rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288

Browse Source 
- Remove all unnecessary dac_override capability in SELinux modules
This commit is contained in:
Lukas Vrabec 2017-09-22 14:15:27 +02:00
parent be528824f0
commit 12fd9044f9
4 changed files with 840 additions and 600 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
container-selinux.tgz
View File

Binary file not shown.

263
policy-rawhide-base.patch
View File

@ -1791,7 +1791,7 @@ index cc8df9d7d..90467f3af 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 0fd5c5f2e..a14addb41 100644
index 0fd5c5f2e..7ee6ec7a3 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -20,13 +20,20 @@ type bootloader_t;
@ -1821,7 +1821,7 @@ index 0fd5c5f2e..a14addb41 100644
#
-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
+allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
@ -2201,7 +2201,7 @@ index c6ca761c9..0c86bfd54 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c44c3592a..cba535365 100644
index c44c3592a..2a3a90bf4 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@ -2222,8 +2222,9 @@ index c44c3592a..cba535365 100644
# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
-dontaudit netutils_t self:capability { dac_override sys_tty_config };
+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
dontaudit netutils_t self:capability { dac_override sys_tty_config };
+dontaudit netutils_t self:capability { sys_tty_config };
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
@ -2419,7 +2420,7 @@ index 688abc2ae..3d89250a6 100644
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 03ec5cafe..1e3ace4cf 100644
index 03ec5cafe..f483a97a6 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', `
@ -2427,7 +2428,7 @@ index 03ec5cafe..1e3ace4cf 100644
allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
@ -2615,7 +2616,7 @@ index 03ec5cafe..1e3ace4cf 100644
#######################################
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 85bb77e05..a4302332a 100644
index 85bb77e05..fdd7b656c 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -9,3 +9,82 @@ attribute su_domain_type;
@ -2623,7 +2624,7 @@ index 85bb77e05..a4302332a 100644
type su_exec_t;
corecmd_executable_file(su_exec_t)
+
+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
+dontaudit su_domain_type self:capability sys_tty_config;
+allow su_domain_type self:process { setexec setsched setrlimit };
+allow su_domain_type self:fifo_file rw_fifo_file_perms;
@ -3189,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1e7..7e03673be 100644
index 1d732f1e7..9823c5a68 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3229,7 +3230,7 @@ index 1d732f1e7..7e03673be 100644
#
-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
+allow chfn_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
@ -3316,7 +3317,7 @@ index 1d732f1e7..7e03673be 100644
#
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { dac_read_search chown kill setuid sys_resource audit_write };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
@ -3375,7 +3376,7 @@ index 1d732f1e7..7e03673be 100644
#
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_read_search dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
+allow passwd_t self:capability { chown dac_read_search dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
@ -3474,7 +3475,7 @@ index 1d732f1e7..7e03673be 100644
#
-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
@ -3518,7 +3519,7 @@ index 1d732f1e7..7e03673be 100644
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+allow useradd_t self:capability { dac_read_search chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:cap_userns { sys_ptrace };
@ -3764,7 +3765,7 @@ index 1dc7a85d3..e4f6fc227 100644
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index 759016583..f50f79935 100644
index 759016583..1b9a61d18 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
@ -3781,7 +3782,7 @@ index 759016583..f50f79935 100644
#
# seunshare local policy
#
+allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:capability { fowner setgid setuid dac_read_search setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
@ -12602,7 +12603,7 @@ index b876c48ad..2e591a538 100644
+
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76ad..f2b8e4558 100644
index f962f76ad..bb8b58852 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -13481,7 +13482,7 @@ index f962f76ad..f2b8e4558 100644
- type root_t;
+ attribute mountpoint;
')
+ dontaudit $1 self:capability { dac_read_search dac_override };
+ dontaudit $1 self:capability { dac_read_search };
- allow $1 root_t:dir list_dir_perms;
- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
@ -25364,10 +25365,10 @@ index 000000000..48caabc7e
+allow domain unlabeled_t:packet { send recv };
+
