From 1b7c8fcdf66f2b52b96253e553ae072129385189 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 11 Apr 2011 07:58:00 +0000 Subject: [PATCH] - Add Dan's patch to remove 64 bit variants - Allow colord to use unix_dgram_socket - Allow apps that search pids to read /var/run if it is a lnk_file - iscsid_t creates its own directory - Allow init to list var_lock_t dir - apm needs to verify user accounts auth_use_nsswitch - Add labeling for systemd unit files - Allow gnomeclok to enable ntpd service using systemctl - systemd_syst - Add label for matahari-broker.pid file - We want to remove untrustedmcsprocess from ability to read /proc/pid - Fixes for matahari policy - Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir - Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on --- policy-F16.patch | 2571 ++++++++++++++++++++++++++++++++++--------- selinux-policy.spec | 17 +- 2 files changed, 2039 insertions(+), 549 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index cd7b7d72..62292e36 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -218,10 +218,35 @@ index 4705ab6..262b5ba 100644 +gen_tunable(allow_console_login,false) + diff --git a/policy/mcs b/policy/mcs -index 358ce7c..0f1d444 100644 +index 358ce7c..e5dc022 100644 --- a/policy/mcs 
+++ b/policy/mcs -@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto } +@@ -69,16 +69,20 @@ gen_levels(1,mcs_num_cats) + # - /proc/pid operations are not constrained. + + mlsconstrain file { read ioctl lock execute execute_no_trans } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); ++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ++ (( t1 != mcsuntrustedproc ) and (t2 == domain))); + + mlsconstrain file { write setattr append unlink link rename } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); ++ (( h1 dom h2 ) or ++ (( t1 != mcsuntrustedproc ) and (t2 == domain))); + + mlsconstrain dir { search read ioctl lock } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); ++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ++ (( t1 != mcsuntrustedproc ) and (t2 == domain))); + + mlsconstrain dir { write setattr append unlink link rename add_name remove_name } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); ++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ++ (( t1 != mcsuntrustedproc ) and (t2 == domain))); + + # New filesystem object labels must be dominated by the relabeling subject + # clearance, also the objects are single-level. +@@ -86,10 +90,10 @@ mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); # new file labels must be dominated by the relabeling subject clearance @@ -234,7 +259,7 @@ index 358ce7c..0f1d444 100644 (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain process { transition dyntransition } -@@ -101,6 +101,9 @@ mlsconstrain process { ptrace } +@@ -101,6 +105,9 @@ mlsconstrain process { ptrace } mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); 
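Review bot: The rewritten `mlsconstrain file { write setattr append unlink link rename }` constraint drops the `( t1 == mcswriteall )` disjunct the old line carried, while the `dir { write setattr append unlink link rename add_name remove_name }` constraint right below keeps it, so an mcswriteall subject can still modify directories across categories but no longer files. The commit message only asks to take /proc/pid reads away from untrusted MCS processes, so this looks accidental; the new line should be `(( h1 dom h2 ) or ( t1 == mcswriteall ) or` followed by the unchanged `(( t1 != mcsuntrustedproc ) and (t2 == domain)));`. If the drop is intended it is a policy tightening in its own right and deserves a bullet in the commit message. The context comment `# - /proc/pid operations are not constrained.` kept above the block is also stale now and should say that the `t2 == domain` exemption no longer applies to mcsuntrustedproc subjects.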
@@ -244,7 +269,7 @@ index 358ce7c..0f1d444 100644 # # MCS policy for SELinux-enabled databases # -@@ -144,4 +147,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -144,4 +151,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -281,6 +306,27 @@ index e66c296..61f738b 100644 + + dontaudit $1 acct_data_t:dir list_dir_perms; +') +diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc +index e3e0701..3fd0282 100644 +--- a/policy/modules/admin/amanda.fc ++++ b/policy/modules/admin/amanda.fc +@@ -7,11 +7,11 @@ + + /root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0) + +-/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) +-/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) +-/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) +-/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) +-/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) ++/usr/lib/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0) ++/usr/lib/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0) ++/usr/lib/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) ++/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) ++/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + + /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) + diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te index 46d467c..3305e15 100644 --- a/policy/modules/admin/amanda.te 
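Review bot: Dropping the `(64)?` alternative from `/usr/lib(64)?/amanda/...` means these specs no longer match anything under `/usr/lib64`, so on a multilib host without a path-equivalence rule the amanda helpers there fall back to the generic library label and the `amanda_inetd_exec_t` / `amanda_exec_t` transitions silently stop firing. That is only safe if a `/usr/lib64` to `/usr/lib` substitution (file_contexts.subs_dist or equivalent) ships with this change; nothing in the visible hunks adds one, and the selinux-policy.spec half of the commit is outside the visible range. Either confirm the substitution is in place and record it in the commit message, e.g. `- Remove lib64 variants; /lib64 and /usr/lib64 are mapped to /lib and /usr/lib via file_contexts.subs_dist`, or keep the `(64)?` alternatives. The same point applies to every other `(64)?` / `lib64` rewrite in this commit: portage.fc, usermanage.fc, authbind.fc, chrome.fc, execmem.fc, gpg.fc, java.fc, mediawiki.fc, mozilla.fc, nsplugin.fc, openoffice.fc, vmware.fc and the corecommands.fc hunks.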
@@ -1426,6 +1472,29 @@ index e0791b9..373882d 100644 + term_dontaudit_use_all_ttys(traceroute_t) + term_dontaudit_use_all_ptys(traceroute_t) +') +diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc +index db46387..b665b08 100644 +--- a/policy/modules/admin/portage.fc ++++ b/policy/modules/admin/portage.fc +@@ -5,12 +5,12 @@ + /usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0) + /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) + +-/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) +-/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) +-/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) +-/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) +-/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) +-/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) ++/usr/lib/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) ++/usr/lib/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) ++/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) ++/usr/lib/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) ++/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) ++/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) + + /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) + diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 8aaa46d..8714d7f 100644 --- a/policy/modules/admin/portage.if @@ -2649,7 +2718,7 @@ index d5aaf0e..689b2fd 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..7300952 100644 +index 6a5004b..1ef8f1c 100644 
--- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -2677,7 +2746,7 @@ index 6a5004b..7300952 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -38,7 +44,9 @@ logging_send_syslog_msg(tmpreaper_t) +@@ -38,12 +44,15 @@ logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) @@ -2688,7 +2757,13 @@ index 6a5004b..7300952 100644 ifdef(`distro_redhat',` userdom_list_user_home_content(tmpreaper_t) -@@ -52,7 +60,9 @@ optional_policy(` + userdom_delete_user_home_content_dirs(tmpreaper_t) + userdom_delete_user_home_content_files(tmpreaper_t) ++ userdom_delete_user_home_content_sock_files(tmpreaper_t) + userdom_delete_user_home_content_symlinks(tmpreaper_t) + ') + +@@ -52,7 +61,9 @@ optional_policy(` ') optional_policy(` @@ -2698,7 +2773,7 @@ index 6a5004b..7300952 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +76,17 @@ optional_policy(` +@@ -66,9 +77,17 @@ optional_policy(` ') optional_policy(` @@ -2800,6 +2875,19 @@ index 74354da..f04565f 100644 +optional_policy(` + modutils_read_module_deps(usbmodules_t) +') +diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc +index c467144..fb794f9 100644 +--- a/policy/modules/admin/usermanage.fc ++++ b/policy/modules/admin/usermanage.fc +@@ -10,7 +10,7 @@ ifdef(`distro_gentoo',` + /usr/bin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/bin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + +-/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) ++/usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0) + + /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) + /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) 
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 81fb26f..cd18ca8 100644 --- a/policy/modules/admin/usermanage.if @@ -2815,7 +2903,7 @@ index 81fb26f..cd18ca8 100644 optional_policy(` diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..b123de0 100644 +index 441cf22..4e2205c 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t) @@ -2920,7 +3008,15 @@ index 441cf22..b123de0 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -469,8 +471,7 @@ selinux_compute_create_context(useradd_t) +@@ -460,6 +462,7 @@ fs_search_auto_mountpoints(useradd_t) + fs_getattr_xattr_fs(useradd_t) + + mls_file_upgrade(useradd_t) ++mls_process_read_to_clearance(useradd_t) + + # Allow access to context for shadow file + selinux_get_fs_mount(useradd_t) +@@ -469,8 +472,7 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -2930,7 +3026,7 @@ index 441cf22..b123de0 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,20 +499,16 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,20 +500,16 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories 
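Review bot: `mls_process_read_to_clearance(useradd_t)` is a new MLS override added with no comment, and the commit message does not list it, so a reader cannot tell which useradd operation needs to read process state above its own level. MLS-bypass interfaces are the first thing an auditor of this file will question; add a one-line why above it, e.g. `# useradd reads process state up to its clearance for <OPERATION>`, naming the operation that produced the denial. The enclosing useradd_t rule block starts and ends outside this hunk.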
@@ -3004,6 +3100,15 @@ index 39c75fb..057d8b1 100644 optional_policy(` unconfined_domain(ada_t) +diff --git a/policy/modules/apps/authbind.fc b/policy/modules/apps/authbind.fc +index 48cf11b..9787bd4 100644 +--- a/policy/modules/apps/authbind.fc ++++ b/policy/modules/apps/authbind.fc +@@ -1,3 +1,3 @@ + /etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0) + +-/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) ++/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te index 1f42250..3d36ae2 100644 --- a/policy/modules/apps/awstats.te @@ -3064,13 +3169,13 @@ index 1403835..128f634 100644 # Handle nfs home dirs diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc new file mode 100644 -index 0000000..432fb25 +index 0000000..1f468aa --- /dev/null +++ b/policy/modules/apps/chrome.fc @@ -0,0 +1,3 @@ + /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + -+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) ++/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 index 0000000..e921f24 @@ -3346,10 +3451,10 @@ index cd70958..126d7ea 100644 # until properly implemented diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc new file mode 100644 -index 0000000..4540090 +index 0000000..6f3570a --- /dev/null +++ b/policy/modules/apps/execmem.fc -@@ -0,0 +1,50 @@ +@@ -0,0 +1,48 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) 
@@ -3368,17 +3473,15 @@ index 0000000..4540090 +ifdef(`distro_gentoo',` +/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +') -+/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -4724,7 +4827,7 @@ index f5afe78..b1b6bf6 100644 +') + diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..ca56b50 100644 +index 2505654..d0792a8 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0) 
@@ -4799,7 +4902,7 @@ index 2505654..ca56b50 100644 ############################## # # Local Policy -@@ -75,3 +110,151 @@ optional_policy(` +@@ -75,3 +110,153 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -4861,6 +4964,8 @@ index 2505654..ca56b50 100644 +allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; + ++kernel_read_system_state(gnomesystemmm_t) ++ +corecmd_search_bin(gnomesystemmm_t) + +domain_kill_all_domains(gnomesystemmm_t) @@ -4952,15 +5057,22 @@ index 2505654..ca56b50 100644 + +userdom_use_inherited_user_terminals(gnome_domain) diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc -index e9853d4..717d163 100644 +index e9853d4..6864b58 100644 --- a/policy/modules/apps/gpg.fc +++ b/policy/modules/apps/gpg.fc -@@ -1,4 +1,5 @@ +@@ -1,9 +1,10 @@ HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) + /usr/bin/kgpg -- gen_context(system_u:object_r:gpg_exec_t,s0) + /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) + +-/usr/lib(64)?/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) +-/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) ++/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) ++/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if index 40e0a2a..f4a103c 100644 --- a/policy/modules/apps/gpg.if @@ -5394,7 +5506,7 @@ index 66beb80..9c45e44 100644 + automount_dontaudit_getattr_tmp_dirs(irssi_t) +') diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc -index 86c1768..cd76e6a 100644 +index 86c1768..5d2130c 100644 
--- a/policy/modules/apps/java.fc +++ b/policy/modules/apps/java.fc @@ -5,10 +5,13 @@ @@ -5411,7 +5523,13 @@ index 86c1768..cd76e6a 100644 /usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0) /usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0) -@@ -33,6 +36,9 @@ +@@ -27,12 +30,14 @@ + /usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0) + /usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) +-/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0) + + /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0) @@ -5733,14 +5851,14 @@ index 0bac996..ca2388d 100644 diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc new file mode 100644 -index 0000000..bf872ef +index 0000000..d56fd69 --- /dev/null +++ b/policy/modules/apps/mediawiki.fc @@ -0,0 +1,10 @@ + -+/usr/lib(64)?/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -+/usr/lib(64)?/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) -+/usr/lib(64)?/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) ++/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) ++/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) ++/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0) + +/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) + @@ -5862,7 +5980,7 @@ index 7b08e13..515a88a 100644 optional_policy(` xserver_role($1_r, $1_mono_t) 
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc -index 93ac529..aafece7 100644 +index 93ac529..35b51ab 100644 --- a/policy/modules/apps/mozilla.fc +++ b/policy/modules/apps/mozilla.fc @@ -1,6 +1,7 @@ 
@@ -5873,11 +5991,28 @@ index 93ac529..aafece7 100644 HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -@@ -27,3 +28,4 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) - /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) - /usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) - /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -+/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +@@ -18,12 +19,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + # + # /lib + # +-/usr/lib(64)?/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib(64)?/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +-/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0) 
++/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 9a6d67d..d88c02c 100644 --- a/policy/modules/apps/mozilla.if @@ -6545,7 +6680,7 @@ index 0000000..4af1aa0 +userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file }) diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc new file mode 100644 -index 0000000..717eb3f +index 0000000..22e6c96 --- /dev/null +++ b/policy/modules/apps/nsplugin.fc @@ -0,0 +1,11 @@ @@ -6557,9 +6692,9 @@ index 0000000..717eb3f + +/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) -+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) -+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) ++/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) ++/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 index 0000000..37449c0 @@ -7377,12 +7512,11 @@ index 0000000..6cc919e + 
diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc new file mode 100644 -index 0000000..0c53a12 +index 0000000..4428be4 --- /dev/null +++ b/policy/modules/apps/openoffice.fc -@@ -0,0 +1,4 @@ +@@ -0,0 +1,3 @@ +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) -+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) +/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) + diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if @@ -8425,10 +8559,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..c62f0f8 +index 0000000..88efdca --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,475 @@ +@@ -0,0 +1,479 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8698,6 +8832,10 @@ index 0000000..c62f0f8 +') + +optional_policy(` ++ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain) ++') ++ ++optional_policy(` + gnome_read_gconf_config(sandbox_x_domain) +') + @@ -9877,10 +10015,23 @@ index 03fc701..f58654e 100644 -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc -index 5872ea2..028c994 100644 +index 5872ea2..179960c 100644 --- a/policy/modules/apps/vmware.fc 
+++ b/policy/modules/apps/vmware.fc -@@ -66,5 +66,6 @@ ifdef(`distro_gentoo',` +@@ -39,12 +39,6 @@ ifdef(`distro_redhat',` + /usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + ') + +-/usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) +-/usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) +-/usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) +-/usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) +-/usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +- + /usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + /usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) + +@@ -66,5 +60,6 @@ ifdef(`distro_gentoo',` /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) /var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0) @@ -10170,7 +10321,7 @@ index 223ad43..d400ef6 100644 # Reading dotfiles... # cjp: ? diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..4593351 100644 +index 34c9d01..d0c0d02 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` @@ -10193,7 +10344,7 @@ index 34c9d01..4593351 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -128,8 +128,8 @@ ifdef(`distro_debian',` +@@ -128,18 +128,15 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) 
@@ -10203,7 +10354,18 @@ index 34c9d01..4593351 100644 /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -177,6 +177,8 @@ ifdef(`distro_gentoo',` + +-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +-/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) +- + ifdef(`distro_gentoo',` + /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) +-/lib64/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) ++/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) + + /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) + /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -177,6 +174,8 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
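Review bot: In the distro_gentoo block, replacing `/lib64/dhcpcd/dhcpcd-run-hooks` with `/lib/dhcpcd/dhcpcd-run-hooks` produces two identical specs, because the context line directly above is already `/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)`. Identical duplicate entries are reported as "Multiple same specifications" when the file contexts are validated and, depending on the libselinux version, can fail the policy build or load rather than just warn. The lib64 line should simply be deleted (a `-` line with no `+` counterpart), the same way `/lib64/security/pam_krb5/pam_krb5_storetmp` and `/lib64/udev/[^/]*` are handled a few lines up in this hunk.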
@@ -10212,23 +10374,105 @@ index 34c9d01..4593351 100644 # # /usr # -@@ -232,6 +234,9 @@ ifdef(`distro_gentoo',` - /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -244,9 +249,13 @@ ifdef(`distro_gentoo',` +@@ -196,47 +195,49 @@ ifdef(`distro_gentoo',` + /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) +-/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/gimp/.*/plug-ins(/.*)? 
gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) +- +-/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/debug/usr/sbin(/.*)? 
-- gen_context(system_u:object_r:bin_t,s0) +- +-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) +- +-/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/portage/bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) ++ ++/usr/lib/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++ ++/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xulrunner[^/]*/xulrunner[^/]* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xulrunner[^/]*/updater -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xulrunner[^/]*/crashreporter -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) ++ ++/usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /usr/libexec(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -244,9 +245,13 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0) +-/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0) + - /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/local/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) @@ -10236,7 +10480,7 @@ index 34c9d01..4593351 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -283,6 +292,7 @@ ifdef(`distro_gentoo',` +@@ -283,6 +288,7 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) 
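Review bot: The rewritten /usr/lib block in corecommands.fc silently drops `/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)` with no `/usr/lib/...` replacement among the added lines, while every other removed entry reappears in its lib-only form. That is presumably deliberate, since the mozilla.fc hunk earlier in this commit now labels the same path `mozilla_exec_t` and the two specs previously matched the same file with different contexts, but it changes the label the firefox binary receives and is not mentioned in the commit message. Add a bullet such as `- Drop the bin_t spec for the firefox binary from corecommands.fc; mozilla.fc labels it mozilla_exec_t` so the relabel is traceable.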
@@ -10244,15 +10488,27 @@ index 34c9d01..4593351 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -307,6 +317,7 @@ ifdef(`distro_redhat', ` - /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -291,7 +297,7 @@ ifdef(`distro_gentoo',` + /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + +-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) ++/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) + + ifdef(`distro_gentoo', ` + /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -304,9 +310,8 @@ ifdef(`distro_redhat', ` + /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) + + /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -316,9 +327,11 @@ ifdef(`distro_redhat', ` +@@ -316,9 +321,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) 
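Review bot: Dropping the `(64)?` alternative from `/usr/X11R6/lib(64)?/X11/xkb/xkbcomp` and deleting the `/usr/lib64/.*/program(/.*)?` and `/usr/lib64/bluetooth(/.*)?` entries presumably relies on a path substitution (a `file_contexts.subs_dist` mapping of `/usr/lib64` to `/usr/lib`) that is not part of this patch; without it the x86_64 copies of these files lose `bin_t` and fall back to the generic library label, which for suexec-style helpers elsewhere in the series also means no domain transition. Prefixes such as `/usr/X11R6/lib64` and `/lib64` (the `/lib64/modules(/.*)?` removal in the hunk ending at L25) need their own substitution entries, and the `/opt/(.*/)?var/lib(64)?(/.*)?` pattern narrowed in that same hunk cannot be covered by a prefix substitution at all, so an `/opt/<app>/var/lib64` tree appears to fall through to the `/opt/.*` rule and get `usr_t`. The same removal recurs in the hunks ending at L23, L25, L39 and L41; a single comment in the .fc file such as `# lib64 paths rely on the lib64 -> lib substitution in file_contexts.subs_dist` would record the dependency once.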
@@ -10264,6 +10520,23 @@ index 34c9d01..4593351 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) +@@ -360,7 +367,7 @@ ifdef(`distro_redhat', ` + ifdef(`distro_suse', ` + /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + ') + +@@ -373,7 +380,6 @@ ifdef(`distro_suse', ` + + /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) + + /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) + /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 9e9263a..24018ce 100644 --- a/policy/modules/kernel/corecommands.if @@ -11049,7 +11322,7 @@ index 3ff4f60..89ffda6 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index aad8c52..edc8af9 100644 +index aad8c52..e957e76 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` 
@@ -11146,10 +11419,17 @@ index aad8c52..edc8af9 100644 ## dontaudit checking for execute on all entry point files ## ## -@@ -1473,3 +1528,22 @@ interface(`domain_unconfined',` +@@ -1472,4 +1527,29 @@ interface(`domain_unconfined',` + typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; - ') ++ ++ mcs_file_read_all($1) ++ mcs_file_write_all($1) ++ mcs_killall($1) ++ mcs_ptrace_all($1) ++ mcs_socket_write_all_levels($1) ++') + +######################################## +## @@ -11168,7 +11448,7 @@ index aad8c52..edc8af9 100644 + ') + + dontaudit $1 domain:socket_class_set { read write }; -+') + ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index bc534c1..b70ea07 100644 --- a/policy/modules/kernel/domain.te @@ -11354,7 +11634,7 @@ index bc534c1..b70ea07 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 16108f6..0f1470f 100644 +index 16108f6..e76bf67 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` 
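Review bot: `domain_unconfined` now also attaches every MCS override (`mcs_file_read_all`, `mcs_file_write_all`, `mcs_killall`, `mcs_ptrace_all`, `mcs_socket_write_all_levels`) to the caller, but the interface summary, which sits outside this hunk, still describes only the unconfined type attributes; I would extend it with a line such as `## The domain is also exempted from all MCS constraints (read, write, kill, ptrace, socket write at any level).` so callers see the full scope of what they grant. Presumably this compensates for narrowing the generic `t2 == domain` exemption in the MCS constraints; if so, confined domains that relied on that exemption when touching other domains' files or processes should be checked for new MCS denials rather than handed these attributes. The start of `domain_unconfined` is outside the hunk.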
@@ -11400,7 +11680,28 @@ index 16108f6..0f1470f 100644 HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -@@ -153,6 +164,17 @@ HOME_ROOT/lost\+found/.* <> +@@ -101,10 +112,9 @@ HOME_ROOT/lost\+found/.* <> + /initrd -d gen_context(system_u:object_r:root_t,s0) + + # +-# /lib(64)? ++# /lib + # + /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) +-/lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) + + # + # /lost+found +@@ -145,7 +155,7 @@ HOME_ROOT/lost\+found/.* <> + /opt -d gen_context(system_u:object_r:usr_t,s0) + /opt/.* gen_context(system_u:object_r:usr_t,s0) + +-/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0) ++/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) + + # + # /proc +@@ -153,6 +163,17 @@ HOME_ROOT/lost\+found/.* <> /proc -d <> /proc/.* <> @@ -11418,7 +11719,7 @@ index 16108f6..0f1470f 100644 # # /selinux # -@@ -166,12 +188,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -166,12 +187,6 @@ HOME_ROOT/lost\+found/.* <> /srv/.* gen_context(system_u:object_r:var_t,s0) # @@ -11431,7 +11732,7 @@ index 16108f6..0f1470f 100644 # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -@@ -211,7 +227,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -211,7 +226,6 @@ HOME_ROOT/lost\+found/.* <> ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) @@ -11439,7 +11740,7 @@ index 16108f6..0f1470f 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -227,6 +242,8 @@ ifndef(`distro_redhat',` +@@ -227,6 +241,8 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
@@ -11448,7 +11749,14 @@ index 16108f6..0f1470f 100644 /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -243,7 +260,7 @@ ifndef(`distro_redhat',` +@@ -237,13 +253,14 @@ ifndef(`distro_redhat',` + /var/lost\+found/.* <> + + /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) ++/var/run -l gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) + /var/run/.* gen_context(system_u:object_r:var_run_t,s0) + /var/run/.*\.*pid <> + /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -11466,7 +11774,7 @@ index 16108f6..0f1470f 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..a595aa7 100644 +index 958ca84..cec6add 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -11619,7 +11927,32 @@ index 958ca84..a595aa7 100644 ######################################## ## ## Read and write symbolic links -@@ -2453,6 +2560,24 @@ interface(`files_delete_etc_files',` +@@ -2300,6 +2407,24 @@ interface(`files_rw_etc_dirs',` + allow $1 etc_t:dir rw_dir_perms; + ') + ++####################################### ++## ++## Dontaudit remove dir /etc directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_dontaudit_remove_etc_dir',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ dontaudit $1 etc_t:dir rmdir; ++') ++ + ########################################## + ## + ## Manage generic directories in /etc +@@ -2453,6 +2578,24 @@ interface(`files_delete_etc_files',` ######################################## ## 
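Review bot: The parameter description of the new `files_dontaudit_remove_etc_dir` reads `Domain allowed access.`, which is the wording for an allow interface; the file's dontaudit interfaces use `Domain not to audit.` (visible for `files_dontaudit_getattr_all_tmp_files` in the hunk ending at L29). The summary `Dontaudit remove dir /etc directories.` is also garbled; `Do not audit attempts to remove directories in /etc.` would match the rule `dontaudit $1 etc_t:dir rmdir;`. The new `fs_dontaudit_search_cgroup_dirs` in the hunk ending at L33 carries the same `Domain allowed access.` wording.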
@@ -11644,7 +11977,7 @@ index 958ca84..a595aa7 100644 ## Execute generic files in /etc. ## ## -@@ -2583,6 +2708,31 @@ interface(`files_create_boot_flag',` +@@ -2583,6 +2726,31 @@ interface(`files_create_boot_flag',` ######################################## ## @@ -11676,7 +12009,7 @@ index 958ca84..a595aa7 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2623,6 +2773,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2623,6 +2791,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -11701,7 +12034,7 @@ index 958ca84..a595aa7 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -3104,6 +3272,7 @@ interface(`files_getattr_home_dir',` +@@ -3104,6 +3290,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -11709,7 +12042,7 @@ index 958ca84..a595aa7 100644 ') ######################################## -@@ -3124,6 +3293,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3124,6 +3311,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -11717,7 +12050,7 @@ index 958ca84..a595aa7 100644 ') ######################################## -@@ -3287,6 +3457,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` +@@ -3287,6 +3475,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` dontaudit $1 lost_found_t:dir getattr; ') @@ -11742,7 +12075,7 @@ index 958ca84..a595aa7 100644 ######################################## ## ## Create, read, write, and delete objects in -@@ -3365,6 +3553,43 @@ interface(`files_list_mnt',` +@@ -3365,6 +3571,43 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') 
@@ -11786,7 +12119,7 @@ index 958ca84..a595aa7 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3438,6 +3663,24 @@ interface(`files_read_mnt_files',` +@@ -3438,6 +3681,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -11811,7 +12144,7 @@ index 958ca84..a595aa7 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3972,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3990,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11911,7 +12244,7 @@ index 958ca84..a595aa7 100644 ######################################## ## ## Allow the specified type to associate -@@ -3914,6 +4250,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,6 +4268,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -11944,7 +12277,7 @@ index 958ca84..a595aa7 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3968,7 +4330,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,7 +4348,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -11953,7 +12286,7 @@ index 958ca84..a595aa7 100644 ## ## ## -@@ -3976,17 +4338,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3976,17 +4356,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -11975,7 +12308,7 @@ index 958ca84..a595aa7 100644 ## ## ## -@@ -3994,45 +4356,123 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -3994,22 +4374,100 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # 
@@ -12000,36 +12333,31 @@ index 958ca84..a595aa7 100644 ## -## Domain not to audit. +## Domain allowed access. - ## - ## ++## ++## +## - # --interface(`files_dontaudit_getattr_all_tmp_files',` ++# +interface(`files_relabel_all_tmp_dirs',` - gen_require(` - attribute tmpfile; ++ gen_require(` ++ attribute tmpfile; + type var_t; - ') - -- dontaudit $1 tmpfile:file getattr; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) - ') - - ######################################## - ## --## Allow attempts to get the attributes --## of all tmp files. ++') ++ ++######################################## ++## +## Relabel all tmp files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_getattr_all_tmp_files',` ++# +interface(`files_relabel_all_tmp_files',` + gen_require(` + attribute tmpfile; @@ -12084,33 +12412,10 @@ index 958ca84..a595aa7 100644 +## +## +## Domain not to audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:file getattr; -+') -+ -+######################################## -+## -+## Allow attempts to get the attributes -+## of all tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_all_tmp_files',` - gen_require(` - attribute tmpfile; - ') -@@ -4127,6 +4567,15 @@ interface(`files_purge_tmp',` + ## + ## + # +@@ -4127,6 +4585,15 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -12126,7 +12431,7 @@ index 958ca84..a595aa7 100644 ') ######################################## -@@ -4736,6 +5185,24 @@ interface(`files_read_var_files',` +@@ -4736,6 +5203,24 @@ interface(`files_read_var_files',` ######################################## ## 
@@ -12151,7 +12456,7 @@ index 958ca84..a595aa7 100644 ## Read and write files in the /var directory. ## ## -@@ -5071,6 +5538,25 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5556,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -12177,7 +12482,7 @@ index 958ca84..a595aa7 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5084,6 +5570,7 @@ interface(`files_search_locks',` +@@ -5084,6 +5588,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -12185,7 +12490,7 @@ index 958ca84..a595aa7 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5108,6 +5595,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5108,6 +5613,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -12212,7 +12517,7 @@ index 958ca84..a595aa7 100644 ## Add and remove entries in the /var/lock ## directories. ## -@@ -5122,6 +5629,7 @@ interface(`files_rw_lock_dirs',` +@@ -5122,6 +5647,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -12220,7 +12525,7 @@ index 958ca84..a595aa7 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5142,6 +5650,7 @@ interface(`files_getattr_generic_locks',` +@@ -5142,6 +5668,7 @@ interface(`files_getattr_generic_locks',` allow $1 var_t:dir search_dir_perms; allow $1 var_lock_t:dir list_dir_perms; @@ -12228,7 +12533,7 @@ index 958ca84..a595aa7 100644 getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5156,12 +5665,13 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5683,13 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -12246,7 +12551,7 @@ index 958ca84..a595aa7 100644 ') ######################################## -@@ -5181,6 +5691,7 @@ interface(`files_manage_generic_locks',` +@@ -5181,6 +5709,7 @@ interface(`files_manage_generic_locks',` ') allow $1 var_t:dir search_dir_perms; 
@@ -12254,7 +12559,7 @@ index 958ca84..a595aa7 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5207,6 +5718,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5736,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -12282,7 +12587,7 @@ index 958ca84..a595aa7 100644 ## Read all lock files. ## ## -@@ -5224,6 +5756,7 @@ interface(`files_read_all_locks',` +@@ -5224,6 +5774,7 @@ interface(`files_read_all_locks',` allow $1 { var_t var_lock_t }:dir search_dir_perms; allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) @@ -12290,7 +12595,7 @@ index 958ca84..a595aa7 100644 read_lnk_files_pattern($1, lockfile, lockfile) ') -@@ -5244,6 +5777,7 @@ interface(`files_manage_all_locks',` +@@ -5244,6 +5795,7 @@ interface(`files_manage_all_locks',` ') allow $1 { var_t var_lock_t }:dir search_dir_perms; @@ -12298,7 +12603,7 @@ index 958ca84..a595aa7 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5276,6 +5810,7 @@ interface(`files_lock_filetrans',` +@@ -5276,6 +5828,7 @@ interface(`files_lock_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -12306,10 +12611,13 @@ index 958ca84..a595aa7 100644 filetrans_pattern($1, var_lock_t, $2, $3) ') -@@ -5335,6 +5870,43 @@ interface(`files_search_pids',` - search_dirs_pattern($1, var_t, var_run_t) - ') +@@ -5333,6 +5886,44 @@ interface(`files_search_pids',` + ') + search_dirs_pattern($1, var_t, var_run_t) ++ read_lnk_files_pattern($1, var_t, var_run_t) ++') ++ +###################################### +## +## Add and remove entries from pid directories. 
@@ -12345,12 +12653,10 @@ index 958ca84..a595aa7 100644 + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir create_dir_perms; -+') -+ + ') + ######################################## - ## - ## Do not audit attempts to search -@@ -5542,6 +6114,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6133,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -12413,7 +12719,7 @@ index 958ca84..a595aa7 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6187,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6206,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -12458,7 +12764,7 @@ index 958ca84..a595aa7 100644 ') ######################################## -@@ -5844,3 +6510,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6529,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12808,7 +13114,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..be9572b 100644 +index dfe361a..79b4c0f 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` @@ -12821,7 +13127,7 @@ index dfe361a..be9572b 100644 ######################################## ## -+## Relabelto cgroup directories. ++## Relabel cgroup directories. +## +## +## @@ -12843,7 +13149,7 @@ index dfe361a..be9572b 100644 ## list cgroup directories. ## ## -@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', ` +@@ -665,9 +685,29 @@ interface(`fs_list_cgroup_dirs', ` ') list_dirs_pattern($1, cgroup_t, cgroup_t) 
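Review bot: `files_search_pids` now also grants `read_lnk_files_pattern($1, var_t, var_run_t)` so callers can follow a symlinked `/var/run`, but the interface summary (outside the hunk) still speaks only of searching directories; a one-line addition such as `## Also follows /var/run when it is a symbolic link.` keeps the documentation honest for the many callers of this interface. This pairs with the new `/var/run -l` file-context entry in the hunk ending at L26, which is what gives the symlink the `var_run_t` label this rule reads. The start of `files_search_pids` is outside the hunk.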
@@ -12851,7 +13157,29 @@ index dfe361a..be9572b 100644 dev_search_sysfs($1) ') -@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', ` ++####################################### ++## ++## Dontaudit list cgroup directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_search_cgroup_dirs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ dontaudit $1 cgroup_t:dir search_dir_perms; ++ dev_dontaudit_search_sysfs($1) ++') ++ + ######################################## + ## + ## Delete cgroup directories. +@@ -684,6 +724,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) @@ -12859,7 +13187,7 @@ index dfe361a..be9572b 100644 dev_search_sysfs($1) ') -@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',` +@@ -704,6 +745,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) @@ -12867,7 +13195,7 @@ index dfe361a..be9572b 100644 dev_search_sysfs($1) ') -@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',` +@@ -724,6 +766,7 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) @@ -12875,7 +13203,7 @@ index dfe361a..be9572b 100644 dev_search_sysfs($1) ') -@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', ` +@@ -743,6 +786,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) @@ -12883,7 +13211,7 @@ index dfe361a..be9572b 100644 dev_search_sysfs($1) ') -@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',` +@@ -763,6 +807,7 @@ interface(`fs_rw_cgroup_files',` ') rw_files_pattern($1, cgroup_t, cgroup_t) @@ -12891,7 +13219,7 @@ index dfe361a..be9572b 100644 dev_search_sysfs($1) ') -@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',` +@@ -803,6 +848,7 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) 
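Review bot: The summary of the new `fs_dontaudit_search_cgroup_dirs` says `Dontaudit list cgroup directories.` while the rule is `dontaudit $1 cgroup_t:dir search_dir_perms;`, which silences search, not listing; `Do not audit attempts to search cgroup directories.` would match both the rule and the interface name. A reader comparing it with the `fs_list_cgroup_dirs` interface directly above would otherwise expect `list_dir_perms` here.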
@@ -12899,7 +13227,7 @@ index dfe361a..be9572b 100644 dev_search_sysfs($1) ') -@@ -1052,6 +1079,24 @@ interface(`fs_list_noxattr_fs',` +@@ -1052,6 +1098,24 @@ interface(`fs_list_noxattr_fs',` ######################################## ## @@ -12924,7 +13252,7 @@ index dfe361a..be9572b 100644 ## Create, read, write, and delete all noxattrfs directories. ## ## -@@ -1088,6 +1133,42 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1088,6 +1152,42 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -12967,7 +13295,7 @@ index dfe361a..be9572b 100644 ## Dont audit attempts to write to noxattrfs files. ## ## -@@ -1227,6 +1308,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1227,6 +1327,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -13010,7 +13338,7 @@ index dfe361a..be9572b 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1241,7 +1358,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1241,7 +1377,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -13019,7 +13347,7 @@ index dfe361a..be9572b 100644 ') ######################################## -@@ -1504,6 +1621,25 @@ interface(`fs_cifs_domtrans',` +@@ -1504,6 +1640,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -13045,7 +13373,7 @@ index dfe361a..be9572b 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1659,6 +1795,25 @@ interface(`fs_search_dos',` +@@ -1659,6 +1814,25 @@ interface(`fs_search_dos',` ######################################## ## @@ -13071,7 +13399,7 @@ index dfe361a..be9572b 100644 ## Create, read, write, and delete dirs ## on a DOS filesystem. ## -@@ -1774,6 +1929,24 @@ interface(`fs_unmount_fusefs',` +@@ -1774,6 +1948,24 @@ interface(`fs_unmount_fusefs',` ######################################## ## 
@@ -13096,7 +13424,7 @@ index dfe361a..be9572b 100644 ## Search directories ## on a FUSEFS filesystem. ## -@@ -1892,6 +2065,26 @@ interface(`fs_manage_fusefs_files',` +@@ -1892,6 +2084,26 @@ interface(`fs_manage_fusefs_files',` ######################################## ## @@ -13123,7 +13451,7 @@ index dfe361a..be9572b 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a FUSEFS filesystem. -@@ -1931,7 +2124,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +2143,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -13151,7 +13479,7 @@ index dfe361a..be9572b 100644 ## ## ## -@@ -1946,6 +2158,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +2177,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -13193,7 +13521,7 @@ index dfe361a..be9572b 100644 ######################################## ## -@@ -1999,6 +2246,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2265,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -13201,7 +13529,7 @@ index dfe361a..be9572b 100644 ') ######################################## -@@ -2331,6 +2579,7 @@ interface(`fs_read_nfs_files',` +@@ -2331,6 +2598,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -13209,7 +13537,7 @@ index dfe361a..be9572b 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2369,6 +2618,7 @@ interface(`fs_write_nfs_files',` +@@ -2369,6 +2637,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -13217,7 +13545,7 @@ index dfe361a..be9572b 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2395,6 +2645,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2664,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## 
@@ -13243,7 +13571,7 @@ index dfe361a..be9572b 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2704,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2435,6 +2723,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -13286,7 +13614,7 @@ index dfe361a..be9572b 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2754,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2773,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -13295,7 +13623,7 @@ index dfe361a..be9572b 100644 ') ######################################## -@@ -2637,6 +2942,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -13320,7 +13648,7 @@ index dfe361a..be9572b 100644 ## Read removable storage symbolic links. ## ## -@@ -2653,6 +2976,25 @@ interface(`fs_read_removable_symlinks',` +@@ -2653,6 +2995,25 @@ interface(`fs_read_removable_symlinks',` read_lnk_files_pattern($1, removable_t, removable_t) ') @@ -13346,7 +13674,7 @@ index dfe361a..be9572b 100644 ######################################## ## ## Read and write block nodes on removable filesystems. -@@ -2779,6 +3121,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2779,6 +3140,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -13354,7 +13682,7 @@ index dfe361a..be9572b 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +3162,7 @@ interface(`fs_manage_nfs_files',` +@@ -2819,6 +3181,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -13362,7 +13690,7 @@ index dfe361a..be9572b 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3189,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3208,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links 
@@ -13371,7 +13699,7 @@ index dfe361a..be9572b 100644 ## ## ## -@@ -2859,6 +3203,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -2859,6 +3222,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -13379,7 +13707,7 @@ index dfe361a..be9572b 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3772,6 +4117,24 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3772,6 +4136,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -13400,11 +13728,29 @@ index dfe361a..be9572b 100644 +') + +######################################## ++## ++## Relabel files on tmpfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabel_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ relabel_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## +## ## Create, read, write, and delete ## tmpfs directories ## -@@ -3989,6 +4352,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3989,6 +4389,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -13429,7 +13775,7 @@ index dfe361a..be9572b 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',` +@@ -4271,6 +4689,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -13438,7 +13784,7 @@ index dfe361a..be9572b 100644 ') ######################################## -@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',` +@@ -4681,3 +5101,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -15698,10 +16044,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..77c513d +index 0000000..805d0ea --- /dev/null 
+++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,499 @@ +@@ -0,0 +1,503 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -16035,9 +16381,9 @@ index 0000000..77c513d + lpd_run_checkpc(unconfined_t, unconfined_r) +') + -+optional_policy(` -+ mock_role(unconfined_r, unconfined_t) -+') ++#optional_policy(` ++# mock_role(unconfined_r, unconfined_t) ++#') + +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) @@ -16089,6 +16435,10 @@ index 0000000..77c513d +') + +optional_policy(` ++ quota_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) @@ -16202,10 +16552,10 @@ index 0000000..77c513d +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..10d03a3 100644 +index e5bfdd4..0e1c254 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,67 @@ role user_r; +@@ -12,15 +12,72 @@ role user_r; userdom_unpriv_user_template(user) @@ -16229,6 +16579,7 @@ index e5bfdd4..10d03a3 100644 + +optional_policy(` + gnome_role(user_r, user_t) ++ +') + +optional_policy(` @@ -16257,6 +16608,10 @@ index e5bfdd4..10d03a3 100644 + sandbox_transition(user_t, user_r) +') + ++optional_policy(` ++ ssh_role_template(user, user_r, user_t) ++') ++ +optional_policy(` screen_role_template(user, user_r, user_t) ') @@ -16273,7 +16628,7 @@ index e5bfdd4..10d03a3 100644 vlock_run(user_t, user_r) ') -@@ -62,10 +114,6 @@ ifndef(`distro_redhat',` +@@ -62,10 +119,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
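Review bot: The `mock_role(unconfined_r, unconfined_t)` call is left in the file as a commented-out block instead of being deleted, and nothing says why; if it is meant to return, a comment above it such as `# mock_role disabled: <reason to be filled in by the author>` would tell the next maintainer, otherwise just drop the three lines. As written, a reader of the unconfined user policy cannot tell whether losing the mock role is intentional.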
@@ -16284,16 +16639,20 @@ index e5bfdd4..10d03a3 100644 gpg_role(user_r, user_t) ') -@@ -118,7 +166,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +171,7 @@ ifndef(`distro_redhat',` ') optional_policy(` - spamassassin_role(user_r, user_t) +- ') +- +- optional_policy(` +- ssh_role_template(user, user_r, user_t) + spamassassin_role(user_r, user_t) ') optional_policy(` -@@ -157,3 +205,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +206,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -17338,6 +17697,19 @@ index 0000000..3d0fd88 + ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r) +') + +diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc +index d96fdfa..e07158f 100644 +--- a/policy/modules/services/amavis.fc ++++ b/policy/modules/services/amavis.fc +@@ -4,7 +4,7 @@ + /etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) + + /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) +-/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) ++/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) + + ifdef(`distro_debian',` + /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if index ceb2142..e31d92a 100644 --- a/policy/modules/services/amavis.if @@ -17431,7 +17803,7 @@ index c3a1903..19fb14a 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..7ba3b11 100644 +index 9e39aa5..ec27284 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u 
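Review bot: Removing `ssh_role_template(user, user_r, user_t)` from the `ifndef(distro_redhat)` block here, together with the unconditional `ssh_role_template` call added in the hunk ending at L38, means `distro_redhat` builds now give `user_t` the ssh client role domains they previously lacked; that is a broadening of the unprivileged user role and deserves a comment next to the new call, e.g. `# ssh client role is enabled for user_t on all distros`. The `ifndef(distro_redhat)` block starts outside the hunk.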
@@ -17443,14 +17815,26 @@ index 9e39aa5..7ba3b11 100644 /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) -@@ -24,7 +24,6 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u +@@ -24,13 +24,12 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) - /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) +-/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +-/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +-/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) +-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) +-/usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +-/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) ++/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) ++/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) ++/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) ++/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) ++/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) ++/usr/lib/lighttpd(/.*)? 
gen_context(system_u:object_r:httpd_modules_t,s0) + + /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -43,8 +42,9 @@ ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -19073,7 +19457,7 @@ index 1ea99b2..49e6c74 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..6ddb10d 100644 +index 1c8c27e..a960ba0 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) @@ -19110,7 +19494,16 @@ index 1c8c27e..6ddb10d 100644 dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) -@@ -127,9 +131,6 @@ logging_send_audit_msgs(apmd_t) +@@ -114,6 +118,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? + files_dontaudit_getattr_all_pipes(apmd_t) # Excessive? + files_dontaudit_getattr_all_sockets(apmd_t) # Excessive? + ++auth_use_nsswitch(apmd_t) ++ + init_domtrans_script(apmd_t) + init_rw_utmp(apmd_t) + init_telinit(apmd_t) +@@ -127,9 +133,6 @@ logging_send_audit_msgs(apmd_t) miscfiles_read_localization(apmd_t) miscfiles_read_hwdata(apmd_t) @@ -19120,7 +19513,7 @@ index 1c8c27e..6ddb10d 100644 seutil_dontaudit_read_config(apmd_t) userdom_dontaudit_use_unpriv_user_fds(apmd_t) -@@ -142,9 +143,8 @@ ifdef(`distro_redhat',` +@@ -142,9 +145,8 @@ ifdef(`distro_redhat',` can_exec(apmd_t, apmd_var_run_t) @@ -19131,7 +19524,7 @@ index 1c8c27e..6ddb10d 100644 ') optional_policy(` -@@ -155,6 +155,15 @@ ifdef(`distro_redhat',` +@@ -155,6 +157,15 @@ ifdef(`distro_redhat',` netutils_domtrans(apmd_t) ') 
@@ -19147,7 +19540,7 @@ index 1c8c27e..6ddb10d 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) -@@ -205,6 +214,11 @@ optional_policy(` +@@ -205,6 +216,11 @@ optional_policy(` ') optional_policy(` @@ -19159,7 +19552,7 @@ index 1c8c27e..6ddb10d 100644 pcmcia_domtrans_cardmgr(apmd_t) pcmcia_domtrans_cardctl(apmd_t) ') -@@ -218,9 +232,9 @@ optional_policy(` +@@ -218,9 +234,9 @@ optional_policy(` udev_read_state(apmd_t) #necessary? ') @@ -19214,9 +19607,18 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..51cb893 100644 +index b3b0176..e343da3 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te +@@ -39,7 +39,7 @@ files_pid_file(asterisk_var_run_t) + # + + # dac_override for /var/run/asterisk +-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin }; ++allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; + dontaudit asterisk_t self:capability sys_tty_config; + allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; + allow asterisk_t self:fifo_file rw_fifo_file_perms; @@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) 
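Review bot: The `chown` capability added in `allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };` has no justification, and the existing comment above it (`# dac_override for /var/run/asterisk`) documents only dac_override; CAP_CHOWN lets the daemon give away ownership of any file it can already write, so the trigger should be recorded next to the rule. Extend the comment to `# dac_override and chown for /var/run/asterisk (asterisk re-owns its pid/socket files at startup) — confirm against the AVC` or cite the denial that motivated it. If the ownership change is only on files asterisk creates itself, having the init script pre-create /var/run/asterisk with the right owner would let the capability be dropped again.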
@@ -19239,6 +19641,25 @@ index b3b0176..51cb893 100644 corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) +@@ -125,6 +128,7 @@ files_search_spool(asterisk_t) + # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm + # are labeled usr_t + files_read_usr_files(asterisk_t) ++files_dontaudit_search_home(asterisk_t) + + fs_getattr_all_fs(asterisk_t) + fs_list_inotifyfs(asterisk_t) +@@ -141,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) + userdom_dontaudit_search_user_home_dirs(asterisk_t) + + optional_policy(` ++ alsa_read_rw_config(asterisk_t) ++') ++ ++optional_policy(` + mysql_stream_connect(asterisk_t) + ') + diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if index d80a16b..a43e006 100644 --- a/policy/modules/services/automount.if @@ -19591,7 +20012,7 @@ index f4e7ad3..68aebc4 100644 corenet_tcp_connect_jabber_client_port(bitlbee_t) corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if -index 3e45431..fa57a6f 100644 +index 3e45431..4aa8fb1 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -14,6 +14,7 @@ @@ -19629,7 +20050,7 @@ index 3e45431..fa57a6f 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -22023,10 +22444,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..36d4c6d +index 0000000..694e975 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,76 @@ +@@ -0,0 +1,77 @@ +policy_module(colord,1.0.0) + +######################################## 
@@ -22051,6 +22472,7 @@ index 0000000..36d4c6d
 +allow colord_t self:fifo_file rw_fifo_file_perms;
 +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow colord_t self:udp_socket create_socket_perms;
++allow colord_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 +manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -22398,6 +22820,35 @@ index 7d2cf85..92b621a 100644 ') optional_policy(` +diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc +index f1bf79a..7be46b4 100644 +--- a/policy/modules/services/courier.fc ++++ b/policy/modules/services/courier.fc +@@ -6,15 +6,15 @@ + /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) + /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) + +-/usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) +-/usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) +-/usr/lib(64)?/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib(64)?/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib(64)?/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) +-/usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +-/usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) ++/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) ++/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) ++/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) ++/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) ++/usr/lib/courier/rootcerts(/.*)? 
gen_context(system_u:object_r:courier_etc_t,s0) ++/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) + + /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) + diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if index 9971337..f081899 100644 --- a/policy/modules/services/courier.if @@ -22804,7 +23255,7 @@ index 35241ed..b6c4cc9 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..220ba1b 100644 +index f7583ab..254e671 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -22933,7 +23384,7 @@ index f7583ab..220ba1b 100644 # need auth_chkpwd to check for locked accounts. auth_domtrans_chk_passwd(crond_t) -+auth_read_var_auth(crond_t) ++auth_manage_var_auth(crond_t) corecmd_exec_shell(crond_t) corecmd_list_bin(crond_t) @@ -23210,10 +23661,22 @@ index f7583ab..220ba1b 100644 ') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc -index 1b492ed..76480c2 100644 +index 1b492ed..c79454d 100644 --- a/policy/modules/services/cups.fc 
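Review bot: `auth_manage_var_auth(crond_t)` widens crond from reading to creating, writing and deleting var_auth_t content (presumably faillock/tally counters and similar), and the only comment in the hunk (`# need auth_chkpwd to check for locked accounts.`) explains the chkpwd transition above it, not this rule. If auth.if offers a read/write-only variant, prefer it; otherwise add a why-comment naming the PAM module that needs it, e.g. `# pam_faillock/pam_tally2 in crond's PAM stack update var_auth_t counters (create/unlink) on failed auth`. It is also worth stating why crond_t needs this directly when the password check itself is delegated through `auth_domtrans_chk_passwd(crond_t)` on the line above.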
+++ b/policy/modules/services/cups.fc -@@ -56,6 +56,7 @@ +@@ -28,11 +28,8 @@ + + # keep as separate lines to ensure proper sorting + /usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +-/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) + /usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) +-/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) + /usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) +-/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) + + /usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +@@ -56,6 +53,7 @@ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -23221,7 +23684,7 @@ index 1b492ed..76480c2 100644 /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) -@@ -64,10 +65,16 @@ +@@ -64,10 +62,16 @@ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) @@ -23291,7 +23754,7 @@ index 305ddf4..777091a 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..1c96265 100644 +index 0f28095..cda064a 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) 
@@ -23392,7 +23855,18 @@ index 0f28095..1c96265 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -425,11 +434,10 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -393,6 +402,10 @@ dev_read_sysfs(cupsd_config_t) + dev_read_urand(cupsd_config_t) + dev_read_rand(cupsd_config_t) + dev_rw_generic_usb_dev(cupsd_config_t) ++ifdef(`hide_broken_symptoms', ` ++ dev_rw_generic_chr_files(cupsd_config_t) ++') ++ + + files_search_all_mountpoints(cupsd_config_t) + +@@ -425,11 +438,10 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -23405,7 +23879,7 @@ index 0f28095..1c96265 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +461,10 @@ optional_policy(` +@@ -453,6 +465,10 @@ optional_policy(` ') optional_policy(` @@ -23416,7 +23890,7 @@ index 0f28095..1c96265 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +479,10 @@ optional_policy(` +@@ -467,6 +483,10 @@ optional_policy(` ') optional_policy(` @@ -23427,7 +23901,7 @@ index 0f28095..1c96265 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,13 +603,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +607,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -23447,7 +23921,7 @@ index 0f28095..1c96265 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +626,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +630,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') 
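Review bot: `dev_rw_generic_chr_files(cupsd_config_t)` inside `ifdef(`hide_broken_symptoms', `...')` grants read/write to every character device still carrying the generic device_t label, yet hide_broken_symptoms blocks are meant to silence denials, not add access — wherever that macro is defined at build time (not visible here) this becomes a plain allow on all unlabeled devices. If cupsd_config needs one specific device, give it its own label and a normal `allow`; if the aim is only to quiet AVCs, use the dontaudit counterpart from devices.if instead, if one exists. The added `++` blank line after `')` also leaves two consecutive blank lines before `files_search_all_mountpoints(cupsd_config_t)`.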
@@ -23458,7 +23932,7 @@ index 0f28095..1c96265 100644 ######################################## # # HPLIP local policy -@@ -639,7 +663,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -23467,7 +23941,7 @@ index 0f28095..1c96265 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +709,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -23475,7 +23949,7 @@ index 0f28095..1c96265 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +721,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -23580,6 +24054,17 @@ index 9d44538..7e9057e 100644 ## # interface(`cyphesis_domtrans',` +diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc +index 445d93d..a5bce33 100644 +--- a/policy/modules/services/cyrus.fc ++++ b/policy/modules/services/cyrus.fc +@@ -1,5 +1,5 @@ + /etc/rc\.d/init\.d/cyrus -- gen_context(system_u:object_r:cyrus_initrc_exec_t,s0) + +-/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) ++/usr/lib/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0) + + /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index e182bf4..aab657c 100644 --- a/policy/modules/services/cyrus.te 
@@ -23625,6 +24110,18 @@ index a8b93c0..831ce70 100644 type dante_var_run_t; files_pid_file(dante_var_run_t) +diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc +index 81eba14..d0ab56c 100644 +--- a/policy/modules/services/dbus.fc ++++ b/policy/modules/services/dbus.fc +@@ -3,7 +3,6 @@ + /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) + + /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) + + /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) + /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 0d5711c..85a1dc0 100644 --- a/policy/modules/services/dbus.if @@ -24173,7 +24670,7 @@ index 418a5a0..28d9e41 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..22b862e 100644 +index f706b99..30954ba 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ 
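Review bot: Removing `/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)` leaves the setuid launch helper on 64-bit hosts with no dbusd_exec_t spec unless the policy build or libselinux path substitution maps /lib64 to /lib (the same assumption underlies the many `lib(64)?` → `lib` edits elsewhere in this patch, but the mapping itself is not visible here); a helper that falls back to lib_t would not enter the dbusd domain when activated. Verify with `matchpathcon /lib64/dbus-1/dbus-daemon-launch-helper` on an x86_64 system before merging, and consider a header comment in dbus.fc such as `# /lib64 and /usr/lib64 are aliased to /lib and /usr/lib by file-context path substitution; do not add (64)? variants` so the variants are not re-added by hand.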
@@ -24188,7 +24685,35 @@ index f706b99..22b862e 100644 ## # interface(`devicekit_domtrans',` -@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',` +@@ -81,6 +81,27 @@ interface(`devicekit_dbus_chat_disk',` + + ######################################## + ## ++## Dontaudit Send and receive messages from ++## devicekit disk over dbus. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_dbus_chat_disk',` ++ gen_require(` ++ type devicekit_disk_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 devicekit_disk_t:dbus send_msg; ++ dontaudit devicekit_disk_t $1:dbus send_msg; ++') ++ ++######################################## ++## + ## Send signal devicekit power + ## + ## +@@ -118,6 +139,44 @@ interface(`devicekit_dbus_chat_power',` allow devicekit_power_t $1:dbus send_msg; ') @@ -24233,7 +24758,7 @@ index f706b99..22b862e 100644 ######################################## ## ## Read devicekit PID files. -@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',` +@@ -139,22 +198,52 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -24293,7 +24818,7 @@ index f706b99..22b862e 100644 ## ## ## -@@ -165,21 +233,21 @@ interface(`devicekit_admin',` +@@ -165,21 +254,21 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -24586,7 +25111,7 @@ index d4424ad..2e09383 100644 ') diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc new file mode 100644 -index 0000000..2ce40a0 +index 0000000..051e1e6 --- /dev/null +++ b/policy/modules/services/dirsrv-admin.fc @@ -0,0 +1,11 @@ 
@@ -24598,8 +25123,8 @@ index 0000000..2ce40a0 +/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) +/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) + -+/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) -+/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) ++/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) ++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) + diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if new file mode 100644 @@ -27403,10 +27928,11 @@ index 7382f85..0b39a8b 100644 +git_role_template(git_shell) +gen_user(git_shell_u, user, git_shell_r, s0, s0) diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc -index 462de63..aaa94fc 100644 +index 462de63..5df751b 100644 --- a/policy/modules/services/gnomeclock.fc +++ b/policy/modules/services/gnomeclock.fc -@@ -1,2 +1,5 @@ +@@ -1,2 +1,6 @@ ++ /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) @@ -27442,10 +27968,19 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..9939628 100644 +index 4fde46b..6ee7b93 100644 --- a/policy/modules/services/gnomeclock.te 
+++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,22 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -9,24 +9,31 @@ type gnomeclock_t; + type gnomeclock_exec_t; + dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + ++systemd_systemctl_domain(gnomeclock) ++permissive gnomeclock_systemctl_t; ++ + ######################################## + # + # gnomeclock local policy # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; @@ -27471,7 +28006,7 @@ index 4fde46b..9939628 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +39,28 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +42,50 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -27500,6 +28035,28 @@ index 4fde46b..9939628 100644 policykit_dbus_chat(gnomeclock_t) policykit_domtrans_auth(gnomeclock_t) policykit_read_lib(gnomeclock_t) + policykit_read_reload(gnomeclock_t) + ') ++ ++####################################### ++# ++# gnomeclock systemctl local policy ++# ++ ++files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t) ++files_manage_etc_symlinks(gnomeclock_systemctl_t) ++ ++fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t) ++ ++# needed by systemctl ++init_stream_connect(gnomeclock_systemctl_t) ++init_read_state(gnomeclock_systemctl_t) ++ ++systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t) ++ ++optional_policy(` ++ ntpd_read_unit_file(gnomeclock_systemctl_t) ++') diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if index 7d97298..d6b2959 100644 --- a/policy/modules/services/gpm.if 
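Review bot: `permissive gnomeclock_systemctl_t;` ships the new systemctl helper domain with enforcement switched off, so the rules written for it in the following hunk (`init_stream_connect`, `files_manage_etc_symlinks`, …) only shape the audit log — everything is allowed — and nothing in the hunk marks this as temporary. Add `# TODO: remove once the gnomeclock_systemctl_t rules are complete; permissive is for policy development only` above it and track its removal, because a permissive domain reachable from a dbus-activated mechanism (`dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)` a few lines up) hands anyone who can drive gnomeclock_t into the systemctl transition an effectively unconfined foothold. The gnomeclock local policy block continues beyond this hunk.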
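Review bot: `files_manage_etc_symlinks(gnomeclock_systemctl_t)` lets the helper create, rename and delete any etc_t symlink, which is far broader than enabling one ntpd unit (that only needs the wants links under /etc/systemd/system); a unit-directory interface in systemd.if, if one exists alongside `systemd_dontaudit_read_unit_files`, would be the right scope. At minimum add a why-comment next to the rule, e.g. `# systemctl enable/disable ntpd creates and removes the wants symlinks under /etc/systemd/system`, and give `files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)` a line saying which denial it hides.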
@@ -28130,6 +28687,88 @@ index df48e5e..6985546 100644 gen_require(` type inetd_t; ') +diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc +index 8ca038d..8507ee2 100644 +--- a/policy/modules/services/inn.fc ++++ b/policy/modules/services/inn.fc +@@ -19,45 +19,43 @@ + + /var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0) + +-/usr/lib(64)?/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/innxmit -- 
gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib(64)?/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/buffchan -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/convdate -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/ctlinnd -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/cvtbatch -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/expire -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/expireover -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/fastrm -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/filechan -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/getlist -- gen_context(system_u:object_r:innd_exec_t,s0) 
++/usr/lib/news/bin/grephistory -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/innconfval -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/inndf -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/inndstart -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/innfeed -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/innxbatch -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/innxmit -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/makedbz -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/makehistory -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/newsrequeue -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/nnrpd -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/nntpget -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/ovdb_recover -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/overchan -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/prunehistory -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/shlock -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/shrinkfile -- gen_context(system_u:object_r:innd_exec_t,s0) ++/usr/lib/news/bin/startinnfeed -- gen_context(system_u:object_r:innd_exec_t,s0) + + # cjp: split these to fix an ordering + # problem with a match in corecommands + /usr/lib/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) + /usr/lib/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib64/news/bin/innd -- gen_context(system_u:object_r:innd_exec_t,s0) +-/usr/lib64/news/bin/sm -- gen_context(system_u:object_r:innd_exec_t,s0) + + /var/log/news(/.*)? 
gen_context(system_u:object_r:innd_log_t,s0) + diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if index ebc9e0d..2f3d8dc 100644 --- a/policy/modules/services/inn.if @@ -29070,7 +29709,7 @@ index ca5cfdf..554ad30 100644 auth_use_nsswitch(ktalkd_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc -index c62f23e..335fda1 100644 +index c62f23e..92f3475 100644 --- a/policy/modules/services/ldap.fc +++ b/policy/modules/services/ldap.fc @@ -1,6 +1,8 @@ @@ -29079,7 +29718,7 @@ index c62f23e..335fda1 100644 -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) + -+/etc/rc\.d/init\.d/sldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) 
@@ -29450,6 +30089,31 @@ index 93c14ca..c08de17 100644 fs_list_auto_mountpoints(lpr_t) fs_read_cifs_files(lpr_t) fs_read_cifs_symlinks(lpr_t) +diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc +index 14ad189..b0c5d98 100644 +--- a/policy/modules/services/mailman.fc ++++ b/policy/modules/services/mailman.fc +@@ -1,4 +1,4 @@ +-/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) + + /var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) +@@ -25,10 +25,10 @@ ifdef(`distro_debian', ` + ifdef(`distro_redhat', ` + /etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + +-/usr/lib(64)?/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +-/usr/lib(64)?/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) +-/usr/lib(64)?/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +-/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman/bin/qrunner -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) ++/usr/lib/mailman/cgi-bin/.* -- gen_context(system_u:object_r:mailman_cgi_exec_t,s0) ++/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + + /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + ') diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if index 67c7fdd..84b7626 100644 --- a/policy/modules/services/mailman.if @@ -29526,7 +30190,7 @@ index af4d572..0fd2357 100644 +') 
diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc new file mode 100644 -index 0000000..8d13eb6 +index 0000000..bce824e --- /dev/null +++ b/policy/modules/services/matahari.fc @@ -0,0 +1,15 @@ @@ -29543,16 +30207,43 @@ index 0000000..8d13eb6 +/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0) + +/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0) -+/var/run/matahari.pid gen_context(system_u:object_r:matahari_var_run_t,s0) -+ ++/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) ++/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if new file mode 100644 -index 0000000..8e22c5e +index 0000000..9343f3f --- /dev/null +++ b/policy/modules/services/matahari.if -@@ -0,0 +1,220 @@ +@@ -0,0 +1,247 @@ +## policy for matahari + ++###################################### ++## ++## Creates types and rules for a basic ++## matahari init daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`matahari_domain_template',` ++ gen_require(` ++ attribute matahari_domain; ++ ') ++ ++ ############################## ++ # ++ # Declarations ++ # ++ ++ type matahari_$1_t, matahari_domain; ++ type matahari_$1_exec_t; ++ init_daemon_domain(matahari_$1_t, matahari_$1_exec_t) ++ ++') ++ +######################################## +## +## Search matahari lib directories. @@ -29773,10 +30464,10 @@ index 0000000..8e22c5e +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..dbc94ac +index 0000000..fd4a08b --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,112 @@ +@@ -0,0 +1,83 @@ +policy_module(matahari,1.0.0) + +######################################## 
@@ -29784,17 +30475,11 @@ index 0000000..dbc94ac +# Declarations +# + -+type matahari_hostd_t; -+type matahari_hostd_exec_t; -+init_daemon_domain(matahari_hostd_t, matahari_hostd_exec_t) ++attribute matahari_domain; + -+type matahari_netd_t; -+type matahari_netd_exec_t; -+init_daemon_domain(matahari_netd_t, matahari_netd_exec_t) -+ -+type matahari_serviced_t; -+type matahari_serviced_exec_t; -+init_daemon_domain(matahari_serviced_t, matahari_serviced_exec_t) ++matahari_domain_template(hostd) ++matahari_domain_template(netd) ++matahari_domain_template(serviced) + +type matahari_initrc_exec_t; +init_script_file(matahari_initrc_exec_t) @@ -29809,32 +30494,18 @@ index 0000000..dbc94ac +# +# matahari_hostd local policy +# -+allow matahari_hostd_t self:capability sys_ptrace; -+allow matahari_hostd_t self:process { signal }; + -+allow matahari_hostd_t self:fifo_file rw_fifo_file_perms; -+allow matahari_hostd_t self:unix_stream_socket create_stream_socket_perms; ++allow matahari_hostd_t self:capability sys_ptrace; + +kernel_read_network_state(matahari_hostd_t) -+kernel_read_system_state(matahari_hostd_t) -+ -+corenet_tcp_connect_matahari_port(matahari_hostd_t) ++kernel_read_network_state(matahari_hostd_t) + +dev_read_sysfs(matahari_hostd_t) -+dev_read_urand(matahari_hostd_t) +dev_rw_mtrr(matahari_hostd_t) + +domain_use_interactive_fds(matahari_hostd_t) +domain_read_all_domains_state(matahari_hostd_t) + -+files_read_etc_files(matahari_hostd_t) -+ -+logging_send_syslog_msg(matahari_hostd_t) -+ -+miscfiles_read_localization(matahari_hostd_t) -+ -+sysnet_dns_name_resolve(matahari_hostd_t) -+ +optional_policy(` + dbus_system_bus_client(matahari_hostd_t) +') 
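Review bot: The new side of the matahari_hostd section lists `kernel_read_network_state(matahari_hostd_t)` twice: the `kernel_read_system_state(matahari_hostd_t)` line that was removed (system state is now granted through the `matahari_domain` attribute) was replaced with a second copy instead of being deleted, so the duplicate line should simply go. Separately, `allow matahari_hostd_t self:capability sys_ptrace;` combined with `domain_read_all_domains_state(matahari_hostd_t)` is a broad grant for a host-inventory agent; presumably it is there so the agent can read /proc entries of other domains, and a why-comment such as `# sys_ptrace: needed to read /proc/<pid> of other domains -- confirm against audit log` would make that reviewable. The hunk shows only part of the matahari.te file.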
@@ -29843,52 +30514,43 @@ index 0000000..dbc94ac +# +# matahari_netd local policy +# -+allow matahari_netd_t self:process { signal }; -+ -+allow matahari_netd_t self:fifo_file rw_fifo_file_perms; -+allow matahari_netd_t self:unix_stream_socket create_stream_socket_perms; -+ -+kernel_read_system_state(matahari_netd_t) -+ -+corenet_tcp_connect_matahari_port(matahari_netd_t) -+ -+dev_read_urand(matahari_netd_t) + +domain_use_interactive_fds(matahari_netd_t) + -+files_read_etc_files(matahari_netd_t) -+ -+logging_send_syslog_msg(matahari_netd_t) -+ -+miscfiles_read_localization(matahari_netd_t) -+ -+sysnet_dns_name_resolve(matahari_netd_t) ++optional_policy(` ++ dbus_system_bus_client(matahari_netd_t) ++') + +######################################## +# +# matahari_serviced local policy +# -+allow matahari_serviced_t self:process { signal }; -+ -+allow matahari_serviced_t self:fifo_file rw_fifo_file_perms; -+allow matahari_serviced_t self:unix_stream_socket create_stream_socket_perms; -+ -+kernel_read_system_state(matahari_serviced_t) -+ -+corenet_tcp_connect_matahari_port(matahari_serviced_t) -+ -+dev_read_urand(matahari_serviced_t) + +domain_use_interactive_fds(matahari_serviced_t) + -+files_read_etc_files(matahari_serviced_t) ++####################################### ++# ++# matahari domain local policy ++# + -+logging_send_syslog_msg(matahari_serviced_t) ++allow matahari_domain self:process { signal }; + -+miscfiles_read_localization(matahari_serviced_t) ++allow matahari_domain self:fifo_file rw_fifo_file_perms; ++allow matahari_domain self:unix_stream_socket create_stream_socket_perms; + -+sysnet_dns_name_resolve(matahari_serviced_t) ++kernel_read_system_state(matahari_domain) + ++corenet_tcp_connect_matahari_port(matahari_domain) ++ ++dev_read_urand(matahari_domain) ++ ++files_read_etc_files(matahari_domain) ++ ++logging_send_syslog_msg(matahari_domain) ++ ++miscfiles_read_localization(matahari_domain) ++ ++sysnet_dns_name_resolve(matahari_domain) 
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index db4fd6f..5008a6c 100644 --- a/policy/modules/services/memcached.if @@ -31095,7 +31757,7 @@ index 0000000..0b9257a + xserver_dontaudit_read_xdm_pid(mpd_t) +') diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc -index 256166a..15daf47 100644 +index 256166a..df99841 100644 --- a/policy/modules/services/mta.fc +++ b/policy/modules/services/mta.fc @@ -1,4 +1,5 @@ @@ -31105,7 +31767,7 @@ index 256166a..15daf47 100644 /bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -@@ -11,6 +12,9 @@ ifdef(`distro_redhat',` +@@ -11,9 +12,12 @@ ifdef(`distro_redhat',` /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') @@ -31114,7 +31776,11 @@ index 256166a..15daf47 100644 + /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) ++/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + + /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 343cee3..3d7edf0 100644 --- a/policy/modules/services/mta.if 
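Review bot: The shared `matahari_domain` block factors out the per-daemon duplicates but leaves `domain_use_interactive_fds(...)` repeated once per daemon on the new side (hostd in the previous hunk, netd and serviced here), so that call could move into the attribute block next to `kernel_read_system_state(matahari_domain)` and the three per-daemon sections would shrink to their real differences (the dbus client rules and hostd's capability). Style: `allow matahari_domain self:process { signal };` keeps braces around a single permission, which refpolicy usually writes as `allow matahari_domain self:process signal;`. Because these rules hang off an attribute, any future `matahari_domain_template()` instance inherits the matahari-port connect, syslog and DNS rules automatically; a one-line comment above the block saying so would help whoever adds the next agent.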
@@ -32135,6 +32801,147 @@ index 0a0d63c..91de41a 100644 ######################################## # # MySQL Manager Policy +diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc +index 1fc9905..c9ae263 100644 +--- a/policy/modules/services/nagios.fc ++++ b/policy/modules/services/nagios.fc +@@ -6,8 +6,8 @@ + /usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) + /usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) + +-/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +-/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + + /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) + /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +@@ -19,70 +19,70 @@ + ifdef(`distro_debian',` + /usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) + ') +-/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +-/usr/lib(64)?/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi-bin(/.*)? 
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) + + # admin plugins +-/usr/lib(64)?/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) + + # check disk plugins +-/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) + + # mail plugins +-/usr/lib(64)?/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) + + # system plugins +-/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ifstatus -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) 
++/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) + + # services plugins +-/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_http -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_smtp -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ntp.* -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) + + # unconfined plugins +-/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) ++/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if index 8581040..2367841 100644 --- a/policy/modules/services/nagios.if 
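Review bot: On the new side the `# system plugins` group still labels `/usr/lib/nagios/plugins/check_breeze` and `/usr/lib/nagios/plugins/check_dummy` as `nagios_services_plugin_exec_t`, so either those two lines belong under `# services plugins` or the comment is misleading; since this hunk rewrites every one of these lines anyway, it is the moment to move them. Also, a `/usr/lib64/nagios/plugins` installation (the usual layout for arch-specific plugins on x86_64) only keeps these labels, including the `nagios_unconfined_plugin_exec_t` one for check_by_ssh, if a lib64-to-lib path substitution is configured, which is not visible in this patch.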
@@ -32364,6 +33171,19 @@ index bf64a4c..8a9789c 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) +diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc +index 74da57f..b94bb3b 100644 +--- a/policy/modules/services/nessus.fc ++++ b/policy/modules/services/nessus.fc +@@ -1,7 +1,7 @@ + + /etc/nessus/nessusd\.conf -- gen_context(system_u:object_r:nessusd_etc_t,s0) + +-/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0) ++/usr/lib/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0) + + /usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0) + diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc index 386543b..1b34e21 100644 --- a/policy/modules/services/networkmanager.fc @@ -32652,7 +33472,7 @@ index 0619395..6000a3f 100644 ######################################## diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc -index 15448d5..0c97dab 100644 +index 15448d5..181300b 100644 --- a/policy/modules/services/nis.fc +++ b/policy/modules/services/nis.fc @@ -1,5 +1,5 @@ @@ -32662,7 +33482,11 @@ index 15448d5..0c97dab 100644 /etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) -@@ -11,6 +11,7 @@ +@@ -7,10 +7,10 @@ + /sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + + /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) +-/usr/lib64/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) 
@@ -33021,11 +33845,50 @@ index ded9fb6..9d1e60a 100644 manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t) files_pid_filetrans(ntop_t, ntop_var_run_t, file) +diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc +index e79dccc..50202ef 100644 +--- a/policy/modules/services/ntp.fc ++++ b/policy/modules/services/ntp.fc +@@ -10,6 +10,8 @@ + + /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) + ++/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) ++ + /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) + /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..694b002 100644 +index e80f8c0..be0d107 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if -@@ -140,11 +140,10 @@ interface(`ntp_rw_shm',` +@@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',` + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) + ') + ++##################################### ++## ++## Allow domain to read ntpd systemd unit files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntpd_read_unit_file',` ++ gen_require(` ++ type ntpd_unit_file_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 ntpd_unit_file_t:file read_file_perms; ++') ++ + ######################################## + ## + ## Read and write ntpd shared memory. +@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -33040,10 +33903,20 @@ index e80f8c0..694b002 100644 init_labeled_script_domtrans($1, ntpd_initrc_exec_t) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te -index c61adc8..b5b5992 100644 +index c61adc8..11909b0 100644 --- a/policy/modules/services/ntp.te 
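Review bot: `ntpd_read_unit_file` calls `files_search_var_lib($1)`, but the file it grants read on is labeled at `/lib/systemd/system/ntpd\.service` in the same hunk, so the var_lib search permission looks copied from a var_lib interface and does not give the caller search on the directory the unit actually lives in; the stray `files_search_var_lib($1)` should go and be replaced by whatever search permission the systemd module provides for the unit directory. The name also breaks the module's `ntp_*` prefix used by `ntp_initrc_domtrans`, `ntp_rw_shm` and `ntp_admin`; `ntp_read_unit_file` would be consistent. The commit says this is to let a caller enable the service via systemctl, and read access on the unit file alone is unlikely to cover that, so the result is worth checking against the audit log.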
+++ b/policy/modules/services/ntp.te -@@ -96,9 +96,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) +@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t) + type ntpd_initrc_exec_t; + init_script_file(ntpd_initrc_exec_t) + ++type ntpd_unit_file_t; ++systemd_unit_file(ntpd_unit_file_t) ++ + type ntpd_key_t; + files_type(ntpd_key_t) + +@@ -96,9 +99,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t) dev_read_sysfs(ntpd_t) # for SSP dev_read_urand(ntpd_t) @@ -33169,11 +34042,12 @@ index b4c5f86..0f1549d 100644 optional_policy(` cron_system_entry(oav_update_t, oav_update_exec_t) diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc -index bdf8c89..5ee1598 100644 +index bdf8c89..0132b08 100644 --- a/policy/modules/services/oddjob.fc +++ b/policy/modules/services/oddjob.fc @@ -1,4 +1,5 @@ - /usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +-/usr/lib(64)?/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) @@ -33598,18 +34472,18 @@ index b246bdd..07baada 100644 files_search_spool(pads_t) diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc new file mode 100644 -index 0000000..fbd07f6 +index 0000000..498c07f --- /dev/null +++ b/policy/modules/services/passenger.fc 
@@ -0,0 +1,16 @@ + -+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) + -+/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) + -+/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) + -+/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) ++/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) + + +/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0) @@ -34728,7 +35602,7 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index 06e217d..179e320 100644 +index 06e217d..dc27c14 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te @@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1) 
@@ -34760,12 +35634,13 @@ index 06e217d..179e320 100644 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -60,10 +68,22 @@ domain_use_interactive_fds(plymouthd_t) +@@ -60,10 +68,23 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) +term_use_unallocated_ttys(plymouthd_t) + ++logging_link_generic_logs(plymouthd_t) +logging_delete_generic_logs(plymouthd_t) + miscfiles_read_localization(plymouthd_t) @@ -34783,7 +35658,7 @@ index 06e217d..179e320 100644 ######################################## # # Plymouth private policy -@@ -74,6 +94,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +95,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -34791,7 +35666,7 @@ index 06e217d..179e320 100644 domain_use_interactive_fds(plymouth_t) -@@ -87,7 +108,7 @@ sysnet_read_config(plymouth_t) +@@ -87,7 +109,7 @@ sysnet_read_config(plymouth_t) plymouthd_stream_connect(plymouth_t) 
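Review bot: `logging_link_generic_logs(plymouthd_t)` stacked on the existing `logging_delete_generic_logs(plymouthd_t)` presumably lets the splash daemon link and unlink any generic log file, not only its own boot log, which is wider than a boot-time splash needs. If the denial being fixed is plymouthd rotating its own log, a dedicated log type with a filetrans would confine that; at minimum a comment such as `# link+unlink on generic logs: plymouthd rotates its boot log -- confirm against audit log` should record why the generic-log permissions are there. The enclosing plymouthd_t section continues outside the hunk.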
@@ -35891,6 +36766,23 @@ index 7257526..7d73656 100644 manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) +diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc +index f03fad4..1865d8f 100644 +--- a/policy/modules/services/postgresql.fc ++++ b/policy/modules/services/postgresql.fc +@@ -11,9 +11,9 @@ + /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) + /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) + +-/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) +-/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) +-/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) ++/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) ++/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) + + ifdef(`distro_debian', ` + /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 09aeffa..dd70b14 100644 --- a/policy/modules/services/postgresql.if @@ -39128,10 +40020,10 @@ index 33e72e8..b71d193 100644 ') diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc -index 2785337..c3c2775 100644 +index 2785337..d7f6b82 100644 --- a/policy/modules/services/rlogin.fc +++ b/policy/modules/services/rlogin.fc -@@ -1,4 +1,7 @@ +@@ -1,7 +1,10 @@ HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) 
@@ -39139,6 +40031,10 @@ index 2785337..c3c2775 100644 /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) +-/usr/lib(64)?/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) ++/usr/lib/telnetlogin -- gen_context(system_u:object_r:rlogind_exec_t,s0) + + /usr/sbin/in\.rlogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if index 63e78c6..ffa4f37 100644 --- a/policy/modules/services/rlogin.if @@ -40681,7 +41577,7 @@ index bcdd16c..7c379a8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..610a762 100644 +index 086cd5f..79347e7 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) @@ -40716,7 +41612,24 @@ index 086cd5f..610a762 100644 corenet_all_recvfrom_unlabeled(setroubleshootd_t) corenet_all_recvfrom_netlabel(setroubleshootd_t) -@@ -112,8 +118,6 @@ logging_send_audit_msgs(setroubleshootd_t) +@@ -85,6 +91,7 @@ files_getattr_all_files(setroubleshootd_t) + files_getattr_all_pipes(setroubleshootd_t) + files_getattr_all_sockets(setroubleshootd_t) + files_read_all_symlinks(setroubleshootd_t) ++files_read_mnt_files(setroubleshootd_t) + + fs_getattr_all_dirs(setroubleshootd_t) + fs_getattr_all_files(setroubleshootd_t) +@@ -104,6 +111,8 @@ auth_use_nsswitch(setroubleshootd_t) + init_read_utmp(setroubleshootd_t) + init_dontaudit_write_utmp(setroubleshootd_t) + ++libs_exec_ld_so(setroubleshootd_t) ++ + miscfiles_read_localization(setroubleshootd_t) + + locallogin_dontaudit_use_fds(setroubleshootd_t) +@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) 
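Review bot: `libs_exec_ld_so(setroubleshootd_t)` and `files_read_mnt_files(setroubleshootd_t)` are added without a comment saying which denial they fix; executing the dynamic loader directly is a well-known way to run a binary regardless of its exec label, so a reviewer will want the reason recorded, e.g. `# libs_exec_ld_so: <denial this fixes, from the audit log>`. Reading /mnt content is also unusual for an analysis daemon that already has `files_getattr_all_files` and `files_read_all_symlinks` (visible as context in this hunk); if it only needs to stat mounted paths while explaining a denial, the getattr rules already cover that and the read grant can be dropped. The setroubleshootd_t section continues outside the hunk.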
@@ -40725,7 +41638,7 @@ index 086cd5f..610a762 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,6 +125,18 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,6 +128,18 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -40744,7 +41657,7 @@ index 086cd5f..610a762 100644 dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -152,6 +168,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -152,6 +171,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) seutil_domtrans_setfiles(setroubleshoot_fixit_t) @@ -40752,7 +41665,7 @@ index 086cd5f..610a762 100644 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +181,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +184,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -41670,6 +42583,18 @@ index ec1eb1e..7e51d2b 100644 ') optional_policy(` +diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc +index 6cc4a90..2015152 100644 +--- a/policy/modules/services/squid.fc ++++ b/policy/modules/services/squid.fc +@@ -2,7 +2,6 @@ + /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) + + /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +-/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) + /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) + /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) + diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if index d2496bd..1d0c078 100644 --- a/policy/modules/services/squid.if @@ -42120,7 +43045,7 @@ index 22adaca..68ad7a7 100644 + allow $1 sshd_t:process signull; +') 
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..efa5535 100644 +index 2dad3c8..c71bdb9 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -42244,16 +43169,18 @@ index 2dad3c8..efa5535 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,6 +144,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -138,7 +144,10 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) +corenet_tcp_bind_generic_node(ssh_t) +corenet_tcp_bind_all_unreserved_ports(ssh_t) ++dev_read_rand(ssh_t) dev_read_urand(ssh_t) -@@ -162,21 +170,28 @@ logging_read_generic_logs(ssh_t) + fs_getattr_all_fs(ssh_t) +@@ -162,21 +171,28 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -42288,7 +43215,7 @@ index 2dad3c8..efa5535 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -196,10 +211,15 @@ tunable_policy(`user_tcp_server',` +@@ -196,10 +212,15 @@ tunable_policy(`user_tcp_server',` ') optional_policy(` @@ -42304,16 +43231,18 @@ index 2dad3c8..efa5535 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +229,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,8 +230,9 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; - allow ssh_keysign_t sshd_key_t:file { getattr read }; + allow ssh_keysign_t sshd_key_t:file read_file_perms; ++ dev_read_rand(ssh_keysign_t) dev_read_urand(ssh_keysign_t) -@@ -232,33 +252,42 @@ optional_policy(` + files_read_etc_files(ssh_keysign_t) +@@ -232,33 +254,43 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; 
@@ -42358,6 +43287,7 @@ index 2dad3c8..efa5535 100644 -',` - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) ++ userdom_spec_domtrans_all_users(sshd_t) +') + +optional_policy(` @@ -42365,7 +43295,7 @@ index 2dad3c8..efa5535 100644 ') optional_policy(` -@@ -266,11 +295,24 @@ optional_policy(` +@@ -266,11 +298,24 @@ optional_policy(` ') optional_policy(` @@ -42391,7 +43321,7 @@ index 2dad3c8..efa5535 100644 ') optional_policy(` -@@ -284,6 +326,11 @@ optional_policy(` +@@ -284,6 +329,11 @@ optional_policy(` ') optional_policy(` @@ -42403,7 +43333,7 @@ index 2dad3c8..efa5535 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +339,26 @@ optional_policy(` +@@ -292,26 +342,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -42449,7 +43379,7 @@ index 2dad3c8..efa5535 100644 ') dnl endif TODO ######################################## -@@ -322,19 +369,25 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +372,25 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -42476,8 +43406,11 @@ index 2dad3c8..efa5535 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -353,7 +406,7 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -351,9 +407,10 @@ auth_use_nsswitch(ssh_keygen_t) + logging_send_syslog_msg(ssh_keygen_t) + userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) ++userdom_use_user_terminals(ssh_keygen_t) optional_policy(` - nscd_socket_use(ssh_keygen_t) 
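Review bot: `userdom_spec_domtrans_all_users(sshd_t)` grants sshd a transition into every user domain, `sysadm_t` included, and the block enclosing it opens outside this hunk, so the diff does not show whether it sits under `tunable_policy(`ssh_sysadm_login',` as the commit message implies or applies unconditionally. The `-` context shows the former else branch (`userdom_spec_domtrans_unpriv_users`/`userdom_signal_unpriv_users`) being removed, so the default case is not visible here either. Please confirm the enclosing tunable and mark the line, e.g. `# ssh_sysadm_login only: sshd may enter sysadm_t and every other user domain`, so the privilege boundary stays obvious; if a matching signal permission for those domains was dropped with the else branch, check that sshd can still signal the sessions it spawns.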
@@ -42701,6 +43634,21 @@ index f646c66..5370bb8 100644 ') + allow stunnel_t stunnel_port_t:tcp_socket name_bind; +diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc +index 08d999c..bca4388 100644 +--- a/policy/modules/services/sysstat.fc ++++ b/policy/modules/services/sysstat.fc +@@ -1,7 +1,7 @@ + +-/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) +-/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) +-/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) ++/usr/lib/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) ++/usr/lib/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) ++/usr/lib/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0) + + /var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) + /var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0) diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te index 52f0d6c..6bfbf45 100644 --- a/policy/modules/services/sysstat.te @@ -43244,7 +44192,7 @@ index a0794bf..37c056b 100644 ') + diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc -index 831b4a3..a206464 100644 +index 831b4a3..8590730 100644 --- a/policy/modules/services/ulogd.fc +++ b/policy/modules/services/ulogd.fc @@ -1,7 +1,7 @@ @@ -43252,7 +44200,7 @@ index 831b4a3..a206464 100644 /etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) -/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) -+/usr/lib(64)?/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) ++/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) /usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) /var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) @@ -44906,7 +45854,7 @@ index aa6e5a8..42a0efb 100644 ######################################## ## 
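Review bot: The rewritten ulogd.fc hunk now removes `/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)` and adds the byte-identical line straight back, so the inner patch no longer changes anything there; with an inner header of `@@ -1,7 +1,7 @@` this looks like the only change to that file, and the whole ulogd.fc section should be dropped from policy-F16.patch rather than kept as a no-op that still has to apply cleanly. Keeping no-op hunks only adds merge friction when upstream touches the same lines. The sysstat.fc hunk earlier on this line shows the intended shape of the lib64 removal.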
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 6f1e3c7..ecfe665 100644 +index 6f1e3c7..62b0b98 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,23 @@ @@ -44954,7 +45902,7 @@ index 6f1e3c7..ecfe665 100644 # # /opt # -@@ -47,21 +54,23 @@ ifdef(`distro_redhat',` +@@ -47,28 +54,30 @@ ifdef(`distro_redhat',` # /tmp # @@ -44983,6 +45931,14 @@ index 6f1e3c7..ecfe665 100644 /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` + /usr/sbin/gdm -- gen_context(system_u:object_r:xdm_exec_t,s0) + ') + +-/usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + + /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) + @@ -89,17 +98,44 @@ ifdef(`distro_debian', ` /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -48716,10 +49672,17 @@ index 882c6a2..d0ff4ec 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 354ce93..f97fbb7 100644 +index 354ce93..4955c6b 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', ` +@@ -27,12 +27,25 @@ ifdef(`distro_gentoo',` + ifdef(`distro_gentoo', ` + /lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) + /lib32/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) +-/lib64/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) ++/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) + ') + # # /sbin # @@ -49459,7 +50422,7 @@ index cc83689..3388f34 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..b4fdd42 100644 +index ea29513..9740a9f 100644 --- a/policy/modules/system/init.te 
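Review bot: In the init.fc gentoo block, the replacement line `+/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)` duplicates the `/lib/rc/init\.d(/.*)?` entry two lines above it, so the file now carries the same specification twice. Removing the `/lib64/rc/init\.d(/.*)?` line is all that is needed here; the added line should be deleted rather than rewritten.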
+++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -49625,7 +50588,7 @@ index ea29513..b4fdd42 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +236,113 @@ tunable_policy(`init_upstart',` +@@ -186,12 +236,119 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -49677,12 +50640,15 @@ index ea29513..b4fdd42 100644 + files_relabel_all_pid_files(init_t) + files_unlink_all_pid_sockets(init_t) + files_manage_urandom_seed(init_t) ++ files_list_locks(init_t) + files_create_lock_dirs(init_t) ++ files_relabel_all_lock_dirs(init_t) + + fs_manage_cgroup_dirs(init_t) + fs_manage_hugetlbfs_dirs(init_t) + fs_manage_tmpfs_dirs(init_t) + fs_relabel_tmpfs_dirs(init_t) ++ fs_relabel_tmpfs_files(init_t) + fs_mount_all_fs(init_t) + fs_remount_autofs(init_t) + fs_list_auto_mountpoints(init_t) @@ -49706,6 +50672,9 @@ index ea29513..b4fdd42 100644 + + seutil_read_file_contexts(init_t) + ++ systemd_exec_systemctl(init_t) ++ systemd_read_unit_files(init_t) ++ + # needs to remain + logging_create_devlog_dev(init_t) + @@ -49739,7 +50708,7 @@ index ea29513..b4fdd42 100644 ') optional_policy(` -@@ -199,10 +350,25 @@ optional_policy(` +@@ -199,10 +356,25 @@ optional_policy(` ') optional_policy(` @@ -49765,7 +50734,7 @@ index ea29513..b4fdd42 100644 unconfined_domain(init_t) ') -@@ -212,7 +378,7 @@ optional_policy(` +@@ -212,7 +384,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
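Review bot: `files_relabel_all_lock_dirs(init_t)` and `fs_relabel_tmpfs_files(init_t)` give init relabel rights over every lock-directory type and every tmpfs file type, a much wider grant than the `files_list_locks`/`files_create_lock_dirs` calls beside them, and the hunk carries no comment on why PID 1 needs to change those labels. If this is for systemd restoring contexts under the lock and tmpfs mounts at boot, say so on the line, e.g. `# TODO(review): why must init_t relabel lock dirs and tmpfs files? (systemd restorecon at boot?)`, so the grant is not widened further without thought. The `systemd_exec_systemctl(init_t)`/`systemd_read_unit_files(init_t)` pair a few lines down is in the same hunk, but the block they sit in opens and closes outside it, so I cannot tell from here whether those calls are already under the systemd conditional.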
@@ -49774,7 +50743,7 @@ index ea29513..b4fdd42 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +407,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +413,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -49790,7 +50759,7 @@ index ea29513..b4fdd42 100644 init_write_initctl(initrc_t) -@@ -258,20 +427,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +433,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -49827,7 +50796,7 @@ index ea29513..b4fdd42 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +460,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +466,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -49835,7 +50804,7 @@ index ea29513..b4fdd42 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +473,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +479,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -49843,7 +50812,7 @@ index ea29513..b4fdd42 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +481,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +487,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -49859,7 +50828,7 @@ index ea29513..b4fdd42 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +499,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +505,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -49867,7 +50836,7 @@ index ea29513..b4fdd42 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +507,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +513,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -49879,7 +50848,7 @@ index ea29513..b4fdd42 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +526,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +532,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -49893,7 +50862,7 @@ index ea29513..b4fdd42 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +541,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +547,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -49902,7 +50871,7 @@ index ea29513..b4fdd42 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +555,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +561,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -49910,7 +50879,7 @@ index ea29513..b4fdd42 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +567,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +573,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -49918,7 +50887,7 @@ index ea29513..b4fdd42 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +588,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +594,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -49940,7 +50909,18 @@ index ea29513..b4fdd42 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -478,7 +671,7 @@ ifdef(`distro_redhat',` +@@ -458,6 +657,10 @@ ifdef(`distro_gentoo',` + sysnet_setattr_config(initrc_t) + + optional_policy(` ++ abrt_manage_pid_files(initrc_t) ++ ') ++ ++ optional_policy(` + alsa_read_lib(initrc_t) + ') + +@@ -478,7 +681,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -49949,7 +50929,7 @@ index ea29513..b4fdd42 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +686,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +696,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -49957,7 +50937,7 @@ index ea29513..b4fdd42 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -524,6 +718,23 @@ ifdef(`distro_redhat',` +@@ -524,6 +728,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -49981,7 +50961,7 @@ index ea29513..b4fdd42 100644 ') optional_policy(` -@@ -531,10 +742,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +752,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -49999,7 +50979,7 @@ index ea29513..b4fdd42 100644 ') optional_policy(` -@@ -549,6 +767,39 @@ ifdef(`distro_suse',` +@@ -549,6 +777,39 @@ ifdef(`distro_suse',` ') ') @@ -50039,7 +51019,7 @@ index ea29513..b4fdd42 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +812,8 @@ optional_policy(` +@@ -561,6 +822,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -50048,7 +51028,7 @@ index ea29513..b4fdd42 100644 ') optional_policy(` -@@ -577,6 +830,7 @@ optional_policy(` +@@ -577,6 +840,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -50056,7 +51036,7 @@ index ea29513..b4fdd42 100644 ') optional_policy(` -@@ -589,6 +843,11 @@ optional_policy(` +@@ -589,6 +853,11 @@ optional_policy(` ') optional_policy(` @@ -50068,7 +51048,7 @@ index ea29513..b4fdd42 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +864,13 @@ optional_policy(` +@@ -605,9 +874,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -50082,7 +51062,7 @@ index ea29513..b4fdd42 100644 ') optional_policy(` -@@ -649,6 +912,11 @@ optional_policy(` +@@ -649,6 +922,11 @@ optional_policy(` ') optional_policy(` @@ -50094,7 +51074,7 @@ index ea29513..b4fdd42 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +974,13 @@ optional_policy(` +@@ -706,7 +984,13 @@ optional_policy(` ') optional_policy(` @@ -50108,7 +51088,7 @@ index ea29513..b4fdd42 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1003,10 @@ optional_policy(` +@@ -729,6 +1013,10 @@ optional_policy(` ') optional_policy(` @@ -50119,7 +51099,7 @@ index ea29513..b4fdd42 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1016,20 @@ optional_policy(` +@@ -738,10 +1026,20 @@ optional_policy(` ') optional_policy(` 
@@ -50140,7 +51120,7 @@ index ea29513..b4fdd42 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1038,10 @@ optional_policy(` +@@ -750,6 +1048,10 @@ optional_policy(` ') optional_policy(` @@ -50151,7 +51131,7 @@ index ea29513..b4fdd42 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1063,6 @@ optional_policy(` +@@ -771,8 +1073,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -50160,7 +51140,7 @@ index ea29513..b4fdd42 100644 ') optional_policy(` -@@ -781,14 +1071,21 @@ optional_policy(` +@@ -781,14 +1081,21 @@ optional_policy(` ') optional_policy(` @@ -50182,7 +51162,7 @@ index ea29513..b4fdd42 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1097,6 @@ optional_policy(` +@@ -800,7 +1107,6 @@ optional_policy(` ') optional_policy(` @@ -50190,7 +51170,7 @@ index ea29513..b4fdd42 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1106,19 @@ optional_policy(` +@@ -810,11 +1116,19 @@ optional_policy(` ') optional_policy(` @@ -50211,7 +51191,7 @@ index ea29513..b4fdd42 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1128,25 @@ optional_policy(` +@@ -824,6 +1138,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -50237,7 +51217,7 @@ index ea29513..b4fdd42 100644 ') optional_policy(` -@@ -849,3 +1172,42 @@ optional_policy(` +@@ -849,3 +1182,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -50281,18 +51261,44 @@ index ea29513..b4fdd42 100644 +init_stream_connect(initrc_t) + diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 07eba2b..942bea1 100644 +index 07eba2b..a75297a 100644 --- a/policy/modules/system/ipsec.fc 
+++ b/policy/modules/system/ipsec.fc -@@ -25,6 +25,7 @@ +@@ -12,12 +12,12 @@ + + /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) + +-/usr/lib(64)?/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +-/usr/lib(64)?/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +-/usr/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) +-/usr/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) +-/usr/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) +-/usr/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/lib/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/lib/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) + + /usr/libexec/ipsec/_plutoload -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + /usr/libexec/ipsec/_plutorun -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +@@ -25,16 +25,19 @@ /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - /usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) - /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) -@@ -35,6 +36,8 @@ +-/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) +-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) 
+-/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) +-/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/local/lib/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/local/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/local/lib/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/local/lib/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) + + /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) @@ -50809,7 +51815,7 @@ index 663a47b..ad0b864 100644 + allow $1 iscsid_t:sem create_sem_perms; +') diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te -index 1d1c399..67d0dec 100644 +index 1d1c399..b8f623a 100644 --- a/policy/modules/system/iscsi.te +++ b/policy/modules/system/iscsi.te @@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t) @@ -50820,7 +51826,18 @@ index 1d1c399..67d0dec 100644 allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -64,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) +@@ -44,8 +45,9 @@ allow iscsid_t self:tcp_socket create_stream_socket_perms; + + can_exec(iscsid_t, iscsid_exec_t) + ++manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) + manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) +-files_lock_filetrans(iscsid_t, iscsi_lock_t, file) ++files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file }) + + manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) + logging_log_filetrans(iscsid_t, iscsi_log_t, file) +@@ -64,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) 
@@ -50828,7 +51845,7 @@ index 1d1c399..67d0dec 100644 corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) -@@ -76,6 +78,8 @@ corenet_tcp_connect_isns_port(iscsid_t) +@@ -76,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) dev_rw_userio_dev(iscsid_t) @@ -50837,7 +51854,7 @@ index 1d1c399..67d0dec 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) -@@ -91,5 +95,5 @@ logging_send_syslog_msg(iscsid_t) +@@ -91,5 +96,5 @@ logging_send_syslog_msg(iscsid_t) miscfiles_read_localization(iscsid_t) optional_policy(` @@ -50845,18 +51862,36 @@ index 1d1c399..67d0dec 100644 + tgtd_manage_semaphores(iscsid_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 9df8c4d..010ec0e 100644 +index 9df8c4d..6b49c76 100644 --- a/policy/modules/system/libraries.fc 
+++ b/policy/modules/system/libraries.fc -@@ -44,6 +44,7 @@ ifdef(`distro_redhat',` +@@ -37,17 +37,12 @@ ifdef(`distro_redhat',` + # + /lib -d gen_context(system_u:object_r:lib_t,s0) + /lib/.* gen_context(system_u:object_r:lib_t,s0) +-/lib64 -d gen_context(system_u:object_r:lib_t,s0) +-/lib64/.* gen_context(system_u:object_r:lib_t,s0) + /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) +-/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) /lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:lib_t,s0) +-/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_debian',` /lib32 -l gen_context(system_u:object_r:lib_t,s0) -@@ -90,6 +91,7 @@ ifdef(`distro_gentoo',` +-/lib64 -l gen_context(system_u:object_r:lib_t,s0) + ') + + ifdef(`distro_gentoo',` +@@ -62,7 +57,6 @@ ifdef(`distro_gentoo',` + # + /opt/.*\.so gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) + /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) +@@ -90,6 +84,7 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -50864,7 +51899,21 @@ index 9df8c4d..010ec0e 100644 /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) -@@ -129,15 +131,13 @@ ifdef(`distro_redhat',` +@@ -118,64 +113,62 @@ ifdef(`distro_redhat',` + /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) + + /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) + +-/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) ++/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) + + /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +-/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -50872,30 +51921,88 @@ index 9df8c4d..010ec0e 100644
 -/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,9 +151,10 @@ ifdef(`distro_redhat',`
- /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/catalyst/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?lib(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+-/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ ifdef(`distro_debian',`
+ /usr/lib32 -l gen_context(system_u:object_r:lib_t,s0)
++/lib -l gen_context(system_u:object_r:lib_t,s0)
+ ')
+
+ ifdef(`distro_gentoo',`
+@@ -194,94 +187,92 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+ /usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
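Review bot: The new `++/lib -l gen_context(system_u:object_r:lib_t,s0)` entry is placed inside the `ifdef(`distro_debian',`` block next to `/usr/lib32 -l`, so it only takes effect on Debian builds, and it declares `/lib` a symlink while the distro_redhat block earlier in the same file labels it with `/lib -d`. If the line is meant for a merged-/usr layout where `/lib` is a symlink, it presumably belongs in the distro_redhat block (or outside any ifdef) rather than here; if it really is Debian-specific, a short comment on the line saying why would help the next reader. The inner hunk `@@ -194,94 +187,92 @@` that this outer hunk ends on continues into the next one.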
@@ -50904,23 +52011,145 @@ index 9df8c4d..010ec0e 100644
 /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+ /usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib64/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
+-/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/librecentfile\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/valgrind/vg.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libsts645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libwrp645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libswd680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/librecentfile\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
- /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ # Fedora Extras packages: ladspa, imlib2, ocaml
+-/usr/lib(64)?/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/bandpass_a_iir_1893\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/bandpass_iir_1892\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/butterworth_1902\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/fm_osc_1415\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/gsm_1215\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/gverb_1216\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/hermes_filter_1200\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/highpass_iir_1890\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/lowpass_iir_1891\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/notch_iir_1894\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/pitch_scale_1193\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/pitch_scale_1194\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/sc1_1425\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/sc2_1426\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+-/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # Jai, Sun Microsystems (Jpackage SPRM)
+-/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/lib(64)?/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdvdcss\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # vmware
+-/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+-/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -302,13 +293,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
 /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
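Review bot: `++/usr/lib.*/libmpg123\.so(\.[^/]*)*` keeps the slash-less `lib.*` form inherited from the old `lib(64)?.*`, which also matches `/usr/libexec/...` and any other `/usr/lib<suffix>` directory, not just `/usr/lib` and its subdirectories. Assuming only the `/usr/lib` tree is intended now that the lib64 variant is gone, `/usr/lib(/.*)?/libmpg123\.so(\.[^/]*)*` expresses that without the overreach and still matches `/usr/lib/libmpg123.so` directly. No other line in this hunk uses that shape, so it is a single-line change; the inner hunk `@@ -302,13 +293,7 @@` that this outer hunk ends on continues into the next one.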
@@ -50932,38 +52161,43 @@ index 9df8c4d..010ec0e 100644
 -/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
 -/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
 ') dnl end distro_redhat
 #
-@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
- /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+@@ -316,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+ #
+ /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
--/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+-/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-
+-/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
 +/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
 +
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
 ')
+-/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
 +/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
 +/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
- /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
++/var/spool/postfix/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
 /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+-/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
++/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
 +
-+/usr/lib(64)?/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
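Review bot: Dropping `(64)?` from the chroot entries `++/var/ftp/lib(/.*)?`, `++/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*`, `++/var/spool/postfix/lib(/.*)?` and `++/var/spool/postfix/lib/ld.*\.so.*` removes the labelling for `/var/ftp/lib64` and `/var/spool/postfix/lib64`, and a path equivalence for `/lib64` or `/usr/lib64` (presumably what the rest of this commit relies on) does not apply to those prefixes. The removed patterns presumably existed because 64-bit chroots carry their own `lib64` copy of the loader, so `ld-*.so` under those directories would no longer get ld_so_t and the other files would fall back to the parent directory's default label. Unless equivalences for these chroot paths are planned as well, keeping `lib(64)?` on these four lines seems the safer choice; either way a short comment recording the decision would help the next reader.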
@@ -50971,23 +52205,23 @@ index 9df8c4d..010ec0e 100644
 +
 +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/local/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/googleearth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
 +
 +/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +
 +/opt/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
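Review bot: `++/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)*` replaces `oracle(64)?` with `oracle`, but `oracle64` is a plain directory name rather than a lib64 path, so a `/usr/lib64 -> /usr/lib` equivalence would not cover `/usr/lib/oracle64/...`; unless that spelling was never a real install layout, this line should keep `oracle(64)?`. Separately, `++/usr/lib/libnnz11.so(\.[^/]*)*` leaves the dot before `so` unescaped (the neighbouring `libnnz10\.so` and `libnnz.*\.so` entries escape it), so it matches any single character there; `++/usr/lib/libnnz11\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)` tightens it. That second point is carried over from the old line, so it is a pre-existing nit rather than a regression introduced here.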
@@ -50999,80 +52233,80 @@ index 9df8c4d..010ec0e 100644 + +/usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/ICAClient/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/midori/.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libav.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libADM.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libmp3lame\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`fixed',` -+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavfilter\.so(\..*)? 
-- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +# Flash plugin, Macromedia +HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/(.*/)?libflashplayer\.so.* -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/zend/lib/apache2/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/python.*/site-packages/pymedia/muxer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/local/games/darwinia/lib/libSDL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/ocp-.*/mixclip\.so -- 
gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/ocp-.*/mixclip\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/firefox/plugins/libractrl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + @@ -51080,9 +52314,9 @@ index 9df8c4d..010ec0e 100644 + +/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/nsr/(.*/)?.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -51435,7 +52669,7 @@ index 571599b..ddaf246 100644 + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index c7cfb62..6160239 100644 +index c7cfb62..ee89659 100644 
--- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',` @@ -51538,10 +52772,29 @@ index c7cfb62..6160239 100644 ') ######################################## -@@ -824,6 +899,25 @@ interface(`logging_read_generic_logs',` +@@ -824,6 +899,44 @@ interface(`logging_read_generic_logs',` ######################################## ## ++## Link generic log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_link_generic_logs',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ allow $1 var_log_t:file link; ++') ++ ++######################################## ++## +## Delete generic log files. +## +## @@ -51564,7 +52817,7 @@ index c7cfb62..6160239 100644 ## Write generic log files. ## ## -@@ -971,6 +1065,7 @@ interface(`logging_admin_syslog',` +@@ -971,6 +1084,7 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -51572,7 +52825,7 @@ index c7cfb62..6160239 100644 allow $1 syslogd_t:process { ptrace signal_perms }; allow $1 klogd_t:process { ptrace signal_perms }; ps_process_pattern($1, syslogd_t) -@@ -996,6 +1091,8 @@ interface(`logging_admin_syslog',` +@@ -996,6 +1110,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -51864,7 +53117,7 @@ index 58bc27f..b95f0c0 100644 + allow $1 clvmd_tmpfs_t:file unlink; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..090189c 100644 +index a0a0ebf..e7fd4ec 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) 
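Review bot: The new `logging_link_generic_logs` interface grants only `var_log_t:file link`, but creating a hard link to a log inside /var/log also needs `add_name` on the var_log_t directory, which this interface neither provides nor documents, so a caller with just this interface is still denied. Either the description should state that the caller must already have write access to the log directory, or the interface should be extended with `allow $1 var_log_t:dir add_name;` if that is the intent. Hard-linking a log also lets the caller keep a copy alive after rotation or unlink, which is worth a sentence in the summary since the sibling interfaces here only delete or write.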
@@ -52011,12 +53264,13 @@ index a0a0ebf..090189c 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -299,15 +321,20 @@ seutil_read_file_contexts(lvm_t) +@@ -299,15 +321,22 @@ seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) --userdom_use_user_terminals(lvm_t) +userdom_use_inherited_user_terminals(lvm_t) + userdom_use_user_terminals(lvm_t) ++userdom_rw_semaphores(lvm_t) ifdef(`distro_redhat',` # this is from the initrd: @@ -52036,7 +53290,7 @@ index a0a0ebf..090189c 100644 ') optional_policy(` -@@ -331,6 +358,10 @@ optional_policy(` +@@ -331,14 +360,26 @@ optional_policy(` ') optional_policy(` @@ -52047,7 +53301,12 @@ index a0a0ebf..090189c 100644 modutils_domtrans_insmod(lvm_t) ') -@@ -339,6 +370,10 @@ optional_policy(` + optional_policy(` ++ raid_read_mdadm_pid(lvm_t) ++') ++ ++optional_policy(` + rpm_manage_script_tmp_files(lvm_t) ') optional_policy(` @@ -52059,7 +53318,7 @@ index a0a0ebf..090189c 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 172287e..2683ce9 100644 +index 172287e..ec1f0e8 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,7 +9,7 @@ ifdef(`distro_gentoo',` @@ -52071,6 +53330,15 @@ index 172287e..2683ce9 100644 /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) +@@ -34,7 +34,7 @@ ifdef(`distro_redhat',` + # + /usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) + +-/usr/lib(64)?/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) ++/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) + + /usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) + /usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 926ba65..1dfa62a 100644 
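Review bot: In the lvm.te hunk at -299,15 the patch now keeps `userdom_use_user_terminals(lvm_t)` and adds `userdom_use_inherited_user_terminals(lvm_t)` right above it; if, as the names suggest, the inherited set is a subset of the full one, the added line is redundant and one of the two should go. The new `userdom_rw_semaphores(lvm_t)` line is a cross-domain IPC grant to user SysV semaphores with no comment saying which tool triggers it. A short why-comment such as `# lvm tools use semaphores shared with the invoking user session` would let a later reviewer judge whether it can be narrowed.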
--- a/policy/modules/system/miscfiles.if @@ -52114,6 +53382,21 @@ index 703944c..1d3a6a9 100644 attribute cert_type; # +diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc +index 532181a..2410551 100644 +--- a/policy/modules/system/modutils.fc ++++ b/policy/modules/system/modutils.fc +@@ -10,10 +10,8 @@ ifdef(`distro_gentoo',` + ') + + /lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) +-/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) + + /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) +-/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) + + /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) + /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 9c0faab..def8d5a 100644 --- a/policy/modules/system/modutils.if @@ -53021,6 +54304,35 @@ index ed9c70d..b961d53 100644 /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) +diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if +index c817fda..8bcb1fd 100644 +--- a/policy/modules/system/raid.if ++++ b/policy/modules/system/raid.if +@@ -21,6 +21,24 @@ interface(`raid_domtrans_mdadm',` + + ######################################## + ## ++## read the mdadm pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`raid_read_mdadm_pid',` ++ gen_require(` ++ type mdadm_var_run_t; ++ ') ++ ++ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete the mdadm pid files. + ## + ## diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 73cc8cf..020e663 100644 --- a/policy/modules/system/raid.te 
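Review bot: The new `raid_read_mdadm_pid` interface in raid.if calls `read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)` but does not grant search on the pid directory, so a caller that cannot already traverse /var/run gets the file access denied before it reaches the file; the sibling read-pid interfaces in the reference policy conventionally add `files_search_pids($1)` before the pattern. The summary `read the mdadm pid files.` should also match the capitalised style of the sibling `Create, read, write, and delete the mdadm pid files.` entry below it.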
@@ -53095,7 +54407,7 @@ index 73cc8cf..020e663 100644 +# unconfined_domain(mdadm_t) +#') diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc -index 2cc4bda..9e81136 100644 +index 2cc4bda..167c358 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -6,13 +6,13 @@ @@ -53115,7 +54427,14 @@ index 2cc4bda..9e81136 100644 # # /root -@@ -38,11 +38,20 @@ +@@ -32,17 +32,26 @@ + /usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0) + /usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0) + +-/usr/lib(64)?/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) ++/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) + + /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) @@ -54549,17 +55868,19 @@ index df32316..e372b51 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..266e9b0 +index 0000000..c7476cb --- /dev/null 
+++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,12 @@ +@@ -0,0 +1,14 @@ +/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) + ++/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + +/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) + ++/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:systemd_unit_file_t,s0) +/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + +/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0) @@ -54567,14 +55888,120 @@ index 0000000..266e9b0 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..aabfb0d +index 0000000..4dfe28c --- /dev/null 
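Review bot: The new entry `/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:systemd_unit_file_t,s0)` uses the `--` regular-file qualifier, so the unit directory itself, its `*.wants` subdirectories and the symlinks inside them are not labelled systemd_unit_file_t and keep whatever the parent path rule gives them. If the intent is for a domain holding `systemd_read_unit_files` to resolve an enabled unit through its `.wants` symlink, the directory and lnk_file objects need to carry the type too, which means dropping `--` or adding explicit entries. A comment above the line stating whether only the unit files proper are meant to be covered would settle this either way.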
+++ b/policy/modules/system/systemd.if -@@ -0,0 +1,140 @@ +@@ -0,0 +1,246 @@ +## SELinux policy for systemd components + +####################################### +## ++## Create a domain for processes which are started ++## exuting systemctl. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to be used as a domain. ++## ++## ++# ++interface(`systemd_systemctl_domain',` ++ gen_require(` ++ type systemd_systemctl_exec_t; ++ role system_r; ++ ') ++ ++ type $1_systemctl_t; ++ domain_type($1_systemctl_t) ++ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) ++ ++ role system_r types $1_systemctl_t; ++ ++ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t) ++') ++ ++######################################## ++## ++## Execute systemctl in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_exec_systemctl',` ++ gen_require(` ++ type systemd_systemctl_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, systemd_systemctl_exec_t) ++') ++ ++####################################### ++## ++## Create a file type used for systemd unit files. ++## ++## ++## ++## Type to be used for an unit file. ++## ++## ++# ++interface(`systemd_unit_file',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ typeattribute $1 systemd_unit_file_type; ++ files_type($1) ++') ++ ++###################################### ++## ++## Allow domain to read all systemd unit files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_read_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:file read_file_perms; ++') ++ ++##################################### ++## ++## Dontaudit domain to read all systemd unit files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`systemd_dontaudit_read_unit_files',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ dontaudit $1 systemd_unit_file_type:file read_file_perms; ++') ++ ++####################################### ++## +## Execute a domain transition to run systemd-tmpfiles. +## +## @@ -54713,10 +56140,10 @@ index 0000000..aabfb0d +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..d5b6aff +index 0000000..ef7eddd --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,162 @@ +@@ -0,0 +1,180 @@ + +policy_module(systemd, 1.0.0) + @@ -54725,6 +56152,8 @@ index 0000000..d5b6aff +# Declarations +# + ++attribute systemd_unit_file_type; ++ +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + @@ -54741,6 +56170,14 @@ index 0000000..d5b6aff +type systemd_notify_exec_t; +init_systemd_domain(systemd_notify_t, systemd_notify_exec_t) + ++# type for systemd unit files ++type systemd_unit_file_t; ++systemd_unit_file(systemd_unit_file_t) ++ ++# executable for systemctl ++type systemd_systemctl_exec_t; ++corecmd_executable_file(systemd_systemctl_exec_t) ++ +# +# Type for systemd pipes in /dev/.systemd/ directory +# @@ -54841,6 +56278,14 @@ index 0000000..d5b6aff +miscfiles_relabel_man_pages(systemd_tmpfiles_t) +miscfiles_read_localization(systemd_tmpfiles_t) + ++ifdef(`distro_redhat',` ++ userdom_list_user_home_content(systemd_tmpfiles_t) ++ userdom_delete_user_home_content_dirs(systemd_tmpfiles_t) ++ userdom_delete_user_home_content_files(systemd_tmpfiles_t) ++ userdom_delete_user_home_content_sock_files(systemd_tmpfiles_t) ++ userdom_delete_user_home_content_symlinks(systemd_tmpfiles_t) ++') ++ +optional_policy(` + auth_rw_login_records(systemd_tmpfiles_t) +') @@ -56030,7 +57475,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> 
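Review bot: `systemd_read_unit_files` grants the search step with `files_search_var_lib($1)`, but the unit files introduced by this commit are labelled under `/lib/systemd/system`, not /var/lib, so the search grant does not cover the path the read is meant to reach; the lib-directory search interface (e.g. `libs_search_lib($1)`) looks like the intended call. In `systemd_systemctl_domain` the first argument is used as a prefix (`$1_t`, `$1_systemctl_t`) rather than as a domain, so its description should say "prefix for the domain" instead of "Domain allowed access", and the summary has a typo: `exuting` should be `executing`. The transition also hard-codes `role system_r`, which is worth a comment since callers in other roles will not get the transition.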
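Review bot: The `distro_redhat` block added to systemd.te lets systemd_tmpfiles_t delete user_home_t dirs, files, sock_files and symlinks wherever they are, while the changelog entry for this release describes the goal as cleaning user_home_t files in the /tmp dir; with `userdom_list_user_home_content` in the same block the domain can also reach that content under home directories. Since tmpfiles runs age-based removal from configuration files, a mislabelled or mistyped tmpfiles.d entry would then be able to remove home content, so the scope should be stated. A comment above the block such as `# tmpfiles removes user_home_t content users leave in /tmp; note this is not restricted to /tmp` would record the trade-off.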
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..d514493 100644 +index 28b88de..359a84b 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -57566,7 +59011,32 @@ index 28b88de..d514493 100644 ') ######################################## -@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1779,6 +2170,24 @@ interface(`userdom_delete_user_home_content_files',` + + ######################################## + ## ++## Delete sock files in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_user_home_content_sock_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:sock_file delete_file_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to write user home files. + ## + ## +@@ -1810,8 +2219,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -57576,7 +59046,7 @@ index 28b88de..d514493 100644 ') ######################################## -@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2235,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -57590,19 +59060,18 @@ index 28b88de..d514493 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -57611,7 +59080,7 @@ index 28b88de..d514493 100644 ') ######################################## -@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2837,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -57627,7 +59096,7 @@ index 28b88de..d514493 100644 ## ## ## -@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2865,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -57654,7 +59123,7 @@ index 28b88de..d514493 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,6 +2937,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +2955,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -57679,7 +59148,7 @@ index 28b88de..d514493 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +2973,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +2991,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -57722,7 +59191,7 @@ index 28b88de..d514493 100644 ## ## ## -@@ -2614,14 +3009,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3027,33 @@ interface(`userdom_use_user_ptys',` ## ## # 
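Review bot: The rewritten `userdom_exec_user_home_content_files` drops the `tunable_policy` blocks for `use_nfs_home_dirs` and `use_samba_home_dirs`, so callers on NFS or CIFS home directories lose the `fs_exec_nfs_files`/`fs_exec_cifs_files` grant unless some other interface now provides it, which this hunk does not show. If that is intentional because exec on remote homes moved elsewhere, a comment saying so would prevent the blocks from being re-added; otherwise the two tunable blocks should stay after the new `exec_files_pattern` line. The added `dontaudit $1 user_home_type:sock_file execute;` is fine but would read better with a one-line note on which application triggers it.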
@@ -57760,7 +59229,7 @@ index 28b88de..d514493 100644 ') ######################################## -@@ -2815,7 +3229,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3247,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -57769,7 +59238,7 @@ index 28b88de..d514493 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3245,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3263,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -57785,7 +59254,7 @@ index 28b88de..d514493 100644 ') ######################################## -@@ -2917,7 +3333,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3351,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -57794,7 +59263,7 @@ index 28b88de..d514493 100644 ') ######################################## -@@ -2972,7 +3388,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3406,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -57841,7 +59310,7 @@ index 28b88de..d514493 100644 ') ######################################## -@@ -3009,6 +3463,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3481,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -57849,7 +59318,7 @@ index 28b88de..d514493 100644 kernel_search_proc($1) ') -@@ -3087,6 +3542,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3560,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -57874,7 +59343,7 @@ index 28b88de..d514493 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3612,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3630,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') 
@@ -59045,10 +60514,10 @@ index df29ca1..2a5c03d 100644 +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc -index a865da7..2e7f2b0 100644 +index a865da7..0818ff0 100644 --- a/policy/modules/system/xen.fc +++ b/policy/modules/system/xen.fc -@@ -1,7 +1,5 @@ +@@ -1,12 +1,10 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) -/usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0) @@ -59056,6 +60525,12 @@ index a865da7..2e7f2b0 100644 /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) /usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) + +-/usr/lib(64)?/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) ++/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) + + ifdef(`distro_debian',` + /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index 77d41b6..4aa96c6 100644 --- a/policy/modules/system/xen.if diff --git a/selinux-policy.spec b/selinux-policy.spec index 7afe7c53..20e6ab42 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -472,6 +472,21 @@ exit 0 %endif %changelog +* Mon Apr 11 2011 Miroslav Grepl 3.9.16-14 +- Add Dan's patch to remove 64 bit variants +- Allow colord to use unix_dgram_socket +- Allow apps that search pids to read /var/run if it is a lnk_file +- iscsid_t creates its own directory +- Allow init to list var_lock_t dir +- apm needs to verify user accounts auth_use_nsswitch +- Add labeling for systemd unit files +- Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added +- Add label for matahari-broker.pid file +- We want to remove untrustedmcsprocess from ability to read /proc/pid +- Fixes for matahari policy +- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir +- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on + * Tue Apr 5 2011 Miroslav Grepl 3.9.16-13 - Fix typo