From 368fb803a8351a5b4b7d4f0c3814798fc0ab28e7 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 17 Jan 2014 16:40:25 +0100 Subject: [PATCH] See spec file --- modules-targeted-contrib.conf | 14 + policy-rawhide-base.patch | 681 +++++++++++++++------ policy-rawhide-contrib.patch | 1061 ++++++++++++++++++++++++--------- selinux-policy.spec | 57 +- 4 files changed, 1357 insertions(+), 456 deletions(-) diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index aa1b9649..4c7f533a 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2457,3 +2457,17 @@ ipa = module # mirrormanager policy # mirrormanager = module + +# Layer: contrib +# Module: snapper +# +# snapper policy +# +snapper = module + +# Layer: contrib +# Module: pcp +# +# pcp policy +# +pcp = module diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5a49e8ce..400398ac 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..9647c14 100644 +index 1d732f1..e0fc276 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -2921,7 +2921,7 @@ index 1d732f1..9647c14 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +509,27 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +509,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -2937,6 +2937,7 @@ index 1d732f1..9647c14 100644 files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) +files_manage_etc_files(useradd_t) ++files_create_var_lib_dirs(useradd_t) +files_rw_var_lib_dirs(useradd_t) fs_search_auto_mountpoints(useradd_t) 
@@ -2960,7 +2961,7 @@ index 1d732f1..9647c14 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +537,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +538,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -2968,7 +2969,7 @@ index 1d732f1..9647c14 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +548,32 @@ init_rw_utmp(useradd_t) +@@ -508,33 +549,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3013,7 +3014,7 @@ index 1d732f1..9647c14 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -549,10 +588,19 @@ optional_policy(` +@@ -549,10 +589,19 @@ optional_policy(` ') optional_policy(` @@ -3033,7 +3034,7 @@ index 1d732f1..9647c14 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +610,12 @@ optional_policy(` +@@ -562,3 +611,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -5920,7 +5921,7 @@ index b31c054..53df7ae 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..9f56be1 100644 +index 76f285e..fb27ae5 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7448,7 +7449,7 @@ index 76f285e..9f56be1 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5641,945 @@ interface(`dev_unconfined',` +@@ -4851,3 +5641,946 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -7790,6 +7791,7 @@ index 76f285e..9f56be1 100644 + filetrans_pattern($1, device_t, event_device_t, chr_file, "event18") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event19") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event20") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event21") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1") @@ -8395,7 +8397,7 @@ index 76f285e..9f56be1 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..a3a5f7f 100644 +index 0b1a871..2844021 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -8485,13 +8487,15 @@ index 0b1a871..a3a5f7f 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +338,5 @@ files_associate_tmp(device_node) +@@ -319,5 +338,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file } *; -+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; - allow devices_unconfined_type mtrr_device_t:file *; +-allow devices_unconfined_type mtrr_device_t:file *; ++allow devices_unconfined_type device_node:{ blk_file lnk_file } *; ++allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint }; ++allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint }; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6a1e4d1..84e8030 100644 --- a/policy/modules/kernel/domain.if @@ -14884,15 +14888,16 @@ index e7d1738..79f6c51 100644 ######################################## # 
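Review bot: The rewritten devices_unconfined_type rules at the end of the devices.te hunk replace a plain `*` with `~{ execmod entrypoint }` on device_node file/chr_file and on mtrr_device_t, but nothing in the hunk says why those two permissions are withheld from an otherwise unconfined attribute, and the comment block above these rules lies outside the hunk. A reader comparing this with the single `*` line it replaces will read it as a typo and may "restore" it. Suggest one comment directly above the three allow rules, e.g. `# unconfined device access deliberately excludes execmod and entrypoint on device nodes`, so the exclusion survives future edits.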
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc -index 7be4ddf..f7021a0 100644 +index 7be4ddf..30d9666 100644 --- a/policy/modules/kernel/kernel.fc +++ b/policy/modules/kernel/kernel.fc -@@ -1 +1,2 @@ +@@ -1 +1,3 @@ -# This module currently does not have any file contexts. + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) ++/sys/kernel/uevent_helper -- gen_context(system_u:object_r:proc_usermodehelper_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..2b0a5b3 100644 +index e100d88..71ca594 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -15235,7 +15240,7 @@ index e100d88..2b0a5b3 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3179,300 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3179,527 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -15335,7 +15340,7 @@ index e100d88..2b0a5b3 100644 + ') + + dontaudit $1 sysctl_type:file getattr; -+') + ') + +######################################## +## 
@@ -15536,9 +15541,236 @@ index e100d88..2b0a5b3 100644 + kernel_search_vm_sysctl($1) + rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) - ') ++') ++ ++######################################## ++## ++## Do not audit attempts to search the security ++## state directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`kernel_dontaudit_search_security_state',` ++ gen_require(` ++ type proc_security_t; ++ ') ++ ++ dontaudit $1 proc_security_t:dir search; ++') ++ ++######################################## ++## ++## Allow searching of security state directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_search_security_state',` ++ gen_require(` ++ type proc_security_t; ++ ') ++ ++ search_dirs_pattern($1, proc_t, proc_security_t) ++') ++ ++######################################## ++## ++## Read the security state information. ++## ++## ++##

++## Allow the specified domain to read the securitying ++## state information. This includes several pieces ++## of securitying information, such as security interface ++## names, securityfilter (iptables) statistics, protocol ++## information, routes, and remote procedure call (RPC) ++## information. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`kernel_read_security_state',` ++ gen_require(` ++ type proc_t, proc_security_t; ++ ') ++ ++ read_files_pattern($1, { proc_t proc_security_t }, proc_security_t) ++ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) ++ ++ list_dirs_pattern($1, proc_t, proc_security_t) ++') ++ ++######################################## ++## ++## Allow caller to read the security state symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_security_state_symlinks',` ++ gen_require(` ++ type proc_t, proc_security_t; ++ ') ++ ++ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) ++ ++ list_dirs_pattern($1, proc_t, proc_security_t) ++') ++ ++######################################## ++## ++## Read and write userhelper state ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_rw_userhelper_state',` ++ gen_require(` ++ type proc_t, proc_userhelper_t; ++ ') ++ ++ dev_search_sysfs($1) ++ rw_files_pattern($1, proc_t, proc_userhelper_t) ++ list_dirs_pattern($1, proc_t, proc_userhelper_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search the userhelper ++## state directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`kernel_dontaudit_search_userhelper_state',` ++ gen_require(` ++ type proc_userhelper_t; ++ ') ++ ++ dontaudit $1 proc_userhelper_t:dir search; ++') ++ ++######################################## ++## ++## Allow searching of userhelper state directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_search_userhelper_state',` ++ gen_require(` ++ type proc_userhelper_t; ++ ') ++ ++ search_dirs_pattern($1, proc_t, proc_userhelper_t) ++') ++ ++######################################## ++## ++## Read the userhelper state information. ++## ++## ++##

++## Allow the specified domain to read the userhelpering ++## state information. This includes several pieces ++## of userhelpering information, such as userhelper interface ++## names, userhelperfilter (iptables) statistics, protocol ++## information, routes, and remote procedure call (RPC) ++## information. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`kernel_read_userhelper_state',` ++ gen_require(` ++ type proc_t, proc_userhelper_t; ++ ') ++ ++ read_files_pattern($1, { proc_t proc_userhelper_t }, proc_userhelper_t) ++ read_lnk_files_pattern($1, { proc_t proc_userhelper_t }, proc_userhelper_t) ++ ++ list_dirs_pattern($1, proc_t, proc_userhelper_t) ++') ++ ++######################################## ++## ++## Allow caller to read the userhelper state symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_userhelper_state_symlinks',` ++ gen_require(` ++ type proc_t, proc_userhelper_t; ++ ') ++ ++ read_lnk_files_pattern($1, { proc_t proc_userhelper_t }, proc_userhelper_t) ++ ++ list_dirs_pattern($1, proc_t, proc_userhelper_t) ++') ++ ++######################################## ++## ++## Read and write userhelper state ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_rw_userhelper_state',` ++ gen_require(` ++ type proc_t, proc_userhelper_t; ++ ') ++ ++ dev_search_sysfs($1) ++ rw_files_pattern($1, proc_t, proc_userhelper_t) ++ list_dirs_pattern($1, proc_t, proc_userhelper_t) ++') ++ diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..b33d885 100644 +index 8dbab4c..2150f2c 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -15567,7 +15799,7 @@ index 8dbab4c..b33d885 100644 allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -@@ -95,6 +100,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) +@@ -95,9 +100,29 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) 
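Review bot: Every userhelper interface added in this hunk requires `type proc_t, proc_userhelper_t;`, but the type this patch declares in kernel.te is `proc_usermodehelper_t`, the genfscon lines under it label the files as `usermodehelper_t`, and the new kernel.fc entry for /sys/kernel/uevent_helper uses `proc_usermodehelper_t` — three spellings for one type, so the gen_require blocks here cannot resolve as written. Settle on the declared name and use it in these gen_require lines, in the kernel.te genfscon lines and in kernel.fc, e.g. `type proc_t, proc_usermodehelper_t;`. `kernel_rw_userhelper_state` is also defined twice in this hunk, word for word, so the second copy should be dropped. The description blocks of `kernel_read_security_state` and `kernel_read_userhelper_state` were search-and-replaced from the network-state interface ("securitying state information", "userhelperfilter (iptables) statistics") and should instead say what these files are: the /proc/sys/fs and /proc/sys/kernel hardening knobs, and the sysctls that name the helper programs the kernel executes. init.te in this same patch calls `kernel_rw_security_state(init_t)`, which does not appear among the interfaces added here; unless it already exists in the unchanged part of kernel.if, that call will not resolve either.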
@@ -15578,7 +15810,26 @@ index 8dbab4c..b33d885 100644 type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) -@@ -153,6 +162,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) ++type proc_security_t, proc_type; ++genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security_t:s0 ++genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security_t:s0 ++genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security_t:s0 ++genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security_t:s0 ++genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security_t:s0 ++genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security_t:s0 ++genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security_t:s0 ++ ++type proc_usermodehelper_t, proc_type; ++genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper_t:s0 ++genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper_t:s0 ++genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper_t:s0 ++genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper_t:s0 ++genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper_t:s0 ++ + type proc_xen_t, proc_type; + files_mountpoint(proc_xen_t) + genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) +@@ -153,6 +178,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) 
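Review bot: The twelve new genfscon lines for proc_security_t and the usermodehelper files write the context as a literal `u:object_r:proc_security_t:s0`, whereas every other genfscon in this file, including the sysctl_vm_t line right below, uses `gen_context(system_u:object_r:...,s0)`. `u` is not a SELinux user this policy declares (the surrounding lines use system_u), and a literal `:s0` is not stripped on a build without MLS/MCS the way gen_context strips it, so I would expect the policy compile to reject these lines or label the files differently from the rest of /proc/sys. Rewrite each as `genfscon proc /sys/fs/protected_hardlinks gen_context(system_u:object_r:proc_security_t,s0)` and likewise for the remaining eleven. Since these particular sysctls control kernel hardening settings and the helper binaries the kernel runs, getting their labels right is what makes the new access split meaningful.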
@@ -15589,7 +15840,7 @@ index 8dbab4c..b33d885 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +178,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +194,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -15604,7 +15855,7 @@ index 8dbab4c..b33d885 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +210,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +226,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -15612,7 +15863,7 @@ index 8dbab4c..b33d885 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +255,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +271,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) @@ -15620,7 +15871,7 @@ index 8dbab4c..b33d885 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +265,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +281,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) 
@@ -15646,7 +15897,7 @@ index 8dbab4c..b33d885 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +288,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +304,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -15656,7 +15907,7 @@ index 8dbab4c..b33d885 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +303,49 @@ files_list_root(kernel_t) +@@ -277,25 +319,49 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -15706,7 +15957,7 @@ index 8dbab4c..b33d885 100644 ') optional_policy(` -@@ -305,6 +355,19 @@ optional_policy(` +@@ -305,6 +371,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -15726,18 +15977,19 @@ index 8dbab4c..b33d885 100644 ') optional_policy(` -@@ -312,6 +375,10 @@ optional_policy(` +@@ -312,6 +391,11 @@ optional_policy(` ') optional_policy(` + plymouthd_create_log(kernel_t) ++ plymouthd_filetrans_named_content(kernel_t) +') + +optional_policy(` # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +399,6 @@ optional_policy(` +@@ -332,9 +416,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -15747,7 +15999,7 @@ index 8dbab4c..b33d885 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +407,7 @@ optional_policy(` +@@ -343,9 +424,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -15758,7 +16010,7 @@ index 8dbab4c..b33d885 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +416,7 @@ optional_policy(` +@@ -354,7 +433,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) 
@@ -15767,7 +16019,7 @@ index 8dbab4c..b33d885 100644 ') ') -@@ -367,6 +429,15 @@ optional_policy(` +@@ -367,6 +446,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -15783,7 +16035,7 @@ index 8dbab4c..b33d885 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +480,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +497,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -16342,7 +16594,7 @@ index 54f1827..39faa3f 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 64c4cd0..bb2156a 100644 +index 64c4cd0..69be610 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -16471,7 +16723,7 @@ index 64c4cd0..bb2156a 100644 ######################################## ## ## Allow the caller to directly read -@@ -813,3 +897,401 @@ interface(`storage_unconfined',` +@@ -813,3 +897,411 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
@@ -16572,6 +16824,16 @@ index 64c4cd0..bb2156a 100644 + dev_filetrans($1, removable_device_t, blk_file, "cm207") + dev_filetrans($1, removable_device_t, blk_file, "cm208") + dev_filetrans($1, removable_device_t, blk_file, "cm209") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md1") + dev_filetrans($1, fixed_disk_device_t, blk_file, "md2") @@ -19505,10 +19767,10 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..bba3177 +index 0000000..83eac25 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,327 @@ +@@ -0,0 +1,332 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19800,9 +20062,9 @@ index 0000000..bba3177 +') + +optional_policy(` -+ rpm_run(unconfined_t, unconfined_r) ++# rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution -+ rpm_transition_script(unconfined_t) ++ rpm_transition_script(unconfined_t, unconfined_r) + rpm_dbus_chat(unconfined_t) +') + 
@@ -19836,6 +20098,11 @@ index 0000000..bba3177 +') + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ ++gen_require(` ++ attribute rpm_script_roles; ++') ++roleattribute unconfined_r rpm_script_roles; diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if index 3835596..fbca2be 100644 --- a/policy/modules/roles/unprivuser.if @@ -27392,7 +27659,7 @@ index bc0ffc8..8de430d 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..edf52ea 100644 +index 79a45f6..e1589ac 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ 
@@ -28030,69 +28297,113 @@ index 79a45f6..edf52ea 100644 ') ######################################## -@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',` +@@ -1314,7 +1593,7 @@ interface(`init_signal_script',` + ######################################## ## - ## Send and receive messages from --## init scripts over dbus. -+## init over dbus. +-## Send null signals to init scripts. ++## Send kill signals to init scripts. ## ## ## -@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',` +@@ -1322,17 +1601,17 @@ interface(`init_signal_script',` ## ## # --interface(`init_dbus_chat_script',` -+interface(`init_dbus_chat',` +-interface(`init_signull_script',` ++interface(`init_sigkill_script',` gen_require(` -- type initrc_t; -+ type init_t; - class dbus send_msg; + type initrc_t; ') -- allow $1 initrc_t:dbus send_msg; -- allow initrc_t $1:dbus send_msg; -+ allow $1 init_t:dbus send_msg; -+ allow init_t $1:dbus send_msg; +- allow $1 initrc_t:process signull; ++ allow $1 initrc_t:process sigkill; ') ######################################## ## --## Read and write the init script pty. -+## Send and receive messages from -+## init scripts over dbus. +-## Read and write init script unnamed pipes. ++## Send null signals to init scripts. ## --## --##

--## Read and write the init script pty. This + ## + ##

+@@ -1340,17 +1619,17 @@ interface(`init_signull_script',` + ## + ## + # +-interface(`init_rw_script_pipes',` ++interface(`init_signull_script',` + gen_require(` + type initrc_t; + ') + +- allow $1 initrc_t:fifo_file { read write }; ++ allow $1 initrc_t:process signull; + ') + + ######################################## + ## +-## Send UDP network traffic to init scripts. (Deprecated) ++## Read and write init script unnamed pipes. + ## + ## + ## +@@ -1358,7 +1637,25 @@ interface(`init_rw_script_pipes',` + ## + ## + # +-interface(`init_udp_send_script',` ++interface(`init_rw_script_pipes',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ allow $1 initrc_t:fifo_file { read write }; ++') ++ ++######################################## ++## ++## Send UDP network traffic to init scripts. (Deprecated) ++## +## +## +## Domain allowed access. +## +## +# -+interface(`init_dbus_chat_script',` ++interface(`init_udp_send_script',` + refpolicywarn(`$0($*) has been deprecated.') + ') + +@@ -1440,6 +1737,27 @@ interface(`init_dbus_send_script',` + ######################################## + ## + ## Send and receive messages from ++## init over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_dbus_chat',` + gen_require(` -+ type initrc_t; ++ type init_t; + class dbus send_msg; + ') + -+ allow $1 initrc_t:dbus send_msg; -+ allow initrc_t $1:dbus send_msg; ++ allow $1 init_t:dbus send_msg; ++ allow init_t $1:dbus send_msg; +') + +######################################## +## -+## Read and write the init script pty. -+## -+## -+##

-+## Read and write the init script pty. This - ## pty is generally opened by the open_init_pty - ## portion of the run_init program so that the - ## daemon does not require direct access to -@@ -1547,6 +1847,25 @@ interface(`init_getattr_script_status_files',` ++## Send and receive messages from + ## init scripts over dbus. + ##

+ ## +@@ -1547,6 +1865,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -28118,7 +28429,7 @@ index 79a45f6..edf52ea 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +1924,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +1942,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -28143,7 +28454,7 @@ index 79a45f6..edf52ea 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2014,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2032,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -28187,7 +28498,7 @@ index 79a45f6..edf52ea 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2139,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2157,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -28196,7 +28507,7 @@ index 79a45f6..edf52ea 100644 ') ######################################## -@@ -1806,6 +2180,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,6 +2198,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -28330,7 +28641,7 @@ index 79a45f6..edf52ea 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2341,360 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2359,360 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -28692,7 +29003,7 @@ index 79a45f6..edf52ea 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..7acba2b 100644 +index 17eda24..b4a2519 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -28799,8 +29110,12 @@ index 17eda24..7acba2b 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -108,14 +150,37 @@ allow init_t self:capability ~sys_module; + allow init_t self:fifo_file rw_fifo_file_perms; + ++allow init_t self:service manage_service_perms; ++ # Re-exec itself can_exec(init_t, init_exec_t) - @@ -28839,7 +29154,7 @@ index 17eda24..7acba2b 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +190,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -28859,7 +29174,7 @@ index 17eda24..7acba2b 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +209,20 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -28880,7 +29195,7 @@ index 17eda24..7acba2b 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +232,52 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) 
@@ -28926,17 +29241,17 @@ index 17eda24..7acba2b 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) - --miscfiles_read_localization(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) -+ + +-miscfiles_read_localization(init_t) +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +284,210 @@ ifdef(`distro_gentoo',` +@@ -186,29 +286,212 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28967,19 +29282,19 @@ index 17eda24..7acba2b 100644 + +optional_policy(` + chronyd_read_keys(init_t) -+') -+ -+optional_policy(` -+ kdump_read_crash(init_t) ') optional_policy(` - auth_rw_login_records(init_t) -+ gnome_filetrans_home_content(init_t) -+ gnome_manage_data(init_t) ++ kdump_read_crash(init_t) ') optional_policy(` ++ gnome_filetrans_home_content(init_t) ++ gnome_manage_data(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) +') + @@ -29012,6 +29327,8 @@ index 17eda24..7acba2b 100644 +kernel_list_unlabeled(init_t) +kernel_read_network_state(init_t) +kernel_rw_all_sysctls(init_t) ++kernel_rw_security_state(init_t) ++kernel_rw_userhelper_state(init_t) +kernel_read_software_raid_state(init_t) +kernel_unmount_debugfs(init_t) +kernel_setsched(init_t) @@ -29141,21 +29458,21 @@ index 17eda24..7acba2b 100644 + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` -+ networkmanager_stream_connect(init_t) ') optional_policy(` - nscd_use(init_t) ++ networkmanager_stream_connect(init_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) ') optional_policy(` -@@ -216,7 +495,30 @@ optional_policy(` +@@ -216,7 +499,30 @@ optional_policy(` ') optional_policy(` 
@@ -29186,7 +29503,7 @@ index 17eda24..7acba2b 100644 ') ######################################## -@@ -225,9 +527,9 @@ optional_policy(` +@@ -225,9 +531,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29198,7 +29515,7 @@ index 17eda24..7acba2b 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +560,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +564,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -29215,7 +29532,7 @@ index 17eda24..7acba2b 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +589,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29258,7 +29575,7 @@ index 17eda24..7acba2b 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +626,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -29270,7 +29587,7 @@ index 17eda24..7acba2b 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +634,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +638,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -29281,7 +29598,7 @@ index 17eda24..7acba2b 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +645,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +649,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -29291,7 +29608,7 @@ index 17eda24..7acba2b 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +654,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +658,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29299,7 +29616,7 @@ index 17eda24..7acba2b 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +665,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -29307,7 +29624,7 @@ index 17eda24..7acba2b 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +669,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +673,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -29325,7 +29642,7 @@ index 17eda24..7acba2b 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +687,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +691,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -29339,7 +29656,7 @@ index 17eda24..7acba2b 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +702,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +706,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -29353,7 +29670,7 @@ index 17eda24..7acba2b 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,6 +715,7 @@ mls_process_read_up(initrc_t) +@@ -387,6 +719,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -29361,7 +29678,7 @@ index 17eda24..7acba2b 100644 selinux_get_enforce_mode(initrc_t) -@@ -398,6 +727,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +731,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -29369,7 +29686,7 @@ index 17eda24..7acba2b 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +746,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +750,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -29393,7 +29710,7 @@ index 17eda24..7acba2b 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +779,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +783,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -29401,7 +29718,7 @@ index 17eda24..7acba2b 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +813,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +817,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -29412,7 +29729,7 @@ index 17eda24..7acba2b 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +837,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +841,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -29421,7 +29738,7 @@ index 17eda24..7acba2b 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +852,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +856,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -29429,7 +29746,7 @@ index 17eda24..7acba2b 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +873,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +877,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -29437,7 +29754,7 @@ index 17eda24..7acba2b 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +883,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +887,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -29482,7 +29799,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -559,14 +928,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +932,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -29514,7 +29831,7 @@ index 17eda24..7acba2b 100644 ') ') -@@ -577,6 +963,39 @@ ifdef(`distro_suse',` +@@ -577,6 +967,39 @@ ifdef(`distro_suse',` ') ') @@ -29554,7 +29871,7 @@ index 17eda24..7acba2b 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1008,8 @@ optional_policy(` +@@ -589,6 +1012,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -29563,7 +29880,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -610,6 +1031,7 @@ optional_policy(` +@@ -610,6 +1035,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29571,7 +29888,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -626,6 +1048,17 @@ optional_policy(` +@@ -626,6 +1052,17 @@ optional_policy(` ') optional_policy(` @@ -29589,7 +29906,7 @@ index 17eda24..7acba2b 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1075,13 @@ optional_policy(` +@@ -642,9 +1079,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29603,7 +29920,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -657,15 +1094,11 @@ optional_policy(` +@@ -657,15 +1098,11 @@ optional_policy(` ') optional_policy(` @@ -29621,7 +29938,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -686,6 +1119,15 @@ optional_policy(` +@@ -686,6 +1123,15 @@ optional_policy(` ') optional_policy(` @@ -29637,7 +29954,7 @@ index 17eda24..7acba2b 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1168,7 @@ optional_policy(` +@@ -726,6 +1172,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29645,7 +29962,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -743,7 +1186,13 @@ optional_policy(` +@@ -743,7 +1190,13 @@ optional_policy(` ') optional_policy(` @@ -29660,7 +29977,7 @@ index 17eda24..7acba2b 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1215,10 @@ optional_policy(` +@@ -766,6 +1219,10 @@ optional_policy(` ') optional_policy(` @@ -29671,7 +29988,7 @@ index 17eda24..7acba2b 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1228,20 @@ optional_policy(` +@@ -775,10 +1232,20 @@ optional_policy(` ') optional_policy(` 
@@ -29692,7 +30009,7 @@ index 17eda24..7acba2b 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1250,10 @@ optional_policy(` +@@ -787,6 +1254,10 @@ optional_policy(` ') optional_policy(` @@ -29703,7 +30020,7 @@ index 17eda24..7acba2b 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1275,6 @@ optional_policy(` +@@ -808,8 +1279,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29712,7 +30029,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -818,6 +1283,10 @@ optional_policy(` +@@ -818,6 +1287,10 @@ optional_policy(` ') optional_policy(` @@ -29723,7 +30040,7 @@ index 17eda24..7acba2b 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1296,12 @@ optional_policy(` +@@ -827,10 +1300,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29736,7 +30053,7 @@ index 17eda24..7acba2b 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,12 +1328,35 @@ optional_policy(` +@@ -857,12 +1332,35 @@ optional_policy(` ') optional_policy(` @@ -29773,13 +30090,13 @@ index 17eda24..7acba2b 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -872,6 +1366,18 @@ optional_policy(` +@@ -872,6 +1370,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') + + # Allow SELinux aware applications to request rpm_script_t execution -+ rpm_transition_script(initrc_t) ++ rpm_transition_script(initrc_t, system_r) + + optional_policy(` + rtkit_scheduled(initrc_t) @@ -29792,7 +30109,7 @@ index 17eda24..7acba2b 100644 ') optional_policy(` -@@ -887,6 +1393,10 @@ optional_policy(` +@@ -887,6 +1397,10 @@ optional_policy(` ') optional_policy(` 
@@ -29803,7 +30120,7 @@ index 17eda24..7acba2b 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1407,218 @@ optional_policy(` +@@ -897,3 +1411,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -30266,7 +30583,7 @@ index 0d4c8d3..e6ffda3 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..43369e6 100644 +index 312cd04..36ad32e 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -30286,7 +30603,7 @@ index 312cd04..43369e6 100644 -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_t self:process { getcap setcap getsched signal setsched }; -+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid }; ++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid sigkill }; +dontaudit ipsec_t self:capability sys_tty_config; +allow ipsec_t self:process { getcap setcap getsched signal signull setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; @@ -30649,7 +30966,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..121cda3 100644 +index be8ed1e..8fc86ce 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; 
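Review bot: `sigkill` is not a permission of the `capability` object class (it belongs to the `process` class), so the rewritten ipsec.te line `++allow ipsec_t self:capability { … net_raw setuid setgid sigkill };` names an undefined permission and checkpolicy should reject it at build time. If the intent is CAP_KILL (signalling processes owned by another uid), the permission is `kill`: `allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid kill };`. If the intent is instead to send SIGKILL to processes in another domain, that is a `process sigkill` rule on the target type, not a self capability; the `process` self rule on the next line only adds `signull`.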
@@ -30690,15 +31007,16 @@ index be8ed1e..121cda3 100644 kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) -@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,6 +65,8 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) +dev_read_urand(iptables_t) ++dev_read_rand(iptables_t) fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +74,12 @@ fs_list_inotifyfs(iptables_t) +@@ -72,11 +75,12 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -30713,7 +31031,7 @@ index be8ed1e..121cda3 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +88,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +89,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -30731,7 +31049,7 @@ index be8ed1e..121cda3 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +105,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -30740,7 +31058,7 @@ index be8ed1e..121cda3 100644 ') optional_policy(` -@@ -110,6 +114,11 @@ optional_policy(` +@@ -110,6 +115,11 @@ optional_policy(` ') optional_policy(` @@ -30752,7 +31070,7 @@ index be8ed1e..121cda3 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +133,12 @@ optional_policy(` +@@ -124,6 +134,12 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -30765,7 +31083,7 @@ index be8ed1e..121cda3 100644 ') optional_policy(` -@@ -135,9 +150,9 @@ optional_policy(` +@@ -135,9 +151,9 @@ optional_policy(` ') optional_policy(` @@ -31754,7 +32072,7 @@ index b50c5fe..e55a556 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + 
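Review bot: `dev_read_rand(iptables_t)` is added beside the existing `dev_read_urand` line with no comment naming which iptables helper reads the blocking `/dev/random`, so a later maintainer cannot tell whether the rule is still needed. The neighbouring device rules in this file carry no justification either, but a new read of the blocking pool is worth one line: `# <tool> opens /dev/random — TODO confirm from the AVC` above it, or drop the rule if only urandom is actually opened.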
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..ae63d78 100644 +index 4e94884..6118015 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -31961,7 +32279,33 @@ index 4e94884..ae63d78 100644 ') ######################################## -@@ -722,6 +866,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',` + + ######################################## + ## ++## Manage syslog configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_manage_syslog_config',` ++ gen_require(` ++ type syslog_conf_t; ++ ') ++ ++ manage_files_pattern($1, syslog_conf_t, syslog_conf_t) ++') ++ ++######################################## ++## + ## Allows the domain to open a file in the + ## log directory, but does not allow the listing + ## of the contents of the log directory. +@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') @@ -31987,7 +32331,7 @@ index 4e94884..ae63d78 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +939,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -32014,7 +32358,7 @@ index 4e94884..ae63d78 100644 ') ######################################## -@@ -859,7 +1040,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -32023,7 +32367,7 @@ index 4e94884..ae63d78 100644 ') ######################################## -@@ -885,6 +1066,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',` ######################################## ## 
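Review bot: The new `logging_manage_syslog_config` interface allows managing `syslog_conf_t` files but grants no search on /etc, so a caller that does not already have it cannot reach the files; the `abrt_dontaudit_read_config` interface added later in this same commit pairs its access rule with `files_search_etc($1)`, and this one should too, as a line before `manage_files_pattern($1, syslog_conf_t, syslog_conf_t)`. Whether the neighbouring `logging_read_syslog_config` carries the search rule is outside the hunk. The summary should also state the consequence of the grant, since a domain that can rewrite the syslog configuration can redirect or silence logging: `## Manage syslog configuration files. The caller can alter or disable logging; intended for syslog administration domains only.`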
@@ -32068,7 +32412,7 @@ index 4e94884..ae63d78 100644 ## Write generic log files. ## ## -@@ -905,6 +1124,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -32093,7 +32437,7 @@ index 4e94884..ae63d78 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1221,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -32111,7 +32455,7 @@ index 4e94884..ae63d78 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1246,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -32145,7 +32489,7 @@ index 4e94884..ae63d78 100644 ') ######################################## -@@ -1032,10 +1301,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -32163,7 +32507,7 @@ index 4e94884..ae63d78 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1331,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -32172,7 +32516,7 @@ index 4e94884..ae63d78 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1361,35 @@ interface(`logging_admin',` +@@ -1085,3 +1380,35 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') 
@@ -36286,7 +36630,7 @@ index 40edc18..7cc0c8a 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..b324c5c 100644 +index 2cea692..f1e2130 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -36534,8 +36878,11 @@ index 2cea692..b324c5c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -722,6 +872,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -720,8 +870,11 @@ interface(`sysnet_dns_name_resolve',` + corenet_tcp_sendrecv_dns_port($1) + corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) ++ corenet_tcp_connect_dnssec_port($1) corenet_sendrecv_dns_client_packets($1) + miscfiles_read_generic_certs($1) @@ -36543,7 +36890,7 @@ index 2cea692..b324c5c 100644 sysnet_read_config($1) optional_policy(` -@@ -750,8 +902,6 @@ interface(`sysnet_use_ldap',` +@@ -750,8 +903,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -36552,7 +36899,7 @@ index 2cea692..b324c5c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -763,6 +913,9 @@ interface(`sysnet_use_ldap',` +@@ -763,6 +914,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -36562,7 +36909,7 @@ index 2cea692..b324c5c 100644 ') ######################################## -@@ -784,7 +937,6 @@ interface(`sysnet_use_portmap',` +@@ -784,7 +938,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) 
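Review bot: The added `corenet_tcp_connect_dnssec_port($1)` sits inside `sysnet_dns_name_resolve`, an interface called by every domain that resolves names, so this one line widens the permitted TCP connections of every resolver to the dnssec port rather than of the single client that presumably needs it. If one daemon drives this, the rule belongs in that domain's .te file, or behind a tunable inside this interface. Note also that the dns port rules above pair `connect` with `sendrecv`, while the dnssec line has no `corenet_tcp_sendrecv_dnssec_port($1)` counterpart; confirm that asymmetry is intended. The rest of `sysnet_dns_name_resolve` is outside the hunk.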
@@ -36570,7 +36917,7 @@ index 2cea692..b324c5c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +948,76 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +949,76 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 107f50a6..1c4bbfb2 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -68,7 +68,7 @@ index 1a93dc5..40dda9e 100644 -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..9d57403 100644 +index 058d908..70eb89d 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ @@ -249,8 +249,30 @@ index 058d908..9d57403 100644 ## ## ## -@@ -220,7 +279,7 @@ interface(`abrt_read_config',` +@@ -218,9 +277,29 @@ interface(`abrt_read_config',` + read_files_pattern($1, abrt_etc_t, abrt_etc_t) + ') ++#################################### ++## ++## Dontaudit read abrt configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_dontaudit_read_config',` ++ gen_require(` ++ type abrt_etc_t; ++ ') ++ ++ files_search_etc($1) ++ dontaudit $1 abrt_etc_t:dir list_dir_perms; ++ dontaudit $1 abrt_etc_t:file read_file_perms; ++') ++ ###################################### ## -## Read abrt log files. @@ -258,7 +280,7 @@ index 058d908..9d57403 100644 ## ## ## -@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',` +@@ -258,8 +337,7 @@ interface(`abrt_read_pid_files',` ###################################### ## @@ -268,7 +290,7 @@ index 058d908..9d57403 100644 ## ## ## -@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',` +@@ -276,10 +354,51 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') 
@@ -322,7 +344,7 @@ index 058d908..9d57403 100644 ## ## ## -@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',` +@@ -288,39 +407,172 @@ interface(`abrt_manage_pid_files',` ## ## ## @@ -442,7 +464,7 @@ index 058d908..9d57403 100644 + list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) -+') + ') + + +##################################### @@ -463,7 +485,7 @@ index 058d908..9d57403 100644 + list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) - ') ++') + +######################################## +## @@ -509,7 +531,7 @@ index 058d908..9d57403 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..021ddae 100644 +index eb50f07..84c5ad6 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -701,7 +723,7 @@ index eb50f07..021ddae 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -176,29 +187,39 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +187,40 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -738,13 +760,14 @@ index eb50f07..021ddae 100644 +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) ++miscfiles_dontaudit_access_check_cert(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +227,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +228,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) 
@@ -761,7 +784,7 @@ index eb50f07..021ddae 100644 ') optional_policy(` -@@ -222,6 +239,20 @@ optional_policy(` +@@ -222,6 +240,20 @@ optional_policy(` ') optional_policy(` @@ -782,7 +805,7 @@ index eb50f07..021ddae 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -233,6 +264,7 @@ optional_policy(` +@@ -233,6 +265,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -790,7 +813,7 @@ index eb50f07..021ddae 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -243,6 +275,7 @@ optional_policy(` +@@ -243,6 +276,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -798,7 +821,7 @@ index eb50f07..021ddae 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +286,17 @@ optional_policy(` +@@ -253,9 +287,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -817,7 +840,7 @@ index eb50f07..021ddae 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +307,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +308,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -832,7 +855,7 @@ index eb50f07..021ddae 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +327,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) 
@@ -840,7 +863,7 @@ index eb50f07..021ddae 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +336,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -861,7 +884,7 @@ index eb50f07..021ddae 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +356,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +357,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -888,7 +911,7 @@ index eb50f07..021ddae 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +393,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -902,7 +925,7 @@ index eb50f07..021ddae 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +410,11 @@ optional_policy(` +@@ -343,10 +411,11 @@ optional_policy(` ####################################### # @@ -916,7 +939,7 @@ index eb50f07..021ddae 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +433,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +434,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) 
@@ -968,7 +991,7 @@ index eb50f07..021ddae 100644 ####################################### # -@@ -404,7 +482,7 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,7 +483,7 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -977,7 +1000,7 @@ index eb50f07..021ddae 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,16 +491,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -413,16 +492,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -992,7 +1015,7 @@ index eb50f07..021ddae 100644 # Upload watch local policy # -+allow abrt_upload_watch_t self:capability dac_override; ++allow abrt_upload_watch_t self:capability { dac_override chown }; + +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) @@ -1021,7 +1044,7 @@ index eb50f07..021ddae 100644 ') ####################################### -@@ -430,10 +534,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +535,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -1932,7 +1955,7 @@ index ca8d8cf..2cc5ce6 100644 ######################################### diff --git a/alsa.te b/alsa.te -index 4b153f1..2403849 100644 +index 4b153f1..9b67ee0 100644 --- a/alsa.te +++ b/alsa.te @@ -24,16 +24,23 @@ files_tmpfs_file(alsa_tmpfs_t) 
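Review bot: `chown` is added to the `abrt_upload_watch_t` self capabilities with no comment naming the operation that needs it, and together with the existing `dac_override` it lets the daemon take ownership of any file it can reach by path, not only `abrt_upload_watch_tmp_t` content. Add a why-comment above the line, e.g. `# chown: <operation from the AVC that required it>`, and confirm the ownership change is really required rather than creating the files with the right owner in the first place. The upload-watch block continues outside the hunk.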
@@ -1961,7 +1984,7 @@ index 4b153f1..2403849 100644 allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; -@@ -57,6 +64,11 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file) +@@ -57,7 +64,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file) manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) @@ -1971,9 +1994,11 @@ index 4b153f1..2403849 100644 +files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir }) + kernel_read_system_state(alsa_t) ++kernel_signal(alsa_t) corecmd_exec_bin(alsa_t) -@@ -67,7 +79,6 @@ dev_read_sysfs(alsa_t) + +@@ -67,7 +80,6 @@ dev_read_sysfs(alsa_t) dev_read_urand(alsa_t) dev_write_sound(alsa_t) @@ -1981,7 +2006,7 @@ index 4b153f1..2403849 100644 files_search_var_lib(alsa_t) term_dontaudit_use_console(alsa_t) -@@ -80,8 +91,6 @@ init_use_fds(alsa_t) +@@ -80,8 +92,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) @@ -4756,7 +4781,7 @@ index f6eb485..51b128e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..8d471e8 100644 +index 6649962..7954b3b 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,317 @@ policy_module(apache, 2.7.2) @@ -5437,7 +5462,7 @@ index 6649962..8d471e8 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -450,140 +544,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +544,168 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) 
@@ -5503,7 +5528,7 @@ index 6649962..8d471e8 100644 -fs_search_auto_mountpoints(httpd_t) +fs_rw_anon_inodefs_files(httpd_t) +fs_read_hugetlbfs_files(httpd_t) -+ + +auth_use_nsswitch(httpd_t) + +application_exec_all(httpd_t) @@ -5514,7 +5539,8 @@ index 6649962..8d471e8 100644 + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) - ++ ++files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) +files_exec_usr_files(httpd_t) @@ -5670,7 +5696,7 @@ index 6649962..8d471e8 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +715,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +716,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5730,7 +5756,7 @@ index 6649962..8d471e8 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +767,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +768,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5821,7 +5847,7 @@ index 6649962..8d471e8 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,66 +814,56 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,66 +815,56 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5919,7 +5945,7 @@ index 6649962..8d471e8 100644 ') optional_policy(` -@@ -770,6 +879,23 @@ optional_policy(` +@@ -770,6 +880,23 @@ optional_policy(` ') optional_policy(` @@ -5943,7 +5969,7 @@ index 6649962..8d471e8 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -786,35 +912,54 @@ optional_policy(` +@@ -786,35 +913,55 @@ optional_policy(` ') optional_policy(` 
@@ -5966,6 +5992,7 @@ index 6649962..8d471e8 100644 - ldap_tcp_connect(httpd_t) - ') +optional_policy(` ++ mirrormanager_manage_pid_files(httpd_t) + mirrormanager_read_lib_files(httpd_t) + mirrormanager_read_log(httpd_t) +') @@ -6011,7 +6038,7 @@ index 6649962..8d471e8 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +967,18 @@ optional_policy(` +@@ -822,8 +969,18 @@ optional_policy(` ') optional_policy(` @@ -6030,7 +6057,7 @@ index 6649962..8d471e8 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +987,7 @@ optional_policy(` +@@ -832,6 +989,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6038,7 +6065,7 @@ index 6649962..8d471e8 100644 ') optional_policy(` -@@ -842,20 +998,39 @@ optional_policy(` +@@ -842,20 +1000,39 @@ optional_policy(` ') optional_policy(` @@ -6084,7 +6111,7 @@ index 6649962..8d471e8 100644 ') optional_policy(` -@@ -863,19 +1038,35 @@ optional_policy(` +@@ -863,19 +1040,35 @@ optional_policy(` ') optional_policy(` @@ -6120,7 +6147,7 @@ index 6649962..8d471e8 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1074,173 @@ optional_policy(` +@@ -883,65 +1076,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6316,7 +6343,7 @@ index 6649962..8d471e8 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1251,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6471,7 +6498,7 @@ index 6649962..8d471e8 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1333,106 @@ optional_policy(` +@@ -1083,172 +1335,106 @@ optional_policy(` ') ') 
@@ -6708,7 +6735,7 @@ index 6649962..8d471e8 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1442,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6805,7 +6832,7 @@ index 6649962..8d471e8 100644 ######################################## # -@@ -1321,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1517,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6822,7 +6849,7 @@ index 6649962..8d471e8 100644 ') ######################################## -@@ -1330,49 +1531,38 @@ optional_policy(` +@@ -1330,49 +1533,38 @@ optional_policy(` # User content local policy # @@ -6887,7 +6914,7 @@ index 6649962..8d471e8 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1572,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1574,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7835,10 +7862,10 @@ index 0000000..316c324 +') diff --git a/authconfig.te b/authconfig.te new file mode 100644 -index 0000000..f2aa4e6 +index 0000000..362a049 --- /dev/null +++ b/authconfig.te -@@ -0,0 +1,32 @@ +@@ -0,0 +1,33 @@ +policy_module(authconfig, 1.0.0) + +######################################## @@ -7867,6 +7894,7 @@ index 0000000..f2aa4e6 +files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file }) + +domain_use_interactive_fds(authconfig_t) ++domain_named_filetrans(authconfig_t) + +init_domtrans_script(authconfig_t) + @@ -7981,7 +8009,7 @@ index f24e369..9bce868 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index 27d2f40..1268d7d 100644 +index 27d2f40..5eec4ff 100644 --- a/automount.te +++ b/automount.te @@ -22,6 +22,9 @@ type automount_tmp_t; 
@@ -8020,7 +8048,15 @@ index 27d2f40..1268d7d 100644 files_search_boot(automount_t) files_search_all(automount_t) files_unmount_all_file_type_fs(automount_t) -@@ -135,15 +137,18 @@ auth_use_nsswitch(automount_t) +@@ -113,6 +115,7 @@ fs_manage_autofs_symlinks(automount_t) + fs_mount_all_fs(automount_t) + fs_mount_autofs(automount_t) + fs_read_nfs_files(automount_t) ++fs_read_nfs_symlinks(automount_t) + fs_search_all(automount_t) + fs_search_auto_mountpoints(automount_t) + fs_unmount_all_fs(automount_t) +@@ -135,15 +138,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -8043,7 +8079,7 @@ index 27d2f40..1268d7d 100644 fstools_domtrans(automount_t) ') -@@ -166,3 +171,8 @@ optional_policy(` +@@ -166,3 +172,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -8389,13 +8425,14 @@ index c3fd7b1..e189593 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..1742ebf 100644 +index 2b9a3a1..ab80059 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,71 @@ +@@ -1,54 +1,74 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) 
@@ -8418,12 +8455,14 @@ index 2b9a3a1..1742ebf 100644 + +/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0) +/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0) ++/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0) /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) @@ -10014,10 +10053,10 @@ index 0000000..de66654 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..b3aa772 +index 0000000..3de0f69 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,54 @@ +@@ -0,0 +1,55 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10068,6 +10107,7 @@ index 0000000..b3aa772 + +xserver_domtrans(bumblebee_t) +xserver_manage_xkb_libs(bumblebee_t) ++corenet_tcp_connect_xserver_port(bumblebee_t) + +optional_policy(` + apm_stream_connect(bumblebee_t) @@ -12273,10 +12313,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..786d623 +index 0000000..0e17a32 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,298 @@ +policy_module(cloudform, 1.0) +######################################## +# 
@@ -12439,8 +12479,7 @@ index 0000000..786d623 +') + +optional_policy(` -+ rpm_domtrans(cloud_init_t) -+ rpm_transition_script(cloud_init_t) ++ rpm_run(cloud_init_t, system_r) + unconfined_domain(cloud_init_t) +') + @@ -17293,18 +17332,26 @@ index 7de3859..d8264c4 100644 type unconfined_cronjob_t; diff --git a/ctdb.fc b/ctdb.fc -index 8401fe6..507804b 100644 +index 8401fe6..9131995 100644 --- a/ctdb.fc +++ b/ctdb.fc -@@ -2,6 +2,8 @@ +@@ -2,11 +2,16 @@ /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) +/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) + ++/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) + /var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) + ++ ++/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) + /var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) + + /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/ctdb.if b/ctdb.if index b25b01d..e99c5c6 100644 --- a/ctdb.if @@ -17596,7 +17643,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..f3809a2 100644 +index 001b502..83fb1f9 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
@@ -17624,19 +17671,26 @@ index 001b502..f3809a2 100644 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) + exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) + manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) - files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) - +-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) ++files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb") ++ +manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) +manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) +manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) ++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd") +files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb") -+ + manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) ++manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) -@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) + + kernel_read_network_state(ctdbd_t) +@@ -72,9 +84,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -17648,7 +17702,7 @@ index 001b502..f3809a2 100644 corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +97,14 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +99,14 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) 
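Review bot: Replacing the unnamed `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)` with one named only "ctdb" means a `/var/lib/ctdbd` directory created at runtime by ctdbd_t no longer transitions to ctdbd_var_lib_t, while the ctdb.fc hunk earlier in this patch still labels both `/var/lib/ctdb(/.*)?` and `/var/lib/ctdbd(/.*)?`. Unless /var/lib/ctdbd is only ever created by the package and never by the daemon, the second name should be kept alongside the first: `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdbd")`. The /var rules in the same hunk do transition both "ctdb" and "ctdbd" to ctdbd_var_t, so the /var/lib pair looks like the inconsistent one. The ctdb.te section continues in the following hunks.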
@@ -17665,7 +17719,7 @@ index 001b502..f3809a2 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +123,7 @@ optional_policy(` +@@ -109,6 +125,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -27300,7 +27354,7 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..4b88195 +index 0000000..c63f92f --- /dev/null +++ b/glusterd.te @@ -0,0 +1,200 @@ @@ -27458,7 +27512,7 @@ index 0000000..4b88195 +fs_unmount_all_fs(glusterd_t) +fs_getattr_all_fs(glusterd_t) + -+files_mounton_mnt(glusterd_t) ++files_mounton_non_security(glusterd_t) + +storage_rw_fuse(glusterd_t) + @@ -27715,10 +27769,10 @@ index 4e95c7e..0000000 - -miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index e39de43..4c8113b 100644 +index e39de43..6a6db28 100644 --- a/gnome.fc +++ b/gnome.fc -@@ -1,15 +1,59 @@ +@@ -1,15 +1,61 @@ -HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) @@ -27732,6 +27786,7 @@ index e39de43..4c8113b 100644 +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0) ++HOME_DIR/\.nv/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) 
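Review bot: In the glusterd.te hunk, swapping `files_mounton_mnt(glusterd_t)` for `files_mounton_non_security(glusterd_t)` widens the mount-point surface from /mnt to every non-security file type, and the hunk gives no reason for it. If a specific mount location triggered the change, a one-line comment naming it above the call (e.g. `# glusterd mounts bricks/volumes under admin-chosen paths, not only /mnt — TODO confirm`) would let a later reviewer judge whether a narrower interface could replace it. The rest of the glusterd.te file lies outside this hunk.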
@@ -27740,6 +27795,7 @@ index e39de43..4c8113b 100644 +HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) ++HOME_DIR/\.cache/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) @@ -27788,7 +27844,7 @@ index e39de43..4c8113b 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..d36aa1e 100644 +index ab09d61..edd1c94 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,78 @@ @@ -28835,7 +28891,7 @@ index ab09d61..d36aa1e 100644 ## ## ## -@@ -706,12 +820,912 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +820,931 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -29247,6 +29303,24 @@ index ab09d61..d36aa1e 100644 + delete_files_pattern($1, config_home_t, config_home_t) +') + ++######################################## ++## ++## Create gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_create_home_config_dirs',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ allow $1 config_home_t:dir create_dir_perms; ++') ++ +####################################### +## +## setattr gnome homedir content (.config) 
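Review bot: The new `gnome_create_home_config_dirs` interface in gnome.if requires `type cache_home_t;` in its gen_require block but the only rule it emits is `allow $1 config_home_t:dir create_dir_perms;`, so the required type is the wrong one. It should read `type config_home_t;`; as written, a caller in a module where config_home_t is not otherwise in scope will fail to build, and the unused cache_home_t requirement is misleading. The summary line "Create gnome homedir content (.config)" could also say "dirs" to match what the rule actually grants.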
@@ -29384,6 +29458,7 @@ index ab09d61..d36aa1e 100644 + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") + userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2") @@ -29754,7 +29829,7 @@ index ab09d61..d36aa1e 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 63893eb..76cc0d8 100644 +index 63893eb..e9adc23 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) @@ -29793,7 +29868,7 @@ index 63893eb..76cc0d8 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -31,105 +50,224 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; @@ -30052,6 +30127,7 @@ index 63893eb..76cc0d8 100644 optional_policy(` - telepathy_mission_control_read_state(gkeyringd_domain) ++ gnome_create_home_config_dirs(gkeyringd_domain) + gnome_read_home_config(gkeyringd_domain) + gnome_manage_generic_cache_files(gkeyringd_domain) + gnome_manage_cache_home_dir(gkeyringd_domain) @@ -31721,10 +31797,10 @@ index 6517fad..b7ca833 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..3543847 100644 +index 4eb7041..b2d134d 100644 --- a/hypervkvp.te 
+++ b/hypervkvp.te -@@ -5,24 +5,61 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,70 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -31759,7 +31835,7 @@ index 4eb7041..3543847 100644 # -# Local policy +# hyperv domain local policy - # ++# + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; @@ -31768,24 +31844,33 @@ index 4eb7041..3543847 100644 +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; + +corecmd_exec_shell(hyperv_domain) ++corecmd_exec_bin(hyperv_domain) + +dev_read_sysfs(hyperv_domain) + +######################################## # +# hypervkvp local policy -+# -+ -+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) -+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) + # -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) ++ ++files_dontaudit_search_home(hypervkvp_t) ++ +logging_send_syslog_msg(hypervkvp_t) ++ ++sysnet_dns_name_resolve(hypervkvp_t) -logging_send_syslog_msg(hypervkvpd_t) -+sysnet_dns_name_resolve(hypervkvp_t) ++userdom_dontaudit_search_admin_dir(hypervkvp_t) ++ ++optional_policy(` ++ sysnet_exec_ifconfig(hypervkvp_t) ++') + +######################################## +# @@ -37459,10 +37544,10 @@ index 483c87b..af0698b 100644 - sysnet_dns_name_resolve(lircd_t) diff --git a/livecd.if b/livecd.if -index e354181..c6b2383 100644 +index e354181..fc614ba 100644 --- a/livecd.if +++ b/livecd.if -@@ -38,11 +38,32 @@ interface(`livecd_domtrans',` +@@ -38,11 +38,36 @@ interface(`livecd_domtrans',` # interface(`livecd_run',` gen_require(` 
@@ -37474,6 +37559,10 @@ index e354181..c6b2383 100644 livecd_domtrans($1) roleattribute $2 livecd_roles; + role_transition $2 livecd_exec_t system_r; ++ ++ optional_policy(` ++ rpm_transition_script(livecd_t, $2) ++ ') +') + +######################################## @@ -37496,7 +37585,7 @@ index e354181..c6b2383 100644 ######################################## diff --git a/livecd.te b/livecd.te -index 2f974bf..54f10e4 100644 +index 2f974bf..f6e97fa 100644 --- a/livecd.te +++ b/livecd.te @@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t) @@ -37513,18 +37602,14 @@ index 2f974bf..54f10e4 100644 manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -@@ -35,12 +37,17 @@ sysnet_etc_filetrans_config(livecd_t) +@@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t) optional_policy(` hal_dbus_chat(livecd_t) ') -+ -+optional_policy(` -+ mount_run(livecd_t, livecd_roles) -+') + optional_policy(` - mount_run(livecd_t, livecd_roles) -+ rpm_transition_script(livecd_t) ++ mount_run(livecd_t, livecd_roles) ') optional_policy(` @@ -38590,7 +38675,7 @@ index d314333..da30c5d 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..c7e1da8 100644 +index 4ec0eea..5bf5627 100644 --- a/lsm.te +++ b/lsm.te @@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t) @@ -38611,7 +38696,7 @@ index 4ec0eea..c7e1da8 100644 ######################################## # # Local policy -@@ -26,4 +37,34 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +37,36 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) 
@@ -38627,6 +38712,7 @@ index 4ec0eea..c7e1da8 100644 +allow lsmd_plugin_t self:udp_socket create_socket_perms; + +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t) ++allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write }; + +allow lsmd_t lsmd_plugin_exec_t:file read_file_perms; +stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t) @@ -38642,6 +38728,7 @@ index 4ec0eea..c7e1da8 100644 +corecmd_exec_bin(lsmd_plugin_t) + +init_stream_connect(lsmd_plugin_t) ++init_dontaudit_rw_stream_socket(lsmd_plugin_t) + +logging_send_syslog_msg(lsmd_plugin_t) + @@ -40730,10 +40817,10 @@ index 0000000..c713b27 +/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) diff --git a/mirrormanager.if b/mirrormanager.if new file mode 100644 -index 0000000..dd049c7 +index 0000000..adf2319 --- /dev/null +++ b/mirrormanager.if -@@ -0,0 +1,224 @@ +@@ -0,0 +1,243 @@ + +## policy for mirrormanager + @@ -40851,6 +40938,7 @@ index 0000000..dd049c7 + ') + + files_search_var_lib($1) ++ list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) + read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) +') + @@ -40911,6 +40999,24 @@ index 0000000..dd049c7 + read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) +') + ++######################################## ++## ++## Manage mirrormanager PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_pid_files',` ++ gen_require(` ++ type mirrormanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) ++') + +######################################## +## @@ -42270,7 +42376,7 @@ index 6ffaba2..cb1e8b0 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..b8952a1 100644 +index 6194b80..03c6414 100644 
--- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -42556,7 +42662,7 @@ index 6194b80..b8952a1 100644 ## ## ## -@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',` +@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',` ## # interface(`mozilla_execmod_user_home_files',` @@ -42656,6 +42762,8 @@ index 6194b80..b8952a1 100644 + allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms }; + allow mozilla_plugin_t $1:shm { rw_shm_perms destroy }; + allow mozilla_plugin_t $1:sem create_sem_perms; ++ allow $1 mozilla_plugin_t:sem rw_sem_perms; ++ allow $1 mozilla_plugin_t:shm rw_shm_perms; + + ps_process_pattern($1, mozilla_plugin_t) + allow $1 mozilla_plugin_t:process signal_perms; @@ -42770,7 +42878,7 @@ index 6194b80..b8952a1 100644 ') ######################################## -@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -42780,7 +42888,7 @@ index 6194b80..b8952a1 100644 ## ## ## -@@ -433,76 +353,144 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -42954,7 +43062,7 @@ index 6194b80..b8952a1 100644 ## ## ## -@@ -510,19 +498,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -42979,7 +43087,7 @@ index 6194b80..b8952a1 100644 ## ## ## -@@ -530,45 +517,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +519,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # 
@@ -44394,6 +44502,36 @@ index 0f03cd9..e3ed393 100644 allow mplayer_t mplayer_tmpfs_t:file execute; ') +diff --git a/mrtg.if b/mrtg.if +index c595094..2346458 100644 +--- a/mrtg.if ++++ b/mrtg.if +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Read mrtg lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mrtg_read_lib_files',` ++ gen_require(` ++ type mrtg_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t) ++') ++ ++######################################## ++## + ## Create and append mrtg log files. + ## + ## diff --git a/mrtg.te b/mrtg.te index 65a246a..fa86320 100644 --- a/mrtg.te @@ -48101,7 +48239,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 7b3e682..1726e88 100644 +index 7b3e682..6d966d5 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -48363,7 +48501,7 @@ index 7b3e682..1726e88 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +436,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,14 +436,18 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -48376,7 +48514,15 @@ index 7b3e682..1726e88 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,11 +458,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) + ++optional_policy(` ++ mrtg_read_lib_files(nagios_system_plugin_t) ++') ++ + ####################################### + # + # Event local policy +@@ -442,11 +462,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -48487,10 +48633,10 @@ index 0000000..8d7c751 +') diff --git a/namespace.te b/namespace.te new file mode 100644 -index 0000000..c674894 +index 0000000..e289f2d --- /dev/null 
+++ b/namespace.te -@@ -0,0 +1,39 @@ +@@ -0,0 +1,41 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -48522,6 +48668,8 @@ index 0000000..c674894 + +files_polyinstantiate_all(namespace_init_t) + ++fs_getattr_xattr_fs(namespace_init_t) ++ +auth_use_nsswitch(namespace_init_t) + +term_use_console(namespace_init_t) @@ -49105,7 +49253,7 @@ index 86dc29d..5b73942 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..fae4607 100644 +index 55f2009..c8ed2bd 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -49139,7 +49287,7 @@ index 55f2009..fae4607 100644 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +# networkmanager will ptrace itself if gdb is installed +# and it receives a unexpected signal (rh bug #204161) -+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot }; +dontaudit NetworkManager_t self:capability sys_tty_config; + +ifdef(`hide_broken_symptoms',` @@ -49257,7 +49405,7 @@ index 55f2009..fae4607 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +152,31 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +152,33 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) 
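Review bot: The networkmanager.te hunk at `@@ -49139,7 +49287,7 @@` adds `sys_chroot` to the NetworkManager_t self:capability set without saying why, whereas the surrounding lines keep the file's convention of annotating unusual grants (the ptrace comment with its bug reference). A short why-comment above the allow line, such as `# sys_chroot: <helper / bug reference> — TODO confirm`, would let a reviewer tie the capability to the component that needs it and reconsider it later. The allow rule itself is fully inside the hunk, but the rest of the NetworkManager_t local policy continues in the following hunks.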
@@ -49278,6 +49426,8 @@ index 55f2009..fae4607 100644 init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) +init_signull_script(NetworkManager_t) ++init_signal_script(NetworkManager_t) ++init_sigkill_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -49290,7 +49440,7 @@ index 55f2009..fae4607 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +191,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +193,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -49327,7 +49477,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -196,10 +232,6 @@ optional_policy(` +@@ -196,10 +234,6 @@ optional_policy(` ') optional_policy(` @@ -49338,7 +49488,7 @@ index 55f2009..fae4607 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +242,11 @@ optional_policy(` +@@ -210,16 +244,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -49357,7 +49507,7 @@ index 55f2009..fae4607 100644 ') ') -@@ -231,18 +258,23 @@ optional_policy(` +@@ -231,18 +260,23 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -49384,7 +49534,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -250,6 +282,10 @@ optional_policy(` +@@ -250,6 +284,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -49395,7 +49545,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -257,11 +293,14 @@ optional_policy(` +@@ -257,11 +295,14 @@ optional_policy(` ') optional_policy(` @@ -49412,7 +49562,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -274,10 +313,17 @@ optional_policy(` +@@ -274,10 +315,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) 
@@ -49430,7 +49580,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -289,6 +335,7 @@ optional_policy(` +@@ -289,6 +337,7 @@ optional_policy(` ') optional_policy(` @@ -49438,7 +49588,7 @@ index 55f2009..fae4607 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +343,7 @@ optional_policy(` +@@ -296,7 +345,7 @@ optional_policy(` ') optional_policy(` @@ -49447,7 +49597,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -307,6 +354,7 @@ optional_policy(` +@@ -307,6 +356,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -49455,7 +49605,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -320,14 +368,20 @@ optional_policy(` +@@ -320,14 +370,20 @@ optional_policy(` ') optional_policy(` @@ -49481,7 +49631,7 @@ index 55f2009..fae4607 100644 ') optional_policy(` -@@ -357,6 +411,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +413,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) 
@@ -57394,6 +57544,259 @@ index 8176e4a..2df1789 100644 seutil_sigchld_newrole(cardmgr_t) ') +diff --git a/pcp.fc b/pcp.fc +new file mode 100644 +index 0000000..59d23a4 +--- /dev/null ++++ b/pcp.fc +@@ -0,0 +1,20 @@ ++/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmwie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0) ++ ++/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0) ++/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) ++/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0) ++/usr/libexec/pcp/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0) ++/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0) ++ ++/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0) ++ ++/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0) ++ ++/var/run/pcp(/.*)? gen_context(system_u:object_r:pcp_var_run_t,s0) ++ +diff --git a/pcp.if b/pcp.if +new file mode 100644 +index 0000000..9ca6d26 +--- /dev/null ++++ b/pcp.if +@@ -0,0 +1,80 @@ ++## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation ++ ++###################################### ++## ++## Creates types and rules for a basic ++## pcp daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`pcp_domain_template',` ++ gen_require(` ++ attribute pcp_domain; ++ ') ++ ++ type pcp_$1_t, pcp_domain; ++ type pcp_$1_exec_t; ++ init_daemon_domain(pcp_$1_t, pcp_$1_exec_t) ++ ++ type pcp_$1_initrc_exec_t; ++ init_script_file(pcp_$1_initrc_exec_t) ++ ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pcp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`pcp_admin',` ++ gen_require(` ++ type pcp_pmcd_t; ++ type pcp_pmlogger_t; ++ type pcp_pmproxy_t; ++ type pcp_pmwebd_t; ++ type pcp_pmie_t; ++ type pcp_pmmgr_t; ++ type pcp_var_run_t; ++ ') ++ ++ allow $1 pcp_pmcd_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmcd_t) ++ ++ allow $1 pcp_pmlogger_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmlogger_t) ++ ++ allow $1 pcp_pmproxy_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmproxy_t) ++ ++ allow $1 pcp_pmwebd_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmwebd_t) ++ ++ allow $1 pcp_pmie_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmie_t) ++ ++ allow $1 pcp_pmmgr_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmmgr_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pcp_pmcd_t:process ptrace; ++ allow $1 pcp_pmlogger_t:process ptrace; ++ allow $1 pcp_pmproxy_t:process ptrace; ++ allow $1 pcp_pmwebd_t:process ptrace; ++ allow $1 pcp_pmie_t:process ptrace; ++ allow $1 pcp_pmmgr_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, pcp_var_run_t) ++') +diff --git a/pcp.te b/pcp.te +new file mode 100644 +index 0000000..51d765d +--- /dev/null ++++ b/pcp.te +@@ -0,0 +1,135 @@ ++policy_module(pcp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute pcp_domain; ++ ++pcp_domain_template(pmcd) ++pcp_domain_template(pmlogger) ++pcp_domain_template(pmproxy) ++pcp_domain_template(pmwebd) ++pcp_domain_template(pmie) ++pcp_domain_template(pmmgr) ++ 
++type pcp_log_t; ++logging_log_file(pcp_log_t) ++ ++type pcp_var_lib_t; ++files_type(pcp_var_lib_t) ++ ++type pcp_var_run_t; ++files_pid_file(pcp_var_run_t) ++ ++type pcp_tmp_t; ++files_tmp_file(pcp_tmp_t) ++ ++type pcp_tmpfs_t; ++files_tmpfs_file(pcp_tmpfs_t) ++ ++######################################## ++# ++# pcp domain local policy ++# ++ ++allow pcp_domain self:capability { setuid setgid dac_override }; ++ ++manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t) ++manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t) ++logging_log_filetrans(pcp_domain, pcp_log_t, { dir }) ++ ++manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t) ++files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir}) ++ ++manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t) ++files_pid_filetrans(pcp_domain, pcp_var_run_t, { file }) ++ ++manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) ++manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t) ++files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file }) ++ ++manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) ++manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) ++fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file }) ++ ++dev_read_urand(pcp_domain) ++ ++auth_read_passwd(pcp_domain) ++ ++miscfiles_read_generic_certs(pcp_domain) ++ ++sysnet_read_config(pcp_domain) ++ ++######################################## ++# ++# pcp_pmcd local policy ++# ++ ++allow pcp_pmcd_t self:process { setsched signal }; ++allow pcp_pmcd_t self:netlink_route_socket create_socket_perms; ++allow pcp_pmcd_t self:tcp_socket create_socket_perms; ++allow pcp_pmcd_t self:tcp_socket listen; ++allow pcp_pmcd_t self:udp_socket create_socket_perms; ++allow pcp_pmcd_t 
self:unix_dgram_socket create_socket_perms;; ++ ++kernel_read_system_state(pcp_pmcd_t) ++kernel_read_network_state(pcp_pmcd_t) ++kernel_read_state(pcp_pmcd_t) ++ ++corecmd_exec_bin(pcp_pmcd_t) ++ ++dev_read_sysfs(pcp_pmcd_t) ++ ++domain_read_all_domains_state(pcp_pmcd_t) ++ ++auth_use_nsswitch(pcp_pmcd_t) ++ ++optional_policy(` ++ dbus_system_bus_client(pcp_pmcd_t) ++ ++ optional_policy(` ++ avahi_dbus_chat(pcp_pmcd_t) ++ ') ++') ++ ++######################################## ++# ++# pcp_pmproxy local policy ++# ++ ++allow pcp_pmproxy_t self:process setsched; ++allow pcp_pmproxy_t self:tcp_socket listen; ++allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms; ++allow pcp_pmproxy_t self:tcp_socket create_socket_perms; ++allow pcp_pmproxy_t self:udp_socket create_socket_perms; ++ ++auth_use_nsswitch(pcp_pmproxy_t) ++ ++######################################## ++# ++# pcp_pmwebd local policy ++# ++ ++allow pcp_pmwebd_t self:tcp_socket listen; ++allow pcp_pmwebd_t self:tcp_socket create_socket_perms; ++ ++corenet_tcp_bind_generic_node(pcp_pmwebd_t) ++ ++######################################## ++# ++# pcp_pmmgr local policy ++# ++ ++allow pcp_pmmgr_t self:process { setpgid signal signull }; ++ ++kernel_read_system_state(pcp_pmmgr_t) ++ ++corecmd_exec_bin(pcp_pmmgr_t) ++ ++auth_use_nsswitch(pcp_pmmgr_t) diff --git a/pcscd.if b/pcscd.if index 43d50f9..7f77d32 100644 --- a/pcscd.if @@ -57603,7 +58006,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..b4c36a9 100644 +index 608f454..a5787c2 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -57622,7 +58025,7 @@ index 608f454..b4c36a9 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,290 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,293 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) 
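Review bot: In the new pcp.te, `allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;` carries a doubled semicolon; it should be `allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;`. In pcp.fc the init-script entry `/etc/rc\.d/init\.d/pmwie` appears to be a typo for `pmie` (the matching executable is `/usr/libexec/pcp/bin/pmie`), which would leave the real pmie init script without the pcp_pmie_initrc_exec_t label. `files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})` is missing the closing space and should be written `{ dir }` like the neighbouring calls. The `pcp_admin` interface only applies `admin_pattern` to pcp_var_run_t, so an administrator role gets no management of pcp_log_t or pcp_var_lib_t; if that is intended it deserves a comment, otherwise add the two types to the gen_require block and corresponding `admin_pattern` lines.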
@@ -57779,6 +58182,7 @@ index 608f454..b4c36a9 100644 +dev_read_urand(pegasus_openlmi_system_t) + +systemd_config_power_services(pegasus_openlmi_system_t) ++systemd_dbus_chat_logind(pegasus_openlmi_system_t) + +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_system_t) @@ -57860,6 +58264,8 @@ index 608f454..b4c36a9 100644 +udev_domtrans(pegasus_openlmi_storage_t) +udev_read_pid_files(pegasus_openlmi_storage_t) + ++miscfiles_read_hwdata(pegasus_openlmi_storage_t) ++ +optional_policy(` + dmidecode_domtrans(pegasus_openlmi_storage_t) +') @@ -57918,7 +58324,7 @@ index 608f454..b4c36a9 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +323,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +326,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -57949,7 +58355,7 @@ index 608f454..b4c36a9 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +349,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +352,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -57982,7 +58388,7 @@ index 608f454..b4c36a9 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +377,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +380,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -57994,7 +58400,7 @@ index 608f454..b4c36a9 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +393,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +396,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -58030,7 +58436,7 @@ index 608f454..b4c36a9 100644 ') optional_policy(` -@@ -151,16 +427,24 @@ optional_policy(` +@@ -151,16 +430,24 @@ optional_policy(` ') optional_policy(` @@ -58059,7 +58465,7 @@ index 608f454..b4c36a9 100644 ') optional_policy(` -@@ -168,7 +452,7 @@ optional_policy(` +@@ -168,7 +455,7 @@ optional_policy(` ') optional_policy(` @@ -59818,7 +60224,7 @@ index 30e751f..78fb7c6 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 3078ce9..d0cdb5d 100644 +index 3078ce9..d2f68fa 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; @@ -59858,13 +60264,13 @@ index 3078ce9..d0cdb5d 100644 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t) +@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t) fs_getattr_all_fs(plymouthd_t) -files_read_etc_files(plymouthd_t) -files_read_usr_files(plymouthd_t) - +- term_getattr_pty_fs(plymouthd_t) term_use_all_terms(plymouthd_t) term_use_ptmx(plymouthd_t) @@ -59890,12 +60296,16 @@ index 3078ce9..d0cdb5d 100644 ') optional_policy(` -@@ -90,35 +97,33 @@ optional_policy(` +@@ -90,35 +96,37 @@ optional_policy(` ') optional_policy(` - xserver_manage_xdm_spool_files(plymouthd_t) - xserver_read_xdm_state(plymouthd_t) ++ udev_read_pid_files(plymouthd_t) ++') ++ ++optional_policy(` + xserver_xdm_manage_spool(plymouthd_t) + xserver_read_state_xdm(plymouthd_t) ') 
@@ -73545,7 +73955,7 @@ index 47de2d6..a7e8263 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..f1ee87e 100644 +index c8bdea2..1337d42 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -73916,7 +74326,7 @@ index c8bdea2..f1ee87e 100644 ') ###################################### -@@ -446,52 +497,360 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +497,361 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -74169,6 +74579,7 @@ index c8bdea2..f1ee87e 100644 + ') + + rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) ++ delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) +') + +##################################### @@ -74306,7 +74717,7 @@ index c8bdea2..f1ee87e 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..65c88c9 100644 +index 6cf79c4..00a6db2 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -74645,7 +75056,7 @@ index 6cf79c4..65c88c9 100644 +logging_send_syslog_msg(dlm_controld_t) + +optional_policy(` -+ corosync_rw_tmpfs(dlm_controld_t) ++ rhcs_rw_cluster_tmpfs(dlm_controld_t) +') + +optional_policy(` @@ -74682,7 +75093,15 @@ index 6cf79c4..65c88c9 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +433,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -140,6 +425,7 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) + + corenet_sendrecv_zented_server_packets(fenced_t) + corenet_tcp_bind_zented_port(fenced_t) ++corenet_udp_bind_zented_port(fenced_t) + corenet_tcp_sendrecv_zented_port(fenced_t) + + corenet_sendrecv_http_client_packets(fenced_t) +@@ -148,9 +434,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) 
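Review bot: The interface patched in the -74169 hunk (presumably `rhcs_rw_cluster_tmpfs`, going by the changelog) now also grants `delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)`, so a caller asking for read/write access to cluster tmpfs files also gets unlink, which neither the interface name nor its summary convey. Keep the name if callers depend on it, but make the summary honest, e.g. `## Read, write, and delete cluster tmpfs files.`, or move the delete into a separate interface so callers opt in. The dlm_controld_t caller added in the -74645 hunk wraps this call in `optional_policy`; rhcs.if and rhcs.te are the same module, so the wrapper is unnecessary and hides nothing. The interface definition itself starts outside the hunk.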
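Review bot: In the -74682 hunk, `corenet_udp_bind_zented_port(fenced_t)` is added without a matching `corenet_udp_sendrecv_zented_port(fenced_t)`, while the same block pairs `corenet_tcp_bind_zented_port` with `corenet_tcp_sendrecv_zented_port` and the hunk header shows UDP sendrecv being granted per port (`corenet_udp_sendrecv_ionixnetmon_port`). Unless fenced_t receives UDP sendrecv on all ports elsewhere (not visible here), binding alone will not let it exchange datagrams on that port; if it needs to, add `corenet_udp_sendrecv_zented_port(fenced_t)` next to the bind. The fenced_t section begins outside the hunk.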
@@ -74693,7 +75112,7 @@ index 6cf79c4..65c88c9 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +443,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +444,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -74702,7 +75121,7 @@ index 6cf79c4..65c88c9 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +465,8 @@ optional_policy(` +@@ -182,7 +466,8 @@ optional_policy(` ') optional_policy(` @@ -74712,7 +75131,7 @@ index 6cf79c4..65c88c9 100644 ') optional_policy(` -@@ -190,12 +474,12 @@ optional_policy(` +@@ -190,12 +475,12 @@ optional_policy(` ') optional_policy(` @@ -74728,7 +75147,7 @@ index 6cf79c4..65c88c9 100644 ') optional_policy(` -@@ -203,6 +487,13 @@ optional_policy(` +@@ -203,6 +488,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -74742,7 +75161,7 @@ index 6cf79c4..65c88c9 100644 ####################################### # # foghorn local policy -@@ -221,16 +512,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +513,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -74763,7 +75182,7 @@ index 6cf79c4..65c88c9 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +550,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +551,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -74772,7 +75191,7 @@ index 6cf79c4..65c88c9 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +570,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +571,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) 
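Review bot: In the -75425 hunk, the summary line that ends up preceding the new `rhsmcertd_manage_pid_files` interface reads `## Read rhsmcertd PID files.`, while the body uses `manage_files_pattern` (create, read, write, delete); if the inner hunk is placed as it reads here, the documentation understates the grant and `## Create, read, write, and delete rhsmcertd PID files.` would match the body. The re-added header for `rhsmcertd_rw_inherited_lock_files` carries the typo `## Read/wirte inherited lock files.` over into new lines; `## Read/write inherited lock files.`.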
@@ -74814,7 +75233,7 @@ index 6cf79c4..65c88c9 100644 ###################################### # # qdiskd local policy -@@ -321,6 +645,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +646,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -75320,7 +75739,7 @@ index 0000000..0e965c3 + rpm_domtrans(rhnsd_t) +') diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905..78746ef 100644 +index 6dbc905..4b17c93 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -75425,14 +75844,33 @@ index 6dbc905..78746ef 100644 ## -## Connect to rhsmcertd with a -## unix domain stream socket. -+## Read/wirte inherited lock files. ++## Read rhsmcertd PID files. ## ## ## -@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',` +@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',` ## ## # ++interface(`rhsmcertd_manage_pid_files',` ++ gen_require(` ++ type rhsmcertd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t) ++') ++ ++######################################## ++## ++## Read/wirte inherited lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`rhsmcertd_rw_inherited_lock_files',` + gen_require(` + type rhsmcertd_lock_t; @@ -75456,7 +75894,7 @@ index 6dbc905..78746ef 100644 interface(`rhsmcertd_stream_connect',` gen_require(` type rhsmcertd_t, rhsmcertd_var_run_t; -@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',` +@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',` ###################################### ## @@ -75500,7 +75938,7 @@ index 6dbc905..78746ef 100644 ## ## ## -@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` +@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` ## ## ## 
@@ -75532,24 +75970,24 @@ index 6dbc905..78746ef 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') - -- logging_search_logs($1) -- admin_pattern($1, rhsmcertd_log_t) ++ + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rhsmcertd_initrc_exec_t system_r; + allow $2 system_r; -- files_search_var_lib($1) -- admin_pattern($1, rhsmcertd_var_lib_t) +- logging_search_logs($1) +- admin_pattern($1, rhsmcertd_log_t) + logging_search_logs($1) + admin_pattern($1, rhsmcertd_log_t) -- files_search_pids($1) -- admin_pattern($1, rhsmcertd_var_run_t) +- files_search_var_lib($1) +- admin_pattern($1, rhsmcertd_var_lib_t) + files_search_var_lib($1) + admin_pattern($1, rhsmcertd_var_lib_t) -+ + +- files_search_pids($1) +- admin_pattern($1, rhsmcertd_var_run_t) + files_search_pids($1) + admin_pattern($1, rhsmcertd_var_run_t) + @@ -77358,7 +77796,7 @@ index ebe91fc..576ca21 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..064712b 100644 +index ef3b225..d248cd3 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -77589,12 +78027,10 @@ index ef3b225..064712b 100644 - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. +## +## @@ -77609,10 +78045,12 @@ index ef3b225..064712b 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. ## ## 
@@ -77817,7 +78255,7 @@ index ef3b225..064712b 100644 ## ## ## -@@ -573,66 +688,104 @@ interface(`rpm_manage_pid_files',` +@@ -573,43 +688,54 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -77889,18 +78327,36 @@ index ef3b225..064712b 100644 ## ## ## - ## Domain allowed access. +@@ -617,22 +743,56 @@ interface(`rpm_pid_filetrans_rpm_pid',` ## ## -+# + ## +-## +-## Role allowed access. +-## ++## ++## Role allowed access. ++## + ## +-## + # +-interface(`rpm_admin',` +interface(`rpm_transition_script',` -+ gen_require(` + gen_require(` +- type rpm_t, rpm_script_t, rpm_initrc_exec_t; +- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; +- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; +- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; + type rpm_script_t; + attribute rpm_transition_domain; -+ ') -+ ++ attribute_role rpm_script_roles; + ') + +- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { rpm_t rpm_script_t }) + typeattribute $1 rpm_transition_domain; + allow $1 rpm_script_t:process transition; ++ roleattribute $2 rpm_script_roles; + + allow $1 rpm_script_t:fd use; + allow rpm_script_t $1:fd use; @@ -77918,23 +78374,14 @@ index ef3b225..064712b 100644 +## Domain allowed access. +## +## - ## --## --## Role allowed access. --## ++## +## +## Role allowed access. +## - ## - ## - # - interface(`rpm_admin',` -- gen_require(` -- type rpm_t, rpm_script_t, rpm_initrc_exec_t; -- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; -- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; -- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; -- ') ++## ++## ++# ++interface(`rpm_admin',` + gen_require(` + type rpm_t, rpm_script_t, rpm_initrc_exec_t; + type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; 
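Review bot: `rpm_transition_script` now takes a mandatory second argument (`roleattribute $2 rpm_script_roles;`), which is an interface signature change: any caller that still passes a single argument has `$2` expand to nothing, producing `roleattribute  rpm_script_roles;`, which should fail at policy build. Every caller has to be updated in the same change (none are visible in this hunk), or the role line guarded with an m4 ifelse on an empty `$2` if one-argument callers are meant to keep working. The hunk also does not show what consumes `rpm_script_roles` (a role_transition in rpm.te, presumably); that lives outside the hunk.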
@@ -77942,16 +78389,14 @@ index ef3b225..064712b 100644 + type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; + type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t; + ') - -- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { rpm_t rpm_script_t }) ++ + allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { rpm_t rpm_script_t }) init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rpm.te b/rpm.te -index 6fc360e..955caa1 100644 +index 6fc360e..8c53520 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -78349,7 +78794,7 @@ index 6fc360e..955caa1 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +379,59 @@ ifdef(`distro_redhat',` +@@ -363,41 +379,63 @@ ifdef(`distro_redhat',` ') ') @@ -78369,6 +78814,10 @@ index 6fc360e..955caa1 100644 + +optional_policy(` + cups_filetrans_named_content(rpm_script_t) ++') ++ ++optional_policy(` ++ sblim_filetrans_named_content(rpm_script_t) ') optional_policy(` @@ -78420,7 +78869,7 @@ index 6fc360e..955caa1 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +443,6 @@ optional_policy(` +@@ -409,6 +447,6 @@ optional_policy(` ') optional_policy(` @@ -79319,10 +79768,10 @@ index 0000000..0ec3302 +') diff --git a/rtas.te b/rtas.te new file mode 100644 -index 0000000..4e6663f +index 0000000..52a39f8 --- /dev/null +++ b/rtas.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,62 @@ +policy_module(rtas, 1.0.0) + +######################################## @@ -79351,7 +79800,7 @@ index 0000000..4e6663f +# rtas_errd local policy +# + -+allow rtas_errd_t self:capability sys_admin; ++allow rtas_errd_t self:capability { chown sys_admin }; +allow rtas_errd_t self:process fork; +allow rtas_errd_t self:fifo_file rw_fifo_file_perms; +allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms; 
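Review bot: `allow rtas_errd_t self:capability { chown sys_admin };` widens a domain that, per the next rtas.te hunk, also holds `dev_read_raw_memory`/`dev_write_raw_memory`, and nothing in the hunk or the visible changelog lines says what needs CAP_CHOWN. A one-line why-comment above the rule, `# chown: <operation that needs it - TODO confirm>`, would let the next reviewer tell a required grant from a leftover. The rtas_errd_t section begins outside the hunk.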
@@ -79376,6 +79825,8 @@ index 0000000..4e6663f + +corecmd_exec_bin(rtas_errd_t) + ++dev_read_rand(rtas_errd_t) ++dev_read_urand(rtas_errd_t) +dev_read_raw_memory(rtas_errd_t) +dev_write_raw_memory(rtas_errd_t) + @@ -83196,7 +83647,7 @@ index 68a550d..e976fc6 100644 /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if -index 98c9e0a..df51942 100644 +index 98c9e0a..d4aa009 100644 --- a/sblim.if +++ b/sblim.if @@ -1,8 +1,36 @@ @@ -83247,25 +83698,41 @@ index 98c9e0a..df51942 100644 ## ## ## -@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',` +@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',` ######################################## ## -## All of the rules required to -## administrate an sblim environment. -+## All of the rules required to administrate -+## an gatherd environment ++## Transition to sblim named content ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain allowed access. ## ## -## --## ++# ++interface(`sblim_filetrans_named_content',` ++ gen_require(` ++ type sblim_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, sblim_var_run_t, dir, "gather") ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gatherd environment ++## ++## + ## -## Role allowed access. --## --## ++## Domain allowed access. + ## + ## ## # interface(`sblim_admin',` @@ -86392,7 +86859,7 @@ index 0000000..ad232be + mount_domtrans(snapperd_t) +') diff --git a/snmp.fc b/snmp.fc -index 2f0a2f2..77bdf95 100644 +index 2f0a2f2..1569e33 100644 --- a/snmp.fc +++ b/snmp.fc @@ -1,6 +1,6 @@ 
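Review bot: In the -83247 hunk, the moved `sblim_admin` summary keeps the grammar slip `## an gatherd environment`; `## a gatherd environment`. The new `sblim_filetrans_named_content` covers exactly one name, `"gather"` under the PID directory (matching the `/var/run/gather(/.*)?` context in sblim.fc), so its summary could say so rather than the generic `## Transition to sblim named content`, e.g. `## Create /var/run/gather with the sblim PID file label.`.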
@@ -86411,10 +86878,11 @@ index 2f0a2f2..77bdf95 100644 /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) +-/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + - /var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) --/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) ++/var/run/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/snmp.if b/snmp.if @@ -86709,7 +87177,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..399c345 100644 +index f2f507d..3d93f55 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -86871,7 +87339,7 @@ index f2f507d..399c345 100644 ') optional_policy(` -@@ -147,13 +195,33 @@ optional_policy(` +@@ -147,13 +195,34 @@ optional_policy(` ') optional_policy(` @@ -86887,6 +87355,7 @@ index f2f507d..399c345 100644 - rpm_dontaudit_manage_db(sosreport_t) - rpm_read_db(sosreport_t) + rhsmcertd_manage_lib_files(sosreport_t) ++ rhsmcertd_manage_pid_files(sosreport_t) +') + +optional_policy(` @@ -87476,7 +87945,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..ecd30f3 100644 +index cc58e35..6e9cde8 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) @@ -87549,7 +88018,7 @@ index cc58e35..ecd30f3 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +39,196 @@ type spamd_log_t; +@@ -72,87 +39,198 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; 
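Review bot: In the -86887 hunk, `rhsmcertd_manage_pid_files(sosreport_t)` lets sosreport create, write and unlink rhsmcertd's PID files, which is more than a report collector appears to need; if it only reads the PID file, `rhsmcertd_read_pid_files(sosreport_t)` (an existing interface, per the rhsmcertd.if hunk) is the least-privilege choice. If manage really is required, a short comment next to the call naming the operation that needs it would justify the wider grant. The enclosing optional_policy block starts outside the hunk.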
@@ -87686,6 +88155,8 @@ index cc58e35..ecd30f3 100644 +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") ++userdom_admin_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") +userdom_home_manager(spamassassin_t) + kernel_read_kernel_sysctls(spamassassin_t) @@ -87768,7 +88239,7 @@ index cc58e35..ecd30f3 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +236,8 @@ optional_policy(` +@@ -160,6 +238,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -87777,7 +88248,7 @@ index cc58e35..ecd30f3 100644 ') ######################################## -@@ -167,72 +245,85 @@ optional_policy(` +@@ -167,72 +247,85 @@ optional_policy(` # Client local policy # @@ -87894,7 +88365,7 @@ index cc58e35..ecd30f3 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +334,7 @@ optional_policy(` +@@ -243,6 +336,7 @@ optional_policy(` ') optional_policy(` @@ -87902,7 +88373,7 @@ index cc58e35..ecd30f3 100644 evolution_stream_connect(spamc_t) ') -@@ -251,10 +343,16 @@ optional_policy(` +@@ -251,10 +345,16 @@ optional_policy(` ') optional_policy(` @@ -87920,7 +88391,7 @@ index cc58e35..ecd30f3 100644 sendmail_stub(spamc_t) ') -@@ -267,36 +365,38 @@ optional_policy(` +@@ -267,36 +367,38 @@ optional_policy(` ######################################## # 
@@ -87976,7 +88447,7 @@ index cc58e35..ecd30f3 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +408,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +410,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -87986,7 +88457,7 @@ index cc58e35..ecd30f3 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +418,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +420,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -88002,7 +88473,7 @@ index cc58e35..ecd30f3 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +433,58 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +435,58 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -88105,7 +88576,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -421,21 +503,13 @@ optional_policy(` +@@ -421,21 +505,13 @@ optional_policy(` ') optional_policy(` @@ -88129,7 +88600,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -443,8 +517,8 @@ optional_policy(` +@@ -443,8 +519,8 @@ optional_policy(` ') optional_policy(` @@ -88139,7 +88610,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -455,7 +529,12 @@ optional_policy(` +@@ -455,7 +531,12 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) 
@@ -88153,7 +88624,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -463,9 +542,9 @@ optional_policy(` +@@ -463,9 +544,9 @@ optional_policy(` ') optional_policy(` @@ -88164,7 +88635,7 @@ index cc58e35..ecd30f3 100644 ') optional_policy(` -@@ -474,32 +553,32 @@ optional_policy(` +@@ -474,32 +555,32 @@ optional_policy(` ######################################## # @@ -88207,7 +88678,7 @@ index cc58e35..ecd30f3 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +587,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +589,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -93429,7 +93900,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..44b286b 100644 +index 393a330..0075849 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -93492,7 +93963,7 @@ index 393a330..44b286b 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +78,57 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +78,59 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -93514,10 +93985,12 @@ index 393a330..44b286b 100644 +auth_use_nsswitch(tuned_t) logging_send_syslog_msg(tuned_t) ++#bug in tuned ++logging_manage_syslog_config(tuned_t) ++ ++mount_read_pid_files(tuned_t) -miscfiles_read_localization(tuned_t) -+mount_read_pid_files(tuned_t) -+ +modutils_domtrans_insmod(tuned_t) udev_read_pid_files(tuned_t) @@ -96942,7 +97415,7 @@ index facdee8..3ad56e3 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index f03dcf5..11a3c6f 100644 +index f03dcf5..2249f86 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,197 @@ 
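Review bot: In the -93514 hunk, `logging_manage_syslog_config(tuned_t)` is a workaround for a tuned defect, as the added `#bug in tuned` comment and the changelog say, but the comment carries no bug reference and no removal condition, so the grant is likely to outlive the fix. Suggest `# Workaround: tuned rewrites syslog config (bug <tracker-id>); drop once fixed in tuned`, with the real tracker id filled in. Since this lets tuned_t modify the logging daemon's configuration, it is worth confirming that this is the narrowest interface that makes the failure go away.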
@@ -98204,7 +98677,7 @@ index f03dcf5..11a3c6f 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +926,23 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +926,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -98224,20 +98697,21 @@ index f03dcf5..11a3c6f 100644 -miscfiles_read_localization(virsh_t) +auth_read_passwd(virsh_t) - --sysnet_dns_name_resolve(virsh_t) ++ +logging_send_syslog_msg(virsh_t) + sysnet_dns_name_resolve(virsh_t) + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virsh_t) - fs_manage_fusefs_files(virsh_t) - fs_read_fusefs_symlinks(virsh_t) -') -+sysnet_dns_name_resolve(virsh_t) ++userdom_stream_connect(virsh_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +961,20 @@ optional_policy(` +@@ -856,14 +963,20 @@ optional_policy(` ') optional_policy(` @@ -98259,7 +98733,7 @@ index f03dcf5..11a3c6f 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +999,65 @@ optional_policy(` +@@ -888,49 +1001,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -98343,7 +98817,7 @@ index f03dcf5..11a3c6f 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1069,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1071,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -98363,7 +98837,7 @@ index f03dcf5..11a3c6f 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1090,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1092,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -98387,7 +98861,7 @@ index f03dcf5..11a3c6f 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1115,271 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1117,274 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -98420,12 +98894,12 @@ index f03dcf5..11a3c6f 100644 +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -98523,6 +98997,15 @@ index f03dcf5..11a3c6f 100644 + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') ++ ++optional_policy(` ++ docker_read_lib_files(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++') ++ ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; 
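Review bot: In the -98523 hunk, `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` lacks the space after the first comma that every other call in the block uses; `docker_lib_filetrans(svirt_sandbox_domain, svirt_sandbox_file_t, sock_file)`. The line is moved from later in the file (the -98607 hunk removes it), so this is the natural moment to normalise it.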
@@ -98607,26 +99090,17 @@ index f03dcf5..11a3c6f 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ docker_read_lib_files(svirt_sandbox_domain) -+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) -+') -+ -+optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ ssh_use_ptys(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ ssh_use_ptys(svirt_sandbox_domain) ++ udev_read_pid_files(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ udev_read_pid_files(svirt_sandbox_domain) -+') -+ -+optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) ') @@ -98654,10 +99128,6 @@ index f03dcf5..11a3c6f 100644 -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; -+ -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -98669,6 +99139,13 @@ index f03dcf5..11a3c6f 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') + +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; 
@@ -98677,16 +99154,13 @@ index f03dcf5..11a3c6f 100644 + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) +-corenet_sendrecv_all_client_packets(svirt_lxc_net_t) +-corenet_tcp_connect_all_ports(svirt_lxc_net_t) +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; --corenet_sendrecv_all_client_packets(svirt_lxc_net_t) --corenet_tcp_connect_all_ports(svirt_lxc_net_t) +kernel_read_irq_sysctls(svirt_lxc_net_t) - ++ +dev_read_sysfs(svirt_lxc_net_t) dev_getattr_mtrr_dev(svirt_lxc_net_t) dev_read_rand(svirt_lxc_net_t) @@ -98696,10 +99170,13 @@ index f03dcf5..11a3c6f 100644 files_read_kernel_modules(svirt_lxc_net_t) +fs_noxattr_type(svirt_sandbox_file_t) ++# Do we actually need these? fs_mount_cgroup(svirt_lxc_net_t) fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) +fs_manage_cgroup_files(svirt_lxc_net_t) ++# Needed for docker ++fs_unmount_xattr_fs(svirt_lxc_net_t) -auth_use_nsswitch(svirt_lxc_net_t) +term_pty(svirt_sandbox_file_t) @@ -98750,11 +99227,11 @@ index f03dcf5..11a3c6f 100644 +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) 
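Review bot: `fs_unmount_xattr_fs(svirt_lxc_net_t)` grants the sandbox domain unmount on every xattr-labelled filesystem type, as the interface name indicates, which is broader than the stated need (the changelog: unmounting the docker socket filesystem); a container domain that can unmount arbitrary xattr filesystems is a bigger grant than `# Needed for docker` conveys. The comment should name the concrete operation and say whether a narrower interface was considered, e.g. `# docker: unmounts the bind-mounted docker socket at container teardown; no narrower unmount interface found - TODO confirm`. Separately, `# Do we actually need these?` leaves an open question in shipped policy; resolve it or turn it into a tracked TODO. The svirt_lxc_net_t section starts outside the hunk.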
@@ -98797,7 +99274,7 @@ index f03dcf5..11a3c6f 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1392,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1397,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -98812,7 +99289,7 @@ index f03dcf5..11a3c6f 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1410,8 @@ optional_policy(` +@@ -1192,9 +1415,8 @@ optional_policy(` ######################################## # @@ -98823,7 +99300,7 @@ index f03dcf5..11a3c6f 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1424,198 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1429,198 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -101669,7 +102146,7 @@ index 0928c5d..d270a72 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..0f7c96d 100644 +index a64aad3..fe078eb 100644 --- a/xguest.te +++ b/xguest.te @@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0) @@ -101774,18 +102251,26 @@ index a64aad3..0f7c96d 100644 ') ') -@@ -84,12 +97,17 @@ optional_policy(` +@@ -84,12 +97,25 @@ optional_policy(` ') ') + optional_policy(` - apache_role(xguest_r, xguest_t) ++ abrt_dontaudit_read_config(xguest_t) ++') ++ ++optional_policy(` + colord_dbus_chat(xguest_t) +') + +optional_policy(` + chrome_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ thumb_role(xguest_r, xguest_t) ') optional_policy(` @@ -101794,7 +102279,7 @@ index a64aad3..0f7c96d 100644 ') optional_policy(` -@@ -97,75 +115,78 @@ optional_policy(` +@@ -97,75 +123,78 @@ optional_policy(` ') optional_policy(` 
@@ -101812,7 +102297,7 @@ index a64aad3..0f7c96d 100644 - kernel_read_network_state(xguest_t) + mount_run_fusermount(xguest_t, xguest_r) +') - ++ +optional_policy(` + pcscd_read_pid_files(xguest_t) + pcscd_stream_connect(xguest_t) @@ -101821,20 +102306,20 @@ index a64aad3..0f7c96d 100644 +optional_policy(` + rhsmcertd_dontaudit_dbus_chat(xguest_t) +') -+ + +optional_policy(` + tunable_policy(`xguest_connect_network',` networkmanager_dbus_chat(xguest_t) networkmanager_read_lib_files(xguest_t) + ') +') -+ -+optional_policy(` -+ tunable_policy(`xguest_connect_network',` -+ kernel_read_network_state(xguest_t) - corenet_all_recvfrom_unlabeled(xguest_t) - corenet_all_recvfrom_netlabel(xguest_t) ++optional_policy(` ++ tunable_policy(`xguest_connect_network',` ++ kernel_read_network_state(xguest_t) ++ + corenet_tcp_connect_pulseaudio_port(xguest_t) corenet_tcp_sendrecv_generic_if(xguest_t) corenet_raw_sendrecv_generic_if(xguest_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index bc5e1462..74e736aa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -576,6 +576,61 @@ SELinux Reference policy mls base module. %endif %changelog
+* Fri Jan 17 2014 Miroslav Grepl 3.13.1-14
+- Make rpm_transition_script accept a role
+- Clean up pcp.te
+- Added new policy for pcp
+- Allow bumbleed to connect to xserver port
+- Added support for named-sdb in bind policy
+- Allow NetworkManager to signal and sigkill init scripts
+- Allow pegasus_openlmi_storage_t to read hwdata
+- Fix rhcs_rw_cluster_tmpfs()
+- Allow fenced_t to bind on zented udp port
+- Fix mirrormanager_read_lib_files()
+- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files
+- Dontaudit read/write to init stream socket for lsmd_plugin_t
+- Allow automount to read nfs link files
+- Allow lsm plugins to read/write lsmd stream socket
+- Allow svirt_lxc domains to umount dockersocket filesytem
+- Allow gnome keyring domains to create gnome config dirs
+- Allow rpm scritplets to create /run/gather with correct labeling
+- Add sblim_filetrans_named_content() interface
+- Allow ctdb to create sock files in /var/run/ctdb
+- Add also labeling for /var/run/ctdb
+- Add missing labeling for /var/lib/ctdb
+- ALlow tuned to manage syslog.conf. Should be fixed in tuned. 
#1030446
+- Dontaudit hypervkvp to search homedirs
+- Dontaudit hypervkvp to search admin homedirs
+- Allow hypervkvp to execute bin_t and ifconfig in the caller domain
+- Dontaudit xguest_t to read ABRT conf files
+- Add abrt_dontaudit_read_config()
+- Allow namespace-init to getattr on fs
+- Add thumb_role() also for xguest
+- Add filename transitions to create .spamassassin with correct labeling
+- Allow apache domain to read mirrormanager pid files
+- Allow domains to read/write shm and sem owned by mozilla_plugin_t
+- Allow alsactl to send a generic signal to kernel_t
+- Allow plymouthd to read run/udev/queue.bin
+- Allow sys_chroot for NM required by iodine service
+- Change glusterd to allow mounton all non security
+- Labeled ~/.nv/GLCache as being gstreamer output
+- Restrict the ability to set usermodehelpers and proc security settings.
+- Limit the ability to write to the files that configure kernel i
+- usermodehelpers and security-sensitive proc settings to the init domain. i
+- Permissive domains can also continue to set these values.
+- The current list is not exhaustive, just an initial set.
+- Not all of these files will exist on all kernels/devices.
+- Controlling access to certain kernel usermodehelpers, e.g. cgroup
+- release_agent, will require kernel changes to support and cannot be
+- addressed here.
+- Ideas come from Stephen Smalley and seandroid
+- Make rpm_transition_script accept a role
+- Make rpm_transition_script accept a role
+- Allow NetworkManager to signal and sigkill init scripts
+- Allow init_t to work on transitient and snapshot unit files
+- Add logging_manage_syslog_config()
+- Update sysnet_dns_name_resolve() to allow connect to dnssec port
+
 * Mon Jan 13 2014 Miroslav Grepl 3.13.1-13
 - Remove file_t from the system and realias it with unlabeled_t