From 05f913e88b4a41ec573d7a84b18ae196b3bf0d85 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 25 Nov 2010 12:21:34 +0000 Subject: [PATCH] - Update to upstream - Cleanup for sandbox - Add attribute to be able to select sandbox types --- .gitignore | 1 + policy-F15.patch | 1459 +++++++++++++++++++------------------------ selinux-policy.spec | 9 +- sources | 2 +- 4 files changed, 645 insertions(+), 826 deletions(-) diff --git a/.gitignore b/.gitignore index 100fdfa4..91580fb6 100644 --- a/.gitignore +++ b/.gitignore @@ -230,3 +230,4 @@ serefpolicy* /config.tgz /serefpolicy-3.9.8.tgz /serefpolicy-3.9.9.tgz +/serefpolicy-3.9.10.tgz diff --git a/policy-F15.patch b/policy-F15.patch index 6f8d4141..a0a33995 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -47,6 +47,36 @@ index 6760c95..34edd2a 100644 open } +diff --git a/policy/global_booleans b/policy/global_booleans +index 111d004..9df7b5e 100644 +--- a/policy/global_booleans ++++ b/policy/global_booleans +@@ -6,7 +6,7 @@ + + ## + ##

+-## Enabling secure mode disallows programs, such as ++## disallow programs, such as + ## newrole, from transitioning to administrative + ## user domains. + ##

+@@ -15,14 +15,14 @@ gen_bool(secure_mode,false) + + ## + ##

+-## Disable transitions to insmod. ++## disallow programs and users from transitioning to insmod domain. + ##

+ ## + gen_bool(secure_mode_insmod,false) + + ## + ##

+-## boolean to determine whether the system permits loading policy, setting ++## prevent all confined domains from loading policy, setting + ## enforcing mode, and changing boolean values. Set this to true and you + ## have to reboot to set it back + ##

diff --git a/policy/global_tunables b/policy/global_tunables index 3316f6e..6e82b1e 100644 --- a/policy/global_tunables @@ -4022,9 +4052,18 @@ index 9a6d67d..b0c1197 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..62796d8 100644 +index cbf4bec..7099120 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te +@@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2) + + ## + ##

+-## Control mozilla content access ++## allow confined web browsers to read home directory content + ##

+ ## + gen_tunable(mozilla_read_content, false) @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; @@ -5529,9 +5568,18 @@ index c1d5f50..989f88c 100644 + + diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index a3225d4..9cd8b55 100644 +index a3225d4..bc10481 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te +@@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true) + + ## + ##

+-## Allow qemu to user serial/parallel communication ports ++## Allow qemu to use serial/parallel communication ports + ##

