From 1f53e623964f511eff7e6177a204411764ed1d6d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Wed, 26 Mar 2014 10:51:19 +0100 Subject: [PATCH] - update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removeable devices - Allow nsswitch_domains to stream connect to nmbd - Allow rasdaemon to rw /dev/cpu//msr - fix /var/log/pki file spec - make bacula_t as auth_nsswitch domain - Allow certmonger to manage ipa lib files - Add support for /var/lib/ipa --- policy-rawhide-base.patch | 275 ++++++++++++++++++----------------- policy-rawhide-contrib.patch | 70 +++++++-- selinux-policy.spec | 12 +- 3 files changed, 207 insertions(+), 150 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 8268e423..a373432c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3224,7 +3224,7 @@ index 7590165..fb30c11 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..7238b9d 100644 +index 33e0f8d..d3434a9 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3538,7 +3538,7 @@ index 33e0f8d..7238b9d 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,11 +462,15 @@ ifdef(`distro_suse', ` +@@ -387,11 +462,16 @@ ifdef(`distro_suse', ` # # /var # 
@@ -3548,6 +3548,7 @@ index 33e0f8d..7238b9d 100644 /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3555,7 +3556,7 @@ index 33e0f8d..7238b9d 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -401,3 +480,12 @@ ifdef(`distro_suse', ` +@@ -401,3 +481,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -26981,7 +26982,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..8e6648e 100644 +index 09b791d..1a3d5b3 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -27284,7 +27285,7 @@ index 09b791d..8e6648e 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +499,8 @@ optional_policy(` +@@ -456,10 +499,145 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -27293,7 +27294,8 @@ index 09b791d..8e6648e 100644 ') optional_policy(` -@@ -463,3 +508,135 @@ optional_policy(` + samba_stream_connect_winbind(nsswitch_domain) ++ samba_stream_connect_nmbd(nsswitch_domain) samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -33210,7 +33212,7 @@ index 4e94884..b144ffe 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') 
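Review bot: The new corecommands.fc entry `/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)` uses the `--` file-type qualifier, so it matches only a regular file at exactly that path, while the name reads like a per-instance scripts directory whose contents are what would need bin_t. If `INSTANCE` is a template placeholder rather than a literal path component, the spec matches nothing on an installed system and the real scripts keep their default var_lib_t label; if the directory really is named that way, its contents are still unlabelled because there is no `(/.*)?`. Please confirm what 389-ds actually installs there, and if it is a directory change the line to `/var/lib/dirsrv/scripts-INSTANCE(/.*)? gen_context(system_u:object_r:bin_t,s0)` (or a regex for the instance name). The /var section of corecommands.fc continues outside this hunk.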
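Review bot: `samba_stream_connect_nmbd(nsswitch_domain)` grants every domain carrying the nsswitch_domain attribute connect access to nmbd's unix socket, which is much broader than the single consumer that presumably motivated it (libnss_wins resolving names through nmbd). nsswitch_domain is attached to a large number of confined services, so each of them now has a new IPC path into nmbd if compromised. If the need only exists on hosts that enable the wins NSS module, consider gating the call behind a boolean, or at least record the reason with `# libnss_wins resolves names through nmbd's unix socket` above the new line. The optional_policy block is complete here, but the rest of the nsswitch_domain rules continue outside the hunk.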
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..19dc9ce 100644 +index 59b04c1..cdc1c76 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) @@ -33286,16 +33288,18 @@ index 59b04c1..19dc9ce 100644 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; -@@ -111,7 +137,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +137,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) -term_use_all_terms(auditctl_t) ++storage_getattr_removable_dev(auditctl_t) ++ +term_use_all_inherited_terms(auditctl_t) init_dontaudit_use_fds(auditctl_t) -@@ -148,6 +174,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -148,6 +176,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -33303,7 +33307,7 @@ index 59b04c1..19dc9ce 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +182,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +184,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -33313,7 +33317,7 @@ index 59b04c1..19dc9ce 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +207,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +209,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -33335,7 +33339,7 @@ index 59b04c1..19dc9ce 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +262,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +264,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
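Review bot: `storage_getattr_removable_dev(auditctl_t)` is added to auditctl_t with no comment explaining why an audit-rule loader needs to stat removable block devices; the neighbouring rules (mls_file_read_all_levels, term_use_all_inherited_terms) give no hint either. The likely trigger is auditctl resolving a `-w /dev/...` watch path that points at removable media, but that is inferred from the commit subject, not shown in the hunk. A one-line why-comment such as `# auditctl stats paths named in -w rules, which may be removable devices` would keep this from reading as an unexplained device grant. The auditctl_t rule set continues outside this hunk.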
@@ -33366,7 +33370,7 @@ index 59b04c1..19dc9ce 100644 ') ######################################## -@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +@@ -268,7 +305,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) corecmd_exec_bin(audisp_remote_t) @@ -33374,7 +33378,7 @@ index 59b04c1..19dc9ce 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +314,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,10 +316,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -33394,7 +33398,7 @@ index 59b04c1..19dc9ce 100644 sysnet_dns_name_resolve(audisp_remote_t) -@@ -326,7 +368,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +370,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -33402,7 +33406,7 @@ index 59b04c1..19dc9ce 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +396,12 @@ optional_policy(` +@@ -355,13 +398,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -33419,7 +33423,7 @@ index 59b04c1..19dc9ce 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -371,6 +411,7 @@ allow syslogd_t self:udp_socket create_socket_perms; +@@ -371,6 +413,7 @@ allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; 
@@ -33427,7 +33431,7 @@ index 59b04c1..19dc9ce 100644 # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -389,30 +430,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +432,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -33477,7 +33481,7 @@ index 59b04c1..19dc9ce 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +479,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +481,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -33486,7 +33490,7 @@ index 59b04c1..19dc9ce 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +491,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +493,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -33514,7 +33518,7 @@ index 59b04c1..19dc9ce 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +524,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +526,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) 
@@ -33532,7 +33536,7 @@ index 59b04c1..19dc9ce 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +546,11 @@ init_use_fds(syslogd_t) +@@ -466,11 +548,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -33547,7 +33551,7 @@ index 59b04c1..19dc9ce 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -507,15 +587,40 @@ optional_policy(` +@@ -507,15 +589,40 @@ optional_policy(` ') optional_policy(` @@ -33588,7 +33592,7 @@ index 59b04c1..19dc9ce 100644 ') optional_policy(` -@@ -526,3 +631,26 @@ optional_policy(` +@@ -526,3 +633,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -41777,7 +41781,7 @@ index db75976..e4eb903 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..858bd7a 100644 +index 9dc60c6..b921b57 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -42476,7 +42480,7 @@ index 9dc60c6..858bd7a 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +747,128 @@ template(`userdom_common_user_template',` +@@ -546,93 +747,132 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -42593,6 +42597,10 @@ index 9dc60c6..858bd7a 100644 + kde_dbus_chat_backlighthelper($1_usertype) ') ++ optional_policy(` ++ memcached_stream_connect($1_usertype) ++ ') ++ optional_policy(` - cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) 
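Review bot: The new `memcached_stream_connect($1_usertype)` in userdom_common_user_template gives every common user domain (and anything else typed $1_usertype) direct connect access to memcached's unix socket, and memcached does no client authentication on that transport, so any such user can read or overwrite whatever applications have cached. Because this template is shared by all unprivileged user roles, it is a broad default grant for what is presumably a specific desktop or developer use case. Consider wrapping the call in a tunable_policy, or at minimum name the consumer with `# let user shells talk to a local memcached over its unix socket` above the optional_policy block. userdom_common_user_template begins and ends outside this hunk.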
@@ -42619,31 +42627,31 @@ index 9dc60c6..858bd7a 100644 - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) -+ ') -+ -+ optional_policy(` + lircd_stream_connect($1_usertype) ') optional_policy(` -@@ -642,23 +878,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +882,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -42672,7 +42680,7 @@ index 9dc60c6..858bd7a 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +905,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +909,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -42681,7 +42689,7 @@ index 9dc60c6..858bd7a 100644 ') optional_policy(` -@@ -680,9 +914,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +918,9 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -42694,45 +42702,45 @@ index 9dc60c6..858bd7a 100644 ') ') -@@ -693,32 +927,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +931,35 @@ template(`userdom_common_user_template',` ') optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpc_dontaudit_getattr_exports($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpc_dontaudit_getattr_exports($1_usertype) - ') - - optional_policy(` -- samba_stream_connect_winbind($1_t) + rpcbind_stream_connect($1_usertype) ') optional_policy(` -- slrnpull_search_spool($1_t) +- samba_stream_connect_winbind($1_t) + samba_stream_connect_winbind($1_usertype) ') optional_policy(` -- usernetctl_run($1_t, $1_r) +- slrnpull_search_spool($1_t) + sandbox_transition($1_usertype, $1_r) ') + optional_policy(` +- usernetctl_run($1_t, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) + ') + optional_policy(` - virt_home_filetrans_virt_home($1_t, dir, ".libvirt") - virt_home_filetrans_virt_home($1_t, dir, ".virtinst") - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") - virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") -+ seunshare_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + slrnpull_search_spool($1_usertype) + ') + @@ -42741,7 +42749,7 @@ index 9dc60c6..858bd7a 100644 ') ') -@@ -743,17 +980,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +984,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; 
@@ -42758,12 +42766,12 @@ index 9dc60c6..858bd7a 100644 - userdom_manage_tmpfs_role($1_r, $1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable($1_exec_content, true) - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable($1_exec_content, true) ++ + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -42779,7 +42787,7 @@ index 9dc60c6..858bd7a 100644 userdom_change_password_template($1) -@@ -761,83 +1014,107 @@ template(`userdom_login_user_template', ` +@@ -761,83 +1018,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -42873,7 +42881,8 @@ index 9dc60c6..858bd7a 100644 + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) -+ + +- seutil_read_config($1_t) + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -42884,8 +42893,7 @@ index 9dc60c6..858bd7a 100644 + kerberos_use($1_usertype) + init_write_key($1_usertype) + ') - -- seutil_read_config($1_t) ++ + optional_policy(` + mysql_filetrans_named_content($1_usertype) + ') @@ -42923,7 +42931,7 @@ index 9dc60c6..858bd7a 100644 ') ####################################### -@@ -868,6 +1145,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -42936,7 +42944,7 @@ index 9dc60c6..858bd7a 100644 ############################## # # Local policy -@@ -907,53 +1190,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # 
@@ -42990,11 +42998,8 @@ index 9dc60c6..858bd7a 100644 optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) - ') - -- optional_policy(` -- dbus_role_template($1, $1_r, $1_t) -- dbus_system_bus_client($1_t) ++ ') ++ + # cjp: needed by KDE apps + # bug: #682499 + optional_policy(` @@ -43005,9 +43010,11 @@ index 9dc60c6..858bd7a 100644 + + optional_policy(` + obex_role($1_r, $1_t, $1) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- dbus_role_template($1, $1_r, $1_t) +- dbus_system_bus_client($1_t) + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; @@ -43088,7 +43095,7 @@ index 9dc60c6..858bd7a 100644 ') ####################################### -@@ -987,27 +1354,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -43126,7 +43133,7 @@ index 9dc60c6..858bd7a 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1391,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1395,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -43178,16 +43185,16 @@ index 9dc60c6..858bd7a 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) ++ ') ++ ++ optional_policy(` + wine_role_template($1, $1_r, $1_t) + ') + @@ -43197,7 +43204,7 @@ index 9dc60c6..858bd7a 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1453,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1457,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` 
@@ -43208,7 +43215,7 @@ index 9dc60c6..858bd7a 100644 ') ') -@@ -1079,7 +1491,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1495,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -43219,7 +43226,7 @@ index 9dc60c6..858bd7a 100644 ') ############################## -@@ -1095,6 +1509,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1513,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -43227,7 +43234,7 @@ index 9dc60c6..858bd7a 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1520,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1524,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -43244,7 +43251,7 @@ index 9dc60c6..858bd7a 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1537,7 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1541,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -43252,7 +43259,7 @@ index 9dc60c6..858bd7a 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1555,14 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1559,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -43267,7 +43274,7 @@ index 9dc60c6..858bd7a 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1573,38 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1577,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -43310,7 +43317,7 @@ index 9dc60c6..858bd7a 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1614,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1618,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -43319,7 +43326,7 @@ index 9dc60c6..858bd7a 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1623,17 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1627,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -43338,7 +43345,7 @@ index 9dc60c6..858bd7a 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1669,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1673,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -43347,7 +43354,7 @@ index 9dc60c6..858bd7a 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1679,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1683,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -43356,7 +43363,7 @@ index 9dc60c6..858bd7a 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1693,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1697,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -43368,7 +43375,7 @@ index 9dc60c6..858bd7a 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1707,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1711,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -43411,7 +43418,7 @@ index 9dc60c6..858bd7a 100644 ') optional_policy(` -@@ -1357,14 +1792,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1796,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -43430,7 +43437,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -1405,6 +1843,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1405,6 +1847,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -43482,7 +43489,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## Domain allowed access. -@@ -1509,11 +1992,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1996,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -43514,7 +43521,7 @@ index 9dc60c6..858bd7a 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2058,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2062,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -43529,7 +43536,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -1570,9 +2081,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2085,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -43541,7 +43548,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -1629,6 +2142,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2146,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -43584,7 +43591,7 @@ index 9dc60c6..858bd7a 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1708,6 +2257,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1708,6 +2261,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -43593,7 +43600,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -1741,10 +2292,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2296,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -43608,7 +43615,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -1769,7 +2322,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2326,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -43635,7 +43642,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -1779,53 +2350,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1779,53 +2354,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -43718,7 +43725,7 @@ index 9dc60c6..858bd7a 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1845,6 +2433,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1845,6 +2437,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## 
@@ -43744,7 +43751,7 @@ index 9dc60c6..858bd7a 100644 ## Mmap user home files. ## ## -@@ -1875,15 +2482,18 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1875,15 +2486,18 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -43765,7 +43772,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -1891,18 +2501,18 @@ interface(`userdom_read_user_home_content_files',` +@@ -1891,18 +2505,18 @@ interface(`userdom_read_user_home_content_files',` ## ## # @@ -43789,7 +43796,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -1910,17 +2520,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',` +@@ -1910,17 +2524,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',` ## ## # @@ -43815,7 +43822,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -1928,7 +2542,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',` +@@ -1928,7 +2546,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',` ## ## # @@ -43842,7 +43849,7 @@ index 9dc60c6..858bd7a 100644 gen_require(` type user_home_t; ') -@@ -1938,7 +2570,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2574,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -43851,7 +43858,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -1946,10 +2578,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2582,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -43864,7 +43871,7 @@ index 9dc60c6..858bd7a 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2589,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2593,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## 
@@ -43873,7 +43880,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -1966,12 +2597,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2601,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -43942,7 +43949,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -2007,8 +2692,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2696,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -43952,7 +43959,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -2024,20 +2708,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2712,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -43977,7 +43984,7 @@ index 9dc60c6..858bd7a 100644 ######################################## ## -@@ -2120,7 +2798,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2802,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -43986,7 +43993,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -2128,19 +2806,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2810,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -44010,7 +44017,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -2148,12 +2824,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2828,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -44026,7 +44033,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -2390,11 +3066,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2390,11 +3070,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` 
@@ -44041,7 +44048,7 @@ index 9dc60c6..858bd7a 100644 files_search_tmp($1) ') -@@ -2414,7 +3090,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3094,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -44050,7 +44057,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -2661,6 +3337,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3341,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -44076,7 +44083,7 @@ index 9dc60c6..858bd7a 100644 ######################################## ## ## Read user tmpfs files. -@@ -2677,13 +3372,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2677,13 +3376,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -44092,7 +44099,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -2704,7 +3400,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2704,7 +3404,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -44101,7 +44108,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -2712,14 +3408,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2712,14 +3412,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -44136,7 +44143,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -2814,6 +3526,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3530,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -44161,7 +44168,7 @@ index 9dc60c6..858bd7a 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3562,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3566,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## 
@@ -44204,7 +44211,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -2856,14 +3598,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3602,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -44242,7 +44249,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -2882,8 +3643,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3647,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -44272,7 +44279,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -2955,69 +3735,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3739,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -44373,7 +44380,7 @@ index 9dc60c6..858bd7a 100644 ## ## ## -@@ -3025,12 +3804,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3808,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -44388,7 +44395,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -3094,7 +3873,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +3877,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -44397,7 +44404,7 @@ index 9dc60c6..858bd7a 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +3889,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +3893,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -44431,7 +44438,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -3214,30 +3977,48 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,31 +3981,49 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -44464,6 +44471,7 @@ index 9dc60c6..858bd7a 100644 ######################################## ## -## Do not audit attempts to relabel files from +-## user pty types. +## Relabel files to unprivileged user pty types. +## +## @@ -44483,10 +44491,11 @@ index 9dc60c6..858bd7a 100644 +######################################## +## +## Do not audit attempts to relabel files from - ## user pty types. ++## user pty types. ## ## -@@ -3269,7 +4050,83 @@ interface(`userdom_write_user_tmp_files',` + ## +@@ -3269,7 +4054,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -44571,7 +44580,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -3287,7 +4144,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3287,7 +4148,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -44580,7 +44589,7 @@ index 9dc60c6..858bd7a 100644 ') ######################################## -@@ -3306,6 +4163,7 @@ interface(`userdom_read_all_users_state',` +@@ -3306,6 +4167,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -44588,7 +44597,7 @@ index 9dc60c6..858bd7a 100644 kernel_search_proc($1) ') -@@ -3382,6 +4240,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4244,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -44631,7 +44640,7 @@ index 9dc60c6..858bd7a 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4296,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4300,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -44656,7 +44665,7 @@ index 9dc60c6..858bd7a 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4347,1680 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4351,1680 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; 
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 2c2a5408..54cdf61e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -8465,7 +8465,7 @@ index dcd774e..c240ffa 100644 allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index f16b000..6cf82b3 100644 +index f16b000..941d3fd 100644 --- a/bacula.te +++ b/bacula.te @@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t; @@ -8488,7 +8488,15 @@ index f16b000..6cf82b3 100644 corenet_sendrecv_hplip_server_packets(bacula_t) corenet_tcp_bind_hplip_port(bacula_t) corenet_udp_bind_hplip_port(bacula_t) -@@ -148,9 +152,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) +@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t) + fs_getattr_xattr_fs(bacula_t) + fs_list_all(bacula_t) + ++auth_use_nsswitch(bacula_t) + auth_read_shadow(bacula_t) + + logging_send_syslog_msg(bacula_t) +@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) domain_use_interactive_fds(bacula_admin_t) @@ -10875,7 +10883,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..b988f57 100644 +index 550b287..ad3330f 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -10960,7 +10968,7 @@ index 550b287..b988f57 100644 ') optional_policy(` -@@ -92,11 +108,47 @@ optional_policy(` +@@ -92,11 +108,51 @@ optional_policy(` ') optional_policy(` @@ -10970,6 +10978,10 @@ index 550b287..b988f57 100644 + dirsrv_signull(certmonger_t) +') + ++optional_policy(` ++ ipa_manage_lib(certmonger_t) ++') ++ +optional_policy(` kerberos_use(certmonger_t) + kerberos_read_keytab(certmonger_t) @@ -33304,20 +33316,22 @@ index d443fee..6cbbf7d 100644 diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..9278f85 +index 0000000..48d7322 --- /dev/null 
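Review bot: `ipa_manage_lib(certmonger_t)` in the new certmonger.te `optional_policy` block gives certmonger create/write/delete over the whole `ipa_var_lib_t` tree, and the ipa.fc entry introduced by the same commit labels all of `/var/lib/ipa(/.*)?` with that one type, so the grant is not scoped to what certmonger actually writes there. If that directory also holds installer state or IPA backup/restore data (not visible here — confirm against the FreeIPA layout), a compromised certmonger_t could alter or remove it. Either narrow the fc pattern to the subdirectory certmonger uses or give that subdirectory its own type, and add a one-line comment above the call naming what certmonger needs under /var/lib/ipa, so the next reader can judge whether manage is still required.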
+++ b/ipa.fc -@@ -0,0 +1,4 @@ +@@ -0,0 +1,6 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) + ++/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) ++ diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..70c67d3 +index 0000000..4095bed --- /dev/null +++ b/ipa.if -@@ -0,0 +1,38 @@ +@@ -0,0 +1,58 @@ +## Policy for IPA services. + +######################################## @@ -33356,12 +33370,32 @@ index 0000000..70c67d3 + allow $1 ipa_otpd_t:unix_stream_socket connectto; +') + ++######################################## ++## ++## Allow domain to manage ipa lib files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_manage_lib',` ++ gen_require(` ++ type ipa_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++') ++ ++') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..0fd2678 +index 0000000..b60bc5f --- /dev/null +++ b/ipa.te -@@ -0,0 +1,40 @@ +@@ -0,0 +1,43 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -33378,6 +33412,9 @@ index 0000000..0fd2678 +type ipa_otpd_unit_file_t; +systemd_unit_file(ipa_otpd_unit_file_t) + ++type ipa_var_lib_t; ++files_type(ipa_var_lib_t) ++ +######################################## +# +# ipa_otpd local policy @@ -61065,7 +61102,7 @@ index 8eb3f7b..1ff0fe3 100644 +userdom_read_all_users_state(pkcs_slotd_t) diff --git a/pki.fc b/pki.fc new file mode 100644 -index 0000000..726d992 +index 0000000..e6592ea --- /dev/null +++ b/pki.fc @@ -0,0 +1,56 @@ 
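Review bot: The new `ipa_manage_lib` interface in ipa.if appears to be followed by a second, unmatched `')` — the added lines end with `')`, a blank line, then another `')` — which is a stray close-quote/paren with no opening macro call at the end of the file. The hunk's line count (`+1,58` against the old `+1,38`, twenty added lines) only adds up if that extra line is real, so unless it is a rendering artefact it should be deleted before the module is built. Separately, interfaces that grant access below /var/lib conventionally include `files_search_var_lib($1)` so the caller can traverse to the directory; `ipa_manage_lib` has only the two `manage_*_pattern` calls, so add `files_search_var_lib($1)` next to them.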
@@ -61074,7 +61111,7 @@ index 0000000..726d992 +/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) +/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0) ++/var/log/pki(/.*)? gen_context(system_u:object_r:pki_log_t,s0) +/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0) +/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) + @@ -61420,7 +61457,7 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..b7dfce7 +index 0000000..22f672d --- /dev/null +++ b/pki.te @@ -0,0 +1,274 @@ @@ -61453,7 +61490,7 @@ index 0000000..b7dfce7 +files_type(pki_tomcat_etc_rw_t) + +type pki_tomcat_cert_t; -+files_type(pki_tomcat_cert_t) ++miscfiles_cert_type(pki_tomcat_cert_t) + +tomcat_domain_template(pki_tomcat) + @@ -91068,10 +91105,10 @@ index 0000000..ddfed09 +') diff --git a/speech-dispatcher.te b/speech-dispatcher.te new file mode 100644 -index 0000000..57372d0 +index 0000000..931fa6c --- /dev/null +++ b/speech-dispatcher.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,51 @@ +policy_module(speech-dispatcher, 1.0.0) + +######################################## @@ -91082,6 +91119,7 @@ index 0000000..57372d0 +type speech-dispatcher_t; +type speech-dispatcher_exec_t; +init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t) ++application_executable_file(speech-dispatcher_exec_t) + +type speech-dispatcher_log_t; +logging_log_file(speech-dispatcher_log_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 1affd658..57bb4e88 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 39%{?dist} +Release: 40%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
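Review bot: Changing `pki_tomcat_cert_t` from `files_type` to `miscfiles_cert_type` in pki.te places it in the generic certificate attribute, so every domain that is allowed to read all certificate types can now read `/etc/pki/pki-tomcat/alias(/.*)?`, which pki.fc labels with this type. If that alias directory is the Dogtag NSS database, it holds the CA's private key database (key*.db) next to the certificates — far more sensitive than the public certs the attribute is meant to expose; I cannot see from the diff which domains exercise the generic cert-reading interfaces, so please check that list before merging. Unless a specific consumer needs the generic interfaces, keep `files_type(pki_tomcat_cert_t)` and grant that consumer an explicit read interface, or split the key database out under its own type, and add a comment above the type declaration stating that the directory contains private keys.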
@@ -584,6 +584,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Mar 26 2014 Miroslav Grepl 3.13.1-40 +- update storage_filetrans_all_named_dev for sg* devices +- Allow auditctl_t to getattr on all removeable devices +- Allow nsswitch_domains to stream connect to nmbd +- Allow rasdaemon to rw /dev/cpu//msr +- fix /var/log/pki file spec +- make bacula_t as auth_nsswitch domain +- Allow certmonger to manage ipa lib files +- Add support for /var/lib/ipa + * Tue Mar 25 2014 Miroslav Grepl 3.13.1-39 - Manage_service_perms should include enable and disable, need backport to RHEL7 - Allow also unpriv user to run vmtools