Add latest changes from selinux-policy.git

This commit is contained in:
Miroslav Grepl 2014-01-10 14:55:21 +01:00
parent 01969cfc26
commit 0a96c38442
2 changed files with 447 additions and 402 deletions


@ -5400,7 +5400,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..fd1a0d0 100644
index b191055..51daa72 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5609,7 +5609,7 @@ index b191055..fd1a0d0 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
@@ -186,26 +225,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
@@ -186,26 +225,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@ -5628,6 +5628,7 @@ index b191055..fd1a0d0 100644
network_port(oa_system, tcp,8022,s0, udp,8022,s0)
-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
+network_port(openflow, tcp,6633,s0, tcp,6653,s0)
network_port(openhpid, tcp,4743,s0, udp,4743,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+network_port(osapi_compute, tcp, 8774, s0)
@ -5648,7 +5649,7 @@ index b191055..fd1a0d0 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
@@ -215,39 +262,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
@@ -215,39 +263,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@ -5701,7 +5702,7 @@ index b191055..fd1a0d0 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
@@ -259,8 +312,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
@@ -259,8 +313,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@ -5712,7 +5713,7 @@ index b191055..fd1a0d0 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
@@ -271,10 +325,10 @@ network_port(varnishd, tcp,6081-6082,s0)
@@ -271,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@ -5725,7 +5726,7 @@ index b191055..fd1a0d0 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
@@ -288,19 +342,23 @@ network_port(zabbix_agent, tcp,10050,s0)
@@ -288,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@ -5752,7 +5753,7 @@ index b191055..fd1a0d0 100644
########################################
#
@@ -333,6 +391,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
@@ -333,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@ -5761,7 +5762,7 @@ index b191055..fd1a0d0 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
@@ -345,9 +405,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
@@ -345,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@ -9407,7 +9408,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76..35cd90c 100644
index f962f76..5c44da2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -10081,7 +10082,31 @@ index f962f76..35cd90c 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -1765,6 +2171,26 @@ interface(`files_dontaudit_rw_root_dir',`
@@ -1725,6 +2131,23 @@ interface(`files_list_root',`
allow $1 root_t:dir list_dir_perms;
allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
')
+########################################
+## <summary>
+## Do not audit attempts to write to / dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_write_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir write;
+')
########################################
## <summary>
@@ -1765,6 +2188,26 @@ interface(`files_dontaudit_rw_root_dir',`
########################################
## <summary>
@ -10108,7 +10133,7 @@ index f962f76..35cd90c 100644
## Create an object in the root directory, with a private
## type using a type transition.
## </summary>
@@ -1892,25 +2318,25 @@ interface(`files_delete_root_dir_entry',`
@@ -1892,25 +2335,25 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@ -10140,7 +10165,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1923,7 +2349,7 @@ interface(`files_relabel_rootfs',`
@@ -1923,7 +2366,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@ -10149,7 +10174,7 @@ index f962f76..35cd90c 100644
')
########################################
@@ -1946,6 +2372,24 @@ interface(`files_unmount_rootfs',`
@@ -1946,6 +2389,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@ -10174,7 +10199,7 @@ index f962f76..35cd90c 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
@@ -2181,6 +2625,24 @@ interface(`files_relabelfrom_boot_files',`
@@ -2181,6 +2642,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@ -10199,7 +10224,7 @@ index f962f76..35cd90c 100644
