From 2b14b695c44c5d396a26d3d6ec0eddeda794be8a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sat, 26 Aug 2017 13:17:21 +0200 Subject: [PATCH] * Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276 - Allow couple map rules --- container-selinux.tgz | Bin 6905 -> 6904 bytes policy-rawhide-base.patch | 1278 +++++++++++++++++++++++----------- policy-rawhide-contrib.patch | 16 +- selinux-policy.spec | 5 +- 4 files changed, 878 insertions(+), 421 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index bad12d0e789f755d8f87366dbe4aff0090b32723..cbeb3df143cd5da26e2fb224f92c1963f97e5e55 100644 GIT binary patch delta 6875 zcmV<18YJcUHTX4uABzY8saK&{00Zq^>yO+vlF!%aze2DBcqZ^XJdS;UC%cD5vcTPk z1A^TJ_QU0_qn6a&%IFnIJ&!ZIfBRMyAEGFdqSP9D_TT}M@kmual0~vuEEY>qS+rqV zB=tqQ{pN{&uHfhW`|t7hn}2(ErT&JWx9{J+dGpPiw{PBmU0uI>`~KaVZ?4|Fy}o+) zO>p&86;gi=O&iuh@J)7Chnpm_(v7|U7yVhid>Q=E9P&J@AOHBbeG-&aQk*yCp^lOu ztg0-H!Zt07AQA&5NQxc&zWCu%u&n^Z@26K9{BiQe>@q*J=gSWtJG= z{{oLCco;=V(~O}aQWRE~qr(S&PZ~L0?~7NWzgh2N!O-t@y1_2^_S%er5Kl2zK}gSb zqT+y`B5FAwowF?p3!-$+vLh$dUy?8;`Br~*iGweIl?udPZiiEBp&8^c$SuN#s;;Se zvqp6VT8p)DM0*`8(!WwSD)P(HO%OvhqqeNmq?s^ypGJ^;oI$mG1bG+MNZJXK$`8JM zW1{&0?F=|R{BvC;b>0BuHqDYo6wIkRH;fIJRv<=Rk%>K3z7> zofWsU5&S!R(A|HcS&vI{QzcQlO`(HWN20ls3{)PK8M6U_{72eLPpAiv8z>gdHbdkF zq5oG{ggbp9c^-2tr>Z@fZsYLBXg7a>F*aeIR7(ze@LBbqch52T$$seMIJm^j?;6Jf_4%aw+{|7@XZcEZy2^4${z)~>k6<0(7J2g<$h$%RM5uHH zl+x>tM`XEA+kFrM;h_Zyw`mkm>pR~AEbT}aDrwZF13o%) zsVU`_tPUm=G*lvz(v+eY?>frDrm+-7?}lY<5?)+9r9Axqi=eDf{$ciq7j1p8H4#a* zVmC=z?7WIKPZ6=6dpmfI6U60>RVKl=*YMw4`0x8=_aZ<4=TFaMoh6ICO5cR{H zO`82_S+$Q-m+(Ntw~8~EcwBL4V6e51q#kiD^o1&Bh$h-NxvN^Td+{X-3V$2qD+oVC zduHgOjG-3G2pNBvYov3Au+>))HvTIq+9{&OpJ7Q3krTrtv3CnKmLIQqEwLB;yFpq0 zEfmsUg75SRl9f9LtFnI3~eYhLS6 zml{^>br|Pq!PX)?^t4SMwpaPiL*Yk8w>;R*Z$N=Vd)(FMF(ZFywx zz`jIy2kQgWD&XxSHwx*j6bgp5n|!?eFxR`ZE{lB9rsaQWx{K<0thdJMco#kDcJB;# zEnugcU+j#}nK|R>1`r`{A7PVTgEWFB-4$WRCT#HOW|~6=3ZvD@OeiYmKG|>~D90Dp zIWfl1J(3zfO4$Q|bp~<^YhLp2yx4j34Nk&wZe^T|d*_6o4b{TH$tE2B>#EGs=#fUa za0+rSU?U~DrvKVO@NT0h6 zU>(!<-Si1#=uQ2giX4oa@=(MLO&B~)T}GF&17Uv&e?(Y+SH)Rp5NZpDRIq#Bs2UAzoJ!>kXw^%<0yT z;qJi1V;ROiRpb1^RbkwSUf^9Qe&AjSCo5Cs{yGk9d9X5ZC3&p(kcJ0lNzl~wPN(7}T zE{iX{Mq}H3?h=vPVC41?(JT^A*3gR8&^a=5B5X@EayDU;M*Rg;$k%VVtm5J6=qCc`n zFWTg(%5dNRfB*jK-P^(a|Ld>!|3AwQ^R%qm{re@5miq= zl%Dgz?_FIUs^FBnrOvpP_NWCn${2q@R}b4x2AZ3OxX_SQ0XooWc=xG=F-{SAahT+w zo|)1x$a zf*V7W`fws_NgN=Pxj+w*5B7eiI{y$?xbFMN-AMzhC;yw8Zgl$_k2d<4;<$q$W+F)G 
zROd3G4JycwNc6~?Q;o?n`}1m`0q~LR8Tdm(?6EqL@xXL|%?^?!I{azJ-!`^UMFVa) zs?4L*d_JO~>dvt~_|R2nEkl1N9Tue=WAsbu9h8al2>I~Th%kf~F`9ksF2s|CYqpQ4 zLzW>JkJ#vA$tXl7guH|t{+iI5 zw+8bbw<0fjL^v)0@iEH~?DejK^8j}ZO#1tDw}+LNHsJk|Gq&$vtYClK#;9dZwuCy1 z2J}am1zb(o* zz^pz%(hN6e{mAqo{F5wD^ArR!}+V5`6~hD@%*p z^)0`kcu4LrJm83$2}J0KI1P6ilz2M}(p4+DgyH}o4Go*bq)wwXC~%{hbtYMG;7()# z`A=n`kqN`OPNF*&)P>vZ@tV!yp{jY(OMy+Gmm7XJ%Szi~XL%;3@3jNVhXb?2e59nfN55IpV$_X3s(a^8eMinAHb(!G{wu{PjSp*3iI$b=>`1kljt_MFYDV2Ap4K9O16hAdqjsj zNFXoo$Qxe-_ero1;g2xbBq)HODYFB5aDnUZoB(;^l8!L9CAI@P_cecuaJerJS{ReDW!4cap4j}-XGHI$=;?u&nn;Qiac9TQJkh`4qBlx0jd zxTloivx;a;WH>9!$Blpc5X)8iR&}{gohGbps#!6wIWluV=P;Ww%Up>W=MEMR%*lhp z19NG-$+O*s>C?lUc%tFsJBnphma&w~*KVH#ySsz?l)NbKErsJh2wd*MF?G_^qS(~!>CQ~U_Ql`@;QBs z?+!7g)8mD(H;qduB33WmMf8urff1Y5eD!8CufEG<}Q;iJ8M+g6@M2$rbK z^D0Xo)-)!^d3&duz7jMt`JM63K1rQ%lstAa%9cBt>RjEi2yzR(LLPO&m`>tO$Mv)W zURRsUHCh-y$@C-UH+)0eJXRWeXz)^6j>rE#kSyDSSMv@9`C&A_wXM6*g~X&!(dEuI za!Tg+8L5A~hcKFcPdG}wUzY_-4$D);nA_5{WsN2r#xRije!w8Uw7Ip=)6qRHVnx&3 zr){)1)A95O`tX5`Xrj#cFBVimJ zz3Nhh;Do1E=grPS-6IAY2~Vzo+P3*ln@E`k6xx57{$FSh@b4J9E?~C^*K{DYjuKn@ zO{~JM-NF+<2m!;PI<(pnlNaUwJ`UT^F^|ah7L(3iftSIM+R<~4y#V8tNstxq^NQ&U z`Po3r+m4X_ee&)pvA5B-jX@))7UWw$z583S}wNbhy#D*_e0XO zYqII|3#JBo-kx<1vjmJ8w+luPyB#bBVjuqwecsLs`KdfiK+1-r2d&zNWQ+?h74dqq z_KdC3W)CebWO3OnZbrLlG~i=dB~c;6kV^JR29wccey>(>a;NS=ES@NZ2n2_R?KU?T zP*S(UVr!W#lH}k)liksp+tz=jqiXm`1gw>lA}hGbg9{EZ^G@j*Vf;h zXKWv@dL~@k{ltUJR{~A{_PlFI>7*mB5K!3-kGyfUMQ*g#4{YP8!TyBqeFp z<_``MA$dTuN}dRXA7GSF%!@;T24oacC)f|%&;o;k{C5Y5G1YFjkr{Rp4Es-$IO!}BhM;F6XdK5!mlbsVhY zx`G_CGBSx!*r_~rb*Cg(P^Kzlq}(c@&A43g3?U-?6rMQhpbmE1pc zg5N6NkJ4Kp9m0P;%{3%pw6krSUPK1#Q)Y_TnQ)8Maf!8@ZSu@q78h<<(eVa#kn<2$ zP>PTn_c~}PZC7=s4E)>bV6d>$GS9<(XvL@Raaroi(jW=Lz(vF?j_%kCEfveM=1em0 zXN8#Pa}aG>*xY9(=KM8vB-NSb2X1>bIB@Wqj)ogT2rcR8!E&AdL_i8C{B<0Wl~BK zYtd+SkG_AQ!iID;>}>R;N8DZSbB~b2W)1Q^byfpOVn)O>vZ&N!DJY9rA1x( zLSYuoNOqvI^&^c!hb5>N<{P6lIZqPiDK=(EqMUrk+=X=|`Wt-3!Z=$7#mMBtQ~8z1 zaE{;@;q>XG?o`owZfMAlY@YOfCGv4<2#|--s)m0XD0>FY1jn`dLHTzsjkQ{Fbc 
zChDmxNk`oJtaRFHf;0AgkdZ8BJeB5*gj*`-#Pm|q47b230Sq#g+KrkW#%foH&vT62 z=NNzg#)#|P=+%ye;GLH-7AnJaFXPxE+*dSw(8sT7SU&bLqV|vd`U|=1r`#2qCOE&F z0CKErcQp)-FG=c(&6Gq+z@11RV+8XHI+Wz&@o18CrowA=ZTB+xk>xwg9$D6llzm_a z7Hu%6Q5j$0hX@0M?JAS_clA5tc`sN>PPKnn_Jl1CXnT@%cB5aO&=P#IH2MT+NSoZd zXTsMdDttv{v(|ldc=eyu)z`6;fm+b)RXlpL~FQ}#2VBO*&SwaG-Ul1k{ETBqmQrq zbf{kb(72KGH!f-s45?6?E?t?T9=VB4{@w;Q`nSyUo8+eGykUv45_@^W2e1rM7R^X? z!5gNw$rIJ8u~#*^e+P4{9gpN{`;mWPhETTF?=mBwHm*w>bW-hm1FZGG7u5RaiEJn2 zhioU@W-`@wgwA@;}OmtQ)2Tx-%5a_Oz5p7=X8JNnCR^Q z#8KLC$??c4;fXX9mrkQDh#y(7bHESRs8z;$A5CoEjN9EV9>+hHRUJe%fwEuAK!Ziy;VlK2Jw)dSw`AJ^^K!u|!n1}XldA@yeqRqo}5n?h4K-<4!R*B*J-)bsCo*#GD_p6 z@ER3xnOW4=9*cL8Qo?_7lc0mhdmRvcu>shU5#>#othU1W->@i(moNC9Cx>n5fkoR0J5AASG3U=ojDp zf?p8u7b5!>!8owU{pyeGUujDFx(qNz9!(ubEf|vROuieDz{>ZZj2h5P7EPF#uLbUm+v|#2zGe>|`=PJiCX*%mH^F z4jAk%a35~&deoA-TVuVAr1r}h+24Lu#TQW&Nl|J!@g8De#<5iOkSvnLVzF3?%AyU^ zBB{^Q?Ke;K^A>(Se0Yz)FMs&{t@;~&-hFs?dHK!dyUX`~KfL?!!w(<6|K{!GyQ`}o zz6stwRfW`_L(_(J5PXx}*5M|JtaM}V|4DyVFJA^fHitY9>xV!8eV+tnl@xE9@=!-f z5LQ)|Mq!(lMG%RB5+ubAexLt%A=p*`;`h@l4gNU!*ZU+ow26YA7D2mLAH-!2|2QYs z3xzlMu?p*7Fb|3_PyY0RQN8%{poE|4MG$6Ld6&dNTLx_%7EOwcGJ#$YD*Stu7Hv{* z!zelZP1a^zABr~3lQon_IImv+wmR7*#kx-ZIHWbuu1-$che~OIM~0V z@PCEJ5aR%{lYFaxy2Qa3z)A(;FSo-fw$Kdn7~~dVLsi#Q zy;-BW0yiX%YKF*+8K7zarYb5OiN#zIM zUYck=LOTPF5C2?ONu4*qxJ|R95e0K<8srPF2G32@G)F(Dpe;H>@-3k*`r@Xp{o;au zCgp%Fr0UEPw{?u35IB2nRvi-SGswKzhjsFtq)rv`mpdc(kb0IjEskxQ&^eIdkx!S6 zb7#fPYy|%fA9VL$Xx8JB+*C=FZd2$W){$tgBm zLFoSx7U51`NS?|W%TfB*TJtg~dXS7|)WMyd~m zMd1KcGhy>bK*ooQyEvMpzFp*h2xB2Xx5dZw(6mV&wb@i(o&N4nq%DcR>nMgD^G$^) zi1k*AeoEvxon>JlDk_*QWS6OStn4GgySfz%_;g}zY54ADdzC%08gb}zm}LE&$MdW)0 zzlB2jOYogOL9%k^U{%(CLJP&d%oBYK@I{d?y5gYFvNR&e>)?facMg0n&SvApWppzi zqyg^rphoy~4jP#HD$biIOQCz`BeAwEP?K4*VHjmJPqJDK8jbu&UaZ`0j*Qrs?yx-Xly zSsIY`YYSr5NmFLG=O}?iU|CN!U8YG82l5xlcA+2+Hw= zbxw@&bC0CPk5cvkV4Z>7!kU--J1=(Le1ns4oLd`JhXcr=sEEC(#vNS5KHx)61GkZJ#C>h`N(i| z1!?g3xELLCM;#lg{6u_Aw5!XFXV-&Jwe8HC!xAr&lN$D5t7 
z3Wmjl0iLfJOcr2r!h%*mR3$W*S*mHX?7f(UudZ~}oqMgqW%@BXc8J%N#Ck)i7IV7w zW4Jpo@mPkj4>^tDu}XEc*A66O{G?VFKO|!~VTYu@mPl?W8RcU{!nckp4MQOmt8w5Z z)ngfdEMo7+0%$^)FCDe&pJ3aJRx_`9(5A48$F5R`YlqFB<3cfSy5oCw_QO9*S_IwpDJ;z+8VFY{RTc&a^7=8ZoP$A0w)s zekeWXf#18jJXFCccT1gdE$vYYZj>>9fUX|4oeVTL4RN6%s{(YO)9~(73uBxj^5QVb zK|M32eQGGlb-|gd`sT3teGP_Nv`3ZRDSZ>1WI}cB$srvYrs~;i=UUrVsv)5+V%%;p zEjFB57d6|2_eIQ}4SGd&8V>2b`o-y%J5$=FI4JsYBB#B#!!ah^+5IXiVNU#it^|t9 z>;*T5DD~k)*pfIvCUb!vA|LGiPIdkvu5jJ=k-L)yR!{ynHQng;Hy&;DF~xBQL(D{w z(y7j6LK{?&ACc&hH>VntWA^9OKm*_-*)#BmhS+0uBIAMS0Gk~oOLX|tj=ybeqlyOH za8#K`srh_FL)D#Qeej{H&RT|lPC6_~ImYOh(mN;<=MnPZsS#laFJd(N*jl9v8H)md;YO}BBfJ^d}A zHE#{(J#Ix_@`!L;0ODhoA=vA^4c-K}Yhcpfr@K9@ytD!Dmz=SE|6&Dy<2FVubFwAW zSu~(O!Yp9+7`$RWGSkA}B-!?36jtFT&C>QEcnqR_c~=BCDHuRo_!r)=Y?3yOgZ!o_ z;{dyc4)Ew-o3xPe_w=9+!KO*tEkNRex5nTrO8@lfdaM>;#fSs@I?2F3&hWr~gh}j? z{{e+YhZ=@XJI>QLI7g^|w=sq#jgz61k!C@O2EiybKU>7uY2~1i9bS4fE7wLndGlsR z$EEPwlLLe3Spc>gNI%B3@0j+!Oi-sk1Q-6>lg$+H!HZTOdZM*awE)T?9-vHN?`@Kg+?X}=Q@dQSx^^lv&U;Thli@>NiPL9fnIL--7G6@i=}zx%{*McZ!-N_|A=M5 z%);T5Gl3{CMl1k->7$W&zz!xedgP1ywl4E-p{Il=c^QM5urek?7^$8J1s-nmOt;97 z1smpBn2k6Z^6ZIhh=CT+ywa{cv0>0n5t!Kinj_)n^rst ze4p4Bx*y;+QcYv{Ew8(N-R;fqO>9LX(jO`Ck!vVN z3*8t07{U9ufjcIivJi3W{3*+rY;aF0!)F!In89+;B{hX>};c#~(l3)82EIq^ip$9ELVsw`tEnXlbG33hh} z_bK78md7{U8-JQ2lsn%~R{&nqUcKySx{`XiI+nA!#!}PGnfRWVla-z)?qtR1i96jH zh6h~KvTvD|0*wNz>eiQn>%{FFsB-kp1|{lnFsK!Vdlc^#}#-F z0}g2#2D0rmAbf`LFw2uRcJHK~;TLIPd}EB1{`eD*HsD7U{h$M5Te?UDV#H{A+#0tS zQE%4IHz4#R~&Wb!-Xoqduz<0yITWRxv; zG}XDfV-e&QdWAgdf-#-MosR2i2fVH}nQOE#ev;`&%y0OHwt1{H_R!#^v>cEBeIQx3 z2e0NG3i88fersEIp$mygpQ6j1ZRC{9?=w<=c@JSU{hn}?dbchMmK>I+iZQpPY0DZ- zIE-N+^?i>)d}(uIp{JvJT*Qi|xl7wHnv5%l2$8`HSFvq1BVw&K2;nTm+;{lU^A zPEb~Eew#X?_hK8#PfRIK1V+L*I(pTm3c(3atp&4JfpK zG5z1r9^l_GbX~x15w7V#Y8@rE_M2FRUAu)RfDi(PLv?7iB_=P*{aqZkp<^DA?JXvq zy#g&e!{WM&C7spQounkK+Wg)@A|ww;R>>2g@B@qzig|G;(146W>ID0N8(Ltn zQ|~s4(02_yv~Snx9y9Y?(SVWHmu;?qj-_tb@-OkJCnryTyg8ut5u&-cOKpp$ydUAS zSCzDEYBHxo}olK 
z3vN^BRPv*4*(K^umBJH89W+8m12sw(=Hv7RYaDJpaUz$n!Zxu^lm*O5L@W4Mb2?+5 z>gF)zU%3Q--h}xk)I=Vo-l8N@ukInrX;LSaaj}!Q#_DVp0?)WZ!q~$9w(>JsT}9Y) zM>~z=j@lUM-7OU?G<+C`lTeH_4^k4~c%{v5KEzPS_1uiP zIxex6vrV3v%i_WfD>~kw4sssC3Q7@j<6Z|XrR}QDl!1R+9SjzBTIPAU53Tt0JuXXq zSsEl^7`TX-#nBymp`~J3)|^S^{j3lZeGZ~c3!D3lB~mn%yiM!m4rWX|+R#^4q2hLa zmiPaEAouyU0}UHv5#f9B z*>cLd7G|Or@r}Op!sP2Q&>*yMy`H$B+AKm z%w1SlqQAjcER3^dP>f7IJe6OG4Ce@r5l){@>P{7{=Z1#-$mU7!S0W#$h5&gOt!lV` zF^*hq3Fk!^&+P3>D(AAV(n_jlo6SMwo#7!dm6sqORFBGA-_>tjlw`(rsO&NOc2O^^ z)s5U~mcITXy?HjK%EgzuI^}KCYoeaIl61ta&q}AQCOBi?2N}t7##3p|NVuhPPE0Q) z&2S5x62Kr+sa>ntVXStA_&mqReU9;eZ;ZI!jb80o2;O-aW1%u!_cD$x!hJ=<2YvjS zhUH@~BWnNHufLGHe#%{;X@c{+2_VP1c2~pT_>!cq*i1>J1l)=AF-9=IphHPM9*-tT zXDYl_*LE+1pIE-b?15#yNZAK=V9^G18kO-meuywI*sd~(e^=IX5m``-{bZMsq|C8zJs}m=+9Pl)hlF zM4aX|#>{dR^z#P>*ZnD#)_)kLlyDODJpSb8*N(0v;fSr#dqxvQ-{`k`46!jRm>(S% zB|8|^az-<+9gl#O$qV_}Y|kZsDkzPEn1{Wx>p#+|p+`(O0vjB09jC%-c>XDn+1l^4mZubI z3HjM7ozoQ45xfG%$YztCV6X&?U@uCx&IB$j_&Ih_Wob~$eusn zKH0bJ+~5DZeEa_D`@#4BF28>N@3Z_|p#6C9>pAE5hS9K881j>Fb0}U2+hqn}9b|1Y# zxFy>Tm=_CH5#B}1R1nc5)qnlZ#eaXtP7apsoj2(7Zra6a%u)Gwhn9vd%G)wKv8dXn$S4L^P6kekOE;Ebz+GFu9Qc75VZW46Rd~3>o&r?~-XXiM2 z(h8+|3d-f|UrxNSBJoWI5 ++## Map files in /usr in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mmap_usr_files',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ allow $1 usr_t:file map; ++') ++ ++######################################## ++## + ## Get the attributes of files in /usr. + ## + ## +@@ -5112,6 +6443,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -14003,7 +14028,7 @@ index f962f76ad..c1b46d8f3 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6572,24 @@ interface(`files_list_var',` +@@ -5241,6 +6590,24 @@ interface(`files_list_var',` ######################################## ## 
@@ -14028,7 +14053,7 @@ index f962f76ad..c1b46d8f3 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6677,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6695,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -14037,7 +14062,7 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5419,6 +6768,24 @@ interface(`files_var_filetrans',` +@@ -5419,6 +6786,24 @@ interface(`files_var_filetrans',` filetrans_pattern($1, var_t, $2, $3, $4) ') @@ -14062,7 +14087,7 @@ index f962f76ad..c1b46d8f3 100644 ######################################## ## ## Get the attributes of the /var/lib directory. -@@ -5527,6 +6894,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6912,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -14088,7 +14113,7 @@ index f962f76ad..c1b46d8f3 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6982,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +7000,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -14114,7 +14139,7 @@ index f962f76ad..c1b46d8f3 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5619,6 +7024,42 @@ interface(`files_manage_urandom_seed',` +@@ -5619,6 +7042,42 @@ interface(`files_manage_urandom_seed',` manage_files_pattern($1, var_lib_t, var_lib_t) ') @@ -14157,7 +14182,7 @@ index f962f76ad..c1b46d8f3 100644 ######################################## ## ## Allow domain to manage mount tables -@@ -5641,7 +7082,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +7100,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -14166,7 +14191,7 @@ index f962f76ad..c1b46d8f3 100644 ## ## ## -@@ -5649,12 +7090,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +7108,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -14182,7 +14207,7 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5672,6 +7114,7 @@ interface(`files_search_locks',` +@@ -5672,6 +7132,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -14190,7 +14215,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +7141,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +7159,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -14218,7 +14243,7 @@ index f962f76ad..c1b46d8f3 100644 ## ## ## -@@ -5706,13 +7168,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +7186,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14235,7 +14260,7 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5731,7 +7192,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +7210,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -14244,7 +14269,7 @@ index f962f76ad..c1b46d8f3 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7225,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +7243,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -14252,7 +14277,7 @@ index f962f76ad..c1b46d8f3 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7239,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7257,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -14261,7 +14286,7 @@ index f962f76ad..c1b46d8f3 100644 ## ## ## -@@ -5787,13 +7247,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7265,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # 
@@ -14296,7 +14321,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7289,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7307,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -14314,7 +14339,7 @@ index f962f76ad..c1b46d8f3 100644 ') ######################################## -@@ -5834,9 +7313,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7331,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -14325,7 +14350,7 @@ index f962f76ad..c1b46d8f3 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7355,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7373,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -14335,7 +14360,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7377,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7395,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -14345,7 +14370,7 @@ index f962f76ad..c1b46d8f3 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7414,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7432,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -14355,7 +14380,7 @@ index f962f76ad..c1b46d8f3 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7453,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7471,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -14364,7 +14389,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7473,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7491,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -14413,69 +14438,113 @@ index f962f76ad..c1b46d8f3 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7537,43 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,47 +7555,45 @@ interface(`files_dontaudit_search_pids',` ######################################## ## +-## List the contents of the runtime process +-## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Allow search the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## - ## List the contents of the runtime process - ## ID directories (/var/run). ## -@@ -6039,7 +7588,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_pids',` ++interface(`files_dontaudit_search_all_pids',` + gen_require(` +- type var_t, var_run_t; ++ attribute pidfile; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) +- list_dirs_pattern($1, var_t, var_run_t) ++ dontaudit $1 pidfile:dir search_dir_perms; ') -@@ -6058,7 +7607,7 @@ interface(`files_read_generic_pids',` - type var_t, var_run_t; + ######################################## + ## +-## Read generic process ID files. ++## Allow search the all /var/run directory. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_read_generic_pids',` ++interface(`files_search_all_pids',` + gen_require(` +- type var_t, var_run_t; ++ attribute pidfile; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) ++ allow $1 pidfile:dir search_dir_perms; ') -@@ -6078,7 +7627,7 @@ interface(`files_write_generic_pid_pipes',` + + ######################################## + ## +-## Write named generic process ID pipes ++## List the contents of the runtime process ++## ID directories (/var/run). + ## + ## + ## +@@ -6073,12 +7601,51 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` ++interface(`files_list_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++') ++ ++######################################## ++## ++## Read generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) ++ read_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## Write named generic process ID pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_generic_pid_pipes',` + gen_require(` type var_run_t; ') @@ -14484,7 +14553,7 @@ index f962f76ad..c1b46d8f3 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7689,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7707,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
@@ -14492,264 +14561,341 @@ index f962f76ad..c1b46d8f3 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,7 +7717,7 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7735,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## --## Read and write generic process ID files. +## rw generic pid files inherited from another process - ## - ## - ## -@@ -6177,12 +7725,30 @@ interface(`files_pid_filetrans_lock_dir',` - ## - ## - # --interface(`files_rw_generic_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_rw_inherited_generic_pid_files',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ ') ++ + allow $1 var_run_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Read and write generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ + ## Read and write generic process ID files. + ## + ## +@@ -6182,7 +7766,7 @@ interface(`files_rw_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,6 +7815,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7833,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## +-## Read all process ID files. +## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. 
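Review bot: The parameter summary for `files_search_all_pids` on the new side still reads "Domain to not audit." although the interface grants access with `allow $1 pidfile:dir search_dir_perms;`; the `<param>` text should be `## Domain allowed access.` (the "Domain to not audit." wording is only right for the `files_dontaudit_search_all_pids` interface just above it). The summary line `## Allow search the all /var/run directory.` would also read better as `## Search all /var/run directories.`. Separately, the regenerated inner diff now presents `files_list_pids` and `files_read_generic_pids` as removed and re-added further down rather than as a pure insertion, which makes the net policy change hard to review; the two bodies that reappear in the `@@ -6073,12 +7601,51 @@` hunk look identical to the previous version of the patch, but that is worth confirming when re-rolling, and regenerating with `git diff --patience` may keep the insertion-only shape.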
-+## -+## -+# -+interface(`files_delete_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## -+## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## -+## manage all pidfile directories -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_dirs_pattern($1,pidfile,pidfile) -+') -+ -+ -+######################################## -+## - ## Read all process ID files. ## ## -@@ -6261,12 +7937,105 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`files_read_all_pids',` ++interface(`files_relabel_all_pid_dirs',` gen_require(` attribute pidfile; - type var_t, var_run_t; -+ type var_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Relable all pid files -+## -+## -+## +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ relabel_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Delete all process IDs. ++## Delete all pid sockets + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_pids',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 pidfile:sock_file delete_sock_file_perms; + ') + + ######################################## + ## +-## Delete all process ID directories. 
++## Create all pid sockets + ## + ## + ## +@@ -6305,42 +7877,35 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` ++interface(`files_create_all_pid_sockets',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content ++## Create all pid named pipes + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_files',` -+ gen_require(` + ## + ## + # +-interface(`files_manage_all_pids',` ++interface(`files_create_all_pid_pipes',` + gen_require(` + attribute pidfile; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:fifo_file create_fifo_file_perms; + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Delete all pid named pipes + ## + ## + ## +@@ -6348,18 +7913,18 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_pid_pipes',` + gen_require(` +- attribute polymember; + attribute pidfile; -+ ') + ') + +- allow $1 polymember:dir mounton; ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). ++## manage all pidfile directories ++## in the /var/run directory. 
+ ## + ## + ## +@@ -6367,37 +7932,40 @@ interface(`files_mounton_all_poly_members',` + ## + ## + # +-interface(`files_search_spool',` ++interface(`files_manage_all_pid_dirs',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- search_dirs_pattern($1, var_t, var_spool_t) ++ manage_dirs_pattern($1,pidfile,pidfile) + ') + + -+ relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Execute generic programs in /var/run in the caller domain. -+## -+## -+## + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. ++## Read all process ID files. + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## ++## + # +-interface(`files_dontaudit_search_spool',` ++interface(`files_read_all_pids',` + gen_require(` +- type var_spool_t; ++ attribute pidfile; ++ type var_t; + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. ++## Relable all pid files + ## + ## + ## +@@ -6405,18 +7973,17 @@ interface(`files_dontaudit_search_spool',` + ## + ## + # +-interface(`files_list_spool',` ++interface(`files_relabel_all_pid_files',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- list_dirs_pattern($1, var_t, var_spool_t) ++ relabel_files_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). ++## Execute generic programs in /var/run in the caller domain. 
+ ## + ## + ## +@@ -6424,18 +7991,18 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_exec_generic_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## Write all sockets +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6443,19 +8010,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_write_all_pid_sockets',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + allow $1 pidfile:sock_file write_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6463,55 +8029,62 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` +interface(`files_manage_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. 
+## Mount filesystems on all polyinstantiation +## member directories. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## Type to which the created node will be transitioned. +-## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +# +interface(`files_mounton_all_poly_members',` + gen_require(` 
@@ -14757,33 +14903,100 @@ index f962f76ad..c1b46d8f3 100644 + ') + + allow $1 polymember:dir mounton; - ') - - ######################################## -@@ -6286,8 +8055,8 @@ interface(`files_delete_all_pids',` - type var_t, var_run_t; ++') ++ ++######################################## ++## ++## Delete all process IDs. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_spool_filetrans',` ++interface(`files_delete_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; ++ type var_t, var_run_t; ') + files_search_pids($1) allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) -@@ -6311,36 +8080,80 @@ interface(`files_delete_all_pid_dirs',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) +- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ') ######################################## ## --## Create, read, write and delete all --## var_run (pid) content +-## Allow access to manage all polyinstantiated +-## directories on the system. ++## Delete all process ID directories. 
+ ## + ## + ## +@@ -6519,53 +8092,332 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` ++interface(`files_delete_all_pid_dirs',` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; ++ attribute pidfile; ++ type var_t, var_run_t; + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') + +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) ++######################################## ++## +## Make the specified type a file +## used for spool files. +## 
@@ -14824,56 +15037,46 @@ index f962f76ad..c1b46d8f3 100644 +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; -+ ') + ') + + files_type($1) + typeattribute $1 spoolfile; -+') -+ -+######################################## -+## -+## Create all spool sockets - ## - ## - ## --## Domain alloed access. -+## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` -+interface(`files_create_all_spool_sockets',` - gen_require(` -- attribute pidfile; -+ attribute spoolfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 spoolfile:sock_file create_sock_file_perms; ') ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. -+## Delete all spool sockets - ## - ## - ## -@@ -6348,12 +8161,33 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute polymember; +-## Unconfined access to files. ++## Create all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_spool_sockets',` ++ gen_require(` + attribute spoolfile; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ ++ allow $1 spoolfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Delete all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + 
@@ -14896,10 +15099,222 @@ index f962f76ad..c1b46d8f3 100644 + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6580,3 +8414,623 @@ interface(`files_unconfined',` ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++ ++ dontaudit $1 var_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of generic spool ++## (/var/spool) directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool_dirs',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Read generic spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create objects in the spool directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_spool_filetrans',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Allow access to manage all polyinstantiated ++## directories on the system. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_polyinstantiate_all',` ++ gen_require(` ++ attribute polydir, polymember, polyparent; ++ type poly_t; ++ ') ++ ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') ++') ++ ++######################################## ++## ++## Unconfined access to files. + ## + ## + ## +@@ -6580,3 +8432,623 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15770,7 +16185,7 @@ index d7c11a0b3..f521a50f8 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb43..b5b7a0ae8 100644 +index 8416beb43..2aa8d9ff4 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` 
@@ -16654,7 +17069,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -1839,174 +2234,988 @@ interface(`fs_unmount_fusefs',` +@@ -1839,174 +2234,989 @@ interface(`fs_unmount_fusefs',` ## ## # @@ -17199,6 +17614,7 @@ index 8416beb43..b5b7a0ae8 100644 + type hugetlbfs_t; + ') + ++ allow $1 hugetlbfs_t:file map; + rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +') + @@ -17694,7 +18110,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2014,19 +3223,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,19 +3224,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # @@ -17721,7 +18137,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2034,17 +3244,18 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2034,17 +3245,18 @@ interface(`fs_read_fusefs_symlinks',` ## ## # @@ -17744,7 +18160,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2052,17 +3263,38 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +3264,38 @@ interface(`fs_getattr_hugetlbfs',` ## ## # @@ -17787,7 +18203,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2070,17 +3302,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +3303,19 @@ interface(`fs_list_hugetlbfs',` ## ## # @@ -17811,7 +18227,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2088,35 +3322,41 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +3323,41 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # @@ -17864,7 +18280,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2124,17 +3364,19 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,17 +3365,19 @@ interface(`fs_associate_hugetlbfs',` ## ## # @@ -17888,7 +18304,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2142,17 +3384,23 @@ interface(`fs_search_inotifyfs',` +@@ -2142,17 +3385,23 @@ interface(`fs_search_inotifyfs',` ## ## # @@ -17916,7 +18332,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2160,53 +3408,39 @@ interface(`fs_list_inotifyfs',` +@@ -2160,53 +3409,39 @@ interface(`fs_list_inotifyfs',` ## ## # 
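Review bot: The new `allow $1 hugetlbfs_t:file map;` in the hunk at `@@ -17199,6 +17614,7 @@` widens every existing caller of this read/write interface to mmap hugetlbfs files, and nothing in the hunk records why. Since hugetlbfs pages are, as far as I know, only reachable through mmap() rather than read()/write(), the grant is defensible, but a one-line comment should say so: `# hugetlbfs content is accessed via mmap(); rw without map is not useful`. The interface name and its `## ` summary sit outside the hunk, so the summary should also mention that mapping is permitted, because callers choosing between interfaces only read that text. The interface body starts before the hunk.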
@@ -17982,7 +18398,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2214,19 +3448,18 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3449,18 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # @@ -18007,7 +18423,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2234,18 +3467,18 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3468,18 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -18031,7 +18447,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2253,58 +3486,54 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,58 +3487,54 @@ interface(`fs_remount_iso9660_fs',` ## ## # @@ -18103,7 +18519,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2312,19 +3541,17 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,19 +3542,17 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -18127,7 +18543,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2332,18 +3559,17 @@ interface(`fs_read_iso9660_files',` +@@ -2332,18 +3560,17 @@ interface(`fs_read_iso9660_files',` ## ## # @@ -18149,7 +18565,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2351,240 +3577,243 @@ interface(`fs_mount_nfs',` +@@ -2351,240 +3578,243 @@ interface(`fs_mount_nfs',` ## ## # @@ -18449,7 +18865,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -2603,7 +3832,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3833,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -18458,7 +18874,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -2627,7 +3856,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3857,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -18467,7 +18883,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -2719,6 +3948,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3949,65 @@ interface(`fs_search_rpc',` ######################################## ## 
@@ -18533,7 +18949,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +4029,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +4030,7 @@ interface(`fs_search_removable',` ## ## ## @@ -18542,7 +18958,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## # -@@ -2777,7 +4065,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +4066,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -18551,7 +18967,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## # -@@ -2970,6 +4258,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4259,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -18559,7 +18975,7 @@ index 8416beb43..b5b7a0ae8 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4299,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4300,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -18567,7 +18983,7 @@ index 8416beb43..b5b7a0ae8 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4340,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4341,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -18575,7 +18991,7 @@ index 8416beb43..b5b7a0ae8 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4428,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4429,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -18600,7 +19016,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3239,15 +4548,198 @@ interface(`fs_search_nfsd_fs',` +@@ -3239,15 +4549,198 @@ interface(`fs_search_nfsd_fs',` # interface(`fs_list_nfsd_fs',` gen_require(` @@ -18802,7 +19218,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3255,35 +4747,35 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,35 +4748,35 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -18847,7 +19263,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3291,12 +4783,12 @@ interface(`fs_rw_nfsd_fs',` +@@ -3291,12 +4784,12 @@ interface(`fs_rw_nfsd_fs',` ## ## # 
@@ -18863,7 +19279,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -3392,7 +4884,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4885,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -18872,7 +19288,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3429,7 +4921,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4922,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -18881,7 +19297,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3447,7 +4939,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4940,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -18890,7 +19306,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3779,6 +5271,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5272,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -18915,7 +19331,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5325,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5326,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -18940,7 +19356,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5436,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5437,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -18949,7 +19365,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3916,17 +5444,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5445,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -18970,7 +19386,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3934,17 +5462,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5463,17 @@ interface(`fs_mounton_tmpfs',` ## ## # 
@@ -18991,7 +19407,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3952,17 +5480,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5481,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -19031,7 +19447,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -3970,31 +5517,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5518,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -19087,7 +19503,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -4057,23 +5621,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5622,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -19264,7 +19680,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4081,18 +5792,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5793,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -19287,7 +19703,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4100,54 +5811,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5812,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -19354,7 +19770,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4155,17 +5865,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5866,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -19376,7 +19792,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4173,17 +5884,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5885,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -19398,7 +19814,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4191,37 +5903,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5904,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -19444,7 +19860,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4229,18 +5940,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5941,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # 
@@ -19466,7 +19882,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4248,18 +5959,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5960,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -19490,7 +19906,7 @@ index 8416beb43..b5b7a0ae8 100644 ## ## ## -@@ -4267,32 +5979,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5980,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -19529,7 +19945,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -4407,6 +6118,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6119,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -19555,7 +19971,7 @@ index 8416beb43..b5b7a0ae8 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6233,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6234,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -19564,7 +19980,7 @@ index 8416beb43..b5b7a0ae8 100644 ') ######################################## -@@ -4549,7 +6281,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6282,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -19573,7 +19989,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6328,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6329,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -19600,7 +20016,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6423,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6424,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -19626,7 +20042,7 @@ index 8416beb43..b5b7a0ae8 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6683,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6684,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -27098,7 +27514,7 @@ index 9d2f31168..2d782e051 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 03061349c..bb5f3dd51 100644 +index 03061349c..e30703d3c 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` 
@@ -27182,7 +27598,15 @@ index 03061349c..bb5f3dd51 100644 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) -@@ -299,12 +311,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run +@@ -291,6 +303,7 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) + manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) + manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) + files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) ++allow postgresql_t postgresql_tmp_t:file map; + fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) + + manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) +@@ -299,12 +312,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) kernel_read_kernel_sysctls(postgresql_t) @@ -27196,7 +27620,7 @@ index 03061349c..bb5f3dd51 100644 corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -342,8 +354,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -342,8 +355,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) @@ -27206,7 +27630,7 @@ index 03061349c..bb5f3dd51 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,20 +365,28 @@ init_read_utmp(postgresql_t) +@@ -354,20 +366,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) 
@@ -27238,7 +27662,7 @@ index 03061349c..bb5f3dd51 100644 allow postgresql_t self:process execmem; ') -@@ -485,10 +504,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +505,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -27295,7 +27719,7 @@ index 03061349c..bb5f3dd51 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +597,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +598,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -27304,7 +27728,7 @@ index 03061349c..bb5f3dd51 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +650,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +651,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) @@ -41373,7 +41797,7 @@ index 6b917403e..772411608 100644 + +/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f22..842ce28c4 100644 +index 58bc27f22..90f567300 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -1,5 +1,41 @@ 
@@ -41609,7 +42033,7 @@ index 58bc27f22..842ce28c4 100644 + type lvm_var_run_t; + ') + -+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 lvm_var_run_t:fifo_file rw_fifo_file_perms; +') + +######################################## @@ -43812,7 +44236,7 @@ index d43f3b194..c5053dbbd 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 38220721d..0395f4810 100644 +index 38220721d..abac74231 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -44364,7 +44788,7 @@ index 38220721d..0395f4810 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1407,105 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1407,125 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -44453,6 +44877,26 @@ index 38220721d..0395f4810 100644 + read_lnk_files_pattern($1, semanage_store_t, semanage_store_t) +') + ++######################################## ++## ++## Dontaudit read selinux module store ++## module store. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_dontaudit_read_module_store',` ++ gen_require(` ++ type semanage_store_t; ++ ') ++ ++dontaudit $1 semanage_store_t:dir list_dir_perms; ++dontaudit $1 semanage_store_t:file read_file_perms; ++') ++ +####################################### +## +## Dontaudit access check on module store 
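Review bot: Replacing `rw_inherited_fifo_file_perms` with `rw_fifo_file_perms` on `lvm_var_run_t:fifo_file` (hunk `@@ -41609,7 +42033,7 @@`) adds `open`, so a caller can now open the FIFO under /var/run by path instead of only using a descriptor handed to it by lvm; that is a real widening, not a cosmetic rename. If some caller genuinely opens the FIFO itself, the interface summary, which is outside this hunk, should state it, e.g. `## Read and write (including open) lvm runtime FIFOs.`; otherwise the inherited variant was the tighter choice and should stay. The interface definition begins outside the hunk.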
@@ -44472,7 +44916,7 @@ index 38220721d..0395f4810 100644 ') ######################################## -@@ -1041,9 +1525,15 @@ interface(`seutil_manage_module_store',` +@@ -1041,9 +1545,15 @@ interface(`seutil_manage_module_store',` ') files_search_etc($1) @@ -44488,7 +44932,7 @@ index 38220721d..0395f4810 100644 ') ####################################### -@@ -1067,6 +1557,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1577,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## @@ -44513,7 +44957,7 @@ index 38220721d..0395f4810 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1645,121 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1665,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 62951782..b27035ab 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -108616,10 +108616,10 @@ index 000000000..a6e216c73 + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 000000000..4cc8557fc +index 000000000..681ec9f67 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,101 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -108646,7 +108646,7 @@ index 000000000..4cc8557fc +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; +allow targetd_t self:unix_dgram_socket create_socket_perms; -+allow targetd_t self:tcp_socket listen; ++allow targetd_t self:tcp_socket { accept listen }; +allow targetd_t self:netlink_route_socket r_netlink_socket_perms; +allow targetd_t self:process { setfscreate setsched }; + 
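Review bot: In `seutil_dontaudit_read_module_store` (hunk `@@ -1017,11 +1407,125 @@`) the two `dontaudit` rules are written at column 0 while every other interface body in this file is indented, and the summary reads `Dontaudit read selinux module store module store.`; indent both rules and collapse the summary to `## Do not audit attempts to read the SELinux module store.`. The parameter text `## Domain allowed access.` also does not fit a dontaudit interface; the others in this patch, such as `files_dontaudit_search_spool`, use `## Domain to not audit.`. The hunk began on the previous line.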
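Review bot: `files_rw_isid_type_dirs(targetd_t)` (hunk `@@ -108654,6 +108654,8 @@`) grants read/write on directories carrying the initial-SID file type, i.e. content the policy has not labelled (in refpolicy that is `file_t`, which I assume is also the case here), so it usually papers over a missing file context rather than describing what targetd needs. Prefer giving the directory targetd writes to a targetd-specific type in targetd.fc, or at least record why the broad grant is needed next to the call: `# TODO: label the directory targetd writes here instead of allowing unlabelled dirs`. Without that note the rule will outlive whatever labelling gap motivated it.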
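Review bot: `seutil_dontaudit_read_module_store(targetd_t)` (hunk `@@ -108685,6 +108689,8 @@`) silences denials permanently, so the reason targetd touches `semanage_store_t` should be recorded beside it; if, as I would guess, it is libselinux/libsemanage initialisation probing the store, a comment such as `# selinux library init probes the module store; access is not actually needed` makes the intent reviewable. Without it, a future genuine need for module-store access will fail with no audit record, since dontaudit removes the only evidence.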
@@ -108654,6 +108654,8 @@ index 000000000..4cc8557fc +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + ++files_rw_isid_type_dirs(targetd_t) ++ +fs_getattr_xattr_fs(targetd_t) +fs_manage_configfs_files(targetd_t) +fs_manage_configfs_lnk_files(targetd_t) @@ -108665,6 +108667,8 @@ index 000000000..4cc8557fc +kernel_read_system_state(targetd_t) +kernel_read_network_state(targetd_t) +kernel_load_module(targetd_t) ++kernel_request_load_module(targetd_t) ++kernel_dgram_send(targetd_t) + +rpc_read_exports(targetd_t) + @@ -108685,6 +108689,8 @@ index 000000000..4cc8557fc + +libs_exec_ldconfig(targetd_t) + ++seutil_dontaudit_read_module_store(targetd_t) ++ +storage_raw_read_fixed_disk(targetd_t) +storage_raw_read_removable_device(targetd_t) + @@ -108708,6 +108714,10 @@ index 000000000..4cc8557fc +') + +optional_policy(` ++ rpm_dontaudit_read_db(targetd_t) ++') ++ ++optional_policy(` + udev_read_pid_files(targetd_t) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index 8445df78..56debaba 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 275%{?dist} +Release: 276%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,9 @@ exit 0 %endif %changelog +* Sat Aug 26 2017 Lukas Vrabec - 3.13.1-276 +- Allow couple map rules + * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-275 - Make confined users working - Allow ipmievd_t domain to load kernel modules