diff --git a/container-selinux.tgz b/container-selinux.tgz index 4927c340..99a1c17a 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0b8dd195..98851bf8 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3854,13 +3854,6 @@ index 759016583..1b9a61d18 100644 +tunable_policy(`use_fusefs_home_dirs',` + fs_mounton_fusefs(seunshare_domain) ') -diff --git a/policy/modules/contrib b/policy/modules/contrib -index 298b88741..b35f071ea 160000 ---- a/policy/modules/contrib -+++ b/policy/modules/contrib -@@ -1 +1 @@ --Subproject commit 298b887411b663a7da40a7a465915a7352bac80d -+Subproject commit b35f071eace9e06117f78cdda3dd6692388dff6f diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 33e0f8dad..6fd767031 100644 --- a/policy/modules/kernel/corecommands.fc @@ -6701,10 +6694,10 @@ index 3f6e16889..abd046c56 100644 +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl +') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c05491..c3fd31813 100644 +index b31c05491..4e585f24c 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc -@@ -15,15 +15,18 @@ +@@ -15,15 +15,19 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) 
@@ -6719,13 +6712,14 @@ index b31c05491..c3fd31813 100644 +/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) +/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/drm_dp_aux.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh) +/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -42,8 +45,15 @@ +@@ -42,8 +46,15 @@ /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) @@ -6741,7 +6735,7 @@ index b31c05491..c3fd31813 100644 /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -61,8 +71,10 @@ +@@ -61,8 +72,10 @@ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) 
@@ -6753,7 +6747,7 @@ index b31c05491..c3fd31813 100644 /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) -@@ -72,7 +84,9 @@ +@@ -72,7 +85,9 @@ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) @@ -6763,7 +6757,7 @@ index b31c05491..c3fd31813 100644 /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -@@ -80,7 +94,10 @@ +@@ -80,7 +95,10 @@ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -6774,7 +6768,7 @@ index b31c05491..c3fd31813 100644 /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -90,9 +107,11 @@ +@@ -90,9 +108,11 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) @@ -6786,7 +6780,7 @@ index b31c05491..c3fd31813 100644 /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -106,6 +125,7 @@ +@@ -106,6 +126,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) 
@@ -6794,7 +6788,7 @@ index b31c05491..c3fd31813 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +138,15 @@ +@@ -118,6 +139,15 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6810,7 +6804,7 @@ index b31c05491..c3fd31813 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +158,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +159,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6825,7 +6819,7 @@ index b31c05491..c3fd31813 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -169,18 +200,27 @@ ifdef(`distro_suse', ` +@@ -169,18 +201,27 @@ ifdef(`distro_suse', ` /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -6853,7 +6847,7 @@ index b31c05491..c3fd31813 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +238,27 @@ ifdef(`distro_debian',` +@@ -198,12 +239,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6884,7 +6878,7 @@ index b31c05491..c3fd31813 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285ea6..1de2a51f0 100644 +index 76f285ea6..e689c2c5b 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7634,7 +7628,32 @@ index 76f285ea6..1de2a51f0 100644 ## Get the attributes of the framebuffer device node. ## ## -@@ -2402,7 +2837,7 @@ interface(`dev_filetrans_lirc',` +@@ -2126,6 +2561,24 @@ interface(`dev_write_framebuffer',` + + ######################################## + ## ++## Mmap the framebuffer. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_map_framebuffer',` ++ gen_require(` ++ type framebuf_device_t; ++ ') ++ ++ allow $1 framebuf_device_t:file map; ++') ++ ++######################################## ++## + ## Read and write the framebuffer. + ## + ## +@@ -2402,7 +2855,7 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -7643,7 +7662,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -2410,17 +2845,17 @@ interface(`dev_filetrans_lirc',` +@@ -2410,17 +2863,17 @@ interface(`dev_filetrans_lirc',` ## ## # @@ -7665,7 +7684,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -2428,17 +2863,17 @@ interface(`dev_getattr_lvm_control',` +@@ -2428,17 +2881,17 @@ interface(`dev_getattr_lvm_control',` ## ## # @@ -7687,7 +7706,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -2446,17 +2881,17 @@ interface(`dev_read_lvm_control',` +@@ -2446,17 +2899,17 @@ interface(`dev_read_lvm_control',` ## ## # @@ -7709,7 +7728,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -2464,17 +2899,17 @@ interface(`dev_rw_lvm_control',` +@@ -2464,17 +2917,17 @@ interface(`dev_rw_lvm_control',` ## ## # @@ -7731,7 +7750,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -2482,35 +2917,35 @@ interface(`dev_dontaudit_rw_lvm_control',` +@@ -2482,35 +2935,35 @@ interface(`dev_dontaudit_rw_lvm_control',` ## ## # 
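Review bot: The new `dev_map_framebuffer` interface (inner hunk `@@ -2126,6 +2561,24 @@`) grants `allow $1 framebuf_device_t:file map;`, but framebuffer nodes under /dev are character devices and the surrounding framebuffer interfaces in devices.if (the `dev_write_framebuffer` context this hunk sits in is one of them) use the chr_file patterns, so a `file` class rule would not allow a domain to mmap() /dev/fb*. The usbmon counterpart added later in this same patch, `dev_map_usbmon_dev`, is written as `allow $1 usbmon_device_t:chr_file map;`, which is the shape this one should follow: `allow $1 framebuf_device_t:chr_file map;`. The /dev/fb entries in devices.fc are outside this diff, so the object class should be confirmed there before changing it.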
@@ -7776,7 +7795,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -2518,62 +2953,53 @@ interface(`dev_dontaudit_getattr_memory_dev',` +@@ -2518,62 +2971,189 @@ interface(`dev_dontaudit_getattr_memory_dev',` ## ## # @@ -7850,41 +7869,33 @@ index 76f285ea6..1de2a51f0 100644 ## -## Read and execute raw memory devices (e.g. /dev/mem). +## Delete the lvm control device. - ## - ## - ## -@@ -2581,32 +3007,168 @@ interface(`dev_write_raw_memory',` - ## - ## - # --interface(`dev_rx_raw_memory',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_delete_lvm_control_dev',` - gen_require(` -- type device_t, memory_device_t; ++ gen_require(` + type device_t, lvm_control_t; - ') - -- dev_read_raw_memory($1) -- allow $1 memory_device_t:chr_file execute; ++ ') ++ + delete_chr_files_pattern($1, device_t, lvm_control_t) - ') - - ######################################## - ## --## Write and execute raw memory devices (e.g. /dev/mem). ++') ++ ++######################################## ++## +## dontaudit getattr raw memory devices (e.g. /dev/mem). - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`dev_wx_raw_memory',` ++## ++## ++# +interface(`dev_dontaudit_getattr_memory_dev',` - gen_require(` -- type device_t, memory_device_t; ++ gen_require(` + type memory_device_t; + ') + 
@@ -7994,35 +8005,19 @@ index 76f285ea6..1de2a51f0 100644 +######################################## +## +## Read and execute raw memory devices (e.g. /dev/mem). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rx_raw_memory',` -+ gen_require(` -+ type device_t, memory_device_t; -+ ') -+ -+ dev_read_raw_memory($1) + ## + ## + ## +@@ -2587,7 +3167,7 @@ interface(`dev_rx_raw_memory',` + ') + + dev_read_raw_memory($1) +- allow $1 memory_device_t:chr_file execute; + allow $1 memory_device_t:chr_file { map execute }; -+') -+ -+######################################## -+## -+## Write and execute raw memory devices (e.g. /dev/mem). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_wx_raw_memory',` -+ gen_require(` -+ type device_t, memory_device_t; + ') + + ######################################## +@@ -2606,7 +3186,7 @@ interface(`dev_wx_raw_memory',` ') dev_write_raw_memory($1) @@ -8031,7 +8026,7 @@ index 76f285ea6..1de2a51f0 100644 ') ######################################## -@@ -2725,7 +3287,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3305,7 @@ interface(`dev_write_misc',` ## ## ## @@ -8040,7 +8035,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## # -@@ -2811,6 +3373,78 @@ interface(`dev_rw_modem',` +@@ -2811,6 +3391,78 @@ interface(`dev_rw_modem',` ######################################## ## @@ -8119,7 +8114,7 @@ index 76f285ea6..1de2a51f0 100644 ## Get the attributes of the mouse devices. ## ## -@@ -2903,20 +3537,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3555,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -8144,7 +8139,7 @@ index 76f285ea6..1de2a51f0 100644 ##
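Review bot: In inner hunk `@@ -2587,7 +3167,7 @@` the `dev_rx_raw_memory` rule becomes `allow $1 memory_device_t:chr_file { map execute };`, yet the interface summary left as context above it still reads `## Read and execute raw memory devices (e.g. /dev/mem).`. Since `map` is the permission that actually permits mmap() of /dev/mem once the map permission is enforced, it is a notable grant and the summary should name it, e.g. `## Read, mmap and execute raw memory devices (e.g. /dev/mem).`. The `dev_wx_raw_memory` interface appears to already carry the same `{ map execute }` set in the existing patch (its changed line falls between this hunk and `@@ -8031,7 +8026,7 @@`), so its summary likely needs the same wording update.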

## ## -@@ -2925,43 +3559,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3577,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -8200,7 +8195,7 @@ index 76f285ea6..1de2a51f0 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3595,32 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3613,32 @@ interface(`dev_write_mtrr',` ## ## # @@ -8236,7 +8231,7 @@ index 76f285ea6..1de2a51f0 100644 ') ######################################## -@@ -3144,44 +3788,43 @@ interface(`dev_create_null_dev',` +@@ -3144,44 +3806,43 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -8292,7 +8287,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -3189,12 +3832,105 @@ interface(`dev_rw_nvram',` +@@ -3189,9 +3850,102 @@ interface(`dev_rw_nvram',` ## ## # @@ -8301,9 +8296,8 @@ index 76f285ea6..1de2a51f0 100644 gen_require(` - type device_t, printer_device_t; + type nvme_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, printer_device_t) ++ ') ++ + read_chr_files_pattern($1, device_t, nvme_device_t) + read_blk_files_pattern($1, device_t, nvme_device_t) +') @@ -8395,13 +8389,10 @@ index 76f285ea6..1de2a51f0 100644 +interface(`dev_getattr_printer_dev',` + gen_require(` + type device_t, printer_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, printer_device_t) - ') + ') - ######################################## -@@ -3254,7 +3990,25 @@ interface(`dev_rw_printer',` + getattr_chr_files_pattern($1, device_t, printer_device_t) +@@ -3254,7 +4008,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -8428,7 +8419,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -3262,12 +4016,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +4034,13 @@ interface(`dev_rw_printer',` ## ## # @@ -8445,7 +8436,7 @@ index 76f285ea6..1de2a51f0 100644 ') ######################################## -@@ -3399,7 +4154,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4172,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## 
@@ -8454,7 +8445,7 @@ index 76f285ea6..1de2a51f0 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4168,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4186,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -8463,7 +8454,7 @@ index 76f285ea6..1de2a51f0 100644 ') ######################################## -@@ -3633,6 +4388,7 @@ interface(`dev_read_sound',` +@@ -3633,6 +4406,7 @@ interface(`dev_read_sound',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8471,7 +8462,7 @@ index 76f285ea6..1de2a51f0 100644 ') ######################################## -@@ -3669,6 +4425,7 @@ interface(`dev_read_sound_mixer',` +@@ -3669,6 +4443,7 @@ interface(`dev_read_sound_mixer',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8479,7 +8470,7 @@ index 76f285ea6..1de2a51f0 100644 ') ######################################## -@@ -3855,7 +4612,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4630,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -8488,7 +8479,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -3863,91 +4620,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4638,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -8599,7 +8590,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -3955,68 +4710,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,68 +4728,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -8678,7 +8669,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4024,114 +4764,97 @@ interface(`dev_rw_sysfs',` +@@ -4024,114 +4782,97 @@ interface(`dev_rw_sysfs',` ## ## # @@ -8823,7 +8814,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4139,35 +4862,50 @@ interface(`dev_getattr_generic_usb_dev',` +@@ -4139,35 +4880,50 @@ interface(`dev_getattr_generic_usb_dev',` ## ## # 
@@ -8882,7 +8873,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4175,12 +4913,278 @@ interface(`dev_read_generic_usb_dev',` +@@ -4175,17 +4931,20 @@ interface(`dev_read_generic_usb_dev',` ## ## # @@ -8894,22 +8885,25 @@ index 76f285ea6..1de2a51f0 100644 ') - rw_chr_files_pattern($1, device_t, usb_device_t) +-') + rw_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + + list_dirs_pattern($1, sysfs_t, sysfs_t) +') -+ -+######################################## -+## + + ######################################## + ## +-## Relabel generic the USB devices. +## Relabel hardware state directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4193,17 +4952,226 @@ interface(`dev_rw_generic_usb_dev',` + ## + ## + # +-interface(`dev_relabel_generic_usb_dev',` +interface(`dev_relabel_sysfs_dirs',` + gen_require(` + type sysfs_t; 
@@ -9120,55 +9114,144 @@ index 76f285ea6..1de2a51f0 100644 +## +# +interface(`dev_setattr_generic_usb_dev',` -+ gen_require(` -+ type usb_device_t; -+ ') -+ + gen_require(` + type usb_device_t; + ') + +- relabel_chr_files_pattern($1, device_t, usb_device_t) + setattr_chr_files_pattern($1, device_t, usb_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read USB monitor devices. +## Read generic the USB devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4211,17 +5179,17 @@ interface(`dev_relabel_generic_usb_dev',` + ## + ## + # +-interface(`dev_read_usbmon_dev',` +interface(`dev_read_generic_usb_dev',` -+ gen_require(` + gen_require(` +- type device_t, usbmon_device_t; + type usb_device_t; -+ ') -+ + ') + +- read_chr_files_pattern($1, device_t, usbmon_device_t) + read_chr_files_pattern($1, device_t, usb_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write USB monitor devices. +## Read and write generic the USB devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4229,17 +5197,17 @@ interface(`dev_read_usbmon_dev',` + ## + ## + # +-interface(`dev_write_usbmon_dev',` +interface(`dev_rw_generic_usb_dev',` -+ gen_require(` + gen_require(` +- type device_t, usbmon_device_t; + type device_t, usb_device_t; -+ ') -+ + ') + +- write_chr_files_pattern($1, device_t, usbmon_device_t) + rw_chr_files_pattern($1, device_t, usb_device_t) ') ######################################## -@@ -4249,33 +5253,462 @@ interface(`dev_write_usbmon_dev',` + ## +-## Mount a usbfs filesystem. ++## Relabel generic the USB devices. 
+ ## + ## + ## +@@ -4247,35 +5215,536 @@ interface(`dev_write_usbmon_dev',` + ## + ## # - interface(`dev_mount_usbfs',` - gen_require(` -- type usbfs_t; +-interface(`dev_mount_usbfs',` ++interface(`dev_relabel_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ relabel_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Read USB monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_usbmon_dev',` ++ gen_require(` ++ type device_t, usbmon_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, usbmon_device_t) ++') ++ ++######################################## ++## ++## Mmap USB monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_map_usbmon_dev',` ++ gen_require(` ++ type usbmon_device_t; ++ ') ++ ++ allow $1 usbmon_device_t:chr_file map; ++') ++ ++######################################## ++## ++## Write USB monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_usbmon_dev',` ++ gen_require(` ++ type device_t, usbmon_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, usbmon_device_t) ++') ++ ++######################################## ++## ++## Mount a usbfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_mount_usbfs',` ++ gen_require(` + type usbfs_t; + ') + @@ -9597,7 +9680,8 @@ index 76f285ea6..1de2a51f0 100644 +## +# +interface(`dev_rw_vfio_dev',` -+ gen_require(` + gen_require(` +- type usbfs_t; + type device_t, vfio_device_t; ') @@ -9636,7 +9720,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4283,36 +5716,35 @@ interface(`dev_associate_usbfs',` +@@ -4283,36 +5752,35 @@ interface(`dev_associate_usbfs',` ## ## # 
@@ -9682,7 +9766,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4320,17 +5752,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',` +@@ -4320,17 +5788,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',` ## ## # @@ -9705,7 +9789,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4338,20 +5771,17 @@ interface(`dev_search_usbfs',` +@@ -4338,20 +5807,17 @@ interface(`dev_search_usbfs',` ## ## # @@ -9730,7 +9814,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4359,19 +5789,17 @@ interface(`dev_list_usbfs',` +@@ -4359,19 +5825,17 @@ interface(`dev_list_usbfs',` ## ## # @@ -9754,7 +9838,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4379,19 +5807,17 @@ interface(`dev_setattr_usbfs_files',` +@@ -4379,19 +5843,17 @@ interface(`dev_setattr_usbfs_files',` ## ## # @@ -9778,7 +9862,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4399,19 +5825,17 @@ interface(`dev_read_usbfs',` +@@ -4399,19 +5861,17 @@ interface(`dev_read_usbfs',` ## ## # @@ -9802,7 +9886,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4419,17 +5843,18 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5879,18 @@ interface(`dev_rw_usbfs',` ## ## # @@ -9826,7 +9910,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4437,36 +5862,41 @@ interface(`dev_getattr_video_dev',` +@@ -4437,36 +5898,41 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -9878,7 +9962,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4474,36 +5904,35 @@ interface(`dev_dontaudit_getattr_video_dev',` +@@ -4474,36 +5940,35 @@ interface(`dev_dontaudit_getattr_video_dev',` ## ## # @@ -9924,7 +10008,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4511,35 +5940,36 @@ interface(`dev_dontaudit_setattr_video_dev',` +@@ -4511,35 +5976,36 @@ interface(`dev_dontaudit_setattr_video_dev',` ## ## # @@ -9970,7 +10054,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4547,17 +5977,19 @@ interface(`dev_write_video_dev',` +@@ -4547,17 +6013,19 @@ interface(`dev_write_video_dev',` ## ## # 
@@ -9994,7 +10078,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4565,17 +5997,17 @@ interface(`dev_rw_vhost',` +@@ -4565,17 +6033,17 @@ interface(`dev_rw_vhost',` ## ## # @@ -10016,7 +10100,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4583,18 +6015,18 @@ interface(`dev_rw_vmware',` +@@ -4583,18 +6051,18 @@ interface(`dev_rw_vmware',` ## ## # @@ -10040,7 +10124,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4602,17 +6034,18 @@ interface(`dev_rwx_vmware',` +@@ -4602,17 +6070,18 @@ interface(`dev_rwx_vmware',` ## ## # @@ -10063,7 +10147,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4620,17 +6053,17 @@ interface(`dev_read_watchdog',` +@@ -4620,17 +6089,17 @@ interface(`dev_read_watchdog',` ## ## # @@ -10085,7 +10169,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4638,35 +6071,36 @@ interface(`dev_write_watchdog',` +@@ -4638,35 +6107,36 @@ interface(`dev_write_watchdog',` ## ## # @@ -10131,7 +10215,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4674,41 +6108,35 @@ interface(`dev_rw_xen',` +@@ -4674,41 +6144,35 @@ interface(`dev_rw_xen',` ## ## # @@ -10181,7 +10265,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4716,17 +6144,17 @@ interface(`dev_filetrans_xen',` +@@ -4716,17 +6180,17 @@ interface(`dev_filetrans_xen',` ## ## # @@ -10203,7 +10287,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4734,17 +6162,18 @@ interface(`dev_getattr_xserver_misc_dev',` +@@ -4734,17 +6198,18 @@ interface(`dev_getattr_xserver_misc_dev',` ## ## # @@ -10226,7 +10310,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4752,17 +6181,17 @@ interface(`dev_setattr_xserver_misc_dev',` +@@ -4752,17 +6217,17 @@ interface(`dev_setattr_xserver_misc_dev',` ## ## # @@ -10248,7 +10332,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4770,17 +6199,17 @@ interface(`dev_rw_xserver_misc',` +@@ -4770,17 +6235,17 @@ interface(`dev_rw_xserver_misc',` ## ## # 
@@ -10270,7 +10354,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4788,18 +6217,17 @@ interface(`dev_rw_zero',` +@@ -4788,18 +6253,17 @@ interface(`dev_rw_zero',` ## ## # @@ -10293,7 +10377,7 @@ index 76f285ea6..1de2a51f0 100644 ## ## ## -@@ -4807,47 +6235,912 @@ interface(`dev_rwx_zero',` +@@ -4807,47 +6271,912 @@ interface(`dev_rwx_zero',` ## ## # @@ -17439,7 +17523,7 @@ index d7c11a0b3..f521a50f8 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb43..0444eacf4 100644 +index 8416beb43..1cc0d9ad9 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` @@ -17779,7 +17863,35 @@ index 8416beb43..0444eacf4 100644 ') ######################################## -@@ -1542,48 +1740,48 @@ interface(`fs_cifs_domtrans',` +@@ -1363,6 +1561,27 @@ interface(`fs_exec_cifs_files',` + + ######################################## + ## ++## Mmap files on a CIFS or SMB ++## network filesystem, in the caller ++## domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_map_cifs_files',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:file map; ++') ++ ++######################################## ++## + ## Create, read, write, and delete directories + ## on a CIFS or SMB network filesystem. + ## +@@ -1542,48 +1761,48 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -17845,7 +17957,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -1591,19 +1789,18 @@ interface(`fs_manage_configfs_files',` +@@ -1591,19 +1810,18 @@ interface(`fs_manage_configfs_files',` ## ## # @@ -17871,7 +17983,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -1611,18 +1808,18 @@ interface(`fs_mount_dos_fs',` +@@ -1611,18 +1829,18 @@ interface(`fs_mount_dos_fs',` ## ## # 
@@ -17896,7 +18008,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -1630,38 +1827,37 @@ interface(`fs_remount_dos_fs',` +@@ -1630,38 +1848,37 @@ interface(`fs_remount_dos_fs',` ## ## # @@ -17947,7 +18059,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -1669,17 +1865,18 @@ interface(`fs_getattr_dos_fs',` +@@ -1669,17 +1886,18 @@ interface(`fs_getattr_dos_fs',` ## ## # @@ -17971,7 +18083,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -1687,17 +1884,17 @@ interface(`fs_relabelfrom_dos_fs',` +@@ -1687,17 +1905,17 @@ interface(`fs_relabelfrom_dos_fs',` ## ## # @@ -17993,7 +18105,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -1705,18 +1902,18 @@ interface(`fs_search_dos',` +@@ -1705,18 +1923,151 @@ interface(`fs_search_dos',` ## ## # 
@@ -18014,60 +18126,52 @@ index 8416beb43..0444eacf4 100644 -## on a DOS filesystem. +## Mount a DOS filesystem, such as +## FAT32 or NTFS. - ## - ## - ## -@@ -1724,17 +1921,19 @@ interface(`fs_list_dos',` - ## - ## - # --interface(`fs_manage_dos_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mount_dos_fs',` - gen_require(` - type dosfs_t; - ') - -- manage_dirs_pattern($1, dosfs_t, dosfs_t) ++ gen_require(` ++ type dosfs_t; ++ ') ++ + allow $1 dosfs_t:filesystem mount; - ') - - ######################################## - ## --## Read files on a DOS filesystem. ++') ++ ++######################################## ++## +## Remount a DOS filesystem, such as +## FAT32 or NTFS. This allows +## some mount options to be changed. - ## - ## - ## -@@ -1742,18 +1941,18 @@ interface(`fs_manage_dos_dirs',` - ## - ## - # --interface(`fs_read_dos_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_remount_dos_fs',` - gen_require(` - type dosfs_t; - ') - -- read_files_pattern($1, dosfs_t, dosfs_t) ++ gen_require(` ++ type dosfs_t; ++ ') ++ + allow $1 dosfs_t:filesystem remount; - ') - - ######################################## - ## --## Create, read, write, and delete files --## on a DOS filesystem. ++') ++ ++######################################## ++## +## Unmount a DOS filesystem, such as +## FAT32 or NTFS. - ## - ## - ## -@@ -1761,7 +1960,138 @@ interface(`fs_read_dos_files',` - ## - ## - # --interface(`fs_manage_dos_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_unmount_dos_fs',` + gen_require(` + type dosfs_t; @@ -18155,6 +18259,14 @@ index 8416beb43..0444eacf4 100644 +## +## Create, read, write, and delete dirs +## on a DOS filesystem. + ## + ## + ## +@@ -1734,6 +2085,24 @@ interface(`fs_manage_dos_dirs',` + + ######################################## + ## ++## Mmap files on a DOS filesystem. +## +## +## 
@@ -18162,48 +18274,20 @@ index 8416beb43..0444eacf4 100644 +## +## +# -+interface(`fs_manage_dos_dirs',` ++interface(`fs_map_dos_files',` + gen_require(` + type dosfs_t; + ') + -+ manage_dirs_pattern($1, dosfs_t, dosfs_t) ++ allow $1 dosfs_t:file map; +') + +######################################## +## -+## Read files on a DOS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_dos_files',` -+ gen_require(` -+ type dosfs_t; -+ ') -+ -+ read_files_pattern($1, dosfs_t, dosfs_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete files -+## on a DOS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_manage_dos_files',` - gen_require(` - type dosfs_t; - ') -@@ -1793,45 +2123,110 @@ interface(`fs_read_eventpollfs',` + ## Read files on a DOS filesystem. + ## + ## +@@ -1793,137 +2162,336 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -18302,39 +18386,46 @@ index 8416beb43..0444eacf4 100644 +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_manage_ecryptfs_files',` -+ gen_require(` -+ type ecryptfs_t; -+ ') -+ -+ dontaudit $1 ecryptfs_t:file manage_file_perms; -+') -+ -+######################################## -+## -+## Read symbolic links on a FUSEFS filesystem. ## ## ## -@@ -1839,115 +2234,875 @@ interface(`fs_unmount_fusefs',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`fs_mounton_fusefs',` -+interface(`fs_read_ecryptfs_symlinks',` ++interface(`fs_dontaudit_manage_ecryptfs_files',` gen_require(` - type fusefs_t; + type ecryptfs_t; ') - allow $1 fusefs_t:dir mounton; ++ dontaudit $1 ecryptfs_t:file manage_file_perms; + ') + + ######################################## + ## +-## Search directories +-## on a FUSEFS filesystem. ++## Read symbolic links on a FUSEFS filesystem. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_search_fusefs',` ++interface(`fs_read_ecryptfs_symlinks',` + gen_require(` +- type fusefs_t; ++ type ecryptfs_t; + ') + +- allow $1 fusefs_t:dir search_dir_perms; + allow $1 ecryptfs_t:dir list_dir_perms; + read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) +') 
@@ -18358,32 +18449,32 @@ index 8416beb43..0444eacf4 100644 ######################################## ## --## Search directories --## on a FUSEFS filesystem. +-## Do not audit attempts to list the contents +-## of directories on a FUSEFS filesystem. +## Manage symbolic links on a FUSEFS filesystem. ## ## ## - ## Domain allowed access. +-## Domain to not audit. ++## Domain allowed access. ## ## --## # --interface(`fs_search_fusefs',` +-interface(`fs_dontaudit_list_fusefs',` +interface(`fs_manage_ecryptfs_symlinks',` gen_require(` - type fusefs_t; + type ecryptfs_t; ') -- allow $1 fusefs_t:dir search_dir_perms; +- dontaudit $1 fusefs_t:dir list_dir_perms; + manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) ') ######################################## ## --## Do not audit attempts to list the contents --## of directories on a FUSEFS filesystem. +-## Create, read, write, and delete directories +-## on a FUSEFS filesystem. +## Execute a file on a FUSE filesystem +## in the specified domain. ## @@ -18408,7 +18499,7 @@ index 8416beb43..0444eacf4 100644 +## ## ## --## Domain to not audit. +-## Domain allowed access. +## Domain allowed to transition. +## +## 
@@ -18417,48 +18508,26 @@ index 8416beb43..0444eacf4 100644 +## The type of the new process. ## ## +-## # --interface(`fs_dontaudit_list_fusefs',` +-interface(`fs_manage_fusefs_dirs',` +interface(`fs_ecryptfs_domtrans',` gen_require(` - type fusefs_t; + type ecryptfs_t; ') -- dontaudit $1 fusefs_t:dir list_dir_perms; +- allow $1 fusefs_t:dir manage_dir_perms; + allow $1 ecryptfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, ecryptfs_t, $2) ') - ######################################## - ## --## Create, read, write, and delete directories --## on a FUSEFS filesystem. -+## Mount a FUSE filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_manage_fusefs_dirs',` -+interface(`fs_mount_fusefs',` - gen_require(` - type fusefs_t; - ') - -- allow $1 fusefs_t:dir manage_dir_perms; -+ allow $1 fusefs_t:filesystem mount; - ') - ######################################## ## -## Do not audit attempts to create, read, -## write, and delete directories -## on a FUSEFS filesystem. -+## Unmount a FUSE filesystem. ++## Mount a FUSE filesystem. ## ## ## @@ -18468,18 +18537,35 @@ index 8416beb43..0444eacf4 100644 ## # -interface(`fs_dontaudit_manage_fusefs_dirs',` -+interface(`fs_unmount_fusefs',` ++interface(`fs_mount_fusefs',` gen_require(` type fusefs_t; ') - dontaudit $1 fusefs_t:dir manage_dir_perms; ++ allow $1 fusefs_t:filesystem mount; ++') ++ ++######################################## ++## ++## Unmount a FUSE filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:filesystem unmount; - ') - - ######################################## - ## --## Read, a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Mounton a FUSEFS filesystem. +## +## 
@@ -18573,17 +18659,14 @@ index 8416beb43..0444eacf4 100644 + ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Read, a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ') + + ######################################## +@@ -1935,19 +2503,645 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` + ## Domain allowed access. + ## + ## +-## +## +# +interface(`fs_read_fusefs_files',` @@ -19204,13 +19287,12 @@ index 8416beb43..0444eacf4 100644 +## +## Unmount an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## # -interface(`fs_read_fusefs_files',` +interface(`fs_unmount_iso9660_fs',` @@ -19231,7 +19313,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -1956,57 +3111,59 @@ interface(`fs_read_fusefs_files',` +@@ -1956,57 +3150,59 @@ interface(`fs_read_fusefs_files',` ## ## # @@ -19308,7 +19390,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2014,19 +3171,17 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,19 +3210,17 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # @@ -19332,7 +19414,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2034,17 +3189,17 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2034,17 +3228,17 @@ interface(`fs_read_fusefs_symlinks',` ## ## # @@ -19354,7 +19436,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2052,17 +3207,17 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +3246,17 @@ interface(`fs_getattr_hugetlbfs',` ## ## # @@ -19376,7 +19458,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2070,17 +3225,17 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +3264,17 @@ interface(`fs_list_hugetlbfs',` ## ## # @@ -19398,7 +19480,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2088,35 +3243,39 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +3282,39 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # 
@@ -19448,7 +19530,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2124,89 +3283,78 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,89 +3322,78 @@ interface(`fs_associate_hugetlbfs',` ## ## # @@ -19569,7 +19651,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2214,19 +3362,21 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3401,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # @@ -19597,7 +19679,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2234,18 +3384,19 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3423,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -19622,7 +19704,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2253,38 +3404,41 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3443,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # @@ -19676,7 +19758,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2292,19 +3446,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3485,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -19704,7 +19786,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2312,16 +3468,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3507,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -19725,7 +19807,7 @@ index 8416beb43..0444eacf4 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3553,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3592,24 @@ interface(`fs_getattr_nfs',` ######################################## ## @@ -19750,7 +19832,7 @@ index 8416beb43..0444eacf4 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3658,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3697,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -19758,7 +19840,7 @@ index 8416beb43..0444eacf4 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,73 +3692,148 @@ interface(`fs_dontaudit_read_nfs_files',` +@@ -2518,73 +3731,148 @@ interface(`fs_dontaudit_read_nfs_files',` ## ## # 
@@ -19926,7 +20008,7 @@ index 8416beb43..0444eacf4 100644 ') ######################################## -@@ -2603,7 +3852,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3891,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -19935,7 +20017,7 @@ index 8416beb43..0444eacf4 100644 ') ######################################## -@@ -2627,7 +3876,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3915,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -19944,7 +20026,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -2719,6 +3968,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +4007,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -20010,7 +20092,7 @@ index 8416beb43..0444eacf4 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +4049,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +4088,7 @@ interface(`fs_search_removable',` ## ## ## @@ -20019,7 +20101,7 @@ index 8416beb43..0444eacf4 100644 ## ## # -@@ -2777,7 +4085,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +4124,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -20028,7 +20110,7 @@ index 8416beb43..0444eacf4 100644 ## ## # -@@ -2970,6 +4278,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4317,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -20036,7 +20118,7 @@ index 8416beb43..0444eacf4 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,11 +4319,31 @@ interface(`fs_manage_nfs_files',` +@@ -3010,11 +4358,31 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -20068,7 +20150,7 @@ index 8416beb43..0444eacf4 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a NFS filesystem. -@@ -3050,6 +4379,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4418,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') 
@@ -20076,7 +20158,7 @@ index 8416beb43..0444eacf4 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4467,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4506,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -20101,7 +20183,7 @@ index 8416beb43..0444eacf4 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3239,15 +4587,198 @@ interface(`fs_search_nfsd_fs',` +@@ -3239,15 +4626,198 @@ interface(`fs_search_nfsd_fs',` # interface(`fs_list_nfsd_fs',` gen_require(` @@ -20303,7 +20385,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3255,35 +4786,35 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,35 +4825,35 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -20348,7 +20430,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3291,12 +4822,12 @@ interface(`fs_rw_nfsd_fs',` +@@ -3291,12 +4861,12 @@ interface(`fs_rw_nfsd_fs',` ## ## # @@ -20364,7 +20446,7 @@ index 8416beb43..0444eacf4 100644 ') ######################################## -@@ -3392,7 +4923,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4962,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20373,7 +20455,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3429,7 +4960,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4999,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20382,7 +20464,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3447,7 +4978,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +5017,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20391,7 +20473,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3779,6 +5310,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5349,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## 
@@ -20416,7 +20498,7 @@ index 8416beb43..0444eacf4 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5364,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5403,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20441,7 +20523,7 @@ index 8416beb43..0444eacf4 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5475,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5514,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20450,7 +20532,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3916,17 +5483,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5522,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20471,7 +20553,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3934,17 +5501,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5540,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20492,7 +20574,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3952,17 +5519,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5558,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20532,7 +20614,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -3970,31 +5556,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5595,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20588,7 +20670,7 @@ index 8416beb43..0444eacf4 100644 ') ######################################## -@@ -4057,23 +5660,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5699,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20765,7 +20847,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -4081,18 +5831,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5870,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20788,7 +20870,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -4100,54 +5850,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5889,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # 
@@ -20855,7 +20937,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -4155,17 +5904,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5943,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -20877,7 +20959,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -4173,17 +5923,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5962,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -20899,7 +20981,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -4191,37 +5942,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5981,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -20945,7 +21027,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -4229,18 +5979,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +6018,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -20967,7 +21049,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -4248,18 +5998,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +6037,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -20991,7 +21073,7 @@ index 8416beb43..0444eacf4 100644 ## ## ## -@@ -4267,32 +6018,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +6057,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -21030,7 +21112,7 @@ index 8416beb43..0444eacf4 100644 ') ######################################## -@@ -4407,6 +6157,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6196,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -21056,7 +21138,7 @@ index 8416beb43..0444eacf4 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6272,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6311,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -21065,7 +21147,7 @@ index 8416beb43..0444eacf4 100644 ') ######################################## -@@ -4549,7 +6320,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6359,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -21074,7 +21156,7 @@ index 8416beb43..0444eacf4 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6367,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6406,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21101,7 +21183,7 @@ index 8416beb43..0444eacf4 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6462,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6501,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21127,7 +21209,7 @@ index 8416beb43..0444eacf4 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6722,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6761,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -26193,7 +26275,7 @@ index ff9243078..36740eab3 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6c0..c8ef8c8e4 100644 +index 2522ca6c0..b1c6b714d 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1) @@ -26561,7 +26643,7 @@ index 2522ca6c0..c8ef8c8e4 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +410,46 @@ optional_policy(` +@@ -266,35 +410,47 @@ optional_policy(` ') optional_policy(` @@ -26588,6 +26670,7 @@ index 2522ca6c0..c8ef8c8e4 100644 optional_policy(` - rpc_domtrans_nfsd(sysadm_t) + puppet_run_puppetca(sysadm_t, sysadm_r) ++ puppet_run(sysadm_t, sysadm_r) ') optional_policy(` @@ -26615,7 +26698,7 @@ index 2522ca6c0..c8ef8c8e4 100644 ') optional_policy(` -@@ -308,6 +463,7 @@ optional_policy(` +@@ -308,6 +464,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -26623,7 +26706,7 @@ index 2522ca6c0..c8ef8c8e4 100644 ') optional_policy(` -@@ -315,12 +471,20 @@ optional_policy(` +@@ -315,12 +472,20 @@ optional_policy(` ') optional_policy(` 
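Review bot: The only substantive policy change in the sysadm.te hunks is the new `++ puppet_run(sysadm_t, sysadm_r)` line added next to `puppet_run_puppetca` in the `@@ -26588,6 +26670,7 @@` hunk; every other hunk in this file section only renumbers inner hunk headers. It sits inside the same `optional_policy` block as the puppetca call, so it is guarded by the puppet module being present, but nothing on the page records why sysadm_r now needs the full `puppet_run` interface (presumably a domain transition plus role allow, following the refpolicy `*_run` convention) in addition to puppetca. A one-line comment above the call, e.g. `# sysadm_r runs the puppet agent directly, not only puppetca (see <tracker-id>)`, would make the intent visible to the next rebase. The inner header `+@@ -266,35 +410,47 @@` has its new-side count bumped from 46 to 47 to match, so the patch should still apply cleanly (inferred from the count change alone).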
@@ -26645,7 +26728,7 @@ index 2522ca6c0..c8ef8c8e4 100644 ') optional_policy(` -@@ -345,30 +509,38 @@ optional_policy(` +@@ -345,30 +510,38 @@ optional_policy(` ') optional_policy(` @@ -26693,7 +26776,7 @@ index 2522ca6c0..c8ef8c8e4 100644 ') optional_policy(` -@@ -380,10 +552,6 @@ optional_policy(` +@@ -380,10 +553,6 @@ optional_policy(` ') optional_policy(` @@ -26704,7 +26787,7 @@ index 2522ca6c0..c8ef8c8e4 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +559,9 @@ optional_policy(` +@@ -391,6 +560,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -26714,7 +26797,7 @@ index 2522ca6c0..c8ef8c8e4 100644 ') optional_policy(` -@@ -398,31 +569,34 @@ optional_policy(` +@@ -398,31 +570,34 @@ optional_policy(` ') optional_policy(` @@ -26755,7 +26838,7 @@ index 2522ca6c0..c8ef8c8e4 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +609,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +610,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -26766,7 +26849,7 @@ index 2522ca6c0..c8ef8c8e4 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +629,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +630,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -30529,7 +30612,7 @@ index 8274418c6..a47fd0b4d 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc2d..75b2f31f9 100644 +index 6bf0ecc2d..a6b6087eb 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ 
@@ -31033,7 +31116,7 @@ index 6bf0ecc2d..75b2f31f9 100644 ') ######################################## -@@ -765,11 +816,92 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,16 +816,19 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` 
@@ -31046,93 +31129,330 @@ index 6bf0ecc2d..75b2f31f9 100644 + files_search_pids($1) + stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t) + userdom_stream_connect($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read xdm-writable configuration files. +## Allow domain to append XDM unix domain +## stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -782,18 +836,18 @@ interface(`xserver_stream_connect_xdm',` + ## + ## + # +-interface(`xserver_read_xdm_rw_config',` + +interface(`xserver_append_xdm_stream_socket',` -+ gen_require(` + gen_require(` +- type xdm_rw_etc_t; + type xdm_t; -+ ') -+ + ') + +- files_search_etc($1) +- allow $1 xdm_rw_etc_t:file read_file_perms; + allow $1 xdm_t:unix_stream_socket append; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set the attributes of XDM temporary directories. +## Read XDM files in user home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -801,18 +855,18 @@ interface(`xserver_read_xdm_rw_config',` + ## + ## + # +-interface(`xserver_setattr_xdm_tmp_dirs',` +interface(`xserver_read_xdm_home_files',` -+ gen_require(` + gen_require(` +- type xdm_tmp_t; + type xdm_home_t; -+ ') -+ + ') + +- allow $1 xdm_tmp_t:dir setattr; + userdom_search_user_home_dirs($1) + allow $1 xdm_home_t:file read_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create a named socket in a XDM +-## temporary directory. +## Read xserver configuration files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -820,19 +874,19 @@ interface(`xserver_setattr_xdm_tmp_dirs',` + ## + ## + # +-interface(`xserver_create_xdm_tmp_sockets',` +interface(`xserver_read_config',` -+ gen_require(` + gen_require(` +- type xdm_tmp_t; + type xserver_etc_t; -+ ') -+ + ') + +- files_search_tmp($1) +- allow $1 xdm_tmp_t:dir list_dir_perms; +- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + files_search_etc($1) + read_files_pattern($1, xserver_etc_t, xserver_etc_t) + read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read XDM pid files. +## Manage xserver configuration files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -840,18 +894,19 @@ interface(`xserver_create_xdm_tmp_sockets',` + ## + ## + # +-interface(`xserver_read_xdm_pid',` +interface(`xserver_manage_config',` -+ gen_require(` + gen_require(` +- type xdm_var_run_t; + type xserver_etc_t; -+ ') -+ + ') + +- files_search_pids($1) +- allow $1 xdm_var_run_t:file read_file_perms; + files_search_etc($1) + manage_files_pattern($1, xserver_etc_t, xserver_etc_t) + manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) ') ######################################## -@@ -793,6 +925,21 @@ interface(`xserver_read_xdm_rw_config',` + ## +-## Read XDM var lib files. ++## Read xdm-writable configuration files. + ## + ## + ## +@@ -859,110 +914,79 @@ interface(`xserver_read_xdm_pid',` + ## + ## + # +-interface(`xserver_read_xdm_lib_files',` ++interface(`xserver_read_xdm_rw_config',` + gen_require(` +- type xdm_var_lib_t; ++ type xdm_rw_etc_t; + ') + +- allow $1 xdm_var_lib_t:file read_file_perms; ++ files_search_etc($1) ++ allow $1 xdm_rw_etc_t:file read_file_perms; + ') ######################################## ## +-## Make an X session script an entrypoint for the specified domain. +## Search XDM temporary directories. 
+ ## + ## + ## +-## The domain for which the shell is an entrypoint. ++## Domain allowed access. + ## + ## + # +-interface(`xserver_xsession_entry_type',` +- gen_require(` +- type xsession_exec_t; +- ') +- +- domain_entry_file($1, xsession_exec_t) ++interface(`xserver_search_xdm_tmp_dirs',` ++ refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.') ++ userdom_search_user_tmp_dirs($1) + ') + + ######################################## + ## +-## Execute an X session in the target domain. This +-## is an explicit transition, requiring the +-## caller to use setexeccon(). ++## Set the attributes of XDM temporary directories. + ## +-## +-##

    +-## Execute an Xsession in the target domain. This +-## is an explicit transition, requiring the +-## caller to use setexeccon(). +-##

    +-##

    +-## No interprocess communication (signals, pipes, +-## etc.) is provided by this interface since +-## the domains are not owned by this module. +-##

    +-##
    + ## + ## +-## Domain allowed to transition. +-## +-## +-## +-## +-## The type of the shell process. ++## Domain allowed access. + ## + ## + # +-interface(`xserver_xsession_spec_domtrans',` +- gen_require(` +- type xsession_exec_t; +- ') +- +- domain_trans($1, xsession_exec_t, $2) ++interface(`xserver_setattr_xdm_tmp_dirs',` ++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') ++ userdom_dontaudit_setattr_user_tmp($1) + ') + + ######################################## + ## +-## Get the attributes of X server logs. ++## Dont audit attempts to set the attributes of XDM temporary directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`xserver_getattr_log',` +- gen_require(` +- type xserver_log_t; +- ') +- +- logging_search_logs($1) +- allow $1 xserver_log_t:file getattr; ++interface(`xserver_dontaudit_xdm_tmp_dirs',` ++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') ++ userdom_dontaudit_setattr_user_tmp($1) + ') + + ######################################## + ## +-## Do not audit attempts to write the X server +-## log files. ++## Create a named socket in a XDM ++## temporary directory. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`xserver_dontaudit_write_log',` +- gen_require(` +- type xserver_log_t; +- ') +- +- dontaudit $1 xserver_log_t:file { append write }; ++interface(`xserver_create_xdm_tmp_sockets',` ++ refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.') ++ userdom_create_user_tmp_sockets($1) + ') + + ######################################## + ## +-## Delete X server log files. ++## Read XDM pid files. 
+ ## + ## + ## +@@ -970,20 +994,18 @@ interface(`xserver_dontaudit_write_log',` + ## + ## + # +-interface(`xserver_delete_log',` ++interface(`xserver_read_xdm_pid',` + gen_require(` +- type xserver_log_t; ++ type xdm_var_run_t; + ') + +- logging_search_logs($1) +- allow $1 xserver_log_t:dir list_dir_perms; +- delete_files_pattern($1, xserver_log_t, xserver_log_t) +- delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) ++ files_search_pids($1) ++ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) + ') + + ######################################## + ## +-## Read X keyboard extension libraries. ++## Mmap XDM pid files. + ## + ## + ## +@@ -991,39 +1013,562 @@ interface(`xserver_delete_log',` + ## + ## + # +-interface(`xserver_read_xkb_libs',` ++interface(`xserver_map_xdm_pid',` + gen_require(` +- type xkb_var_lib_t; ++ type xdm_var_run_t; + ') + +- files_search_var_lib($1) +- allow $1 xkb_var_lib_t:dir list_dir_perms; +- read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) +- read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ++ allow $1 xdm_var_run_t:file map; + ') + +-######################################## ++###################################### + ## +-## Read xdm temporary files. ++## Dontaudit Read XDM pid files. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain to not audit. ++## + ## + # +-interface(`xserver_read_xdm_tmp_files',` +- gen_require(` +- type xdm_tmp_t; +- ') ++interface(`xserver_dontaudit_read_xdm_pid',` ++ gen_require(` ++ type xdm_var_run_t; ++ ') + +- files_search_tmp($1) +- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ dontaudit $1 xdm_var_run_t:dir search_dir_perms; ++ dontaudit $1 xdm_var_run_t:file read_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to read xdm temporary files. ++## Read XDM var lib files. +## +## +## 
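Review bot: On the new side of this xserver.if hunk, `xserver_setattr_xdm_tmp_dirs` is deprecated into a body that only calls `userdom_dontaudit_setattr_user_tmp($1)`, and its refpolicywarn points callers at that same dontaudit interface, so a caller that previously relied on this interface for `setattr` on XDM temp dirs silently loses the permission and, presumably, the resulting denial is not audited either — hard to diagnose when something stops working. `xserver_dontaudit_xdm_tmp_dirs` directly below it has the identical body and warning text, so the two are now duplicates. This looks carried over from the earlier revision of the patch (the same lines appear on the removed side in a later hunk) rather than introduced by this rebase, but while the block is being moved it would be worth either pointing the warning at an allow interface, if the userdom module provides one (not visible here), or stating the change of behaviour in the interface doc, e.g. `## Deprecated: no longer grants setattr; the attempt is only silenced.`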
@@ -31140,93 +31460,11 @@ index 6bf0ecc2d..75b2f31f9 100644 +## +## +# -+interface(`xserver_search_xdm_tmp_dirs',` -+ refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.') -+ userdom_search_user_tmp_dirs($1) -+') ++interface(`xserver_read_xdm_lib_files',` ++ gen_require(` ++ type xdm_var_lib_t; ++ ') + -+######################################## -+## - ## Set the attributes of XDM temporary directories. - ## - ## -@@ -802,11 +949,23 @@ interface(`xserver_read_xdm_rw_config',` - ## - # - interface(`xserver_setattr_xdm_tmp_dirs',` -- gen_require(` -- type xdm_tmp_t; -- ') -+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') -+ userdom_dontaudit_setattr_user_tmp($1) -+') - -- allow $1 xdm_tmp_t:dir setattr; -+######################################## -+## -+## Dont audit attempts to set the attributes of XDM temporary directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`xserver_dontaudit_xdm_tmp_dirs',` -+ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') -+ userdom_dontaudit_setattr_user_tmp($1) - ') - - ######################################## -@@ -821,13 +980,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',` - ## - # - interface(`xserver_create_xdm_tmp_sockets',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- files_search_tmp($1) -- allow $1 xdm_tmp_t:dir list_dir_perms; -- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.') -+ userdom_create_user_tmp_sockets($1) - ') - - ######################################## -@@ -846,7 +1000,26 @@ interface(`xserver_read_xdm_pid',` - ') - - files_search_pids($1) -- allow $1 xdm_var_run_t:file read_file_perms; -+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) -+') -+ -+###################################### -+## -+## Dontaudit Read XDM pid files. 
-+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`xserver_dontaudit_read_xdm_pid',` -+ gen_require(` -+ type xdm_var_run_t; -+ ') -+ -+ dontaudit $1 xdm_var_run_t:dir search_dir_perms; -+ dontaudit $1 xdm_var_run_t:file read_file_perms; - ') - - ######################################## -@@ -864,7 +1037,26 @@ interface(`xserver_read_xdm_lib_files',` - type xdm_var_lib_t; - ') - -- allow $1 xdm_var_lib_t:file read_file_perms; + read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) + read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) +') @@ -31247,27 +31485,87 @@ index 6bf0ecc2d..75b2f31f9 100644 + ') + + allow $1 xdm_var_lib_t:file { read_inherited_file_perms map }; - ') - - ######################################## -@@ -938,17 +1130,36 @@ interface(`xserver_getattr_log',` - ') - - logging_search_logs($1) -- allow $1 xserver_log_t:file getattr; ++') ++ ++######################################## ++## ++## Make an X session script an entrypoint for the specified domain. ++## ++## ++## ++## The domain for which the shell is an entrypoint. ++## ++## ++# ++interface(`xserver_xsession_entry_type',` ++ gen_require(` ++ type xsession_exec_t; ++ ') ++ ++ domain_entry_file($1, xsession_exec_t) ++') ++ ++######################################## ++## ++## Execute an X session in the target domain. This ++## is an explicit transition, requiring the ++## caller to use setexeccon(). ++## ++## ++##

    ++## Execute an Xsession in the target domain. This ++## is an explicit transition, requiring the ++## caller to use setexeccon(). ++##

    ++##

    ++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

    ++##
    ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the shell process. ++## ++## ++# ++interface(`xserver_xsession_spec_domtrans',` ++ gen_require(` ++ type xsession_exec_t; ++ ') ++ ++ domain_trans($1, xsession_exec_t, $2) ++') ++ ++######################################## ++## ++## Get the attributes of X server logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_getattr_log',` ++ gen_require(` ++ type xserver_log_t; ++ ') ++ ++ logging_search_logs($1) + allow $1 xserver_log_t:file getattr_file_perms; - ') - --######################################## ++') ++ +####################################### - ## --## Do not audit attempts to write the X server --## log files. ++## +## Allow domain to read X server logs. - ## - ## --## --## Domain to not audit. ++## ++## +## +## Domain allowed access. +## 
@@ -31290,83 +31588,108 @@ index 6bf0ecc2d..75b2f31f9 100644 +## +## +## Domain to not audit. - ## - ## - # -@@ -957,7 +1168,7 @@ interface(`xserver_dontaudit_write_log',` - type xserver_log_t; - ') - -- dontaudit $1 xserver_log_t:file { append write }; ++## ++## ++# ++interface(`xserver_dontaudit_write_log',` ++ gen_require(` ++ type xserver_log_t; ++ ') ++ + dontaudit $1 xserver_log_t:file rw_inherited_file_perms; - ') - - ######################################## -@@ -1004,7 +1215,7 @@ interface(`xserver_read_xkb_libs',` - - ######################################## - ## --## Read xdm temporary files. -+## Manage X keyboard extension libraries. - ## - ## - ## -@@ -1012,51 +1223,117 @@ interface(`xserver_read_xkb_libs',` - ## - ## - # --interface(`xserver_read_xdm_tmp_files',` -+interface(`xserver_manage_xkb_libs',` - gen_require(` -- type xdm_tmp_t; ++') ++ ++######################################## ++## ++## Delete X server log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_delete_log',` ++ gen_require(` ++ type xserver_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 xserver_log_t:dir list_dir_perms; ++ delete_files_pattern($1, xserver_log_t, xserver_log_t) ++ delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) ++') ++ ++######################################## ++## ++## Read X keyboard extension libraries. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_read_xkb_libs',` ++ gen_require(` + type xkb_var_lib_t; - ') - -- files_search_tmp($1) -- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 xkb_var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ++ read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ++') ++ ++######################################## ++## ++## Manage X keyboard extension libraries. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`xserver_manage_xkb_libs',` ++ gen_require(` ++ type xkb_var_lib_t; ++ ') ++ + files_search_var_lib($1) + allow $1 xkb_var_lib_t:dir list_dir_perms; + manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) - ') - - ######################################## - ## --## Do not audit attempts to read xdm temporary files. ++') ++ ++######################################## ++## +## dontaudit access checks X keyboard extension libraries. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`xserver_dontaudit_read_xdm_tmp_files',` ++## ++## ++# +interface(`xserver_dontaudit_xkb_libs_access',` - gen_require(` -- type xdm_tmp_t; ++ gen_require(` + type xkb_var_lib_t; - ') - -- dontaudit $1 xdm_tmp_t:dir search_dir_perms; -- dontaudit $1 xdm_tmp_t:file read_file_perms; ++ ') ++ + dontaudit $1 xkb_var_lib_t:dir audit_access; + dontaudit $1 xkb_var_lib_t:file audit_access; - ') - - ######################################## - ## --## Read write xdm temporary files. ++') ++ ++######################################## ++## +## Read xdm config files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit - ## - ## - # --interface(`xserver_rw_xdm_tmp_files',` ++## ++## ++# +interface(`xserver_read_xdm_etc_files',` + gen_require(` + type xdm_etc_t; @@ -31388,13 +31711,10 @@ index 6bf0ecc2d..75b2f31f9 100644 +## +# +interface(`xserver_manage_xdm_etc_files',` - gen_require(` -- type xdm_tmp_t; ++ gen_require(` + type xdm_etc_t; - ') - -- allow $1 xdm_tmp_t:dir search_dir_perms; -- allow $1 xdm_tmp_t:file rw_file_perms; ++ ') ++ + files_search_etc($1) + manage_files_pattern($1, xdm_etc_t, xdm_etc_t) +') 
@@ -31442,16 +31762,19 @@ index 6bf0ecc2d..75b2f31f9 100644 +interface(`xserver_rw_xdm_tmp_files',` + refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.') + userdom_rw_user_tmpfs_files($1) - ') - - ######################################## -@@ -1070,11 +1347,38 @@ interface(`xserver_rw_xdm_tmp_files',` - ## - # - interface(`xserver_manage_xdm_tmp_files',` -- gen_require(` -- type xdm_tmp_t; -- ') ++') ++ ++######################################## ++## ++## Create, read, write, and delete xdm temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_manage_xdm_tmp_files',` + refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.') + userdom_manage_user_tmp_files($1) +') @@ -31470,8 +31793,7 @@ index 6bf0ecc2d..75b2f31f9 100644 + refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.') + userdom_relabel_user_tmp_dirs($1) +') - -- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++ +######################################## +## +## Create, read, write, and delete xdm temporary dirs. 
@@ -31485,30 +31807,41 @@ index 6bf0ecc2d..75b2f31f9 100644 +interface(`xserver_manage_xdm_tmp_dirs',` + refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.') + userdom_manage_user_tmp_dirs($1) - ') - - ######################################## -@@ -1089,11 +1393,8 @@ interface(`xserver_manage_xdm_tmp_files',` - ## - # - interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` -- gen_require(` -- type xdm_tmp_t; -- ') -- -- dontaudit $1 xdm_tmp_t:sock_file getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes of ++## xdm temporary named sockets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.') + userdom_dontaudit_user_getattr_tmp_sockets($1) - ') - - ######################################## -@@ -1111,8 +1412,28 @@ interface(`xserver_domtrans',` - type xserver_t, xserver_exec_t; - ') - -- allow $1 xserver_t:process siginh; ++') ++ ++######################################## ++## ++## Execute the X server in the X server domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`xserver_domtrans',` ++ gen_require(` ++ type xserver_t, xserver_exec_t; ++ ') ++ + allow $1 xserver_t:process siginh; - domtrans_pattern($1, xserver_exec_t, xserver_t) ++ domtrans_pattern($1, xserver_exec_t, xserver_t) + + allow xserver_t $1:process getpgid; +') 
@@ -31529,13 +31862,28 @@ index 6bf0ecc2d..75b2f31f9 100644 + ') + + can_exec($1, xserver_exec_t) - ') - - ######################################## -@@ -1135,6 +1456,24 @@ interface(`xserver_signal',` - - ######################################## - ## ++') ++ ++######################################## ++## ++## Signal X servers ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_signal',` ++ gen_require(` ++ type xserver_t; ++ ') ++ ++ allow $1 xserver_t:process signal; ++') ++ ++######################################## ++## +## Send a null signal to xdm processes. +## +## @@ -31554,14 +31902,63 @@ index 6bf0ecc2d..75b2f31f9 100644 + +######################################## +## - ## Kill X servers - ## - ## -@@ -1210,6 +1549,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` - - ######################################## - ## -+## Do not audit attempts to read and write xdm ++## Kill X servers ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_kill',` ++ gen_require(` ++ type xserver_t; ++ ') ++ ++ allow $1 xserver_t:process sigkill; ++') ++ ++######################################## ++## ++## Read and write X server Sys V Shared ++## memory segments. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_rw_shm',` ++ gen_require(` ++ type xserver_t; ++ ') ++ ++ allow $1 xserver_t:shm rw_shm_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write to ++## X server sockets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`xserver_dontaudit_rw_tcp_sockets',` ++ gen_require(` ++ type xserver_t; ++ ') ++ ++ dontaudit $1 xserver_t:tcp_socket { read write }; ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write X server +## unix domain stream sockets. +## +## 
@@ -31570,6 +31967,26 @@ index 6bf0ecc2d..75b2f31f9 100644 +## +## +# ++interface(`xserver_dontaudit_rw_stream_sockets',` ++ gen_require(` ++ type xserver_t; ++ ') ++ ++ dontaudit $1 xserver_t:unix_stream_socket { read write }; ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write xdm ++## unix domain stream sockets. + ## + ## + ## +@@ -1031,18 +1576,245 @@ interface(`xserver_read_xdm_tmp_files',` + ## + ## + # +-interface(`xserver_dontaudit_read_xdm_tmp_files',` +interface(`xserver_dontaudit_xdm_rw_stream_sockets',` + gen_require(` + type xdm_t; @@ -31580,13 +31997,22 @@ index 6bf0ecc2d..75b2f31f9 100644 + +######################################## +## - ## Connect to the X server over a unix domain - ## stream socket. - ## -@@ -1226,6 +1584,26 @@ interface(`xserver_stream_connect',` - - files_search_tmp($1) - stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ++## Connect to the X server over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_stream_connect',` ++ gen_require(` ++ type xserver_t, xserver_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) + allow xserver_t $1:shm rw_shm_perms; +') + 
@@ -31607,27 +32033,45 @@ index 6bf0ecc2d..75b2f31f9 100644 + ') + + stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) - ') - - ######################################## -@@ -1251,7 +1629,7 @@ interface(`xserver_read_tmp_files',` - ## - ## Interface to provide X object permissions on a given X server to - ## an X client domain. Gives the domain permission to read the --## virtual core keyboard and virtual core pointer devices. ++') ++ ++######################################## ++## ++## Read X server temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_read_tmp_files',` ++ gen_require(` ++ type xserver_tmp_t; ++ ') ++ ++ allow $1 xserver_tmp_t:file read_file_perms; ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Gives the domain permission to read the +## virtual core keyboard and virtual core pointer devices. - ## - ## - ## -@@ -1261,13 +1639,27 @@ interface(`xserver_read_tmp_files',` - # - interface(`xserver_manage_core_devices',` - gen_require(` -- type xserver_t; ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_manage_core_devices',` ++ gen_require(` + type xserver_t, root_xdrawable_t, xevent_t; - class x_device all_x_device_perms; - class x_pointer all_x_pointer_perms; - class x_keyboard all_x_keyboard_perms; ++ class x_device all_x_device_perms; ++ class x_pointer all_x_pointer_perms; ++ class x_keyboard all_x_keyboard_perms; + class x_screen all_x_screen_perms; + class x_drawable { manage }; + attribute x_domain; 
@@ -31635,9 +32079,9 @@ index 6bf0ecc2d..75b2f31f9 100644 + class x_resource all_x_resource_perms; + class x_synthetic_event all_x_synthetic_event_perms; + class x_cursor all_x_cursor_perms; - ') - - allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; ++ ') ++ ++ allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + allow $1 xserver_t:{ x_screen } setattr; + + allow $1 x_domain:x_cursor all_x_cursor_perms; @@ -31645,21 +32089,28 @@ index 6bf0ecc2d..75b2f31f9 100644 + allow $1 x_domain:x_resource all_x_resource_perms; + allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms; + allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms; - ') - - ######################################## -@@ -1284,10 +1676,662 @@ interface(`xserver_manage_core_devices',` - # - interface(`xserver_unconfined',` - gen_require(` -- attribute x_domain; -- attribute xserver_unconfined_type; ++') ++ ++######################################## ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Gives the domain complete control over the ++## display. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_unconfined',` ++ gen_require(` + attribute x_domain, xserver_unconfined_type; - ') - - typeattribute $1 x_domain; - typeattribute $1 xserver_unconfined_type; - ') ++ ') ++ ++ typeattribute $1 x_domain; ++ typeattribute $1 xserver_unconfined_type; ++') + +######################################## +## 
@@ -31763,115 +32214,144 @@ index 6bf0ecc2d..75b2f31f9 100644 +## +# +interface(`xserver_xdm_manage_spool',` -+ gen_require(` + gen_require(` +- type xdm_tmp_t; + type xdm_spool_t; -+ ') -+ + ') + +- dontaudit $1 xdm_tmp_t:dir search_dir_perms; +- dontaudit $1 xdm_tmp_t:file read_file_perms; + files_search_spool($1) + manage_files_pattern($1, xdm_spool_t, xdm_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read write xdm temporary files. +## Send and receive messages from +## xdm over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1050,18 +1822,20 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',` + ## + ## + # +-interface(`xserver_rw_xdm_tmp_files',` +interface(`xserver_dbus_chat_xdm',` -+ gen_require(` + gen_require(` +- type xdm_tmp_t; + type xdm_t; + class dbus send_msg; -+ ') -+ + ') + +- allow $1 xdm_tmp_t:dir search_dir_perms; +- allow $1 xdm_tmp_t:file rw_file_perms; + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete xdm temporary files. +## Send and receive messages from +## xdm over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1069,55 +1843,57 @@ interface(`xserver_rw_xdm_tmp_files',` + ## + ## + # +-interface(`xserver_manage_xdm_tmp_files',` +interface(`xserver_dbus_chat',` -+ gen_require(` + gen_require(` +- type xdm_tmp_t; + type xserver_t; + class dbus send_msg; -+ ') -+ + ') + +- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + allow $1 xserver_t:dbus send_msg; + allow xserver_t $1:dbus send_msg; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of +-## xdm temporary named sockets. 
+## Read xserver files created in /var/run -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +interface(`xserver_read_pid',` -+ gen_require(` + gen_require(` +- type xdm_tmp_t; + type xserver_var_run_t; -+ ') -+ + ') + +- dontaudit $1 xdm_tmp_t:sock_file getattr; + files_search_pids($1) + read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute the X server in the X server domain. +## Execute xserver files created in /var/run -+## -+## -+## + ## + ## + ## +-## Domain allowed to transition. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`xserver_domtrans',` +interface(`xserver_exec_pid',` -+ gen_require(` + gen_require(` +- type xserver_t, xserver_exec_t; + type xserver_var_run_t; -+ ') -+ + ') + +- allow $1 xserver_t:process siginh; +- domtrans_pattern($1, xserver_exec_t, xserver_t) + files_search_pids($1) + exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Signal X servers +## Write xserver files created in /var/run -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1125,17 +1901,73 @@ interface(`xserver_domtrans',` + ## + ## + # +-interface(`xserver_signal',` +interface(`xserver_write_pid',` -+ gen_require(` + gen_require(` +- type xserver_t; + type xserver_var_run_t; -+ ') -+ + ') + +- allow $1 xserver_t:process signal; + files_search_pids($1) + write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Kill X servers +## Allow append the xdm +## log files. +## 
@@ -31928,71 +32408,89 @@ index 6bf0ecc2d..75b2f31f9 100644 +######################################## +## +## Read a user Iceauthority domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1143,18 +1975,18 @@ interface(`xserver_signal',` + ## + ## + # +-interface(`xserver_kill',` +interface(`xserver_read_user_iceauth',` -+ gen_require(` + gen_require(` +- type xserver_t; + type iceauth_home_t; -+ ') -+ + ') + +- allow $1 xserver_t:process sigkill; + # Read .Iceauthority file + allow $1 iceauth_home_t:file read_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write X server Sys V Shared +-## memory segments. +## Read/write inherited user homedir fonts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1162,132 +1994,362 @@ interface(`xserver_kill',` + ## + ## + # +-interface(`xserver_rw_shm',` +interface(`xserver_rw_inherited_user_fonts',` -+ gen_require(` + gen_require(` +- type xserver_t; + type user_fonts_t, user_fonts_config_t; -+ ') -+ + ') + +- allow $1 xserver_t:shm rw_shm_perms; + allow $1 user_fonts_t:file rw_inherited_file_perms; + allow $1 user_fonts_t:file read_lnk_file_perms; + + allow $1 user_fonts_config_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and write to +-## X server sockets. +## Search XDM var lib dirs. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. 
-+## -+## -+# + ## + ## + # +-interface(`xserver_dontaudit_rw_tcp_sockets',` +interface(`xserver_search_xdm_lib',` -+ gen_require(` + gen_require(` +- type xserver_t; + type xdm_var_lib_t; -+ ') -+ + ') + +- dontaudit $1 xserver_t:tcp_socket { read write }; + allow $1 xdm_var_lib_t:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and write X server +-## unix domain stream sockets. +## Make an X executable an entrypoint for the specified domain. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## The domain for which the shell is an entrypoint. -+## -+## -+# + ## + ## + # +-interface(`xserver_dontaudit_rw_stream_sockets',` +interface(`xserver_entry_type',` + gen_require(` + type xserver_exec_t; 
@@ -32019,99 +32517,128 @@ index 6bf0ecc2d..75b2f31f9 100644 +## +# +interface(`xserver_run',` -+ gen_require(` -+ type xserver_t; -+ ') -+ + gen_require(` + type xserver_t; + ') + +- dontaudit $1 xserver_t:unix_stream_socket { read write }; + xserver_domtrans($1) + role $2 types xserver_t; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Connect to the X server over a unix domain +-## stream socket. +## Execute xsever in the xserver domain, and +## allow the specified role the xserver domain. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## The role to be allowed the xserver domain. +## +## +## -+# + # +-interface(`xserver_stream_connect',` +interface(`xserver_run_xauth',` -+ gen_require(` + gen_require(` +- type xserver_t, xserver_tmp_t; + type xauth_t; -+ ') -+ + ') + +- files_search_tmp($1) +- stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) + xserver_domtrans_xauth($1) + role $2 types xauth_t; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read X server temporary files. +## Read user homedir fonts. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +## -+# + # +-interface(`xserver_read_tmp_files',` +interface(`xserver_read_home_fonts',` -+ gen_require(` + gen_require(` +- type xserver_tmp_t; + type user_fonts_t, user_fonts_config_t; -+ ') -+ + ') + +- allow $1 xserver_tmp_t:file read_file_perms; +- files_search_tmp($1) + list_dirs_pattern($1, user_fonts_t, user_fonts_t) + read_files_pattern($1, user_fonts_t, user_fonts_t) + read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) + + read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Interface to provide X object permissions on a given X server to +-## an X client domain. Gives the domain permission to read the +-## virtual core keyboard and virtual core pointer devices. +## Manage user fonts dir. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`xserver_manage_core_devices',` +interface(`xserver_manage_user_fonts_dir',` -+ gen_require(` + gen_require(` +- type xserver_t; +- class x_device all_x_device_perms; +- class x_pointer all_x_pointer_perms; +- class x_keyboard all_x_keyboard_perms; + type user_fonts_t; -+ ') -+ + ') + +- allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Interface to provide X object permissions on a given X server to +-## an X client domain. Gives the domain complete control over the +-## display. +## Manage user homedir fonts. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +## -+# + # +-interface(`xserver_unconfined',` +interface(`xserver_manage_home_fonts',` -+ gen_require(` + gen_require(` +- attribute x_domain; +- attribute xserver_unconfined_type; + type user_fonts_t, user_fonts_config_t, user_fonts_cache_t; -+ ') -+ + ') + +- typeattribute $1 x_domain; +- typeattribute $1 xserver_unconfined_type; + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + manage_files_pattern($1, user_fonts_t, user_fonts_t) + manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) @@ -32293,7 +32820,7 @@ index 6bf0ecc2d..75b2f31f9 100644 + ') + + dontaudit $1 xserver_log_t:dir search_dir_perms; -+') + ') + +######################################## +## @@ -35072,7 +35599,7 @@ index 3efd5b669..a8cb6df3d 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791dcc..498375fcf 100644 +index 09b791dcc..c6721f846 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -35156,7 +35683,7 @@ index 09b791dcc..498375fcf 100644 type updpwd_t; type updpwd_exec_t; domain_type(updpwd_t) -@@ -90,7 +112,7 @@ logging_log_file(wtmp_t) +@@ -90,11 +112,11 @@ logging_log_file(wtmp_t) # Check password local policy # @@ -35165,6 +35692,11 @@ index 09b791dcc..498375fcf 100644 dontaudit chkpwd_t self:capability sys_tty_config; allow chkpwd_t self:process { getattr signal }; +-allow chkpwd_t shadow_t:file read_file_perms; ++allow chkpwd_t shadow_t:file { read_file_perms map }; + files_list_etc(chkpwd_t) + + kernel_read_crypto_sysctls(chkpwd_t) @@ -109,6 +131,9 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) # for nscd @@ -38209,7 +38741,7 @@ index 79a45f62e..0244681f0 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..fecc37500 100644 +index 17eda2480..5bff55bd3 100644 --- a/policy/modules/system/init.te 
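Review bot: The new line `++allow chkpwd_t shadow_t:file { read_file_perms map };` in the authlogin.te hunk (`@@ -90,11 +112,11 @@`) widens chkpwd_t's access to the hashed-password store from read to read-plus-mmap without saying why. shadow_t is the type this module exists to protect, so a `map` grant should carry its justification in place; I would add `# chkpwd mmaps shadow_t: <placeholder: bug or AVC reference>` directly above the allow line. If the need comes from a library the helper links rather than from chkpwd itself, saying so in the comment tells the next reviewer whether a narrower interface would do.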
+++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38534,7 +39066,7 @@ index 17eda2480..fecc37500 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +350,303 @@ ifdef(`distro_gentoo',` +@@ -186,29 +350,304 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38762,6 +39294,7 @@ index 17eda2480..fecc37500 100644 +systemd_read_unit_files(initrc_t) +systemd_login_status(init_t) +systemd_map_networkd_exec_files(init_t) ++systemd_map_resolved_exec_files(init_t) + +create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + @@ -38847,7 +39380,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -216,7 +654,35 @@ optional_policy(` +@@ -216,7 +655,35 @@ optional_policy(` ') optional_policy(` @@ -38884,7 +39417,7 @@ index 17eda2480..fecc37500 100644 ') ######################################## -@@ -225,9 +691,9 @@ optional_policy(` +@@ -225,9 +692,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38896,7 +39429,7 @@ index 17eda2480..fecc37500 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +724,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +725,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38913,7 +39446,7 @@ index 17eda2480..fecc37500 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +749,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +750,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
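Review bot: `++systemd_map_resolved_exec_files(init_t)` in the init.te hunk (`@@ -186,29 +350,304 @@`) calls an interface that no hunk visible here defines; it presumably comes from systemd.if elsewhere in this patch set, but if that definition is missing the policy build fails, so it is worth confirming before merge. The line mirrors the existing `+systemd_map_networkd_exec_files(init_t)` directly above it, and neither says why PID 1 needs to mmap these daemon executables. A one-line comment over the pair, `# init maps networkd/resolved binaries: <placeholder: bug reference>`, would keep both grants auditable.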
@@ -38956,7 +39489,7 @@ index 17eda2480..fecc37500 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +786,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +787,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38968,7 +39501,7 @@ index 17eda2480..fecc37500 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +798,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +799,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38979,7 +39512,7 @@ index 17eda2480..fecc37500 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +809,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +810,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38989,7 +39522,7 @@ index 17eda2480..fecc37500 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +818,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +819,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38997,7 +39530,7 @@ index 17eda2480..fecc37500 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +825,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +826,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -39005,7 +39538,7 @@ index 17eda2480..fecc37500 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +833,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +834,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -39023,7 +39556,7 @@ index 17eda2480..fecc37500 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +851,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +852,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -39037,7 +39570,7 @@ index 17eda2480..fecc37500 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +866,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +867,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -39051,7 +39584,7 @@ index 17eda2480..fecc37500 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +879,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +880,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -39062,7 +39595,7 @@ index 17eda2480..fecc37500 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +892,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +893,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -39070,7 +39603,7 @@ index 17eda2480..fecc37500 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +911,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +912,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -39094,7 +39627,7 @@ index 17eda2480..fecc37500 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +944,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +945,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -39102,7 +39635,7 @@ index 17eda2480..fecc37500 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +978,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +979,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -39113,7 +39646,7 @@ index 17eda2480..fecc37500 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +1002,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +1003,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -39122,7 +39655,7 @@ index 17eda2480..fecc37500 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +1017,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +1018,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -39130,7 +39663,7 @@ index 17eda2480..fecc37500 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1038,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1039,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -39138,7 +39671,7 @@ index 17eda2480..fecc37500 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1048,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1049,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -39183,7 +39716,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -559,14 +1093,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1094,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -39215,7 +39748,7 @@ index 17eda2480..fecc37500 100644 ') ') -@@ -577,6 +1128,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1129,39 @@ ifdef(`distro_suse',` ') ') @@ -39255,7 +39788,7 @@ index 17eda2480..fecc37500 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1173,8 @@ optional_policy(` +@@ -589,6 +1174,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -39264,7 +39797,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -610,6 +1196,7 @@ optional_policy(` +@@ -610,6 +1197,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -39272,7 +39805,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -626,6 +1213,17 @@ optional_policy(` +@@ -626,6 +1214,17 @@ optional_policy(` ') optional_policy(` @@ -39290,7 +39823,7 @@ index 17eda2480..fecc37500 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1240,13 @@ optional_policy(` +@@ -642,9 +1241,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -39304,7 +39837,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -657,15 +1259,11 @@ optional_policy(` +@@ -657,15 +1260,11 @@ optional_policy(` ') optional_policy(` @@ -39322,7 +39855,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -686,6 +1284,15 @@ optional_policy(` +@@ -686,6 +1285,15 @@ optional_policy(` ') optional_policy(` 
@@ -39338,7 +39871,7 @@ index 17eda2480..fecc37500 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1333,7 @@ optional_policy(` +@@ -726,6 +1334,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -39346,7 +39879,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -743,7 +1351,13 @@ optional_policy(` +@@ -743,7 +1352,13 @@ optional_policy(` ') optional_policy(` @@ -39361,7 +39894,7 @@ index 17eda2480..fecc37500 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1380,10 @@ optional_policy(` +@@ -766,6 +1381,10 @@ optional_policy(` ') optional_policy(` @@ -39372,7 +39905,7 @@ index 17eda2480..fecc37500 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1393,20 @@ optional_policy(` +@@ -775,10 +1394,20 @@ optional_policy(` ') optional_policy(` @@ -39393,7 +39926,7 @@ index 17eda2480..fecc37500 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1415,10 @@ optional_policy(` +@@ -787,6 +1416,10 @@ optional_policy(` ') optional_policy(` @@ -39404,7 +39937,7 @@ index 17eda2480..fecc37500 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1440,6 @@ optional_policy(` +@@ -808,8 +1441,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39413,7 +39946,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -818,6 +1448,10 @@ optional_policy(` +@@ -818,6 +1449,10 @@ optional_policy(` ') optional_policy(` @@ -39424,7 +39957,7 @@ index 17eda2480..fecc37500 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1461,12 @@ optional_policy(` +@@ -827,10 +1462,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39437,7 +39970,7 @@ index 17eda2480..fecc37500 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1493,62 @@ optional_policy(` +@@ -857,21 +1494,63 @@ optional_policy(` ') optional_policy(` 
@@ -39446,6 +39979,7 @@ index 17eda2480..fecc37500 100644 + virt_noatsecure(init_t) + virt_rlimitinh(init_t) + virt_transition_svirt_sandbox(init_t, system_r) ++ virt_manage_sandbox_files(init_t) +') + +optional_policy(` @@ -39501,7 +40035,7 @@ index 17eda2480..fecc37500 100644 ') optional_policy(` -@@ -887,6 +1564,10 @@ optional_policy(` +@@ -887,6 +1566,10 @@ optional_policy(` ') optional_policy(` @@ -39512,7 +40046,7 @@ index 17eda2480..fecc37500 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1578,218 @@ optional_policy(` +@@ -897,3 +1580,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -40036,7 +40570,7 @@ index 0d4c8d35e..537aa4274 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd0417..07a92cc93 100644 +index 312cd0417..45c4b21dc 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -40152,7 +40686,7 @@ index 312cd0417..07a92cc93 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,22 +180,32 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,22 +180,34 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -40172,7 +40706,8 @@ index 312cd0417..07a92cc93 100644 logging_send_syslog_msg(ipsec_t) -miscfiles_read_localization(ipsec_t) -- ++miscfiles_map_generic_certs(ipsec_t) + sysnet_domtrans_ifconfig(ipsec_t) +sysnet_manage_config(ipsec_t) +sysnet_etc_filetrans_config(ipsec_t) @@ -40187,7 +40722,7 @@ index 312cd0417..07a92cc93 100644 optional_policy(` seutil_sigchld_newrole(ipsec_t) -@@ -182,19 +215,30 @@ optional_policy(` +@@ -182,19 +217,30 @@ optional_policy(` udev_read_db(ipsec_t) ') 
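Review bot: `++ virt_manage_sandbox_files(init_t)` gives the init domain create/write/delete access to container sandbox content with no comment recording which systemd operation needs it, unlike the neighbouring `virt_transition_svirt_sandbox(init_t, system_r)` line whose purpose is clear from its name. Because init_t is the most privileged long-running domain and sandbox files are writable by the confined containers themselves, a later audit cannot tell from this line whether a read-only or narrower interface would have sufficed. A one-line note such as `# systemd must manage svirt sandbox content: <reason / bug reference placeholder>` directly above the rule would preserve that. The enclosing optional_policy block opens before this hunk; only its closing `+')` is visible here.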
@@ -40222,7 +40757,7 @@ index 312cd0417..07a92cc93 100644 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -208,12 +252,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +254,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -40238,7 +40773,7 @@ index 312cd0417..07a92cc93 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +292,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +294,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -40255,7 +40790,7 @@ index 312cd0417..07a92cc93 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +311,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +313,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -40264,7 +40799,7 @@ index 312cd0417..07a92cc93 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +327,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +329,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -40272,7 +40807,7 @@ index 312cd0417..07a92cc93 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +337,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +339,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) 
@@ -40284,7 +40819,7 @@ index 312cd0417..07a92cc93 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +348,28 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +350,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -40318,7 +40853,7 @@ index 312cd0417..07a92cc93 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +393,10 @@ optional_policy(` +@@ -322,6 +395,10 @@ optional_policy(` ') optional_policy(` @@ -40329,7 +40864,7 @@ index 312cd0417..07a92cc93 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +410,7 @@ optional_policy(` +@@ -335,7 +412,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -40338,7 +40873,7 @@ index 312cd0417..07a92cc93 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +445,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +447,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -40358,7 +40893,7 @@ index 312cd0417..07a92cc93 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +475,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +477,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -40371,7 +40906,7 @@ index 312cd0417..07a92cc93 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +512,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +514,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -41828,7 +42363,7 @@ index b50c5fe81..9eacd9ba1 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e9488463..2db173f77 100644 +index 4e9488463..c54641fbb 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -81,6 +81,24 @@ interface(`logging_dontaudit_send_audit_msgs',` @@ -42212,16 +42747,18 @@ index 4e9488463..2db173f77 100644 ') ######################################## -@@ -859,7 +1136,7 @@ interface(`logging_manage_all_logs',` +@@ -858,8 +1135,9 @@ interface(`logging_manage_all_logs',` + ') files_search_var($1) ++ manage_dirs_pattern($1, logfile, logfile) manage_files_pattern($1, logfile, logfile) - read_lnk_files_pattern($1, logfile, logfile) + manage_lnk_files_pattern($1, logfile, logfile) ') ######################################## -@@ -880,11 +1157,69 @@ interface(`logging_read_generic_logs',` +@@ -880,11 +1158,69 @@ interface(`logging_read_generic_logs',` files_search_var($1) allow $1 var_log_t:dir list_dir_perms; @@ -42291,7 +42828,7 @@ index 4e9488463..2db173f77 100644 ## Write generic log files. ## ## -@@ -905,6 +1240,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1241,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -42316,7 +42853,7 @@ index 4e9488463..2db173f77 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1337,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1338,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -42334,7 +42871,7 @@ index 4e9488463..2db173f77 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1362,55 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1363,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; 
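Review bot: `++ manage_dirs_pattern($1, logfile, logfile)` widens `logging_manage_all_logs` from files and symlinks to creating and removing directories of every type that carries the `logfile` attribute, and every existing caller inherits that silently — `logging_admin_syslog`, which calls it further down this same file section, is one. If `auditd_log_t` carries `logfile` (refpolicy declares it through `logging_log_file`, which is not visible here), syslog administrators can now remove or replace the audit log directory, which is an audit-integrity change rather than a cosmetic one and deserves either a comment or a separate directory-managing interface. At minimum the interface's description header, which sits outside this hunk, should now say that directories are managed as well.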
@@ -42390,7 +42927,7 @@ index 4e9488463..2db173f77 100644 ') ######################################## -@@ -1032,10 +1439,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1440,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -42408,7 +42945,7 @@ index 4e9488463..2db173f77 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1469,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1470,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -42417,7 +42954,7 @@ index 4e9488463..2db173f77 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1499,110 @@ interface(`logging_admin',` +@@ -1085,3 +1500,110 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -43848,7 +44385,7 @@ index 9fe8e01e3..6aa1ea05a 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc31b..1701f0861 100644 +index fc28bc31b..73fc71dbc 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` @@ -43966,7 +44503,7 @@ index fc28bc31b..1701f0861 100644 ## Manage SSL certificates. ## ## -@@ -191,6 +269,7 @@ interface(`miscfiles_read_fonts',` +@@ -191,11 +269,13 @@ interface(`miscfiles_read_fonts',` allow $1 fonts_t:dir list_dir_perms; read_files_pattern($1, fonts_t, fonts_t) 
@@ -43974,7 +44511,13 @@ index fc28bc31b..1701f0861 100644 read_lnk_files_pattern($1, fonts_t, fonts_t) allow $1 fonts_cache_t:dir list_dir_perms; -@@ -414,6 +493,7 @@ interface(`miscfiles_read_localization',` + read_files_pattern($1, fonts_cache_t, fonts_cache_t) + read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) ++ allow $1 fonts_cache_t:file map; + ') + + ######################################## +@@ -414,6 +494,7 @@ interface(`miscfiles_read_localization',` allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) @@ -43982,7 +44525,7 @@ index fc28bc31b..1701f0861 100644 ') ######################################## -@@ -434,6 +514,7 @@ interface(`miscfiles_rw_localization',` +@@ -434,6 +515,7 @@ interface(`miscfiles_rw_localization',` files_search_usr($1) allow $1 locale_t:dir list_dir_perms; rw_files_pattern($1, locale_t, locale_t) @@ -43990,7 +44533,7 @@ index fc28bc31b..1701f0861 100644 ') ######################################## -@@ -453,6 +534,7 @@ interface(`miscfiles_relabel_localization',` +@@ -453,6 +535,7 @@ interface(`miscfiles_relabel_localization',` files_search_usr($1) relabel_files_pattern($1, locale_t, locale_t) @@ -43998,7 +44541,7 @@ index fc28bc31b..1701f0861 100644 ') ######################################## -@@ -470,7 +552,6 @@ interface(`miscfiles_legacy_read_localization',` +@@ -470,7 +553,6 @@ interface(`miscfiles_legacy_read_localization',` type locale_t; ') @@ -44006,7 +44549,7 @@ index fc28bc31b..1701f0861 100644 allow $1 locale_t:file execute; ') -@@ -531,6 +612,10 @@ interface(`miscfiles_read_man_pages',` +@@ -531,6 +613,10 @@ interface(`miscfiles_read_man_pages',` allow $1 { man_cache_t man_t }:dir list_dir_perms; read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) 
@@ -44017,7 +44560,7 @@ index fc28bc31b..1701f0861 100644 ') ######################################## -@@ -554,6 +639,29 @@ interface(`miscfiles_delete_man_pages',` +@@ -554,6 +640,29 @@ interface(`miscfiles_delete_man_pages',` delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) @@ -44047,7 +44590,7 @@ index fc28bc31b..1701f0861 100644 ') ######################################## -@@ -622,6 +730,30 @@ interface(`miscfiles_manage_man_cache',` +@@ -622,6 +731,30 @@ interface(`miscfiles_manage_man_cache',` ######################################## ## @@ -44078,7 +44621,7 @@ index fc28bc31b..1701f0861 100644 ## Read public files used for file ## transfer services. ## -@@ -784,8 +916,11 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -784,8 +917,11 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') @@ -44092,7 +44635,7 @@ index fc28bc31b..1701f0861 100644 ') ######################################## -@@ -809,3 +944,81 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +945,81 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -48621,10 +49164,10 @@ index 000000000..121b42208 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 000000000..dc06d3b3f +index 000000000..a739a2645 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1898 @@ +@@ -0,0 +1,1916 @@ +## SELinux policy for systemd components + +###################################### 
@@ -50523,12 +51066,30 @@ index 000000000..dc06d3b3f + + allow $1 systemd_networkd_exec_t:file map; +') ++ ++######################################## ++## ++## Mmap systemd_resolved_exec_t files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_map_resolved_exec_files',` ++ gen_require(` ++ type systemd_resolved_exec_t; ++ ') ++ ++ allow $1 systemd_resolved_exec_t:file map; ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 000000000..598ce3fca +index 000000000..621b8cffc --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,1041 @@ +@@ -0,0 +1,1042 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -50596,6 +51157,7 @@ index 000000000..598ce3fca +files_pid_file(systemd_bootchart_var_run_t) + +systemd_domain_template(systemd_resolved) ++init_nnp_daemon_domain(systemd_resolved_t) + +type systemd_resolved_var_run_t; +files_pid_file(systemd_resolved_var_run_t) @@ -52993,7 +53555,7 @@ index db7597682..c54480a1d 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6c0..562afbe9a 100644 +index 9dc60c6c0..3f5aa5f3b 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -55352,7 +55914,15 @@ index 9dc60c6c0..562afbe9a 100644 ######################################## ## -@@ -2120,7 +2950,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2075,6 +2905,7 @@ interface(`userdom_manage_user_home_content_files',` + + manage_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; ++ allow $1 user_home_t:file map; + files_search_home($1) + ') + +@@ -2120,7 +2951,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
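Review bot: `++ allow $1 user_home_t:file map;` folds the `map` permission into `userdom_manage_user_home_content_files`, so every existing caller of the manage interface gains mmap of user home files without opting in, while this same change adds dedicated map-only interfaces for the equivalent need elsewhere (`systemd_map_resolved_exec_files` in the systemd.if section just above, `userdom_map_home_certs` later in userdomain.if). A separate map-only interface written in the style of `userdom_map_home_certs` would keep the widening explicit and match that convention. The interface's documentation header lies outside this hunk and still describes file management only, so it would need updating if the rule stays here.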
@@ -55361,7 +55931,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -2128,19 +2958,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2959,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -55385,7 +55955,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -2148,12 +2976,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2977,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -55401,7 +55971,7 @@ index 9dc60c6c0..562afbe9a 100644 ') ######################################## -@@ -2388,18 +3216,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3217,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -55459,7 +56029,7 @@ index 9dc60c6c0..562afbe9a 100644 ## Do not audit attempts to read users ## temporary files. ##
    -@@ -2414,7 +3278,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3279,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -55468,7 +56038,7 @@ index 9dc60c6c0..562afbe9a 100644 ') ######################################## -@@ -2455,6 +3319,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3320,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -55494,7 +56064,7 @@ index 9dc60c6c0..562afbe9a 100644 ######################################## ## -@@ -2538,7 +3421,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3422,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -55503,7 +56073,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -2546,19 +3429,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3430,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -55526,7 +56096,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -2566,19 +3449,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3450,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -55549,7 +56119,7 @@ index 9dc60c6c0..562afbe9a 100644 ##
## ## -@@ -2586,20 +3469,61 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,20 +3470,61 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # @@ -55616,7 +56186,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -2661,6 +3585,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3586,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -55638,7 +56208,7 @@ index 9dc60c6c0..562afbe9a 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3611,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3612,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -55660,7 +56230,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -2692,19 +3626,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3627,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -55683,7 +56253,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -2713,13 +3641,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3642,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -55744,7 +56314,7 @@ index 9dc60c6c0..562afbe9a 100644 ') ######################################## -@@ -2814,6 +3785,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3786,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -55769,7 +56339,7 @@ index 9dc60c6c0..562afbe9a 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3821,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3822,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -55812,7 +56382,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -2856,14 +3857,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3858,33 @@ interface(`userdom_use_user_ptys',` ## ## # 
@@ -55850,7 +56420,7 @@ index 9dc60c6c0..562afbe9a 100644 ') ######################################## -@@ -2882,8 +3902,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3903,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -55880,7 +56450,7 @@ index 9dc60c6c0..562afbe9a 100644 ') ######################################## -@@ -2955,6 +3994,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3995,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -55923,7 +56493,7 @@ index 9dc60c6c0..562afbe9a 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4053,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4054,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -55948,7 +56518,7 @@ index 9dc60c6c0..562afbe9a 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4071,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4072,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -55960,7 +56530,7 @@ index 9dc60c6c0..562afbe9a 100644 ## memory segments. ## ## -@@ -3025,17 +4082,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4083,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -55981,7 +56551,7 @@ index 9dc60c6c0..562afbe9a 100644 ## memory segments. ## ## -@@ -3044,12 +4101,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4102,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # 
@@ -55996,7 +56566,7 @@ index 9dc60c6c0..562afbe9a 100644 ') ######################################## -@@ -3094,7 +4151,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4152,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -56005,7 +56575,7 @@ index 9dc60c6c0..562afbe9a 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4167,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4168,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -56039,7 +56609,7 @@ index 9dc60c6c0..562afbe9a 100644 ') ######################################## -@@ -3214,7 +4255,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4256,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -56066,7 +56636,7 @@ index 9dc60c6c0..562afbe9a 100644 ') ######################################## -@@ -3269,12 +4328,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4329,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -56082,7 +56652,7 @@ index 9dc60c6c0..562afbe9a 100644 ## ## ## -@@ -3282,46 +4342,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,46 +4343,122 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -56218,7 +56788,7 @@ index 9dc60c6c0..562afbe9a 100644 ') allow $1 userdomain:process getattr; -@@ -3382,6 +4518,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4519,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -56261,7 +56831,7 @@ index 9dc60c6c0..562afbe9a 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4574,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4575,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -56322,7 +56892,7 @@ index 9dc60c6c0..562afbe9a 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4661,1835 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4662,1853 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -57303,6 +57873,24 @@ index 9dc60c6c0..562afbe9a 100644 + +######################################## +## ++## mmap system SSL certificates in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_map_home_certs',` ++ gen_require(` ++ type home_cert_t; ++ ') ++ ++ allow $1 home_cert_t:file map; ++') ++ ++######################################## ++## +## Manage system SSL certificates in the users homedir. +## +## @@ -58159,7 +58747,7 @@ index 9dc60c6c0..562afbe9a 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38dc7..f3819687f 100644 +index f4ac38dc7..0fce86e80 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -58248,7 +58836,7 @@ index f4ac38dc7..f3819687f 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,397 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,399 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
@@ -58397,12 +58985,14 @@ index f4ac38dc7..f3819687f 100644 + fs_manage_cifs_dirs(userdom_home_manager_type) + fs_manage_cifs_files(userdom_home_manager_type) + fs_manage_cifs_symlinks(userdom_home_manager_type) ++ fs_map_cifs_files(userdom_home_manager_type) +') + +tunable_policy(`use_fusefs_home_dirs',` + fs_manage_fusefs_dirs(userdom_home_manager_type) + fs_manage_fusefs_files(userdom_home_manager_type) + fs_manage_fusefs_symlinks(userdom_home_manager_type) ++ fs_mmap_fusefs_files(userdom_home_manager_type) +') + +tunable_policy(`use_ecryptfs_home_dirs',` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 72de4e24..3e59f8bb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3302,10 +3302,10 @@ index 000000000..36251b926 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 000000000..547ee89dd +index 000000000..1d22415a4 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,275 @@ +@@ -0,0 +1,276 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3389,6 +3389,7 @@ index 000000000..547ee89dd +manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) +manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) +manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t) ++allow antivirus_t antivirus_db_t:file map; + +manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) +manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t) @@ -8635,7 +8636,7 @@ index 50c9b9c87..533a555a2 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') diff --git a/arpwatch.te b/arpwatch.te -index 2d7bf345b..766a91a41 100644 +index 2d7bf345b..bb5b35fe4 100644 --- a/arpwatch.te +++ b/arpwatch.te @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) 
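Review bot: The two new lines `fs_map_cifs_files(userdom_home_manager_type)` and `fs_mmap_fusefs_files(userdom_home_manager_type)` spell the same permission two ways (`map` versus `mmap`), and both names must resolve to interfaces in the base patch's filesystem.if, which is not in view; if either is undefined the policy build fails inside these tunable blocks, so it is worth confirming both exist before merging. Settling on one spelling for the map interfaces introduced across this change would also make them easier to find later.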
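Review bot: `++allow antivirus_t antivirus_db_t:file map;` names only `antivirus_t` as the subject, while the three surrounding rules for `antivirus_db_t` are written against the `antivirus_domain` attribute; any other domain in that attribute that maps its database will still be denied. If the narrower subject is deliberate, a short comment saying why would stop the next reader from "fixing" it; otherwise `allow antivirus_domain antivirus_db_t:file map;` keeps the block consistent.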
@@ -8648,16 +8649,19 @@ index 2d7bf345b..766a91a41 100644 ######################################## # # Local policy -@@ -33,6 +36,8 @@ allow arpwatch_t self:unix_stream_socket { accept listen }; +@@ -31,8 +34,10 @@ dontaudit arpwatch_t self:capability sys_tty_config; + allow arpwatch_t self:process signal_perms; + allow arpwatch_t self:unix_stream_socket { accept listen }; allow arpwatch_t self:tcp_socket { accept listen }; - allow arpwatch_t self:packet_socket create_socket_perms; +-allow arpwatch_t self:packet_socket create_socket_perms; ++allow arpwatch_t self:packet_socket { create_socket_perms map }; allow arpwatch_t self:socket create_socket_perms; +allow arpwatch_t self:netlink_socket create_socket_perms; +allow arpwatch_t self:netlink_netfilter_socket create_socket_perms; manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) -@@ -45,11 +50,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) +@@ -45,13 +50,26 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) @@ -8681,8 +8685,11 @@ index 2d7bf345b..766a91a41 100644 + dev_read_sysfs(arpwatch_t) dev_read_usbmon_dev(arpwatch_t) ++dev_map_usbmon_dev(arpwatch_t) dev_rw_generic_usb_dev(arpwatch_t) -@@ -59,15 +76,12 @@ fs_search_auto_mountpoints(arpwatch_t) + + fs_getattr_all_fs(arpwatch_t) +@@ -59,15 +77,12 @@ fs_search_auto_mountpoints(arpwatch_t) domain_use_interactive_fds(arpwatch_t) @@ -11707,10 +11714,10 @@ index 1b22262d5..d9ea246a1 100644 + ') ') diff --git a/bugzilla.te b/bugzilla.te -index 18623e39e..c62f617e1 100644 +index 18623e39e..300b2b0c0 100644 --- a/bugzilla.te +++ b/bugzilla.te -@@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0) +@@ -6,42 +6,57 @@ policy_module(bugzilla, 1.1.0) # apache_content_template(bugzilla) 
@@ -11725,7 +11732,9 @@ index 18623e39e..c62f617e1 100644 # -allow httpd_bugzilla_script_t self:tcp_socket { accept listen }; ++allow bugzilla_script_t self:netlink_route_socket create_netlink_socket_perms; +allow bugzilla_script_t self:tcp_socket { accept listen }; ++allow bugzilla_script_t self:udp_socket create_socket_perms; + +corenet_all_recvfrom_netlabel(bugzilla_script_t) +corenet_tcp_sendrecv_generic_if(bugzilla_script_t) @@ -16275,7 +16284,7 @@ index 8e27a37c1..c69be28b9 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 9f2dfb233..5f29a909f 100644 +index 9f2dfb233..e8a9f990a 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.1.0) @@ -16382,7 +16391,7 @@ index 9f2dfb233..5f29a909f 100644 ') optional_policy(` -@@ -134,6 +145,23 @@ optional_policy(` +@@ -134,6 +145,24 @@ optional_policy(` ') optional_policy(` @@ -16401,6 +16410,7 @@ index 9f2dfb233..5f29a909f 100644 + xserver_read_inherited_xdm_lib_files(colord_t) + # allow to read /run/initial-setup-$username + xserver_read_xdm_pid(colord_t) ++ xserver_map_xdm_pid(colord_t) +') + +optional_policy(` @@ -21748,7 +21758,7 @@ index 3023be7f6..5afde8039 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813ccb..dd52ab6ad 100644 +index c91813ccb..a4f635cb9 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21941,10 +21951,10 @@ index c91813ccb..dd52ab6ad 100644 files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file }) -allow cupsd_t hplip_t:process { signal sigkill }; +- +-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) +allow cupsd_t cupsd_unit_file_t:file read_file_perms; --read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) -- -allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) 
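Review bot: `++allow bugzilla_script_t self:udp_socket create_socket_perms;` and the `netlink_route_socket` rule just above it are raw self: socket allows with no comment on what the CGI does with them; this pair is the usual footprint of resolver calls, which the policy normally grants through `auth_use_nsswitch` or `sysnet_dns_name_resolve` (this same change uses `auth_use_nsswitch(git_script_t)` for the git CGI). If name resolution is the motivation, the interface is preferable because it is reviewed as a unit; if the script genuinely speaks UDP itself, a comment naming the protocol would justify the extra reach for a web-facing domain.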
@@ -22292,7 +22302,7 @@ index c91813ccb..dd52ab6ad 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -549,9 +609,9 @@ optional_policy(` +@@ -549,9 +609,12 @@ optional_policy(` # Pdf local policy # @@ -22301,10 +22311,13 @@ index c91813ccb..dd52ab6ad 100644 +allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search }; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; +allow cups_pdf_t cupsd_rw_etc_t:dir search; ++ ++ ++allow cups_pdf_t cupsd_etc_t:dir list_dir_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) create_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +626,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +629,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -22333,13 +22346,11 @@ index c91813ccb..dd52ab6ad 100644 - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') -+userdom_home_manager(cups_pdf_t) - - optional_policy(` +- +-optional_policy(` - lpd_manage_spool(cups_pdf_t) -+ gnome_read_config(cups_pdf_t) - ') - +-') +- -######################################## -# -# HPLIP local policy @@ -22441,11 +22452,13 @@ index c91813ccb..dd52ab6ad 100644 - lpd_read_config(hplip_t) - lpd_manage_spool(hplip_t) -') -- --optional_policy(` ++userdom_home_manager(cups_pdf_t) + + optional_policy(` - seutil_sigchld_newrole(hplip_t) --') -- ++ gnome_read_config(cups_pdf_t) + ') + -optional_policy(` - snmp_read_snmp_var_lib_files(hplip_t) -') @@ -22456,7 +22469,7 @@ index c91813ccb..dd52ab6ad 100644 ######################################## # -@@ -735,7 +670,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +673,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
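Review bot: The `@@ -22301` hunk inserts two empty lines (`++` twice) between `allow cups_pdf_t cupsd_rw_etc_t:dir search;` and the new `allow cups_pdf_t cupsd_etc_t:dir list_dir_perms;`, leaving a double blank line in cups.te where the surrounding rule groups are separated by a single one. Drop the two blank lines so the new rule sits directly under the related cupsd_rw_etc_t search rule. The cups_pdf_t local policy section continues outside the hunk.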
@@ -22464,7 +22477,7 @@ index c91813ccb..dd52ab6ad 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +679,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +682,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -22478,7 +22491,7 @@ index c91813ccb..dd52ab6ad 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +691,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +694,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -22487,7 +22500,7 @@ index c91813ccb..dd52ab6ad 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +703,4 @@ optional_policy(` +@@ -773,3 +706,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -32813,7 +32826,7 @@ index 1e29af196..6c64f55c3 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index dc49c715e..54df5e36e 100644 +index dc49c715e..e25890c3d 100644 --- a/git.te +++ b/git.te @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -32898,7 +32911,7 @@ index dc49c715e..54df5e36e 100644 ') tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` -@@ -215,48 +218,52 @@ tunable_policy(`git_system_use_nfs',` +@@ -215,48 +218,53 @@ tunable_policy(`git_system_use_nfs',` # CGI policy # @@ -32914,6 +32927,7 @@ index dc49c715e..54df5e36e 100644 +list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +files_search_var_lib(git_script_t) ++allow git_script_t git_sys_content_t:file map; -auth_use_nsswitch(httpd_git_script_t) +auth_use_nsswitch(git_script_t) 
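Review bot: `map` in the `@@ -32914` hunk is granted only on git_sys_content_t, while the list and read rules two lines above it cover both git_sys_content_t and git_user_content_t; if the denial comes from git mmap-ing repository data (presumably pack files — confirm from the AVC), user-content repositories will hit the same denial. Either widen it to `allow git_script_t { git_sys_content_t git_user_content_t }:file map;` or add a comment stating that map is deliberately limited to system content. The CGI policy section continues outside the hunk.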
@@ -32973,7 +32987,7 @@ index dc49c715e..54df5e36e 100644 ') ######################################## -@@ -266,12 +273,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -266,12 +274,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; @@ -37998,6 +38012,16 @@ index 000000000..800eb43a1 + kerberos_keytab_template(gssproxy, gssproxy_t) + kerberos_manage_host_rcache(gssproxy_t) +') +diff --git a/guest.if b/guest.if +index ad1653f9a..ff424b8e7 100644 +--- a/guest.if ++++ b/guest.if +@@ -1,4 +1,4 @@ +-## Least privledge terminal user role. ++## Least privileged terminal user role. + + ######################################## + ## diff --git a/guest.te b/guest.te index 19cdbe1d7..060577633 100644 --- a/guest.te @@ -47901,7 +47925,7 @@ index dd8e01af3..9cd6b0b8e 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84b3..af94fb163 100644 +index be0ab84b3..a1dd2bcb9 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0) @@ -48139,17 +48163,18 @@ index be0ab84b3..af94fb163 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +257,8 @@ optional_policy(` +@@ -178,7 +257,9 @@ optional_policy(` ') optional_policy(` - chronyd_read_key_files(logrotate_t) ++ chronyd_domtrans_chronyc(logrotate_t) + chronyd_read_keys(logrotate_t) + chronyd_manage_pid(logrotate_t) ') optional_policy(` -@@ -198,17 +278,18 @@ optional_policy(` +@@ -198,17 +279,18 @@ optional_policy(` ') optional_policy(` @@ -48171,7 +48196,7 @@ index be0ab84b3..af94fb163 100644 ') optional_policy(` -@@ -216,6 +297,14 @@ optional_policy(` +@@ -216,6 +298,14 @@ optional_policy(` ') optional_policy(` @@ -48186,7 +48211,7 @@ index be0ab84b3..af94fb163 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +317,50 @@ optional_policy(` +@@ -228,26 +318,50 @@ optional_policy(` ') optional_policy(` @@ -50230,7 +50255,7 @@ index 327f3f726..d6ae4eab6 100644 + ') ') 
diff --git a/mandb.te b/mandb.te -index e6136fd37..afaa79b11 100644 +index e6136fd37..6975de1e6 100644 --- a/mandb.te +++ b/mandb.te @@ -10,22 +10,46 @@ roleattribute system_r mandb_roles; @@ -50299,6 +50324,15 @@ index e6136fd37..afaa79b11 100644 ifdef(`distro_debian',` optional_policy(` +@@ -55,3 +82,8 @@ ifdef(`distro_debian',` + optional_policy(` + cron_system_entry(mandb_t, mandb_exec_t) + ') ++ ++optional_policy(` ++ sssd_read_public_files(mandb_t) ++ sssd_stream_connect(mandb_t) ++') diff --git a/mcelog.if b/mcelog.if index f89651e75..c73214d81 100644 --- a/mcelog.if @@ -55567,7 +55601,7 @@ index f42896cbf..fce39c1ce 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac5a..4ea31b5e2 100644 +index ed81cac5a..120f913ab 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -56364,10 +56398,12 @@ index ed81cac5a..4ea31b5e2 100644 ## ## ## -@@ -911,45 +897,9 @@ interface(`mta_manage_spool',` +@@ -909,47 +895,12 @@ interface(`mta_manage_spool',` + manage_dirs_pattern($1, mail_spool_t, mail_spool_t) + manage_files_pattern($1, mail_spool_t, mail_spool_t) manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) - ') - +-') +- -####################################### -## -## Create specified objects in the @@ -56402,8 +56438,9 @@ index ed81cac5a..4ea31b5e2 100644 - - files_search_spool($1) - filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) --') -- ++ allow $1 mail_spool_t:file map; + ') + ######################################## ## -## Search mail queue directories. @@ -56411,7 +56448,7 @@ index ed81cac5a..4ea31b5e2 100644 ## ## ## -@@ -968,7 +918,7 @@ interface(`mta_search_queue',` +@@ -968,7 +919,7 @@ interface(`mta_search_queue',` ####################################### ## 
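Review bot: `allow $1 mail_spool_t:file map;` in the `@@ -56364` hunk is added inside the shared `mta_manage_spool` interface, so every existing caller gains mmap access to mail spools, not only the domain whose denial motivated it. If a single caller needs it, a dedicated interface (e.g. `mta_map_spool`) keeps the widening visible per domain; if all spool managers are meant to get it, the interface's summary should say that it also grants map so the scope change is documented. The interface header and summary lie outside the hunk.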
@@ -56420,7 +56457,7 @@ index ed81cac5a..4ea31b5e2 100644 ## ## ## -@@ -981,13 +931,13 @@ interface(`mta_list_queue',` +@@ -981,13 +932,13 @@ interface(`mta_list_queue',` type mqueue_spool_t; ') @@ -56436,7 +56473,7 @@ index ed81cac5a..4ea31b5e2 100644 ## ## ## -@@ -1000,14 +950,14 @@ interface(`mta_read_queue',` +@@ -1000,14 +951,14 @@ interface(`mta_read_queue',` type mqueue_spool_t; ') @@ -56453,7 +56490,7 @@ index ed81cac5a..4ea31b5e2 100644 ## ## ## -@@ -1027,7 +977,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -1027,7 +978,7 @@ interface(`mta_dontaudit_rw_queue',` ######################################## ## ## Create, read, write, and delete @@ -56462,7 +56499,7 @@ index ed81cac5a..4ea31b5e2 100644 ## ## ## -@@ -1047,6 +997,41 @@ interface(`mta_manage_queue',` +@@ -1047,6 +998,41 @@ interface(`mta_manage_queue',` ####################################### ## @@ -56504,7 +56541,7 @@ index ed81cac5a..4ea31b5e2 100644 ## Read sendmail binary. ## ## -@@ -1055,6 +1040,7 @@ interface(`mta_manage_queue',` +@@ -1055,6 +1041,7 @@ interface(`mta_manage_queue',` ## ## # @@ -56512,7 +56549,7 @@ index ed81cac5a..4ea31b5e2 100644 interface(`mta_read_sendmail_bin',` gen_require(` type sendmail_exec_t; -@@ -1065,8 +1051,8 @@ interface(`mta_read_sendmail_bin',` +@@ -1065,8 +1052,8 @@ interface(`mta_read_sendmail_bin',` ####################################### ## @@ -56523,7 +56560,7 @@ index ed81cac5a..4ea31b5e2 100644 ## ## ## -@@ -1081,3 +1067,228 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1068,228 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -57844,10 +57881,10 @@ index b70870816..e2a5280c3 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index 06f8666df..2accd90d2 100644 +index 06f8666df..0256ba244 100644 --- a/mysql.fc 
+++ b/mysql.fc -@@ -1,27 +1,46 @@ +@@ -1,27 +1,47 @@ -HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) @@ -57881,6 +57918,7 @@ index 06f8666df..2accd90d2 100644 +# /usr +# /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) ++/usr/bin/mysqld_safe_helper -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) @@ -58464,7 +58502,7 @@ index 687af38bb..5381f1b39 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe7c..327af4639 100644 +index 7584bbe7c..da5e85fc6 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -58515,7 +58553,7 @@ index 7584bbe7c..327af4639 100644 type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) -@@ -62,28 +66,30 @@ files_pid_file(mysqlmanagerd_var_run_t) +@@ -62,83 +66,102 @@ files_pid_file(mysqlmanagerd_var_run_t) # Local policy # @@ -58553,7 +58591,12 @@ index 7584bbe7c..327af4639 100644 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -95,50 +101,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) + files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) ++allow mysqld_t mysqld_tmp_t:file map; + + manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) + manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -58638,7 +58681,7 @@ index 7584bbe7c..327af4639 100644 ') optional_policy(` -@@ -146,6 +168,10 @@ optional_policy(` +@@ -146,6 +169,10 @@ optional_policy(` ') optional_policy(` 
@@ -58649,7 +58692,7 @@ index 7584bbe7c..327af4639 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +181,20 @@ optional_policy(` +@@ -155,21 +182,20 @@ optional_policy(` ####################################### # @@ -58677,7 +58720,7 @@ index 7584bbe7c..327af4639 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +202,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +203,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -58688,7 +58731,7 @@ index 7584bbe7c..327af4639 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +210,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +211,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -58724,7 +58767,7 @@ index 7584bbe7c..327af4639 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,20 +240,21 @@ optional_policy(` +@@ -209,20 +241,21 @@ optional_policy(` ######################################## # @@ -58753,7 +58796,7 @@ index 7584bbe7c..327af4639 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +262,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +263,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -61257,7 +61300,7 @@ index 86dc29dfa..cb39739a5 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') 
diff --git a/networkmanager.te b/networkmanager.te -index 55f20095e..3299cc6c7 100644 +index 55f20095e..768b6d003 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -61354,7 +61397,7 @@ index 55f20095e..3299cc6c7 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,30 +102,30 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,30 +102,32 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -61387,10 +61430,12 @@ index 55f20095e..3299cc6c7 100644 +kernel_signull(NetworkManager_t) -corenet_all_recvfrom_unlabeled(NetworkManager_t) ++corenet_ib_manage_subnet_unlabeled_endports(NetworkManager_t) ++corenet_ib_access_unlabeled_pkeys(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,36 +136,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,36 +138,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -61432,7 +61477,7 @@ index 55f20095e..3299cc6c7 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +162,36 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +164,36 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) 
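Review bot: `corenet_ib_manage_subnet_unlabeled_endports(NetworkManager_t)` and `corenet_ib_access_unlabeled_pkeys(NetworkManager_t)` in the `@@ -61387` hunk are granted unconditionally and without a comment; the same pair is given to opensm_t, the InfiniBand subnet manager, later in this patch, and subnet management on unlabeled end ports is a broad right for a general-purpose network daemon. Add a comment naming the NetworkManager feature that triggers these denials (presumably IPoIB or pkey interface setup — confirm from the AVC), or, if the need is site-specific, guard them with a tunable the way this patch gates other optional network rights (e.g. `tunable_policy(`openvpn_can_network_connect',` in openvpn.te). The rest of the NetworkManager_t corenet rules continue outside the hunk.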
@@ -61470,7 +61515,7 @@ index 55f20095e..3299cc6c7 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +206,37 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +208,37 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -61512,7 +61557,7 @@ index 55f20095e..3299cc6c7 100644 ') optional_policy(` -@@ -196,10 +252,6 @@ optional_policy(` +@@ -196,10 +254,6 @@ optional_policy(` ') optional_policy(` @@ -61523,7 +61568,7 @@ index 55f20095e..3299cc6c7 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,31 +262,34 @@ optional_policy(` +@@ -210,31 +264,34 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -61566,7 +61611,7 @@ index 55f20095e..3299cc6c7 100644 ') optional_policy(` -@@ -246,10 +301,26 @@ optional_policy(` +@@ -246,10 +303,26 @@ optional_policy(` ') optional_policy(` @@ -61593,7 +61638,7 @@ index 55f20095e..3299cc6c7 100644 ') optional_policy(` -@@ -257,15 +328,19 @@ optional_policy(` +@@ -257,15 +330,19 @@ optional_policy(` ') optional_policy(` @@ -61615,7 +61660,7 @@ index 55f20095e..3299cc6c7 100644 ') optional_policy(` -@@ -274,10 +349,17 @@ optional_policy(` +@@ -274,10 +351,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -61633,7 +61678,7 @@ index 55f20095e..3299cc6c7 100644 ') optional_policy(` -@@ -286,9 +368,12 @@ optional_policy(` +@@ -286,9 +370,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) @@ -61646,7 +61691,7 @@ index 55f20095e..3299cc6c7 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +381,7 @@ optional_policy(` +@@ -296,7 +383,7 @@ optional_policy(` ') optional_policy(` 
@@ -61655,7 +61700,7 @@ index 55f20095e..3299cc6c7 100644 ') optional_policy(` -@@ -307,6 +392,7 @@ optional_policy(` +@@ -307,6 +394,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -61663,7 +61708,7 @@ index 55f20095e..3299cc6c7 100644 ') optional_policy(` -@@ -320,14 +406,21 @@ optional_policy(` +@@ -320,14 +408,21 @@ optional_policy(` ') optional_policy(` @@ -61690,7 +61735,7 @@ index 55f20095e..3299cc6c7 100644 ') optional_policy(` -@@ -338,12 +431,23 @@ optional_policy(` +@@ -338,12 +433,23 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -61715,7 +61760,7 @@ index 55f20095e..3299cc6c7 100644 allow wpa_cli_t self:unix_dgram_socket create_socket_perms; allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; -@@ -357,6 +461,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +463,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -62168,7 +62213,7 @@ index 46e55c3ff..afe399a0e 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3a6b0352e..062e20c8c 100644 +index 3a6b0352e..6aecea23d 100644 --- a/nis.te +++ b/nis.te @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0) @@ -62282,7 +62327,16 @@ index 3a6b0352e..062e20c8c 100644 init_dbus_chat_script(ypbind_t) optional_policy(` -@@ -145,11 +144,12 @@ optional_policy(` +@@ -140,16 +139,21 @@ optional_policy(` + udev_read_db(ypbind_t) + ') + ++optional_policy(` ++ rpcbind_stream_connect(ypbind_t) ++') ++ + ######################################## + # # yppasswdd local policy # 
@@ -62297,7 +62351,7 @@ index 3a6b0352e..062e20c8c 100644 allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; allow yppasswdd_t self:tcp_socket create_stream_socket_perms; allow yppasswdd_t self:udp_socket create_socket_perms; -@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) +@@ -160,14 +164,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) @@ -62313,7 +62367,7 @@ index 3a6b0352e..062e20c8c 100644 corenet_all_recvfrom_netlabel(yppasswdd_t) corenet_tcp_sendrecv_generic_if(yppasswdd_t) corenet_udp_sendrecv_generic_if(yppasswdd_t) -@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) +@@ -177,23 +180,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_generic_node(yppasswdd_t) corenet_udp_bind_generic_node(yppasswdd_t) @@ -62339,7 +62393,7 @@ index 3a6b0352e..062e20c8c 100644 dev_read_sysfs(yppasswdd_t) fs_getattr_all_fs(yppasswdd_t) -@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t) +@@ -202,12 +195,20 @@ fs_search_auto_mountpoints(yppasswdd_t) selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) @@ -62361,7 +62415,7 @@ index 3a6b0352e..062e20c8c 100644 sysnet_read_config(yppasswdd_t) -@@ -219,6 +216,14 @@ optional_policy(` +@@ -219,6 +220,14 @@ optional_policy(` ') optional_policy(` @@ -62376,7 +62430,7 @@ index 3a6b0352e..062e20c8c 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -234,7 +239,8 @@ optional_policy(` +@@ -234,7 +243,8 @@ optional_policy(` dontaudit ypserv_t self:capability sys_tty_config; allow ypserv_t self:fifo_file rw_fifo_file_perms; allow ypserv_t self:process signal_perms; 
@@ -62386,7 +62440,7 @@ index 3a6b0352e..062e20c8c 100644 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; allow ypserv_t self:tcp_socket connected_stream_socket_perms; allow ypserv_t self:udp_socket create_socket_perms; -@@ -254,7 +260,6 @@ kernel_read_kernel_sysctls(ypserv_t) +@@ -254,7 +264,6 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) @@ -62394,7 +62448,7 @@ index 3a6b0352e..062e20c8c 100644 corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -264,31 +269,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) +@@ -264,31 +273,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) corenet_udp_sendrecv_all_ports(ypserv_t) corenet_tcp_bind_generic_node(ypserv_t) corenet_udp_bind_generic_node(ypserv_t) @@ -62433,7 +62487,7 @@ index 3a6b0352e..062e20c8c 100644 nis_domtrans_ypxfr(ypserv_t) -@@ -310,8 +312,8 @@ optional_policy(` +@@ -310,8 +316,8 @@ optional_policy(` # ypxfr local policy # @@ -62444,7 +62498,7 @@ index 3a6b0352e..062e20c8c 100644 allow ypxfr_t self:tcp_socket create_stream_socket_perms; allow ypxfr_t self:udp_socket create_socket_perms; allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; -@@ -326,7 +328,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +@@ -326,7 +332,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) @@ -62452,7 +62506,7 @@ index 3a6b0352e..062e20c8c 100644 corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t) -@@ -336,23 +337,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) +@@ -336,23 +341,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) corenet_udp_sendrecv_all_ports(ypxfr_t) corenet_tcp_bind_generic_node(ypxfr_t) corenet_udp_bind_generic_node(ypxfr_t) 
@@ -68803,10 +68857,10 @@ index 000000000..45de66477 +') diff --git a/opensm.te b/opensm.te new file mode 100644 -index 000000000..87c86edb9 +index 000000000..81c7870cf --- /dev/null +++ b/opensm.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,49 @@ +policy_module(opensm, 1.0.0) + +######################################## @@ -68846,6 +68900,9 @@ index 000000000..87c86edb9 + +auth_use_nsswitch(opensm_t) + ++corenet_ib_access_unlabeled_pkeys(opensm_t) ++corenet_ib_manage_subnet_unlabeled_endports(opensm_t) ++ +corecmd_exec_bin(opensm_t) + +dev_read_sysfs(opensm_t) @@ -68854,10 +68911,10 @@ index 000000000..87c86edb9 + +logging_send_syslog_msg(opensm_t) diff --git a/openvpn.fc b/openvpn.fc -index 300213f83..4cdfe097c 100644 +index 300213f83..4fd25a689 100644 --- a/openvpn.fc +++ b/openvpn.fc -@@ -1,10 +1,13 @@ +@@ -1,12 +1,16 @@ /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) +/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0) /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) @@ -68871,6 +68928,9 @@ index 300213f83..4cdfe097c 100644 /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) + /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) ++/var/run/openvpn-server(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) + /var/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --git a/openvpn.if b/openvpn.if index 6837e9a2b..8d6e33b00 100644 --- a/openvpn.if @@ -68962,7 +69022,7 @@ index 6837e9a2b..8d6e33b00 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a362..91dead6e7 100644 +index 63957a362..970f6f03c 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) 
@@ -69104,7 +69164,7 @@ index 63957a362..91dead6e7 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -164,10 +192,20 @@ tunable_policy(`openvpn_can_network_connect',` +@@ -164,10 +192,21 @@ tunable_policy(`openvpn_can_network_connect',` ') optional_policy(` @@ -69119,13 +69179,14 @@ index 63957a362..91dead6e7 100644 + networkmanager_stream_connect(openvpn_t) + networkmanager_manage_pid_files(openvpn_t) + networkmanager_manage_pid_sock_files(openvpn_t) ++ networkmanager_attach_tun_iface(openvpn_t) +') + +optional_policy(` dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) -@@ -175,3 +213,27 @@ optional_policy(` +@@ -175,3 +214,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -71149,10 +71210,10 @@ index 000000000..abb250dba +') diff --git a/pcp.te b/pcp.te new file mode 100644 -index 000000000..89e89b240 +index 000000000..7ce81f1bd --- /dev/null +++ b/pcp.te -@@ -0,0 +1,315 @@ +@@ -0,0 +1,319 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -71445,6 +71506,10 @@ index 000000000..89e89b240 +allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto; +allow pcp_pmlogger_t self:unix_dgram_socket create_socket_perms; + ++allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans; ++ ++dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace }; ++ +kernel_read_system_state(pcp_pmlogger_t) +kernel_read_network_state(pcp_pmlogger_t) + @@ -73601,10 +73666,10 @@ index 000000000..47cd0f8ba +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 000000000..f69ae0298 +index 000000000..0a7951358 --- /dev/null +++ b/pki.if -@@ -0,0 +1,503 @@ +@@ -0,0 +1,523 @@ + +## policy for pki + 
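Review bot: `allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans;` in the `@@ -71445` hunk spells out a raw self-exec rule where this patch otherwise uses the `can_exec()` macro (`can_exec(pulseaudio_t, pulseaudio_exec_t)` in pulseaudio.te); `can_exec(pcp_pmlogger_t, pcp_pmlogger_exec_t)` states the same intent and also carries the read/execute file permissions that normally accompany a re-exec. On the following line the braces in `dontaudit pcp_pmlogger_t self:cap_userns { sys_ptrace };` are unnecessary for a single permission (compare `dontaudit arpwatch_t self:capability sys_tty_config;` earlier in the patch), and a short comment on why user-namespace ptrace is silenced rather than granted would help the next reader. The pcp_pmlogger_t policy block continues outside the hunk.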
@@ -74108,6 +74173,26 @@ index 000000000..f69ae0298 + + ps_process_pattern($1, pki_tomcat_t) +') ++ ++######################################## ++## ++## Create, read, write, and delete ++## pki tomcat pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_tomcat_pid',` ++ gen_require(` ++ type pki_tomcat_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, pki_tomcat_var_run_t, pki_tomcat_var_run_t) ++') diff --git a/pki.te b/pki.te new file mode 100644 index 000000000..701ebda54 @@ -74741,7 +74826,7 @@ index 30e751f18..61feb3a81 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce905..a1f9e1aa1 100644 +index 3078ce905..66ecfd9d2 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -74781,7 +74866,13 @@ index 3078ce905..a1f9e1aa1 100644 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t) +@@ -65,24 +64,33 @@ dev_rw_dri(plymouthd_t) + dev_read_sysfs(plymouthd_t) + dev_read_framebuffer(plymouthd_t) + dev_write_framebuffer(plymouthd_t) ++dev_map_framebuffer(plymouthd_t) + + domain_use_interactive_fds(plymouthd_t) fs_getattr_all_fs(plymouthd_t) @@ -74814,7 +74905,7 @@ index 3078ce905..a1f9e1aa1 100644 ') optional_policy(` -@@ -90,35 +97,37 @@ optional_policy(` +@@ -90,35 +98,37 @@ optional_policy(` ') optional_policy(` @@ -81420,10 +81511,10 @@ index 45843b55c..4d1adace5 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index 6643b49c2..22214f676 100644 +index 6643b49c2..6c374240b 100644 --- a/pulseaudio.te +++ b/pulseaudio.te -@@ -8,61 +8,50 @@ policy_module(pulseaudio, 1.6.0) +@@ -8,61 +8,51 @@ policy_module(pulseaudio, 1.6.0) attribute pulseaudio_client; attribute pulseaudio_tmpfsfile; 
@@ -81492,6 +81583,7 @@ index 6643b49c2..22214f676 100644 +manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) +userdom_search_user_home_dirs(pulseaudio_t) +pulseaudio_filetrans_home_content(pulseaudio_t) ++allow pulseaudio_t pulseaudio_home_t:file map; -manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) -manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) @@ -81503,7 +81595,7 @@ index 6643b49c2..22214f676 100644 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -72,10 +61,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) +@@ -72,10 +62,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) @@ -81515,7 +81607,7 @@ index 6643b49c2..22214f676 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -85,62 +71,58 @@ kernel_read_kernel_sysctls(pulseaudio_t) +@@ -85,62 +72,58 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) @@ -81597,7 +81689,7 @@ index 6643b49c2..22214f676 100644 ') optional_policy(` -@@ -153,8 +135,9 @@ optional_policy(` +@@ -153,8 +136,9 @@ optional_policy(` optional_policy(` dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) @@ -81609,7 +81701,7 @@ index 6643b49c2..22214f676 100644 optional_policy(` consolekit_dbus_chat(pulseaudio_t) -@@ -174,29 +157,49 @@ optional_policy(` +@@ -174,29 +158,49 @@ optional_policy(` ') optional_policy(` 
@@ -81661,7 +81753,7 @@ index 6643b49c2..22214f676 100644 # # Client local policy # -@@ -210,8 +213,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi +@@ -210,8 +214,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi fs_getattr_tmpfs(pulseaudio_client) @@ -81670,7 +81762,7 @@ index 6643b49c2..22214f676 100644 corenet_tcp_sendrecv_generic_if(pulseaudio_client) corenet_tcp_sendrecv_generic_node(pulseaudio_client) -@@ -220,38 +221,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) +@@ -220,38 +222,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) pulseaudio_stream_connect(pulseaudio_client) @@ -81763,10 +81855,10 @@ index d68e26d1f..3b08cfd9d 100644 +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/puppet.if b/puppet.if -index 7cb8b1f9c..bef72173b 100644 +index 7cb8b1f9c..4c805a42e 100644 --- a/puppet.if +++ b/puppet.if -@@ -1,4 +1,32 @@ +@@ -1,4 +1,52 @@ -## Configuration management system. +## Puppet client daemon +## 
@@ -81796,27 +81888,96 @@ index 7cb8b1f9c..bef72173b 100644 + + corecmd_search_bin($1) + domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t) ++') ++ ++######################################## ++## ++## Execute puppet in the puppet ++## domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`puppet_domtrans',` ++ gen_require(` ++ type puppet_t, puppet_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, puppet_exec_t, puppet_t) +') ######################################## ## -@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',` +@@ -22,7 +70,7 @@ interface(`puppet_domtrans_puppetca',` + + ##################################### + ## +-## Execute puppetca in the puppetca ++## Execute puppet in the puppet + ## domain and allow the specified + ## role the puppetca domain. + ## +@@ -38,39 +86,49 @@ interface(`puppet_domtrans_puppetca',` + ## + ## # - interface(`puppet_run_puppetca',` +-interface(`puppet_run_puppetca',` ++interface(`puppet_run',` gen_require(` - attribute_role puppetca_roles; -+ type puppetca_t, puppetca_exec_t; ++ type puppet_t, puppet_exec_t; ') - puppet_domtrans_puppetca($1) +- puppet_domtrans_puppetca($1) - roleattribute $2 puppetca_roles; -+ role $2 types puppetca_t; ++ puppet_domtrans($1) ++ role $2 types puppet_t; ') -#################################### -+################################################ ++##################################### ## -## Read puppet configuration content. ++## Execute puppetca in the puppetca ++## domain and allow the specified ++## role the puppetca domain. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. + ## + ## ++## ++## ++## Role allowed access. 
++## ++## ++## + # +-interface(`puppet_read_config',` ++interface(`puppet_run_puppetca',` + gen_require(` +- type puppet_etc_t; ++ type puppetca_t, puppetca_exec_t; + ') + +- files_search_etc($1) +- allow $1 puppet_etc_t:dir list_dir_perms; +- allow $1 puppet_etc_t:file read_file_perms; +- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms; ++ puppet_domtrans_puppetca($1) ++ role $2 types puppetca_t; + ') + ++ + ################################################ + ## +-## Read Puppet lib files. +## Read / Write to Puppet temp files. Puppet uses +## some system binaries (groupadd, etc) that run in +## a non-puppet domain and redirects output into temp 
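Review bot: The summary of the renamed `puppet_run` interface is only half updated: the changed line reads `## Execute puppet in the puppet`, but the following context lines still say `## domain and allow the specified` / `## role the puppetca domain.`, while the body now does `role $2 types puppet_t;`. Change the last line to `## role the puppet domain.`. In the same interface the `gen_require` lists `type puppet_t, puppet_exec_t;` although only `puppet_t` is used in its body (the exec type is consumed inside `puppet_domtrans`), and the new `puppet_run_puppetca` likewise requires `puppetca_exec_t` without using it; `type puppet_t;` and `type puppetca_t;` suffice. After the new `puppet_run_puppetca` closes, an added blank line appears to follow an existing blank line, leaving a double blank before the next separator.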
@@ -81824,76 +81985,52 @@ index 7cb8b1f9c..bef72173b 100644 ## ## ## -@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',` - ## - ## - # --interface(`puppet_read_config',` -+interface(`puppet_rw_tmp', ` - gen_require(` -- type puppet_etc_t; -+ type puppet_tmp_t; - ') - -- files_search_etc($1) -- allow $1 puppet_etc_t:dir list_dir_perms; -- allow $1 puppet_etc_t:file read_file_perms; -- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms; -+ allow $1 puppet_tmp_t:file rw_inherited_file_perms; -+ files_search_tmp($1) - ') - - ################################################ -@@ -78,158 +107,165 @@ interface(`puppet_read_config',` +@@ -78,19 +136,18 @@ interface(`puppet_read_config',` ## ## # -interface(`puppet_read_lib_files',` ++interface(`puppet_rw_tmp', ` + gen_require(` +- type puppet_var_lib_t; ++ type puppet_tmp_t; + ') + +- files_search_var_lib($1) +- read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) ++ allow $1 puppet_tmp_t:file rw_inherited_file_perms; ++ files_search_tmp($1) + ') + +-############################################### ++################################################ + ## +-## Create, read, write, and delete +-## puppet lib files. ++## Read Puppet lib files. + ## + ## + ## +@@ -98,138 +155,165 @@ interface(`puppet_read_lib_files',` + ## + ## + # +-interface(`puppet_manage_lib_files',` +interface(`puppet_read_lib',` gen_require(` type puppet_var_lib_t; ') -- files_search_var_lib($1) - read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) -+ files_search_var_lib($1) - ') - - ############################################### - ## --## Create, read, write, and delete --## puppet lib files. -+## Manage Puppet lib files. - ## - ## --## --## Domain allowed access. --## -+## -+## Domain allowed access. 
-+## - ## - # --interface(`puppet_manage_lib_files',` -- gen_require(` -- type puppet_var_lib_t; -- ') -+interface(`puppet_manage_lib',` -+ gen_require(` -+ type puppet_var_lib_t; -+ ') - -- files_search_var_lib($1) ++ read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) + files_search_var_lib($1) - manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) -+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) -+ files_search_var_lib($1) ') -##################################### -+###################################### ++############################################### ## -## Append puppet log files. -+## Allow the specified domain to search puppet's log files. ++## Manage Puppet lib files. ## ## -## @@ -81908,21 +82045,22 @@ index 7cb8b1f9c..bef72173b 100644 - gen_require(` - type puppet_log_t; - ') -+interface(`puppet_search_log',` ++interface(`puppet_manage_lib',` + gen_require(` -+ type puppet_log_t; ++ type puppet_var_lib_t; + ') - logging_search_logs($1) - append_files_pattern($1, puppet_log_t, puppet_log_t) -+ logging_search_logs($1) -+ allow $1 puppet_log_t:dir search_dir_perms; ++ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) ++ files_search_var_lib($1) ') - ##################################### +-##################################### ++###################################### ## -## Create puppet log files. -+## Allow the specified domain to read puppet's log files. ++## Allow the specified domain to search puppet's log files. ## ## -## @@ -81937,7 +82075,7 @@ index 7cb8b1f9c..bef72173b 100644 - gen_require(` - type puppet_log_t; - ') -+interface(`puppet_read_log',` ++interface(`puppet_search_log',` + gen_require(` + type puppet_log_t; + ') 
@@ -81945,13 +82083,13 @@ index 7cb8b1f9c..bef72173b 100644 - logging_search_logs($1) - create_files_pattern($1, puppet_log_t, puppet_log_t) + logging_search_logs($1) -+ read_files_pattern($1, puppet_log_t, puppet_log_t) ++ allow $1 puppet_log_t:dir search_dir_perms; ') ##################################### ## -## Read puppet log files. -+## Allow the specified domain to create puppet's log files. ++## Allow the specified domain to read puppet's log files. ## ## -## @@ -81966,22 +82104,21 @@ index 7cb8b1f9c..bef72173b 100644 - gen_require(` - type puppet_log_t; - ') -+interface(`puppet_create_log',` ++interface(`puppet_read_log',` + gen_require(` + type puppet_log_t; + ') - logging_search_logs($1) -- read_files_pattern($1, puppet_log_t, puppet_log_t) + logging_search_logs($1) -+ create_files_pattern($1, puppet_log_t, puppet_log_t) + read_files_pattern($1, puppet_log_t, puppet_log_t) ') -################################################ -+#################################### ++##################################### ## -## Read and write to puppet tempoprary files. -+## Allow the specified domain to append puppet's log files. ++## Allow the specified domain to create puppet's log files. ## ## -## @@ -81996,7 +82133,7 @@ index 7cb8b1f9c..bef72173b 100644 - gen_require(` - type puppet_tmp_t; - ') -+interface(`puppet_append_log',` ++interface(`puppet_create_log',` + gen_require(` + type puppet_log_t; + ') @@ -82004,7 +82141,7 @@ index 7cb8b1f9c..bef72173b 100644 - files_search_tmp($1) - allow $1 puppet_tmp_t:file rw_file_perms; + logging_search_logs($1) -+ append_files_pattern($1, puppet_log_t, puppet_log_t) ++ create_files_pattern($1, puppet_log_t, puppet_log_t) ') -######################################## @@ -82012,7 +82149,7 @@ index 7cb8b1f9c..bef72173b 100644 ## -## All of the rules required to -## administrate an puppet environment. -+## Allow the specified domain to manage puppet's log files. ++## Allow the specified domain to append puppet's log files. ## ## -## 
@@ -82036,19 +82173,36 @@ index 7cb8b1f9c..bef72173b 100644 - type puppet_var_run_t, puppetmaster_tmp_t; - type puppet_t, puppetca_t, puppetmaster_t; - ') -- -- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) -+interface(`puppet_manage_log',` ++interface(`puppet_append_log',` + gen_require(` + type puppet_log_t; + ') +- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) ++ logging_search_logs($1) ++ append_files_pattern($1, puppet_log_t, puppet_log_t) ++') + - init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r; - allow $2 system_r; -- ++#################################### ++## ++## Allow the specified domain to manage puppet's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`puppet_manage_log',` ++ gen_require(` ++ type puppet_log_t; ++ ') + - files_search_etc($1) - admin_pattern($1, puppet_etc_t) + logging_search_logs($1) @@ -84765,7 +84919,7 @@ index fe2adf8ae..f7e9c70b0 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 83eb09ef6..8f641fc92 100644 +index 83eb09ef6..a5e7068f6 100644 --- a/qpid.te +++ b/qpid.te @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -84778,7 +84932,7 @@ index 83eb09ef6..8f641fc92 100644 type qpidd_tmpfs_t; files_tmpfs_file(qpidd_tmpfs_t) -@@ -33,41 +36,57 @@ allow qpidd_t self:shm create_shm_perms; +@@ -33,41 +36,58 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket { accept listen }; allow qpidd_t self:unix_stream_socket { accept listen }; 
@@ -84797,6 +84951,7 @@ index 83eb09ef6..8f641fc92 100644 +manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +manage_lnk_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir lnk_file }) ++allow qpidd_t qpidd_var_lib_t:file map; -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) @@ -86712,10 +86867,10 @@ index 951db7f1b..65666b765 100644 + allow $1 mdadm_var_run_t:sock_file relabel_sock_file_perms; ') diff --git a/raid.te b/raid.te -index c99753f2c..082d5f686 100644 +index c99753f2c..e465414a3 100644 --- a/raid.te +++ b/raid.te -@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; +@@ -15,54 +15,105 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -86748,6 +86903,7 @@ index c99753f2c..082d5f686 100644 -allow mdadm_t self:process { getsched setsched signal_perms }; +allow mdadm_t self:capability { dac_read_search sys_admin ipc_lock }; +dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace }; ++dontaudit mdadm_t self:cap_userns { sys_ptrace }; +allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal }; allow mdadm_t self:fifo_file rw_fifo_file_perms; allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -86830,7 +86986,7 @@ index c99753f2c..082d5f686 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -71,15 +122,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) 
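Review bot: The added `dontaudit mdadm_t self:cap_userns { sys_ptrace };` in raid.te carries no comment recording why the denial is silenced rather than granted; the only justification in this commit is the changelog line `Dontaudit sys_ptrace capability for mdadm_t BZ(1515849)`. A one-line comment above it, `# BZ(1515849): cap_userns sys_ptrace check, presumably not needed by mdadm, so silence rather than allow`, keeps that reasoning next to the rule, with the bug report confirming the "not needed" part. Since the preceding `dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };` already covers the plain capability class, tying the two lines together in that comment helps keep them in sync.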
@@ -86857,7 +87013,7 @@ index c99753f2c..082d5f686 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -90,17 +150,38 @@ optional_policy(` +@@ -90,17 +151,38 @@ optional_policy(` ') optional_policy(` @@ -93642,7 +93798,7 @@ index 0bf13c220..2ee527f2a 100644 + allow nfsd_t $1:dbus send_msg; +') diff --git a/rpc.te b/rpc.te -index 2da9fca2f..f06eb2732 100644 +index 2da9fca2f..03471672e 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -94028,10 +94184,14 @@ index 2da9fca2f..f06eb2732 100644 ') optional_policy(` -@@ -314,9 +398,12 @@ optional_policy(` +@@ -314,9 +398,16 @@ optional_policy(` ') optional_policy(` ++ realmd_read_var_lib(gssd_t) ++') ++ ++optional_policy(` + gssproxy_stream_connect(gssd_t) +') +optional_policy(` @@ -96833,7 +96993,7 @@ index b8b66ff4d..a93346efe 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 50d07fb2e..e1474fde7 100644 +index 50d07fb2e..a15cd5b6b 100644 --- a/samba.if +++ b/samba.if @@ -1,8 +1,12 @@ @@ -97213,13 +97373,14 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -421,33 +538,55 @@ interface(`samba_manage_var_files',` +@@ -421,33 +538,56 @@ interface(`samba_manage_var_files',` ') files_search_var_lib($1) + files_search_var_lib($1) manage_files_pattern($1, samba_var_t, samba_var_t) + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) ++ allow $1 samba_var_t:file { map}; ') ######################################## @@ -97276,7 +97437,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -462,16 +601,16 @@ interface(`samba_domtrans_smbcontrol',` +@@ -462,16 +602,16 @@ interface(`samba_domtrans_smbcontrol',` # interface(`samba_run_smbcontrol',` gen_require(` 
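Review bot: The added `allow $1 samba_var_t:file { map};` in `samba_manage_var_files` has unbalanced brace spacing; for a single permission write `allow $1 samba_var_t:file map;` (or `{ map }` if the braces are kept), matching the rest of the file. While in this interface, `files_search_var_lib($1)` now appears twice in a row (the context line and the previously added one), so one of them can be dropped. The interface body begins before this hunk.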
@@ -97296,7 +97457,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -488,9 +627,27 @@ interface(`samba_domtrans_smbd',` +@@ -488,9 +628,27 @@ interface(`samba_domtrans_smbd',` domtrans_pattern($1, smbd_exec_t, smbd_t) ') @@ -97325,7 +97486,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -505,10 +662,26 @@ interface(`samba_signal_smbd',` +@@ -505,10 +663,26 @@ interface(`samba_signal_smbd',` allow $1 smbd_t:process signal; ') @@ -97354,7 +97515,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -526,7 +699,7 @@ interface(`samba_dontaudit_use_fds',` +@@ -526,7 +700,7 @@ interface(`samba_dontaudit_use_fds',` ######################################## ## @@ -97363,7 +97524,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -544,7 +717,7 @@ interface(`samba_write_smbmount_tcp_sockets',` +@@ -544,7 +718,7 @@ interface(`samba_write_smbmount_tcp_sockets',` ######################################## ## @@ -97372,7 +97533,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -560,49 +733,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` +@@ -560,49 +734,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` allow $1 smbmount_t:tcp_socket { read write }; ') @@ -97441,7 +97602,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -618,16 +789,16 @@ interface(`samba_getattr_winbind_exec',` +@@ -618,16 +790,16 @@ interface(`samba_getattr_winbind_exec',` # interface(`samba_run_winbind_helper',` gen_require(` @@ -97461,7 +97622,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -637,17 +808,71 @@ interface(`samba_run_winbind_helper',` +@@ -637,17 +809,71 @@ interface(`samba_run_winbind_helper',` # interface(`samba_read_winbind_pid',` gen_require(` @@ -97537,7 +97698,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -657,17 +882,61 @@ interface(`samba_read_winbind_pid',` +@@ -657,17 +883,61 @@ interface(`samba_read_winbind_pid',` # interface(`samba_stream_connect_winbind',` gen_require(` 
@@ -97604,7 +97765,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -676,7 +945,7 @@ interface(`samba_stream_connect_winbind',` +@@ -676,7 +946,7 @@ interface(`samba_stream_connect_winbind',` ## ## ## @@ -97613,7 +97774,7 @@ index 50d07fb2e..e1474fde7 100644 ## ## ## -@@ -689,11 +958,30 @@ interface(`samba_admin',` +@@ -689,11 +959,30 @@ interface(`samba_admin',` type samba_etc_t, samba_share_t, samba_initrc_exec_t; type swat_var_run_t, swat_tmp_t, winbind_log_t; type winbind_var_run_t, winbind_tmp_t; @@ -97647,7 +97808,7 @@ index 50d07fb2e..e1474fde7 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -703,23 +991,34 @@ interface(`samba_admin',` +@@ -703,23 +992,34 @@ interface(`samba_admin',` files_list_etc($1) admin_pattern($1, { samba_etc_t smbd_keytab_t }) @@ -111850,10 +112011,10 @@ index 000000000..d371f62f6 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..a34bf9b9f +index 000000000..1b34bc7b6 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,174 @@ +@@ -0,0 +1,175 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -111946,6 +112107,7 @@ index 000000000..a34bf9b9f +fs_getattr_all_fs(thumb_t) +fs_read_dos_files(thumb_t) +fs_rw_inherited_tmpfs_files(thumb_t) ++fs_map_dos_files(thumb_t) + +auth_read_passwd(thumb_t) + @@ -112995,10 +113157,10 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..6db6edad3 +index 000000000..6ebd1ea7c --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,126 @@ +@@ -0,0 +1,127 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -113036,6 +113198,7 @@ index 000000000..6db6edad3 + pki_manage_tomcat_lib(tomcat_t) + pki_manage_tomcat_etc_rw(tomcat_t) + pki_search_log_dirs(tomcat_t) ++ pki_manage_tomcat_pid(tomcat_t) + pki_manage_tomcat_log(tomcat_t) + pki_manage_common_files(tomcat_t) + pki_exec_common_files(tomcat_t) 
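Review bot: `fs_map_dos_files(thumb_t)` is inserted after `fs_rw_inherited_tmpfs_files(thumb_t)`, two lines away from `fs_read_dos_files(thumb_t)`, the rule it complements; placing it directly under the `fs_read_dos_files` line keeps the dosfs_t rules together. The interface is one the %changelog in this commit lists as newly added (`Add interface fs_map_dos_files()`), so this contrib hunk now depends on the matching base-policy change; its definition is not in this view, so confirm the two patches are applied together.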
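Review bot: The added `pki_manage_tomcat_pid(tomcat_t)` has no corresponding entry in the %changelog hunk of this commit, which does not mention tomcat or pki, so the reason for granting tomcat_t management of the pki tomcat pid files is undocumented. Add a changelog line such as `- Allow tomcat_t to manage pki tomcat pid files BZ(<bug id>)`, or a short comment above the call. The interface definition is not in this view; confirm `pki_manage_tomcat_pid` exists in the pki.if shipped by the same patch. The enclosing `optional_policy` block starts before this hunk.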
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0fbaeed3..fcd59870 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 305%{?dist}
+Release: 306%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,47 @@ exit 0 %endif %changelog +* Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306 +- Allow thumb_t domain to dosfs_t BZ(1517720) +- Allow gssd_t to read realmd_var_lib_t files BZ(1521125) +- Allow domain transition from logrotate_t to chronyc_t BZ(1436013) +- Allow git_script_t to mmap git_sys_content_t BZ(1517541) +- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t BZ(1464803) +- Label /run/openvpn-server/ as openvpn_var_run_t BZ(1478642) +- Allow colord_t to mmap xdm pid files BZ(1518382) +- Allow arpwatch to mmap usbmon device BZ(152456) +- Allow mandb_t to read public sssd files BZ(1514093) +- Allow ypbind_t stream connect to rpcbind_t domain BZ(1508659) +- Allow qpid to map files. +- Allow plymouthd_t to mmap firamebuf device BZ(1517405) +- Dontaudit pcp_pmlogger_t to sys_ptrace capability BZ(1416611) +- Update mta_manage_spool() interface to allow caller domain also mmap mta_spool_t files BZ(1517449) +- Allow antivirus_t domain to mmap antivirus_db_t files BZ(1516816) +- Allow cups_pdf_t domain to read cupd_etc_t dirs BZ(1516282) +- Allow openvpn_t domain to relabel networkmanager tun device BZ(1436048) +- Allow mysqld_t to mmap mysqld_tmp_t files BZ(1516899) +- Update samba_manage_var_files() interface by adding map permission. BZ(1517125) +- Allow pcp_pmlogger_t domain to execute itself. BZ(1517395) +- Dontaudit sys_ptrace capability for mdadm_t BZ(1515849) +- Allow pulseaudio_t domain to mmap pulseaudio_home_t files BZ(1515956) +- Allow bugzilla_script_t domain to create netlink route sockets and udp sockets BZ(1427019) +- Add interface fs_map_dos_files() +- Update interface userdom_manage_user_home_content_files() to allow caller domain to mmap user_home_t files. 
BZ(1519729) +- Add interface xserver_map_xdm_pid() BZ(1518382) +- Add new interface dev_map_usbmon_dev() BZ(1524256) +- Update miscfiles_read_fonts() interface to allow also mmap fonts_cache_t for caller domains BZ(1521137) +- Allow ipsec_t to mmap cert_t and home_cert_t files BZ(1519810) +- Fix typo in filesystem.if +- Add interface dev_map_framebuffer() +- Allow chkpwd command to mmap /etc/shadow BZ(1513704) +- Fix systemd-resolved to run properly with SELinux in enforcing state BZ(1517529) +- Allow thumb_t domain to mmap fusefs_t files BZ(1517517) +- Allow userdom_home_reader_type attribute to mmap cifs_t files BZ(1517125) +- Add interface fs_map_cifs_files() +- Merge pull request #207 from rhatdan/labels +- Merge pull request #208 from rhatdan/logdir +- Allow domains that manage logfiles to man logdirs + * Fri Nov 24 2017 Lukas Vrabec - 3.13.1-305 - Make ganesha nfs server