From 284401b05513b0c2446a6b182bc80cd943be66ac Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 15 Aug 2017 16:29:24 +0200 Subject: [PATCH] * Tue Aug 15 2017 Lukas Vrabec - 3.13.1-272 - Allow sssd_t domain to map sssd_var_lib_t files - allow map permission where needed - contrib: allow map permission where needed - Allow syslogd_t to map syslogd_var_run_t files - allow map permission where needed --- container-selinux.tgz | Bin 6903 -> 6902 bytes policy-rawhide-base.patch | 94 +++++++++------- policy-rawhide-contrib.patch | 211 +++++++++++++++++++++-------------- selinux-policy.spec | 9 +- 4 files changed, 188 insertions(+), 126 deletions(-) diff --git a/container-selinux.tgz b/container-selinux.tgz index 205a2b583a4c686dabb9ffa06f165570ce01adbf..0b63ac3ad988ee774e5dd85e37379250636570dd 100644 GIT binary patch delta 6583 zcmV;o8A#^$HTE@sABzY8_5_nz00Zq^>u=;XlFwK7Um?r{7&{n0#*@qeEX)SpAshIJ5plik(fCW)+cWAFb-e^#$w2R}B4JP+%~KmKi>1Z9;J=S_L2qa+Bc zDodlVP0J#P#6Ss>Vh6u3e!LWHD**BP>6He5oc#GAi4JX|pr=L9?$rlznZrLWi1kw8 z4SuY`I?RKABFvLNykb*xz2@JwCzHDN#MZT10d<)r2Kc|gV+kHcQPMPHsE8DW)#d2$f!~uxPS^Y5mFREQ z`&cmad!25u3%ojR5 z4BqDvBp+u`EgwPNg*B3Pf~4|;Z{L$b0&)RpleGfv0mGA{115j{vU`zV{{80{vd)sl zUZwFg8>v1N7KH;)&4kS#0T~}I?&4^Y`fiaUjD`H%79Z1N(bB2`nyAswj}

|o(*GX35#uOx#!g!)L0sj%qyj!;=1Ft}_+{aiGhGX!(C^h+rzXCZj zr1xcni&rS%3mAX@Q*eJq7bQ*Ou!w{EIyG%3^CX9r>&s8-dyr8+%iC+{2}uL}kOvG~ z$bNz}bzug9Ce8k|tlGz^OL(B+Tg4enJgzu2Fxc8hQja(n`a%^mL=$bC+*K{vz4#IZ zg})8*6@(w7Ju`Gs#!!o8gp5DTHPSgl*y^hY8~>FQ?G%4eE1j)*sgH>4zEfo7QPxLXs7e&74ii1MS(ugE)gIDt11@OH( zn~f8f(d~SY2DsOQ8sXD9XkhBAIOkE8Lif%`Vr^TXCbMM2Fv@72WVISJ90P{m4(w$b zhBg!$q5^**dx(0)i{bC80ylOoRhWr05X58zLwC-^IL|=cHR{OnwEqoG>u&UK)7?c< z+%1W^FPpYm8j$vD3u4wuQ)YJ;D1k*_Sx+@!2yDuSWSQnOOf+g2gezhHkcE%SBVI2E z8MbAf3LOB3OAV{`I*jwQU~3T`dfKKBTdV}qg?xVjXh*t!%Ayed4QX^>(@E({`$*LT^*X2Jo>80djuja+GX&|*Du2!)0S%ubtMCZwY<@`@C5!5B_!&@ z=mLLUt+qU}cVJ&4yo2=tY8CMIksF0{Rtg2f+D$&*ewgcBT9-vWY18sN-9`00)>~tB zyo(-nyLX1W7O>OJFLuV~%$)Ib1Bj5fC)lLdAdR3&cSV@72^)O6ndXpz!f16e6N-wt zPc~c#%JGGDPK@z$kEF(rQuY8~oq^oKnwNk4J1=(Le1ns4oLdZw0j=tIq>+>%NG_9OZA-+woVK^ zZJ{*z$Z&K8Y4G^C7#(v*9UH3rOnO~N!Mi(-icVG#jy-2J7~4$FFW2Uw)=xLPhqHg6 z$_}7ny^SF+BUs1ueK&o=7_Aw;9}(8yRdLoCgxbO( z6)a!Jo1L%u9PB{Y{=s%f+Ay_kisu5{I%d#%D{`Y}3oh}V_G zdPAuebGr3oxH~ZMScb6=IgR15N_Bs<*A66O{G?VFKO|!~VTYu@mPl?W8RcU{!nckp z4MQOmt8w5Z)ngefV(-TSXhN4S9kuG8VB3sVGp~Bkrm%{~u2P3U3>H6 zZ)4c65F~(b#sMyF}zR7`Z(}G>gQOHMC+ibdJoN2-^~koK4uIQGb5{74r34 zE~`4(rVj>r{z5OP80@tU%`Q(E_!XW(sN!UNYw^k`&+gWs&Zn-Gpsf3bha?eY0MRKD zoykY&8AkP&)2?pahV?FK1x=ncYtS1z?u^!6Mh%XAbj(0uv3QJ26b}+v*St^g6|D|m z`Xco|>5uHui#B<#GTit7KYV|<`r-ZH{{Q>0_y0f35A(FF^D+j-b}C21+u-`*`rXCV z*-FzFEXj}cW*Ka`&H!0%mM9;)D!yQR*!miDLxH_8}5R}b4x2AZ3OxX_SQ0XooWc=xG= zF-{SAahT+wo|)1e*}OTH98t zA)zi}+-@)}Hk?`)HQRrL_eIQ}4SGd&8V>2b`o-y%J5$=FI4JsYBB#B#!!ah^+5IXi zVNU$61d7Y-1viE$_2ER=k~lynbAcWrAME{3b^al)aNYNjyORc1PyRPG-RSl=9&Pk7 z#c>Bi%tVmVsm^6W8&r@Vk?4^(ry7%E_UF|=1K=asGw_Fo*kgZnBIAMS0Gk~oOLX|t zj=ybeqlyOHa8#K`srh_FL)D#Qeej{H&RT{}IxI>##^{&QJ17(95%S@w5n%`~Vl?~M zU5F241zFKxj4C1-5kzgWSz zjZw>-YzcK14d{zb(o*z^#VG?`fe?Xzpp@yN;j`Q>l&JpTujA2RRWawn1Sx}-uFiOqO7BO~OIcQ{um)^|E zwNX#ryxGxlDg5^2z#w`SfUO47k1_2#roAr{)aiG@h5zkoqZBIdF{7w)N3{3|R!}+V z5`6~hD@%*p^)0`kcu4LrJm83$2}J0KI1P6ilz2M}(p4+DgyH}o4Go*bq)wwXC~%{h 
zbtYMG;7()#`A=n`kqN`OPNF*&)P>vZ@tV!yp{jp*(o2C&pqCqdH_J-fVrgD^GY{AA zn@qpfKVn%hvvBz2Od!gO5eq>2Xe1u6gUO7Z_~O2;%e-6YDd9<8#$YC_jL8s2swYB$ zhub{UE%IZ*hItldBaVhVdmteDpvnK__yn9Z1FuEdOU2a5;h0wSh(eUvd#j+~PSW4z=x6gvz-NAo-PWbEP@lE%}pQi}r&iC^bfY-EFuREHqq+YI$ zbHssb}~_S{Q%d7$c=W z{=}mV_)$ea=)l;PE)szlF`6E?#w|wFoAvW82tCPov^NX0qM&axxk_CmExIRs$?2x) zV-vNRr7D8>9+ACBL2OO5Ph!8q@x0q2gf3EgP4Vzy)TVbZpJGe-oIb{PhnUjo@j}>} z#w8RHtC#Mgeb(c0(oe12j4FTa_%Ix;k{*rP1^9`uzBkUf!l-5+9y=Lj%Nn*hcabQ_2&8kuZ*qUUjKLaKclo z^JZtE?h%8HgeO-(ZQFdOO{7c%3T;gPH?#-%cMM$@uv>&{I*?jNiLL!6R$tIOj=sCw;fbq&C$clgWdByaF{A{3QawUg0 z<+f{_Y{Ns=GC#|MO(ZG@8-6zE#|D>}nEP+mEXSW^(r{ujh0?7P*N`-(Y4+WPUL)5V zGhm5^zUg1p?-wfk5dx+Ro zSiHUEAFBM1CyIYCX10Pye6bo-3A}k2toK}VML}`}eLNt= z5XZZ^3n6|o#a0HmVlj8!^q}M?M{sHoi4=7son!Gcb_aiH(^!WGalS_~>IE%swfC0H zai7MHIY{o(3e5Y>^}f51QnvQ4*-ZkJ73>=V?;u@a&*(jr;Q z<=s#t^1Syed(|CcNoTcnCn-s*Hh*xC2+0GIRq{kA`~ahbVqP2yG$5mpI>CP6h87s? z)VqI;BJ^DY5AEA^y2s2sS2SSc^<|qYpkt}qwfswb>dDCyZw_dEglI1AQrn^_???FT zRV6JO8=iM51edhz@PYFXtK(oD*A?WDm61t=!cOI}t2-sRf-+SZBjr{JZN}w_XDE@* zg1ZztmHen%c8R)ErSQa22aV9tK#h`x`8a>Q!5W8KPn^gltgub26J-H&6444i)|}3m zr@A>z`8O_sH(|aBHIYZDw1&SJ-21k6EZvGKGT>6X)Ntb%$ zdT$6mWmi+!@!O47WMOsxYt2TX}hX3W#Hdd2ZM#3mU$lTLn}UgkIPbD zmIg@}1}-9IadgLCXsKA1HD{7}KP!L4M4y9b)57LHV~G?^C2!L@xrZ4Ok2ds;Rj9a~ zpXL2O$bG);K*PpZM0g}q;K{2sZ_3%~wMy7s(VA2gO@-0ZB}V2rx?wZQ!)i29im5nO zww$uAg_)>De4{VDF!_26GzcwRuPJ$G_7HJ^?$ZJ5o^~<&j78ovnX7q3n@fLI85_l$ zDb$)$ZQD>G2GA=Z9z}6_%rBEtl30sIvwQRn6*i=+VP~T!J>u?qpL>KHHfxaYsk0hL z8Y7wcD>qN{t<%x71(RXal@@jB3x!!UBiVt<){is_9hRV8m~V{I$#yJKeBn!`<2MYsUbifMyncb zj3ZZD!g&$KGkg1z%DL>Tw36!CW^)jEXLv|Vo4T4pK@1dn&A9y0?4th-PJHSz9gwDHd7KQ0e2#Oj1kN)=unc6$D>Ko znF_DfwcYFBCzkIpdt`rEFH-h_9ayx%oJM7Qfgd6a47RIG;@{QpjOV>zDLK_**%P)n zpzTT4*^PdALQC+;(&!VQA#HN+o)N!m;dLiz&W#J#{$eqp(HxP(Mu>YKrUio+r7svP z5vO^LF|%9;{rrK!O@B(I_3wr$C7eV(k3aeOwWBLZIAUw`p3#3q(Kq_79z$#l3+6}1 zMad3EwVct+YsVvCW%5FPHrsQF3QFT3=3%ew`j2#K=n)f+zy?QLhbx{#Q%}~b5Ut@> z5^GRDWOtaw(UA35NMh7gjy}Hb)1i9#L*qu$-?*qnFr-3lx^!iVdgLZH`Fk7K=-)EW 
zZ<3p$^M)nHO6-5-4IjWVNLe%^)dg>u+9pp_tHxf{=>8qdv35L?tL;aI8A91wzsrn# z+PE%l&`GuL4Y1b#UQp|wC$gQ8AF`cro5@t$5jy8(vDQETqiL$n%n*BAdfH)%6OO@0kH0;Rz5R~6eMQ3Osmu8B zNzFXQJ0*Wp^cdCzz4hj8@LTt}Z#AykcAL*vZp2Jd8^0mwjR`9)sH4Wy5*=L98Rr?f zAmm}tPASyyN|2XmNOyb6g=oDR!ztekb0*M^N!}V`dnUz3?tg=`qx<@Wz5ka#vga?h z&-QIQ_xJzaU44K3!{GaWS6{#X_gQ`}(SE%A^@4wW(TBbcibEoKX!$4X)`yRLQK~<7 zYJ#UQZ>~VUTppVGGD|nOW?wR#%Zu+$&dW`pzPN&&|pz_cuN6h579Zo zE!lR!yj-w~@Ge@Wf`}%m{_B4(|NA?3a@YfuA^8Gz@i$Z-0n`)KB3J-* z$!h&8CTjHt6#+&jNJ-To`o(v@;ui$`g~)%tMKBI5a=-c``&XLMzAgidkw;Uars9~-ps)n8S#KS!w#@L0YA<^c%P28{zpyS7u#2lS4fuG?2By(WJEdC- zZIbmwFi9|HDjV=v<$k@W(s+_dHUfvPUchUX!8_--Y?curU%i-}+e`%=M4l;n41g7z pZGr}%PiLt>yLmW5lYD8X%-5fav1gJ6#@RhAk^}BO z91!d-a33yr9krzH)>?0o)P6Z*_P1YE@kJCxQj}Vr@gBxN;;~fqkSvnLVzF3?%AyU^ zBB?LZ?KjW#^A3J~_~8TozWT%W@6_M$^ZtkTS6AO$y}$Z@@ZtUShwtCR^Q-sQ@7{kC zynC(+sXvFN4eKEICcCS{O%hq@#@_#v{;XcV4t{J7c^=k}fBM@#3Cb!d&YSX3M@bM? zRhC9!o0dfoiGdO%#SVU7{CFwYRsiDn(<=@BIQiFyBs#Q-f}R#ZyH_8?We)$iAl6HT zH~6s%>o5<0iZD<9_=-`z`qQ9T0Vlj3u`3p1WDxw-(HhK0&)RqleGfv0ppXS115iA*}cdw|Nip}S!c;& zuhMv$jZ_~Bi^2h@X2Rx=fQ%0pcX2dHeYeOF#zKB>i;wBCX_Gu^v#Gv1{oSERTM~cQ zQ4Blgn+j17>#Y>Y>m)02V+xW=VLZ{Bfd2?)-mTk`fmfhd?qjS8!!h_?l$w0RUx6GM z()%*P#VZu>1&n|HDY!qQi;|{sSj547otie2d6L7*_2nn^J;*4ZO$O9#KxlUcH17-ck1vRVxqjse4O2lg@z zLmLVWQGtJuJw(0Y#qf7kfg8J)D$K+g2x2mVp*v?{oM)i!8g*oO+W!WpbvOFA>Fy#a z?v_N|mrdI&4M_X71u^TSDYLr^l)xgetfv|<1UBVEvP|-LJ{4jkIMSz84VY0I^Sx{`syTHa_|cmn^35)$=c zbOC>_R$Cs~JFqVi-og3+wF-Fq$c;ieD}{n#?Is^@Kg{(mt;-^xv}t*s?xK1g>#eam z-bIhP-8;iw3)t!A7dzu~X3luJ0Yu2#6Kv9JkVep?yCTfkgbhC3OmoOUVYE7#2}Q-+ zCmSvV<@mxnC&u`>M^fWQDSH60&OmNq%}am&ofkWAzQIX2&aI4-aqpb)v!PlTIN5~5 ze_fSX8a>ho7fwO$1q@*Zv?AExOnE=zG<>tPvv(aH+C2~S9C&=`!+LD!&!e& zWd~5P-o}uZ5v*hSzMDQ_485rzRFQ*mQyz-Ap$UVhsmtgxb|5U_j|l7UsyOQmLT%xY z3YM?q%}!Va!{X5Z&({nl3otohL8~9D5}L~_)wEgmUd+N*SGwxXy;k8e{TLlP#Oq38 zy`fZ#Ioah$KvG-#EG@;9vj#~9kux&=GnO8k%Q&`1gSE<9b!{*O%p_sScuD$v3 zw=wKjiJ&yaW$~rgXl%RBT_SQDjNBd~nnmKt8d|X$I!9(sgl&mN&L(WqsK0-J3iiw&m?qQ+f3|_&EWbni31ZnzJHR7AH-_Lu@J@T$5mk3REY!-zT64 
zYc-rCB=cDKiOHLrWx?Nm`X#8!x|K0F71xst9UIdgig2U0Rc_6|Tz`KXY{RTc&a^7= z8ZoP$A0w)sekeWXf#18jJXFCccT1gdE$vYYZj>>At{%3X3^X?laiJlr0(79$@a|I! zW1J%L;xNfUJu{_!YADHd!I`W2=CJwu8Vt8+k1D-W`X)HZgzDUrLpn4})w9>mwYIHP zLqc7|xZPk{Y&f+pYPNp~?~9l{8}y3mG#t`<^^4Ojcc!#UaZvQ*L{58ehht2-v-?$4 z!kqYB2^5#v3vLWi>cfe!C2@dE<^nxLKG^%6>ik1o;kxf5cP9<3p8RiWy3y@#Jlg1E zisKH3n28{zQ=Q9%HmD#!BGDsnPBkXS?9Z!#2Ea$MXW$PFvB!VvM8*Tt0X92Gmgw-O z9e>-{MimXX;ixi?QuFzUhN?Tq`rt!XowW>|bXb&fjL|QpcTgtIBjm$VBf=0~#Ax=h zyAV$nuGv1G4q1j^JYu7dC8H3T5b_ebjNB`y14e_OVO1T7m!93M&<|ZCE&Y9}v*22q zZsTNo`ddP4-Wq?*d)$h=<`Lnz0K~^EL$KF-7n}#UYhcpfr@K9@ytD!Dmz=SE|6&E> zHbyOTvL)16G@w7iEMWE+ykb5w)56~*+4f@;R^cYi()KZU3Zi{^Uj(-)7(iS27v8XJ zk~WQl{I)3L0K0|`@aSKgw2<-l^q>yGrb*f@K;nY8#^8S|O8@lfW~>%q#fSs@I?2F3 z&hWr~gh}j?{{e+YhZ=@XJI>QLI7g_rF@`0LlcAH5W<`;xyc8P~z<@NLQ`o5{d(WG&F1ylRAyopuml0 z)|q6%fjf}}0^YAw51^n!j=r(`2FYDV2Ap5tnO16hAdqjsjNFXoo$Qxe- z_ero1;g2xbBq)HODYFB5aDnSTIRWy-B^_aIOKb;p?pqe&a$g>@m=}(J=de73xdi*c z1OS}jIoy59egWZ)Cqw7&5FU_DBxDL09U__uf#G%<8_WBJ{so&IF=P7n+;!F$^QM3E zMC{4a+ZVs@tMr=e8nk87A1UyWYbZwx-538D!TYy?J0_m95OM4LIm?)Aa8D`2XBE+y z$Z%Gcj~n+PmaFuw>T;htO<3DhvtnLzWafa*VK!ryxe_zZ9V{N0lLvIpMFD$2Z*@f1V(X&MHy?KB{KhVd}VlQwqmrJmszX<>hSV~mvk z_!Eyd;71kxpaWxDx<~|K#Atfl8n+lxZ`RMZAoL{T(cUb~ih{n)wk~-rkdF*7AEq654xw>N!uG-nyskExYqT(a zlIcgxZ}^6`d8{<{(BP%C9FPBfAX&BtujU;J^22C;Yg>1r3yDdeqRX9awQRVjIa%Oes$UM#4Bcdex;0!3j^T z&YPWux@^e3#zA2Ru#~!m$zNv8NZ(kP(~4P$^SJSAuXju>dWAPpd^3#K>>*-T zVe$5sf2i_5o+y99nAr**@x^LTCGh59v_|)7oyH0M!J?YIa443hXy#PmTH&=&e!EE7r4Jn;;#1#T6yWx>H zuC~aH*7|{MJpG8t$+CzahL)`T0j6WNaX@>{WM&C7spQounkK+Wf&mA|ww;R>>2g@B@qzig|G;(146W>ID0N8(Ltn zQ}2H^iqLlrJhX4u=^iulT+x7$*OzUsfR3eZ*YYp%sV65-yg8ut5u&-cOKpp$ydUAS zSCzDEYBHxo}olK z3+__rRPv*4*(K^umBJH89W+8m12sw(=Hq|#25TH{J#iwJu);R6PLu`ANkl97SaUjK zp6cc><=?mj-h}xk)I=Vo-l8N@ukInrX;LSaaj}!Q#_DVp0?)WZ!q~$9w(>JsT}9Y) zM>~z=j@lUM-7OU?G<+C`lTeH_4^k4~c%{v5KEzPS_1uAfNNlwD0>$8R@Unf;(D6QGj&hfeTY<@-^33#3EXr@4kCjCQtd(~HPpeacJ`I}>iP zIxex6vrV3v%i_WfD>~kw4sssC3Q7@j<6Z|XrR}QDl!1R+9SjzBTIPAU53Tt0JuXXq 
zSsEl^7`TX-#nBymp`~J3)|^S^{j7fw6MYV%O$(d*j3rVumAp;s9B z*>cLd7G|Or@r}Op!sP2Q&>*yMy{6=$*+awux=#nJd)me9GZuNzWUl5BZ7zRVWo#60 zrci52wQWO%7(lOtcofCyF~3YoNn$M;&F;}RRM?QNhMkR`^oYCbeeMx**sMXmr_O31 zX^dp%uiQM*w@ydT7EFdwS6bAiFBE3cjAREYTR+k$bXbCVVZJd+lk+5Do?>H$B+AKm z%w1SlqQAjcER3^dP>f7IJe7Z6i45lmjuB3uPU=n-t>=b@{K)1>?^hxpr-lG|7_Dl! zF^*hq3Fk!^&+P3>D(AAV(n_jlo6SMwo#7!dm6sqORFBGA-_>tjlw`(rsO&NOc2O^^ z)s5U~mcITXy?HjK%EgzuI^}KCYoeaIl61ta&q}AQCOBi?2N}t7##4W3&PceWa!yPy zCCzXPoD#qwQ>opk*!cq*i1>J1l)=AF-9=IphHPM9*-tT zXDYl_*LJUipIE-b?2&(Ey-3*yc3{y4a~hTL1%8MyFxaj#iGNqWGoJT?rQ}qLWlz}R zfVL-DXE*xg2`#}VOQTPKhP27Odq(`Oh1Z>=IX5m``-{bZMsq|C8zJs}m=+9Pl)hlF zM4aX|#>{dZ^z#P>H~lG<*1sF3lyDODJpSb8*N(0v;fSr#dq#f~Mc?SRdJM5KESMi1 z7bQCw)pABNuN{womB|bF*=)}xDkzPEn1{Wx>p#+|p+`(O0vjB09jC%-c>XDn+1l^4mZubI z3@g)a&-1MWNXmrXN^(wDj)~q5KpdqFmmH6*5}rsyap^Sbg80OOodbTjMy)d5`)FeO zX58*}@i_jm98Y%yy{Iz%u-+JzrX8ePmHaati~AmjPdEl2J^uDM_VzpO_7w@Ar!M2i zCpGgJ@05Q`(PLN>^wyiV!EfE?zSX#D+igByxe+r-ZTyCyHzusKppF_(OLTBaXPjr` zf{=$nJEc&+D?whOA>HjM7ozoQ45xfE%$YztCV6X&?U@uCx&IB$j_&Ih_Wob~$ezF0 zKHInL+~5DZdiUY_d;R-=SAY2W{lCxhbBXrj<*$Di?2A71bx<4<$wSLOVYfbfSIq=FTjhDh}RKR6sQD1v3-bG3Y%T0m~nr}_{?|CXq`Rp7= zPg{|rmz#{jnKeB(NDedbrz!-TnbsV|y zc-r2HgTMpv`UuDlvy)ur2d+>P#{=Tmj`-oR$=;9sL*)OL$zBmXR$YU2+#d zGPS?V-G7u4c4{h)`3wq6Ae;5p(Q3;Kzo_=I7qN^I6Zi}3G6B1|O4ERk*KA-K&9q!o zy3i(BPXv<$bEdKZk5%s1izSV5%SfG*}2VB&_U#xqQ?MO qvDqeQ0Qz*63bdPtBQ(jEcFKJH`TFzq=j+dB`1wD1TK!D`$N&HqzzOpJ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4bbdffa6..a46284e6 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6849,7 +6849,7 @@ index b31c05491..3ad1127cc 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285ea6..732931f47 100644 +index 76f285ea6..917fc3cc5 100644 --- a/policy/modules/kernel/devices.if 
+++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8135,7 +8135,7 @@ index 76f285ea6..732931f47 100644 ') ######################################## -@@ -3669,6 +4404,7 @@ interface(`dev_read_sound_mixer',` +@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8143,7 +8143,15 @@ index 76f285ea6..732931f47 100644 ') ######################################## -@@ -3855,7 +4591,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',` + ') + + read_chr_files_pattern($1, device_t, sound_device_t) ++ allow $1 sound_device_t:chr_file map; + ') + + ######################################## +@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ##
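Review bot: The `++ allow $1 sound_device_t:chr_file map;` added to `dev_read_sound_mixer` (and, per the renumbered `@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',`` hunk, apparently also to `dev_read_sound`, though that added line is not visible in this extraction) only permits read-only mappings, because `map` is checked on top of the `read`/`write` permissions matching the mapping's protection and no write-side sound interface is touched here. If the denial that motivated this came from a client mapping the ALSA device for playback (`PROT_WRITE` on a `MAP_SHARED` mapping), the caller will still be denied on `write` and the rw/write sound interface needs `map` as well — worth confirming against the original AVC. A caller reading the interface summary will not expect a mapping grant from a "read" interface; add a one-line comment such as `# map: clients mmap the ALSA/OSS device buffers` next to the new allow so the widening is documented.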

@@ -8152,7 +8160,7 @@ index 76f285ea6..732931f47 100644 ## ## ## -@@ -3863,91 +4599,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -8263,7 +8271,7 @@ index 76f285ea6..732931f47 100644 ## ## ## -@@ -3955,60 +4689,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -8500,7 +8508,7 @@ index 76f285ea6..732931f47 100644 read_lnk_files_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t) -@@ -4016,6 +4905,81 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -8582,7 +8590,7 @@ index 76f285ea6..732931f47 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +5077,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +5078,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -8608,7 +8616,7 @@ index 76f285ea6..732931f47 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5106,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5107,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` @@ -8617,7 +8625,7 @@ index 76f285ea6..732931f47 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5392,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -8629,7 +8637,7 @@ index 76f285ea6..732931f47 100644 ## ## ## -@@ -4419,17 +5402,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -8652,7 +8660,7 @@ index 76f285ea6..732931f47 100644 ## ## ## -@@ -4437,12 +5420,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',` ## ## # 
@@ -8668,7 +8676,7 @@ index 76f285ea6..732931f47 100644 ') ######################################## -@@ -4539,6 +5522,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -8803,7 +8811,7 @@ index 76f285ea6..732931f47 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5668,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -8828,7 +8836,7 @@ index 76f285ea6..732931f47 100644 ## Read and write VMWare devices. ## ## -@@ -4589,7 +5718,7 @@ interface(`dev_rwx_vmware',` +@@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',` ') dev_rw_vmware($1) @@ -8837,7 +8845,7 @@ index 76f285ea6..732931f47 100644 ') ######################################## -@@ -4630,6 +5759,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',` ######################################## ## @@ -8862,7 +8870,7 @@ index 76f285ea6..732931f47 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5909,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8907,7 +8915,7 @@ index 76f285ea6..732931f47 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4794,7 +5979,7 @@ interface(`dev_rwx_zero',` +@@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',` ') dev_rw_zero($1) @@ -8916,7 +8924,7 @@ index 76f285ea6..732931f47 100644 ') ######################################## -@@ -4851,3 +6036,1042 @@ interface(`dev_unconfined',` +@@ -4851,3 +6037,1042 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -28908,7 +28916,7 @@ index 8274418c6..a47fd0b4d 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + 
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc2d..e6be63aa8 100644 +index 6bf0ecc2d..29db5fd25 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ @@ -29625,7 +29633,7 @@ index 6bf0ecc2d..e6be63aa8 100644 + type xdm_var_lib_t; + ') + -+ allow $1 xdm_var_lib_t:file read_inherited_file_perms; ++ allow $1 xdm_var_lib_t:file { read_inherited_file_perms map }; ') ######################################## @@ -40037,7 +40045,7 @@ index b50c5fe81..9eacd9ba1 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e9488463..7b395456f 100644 +index 4e9488463..5f5045ae1 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -40361,7 +40369,13 @@ index 4e9488463..7b395456f 100644 ') ######################################## -@@ -885,6 +1107,63 @@ interface(`logging_read_generic_logs',` +@@ -880,11 +1102,69 @@ interface(`logging_read_generic_logs',` + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; ++ allow $1 var_log_t:file map; + read_files_pattern($1, var_log_t, var_log_t) + ') ######################################## ## @@ -40425,7 +40439,7 @@ index 4e9488463..7b395456f 100644 ## Write generic log files. ## ## -@@ -905,6 +1184,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1185,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -40450,7 +40464,7 @@ index 4e9488463..7b395456f 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1281,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1282,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; 
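Review bot: `++ allow $1 var_log_t:file map;` in `logging_read_generic_logs` grants `map` on every `var_log_t` file to every domain that calls this very widely used interface, which is broader than the "allow map permission where needed" the commit message describes. Because only `read` accompanies it, the mappings are read-only, so the exposure is bounded, but a mapping is checked once at mmap time and keeps the contents readable regardless of later relabels or policy changes. The contrib half of this same commit calls a dedicated `logging_mmap_generic_logs(...)` for the one domain that needs it (abrt_dump_oops_t); if that interface exists in logging.if, prefer it and drop this line from the generic read interface, e.g. `read_files_pattern($1, var_log_t, var_log_t)` left as is with no `map`. The enclosing interface body begins before this hunk.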
@@ -40468,7 +40482,7 @@ index 4e9488463..7b395456f 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1306,55 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1307,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -40524,7 +40538,7 @@ index 4e9488463..7b395456f 100644 ') ######################################## -@@ -1032,10 +1383,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1384,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -40542,7 +40556,7 @@ index 4e9488463..7b395456f 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1413,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1414,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -40551,7 +40565,7 @@ index 4e9488463..7b395456f 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1443,110 @@ interface(`logging_admin',` +@@ -1085,3 +1444,110 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -40663,7 +40677,7 @@ index 4e9488463..7b395456f 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..2ad89c533 100644 +index 59b04c1a2..483fb780e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) 
@@ -40947,7 +40961,7 @@ index 59b04c1a2..2ad89c533 100644 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) -@@ -389,30 +456,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +456,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -40964,6 +40978,7 @@ index 59b04c1a2..2ad89c533 100644 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) -files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) ++mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) +kernel_rw_stream_socket_perms(syslogd_t) @@ -40998,7 +41013,7 @@ index 59b04c1a2..2ad89c533 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +506,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +507,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -41007,7 +41022,7 @@ index 59b04c1a2..2ad89c533 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +518,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +519,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) 
@@ -41041,7 +41056,7 @@ index 59b04c1a2..2ad89c533 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +557,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +558,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -41059,7 +41074,7 @@ index 59b04c1a2..2ad89c533 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +579,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +580,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -41075,7 +41090,7 @@ index 59b04c1a2..2ad89c533 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +611,7 @@ optional_policy(` +@@ -497,6 +612,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -41083,7 +41098,7 @@ index 59b04c1a2..2ad89c533 100644 ') optional_policy(` -@@ -507,15 +622,44 @@ optional_policy(` +@@ -507,15 +623,44 @@ optional_policy(` ') optional_policy(` @@ -41128,7 +41143,7 @@ index 59b04c1a2..2ad89c533 100644 ') optional_policy(` -@@ -526,3 +670,29 @@ optional_policy(` +@@ -526,3 +671,29 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -46632,10 +46647,10 @@ index 000000000..121b42208 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 000000000..d1356af89 +index 000000000..278a1f69b --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1842 @@ +@@ -0,0 +1,1843 @@ +## SELinux policy for systemd components + +###################################### 
@@ -48435,6 +48450,7 @@ index 000000000..d1356af89 + + files_search_etc($1) + manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t) ++ mmap_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t) + allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto}; + files_etc_filetrans($1, systemd_hwdb_etc_t, file) +') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 5fbe0bc6..6703246f 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f070f..4e5a59207 100644 +index eb50f070f..53dd1ab4d 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -738,7 +738,7 @@ index eb50f070f..4e5a59207 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -125,48 +136,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -748,6 +748,7 @@ index eb50f070f..4e5a59207 100644 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) ++mmap_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) +files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt") 
@@ -805,7 +806,7 @@ index eb50f070f..4e5a59207 100644 domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) -@@ -176,29 +198,44 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +199,44 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -853,7 +854,7 @@ index eb50f070f..4e5a59207 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +243,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +244,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -870,7 +871,7 @@ index eb50f070f..4e5a59207 100644 ') optional_policy(` -@@ -222,6 +255,37 @@ optional_policy(` +@@ -222,6 +256,37 @@ optional_policy(` ') optional_policy(` @@ -908,7 +909,7 @@ index eb50f070f..4e5a59207 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,18 +298,25 @@ optional_policy(` +@@ -234,18 +299,25 @@ optional_policy(` ') optional_policy(` @@ -937,7 +938,7 @@ index eb50f070f..4e5a59207 100644 optional_policy(` sosreport_domtrans(abrt_t) -@@ -253,9 +324,21 @@ optional_policy(` +@@ -253,9 +325,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -960,7 +961,7 @@ index eb50f070f..4e5a59207 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +349,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +350,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
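Review bot: `++logging_mmap_generic_logs(abrt_dump_oops_t)` duplicates a permission this same commit already gives via the retained context line `logging_read_generic_logs(abrt_dump_oops_t)`, since the base patch now adds `allow $1 var_log_t:file map;` inside `logging_read_generic_logs`; keep one of the two so the grant has a single source. Neither `logging_mmap_generic_logs` nor `logging_mmap_journal` is defined anywhere in the logging.if hunks of this commit, so if they are not already present in policy-rawhide-base.patch the contrib abrt module will fail to build against the base policy — please confirm. `logging_mmap_journal` also lets a crash-handling helper map the journal, which is reasonable for reading oops records but deserves a comment like `# abrt-dump-journal-oops mmaps journal files` next to the call.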
@@ -975,7 +976,7 @@ index eb50f070f..4e5a59207 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +368,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +369,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -983,7 +984,7 @@ index eb50f070f..4e5a59207 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +377,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +378,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -1004,7 +1005,7 @@ index eb50f070f..4e5a59207 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +398,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +399,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1031,7 +1032,7 @@ index eb50f070f..4e5a59207 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +434,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +435,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1045,7 +1046,7 @@ index eb50f070f..4e5a59207 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +452,11 @@ optional_policy(` +@@ -343,10 +453,11 @@ optional_policy(` ####################################### # 
@@ -1059,7 +1060,7 @@ index eb50f070f..4e5a59207 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +475,84 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +476,86 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1135,6 +1136,8 @@ index eb50f070f..4e5a59207 100644 logging_read_generic_logs(abrt_dump_oops_t) +logging_read_syslog_pid(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t) ++logging_mmap_generic_logs(abrt_dump_oops_t) ++logging_mmap_journal(abrt_dump_oops_t) + +init_read_var_lib_files(abrt_dump_oops_t) + @@ -1148,7 +1151,7 @@ index eb50f070f..4e5a59207 100644 ####################################### # -@@ -404,25 +560,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +563,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1211,7 +1214,7 @@ index eb50f070f..4e5a59207 100644 ') ####################################### -@@ -430,10 +621,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +624,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -10663,7 +10666,7 @@ index c723a0ae0..1c29d21e7 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 851769e55..4b11e9620 100644 +index 851769e55..4bb326132 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t) 
@@ -10683,7 +10686,7 @@ index 851769e55..4b11e9620 100644 dontaudit bluetooth_t self:capability sys_tty_config; allow bluetooth_t self:process { getcap setcap getsched signal_perms }; allow bluetooth_t self:fifo_file rw_fifo_file_perms; -@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) +@@ -78,10 +81,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) @@ -10693,7 +10696,11 @@ index 851769e55..4b11e9620 100644 manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) -@@ -90,27 +94,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) ++mmap_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) + files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } ) + + manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) +@@ -90,27 +95,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) can_exec(bluetooth_t, bluetooth_helper_exec_t) @@ -10736,7 +10743,7 @@ index 851769e55..4b11e9620 100644 fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) -@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t) +@@ -122,7 +137,6 @@ auth_use_nsswitch(bluetooth_t) logging_send_syslog_msg(bluetooth_t) @@ -10744,7 +10751,7 @@ index 851769e55..4b11e9620 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +@@ -130,6 +144,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) 
@@ -10755,7 +10762,7 @@ index 851769e55..4b11e9620 100644 optional_policy(` dbus_system_bus_client(bluetooth_t) dbus_connect_system_bus(bluetooth_t) -@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t) +@@ -200,7 +218,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t) @@ -33889,7 +33896,7 @@ index e39de436a..5edcb8330 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d6195..72d67c2cb 100644 +index ab09d6195..0007f00b3 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -34307,7 +34314,7 @@ index ab09d6195..72d67c2cb 100644 + ') + + allow $1 gnome_home_type:dir manage_dir_perms; -+ allow $1 gnome_home_type:file manage_file_perms; ++ allow $1 gnome_home_type:file { manage_file_perms map }; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; + allow $1 gnome_home_type:sock_file manage_sock_file_perms; + userdom_search_user_home_dirs($1) @@ -34543,7 +34550,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',` +@@ -433,17 +519,19 @@ interface(`gnome_home_filetrans',` ## ## # @@ -34557,6 +34564,7 @@ index ab09d6195..72d67c2cb 100644 - allow $1 gconf_home_t:dir create_dir_perms; + append_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) ++ allow $1 gnome_home_t:file { read_file_perms map }; ') ######################################## @@ -34566,7 +34574,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -451,23 +539,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # 
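Review bot: `++ allow $1 gnome_home_t:file { read_file_perms map };` is added to an interface whose only other rules are `append_files_pattern($1, cache_home_t, cache_home_t)` and `userdom_search_user_home_dirs($1)`, so callers that ask to append to cache files now also get read and map of every `gnome_home_t` file; the interface's new name is not visible in this hunk, but if it is an append-cache interface this grant belongs in a separate read/mmap interface rather than here. The rewritten `gen_require(` block's contents are not shown either; it must declare `type gnome_home_t;` alongside `cache_home_t`, or the module will not compile. If the grant is intentional, add a why-comment such as `# gnome_home_t: libraries under ~/.local/share are mmap'd by the caller — confirm` so the next reader does not take it for a paste error. The icc hunk in the same file (`++ allow $1 icc_data_home_t:file map;`) is consistent with the read-only pattern it follows and needs no change.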
@@ -34594,7 +34602,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -475,22 +558,18 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -34621,7 +34629,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',` +@@ -498,79 +577,59 @@ interface(`gnome_manage_generic_gconf_home_content',` ## ## # @@ -34719,7 +34727,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -579,12 +638,12 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## ## @@ -34734,7 +34742,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -593,18 +652,18 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## # @@ -34759,7 +34767,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -612,46 +670,80 @@ interface(`gnome_gconf_home_filetrans',` +@@ -612,46 +671,81 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -34844,6 +34852,7 @@ index ab09d6195..72d67c2cb 100644 - allow $1_gkeyringd_t $2:dbus send_msg; + userdom_search_user_home_dirs($1) + allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; ++ allow $1 icc_data_home_t:file map; + list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) + read_files_pattern($1, icc_data_home_t, icc_data_home_t) + read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) @@ -34857,7 +34866,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -659,46 +751,64 @@ interface(`gnome_dbus_chat_gkeyringd',` +@@ -659,46 +753,64 @@ interface(`gnome_dbus_chat_gkeyringd',` ## ## # @@ -34939,7 +34948,7 @@ index ab09d6195..72d67c2cb 100644 ## ## ## -@@ -706,12 +816,1003 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +818,1003 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # 
@@ -60092,7 +60101,7 @@ index 94b973407..448a7e836 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29dfa..c7d9376d5 100644 +index 86dc29dfa..cb39739a5 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -60262,10 +60271,21 @@ index 86dc29dfa..c7d9376d5 100644 ## ## ## -@@ -211,9 +259,30 @@ interface(`networkmanager_read_lib_files',` - read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +@@ -189,6 +237,7 @@ interface(`networkmanager_manage_lib_files',` + + files_search_var_lib($1) + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++ allow $1 NetworkManager_var_lib_t:file map; ') + ######################################## +@@ -209,11 +258,33 @@ interface(`networkmanager_read_lib_files',` + files_search_var_lib($1) + list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++ allow $1 NetworkManager_var_lib_t:file map; ++') ++ +####################################### +## +## Read NetworkManager conf files. @@ -60285,8 +60305,8 @@ index 86dc29dfa..c7d9376d5 100644 + allow $1 NetworkManager_etc_t:dir list_dir_perms; + read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) + read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t) -+') -+ + ') + ######################################## ## -## Append networkmanager log files. @@ -60294,7 +60314,7 @@ index 86dc29dfa..c7d9376d5 100644 ## ## ## -@@ -221,19 +290,18 @@ interface(`networkmanager_read_lib_files',` +@@ -221,19 +292,18 @@ interface(`networkmanager_read_lib_files',` ## ## # 
@@ -60319,18 +60339,17 @@ index 86dc29dfa..c7d9376d5 100644 ## ## ## -@@ -241,13 +309,66 @@ interface(`networkmanager_append_log_files',` +@@ -241,13 +311,66 @@ interface(`networkmanager_append_log_files',` ## ## # -interface(`networkmanager_read_pid_files',` +interface(`networkmanager_manage_pid_files',` - gen_require(` - type NetworkManager_var_run_t; - ') - - files_search_pids($1) -- allow $1 NetworkManager_var_run_t:file read_file_perms; ++ gen_require(` ++ type NetworkManager_var_run_t; ++ ') ++ ++ files_search_pids($1) + manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) +') + @@ -60345,11 +60364,12 @@ index 86dc29dfa..c7d9376d5 100644 +## +# +interface(`networkmanager_manage_pid_sock_files',` -+ gen_require(` -+ type NetworkManager_var_run_t; -+ ') -+ -+ files_search_pids($1) + gen_require(` + type NetworkManager_var_run_t; + ') + + files_search_pids($1) +- allow $1 NetworkManager_var_run_t:file read_file_perms; + manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) +') + @@ -60388,7 +60408,7 @@ index 86dc29dfa..c7d9376d5 100644 ') #################################### -@@ -272,14 +393,33 @@ interface(`networkmanager_stream_connect',` +@@ -272,14 +395,33 @@ interface(`networkmanager_stream_connect',` ######################################## ## @@ -60424,7 +60444,7 @@ index 86dc29dfa..c7d9376d5 100644 ## ## ## Role allowed access. -@@ -287,33 +427,190 @@ interface(`networkmanager_stream_connect',` +@@ -287,33 +429,194 @@ interface(`networkmanager_stream_connect',` ## ## # 
@@ -60470,10 +60490,12 @@ index 86dc29dfa..c7d9376d5 100644 - admin_pattern($1, NetworkManager_log_t) + allow $1 NetworkManager_log_t:dir list_dir_perms; + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) -+') ++ allow $1 NetworkManager_var_lib_t:file map; - files_search_var_lib($1) - admin_pattern($1, NetworkManager_var_lib_t) ++') ++ +####################################### +## +## Allow the specified domain to manage @@ -60491,6 +60513,8 @@ index 86dc29dfa..c7d9376d5 100644 + ') + + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++ allow $1 NetworkManager_var_lib_t:file map; ++ +') + +####################################### @@ -93498,7 +93522,7 @@ index ebe91fc70..6ba4338cb 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b22507..b15d901a4 100644 +index ef3b22507..d2b4c1697 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -93903,10 +93927,11 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -459,11 +585,12 @@ interface(`rpm_read_db',` +@@ -459,11 +585,13 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) ++ allow $1 rpm_var_lib_t:file map; + rpm_read_cache($1) ') @@ -93917,7 +93942,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -482,8 +609,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +610,7 @@ interface(`rpm_delete_db',` ######################################## ## 
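Review bot: On the new side of the `@@ -60470,10 +60490,12 @@` hunk, `allow $1 NetworkManager_var_lib_t:file map;` sits between `append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)` and the `')` that closes the interface, so an interface that otherwise only appends to `NetworkManager_log_t` hands out `map` on the lib type; the interface's signature and `gen_require` lie outside the hunk, so I cannot see whether `NetworkManager_var_lib_t` is required there. The lib-side interfaces already receive this permission in the `@@ -189,6 +237,7` and `@@ -209,11 +258,33` inner hunks and again in the `@@ -60491,6 +60513,8 @@` hunk that follows, so this line reads as a stray copy and I would drop it here. If it is intentional, `map` without `read_file_perms` on the same type is of no use to a log-appending caller, and it should be spelled `mmap_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)` to match the sssd and bluetooth hunks in this same commit.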
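Review bot: In the `@@ -60491,6 +60513,8 @@` hunk the added `++ allow $1 NetworkManager_var_lib_t:file map;` is followed by an added empty line before the existing `')`, which leaves a blank line as the last statement of the interface body; the rest of the file closes interfaces directly after the last rule. I would drop the blank line and, for consistency with the `mmap_files_pattern` calls this commit adds in sssd.if and sssd.te, write the grant as `mmap_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)`. The interface's signature is outside the hunk.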
@@ -93927,10 +93952,15 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -503,8 +629,28 @@ interface(`rpm_manage_db',` - - ######################################## - ## +@@ -499,12 +626,33 @@ interface(`rpm_manage_db',` + files_search_var_lib($1) + manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) ++ allow $1 rpm_var_lib_t:file map; ++') ++ ++######################################## ++## +## Do not audit attempts to create, read,the RPM package database. +## +## @@ -93947,17 +93977,17 @@ index ef3b22507..b15d901a4 100644 + dontaudit $1 rpm_var_lib_t:dir list_dir_perms; + dontaudit $1 rpm_var_lib_t:file read_file_perms; + dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## ## Do not audit attempts to create, read, -## write, and delete rpm lib content. +## write, and delete the RPM package database. ## ## ## -@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,9 +665,10 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -93965,8 +93995,11 @@ index ef3b22507..b15d901a4 100644 + dontaudit $1 rpm_var_lib_t:dir manage_dir_perms; dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ++ dontaudit $1 rpm_var_lib_t:file map; ') -@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',` + + ##################################### +@@ -543,8 +692,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -93976,7 +94009,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +711,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## 
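Review bot: In the `@@ -93965,8 +93995,11 @@` hunk the new `dontaudit $1 rpm_var_lib_t:file map;` duplicates the target of the line two above it, `dontaudit $1 rpm_var_lib_t:file manage_file_perms;`, whereas the gnome.if hunk in this same commit folds the permission into the existing rule as `{ manage_file_perms map }`. I would do the same here, `dontaudit $1 rpm_var_lib_t:file { manage_file_perms map };`, so the dontaudit set for the type stays in one place and the two files read consistently. The enclosing `rpm_dontaudit_manage_db` interface starts outside the hunk.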
@@ -93986,7 +94019,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',` +@@ -573,43 +720,54 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -94058,7 +94091,7 @@ index ef3b22507..b15d901a4 100644 ## ## ## -@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` +@@ -617,22 +775,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` ## ## ## @@ -94127,7 +94160,7 @@ index ef3b22507..b15d901a4 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) -@@ -641,9 +831,6 @@ interface(`rpm_admin',` +@@ -641,9 +834,6 @@ interface(`rpm_admin',` admin_pattern($1, rpm_file_t) @@ -106555,7 +106588,7 @@ index dbb005aca..2655c75ab 100644 +/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a24045518..aac25848d 100644 +index a24045518..8e00992e4 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -106736,13 +106769,14 @@ index a24045518..aac25848d 100644 ') ######################################## -@@ -131,14 +171,13 @@ interface(`sssd_read_public_files',` +@@ -131,14 +171,14 @@ interface(`sssd_read_public_files',` ') sssd_search_lib($1) - allow $1 sssd_public_t:dir list_dir_perms; + list_dirs_pattern($1, sssd_public_t, sssd_public_t) read_files_pattern($1, sssd_public_t, sssd_public_t) ++ mmap_files_pattern($1, sssd_public_t, sssd_public_t) ') -####################################### @@ -106754,7 +106788,7 @@ index a24045518..aac25848d 100644 ## ## ## -@@ -146,18 +185,55 @@ interface(`sssd_read_public_files',` +@@ -146,18 +186,55 @@ interface(`sssd_read_public_files',` ## ## # @@ -106813,7 +106847,7 @@ index a24045518..aac25848d 100644 ## ## ## -@@ -176,8 +252,7 @@ interface(`sssd_read_pid_files',` +@@ -176,8 +253,7 @@ interface(`sssd_read_pid_files',` ######################################## ## 
@@ -106823,7 +106857,7 @@ index a24045518..aac25848d 100644 ## ## ## -@@ -216,8 +291,7 @@ interface(`sssd_search_lib',` +@@ -216,8 +292,7 @@ interface(`sssd_search_lib',` ######################################## ## @@ -106833,7 +106867,7 @@ index a24045518..aac25848d 100644 ## ## ## -@@ -235,6 +309,24 @@ interface(`sssd_dontaudit_search_lib',` +@@ -235,6 +310,24 @@ interface(`sssd_dontaudit_search_lib',` ######################################## ## @@ -106858,7 +106892,7 @@ index a24045518..aac25848d 100644 ## Read sssd lib files. ## ## -@@ -297,8 +389,7 @@ interface(`sssd_dbus_chat',` +@@ -297,8 +390,7 @@ interface(`sssd_dbus_chat',` ######################################## ## @@ -106868,7 +106902,7 @@ index a24045518..aac25848d 100644 ## ## ## -@@ -317,8 +408,130 @@ interface(`sssd_stream_connect',` +@@ -317,8 +409,130 @@ interface(`sssd_stream_connect',` ######################################## ## @@ -107001,7 +107035,7 @@ index a24045518..aac25848d 100644 ## ## ## -@@ -327,7 +540,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +541,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -107010,7 +107044,7 @@ index a24045518..aac25848d 100644 ## ## ## -@@ -335,27 +548,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +549,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -107052,10 +107086,10 @@ index a24045518..aac25848d 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1fa3..9b13b3058 100644 +index 2d8db1fa3..b4eaeb4cc 100644 --- a/sssd.te +++ b/sssd.te -@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) +@@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) 
@@ -107091,8 +107125,13 @@ index 2d8db1fa3..9b13b3058 100644 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -51,28 +63,28 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++mmap_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + + manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) + manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++mmap_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) @@ -107132,7 +107171,7 @@ index 2d8db1fa3..9b13b3058 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +95,36 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +97,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -107173,7 +107212,7 @@ index 2d8db1fa3..9b13b3058 100644 init_read_utmp(sssd_t) -@@ -112,18 +132,71 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +134,71 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index dc1602ba..02daddf0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 271%{?dist} +Release: 272%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -681,6 +681,13 @@ exit 0 %endif %changelog +* Tue Aug 15 2017 Lukas Vrabec - 3.13.1-272 +- Allow sssd_t domain to map sssd_var_lib_t files +- allow map permission where needed +- contrib: allow map permission where needed +- Allow syslogd_t to map syslogd_var_run_t files +- allow map permission where needed + * Mon Aug 14 2017 Lukas Vrabec - 3.13.1-271 - Allow tomcat_t domain couple capabilities to make working tomcat-jsvc - Label /usr/libexec/sudo/sesh as shell_exec_t