From 3b489b72053eae989cb16ecd1776dada3556f538 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 29 Aug 2013 16:00:31 +0200 Subject: [PATCH] * Thu Aug 29 2013 Miroslav Grepl 3.12.1-74 - Add selinux-policy-sandbox pkg --- policy-rawhide-base.patch | 203 +++++--- policy-rawhide-contrib.patch | 903 ++++++++++++++++++++--------------- selinux-policy.spec | 5 +- 3 files changed, 656 insertions(+), 455 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a6f54f77..a8e95ddb 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3046,7 +3046,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..51181b8 100644 +index 644d4d7..f9bcd44 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
@@ -3350,7 +3350,15 @@ index 644d4d7..51181b8 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +457,15 @@ ifdef(`distro_suse', ` +@@ -342,6 +416,7 @@ ifdef(`distro_redhat', ` + /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) +@@ -383,11 +458,15 @@ ifdef(`distro_suse', ` # # /var # @@ -3367,7 +3375,7 @@ index 644d4d7..51181b8 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +475,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +476,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -8283,7 +8291,7 @@ index 6529bd9..831344c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..57cc8d1 100644 +index 6a1e4d1..84e8030 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` 
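Review bot: The new file-context entry `/usr/share/system-config-selinux/polgengui.py` leaves the dot unescaped, unlike the neighbouring `polgen\.py` and `system-config-selinux\.py` entries; file_contexts paths are regular expressions, so the bare `.` matches any character and the line is inconsistent with the rest of the file. Suggest `/usr/share/system-config-selinux/polgengui\.py -- gen_context(system_u:object_r:bin_t,s0)`. Because this is a patch inside policy-rawhide-base.patch, the fix belongs on the inner `+` line of corecommands.fc.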
@@ -8426,7 +8434,7 @@ index 6a1e4d1..57cc8d1 100644 ## Unconfined access to domains. ## ## -@@ -1530,4 +1561,45 @@ interface(`domain_unconfined',` +@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -8471,6 +8479,24 @@ index 6a1e4d1..57cc8d1 100644 + ') + + allow $1 domain:process transition; ++') ++ ++######################################## ++## ++## Do not audit attempts to access check /proc ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`domain_dontaudit_access_check',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index cf04cb5..2b917b5 100644 @@ -17142,7 +17168,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..98d1e34 100644 +index 88d0028..897634a 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) @@ -17581,7 +17607,7 @@ index 88d0028..98d1e34 100644 virt_stream_connect(sysadm_t) + virt_filetrans_home_content(sysadm_t) + virt_manage_pid_dirs(sysadm_t) -+ virt_transition_svirt_lxc(sysadm_t, sysadm_r) ++ virt_transition_svirt_sandbox(sysadm_t, sysadm_r) ') optional_policy(` @@ -18396,7 +18422,7 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..d74943c +index 0000000..36f6ee2 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,332 @@ 
@@ -18723,7 +18749,7 @@ index 0000000..d74943c + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) -+ virt_transition_svirt_lxc(unconfined_t, unconfined_r) ++ virt_transition_svirt_sandbox(unconfined_t, unconfined_r) +') + +optional_policy(` @@ -20223,7 +20249,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..2d08ed2 100644 +index 5fc0391..7931fba 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20602,8 +20628,8 @@ index 5fc0391..2d08ed2 100644 optional_policy(` + kernel_write_proc_files(sshd_t) -+ virt_transition_svirt_lxc(sshd_t, system_r) -+ virt_stream_connect_lxc(sshd_t) ++ virt_transition_svirt_sandbox(sshd_t, system_r) ++ virt_stream_connect_sandbox(sshd_t) + virt_stream_connect(sshd_t) +') + @@ -20975,7 +21001,7 @@ index d1f64a0..8f50bb9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..307cefc 100644 +index 6bf0ecc..9b46e11 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ 
@@ -21204,14 +21230,18 @@ index 6bf0ecc..307cefc 100644 class x_synthetic_event all_x_synthetic_event_perms; + class x_client destroy; + class x_server manage; -+ class x_screen { saver_setattr saver_hide saver_show }; ++ class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor }; + class x_pointer { get_property set_property manage }; -+ class x_keyboard { read manage }; ++ class x_keyboard { read manage freeze }; ') ############################## -@@ -386,6 +328,15 @@ template(`xserver_common_x_domain_template',` - allow $2 xevent_t:{ x_event x_synthetic_event } receive; +@@ -383,9 +325,18 @@ template(`xserver_common_x_domain_template',` + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; + # can receive default events + allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; +- allow $2 xevent_t:{ x_event x_synthetic_event } receive; ++ allow $2 xevent_t:{ x_event x_synthetic_event } { send receive }; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; + @@ -21220,9 +21250,9 @@ index 6bf0ecc..307cefc 100644 + + allow $2 root_xdrawable_t:x_drawable write; + allow $2 xserver_t:x_server manage; -+ allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show }; ++ allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show }; + allow $2 xserver_t:x_pointer { get_property set_property manage }; -+ allow $2 xserver_t:x_keyboard { read manage }; ++ allow $2 xserver_t:x_keyboard { read manage freeze }; ') ####################################### 
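Review bot: `allow $2 xevent_t:{ x_event x_synthetic_event } { send receive }` now lets every X client domain built from xserver_common_x_domain_template send generic events, and the same hunk grants all of them `freeze` on the server keyboard and `show_cursor hide_cursor` on the screen; since this template is what separates ordinary X clients from one another, each widening deserves a one-line comment naming the denial it resolves so a later reviewer can judge whether it should go to the one domain that needs it instead. If `freeze` corresponds to synchronous keyboard grabs, it presumably lets any client stall keyboard delivery to the others, which is a denial-of-service vector worth calling out explicitly, e.g. `# freeze: needed by <client>, allows halting keyboard event processing — confirm`. The template's header and remaining rules are outside the hunk, so the full set of callers cannot be checked here.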
@@ -21903,32 +21933,36 @@ index 6bf0ecc..307cefc 100644 ## ## ## -@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` - type xserver_t; -+ type xserver_t, root_xdrawable_t; ++ type xserver_t, root_xdrawable_t, xevent_t; class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; + class x_screen all_x_screen_perms; + class x_drawable { manage }; + attribute x_domain; -+ class x_drawable { read manage setattr show }; -+ class x_resource { write read }; ++ class x_drawable all_x_drawable_perms; ++ class x_resource all_x_resource_perms; ++ class x_synthetic_event all_x_synthetic_event_perms; ++ class x_cursor all_x_cursor_perms; ') allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + allow $1 xserver_t:{ x_screen } setattr; + -+ allow $1 x_domain:x_drawable { read manage setattr show }; -+ allow $1 x_domain:x_resource { write read }; -+ allow $1 root_xdrawable_t:x_drawable { manage read }; ++ allow $1 x_domain:x_cursor all_x_cursor_perms; ++ allow $1 x_domain:x_drawable all_x_drawable_perms; ++ allow $1 x_domain:x_resource all_x_resource_perms; ++ allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms; ++ allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms; ') ######################################## -@@ -1284,10 +1654,623 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1658,623 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -22555,7 +22589,7 @@ index 6bf0ecc..307cefc 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..0c869cb 100644 +index 2696452..b67997e 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` 
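Review bot: The gen_require block of xserver_manage_core_devices now declares `class x_drawable` twice — the pre-existing `class x_drawable { manage };` and the new `class x_drawable all_x_drawable_perms;` — so the first declaration should be dropped. More substantively, the interface is still named and summarised as managing core devices, yet it now grants `all_x_drawable_perms`, `all_x_resource_perms` and `all_x_cursor_perms` over every `x_domain` plus full synthetic-event rights on `xevent_t`, which is close to xserver_unconfined for window contents; either the summary (outside the hunk) should say so, or the new rules should move to a separately named interface so callers that only need device access do not inherit them. Which caller needs the wider set is not visible in this chunk.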
@@ -23059,7 +23093,7 @@ index 2696452..0c869cb 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +557,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23083,6 +23117,7 @@ index 2696452..0c869cb 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) ++dev_rw_wireless(xdm_t) dev_getattr_xserver_misc_dev(xdm_t) dev_setattr_xserver_misc_dev(xdm_t) +dev_rw_xserver_misc(xdm_t) @@ -23112,7 +23147,7 @@ index 2696452..0c869cb 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +609,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +610,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23141,7 +23176,7 @@ index 2696452..0c869cb 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +639,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23190,7 +23225,7 @@ index 2696452..0c869cb 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +686,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
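Review bot: `dev_rw_wireless(xdm_t)` is added without a comment among device rules for xdm_t that are otherwise all display-related, so the reason the display manager needs write access to wireless control devices is lost; a line such as `# wireless/rfkill control from the login screen — confirm which component requests it` would record it. If the access is only needed by a helper xdm spawns, a domain transition for that helper would keep the permission out of xdm_t itself. The requesting component cannot be determined from this hunk.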
@@ -23341,7 +23376,7 @@ index 2696452..0c869cb 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +837,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23368,7 +23403,7 @@ index 2696452..0c869cb 100644 ') optional_policy(` -@@ -514,12 +864,56 @@ optional_policy(` +@@ -514,12 +865,56 @@ optional_policy(` ') optional_policy(` @@ -23425,7 +23460,7 @@ index 2696452..0c869cb 100644 hostname_exec(xdm_t) ') -@@ -537,28 +931,78 @@ optional_policy(` +@@ -537,28 +932,78 @@ optional_policy(` ') optional_policy(` @@ -23513,7 +23548,7 @@ index 2696452..0c869cb 100644 ') optional_policy(` -@@ -570,6 +1014,14 @@ optional_policy(` +@@ -570,6 +1015,14 @@ optional_policy(` ') optional_policy(` @@ -23528,7 +23563,16 @@ index 2696452..0c869cb 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1046,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -584,7 +1037,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; + type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; + + allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; +-allow xserver_t input_xevent_t:x_event send; ++allow xserver_t xevent_type:x_event send; + + # setuid/setgid for the wrapper program to change UID + # sys_rawio is for iopl access - should not be needed for frame-buffer +@@ -594,8 +1047,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -23541,7 +23585,7 @@ index 2696452..0c869cb 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1063,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1064,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23557,7 +23601,7 @@ index 2696452..0c869cb 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1079,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1080,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23568,7 +23612,7 @@ index 2696452..0c869cb 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1094,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1095,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23590,7 +23634,7 @@ index 2696452..0c869cb 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1114,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1115,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23604,7 +23648,7 @@ index 2696452..0c869cb 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1140,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1141,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23636,7 +23680,7 @@ index 2696452..0c869cb 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1172,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23654,7 +23698,7 @@ index 2696452..0c869cb 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1195,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1196,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23678,7 +23722,7 @@ index 2696452..0c869cb 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1214,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23687,7 +23731,7 @@ index 2696452..0c869cb 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1258,44 @@ optional_policy(` +@@ -775,16 +1259,44 @@ optional_policy(` ') optional_policy(` 
@@ -23733,7 +23777,7 @@ index 2696452..0c869cb 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1304,10 @@ optional_policy(` +@@ -793,6 +1305,10 @@ optional_policy(` ') optional_policy(` @@ -23744,7 +23788,7 @@ index 2696452..0c869cb 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1323,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23758,7 +23802,7 @@ index 2696452..0c869cb 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1334,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23767,7 +23811,7 @@ index 2696452..0c869cb 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1347,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1348,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23802,7 +23846,7 @@ index 2696452..0c869cb 100644 ') optional_policy(` -@@ -902,7 +1412,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23811,7 +23855,7 @@ index 2696452..0c869cb 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1466,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23843,7 +23887,7 @@ index 2696452..0c869cb 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1512,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1513,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -25895,10 +25939,10 @@ index 9dfecf7..6d00f5c 100644 + +/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index f6cbda9..8c37105 100644 +index f6cbda9..51e9aef 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te -@@ -23,39 +23,47 @@ dontaudit hostname_t self:capability sys_tty_config; +@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config; kernel_list_proc(hostname_t) kernel_read_proc_symlinks(hostname_t) @@ -25925,8 +25969,7 @@ index f6cbda9..8c37105 100644 term_dontaudit_use_console(hostname_t) -term_use_all_ttys(hostname_t) -term_use_all_ptys(hostname_t) -+term_use_all_inherited_ttys(hostname_t) -+term_use_all_inherited_ptys(hostname_t) ++term_use_all_inherited_terms(hostname_t) init_use_fds(hostname_t) init_use_script_fds(hostname_t) @@ -28848,7 +28891,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..323d9ec 100644 +index 9e54bf9..bc0e6c2 100644 --- a/policy/modules/system/ipsec.te 
+++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28930,7 +28973,7 @@ index 9e54bf9..323d9ec 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t) +@@ -165,16 +176,22 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -28945,7 +28988,16 @@ index 9e54bf9..323d9ec 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -187,10 +200,10 @@ optional_policy(` + + optional_policy(` ++ iptables_domtrans(ipsec_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ipsec_t) + ') + +@@ -187,10 +204,10 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -28960,7 +29012,7 @@ index 9e54bf9..323d9ec 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -210,10 +223,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +@@ -210,10 +227,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) @@ -28973,7 +29025,7 @@ index 9e54bf9..323d9ec 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -28990,7 +29042,7 @@ index 9e54bf9..323d9ec 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) 
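Review bot: `iptables_domtrans(ipsec_t)` lets the IKE daemon, which parses packets from the network, transition into iptables_t and rewrite the host firewall; that is a significant widening for a network-facing domain and warrants a comment stating which hook or updown script needs it and why it runs as ipsec_t rather than ipsec_mgmt_t, which this same file already gives shell and bin execution rights. If the calls come from a script pluto executes, confining that script's path would be narrower than granting the transition to the whole daemon domain. The new optional_policy block is complete within the hunk.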
@@ -28999,7 +29051,7 @@ index 9e54bf9..323d9ec 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -29011,7 +29063,7 @@ index 9e54bf9..323d9ec 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -29035,7 +29087,7 @@ index 9e54bf9..323d9ec 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +352,10 @@ optional_policy(` +@@ -322,6 +356,10 @@ optional_policy(` ') optional_policy(` @@ -29046,7 +29098,7 @@ index 9e54bf9..323d9ec 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +369,7 @@ optional_policy(` +@@ -335,7 +373,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -29055,7 +29107,7 @@ index 9e54bf9..323d9ec 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +408,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -29075,7 +29127,7 @@ index 9e54bf9..323d9ec 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +438,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) 
@@ -29088,7 +29140,7 @@ index 9e54bf9..323d9ec 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -33769,7 +33821,7 @@ index 3822072..ec95692 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..063ef61 100644 +index ec01d0b..59ed766 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -34297,7 +34349,7 @@ index ec01d0b..063ef61 100644 ') ######################################## -@@ -522,108 +598,189 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +598,191 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -34565,6 +34617,8 @@ index ec01d0b..063ef61 100644 + +files_rw_inherited_generic_pid_files(setfiles_domain) +files_rw_inherited_generic_pid_files(policy_manager_domain) ++files_create_boot_flag(policy_manager_domain, ".autorelabel") ++files_delete_boot_flag(policy_manager_domain) + optional_policy(` - hotplug_use_fds(setfiles_t) @@ -42960,7 +43014,7 @@ index 3c5dba7..5dc956a 100644 + dontaudit $1 user_home_type:dir_file_class_set audit_access; ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..211263f 100644 +index e2b538b..3a775a7 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) 
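Review bot: `files_create_boot_flag(policy_manager_domain, ".autorelabel")` and `files_delete_boot_flag(policy_manager_domain)` let every policy-manager domain schedule or cancel a full filesystem relabel on the next boot, and nothing says which tool needs it; a comment such as `# presumably fixfiles onboot / semanage creating and removing /.autorelabel — confirm` would help. The refpolicy files_create_boot_flag interface takes a single domain argument, so the two-argument form relies on the Fedora variant in files.if accepting a file name for the named transition, and that interface is not in this diff. The delete interface presumably also covers the other root-level boot-flag files of the same type, not only `.autorelabel`, which is worth noting next to the rule.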
@@ -43048,7 +43102,7 @@ index e2b538b..211263f 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +82,227 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -43106,6 +43160,7 @@ index e2b538b..211263f 100644 +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms; + +# Nautilus causes this avc ++domain_dontaudit_access_check(unpriv_userdomain) +dontaudit unpriv_userdomain self:dir setattr; +allow unpriv_userdomain self:key manage_key_perms; + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8060cc3b..69b9cf39 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -15490,7 +15490,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..9436993 100644 +index 28e1b86..f871609 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -15731,7 +15731,7 @@ index 28e1b86..9436993 100644 logging_log_filetrans(crond_t, cron_log_t, file) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -@@ -237,72 +180,67 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) 
@@ -15802,6 +15802,7 @@ index 28e1b86..9436993 100644 +# Read from /var/spool/cron. files_search_var_lib(crond_t) files_search_default(crond_t) ++files_read_all_locks(crond_t) -mls_fd_share_all_levels(crond_t) +fs_manage_cgroup_dirs(crond_t) @@ -15834,7 +15835,7 @@ index 28e1b86..9436993 100644 auth_use_nsswitch(crond_t) logging_send_audit_msgs(crond_t) -@@ -311,41 +249,46 @@ logging_set_loginuid(crond_t) +@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -15897,7 +15898,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -353,102 +296,136 @@ optional_policy(` +@@ -353,102 +297,136 @@ optional_policy(` ') optional_policy(` @@ -16065,7 +16066,7 @@ index 28e1b86..9436993 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -457,11 +434,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -16078,7 +16079,7 @@ index 28e1b86..9436993 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -481,6 +458,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -16086,7 +16087,7 @@ index 28e1b86..9436993 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -491,15 +469,19 @@ files_getattr_all_files(system_cronjob_t) +@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) 
@@ -16109,7 +16110,7 @@ index 28e1b86..9436993 100644 init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +493,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -16139,7 +16140,7 @@ index 28e1b86..9436993 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +522,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -16157,7 +16158,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -546,10 +541,6 @@ optional_policy(` +@@ -546,10 +542,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -16168,7 +16169,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -581,6 +572,7 @@ optional_policy(` +@@ -581,6 +573,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -16176,7 +16177,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -588,15 +580,19 @@ optional_policy(` +@@ -588,15 +581,19 @@ optional_policy(` ') optional_policy(` @@ -16198,7 +16199,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -606,6 +602,7 @@ optional_policy(` +@@ -606,6 +603,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -16206,7 +16207,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -613,12 +610,24 @@ optional_policy(` +@@ -613,12 +611,24 @@ optional_policy(` ') optional_policy(` 
@@ -16233,7 +16234,7 @@ index 28e1b86..9436993 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +635,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -16267,7 +16268,7 @@ index 28e1b86..9436993 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +668,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -51301,7 +51302,7 @@ index 0000000..fdc4a03 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..c1eed44 +index 0000000..9724884 --- /dev/null +++ b/openshift.te @@ -0,0 +1,549 @@ @@ -51403,7 +51404,7 @@ index 0000000..c1eed44 +unconfined_domain_noaudit(openshift_initrc_t) +mcs_process_set_categories(openshift_initrc_t) + -+virt_lxc_domain(openshift_initrc_t) ++virt_sandbox_domain(openshift_initrc_t) + +systemd_dbus_chat_logind(openshift_initrc_t) + @@ -79994,7 +79995,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..46356db 100644 +index 49b12ae..e5948ba 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ 
@@ -80091,7 +80092,15 @@ index 49b12ae..46356db 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t) +@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t) + term_dontaudit_use_all_ptys(setroubleshootd_t) + term_dontaudit_use_all_ttys(setroubleshootd_t) + ++mls_dbus_recv_all_levels(setroubleshootd_t) ++ + auth_use_nsswitch(setroubleshootd_t) + + init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -80124,7 +80133,7 @@ index 49b12ae..46356db 100644 ') optional_policy(` -@@ -135,10 +137,18 @@ optional_policy(` +@@ -135,10 +139,18 @@ optional_policy(` ') optional_policy(` @@ -80143,7 +80152,7 @@ index 49b12ae..46356db 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,15 +158,17 @@ optional_policy(` +@@ -148,15 +160,17 @@ optional_policy(` ######################################## # @@ -80162,7 +80171,7 @@ index 49b12ae..46356db 100644 setroubleshoot_stream_connect(setroubleshoot_fixit_t) kernel_read_system_state(setroubleshoot_fixit_t) -@@ -165,9 +177,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -165,9 +179,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t) @@ -80179,7 +80188,7 @@ index 49b12ae..46356db 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +193,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +195,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -84071,7 +84080,7 @@ index a240455..54c5c1f 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..e9632c3 100644 +index 8b537aa..3bce4df 100644 --- a/sssd.te +++ b/sssd.te 
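Review bot: `mls_dbus_recv_all_levels(setroubleshootd_t)` exempts setroubleshootd from the MLS constraint on D-Bus receives, and nothing in the hunk records which cross-level peer made it necessary, so a later audit of MLS exemptions cannot tell whether it is still needed. Add a one-line comment above the call naming the motivating caller, e.g. `# receive D-Bus messages from clients running at other MLS levels (TODO: name the caller that needed this)`. If only a single peer is involved, a rule scoped to that peer would be the smaller grant, should the mls module offer one.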
@@ -1,4 +1,4 @@ @@ -84160,7 +84169,7 @@ index 8b537aa..e9632c3 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -84170,6 +84179,7 @@ index 8b537aa..e9632c3 100644 sysnet_use_ldap(sssd_t) +userdom_manage_tmp_role(system_r, sssd_t) ++userdom_manage_all_users_keys(sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) @@ -87277,10 +87287,10 @@ index 0000000..8b2dfff +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..bf58d50 +index 0000000..ec3eb8f --- /dev/null +++ b/thumb.te -@@ -0,0 +1,146 @@ +@@ -0,0 +1,147 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -87355,6 +87365,7 @@ index 0000000..bf58d50 +dev_rw_xserver_misc(thumb_t) + +domain_use_interactive_fds(thumb_t) ++domain_dontaudit_read_all_domains_state(thumb_t) + +files_read_non_security_files(thumb_t) + @@ -90079,7 +90090,7 @@ index c30da4c..b81eaa0 100644 +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..bdba959 100644 +index 9dec06c..4e31afe 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
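Review bot: `userdom_manage_all_users_keys(sssd_t)` gives sssd manage-level access to every user's kernel keyring rather than search/read, and the hunk gives no reason for the width of the grant. Presumably this is for credential caches kept in per-user keyrings — confirm — and if so record it: `# sssd creates and updates user credential caches held in per-user kernel keyrings`. If sssd only has to locate and read existing keys, a read-level interface (if userdomain.if provides one) would be the narrower choice; check what the manage interface expands to before accepting it.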
@@ -91221,17 +91232,17 @@ index 9dec06c..bdba959 100644 -## # -interface(`virt_pid_filetrans',` -+interface(`virt_stream_connect_lxc',` ++interface(`virt_stream_connect_sandbox',` gen_require(` - type virt_var_run_t; -+ attribute svirt_lxc_domain; -+ type svirt_lxc_file_t; ++ attribute svirt_sandbox_domain; ++ type svirt_sandbox_file_t; ') files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain) -+ ps_process_pattern(svirt_lxc_domain, $1) ++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) ++ ps_process_pattern(svirt_sandbox_domain, $1) ') + @@ -91555,16 +91566,16 @@ index 9dec06c..bdba959 100644 - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -- ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") - +- - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) @@ -91613,7 +91624,7 @@ index 9dec06c..bdba959 100644 -## # -interface(`virt_admin',` -+template(`virt_lxc_domain_template',` ++template(`virt_sandbox_domain_template',` gen_require(` - attribute virt_domain, virt_image_type, virt_tmpfs_type; - attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; 
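Review bot: `virt_stream_connect_sandbox` here, and `virt_sandbox_domain_template`, `virt_sandbox_domain` and `virt_transition_svirt_sandbox` in the following hunks, replace the old `*_lxc` names with no deprecated wrapper, so any policy module outside this tree that still calls `virt_stream_connect_lxc()` or `virt_lxc_domain()` stops building. The type rename in virt.te keeps `alias svirt_lxc_file_t`, but the `svirt_lxc_domain` attribute gets no equivalent (attributes cannot be aliased), so callers requiring it must be rewritten — openshift.te is in this commit, others are not visible here. The usual refpolicy approach is to keep each old name as a thin wrapper that emits `refpolicywarn` and forwards to the new interface; one is sketched below for the interface in this hunk, and the template and transition interface need the same treatment. Separately, the body still grants `ps_process_pattern(svirt_sandbox_domain, $1)`, i.e. the sandboxed domains read the caller's process state — a reverse-direction grant the `stream_connect` name does not suggest; the interface's `##` description (outside the hunk) should state it explicitly.
```m4
interface(`virt_stream_connect_lxc',`
	refpolicywarn(`$0($*) has been deprecated, use virt_stream_connect_sandbox() instead.')
	virt_stream_connect_sandbox($1)
')
```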
@@ -91623,14 +91634,14 @@ index 9dec06c..bdba959 100644 - type virt_var_run_t, virt_tmp_t, virt_log_t; - type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; - type virt_etc_t, svirt_cache_t; -+ attribute svirt_lxc_domain; ++ attribute svirt_sandbox_domain; ') - allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; - allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) - ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) -+ type $1_t, svirt_lxc_domain; ++ type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) @@ -91656,14 +91667,14 @@ index 9dec06c..bdba959 100644 +## +## +# -+template(`virt_lxc_domain',` ++template(`virt_sandbox_domain',` + gen_require(` -+ attribute svirt_lxc_domain; ++ attribute svirt_sandbox_domain; + ') - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -+ typeattribute $1 svirt_lxc_domain; ++ typeattribute $1 svirt_sandbox_domain; +') - files_search_etc($1) @@ -91732,16 +91743,16 @@ index 9dec06c..bdba959 100644 +## +## +# -+interface(`virt_transition_svirt_lxc',` ++interface(`virt_transition_svirt_sandbox',` + gen_require(` -+ attribute svirt_lxc_domain; ++ attribute svirt_sandbox_domain; + ') + -+ allow $1 svirt_lxc_domain:process transition; -+ role $2 types svirt_lxc_domain; -+ allow $1 svirt_lxc_domain:unix_dgram_socket sendto; ++ allow $1 svirt_sandbox_domain:process transition; ++ role $2 types svirt_sandbox_domain; ++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + -+ allow svirt_lxc_domain $1:process sigchld; ++ allow svirt_sandbox_domain $1:process sigchld; +') - files_search_locks($1) @@ -91766,7 +91777,7 @@ index 9dec06c..bdba959 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') 
diff --git a/virt.te b/virt.te -index 1f22fba..cbd02ae 100644 +index 1f22fba..d200be6 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -92028,7 +92039,7 @@ index 1f22fba..cbd02ae 100644 -# Common virt domain local policy +# Declarations # -+attribute svirt_lxc_domain; ++attribute svirt_sandbox_domain; -allow virt_domain self:process { signal getsched signull }; -allow virt_domain self:fifo_file rw_fifo_file_perms; @@ -92181,8 +92192,8 @@ index 1f22fba..cbd02ae 100644 - dev_rw_sysfs(virt_domain) -') +# virt lxc container files -+type svirt_lxc_file_t; -+files_mountpoint(svirt_lxc_file_t) ++type svirt_sandbox_file_t alias svirt_lxc_file_t; ++files_mountpoint(svirt_sandbox_file_t) -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) @@ -92247,11 +92258,11 @@ index 1f22fba..cbd02ae 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +allow svirt_tcg_t self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) 
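Review bot: The comment above the renamed type still reads `# virt lxc container files` while the declaration is now `type svirt_sandbox_file_t alias svirt_lxc_file_t;`, so a reader learns neither which name is canonical nor why two exist. Suggest `# sandbox (including lxc container) content; svirt_lxc_file_t is kept as an alias so existing file labels and callers keep working`.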
@@ -92402,14 +92413,14 @@ index 1f22fba..cbd02ae 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) - -kernel_read_crypto_sysctls(virtd_t) @@ -92547,7 +92558,7 @@ index 1f22fba..cbd02ae 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +504,326 @@ optional_policy(` +@@ -658,20 +504,12 @@ optional_policy(` ') optional_policy(` 
@@ -92561,95 +92572,82 @@ index 1f22fba..cbd02ae 100644 optional_policy(` networkmanager_dbus_chat(virtd_t) ') -+') -+ -+optional_policy(` -+ dmidecode_domtrans(virtd_t) -+') -+ -+optional_policy(` -+ dnsmasq_domtrans(virtd_t) -+ dnsmasq_signal(virtd_t) -+ dnsmasq_kill(virtd_t) -+ dnsmasq_signull(virtd_t) -+ dnsmasq_create_pid_dirs(virtd_t) +- +- optional_policy(` +- policykit_dbus_chat(virtd_t) +- ') + ') + + optional_policy(` +@@ -684,14 +522,20 @@ optional_policy(` + dnsmasq_kill(virtd_t) + dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) +- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network") +- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid") + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); -+ dnsmasq_manage_pid_files(virtd_t) -+') -+ -+optional_policy(` + dnsmasq_manage_pid_files(virtd_t) + ') + + optional_policy(` + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` -+ iptables_domtrans(virtd_t) -+ iptables_initrc_domtrans(virtd_t) + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall -+ iptables_manage_config(virtd_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(virtd, virtd_t) -+') -+ -+optional_policy(` -+ lvm_domtrans(virtd_t) -+') -+ -+optional_policy(` + iptables_manage_config(virtd_t) + ') + +@@ -704,11 +548,13 @@ optional_policy(` + ') + + optional_policy(` + # Run mount in the mount_t domain. 
-+ mount_domtrans(virtd_t) -+ mount_signal(virtd_t) -+') -+ -+optional_policy(` + mount_domtrans(virtd_t) + mount_signal(virtd_t) + ') + + optional_policy(` + policykit_dbus_chat(virtd_t) -+ policykit_domtrans_auth(virtd_t) -+ policykit_domtrans_resolve(virtd_t) -+ policykit_read_lib(virtd_t) -+') -+ -+optional_policy(` -+ qemu_exec(virtd_t) -+') -+ -+optional_policy(` + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +@@ -719,10 +565,18 @@ optional_policy(` + ') + + optional_policy(` + sanlock_stream_connect(virtd_t) +') + +optional_policy(` -+ sasl_connect(virtd_t) -+') -+ -+optional_policy(` + sasl_connect(virtd_t) + ') + + optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` -+ kernel_read_xen_state(virtd_t) -+ kernel_write_xen_state(virtd_t) -+ -+ xen_exec(virtd_t) -+ xen_stream_connect(virtd_t) -+ xen_stream_connect_xenstore(virtd_t) -+ xen_read_image_files(virtd_t) -+') -+ -+optional_policy(` -+ udev_domtrans(virtd_t) -+ udev_read_db(virtd_t) -+') -+ + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + +@@ -737,44 +591,261 @@ optional_policy(` + udev_read_db(virtd_t) + ') + +optional_policy(` + unconfined_domain(virtd_t) +') + -+######################################## -+# + ######################################## + # +-# Virsh local policy +# virtual domains common policy -+# + # +allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { setrlimit signal_perms getsched setsched }; +allow virt_domain self:fifo_file rw_fifo_file_perms; 
@@ -92658,12 +92656,20 @@ index 1f22fba..cbd02ae 100644 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; -+ + +-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +-allow virsh_t self:process { getcap getsched setsched setcap signal }; +-allow virsh_t self:fifo_file rw_fifo_file_perms; +-allow virsh_t self:unix_stream_socket { accept connectto listen }; +-allow virsh_t self:tcp_socket { accept listen }; +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; -+ + +-manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) @@ -92677,7 +92683,13 @@ index 1f22fba..cbd02ae 100644 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) -+ + +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) 
@@ -92708,13 +92720,19 @@ index 1f22fba..cbd02ae 100644 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; -+ + +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +dontaudit virt_domain virt_tmpfs_type:file { read write }; -+ + +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +append_files_pattern(virt_domain, virt_log_t, virt_log_t) -+ + +-allow virsh_t svirt_lxc_domain:process transition; +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +-can_exec(virsh_t, virsh_exec_t) +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -92761,10 +92779,7 @@ index 1f22fba..cbd02ae 100644 +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) - -- optional_policy(` -- policykit_dbus_chat(virtd_t) -- ') ++ +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) 
@@ -92772,78 +92787,53 @@ index 1f22fba..cbd02ae 100644 + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; - ') - - optional_policy(` -- dmidecode_domtrans(virtd_t) ++') ++ ++optional_policy(` + alsa_read_rw_config(virt_domain) - ') - - optional_policy(` -- dnsmasq_domtrans(virtd_t) -- dnsmasq_signal(virtd_t) -- dnsmasq_kill(virtd_t) -- dnsmasq_signull(virtd_t) -- dnsmasq_create_pid_dirs(virtd_t) -- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network") -- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid") -- dnsmasq_manage_pid_files(virtd_t) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) - ') - - optional_policy(` -- iptables_domtrans(virtd_t) -- iptables_initrc_domtrans(virtd_t) -- iptables_manage_config(virtd_t) ++') ++ ++optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) - ') - - optional_policy(` -- kerberos_keytab_template(virtd, virtd_t) ++') ++ ++optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) - ') ++') - optional_policy(` -- lvm_domtrans(virtd_t) ++optional_policy(` + xserver_rw_shm(virt_domain) - ') - --optional_policy(` -- mount_domtrans(virtd_t) -- mount_signal(virtd_t) ++') ++ +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) - ') - --optional_policy(` -- policykit_domtrans_auth(virtd_t) -- policykit_domtrans_resolve(virtd_t) -- policykit_read_lib(virtd_t) ++') ++ +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) - ') - --optional_policy(` -- qemu_exec(virtd_t) ++') ++ +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + 
fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) - ') - --optional_policy(` -- sasl_connect(virtd_t) ++') ++ +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) 
@@ -92855,102 +92845,81 @@ index 1f22fba..cbd02ae 100644 +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) ++ fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) - ') - - optional_policy(` -- kernel_read_xen_state(virtd_t) -- kernel_write_xen_state(virtd_t) ++') ++ ++optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + ') +') - -- xen_exec(virtd_t) -- xen_stream_connect(virtd_t) -- xen_stream_connect_xenstore(virtd_t) -- xen_read_image_files(virtd_t) ++ +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; - ') - - optional_policy(` -- udev_domtrans(virtd_t) -- udev_read_db(virtd_t) ++') ++ ++optional_policy(` + tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') - ') - - ######################################## - # --# Virsh local policy ++') ++ ++######################################## ++# +# xm local policy - # ++# +type virsh_t; +type virsh_exec_t; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; - --allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; --allow virsh_t self:process { getcap getsched setsched setcap signal }; ++ +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; - allow virsh_t self:fifo_file rw_fifo_file_perms; --allow virsh_t self:unix_stream_socket { accept connectto listen }; --allow virsh_t self:tcp_socket { accept listen }; ++allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + -+ps_process_pattern(virsh_t, svirt_lxc_domain) ++ps_process_pattern(virsh_t, 
svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) -+virt_domtrans(virsh_t) -+virt_manage_images(virsh_t) -+virt_manage_config(virsh_t) -+virt_stream_connect(virsh_t) -+ + virt_domtrans(virsh_t) + virt_manage_images(virsh_t) + virt_manage_config(virsh_t) + virt_stream_connect(virsh_t) + +-kernel_read_crypto_sysctls(virsh_t) +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) - - manage_files_pattern(virsh_t, virt_image_type, virt_image_type) - manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +835,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+virt_transition_svirt_lxc(virsh_t, system_r) - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --dontaudit virsh_t virt_var_lib_t:file read_file_perms; ++ ++manage_files_pattern(virsh_t, virt_image_type, virt_image_type) ++manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++ ++manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(virsh_t, 
svirt_sandbox_file_t, svirt_sandbox_file_t) ++virt_transition_svirt_sandbox(virsh_t, system_r) ++ +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") - --allow virsh_t svirt_lxc_domain:process transition; ++ +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; - --can_exec(virsh_t, virsh_exec_t) -- --virt_domtrans(virsh_t) --virt_manage_images(virsh_t) --virt_manage_config(virsh_t) --virt_stream_connect(virsh_t) -- --kernel_read_crypto_sysctls(virsh_t) ++ +kernel_write_proc_files(virsh_t) kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +855,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +856,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -92977,7 +92946,7 @@ index 1f22fba..cbd02ae 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +875,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +876,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -93009,7 +92978,7 @@ index 1f22fba..cbd02ae 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +908,20 @@ optional_policy(` +@@ -847,14 +909,20 @@ optional_policy(` ') optional_policy(` @@ -93031,7 +93000,7 @@ index 1f22fba..cbd02ae 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +946,45 @@ optional_policy(` +@@ -879,49 +947,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -93061,7 +93030,7 @@ index 1f22fba..cbd02ae 100644 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow virtd_lxc_t self:packet_socket create_socket_perms; -+ps_process_pattern(virtd_lxc_t, svirt_lxc_domain) ++ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; -allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; 
@@ -93078,19 +93047,30 @@ index 1f22fba..cbd02ae 100644 -manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir }) +- +-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; +-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") - - manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +994,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) - allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; - allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; -+files_associate_rootfs(svirt_lxc_file_t) ++ ++manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(virtd_lxc_t, 
svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom }; ++allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom }; ++files_associate_rootfs(svirt_sandbox_file_t) + +seutil_read_file_contexts(virtd_lxc_t) @@ -93104,7 +93084,7 @@ index 1f22fba..cbd02ae 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +1016,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1017,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -93115,15 +93095,16 @@ index 1f22fba..cbd02ae 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1025,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) + files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) - files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) +-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) ++files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set) +fs_read_fusefs_files(virtd_lxc_t) fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1037,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1038,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -93147,7 +93128,7 @@ index 1f22fba..cbd02ae 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,29 +1062,33 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1063,247 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -93185,135 +93166,202 @@ index 1f22fba..cbd02ae 100644 ######################################## # -# Common virt lxc domain local policy -+# virt_lxc_domain local policy ++# svirt_sandbox_domain local policy # -- ++allow svirt_sandbox_domain self:key manage_key_perms; ++allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; ++allow svirt_sandbox_domain self:fifo_file manage_file_perms; ++allow svirt_sandbox_domain self:sem create_sem_perms; ++allow svirt_sandbox_domain self:shm create_shm_perms; ++allow svirt_sandbox_domain self:msgq create_msgq_perms; ++allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; ++ ++ ++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; ++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; ++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; ++ ++allow svirt_sandbox_domain virtd_lxc_t:process sigchld; ++allow svirt_sandbox_domain virtd_lxc_t:fd use; ++allow svirt_sandbox_domain virt_lxc_var_run_t:dir list_dir_perms; ++allow svirt_sandbox_domain virt_lxc_var_run_t:file read_file_perms; ++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; ++ ++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) 
++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; ++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; ++ ++kernel_getattr_proc(svirt_sandbox_domain) ++kernel_list_all_proc(svirt_sandbox_domain) ++kernel_read_all_sysctls(svirt_sandbox_domain) ++kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) ++ ++corecmd_exec_all_executables(svirt_sandbox_domain) ++ ++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) ++files_dontaudit_getattr_all_files(svirt_sandbox_domain) ++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) ++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) ++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) ++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) ++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) ++files_entrypoint_all_files(svirt_sandbox_domain) ++files_list_var(svirt_sandbox_domain) ++files_list_var_lib(svirt_sandbox_domain) ++files_search_all(svirt_sandbox_domain) ++files_read_config_files(svirt_sandbox_domain) ++files_read_usr_symlinks(svirt_sandbox_domain) ++files_search_locks(svirt_sandbox_domain) ++ ++fs_getattr_all_fs(svirt_sandbox_domain) ++fs_list_inotifyfs(svirt_sandbox_domain) ++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) ++fs_read_fusefs_files(svirt_sandbox_domain) ++ ++auth_dontaudit_read_passwd(svirt_sandbox_domain) ++auth_dontaudit_read_login_records(svirt_sandbox_domain) ++auth_dontaudit_write_login_records(svirt_sandbox_domain) ++auth_search_pam_console_data(svirt_sandbox_domain) ++ ++clock_read_adjtime(svirt_sandbox_domain) ++ ++init_read_utmp(svirt_sandbox_domain) ++init_dontaudit_write_utmp(svirt_sandbox_domain) ++ ++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) ++ ++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) 
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) ++miscfiles_read_fonts(svirt_sandbox_domain) ++miscfiles_read_hwdata(svirt_sandbox_domain) ++ ++systemd_read_unit_files(svirt_sandbox_domain) ++ ++userdom_use_inherited_user_terminals(svirt_sandbox_domain) ++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) ++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) ++ ++optional_policy(` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++') + -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -+allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; - allow svirt_lxc_domain self:fifo_file manage_file_perms; - allow svirt_lxc_domain self:sem create_sem_perms; - allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1096,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; - allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; - allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; - +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- -allow svirt_lxc_domain virtd_lxc_t:fd use; -allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; -allow svirt_lxc_domain virtd_lxc_t:process sigchld; - -allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; - +- -allow 
svirt_lxc_domain virsh_t:fd use; -allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; -allow svirt_lxc_domain virsh_t:process sigchld; -+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; -+allow virtd_t svirt_lxc_domain:process { signal_perms getattr }; -+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched setrlimit transition signal_perms }; - +- -allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; -allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -+allow svirt_lxc_domain virtd_lxc_t:process sigchld; -+allow svirt_lxc_domain virtd_lxc_t:fd use; -+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms; -+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms; -+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; - - manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1114,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - -+can_exec(svirt_lxc_domain, svirt_lxc_file_t) - allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; - allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; - +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, 
svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- -can_exec(svirt_lxc_domain, svirt_lxc_file_t) - - kernel_getattr_proc(svirt_lxc_domain) - kernel_list_all_proc(svirt_lxc_domain) +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) -kernel_read_kernel_sysctls(svirt_lxc_domain) -+kernel_read_all_sysctls(svirt_lxc_domain) - kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) -kernel_read_system_state(svirt_lxc_domain) - kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) - - corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1133,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) - files_dontaudit_getattr_all_sockets(svirt_lxc_domain) - files_dontaudit_list_all_mountpoints(svirt_lxc_domain) - files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) -# files_entrypoint_all_files(svirt_lxc_domain) -+files_entrypoint_all_files(svirt_lxc_domain) - files_list_var(svirt_lxc_domain) - files_list_var_lib(svirt_lxc_domain) - files_search_all(svirt_lxc_domain) - files_read_config_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) -files_read_usr_files(svirt_lxc_domain) - files_read_usr_symlinks(svirt_lxc_domain) 
-+files_search_locks(svirt_lxc_domain) - - fs_getattr_all_fs(svirt_lxc_domain) - fs_list_inotifyfs(svirt_lxc_domain) -+fs_rw_inherited_tmpfs_files(svirt_lxc_domain) -+fs_read_fusefs_files(svirt_lxc_net_t) - +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- -# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) -# fs_rw_inherited_cifs_files(svirt_lxc_domain) -# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) - -+auth_dontaudit_read_passwd(svirt_lxc_domain) - auth_dontaudit_read_login_records(svirt_lxc_domain) - auth_dontaudit_write_login_records(svirt_lxc_domain) - auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1158,94 @@ init_dontaudit_write_utmp(svirt_lxc_domain) - - libs_dontaudit_setattr_lib_files(svirt_lxc_domain) - +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- -miscfiles_read_localization(svirt_lxc_domain) -+miscfiles_dontaudit_access_check_cert(svirt_lxc_domain) - miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) - miscfiles_read_fonts(svirt_lxc_domain) -+miscfiles_read_hwdata(svirt_lxc_domain) -+ -+systemd_read_unit_files(svirt_lxc_domain) -+ -+userdom_use_inherited_user_terminals(svirt_lxc_domain) -+userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain) -+userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain) -+ -+optional_policy(` -+ apache_exec_modules(svirt_lxc_domain) -+ apache_read_sys_content(svirt_lxc_domain) -+') -+ -+optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+') - +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- 
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ ssh_use_ptys(svirt_lxc_net_t) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ ssh_use_ptys(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) +- udev_read_pid_files(svirt_lxc_domain) ++ udev_read_pid_files(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ userhelper_dontaudit_write_config(svirt_lxc_domain) ++ userhelper_dontaudit_write_config(svirt_sandbox_domain) ') --######################################## --# + ######################################## + # -# Lxc net local policy --# -+virt_lxc_domain_template(svirt_lxc_net) ++# svirt_lxc_net_t local policy + # ++virt_sandbox_domain_template(svirt_lxc_net) -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; +allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; @@ -93369,13 +93417,13 @@ index 1f22fba..cbd02ae 100644 - files_read_kernel_modules(svirt_lxc_net_t) -+fs_noxattr_type(svirt_lxc_file_t) ++fs_noxattr_type(svirt_sandbox_file_t) fs_mount_cgroup(svirt_lxc_net_t) fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) +fs_manage_cgroup_files(svirt_lxc_net_t) + -+term_pty(svirt_lxc_file_t) ++term_pty(svirt_sandbox_file_t) auth_use_nsswitch(svirt_lxc_net_t) 
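Review bot: `ssh_use_ptys(svirt_sandbox_domain)` and `fs_read_fusefs_files(svirt_sandbox_domain)` are now granted on the attribute, whereas the lines being replaced granted them only to `svirt_lxc_net_t`; every domain built with `virt_sandbox_domain_template`, including the new `svirt_qemu_net_t`, inherits them. If that widening is intended it should be stated in the commit message; otherwise keep them in the per-domain section as `ssh_use_ptys(svirt_lxc_net_t)` and `fs_read_fusefs_files(svirt_lxc_net_t)`. The attribute itself is renamed from `svirt_lxc_domain` to `svirt_sandbox_domain` here, so any interface in virt.if that still names the old attribute (outside this hunk) presumably has to change in the same commit or the module will not build.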
@@ -93388,14 +93436,62 @@ index 1f22fba..cbd02ae 100644 -optional_policy(` - rpm_read_db(svirt_lxc_net_t) -') -- + -####################################### --# ++######################################## + # -# Prot exec local policy --# -- ++# svirt_lxc_net_t local policy + # ++virt_sandbox_domain_template(svirt_qemu_net) ++ ++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++dontaudit svirt_qemu_net_t self:capability2 block_suspend; ++allow svirt_qemu_net_t self:process { execstack execmem }; ++allow svirt_qemu_net_t self:netlink_socket create_socket_perms; ++allow svirt_qemu_net_t self:udp_socket create_socket_perms; ++allow svirt_qemu_net_t self:tcp_socket create_stream_socket_perms; ++allow svirt_qemu_net_t self:netlink_route_socket create_netlink_socket_perms; ++allow svirt_qemu_net_t self:packet_socket create_socket_perms; ++allow svirt_qemu_net_t self:socket create_socket_perms; ++allow svirt_qemu_net_t self:rawip_socket create_socket_perms; ++allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; + -allow svirt_prot_exec_t self:process { execmem execstack }; -- ++kernel_read_network_state(svirt_qemu_net_t) ++kernel_read_irq_sysctls(svirt_qemu_net_t) ++ ++dev_read_sysfs(svirt_qemu_net_t) ++dev_getattr_mtrr_dev(svirt_qemu_net_t) ++dev_read_rand(svirt_qemu_net_t) ++dev_read_urand(svirt_qemu_net_t) ++ ++corenet_tcp_bind_generic_node(svirt_qemu_net_t) ++corenet_udp_bind_generic_node(svirt_qemu_net_t) ++corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t) ++corenet_udp_sendrecv_all_ports(svirt_qemu_net_t) ++corenet_udp_bind_all_ports(svirt_qemu_net_t) ++corenet_tcp_bind_all_ports(svirt_qemu_net_t) ++corenet_tcp_connect_all_ports(svirt_qemu_net_t) ++ 
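Review bot: The file type is renamed from `svirt_lxc_file_t` to `svirt_sandbox_file_t` (`fs_noxattr_type` and `term_pty` lines), but nothing in this hunk keeps the old name valid for content already labelled on disk. Unless the type declaration (outside this hunk) carries `typealias svirt_sandbox_file_t alias svirt_lxc_file_t;`, existing container trees and any file_contexts entries using the old type stop resolving after the upgrade and need a relabel; please confirm the alias exists or add it next to the declaration. The `fs_manage_cgroup_files` change in this hunk is only re-marked, not new.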
++files_read_kernel_modules(svirt_qemu_net_t) ++ ++fs_noxattr_type(svirt_sandbox_file_t) ++fs_mount_cgroup(svirt_qemu_net_t) ++fs_manage_cgroup_dirs(svirt_qemu_net_t) ++fs_manage_cgroup_files(svirt_qemu_net_t) ++ ++term_pty(svirt_sandbox_file_t) ++ ++auth_use_nsswitch(svirt_qemu_net_t) ++ ++rpm_read_db(svirt_qemu_net_t) ++ ++logging_send_audit_msgs(svirt_qemu_net_t) ++ ++userdom_use_user_ptys(svirt_qemu_net_t) + ######################################## # -# Qmf local policy @@ -93410,7 +93506,7 @@ index 1f22fba..cbd02ae 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1258,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -93425,7 +93521,7 @@ index 1f22fba..cbd02ae 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1276,8 @@ optional_policy(` +@@ -1183,9 +1334,8 @@ optional_policy(` ######################################## # @@ -93436,7 +93532,7 @@ index 1f22fba..cbd02ae 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1290,120 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1348,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -94518,7 +94614,7 @@ index 304ae09..c1d10a1 100644 -/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/wm.if b/wm.if -index 25b702d..177cf16 100644 +index 25b702d..36b2f81 100644 --- a/wm.if +++ b/wm.if @@ -1,4 +1,4 @@ @@ -94527,7 +94623,7 @@ index 25b702d..177cf16 100644 ####################################### ## -@@ -29,58 +29,44 @@ +@@ -29,54 +29,46 @@ # template(`wm_role_template',` gen_require(` 
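Review bot: `rpm_read_db(svirt_qemu_net_t)` is called unconditionally, while the lines removed just above show the same call for the lxc domain was wrapped in `optional_policy(`, so the new domain introduces a hard dependency on the rpm module; wrap it as `optional_policy(\`` / `\trpm_read_db(svirt_qemu_net_t)` / `')`. The section header `# svirt_lxc_net_t local policy` is a copy-paste error and should read `# svirt_qemu_net_t local policy`. `fs_noxattr_type(svirt_sandbox_file_t)` and `term_pty(svirt_sandbox_file_t)` are type-level attribute assignments already made in the svirt_lxc_net_t section and are redundant here. The new domain also gets the full lxc capability set plus `execstack execmem`, including `sys_admin`, `sys_ptrace` and `net_admin`; if a qemu-based sandbox does not need all of them, trimming the set would be worth a line of justification in the commit.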
@@ -94577,6 +94673,8 @@ index 25b702d..177cf16 100644 + auth_use_nsswitch($1_wm_t) + + kernel_read_system_state($1_wm_t) ++ ++ auth_use_nsswitch($1_wm_t) + mls_file_read_all_levels($1_wm_t) mls_file_write_all_levels($1_wm_t) @@ -94594,15 +94692,11 @@ index 25b702d..177cf16 100644 - wm_dbus_chat($1, $3) - ') - ') -- -- optional_policy(` -- pulseaudio_run($1_wm_t, $2) -- ') - optional_policy(` - xserver_role($2, $1_wm_t) - xserver_manage_core_devices($1_wm_t) -@@ -89,7 +75,7 @@ template(`wm_role_template',` + pulseaudio_run($1_wm_t, $2) + ') +@@ -89,7 +81,7 @@ template(`wm_role_template',` ######################################## ## @@ -94611,7 +94705,7 @@ index 25b702d..177cf16 100644 ## ## ## -@@ -102,33 +88,5 @@ interface(`wm_exec',` +@@ -102,33 +94,5 @@ interface(`wm_exec',` type wm_exec_t; ') @@ -94646,10 +94740,10 @@ index 25b702d..177cf16 100644 - allow $1_wm_t $2:dbus send_msg; -') diff --git a/wm.te b/wm.te -index 7c7f7fa..dfeac3e 100644 +index 7c7f7fa..20ce90b 100644 --- a/wm.te +++ b/wm.te -@@ -1,36 +1,40 @@ +@@ -1,36 +1,88 @@ -policy_module(wm, 1.2.5) +policy_module(wm, 1.2.0) + 
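Review bot: The added `auth_use_nsswitch($1_wm_t)` duplicates the identical call two lines earlier in `wm_role_template`, which this patch already carries. Drop the new pair of lines (the blank line and the repeated call) so the template has the interface once; the template body continues outside this hunk.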
@@ -94671,28 +94765,75 @@ index 7c7f7fa..dfeac3e 100644 +corecmd_executable_file(wm_exec_t) allow wm_domain self:fifo_file rw_fifo_file_perms; - allow wm_domain self:process getsched; +-allow wm_domain self:process getsched; ++allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; ++allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms; ++ allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; -kernel_read_system_state(wm_domain) - dev_read_urand(wm_domain) ++dev_read_sound(wm_domain) ++dev_write_sound(wm_domain) ++dev_rw_wireless(wm_domain) ++dev_read_sysfs(wm_domain) ++ ++fs_getattr_all_fs(wm_domain) ++ ++corecmd_dontaudit_access_all_executables(wm_domain) ++corecmd_getattr_all_executables(wm_domain) -files_read_usr_files(wm_domain) -+ -+fs_getattr_tmpfs(wm_domain) -+ +application_signull(wm_domain) ++ ++init_read_state(wm_domain) miscfiles_read_fonts(wm_domain) -miscfiles_read_localization(wm_domain) -userdom_manage_user_tmp_sockets(wm_domain) -userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) ++systemd_dbus_chat_logind(wm_domain) ++systemd_read_logind_sessions_files(wm_domain) ++systemd_write_inhibit_pipes(wm_domain) ++systemd_login_read_pid_files(wm_domain) ++ ++userdom_read_user_home_content_files(wm_domain) ++ ++udev_read_pid_files(wm_domain) ++ ++optional_policy(` ++ gnome_stream_connect_gkeyringd(wm_domain) ++') ++ +optional_policy(` + dbus_system_bus_client(wm_domain) + dbus_session_bus_client(wm_domain) ++ optional_policy(` ++ accountsd_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat_power(wm_domain) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ policykit_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(wm_domain) ++ ') +') + +optional_policy(` 
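Review bot: `systemd_dbus_chat_logind(wm_domain)` is added twice, once unconditionally after the `miscfiles_read_fonts` line and again inside a nested `optional_policy(` under the dbus block; one of them is redundant. If systemd is a base module in this tree the unconditional call is enough and the nested block `optional_policy(\`` / `\tsystemd_dbus_chat_logind(wm_domain)` / `')` should go, otherwise the unconditional one is the one to remove. The new `allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };` grants anonymous executable memory to every window manager domain where the old line allowed only `getsched`; if only a specific manager needs `execmem`, granting it in that domain or behind a boolean keeps the rest of the attribute W^X.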
@@ -94700,13 +94841,15 @@ index 7c7f7fa..dfeac3e 100644 +') + +optional_policy(` -+ xserver_manage_core_devices(wm_domain) ++ userhelper_exec_console(wm_domain) +') -+ -userdom_manage_user_home_content_dirs(wm_domain) -userdom_manage_user_home_content_files(wm_domain) -userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) ++optional_policy(` ++ xserver_manage_core_devices(wm_domain) ++') diff --git a/xen.fc b/xen.fc index 42d83b0..7977c2c 100644 --- a/xen.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index ce9f03a4..7054d3fa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 73%{?dist} +Release: 74%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -554,6 +554,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Aug 29 2013 Miroslav Grepl 3.12.1-74 +- Add selinux-policy-sandbox pkg + * Tue Aug 27 2013 Miroslav Grepl 3.12.1-73 0 - Allow rhsmcertd to read init state