+ ## + gen_tunable(qemu_use_comm, false) @@ -90,7 +90,9 @@ tunable_policy(`qemu_use_usb',` ') @@ -5681,10 +5729,10 @@ index 0000000..15778fd +# No types are sandbox_exec_t diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..9783c8f +index 0000000..402027a --- /dev/null +++ b/policy/modules/apps/sandbox.if -@@ -0,0 +1,339 @@ +@@ -0,0 +1,340 @@ + +## policy for sandbox + @@ -5757,7 +5805,7 @@ index 0000000..9783c8f +######################################## +## +## Creates types and rules for a basic -+## qemu process domain. ++## sandbox process domain. +## +## +## @@ -5770,10 +5818,10 @@ index 0000000..9783c8f + gen_require(` + attribute sandbox_domain; + attribute sandbox_file_type; -+ attribute sandbox_x_type; ++ attribute sandbox_type; + ') ++ type $1_t, sandbox_domain, sandbox_type; + -+ type $1_t, sandbox_domain, sandbox_x_type; + application_type($1_t) + + mls_rangetrans_target($1_t) @@ -5793,7 +5841,7 @@ index 0000000..9783c8f +######################################## +## +## Creates types and rules for a basic -+## qemu process domain. ++## sandbox process domain. +## +## +## @@ -5807,9 +5855,10 @@ index 0000000..9783c8f + type sandbox_xserver_t; + attribute sandbox_domain, sandbox_x_domain; + attribute sandbox_file_type, sandbox_tmpfs_type; ++ attribute sandbox_type; + ') + -+ type $1_t, sandbox_x_domain; ++ type $1_t, sandbox_x_domain, sandbox_type; + application_type($1_t) + mcs_untrusted_proc($1_t) + @@ -6026,10 +6075,10 @@ index 0000000..9783c8f +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..aa1d56d +index 0000000..6522c1b --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,430 @@ +@@ -0,0 +1,441 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -6037,7 +6086,7 @@ index 0000000..aa1d56d +attribute sandbox_file_type; +attribute sandbox_web_type; +attribute sandbox_tmpfs_type; -+attribute sandbox_x_type; ++attribute sandbox_type; + +######################################## +# @@ -6102,6 +6151,7 @@ index 0000000..aa1d56d +files_search_home(sandbox_xserver_t) +fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) +fs_list_inotifyfs(sandbox_xserver_t) ++fs_search_auto_mountpoints(sandbox_xserver_t) + +miscfiles_read_fonts(sandbox_xserver_t) +miscfiles_read_localization(sandbox_xserver_t) @@ -6184,6 +6234,7 @@ index 0000000..aa1d56d + +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; +dontaudit sandbox_x_domain sandbox_x_domain:process signal; ++dontaudit sandbox_x_domain sandbox_xserver_t:process signal; + +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -6272,18 +6323,27 @@ index 0000000..aa1d56d +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) + ++fs_search_auto_mountpoints(sandbox_x_domain) ++ +tunable_policy(`use_nfs_home_dirs',` ++ fs_search_auto_mountpoints(sandbox_x_domain) ++ fs_search_nfs(sandbox_xserver_t) + fs_read_nfs_files(sandbox_xserver_t) ++ fs_manage_nfs_dirs(sandbox_x_domain) + fs_manage_nfs_files(sandbox_x_domain) +') + +tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(sandbox_xserver_t) + fs_read_cifs_files(sandbox_xserver_t) ++ fs_manage_cifs_dirs(sandbox_x_domain) + fs_manage_cifs_files(sandbox_x_domain) +') + +tunable_policy(`use_fusefs_home_dirs',` ++ fs_search_fusefs(sandbox_xserver_t) + fs_read_fusefs_files(sandbox_xserver_t) ++ fs_manage_fusefs_dirs(sandbox_x_domain) + fs_manage_fusefs_files(sandbox_x_domain) +') + @@ -7544,11 +7604,43 @@ index 9e5c83e..953e0e8 100644 + +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) +diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in +index b06df19..5282ad5 100644 +--- a/policy/modules/kernel/corenetwork.if.in ++++ b/policy/modules/kernel/corenetwork.if.in +@@ -2149,13 +2149,18 @@ interface(`corenet_tcp_recvfrom_netlabel',` + ## + # + interface(`corenet_tcp_recvfrom_unlabeled',` ++ gen_require(` ++ attribute corenet_unlabeled_type; ++ ') ++ + kernel_tcp_recvfrom_unlabeled($1) + kernel_recvfrom_unlabeled_peer($1) + ++ typeattribute $1 corenet_unlabeled_type; + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems +- kernel_sendrecv_unlabeled_association($1) ++# kernel_sendrecv_unlabeled_association($1) + ') + + ######################################## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 36ba519..ba41f1f 100644 +index 36ba519..8b431af 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in -@@ -24,6 +24,7 @@ dev_node(ppp_device_t) +@@ -15,6 +15,7 @@ attribute rpc_port_type; + attribute server_packet_type; + + attribute corenet_unconfined_type; ++attribute corenet_unlabeled_type; + + type ppp_device_t; + dev_node(ppp_device_t) +@@ -24,11 +25,14 @@ dev_node(ppp_device_t) # type tun_tap_device_t; dev_node(tun_tap_device_t) @@ -7556,7 +7648,14 @@ index 36ba519..ba41f1f 100644 ######################################## # -@@ -64,20 +65,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; + # Ports and packets + # ++type intranet_packet_t; ++type internet_packet_t; + + # + # client_packet_t is the default type of IPv4 and IPv6 client packets. +@@ -64,20 +68,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) @@ -7582,7 +7681,7 @@ index 36ba519..ba41f1f 100644 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) -@@ -85,6 +91,7 @@ network_port(clamd, tcp,3310,s0) +@@ -85,6 +94,7 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) @@ -7590,7 +7689,7 @@ index 36ba519..ba41f1f 100644 network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -97,7 +104,9 @@ network_port(dict, tcp,2628,s0) +@@ -97,7 +107,9 @@ network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(epmap, tcp,135,s0, udp,135,s0) @@ -7600,7 +7699,7 @@ index 36ba519..ba41f1f 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -111,7 +120,7 @@ network_port(hddtemp, tcp,7634,s0) +@@ -111,7 +123,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port @@ -7609,7 +7708,7 @@ index 36ba519..ba41f1f 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -125,30 +134,34 @@ network_port(iscsi, tcp,3260,s0) +@@ -125,30 +137,34 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -7648,7 +7747,7 @@ index 36ba519..ba41f1f 100644 network_port(ntp, udp,123,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) -@@ -156,12 +169,20 @@ network_port(pegasus_http, tcp,5988,s0) +@@ -156,12 +172,20 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -7669,7 +7768,7 @@ index 36ba519..ba41f1f 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -176,24 +197,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -176,24 +200,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -7702,7 +7801,7 @@ index 36ba519..ba41f1f 100644 network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -203,16 +228,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -203,16 +231,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -7723,6 +7822,17 @@ index 36ba519..ba41f1f 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) +@@ -262,6 +291,10 @@ network_interface(lo, lo, s0 - mls_systemhigh) + typealias netif_t alias { lo_netif_t netif_lo_t }; + ') + ++optional_policy(` ++ unlabelednet_sendrecv_packets(corenet_unlabeled_type) ++') ++ + ######################################## + # + # Unconfined access to this module diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 3b2da10..7c29e17 100644 --- a/policy/modules/kernel/devices.fc @@ -7761,7 +7871,7 @@ index 3b2da10..7c29e17 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 99482ca..c381190 100644 +index 15a7bef..d5f08a4 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',` @@ -8007,7 +8117,7 @@ index 99482ca..c381190 100644 ## Get the attributes of sysfs directories. ## ## -@@ -3755,6 +3899,24 @@ interface(`dev_rw_sysfs',` +@@ -3773,6 +3917,24 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -8032,7 +8142,7 @@ index 99482ca..c381190 100644 ## Read from pseudo random number generator devices (e.g., /dev/urandom). ## ## -@@ -3924,6 +4086,24 @@ interface(`dev_read_usbmon_dev',` +@@ -3942,6 +4104,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## @@ -8057,7 +8167,7 @@ index 99482ca..c381190 100644 ## Mount a usbfs filesystem. ## ## -@@ -4234,11 +4414,10 @@ interface(`dev_write_video_dev',` +@@ -4252,11 +4432,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` @@ -8072,7 +8182,7 @@ index 99482ca..c381190 100644 ######################################## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 7047f2f..ef76289 100644 +index ae138bb..95f6137 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -102,6 +102,7 @@ dev_node(ksm_device_t) @@ -8443,7 +8553,7 @@ index 3517db2..4dd4bef 100644 + +/usr/lib/debug <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..2c77493 100644 +index ed203b2..bfb7926 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -8545,7 +8655,7 @@ index 5302dac..2c77493 100644 ## List the contents of the root directory. ## ## -@@ -1836,6 +1906,25 @@ interface(`files_relabelfrom_boot_files',` +@@ -1854,6 +1924,25 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -8571,7 +8681,7 @@ index 5302dac..2c77493 100644 ######################################## ## ## Read and write symbolic links -@@ -2435,6 +2524,24 @@ interface(`files_delete_etc_files',` +@@ -2453,6 +2542,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -8596,7 +8706,7 @@ index 5302dac..2c77493 100644 ## Execute generic files in /etc. ## ## -@@ -2605,6 +2712,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2623,6 +2730,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -8621,7 +8731,7 @@ index 5302dac..2c77493 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -3086,6 +3211,7 @@ interface(`files_getattr_home_dir',` +@@ -3104,6 +3229,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -8629,7 +8739,7 @@ index 5302dac..2c77493 100644 ') ######################################## -@@ -3106,6 +3232,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3124,6 +3250,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -8637,7 +8747,7 @@ index 5302dac..2c77493 100644 ') ######################################## -@@ -3347,6 +3474,24 @@ interface(`files_list_mnt',` +@@ -3365,6 +3492,24 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -8662,7 +8772,7 @@ index 5302dac..2c77493 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3420,6 +3565,24 @@ interface(`files_read_mnt_files',` +@@ -3438,6 +3583,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -8687,7 +8797,7 @@ index 5302dac..2c77493 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3711,6 +3874,100 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3892,100 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -8788,7 +8898,7 @@ index 5302dac..2c77493 100644 ######################################## ## ## Allow the specified type to associate -@@ -3896,6 +4153,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,6 +4171,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -8821,7 +8931,7 @@ index 5302dac..2c77493 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3950,6 +4233,84 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,6 +4251,84 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -8861,27 +8971,6 @@ index 5302dac..2c77493 100644 + +######################################## +## -+## Relabel all tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabelto_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ type var_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ relabelto_dirs_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## +## Relabel all tmp dirs. +## +## @@ -8891,14 +8980,35 @@ index 5302dac..2c77493 100644 +## +## +# -+interface(`files_relabelto_all_tmp_dirs',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` + attribute tmpfile; + type var_t; + ') + + allow $1 var_t:dir search_dir_perms; -+ relabelto_dirs_pattern($1, tmpfile, tmpfile) ++ relabel_dirs_pattern($1, tmpfile, tmpfile) ++') ++ ++######################################## ++## ++## Relabel all tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ type var_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) +') + +######################################## @@ -8906,7 +9016,7 @@ index 5302dac..2c77493 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4109,6 +4470,13 @@ interface(`files_purge_tmp',` +@@ -4127,6 +4488,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -8920,7 +9030,7 @@ index 5302dac..2c77493 100644 ') ######################################## -@@ -4718,7 +5086,7 @@ interface(`files_read_var_files',` +@@ -4736,7 +5104,7 @@ interface(`files_read_var_files',` ######################################## ## @@ -8929,7 +9039,7 @@ index 5302dac..2c77493 100644 ## ## ## -@@ -4726,36 +5094,54 @@ interface(`files_read_var_files',` +@@ -4744,36 +5112,54 @@ interface(`files_read_var_files',` ## ## # @@ -8992,7 +9102,7 @@ index 5302dac..2c77493 100644 ## ## ## -@@ -5053,6 +5439,24 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5457,24 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -9017,7 +9127,7 @@ index 5302dac..2c77493 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5138,12 +5542,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5560,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -9034,7 +9144,7 @@ index 5302dac..2c77493 100644 ') ######################################## -@@ -5189,6 +5593,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5611,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -9062,7 +9172,7 @@ index 5302dac..2c77493 100644 ## Read all lock files. ## ## -@@ -5317,6 +5742,43 @@ interface(`files_search_pids',` +@@ -5335,6 +5760,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -9106,7 +9216,7 @@ index 5302dac..2c77493 100644 ######################################## ## ## Do not audit attempts to search -@@ -5524,6 +5986,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6004,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -9169,7 +9279,7 @@ index 5302dac..2c77493 100644 ## Read all process ID files. ## ## -@@ -5541,6 +6059,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6077,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -9214,7 +9324,7 @@ index 5302dac..2c77493 100644 ') ######################################## -@@ -5826,3 +6382,247 @@ interface(`files_unconfined',` +@@ -5844,3 +6400,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -9463,7 +9573,7 @@ index 5302dac..2c77493 100644 + allow $1 file_type:kernel_service create_files_as; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 07352a5..12e9ecf 100644 +index ba9529a..cd45491 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -11,6 +11,7 @@ attribute lockfile; @@ -9519,7 +9629,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 437a42a..725b363 100644 +index dfe361a..99984fd 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` @@ -9908,7 +10018,7 @@ index 437a42a..725b363 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3970,6 +4168,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3989,6 +4187,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -9951,7 +10061,7 @@ index 437a42a..725b363 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4252,6 +4486,8 @@ interface(`fs_mount_all_fs',` +@@ -4271,6 +4505,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -9960,7 +10070,7 @@ index 437a42a..725b363 100644 ') ######################################## -@@ -4662,3 +4898,24 @@ interface(`fs_unconfined',` +@@ -4681,3 +4917,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -9986,7 +10096,7 @@ index 437a42a..725b363 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 0dff98e..7f1a558 100644 +index 6d21b3d..255b47a 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -52,6 +52,7 @@ type anon_inodefs_t; @@ -10064,33 +10174,13 @@ index 0dff98e..7f1a558 100644 # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index ed7667a..10c14fe 100644 +index b4ad6d7..0937933 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if -@@ -698,6 +698,46 @@ interface(`kernel_read_debugfs',` +@@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` ######################################## ## -+## Read/Write information from the debugging filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_rw_debugfs',` -+ gen_require(` -+ type debugfs_t; -+ ') -+ -+ rw_files_pattern($1, debugfs_t, debugfs_t) -+ read_lnk_files_pattern($1, debugfs_t, debugfs_t) -+ list_dirs_pattern($1, debugfs_t, debugfs_t) -+') -+ -+######################################## -+## +## Manage information from the debugging filesystem. +## +## @@ -10114,7 +10204,7 @@ index ed7667a..10c14fe 100644 ## Mount a kernel VM filesystem. ## ## -@@ -1977,7 +2017,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2014,7 +2034,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -10123,7 +10213,7 @@ index ed7667a..10c14fe 100644 ') ######################################## -@@ -2380,6 +2420,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2417,6 +2437,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -10148,7 +10238,7 @@ index ed7667a..10c14fe 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2845,6 +2903,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -10173,7 +10263,7 @@ index ed7667a..10c14fe 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2860,3 +2936,23 @@ interface(`kernel_unconfined',` +@@ -2897,3 +2953,23 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; ') @@ -10198,10 +10288,19 @@ index ed7667a..10c14fe 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index e4f98ce..806026c 100644 +index 25a817f..c26b4c8 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) + + type debugfs_t; + fs_type(debugfs_t) ++files_mountpoint(debugfs_t) ++ + allow debugfs_t self:filesystem associate; + genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) + +@@ -156,6 +158,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -10209,7 +10308,7 @@ index e4f98ce..806026c 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -254,7 +255,8 @@ fs_unmount_all_fs(kernel_t) +@@ -254,7 +257,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -10219,7 +10318,7 @@ index e4f98ce..806026c 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -268,19 +270,29 @@ files_list_root(kernel_t) +@@ -268,19 +272,29 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -10249,7 +10348,7 @@ index e4f98ce..806026c 100644 optional_policy(` hotplug_search_config(kernel_t) ') -@@ -357,6 +369,10 @@ optional_policy(` +@@ -357,6 +371,10 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -10401,17 +10500,25 @@ index 3723150..bde6daa 100644 dev_add_entry_generic_dirs($1) ') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 3994e57..ee146ae 100644 +index 3994e57..43aa641 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc -@@ -40,3 +40,5 @@ ifdef(`distro_gentoo',` +@@ -18,6 +18,7 @@ + /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) + /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) + /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + + /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) +@@ -40,3 +41,5 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 492bf76..a177011 100644 +index 492bf76..525563a 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',` @@ -10516,8 +10623,31 @@ index 492bf76..a177011 100644 ') ######################################## +@@ -1468,3 +1473,22 @@ interface(`term_dontaudit_use_all_user_ttys',` + refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') + term_dontaudit_use_all_ttys($1) + ') ++ ++##################################### ++## ++## Read from and write to the virtio console. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_use_virtio_console',` ++ gen_require(` ++ type virtio_device_t; ++ ') ++ ++ dev_list_all_dev_nodes($1) ++ allow $1 virtio_device_t:chr_file rw_chr_file_perms; ++') diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te -index 646bbcf..a5deade 100644 +index 646bbcf..49d77df 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -29,6 +29,7 @@ files_mountpoint(devpts_t) @@ -10528,6 +10658,57 @@ index 646bbcf..a5deade 100644 # # devtty_t is the type of /dev/tty. +@@ -56,3 +57,9 @@ dev_node(tty_device_t) + # + type usbtty_device_t, serial_device; + dev_node(usbtty_device_t) ++ ++# ++# virtio_device_t is the type of /dev/vport[0-9]p[0-9] ++# ++type virtio_device_t, serial_device; ++dev_node(virtio_device_t) +diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc +new file mode 100644 +index 0000000..f310b9d +--- /dev/null ++++ b/policy/modules/kernel/unlabelednet.fc +@@ -0,0 +1 @@ ++# No unlabelednet file contexts. +diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if +new file mode 100644 +index 0000000..ba2f0b8 +--- /dev/null ++++ b/policy/modules/kernel/unlabelednet.if +@@ -0,0 +1,19 @@ ++## Policy for allowing confined domains to talk use unlabeled_t packets. ++ ++######################################## ++## ++## Allow specified type to send recv unlabeled packets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unlabelednet_sendrecv_packets',` ++ gen_require(` ++ attribute unlabelednet_domain; ++ ') ++ ++ kernel_sendrecv_unlabeled_association($1) ++') +diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te +new file mode 100644 +index 0000000..dee5ba8 +--- /dev/null ++++ b/policy/modules/kernel/unlabelednet.te +@@ -0,0 +1,3 @@ ++policy_module(unlabelednet, 1.0) ++ ++attribute unlabelednet_domain; diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te index b0d5b27..a96f2e6 100644 --- a/policy/modules/roles/auditadm.te @@ -11796,7 +11977,7 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..31bbe95 +index 0000000..7d5de28 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,489 @@ @@ -11810,14 +11991,14 @@ index 0000000..31bbe95 + +## +##

