* Tue Oct 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-295

- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)
- Allow fail2ban_t domain to mmap journals. BZ(1500089)
- Add dac_override to abrt_t domain BZ(1499860)
- Allow pppd domain to mmap own pid files BZ(1498587)
- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)
- Allow tlp domain to read sssd public files. Allow tlp domain to mmap kernel modules
- Allow systemd to read sysfs sym links. BZ(1499327)
- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)
- Make systemd_networkd_var_run as mountpoint BZ(1499862)
- Allow noatsecure for java-based unconfined services. BZ(1358476)
- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015)
Lukas Vrabec 2017-10-10 12:31:41 +02:00
parent f2424e7390
commit 2b83a4bd1d
4 changed files with 202 additions and 152 deletions



@ -37908,7 +37908,7 @@ index 79a45f62e..6ed0c399a 100644
+ allow $1 init_var_lib_t:dir search_dir_perms; + allow $1 init_var_lib_t:dir search_dir_perms;
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda2480..fa8d5f276 100644 index 17eda2480..cc1720cf2 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(` @@ -11,10 +11,31 @@ gen_require(`
@ -38089,7 +38089,7 @@ index 17eda2480..fa8d5f276 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms; allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file) dev_filetrans(init_t, initctl_t, fifo_file)
@@ -125,13 +213,28 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; @@ -125,13 +213,29 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t) kernel_read_system_state(init_t)
kernel_share_state(init_t) kernel_share_state(init_t)
@ -38107,6 +38107,7 @@ index 17eda2480..fa8d5f276 100644
+corenet_udp_bind_all_ports(init_t) +corenet_udp_bind_all_ports(init_t)
+ +
+dev_create_all_chr_files(init_t) +dev_create_all_chr_files(init_t)
+dev_list_sysfs(init_t)
+dev_manage_sysfs(init_t) +dev_manage_sysfs(init_t)
+dev_read_urand(init_t) +dev_read_urand(init_t)
+dev_read_raw_memory(init_t) +dev_read_raw_memory(init_t)
@ -38119,7 +38120,7 @@ index 17eda2480..fa8d5f276 100644
domain_getpgid_all_domains(init_t) domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t) domain_kill_all_domains(init_t)
@@ -139,45 +242,103 @@ domain_signal_all_domains(init_t) @@ -139,45 +243,103 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t) domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t) domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t) domain_sigchld_all_domains(init_t)
@ -38230,7 +38231,7 @@ index 17eda2480..fa8d5f276 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap }; allow init_t self:process { getcap setcap };
@@ -186,29 +347,293 @@ ifdef(`distro_gentoo',` @@ -186,29 +348,294 @@ ifdef(`distro_gentoo',`
') ')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@ -38451,6 +38452,7 @@ index 17eda2480..fa8d5f276 100644
+systemd_config_all_services(initrc_t) +systemd_config_all_services(initrc_t)
+systemd_read_unit_files(initrc_t) +systemd_read_unit_files(initrc_t)
+systemd_login_status(init_t) +systemd_login_status(init_t)
+systemd_map_networkd_exec_files(init_t)
+ +
+create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) +create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
+ +
@ -38533,7 +38535,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -216,7 +641,34 @@ optional_policy(` @@ -216,7 +643,35 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38566,10 +38568,11 @@ index 17eda2480..fa8d5f276 100644
+optional_policy(` +optional_policy(`
+ domain_named_filetrans(init_t) + domain_named_filetrans(init_t)
+ unconfined_server_domtrans(init_t) + unconfined_server_domtrans(init_t)
+ unconfined_server_noatsecure(init_t)
') ')
######################################## ########################################
@@ -225,9 +677,9 @@ optional_policy(` @@ -225,9 +680,9 @@ optional_policy(`
# #
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38581,7 +38584,7 @@ index 17eda2480..fa8d5f276 100644
allow initrc_t self:passwd rootok; allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms; allow initrc_t self:key manage_key_perms;
@@ -258,12 +710,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) @@ -258,12 +713,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms; allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file) files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38598,7 +38601,7 @@ index 17eda2480..fa8d5f276 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +735,36 @@ kernel_change_ring_buffer_level(initrc_t) @@ -279,23 +738,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t) kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t) kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t) kernel_read_all_sysctls(initrc_t)
@ -38641,7 +38644,7 @@ index 17eda2480..fa8d5f276 100644
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +772,11 @@ corenet_sendrecv_all_client_packets(initrc_t) @@ -303,9 +775,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)
@ -38653,7 +38656,7 @@ index 17eda2480..fa8d5f276 100644
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t) dev_read_framebuffer(initrc_t)
@@ -313,8 +784,10 @@ dev_write_framebuffer(initrc_t) @@ -313,8 +787,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t) dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t) dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
@ -38664,7 +38667,7 @@ index 17eda2480..fa8d5f276 100644
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
@@ -322,8 +795,7 @@ dev_manage_generic_files(initrc_t) @@ -322,8 +798,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
@ -38674,7 +38677,7 @@ index 17eda2480..fa8d5f276 100644
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)
@@ -332,7 +804,6 @@ domain_sigstop_all_domains(initrc_t) @@ -332,7 +807,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t) domain_getattr_all_domains(initrc_t)
@ -38682,7 +38685,7 @@ index 17eda2480..fa8d5f276 100644
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -340,6 +811,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -340,6 +814,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38690,7 +38693,7 @@ index 17eda2480..fa8d5f276 100644
files_getattr_all_dirs(initrc_t) files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
@@ -347,14 +819,15 @@ files_getattr_all_symlinks(initrc_t) @@ -347,14 +822,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -38708,7 +38711,7 @@ index 17eda2480..fa8d5f276 100644
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t) files_manage_generic_spool(initrc_t)
@@ -364,8 +837,12 @@ files_list_isid_type_dirs(initrc_t) @@ -364,8 +840,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
@ -38722,7 +38725,7 @@ index 17eda2480..fa8d5f276 100644
fs_list_inotifyfs(initrc_t) fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -375,10 +852,11 @@ fs_mount_all_fs(initrc_t) @@ -375,10 +855,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t) fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t) fs_getattr_all_fs(initrc_t)
@ -38736,7 +38739,7 @@ index 17eda2480..fa8d5f276 100644
mcs_process_set_categories(initrc_t) mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t) mls_file_read_all_levels(initrc_t)
@@ -387,8 +865,10 @@ mls_process_read_up(initrc_t) @@ -387,8 +868,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t) mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t) mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t) mls_fd_share_all_levels(initrc_t)
@ -38747,7 +38750,7 @@ index 17eda2480..fa8d5f276 100644
storage_getattr_fixed_disk_dev(initrc_t) storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +878,7 @@ term_use_all_terms(initrc_t) @@ -398,6 +881,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t) auth_rw_login_records(initrc_t)
@ -38755,7 +38758,7 @@ index 17eda2480..fa8d5f276 100644
auth_setattr_login_records(initrc_t) auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t) auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t) auth_read_pam_pid(initrc_t)
@@ -416,20 +897,18 @@ logging_read_all_logs(initrc_t) @@ -416,20 +900,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t) logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t) logging_read_audit_config(initrc_t)
@ -38779,7 +38782,7 @@ index 17eda2480..fa8d5f276 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +930,6 @@ ifdef(`distro_gentoo',` @@ -451,7 +933,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate; allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t) dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t) dev_create_zero_dev(initrc_t)
@ -38787,7 +38790,7 @@ index 17eda2480..fa8d5f276 100644
term_create_console_dev(initrc_t) term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks # unfortunately /sbin/rc does stupid tricks
@@ -486,6 +964,10 @@ ifdef(`distro_gentoo',` @@ -486,6 +967,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t) sysnet_setattr_config(initrc_t)
optional_policy(` optional_policy(`
@ -38798,7 +38801,7 @@ index 17eda2480..fa8d5f276 100644
alsa_read_lib(initrc_t) alsa_read_lib(initrc_t)
') ')
@@ -506,7 +988,7 @@ ifdef(`distro_redhat',` @@ -506,7 +991,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -38807,7 +38810,7 @@ index 17eda2480..fa8d5f276 100644
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd # These seem to be from the initrd
@@ -521,6 +1003,7 @@ ifdef(`distro_redhat',` @@ -521,6 +1006,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t) files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
@ -38815,7 +38818,7 @@ index 17eda2480..fa8d5f276 100644
# wants to read /.fonts directory # wants to read /.fonts directory
files_read_default_files(initrc_t) files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t) files_mountpoint(initrc_tmp_t)
@@ -541,6 +1024,7 @@ ifdef(`distro_redhat',` @@ -541,6 +1027,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t) miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t) miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t) miscfiles_relabel_localization(initrc_t)
@ -38823,7 +38826,7 @@ index 17eda2480..fa8d5f276 100644
miscfiles_read_fonts(initrc_t) miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t) miscfiles_read_hwdata(initrc_t)
@@ -550,8 +1034,44 @@ ifdef(`distro_redhat',` @@ -550,8 +1037,44 @@ ifdef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -38868,7 +38871,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -559,14 +1079,31 @@ ifdef(`distro_redhat',` @@ -559,14 +1082,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t) rpc_manage_nfs_state_data(initrc_t)
') ')
@ -38900,7 +38903,7 @@ index 17eda2480..fa8d5f276 100644
') ')
') ')
@@ -577,6 +1114,39 @@ ifdef(`distro_suse',` @@ -577,6 +1117,39 @@ ifdef(`distro_suse',`
') ')
') ')
@ -38940,7 +38943,7 @@ index 17eda2480..fa8d5f276 100644
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1159,8 @@ optional_policy(` @@ -589,6 +1162,8 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(initrc_t) apache_read_config(initrc_t)
apache_list_modules(initrc_t) apache_list_modules(initrc_t)
@ -38949,7 +38952,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -610,6 +1182,7 @@ optional_policy(` @@ -610,6 +1185,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cgroup_stream_connect_cgred(initrc_t) cgroup_stream_connect_cgred(initrc_t)
@ -38957,7 +38960,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -626,6 +1199,17 @@ optional_policy(` @@ -626,6 +1202,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38975,7 +38978,7 @@ index 17eda2480..fa8d5f276 100644
dev_getattr_printer_dev(initrc_t) dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t) cups_read_log(initrc_t)
@@ -642,9 +1226,13 @@ optional_policy(` @@ -642,9 +1229,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -38989,7 +38992,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -657,15 +1245,11 @@ optional_policy(` @@ -657,15 +1248,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39007,7 +39010,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -686,6 +1270,15 @@ optional_policy(` @@ -686,6 +1273,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39023,7 +39026,7 @@ index 17eda2480..fa8d5f276 100644
inn_exec_config(initrc_t) inn_exec_config(initrc_t)
') ')
@@ -726,6 +1319,7 @@ optional_policy(` @@ -726,6 +1322,7 @@ optional_policy(`
lpd_list_spool(initrc_t) lpd_list_spool(initrc_t)
lpd_read_config(initrc_t) lpd_read_config(initrc_t)
@ -39031,7 +39034,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -743,7 +1337,13 @@ optional_policy(` @@ -743,7 +1340,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39046,7 +39049,7 @@ index 17eda2480..fa8d5f276 100644
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@@ -766,6 +1366,10 @@ optional_policy(` @@ -766,6 +1369,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39057,7 +39060,7 @@ index 17eda2480..fa8d5f276 100644
postgresql_manage_db(initrc_t) postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t) postgresql_read_config(initrc_t)
') ')
@@ -775,10 +1379,20 @@ optional_policy(` @@ -775,10 +1382,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39078,7 +39081,7 @@ index 17eda2480..fa8d5f276 100644
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')
@@ -787,6 +1401,10 @@ optional_policy(` @@ -787,6 +1404,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39089,7 +39092,7 @@ index 17eda2480..fa8d5f276 100644
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -808,8 +1426,6 @@ optional_policy(` @@ -808,8 +1429,6 @@ optional_policy(`
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -39098,7 +39101,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -818,6 +1434,10 @@ optional_policy(` @@ -818,6 +1437,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39109,7 +39112,7 @@ index 17eda2480..fa8d5f276 100644
# shorewall-init script run /var/lib/shorewall/firewall # shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t) shorewall_lib_domtrans(initrc_t)
') ')
@@ -827,10 +1447,12 @@ optional_policy(` @@ -827,10 +1450,12 @@ optional_policy(`
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -39122,7 +39125,7 @@ index 17eda2480..fa8d5f276 100644
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1479,62 @@ optional_policy(` @@ -857,21 +1482,62 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39186,7 +39189,7 @@ index 17eda2480..fa8d5f276 100644
') ')
optional_policy(` optional_policy(`
@@ -887,6 +1550,10 @@ optional_policy(` @@ -887,6 +1553,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39197,7 +39200,7 @@ index 17eda2480..fa8d5f276 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1564,218 @@ optional_policy(` @@ -897,3 +1567,218 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -47755,7 +47758,7 @@ index 2cea692c0..853ddefe4 100644
+ files_pid_filetrans($1, net_conf_t, dir, "cloud-init") + files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
+') +')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4bc..d29b7f6fb 100644 index a392fc4bc..a61ba7d4e 100644
--- a/policy/modules/system/sysnetwork.te --- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -47821,7 +47824,7 @@ index a392fc4bc..d29b7f6fb 100644
+ +
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file relabel_file_perms; +allow dhcpc_t dhcpc_state_t:file { map relabel_file_perms };
# create pid file # create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@ -48270,10 +48273,10 @@ index 000000000..121b42208
+/var/run/initramfs(/.*)? <<none>> +/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644 new file mode 100644
index 000000000..634d9596a index 000000000..5871e072d
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1862 @@ @@ -0,0 +1,1880 @@
+## <summary>SELinux policy for systemd components</summary> +## <summary>SELinux policy for systemd components</summary>
+ +
+###################################### +######################################
@ -50136,12 +50139,30 @@ index 000000000..634d9596a
+ files_type($1) + files_type($1)
+ typeattribute $1 systemd_mount_directory; + typeattribute $1 systemd_mount_directory;
+') +')
+
+########################################
+## <summary>
+## Mmap systemd_networkd_exec_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_map_networkd_exec_files',`
+ gen_require(`
+ type systemd_networkd_exec_t;
+ ')
+
+ allow $1 systemd_networkd_exec_t:file map;
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 000000000..e83a61cca index 000000000..e944cee17
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1027 @@ @@ -0,0 +1,1029 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -50195,6 +50216,7 @@ index 000000000..e83a61cca
+ +
+type systemd_networkd_var_run_t; +type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t) +files_pid_file(systemd_networkd_var_run_t)
+files_mountpoint(systemd_networkd_var_run_t)
+ +
+systemd_domain_template(systemd_initctl) +systemd_domain_template(systemd_initctl)
+ +
@ -51138,6 +51160,7 @@ index 000000000..e83a61cca
+ +
+dev_read_sysfs(systemd_modules_load_t) +dev_read_sysfs(systemd_modules_load_t)
+ +
+files_map_kernel_modules(systemd_modules_load_t)
+files_read_kernel_modules(systemd_modules_load_t) +files_read_kernel_modules(systemd_modules_load_t)
+modutils_read_module_config(systemd_modules_load_t) +modutils_read_module_config(systemd_modules_load_t)
+ +
@ -51768,7 +51791,7 @@ index 0abaf8432..8b34dbc09 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-') -')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 5ca20a97d..5454d1668 100644 index 5ca20a97d..43bb011b3 100644
--- a/policy/modules/system/unconfined.if --- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@ @@ -12,53 +12,57 @@
@ -51880,7 +51903,7 @@ index 5ca20a97d..5454d1668 100644
') ')
######################################## ########################################
@@ -175,343 +185,12 @@ interface(`unconfined_alias_domain',` @@ -175,258 +185,12 @@ interface(`unconfined_alias_domain',`
## </param> ## </param>
# #
interface(`unconfined_execmem_alias_program',` interface(`unconfined_execmem_alias_program',`
@ -52131,18 +52154,20 @@ index 5ca20a97d..5454d1668 100644
- ') - ')
- -
- dontaudit $1 unconfined_t:fifo_file read; - dontaudit $1 unconfined_t:fifo_file read;
-') + refpolicywarn(`$0() has been deprecated.')
- ')
-########################################
-## <summary> ########################################
## <summary>
-## Read and write unconfined domain unnamed pipes. -## Read and write unconfined domain unnamed pipes.
-## </summary> +## Connect to unconfined_server with a unix socket.
-## <param name="domain"> ## </summary>
-## <summary> ## <param name="domain">
-## Domain allowed access. ## <summary>
-## </summary> @@ -434,84 +198,19 @@ interface(`unconfined_dontaudit_read_pipes',`
-## </param> ## </summary>
-# ## </param>
#
-interface(`unconfined_rw_pipes',` -interface(`unconfined_rw_pipes',`
- gen_require(` - gen_require(`
- type unconfined_t; - type unconfined_t;
@ -52211,12 +52236,16 @@ index 5ca20a97d..5454d1668 100644
-## </param> -## </param>
-# -#
-interface(`unconfined_dontaudit_rw_tcp_sockets',` -interface(`unconfined_dontaudit_rw_tcp_sockets',`
- gen_require(` +interface(`unconfined_server_stream_connect',`
gen_require(`
- type unconfined_t; - type unconfined_t;
- ') + type unconfined_service_t;
- ')
- dontaudit $1 unconfined_t:tcp_socket { read write }; - dontaudit $1 unconfined_t:tcp_socket { read write };
+ refpolicywarn(`$0() has been deprecated.') + files_search_pids($1)
+ files_write_generic_pid_pipes($1)
+ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
') ')
######################################## ########################################
@ -52226,59 +52255,33 @@ index 5ca20a97d..5454d1668 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -519,17 +198,19 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',` @@ -519,17 +218,17 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`unconfined_create_keys',` -interface(`unconfined_create_keys',`
+interface(`unconfined_server_stream_connect',` +interface(`unconfined_server_domtrans',`
gen_require(` gen_require(`
- type unconfined_t; - type unconfined_t;
+ type unconfined_service_t; + type unconfined_service_t;
') ')
- allow $1 unconfined_t:key create; - allow $1 unconfined_t:key create;
+ files_search_pids($1)
+ files_write_generic_pid_pipes($1)
+ allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
')
########################################
## <summary>
-## Send messages to the unconfined domain over dbus.
+## Connect to unconfined_server with a unix socket.
## </summary>
## <param name="domain">
## <summary>
@@ -537,19 +218,17 @@ interface(`unconfined_create_keys',`
## </summary>
## </param>
#
-interface(`unconfined_dbus_send',`
+interface(`unconfined_server_domtrans',`
gen_require(`
- type unconfined_t;
- class dbus send_msg;
+ type unconfined_service_t;
')
- allow $1 unconfined_t:dbus send_msg;
+ corecmd_bin_domtrans($1, unconfined_service_t) + corecmd_bin_domtrans($1, unconfined_service_t)
') ')
######################################## ########################################
## <summary> ## <summary>
-## Send and receive messages from -## Send messages to the unconfined domain over dbus.
-## unconfined_t over dbus.
+## Allow caller domain to dbus chat unconfined_server. +## Allow caller domain to dbus chat unconfined_server.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -557,20 +236,19 @@ interface(`unconfined_dbus_send',` @@ -537,19 +236,19 @@ interface(`unconfined_create_keys',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`unconfined_dbus_chat',` -interface(`unconfined_dbus_send',`
+interface(`unconfined_server_dbus_chat',` +interface(`unconfined_server_dbus_chat',`
gen_require(` gen_require(`
- type unconfined_t; - type unconfined_t;
@ -52288,25 +52291,49 @@ index 5ca20a97d..5454d1668 100644
') ')
- allow $1 unconfined_t:dbus send_msg; - allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
+ allow $1 unconfined_service_t:dbus send_msg; + allow $1 unconfined_service_t:dbus send_msg;
+ allow unconfined_service_t $1:dbus send_msg; + allow unconfined_service_t $1:dbus send_msg;
') ')
######################################## ########################################
## <summary> ## <summary>
-## Connect to the the unconfined DBUS -## Send and receive messages from
-## for service (acquire_svc). -## unconfined_t over dbus.
+## Send signull to unconfined_service_t. +## Send signull to unconfined_service_t.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -578,11 +256,10 @@ interface(`unconfined_dbus_chat',` @@ -557,20 +256,17 @@ interface(`unconfined_dbus_send',`
## </summary>
## </param>
#
-interface(`unconfined_dbus_chat',`
+interface(`unconfined_server_signull',`
gen_require(`
- type unconfined_t;
- class dbus send_msg;
+ type unconfined_service_t;
')
- allow $1 unconfined_t:dbus send_msg;
- allow unconfined_t $1:dbus send_msg;
+ allow $1 unconfined_service_t:process signull;
')
########################################
## <summary>
-## Connect to the the unconfined DBUS
-## for service (acquire_svc).
+## Allow noatsecure.
## </summary>
## <param name="domain">
## <summary>
@@ -578,11 +274,10 @@ interface(`unconfined_dbus_chat',`
## </summary> ## </summary>
## </param> ## </param>
# #
-interface(`unconfined_dbus_connect',` -interface(`unconfined_dbus_connect',`
+interface(`unconfined_server_signull',` +interface(`unconfined_server_noatsecure',`
gen_require(` gen_require(`
- type unconfined_t; - type unconfined_t;
- class dbus acquire_svc; - class dbus acquire_svc;
@ -52314,7 +52341,7 @@ index 5ca20a97d..5454d1668 100644
') ')
- allow $1 unconfined_t:dbus acquire_svc; - allow $1 unconfined_t:dbus acquire_svc;
+ allow $1 unconfined_service_t:process signull; + allow $1 unconfined_service_t:process { noatsecure };
') ')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902db3..0a7c3bb00 100644 index 5fe902db3..0a7c3bb00 100644
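Review bot: The new `unconfined_server_noatsecure` interface in the unconfined.if hunk at `@@ -578,11 +274,10 @@` carries only the summary `## Allow noatsecure.`, which does not tell a policy reader what is being relaxed by `allow $1 unconfined_service_t:process { noatsecure };`. The `noatsecure` process permission lets the caller transition into unconfined_service_t without the kernel flagging the exec as secure (AT_SECURE), so the environment-driven loader behaviour that a secure exec would normally suppress stays in effect for the new process; the summary should state that, e.g. `## Allow the caller to transition to unconfined_service_t without AT_SECURE, so the new process keeps its caller-supplied environment (needed by java-based unconfined services, BZ 1358476).` The contrib patch adds the same permission for httpd_t at `allow $1 httpd_t:process { noatsecure };`, and presumably the same wording would help there. The call site `unconfined_server_noatsecure(init_t)` in the init.te hunk at `@@ -216,7 +643,35 @@` sits inside an `optional_policy` block whose opening is outside the visible lines, so I cannot confirm which module guards it.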


@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
+') +')
+ +
diff --git a/abrt.te b/abrt.te diff --git a/abrt.te b/abrt.te
index eb50f070f..aa5b1112e 100644 index eb50f070f..64589c601 100644
--- a/abrt.te --- a/abrt.te
+++ b/abrt.te +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -718,7 +718,7 @@ index eb50f070f..aa5b1112e 100644
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio; -dontaudit abrt_t self:capability sys_rawio;
+allow abrt_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; +allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; +dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+ +
@ -5615,7 +5615,7 @@ index f6eb4851f..3628a384f 100644
+ allow $1 httpd_t:process { noatsecure }; + allow $1 httpd_t:process { noatsecure };
') ')
diff --git a/apache.te b/apache.te diff --git a/apache.te b/apache.te
index 6649962b6..721dab24b 100644 index 6649962b6..513f68674 100644
--- a/apache.te --- a/apache.te
+++ b/apache.te +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6303,7 +6303,7 @@ index 6649962b6..721dab24b 100644
logging_log_filetrans(httpd_t, httpd_log_t, file) logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms; allow httpd_t httpd_modules_t:dir list_dir_perms;
@@ -412,13 +524,20 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -412,13 +524,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -6322,10 +6322,11 @@ index 6649962b6..721dab24b 100644
+allow httpd_t httpd_sys_content_t:dir list_dir_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms;
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
+allow httpd_t httpd_sys_content_t:file map;
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
@@ -438,6 +557,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi @@ -438,6 +558,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
@ -6333,7 +6334,7 @@ index 6649962b6..721dab24b 100644
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
@@ -450,140 +570,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -450,140 +571,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@ -6576,7 +6577,7 @@ index 6649962b6..721dab24b 100644
') ')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
@@ -594,28 +752,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` @@ -594,28 +753,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t) fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
') ')
@ -6636,7 +6637,7 @@ index 6649962b6..721dab24b 100644
') ')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -624,68 +805,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t) fs_read_nfs_symlinks(httpd_t)
') ')
@ -6739,7 +6740,7 @@ index 6649962b6..721dab24b 100644
') ')
tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_setrlimit',`
@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',` @@ -695,49 +864,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',` tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6820,7 +6821,7 @@ index 6649962b6..721dab24b 100644
') ')
optional_policy(` optional_policy(`
@@ -749,24 +916,32 @@ optional_policy(` @@ -749,24 +917,32 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6859,7 +6860,7 @@ index 6649962b6..721dab24b 100644
') ')
optional_policy(` optional_policy(`
@@ -775,6 +950,10 @@ optional_policy(` @@ -775,6 +951,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',` tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t) avahi_dbus_chat(httpd_t)
') ')
@ -6870,7 +6871,7 @@ index 6649962b6..721dab24b 100644
') ')
optional_policy(` optional_policy(`
@@ -786,35 +965,62 @@ optional_policy(` @@ -786,35 +966,62 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6946,7 +6947,7 @@ index 6649962b6..721dab24b 100644
tunable_policy(`httpd_manage_ipa',` tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t) memcached_manage_pid_files(httpd_t)
@@ -822,8 +1028,31 @@ optional_policy(` @@ -822,8 +1029,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6978,7 +6979,7 @@ index 6649962b6..721dab24b 100644
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t) mysql_tcp_connect(httpd_t)
@@ -832,6 +1061,8 @@ optional_policy(` @@ -832,6 +1062,8 @@ optional_policy(`
optional_policy(` optional_policy(`
nagios_read_config(httpd_t) nagios_read_config(httpd_t)
@ -6987,7 +6988,7 @@ index 6649962b6..721dab24b 100644
') ')
optional_policy(` optional_policy(`
@@ -842,20 +1073,48 @@ optional_policy(` @@ -842,20 +1074,48 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -7042,7 +7043,7 @@ index 6649962b6..721dab24b 100644
') ')
optional_policy(` optional_policy(`
@@ -863,16 +1122,31 @@ optional_policy(` @@ -863,16 +1123,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -7076,7 +7077,7 @@ index 6649962b6..721dab24b 100644
') ')
optional_policy(` optional_policy(`
@@ -883,65 +1157,189 @@ optional_policy(` @@ -883,65 +1158,189 @@ optional_policy(`
yam_read_content(httpd_t) yam_read_content(httpd_t)
') ')
@ -7288,7 +7289,7 @@ index 6649962b6..721dab24b 100644
files_dontaudit_search_pids(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t) files_search_home(httpd_suexec_t)
@@ -950,123 +1348,75 @@ auth_use_nsswitch(httpd_suexec_t) @@ -950,123 +1349,75 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t) logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t)
@ -7442,7 +7443,7 @@ index 6649962b6..721dab24b 100644
mysql_read_config(httpd_suexec_t) mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1433,107 @@ optional_policy(` @@ -1083,172 +1434,107 @@ optional_policy(`
') ')
') ')
@ -7680,7 +7681,7 @@ index 6649962b6..721dab24b 100644
') ')
tunable_policy(`httpd_read_user_content',` tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1541,74 @@ tunable_policy(`httpd_read_user_content',` @@ -1256,64 +1542,74 @@ tunable_policy(`httpd_read_user_content',`
') ')
tunable_policy(`httpd_use_cifs',` tunable_policy(`httpd_use_cifs',`
@ -7778,7 +7779,7 @@ index 6649962b6..721dab24b 100644
######################################## ########################################
# #
@@ -1321,8 +1616,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) @@ -1321,8 +1617,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
# #
optional_policy(` optional_policy(`
@ -7795,7 +7796,7 @@ index 6649962b6..721dab24b 100644
') ')
######################################## ########################################
@@ -1330,49 +1632,41 @@ optional_policy(` @@ -1330,49 +1633,41 @@ optional_policy(`
# User content local policy # User content local policy
# #
@ -7862,7 +7863,7 @@ index 6649962b6..721dab24b 100644
kernel_read_system_state(httpd_passwd_t) kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1676,109 @@ dev_read_urand(httpd_passwd_t) @@ -1382,38 +1677,109 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t)
@ -11061,7 +11062,7 @@ index 02fefaaf7..308616e8d 100644
+ ') + ')
') ')
diff --git a/boinc.te b/boinc.te diff --git a/boinc.te b/boinc.te
index 687d4c48d..ff5713723 100644 index 687d4c48d..7ee6d41fd 100644
--- a/boinc.te --- a/boinc.te
+++ b/boinc.te +++ b/boinc.te
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -11162,7 +11163,7 @@ index 687d4c48d..ff5713723 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -61,84 +103,62 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) @@ -61,84 +103,63 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@ -11186,6 +11187,7 @@ index 687d4c48d..ff5713723 100644
-logging_log_filetrans(boinc_t, boinc_log_t, file) -logging_log_filetrans(boinc_t, boinc_log_t, file)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+allow boinc_t boinc_project_var_lib_t:file map;
-can_exec(boinc_t, boinc_var_lib_t) -can_exec(boinc_t, boinc_var_lib_t)
- -
@ -11275,7 +11277,7 @@ index 687d4c48d..ff5713723 100644
tunable_policy(`boinc_execmem',` tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem }; allow boinc_t self:process { execstack execmem };
@@ -148,48 +168,69 @@ optional_policy(` @@ -148,48 +169,69 @@ optional_policy(`
mta_send_mail(boinc_t) mta_send_mail(boinc_t)
') ')
@ -29249,7 +29251,7 @@ index 50d0084d4..94e193606 100644
fail2ban_run_client($1, $2) fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te diff --git a/fail2ban.te b/fail2ban.te
index cf0e56772..839025a07 100644 index cf0e56772..040e11be6 100644
--- a/fail2ban.te --- a/fail2ban.te
+++ b/fail2ban.te +++ b/fail2ban.te
@@ -36,8 +36,8 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -36,8 +36,8 @@ role fail2ban_client_roles types fail2ban_client_t;
@ -29279,7 +29281,7 @@ index cf0e56772..839025a07 100644
files_list_var(fail2ban_t) files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t)
@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t) @@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t)
auth_use_nsswitch(fail2ban_t) auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t) logging_read_all_logs(fail2ban_t)
@ -29287,6 +29289,7 @@ index cf0e56772..839025a07 100644
logging_send_syslog_msg(fail2ban_t) logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t) +logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t) +logging_dontaudit_search_audit_logs(fail2ban_t)
+logging_mmap_generic_logs(fail2ban_t)
-miscfiles_read_localization(fail2ban_t) -miscfiles_read_localization(fail2ban_t)
+mta_send_mail(fail2ban_t) +mta_send_mail(fail2ban_t)
@ -29321,7 +29324,7 @@ index cf0e56772..839025a07 100644
iptables_domtrans(fail2ban_t) iptables_domtrans(fail2ban_t)
') ')
@@ -118,6 +129,10 @@ optional_policy(` @@ -118,6 +130,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -29332,7 +29335,7 @@ index cf0e56772..839025a07 100644
shorewall_domtrans(fail2ban_t) shorewall_domtrans(fail2ban_t)
') ')
@@ -126,27 +141,37 @@ optional_policy(` @@ -126,27 +142,37 @@ optional_policy(`
# Client Local policy # Client Local policy
# #
@ -78567,7 +78570,7 @@ index cd8b8b9cb..2cfa88a2d 100644
+ allow $1 pppd_unit_file_t:service all_service_perms; + allow $1 pppd_unit_file_t:service all_service_perms;
') ')
diff --git a/ppp.te b/ppp.te diff --git a/ppp.te b/ppp.te
index d616ca3e3..0ad15efea 100644 index d616ca3e3..25b69407a 100644
--- a/ppp.te --- a/ppp.te
+++ b/ppp.te +++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@ -78637,7 +78640,7 @@ index d616ca3e3..0ad15efea 100644
type pptp_log_t; type pptp_log_t;
logging_log_file(pptp_log_t) logging_log_file(pptp_log_t)
@@ -67,54 +74,59 @@ logging_log_file(pptp_log_t) @@ -67,54 +74,60 @@ logging_log_file(pptp_log_t)
type pptp_var_run_t; type pptp_var_run_t;
files_pid_file(pptp_var_run_t) files_pid_file(pptp_var_run_t)
@ -78703,6 +78706,7 @@ index d616ca3e3..0ad15efea 100644
-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) -domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
+manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) +manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
+files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file }) +files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file })
+allow pppd_t pppd_var_run_t:file map;
allow pppd_t pptp_t:process signal; allow pppd_t pptp_t:process signal;
@ -78715,7 +78719,7 @@ index d616ca3e3..0ad15efea 100644
kernel_read_kernel_sysctls(pppd_t) kernel_read_kernel_sysctls(pppd_t)
kernel_read_system_state(pppd_t) kernel_read_system_state(pppd_t)
kernel_rw_net_sysctls(pppd_t) kernel_rw_net_sysctls(pppd_t)
@@ -122,10 +134,10 @@ kernel_read_network_state(pppd_t) @@ -122,10 +135,10 @@ kernel_read_network_state(pppd_t)
kernel_request_load_module(pppd_t) kernel_request_load_module(pppd_t)
dev_read_urand(pppd_t) dev_read_urand(pppd_t)
@ -78727,7 +78731,7 @@ index d616ca3e3..0ad15efea 100644
corenet_all_recvfrom_netlabel(pppd_t) corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t) corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t) corenet_raw_sendrecv_generic_if(pppd_t)
@@ -135,9 +147,22 @@ corenet_raw_sendrecv_generic_node(pppd_t) @@ -135,9 +148,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
corenet_udp_sendrecv_generic_node(pppd_t) corenet_udp_sendrecv_generic_node(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t) corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t) corenet_udp_sendrecv_all_ports(pppd_t)
@ -78751,7 +78755,7 @@ index d616ca3e3..0ad15efea 100644
corecmd_exec_bin(pppd_t) corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t) corecmd_exec_shell(pppd_t)
@@ -147,36 +172,31 @@ files_exec_etc_files(pppd_t) @@ -147,36 +173,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t) files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t) files_dontaudit_write_etc_files(pppd_t)
@ -78797,7 +78801,7 @@ index d616ca3e3..0ad15efea 100644
optional_policy(` optional_policy(`
ddclient_run(pppd_t, pppd_roles) ddclient_run(pppd_t, pppd_roles)
@@ -186,11 +206,13 @@ optional_policy(` @@ -186,11 +207,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t) l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t) l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t) l2tpd_stream_connect(pppd_t)
@ -78812,7 +78816,7 @@ index d616ca3e3..0ad15efea 100644
') ')
') ')
@@ -216,18 +238,26 @@ optional_policy(` @@ -216,18 +239,26 @@ optional_policy(`
udev_read_db(pppd_t) udev_read_db(pppd_t)
') ')
@ -78843,7 +78847,7 @@ index d616ca3e3..0ad15efea 100644
allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms; allow pptp_t pppd_etc_t:file read_file_perms;
@@ -236,45 +266,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; @@ -236,45 +267,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@ -78903,7 +78907,7 @@ index d616ca3e3..0ad15efea 100644
fs_getattr_all_fs(pptp_t) fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t) fs_search_auto_mountpoints(pptp_t)
@@ -282,12 +313,12 @@ term_ioctl_generic_ptys(pptp_t) @@ -282,12 +314,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t) term_search_ptys(pptp_t)
term_use_ptmx(pptp_t) term_use_ptmx(pptp_t)
@ -78918,7 +78922,7 @@ index d616ca3e3..0ad15efea 100644
sysnet_exec_ifconfig(pptp_t) sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t)
@@ -299,6 +330,10 @@ optional_policy(` @@ -299,6 +331,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -103395,7 +103399,7 @@ index e0644b5cf..ea347ccd5 100644
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r; role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te diff --git a/smartmon.te b/smartmon.te
index 9cf6582d2..730889136 100644 index 9cf6582d2..d0be162c8 100644
--- a/smartmon.te --- a/smartmon.te
+++ b/smartmon.te +++ b/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',` @@ -38,7 +38,7 @@ ifdef(`enable_mls',`
@ -103407,8 +103411,12 @@ index 9cf6582d2..730889136 100644
dontaudit fsdaemon_t self:capability sys_tty_config; dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms; allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) @@ -58,23 +58,31 @@ kernel_read_network_state(fsdaemon_t)
kernel_read_software_raid_state(fsdaemon_t)
kernel_read_system_state(fsdaemon_t)
+auth_use_nsswitch(fsdaemon_t)
+
corecmd_exec_all_executables(fsdaemon_t) corecmd_exec_all_executables(fsdaemon_t)
+corenet_all_recvfrom_netlabel(fsdaemon_t) +corenet_all_recvfrom_netlabel(fsdaemon_t)
@ -103437,7 +103445,7 @@ index 9cf6582d2..730889136 100644
storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t)
@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t) @@ -83,7 +91,9 @@ storage_write_scsi_generic(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t) term_dontaudit_search_ptys(fsdaemon_t)
@ -103448,7 +103456,7 @@ index 9cf6582d2..730889136 100644
init_read_utmp(fsdaemon_t) init_read_utmp(fsdaemon_t)
@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t) @@ -92,12 +102,13 @@ libs_exec_lib_files(fsdaemon_t)
logging_send_syslog_msg(fsdaemon_t) logging_send_syslog_msg(fsdaemon_t)
@ -103463,7 +103471,7 @@ index 9cf6582d2..730889136 100644
tunable_policy(`smartmon_3ware',` tunable_policy(`smartmon_3ware',`
allow fsdaemon_t self:process setfscreate; allow fsdaemon_t self:process setfscreate;
@@ -116,9 +125,9 @@ optional_policy(` @@ -116,9 +127,9 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -111773,10 +111781,10 @@ index 000000000..368e18842
+') +')
diff --git a/tlp.te b/tlp.te diff --git a/tlp.te b/tlp.te
new file mode 100644 new file mode 100644
index 000000000..1ef713150 index 000000000..5185a9e8e
--- /dev/null --- /dev/null
+++ b/tlp.te +++ b/tlp.te
@@ -0,0 +1,84 @@ @@ -0,0 +1,86 @@
+policy_module(tlp, 1.0.0) +policy_module(tlp, 1.0.0)
+ +
+######################################## +########################################
@ -111833,6 +111841,7 @@ index 000000000..1ef713150
+dev_rw_wireless(tlp_t) +dev_rw_wireless(tlp_t)
+ +
+files_read_kernel_modules(tlp_t) +files_read_kernel_modules(tlp_t)
+files_map_kernel_modules(tlp_t)
+files_load_kernel_modules(tlp_t) +files_load_kernel_modules(tlp_t)
+ +
+modutils_exec_insmod(tlp_t) +modutils_exec_insmod(tlp_t)
@ -111859,6 +111868,7 @@ index 000000000..1ef713150
+') +')
+ +
+optional_policy(` +optional_policy(`
+ sssd_read_public_files(tlp_t)
+ sssd_stream_connect(tlp_t) + sssd_stream_connect(tlp_t)
+') +')
diff --git a/tmpreaper.te b/tmpreaper.te diff --git a/tmpreaper.te b/tmpreaper.te
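Review bot: The `dac_override` bit added to `allow abrt_t self:capability { ... }` in the abrt.te hunk lets abrtd open any file for writing or execution regardless of DAC ownership and mode bits, a much wider grant than the `dac_read_search` the domain already carries on the same line for reading root-owned paths. Nothing in the hunk records which access in BZ(1499860) was denied; if it was a read or directory search, `dac_read_search` already covers it and the new bit is unnecessary, and if it was a write to a specific path, a dedicated type plus filetrans rule for that path would avoid handing out the capability at all. A comment naming the triggering access next to the rule, e.g. `# dac_override: needed for <operation/path from BZ 1499860>`, would let a later audit check whether it is still required. Note also that `sys_ptrace` appears in both the allow set and the adjacent `dontaudit` set; that predates this commit but is worth tidying while the line is being touched.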


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 294%{?dist} Release: 295%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -678,6 +678,19 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Oct 10 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-295
- Allow boinc_t to mmap files with label boinc_project_var_lib_t BZ(1500088)
- Allow fail2ban_t domain to mmap journals. BZ(1500089)
- Add dac_override to abrt_t domain BZ(1499860)
- Allow pppd domain to mmap own pid files BZ(1498587)
- Allow webserver services to mmap files with label httpd_sys_content_t BZ(1498451)
- Allow tlp domain to read sssd public files Allow tlp domain to mmap kernel modules
- Allow systemd to read sysfs sym links. BZ(1499327)
- Allow systemd to mmap systemd_networkd_exec_t files BZ(1499863)
- Make systemd_networkd_var_run as mountpoint BZ(1499862)
- Allow noatsecure for java-based unconfined services. BZ(1358476)
- Allow systemd_modules_load_t domain to mmap kernel modules. BZ(1490015)
* Mon Oct 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-294 * Mon Oct 09 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-294
- Allow cloud-init to create content in /var/run/cloud-init - Allow cloud-init to create content in /var/run/cloud-init
- Dontaudit VM to read gnome-boxes process data BZ(1415975) - Dontaudit VM to read gnome-boxes process data BZ(1415975)