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index 834a065de..ff9369756 100644
index 834a065de..404a5c677 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
@@ -7,14 +7,14 @@ policy_module(auditadm, 2.2.0)
role auditadm_r;
role system_r;
@ -25376,6 +25377,14 @@ index 834a065de..ff9369756 100644
########################################
#
# Local policy
#
-allow auditadm_t self:capability { dac_read_search dac_override };
+allow auditadm_t self:capability { dac_read_search };
kernel_read_ring_buffer(auditadm_t)
@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
domain_kill_all_domains(auditadm_t)
@ -25401,7 +25410,7 @@ index 834a065de..ff9369756 100644
consoletype_exec(auditadm_t)
')
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
index 3a45a3ef0..7499f24b5 100644
index 3a45a3ef0..f31d79957 100644
--- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te
@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0)
@ -25418,13 +25427,13 @@ index 3a45a3ef0..7499f24b5 100644
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
-
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
+allow logadm_t self:capability { dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index da111206f..621ec5afc 100644
index da111206f..a5ac38465 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
@@ -7,19 +7,25 @@ policy_module(secadm, 2.4.0)
role secadm_r;
@ -25438,12 +25447,14 @@ index da111206f..621ec5afc 100644
########################################
#
@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
# Local policy
#
allow secadm_t self:capability { dac_read_search dac_override };
+kernel_read_system_state(secadm_t)
-allow secadm_t self:capability { dac_read_search dac_override };
+allow secadm_t self:capability { dac_read_search };
+
+kernel_read_system_state(secadm_t)
corecmd_exec_shell(secadm_t)
dev_relabel_all_dev_nodes(secadm_t)
@ -25909,7 +25920,7 @@ index ff9243078..36740eab3 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2522ca6c0..7aeed7254 100644
index 2522ca6c0..c8ef8c8e4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1)
@ -26335,7 +26346,7 @@ index 2522ca6c0..7aeed7254 100644
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
+ allow sysadm_screen_t self:capability { dac_read_search dac_override };
+ allow sysadm_screen_t self:capability { dac_read_search };
')
optional_policy(`
@ -28342,7 +28353,7 @@ index 9d2f31168..2d782e051 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 03061349c..e30703d3c 100644
index 03061349c..bb764b3d0 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@ -28394,6 +28405,15 @@ index 03061349c..e30703d3c 100644
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
@@ -224,7 +234,7 @@ postgresql_view_object(user_sepgsql_view_t)
#
# postgresql Local policy
#
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+allow postgresql_t self:capability { kill dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
@@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -28624,7 +28644,7 @@ index 76d9f66ec..7528851ad 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c68272..79d568a54 100644
index fe0c68272..f0a61f830 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@ -28640,7 +28660,7 @@ index fe0c68272..79d568a54 100644
')
##############################
@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',`
@@ -47,16 +48,12 @@ template(`ssh_basic_client_template',`
application_domain($1_ssh_t, ssh_exec_t)
role $3 types $1_ssh_t;
@ -28651,6 +28671,13 @@ index fe0c68272..79d568a54 100644
##############################
#
# Client local policy
#
- allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ allow $1_ssh_t self:capability { setuid setgid dac_read_search };
allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_ssh_t self:fd use;
allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',`
# or "regular" (not special like sshd_extern_t) servers
allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
@ -28755,7 +28782,7 @@ index fe0c68272..79d568a54 100644
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
@ -29357,7 +29384,7 @@ index fe0c68272..79d568a54 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7b0..b14a28d5c 100644
index cc877c7b0..296d9c7dd 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@ -29444,7 +29471,7 @@ index cc877c7b0..b14a28d5c 100644
type ssh_t;
type ssh_exec_t;
@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
@ -29465,7 +29492,11 @@ index cc877c7b0..b14a28d5c 100644
##############################
#
@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
# SSH client local policy
#
-allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+allow ssh_t self:capability { setuid setgid dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@ -29839,7 +29870,7 @@ index cc877c7b0..b14a28d5c 100644
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
