From 4696e7ec09e9a873c598ee898706e42f55367159 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Fri, 21 Jul 2017 14:21:02 +0200 Subject: [PATCH] * Fri Jul 21 2017 Lukas Vrabec - 3.13.1-265 - Allow llpdad send dgram to libvirt - Allow abrt_t domain dac_read_search capability - Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476) - Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036) --- container-selinux.tgz | Bin 6901 -> 6904 bytes policy-rawhide-base.patch | 161 +++++++++++++------------ policy-rawhide-contrib.patch | 225 ++++++++++++++++++++--------------- selinux-policy.spec | 9 +- 4 files changed, 218 insertions(+), 177 deletions(-) diff --git a/container-selinux.tgz b/container-selinux.tgz index 423a8cbbc3581e46792f029fa15c49461f69ae52..715e8fa7e47b88ca144cd05f3e9d6e90722a2c8f 100644 GIT binary patch literal 6904 zcmVRQEEBy9%5j|u~hYtERw}yu~>@Aq7Bm`sn65x zizoWIgrE2Czr)|}e)#@U{S80Y@2}szd-3l2-Sv0ZKU`k_@czZ+yX&iW*Dr$0r>c

g1$-tdtf=p7xF5VFD6Zw>J*1yxKNI@%n7F zI*H0UiSl^eBw-!x*PFCB{pQ`->O@p%U4<>w8=u;XGreigR#?D-UCEJ^F5PKwSg-ka z?a8FBJ+XDIRzO{5i2?qv@K}O}QIs^z7%Cz~VRbP&eBk$_k<<0QcqRIq^*$C1{a&XV z?1FEu%oqsq6mu1X^lT?84)`gemh;g$+oG@_O6M#)azgzz31gCPRhKyU0$8a){N;8y z#TJ@D9)sK>Y^ds*syAy?SD>|68%MO)u_FB&b)zD`EZqb#R5NPJI!&4hgZF6!$;TN~ z%SVuRVU47nAgTP|n|CIf575ql$bY20 z^n`lwxPfBPY%@e|5c+?FMYz)!lIJnUa;n;s={633jCK^G0z;T(oX{ypQuShiQ5lX1p{gG-z~cr`Q_h#ekSWI zS?pCBPqUHgLt#-k0M$&`{1K4x;o>fiCaLchIl@@T&u#HBJvMEUM{PFMSEs)_6lqK1 z?>dTM$9z*E3SzyLB6*!;C2mYXQYnlldK2&;!OXjLTQcwp6w7^#HDNdg--}X{5BMvP zBSU&$M!0x|0=|IpKLz(^bWzeY4vRRruT#@zGEZ_?xxW0Qz6TlQv%I~Ao{%)q4|%|_ zh3qFtQx|3sXwvLY%c^~xx`YQBzEzyT#N&!X1B0!7B=v}Mp)XW1Lp0IG$z9cw-HR_# zQ25&*UqSdG+A~8JWel}gM#%WXTqB(`gsr}cu<>6>(M}OH{tQcUh@2QEiM?B>vHW<= zYl*$!-wn$0Z=sO>5`3pmkgVJ}Se3QVLa{INL>~iuQRIuRI4HC%jY#q)cq!kV1K-QD z**I|--OdMTfO|ct5k8%R2ByA>^ES#-=-&BAtZfU_WR`3gMj6eMtX6}DW5Dp+fxS$_ z(1t=oR3KyzQLlJ0{9RSx#;&CbGjRrjn2ccP&Y2i*Gf;PpIQwYXw<2)_cT7-w5w&}wbD}i(_UjW*XuAj0fgnvUC9oYCF48YKT2$~j5 zlAP9;r2XRdGph~S8(8bvQDnvqt|fBJvWf23WY$L7vJdiu)@nQTm3c#`aefe9_Mmrs zIK%pN4!pnp@>5rb<~fhPD)JtINQ-tE{POk7u*bCJT0>pQKw&L!v@JY=e?SR|`Y^hH zSF0_L>>b#b2=8EhfLaB-edIho7fwO$1q@*Zv?AExOnE=zG!+LD!&y*e2T-xz z#*mj0tYiAVn?7L-y{R8mk%Mtl9*Vf334^Dp%jhz8AS~gJ2q=t1p;U`G z-TE=y9hi75!`O$M#_(9BI@)Uok}-Z#tBW6!F`TeN(qBs?HF(TnxN0o-55Q^0} z@RI7W3>LBXV*xaw%a@K?^-r*EMyr`uJ!n%{#bZ~g!?nZa&vBucx8AP3`SG_g>{p4P zG{t4{rPpX|yU$%BavO}?9wM4W;>j9Xu^Ku@W=@1{iAK&QY|^N|fC~BgEtgfDY|{sW zJb$4VR1Ef7hh~>24EzeuAXITOzO{H|lxKHqQ0G(EN>J8)!$XpYGJxn5iO%FB^bDi= z%V}4)Zo_()w1OtjnlK00Qguvk3CC5i`$tZUvU_=;ACFMW~vpY%ue z=y{twRT=L4|L@;let$i<|9}1U{{LtBVV;(CUdEuG<&Ti#AJl~=EVpA*2TDX{>oIV)0SaneLQ#HQlGH3^2OKy`xqeFA#0R>Mg`GLMCy zn7p}J7X1CEUxKQvTN#5>aXrb(9<|^`83X9*VcW?-bJGwP8nP-t2RaS!KD98$DIzZplN{7D zQ`)D7l3W*@xvFmto8Q-9xJ7$Z>7CLy!AT}m=bjwWp<$|?y>_m(ZKWC#>LSMN2Ge50 zsdZ7aO?Y3#?Af4KRHxyP-m71nZn-n1U5bOEA189!dpjIs(w*I}q7vrB?@FM!%wBL~ zh*BR;ge{2!WHJ}%A@afA?^Nd>;tJP&AGteeVD;pGQ`3!Zf8)_cA5$E6FvLs*DV^$E 
zCbU5X`4Nd8d2^~UIc9%e4Kx5gl05@|Xox*lCo&$G4zSrlvP6eJ?fBcqHmYdA4M&xE zl$y^+G*sO=)(0QD>a1nxq{E_=V~l<&y@N7w9w8r|8WD!@B1W^1-Gz9vaLxAdbjUIU z;}IKuEE$E!gpileW#nEt9WWXM4Xf%vy!7m5g?{KFY3c7%odws@bQ>qz)87(W^VVSA z<5uJqj|j&FAU0BUEuqe$0sRqX z0kg;874wmq7XBv5wjZLf3O8w%wvWNbAljGrMR1#f0knmG;SI|sY125!Z;LVxuxsc5 zkN&ku3mJb;59$zXnxx$VBrbSs48EfDPoHkaY5`V^IIypi4D90!59~*n#2)z{P-t|h zVd%8uJbi<6gnAoeSkgEdIvHselxPr)QuDJ#jGa~v8rk8cH?wkW)RQ-Fc63|{zdboH zh@J&ttAX@mO#6;$@5=;r`a^KxzdhMZ0Ux|*^`R$P8&wOS9O41W6!vaHUIiPn1)4)s zB}MGw)ODrW6m${MWc3=yObG=rP0A>R%6rTxYTOYmK7tigPP#;&f%?kQ;&y$@FDM?8 zI}8svqGkdSIwDTPodzY|&VqE+N-m)|07yf_CNZhgXblS7Xl9*B796+}SwQ|%S!iU! zaITZ+js|ipZk9=|8)@9x;^px-ouqBh?e3z{72x=@$91V8c8Mvk^x_ zo;{HbG0*~UDT}i!M9n0BVW2x!pOngtw$x6=?ce3L1 z#GUSp@&ul&1;=oGG+{4w_ry)0DPx3xl@~N%$8w#`9lc(dQ;kSZ;CaK$19;XjbK&;m z3cQB_hcpcX*>)NbKErsJ!+KE;;uIem=p4l$+Ee<1q@P;38CBZx zVK`bPJsPzO@DpKuubp#+QO!Qe7wkN|pmPYJgK1-q9y#k%HTxvXJm~x!OGlg<_RjMJ zTe_XWG_x!%SZLv+y?xtOo<#_jsLb;!OCHuVCdYYur<=YKG&1>}@yrb~4JA zJDTcT-LVLA3%x=fb-|cU;!el)v;$sOo6I#@7(dDMBjz`JL)$!78hdE)Qd*A3|2~i` z+k;p04h8vPG{3d2yU>Niq)*Z1&NgyN=Jy$?yoWHFeor_`yS4WjcHuoTcCMHTXA2_OhrWa{$Obl zCnzg7zfB#{d$En=C#IAq0wZA@9lh#Oh2VszR_D#mLfs<<8wpRYfZDeCPMb)X1{B(u z{%>dx@b4J9E?~C^*K{DYjuKn@O{~JM-NF+<2m!;PI<(pnlNaUwJ`UT^F^|ah7L(3i zfmgwh+R<~4y#V8tNstxq^NQ&U`Po3r+m4X_ee&)pvA5B-jX@))7UWw$z583S}wNbhy&!0L(;Tsvgz~- zrUrW6o^=kh1dJKC3q}yT9V`Z7AO8-0-p&j8sXRk{C5Y5G1YFjkr{Rp4Es-$IO!}BhM;F6XdK5!mlbsVhYx`G_CGBSx! z*r_~rb*Cg(P^Kzlq}(c@&A43g3?U-?6rMQhpbdVp~3B$le#4L{P*b6Nc%d+N7GVf=FnCNp5ZCcpe zXDpGTspM^1C-*R8;?ah_wh9%u^RvAF2f5F;9cb7XiwKWo3OsqW=1nlLnd034mN--73%9c~swJ;O4h;Q_z7bahifd-+4>lGyr%^o5S(0w{! z-P0~+pRve$CUZ59XmiObW21O8g<4apZ5t}Y0D2|FqbN>~`DIc{5^K?Dc8|WH!iID; z>}>R;N8DZSbB~b2W)1Q^byfpOVn)O>vZ&N!DJY9rA1x(LSYuoNOqvI^&^c! 
zhb5>N<{P6lIZqPiDK=(EqMUrk+=X=|`Wt-3!Z=$7#mMBtQ~8z1aE{;@;q>XG?o`ow zZfMAlY@YOfCGv4<2#|--s)ifm$kmo`UWDo3xqXJe{de5tEb-Zs4^>ZvP9N8I|XblPfy zGxmLukt}CCmFA3uTPo+o^it9cx4)q(pj)mZz zmoXM9!*ws?*dp9lGWa;j zL`uM&NFQSa^9wqZsMdDttv{v(|ldc=ey zu)z`6;fm+b)RXlpL~FQ}#2VBO*&SwaG-Ul1k{ETBqmQrqbf{kb(72KGH!f-s45?6? zE?t?T9=VB4{@w;Q`nSyUo8+eGykUv45_@^W2e1rM7R^X?!5gNw$rIJ8u~#*^e+P4{ z9gpN{`;lRWP`1|ZG9#Zhu1gzqQtf*Kto6Sa)cWU%Y$xQ0Y$x1iGSzm3&Usm^_0Ruk znyNE1#2%NPc9>#$N}?B($KAdn;q%mG{P?719^;*oDS8ZRg5G-lCit!U+_xH6ZM)6qD>q^$sg2(d^u~mh z7SvJWX^9Rl>5TJ?ToCdwXr~nFcO}S6G^D#d%#}WDAgZ2HNjJuHOiH$k`st%%>K-sTl zpuwW<@RkD19-_Ahw`AJ^^J2j&!n&HO}ki)IV%6| z(9*C)c~@qKJb61^6v{{ZI_QRkT&Lwyqv|Q}$|#MO!fRB(WoA)ddo12XN(swNf)1K* zP5JM6Dogq797j)Dp;S*nxt#sWi8odxzR5rW=y3QvJsu86=TRuDi@T7?4x_Uek}psf ze?#>VKs`|{f(1|)tk%C`qE>HE5nyD3lvE9(pMU!+enG%ri0oSg>Kt3R@Tr77*} zGQb#lG<6)g@OawZiG#oc@#+Z34zrWvGQ(8qm#{7Kbm~kpHe3PaS)7&>s~!Cq5leVn zm6nk$B3*D7Kr*$z%-w&K5_W1Tj`;)%OCX!|*3oLq48N%MvKO(85)=3f>oNhmxJuK2 zkJoHq8qKs*y3i(BPXv<$bEdKZk5%s1^D2!enPeky=;{T$W*NM<{Fco!BIK(VvvZrN ypo7RWMUMfnVzW)q0QBiB6=*jPM`)5S?UecY^Y!QJ&)1*N@biB);)g5%$N&JoK&=M= literal 6901 zcmVzf8u~hYtERw}yu~>@Aq7Bm`sV~y) zH_!C*4t_p-_#S^>{mT#U)Zg&){=@sLt8cE}U%h{Sb^YN7q`P{5ef92};N5doNc}l9 zZCD4vH`!esZj#7KH}?LY^k?<@b?{?z$n&s%{NvyDNl;cvao&`NI!c1DsSzDwgM2ppI&M3$H|``lIYMT3VK=u?OuHlmpT07f> zG*8x09^t%s``hYdmlW$d`TdaAK)X6QX&)=41(K(IYj~J|1lH}1gDbDL4N<%~Tdhu_ zvQDBrUN=ctNBi|AEl$6^I$NEH3azWKg?i&tdvT^W?b!+oSgt%PcX#{{+ z?X?*LA)aHdf{zJAcks2ZCR&DGhy&Pk0ALtgKGH* z@-D2Av=bziAAEadqWK8z3^+dgb6q8M-T>n^&5}kG%&BRRFT5JOG*QzW{hWff=nToX zgu3X9o4WRk3!0PzwvehbOWf8mdP3mrwOMsYtj{3xW*^qcOOiTO$Y1V^+(YVF+O#;f zZ9?ZjhDSbKHqMfZ@dhkW{o_EhN`N@9s z=pD{sc;w$RE{tV+W%`qIo^MQ8a+ce=`QNd8$h%}-z*;1+rF zcaV33{)tfO3Mi%59goOzpSJrT1j0iL5^mEdpw@T32UyyXE>zb1s!s2)9Hjh=9jYPo zTCA}a27GkpQd7z;SshF$XsARar71-*-gT6PO=BsF-VMvzB)qtIN_qJIS3y~!{KM=I zuiE-xYa)_r#cqEyG4#L7V>jjd`yo`o8(cOP4(63?+!)UlK8uh zV%Ra?REUCDZ>30HCs~ObQ;<{&yX|4({vJw3*D499FI`KdJ9QM)@pnuc0R-4fI1EFl-_F 
z3DVSs83dX%`_r;&AEz$ifrf7tXE5=&;?TfgYadBH;#}wpRm>1gv~hA*wPg3=OB59T zHpo{HevJ0a&_x+TEtU~7{xH`_=L})1uOe*xS5mZ7M2$bgk{lu@hDl=Y7HTX%Uh`UF zFZg$Zviw^pq`w5;=@TR?cMeu%EwoVV%RJG?0ACdOqALyxElVSkybWH-cNf6->TEVn zTt>I^K^ov*4{C%@=b(Y9ui~6XSqj}dABnYXftt*c4Z|p-d6Ly?&~OYGemk(2X&Bm2 zXow1g>>=tEFNVLX3f$PWRADC0KoFA=4Ba^s<2(a(*Qg`Q)BZO&t-H~`O?MYbaknJu zzHHiNX+YYqEr?ksO_|+Ypad3yWj)n^A+RYQl4Y9DFwv-85Uzy%Ll!oCsKf~`e(=xLiiY_SqZ7xD$59qIZhi$eG}q|t$m55fQp{fD4w!6eCP zeM#CcZa=fypuK^$o*hMI+~8Uw$1I!Zeoba=q%Hd(KWMGCQ(u`kgc|2Z;bjkc$A>el zU+2L4>n}fbb!cAl=&K^{5s0*Cm%%SzzYKd!Tdp)$>?yjn(lkderUS z8SYxZPB*{U8J{zA#?uWTLf)QWlU{=~f+pP+Va6tG@ablnLk0??)yYgKD&{`fa3Lti z7uGp3#?L*H8b3K{)oD)nIHhIlo++hgv_~>>kd7Dm#FR^)`mQ zj9?wp_ucdfW9Uu&po$!foAOY^4NVw4O)ZVe?(Y+SH)Rp5NZpDRIq#Bs2UAzoJ!>kXw^%<0yT z;qJi1V;ROiSUWf807g2 zy`W;S*E%%2JYnEhcm|=0lku&^E2BKSTZ1~Ex>ka+?i(JGM3ezUr$}@rAE9R$)n87# zx^)}YyQCE~dDg5!Z|t};T6-BaIQG#o1BJ!nF)mR&NMv2}KEYSCI(+Gi)c>SEvPUo4 z$OWu2EXD7I5M8r}xi7uQ!8@6J}5zF=XV%)1iQ zW!aXuQ%&X7>)_`EaB4~{0Bg>QR9T!f5f8DccyLXEAu3Rv;C`Qg9<0@Hl90?};U^|< zZk7dq`{|dUD(hCp;8a{sGIVTAdnm$<+E%$W19Satunn^&In%1dYs9R2evGJk`l0lk z2Y&DB@=yh*+%0v+wX{bqxKYLcx_a1lGSJ*K#D#{e3ebU0!@Ex{jB$#{i^C)b^~{v^ zsi7p-1!u16o5SYsYcSlRJ*xCh>6_pr6RLAh4(ZS^RnJ~K*V?vH4GDD-<935-vEkIZ zsM#jGFJks=&?~Cba7gdfFHX1InbI!BLD7#BIqkh2jxp)Z?pIL>bK-X;P+Vp&xG_Yj z4=2Kw!~rsy3-l2AVDERT^AB-_>%NcNoiwm|^1rF+Mz_E5XrqrQjyo7)CW4esbuJUy zpo08}M31~V)tDT!Kd%NF03XSofj>0F9;*`>4@?Kx>>yd9!=HBiZDSi%G~kA#$~;QV z=OY@b?i}lb4_$TEGIY{mQOYq!zm(oVnK+M-4^NEc;YiYWTlkMqm39Wf+Fz<0I z@|s74;{p&Lvkbvr?_F>n;I4s5f1mF5u=3IdykBz0_Wg?$jN2Hs%*mEeXVHNE2(y6M zWAKXk$V>}=lVsbEQCNkWG)vpZ;34iU zZPG%<-_wIS1e+#lw*ZL?-Wr3iDE-r?o3UDe6(bJp>m&pFIKu<`5hk%m{s$Bq9cmal z?Kn^0;2fde#u%0~PKHiKngt~q1f$gaY!PFpm4ilhcn~>MRhHQc6&{Rng zyEt`SsWt^&L^N5w#xYYu0ZfxJN}=)|Gm08_M2nAL1(lO7(PyB(vb4Be-|`EJhvW{! 
z1CFSfK!lEn({QIjiMO*LUA2-+C=LM9(6C8N>NHw|0ymmjXOaa6?nD-l|5O$lnJ}E| zB)VfkUAWC2uh|?Ps+uRg6xalMx#4%Sth6nb=9M?|aQ(i?^lSYimIX5lhfmG~qP!Tf z0Hlvb;sHCD%;+-p5$c=X2Qyt3}K{tA{2PI%`@F1KNf75XJIztXvniC zvLOaqK=Vqw_QZxkH$`A#`)iJbo710eLg>=7OAAc4HRBX4{W+$X_4gg?Sylb`^CrpylL!3D1W z=u_sS&U;MtW(rdD7(3VMmq`*h6 zp&TuAU;JYP@81UQn0U@Y#I5t^EMv04J*5nvRYYSV!&zBAZrq1huF|)v%YEuJVQo{* zih0eEnFBh9*^F7{O3XNSuy|lj9vmK+OXE$R?Ji889_GXo4Ikf8EUU7NrDVQ#`z+Yq z9o*-Hzg`~SbZ`85ics!+KVJcOO?&maqv=ZO)H)rB|Vop|ip16}0pC|5g zXOt)KWGy&`>!S&Ksk!*--6JSj7NL3Fe?iBHj}H=Mbe^s!k3(Gnm#sBn^~$Ni0={EixkAxMEfN6D;&?e zEkfubrPmY>A4Y9@2lFYml+Wp7e0PW`ogOcQy=h!R5wUvdF4|{3E+_re%FU?Kjt|4p zD(TUvU4Wkm>wDvzD~xLPQNCd3;RT&T2pvotbM(krpQ_m>S>{3K=U6)8)UbD+C)m>M z45pc7X~9AZAMNeiw(=}Outa5^S6T9~rZG9r+dJL#m7tNy?~Hf$N$QNFgO}2BJpT8AWZ53P zns+G352N|5ZQX?~Bqn`|E_b$(Q!>BLNaa0*(e!)5QR@A=ELd__o+`%NmZmLhG~qCY zfzF$~2(R#`J$f zdw_q(&~*X3MYyH|sdbdt+HYbNcI_6P073{D4%MO6mYBRK_xEwwhK_kewzrsc_6ocX zhSZLpbL<5euS|lhc%N5HU&zk}S|(R=Xj5*x#>qB3WG(ZvJlI5{a`|p0U?VG#dwn9l%oR7AAk0H6wjv zVNNS%Aa(Hh;S zbs8u12a9UdmervTO#inW%%aKzy6YL~`=*jx@$Uirouf(nrF zg#p{u4uclGqZS{wwH~8;R1_pv(8mK(3~{`xyAa|hQ*32`D;9ItO%FN1h`ypxCHQ99f1ych( zZ_hf1Spvq4+XW+t-3}H5v5$X;K5yrR{9GO;AZ5eRgI4WBGRB3Mig-O)d&bsivxk-z zvbby(H>2G&8t}2KlBkejNG1CugURSJzgMd`xl{Kb7EhEy1cJlEcAJ|ED5=|Fv9-(= zNpkR@$?j;)ZR^reHT)z3*2+ndm1X4xiZkOPe&NXsppKI^U`s!7#c* zA8`2W!3Rw8Ol}gFJaHTIH!z;@0=Vu%Y9G1+{-Zd$)au=68wvSgm6Rz!k z;z8ysfu?_Z-Zi9j(h*k(sO*ME-niN#H(Kilw(;~MCMU}xei&M^_6L}b*~S6s>5Cz> zv?$wj`{;Jrq{Ti#jT|c>N+T_jwOrl}H6qV@zp_`|A(nJjTX&L@v}*GQ2Z@k8AXz0( zgu)LnN+{;Vp+EyN3aJz92X1JA!A`x~C_>*g@X)?pr+duIb43G2USGDk0y>tuUCY13 zr=FZV@#cWmM~LR)F10P1@_vNRURBbvvEg}_LU2jT4j(uVu{sXcaa}l{UNi5JMr? 
zb6Yk&A+tm7GmUAG#?sEj+!?0#hTv0nHH96&-DqX@gQ`q`O70&z!EcrCN9iq)4q>0> z8j>*D*|tqDB7^lQGezu7xW($Y#9Gcad1fw)3pcFjc!N5~c?c^gMaYeN9ki6Tt2$E# z{%v(ISlDTq=ixrI;?wuIEcIn+kc462B4QRtckG3hie*`ICYkrMLQM2Ih&C;3?lYE1 z(Nyv_t&@A0G4W_a-&lo;+xc1E|AXA;+YU5rj75Y;G6kNzTJxrytzN5y-4(4#MbT6k zJzZjCj-wkkqdcre6Q!7nV`a-J>spwJTEsW{(hHNX$3TP7!u6Vxhh`5E2k1T>u#58g@2% z(j)G!_qj*NVY3GLo;s_6q%o42zjE_L-#Q&VTQC_$U1?F5zEGG&Gm;&sZ2d^1&|wMc zh55!PP0o{qd5Vo0k|-zNF?V5IiT(y(u`te-K`}D<@Kk;!GMpngMmT*ssXJA)o*NqS zBbz6^Ux|F28Uo~Dw5s98IC8ZmoEKp{v$rp)oXfsSE2*AsHV2V+hKIydUV?y7Jt}W~ zSHE>pk{Q>bvd8S(MZK_AH*%+0`udCX=GmAk7hme?l($W_CHZ(fnk1d6@LFBly$*h2`3|#3mh~cKAJ~CK8_a1`#uxY@!oXm=$|U|> z{myva3zm{oEtWlDiv!x8WS!mUmnXCYpDc|&0UFXK_wE_-yB1z|lIGmFaP2P^0~*Z{ zIc$Wu_hDKvcv1R-!4h$r*BCR)bM_K|uwZ_4T$Jo!RLdF7ymmYSRwggxXR|$*sGu|sVjlL&uK!4=$tjqYyI;-nx^W^ z46(HhW7{o^H;r5)}c!aaZl-NAaw-O*J6M8GjIbAs>dOHAdlr~&)JhDo7A`Qi*)2IvL6AN|@ z_~9D0%6RXiiS3(lyW7R%_{VZQ-4XPn%Jjo}V^o@UkZx7-&u}d6dmKLD7<}~j+vC{V z@3`AnBz&H_j31xW%wxP$GDVMJP0(9!-Uh#QpZiwhs%^LVeC0;WB(?Dyg5H?0(t}PF}7z?Y~=noI6Jzp zU)cM9`6GM&V*700wsU{~@9N$6*FOxt|M%|e_y0c2&n4QAm%m=HFZ$5eL2*bV4=w+M z-TLs6FG}^tPEGI>=FL0MFPDd=zRc1MuGyCi=knsalk;!2GFa-Eh-jjHFsE2A`C3a?QCmzhO%K&5K z(bRF|!sBUsCk_G+#Oos2 zh;+$a0Lj$;GI#$`O4zBXIOa1bEP-s+TSu!cGyJ03%U;AXN=)D{tjh%K;wnu8K3=nd zX*APL=|Y=iJrPV2%$dptJXX11FRC=2WRi`*p{p10nq~0L`7N7eM95b!X6H6jK?jj% viXH=C#b%qJ0qE0ND$s5oj?g4u+9~t(=j+ecpRYfk;phJV1V{p`0LTCUYsQbP diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index daa96903..1b0360a3 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -30397,7 +30397,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..e3436b4 100644 +index 8b40377..8c9110f 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` 
@@ -30745,13 +30745,13 @@ index 8b40377..e3436b4 100644 +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) -+') -+ -+optional_policy(` -+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ') optional_policy(` ++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ++') ++ ++optional_policy(` + ssh_use_ptys(xauth_t) ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) @@ -30788,12 +30788,12 @@ index 8b40377..e3436b4 100644 +allow xdm_t self:dbus { send_msg acquire_svc }; + +allow xdm_t xauth_home_t:file manage_file_perms; - --allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++ +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+ + +-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t) +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +xserver_filetrans_home_content(xdm_t) @@ -31051,7 +31051,7 @@ index 8b40377..e3436b4 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +700,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +700,167 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -31107,6 +31107,10 @@ index 8b40377..e3436b4 100644 +') + +optional_policy(` ++ dbus_read_lib_files(xdm_t) ++') ++ ++optional_policy(` + gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates") +') + @@ -31221,7 +31225,7 @@ index 8b40377..e3436b4 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +869,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +873,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') 
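Review bot: The new `optional_policy` block calling `dbus_read_lib_files(xdm_t)` in the inner hunk `@@ -472,24 +700,167 @@` carries no rationale in the policy itself; the only explanation is the spec changelog entry BZ(1467036) about the machine-id. Judging by the interface name, the grant covers every file labeled as dbus lib content rather than just the machine-id file (presumably /var/lib/dbus/machine-id — confirm against dbus.if), so a comment keeps that scope decision traceable for the next person widening or narrowing it: `# BZ(1467036): xdm reads the dbus machine-id generated at install time`. The four-line shift in the inner hunk headers of the following hunks (`+873`, `+908`, `+948`, ...) is consistent with this single insertion, so the renumbering looks right.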
@@ -31253,7 +31257,7 @@ index 8b40377..e3436b4 100644 ') optional_policy(` -@@ -518,8 +904,36 @@ optional_policy(` +@@ -518,8 +908,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -31272,13 +31276,13 @@ index 8b40377..e3436b4 100644 + cpufreqselector_dbus_chat(xdm_t) + ') + - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') + -+ optional_policy(` + optional_policy(` +- accountsd_dbus_chat(xdm_t) + hal_dbus_chat(xdm_t) + ') + @@ -31291,7 +31295,7 @@ index 8b40377..e3436b4 100644 ') ') -@@ -530,6 +944,20 @@ optional_policy(` +@@ -530,6 +948,20 @@ optional_policy(` ') optional_policy(` @@ -31312,7 +31316,7 @@ index 8b40377..e3436b4 100644 hostname_exec(xdm_t) ') -@@ -547,28 +975,78 @@ optional_policy(` +@@ -547,28 +979,78 @@ optional_policy(` ') optional_policy(` @@ -31400,7 +31404,7 @@ index 8b40377..e3436b4 100644 ') optional_policy(` -@@ -580,6 +1058,14 @@ optional_policy(` +@@ -580,6 +1062,14 @@ optional_policy(` ') optional_policy(` @@ -31415,7 +31419,7 @@ index 8b40377..e3436b4 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1080,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1084,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -31424,7 +31428,7 @@ index 8b40377..e3436b4 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1090,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1094,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -31437,7 +31441,7 @@ index 8b40377..e3436b4 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1107,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1111,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -31453,7 +31457,7 @@ index 8b40377..e3436b4 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1123,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1127,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -31464,7 +31468,7 @@ index 8b40377..e3436b4 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1138,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1142,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -31506,7 +31510,7 @@ index 8b40377..e3436b4 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1189,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1193,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -31538,7 +31542,7 @@ index 8b40377..e3436b4 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1222,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1226,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -31553,7 +31557,7 @@ index 8b40377..e3436b4 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1243,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1247,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -31577,7 +31581,7 @@ index 8b40377..e3436b4 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1262,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1266,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -31586,7 +31590,7 @@ index 8b40377..e3436b4 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1306,54 @@ optional_policy(` +@@ -785,17 +1310,54 @@ optional_policy(` ') optional_policy(` @@ -31643,7 +31647,7 @@ index 8b40377..e3436b4 100644 ') optional_policy(` -@@ -803,6 +1361,10 @@ optional_policy(` +@@ -803,6 +1365,10 @@ optional_policy(` ') optional_policy(` 
@@ -31654,7 +31658,7 @@ index 8b40377..e3436b4 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1380,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1384,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -31679,7 +31683,7 @@ index 8b40377..e3436b4 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1403,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1407,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -31714,7 +31718,7 @@ index 8b40377..e3436b4 100644 ') optional_policy(` -@@ -912,7 +1468,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1472,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -31723,7 +31727,7 @@ index 8b40377..e3436b4 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1522,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1526,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -31755,7 +31759,7 @@ index 8b40377..e3436b4 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1568,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1572,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -36159,7 +36163,7 @@ index 79a45f6..054b9f7 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..fa4ad6a 100644 +index 17eda24..055193c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36284,7 +36288,7 @@ index 17eda24..fa4ad6a 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +161,48 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +161,49 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; @@ -36317,6 +36321,7 @@ index 17eda24..fa4ad6a 100644 +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_sock_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +files_var_lib_filetrans(init_t, init_var_lib_t, { dir file }) ++allow init_t init_var_lib_t:dir mounton; + +manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) +manage_files_pattern(init_t, init_var_run_t, init_var_run_t) @@ -36339,7 +36344,7 @@ index 17eda24..fa4ad6a 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +212,26 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +213,26 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) 
@@ -36367,7 +36372,7 @@ index 17eda24..fa4ad6a 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +239,102 @@ domain_signal_all_domains(init_t) +@@ -139,45 +240,102 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -36477,7 +36482,7 @@ index 17eda24..fa4ad6a 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +343,283 @@ ifdef(`distro_gentoo',` +@@ -186,29 +344,283 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -36770,7 +36775,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -216,7 +627,30 @@ optional_policy(` +@@ -216,7 +628,30 @@ optional_policy(` ') optional_policy(` @@ -36802,7 +36807,7 @@ index 17eda24..fa4ad6a 100644 ') ######################################## -@@ -225,9 +659,9 @@ optional_policy(` +@@ -225,9 +660,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -36814,7 +36819,7 @@ index 17eda24..fa4ad6a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +692,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +693,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -36831,7 +36836,7 @@ index 17eda24..fa4ad6a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +717,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +718,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -36874,7 +36879,7 @@ index 17eda24..fa4ad6a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +754,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +755,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -36886,7 +36891,7 @@ index 17eda24..fa4ad6a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +766,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +767,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -36897,7 +36902,7 @@ index 17eda24..fa4ad6a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +777,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +778,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -36907,7 +36912,7 @@ index 17eda24..fa4ad6a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +786,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +787,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -36915,7 +36920,7 @@ index 17eda24..fa4ad6a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +793,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +794,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -36923,7 +36928,7 @@ index 17eda24..fa4ad6a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +801,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +802,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -36941,7 +36946,7 @@ index 17eda24..fa4ad6a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +819,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +820,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -36955,7 +36960,7 @@ index 17eda24..fa4ad6a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +834,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +835,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -36969,7 +36974,7 @@ index 17eda24..fa4ad6a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +847,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +848,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -36980,7 +36985,7 @@ index 17eda24..fa4ad6a 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +860,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +861,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -36988,7 +36993,7 @@ index 17eda24..fa4ad6a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +879,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +880,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37012,7 +37017,7 @@ index 17eda24..fa4ad6a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +912,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +913,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37020,7 +37025,7 @@ index 17eda24..fa4ad6a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +946,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +947,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37031,7 +37036,7 @@ index 17eda24..fa4ad6a 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +970,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +971,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37040,7 +37045,7 @@ index 17eda24..fa4ad6a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +985,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +986,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37048,7 +37053,7 @@ index 17eda24..fa4ad6a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1006,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1007,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -37056,7 +37061,7 @@ index 17eda24..fa4ad6a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1016,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1017,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37101,7 +37106,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -559,14 +1061,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1062,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37133,7 +37138,7 @@ index 17eda24..fa4ad6a 100644 ') ') -@@ -577,6 +1096,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1097,39 @@ ifdef(`distro_suse',` ') ') @@ -37173,7 +37178,7 @@ index 17eda24..fa4ad6a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1141,8 @@ optional_policy(` +@@ -589,6 +1142,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37182,7 +37187,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -610,6 +1164,7 @@ optional_policy(` +@@ -610,6 +1165,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37190,7 +37195,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -626,6 +1181,17 @@ optional_policy(` +@@ -626,6 +1182,17 @@ optional_policy(` ') optional_policy(` @@ -37208,7 +37213,7 @@ index 17eda24..fa4ad6a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1208,13 @@ optional_policy(` +@@ -642,9 +1209,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37222,7 +37227,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -657,15 +1227,11 @@ optional_policy(` +@@ -657,15 +1228,11 @@ optional_policy(` ') optional_policy(` @@ -37240,7 +37245,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -686,6 +1252,15 @@ optional_policy(` +@@ -686,6 +1253,15 @@ optional_policy(` ') optional_policy(` 
@@ -37256,7 +37261,7 @@ index 17eda24..fa4ad6a 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1301,7 @@ optional_policy(` +@@ -726,6 +1302,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37264,7 +37269,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -743,7 +1319,13 @@ optional_policy(` +@@ -743,7 +1320,13 @@ optional_policy(` ') optional_policy(` @@ -37279,7 +37284,7 @@ index 17eda24..fa4ad6a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1348,10 @@ optional_policy(` +@@ -766,6 +1349,10 @@ optional_policy(` ') optional_policy(` @@ -37290,7 +37295,7 @@ index 17eda24..fa4ad6a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1361,20 @@ optional_policy(` +@@ -775,10 +1362,20 @@ optional_policy(` ') optional_policy(` @@ -37311,7 +37316,7 @@ index 17eda24..fa4ad6a 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1383,10 @@ optional_policy(` +@@ -787,6 +1384,10 @@ optional_policy(` ') optional_policy(` @@ -37322,7 +37327,7 @@ index 17eda24..fa4ad6a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1408,6 @@ optional_policy(` +@@ -808,8 +1409,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37331,7 +37336,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -818,6 +1416,10 @@ optional_policy(` +@@ -818,6 +1417,10 @@ optional_policy(` ') optional_policy(` @@ -37342,7 +37347,7 @@ index 17eda24..fa4ad6a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1429,12 @@ optional_policy(` +@@ -827,10 +1430,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37355,7 +37360,7 @@ index 17eda24..fa4ad6a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1461,62 @@ optional_policy(` +@@ -857,21 +1462,62 @@ optional_policy(` ') optional_policy(` 
@@ -37419,7 +37424,7 @@ index 17eda24..fa4ad6a 100644 ') optional_policy(` -@@ -887,6 +1532,10 @@ optional_policy(` +@@ -887,6 +1533,10 @@ optional_policy(` ') optional_policy(` @@ -37430,7 +37435,7 @@ index 17eda24..fa4ad6a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1546,218 @@ optional_policy(` +@@ -897,3 +1547,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d932b5db..cffafc09 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..ca625e9 100644 +index eb50f07..f893465 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -718,7 +718,7 @@ index eb50f07..ca625e9 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; -+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; ++allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; +dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + @@ -46962,7 +46962,7 @@ index d18c960..b7bd752 100644 + allow $1 lldpad_tmpfs_t:file relabelto; +') diff --git a/lldpad.te b/lldpad.te -index 2a491d9..42e5578 100644 +index 2a491d9..3399d59 100644 --- a/lldpad.te +++ b/lldpad.te @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) 
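Review bot: In the new `allow abrt_t self:capability { ... }` line of the abrt.te hunk, `dac_read_search` is inserted ahead of `dac_override`, which breaks the alphabetical ordering refpolicy keeps in permission sets; the expected form is `allow abrt_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };`. Because `dac_override` is already granted on the same line, the added capability widens abrt_t's DAC bypass very little in practice — presumably the change only silences dac_read_search AVC denials, which the kernel raises when it probes that capability before falling back to dac_override on directory lookups — and a short comment such as `# dac_read_search: probed before dac_override on dir search; avoids AVC noise` would stop the next reader from treating it as new reach. The pre-existing `dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }` on the following line overlaps with the `sys_ptrace` already allowed, and could be trimmed while this line is being touched.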
@@ -46974,7 +46974,7 @@ index 2a491d9..42e5578 100644 allow lldpad_t self:shm create_shm_perms; allow lldpad_t self:fifo_file rw_fifo_file_perms; allow lldpad_t self:unix_stream_socket { accept listen }; -@@ -51,12 +51,16 @@ kernel_request_load_module(lldpad_t) +@@ -51,12 +51,20 @@ kernel_request_load_module(lldpad_t) dev_read_sysfs(lldpad_t) @@ -46993,6 +46993,10 @@ index 2a491d9..42e5578 100644 +optional_policy(` + networkmanager_dgram_send(lldpad_t) +') ++ ++optional_policy(` ++ virt_dgram_send(lldpad_t) ++') diff --git a/loadkeys.te b/loadkeys.te index d2f4643..c8e6b37 100644 --- a/loadkeys.te @@ -113788,7 +113792,7 @@ index a4f20bc..9777de2 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..b5a815a 100644 +index facdee8..2a619ba 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,111 @@ @@ -114641,7 +114645,7 @@ index facdee8..b5a815a 100644 ## ## ##
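Review bot: The new `virt_dgram_send(lldpad_t)` block in lldpad.te gives no hint of which lldpad/libvirt interaction needs a unix datagram sendto to virtd_t, and unlike the other items in this release the change cites no bug number, so the grant will be hard to justify or retire later; a one-line comment above the `optional_policy` block naming the triggering denial or report, e.g. `# lldpad sends to libvirtd's unix dgram socket (see <BZ placeholder>)`, would fix that. The inner hunk header was correctly bumped from `+51,16` to `+51,20` for the four added lines. Separately, the matching changelog entry spells the domain `llpdad`, and the 3.13.1-265 entry also re-lists `Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)`, which already belongs to the 3.13.1-264 entry below it.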

-@@ -673,54 +565,571 @@ interface(`virt_home_filetrans',` +@@ -673,54 +565,607 @@ interface(`virt_home_filetrans',` ## ## # @@ -115218,6 +115222,43 @@ index facdee8..b5a815a 100644 +# +interface(`virt_dontaudit_write_pipes',` + gen_require(` ++ type virtd_t; ++ ') ++ ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++') ++ ++######################################## ++## ++## Send a sigkill to virtual machines ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_kill_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process sigkill; ++') ++ ++######################################## ++## ++## Send a sigkill to virtd daemon. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_kill',` ++ gen_require(` + type virtd_t; ') @@ -115226,26 +115267,25 @@ index facdee8..b5a815a 100644 - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virtd_t:process sigkill; ') ######################################## ## -## Relabel virt home content. -+## Send a sigkill to virtual machines ++## Send a signal to virtd daemon. ## ## ## -@@ -728,52 +1137,53 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +1173,35 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # -interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_kill_svirt',` ++interface(`virt_signal',` gen_require(` - type virt_home_t; -+ attribute virt_domain; ++ type virtd_t; ') - userdom_search_user_home_dirs($1) @@ -115254,7 +115294,7 @@ index facdee8..b5a815a 100644 - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process signal; ') ######################################## 
@@ -115262,7 +115302,7 @@ index facdee8..b5a815a 100644 -## Create specified objects in user home -## directories with the generic virt -## home type. -+## Send a sigkill to virtd daemon. ++## Send null signal to virtd daemon. ## ## ## @@ -115275,73 +115315,34 @@ index facdee8..b5a815a 100644 -## -## -## -+# -+interface(`virt_kill',` -+ gen_require(` -+ type virtd_t; -+ ') -+ -+ allow $1 virtd_t:process sigkill; -+') -+ -+######################################## -+## -+## Send a signal to virtd daemon. -+## -+## - ## +-## -## The name of the object being created. -+## Domain allowed access. - ## - ## +-## +-## # -interface(`virt_home_filetrans_virt_home',` -+interface(`virt_signal',` ++interface(`virt_signull',` gen_require(` - type virt_home_t; + type virtd_t; ') - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) -+ allow $1 virtd_t:process signal; - ') - - ######################################## - ## --## Read virt pid files. -+## Send null signal to virtd daemon. - ## - ## - ## -@@ -781,19 +1191,17 @@ interface(`virt_home_filetrans_virt_home',` - ## - ## - # --interface(`virt_read_pid_files',` -+interface(`virt_signull',` - gen_require(` -- type virt_var_run_t; -+ type virtd_t; - ') - -- files_search_pids($1) -- read_files_pattern($1, virt_var_run_t, virt_var_run_t) + allow $1 virtd_t:process signull; ') ######################################## ## --## Create, read, write, and delete --## virt pid files. +-## Read virt pid files. +## Send a signal to virtual machines ## ## ## -@@ -801,18 +1209,17 @@ interface(`virt_read_pid_files',` +@@ -781,19 +1209,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # --interface(`virt_manage_pid_files',` +-interface(`virt_read_pid_files',` +interface(`virt_signal_svirt',` gen_require(` - type virt_var_run_t; 
@@ -115349,45 +115350,46 @@ index facdee8..b5a815a 100644 ') - files_search_pids($1) -- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) +- read_files_pattern($1, virt_var_run_t, virt_var_run_t) + allow $1 virt_domain:process signal; ') ######################################## ## --## Search virt lib directories. +-## Create, read, write, and delete +-## virt pid files. +## Send a signal to sandbox domains ## ## ## -@@ -820,18 +1227,17 @@ interface(`virt_manage_pid_files',` +@@ -801,18 +1227,17 @@ interface(`virt_read_pid_files',` ## ## # --interface(`virt_search_lib',` +-interface(`virt_manage_pid_files',` +interface(`virt_signal_sandbox',` gen_require(` -- type virt_var_lib_t; +- type virt_var_run_t; + attribute svirt_sandbox_domain; ') -- files_search_var_lib($1) -- allow $1 virt_var_lib_t:dir search_dir_perms; +- files_search_pids($1) +- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + allow $1 svirt_sandbox_domain:process signal; ') ######################################## ## --## Read virt lib files. +-## Search virt lib directories. +## Manage virt home files. ## ## ## -@@ -839,192 +1245,247 @@ interface(`virt_search_lib',` +@@ -820,211 +1245,247 @@ interface(`virt_manage_pid_files',` ## ## # --interface(`virt_read_lib_files',` +-interface(`virt_search_lib',` +interface(`virt_manage_home_files',` gen_require(` - type virt_var_lib_t; @@ -115395,16 +115397,14 @@ index facdee8..b5a815a 100644 ') - files_search_var_lib($1) -- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +- allow $1 virt_var_lib_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) + manage_files_pattern($1, virt_home_t, virt_home_t) ') ######################################## ## --## Create, read, write, and delete --## virt lib files. +-## Read virt lib files. +## allow domain to read +## virt tmpfs files ## 
@@ -115415,7 +115415,7 @@ index facdee8..b5a815a 100644 ## ## # --interface(`virt_manage_lib_files',` +-interface(`virt_read_lib_files',` +interface(`virt_read_tmpfs_files',` gen_require(` - type virt_var_lib_t; @@ -115423,14 +115423,15 @@ index facdee8..b5a815a 100644 ') - files_search_var_lib($1) -- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + allow $1 virt_tmpfs_type:file read_file_perms; ') ######################################## ## --## Create objects in virt pid --## directories with a private type. +-## Create, read, write, and delete +-## virt lib files. +## allow domain to manage +## virt tmpfs files ## @@ -115440,27 +115441,36 @@ index facdee8..b5a815a 100644 +## Domain allowed access ## ## --## -+# + # +-interface(`virt_manage_lib_files',` +interface(`virt_manage_tmpfs_files',` -+ gen_require(` + gen_require(` +- type virt_var_lib_t; + attribute virt_tmpfs_type; -+ ') -+ + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + allow $1 virt_tmpfs_type:file manage_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. +## Create .virt directory in the user home directory +## with an correct label. -+## -+## + ## + ## ## --## The type of the object to be created. -+## Domain allowed access. + ## Domain allowed access. ## ## +-## +-## +-## The type of the object to be created. +-## +-## -## +# +interface(`virt_filetrans_home_content',` @@ -115827,7 +115837,7 @@ index facdee8..b5a815a 100644 ## ## ## -@@ -1136,50 +1574,129 @@ interface(`virt_manage_images',` +@@ -1136,50 +1574,148 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
@@ -115963,9 +115973,7 @@ index facdee8..b5a815a 100644 + + domtrans_pattern($1,container_file_t, $2) +') - -- files_search_locks($1) -- admin_pattern($1, virt_lock_t) ++ +######################################## +## +## Dontaudit read the process state (/proc/pid) of libvirt @@ -115980,12 +115988,33 @@ index facdee8..b5a815a 100644 + gen_require(` + type virtd_t; + ') - -- dev_list_all_dev_nodes($1) -- allow $1 virt_ptynode:chr_file rw_term_perms; ++ + dontaudit $1 virtd_t:dir search_dir_perms; + dontaudit $1 virtd_t:file read_file_perms; + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ++') + +- files_search_locks($1) +- admin_pattern($1, virt_lock_t) ++####################################### ++## ++## Send to libvirt with a unix dgram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_dgram_send',` ++ gen_require(` ++ type virtd_t, virt_var_run_t; ++ ') + +- dev_list_all_dev_nodes($1) +- allow $1 virt_ptynode:chr_file rw_term_perms; ++ files_search_pids($1) ++ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te index f03dcf5..49d4083 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index c214cd80..f16931be 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 264%{?dist} +Release: 265%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
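Review bot: The new `virt_dgram_send` interface in virt.if documents itself only as `Send to libvirt with a unix dgram socket.`, but `dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)` expands to search on virt_var_run_t directories and write on virt_var_run_t sock files as well as the sendto on virtd_t, so callers are also getting write access to socket files under libvirt's pid directory; a second summary line such as `Also allows searching and writing sock files in virt_var_run_t.` would make that visible to anyone auditing the callers. The comment banner above the interface appears one `#` shorter than the `########################################` rows used by the neighbouring interfaces, which is cosmetic but worth aligning since these banners are what readers scan for interface boundaries. The inner hunk header's count change from `+1574,129` to `+1574,148` is consistent with the 19 net lines added across this hunk and the preceding one.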
@@ -690,6 +690,13 @@ exit 0 %endif %changelog +* Fri Jul 21 2017 Lukas Vrabec - 3.13.1-265 +- Allow llpdad send dgram to libvirt +- Allow abrt_t domain dac_read_search capability +- Allow init_t domain mounton dirs labeled as init_var_lib_t BZ(1471476) +- Allow xdm_t domain read unique machine-id generated during system installation. BZ(1467036) +- Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518) + * Mon Jul 17 2017 Lukas Vrabec - 3.13.1-264 - Dontaudit xdm_t to setattr lib_t dirs. BZ(#1458518)