-+## Transition unconfined user to the nsplugin domains when running nspluginviewer ++## allow unconfined users to transition to the nsplugin domains when running nspluginviewer +##

+## +gen_tunable(allow_unconfined_nsplugin_transition, false) + +## +##

-+## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container. ++## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +##

+## +gen_tunable(unconfined_mozilla_plugin_transition, false) @@ -12362,18 +12543,26 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..b8b5c15 100644 +index e88b95f..8929065 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te -@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true) +@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) ## ##

-## Allow xguest to configure Network Manager -+## Allow xguest to configure Network Manager and connect to apache ports ++## Allow xguest users to configure Network Manager and connect to apache ports ##

## gen_tunable(xguest_connect_network, true) + + ## + ##

+-## Allow xguest to use blue tooth devices ++## Allow xguest users to use blue tooth devices + ##

+ ## + gen_tunable(xguest_use_bluetooth, true) @@ -29,12 +29,12 @@ gen_tunable(xguest_use_bluetooth, true) role xguest_r; @@ -13989,7 +14178,7 @@ index c9e1a44..1a1ba36 100644 + dontaudit $1 httpd_tmp_t:file { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 08dfa0c..84e9bea 100644 +index 08dfa0c..ee604fe 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.0) @@ -14341,7 +14530,15 @@ index 08dfa0c..84e9bea 100644 domain_use_interactive_fds(httpd_t) -@@ -402,6 +490,10 @@ files_read_etc_files(httpd_t) +@@ -391,6 +479,7 @@ files_dontaudit_getattr_all_pids(httpd_t) + files_read_usr_files(httpd_t) + files_list_mnt(httpd_t) + files_search_spool(httpd_t) ++files_read_var_symlinks(httpd_t) + files_read_var_lib_files(httpd_t) + files_search_home(httpd_t) + files_getattr_home_dir(httpd_t) +@@ -402,6 +491,10 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -14352,7 +14549,7 @@ index 08dfa0c..84e9bea 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +508,71 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +509,71 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -14426,7 +14623,7 @@ index 08dfa0c..84e9bea 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +585,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +586,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -14437,7 +14634,7 @@ index 08dfa0c..84e9bea 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,8 +599,12 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,8 +600,12 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -14452,7 +14649,7 @@ index 08dfa0c..84e9bea 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,6 +612,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -475,6 +613,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -14465,7 +14662,7 @@ index 08dfa0c..84e9bea 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +627,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +628,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -14482,7 +14679,7 @@ index 08dfa0c..84e9bea 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -500,8 +652,10 @@ tunable_policy(`httpd_ssi_exec',` +@@ -500,8 +653,10 @@ tunable_policy(`httpd_ssi_exec',` # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -14493,7 +14690,7 @@ index 08dfa0c..84e9bea 100644 ') optional_policy(` -@@ -513,7 +667,13 @@ optional_policy(` +@@ -513,7 +668,13 @@ optional_policy(` ') optional_policy(` @@ -14508,7 +14705,7 @@ index 08dfa0c..84e9bea 100644 ') optional_policy(` -@@ -528,7 +688,18 @@ optional_policy(` +@@ -528,7 +689,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -14528,7 +14725,7 @@ index 08dfa0c..84e9bea 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +708,12 @@ optional_policy(` +@@ -537,8 +709,12 @@ optional_policy(` ') optional_policy(` @@ -14542,7 +14739,7 @@ index 08dfa0c..84e9bea 100644 ') ') -@@ -556,7 +731,13 @@ optional_policy(` +@@ -556,7 +732,13 @@ optional_policy(` ') optional_policy(` @@ -14556,7 +14753,7 @@ index 08dfa0c..84e9bea 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +748,7 @@ optional_policy(` +@@ -567,6 +749,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -14564,7 +14761,7 @@ index 08dfa0c..84e9bea 100644 ') optional_policy(` -@@ -577,6 +759,16 @@ optional_policy(` +@@ -577,6 +760,16 @@ optional_policy(` ') optional_policy(` @@ -14581,7 +14778,7 @@ index 08dfa0c..84e9bea 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +783,11 @@ optional_policy(` +@@ -591,6 +784,11 @@ optional_policy(` ') optional_policy(` @@ -14593,7 +14790,7 @@ index 08dfa0c..84e9bea 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +800,11 @@ optional_policy(` +@@ -603,6 +801,11 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -14605,7 +14802,7 @@ index 08dfa0c..84e9bea 100644 ######################################## # # Apache helper local policy -@@ -618,6 +820,10 @@ logging_send_syslog_msg(httpd_helper_t) +@@ -618,6 +821,10 @@ logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) @@ -14616,7 +14813,7 @@ index 08dfa0c..84e9bea 100644 ######################################## # # Apache PHP script local policy -@@ -654,28 +860,27 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +861,27 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -14657,7 +14854,7 @@ index 08dfa0c..84e9bea 100644 ') ######################################## -@@ -699,17 +904,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +905,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -14683,7 +14880,7 @@ index 08dfa0c..84e9bea 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +950,20 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,10 +951,20 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -14705,7 +14902,7 @@ index 08dfa0c..84e9bea 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +989,25 @@ optional_policy(` +@@ -769,6 +990,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -14731,7 +14928,11 @@ index 08dfa0c..84e9bea 100644 ######################################## # # Apache system script local policy -@@ -792,9 +1031,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) +@@ -789,12 +1029,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp + + kernel_read_kernel_sysctls(httpd_sys_script_t) + ++files_read_var_symlinks(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -14745,7 +14946,7 @@ index 08dfa0c..84e9bea 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1046,33 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,6 +1048,33 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -14779,7 +14980,7 @@ index 08dfa0c..84e9bea 100644 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -822,7 +1092,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,7 +1094,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -14788,7 +14989,7 @@ index 08dfa0c..84e9bea 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -830,6 +1100,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -830,6 +1102,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -14809,7 +15010,7 @@ index 08dfa0c..84e9bea 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1126,20 @@ optional_policy(` +@@ -842,10 +1128,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -14830,7 +15031,7 @@ index 08dfa0c..84e9bea 100644 ') ######################################## -@@ -891,11 +1185,21 @@ optional_policy(` +@@ -891,11 +1187,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -15045,6 +15246,21 @@ index 61c74bc..c6b0498 100644 allow $1 avahi_t:dbus send_msg; allow avahi_t $1:dbus send_msg; ') +diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te +index fd64068..2da00a1 100644 +--- a/policy/modules/services/avahi.te ++++ b/policy/modules/services/avahi.te +@@ -104,6 +104,10 @@ optional_policy(` + ') + + optional_policy(` ++ rpcbind_signull(avahi_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(avahi_t) + ') + diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if index 44a1e3d..7e9d2fb 100644 --- a/policy/modules/services/bind.if @@ -16290,6 +16506,16 @@ index 1a65b5e..1bc0bc7 100644 pcscd_stream_connect(certmonger_t) ') + +diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc +index 420c9d3..b6bb46c 100644 +--- a/policy/modules/services/cgroup.fc ++++ b/policy/modules/services/cgroup.fc +@@ -11,4 +11,5 @@ + /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) + /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) + ++/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) + /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if index d020c93..e5cbcef 100644 --- a/policy/modules/services/cgroup.if @@ -16344,10 +16570,19 @@ index d020c93..e5cbcef 100644 cgroup_initrc_domtrans_cgconfig($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te -index 8ca2333..8750492 100644 +index 8ca2333..0a1097b 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te -@@ -22,8 +22,8 @@ files_pid_file(cgred_var_run_t) +@@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t) + type cgred_initrc_exec_t; + init_script_file(cgred_initrc_exec_t) + ++type cgred_log_t; ++logging_log_file(cgred_log_t) ++ + type cgred_var_run_t; + files_pid_file(cgred_var_run_t) + type cgrules_etc_t; files_config_file(cgrules_etc_t) @@ -16358,7 +16593,7 @@ index 8ca2333..8750492 100644 init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; -@@ -52,7 +52,7 @@ fs_unmount_cgroup(cgclear_t) +@@ -52,7 +55,7 @@ fs_unmount_cgroup(cgclear_t) # cgconfig personal policy. # @@ -16367,6 +16602,16 @@ index 8ca2333..8750492 100644 allow cgconfig_t cgconfig_etc_t:file read_file_perms; +@@ -79,6 +82,9 @@ allow cgred_t self:unix_dgram_socket { write create connect }; + + allow cgred_t cgrules_etc_t:file read_file_perms; + ++manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t) ++logging_log_filetrans(cgred_t, cgred_log_t, file) ++ + # rc script creates pid file + manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) + manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if index 9a0da94..2ede737 100644 --- a/policy/modules/services/chronyd.if @@ -18723,7 +18968,7 @@ index e182bf4..f80e725 100644 snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..27a2b36 100644 +index 0d5711c..72fe7a8 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -18826,7 +19071,7 @@ index 0d5711c..27a2b36 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -431,14 +441,27 @@ interface(`dbus_system_domain',` +@@ -431,14 +441,28 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -18836,7 +19081,8 @@ index 0d5711c..27a2b36 100644 dbus_connect_system_bus($1) + init_stream_connect($1) -+ ++ init_dgram_send($1) ++ ps_process_pattern(system_dbusd_t, $1) + userdom_dontaudit_search_admin_dir($1) @@ -18855,7 +19101,7 @@ index 0d5711c..27a2b36 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -497,3 +520,22 @@ interface(`dbus_unconfined',` +@@ -497,3 +521,22 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -20875,7 +21121,7 @@ index 69dcd2a..a9a9116 100644 /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..ce4f73b 100644 +index 8a74a83..b2ca277 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -20898,7 +21144,7 @@ index 8a74a83..ce4f73b 100644 +## +##

-+## Allow interlnal-sftp to read and write files ++## Allow internal-sftp to read and write files +## in the user ssh home directories. +##