######################################
## <summary>
## Read symbolic links in the /boot directory.
@@ -2645,6 +3107,24 @@ interface(`files_rw_etc_dirs',`
@@ -2645,6 +3124,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@ -10224,7 +10249,7 @@ index f962f76..35cd90c 100644
##########################################
## <summary>
## Manage generic directories in /etc
@@ -2716,6 +3196,7 @@ interface(`files_read_etc_files',`
@@ -2716,6 +3213,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@ -10232,7 +10257,7 @@ index f962f76..35cd90c 100644
')
########################################
@@ -2724,7 +3205,7 @@ interface(`files_read_etc_files',`
@@ -2724,7 +3222,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@ -10241,7 +10266,7 @@ index f962f76..35cd90c 100644
## </summary>
## </param>
#
@@ -2780,6 +3261,25 @@ interface(`files_manage_etc_files',`
@@ -2780,6 +3278,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@ -10267,7 +10292,7 @@ index f962f76..35cd90c 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
@@ -2798,6 +3298,24 @@ interface(`files_delete_etc_files',`
@@ -2798,6 +3315,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@ -10292,7 +10317,7 @@ index f962f76..35cd90c 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
@@ -2963,24 +3481,6 @@ interface(`files_delete_boot_flag',`
@@ -2963,24 +3498,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@ -10317,7 +10342,7 @@ index f962f76..35cd90c 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
@@ -3021,9 +3521,7 @@ interface(`files_read_etc_runtime_files',`
@@ -3021,9 +3538,7 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@ -10328,7 +10353,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3031,18 +3529,17 @@ interface(`files_read_etc_runtime_files',`
@@ -3031,18 +3546,17 @@ interface(`files_read_etc_runtime_files',`
## </summary>
## </param>
#
@ -10350,7 +10375,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3060,6 +3557,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
@@ -3060,6 +3574,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
## <summary>
@ -10377,7 +10402,7 @@ index f962f76..35cd90c 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
@@ -3077,6 +3594,7 @@ interface(`files_rw_etc_runtime_files',`
@@ -3077,6 +3611,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@ -10385,7 +10410,7 @@ index f962f76..35cd90c 100644
')
########################################
@@ -3098,6 +3616,7 @@ interface(`files_manage_etc_runtime_files',`
@@ -3098,6 +3633,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@ -10393,58 +10418,11 @@ index f962f76..35cd90c 100644
')
########################################
@@ -3150,45 +3669,64 @@ interface(`files_getattr_isid_type_dirs',`
@@ -3150,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
## <summary>
-## Do not audit attempts to search directories on new filesystems
+## Setattr of directories on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`files_dontaudit_search_isid_type_dirs',`
+interface(`files_setattr_isid_type_dirs',`
gen_require(`
type file_t;
')
- dontaudit $1 file_t:dir search_dir_perms;
+ allow $1 file_t:dir setattr;
')
########################################
## <summary>
-## List the contents of directories on new filesystems
+## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
-interface(`files_list_isid_type_dirs',`
+interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
type file_t;
')
- allow $1 file_t:dir list_dir_perms;
+ dontaudit $1 file_t:dir search_dir_perms;
')
########################################
## <summary>
-## Read and write directories on new filesystems
+## List the contents of directories on new filesystems
+## that have not yet been labeled.
+## </summary>
+## <param name="domain">
@ -10453,21 +10431,20 @@ index f962f76..35cd90c 100644
+## </summary>
+## </param>
+#
+interface(`files_list_isid_type_dirs',`
+interface(`files_setattr_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:dir list_dir_perms;
+ allow $1 file_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Read and write directories on new filesystems
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
@@ -3223,6 +3761,62 @@ interface(`files_delete_isid_type_dirs',`
@@ -3223,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',`
