From 1de5de64508f5bfdd1a8077e685ff23f9d56e1d0 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Wed, 27 Jun 2012 12:53:34 +0200 Subject: [PATCH] - add ptrace_child access to process - remove files_read_etc_files() calling from all policies which hav - Allow boinc domains to manage boinc_lib_t lnk_files - Add support for boinc-client.service unit file - Add support for boinc.log - Allow mozilla_plugin execmod on mozilla home files if allow_ex - Allow dovecot_deliver_t to read dovecot_var_run_t - Allow ldconfig and insmod to manage kdumpctl tmp files - Move thin policy out from cloudform.pp and add a new thin poli - pacemaker needs to communicate with corosync streams - abrt is now started on demand by dbus - Allow certmonger to talk directly to Dogtag servers - Change labeling for /var/lib/cobbler/webui_sessions to httpd_c - Allow mozila_plugin to execute gstreamer home files - Allow useradd to delete all file types stored in the users hom - rhsmcertd reads the rpm database - Add support for lightdm --- policy-rawhide.patch | 27 +- policy_contrib-rawhide.patch | 3080 ++++++++++++++++++++++++---------- selinux-policy.spec | 22 +- 3 files changed, 2247 insertions(+), 882 deletions(-) diff --git a/policy-rawhide.patch b/policy-rawhide.patch index b43bd594..38ea8528 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -58144,10 +58144,18 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index f462e95..e8f76cb 100644 +index f462e95..20fb556 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors -@@ -393,6 +393,10 @@ class system +@@ -329,6 +329,7 @@ class process + execheap + setkeycreate + setsockcreate ++ ptrace_child + } + + +@@ -393,6 +394,10 @@ class system syslog_mod syslog_console module_request 
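Review bot: The new `ptrace_child` permission added to `class process` carries no note of which kernel declares it, unlike the `# unused by SELinux` annotations this file already puts on `mac_override` and `mac_admin` further down. A permission that exists only on the policy side is never checked by a kernel that does not declare it, so any `allow … :process ptrace_child` rule is inert until such a kernel is running, and on a kernel that does declare it the rule presumably lets a domain trace its own children without full `ptrace` — worth confirming and recording. Suggest annotating the line, e.g. `ptrace_child # checked only by kernels that declare this permission`, and naming the target kernel in the commit message.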
@@ -58158,7 +58166,7 @@ index f462e95..e8f76cb 100644 } # -@@ -445,6 +449,8 @@ class capability2 +@@ -445,6 +450,8 @@ class capability2 mac_override # unused by SELinux mac_admin # unused by SELinux syslog @@ -58167,7 +58175,7 @@ index f462e95..e8f76cb 100644 } # -@@ -860,3 +866,20 @@ inherits database +@@ -860,3 +867,20 @@ inherits database implement execute } @@ -73296,7 +73304,7 @@ index b17e27a..d193a52 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..7da0fde 100644 +index fc86b7c..f393f76 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -73354,7 +73362,7 @@ index fc86b7c..7da0fde 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,23 +75,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -73376,6 +73384,7 @@ index fc86b7c..7da0fde 100644 /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) -/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) 
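Review bot: In `/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)` the `*` quantifies only the final `m`, and file-context regexes are matched anchored, so the entry matches `lightd`, `lightdm`, `lightdmm`, … but no `lightdm-` prefixed helper. If only the display-manager binary is meant, `/usr/(s)?bin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0)` is exact; if helper binaries beside it are meant to be labeled as well, `lightdm.*` is the form that does that. Since `xdm_exec_t` is the exec type of the display-manager domain, the exact form is preferable unless specific helpers are known to need it. The other display managers on the neighbouring lines are covered by the `[mxgkw]dm` character class, which lightdm's longer name cannot join, so a separate line is otherwise fine.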
@@ -73385,21 +73394,24 @@ index fc86b7c..7da0fde 100644 /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -90,24 +120,43 @@ ifndef(`distro_debian',` +@@ -90,24 +121,47 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + ++/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -73412,6 +73424,7 @@ index fc86b7c..7da0fde 100644 +/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index d1693f64..5a8340e8 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index 1bd5812..196cfc9 100644 +index 1bd5812..b5fe639 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,13 +1,16 @@ +@@ -1,12 +1,16 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) @@ -16,13 +16,13 @@ index 1bd5812..196cfc9 100644 +/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0) /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) - -+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) ++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) + ++/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) + /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) - -@@ -15,6 +18,19 @@ +@@ -15,6 +19,19 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -316,7 +316,7 @@ index 0b827c5..ac79ca6 100644 + dontaudit $1 abrt_t:sock_file write; ') 
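Review bot: `/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)` puts the D-Bus-activated helper into `abrt_t` with the full rule set written for `abrtd`, whereas the same file gives `abrt-watch-log` and `abrt-handle-event` their own exec types. If abrt-dbus needs less than abrtd does, a dedicated exec type and domain (constructed name: `abrt_dbus_exec_t`) would keep its privileges narrower; if sharing the domain is deliberate because the daemon is now started on demand over D-Bus, as the commit message says, a comment on the line would record that, e.g. `# abrt-dbus is D-Bus activated; intentionally shares abrt_t with abrtd`.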
diff --git a/abrt.te b/abrt.te -index 30861ec..cb6f88a 100644 +index 30861ec..410772e 100644 --- a/abrt.te +++ b/abrt.te @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0) @@ -587,7 +587,7 @@ index 30861ec..cb6f88a 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +327,146 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +327,145 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -729,7 +729,6 @@ index 30861ec..cb6f88a 100644 + +kernel_read_system_state(abrt_domain) + -+files_read_etc_files(abrt_domain) + +logging_send_syslog_msg(abrt_domain) + @@ -936,10 +935,16 @@ index e66c296..993a1e9 100644 + dontaudit $1 acct_data_t:dir list_dir_perms; +') diff --git a/acct.te b/acct.te -index 63ef90e..1627428 100644 +index 63ef90e..622d6d3 100644 --- a/acct.te +++ b/acct.te -@@ -55,6 +55,8 @@ files_list_usr(acct_t) +@@ -49,12 +49,13 @@ corecmd_exec_shell(acct_t) + + domain_use_interactive_fds(acct_t) + +-files_read_etc_files(acct_t) + files_read_etc_runtime_files(acct_t) + files_list_usr(acct_t) # for nscd files_dontaudit_search_pids(acct_t) @@ -1395,7 +1400,7 @@ index 1392679..25e02df 100644 + ps_process_pattern($1, alsa_t) +') diff --git a/alsa.te b/alsa.te -index dc1b088..b688045 100644 +index dc1b088..d1f2a62 100644 --- a/alsa.te +++ b/alsa.te @@ -22,6 +22,9 @@ files_type(alsa_var_lib_t) @@ -1408,8 +1413,16 @@ index dc1b088..b688045 100644 ######################################## # # Local policy +@@ -59,7 +62,6 @@ dev_read_sysfs(alsa_t) + + corecmd_exec_bin(alsa_t) + +-files_read_etc_files(alsa_t) + files_read_usr_files(alsa_t) + + term_dontaudit_use_console(alsa_t) diff --git a/amanda.te b/amanda.te -index bec220e..ae601d8 100644 +index bec220e..1d26add 100644 --- a/amanda.te +++ b/amanda.te 
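Review bot: Dropping `files_read_etc_files(abrt_domain)` in this hunk is only safe if read access to `etc_t` now reaches these domains some other way, and the commit message line that states the criterion ("remove files_read_etc_files() calling from all policies which hav") is cut off, so it cannot be checked from this page. If the base patch now gives every domain read access to etc files, that is a policy-wide widening that the message should state; if the access instead arrives through a per-domain interface such as `auth_use_nsswitch`, each affected domain has to be confirmed to call it. The same removal recurs below for acct_t, alsa_t, amanda_t, amanda_recover_t, amavis_t, httpd_t, httpd_suexec_t, httpd_rotatelogs_t, httpd_passwd_t, httpd_script_type, arpwatch_t, asterisk_t, automount_t, avahi_t, bcfg2_t, named_t, ndc_t, bitlbee_t, blueman_t, bluetooth_t, bluetooth_helper_t, calamaris_t and callweaver_t, so one sentence in the message naming the replacement covers all of them.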
@@ -58,7 +58,7 @@ optional_policy(` @@ -1429,7 +1442,23 @@ index bec220e..ae601d8 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -207,5 +208,10 @@ logging_search_logs(amanda_recover_t) +@@ -120,7 +121,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) + dev_getattr_all_blk_files(amanda_t) + dev_getattr_all_chr_files(amanda_t) + +-files_read_etc_files(amanda_t) + files_read_etc_runtime_files(amanda_t) + files_list_all(amanda_t) + files_read_all_files(amanda_t) +@@ -193,7 +193,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t) + + domain_use_interactive_fds(amanda_recover_t) + +-files_read_etc_files(amanda_recover_t) + files_read_etc_runtime_files(amanda_recover_t) + files_search_tmp(amanda_recover_t) + files_search_pids(amanda_recover_t) +@@ -207,5 +206,10 @@ logging_search_logs(amanda_recover_t) miscfiles_read_localization(amanda_recover_t) @@ -1461,7 +1490,7 @@ index e31d92a..e515cb8 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 5a9b451..b310d7a 100644 +index 5a9b451..5f1d427 100644 --- a/amavis.te +++ b/amavis.te @@ -38,7 +38,7 @@ type amavis_quarantine_t; @@ -1473,7 +1502,7 @@ index 5a9b451..b310d7a 100644 ######################################## # -@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t) +@@ -128,15 +128,16 @@ corenet_tcp_connect_razor_port(amavis_t) dev_read_rand(amavis_t) dev_read_urand(amavis_t) @@ -1481,7 +1510,9 @@ index 5a9b451..b310d7a 100644 domain_use_interactive_fds(amavis_t) -@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t) +-files_read_etc_files(amavis_t) + files_read_etc_runtime_files(amavis_t) + files_read_usr_files(amavis_t) fs_getattr_xattr_fs(amavis_t) 
@@ -1489,7 +1520,7 @@ index 5a9b451..b310d7a 100644 auth_dontaudit_read_shadow(amavis_t) # uses uptime which reads utmp - redhat bug 561383 -@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t) +@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t) userdom_dontaudit_search_user_home_dirs(amavis_t) @@ -2467,7 +2498,7 @@ index 6480167..d30bdbf 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index a36a01d..bde887f 100644 +index a36a01d..6a85ab0 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2) @@ -2855,7 +2886,7 @@ index a36a01d..bde887f 100644 # execute perl corecmd_exec_bin(httpd_t) corecmd_exec_shell(httpd_t) -@@ -398,6 +575,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -398,59 +575,112 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -2863,7 +2894,11 @@ index a36a01d..bde887f 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -409,48 +587,101 @@ files_read_etc_files(httpd_t) + # for modules that want to access /etc/mtab + files_read_etc_runtime_files(httpd_t) + # Allow httpd_t to have access to files such as nisswitch.conf +-files_read_etc_files(httpd_t) + # for tomcat files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -2969,7 +3004,7 @@ index a36a01d..bde887f 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -461,27 +692,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -461,27 +691,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
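Review bot: The comment `# Allow httpd_t to have access to files such as nisswitch.conf` is kept while the `files_read_etc_files(httpd_t)` line it described is removed, so on the new side it now sits directly above `# for tomcat` and `files_read_var_lib_symlinks(httpd_t)` and describes nothing. Either remove the comment together with the rule, or turn it into a pointer to where etc read access now comes from, e.g. `# read access to /etc (nsswitch.conf etc.) for httpd_t comes from <REPLACEMENT-INTERFACE>` once that source is confirmed. The enclosing httpd_t rule block starts and ends outside this hunk.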
@@ -3033,7 +3068,7 @@ index a36a01d..bde887f 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -491,7 +756,22 @@ tunable_policy(`httpd_can_sendmail',` +@@ -491,7 +755,22 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -3056,7 +3091,7 @@ index a36a01d..bde887f 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -511,9 +791,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -511,9 +790,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -3077,7 +3112,7 @@ index a36a01d..bde887f 100644 ') optional_policy(` -@@ -525,6 +815,9 @@ optional_policy(` +@@ -525,6 +814,9 @@ optional_policy(` ') optional_policy(` @@ -3087,7 +3122,7 @@ index a36a01d..bde887f 100644 cobbler_search_lib(httpd_t) ') -@@ -540,6 +833,24 @@ optional_policy(` +@@ -540,6 +832,24 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -3112,7 +3147,7 @@ index a36a01d..bde887f 100644 optional_policy(` dbus_system_bus_client(httpd_t) -@@ -549,13 +860,24 @@ optional_policy(` +@@ -549,13 +859,24 @@ optional_policy(` ') optional_policy(` @@ -3138,7 +3173,7 @@ index a36a01d..bde887f 100644 ') optional_policy(` -@@ -568,7 +890,21 @@ optional_policy(` +@@ -568,7 +889,21 @@ optional_policy(` ') optional_policy(` @@ -3160,7 +3195,7 @@ index a36a01d..bde887f 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -579,6 +915,7 @@ optional_policy(` +@@ -579,6 +914,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -3168,7 +3203,7 @@ index a36a01d..bde887f 100644 ') optional_policy(` -@@ -589,6 +926,33 @@ optional_policy(` +@@ -589,6 +925,33 @@ optional_policy(` ') optional_policy(` 
@@ -3202,7 +3237,7 @@ index a36a01d..bde887f 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -603,6 +967,11 @@ optional_policy(` +@@ -603,6 +966,11 @@ optional_policy(` ') optional_policy(` @@ -3214,7 +3249,7 @@ index a36a01d..bde887f 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -615,6 +984,12 @@ optional_policy(` +@@ -615,6 +983,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -3227,7 +3262,7 @@ index a36a01d..bde887f 100644 ######################################## # # Apache helper local policy -@@ -628,7 +1003,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -628,7 +1002,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3240,7 +3275,7 @@ index a36a01d..bde887f 100644 ######################################## # -@@ -666,28 +1045,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -666,28 +1044,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -3284,7 +3319,7 @@ index a36a01d..bde887f 100644 ') ######################################## -@@ -697,6 +1078,7 @@ optional_policy(` +@@ -697,6 +1077,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -3292,7 +3327,7 @@ index a36a01d..bde887f 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -711,14 +1093,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -711,19 +1092,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -3316,7 +3351,12 @@ index a36a01d..bde887f 100644 # for shell scripts corecmd_exec_bin(httpd_suexec_t) corecmd_exec_shell(httpd_suexec_t) -@@ -752,13 +1143,31 @@ tunable_policy(`httpd_can_network_connect',` + +-files_read_etc_files(httpd_suexec_t) + files_read_usr_files(httpd_suexec_t) + files_dontaudit_search_pids(httpd_suexec_t) + files_search_home(httpd_suexec_t) +@@ -752,13 +1141,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -3349,7 +3389,7 @@ index a36a01d..bde887f 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -781,6 +1190,25 @@ optional_policy(` +@@ -781,6 +1188,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -3375,7 +3415,7 @@ index a36a01d..bde887f 100644 ######################################## # # Apache system script local policy -@@ -801,12 +1229,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -801,12 +1227,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -3393,7 +3433,7 @@ index a36a01d..bde887f 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -815,18 +1248,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -815,18 +1246,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -3450,7 +3490,7 @@ index a36a01d..bde887f 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -834,14 +1299,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -834,14 +1297,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -3491,7 +3531,7 @@ index a36a01d..bde887f 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,10 +1344,20 @@ optional_policy(` +@@ -854,10 +1342,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -3512,7 +3552,15 @@ index a36a01d..bde887f 100644 ') ######################################## -@@ -903,11 +1403,146 @@ optional_policy(` +@@ -873,7 +1371,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) + kernel_dontaudit_list_proc(httpd_rotatelogs_t) + kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) + +-files_read_etc_files(httpd_rotatelogs_t) + + logging_search_logs(httpd_rotatelogs_t) + +@@ -903,11 +1400,144 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -3556,7 +3604,6 @@ index a36a01d..bde887f 100644 + +domain_use_interactive_fds(httpd_passwd_t) + -+files_read_etc_files(httpd_passwd_t) + +auth_use_nsswitch(httpd_passwd_t) + @@ -3593,7 +3640,6 @@ index a36a01d..bde887f 100644 +application_exec_all(httpd_script_type) + +files_exec_etc_files(httpd_script_type) -+files_read_etc_files(httpd_script_type) +files_search_home(httpd_script_type) + +libs_exec_ld_so(httpd_script_type) @@ -4066,7 +4112,7 @@ index c804110..06a516f 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') diff --git a/arpwatch.te b/arpwatch.te -index 804135f..0f7ec8d 100644 +index 804135f..d94d72e 100644 --- a/arpwatch.te +++ b/arpwatch.te @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) 
@@ -4098,6 +4144,14 @@ index 804135f..0f7ec8d 100644 kernel_read_proc_symlinks(arpwatch_t) kernel_request_load_module(arpwatch_t) +@@ -74,7 +79,6 @@ corecmd_read_bin_symlinks(arpwatch_t) + + domain_use_interactive_fds(arpwatch_t) + +-files_read_etc_files(arpwatch_t) + files_read_usr_files(arpwatch_t) + files_search_var_lib(arpwatch_t) + diff --git a/asterisk.if b/asterisk.if index b6168fd..313c6e4 100644 --- a/asterisk.if @@ -4118,7 +4172,7 @@ index b6168fd..313c6e4 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 3b4613b..8ba2e55 100644 +index 3b4613b..3bd044f 100644 --- a/asterisk.te +++ b/asterisk.te @@ -20,10 +20,11 @@ type asterisk_log_t; @@ -4174,7 +4228,12 @@ index 3b4613b..8ba2e55 100644 dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) -@@ -127,6 +134,7 @@ files_search_spool(asterisk_t) +@@ -122,11 +129,11 @@ dev_read_urand(asterisk_t) + + domain_use_interactive_fds(asterisk_t) + +-files_read_etc_files(asterisk_t) + files_search_spool(asterisk_t) # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm # are labeled usr_t files_read_usr_files(asterisk_t) @@ -4182,7 +4241,7 @@ index 3b4613b..8ba2e55 100644 fs_getattr_all_fs(asterisk_t) fs_list_inotifyfs(asterisk_t) -@@ -143,6 +151,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) +@@ -143,6 +150,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` @@ -4278,7 +4337,7 @@ index d80a16b..ef740ef 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 39799db..48901a2 100644 +index 39799db..8c012e9 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; 
@@ -4299,7 +4358,15 @@ index 39799db..48901a2 100644 files_search_boot(automount_t) # Automount is slowly adding all mount functionality internally files_search_all(automount_t) -@@ -143,10 +147,6 @@ logging_search_logs(automount_t) +@@ -113,7 +117,6 @@ files_dontaudit_write_var_dirs(automount_t) + files_getattr_all_dirs(automount_t) + files_list_mnt(automount_t) + files_getattr_home_dir(automount_t) +-files_read_etc_files(automount_t) + files_read_etc_runtime_files(automount_t) + # for if the mount point is not labelled + files_getattr_isid_type_dirs(automount_t) +@@ -143,10 +146,6 @@ logging_search_logs(automount_t) miscfiles_read_localization(automount_t) miscfiles_read_generic_certs(automount_t) @@ -4310,7 +4377,7 @@ index 39799db..48901a2 100644 userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_user_home_dirs(automount_t) -@@ -155,6 +155,13 @@ optional_policy(` +@@ -155,6 +154,13 @@ optional_policy(` ') optional_policy(` @@ -4398,7 +4465,7 @@ index 61c74bc..17b3ecc 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index a7a0e71..3b01eed 100644 +index a7a0e71..a70fe55 100644 --- a/avahi.te +++ b/avahi.te @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) @@ -4420,7 +4487,15 @@ index a7a0e71..3b01eed 100644 corecmd_exec_bin(avahi_t) corecmd_exec_shell(avahi_t) -@@ -104,6 +109,10 @@ optional_policy(` +@@ -74,7 +79,6 @@ fs_list_inotifyfs(avahi_t) + + domain_use_interactive_fds(avahi_t) + +-files_read_etc_files(avahi_t) + files_read_etc_runtime_files(avahi_t) + files_read_usr_files(avahi_t) + +@@ -104,6 +108,10 @@ optional_policy(` ') optional_policy(` @@ -4682,10 +4757,10 @@ index 0000000..5ff58fd +') diff --git a/bcfg2.te b/bcfg2.te new file mode 100644 -index 0000000..7c301dc +index 0000000..e18dc4f --- /dev/null +++ b/bcfg2.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,54 @@ +policy_module(bcfg2, 1.0.0) + +######################################## 
@@ -4733,7 +4808,6 @@ index 0000000..7c301dc + +domain_use_interactive_fds(bcfg2_t) + -+files_read_etc_files(bcfg2_t) +files_read_usr_files(bcfg2_t) + +auth_use_nsswitch(bcfg2_t) @@ -4921,7 +4995,7 @@ index 44a1e3d..9b50c13 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 4deca04..04d55e9 100644 +index 4deca04..6137526 100644 --- a/bind.te +++ b/bind.te @@ -6,6 +6,13 @@ policy_module(bind, 1.11.0) @@ -4977,7 +5051,15 @@ index 4deca04..04d55e9 100644 # read zone files allow named_t named_zone_t:dir list_dir_perms; -@@ -147,6 +159,10 @@ miscfiles_read_generic_certs(named_t) +@@ -131,7 +143,6 @@ dev_read_urand(named_t) + + domain_use_interactive_fds(named_t) + +-files_read_etc_files(named_t) + files_read_etc_runtime_files(named_t) + + fs_getattr_all_fs(named_t) +@@ -147,6 +158,10 @@ miscfiles_read_generic_certs(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) @@ -4988,7 +5070,7 @@ index 4deca04..04d55e9 100644 tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) manage_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -154,6 +170,12 @@ tunable_policy(`named_write_master_zones',` +@@ -154,6 +169,12 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -5001,7 +5083,7 @@ index 4deca04..04d55e9 100644 init_dbus_chat_script(named_t) sysnet_dbus_chat_dhcpc(named_t) -@@ -206,10 +228,11 @@ allow ndc_t dnssec_t:lnk_file { getattr read }; +@@ -206,10 +227,11 @@ allow ndc_t dnssec_t:lnk_file { getattr read }; stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t) allow ndc_t named_conf_t:file read_file_perms; 
@@ -5014,7 +5096,12 @@ index 4deca04..04d55e9 100644 kernel_read_kernel_sysctls(ndc_t) corenet_all_recvfrom_unlabeled(ndc_t) -@@ -228,6 +251,8 @@ files_search_pids(ndc_t) +@@ -223,11 +245,12 @@ corenet_sendrecv_rndc_client_packets(ndc_t) + + domain_use_interactive_fds(ndc_t) + +-files_read_etc_files(ndc_t) + files_search_pids(ndc_t) fs_getattr_xattr_fs(ndc_t) @@ -5023,7 +5110,7 @@ index 4deca04..04d55e9 100644 init_use_fds(ndc_t) init_use_script_ptys(ndc_t) -@@ -235,16 +260,16 @@ logging_send_syslog_msg(ndc_t) +@@ -235,16 +258,16 @@ logging_send_syslog_msg(ndc_t) miscfiles_read_localization(ndc_t) @@ -5081,7 +5168,7 @@ index de0bd67..1df2048 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index f4e7ad3..c323651 100644 +index f4e7ad3..df0296d 100644 --- a/bitlbee.te +++ b/bitlbee.te @@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t) @@ -5146,7 +5233,7 @@ index f4e7ad3..c323651 100644 # Allow bitlbee to connect to jabber servers corenet_tcp_connect_jabber_client_port(bitlbee_t) corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) -@@ -69,6 +90,11 @@ corenet_tcp_connect_http_port(bitlbee_t) +@@ -69,11 +90,15 @@ corenet_tcp_connect_http_port(bitlbee_t) corenet_tcp_sendrecv_http_port(bitlbee_t) corenet_tcp_connect_http_cache_port(bitlbee_t) corenet_tcp_sendrecv_http_cache_port(bitlbee_t) @@ -5158,6 +5245,11 @@ index f4e7ad3..c323651 100644 dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) + +-files_read_etc_files(bitlbee_t) + files_search_pids(bitlbee_t) + # grant read-only access to the user help files + files_read_usr_files(bitlbee_t) diff --git a/blueman.fc b/blueman.fc new file mode 100644 index 0000000..98ba16a @@ -5275,10 +5367,10 @@ index 0000000..a66b2ff +') diff --git a/blueman.te b/blueman.te new file mode 100644 -index 0000000..6ed024b +index 0000000..5000a2a --- /dev/null 
+++ b/blueman.te -@@ -0,0 +1,56 @@ +@@ -0,0 +1,55 @@ +policy_module(blueman, 1.0.0) + +######################################## @@ -5314,7 +5406,6 @@ index 0000000..6ed024b + +domain_use_interactive_fds(blueman_t) + -+files_read_etc_files(blueman_t) +files_read_usr_files(blueman_t) + +auth_use_nsswitch(blueman_t) @@ -5488,7 +5579,7 @@ index 3e45431..540f783 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index d3019b3..7e206e7 100644 +index d3019b3..59440d1 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -4,12 +4,13 @@ policy_module(bluetooth, 3.4.0) @@ -5516,7 +5607,15 @@ index d3019b3..7e206e7 100644 ######################################## # # Bluetooth services local policy -@@ -144,6 +148,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) +@@ -127,7 +131,6 @@ corecmd_exec_shell(bluetooth_t) + domain_use_interactive_fds(bluetooth_t) + domain_dontaudit_search_all_domains_state(bluetooth_t) + +-files_read_etc_files(bluetooth_t) + files_read_etc_runtime_files(bluetooth_t) + files_read_usr_files(bluetooth_t) + +@@ -144,6 +147,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` @@ -5527,7 +5626,12 @@ index d3019b3..7e206e7 100644 dbus_system_bus_client(bluetooth_t) dbus_connect_system_bus(bluetooth_t) -@@ -217,6 +225,8 @@ files_read_etc_runtime_files(bluetooth_helper_t) +@@ -212,11 +219,12 @@ corecmd_exec_shell(bluetooth_helper_t) + + domain_read_all_domains_state(bluetooth_helper_t) + +-files_read_etc_files(bluetooth_helper_t) + files_read_etc_runtime_files(bluetooth_helper_t) files_read_usr_files(bluetooth_helper_t) files_dontaudit_list_default(bluetooth_helper_t) @@ -5538,24 +5642,28 @@ index d3019b3..7e206e7 100644 logging_send_syslog_msg(bluetooth_helper_t) diff --git a/boinc.fc b/boinc.fc new file mode 100644 -index 0000000..c095160 +index 0000000..e59e51b --- /dev/null 
+++ b/boinc.fc -@@ -0,0 +1,8 @@ +@@ -0,0 +1,12 @@ + -+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) + -+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) ++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) + -+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) ++/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0) ++ ++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) +/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) ++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) ++ ++/var/log/boinc\.log -- gen_context(system_u:object_r:boinc_log_t,s0) diff --git a/boinc.if b/boinc.if new file mode 100644 -index 0000000..9fe3f9e +index 0000000..6d7e034 --- /dev/null +++ b/boinc.if -@@ -0,0 +1,154 @@ +@@ -0,0 +1,189 @@ +## policy for boinc + +######################################## @@ -5673,6 +5781,30 @@ index 0000000..9fe3f9e + manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t) +') + ++####################################### ++## ++## Execute boinc server in the boinc domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`boinc_systemctl',` ++ gen_require(` ++ type boinc_t; ++ type boinc_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 boinc_unit_file_t:file read_file_perms; ++ allow $1 boinc_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, boinc_t) ++') ++ +######################################## +## +## All of the rules required to administrate 
@@ -5693,6 +5825,7 @@ index 0000000..9fe3f9e +interface(`boinc_admin',` + gen_require(` + type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; ++ type boinc_unit_file_t; + ') + + allow $1 boinc_t:process signal_perms; @@ -5709,13 +5842,23 @@ index 0000000..9fe3f9e + + files_list_var_lib($1) + admin_pattern($1, boinc_var_lib_t) ++ ++ boinc_systemctl($1) ++ admin_pattern($1, boinc_unit_file_t) ++ ++ allow $1 boinc_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') +') diff --git a/boinc.te b/boinc.te new file mode 100644 -index 0000000..b1c752c +index 0000000..20156f6 --- /dev/null +++ b/boinc.te -@@ -0,0 +1,190 @@ +@@ -0,0 +1,200 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -5741,6 +5884,12 @@ index 0000000..b1c752c +type boinc_var_lib_t; +files_type(boinc_var_lib_t) + ++type boinc_log_t; ++logging_log_file(boinc_log_t) ++ ++type boinc_unit_file_t; ++systemd_unit_file(boinc_unit_file_t) ++ +type boinc_project_t; +domain_type(boinc_project_t) +role system_r types boinc_project_t; @@ -5761,6 +5910,7 @@ index 0000000..b1c752c + +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) ++manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t) + +# needs read /proc/interrupts +kernel_read_system_state(boinc_domain) @@ -5816,6 +5966,9 @@ index 0000000..b1c752c +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + ++manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t) ++logging_log_filetrans(boinc_t, boinc_log_t, { file }) ++ +kernel_search_vm_sysctl(boinc_t) + +files_getattr_all_dirs(boinc_t) 
@@ -6233,6 +6386,18 @@ index 0000000..e7d2a5b +dev_search_sysfs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t) +diff --git a/calamaris.te b/calamaris.te +index b13fb66..bef8664 100644 +--- a/calamaris.te ++++ b/calamaris.te +@@ -51,7 +51,6 @@ corenet_udp_sendrecv_all_ports(calamaris_t) + dev_read_urand(calamaris_t) + + files_search_pids(calamaris_t) +-files_read_etc_files(calamaris_t) + files_read_usr_files(calamaris_t) + files_read_var_files(calamaris_t) + files_read_etc_runtime_files(calamaris_t) diff --git a/callweaver.fc b/callweaver.fc new file mode 100644 index 0000000..3e15c63 @@ -6620,10 +6785,10 @@ index 0000000..e07d3b8 +') diff --git a/callweaver.te b/callweaver.te new file mode 100644 -index 0000000..4cfc9f8 +index 0000000..4129562 --- /dev/null +++ b/callweaver.te -@@ -0,0 +1,77 @@ +@@ -0,0 +1,76 @@ +policy_module(callweaver,1.0.0) + +######################################## @@ -6692,7 +6857,6 @@ index 0000000..4cfc9f8 + +domain_use_interactive_fds(callweaver_t) + -+files_read_etc_files(callweaver_t) + +term_getattr_pty_fs(callweaver_t) +term_use_generic_ptys(callweaver_t) @@ -6924,7 +7088,7 @@ index 7a6e5ba..7475aa5 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index c3e3f79..40ecdf0 100644 +index c3e3f79..0b4158f 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,12 +18,17 @@ files_pid_file(certmonger_var_run_t) @@ -6946,7 +7110,7 @@ index c3e3f79..40ecdf0 100644 allow certmonger_t self:process { getsched setsched sigkill }; allow certmonger_t self:fifo_file rw_file_perms; allow certmonger_t self:unix_stream_socket create_stream_socket_perms; -@@ -38,10 +43,17 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) +@@ -38,19 +43,31 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir }) 
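Review bot: The calamaris.te hunk removes `files_read_etc_files(calamaris_t)` and nothing else in the hunk grants calamaris_t read access to etc_t; the commit message attributes these removals to domains that already obtain it through another interface (the subject line is cut off at 'which hav'), but that provider is not visible here. Before merging, confirm calamaris.te still calls whatever now supplies etc_t read (presumably `auth_use_nsswitch`), otherwise the daemon loses /etc/hosts and /etc/nsswitch.conf in enforcing mode and the breakage surfaces only as AVCs at runtime. A short comment at the removal site, e.g. `# etc_t read is provided by auth_use_nsswitch()` with the actual provider named, would let a reviewer verify the same for the many other domains this commit touches. The calamaris_t policy continues outside the hunk.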
@@ -6961,10 +7125,13 @@ index c3e3f79..40ecdf0 100644 corenet_tcp_sendrecv_all_ports(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) +corenet_tcp_connect_http_port(certmonger_t) ++corenet_tcp_connect_pki_ca_port(certmonger_t) dev_read_urand(certmonger_t) -@@ -51,6 +63,11 @@ files_read_etc_files(certmonger_t) + domain_use_interactive_fds(certmonger_t) + +-files_read_etc_files(certmonger_t) files_read_usr_files(certmonger_t) files_list_tmp(certmonger_t) @@ -7229,10 +7396,10 @@ index 0000000..2972c77 +') diff --git a/cfengine.te b/cfengine.te new file mode 100644 -index 0000000..0de6133 +index 0000000..4a07a67 --- /dev/null +++ b/cfengine.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,100 @@ +policy_module(cfengine, 1.0.0) + +######################################## @@ -7288,7 +7455,6 @@ index 0000000..0de6133 +sysnet_dns_name_resolve(cfengine_domain) +sysnet_domtrans_ifconfig(cfengine_domain) + -+files_read_etc_files(cfengine_domain) + +######################################## +# @@ -7384,7 +7550,7 @@ index 33facaf..1d39797 100644 admin_pattern($1, cgrules_etc_t) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 806191a..f7ad195 100644 +index 806191a..c577c98 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -7398,7 +7564,15 @@ index 806191a..f7ad195 100644 init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; -@@ -72,12 +72,15 @@ fs_mount_cgroup(cgconfig_t) +@@ -64,7 +64,6 @@ kernel_list_unlabeled(cgconfig_t) + kernel_read_system_state(cgconfig_t) + + # /etc/nsswitch.conf, /etc/passwd +-files_read_etc_files(cgconfig_t) + + fs_manage_cgroup_dirs(cgconfig_t) + fs_manage_cgroup_files(cgconfig_t) +@@ -72,12 +71,15 @@ fs_mount_cgroup(cgconfig_t) fs_mounton_cgroup(cgconfig_t) fs_unmount_cgroup(cgconfig_t) 
@@ -7415,7 +7589,7 @@ index 806191a..f7ad195 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -86,6 +89,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) +@@ -86,6 +88,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) allow cgred_t cgrules_etc_t:file read_file_perms; @@ -7425,7 +7599,11 @@ index 806191a..f7ad195 100644 # rc script creates pid file manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -@@ -104,6 +110,8 @@ files_read_etc_files(cgred_t) +@@ -100,10 +105,11 @@ files_getattr_all_files(cgred_t) + files_getattr_all_sockets(cgred_t) + files_read_all_symlinks(cgred_t) + # /etc/group +-files_read_etc_files(cgred_t) fs_write_cgroup_files(cgred_t) @@ -8195,7 +8373,7 @@ index bbac14a..87840b4 100644 + ') diff --git a/clamav.te b/clamav.te -index 5b7a1d7..d9ae236 100644 +index 5b7a1d7..d5c0e45 100644 --- a/clamav.te +++ b/clamav.te @@ -1,9 +1,23 @@ @@ -8272,7 +8450,15 @@ index 5b7a1d7..d9ae236 100644 corenet_sendrecv_clamd_server_packets(clamd_t) dev_read_rand(clamd_t) -@@ -127,13 +149,6 @@ logging_send_syslog_msg(clamd_t) +@@ -117,7 +139,6 @@ dev_read_urand(clamd_t) + + domain_use_interactive_fds(clamd_t) + +-files_read_etc_files(clamd_t) + files_read_etc_runtime_files(clamd_t) + files_search_spool(clamd_t) + +@@ -127,13 +148,6 @@ logging_send_syslog_msg(clamd_t) miscfiles_read_localization(clamd_t) @@ -8286,7 +8472,7 @@ index 5b7a1d7..d9ae236 100644 optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) -@@ -142,13 +157,31 @@ optional_policy(` +@@ -142,13 +156,31 @@ optional_policy(` ') optional_policy(` 
@@ -8319,7 +8505,7 @@ index 5b7a1d7..d9ae236 100644 ') ######################################## -@@ -178,10 +211,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +210,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -8338,7 +8524,7 @@ index 5b7a1d7..d9ae236 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +228,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +227,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -8346,7 +8532,15 @@ index 5b7a1d7..d9ae236 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +247,22 @@ miscfiles_read_localization(freshclam_t) +@@ -196,7 +235,6 @@ dev_read_urand(freshclam_t) + + domain_use_interactive_fds(freshclam_t) + +-files_read_etc_files(freshclam_t) + files_read_etc_runtime_files(freshclam_t) + + auth_use_nsswitch(freshclam_t) +@@ -207,16 +245,22 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -8373,7 +8567,7 @@ index 5b7a1d7..d9ae236 100644 ######################################## # # clamscam local policy -@@ -242,15 +288,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,17 +286,34 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; 
@@ -8405,9 +8599,11 @@ index 5b7a1d7..d9ae236 100644 kernel_read_kernel_sysctls(clamscan_t) +kernel_read_system_state(clamscan_t) - files_read_etc_files(clamscan_t) +-files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t) + files_search_var_lib(clamscan_t) + +@@ -264,10 +325,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -8440,17 +8636,16 @@ index b40f3f7..3676ecc 100644 # diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..3fe384f +index 0000000..7182054 --- /dev/null +++ b/cloudform.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,19 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + +/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) +/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) -+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) + +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) + @@ -8460,11 +8655,9 @@ index 0000000..3fe384f +/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) +/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0) +/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) -+/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0) + +/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) -+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) diff --git a/cloudform.if b/cloudform.if new file mode 100644 @@ -8514,10 +8707,10 @@ index 0000000..7f55959 +') 
diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..787b40a +index 0000000..579dff8 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,236 @@ +@@ -0,0 +1,192 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -8529,10 +8722,6 @@ index 0000000..787b40a +cloudform_domain_template(deltacloudd) +cloudform_domain_template(iwhd) +cloudform_domain_template(mongod) -+cloudform_domain_template(thin) -+ -+type thin_log_t; -+logging_log_file(thin_log_t) + +type deltacloudd_log_t; +logging_log_file(deltacloudd_log_t) @@ -8567,9 +8756,6 @@ index 0000000..787b40a +type mongod_var_run_t; +files_pid_file(mongod_var_run_t) + -+type thin_var_run_t; -+files_pid_file(thin_var_run_t) -+ +type iwhd_log_t; +logging_log_file(iwhd_log_t) + @@ -8717,43 +8903,6 @@ index 0000000..787b40a + sysnet_dns_name_resolve(mongod_t) +') + -+######################################## -+# -+# thin local policy -+# -+ -+allow thin_t self:capability { setuid kill setgid dac_override }; -+ -+allow thin_t self:netlink_route_socket r_netlink_socket_perms; -+allow thin_t self:udp_socket create_socket_perms; -+allow thin_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_files_pattern(thin_t, thin_log_t, thin_log_t) -+manage_dirs_pattern(thin_t, thin_log_t, thin_log_t) -+logging_log_filetrans(thin_t, thin_log_t, { file dir }) -+ -+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) -+files_pid_filetrans(thin_t, thin_var_run_t, { file }) -+ -+corecmd_exec_bin(thin_t) -+ -+corenet_tcp_bind_generic_node(thin_t) -+corenet_tcp_bind_ntop_port(thin_t) -+corenet_tcp_connect_postgresql_port(thin_t) -+corenet_tcp_connect_all_ports(iwhd_t) -+ -+files_read_usr_files(thin_t) -+ -+fs_search_auto_mountpoints(thin_t) -+ -+init_read_utmp(thin_t) -+ -+kernel_read_kernel_sysctls(thin_t) -+ -+optional_policy(` -+ sysnet_read_config(thin_t) -+') -+ diff --git a/cmirrord.if b/cmirrord.if index f8463c0..126b293 100644 --- a/cmirrord.if 
@@ -9649,7 +9798,7 @@ index 733e4e6..fa2c3cb 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 74505cc..dbd4f7f 100644 +index 74505cc..2bafa23 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0) @@ -9706,8 +9855,11 @@ index 74505cc..dbd4f7f 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -65,19 +80,35 @@ files_list_mnt(colord_t) - files_read_etc_files(colord_t) +@@ -62,22 +77,37 @@ dev_rw_generic_usb_dev(colord_t) + domain_use_interactive_fds(colord_t) + + files_list_mnt(colord_t) +-files_read_etc_files(colord_t) files_read_usr_files(colord_t) +fs_search_all(colord_t) @@ -9743,7 +9895,7 @@ index 74505cc..dbd4f7f 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +120,12 @@ optional_policy(` +@@ -89,6 +119,12 @@ optional_policy(` ') optional_policy(` @@ -9756,7 +9908,7 @@ index 74505cc..dbd4f7f 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -96,5 +133,20 @@ optional_policy(` +@@ -96,5 +132,20 @@ optional_policy(` ') optional_policy(` @@ -9777,6 +9929,18 @@ index 74505cc..dbd4f7f 100644 +optional_policy(` + zoneminder_rw_tmpfs_files(colord_t) +') +diff --git a/comsat.te b/comsat.te +index 3d121fd..fbad020 100644 +--- a/comsat.te ++++ b/comsat.te +@@ -51,7 +51,6 @@ dev_read_urand(comsat_t) + + fs_getattr_xattr_fs(comsat_t) + +-files_read_etc_files(comsat_t) + files_list_usr(comsat_t) + files_search_spool(comsat_t) + files_search_home(comsat_t) diff --git a/condor.fc b/condor.fc new file mode 100644 index 0000000..b3a5b51 @@ -10139,10 +10303,10 @@ index 0000000..168f664 +') diff --git a/condor.te b/condor.te new file mode 100644 -index 0000000..1bba4b7 +index 0000000..206443e --- /dev/null +++ b/condor.te -@@ -0,0 +1,232 @@ +@@ -0,0 +1,231 @@ +policy_module(condor, 1.0.0) + +######################################## 
@@ -10239,7 +10403,6 @@ index 0000000..1bba4b7 +dev_read_urand(condor_domain) +dev_read_sysfs(condor_domain) + -+files_read_etc_files(condor_domain) + +logging_send_syslog_msg(condor_domain) + @@ -10508,7 +10671,7 @@ index fd15dfe..aac1e5d 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index 6f2896d..c202601 100644 +index 6f2896d..5a5a3bb 100644 --- a/consolekit.te +++ b/consolekit.te @@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t) @@ -10531,15 +10694,17 @@ index 6f2896d..c202601 100644 allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -43,7 +50,6 @@ dev_read_sysfs(consolekit_t) +@@ -43,9 +50,7 @@ dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) -domain_dontaudit_ptrace_all_domains(consolekit_t) - files_read_etc_files(consolekit_t) +-files_read_etc_files(consolekit_t) files_read_usr_files(consolekit_t) -@@ -69,15 +75,17 @@ logging_send_audit_msgs(consolekit_t) + # needs to read /var/lib/dbus/machine-id + files_read_var_lib_files(consolekit_t) +@@ -69,15 +74,17 @@ logging_send_audit_msgs(consolekit_t) miscfiles_read_localization(consolekit_t) @@ -10562,7 +10727,7 @@ index 6f2896d..c202601 100644 ') optional_policy(` -@@ -97,7 +105,7 @@ optional_policy(` +@@ -97,7 +104,7 @@ optional_policy(` ') optional_policy(` @@ -10571,7 +10736,7 @@ index 6f2896d..c202601 100644 ') optional_policy(` -@@ -108,9 +116,10 @@ optional_policy(` +@@ -108,9 +115,10 @@ optional_policy(` ') optional_policy(` @@ -10584,7 +10749,7 @@ index 6f2896d..c202601 100644 xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) -@@ -126,6 +135,5 @@ optional_policy(` +@@ -126,6 +134,5 @@ optional_policy(` ') optional_policy(` 
@@ -10619,7 +10784,7 @@ index 3a6d7eb..bb32bf0 100644 +/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/corosync.if b/corosync.if -index 5220c9d..11e5dc4 100644 +index 5220c9d..25babd6 100644 --- a/corosync.if +++ b/corosync.if @@ -18,6 +18,25 @@ interface(`corosync_domtrans',` @@ -10648,7 +10813,15 @@ index 5220c9d..11e5dc4 100644 ####################################### ## ## Allow the specified domain to read corosync's log files. -@@ -58,6 +77,29 @@ interface(`corosync_stream_connect',` +@@ -52,12 +71,37 @@ interface(`corosync_read_log',` + interface(`corosync_stream_connect',` + gen_require(` + type corosync_t, corosync_var_run_t; ++ type corosync_var_lib_t; + ') + + files_search_pids($1) ++ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t) stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) ') @@ -10678,7 +10851,7 @@ index 5220c9d..11e5dc4 100644 ###################################### ## ## All of the rules required to administrate -@@ -80,11 +122,16 @@ interface(`corosyncd_admin',` +@@ -80,11 +124,16 @@ interface(`corosyncd_admin',` type corosync_t, corosync_var_lib_t, corosync_var_log_t; type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; type corosync_initrc_exec_t; @@ -10696,7 +10869,7 @@ index 5220c9d..11e5dc4 100644 init_labeled_script_domtrans($1, corosync_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; -@@ -103,4 +150,8 @@ interface(`corosyncd_admin',` +@@ -103,4 +152,8 @@ interface(`corosyncd_admin',` files_list_pids($1) admin_pattern($1, corosync_var_run_t) @@ -10706,7 +10879,7 @@ index 5220c9d..11e5dc4 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index 04969e5..a1944e6 100644 +index 04969e5..628bbf2 100644 --- a/corosync.te +++ b/corosync.te 
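Review bot: `corosync_stream_connect` in the inner hunk `@@ -52,12 +71,37 @@` now adds `stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)`, but the interface still only calls `files_search_pids($1)`; a caller reaching a socket under /var/lib also needs search on var_lib_t, so add `files_search_var_lib($1)` next to the existing search_pids line. Without it the new rule only works for callers that already happen to hold var_lib search, which hides the gap until a new caller (such as the pacemaker change this commit mentions) appears. If the interface's description block, which lies outside this hunk, only mentions the runtime socket, it should be updated to cover the var_lib socket as well.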
@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) @@ -10780,11 +10953,10 @@ index 04969e5..a1944e6 100644 corenet_udp_bind_netsupport_port(corosync_t) -@@ -73,9 +89,12 @@ dev_read_urand(corosync_t) +@@ -73,9 +89,11 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) -+files_read_etc_files(corosync_t) +files_read_usr_files(corosync_t) auth_use_nsswitch(corosync_t) @@ -10793,7 +10965,7 @@ index 04969e5..a1944e6 100644 init_read_script_state(corosync_t) init_rw_script_tmp_files(corosync_t) -@@ -83,19 +102,49 @@ logging_send_syslog_msg(corosync_t) +@@ -83,19 +101,49 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -11116,10 +11288,10 @@ index 0000000..3e17383 +') diff --git a/couchdb.te b/couchdb.te new file mode 100644 -index 0000000..4a80b5c +index 0000000..7fa117a --- /dev/null +++ b/couchdb.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,84 @@ +policy_module(couchdb, 1.0.0) + +######################################## @@ -11195,7 +11367,6 @@ index 0000000..4a80b5c + +domain_use_interactive_fds(couchdb_t) + -+files_read_etc_files(couchdb_t) +files_read_usr_files(couchdb_t) + +fs_getattr_xattr_fs(couchdb_t) @@ -11454,7 +11625,7 @@ index 3559a05..50c8036 100644 /var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0) diff --git a/cron.if b/cron.if -index 6e12dc7..bd94df7 100644 +index 6e12dc7..38dac8e 100644 --- a/cron.if +++ b/cron.if @@ -12,6 +12,11 @@ @@ -11497,7 +11668,7 @@ index 6e12dc7..bd94df7 100644 kernel_read_system_state($1_t) -@@ -50,6 +59,8 @@ template(`cron_common_crontab_template',` +@@ -50,20 +59,25 @@ template(`cron_common_crontab_template',` selinux_dontaudit_search_fs($1_t) fs_getattr_xattr_fs($1_t) @@ -11506,7 +11677,8 @@ index 6e12dc7..bd94df7 100644 domain_use_interactive_fds($1_t) -@@ -58,12 +69,16 @@ template(`cron_common_crontab_template',` +- files_read_etc_files($1_t) + files_read_usr_files($1_t) files_dontaudit_search_pids($1_t) auth_domtrans_chk_passwd($1_t) 
@@ -11523,7 +11695,7 @@ index 6e12dc7..bd94df7 100644 miscfiles_read_localization($1_t) -@@ -72,9 +87,10 @@ template(`cron_common_crontab_template',` +@@ -72,9 +86,10 @@ template(`cron_common_crontab_template',` userdom_manage_user_tmp_dirs($1_t) userdom_manage_user_tmp_files($1_t) # Access terminals. @@ -11535,7 +11707,7 @@ index 6e12dc7..bd94df7 100644 tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -101,10 +117,12 @@ template(`cron_common_crontab_template',` +@@ -101,10 +116,12 @@ template(`cron_common_crontab_template',` ## User domain for the role ## ## @@ -11548,7 +11720,7 @@ index 6e12dc7..bd94df7 100644 ') role $1 types { cronjob_t crontab_t }; -@@ -115,9 +133,20 @@ interface(`cron_role',` +@@ -115,9 +132,20 @@ interface(`cron_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, crontab_t) @@ -11570,7 +11742,7 @@ index 6e12dc7..bd94df7 100644 # Run helper programs as the user domain #corecmd_bin_domtrans(crontab_t, $2) -@@ -150,29 +179,21 @@ interface(`cron_role',` +@@ -150,29 +178,21 @@ interface(`cron_role',` ## User domain for the role ## ## @@ -11607,7 +11779,7 @@ index 6e12dc7..bd94df7 100644 optional_policy(` gen_require(` -@@ -180,9 +201,8 @@ interface(`cron_unconfined_role',` +@@ -180,9 +200,8 @@ interface(`cron_unconfined_role',` ') dbus_stub(unconfined_cronjob_t) @@ -11618,7 +11790,7 @@ index 6e12dc7..bd94df7 100644 ') ######################################## -@@ -199,6 +219,7 @@ interface(`cron_unconfined_role',` +@@ -199,6 +218,7 @@ interface(`cron_unconfined_role',` ## User domain for the role ## ## @@ -11626,7 +11798,7 @@ index 6e12dc7..bd94df7 100644 # interface(`cron_admin_role',` gen_require(` -@@ -219,7 +240,10 @@ interface(`cron_admin_role',` +@@ -219,7 +239,10 @@ interface(`cron_admin_role',` # crontab shows up in user ps ps_process_pattern($2, admin_crontab_t) 
@@ -11638,7 +11810,7 @@ index 6e12dc7..bd94df7 100644 # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) -@@ -263,6 +287,9 @@ interface(`cron_system_entry',` +@@ -263,6 +286,9 @@ interface(`cron_system_entry',` domtrans_pattern(crond_t, $2, $1) role system_r types $1; @@ -11648,7 +11820,7 @@ index 6e12dc7..bd94df7 100644 ') ######################################## -@@ -303,7 +330,7 @@ interface(`cron_exec',` +@@ -303,7 +329,7 @@ interface(`cron_exec',` ######################################## ## @@ -11657,7 +11829,7 @@ index 6e12dc7..bd94df7 100644 ## ## ## -@@ -321,6 +348,29 @@ interface(`cron_initrc_domtrans',` +@@ -321,6 +347,29 @@ interface(`cron_initrc_domtrans',` ######################################## ## @@ -11687,7 +11859,7 @@ index 6e12dc7..bd94df7 100644 ## Inherit and use a file descriptor ## from the cron daemon. ## -@@ -358,6 +408,24 @@ interface(`cron_sigchld',` +@@ -358,6 +407,24 @@ interface(`cron_sigchld',` ######################################## ## @@ -11712,7 +11884,7 @@ index 6e12dc7..bd94df7 100644 ## Read a cron daemon unnamed pipe. ## ## -@@ -376,6 +444,47 @@ interface(`cron_read_pipes',` +@@ -376,6 +443,47 @@ interface(`cron_read_pipes',` ######################################## ## @@ -11760,7 +11932,7 @@ index 6e12dc7..bd94df7 100644 ## Do not audit attempts to write cron daemon unnamed pipes. ## ## -@@ -407,7 +516,43 @@ interface(`cron_rw_pipes',` +@@ -407,7 +515,43 @@ interface(`cron_rw_pipes',` type crond_t; ') @@ -11805,7 +11977,7 @@ index 6e12dc7..bd94df7 100644 ') ######################################## -@@ -467,6 +612,25 @@ interface(`cron_search_spool',` +@@ -467,6 +611,25 @@ interface(`cron_search_spool',` ######################################## ## @@ -11831,7 +12003,7 @@ index 6e12dc7..bd94df7 100644 ## Manage pid files used by cron ## ## -@@ -480,6 +644,7 @@ interface(`cron_manage_pid_files',` +@@ -480,6 +643,7 @@ interface(`cron_manage_pid_files',` type crond_var_run_t; ') 
@@ -11839,7 +12011,7 @@ index 6e12dc7..bd94df7 100644 manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') -@@ -535,7 +700,7 @@ interface(`cron_write_system_job_pipes',` +@@ -535,7 +699,7 @@ interface(`cron_write_system_job_pipes',` type system_cronjob_t; ') @@ -11848,7 +12020,7 @@ index 6e12dc7..bd94df7 100644 ') ######################################## -@@ -553,7 +718,7 @@ interface(`cron_rw_system_job_pipes',` +@@ -553,7 +717,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') @@ -11857,7 +12029,7 @@ index 6e12dc7..bd94df7 100644 ') ######################################## -@@ -586,11 +751,14 @@ interface(`cron_rw_system_job_stream_sockets',` +@@ -586,11 +750,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -11873,7 +12045,7 @@ index 6e12dc7..bd94df7 100644 ') ######################################## -@@ -626,7 +794,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -626,7 +793,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -11922,7 +12094,7 @@ index 6e12dc7..bd94df7 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/cron.te b/cron.te -index b357856..de056ab 100644 +index b357856..3155d2a 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -12082,7 +12254,7 @@ index b357856..de056ab 100644 manage_files_pattern(crond_t, cron_log_t, cron_log_t) logging_log_filetrans(crond_t, cron_log_t, file) -@@ -187,12 +204,16 @@ fs_list_inotifyfs(crond_t) +@@ -187,27 +204,47 @@ fs_list_inotifyfs(crond_t) # need auth_chkpwd to check for locked accounts. auth_domtrans_chk_passwd(crond_t) 
@@ -12099,7 +12271,10 @@ index b357856..de056ab 100644 files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -203,11 +224,28 @@ files_list_usr(crond_t) +-files_read_etc_files(crond_t) + files_read_generic_spool(crond_t) + files_list_usr(crond_t) + # Read from /var/spool/cron. files_search_var_lib(crond_t) files_search_default(crond_t) @@ -12128,7 +12303,7 @@ index b357856..de056ab 100644 logging_send_syslog_msg(crond_t) logging_set_loginuid(crond_t) -@@ -220,20 +258,23 @@ miscfiles_read_localization(crond_t) +@@ -220,20 +257,23 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -12157,7 +12332,7 @@ index b357856..de056ab 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -241,7 +282,7 @@ ifdef(`distro_redhat', ` +@@ -241,7 +281,7 @@ ifdef(`distro_redhat', ` ') ') @@ -12166,7 +12341,7 @@ index b357856..de056ab 100644 files_polyinstantiate_all(crond_t) ') -@@ -250,11 +291,27 @@ tunable_policy(`fcron_crond', ` +@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', ` ') optional_policy(` @@ -12194,7 +12369,7 @@ index b357856..de056ab 100644 amanda_search_var_lib(crond_t) ') -@@ -264,6 +321,8 @@ optional_policy(` +@@ -264,6 +320,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -12203,7 +12378,7 @@ index b357856..de056ab 100644 ') optional_policy(` -@@ -286,15 +345,25 @@ optional_policy(` +@@ -286,15 +344,25 @@ optional_policy(` ') optional_policy(` 
@@ -12229,7 +12404,7 @@ index b357856..de056ab 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -306,10 +375,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -12250,7 +12425,7 @@ index b357856..de056ab 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -329,6 +407,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -12258,7 +12433,7 @@ index b357856..de056ab 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,11 +419,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -340,11 +418,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -12276,7 +12451,7 @@ index b357856..de056ab 100644 kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) -@@ -365,6 +449,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) 
@@ -12284,7 +12459,15 @@ index b357856..de056ab 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -391,6 +476,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -376,7 +460,6 @@ fs_getattr_all_sockets(system_cronjob_t) + domain_dontaudit_read_all_domains_state(system_cronjob_t) + + files_exec_etc_files(system_cronjob_t) +-files_read_etc_files(system_cronjob_t) + files_read_etc_runtime_files(system_cronjob_t) + files_list_all(system_cronjob_t) + files_getattr_all_dirs(system_cronjob_t) +@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -12292,7 +12475,7 @@ index b357856..de056ab 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +499,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +497,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -12304,7 +12487,7 @@ index b357856..de056ab 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +527,8 @@ optional_policy(` +@@ -439,6 +525,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -12313,7 +12496,7 @@ index b357856..de056ab 100644 ') optional_policy(` -@@ -446,6 +536,14 @@ optional_policy(` +@@ -446,6 +534,14 @@ optional_policy(` ') optional_policy(` @@ -12328,7 +12511,7 @@ index b357856..de056ab 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,6 +554,10 @@ optional_policy(` +@@ -456,6 +552,10 @@ optional_policy(` ') optional_policy(` @@ -12339,7 +12522,7 @@ index b357856..de056ab 100644 lpd_list_spool(system_cronjob_t) ') -@@ -464,7 +566,9 @@ optional_policy(` +@@ -464,7 +564,9 @@ optional_policy(` ') optional_policy(` 
@@ -12349,7 +12532,7 @@ index b357856..de056ab 100644 ') optional_policy(` -@@ -472,6 +576,10 @@ optional_policy(` +@@ -472,6 +574,10 @@ optional_policy(` ') optional_policy(` @@ -12360,7 +12543,7 @@ index b357856..de056ab 100644 postfix_read_config(system_cronjob_t) ') -@@ -480,7 +588,7 @@ optional_policy(` +@@ -480,7 +586,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -12369,7 +12552,7 @@ index b357856..de056ab 100644 ') optional_policy(` -@@ -495,6 +603,7 @@ optional_policy(` +@@ -495,6 +601,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -12377,7 +12560,7 @@ index b357856..de056ab 100644 ') optional_policy(` -@@ -502,7 +611,18 @@ optional_policy(` +@@ -502,7 +609,18 @@ optional_policy(` ') optional_policy(` @@ -12396,7 +12579,7 @@ index b357856..de056ab 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +715,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +713,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -12990,7 +13173,7 @@ index 305ddf4..11d010a 100644 + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat") ') diff --git a/cups.te b/cups.te -index 6e7f1b6..a699948 100644 +index 6e7f1b6..f8cf711 100644 --- a/cups.te +++ b/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) 
@@ -13059,13 +13242,13 @@ index 6e7f1b6..a699948 100644 term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -@@ -220,11 +228,13 @@ corecmd_exec_bin(cupsd_t) +@@ -220,11 +228,12 @@ corecmd_exec_bin(cupsd_t) domain_use_interactive_fds(cupsd_t) +files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) - files_read_etc_files(cupsd_t) +-files_read_etc_files(cupsd_t) files_read_etc_runtime_files(cupsd_t) # read python modules files_read_usr_files(cupsd_t) @@ -13073,7 +13256,7 @@ index 6e7f1b6..a699948 100644 # for /var/lib/defoma files_read_var_lib_files(cupsd_t) files_list_world_readable(cupsd_t) -@@ -270,12 +280,6 @@ files_dontaudit_list_home(cupsd_t) +@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) @@ -13086,7 +13269,7 @@ index 6e7f1b6..a699948 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -287,6 +291,8 @@ optional_policy(` +@@ -287,6 +290,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -13095,7 +13278,7 @@ index 6e7f1b6..a699948 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -297,8 +303,10 @@ optional_policy(` +@@ -297,8 +302,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -13106,7 +13289,7 @@ index 6e7f1b6..a699948 100644 ') ') -@@ -311,10 +319,23 @@ optional_policy(` +@@ -311,10 +318,23 @@ optional_policy(` ') optional_policy(` @@ -13130,7 +13313,7 @@ index 6e7f1b6..a699948 100644 mta_send_mail(cupsd_t) ') -@@ -322,6 +343,8 @@ optional_policy(` +@@ -322,6 +342,8 @@ optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) 
@@ -13139,7 +13322,7 @@ index 6e7f1b6..a699948 100644 ') optional_policy(` -@@ -371,8 +394,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -13150,7 +13333,15 @@ index 6e7f1b6..a699948 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -407,7 +430,6 @@ domain_use_interactive_fds(cupsd_config_t) + domain_dontaudit_search_all_domains_state(cupsd_config_t) + + files_read_usr_files(cupsd_config_t) +-files_read_etc_files(cupsd_config_t) + files_read_etc_runtime_files(cupsd_config_t) + files_read_var_symlinks(cupsd_config_t) + +@@ -425,11 +447,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -13164,7 +13355,7 @@ index 6e7f1b6..a699948 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +477,10 @@ optional_policy(` +@@ -453,6 +475,10 @@ optional_policy(` ') optional_policy(` @@ -13175,7 +13366,7 @@ index 6e7f1b6..a699948 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +495,10 @@ optional_policy(` +@@ -467,6 +493,10 @@ optional_policy(` ') optional_policy(` @@ -13186,7 +13377,7 @@ index 6e7f1b6..a699948 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -537,13 +567,13 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) 
@@ -13194,7 +13385,22 @@ index 6e7f1b6..a699948 100644 dev_read_urand(cupsd_lpd_t) dev_read_rand(cupsd_lpd_t) -@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t) + + fs_getattr_xattr_fs(cupsd_lpd_t) + +-files_read_etc_files(cupsd_lpd_t) + + auth_use_nsswitch(cupsd_lpd_t) + +@@ -577,7 +607,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t) + + kernel_read_system_state(cups_pdf_t) + +-files_read_etc_files(cups_pdf_t) + files_read_usr_files(cups_pdf_t) + + corecmd_exec_shell(cups_pdf_t) +@@ -587,23 +616,22 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -13227,7 +13433,7 @@ index 6e7f1b6..a699948 100644 ') ######################################## -@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t) +@@ -661,10 +689,10 @@ corenet_tcp_bind_generic_node(hplip_t) corenet_udp_bind_generic_node(hplip_t) corenet_tcp_bind_hplip_port(hplip_t) corenet_tcp_connect_hplip_port(hplip_t) @@ -13241,8 +13447,11 @@ index 6e7f1b6..a699948 100644 dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t) - files_read_etc_files(hplip_t) +@@ -682,9 +710,11 @@ corecmd_exec_bin(hplip_t) + + domain_use_interactive_fds(hplip_t) + +-files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) +files_dontaudit_write_usr_dirs(hplip_t) @@ -13251,7 +13460,7 @@ index 6e7f1b6..a699948 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) 
@@ -13264,6 +13473,14 @@ index 6e7f1b6..a699948 100644 optional_policy(` dbus_system_bus_client(hplip_t) +@@ -760,7 +792,6 @@ fs_search_auto_mountpoints(ptal_t) + + domain_use_interactive_fds(ptal_t) + +-files_read_etc_files(ptal_t) + files_read_etc_runtime_files(ptal_t) + + logging_send_syslog_msg(ptal_t) diff --git a/cvs.if b/cvs.if index c43ff4c..5da88b5 100644 --- a/cvs.if @@ -13314,7 +13531,7 @@ index c43ff4c..5da88b5 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) diff --git a/cvs.te b/cvs.te -index 88e7e97..08d7ec0 100644 +index 88e7e97..4742d3a 100644 --- a/cvs.te +++ b/cvs.te @@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0) @@ -13340,7 +13557,12 @@ index 88e7e97..08d7ec0 100644 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) -@@ -81,6 +81,8 @@ files_read_etc_runtime_files(cvs_t) +@@ -76,11 +76,12 @@ auth_use_nsswitch(cvs_t) + corecmd_exec_bin(cvs_t) + corecmd_exec_shell(cvs_t) + +-files_read_etc_files(cvs_t) + files_read_etc_runtime_files(cvs_t) # for identd; cjp: this should probably only be inetd_child rules? files_search_home(cvs_t) @@ -13349,7 +13571,7 @@ index 88e7e97..08d7ec0 100644 logging_send_syslog_msg(cvs_t) logging_send_audit_msgs(cvs_t) -@@ -88,9 +90,11 @@ miscfiles_read_localization(cvs_t) +@@ -88,9 +89,11 @@ miscfiles_read_localization(cvs_t) mta_send_mail(cvs_t) @@ -13362,7 +13584,7 @@ index 88e7e97..08d7ec0 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -112,4 +116,5 @@ optional_policy(` +@@ -112,4 +115,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -13388,7 +13610,7 @@ index e4e86d0..7c30655 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; 
diff --git a/cyrus.te b/cyrus.te -index a531e6f..6b0ffc2 100644 +index a531e6f..ec075b8 100644 --- a/cyrus.te +++ b/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) @@ -13408,7 +13630,15 @@ index a531e6f..6b0ffc2 100644 corenet_tcp_bind_pop_port(cyrus_t) corenet_tcp_bind_sieve_port(cyrus_t) corenet_tcp_connect_all_ports(cyrus_t) -@@ -119,6 +120,10 @@ optional_policy(` +@@ -93,7 +94,6 @@ corecmd_exec_bin(cyrus_t) + domain_use_interactive_fds(cyrus_t) + + files_list_var_lib(cyrus_t) +-files_read_etc_files(cyrus_t) + files_read_etc_runtime_files(cyrus_t) + files_read_usr_files(cyrus_t) + +@@ -119,6 +119,10 @@ optional_policy(` ') optional_policy(` @@ -13419,7 +13649,7 @@ index a531e6f..6b0ffc2 100644 kerberos_keytab_template(cyrus, cyrus_t) ') -@@ -135,6 +140,7 @@ optional_policy(` +@@ -135,6 +139,7 @@ optional_policy(` ') optional_policy(` @@ -13530,6 +13760,18 @@ index 1875064..2adc35f 100644 +optional_policy(` + sudo_role_template(dbadm, dbadm_r, dbadm_t) +') +diff --git a/dbskk.te b/dbskk.te +index 1445f97..f874b4d 100644 +--- a/dbskk.te ++++ b/dbskk.te +@@ -60,7 +60,6 @@ dev_read_urand(dbskkd_t) + + fs_getattr_xattr_fs(dbskkd_t) + +-files_read_etc_files(dbskkd_t) + + auth_use_nsswitch(dbskkd_t) + diff --git a/dbus.fc b/dbus.fc index e6345ce..31f269b 100644 --- a/dbus.fc @@ -13896,7 +14138,7 @@ index fb4bf82..115133d 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 8e7ba54..088e2ca 100644 +index 8e7ba54..9201358 100644 --- a/dbus.te +++ b/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -13948,7 +14190,7 @@ index 8e7ba54..088e2ca 100644 fs_getattr_all_fs(system_dbusd_t) fs_list_inotifyfs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) -@@ -110,6 +115,8 @@ auth_read_pam_console_data(system_dbusd_t) +@@ -110,17 +115,20 @@ auth_read_pam_console_data(system_dbusd_t) corecmd_list_bin(system_dbusd_t) corecmd_read_bin_pipes(system_dbusd_t) corecmd_read_bin_sockets(system_dbusd_t) 
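Review bot: In the inner `@@ -93,7 +94,6 @@` hunk `files_read_etc_files(cyrus_t)` is removed, but no cyrus-specific type for the daemon's /etc configuration appears anywhere in the visible cyrus.te context, so if imapd.conf and cyrus.conf are plain etc_t the daemon can only still read them if an interface outside this hunk grants etc_t. Worth confirming with a quick `sesearch -A -s cyrus_t -t etc_t -c file` on the built policy; if the read is intentionally coming from elsewhere, note it inline (`# etc_t config reads are granted by the nsswitch interface`) so the omission reads as deliberate. The cyrus_t section continues outside the hunk.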
@@ -13957,7 +14199,10 @@ index 8e7ba54..088e2ca 100644 domain_use_interactive_fds(system_dbusd_t) domain_read_all_domains_state(system_dbusd_t) -@@ -120,7 +127,9 @@ files_read_usr_files(system_dbusd_t) + +-files_read_etc_files(system_dbusd_t) + files_list_home(system_dbusd_t) + files_read_usr_files(system_dbusd_t) init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -13967,7 +14212,7 @@ index 8e7ba54..088e2ca 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -135,11 +144,27 @@ seutil_sigchld_newrole(system_dbusd_t) +@@ -135,11 +143,27 @@ seutil_sigchld_newrole(system_dbusd_t) userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) @@ -13995,7 +14240,7 @@ index 8e7ba54..088e2ca 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -150,12 +175,161 @@ optional_policy(` +@@ -150,12 +174,160 @@ optional_policy(` ') optional_policy(` @@ -14094,7 +14339,6 @@ index 8e7ba54..088e2ca 100644 +domain_use_interactive_fds(session_bus_type) +domain_read_all_domains_state(session_bus_type) + -+files_read_etc_files(session_bus_type) +files_list_home(session_bus_type) +files_read_usr_files(session_bus_type) +files_dontaudit_search_var(session_bus_type) @@ -14170,7 +14414,7 @@ index 784753e..bf65e7d 100644 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te -index 5178337..b309a53 100644 +index 5178337..d83413e 100644 --- a/dcc.te +++ b/dcc.te @@ -36,7 +36,7 @@ type dcc_var_t; 
@@ -14182,7 +14426,15 @@ index 5178337..b309a53 100644 type dccd_t; type dccd_exec_t; -@@ -110,7 +110,7 @@ logging_send_syslog_msg(cdcc_t) +@@ -101,7 +101,6 @@ corenet_udp_sendrecv_generic_if(cdcc_t) + corenet_udp_sendrecv_generic_node(cdcc_t) + corenet_udp_sendrecv_all_ports(cdcc_t) + +-files_read_etc_files(cdcc_t) + files_read_etc_runtime_files(cdcc_t) + + auth_use_nsswitch(cdcc_t) +@@ -110,7 +109,7 @@ logging_send_syslog_msg(cdcc_t) miscfiles_read_localization(cdcc_t) @@ -14191,7 +14443,15 @@ index 5178337..b309a53 100644 ######################################## # -@@ -152,7 +152,7 @@ logging_send_syslog_msg(dcc_client_t) +@@ -141,7 +140,6 @@ corenet_udp_sendrecv_generic_node(dcc_client_t) + corenet_udp_sendrecv_all_ports(dcc_client_t) + corenet_udp_bind_generic_node(dcc_client_t) + +-files_read_etc_files(dcc_client_t) + files_read_etc_runtime_files(dcc_client_t) + + fs_getattr_all_fs(dcc_client_t) +@@ -152,7 +150,7 @@ logging_send_syslog_msg(dcc_client_t) miscfiles_read_localization(dcc_client_t) @@ -14200,7 +14460,15 @@ index 5178337..b309a53 100644 optional_policy(` amavis_read_spool_files(dcc_client_t) -@@ -197,7 +197,7 @@ logging_send_syslog_msg(dcc_dbclean_t) +@@ -188,7 +186,6 @@ corenet_udp_sendrecv_generic_if(dcc_dbclean_t) + corenet_udp_sendrecv_generic_node(dcc_dbclean_t) + corenet_udp_sendrecv_all_ports(dcc_dbclean_t) + +-files_read_etc_files(dcc_dbclean_t) + files_read_etc_runtime_files(dcc_dbclean_t) + + auth_use_nsswitch(dcc_dbclean_t) +@@ -197,7 +194,7 @@ logging_send_syslog_msg(dcc_dbclean_t) miscfiles_read_localization(dcc_dbclean_t) 
@@ -14209,6 +14477,30 @@ index 5178337..b309a53 100644 ######################################## # +@@ -251,7 +248,6 @@ dev_read_sysfs(dccd_t) + + domain_use_interactive_fds(dccd_t) + +-files_read_etc_files(dccd_t) + files_read_etc_runtime_files(dccd_t) + + fs_getattr_all_fs(dccd_t) +@@ -316,7 +312,6 @@ dev_read_sysfs(dccifd_t) + + domain_use_interactive_fds(dccifd_t) + +-files_read_etc_files(dccifd_t) + files_read_etc_runtime_files(dccifd_t) + + fs_getattr_all_fs(dccifd_t) +@@ -380,7 +375,6 @@ dev_read_sysfs(dccm_t) + + domain_use_interactive_fds(dccm_t) + +-files_read_etc_files(dccm_t) + files_read_etc_runtime_files(dccm_t) + + fs_getattr_all_fs(dccm_t) diff --git a/ddclient.if b/ddclient.if index 0a1a61b..64742c6 100644 --- a/ddclient.if @@ -14371,7 +14663,7 @@ index 567865f..b5e9376 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te -index 8ba9425..02f4190 100644 +index 8ba9425..b06678c 100644 --- a/denyhosts.te +++ b/denyhosts.te @@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t) @@ -14396,7 +14688,7 @@ index 8ba9425..02f4190 100644 corecmd_exec_bin(denyhosts_t) corenet_all_recvfrom_unlabeled(denyhosts_t) -@@ -53,20 +59,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) +@@ -53,20 +59,29 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) @@ -14405,7 +14697,7 @@ index 8ba9425..02f4190 100644 dev_read_urand(denyhosts_t) - files_read_etc_files(denyhosts_t) +-files_read_etc_files(denyhosts_t) +files_read_usr_files(denyhosts_t) + +auth_use_nsswitch(denyhosts_t) @@ -14755,7 +15047,7 @@ index f706b99..aa049fc 100644 + #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 1819518..04bd8a8 100644 +index 1819518..b2dd360 100644 --- a/devicekit.te +++ b/devicekit.te @@ -8,14 +8,17 @@ policy_module(devicekit, 1.2.0) 
@@ -14786,7 +15078,15 @@ index 1819518..04bd8a8 100644 ######################################## # # DeviceKit local policy -@@ -62,7 +68,8 @@ optional_policy(` +@@ -42,7 +48,6 @@ kernel_read_system_state(devicekit_t) + dev_read_sysfs(devicekit_t) + dev_read_urand(devicekit_t) + +-files_read_etc_files(devicekit_t) + + miscfiles_read_localization(devicekit_t) + +@@ -62,7 +67,8 @@ optional_policy(` # DeviceKit disk local policy # @@ -14796,7 +15096,7 @@ index 1819518..04bd8a8 100644 allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -75,10 +82,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -75,10 +81,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -14811,7 +15111,7 @@ index 1819518..04bd8a8 100644 kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) -@@ -97,6 +108,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) +@@ -97,6 +107,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) @@ -14819,7 +15119,7 @@ index 1819518..04bd8a8 100644 domain_getattr_all_pipes(devicekit_disk_t) domain_getattr_all_sockets(devicekit_disk_t) -@@ -105,14 +117,17 @@ domain_read_all_domains_state(devicekit_disk_t) +@@ -105,14 +116,16 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) 
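Review bot: After `files_read_etc_files(devicekit_t)` is dropped in the inner `@@ -42,7 +48,6 @@` hunk, the rules left in view for devicekit_t (`dev_read_sysfs`, `dev_read_urand`, `miscfiles_read_localization`) grant nothing on etc_t, and unlike the denyhosts and dovecot domains elsewhere in this patch there is no `auth_use_nsswitch(devicekit_t)` visible to take over. If the daemon still opens any plain etc_t file the result is a denial at start rather than a tightening, so either confirm the replacement grant exists for this domain or leave a comment such as `# no etc_t read needed: configuration comes from the dbus activation only` (hedged — I cannot see what devicekit_t reads). The devicekit_t section continues outside the hunk.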
@@ -14830,7 +15130,7 @@ index 1819518..04bd8a8 100644 +files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) - files_read_etc_files(devicekit_disk_t) +-files_read_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) files_read_usr_files(devicekit_disk_t) @@ -14838,7 +15138,7 @@ index 1819518..04bd8a8 100644 fs_list_inotifyfs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) -@@ -127,14 +142,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -127,14 +140,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -14857,7 +15157,7 @@ index 1819518..04bd8a8 100644 optional_policy(` dbus_system_bus_client(devicekit_disk_t) -@@ -170,6 +188,10 @@ optional_policy(` +@@ -170,6 +186,10 @@ optional_policy(` ') optional_policy(` @@ -14868,7 +15168,7 @@ index 1819518..04bd8a8 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -178,55 +200,85 @@ optional_policy(` +@@ -178,55 +198,84 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -14936,7 +15236,7 @@ index 1819518..04bd8a8 100644 +dev_getattr_all_chr_files(devicekit_power_t) files_read_kernel_img(devicekit_power_t) - files_read_etc_files(devicekit_power_t) +-files_read_etc_files(devicekit_power_t) +files_read_etc_runtime_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) +files_dontaudit_list_mnt(devicekit_power_t) @@ -14959,7 +15259,7 @@ index 1819518..04bd8a8 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,7 +287,12 @@ optional_policy(` +@@ -235,7 +284,12 @@ optional_policy(` ') optional_policy(` @@ -14972,7 +15272,7 @@ index 1819518..04bd8a8 100644 ') optional_policy(` -@@ -261,14 +318,21 @@ optional_policy(` +@@ -261,14 +315,21 @@ optional_policy(` ') optional_policy(` 
@@ -14995,7 +15295,7 @@ index 1819518..04bd8a8 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +340,31 @@ optional_policy(` +@@ -276,9 +337,31 @@ optional_policy(` ') optional_policy(` @@ -15117,7 +15417,7 @@ index 5e2cea8..2ab8a14 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index 54b794f..6d3ed6e 100644 +index 54b794f..def601e 100644 --- a/dhcp.te +++ b/dhcp.te @@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -15151,7 +15451,15 @@ index 54b794f..6d3ed6e 100644 corenet_udp_bind_all_unreserved_ports(dhcpd_t) dev_read_sysfs(dhcpd_t) -@@ -110,12 +113,21 @@ sysnet_read_dhcp_config(dhcpd_t) +@@ -94,7 +97,6 @@ corecmd_exec_bin(dhcpd_t) + + domain_use_interactive_fds(dhcpd_t) + +-files_read_etc_files(dhcpd_t) + files_read_usr_files(dhcpd_t) + files_read_etc_runtime_files(dhcpd_t) + files_search_var_lib(dhcpd_t) +@@ -110,12 +112,21 @@ sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) userdom_dontaudit_search_user_home_dirs(dhcpd_t) @@ -15193,10 +15501,17 @@ index a0d23ce..83a7ca5 100644 init_labeled_script_domtrans($1, dictd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/dictd.te b/dictd.te -index d2d9359..ee10625 100644 +index d2d9359..c0e30db 100644 --- a/dictd.te +++ b/dictd.te -@@ -73,23 +73,15 @@ files_search_var_lib(dictd_t) +@@ -66,30 +66,21 @@ fs_search_auto_mountpoints(dictd_t) + + domain_use_interactive_fds(dictd_t) + +-files_read_etc_files(dictd_t) + files_read_etc_runtime_files(dictd_t) + files_read_usr_files(dictd_t) + files_search_var_lib(dictd_t) # for checking for nscd files_dontaudit_search_pids(dictd_t) @@ -16249,7 +16564,7 @@ index 9bd812b..53f895e 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index fdaeeba..1a2a666 100644 +index fdaeeba..fa7f1b8 100644 --- a/dnsmasq.te +++ b/dnsmasq.te 
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -16278,7 +16593,15 @@ index fdaeeba..1a2a666 100644 corenet_all_recvfrom_unlabeled(dnsmasq_t) corenet_all_recvfrom_netlabel(dnsmasq_t) -@@ -88,6 +94,8 @@ logging_send_syslog_msg(dnsmasq_t) +@@ -76,7 +82,6 @@ dev_read_urand(dnsmasq_t) + + domain_use_interactive_fds(dnsmasq_t) + +-files_read_etc_files(dnsmasq_t) + files_read_etc_runtime_files(dnsmasq_t) + + fs_getattr_all_fs(dnsmasq_t) +@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t) miscfiles_read_localization(dnsmasq_t) @@ -16287,7 +16610,7 @@ index fdaeeba..1a2a666 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -96,7 +104,20 @@ optional_policy(` +@@ -96,7 +103,20 @@ optional_policy(` ') optional_policy(` @@ -16308,7 +16631,7 @@ index fdaeeba..1a2a666 100644 ') optional_policy(` -@@ -113,5 +134,7 @@ optional_policy(` +@@ -113,5 +133,7 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -16610,7 +16933,7 @@ index e1d7dc5..df96c0d 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/dovecot.te b/dovecot.te -index 2df7766..d536976 100644 +index 2df7766..479b994 100644 --- a/dovecot.te +++ b/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -16686,7 +17009,14 @@ index 2df7766..d536976 100644 corenet_tcp_bind_sieve_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -@@ -135,6 +143,7 @@ files_dontaudit_list_default(dovecot_t) +@@ -128,13 +136,13 @@ corecmd_exec_bin(dovecot_t) + + domain_use_interactive_fds(dovecot_t) + +-files_read_etc_files(dovecot_t) + files_search_spool(dovecot_t) + files_search_tmp(dovecot_t) + files_dontaudit_list_default(dovecot_t) # Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_t) files_search_all_mountpoints(dovecot_t) 
@@ -16694,7 +17024,7 @@ index 2df7766..d536976 100644 init_getattr_utmp(dovecot_t) -@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t) +@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t) miscfiles_read_generic_certs(dovecot_t) miscfiles_read_localization(dovecot_t) @@ -16702,7 +17032,7 @@ index 2df7766..d536976 100644 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) -@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t) +@@ -153,6 +162,7 @@ userdom_manage_user_home_content_pipes(dovecot_t) userdom_manage_user_home_content_sockets(dovecot_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) @@ -16710,7 +17040,7 @@ index 2df7766..d536976 100644 mta_manage_spool(dovecot_t) optional_policy(` -@@ -160,10 +171,24 @@ optional_policy(` +@@ -160,10 +170,24 @@ optional_policy(` ') optional_policy(` @@ -16735,7 +17065,7 @@ index 2df7766..d536976 100644 seutil_sigchld_newrole(dovecot_t) ') -@@ -180,8 +205,8 @@ optional_policy(` +@@ -180,8 +204,8 @@ optional_policy(` # dovecot auth local policy # @@ -16746,7 +17076,7 @@ index 2df7766..d536976 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +214,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) 
@@ -16756,7 +17086,7 @@ index 2df7766..d536976 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,22 +228,25 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) @@ -16769,7 +17099,12 @@ index 2df7766..d536976 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t) + auth_use_nsswitch(dovecot_auth_t) + +-files_read_etc_files(dovecot_auth_t) + files_read_etc_runtime_files(dovecot_auth_t) + files_search_pids(dovecot_auth_t) + files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) @@ -16779,7 +17114,7 @@ index 2df7766..d536976 100644 init_rw_utmp(dovecot_auth_t) -@@ -236,6 +268,8 @@ optional_policy(` +@@ -236,6 +266,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -16788,7 +17123,7 @@ index 2df7766..d536976 100644 ') optional_policy(` -@@ -243,6 +277,8 @@ optional_policy(` +@@ -243,6 +275,8 @@ optional_policy(` ') optional_policy(` @@ -16797,7 +17132,7 @@ index 2df7766..d536976 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +286,42 @@ optional_policy(` +@@ -250,23 +284,42 @@ optional_policy(` # # dovecot deliver local policy # 
@@ -16821,6 +17156,7 @@ index 2df7766..d536976 100644 +files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) + allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; ++read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) +read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) +dovecot_stream_connect(dovecot_deliver_t) + @@ -16829,9 +17165,9 @@ index 2df7766..d536976 100644 kernel_read_all_sysctls(dovecot_deliver_t) kernel_read_system_state(dovecot_deliver_t) +-files_read_etc_files(dovecot_deliver_t) +corecmd_exec_bin(dovecot_deliver_t) + - files_read_etc_files(dovecot_deliver_t) files_read_etc_runtime_files(dovecot_deliver_t) auth_use_nsswitch(dovecot_deliver_t) @@ -16842,7 +17178,7 @@ index 2df7766..d536976 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -283,24 +338,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +336,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) @@ -17542,10 +17878,10 @@ index 0000000..a446210 +') diff --git a/dspam.te b/dspam.te new file mode 100644 -index 0000000..d409571 +index 0000000..fe2a993 --- /dev/null +++ b/dspam.te -@@ -0,0 +1,95 @@ +@@ -0,0 +1,94 @@ + +policy_module(dspam, 1.0.0) + @@ -17602,7 +17938,6 @@ index 0000000..d409571 +# need to add the port tcp/10026 to corenetwork.te.in +#allow dspam_t port_t:tcp_socket name_connect; + -+files_read_etc_files(dspam_t) + +auth_use_nsswitch(dspam_t) + @@ -17642,10 +17977,18 @@ index 0000000..d409571 +') + diff --git a/entropyd.te b/entropyd.te -index b6ac808..053caed 100644 +index b6ac808..63ba594 100644 --- a/entropyd.te 
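Review bot: The added `read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)` grants read on every file carrying that type under the dovecot runtime directory, not just the one deliver evidently needs, and the hunk gives no hint which file that is or why the existing `read_sock_files_pattern` plus `dovecot_stream_connect` were insufficient. A one-line comment naming the file (`# dovecot-lda reads <file> under /var/run/dovecot at startup`) would let the grant be narrowed to a dedicated type later and documents the intent for a domain that is presumably entered from the MTA domains. The dovecot deliver section continues outside the hunk.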
+++ b/entropyd.te -@@ -52,6 +52,8 @@ domain_use_interactive_fds(entropyd_t) +@@ -42,7 +42,6 @@ dev_write_urand(entropyd_t) + dev_read_rand(entropyd_t) + dev_write_rand(entropyd_t) + +-files_read_etc_files(entropyd_t) + files_read_usr_files(entropyd_t) + + fs_getattr_all_fs(entropyd_t) +@@ -52,6 +51,8 @@ domain_use_interactive_fds(entropyd_t) logging_send_syslog_msg(entropyd_t) @@ -17655,10 +17998,17 @@ index b6ac808..053caed 100644 userdom_dontaudit_use_unpriv_user_fds(entropyd_t) diff --git a/evolution.te b/evolution.te -index 73cb712..61483ec 100644 +index 73cb712..14f0228 100644 --- a/evolution.te +++ b/evolution.te -@@ -188,6 +188,8 @@ files_read_var_files(evolution_t) +@@ -181,13 +181,14 @@ dev_read_urand(evolution_t) + + domain_dontaudit_read_all_domains_state(evolution_t) + +-files_read_etc_files(evolution_t) + files_read_usr_files(evolution_t) + files_read_usr_symlinks(evolution_t) + files_read_var_files(evolution_t) fs_search_auto_mountpoints(evolution_t) @@ -17667,7 +18017,7 @@ index 73cb712..61483ec 100644 logging_send_syslog_msg(evolution_t) miscfiles_read_localization(evolution_t) -@@ -201,7 +203,7 @@ userdom_rw_user_tmp_files(evolution_t) +@@ -201,7 +202,7 @@ userdom_rw_user_tmp_files(evolution_t) userdom_manage_user_tmp_dirs(evolution_t) userdom_manage_user_tmp_sockets(evolution_t) userdom_manage_user_tmp_files(evolution_t) @@ -17676,7 +18026,12 @@ index 73cb712..61483ec 100644 # FIXME: suppress access to .local/.icons/.themes until properly implemented # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization) # until properly implemented -@@ -362,6 +364,8 @@ files_read_usr_files(evolution_alarm_t) +@@ -357,11 +358,12 @@ allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write; + + dev_read_urand(evolution_alarm_t) + +-files_read_etc_files(evolution_alarm_t) + files_read_usr_files(evolution_alarm_t) fs_search_auto_mountpoints(evolution_alarm_t) 
@@ -17685,7 +18040,13 @@ index 73cb712..61483ec 100644 miscfiles_read_localization(evolution_alarm_t) # Access evolution home -@@ -445,6 +449,8 @@ files_read_usr_files(evolution_exchange_t) +@@ -439,12 +441,13 @@ corecmd_exec_bin(evolution_exchange_t) + + dev_read_urand(evolution_exchange_t) + +-files_read_etc_files(evolution_exchange_t) + files_read_usr_files(evolution_exchange_t) + # Access evolution home fs_search_auto_mountpoints(evolution_exchange_t) @@ -17694,7 +18055,13 @@ index 73cb712..61483ec 100644 miscfiles_read_localization(evolution_exchange_t) userdom_write_user_tmp_sockets(evolution_exchange_t) -@@ -525,6 +531,8 @@ files_read_usr_files(evolution_server_t) +@@ -519,12 +522,13 @@ corenet_sendrecv_http_cache_client_packets(evolution_server_t) + + dev_read_urand(evolution_server_t) + +-files_read_etc_files(evolution_server_t) + # Obtain weather data via http (read server name from xml file in /usr) + files_read_usr_files(evolution_server_t) fs_search_auto_mountpoints(evolution_server_t) @@ -17703,7 +18070,7 @@ index 73cb712..61483ec 100644 miscfiles_read_localization(evolution_server_t) # Look in /etc/pki miscfiles_read_generic_certs(evolution_server_t) -@@ -586,7 +594,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t) +@@ -586,7 +590,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t) corenet_sendrecv_http_client_packets(evolution_webcal_t) corenet_sendrecv_http_cache_client_packets(evolution_webcal_t) @@ -17832,7 +18199,7 @@ index 6bef7f8..ba138e8 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/exim.te b/exim.te -index f28f64b..681d083 100644 +index f28f64b..6a30d96 100644 --- a/exim.te +++ b/exim.te @@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t) 
@@ -17860,15 +18227,16 @@ index f28f64b..681d083 100644 corecmd_search_bin(exim_t) -@@ -108,6 +111,7 @@ domain_use_interactive_fds(exim_t) +@@ -108,7 +111,7 @@ domain_use_interactive_fds(exim_t) files_search_usr(exim_t) files_search_var(exim_t) +-files_read_etc_files(exim_t) +files_read_usr_files(exim_t) - files_read_etc_files(exim_t) files_read_etc_runtime_files(exim_t) files_getattr_all_mountpoints(exim_t) -@@ -162,6 +166,10 @@ optional_policy(` + +@@ -162,6 +165,10 @@ optional_policy(` ') optional_policy(` @@ -17879,7 +18247,7 @@ index f28f64b..681d083 100644 kerberos_keytab_template(exim, exim_t) ') -@@ -171,6 +179,10 @@ optional_policy(` +@@ -171,6 +178,10 @@ optional_policy(` ') optional_policy(` @@ -17890,7 +18258,7 @@ index f28f64b..681d083 100644 tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') -@@ -184,6 +196,7 @@ optional_policy(` +@@ -184,6 +195,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -17999,7 +18367,7 @@ index f590a1f..b1b13b0 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/fail2ban.te b/fail2ban.te -index 2a69e5e..78841e5 100644 +index 2a69e5e..64f9d4f 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) @@ -18045,15 +18413,17 @@ index 2a69e5e..78841e5 100644 kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) -@@ -66,6 +78,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) +@@ -66,8 +78,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) +domain_dontaudit_read_all_domains_state(fail2ban_t) - files_read_etc_files(fail2ban_t) +-files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -85,6 +98,9 @@ miscfiles_read_localization(fail2ban_t) + files_read_usr_files(fail2ban_t) + files_list_var(fail2ban_t) +@@ -85,6 +97,9 @@ miscfiles_read_localization(fail2ban_t) mta_send_mail(fail2ban_t) 
@@ -18063,7 +18433,7 @@ index 2a69e5e..78841e5 100644 optional_policy(` apache_read_log(fail2ban_t) ') -@@ -94,5 +110,45 @@ optional_policy(` +@@ -94,5 +109,44 @@ optional_policy(` ') optional_policy(` @@ -18097,7 +18467,6 @@ index 2a69e5e..78841e5 100644 +corecmd_exec_bin(fail2ban_client_t) + +# nsswitch.conf, passwd -+files_read_etc_files(fail2ban_client_t) +files_read_usr_files(fail2ban_client_t) +files_search_pids(fail2ban_client_t) + @@ -18334,7 +18703,7 @@ index ac6626e..8fb83ef 100644 ') diff --git a/finger.te b/finger.te -index 9b7036a..0cf2dbf 100644 +index 9b7036a..b223fa8 100644 --- a/finger.te +++ b/finger.te @@ -66,6 +66,7 @@ term_getattr_all_ttys(fingerd_t) @@ -18345,6 +18714,14 @@ index 9b7036a..0cf2dbf 100644 corecmd_exec_bin(fingerd_t) corecmd_exec_shell(fingerd_t) +@@ -73,7 +74,6 @@ corecmd_exec_shell(fingerd_t) + domain_use_interactive_fds(fingerd_t) + + files_search_home(fingerd_t) +-files_read_etc_files(fingerd_t) + files_read_etc_runtime_files(fingerd_t) + + init_read_utmp(fingerd_t) diff --git a/firewalld.fc b/firewalld.fc new file mode 100644 index 0000000..f440549 @@ -18655,10 +19032,10 @@ index 0000000..2bd5790 +') diff --git a/firewallgui.te b/firewallgui.te new file mode 100644 -index 0000000..c97a6ea +index 0000000..3d0c142 --- /dev/null +++ b/firewallgui.te -@@ -0,0 +1,75 @@ +@@ -0,0 +1,74 @@ +policy_module(firewallgui,1.0.0) + +######################################## @@ -18700,7 +19077,6 @@ index 0000000..c97a6ea + +files_manage_system_conf_files(firewallgui_t) +files_etc_filetrans_system_conf(firewallgui_t) -+files_read_etc_files(firewallgui_t) +files_read_usr_files(firewallgui_t) +files_search_kernel_modules(firewallgui_t) +files_list_kernel_modules(firewallgui_t) @@ -18863,7 +19239,7 @@ index ebad8c4..640293e 100644 ') - diff --git a/fprintd.te b/fprintd.te -index 7df52c7..26422af 100644 +index 7df52c7..5b9e374 100644 --- a/fprintd.te +++ b/fprintd.te @@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0) 
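Review bot: The comment `# nsswitch.conf, passwd` now sits directly above `files_read_usr_files(fail2ban_client_t)` after `files_read_etc_files(fail2ban_client_t)` was dropped from the new fail2ban_client_t block, so it describes a rule that is no longer there. Either remove the comment or retarget it to the interface that now supplies those reads, e.g. `# nsswitch.conf, passwd: covered by auth_use_nsswitch()` — the hunk does not show which interface that is, so the wording should match whatever is actually called for fail2ban_client_t. The fail2ban_client_t block continues outside the hunk.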
@@ -18887,7 +19263,15 @@ index 7df52c7..26422af 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -54,4 +56,5 @@ optional_policy(` +@@ -33,7 +35,6 @@ dev_list_usbfs(fprintd_t) + dev_rw_generic_usb_dev(fprintd_t) + dev_read_sysfs(fprintd_t) + +-files_read_etc_files(fprintd_t) + files_read_usr_files(fprintd_t) + + fs_getattr_all_fs(fprintd_t) +@@ -54,4 +55,5 @@ optional_policy(` policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) policykit_domtrans_auth(fprintd_t) @@ -20362,10 +20746,10 @@ index 0000000..e15bbb0 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..8dfb74a +index 0000000..81fda2d --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,104 @@ +@@ -0,0 +1,103 @@ +policy_module(glusterd, 1.0.0) + +######################################## @@ -20454,7 +20838,6 @@ index 0000000..8dfb74a +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) + -+files_read_etc_files(glusterd_t) +files_read_usr_files(glusterd_t) +files_rw_pid_dirs(glusterd_t) + @@ -22501,7 +22884,7 @@ index 6d50300..46cc164 100644 ## ## Send generic signals to user gpg processes. diff --git a/gpg.te b/gpg.te -index 156820c..9cbbfd4 100644 +index 156820c..970165a 100644 --- a/gpg.te +++ b/gpg.te @@ -1,9 +1,10 @@ @@ -22616,7 +22999,15 @@ index 156820c..9cbbfd4 100644 manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) -@@ -116,22 +140,26 @@ logging_send_syslog_msg(gpg_t) +@@ -106,7 +130,6 @@ fs_list_inotifyfs(gpg_t) + + domain_use_interactive_fds(gpg_t) + +-files_read_etc_files(gpg_t) + files_read_usr_files(gpg_t) + files_dontaudit_search_var(gpg_t) + +@@ -116,22 +139,26 @@ logging_send_syslog_msg(gpg_t) miscfiles_read_localization(gpg_t) 
@@ -22651,7 +23042,7 @@ index 156820c..9cbbfd4 100644 ') optional_policy(` -@@ -140,15 +168,19 @@ optional_policy(` +@@ -140,15 +167,19 @@ optional_policy(` ') optional_policy(` @@ -22675,7 +23066,11 @@ index 156820c..9cbbfd4 100644 ######################################## # # GPG helper local policy -@@ -184,7 +216,7 @@ files_read_etc_files(gpg_helper_t) +@@ -180,11 +211,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t) + corenet_udp_bind_generic_node(gpg_helper_t) + corenet_tcp_connect_all_ports(gpg_helper_t) + +-files_read_etc_files(gpg_helper_t) auth_use_nsswitch(gpg_helper_t) @@ -22684,7 +23079,7 @@ index 156820c..9cbbfd4 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -198,15 +230,17 @@ tunable_policy(`use_samba_home_dirs',` +@@ -198,15 +228,17 @@ tunable_policy(`use_samba_home_dirs',` # # GPG agent local policy # @@ -22703,7 +23098,7 @@ index 156820c..9cbbfd4 100644 manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) -@@ -232,34 +266,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) +@@ -232,34 +264,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. @@ -22742,7 +23137,7 @@ index 156820c..9cbbfd4 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -294,6 +319,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) +@@ -294,6 +317,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) # read /proc/meminfo kernel_read_system_state(gpg_pinentry_t) 
@@ -22750,7 +23145,15 @@ index 156820c..9cbbfd4 100644 corecmd_exec_bin(gpg_pinentry_t) corenet_all_recvfrom_netlabel(gpg_pinentry_t) -@@ -325,13 +351,15 @@ miscfiles_read_localization(gpg_pinentry_t) +@@ -310,7 +334,6 @@ dev_read_rand(gpg_pinentry_t) + + files_read_usr_files(gpg_pinentry_t) + # read /etc/X11/qtrc +-files_read_etc_files(gpg_pinentry_t) + + fs_dontaudit_list_inotifyfs(gpg_pinentry_t) + fs_getattr_tmpfs(gpg_pinentry_t) +@@ -325,13 +348,15 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) @@ -22771,7 +23174,7 @@ index 156820c..9cbbfd4 100644 ') optional_policy(` -@@ -340,6 +368,12 @@ optional_policy(` +@@ -340,6 +365,12 @@ optional_policy(` ') optional_policy(` @@ -22784,7 +23187,7 @@ index 156820c..9cbbfd4 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -349,4 +383,28 @@ optional_policy(` +@@ -349,4 +380,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -22980,10 +23383,15 @@ index 2d0b4e1..69fb7c1 100644 ######################################## diff --git a/hadoop.te b/hadoop.te -index c81c58a..cbeafaa 100644 +index c81c58a..99bc7cb 100644 --- a/hadoop.te +++ b/hadoop.te -@@ -156,15 +156,19 @@ files_read_usr_files(hadoop_t) +@@ -151,20 +151,23 @@ dev_read_urand(hadoop_t) + domain_use_interactive_fds(hadoop_t) + + files_dontaudit_search_spool(hadoop_t) +-files_read_etc_files(hadoop_t) + files_read_usr_files(hadoop_t) fs_getattr_xattr_fs(hadoop_t) 
@@ -23008,8 +23416,11 @@ index c81c58a..cbeafaa 100644 optional_policy(` nis_use_ypbind(hadoop_t) -@@ -336,17 +340,17 @@ domain_use_interactive_fds(zookeeper_t) - files_read_etc_files(zookeeper_t) +@@ -333,20 +336,19 @@ dev_read_urand(zookeeper_t) + + domain_use_interactive_fds(zookeeper_t) + +-files_read_etc_files(zookeeper_t) files_read_usr_files(zookeeper_t) +auth_use_nsswitch(zookeeper_t) @@ -23030,7 +23441,15 @@ index c81c58a..cbeafaa 100644 ') ######################################## -@@ -432,4 +436,6 @@ miscfiles_read_localization(zookeeper_server_t) +@@ -421,7 +423,6 @@ dev_read_rand(zookeeper_server_t) + dev_read_sysfs(zookeeper_server_t) + dev_read_urand(zookeeper_server_t) + +-files_read_etc_files(zookeeper_server_t) + files_read_usr_files(zookeeper_server_t) + + fs_getattr_xattr_fs(zookeeper_server_t) +@@ -432,4 +433,6 @@ miscfiles_read_localization(zookeeper_server_t) sysnet_read_config(zookeeper_server_t) @@ -23077,7 +23496,7 @@ index 7cf6763..9d2be6b 100644 + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/hal.te b/hal.te -index e0476cb..8c6d661 100644 +index e0476cb..987f2c2 100644 --- a/hal.te +++ b/hal.te @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) 
@@ -23107,6 +23526,38 @@ index e0476cb..8c6d661 100644 kernel_search_network_sysctl(hald_t) kernel_setsched(hald_t) kernel_request_load_module(hald_t) +@@ -139,7 +143,6 @@ domain_read_all_domains_state(hald_t) + domain_dontaudit_ptrace_all_domains(hald_t) + + files_exec_etc_files(hald_t) +-files_read_etc_files(hald_t) + files_rw_etc_runtime_files(hald_t) + files_manage_mnt_dirs(hald_t) + files_manage_mnt_files(hald_t) +@@ -372,7 +375,6 @@ dev_setattr_generic_usb_dev(hald_acl_t) + dev_setattr_usbfs_files(hald_acl_t) + + files_read_usr_files(hald_acl_t) +-files_read_etc_files(hald_acl_t) + + fs_getattr_all_fs(hald_acl_t) + +@@ -418,7 +420,6 @@ dev_write_raw_memory(hald_mac_t) + dev_read_sysfs(hald_mac_t) + + files_read_usr_files(hald_mac_t) +-files_read_etc_files(hald_mac_t) + + auth_use_nsswitch(hald_mac_t) + +@@ -465,7 +466,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) + + dev_rw_input_dev(hald_keymap_t) + +-files_read_etc_files(hald_keymap_t) + files_read_usr_files(hald_keymap_t) + + miscfiles_read_localization(hald_keymap_t) diff --git a/hddtemp.if b/hddtemp.if index 87b4531..901d905 100644 --- a/hddtemp.if @@ -23202,7 +23653,7 @@ index ecab47a..6eddc6d 100644 - ') diff --git a/icecast.te b/icecast.te -index fdb7e9a..a1f2938 100644 +index fdb7e9a..795a6f1 100644 --- a/icecast.te +++ b/icecast.te @@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0) @@ -23220,7 +23671,7 @@ index fdb7e9a..a1f2938 100644 type icecast_t; type icecast_exec_t; init_daemon_domain(icecast_t, icecast_exec_t) -@@ -39,7 +47,18 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) +@@ -39,12 +47,22 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) kernel_read_system_state(icecast_t) @@ -23239,6 +23690,11 @@ index fdb7e9a..a1f2938 100644 # Init script handling domain_use_interactive_fds(icecast_t) + +-files_read_etc_files(icecast_t) + + auth_use_nsswitch(icecast_t) + diff --git a/ifplugd.if b/ifplugd.if index dfb4232..35343f8 100644 --- a/ifplugd.if 
@@ -23307,7 +23763,7 @@ index df48e5e..161814e 100644 ######################################## diff --git a/inetd.te b/inetd.te -index 10f25d3..307b8eb 100644 +index 10f25d3..99e3a15 100644 --- a/inetd.te +++ b/inetd.te @@ -38,9 +38,9 @@ ifdef(`enable_mcs',` @@ -23353,7 +23809,15 @@ index 10f25d3..307b8eb 100644 corenet_sendrecv_swat_server_packets(inetd_t) corenet_sendrecv_tftp_server_packets(inetd_t) -@@ -150,7 +153,10 @@ miscfiles_read_localization(inetd_t) +@@ -137,7 +140,6 @@ corecmd_read_bin_symlinks(inetd_t) + + domain_use_interactive_fds(inetd_t) + +-files_read_etc_files(inetd_t) + files_read_etc_runtime_files(inetd_t) + + auth_use_nsswitch(inetd_t) +@@ -150,7 +152,10 @@ miscfiles_read_localization(inetd_t) mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) @@ -23364,7 +23828,7 @@ index 10f25d3..307b8eb 100644 sysnet_read_config(inetd_t) -@@ -177,6 +183,10 @@ optional_policy(` +@@ -177,6 +182,10 @@ optional_policy(` ') optional_policy(` @@ -23375,6 +23839,14 @@ index 10f25d3..307b8eb 100644 udev_read_db(inetd_t) ') +@@ -223,7 +232,6 @@ dev_read_urand(inetd_child_t) + + fs_getattr_xattr_fs(inetd_child_t) + +-files_read_etc_files(inetd_child_t) + files_read_etc_runtime_files(inetd_child_t) + + auth_use_nsswitch(inetd_child_t) diff --git a/inn.if b/inn.if index ebc9e0d..2c4b5da 100644 --- a/inn.if @@ -23528,7 +24000,7 @@ index 4f9dc90..81a0fc6 100644 + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') diff --git a/irc.te b/irc.te -index 6e2dbd2..f174f68 100644 +index 6e2dbd2..e3c7e9b 100644 --- a/irc.te +++ b/irc.te @@ -19,7 +19,31 @@ userdom_user_home_content(irc_home_t) 
@@ -23564,7 +24036,15 @@ index 6e2dbd2..f174f68 100644 ######################################## # -@@ -83,20 +107,75 @@ seutil_use_newrole_fds(irc_t) +@@ -62,7 +86,6 @@ domain_use_interactive_fds(irc_t) + + files_dontaudit_search_pids(irc_t) + files_search_var(irc_t) +-files_read_etc_files(irc_t) + files_read_usr_files(irc_t) + + fs_getattr_xattr_fs(irc_t) +@@ -83,20 +106,75 @@ seutil_use_newrole_fds(irc_t) sysnet_read_config(irc_t) # Write to the user domain tty. @@ -23689,7 +24169,7 @@ index 14d9670..358255e 100644 +/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) diff --git a/iscsi.te b/iscsi.te -index 8bcfa2f..93450ef 100644 +index 8bcfa2f..b3547c6 100644 --- a/iscsi.te +++ b/iscsi.te @@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t) @@ -23708,7 +24188,7 @@ index 8bcfa2f..93450ef 100644 corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) -@@ -75,9 +75,12 @@ corenet_tcp_sendrecv_all_ports(iscsid_t) +@@ -75,14 +75,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t) corenet_tcp_connect_http_port(iscsid_t) corenet_tcp_connect_iscsi_port(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) @@ -23721,6 +24201,11 @@ index 8bcfa2f..93450ef 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) + +-files_read_etc_files(iscsid_t) + + auth_use_nsswitch(iscsid_t) + diff --git a/isnsd.fc b/isnsd.fc new file mode 100644 index 0000000..3e29080 @@ -24180,10 +24665,10 @@ index 9878499..8643cd3 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index 53e53ca..91bdd44 100644 +index 53e53ca..635f84e 100644 --- a/jabber.te +++ b/jabber.te -@@ -1,94 +1,154 @@ +@@ -1,94 +1,153 @@ -policy_module(jabber, 1.9.0) +policy_module(jabber, 1.8.0) 
@@ -24387,7 +24872,6 @@ index 53e53ca..91bdd44 100644 +dev_read_urand(jabberd_domain) +dev_read_sysfs(jabberd_domain) + -+files_read_etc_files(jabberd_domain) +files_read_etc_runtime_files(jabberd_domain) + +logging_send_syslog_msg(jabberd_domain) @@ -25745,6 +26229,18 @@ index 835b16b..8a98c76 100644 + files_list_tmp($1) admin_pattern($1, kerneloops_tmp_t) ') +diff --git a/kerneloops.te b/kerneloops.te +index 6b35547..97b6483 100644 +--- a/kerneloops.te ++++ b/kerneloops.te +@@ -40,7 +40,6 @@ corenet_tcp_sendrecv_all_ports(kerneloops_t) + corenet_tcp_bind_http_port(kerneloops_t) + corenet_tcp_connect_http_port(kerneloops_t) + +-files_read_etc_files(kerneloops_t) + + auth_use_nsswitch(kerneloops_t) + diff --git a/keyboardd.fc b/keyboardd.fc new file mode 100644 index 0000000..485aacc @@ -26159,10 +26655,15 @@ index c18c920..582f7f3 100644 kismet_manage_pid_files($1) kismet_manage_lib($1) diff --git a/kismet.te b/kismet.te -index 9dd6880..4b7fa27 100644 +index 9dd6880..cb634e4 100644 --- a/kismet.te +++ b/kismet.te -@@ -91,7 +91,7 @@ files_read_usr_files(kismet_t) +@@ -86,12 +86,11 @@ corenet_tcp_connect_pulseaudio_port(kismet_t) + + auth_use_nsswitch(kismet_t) + +-files_read_etc_files(kismet_t) + files_read_usr_files(kismet_t) miscfiles_read_localization(kismet_t) @@ -26205,7 +26706,7 @@ index 6fd0b4c..568f842 100644 files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) diff --git a/ksmtuned.te b/ksmtuned.te -index a73b7a1..d845f46 100644 +index a73b7a1..9707887 100644 --- a/ksmtuned.te +++ b/ksmtuned.te @@ -9,6 +9,9 @@ type ksmtuned_t; @@ -26233,7 +26734,7 @@ index a73b7a1..d845f46 100644 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) -@@ -31,9 +38,19 @@ kernel_read_system_state(ksmtuned_t) +@@ -31,9 +38,18 @@ kernel_read_system_state(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) 
@@ -26241,24 +26742,27 @@ index a73b7a1..d845f46 100644 corecmd_exec_bin(ksmtuned_t) +corecmd_exec_shell(ksmtuned_t) - - files_read_etc_files(ksmtuned_t) - ++ ++ +mls_file_read_to_clearance(ksmtuned_t) + +term_use_all_inherited_terms(ksmtuned_t) + +auth_use_nsswitch(ksmtuned_t) -+ + +-files_read_etc_files(ksmtuned_t) +logging_send_syslog_msg(ksmtuned_t) -+ + miscfiles_read_localization(ksmtuned_t) diff --git a/ktalk.te b/ktalk.te -index ca5cfdf..554ad30 100644 +index ca5cfdf..cdaeee8 100644 --- a/ktalk.te +++ b/ktalk.te -@@ -68,7 +68,7 @@ fs_getattr_xattr_fs(ktalkd_t) - files_read_etc_files(ktalkd_t) +@@ -65,10 +65,9 @@ dev_read_urand(ktalkd_t) + + fs_getattr_xattr_fs(ktalkd_t) + +-files_read_etc_files(ktalkd_t) term_search_ptys(ktalkd_t) -term_use_all_terms(ktalkd_t) @@ -26791,7 +27295,7 @@ index 3aa8fa7..9539b76 100644 + allow $1 ldap_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 64fd1ff..47c43ab 100644 +index 64fd1ff..fe76c32 100644 --- a/ldap.te +++ b/ldap.te @@ -10,7 +10,7 @@ type slapd_exec_t; @@ -26851,7 +27355,13 @@ index 64fd1ff..47c43ab 100644 kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) -@@ -106,6 +123,7 @@ files_read_usr_files(slapd_t) +@@ -100,12 +117,12 @@ fs_search_auto_mountpoints(slapd_t) + + domain_use_interactive_fds(slapd_t) + +-files_read_etc_files(slapd_t) + files_read_etc_runtime_files(slapd_t) + files_read_usr_files(slapd_t) files_list_var_lib(slapd_t) auth_use_nsswitch(slapd_t) @@ -26859,7 +27369,7 @@ index 64fd1ff..47c43ab 100644 logging_send_syslog_msg(slapd_t) -@@ -117,6 +135,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) +@@ -117,6 +134,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t) optional_policy(` kerberos_keytab_template(slapd, slapd_t) @@ -27444,7 +27954,7 @@ index 572b5db..1e55f43 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.te b/logrotate.te -index 7090dae..51123b2 100644 +index 7090dae..0b9e946 100644 --- a/logrotate.te 
+++ b/logrotate.te @@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t) @@ -27490,7 +28000,15 @@ index 7090dae..51123b2 100644 domain_signal_all_domains(logrotate_t) domain_use_interactive_fds(logrotate_t) -@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t) +@@ -93,7 +95,6 @@ domain_getattr_all_entry_files(logrotate_t) + domain_read_all_domains_state(logrotate_t) + + files_read_usr_files(logrotate_t) +-files_read_etc_files(logrotate_t) + files_read_etc_runtime_files(logrotate_t) + files_read_all_pids(logrotate_t) + files_search_all(logrotate_t) +@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -27498,7 +28016,7 @@ index 7090dae..51123b2 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +119,17 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +118,17 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) @@ -27523,7 +28041,7 @@ index 7090dae..51123b2 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +141,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +140,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -27532,7 +28050,7 @@ index 7090dae..51123b2 100644 ') optional_policy(` -@@ -154,6 +157,10 @@ optional_policy(` +@@ -154,6 +156,10 @@ optional_policy(` ') optional_policy(` @@ -27543,7 +28061,7 @@ index 7090dae..51123b2 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +169,20 @@ optional_policy(` +@@ -162,10 +168,20 @@ optional_policy(` ') optional_policy(` @@ -27564,7 +28082,7 @@ index 7090dae..51123b2 100644 cups_domtrans(logrotate_t) ') -@@ -178,6 +195,10 @@ optional_policy(` +@@ -178,6 +194,10 @@ optional_policy(` ') optional_policy(` @@ -27575,7 +28093,7 @@ index 7090dae..51123b2 100644 icecast_signal(logrotate_t) ') -@@ -194,15 +215,19 @@ optional_policy(` +@@ -194,15 +214,19 @@ optional_policy(` ') optional_policy(` 
@@ -27596,7 +28114,7 @@ index 7090dae..51123b2 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -228,3 +253,14 @@ optional_policy(` +@@ -228,3 +252,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -27628,7 +28146,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/logwatch.te b/logwatch.te -index 75ce30f..47aa9f5 100644 +index 75ce30f..57f0320 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0) @@ -27662,15 +28180,17 @@ index 75ce30f..47aa9f5 100644 kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) -@@ -58,6 +68,7 @@ files_list_var(logwatch_t) +@@ -56,8 +66,8 @@ domain_read_all_domains_state(logwatch_t) + + files_list_var(logwatch_t) files_read_var_symlinks(logwatch_t) - files_read_etc_files(logwatch_t) +-files_read_etc_files(logwatch_t) files_read_etc_runtime_files(logwatch_t) +files_read_system_conf_files(logwatch_t) files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) -@@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t) +@@ -70,6 +80,10 @@ fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) @@ -27681,7 +28201,7 @@ index 75ce30f..47aa9f5 100644 term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t) +@@ -92,11 +106,14 @@ sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) @@ -27697,7 +28217,7 @@ index 75ce30f..47aa9f5 100644 files_getattr_all_file_type_fs(logwatch_t) ') -@@ -145,3 +163,24 @@ optional_policy(` +@@ -145,3 +162,24 @@ optional_policy(` samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') @@ -27807,7 +28327,7 @@ index a4f32f5..628b63c 100644 ## in the caller domain. ## 
diff --git a/lpd.te b/lpd.te -index a03b63a..e154044 100644 +index a03b63a..9b3ca81 100644 --- a/lpd.te +++ b/lpd.te @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -27836,7 +28356,15 @@ index a03b63a..e154044 100644 allow checkpc_t printconf_t:dir list_dir_perms; kernel_read_system_state(checkpc_t) -@@ -111,7 +111,7 @@ init_use_fds(checkpc_t) +@@ -102,7 +102,6 @@ corecmd_exec_bin(checkpc_t) + + domain_use_interactive_fds(checkpc_t) + +-files_read_etc_files(checkpc_t) + files_read_etc_runtime_files(checkpc_t) + + init_use_script_ptys(checkpc_t) +@@ -111,7 +110,7 @@ init_use_fds(checkpc_t) sysnet_read_config(checkpc_t) @@ -27845,7 +28373,7 @@ index a03b63a..e154044 100644 optional_policy(` cron_system_entry(checkpc_t, checkpc_exec_t) -@@ -143,9 +143,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) +@@ -143,9 +142,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t) files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir }) @@ -27857,7 +28385,23 @@ index a03b63a..e154044 100644 # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) -@@ -275,19 +276,20 @@ miscfiles_read_localization(lpr_t) +@@ -197,7 +197,6 @@ files_list_var_lib(lpd_t) + files_read_var_lib_files(lpd_t) + files_read_var_lib_symlinks(lpd_t) + # config files for lpd are of type etc_t, probably should change this +-files_read_etc_files(lpd_t) + + logging_send_syslog_msg(lpd_t) + +@@ -256,7 +255,6 @@ domain_use_interactive_fds(lpr_t) + + files_search_spool(lpr_t) + # for lpd config files (should have a new type) +-files_read_etc_files(lpr_t) + # for test print + files_read_usr_files(lpr_t) + #Added to cover read_content macro +@@ -275,19 +273,20 @@ miscfiles_read_localization(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) # Write to the user domain tty. 
@@ -27883,7 +28427,7 @@ index a03b63a..e154044 100644 # Send SIGHUP to lpd. allow lpr_t lpd_t:process signal; -@@ -305,17 +307,7 @@ tunable_policy(`use_lpd_server',` +@@ -305,17 +304,7 @@ tunable_policy(`use_lpd_server',` read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') @@ -27902,7 +28446,7 @@ index a03b63a..e154044 100644 optional_policy(` cups_read_config(lpr_t) -@@ -324,5 +316,13 @@ optional_policy(` +@@ -324,5 +313,13 @@ optional_policy(` ') optional_policy(` @@ -29076,10 +29620,10 @@ index db4fd6f..650014e 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index b681608..be4b196 100644 +index b681608..9ad4b2e 100644 --- a/memcached.te +++ b/memcached.te -@@ -42,7 +42,8 @@ corenet_udp_bind_memcache_port(memcached_t) +@@ -42,12 +42,12 @@ corenet_udp_bind_memcache_port(memcached_t) manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) @@ -29089,6 +29633,11 @@ index b681608..be4b196 100644 kernel_read_kernel_sysctls(memcached_t) kernel_read_system_state(memcached_t) + +-files_read_etc_files(memcached_t) + + term_dontaudit_use_all_ptys(memcached_t) + term_dontaudit_use_all_ttys(memcached_t) diff --git a/milter.fc b/milter.fc index 1ec5a6c..cbcad00 100644 --- a/milter.fc @@ -29583,10 +30132,10 @@ index 0000000..7f6f2d6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..621fc5a +index 0000000..00d38c5 --- /dev/null +++ b/mock.te -@@ -0,0 +1,253 @@ +@@ -0,0 +1,251 @@ +policy_module(mock,1.0.0) + +## @@ -29687,7 +30236,6 @@ index 0000000..621fc5a +domain_read_all_domains_state(mock_t) +domain_use_interactive_fds(mock_t) + -+files_read_etc_files(mock_t) +files_read_etc_runtime_files(mock_t) +files_read_usr_files(mock_t) +files_dontaudit_list_boot(mock_t) 
@@ -29819,7 +30367,6 @@ index 0000000..621fc5a +domain_dontaudit_read_all_domains_state(mock_build_t) +domain_use_interactive_fds(mock_build_t) + -+files_read_etc_files(mock_build_t) +files_read_usr_files(mock_build_t) +files_dontaudit_list_boot(mock_build_t) + @@ -30290,7 +30837,7 @@ index b397fde..30bfefb 100644 +') + diff --git a/mozilla.te b/mozilla.te -index 0724816..8a17b85 100644 +index 0724816..843cde4 100644 --- a/mozilla.te +++ b/mozilla.te @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3) @@ -30354,7 +30901,15 @@ index 0724816..8a17b85 100644 corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) corenet_tcp_connect_http_cache_port(mozilla_t) -@@ -155,6 +176,8 @@ fs_rw_tmpfs_files(mozilla_t) +@@ -140,7 +161,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t) + + files_read_etc_runtime_files(mozilla_t) + files_read_usr_files(mozilla_t) +-files_read_etc_files(mozilla_t) + # /var/lib + files_read_var_lib_files(mozilla_t) + # interacting with gstreamer +@@ -155,6 +175,8 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) @@ -30363,7 +30918,7 @@ index 0724816..8a17b85 100644 logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -@@ -164,29 +187,23 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) +@@ -164,29 +186,23 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) @@ -30400,7 +30955,7 @@ index 0724816..8a17b85 100644 # Uploads, local html tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -@@ -263,6 +280,7 @@ optional_policy(` +@@ -263,6 +279,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -30408,7 +30963,7 @@ index 0724816..8a17b85 100644 ') optional_policy(` -@@ -283,7 +301,8 @@ optional_policy(` +@@ -283,7 +300,8 @@ optional_policy(` ') optional_policy(` 
@@ -30418,7 +30973,7 @@ index 0724816..8a17b85 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,25 +316,35 @@ optional_policy(` +@@ -297,25 +315,35 @@ optional_policy(` # mozilla_plugin local policy # @@ -30462,7 +31017,7 @@ index 0724816..8a17b85 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -323,31 +352,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug +@@ -323,31 +351,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -30516,7 +31071,7 @@ index 0724816..8a17b85 100644 dev_read_video_dev(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) dev_read_sysfs(mozilla_plugin_t) -@@ -356,6 +401,7 @@ dev_write_sound(mozilla_plugin_t) +@@ -356,6 +400,7 @@ dev_write_sound(mozilla_plugin_t) # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) @@ -30524,7 +31079,7 @@ index 0724816..8a17b85 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,15 +409,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,15 +408,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) 
@@ -30548,7 +31103,7 @@ index 0724816..8a17b85 100644 logging_send_syslog_msg(mozilla_plugin_t) miscfiles_read_localization(mozilla_plugin_t) -@@ -384,35 +438,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t) +@@ -384,35 +437,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t) term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) @@ -30596,7 +31151,7 @@ index 0724816..8a17b85 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -422,24 +468,36 @@ optional_policy(` +@@ -422,24 +467,37 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -30613,6 +31168,7 @@ index 0724816..8a17b85 100644 gnome_manage_config(mozilla_plugin_t) + gnome_read_usr_config(mozilla_plugin_t) + gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` @@ -30637,7 +31193,7 @@ index 0724816..8a17b85 100644 ') optional_policy(` -@@ -447,10 +505,102 @@ optional_policy(` +@@ -447,10 +505,104 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -30666,7 +31222,7 @@ index 0724816..8a17b85 100644 + xserver_read_user_xauth(mozilla_plugin_t) + xserver_append_xdm_home_files(mozilla_plugin_t) + xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t) - ') ++') + +######################################## +# @@ -30704,7 +31260,6 @@ index 0724816..8a17b85 100644 + +domain_use_interactive_fds(mozilla_plugin_config_t) + -+files_read_etc_files(mozilla_plugin_config_t) +files_read_usr_files(mozilla_plugin_config_t) +files_dontaudit_search_home(mozilla_plugin_config_t) +files_list_tmp(mozilla_plugin_config_t) @@ -30740,6 +31295,9 @@ index 0724816..8a17b85 100644 + userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) +') + ++tunable_policy(`selinuxuser_execmod',` ++ userdom_execmod_user_home_files(mozilla_plugin_t) + ') 
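Review bot: `userdom_execmod_user_home_files(mozilla_plugin_t)` is correctly placed behind the `selinuxuser_execmod` tunable, but the new `gnome_exec_gstreamer_home_files(mozilla_plugin_t)` in the gnome optional_policy block a few hunks earlier grants execute on user-home content to the plugin domain unconditionally, so the two grants are held to different standards although both extend what the plugin sandbox can run from a writable home directory. Consider gating the gstreamer exec behind a tunable as well, or at minimum adding a why-comment above it such as `# plugin needs to run gstreamer helpers that live in the user's home directory` so the widening is deliberate and auditable. The body of `gnome_exec_gstreamer_home_files` is outside this hunk, so how broad that execute permission is (which types, whether it includes execute_no_trans) cannot be judged here and should be checked in gnome.if.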
diff --git a/mpd.fc b/mpd.fc index ddc14d6..c74bf3d 100644 --- a/mpd.fc @@ -30863,7 +31421,7 @@ index d8ea41d..8bdc526 100644 + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --git a/mplayer.te b/mplayer.te -index 0cdea57..55015bf 100644 +index 0cdea57..85c6ad2 100644 --- a/mplayer.te +++ b/mplayer.te @@ -10,7 +10,7 @@ policy_module(mplayer, 2.4.0) @@ -30961,7 +31519,15 @@ index 0cdea57..55015bf 100644 manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) -@@ -222,10 +184,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t) +@@ -206,7 +168,6 @@ domain_use_interactive_fds(mplayer_t) + # Access to DVD/CD/V4L + storage_raw_read_removable_device(mplayer_t) + +-files_read_etc_files(mplayer_t) + files_dontaudit_list_non_security(mplayer_t) + files_dontaudit_getattr_non_security_files(mplayer_t) + files_read_non_security_files(mplayer_t) +@@ -222,10 +183,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) fs_list_inotifyfs(mplayer_t) @@ -30977,7 +31543,7 @@ index 0cdea57..55015bf 100644 # Read media files userdom_list_user_tmp(mplayer_t) userdom_read_user_tmp_files(mplayer_t) -@@ -233,6 +199,7 @@ userdom_read_user_tmp_symlinks(mplayer_t) +@@ -233,6 +198,7 @@ userdom_read_user_tmp_symlinks(mplayer_t) userdom_read_user_home_content_files(mplayer_t) userdom_read_user_home_content_symlinks(mplayer_t) userdom_write_user_tmp_sockets(mplayer_t) @@ -30985,7 +31551,7 @@ index 0cdea57..55015bf 100644 xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) -@@ -243,62 +210,31 @@ ifdef(`enable_mls',`',` +@@ -243,62 +209,31 @@ ifdef(`enable_mls',`',` fs_read_removable_symlinks(mplayer_t) ') @@ -31057,7 +31623,7 @@ index 0cdea57..55015bf 100644 optional_policy(` diff --git a/mrtg.te b/mrtg.te -index 0e19d80..a3a38b1 100644 +index 0e19d80..7f822c5 100644 --- a/mrtg.te +++ b/mrtg.te @@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t) 
@@ -31073,7 +31639,15 @@ index 0e19d80..a3a38b1 100644 manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t) logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir }) -@@ -112,9 +115,10 @@ miscfiles_read_localization(mrtg_t) +@@ -88,7 +91,6 @@ files_getattr_tmp_dirs(mrtg_t) + # for uptime + files_read_etc_runtime_files(mrtg_t) + # read config files +-files_read_etc_files(mrtg_t) + + fs_search_auto_mountpoints(mrtg_t) + fs_getattr_xattr_fs(mrtg_t) +@@ -112,9 +114,10 @@ miscfiles_read_localization(mrtg_t) selinux_dontaudit_getattr_dir(mrtg_t) @@ -32243,7 +32817,7 @@ index c358d8f..7c097ec 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..601d1dd 100644 +index f17583b..d6ebc6b 100644 --- a/munin.te +++ b/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -32297,7 +32871,15 @@ index f17583b..601d1dd 100644 kernel_read_system_state(munin_t) kernel_read_network_state(munin_t) -@@ -116,6 +126,7 @@ logging_read_all_logs(munin_t) +@@ -101,7 +111,6 @@ dev_read_urand(munin_t) + domain_use_interactive_fds(munin_t) + domain_read_all_domains_state(munin_t) + +-files_read_etc_files(munin_t) + files_read_etc_runtime_files(munin_t) + files_read_usr_files(munin_t) + files_list_spool(munin_t) +@@ -116,6 +125,7 @@ logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) miscfiles_read_localization(munin_t) @@ -32305,7 +32887,7 @@ index f17583b..601d1dd 100644 sysnet_exec_ifconfig(munin_t) -@@ -145,6 +156,7 @@ optional_policy(` +@@ -145,6 +155,7 @@ optional_policy(` optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) @@ -32313,7 +32895,7 @@ index f17583b..601d1dd 100644 mta_read_queue(munin_t) ') -@@ -159,6 +171,7 @@ optional_policy(` +@@ -159,6 +170,7 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) 
@@ -32321,7 +32903,7 @@ index f17583b..601d1dd 100644 ') optional_policy(` -@@ -182,6 +195,7 @@ optional_policy(` +@@ -182,6 +194,7 @@ optional_policy(` # local policy for disk plugins # @@ -32329,9 +32911,11 @@ index f17583b..601d1dd 100644 allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -192,13 +206,13 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) +@@ -190,15 +203,14 @@ corecmd_exec_shell(disk_munin_plugin_t) - files_read_etc_files(disk_munin_plugin_t) + corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) + +-files_read_etc_files(disk_munin_plugin_t) files_read_etc_runtime_files(disk_munin_plugin_t) +files_read_usr_files(disk_munin_plugin_t) @@ -32346,7 +32930,7 @@ index f17583b..601d1dd 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -221,30 +235,43 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,30 +233,43 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) @@ -32397,7 +32981,7 @@ index f17583b..601d1dd 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +282,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +280,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -32412,7 +32996,7 @@ index f17583b..601d1dd 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +303,10 @@ optional_policy(` +@@ -279,6 +301,10 @@ optional_policy(` ') optional_policy(` 
@@ -32423,7 +33007,7 @@ index f17583b..601d1dd 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +314,10 @@ optional_policy(` +@@ -286,6 +312,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -32434,7 +33018,7 @@ index f17583b..601d1dd 100644 ################################## # # local policy for system plugins -@@ -295,21 +327,53 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,21 +325,52 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -32483,7 +33067,6 @@ index f17583b..601d1dd 100644 +corecmd_exec_shell(munin_plugin_domain) + +files_search_var_lib(munin_plugin_domain) -+files_read_etc_files(munin_plugin_domain) +files_read_usr_files(munin_plugin_domain) + +fs_getattr_all_fs(munin_plugin_domain) @@ -32761,7 +33344,7 @@ index e9c0982..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 1cf05a3..c7badcf 100644 +index 1cf05a3..7289391 100644 --- a/mysql.te +++ b/mysql.te @@ -29,6 +29,12 @@ files_type(mysqld_db_t) @@ -32814,7 +33397,15 @@ index 1cf05a3..c7badcf 100644 corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) corenet_tcp_sendrecv_generic_if(mysqld_t) -@@ -122,13 +137,8 @@ miscfiles_read_localization(mysqld_t) +@@ -110,7 +125,6 @@ domain_use_interactive_fds(mysqld_t) + + files_getattr_var_lib_dirs(mysqld_t) + files_read_etc_runtime_files(mysqld_t) +-files_read_etc_files(mysqld_t) + files_read_usr_files(mysqld_t) + files_search_var_lib(mysqld_t) + +@@ -122,13 +136,8 @@ miscfiles_read_localization(mysqld_t) sysnet_read_config(mysqld_t) @@ -32829,7 +33420,7 @@ index 1cf05a3..c7badcf 100644 ') tunable_policy(`mysql_connect_any',` -@@ -154,10 +164,11 @@ optional_policy(` +@@ -154,10 +163,11 @@ optional_policy(` # allow mysqld_safe_t self:capability { chown dac_override fowner kill }; 
@@ -32842,7 +33433,7 @@ index 1cf05a3..c7badcf 100644 domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) -@@ -170,26 +181,34 @@ kernel_read_system_state(mysqld_safe_t) +@@ -170,26 +180,33 @@ kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) @@ -32852,8 +33443,8 @@ index 1cf05a3..c7badcf 100644 domain_read_all_domains_state(mysqld_safe_t) +-files_read_etc_files(mysqld_safe_t) +files_dontaudit_search_all_mountpoints(mysqld_safe_t) - files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) @@ -32878,6 +33469,14 @@ index 1cf05a3..c7badcf 100644 ######################################## # # MySQL Manager Policy +@@ -231,7 +248,6 @@ corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) + + dev_read_urand(mysqlmanagerd_t) + +-files_read_etc_files(mysqlmanagerd_t) + files_read_usr_files(mysqlmanagerd_t) + + miscfiles_read_localization(mysqlmanagerd_t) diff --git a/nagios.fc b/nagios.fc index 1238f2e..d80b4db 100644 --- a/nagios.fc @@ -33091,7 +33690,7 @@ index 8581040..7d8e93b 100644 init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) diff --git a/nagios.te b/nagios.te -index 1fadd94..1f9d8e1 100644 +index 1fadd94..d680d93 100644 --- a/nagios.te +++ b/nagios.te @@ -1,10 +1,12 @@ @@ -33145,7 +33744,11 @@ index 1fadd94..1f9d8e1 100644 corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) -@@ -107,13 +121,11 @@ files_read_etc_files(nagios_t) +@@ -103,17 +117,14 @@ domain_use_interactive_fds(nagios_t) + # for ps + domain_read_all_domains_state(nagios_t) + +-files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) files_search_spool(nagios_t) 
@@ -33160,7 +33763,7 @@ index 1fadd94..1f9d8e1 100644 auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -124,10 +136,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) +@@ -124,10 +135,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) mta_send_mail(nagios_t) @@ -33173,7 +33776,7 @@ index 1fadd94..1f9d8e1 100644 netutils_kill_ping(nagios_t) ') -@@ -143,6 +155,7 @@ optional_policy(` +@@ -143,6 +154,7 @@ optional_policy(` # # Nagios CGI local policy # @@ -33181,7 +33784,7 @@ index 1fadd94..1f9d8e1 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -180,29 +193,31 @@ optional_policy(` +@@ -180,29 +192,31 @@ optional_policy(` # allow nrpe_t self:capability { setuid setgid }; @@ -33218,15 +33821,16 @@ index 1fadd94..1f9d8e1 100644 dev_read_sysfs(nrpe_t) dev_read_urand(nrpe_t) -@@ -212,6 +227,7 @@ domain_read_all_domains_state(nrpe_t) +@@ -211,7 +225,7 @@ domain_use_interactive_fds(nrpe_t) + domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) - files_read_etc_files(nrpe_t) +-files_read_etc_files(nrpe_t) +files_read_usr_files(nrpe_t) fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -252,7 +268,6 @@ optional_policy(` +@@ -252,11 +266,9 @@ optional_policy(` corecmd_read_bin_files(nagios_admin_plugin_t) corecmd_read_bin_symlinks(nagios_admin_plugin_t) @@ -33234,7 +33838,11 @@ index 1fadd94..1f9d8e1 100644 dev_getattr_all_chr_files(nagios_admin_plugin_t) dev_getattr_all_blk_files(nagios_admin_plugin_t) -@@ -271,19 +286,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +-files_read_etc_files(nagios_admin_plugin_t) + # for check_file_age plugin + files_getattr_all_dirs(nagios_admin_plugin_t) + files_getattr_all_files(nagios_admin_plugin_t) +@@ -271,20 +283,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; 
@@ -33251,10 +33859,11 @@ index 1fadd94..1f9d8e1 100644 -dev_read_urand(nagios_mail_plugin_t) - - files_read_etc_files(nagios_mail_plugin_t) +-files_read_etc_files(nagios_mail_plugin_t) logging_send_syslog_msg(nagios_mail_plugin_t) -@@ -300,7 +311,7 @@ optional_policy(` + +@@ -300,7 +307,7 @@ optional_policy(` optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) @@ -33263,7 +33872,7 @@ index 1fadd94..1f9d8e1 100644 ') ###################################### -@@ -311,7 +322,9 @@ optional_policy(` +@@ -311,7 +318,9 @@ optional_policy(` # needed by ioctl() allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; @@ -33274,7 +33883,7 @@ index 1fadd94..1f9d8e1 100644 files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,11 +336,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,11 +332,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # local policy for service check plugins # @@ -33288,7 +33897,7 @@ index 1fadd94..1f9d8e1 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -342,6 +355,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -342,6 +351,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -33297,7 +33906,7 @@ index 1fadd94..1f9d8e1 100644 ') optional_policy(` -@@ -365,6 +380,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -365,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) 
@@ -33306,7 +33915,7 @@ index 1fadd94..1f9d8e1 100644 kernel_read_system_state(nagios_system_plugin_t) kernel_read_kernel_sysctls(nagios_system_plugin_t) -@@ -372,12 +389,15 @@ corecmd_exec_bin(nagios_system_plugin_t) +@@ -372,11 +385,13 @@ corecmd_exec_bin(nagios_system_plugin_t) corecmd_exec_shell(nagios_system_plugin_t) dev_read_sysfs(nagios_system_plugin_t) @@ -33314,16 +33923,15 @@ index 1fadd94..1f9d8e1 100644 domain_read_all_domains_state(nagios_system_plugin_t) - files_read_etc_files(nagios_system_plugin_t) - +-files_read_etc_files(nagios_system_plugin_t) ++ +fs_getattr_all_fs(nagios_system_plugin_t) + +auth_read_passwd(nagios_system_plugin_t) -+ + # needed by check_users plugin optional_policy(` - init_read_utmp(nagios_system_plugin_t) -@@ -391,3 +411,52 @@ optional_policy(` +@@ -391,3 +406,52 @@ optional_policy(` optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -33441,10 +34049,10 @@ index 0000000..8d7c751 +') diff --git a/namespace.te b/namespace.te new file mode 100644 -index 0000000..2f7149c +index 0000000..3857701 --- /dev/null +++ b/namespace.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,44 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -33474,7 +34082,6 @@ index 0000000..2f7149c +domain_use_interactive_fds(namespace_init_t) +domain_obj_id_change_exemption(namespace_init_t) + -+files_read_etc_files(namespace_init_t) +files_polyinstantiate_all(namespace_init_t) + +mcs_file_write_all(namespace_init_t) @@ -33829,7 +34436,7 @@ index 2324d9e..da61d01 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') diff --git a/networkmanager.te b/networkmanager.te -index 0619395..ff617f1 100644 +index 0619395..d7078ce 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) 
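Review bot: In the nagios_system_plugin_t hunk (`@@ -372,11 +385,13 @@`) the removed `files_read_etc_files(nagios_system_plugin_t)` is replaced by an added empty line while the blank context line above it survives, so, as far as the collapsed layout shows, the new file has two consecutive blank lines before `fs_getattr_all_fs(nagios_system_plugin_t)`. The same doubled blank appears after the removals in nova.te (below `libs_exec_ldconfig(nova_domain)`), oddjob.te (below `kernel_read_system_state(oddjob_mkhomedir_t)`), pacemaker.te (below `domain_use_interactive_fds(pacemaker_t)`), piranha.te (below `corenet_udp_bind_generic_node(piranha_domain)`), portmap.te (below `domain_use_interactive_fds(portmap_t)`) and postfix.te (below `corecmd_exec_bin(postfix_local_t)`). Reference policy separates call groups with a single blank line; drop the added `++` line here and the surviving `+` blank in the other files so each block keeps one separator.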
@@ -33914,20 +34521,20 @@ index 0619395..ff617f1 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,10 +144,11 @@ corecmd_exec_shell(NetworkManager_t) +@@ -113,10 +144,10 @@ corecmd_exec_shell(NetworkManager_t) corecmd_exec_bin(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) -domain_read_confined_domains_state(NetworkManager_t) +domain_read_all_domains_state(NetworkManager_t) - files_read_etc_files(NetworkManager_t) +-files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) +files_read_system_conf_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) -@@ -128,35 +160,44 @@ init_domtrans_script(NetworkManager_t) +@@ -128,35 +159,44 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -33974,7 +34581,7 @@ index 0619395..ff617f1 100644 ') optional_policy(` -@@ -176,10 +217,17 @@ optional_policy(` +@@ -176,10 +216,17 @@ optional_policy(` ') optional_policy(` @@ -33992,7 +34599,7 @@ index 0619395..ff617f1 100644 ') ') -@@ -191,6 +239,7 @@ optional_policy(` +@@ -191,6 +238,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -34000,7 +34607,7 @@ index 0619395..ff617f1 100644 ') optional_policy(` -@@ -202,23 +251,45 @@ optional_policy(` +@@ -202,23 +250,45 @@ optional_policy(` ') optional_policy(` @@ -34046,7 +34653,7 @@ index 0619395..ff617f1 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +305,10 @@ optional_policy(` +@@ -234,6 +304,10 @@ optional_policy(` ') optional_policy(` 
@@ -34057,7 +34664,7 @@ index 0619395..ff617f1 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +316,7 @@ optional_policy(` +@@ -241,6 +315,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -34065,7 +34672,7 @@ index 0619395..ff617f1 100644 ') optional_policy(` -@@ -254,6 +330,10 @@ optional_policy(` +@@ -254,6 +329,10 @@ optional_policy(` ') optional_policy(` @@ -34076,7 +34683,7 @@ index 0619395..ff617f1 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +343,7 @@ optional_policy(` +@@ -263,6 +342,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -34427,10 +35034,10 @@ index 0000000..0d11800 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..415b098 +index 0000000..2c10bbf --- /dev/null +++ b/nova.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,327 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -34500,7 +35107,6 @@ index 0000000..415b098 + +libs_exec_ldconfig(nova_domain) + -+files_read_etc_files(nova_domain) + +miscfiles_read_localization(nova_domain) + @@ -34882,7 +35488,7 @@ index 85188dc..783accb 100644 + allow $1 ncsd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index 7936e09..bf34c78 100644 +index 7936e09..d1861d5 100644 --- a/nscd.te +++ b/nscd.te @@ -4,6 +4,13 @@ gen_require(` 
@@ -34926,15 +35532,17 @@ index 7936e09..bf34c78 100644 kernel_read_kernel_sysctls(nscd_t) kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) -@@ -90,6 +102,7 @@ selinux_compute_create_context(nscd_t) +@@ -90,8 +102,8 @@ selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) domain_use_interactive_fds(nscd_t) +domain_search_all_domains_state(nscd_t) - files_read_etc_files(nscd_t) +-files_read_etc_files(nscd_t) files_read_generic_tmp_symlinks(nscd_t) -@@ -112,6 +125,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t) + # Needed to read files created by firstboot "/etc/hesiod.conf" + files_read_etc_runtime_files(nscd_t) +@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` @@ -34945,7 +35553,7 @@ index 7936e09..bf34c78 100644 cron_read_system_job_tmp_files(nscd_t) ') -@@ -127,3 +144,17 @@ optional_policy(` +@@ -127,3 +143,17 @@ optional_policy(` xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -34982,7 +35590,7 @@ index 53cc800..5348e92 100644 -/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) diff --git a/nsd.te b/nsd.te -index 4b15536..e829ac3 100644 +index 4b15536..da79065 100644 --- a/nsd.te +++ b/nsd.te @@ -18,15 +18,11 @@ domain_type(nsd_crond_t) @@ -35034,9 +35642,11 @@ index 4b15536..e829ac3 100644 can_exec(nsd_t, nsd_exec_t) -@@ -81,15 +76,18 @@ domain_use_interactive_fds(nsd_t) +@@ -79,17 +74,19 @@ dev_read_sysfs(nsd_t) - files_read_etc_files(nsd_t) + domain_use_interactive_fds(nsd_t) + +-files_read_etc_files(nsd_t) files_read_etc_runtime_files(nsd_t) +files_search_var_lib(nsd_t) 
@@ -35054,7 +35664,7 @@ index 4b15536..e829ac3 100644 userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) -@@ -121,8 +119,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms; +@@ -121,8 +118,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms; allow nsd_crond_t nsd_conf_t:file read_file_perms; @@ -35063,7 +35673,11 @@ index 4b15536..e829ac3 100644 files_search_var_lib(nsd_crond_t) allow nsd_crond_t nsd_t:process signal; -@@ -159,6 +155,8 @@ files_read_etc_files(nsd_crond_t) +@@ -155,10 +150,11 @@ dev_read_urand(nsd_crond_t) + + domain_dontaudit_read_all_domains_state(nsd_crond_t) + +-files_read_etc_files(nsd_crond_t) files_read_etc_runtime_files(nsd_crond_t) files_search_var_lib(nsd_t) @@ -35110,7 +35724,7 @@ index 23c769c..0398e70 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index 4e28d58..bee3070 100644 +index 4e28d58..0551354 100644 --- a/nslcd.te +++ b/nslcd.te @@ -16,7 +16,7 @@ type nslcd_var_run_t; @@ -35131,10 +35745,11 @@ index 4e28d58..bee3070 100644 allow nslcd_t self:unix_stream_socket create_stream_socket_perms; allow nslcd_t nslcd_conf_t:file read_file_perms; -@@ -37,9 +37,22 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) +@@ -36,10 +36,22 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) + kernel_read_system_state(nslcd_t) - files_read_etc_files(nslcd_t) +-files_read_etc_files(nslcd_t) +files_read_usr_symlinks(nslcd_t) +files_list_tmp(nslcd_t) @@ -35651,10 +36266,10 @@ index 0000000..fce899a +') diff --git a/nsplugin.te b/nsplugin.te new file mode 100644 -index 0000000..5f14e91 +index 0000000..d19d3da --- /dev/null +++ b/nsplugin.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,326 @@ +policy_module(nsplugin, 1.0.0) + +######################################## 
@@ -35783,7 +36398,6 @@ index 0000000..5f14e91 + +files_dontaudit_getattr_lost_found_dirs(nsplugin_t) +files_dontaudit_list_home(nsplugin_t) -+files_read_etc_files(nsplugin_t) +files_read_usr_files(nsplugin_t) +files_read_config_files(nsplugin_t) + @@ -35921,7 +36535,6 @@ index 0000000..5f14e91 + +domain_use_interactive_fds(nsplugin_config_t) + -+files_read_etc_files(nsplugin_config_t) +files_read_usr_files(nsplugin_config_t) +files_dontaudit_search_home(nsplugin_config_t) +files_list_tmp(nsplugin_config_t) @@ -35983,6 +36596,18 @@ index 0000000..5f14e91 + pulseaudio_manage_home_files(nsplugin_t) + pulseaudio_setattr_home_dir(nsplugin_t) +') +diff --git a/ntop.te b/ntop.te +index ded9fb6..2d30258 100644 +--- a/ntop.te ++++ b/ntop.te +@@ -85,7 +85,6 @@ dev_rw_generic_usb_dev(ntop_t) + + domain_use_interactive_fds(ntop_t) + +-files_read_etc_files(ntop_t) + files_read_usr_files(ntop_t) + + fs_getattr_all_fs(ntop_t) diff --git a/ntp.fc b/ntp.fc index e79dccc..e8d3e38 100644 --- a/ntp.fc @@ -36104,7 +36729,7 @@ index e80f8c0..0044e73 100644 + allow $1 ntpd_unit_file_t:service all_service_perms; ') diff --git a/ntp.te b/ntp.te -index c61adc8..09bb140 100644 +index c61adc8..b3dd6cc 100644 --- a/ntp.te +++ b/ntp.te @@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t) @@ -36133,6 +36758,14 @@ index c61adc8..09bb140 100644 auth_use_nsswitch(ntpd_t) +@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t) + domain_use_interactive_fds(ntpd_t) + domain_dontaudit_list_all_domains_state(ntpd_t) + +-files_read_etc_files(ntpd_t) + files_read_etc_runtime_files(ntpd_t) + files_read_usr_files(ntpd_t) + files_list_var_lib(ntpd_t) diff --git a/numad.fc b/numad.fc new file mode 100644 index 0000000..be6fcb0 @@ -36614,19 +37247,28 @@ index bd76ec2..28c4f00 100644 ## ## Execute a domain transition to run oddjob_mkhomedir. diff --git a/oddjob.te b/oddjob.te -index 36df5a2..f2c3fc1 100644 +index 36df5a2..2fee791 100644 --- a/oddjob.te 
+++ b/oddjob.te -@@ -53,6 +53,8 @@ selinux_compute_create_context(oddjob_t) +@@ -51,7 +51,8 @@ mcs_process_set_categories(oddjob_t) - files_read_etc_files(oddjob_t) + selinux_compute_create_context(oddjob_t) -+auth_use_nsswitch(oddjob_t) +-files_read_etc_files(oddjob_t) + ++auth_use_nsswitch(oddjob_t) + miscfiles_read_localization(oddjob_t) - locallogin_dontaudit_use_fds(oddjob_t) -@@ -99,8 +101,7 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) +@@ -78,7 +79,6 @@ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; + + kernel_read_system_state(oddjob_mkhomedir_t) + +-files_read_etc_files(oddjob_mkhomedir_t) + + auth_use_nsswitch(oddjob_mkhomedir_t) + +@@ -99,8 +99,7 @@ seutil_read_default_contexts(oddjob_mkhomedir_t) # Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) @@ -37357,10 +37999,10 @@ index 0000000..e05c78f +') diff --git a/pacemaker.te b/pacemaker.te new file mode 100644 -index 0000000..99ab306 +index 0000000..0fcbb7f --- /dev/null +++ b/pacemaker.te -@@ -0,0 +1,49 @@ +@@ -0,0 +1,53 @@ +policy_module(pacemaker, 1.0.0) + +######################################## @@ -37403,13 +38045,17 @@ index 0000000..99ab306 + +domain_use_interactive_fds(pacemaker_t) + -+files_read_etc_files(pacemaker_t) + +auth_use_nsswitch(pacemaker_t) + +logging_send_syslog_msg(pacemaker_t) + +miscfiles_read_localization(pacemaker_t) ++ ++optional_policy(` ++ corosync_stream_connect(pacemaker_t) ++') ++ diff --git a/pads.fc b/pads.fc index 0870c56..6d5fb1d 100644 --- a/pads.fc @@ -37575,7 +38221,7 @@ index f68b573..30b3188 100644 + manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t) +') diff --git a/passenger.te b/passenger.te -index 3470036..56099c9 100644 +index 3470036..0592ca4 100644 --- a/passenger.te +++ b/passenger.te @@ -49,6 +49,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) 
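Review bot: The `optional_policy(` block appended to pacemaker.te with `corosync_stream_connect(pacemaker_t)` is followed by an extra `++` line after `+')`, which leaves a trailing blank line at end of file; drop that final empty line so the file ends with `')`. Wrapping the call in `optional_policy` is right since the corosync module may be absent, but a one-line comment above the block, `# pacemaker communicates with corosync over its unix stream sockets`, would record why the cross-module grant exists.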
@@ -37590,10 +38236,11 @@ index 3470036..56099c9 100644 kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) -@@ -64,9 +69,12 @@ corecmd_exec_shell(passenger_t) +@@ -63,10 +68,12 @@ corecmd_exec_shell(passenger_t) + dev_read_urand(passenger_t) - files_read_etc_files(passenger_t) +-files_read_etc_files(passenger_t) +files_read_usr_files(passenger_t) auth_use_nsswitch(passenger_t) @@ -37603,7 +38250,7 @@ index 3470036..56099c9 100644 miscfiles_read_localization(passenger_t) userdom_dontaudit_use_user_terminals(passenger_t) -@@ -75,3 +83,9 @@ optional_policy(` +@@ -75,3 +82,9 @@ optional_policy(` apache_append_log(passenger_t) apache_read_sys_content(passenger_t) ') @@ -37695,7 +38342,7 @@ index ceafba6..a401838 100644 + udev_read_db(pcscd_t) +') diff --git a/pegasus.te b/pegasus.te -index 3185114..95cabdd 100644 +index 3185114..6fc91e8 100644 --- a/pegasus.te +++ b/pegasus.te @@ -16,7 +16,7 @@ type pegasus_tmp_t; @@ -37747,7 +38394,7 @@ index 3185114..95cabdd 100644 corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) -@@ -95,6 +99,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -95,11 +99,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -37755,7 +38402,12 @@ index 3185114..95cabdd 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -121,10 +126,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) + +-files_read_etc_files(pegasus_t) + files_list_var_lib(pegasus_t) + files_read_var_lib_files(pegasus_t) + files_read_var_lib_symlinks(pegasus_t) +@@ -121,10 +125,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_user_home_dirs(pegasus_t) optional_policy(` 
@@ -37786,7 +38438,7 @@ index 3185114..95cabdd 100644 seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') -@@ -136,3 +161,14 @@ optional_policy(` +@@ -136,3 +160,14 @@ optional_policy(` optional_policy(` unconfined_signull(pegasus_t) ') @@ -38067,10 +38719,10 @@ index 0000000..548d0a2 +') diff --git a/piranha.te b/piranha.te new file mode 100644 -index 0000000..44c7098 +index 0000000..355013e --- /dev/null +++ b/piranha.te -@@ -0,0 +1,302 @@ +@@ -0,0 +1,301 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -38363,7 +39015,6 @@ index 0000000..44c7098 +corenet_tcp_bind_generic_node(piranha_domain) +corenet_udp_bind_generic_node(piranha_domain) + -+files_read_etc_files(piranha_domain) + +corecmd_exec_bin(piranha_domain) +corecmd_exec_shell(piranha_domain) @@ -38754,7 +39405,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 44db896..9e61080 100644 +index 44db896..5bf2bf0 100644 --- a/policykit.te +++ b/policykit.te @@ -1,51 +1,73 @@ @@ -38844,16 +39495,16 @@ index 44db896..9e61080 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +78,112 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +78,110 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) +kernel_read_system_state(policykit_t) kernel_read_kernel_sysctls(policykit_t) +-files_read_etc_files(policykit_t) +domain_read_all_domains_state(policykit_t) + - files_read_etc_files(policykit_t) files_read_usr_files(policykit_t) +files_dontaudit_search_all_mountpoints(policykit_t) + 
@@ -38942,7 +39593,7 @@ index 44db896..9e61080 100644 + +dev_read_video_dev(policykit_auth_t) - files_read_etc_files(policykit_auth_t) +-files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) +files_search_home(policykit_auth_t) @@ -38969,7 +39620,7 @@ index 44db896..9e61080 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +196,26 @@ optional_policy(` +@@ -118,14 +194,26 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -38998,8 +39649,11 @@ index 44db896..9e61080 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -145,19 +235,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t - files_read_etc_files(policykit_grant_t) +@@ -142,22 +230,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t + + manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) + +-files_read_etc_files(policykit_grant_t) files_read_usr_files(policykit_grant_t) -auth_use_nsswitch(policykit_grant_t) @@ -39023,7 +39677,7 @@ index 44db896..9e61080 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +256,8 @@ optional_policy(` +@@ -167,9 +253,8 @@ optional_policy(` # polkit_resolve local policy # @@ -39035,8 +39689,11 @@ index 44db896..9e61080 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -185,14 +273,8 @@ corecmd_search_bin(policykit_resolve_t) - files_read_etc_files(policykit_resolve_t) +@@ -182,17 +267,10 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t + can_exec(policykit_resolve_t, policykit_resolve_exec_t) + corecmd_search_bin(policykit_resolve_t) + +-files_read_etc_files(policykit_resolve_t) files_read_usr_files(policykit_resolve_t) -mcs_ptrace_all(policykit_resolve_t) 
@@ -39050,7 +39707,7 @@ index 44db896..9e61080 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -207,4 +289,3 @@ optional_policy(` +@@ -207,4 +285,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -39672,19 +40329,28 @@ index 3cdcd9f..2061efe 100644 /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) diff --git a/portmap.te b/portmap.te -index c1db652..418c2ec 100644 +index c1db652..faa16a6 100644 --- a/portmap.te +++ b/portmap.te -@@ -75,6 +75,8 @@ domain_use_interactive_fds(portmap_t) +@@ -73,7 +73,8 @@ fs_search_auto_mountpoints(portmap_t) - files_read_etc_files(portmap_t) + domain_use_interactive_fds(portmap_t) -+auth_use_nsswitch(portmap_t) +-files_read_etc_files(portmap_t) + ++auth_use_nsswitch(portmap_t) + logging_send_syslog_msg(portmap_t) - miscfiles_read_localization(portmap_t) -@@ -142,7 +144,7 @@ logging_send_syslog_msg(portmap_helper_t) +@@ -133,7 +134,6 @@ corenet_tcp_connect_all_ports(portmap_helper_t) + + domain_dontaudit_use_interactive_fds(portmap_helper_t) + +-files_read_etc_files(portmap_helper_t) + files_rw_generic_pids(portmap_helper_t) + + init_rw_utmp(portmap_helper_t) +@@ -142,7 +142,7 @@ logging_send_syslog_msg(portmap_helper_t) sysnet_read_config(portmap_helper_t) @@ -40254,7 +40920,7 @@ index 46bee12..99499ef 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index 69cbd06..080e2e1 100644 +index 69cbd06..fca2d47 100644 --- a/postfix.te +++ b/postfix.te @@ -1,10 +1,19 @@ 
@@ -40441,7 +41107,7 @@ index 69cbd06..080e2e1 100644 allow postfix_local_t self:process { setsched setrlimit }; # connect to master process -@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,12 +303,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -40450,7 +41116,13 @@ index 69cbd06..080e2e1 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t) + corecmd_exec_bin(postfix_local_t) + +-files_read_etc_files(postfix_local_t) + + logging_dontaudit_search_logs(postfix_local_t) + +@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -40469,7 +41141,7 @@ index 69cbd06..080e2e1 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +334,14 @@ optional_policy(` +@@ -297,6 +333,14 @@ optional_policy(` ') optional_policy(` @@ -40484,7 +41156,7 @@ index 69cbd06..080e2e1 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +349,22 @@ optional_policy(` +@@ -304,9 +348,22 @@ optional_policy(` ') optional_policy(` 
@@ -40507,7 +41179,15 @@ index 69cbd06..080e2e1 100644 ######################################## # # Postfix map local policy -@@ -379,18 +437,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -348,7 +405,6 @@ corecmd_read_bin_sockets(postfix_map_t) + + files_list_home(postfix_map_t) + files_read_usr_files(postfix_map_t) +-files_read_etc_files(postfix_map_t) + files_read_etc_runtime_files(postfix_map_t) + files_dontaudit_search_var(postfix_map_t) + +@@ -379,18 +435,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -40533,7 +41213,7 @@ index 69cbd06..080e2e1 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +465,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -40542,7 +41222,7 @@ index 69cbd06..080e2e1 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +486,7 @@ optional_policy(` +@@ -420,6 +484,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -40550,7 +41230,7 @@ index 69cbd06..080e2e1 100644 ') optional_policy(` -@@ -436,11 +503,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -40568,7 +41248,7 @@ index 69cbd06..080e2e1 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +560,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -40579,7 +41259,7 @@ index 69cbd06..080e2e1 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +590,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -40592,7 +41272,7 @@ index 69cbd06..080e2e1 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +614,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -40603,7 +41283,7 @@ index 69cbd06..080e2e1 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +637,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +635,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -40612,7 +41292,7 @@ index 69cbd06..080e2e1 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +646,14 @@ optional_policy(` +@@ -565,6 +644,14 @@ optional_policy(` ') optional_policy(` 
@@ -40627,7 +41307,7 @@ index 69cbd06..080e2e1 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +670,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +668,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -40654,7 +41334,7 @@ index 69cbd06..080e2e1 100644 ') optional_policy(` -@@ -599,6 +696,12 @@ optional_policy(` +@@ -599,6 +694,12 @@ optional_policy(` ') optional_policy(` @@ -40667,7 +41347,7 @@ index 69cbd06..080e2e1 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +714,6 @@ optional_policy(` +@@ -611,7 +712,6 @@ optional_policy(` # Postfix virtual local policy # @@ -40675,7 +41355,15 @@ index 69cbd06..080e2e1 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +732,76 @@ mta_delete_spool(postfix_virtual_t) +@@ -622,7 +722,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } + corecmd_exec_shell(postfix_virtual_t) + corecmd_exec_bin(postfix_virtual_t) + +-files_read_etc_files(postfix_virtual_t) + files_read_usr_files(postfix_virtual_t) + + mta_read_aliases(postfix_virtual_t) +@@ -630,3 +729,75 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -40730,7 +41418,6 @@ index 69cbd06..080e2e1 100644 + +corecmd_exec_shell(postfix_domain) + -+files_read_etc_files(postfix_domain) +files_read_etc_runtime_files(postfix_domain) +files_read_usr_files(postfix_domain) +files_read_usr_symlinks(postfix_domain) @@ -41044,7 +41731,7 @@ index de4bdb7..a4cad0b 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index bcbf9ac..92cec2b 100644 +index bcbf9ac..fd793b3 100644 --- a/ppp.te +++ b/ppp.te 
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) @@ -41146,7 +41833,14 @@ index bcbf9ac..92cec2b 100644 # allow running ip-up and ip-down scripts and running chat. corecmd_exec_bin(pppd_t) -@@ -170,6 +178,9 @@ init_dontaudit_write_utmp(pppd_t) +@@ -163,13 +171,15 @@ files_manage_etc_runtime_files(pppd_t) + files_dontaudit_write_etc_files(pppd_t) + + # for scripts +-files_read_etc_files(pppd_t) + + init_read_utmp(pppd_t) + init_dontaudit_write_utmp(pppd_t) init_signal_script(pppd_t) auth_use_nsswitch(pppd_t) @@ -41156,7 +41850,7 @@ index bcbf9ac..92cec2b 100644 logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) -@@ -180,24 +191,34 @@ sysnet_exec_ifconfig(pppd_t) +@@ -180,24 +190,34 @@ sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) @@ -41194,7 +41888,7 @@ index bcbf9ac..92cec2b 100644 ') optional_policy(` -@@ -247,14 +268,18 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -247,14 +267,18 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -41214,8 +41908,16 @@ index bcbf9ac..92cec2b 100644 dev_read_sysfs(pptp_t) +@@ -273,7 +297,6 @@ corenet_tcp_connect_generic_port(pptp_t) + corenet_tcp_connect_all_reserved_ports(pptp_t) + corenet_sendrecv_generic_client_packets(pptp_t) + +-files_read_etc_files(pptp_t) + + fs_getattr_all_fs(pptp_t) + fs_search_auto_mountpoints(pptp_t) diff --git a/prelink.te b/prelink.te -index af55369..e97defd 100644 +index af55369..f977b84 100644 --- a/prelink.te +++ b/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -41240,7 +41942,7 @@ index af55369..e97defd 100644 kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) -@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t) +@@ -73,11 +74,11 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) 
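Review bot: Removing `files_read_etc_files(pppd_t)` in the pppd hunk leaves the preceding `# for scripts` comment attached to nothing, since the rule it explained is gone and the next statement is `init_read_utmp(pppd_t)`. Either drop the comment together with the line or move it to whatever now covers the ip-up/ip-down scripts' configuration reads, so the next reader does not search for a missing rule. The pppd_t block starts and ends outside this hunk.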
@@ -41248,7 +41950,12 @@ index af55369..e97defd 100644 files_list_all(prelink_t) files_getattr_all_files(prelink_t) -@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t) + files_write_non_security_dirs(prelink_t) +-files_read_etc_files(prelink_t) + files_read_etc_runtime_files(prelink_t) + files_dontaudit_read_all_symlinks(prelink_t) + files_manage_usr_files(prelink_t) +@@ -86,6 +87,8 @@ files_relabelfrom_usr_files(prelink_t) fs_getattr_xattr_fs(prelink_t) @@ -41257,7 +41964,7 @@ index af55369..e97defd 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -98,7 +102,15 @@ libs_delete_lib_symlinks(prelink_t) +@@ -98,7 +101,15 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) @@ -41274,7 +41981,7 @@ index af55369..e97defd 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,6 +121,15 @@ optional_policy(` +@@ -109,6 +120,15 @@ optional_policy(` ') optional_policy(` @@ -41290,7 +41997,7 @@ index af55369..e97defd 100644 rpm_manage_tmp_files(prelink_t) ') -@@ -129,6 +150,7 @@ optional_policy(` +@@ -129,6 +149,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -41298,8 +42005,11 @@ index af55369..e97defd 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +170,33 @@ optional_policy(` - files_read_etc_files(prelink_cron_system_t) +@@ -145,20 +166,35 @@ optional_policy(` + corecmd_exec_shell(prelink_cron_system_t) + + files_dontaudit_search_all_mountpoints(prelink_cron_system_t) +- files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) + fs_search_cgroup_dirs(prelink_cron_system_t) @@ -41403,7 +42113,7 @@ index 2316653..f41a4f7 100644 + admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index b1bc02c..f1cdaed 100644 +index b1bc02c..818d0a9 100644 
--- a/prelude.te +++ b/prelude.te @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; @@ -41415,7 +42125,31 @@ index b1bc02c..f1cdaed 100644 type prelude_log_t; logging_log_file(prelude_log_t) -@@ -210,8 +210,8 @@ prelude_manage_spool(prelude_correlator_t) +@@ -95,7 +95,6 @@ corenet_tcp_connect_mysqld_port(prelude_t) + dev_read_rand(prelude_t) + dev_read_urand(prelude_t) + +-files_read_etc_files(prelude_t) + files_read_etc_runtime_files(prelude_t) + files_read_usr_files(prelude_t) + files_search_tmp(prelude_t) +@@ -156,7 +155,6 @@ dev_read_urand(prelude_audisp_t) + # Init script handling + domain_use_interactive_fds(prelude_audisp_t) + +-files_read_etc_files(prelude_audisp_t) + files_read_etc_runtime_files(prelude_audisp_t) + files_search_tmp(prelude_audisp_t) + +@@ -192,7 +190,6 @@ corenet_tcp_connect_prelude_port(prelude_correlator_t) + dev_read_rand(prelude_correlator_t) + dev_read_urand(prelude_correlator_t) + +-files_read_etc_files(prelude_correlator_t) + files_read_usr_files(prelude_correlator_t) + files_search_spool(prelude_correlator_t) + +@@ -210,8 +207,8 @@ prelude_manage_spool(prelude_correlator_t) # allow prelude_lml_t self:capability dac_override; @@ -41426,7 +42160,7 @@ index b1bc02c..f1cdaed 100644 allow prelude_lml_t self:fifo_file rw_fifo_file_perms; allow prelude_lml_t self:unix_stream_socket connectto; -@@ -236,6 +236,8 @@ kernel_read_sysctl(prelude_lml_t) +@@ -236,6 +233,8 @@ kernel_read_sysctl(prelude_lml_t) corecmd_exec_bin(prelude_lml_t) 
@@ -41435,6 +42169,22 @@ index b1bc02c..f1cdaed 100644 corenet_tcp_sendrecv_generic_if(prelude_lml_t) corenet_tcp_sendrecv_generic_node(prelude_lml_t) corenet_tcp_recvfrom_netlabel(prelude_lml_t) +@@ -247,7 +246,6 @@ dev_read_rand(prelude_lml_t) + dev_read_urand(prelude_lml_t) + + files_list_etc(prelude_lml_t) +-files_read_etc_files(prelude_lml_t) + files_read_etc_runtime_files(prelude_lml_t) + + fs_getattr_all_fs(prelude_lml_t) +@@ -283,7 +281,6 @@ optional_policy(` + + can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) + +- files_read_etc_files(httpd_prewikka_script_t) + files_search_tmp(httpd_prewikka_script_t) + + kernel_read_sysctl(httpd_prewikka_script_t) diff --git a/privoxy.if b/privoxy.if index afd1751..5aff531 100644 --- a/privoxy.if @@ -41453,7 +42203,7 @@ index afd1751..5aff531 100644 init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff --git a/privoxy.te b/privoxy.te -index 2dbf4d4..50ce8a5 100644 +index 2dbf4d4..54a6eca 100644 --- a/privoxy.te +++ b/privoxy.te @@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file) @@ -41475,7 +42225,15 @@ index 2dbf4d4..50ce8a5 100644 corenet_sendrecv_http_cache_client_packets(privoxy_t) corenet_sendrecv_squid_client_packets(privoxy_t) corenet_sendrecv_http_cache_server_packets(privoxy_t) -@@ -87,7 +89,7 @@ miscfiles_read_localization(privoxy_t) +@@ -76,7 +78,6 @@ fs_search_auto_mountpoints(privoxy_t) + + domain_use_interactive_fds(privoxy_t) + +-files_read_etc_files(privoxy_t) + + auth_use_nsswitch(privoxy_t) + +@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t) userdom_dontaudit_use_unpriv_user_fds(privoxy_t) userdom_dontaudit_search_user_home_dirs(privoxy_t) # cjp: this should really not be needed @@ -41522,7 +42280,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/procmail.te b/procmail.te -index 29b9295..624afe6 100644 +index 29b9295..59d1db3 100644 --- a/procmail.te 
+++ b/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -41544,15 +42302,15 @@ index 29b9295..624afe6 100644 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -67,7 +70,6 @@ auth_use_nsswitch(procmail_t) +@@ -67,18 +70,26 @@ auth_use_nsswitch(procmail_t) corecmd_exec_bin(procmail_t) corecmd_exec_shell(procmail_t) -corecmd_read_bin_symlinks(procmail_t) - files_read_etc_files(procmail_t) +-files_read_etc_files(procmail_t) files_read_etc_runtime_files(procmail_t) -@@ -75,10 +77,20 @@ files_search_pids(procmail_t) + files_search_pids(procmail_t) # for spamassasin files_read_usr_files(procmail_t) @@ -41573,7 +42331,7 @@ index 29b9295..624afe6 100644 # only works until we define a different type for maildir userdom_manage_user_home_content_dirs(procmail_t) userdom_manage_user_home_content_files(procmail_t) -@@ -87,8 +99,8 @@ userdom_manage_user_home_content_pipes(procmail_t) +@@ -87,8 +98,8 @@ userdom_manage_user_home_content_pipes(procmail_t) userdom_manage_user_home_content_sockets(procmail_t) userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) @@ -41584,7 +42342,7 @@ index 29b9295..624afe6 100644 mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -97,21 +109,19 @@ ifdef(`hide_broken_symptoms',` +@@ -97,21 +108,19 @@ ifdef(`hide_broken_symptoms',` mta_dontaudit_rw_queue(procmail_t) ') @@ -41614,7 +42372,7 @@ index 29b9295..624afe6 100644 ') optional_policy(` -@@ -125,6 +135,11 @@ optional_policy(` +@@ -125,6 +134,11 @@ optional_policy(` postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) @@ -41946,7 +42704,7 @@ index f40c64d..a3352d3 100644 + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") ') 
diff --git a/pulseaudio.te b/pulseaudio.te -index 901ac9b..e53b4b7 100644 +index 901ac9b..2094fc8 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -41972,7 +42730,14 @@ index 901ac9b..e53b4b7 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -83,8 +89,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t) +@@ -76,15 +82,14 @@ dev_write_sound(pulseaudio_t) + dev_read_sysfs(pulseaudio_t) + dev_read_urand(pulseaudio_t) + +-files_read_etc_files(pulseaudio_t) + files_read_usr_files(pulseaudio_t) + + fs_rw_anon_inodefs_files(pulseaudio_t) fs_getattr_tmpfs(pulseaudio_t) fs_list_inotifyfs(pulseaudio_t) @@ -41983,7 +42748,7 @@ index 901ac9b..e53b4b7 100644 auth_use_nsswitch(pulseaudio_t) -@@ -92,10 +98,29 @@ logging_send_syslog_msg(pulseaudio_t) +@@ -92,10 +97,29 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) @@ -42017,7 +42782,7 @@ index 901ac9b..e53b4b7 100644 optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -125,16 +150,35 @@ optional_policy(` +@@ -125,16 +149,35 @@ optional_policy(` ') optional_policy(` @@ -42053,7 +42818,7 @@ index 901ac9b..e53b4b7 100644 udev_read_state(pulseaudio_t) udev_read_db(pulseaudio_t) ') -@@ -146,3 +190,7 @@ optional_policy(` +@@ -146,3 +189,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -42216,7 +42981,7 @@ index 2855a44..2f72e9a 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; +') diff --git a/puppet.te b/puppet.te -index d792d53..e67606e 100644 +index d792d53..561e0e7 100644 --- a/puppet.te +++ b/puppet.te @@ -13,6 +13,13 @@ policy_module(puppet, 1.2.1) @@ -42335,7 +43100,7 @@ index d792d53..e67606e 100644 portage_domtrans(puppet_t) portage_domtrans_fetch(puppet_t) portage_domtrans_gcc_config(puppet_t) -@@ -164,8 +194,131 @@ optional_policy(` +@@ -164,8 +194,130 @@ optional_policy(` ') optional_policy(` 
@@ -42442,7 +43207,6 @@ index d792d53..e67606e 100644 +dev_read_urand(puppetca_t) +dev_search_sysfs(puppetca_t) + -+files_read_etc_files(puppetca_t) +files_search_var_lib(puppetca_t) + +selinux_validate_context(puppetca_t) @@ -42469,7 +43233,7 @@ index d792d53..e67606e 100644 ') ######################################## -@@ -184,24 +337,32 @@ allow puppetmaster_t self:udp_socket create_socket_perms; +@@ -184,24 +336,32 @@ allow puppetmaster_t self:udp_socket create_socket_perms; list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) @@ -42504,7 +43268,7 @@ index d792d53..e67606e 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -213,22 +374,48 @@ corenet_tcp_sendrecv_generic_node(puppetmaster_t) +@@ -213,22 +373,48 @@ corenet_tcp_sendrecv_generic_node(puppetmaster_t) corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -42556,7 +43320,7 @@ index d792d53..e67606e 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -239,3 +426,9 @@ optional_policy(` +@@ -239,3 +425,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -42657,10 +43421,10 @@ index 0000000..86d25ea +') diff --git a/pwauth.te b/pwauth.te new file mode 100644 -index 0000000..11bb8e1 +index 0000000..8d2c891 --- /dev/null +++ b/pwauth.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,41 @@ +policy_module(pwauth, 1.0.0) + +######################################## @@ -42691,7 +43455,6 @@ index 0000000..11bb8e1 + +domain_use_interactive_fds(pwauth_t) + -+files_read_etc_files(pwauth_t) + +auth_domtrans_chkpwd(pwauth_t) +auth_use_nsswitch(pwauth_t) @@ -42807,7 +43570,7 @@ index 494f7e2..2c411af 100644 + admin_pattern($1, pyzor_var_lib_t) +') diff --git a/pyzor.te b/pyzor.te -index c8fb70b..a272112 100644 +index c8fb70b..764de6b 100644 --- a/pyzor.te +++ b/pyzor.te @@ -1,42 +1,66 @@ 
@@ -42910,13 +43673,13 @@ index c8fb70b..a272112 100644 ######################################## # -@@ -74,12 +98,16 @@ corenet_tcp_connect_http_port(pyzor_t) +@@ -74,12 +98,15 @@ corenet_tcp_connect_http_port(pyzor_t) dev_read_urand(pyzor_t) +-files_read_etc_files(pyzor_t) +fs_getattr_xattr_fs(pyzor_t) + - files_read_etc_files(pyzor_t) auth_use_nsswitch(pyzor_t) @@ -42927,7 +43690,7 @@ index c8fb70b..a272112 100644 userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` -@@ -109,8 +137,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms; +@@ -109,8 +136,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms; can_exec(pyzord_t, pyzor_exec_t) manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) @@ -42938,6 +43701,14 @@ index c8fb70b..a272112 100644 kernel_read_kernel_sysctls(pyzord_t) kernel_read_system_state(pyzord_t) +@@ -128,7 +155,6 @@ corenet_udp_bind_generic_node(pyzord_t) + corenet_udp_bind_pyzor_port(pyzord_t) + corenet_sendrecv_pyzor_server_packets(pyzord_t) + +-files_read_etc_files(pyzord_t) + + auth_use_nsswitch(pyzord_t) + diff --git a/qemu.if b/qemu.if index 268d691..da3a26d 100644 --- a/qemu.if @@ -43294,7 +44065,7 @@ index a55bf44..c6dee66 100644 + allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; +') diff --git a/qmail.te b/qmail.te -index 355b2a2..88e6f40 100644 +index 355b2a2..2eb3c5c 100644 --- a/qmail.te +++ b/qmail.te @@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) 
@@ -43343,7 +44114,15 @@ index 355b2a2..88e6f40 100644 allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) -@@ -121,13 +121,17 @@ mta_append_spool(qmail_local_t) +@@ -109,7 +109,6 @@ kernel_read_system_state(qmail_local_t) + corecmd_exec_bin(qmail_local_t) + corecmd_exec_shell(qmail_local_t) + +-files_read_etc_files(qmail_local_t) + files_read_etc_runtime_files(qmail_local_t) + + auth_use_nsswitch(qmail_local_t) +@@ -121,13 +120,17 @@ mta_append_spool(qmail_local_t) qmail_domtrans_queue(qmail_local_t) optional_policy(` @@ -43362,7 +44141,14 @@ index 355b2a2..88e6f40 100644 # allow qmail_lspawn_t self:capability { setuid setgid }; -@@ -150,15 +154,15 @@ files_search_tmp(qmail_lspawn_t) +@@ -143,22 +146,21 @@ read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) + + corecmd_search_bin(qmail_lspawn_t) + +-files_read_etc_files(qmail_lspawn_t) + files_search_pids(qmail_lspawn_t) + files_search_tmp(qmail_lspawn_t) + ######################################## # # qmail-queue local policy @@ -43380,7 +44166,7 @@ index 355b2a2..88e6f40 100644 manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) -@@ -175,7 +179,7 @@ optional_policy(` +@@ -175,7 +177,7 @@ optional_policy(` ######################################## # # qmail-remote local policy @@ -43389,7 +44175,7 @@ index 355b2a2..88e6f40 100644 # allow qmail_remote_t self:tcp_socket create_socket_perms; -@@ -202,7 +206,7 @@ sysnet_read_config(qmail_remote_t) +@@ -202,7 +204,7 @@ sysnet_read_config(qmail_remote_t) ######################################## # # qmail-rspawn local policy 
@@ -43398,7 +44184,7 @@ index 355b2a2..88e6f40 100644 # allow qmail_rspawn_t self:process signal_perms; -@@ -217,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t) +@@ -217,7 +219,7 @@ corecmd_search_bin(qmail_rspawn_t) ######################################## # # qmail-send local policy @@ -43407,7 +44193,7 @@ index 355b2a2..88e6f40 100644 # allow qmail_send_t self:process signal_perms; -@@ -236,7 +240,7 @@ optional_policy(` +@@ -236,7 +238,7 @@ optional_policy(` ######################################## # # qmail-smtpd local policy @@ -43416,7 +44202,7 @@ index 355b2a2..88e6f40 100644 # allow qmail_smtpd_t self:process signal_perms; -@@ -265,7 +269,7 @@ optional_policy(` +@@ -265,12 +267,11 @@ optional_policy(` ######################################## # # splogger local policy @@ -43425,7 +44211,12 @@ index 355b2a2..88e6f40 100644 # allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; -@@ -279,13 +283,13 @@ miscfiles_read_localization(qmail_splogger_t) + +-files_read_etc_files(qmail_splogger_t) + + init_dontaudit_use_script_fds(qmail_splogger_t) + +@@ -279,13 +280,13 @@ miscfiles_read_localization(qmail_splogger_t) ######################################## # # qmail-start local policy @@ -43441,7 +44232,7 @@ index 355b2a2..88e6f40 100644 can_exec(qmail_start_t, qmail_start_exec_t) -@@ -303,7 +307,7 @@ optional_policy(` +@@ -303,7 +304,7 @@ optional_policy(` ######################################## # # tcp-env local policy @@ -44020,10 +44811,10 @@ index 0000000..010b2be +') diff --git a/quantum.te b/quantum.te new file mode 100644 -index 0000000..616ed06 +index 0000000..a5fa6b6 --- /dev/null +++ b/quantum.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,82 @@ +policy_module(quantum, 1.0.0) + +######################################## @@ -44086,7 +44877,6 @@ index 0000000..616ed06 + +domain_use_interactive_fds(quantum_t) + -+files_read_etc_files(quantum_t) +files_read_usr_files(quantum_t) + +auth_use_nsswitch(quantum_t) 
@@ -44253,7 +45043,7 @@ index bf75d99..3fb8575 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) +') diff --git a/quota.te b/quota.te -index 5dd42f5..b4ebb85 100644 +index 5dd42f5..634182b 100644 --- a/quota.te +++ b/quota.te @@ -7,7 +7,8 @@ policy_module(quota, 1.5.0) @@ -44303,7 +45093,7 @@ index 5dd42f5..b4ebb85 100644 userdom_dontaudit_use_unpriv_user_fds(quota_t) optional_policy(` -@@ -82,3 +97,34 @@ optional_policy(` +@@ -82,3 +97,33 @@ optional_policy(` optional_policy(` udev_read_db(quota_t) ') @@ -44322,7 +45112,6 @@ index 5dd42f5..b4ebb85 100644 + +kernel_read_network_state(quota_nld_t) + -+files_read_etc_files(quota_nld_t) + +auth_use_nsswitch(quota_nld_t) + @@ -44488,7 +45277,7 @@ index 75e5dc4..87d75fe 100644 init_labeled_script_domtrans($1, radiusd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/radius.te b/radius.te -index b1ed1bf..4719120 100644 +index b1ed1bf..7658e20 100644 --- a/radius.te +++ b/radius.te @@ -62,6 +62,7 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) @@ -44507,7 +45296,15 @@ index b1ed1bf..4719120 100644 corenet_tcp_connect_mysqld_port(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) corenet_sendrecv_radius_server_packets(radiusd_t) -@@ -113,6 +115,8 @@ logging_send_syslog_msg(radiusd_t) +@@ -99,7 +101,6 @@ corecmd_exec_shell(radiusd_t) + domain_use_interactive_fds(radiusd_t) + + files_read_usr_files(radiusd_t) +-files_read_etc_files(radiusd_t) + files_read_etc_runtime_files(radiusd_t) + + auth_use_nsswitch(radiusd_t) +@@ -113,6 +114,8 @@ logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) 
@@ -44539,6 +45336,18 @@ index be05bff..7b00e1e 100644 init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) +diff --git a/radvd.te b/radvd.te +index f9a2162..8f0c6bc 100644 +--- a/radvd.te ++++ b/radvd.te +@@ -61,7 +61,6 @@ fs_search_auto_mountpoints(radvd_t) + + domain_use_interactive_fds(radvd_t) + +-files_read_etc_files(radvd_t) + files_list_usr(radvd_t) + + auth_use_nsswitch(radvd_t) diff --git a/raid.fc b/raid.fc index ed9c70d..c298507 100644 --- a/raid.fc @@ -44589,7 +45398,7 @@ index b1a85b5..db0d815 100644 ## ## diff --git a/raid.te b/raid.te -index 641f677..6e754eb 100644 +index 641f677..1e3cf4c 100644 --- a/raid.te +++ b/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -44633,7 +45442,7 @@ index 641f677..6e754eb 100644 kernel_rw_software_raid_state(mdadm_t) kernel_getattr_core_if(mdadm_t) -@@ -52,14 +52,17 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) +@@ -52,14 +52,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) # unfortunately needed for DMI decoding: dev_read_raw_memory(mdadm_t) @@ -44642,7 +45451,7 @@ index 641f677..6e754eb 100644 +domain_read_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) - files_read_etc_files(mdadm_t) +-files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) -files_dontaudit_getattr_all_files(mdadm_t) +files_dontaudit_getattr_tmpfs_files(mdadm_t) @@ -44653,7 +45462,7 @@ index 641f677..6e754eb 100644 fs_dontaudit_list_tmpfs(mdadm_t) mls_file_read_all_levels(mdadm_t) -@@ -69,10 +72,13 @@ mls_file_write_all_levels(mdadm_t) +@@ -69,10 +71,13 @@ mls_file_write_all_levels(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_dev_filetrans_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) 
@@ -44667,7 +45476,7 @@ index 641f677..6e754eb 100644 init_dontaudit_getattr_initctl(mdadm_t) logging_send_syslog_msg(mdadm_t) -@@ -86,6 +92,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) +@@ -86,6 +91,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) mta_send_mail(mdadm_t) optional_policy(` @@ -45179,7 +45988,7 @@ index b4ac57e..ef944a4 100644 logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) diff --git a/remotelogin.te b/remotelogin.te -index 0a76027..a475797 100644 +index 0a76027..a3bc03a 100644 --- a/remotelogin.te +++ b/remotelogin.te @@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t) @@ -45212,7 +46021,15 @@ index 0a76027..a475797 100644 auth_rw_login_records(remote_login_t) auth_rw_faillog(remote_login_t) -@@ -77,7 +72,7 @@ files_list_mnt(remote_login_t) +@@ -64,7 +59,6 @@ corecmd_read_bin_sockets(remote_login_t) + + domain_read_all_entry_files(remote_login_t) + +-files_read_etc_files(remote_login_t) + files_read_etc_runtime_files(remote_login_t) + files_list_home(remote_login_t) + files_read_usr_files(remote_login_t) +@@ -77,7 +71,7 @@ files_list_mnt(remote_login_t) # for when /var/mail is a sym-link files_read_var_symlinks(remote_login_t) @@ -45221,7 +46038,7 @@ index 0a76027..a475797 100644 miscfiles_read_localization(remote_login_t) -@@ -87,34 +82,28 @@ userdom_search_user_home_content(remote_login_t) +@@ -87,34 +81,28 @@ userdom_search_user_home_content(remote_login_t) # since very weak authentication is used. userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) @@ -45808,7 +46625,7 @@ index de37806..3e870b7 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/rhcs.te b/rhcs.te -index 93c896a..cdee904 100644 +index 93c896a..708da10 100644 --- a/rhcs.te +++ b/rhcs.te @@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0) 
@@ -45937,7 +46754,7 @@ index 93c896a..cdee904 100644 ') optional_policy(` -@@ -114,13 +154,43 @@ optional_policy(` +@@ -114,13 +154,42 @@ optional_policy(` lvm_read_config(fenced_t) ') @@ -45960,7 +46777,6 @@ index 93c896a..cdee904 100644 + +dev_read_urand(foghorn_t) + -+files_read_etc_files(foghorn_t) +files_read_usr_files(foghorn_t) + +optional_policy(` @@ -45982,7 +46798,7 @@ index 93c896a..cdee904 100644 allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -139,10 +209,6 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -139,10 +208,6 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -45993,7 +46809,7 @@ index 93c896a..cdee904 100644 lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -154,9 +220,10 @@ optional_policy(` +@@ -154,12 +219,12 @@ optional_policy(` allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; @@ -46004,8 +46820,11 @@ index 93c896a..cdee904 100644 + dev_list_sysfs(groupd_t) - files_read_etc_files(groupd_t) -@@ -168,8 +235,7 @@ init_rw_script_tmp_files(groupd_t) +-files_read_etc_files(groupd_t) + + init_rw_script_tmp_files(groupd_t) + +@@ -168,8 +233,7 @@ init_rw_script_tmp_files(groupd_t) # qdiskd local policy # @@ -46015,7 +46834,7 @@ index 93c896a..cdee904 100644 allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -182,7 +248,7 @@ kernel_read_system_state(qdiskd_t) +@@ -182,7 +246,7 @@ kernel_read_system_state(qdiskd_t) kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) 
@@ -46024,16 +46843,17 @@ index 93c896a..cdee904 100644 corecmd_exec_shell(qdiskd_t) dev_read_sysfs(qdiskd_t) -@@ -199,6 +265,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t) - files_dontaudit_getattr_all_pipes(qdiskd_t) - files_read_etc_files(qdiskd_t) +@@ -197,7 +261,8 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t) -+fs_list_hugetlbfs(qdiskd_t) + files_dontaudit_getattr_all_sockets(qdiskd_t) + files_dontaudit_getattr_all_pipes(qdiskd_t) +-files_read_etc_files(qdiskd_t) + ++fs_list_hugetlbfs(qdiskd_t) + storage_raw_read_removable_device(qdiskd_t) storage_raw_write_removable_device(qdiskd_t) - storage_raw_read_fixed_disk(qdiskd_t) -@@ -207,10 +275,6 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -207,10 +272,6 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -46044,7 +46864,7 @@ index 93c896a..cdee904 100644 netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +287,28 @@ optional_policy(` +@@ -223,18 +284,28 @@ optional_policy(` # rhcs domains common policy # @@ -46658,7 +47478,7 @@ index f7826f9..23d579c 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/ricci.te b/ricci.te -index 33e72e8..8e98863 100644 +index 33e72e8..858e0be 100644 --- a/ricci.te +++ b/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) @@ -46704,7 +47524,15 @@ index 33e72e8..8e98863 100644 corecmd_exec_bin(ricci_t) -@@ -170,6 +175,10 @@ optional_policy(` +@@ -123,7 +128,6 @@ dev_read_urand(ricci_t) + + domain_read_all_domains_state(ricci_t) + +-files_read_etc_files(ricci_t) + files_read_etc_runtime_files(ricci_t) + files_create_boot_flag(ricci_t) + +@@ -170,6 +174,10 @@ optional_policy(` ') optional_policy(` @@ -46715,7 +47543,7 @@ index 33e72e8..8e98863 100644 unconfined_use_fds(ricci_t) ') -@@ -193,7 +202,8 @@ corecmd_exec_shell(ricci_modcluster_t) +@@ -193,15 +201,17 @@ corecmd_exec_shell(ricci_modcluster_t) corecmd_exec_bin(ricci_modcluster_t) corenet_tcp_bind_cluster_port(ricci_modclusterd_t) 
@@ -46725,8 +47553,9 @@ index 33e72e8..8e98863 100644 domain_read_all_domains_state(ricci_modcluster_t) -@@ -202,6 +212,8 @@ files_read_etc_runtime_files(ricci_modcluster_t) - files_read_etc_files(ricci_modcluster_t) + files_search_locks(ricci_modcluster_t) + files_read_etc_runtime_files(ricci_modcluster_t) +-files_read_etc_files(ricci_modcluster_t) files_search_usr(ricci_modcluster_t) +auth_use_nsswitch(ricci_modcluster_t) @@ -46734,7 +47563,7 @@ index 33e72e8..8e98863 100644 init_exec(ricci_modcluster_t) init_domtrans_script(ricci_modcluster_t) -@@ -209,13 +221,9 @@ logging_send_syslog_msg(ricci_modcluster_t) +@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t) miscfiles_read_localization(ricci_modcluster_t) @@ -46751,7 +47580,7 @@ index 33e72e8..8e98863 100644 optional_policy(` aisexec_stream_connect(ricci_modcluster_t) -@@ -233,7 +241,15 @@ optional_policy(` +@@ -233,7 +239,15 @@ optional_policy(` ') optional_policy(` @@ -46768,7 +47597,7 @@ index 33e72e8..8e98863 100644 ') optional_policy(` -@@ -241,8 +257,7 @@ optional_policy(` +@@ -241,8 +255,7 @@ optional_policy(` ') optional_policy(` @@ -46778,7 +47607,7 @@ index 33e72e8..8e98863 100644 ') ######################################## -@@ -261,6 +276,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; +@@ -261,6 +274,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; 
@@ -46789,7 +47618,7 @@ index 33e72e8..8e98863 100644 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +291,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock +@@ -272,6 +289,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) 
@@ -46797,16 +47626,39 @@ index 33e72e8..8e98863 100644 corecmd_exec_bin(ricci_modclusterd_t) -@@ -363,6 +383,8 @@ corecmd_exec_bin(ricci_modrpm_t) - files_search_usr(ricci_modrpm_t) - files_read_etc_files(ricci_modrpm_t) +@@ -283,7 +301,6 @@ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t) -+logging_send_syslog_msg(ricci_modrpm_t) + domain_read_all_domains_state(ricci_modclusterd_t) + +-files_read_etc_files(ricci_modclusterd_t) + files_read_etc_runtime_files(ricci_modclusterd_t) + + fs_getattr_xattr_fs(ricci_modclusterd_t) +@@ -334,7 +351,6 @@ corecmd_exec_bin(ricci_modlog_t) + + domain_read_all_domains_state(ricci_modlog_t) + +-files_read_etc_files(ricci_modlog_t) + files_search_usr(ricci_modlog_t) + + logging_read_generic_logs(ricci_modlog_t) +@@ -361,7 +377,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) + corecmd_exec_bin(ricci_modrpm_t) + + files_search_usr(ricci_modrpm_t) +-files_read_etc_files(ricci_modrpm_t) + ++logging_send_syslog_msg(ricci_modrpm_t) + miscfiles_read_localization(ricci_modrpm_t) - optional_policy(` -@@ -394,10 +416,10 @@ files_search_usr(ricci_modservice_t) +@@ -388,16 +405,15 @@ kernel_read_system_state(ricci_modservice_t) + corecmd_exec_bin(ricci_modservice_t) + corecmd_exec_shell(ricci_modservice_t) + +-files_read_etc_files(ricci_modservice_t) + files_read_etc_runtime_files(ricci_modservice_t) + files_search_usr(ricci_modservice_t) # Needed for running chkconfig files_manage_etc_symlinks(ricci_modservice_t) @@ -46819,7 +47671,7 @@ index 33e72e8..8e98863 100644 miscfiles_read_localization(ricci_modservice_t) optional_policy(` -@@ -405,6 +427,10 @@ optional_policy(` +@@ -405,6 +421,10 @@ optional_policy(` ') optional_policy(` @@ -46830,7 +47682,7 @@ index 33e72e8..8e98863 100644 nscd_dontaudit_search_pid(ricci_modservice_t) ') -@@ -418,7 +444,6 @@ optional_policy(` +@@ -418,7 +438,6 @@ optional_policy(` # allow ricci_modstorage_t self:process { setsched signal }; 
@@ -46838,7 +47690,7 @@ index 33e72e8..8e98863 100644 allow ricci_modstorage_t self:capability { mknod sys_nice }; allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; -@@ -444,22 +469,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -444,22 +463,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -46868,7 +47720,7 @@ index 33e72e8..8e98863 100644 optional_policy(` aisexec_stream_connect(ricci_modstorage_t) corosync_stream_connect(ricci_modstorage_t) -@@ -471,12 +496,24 @@ optional_policy(` +@@ -471,12 +490,24 @@ optional_policy(` ') optional_policy(` @@ -46941,7 +47793,7 @@ index 63e78c6..fdd8228 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index d654552..706700d 100644 +index d654552..f8415f4 100644 --- a/rlogin.te +++ b/rlogin.te @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) @@ -46970,7 +47822,7 @@ index d654552..706700d 100644 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -69,8 +67,10 @@ fs_getattr_xattr_fs(rlogind_t) +@@ -69,10 +67,11 @@ fs_getattr_xattr_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) @@ -46979,9 +47831,11 @@ index d654552..706700d 100644 auth_use_nsswitch(rlogind_t) +auth_login_pgm_domain(rlogind_t) - files_read_etc_files(rlogind_t) +-files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -88,27 +88,24 @@ seutil_read_config(rlogind_t) + files_search_home(rlogind_t) + files_search_default(rlogind_t) +@@ -88,27 +87,24 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) @@ -47073,7 +47927,7 @@ index 5c70c0c..b0c22f7 100644 /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + 
diff --git a/rpc.if b/rpc.if -index dddabcf..fa20a5d 100644 +index dddabcf..758d5bd 100644 --- a/rpc.if +++ b/rpc.if @@ -32,7 +32,11 @@ interface(`rpc_stub',` @@ -47089,7 +47943,15 @@ index dddabcf..fa20a5d 100644 ######################################## # # Declarations -@@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',` +@@ -95,7 +99,6 @@ template(`rpc_domain_template', ` + fs_rw_rpc_named_pipes($1_t) + fs_search_auto_mountpoints($1_t) + +- files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) + files_search_var($1_t) + files_search_var_lib($1_t) +@@ -152,7 +155,7 @@ interface(`rpc_dontaudit_getattr_exports',` type exports_t; ') @@ -47098,7 +47960,7 @@ index dddabcf..fa20a5d 100644 ') ######################################## -@@ -188,7 +192,7 @@ interface(`rpc_write_exports',` +@@ -188,7 +191,7 @@ interface(`rpc_write_exports',` type exports_t; ') @@ -47107,7 +47969,7 @@ index dddabcf..fa20a5d 100644 ') ######################################## -@@ -229,6 +233,29 @@ interface(`rpc_initrc_domtrans_nfsd',` +@@ -229,6 +232,29 @@ interface(`rpc_initrc_domtrans_nfsd',` ######################################## ## @@ -47137,7 +47999,7 @@ index dddabcf..fa20a5d 100644 ## Execute domain in rpcd domain. ## ## -@@ -246,6 +273,32 @@ interface(`rpc_domtrans_rpcd',` +@@ -246,6 +272,32 @@ interface(`rpc_domtrans_rpcd',` allow rpcd_t $1:process signal; ') @@ -47170,7 +48032,7 @@ index dddabcf..fa20a5d 100644 ####################################### ## ## Execute domain in rpcd domain. -@@ -266,6 +319,29 @@ interface(`rpc_initrc_domtrans_rpcd',` +@@ -266,6 +318,29 @@ interface(`rpc_initrc_domtrans_rpcd',` ######################################## ## @@ -47200,7 +48062,7 @@ index dddabcf..fa20a5d 100644 ## Read NFS exported content. ## ## -@@ -282,7 +358,7 @@ interface(`rpc_read_nfs_content',` +@@ -282,7 +357,7 @@ interface(`rpc_read_nfs_content',` allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; 
@@ -47209,7 +48071,7 @@ index dddabcf..fa20a5d 100644 ') ######################################## -@@ -329,7 +405,7 @@ interface(`rpc_manage_nfs_ro_content',` +@@ -329,7 +404,7 @@ interface(`rpc_manage_nfs_ro_content',` ######################################## ## @@ -47218,7 +48080,7 @@ index dddabcf..fa20a5d 100644 ## ## ## -@@ -337,17 +413,17 @@ interface(`rpc_manage_nfs_ro_content',` +@@ -337,17 +412,17 @@ interface(`rpc_manage_nfs_ro_content',` ## ## # @@ -47239,7 +48101,7 @@ index dddabcf..fa20a5d 100644 ## ## ## -@@ -355,17 +431,13 @@ interface(`rpc_tcp_rw_nfs_sockets',` +@@ -355,17 +430,13 @@ interface(`rpc_tcp_rw_nfs_sockets',` ## ## # @@ -47260,7 +48122,7 @@ index dddabcf..fa20a5d 100644 ## ## ## -@@ -373,13 +445,18 @@ interface(`rpc_udp_rw_nfs_sockets',` +@@ -373,13 +444,18 @@ interface(`rpc_udp_rw_nfs_sockets',` ## ## # @@ -47282,7 +48144,7 @@ index dddabcf..fa20a5d 100644 ## ## ## -@@ -387,13 +464,13 @@ interface(`rpc_udp_send_nfs',` +@@ -387,13 +463,13 @@ interface(`rpc_udp_send_nfs',` ## ## # @@ -47298,7 +48160,7 @@ index dddabcf..fa20a5d 100644 ') ######################################## -@@ -432,4 +509,5 @@ interface(`rpc_manage_nfs_state_data',` +@@ -432,4 +508,5 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) 
@@ -48232,6 +49094,26 @@ index 4c091ca..a58f123 100644 /usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0) + +/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) +diff --git a/rssh.te b/rssh.te +index ffb9605..11dbdb2 100644 +--- a/rssh.te ++++ b/rssh.te +@@ -63,7 +63,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) + kernel_read_system_state(rssh_t) + kernel_read_kernel_sysctls(rssh_t) + +-files_read_etc_files(rssh_t) + files_read_etc_runtime_files(rssh_t) + files_list_home(rssh_t) + files_read_usr_files(rssh_t) +@@ -95,7 +94,6 @@ allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms; + + domain_use_interactive_fds(rssh_chroot_helper_t) + +-files_read_etc_files(rssh_chroot_helper_t) + + auth_use_nsswitch(rssh_chroot_helper_t) + diff --git a/rsync.if b/rsync.if index 3386f29..8d8f6c5 100644 --- a/rsync.if @@ -48309,7 +49191,7 @@ index 3386f29..8d8f6c5 100644 + files_etc_filetrans($1, rsync_etc_t, $2) +') diff --git a/rsync.te b/rsync.te -index ba98794..77a6381 100644 +index ba98794..19a06d9 100644 --- a/rsync.te +++ b/rsync.te @@ -7,6 +7,27 @@ policy_module(rsync, 1.11.1) @@ -48358,7 +49240,15 @@ index ba98794..77a6381 100644 allow rsync_t rsync_data_t:dir list_dir_perms; read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) -@@ -105,7 +126,7 @@ logging_send_syslog_msg(rsync_t) +@@ -95,7 +116,6 @@ dev_read_urand(rsync_t) + + fs_getattr_xattr_fs(rsync_t) + +-files_read_etc_files(rsync_t) + files_search_home(rsync_t) + + auth_use_nsswitch(rsync_t) +@@ -105,7 +125,7 @@ logging_send_syslog_msg(rsync_t) miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) @@ -48367,7 +49257,7 @@ index ba98794..77a6381 100644 miscfiles_manage_public_files(rsync_t) ') -@@ -121,13 +142,39 @@ optional_policy(` +@@ -121,13 +141,39 @@ optional_policy(` inetd_service_domain(rsync_t, rsync_exec_t) ') 
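Review bot: In the rssh_chroot_helper_t hunk (`@@ -95,7 +94,6 @@`) the removed `files_read_etc_files(rssh_chroot_helper_t)` was the only line between two blank lines, so the patched rssh.te now carries a double blank before `auth_use_nsswitch(rssh_chroot_helper_t)`; drop one of the surrounding blank lines. The sanlock_t hunk later in this chunk (`@@ -58,15 +59,17 @@`) has the same shape around `storage_raw_rw_fixed_disk(sanlock_t)`. Purely cosmetic, but it is the kind of thing the next refpolicy sync will diff against.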
@@ -48852,7 +49742,7 @@ index 82cb169..9642fe3 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index fc22785..350850b 100644 +index fc22785..98b89c4 100644 --- a/samba.te +++ b/samba.te @@ -12,7 +12,7 @@ policy_module(samba, 1.14.1) @@ -48899,7 +49789,15 @@ index fc22785..350850b 100644 type winbind_var_run_t; files_pid_file(winbind_var_run_t) -@@ -211,26 +219,35 @@ auth_manage_cache(samba_net_t) +@@ -203,7 +211,6 @@ dev_read_urand(samba_net_t) + + domain_use_interactive_fds(samba_net_t) + +-files_read_etc_files(samba_net_t) + files_read_usr_symlinks(samba_net_t) + + auth_use_nsswitch(samba_net_t) +@@ -211,26 +218,35 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -48938,7 +49836,7 @@ index fc22785..350850b 100644 dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -249,6 +266,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -249,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow smbd_t nmbd_t:process { signal signull }; allow smbd_t nmbd_var_run_t:file rw_file_perms; @@ -48946,7 +49844,7 @@ index fc22785..350850b 100644 allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -@@ -263,12 +281,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) +@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) 
@@ -48961,7 +49859,7 @@ index fc22785..350850b 100644 allow smbd_t smbcontrol_t:process { signal signull }; -@@ -279,7 +298,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) +@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) @@ -48970,7 +49868,7 @@ index fc22785..350850b 100644 allow smbd_t swat_t:process signal; -@@ -316,6 +335,7 @@ corenet_tcp_connect_smbd_port(smbd_t) +@@ -316,6 +334,7 @@ corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) @@ -48978,7 +49876,7 @@ index fc22785..350850b 100644 dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) # For redhat bug 566984 -@@ -323,15 +343,18 @@ dev_getattr_all_blk_files(smbd_t) +@@ -323,26 +342,29 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) @@ -48997,7 +49895,11 @@ index fc22785..350850b 100644 domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -343,6 +366,7 @@ files_read_usr_files(smbd_t) + + files_list_var_lib(smbd_t) +-files_read_etc_files(smbd_t) + files_read_etc_runtime_files(smbd_t) + files_read_usr_files(smbd_t) files_search_spool(smbd_t) # smbd seems to getattr all mountpoints files_dontaudit_getattr_all_dirs(smbd_t) @@ -49005,7 +49907,7 @@ index fc22785..350850b 100644 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -354,6 +378,8 @@ logging_send_syslog_msg(smbd_t) +@@ -354,6 +376,8 @@ logging_send_syslog_msg(smbd_t) miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) 
@@ -49014,7 +49916,7 @@ index fc22785..350850b 100644 userdom_use_unpriv_users_fds(smbd_t) userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) -@@ -368,8 +394,13 @@ ifdef(`hide_broken_symptoms', ` +@@ -368,8 +392,13 @@ ifdef(`hide_broken_symptoms', ` fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ') @@ -49029,7 +49931,7 @@ index fc22785..350850b 100644 ') tunable_policy(`samba_domain_controller',` -@@ -385,12 +416,7 @@ tunable_policy(`samba_domain_controller',` +@@ -385,12 +414,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -49043,7 +49945,7 @@ index fc22785..350850b 100644 ') # Support Samba sharing of NFS mount points -@@ -411,6 +437,11 @@ tunable_policy(`samba_share_fusefs',` +@@ -411,6 +435,11 @@ tunable_policy(`samba_share_fusefs',` ') optional_policy(` @@ -49055,7 +49957,7 @@ index fc22785..350850b 100644 cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -421,6 +452,11 @@ optional_policy(` +@@ -421,6 +450,11 @@ optional_policy(` ') optional_policy(` @@ -49067,7 +49969,7 @@ index fc22785..350850b 100644 lpd_exec_lpr(smbd_t) ') -@@ -444,26 +480,26 @@ optional_policy(` +@@ -444,26 +478,26 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -49106,7 +50008,7 @@ index fc22785..350850b 100644 ######################################## # # nmbd Local policy -@@ -483,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -483,8 +517,11 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; 
@@ -49119,7 +50021,7 @@ index fc22785..350850b 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -496,8 +535,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +@@ -496,8 +533,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) allow nmbd_t smbcontrol_t:process signal; @@ -49128,7 +50030,15 @@ index fc22785..350850b 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -554,18 +591,21 @@ optional_policy(` +@@ -528,7 +563,6 @@ fs_search_auto_mountpoints(nmbd_t) + domain_use_interactive_fds(nmbd_t) + + files_read_usr_files(nmbd_t) +-files_read_etc_files(nmbd_t) + files_list_var_lib(nmbd_t) + + auth_use_nsswitch(nmbd_t) +@@ -554,18 +588,21 @@ optional_policy(` # smbcontrol local policy # @@ -49154,15 +50064,15 @@ index fc22785..350850b 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -573,11 +613,21 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -573,11 +610,20 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) +-files_read_etc_files(smbcontrol_t) +dev_read_urand(smbcontrol_t) + +term_use_console(smbcontrol_t) + - files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) @@ -49177,7 +50087,7 @@ index fc22785..350850b 100644 ######################################## # -@@ -596,7 +646,7 @@ allow smbmount_t samba_etc_t:file read_file_perms; +@@ -596,7 +642,7 @@ allow smbmount_t samba_etc_t:file read_file_perms; can_exec(smbmount_t, smbmount_exec_t) 
@@ -49186,7 +50096,13 @@ index fc22785..350850b 100644 allow smbmount_t samba_log_t:file manage_file_perms; allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -643,19 +693,21 @@ auth_use_nsswitch(smbmount_t) +@@ -637,25 +683,26 @@ files_list_mnt(smbmount_t) + files_mounton_mnt(smbmount_t) + files_manage_etc_runtime_files(smbmount_t) + files_etc_filetrans_etc_runtime(smbmount_t, file) +-files_read_etc_files(smbmount_t) + + auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -49211,7 +50127,7 @@ index fc22785..350850b 100644 ######################################## # # SWAT Local policy -@@ -676,7 +728,8 @@ samba_domtrans_nmbd(swat_t) +@@ -676,7 +723,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -49221,7 +50137,7 @@ index fc22785..350850b 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -691,12 +744,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -691,12 +739,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -49236,7 +50152,7 @@ index fc22785..350850b 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -709,6 +764,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -709,6 +759,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; 
@@ -49244,7 +50160,15 @@ index fc22785..350850b 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -751,8 +807,12 @@ logging_send_syslog_msg(swat_t) +@@ -736,7 +787,6 @@ corenet_sendrecv_ipp_client_packets(swat_t) + dev_read_urand(swat_t) + + files_list_var_lib(swat_t) +-files_read_etc_files(swat_t) + files_search_home(swat_t) + files_read_usr_files(swat_t) + fs_getattr_xattr_fs(swat_t) +@@ -751,8 +801,12 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -49257,16 +50181,17 @@ index fc22785..350850b 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -782,7 +842,7 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -782,7 +836,8 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; -allow winbind_t nmbd_var_run_t:file read_file_perms; +read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) ++samba_stream_connect_nmbd(winbind_t) allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -805,15 +865,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -805,15 +860,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -49291,7 +50216,7 @@ index fc22785..350850b 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -832,6 +896,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -832,6 +891,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) 
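Review bot: `samba_stream_connect_nmbd(winbind_t)` is added in the `@@ -782,7 +836,8 @@` hunk of samba.te, but no samba.if hunk in this commit declares an interface of that name, so the module only builds if samba.if already defines it; confirm that before merging, since a missing interface surfaces as an m4 expansion error rather than a policy warning. The rule also widens winbind_t beyond the adjacent `read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)` to a connect on nmbd's unix stream socket, and nothing in the hunk says why, so a short why-comment would help, e.g. `# winbindd connects to nmbd's unix stream socket — <reason: fill in>`. The enclosing winbind_t policy block continues outside the hunk.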
@@ -49299,9 +50224,11 @@ index fc22785..350850b 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -849,10 +914,14 @@ domain_use_interactive_fds(winbind_t) +@@ -847,12 +907,15 @@ auth_manage_cache(winbind_t) - files_read_etc_files(winbind_t) + domain_use_interactive_fds(winbind_t) + +-files_read_etc_files(winbind_t) files_read_usr_symlinks(winbind_t) +files_list_var_lib(winbind_t) @@ -49314,7 +50241,7 @@ index fc22785..350850b 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) -@@ -863,6 +932,11 @@ userdom_manage_user_home_content_sockets(winbind_t) +@@ -863,6 +926,11 @@ userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` @@ -49326,7 +50253,7 @@ index fc22785..350850b 100644 kerberos_use(winbind_t) ') -@@ -901,9 +975,10 @@ auth_use_nsswitch(winbind_helper_t) +@@ -901,9 +969,10 @@ auth_use_nsswitch(winbind_helper_t) logging_send_syslog_msg(winbind_helper_t) @@ -49339,7 +50266,7 @@ index fc22785..350850b 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -921,19 +996,34 @@ optional_policy(` +@@ -921,19 +990,34 @@ optional_policy(` # optional_policy(` @@ -49385,15 +50312,15 @@ index fc22785..350850b 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index 1898dbd..ba62525 100644 +index 1898dbd..1651a2f 100644 --- a/sambagui.te +++ b/sambagui.te -@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t) +@@ -27,16 +27,19 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) +-files_read_etc_files(sambagui_t) +files_read_usr_files(sambagui_t) - files_read_etc_files(sambagui_t) files_search_var_lib(sambagui_t) files_read_usr_files(sambagui_t) 
@@ -49409,7 +50336,7 @@ index 1898dbd..ba62525 100644 optional_policy(` consoletype_exec(sambagui_t) ') -@@ -56,6 +60,7 @@ optional_policy(` +@@ -56,6 +59,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -50416,7 +51343,7 @@ index cfe3172..3eb745d 100644 + ') diff --git a/sanlock.te b/sanlock.te -index e02eb6c..c4130e0 100644 +index e02eb6c..d3d5c26 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -50460,7 +51387,7 @@ index e02eb6c..c4130e0 100644 allow sanlock_t self:fifo_file rw_fifo_file_perms; allow sanlock_t self:unix_stream_socket create_stream_socket_perms; -@@ -58,6 +59,7 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) +@@ -58,15 +59,17 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) @@ -50468,7 +51395,9 @@ index e02eb6c..c4130e0 100644 domain_use_interactive_fds(sanlock_t) -@@ -67,6 +69,8 @@ storage_raw_rw_fixed_disk(sanlock_t) +-files_read_etc_files(sanlock_t) + + storage_raw_rw_fixed_disk(sanlock_t) dev_read_urand(sanlock_t) @@ -50477,7 +51406,7 @@ index e02eb6c..c4130e0 100644 init_read_utmp(sanlock_t) init_dontaudit_write_utmp(sanlock_t) -@@ -75,19 +79,25 @@ logging_send_syslog_msg(sanlock_t) +@@ -75,19 +78,25 @@ logging_send_syslog_msg(sanlock_t) miscfiles_read_localization(sanlock_t) tunable_policy(`sanlock_use_nfs',` @@ -51135,7 +52064,7 @@ index 7e94c7c..ca74cd9 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/sendmail.te b/sendmail.te -index 22dac1f..e2f2d7d 100644 +index 22dac1f..ba891c5 100644 --- a/sendmail.te +++ b/sendmail.te @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) 
@@ -51150,7 +52079,12 @@ index 22dac1f..e2f2d7d 100644 ######################################## # -@@ -84,12 +83,14 @@ files_read_usr_files(sendmail_t) +@@ -79,17 +78,18 @@ corecmd_exec_bin(sendmail_t) + + domain_use_interactive_fds(sendmail_t) + +-files_read_etc_files(sendmail_t) + files_read_usr_files(sendmail_t) files_search_spool(sendmail_t) # for piping mail to a command files_read_etc_runtime_files(sendmail_t) @@ -51165,7 +52099,7 @@ index 22dac1f..e2f2d7d 100644 auth_use_nsswitch(sendmail_t) -@@ -103,7 +104,7 @@ miscfiles_read_generic_certs(sendmail_t) +@@ -103,7 +103,7 @@ miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) @@ -51174,7 +52108,7 @@ index 22dac1f..e2f2d7d 100644 mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -115,6 +116,10 @@ mta_manage_spool(sendmail_t) +@@ -115,6 +115,10 @@ mta_manage_spool(sendmail_t) mta_sendmail_exec(sendmail_t) optional_policy(` @@ -51185,7 +52119,7 @@ index 22dac1f..e2f2d7d 100644 cron_read_pipes(sendmail_t) ') -@@ -128,7 +133,14 @@ optional_policy(` +@@ -128,7 +132,14 @@ optional_policy(` ') optional_policy(` @@ -51200,7 +52134,7 @@ index 22dac1f..e2f2d7d 100644 ') optional_policy(` -@@ -149,7 +161,9 @@ optional_policy(` +@@ -149,7 +160,9 @@ optional_policy(` ') optional_policy(` @@ -51210,7 +52144,7 @@ index 22dac1f..e2f2d7d 100644 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,20 +182,13 @@ optional_policy(` +@@ -168,20 +181,13 @@ optional_policy(` ') optional_policy(` @@ -51306,7 +52240,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..4e69f51 100644 +index 086cd5f..4a9afaa 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) 
@@ -51352,7 +52286,13 @@ index 086cd5f..4e69f51 100644 corenet_all_recvfrom_unlabeled(setroubleshootd_t) corenet_all_recvfrom_netlabel(setroubleshootd_t) -@@ -85,6 +92,7 @@ files_getattr_all_files(setroubleshootd_t) +@@ -79,12 +86,12 @@ domain_dontaudit_search_all_domains_state(setroubleshootd_t) + domain_signull_all_domains(setroubleshootd_t) + + files_read_usr_files(setroubleshootd_t) +-files_read_etc_files(setroubleshootd_t) + files_list_all(setroubleshootd_t) + files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) files_getattr_all_sockets(setroubleshootd_t) files_read_all_symlinks(setroubleshootd_t) @@ -51360,7 +52300,7 @@ index 086cd5f..4e69f51 100644 fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) -@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) +@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) @@ -51368,7 +52308,7 @@ index 086cd5f..4e69f51 100644 term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) -@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t) +@@ -104,6 +112,8 @@ auth_use_nsswitch(setroubleshootd_t) init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) @@ -51377,7 +52317,7 @@ index 086cd5f..4e69f51 100644 miscfiles_read_localization(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t) -@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t) +@@ -112,8 +122,6 @@ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) 
@@ -51386,7 +52326,7 @@ index 086cd5f..4e69f51 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,10 +129,23 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -51410,7 +52350,7 @@ index 086cd5f..4e69f51 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,7 +173,12 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -151,10 +172,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) @@ -51422,8 +52362,11 @@ index 086cd5f..4e69f51 100644 +seutil_read_module_store(setroubleshoot_fixit_t) files_read_usr_files(setroubleshoot_fixit_t) - files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +191,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +-files_read_etc_files(setroubleshoot_fixit_t) + files_list_tmp(setroubleshoot_fixit_t) + + auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -164,6 +189,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -51459,10 +52402,10 @@ index 0000000..839f1b3 + diff --git a/sge.te b/sge.te new file mode 100644 -index 0000000..803c998 +index 0000000..fc15a71 --- /dev/null +++ b/sge.te -@@ -0,0 +1,195 @@ +@@ -0,0 +1,194 @@ +policy_module(sge, 1.0.0) + +######################################## @@ -51626,7 +52569,6 @@ index 0000000..803c998 + +domain_read_all_domains_state(sge_domain) + -+files_read_etc_files(sge_domain) +files_read_usr_files(sge_domain) + +dev_read_urand(sge_domain) @@ -51751,7 +52693,7 @@ index 781ad7e..d5ce40a 100644 init_labeled_script_domtrans($1, shorewall_initrc_exec_t) domain_system_change_exemption($1) 
diff --git a/shorewall.te b/shorewall.te -index 4723c6b..7b0d35f 100644 +index 4723c6b..b0c2be4 100644 --- a/shorewall.te +++ b/shorewall.te @@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t) @@ -51773,7 +52715,15 @@ index 4723c6b..7b0d35f 100644 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; -@@ -83,13 +86,22 @@ fs_getattr_all_fs(shorewall_t) +@@ -75,7 +78,6 @@ dev_read_urand(shorewall_t) + domain_read_all_domains_state(shorewall_t) + + files_getattr_kernel_modules(shorewall_t) +-files_read_etc_files(shorewall_t) + files_read_usr_files(shorewall_t) + files_search_kernel_modules(shorewall_t) + +@@ -83,13 +85,22 @@ fs_getattr_all_fs(shorewall_t) init_rw_utmp(shorewall_t) @@ -51914,7 +52864,7 @@ index d0604cf..b66057c 100644 ## ## diff --git a/shutdown.te b/shutdown.te -index 8966ec9..d3528a0 100644 +index 8966ec9..7b4a2d4 100644 --- a/shutdown.te +++ b/shutdown.te @@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0) @@ -51936,7 +52886,7 @@ index 8966ec9..d3528a0 100644 allow shutdown_t self:fifo_file manage_fifo_file_perms; allow shutdown_t self:unix_stream_socket create_stream_socket_perms; -@@ -33,18 +34,22 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file) +@@ -33,18 +34,21 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file) manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) @@ -51944,7 +52894,7 @@ index 8966ec9..d3528a0 100644 + domain_use_interactive_fds(shutdown_t) - files_read_etc_files(shutdown_t) +-files_read_etc_files(shutdown_t) files_read_generic_pids(shutdown_t) +files_delete_boot_flag(shutdown_t) + @@ -51962,7 +52912,7 @@ index 8966ec9..d3528a0 100644 init_stream_connect(shutdown_t) init_telinit(shutdown_t) -@@ -54,10 +59,24 @@ logging_send_audit_msgs(shutdown_t) +@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t) miscfiles_read_localization(shutdown_t) optional_policy(` 
@@ -51987,6 +52937,18 @@ index 8966ec9..d3528a0 100644 xserver_dontaudit_write_log(shutdown_t) + xserver_xdm_append_log(shutdown_t) ') +diff --git a/slocate.te b/slocate.te +index a225c02..b53997a 100644 +--- a/slocate.te ++++ b/slocate.te +@@ -43,7 +43,6 @@ files_getattr_all_files(locate_t) + files_getattr_all_pipes(locate_t) + files_getattr_all_sockets(locate_t) + files_read_etc_runtime_files(locate_t) +-files_read_etc_files(locate_t) + + fs_getattr_all_fs(locate_t) + fs_getattr_all_files(locate_t) diff --git a/slrnpull.te b/slrnpull.te index e5e72fd..92eecec 100644 --- a/slrnpull.te @@ -52101,8 +53063,28 @@ index 8265278..017b923 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) +diff --git a/smokeping.te b/smokeping.te +index 740994a..55643cb 100644 +--- a/smokeping.te ++++ b/smokeping.te +@@ -40,7 +40,6 @@ corecmd_read_bin_symlinks(smokeping_t) + + dev_read_urand(smokeping_t) + +-files_read_etc_files(smokeping_t) + files_read_usr_files(smokeping_t) + files_search_tmp(smokeping_t) + +@@ -73,5 +72,7 @@ optional_policy(` + files_search_tmp(httpd_smokeping_cgi_script_t) + files_search_var_lib(httpd_smokeping_cgi_script_t) + ++ auth_read_passwd(httpd_smokeping_cgi_script_t) ++ + sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) + ') diff --git a/smoltclient.te b/smoltclient.te -index bc00875..2efc0d7 100644 +index bc00875..7c8590e 100644 --- a/smoltclient.te +++ b/smoltclient.te @@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0) @@ -52113,7 +53095,7 @@ index bc00875..2efc0d7 100644 type smoltclient_tmp_t; files_tmp_file(smoltclient_tmp_t) -@@ -39,6 +38,7 @@ corecmd_exec_shell(smoltclient_t) +@@ -39,22 +38,32 @@ corecmd_exec_shell(smoltclient_t) corenet_tcp_connect_http_port(smoltclient_t) dev_read_sysfs(smoltclient_t) 
@@ -52121,10 +53103,10 @@ index bc00875..2efc0d7 100644 fs_getattr_all_fs(smoltclient_t) fs_getattr_all_dirs(smoltclient_t) -@@ -46,15 +46,25 @@ fs_list_auto_mountpoints(smoltclient_t) + fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) - files_read_etc_files(smoltclient_t) +-files_read_etc_files(smoltclient_t) +files_read_etc_runtime_files(smoltclient_t) files_read_usr_files(smoltclient_t) @@ -52285,7 +53267,7 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 595942d..7580a6a 100644 +index 595942d..5273d6c 100644 --- a/snmp.te +++ b/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.12.1) @@ -52337,15 +53319,18 @@ index 595942d..7580a6a 100644 corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) -@@ -83,7 +87,6 @@ dev_getattr_usbfs_dirs(snmpd_t) +@@ -83,10 +87,8 @@ dev_getattr_usbfs_dirs(snmpd_t) domain_use_interactive_fds(snmpd_t) domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) -domain_dontaudit_ptrace_all_domains(snmpd_t) domain_exec_all_entry_files(snmpd_t) - files_read_etc_files(snmpd_t) -@@ -94,15 +97,19 @@ files_search_home(snmpd_t) +-files_read_etc_files(snmpd_t) + files_read_usr_files(snmpd_t) + files_read_etc_runtime_files(snmpd_t) + files_search_home(snmpd_t) +@@ -94,15 +96,19 @@ files_search_home(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) @@ -52366,7 +53351,7 @@ index 595942d..7580a6a 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) 
@@ -52375,7 +53360,7 @@ index 595942d..7580a6a 100644 optional_policy(` rpm_read_db(snmpd_t) rpm_dontaudit_manage_db(snmpd_t) -@@ -140,6 +147,10 @@ optional_policy(` +@@ -140,6 +146,10 @@ optional_policy(` ') optional_policy(` @@ -52466,7 +53451,7 @@ index 94c01b5..f64bd93 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index b66e657..1a8e3bc 100644 +index b66e657..9214bcc 100644 --- a/sosreport.te +++ b/sosreport.te @@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t) @@ -52478,7 +53463,15 @@ index b66e657..1a8e3bc 100644 allow sosreport_t self:process { setsched signull }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket create_stream_socket_perms; -@@ -74,13 +74,17 @@ files_read_all_symlinks(sosreport_t) +@@ -64,7 +64,6 @@ files_getattr_all_sockets(sosreport_t) + files_exec_etc_files(sosreport_t) + files_list_all(sosreport_t) + files_read_config_files(sosreport_t) +-files_read_etc_files(sosreport_t) + files_read_generic_tmp_files(sosreport_t) + files_read_usr_files(sosreport_t) + files_read_var_lib_files(sosreport_t) +@@ -74,13 +73,17 @@ files_read_all_symlinks(sosreport_t) # for blkid.tab files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) @@ -52497,7 +53490,7 @@ index b66e657..1a8e3bc 100644 auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) -@@ -92,13 +96,11 @@ logging_send_syslog_msg(sosreport_t) +@@ -92,13 +95,11 @@ logging_send_syslog_msg(sosreport_t) miscfiles_read_localization(sosreport_t) @@ -52512,7 +53505,7 @@ index b66e657..1a8e3bc 100644 ') optional_policy(` -@@ -110,6 +112,11 @@ optional_policy(` +@@ -110,6 +111,11 @@ optional_policy(` ') optional_policy(` @@ -52821,7 +53814,7 @@ index c954f31..82fc7f6 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/spamassassin.te b/spamassassin.te -index 1bbf73b..716877c 100644 +index 1bbf73b..2269290 100644 --- a/spamassassin.te +++ b/spamassassin.te 
@@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0) @@ -53004,7 +53997,15 @@ index 1bbf73b..716877c 100644 # this should probably be removed corecmd_list_bin(spamassassin_t) -@@ -144,6 +218,9 @@ tunable_policy(`spamassassin_can_network',` +@@ -114,7 +188,6 @@ corecmd_read_bin_sockets(spamassassin_t) + + domain_use_interactive_fds(spamassassin_t) + +-files_read_etc_files(spamassassin_t) + files_read_etc_runtime_files(spamassassin_t) + files_list_home(spamassassin_t) + files_read_usr_files(spamassassin_t) +@@ -144,6 +217,9 @@ tunable_policy(`spamassassin_can_network',` corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) @@ -53014,7 +54015,7 @@ index 1bbf73b..716877c 100644 sysnet_read_config(spamassassin_t) ') -@@ -154,25 +231,13 @@ tunable_policy(`spamd_enable_home_dirs',` +@@ -154,25 +230,13 @@ tunable_policy(`spamd_enable_home_dirs',` userdom_manage_user_home_content_symlinks(spamd_t) ') @@ -53041,7 +54042,7 @@ index 1bbf73b..716877c 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -180,6 +245,8 @@ optional_policy(` +@@ -180,6 +244,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -53050,7 +54051,7 @@ index 1bbf73b..716877c 100644 ') ######################################## -@@ -202,15 +269,32 @@ allow spamc_t self:unix_stream_socket connectto; +@@ -202,15 +268,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -53083,7 +54084,7 @@ index 1bbf73b..716877c 100644 corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -222,6 +306,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) +@@ -222,6 +305,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) 
@@ -53091,7 +54092,13 @@ index 1bbf73b..716877c 100644 fs_search_auto_mountpoints(spamc_t) -@@ -240,9 +325,14 @@ files_read_usr_files(spamc_t) +@@ -234,15 +318,19 @@ corecmd_read_bin_sockets(spamc_t) + + domain_use_interactive_fds(spamc_t) + +-files_read_etc_files(spamc_t) + files_read_etc_runtime_files(spamc_t) + files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -53106,7 +54113,7 @@ index 1bbf73b..716877c 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -250,27 +340,35 @@ seutil_read_config(spamc_t) +@@ -250,27 +338,35 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -53148,7 +54155,7 @@ index 1bbf73b..716877c 100644 ') ######################################## -@@ -282,7 +380,7 @@ optional_policy(` +@@ -282,7 +378,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -53157,7 +54164,7 @@ index 1bbf73b..716877c 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -298,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -298,10 +394,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -53176,7 +54183,7 @@ index 1bbf73b..716877c 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -310,11 +415,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -310,11 +413,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; 
@@ -53194,7 +54201,14 @@ index 1bbf73b..716877c 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -363,23 +472,23 @@ files_read_var_lib_files(spamd_t) +@@ -356,30 +463,29 @@ corecmd_exec_bin(spamd_t) + domain_use_interactive_fds(spamd_t) + + files_read_usr_files(spamd_t) +-files_read_etc_files(spamd_t) + files_read_etc_runtime_files(spamd_t) + # /var/lib/spamassin + files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -53226,7 +54240,7 @@ index 1bbf73b..716877c 100644 ') optional_policy(` -@@ -395,7 +504,9 @@ optional_policy(` +@@ -395,7 +501,9 @@ optional_policy(` ') optional_policy(` @@ -53236,7 +54250,7 @@ index 1bbf73b..716877c 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -404,25 +515,17 @@ optional_policy(` +@@ -404,25 +512,17 @@ optional_policy(` ') optional_policy(` @@ -53264,7 +54278,7 @@ index 1bbf73b..716877c 100644 postgresql_stream_connect(spamd_t) ') -@@ -433,6 +536,10 @@ optional_policy(` +@@ -433,6 +533,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -53275,7 +54289,7 @@ index 1bbf73b..716877c 100644 ') optional_policy(` -@@ -440,6 +547,7 @@ optional_policy(` +@@ -440,6 +544,7 @@ optional_policy(` ') optional_policy(` @@ -53283,7 +54297,7 @@ index 1bbf73b..716877c 100644 sendmail_stub(spamd_t) mta_read_config(spamd_t) ') -@@ -447,3 +555,51 @@ optional_policy(` +@@ -447,3 +552,50 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -53319,7 +54333,6 @@ index 1bbf73b..716877c 100644 + +domain_use_interactive_fds(spamd_update_t) + -+files_read_etc_files(spamd_update_t) +files_read_usr_files(spamd_update_t) + +auth_use_nsswitch(spamd_update_t) @@ -53375,7 +54388,7 @@ index d2496bd..c7614d7 100644 init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff --git a/squid.te b/squid.te -index d24bd07..daf200c 100644 +index d24bd07..624dd50 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; 
@@ -53422,7 +54435,15 @@ index d24bd07..daf200c 100644 files_dontaudit_getattr_boot_dirs(squid_t) -@@ -169,7 +178,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) +@@ -145,7 +154,6 @@ corecmd_exec_shell(squid_t) + + domain_use_interactive_fds(squid_t) + +-files_read_etc_files(squid_t) + files_read_etc_runtime_files(squid_t) + files_read_usr_files(squid_t) + files_search_spool(squid_t) +@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) corenet_tcp_bind_all_ports(squid_t) @@ -53432,7 +54453,7 @@ index d24bd07..daf200c 100644 ') tunable_policy(`squid_use_tproxy',` -@@ -185,6 +195,7 @@ optional_policy(` +@@ -185,6 +194,7 @@ optional_policy(` corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_connect_http_cache_port(httpd_squid_script_t) @@ -53440,7 +54461,7 @@ index d24bd07..daf200c 100644 sysnet_dns_name_resolve(httpd_squid_script_t) -@@ -206,3 +217,7 @@ optional_policy(` +@@ -206,3 +216,7 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -53547,7 +54568,7 @@ index 941380a..e1095f0 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/sssd.te b/sssd.te -index 8ffa257..20d8944 100644 +index 8ffa257..ac9bf23 100644 --- a/sssd.te +++ b/sssd.te @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t) @@ -53584,7 +54605,7 @@ index 8ffa257..20d8944 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,18 +52,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,18 +52,24 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) 
@@ -53603,14 +54624,14 @@ index 8ffa257..20d8944 100644 domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) - files_read_etc_files(sssd_t) +-files_read_etc_files(sssd_t) +files_read_etc_runtime_files(sssd_t) files_read_usr_files(sssd_t) +files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) -@@ -68,10 +79,14 @@ selinux_validate_context(sssd_t) +@@ -68,10 +78,14 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) @@ -53626,7 +54647,7 @@ index 8ffa257..20d8944 100644 init_read_utmp(sssd_t) -@@ -79,6 +94,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +93,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -53639,7 +54660,7 @@ index 8ffa257..20d8944 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,4 +108,19 @@ optional_policy(` +@@ -87,4 +107,19 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -53660,7 +54681,7 @@ index 8ffa257..20d8944 100644 + + diff --git a/stunnel.te b/stunnel.te -index f646c66..dd0efe6 100644 +index f646c66..6fef759 100644 --- a/stunnel.te +++ b/stunnel.te @@ -40,7 +40,7 @@ allow stunnel_t self:udp_socket create_socket_perms; @@ -53672,7 +54693,15 @@ index f646c66..dd0efe6 100644 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) -@@ -120,4 +120,5 @@ ifdef(`distro_gentoo', ` +@@ -106,7 +106,6 @@ ifdef(`distro_gentoo', ` + + dev_read_urand(stunnel_t) + +- files_read_etc_files(stunnel_t) + files_read_etc_runtime_files(stunnel_t) + files_search_home(stunnel_t) + +@@ -120,4 +119,5 @@ ifdef(`distro_gentoo', ` gen_require(` type stunnel_port_t; ') @@ -53916,7 +54945,7 @@ index 32822ab..bc5b962 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/sysstat.te b/sysstat.te -index 200ea66..1404284 100644 +index 200ea66..04e4828 100644 --- a/sysstat.te +++ b/sysstat.te @@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t) 
@@ -53937,7 +54966,13 @@ index 200ea66..1404284 100644 corecmd_exec_bin(sysstat_t) dev_read_urand(sysstat_t) -@@ -51,12 +51,16 @@ fs_getattr_xattr_fs(sysstat_t) +@@ -45,18 +45,21 @@ files_search_var(sysstat_t) + # for mtab + files_read_etc_runtime_files(sysstat_t) + #for fstab +-files_read_etc_files(sysstat_t) + + fs_getattr_xattr_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) term_use_console(sysstat_t) @@ -53955,7 +54990,7 @@ index 200ea66..1404284 100644 miscfiles_read_localization(sysstat_t) userdom_dontaudit_list_user_home_dirs(sysstat_t) -@@ -65,6 +69,3 @@ optional_policy(` +@@ -65,6 +68,3 @@ optional_policy(` cron_system_entry(sysstat_t, sysstat_exec_t) ') @@ -53979,6 +55014,18 @@ index 595f5a7..4e518cf 100644 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) +diff --git a/tcsd.te b/tcsd.te +index ee9f3c6..2832d96 100644 +--- a/tcsd.te ++++ b/tcsd.te +@@ -38,7 +38,6 @@ dev_read_urand(tcsd_t) + # Access /dev/tpm0. + dev_rw_tpm(tcsd_t) + +-files_read_etc_files(tcsd_t) + files_read_usr_files(tcsd_t) + + auth_use_nsswitch(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc index b07ee19..a275bd6 100644 --- a/telepathy.fc @@ -54469,7 +55516,7 @@ index 58e7ec0..e4119f7 100644 + allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms; +') diff --git a/telnet.te b/telnet.te -index f40e67b..0634c00 100644 +index f40e67b..e4cae03 100644 --- a/telnet.te +++ b/telnet.te @@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t) 
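Review bot: Removing `files_read_etc_files(sysstat_t)` leaves the `#for fstab` comment directly above it orphaned, so the new side of sysstat.te reads `# for mtab`, `files_read_etc_runtime_files(sysstat_t)`, `#for fstab`, blank line; either drop the comment or move it next to whichever interface now provides the /etc read access. The userhelper.if hunk further down has the same slip: `# Read the /etc/security/default_type file` stays above the removed `files_read_etc_files($1_userhelper_t)`. The commit message (truncated here) says the call is dropped only from policies that already obtain the access through another interface; that replacement is not visible in this hunk for sysstat_t, so if it is not there, reading /etc/fstab will start producing AVC denials on the next sysstat run rather than failing at build time.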
@@ -54497,7 +55544,15 @@ index f40e67b..0634c00 100644 manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) -@@ -81,15 +80,10 @@ miscfiles_read_localization(telnetd_t) +@@ -68,7 +67,6 @@ auth_use_nsswitch(telnetd_t) + corecmd_search_bin(telnetd_t) + + files_read_usr_files(telnetd_t) +-files_read_etc_files(telnetd_t) + files_read_etc_runtime_files(telnetd_t) + # for identd; cjp: this should probably only be inetd_child rules? + files_search_home(telnetd_t) +@@ -81,15 +79,10 @@ miscfiles_read_localization(telnetd_t) seutil_read_config(telnetd_t) @@ -54515,7 +55570,7 @@ index f40e67b..0634c00 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_nfs(telnetd_t) -@@ -98,3 +92,13 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -98,3 +91,13 @@ tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_samba_home_dirs',` fs_search_cifs(telnetd_t) ') @@ -54691,7 +55746,7 @@ index 38bb312..cab8c77 100644 + tftp_manage_config($1) ') diff --git a/tftp.te b/tftp.te -index d50c10d..4ee4bd3 100644 +index d50c10d..787bfb2 100644 --- a/tftp.te +++ b/tftp.te @@ -26,21 +26,26 @@ files_type(tftpdir_t) @@ -54723,7 +55778,15 @@ index d50c10d..4ee4bd3 100644 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -@@ -94,6 +99,10 @@ tunable_policy(`tftp_anon_write',` +@@ -72,7 +77,6 @@ fs_search_auto_mountpoints(tftpd_t) + + domain_use_interactive_fds(tftpd_t) + +-files_read_etc_files(tftpd_t) + files_read_etc_runtime_files(tftpd_t) + files_read_var_files(tftpd_t) + files_read_var_symlinks(tftpd_t) +@@ -94,6 +98,10 @@ tunable_policy(`tftp_anon_write',` ') optional_policy(` 
@@ -54798,6 +55861,181 @@ index 80fe75c..cdeafc5 100644 +optional_policy(` + iscsi_manage_semaphores(tgtd_t) +') +diff --git a/thin.fc b/thin.fc +new file mode 100644 +index 0000000..62d2c77 +--- /dev/null ++++ b/thin.fc +@@ -0,0 +1,10 @@ ++/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) ++/usr/bin/thinStarter -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0) ++ ++/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0) ++ ++/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0) ++/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0) ++ ++/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0) ++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) +diff --git a/thin.if b/thin.if +new file mode 100644 +index 0000000..6de86e5 +--- /dev/null ++++ b/thin.if +@@ -0,0 +1,42 @@ ++## thin policy ++ ++####################################### ++## ++## Creates types and rules for a basic ++## thin daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`thin_domain_template',` ++ gen_require(` ++ attribute thin_domain; ++ ') ++ ++ type $1_t, thin_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ can_exec($1_t, $1_exec_t) ++') ++ ++###################################### ++## ++## Execute mongod in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`thin_exec',` ++ gen_require(` ++ type thin_exec_t; ++ ') ++ ++ can_exec($1, thin_exec_t) ++') +diff --git a/thin.te b/thin.te +new file mode 100644 +index 0000000..d1903e6 +--- /dev/null ++++ b/thin.te +@@ -0,0 +1,105 @@ ++policy_module(thin, 1.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute thin_domain; ++ ++thin_domain_template(thin) ++ ++type thin_log_t; ++logging_log_file(thin_log_t) ++ ++type thin_var_run_t; ++files_pid_file(thin_var_run_t) ++ ++thin_domain_template(thin_aeolus_configserver) ++ ++type thin_aeolus_configserver_lib_t; ++files_type(thin_aeolus_configserver_lib_t) ++ ++type thin_aeolus_configserver_log_t; ++logging_log_file(thin_aeolus_configserver_log_t) ++ ++type thin_aeolus_configserver_var_run_t; ++files_pid_file(thin_aeolus_configserver_var_run_t) ++ ++######################################## ++# ++# thin_domain local policy ++# ++ ++allow thin_domain self:fifo_file rw_fifo_file_perms; ++allow thin_domain self:tcp_socket create_stream_socket_perms; ++ ++# we want to stay in a new thin domain if we call thin binary from a script ++# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t ++can_exec(thin_domain, thin_exec_t) ++ ++kernel_read_system_state(thin_domain) ++ ++corecmd_exec_bin(thin_domain) ++ ++dev_read_rand(thin_domain) ++dev_read_urand(thin_domain) ++ ++files_read_etc_files(thin_domain) ++ ++auth_read_passwd(thin_domain) ++ ++miscfiles_read_certs(thin_domain) ++miscfiles_read_localization(thin_domain) ++ ++files_read_usr_files(thin_domain) ++ ++fs_search_auto_mountpoints(thin_domain) ++ ++init_read_utmp(thin_domain) ++ ++kernel_read_kernel_sysctls(thin_domain) ++ ++optional_policy(` ++ sysnet_read_config(thin_domain) ++') ++ ++######################################## ++# ++# thin local policy ++# ++ ++allow thin_t self:capability { setuid kill setgid dac_override }; ++ ++allow thin_t self:netlink_route_socket r_netlink_socket_perms; ++allow thin_t 
self:udp_socket create_socket_perms; ++allow thin_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(thin_t, thin_log_t, thin_log_t) ++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t) ++logging_log_filetrans(thin_t, thin_log_t, { file dir }) ++ ++manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++files_pid_filetrans(thin_t, thin_var_run_t, { file }) ++ ++corenet_tcp_bind_generic_node(thin_t) ++corenet_tcp_bind_ntop_port(thin_t) ++corenet_tcp_connect_postgresql_port(thin_t) ++ ++ ++####################################### ++# ++# thin aeolus configserver local policy ++# ++ ++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t) ++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t) ++files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir }) ++ ++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t) ++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t) ++logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir }) ++ ++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t) ++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t) ++files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) diff --git a/thumb.fc b/thumb.fc new file mode 100644 index 0000000..3a7c395 @@ -54952,10 +56190,10 @@ index 0000000..9127cec +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..f6538d0 +index 0000000..c759103 --- /dev/null 
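Review bot: `allow thin_t self:capability { setuid kill setgid dac_override };` grants dac_override to the thin web-server domain; if thin only needs to traverse or read files it does not own after it drops privileges, `dac_read_search` is the narrower capability, and dac_override should be kept only if it actually has to write such files. Two documentation slips in the same hunk: the `thin_exec` interface in thin.if is described as `## Execute mongod in the caller domain.` (copy-paste from another module) and should read `## Execute thin in the caller domain.`, and the comment `# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t` has a doubled `# #` prefix. Minor ordering point: `kernel_read_kernel_sysctls(thin_domain)` sits after the init_ and miscfiles_ calls, whereas the rest of the file groups kernel_ rules first.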
+++ b/thumb.te -@@ -0,0 +1,111 @@ +@@ -0,0 +1,110 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -55022,7 +56260,6 @@ index 0000000..f6538d0 + +domain_use_interactive_fds(thumb_t) + -+files_read_etc_files(thumb_t) +files_read_usr_files(thumb_t) +files_read_non_security_files(thumb_t) + @@ -55068,10 +56305,18 @@ index 0000000..f6538d0 + gnome_exec_gstreamer_home_files(thumb_t) +') diff --git a/thunderbird.te b/thunderbird.te -index bf37d98..204ac7e 100644 +index bf37d98..2feb849 100644 --- a/thunderbird.te +++ b/thunderbird.te -@@ -112,17 +112,7 @@ xserver_read_xdm_tmp_files(thunderbird_t) +@@ -82,7 +82,6 @@ dev_dontaudit_search_sysfs(thunderbird_t) + + files_list_tmp(thunderbird_t) + files_read_usr_files(thunderbird_t) +-files_read_etc_files(thunderbird_t) + files_read_etc_runtime_files(thunderbird_t) + files_read_var_files(thunderbird_t) + files_read_var_symlinks(thunderbird_t) +@@ -112,17 +111,7 @@ xserver_read_xdm_tmp_files(thunderbird_t) xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) # Access ~/.thunderbird @@ -55091,7 +56336,7 @@ index bf37d98..204ac7e 100644 tunable_policy(`mail_read_content && use_nfs_home_dirs',` files_list_home(thunderbird_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 0521d5a..3d3f88a 100644 +index 0521d5a..1d41128 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0) @@ -55102,7 +56347,7 @@ index 0521d5a..3d3f88a 100644 application_domain(tmpreaper_t, tmpreaper_exec_t) role system_r types tmpreaper_t; -@@ -18,33 +19,46 @@ role system_r types tmpreaper_t; +@@ -18,33 +19,45 @@ role system_r types tmpreaper_t; allow tmpreaper_t self:process { fork sigchld }; allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; 
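Review bot: `files_read_non_security_files(thumb_t)`, kept as context in the `@@ -55022,7 +56260,6 @@` hunk, gives the thumbnailer read access to effectively every non-security-typed file on the system, which is a wide grant for a domain whose point is to confine parsers of untrusted image data; if the intent is only the user's own content plus /usr, the remaining `files_read_usr_files(thumb_t)` line together with the userdom home-content read interfaces would be the narrower form, with the broad read moved behind a boolean. The following hunk keeps `gnome_exec_gstreamer_home_files(thumb_t)`, which lets the same domain execute user-writable files under home directories; that deserves a comment stating which gstreamer files it must execute, or the same boolean gate. Neither line is introduced by this commit, but both survive on its new side.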
@@ -55113,7 +56358,7 @@ index 0521d5a..3d3f88a 100644 fs_getattr_xattr_fs(tmpreaper_t) +fs_list_all(tmpreaper_t) - files_read_etc_files(tmpreaper_t) +-files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) +files_delete_all_non_security_files(tmpreaper_t) @@ -55153,7 +56398,7 @@ index 0521d5a..3d3f88a 100644 ') optional_policy(` -@@ -52,7 +66,9 @@ optional_policy(` +@@ -52,7 +65,9 @@ optional_policy(` ') optional_policy(` @@ -55163,7 +56408,7 @@ index 0521d5a..3d3f88a 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +82,13 @@ optional_policy(` +@@ -66,9 +81,13 @@ optional_policy(` ') optional_policy(` @@ -55748,7 +56993,7 @@ index 904f13e..26f16dd 100644 + ') ') diff --git a/tor.te b/tor.te -index c842cad..799fac3 100644 +index c842cad..d59fe83 100644 --- a/tor.te +++ b/tor.te @@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t) @@ -55776,7 +57021,7 @@ index c842cad..799fac3 100644 corenet_udp_bind_dns_port(tor_t) corenet_sendrecv_tor_server_packets(tor_t) corenet_sendrecv_dns_server_packets(tor_t) -@@ -95,9 +100,11 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -95,13 +100,14 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -55788,6 +57033,10 @@ index c842cad..799fac3 100644 domain_use_interactive_fds(tor_t) +-files_read_etc_files(tor_t) + files_read_etc_runtime_files(tor_t) + files_read_usr_files(tor_t) + diff --git a/tripwire.te b/tripwire.te index 2ae8b62..a8e786b 100644 --- a/tripwire.te @@ -55884,7 +57133,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/tuned.te b/tuned.te -index db9d2a5..c7b09c0 100644 +index db9d2a5..28c4b84 100644 --- a/tuned.te +++ b/tuned.te @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) 
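Review bot: `files_delete_all_non_security_files(tmpreaper_t)`, directly after `files_purge_tmp(tmpreaper_t)` in this hunk, lets a cron-driven cleaner unlink nearly any non-security-typed file anywhere on the system, far wider than the purge-tmp and apache cache rules around it; if the tmpwatch jobs only target /tmp, /var/tmp and specific cache directories, the per-directory interfaces already used in this file cover them. If the broad rule is intentional, it should carry a comment naming the paths that motivated it, e.g. `# tmpwatch jobs remove stale files outside tmp_t (list the directories here)`, and ideally sit behind a boolean so default installs do not carry it. The line is context here rather than added by this commit, but it remains on the new side.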
@@ -55900,7 +57149,7 @@ index db9d2a5..c7b09c0 100644 type tuned_log_t; logging_log_file(tuned_log_t) -@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t) +@@ -23,30 +29,49 @@ files_pid_file(tuned_var_run_t) # tuned local policy # @@ -55944,7 +57193,7 @@ index db9d2a5..c7b09c0 100644 # to allow cpu tuning dev_rw_netcontrol(tuned_t) -@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t) +-files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) @@ -55955,7 +57204,7 @@ index db9d2a5..c7b09c0 100644 logging_send_syslog_msg(tuned_t) miscfiles_read_localization(tuned_t) -@@ -58,6 +84,14 @@ optional_policy(` +@@ -58,6 +83,14 @@ optional_policy(` fstools_domtrans(tuned_t) ') @@ -56190,10 +57439,17 @@ index 74354da..f04565f 100644 + modutils_read_module_deps(usbmodules_t) +') diff --git a/usbmuxd.te b/usbmuxd.te -index 4440aa6..34ffbfd 100644 +index 4440aa6..65b2c3a 100644 --- a/usbmuxd.te +++ b/usbmuxd.te -@@ -40,3 +40,7 @@ miscfiles_read_localization(usbmuxd_t) +@@ -33,10 +33,13 @@ kernel_read_system_state(usbmuxd_t) + dev_read_sysfs(usbmuxd_t) + dev_rw_generic_usb_dev(usbmuxd_t) + +-files_read_etc_files(usbmuxd_t) + + miscfiles_read_localization(usbmuxd_t) + auth_use_nsswitch(usbmuxd_t) logging_send_syslog_msg(usbmuxd_t) @@ -56211,7 +57467,7 @@ index e70b0e8..cd83b89 100644 /usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) +/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) diff --git a/userhelper.if b/userhelper.if -index 65baaac..821bcea 100644 +index 65baaac..77560a1 100644 --- a/userhelper.if +++ b/userhelper.if @@ -25,6 +25,7 @@ template(`userhelper_role_template',` 
@@ -56222,7 +57478,15 @@ index 65baaac..821bcea 100644 ') ######################################## -@@ -121,6 +122,9 @@ template(`userhelper_role_template',` +@@ -89,7 +90,6 @@ template(`userhelper_role_template',` + + files_list_var_lib($1_userhelper_t) + # Read the /etc/security/default_type file +- files_read_etc_files($1_userhelper_t) + # Read /var. + files_read_var_files($1_userhelper_t) + files_read_var_symlinks($1_userhelper_t) +@@ -121,6 +121,9 @@ template(`userhelper_role_template',` auth_manage_pam_pid($1_userhelper_t) auth_manage_var_auth($1_userhelper_t) auth_search_pam_console_data($1_userhelper_t) @@ -56232,7 +57496,7 @@ index 65baaac..821bcea 100644 # Inherit descriptors from the current session. init_use_fds($1_userhelper_t) -@@ -145,18 +149,6 @@ template(`userhelper_role_template',` +@@ -145,18 +148,6 @@ template(`userhelper_role_template',` ') optional_policy(` @@ -56251,7 +57515,7 @@ index 65baaac..821bcea 100644 tunable_policy(`! secure_mode',` #if we are not in secure mode then we can transition to sysadm_t sysadm_bin_spec_domtrans($1_userhelper_t) -@@ -255,3 +247,88 @@ interface(`userhelper_exec',` +@@ -255,3 +246,88 @@ interface(`userhelper_exec',` can_exec($1, userhelper_exec_t) ') @@ -56461,7 +57725,7 @@ index d45c715..2d4f1ba 100644 + ') diff --git a/usernetctl.te b/usernetctl.te -index 19c70bb..35b12a6 100644 +index 19c70bb..1434b51 100644 --- a/usernetctl.te +++ b/usernetctl.te @@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0) 
@@ -56481,7 +57745,15 @@ index 19c70bb..35b12a6 100644 ######################################## # -@@ -60,31 +61,33 @@ miscfiles_read_localization(usernetctl_t) +@@ -42,7 +43,6 @@ corecmd_exec_shell(usernetctl_t) + + domain_dontaudit_read_all_domains_state(usernetctl_t) + +-files_read_etc_files(usernetctl_t) + files_exec_etc_files(usernetctl_t) + files_read_etc_runtime_files(usernetctl_t) + files_list_pids(usernetctl_t) +@@ -60,31 +60,33 @@ miscfiles_read_localization(usernetctl_t) seutil_read_config(usernetctl_t) sysnet_read_config(usernetctl_t) @@ -56546,7 +57818,7 @@ index ebc5414..8f8ac45 100644 logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te -index d4349e9..2f0887d 100644 +index d4349e9..f015de0 100644 --- a/uucp.te +++ b/uucp.te @@ -24,7 +24,7 @@ type uucpd_ro_t; @@ -56558,7 +57830,15 @@ index d4349e9..2f0887d 100644 type uucpd_log_t; logging_log_file(uucpd_log_t) -@@ -125,6 +125,8 @@ optional_policy(` +@@ -91,7 +91,6 @@ fs_getattr_xattr_fs(uucpd_t) + corecmd_exec_bin(uucpd_t) + corecmd_exec_shell(uucpd_t) + +-files_read_etc_files(uucpd_t) + files_search_home(uucpd_t) + files_search_spool(uucpd_t) + +@@ -125,15 +124,18 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; allow uux_t self:fifo_file write_fifo_file_perms; @@ -56567,7 +57847,9 @@ index d4349e9..2f0887d 100644 uucp_append_log(uux_t) uucp_manage_spool(uux_t) -@@ -134,6 +136,8 @@ files_read_etc_files(uux_t) + corecmd_exec_bin(uux_t) + +-files_read_etc_files(uux_t) fs_rw_anon_inodefs_files(uux_t) @@ -56576,7 +57858,7 @@ index d4349e9..2f0887d 100644 logging_send_syslog_msg(uux_t) miscfiles_read_localization(uux_t) -@@ -145,5 +149,5 @@ optional_policy(` +@@ -145,5 +147,5 @@ optional_policy(` ') optional_policy(` @@ -56883,7 +58165,7 @@ index 1f872b5..8af4bce 100644 - ') diff --git a/vhostmd.te b/vhostmd.te -index 32a3c13..803eea6 100644 +index 32a3c13..759f08c 100644 --- a/vhostmd.te +++ b/vhostmd.te 
@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t) @@ -56905,24 +58187,24 @@ index 32a3c13..803eea6 100644 kernel_read_system_state(vhostmd_t) kernel_read_network_state(vhostmd_t) kernel_write_xen_state(vhostmd_t) -@@ -44,9 +45,16 @@ corecmd_exec_shell(vhostmd_t) +@@ -44,9 +45,15 @@ corecmd_exec_shell(vhostmd_t) corenet_tcp_connect_soundd_port(vhostmd_t) +-files_read_etc_files(vhostmd_t) +dev_read_rand(vhostmd_t) +dev_read_urand(vhostmd_t) +dev_read_sysfs(vhostmd_t) + +# 579803 +files_list_tmp(vhostmd_t) - files_read_etc_files(vhostmd_t) files_read_usr_files(vhostmd_t) +dev_read_rand(vhostmd_t) dev_read_sysfs(vhostmd_t) auth_use_nsswitch(vhostmd_t) -@@ -66,6 +74,7 @@ optional_policy(` +@@ -66,6 +73,7 @@ optional_policy(` optional_policy(` virt_stream_connect(vhostmd_t) @@ -57682,7 +58964,7 @@ index 7c5d8d8..85b7d8b 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') diff --git a/virt.te b/virt.te -index ad3068a..caef8cf 100644 +index ad3068a..452693b 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2) @@ -58043,7 +59325,7 @@ index ad3068a..caef8cf 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -247,22 +375,32 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +375,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -58062,7 +59344,7 @@ index ad3068a..caef8cf 100644 +domain_read_all_domains_state(virtd_t) files_read_usr_files(virtd_t) - files_read_etc_files(virtd_t) +-files_read_etc_files(virtd_t) +files_read_usr_files(virtd_t) files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) @@ -58077,7 +59359,7 @@ index ad3068a..caef8cf 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +408,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +407,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) 
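Review bot: The new side of vhostmd.te ends up with `dev_read_rand(vhostmd_t)` and `dev_read_sysfs(vhostmd_t)` each twice — once in the block added above `# 579803` and again in `+dev_read_rand(vhostmd_t)` plus the pre-existing `dev_read_sysfs(vhostmd_t)` after `files_read_usr_files(vhostmd_t)`; drop `+dev_read_sysfs(vhostmd_t)` from the new block (the original file already has it) and one of the two `+dev_read_rand(vhostmd_t)` additions. The virt.te hunk on this same line has the same problem: `+files_read_usr_files(virtd_t)` is added directly under an existing `files_read_usr_files(virtd_t)` context line where `files_read_etc_files(virtd_t)` was removed. Duplicate rules compile fine, so this is noise rather than breakage, but it makes the resulting policy harder to audit; the bare `# 579803` would also be clearer with the tracker named.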
@@ -58096,7 +59378,7 @@ index ad3068a..caef8cf 100644 mcs_process_set_categories(virtd_t) -@@ -284,6 +434,8 @@ term_use_ptmx(virtd_t) +@@ -284,6 +433,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -58105,7 +59387,7 @@ index ad3068a..caef8cf 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +445,32 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +444,32 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -58138,7 +59420,7 @@ index ad3068a..caef8cf 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +489,10 @@ optional_policy(` +@@ -322,6 +488,10 @@ optional_policy(` ') optional_policy(` @@ -58149,7 +59431,7 @@ index ad3068a..caef8cf 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +506,30 @@ optional_policy(` +@@ -335,19 +505,30 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -58181,7 +59463,7 @@ index ad3068a..caef8cf 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +544,12 @@ optional_policy(` +@@ -362,6 +543,12 @@ optional_policy(` ') optional_policy(` @@ -58194,7 +59476,7 @@ index ad3068a..caef8cf 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +557,11 @@ optional_policy(` +@@ -369,11 +556,11 @@ optional_policy(` ') optional_policy(` @@ -58211,7 +59493,7 @@ index ad3068a..caef8cf 100644 ') optional_policy(` -@@ -384,6 +572,7 @@ optional_policy(` +@@ -384,6 +571,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -58219,7 +59501,7 @@ index ad3068a..caef8cf 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -403,20 +592,36 @@ optional_policy(` +@@ -403,20 +591,36 @@ optional_policy(` # virtual domains common policy # 
@@ -58259,7 +59541,7 @@ index ad3068a..caef8cf 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -427,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -427,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -58273,7 +59555,7 @@ index ad3068a..caef8cf 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +645,12 @@ dev_write_sound(virt_domain) +@@ -438,10 +644,11 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -58281,12 +59563,12 @@ index ad3068a..caef8cf 100644 domain_use_interactive_fds(virt_domain) - files_read_etc_files(virt_domain) +-files_read_etc_files(virt_domain) +files_read_mnt_symlinks(virt_domain) files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,25 +658,430 @@ files_search_all(virt_domain) +@@ -449,25 +656,426 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -58374,7 +59656,6 @@ index ad3068a..caef8cf 100644 +files_read_usr_files(virsh_t) +files_list_mnt(virsh_t) +# Some common macros (you might be able to remove some) -+files_read_etc_files(virsh_t) + +fs_getattr_all_fs(virsh_t) +fs_manage_xenfs_dirs(virsh_t) @@ -58492,7 +59773,6 @@ index ad3068a..caef8cf 100644 + +files_search_all(virtd_lxc_t) +files_getattr_all_files(virtd_lxc_t) -+files_read_etc_files(virtd_lxc_t) +files_read_usr_files(virtd_lxc_t) +files_relabel_rootfs(virtd_lxc_t) +files_mounton_non_security(virtd_lxc_t) @@ -58687,7 +59967,6 @@ index ad3068a..caef8cf 100644 + +domain_use_interactive_fds(virt_qmf_t) + -+files_read_etc_files(virt_qmf_t) + +logging_send_syslog_msg(virt_qmf_t) + 
@@ -58717,7 +59996,6 @@ index ad3068a..caef8cf 100644 + +corenet_rw_tun_tap_dev(virt_bridgehelper_t) + -+files_read_etc_files(virt_bridgehelper_t) + +userdom_use_inherited_user_ptys(virt_bridgehelper_t) diff --git a/vlock.te b/vlock.te @@ -58876,7 +60154,7 @@ index 7b93e07..a4e2f60 100644 ######################################## diff --git a/vpn.te b/vpn.te -index 83a80ba..d2585bb 100644 +index 83a80ba..a7aefa0 100644 --- a/vpn.te +++ b/vpn.te @@ -5,13 +5,15 @@ policy_module(vpn, 1.15.0) @@ -58907,7 +60185,7 @@ index 83a80ba..d2585bb 100644 allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -@@ -80,8 +82,8 @@ domain_use_interactive_fds(vpnc_t) +@@ -80,18 +82,19 @@ domain_use_interactive_fds(vpnc_t) fs_getattr_xattr_fs(vpnc_t) fs_getattr_tmpfs(vpnc_t) @@ -58918,7 +60196,10 @@ index 83a80ba..d2585bb 100644 corecmd_exec_all_executables(vpnc_t) -@@ -92,6 +94,8 @@ files_dontaudit_search_home(vpnc_t) + files_exec_etc_files(vpnc_t) + files_read_etc_runtime_files(vpnc_t) +-files_read_etc_files(vpnc_t) + files_dontaudit_search_home(vpnc_t) auth_use_nsswitch(vpnc_t) @@ -58927,7 +60208,7 @@ index 83a80ba..d2585bb 100644 libs_exec_ld_so(vpnc_t) libs_exec_lib_files(vpnc_t) -@@ -105,12 +109,13 @@ miscfiles_read_localization(vpnc_t) +@@ -105,12 +108,13 @@ miscfiles_read_localization(vpnc_t) seutil_dontaudit_search_config(vpnc_t) seutil_use_newrole_fds(vpnc_t) @@ -59105,10 +60386,10 @@ index 0000000..8e3570d +') diff --git a/wdmd.te b/wdmd.te new file mode 100644 -index 0000000..df9a759 +index 0000000..14c5c0a --- /dev/null +++ b/wdmd.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,45 @@ +policy_module(wdmd,1.0.0) + +######################################## @@ -59146,7 +60427,6 @@ index 0000000..df9a759 + +domain_use_interactive_fds(wdmd_t) + -+files_read_etc_files(wdmd_t) + +fs_read_anon_inodefs_files(wdmd_t) + 
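Review bot: `policy_module(wdmd,1.0.0)` at the top of the new wdmd.te lacks the space after the comma that every other module header in this patch uses (`policy_module(zoneminder, 1.0.0)`, `policy_module(vpn, 1.15.0)`, `policy_module(zabbix, 1.5.0)`). It is a context line here, but the commit already rewrites this hunk's `+@@ -0,0 +1,45 @@` header, so making it `policy_module(wdmd, 1.0.0)` costs nothing and keeps the module consistent with the rest of the tree. The wdmd_t rule block continues past the end of the hunk.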
@@ -59169,10 +60449,16 @@ index 0ecc786..e0f21c3 100644 files_dontaudit_search_all_dirs(webadm_t) files_manage_generic_locks(webadm_t) diff --git a/webalizer.te b/webalizer.te -index 32b4f76..ecb9d3a 100644 +index 32b4f76..d11a7ca 100644 --- a/webalizer.te +++ b/webalizer.te -@@ -75,18 +75,22 @@ files_read_etc_runtime_files(webalizer_t) +@@ -69,24 +69,27 @@ fs_search_auto_mountpoints(webalizer_t) + fs_getattr_xattr_fs(webalizer_t) + fs_rw_anon_inodefs_files(webalizer_t) + +-files_read_etc_files(webalizer_t) + files_read_etc_runtime_files(webalizer_t) + logging_list_logs(webalizer_t) logging_send_syslog_msg(webalizer_t) @@ -59329,7 +60615,7 @@ index 7a17516..56fbcc2 100644 ') diff --git a/wireshark.te b/wireshark.te -index fc0adf8..01473bc 100644 +index fc0adf8..1647930 100644 --- a/wireshark.te +++ b/wireshark.te @@ -31,18 +31,19 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) @@ -59362,7 +60648,15 @@ index fc0adf8..01473bc 100644 corenet_tcp_connect_generic_port(wireshark_t) corenet_tcp_sendrecv_generic_if(wireshark_t) -@@ -84,6 +84,8 @@ fs_search_auto_mountpoints(wireshark_t) +@@ -76,7 +76,6 @@ dev_read_rand(wireshark_t) + dev_read_sysfs(wireshark_t) + dev_read_urand(wireshark_t) + +-files_read_etc_files(wireshark_t) + files_read_usr_files(wireshark_t) + + fs_list_inotifyfs(wireshark_t) +@@ -84,6 +83,8 @@ fs_search_auto_mountpoints(wireshark_t) libs_read_lib_files(wireshark_t) @@ -59371,7 +60665,7 @@ index fc0adf8..01473bc 100644 miscfiles_read_fonts(wireshark_t) miscfiles_read_localization(wireshark_t) -@@ -92,23 +94,8 @@ seutil_use_newrole_fds(wireshark_t) +@@ -92,23 +93,8 @@ seutil_use_newrole_fds(wireshark_t) sysnet_read_config(wireshark_t) userdom_manage_user_home_content_files(wireshark_t) @@ -59397,10 +60691,18 @@ index fc0adf8..01473bc 100644 # Manual transition from userhelper optional_policy(` diff --git a/wm.if b/wm.if -index b3efef7..50c1a74 100644 +index b3efef7..75d280c 100644 --- a/wm.if 
+++ b/wm.if -@@ -77,6 +77,11 @@ template(`wm_role_template',` +@@ -59,7 +59,6 @@ template(`wm_role_template',` + + dev_read_urand($1_wm_t) + +- files_read_etc_files($1_wm_t) + files_read_usr_files($1_wm_t) + + fs_getattr_tmpfs($1_wm_t) +@@ -77,6 +76,11 @@ template(`wm_role_template',` miscfiles_read_fonts($1_wm_t) miscfiles_read_localization($1_wm_t) @@ -59821,6 +61123,18 @@ index d995c70..1282d4c 100644 - unconfined_domain(xend_t) - ') ') +diff --git a/xfs.te b/xfs.te +index 11c1b12..2eb8770 100644 +--- a/xfs.te ++++ b/xfs.te +@@ -57,7 +57,6 @@ fs_search_auto_mountpoints(xfs_t) + + domain_use_interactive_fds(xfs_t) + +-files_read_etc_files(xfs_t) + files_read_etc_runtime_files(xfs_t) + files_read_usr_files(xfs_t) + diff --git a/xguest.te b/xguest.te index e88b95f..6b9303f 100644 --- a/xguest.te @@ -59993,10 +61307,18 @@ index 1487a4e..f6b4217 100644 userdom_read_user_home_content_files(xscreensaver_t) diff --git a/yam.te b/yam.te -index 223ad43..26e5b2c 100644 +index 223ad43..9e53fad 100644 --- a/yam.te +++ b/yam.te -@@ -83,6 +83,8 @@ fs_search_auto_mountpoints(yam_t) +@@ -71,7 +71,6 @@ corenet_sendrecv_rsync_client_packets(yam_t) + # mktemp + dev_read_urand(yam_t) + +-files_read_etc_files(yam_t) + files_read_etc_runtime_files(yam_t) + # /usr/share/createrepo/genpkgmetadata.py: + files_exec_usr_files(yam_t) +@@ -83,6 +82,8 @@ fs_search_auto_mountpoints(yam_t) # Content can also be on ISO image files. fs_read_iso9660_files(yam_t) @@ -60005,7 +61327,7 @@ index 223ad43..26e5b2c 100644 logging_send_syslog_msg(yam_t) miscfiles_read_localization(yam_t) -@@ -92,7 +94,7 @@ seutil_read_config(yam_t) +@@ -92,7 +93,7 @@ seutil_read_config(yam_t) sysnet_dns_name_resolve(yam_t) sysnet_read_config(yam_t) @@ -60086,7 +61408,7 @@ index c9981d1..38ce620 100644 init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff --git a/zabbix.te b/zabbix.te -index 8c0bd70..e5191a2 100644 +index 8c0bd70..be5502f 100644 --- a/zabbix.te +++ b/zabbix.te 
@@ -5,6 +5,13 @@ policy_module(zabbix, 1.5.0) @@ -60144,7 +61466,7 @@ index 8c0bd70..e5191a2 100644 # shared memory rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) -@@ -58,26 +75,54 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -58,26 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) @@ -60160,16 +61482,16 @@ index 8c0bd70..e5191a2 100644 +corenet_tcp_connect_http_port(zabbix_t) +# to monitor ftp urls +corenet_tcp_connect_ftp_port(zabbix_t) -+ + +-files_read_etc_files(zabbix_t) +dev_read_urand(zabbix_t) - files_read_etc_files(zabbix_t) +-miscfiles_read_localization(zabbix_t) +files_read_usr_files(zabbix_t) --miscfiles_read_localization(zabbix_t) -+auth_use_nsswitch(zabbix_t) - -sysnet_dns_name_resolve(zabbix_t) ++auth_use_nsswitch(zabbix_t) ++ +miscfiles_read_localization(zabbix_t) zabbix_agent_tcp_connect(zabbix_t) @@ -60202,6 +61524,14 @@ index 8c0bd70..e5191a2 100644 ######################################## # # zabbix agent local policy +@@ -121,7 +165,6 @@ domain_search_all_domains_state(zabbix_agent_t) + files_getattr_all_dirs(zabbix_agent_t) + files_getattr_all_files(zabbix_agent_t) + files_read_all_symlinks(zabbix_agent_t) +-files_read_etc_files(zabbix_agent_t) + + fs_getattr_all_fs(zabbix_agent_t) + diff --git a/zarafa.fc b/zarafa.fc index 3defaa1..7436a1c 100644 --- a/zarafa.fc @@ -60828,10 +62158,10 @@ index 0000000..b34b8b4 + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..9562539 +index 0000000..d12357b --- /dev/null +++ b/zoneminder.te -@@ -0,0 +1,124 @@ +@@ -0,0 +1,123 @@ +policy_module(zoneminder, 1.0.0) + +######################################## 
@@ -60916,7 +62246,6 @@ index 0000000..9562539 +dev_read_video_dev(zoneminder_t) +dev_write_video_dev(zoneminder_t) + -+files_read_etc_files(zoneminder_t) +files_read_usr_files(zoneminder_t) + +auth_use_nsswitch(zoneminder_t) @@ -60977,10 +62306,10 @@ index 702e768..2a4f2cc 100644 interface(`zosremote_run',` gen_require(` diff --git a/zosremote.te b/zosremote.te -index f9a06d2..3d407c6 100644 +index f9a06d2..aed9d14 100644 --- a/zosremote.te +++ b/zosremote.te -@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) +@@ -16,10 +16,9 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) # allow zos_remote_t self:process signal; @@ -60988,4 +62317,7 @@ index f9a06d2..3d407c6 100644 +allow zos_remote_t self:fifo_file rw_fifo_file_perms; allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; - files_read_etc_files(zos_remote_t) +-files_read_etc_files(zos_remote_t) + + auth_use_nsswitch(zos_remote_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 700b9533..7846eb86 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -491,6 +491,26 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jun 27 2012 Miroslav Grepl 3.11.0-7 +- add ptrace_child access to process +- remove files_read_etc_files() calling from all policies which have auth_use_nsswith() +- Allow boinc domains to manage boinc_lib_t lnk_files +- Add support for boinc-client.service unit file +- Add support for boinc.log +- Allow mozilla_plugin execmod on mozilla home files if allow_ex +- Allow dovecot_deliver_t to read dovecot_var_run_t +- Allow ldconfig and insmod to manage kdumpctl tmp files +- Move thin policy out from cloudform.pp and add a new thin poli +- pacemaker needs to communicate with corosync streams +- abrt is now started on demand by dbus +- Allow certmonger to talk directly to Dogtag servers +- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c +- Allow mozila_plugin to execute gstreamer home files +- Allow useradd to delete all file types stored in the users hom +- rhsmcertd reads the rpm database +- Add support for lightdm + + * Mon Jun 25 2012 Miroslav Grepl 3.11.0-6 - Add tomcat policy - Remove pyzor/razor policy