+## @@ -25023,7 +25269,7 @@ index fd71d69..bad9920 100644 /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if -index c358d8f..92c9dca 100644 +index c358d8f..fec6a97 100644 --- a/policy/modules/services/munin.if +++ b/policy/modules/services/munin.if @@ -13,10 +13,11 @@ @@ -25055,7 +25301,7 @@ index c358d8f..92c9dca 100644 - corecmd_exec_bin($1_munin_plugin_t) - - miscfiles_read_localization($1_munin_plugin_t) -+ allow munin_t $1_munin_plugin_t:process signal; ++ allow munin_t $1_munin_plugin_t:process signal_perms; ') ######################################## @@ -25111,7 +25357,7 @@ index c358d8f..92c9dca 100644 allow $1 munin_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..0dc6344 100644 +index f17583b..bdeea89 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -25138,7 +25384,7 @@ index f17583b..0dc6344 100644 # -allow munin_t self:capability { chown dac_override setgid setuid }; -+allow munin_t self:capability { chown dac_override setgid setuid sys_rawio }; ++allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio }; dontaudit munin_t self:capability sys_tty_config; allow munin_t self:process { getsched setsched signal_perms }; allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -25507,7 +25753,7 @@ index 8581040..f54b3b8 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index da5b33d..5416fde 100644 +index da5b33d..433417a 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) @@ -25578,7 +25824,15 @@ index da5b33d..5416fde 100644 ') ###################################### -@@ -323,7 +323,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -310,6 +310,7 @@ optional_policy(` + # needed by ioctl() + allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; + ++files_getattr_all_dirs(nagios_checkdisk_plugin_t) + files_read_etc_runtime_files(nagios_checkdisk_plugin_t) + + fs_getattr_all_fs(nagios_checkdisk_plugin_t) +@@ -323,7 +324,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; @@ -25586,7 +25840,7 @@ index da5b33d..5416fde 100644 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; -@@ -340,6 +339,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -340,6 +340,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -28028,7 +28282,7 @@ index 333a1fe..d1cf513 100644 type portmap_tmp_t; files_tmp_file(portmap_tmp_t) diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc -index c69d047..1d9fa76 100644 +index 4313a6f..4995571 100644 --- a/policy/modules/services/portreserve.fc +++ b/policy/modules/services/portreserve.fc @@ -1,3 +1,6 @@ @@ -28037,123 +28291,7 @@ index c69d047..1d9fa76 100644 + /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) - /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) -diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if -index 10300a0..7385056 100644 ---- a/policy/modules/services/portreserve.if -+++ b/policy/modules/services/portreserve.if -@@ -18,6 +18,24 @@ interface(`portreserve_domtrans',` - domtrans_pattern($1, portreserve_exec_t, portreserve_t) - ') - -+######################################## -+## -+## Execute portreserve in the portreserve domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`portreserve_initrc_domtrans',` -+ gen_require(` -+ type portreserve_initrc_exec_t; -+ ') -+ -+ init_labeled_script_domtrans($1, portreserve_initrc_exec_t) -+') -+ - ####################################### - ## - ## Allow the specified domain to read -@@ -29,7 +47,6 @@ interface(`portreserve_domtrans',` - ## - ## - ## --## - # - interface(`portreserve_read_config',` - gen_require(` -@@ -52,7 +69,6 @@ interface(`portreserve_read_config',` - ## Domain allowed access. - ## - ## --## - # - interface(`portreserve_manage_config',` - gen_require(` -@@ -64,3 +80,41 @@ interface(`portreserve_manage_config',` - manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) - read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) - ') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an portreserve environment. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`portreserve_admin',` -+ gen_require(` -+ type portreserve_t, portreserve_etc_t, portreserve_var_run_t; -+ type portreserve_initrc_exec_t; -+ ') -+ -+ allow $1 portreserve_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, portreserve_t) -+ -+ portreserve_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 portreserve_initrc_exec_t system_r; -+ allow $2 system_r; -+ -+ files_list_etc($1) -+ admin_pattern($1, portreserve_etc_t) -+ -+ files_list_pids($1) -+ admin_pattern($1, portreserve_var_run_t) -+') -diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te -index 4f2dae1..e091aba 100644 ---- a/policy/modules/services/portreserve.te -+++ b/policy/modules/services/portreserve.te -@@ -9,6 +9,9 @@ type portreserve_t; - type portreserve_exec_t; - init_daemon_domain(portreserve_t, portreserve_exec_t) - -+type portreserve_initrc_exec_t; -+init_script_file(portreserve_initrc_exec_t) -+ - type portreserve_etc_t; - files_type(portreserve_etc_t) - -@@ -35,7 +38,7 @@ read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) - manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) - manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) - manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) --files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file }) -+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }) - - corecmd_getattr_bin_files(portreserve_t) - -@@ -47,3 +50,5 @@ corenet_tcp_bind_all_ports(portreserve_t) - corenet_udp_bind_all_ports(portreserve_t) - - files_read_etc_files(portreserve_t) -+ -+userdom_dontaudit_search_user_home_content(portreserve_t) + /etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc index 55e62d2..c114a40 100644 --- a/policy/modules/services/postfix.fc @@ -29285,30 +29423,11 @@ index 7e84587..7a7310d 100644 allow prelude_lml_t self:fifo_file rw_fifo_file_perms; allow prelude_lml_t self:unix_stream_socket connectto; -diff --git a/policy/modules/services/privoxy.if b/policy/modules/services/privoxy.if -index 1da26dc..7221526 100644 ---- a/policy/modules/services/privoxy.if -+++ b/policy/modules/services/privoxy.if -@@ -19,12 +19,11 @@ - # - interface(`privoxy_admin',` - gen_require(` -- type privoxy_t, privoxy_log_t; -+ type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t; - type privoxy_etc_rw_t, privoxy_var_run_t; -- type privoxy_initrc_exec_t; - ') - -- allow $1 privoxy_t:process { ptrace signal_perms getattr }; -+ allow $1 privoxy_t:process { ptrace signal_perms }; - ps_process_pattern($1, privoxy_t) - - init_labeled_script_domtrans($1, privoxy_initrc_exec_t) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te -index 0d295a8..2404ddc 100644 +index 6f1b2c3..3f1a3fe 100644 --- a/policy/modules/services/privoxy.te +++ b/policy/modules/services/privoxy.te -@@ -6,10 +6,10 @@ policy_module(privoxy, 1.10.0) +@@ -6,10 +6,10 @@ policy_module(privoxy, 1.10.1) # ## @@ -29323,19 +29442,6 @@ index 0d295a8..2404ddc 100644 ## gen_tunable(privoxy_connect_any, false) -@@ -58,10 +58,12 @@ corenet_tcp_bind_generic_node(privoxy_t) - corenet_tcp_bind_http_cache_port(privoxy_t) - corenet_tcp_connect_http_port(privoxy_t) - corenet_tcp_connect_http_cache_port(privoxy_t) -+corenet_tcp_connect_squid_port(privoxy_t) - corenet_tcp_connect_ftp_port(privoxy_t) - corenet_tcp_connect_pgpkeyserver_port(privoxy_t) - corenet_tcp_connect_tor_port(privoxy_t) - corenet_sendrecv_http_cache_client_packets(privoxy_t) -+corenet_sendrecv_squid_client_packets(privoxy_t) - corenet_sendrecv_http_cache_server_packets(privoxy_t) - corenet_sendrecv_http_client_packets(privoxy_t) - corenet_sendrecv_ftp_client_packets(privoxy_t) diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc index 1343621..4b36a13 100644 --- a/policy/modules/services/procmail.fc @@ -30367,51 +30473,6 @@ index 0000000..d9c56d4 + corosync_stream_connect(qpidd_t) +') + -diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if -index 9a78598..8f132e7 100644 ---- a/policy/modules/services/radius.if -+++ b/policy/modules/services/radius.if -@@ -38,7 +38,7 @@ interface(`radius_admin',` - type radiusd_initrc_exec_t; - ') - -- allow $1 radiusd_t:process { ptrace signal_perms getattr }; -+ allow $1 radiusd_t:process { ptrace signal_perms }; - ps_process_pattern($1, radiusd_t) - - init_labeled_script_domtrans($1, radiusd_initrc_exec_t) -diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te -index db6296a..b3f1fd3 100644 ---- a/policy/modules/services/radius.te -+++ b/policy/modules/services/radius.te -@@ -36,7 +36,7 @@ files_pid_file(radiusd_var_run_t) - # gzip also needs chown access to preserve GID for radwtmp files - allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; - dontaudit radiusd_t self:capability sys_tty_config; --allow radiusd_t self:process { getsched setsched sigkill signal }; -+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; - allow radiusd_t self:fifo_file rw_fifo_file_perms; - allow radiusd_t self:unix_stream_socket create_stream_socket_perms; - allow radiusd_t self:tcp_socket create_stream_socket_perms; -@@ -59,8 +59,9 @@ logging_log_filetrans(radiusd_t, radiusd_log_t,{ file dir }) - manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) - - manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) -+manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) - manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) --files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file }) -+files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) - - kernel_read_kernel_sysctls(radiusd_t) - kernel_read_system_state(radiusd_t) -@@ -129,6 +130,7 @@ optional_policy(` - ') - - optional_policy(` -+ samba_domtrans_winbind_helper(radiusd_t) - samba_read_var_files(radiusd_t) - ') - diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if index be05bff..2bd662a 100644 --- a/policy/modules/services/radvd.if @@ -31989,7 +32050,7 @@ index f5c47d6..5a965e9 100644 /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if -index a96249c..0458ba7 100644 +index a96249c..3942dfc 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if @@ -5,9 +5,9 @@ @@ -32014,7 +32075,32 @@ index a96249c..0458ba7 100644 ') ######################################## -@@ -141,8 +140,14 @@ interface(`rpcbind_admin',` +@@ -117,6 +116,24 @@ interface(`rpcbind_manage_lib_files',` + + ######################################## + ## ++## Send a null signal to rpcbind. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpcbind_signull',` ++ gen_require(` ++ type rpcbind_t; ++ ') ++ ++ allow $1 rpcbind_t:process signull; ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an rpcbind environment + ## +@@ -141,8 +158,14 @@ interface(`rpcbind_admin',` allow $1 rpcbind_t:process { ptrace signal_perms }; ps_process_pattern($1, rpcbind_t) @@ -33191,50 +33277,19 @@ index 4804f14..6f49778 100644 term_dontaudit_search_ptys(fsdaemon_t) -diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if -index 824d206..8265278 100644 ---- a/policy/modules/services/smokeping.if -+++ b/policy/modules/services/smokeping.if -@@ -5,9 +5,9 @@ - ## Execute a domain transition to run smokeping. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`smokeping_domtrans',` diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te -index 4ca5449..247beaf 100644 +index 688fbd0..5873bce 100644 --- a/policy/modules/services/smokeping.te +++ b/policy/modules/services/smokeping.te -@@ -23,6 +23,7 @@ files_type(smokeping_var_lib_t) +@@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t) # smokeping local policy # +-dontaudit smokeping_t self:capability { dac_read_search dac_override }; +dontaudit smokeping_t self:capability { dac_read_search dac_override }; allow smokeping_t self:fifo_file rw_fifo_file_perms; allow smokeping_t self:udp_socket create_socket_perms; allow smokeping_t self:unix_stream_socket create_stream_socket_perms; -@@ -44,6 +45,7 @@ files_read_usr_files(smokeping_t) - files_search_tmp(smokeping_t) - - auth_use_nsswitch(smokeping_t) -+auth_dontaudit_read_shadow(smokeping_t) - - logging_send_syslog_msg(smokeping_t) - -@@ -63,6 +65,7 @@ optional_policy(` - - allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms; - -+ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - - getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc index 623c8fa..ac10740 100644 --- a/policy/modules/services/snmp.fc @@ -35447,62 +35502,8 @@ index 831b4a3..a206464 100644 /usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) /var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) -diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if -index b078bf7..fd72fe8 100644 ---- a/policy/modules/services/ulogd.if -+++ b/policy/modules/services/ulogd.if -@@ -5,9 +5,9 @@ - ## Execute a domain transition to run ulogd. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`ulogd_domtrans',` -@@ -65,9 +65,9 @@ interface(`ulogd_read_log',` - ## Allow the specified domain to search ulogd's log files. - ## - ## --## -+## - ## Domain allowed access. --## -+## - ## - # - interface(`ulogd_search_log',` -@@ -119,9 +119,8 @@ interface(`ulogd_append_log',` - # - interface(`ulogd_admin',` - gen_require(` -- type ulogd_t, ulogd_etc_t; -+ type ulogd_t, ulogd_etc_t, ulogd_modules_t; - type ulogd_var_log_t, ulogd_initrc_exec_t; -- type ulogd_modules_t; - ') - - allow $1 ulogd_t:process { ptrace signal_perms }; -@@ -132,12 +131,12 @@ interface(`ulogd_admin',` - role_transition $2 ulogd_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_etc($1) -+ files_list_etc($1) - admin_pattern($1, ulogd_etc_t) - - logging_list_logs($1) - admin_pattern($1, ulogd_var_log_t) - -- files_search_usr($1) -+ files_list_usr($1) - admin_pattern($1, ulogd_modules_t) - ') diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te -index eeaa641..6456c06 100644 +index 00aa99e..eab7ef5 100644 --- a/policy/modules/services/ulogd.te +++ b/policy/modules/services/ulogd.te @@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t) @@ -35520,27 +35521,6 @@ index eeaa641..6456c06 100644 # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -@@ -43,6 +48,19 @@ mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) - manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) - logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) - --files_search_etc(ulogd_t) -+files_read_etc_files(ulogd_t) -+files_read_usr_files(ulogd_t) - - miscfiles_read_localization(ulogd_t) -+ -+sysnet_dns_name_resolve(ulogd_t) -+ -+optional_policy(` -+ mysql_stream_connect(ulogd_t) -+ mysql_tcp_connect(ulogd_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(ulogd_t) -+ postgresql_tcp_connect(ulogd_t) -+') diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te index c2cf97e..037a1e8 100644 --- a/policy/modules/services/uptime.te @@ -35554,212 +35534,24 @@ index c2cf97e..037a1e8 100644 allow uptimed_t uptimed_etc_t:file read_file_perms; files_search_etc(uptimed_t) -diff --git a/policy/modules/services/usbmuxd.fc b/policy/modules/services/usbmuxd.fc -index fa54aee..40b8b8d 100644 ---- a/policy/modules/services/usbmuxd.fc -+++ b/policy/modules/services/usbmuxd.fc -@@ -1,3 +1,3 @@ - /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) - --/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) -diff --git a/policy/modules/services/usbmuxd.if b/policy/modules/services/usbmuxd.if -index 5015043..53792d3 100644 ---- a/policy/modules/services/usbmuxd.if -+++ b/policy/modules/services/usbmuxd.if -@@ -5,9 +5,9 @@ - ## Execute a domain transition to run usbmuxd. - ## - ## --## -+## - ## Domain allowed to transition. --## -+## - ## - # - interface(`usbmuxd_domtrans',` -diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if -index a4fbe31..a717e2d 100644 ---- a/policy/modules/services/uucp.if -+++ b/policy/modules/services/uucp.if -@@ -2,6 +2,25 @@ - - ######################################## - ## -+## Execute the uucico program in the -+## uucpd_t domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`uucp_domtrans',` -+ gen_require(` -+ type uucpd_t, uucpd_exec_t; -+ ') -+ -+ domtrans_pattern($1, uucpd_exec_t, uucpd_t) -+') -+ -+######################################## -+## - ## Allow the specified domain to append - ## to uucp log files. - ## -@@ -80,7 +99,7 @@ interface(`uucp_admin',` - type uucpd_var_run_t; - ') - -- allow $1 uucpd_t:process { ptrace signal_perms getattr }; -+ allow $1 uucpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, uucpd_t) - - logging_list_logs($1) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index b775aaf..7718dbb 100644 +index 9001230..7ff3ef8 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te -@@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0) - type uucpd_t; - type uucpd_exec_t; - inetd_tcp_service_domain(uucpd_t, uucpd_exec_t) --role system_r types uucpd_t; - - type uucpd_lock_t; - files_lock_file(uucpd_lock_t) -@@ -83,6 +82,7 @@ corenet_tcp_sendrecv_generic_node(uucpd_t) - corenet_udp_sendrecv_generic_node(uucpd_t) - corenet_tcp_sendrecv_all_ports(uucpd_t) - corenet_udp_sendrecv_all_ports(uucpd_t) -+corenet_tcp_connect_ssh_port(uucpd_t) - - dev_read_urand(uucpd_t) - -@@ -113,13 +113,19 @@ optional_policy(` - kerberos_use(uucpd_t) - ') - -+optional_policy(` -+ ssh_exec(uucpd_t) -+') -+ - ######################################## - # - # UUX Local policy - # - +@@ -125,6 +125,8 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; --allow uux_t self:fifo_file write_file_perms; -+allow uux_t self:fifo_file write_fifo_file_perms; -+ -+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) + allow uux_t self:fifo_file write_fifo_file_perms; ++domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) ++ uucp_append_log(uux_t) uucp_manage_spool(uux_t) -diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if -index b4d90ac..fe5ce10 100644 ---- a/policy/modules/services/varnishd.if -+++ b/policy/modules/services/varnishd.if -@@ -21,7 +21,7 @@ interface(`varnishd_domtrans',` - ####################################### - ## --## Execute varnishd -+## Execute varnishd - ## - ## - ## -@@ -56,6 +56,25 @@ interface(`varnishd_read_config',` - read_files_pattern($1, varnishd_etc_t, varnishd_etc_t) - ') - -+##################################### -+## -+## Read varnish lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`varnishd_read_lib_files',` -+ gen_require(` -+ type varnishd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t) -+') -+ - ####################################### - ## - ## Read varnish logs. -@@ -132,9 +151,8 @@ interface(`varnishd_manage_log',` - # - interface(`varnishd_admin_varnishlog',` - gen_require(` -- type varnishlog_t; -- type varnishlog_var_run_t, varnishlog_log_t; -- type varnishlog_initrc_exec_t; -+ type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; -+ type varnishlog_var_run_t; - ') - - allow $1 varnishlog_t:process { ptrace signal_perms }; -@@ -145,12 +163,11 @@ interface(`varnishd_admin_varnishlog',` - role_transition $2 varnishlog_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_pids($1) -- admin_pattern($1, varnishlog_var_run_t) -+ files_list_pids($1) -+ admin_pattern($1, varnishlog_var_run_t) - - logging_list_logs($1) - admin_pattern($1, varnishlog_log_t) -- - ') - - ####################################### -@@ -173,7 +190,7 @@ interface(`varnishd_admin_varnishlog',` - interface(`varnishd_admin',` - gen_require(` - type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; -- type varnishd_var_run_t, varnishd_tmp_t; -+ type varnishd_var_run_t, varnishd_tmp_t; - type varnishd_initrc_exec_t; - ') - -@@ -185,16 +202,15 @@ interface(`varnishd_admin',` - role_transition $2 varnishd_initrc_exec_t system_r; - allow $2 system_r; - -- files_search_var_lib($1) -+ files_list_var_lib($1) - admin_pattern($1, varnishd_var_lib_t) - -- files_search_etc($1) -+ files_list_etc($1) - admin_pattern($1, varnishd_etc_t) - -- files_search_pids($1) -+ files_list_pids($1) - admin_pattern($1, varnishd_var_run_t) - -- files_search_tmp($1) -+ files_list_tmp($1) - admin_pattern($1, varnishd_tmp_t) -- - ') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te -index 1cc80e8..c6bf70e 100644 +index e385c83..6524574 100644 --- a/policy/modules/services/varnishd.te +++ b/policy/modules/services/varnishd.te -@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.0) +@@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.1) # ## @@ -35774,51 +35566,31 @@ index 1cc80e8..c6bf70e 100644 ## gen_tunable(varnishd_connect_any, false) -@@ -50,7 +50,8 @@ files_type(varnishlog_log_t) - # varnishd local policy - # - --allow varnishd_t self:capability { dac_override ipc_lock setuid setgid }; -+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; -+dontaudit varnishd_t self:capability sys_tty_config; - allow varnishd_t self:process signal; - allow varnishd_t self:fifo_file rw_fifo_file_perms; - allow varnishd_t self:tcp_socket create_stream_socket_perms; -@@ -69,7 +70,7 @@ manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t) - files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file }) - - manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t) --files_pid_filetrans(varnishd_t, varnishd_var_run_t, { file }) -+files_pid_filetrans(varnishd_t, varnishd_var_run_t, file) - - kernel_read_system_state(varnishd_t) - -@@ -107,7 +108,7 @@ tunable_policy(`varnishd_connect_any',` - # - - manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t) --files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, { file }) -+files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file) - - manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) - manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc new file mode 100644 -index 0000000..bb0a79c +index 0000000..71d9784 --- /dev/null +++ b/policy/modules/services/vdagent.fc -@@ -0,0 +1,4 @@ +@@ -0,0 +1,11 @@ ++ ++/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0) ++ ++/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) ++/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0) ++ ++/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0) ++/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0) ++ + -+/sbin/vdagent -- gen_context(system_u:object_r:vdagent_exec_t,s0) + -+/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if new file mode 100644 -index 0000000..35020c8 +index 0000000..83336ab --- /dev/null +++ b/policy/modules/services/vdagent.if -@@ -0,0 +1,39 @@ -+## The spice guest agent daemon. +@@ -0,0 +1,93 @@ ++ ++## policy for vdagent + + +######################################## @@ -35839,9 +35611,10 @@ index 0000000..35020c8 + domtrans_pattern($1, vdagent_exec_t, vdagent_t) +') + ++ +######################################## +## -+## Connect to vdagent over an unix stream socket. ++## Read vdagent PID files. +## +## +## @@ -35849,20 +35622,72 @@ index 0000000..35020c8 +## +## +# -+interface(`vdagent_stream_connect',` ++interface(`vdagent_read_pid_files',` + gen_require(` -+ type vdagent_t, vdagent_var_run_t; ++ type vdagent_var_run_t; + ') + + files_search_pids($1) -+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) ++ allow $1 vdagent_var_run_t:file read_file_perms; +') ++ ++##################################### ++## ++## Connect to vdagent over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vdagent_stream_connect',` ++ gen_require(` ++ type vdagent_var_run_t, vdagent_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an vdagent environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`vdagent_admin',` ++ gen_require(` ++ type vdagent_t; ++ type vdagent_var_run_t; ++ ') ++ ++ allow $1 vdagent_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, vdagent_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, vdagent_var_run_t) ++ ++') ++ diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te new file mode 100644 -index 0000000..87d5c8c +index 0000000..324365e --- /dev/null +++ b/policy/modules/services/vdagent.te -@@ -0,0 +1,38 @@ +@@ -0,0 +1,50 @@ +policy_module(vdagent,1.0.0) + +######################################## @@ -35872,35 +35697,47 @@ index 0000000..87d5c8c + +type vdagent_t; +type vdagent_exec_t; -+udev_system_domain(vdagent_t, vdagent_exec_t) ++init_daemon_domain(vdagent_t, vdagent_exec_t) ++ ++permissive vdagent_t; + +type vdagent_var_run_t; +files_pid_file(vdagent_var_run_t) + -+permissive vdagent_t; ++type vdagent_log_t; ++logging_log_file(vdagent_log_t) + +######################################## +# +# vdagent local policy +# -+allow vdagent_t self:process { fork }; + +allow vdagent_t self:fifo_file rw_fifo_file_perms; +allow vdagent_t self:unix_stream_socket create_stream_socket_perms; + -+manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) +manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) +manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) -+manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) -+files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file }) ++files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file }) + -+domain_use_interactive_fds(vdagent_t) ++manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) ++manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) ++logging_log_filetrans(vdagent_t, vdagent_log_t, { file }) + -+files_read_etc_files(vdagent_t) ++dev_rw_input_dev(vdagent_t) ++ ++term_use_virtio_console(vdagent_t) + +miscfiles_read_localization(vdagent_t) + -+userdom_use_user_ptys(vdagent_t) ++optional_policy(` ++ consolekit_dbus_chat(vdagent_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(vdagent_t) ++') ++ diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if index 1f872b5..da605ba 100644 --- a/policy/modules/services/vhostmd.if @@ -36301,7 +36138,7 @@ index 7c5d8d8..dbdc0e0 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..500f8e9 100644 +index 3eca020..a48a862 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) @@ -36315,7 +36152,7 @@ index 3eca020..500f8e9 100644 -## Allow virt to use serial/parallell communication ports -##