+allow ssh_keygen_t self:capability { dac_read_search dac_override };
+allow ssh_keygen_t self:capability { dac_read_search };
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
@ -31986,7 +32017,7 @@ index 6bf0ecc2d..75b2f31f9 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b403774f..af9ee8070 100644
index 8b403774f..fe21bfc46 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -32246,7 +32277,7 @@ index 8b403774f..af9ee8070 100644
# Xauth local policy
#
+allow xauth_t self:capability { dac_read_search dac_override };
+allow xauth_t self:capability { dac_read_search };
allow xauth_t self:process signal;
+allow xauth_t self:shm create_shm_perms;
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
@ -32351,7 +32382,7 @@ index 8b403774f..af9ee8070 100644
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability2 { block_suspend };
+allow xdm_t self:cap_userns { kill };
+dontaudit xdm_t self:capability sys_admin;
@ -33025,7 +33056,7 @@ index 8b403774f..af9ee8070 100644
# NVIDIA Needs execstack
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+allow xserver_t self:capability { sys_ptrace dac_read_search fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+
dontaudit xserver_t self:capability chown;
+#allow xserver_t self:capability2 compromise_kernel;
@ -34736,7 +34767,7 @@ index 3efd5b669..a8cb6df3d 100644
+ allow $1 login_pgm:key manage_key_perms;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791dcc..2d255df93 100644
index 09b791dcc..598dd5ed1 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -34825,7 +34856,7 @@ index 09b791dcc..2d255df93 100644
#
-allow chkpwd_t self:capability { dac_override setuid };
+allow chkpwd_t self:capability { dac_read_search dac_override setuid };
+allow chkpwd_t self:capability { dac_read_search setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal };
@ -34947,7 +34978,7 @@ index 09b791dcc..2d255df93 100644
#
-allow updpwd_t self:capability { chown dac_override };
+allow updpwd_t self:capability { chown dac_read_search dac_override };
+allow updpwd_t self:capability { chown dac_read_search };
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
@ -35294,15 +35325,18 @@ index d475c2deb..55305d5f3 100644
+ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
+')
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index edece47dc..2e7b81176 100644
index edece47dc..d71651f31 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -20,7 +20,7 @@ role system_r types hwclock_t;
@@ -18,9 +18,9 @@ role system_r types hwclock_t;
# Local policy
#
# Give hwclock the capabilities it requires. dac_override is a surprise,
-# Give hwclock the capabilities it requires. dac_override is a surprise,
+# Give hwclock the capabilities it requires. is a surprise,
# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
+allow hwclock_t self:capability { dac_read_search dac_override sys_rawio sys_time sys_tty_config };
+allow hwclock_t self:capability { dac_read_search sys_rawio sys_time sys_tty_config };
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file rw_fifo_file_perms;
@ -35461,7 +35495,7 @@ index 016a770b9..3fce820a5 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3f48d300a..cb4f966c0 100644
index 3f48d300a..cf67cf714 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,9 +13,15 @@ role system_r types fsadm_t;
@ -35480,10 +35514,12 @@ index 3f48d300a..cb4f966c0 100644
type swapfile_t; # customizable
files_type(swapfile_t)
@@ -26,6 +32,7 @@ files_type(swapfile_t)
@@ -25,7 +31,8 @@ files_type(swapfile_t)
#
# ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_read_search };
+dontaudit fsadm_t self:capability net_admin;
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
@ -35686,7 +35722,7 @@ index e4376aa98..2c98c5647 100644
+ allow $1 getty_unit_file_t:service start;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index f6743ea19..ef08ff3cf 100644
index f6743ea19..abcc39a8c 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
@ -35711,7 +35747,7 @@ index f6743ea19..ef08ff3cf 100644
# Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_read_search chown setgid sys_resource sys_tty_config fowner fsetid };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
@ -35888,18 +35924,21 @@ index 40eb10c60..2a0a32c2d 100644
corecmd_search_bin($1)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index b2097e743..0a49e14ba 100644
index b2097e743..8d66956d0 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
@@ -23,9 +23,9 @@ files_pid_file(hotplug_var_run_t)
#
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
-dontaudit hotplug_t self:capability { dac_override dac_read_search };
+dontaudit hotplug_t self:capability { dac_read_search };
allow hotplug_t self:process { setpgid getsession getattr signal_perms };
allow hotplug_t self:fifo_file rw_file_perms;
