From 09460452b65dafc74f6a97eba361e7661b73ba85 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 2 Dec 2010 18:21:58 +0100 Subject: [PATCH] - Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools - Allow init to setattr on logfile directories --- policy-F15.patch | 934 ++++++++++++++++++++++++++++++++++---------- selinux-policy.spec | 9 +- 2 files changed, 731 insertions(+), 212 deletions(-) diff --git a/policy-F15.patch b/policy-F15.patch index 7aaeaae5..d7161521 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -269,6 +269,19 @@ index 63eb96b..17a9f6d 100644 ######################################## ## ## Execute bootloader interactively and do +diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te +index 40c0192..1a0f72c 100644 +--- a/policy/modules/admin/bootloader.te ++++ b/policy/modules/admin/bootloader.te +@@ -23,7 +23,7 @@ role system_r types bootloader_t; + # grub.conf, lilo.conf, etc. + # + type bootloader_etc_t alias etc_bootloader_t; +-files_type(bootloader_etc_t) ++files_config_file(bootloader_etc_t) + + # + # The temp file is used for initrd creation; diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if index 2c2cdb6..73b3814 100644 --- a/policy/modules/admin/brctl.if @@ -901,6 +914,19 @@ index 6a53a18..1bc14ea 100644 + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') +diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te +index c633aea..b773bc3 100644 +--- a/policy/modules/admin/portage.te ++++ b/policy/modules/admin/portage.te +@@ -43,7 +43,7 @@ type portage_db_t; + files_type(portage_db_t) + + type portage_conf_t; +-files_type(portage_conf_t) ++files_config_file(portage_conf_t) + + type portage_cache_t; + files_type(portage_cache_t) diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te index aa0dcc6..0faba2a 100644 --- a/policy/modules/admin/prelink.te @@ -1241,7 +1267,7 @@ index d33daa8..e50a5ed 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 542b820..a91d384 100644 +index 542b820..0b1760d 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ @@ -1266,7 +1292,7 @@ index 542b820..a91d384 100644 allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -101,13 +104,15 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) +@@ -101,13 +104,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir) manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) @@ -1280,10 +1306,11 @@ index 542b820..a91d384 100644 kernel_read_system_state(rpm_t) kernel_read_kernel_sysctls(rpm_t) +kernel_read_network_state_symlinks(rpm_t) ++kernel_rw_irq_sysctls(rpm_t) corecmd_exec_all_executables(rpm_t) -@@ -127,6 +132,8 @@ corenet_sendrecv_all_client_packets(rpm_t) +@@ -127,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t) dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -1292,7 +1319,15 @@ index 542b820..a91d384 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -207,6 +214,7 @@ optional_policy(` +@@ -173,6 +181,7 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) + domain_dontaudit_getattr_all_raw_sockets(rpm_t) + domain_dontaudit_getattr_all_stream_sockets(rpm_t) + domain_dontaudit_getattr_all_dgram_sockets(rpm_t) ++domain_signull_all_domains(rpm_t) + + files_exec_etc_files(rpm_t) + +@@ -207,6 +216,7 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -1300,7 +1335,7 @@ index 542b820..a91d384 100644 ') optional_policy(` -@@ -214,7 +222,7 @@ optional_policy(` +@@ -214,7 +224,7 @@ optional_policy(` ') optional_policy(` @@ -1309,7 +1344,7 @@ index 542b820..a91d384 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -261,6 +269,7 @@ kernel_read_crypto_sysctls(rpm_script_t) +@@ -261,6 +271,7 @@ kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) kernel_read_network_state(rpm_script_t) @@ -1317,7 +1352,7 @@ index 542b820..a91d384 100644 kernel_read_software_raid_state(rpm_script_t) dev_list_sysfs(rpm_script_t) -@@ -308,6 +317,8 @@ auth_manage_all_files_except_shadow(rpm_script_t) +@@ -308,6 +319,8 @@ auth_manage_all_files_except_shadow(rpm_script_t) auth_relabel_shadow(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) @@ -1326,7 +1361,7 @@ index 542b820..a91d384 100644 domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -338,12 +349,15 @@ modutils_domtrans_insmod(rpm_script_t) +@@ -338,12 +351,15 @@ modutils_domtrans_insmod(rpm_script_t) seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1342,7 +1377,7 @@ index 542b820..a91d384 100644 ') ') -@@ -377,8 +391,9 @@ optional_policy(` +@@ -377,8 +393,9 @@ optional_policy(` ') optional_policy(` @@ -2485,7 +2520,7 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..8978675 100644 +index f5afe78..dd4bd1e 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -37,8 +37,7 @@ interface(`gnome_role',` @@ -2498,7 +2533,7 @@ index f5afe78..8978675 100644 ## ## ## -@@ -46,25 +45,282 @@ interface(`gnome_role',` +@@ -46,25 +45,300 @@ interface(`gnome_role',` ## ## # @@ -2665,12 +2700,11 @@ index f5afe78..8978675 100644 +## append to generic cache home files (.cache) +## +## - ## - ## Domain allowed access. - ## - ## - # --template(`gnome_read_gconf_config',` ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_append_generic_cache_files',` + gen_require(` + type cache_home_t; @@ -2750,6 +2784,24 @@ index f5afe78..8978675 100644 + gnome_search_gconf($1) +') + ++####################################### ++## ++## Manage gconf data home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_data',` ++ gen_require(` ++ type data_home_t; ++ ') ++ ++ manage_files_pattern($1, data_home_t, data_home_t) ++') ++ +######################################## +## +## Create gconf_home_t objects in the /root directory @@ -2778,16 +2830,17 @@ index f5afe78..8978675 100644 +## read gconf config files +## +## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## Domain allowed access. + ## + ## + # +-template(`gnome_read_gconf_config',` +interface(`gnome_read_gconf_config',` gen_require(` type gconf_etc_t; ') -@@ -76,7 +332,27 @@ template(`gnome_read_gconf_config',` +@@ -76,7 +350,27 @@ template(`gnome_read_gconf_config',` ####################################### ## @@ -2816,7 +2869,7 @@ index f5afe78..8978675 100644 ## ## ## -@@ -84,37 +360,40 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +378,40 @@ template(`gnome_read_gconf_config',` ## ## # @@ -2868,7 +2921,7 @@ index f5afe78..8978675 100644 ## ## ## -@@ -122,12 +401,13 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +419,13 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -2885,7 +2938,7 @@ index f5afe78..8978675 100644 ') ######################################## -@@ -151,40 +431,173 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +449,173 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -2916,7 +2969,7 @@ index f5afe78..8978675 100644 ## -## manage gnome homedir content (.config) +## manage gconf home files - ## ++## +## +## +## Domain allowed access. @@ -2935,7 +2988,7 @@ index f5afe78..8978675 100644 +######################################## +## +## Connect to gnome over an unix stream socket. -+## + ## +## +## +## Domain allowed access. @@ -4088,7 +4141,7 @@ index 9a6d67d..b0c1197 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..05dd44a 100644 +index cbf4bec..9826f66 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2) @@ -4170,7 +4223,7 @@ index cbf4bec..05dd44a 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,139 @@ optional_policy(` +@@ -266,3 +291,144 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -4238,7 +4291,7 @@ index cbf4bec..05dd44a 100644 +files_read_usr_files(mozilla_plugin_t) +files_list_mnt(mozilla_plugin_t) + -+fs_getattr_tmpfs(mozilla_plugin_t) ++fs_getattr_all_fs(mozilla_plugin_t) +fs_list_dos_dirs(mozilla_plugin_t) +fs_read_dos_files(mozilla_plugin_t) + @@ -4288,6 +4341,11 @@ index cbf4bec..05dd44a 100644 +') + +optional_policy(` ++ mplayer_exec(mozilla_plugin_t) ++ mplayer_read_user_home_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + nsplugin_domtrans(mozilla_plugin_t) + nsplugin_rw_exec(mozilla_plugin_t) + nsplugin_manage_home_dirs(mozilla_plugin_t) @@ -6896,10 +6954,10 @@ index 0000000..46368cc +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..0b28cf8 +index 0000000..7d62b71 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,329 @@ +@@ -0,0 +1,333 @@ + +policy_module(telepathy, 1.0.0) + @@ -7054,6 +7112,10 @@ index 0000000..0b28cf8 + fs_manage_cifs_files(telepathy_gabble_t) +') + ++optional_policy(` ++ gnome_read_home_config(telepathy_gabble_t) ++') ++ +####################################### +# +# Telepathy Idle local policy. @@ -14272,7 +14334,7 @@ index c9e1a44..1a1ba36 100644 + dontaudit $1 httpd_tmp_t:file { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 08dfa0c..ee604fe 100644 +index 08dfa0c..b02e348 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.0) @@ -14527,6 +14589,15 @@ index 08dfa0c..ee604fe 100644 attribute httpdcontent; attribute httpd_user_content_type; +@@ -166,7 +231,7 @@ files_type(httpd_cache_t) + + # httpd_config_t is the type given to the configuration files + type httpd_config_t; +-files_type(httpd_config_t) ++files_config_file(httpd_config_t) + + type httpd_helper_t; + type httpd_helper_exec_t; @@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts @@ -14819,10 +14890,11 @@ index 08dfa0c..ee604fe 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +709,12 @@ optional_policy(` +@@ -537,8 +709,13 @@ optional_policy(` ') optional_policy(` ++ git_read_generic_system_content_files(httpd_t) + gitosis_read_lib_files(httpd_t) +') + @@ -14833,7 +14905,7 @@ index 08dfa0c..ee604fe 100644 ') ') -@@ -556,7 +732,13 @@ optional_policy(` +@@ -556,7 +733,13 @@ optional_policy(` ') optional_policy(` @@ -14847,7 +14919,7 @@ index 08dfa0c..ee604fe 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +749,7 @@ optional_policy(` +@@ -567,6 +750,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -14855,7 +14927,7 @@ index 08dfa0c..ee604fe 100644 ') optional_policy(` -@@ -577,6 +760,16 @@ optional_policy(` +@@ -577,6 +761,16 @@ optional_policy(` ') optional_policy(` @@ -14872,7 +14944,7 @@ index 08dfa0c..ee604fe 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +784,11 @@ optional_policy(` +@@ -591,6 +785,11 @@ optional_policy(` ') optional_policy(` @@ -14884,7 +14956,7 @@ index 08dfa0c..ee604fe 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +801,11 @@ optional_policy(` +@@ -603,6 +802,11 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -14896,7 +14968,7 @@ index 08dfa0c..ee604fe 100644 ######################################## # # Apache helper local policy -@@ -618,6 +821,10 @@ logging_send_syslog_msg(httpd_helper_t) +@@ -618,6 +822,10 @@ logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) @@ -14907,7 +14979,7 @@ index 08dfa0c..ee604fe 100644 ######################################## # # Apache PHP script local policy -@@ -654,28 +861,27 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +862,27 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -14948,7 +15020,7 @@ index 08dfa0c..ee604fe 100644 ') ######################################## -@@ -699,17 +905,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +906,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -14974,7 +15046,7 @@ index 08dfa0c..ee604fe 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +951,20 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,10 +952,20 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -14996,7 +15068,7 @@ index 08dfa0c..ee604fe 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +990,25 @@ optional_policy(` +@@ -769,6 +991,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -15022,7 +15094,7 @@ index 08dfa0c..ee604fe 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1029,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1030,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -15040,7 +15112,7 @@ index 08dfa0c..ee604fe 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1048,33 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,6 +1049,33 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -15074,7 +15146,7 @@ index 08dfa0c..ee604fe 100644 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -822,7 +1094,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,7 +1095,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -15083,7 +15155,7 @@ index 08dfa0c..ee604fe 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -830,6 +1102,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -830,6 +1103,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -15104,7 +15176,7 @@ index 08dfa0c..ee604fe 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1128,20 @@ optional_policy(` +@@ -842,10 +1129,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -15125,7 +15197,7 @@ index 08dfa0c..ee604fe 100644 ') ######################################## -@@ -891,11 +1187,21 @@ optional_policy(` +@@ -891,11 +1188,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -15439,7 +15511,7 @@ index 44a1e3d..7e9d2fb 100644 files_list_pids($1) admin_pattern($1, named_var_run_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 4deca04..0bde225 100644 +index 4deca04..42aa033 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -6,10 +6,10 @@ policy_module(bind, 1.11.0) @@ -15457,6 +15529,15 @@ index 4deca04..0bde225 100644 ## gen_tunable(named_write_master_zones, false) +@@ -27,7 +27,7 @@ init_system_domain(named_t, named_checkconf_exec_t) + + # A type for configuration files of named. + type named_conf_t; +-files_type(named_conf_t) ++files_config_file(named_conf_t) + files_mountpoint(named_conf_t) + + # for secondary zone files @@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) manage_files_pattern(named_t, named_tmp_t, named_tmp_t) files_tmp_filetrans(named_t, named_tmp_t, { file dir }) @@ -15606,10 +15687,10 @@ index 3e45431..fa57a6f 100644 admin_pattern($1, bluetooth_var_lib_t) diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te -index 215b86b..913d2a9 100644 +index 215b86b..4a3569f 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te -@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0) +@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0) # # Declarations # @@ -15617,6 +15698,13 @@ index 215b86b..913d2a9 100644 type bluetooth_t; type bluetooth_exec_t; init_daemon_domain(bluetooth_t, bluetooth_exec_t) + + type bluetooth_conf_t; +-files_type(bluetooth_conf_t) ++files_config_file(bluetooth_conf_t) + + type bluetooth_conf_rw_t; + files_type(bluetooth_conf_rw_t) @@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t) #search debugfs - redhat bug 548206 kernel_search_debugfs(bluetooth_t) @@ -16395,9 +16483,18 @@ index 6ee2cc8..3105b09 100644 # interface(`ccs_domtrans',` diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te -index 4c90b57..8d7e14e 100644 +index 4c90b57..af806c2 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te +@@ -10,7 +10,7 @@ type ccs_exec_t; + init_daemon_domain(ccs_t, ccs_exec_t) + + type cluster_conf_t; +-files_type(cluster_conf_t) ++files_config_file(cluster_conf_t) + + type ccs_tmp_t; + files_tmp_file(ccs_tmp_t) @@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) @@ -16671,7 +16768,7 @@ index d020c93..e5cbcef 100644 cgroup_initrc_domtrans_cgconfig($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te -index 8ca2333..0a1097b 100644 +index 8ca2333..27f8f4d 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te @@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t) @@ -16694,7 +16791,17 @@ index 8ca2333..0a1097b 100644 init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; -@@ -52,7 +55,7 @@ fs_unmount_cgroup(cgclear_t) +@@ -36,8 +39,7 @@ files_config_file(cgconfig_etc_t) + # + # cgclear personal policy. + # +- +-allow cgclear_t self:capability sys_admin; ++allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; + + kernel_read_system_state(cgclear_t) + +@@ -52,7 +54,7 @@ fs_unmount_cgroup(cgclear_t) # cgconfig personal policy. # @@ -16703,6 +16810,14 @@ index 8ca2333..0a1097b 100644 allow cgconfig_t cgconfig_etc_t:file read_file_perms; +@@ -67,6 +69,7 @@ fs_manage_cgroup_dirs(cgconfig_t) + fs_manage_cgroup_files(cgconfig_t) + fs_mount_cgroup(cgconfig_t) + fs_mounton_cgroup(cgconfig_t) ++fs_unmount_cgroup(cgconfig_t) + + ######################################## + # @@ -79,6 +82,9 @@ allow cgred_t self:unix_dgram_socket { write create connect }; allow cgred_t cgrules_etc_t:file read_file_perms; @@ -18048,6 +18163,19 @@ index 37f4810..cc93958 100644 miscfiles_read_localization(courier_pop_t) +diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te +index 13d2f63..a048c53 100644 +--- a/policy/modules/services/cpucontrol.te ++++ b/policy/modules/services/cpucontrol.te +@@ -10,7 +10,7 @@ type cpucontrol_exec_t; + init_system_domain(cpucontrol_t, cpucontrol_exec_t) + + type cpucontrol_conf_t; +-files_type(cpucontrol_conf_t) ++files_config_file(cpucontrol_conf_t) + + type cpuspeed_t; + type cpuspeed_exec_t; diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc index 2eefc08..3e8ad69 100644 --- a/policy/modules/services/cron.fc @@ -19081,6 +19209,19 @@ index e182bf4..f80e725 100644 snmp_read_snmp_var_lib_files(cyrus_t) snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) +diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te +index a8b93c0..831ce70 100644 +--- a/policy/modules/services/dante.te ++++ b/policy/modules/services/dante.te +@@ -10,7 +10,7 @@ type dante_exec_t; + init_daemon_domain(dante_t, dante_exec_t) + + type dante_conf_t; +-files_type(dante_conf_t) ++files_config_file(dante_conf_t) + + type dante_var_run_t; + files_pid_file(dante_var_run_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 0d5711c..3874025 100644 --- a/policy/modules/services/dbus.if @@ -19493,18 +19634,24 @@ index 8ba9425..b10da2c 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc -index 418a5a0..76542e1 100644 +index 418a5a0..28d9e41 100644 --- a/policy/modules/services/devicekit.fc +++ b/policy/modules/services/devicekit.fc -@@ -10,5 +10,6 @@ +@@ -8,7 +8,12 @@ + /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) + /var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) ++/var/log/pm-powersave\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0) ++/var/log/pm-suspend\.log -- gen_context(system_u:object_r:devicekit_var_log_t,s0) ++ /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) ++ /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..205afb9 100644 +index f706b99..92d4eba 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -19545,7 +19692,7 @@ index f706b99..205afb9 100644 ## Read devicekit PID files. ## ## -@@ -139,22 +158,31 @@ interface(`devicekit_read_pid_files',` +@@ -139,22 +158,52 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -19557,15 +19704,10 @@ index f706b99..205afb9 100644 ## ## -## Domain allowed access. --## --## --## --## --## The role to be allowed to manage the devicekit domain. +## Domain to not audit. ## ## --## +-## +# +interface(`devicekit_dontaudit_read_pid_files',` + gen_require(` @@ -19575,6 +19717,29 @@ index f706b99..205afb9 100644 + dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms; +') + ++ ++######################################## ++## ++## Manage devicekit PID files. ++## ++## + ## +-## The role to be allowed to manage the devicekit domain. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`devicekit_manage_pid_files',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++') ++ +######################################## +## +## All of the rules required to administrate @@ -19587,7 +19752,7 @@ index f706b99..205afb9 100644 ## ## ## -@@ -165,21 +193,22 @@ interface(`devicekit_admin',` +@@ -165,21 +214,22 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -19617,10 +19782,20 @@ index f706b99..205afb9 100644 ') + diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..14921ca 100644 +index f231f17..4ecd4b7 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te -@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) + type devicekit_var_lib_t; + files_type(devicekit_var_lib_t) + ++type devicekit_var_log_t; ++logging_log_file(devicekit_var_log_t) ++ + ######################################## + # + # DeviceKit local policy +@@ -75,10 +78,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -19633,7 +19808,7 @@ index f231f17..14921ca 100644 kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) -@@ -105,8 +107,10 @@ domain_read_all_domains_state(devicekit_disk_t) +@@ -105,8 +110,10 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) @@ -19645,7 +19820,7 @@ index f231f17..14921ca 100644 files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) -@@ -178,25 +182,41 @@ optional_policy(` +@@ -178,25 +185,47 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -19667,6 +19842,9 @@ index f231f17..14921ca 100644 allow devicekit_power_t self:unix_dgram_socket create_socket_perms; allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; ++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) ++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) ++ +manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) +manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) +files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) @@ -19675,6 +19853,9 @@ index f231f17..14921ca 100644 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) ++manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) ++logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) ++ +manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) +manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir) @@ -19688,7 +19869,7 @@ index f231f17..14921ca 100644 kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) -@@ -212,12 +232,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) +@@ -212,12 +241,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) @@ -19705,7 +19886,7 @@ index f231f17..14921ca 100644 term_use_all_terms(devicekit_power_t) -@@ -225,8 +249,11 @@ auth_use_nsswitch(devicekit_power_t) +@@ -225,8 +258,11 @@ auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) @@ -19717,7 +19898,7 @@ index f231f17..14921ca 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -261,6 +288,10 @@ optional_policy(` +@@ -261,14 +297,21 @@ optional_policy(` ') optional_policy(` @@ -19726,9 +19907,10 @@ index f231f17..14921ca 100644 + +optional_policy(` hal_domtrans_mac(devicekit_power_t) - hal_manage_log(devicekit_power_t) +- hal_manage_log(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) -@@ -269,6 +300,10 @@ optional_policy(` + hal_manage_pid_files(devicekit_power_t) + hal_dbus_chat(devicekit_power_t) ') optional_policy(` @@ -19739,7 +19921,7 @@ index f231f17..14921ca 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +311,21 @@ optional_policy(` +@@ -276,9 +319,21 @@ optional_policy(` ') optional_policy(` @@ -20252,7 +20434,7 @@ index 0000000..440a6c5 +') diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..6f93d77 +index 0000000..01c3755 --- /dev/null +++ b/policy/modules/services/dirsrv.te @@ -0,0 +1,172 @@ @@ -20379,6 +20561,10 @@ index 0000000..6f93d77 + kerberos_dontaudit_write_config(dirsrv_t) +') + ++optional_policy(` ++ rpcbind_stream_connect(dirsrv_t) ++') ++ +######################################## +# +# dirsrv-snmp local policy @@ -20424,10 +20610,6 @@ index 0000000..6f93d77 + snmp_append_snmp_var_lib_files(dirsrv_snmp_t) + snmp_stream_connect(dirsrv_snmp_t) +') -+ -+optional_policy(` -+ rpcbind_stream_connect(initrc_t) -+') diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te index 0c6a473..51e2ce8 100644 --- a/policy/modules/services/djbdns.te @@ -20556,10 +20738,35 @@ index bfc880b..9a1dcba 100644 ') diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if -index e1d7dc5..ee51a19 100644 +index e1d7dc5..673f185 100644 --- a/policy/modules/services/dovecot.if +++ b/policy/modules/services/dovecot.if -@@ -9,13 +9,13 @@ +@@ -1,5 +1,24 @@ + ## Dovecot POP and IMAP mail server + ++####################################### ++## ++## Connect to dovecot unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dovecot_stream_connect',` ++ gen_require(` ++ type dovecot_t, dovecot_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) ++') ++ + ######################################## + ## + ## Connect to dovecot auth unix domain stream socket. +@@ -9,13 +28,13 @@ ## Domain allowed access. ## ## @@ -20574,7 +20781,7 @@ index e1d7dc5..ee51a19 100644 stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t) ') -@@ -52,6 +52,7 @@ interface(`dovecot_manage_spool',` +@@ -52,6 +71,7 @@ interface(`dovecot_manage_spool',` type dovecot_spool_t; ') @@ -20582,7 +20789,7 @@ index e1d7dc5..ee51a19 100644 manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) ') -@@ -93,12 +94,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',` +@@ -93,12 +113,10 @@ interface(`dovecot_dontaudit_unlink_lib_files',` # interface(`dovecot_admin',` gen_require(` @@ -20599,7 +20806,7 @@ index e1d7dc5..ee51a19 100644 ') allow $1 dovecot_t:process { ptrace signal_perms }; -@@ -112,8 +111,11 @@ interface(`dovecot_admin',` +@@ -112,8 +130,11 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, dovecot_etc_t) @@ -20613,7 +20820,7 @@ index e1d7dc5..ee51a19 100644 files_list_spool($1) admin_pattern($1, dovecot_spool_t) -@@ -121,6 +123,9 @@ interface(`dovecot_admin',` +@@ -121,6 +142,9 @@ interface(`dovecot_admin',` files_list_var_lib($1) admin_pattern($1, dovecot_var_lib_t) @@ -20624,7 +20831,7 @@ index e1d7dc5..ee51a19 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..da1c6bf 100644 +index cbe14e4..2cc1082 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -20687,10 +20894,14 @@ index cbe14e4..da1c6bf 100644 corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) corenet_sendrecv_pop_server_packets(dovecot_t) -@@ -159,6 +166,11 @@ optional_policy(` +@@ -159,6 +166,15 @@ optional_policy(` ') optional_policy(` ++ gnome_manage_data(dovecot_t) ++') ++ ++optional_policy(` + postfix_manage_private_sockets(dovecot_t) + postfix_search_spool(dovecot_t) +') @@ -20699,7 +20910,7 @@ index cbe14e4..da1c6bf 100644 postgresql_stream_connect(dovecot_t) ') -@@ -179,7 +191,7 @@ optional_policy(` +@@ -179,7 +195,7 @@ optional_policy(` # dovecot auth local policy # @@ -20708,7 +20919,7 @@ index cbe14e4..da1c6bf 100644 allow dovecot_auth_t self:process { signal_perms getcap setcap }; allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; -@@ -189,6 +201,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -189,6 +205,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -20717,7 +20928,7 @@ index cbe14e4..da1c6bf 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -242,6 +256,7 @@ optional_policy(` +@@ -242,6 +260,7 @@ optional_policy(` ') optional_policy(` @@ -20725,7 +20936,7 @@ index cbe14e4..da1c6bf 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +268,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; +@@ -253,19 +272,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; @@ -20761,9 +20972,14 @@ index cbe14e4..da1c6bf 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -302,4 +331,5 @@ tunable_policy(`use_samba_home_dirs',` +@@ -301,5 +334,10 @@ tunable_policy(`use_samba_home_dirs',` + ') optional_policy(` ++ gnome_manage_data(dovecot_deliver_t) ++') ++ ++optional_policy(` mta_manage_spool(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) ') @@ -21227,7 +21443,7 @@ index f590a1f..87f6bfb 100644 allow $1 fail2ban_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..0a4216c 100644 +index 2a69e5e..84e7ce2 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -28,7 +28,7 @@ files_pid_file(fail2ban_var_run_t) @@ -21248,7 +21464,15 @@ index 2a69e5e..0a4216c 100644 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) -@@ -94,5 +94,9 @@ optional_policy(` +@@ -66,6 +66,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) + dev_read_urand(fail2ban_t) + + domain_use_interactive_fds(fail2ban_t) ++domain_dontaudit_read_all_domains_state(fail2ban_t) + + files_read_etc_files(fail2ban_t) + files_read_etc_runtime_files(fail2ban_t) +@@ -94,5 +95,9 @@ optional_policy(` ') optional_policy(` @@ -21323,7 +21547,7 @@ index 69dcd2a..a9a9116 100644 /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..b2ca277 100644 +index 8a74a83..eca06f7 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -21399,7 +21623,15 @@ index 8a74a83..b2ca277 100644 # Create and modify /var/log/xferlog. manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) -@@ -270,10 +288,13 @@ tunable_policy(`ftp_home_dir',` +@@ -219,6 +237,7 @@ auth_append_login_records(ftpd_t) + #kerberized ftp requires the following + auth_write_login_records(ftpd_t) + auth_rw_faillog(ftpd_t) ++auth_manage_var_auth(ftpd_t) + + init_rw_utmp(ftpd_t) + +@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',` # allow access to /home files_list_home(ftpd_t) userdom_read_user_home_content_files(ftpd_t) @@ -21417,7 +21649,7 @@ index 8a74a83..b2ca277 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -316,6 +337,23 @@ optional_policy(` +@@ -316,6 +338,23 @@ optional_policy(` ') optional_policy(` @@ -21441,7 +21673,7 @@ index 8a74a83..b2ca277 100644 inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) optional_policy(` -@@ -347,10 +385,11 @@ optional_policy(` +@@ -347,10 +386,11 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -21454,7 +21686,7 @@ index 8a74a83..b2ca277 100644 files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) # Allow ftpdctl to read config files -@@ -368,15 +407,28 @@ files_read_etc_files(sftpd_t) +@@ -368,15 +408,28 @@ files_read_etc_files(sftpd_t) # allow read access to /home by default userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) @@ -22323,9 +22555,18 @@ index 7d97298..d6b2959 100644 + allow $1 gpmctl_t:sock_file setattr_sock_file_perms; ') diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te -index a627b34..c899c61 100644 +index a627b34..4b27e25 100644 --- a/policy/modules/services/gpm.te +++ b/policy/modules/services/gpm.te +@@ -10,7 +10,7 @@ type gpm_exec_t; + init_daemon_domain(gpm_t, gpm_exec_t) + + type gpm_conf_t; +-files_type(gpm_conf_t) ++files_config_file(gpm_conf_t) + + type gpm_tmp_t; + files_tmp_file(gpm_tmp_t) @@ -69,6 +69,7 @@ miscfiles_read_localization(gpm_t) userdom_dontaudit_use_unpriv_user_fds(gpm_t) @@ -22359,10 +22600,16 @@ index 03742d8..2a87d1e 100644 ') diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc -index c98b0df..9db14d6 100644 +index c98b0df..3b1a051 100644 --- a/policy/modules/services/hal.fc +++ b/policy/modules/services/hal.fc -@@ -24,7 +24,6 @@ +@@ -18,13 +18,9 @@ + + /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) + +-/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) +-/var/log/pm-.*\.log gen_context(system_u:object_r:hald_log_t,s0) +- /var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) /var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) @@ -22471,7 +22718,7 @@ index 7cf6763..ce32fe5 100644 + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te -index 24c6253..ae0b05b 100644 +index 24c6253..f11fa08 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) @@ -22532,7 +22779,17 @@ index 24c6253..ae0b05b 100644 init_dbus_chat_script(hald_t) -@@ -268,6 +277,10 @@ optional_policy(` +@@ -263,11 +272,20 @@ optional_policy(` + ') + + optional_policy(` ++ # for pm-suspend.lock in /var/run/pm-utils/ ++ devicekit_manage_pid_files(hald_t) ++') ++ ++optional_policy(` + # For /usr/libexec/hald-probe-smbios + dmidecode_domtrans(hald_t) ') optional_policy(` @@ -22543,7 +22800,7 @@ index 24c6253..ae0b05b 100644 gpm_dontaudit_getattr_gpmctl(hald_t) ') -@@ -302,7 +315,7 @@ optional_policy(` +@@ -302,7 +320,7 @@ optional_policy(` ') optional_policy(` @@ -22552,7 +22809,7 @@ index 24c6253..ae0b05b 100644 policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) -@@ -318,6 +331,10 @@ optional_policy(` +@@ -318,6 +336,10 @@ optional_policy(` ') optional_policy(` @@ -22563,7 +22820,7 @@ index 24c6253..ae0b05b 100644 udev_domtrans(hald_t) udev_read_db(hald_t) ') -@@ -338,6 +355,10 @@ optional_policy(` +@@ -338,6 +360,10 @@ optional_policy(` virt_manage_images(hald_t) ') @@ -22574,7 +22831,7 @@ index 24c6253..ae0b05b 100644 ######################################## # # Hal acl local policy -@@ -358,6 +379,7 @@ files_search_var_lib(hald_acl_t) +@@ -358,6 +384,7 @@ files_search_var_lib(hald_acl_t) manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -22582,7 +22839,7 @@ index 24c6253..ae0b05b 100644 corecmd_exec_bin(hald_acl_t) -@@ -388,7 +410,7 @@ logging_send_syslog_msg(hald_acl_t) +@@ -388,7 +415,7 @@ logging_send_syslog_msg(hald_acl_t) miscfiles_read_localization(hald_acl_t) optional_policy(` @@ -22591,7 +22848,7 @@ index 24c6253..ae0b05b 100644 policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) -@@ -470,6 +492,10 @@ files_read_usr_files(hald_keymap_t) +@@ -470,6 +497,10 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) @@ -22739,6 +22996,19 @@ index dfb4232..7665429 100644 ') allow $1 ifplugd_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te +index 978c32f..3b96342 100644 +--- a/policy/modules/services/ifplugd.te ++++ b/policy/modules/services/ifplugd.te +@@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t) + + # config files + type ifplugd_etc_t; +-files_type(ifplugd_etc_t) ++files_config_file(ifplugd_etc_t) + + type ifplugd_initrc_exec_t; + init_script_file(ifplugd_initrc_exec_t) diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if index df48e5e..6985546 100644 --- a/policy/modules/services/inetd.if @@ -23252,7 +23522,7 @@ index 604f67b..31a6075 100644 + files_tmp_filetrans($1, krb5_host_rcache_t, file) +') diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te -index 8edc29b..c233701 100644 +index 8edc29b..245d4ec 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0) @@ -23268,7 +23538,13 @@ index 8edc29b..c233701 100644 ## gen_tunable(allow_kerberos, false) -@@ -40,7 +40,7 @@ files_type(krb5_conf_t) +@@ -35,12 +35,12 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) + domain_obj_id_change_exemption(kpropd_t) + + type krb5_conf_t; +-files_type(krb5_conf_t) ++files_config_file(krb5_conf_t) + type krb5_home_t; userdom_user_home_content(krb5_home_t) @@ -23277,8 +23553,12 @@ index 8edc29b..c233701 100644 files_tmp_file(krb5_host_rcache_t) # types for general configuration files in /etc -@@ -52,7 +52,7 @@ type krb5kdc_conf_t; - files_type(krb5kdc_conf_t) +@@ -49,10 +49,10 @@ files_security_file(krb5_keytab_t) + + # types for KDC configs and principal file(s) + type krb5kdc_conf_t; +-files_type(krb5kdc_conf_t) ++files_config_file(krb5kdc_conf_t) type krb5kdc_lock_t; -files_type(krb5kdc_lock_t) @@ -23705,9 +23985,18 @@ index 49e04e5..69db026 100644 /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te -index 6a78de1..b229ba0 100644 +index 6a78de1..ae8af5b 100644 --- a/policy/modules/services/lircd.te +++ b/policy/modules/services/lircd.te +@@ -13,7 +13,7 @@ type lircd_initrc_exec_t; + init_script_file(lircd_initrc_exec_t) + + type lircd_etc_t; +-files_type(lircd_etc_t) ++files_config_file(lircd_etc_t) + + type lircd_var_run_t alias lircd_sock_t; + files_pid_file(lircd_var_run_t) @@ -44,13 +44,13 @@ corenet_tcp_bind_lirc_port(lircd_t) corenet_tcp_sendrecv_all_ports(lircd_t) corenet_tcp_connect_lirc_port(lircd_t) @@ -23764,7 +24053,7 @@ index a4f32f5..ea7dca0 100644 type lpr_t, lpr_exec_t; ') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te -index 93c14ca..80671d9 100644 +index 93c14ca..96a105a 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0) @@ -23780,6 +24069,15 @@ index 93c14ca..80671d9 100644 ## gen_tunable(use_lpd_server, false) +@@ -54,7 +54,7 @@ type printer_t; + files_type(printer_t) + + type printconf_t; +-files_type(printconf_t) ++files_config_file(printconf_t) + + ######################################## + # @@ -80,7 +80,7 @@ rw_files_pattern(checkpc_t, print_spool_t, print_spool_t) delete_files_pattern(checkpc_t, print_spool_t, print_spool_t) files_search_spool(checkpc_t) @@ -26432,9 +26730,18 @@ index abe3f7f..995a6cb 100644 allow $1 ypbind_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te -index 4876cae..5f2ba87 100644 +index 4876cae..5b60041 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te +@@ -37,7 +37,7 @@ type ypserv_exec_t; + init_daemon_domain(ypserv_t, ypserv_exec_t) + + type ypserv_conf_t; +-files_type(ypserv_conf_t) ++files_config_file(ypserv_conf_t) + + type ypserv_tmp_t; + files_tmp_file(ypserv_tmp_t) @@ -55,10 +55,11 @@ files_pid_file(ypxfr_var_run_t) ######################################## # @@ -26656,6 +26963,19 @@ index 23c769c..be5a5b4 100644 + files_list_pids($1) + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') +diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te +index 34eee5f..a9f19d8 100644 +--- a/policy/modules/services/nslcd.te ++++ b/policy/modules/services/nslcd.te +@@ -16,7 +16,7 @@ type nslcd_var_run_t; + files_pid_file(nslcd_var_run_t) + + type nslcd_conf_t; +-files_type(nslcd_conf_t) ++files_config_file(nslcd_conf_t) + + ######################################## + # diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te index ded9fb6..9d1e60a 100644 --- a/policy/modules/services/ntop.te @@ -27369,9 +27689,18 @@ index 3116191..df751a6 100644 # pid files diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te -index 3185114..5322412 100644 +index 3185114..790742c 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te +@@ -16,7 +16,7 @@ type pegasus_tmp_t; + files_tmp_file(pegasus_tmp_t) + + type pegasus_conf_t; +-files_type(pegasus_conf_t) ++files_config_file(pegasus_conf_t) + + type pegasus_mof_t; + files_type(pegasus_mof_t) @@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t) # Local policy # @@ -27500,9 +27829,18 @@ index 8688aae..1bfd8d2 100644 allow $1 pingd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te -index e9cf8a4..4a9d196 100644 +index e9cf8a4..9a7e5dc 100644 --- a/policy/modules/services/pingd.te +++ b/policy/modules/services/pingd.te +@@ -11,7 +11,7 @@ init_daemon_domain(pingd_t, pingd_exec_t) + + # type for config + type pingd_etc_t; +-files_type(pingd_etc_t) ++files_config_file(pingd_etc_t) + + type pingd_initrc_exec_t; + init_script_file(pingd_initrc_exec_t) @@ -27,7 +27,7 @@ files_type(pingd_modules_t) allow pingd_t self:capability net_raw; @@ -27725,7 +28063,7 @@ index 0000000..6403c17 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..6716b5e +index 0000000..5793840 --- /dev/null +++ b/policy/modules/services/piranha.te @@ -0,0 +1,219 @@ @@ -27760,7 +28098,7 @@ index 0000000..6716b5e +files_tmpfs_file(piranha_web_tmpfs_t) + +type piranha_web_conf_t; -+files_type(piranha_web_conf_t) ++files_config_file(piranha_web_conf_t) + +type piranha_web_data_t; +files_type(piranha_web_data_t) @@ -27769,7 +28107,7 @@ index 0000000..6716b5e +files_tmp_file(piranha_web_tmp_t) + +type piranha_etc_rw_t; -+files_type(piranha_etc_rw_t) ++files_config_file(piranha_etc_rw_t) + +type piranha_log_t; +logging_log_file(piranha_log_t) @@ -28532,6 +28870,19 @@ index 4313a6f..1d9fa76 100644 /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) +diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te +index 0b1f471..075a550 100644 +--- a/policy/modules/services/portreserve.te ++++ b/policy/modules/services/portreserve.te +@@ -13,7 +13,7 @@ type portreserve_initrc_exec_t; + init_script_file(portreserve_initrc_exec_t) + + type portreserve_etc_t; +-files_type(portreserve_etc_t) ++files_config_file(portreserve_etc_t) + + type portreserve_var_run_t; + files_pid_file(portreserve_var_run_t) diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc index 55e62d2..c114a40 100644 --- a/policy/modules/services/postfix.fc @@ -28835,7 +29186,7 @@ index 46bee12..b87375e 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..cffba21 100644 +index 06e37d4..e76a63c 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -29074,7 +29425,7 @@ index 06e37d4..cffba21 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,6 +627,11 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +627,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -29086,7 +29437,12 @@ index 06e37d4..cffba21 100644 mta_read_aliases(postfix_smtpd_t) optional_policy(` -@@ -611,8 +655,8 @@ optional_policy(` + dovecot_stream_connect_auth(postfix_smtpd_t) ++ dovecot_stream_connect(postfix_smtpd_t) + ') + + optional_policy(` +@@ -611,8 +656,8 @@ optional_policy(` # Postfix virtual local policy # @@ -29096,7 +29452,7 @@ index 06e37d4..cffba21 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +674,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +675,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -29871,9 +30227,18 @@ index bc329d1..f040c20 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te -index d4000e0..c23cd14 100644 +index d4000e0..93cbfa2 100644 --- a/policy/modules/services/psad.te +++ b/policy/modules/services/psad.te +@@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t) + + # config files + type psad_etc_t; +-files_type(psad_etc_t) ++files_config_file(psad_etc_t) + + type psad_initrc_exec_t; + init_script_file(psad_initrc_exec_t) @@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) @@ -30082,7 +30447,7 @@ index 494f7e2..aa3d0b4 100644 + admin_pattern($1, pyzor_var_lib_t) +') diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te -index cd683f9..d455637 100644 +index cd683f9..a272112 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -5,40 +5,62 @@ policy_module(pyzor, 2.1.0) @@ -30153,7 +30518,7 @@ index cd683f9..d455637 100644 + role system_r types pyzor_t; + + type pyzor_etc_t; -+ files_type(pyzor_etc_t) ++ files_config_file(pyzor_etc_t) + + type pyzor_home_t; + typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t }; @@ -33627,7 +33992,7 @@ index 275f9fb..6defb76 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..0927db4 100644 +index 3d8d1b3..19148ba 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -33638,7 +34003,7 @@ index 3d8d1b3..0927db4 100644 type snmpd_t; type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) -@@ -24,7 +25,8 @@ files_type(snmpd_var_lib_t) +@@ -24,12 +25,13 @@ files_type(snmpd_var_lib_t) # # Local policy # @@ -33648,6 +34013,12 @@ index 3d8d1b3..0927db4 100644 dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; + allow snmpd_t self:unix_dgram_socket create_socket_perms; +-allow snmpd_t self:unix_stream_socket create_stream_socket_perms; ++allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow snmpd_t self:tcp_socket create_stream_socket_perms; + allow snmpd_t self:udp_socket connected_stream_socket_perms; + @@ -43,8 +45,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) @@ -34375,7 +34746,7 @@ index d2496bd..1d0c078 100644 allow $1 squid_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te -index 4b2230e..744b172 100644 +index 4b2230e..cb4411d 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) @@ -34403,6 +34774,15 @@ index 4b2230e..744b172 100644 ## gen_tunable(squid_use_tproxy, false) +@@ -29,7 +29,7 @@ type squid_cache_t; + files_type(squid_cache_t) + + type squid_conf_t; +-files_type(squid_conf_t) ++files_config_file(squid_conf_t) + + type squid_initrc_exec_t; + init_script_file(squid_initrc_exec_t) diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index 078bcd7..06da5f7 100644 --- a/policy/modules/services/ssh.fc @@ -34715,7 +35095,7 @@ index 22adaca..784c363 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..57a8f21 100644 +index 2dad3c8..4877b5a 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -34860,7 +35240,7 @@ index 2dad3c8..57a8f21 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -200,6 +203,56 @@ optional_policy(` +@@ -200,6 +203,57 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -34881,6 +35261,7 @@ index 2dad3c8..57a8f21 100644 + +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) ++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + +kernel_read_kernel_sysctls(ssh_keygen_t) + @@ -34917,7 +35298,7 @@ index 2dad3c8..57a8f21 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +262,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,7 +263,7 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -34926,7 +35307,7 @@ index 2dad3c8..57a8f21 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +285,39 @@ optional_policy(` +@@ -232,33 +286,39 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -34975,7 +35356,7 @@ index 2dad3c8..57a8f21 100644 ') optional_policy(` -@@ -266,11 +325,24 @@ optional_policy(` +@@ -266,11 +326,24 @@ optional_policy(` ') optional_policy(` @@ -35001,7 +35382,7 @@ index 2dad3c8..57a8f21 100644 ') optional_policy(` -@@ -284,6 +356,11 @@ optional_policy(` +@@ -284,6 +357,11 @@ optional_policy(` ') optional_policy(` @@ -35013,7 +35394,7 @@ index 2dad3c8..57a8f21 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +369,26 @@ optional_policy(` +@@ -292,26 +370,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -35059,7 +35440,7 @@ index 2dad3c8..57a8f21 100644 ') dnl endif TODO ######################################## -@@ -324,7 +401,6 @@ tunable_policy(`ssh_sysadm_login',` +@@ -324,7 +402,6 @@ tunable_policy(`ssh_sysadm_login',` dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; @@ -35067,7 +35448,7 @@ index 2dad3c8..57a8f21 100644 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; allow ssh_keygen_t sshd_key_t:file manage_file_perms; -@@ -353,10 +429,6 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,10 +430,6 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -35746,9 +36127,18 @@ index 831b4a3..a206464 100644 /var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te -index 00aa99e..eab7ef5 100644 +index 00aa99e..5f1ad7d 100644 --- a/policy/modules/services/ulogd.te +++ b/policy/modules/services/ulogd.te +@@ -11,7 +11,7 @@ init_daemon_domain(ulogd_t, ulogd_exec_t) + + # config files + type ulogd_etc_t; +-files_type(ulogd_etc_t) ++files_config_file(ulogd_etc_t) + + type ulogd_initrc_exec_t; + init_script_file(ulogd_initrc_exec_t) @@ -29,8 +29,13 @@ logging_log_file(ulogd_var_log_t) # ulogd local policy # @@ -35791,7 +36181,7 @@ index 9001230..7ff3ef8 100644 uucp_manage_spool(uux_t) diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te -index e385c83..6524574 100644 +index e385c83..10710fd 100644 --- a/policy/modules/services/varnishd.te +++ b/policy/modules/services/varnishd.te @@ -6,10 +6,10 @@ policy_module(varnishd, 1.1.1) @@ -35809,6 +36199,15 @@ index e385c83..6524574 100644 ## gen_tunable(varnishd_connect_any, false) +@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; + init_script_file(varnishd_initrc_exec_t) + + type varnishd_etc_t; +-files_type(varnishd_etc_t) ++files_config_file(varnishd_etc_t) + + type varnishd_tmp_t; + files_tmp_file(varnishd_tmp_t) diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc new file mode 100644 index 0000000..71d9784 @@ -39741,7 +40140,7 @@ index 6b87605..347f754 100644 allow $1 zebra_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te -index c349adc..f0b1201 100644 +index c349adc..a4855b1 100644 --- a/policy/modules/services/zebra.te +++ b/policy/modules/services/zebra.te @@ -6,11 +6,10 @@ policy_module(zebra, 1.11.1) @@ -39759,6 +40158,15 @@ index c349adc..f0b1201 100644 gen_tunable(allow_zebra_write_config, false) type zebra_t; +@@ -18,7 +17,7 @@ type zebra_exec_t; + init_daemon_domain(zebra_t, zebra_exec_t) + + type zebra_conf_t; +-files_type(zebra_conf_t) ++files_config_file(zebra_conf_t) + + type zebra_initrc_exec_t; + init_script_file(zebra_initrc_exec_t) @@ -52,7 +51,7 @@ allow zebra_t zebra_conf_t:dir list_dir_perms; read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) @@ -40396,9 +40804,18 @@ index 89cc088..81e5ed4 100644 + allow $1 svc_run_t:process sigchld; +') diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te -index 183fcf1..699451c 100644 +index 183fcf1..d923d03 100644 --- a/policy/modules/system/daemontools.te +++ b/policy/modules/system/daemontools.te +@@ -6,7 +6,7 @@ policy_module(daemontools, 1.2.0) + # + + type svc_conf_t; +-files_type(svc_conf_t) ++files_config_file(svc_conf_t) + + type svc_log_t; + files_type(svc_log_t) @@ -38,7 +38,10 @@ files_type(svc_svc_t) # multilog creates /service/*/log/status manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t) @@ -40489,7 +40906,7 @@ index a97a096..dd65c15 100644 /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index a442acc..69c1509 100644 +index a442acc..aef0c84 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; @@ -40536,10 +40953,14 @@ index a442acc..69c1509 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +171,14 @@ optional_policy(` +@@ -166,6 +171,18 @@ optional_policy(` ') optional_policy(` ++ devicekit_dontaudit_read_pid_files(fsadm_t) ++') ++ ++optional_policy(` + hal_dontaudit_write_log(fsadm_t) +') + @@ -40551,7 +40972,7 @@ index a442acc..69c1509 100644 nis_use_ypbind(fsadm_t) ') -@@ -175,6 +188,10 @@ optional_policy(` +@@ -175,6 +192,10 @@ optional_policy(` ') optional_policy(` @@ -40634,7 +41055,7 @@ index 9775375..41a244a 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index df3fa64..36da732 100644 +index df3fa64..cbc34e2 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` @@ -40683,8 +41104,11 @@ index df3fa64..36da732 100644 # daemons started from init will # inherit fds from init for the console -@@ -285,7 +306,7 @@ interface(`init_ranged_daemon_domain',` +@@ -283,17 +304,20 @@ interface(`init_daemon_domain',` + interface(`init_ranged_daemon_domain',` + gen_require(` type initrc_t; ++ type init_t; ') - init_daemon_domain($1,$2) @@ -40692,7 +41116,17 @@ index df3fa64..36da732 100644 ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; -@@ -336,8 +357,10 @@ interface(`init_ranged_daemon_domain',` ++ range_transition init_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) ++ range_transition init_t $2:process $3; + ') + ') + +@@ -336,8 +360,10 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -40703,7 +41137,7 @@ index df3fa64..36da732 100644 ') application_domain($1,$2) -@@ -345,6 +368,20 @@ interface(`init_system_domain',` +@@ -345,6 +371,20 @@ interface(`init_system_domain',` role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -40724,7 +41158,7 @@ index df3fa64..36da732 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -353,6 +390,37 @@ interface(`init_system_domain',` +@@ -353,6 +393,37 @@ interface(`init_system_domain',` kernel_dontaudit_use_fds($1) ') ') @@ -40762,7 +41196,27 @@ index df3fa64..36da732 100644 ') ######################################## -@@ -687,19 +755,24 @@ interface(`init_telinit',` +@@ -401,16 +472,19 @@ interface(`init_system_domain',` + interface(`init_ranged_system_domain',` + gen_require(` + type initrc_t; ++ type init_t; + ') + + init_system_domain($1,$2) + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; ++ range_transition init_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; ++ range_transition init_t $2:process $3; + ') + ') + +@@ -687,19 +761,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -40788,7 +41242,7 @@ index df3fa64..36da732 100644 ') ') -@@ -772,18 +845,19 @@ interface(`init_script_file_entry_type',` +@@ -772,18 +851,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -40812,7 +41266,7 @@ index df3fa64..36da732 100644 ') ') -@@ -799,23 +873,45 @@ interface(`init_spec_domtrans_script',` +@@ -799,23 +879,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -40862,7 +41316,7 @@ index df3fa64..36da732 100644 ## Execute a init script in a specified domain. ## ## -@@ -867,8 +963,12 @@ interface(`init_script_file_domtrans',` +@@ -867,8 +969,12 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -40875,7 +41329,7 @@ index df3fa64..36da732 100644 domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1129,12 +1229,7 @@ interface(`init_read_script_state',` +@@ -1129,12 +1235,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -40889,7 +41343,7 @@ index df3fa64..36da732 100644 ') ######################################## -@@ -1374,6 +1469,27 @@ interface(`init_dbus_send_script',` +@@ -1374,6 +1475,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -40917,7 +41371,7 @@ index df3fa64..36da732 100644 ## init scripts over dbus. ## ## -@@ -1460,6 +1576,25 @@ interface(`init_getattr_script_status_files',` +@@ -1460,6 +1582,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -40943,7 +41397,7 @@ index df3fa64..36da732 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1673,7 +1808,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1673,7 +1814,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -40952,7 +41406,7 @@ index df3fa64..36da732 100644 ') ######################################## -@@ -1748,3 +1883,93 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1748,3 +1889,93 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -41047,7 +41501,7 @@ index df3fa64..36da732 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8a105fd..9a3255e 100644 +index 8a105fd..dccae9d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -41152,7 +41606,15 @@ index 8a105fd..9a3255e 100644 files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dirs(init_t) files_manage_etc_runtime_files(init_t) -@@ -162,12 +194,15 @@ init_domtrans_script(init_t) +@@ -151,6 +183,7 @@ mls_file_read_all_levels(init_t) + mls_file_write_all_levels(init_t) + mls_process_write_down(init_t) + mls_fd_use_all_levels(init_t) ++mls_rangetrans_source(initrc_t) + + selinux_set_all_booleans(init_t) + +@@ -162,12 +195,15 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -41168,7 +41630,7 @@ index 8a105fd..9a3255e 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +213,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +214,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -41177,7 +41639,7 @@ index 8a105fd..9a3255e 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +221,115 @@ tunable_policy(`init_upstart',` +@@ -186,12 +222,116 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -41249,6 +41711,7 @@ index 8a105fd..9a3255e 100644 + files_manage_all_pids(init_t) + files_manage_all_locks(init_t) + files_setattr_all_tmp_dirs(init_t) ++ logging_setattr_all_log_dirs(init_t) + + files_purge_tmp(init_t) + files_manage_generic_tmp_files(init_t) @@ -41293,7 +41756,7 @@ index 8a105fd..9a3255e 100644 ') optional_policy(` -@@ -199,10 +337,24 @@ optional_policy(` +@@ -199,10 +339,24 @@ optional_policy(` ') optional_policy(` @@ -41318,7 +41781,7 @@ index 8a105fd..9a3255e 100644 unconfined_domain(init_t) ') -@@ -212,7 +364,7 @@ optional_policy(` +@@ -212,7 +366,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -41327,7 +41790,7 @@ index 8a105fd..9a3255e 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +393,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +395,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -41342,7 +41805,7 @@ index 8a105fd..9a3255e 100644 init_write_initctl(initrc_t) -@@ -258,11 +412,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,11 +414,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -41366,7 +41829,7 @@ index 8a105fd..9a3255e 100644 corecmd_exec_all_executables(initrc_t) -@@ -291,6 +457,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +459,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -41374,7 +41837,7 @@ index 8a105fd..9a3255e 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +465,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +467,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -41390,7 +41853,7 @@ index 8a105fd..9a3255e 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +490,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +492,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -41402,7 +41865,7 @@ index 8a105fd..9a3255e 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +509,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +511,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -41416,7 +41879,7 @@ index 8a105fd..9a3255e 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +524,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +526,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -41425,7 +41888,7 @@ index 8a105fd..9a3255e 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +538,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +540,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -41433,7 +41896,7 @@ index 8a105fd..9a3255e 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +550,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +552,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -41441,7 +41904,7 @@ index 8a105fd..9a3255e 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +571,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +573,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -41457,7 +41920,7 @@ index 8a105fd..9a3255e 