From 34303355645a5bbfa6a59c2588557c755c242513 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 22 Sep 2014 15:16:17 +0200 Subject: [PATCH 1/8] * Mon Sep 22 2014 Lukas Vrabec 3.13.1-83 - Make sure /run/systemd/generator and system is labeled correctly on creation. - Additional access required by usbmuxd - Allow sensord read in /proc BZ(#1143799) --- policy-rawhide-base.patch | 7 ++- policy-rawhide-contrib.patch | 116 +++++++++++++++++++---------------- selinux-policy.spec | 7 ++- 3 files changed, 73 insertions(+), 57 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 24cc48b9..6c2ab50f 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -29122,7 +29122,7 @@ index bc0ffc8..7198bd9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..c4546e2 100644 +index 79a45f6..f142c45 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -30144,7 +30144,7 @@ index 79a45f6..c4546e2 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2380,470 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2380,473 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -30608,12 +30608,15 @@ index 79a45f6..c4546e2 100644 + type initrc_var_run_t; + type machineid_t; + type initctl_t; ++ type systemd_unit_file_t; + ') + + files_pid_filetrans($1, initrc_var_run_t, file, "utmp") + files_pid_filetrans($1, init_var_run_t, file, "random-seed") + files_etc_filetrans($1, machineid_t, file, "machine-id" ) + files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) ++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") ++ init_pid_filetrans($1, systemd_unit_file_t, dir, "system") +') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 17eda24..dd417eb 100644 diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 5a3fddc1..e5049a0c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -13983,10 +13983,10 @@ index 0000000..2b8cac8 + unconfined_domtrans(cockpit_session_t) +') diff --git a/collectd.fc b/collectd.fc -index 79a3abe..8d70290 100644 +index 79a3abe..3237fb0 100644 --- a/collectd.fc +++ b/collectd.fc -@@ -1,9 +1,11 @@ +@@ -1,9 +1,12 @@ /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) +/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0) @@ -13996,6 +13996,7 @@ index 79a3abe..8d70290 100644 /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0) ++/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0) -/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) +/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0) @@ -14182,10 +14183,10 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..e6d320a 100644 +index 6471fa8..1d00efb 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t) +@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) 
@@ -14215,9 +14216,12 @@ index 6471fa8..e6d320a 100644 manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +56,29 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) + files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) + manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) - files_pid_filetrans(collectd_t, collectd_var_run_t, file) +-files_pid_filetrans(collectd_t, collectd_var_run_t, file) ++manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) ++files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file }) -domain_use_interactive_fds(collectd_t) +kernel_read_all_sysctls(collectd_t) @@ -14227,8 +14231,7 @@ index 6471fa8..e6d320a 100644 -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) -+auth_getattr_passwd(collectd_t) -+auth_read_passwd(collectd_t) ++auth_use_nsswitch(collectd_t) + +corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_collectd_port(collectd_t) @@ -21265,7 +21268,7 @@ index 62d22cb..cbf09ce 100644 + files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') diff --git a/dbus.te b/dbus.te -index c9998c8..9c12159 100644 +index c9998c8..94ff984 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -21389,7 +21392,7 @@ index c9998c8..9c12159 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +122,162 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +122,165 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) 
@@ -21407,7 +21410,6 @@ index c9998c8..9c12159 100644 init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) -init_all_labeled_script_domtrans(system_dbusd_t) -+init_bin_domtrans_spec(system_dbusd_t) +init_domtrans_script(system_dbusd_t) +init_rw_stream_sockets(system_dbusd_t) +init_status(system_dbusd_t) @@ -21442,9 +21444,10 @@ index c9998c8..9c12159 100644 + +optional_policy(` + getty_start_services(system_dbusd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) + gnome_exec_gconf(system_dbusd_t) + gnome_read_inherited_home_icc_data_files(system_dbusd_t) +') @@ -21466,10 +21469,9 @@ index c9998c8..9c12159 100644 + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -21487,6 +21489,10 @@ index c9998c8..9c12159 100644 + # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc + xserver_read_inherited_xdm_lib_files(system_dbusd_t) +') ++ ++optional_policy(` ++ unconfined_server_domtrans(system_dbusd_t) ++') + ######################################## # @@ -21510,7 +21516,7 @@ index c9998c8..9c12159 100644 +init_rw_stream_sockets(system_bus_type) + +ps_process_pattern(system_dbusd_t, system_bus_type) - ++ +userdom_dontaudit_search_admin_dir(system_bus_type) +userdom_read_all_users_state(system_bus_type) + @@ -21525,7 +21531,7 @@ index c9998c8..9c12159 100644 +optional_policy(` + unconfined_dbus_send(system_bus_type) +') -+ + +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') 
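Review bot: The new optional_policy block in hunk `@@ -21487,6 +21489,10 @@` adds `unconfined_server_domtrans(system_dbusd_t)` with no comment, and none of the three changelog entries in this commit mentions dbus. Judging by the interface name this presumably lets services the system bus activates run in an unconfined domain, which is a broad grant for a daemon reachable by most of the system, so it should carry a why-comment naming the service that needs it, e.g. `# <SERVICE> is bus-activated and has no policy module of its own -- TODO confirm`. A matching changelog line in selinux-policy.spec would make the grant discoverable later.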
@@ -21566,7 +21572,7 @@ index c9998c8..9c12159 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +286,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +289,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -21591,7 +21597,7 @@ index c9998c8..9c12159 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +305,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +308,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -21599,7 +21605,7 @@ index c9998c8..9c12159 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +314,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +317,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -21641,7 +21647,7 @@ index c9998c8..9c12159 100644 ') ######################################## -@@ -244,5 +351,9 @@ optional_policy(` +@@ -244,5 +354,9 @@ optional_policy(` # Unconfined access to this module # @@ -91145,10 +91151,10 @@ index d204752..31cc6e6 100644 + ') ') diff --git a/sensord.te b/sensord.te -index 5e82fd6..64e130f 100644 +index 5e82fd6..d31876d 100644 --- a/sensord.te +++ b/sensord.te -@@ -9,27 +9,35 @@ type sensord_t; +@@ -9,27 +9,37 @@ type sensord_t; type sensord_exec_t; init_daemon_domain(sensord_t, sensord_exec_t) 
@@ -91180,10 +91186,12 @@ index 5e82fd6..64e130f 100644 manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t) files_pid_filetrans(sensord_t, sensord_var_run_t, file) - dev_read_sysfs(sensord_t) +-dev_read_sysfs(sensord_t) ++kernel_read_system_state(sensord_t) -files_read_etc_files(sensord_t) -- ++dev_read_sysfs(sensord_t) + logging_send_syslog_msg(sensord_t) -miscfiles_read_localization(sensord_t) @@ -94331,7 +94339,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..de9c4d9 100644 +index cc58e35..025b7d5 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) @@ -94635,7 +94643,7 @@ index cc58e35..de9c4d9 100644 ') ######################################## -@@ -167,72 +248,90 @@ optional_policy(` +@@ -167,72 +248,92 @@ optional_policy(` # Client local policy # @@ -94736,18 +94744,20 @@ index cc58e35..de9c4d9 100644 -auth_use_nsswitch(spamc_t) +fs_search_auto_mountpoints(spamc_t) ++ ++libs_exec_ldconfig(spamc_t) logging_send_syslog_msg(spamc_t) -miscfiles_read_localization(spamc_t) -- ++auth_use_nsswitch(spamc_t) + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamc_t) - fs_manage_nfs_files(spamc_t) - fs_manage_nfs_symlinks(spamc_t) -') -+auth_use_nsswitch(spamc_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamc_t) - fs_manage_cifs_files(spamc_t) @@ -94757,7 +94767,7 @@ index cc58e35..de9c4d9 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +342,7 @@ optional_policy(` +@@ -243,6 +344,7 @@ optional_policy(` ') optional_policy(` @@ -94765,7 +94775,7 @@ index cc58e35..de9c4d9 100644 evolution_stream_connect(spamc_t) ') -@@ -251,10 +351,16 @@ optional_policy(` +@@ -251,10 +353,16 @@ optional_policy(` ') optional_policy(` 
@@ -94783,7 +94793,7 @@ index cc58e35..de9c4d9 100644 sendmail_stub(spamc_t) ') -@@ -267,36 +373,38 @@ optional_policy(` +@@ -267,36 +375,38 @@ optional_policy(` ######################################## # @@ -94839,7 +94849,7 @@ index cc58e35..de9c4d9 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +416,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +418,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -94849,7 +94859,7 @@ index cc58e35..de9c4d9 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +426,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +428,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -94865,7 +94875,7 @@ index cc58e35..de9c4d9 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +441,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +443,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -94969,7 +94979,7 @@ index cc58e35..de9c4d9 100644 ') optional_policy(` -@@ -421,21 +512,13 @@ optional_policy(` +@@ -421,21 +514,13 @@ optional_policy(` ') optional_policy(` @@ -94993,7 +95003,7 @@ index cc58e35..de9c4d9 100644 ') optional_policy(` -@@ -443,8 +526,8 @@ optional_policy(` +@@ -443,8 +528,8 @@ optional_policy(` ') optional_policy(` 
@@ -95003,7 +95013,7 @@ index cc58e35..de9c4d9 100644 ') optional_policy(` -@@ -455,7 +538,17 @@ optional_policy(` +@@ -455,7 +540,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -95022,7 +95032,7 @@ index cc58e35..de9c4d9 100644 ') optional_policy(` -@@ -463,9 +556,9 @@ optional_policy(` +@@ -463,9 +558,9 @@ optional_policy(` ') optional_policy(` @@ -95033,7 +95043,7 @@ index cc58e35..de9c4d9 100644 ') optional_policy(` -@@ -474,32 +567,32 @@ optional_policy(` +@@ -474,32 +569,32 @@ optional_policy(` ######################################## # @@ -95076,7 +95086,7 @@ index cc58e35..de9c4d9 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +601,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +603,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -100978,7 +100988,7 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 34a8917..21add3e 100644 +index 34a8917..a6b9e84 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles; @@ -101004,9 +101014,10 @@ index 34a8917..21add3e 100644 # -allow usbmuxd_t self:capability { kill setgid setuid }; -+allow usbmuxd_t self:capability { chown kill setgid setuid }; +-allow usbmuxd_t self:process { signal signull }; ++allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid }; +dontaudit usbmuxd_t self:capability sys_resource; - allow usbmuxd_t self:process { signal signull }; ++allow usbmuxd_t self:process { signal_perms setrlimit }; allow usbmuxd_t self:fifo_file rw_fifo_file_perms; +allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow usbmuxd_t self:unix_stream_socket connectto; @@ -104104,7 +104115,7 @@ index facdee8..c43ef2e 100644 + typeattribute $1 sandbox_caps_domain; ') 
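Review bot: The capability line in hunk `@@ -101004,9 +101014,10 @@` grows from `{ chown kill setgid setuid }` to `{ fowner fsetid chown kill setgid setuid }` and `self:process` gains `setrlimit`, with only the changelog's "Additional access required by usbmuxd" as justification. fowner bypasses file-owner checks and fsetid keeps set-id bits across ownership changes, which goes beyond what a chown-then-drop-privileges startup usually needs, so the operation (or AVC denial) behind each one is worth recording. A comment such as `# fowner/fsetid: needed for <operation> on <path> -- TODO confirm against the denial` above the allow rule would let a later reviewer judge whether they still apply.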
diff --git a/virt.te b/virt.te -index f03dcf5..fe1bceb 100644 +index f03dcf5..e74f60a 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,227 @@ @@ -104889,7 +104900,7 @@ index f03dcf5..fe1bceb 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,22 +444,27 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +444,25 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -104917,11 +104928,8 @@ index f03dcf5..fe1bceb 100644 +fs_read_tmpfs_symlinks(virtd_t) fs_list_auto_mountpoints(virtd_t) --fs_getattr_all_fs(virtd_t) -+fs_getattr_xattr_fs(virtd_t) + fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) - fs_list_inotifyfs(virtd_t) - fs_manage_cgroup_dirs(virtd_t) @@ -601,15 +495,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6ee3ce09..541ac062 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 82%{?dist} +Release: 83%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Sep 22 2014 Lukas Vrabec 3.13.1-83 +- Make sure /run/systemd/generator and system is labeled correctly on creation. +- Additional access required by usbmuxd +- Allow sensord read in /proc BZ(#1143799) + * Thu Sep 18 2014 Miroslav Grepl 3.13.1-82 - Allow du running in logwatch_t read hwdata. - Allow sys_admin capability for antivirus domians. From 245c83ebf9d15cb00a79bff94f1443ccc729b2ef Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Tue, 30 Sep 2014 09:38:06 +0200 Subject: [PATCH 2/8] * Tue Sep 30 2014 Lukas Vrabec 3.13.1-84 - Allow all domains to read fonts - Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028) - Allow pki-tomcat to change SELinux object identity. - Allow radious to connect to apache ports to do OCSP check - Allow git cgi scripts to create content in /tmp - Allow cockpit-session to do GSSAPI logins. --- policy-rawhide-base.patch | 11 +++--- policy-rawhide-contrib.patch | 71 +++++++++++++++++++++++------------- selinux-policy.spec | 10 ++++- 3 files changed, 60 insertions(+), 32 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 6c2ab50f..24328464 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8827,7 +8827,7 @@ index 6a1e4d1..1b9b0b5 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..8fd98fc 100644 +index cf04cb5..16c88de 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -8926,7 +8926,7 @@ index cf04cb5..8fd98fc 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +173,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +173,19 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -8942,10 +8942,11 @@ index cf04cb5..8fd98fc 100644 +optional_policy(` + miscfiles_read_localization(domain) + miscfiles_read_man_pages(domain) ++ miscfiles_read_fonts(domain) ') optional_policy(` -@@ -133,6 +195,9 @@ optional_policy(` +@@ -133,6 +196,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) 
@@ -8955,7 +8956,7 @@ index cf04cb5..8fd98fc 100644 ') ######################################## -@@ -147,12 +212,18 @@ optional_policy(` +@@ -147,12 +213,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -8975,7 +8976,7 @@ index cf04cb5..8fd98fc 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +237,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e5049a0c..1999f982 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3623,7 +3623,7 @@ index 7caefc3..7e70f67 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..918ae86 100644 +index f6eb485..f6d065e 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3772,7 +3772,7 @@ index f6eb485..918ae86 100644 + manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) + manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) + -+ allow $1_script_t httpd_t:unix_stream_socket { accept getattr read write }; ++ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write }; + + # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` @@ -13887,10 +13887,10 @@ index 0000000..573dcae +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..2b8cac8 +index 0000000..4d89495 --- /dev/null 
+++ b/cockpit.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,98 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -13946,6 +13946,8 @@ index 0000000..2b8cac8 + +auth_use_nsswitch(cockpit_ws_t) + ++init_stream_connect(cockpit_ws_t) ++ +logging_send_syslog_msg(cockpit_ws_t) + +# cockpit-ws launches cockpit-session @@ -13956,6 +13958,11 @@ index 0000000..2b8cac8 +allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms; + +optional_policy(` ++ kerberos_use(cockpit_ws_t) ++ kerberos_etc_filetrans_keytab(cockpit_ws_t) ++') ++ ++optional_policy(` + ssh_read_user_home_files(cockpit_ws_t) +') + @@ -29646,7 +29653,7 @@ index 1e29af1..6c64f55 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index dc49c71..3ef1e93 100644 +index dc49c71..54df5e3 100644 --- a/git.te +++ b/git.te @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -29672,7 +29679,7 @@ index dc49c71..3ef1e93 100644 type git_system_t, git_daemon; type gitd_exec_t; -@@ -93,10 +86,10 @@ type git_session_t, git_daemon; +@@ -93,12 +86,15 @@ type git_session_t, git_daemon; userdom_user_application_domain(git_session_t, gitd_exec_t) role git_session_roles types git_session_t; @@ -29684,8 +29691,13 @@ index dc49c71..3ef1e93 100644 +type git_user_content_t alias git_session_content_t; userdom_user_home_content(git_user_content_t) ++type git_script_tmp_t; ++files_tmp_file(git_script_tmp_t) ++ ######################################## -@@ -110,6 +103,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) + # + # Session policy +@@ -110,6 +106,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) 
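Review bot: The new optional_policy block in hunk `@@ -13956,6 +13958,11 @@` grants `kerberos_etc_filetrans_keytab(cockpit_ws_t)`, which by its name appears to let the network-facing cockpit_ws_t domain create keytab-labelled files under /etc, while the commit message describes the change as letting cockpit-session do GSSAPI logins. If cockpit-ws only reads an existing host keytab for the Negotiate exchange, `kerberos_use(cockpit_ws_t)` alone may be sufficient; that is worth confirming against the actual denial before keeping the filetrans. Either way a comment above the block, e.g. `# GSSAPI (Negotiate) login: cockpit-ws reads the host keytab -- TODO confirm whether it also creates one`, would document the intent.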
@@ -29694,7 +29706,7 @@ index dc49c71..3ef1e93 100644 corenet_all_recvfrom_netlabel(git_session_t) corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) -@@ -130,9 +125,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` +@@ -130,9 +128,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` corenet_tcp_sendrecv_all_ports(git_session_t) ') @@ -29705,7 +29717,7 @@ index dc49c71..3ef1e93 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(git_session_t) -@@ -158,6 +151,9 @@ tunable_policy(`use_samba_home_dirs',` +@@ -158,6 +154,9 @@ tunable_policy(`use_samba_home_dirs',` list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) 
@@ -29715,31 +29727,34 @@ index dc49c71..3ef1e93 100644 corenet_all_recvfrom_unlabeled(git_system_t) corenet_all_recvfrom_netlabel(git_system_t) corenet_tcp_sendrecv_generic_if(git_system_t) -@@ -176,6 +172,10 @@ logging_send_syslog_msg(git_system_t) +@@ -176,6 +175,10 @@ logging_send_syslog_msg(git_system_t) tunable_policy(`git_system_enable_homedirs',` userdom_search_user_home_dirs(git_system_t) -+ list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t) ++ list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t) + list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t) + read_files_pattern(git_system_t, git_user_content_t, git_user_content_t) + ') tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` -@@ -215,48 +215,48 @@ tunable_policy(`git_system_use_nfs',` +@@ -215,48 +218,52 @@ tunable_policy(`git_system_use_nfs',` # CGI policy # -list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -files_search_var_lib(httpd_git_script_t) ++manage_dirs_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t) ++manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t) ++manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t) ++files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir }) + +-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +files_search_var_lib(git_script_t) --files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) -+files_dontaudit_getattr_tmp_dirs(git_script_t) - -auth_use_nsswitch(httpd_git_script_t) +auth_use_nsswitch(git_script_t) 
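Review bot: The renamed rule `list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t)` in hunk `@@ -29715,31 +29727,34 @@` still sits inside the tunable_policy block for git_system_enable_homedirs next to the git_system_t rules, so the CGI domain's access to users' git content is toggled by the system-daemon boolean rather than by git_cgi_enable_homedirs, which this file section uses for the other git_script_t home-directory rules. The commit only changes the domain name, so the mismatch survives it; moving that one line into the git_cgi_enable_homedirs block keeps each boolean controlling its own domain. The git_cgi_enable_homedirs block itself starts outside this hunk.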
@@ -29748,6 +29763,7 @@ index dc49c71..3ef1e93 100644 + userdom_search_user_home_dirs(git_script_t) ') ++fs_getattr_tmpfs(git_script_t) tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` - fs_getattr_nfs(httpd_git_script_t) - fs_list_nfs(httpd_git_script_t) @@ -29797,7 +29813,7 @@ index dc49c71..3ef1e93 100644 ') ######################################## -@@ -266,12 +266,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -266,12 +273,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; @@ -65027,10 +65043,10 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..0cb8f0a +index 0000000..995cc23 --- /dev/null +++ b/pki.te -@@ -0,0 +1,280 @@ +@@ -0,0 +1,281 @@ +policy_module(pki,10.0.11) + +######################################## @@ -65063,6 +65079,7 @@ index 0000000..0cb8f0a +miscfiles_cert_type(pki_tomcat_cert_t) + +tomcat_domain_template(pki_tomcat) ++domain_obj_id_change_exemption(pki_tomcat_t) + +type pki_tomcat_unit_file_t; +systemd_unit_file(pki_tomcat_unit_file_t) @@ -76560,7 +76577,7 @@ index 2c3d338..7d49554 100644 init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..8c4255e 100644 +index dc3b0ed..42203ed 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2) @@ -76594,7 +76611,7 @@ index dc3b0ed..8c4255e 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -27,98 +31,81 @@ files_pid_file(rabbitmq_var_run_t) +@@ -27,98 +31,82 @@ files_pid_file(rabbitmq_var_run_t) ###################################### # 
@@ -76700,6 +76717,7 @@ index dc3b0ed..8c4255e 100644 + +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) ++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file }) + +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t) @@ -76845,7 +76863,7 @@ index 4460582..60cf556 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..de6f803 100644 +index 403a4fe..8fc3712 100644 --- a/radius.te +++ b/radius.te @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) @@ -76871,16 +76889,17 @@ index 403a4fe..de6f803 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) +@@ -74,6 +77,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) +corenet_tcp_connect_postgresql_port(radiusd_t) ++corenet_tcp_connect_http_port(radiusd_t) + corenet_sendrecv_radacct_server_packets(radiusd_t) corenet_udp_bind_radacct_port(radiusd_t) -@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t) +@@ -97,7 +103,6 @@ domain_use_interactive_fds(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) @@ -76888,7 +76907,7 @@ index 403a4fe..de6f803 100644 files_read_etc_runtime_files(radiusd_t) files_dontaudit_list_tmp(radiusd_t) -@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t) +@@ -109,7 +114,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -76896,7 +76915,7 @@ index 403a4fe..de6f803 100644 miscfiles_read_generic_certs(radiusd_t) sysnet_use_ldap(radiusd_t) -@@ -122,6 +125,11 @@ optional_policy(` +@@ -122,6 +126,11 @@ optional_policy(` ') optional_policy(` 
@@ -76908,7 +76927,7 @@ index 403a4fe..de6f803 100644 logrotate_exec(radiusd_t) ') -@@ -140,5 +148,10 @@ optional_policy(` +@@ -140,5 +149,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 541ac062..a7730c19 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 83%{?dist} +Release: 84%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Sep 30 2014 Lukas Vrabec 3.13.1-84 +- Allow all domains to read fonts +- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028) +- Allow pki-tomcat to change SELinux object identity. +- Allow radious to connect to apache ports to do OCSP check +- Allow git cgi scripts to create content in /tmp +- Allow cockpit-session to do GSSAPI logins. + * Mon Sep 22 2014 Lukas Vrabec 3.13.1-83 - Make sure /run/systemd/generator and system is labeled correctly on creation. - Additional access required by usbmuxd From 98ab4a3d8041bc4f2fd90457eadff62d1fde935b Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 6 Oct 2014 13:05:03 +0200 Subject: [PATCH 3/8] Activated module brltty policy --- modules-targeted-contrib.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 4aadcd07..01595edb 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2467,3 +2467,10 @@ gear = module # naemon policy # naemon = module + +# Layer: contrib +# Module: brltty +# +# brltty policy +# +brltty = module From dbbe68629e46150eb777230b3695156f9a46f6b3 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Mon, 6 Oct 2014 13:10:48 +0200 Subject: [PATCH 4/8] Add brltty policy to permissive policies. --- permissivedomains.pp | Bin 75691 -> 77519 bytes permissivedomains.te | 7 +++++++ 2 files changed, 7 insertions(+) diff --git a/permissivedomains.pp b/permissivedomains.pp index a03fff4fdab3f7ab2154179a9a9d78a047a1f3ad..8b0ccf4a4dd5b9c38b8fca8a8c455a25a9413fc7 100644 GIT binary patch delta 162 zcmZ2|p5^>q7NP$CH9r{{7#NsR delta 66 zcmX?qmu2;N7NP$CH9r{{7#Ns diff --git a/permissivedomains.te b/permissivedomains.te index 1db0deac..048c6b84 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -55,3 +55,10 @@ optional_policy(` ') permissive naemon_t; ') + +optional_policy(` + gen_require(` + type brltty_t; + ') + permissive brltty_t; +') From 1e232a7f1c2e9ff6c328f285b138ecf143e8f9b1 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 6 Oct 2014 15:21:58 +0200 Subject: [PATCH 5/8] Activate cpuplug policy --- modules-targeted-contrib.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 01595edb..551dc4d2 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2474,3 +2474,10 @@ naemon = module # brltty policy # brltty = module + +# Layer: contrib +# Module: cpuplug +# +# cpuplug policy +# +cpuplug = module From d805f9bbca0c1a8342fa96bc541b53765167c16b Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 6 Oct 2014 15:23:35 +0200 Subject: [PATCH 6/8] Make cpuplug policy permissive --- permissivedomains.pp | Bin 77519 -> 79349 bytes permissivedomains.te | 7 +++++++ 2 files changed, 7 insertions(+) diff --git a/permissivedomains.pp b/permissivedomains.pp index 8b0ccf4a4dd5b9c38b8fca8a8c455a25a9413fc7..f06a07b3e696df21787e035d32984479767b1633 100644 GIT binary patch delta 149 zcmX?qm*wkg7NP$CH9r{{7#NseVw=37iDmQK f1HG(_T$8JhNsEC@NQP*RF9GQQ>)Jf|m`w%%nTRPU delta 141 zcmezRn&tdm7NP$CH9r{{7#Ns&)Q@F0MFhehX4Qo 
diff --git a/permissivedomains.te b/permissivedomains.te index 048c6b84..32d5d868 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -62,3 +62,10 @@ optional_policy(` ') permissive brltty_t; ') + +optional_policy(` + gen_require(` + type cpuplug_t; + ') + permissive cpuplug_t; +') From cf8979858613137cc8306d69d6a984b982795908 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 6 Oct 2014 16:53:41 +0200 Subject: [PATCH 7/8] * Mon Oct 06 2014 Lukas Vrabec 3.13.1-85 - Allow nova domains to getattr on all filesystems. - ALlow zebra for user/group look-ups. - Allow lsmd to search own plguins. - Allow sssd to read selinux config to add SELinux user mapping. - Allow swift to connect to all ephemeral ports by default. - Allow NetworkManager to create Bluetooth SDP sockets - Allow keepalived manage snmp var lib sock files. BZ(1102228) - Added policy for blrtty. BZ(1083162) - Allow rhsmcertd manage rpm db. BZ(#1134173) - Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173) - Label /usr/libexec/rhsmd as rhsmcertd_exec_t - Fix broken interfaces - Added sendmail_domtrans_unconfined interface - Added support for cpuplug. BZ (#1077831) - Fix bug in drbd policy, BZ (#1134883) - Make keystone_cgi_script_t domain. BZ (#1138424) - fix dev_getattr_generic_usb_dev interface - Label 4101 tcp port as brlp port - Allow libreswan to connect to VPN via NM-libreswan. - Add userdom_manage_user_tmpfs_files interface --- policy-rawhide-base.patch | 255 ++++++++-------- policy-rawhide-contrib.patch | 563 ++++++++++++++++++++++++++++------- selinux-policy.spec | 24 +- 3 files changed, 596 insertions(+), 246 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 24328464..35c1045b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5466,7 +5466,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` 
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..6b99aea 100644 +index b191055..04e9cc8 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5540,7 +5540,7 @@ index b191055..6b99aea 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) @@ -5557,6 +5557,7 @@ index b191055..6b99aea 100644 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) ++network_port(brlp, tcp,4101,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) +network_port(collectd, udp,25826,s0) @@ -5617,7 +5618,7 @@ index b191055..6b99aea 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +176,54 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +177,54 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) 
@@ -5686,7 +5687,7 @@ index b191055..6b99aea 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +231,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +232,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5727,7 +5728,7 @@ index b191055..6b99aea 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -213,68 +268,79 @@ network_port(postgrey, tcp,60000,s0)
+@@ -213,68 +269,79 @@ network_port(postgrey, tcp,60000,s0)
network_port(pptp, tcp,1723,s0, udp,1723,s0)
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@@ -5739,9 +5740,11 @@ index b191055..6b99aea 100644
network_port(puppet, tcp, 8140, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
+-network_port(radacct, udp,1646,s0, udp,1813,s0)
+-network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
- network_port(radacct, udp,1646,s0, udp,1813,s0)
- network_port(radius, udp,1645,s0, udp,1812,s0)
++network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
++network_port(radius, udp,1645,s0, tpc,1645,s0, tcp,1812,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
+network_port(time, tcp,37,s0, udp,37,s0)
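Review bot: The new radius line in the corenetwork.te.in hunk spells the protocol `tpc`: `network_port(radius, udp,1645,s0, tpc,1645,s0, tcp,1812,s0, udp,1812,s0)`. That token is not a protocol the network_port macro or checkpolicy knows, so the intended tcp/1645 port label is either a build error or silently absent, depending on how the macro expands an unknown protocol; the line should read `network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0)`. The companion radacct line in the same hunk is spelled correctly and can serve as the template.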
@@ -5818,7 +5821,7 @@ index b191055..6b99aea 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +354,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +355,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5845,7 +5848,7 @@ index b191055..6b99aea 100644 ######################################## # -@@ -333,6 +403,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +404,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5854,7 +5857,7 @@ index b191055..6b99aea 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +417,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +418,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -6019,7 +6022,7 @@ index b31c054..5e37a40 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..a3c0103 100644 +index 76f285e..03d4787 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -7297,6 +7300,15 @@ index 76f285e..a3c0103 100644 ## Getattr generic the USB devices. ## ## +@@ -4123,7 +4766,7 @@ interface(`dev_write_urand',` + # + interface(`dev_getattr_generic_usb_dev',` + gen_require(` +- type usb_device_t; ++ type usb_device_t,device_t; + ') + + getattr_chr_files_pattern($1, device_t, usb_device_t) @@ -4409,9 +5052,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -32274,7 +32286,7 @@ index 0d4c8d3..e6ffda3 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..3c62b4c 100644 +index 312cd04..efe343f 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -32459,7 +32471,15 @@ index 312cd04..3c62b4c 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +314,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -269,6 +305,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) + files_read_etc_files(ipsec_mgmt_t) + files_exec_etc_files(ipsec_mgmt_t) + files_read_etc_runtime_files(ipsec_mgmt_t) ++files_list_kernel_modules(ipsec_mgmt_t) + files_read_usr_files(ipsec_mgmt_t) + files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) + files_dontaudit_getattr_default_files(ipsec_mgmt_t) +@@ -278,9 +315,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -32471,7 +32491,7 @@ index 312cd04..3c62b4c 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +325,23 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +326,23 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -32500,7 +32520,7 @@ index 312cd04..3c62b4c 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +365,10 @@ optional_policy(` +@@ -322,6 +366,10 @@ optional_policy(` ') optional_policy(` 
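Review bot: The corrected gen_require line in dev_getattr_generic_usb_dev is written `type usb_device_t,device_t;`, without the space after the comma that refpolicy uses for multi-type require lists; `type usb_device_t, device_t;` keeps the interface consistent and greppable. The fix itself is right, since the `getattr_chr_files_pattern($1, device_t, usb_device_t)` call below already depends on device_t being required.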
@@ -32511,7 +32531,7 @@ index 312cd04..3c62b4c 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +382,7 @@ optional_policy(` +@@ -335,7 +383,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -32520,7 +32540,7 @@ index 312cd04..3c62b4c 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +417,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +418,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -32540,7 +32560,7 @@ index 312cd04..3c62b4c 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +447,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +448,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -32553,7 +32573,7 @@ index 312cd04..3c62b4c 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +484,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +485,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -43072,7 +43092,7 @@ index db75976..1ee08ec 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..3104d12 100644 +index 9dc60c6..d04015e 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -45704,15 +45724,35 @@ index 9dc60c6..3104d12 100644 ## ## ## -@@ -2692,19 +3517,43 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3517,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') +- +- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +- allow $1 user_tmpfs_t:dir list_dir_perms; +- fs_search_tmpfs($1) + refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.') + userdom_rw_user_tmp_files($1) + ') + + ######################################## + ## +-## Create, read, write, and delete user tmpfs files. ++## Manage user tmpfs files. + ## + ## + ## +@@ -2713,13 +3532,56 @@ interface(`userdom_rw_user_tmpfs_files',` + ## + # + interface(`userdom_manage_user_tmpfs_files',` ++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.') ++ userdom_manage_user_tmp_files($1) +') + +######################################## @@ -45729,11 +45769,7 @@ index 9dc60c6..3104d12 100644 + refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.') + userdom_rw_inherited_user_tmp_files($1) +') - -- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -- allow $1 user_tmpfs_t:dir list_dir_perms; -- fs_search_tmpfs($1) ++ +######################################## +## +## Execute user tmpfs files. 
@@ -45747,20 +45783,18 @@ index 9dc60c6..3104d12 100644 +interface(`userdom_execute_user_tmpfs_files',` + refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.') + userdom_execute_user_tmp_files($1) - ') - - ######################################## - ## --## Create, read, write, and delete user tmpfs files. ++') ++ ++######################################## ++## +## Execute user tmpfs files. - ## - ## - ## -@@ -2712,14 +3561,12 @@ interface(`userdom_rw_user_tmpfs_files',` - ## - ## - # --interface(`userdom_manage_user_tmpfs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_execute_user_tmp_files',` gen_require(` - type user_tmpfs_t; @@ -45774,7 +45808,7 @@ index 9dc60c6..3104d12 100644 ') ######################################## -@@ -2814,6 +3661,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3676,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -45799,7 +45833,7 @@ index 9dc60c6..3104d12 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3697,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3712,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -45842,7 +45876,7 @@ index 9dc60c6..3104d12 100644 ## ## ## -@@ -2856,14 +3733,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3748,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -45880,7 +45914,7 @@ index 9dc60c6..3104d12 100644 ') ######################################## -@@ -2882,8 +3778,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3793,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') 
@@ -45910,7 +45944,7 @@ index 9dc60c6..3104d12 100644 ') ######################################## -@@ -2955,69 +3870,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3885,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -46011,7 +46045,7 @@ index 9dc60c6..3104d12 100644 ## ## ## -@@ -3025,12 +3939,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3954,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -46026,7 +46060,7 @@ index 9dc60c6..3104d12 100644 ') ######################################## -@@ -3094,7 +4008,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4023,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -46035,7 +46069,7 @@ index 9dc60c6..3104d12 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4024,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4039,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -46069,7 +46103,7 @@ index 9dc60c6..3104d12 100644 ') ######################################## -@@ -3214,7 +4112,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4127,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -46096,7 +46130,7 @@ index 9dc60c6..3104d12 100644 ') ######################################## -@@ -3269,12 +4185,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4200,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46112,7 +46146,7 @@ index 9dc60c6..3104d12 100644 ## ## ## -@@ -3282,54 +4199,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,46 +4214,122 @@ interface(`userdom_write_user_tmp_files',` ## ## # 
@@ -46170,54 +46204,45 @@ index 9dc60c6..3104d12 100644 gen_require(` - attribute userdomain; + type user_tmp_t; - ') - -- allow $1 userdomain:process getattr; ++ ') ++ + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Inherit the file descriptors from all user domains ++') ++ ++######################################## ++## +## Allow domain to read/write inherited users +## fifo files. - ## - ## - ## -@@ -3337,18 +4256,17 @@ interface(`userdom_getattr_all_users',` - ## - ## - # --interface(`userdom_use_all_users_fds',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_rw_inherited_user_pipes',` - gen_require(` - attribute userdomain; - ') - -- allow $1 userdomain:fd use; ++ gen_require(` ++ attribute userdomain; ++ ') ++ + allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to inherit the file --## descriptors from any user domains. ++') ++ ++######################################## ++## +## Do not audit attempts to use user ttys. - ## - ## - ## -@@ -3356,12 +4274,87 @@ interface(`userdom_use_all_users_fds',` - ## - ## - # --interface(`userdom_dontaudit_use_all_users_fds',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`userdom_dontaudit_use_user_ttys',` - gen_require(` -- attribute userdomain; ++ gen_require(` + type user_tty_device_t; - ') - -- dontaudit $1 userdomain:fd use; ++ ') ++ + dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; +') + 
@@ -46254,50 +46279,10 @@ index 9dc60c6..3104d12 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process getattr; -+') -+ -+######################################## -+## -+## Inherit the file descriptors from all user domains -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_use_all_users_fds',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:fd use; -+') -+ -+######################################## -+## -+## Do not audit attempts to inherit the file -+## descriptors from any user domains. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_use_all_users_fds',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ dontaudit $1 userdomain:fd use; - ') + ') - ######################################## -@@ -3382,6 +4375,42 @@ interface(`userdom_signal_all_users',` + allow $1 userdomain:process getattr; +@@ -3382,6 +4390,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -46340,7 +46325,7 @@ index 9dc60c6..3104d12 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4431,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4446,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -46401,7 +46386,7 @@ index 9dc60c6..3104d12 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4518,1686 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4533,1686 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 1999f982..8299b969 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -538,7 +538,7 @@ index 058d908..2f6c3a9 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..0a78b7e 100644 +index eb50f07..95bf222 100644 --- a/abrt.te 
+++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -686,7 +686,7 @@ index eb50f07..0a78b7e 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -125,41 +135,47 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -125,48 +135,54 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -740,6 +740,14 @@ index eb50f07..0a78b7e 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) + dev_read_rand(abrt_t) + dev_read_urand(abrt_t) + dev_rw_sysfs(abrt_t) +-dev_dontaudit_read_raw_memory(abrt_t) ++dev_read_raw_memory(abrt_t) + + domain_getattr_all_domains(abrt_t) + domain_read_all_domains_state(abrt_t) @@ -176,29 +192,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) 
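Review bot: The abrt.te hunk replaces `dev_dontaudit_read_raw_memory(abrt_t)` with `dev_read_raw_memory(abrt_t)`, which moves from silencing the denial to granting abrt read access on the raw memory devices (memory_device_t), and the PATCH 7 commit message does not list this change. A dontaudit normally records that the access was judged unneeded noise, so the allow deserves a comment naming the abrt component and operation that actually reads raw memory (`# dev_read_raw_memory: <component> — TODO confirm against the AVC`); if it was added only to clear an AVC, the dontaudit should be kept instead. The enclosing abrt_t policy continues outside this hunk.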
@@ -10307,6 +10315,159 @@ index c5a9113..6ad8ccb 100644 optional_policy(` xen_append_log(brctl_t) xen_dontaudit_rw_unix_stream_sockets(brctl_t) +diff --git a/brltty.fc b/brltty.fc +new file mode 100644 +index 0000000..d541924 +--- /dev/null ++++ b/brltty.fc +@@ -0,0 +1,6 @@ ++/usr/lib/systemd/system/brltty.* -- gen_context(system_u:object_r:brltty_unit_file_t,s0) ++ ++/usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0) ++ ++/var/lib/BrlAPI(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0) ++ +diff --git a/brltty.if b/brltty.if +new file mode 100644 +index 0000000..b552259 +--- /dev/null ++++ b/brltty.if +@@ -0,0 +1,79 @@ ++ ++## brltty is refreshable braille display driver for Linux/Unix ++ ++######################################## ++## ++## Execute brltty in the brltty domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`brltty_domtrans',` ++ gen_require(` ++ type brltty_t, brltty_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, brltty_exec_t, brltty_t) ++') ++######################################## ++## ++## Execute brltty server in the brltty domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`brltty_systemctl',` ++ gen_require(` ++ type brltty_t; ++ type brltty_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 brltty_unit_file_t:file read_file_perms; ++ allow $1 brltty_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, brltty_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an brltty environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`brltty_admin',` ++ gen_require(` ++ type brltty_t; ++ type brltty_unit_file_t; ++ ') ++ ++ allow $1 brltty_t:process { signal_perms }; ++ ps_process_pattern($1, brltty_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 brltty_t:process ptrace; ++ ') ++ ++ brltty_systemctl($1) ++ admin_pattern($1, brltty_unit_file_t) ++ allow $1 brltty_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/brltty.te b/brltty.te +new file mode 100644 +index 0000000..d1b76d8 +--- /dev/null ++++ b/brltty.te +@@ -0,0 +1,50 @@ ++policy_module(brltty, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type brltty_t; ++type brltty_exec_t; ++init_daemon_domain(brltty_t, brltty_exec_t) ++ ++type brltty_var_lib_t; ++files_type(brltty_var_lib_t) ++ ++type brltty_unit_file_t; ++systemd_unit_file(brltty_unit_file_t) ++ ++######################################## ++# ++# brltty local policy ++# ++allow brltty_t self:capability { sys_admin sys_tty_config }; ++allow brltty_t self:process { fork signal_perms }; ++ ++allow brltty_t self:fifo_file rw_fifo_file_perms; ++allow brltty_t self:unix_stream_socket create_stream_socket_perms; ++allow brltty_t self:tcp_socket listen; ++ ++manage_dirs_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t) ++manage_files_pattern(brltty_t, brltty_var_lib_t, brltty_var_lib_t) ++manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t) ++files_var_lib_filetrans(brltty_t, brltty_var_lib_t, {file sock_file dir}) ++ ++kernel_read_system_state(brltty_t) ++kernel_read_usermodehelper_state(brltty_t) ++ ++auth_use_nsswitch(brltty_t) ++ ++corenet_tcp_bind_brlp_port(brltty_t) ++ ++dev_read_sysfs(brltty_t) ++dev_getattr_generic_usb_dev(brltty_t) ++ ++logging_send_syslog_msg(brltty_t) ++ ++modutils_domtrans_insmod(brltty_t) ++ ++sysnet_dns_name_resolve(brltty_t) ++ 
++term_use_unallocated_ttys(brltty_t) diff --git a/bugzilla.fc b/bugzilla.fc index fce0b6e..9efceac 100644 --- a/bugzilla.fc @@ -14190,7 +14351,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..1d00efb 100644 +index 6471fa8..74ffeda 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,59 @@ files_type(collectd_var_lib_t) @@ -14212,7 +14373,7 @@ index 6471fa8..1d00efb 100644 # -allow collectd_t self:capability { ipc_lock sys_nice }; -+allow collectd_t self:capability { ipc_lock net_admin sys_nice }; ++allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override }; allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; 
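Review bot: brltty.te grants `allow brltty_t self:capability { sys_admin sys_tty_config };` with no comment on which operation needs sys_admin, the broadest capability in the set; the console and device work visible below is the kind usually covered by sys_tty_config plus the term_* and dev_* rules, so a one-line justification (`# sys_admin: <operation seen in the AVC> — TODO confirm`) or removal after an enforcing-mode test is warranted. The socket rule `allow brltty_t self:tcp_socket listen;` grants listen alone; unless the listening socket is inherited, the daemon also needs create/bind/accept, e.g. `allow brltty_t self:tcp_socket create_stream_socket_perms;` next to corenet_tcp_bind_brlp_port, and the gap is easy to miss while brltty_t is still listed in permissivedomains.te. The interface summary in brltty.if says "domin" for "domain" (cpuplug.if has the same typo), and `manage_sock_files_pattern(brltty_t,brltty_var_lib_t, brltty_var_lib_t)` is missing the space after its first argument.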
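Review bot: The collectd.te hunk widens the daemon's capability set to `allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override };`; dac_override lets collectd bypass file-mode checks on everything its type rules already reach, and neither it nor sys_ptrace is mentioned in the commit message. If these come from particular collectd plugins (the hunk does not say), a comment naming them (`# sys_ptrace/dac_override: needed by <plugin> — TODO confirm`) would let the grant be revisited, and dac_read_search is the smaller capability when the need is only to read root-owned files rather than write them.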
@@ -16463,6 +16624,86 @@ index 6cedb87..530e250 100644
+optional_policy(`
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
+diff --git a/cpuplug.fc b/cpuplug.fc
+new file mode 100644
+index 0000000..be203ff
+--- /dev/null
++++ b/cpuplug.fc
+@@ -0,0 +1,3 @@
++/etc/rc.d/init.d/cpuplugd -- gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)
++
++/usr/sbin/cpuplugd -- gen_context(system_u:object_r:cpuplug_exec_t,s0)
+diff --git a/cpuplug.if b/cpuplug.if
+new file mode 100644
+index 0000000..c68d1d3
+--- /dev/null
++++ b/cpuplug.if
+@@ -0,0 +1,20 @@
++## cpuplugd - Linux on System z CPU and memory hotplug daemon
++
++########################################
++##
++## Execute cpuplug in the cpuplug domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`cpuplug_domtrans',`
++ gen_require(`
++ type cpuplug_t, cpuplug_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, cpuplug_exec_t, cpuplug_t)
++')
+diff --git a/cpuplug.te b/cpuplug.te
+new file mode 100644
+index 0000000..11361fc
+--- /dev/null
++++ b/cpuplug.te
+@@ -0,0 +1,39 @@
++policy_module(cpuplug, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cpuplug_t;
++type cpuplug_exec_t;
++init_daemon_domain(cpuplug_t, cpuplug_exec_t)
++
++type cpuplug_initrc_exec_t;
++init_script_file(cpuplug_initrc_exec_t)
++
++type cpuplug_lock_t;
++files_lock_file(cpuplug_lock_t)
++
++type cpuplug_var_run_t;
++files_pid_file(cpuplug_var_run_t)
++
++########################################
++#
++# cpuplug local policy
++#
++allow cpuplug_t self:fifo_file rw_fifo_file_perms;
++allow cpuplug_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(cpuplug_t, cpuplug_lock_t, cpuplug_lock_t)
++files_lock_filetrans(cpuplug_t, cpuplug_lock_t, { file })
++
++manage_files_pattern(cpuplug_t, cpuplug_var_run_t, cpuplug_var_run_t)
++files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
++
++kernel_read_system_state(cpuplug_t)
++
++dev_rw_sysfs(cpuplug_t) ++ ++logging_send_syslog_msg(cpuplug_t) ++ diff --git a/cron.fc b/cron.fc index ad0bae9..615a947 100644 --- a/cron.fc @@ -25874,10 +26115,24 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc..fa9ba56 100644 +index f2516cc..5138658 100644 --- a/drbd.te +++ b/drbd.te -@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config; +@@ -18,17 +18,20 @@ files_type(drbd_var_lib_t) + type drbd_lock_t; + files_lock_file(drbd_lock_t) + ++type drbd_tmp_t; ++files_tmp_file(drbd_tmp_t) ++ + ######################################## + # + # Local policy + # + +-allow drbd_t self:capability { kill net_admin }; ++allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin }; + dontaudit drbd_t self:capability sys_tty_config; allow drbd_t self:fifo_file rw_fifo_file_perms; allow drbd_t self:unix_stream_socket create_stream_socket_perms; allow drbd_t self:netlink_socket create_socket_perms; @@ -25886,10 +26141,21 @@ index f2516cc..fa9ba56 100644 manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -@@ -42,14 +42,16 @@ can_exec(drbd_t, drbd_exec_t) +@@ -38,18 +41,32 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) + manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t) + files_lock_filetrans(drbd_t, drbd_lock_t, file) + +-can_exec(drbd_t, drbd_exec_t) ++manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t) ++manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t) ++files_tmp_filetrans(drbd_t, drbd_tmp_t, dir) kernel_read_system_state(drbd_t) ++auth_read_passwd(drbd_t) ++ ++can_exec(drbd_t, drbd_exec_t) ++ +corecmd_exec_bin(drbd_t) + dev_read_rand(drbd_t) 
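Review bot: cpuplug.fc leaves the dots in `/etc/rc.d/init.d/cpuplugd` unescaped; file-context paths are regular expressions, so each `.` matches any character, and the entry should read `/etc/rc\.d/init\.d/cpuplugd -- gen_context(system_u:object_r:cpuplug_initrc_exec_t,s0)`. cpuplug.te grants `dev_rw_sysfs(cpuplug_t)`, which is read/write on all of sysfs rather than only the CPU and memory hotplug nodes; a comment stating that this is how the daemon toggles CPUs on and off would document why the broad interface was chosen (presumably there is no narrower one, but the hunk does not say). The interface summary in cpuplug.if reads "domin" for "domain".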
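Review bot: The drbd.te hunk widens the capability line to `allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin };`, and the commit message only says "Fix bug in drbd policy, BZ (#1134883)". With dac_read_search present, dac_override is only needed when the daemon must write to or create under files it does not own, so it is worth checking whether the denial behind the bug was a read, in which case dac_read_search alone suffices; sys_admin is the broadest capability here and should carry a comment naming the operation (`# sys_admin: <operation from BZ 1134883> — TODO confirm`). The drbd_t local policy continues into the following hunks.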
@@ -25897,15 +26163,21 @@ index f2516cc..fa9ba56 100644 dev_read_urand(drbd_t) -files_read_etc_files(drbd_t) -- - storage_raw_read_fixed_disk(drbd_t) ++logging_send_syslog_msg(drbd_t) --miscfiles_read_localization(drbd_t) -+auth_read_passwd(drbd_t) -+ +-storage_raw_read_fixed_disk(drbd_t) +modutils_exec_insmod(drbd_t) +-miscfiles_read_localization(drbd_t) ++storage_raw_read_fixed_disk(drbd_t) + sysnet_dns_name_resolve(drbd_t) ++ ++optional_policy(` ++ rhcs_read_log_cluster(drbd_t) ++ rhcs_rw_cluster_tmpfs(drbd_t) ++ rhcs_manage_cluster_lib_files(drbd_t) ++') diff --git a/dspam.fc b/dspam.fc index 5eddac5..b5fcb77 100644 --- a/dspam.fc @@ -38111,10 +38383,10 @@ index 0000000..0d61849 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..a5b2f96 +index 0000000..ad2d023 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,57 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -38169,6 +38441,8 @@ index 0000000..a5b2f96 + +optional_policy(` + snmp_manage_var_lib_files(keepalived_t) ++ snmp_manage_var_lib_sock_files(keepalived_t) ++ snmp_manage_var_lib_dirs(keepalived_t) +') diff --git a/kerberos.fc b/kerberos.fc index 4fe75fd..b029c28 100644 @@ -39583,7 +39857,7 @@ index e88fb16..f20248c 100644 + ') ') diff --git a/keystone.te b/keystone.te -index 9929647..eea253d 100644 +index 9929647..4a4ccf1 100644 --- a/keystone.te +++ b/keystone.te @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t) @@ -39618,7 +39892,7 @@ index 9929647..eea253d 100644 can_exec(keystone_t, keystone_tmp_t) kernel_read_system_state(keystone_t) -@@ -57,20 +68,36 @@ corenet_all_recvfrom_netlabel(keystone_t) +@@ -57,20 +68,53 @@ corenet_all_recvfrom_netlabel(keystone_t) corenet_tcp_sendrecv_generic_if(keystone_t) corenet_tcp_sendrecv_generic_node(keystone_t) corenet_tcp_bind_generic_node(keystone_t) 
@@ -39656,6 +39930,23 @@ index 9929647..eea253d 100644 + +optional_policy(` + rpm_exec(keystone_t) ++') ++ ++####################################### ++# ++# Cgi local policy ++# ++ ++optional_policy(` ++ apache_content_template(keystone_cgi) ++ apache_content_alias_template(keystone_cgi, keystone_cgi) ++ ++ getattr_dirs_pattern(keystone_cgi_script_t, keystone_var_lib_t, keystone_var_lib_t) ++ ++ read_files_pattern(keystone_cgi_script_t, keystone_log_t, keystone_log_t) ++ ++ corenet_tcp_bind_commplex_main_port(keystone_t) ++ corenet_tcp_sendrecv_commplex_main_port(keystone_t) ') diff --git a/kismet.if b/kismet.if index aa2a337..7ff229f 100644 @@ -42534,7 +42825,7 @@ index d314333..da30c5d 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..0f702df 100644 +index 4ec0eea..2eaa558 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -42569,11 +42860,12 @@ index 4ec0eea..0f702df 100644 ######################################## # # Local policy -@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,48 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) +corecmd_exec_bin(lsmd_t) ++corecmd_getattr_all_executables(lsmd_t) + logging_send_syslog_msg(lsmd_t) + @@ -49840,7 +50132,7 @@ index ed81cac..837a43a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..c8070da 100644 +index ff1d68c..bc8340d 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; 
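Review bot: In the new "Cgi local policy" block of keystone.te, the last two rules target keystone_t — `corenet_tcp_bind_commplex_main_port(keystone_t)` and `corenet_tcp_sendrecv_commplex_main_port(keystone_t)` — while the block sits inside optional_policy(` apache_content_template(keystone_cgi) …`) and its other rules target keystone_cgi_script_t. As written the main daemon's port bind exists only when the apache module is loaded; if the bind is for keystone_t it belongs outside this optional_policy block, and if it is meant for the CGI domain the subject should be keystone_cgi_script_t. A one-line comment on which process listens on commplex_main would make the intent clear either way.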
@@ -49877,7 +50169,13 @@ index ff1d68c..c8070da 100644 userdom_user_tmp_file(user_mail_tmp_t) ######################################## -@@ -66,8 +64,6 @@ allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms }; +@@ -61,13 +59,11 @@ allow user_mail_domain self:fifo_file rw_fifo_file_perms; + + allow user_mail_domain mta_exec_type:file entrypoint; + +-allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms }; ++manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t) + manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) @@ -53894,7 +54192,7 @@ index 86dc29d..1cd0d0e 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..5fa2fb5 100644 +index 55f2009..4e7b106 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -53919,7 +54217,7 @@ index 55f2009..5fa2fb5 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,25 +42,53 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,25 +42,54 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # @@ -53961,6 +54259,7 @@ index 55f2009..5fa2fb5 100644 +allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; +allow NetworkManager_t self:rawip_socket create_socket_perms; ++allow NetworkManager_t self:socket create_socket_perms; allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; 
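Review bot: The mta.te hunk replaces `allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };` with `manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t)`, so every user mail domain can now create, rewrite, rename and unlink mail_home_t files instead of only appending to them, and the PATCH 7 commit message does not mention it. Since the previous rule was deliberately append-only, a comment recording which mailer needs full write (`# <mailer> rewrites mail_home_t files in place — TODO confirm`) would justify the widening, or only the missing permission set (for example `write_file_perms`) could be added instead of the whole manage set.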
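Review bot: `allow NetworkManager_t self:socket create_socket_perms;` in the networkmanager.te hunk grants the generic socket class, which covers every address family that has no dedicated SELinux class, not just the Bluetooth SDP sockets the commit message names. A comment tying the rule to its purpose (`# AF_BLUETOOTH (SDP) sockets are checked as the generic socket class`) would stop it from reading as a catch-all and make it easy to narrow if a Bluetooth-specific class becomes available. The NetworkManager_t self rules continue outside this hunk.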
@@ -53982,7 +54281,7 @@ index 55f2009..5fa2fb5 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,6 +99,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,6 +100,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -53990,7 +54289,7 @@ index 55f2009..5fa2fb5 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,17 +113,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,17 +114,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) @@ -54009,7 +54308,7 @@ index 55f2009..5fa2fb5 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +131,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +132,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) 
@@ -54035,7 +54334,7 @@ index 55f2009..5fa2fb5 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +147,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +148,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -54049,7 +54348,7 @@ index 55f2009..5fa2fb5 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +155,33 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +156,33 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -54084,7 +54383,7 @@ index 55f2009..5fa2fb5 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +196,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +197,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -54121,7 +54420,7 @@ index 55f2009..5fa2fb5 100644 ') optional_policy(` -@@ -196,10 +237,6 @@ optional_policy(` +@@ -196,10 +238,6 @@ optional_policy(` ') optional_policy(` @@ -54132,7 +54431,7 @@ index 55f2009..5fa2fb5 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +247,11 @@ optional_policy(` +@@ -210,16 +248,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -54151,7 +54450,7 @@ index 55f2009..5fa2fb5 100644 ') ') -@@ -231,10 +263,11 @@ optional_policy(` +@@ -231,10 +264,11 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -54164,7 +54463,7 @@ index 55f2009..5fa2fb5 100644 ') optional_policy(` -@@ -246,10 +279,26 @@ optional_policy(` +@@ -246,10 +280,26 @@ optional_policy(` ') optional_policy(` 
@@ -54191,7 +54490,7 @@ index 55f2009..5fa2fb5 100644 ') optional_policy(` -@@ -257,15 +306,19 @@ optional_policy(` +@@ -257,15 +307,19 @@ optional_policy(` ') optional_policy(` @@ -54213,7 +54512,7 @@ index 55f2009..5fa2fb5 100644 ') optional_policy(` -@@ -274,10 +327,17 @@ optional_policy(` +@@ -274,10 +328,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -54231,7 +54530,7 @@ index 55f2009..5fa2fb5 100644 ') optional_policy(` -@@ -289,6 +349,7 @@ optional_policy(` +@@ -289,6 +350,7 @@ optional_policy(` ') optional_policy(` @@ -54239,7 +54538,7 @@ index 55f2009..5fa2fb5 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +357,7 @@ optional_policy(` +@@ -296,7 +358,7 @@ optional_policy(` ') optional_policy(` @@ -54248,7 +54547,7 @@ index 55f2009..5fa2fb5 100644 ') optional_policy(` -@@ -307,6 +368,7 @@ optional_policy(` +@@ -307,6 +369,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -54256,7 +54555,7 @@ index 55f2009..5fa2fb5 100644 ') optional_policy(` -@@ -320,14 +382,20 @@ optional_policy(` +@@ -320,14 +383,20 @@ optional_policy(` ') optional_policy(` @@ -54282,7 +54581,7 @@ index 55f2009..5fa2fb5 100644 ') optional_policy(` -@@ -357,6 +425,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +426,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -55141,7 +55440,7 @@ index 0000000..ce897e2 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..459a025 +index 0000000..6d3a4fe --- /dev/null +++ b/nova.te @@ -0,0 +1,335 @@ 
@@ -55222,7 +55521,7 @@ index 0000000..459a025 +dev_read_sysfs(nova_domain) +dev_read_urand(nova_domain) + -+fs_getattr_xattr_fs(nova_domain) ++fs_getattr_all_fs(nova_domain) + +init_read_utmp(nova_domain) + @@ -69736,7 +70035,7 @@ index cd8b8b9..6c73980 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..414a04f 100644 +index d616ca3..e7f793e 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -69829,7 +70128,7 @@ index d616ca3..414a04f 100644 -allow pppd_t self:netlink_route_socket nlmsg_write; -allow pppd_t self:tcp_socket { accept listen }; +allow pppd_t self:unix_dgram_socket create_socket_perms; -+allow pppd_t self:unix_stream_socket create_socket_perms; ++allow pppd_t self:unix_stream_socket { connectto create_socket_perms }; +allow pppd_t self:netlink_route_socket rw_netlink_socket_perms; +allow pppd_t self:tcp_socket create_stream_socket_perms; +allow pppd_t self:udp_socket { connect connected_socket_perms }; @@ -74086,7 +74385,7 @@ index 86ea53c..a2dcf7b 100644 /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/qemu.if b/qemu.if -index eaf56b8..c32349e 100644 +index eaf56b8..aa90671 100644 --- a/qemu.if +++ b/qemu.if @@ -1,19 +1,21 @@ @@ -74137,7 +74436,7 @@ index eaf56b8..c32349e 100644 + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ files_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir }) ++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir }) + kernel_read_system_state($1_t) @@ -81616,10 +81915,10 @@ index 0000000..4c6fd7a +') diff --git a/rhnsd.te b/rhnsd.te new file mode 100644 -index 0000000..898d82c +index 0000000..b947f09 --- /dev/null +++ b/rhnsd.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,48 @@ +policy_module(rhnsd, 1.0.0) + +######################################## 
@@ -81658,6 +81957,7 @@ index 0000000..898d82c +files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file }) + +manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t) ++manage_lnk_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t) + +corecmd_exec_bin(rhnsd_t) + @@ -81667,6 +81967,19 @@ index 0000000..898d82c + # execute rhn_check + rpm_domtrans(rhnsd_t) +') +diff --git a/rhsmcertd.fc b/rhsmcertd.fc +index 8c02804..896c8c6 100644 +--- a/rhsmcertd.fc ++++ b/rhsmcertd.fc +@@ -2,6 +2,8 @@ + + /usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) + ++/usr/libexec/rhsmd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) ++ + /var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) + + /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) diff --git a/rhsmcertd.if b/rhsmcertd.if index 6dbc905..4b17c93 100644 --- a/rhsmcertd.if @@ -81927,7 +82240,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..b541f8f 100644 +index d32e1a2..902fa17 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -81966,7 +82279,7 @@ index d32e1a2..b541f8f 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,57 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,61 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -82009,6 +82322,7 @@ index d32e1a2..b541f8f 100644 sysnet_dns_name_resolve(rhsmcertd_t) optional_policy(` +- rpm_read_db(rhsmcertd_t) + dmidecode_domtrans(rhsmcertd_t) +') + 
@@ -82025,7 +82339,11 @@ index d32e1a2..b541f8f 100644 +') + +optional_policy(` - rpm_read_db(rhsmcertd_t) ++ setroubleshoot_signull(rhsmcertd_t) ++') ++ ++optional_policy(` ++ rpm_manage_db(rhsmcertd_t) + rpm_signull(rhsmcertd_t) ') diff --git a/ricci.if b/ricci.if @@ -88210,7 +88528,7 @@ index e18b0a2..463e207 100644 samba_domtrans_nmbd(sambagui_t) ') diff --git a/samhain.if b/samhain.if -index f0236d6..78a792a 100644 +index f0236d6..37665a1 100644 --- a/samhain.if +++ b/samhain.if @@ -23,6 +23,8 @@ template(`samhain_service_template',` @@ -88218,7 +88536,7 @@ index f0236d6..78a792a 100644 mls_file_write_all_levels($1_t) + -+ logging_send_sylog_msg($1_t) ++ logging_send_syslog_msg($1_t) ') ######################################## @@ -90605,7 +90923,7 @@ index d14b6bf..da5d41d 100644 +/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) diff --git a/sendmail.if b/sendmail.if -index 35ad2a7..6f947f6 100644 +index 35ad2a7..6b75e85 100644 --- a/sendmail.if +++ b/sendmail.if @@ -1,4 +1,4 @@ @@ -90640,7 +90958,10 @@ index 35ad2a7..6f947f6 100644 - corecmd_search_bin($1) mta_sendmail_domtrans($1, sendmail_t) +') -+ + +- allow sendmail_t $1:fd use; +- allow sendmail_t $1:fifo_file rw_fifo_file_perms; +- allow sendmail_t $1:process sigchld; +####################################### +## +## Execute sendmail in the sendmail domain. @@ -90655,10 +90976,7 @@ index 35ad2a7..6f947f6 100644 + gen_require(` + type sendmail_initrc_exec_t; + ') - -- allow sendmail_t $1:fd use; -- allow sendmail_t $1:fifo_file rw_fifo_file_perms; -- allow sendmail_t $1:process sigchld; ++ + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) ') 
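Review bot: The rhsmcertd.te hunk (outer @@ -82025,7 +82339,11 @@) replaces the earlier `rpm_read_db(rhsmcertd_t)` with `rpm_manage_db(rhsmcertd_t)`, giving a long-running daemon that talks to remote subscription servers write access to the RPM database that package verification relies on, so a compromise of rhsmcertd_t could now alter package metadata rather than only read it. The rule carries no justification in the policy itself; the bug number appears only in the spec changelog. Add a comment naming the write that actually fails, e.g. `# BZ#1134173: rhsmcertd writes the rpm db when <operation>`, and check whether a narrower grant (read plus the specific file or lock that is touched) would satisfy the denial. The exact permissions rpm_manage_db expands to are not visible in this hunk.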
@@ -90689,10 +91007,27 @@ index 35ad2a7..6f947f6 100644 ') ######################################## -@@ -102,6 +114,34 @@ interface(`sendmail_signal',` - allow $1 sendmail_t:process signal; - ') +@@ -104,6 +116,53 @@ interface(`sendmail_signal',` + ######################################## + ## ++## Execute sendmail in the sendmail_unconfined domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sendmail_domtrans_unconfined',` ++ gen_require(` ++ type unconfined_sendmail_t, sendmail_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t) ++') ++ +####################################### +## +## Execute sendmail in the unconfined @@ -90721,10 +91056,12 @@ index 35ad2a7..6f947f6 100644 + roleattribute $2 sendmail_unconfined_roles; +') + - ######################################## - ## ++######################################## ++## ## Read and write sendmail TCP sockets. -@@ -141,8 +181,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',` + ## + ## +@@ -141,8 +200,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -90734,7 +91071,7 @@ index 35ad2a7..6f947f6 100644 ## ## ## -@@ -179,7 +218,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` +@@ -179,7 +237,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` ######################################## ## @@ -90743,7 +91080,7 @@ index 35ad2a7..6f947f6 100644 ## ## ## -@@ -199,8 +238,7 @@ interface(`sendmail_read_log',` +@@ -199,8 +257,7 @@ interface(`sendmail_read_log',` ######################################## ## @@ -90753,7 +91090,7 @@ index 35ad2a7..6f947f6 100644 ## ## ## -@@ -220,8 +258,7 @@ interface(`sendmail_manage_log',` +@@ -220,8 +277,7 @@ interface(`sendmail_manage_log',` ######################################## ## 
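Review bot: The new `sendmail_domtrans_unconfined` interface (inner @@ -104,6 +116,53 @@) documents itself as "Execute sendmail in the sendmail_unconfined domain", but the type it requires and transitions to is `unconfined_sendmail_t`; the summary should name the real type and warn that the child runs without confinement, e.g. `## Execute sendmail in the unconfined_sendmail_t domain; the child is unconfined, so prefer sendmail_run_unconfined when the caller's role must also be authorized.` Unlike the adjacent sendmail_run_unconfined, which does `roleattribute $2 sendmail_unconfined_roles`, this interface authorizes no role, so a caller whose role is not already in sendmail_unconfined_roles presumably gets the transition rule but still fails the role check at exec time — worth a sentence in the doc. Both interfaces are complete within this hunk.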
@@ -90763,7 +91100,7 @@ index 35ad2a7..6f947f6 100644 ## ## ## -@@ -265,8 +302,7 @@ interface(`sendmail_log_filetrans_sendmail_log',` +@@ -265,8 +321,7 @@ interface(`sendmail_log_filetrans_sendmail_log',` ######################################## ## @@ -90773,15 +91110,14 @@ index 35ad2a7..6f947f6 100644 ## ## ## -@@ -285,58 +321,27 @@ interface(`sendmail_manage_tmp_files',` +@@ -285,58 +340,27 @@ interface(`sendmail_manage_tmp_files',` ######################################## ## -## Execute sendmail in the unconfined sendmail domain. -+## Set the attributes of sendmail pid files. - ## - ## - ## +-## +-## +-## -## Domain allowed to transition. -## -## @@ -90804,9 +91140,10 @@ index 35ad2a7..6f947f6 100644 -## sendmail domain, and allow the -## specified role the unconfined -## sendmail domain. --## --## --## ++## Set the attributes of sendmail pid files. + ## + ## + ## -## Domain allowed to transition. -## -## @@ -90840,7 +91177,7 @@ index 35ad2a7..6f947f6 100644 ## ## ## -@@ -355,12 +360,17 @@ interface(`sendmail_admin',` +@@ -355,12 +379,17 @@ interface(`sendmail_admin',` type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; type sendmail_keytab_t; @@ -90861,7 +91198,7 @@ index 35ad2a7..6f947f6 100644 domain_system_change_exemption($1) role_transition $2 sendmail_initrc_exec_t system_r; -@@ -376,6 +386,6 @@ interface(`sendmail_admin',` +@@ -376,6 +405,6 @@ interface(`sendmail_admin',` files_list_pids($1) admin_pattern($1, sendmail_var_run_t) @@ -93244,7 +93581,7 @@ index 2f0a2f2..1569e33 100644 +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/snmp.if b/snmp.if -index 7a9cc9d..86cbca9 100644 +index 7a9cc9d..d55da32 100644 --- a/snmp.if +++ b/snmp.if @@ -57,8 +57,7 @@ interface(`snmp_udp_chat',` 
@@ -93257,7 +93594,7 @@ index 7a9cc9d..86cbca9 100644 ## ## ## -@@ -66,19 +65,39 @@ interface(`snmp_udp_chat',` +@@ -66,19 +65,58 @@ interface(`snmp_udp_chat',` ## ## # @@ -93268,7 +93605,6 @@ index 7a9cc9d..86cbca9 100644 ') files_search_var_lib($1) -- allow $1 snmpd_var_lib_t:dir manage_dir_perms; + allow $1 snmpd_var_lib_t:dir list_dir_perms; + read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) @@ -93291,32 +93627,36 @@ index 7a9cc9d..86cbca9 100644 + + files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Manage snmpd libraries directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_manage_var_lib_dirs',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ + allow $1 snmpd_var_lib_t:dir manage_dir_perms; ++ files_var_lib_filetrans($1, snmpd_var_lib_t, dir) ') ######################################## ## -## Create, read, write, and delete -## snmp lib files. -+## Manage snmpd libraries directories ++## Manage snmpd libraries. ## ## ## -@@ -86,19 +105,18 @@ interface(`snmp_manage_var_lib_dirs',` - ## - ## - # --interface(`snmp_manage_var_lib_files',` -+interface(`snmp_manage_var_lib_dirs',` - gen_require(` - type snmpd_var_lib_t; - ') - -- files_search_var_lib($1) -- allow $1 snmpd_var_lib_t:dir list_dir_perms; -- manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+ allow $1 snmpd_var_lib_t:dir manage_dir_perms; -+ files_var_lib_filetrans($1, snmpd_var_lib_t, dir) - ') +@@ -98,7 +136,7 @@ interface(`snmp_manage_var_lib_files',` ######################################## ## 
@@ -93325,12 +93665,12 @@ index 7a9cc9d..86cbca9 100644 ## ## ## -@@ -106,14 +124,14 @@ interface(`snmp_manage_var_lib_files',` +@@ -106,14 +144,14 @@ interface(`snmp_manage_var_lib_files',` ## ## # -interface(`snmp_read_snmp_var_lib_files',` -+interface(`snmp_manage_var_lib_files',` ++interface(`snmp_manage_var_lib_sock_files',` gen_require(` type snmpd_var_lib_t; ') @@ -93339,11 +93679,11 @@ index 7a9cc9d..86cbca9 100644 allow $1 snmpd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++ manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ') ######################################## -@@ -179,8 +197,12 @@ interface(`snmp_admin',` +@@ -179,8 +217,12 @@ interface(`snmp_admin',` type snmpd_var_lib_t, snmpd_var_run_t; ') @@ -96042,7 +96382,7 @@ index a240455..f4d8c79 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..e1c568a 100644 +index 2d8db1f..ababeba 100644 --- a/sssd.te +++ b/sssd.te @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) @@ -96100,7 +96440,7 @@ index 2d8db1f..e1c568a 100644 corecmd_exec_bin(sssd_t) -@@ -83,9 +79,7 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +79,30 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -96110,7 +96450,9 @@ index 2d8db1f..e1c568a 100644 files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) -@@ -94,17 +88,20 @@ selinux_validate_context(sssd_t) + + selinux_validate_context(sssd_t) ++seutil_read_config(sssd_t) seutil_read_file_contexts(sssd_t) # sssd wants to write /etc/selinux//logins/ for SELinux PAM module 
@@ -96133,7 +96475,7 @@ index 2d8db1f..e1c568a 100644 init_read_utmp(sssd_t) -@@ -112,18 +109,36 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +110,36 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -96906,10 +97248,10 @@ index 0000000..6a1f575 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..43a0495 +index 0000000..c2f086f --- /dev/null +++ b/swift.te -@@ -0,0 +1,128 @@ +@@ -0,0 +1,129 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -97004,6 +97346,7 @@ index 0000000..43a0495 +corenet_tcp_connect_swift_port(swift_t) +corenet_tcp_connect_keystone_port(swift_t) +corenet_tcp_connect_memcache_port(swift_t) ++corenet_tcp_connect_all_ephemeral_ports(swift_t) + +corecmd_exec_shell(swift_t) +corecmd_exec_bin(swift_t) @@ -110526,7 +110869,7 @@ index 3416401..676925c 100644 + allow $1 zebra_unit_file_t:service all_service_perms; ') diff --git a/zebra.te b/zebra.te -index 2e80d04..3a76167 100644 +index 2e80d04..5bf04b2 100644 --- a/zebra.te +++ b/zebra.te @@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0) @@ -110656,7 +110999,7 @@ index 2e80d04..3a76167 100644 +files_read_etc_runtime_files(zebra_t) -miscfiles_read_localization(zebra_t) -+auth_read_passwd(zebra_t) ++auth_use_nsswitch(zebra_t) + +logging_send_syslog_msg(zebra_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a7730c19..bfb08536 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 84%{?dist} +Release: 85%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
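Review bot: `corenet_tcp_connect_all_ephemeral_ports(swift_t)` in the swift.te hunk (outer @@ -97004,6 +97346,7 @@) is unconditional, so swift_t may connect to any TCP port in the ephemeral range regardless of its label, which undoes the per-port confinement the three preceding corenet_tcp_connect_*_port lines build up. The changelog calls this a default, but broad network access of this kind is normally gated by a tunable declared in the same .te file and wrapped as `tunable_policy(`<boolean>', ` corenet_tcp_connect_all_ephemeral_ports(swift_t) ')`, or, if one unlabeled service is the real target, that port should be labeled instead. At minimum add a comment naming the service this is meant to reach. The swift_t policy continues outside this hunk.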
@@ -602,6 +602,28 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Oct 06 2014 Lukas Vrabec 3.13.1-85 +- Allow nova domains to getattr on all filesystems. +- ALlow zebra for user/group look-ups. +- Allow lsmd to search own plguins. +- Allow sssd to read selinux config to add SELinux user mapping. +- Allow swift to connect to all ephemeral ports by default. +- Allow NetworkManager to create Bluetooth SDP sockets +- Allow keepalived manage snmp var lib sock files. BZ(1102228) +- Added policy for blrtty. BZ(1083162) +- Allow rhsmcertd manage rpm db. BZ(#1134173) +- Allow rhsmcertd send signull to setroubleshoot. BZ (#1134173) +- Label /usr/libexec/rhsmd as rhsmcertd_exec_t +- Fix broken interfaces +- Added sendmail_domtrans_unconfined interface +- Added support for cpuplug. BZ (#1077831) +- Fix bug in drbd policy, BZ (#1134883) +- Make keystone_cgi_script_t domain. BZ (#1138424) +- fix dev_getattr_generic_usb_dev interface +- Label 4101 tcp port as brlp port +- Allow libreswan to connect to VPN via NM-libreswan. +- Add userdom_manage_user_tmpfs_files interface + * Tue Sep 30 2014 Lukas Vrabec 3.13.1-84 - Allow all domains to read fonts - Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028) From a76f317a36819544a5da382c8339e29b2f56552f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 6 Oct 2014 17:09:50 +0200 Subject: [PATCH 8/8] Fix typo bug. --- policy-rawhide-base.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 35c1045b..c4b22b1f 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5466,7 +5466,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..04e9cc8 100644 +index b191055..57afd42 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in 
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5744,7 +5744,7 @@ index b191055..04e9cc8 100644 -network_port(radius, udp,1645,s0, udp,1812,s0) +network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0) +network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0) -+network_port(radius, udp,1645,s0, tpc,1645,s0, tcp,1812,s0, udp,1812,s0) ++network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) +network_port(time, tcp,37,s0, udp,37,s0)