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t)
files_read_kernel_modules(hotplug_t)
@ -39655,7 +39694,7 @@ index 0d4c8d35e..537aa4274 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd0417..56961b493 100644
index 312cd0417..27a5d0650 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -39685,7 +39724,7 @@ index 312cd0417..56961b493 100644
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_t self:process { getcap setcap getsched signal setsched };
+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid };
+allow ipsec_t self:capability { net_admin dac_read_search setpcap sys_nice net_raw setuid setgid };
+dontaudit ipsec_t self:capability sys_tty_config;
+allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
@ -39827,7 +39866,7 @@ index 312cd0417..56961b493 100644
-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
+allow ipsec_mgmt_t self:capability { dac_read_search net_admin setpcap sys_nice sys_ptrace };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -40140,10 +40179,10 @@ index c42fbc329..bf211dbee 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e6c..73e51f7ef 100644
index be8ed1e6c..1afb965b8 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
@@ -16,44 +16,61 @@ role iptables_roles types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@ -40168,7 +40207,11 @@ index be8ed1e6c..73e51f7ef 100644
########################################
#
# Iptables local policy
@@ -35,25 +41,36 @@ dontaudit iptables_t self:capability sys_tty_config;
#
-allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
+allow iptables_t self:capability { dac_read_search net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
@ -40928,7 +40971,7 @@ index 808ba93eb..b717d9709 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 54f8fa5c8..e14ec857c 100644
index 54f8fa5c8..7a660a06c 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@ -40953,7 +40996,7 @@ index 54f8fa5c8..e14ec857c 100644
#
-allow ldconfig_t self:capability { dac_override sys_chroot };
+allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot };
+allow ldconfig_t self:capability { dac_read_search sys_chroot };
+manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
@ -41130,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 446fa9908..fcf08acb2 100644
index 446fa9908..a0d1b1ff7 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@ -41165,7 +41208,7 @@ index 446fa9908..fcf08acb2 100644
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
@ -41267,7 +41310,7 @@ index 446fa9908..fcf08acb2 100644
#
-allow sulogin_t self:capability dac_override;
+allow sulogin_t self:capability { dac_read_search dac_override sys_admin };
+allow sulogin_t self:capability { dac_read_search sys_admin };
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_fifo_file_perms;
@ -42138,7 +42181,7 @@ index 4e9488463..2db173f77 100644
+')
+
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1a2..ba742cd03 100644
index 59b04c1a2..6ae1e2663 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@ -42221,8 +42264,12 @@ index 59b04c1a2..ba742cd03 100644
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
@@ -94,8 +129,11 @@ ifdef(`enable_mls',`
allow auditctl_t self:capability { fsetid dac_read_search dac_override };
@@ -91,11 +126,14 @@ ifdef(`enable_mls',`
# Auditctl local policy
#
-allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+allow auditctl_t self:capability { fsetid dac_read_search };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+allow auditctl_t self:process getcap;
@ -42304,7 +42351,7 @@ index 59b04c1a2..ba742cd03 100644
#
-allow audisp_t self:capability { dac_override setpcap sys_nice };
+allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice };
+allow audisp_t self:capability { dac_read_search setpcap sys_nice };
allow audisp_t self:process { getcap signal_perms setcap setsched };
allow audisp_t self:fifo_file rw_fifo_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
@ -42393,7 +42440,7 @@ index 59b04c1a2..ba742cd03 100644
# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
+allow syslogd_t self:capability { sys_ptrace dac_read_search sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:cap_userns sys_ptrace;
+allow syslogd_t self:capability2 { syslog block_suspend };
@ -43095,7 +43142,7 @@ index 58bc27f22..90f567300 100644
+
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c410..924fa2e75 100644
index 79048c410..d404d6528 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -43184,7 +43231,7 @@ index 79048c410..924fa2e75 100644
# rawio needed for dmraid
# net_admin for multipath
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+allow lvm_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+allow lvm_t self:capability { dac_read_search fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
