From 408ea919b7ea67e06b8d73e5903a784aeb9e6765 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Wed, 19 Jan 2011 18:43:03 +0000 Subject: [PATCH] - NetworkManager wants to read consolekit_var_run_t - Allow readahead to create /dev/.systemd/readahead - Remove permissive domains - Allow newrole to run namespace_init --- policy-F15.patch | 1233 ++++++++++++++++++++++++++++++++----------- selinux-policy.spec | 8 +- 2 files changed, 944 insertions(+), 297 deletions(-) diff --git a/policy-F15.patch b/policy-F15.patch index 5b78df21..fd599d39 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -841,10 +841,10 @@ index 0000000..8c2e044 + diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te new file mode 100644 -index 0000000..eef0c87 +index 0000000..67296b9 --- /dev/null +++ b/policy/modules/admin/ncftool.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,89 @@ +policy_module(ncftool, 1.0.0) + +######################################## @@ -859,8 +859,6 @@ index 0000000..eef0c87 +domain_system_change_exemption(ncftool_t) +role system_r types ncftool_t; + -+permissive ncftool_t; -+ +######################################## +# +# ncftool local policy @@ -1184,15 +1182,16 @@ index af55369..bc4ae6d 100644 + ') +') diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc -index 7077413..70edcd6 100644 +index 7077413..56d1ecb 100644 --- a/policy/modules/admin/readahead.fc +++ b/policy/modules/admin/readahead.fc -@@ -1,3 +1,5 @@ +@@ -1,3 +1,6 @@ /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) /sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) +/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + ++/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) 
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if index 47c4723..4866a08 100644 --- a/policy/modules/admin/readahead.if @@ -1219,10 +1218,26 @@ index 47c4723..4866a08 100644 + domtrans_pattern($1, readahead_exec_t, readahead_t) +') diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te -index b4ac57e..8fa8451 100644 +index b4ac57e..39fbe42 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te -@@ -53,6 +53,7 @@ domain_read_all_domains_state(readahead_t) +@@ -16,6 +16,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; + + type readahead_var_run_t; + files_pid_file(readahead_var_run_t) ++dev_associate(readahead_var_run_t) + + ######################################## + # +@@ -32,6 +33,7 @@ files_search_var_lib(readahead_t) + + manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) + files_pid_filetrans(readahead_t, readahead_var_run_t, file) ++dev_filetrans(readahead_t, readahead_var_run_t, { dir file }) + + kernel_read_all_sysctls(readahead_t) + kernel_read_system_state(readahead_t) +@@ -53,6 +55,7 @@ domain_read_all_domains_state(readahead_t) files_list_non_security(readahead_t) files_read_non_security_files(readahead_t) @@ -1230,7 +1245,7 @@ index b4ac57e..8fa8451 100644 files_create_boot_flag(readahead_t) files_getattr_all_pipes(readahead_t) files_dontaudit_getattr_all_sockets(readahead_t) -@@ -66,6 +67,7 @@ fs_read_cgroup_files(readahead_t) +@@ -66,6 +69,7 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) 
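Review bot: The added `dev_filetrans(readahead_t, readahead_var_run_t, { dir file })` in readahead.te sets the type for a new directory under /dev, but the only rule on that type visible in the hunk is `manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)`, which covers files and not directory creation. Unless a directory rule exists in the part of the local policy outside this hunk, creating /dev/.systemd/readahead would still be denied. Adding `manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)` next to the file rule would close the gap.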
@@ -1558,6 +1573,18 @@ index 47a8f7d..31f474e 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) +diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te +index c8ef84b..e241334 100644 +--- a/policy/modules/admin/sectoolm.te ++++ b/policy/modules/admin/sectoolm.te +@@ -84,6 +84,7 @@ logging_send_syslog_msg(sectoolm_t) + sysnet_domtrans_ifconfig(sectoolm_t) + + userdom_manage_user_tmp_sockets(sectoolm_t) ++userdom_dgram_send(sectoolm_t) + + optional_policy(` + mount_exec(sectoolm_t) diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc index 029cb7e..48d1363 100644 --- a/policy/modules/admin/shorewall.fc @@ -2710,15 +2737,16 @@ index 0000000..0bbd523 +') + diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc -index 00a19e3..46db5ff 100644 +index 00a19e3..1aaa958 100644 --- a/policy/modules/apps/gnome.fc +++ b/policy/modules/apps/gnome.fc -@@ -1,9 +1,30 @@ +@@ -1,9 +1,33 @@ -HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) ++HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(.*)? gen_context(system_u:object_r:data_home_t,s0) 
@@ -2739,6 +2767,8 @@ index 00a19e3..46db5ff 100644 /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) ++#/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) ++ +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + @@ -2747,10 +2777,73 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..c4df4b9 100644 +index f5afe78..60258d1 100644 --- a/policy/modules/apps/gnome.if 
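Review bot: The gnome.fc entry for /usr/bin/gnome-keyring-daemon is added already commented out and without a reason; the "Don't use because toolchain is broken" comment that follows is about gconfd-2. No other entry in the visible part of the file assigns gkeyringd_exec_t, so the `domtrans_pattern($2, gkeyringd_exec_t, gkeyringd_t)` added to gnome_role in this commit would presumably never trigger and the daemon would keep running in the user domain. A comment above the entry in the form `# gkeyringd_t transition disabled: <reason>` would record that this is deliberate and what has to happen before it is enabled.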
+++ b/policy/modules/apps/gnome.if -@@ -37,8 +37,7 @@ interface(`gnome_role',` +@@ -1,24 +1,29 @@ + ## GNU network object model environment (GNOME) + +-############################################################ ++####################################### + ## +-## Role access for gnome ++## The role template for the gnome module. + ## +-## ++## + ## +-## Role allowed access ++## The user role. + ## + ## +-## ++## + ## +-## User domain for the role ++## The user domain associated with the role. + ## + ## + # + interface(`gnome_role',` + gen_require(` ++ type gkeyringd_t; ++ attribute gkeyringd_domain; ++ attribute gnome_domain; + type gconfd_t, gconfd_exec_t; + type gconf_tmp_t; ++ type gnome_home_t; ++ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t; + ') + + role $1 types gconfd_t; +@@ -33,12 +38,34 @@ interface(`gnome_role',` + #gnome_stream_connect_gconf_template($1, $2) + read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) + allow $2 gconfd_t:unix_stream_socket connectto; ++ ++ ####################################### ++ # ++ # keyringd policy ++ # ++ role $1 types gkeyringd_t; ++ ++ domtrans_pattern($2, gkeyringd_exec_t, gkeyringd_t) ++ ++ allow $2 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms }; ++ allow $2 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms }; ++ ++ allow $2 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms }; ++ allow $2 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; ++ ++ ps_process_pattern(gkeyringd_t, $2) ++ ++ ps_process_pattern($2, gkeyringd_t) ++ allow $2 gkeyringd_t:process { ptrace signal_perms }; ++ ++ # Looks like it wants to run gkeyringd in $2 domain using setexeccon or runcon. ++ dontaudit $2 gkeyringd_exec_t:file entrypoint; ++ + ') ######################################## ## @@ -2760,7 +2853,7 @@ index f5afe78..c4df4b9 100644 ## ## ## -@@ -46,25 +45,304 @@ interface(`gnome_role',` +@@ -46,25 +73,353 @@ interface(`gnome_role',` ## ## # 
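Review bot: `allow $2 gkeyringd_t:process { ptrace signal_perms };` in the new keyringd block of gnome_role gives every caller's user domain ptrace over the keyring daemon, which is the process that holds unlocked secrets in memory (the policy grants it `ipc_lock` for that purpose). The same commit moves `gnome_role(...)` out of the `ifndef(distro_redhat)` blocks for staff and user and adds it for xguest, so the grant also reaches xguest_t. `ps_process_pattern($2, gkeyringd_t)` on the line above already covers reading process state; unless a logged denial shows ptrace is required, `allow $2 gkeyringd_t:process signal_perms;` is the narrower rule. The relabel-plus-manage grants on gkeyringd_gnome_home_t and gkeyringd_tmp_t in the same block deserve a short comment saying why the user domain needs relabel.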
@@ -2779,9 +2872,58 @@ index f5afe78..c4df4b9 100644 ######################################## ## -## Read gconf config files. -+## Run gconfd in gconfd domain. ++## Connect to gkeyringd with a unix stream socket. ## -## ++## ++## ++## Role prefix. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_stream_connect_gkeyringd',` ++ gen_require(` ++ type gkeyringd_t, gkeyringd_tmp_t; ++ ') ++ ++ stream_connect_pattern($2, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_t) ++ gnome_search_gconf_tmp_dirs($2) ++') ++ ++######################################## ++## ++## Connect to gkeyringd with a unix stream socket. ++## ++## ++## ++## Role prefix. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_stream_connect_all_gkeyringd',` ++ gen_require(` ++ attribute gkeyringd_domain; ++ type gkeyringd_tmp_t; ++ ') ++ ++ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) ++ gnome_search_gconf_tmp_dirs($1) ++') ++ ++######################################## ++## ++## Run gconfd in gconfd domain. ++## +## +## +## Domain allowed access. @@ -2847,10 +2989,10 @@ index f5afe78..c4df4b9 100644 +# +interface(`gnome_signal_all',` + gen_require(` -+ attribute gnomedomain; ++ attribute gnome_domain; + ') + -+ allow $1 gnomedomain:process signal; ++ allow $1 gnome_domain:process signal; +') + +######################################## @@ -3071,7 +3213,7 @@ index f5afe78..c4df4b9 100644 gen_require(` type gconf_etc_t; ') -@@ -76,7 +354,27 @@ template(`gnome_read_gconf_config',` +@@ -76,7 +431,27 @@ template(`gnome_read_gconf_config',` ####################################### ## @@ -3100,7 +3242,7 @@ index f5afe78..c4df4b9 100644 ## ## ## -@@ -84,37 +382,40 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +459,36 @@ template(`gnome_read_gconf_config',` ## ## # 
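Review bot: The header of gnome_stream_connect_all_gkeyringd documents two parameters (role prefix, then domain) while the body uses `$1` as the domain, so a caller who follows the documentation passes the domain in the wrong position; the header should describe a single "Domain allowed access" parameter. telepathy_mission_control_read_state, added to telepathy.if in this commit, has the same mismatch. Both stream-connect interfaces also end in `gnome_search_gconf_tmp_dirs(...)`, which looks carried over from the gconf interface; for a socket under gkeyringd_tmp_t, `files_search_tmp($1)` or the gnome_search_gkeyringd_tmp_dirs interface added further down seems to be what is meant. gnome_stream_connect_gkeyringd never uses its `$1`.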
@@ -3119,7 +3261,7 @@ index f5afe78..c4df4b9 100644 ######################################## ## -## gconf connection template. -+## Read gconf home files ++## Execute gnome keyringd in the caller domain. ## -## +## 
@@ -3129,52 +3271,90 @@ index f5afe78..c4df4b9 100644 ## # -interface(`gnome_stream_connect_gconf',` -+interface(`gnome_read_gconf_home_files',` ++interface(`gnome_exec_keyringd',` gen_require(` - type gconfd_t, gconf_tmp_t; -+ type gconf_home_t; -+ type data_home_t; ++ type gkeyringd_exec_t; ') - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -+ userdom_search_user_home_dirs($1) -+ allow $1 gconf_home_t:dir list_dir_perms; -+ allow $1 data_home_t:dir list_dir_perms; -+ read_files_pattern($1, gconf_home_t, gconf_home_t) -+ read_files_pattern($1, data_home_t, data_home_t) ++ can_exec($1, gkeyringd_exec_t) ++ corecmd_search_bin($1) ') ######################################## ## -## Run gconfd in gconfd domain. -+## search gconf homedir (.local) ++## Read gconf home files ## ## ## -@@ -122,12 +423,13 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +496,55 @@ interface(`gnome_stream_connect_gconf',` ## ## # -interface(`gnome_domtrans_gconfd',` -+interface(`gnome_search_gconf',` ++interface(`gnome_read_gconf_home_files',` gen_require(` - type gconfd_t, gconfd_exec_t; + type gconf_home_t; ++ type data_home_t; ') - domtrans_pattern($1, gconfd_exec_t, gconfd_t) ++ userdom_search_user_home_dirs($1) ++ allow $1 gconf_home_t:dir list_dir_perms; ++ allow $1 data_home_t:dir list_dir_perms; ++ read_files_pattern($1, gconf_home_t, gconf_home_t) ++ read_files_pattern($1, data_home_t, data_home_t) ++') ++ ++######################################## ++## ++## Search gkeyringd temporary directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_search_gkeyringd_tmp_dirs',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 gkeyringd_tmp_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## search gconf homedir (.local) ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_search_gconf',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ + allow $1 gconf_home_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) ') ######################################## -@@ -151,40 +453,174 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +568,257 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## -## Read gnome homedir content (.config) -+## Append gconf home files ++## Manage generic gnome home files. ## -## +## @@ -3184,21 +3364,61 @@ index f5afe78..c4df4b9 100644 ## # -template(`gnome_read_config',` -+interface(`gnome_append_gconf_home_files',` ++interface(`gnome_manage_generic_home_files',` gen_require(` -- type gnome_home_t; -+ type gconf_home_t; + type gnome_home_t; ') - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) -+ append_files_pattern($1, gconf_home_t, gconf_home_t) ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, gnome_home_t, gnome_home_t) ') ######################################## ## -## manage gnome homedir content (.config) ++## Manage generic gnome home directories. + ## +-## ++## + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_manage_config',` ++interface(`gnome_manage_generic_home_dirs',` + gen_require(` + type gnome_home_t; + ') + ++ userdom_search_user_home_dirs($1) + allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; ++') ++ ++######################################## ++## ++## Append gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ++') ++ ++######################################## ++## +## manage gconf home files +## +## 
@@ -3219,14 +3439,14 @@ index f5afe78..c4df4b9 100644 +######################################## +## +## Connect to gnome over an unix stream socket. - ## ++## +## +## +## Domain allowed access. +## +## - ## - ## ++## ++## +## The type of the user domain. +## +## @@ -3246,19 +3466,15 @@ index f5afe78..c4df4b9 100644 +## +## +## - ## Domain allowed access. - ## - ## - # --interface(`gnome_manage_config',` ++## Domain allowed access. ++## ++## ++# +interface(`gnome_list_home_config',` - gen_require(` -- type gnome_home_t; ++ gen_require(` + type config_home_t; - ') - -- allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; ++ ') ++ + allow $1 config_home_t:dir list_dir_perms; +') + @@ -3278,8 +3494,8 @@ index f5afe78..c4df4b9 100644 + ') + + setattr_dirs_pattern($1, config_home_t, config_home_t) - userdom_search_user_home_dirs($1) - ') ++ userdom_search_user_home_dirs($1) ++') + +######################################## +## @@ -3356,14 +3572,61 @@ index f5afe78..c4df4b9 100644 + allow $1 gconfdefaultsm_t:dbus send_msg; + allow gconfdefaultsm_t $1:dbus send_msg; +') ++ ++######################################## ++## ++## Send and receive messages from ++## gkeyringd over dbus. ++## ++## ++## ++## Role prefix. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_dbus_chat_gkeyringd',` ++ gen_require(` ++ type gkeyringd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $2 gkeyringd_t:dbus send_msg; ++ allow gkeyringd_t $2:dbus send_msg; ++') ++######################################## ++## ++## Create directories in user home directories ++## with the gnome home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_home_dir_filetrans',` ++ gen_require(` ++ type gnome_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, gnome_home_t, dir) + userdom_search_user_home_dirs($1) + ') 
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te -index 2505654..c1f491f 100644 +index 2505654..8e83829 100644 --- a/policy/modules/apps/gnome.te +++ b/policy/modules/apps/gnome.te -@@ -6,11 +6,24 @@ policy_module(gnome, 2.1.0) +@@ -5,12 +5,25 @@ policy_module(gnome, 2.1.0) + # Declarations # - attribute gnomedomain; +-attribute gnomedomain; ++attribute gnome_domain; +attribute gnome_home_type; type gconf_etc_t; @@ -3386,7 +3649,15 @@ index 2505654..c1f491f 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -30,12 +43,20 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +@@ -23,19 +36,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t; + files_tmp_file(gconf_tmp_t) + ubac_constrained(gconf_tmp_t) + +-type gconfd_t, gnomedomain; ++type gconfd_t, gnome_domain; + type gconfd_exec_t; + typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; + typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; application_domain(gconfd_t, gconfd_exec_t) ubac_constrained(gconfd_t) @@ -3397,6 +3668,19 @@ index 2505654..c1f491f 100644 typealias gnome_home_t alias unconfined_gnome_home_t; userdom_user_home_content(gnome_home_t) ++attribute gkeyringd_domain; ++type gkeyringd_t, gnome_domain, gkeyringd_domain; ++type gkeyringd_exec_t; ++application_domain(gkeyringd_t, gkeyringd_exec_t) ++ubac_constrained(gkeyringd_t) ++permissive gkeyringd_t; ++ ++type gkeyringd_gnome_home_t; ++userdom_user_home_content(gkeyringd_gnome_home_t) ++ ++type gkeyringd_tmp_t; ++userdom_user_tmp_content(gkeyringd_tmp_t) ++ +type gconfdefaultsm_t; +type gconfdefaultsm_exec_t; +dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) 
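Review bot: `permissive gkeyringd_t;` is added to the gnome.te declarations by a commit whose description says "Remove permissive domains" and which drops the permissive line from ncftool, mediawiki, rssh, ajaxterm, boinc, drbd, jabber and mpd. While the domain is permissive, none of the gkeyringd_t rules added here are enforced; denials are only logged. If that is intended for a new domain, a comment on the line such as `# new domain: permissive until denials have been reviewed` would keep it from being overlooked in the next cleanup.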
@@ -3408,21 +3692,11 @@ index 2505654..c1f491f 100644 ############################## # # Local Policy -@@ -75,3 +96,91 @@ optional_policy(` +@@ -75,3 +109,148 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_manage_nfs_dirs(gconfdefaultsm_t) -+ fs_manage_nfs_files(gconfdefaultsm_t) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_manage_cifs_dirs(gconfdefaultsm_t) -+ fs_manage_cifs_files(gconfdefaultsm_t) -+') -+ +####################################### +# +# gconf-defaults-mechanisms local policy @@ -3462,6 +3736,16 @@ index 2505654..c1f491f 100644 + policykit_read_reload(gconfdefaultsm_t) +') + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(gconfdefaultsm_t) ++ fs_manage_nfs_files(gconfdefaultsm_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(gconfdefaultsm_t) ++ fs_manage_cifs_files(gconfdefaultsm_t) ++') ++ +####################################### +# +# gnome-system-monitor-mechanisms local policy 
@@ -3500,6 +3784,63 @@ index 2505654..c1f491f 100644 + policykit_read_lib(gnomesystemmm_t) + policykit_read_reload(gnomesystemmm_t) +') ++ ++allow gkeyringd_t self:capability ipc_lock; ++allow gkeyringd_t self:process { getcap getsched signal }; ++allow gkeyringd_t self:fifo_file rw_fifo_file_perms; ++allow gkeyringd_t self:unix_stream_socket { connectto accept listen }; ++ ++userdom_user_home_dir_filetrans(gkeyringd_t, gnome_home_t, dir) ++ ++manage_dirs_pattern(gkeyringd_t, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) ++manage_files_pattern(gkeyringd_t, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t) ++filetrans_pattern(gkeyringd_t, gnome_home_t, gkeyringd_gnome_home_t, dir) ++ ++manage_dirs_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t) ++manage_sock_files_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t) ++files_tmp_filetrans(gkeyringd_t, gkeyringd_tmp_t, dir) ++ ++kernel_read_crypto_sysctls(gkeyringd_t) ++ ++corecmd_search_bin(gkeyringd_t) ++ ++dev_read_rand(gkeyringd_t) ++dev_read_urand(gkeyringd_t) ++ ++files_read_etc_files(gkeyringd_t) ++files_read_usr_files(gkeyringd_t) ++# for nscd? ++files_search_pids(gkeyringd_t) ++ ++fs_getattr_xattr_fs(gkeyringd_t) ++ ++selinux_getattr_fs(gkeyringd_t) ++ ++logging_send_syslog_msg(gkeyringd_t) ++ ++miscfiles_read_localization(gkeyringd_t) ++ ++xserver_append_xdm_home_files(gkeyringd_t) ++xserver_read_xdm_home_files(gkeyringd_t) ++xserver_use_xdm_fds(gkeyringd_t) ++ ++optional_policy(` ++ dbus_session_domain(gkeyringd_t, gkeyringd_exec_t) ++ ++ dbus_session_bus_client(gkeyringd_t) ++ gnome_home_dir_filetrans(gkeyringd_t) ++ gnome_manage_generic_home_dirs(gkeyringd_t) ++ ++ optional_policy(` ++ telepathy_mission_control_read_state(gkeyringd_t) ++ ') ++') ++ ++optional_policy(` ++ ssh_read_user_home_files(gkeyringd_t) ++') ++ ++userdom_use_user_terminals(gnome_domain) diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc index e9853d4..717d163 100644 --- a/policy/modules/apps/gpg.fc 
@@ -4160,10 +4501,10 @@ index 0000000..1c1d012 +') diff --git a/policy/modules/apps/mediawiki.te b/policy/modules/apps/mediawiki.te new file mode 100644 -index 0000000..b7f569d +index 0000000..d9e51a3 --- /dev/null +++ b/policy/modules/apps/mediawiki.te -@@ -0,0 +1,35 @@ +@@ -0,0 +1,33 @@ + +policy_module(mediawiki, 1.0.0) + @@ -4177,8 +4518,6 @@ index 0000000..b7f569d +type httpd_mediawiki_tmp_t; +files_tmp_file(httpd_mediawiki_tmp_t) + -+permissive httpd_mediawiki_script_t; -+ +######################################## +# +# mediawiki local policy @@ -6147,23 +6486,21 @@ index 7cdac1e..6f9f6e6 100644 + domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t) +') diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te -index c605046..15c17a0 100644 +index c605046..97b3df2 100644 --- a/policy/modules/apps/rssh.te +++ b/policy/modules/apps/rssh.te -@@ -31,6 +31,12 @@ typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; +@@ -31,6 +31,10 @@ typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; userdom_user_home_content(rssh_rw_t) +type rssh_chroot_helper_t; +type rssh_chroot_helper_exec_t; +init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t) -+ -+permissive rssh_chroot_helper_t; + ############################## # # Local policy -@@ -78,3 +84,25 @@ ssh_rw_stream_sockets(rssh_t) +@@ -78,3 +82,25 @@ ssh_rw_stream_sockets(rssh_t) optional_policy(` nis_use_ypbind(rssh_t) ') @@ -7043,7 +7380,7 @@ index 1f2cde4..7bb3047 100644 # # /usr diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index 320df26..3312145 100644 +index 320df26..174ca5e 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -64,6 +64,9 @@ template(`screen_role_template',` 
@@ -7073,6 +7410,14 @@ index 320df26..3312145 100644 manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) kernel_read_system_state($1_screen_t) +@@ -112,6 +114,7 @@ template(`screen_role_template',` + # for SSP + dev_read_urand($1_screen_t) + ++ domain_sigchld_interactive_fds($1_screen_t) + domain_use_interactive_fds($1_screen_t) + + files_search_tmp($1_screen_t) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..7455c19 100644 --- a/policy/modules/apps/seunshare.if @@ -7229,10 +7574,10 @@ index 0000000..7866118 +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if new file mode 100644 -index 0000000..46368cc +index 0000000..6878d68 --- /dev/null +++ b/policy/modules/apps/telepathy.if -@@ -0,0 +1,168 @@ +@@ -0,0 +1,193 @@ + +## Telepathy framework. + @@ -7401,6 +7746,31 @@ index 0000000..46368cc + stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) + files_search_tmp($1) +') ++ ++######################################## ++## ++## Read telepathy mission control state. ++## ++## ++## ++## Prefix to be used. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`telepathy_mission_control_read_state',` ++ gen_require(` ++ type telepathy_mission_control_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, telepathy_mission_control_t) ++') ++ diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 index 0000000..d4e5e9e @@ -8128,7 +8498,7 @@ index 82842a0..4111a1d 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..aecd1ff 100644 +index 34c9d01..b25eac7 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',` @@ -8137,7 +8507,7 @@ index 34c9d01..aecd1ff 100644 /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) -/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) +/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0) -+/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) +etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -11775,7 +12145,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..5728fc1 100644 +index 2be17d2..dd62b91 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) @@ -11827,7 +12197,7 @@ index 2be17d2..5728fc1 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +63,112 @@ optional_policy(` +@@ -27,25 +63,116 @@ optional_policy(` ') optional_policy(` @@ -11844,6 +12214,10 @@ index 2be17d2..5728fc1 100644 +') + +optional_policy(` ++ gnome_role(staff_r, staff_t) ++') ++ ++optional_policy(` + lpd_list_spool(staff_t) +') + @@ -11942,6 +12316,17 @@ index 2be17d2..5728fc1 100644 optional_policy(` vlock_run(staff_t, staff_r) +@@ -89,10 +216,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- gnome_role(staff_r, staff_t) +- ') +- +- optional_policy(` + gpg_role(staff_r, staff_t) + ') + @@ -137,10 +260,6 @@ ifndef(`distro_redhat',` ') @@ -13479,10 +13864,10 @@ index 0000000..ec21f9a + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..f8785a0 100644 +index e5bfdd4..60cc0d5 100644 --- a/policy/modules/roles/unprivuser.te 
+++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,51 @@ role user_r; +@@ -12,15 +12,55 @@ role user_r; userdom_unpriv_user_template(user) @@ -13493,6 +13878,10 @@ index e5bfdd4..f8785a0 100644 ') optional_policy(` ++ gnome_role(user_r, user_t) ++') ++ ++optional_policy(` + oident_manage_user_content(user_t) + oident_relabel_user_content(user_t) +') @@ -13534,6 +13923,17 @@ index e5bfdd4..f8785a0 100644 vlock_run(user_t, user_r) ') +@@ -62,10 +102,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- gnome_role(user_r, user_t) +- ') +- +- optional_policy(` + gpg_role(user_r, user_t) + ') + @@ -118,7 +154,7 @@ ifndef(`distro_redhat',` ') @@ -13561,7 +13961,7 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..8929065 100644 +index e88b95f..06b0e48 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) @@ -13630,7 +14030,7 @@ index e88b95f..8929065 100644 ') ') -@@ -76,23 +84,95 @@ optional_policy(` +@@ -76,23 +84,99 @@ optional_policy(` ') optional_policy(` @@ -13648,11 +14048,14 @@ index e88b95f..8929065 100644 +') + +optional_policy(` ++ gnome_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` + gnomeclock_dontaudit_dbus_chat(xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` + java_role_template(xguest, xguest_r, xguest_t) +') + @@ -13666,9 +14069,10 @@ index e88b95f..8929065 100644 + +optional_policy(` + nsplugin_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) + pcscd_read_pub_files(xguest_usertype) + pcscd_stream_connect(xguest_usertype) ') 
@@ -13713,7 +14117,7 @@ index e88b95f..8929065 100644 + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) -+ ') + ') + + optional_policy(` + telepathy_dbus_session_role(xguest_r, xguest_t) @@ -13723,7 +14127,7 @@ index e88b95f..8929065 100644 +optional_policy(` + gen_require(` + type mozilla_t; - ') ++ ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; @@ -14461,10 +14865,10 @@ index 0000000..8e6e2c3 +') diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te new file mode 100644 -index 0000000..cf6af13 +index 0000000..cee49e3 --- /dev/null +++ b/policy/modules/services/ajaxterm.te -@@ -0,0 +1,56 @@ +@@ -0,0 +1,54 @@ +policy_module(ajaxterm, 1.0.0) + +######################################## @@ -14485,8 +14889,6 @@ index 0000000..cf6af13 +type ajaxterm_devpts_t; +term_login_pty(ajaxterm_devpts_t) + -+permissive ajaxterm_t; -+ +######################################## +# +# ajaxterm local policy @@ -16868,10 +17270,10 @@ index 0000000..fa9b95a +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..6d8fdeb +index 0000000..11ad49a --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,173 @@ +@@ -0,0 +1,171 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -16899,8 +17301,6 @@ index 0000000..6d8fdeb +domain_type(boinc_project_t) +role system_r types boinc_project_t; + -+permissive boinc_project_t; -+ +type boinc_project_tmp_t; +files_tmp_file(boinc_project_tmp_t) + 
@@ -17985,6 +18385,18 @@ index fa82327..db20d26 100644 optional_policy(` gpsd_rw_shm(chronyd_t) ') +diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc +index e8e9a21..0af0260 100644 +--- a/policy/modules/services/clamav.fc ++++ b/policy/modules/services/clamav.fc +@@ -10,6 +10,7 @@ + + /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) + /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) ++/var/lib/clamd.* gen_context(system_u:object_r:clamd_var_lib_t,s0) + /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) + /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) + /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 1f11572..7f6a7ab 100644 --- a/policy/modules/services/clamav.if @@ -18426,7 +18838,7 @@ index 1cf6c4e..e4bac67 100644 -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if -index 293e08d..e3787fb 100644 +index 293e08d..82306eb 100644 --- a/policy/modules/services/cobbler.if +++ b/policy/modules/services/cobbler.if @@ -1,12 +1,12 @@ @@ -18488,7 +18900,7 @@ index 293e08d..e3787fb 100644 ') - read_files_pattern($1, cobbler_etc_t, cobbler_etc_t); -+ list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t) files_search_etc($1) ') @@ -20269,7 +20681,7 @@ index a8b93c0..831ce70 100644 type dante_var_run_t; files_pid_file(dante_var_run_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..3874025 100644 +index 0d5711c..bbc1a8f 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` 
@@ -20373,7 +20785,51 @@ index 0d5711c..3874025 100644 read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -431,14 +442,28 @@ interface(`dbus_system_domain',` +@@ -197,6 +208,34 @@ interface(`dbus_system_bus_client',` + + ####################################### + ## ++## Creating connections to specified ++## DBUS sessions. ++## ++## ++## ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_session_client',` ++ gen_require(` ++ class dbus send_msg; ++ type $1_dbusd_t; ++ ') ++ ++ allow $2 $1_dbusd_t:fd use; ++ allow $2 { $1_dbusd_t self }:dbus send_msg; ++ allow $2 $1_dbusd_t:unix_stream_socket connectto; ++') ++ ++####################################### ++## + ## Template for creating connections to + ## a user DBUS. + ## +@@ -217,6 +256,8 @@ interface(`dbus_session_bus_client',` + + # For connecting to the bus + allow $1 session_bus_type:unix_stream_socket connectto; ++ ++ allow session_bus_type $1:process sigkill; + ') + + ######################################## +@@ -431,14 +472,28 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -20403,7 +20859,7 @@ index 0d5711c..3874025 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -497,3 +522,22 @@ interface(`dbus_unconfined',` +@@ -497,3 +552,22 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -22287,10 +22743,10 @@ index 0000000..63f11d9 + diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te new file mode 100644 -index 0000000..19a27bc +index 0000000..1453c54 --- /dev/null +++ b/policy/modules/services/drbd.te -@@ -0,0 +1,57 @@ +@@ -0,0 +1,55 @@ + +policy_module(drbd,1.0.0) + 
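Review bot: `allow session_bus_type $1:process sigkill;` is added to dbus_session_bus_client without a comment, and it lets every session bus domain send SIGKILL to every domain that calls the interface, which after this commit includes gkeyringd_t. That is a wide grant to attach to a client-side interface. A comment naming the case that needs it would help, and if only bus-activated services are meant, moving the rule to dbus_session_domain would keep ordinary clients out of scope. The interface body continues outside the hunk, so any related rules further up are not visible here.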
@@ -22303,8 +22759,6 @@ index 0000000..19a27bc +type drbd_exec_t; +init_daemon_domain(drbd_t, drbd_exec_t) + -+permissive drbd_t; -+ +type drbd_var_lib_t; +files_type(drbd_var_lib_t) + @@ -24611,7 +25065,7 @@ index 9878499..9167dc9 100644 domain_system_change_exemption($1) role_transition $2 jabberd_initrc_exec_t system_r; diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..e184dff 100644 +index da2127e..e141bc5 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0) @@ -24635,14 +25089,11 @@ index da2127e..e184dff 100644 type jabberd_log_t; logging_log_file(jabberd_log_t) -@@ -21,74 +27,94 @@ files_type(jabberd_var_lib_t) +@@ -21,74 +27,91 @@ files_type(jabberd_var_lib_t) type jabberd_var_run_t; files_pid_file(jabberd_var_run_t) -######################################## -+permissive jabberd_router_t; -+permissive jabberd_t; -+ +###################################### # -# Local policy 
@@ -24683,34 +25134,34 @@ index da2127e..e184dff 100644 -corenet_sendrecv_jabber_client_server_packets(jabberd_t) -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; -+ + +-dev_read_sysfs(jabberd_t) +-# For SSL +-dev_read_rand(jabberd_t) +corenet_tcp_bind_jabber_client_port(jabberd_router_t) +corenet_tcp_bind_jabber_router_port(jabberd_router_t) +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) --dev_read_sysfs(jabberd_t) --# For SSL --dev_read_rand(jabberd_t) -+fs_getattr_all_fs(jabberd_router_t) - -domain_use_interactive_fds(jabberd_t) -+miscfiles_read_certs(jabberd_router_t) ++fs_getattr_all_fs(jabberd_router_t) -files_read_etc_files(jabberd_t) -files_read_etc_runtime_files(jabberd_t) -+optional_policy(` -+ kerberos_use(jabberd_router_t) -+') ++miscfiles_read_certs(jabberd_router_t) -fs_getattr_all_fs(jabberd_t) -fs_search_auto_mountpoints(jabberd_t) +optional_policy(` -+ nis_use_ypbind(jabberd_router_t) ++ kerberos_use(jabberd_router_t) +') -logging_send_syslog_msg(jabberd_t) ++optional_policy(` ++ nis_use_ypbind(jabberd_router_t) ++') ++ +##################################### +# +# Local policy for other jabberd components @@ -26611,10 +27062,10 @@ index 0000000..311aaed +') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te new file mode 100644 -index 0000000..d87d442 +index 0000000..0b9257a --- /dev/null +++ b/policy/modules/services/mpd.te -@@ -0,0 +1,143 @@ +@@ -0,0 +1,141 @@ +policy_module(mpd, 1.0.0) + +######################################## @@ -26626,8 +27077,6 @@ index 0000000..d87d442 +type mpd_exec_t; +init_daemon_domain(mpd_t, mpd_exec_t) + -+permissive mpd_t; -+ +type mpd_initrc_exec_t; +init_script_file(mpd_initrc_exec_t) + 
@@ -28097,7 +28546,7 @@ index 2324d9e..8069487 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..5428249 100644 +index 0619395..cd5c974 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -28184,7 +28633,7 @@ index 0619395..5428249 100644 ') optional_policy(` -@@ -172,12 +198,14 @@ optional_policy(` +@@ -172,14 +198,17 @@ optional_policy(` ') optional_policy(` @@ -28199,8 +28648,11 @@ index 0619395..5428249 100644 + optional_policy(` consolekit_dbus_chat(NetworkManager_t) ++ consolekit_read_pid_files(NetworkManager_t) ') -@@ -202,6 +230,17 @@ optional_policy(` + ') + +@@ -202,6 +231,17 @@ optional_policy(` ') optional_policy(` @@ -28218,7 +28670,7 @@ index 0619395..5428249 100644 iptables_domtrans(NetworkManager_t) ') -@@ -219,6 +258,7 @@ optional_policy(` +@@ -219,6 +259,7 @@ optional_policy(` ') optional_policy(` @@ -28226,7 +28678,7 @@ index 0619395..5428249 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -263,6 +303,7 @@ optional_policy(` +@@ -263,6 +304,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -36120,7 +36572,7 @@ index c954f31..7f57f22 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..9948efa 100644 +index ec1eb1e..3c0c8c8 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0) 
@@ -36280,7 +36732,7 @@ index ec1eb1e..9948efa 100644 ') ######################################## -@@ -206,15 +251,30 @@ allow spamc_t self:unix_stream_socket connectto; +@@ -206,15 +251,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -36308,10 +36760,12 @@ index ec1eb1e..9948efa 100644 kernel_read_kernel_sysctls(spamc_t) +kernel_read_system_state(spamc_t) ++ ++corecmd_exec_bin(spamc_t) corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -226,6 +286,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) +@@ -226,6 +288,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) @@ -36319,7 +36773,7 @@ index ec1eb1e..9948efa 100644 fs_search_auto_mountpoints(spamc_t) -@@ -244,9 +305,14 @@ files_read_usr_files(spamc_t) +@@ -244,9 +307,14 @@ files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -36334,7 +36788,7 @@ index ec1eb1e..9948efa 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -254,27 +320,40 @@ seutil_read_config(spamc_t) +@@ -254,27 +322,40 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -36381,7 +36835,7 @@ index ec1eb1e..9948efa 100644 ') ######################################## -@@ -286,7 +365,7 @@ optional_policy(` +@@ -286,7 +367,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. 
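Review bot: `corecmd_exec_bin(spamc_t)` is added to the spamc rules with no comment, in a domain that the same file section already allows `corenet_tcp_connect_all_ports(spamc_t)`. Judging by the interface name, generic programs from the bin directories would then run inside spamc_t rather than in a domain of their own, so the grant widens what a network-facing client domain can do. Please record which helper needs it, in the style of the existing `# cjp:` remarks, for example `# spamc executes <helper name> from bin_t` (placeholder, the helper is not named on this page). The spamc rule block starts and ends outside the hunk.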
@@ -36390,7 +36844,7 @@ index ec1eb1e..9948efa 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -302,10 +381,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -302,10 +383,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -36409,7 +36863,7 @@ index ec1eb1e..9948efa 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -314,11 +400,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -314,11 +402,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -36427,7 +36881,7 @@ index ec1eb1e..9948efa 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +457,27 @@ files_read_var_lib_files(spamd_t) +@@ -367,22 +459,27 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -36459,7 +36913,7 @@ index ec1eb1e..9948efa 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +494,9 @@ optional_policy(` +@@ -399,7 +496,9 @@ optional_policy(` ') optional_policy(` @@ -36469,7 +36923,7 @@ index ec1eb1e..9948efa 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -408,25 +505,17 @@ optional_policy(` +@@ -408,25 +507,17 @@ optional_policy(` ') optional_policy(` @@ -36497,7 +36951,7 @@ index ec1eb1e..9948efa 100644 postgresql_stream_connect(spamd_t) ') -@@ -437,6 +526,10 @@ optional_policy(` +@@ -437,6 +528,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -38185,10 +38639,10 @@ index 0000000..83336ab + 
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te new file mode 100644 -index 0000000..324365e +index 0000000..9fb3ea7 --- /dev/null +++ b/policy/modules/services/vdagent.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,48 @@ +policy_module(vdagent,1.0.0) + +######################################## @@ -38200,8 +38654,6 @@ index 0000000..324365e +type vdagent_exec_t; +init_daemon_domain(vdagent_t, vdagent_exec_t) + -+permissive vdagent_t; -+ +type vdagent_var_run_t; +files_pid_file(vdagent_var_run_t) + @@ -39382,10 +39834,10 @@ index 0000000..b9104b7 +') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te new file mode 100644 -index 0000000..d861cf6 +index 0000000..ff32e95 --- /dev/null +++ b/policy/modules/services/vnstatd.te -@@ -0,0 +1,72 @@ +@@ -0,0 +1,70 @@ +policy_module(vnstatd, 1.0.0) + +######################################## @@ -39397,8 +39849,6 @@ index 0000000..d861cf6 +type vnstatd_exec_t; +init_daemon_domain(vnstatd_t, vnstatd_exec_t) + -+permissive vnstatd_t; -+ +type vnstatd_var_lib_t; +files_type(vnstatd_var_lib_t) + @@ -39624,7 +40074,7 @@ index 6f1e3c7..ecfe665 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..61bce48 100644 +index da2601a..06e7dd4 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -39992,7 +40442,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -724,11 +787,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +787,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` 
@@ -40004,10 +40454,29 @@ index da2601a..61bce48 100644 - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + files_search_pids($1) + stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t) ++') ++ ++######################################## ++## ++## Read XDM files in user home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_read_xdm_home_files',` ++ gen_require(` ++ type xdm_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 xdm_home_t:file read_file_perms; ') ######################################## -@@ -765,7 +829,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +848,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -40016,7 +40485,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -805,7 +869,25 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +888,25 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -40043,7 +40512,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -897,7 +979,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +998,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -40052,7 +40521,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -916,7 +998,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1017,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -40061,7 +40530,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -963,6 +1045,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1064,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -40107,7 +40576,7 @@ index da2601a..61bce48 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1097,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1116,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') 
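Review bot: The new `xserver_read_xdm_home_files` interface is written with a raw rule, `allow $1 xdm_home_t:file read_file_perms;`, where the neighbouring interfaces in this file use the pattern macros, for example `read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)` in `xserver_read_xdm_tmp_files`. The raw rule gives no search permission on a directory labelled xdm_home_t, so if that type is ever applied to a directory (not visible here) the read would be denied despite the interface being called. `read_files_pattern($1, xdm_home_t, xdm_home_t)` would match the file's style and cover that case.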
@@ -40116,7 +40585,7 @@ index da2601a..61bce48 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1159,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1178,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -40159,7 +40628,7 @@ index da2601a..61bce48 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1209,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1228,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -40168,7 +40637,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -1070,8 +1227,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1246,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -40180,7 +40649,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -1185,6 +1344,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1363,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -40207,7 +40676,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -1210,7 +1389,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1408,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -40216,7 +40685,7 @@ index da2601a..61bce48 100644 ## ## ## -@@ -1220,13 +1399,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1418,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` 
@@ -40241,7 +40710,7 @@ index da2601a..61bce48 100644 ') ######################################## -@@ -1243,10 +1432,393 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1451,393 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -40638,7 +41107,7 @@ index da2601a..61bce48 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 145fc4b..f596720 100644 +index 145fc4b..bfb9c7a 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -41280,7 +41749,7 @@ index 145fc4b..f596720 100644 ') optional_policy(` -@@ -516,12 +737,49 @@ optional_policy(` +@@ -516,12 +737,50 @@ optional_policy(` ') optional_policy(` @@ -41320,6 +41789,7 @@ index 145fc4b..f596720 100644 ') optional_policy(` ++ gnome_exec_keyringd(xdm_t) + gnome_manage_config(xdm_t) + gnome_manage_gconf_home_files(xdm_t) + gnome_read_config(xdm_t) @@ -41330,7 +41800,7 @@ index 145fc4b..f596720 100644 hostname_exec(xdm_t) ') -@@ -539,28 +797,64 @@ optional_policy(` +@@ -539,28 +798,64 @@ optional_policy(` ') optional_policy(` @@ -41404,7 +41874,7 @@ index 145fc4b..f596720 100644 ') optional_policy(` -@@ -572,6 +866,10 @@ optional_policy(` +@@ -572,6 +867,10 @@ optional_policy(` ') optional_policy(` @@ -41415,7 +41885,7 @@ index 145fc4b..f596720 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +894,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +895,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
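Review bot: `gnome_exec_keyringd(xdm_t)`, added at the top of the gnome optional block, appears to run the keyring daemon inside xdm_t with no domain transition. This is inferred from the `_exec_` naming, as the interface definition is not on this page. xdm_t is among the most broadly privileged domains in this module, so a daemon that holds user secrets would inherit all of xdm_t's access, and its own files would be reachable by anything else running as xdm_t. If the gnome module offers a transition into a dedicated keyring domain, that would be the tighter choice. Otherwise a comment such as `# keyring daemon is started by the greeter and deliberately stays in xdm_t` documents the decision.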
@@ -41424,7 +41894,7 @@ index 145fc4b..f596720 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +908,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +909,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -41439,7 +41909,7 @@ index 145fc4b..f596720 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +935,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +936,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -41461,7 +41931,7 @@ index 145fc4b..f596720 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +955,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +956,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -41469,7 +41939,7 @@ index 145fc4b..f596720 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +982,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +983,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -41477,7 +41947,7 @@ index 145fc4b..f596720 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,11 +991,17 @@ dev_wx_raw_memory(xserver_t) +@@ -678,11 +992,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -41495,7 +41965,7 @@ index 145fc4b..f596720 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -693,8 +1012,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +1013,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -41509,7 +41979,7 @@ index 145fc4b..f596720 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1040,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1041,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -41524,7 +41994,7 @@ index 145fc4b..f596720 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1100,28 @@ optional_policy(` +@@ -773,12 +1101,28 @@ optional_policy(` ') optional_policy(` @@ -41554,7 +42024,7 @@ index 145fc4b..f596720 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1130,10 @@ optional_policy(` +@@ -787,6 +1131,10 @@ optional_policy(` ') optional_policy(` @@ -41565,7 +42035,7 @@ index 145fc4b..f596720 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1149,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1150,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
@@ -41579,7 +42049,7 @@ index 145fc4b..f596720 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1160,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -813,7 +1161,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -41588,7 +42058,7 @@ index 145fc4b..f596720 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1173,9 @@ init_use_fds(xserver_t) +@@ -826,6 +1174,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -41598,7 +42068,7 @@ index 145fc4b..f596720 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -833,6 +1183,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -833,6 +1184,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -41610,7 +42080,7 @@ index 145fc4b..f596720 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -841,11 +1196,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1197,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -41627,7 +42097,7 @@ index 145fc4b..f596720 100644 ') optional_policy(` -@@ -853,6 +1211,10 @@ optional_policy(` +@@ -853,6 +1212,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -41638,7 +42108,7 @@ index 145fc4b..f596720 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1258,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -896,7 +1259,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -41647,7 +42117,7 @@ index 145fc4b..f596720 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1312,31 @@ allow x_domain self:x_resource { read write }; +@@ -950,11 +1313,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -41679,7 +42149,7 @@ index 145fc4b..f596720 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1358,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -976,18 +1359,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -41936,10 +42406,10 @@ index 0000000..8a909f5 +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..d7c3f51 +index 0000000..6b80580 --- /dev/null +++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,134 @@ +@@ -0,0 +1,127 @@ +policy_module(zarafa, 1.0.0) + +######################################## 
@@ -41965,13 +42435,6 @@ index 0000000..d7c3f51 +type zarafa_share_t; +files_type(zarafa_share_t) + -+permissive zarafa_server_t; -+permissive zarafa_spooler_t; -+permissive zarafa_gateway_t; -+permissive zarafa_deliver_t; -+permissive zarafa_ical_t; -+permissive zarafa_monitor_t; -+ +######################################## +# +# zarafa-deliver local policy @@ -46798,7 +47261,7 @@ index 2cc4bda..9e81136 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 170e2c7..bbaa8cf 100644 +index 170e2c7..d95624d 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',` @@ -46812,7 +47275,18 @@ index 170e2c7..bbaa8cf 100644 ') ######################################## -@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',` +@@ -199,6 +203,10 @@ interface(`seutil_run_newrole',` + role $2 types newrole_t; + + auth_run_upd_passwd(newrole_t, $2) ++ ++ optional_policy(` ++ namespace_init_run(newrole_t, $2) ++ ') + ') + + ######################################## +@@ -361,6 +369,27 @@ interface(`seutil_exec_restorecon',` ######################################## ## @@ -46840,7 +47314,7 @@ index 170e2c7..bbaa8cf 100644 ## Execute run_init in the run_init domain. ## ## -@@ -514,6 +539,10 @@ interface(`seutil_domtrans_setfiles',` +@@ -514,6 +543,10 @@ interface(`seutil_domtrans_setfiles',` files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, setfiles_exec_t, setfiles_t) @@ -46851,7 +47325,7 @@ index 170e2c7..bbaa8cf 100644 ') ######################################## -@@ -545,6 +574,53 @@ interface(`seutil_run_setfiles',` +@@ -545,6 +578,53 @@ interface(`seutil_run_setfiles',` ######################################## ## 
@@ -46905,7 +47379,7 @@ index 170e2c7..bbaa8cf 100644 ## Execute setfiles in the caller domain. ## ## -@@ -690,6 +766,7 @@ interface(`seutil_manage_config',` +@@ -690,6 +770,7 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -46913,7 +47387,7 @@ index 170e2c7..bbaa8cf 100644 manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -1005,6 +1082,30 @@ interface(`seutil_domtrans_semanage',` +@@ -1005,6 +1086,30 @@ interface(`seutil_domtrans_semanage',` files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, semanage_exec_t, semanage_t) @@ -46944,7 +47418,7 @@ index 170e2c7..bbaa8cf 100644 ') ######################################## -@@ -1038,6 +1139,54 @@ interface(`seutil_run_semanage',` +@@ -1038,6 +1143,54 @@ interface(`seutil_run_semanage',` ######################################## ## @@ -46999,7 +47473,7 @@ index 170e2c7..bbaa8cf 100644 ## Full management of the semanage ## module store. ## -@@ -1149,3 +1298,194 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1149,3 +1302,194 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -48190,10 +48664,10 @@ index 0000000..5f0352b + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..85d3b7a +index 0000000..dae5641 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,103 @@ +@@ -0,0 +1,104 @@ + +policy_module(systemd, 1.0.0) + @@ -48223,6 +48697,7 @@ index 0000000..85d3b7a +# +type systemd_device_t; +files_type(systemd_device_t) ++dev_associate(systemd_device_t) + +####################################### +# @@ -49269,7 +49744,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..10340bc 100644 +index 28b88de..4a3297c 100644 
--- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -50480,7 +50955,7 @@ index 28b88de..10340bc 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,12 +1514,15 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1514,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -50489,15 +50964,36 @@ index 28b88de..10340bc 100644 allow $1 user_home_t:filesystem associate; files_type($1) -- files_poly_member($1) - ubac_constrained($1) ++ ubac_constrained($1) + -+ files_poly_member($1) + files_poly_member($1) + typeattribute $1 user_home_type; ++') ++ ++######################################## ++## ++## Make the specified type usable in a ++## generic temporary directory. ++## ++## ++## ++## Type to be used as a file in the ++## generic temporary directory. ++## ++## ++# ++interface(`userdom_user_tmp_content',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ typeattribute $1 user_tmp_type; ++ ++ files_tmp_file($1) + ubac_constrained($1) ') - ######################################## -@@ -1395,6 +1633,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1656,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -50505,7 +51001,7 @@ index 28b88de..10340bc 100644 files_search_home($1) ') -@@ -1441,6 +1680,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1703,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -50520,7 +51016,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -1456,9 +1703,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1726,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -50532,7 +51028,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -1515,6 +1764,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1787,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -50575,7 +51071,7 @@ index 28b88de..10340bc 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +1874,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1897,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -50584,7 +51080,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -1603,10 +1890,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1913,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -50599,64 +51095,33 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -1649,30 +1938,49 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1961,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## --## Do not audit attempts to set the --## attributes of user home files. +## Set the attributes of user home files. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`userdom_dontaudit_setattr_user_home_content_files',` -+interface(`userdom_setattr_user_home_content_files',` - gen_require(` - type user_home_t; - ') - -- dontaudit $1 user_home_t:file setattr_file_perms; -+ allow $1 user_home_t:file setattr; - ') - - ######################################## - ## --## Mmap user home files. -+## Do not audit attempts to set the -+## attributes of user home files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_setattr_user_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file setattr_file_perms; -+') -+ -+######################################## -+## -+## Mmap user home files. +## +## +## +## Domain allowed access. - ## - ## - # -@@ -1700,12 +2008,32 @@ interface(`userdom_read_user_home_content_files',` ++## ++## ++## ++# ++interface(`userdom_setattr_user_home_content_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file setattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to set the + ## attributes of user home files. + ## +@@ -1700,12 +2031,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') 
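Review bot: The new `userdom_setattr_user_home_content_files` interface spells its rule with the bare permission, `allow $1 user_home_t:file setattr;`, while its dontaudit counterpart directly below uses the permission set, `dontaudit $1 user_home_t:file setattr_file_perms;`. Writing `allow $1 user_home_t:file setattr_file_perms;` keeps the allow and dontaudit pair in step if the set is ever redefined. The interface also grants no search on the home directories, so callers must obtain that elsewhere, and the summary could say so.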
@@ -50689,7 +51154,7 @@ index 28b88de..10340bc 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2044,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2067,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -50707,7 +51172,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -1810,8 +2141,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2164,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -50717,7 +51182,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -1827,20 +2157,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2180,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -50742,7 +51207,7 @@ index 28b88de..10340bc 100644 ######################################## ## -@@ -2182,7 +2506,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2529,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -50751,7 +51216,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -2435,13 +2759,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2782,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -50767,7 +51232,7 @@ index 28b88de..10340bc 100644 ## ## ## -@@ -2462,26 +2787,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2810,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -50794,7 +51259,7 @@ index 28b88de..10340bc 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3120,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3143,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -50803,7 +51268,7 @@ index 28b88de..10340bc 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3136,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3159,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -50819,7 +51284,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -2917,7 +3224,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3247,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -50828,7 +51293,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -2972,7 +3279,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3302,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -50875,7 +51340,7 @@ index 28b88de..10340bc 100644 ') ######################################## -@@ -3009,6 +3354,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3377,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -50883,7 +51348,7 @@ index 28b88de..10340bc 100644 kernel_search_proc($1) ') -@@ -3139,3 +3485,873 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3508,1041 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') 
@@ -51459,6 +51924,137 @@ index 28b88de..10340bc 100644 + +######################################## +## ++## Do not audit attempts to write all user home content files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_write_all_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ dontaudit $1 user_home_type:file write_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to write all user tmp content files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_write_all_user_tmp_content_files',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ dontaudit $1 user_tmp_type:file write_file_perms; ++') ++ ++######################################## ++## ++## Manage all user temporary content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_all_user_tmp_content',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ manage_dirs_pattern($1, user_tmp_type, user_tmp_type) ++ manage_files_pattern($1, user_tmp_type, user_tmp_type) ++ manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type) ++ manage_sock_files_pattern($1, user_tmp_type, user_tmp_type) ++ manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## List all user temporary content. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_list_all_user_tmp_content',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ list_dirs_pattern($1, user_tmp_type, user_tmp_type) ++ getattr_files_pattern($1, user_tmp_type, user_tmp_type) ++ read_lnk_files_pattern($1, user_tmp_type, user_tmp_type) ++ getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type) ++ getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type) ++ files_search_var($1) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Manage all user tmpfs content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_all_user_tmpfs_content',` ++ gen_require(` ++ attribute user_tmpfs_type; ++ ') ++ ++ manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type) ++ fs_search_tmpfs($1) ++') ++ ++######################################## ++## ++## Delete all user temporary content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_user_tmp_content',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ delete_dirs_pattern($1, user_tmp_type, user_tmp_type) ++ delete_files_pattern($1, user_tmp_type, user_tmp_type) ++ delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type) ++ delete_sock_files_pattern($1, user_tmp_type, user_tmp_type) ++ delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type) ++ # /var/tmp ++ files_search_var($1) ++ files_delete_tmp_dir_entry($1) ++') ++ ++######################################## ++## +## Read system SSL certificates in the users homedir. +## +## 
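Review bot: `userdom_manage_all_user_tmp_content` ends with only `files_search_tmp($1)`, while `userdom_list_all_user_tmp_content` and `userdom_delete_all_user_tmp_content` in the same hunk also call `files_search_var($1)`; the delete interface marks that call with `# /var/tmp`. If content under /var/tmp is meant to be covered, the manage interface probably needs `files_search_var($1)` too. Otherwise each summary should state which directories the interface reaches. All four content interfaces grant over every type carrying `user_tmp_type` or `user_tmpfs_type`, not just one type. A summary line such as `## Applies to every type with the user_tmp_type attribute.` would make that scope visible to whoever reviews a calling domain for least privilege.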
@@ -51757,8 +52353,45 @@ index 28b88de..10340bc 100644 + domain_transition_pattern($1, user_tmp_t, $2) + type_transition $1 user_tmp_t:process $2; +') ++ ++######################################## ++## ++## Do not audit attempts to read all user home content files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_all_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ dontaudit $1 user_home_type:file read_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read all user tmp content files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_all_user_tmp_content_files',` ++ gen_require(` ++ attribute user_tmp_type; ++ ') ++ ++ dontaudit $1 user_tmp_type:file read_file_perms; ++') ++ diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index df29ca1..b13e0f3 100644 +index df29ca1..2333dd8 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0) @@ -51784,23 +52417,27 @@ index df29ca1..b13e0f3 100644 ## Allow w to display everyone ##
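Review bot: `userdom_dontaudit_read_all_user_home_content_files` and `userdom_dontaudit_read_all_user_tmp_content_files` suppress denials for every type in `user_home_type` / `user_tmp_type`, and their summaries do not mention what that costs. Read attempts on user files by a calling domain will be denied without leaving an AVC record, which removes a signal that detection and incident response rely on. The same applies to the two `userdom_dontaudit_write_all_*` interfaces added in the previous hunk. I would add a summary line to each, for example `## Denials are hidden unless dontaudit rules are disabled (semodule -DB); use only for domains whose access attempts are understood.`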

## -@@ -59,6 +66,15 @@ attribute unpriv_userdomain; +@@ -59,6 +66,19 @@ attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; +# unprivileged user domains +attribute user_home_type; ++attribute user_tmp_type; ++attribute user_tmpfs_type; + +type admin_home_t; +files_type(admin_home_t) +files_associate_tmp(admin_home_t) +fs_associate_tmpfs(admin_home_t) +files_mountpoint(admin_home_t) ++files_poly_member(admin_home_t) ++files_poly_parent(admin_home_t) + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,21 +87,25 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +91,54 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
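Review bot: The comment `# unprivileged user domains` now heads `attribute user_home_type;`, `attribute user_tmp_type;` and `attribute user_tmpfs_type;`, but the patch attaches these to file types rather than domains (`type user_tmp_t, user_tmp_type;` and `type user_tmpfs_t, user_tmpfs_type;` later in the same file). These attributes decide how far the new `userdom_*_all_user_tmp*_content` interfaces reach, so the label matters to anyone auditing that reach. I would replace the comment with `# attributes grouping user home, tmp and tmpfs content types`. A short note on why `admin_home_t` gains `files_poly_member` and `files_poly_parent` would also help, since no visible line explains the polyinstantiation change.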
@@ -51819,15 +52456,19 @@ index df29ca1..b13e0f3 100644 ubac_constrained(user_devpts_t) -type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; -+type user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; ++type user_tmp_t, user_tmp_type; ++typealias user_tmp_t alias { winbind_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t }; files_tmp_file(user_tmp_t) userdom_user_home_content(user_tmp_t) +files_poly_parent(user_tmp_t) - type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; +-type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; ++type user_tmpfs_t, user_tmpfs_type; ++typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t }; files_tmpfs_file(user_tmpfs_t) -@@ -94,3 +114,25 @@ userdom_user_home_content(user_tmpfs_t) + userdom_user_home_content(user_tmpfs_t) + type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 02dbe9c8..64128736 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.13 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -472,6 +472,12 @@ exit 0 %endif %changelog +* Wed Jan 19 2011 Miroslav Grepl 3.9.13-3 +- NetworkManager wants to read consolekit_var_run_t +- Allow readahead to create /dev/.systemd/readahead +- Remove permissive domains +- Allow newrole to run namespace_init + * Tue Jan 18 2011 Miroslav Grepl 3.9.13-2 - Add sepgsql_contexts file