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +651,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +653,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -41466,7 +41929,7 @@ index 8a105fd..9a3255e 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +697,23 @@ ifdef(`distro_redhat',` +@@ -519,6 +699,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -41490,7 +41953,7 @@ index 8a105fd..9a3255e 100644 ') optional_policy(` -@@ -526,10 +721,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +723,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -41508,7 +41971,7 @@ index 8a105fd..9a3255e 100644 ') optional_policy(` -@@ -544,6 +746,35 @@ ifdef(`distro_suse',` +@@ -544,6 +748,35 @@ ifdef(`distro_suse',` ') ') @@ -41544,7 +42007,7 @@ index 8a105fd..9a3255e 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +787,8 @@ optional_policy(` +@@ -556,6 +789,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -41553,7 +42016,7 @@ index 8a105fd..9a3255e 100644 ') optional_policy(` -@@ -572,6 +805,7 @@ optional_policy(` +@@ -572,6 +807,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -41561,7 +42024,7 @@ index 8a105fd..9a3255e 100644 ') optional_policy(` -@@ -584,6 +818,11 @@ optional_policy(` +@@ -584,6 +820,11 @@ optional_policy(` ') optional_policy(` @@ -41573,7 +42036,7 @@ index 8a105fd..9a3255e 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,9 +839,13 @@ optional_policy(` +@@ -600,9 +841,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -41587,7 +42050,7 @@ index 8a105fd..9a3255e 100644 ') optional_policy(` -@@ -701,7 +944,13 @@ optional_policy(` +@@ -701,7 +946,13 @@ optional_policy(` ') optional_policy(` @@ -41601,7 +42064,7 @@ index 8a105fd..9a3255e 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +973,10 @@ optional_policy(` +@@ -724,6 +975,10 @@ optional_policy(` ') optional_policy(` @@ -41612,7 +42075,7 @@ index 8a105fd..9a3255e 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -737,6 +990,10 @@ optional_policy(` +@@ -737,6 +992,10 @@ optional_policy(` ') optional_policy(` @@ -41623,7 +42086,7 @@ index 8a105fd..9a3255e 100644 quota_manage_flags(initrc_t) ') -@@ -745,6 +1002,10 @@ optional_policy(` +@@ -745,6 +1004,10 @@ optional_policy(` ') optional_policy(` @@ -41634,7 +42097,7 @@ index 8a105fd..9a3255e 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +1027,6 @@ optional_policy(` +@@ -766,8 +1029,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -41643,7 +42106,7 @@ index 8a105fd..9a3255e 100644 ') optional_policy(` -@@ -776,14 +1035,21 @@ optional_policy(` +@@ -776,14 +1037,21 @@ optional_policy(` ') optional_policy(` @@ -41665,7 +42128,7 @@ index 8a105fd..9a3255e 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1071,19 @@ optional_policy(` +@@ -805,11 +1073,19 @@ optional_policy(` ') optional_policy(` @@ -41686,7 +42149,7 @@ index 8a105fd..9a3255e 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1093,25 @@ optional_policy(` +@@ -819,6 +1095,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -41712,7 +42175,7 @@ index 8a105fd..9a3255e 100644 ') optional_policy(` -@@ -844,3 +1137,59 @@ optional_policy(` +@@ -844,3 +1139,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -42805,7 +43268,7 @@ index 571599b..17dd196 100644 + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index c7cfb62..db7ad6b 100644 +index c7cfb62..f32290a 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',` @@ -42853,7 +43316,7 @@ index c7cfb62..db7ad6b 100644 ## Read the auditd configuration files. ## ## -@@ -715,7 +753,25 @@ interface(`logging_append_all_logs',` +@@ -715,7 +753,44 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -42877,10 +43340,29 @@ index c7cfb62..db7ad6b 100644 + ') + + allow $1 logfile:file { getattr append }; ++') ++ ++######################################## ++## ++## Set attributes on all log dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_setattr_all_log_dirs',` ++ gen_require(` ++ attribute logfile; ++ ') ++ ++ allow $1 logfile:dir setattr; ') ######################################## -@@ -798,7 +854,7 @@ interface(`logging_manage_all_logs',` +@@ -798,7 +873,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -42889,7 +43371,7 @@ index c7cfb62..db7ad6b 100644 ') ######################################## -@@ -996,6 +1052,8 @@ interface(`logging_admin_syslog',` +@@ -996,6 +1071,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -42899,10 +43381,16 @@ index c7cfb62..db7ad6b 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index aa2b0a6..fc5aa2c 100644 +index aa2b0a6..304fbba 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -60,6 +60,7 @@ files_type(syslog_conf_t) +@@ -55,11 +55,12 @@ type klogd_var_run_t; + files_pid_file(klogd_var_run_t) + + type syslog_conf_t; +-files_type(syslog_conf_t) ++files_config_file(syslog_conf_t) + type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) @@ -43060,7 +43548,7 @@ index 58bc27f..b4f0663 100644 + allow $1 clvmd_tmpfs_t:file rw_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 86ef2da..f1fe005 100644 +index 86ef2da..17aeb3e 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -43073,6 +43561,15 @@ index 86ef2da..f1fe005 100644 type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) +@@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t) + role system_r types lvm_t; + + type lvm_etc_t; +-files_type(lvm_etc_t) ++files_config_file(lvm_etc_t) + + type lvm_lock_t; + files_lock_file(lvm_lock_t) @@ -56,6 +59,10 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; @@ -43256,10 +43753,10 @@ index 9c0faab..def8d5a 100644 ## loading modules. ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 74a4466..7243733 100644 +index 74a4466..9061149 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te -@@ -18,6 +18,7 @@ type insmod_t; +@@ -18,11 +18,12 @@ type insmod_t; type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) mls_file_write_all_levels(insmod_t) @@ -43267,6 +43764,12 @@ index 74a4466..7243733 100644 role system_r types insmod_t; # module loading config + type modules_conf_t; +-files_type(modules_conf_t) ++files_config_file(modules_conf_t) + + # module dependencies + type modules_dep_t; @@ -36,6 +37,9 @@ role system_r types update_modules_t; type update_modules_tmp_t; files_tmp_file(update_modules_tmp_t) @@ -43621,7 +44124,7 @@ index 8b5c196..b195f9d 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6fe8471..139e2c9 100644 +index 6fe8471..21de81b 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -43663,7 +44166,7 @@ index 6fe8471..139e2c9 100644 # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -+allow mount_t self:capability { fsetid ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; ++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; +allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal }; +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; @@ -45130,7 +45633,7 @@ index 8e71fb7..350d003 100644 + role_transition $1 dhcpc_exec_t system_r; ') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index dfbe736..f66bf66 100644 +index dfbe736..d1f6368 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0) @@ -45157,6 +45660,15 @@ index dfbe736..f66bf66 100644 type dhcpc_state_t; files_type(dhcpc_state_t) +@@ -34,7 +44,7 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) + role system_r types ifconfig_t; + + type net_conf_t alias resolv_conf_t; +-files_type(net_conf_t) ++files_config_file(net_conf_t) + + ######################################## + # @@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7da2388d..b4fc3ecc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.10 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,13 @@ exit 0 %endif %changelog +* Thu Dec 1 2010 Miroslav Grepl 3.9.9-5 +- Fix cron to run ranged when started by init +- Fix devicekit to use log files +- Dontaudit use of devicekit_var_run_t for fstools +- Allow init to setattr on logfile directories +- Allow hald to manage files in /var/run/pm-utils/ dir which is now labeled as devicekit_var_run_t + * Tue Nov 30 2010 Dan Walsh 3.9.9-4 - Fix up handling of dnsmasq_t creating /var/run/libvirt/network - Turn on sshd_forward_ports boolean by default