# LVM will complain a lot if it cannot set its priority.
@ -44006,7 +44053,7 @@ index 7449974f6..b79290062 100644
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7a363b8b2..3a6ded940 100644
index 7a363b8b2..69463d732 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@ -44112,7 +44159,7 @@ index 7a363b8b2..3a6ded940 100644
#
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config };
+allow insmod_t self:capability { dac_read_search mknod net_raw sys_nice sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
@ -44687,7 +44734,7 @@ index 4584457b1..8f676d0c8 100644
')
+
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 459a0efbc..ed4756edc 100644
index 459a0efbc..816066d07 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
@ -44749,7 +44796,7 @@ index 459a0efbc..ed4756edc 100644
-# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+# setuid/setgid needed to mount cifs
+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_read_search chown sys_tty_config setuid setgid sys_nice };
+allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
@ -46088,7 +46135,7 @@ index 38220721d..abac74231 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index dc4642022..0e7086c60 100644
index dc4642022..5b26b2de2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@ -46233,7 +46280,7 @@ index dc4642022..0e7086c60 100644
#
-allow checkpolicy_t self:capability dac_override;
+allow checkpolicy_t self:capability { dac_read_search dac_override };
+allow checkpolicy_t self:capability { dac_read_search };
# able to create and modify binary policy files
manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
@ -46259,7 +46306,7 @@ index dc4642022..0e7086c60 100644
#
-allow load_policy_t self:capability dac_override;
+allow load_policy_t self:capability { dac_read_search dac_override };
+allow load_policy_t self:capability { dac_read_search };
# only allow read of policy config files
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
@ -46311,7 +46358,7 @@ index dc4642022..0e7086c60 100644
#
-allow newrole_t self:capability { fowner setuid setgid dac_override };
+allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override };
+allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
@ -46383,6 +46430,15 @@ index dc4642022..0e7086c60 100644
files_polyinstantiate_all(newrole_t)
')
@@ -318,7 +362,7 @@ tunable_policy(`allow_polyinstantiation',`
# Restorecond local policy
#
-allow restorecond_t self:capability { dac_override dac_read_search fowner };
+allow restorecond_t self:capability { dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;
allow restorecond_t restorecond_var_run_t:file manage_file_perms;
@@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@ -46434,10 +46490,11 @@ index dc4642022..0e7086c60 100644
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
+kernel_dontaudit_getattr_core_if(run_init_t)
-dontaudit run_init_t self:capability { dac_override dac_read_search };
+dontaudit run_init_t self:capability { dac_read_search };
+
+kernel_dontaudit_getattr_core_if(run_init_t)
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
@ -46763,7 +46820,7 @@ index dc4642022..0e7086c60 100644
+#
+# Setfiles common policy
+#
+allow setfiles_domain self:capability { dac_override dac_read_search fowner };
+allow setfiles_domain self:capability { dac_read_search fowner };
+dontaudit setfiles_domain self:capability sys_tty_config;
+allow setfiles_domain self:fifo_file rw_file_perms;
+dontaudit setfiles_domain self:dir relabelfrom;
@ -46875,7 +46932,7 @@ index dc4642022..0e7086c60 100644
+ dbus_read_pid_files(setfiles_domain)
')
+allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource };
+allow policy_manager_domain self:capability { dac_read_search sys_nice sys_resource };
+dontaudit policy_manager_domain self:capability sys_tty_config;
+allow policy_manager_domain self:process { signal setsched };
+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
@ -47651,7 +47708,7 @@ index 2cea692c0..e3cb4f2ef 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4bc..95c64150b 100644
index a392fc4bc..d29b7f6fb 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -47699,7 +47756,7 @@ index a392fc4bc..95c64150b 100644
#
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
