Fix naming of rpm macro

- Fix creation of checksum file of installed policy
This commit is contained in:
Dan Walsh 2013-09-09 08:10:33 -04:00
parent 8f2f92723c
commit 26bb0a13ca
3 changed files with 374 additions and 217 deletions


@ -3582,7 +3582,7 @@ index 644d4d7..f9bcd44 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..43cdcb9 100644
index 9e9263a..7f08657 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
@ -3709,7 +3709,35 @@ index 9e9263a..43cdcb9 100644
mmap_files_pattern($1, bin_t, bin_t)
')
@@ -945,6 +990,7 @@ interface(`corecmd_shell_domtrans',`
@@ -440,10 +485,14 @@ interface(`corecmd_mmap_bin_files',`
interface(`corecmd_bin_spec_domtrans',`
gen_require(`
type bin_t;
+ type usr_t;
')
read_lnk_files_pattern($1, bin_t, bin_t)
domain_transition_pattern($1, bin_t, $2)
+
+ read_lnk_files_pattern($1, usr_t, usr_t)
+ domain_transition_pattern($1, usr_t, $2)
')
########################################
@@ -483,10 +532,12 @@ interface(`corecmd_bin_spec_domtrans',`
interface(`corecmd_bin_domtrans',`
gen_require(`
type bin_t;
+ type usr_t;
')
corecmd_bin_spec_domtrans($1, $2)
type_transition $1 bin_t:process $2;
+ type_transition $1 usr_t:process $2;
')
########################################
@@ -945,6 +996,7 @@ interface(`corecmd_shell_domtrans',`
interface(`corecmd_exec_chroot',`
gen_require(`
type chroot_exec_t;
@ -3717,7 +3745,7 @@ index 9e9263a..43cdcb9 100644
')
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -954,6 +1000,24 @@ interface(`corecmd_exec_chroot',`
@@ -954,6 +1006,24 @@ interface(`corecmd_exec_chroot',`
########################################
## <summary>
@ -3742,7 +3770,7 @@ index 9e9263a..43cdcb9 100644
## Get the attributes of all executable files.
## </summary>
## <param name="domain">
@@ -1012,6 +1076,10 @@ interface(`corecmd_exec_all_executables',`
@@ -1012,6 +1082,10 @@ interface(`corecmd_exec_all_executables',`
can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type)
@ -3753,7 +3781,7 @@ index 9e9263a..43cdcb9 100644
')
########################################
@@ -1049,6 +1117,7 @@ interface(`corecmd_manage_all_executables',`
@@ -1049,6 +1123,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
@ -3761,7 +3789,7 @@ index 9e9263a..43cdcb9 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
@@ -1091,3 +1160,36 @@ interface(`corecmd_mmap_all_executables',`
@@ -1091,3 +1166,36 @@ interface(`corecmd_mmap_all_executables',`
mmap_files_pattern($1, bin_t, exec_type)
')
@ -5383,7 +5411,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4edc40d..17a4eab 100644
index 4edc40d..cbc0e69 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5519,7 +5547,7 @@ index 4edc40d..17a4eab 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
@@ -139,45 +168,51 @@ network_port(hadoop_namenode, tcp,8020,s0)
@@ -139,45 +168,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5530,7 +5558,7 @@ index 4edc40d..17a4eab 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
-network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
+network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,512,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(interwise, tcp,7778,s0, udp,7778,s0)
network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
@ -5558,6 +5586,7 @@ index 4edc40d..17a4eab 100644
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
+network_port(rlogin, tcp,543,s0, tcp,2105,s0)
+network_port(rtsclient, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
@ -5585,7 +5614,7 @@ index 4edc40d..17a4eab 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
@@ -185,26 +220,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
@@ -185,26 +221,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@ -5624,7 +5653,7 @@ index 4edc40d..17a4eab 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
@@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
@@ -214,38 +258,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@ -5677,7 +5706,7 @@ index 4edc40d..17a4eab 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
@@ -257,8 +307,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
@@ -257,8 +308,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@ -5688,7 +5717,7 @@ index 4edc40d..17a4eab 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
@@ -268,10 +319,10 @@ network_port(varnishd, tcp,6081-6082,s0)
@@ -268,10 +320,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@ -5701,7 +5730,7 @@ index 4edc40d..17a4eab 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
@@ -292,12 +343,16 @@ network_port(zope, tcp,8021,s0)
@@ -292,12 +344,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@ -5720,7 +5749,7 @@ index 4edc40d..17a4eab 100644
########################################
#
@@ -330,6 +385,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
@@ -330,6 +386,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@ -5729,7 +5758,7 @@ index 4edc40d..17a4eab 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
@@ -342,9 +399,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
@@ -342,9 +400,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@ -16982,10 +17011,10 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 5da7870..93ac27a 100644
index 5da7870..70297bc 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,70 @@ policy_module(staff, 2.3.1)
@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
role staff_r;
userdom_unpriv_user_template(staff)
@ -17027,6 +17056,7 @@ index 5da7870..93ac27a 100644
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
+seutil_dbus_chat_semanage(staff_t)
+seutil_read_login_config(staff_t)
+
+storage_read_scsi_generic(staff_t)
+storage_write_scsi_generic(staff_t)
@ -17056,7 +17086,7 @@ index 5da7870..93ac27a 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
@@ -23,11 +81,106 @@ optional_policy(`
@@ -23,11 +82,106 @@ optional_policy(`
')
optional_policy(`
@ -17164,7 +17194,7 @@ index 5da7870..93ac27a 100644
')
optional_policy(`
@@ -35,15 +188,31 @@ optional_policy(`
@@ -35,15 +189,31 @@ optional_policy(`
')
optional_policy(`
@ -17198,7 +17228,7 @@ index 5da7870..93ac27a 100644
')
optional_policy(`
@@ -52,10 +221,55 @@ optional_policy(`
@@ -52,10 +222,55 @@ optional_policy(`
')
optional_policy(`
@ -17254,7 +17284,7 @@ index 5da7870..93ac27a 100644
xserver_role(staff_r, staff_t)
')
@@ -65,10 +279,6 @@ ifndef(`distro_redhat',`
@@ -65,10 +280,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -17265,7 +17295,7 @@ index 5da7870..93ac27a 100644
cdrecord_role(staff_r, staff_t)
')
@@ -78,10 +288,6 @@ ifndef(`distro_redhat',`
@@ -78,10 +289,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@ -17276,7 +17306,7 @@ index 5da7870..93ac27a 100644
')
optional_policy(`
@@ -101,10 +307,6 @@ ifndef(`distro_redhat',`
@@ -101,10 +308,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -17287,7 +17317,7 @@ index 5da7870..93ac27a 100644
java_role(staff_r, staff_t)
')
@@ -125,10 +327,6 @@ ifndef(`distro_redhat',`
@@ -125,10 +328,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -17298,7 +17328,7 @@ index 5da7870..93ac27a 100644
pyzor_role(staff_r, staff_t)
')
@@ -141,10 +339,6 @@ ifndef(`distro_redhat',`
@@ -141,10 +340,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -17309,7 +17339,7 @@ index 5da7870..93ac27a 100644
spamassassin_role(staff_r, staff_t)
')
@@ -176,3 +370,22 @@ ifndef(`distro_redhat',`
@@ -176,3 +371,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@ -19700,11 +19730,12 @@ index 346d011..3e23acb 100644
+ ')
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..02d4ea6 100644
index 76d9f66..e3c8586 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,16 +1,36 @@
@@ -1,16 +1,37 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
-/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
@ -20442,7 +20473,7 @@ index fe0c682..225aaa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5fc0391..7931fba 100644
index 5fc0391..007ac2e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@ -20552,12 +20583,13 @@ index 5fc0391..7931fba 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
@@ -107,33 +120,41 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
@@ -107,33 +120,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
-userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, sock_file)
+userdom_user_home_content_filetrans(ssh_t, ssh_home_t, sock_file)
+userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, dir, ".ssh")
+userdom_read_all_users_keys(ssh_t)
+userdom_stream_connect(ssh_t)
@ -20599,7 +20631,7 @@ index 5fc0391..7931fba 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
@@ -154,40 +175,46 @@ files_read_var_files(ssh_t)
@@ -154,40 +176,46 @@ files_read_var_files(ssh_t)
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
@ -20665,7 +20697,7 @@ index 5fc0391..7931fba 100644
')
optional_policy(`
@@ -195,6 +222,7 @@ optional_policy(`
@@ -195,6 +223,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@ -20673,7 +20705,7 @@ index 5fc0391..7931fba 100644
##############################
#
# ssh_keysign_t local policy
@@ -206,6 +234,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -206,6 +235,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@ -20681,7 +20713,7 @@ index 5fc0391..7931fba 100644
files_read_etc_files(ssh_keysign_t)
@@ -223,33 +252,54 @@ optional_policy(`
@@ -223,33 +253,54 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@ -20745,7 +20777,7 @@ index 5fc0391..7931fba 100644
')
optional_policy(`
@@ -257,11 +307,28 @@ optional_policy(`
@@ -257,11 +308,28 @@ optional_policy(`
')
optional_policy(`
@ -20775,7 +20807,7 @@ index 5fc0391..7931fba 100644
')
optional_policy(`
@@ -269,6 +336,10 @@ optional_policy(`
@@ -269,6 +337,10 @@ optional_policy(`
')
optional_policy(`
@ -20786,7 +20818,7 @@ index 5fc0391..7931fba 100644
rpm_use_script_fds(sshd_t)
')
@@ -279,13 +350,69 @@ optional_policy(`
@@ -279,13 +351,69 @@ optional_policy(`
')
optional_policy(`
@ -20856,7 +20888,7 @@ index 5fc0391..7931fba 100644
########################################
#
# ssh_keygen local policy
@@ -294,19 +421,26 @@ optional_policy(`
@@ -294,19 +422,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@ -20884,7 +20916,7 @@ index 5fc0391..7931fba 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t)
@@ -323,6 +458,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@ -20897,7 +20929,7 @@ index 5fc0391..7931fba 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
@@ -331,3 +471,138 @@ optional_policy(`
@@ -331,3 +472,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@ -24496,7 +24528,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..2f6ba05 100644
index 3efd5b6..362b3af 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -24553,13 +24585,12 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -95,48 +115,21 @@ interface(`auth_use_pam',`
@@ -95,48 +115,20 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
+ attribute polydomain;
+ attribute login_pgm;
+ type auth_home_t;
')
domain_type($1)
@ -24608,7 +24639,7 @@ index 3efd5b6..2f6ba05 100644
mls_file_read_all_levels($1)
mls_file_write_all_levels($1)
@@ -146,18 +139,43 @@ interface(`auth_login_pgm_domain',`
@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',`
mls_fd_share_all_levels($1)
auth_use_pam($1)
@ -24660,7 +24691,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -231,6 +249,25 @@ interface(`auth_domtrans_login_program',`
@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',`
########################################
## <summary>
@ -24686,7 +24717,7 @@ index 3efd5b6..2f6ba05 100644
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
@@ -402,6 +439,8 @@ interface(`auth_domtrans_chk_passwd',`
@@ -402,6 +438,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
@ -24695,7 +24726,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -448,6 +487,25 @@ interface(`auth_run_chk_passwd',`
@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@ -24721,7 +24752,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -467,7 +525,6 @@ interface(`auth_domtrans_upd_passwd',`
@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@ -24729,7 +24760,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -664,6 +721,10 @@ interface(`auth_manage_shadow',`
@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -24740,7 +24771,7 @@ index 3efd5b6..2f6ba05 100644
')
#######################################
@@ -763,7 +824,50 @@ interface(`auth_rw_faillog',`
@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@ -24792,7 +24823,7 @@ index 3efd5b6..2f6ba05 100644
')
#######################################
@@ -824,9 +928,29 @@ interface(`auth_rw_lastlog',`
@@ -824,9 +927,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@ -24823,7 +24854,7 @@ index 3efd5b6..2f6ba05 100644
## </summary>
## <param name="domain">
## <summary>
@@ -834,12 +958,27 @@ interface(`auth_rw_lastlog',`
@@ -834,12 +957,27 @@ interface(`auth_rw_lastlog',`
## </summary>
## </param>
#
@ -24854,7 +24885,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -854,15 +993,15 @@ interface(`auth_domtrans_pam',`
@@ -854,15 +992,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@ -24873,7 +24904,7 @@ index 3efd5b6..2f6ba05 100644
## </summary>
## <param name="domain">
## <summary>
@@ -875,13 +1014,33 @@ interface(`auth_signal_pam',`
@@ -875,13 +1013,33 @@ interface(`auth_signal_pam',`
## </summary>
## </param>
#
@ -24911,7 +24942,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -959,9 +1118,30 @@ interface(`auth_manage_var_auth',`
@@ -959,9 +1117,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@ -24945,7 +24976,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -1040,6 +1220,10 @@ interface(`auth_manage_pam_pid',`
@@ -1040,6 +1219,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@ -24956,7 +24987,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -1176,6 +1360,7 @@ interface(`auth_manage_pam_console_data',`
@@ -1176,6 +1359,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -24964,7 +24995,7 @@ index 3efd5b6..2f6ba05 100644
')
#######################################
@@ -1576,6 +1761,25 @@ interface(`auth_setattr_login_records',`
@@ -1576,6 +1760,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@ -24990,7 +25021,7 @@ index 3efd5b6..2f6ba05 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
@@ -1726,24 +1930,7 @@ interface(`auth_manage_login_records',`
@@ -1726,24 +1929,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@ -25016,7 +25047,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -1767,11 +1954,13 @@ interface(`auth_relabel_login_records',`
@@ -1767,11 +1953,13 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@ -25033,7 +25064,7 @@ index 3efd5b6..2f6ba05 100644
')
########################################
@@ -1805,3 +1994,219 @@ interface(`auth_unconfined',`
@@ -1805,3 +1993,241 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@ -25214,6 +25245,28 @@ index 3efd5b6..2f6ba05 100644
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+')
+
+
+########################################
+## <summary>
+## Read the authorization data in the user home directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_read_home_content',`
+
+ gen_require(`
+ type auth_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, auth_home_t, auth_home_t)
+')
+
+
+########################################
+## <summary>
+## Create auth directory in the user home directory
@ -29085,7 +29138,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 9e54bf9..bc0e6c2 100644
index 9e54bf9..788c774 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@ -29158,7 +29211,7 @@ index 9e54bf9..bc0e6c2 100644
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
@@ -157,6 +166,8 @@ files_dontaudit_search_home(ipsec_t)
@@ -157,24 +166,33 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@ -29167,7 +29220,9 @@ index 9e54bf9..bc0e6c2 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
@@ -165,16 +176,22 @@ auth_use_nsswitch(ipsec_t)
auth_use_nsswitch(ipsec_t)
+auth_read_home_content(ipsec_t)
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
@ -29191,7 +29246,7 @@ index 9e54bf9..bc0e6c2 100644
seutil_sigchld_newrole(ipsec_t)
')
@@ -187,10 +204,10 @@ optional_policy(`
@@ -187,10 +205,10 @@ optional_policy(`
# ipsec_mgmt Local policy
#
@ -29206,7 +29261,7 @@ index 9e54bf9..bc0e6c2 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
@@ -210,10 +227,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
@@ -210,10 +228,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@ -29219,7 +29274,7 @@ index 9e54bf9..bc0e6c2 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
@@ -246,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
@@ -246,6 +265,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@ -29236,7 +29291,7 @@ index 9e54bf9..bc0e6c2 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -255,6 +284,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@ -29245,7 +29300,7 @@ index 9e54bf9..bc0e6c2 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -278,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
@@ -278,9 +309,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@ -29257,7 +29312,7 @@ index 9e54bf9..bc0e6c2 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
@@ -290,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -290,15 +322,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
logging_send_syslog_msg(ipsec_mgmt_t)
@ -29281,7 +29336,7 @@ index 9e54bf9..bc0e6c2 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
@@ -322,6 +356,10 @@ optional_policy(`
@@ -322,6 +357,10 @@ optional_policy(`
')
optional_policy(`
@ -29292,7 +29347,7 @@ index 9e54bf9..bc0e6c2 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -335,7 +373,7 @@ optional_policy(`
@@ -335,7 +374,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@ -29301,7 +29356,7 @@ index 9e54bf9..bc0e6c2 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
@@ -370,13 +408,12 @@ kernel_request_load_module(racoon_t)
@@ -370,13 +409,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@ -29321,12 +29376,12 @@ index 9e54bf9..bc0e6c2 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
@@ -401,10 +438,11 @@ locallogin_use_fds(racoon_t)
@@ -401,10 +439,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
-miscfiles_read_localization(racoon_t)
-
sysnet_exec_ifconfig(racoon_t)
+auth_use_pam(racoon_t)
@ -33408,7 +33463,7 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3822072..ec95692 100644
index 3822072..9fcc183 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@ -33652,8 +33707,8 @@ index 3822072..ec95692 100644
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ allow $1 selinux_login_config_t:dir list_dir_perms;
+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+')
+
+########################################
@ -33674,8 +33729,8 @@ index 3822072..ec95692 100644
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ allow $1 selinux_login_config_t:dir list_dir_perms;
+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ allow $1 selinux_login_config_t:dir list_dir_perms;
+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+')
+
#######################################
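Review bot: The new corecommands.if hunks make usr_t an entrypoint type, not just bin_t: `domain_transition_pattern($1, usr_t, $2)` in corecmd_bin_spec_domtrans grants $2 entrypoint on every usr_t file and $1 execute on it, and `type_transition $1 usr_t:process $2;` in corecmd_bin_domtrans makes that transition automatic for every caller of the interface. If usr_t is still the generic label for /usr content that has no more specific context (e.g. files under /usr/share), any such file, including a mislabeled or unpackaged one, now starts a confined domain for every policy that uses these interfaces, and nothing in the hunk documents that widening; the interface `<summary>` blocks lie outside the hunk and still only mention bin directories. I would add a note above the usr_t lines in both interfaces, e.g. `# usr_t is deliberately an entrypoint here too: generic /usr content not labeled` / `# bin_t (e.g. scripts under /usr/share) executes with the same transition.`, and mirror the caveat in each interface's summary. Separately, the new auth_read_home_content interface further down this section is used to grant ipsec_t read on auth_home_t in user homes, which the adjacent filetrans rules suggest hold per-user authenticator secrets; its summary should say that these are credential files so future callers are added deliberately.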


@ -4640,7 +4640,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 1a82e29..12b3640 100644
index 1a82e29..217ba9e 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@ -5829,7 +5829,7 @@ index 1a82e29..12b3640 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
@@ -781,34 +917,42 @@ optional_policy(`
@@ -781,34 +917,46 @@ optional_policy(`
')
optional_policy(`
@ -5839,6 +5839,10 @@ index 1a82e29..12b3640 100644
+')
+
+optional_policy(`
+ gssproxy_stream_connect(httpd_t)
+')
+
+optional_policy(`
+ jetty_admin(httpd_t)
+')
+
@ -5883,7 +5887,7 @@ index 1a82e29..12b3640 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
@@ -816,8 +960,18 @@ optional_policy(`
@@ -816,8 +964,18 @@ optional_policy(`
')
optional_policy(`
@ -5902,7 +5906,7 @@ index 1a82e29..12b3640 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -826,6 +980,7 @@ optional_policy(`
@@ -826,6 +984,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@ -5910,7 +5914,7 @@ index 1a82e29..12b3640 100644
')
optional_policy(`
@@ -836,20 +991,39 @@ optional_policy(`
@@ -836,20 +995,39 @@ optional_policy(`
')
optional_policy(`
@ -5956,7 +5960,7 @@ index 1a82e29..12b3640 100644
')
optional_policy(`
@@ -857,19 +1031,35 @@ optional_policy(`
@@ -857,19 +1035,35 @@ optional_policy(`
')
optional_policy(`
@ -5992,7 +5996,7 @@ index 1a82e29..12b3640 100644
udev_read_db(httpd_t)
')
@@ -877,65 +1067,170 @@ optional_policy(`
@@ -877,65 +1071,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@ -6062,11 +6066,10 @@ index 1a82e29..12b3640 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
')
########################################
#
-# Suexec local policy
+')
+
+########################################
+#
+# Apache PHP script local policy
+#
+
@ -6125,10 +6128,11 @@ index 1a82e29..12b3640 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
+')
+
+########################################
+#
')
########################################
#
-# Suexec local policy
+# Apache suexec local policy
#
@ -6185,7 +6189,7 @@ index 1a82e29..12b3640 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -944,123 +1239,74 @@ auth_use_nsswitch(httpd_suexec_t)
@@ -944,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@ -6340,7 +6344,7 @@ index 1a82e29..12b3640 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1077,172 +1323,104 @@ optional_policy(`
@@ -1077,172 +1327,104 @@ optional_policy(`
')
')
@ -6360,13 +6364,13 @@ index 1a82e29..12b3640 100644
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-
+allow httpd_sys_script_t self:process getsched;
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@ -6521,8 +6525,7 @@ index 1a82e29..12b3640 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@ -6538,7 +6541,8 @@ index 1a82e29..12b3640 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@ -6576,7 +6580,7 @@ index 1a82e29..12b3640 100644
')
tunable_policy(`httpd_read_user_content',`
@@ -1250,64 +1428,74 @@ tunable_policy(`httpd_read_user_content',`
@@ -1250,64 +1432,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@ -6673,7 +6677,7 @@ index 1a82e29..12b3640 100644
########################################
#
@@ -1315,8 +1503,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
@@ -1315,8 +1507,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@ -6690,15 +6694,14 @@ index 1a82e29..12b3640 100644
')
########################################
@@ -1324,49 +1519,38 @@ optional_policy(`
@@ -1324,49 +1523,38 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
+auth_use_nsswitch(httpd_user_script_t)
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
@ -6708,7 +6711,8 @@ index 1a82e29..12b3640 100644
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_user_script_t)
-')
-
+auth_use_nsswitch(httpd_user_script_t)
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_nfs_files(httpd_user_script_t)
@ -6755,7 +6759,7 @@ index 1a82e29..12b3640 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1376,38 +1560,99 @@ dev_read_urand(httpd_passwd_t)
@@ -1376,38 +1564,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -6773,8 +6777,7 @@ index 1a82e29..12b3640 100644
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
-allow httpd_gpg_t self:process setrlimit;
+
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
@ -6808,7 +6811,8 @@ index 1a82e29..12b3640 100644
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
+
-allow httpd_gpg_t self:process setrlimit;
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-allow httpd_gpg_t httpd_t:fd use;
@ -17095,7 +17099,7 @@ index 06da9a0..6d69a2f 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
index 9f34c2e..09ef91c 100644
index 9f34c2e..d084359 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@ -17537,7 +17541,7 @@ index 9f34c2e..09ef91c 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -511,31 +531,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@ -17550,6 +17554,7 @@ index 9f34c2e..09ef91c 100644
corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
@ -17570,7 +17575,7 @@ index 9f34c2e..09ef91c 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -546,7 +557,6 @@ optional_policy(`
@@ -546,7 +558,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -17578,7 +17583,7 @@ index 9f34c2e..09ef91c 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -562,148 +572,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@ -17730,7 +17735,7 @@ index 9f34c2e..09ef91c 100644
########################################
#
@@ -731,7 +616,6 @@ kernel_read_kernel_sysctls(ptal_t)
@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@ -17738,7 +17743,7 @@ index 9f34c2e..09ef91c 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -741,13 +625,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -17752,7 +17757,7 @@ index 9f34c2e..09ef91c 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -755,8 +637,6 @@ fs_search_auto_mountpoints(ptal_t)
@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@ -17761,7 +17766,7 @@ index 9f34c2e..09ef91c 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -769,3 +649,4 @@ optional_policy(`
@@ -769,3 +650,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@ -17811,7 +17816,7 @@ index 9fa7ffb..fd3262c 100644
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
diff --git a/cvs.te b/cvs.te
index 53fc3af..989aabf 100644
index 53fc3af..897ad64 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
@ -17828,7 +17833,7 @@ index 53fc3af..989aabf 100644
application_executable_file(cvs_exec_t)
type cvs_data_t; # customizable
@@ -58,6 +59,14 @@ kernel_read_network_state(cvs_t)
@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
@ -17839,11 +17844,12 @@ index 53fc3af..989aabf 100644
+corenet_udp_sendrecv_generic_node(cvs_t)
+corenet_tcp_sendrecv_all_ports(cvs_t)
+corenet_udp_sendrecv_all_ports(cvs_t)
+corenet_tcp_bind_cvs_port(cvs_t)
+
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
@@ -70,18 +79,18 @@ auth_use_nsswitch(cvs_t)
@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
@ -17865,7 +17871,7 @@ index 53fc3af..989aabf 100644
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
@@ -103,4 +112,5 @@ optional_policy(`
@@ -103,4 +113,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@ -18178,7 +18184,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
index afcf3a2..8c49f40 100644
index afcf3a2..e6ecc4d 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@ -18196,7 +18202,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="role_prefix">
## <summary>
@@ -41,59 +41,64 @@ interface(`dbus_stub',`
@@ -41,59 +41,68 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
@ -18271,8 +18277,11 @@ index afcf3a2..8c49f40 100644
- ifdef(`hide_broken_symptoms',`
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
- ')
+ logging_send_syslog_msg($1_dbusd_t)
+
+ optional_policy(`
+ mozilla_domtrans_spec($1_dbusd_t, $1_t)
')
')
#######################################
@ -18283,7 +18292,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -103,65 +108,29 @@ template(`dbus_role_template',`
@@ -103,65 +112,29 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
@ -18358,7 +18367,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="role_prefix">
## <summary>
@@ -175,19 +144,21 @@ interface(`dbus_connect_all_session_bus',`
@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',`
## </summary>
## </param>
#
@ -18385,7 +18394,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -196,72 +167,23 @@ interface(`dbus_connect_spec_session_bus',`
@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',`
## </param>
#
interface(`dbus_session_bus_client',`
@ -18465,7 +18474,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -270,59 +192,17 @@ interface(`dbus_spec_session_bus_client',`
@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',`
## </param>
#
interface(`dbus_send_session_bus',`
@ -18527,7 +18536,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -380,69 +260,32 @@ interface(`dbus_manage_lib_files',`
@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',`
########################################
## <summary>
@ -18608,7 +18617,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## </param>
## <param name="domain">
@@ -457,20 +300,21 @@ interface(`dbus_all_session_domain',`
@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',`
## </summary>
## </param>
#
@ -18634,7 +18643,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -489,7 +333,7 @@ interface(`dbus_connect_system_bus',`
@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',`
########################################
## <summary>
@ -18643,7 +18652,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -508,7 +352,7 @@ interface(`dbus_send_system_bus',`
@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',`
########################################
## <summary>
@ -18652,7 +18661,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -527,8 +371,8 @@ interface(`dbus_system_bus_unconfined',`
@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',`
########################################
## <summary>
@ -18663,7 +18672,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -543,33 +387,24 @@ interface(`dbus_system_bus_unconfined',`
@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@ -18701,7 +18710,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -587,26 +422,25 @@ interface(`dbus_use_system_bus_fds',`
@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
## <summary>
@ -18734,7 +18743,7 @@ index afcf3a2..8c49f40 100644
## </summary>
## <param name="domain">
## <summary>
@@ -614,10 +448,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
## </summary>
## </param>
#
@ -24947,7 +24956,7 @@ index 1e29af1..c67e44e 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
index 93b0301..11a76a5 100644
index 93b0301..ad8eb38 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@ -24998,17 +25007,19 @@ index 93b0301..11a76a5 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
@@ -157,6 +149,9 @@ tunable_policy(`use_samba_home_dirs',`
@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
+corenet_tcp_bind_git_port(git_system_t)
+
files_search_var_lib(git_system_t)
auth_use_nsswitch(git_system_t)
@@ -255,12 +250,9 @@ tunable_policy(`git_cgi_use_nfs',`
@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@ -25845,7 +25856,7 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
index d03fd43..71aa685 100644
index d03fd43..237de86 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,155 @@
@ -26562,7 +26573,7 @@ index d03fd43..71aa685 100644
## </summary>
## <param name="domain">
## <summary>
@@ -473,82 +517,72 @@ interface(`gnome_read_generic_gconf_home_content',`
@@ -473,82 +517,73 @@ interface(`gnome_read_generic_gconf_home_content',`
## </summary>
## </param>
#
@ -26640,6 +26651,7 @@ index d03fd43..71aa685 100644
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+ gnome_read_usr_config($1)
')
########################################
@ -26668,7 +26680,7 @@ index d03fd43..71aa685 100644
## </summary>
## </param>
## <param name="name" optional="true">
@@ -557,52 +591,76 @@ interface(`gnome_home_filetrans_gconf_home',`
@@ -557,52 +592,76 @@ interface(`gnome_home_filetrans_gconf_home',`
## </summary>
## </param>
#
@ -26766,7 +26778,7 @@ index d03fd43..71aa685 100644
## </summary>
## <param name="domain">
## <summary>
@@ -610,93 +668,126 @@ interface(`gnome_gconf_home_filetrans',`
@@ -610,93 +669,126 @@ interface(`gnome_gconf_home_filetrans',`
## </summary>
## </param>
#
@ -26927,7 +26939,7 @@ index d03fd43..71aa685 100644
## </summary>
## <param name="domain">
## <summary>
@@ -704,12 +795,851 @@ interface(`gnome_stream_connect_gkeyringd',`
@@ -704,12 +796,851 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary>
## </param>
#
@ -34124,7 +34136,7 @@ index 19777b8..63d46d3 100644
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
index 2cf3815..cb979b0 100644
index 2cf3815..a43a4f6 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
@ -34143,7 +34155,7 @@ index 2cf3815..cb979b0 100644
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
@@ -35,16 +39,23 @@ kernel_read_kernel_sysctls(ktalkd_t)
@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
kernel_read_network_state(ktalkd_t)
@ -34154,6 +34166,7 @@ index 2cf3815..cb979b0 100644
+corenet_udp_sendrecv_generic_node(ktalkd_t)
+corenet_tcp_sendrecv_all_ports(ktalkd_t)
+corenet_udp_sendrecv_all_ports(ktalkd_t)
+corenet_udp_bind_ktalkd_port(ktalkd_t)
+
dev_read_urand(ktalkd_t)
@ -39119,7 +39132,7 @@ index 6ffaba2..154cade 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b80..3209b1c 100644
index 6194b80..f1a5676 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -39273,7 +39286,8 @@ index 6194b80..3209b1c 100644
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
-
+ mozilla_filetrans_home_content($2)
- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
@ -39288,8 +39302,7 @@ index 6194b80..3209b1c 100644
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
- can_exec($2, mozilla_plugin_rw_t)
+ mozilla_filetrans_home_content($2)
-
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
@ -39405,42 +39418,69 @@ index 6194b80..3209b1c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -265,27 +173,11 @@ interface(`mozilla_exec_user_plugin_home_files',`
@@ -265,140 +173,152 @@ interface(`mozilla_exec_user_plugin_home_files',`
## </param>
#
interface(`mozilla_execmod_user_home_files',`
- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
- mozilla_execmod_user_plugin_home_files($1)
-')
-
-########################################
-## <summary>
-## Mozilla plugin home directory file
-## text relocation.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`mozilla_execmod_user_plugin_home_files',`
gen_require(`
- type mozilla_plugin_home_t;
+ gen_require(`
+ type mozilla_home_t;
')
- allow $1 mozilla_plugin_home_t:file execmod;
+ ')
+
+ allow $1 mozilla_home_t:file execmod;
')
########################################
@@ -303,102 +195,107 @@ interface(`mozilla_domtrans',`
type mozilla_t, mozilla_exec_t;
## <summary>
-## Mozilla plugin home directory file
-## text relocation.
+## Run mozilla in the mozilla domain.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
## </summary>
## </param>
#
-interface(`mozilla_execmod_user_plugin_home_files',`
+interface(`mozilla_domtrans',`
gen_require(`
- type mozilla_plugin_home_t;
+ type mozilla_t, mozilla_exec_t;
')
- allow $1 mozilla_plugin_home_t:file execmod;
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
')
########################################
## <summary>
-## Run mozilla in the mozilla domain.
+## Execute a mozilla_exec_t in the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
#
-interface(`mozilla_domtrans',`
+interface(`mozilla_domtrans_spec',`
gen_require(`
- type mozilla_t, mozilla_exec_t;
+ type mozilla_exec_t;
')
- corecmd_search_bin($1)
domtrans_pattern($1, mozilla_exec_t, mozilla_t)
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
+ domtrans_pattern($1, mozilla_exec_t, $2)
')
########################################
@ -39591,7 +39631,7 @@ index 6194b80..3209b1c 100644
')
########################################
@@ -424,8 +321,7 @@ interface(`mozilla_dbus_chat',`
@@ -424,8 +344,7 @@ interface(`mozilla_dbus_chat',`
########################################
## <summary>
@ -39601,7 +39641,7 @@ index 6194b80..3209b1c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -433,76 +329,108 @@ interface(`mozilla_dbus_chat',`
@@ -433,76 +352,126 @@ interface(`mozilla_dbus_chat',`
## </summary>
## </param>
#
@ -39644,6 +39684,24 @@ index 6194b80..3209b1c 100644
- allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Read/Write mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`mozilla_plugin_rw_tmpfs_files',`
+ gen_require(`
+ type mozilla_plugin_tmpfs_t;
+ ')
+
+ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
')
########################################
@ -39739,7 +39797,7 @@ index 6194b80..3209b1c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -510,19 +438,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
@@ -510,19 +479,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
## </summary>
## </param>
#
@ -39764,7 +39822,7 @@ index 6194b80..3209b1c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -530,45 +457,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
@@ -530,45 +498,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@ -46343,7 +46401,7 @@ index 8aa1bfa..cd0e015 100644
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
index 46e55c3..346242e 100644
index 46e55c3..6e4e061 100644
--- a/nis.if
+++ b/nis.if
@@ -1,4 +1,4 @@
@ -46352,13 +46410,14 @@ index 46e55c3..346242e 100644
########################################
## <summary>
@@ -27,18 +27,13 @@ interface(`nis_use_ypbind_uncond',`
@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',`
gen_require(`
type var_yp_t;
')
-
- allow $1 self:capability net_bind_service;
-
+ dontaudit $1 self:capability net_bind_service;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
@ -46372,7 +46431,7 @@ index 46e55c3..346242e 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -49,14 +44,11 @@ interface(`nis_use_ypbind_uncond',`
@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
@ -46388,7 +46447,7 @@ index 46e55c3..346242e 100644
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
@@ -88,14 +80,14 @@ interface(`nis_use_ypbind_uncond',`
@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
## <rolecap/>
#
interface(`nis_use_ypbind',`
@ -46405,7 +46464,7 @@ index 46e55c3..346242e 100644
## </summary>
## <param name="domain">
## <summary>
@@ -105,7 +97,7 @@ interface(`nis_use_ypbind',`
@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
## <rolecap/>
#
interface(`nis_authenticate',`
@ -46414,7 +46473,7 @@ index 46e55c3..346242e 100644
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
@@ -133,20 +125,19 @@ interface(`nis_domtrans_ypbind',`
@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
#######################################
## <summary>
@ -46442,7 +46501,7 @@ index 46e55c3..346242e 100644
can_exec($1, ypbind_exec_t)
')
@@ -169,11 +160,11 @@ interface(`nis_exec_ypbind',`
@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
#
interface(`nis_run_ypbind',`
gen_require(`
@ -46456,7 +46515,7 @@ index 46e55c3..346242e 100644
')
########################################
@@ -196,7 +187,7 @@ interface(`nis_signal_ypbind',`
@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
########################################
## <summary>
@ -46465,7 +46524,7 @@ index 46e55c3..346242e 100644
## </summary>
## <param name="domain">
## <summary>
@@ -272,10 +263,11 @@ interface(`nis_read_ypbind_pid',`
@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
#
interface(`nis_delete_ypbind_pid',`
gen_require(`
@ -46479,7 +46538,7 @@ index 46e55c3..346242e 100644
')
########################################
@@ -355,8 +347,57 @@ interface(`nis_initrc_domtrans_ypbind',`
@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
## <summary>
@ -46539,7 +46598,7 @@ index 46e55c3..346242e 100644
## </summary>
## <param name="domain">
## <summary>
@@ -372,32 +413,56 @@ interface(`nis_initrc_domtrans_ypbind',`
@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
@ -56815,7 +56874,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
index 49694e8..ad46f29 100644
index 49694e8..a1497cd 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
@ -57134,14 +57193,14 @@ index 49694e8..ad46f29 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
@@ -266,6 +287,7 @@ optional_policy(`
@@ -266,6 +287,6 @@ optional_policy(`
')
optional_policy(`
+ kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
-
diff --git a/polipo.fc b/polipo.fc
index d35614b..11f77ee 100644
--- a/polipo.fc
@ -67365,7 +67424,7 @@ index 951db7f..7736755 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
index 2c1730b..0bf7d02 100644
index 2c1730b..8e46216 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t;
@ -67417,7 +67476,7 @@ index 2c1730b..0bf7d02 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
@@ -49,19 +63,26 @@ corecmd_exec_shell(mdadm_t)
@@ -49,19 +63,27 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@ -67438,6 +67497,7 @@ index 2c1730b..0bf7d02 100644
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
+fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
fs_list_hugetlbfs(mdadm_t)
fs_rw_cgroup_files(mdadm_t)
@ -67446,7 +67506,7 @@ index 2c1730b..0bf7d02 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
@@ -70,15 +92,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@ -67468,7 +67528,7 @@ index 2c1730b..0bf7d02 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -97,9 +123,17 @@ optional_policy(`
@@ -97,9 +124,17 @@ optional_policy(`
')
optional_policy(`
@ -72020,7 +72080,7 @@ index 050479d..0e1b364 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
index d34cdec..f41c9c5 100644
index d34cdec..33f56c0 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
@ -72050,7 +72110,15 @@ index d34cdec..f41c9c5 100644
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
corenet_udp_sendrecv_generic_if(rlogind_t)
@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t)
@@ -58,6 +58,7 @@ corenet_tcp_sendrecv_generic_node(rlogind_t)
corenet_udp_sendrecv_generic_node(rlogind_t)
corenet_tcp_sendrecv_all_ports(rlogind_t)
corenet_udp_sendrecv_all_ports(rlogind_t)
+corenet_tcp_bind_rlogin_port(rlogind_t)
dev_read_urand(rlogind_t)
@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
@ -72058,7 +72126,7 @@ index d34cdec..f41c9c5 100644
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t)
@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
@ -78009,10 +78077,10 @@ index 0000000..5da5bff
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000..ce3ac47
index 0000000..23af146
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,481 @@
@@ -0,0 +1,482 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@ -78487,10 +78555,11 @@ index 0000000..ce3ac47
+logging_send_syslog_msg(sandbox_net_client_t)
+
+optional_policy(`
+ mozilla_plugin_rw_tmpfs_files(sandbox_x_domain)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
@ -86750,7 +86819,7 @@ index e9c0964..ff77783 100644
xserver_rw_xdm_pipes(telepathy_domain)
')
diff --git a/telnet.te b/telnet.te
index 9f89916..5f4c85e 100644
index 9f89916..1bdef51 100644
--- a/telnet.te
+++ b/telnet.te
@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t)
@ -86780,7 +86849,15 @@ index 9f89916..5f4c85e 100644
corenet_all_recvfrom_netlabel(telnetd_t)
corenet_tcp_sendrecv_generic_if(telnetd_t)
corenet_udp_sendrecv_generic_if(telnetd_t)
@@ -56,7 +59,6 @@ dev_read_urand(telnetd_t)
@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t)
corenet_udp_sendrecv_generic_node(telnetd_t)
corenet_tcp_sendrecv_all_ports(telnetd_t)
corenet_udp_sendrecv_all_ports(telnetd_t)
+corenet_tcp_bind_telnetd_port(telnetd_t)
corecmd_search_bin(telnetd_t)
@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t)
domain_interactive_fd(telnetd_t)
@ -86788,7 +86865,7 @@ index 9f89916..5f4c85e 100644
files_read_etc_runtime_files(telnetd_t)
files_search_home(telnetd_t)
@@ -69,12 +71,12 @@ init_rw_utmp(telnetd_t)
@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t)
logging_send_syslog_msg(telnetd_t)
@ -86803,7 +86880,7 @@ index 9f89916..5f4c85e 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
@@ -86,7 +88,7 @@ tunable_policy(`use_samba_home_dirs',`
@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 76%{?dist}
Release: 77.1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -69,7 +69,7 @@ SELinux Base package
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
%{_rpmconfigdir}/macros.d/selinux-policy.macros
%{_rpmconfigdir}/macros.d/macros.selinux-policy
%package sandbox
Summary: SELinux policy sandbox
@ -204,7 +204,6 @@ rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
@ -215,6 +214,7 @@ rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \
%ghost %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
@ -276,7 +276,8 @@ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
fi; \
touch /etc/selinux/%1/.rebuild; \
if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
POLICY_FILE=`ls /etc/selinux/%1/policy/policy.* | sort | head -1` \
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
if [ "$sha512" == "$checksha512" ] ; then \
rm /etc/selinux/%1/.rebuild; \
@ -387,7 +388,7 @@ mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html
rm -rf ${htmldir}
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/selinux-policy.macros
echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
rm -rf selinux_config
%clean
@ -569,6 +570,30 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Sep 9 2013 Dan Walsh <dwalsh@redhat.com> 3.12.1-77.1
- Fix nameing of rpm macro
- Fix creating of checksum file off installed policy
* Thu Sep 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-77
- Split out rlogin ports from inetd
- Treat files labeld as usr_t like bin_t when it comes to transitions
- Allow staff_t to read login config
- Allow ipsec_t to read .google authenticator data
- Allow systemd running as git_systemd to bind git port
- Fix mozilla_plugin_rw_tmpfs_files()
- Call the correct interface - corenet_udp_bind_ktalkd_port()
- Allow all domains that can read gnome_config to read kde config
- Allow sandbox domain to read/write mozilla_plugin_tmpfs_t so pulseaudio will work
- Allow mdadm to getattr any file system
- Allow a confined domain to executes mozilla_exec_t via dbus
- Allow cupsd_lpd_t to bind to the printer port
- Dontaudit attempts to bind to ports < 1024 when nis is turned on
- Allow apache domain to connect to gssproxy socket
- Allow rlogind to bind to the rlogin_port
- Allow telnetd to bind to the telnetd_port
- Allow ktalkd to bind to the ktalkd_port
- Allow cvs to bind to the cvs_port
* Wed Sep 4 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-76
- Cleanup related to init_domain()+inetd_domain fixes
- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
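Review bot: In the rewritten checksum step of the `%post` macro, `ls /etc/selinux/%1/policy/policy.* | sort | head -1` selects the lexically first `policy.NN` file, which on a host carrying several policy versions is the oldest rather than the one actually loaded (normally the highest version the kernel supports), so the sha512 comparison can be made against the wrong binary and `.rebuild` is kept or removed incorrectly; `sort -t. -k2 -n | tail -1` picks the newest version regardless of digit count. The new `POLICY_FILE=` line also lacks the trailing `;` that every neighbouring line carries because the `\` continuations are joined into a single shell line; bash evaluates two adjacent assignments left to right so it happens to work, but it should end in `;` like the rest for consistency. When no `policy.*` file exists, `$POLICY_FILE` is empty and `sha512sum` silently reads stdin, so the computation should be guarded with `[ -n "$POLICY_FILE" ]` and the variable quoted as `"$POLICY_FILE"`. The enclosing macro definition starts before this hunk.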