diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index aa9ab98..12f8a66 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1802,7 +1802,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..ec441aa 100644 +index c44c359..bb78970 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -1883,15 +1883,17 @@ index c44c359..ec441aa 100644 corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) -@@ -124,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t) +@@ -124,6 +126,9 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t) +fs_dontaudit_rw_anon_inodefs_files(ping_t) ++ ++dev_read_urand(ping_t) domain_use_interactive_fds(ping_t) -@@ -131,14 +134,13 @@ files_read_etc_files(ping_t) +@@ -131,14 +136,13 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) @@ -1909,7 +1911,7 @@ index c44c359..ec441aa 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -149,11 +151,25 @@ ifdef(`hide_broken_symptoms',` +@@ -149,11 +153,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -1935,7 +1937,7 @@ index c44c359..ec441aa 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +177,15 @@ optional_policy(` +@@ -161,6 +179,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -1951,7 +1953,7 @@ index c44c359..ec441aa 100644 ######################################## # # Traceroute local policy -@@ -174,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +201,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) 
@@ -1959,7 +1961,7 @@ index c44c359..ec441aa 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +224,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -1967,7 +1969,7 @@ index c44c359..ec441aa 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +231,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +233,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -5527,7 +5529,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..87b5aa1 100644 +index b191055..a60bc60 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5601,7 +5603,7 @@ index b191055..87b5aa1 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0) +@@ -83,56 +106,71 @@ network_port(agentx, udp,705,s0, tcp,705,s0) network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) @@ -5644,6 +5646,7 @@ index b191055..87b5aa1 100644 +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) ++network_port(cyrus_imapd, tcp,2005,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) network_port(dbskkd, tcp,1178,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) 
@@ -5681,7 +5684,7 @@ index b191055..87b5aa1 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +177,55 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +178,55 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5752,7 +5755,7 @@ index b191055..87b5aa1 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,95 +233,116 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,95 +234,116 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5887,7 +5890,7 @@ index b191055..87b5aa1 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +356,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +357,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5914,7 +5917,7 @@ index b191055..87b5aa1 100644 ######################################## # -@@ -333,6 +405,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +406,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) 
@@ -5923,7 +5926,7 @@ index b191055..87b5aa1 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +419,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +420,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -19590,7 +19593,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..43bc4f2 100644 +index 0fef1fc..405687c 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,72 @@ policy_module(staff, 2.4.0) @@ -19817,7 +19820,7 @@ index 0fef1fc..43bc4f2 100644 ') optional_policy(` -@@ -52,10 +232,60 @@ optional_policy(` +@@ -52,11 +232,61 @@ optional_policy(` ') optional_policy(` @@ -19862,6 +19865,7 @@ index 0fef1fc..43bc4f2 100644 ') optional_policy(` +- xserver_role(staff_r, staff_t) + vmtools_run_helper(staff_t, staff_r) +') + @@ -19875,9 +19879,10 @@ index 0fef1fc..43bc4f2 100644 + +optional_policy(` + xserver_read_log(staff_t) - xserver_role(staff_r, staff_t) ++ xserver_run(staff_t, staff_r) ') + ifndef(`distro_redhat',` @@ -65,10 +295,6 @@ ifndef(`distro_redhat',` ') @@ -21676,7 +21681,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..ee93201 100644 +index 6d77e81..656a8c4 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -21839,7 +21844,7 @@ index 6d77e81..ee93201 100644 ') + + optional_policy(` -+ xserver_role(user_r, user_t) ++ xserver_run(user_t, user_r) + ') +') + @@ -25765,7 +25770,7 @@ index 6bf0ecc..b036584 100644 +') + 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..415f8be 100644 +index 8b40377..07ff17c 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -26357,17 +26362,16 @@ index 8b40377..415f8be 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +641,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +641,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) +storage_dontaudit_rw_fuse(xdm_t) term_setattr_console(xdm_t) -+term_use_console(xdm_t) -+term_use_virtio_console(xdm_t) - term_use_unallocated_ttys(xdm_t) +-term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) ++term_use_all_terms(xdm_t) +term_relabel_all_ttys(xdm_t) +term_relabel_unallocated_ttys(xdm_t) @@ -26407,7 +26411,7 @@ index 8b40377..415f8be 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +689,155 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +687,155 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -26569,7 +26573,7 @@ index 8b40377..415f8be 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +850,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +848,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -26601,7 +26605,7 @@ index 8b40377..415f8be 100644 ') optional_policy(` -@@ -517,9 +884,34 @@ optional_policy(` +@@ -517,9 +882,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) 
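Review bot: In the xdm_t terminal block, `term_use_all_terms(xdm_t)` is wider than the `term_use_unallocated_ttys(xdm_t)` line it replaces and than the `term_use_console`/`term_use_virtio_console` pair the previous revision of this patch added, so the display manager now gets use access on every terminal type instead of the console and unallocated ttys — assuming the interface grants what its name says, since its definition is outside this patch. A why-comment above the line naming the denial that forced the widening would let a later maintainer re-narrow it, e.g. `# xdm needs allocated user ttys and ptys as well as the console during session setup; see <AVC denial reference>`. The kept `term_setattr_unallocated_ttys(xdm_t)` context line means setattr stays narrow while use becomes broad, which is worth stating in the same comment so the asymmetry reads as intended.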
@@ -26637,7 +26641,7 @@ index 8b40377..415f8be 100644 ') ') -@@ -530,6 +922,20 @@ optional_policy(` +@@ -530,6 +920,20 @@ optional_policy(` ') optional_policy(` @@ -26658,7 +26662,7 @@ index 8b40377..415f8be 100644 hostname_exec(xdm_t) ') -@@ -547,28 +953,78 @@ optional_policy(` +@@ -547,28 +951,78 @@ optional_policy(` ') optional_policy(` @@ -26746,7 +26750,7 @@ index 8b40377..415f8be 100644 ') optional_policy(` -@@ -580,6 +1036,14 @@ optional_policy(` +@@ -580,6 +1034,14 @@ optional_policy(` ') optional_policy(` @@ -26761,7 +26765,7 @@ index 8b40377..415f8be 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1058,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1056,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -26770,7 +26774,7 @@ index 8b40377..415f8be 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1068,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1066,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -26783,7 +26787,7 @@ index 8b40377..415f8be 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1085,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1083,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -26799,7 +26803,7 @@ index 8b40377..415f8be 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1101,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1099,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -26810,7 +26814,7 @@ index 8b40377..415f8be 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1116,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1114,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -26847,7 +26851,7 @@ index 8b40377..415f8be 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1162,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1160,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -26879,7 +26883,7 @@ index 8b40377..415f8be 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1195,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1193,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -26894,7 +26898,7 @@ index 8b40377..415f8be 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1216,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1214,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -26918,7 +26922,7 @@ index 8b40377..415f8be 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1235,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1233,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -26927,7 +26931,7 @@ index 8b40377..415f8be 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1279,50 @@ optional_policy(` +@@ -785,17 +1277,50 @@ optional_policy(` ') optional_policy(` @@ -26980,7 +26984,7 @@ index 8b40377..415f8be 100644 ') optional_policy(` -@@ -803,6 +1330,10 @@ optional_policy(` +@@ -803,6 +1328,10 @@ optional_policy(` ') optional_policy(` @@ -26991,7 +26995,7 @@ index 8b40377..415f8be 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1349,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1347,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -27016,7 +27020,7 @@ index 8b40377..415f8be 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1372,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1370,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -27051,7 +27055,7 @@ index 8b40377..415f8be 100644 ') optional_policy(` -@@ -912,7 +1437,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1435,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -27060,7 +27064,7 @@ index 8b40377..415f8be 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1491,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1489,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -27092,7 +27096,7 @@ index 8b40377..415f8be 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1537,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1535,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -38400,7 +38404,7 @@ index 3822072..8a23b62 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..fa0e220 100644 +index dc46420..90ff61b 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -38932,7 +38936,7 @@ index dc46420..fa0e220 100644 ') ######################################## -@@ -522,111 +602,196 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +602,197 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # 
@@ -39111,6 +39115,7 @@ index dc46420..fa0e220 100644 # for config files in a home directory -userdom_read_user_home_content_files(setfiles_t) +userdom_read_user_home_content_files(setfiles_domain) ++userdom_read_admin_home_files(setfiles_domain) +userdom_rw_inherited_user_home_content_files(setfiles_domain) ifdef(`distro_debian',` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3a05f2a..266027e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -546,7 +546,7 @@ index 058d908..1e92177 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..d77f4a6 100644 +index eb50f07..2e7633c 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -984,7 +984,7 @@ index eb50f07..d77f4a6 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +451,58 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +451,60 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1030,6 +1030,8 @@ index eb50f07..d77f4a6 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) ++auth_read_passwd(abrt_dump_oops_t) ++ +dev_read_urand(abrt_dump_oops_t) +dev_read_rand(abrt_dump_oops_t) + @@ -1047,7 +1049,7 @@ index eb50f07..d77f4a6 100644 ####################################### # -@@ -404,7 +510,7 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,7 +512,7 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; 
@@ -1056,7 +1058,7 @@ index eb50f07..d77f4a6 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,16 +519,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -413,16 +521,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1100,7 +1102,7 @@ index eb50f07..d77f4a6 100644 ') ####################################### -@@ -430,10 +562,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +564,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -5147,7 +5149,7 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..3226dec 100644 +index 6649962..12fcbb6 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) @@ -6924,7 +6926,7 @@ index 6649962..3226dec 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1391,106 @@ optional_policy(` +@@ -1083,172 +1391,107 @@ optional_policy(` ') ') @@ -6989,6 +6991,7 @@ index 6649962..3226dec 100644 +files_search_spool(httpd_sys_script_t) -seutil_dontaudit_search_config(httpd_script_domains) ++logging_send_syslog_msg(httpd_sys_script_t) +logging_inherit_append_all_logs(httpd_sys_script_t) -tunable_policy(`httpd_enable_cgi && httpd_unified',` @@ -7161,7 +7164,7 @@ index 6649962..3226dec 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1498,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1499,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` 
@@ -7258,7 +7261,7 @@ index 6649962..3226dec 100644 ######################################## # -@@ -1321,8 +1573,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1574,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7275,7 +7278,7 @@ index 6649962..3226dec 100644 ') ######################################## -@@ -1330,49 +1589,38 @@ optional_policy(` +@@ -1330,49 +1590,38 @@ optional_policy(` # User content local policy # @@ -7340,7 +7343,7 @@ index 6649962..3226dec 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1630,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1631,101 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -9460,7 +9463,7 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f5c1a48..f255b29 100644 +index f5c1a48..f7b4f1d 100644 --- a/bitlbee.te +++ b/bitlbee.te @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) @@ -9508,7 +9511,7 @@ index f5c1a48..f255b29 100644 corenet_tcp_connect_ircd_port(bitlbee_t) corenet_tcp_sendrecv_ircd_port(bitlbee_t) -@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) +@@ -109,16 +116,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) @@ -9521,10 +9524,14 @@ index f5c1a48..f255b29 100644 logging_send_syslog_msg(bitlbee_t) -miscfiles_read_localization(bitlbee_t) -- ++optional_policy(` ++ dbus_system_bus_client(bitlbee_t) ++') + optional_policy(` tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) ') ++ diff --git a/blueman.fc b/blueman.fc index c295d2e..4f84e9c 100644 --- a/blueman.fc @@ -10522,10 +10529,10 @@ index 0000000..968c957 +') diff --git a/brltty.te b/brltty.te new file mode 100644 -index 0000000..0efa3a2 +index 0000000..eabda1e --- /dev/null 
+++ b/brltty.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,62 @@ +policy_module(brltty, 1.0.0) + +######################################## @@ -10577,6 +10584,7 @@ index 0000000..0efa3a2 + +dev_read_sysfs(brltty_t) +dev_rw_generic_usb_dev(brltty_t) ++dev_rw_input_dev(brltty_t) + +fs_getattr_all_fs(brltty_t) + @@ -19713,7 +19721,7 @@ index 3023be7..0317731 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..325c5e3 100644 +index c91813c..9533fa0 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -19986,7 +19994,7 @@ index c91813c..325c5e3 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -244,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -20008,18 +20016,17 @@ index c91813c..325c5e3 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_t) +userdom_dontaudit_search_user_home_dirs(cupsd_t) -+userdom_dontaudit_search_user_home_content(cupsd_t) -+userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) - ++userdom_dontaudit_use_unpriv_user_fds(cupsd_t) ++userdom_dontaudit_search_user_home_content(cupsd_t) ++ +tunable_policy(`cups_execmem',` + allow cupsd_t self:process { execmem execstack }; +') + -+ + optional_policy(` apm_domtrans_client(cupsd_t) - ') @@ -272,6 +320,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -20166,7 +20173,18 @@ index c91813c..325c5e3 100644 ') optional_policy(` -@@ -487,10 +533,6 @@ optional_policy(` +@@ -467,6 +513,10 @@ optional_policy(` + ') + + optional_policy(` ++ libs_exec_ldconfig(cupsd_config_t) ++') ++ ++optional_policy(` + rpm_read_db(cupsd_config_t) + ') + +@@ -487,10 +537,6 @@ optional_policy(` # Lpd local policy # 
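Review bot: `dev_rw_input_dev(brltty_t)` gives the new brltty_t domain read and write access to input devices, which for a domain that is not otherwise privileged is a meaningful grant because input-device reads expose everything typed on attached keyboards; nothing near the line records why the daemon needs it beyond `dev_rw_generic_usb_dev`. A comment would make the grant auditable, e.g. `# braille displays with integrated keys are exposed as input devices; brltty reads key events and writes to the display — TODO confirm the write side is required`. If the device nodes in question could instead be labelled with a brltty-specific type, a narrower allow would be preferable, but that cannot be judged from this hunk.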
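Review bot: The new side of the cupsd_t userdom block still carries `userdom_dontaudit_use_unpriv_user_fds(cupsd_t)` and `userdom_dontaudit_search_user_home_content(cupsd_t)` twice each, once as a context line of the nested patch and once among the re-added `++` lines, so moving the pair below `userdom_dontaudit_search_user_home_dirs(cupsd_t)` relocates the duplicates rather than removing them (read from the collapsed diff-of-diff markers, so worth confirming against the applied file). Duplicate dontaudit rules are merged at policy build time and are harmless, but they signal that the block was patched twice and make the next diff harder to read; dropping the two `++` lines and relying on the context copies leaves one instance of each. The `cups_execmem` tunable block added just after is unaffected.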
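Review bot: `libs_exec_ldconfig(cupsd_config_t)` runs ldconfig inside cupsd_config_t rather than through a transition, and the new optional_policy block does not say which configuration step rebuilds the shared-library cache; a one-line comment such as `# <driver setup helper> invokes ldconfig after installing printer libraries — TODO confirm` would give the next reader the reason and a way to re-check it. If the caller only needs to consult the existing cache rather than regenerate it, a read-only interface on the cache would be the narrower choice, but which case applies cannot be decided from this hunk.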
@@ -20177,7 +20195,7 @@ index c91813c..325c5e3 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +550,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +554,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -20195,7 +20213,7 @@ index c91813c..325c5e3 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +579,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +583,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -20205,7 +20223,7 @@ index c91813c..325c5e3 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +589,6 @@ optional_policy(` +@@ -550,7 +593,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -20213,7 +20231,7 @@ index c91813c..325c5e3 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +604,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +608,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -20242,11 +20260,13 @@ index c91813c..325c5e3 100644 - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') -- --optional_policy(` ++userdom_home_manager(cups_pdf_t) + + optional_policy(` - lpd_manage_spool(cups_pdf_t) --') -- ++ gnome_read_config(cups_pdf_t) + ') + -######################################## -# -# HPLIP local policy 
@@ -20352,20 +20372,18 @@ index c91813c..325c5e3 100644 -optional_policy(` - seutil_sigchld_newrole(hplip_t) -') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` +- +-optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -+ gnome_read_config(cups_pdf_t) - ') - +-') +- -optional_policy(` - udev_read_db(hplip_t) -') ######################################## # -@@ -735,7 +648,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +652,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -20373,7 +20391,7 @@ index c91813c..325c5e3 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +657,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +661,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -20387,7 +20405,7 @@ index c91813c..325c5e3 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +669,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +673,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -20396,7 +20414,7 @@ index c91813c..325c5e3 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +681,4 @@ optional_policy(` +@@ -773,3 +685,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -20666,7 +20684,7 @@ index 83bfda6..92d9fb2 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index 4283f2d..0632ef7 100644 +index 4283f2d..21a3620 100644 --- a/cyrus.te +++ b/cyrus.te @@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t) 
@@ -20678,7 +20696,7 @@ index 4283f2d..0632ef7 100644 dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(cyrus_t) +@@ -63,12 +63,12 @@ kernel_read_kernel_sysctls(cyrus_t) kernel_read_system_state(cyrus_t) kernel_read_all_sysctls(cyrus_t) @@ -20686,7 +20704,13 @@ index 4283f2d..0632ef7 100644 corenet_all_recvfrom_netlabel(cyrus_t) corenet_tcp_sendrecv_generic_if(cyrus_t) corenet_tcp_sendrecv_generic_node(cyrus_t) -@@ -76,6 +75,9 @@ corenet_tcp_bind_mail_port(cyrus_t) + corenet_tcp_sendrecv_all_ports(cyrus_t) + corenet_tcp_bind_generic_node(cyrus_t) ++corenet_tcp_bind_cyrus_imapd_port(cyrus_t) + + corenet_sendrecv_mail_server_packets(cyrus_t) + corenet_tcp_bind_mail_port(cyrus_t) +@@ -76,6 +76,9 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_sendrecv_lmtp_server_packets(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) @@ -20696,7 +20720,7 @@ index 4283f2d..0632ef7 100644 corenet_sendrecv_pop_server_packets(cyrus_t) corenet_tcp_bind_pop_port(cyrus_t) -@@ -95,8 +97,6 @@ domain_use_interactive_fds(cyrus_t) +@@ -95,8 +98,6 @@ domain_use_interactive_fds(cyrus_t) files_list_var_lib(cyrus_t) files_read_etc_runtime_files(cyrus_t) @@ -20705,7 +20729,7 @@ index 4283f2d..0632ef7 100644 fs_getattr_all_fs(cyrus_t) fs_search_auto_mountpoints(cyrus_t) -@@ -107,7 +107,6 @@ libs_exec_lib_files(cyrus_t) +@@ -107,7 +108,6 @@ libs_exec_lib_files(cyrus_t) logging_send_syslog_msg(cyrus_t) @@ -20713,7 +20737,7 @@ index 4283f2d..0632ef7 100644 miscfiles_read_generic_certs(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) -@@ -121,6 +120,10 @@ optional_policy(` +@@ -121,6 +121,10 @@ optional_policy(` ') optional_policy(` 
@@ -20724,7 +20748,7 @@ index 4283f2d..0632ef7 100644 kerberos_read_keytab(cyrus_t) kerberos_use(cyrus_t) ') -@@ -134,8 +137,8 @@ optional_policy(` +@@ -134,8 +138,8 @@ optional_policy(` ') optional_policy(` @@ -22477,7 +22501,7 @@ index a7326da..c87b5b7 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te -index 583a527..1053281 100644 +index 583a527..91c4104 100644 --- a/denyhosts.te +++ b/denyhosts.te @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) @@ -22498,7 +22522,7 @@ index 583a527..1053281 100644 corenet_all_recvfrom_netlabel(denyhosts_t) corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) -@@ -57,13 +59,17 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t) +@@ -57,13 +59,19 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) corenet_tcp_sendrecv_smtp_port(denyhosts_t) @@ -22510,6 +22534,8 @@ index 583a527..1053281 100644 +auth_use_nsswitch(denyhosts_t) + ++iptables_domtrans(denyhosts_t) ++ logging_read_generic_logs(denyhosts_t) logging_send_syslog_msg(denyhosts_t) @@ -22518,7 +22544,7 @@ index 583a527..1053281 100644 sysnet_dns_name_resolve(denyhosts_t) sysnet_manage_config(denyhosts_t) sysnet_etc_filetrans_config(denyhosts_t) -@@ -71,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t) +@@ -71,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` cron_system_entry(denyhosts_t, denyhosts_exec_t) ') @@ -28235,7 +28261,7 @@ index c62c567..6460877 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..cbaf309 100644 +index 98072a3..e91b89f 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) 
@@ -28254,15 +28280,16 @@ index 98072a3..cbaf309 100644 ######################################## # # Local policy -@@ -37,6 +43,7 @@ allow firewalld_t self:udp_socket create_socket_perms; +@@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms; manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) ++relabelfrom_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) +manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) allow firewalld_t firewalld_var_log_t:file append_file_perms; allow firewalld_t firewalld_var_log_t:file create_file_perms; -@@ -48,8 +55,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) +@@ -48,8 +56,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) allow firewalld_t firewalld_tmp_t:file mmap_file_perms; @@ -28276,7 +28303,7 @@ index 98072a3..cbaf309 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +75,17 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +76,17 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28302,7 +28329,7 @@ index 98072a3..cbaf309 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +104,10 @@ optional_policy(` +@@ -95,6 +105,10 @@ optional_policy(` ') optional_policy(` @@ -29106,7 +29133,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..a09e8b2 100644 +index 36838c2..a422d04 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -29152,7 +29179,22 @@ index 36838c2..a09e8b2 100644 ## ##
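Review bot: `relabelfrom_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)` grants only the relabelfrom half; a relabel is denied unless relabelto is also allowed on the destination type, and no such rule is visible in this hunk. If firewalld is re-setting the context of its own configuration files (the BZ 1195327 case, judging by the changelog), `relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)` grants both halves in one line; if the destination is a different type, the matching relabelto rule for that type should accompany this one so the pair is reviewable together.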

-@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) +@@ -50,14 +57,6 @@ gen_tunable(ftpd_connect_db, false) + + ## + ##

+-## Determine whether ftpd can bind to all +-## unreserved ports for passive mode. +-##

+-##
+-gen_tunable(ftpd_use_passive_mode, false) +- +-## +-##

+ ## Determine whether ftpd can connect to + ## all unreserved ports. + ##

+@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -29162,7 +29204,7 @@ index 36838c2..a09e8b2 100644 type ftpd_keytab_t; files_type(ftpd_keytab_t) -@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; +@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -29172,7 +29214,7 @@ index 36838c2..a09e8b2 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) +@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; @@ -29199,7 +29241,7 @@ index 36838c2..a09e8b2 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -29213,7 +29255,7 @@ index 36838c2..a09e8b2 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -29221,7 +29263,7 @@ index 36838c2..a09e8b2 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t) +@@ -259,37 +263,47 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) 
@@ -29268,18 +29310,18 @@ index 36838c2..a09e8b2 100644 - files_manage_non_auth_files(ftpd_t) + files_manage_non_security_dirs(ftpd_t) + files_manage_non_security_files(ftpd_t) -+') -+ -+tunable_policy(`ftpd_use_passive_mode',` -+ corenet_tcp_bind_all_unreserved_ports(ftpd_t) -+') + ') + +-tunable_policy(`ftpd_use_passive_mode',` +- corenet_sendrecv_all_server_packets(ftpd_t) +- corenet_tcp_bind_all_unreserved_ports(ftpd_t) + +tunable_policy(`ftpd_connect_all_unreserved',` + corenet_tcp_connect_all_unreserved_ports(ftpd_t) ') - tunable_policy(`ftpd_use_passive_mode',` -@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',` + tunable_policy(`ftpd_connect_all_unreserved',` +@@ -304,22 +318,19 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -29307,7 +29349,7 @@ index 36838c2..a09e8b2 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -363,9 +390,8 @@ optional_policy(` +@@ -363,9 +374,8 @@ optional_policy(` optional_policy(` selinux_validate_context(ftpd_t) @@ -29318,7 +29360,7 @@ index 36838c2..a09e8b2 100644 kerberos_use(ftpd_t) ') -@@ -416,21 +442,20 @@ optional_policy(` +@@ -416,21 +426,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -29342,7 +29384,7 @@ index 36838c2..a09e8b2 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -443,23 +452,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -29383,7 +29425,7 @@ index 36838c2..a09e8b2 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +517,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -481,21 +501,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) 
@@ -30816,10 +30858,10 @@ index 0000000..8c8c6c9 +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterd.if b/glusterd.if new file mode 100644 -index 0000000..1ed97fe +index 0000000..07b266a --- /dev/null +++ b/glusterd.if -@@ -0,0 +1,150 @@ +@@ -0,0 +1,170 @@ + +## policy for glusterd + @@ -30923,6 +30965,26 @@ index 0000000..1ed97fe + manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) +') + ++###################################### ++## ++## Allow the specified domain to execute gluster's lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gluster_execute_lib',` ++ gen_require(` ++ type glusterd_var_lib_t; ++ ') ++ ++ files_list_var_lib($1) ++ allow $1 glusterd_var_lib_t:dir search_dir_perms; ++ can_exec($1, glusterd_var_lib_t) ++') ++ +######################################## +## +## All of the rules required to administrate @@ -30972,10 +31034,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..fbc6a67 +index 0000000..9040220 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,201 @@ +@@ -0,0 +1,205 @@ +policy_module(glusterfs, 1.1.2) + +## @@ -31166,6 +31228,10 @@ index 0000000..fbc6a67 +') + +optional_policy(` ++ gluster_execute_lib(glusterd_t) ++') ++ ++optional_policy(` + rpc_domtrans_rpcd(glusterd_t) + rpc_kill_rpcd(glusterd_t) +') @@ -37092,7 +37158,7 @@ index ca020fa..5f1a035 100644 optional_policy(` tgtd_manage_semaphores(iscsid_t) diff --git a/isns.te b/isns.te -index bc11034..107ed2f 100644 +index bc11034..81253f4 100644 --- a/isns.te +++ b/isns.te @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) 
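Review bot: `gluster_execute_lib` grants `can_exec($1, glusterd_var_lib_t)`, i.e. execution of files under a type the daemon presumably also writes (the manage rules for glusterd_var_lib_t are outside these hunks), so whatever can write that content can get code run in the caller's domain; that trade-off deserves a sentence in the interface description, e.g. `## Note: glusterd_var_lib_t is daemon-writable, so this removes the write/execute separation for that type.` The changelog names the interface `gluster_exec_lib` while the code defines `gluster_execute_lib`; one of the two should be corrected. In the glusterd.te hunk the module wraps a call to its own interface in `optional_policy(`...`)`, which is redundant for a same-module interface and makes an unconditional permission look conditional; a direct `can_exec(glusterd_t, glusterd_var_lib_t)` would read more honestly.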
@@ -37103,15 +37169,18 @@ index bc11034..107ed2f 100644 allow isnsd_t self:udp_socket { accept listen }; allow isnsd_t self:unix_stream_socket { accept listen }; -@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t) +@@ -46,10 +47,7 @@ corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) -files_read_etc_files(isnsd_t) -- ++auth_use_nsswitch(isnsd_t) + logging_send_syslog_msg(isnsd_t) - miscfiles_read_localization(isnsd_t) +-miscfiles_read_localization(isnsd_t) +- +-sysnet_dns_name_resolve(isnsd_t) diff --git a/jabber.fc b/jabber.fc index 59ad3b3..bd02cc8 100644 --- a/jabber.fc @@ -41524,10 +41593,10 @@ index 1664036..51dd14f 100644 - unconfined_domtrans(kudzu_t) -') diff --git a/l2tp.fc b/l2tp.fc -index d5d1572..82267a7 100644 +index d5d1572..ddc6ef2 100644 --- a/l2tp.fc +++ b/l2tp.fc -@@ -5,6 +5,7 @@ +@@ -5,7 +5,9 @@ /etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0) /usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) @@ -41535,6 +41604,8 @@ index d5d1572..82267a7 100644 /var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) + /var/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) ++/var/run/*.xl2tpd.* -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) diff --git a/l2tp.if b/l2tp.if index 73e2803..34ca3aa 100644 --- a/l2tp.if @@ -41765,7 +41836,7 @@ index 73e2803..34ca3aa 100644 role_transition $2 l2tpd_initrc_exec_t system_r; allow $2 system_r; diff --git a/l2tp.te b/l2tp.te -index bb06a7f..5546de2 100644 +index bb06a7f..01e784b 100644 --- a/l2tp.te +++ b/l2tp.te @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) @@ -41827,7 +41898,7 @@ index bb06a7f..5546de2 100644 +') + +optional_policy(` -+ networkmanager_read_pid_files(l2tpd_t) ++ networkmanager_manage_pid_files(l2tpd_t) +') + +optional_policy(` 
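Review bot: In `/var/run/*.xl2tpd.* -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)` the `*` is a regex quantifier on the preceding `/`, not a shell glob, so the pattern only matches names beginning with `xl2tpd` (the unescaped `.` absorbs the slash) and never the prefixed names the `*.` seems to intend. Use `/var/run/.*xl2tpd.* -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)` for any name containing xl2tpd, or `/var/run/xl2tpd\..* -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)` for xl2tpd's own files; the existing `/var/run/.*l2tpd\.pid` line already covers the pid file, so the new entry only adds value for the non-pid files.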
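Review bot: `networkmanager_manage_pid_files(l2tpd_t)` widens the earlier `networkmanager_read_pid_files` to create, write, rename and unlink every NetworkManager runtime file, which lets a compromised l2tpd tamper with NetworkManager's state rather than just read it. If the denial behind the changelog entry was for a single file l2tpd creates under NetworkManager's run directory, a rule scoped to that file (a filetrans into an l2tpd-owned type) would be tighter; if the broad rule is really needed, add a comment naming which files l2tpd writes so the scope can be re-checked later.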
@@ -51967,10 +52038,10 @@ index ff1d68c..86d8c9b 100644 + + diff --git a/munin.fc b/munin.fc -index eb4b72a..af28bb5 100644 +index eb4b72a..4ea6ce7 100644 --- a/munin.fc +++ b/munin.fc -@@ -1,77 +1,79 @@ +@@ -1,77 +1,78 @@ -/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) - +/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) @@ -52077,7 +52148,7 @@ index eb4b72a..af28bb5 100644 /usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) +-/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) @@ -53191,7 +53262,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..e14423d 100644 +index 7584bbe..a110a1a 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) @@ -53418,7 +53489,7 @@ index 7584bbe..e14423d 100644 logging_send_syslog_msg(mysqld_safe_t) -miscfiles_read_localization(mysqld_safe_t) -+auth_read_passwd(mysqld_safe_t) ++auth_use_nsswitch(mysqld_safe_t) + +domain_dontaudit_signull_all_domains(mysqld_safe_t) @@ -92290,7 +92361,7 @@ index 98c9e0a..562666e 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..2b642a3 100644 +index 299756b..1a69cf7 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) 
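Review bot: Replacing `auth_read_passwd(mysqld_safe_t)` with `auth_use_nsswitch(mysqld_safe_t)` moves the wrapper script from reading the local passwd database to full NSS client access, which in policies of this lineage typically also carries network lookups (DNS, LDAP, sssd) that a shell wrapper around mysqld does not obviously need. If the motivating denial was only a local user lookup, `auth_read_passwd` was the narrower fix; if network NSS backends are genuinely required to resolve the mysql user, keep this but add a comment saying so, since the changelog line "Add nsswitch domain for more serviecs" does not explain it.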
@@ -92376,8 +92447,12 @@ index 299756b..2b642a3 100644 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; -@@ -84,6 +97,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) +@@ -82,8 +95,12 @@ fs_search_cgroup_dirs(sblim_gatherd_t) + storage_raw_read_fixed_disk(sblim_gatherd_t) + storage_raw_read_removable_device(sblim_gatherd_t) ++auth_use_nsswitch(sblim_gatherd_t) ++ init_read_utmp(sblim_gatherd_t) +logging_send_syslog_msg(sblim_gatherd_t) @@ -92385,7 +92460,7 @@ index 299756b..2b642a3 100644 sysnet_dns_name_resolve(sblim_gatherd_t) term_getattr_pty_fs(sblim_gatherd_t) -@@ -103,8 +118,9 @@ optional_policy(` +@@ -103,8 +120,9 @@ optional_policy(` ') optional_policy(` @@ -92396,7 +92471,7 @@ index 299756b..2b642a3 100644 ') optional_policy(` -@@ -117,6 +133,59 @@ optional_policy(` +@@ -117,6 +135,59 @@ optional_policy(` # Reposd local policy # diff --git a/selinux-policy.spec b/selinux-policy.spec index 082f1f9..bf4b338 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 114%{?dist} +Release: 115%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
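Review bot: `auth_use_nsswitch(sblim_gatherd_t)` is added while the context line `sysnet_dns_name_resolve(sblim_gatherd_t)` just below it is kept, yet the isns.te hunk in this same commit removes `sysnet_dns_name_resolve` when it adds `auth_use_nsswitch`, which suggests the latter already subsumes the DNS rule. Drop the explicit DNS call here for consistency with that hunk, or, if it is kept on purpose, add a short comment saying why so the redundancy is not "fixed" later by someone removing the wrong line.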
@@ -602,6 +602,27 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Mar 05 2015 Lukas Vrabec 3.13.1-115 +- Allow glusterd_t exec glusterd_var_lib_t files. BZ(1198406) +- Add gluster_exec_lib interface. +- Allow l2tpd to manage NetworkManager pid files +- Allow firewalld_t relabelfrom firewalld_rw_etc_t. BZ(1195327) +- Allow cyrus bind tcp berknet port. BZ(1198347) +- Add nsswitch domain for more serviecs. +- Allow abrt_dump_oops_t read /etc/passwd file. BZ(1197190) +- Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling. +- Make munin yum plugin as unconfined by default. +- Allow bitlbee connections to the system DBUS. +- Allow system apache scripts to send log messages. +- Allow denyhosts execute iptables. BZ(1197371) +- Allow brltty rw event device. BZ(1190349) +- Allow cupsd config to execute ldconfig. BZ(1196608) +- xdm_t now needs to manage user ttys +- Allow ping_t read urand. BZ(1181831) +- Add support for tcp/2005 port. +- Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile. +- In F23 we are running xserver as the user, need this to allow confined users to us X + * Mon Feb 25 2015 Lukas Vrabec 3.13.1-114 - Fix source filepath for moving html files.