+allow dhcpc_t self:capability { dac_read_search dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+allow dhcpc_t self:capability { dac_read_search fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@ -50034,7 +50091,7 @@ index 000000000..634d9596a
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 000000000..1927b4fc0
index 000000000..3660fe1c4
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1025 @@
@ -50195,7 +50252,7 @@ index 000000000..1927b4fc0
+# Systemd_logind local policy
+#
+
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
+# is for /run/user/$USER ($USER ownership is $USER:$USER)
+allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
+allow systemd_logind_t self:capability2 block_suspend;
+allow systemd_logind_t self:process getcap;
@ -50363,7 +50420,7 @@ index 000000000..1927b4fc0
+# systemd_machined local policy
+#
+
+allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill };
+allow systemd_machined_t self:capability { dac_read_search setgid sys_admin sys_chroot sys_ptrace kill };
+allow systemd_machined_t systemd_unit_file_t:service { status start };
+allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
+
@ -50481,7 +50538,7 @@ index 000000000..1927b4fc0
+# Local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search dac_override };
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search };
+allow systemd_passwd_agent_t self:process { setsockcreate };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
@ -50525,7 +50582,7 @@ index 000000000..1927b4fc0
+# Local policy
+#
+
+allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
+allow systemd_tmpfiles_t self:capability { chown dac_read_search fsetid fowner mknod sys_admin };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
@ -50796,7 +50853,7 @@ index 000000000..1927b4fc0
+# Timedated policy
+#
+
+allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search dac_override };
+allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search };
+allow systemd_timedated_t self:process { getattr getsched setfscreate };
+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
@ -51361,7 +51418,7 @@ index 9a1650d37..d7e8a0193 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 39f185f68..a313a7d1a 100644
index 39f185f68..815aada78 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -51390,7 +51447,7 @@ index 39f185f68..a313a7d1a 100644
#
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability { chown dac_read_search dac_override fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability2 { block_suspend wake_alarm };
dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
@ -52479,7 +52536,7 @@ index db7597682..c54480a1d 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6c0..6a26bba87 100644
index 9dc60c6c0..1d1213e00 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -54094,15 +54151,17 @@ index 9dc60c6c0..6a26bba87 100644
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1240,7 +1714,7 @@ template(`userdom_admin_user_template',`
@@ -1240,8 +1714,8 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
-template(`userdom_security_admin_template',`
- allow $1 self:capability { dac_read_search dac_override };
+template(`userdom_security_admin',`
allow $1 self:capability { dac_read_search dac_override };
+ allow $1 self:capability { dac_read_search };
corecmd_exec_shell($1)
@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
@ -57575,7 +57634,7 @@ index 9dc60c6c0..6a26bba87 100644
+## </param>
+#
+template(`userdom_security_admin_template',`
+ allow $1 self:capability { dac_read_search dac_override };
+ allow $1 self:capability { dac_read_search };
+
+ corecmd_exec_shell($1)
+

1172
policy-rawhide-contrib.patch
View File

File diff suppressed because it is too large Load Diff

5
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 287%{?dist}
Release: 288%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -682,6 +682,9 @@ exit 0
%endif
%changelog
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-288
- Remove all unnecessary dac_override capability in SELinux modules
* Fri Sep 22 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-287
- Allow init noatsecure httpd_t
- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)