+##

-+## Allow virt to use serial/parallell communication ports ++## Allow confined virtual guests to use serial/parallel communication ports +##

## gen_tunable(virt_use_comm, false) @@ -36325,7 +36162,7 @@ index 3eca020..500f8e9 100644 -## Allow virt to read fuse files -##

+##

-+## Allow virt to read fuse files ++## Allow confined virtual guests to read fuse files +##

## gen_tunable(virt_use_fusefs, false) @@ -36335,7 +36172,7 @@ index 3eca020..500f8e9 100644 -## Allow virt to manage nfs files -##

+##

-+## Allow virt to manage nfs files ++## Allow confined virtual guests to manage nfs files +##

## gen_tunable(virt_use_nfs, false) @@ -36345,7 +36182,7 @@ index 3eca020..500f8e9 100644 -## Allow virt to manage cifs files -##

+##

-+## Allow virt to manage cifs files ++## Allow confined virtual guests to manage cifs files +##

## gen_tunable(virt_use_samba, false) @@ -36355,7 +36192,7 @@ index 3eca020..500f8e9 100644 -## Allow virt to manage device configuration, (pci) -##

+##

-+## Allow virt to manage device configuration, (pci) ++## Allow confined virtual guests to manage device configuration, (pci) +##

## gen_tunable(virt_use_sysfs, false) @@ -36365,14 +36202,14 @@ index 3eca020..500f8e9 100644 -## Allow virt to use usb devices -##

+##

-+## Allow virtual machine to interact with the xserver ++## Allow confined virtual guests to interact with the xserver +##

+## +gen_tunable(virt_use_xserver, false) + +## +##

-+## Allow virt to use usb devices ++## Allow confined virtual guests to use usb devices +##

## gen_tunable(virt_use_usb, true) @@ -38171,7 +38008,7 @@ index da2601a..4b06508 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index e226da4..eb4294e 100644 +index e226da4..1ada171 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -38199,14 +38036,14 @@ index e226da4..eb4294e 100644 +## ##

-## Allow xdm logins as sysadm -+## Allows xdm to execute bootloader ++## Allow the graphical login program to execute bootloader ##

## +gen_tunable(xdm_exec_bootloader, false) + +## +##

-+## Allow xdm logins as sysadm ++## Allow the graphical login program to login directly as sysadm_r:sysadm_t +##