delete_dirs_pattern($1, file_t, file_t)
')
@ -10530,7 +10507,7 @@ index f962f76..35cd90c 100644
########################################
## <summary>
@@ -3473,6 +4067,25 @@ interface(`files_rw_isid_type_blk_files',`
@@ -3473,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@ -10556,7 +10533,7 @@ index f962f76..35cd90c 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
@@ -3814,20 +4427,38 @@ interface(`files_list_mnt',`
@@ -3814,20 +4444,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@ -10600,7 +10577,7 @@ index f962f76..35cd90c 100644
')
########################################
@@ -4217,6 +4848,172 @@ interface(`files_read_world_readable_sockets',`
@@ -4217,6 +4865,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@ -10773,7 +10750,7 @@ index f962f76..35cd90c 100644
########################################
## <summary>
## Allow the specified type to associate
@@ -4239,6 +5036,26 @@ interface(`files_associate_tmp',`
@@ -4239,6 +5053,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@ -10800,7 +10777,7 @@ index f962f76..35cd90c 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
@@ -4252,17 +5069,37 @@ interface(`files_getattr_tmp_dirs',`
@@ -4252,17 +5086,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@ -10839,7 +10816,7 @@ index f962f76..35cd90c 100644
## </summary>
## </param>
#
@@ -4289,6 +5126,7 @@ interface(`files_search_tmp',`
@@ -4289,6 +5143,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@ -10847,7 +10824,7 @@ index f962f76..35cd90c 100644
allow $1 tmp_t:dir search_dir_perms;
')
@@ -4325,6 +5163,7 @@ interface(`files_list_tmp',`
@@ -4325,6 +5180,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@ -10855,7 +10832,7 @@ index f962f76..35cd90c 100644
allow $1 tmp_t:dir list_dir_perms;
')
@@ -4334,7 +5173,7 @@ interface(`files_list_tmp',`
@@ -4334,7 +5190,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@ -10864,7 +10841,7 @@ index f962f76..35cd90c 100644
## </summary>
## </param>
#
@@ -4346,6 +5185,25 @@ interface(`files_dontaudit_list_tmp',`
@@ -4346,6 +5202,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@ -10890,7 +10867,7 @@ index f962f76..35cd90c 100644
########################################
## <summary>
## Remove entries from the tmp directory.
@@ -4361,6 +5219,7 @@ interface(`files_delete_tmp_dir_entry',`
@@ -4361,6 +5236,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@ -10898,7 +10875,7 @@ index f962f76..35cd90c 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
@@ -4402,6 +5261,32 @@ interface(`files_manage_generic_tmp_dirs',`
@@ -4402,6 +5278,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@ -10931,7 +10908,7 @@ index f962f76..35cd90c 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
@@ -4456,7 +5341,7 @@ interface(`files_rw_generic_tmp_sockets',`
@@ -4456,7 +5358,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@ -10940,7 +10917,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4464,17 +5349,17 @@ interface(`files_rw_generic_tmp_sockets',`
@@ -4464,17 +5366,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@ -10962,7 +10939,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4482,34 +5367,124 @@ interface(`files_setattr_all_tmp_dirs',`
@@ -4482,44 +5384,134 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@ -11000,14 +10977,17 @@ index f962f76..35cd90c 100644
- allow $1 var_t:dir search_dir_perms;
- relabel_dirs_pattern($1, tmpfile, tmpfile)
+ allow $1 tmpfile:dir { search_dir_perms setattr };
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Do not audit attempts to get the attributes
-## of all tmp files.
+## Allow caller to read inherited tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain allowed access.
+## </summary>
+## </param>
@ -11094,10 +11074,20 @@ index f962f76..35cd90c 100644
+
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
')
########################################
@@ -4519,7 +5494,7 @@ interface(`files_relabel_all_tmp_dirs',`
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of all tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@ -11106,16 +11096,7 @@ index f962f76..35cd90c 100644
## </summary>
## </param>
#
@@ -4579,7 +5554,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
-## Domain not to audit.
+## Domain to not audit.
