diff --git a/container-selinux.tgz b/container-selinux.tgz index bad12d0e..cbeb3df1 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 42b44f0f..9a64a865 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -11381,7 +11381,7 @@ index b876c48ad..2e591a538 100644 + +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76ad..c1b46d8f3 100644 +index f962f76ad..de87579ff 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13978,7 +13978,32 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5112,6 +6425,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -4814,6 +6127,24 @@ interface(`files_delete_usr_files',` + + ######################################## + ## ++## Map files in /usr in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mmap_usr_files',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ allow $1 usr_t:file map; ++') ++ ++######################################## ++## + ## Get the attributes of files in /usr. + ## + ## +@@ -5112,6 +6443,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -14003,7 +14028,7 @@ index f962f76ad..c1b46d8f3 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6572,24 @@ interface(`files_list_var',` +@@ -5241,6 +6590,24 @@ interface(`files_list_var',` ######################################## ## @@ -14028,7 +14053,7 @@ index f962f76ad..c1b46d8f3 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6677,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6695,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') 
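Review bot: The new files_mmap_usr_files interface grants only `allow $1 usr_t:file map;`, which by itself does not let a domain mmap anything — the kernel also checks `read` (and `write` for a PROT_WRITE shared mapping, `execute` for PROT_EXEC) on the file, so a caller that is not also given files_read_usr_files is still denied. Either add `read_files_pattern($1, usr_t, usr_t)` to the body or, if this is intended as a pure `map` add-on to be combined with the existing read interface, say so in the description: `## Map files in /usr in the caller domain. Grants only the map permission; the caller must also have read access (files_read_usr_files) for the mapping to succeed.` The interface's `<summary>`/`<param>` XML is not visible in this rendering, which I assume is extraction loss rather than missing from the patch.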
@@ -14037,7 +14062,7 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5419,6 +6768,24 @@ interface(`files_var_filetrans',` +@@ -5419,6 +6786,24 @@ interface(`files_var_filetrans',` filetrans_pattern($1, var_t, $2, $3, $4) ') @@ -14062,7 +14087,7 @@ index f962f76ad..c1b46d8f3 100644 ######################################## ## ## Get the attributes of the /var/lib directory. -@@ -5527,6 +6894,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6912,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -14088,7 +14113,7 @@ index f962f76ad..c1b46d8f3 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6982,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +7000,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -14114,7 +14139,7 @@ index f962f76ad..c1b46d8f3 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5619,6 +7024,42 @@ interface(`files_manage_urandom_seed',` +@@ -5619,6 +7042,42 @@ interface(`files_manage_urandom_seed',` manage_files_pattern($1, var_lib_t, var_lib_t) ') @@ -14157,7 +14182,7 @@ index f962f76ad..c1b46d8f3 100644 ######################################## ## ## Allow domain to manage mount tables -@@ -5641,7 +7082,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +7100,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -14166,7 +14191,7 @@ index f962f76ad..c1b46d8f3 100644 ## ## ## -@@ -5649,12 +7090,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +7108,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -14182,7 +14207,7 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5672,6 +7114,7 @@ interface(`files_search_locks',` +@@ -5672,6 +7132,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') 
@@ -14190,7 +14215,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +7141,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +7159,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -14218,7 +14243,7 @@ index f962f76ad..c1b46d8f3 100644 ## ## ## -@@ -5706,13 +7168,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +7186,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14235,7 +14260,7 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5731,7 +7192,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +7210,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -14244,7 +14269,7 @@ index f962f76ad..c1b46d8f3 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7225,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +7243,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -14252,7 +14277,7 @@ index f962f76ad..c1b46d8f3 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7239,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7257,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -14261,7 +14286,7 @@ index f962f76ad..c1b46d8f3 100644 ## ## ## -@@ -5787,13 +7247,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7265,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -14296,7 +14321,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7289,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7307,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -14314,7 +14339,7 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5834,9 +7313,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7331,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -14325,7 +14350,7 @@ index f962f76ad..c1b46d8f3 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7355,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7373,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -14335,7 +14360,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7377,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7395,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -14345,7 +14370,7 @@ index f962f76ad..c1b46d8f3 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7414,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7432,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -14355,7 +14380,7 @@ index f962f76ad..c1b46d8f3 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7453,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7471,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -14364,7 +14389,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7473,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7491,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -14413,69 +14438,113 @@ index f962f76ad..c1b46d8f3 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7537,43 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,47 +7555,45 @@ interface(`files_dontaudit_search_pids',` ######################################## ## +-## List the contents of the runtime process +-## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Allow search the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## - ## List the contents of the runtime process - ## ID directories (/var/run). ## -@@ -6039,7 +7588,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_pids',` ++interface(`files_dontaudit_search_all_pids',` + gen_require(` +- type var_t, var_run_t; ++ attribute pidfile; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) +- list_dirs_pattern($1, var_t, var_run_t) ++ dontaudit $1 pidfile:dir search_dir_perms; ') -@@ -6058,7 +7607,7 @@ interface(`files_read_generic_pids',` - type var_t, var_run_t; + ######################################## + ## +-## Read generic process ID files. ++## Allow search the all /var/run directory. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_read_generic_pids',` ++interface(`files_search_all_pids',` + gen_require(` +- type var_t, var_run_t; ++ attribute pidfile; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) ++ allow $1 pidfile:dir search_dir_perms; ') -@@ -6078,7 +7627,7 @@ interface(`files_write_generic_pid_pipes',` + + ######################################## + ## +-## Write named generic process ID pipes ++## List the contents of the runtime process ++## ID directories (/var/run). + ## + ## + ## +@@ -6073,12 +7601,51 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` ++interface(`files_list_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++') ++ ++######################################## ++## ++## Read generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++ read_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## Write named generic process ID pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_generic_pid_pipes',` + gen_require(` type var_run_t; ') @@ -14484,7 +14553,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7689,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7707,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
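Review bot: On the new side of this hunk the parameter text for files_search_all_pids reads `Domain to not audit.`, but the body is an allow rule (`allow $1 pidfile:dir search_dir_perms;`), so it should be documented as `Domain allowed access.` like the other allow interfaces; the dontaudit wording belongs only to files_dontaudit_search_all_pids just above it. The summary `Allow search the all /var/run directory.` would also read better as `Search all directories labeled with the pidfile attribute (under /var/run).` The old side shows the same text, so this appears to be carried over from the previous revision of the patch rather than introduced here, but the regenerated patch still ships it.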
@@ -14492,264 +14561,341 @@ index f962f76ad..c1b46d8f3 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,7 +7717,7 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7735,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## --## Read and write generic process ID files. +## rw generic pid files inherited from another process - ## - ## - ## -@@ -6177,12 +7725,30 @@ interface(`files_pid_filetrans_lock_dir',` - ## - ## - # --interface(`files_rw_generic_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_rw_inherited_generic_pid_files',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ ') ++ + allow $1 var_run_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Read and write generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ + ## Read and write generic process ID files. + ## + ## +@@ -6182,7 +7766,7 @@ interface(`files_rw_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,6 +7815,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7833,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## +-## Read all process ID files. +## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_delete_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## -+## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## -+## manage all pidfile directories -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_dirs_pattern($1,pidfile,pidfile) -+') -+ -+ -+######################################## -+## - ## Read all process ID files. ## ## -@@ -6261,12 +7937,105 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`files_read_all_pids',` ++interface(`files_relabel_all_pid_dirs',` gen_require(` attribute pidfile; - type var_t, var_run_t; -+ type var_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Relable all pid files -+## -+## -+## +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ relabel_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Delete all process IDs. ++## Delete all pid sockets + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_pids',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 pidfile:sock_file delete_sock_file_perms; + ') + + ######################################## + ## +-## Delete all process ID directories. 
++## Create all pid sockets + ## + ## + ## +@@ -6305,42 +7877,35 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` ++interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content ++## Create all pid named pipes + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_files',` -+ gen_require(` + ## + ## + # +-interface(`files_manage_all_pids',` ++interface(`files_create_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:fifo_file create_fifo_file_perms; + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Delete all pid named pipes + ## + ## + ## +@@ -6348,18 +7913,18 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_pid_pipes',` + gen_require(` +- attribute polymember; + attribute pidfile; -+ ') + ') + +- allow $1 polymember:dir mounton; ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). ++## manage all pidfile directories ++## in the /var/run directory. 
+ ## + ## + ## +@@ -6367,37 +7932,40 @@ interface(`files_mounton_all_poly_members',` + ## + ## + # +-interface(`files_search_spool',` ++interface(`files_manage_all_pid_dirs',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- search_dirs_pattern($1, var_t, var_spool_t) ++ manage_dirs_pattern($1,pidfile,pidfile) + ') + + -+ relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Execute generic programs in /var/run in the caller domain. -+## -+## -+## + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. ++## Read all process ID files. + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## ++## + # +-interface(`files_dontaudit_search_spool',` ++interface(`files_read_all_pids',` + gen_require(` +- type var_spool_t; ++ attribute pidfile; ++ type var_t; + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. ++## Relable all pid files + ## + ## + ## +@@ -6405,18 +7973,17 @@ interface(`files_dontaudit_search_spool',` + ## + ## + # +-interface(`files_list_spool',` ++interface(`files_relabel_all_pid_files',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- list_dirs_pattern($1, var_t, var_spool_t) ++ relabel_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). ++## Execute generic programs in /var/run in the caller domain. 
+ ## + ## + ## +@@ -6424,18 +7991,18 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_exec_generic_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## Write all sockets +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6443,19 +8010,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_write_all_pid_sockets',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + allow $1 pidfile:sock_file write_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6463,55 +8029,62 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` +interface(`files_manage_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. 
+## Mount filesystems on all polyinstantiation +## member directories. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +# +interface(`files_mounton_all_poly_members',` + gen_require(` 
@@ -14757,33 +14903,100 @@ index f962f76ad..c1b46d8f3 100644 + ') + + allow $1 polymember:dir mounton; - ') - - ######################################## -@@ -6286,8 +8055,8 @@ interface(`files_delete_all_pids',` - type var_t, var_run_t; ++') ++ ++######################################## ++## ++## Delete all process IDs. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_spool_filetrans',` ++interface(`files_delete_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; ++ type var_t, var_run_t; ') + files_search_pids($1) allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) -@@ -6311,36 +8080,80 @@ interface(`files_delete_all_pid_dirs',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) +- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ') ######################################## ## --## Create, read, write and delete all --## var_run (pid) content +-## Allow access to manage all polyinstantiated +-## directories on the system. ++## Delete all process ID directories. 
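Review bot: files_exec_generic_pid_files on the new side of this hunk gives the caller `exec_files_pattern($1, var_run_t, var_run_t)`, i.e. permission to execute anything labeled var_run_t in its own domain; var_run_t is the generic label for runtime state written by many services, so any domain that can create var_run_t files can get code executed in every caller's domain, and the one-line summary does not warn about that. Suggest stating it in the interface description, e.g. `## Execute generic programs in /var/run in the caller domain. Note: var_run_t is writable by many domains; prefer a private pid type and exec on that type where possible.` While here, the summaries `Relable all pid directories` and `Relable all pid files` should read `Relabel`, and `manage_dirs_pattern($1,pidfile,pidfile)` in files_manage_all_pid_dirs should be spaced like the surrounding calls. As far as the old side shows, these interfaces are relocated rather than new in this revision.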
+ ## + ## + ## +@@ -6519,53 +8092,332 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` ++interface(`files_delete_all_pid_dirs',` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; ++ attribute pidfile; ++ type var_t, var_run_t; + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') + +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) ++######################################## ++## +## Make the specified type a file +## used for spool files. +## 
@@ -14824,56 +15037,46 @@ index f962f76ad..c1b46d8f3 100644 +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; -+ ') + ') + + files_type($1) + typeattribute $1 spoolfile; -+') -+ -+######################################## -+## -+## Create all spool sockets - ## - ## - ## --## Domain alloed access. -+## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` -+interface(`files_create_all_spool_sockets',` - gen_require(` -- attribute pidfile; -+ attribute spoolfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 spoolfile:sock_file create_sock_file_perms; ') ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. -+## Delete all spool sockets - ## - ## - ## -@@ -6348,12 +8161,33 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute polymember; +-## Unconfined access to files. ++## Create all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_spool_sockets',` ++ gen_require(` + attribute spoolfile; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ ++ allow $1 spoolfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Delete all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + 
@@ -14896,10 +15099,222 @@ index f962f76ad..c1b46d8f3 100644 + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6580,3 +8414,623 @@ interface(`files_unconfined',` ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++ ++ dontaudit $1 var_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of generic spool ++## (/var/spool) directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool_dirs',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Read generic spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create objects in the spool directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_spool_filetrans',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Allow access to manage all polyinstantiated ++## directories on the system. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_polyinstantiate_all',` ++ gen_require(` ++ attribute polydir, polymember, polyparent; ++ type poly_t; ++ ') ++ ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') ++') ++ ++######################################## ++## ++## Unconfined access to files. + ## + ## + ## +@@ -6580,3 +8432,623 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15770,7 +16185,7 @@ index d7c11a0b3..f521a50f8 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb43..b5b7a0ae8 100644 +index 8416beb43..2aa8d9ff4 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` 
@@ -16654,7 +17069,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -1839,174 +2234,988 @@ interface(`fs_unmount_fusefs',` +@@ -1839,174 +2234,989 @@ interface(`fs_unmount_fusefs',` ## ## # @@ -17199,6 +17614,7 @@ index 8416beb43..b5b7a0ae8 100644 + type hugetlbfs_t; + ') + ++ allow $1 hugetlbfs_t:file map; + rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +') + @@ -17694,7 +18110,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2014,19 +3223,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,19 +3224,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # @@ -17721,7 +18137,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2034,17 +3244,18 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2034,17 +3245,18 @@ interface(`fs_read_fusefs_symlinks',` ## ## # @@ -17744,7 +18160,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2052,17 +3263,38 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +3264,38 @@ interface(`fs_getattr_hugetlbfs',` ## ## # @@ -17787,7 +18203,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2070,17 +3302,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +3303,19 @@ interface(`fs_list_hugetlbfs',` ## ## # @@ -17811,7 +18227,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2088,35 +3322,41 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +3323,41 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # @@ -17864,7 +18280,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2124,17 +3364,19 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,17 +3365,19 @@ interface(`fs_associate_hugetlbfs',` ## ## # @@ -17888,7 +18304,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2142,17 +3384,23 @@ interface(`fs_search_inotifyfs',` +@@ -2142,17 +3385,23 @@ interface(`fs_search_inotifyfs',` ## ## # @@ -17916,7 +18332,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2160,53 +3408,39 @@ interface(`fs_list_inotifyfs',` +@@ -2160,53 +3409,39 @@ interface(`fs_list_inotifyfs',` ## ## # 
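Review bot: The new `++ allow $1 hugetlbfs_t:file map;` changes what the interface grants, but the interface's summary text, which lies above this hunk together with the interface name, is not updated, so a caller reading the documentation will not learn that memory-mapping is now included. hugetlbfs files are normally used through mmap(), so the map permission belongs with the rw pattern, but the summary should say so, e.g. `## Read, write, and memory map hugetlbfs files.`. A short comment on the added line, `# map is checked separately from read/write; hugetlbfs is used via mmap()`, would also stop the raw allow next to the pattern macro from being mistaken for a leftover. The enclosing interface starts outside this hunk.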
@@ -17982,7 +18398,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2214,19 +3448,18 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3449,18 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # @@ -18007,7 +18423,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2234,18 +3467,18 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3468,18 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -18031,7 +18447,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2253,58 +3486,54 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,58 +3487,54 @@ interface(`fs_remount_iso9660_fs',` ## ## # @@ -18103,7 +18519,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2312,19 +3541,17 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,19 +3542,17 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -18127,7 +18543,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2332,18 +3559,17 @@ interface(`fs_read_iso9660_files',` +@@ -2332,18 +3560,17 @@ interface(`fs_read_iso9660_files',` ## ## # @@ -18149,7 +18565,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2351,240 +3577,243 @@ interface(`fs_mount_nfs',` +@@ -2351,240 +3578,243 @@ interface(`fs_mount_nfs',` ## ## # @@ -18449,7 +18865,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -2603,7 +3832,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3833,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -18458,7 +18874,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -2627,7 +3856,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3857,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -18467,7 +18883,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2719,6 +3948,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3949,65 @@ interface(`fs_search_rpc',` ######################################## ## 
@@ -18533,7 +18949,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +4029,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +4030,7 @@ interface(`fs_search_removable',` ## ## ## @@ -18542,7 +18958,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## # -@@ -2777,7 +4065,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +4066,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -18551,7 +18967,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## # -@@ -2970,6 +4258,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4259,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -18559,7 +18975,7 @@ index 8416beb43..b5b7a0ae8 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4299,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4300,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -18567,7 +18983,7 @@ index 8416beb43..b5b7a0ae8 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4340,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4341,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -18575,7 +18991,7 @@ index 8416beb43..b5b7a0ae8 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4428,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4429,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -18600,7 +19016,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3239,15 +4548,198 @@ interface(`fs_search_nfsd_fs',` +@@ -3239,15 +4549,198 @@ interface(`fs_search_nfsd_fs',` # interface(`fs_list_nfsd_fs',` gen_require(` @@ -18802,7 +19218,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3255,35 +4747,35 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,35 +4748,35 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -18847,7 +19263,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3291,12 +4783,12 @@ interface(`fs_rw_nfsd_fs',` +@@ -3291,12 +4784,12 @@ interface(`fs_rw_nfsd_fs',` ## ## # 
@@ -18863,7 +19279,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -3392,7 +4884,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4885,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -18872,7 +19288,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3429,7 +4921,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4922,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -18881,7 +19297,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3447,7 +4939,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4940,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -18890,7 +19306,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3779,6 +5271,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5272,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -18915,7 +19331,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5325,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5326,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -18940,7 +19356,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5436,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5437,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -18949,7 +19365,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3916,17 +5444,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5445,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -18970,7 +19386,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3934,17 +5462,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5463,17 @@ interface(`fs_mounton_tmpfs',` ## ## # 
@@ -18991,7 +19407,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3952,17 +5480,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5481,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -19031,7 +19447,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3970,31 +5517,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5518,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -19087,7 +19503,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -4057,23 +5621,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5622,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -19264,7 +19680,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4081,18 +5792,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5793,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -19287,7 +19703,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4100,54 +5811,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5812,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -19354,7 +19770,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4155,17 +5865,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5866,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -19376,7 +19792,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4173,17 +5884,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5885,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -19398,7 +19814,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4191,37 +5903,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5904,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -19444,7 +19860,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4229,18 +5940,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5941,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # 
@@ -19466,7 +19882,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4248,18 +5959,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5960,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -19490,7 +19906,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4267,32 +5979,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5980,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -19529,7 +19945,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -4407,6 +6118,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6119,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -19555,7 +19971,7 @@ index 8416beb43..b5b7a0ae8 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6233,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6234,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -19564,7 +19980,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -4549,7 +6281,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6282,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -19573,7 +19989,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6328,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6329,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -19600,7 +20016,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6423,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6424,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -19626,7 +20042,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6683,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6684,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -27098,7 +27514,7 @@ index 9d2f31168..2d782e051 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 03061349c..bb5f3dd51 100644 +index 03061349c..e30703d3c 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` 
@@ -27182,7 +27598,15 @@ index 03061349c..bb5f3dd51 100644 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) -@@ -299,12 +311,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run +@@ -291,6 +303,7 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) + manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) + manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) + files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) ++allow postgresql_t postgresql_tmp_t:file map; + fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) + + manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +@@ -299,12 +312,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) kernel_read_kernel_sysctls(postgresql_t) @@ -27196,7 +27620,7 @@ index 03061349c..bb5f3dd51 100644 corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -342,8 +354,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -342,8 +355,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) @@ -27206,7 +27630,7 @@ index 03061349c..bb5f3dd51 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,20 +365,28 @@ init_read_utmp(postgresql_t) +@@ -354,20 +366,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) 
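Review bot: The added `++allow postgresql_t postgresql_tmp_t:file map;` is placed between the `files_tmp_filetrans` and `fs_tmpfs_filetrans` calls, splitting the two type-transition rules that belong together; move it up next to the `manage_*_pattern` lines for postgresql_tmp_t so the tmp rules stay grouped. Because the domain already manages postgresql_tmp_t objects (see the `manage_*_pattern` context lines), granting map on its own private type does not widen the trust boundary, which is worth saying in a one-line comment, e.g. `# postgresql mmap()s its own tmp files; map is checked separately from read/write`. The surrounding rule block continues outside this hunk.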
@@ -27238,7 +27662,7 @@ index 03061349c..bb5f3dd51 100644 allow postgresql_t self:process execmem; ') -@@ -485,10 +504,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +505,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -27295,7 +27719,7 @@ index 03061349c..bb5f3dd51 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +597,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +598,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -27304,7 +27728,7 @@ index 03061349c..bb5f3dd51 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +650,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +651,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) @@ -41373,7 +41797,7 @@ index 6b917403e..772411608 100644 + +/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f22..842ce28c4 100644 +index 58bc27f22..90f567300 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -1,5 +1,41 @@ 
@@ -41609,7 +42033,7 @@ index 58bc27f22..842ce28c4 100644 + type lvm_var_run_t; + ') + -+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 lvm_var_run_t:fifo_file rw_fifo_file_perms; +') + +######################################## @@ -43812,7 +44236,7 @@ index d43f3b194..c5053dbbd 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 38220721d..0395f4810 100644 +index 38220721d..abac74231 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -44364,7 +44788,7 @@ index 38220721d..0395f4810 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1407,105 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1407,125 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -44453,6 +44877,26 @@ index 38220721d..0395f4810 100644 + read_lnk_files_pattern($1, semanage_store_t, semanage_store_t) +') + ++######################################## ++## ++## Dontaudit read selinux module store ++## module store. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_dontaudit_read_module_store',` ++ gen_require(` ++ type semanage_store_t; ++ ') ++ ++dontaudit $1 semanage_store_t:dir list_dir_perms; ++dontaudit $1 semanage_store_t:file read_file_perms; ++') ++ +####################################### +## +## Dontaudit access check on module store 
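Review bot: Replacing `rw_inherited_fifo_file_perms` with `rw_fifo_file_perms` on `lvm_var_run_t:fifo_file` widens the grant from operating on an already-inherited descriptor to opening the FIFO directly, because the full permission set includes `open`. That is an access widening, not a tightening, yet the spec changelog in this commit only mentions map rules; the entry should name this change, and the interface — whose name and summary lie above this hunk — should be checked, since a name or summary containing "inherited" would now be wrong. If only the inherited-descriptor case was intended and a single caller fails on `open`, a separate interface for that caller is the conventional fix rather than widening this one.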
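Review bot: The summary of the new `seutil_dontaudit_read_module_store` reads `## Dontaudit read selinux module store` / `## module store.`, a duplicated phrase; following the neighbouring `## Dontaudit access check on module store`, something like `## Do not audit attempts to read the SELinux module store.` fits the file. The two `dontaudit` lines also sit at column 0 while `gen_require(` and the other interface bodies in the file are indented one level; indent them to match. For a dontaudit interface the parameter description is conventionally `## Domain to not audit.` rather than `## Domain allowed access.`, since the rule grants nothing.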
@@ -44472,7 +44916,7 @@ index 38220721d..0395f4810 100644 ') ######################################## -@@ -1041,9 +1525,15 @@ interface(`seutil_manage_module_store',` +@@ -1041,9 +1545,15 @@ interface(`seutil_manage_module_store',` ') files_search_etc($1) @@ -44488,7 +44932,7 @@ index 38220721d..0395f4810 100644 ') ####################################### -@@ -1067,6 +1557,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1577,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## @@ -44513,7 +44957,7 @@ index 38220721d..0395f4810 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1645,121 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1665,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 62951782..b27035ab 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -108616,10 +108616,10 @@ index 000000000..a6e216c73 + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 000000000..4cc8557fc +index 000000000..681ec9f67 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,101 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -108646,7 +108646,7 @@ index 000000000..4cc8557fc +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; +allow targetd_t self:unix_dgram_socket create_socket_perms; -+allow targetd_t self:tcp_socket listen; ++allow targetd_t self:tcp_socket { accept listen }; +allow targetd_t self:netlink_route_socket r_netlink_socket_perms; +allow targetd_t self:process { setfscreate setsched }; + 
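Review bot: `allow targetd_t self:tcp_socket { accept listen };` adds accept to an existing listen, but the hunk shows no `create`, `bind`, `getopt` or `setopt` on the same class and no `corenet_tcp_bind_*` port rule; if those are not granted elsewhere in targetd.te (outside this hunk) the listener still cannot come up, and if they are, a comment here pointing at the port type the daemon binds would make the network exposure of this domain reviewable in one place. For a service that accepts remote connections a dedicated labeled port interface is preferable to a generic one. The targetd_t declaration and the rest of the file lie outside this hunk.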
@@ -108654,6 +108654,8 @@ index 000000000..4cc8557fc +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + ++files_rw_isid_type_dirs(targetd_t) ++ +fs_getattr_xattr_fs(targetd_t) +fs_manage_configfs_files(targetd_t) +fs_manage_configfs_lnk_files(targetd_t) @@ -108665,6 +108667,8 @@ index 000000000..4cc8557fc +kernel_read_system_state(targetd_t) +kernel_read_network_state(targetd_t) +kernel_load_module(targetd_t) ++kernel_request_load_module(targetd_t) ++kernel_dgram_send(targetd_t) + +rpc_read_exports(targetd_t) + @@ -108685,6 +108689,8 @@ index 000000000..4cc8557fc + +libs_exec_ldconfig(targetd_t) + ++seutil_dontaudit_read_module_store(targetd_t) ++ +storage_raw_read_fixed_disk(targetd_t) +storage_raw_read_removable_device(targetd_t) + @@ -108708,6 +108714,10 @@ index 000000000..4cc8557fc +') + +optional_policy(` ++ rpm_dontaudit_read_db(targetd_t) ++') ++ ++optional_policy(` + udev_read_pid_files(targetd_t) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index 8445df78..56debaba 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 275%{?dist} +Release: 276%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,9 @@ exit 0 %endif %changelog +* Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276 +- Allow couple map rules + * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-275 - Make confined users working - Allow ipmievd_t domain to load kernel modules
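Review bot: `files_rw_isid_type_dirs(targetd_t)` grants read/write on directories of the initial-SID file type, i.e. content that has not been labeled, so the rule does not express which resource the daemon actually needs; the line carries no comment saying which path motivated it. This usually appears when a daemon mounts a freshly created filesystem whose contents are unlabeled (inferred from the storage rules in the surrounding file — confirm against the denial that prompted it); the narrower fix is to label the mount point or add a type transition so the access lands on a type owned by targetd. At minimum add `# unlabeled dirs on newly created volumes; TODO: label them instead of allowing rw on the isid type` above the call so the grant can be revisited.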
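Review bot: `seutil_dontaudit_read_module_store(targetd_t)` (and `rpm_dontaudit_read_db(targetd_t)` in the last hunk of this file) silence denials rather than resolve them, and neither carries a comment recording which library or code path triggers the access; without that a later maintainer cannot tell whether the reads are incidental or whether the daemon has a real need that should become a read interface (the context just above the new interface in selinuxutil.if appears to be such a read variant). Add a why-comment above each call, worded from the actual denial, along the lines of `# incidental probing by linked libraries; not required for operation`. A dontaudit also removes these accesses from the audit trail, so the justification should be explicit rather than implied.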