+## gen_tunable(xdm_sysadm_login, false) @@ -40425,7 +40262,7 @@ index 408f4e6..55c2d03 100644 auth_rw_login_records(getty_t) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index 1fd31c1..683494c 100644 +index 1fcd657..52063bc 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -28,15 +28,18 @@ dev_read_sysfs(hostname_t) @@ -40447,17 +40284,6 @@ index 1fd31c1..683494c 100644 fs_dontaudit_use_tmpfs_chr_dev(hostname_t) term_dontaudit_use_console(hostname_t) -@@ -55,6 +58,10 @@ sysnet_read_config(hostname_t) - sysnet_dns_name_resolve(hostname_t) - - optional_policy(` -+ nis_use_ypbind(hostname_t) -+') -+ -+optional_policy(` - xen_append_log(hostname_t) - xen_dontaudit_use_fds(hostname_t) - ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index 9775375..41a244a 100644 --- a/policy/modules/system/init.fc @@ -40494,7 +40320,7 @@ index 9775375..41a244a 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index df3fa64..b123b4a 100644 +index df3fa64..36da732 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` @@ -40563,7 +40389,7 @@ index df3fa64..b123b4a 100644 ') application_domain($1,$2) -@@ -345,6 +368,19 @@ interface(`init_system_domain',` +@@ -345,6 +368,20 @@ interface(`init_system_domain',` role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -40579,11 +40405,12 @@ index df3fa64..b123b4a 100644 + allow init_t $1:process siginh; + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; ++ dontaudit $1 init_t:unix_stream_socket { read getattr ioctl }; + ') ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -353,6 +389,37 @@ interface(`init_system_domain',` +@@ -353,6 +390,37 @@ interface(`init_system_domain',` kernel_dontaudit_use_fds($1) ') ') @@ -40621,7 +40448,7 @@ index df3fa64..b123b4a 100644 ') ######################################## -@@ -687,19 +754,24 @@ interface(`init_telinit',` +@@ -687,19 +755,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -40647,7 +40474,7 @@ index df3fa64..b123b4a 100644 ') ') -@@ -772,18 +844,19 @@ interface(`init_script_file_entry_type',` +@@ -772,18 +845,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -40671,7 +40498,7 @@ index df3fa64..b123b4a 100644 ') ') -@@ -799,23 +872,45 @@ interface(`init_spec_domtrans_script',` +@@ -799,23 +873,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -40721,7 +40548,7 @@ index df3fa64..b123b4a 100644 ## Execute a init script in a specified domain. ## ## -@@ -867,8 +962,12 @@ interface(`init_script_file_domtrans',` +@@ -867,8 +963,12 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -40734,7 +40561,7 @@ index df3fa64..b123b4a 100644 domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1129,12 +1228,7 @@ interface(`init_read_script_state',` +@@ -1129,12 +1229,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -40748,7 +40575,7 @@ index df3fa64..b123b4a 100644 ') ######################################## -@@ -1374,6 +1468,27 @@ interface(`init_dbus_send_script',` +@@ -1374,6 +1469,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -40776,7 +40603,7 @@ index df3fa64..b123b4a 100644 ## init scripts over dbus. ## ## -@@ -1460,6 +1575,25 @@ interface(`init_getattr_script_status_files',` +@@ -1460,6 +1576,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -40802,7 +40629,7 @@ index df3fa64..b123b4a 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1673,7 +1807,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1673,7 +1808,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -40811,7 +40638,7 @@ index df3fa64..b123b4a 100644 ') ######################################## -@@ -1748,3 +1882,74 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1748,3 +1883,93 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -40886,8 +40713,27 @@ index df3fa64..b123b4a 100644 + + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') ++ ++######################################## ++## ++## Send a message to init over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_dgram_send',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_dgram_socket sendto; ++') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8a105fd..fda765f 100644 +index 8a105fd..2981ece 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -41094,8 +40940,8 @@ index 8a105fd..fda765f 100644 + files_manage_generic_tmp_dirs(init_t) + files_relabelfrom_tmp_dirs(init_t) + files_relabelfrom_tmp_files(init_t) -+ files_relabelto_all_tmp_dirs(init_t) -+ files_relabelto_all_tmp_files(init_t) ++ files_relabel_all_tmp_dirs(init_t) ++ files_relabel_all_tmp_files(init_t) + + auth_manage_faillog(init_t) + auth_relabel_faillog(init_t) @@ -43009,51 +42855,11 @@ index 86ef2da..7f649d5 100644 modutils_domtrans_insmod(lvm_t) ') -diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 7711464..a8bd9fe 100644 ---- a/policy/modules/system/miscfiles.fc -+++ b/policy/modules/system/miscfiles.fc -@@ -10,7 +10,9 @@ ifdef(`distro_gentoo',` - # - /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) - /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -+/etc/timezone -- gen_context(system_u:object_r:locale_t,s0) - /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -+/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) - - ifdef(`distro_redhat',` - /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -@@ -75,13 +77,11 @@ ifdef(`distro_redhat',` - /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) - --/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) -- - /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) - --/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -+/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) - --/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) -+/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) - - ifdef(`distro_debian',` - /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fe4e741..1dfa62a 100644 +index 926ba65..1dfa62a 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if -@@ -414,9 +414,6 @@ interface(`miscfiles_read_localization',` - allow $1 locale_t:dir list_dir_perms; - read_files_pattern($1, locale_t, locale_t) - read_lnk_files_pattern($1, locale_t, locale_t) -- -- # why? -- libs_read_lib_files($1) - ') - - ######################################## -@@ -585,6 +582,26 @@ interface(`miscfiles_manage_man_pages',` +@@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',` ######################################## ## @@ -43081,10 +42887,10 @@ index fe4e741..1dfa62a 100644 ## transfer services. ## diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te -index c51f7f5..59c70bf 100644 +index 2cb10d4..6c33b3b 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te -@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.8.1) +@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.8.2) # # Declarations # @@ -43092,14 +42898,6 @@ index c51f7f5..59c70bf 100644 attribute cert_type; # -@@ -12,6 +11,7 @@ attribute cert_type; - # - type cert_t; - miscfiles_cert_type(cert_t) -+ - # - # fonts_t is the type of various font - # files in /usr diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 9c0faab..def8d5a 100644 --- a/policy/modules/system/modutils.if @@ -43497,7 +43295,7 @@ index 8b5c196..b195f9d 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index fca6947..5dadaa8 100644 +index 6fe8471..be5821a 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -43547,7 +43345,7 @@ index fca6947..5dadaa8 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,50 +68,85 @@ can_exec(mount_t, mount_exec_t) +@@ -46,8 +68,23 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -43564,12 +43362,14 @@ index fca6947..5dadaa8 100644 kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) --kernel_dontaudit_getattr_core_if(mount_t) +kernel_manage_debugfs(mount_t) +kernel_setsched(mount_t) +kernel_use_fds(mount_t) +kernel_request_load_module(mount_t) - + kernel_dontaudit_getattr_core_if(mount_t) + kernel_dontaudit_write_debugfs_dirs(mount_t) + kernel_dontaudit_write_proc_dirs(mount_t) +@@ -55,46 +92,68 @@ kernel_dontaudit_write_proc_dirs(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -43579,13 +43379,17 @@ index fca6947..5dadaa8 100644 +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) +dev_read_sysfs(mount_t) + dev_read_sysfs(mount_t) + dev_dontaudit_write_sysfs_dirs(mount_t) dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) dev_getattr_sound_dev(mount_t) ++ +ifdef(`hide_broken_symptoms',` + dev_rw_generic_blk_files(mount_t) +') ++ # Early devtmpfs, before udev relabel dev_dontaudit_rw_generic_chr_files(mount_t) @@ -43615,7 +43419,7 @@ index fca6947..5dadaa8 100644 # For reading cert files files_read_usr_files(mount_t) files_list_mnt(mount_t) -+files_write_all_dirs(mount_t) + files_dontaudit_write_root_dirs(mount_t) -fs_getattr_xattr_fs(mount_t) -fs_getattr_cifs(mount_t) @@ -43630,17 +43434,17 @@ index fca6947..5dadaa8 100644 fs_rw_tmpfs_chr_files(mount_t) +fs_rw_nfsd_fs(mount_t) +fs_rw_removable_blk_files(mount_t) -+fs_manage_tmpfs_dirs(mount_t) ++#fs_manage_tmpfs_dirs(mount_t) fs_read_tmpfs_symlinks(mount_t) +fs_read_fusefs_files(mount_t) +fs_manage_nfs_dirs(mount_t) +fs_read_nfs_symlinks(mount_t) +fs_manage_cgroup_dirs(mount_t) +fs_manage_cgroup_files(mount_t) + fs_dontaudit_write_tmpfs_dirs(mount_t) mls_file_read_all_levels(mount_t) - mls_file_write_all_levels(mount_t) -@@ -100,6 +157,7 @@ storage_raw_read_fixed_disk(mount_t) +@@ -106,6 +165,7 @@ storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -43648,7 +43452,7 @@ index fca6947..5dadaa8 100644 term_use_all_terms(mount_t) -@@ -108,6 +166,8 @@ auth_use_nsswitch(mount_t) +@@ -114,6 +174,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -43657,7 +43461,7 @@ index fca6947..5dadaa8 100644 logging_send_syslog_msg(mount_t) -@@ -118,6 +178,12 @@ sysnet_use_portmap(mount_t) +@@ -124,6 +186,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -43670,7 +43474,7 @@ index fca6947..5dadaa8 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -133,10 +199,17 @@ ifdef(`distro_ubuntu',` +@@ -139,10 +207,17 @@ ifdef(`distro_ubuntu',` ') ') @@ -43688,7 +43492,7 @@ index fca6947..5dadaa8 100644 ') optional_policy(` -@@ -166,6 +239,8 @@ optional_policy(` +@@ -172,6 +247,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -43697,7 +43501,7 @@ index fca6947..5dadaa8 100644 ') optional_policy(` -@@ -173,6 +248,28 @@ optional_policy(` +@@ -179,6 +256,28 @@ optional_policy(` ') optional_policy(` @@ -43726,7 +43530,7 @@ index fca6947..5dadaa8 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -180,13 +277,44 @@ optional_policy(` +@@ -186,13 +285,44 @@ optional_policy(` ') ') @@ -43771,7 +43575,7 @@ index fca6947..5dadaa8 100644 ') ######################################## -@@ -195,6 +323,42 @@ optional_policy(` +@@ -201,6 +331,42 @@ optional_policy(` # optional_policy(` @@ -48625,9 +48429,18 @@ index 35f1476..d74e327 100644 + type_transition $1 user_tmp_t:process $2; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index a7088c6..5119d1e 100644 +index a7088c6..2c840bc 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te +@@ -7,7 +7,7 @@ policy_module(userdomain, 4.4.4) + + ## + ##

+-## Allow users to connect to mysql ++## Allow users to connect to the local mysql server + ##

+ ## + gen_tunable(allow_user_mysql_connect, false) @@ -43,6 +43,13 @@ gen_tunable(user_rw_noexattrfile, false) ## @@ -48992,14 +48805,14 @@ index 22ca011..df6b5de 100644 # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index effb6c5..cabc009 100644 +index f7380b3..cabc009 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') # # All socket classes. # --define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }') +-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') diff --git a/selinux-policy.spec b/selinux-policy.spec index 0c5a81d5..8bc25c22 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,8 +20,8 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.9.9 -Release: 4%{?dist} +Version: 3.9.10 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Thu Nov 25 2010 Miroslav Grepl 3.9.10-1 +- Update to upstream +- Cleanup for sandbox +- Add attribute to be able to select sandbox types + * Mon Nov 22 2010 Miroslav Grepl 3.9.9-4 - Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons diff --git a/sources b/sources index f2023737..56f19d9f 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 409b40c8102b1617681ba17c31032e66 config.tgz -24888445b1086e411acfa24c592cc65a serefpolicy-3.9.9.tgz +1deb2db0ad303b26fc44b5c7f7497c32 serefpolicy-3.9.10.tgz