## </summary>
## </param>
#
@@ -4611,6 +5586,44 @@ interface(`files_read_all_tmp_files',`
@@ -4611,6 +5603,44 @@ interface(`files_read_all_tmp_files',`
########################################
## <summary>
@ -11160,7 +11141,7 @@ index f962f76..35cd90c 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
## </summary>
@@ -4664,6 +5677,16 @@ interface(`files_purge_tmp',`
@@ -4664,6 +5694,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -11177,7 +11158,7 @@ index f962f76..35cd90c 100644
')
########################################
@@ -5241,6 +6264,24 @@ interface(`files_list_var',`
@@ -5241,6 +6281,24 @@ interface(`files_list_var',`
########################################
## <summary>
@ -11202,7 +11183,7 @@ index f962f76..35cd90c 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
@@ -5527,6 +6568,25 @@ interface(`files_rw_var_lib_dirs',`
@@ -5527,6 +6585,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
## <summary>
@ -11228,7 +11209,7 @@ index f962f76..35cd90c 100644
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
@@ -5596,6 +6656,25 @@ interface(`files_read_var_lib_symlinks',`
@@ -5596,6 +6673,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@ -11254,7 +11235,7 @@ index f962f76..35cd90c 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
@@ -5641,7 +6720,7 @@ interface(`files_manage_mounttab',`
@@ -5641,7 +6737,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@ -11263,7 +11244,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5649,12 +6728,13 @@ interface(`files_manage_mounttab',`
@@ -5649,12 +6745,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@ -11279,7 +11260,7 @@ index f962f76..35cd90c 100644
')
########################################
@@ -5672,6 +6752,7 @@ interface(`files_search_locks',`
@@ -5672,6 +6769,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@ -11287,7 +11268,7 @@ index f962f76..35cd90c 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
@@ -5698,7 +6779,26 @@ interface(`files_dontaudit_search_locks',`
@@ -5698,7 +6796,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@ -11315,7 +11296,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5706,13 +6806,12 @@ interface(`files_dontaudit_search_locks',`
@@ -5706,13 +6823,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@ -11332,7 +11313,7 @@ index f962f76..35cd90c 100644
')
########################################
@@ -5731,7 +6830,7 @@ interface(`files_rw_lock_dirs',`
@@ -5731,7 +6847,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@ -11341,7 +11322,7 @@ index f962f76..35cd90c 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
@@ -5764,7 +6863,6 @@ interface(`files_create_lock_dirs',`
@@ -5764,7 +6880,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@ -11349,7 +11330,7 @@ index f962f76..35cd90c 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
@@ -5779,7 +6877,7 @@ interface(`files_relabel_all_lock_dirs',`
@@ -5779,7 +6894,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
## <summary>
@ -11358,7 +11339,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -5787,13 +6885,33 @@ interface(`files_relabel_all_lock_dirs',`
@@ -5787,13 +6902,33 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@ -11393,7 +11374,7 @@ index f962f76..35cd90c 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
@@ -5809,13 +6927,12 @@ interface(`files_getattr_generic_locks',`
@@ -5809,13 +6944,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@ -11411,7 +11392,7 @@ index f962f76..35cd90c 100644
')
########################################
@@ -5834,9 +6951,7 @@ interface(`files_manage_generic_locks',`
@@ -5834,9 +6968,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@ -11422,7 +11403,7 @@ index f962f76..35cd90c 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
@@ -5878,8 +6993,7 @@ interface(`files_read_all_locks',`
@@ -5878,8 +7010,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@ -11432,7 +11413,7 @@ index f962f76..35cd90c 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
@@ -5901,8 +7015,7 @@ interface(`files_manage_all_locks',`
@@ -5901,8 +7032,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@ -11442,7 +11423,7 @@ index f962f76..35cd90c 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
@@ -5939,8 +7052,7 @@ interface(`files_lock_filetrans',`
@@ -5939,8 +7069,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@ -11452,7 +11433,7 @@ index f962f76..35cd90c 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
@@ -5979,7 +7091,7 @@ interface(`files_setattr_pid_dirs',`
@@ -5979,7 +7108,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@ -11461,7 +11442,7 @@ index f962f76..35cd90c 100644
allow $1 var_run_t:dir setattr;
')
@@ -5999,10 +7111,48 @@ interface(`files_search_pids',`
@@ -5999,10 +7128,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@ -11510,7 +11491,7 @@ index f962f76..35cd90c 100644
########################################
## <summary>
## Do not audit attempts to search
@@ -6025,28 +7175,47 @@ interface(`files_dontaudit_search_pids',`
@@ -6025,27 +7192,46 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@ -11541,7 +11522,6 @@ index f962f76..35cd90c 100644
########################################
## <summary>
-## Read generic process ID files.
-## </summary>
+## List the contents of the runtime process
+## ID directories (/var/run).
+## </summary>
@ -11563,11 +11543,10 @@ index f962f76..35cd90c 100644
+########################################
+## <summary>
+## Read generic process ID files.
