* Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272

- Allow sssd_t domain to map sssd_var_lib_t files
- allow map permission where needed
- contrib: allow map permission where needed
- Allow syslogd_t to map syslogd_var_run_t files
- allow map permission where needed
This commit is contained in:
Lukas Vrabec 2017-08-15 16:29:24 +02:00
parent c6aaaee231
commit 284401b055
4 changed files with 188 additions and 126 deletions

Binary file not shown.


@ -6849,7 +6849,7 @@ index b31c05491..3ad1127cc 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285ea6..732931f47 100644 index 76f285ea6..917fc3cc5 100644
--- a/policy/modules/kernel/devices.if --- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -8135,7 +8135,7 @@ index 76f285ea6..732931f47 100644
') ')
######################################## ########################################
@@ -3669,6 +4404,7 @@ interface(`dev_read_sound_mixer',` @@ -3633,6 +4368,7 @@ interface(`dev_read_sound',`
') ')
read_chr_files_pattern($1, device_t, sound_device_t) read_chr_files_pattern($1, device_t, sound_device_t)
@ -8143,7 +8143,15 @@ index 76f285ea6..732931f47 100644
') ')
######################################## ########################################
@@ -3855,7 +4591,7 @@ interface(`dev_getattr_sysfs_dirs',` @@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',`
')
read_chr_files_pattern($1, device_t, sound_device_t)
+ allow $1 sound_device_t:chr_file map;
')
########################################
@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -8152,7 +8160,7 @@ index 76f285ea6..732931f47 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3863,91 +4599,89 @@ interface(`dev_getattr_sysfs_dirs',` @@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8263,7 +8271,7 @@ index 76f285ea6..732931f47 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -3955,60 +4689,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` @@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8500,7 +8508,7 @@ index 76f285ea6..732931f47 100644
read_lnk_files_pattern($1, sysfs_t, sysfs_t) read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t)
@@ -4016,6 +4905,81 @@ interface(`dev_rw_sysfs',` @@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',`
######################################## ########################################
## <summary> ## <summary>
@ -8582,7 +8590,7 @@ index 76f285ea6..732931f47 100644
## Read and write the TPM device. ## Read and write the TPM device.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4113,6 +5077,25 @@ interface(`dev_write_urand',` @@ -4113,6 +5078,25 @@ interface(`dev_write_urand',`
######################################## ########################################
## <summary> ## <summary>
@ -8608,7 +8616,7 @@ index 76f285ea6..732931f47 100644
## Getattr generic the USB devices. ## Getattr generic the USB devices.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4123,7 +5106,7 @@ interface(`dev_write_urand',` @@ -4123,7 +5107,7 @@ interface(`dev_write_urand',`
# #
interface(`dev_getattr_generic_usb_dev',` interface(`dev_getattr_generic_usb_dev',`
gen_require(` gen_require(`
@ -8617,7 +8625,7 @@ index 76f285ea6..732931f47 100644
') ')
getattr_chr_files_pattern($1, device_t, usb_device_t) getattr_chr_files_pattern($1, device_t, usb_device_t)
@@ -4409,9 +5392,9 @@ interface(`dev_rw_usbfs',` @@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t) read_lnk_files_pattern($1, usbfs_t, usbfs_t)
') ')
@ -8629,7 +8637,7 @@ index 76f285ea6..732931f47 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4419,17 +5402,17 @@ interface(`dev_rw_usbfs',` @@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8652,7 +8660,7 @@ index 76f285ea6..732931f47 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -4437,12 +5420,12 @@ interface(`dev_getattr_video_dev',` @@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -8668,7 +8676,7 @@ index 76f285ea6..732931f47 100644
') ')
######################################## ########################################
@@ -4539,6 +5522,134 @@ interface(`dev_write_video_dev',` @@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',`
######################################## ########################################
## <summary> ## <summary>
@ -8803,7 +8811,7 @@ index 76f285ea6..732931f47 100644
## Allow read/write the vhost net device ## Allow read/write the vhost net device
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4557,6 +5668,24 @@ interface(`dev_rw_vhost',` @@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',`
######################################## ########################################
## <summary> ## <summary>
@ -8828,7 +8836,7 @@ index 76f285ea6..732931f47 100644
## Read and write VMWare devices. ## Read and write VMWare devices.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4589,7 +5718,7 @@ interface(`dev_rwx_vmware',` @@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',`
') ')
dev_rw_vmware($1) dev_rw_vmware($1)
@ -8837,7 +8845,7 @@ index 76f285ea6..732931f47 100644
') ')
######################################## ########################################
@@ -4630,6 +5759,24 @@ interface(`dev_write_watchdog',` @@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',`
######################################## ########################################
## <summary> ## <summary>
@ -8862,7 +8870,7 @@ index 76f285ea6..732931f47 100644
## Read and write the the wireless device. ## Read and write the the wireless device.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4762,6 +5909,44 @@ interface(`dev_rw_xserver_misc',` @@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',`
######################################## ########################################
## <summary> ## <summary>
@ -8907,7 +8915,7 @@ index 76f285ea6..732931f47 100644
## Read and write to the zero device (/dev/zero). ## Read and write to the zero device (/dev/zero).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -4794,7 +5979,7 @@ interface(`dev_rwx_zero',` @@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',`
') ')
dev_rw_zero($1) dev_rw_zero($1)
@ -8916,7 +8924,7 @@ index 76f285ea6..732931f47 100644
') ')
######################################## ########################################
@@ -4851,3 +6036,1042 @@ interface(`dev_unconfined',` @@ -4851,3 +6037,1042 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type; typeattribute $1 devices_unconfined_type;
') ')
@ -28908,7 +28916,7 @@ index 8274418c6..a47fd0b4d 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+ +
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc2d..e6be63aa8 100644 index 6bf0ecc2d..29db5fd25 100644
--- a/policy/modules/services/xserver.if --- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@ @@ -18,100 +18,36 @@
@ -29625,7 +29633,7 @@ index 6bf0ecc2d..e6be63aa8 100644
+ type xdm_var_lib_t; + type xdm_var_lib_t;
+ ') + ')
+ +
+ allow $1 xdm_var_lib_t:file read_inherited_file_perms; + allow $1 xdm_var_lib_t:file { read_inherited_file_perms map };
') ')
######################################## ########################################
@ -40037,7 +40045,7 @@ index b50c5fe81..9eacd9ba1 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ +
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e9488463..7b395456f 100644 index 4e9488463..5f5045ae1 100644
--- a/policy/modules/system/logging.if --- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -40361,7 +40369,13 @@ index 4e9488463..7b395456f 100644
') ')
######################################## ########################################
@@ -885,6 +1107,63 @@ interface(`logging_read_generic_logs',` @@ -880,11 +1102,69 @@ interface(`logging_read_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:file map;
read_files_pattern($1, var_log_t, var_log_t)
')
######################################## ########################################
## <summary> ## <summary>
@ -40425,7 +40439,7 @@ index 4e9488463..7b395456f 100644
## Write generic log files. ## Write generic log files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -905,6 +1184,24 @@ interface(`logging_write_generic_logs',` @@ -905,6 +1185,24 @@ interface(`logging_write_generic_logs',`
######################################## ########################################
## <summary> ## <summary>
@ -40450,7 +40464,7 @@ index 4e9488463..7b395456f 100644
## Dontaudit Write generic log files. ## Dontaudit Write generic log files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -984,11 +1281,16 @@ interface(`logging_admin_audit',` @@ -984,11 +1282,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t; type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t; type auditd_var_run_t;
type auditd_initrc_exec_t; type auditd_initrc_exec_t;
@ -40468,7 +40482,7 @@ index 4e9488463..7b395456f 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
@@ -1004,6 +1306,55 @@ interface(`logging_admin_audit',` @@ -1004,6 +1307,55 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r; role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r; allow $2 system_r;
@ -40524,7 +40538,7 @@ index 4e9488463..7b395456f 100644
') ')
######################################## ########################################
@@ -1032,10 +1383,15 @@ interface(`logging_admin_syslog',` @@ -1032,10 +1384,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t; type syslogd_initrc_exec_t;
') ')
@ -40542,7 +40556,7 @@ index 4e9488463..7b395456f 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
@@ -1057,6 +1413,8 @@ interface(`logging_admin_syslog',` @@ -1057,6 +1414,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1) logging_manage_all_logs($1)
@ -40551,7 +40565,7 @@ index 4e9488463..7b395456f 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t) init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
@@ -1085,3 +1443,110 @@ interface(`logging_admin',` @@ -1085,3 +1444,110 @@ interface(`logging_admin',`
logging_admin_audit($1, $2) logging_admin_audit($1, $2)
logging_admin_syslog($1, $2) logging_admin_syslog($1, $2)
') ')
@ -40663,7 +40677,7 @@ index 4e9488463..7b395456f 100644
+') +')
+ +
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1a2..2ad89c533 100644 index 59b04c1a2..483fb780e 100644
--- a/policy/modules/system/logging.te --- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@ -40947,7 +40961,7 @@ index 59b04c1a2..2ad89c533 100644
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
files_search_spool(syslogd_t) files_search_spool(syslogd_t)
@@ -389,30 +456,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) @@ -389,30 +456,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -40964,6 +40978,7 @@ index 59b04c1a2..2ad89c533 100644
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
+kernel_rw_stream_socket_perms(syslogd_t) +kernel_rw_stream_socket_perms(syslogd_t)
@ -40998,7 +41013,7 @@ index 59b04c1a2..2ad89c533 100644
# syslog-ng can listen and connect on tcp port 514 (rsh) # syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +506,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) @@ -422,6 +507,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to # Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_bind_syslogd_port(syslogd_t)
@ -41007,7 +41022,7 @@ index 59b04c1a2..2ad89c533 100644
corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +518,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) @@ -432,9 +519,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -41041,7 +41056,7 @@ index 59b04c1a2..2ad89c533 100644
domain_use_interactive_fds(syslogd_t) domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t) files_read_etc_files(syslogd_t)
@@ -448,13 +557,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) @@ -448,13 +558,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t) fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t) fs_search_auto_mountpoints(syslogd_t)
@ -41059,7 +41074,7 @@ index 59b04c1a2..2ad89c533 100644
# for sending messages to logged in users # for sending messages to logged in users
init_read_utmp(syslogd_t) init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +579,12 @@ init_use_fds(syslogd_t) @@ -466,11 +580,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense # cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t) logging_send_syslog_msg(syslogd_t)
@ -41075,7 +41090,7 @@ index 59b04c1a2..2ad89c533 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel # default gentoo syslog-ng config appends kernel
@@ -497,6 +611,7 @@ optional_policy(` @@ -497,6 +612,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cron_manage_log_files(syslogd_t) cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -41083,7 +41098,7 @@ index 59b04c1a2..2ad89c533 100644
') ')
optional_policy(` optional_policy(`
@@ -507,15 +622,44 @@ optional_policy(` @@ -507,15 +623,44 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -41128,7 +41143,7 @@ index 59b04c1a2..2ad89c533 100644
') ')
optional_policy(` optional_policy(`
@@ -526,3 +670,29 @@ optional_policy(` @@ -526,3 +671,29 @@ optional_policy(`
# log to the xconsole # log to the xconsole
xserver_rw_console(syslogd_t) xserver_rw_console(syslogd_t)
') ')
@ -46632,10 +46647,10 @@ index 000000000..121b42208
+/var/run/initramfs(/.*)? <<none>> +/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644 new file mode 100644
index 000000000..d1356af89 index 000000000..278a1f69b
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1842 @@ @@ -0,0 +1,1843 @@
+## <summary>SELinux policy for systemd components</summary> +## <summary>SELinux policy for systemd components</summary>
+ +
+###################################### +######################################
@ -48435,6 +48450,7 @@ index 000000000..d1356af89
+ +
+ files_search_etc($1) + files_search_etc($1)
+ manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t) + manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
+ mmap_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
+ allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto}; + allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
+ files_etc_filetrans($1, systemd_hwdb_etc_t, file) + files_etc_filetrans($1, systemd_hwdb_etc_t, file)
+') +')
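Review bot: In the logging.if hunk, the `allow $1 var_log_t:file map;` placed inside `logging_read_generic_logs` widens every existing caller of that interface to mmap any var_log_t file, which goes beyond the "read" contract its name promises and beyond the per-type pattern used elsewhere in this commit (`mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)`). The contrib half of the same commit already calls `logging_mmap_generic_logs(abrt_dump_oops_t)`, so a dedicated interface appears to exist (its definition is not visible in this section); the rule belongs there, written as `mmap_files_pattern($1, var_log_t, var_log_t)`, and the read-only interface should stay unchanged so domains that only need read do not also inherit map. Note that `map` by itself does not grant writable or executable mappings — those still require the matching file permissions — so the concern is the unnecessary surface handed to many unrelated callers rather than a direct bypass. The remainder of this hunk (69 new lines) is not shown here.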


@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
+') +')
+ +
diff --git a/abrt.te b/abrt.te diff --git a/abrt.te b/abrt.te
index eb50f070f..4e5a59207 100644 index eb50f070f..53dd1ab4d 100644
--- a/abrt.te --- a/abrt.te
+++ b/abrt.te +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -738,7 +738,7 @@ index eb50f070f..4e5a59207 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file) logging_log_filetrans(abrt_t, abrt_var_log_t, file)
@@ -125,48 +136,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) @@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@ -748,6 +748,7 @@ index eb50f070f..4e5a59207 100644
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
+mmap_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt") +files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
@ -805,7 +806,7 @@ index eb50f070f..4e5a59207 100644
domain_getattr_all_domains(abrt_t) domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t) domain_read_all_domains_state(abrt_t)
@@ -176,29 +198,44 @@ files_getattr_all_files(abrt_t) @@ -176,29 +199,44 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t) files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t) files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t) files_read_var_symlinks(abrt_t)
@ -853,7 +854,7 @@ index eb50f070f..4e5a59207 100644
tunable_policy(`abrt_anon_write',` tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t) miscfiles_manage_public_files(abrt_t)
@@ -206,15 +243,11 @@ tunable_policy(`abrt_anon_write',` @@ -206,15 +244,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(` optional_policy(`
apache_list_modules(abrt_t) apache_list_modules(abrt_t)
@ -870,7 +871,7 @@ index eb50f070f..4e5a59207 100644
') ')
optional_policy(` optional_policy(`
@@ -222,6 +255,37 @@ optional_policy(` @@ -222,6 +256,37 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -908,7 +909,7 @@ index eb50f070f..4e5a59207 100644
policykit_domtrans_auth(abrt_t) policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t) policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t) policykit_read_reload(abrt_t)
@@ -234,18 +298,25 @@ optional_policy(` @@ -234,18 +299,25 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -937,7 +938,7 @@ index eb50f070f..4e5a59207 100644
optional_policy(` optional_policy(`
sosreport_domtrans(abrt_t) sosreport_domtrans(abrt_t)
@@ -253,9 +324,21 @@ optional_policy(` @@ -253,9 +325,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t) sosreport_delete_tmp_files(abrt_t)
') ')
@ -960,7 +961,7 @@ index eb50f070f..4e5a59207 100644
# #
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +349,13 @@ tunable_policy(`abrt_handle_event',` @@ -266,9 +350,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t) can_exec(abrt_t, abrt_handle_event_exec_t)
') ')
@ -975,7 +976,7 @@ index eb50f070f..4e5a59207 100644
# #
allow abrt_helper_t self:capability { chown setgid sys_nice }; allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +368,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) @@ -281,6 +369,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -983,7 +984,7 @@ index eb50f070f..4e5a59207 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +377,20 @@ corecmd_read_all_executables(abrt_helper_t) @@ -289,15 +378,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t)
@ -1004,7 +1005,7 @@ index eb50f070f..4e5a59207 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +398,25 @@ ifdef(`hide_broken_symptoms',` @@ -305,11 +399,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -1031,7 +1032,7 @@ index eb50f070f..4e5a59207 100644
# #
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +434,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) @@ -327,10 +435,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t)
@ -1045,7 +1046,7 @@ index eb50f070f..4e5a59207 100644
optional_policy(` optional_policy(`
rpm_exec(abrt_retrace_coredump_t) rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +452,11 @@ optional_policy(` @@ -343,10 +453,11 @@ optional_policy(`
####################################### #######################################
# #
@ -1059,7 +1060,7 @@ index eb50f070f..4e5a59207 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +475,84 @@ corecmd_exec_shell(abrt_retrace_worker_t) @@ -365,38 +476,86 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t)
@ -1135,6 +1136,8 @@ index eb50f070f..4e5a59207 100644
logging_read_generic_logs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t)
+logging_read_syslog_pid(abrt_dump_oops_t) +logging_read_syslog_pid(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t)
+logging_mmap_generic_logs(abrt_dump_oops_t)
+logging_mmap_journal(abrt_dump_oops_t)
+ +
+init_read_var_lib_files(abrt_dump_oops_t) +init_read_var_lib_files(abrt_dump_oops_t)
+ +
@ -1148,7 +1151,7 @@ index eb50f070f..4e5a59207 100644
####################################### #######################################
# #
@@ -404,25 +560,60 @@ logging_read_generic_logs(abrt_dump_oops_t) @@ -404,25 +563,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
# #
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1211,7 +1214,7 @@ index eb50f070f..4e5a59207 100644
') ')
####################################### #######################################
@@ -430,10 +621,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` @@ -430,10 +624,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy # Global local policy
# #
@ -10663,7 +10666,7 @@ index c723a0ae0..1c29d21e7 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms; + allow $1 bluetooth_unit_file_t:service all_service_perms;
') ')
diff --git a/bluetooth.te b/bluetooth.te diff --git a/bluetooth.te b/bluetooth.te
index 851769e55..4b11e9620 100644 index 851769e55..4bb326132 100644
--- a/bluetooth.te --- a/bluetooth.te
+++ b/bluetooth.te +++ b/bluetooth.te
@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t) @@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t)
@ -10683,7 +10686,7 @@ index 851769e55..4b11e9620 100644
dontaudit bluetooth_t self:capability sys_tty_config; dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getcap setcap getsched signal_perms }; allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms; allow bluetooth_t self:fifo_file rw_fifo_file_perms;
@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) @@ -78,10 +81,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
@ -10693,7 +10696,11 @@ index 851769e55..4b11e9620 100644
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
@@ -90,27 +94,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) +mmap_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } )
manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t)
@@ -90,27 +95,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
can_exec(bluetooth_t, bluetooth_helper_exec_t) can_exec(bluetooth_t, bluetooth_helper_exec_t)
@ -10736,7 +10743,7 @@ index 851769e55..4b11e9620 100644
fs_getattr_all_fs(bluetooth_t) fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t)
@@ -122,7 +136,6 @@ auth_use_nsswitch(bluetooth_t) @@ -122,7 +137,6 @@ auth_use_nsswitch(bluetooth_t)
logging_send_syslog_msg(bluetooth_t) logging_send_syslog_msg(bluetooth_t)
@ -10744,7 +10751,7 @@ index 851769e55..4b11e9620 100644
miscfiles_read_fonts(bluetooth_t) miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t) miscfiles_read_hwdata(bluetooth_t)
@@ -130,6 +143,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) @@ -130,6 +144,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@ -10755,7 +10762,7 @@ index 851769e55..4b11e9620 100644
optional_policy(` optional_policy(`
dbus_system_bus_client(bluetooth_t) dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t) dbus_connect_system_bus(bluetooth_t)
@@ -200,7 +217,6 @@ dev_read_urand(bluetooth_helper_t) @@ -200,7 +218,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t)
@ -33889,7 +33896,7 @@ index e39de436a..5edcb8330 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if diff --git a/gnome.if b/gnome.if
index ab09d6195..72d67c2cb 100644 index ab09d6195..0007f00b3 100644
--- a/gnome.if --- a/gnome.if
+++ b/gnome.if +++ b/gnome.if
@@ -1,52 +1,76 @@ @@ -1,52 +1,76 @@
@ -34307,7 +34314,7 @@ index ab09d6195..72d67c2cb 100644
+ ') + ')
+ +
+ allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:file { manage_file_perms map };
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ allow $1 gnome_home_type:sock_file manage_sock_file_perms; + allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+ userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1)
@ -34543,7 +34550,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',` @@ -433,17 +519,19 @@ interface(`gnome_home_filetrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -34557,6 +34564,7 @@ index ab09d6195..72d67c2cb 100644
- allow $1 gconf_home_t:dir create_dir_perms; - allow $1 gconf_home_t:dir create_dir_perms;
+ append_files_pattern($1, cache_home_t, cache_home_t) + append_files_pattern($1, cache_home_t, cache_home_t)
+ userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1)
+ allow $1 gnome_home_t:file { read_file_perms map };
') ')
######################################## ########################################
@ -34566,7 +34574,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` @@ -451,23 +539,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -34594,7 +34602,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',` @@ -475,22 +558,18 @@ interface(`gnome_read_generic_gconf_home_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -34621,7 +34629,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',` @@ -498,79 +577,59 @@ interface(`gnome_manage_generic_gconf_home_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -34719,7 +34727,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',` @@ -579,12 +638,12 @@ interface(`gnome_home_filetrans_gnome_home',`
## </param> ## </param>
## <param name="private_type"> ## <param name="private_type">
## <summary> ## <summary>
@ -34734,7 +34742,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## </param> ## </param>
## <param name="name" optional="true"> ## <param name="name" optional="true">
@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',` @@ -593,18 +652,18 @@ interface(`gnome_home_filetrans_gnome_home',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -34759,7 +34767,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -612,46 +670,80 @@ interface(`gnome_gconf_home_filetrans',` @@ -612,46 +671,81 @@ interface(`gnome_gconf_home_filetrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -34844,6 +34852,7 @@ index ab09d6195..72d67c2cb 100644
- allow $1_gkeyringd_t $2:dbus send_msg; - allow $1_gkeyringd_t $2:dbus send_msg;
+ userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1)
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; + allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
+ allow $1 icc_data_home_t:file map;
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) + list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t) + read_files_pattern($1, icc_data_home_t, icc_data_home_t)
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) + read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
@ -34857,7 +34866,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -659,46 +751,64 @@ interface(`gnome_dbus_chat_gkeyringd',` @@ -659,46 +753,64 @@ interface(`gnome_dbus_chat_gkeyringd',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -34939,7 +34948,7 @@ index ab09d6195..72d67c2cb 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -706,12 +816,1003 @@ interface(`gnome_stream_connect_gkeyringd',` @@ -706,12 +818,1003 @@ interface(`gnome_stream_connect_gkeyringd',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -60092,7 +60101,7 @@ index 94b973407..448a7e836 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if diff --git a/networkmanager.if b/networkmanager.if
index 86dc29dfa..c7d9376d5 100644 index 86dc29dfa..cb39739a5 100644
--- a/networkmanager.if --- a/networkmanager.if
+++ b/networkmanager.if +++ b/networkmanager.if
@@ -2,7 +2,7 @@ @@ -2,7 +2,7 @@
@ -60262,10 +60271,21 @@ index 86dc29dfa..c7d9376d5 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -211,9 +259,30 @@ interface(`networkmanager_read_lib_files',` @@ -189,6 +237,7 @@ interface(`networkmanager_manage_lib_files',`
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
files_search_var_lib($1)
manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
') ')
########################################
@@ -209,11 +258,33 @@ interface(`networkmanager_read_lib_files',`
files_search_var_lib($1)
list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+')
+
+####################################### +#######################################
+## <summary> +## <summary>
+## Read NetworkManager conf files. +## Read NetworkManager conf files.
@ -60285,8 +60305,8 @@ index 86dc29dfa..c7d9376d5 100644
+ allow $1 NetworkManager_etc_t:dir list_dir_perms; + allow $1 NetworkManager_etc_t:dir list_dir_perms;
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) + read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
+ read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t) + read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t)
+') ')
+
######################################## ########################################
## <summary> ## <summary>
-## Append networkmanager log files. -## Append networkmanager log files.
@ -60294,7 +60314,7 @@ index 86dc29dfa..c7d9376d5 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -221,19 +290,18 @@ interface(`networkmanager_read_lib_files',` @@ -221,19 +292,18 @@ interface(`networkmanager_read_lib_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -60319,18 +60339,17 @@ index 86dc29dfa..c7d9376d5 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -241,13 +309,66 @@ interface(`networkmanager_append_log_files',` @@ -241,13 +311,66 @@ interface(`networkmanager_append_log_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`networkmanager_read_pid_files',` -interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',` +interface(`networkmanager_manage_pid_files',`
gen_require(` + gen_require(`
type NetworkManager_var_run_t; + type NetworkManager_var_run_t;
') + ')
+
files_search_pids($1) + files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+') +')
+ +
@ -60345,11 +60364,12 @@ index 86dc29dfa..c7d9376d5 100644
+## </param> +## </param>
+# +#
+interface(`networkmanager_manage_pid_sock_files',` +interface(`networkmanager_manage_pid_sock_files',`
+ gen_require(` gen_require(`
+ type NetworkManager_var_run_t; type NetworkManager_var_run_t;
+ ') ')
+
+ files_search_pids($1) files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+') +')
+ +
@ -60388,7 +60408,7 @@ index 86dc29dfa..c7d9376d5 100644
') ')
#################################### ####################################
@@ -272,14 +393,33 @@ interface(`networkmanager_stream_connect',` @@ -272,14 +395,33 @@ interface(`networkmanager_stream_connect',`
######################################## ########################################
## <summary> ## <summary>
@ -60424,7 +60444,7 @@ index 86dc29dfa..c7d9376d5 100644
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
## Role allowed access. ## Role allowed access.
@@ -287,33 +427,190 @@ interface(`networkmanager_stream_connect',` @@ -287,33 +429,194 @@ interface(`networkmanager_stream_connect',`
## </param> ## </param>
## <rolecap/> ## <rolecap/>
# #
@ -60470,10 +60490,12 @@ index 86dc29dfa..c7d9376d5 100644
- admin_pattern($1, NetworkManager_log_t) - admin_pattern($1, NetworkManager_log_t)
+ allow $1 NetworkManager_log_t:dir list_dir_perms; + allow $1 NetworkManager_log_t:dir list_dir_perms;
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+') + allow $1 NetworkManager_var_lib_t:file map;
- files_search_var_lib($1) - files_search_var_lib($1)
- admin_pattern($1, NetworkManager_var_lib_t) - admin_pattern($1, NetworkManager_var_lib_t)
+')
+
+####################################### +#######################################
+## <summary> +## <summary>
+## Allow the specified domain to manage +## Allow the specified domain to manage
@ -60491,6 +60513,8 @@ index 86dc29dfa..c7d9376d5 100644
+ ') + ')
+ +
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ allow $1 NetworkManager_var_lib_t:file map;
+
+') +')
+ +
+####################################### +#######################################
@ -93498,7 +93522,7 @@ index ebe91fc70..6ba4338cb 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
') ')
diff --git a/rpm.if b/rpm.if diff --git a/rpm.if b/rpm.if
index ef3b22507..b15d901a4 100644 index ef3b22507..d2b4c1697 100644
--- a/rpm.if --- a/rpm.if
+++ b/rpm.if +++ b/rpm.if
@@ -1,8 +1,8 @@ @@ -1,8 +1,8 @@
@ -93903,10 +93927,11 @@ index ef3b22507..b15d901a4 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -459,11 +585,12 @@ interface(`rpm_read_db',` @@ -459,11 +585,13 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms; allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ allow $1 rpm_var_lib_t:file map;
+ rpm_read_cache($1) + rpm_read_cache($1)
') ')
@ -93917,7 +93942,7 @@ index ef3b22507..b15d901a4 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -482,8 +609,7 @@ interface(`rpm_delete_db',` @@ -482,8 +610,7 @@ interface(`rpm_delete_db',`
######################################## ########################################
## <summary> ## <summary>
@ -93927,10 +93952,15 @@ index ef3b22507..b15d901a4 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -503,8 +629,28 @@ interface(`rpm_manage_db',` @@ -499,12 +626,33 @@ interface(`rpm_manage_db',`
files_search_var_lib($1)
######################################## manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
## <summary> manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+ allow $1 rpm_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,the RPM package database. +## Do not audit attempts to create, read,the RPM package database.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -93947,17 +93977,17 @@ index ef3b22507..b15d901a4 100644
+ dontaudit $1 rpm_var_lib_t:dir list_dir_perms; + dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
+ dontaudit $1 rpm_var_lib_t:file read_file_perms; + dontaudit $1 rpm_var_lib_t:file read_file_perms;
+ dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms; + dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
+') ')
+
+######################################## ########################################
+## <summary> ## <summary>
## Do not audit attempts to create, read, ## Do not audit attempts to create, read,
-## write, and delete rpm lib content. -## write, and delete rpm lib content.
+## write, and delete the RPM package database. +## write, and delete the RPM package database.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',` @@ -517,9 +665,10 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t; type rpm_var_lib_t;
') ')
@ -93965,8 +93995,11 @@ index ef3b22507..b15d901a4 100644
+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms; + dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+ dontaudit $1 rpm_var_lib_t:file map;
') ')
@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',`
#####################################
@@ -543,8 +692,7 @@ interface(`rpm_read_pid_files',`
##################################### #####################################
## <summary> ## <summary>
@ -93976,7 +94009,7 @@ index ef3b22507..b15d901a4 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',` @@ -563,8 +711,7 @@ interface(`rpm_manage_pid_files',`
###################################### ######################################
## <summary> ## <summary>
@ -93986,7 +94019,7 @@ index ef3b22507..b15d901a4 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',` @@ -573,43 +720,54 @@ interface(`rpm_manage_pid_files',`
## </param> ## </param>
# #
interface(`rpm_pid_filetrans',` interface(`rpm_pid_filetrans',`
@ -94058,7 +94091,7 @@ index ef3b22507..b15d901a4 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` @@ -617,22 +775,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
## </summary> ## </summary>
## </param> ## </param>
## <param name="role"> ## <param name="role">
@ -94127,7 +94160,7 @@ index ef3b22507..b15d901a4 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t) init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
@@ -641,9 +831,6 @@ interface(`rpm_admin',` @@ -641,9 +834,6 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_file_t) admin_pattern($1, rpm_file_t)
@ -106555,7 +106588,7 @@ index dbb005aca..2655c75ab 100644
+/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if diff --git a/sssd.if b/sssd.if
index a24045518..aac25848d 100644 index a24045518..8e00992e4 100644
--- a/sssd.if --- a/sssd.if
+++ b/sssd.if +++ b/sssd.if
@@ -1,21 +1,21 @@ @@ -1,21 +1,21 @@
@ -106736,13 +106769,14 @@ index a24045518..aac25848d 100644
') ')
######################################## ########################################
@@ -131,14 +171,13 @@ interface(`sssd_read_public_files',` @@ -131,14 +171,14 @@ interface(`sssd_read_public_files',`
') ')
sssd_search_lib($1) sssd_search_lib($1)
- allow $1 sssd_public_t:dir list_dir_perms; - allow $1 sssd_public_t:dir list_dir_perms;
+ list_dirs_pattern($1, sssd_public_t, sssd_public_t) + list_dirs_pattern($1, sssd_public_t, sssd_public_t)
read_files_pattern($1, sssd_public_t, sssd_public_t) read_files_pattern($1, sssd_public_t, sssd_public_t)
+ mmap_files_pattern($1, sssd_public_t, sssd_public_t)
') ')
-####################################### -#######################################
@ -106754,7 +106788,7 @@ index a24045518..aac25848d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -146,18 +185,55 @@ interface(`sssd_read_public_files',` @@ -146,18 +186,55 @@ interface(`sssd_read_public_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -106813,7 +106847,7 @@ index a24045518..aac25848d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -176,8 +252,7 @@ interface(`sssd_read_pid_files',` @@ -176,8 +253,7 @@ interface(`sssd_read_pid_files',`
######################################## ########################################
## <summary> ## <summary>
@ -106823,7 +106857,7 @@ index a24045518..aac25848d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -216,8 +291,7 @@ interface(`sssd_search_lib',` @@ -216,8 +292,7 @@ interface(`sssd_search_lib',`
######################################## ########################################
## <summary> ## <summary>
@ -106833,7 +106867,7 @@ index a24045518..aac25848d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -235,6 +309,24 @@ interface(`sssd_dontaudit_search_lib',` @@ -235,6 +310,24 @@ interface(`sssd_dontaudit_search_lib',`
######################################## ########################################
## <summary> ## <summary>
@ -106858,7 +106892,7 @@ index a24045518..aac25848d 100644
## Read sssd lib files. ## Read sssd lib files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -297,8 +389,7 @@ interface(`sssd_dbus_chat',` @@ -297,8 +390,7 @@ interface(`sssd_dbus_chat',`
######################################## ########################################
## <summary> ## <summary>
@ -106868,7 +106902,7 @@ index a24045518..aac25848d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -317,8 +408,130 @@ interface(`sssd_stream_connect',` @@ -317,8 +409,130 @@ interface(`sssd_stream_connect',`
######################################## ########################################
## <summary> ## <summary>
@ -107001,7 +107035,7 @@ index a24045518..aac25848d 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -327,7 +540,7 @@ interface(`sssd_stream_connect',` @@ -327,7 +541,7 @@ interface(`sssd_stream_connect',`
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -107010,7 +107044,7 @@ index a24045518..aac25848d 100644
## </summary> ## </summary>
## </param> ## </param>
## <rolecap/> ## <rolecap/>
@@ -335,27 +548,29 @@ interface(`sssd_stream_connect',` @@ -335,27 +549,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',` interface(`sssd_admin',`
gen_require(` gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t; type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@ -107052,10 +107086,10 @@ index a24045518..aac25848d 100644
- admin_pattern($1, sssd_log_t) - admin_pattern($1, sssd_log_t)
') ')
diff --git a/sssd.te b/sssd.te diff --git a/sssd.te b/sssd.te
index 2d8db1fa3..9b13b3058 100644 index 2d8db1fa3..b4eaeb4cc 100644
--- a/sssd.te --- a/sssd.te
+++ b/sssd.te +++ b/sssd.te
@@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) @@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t)
type sssd_var_run_t; type sssd_var_run_t;
files_pid_file(sssd_var_run_t) files_pid_file(sssd_var_run_t)
@ -107091,8 +107125,13 @@ index 2d8db1fa3..9b13b3058 100644
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
@@ -51,28 +63,28 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +mmap_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+mmap_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
@ -107132,7 +107171,7 @@ index 2d8db1fa3..9b13b3058 100644
corecmd_exec_bin(sssd_t) corecmd_exec_bin(sssd_t)
@@ -83,28 +95,36 @@ domain_read_all_domains_state(sssd_t) @@ -83,28 +97,36 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t) domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t) files_list_tmp(sssd_t)
@ -107173,7 +107212,7 @@ index 2d8db1fa3..9b13b3058 100644
init_read_utmp(sssd_t) init_read_utmp(sssd_t)
@@ -112,18 +132,71 @@ logging_send_syslog_msg(sssd_t) @@ -112,18 +134,71 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t) logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t) miscfiles_read_generic_certs(sssd_t)


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 271%{?dist} Release: 272%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -681,6 +681,13 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Aug 15 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-272
- Allow sssd_t domain to map sssd_var_lib_t files
- allow map permission where needed
- contrib: allow map permission where needed
- Allow syslogd_t to map syslogd_var_run_t files
- allow map permission where needed
* Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271 * Mon Aug 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-271
- Allow tomcat_t domain couple capabilities to make working tomcat-jsvc - Allow tomcat_t domain couple capabilities to make working tomcat-jsvc
- Label /usr/libexec/sudo/sesh as shell_exec_t - Label /usr/libexec/sudo/sesh as shell_exec_t