From 0cdcb41ef424db7422846ef715c5517215561445 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 7 Mar 2017 18:20:47 +0100 Subject: [PATCH] * Tue Mar 07 2017 Lukas Vrabec - 3.13.1-244 - Update fwupd policy - /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t - Update ganesha policy - Allow chronyd to read adjtime - Merge pull request #194 from hogarthj/certbot_policy - get the correct cert_t context on certbot certificates bz#1289778 - Label /dev/ss0 as gpfs_device_t --- container-selinux.tgz | Bin 6455 -> 6463 bytes policy-rawhide-base.patch | 227 ++++++++++++--------- policy-rawhide-contrib.patch | 384 +++++++++++++++-------------------- selinux-policy.spec | 11 +- 4 files changed, 301 insertions(+), 321 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 60752204ea32cb1c66b7ce113ad9d9f9fbdaeedb..3c76eaa0415004aa8d04345da5ebe7f9bc531095 100644 GIT binary patch delta 6423 zcmV+y8R+J>GQTo^ABzY8w(GuF00Zq^ZI9eGlFrxZUm@55JQLV6_BeI`JG+NPa=_h( z1A^TJ?!)D-qn6m+%IGbUdS1@({`RXXzKD`Yic)Lrxw{sSv`4CXSSpgmVzEd?Mc#x- z&Z^5~`^_U=ui<+C{(Jm=^TWH>`Y&8>-(G+J?wdDnU%&f*;obXp@87@w=JlJm*Ke=C z30^;zK>Bs4o3ILkZ_?W;+_1<>H}?F0>9ubADgGXm$2&7-u! z`T{zy_hH4JlGaHef4y^Z53Q$3-C*0cDO~`68E*Mh**JHa-^@nvukb;2|Al%zj?Z<; zqGX#u1@Vf+v6T%>9+esM27&xX4(^X=2ajtg7Rxq6ttz0DPIWwg zAj@6S?1K;p4-IIzNuq$>zMVXPxkI{8vx8-o++sOM`2{Pqhb*L6qZ9^wjKy zTq$V0Bhu28qB!q5O2fLg6h+U5Wo?)!E}l{z{{LA}l&JqO{nN9iI@n$jNqfa^Sd#C& ziZyo;Y2&;jG{z3%3a4nD;M;5X?=Ad)_x-Z|*)RY4^Aj04$crhHc-puDb770Y0jPR{ zLrg%%n~P8TYF6DY5`$bQP-U5SKhzD&q9&ahLh3&|Kx%f`gY}Sngt!gyR_Iqnaci@F!3$L(ND>xP(A~7{J7TpOSlZ zRzef23hV(R5z-a)`EXE zXv4pSLd_xZS-*p%#m>R1jfED9eUY(#8xVt{7<6T%-!e2J$;;rGdUgqX&n{-;#6@&7 zAEXBE^*|!LI|mJ1eI4gjlqOKU^O5+wEg;D(-EfQ|ny1;G1hv3`=C=cXf0>%04TYMh zL`d(WPVut&yF?Jqu0@2II0HpYMle+8OpI44n7dkUS)TsCA&}R${%x|mWclrqsQaRB z>ZJi`zP2D{#p)uxy+jQx0?TWv21j61+_Pm~pJSp^yC7Tv^M^EiSRV0uLCCNvvP9Yd za9k=Fwbx;sB{?69a3RQl)_wS3C6O-G13)`6^i$-yjBhBX17AJ}190^3gSr8iB%|?# zHDBF-=F*_Qfl|*-12Il;EvX-tNpx3|Srci?Jjf5aC+*Zn<_Tes^Mi~D2c0FA8Q!n6 z;r;EGpIRB}r`-C=$h!q1E&65f;~SUZw`t0?23g5L;cs5|rtk!R{sA>4<>7RJ5UVMU ztR0w_$mn2o0I34;eiTL_o0UMpFm_Xnx0|PSn^Z-fO`5bkPIZx-$3|?(oiV z)&hRI`N7V3pSv@jVE_?p2|mFjy#j3nb+XIDly}(R^T%lc87PcKCo`cG%)PSVLeQ2k ztbJmPUqmE({HSGr4**^n$Su8j#lQ1n7q4#!5{`3g?PNSUC*y2r76w5!8Sr11MVdqp z)WT&@P(%Sk=mCvffW6S3j|2^0EFJ7!hlge_GPMQ~UwZh>KPqDS4;F(6JWUD<7Fp zsv!+-AD6dauBc;k4Ijy_OD%X;$5H8p8p5&btOjSB>-p(_`aJaZ)7|c2FDTOkm{@OT z$jb@tWBNXu-eC;2*9UCJ(LB!F85TEdfCMGg>%naap&emyIem`#~1P1l6Y-sV)39` zH?Oq?leblWYVVNKm@=q|(|hbdGUk-^Wbs2XrdYK|{l^N)4W+Vtj7a#@A<{4vLh~92 zQPO@cgGKG#T!5a^)kB9=-4$$`(`x3`7uqyddD~U$aO|+fb6hCqskduxetd>HErX)} zBj;6hLwQnLoPcW~i?2OK%~VHg z^*s2Q0Zv8xO2J~S$gsq$jzoe+DN-{SCOCjJ!QGyL?W^=;gpiyo8D*qcV44Ph|LK>Y 
zEUHF-WpI?jYH@UYndXp(8~s(4V-L>W%U~O(HM{7EBqZWKp;&~{9%#Lr7K7ITye;3v=i;)E-5IJk>iY7I+ zr0%PePt&?;98HCfM-`kEfI#}k-E%rQezTJ z7fvR&$R$SncT4FkrO1f2x_NFy7{bdezAko~1jrNmnuqft%MeVg z>36YIo*Gv|RzQ`}1pIu!XizkaoCEcL(!Gx>j8x{Vp})`jEK|q-b{vNu6{Z1qLf{dP zE0~76nx)$hQCNnXBu$!!;8PIoi@Q9yNnqID!oL7)TeBvKgX|_R;sAxEMGyMdCdpOK zGTo>`7|B_)1xOqM)|jwDXI^~%I3@**-Ext$VktO9wR)=n@tR9i^li!Biw)0#E8yd;#LtU~wc5(K5y8bE{QlO6I(YU}EkW zl1dE#*Z|0y!Ze0eNwfxIYjhGW6bm-oi7cT1sVvkop*dG9y5&hLI1wC|Yz_~J=1H#< zHi2GEN!=_f=i-=!N7(mG+TUb5GWX+7&G62JL{y323qblE5l^O*ehU_VN@yXpYer{ibW;>2CvWCVpE>pEM&wZ7o%!pj1?=U; zKb!Z;e12)l3!3w~cC_9M*Xvy++9!Nh%0do4tGxvCUUp}=G51xSSd+V!4bQyQ!VgSS zoJwZ>>}Tl+;e+hLd>1#2TMb~E4c})z0qiF5jEHGWFBG!(xAVOEy)N>9OL+Lq^#Y%a z0jJ>%_VaMH_<8V`IOaK1S$M-b2@QJ|-2`_vgl9x$HTP58U%ZpFOUQ9Gl_N*4LYS-s447}wm!;(gst*)0WgZi+^A_pKI*stvMav6LYfB^TeHO_&jl^2ctZJCtJZWTpvr=Ij(i$B+#@Y z-e2Se9oVt6oaVM(FU+YOD(S4?4fV(h;kMo%KA)mTYG*%`B^z>ay_C-o9x{ z&mtsCRAgD1vimi)$#LG!>ZY#-jZA)Pyt7wQXDlU;t&H;Fj=H)qcRa<}La&iWZ7QLY zxV3Q|>ww#FCUcDzCRQ^2h{X=Z(AJN&mp#3=4}<$oVYzMI|a^$t13VR~_ETXkUw ziEE$opPlb0D0$pxM0gKn)ZLnJlzO)=a(?)wI10o3E_G8>=)z$R1DWr8m*x?P&|8MK3ivLm zH7!W3BW8Pl6RY%Vw{Qm#LcnmCj-Ir{#^ds`UWv8m+x!9pegzp-&ZFoo<9)D-Kx2Z(u;LXnl{ZQi&6N~uGnxA22=`@0v zT%ly^#5Ej>QP=x+!=jPvg_*G`Giz}3f(D{qB9;q7(b5e2-aUM5* zj_#J5MX&TG+KUA3HNB7cc|o|p$Um+4AD<{2nEMJIxxji-CGcipw8rphmBftx;C~s& zpU0DT+w*e3uv1d9`oZeL-*T74ft=Y5&eQQt@`L`TlKTQar5t7qdZ!HDZ>xTS>`^I* z!a5!gNC~|0u4?mlKbaC60~{`RtZaHl@Fz!RXb{QsuSP1z669-Fv8J&OSHXPOL-f5p z!e#D^SK|SN9gj}jCMDR!d|Qk}AAkNhu)0~3L)G7YXrLGGv(BKGfG6ROe@J3?bi+XG z6I`M133(wuR(JYq(e9TF`1p}^n3V`k zitSknozdm{u2wO-)h7U!Fpx$Bio=y|TZ{=PsoG(rv-B24a`2!@Z)w15s(->E8lJa~ zQaLHoqA0zf{E9^3U_7s!^KYrMq)uW=g&Lh7i+REk45QQI0f)~7c)+9<#3pg6<*u>G zKIa)PK-ey%_Myw+KT2Xt%pr3VZufm{^(}bDCeeCWz%|!q9%Q~6sJol1T}`S_IueHf zlU<9n7uUO}SN&-(m`DSyJTNDzdEto;GHW4dubdImxWEy;@}**>`AB}u+#Xpv(r zKWOBQl$6WIfJXFr=U4WsT|rWjV(T%CrTRhmEMgsGYC2d3eiGHEZ>k{Em#1Cx6}?(EA9{UEC$M 
zK~rr`@R=woTHZE1H!?^r<=Np4=L%BG!7HvU$e}AElgvY%%40Wo+P-|Pt8zv|tIO-V9wXlJ|7`gfy!U8aww!l^z*8;)qRvu*26J_D~5?te?znQ)HOa>>D%&(h3X zmH=p2(&7MV*tvu$DP_Wndmyuvwkum-1paM}5Lno0oEFJ4G-T7)dMxttBXH!%?jqtY zL%V2%u7+h?avnkL=SG<5Gf*wi**IR7~!sVW386;d&ly ziwYMx1VDSR__||V%t2py=9N0h)nt)OA!n6YBwkaRHBD?=Qy~VhDW+$oZkhj4Z_r~5bC`KJkI+b6` zs}=~37ET{lX_p193x9^wQ_Y>;uSC&K4e903TJ>aIY`MK5Tohqk@wN}Cg3CTiw+F#m zeGVdT9S?=6J%0oRp?TDv`i_3E{XvUKei+0BbFQ!c;b(;9D^ zU6XS5jie*%TN8ZVQC|G(0VC&miDMLJ99N}tPCT4Rx#1Q#ZTVjv8un2?TgB>E$iw?b zc0-JRfxz`_bYsLq@XoCa3zgy8)o^SP?hOt;=;NClEPtPZ7%}_Dej9?~?NfHzOjDd+ z9=&Soy`2t*$dw{>Wi~1zEnQ6>zG4LPOW9N8;`qu7w@Do4TFMZ%=MkM_6 z8!%{tJB`Np5g%9;gkCTlux1|Gcif4Au3WE4*;Mn-;G1#w-mz!yEqB)5-0U`wO|l&$ETftI zJ6_vjJ(0SWI;s9JSn8&ms$|HmYW%jgH52ywG=Kg(KpOuO0hu8v zYWz?7qp?|r@cIcpjXe*iv8N$5j`XA6U~Jts)AUpGjoJ3S)gBh6)Zp%iy@I;nu_Xk1bn$61lrZr)}GLV^z3n-k-Tg#DTUE@3F&i& z>KN~oBVEU^CJcfvUIxFl-yPL+Fm2mzEUU3CK_`i-zcy`5!s@LXTRXB}t3siv*zqky z_GnFA*Rg%>@8BC>ZEBv(XN{Chm)l4CwttQL`#-OLc=!Iz;QK$m@(#pFY-wO@iGw;u|*W!v|qXst;`g7AM5kub~TE9qQ^TO*S}Tyy7@lm*1VedgYBK zCvM_aZ@mC19mS|o&G3sF0DBS3*a3;ZusM*hi(7>r@bSh0{DPT-bVj?bs^mm4 zMKGr;8}PVrzh0I}Jjov!fy3Yr;ML3Ey%H(D%cxKc0Nlx|r-BZay)`=qz?$1L!2-}% lFLa>YJRE6BzV?LwlMxvj5p$h)zzk7H6`t|Ftu3x{oxqkOm zaQ##Q>DQs=VHE^lrFT`hVUd+??D_xEYxVqj@O^#AvaovmJl<6nPM-h7z!R2fvr!Un#Z~fcRaV(%_G?KR>YOz?p`gPJ6X+G8!oOEZ&RMk$BX<5v zBh9)x*u+<4bsoaqU_SYZJRR;5JNs&vXE8%QTtdh)O(d|unNAuF=HUaQ}k6((ihuNvB6JK zb<-c6y)6oJqICAMBRkYzsZ34XX@9Z_Vh}&#MU}96f~KAQ#-nMQRVI6+Wo$KT)s8@wqNplx!2IAW@Mxwz7fAqcUUBAdvsa!TkyC z;BgJbV%cV>+@SRT4D)c;A4tB8K9-SaPiEUB{4v%|VT^T{C$*Bs8vK%60j(ax(&`yd3u0|yQBBns&5+sOl%JERLW zJ6Kl99hQTXzhi~=kfjuBl)`|I(HMG_VoR1-C*&{dIs%g~4o~8XG=b`!k0jo0 z0ZC@*Mqm`tJb%shB&a0@G`}7A%hU{QDAYt1Li!MOidW6wC4zKzEh5as87N{hf}uKR zV!TSh+|_!^^7Q`=fxNc$Zz{=&mHQ zCeoI9kRNnU+NqDs6T%+ndleH7I!h`uykBR-`|D3Xv@+CRa_cK2?-q!(=$FBdZ(K&) zrYYANWPc?GMZ9_4o5BLNLhjn-HL@2W=K;ho{E1^jgLgPrldaA!Qj05aARe1u7Q1=7V!fRqFDJN<>HBPYhcVPO>+N_uXcrwv!^PB$HoIaeymNU^{)4S)Xj!%sn3RJ_UHD5cdB==d`HkcS)nRU5}1oV}O9 
zHcV@F(Gy8ZBz!`-2&Kn~q4Z3q4ezSrPzL8RsBs}}riT=ANEZOD95z1~UN;HR&!jO4 zOsUgt>ryLMj`F$UkYz=_79+#Cp(NM-Ho>*751U`tFziSBFyGPBi~>O>xPOKT{Z&tn zW;$#V&o13cA8KT&cWgpH_*HuRvOZK>E0Q*(cep( z!gezW&O1+s?WhTOc16?@VFVtj%N!>)Cb4wkRAP%-V#Hr@6Zv3vaNg%1;;P_o7rBi^ z3pwTA^yGpjTmfW5{BIgK`nt!+b0}71}6)2OB^K{*;G4f{Z1am{Rg%q(kK!cy z!LKI=CJBoKQ$105jA`F8?R}X*rr#77{@atyw4g1E)^B>E@u*w?z@v2CM_S!{yH-BvXh`5pfdkdQj@=EJ&AB%>aN6fUGG@V_20$YcRG(C*h)D!G=4L z1@u3ag<2*w=ZZylB54IDg5#3S;UUpH=^KSjpl_z6ZkCmEam>Oa?fWL}Z?YYk`w6FJ zc;`YPHi_R0Kp^^9B$<$a2UvWR1M#*hvUX6WP3~C{!;ro*ZciQ&Pos=MvM|@Yx zLJmGPdkN;f?9Omw?yEYnCU-3xo_VWWCD`1?? z_gn}}C+e|@lcfwXe~^KRrz}M6s(s2bCOh0y%J3OQ`dccnWopC62lq0ItMsiNFrL~? z#JlNk#k|*Pc1DwxEbryiY?_!`WT-bVmdBN79yV1E~Th!vSb(S(+-!D zeyVUYMB2$_I4V*%uTyGWhpwlU}TU397HJxfy$ zI={fu5vzus^*qIvY-cddEUTC5vhdR0p7YYP2*nZ=Syra(VNGpvoVT;O>8n8_liwQe z?3L6ROUYv^qhh$Dt}e};NO88%YvfUzO6VkRZCuAX;C7tJT%(1_l}tZkxq~sZ^<(X2 z4>fMOf5~w9-v?6cX7_r%Lr!s+UfkMNT^K?V+NbkAqlV*Y^pJ_GUV{{kz|MU}72<_ZDb* zVyD`VW2Pb^e15RJkt8TeH^0ps(Q`G8lq;sRe-9orVH_2`YL7y|4o`2L)jJDyhZuY$ zT)6^j+vGc`Bdr@y8e;Olp*;n?WoWBF?2=m3g48-7TQ`5X~qBe zNZG)`SMbOM){`oMHw&XRhEJ;`X7q>1e?a~;p1j+hmji~Kl9HPrtS)lZN;Dg{wm$KwGhfj8b&ZT{{@Q(|L)!-a^IP0tAa z=*SEWB6a@NNaa|9eC;aMG}hrNnD2UszPCrZ%$@OSJfN@>(TTgH1e=&|i;?KVe{Tm? 
z^EEkC{q2Vadig%<40;K867KkiB6deN48%Uc75bi#7xGhucYsthM-N)P4#^W%AtK`S zWbJr5qpv-5bCAX5Ft{1*e#wAO99f51iO{6jo~6(kUB2&X6|*~i0$>RPX+)qnTZlOipO(hJJ3NE8mn^U68@Rys@SB&JlT z(fP5QCmg{rIz1k6_)LHYOwEGWB(7$;YizPFc*YBmwhO6!=yLdvlGqY+$lQe6eP3IB zOP;Ywv>q04&9#{anXd-w?&fM&lj@U>#38_B*D~$J^)AgUXZ;{%eSX9gP2pH12tq^F z{s7%E-8djU10jT#ol$* zEqV6fAW@nJB&+6$P)))|300FB5*&Y4gpH`dG&^5y^YE6X;_K!w^&J@}PrNyx_YtDI zxJztqT$n#<9rX-m-w6k4k{hNPlUzh2lHQ`jBq76s1+1a*rC!ax7itr`uOgKksxzu1R zW@%ouw>|DZBlqzAxJ&;*S+m)>^0{^x~2rTS0PRnE&8nWqYJr;Sz5jbjO zcM%DfpddR=Bv+F~GKHL*%p&=k%B*Q(+nNe7fL#f3AxF~VNh%2)A!)H__K>_mV8g*I zVrB8HL)>nTbGMMgW)1p1cZz|eF_M|Tf$@KlzJxfsIAHQ@+R~!-csk|R%s47QXY1za zgbr7(Uzl%(&*T#U@f1_zSwM6i+c7&yU5C64&bT-BmO(Mi(WF!PwY+MH;Ar9WVU>1S z(7NzvI6c+e>HSKS?bMK74y{#B*2R`D`*(^UmxN zp9vT_xJ#awIOAL@opa(TOpU*7fz#Ico72HQ=!d9S9SC(w|H!t7@lOr7o{jE+SP0&^ zXJMf-T-z6pEyBH%!3TYOH-qJy4uN=){DX!^w|k)G5yLHDe@U^rmS zJe}{jqXAt>U6azL<{!2<q?RKFQ4EbrzL z8Iqs4-`+DmVKWZ*-=e|&kL-Wr6OQWR6E>EZq#dDi?%U!1NAb~^s$y*Y3>J6gSeJ#A7J8w*f@2&sQs$Xv*8-YfqGM#%g4)+6wGCRbzyF)C%=Y`0Q=$$#P zx(nr?H^+xcsE)=JrEz?eiRb1Gc!IN=ojyFU)NnkrDspsT3Ip=(S3rL)hD{r#8u|}@ z3tx2Tu_rdsdg5ZU2iDpXdXPUo&NGrY?Ioog5nMw09CA9wJLSyPF{}xL*Nd0IFYSjx z^(0B#z8K4LX-m+_a_TQ08?&T(3%k~i?ANMLXexGmkB>ddQrC5CpR+so#+QTmzsh%q znpeKuKH0Zz+~5DX{_cP6yVry7|6JdkzW?)kTvvFy{MFBw;<$hMSQj=4_Q2&gY}SYO z(o$9L+x{U>h^?=ohg}`&>MBh(IFGy%I9He7oV|MGji%;v@_Vv~Y62BM%Rqzs*WxV& z2y^sT2)E?B1LoC&BEqw1837Tkq57}?x%%&KM8s*?+IfYslA3=nCb2}7pI}%THZSgq z^pLSv(^a8=P`LvQ-eb1tp{t%T*;SPLy(0r@-6B50p{k?4#on{^I- z_u}8qys;v6qBJR>#gX0MD7e+tT`1lf*R=(bFHpO3NrEY$&Py(W1yEN)>Ywp|IB!t3 zG;4xvsA@#N{N{gWJh|9kiQ)|8abR`koIkR^&~)6~GQgNoHMJeN@Z@oU6B~gC;>{6| zEoQ67Wtyp0FCj0oWNJ?`zBroXWyC|ID>>C-Q(xJv!J{mYv$IRgC+PDE+1&My?)hf; zMGb(xh-K`6!e7`NDA>iVLJ#WI$fvhbe*o#b-GU1={jAf>tE*jC+PGb6adHo0ND9{GXMYp diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 26d0b95a..94395953 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch 
@@ -277,6 +277,15 @@ index c049e10..150f281 100644 -system_u:system_r:svirt_t +system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 +diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist +index d392dec..4565e9b 100644 +--- a/config/file_contexts.subs_dist ++++ b/config/file_contexts.subs_dist +@@ -19,3 +19,4 @@ + /usr/local/lib64 /usr/lib + /usr/local/lib /usr/lib + /var/run/lock /var/lock ++/sbin /usr/sbin diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8 deleted file mode 100644 index 5bebd82..0000000 @@ -6455,7 +6464,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..1ed65a0 100644 +index b31c054..3ad1127 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6498,7 +6507,7 @@ index b31c054..1ed65a0 100644 /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) +/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) ++/dev/mei[0-9]* -c gen_context(system_u:object_r:mei_device_t,s0) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/memory_bandwidth -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) 
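Review bot: The new `/sbin /usr/sbin` line in file_contexts.subs_dist makes libselinux rewrite any queried path under /sbin to /usr/sbin before file_contexts is consulted, so an fc entry that exists only in the `/sbin/...` spelling can no longer match and the binary falls back to the parent directory's label, which for a daemon means no domain transition. Before this lands, every `/sbin/<name>` entry in base and contrib should have a `/usr/sbin/<name>` twin or be rewritten to the /usr/sbin form, the same assumption the existing `/usr/local/lib64 /usr/lib` substitutions already make about /usr/lib entries. The full fc set is not visible from this hunk, so treat this as a check to run rather than a known breakage.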
@@ -6573,7 +6582,12 @@ index b31c054..1ed65a0 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,15 +199,21 @@ ifdef(`distro_suse', ` +@@ -169,18 +196,26 @@ ifdef(`distro_suse', ` + + /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) + ++/dev/ss[0-9]+ -c gen_context(system_u:object_r:gpfs_device_t,s0) ++ /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6595,7 +6609,7 @@ index b31c054..1ed65a0 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +231,27 @@ ifdef(`distro_debian',` +@@ -198,12 +233,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6626,7 +6640,7 @@ index b31c054..1ed65a0 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..72f99c0 100644 +index 76f285e..47c1b4d 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -8375,32 +8389,11 @@ index 76f285e..72f99c0 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4330,28 +5292,180 @@ interface(`dev_search_usbfs',` +@@ -4351,7 +5313,159 @@ interface(`dev_list_usbfs',` ######################################## ## --## Allow caller to get a list of usb hardware. -+## Allow caller to get a list of usb hardware. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_list_usbfs',` -+ gen_require(` -+ type usbfs_t; -+ ') -+ -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ getattr_files_pattern($1, usbfs_t, usbfs_t) -+ -+ list_dirs_pattern($1, usbfs_t, usbfs_t) -+') -+ -+######################################## -+## +-## Set the attributes of usbfs filesystem. +## Set the attributes of usbfs filesystem. +## +## @@ -8536,31 +8529,23 @@ index 76f285e..72f99c0 100644 +## +## Do not audit attempts to set the attributes +## of video4linux device nodes. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`dev_list_usbfs',` ++## ++## ++# +interface(`dev_dontaudit_setattr_video_dev',` - gen_require(` -- type usbfs_t; ++ gen_require(` + type v4l_device_t; - ') - -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -- getattr_files_pattern($1, usbfs_t, usbfs_t) -- -- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ ') ++ + dontaudit $1 v4l_device_t:chr_file setattr; - ') - - ######################################## - ## --## Set the attributes of usbfs filesystem. ++') ++ ++######################################## ++## +## Read the video4linux devices. ## ## @@ -8883,7 +8868,7 @@ index 76f285e..72f99c0 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +6015,1022 @@ interface(`dev_unconfined',` +@@ -4851,3 +6015,1042 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -9000,6 +8985,24 @@ index 76f285e..72f99c0 100644 + +######################################## +## ++## Allow read/write the hypervkvp device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_gpfs',` ++ gen_require(` ++ type device_t, gpfs_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, gpfs_device_t) ++') ++ ++######################################## ++## +## Allow read/write the hypervvssd device +## +## @@ -9137,6 +9140,7 @@ index 76f285e..72f99c0 100644 + type mptctl_device_t; + type hypervkvp_device_t; + type hypervvssd_device_t; ++ type gpfs_device_t; +') + + dev_filetrans_printer_named_dev($1) @@ -9839,6 +9843,7 @@ index 76f285e..72f99c0 100644 + filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid") + filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp") + filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss") ++ filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0") + dev_filetrans_xserver_named_dev($1) +') + @@ -9907,7 +9912,7 @@ index 76f285e..72f99c0 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..29965c3 100644 +index 0b1a871..9099db5 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -9954,7 +9959,7 @@ index 0b1a871..29965c3 100644 type event_device_t; dev_node(event_device_t) -@@ -88,12 +92,33 @@ type framebuf_device_t; +@@ -88,12 +92,39 @@ type framebuf_device_t; dev_node(framebuf_device_t) # @@ -9966,6 +9971,12 @@ index 0b1a871..29965c3 100644 +type hypervvssd_device_t; +dev_node(hypervvssd_device_t) + ++# ++# Type for /dev/ss0 ++# ++type gpfs_device_t; ++dev_node(gpfs_device_t) ++ +# # Type for /dev/ipmi/0 # 
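Review bot: The header comment on the new `dev_read_gpfs` interface is a copy-paste of the hypervkvp one and describes the wrong device and the wrong access: it says "Allow read/write the hypervkvp device" while the body grants only `read_chr_files_pattern($1, device_t, gpfs_device_t)`. Replace that summary line with `## Read the GPFS device (/dev/ss0).` so callers such as ganesha can see this is read-class access only. The parameter description below it is correct as written.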
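Review bot: The named transition added here, `filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0")`, covers only the literal name ss0, while the devices.fc entry added by the same commit matches `/dev/ss[0-9]+`. A named file transition cannot take a pattern, so an ss1 or ss2 node created by a device-creating domain stays device_t until udev or restorecon relabels it from file_contexts; if more than one node is expected, either add the extra names or note the gap next to the line, e.g. `# only ss0 gets a named transition; ss[1-9]* depend on fc relabel`. Whether GPFS ever creates more than ss0 is not visible from the hunk.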
@@ -9988,7 +9999,7 @@ index 0b1a871..29965c3 100644 # Type for /dev/kmsg # type kmsg_device_t; -@@ -111,6 +136,7 @@ dev_node(ksm_device_t) +@@ -111,6 +142,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -9996,7 +10007,7 @@ index 0b1a871..29965c3 100644 # # Type for /dev/lirc -@@ -118,6 +144,9 @@ dev_node(kvm_device_t) +@@ -118,6 +150,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) @@ -10006,7 +10017,7 @@ index 0b1a871..29965c3 100644 type loop_control_device_t; dev_node(loop_control_device_t) -@@ -150,12 +179,24 @@ type modem_device_t; +@@ -150,12 +185,24 @@ type modem_device_t; dev_node(modem_device_t) # @@ -10031,7 +10042,7 @@ index 0b1a871..29965c3 100644 # Type for /dev/cpu/mtrr and /proc/mtrr # type mtrr_device_t; -@@ -183,6 +224,12 @@ type nvram_device_t; +@@ -183,6 +230,12 @@ type nvram_device_t; dev_node(nvram_device_t) # @@ -10044,7 +10055,7 @@ index 0b1a871..29965c3 100644 # Type for /dev/pmu # type power_device_t; -@@ -227,6 +274,10 @@ files_mountpoint(sysfs_t) +@@ -227,6 +280,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -10055,7 +10066,7 @@ index 0b1a871..29965c3 100644 # # Type for /dev/tpm # -@@ -266,6 +317,15 @@ dev_node(usbmon_device_t) +@@ -266,6 +323,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) @@ -10071,7 +10082,7 @@ index 0b1a871..29965c3 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +334,7 @@ dev_node(v4l_device_t) +@@ -274,6 +340,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -10079,7 +10090,7 @@ index 0b1a871..29965c3 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +380,8 @@ files_associate_tmp(device_node) +@@ -319,5 +386,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -10442,10 +10453,10 @@ index 6a1e4d1..4b87be8 100644 + allow $1 domain:process rlimitinh; ') 
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..ae8a257 100644 +index cf04cb5..3c25609 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te -@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) +@@ -4,17 +4,49 @@ policy_module(domain, 1.11.0) # # Declarations # @@ -10482,13 +10493,21 @@ index cf04cb5..ae8a257 100644 ## gen_tunable(mmap_low_allowed, false) ++## ++##

++## Allow all domains write to kmsg_device, ++## while kernel is executed with systemd.log_target=kmsg parameter. ++##

++##
++gen_tunable(domain_can_write_kmsg, false) ++ # Mark process types as domains attribute domain; +attribute named_filetrans_domain; # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,55 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +118,59 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -10539,13 +10558,17 @@ index cf04cb5..ae8a257 100644 + userdom_search_admin_dir(domain) +') + ++tunable_policy(`domain_can_write_kmsg',` ++ dev_write_kmsg(domain) ++') ++ +tunable_policy(`domain_kernel_load_modules',` + kernel_request_load_module(domain) +') ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +177,19 @@ tunable_policy(`global_ssp',` +@@ -121,8 +189,19 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -10565,7 +10588,7 @@ index cf04cb5..ae8a257 100644 ') optional_policy(` -@@ -133,6 +200,9 @@ optional_policy(` +@@ -133,6 +212,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -10575,7 +10598,7 @@ index cf04cb5..ae8a257 100644 ') ######################################## -@@ -145,14 +215,21 @@ optional_policy(` +@@ -145,14 +227,21 @@ optional_policy(` # be used on an attribute. # Use/sendto/connectto sockets created by any domain. @@ -10598,7 +10621,7 @@ index cf04cb5..ae8a257 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -160,11 +237,386 @@ allow unconfined_domain_type domain:msg { send receive }; +@@ -160,11 +249,386 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -10987,7 +11010,7 @@ index cf04cb5..ae8a257 100644 + unconfined_server_stream_connect(domain) +') 
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..03f9342 100644 +index b876c48..3690ce4 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -11127,7 +11150,7 @@ index b876c48..03f9342 100644 +ifdef(`distro_redhat',` +/rhev -d gen_context(system_u:object_r:mnt_t,s0) +/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) -+/rhev/[^/]*/.* <> ++/rhev/[^/]*/.* gen_context(system_u:object_r:mnt_t,s0) +') + # @@ -20548,7 +20571,7 @@ index e100d88..ff9e7ba 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..88c7112 100644 +index 8dbab4c..a2f0d06 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -20611,7 +20634,15 @@ index 8dbab4c..88c7112 100644 type proc_xen_t, proc_type; files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) -@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) +@@ -118,6 +147,7 @@ genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) + + # /proc/net/rpc directory and files + type sysctl_rpc_t, sysctl_type; ++fs_associate_proc(sysctl_rpc_t) + genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) + + # /proc/sys/crypto directory and files +@@ -133,14 +163,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) type sysctl_kernel_t, sysctl_type; genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) 
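Review bot: Changing the `/rhev/[^/]*/.*` entry from what appears to be a `<<none>>` marker (rendered here as `<>`) to `gen_context(system_u:object_r:mnt_t,s0)` means a recursive restorecon of /rhev now actively relabels everything beneath a storage domain to mnt_t instead of leaving it untouched; on NFS-backed domains that is a no-op, but on a locally mounted domain it would strip whatever label the image files carried. If the intent is only to type the directory tree, a comment stating that and a check that nothing under /rhev is expected to keep a virt image label would help, e.g. `# storage domains mount here; contents get mnt_t on relabel, images are expected on label-less NFS`. I am inferring the removed token from the rendering, so confirm against the raw patch.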
@@ -20626,7 +20657,7 @@ index 8dbab4c..88c7112 100644 # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) -@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) +@@ -153,6 +175,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) @@ -20637,7 +20668,7 @@ index 8dbab4c..88c7112 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +191,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -20652,7 +20683,7 @@ index 8dbab4c..88c7112 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +222,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +223,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -20660,7 +20691,7 @@ index 8dbab4c..88c7112 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +268,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) 
@@ -20668,7 +20699,7 @@ index 8dbab4c..88c7112 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +278,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -20694,7 +20725,7 @@ index 8dbab4c..88c7112 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +301,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -20704,7 +20735,7 @@ index 8dbab4c..88c7112 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,13 +315,23 @@ files_list_root(kernel_t) +@@ -277,13 +316,23 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -20728,7 +20759,7 @@ index 8dbab4c..88c7112 100644 ifdef(`distro_redhat',` # Bugzilla 222337 -@@ -291,11 +339,29 @@ ifdef(`distro_redhat',` +@@ -291,11 +340,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -20758,7 +20789,7 @@ index 8dbab4c..88c7112 100644 ') optional_policy(` -@@ -305,6 +371,19 @@ optional_policy(` +@@ -305,6 +372,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -20778,7 +20809,7 @@ index 8dbab4c..88c7112 100644 ') optional_policy(` -@@ -312,6 +391,11 @@ optional_policy(` +@@ -312,6 +392,11 @@ optional_policy(` ') optional_policy(` @@ -20790,7 +20821,7 @@ index 8dbab4c..88c7112 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +416,6 @@ optional_policy(` +@@ -332,9 +417,6 @@ optional_policy(` sysnet_read_config(kernel_t) 
@@ -20800,7 +20831,7 @@ index 8dbab4c..88c7112 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +424,7 @@ optional_policy(` +@@ -343,9 +425,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -20811,7 +20842,7 @@ index 8dbab4c..88c7112 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +433,7 @@ optional_policy(` +@@ -354,7 +434,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -20820,7 +20851,7 @@ index 8dbab4c..88c7112 100644 ') ') -@@ -364,9 +443,22 @@ optional_policy(` +@@ -364,9 +444,22 @@ optional_policy(` ') optional_policy(` @@ -20843,7 +20874,7 @@ index 8dbab4c..88c7112 100644 ######################################## # # Unlabeled process local policy -@@ -388,6 +480,8 @@ optional_policy(` +@@ -388,6 +481,8 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; @@ -20852,7 +20883,7 @@ index 8dbab4c..88c7112 100644 # load_module() calls stop_machine() which # calls sched_setscheduler() allow can_load_kernmodule self:capability sys_nice; -@@ -399,14 +493,38 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +494,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -37508,10 +37539,10 @@ index 312cd04..102b975 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..63c7fc0 100644 +index 73a1c4e..1ca98b8 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,48 @@ +@@ -1,22 +1,49 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) 
@@ -37574,6 +37605,7 @@ index 73a1c4e..63c7fc0 100644 +/var/lib/ebtables(/.*)? gen_context(system_u:object_r:iptables_var_lib_t,s0) + +/var/lock/subsys/iptables -- gen_context(system_u:object_r:iptables_lock_t,s0) ++/var/lock/subsys/ip6tables -- gen_context(system_u:object_r:iptables_lock_t,s0) + +/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if @@ -37854,7 +37886,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..5d62107 100644 +index 73bb3c0..f36d28b 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -38032,7 +38064,7 @@ index 73bb3c0..5d62107 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +315,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +315,158 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -38186,6 +38218,8 @@ index 73bb3c0..5d62107 100644 + +/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib64/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:lib_t,s0) ++ +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40644,10 +40678,10 @@ index 79048c4..262c9ec 100644 udev_read_pid_files(lvm_t) ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..cf3a4a6 100644 +index 9fe8e01..c62c761 100644 
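Review bot: The added `/var/lock/subsys/ip6tables -- gen_context(system_u:object_r:iptables_lock_t,s0)` duplicates the line above it for the sake of one character, while the first line of the same file already uses the `ip6?tables` form for the init scripts. Collapse both into `/var/lock/subsys/ip6?tables -- gen_context(system_u:object_r:iptables_lock_t,s0)` so the two lock-file entries cannot drift apart. Labeling is identical either way.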
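Review bot: The new `/usr/lib64/erlang/erts-[^/]*/bin/epmd` entry is spelled with a lib64 prefix while every other entry added in this hunk uses /usr/lib; if file_contexts.subs_dist rewrites /usr/lib64 to /usr/lib at lookup time (this commit edits that file, but the lib64 lines are outside the hunk shown), the path is rewritten before matching and this entry never fires. Write it as `/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:lib_t,s0)`. Separately, epmd is a daemon executable rather than a shared object, so labeling it lib_t, which any domain permitted to execute lib_t can run without a transition, deserves a one-line comment saying why no exec type and transition is wanted.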
--- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc -@@ -9,11 +9,15 @@ ifdef(`distro_gentoo',` +@@ -9,11 +9,16 @@ ifdef(`distro_gentoo',` # /etc # /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) @@ -40659,13 +40693,14 @@ index 9fe8e01..cf3a4a6 100644 +/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) ++/etc/(letsencrypt|certbot)/(live|archive)(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/ipa/nssdb(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) +/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0) ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -@@ -37,24 +41,20 @@ ifdef(`distro_redhat',` +@@ -37,24 +42,20 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -40695,7 +40730,7 @@ index 9fe8e01..cf3a4a6 100644 /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -@@ -77,7 +77,7 @@ ifdef(`distro_redhat',` +@@ -77,7 +78,7 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) @@ -40704,7 +40739,7 @@ index 9fe8e01..cf3a4a6 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +90,7 @@ ifdef(`distro_debian',` +@@ -90,6 +91,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 73e49d8b..94a80b3e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -13596,7 +13596,7 @@ index 32e8265..ac74503 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..bc73da9 100644 +index e5b621c..eba4e6d 100644 
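Review bot: The new `/etc/(letsencrypt|certbot)/(live|archive)(/.*)?` entry labels more than certificates: if certbot's layout is as I remember it, each lineage's `privkey*.pem` lives under archive/ with live/ symlinking to it, so the private keys also become cert_t and readable by every domain holding miscfiles_read_generic_certs, the same broad set that can read /etc/pki. That is consistent with how /etc/pki and /etc/ssl are already labeled in this file rather than wrong, but the line deserves a comment so nobody later assumes cert_t holds only public material, e.g. `# archive/ also holds privkey*.pem; DAC 0600 is the only barrier left once cert_t reads are allowed`. Confirm the directory layout against the bz#1289778 report rather than my recollection.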
--- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -13627,7 +13627,16 @@ index e5b621c..bc73da9 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -62,6 +69,8 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) + kernel_read_system_state(chronyd_t) + kernel_read_network_state(chronyd_t) + ++clock_read_adjtime(chronyd_t) ++ + corenet_all_recvfrom_unlabeled(chronyd_t) + corenet_all_recvfrom_netlabel(chronyd_t) + corenet_udp_sendrecv_generic_if(chronyd_t) +@@ -76,18 +85,42 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -19268,7 +19277,7 @@ index 1303b30..f13c532 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..e8010ba 100644 +index 7de3859..65e947c 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -19985,7 +19994,7 @@ index 7de3859..e8010ba 100644 ') optional_policy(` -@@ -598,7 +618,23 @@ optional_policy(` +@@ -598,7 +618,27 @@ optional_policy(` ') optional_policy(` @@ -20006,10 +20015,14 @@ index 7de3859..e8010ba 100644 + +optional_policy(` + rkhunter_manage_lib_files(system_cronjob_t) ++') ++ ++optional_policy(` ++ rhsmcertd_dbus_chat(system_cronjob_t) ') optional_policy(` -@@ -607,7 +643,12 @@ optional_policy(` +@@ -607,7 +647,12 @@ optional_policy(` ') optional_policy(` @@ -20022,7 +20035,7 @@ index 7de3859..e8010ba 100644 ') optional_policy(` -@@ -615,12 +656,27 @@ optional_policy(` +@@ -615,12 +660,27 @@ optional_policy(` ') optional_policy(` 
@@ -20052,7 +20065,7 @@ index 7de3859..e8010ba 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +684,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +688,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -20086,7 +20099,7 @@ index 7de3859..e8010ba 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +717,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +721,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -23908,14 +23921,14 @@ index 583a527..91c4104 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/devicekit.fc b/devicekit.fc -index ae49c9d..6eb0842 100644 +index ae49c9d..99a54eb 100644 --- a/devicekit.fc +++ b/devicekit.fc @@ -11,6 +11,8 @@ /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) -+/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_exec_t,s0) ++/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/bin/udisksctl -- gen_context(system_u:object_r:devicekit_exec_t,s0) /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) @@ -30736,10 +30749,10 @@ index 0000000..daef190 +') diff --git a/fwupd.te b/fwupd.te new file mode 100644 -index 0000000..e0bb02d +index 0000000..77a7b23 --- /dev/null +++ b/fwupd.te -@@ -0,0 +1,64 @@ +@@ -0,0 +1,69 @@ +policy_module(fwupd, 1.0.0) + +######################################## 
@@ -30785,13 +30798,18 @@ index 0000000..e0bb02d +manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t) +files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir }) + ++kernel_dgram_send(fwupd_t) ++ +auth_read_passwd(fwupd_t) + +dev_rw_sysfs(fwupd_t) +dev_rw_generic_usb_dev(fwupd_t) ++dev_read_raw_memory(fwupd_t) + +fs_getattr_all_fs(fwupd_t) + ++logging_send_syslog_msg(fwupd_t) ++ +udev_read_pid_files(fwupd_t) + +optional_policy(` @@ -31051,10 +31069,10 @@ index 0000000..d9ba5fa +') diff --git a/ganesha.te b/ganesha.te new file mode 100644 -index 0000000..20b9fcf +index 0000000..4125c8d --- /dev/null +++ b/ganesha.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,71 @@ +policy_module(ganesha, 1.0.0) + +######################################## @@ -31102,6 +31120,11 @@ index 0000000..20b9fcf +corenet_udp_bind_nfs_port(ganesha_t) +corenet_udp_bind_all_rpc_ports(ganesha_t) +corenet_tcp_bind_all_rpc_ports(ganesha_t) ++corenet_tcp_bind_mountd_port(ganesha_t) ++corenet_udp_bind_mountd_port(ganesha_t) ++ ++dev_read_infiniband_dev(ganesha_t) ++dev_read_gpfs(ganesha_t) + +logging_send_syslog_msg(ganesha_t) + @@ -31112,6 +31135,11 @@ index 0000000..20b9fcf + dbus_connect_system_bus(ganesha_t) +') + ++ ++optional_policy(` ++ kerberos_read_keytab(ganesha_t) ++') ++ +optional_policy(` + rpc_manage_nfs_state_data_dir(ganesha_t) + rpcbind_stream_connect(ganesha_t) @@ -67899,12 +67927,14 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..34682ff 100644 +index 44dbc99..e1fbbd9 100644 --- a/openvswitch.te +++ b/openvswitch.te -@@ -9,11 +9,8 @@ type openvswitch_t; +@@ -8,12 +8,10 @@ policy_module(openvswitch, 1.1.1) + type openvswitch_t; type openvswitch_exec_t; init_daemon_domain(openvswitch_t, openvswitch_exec_t) ++init_initrc_domain(openvswitch_t) -type openvswitch_initrc_exec_t; -init_script_file(openvswitch_initrc_exec_t) 
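Review bot: `dev_read_raw_memory(fwupd_t)` is the broadest grant in this hunk and carries no comment saying what fwupd needs from `/dev/mem`; read access to raw memory exposes whatever is resident in physical memory, and, if I remember the refpolicy definition correctly, the interface also grants `sys_rawio`. If this is for the SMBIOS/DMI tables (my guess, to be confirmed against the denial that prompted it), `/sys/firmware/dmi/tables` is already reachable through the existing `dev_rw_sysfs(fwupd_t)` and the raw-memory rule could be dropped or narrowed. At minimum add a why-comment above the line, e.g. `# /dev/mem read needed for <TODO: name the firmware table fwupd parses>`, so the grant can be audited later. The fwupd_t local policy section starts before this hunk.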
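Review bot: The added `kerberos_read_keytab(ganesha_t)` block is introduced with two consecutive blank lines — the existing blank context line plus the new `++` blank — so the module ends up with a double blank line between the dbus and kerberos `optional_policy` blocks. Dropping the added blank keeps the one-blank-line spacing used elsewhere in this file. The grant itself is appropriately scoped: keytab read only, inside `optional_policy`.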
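Review bot: `init_initrc_domain(openvswitch_t)` is a much wider grant than the `openvswitch_initrc_exec_t` type it replaces: if it follows the Fedora init.if definition it adds the `initrc_domain` attribute, so openvswitch_t inherits every `init_daemon_domain` transition and can enter any daemon domain by executing that daemon's binary, rather than only running its own init script. Unless openvswitch genuinely needs to launch arbitrary services, per-target `*_domtrans(openvswitch_t)` calls (the `iptables_domtrans` and `hostname_exec` blocks later in this file show the pattern) would express the real requirement. If the broad attribute is required, a comment above the line, e.g. `# initrc_domain needed because <TODO: which daemons ovs launches>`, would justify it for the next reviewer.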
@@ -67916,7 +67946,7 @@ index 44dbc99..34682ff 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -27,20 +24,29 @@ files_tmp_file(openvswitch_tmp_t) +@@ -27,20 +25,29 @@ files_tmp_file(openvswitch_tmp_t) type openvswitch_var_run_t; files_pid_file(openvswitch_var_run_t) @@ -67942,19 +67972,19 @@ index 44dbc99..34682ff 100644 +allow openvswitch_t self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; +allow openvswitch_t self:netlink_generic_socket create_socket_perms; ++ ++can_exec(openvswitch_t, openvswitch_exec_t) -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -+can_exec(openvswitch_t, openvswitch_exec_t) -+ +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -48,9 +54,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -48,9 +55,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) 
@@ -67965,7 +67995,7 @@ index 44dbc99..34682ff 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -63,35 +67,52 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) +@@ -63,35 +68,56 @@ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) @@ -68021,6 +68051,10 @@ index 44dbc99..34682ff 100644 sysnet_dns_name_resolve(openvswitch_t) optional_policy(` ++ hostname_exec(openvswitch_t) ++') ++ ++optional_policy(` iptables_domtrans(openvswitch_t) ') + @@ -75334,7 +75368,7 @@ index ded95ec..3cf7146 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..501c935 100644 +index 5cfb83e..6167c01 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -75959,7 +75993,7 @@ index 5cfb83e..501c935 100644 dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -584,19 +503,26 @@ optional_policy(` +@@ -584,19 +503,28 @@ optional_policy(` ######################################## # 
@@ -75979,11 +76013,13 @@ index 5cfb83e..501c935 100644 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) +rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) -+postfix_list_spool(postfix_postdrop_t) - manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +-manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++rw_fifo_files_pattern(postfix_postdrop_t, postfix_master_t, postfix_master_t) -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; -- ++postfix_list_spool(postfix_postdrop_t) ++manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + -mcs_file_read_all(postfix_postdrop_t) -mcs_file_write_all(postfix_postdrop_t) +corenet_udp_sendrecv_generic_if(postfix_postdrop_t) @@ -75991,7 +76027,7 @@ index 5cfb83e..501c935 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -611,10 +537,7 @@ optional_policy(` +@@ -611,10 +539,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -76003,7 +76039,7 @@ index 5cfb83e..501c935 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -629,17 +552,24 @@ optional_policy(` +@@ -629,17 +554,24 @@ optional_policy(` ####################################### # @@ -76031,7 +76067,7 @@ index 5cfb83e..501c935 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +585,78 @@ optional_policy(` +@@ -655,69 +587,78 @@ optional_policy(` ######################################## # @@ -76128,7 +76164,7 @@ index 5cfb83e..501c935 100644 ') optional_policy(` -@@ -730,28 +669,32 @@ optional_policy(` +@@ -730,28 +671,32 @@ optional_policy(` ######################################## # 
@@ -76169,7 +76205,7 @@ index 5cfb83e..501c935 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -764,6 +707,7 @@ optional_policy(` +@@ -764,6 +709,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -76177,7 +76213,7 @@ index 5cfb83e..501c935 100644 ') optional_policy(` -@@ -774,31 +718,100 @@ optional_policy(` +@@ -774,31 +720,100 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -105874,40 +105910,47 @@ index 0000000..80c6480 + systemd_read_fifo_file_passwd_run($1) + ') +') -diff --git a/stapserver.te b/stapserver.te -new file mode 100644 -index 0000000..e847ea3 ---- /dev/null +diff --git a/systemtap.te b/stapserver.te +similarity index 64% +rename from systemtap.te +rename to stapserver.te +index ffde368..e847ea3 100644 +--- a/systemtap.te 
+++ b/stapserver.te -@@ -0,0 +1,114 @@ +@@ -1,4 +1,4 @@ +-policy_module(systemtap, 1.1.0) +policy_module(stapserver, 1.1.1) -+ -+######################################## -+# -+# Declarations -+# -+ -+type stapserver_t; -+type stapserver_exec_t; -+init_daemon_domain(stapserver_t, stapserver_exec_t) -+ -+type stapserver_var_lib_t; -+files_type(stapserver_var_lib_t) -+ -+type stapserver_log_t; -+logging_log_file(stapserver_log_t) -+ -+type stapserver_var_run_t; -+files_pid_file(stapserver_var_run_t) -+ + + ######################################## + # +@@ -9,12 +9,6 @@ type stapserver_t; + type stapserver_exec_t; + init_daemon_domain(stapserver_t, stapserver_exec_t) + +-type stapserver_initrc_exec_t; +-init_script_file(stapserver_initrc_exec_t) +- +-type stapserver_conf_t; +-files_config_file(stapserver_conf_t) +- + type stapserver_var_lib_t; + files_type(stapserver_var_lib_t) + +@@ -24,50 +18,62 @@ logging_log_file(stapserver_log_t) + type stapserver_var_run_t; + files_pid_file(stapserver_var_run_t) + +type stapserver_tmp_t; +files_tmp_file(stapserver_tmp_t) + -+######################################## -+# + ######################################## + # +-# Local policy +# stapserver local policy -+# -+ + # + +-allow stapserver_t self:capability { dac_override kill setuid setgid }; +-allow stapserver_t self:process { setrlimit setsched signal }; +#runuser +allow stapserver_t self:capability { setuid setgid }; +allow stapserver_t self:process setsched; 
@@ -105915,84 +105958,84 @@ index 0000000..e847ea3 +allow stapserver_t self:capability { dac_override kill sys_ptrace}; +allow stapserver_t self:process { setrlimit signal }; + -+allow stapserver_t self:fifo_file rw_fifo_file_perms; -+allow stapserver_t self:key write; + allow stapserver_t self:fifo_file rw_fifo_file_perms; + allow stapserver_t self:key write; +-allow stapserver_t self:unix_stream_socket { accept listen }; +-allow stapserver_t self:tcp_socket create_stream_socket_perms; +- +-allow stapserver_t stapserver_conf_t:file read_file_perms; +allow stapserver_t self:unix_stream_socket create_stream_socket_perms; +allow stapserver_t self:tcp_socket { accept listen }; -+ -+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) -+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) -+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) -+ -+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) + + manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) + manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) + files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) + + manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -+logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) -+ + logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) + +manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir }) 
+ -+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) -+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) -+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) -+ -+kernel_read_system_state(stapserver_t) + manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) + manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) + files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) + +-kernel_read_kernel_sysctls(stapserver_t) + kernel_read_system_state(stapserver_t) +kernel_read_kernel_sysctls(stapserver_t) -+ -+corecmd_exec_bin(stapserver_t) -+corecmd_exec_shell(stapserver_t) -+ -+domain_read_all_domains_state(stapserver_t) + + corecmd_exec_bin(stapserver_t) + corecmd_exec_shell(stapserver_t) + + domain_read_all_domains_state(stapserver_t) +domain_use_interactive_fds(stapserver_t) -+ -+dev_read_sysfs(stapserver_t) + +-dev_read_rand(stapserver_t) + dev_read_sysfs(stapserver_t) +dev_read_rand(stapserver_t) -+dev_read_urand(stapserver_t) -+ -+files_list_tmp(stapserver_t) -+files_search_kernel_modules(stapserver_t) -+ + dev_read_urand(stapserver_t) + + files_list_tmp(stapserver_t) +-files_read_usr_files(stapserver_t) + files_search_kernel_modules(stapserver_t) + +fs_search_cgroup_dirs(stapserver_t) +fs_getattr_all_fs(stapserver_t) + -+auth_use_nsswitch(stapserver_t) -+ -+init_read_utmp(stapserver_t) -+ -+logging_send_audit_msgs(stapserver_t) -+logging_send_syslog_msg(stapserver_t) -+ + auth_use_nsswitch(stapserver_t) + + init_read_utmp(stapserver_t) +@@ -75,12 +81,18 @@ init_read_utmp(stapserver_t) + logging_send_audit_msgs(stapserver_t) + logging_send_syslog_msg(stapserver_t) + +-miscfiles_read_localization(stapserver_t) +#lspci -+miscfiles_read_hwdata(stapserver_t) -+ + miscfiles_read_hwdata(stapserver_t) + +systemd_dbus_chat_logind(stapserver_t) + -+userdom_use_user_terminals(stapserver_t) -+ -+optional_policy(` + userdom_use_user_terminals(stapserver_t) + 
+ optional_policy(` + avahi_dbus_chat(stapserver_t) +') + +optional_policy(` -+ consoletype_exec(stapserver_t) -+') -+ -+optional_policy(` -+ dbus_system_bus_client(stapserver_t) -+') -+ -+optional_policy(` -+ hostname_exec(stapserver_t) -+') -+ -+optional_policy(` -+ plymouthd_exec_plymouth(stapserver_t) -+') -+ -+optional_policy(` -+ rpm_exec(stapserver_t) -+') + consoletype_exec(stapserver_t) + ') + +@@ -99,3 +111,4 @@ optional_policy(` + optional_policy(` + rpm_exec(stapserver_t) + ') + diff --git a/stunnel.fc b/stunnel.fc index 49dd63c..ae2e798 100644 
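Review bot: `allow stapserver_t self:capability { dac_override kill sys_ptrace};` adds `sys_ptrace` with no comment, unlike the `#runuser` note on the setuid/setgid rule just above this hunk; `sys_ptrace` lets the daemon trace and read processes it does not own (it also gates several `/proc/<pid>` reads), so a line such as `# sys_ptrace: <TODO: which /proc or ptrace access stap-server needs>` above it would keep the grant auditable. The same statement is missing the space before the closing brace: `{ dac_override kill sys_ptrace };`. Separately, the log rules replace the old `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` trio with `manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)`, which additionally lets the daemon unlink and rename its own logs — consistent with other Fedora modules, but a step back from the append-only log model the old module had, so worth a conscious decision.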
@@ -106811,113 +106854,6 @@ index c755e2d..0000000 - files_search_pids($1) - admin_pattern($1, stapserver_var_run_t) -') -diff --git a/systemtap.te b/systemtap.te -deleted file mode 100644 -index ffde368..0000000 ---- a/systemtap.te -+++ /dev/null -@@ -1,101 +0,0 @@ --policy_module(systemtap, 1.1.0) -- --######################################## --# --# Declarations --# -- --type stapserver_t; --type stapserver_exec_t; --init_daemon_domain(stapserver_t, stapserver_exec_t) -- --type stapserver_initrc_exec_t; --init_script_file(stapserver_initrc_exec_t) -- --type stapserver_conf_t; --files_config_file(stapserver_conf_t) -- --type stapserver_var_lib_t; --files_type(stapserver_var_lib_t) -- --type stapserver_log_t; --logging_log_file(stapserver_log_t) -- --type stapserver_var_run_t; --files_pid_file(stapserver_var_run_t) -- --######################################## --# --# Local policy --# -- --allow stapserver_t self:capability { dac_override kill setuid setgid }; --allow stapserver_t self:process { setrlimit setsched signal }; --allow stapserver_t self:fifo_file rw_fifo_file_perms; --allow stapserver_t self:key write; --allow stapserver_t self:unix_stream_socket { accept listen }; --allow stapserver_t self:tcp_socket create_stream_socket_perms; -- --allow stapserver_t stapserver_conf_t:file read_file_perms; -- --manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) --manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) --files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) -- --manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) --logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) -- --manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) 
--manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) --files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) -- --kernel_read_kernel_sysctls(stapserver_t) --kernel_read_system_state(stapserver_t) -- --corecmd_exec_bin(stapserver_t) --corecmd_exec_shell(stapserver_t) -- --domain_read_all_domains_state(stapserver_t) -- --dev_read_rand(stapserver_t) --dev_read_sysfs(stapserver_t) --dev_read_urand(stapserver_t) -- --files_list_tmp(stapserver_t) --files_read_usr_files(stapserver_t) --files_search_kernel_modules(stapserver_t) -- --auth_use_nsswitch(stapserver_t) -- --init_read_utmp(stapserver_t) -- --logging_send_audit_msgs(stapserver_t) --logging_send_syslog_msg(stapserver_t) -- --miscfiles_read_localization(stapserver_t) --miscfiles_read_hwdata(stapserver_t) -- --userdom_use_user_terminals(stapserver_t) -- --optional_policy(` -- consoletype_exec(stapserver_t) --') -- --optional_policy(` -- dbus_system_bus_client(stapserver_t) --') -- --optional_policy(` -- hostname_exec(stapserver_t) --') -- --optional_policy(` -- plymouthd_exec_plymouth(stapserver_t) --') -- --optional_policy(` -- rpm_exec(stapserver_t) --') diff --git a/targetd.fc b/targetd.fc new file mode 100644 index 0000000..c1ef053 diff --git a/selinux-policy.spec b/selinux-policy.spec index 7ca849dd..f0cd6e4a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 243%{?dist} +Release: 244%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -682,6 +682,15 @@ exit 0
 %endif
 %changelog
+* Tue Mar 07 2017 Lukas Vrabec - 3.13.1-244
+- Update fwupd policy
+- /usr/libexec/udisks2/udisksd should be labeled as devicekit_disk_exec_t
+- Update ganesha policy
+- Allow chronyd to read adjtime
+- Merge pull request #194 from hogarthj/certbot_policy
+- get the correct cert_t context on certbot certificates bz#1289778
+- Label /dev/ss0 as gpfs_device_t
+
 * Thu Mar 02 2017 Lukas Vrabec - 3.13.1-243
 - Allow abrt_t to send mails.