+## </summary>
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
@@ -6058,7 +7227,7 @@ interface(`files_read_generic_pids',`
@@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@ -11576,7 +11555,7 @@ index f962f76..35cd90c 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
@@ -6078,7 +7247,7 @@ interface(`files_write_generic_pid_pipes',`
@@ -6078,7 +7264,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@ -11585,7 +11564,7 @@ index f962f76..35cd90c 100644
allow $1 var_run_t:fifo_file write;
')
@@ -6140,7 +7309,6 @@ interface(`files_pid_filetrans',`
@@ -6140,7 +7326,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@ -11593,7 +11572,7 @@ index f962f76..35cd90c 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
@@ -6169,6 +7337,24 @@ interface(`files_pid_filetrans_lock_dir',`
@@ -6169,6 +7354,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
## <summary>
@ -11618,7 +11597,7 @@ index f962f76..35cd90c 100644
## Read and write generic process ID files.
## </summary>
## <param name="domain">
@@ -6182,7 +7368,7 @@ interface(`files_rw_generic_pids',`
@@ -6182,7 +7385,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@ -11627,7 +11606,7 @@ index f962f76..35cd90c 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
@@ -6249,55 +7435,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
@@ -6249,55 +7452,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@ -11690,7 +11669,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6305,42 +7479,35 @@ interface(`files_delete_all_pids',`
@@ -6305,42 +7496,35 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@ -11740,7 +11719,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6348,18 +7515,18 @@ interface(`files_manage_all_pids',`
@@ -6348,18 +7532,18 @@ interface(`files_manage_all_pids',`
## </summary>
## </param>
#
@ -11764,7 +11743,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6367,37 +7534,40 @@ interface(`files_mounton_all_poly_members',`
@@ -6367,37 +7551,40 @@ interface(`files_mounton_all_poly_members',`
## </summary>
## </param>
#
@ -11816,7 +11795,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6405,18 +7575,17 @@ interface(`files_dontaudit_search_spool',`
@@ -6405,18 +7592,17 @@ interface(`files_dontaudit_search_spool',`
## </summary>
## </param>
#
@ -11839,7 +11818,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6424,18 +7593,18 @@ interface(`files_list_spool',`
@@ -6424,18 +7610,18 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@ -11863,7 +11842,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6443,19 +7612,18 @@ interface(`files_manage_generic_spool_dirs',`
@@ -6443,19 +7629,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@ -11888,7 +11867,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6463,55 +7631,130 @@ interface(`files_read_generic_spool',`
@@ -6463,55 +7648,130 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
@ -12038,7 +12017,7 @@ index f962f76..35cd90c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -6519,64 +7762,767 @@ interface(`files_spool_filetrans',`
@@ -6519,64 +7779,767 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@ -21729,7 +21708,7 @@ index cc877c7..07f129b 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 8274418..830bb6f 100644
index 8274418..abeb351 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -21851,7 +21830,7 @@ index 8274418..830bb6f 100644
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0)
+/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
@ -29783,7 +29762,7 @@ index 17eda24..7acba2b 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..32fad12 100644
index 662e79b..05d25b0 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,23 @@
@ -29825,7 +29804,8 @@ index 662e79b..32fad12 100644
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
-/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+/var/log/pluto\.log.* -- gen_context(system_u:object_r:ipsec_log_t,s0)
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
@ -31424,7 +31404,7 @@ index 446fa99..050a2ac 100644
- nscd_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b50c5fe..2faaaf2 100644
index b50c5fe..e55a556 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,10 +2,13 @@
@ -31468,7 +31448,7 @@ index b50c5fe..2faaaf2 100644
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -38,13 +54,13 @@ ifdef(`distro_suse', `
@@ -38,21 +54,22 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@ -31483,8 +31463,10 @@ index b50c5fe..2faaaf2 100644
+/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',`
-/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+/var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
')
ifdef(`distro_redhat',`
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@ -32362,7 +32344,7 @@ index 59b04c1..7b0ef85 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 6b91740..b250b3e 100644
index 6b91740..633e449 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
@ -32474,12 +32456,13 @@ index 6b91740..b250b3e 100644
#
# /var
@@ -98,5 +168,8 @@ ifdef(`distro_gentoo',`
@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/multipathd(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
