* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288

- Remove all unnecessary dac_override capability in SELinux modules
Lukas Vrabec 2017-09-22 14:15:27 +02:00
parent be528824f0
commit 12fd9044f9
4 changed files with 840 additions and 600 deletions



@ -1791,7 +1791,7 @@ index cc8df9d7d..90467f3af 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") + files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+') +')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 0fd5c5f2e..a14addb41 100644 index 0fd5c5f2e..7ee6ec7a3 100644
--- a/policy/modules/admin/bootloader.te --- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te
@@ -20,13 +20,20 @@ type bootloader_t; @@ -20,13 +20,20 @@ type bootloader_t;
@ -1821,7 +1821,7 @@ index 0fd5c5f2e..a14addb41 100644
# #
-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; -allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown }; +allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms; allow bootloader_t self:fifo_file rw_fifo_file_perms;
@ -2201,7 +2201,7 @@ index c6ca761c9..0c86bfd54 100644
') ')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c44c3592a..cba535365 100644 index c44c3592a..2a3a90bf4 100644
--- a/policy/modules/admin/netutils.te --- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@ -2222,8 +2222,9 @@ index c44c3592a..cba535365 100644
# Perform network administration operations and have raw access to the network. # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; -allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
-dontaudit netutils_t self:capability { dac_override sys_tty_config };
+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap }; +allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
dontaudit netutils_t self:capability { dac_override sys_tty_config }; +dontaudit netutils_t self:capability { sys_tty_config };
allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms; allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms; allow netutils_t self:netlink_socket create_socket_perms;
@ -2419,7 +2420,7 @@ index 688abc2ae..3d89250a6 100644
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 03ec5cafe..1e3ace4cf 100644 index 03ec5cafe..f483a97a6 100644
--- a/policy/modules/admin/su.if --- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if
@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', ` @@ -41,13 +41,14 @@ template(`su_restricted_domain_template', `
@ -2427,7 +2428,7 @@ index 03ec5cafe..1e3ace4cf 100644
allow $2 $1_su_t:process signal; allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config; dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write }; allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:process { setexec setsched setrlimit };
@ -2615,7 +2616,7 @@ index 03ec5cafe..1e3ace4cf 100644
####################################### #######################################
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 85bb77e05..a4302332a 100644 index 85bb77e05..fdd7b656c 100644
--- a/policy/modules/admin/su.te --- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te
@@ -9,3 +9,82 @@ attribute su_domain_type; @@ -9,3 +9,82 @@ attribute su_domain_type;
@ -2623,7 +2624,7 @@ index 85bb77e05..a4302332a 100644
type su_exec_t; type su_exec_t;
corecmd_executable_file(su_exec_t) corecmd_executable_file(su_exec_t)
+ +
+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; +allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
+dontaudit su_domain_type self:capability sys_tty_config; +dontaudit su_domain_type self:capability sys_tty_config;
+allow su_domain_type self:process { setexec setsched setrlimit }; +allow su_domain_type self:process { setexec setsched setrlimit };
+allow su_domain_type self:fifo_file rw_fifo_file_perms; +allow su_domain_type self:fifo_file rw_fifo_file_perms;
@ -3189,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1e7..7e03673be 100644 index 1d732f1e7..9823c5a68 100644
--- a/policy/modules/admin/usermanage.te --- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t; @@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3229,7 +3230,7 @@ index 1d732f1e7..7e03673be 100644
# #
-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; +allow chfn_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow chfn_t self:process { setrlimit setfscreate }; allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use; allow chfn_t self:fd use;
@ -3316,7 +3317,7 @@ index 1d732f1e7..7e03673be 100644
# #
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; -allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write }; +allow groupadd_t self:capability { dac_read_search chown kill setuid sys_resource audit_write };
dontaudit groupadd_t self:capability { fsetid sys_tty_config }; dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate }; allow groupadd_t self:process { setrlimit setfscreate };
@ -3375,7 +3376,7 @@ index 1d732f1e7..7e03673be 100644
# #
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_read_search dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; +allow passwd_t self:capability { chown dac_read_search dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
dontaudit passwd_t self:capability sys_tty_config; dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:process { setrlimit setfscreate };
@ -3474,7 +3475,7 @@ index 1d732f1e7..7e03673be 100644
# #
-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; -allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; +allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use; allow sysadm_passwd_t self:fd use;
@ -3518,7 +3519,7 @@ index 1d732f1e7..7e03673be 100644
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config; -dontaudit useradd_t self:capability sys_tty_config;
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; +allow useradd_t self:capability { dac_read_search chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+ +
+dontaudit useradd_t self:capability { net_admin sys_tty_config }; +dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:cap_userns { sys_ptrace }; +dontaudit useradd_t self:cap_userns { sys_ptrace };
@ -3764,7 +3765,7 @@ index 1dc7a85d3..e4f6fc227 100644
+ corecmd_shell_domtrans($1_seunshare_t, $1_t) + corecmd_shell_domtrans($1_seunshare_t, $1_t)
') ')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index 759016583..f50f79935 100644 index 759016583..1b9a61d18 100644
--- a/policy/modules/apps/seunshare.te --- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te
@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) @@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
@ -3781,7 +3782,7 @@ index 759016583..f50f79935 100644
# #
# seunshare local policy # seunshare local policy
# #
+allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:capability { fowner setgid setuid dac_read_search setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
@ -12602,7 +12603,7 @@ index b876c48ad..2e591a538 100644
+ +
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76ad..f2b8e4558 100644 index f962f76ad..bb8b58852 100644
--- a/policy/modules/kernel/files.if --- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@ @@ -19,6 +19,136 @@
@ -13481,7 +13482,7 @@ index f962f76ad..f2b8e4558 100644
- type root_t; - type root_t;
+ attribute mountpoint; + attribute mountpoint;
') ')
+ dontaudit $1 self:capability { dac_read_search dac_override }; + dontaudit $1 self:capability { dac_read_search };
- allow $1 root_t:dir list_dir_perms; - allow $1 root_t:dir list_dir_perms;
- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
@ -25364,10 +25365,10 @@ index 000000000..48caabc7e
+allow domain unlabeled_t:packet { send recv }; +allow domain unlabeled_t:packet { send recv };
+ +
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 834a065de..ff9369756 100644 index 834a065de..404a5c677 100644
--- a/policy/modules/roles/auditadm.te --- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te
@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) @@ -7,14 +7,14 @@ policy_module(auditadm, 2.2.0)
role auditadm_r; role auditadm_r;
role system_r; role system_r;
@ -25376,6 +25377,14 @@ index 834a065de..ff9369756 100644
######################################## ########################################
# #
# Local policy
#
-allow auditadm_t self:capability { dac_read_search dac_override };
+allow auditadm_t self:capability { dac_read_search };
kernel_read_ring_buffer(auditadm_t)
@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t) @@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
domain_kill_all_domains(auditadm_t) domain_kill_all_domains(auditadm_t)
@ -25401,7 +25410,7 @@ index 834a065de..ff9369756 100644
consoletype_exec(auditadm_t) consoletype_exec(auditadm_t)
') ')
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
index 3a45a3ef0..7499f24b5 100644 index 3a45a3ef0..f31d79957 100644
--- a/policy/modules/roles/logadm.te --- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te +++ b/policy/modules/roles/logadm.te
@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0) @@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0)
@ -25418,13 +25427,13 @@ index 3a45a3ef0..7499f24b5 100644
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
- -
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; +allow logadm_t self:capability { dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r) logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index da111206f..621ec5afc 100644 index da111206f..a5ac38465 100644
--- a/policy/modules/roles/secadm.te --- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te
@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) @@ -7,19 +7,25 @@ policy_module(secadm, 2.4.0)
role secadm_r; role secadm_r;
@ -25438,12 +25447,14 @@ index da111206f..621ec5afc 100644
######################################## ########################################
# #
@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r) # Local policy
#
allow secadm_t self:capability { dac_read_search dac_override }; -allow secadm_t self:capability { dac_read_search dac_override };
+allow secadm_t self:capability { dac_read_search };
+kernel_read_system_state(secadm_t)
+ +
+kernel_read_system_state(secadm_t)
corecmd_exec_shell(secadm_t) corecmd_exec_shell(secadm_t)
dev_relabel_all_dev_nodes(secadm_t) dev_relabel_all_dev_nodes(secadm_t)
@ -25909,7 +25920,7 @@ index ff9243078..36740eab3 100644
## <summary> ## <summary>
## Execute a generic bin program in the sysadm domain. ## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2522ca6c0..7aeed7254 100644 index 2522ca6c0..c8ef8c8e4 100644
--- a/policy/modules/roles/sysadm.te --- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1) @@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1)
@ -26335,7 +26346,7 @@ index 2522ca6c0..7aeed7254 100644
optional_policy(` optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t) screen_role_template(sysadm, sysadm_r, sysadm_t)
+ allow sysadm_screen_t self:capability { dac_read_search dac_override }; + allow sysadm_screen_t self:capability { dac_read_search };
') ')
optional_policy(` optional_policy(`
@ -28342,7 +28353,7 @@ index 9d2f31168..2d782e051 100644
+ postgresql_filetrans_named_content($1) + postgresql_filetrans_named_content($1)
') ')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 03061349c..e30703d3c 100644 index 03061349c..bb764b3d0 100644
--- a/policy/modules/services/postgresql.te --- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(` @@ -19,25 +19,32 @@ gen_require(`
@ -28394,6 +28405,15 @@ index 03061349c..e30703d3c 100644
type postgresql_lock_t; type postgresql_lock_t;
files_lock_file(postgresql_lock_t) files_lock_file(postgresql_lock_t)
@@ -224,7 +234,7 @@ postgresql_view_object(user_sepgsql_view_t)
#
# postgresql Local policy
#
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+allow postgresql_t self:capability { kill dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
@@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; @@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -28624,7 +28644,7 @@ index 76d9f66ec..7528851ad 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c68272..79d568a54 100644 index fe0c68272..f0a61f830 100644
--- a/policy/modules/services/ssh.if --- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@ @@ -32,10 +32,11 @@
@ -28640,7 +28660,7 @@ index fe0c68272..79d568a54 100644
') ')
############################## ##############################
@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',` @@ -47,16 +48,12 @@ template(`ssh_basic_client_template',`
application_domain($1_ssh_t, ssh_exec_t) application_domain($1_ssh_t, ssh_exec_t)
role $3 types $1_ssh_t; role $3 types $1_ssh_t;
@ -28651,6 +28671,13 @@ index fe0c68272..79d568a54 100644
############################## ##############################
# #
# Client local policy # Client local policy
#
- allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ allow $1_ssh_t self:capability { setuid setgid dac_read_search };
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_ssh_t self:fd use;
allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',` @@ -89,33 +86,38 @@ template(`ssh_basic_client_template',`
# or "regular" (not special like sshd_extern_t) servers # or "regular" (not special like sshd_extern_t) servers
allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
@ -28755,7 +28782,7 @@ index fe0c68272..79d568a54 100644
files_pid_file($1_var_run_t) files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; + allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms; allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec }; + allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
@ -29357,7 +29384,7 @@ index fe0c68272..79d568a54 100644
+ ps_process_pattern($1, sshd_t) + ps_process_pattern($1, sshd_t)
+') +')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7b0..b14a28d5c 100644 index cc877c7b0..296d9c7dd 100644
--- a/policy/modules/services/ssh.te --- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@ -29444,7 +29471,7 @@ index cc877c7b0..b14a28d5c 100644
type ssh_t; type ssh_t;
type ssh_exec_t; type ssh_exec_t;
@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) @@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
type ssh_tmpfs_t; type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
@ -29465,7 +29492,11 @@ index cc877c7b0..b14a28d5c 100644
############################## ##############################
# #
@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; # SSH client local policy
#
-allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+allow ssh_t self:capability { setuid setgid dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use; allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms; allow ssh_t self:fifo_file rw_fifo_file_perms;
@ -29839,7 +29870,7 @@ index cc877c7b0..b14a28d5c 100644
# ssh_keygen_t is the type of the ssh-keygen program when run at install time # ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t # and by sysadm_t
+allow ssh_keygen_t self:capability { dac_read_search dac_override }; +allow ssh_keygen_t self:capability { dac_read_search };
dontaudit ssh_keygen_t self:capability sys_tty_config; dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
- -
@ -31986,7 +32017,7 @@ index 6bf0ecc2d..75b2f31f9 100644
+') +')
+ +
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b403774f..af9ee8070 100644 index 8b403774f..fe21bfc46 100644
--- a/policy/modules/services/xserver.te --- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(` @@ -26,28 +26,66 @@ gen_require(`
@ -32246,7 +32277,7 @@ index 8b403774f..af9ee8070 100644
# Xauth local policy # Xauth local policy
# #
+allow xauth_t self:capability { dac_read_search dac_override }; +allow xauth_t self:capability { dac_read_search };
allow xauth_t self:process signal; allow xauth_t self:process signal;
+allow xauth_t self:shm create_shm_perms; +allow xauth_t self:shm create_shm_perms;
allow xauth_t self:unix_stream_socket create_stream_socket_perms; allow xauth_t self:unix_stream_socket create_stream_socket_perms;
@ -32351,7 +32382,7 @@ index 8b403774f..af9ee8070 100644
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability2 { block_suspend }; +allow xdm_t self:capability2 { block_suspend };
+allow xdm_t self:cap_userns { kill }; +allow xdm_t self:cap_userns { kill };
+dontaudit xdm_t self:capability sys_admin; +dontaudit xdm_t self:capability sys_admin;
@ -33025,7 +33056,7 @@ index 8b403774f..af9ee8070 100644
# NVIDIA Needs execstack # NVIDIA Needs execstack
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow xserver_t self:capability { sys_ptrace dac_read_search fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+ +
dontaudit xserver_t self:capability chown; dontaudit xserver_t self:capability chown;
+#allow xserver_t self:capability2 compromise_kernel; +#allow xserver_t self:capability2 compromise_kernel;
@ -34736,7 +34767,7 @@ index 3efd5b669..a8cb6df3d 100644
+ allow $1 login_pgm:key manage_key_perms; + allow $1 login_pgm:key manage_key_perms;
+') +')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791dcc..2d255df93 100644 index 09b791dcc..598dd5ed1 100644
--- a/policy/modules/system/authlogin.te --- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -34825,7 +34856,7 @@ index 09b791dcc..2d255df93 100644
# #
-allow chkpwd_t self:capability { dac_override setuid }; -allow chkpwd_t self:capability { dac_override setuid };
+allow chkpwd_t self:capability { dac_read_search dac_override setuid }; +allow chkpwd_t self:capability { dac_read_search setuid };
dontaudit chkpwd_t self:capability sys_tty_config; dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal }; allow chkpwd_t self:process { getattr signal };
@ -34947,7 +34978,7 @@ index 09b791dcc..2d255df93 100644
# #
-allow updpwd_t self:capability { chown dac_override }; -allow updpwd_t self:capability { chown dac_override };
+allow updpwd_t self:capability { chown dac_read_search dac_override }; +allow updpwd_t self:capability { chown dac_read_search };
allow updpwd_t self:process setfscreate; allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms; allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms; allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
@ -35294,15 +35325,18 @@ index d475c2deb..55305d5f3 100644
+ files_etc_filetrans($1, adjtime_t, file, "adjtime" ) + files_etc_filetrans($1, adjtime_t, file, "adjtime" )
+') +')
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index edece47dc..2e7b81176 100644 index edece47dc..d71651f31 100644
--- a/policy/modules/system/clock.te --- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te
@@ -20,7 +20,7 @@ role system_r types hwclock_t; @@ -18,9 +18,9 @@ role system_r types hwclock_t;
# Local policy
#
# Give hwclock the capabilities it requires. dac_override is a surprise, -# Give hwclock the capabilities it requires. dac_override is a surprise,
+# Give hwclock the capabilities it requires. is a surprise,
# but hwclock does require it. # but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; -allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
+allow hwclock_t self:capability { dac_read_search dac_override sys_rawio sys_time sys_tty_config }; +allow hwclock_t self:capability { dac_read_search sys_rawio sys_time sys_tty_config };
dontaudit hwclock_t self:capability sys_tty_config; dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms; allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file rw_fifo_file_perms; allow hwclock_t self:fifo_file rw_fifo_file_perms;
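Review bot: The new-side comment in the clock.te hunk is now broken: `# Give hwclock the capabilities it requires. is a surprise,` followed by `# but hwclock does require it.` — the `dac_override` token was stripped out of the prose along with the rule, so the sentence no longer names anything and what remains contradicts the rule beneath it, which no longer grants dac_override at all. Replace the two comment lines with something that matches the new policy, e.g. `# Give hwclock the capabilities it requires; dac_override was dropped as unnecessary, dac_read_search covers its reads.` The same mechanical token removal appears in every hunk on this page (the duplicated `dac_read_search dac_read_search` on the passwd_t line is carried over unchanged), so it is worth confirming each affected domain was exercised for AVC denials rather than edited by search-and-replace; CAP_DAC_READ_SEARCH bypasses read and search checks only, so domains that may write root-owned mode-0000 files (passwd_t, updpwd_t, chfn_t, sysadm_passwd_t) are the ones most likely to regress. The patch file section continues beyond the end of this page.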
@ -35461,7 +35495,7 @@ index 016a770b9..3fce820a5 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+') +')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3f48d300a..cb4f966c0 100644 index 3f48d300a..cf67cf714 100644
--- a/policy/modules/system/fstools.te --- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te
@@ -13,9 +13,15 @@ role system_r types fsadm_t; @@ -13,9 +13,15 @@ role system_r types fsadm_t;
@ -35480,10 +35514,12 @@ index 3f48d300a..cb4f966c0 100644
type swapfile_t; # customizable type swapfile_t; # customizable
files_type(swapfile_t) files_type(swapfile_t)
@@ -26,6 +32,7 @@ files_type(swapfile_t) @@ -25,7 +31,8 @@ files_type(swapfile_t)
#
# ipc_lock is for losetup # ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; -allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_read_search };
+dontaudit fsadm_t self:capability net_admin; +dontaudit fsadm_t self:capability net_admin;
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use; allow fsadm_t self:fd use;
@ -35686,7 +35722,7 @@ index e4376aa98..2c98c5647 100644
+ allow $1 getty_unit_file_t:service start; + allow $1 getty_unit_file_t:service start;
+') +')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index f6743ea19..ef08ff3cf 100644 index f6743ea19..abcc39a8c 100644
--- a/policy/modules/system/getty.te --- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te
@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
@ -35711,7 +35747,7 @@ index f6743ea19..ef08ff3cf 100644
# Use capabilities. # Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; +allow getty_t self:capability { dac_read_search chown setgid sys_resource sys_tty_config fowner fsetid };
dontaudit getty_t self:capability sys_tty_config; dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms }; allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms; allow getty_t self:fifo_file rw_fifo_file_perms;
@ -35888,18 +35924,21 @@ index 40eb10c60..2a0a32c2d 100644
corecmd_search_bin($1) corecmd_search_bin($1)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index b2097e743..0a49e14ba 100644 index b2097e743..8d66956d0 100644
--- a/policy/modules/system/hotplug.te --- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) @@ -23,9 +23,9 @@ files_pid_file(hotplug_var_run_t)
# #
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; -dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; +dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat # for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search }; -dontaudit hotplug_t self:capability { dac_override dac_read_search };
+dontaudit hotplug_t self:capability { dac_read_search };
allow hotplug_t self:process { setpgid getsession getattr signal_perms }; allow hotplug_t self:process { setpgid getsession getattr signal_perms };
allow hotplug_t self:fifo_file rw_file_perms;
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t) @@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t)
files_read_kernel_modules(hotplug_t) files_read_kernel_modules(hotplug_t)
@ -39655,7 +39694,7 @@ index 0d4c8d35e..537aa4274 100644
+ ps_process_pattern($1, ipsec_mgmt_t) + ps_process_pattern($1, ipsec_mgmt_t)
+') +')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd0417..56961b493 100644 index 312cd0417..27a5d0650 100644
--- a/policy/modules/system/ipsec.te --- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -39685,7 +39724,7 @@ index 312cd0417..56961b493 100644
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_t self:process { getcap setcap getsched signal setsched }; -allow ipsec_t self:process { getcap setcap getsched signal setsched };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid }; +allow ipsec_t self:capability { net_admin dac_read_search setpcap sys_nice net_raw setuid setgid };
+dontaudit ipsec_t self:capability sys_tty_config; +dontaudit ipsec_t self:capability sys_tty_config;
+allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill }; +allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill };
allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:tcp_socket create_stream_socket_perms;
@ -39827,7 +39866,7 @@ index 312cd0417..56961b493 100644
-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; -allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace }; +allow ipsec_mgmt_t self:capability { dac_read_search net_admin setpcap sys_nice sys_ptrace };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config; +dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -40140,10 +40179,10 @@ index c42fbc329..bf211dbee 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+') +')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e6c..73e51f7ef 100644 index be8ed1e6c..1afb965b8 100644
--- a/policy/modules/system/iptables.te --- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t; @@ -16,44 +16,61 @@ role iptables_roles types iptables_t;
type iptables_initrc_exec_t; type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t) init_script_file(iptables_initrc_exec_t)
@ -40168,7 +40207,11 @@ index be8ed1e6c..73e51f7ef 100644
######################################## ########################################
# #
# Iptables local policy # Iptables local policy
@@ -35,25 +41,36 @@ dontaudit iptables_t self:capability sys_tty_config; #
-allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
+allow iptables_t self:capability { dac_read_search net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms; allow iptables_t self:netlink_socket create_socket_perms;
@ -40928,7 +40971,7 @@ index 808ba93eb..b717d9709 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+') +')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 54f8fa5c8..e14ec857c 100644 index 54f8fa5c8..7a660a06c 100644
--- a/policy/modules/system/libraries.te --- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@ -40953,7 +40996,7 @@ index 54f8fa5c8..e14ec857c 100644
# #
-allow ldconfig_t self:capability { dac_override sys_chroot }; -allow ldconfig_t self:capability { dac_override sys_chroot };
+allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot }; +allow ldconfig_t self:capability { dac_read_search sys_chroot };
+manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) +manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
@ -41130,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+') +')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 446fa9908..fcf08acb2 100644 index 446fa9908..a0d1b1ff7 100644
--- a/policy/modules/system/locallogin.te --- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@ -41165,7 +41208,7 @@ index 446fa9908..fcf08acb2 100644
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec }; -allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; +allow local_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; +allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use; allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:fifo_file rw_fifo_file_perms;
@ -41267,7 +41310,7 @@ index 446fa9908..fcf08acb2 100644
# #
-allow sulogin_t self:capability dac_override; -allow sulogin_t self:capability dac_override;
+allow sulogin_t self:capability { dac_read_search dac_override sys_admin }; +allow sulogin_t self:capability { dac_read_search sys_admin };
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use; allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_fifo_file_perms; allow sulogin_t self:fifo_file rw_fifo_file_perms;
@ -42138,7 +42181,7 @@ index 4e9488463..2db173f77 100644
+') +')
+ +
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1a2..ba742cd03 100644 index 59b04c1a2..6ae1e2663 100644
--- a/policy/modules/system/logging.te --- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@ -42221,8 +42264,12 @@ index 59b04c1a2..ba742cd03 100644
ifdef(`enable_mls',` ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
@@ -94,8 +129,11 @@ ifdef(`enable_mls',` @@ -91,11 +126,14 @@ ifdef(`enable_mls',`
allow auditctl_t self:capability { fsetid dac_read_search dac_override }; # Auditctl local policy
#
-allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+allow auditctl_t self:capability { fsetid dac_read_search };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+allow auditctl_t self:process getcap; +allow auditctl_t self:process getcap;
@ -42304,7 +42351,7 @@ index 59b04c1a2..ba742cd03 100644
# #
-allow audisp_t self:capability { dac_override setpcap sys_nice }; -allow audisp_t self:capability { dac_override setpcap sys_nice };
+allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice }; +allow audisp_t self:capability { dac_read_search setpcap sys_nice };
allow audisp_t self:process { getcap signal_perms setcap setsched }; allow audisp_t self:process { getcap signal_perms setcap setsched };
allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:fifo_file rw_fifo_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms;
@ -42393,7 +42440,7 @@ index 59b04c1a2..ba742cd03 100644
# sys_nice for rsyslog # sys_nice for rsyslog
# cjp: why net_admin! # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; +allow syslogd_t self:capability { sys_ptrace dac_read_search sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
dontaudit syslogd_t self:capability sys_tty_config; dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:cap_userns sys_ptrace; +dontaudit syslogd_t self:cap_userns sys_ptrace;
+allow syslogd_t self:capability2 { syslog block_suspend }; +allow syslogd_t self:capability2 { syslog block_suspend };
@ -43095,7 +43142,7 @@ index 58bc27f22..90f567300 100644
+ +
+ +
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c410..924fa2e75 100644 index 79048c410..d404d6528 100644
--- a/policy/modules/system/lvm.te --- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -43184,7 +43231,7 @@ index 79048c410..924fa2e75 100644
# rawio needed for dmraid # rawio needed for dmraid
# net_admin for multipath # net_admin for multipath
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; -allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+allow lvm_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; +allow lvm_t self:capability { dac_read_search fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
dontaudit lvm_t self:capability sys_tty_config; dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
# LVM will complain a lot if it cannot set its priority. # LVM will complain a lot if it cannot set its priority.
@ -44006,7 +44053,7 @@ index 7449974f6..b79290062 100644
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
+') +')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7a363b8b2..3a6ded940 100644 index 7a363b8b2..69463d732 100644
--- a/policy/modules/system/modutils.te --- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@ -44112,7 +44159,7 @@ index 7a363b8b2..3a6ded940 100644
# #
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config }; +allow insmod_t self:capability { dac_read_search mknod net_raw sys_nice sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms; allow insmod_t self:udp_socket create_socket_perms;
@ -44687,7 +44734,7 @@ index 4584457b1..8f676d0c8 100644
') ')
+ +
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 459a0efbc..ed4756edc 100644 index 459a0efbc..816066d07 100644
--- a/policy/modules/system/mount.te --- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te
@@ -5,13 +5,6 @@ policy_module(mount, 1.16.1) @@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
@ -44749,7 +44796,7 @@ index 459a0efbc..ed4756edc 100644
-# setuid/setgid needed to mount cifs -# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+# setuid/setgid needed to mount cifs +# setuid/setgid needed to mount cifs
+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice }; +allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_read_search chown sys_tty_config setuid setgid sys_nice };
+allow mount_t self:process { getcap getsched setsched setcap setrlimit signal }; +allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
+allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms;
@ -46088,7 +46135,7 @@ index 38220721d..abac74231 100644
+ allow semanage_t $1:dbus send_msg; + allow semanage_t $1:dbus send_msg;
+') +')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index dc4642022..0e7086c60 100644 index dc4642022..5b26b2de2 100644
--- a/policy/modules/system/selinuxutil.te --- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(` @@ -11,14 +11,16 @@ gen_require(`
@ -46233,7 +46280,7 @@ index dc4642022..0e7086c60 100644
# #
-allow checkpolicy_t self:capability dac_override; -allow checkpolicy_t self:capability dac_override;
+allow checkpolicy_t self:capability { dac_read_search dac_override }; +allow checkpolicy_t self:capability { dac_read_search };
# able to create and modify binary policy files # able to create and modify binary policy files
manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t) manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
@ -46259,7 +46306,7 @@ index dc4642022..0e7086c60 100644
# #
-allow load_policy_t self:capability dac_override; -allow load_policy_t self:capability dac_override;
+allow load_policy_t self:capability { dac_read_search dac_override }; +allow load_policy_t self:capability { dac_read_search };
# only allow read of policy config files # only allow read of policy config files
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
@ -46311,7 +46358,7 @@ index dc4642022..0e7086c60 100644
# #
-allow newrole_t self:capability { fowner setuid setgid dac_override }; -allow newrole_t self:capability { fowner setuid setgid dac_override };
+allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override }; +allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec; allow newrole_t self:process setexec;
allow newrole_t self:fd use; allow newrole_t self:fd use;
@ -46383,6 +46430,15 @@ index dc4642022..0e7086c60 100644
files_polyinstantiate_all(newrole_t) files_polyinstantiate_all(newrole_t)
') ')
@@ -318,7 +362,7 @@ tunable_policy(`allow_polyinstantiation',`
# Restorecond local policy
#
-allow restorecond_t self:capability { dac_override dac_read_search fowner };
+allow restorecond_t self:capability { dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;
allow restorecond_t restorecond_var_run_t:file manage_file_perms;
@@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t) @@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t) kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t) kernel_read_system_state(restorecond_t)
@ -46434,10 +46490,11 @@ index dc4642022..0e7086c60 100644
# often the administrator runs such programs from a directory that is owned # often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit # by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory # the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search }; -dontaudit run_init_t self:capability { dac_override dac_read_search };
+dontaudit run_init_t self:capability { dac_read_search };
+kernel_dontaudit_getattr_core_if(run_init_t)
+ +
+kernel_dontaudit_getattr_core_if(run_init_t)
corecmd_exec_bin(run_init_t) corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t) corecmd_exec_shell(run_init_t)
@ -46763,7 +46820,7 @@ index dc4642022..0e7086c60 100644
+# +#
+# Setfiles common policy +# Setfiles common policy
+# +#
+allow setfiles_domain self:capability { dac_override dac_read_search fowner }; +allow setfiles_domain self:capability { dac_read_search fowner };
+dontaudit setfiles_domain self:capability sys_tty_config; +dontaudit setfiles_domain self:capability sys_tty_config;
+allow setfiles_domain self:fifo_file rw_file_perms; +allow setfiles_domain self:fifo_file rw_file_perms;
+dontaudit setfiles_domain self:dir relabelfrom; +dontaudit setfiles_domain self:dir relabelfrom;
@ -46875,7 +46932,7 @@ index dc4642022..0e7086c60 100644
+ dbus_read_pid_files(setfiles_domain) + dbus_read_pid_files(setfiles_domain)
') ')
+allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource }; +allow policy_manager_domain self:capability { dac_read_search sys_nice sys_resource };
+dontaudit policy_manager_domain self:capability sys_tty_config; +dontaudit policy_manager_domain self:capability sys_tty_config;
+allow policy_manager_domain self:process { signal setsched }; +allow policy_manager_domain self:process { signal setsched };
+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms; +allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
@ -47651,7 +47708,7 @@ index 2cea692c0..e3cb4f2ef 100644
+ files_etc_filetrans($1, net_conf_t, file) + files_etc_filetrans($1, net_conf_t, file)
+') +')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4bc..95c64150b 100644 index a392fc4bc..d29b7f6fb 100644
--- a/policy/modules/system/sysnetwork.te --- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -47699,7 +47756,7 @@ index a392fc4bc..95c64150b 100644
# #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; -dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
+allow dhcpc_t self:capability { dac_read_search dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +allow dhcpc_t self:capability { dac_read_search fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability sys_tty_config; +dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat # for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module }; dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@ -50034,7 +50091,7 @@ index 000000000..634d9596a
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 000000000..1927b4fc0 index 000000000..3660fe1c4
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1025 @@ @@ -0,0 +1,1025 @@
@ -50195,7 +50252,7 @@ index 000000000..1927b4fc0
+# Systemd_logind local policy +# Systemd_logind local policy
+# +#
+ +
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) +# is for /run/user/$USER ($USER ownership is $USER:$USER)
+allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin }; +allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
+allow systemd_logind_t self:capability2 block_suspend; +allow systemd_logind_t self:capability2 block_suspend;
+allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:process getcap;
@ -50363,7 +50420,7 @@ index 000000000..1927b4fc0
+# systemd_machined local policy +# systemd_machined local policy
+# +#
+ +
+allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill }; +allow systemd_machined_t self:capability { dac_read_search setgid sys_admin sys_chroot sys_ptrace kill };
+allow systemd_machined_t systemd_unit_file_t:service { status start }; +allow systemd_machined_t systemd_unit_file_t:service { status start };
+allow systemd_machined_t self:unix_dgram_socket create_socket_perms; +allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
+ +
@ -50481,7 +50538,7 @@ index 000000000..1927b4fc0
+# Local policy +# Local policy
+# +#
+ +
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search dac_override }; +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search };
+allow systemd_passwd_agent_t self:process { setsockcreate }; +allow systemd_passwd_agent_t self:process { setsockcreate };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+ +
@ -50525,7 +50582,7 @@ index 000000000..1927b4fc0
+# Local policy +# Local policy
+# +#
+ +
+allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin }; +allow systemd_tmpfiles_t self:capability { chown dac_read_search fsetid fowner mknod sys_admin };
+allow systemd_tmpfiles_t self:process { setfscreate }; +allow systemd_tmpfiles_t self:process { setfscreate };
+ +
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@ -50796,7 +50853,7 @@ index 000000000..1927b4fc0
+# Timedated policy +# Timedated policy
+# +#
+ +
+allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search dac_override }; +allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search };
+allow systemd_timedated_t self:process { getattr getsched setfscreate }; +allow systemd_timedated_t self:process { getattr getsched setfscreate };
+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms; +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
@ -51361,7 +51418,7 @@ index 9a1650d37..d7e8a0193 100644
######################################## ########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 39f185f68..a313a7d1a 100644 index 39f185f68..815aada78 100644
--- a/policy/modules/system/udev.te --- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -51390,7 +51447,7 @@ index 39f185f68..a313a7d1a 100644
# #
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; +allow udev_t self:capability { chown dac_read_search dac_override fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability2 { block_suspend wake_alarm }; +allow udev_t self:capability2 { block_suspend wake_alarm };
dontaudit udev_t self:capability sys_tty_config; dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend; -allow udev_t self:capability2 block_suspend;
@ -52479,7 +52536,7 @@ index db7597682..c54480a1d 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+ +
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6c0..6a26bba87 100644 index 9dc60c6c0..1d1213e00 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -54094,15 +54151,17 @@ index 9dc60c6c0..6a26bba87 100644
optional_policy(` optional_policy(`
postgresql_unconfined($1_t) postgresql_unconfined($1_t)
') ')
@@ -1240,7 +1714,7 @@ template(`userdom_admin_user_template',` @@ -1240,8 +1714,8 @@ template(`userdom_admin_user_template',`
## </summary> ## </summary>
## </param> ## </param>
# #
-template(`userdom_security_admin_template',` -template(`userdom_security_admin_template',`
- allow $1 self:capability { dac_read_search dac_override };
+template(`userdom_security_admin',` +template(`userdom_security_admin',`
allow $1 self:capability { dac_read_search dac_override }; + allow $1 self:capability { dac_read_search };
corecmd_exec_shell($1) corecmd_exec_shell($1)
@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',` @@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
@ -57575,7 +57634,7 @@ index 9dc60c6c0..6a26bba87 100644
+## </param> +## </param>
+# +#
+template(`userdom_security_admin_template',` +template(`userdom_security_admin_template',`
+ allow $1 self:capability { dac_read_search dac_override }; + allow $1 self:capability { dac_read_search };
+ +
+ corecmd_exec_shell($1) + corecmd_exec_shell($1)
+ +


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 287%{?dist} Release: 288%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -682,6 +682,9 @@ exit 0
%endif %endif
%changelog %changelog
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288
- Remove all unnecessary dac_override capability in SELinux modules
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287 * Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
- Allow init noatsecure httpd_t - Allow init noatsecure httpd_t
- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331) - Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)