From 4dfc5f64ab749b144dc4d7e52a1c2577d092d252 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 11 Sep 2017 22:04:43 +0200 Subject: [PATCH] * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282 - Add new bunch of map rules - Merge pull request #25 from NetworkManager/nm-ovs - Make working webadm_t userdomain - Allow redis domain to execute shell scripts. - Allow system_cronjob_t to create redhat-access-insights.log with var_log_t - Add couple capabilities to keepalived domain and allow get attributes of all domains - Allow dmidecode read rhsmcertd lock files - Add new interface rhsmcertd_rw_lock_files() - Add new bunch of map rules - Merge pull request #199 from mscherer/add_conntrackd - Add support labeling for vmci and vsock device - Add userdom_dontaudit_manage_admin_files() interface --- container-selinux.tgz | Bin 7000 -> 6999 bytes policy-rawhide-base.patch | 4765 ++++++++++++++++++++-------------- policy-rawhide-contrib.patch | 394 +-- selinux-policy.spec | 16 +- 4 files changed, 3093 insertions(+), 2082 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 001fc23b3453e947d372292bd49a3bd0fe90f2f7..9d0d555801436c0998901fc75462111a4529ad5a 100644 GIT binary patch delta 6696 zcmV+@8rS96HrF^00Zq^ZI9eGlFrxZUm@55JQLV6o^j#>JlQ=gk^}BO z91!d-a33yr9krzHRz`1;)bnx!?{B}V;)^JWq$su8o&`i8X^&L(kSvnLVzEdCc~<*z z7L}Lr_L~!>_mDn*{2qU=|K*4G>Mx`ZA3t1Qe{=oe`iCEXe)#zP%?~%T_Dj$ECb=*DO%xdEhTi{^rq%1$-jCHGP5tue&wt-XUS34myDC4FLFD;G zk;H*t$9d)jqN8|Gwu9fxAFl-43P9XaD>wM#?B5=v;7~^jdYpOnUVRYeDg5J-Sg#ab z@5jO~{nX2U{51O0D@OI|&%GRerWc-{B>6)WdUfvArJq$XR!RqYMX2!aRh-pPx%GqS z{5M&eb$Q6@IE~hjAK|=t``hYl7iH@*`r{CnK)X6StDg#`29l?Kt9clK1lIMfg)1$# z6;ZsoSgp>2yo`c0Tvw4_2K)6U&d$HRzF3`!0<8;wzlL(-Q*(B@H}%B|Gnla{IkM8E zyUrWdYVJ*YHmYgQOikO#pv;p<1OHceEW!OCh^lG`6_EnJxEky}@H?vKG_5aQiS}l# zj~PR|m+=Oh;M*HL211--tb&kU>_Ej1KStDYJX%Lv;Acc>9c4!jsJ}*jNb)Vp96O%} zGZlz`Ki~F;*i0kHp_3bg4Mkm3@h0`^0<;#Zn;t#2YV!Vg_|y#!)q* z^PWbKyq`g_Tm*UVmq^+OlJfVyz1Gouf_i!!AO5*6qB5<3aT_O5B{JsJ)X8U_4PKh4 zX^ehJK^t_2rV3BbO!{=1#J^$q4QZ-fQl^(5S~LxhkR{-p0^CtRc}{iFzuJ z@(fvrK>j1`r4#DG<2s5#vrQ1WM(F?PXa24`k-UsCmQvA9rrS9DG1^UF3=No*YRO)I z3%;nj{3kRo|=}lvqpuU_`Uz*vg=qy+1j#pV0 z$)8ly`~=nkE|E9CgS;#BPxwkxKrXH3ctVzkxZZm{5FTofa2*F8)xPmPz|@X(zB1<* zWqgnMAmtZq&<-*$#TrYY!AEB!QW}#L<6Q@dUsZ;z=v_arO~kVc z$K;3qf92%`%HL1^^r|iorYa(7C)-UFXFI2C^+QC==gtmZ?EtZPW0gVh?G60*0si}b z-nGat|MBw+nPv(S4eW8GphjZ&DozW$(o02!r| zyuF&1kTlQ^smHK|>_qxUbEQ|VS>=f>G@Qvd1Ms8OeD(GzW6RAfW3vHo_ z5z-ND7~K~&*}eD@1%6}R*w-irhZNq zkrTrxu{RSn<{z$kDX|sYn?afW4HVK}g73NmB*}LcR%I?UQ0((G>h=MDJ}L4^S8Nm- zrbZ-r>%EfiE`jgW#blf?5ALReRKUINl?b0sK?74?#d#MbF*NUVBv!W>N-{|{3?mPw zNw!mhieo_c+kw4I-Oz+WT~r_>k3lPY(fw^j;Kr_@2orI7f*6gUY0ill?-EdVmD;l$ z?SGBay6OGfcy}3P_j96u?(?dy<_4to+KiZGROQM2B}!lxSk_V%7y_I8F`B3P3=@so z8R2qRKP3Ls{D?O*Li%-{#zF^x;Znk^z4pU2&e&Xpo1UiO!zL?%bSYl|+L5lGJj;ZC zLmC}edC&L2(0}x*8cdRu=9j4c>h?1$4cZ%6>d8@L+6As5a?G%Qh;El;(n8v>4swI; zly>YZ{erN=`AK-$z1H^O1nbw@@&5M9PfZ!Bm)!e`z_|w^E!t)9!ZhO&}@ z!fIZ1mhc4r2_+=T!{|I-tU5okbzog0yo2QdO6BqTksF0{Rty=#+)X~-c9`pZT;^Fi 
zYSD6<=Av>Q>#Z?=I^IQ#+TA<-RSVeZ`WHLxb7sysx&cJU+cPZEOOS?F#k^mDa1ZDfeI3|Ypxks|Yk5YC3V2y#?!kU--J12HteT|cFm|N*5 z!`?aJXG68nbFvAC|GLPNIC!ESE}Vkg3+TfLs70{Bh4OxXz-jnqZfEb>Kh%33=-Ko5 z(#sbX5KHA96ShtaEp4Gx`N(i|1*!M=xELLMLmeBcd?LLrq~P2fM@1(q2*>WTYK(0r z=a*~qQ0>Q?-ThHeBnMEj&c=|F5!}UeeK&rpuK!tqWrpuy?w(+Azp1;rw$_87lK{Lw}I(~tB5UMyC-&(xV%Ck8&*yU5_ zN>J8+ZNo#7h&+Jk9EmREBlHZT`b%k5x32wi7uA9$O{z8MjU9JJcU}e+_I-5BKxUzM zj8ha35?PnLP4E@X4qy8q^*?EnEqYl;r^>^A{{Q1gJnY{+|Nr5`a{m8IB<5*Zr+Em9 z?OgVTx8BX=&47NYwza>a7wyZ0Op((sj@Jt0v=*h z@Zg#VLsXzR-oriuJy@#YBtDtP!cR=z+$8b-{?jjBk(afM!6~?&WawC#`jGh>wXSk$ z2Il%(Z|f&jbkQjiFA=lq`8J~J>4)4?9{9a0^F!gCbGOt5*U}E9;6@n(Xv$$)$v|~~ zV;?6PvMN9aS`F_uwJ^phA}{o#6x1_Q+UJ^_YzLgVs;>^4-`8Nc1$$KKjndb_NhVb1 zjvUgVp(~!bbhf!|r5Y0IB*yIq-DJb5yP{@`@V1EAvtFyHPQyOEQ@dE*au-Uy6bD5+ zPUO7xw%^C3JG)&(CCrJRl|XUnz2Mq^5T!Pp2wM^x$Yd_iL*#?C-+7n6k1JgFZRBRB zft8d0O;y*r{k2;gZA`Jq;%fp(xLSV$hSzkkvHcZCd=qgi=GC+N3vz$j}Bss z)ryQ8raf%7ku1^SPc#0uGW9CzaQ$AT@1^?vkq&CtIo1a6yXuU2bV>VJDccx-?Oa+L zWnw=i}T)Cd}8)t-3i z+3gDb&{@ z4>K<K7 z`g}W73b10thJ6_&U>_&AVL!km*2w>WOoKxSU8f%AX&ama)Y}lll7`8D(8)-nAV-5> zkecr;V(hfC(a1J0otc$mqmI03wWIA)_;uvKAbJ*ntp?H$G3^_sy(<%x=?}q$|8`{4 z1$^+V)rXE~bx_QJatM1UW7wMkdE;%!7N`zY5oMu`v#TrBs-TOA2CGv)W=hC|VUhfJ5@&boJAOd%5Zz;Vz!4=Ah|myW?C&~I;_W0zTdCv} ziXDJ7G%OOMG7i?Dz_n)9g=E2wJCX(DKbD1hCUoaA3hr4@7cR4hOE!gvisnc!1vY|S zF8J*%tIiUu=N>TdWXL;6UT4i^d z2UDwR#Tq@dOnCZ#qeyOGir{3h_h&avM+l$95N5X=z`Ruhre5)VW=rUHfZISZwc)qC z?A_yT?|!fH>=ItSvQ^+&>$2lMb{&s~p*)1Ls_hZdF(OV+8MB z2k!YeWhUZ(SoM)UIuFOxj_FXbt?pxKTKX#a~x~X={wCc#K2^x>w zgi&U@`EhDzaljniIUF$O#v47_ZI~`C%!x-@R<6BR7G)k&On*hVH(bGVmRLF-I#sN8Hhh&k=XL(dh_0S_=;0 zx@f}I-QXivnYt?}+>1P;0XuY=+SK0bggMrTbOfH(%^ZLybu$}oJ8;3d8*oTnH;{Fw z4&l;```1Wy`tF0&GyJ43^luEp>OTI=!x{KqNIR-QTbCx(ffzAdAJ^VBhV1M0^Bo91 zN_aSbIg8_>sB%5IN}WYD`afLB=_u<{71W8LD1!I_k)23EY*nz2LbuFuL){>RCKP*3 z0r!4T$M-OvLPP$XKE!v2knZc_nXosNO(-H5Fy00Gq{U^WA6vKyMcVOhI9Q}^xN8$Z zDB=d+SjP&Znj9-2*m?Xy<8eX{)%X<}ZT zXe0yM)V;%fT^Ej72$mpE(;|r;*VHG6d0X43t`gKTxosj(-m0CjS3R`#%BDLS>RjEi 
z5Oo8+LLM~Ho>t;U$F;Nro`)OFHJBOSDs>~~M~HpXI94iqsPNQVitz<5knB1Mr|KPl zGV;T89OI_uLKhN~K83Ga>&PjY-)Erk4#KF~En&&^VV!5}_E~-xjlM2botJ3BVUPr= z??;RhjH^2XJ;es#B$idxLtF=YJsrP)q1%06VH)NS255d|t~d~Q(V)I*E)zy_1CcqyLJmt0Ko?gi|Xi{c z|IM0RB4`*ioS00Zcx%Pg+)7hb`{u;3mg|k4u`E)fbMu0|W}?|xD9iwcT(>az^Q0PR z8v}D(Fbi=SH-1j`o~cEr_$dmYhW?s72JEaY9uISmh5pAgg)lQ)!6ATIjoJj>)DPC^ zJ}u)gqCZ&Jv=a^m>txlGBHSo{yyhaf##KLiFt<=JxBS5#gTKWt4n48B?A@v58psGL zKn5^+Y*pKjigXT(eB74ZAmF3IEV+U{9*}~R!(G|LC_n3hH$9xOn7eL#)bq0?`qc}> z9e4wcWAHOJ8)@TM`x|ktTQceiFmAQCrp#fV#*R5i?&AW~a< z!K$I>^;xGdO2C-0yI=&d-NB+EcJc4f_w$^PPvv0(Qq~GBreWL&QJ6)4hKa34dXk{@-;PH8u)6rNbh&>^%`utUkh ze5~H!4u@S&oXIIHGYzaWWdgGj(F{IRoyM4_vRO>|H#UKPSAM$jJ0cHaXHgQVQ}Ynz zIH?oMu-HjlLuED!fnVuE!q~$9w(>h%O+namOFgyZmeOeH?KKrF)O{F-l~D9F2T~H? zaG~{XKEzPSyO(EHEg`c_?u!mn@19IE6LV+i-fMzS+1VGi{dU{QvmI2W15_>-q8{4CLEstilZPkj%U~S4w5i=7mu^KKhm$OBlp3C6E^$XhGpa!yT!U{?e za$}zd4Y}=##*~478yyS=cADmSxDUy>F6V7rMh`Gz!oiBZF$xuz^OL-P{|C9wH*IK`7_$JkWHQ`&HD1he zv3ji%HfO*_Wko|_aCeE3S+;K2h;pzRb(CT#4&^O}tZiZ@Y7yV)N-s>l76Wxc1J`T1 zoiuq2I6(7lf^|!~=zYfGVl{ag^nf;(tTHx=S5v4prP!vfLJXi+eB6rS^mu_yOt;V) zG@99eqpvBj<~|&@H+t40Zq5(dd&pt42Kk;_i-DvelIcIA^GqL89o$>c8AeTRL32N% zFpDPKrl7L5BaM8ECD_f(HAZRlMND`Rvi1rly7cdu!?w1Y1bd&!(2kZ~Hu84kvHVJ8 zI7hJbaQZe=v#V&_H`H9ftRM7lIr4t036O_>-l~QhW6$kO;XDiNp1pZWnJW?VoiNxBl30b>A-nx+A~n|v3rP&R z%F)Nye4DhJf8V%~^tU!@5e%tN>keJ%q8_=4P5#~r7W#M0^BbkQ=)8W8p%Qy}%R8_P zQWn*SyMosYZJj5oR%5S9bpQ5$##lWZ$yK)_!!)66wcBAvK5T4D}Ij!1oRb!pTI@tFlXdwg?^YNb8*QHAEkxY_OEu>E7$o^A+Q zQDxoDdTmr%XCvLHZo$GM0QdBu|a8HIrf^w?FdP&@G?v`x;3$%;olE-?p=V|L^+x=Hqqm z`+x73@Be*~bcN>K)vuTAi$3&qQ0x-XW6eKdw?2I0b4K~88O8iD3iIkc4F9V`RbD0W z2B*|3hI4iK-PyZ$&S+xY%)hFGs5(&gGY>Qvyba!5fXQR<4wHWw7$V>Qd-XrxvAu$M z8~h!5xvP4%5_44kDWkbzv;00!4r%mmlerl~0)IV|{uwS3SG-5o8C1kS=^!Olh3J>x y{fd)58lDmLvWUY`=HdVxddUH=ng{P4lkFNJ0d12I8$1jZ)Bghrte@ck@Bjdb8#)RA delta 6697 zcmV+^8rJ34HrO_QABzY8wm-I600Zq^ZI9eGlFrxZUm@55JQLV6p0VQvJlQ=gk_GNQ z91!d-upcgW9krzHRz`1;)bnx!?{D9#;)^JWq$su8_5vc1v`4CXNEXRru~?*nJgfaU 
zi^|J*`^|~cTSy;1yvN_`KYagI{e|@I!@KM2Z?4~6fB*e|`*(l%@ZrNZZ?E6o+`RwB zdwZ$^sp(MFe(8DNB=@Dii2@_t(EESWw0il{`=L6dsb4<*>F@i<%Zn&`Q{{&;h&;b2 zk~r||IM2L5bQCYjcJO=o!%3vD=H9etqnh^2)U=%p$~=iQ@PCEJ65J1hsH%og5h?JCtHJIAzoU9i)B56-Xm8f~ zm@%|_8E>!&zP-_7AjB!gDhTPT9jMsh$B0^vN9$+{{ER5AqwL55_1DM`NxnsyW9Rc= zrULPQ=iB}en`s0&baI2Rp{Q#r-lSe#fYxGl9ME3Jiu7;PjEek{c;kgo%%IN8II2c; z-qQ$@_cJJ#iy-g)5=k3DQvTkz*E*VyP*0EJ!#~$WRHhX$ZsR1XM8=$&I{D1A!Ph2g z8l#_6&<33$`Q}g;ZE;i6esMvQa=;o=aVCj>+t^3X2%Npvs}70v8Dw7V{WAKRq)r8L zmpdbOka`kVHTG?j&^eIikxP>eb0^u|WCZsH?=|KT0j74O^OZTj zDC2v~2Pr>egLaU4Db`pD4L&+^sVez@maGmY6f{%*{|hfKQ2u`M#}{>ZFjWyrJK1icINLd8s~;j_K6iHTY6pnT8>|8+=TEPgNbI zL7j~C)pg$;vbZMkHx0$GL%ygG8L`%ik-UtO92ce_sTlebz43Sw%)D8*IRh_1u{?xW z5{9Gky(lI5h(Dg}8PfYQz{LyX@d=FoDY!qQi;{-1pM~B-8S564X_Ugu_2mck1IQ?y zMHxdW<`FU`<{D|7A#CJQONp)E-VDn0Z=jI=5`5PkAW6Qnuqtz*fnuMhQMV6&@JW$Rx?-cy zFf}5{Ywv}8cL{tiE+*rId2lx!qyp}BuSEEC3L2RDD$biAiJ^I?BeA;8P?AZqVHkNZ zO|qR5R2&1k-wy0$>V_s1>Y@T6c???Fi|%hL0ylOIMVN@w6U1l)O><7fc$0v-tJI$5 zX#Z=R)=lr<#=FZXyPp$(b)Q#tH8&uw*Ji{lqbg7CFHr)sz_OOAz!2EvkI_8UXP9Wz z&Ip&o`XTY3=107l5z?>oG!{Al43`pS?X@4KamMB%-1IaJA2wMDq)Yh%(2jKdA5lW0JdDoc#j5ioTL;!9!aGekygkDry##4^RlLjmgbi5l z)9pBi3}i;Llb%o%%)YZ>Lr}IajALSmpL--b{3vAy0M;1DEv$LTzjI>e)z>%)hq;x0 zGVGlbel}DKJtv!R_^*pRiGwHV;le4%y?{Q9fLa6_Tqy5<2b_kl=63e3{X@Oyfu22& zFTMQA0%EDWW5U*np`|U9Djyk+t|0Xu9~YyeZ>VEKl~1JCg%q5dx9zR*kXE z5m<9dpNdwR43?>UOIblL8pNbr+%PiHnn)h7H%tu$6 z;!ZtQVKe<09oxifa$>Ea6pK0C+A-V>n0PG1*!!H?@K~ido!1s5ZTw`XEN)2JaKZ+u z`&uH|p=6Yg775>4iqsE5{5duh{nFdEHb4F}hWRKF}6!g0jI@YtYQ{gpOa}9)v1R#~dSl0((Vdq;g?%3#Gmu#* z9^(|ngGAOPZxeh)v%{A@Nd0e`WQ$(b(W&yVpa1{x;pX~%@BIJ!cgy+z&ykp?Wu4|B zD7JIi8(w=impAV&-(IXb`htadGVh94=6Rie-;FhuS1-MvBETu>VgZ1H2=rj7hLiYY9t%G)d2^G*`}>bSdqrN>G6tvMdXk}IW$HubZ`8WV zr5Tv(uf46GRMADJNW4VMs^{B?s;3`vPkG??uFMaGch22X7hFp_l!6;&44^58X(a=H z)s20eXvnGn9cVSY+tk7sr-;1Jk5W+2OlhBMa%Z z?KqM1*4us`lkV(x5tT3}epUj-rT2n=YeSUUa3X9;Y#@`lKo5}*)_&(*{ywg7-M5jO zod#A;{x?-!>-N`fZL~4Pb_YXDM3B;XmrIA%DHk 
zEmkWsZkYD4*+#NNhd<5u+sf3dsKfPpmA;qi_eVOYUFTREyziI|_i_nJ`F`8}cCd8A4Yt~QaeU?5LkJxBq$tXl7gfxdHBlpUAk5MCNm{oh? zrDwM*^h0M+O@E(vS#U0mw_&tB|23jHZw=->E=6AQh;W<$!egc(SnIv@-gvlbVA9{m zyFJXjv;c4CoUnEOY#HM+M$L17v?bJ7G@w8H#AEgtykb5w-Nau-$@XL57yc$r;`+&Z z_JV!>ka>487(iS27oM=JqB;(}^e)Ro51WQI@aSKgIFs@B^q};?ritn;K;neA#^5Wu z{^`^0P$|HQ5gYbplz@Gl;D-GGlUO7F6EY1BC3Ky7n5S)U4p47H3`-h+CPOD9je;Bv zfdKOdvu-gt5QtK#8}LAZ?|R zQz&)-($KI-jLJAzg96u@Sr?K8JMKspkpEZ~>Y31;%P6>KL0!1a9xmAw9x9q6y%g98 zdb!}Yv#dHxtd3V+&%^cmCg~pQAFwQ#S=fJaArR%kh#4SVG!hSg*ul$;p84dyE%UUQ z=;^|fG!MZ{SZOaq7$}|y1@15Nbf?IV1?%6lFd1<$5n40fhmHM!QP+TG#w#)6hoNZascyI4VZex_lYf`+W~F^#ngu1 z^0If2yS@3X%Ck#&`NCF#XRXVw?*sVMkEVF({W%O-OkwKZMXi9JeH7ez4|#ca31t77 z7t!{RBv0sY2MMJ4J$d6Z?;-N`KK$W(n+OHqRe5qi4=!+j{eu%APngpd<~GNAK;yn< z5iSq;Aqjcr_;(7^Gnh-T9*h9M8lJ=5r|bs^ZygyLe~0jZG$J8WK^JQ91n;W09U(fY#`zwHcl(k2~fgH}1RMF-Bg9Nns}_{Rv| zy$;;-amq}8#Ig2M<}uo$ACrg6G}U1u%UqeCZtc5dw%oU>Pk-z%VRcjOmTA?IR}(ZI zxe24pcJt%Z&fh#?Qsb}~}UFhE!gw=igiH9@ry^wZPgSIYBr~@%#xIV7EYYf@f>*qTV zdX(^gaB>#MMN#E?a+NxZYV?1&lG9Pvrz)ruLs10r10p+-g4n8HABAq26W_zOs%LMm0HBK(O=pg~sEA9;}T%JmsQ)O;zoqBypf~^IRRVE!o;I6m0Q!0@K92 zI?+f5wyArE`?@Y1vk)vno~A_-J+7%w4)eCQPhBObWpdj@p1f5%VXt~<>y=G+G}O7e zVC~B zJ7naC={Uws&4n%`CVdKDx7LwUGQZD2;T?ogwOhiH>%%(F*zL3YE*gDZsyZ*xgu@^S zQs0jlB^XzC26~DOz)38ts)x7^_If&g|3bI>z```l9}Lj^%3N_EPESQd`2Jw15hutC zJHJUC(R;CsiO+(m+a1D0%aIb>}34^ zzWD?}!_YJVJEpj%9j|o|nd+}&6?W|wo&bUm7#7vhDJ?NMQSKi?zxFNTh-_~$=*$Ip z>Gi2CEoWH^FkX4fvf_PSF?}JwOK2Ee(V>pH?HWc~|B%$o&+=#ziORvcp9%VZslq8H z^)P9PVrL|Kn?vhc?{TDTRa}-9t-`?X9{6vwt_yFtK5g;{b1eLNrqDTlkViBW#m1#fydV=;H#_^9V+OZ2N3 zh&%8G8pq&gY&O!yvGzCOT(@M@6JXqGZ%vuQK8+o7kle=wsO4;%4>&-7em_K2y(XKk zdxBL%&+D^JVU&O|V|T#_V!MMyL+s+;q3`E8A)m^_1f;AxI?$?ZNXEGEQW38sYs=Ug ztajhhLKd6NVrMj)Mm;`uZ6zvX=u*)>N?4`qO`gIgv{b94k_GgaEZ>B zDn~F3uF!iNE^F`}liZUV#U*##hWrhTXE+0{yO7$2E`$FlP%qYd?RB{A`kLCC^9-%y zRnLTNxgR-@xk{jFAJ4aSsV?b&D+E+_#UpQQb&(6L^&?w&x)GCqlVuh^3{6@40}RJx zV}W$^#SmJY<#oJ$vb${JY#*UU4wVq4ff~tD&hLgAkmrM2-m7L4OFFBKD@jRO)aj#z 
zL`WWxjFKlp;RhHb6yxHMp#d5A)ClGcH?+WDrQR$Qq3tSoXkM<q7Ea^N1I#$ z4NF$cc>u#@ttx3*-*7yvA-JSvhYzfqSPchjxF#cu zth7ub6m~3+S=}kOHz-4uG1BENzR9>;@hecIv*134MkPP$mYvdWR4F{Ml%YdtsbGha zh51;$!5t2}o;Z_JSY{enXUYU-C88O8s5*@?Pi3>1@~>=v0}qN(ZQ1E<`){ zweo?gZVjY=L)fLdnp+;tY}=|8k-^%OnIdK;Tw*m`VlHQkJUy4eh3glzy+I9R-GmjC zBIL$C4;pgY6^$ta|28@p4D2+`^Kc)U@#%wKhVrs|mV{woBVrauv+aeJieXx_-eT`& zh3M#05N({9+-K~jMqSR^xQrfP#Ds$tePt9XF6SqIdH)Y`op0LEFfnEUZpmc0^J=`9 zqEP#nrz4q4m8Ow=O2(Uo49d@Tm*ga)pc zbUSJC7;u2*+XU;DcG3Hc#l>p!GUx$qE?H%46tAXGYf7&|#$)-F z$Z(Ee>EZNkre;^sxNoSrfLTB2-E!ppR1+Y754}|lH^!dZnZkJ%+C6*ol*+lxv$S%T zw8`cm^2YFxn955K5UNMzt?TT!&T=y28dUa}eH^J3)@ny?G)r55k>0!*Qsv@PV2$!N z=`~T#u9CFGtxvkITfISzeSl=(8Z~}b=Y$)*RL+t2S4lJ60H*{n$h+EZ)$3=Bc7^zV z{>Q+1j^U4(*xn5u?U)JPdKhD-JZ$GOj?Kb;M8gGr_?U*_Ycd0B|JcvVkh^}&S)p-) zb2|wj`+DcBhQ{$FNo}#2l1K@-6Zg|-!Q6rlCHZhXnk1d5@anF%d+GhiE>ujO*tHrl z`+^Tl+F(wjGQPww9eNtuRemL)Dc=QuzgUCa`Ke~hp0LRQZBMe!Zo7vkIyZ>2d-@4b zb1!r2oDn~3;dCZx%83ix`eHVq!AmInl@RAXbQ1>8sykt@n?Ch(jGpDjYhO_4-L{8R zT>h>ZQo>2p^7xaVzq55E2?uPA)-xI?-GzSLjUm>C1@o=rEN2^|olB{i*N#Vjz{=YZ z`QB{HB`PSjotTHcvg1F}snLy?umm<(;yP^c93Ay!JPJ{3P9?DlwL^CM*Fmk&dca?=?wD>91wCaXvbvgb|lD2 zG^D#7Vk5*NHj))`d9Kj|PPRfXu6 z-~EDLyJs diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 7a71a37c..a257b3f0 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6160,7 +6160,7 @@ index 8e0f9cd14..2fe34db47 100644 +create_ibendport_type_interfaces($*) +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055f9..c3bbc8ea2 100644 +index b191055f9..15ec98f76 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
@@ -6236,7 +6236,7 @@ index b191055f9..c3bbc8ea2 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -76,63 +101,82 @@ type server_packet_t, packet_type, server_packet_type; +@@ -76,63 +101,83 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) @@ -6284,6 +6284,7 @@ index b191055f9..c3bbc8ea2 100644 -network_port(ctdb, tcp,4379,s0, udp,4397,s0) +network_port(conman, tcp,7890,s0, udp,7890,s0) +network_port(connlcli, tcp,1358,s0, udp,1358,s0) ++network_port(conntrackd, udp,3780,s0) +network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0) +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) @@ -6329,7 +6330,7 @@ index b191055f9..c3bbc8ea2 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +184,61 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +185,61 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) 
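Review bot: `network_port(conntrackd, udp,3780,s0)` labels only the UDP side, but conntrackd's state-sync channel can, as far as I know, also be configured over TCP on the same port (the `TCP { Port ... }` transport in conntrackd.conf), so such a deployment would bind an unlabeled port and fall through to whatever type the policy gives unreserved ports. If TCP sync is meant to be supported, `network_port(conntrackd, tcp,3780,s0, udp,3780,s0)` matches how the neighbouring `conman` and `connlcli` entries are declared; if UDP-only is deliberate, a short comment saying so would prevent a later "fix". It is also worth confirming that 3780 is not already assigned to another port type elsewhere in corenetwork.te.in, since a duplicate port fails the policy build; nothing in the visible entries collides.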
@@ -6407,7 +6408,7 @@ index b191055f9..c3bbc8ea2 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +246,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +247,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -6558,7 +6559,7 @@ index b191055f9..c3bbc8ea2 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +377,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +378,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6585,7 +6586,7 @@ index b191055f9..c3bbc8ea2 100644 ######################################## # -@@ -333,6 +426,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +427,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -6594,7 +6595,7 @@ index b191055f9..c3bbc8ea2 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +440,34 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +441,34 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -6686,7 +6687,7 @@ index 3f6e16889..abd046c56 100644 +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl +') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c05491..a7b0f009a 100644 +index b31c05491..b15a7aa05 100644 
--- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6779,10 +6780,12 @@ index b31c05491..a7b0f009a 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +138,13 @@ +@@ -118,6 +138,15 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') ++/dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) ++/dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0) +/dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0) +/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) @@ -6793,7 +6796,7 @@ index b31c05491..a7b0f009a 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +156,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +158,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6808,7 +6811,7 @@ index b31c05491..a7b0f009a 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -169,18 +198,26 @@ ifdef(`distro_suse', ` +@@ -169,18 +200,26 @@ ifdef(`distro_suse', ` /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) 
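Review bot: The two new entries label `/dev/vmci` and `/dev/vsock` with `vmci_device_t` and `vsock_device_t`, but neither type is declared anywhere in this diff and neither exists in upstream refpolicy; unless devices.te in the same patch declares them (`type vmci_device_t, device_node;` and the matching `dev_node(...)`), the file-context build fails on an unknown type. Giving the hypervisor transport its own type rather than generic `device_t` is the right call, because it keeps access to the guest-host channel off the default device rules, but it also means no domain can use the node until a `dev_*_vsock`/`dev_*_vmci` interface grants it; those rules are outside this hunk. Since `/dev/vsock` is the generic AF_VSOCK node (virtio-vsock guests as well as VMware), a one-line comment such as `# /dev/vsock is the AF_VSOCK transport node, not VMware-specific` above the entries would help the next reader.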
@@ -6835,7 +6838,7 @@ index b31c05491..a7b0f009a 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +235,27 @@ ifdef(`distro_debian',` +@@ -198,12 +237,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6866,7 +6869,7 @@ index b31c05491..a7b0f009a 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285ea6..c28d65c08 100644 +index 76f285ea6..8c3bbb82c 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -7309,16 +7312,101 @@ index 76f285ea6..c28d65c08 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -1879,6 +2101,26 @@ interface(`dev_rw_dri',` +@@ -1865,7 +2087,7 @@ interface(`dev_setattr_dri_dev',` + + ######################################## + ## +-## Read and write the dri devices. ++## Mmap the dri devices. + ## + ## + ## +@@ -1873,35 +2095,36 @@ interface(`dev_setattr_dri_dev',` + ## + ## + # +-interface(`dev_rw_dri',` ++interface(`dev_map_dri',` + gen_require(` + type device_t, dri_device_t; ') - rw_chr_files_pattern($1, device_t, dri_device_t) +- rw_chr_files_pattern($1, device_t, dri_device_t) + allow $1 dri_device_t:chr_file map; + ') + + ######################################## + ## +-## Dontaudit read and write on the dri devices. ++## Read and write the dri devices. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_rw_dri',` ++interface(`dev_rw_dri',` + gen_require(` +- type dri_device_t; ++ type device_t, dri_device_t; + ') + +- dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; ++ rw_chr_files_pattern($1, device_t, dri_device_t) ++ allow $1 dri_device_t:chr_file map; + ') + + ######################################## + ## +-## Create, read, write, and delete the dri devices. ++## Read and write the dri devices. + ## + ## + ## +@@ -1909,26 +2132,63 @@ interface(`dev_dontaudit_rw_dri',` + ## + ## + # +-interface(`dev_manage_dri_dev',` ++interface(`dev_rw_inherited_dri',` + gen_require(` + type device_t, dri_device_t; + ') + +- manage_chr_files_pattern($1, device_t, dri_device_t) ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## + ## +-## Automatic type transition to the type +-## for DRI device nodes when created in /dev. ++## Dontaudit read and write on the dri devices. + ## + ## + ## +-## Domain allowed access. 
++## Domain to not audit. + ## + ## +-## +-## ++# ++interface(`dev_dontaudit_rw_dri',` ++ gen_require(` ++ type dri_device_t; ++ ') ++ ++ dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## -+## Read and write the dri devices. ++## Create, read, write, and delete the dri devices. +## +## +## 
@@ -7326,53 +7414,60 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_rw_inherited_dri',` ++interface(`dev_manage_dri_dev',` + gen_require(` + type device_t, dri_device_t; + ') + -+ allow $1 device_t:dir search_dir_perms; -+ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## -@@ -2017,7 +2259,7 @@ interface(`dev_rw_input_dev',` ++ manage_chr_files_pattern($1, device_t, dri_device_t) ++') ++ ++######################################## ++## ++## Automatic type transition to the type ++## for DRI device nodes when created in /dev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## + ## The name of the object being created. + ## + ## +@@ -2017,6 +2277,180 @@ interface(`dev_rw_input_dev',` ######################################## ## --## Get the attributes of the framebuffer device node. +## Read input event devices (/dev/input). - ## - ## - ## -@@ -2025,17 +2267,18 @@ interface(`dev_rw_input_dev',` - ## - ## - # --interface(`dev_getattr_framebuffer_dev',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_rw_inherited_input_dev',` - gen_require(` -- type device_t, framebuf_device_t; ++ gen_require(` + type device_t, event_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, framebuf_device_t) ++ ') ++ + allow $1 device_t:dir search_dir_perms; + allow $1 event_device_t:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## - ## --## Set the attributes of the framebuffer device node. ++') ++ ++######################################## ++## +## Read ipmi devices. - ## - ## - ## -@@ -2043,7 +2286,180 @@ interface(`dev_getattr_framebuffer_dev',` - ## - ## - # --interface(`dev_setattr_framebuffer_dev',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_read_ipmi_dev',` + gen_require(` + type device_t, ipmi_device_t; 
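Review bot: The summary above `dev_rw_inherited_dri` reads `## Read and write the dri devices.`, the same text as `dev_rw_dri` just above it, although the body grants only `rw_inherited_chr_file_perms` plus `search` on `device_t`; it should read `## Read and write inherited dri device file descriptors.` so callers do not pick it expecting open access. `dev_map_dri` likewise grants only `map`, which is unusable without open/read/write from another interface, so a line such as `## Callers also need dev_rw_dri (or equivalent) to open the node.` in its summary would save a second, puzzling denial. Note also that `dev_rw_dri` now carries `allow $1 dri_device_t:chr_file map;` unconditionally, so every existing caller gains mmap of DRI nodes — presumably intended for GPU clients, but worth stating in that summary. `dev_filetrans_dri` begins at the end of the hunk and continues outside it.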
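Review bot: `dev_rw_inherited_input_dev` is summarised as `## Read input event devices (/dev/input).` but grants `rw_inherited_chr_file_perms` on `event_device_t`, i.e. write as well as read on an inherited descriptor; the summary should be `## Read and write inherited input event device file descriptors (/dev/input).` so the write side (injecting input events) is visible to whoever grants it. The interface also adds `search_dir_perms` on `device_t`, which an inherited-fd interface does not strictly need; if it is kept for parity with `dev_rw_inherited_dri`, a brief comment saying so would stop the next reader from removing it. `dev_read_ipmi_dev` starts at the end of the hunk and its body continues outside it.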
@@ -7520,147 +7615,291 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## -+## Get the attributes of the framebuffer device node. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_framebuffer_dev',` -+ gen_require(` -+ type device_t, framebuf_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, framebuf_device_t) -+') -+ -+######################################## -+## -+## Set the attributes of the framebuffer device node. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_framebuffer_dev',` - gen_require(` - type device_t, framebuf_device_t; - ') -@@ -2402,7 +2818,97 @@ interface(`dev_filetrans_lirc',` + ## Get the attributes of the framebuffer device node. + ## + ## +@@ -2402,7 +2836,7 @@ interface(`dev_filetrans_lirc',` ######################################## ## -## Get the attributes of the lvm comtrol device. +## Get the attributes of the loop comtrol device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2410,17 +2844,17 @@ interface(`dev_filetrans_lirc',` + ## + ## + # +-interface(`dev_getattr_lvm_control',` +interface(`dev_getattr_loop_control',` -+ gen_require(` + gen_require(` +- type device_t, lvm_control_t; + type device_t, loop_control_device_t; -+ ') -+ + ') + +- getattr_chr_files_pattern($1, device_t, lvm_control_t) + getattr_chr_files_pattern($1, device_t, loop_control_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read the lvm comtrol device. +## Read the loop comtrol device. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -2428,17 +2862,17 @@ interface(`dev_getattr_lvm_control',` + ## + ## + # +-interface(`dev_read_lvm_control',` +interface(`dev_read_loop_control',` -+ gen_require(` + gen_require(` +- type device_t, lvm_control_t; + type device_t, loop_control_device_t; -+ ') -+ + ') + +- read_chr_files_pattern($1, device_t, lvm_control_t) + read_chr_files_pattern($1, device_t, loop_control_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write the lvm control device. +## Read and write the loop control device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2446,17 +2880,17 @@ interface(`dev_read_lvm_control',` + ## + ## + # +-interface(`dev_rw_lvm_control',` +interface(`dev_rw_loop_control',` -+ gen_require(` + gen_require(` +- type device_t, lvm_control_t; + type device_t, loop_control_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, lvm_control_t) + rw_chr_files_pattern($1, device_t, loop_control_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and write lvm control device. +## Do not audit attempts to read and write loop control device. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -2464,17 +2898,17 @@ interface(`dev_rw_lvm_control',` + ## + ## + # +-interface(`dev_dontaudit_rw_lvm_control',` +interface(`dev_dontaudit_rw_loop_control',` -+ gen_require(` + gen_require(` +- type lvm_control_t; + type loop_control_device_t; -+ ') -+ + ') + +- dontaudit $1 lvm_control_t:chr_file rw_file_perms; + dontaudit $1 loop_control_device_t:chr_file rw_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete the lvm control device. +## Delete the loop control device. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -2482,35 +2916,35 @@ interface(`dev_dontaudit_rw_lvm_control',` + ## + ## + # +-interface(`dev_delete_lvm_control_dev',` +interface(`dev_delete_loop_control_dev',` -+ gen_require(` + gen_require(` +- type device_t, lvm_control_t; + type device_t, loop_control_device_t; -+ ') -+ + ') + +- delete_chr_files_pattern($1, device_t, lvm_control_t) + delete_chr_files_pattern($1, device_t, loop_control_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## dontaudit getattr raw memory devices (e.g. /dev/mem). +## Get the attributes of the loop comtrol device. ## ## ## -@@ -2525,6 +3031,7 @@ interface(`dev_read_raw_memory',` +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_getattr_memory_dev',` ++interface(`dev_getattr_lvm_control',` + gen_require(` +- type memory_device_t; ++ type device_t, lvm_control_t; ') - read_chr_files_pattern($1, device_t, memory_device_t) -+ allow $1 memory_device_t:chr_file map; - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_read; -@@ -2532,6 +3039,24 @@ interface(`dev_read_raw_memory',` +- dontaudit $1 memory_device_t:chr_file getattr; ++ getattr_chr_files_pattern($1, device_t, lvm_control_t) + ') ######################################## ## +-## Read raw memory devices (e.g. /dev/mem). ++## Read the lvm comtrol device. 
+ ## + ## + ## +@@ -2518,62 +2952,53 @@ interface(`dev_dontaudit_getattr_memory_dev',` + ## + ## + # +-interface(`dev_read_raw_memory',` ++interface(`dev_read_lvm_control',` + gen_require(` +- type device_t, memory_device_t; +- attribute memory_raw_read; ++ type device_t, lvm_control_t; + ') + +- read_chr_files_pattern($1, device_t, memory_device_t) +- +- allow $1 self:capability sys_rawio; +- typeattribute $1 memory_raw_read; ++ read_chr_files_pattern($1, device_t, lvm_control_t) + ') + + ######################################## + ## +-## Do not audit attempts to read raw memory devices +-## (e.g. /dev/mem). ++## Read and write the lvm control device. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_read_raw_memory',` ++interface(`dev_rw_lvm_control',` + gen_require(` +- type memory_device_t; ++ type device_t, lvm_control_t; + ') + +- dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++ rw_chr_files_pattern($1, device_t, lvm_control_t) + ') + + ######################################## + ## +-## Write raw memory devices (e.g. /dev/mem). ++## Do not audit attempts to read and write lvm control device. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_raw_memory',` ++interface(`dev_dontaudit_rw_lvm_control',` + gen_require(` +- type device_t, memory_device_t; +- attribute memory_raw_write; ++ type lvm_control_t; + ') + +- write_chr_files_pattern($1, device_t, memory_device_t) +- +- allow $1 self:capability sys_rawio; +- typeattribute $1 memory_raw_write; ++ dontaudit $1 lvm_control_t:chr_file rw_file_perms; + ') + + ######################################## + ## +-## Read and execute raw memory devices (e.g. /dev/mem). ++## Delete the lvm control device. 
+ ## + ## + ## +@@ -2581,32 +3006,168 @@ interface(`dev_write_raw_memory',` + ## + ## + # +-interface(`dev_rx_raw_memory',` ++interface(`dev_delete_lvm_control_dev',` + gen_require(` +- type device_t, memory_device_t; ++ type device_t, lvm_control_t; + ') + +- dev_read_raw_memory($1) +- allow $1 memory_device_t:chr_file execute; ++ delete_chr_files_pattern($1, device_t, lvm_control_t) + ') + + ######################################## + ## +-## Write and execute raw memory devices (e.g. /dev/mem). ++## dontaudit getattr raw memory devices (e.g. /dev/mem). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_wx_raw_memory',` ++interface(`dev_dontaudit_getattr_memory_dev',` + gen_require(` +- type device_t, memory_device_t; ++ type memory_device_t; ++ ') ++ ++ dontaudit $1 memory_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Read raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_raw_memory',` ++ gen_require(` ++ type device_t, memory_device_t; ++ attribute memory_raw_read; ++ ') ++ ++ read_chr_files_pattern($1, device_t, memory_device_t) ++ allow $1 memory_device_t:chr_file map; ++ ++ allow $1 self:capability sys_rawio; ++ typeattribute $1 memory_raw_read; ++') ++ ++######################################## ++## +## Allow to be reader of raw memory devices (e.g. /dev/mem). +## +## 
@@ -7679,13 +7918,47 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## - ## Do not audit attempts to read raw memory devices - ## (e.g. /dev/mem). - ## -@@ -2573,6 +3098,24 @@ interface(`dev_write_raw_memory',` - - ######################################## - ## ++## Do not audit attempts to read raw memory devices ++## (e.g. /dev/mem). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_raw_memory',` ++ gen_require(` ++ type memory_device_t; ++ ') ++ ++ dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++') ++ ++######################################## ++## ++## Write raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_raw_memory',` ++ gen_require(` ++ type device_t, memory_device_t; ++ attribute memory_raw_write; ++ ') ++ ++ write_chr_files_pattern($1, device_t, memory_device_t) ++ ++ allow $1 self:capability sys_rawio; ++ typeattribute $1 memory_raw_write; ++') ++ ++######################################## ++## +## Allow to be writer of raw memory devices (e.g. /dev/mem). +## +## 
@@ -7704,19 +7977,36 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## - ## Read and execute raw memory devices (e.g. /dev/mem). - ## - ## -@@ -2587,7 +3130,7 @@ interface(`dev_rx_raw_memory',` - ') - - dev_read_raw_memory($1) -- allow $1 memory_device_t:chr_file execute; ++## Read and execute raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rx_raw_memory',` ++ gen_require(` ++ type device_t, memory_device_t; ++ ') ++ ++ dev_read_raw_memory($1) + allow $1 memory_device_t:chr_file { map execute }; - ') - - ######################################## -@@ -2606,7 +3149,7 @@ interface(`dev_wx_raw_memory',` ++') ++ ++######################################## ++## ++## Write and execute raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_wx_raw_memory',` ++ gen_require(` ++ type device_t, memory_device_t; ') dev_write_raw_memory($1) @@ -7725,7 +8015,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -2725,7 +3268,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3286,7 @@ interface(`dev_write_misc',` ## ## ## 
@@ -7734,71 +8024,59 @@ index 76f285ea6..c28d65c08 100644 ## ## # -@@ -2811,7 +3354,7 @@ interface(`dev_rw_modem',` +@@ -2811,6 +3372,78 @@ interface(`dev_rw_modem',` ######################################## ## --## Get the attributes of the mouse devices. +## Get the attributes of the monitor devices. - ## - ## - ## -@@ -2819,17 +3362,17 @@ interface(`dev_rw_modem',` - ## - ## - # --interface(`dev_getattr_mouse_dev',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_getattr_monitor_dev',` - gen_require(` -- type device_t, mouse_device_t; ++ gen_require(` + type device_t, monitor_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, mouse_device_t) ++ ') ++ + getattr_chr_files_pattern($1, device_t, monitor_device_t) - ') - - ######################################## - ## --## Set the attributes of the mouse devices. ++') ++ ++######################################## ++## +## Set the attributes of the monitor devices. - ## - ## - ## -@@ -2837,17 +3380,17 @@ interface(`dev_getattr_mouse_dev',` - ## - ## - # --interface(`dev_setattr_mouse_dev',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_setattr_monitor_dev',` - gen_require(` -- type device_t, mouse_device_t; ++ gen_require(` + type device_t, monitor_device_t; - ') - -- setattr_chr_files_pattern($1, device_t, mouse_device_t) ++ ') ++ + setattr_chr_files_pattern($1, device_t, monitor_device_t) - ') - - ######################################## - ## --## Read the mouse devices. ++') ++ ++######################################## ++## +## Read the monitor devices. - ## - ## - ## -@@ -2855,12 +3398,84 @@ interface(`dev_setattr_mouse_dev',` - ## - ## - # --interface(`dev_read_mouse',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`dev_read_monitor_dev',` - gen_require(` -- type device_t, mouse_device_t; ++ gen_require(` + type device_t, monitor_device_t; - ') - -- read_chr_files_pattern($1, device_t, mouse_device_t) ++ ') ++ + read_chr_files_pattern($1, device_t, monitor_device_t) +') + @@ -7822,60 +8100,10 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## -+## Get the attributes of the mouse devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_mouse_dev',` -+ gen_require(` -+ type device_t, mouse_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, mouse_device_t) -+') -+ -+######################################## -+## -+## Set the attributes of the mouse devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_mouse_dev',` -+ gen_require(` -+ type device_t, mouse_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, mouse_device_t) -+') -+ -+######################################## -+## -+## Read the mouse devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_read_mouse',` -+ gen_require(` -+ type device_t, mouse_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, mouse_device_t) - ') - - ######################################## -@@ -2903,20 +3518,20 @@ interface(`dev_getattr_mtrr_dev',` + ## Get the attributes of the mouse devices. + ## + ## +@@ -2903,20 +3536,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -7900,7 +8128,7 @@ index 76f285ea6..c28d65c08 100644 ##

## ## -@@ -2925,43 +3540,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3558,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -7956,7 +8184,7 @@ index 76f285ea6..c28d65c08 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3576,32 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3594,32 @@ interface(`dev_write_mtrr',` ## ## # 
@@ -7992,59 +8220,74 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3144,6 +3769,80 @@ interface(`dev_create_null_dev',` +@@ -3144,44 +3787,43 @@ interface(`dev_create_null_dev',` ######################################## ## +-## Do not audit attempts to get the attributes +-## of the BIOS non-volatile RAM device. +## Get the status of a null device service. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_dontaudit_getattr_nvram_dev',` +interface(`dev_service_status_null_dev',` -+ gen_require(` + gen_require(` +- type nvram_device_t; + type null_device_t; -+ ') -+ + ') + +- dontaudit $1 nvram_device_t:chr_file getattr; + allow $1 null_device_t:service status; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write BIOS non-volatile RAM. +## Configure null_device as a unit files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## -+# + ## + ## + # +-interface(`dev_rw_nvram',` +interface(`dev_config_null_dev_service',` -+ gen_require(` + gen_require(` +- type nvram_device_t; + type null_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, nvram_device_t) + allow $1 null_device_t:service manage_service_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of the printer device nodes. +## Read Non-Volatile Memory Host Controller Interface. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -3189,12 +3831,105 @@ interface(`dev_rw_nvram',` + ## + ## + # +-interface(`dev_getattr_printer_dev',` +interface(`dev_read_nvme',` -+ gen_require(` + gen_require(` +- type device_t, printer_device_t; + type nvme_device_t; -+ ') -+ + ') + +- getattr_chr_files_pattern($1, device_t, printer_device_t) + read_chr_files_pattern($1, device_t, nvme_device_t) + read_blk_files_pattern($1, device_t, nvme_device_t) +') @@ -8070,13 +8313,25 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## - ## Do not audit attempts to get the attributes - ## of the BIOS non-volatile RAM device. - ## -@@ -3163,6 +3862,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` - - ######################################## - ## ++## Do not audit attempts to get the attributes ++## of the BIOS non-volatile RAM device. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_nvram_dev',` ++ gen_require(` ++ type nvram_device_t; ++ ') ++ ++ dontaudit $1 nvram_device_t:chr_file getattr; ++') ++ ++######################################## ++## +## Read BIOS non-volatile RAM. +## +## 
@@ -8095,10 +8350,42 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## - ## Read and write BIOS non-volatile RAM. - ## - ## -@@ -3254,7 +3971,25 @@ interface(`dev_rw_printer',` ++## Read and write BIOS non-volatile RAM. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_nvram',` ++ gen_require(` ++ type nvram_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, nvram_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the printer device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_printer_dev',` ++ gen_require(` ++ type device_t, printer_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, printer_device_t) + ') + + ######################################## +@@ -3254,7 +3989,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -8125,7 +8412,7 @@ index 76f285ea6..c28d65c08 100644 ## ## ## -@@ -3262,12 +3997,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +4015,13 @@ interface(`dev_rw_printer',` ## ## # @@ -8142,7 +8429,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3399,7 +4135,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4153,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -8151,7 +8438,7 @@ index 76f285ea6..c28d65c08 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4149,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4167,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -8160,7 +8447,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3633,6 +4369,7 @@ interface(`dev_read_sound',` +@@ -3633,6 +4387,7 @@ interface(`dev_read_sound',` ') read_chr_files_pattern($1, device_t, sound_device_t) 
@@ -8168,7 +8455,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3669,6 +4406,7 @@ interface(`dev_read_sound_mixer',` +@@ -3669,6 +4424,7 @@ interface(`dev_read_sound_mixer',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8176,7 +8463,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3855,7 +4593,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4611,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -8185,7 +8472,7 @@ index 76f285ea6..c28d65c08 100644 ## ## ## -@@ -3863,91 +4601,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4619,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -8296,7 +8583,7 @@ index 76f285ea6..c28d65c08 100644 ## ## ## -@@ -3955,60 +4691,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,68 +4709,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # 
@@ -8362,132 +8649,187 @@ index 76f285ea6..c28d65c08 100644 ') - rw_files_pattern($1, sysfs_t, sysfs_t) +- read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- +- list_dirs_pattern($1, sysfs_t, sysfs_t) + dontaudit $1 sysfs_t:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write the TPM device. +## List the contents of the sysfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4024,114 +4763,97 @@ interface(`dev_rw_sysfs',` + ## + ## + # +-interface(`dev_rw_tpm',` +interface(`dev_list_sysfs',` -+ gen_require(` + gen_require(` +- type device_t, tpm_device_t; + type sysfs_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, tpm_device_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read from pseudo random number generator devices (e.g., /dev/urandom). +## Write in a sysfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## +-## +-##

+-## Allow the specified domain to read from pseudo random number +-## generator devices (e.g., /dev/urandom). Typically this is +-## used in situations when a cryptographically secure random +-## number is not necessarily needed. One example is the Stack +-## Smashing Protector (SSP, formerly known as ProPolice) support +-## that may be compiled into programs. +-##

+-##

+-## Related interface: +-##

+-##
    +-##
  • dev_read_rand()
  • +-##
+-##

+-## Related tunable: +-##

+-##
    +-##
  • global_ssp
  • +-##
+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`dev_read_urand',` +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` -+ gen_require(` + gen_require(` +- type device_t, urandom_device_t; + type sysfs_t; -+ ') -+ + ') + +- read_chr_files_pattern($1, device_t, urandom_device_t) + allow $1 sysfs_t:dir write; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read from pseudo +-## random devices (e.g., /dev/urandom) +## Access check for a sysfs directories. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_dontaudit_read_urand',` +interface(`dev_access_check_sysfs',` -+ gen_require(` + gen_require(` +- type urandom_device_t; + type sysfs_t; -+ ') -+ + ') + +- dontaudit $1 urandom_device_t:chr_file { getattr read }; + allow $1 sysfs_t:dir audit_access; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write to the pseudo random device (e.g., /dev/urandom). This +-## sets the random number generator seed. +## Do not audit attempts to write in a sysfs directory. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`dev_write_urand',` +interface(`dev_dontaudit_write_sysfs_dirs',` -+ gen_require(` + gen_require(` +- type device_t, urandom_device_t; + type sysfs_t; -+ ') -+ + ') + +- write_chr_files_pattern($1, device_t, urandom_device_t) + dontaudit $1 sysfs_t:dir write; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Getattr generic the USB devices. +## Read cpu online hardware state information. -+## + ## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`dev_getattr_generic_usb_dev',` +interface(`dev_read_cpu_online',` -+ gen_require(` + gen_require(` +- type usb_device_t; + type cpu_online_t; -+ ') -+ + ') + +- getattr_chr_files_pattern($1, device_t, usb_device_t) + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Setattr generic the USB devices. +## Relabel cpu online hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4139,35 +4861,50 @@ interface(`dev_getattr_generic_usb_dev',` + ## + ## + # +-interface(`dev_setattr_generic_usb_dev',` +interface(`dev_relabel_cpu_online',` -+ gen_require(` + gen_require(` +- type usb_device_t; + type cpu_online_t; + type sysfs_t; -+ ') -+ + ') + +- setattr_chr_files_pattern($1, device_t, usb_device_t) + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; -+') + ') + + -+ -+######################################## -+## + ######################################## + ## +-## Read generic the USB devices. +## Read hardware state information. -+## + ## +## +##

+## Allow the specified domain to read the contents of @@ -8496,47 +8838,54 @@ index 76f285ea6..c28d65c08 100644 +## hardware installed on the system. +##
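Review bot: `dev_relabel_cpu_online` declares `type sysfs_t;` in its gen_require but never references it; the search on sysfs_t directories comes from the `dev_search_sysfs($1)` call, which carries its own gen_require, so the extra declaration can be dropped. The interface also hands out `relabel_file_perms` on cpu_online_t, i.e. relabelfrom as well as relabelto, so a caller can move /sys/devices/system/cpu/online off its dedicated type given a matching relabelto elsewhere; a line such as `## Grants relabelfrom as well as relabelto on cpu_online_t.` in the description would make that explicit. There is also a doubled blank line between its closing `')` and the next interface header.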

+##
-+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`dev_read_generic_usb_dev',` +interface(`dev_read_sysfs',` -+ gen_require(` + gen_require(` +- type usb_device_t; + type sysfs_t; -+ ') -+ + ') + +- read_chr_files_pattern($1, device_t, usb_device_t) + read_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + ++ list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read and write generic the USB devices. ++## Allow caller to modify hardware state information. + ## + ## + ## +@@ -4175,12 +4912,278 @@ interface(`dev_read_generic_usb_dev',` + ## + ## + # +-interface(`dev_rw_generic_usb_dev',` ++interface(`dev_rw_sysfs',` + gen_require(` +- type device_t, usb_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, usb_device_t) ++ rw_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ + list_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Allow caller to modify hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) -@@ -4016,6 +4907,81 @@ interface(`dev_rw_sysfs',` - - ######################################## - ## +## Relabel hardware state directories. +## +## 
@@ -8612,13 +8961,103 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## - ## Read and write the TPM device. - ## - ## -@@ -4113,6 +5079,25 @@ interface(`dev_write_urand',` - - ######################################## - ## ++## Read and write the TPM device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_tpm',` ++ gen_require(` ++ type device_t, tpm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, tpm_device_t) ++') ++ ++######################################## ++## ++## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## ++## ++##

++## Allow the specified domain to read from pseudo random number ++## generator devices (e.g., /dev/urandom). Typically this is ++## used in situations when a cryptographically secure random ++## number is not necessarily needed. One example is the Stack ++## Smashing Protector (SSP, formerly known as ProPolice) support ++## that may be compiled into programs. ++##

++##

++## Related interface: ++##

++##
    ++##
  • dev_read_rand()
  • ++##
++##

++## Related tunable: ++##

++##
    ++##
  • global_ssp
  • ++##
++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dev_read_urand',` ++ gen_require(` ++ type device_t, urandom_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, urandom_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to read from pseudo ++## random devices (e.g., /dev/urandom) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_urand',` ++ gen_require(` ++ type urandom_device_t; ++ ') ++ ++ dontaudit $1 urandom_device_t:chr_file { getattr read }; ++') ++ ++######################################## ++## ++## Write to the pseudo random device (e.g., /dev/urandom). This ++## sets the random number generator seed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_urand',` ++ gen_require(` ++ type device_t, urandom_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, urandom_device_t) ++') ++ ++######################################## ++## +## Do not audit attempts to write to pseudo +## random devices (e.g., /dev/urandom) +## 
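Review bot: The description of `dev_write_urand` says writing to /dev/urandom "sets the random number generator seed", which overstates what an unprivileged write does: on Linux write(2) mixes the bytes into the input pool but neither credits entropy nor puts the generator into a chosen state (only the RNDADDENTROPY ioctl, which needs CAP_SYS_ADMIN, credits entropy). Suggest `## Write to the pseudo random device (e.g., /dev/urandom). This` followed by `## mixes the written bytes into the kernel pool without crediting entropy.` Separately, `dev_dontaudit_read_urand` silences only `{ getattr read }` rather than `read_chr_file_perms`, so open or ioctl denials on urandom_device_t would still be logged; fine if intended, but worth stating in its description.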
@@ -8638,73 +9077,391 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## - ## Getattr generic the USB devices. - ## - ## -@@ -4123,7 +5108,7 @@ interface(`dev_write_urand',` - # - interface(`dev_getattr_generic_usb_dev',` - gen_require(` -- type usb_device_t; ++## Getattr generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_generic_usb_dev',` ++ gen_require(` + type usb_device_t,device_t; - ') - - getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5394,9 @@ interface(`dev_rw_usbfs',` - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - ') - --######################################## -+###################################### - ## --## Get the attributes of video4linux devices. -+## Read and write userio device. - ## - ## - ## -@@ -4419,17 +5404,17 @@ interface(`dev_rw_usbfs',` - ## - ## - # --interface(`dev_getattr_video_dev',` -+interface(`dev_rw_userio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, userio_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, userio_device_t) - ') - --###################################### ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, usb_device_t) ++') ++ +######################################## - ## --## Read and write userio device. -+## Get the attributes of video4linux devices. - ## - ## - ## -@@ -4437,12 +5422,12 @@ interface(`dev_getattr_video_dev',` - ## - ## - # --interface(`dev_rw_userio_dev',` -+interface(`dev_getattr_video_dev',` - gen_require(` -- type device_t, userio_device_t; -+ type device_t, v4l_device_t; - ') - -- rw_chr_files_pattern($1, device_t, userio_device_t) -+ getattr_chr_files_pattern($1, device_t, v4l_device_t) ++## ++## Setattr generic the USB devices. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_setattr_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Read generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Read and write generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_generic_usb_dev',` ++ gen_require(` ++ type device_t, usb_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, usb_device_t) ') ######################################## -@@ -4539,6 +5524,134 @@ interface(`dev_write_video_dev',` - - ######################################## - ## +@@ -4249,33 +5252,462 @@ interface(`dev_write_usbmon_dev',` + # + interface(`dev_mount_usbfs',` + gen_require(` +- type usbfs_t; ++ type usbfs_t; ++ ') ++ ++ allow $1 usbfs_t:filesystem mount; ++') ++ ++######################################## ++## ++## Associate a file to a usbfs filesystem. ++## ++## ++## ++## The type of the file to be associated to usbfs. ++## ++## ++# ++interface(`dev_associate_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ allow $1 usbfs_t:filesystem associate; ++') ++ ++######################################## ++## ++## Get the attributes of a directory in the usb filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_usbfs_dirs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ allow $1 usbfs_t:dir getattr_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of a directory in the usb filesystem. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`dev_dontaudit_getattr_usbfs_dirs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ dontaudit $1 usbfs_t:dir getattr_dir_perms; ++') ++ ++######################################## ++## ++## Search the directory containing USB hardware information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_search_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ search_dirs_pattern($1, usbfs_t, usbfs_t) ++') ++ ++######################################## ++## ++## Allow caller to get a list of usb hardware. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_list_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ getattr_files_pattern($1, usbfs_t, usbfs_t) ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++') ++ ++######################################## ++## ++## Set the attributes of usbfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_usbfs_files',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ setattr_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++') ++ ++######################################## ++## ++## Read USB hardware information using ++## the usbfs filesystem interface. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ read_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++') ++ ++######################################## ++## ++## Allow caller to modify usb hardware configuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_rw_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ rw_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++') ++ ++###################################### ++## ++## Read and write userio device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_userio_dev',` ++ gen_require(` ++ type device_t, userio_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, userio_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of video4linux devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of video4linux device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_video_dev',` ++ gen_require(` ++ type v4l_device_t; ++ ') ++ ++ dontaudit $1 v4l_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of video4linux device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of video4linux device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_setattr_video_dev',` ++ gen_require(` ++ type v4l_device_t; ++ ') ++ ++ dontaudit $1 v4l_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read the video4linux devices. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_read_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## ++## Mmap the video4linux devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_map_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ allow $1 v4l_device_t:chr_file map; ++ ++') ++ ++######################################## ++## ++## Write the video4linux devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## +## Get the attributes of vfio devices. +## +## 
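Review bot: `dev_setattr_generic_usb_dev` and `dev_read_generic_usb_dev` both pass `device_t` to their *_chr_files_pattern call but declare only `type usb_device_t;` in gen_require, the same omission the carried patch already repairs for `dev_getattr_generic_usb_dev` with `type usb_device_t,device_t;`. Apply the same change to both and normalise the spacing to `type device_t, usb_device_t;`, as `dev_rw_generic_usb_dev` already writes it, so the three interfaces stay consistent. The new `dev_map_video_dev` leaves a stray blank line before its closing `')`, and since `dev_read_video_dev` does not include `map`, domains that stream V4L2 buffers through mmap will presumably need both interfaces; a sentence saying so in the `dev_read_video_dev` description would save callers a denial hunt.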
@@ -8826,313 +9583,735 @@ index 76f285ea6..c28d65c08 100644 +interface(`dev_rw_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; -+ ') -+ + ') + +- allow $1 usbfs_t:filesystem mount; + rw_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## - ## Allow read/write the vhost net device - ## - ## -@@ -4557,6 +5670,24 @@ interface(`dev_rw_vhost',` + ') ######################################## ## -+## Allow read/write inheretid the vhost net device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_inherited_vhost',` -+ gen_require(` -+ type device_t, vhost_device_t; -+ ') -+ -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## - ## Read and write VMWare devices. +-## Associate a file to a usbfs filesystem. ++## Allow read/write the vhost net device ## - ## -@@ -4589,7 +5720,7 @@ interface(`dev_rwx_vmware',` +-## ++## + ## +-## The type of the file to be associated to usbfs. ++## Domain allowed access. + ## + ## + # +-interface(`dev_associate_usbfs',` ++interface(`dev_rw_vhost',` + gen_require(` +- type usbfs_t; ++ type device_t, vhost_device_t; ') - dev_rw_vmware($1) -- allow $1 vmware_device_t:chr_file execute; +- allow $1 usbfs_t:filesystem associate; ++ rw_chr_files_pattern($1, device_t, vhost_device_t) + ') + + ######################################## + ## +-## Get the attributes of a directory in the usb filesystem. 
++## Allow read/write inheretid the vhost net device + ## + ## + ## +@@ -4283,36 +5715,35 @@ interface(`dev_associate_usbfs',` + ## + ## + # +-interface(`dev_getattr_usbfs_dirs',` ++interface(`dev_rw_inherited_vhost',` + gen_require(` +- type usbfs_t; ++ type device_t, vhost_device_t; + ') + +- allow $1 usbfs_t:dir getattr_dir_perms; ++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of a directory in the usb filesystem. ++## Read and write VMWare devices. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_getattr_usbfs_dirs',` ++interface(`dev_rw_vmware',` + gen_require(` +- type usbfs_t; ++ type device_t, vmware_device_t; + ') + +- dontaudit $1 usbfs_t:dir getattr_dir_perms; ++ rw_chr_files_pattern($1, device_t, vmware_device_t) + ') + + ######################################## + ## +-## Search the directory containing USB hardware information. ++## Read, write, and mmap VMWare devices. + ## + ## + ## +@@ -4320,17 +5751,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',` + ## + ## + # +-interface(`dev_search_usbfs',` ++interface(`dev_rwx_vmware',` + gen_require(` +- type usbfs_t; ++ type device_t, vmware_device_t; + ') + +- search_dirs_pattern($1, usbfs_t, usbfs_t) ++ dev_rw_vmware($1) + allow $1 vmware_device_t:chr_file { map execute }; ') - ######################################## -@@ -4630,6 +5761,24 @@ interface(`dev_write_watchdog',` - ######################################## ## -+## RW to watchdog devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_watchdog',` -+ gen_require(` -+ type device_t, watchdog_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, watchdog_device_t) -+') -+ -+######################################## -+## - ## Read and write the the wireless device. +-## Allow caller to get a list of usb hardware. 
++## Read from watchdog devices. ## ## -@@ -4762,6 +5911,44 @@ interface(`dev_rw_xserver_misc',` + ## +@@ -4338,20 +5770,17 @@ interface(`dev_search_usbfs',` + ## + ## + # +-interface(`dev_list_usbfs',` ++interface(`dev_read_watchdog',` + gen_require(` +- type usbfs_t; ++ type device_t, watchdog_device_t; + ') + +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- getattr_files_pattern($1, usbfs_t, usbfs_t) +- +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ read_chr_files_pattern($1, device_t, watchdog_device_t) + ') ######################################## ## -+## Dontaudit attempts to Read and write X server miscellaneous devices. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_leaked_xserver_misc',` -+ gen_require(` -+ type xserver_misc_device_t; -+ ') -+ -+ dontaudit $1 xserver_misc_device_t:chr_file { read write }; -+') -+ +-## Set the attributes of usbfs filesystem. ++## Write to watchdog devices. + ## + ## + ## +@@ -4359,19 +5788,17 @@ interface(`dev_list_usbfs',` + ## + ## + # +-interface(`dev_setattr_usbfs_files',` ++interface(`dev_write_watchdog',` + gen_require(` +- type usbfs_t; ++ type device_t, watchdog_device_t; + ') + +- setattr_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ write_chr_files_pattern($1, device_t, watchdog_device_t) + ') + + ######################################## + ## +-## Read USB hardware information using +-## the usbfs filesystem interface. ++## RW to watchdog devices. 
+ ## + ## + ## +@@ -4379,19 +5806,17 @@ interface(`dev_setattr_usbfs_files',` + ## + ## + # +-interface(`dev_read_usbfs',` ++interface(`dev_rw_watchdog',` + gen_require(` +- type usbfs_t; ++ type device_t, watchdog_device_t; + ') + +- read_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ rw_chr_files_pattern($1, device_t, watchdog_device_t) + ') + + ######################################## + ## +-## Allow caller to modify usb hardware configuration files. ++## Read and write the the wireless device. + ## + ## + ## +@@ -4399,19 +5824,17 @@ interface(`dev_read_usbfs',` + ## + ## + # +-interface(`dev_rw_usbfs',` ++interface(`dev_rw_wireless',` + gen_require(` +- type usbfs_t; ++ type device_t, wireless_device_t; + ') + +- list_dirs_pattern($1, usbfs_t, usbfs_t) +- rw_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ rw_chr_files_pattern($1, device_t, wireless_device_t) + ') + + ######################################## + ## +-## Get the attributes of video4linux devices. ++## Read and write Xen devices. + ## + ## + ## +@@ -4419,17 +5842,17 @@ interface(`dev_rw_usbfs',` + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_rw_xen',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, xen_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, xen_device_t) + ') + +-###################################### +######################################## -+## -+## Read and write X server miscellaneous devices. -+## -+## -+## + ## +-## Read and write userio device. ++## Create, read, write, and delete Xen devices. 
+ ## + ## + ## +@@ -4437,36 +5860,41 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_manage_xen',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, xen_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ manage_chr_files_pattern($1, device_t, xen_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of video4linux device nodes. ++## Automatic type transition to the type ++## for xen device nodes when created in /dev. + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. +## +## -+# -+interface(`dev_manage_xserver_misc',` -+ gen_require(` ++## ++## ++## The name of the object being created. + ## + ## + # +-interface(`dev_dontaudit_getattr_video_dev',` ++interface(`dev_filetrans_xen',` + gen_require(` +- type v4l_device_t; ++ type device_t, xen_device_t; + ') + +- dontaudit $1 v4l_device_t:chr_file getattr; ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) + ') + + ######################################## + ## +-## Set the attributes of video4linux device nodes. ++## Get the attributes of X server miscellaneous devices. + ## + ## + ## +@@ -4474,36 +5902,35 @@ interface(`dev_dontaudit_getattr_video_dev',` + ## + ## + # +-interface(`dev_setattr_video_dev',` ++interface(`dev_getattr_xserver_misc_dev',` + gen_require(` +- type device_t, v4l_device_t; + type device_t, xserver_misc_device_t; -+ ') -+ + ') + +- setattr_chr_files_pattern($1, device_t, v4l_device_t) ++ getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to set the attributes +-## of video4linux device nodes. ++## Set the attributes of X server miscellaneous devices. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`dev_dontaudit_setattr_video_dev',` ++interface(`dev_setattr_xserver_misc_dev',` + gen_require(` +- type v4l_device_t; ++ type device_t, xserver_misc_device_t; + ') + +- dontaudit $1 v4l_device_t:chr_file setattr; ++ setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + ') + + ######################################## + ## +-## Read the video4linux devices. ++## Read and write X server miscellaneous devices. + ## + ## + ## +@@ -4511,35 +5938,35 @@ interface(`dev_dontaudit_setattr_video_dev',` + ## + ## + # +-interface(`dev_read_video_dev',` ++interface(`dev_rw_xserver_misc',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, xserver_misc_device_t; + ') + +- read_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, xserver_misc_device_t) + ') + + ######################################## + ## +-## Write the video4linux devices. ++## Dontaudit attempts to Read and write X server miscellaneous devices. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_video_dev',` ++interface(`dev_dontaudit_leaked_xserver_misc',` + gen_require(` +- type device_t, v4l_device_t; ++ type xserver_misc_device_t; + ') + +- write_chr_files_pattern($1, device_t, v4l_device_t) ++ dontaudit $1 xserver_misc_device_t:chr_file { read write }; + ') + + ######################################## + ## +-## Allow read/write the vhost net device ++## Read and write X server miscellaneous devices. 
+ ## + ## + ## +@@ -4547,17 +5974,19 @@ interface(`dev_write_video_dev',` + ## + ## + # +-interface(`dev_rw_vhost',` ++interface(`dev_manage_xserver_misc',` + gen_require(` +- type device_t, vhost_device_t; ++ type device_t, xserver_misc_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vhost_device_t) + manage_chr_files_pattern($1, device_t, xserver_misc_device_t) + + dev_filetrans_xserver_named_dev($1) -+') -+ -+######################################## -+## - ## Read and write to the zero device (/dev/zero). + ') + + ######################################## + ## +-## Read and write VMWare devices. ++## Read and write to the zero device (/dev/zero). ## ## -@@ -4794,7 +5981,7 @@ interface(`dev_rwx_zero',` + ## +@@ -4565,17 +5994,17 @@ interface(`dev_rw_vhost',` + ## + ## + # +-interface(`dev_rw_vmware',` ++interface(`dev_rw_zero',` + gen_require(` +- type device_t, vmware_device_t; ++ type device_t, zero_device_t; ') - dev_rw_zero($1) -- allow $1 zero_device_t:chr_file execute; +- rw_chr_files_pattern($1, device_t, vmware_device_t) ++ rw_chr_files_pattern($1, device_t, zero_device_t) + ') + + ######################################## + ## +-## Read, write, and mmap VMWare devices. ++## Read, write, and execute the zero device (/dev/zero). + ## + ## + ## +@@ -4583,18 +6012,18 @@ interface(`dev_rw_vmware',` + ## + ## + # +-interface(`dev_rwx_vmware',` ++interface(`dev_rwx_zero',` + gen_require(` +- type device_t, vmware_device_t; ++ type zero_device_t; + ') + +- dev_rw_vmware($1) +- allow $1 vmware_device_t:chr_file execute; ++ dev_rw_zero($1) + allow $1 zero_device_t:chr_file { map execute }; ') ######################################## -@@ -4851,3 +6038,1064 @@ interface(`dev_unconfined',` + ## +-## Read from watchdog devices. ++## Execmod the zero device (/dev/zero). 
+ ## + ## + ## +@@ -4602,17 +6031,18 @@ interface(`dev_rwx_vmware',` + ## + ## + # +-interface(`dev_read_watchdog',` ++interface(`dev_execmod_zero',` + gen_require(` +- type device_t, watchdog_device_t; ++ type zero_device_t; + ') - typeattribute $1 devices_unconfined_type; +- read_chr_files_pattern($1, device_t, watchdog_device_t) ++ dev_rw_zero($1) ++ allow $1 zero_device_t:chr_file execmod; ') -+ -+######################################## -+## + + ######################################## + ## +-## Write to watchdog devices. ++## Create the zero device (/dev/zero). + ## + ## + ## +@@ -4620,17 +6050,17 @@ interface(`dev_read_watchdog',` + ## + ## + # +-interface(`dev_write_watchdog',` ++interface(`dev_create_zero_dev',` + gen_require(` +- type device_t, watchdog_device_t; ++ type device_t, zero_device_t; + ') + +- write_chr_files_pattern($1, device_t, watchdog_device_t) ++ create_chr_files_pattern($1, device_t, zero_device_t) + ') + + ######################################## + ## +-## Read and write the the wireless device. ++## Unconfined access to devices. + ## + ## + ## +@@ -4638,35 +6068,36 @@ interface(`dev_write_watchdog',` + ## + ## + # +-interface(`dev_rw_wireless',` ++interface(`dev_unconfined',` + gen_require(` +- type device_t, wireless_device_t; ++ attribute devices_unconfined_type; + ') + +- rw_chr_files_pattern($1, device_t, wireless_device_t) ++ typeattribute $1 devices_unconfined_type; + ') + + ######################################## + ## +-## Read and write Xen devices. +## Dontaudit getattr on all device nodes. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`dev_rw_xen',` +interface(`dev_dontaudit_getattr_all',` -+ gen_require(` + gen_require(` +- type device_t, xen_device_t; + attribute device_node; + type device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, xen_device_t) + dontaudit $1 { device_t device_node }:dir_file_class_set getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete Xen devices. +## Get the attributes of the mei devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4674,41 +6105,35 @@ interface(`dev_rw_xen',` + ## + ## + # +-interface(`dev_manage_xen',` +interface(`dev_getattr_mei',` -+ gen_require(` + gen_require(` +- type device_t, xen_device_t; + type device_t, mei_device_t; -+ ') -+ + ') + +- manage_chr_files_pattern($1, device_t, xen_device_t) + getattr_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Automatic type transition to the type +-## for xen device nodes when created in /dev. +## Read the mei devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`dev_filetrans_xen',` +interface(`dev_read_mei',` -+ gen_require(` + gen_require(` +- type device_t, xen_device_t; + type device_t, mei_device_t; -+ ') -+ + ') + +- filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) + read_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of X server miscellaneous devices. +## Read and write to mei devices. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -4716,17 +6141,17 @@ interface(`dev_filetrans_xen',` + ## + ## + # +-interface(`dev_getattr_xserver_misc_dev',` +interface(`dev_rw_mei',` -+ gen_require(` + gen_require(` +- type device_t, xserver_misc_device_t; + type device_t, mei_device_t; -+ ') -+ + ') + +- getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set the attributes of X server miscellaneous devices. +## Read and write uhid devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4734,17 +6159,18 @@ interface(`dev_getattr_xserver_misc_dev',` + ## + ## + # +-interface(`dev_setattr_xserver_misc_dev',` +interface(`dev_rw_uhid_dev',` -+ gen_require(` + gen_require(` +- type device_t, xserver_misc_device_t; + type device_t, uhid_device_t; -+ ') -+ + ') + +- setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, uhid_device_t) -+') + ') + + -+ -+######################################## -+## + ######################################## + ## +-## Read and write X server miscellaneous devices. +## Allow read/write the hypervkvp device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4752,17 +6178,17 @@ interface(`dev_setattr_xserver_misc_dev',` + ## + ## + # +-interface(`dev_rw_xserver_misc',` +interface(`dev_rw_hypervkvp',` -+ gen_require(` + gen_require(` +- type device_t, xserver_misc_device_t; + type device_t, hypervkvp_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, hypervkvp_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write to the zero device (/dev/zero). 
+## Allow read/write the hypervkvp device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4770,17 +6196,17 @@ interface(`dev_rw_xserver_misc',` + ## + ## + # +-interface(`dev_rw_zero',` +interface(`dev_read_gpfs',` -+ gen_require(` + gen_require(` +- type device_t, zero_device_t; + type device_t, gpfs_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, zero_device_t) + read_chr_files_pattern($1, device_t, gpfs_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read, write, and execute the zero device (/dev/zero). +## Allow read/write the gpiochip device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4788,18 +6214,17 @@ interface(`dev_rw_zero',` + ## + ## + # +-interface(`dev_rwx_zero',` +interface(`dev_read_gpio',` -+ gen_require(` + gen_require(` +- type zero_device_t; + type device_t, gpio_device_t; -+ ') -+ + ') + +- dev_rw_zero($1) +- allow $1 zero_device_t:chr_file execute; + read_chr_files_pattern($1, device_t, gpio_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execmod the zero device (/dev/zero). +## Allow read/write the hypervvssd device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4807,47 +6232,911 @@ interface(`dev_rwx_zero',` + ## + ## + # +-interface(`dev_execmod_zero',` +interface(`dev_rw_hypervvssd',` -+ gen_require(` + gen_require(` +- type zero_device_t; + type device_t, hypervvssd_device_t; -+ ') -+ + ') + +- dev_rw_zero($1) +- allow $1 zero_device_t:chr_file execmod; + rw_chr_files_pattern($1, device_t, hypervvssd_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create the zero device (/dev/zero). +## Create all named devices with the correct label -+## -+## -+## + ## + ## + ## +-## Domain allowed access. 
+## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_create_zero_dev',` +interface(`dev_filetrans_printer_named_dev',` + -+ gen_require(` + gen_require(` +- type device_t, zero_device_t; +- ') + type printer_device_t; -+ + +- create_chr_files_pattern($1, device_t, zero_device_t) + ') + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") @@ -9174,18 +10353,26 @@ index 76f285ea6..c28d65c08 100644 + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to devices. +## Create all named devices with the correct label -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_unconfined',` +- gen_require(` +- attribute devices_unconfined_type; +- ') +- +- typeattribute $1 devices_unconfined_type; +interface(`dev_filetrans_all_named_dev',` + +gen_require(` @@ -9201,6 +10388,8 @@ index 76f285ea6..c28d65c08 100644 + type dlm_control_device_t; + type clock_device_t; + type v4l_device_t; ++ type vsock_device_t; ++ type vmci_device_t; + type vfio_device_t; + type event_device_t; + type xen_device_t; 
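Review bot: `dev_execmod_zero` on the new side grants `execmod` on `zero_device_t:chr_file` but not `map`, while the neighbouring `dev_rwx_zero` and `dev_rwx_vmware` in this same hunk now carry `{ map execute }`; once the kernel enforces the `map` permission a domain that calls only `dev_execmod_zero` presumably cannot create the mapping it would later `execmod`, so the rule should read `allow $1 zero_device_t:chr_file { map execmod };` unless every caller is expected to pair it with `dev_rwx_zero`. The hunk also introduces the summary `## Allow read/write inheretid the vhost net device` for `dev_rw_inherited_vhost`; `inheretid` should be `inherited`. For consistency with the adjacent `dev_read_watchdog`/`dev_write_watchdog` summaries, `## RW to watchdog devices.` would better read `## Read and write watchdog devices.`.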
@@ -9368,6 +10557,8 @@ index 76f285ea6..c28d65c08 100644 + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009") ++ filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock") ++ filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event0") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event1") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event2") @@ -10013,9 +11204,9 @@ index 76f285ea6..c28d65c08 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") -+') + ') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a8715a..5c45b9323 100644 +index 0b1a8715a..849b00191 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -10180,7 +11371,7 @@ index 0b1a8715a..5c45b9323 100644 # # Type for /dev/tpm # -@@ -266,6 +330,15 @@ dev_node(usbmon_device_t) +@@ -266,14 +330,30 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) @@ -10196,7 +11387,14 @@ index 0b1a8715a..5c45b9323 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +347,7 @@ dev_node(v4l_device_t) ++type vsock_device_t; ++dev_node(vsock_device_t) ++ ++type vmci_device_t; ++dev_node(vmci_device_t) ++ + # + # vhost_device_t is the type for /dev/vhost-net # type vhost_device_t; dev_node(vhost_device_t) 
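Review bot: The new `type vsock_device_t;` and `type vmci_device_t;` declarations in the devices.te hunk carry no header comment, unlike the adjacent `# vhost_device_t is the type for /dev/vhost-net`; add `# vsock_device_t is the type for /dev/vsock` and `# vmci_device_t is the type for /dev/vmci` above them, those being the node names the two `dev_filetrans_all_named_dev` hunks (the `gen_require` additions on the previous line and the `filetrans_pattern` lines on this one) bind to these types. Within this view those filetrans rules are the only consumers of the new types; if the rest of the patch adds neither a file-context entry for the two nodes nor a `dev_rw_*`-style access interface for them, nodes that exist before the transition fires would keep `device_t` on relabel and no confined domain could be granted the new labels, so confirm both exist elsewhere in the patch.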
@@ -10204,7 +11402,7 @@ index 0b1a8715a..5c45b9323 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +393,8 @@ files_associate_tmp(device_node) +@@ -319,5 +399,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -11402,7 +12600,7 @@ index b876c48ad..2e591a538 100644 + +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76ad..de87579ff 100644 +index f962f76ad..f2b8e4558 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13353,7 +14551,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -3921,6 +4817,26 @@ interface(`files_read_mnt_symlinks',` +@@ -3921,6 +4817,45 @@ interface(`files_read_mnt_symlinks',` read_lnk_files_pattern($1, mnt_t, mnt_t) ') @@ -13376,11 +14574,30 @@ index f962f76ad..de87579ff 100644 + files_read_kernel_modules($1) + allow $1 modules_object_t:system module_load; +') ++ ++######################################## ++## ++## Mmap kernel module files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_map_kernel_modules',` ++ gen_require(` ++ type modules_object_t; ++ ') ++ ++ allow $1 modules_object_t:file map; ++ ++') + ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -4012,6 +4928,7 @@ interface(`files_read_kernel_modules',` +@@ -4012,6 +4947,7 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) 
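Review bot: `files_map_kernel_modules` grants only `modules_object_t:file map`; mapping a module file also needs the read/open permissions that `files_read_kernel_modules` supplies, and unlike the interface directly above it (whose name lies before this hunk, but which calls `files_read_kernel_modules($1)` before granting `module_load`) this one neither calls it nor says so. Either add `files_read_kernel_modules($1)` ahead of the allow rule, or extend the summary to `## Mmap kernel module files. Callers also need read access, e.g. files_read_kernel_modules().` so the caller's obligation is explicit. The stray empty line between `allow $1 modules_object_t:file map;` and `')` should also go, matching the other interfaces in this file.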
@@ -13388,7 +14605,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -4217,78 +5134,289 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,48 +5153,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13460,26 +14677,18 @@ index f962f76ad..de87579ff 100644 -## Do not audit attempts to get the -## attributes of the tmp directory (/tmp). +## File name transition for system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_getattr_tmp_dirs',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t, usr_t; + ') - -- dontaudit $1 tmp_t:dir getattr; ++ + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") @@ -13500,24 +14709,18 @@ index f962f76ad..de87579ff 100644 + filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d") + filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d") + filetrans_pattern($1, usr_t, system_conf_t, dir, "repo") - ') - --######################################## ++') ++ +###################################### - ## --## Search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_search_tmp',` ++## ++# +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; 
@@ -13644,13 +14847,13 @@ index f962f76ad..de87579ff 100644 +######################################## +## +## Get the attributes of the tmp directory (/tmp). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4266,6 +5372,45 @@ interface(`files_getattr_tmp_dirs',` + ## + ## + # +interface(`files_getattr_tmp_dirs',` + gen_require(` + type tmp_t; @@ -13690,27 +14893,11 @@ index f962f76ad..de87579ff 100644 +## +## +# -+interface(`files_dontaudit_getattr_tmp_dirs',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ dontaudit $1 tmp_t:dir getattr; -+') -+ -+######################################## -+## -+## Search the tmp directory (/tmp). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_tmp',` + interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; +@@ -4289,6 +5434,8 @@ interface(`files_search_tmp',` + type tmp_t; ') + fs_search_tmpfs($1) @@ -13718,7 +14905,7 @@ index f962f76ad..de87579ff 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5453,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5472,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -13726,7 +14913,7 @@ index f962f76ad..de87579ff 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5463,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5482,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13735,7 +14922,7 @@ index f962f76ad..de87579ff 100644 ## ## # -@@ -4346,6 +5475,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,6 +5494,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13761,7 +14948,7 @@ index f962f76ad..de87579ff 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4361,6 +5509,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4361,6 +5528,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') 
@@ -13769,7 +14956,7 @@ index f962f76ad..de87579ff 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5551,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5570,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -13802,7 +14989,7 @@ index f962f76ad..de87579ff 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5631,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5650,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -13845,7 +15032,7 @@ index f962f76ad..de87579ff 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5685,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5704,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -13906,7 +15093,7 @@ index f962f76ad..de87579ff 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5784,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5803,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -13915,7 +15102,7 @@ index f962f76ad..de87579ff 100644 ## ## # -@@ -4579,7 +5844,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5863,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -13924,7 +15111,7 @@ index f962f76ad..de87579ff 100644 ## ## # -@@ -4611,15 +5876,53 @@ interface(`files_read_all_tmp_files',` +@@ -4611,17 +5895,55 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -13955,7 +15142,8 @@ index f962f76ad..de87579ff 100644 +## all leaked tmpfiles files. +## +## -+## + ## +-## The type of the object to be created. +## Domain to not audit. +## +## 
@@ -13979,10 +15167,12 @@ index f962f76ad..de87579ff 100644 +## +## +## - ## - ## The type of the object to be created. ++## ++## The type of the object to be created. ## -@@ -4664,6 +5967,16 @@ interface(`files_purge_tmp',` + ## + ## +@@ -4664,6 +5986,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -13999,7 +15189,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -4814,6 +6127,24 @@ interface(`files_delete_usr_files',` +@@ -4814,6 +6146,24 @@ interface(`files_delete_usr_files',` ######################################## ## @@ -14024,7 +15214,7 @@ index f962f76ad..de87579ff 100644 ## Get the attributes of files in /usr. ## ## -@@ -5112,6 +6443,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6462,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -14049,7 +15239,7 @@ index f962f76ad..de87579ff 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6590,24 @@ interface(`files_list_var',` +@@ -5241,6 +6609,24 @@ interface(`files_list_var',` ######################################## ## @@ -14074,7 +15264,7 @@ index f962f76ad..de87579ff 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6695,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6714,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -14083,7 +15273,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -5419,6 +6786,24 @@ interface(`files_var_filetrans',` +@@ -5419,6 +6805,24 @@ interface(`files_var_filetrans',` filetrans_pattern($1, var_t, $2, $3, $4) ') 
@@ -14108,7 +15298,7 @@ index f962f76ad..de87579ff 100644 ######################################## ## ## Get the attributes of the /var/lib directory. -@@ -5527,6 +6912,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6931,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -14134,7 +15324,7 @@ index f962f76ad..de87579ff 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +7000,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +7019,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -14160,7 +15350,7 @@ index f962f76ad..de87579ff 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5619,6 +7042,42 @@ interface(`files_manage_urandom_seed',` +@@ -5619,6 +7061,42 @@ interface(`files_manage_urandom_seed',` manage_files_pattern($1, var_lib_t, var_lib_t) ') @@ -14203,7 +15393,7 @@ index f962f76ad..de87579ff 100644 ######################################## ## ## Allow domain to manage mount tables -@@ -5641,7 +7100,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +7119,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -14212,7 +15402,7 @@ index f962f76ad..de87579ff 100644 ## ## ## -@@ -5649,12 +7108,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +7127,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -14228,7 +15418,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -5672,6 +7132,7 @@ interface(`files_search_locks',` +@@ -5672,6 +7151,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') 
@@ -14236,7 +15426,7 @@ index f962f76ad..de87579ff 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +7159,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +7178,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -14264,7 +15454,7 @@ index f962f76ad..de87579ff 100644 ## ## ## -@@ -5706,13 +7186,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +7205,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14281,7 +15471,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -5731,7 +7210,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +7229,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -14290,7 +15480,7 @@ index f962f76ad..de87579ff 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7243,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +7262,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -14298,7 +15488,7 @@ index f962f76ad..de87579ff 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7257,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7276,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -14307,7 +15497,7 @@ index f962f76ad..de87579ff 100644 ## ## ## -@@ -5787,13 +7265,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7284,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -14342,7 +15532,7 @@ index f962f76ad..de87579ff 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7307,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7326,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -14360,7 +15550,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -5834,9 +7331,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7350,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -14371,7 +15561,7 @@ index f962f76ad..de87579ff 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7373,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7392,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -14381,7 +15571,7 @@ index f962f76ad..de87579ff 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7395,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7414,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -14391,7 +15581,7 @@ index f962f76ad..de87579ff 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7432,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7451,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -14401,7 +15591,7 @@ index f962f76ad..de87579ff 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7471,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7490,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -14410,7 +15600,7 @@ index f962f76ad..de87579ff 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7491,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7510,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -14459,113 +15649,69 @@ index f962f76ad..de87579ff 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,47 +7555,45 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7574,43 @@ interface(`files_dontaudit_search_pids',` ######################################## ## --## List the contents of the runtime process --## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_list_pids',` ++## ++## ++# +interface(`files_dontaudit_search_all_pids',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) ++ ') ++ + dontaudit $1 pidfile:dir search_dir_perms; - ') - - ######################################## - ## --## Read generic process ID files. ++') ++ ++######################################## ++## +## Allow search the all /var/run directory. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_read_generic_pids',` ++## ++## ++# +interface(`files_search_all_pids',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + attribute pidfile; ++ ') ++ ++ allow $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List the contents of the runtime process + ## ID directories (/var/run). 
+ ## +@@ -6039,7 +7625,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) -+ allow $1 pidfile:dir search_dir_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) ') - ######################################## - ## --## Write named generic process ID pipes -+## List the contents of the runtime process -+## ID directories (/var/run). - ## - ## - ## -@@ -6073,12 +7601,51 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` -+interface(`files_list_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ +@@ -6058,7 +7644,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+') -+ -+######################################## -+## -+## Read generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## Write named generic process ID pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_write_generic_pid_pipes',` - gen_require(` + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6078,7 +7664,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -14574,7 +15720,7 @@ index f962f76ad..de87579ff 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7707,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7726,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
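Review bot: The new `files_search_all_pids` interface in this hunk is an allow interface, but its parameter description still reads `## Domain to not audit.`, evidently copied from `files_dontaudit_search_all_pids` directly above it; it should read `## Domain allowed access.`. The summary lines of both interfaces also read oddly (`## Allow search the all /var/run directory.` and `## the all /var/run directory.`); since both bodies act on `pidfile:dir` rather than on var_run_t, `## Search all directories labeled with the pidfile attribute.` and `## Do not audit attempts to search directories labeled with the pidfile attribute.` describe what is actually granted. These lines predate the commit, but the hunk rewrites the surrounding region, so this is the place to fix them.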
@@ -14582,7 +15728,7 @@ index f962f76ad..de87579ff 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7735,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7754,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -14607,7 +15753,7 @@ index f962f76ad..de87579ff 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7766,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7785,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') 
@@ -14616,307 +15762,221 @@ index f962f76ad..de87579ff 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7833,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,6 +7852,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Read all process ID files. +## Relable all pid directories - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_read_all_pids',` -+interface(`files_relabel_all_pid_dirs',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) -+ relabel_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Delete all process IDs. -+## Delete all pid sockets - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_delete_all_pids',` -+interface(`files_delete_all_pid_sockets',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+ allow $1 pidfile:sock_file delete_sock_file_perms; - ') - - ######################################## - ## --## Delete all process ID directories. 
-+## Create all pid sockets - ## - ## - ## -@@ -6305,42 +7877,35 @@ interface(`files_delete_all_pids',` - ## - ## - # --interface(`files_delete_all_pid_dirs',` -+interface(`files_create_all_pid_sockets',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) -+ allow $1 pidfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content -+## Create all pid named pipes - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` -+interface(`files_create_all_pid_pipes',` - gen_require(` - attribute pidfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 pidfile:fifo_file create_fifo_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. -+## Delete all pid named pipes - ## - ## - ## -@@ -6348,18 +7913,18 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_pid_pipes',` - gen_require(` -- attribute polymember; ++## ++## ++# ++interface(`files_relabel_all_pid_dirs',` ++ gen_require(` + attribute pidfile; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ ++ relabel_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Delete all pid sockets ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_delete_all_pid_sockets',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## ++## Create all pid sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_pid_sockets',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Create all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file create_fifo_file_perms; ++') ++ ++######################################## ++## ++## Delete all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:fifo_file delete_fifo_file_perms; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). ++') ++ ++######################################## ++## +## manage all pidfile directories +## in the /var/run directory. - ## - ## - ## -@@ -6367,37 +7932,40 @@ interface(`files_mounton_all_poly_members',` - ## - ## - # --interface(`files_search_spool',` -+interface(`files_manage_all_pid_dirs',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; - ') - -- search_dirs_pattern($1, var_t, var_spool_t) -+ manage_dirs_pattern($1,pidfile,pidfile) - ') - -+ - ######################################## - ## --## Do not audit attempts to search generic --## spool directories. -+## Read all process ID files. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. 
- ## - ## -+## - # --interface(`files_dontaudit_search_spool',` -+interface(`files_read_all_pids',` - gen_require(` -- type var_spool_t; ++## ++## ++# ++interface(`files_manage_all_pid_dirs',` ++ gen_require(` + attribute pidfile; ++ ') ++ ++ manage_dirs_pattern($1,pidfile,pidfile) ++') ++ ++ ++######################################## ++## + ## Read all process ID files. + ## + ## +@@ -6261,12 +7974,105 @@ interface(`files_dontaudit_ioctl_all_pids',` + interface(`files_read_all_pids',` + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + type var_t; ') -- dontaudit $1 var_spool_t:dir search_dir_perms; -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. ++') ++ ++######################################## ++## +## Relable all pid files - ## - ## - ## -@@ -6405,18 +7973,17 @@ interface(`files_dontaudit_search_spool',` - ## - ## - # --interface(`files_list_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabel_all_pid_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + relabel_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). ++') ++ ++######################################## ++## +## Execute generic programs in /var/run in the caller domain. - ## - ## - ## -@@ -6424,18 +7991,18 @@ interface(`files_list_spool',` - ## - ## - # --interface(`files_manage_generic_spool_dirs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_exec_generic_pid_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + exec_files_pattern($1, var_run_t, var_run_t) - ') - - ######################################## - ## --## Read generic spool files. ++') ++ ++######################################## ++## +## Write all sockets +## in the /var/run directory. - ## - ## - ## -@@ -6443,19 +8010,18 @@ interface(`files_manage_generic_spool_dirs',` - ## - ## - # --interface(`files_read_generic_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_write_all_pid_sockets',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + allow $1 pidfile:sock_file write_sock_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. ++') ++ ++######################################## ++## +## manage all pidfiles +## in the /var/run directory. - ## - ## - ## -@@ -6463,55 +8029,62 @@ interface(`files_read_generic_spool',` - ## - ## - # --interface(`files_manage_generic_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + manage_files_pattern($1,pidfile,pidfile) - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Mount filesystems on all polyinstantiation +## member directories. - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`files_mounton_all_poly_members',` + gen_require(` 
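Review bot: The interface descriptions added in this hunk for `files_relabel_all_pid_dirs` and `files_relabel_all_pid_files` both misspell the verb as `## Relable all pid directories` and `## Relable all pid files`; these comment blocks feed the generated interface documentation, so they should read `## Relabel all pid directories` and `## Relabel all pid files`. The rule bodies in `files_manage_all_pid_dirs` and `files_manage_all_pids` are written as `manage_dirs_pattern($1,pidfile,pidfile)` and `manage_files_pattern($1,pidfile,pidfile)` while every other pattern call in the hunk separates arguments with `, `; `manage_dirs_pattern($1, pidfile, pidfile)` and `manage_files_pattern($1, pidfile, pidfile)` keep the style consistent. Both manage interfaces grant create, write and delete access over everything carrying the pidfile attribute rather than one daemon's runtime type, which the description could state so that callers prefer a per-domain interface where one exists.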
@@ -14924,100 +15984,33 @@ index f962f76ad..de87579ff 100644 + ') + + allow $1 polymember:dir mounton; -+') -+ -+######################################## -+## -+## Delete all process IDs. -+## -+## - ## --## The name of the object being created. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_spool_filetrans',` -+interface(`files_delete_all_pids',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; -+ type var_t, var_run_t; + ') + + ######################################## +@@ -6286,8 +8092,8 @@ interface(`files_delete_all_pids',` + type var_t, var_run_t; ') + files_search_pids($1) allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) +@@ -6311,36 +8117,80 @@ interface(`files_delete_all_pid_dirs',` + type var_t, var_run_t; + ') + ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) ') ######################################## ## --## Allow access to manage all polyinstantiated --## directories on the system. -+## Delete all process ID directories. 
- ## - ## - ## -@@ -6519,53 +8092,332 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` -+interface(`files_delete_all_pid_dirs',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; -+ attribute pidfile; -+ type var_t, var_run_t; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) -+ files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) -+') - -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) -+######################################## -+## +-## Create, read, write and delete all +-## var_run (pid) content +## Make the specified type a file +## used for spool files. +## 
@@ -15058,46 +16051,56 @@ index f962f76ad..de87579ff 100644 +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; - ') ++ ') + + files_type($1) + typeattribute $1 spoolfile; - ') - - ######################################## - ## --## Unconfined access to files. -+## Create all spool sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_spool_sockets',` -+ gen_require(` -+ attribute spoolfile; -+ ') -+ -+ allow $1 spoolfile:sock_file create_sock_file_perms; +') + +######################################## +## -+## Delete all spool sockets -+## -+## -+## ++## Create all spool sockets + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_spool_sockets',` -+ gen_require(` + ## + ## + # +-interface(`files_manage_all_pids',` ++interface(`files_create_all_spool_sockets',` + gen_require(` +- attribute pidfile; + attribute spoolfile; -+ ') -+ + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 spoolfile:sock_file create_sock_file_perms; + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Delete all spool sockets + ## + ## + ## +@@ -6348,12 +8198,33 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` +- attribute polymember; ++ attribute spoolfile; + ') + +- allow $1 polymember:dir mounton; + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + 
@@ -15120,222 +16123,10 @@ index f962f76ad..de87579ff 100644 + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ -+######################################## -+## -+## Search the contents of generic spool -+## directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search generic -+## spool directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_spool',` -+ gen_require(` -+ type var_spool_t; -+ ') -+ -+ dontaudit $1 var_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of generic spool -+## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool_dirs',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Read generic spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_manage_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create objects in the spool directory -+## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_spool_filetrans',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Allow access to manage all polyinstantiated -+## directories on the system. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_polyinstantiate_all',` -+ gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; -+ ') -+ -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; -+ -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) -+ -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ -+ ifdef(`distro_redhat',` -+ # namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) -+ ') -+') -+ -+######################################## -+## -+## Unconfined access to files. - ## - ## - ## -@@ -6580,3 +8432,623 @@ interface(`files_unconfined',` + ') + + ######################################## +@@ -6580,3 +8451,623 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -24690,10 +25481,10 @@ index 234a940f9..a92415a9d 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fca2..88ac7d6bb 100644 +index 0fef1fca2..6773aa784 100644 
--- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,11 +8,73 @@ policy_module(staff, 2.4.0) +@@ -8,11 +8,75 @@ policy_module(staff, 2.4.0) role staff_r; userdom_unpriv_user_template(staff) @@ -24726,6 +25517,7 @@ index 0fef1fca2..88ac7d6bb 100644 + +dev_read_cpuid(staff_t) +dev_read_kmsg(staff_t) ++dev_map_video_dev(staff_t) + +domain_read_all_domains_state(staff_t) +domain_getcap_all_domains(staff_t) @@ -24752,6 +25544,7 @@ index 0fef1fca2..88ac7d6bb 100644 +init_status(staff_t) + +miscfiles_read_hwdata(staff_t) ++miscfiles_map_generic_certs(staff_t) + +ifndef(`enable_mls',` + selinux_read_policy(staff_t) @@ -24767,7 +25560,7 @@ index 0fef1fca2..88ac7d6bb 100644 optional_policy(` apache_role(staff_r, staff_t) -@@ -23,11 +85,128 @@ optional_policy(` +@@ -23,11 +87,132 @@ optional_policy(` ') optional_policy(` @@ -24854,6 +25647,10 @@ index 0fef1fca2..88ac7d6bb 100644 +') + +optional_policy(` ++ mandb_map_cache_files(staff_t) ++') ++ ++optional_policy(` + mock_role(staff_r, staff_t) +') + @@ -24897,7 +25694,7 @@ index 0fef1fca2..88ac7d6bb 100644 ') optional_policy(` -@@ -35,20 +214,74 @@ optional_policy(` +@@ -35,20 +220,74 @@ optional_policy(` ') optional_policy(` @@ -24974,7 +25771,7 @@ index 0fef1fca2..88ac7d6bb 100644 ') optional_policy(` -@@ -56,7 +289,20 @@ optional_policy(` +@@ -56,7 +295,20 @@ optional_policy(` ') optional_policy(` @@ -24996,7 +25793,7 @@ index 0fef1fca2..88ac7d6bb 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +311,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +317,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25007,7 +25804,7 @@ index 0fef1fca2..88ac7d6bb 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +320,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +326,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) 
@@ -25018,7 +25815,7 @@ index 0fef1fca2..88ac7d6bb 100644 ') optional_policy(` -@@ -101,10 +339,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +345,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25029,7 +25826,7 @@ index 0fef1fca2..88ac7d6bb 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +359,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +365,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25040,7 +25837,7 @@ index 0fef1fca2..88ac7d6bb 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +371,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +377,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25051,7 +25848,7 @@ index 0fef1fca2..88ac7d6bb 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +402,24 @@ ifndef(`distro_redhat',` +@@ -176,3 +408,24 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -25105,10 +25902,10 @@ index ff9243078..36740eab3 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6c0..800f41930 100644 +index 2522ca6c0..7aeed7254 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,105 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1) # Declarations # @@ -25179,6 +25976,8 @@ index 2522ca6c0..800f41930 100644 +init_undefined(sysadm_t) + +logging_filetrans_named_content(sysadm_t) ++logging_map_audit_config(sysadm_t) ++logging_map_audit_log(sysadm_t) + +miscfiles_filetrans_named_content(sysadm_t) +miscfiles_read_hwdata(sysadm_t) @@ -25224,7 +26023,7 @@ index 2522ca6c0..800f41930 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +121,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +123,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') 
@@ -25239,7 +26038,7 @@ index 2522ca6c0..800f41930 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +131,9 @@ optional_policy(` +@@ -71,9 +133,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -25250,7 +26049,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -87,6 +147,7 @@ optional_policy(` +@@ -87,6 +149,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -25258,7 +26057,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -110,11 +171,17 @@ optional_policy(` +@@ -110,11 +173,17 @@ optional_policy(` ') optional_policy(` @@ -25276,7 +26075,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -122,11 +189,27 @@ optional_policy(` +@@ -122,11 +191,27 @@ optional_policy(` ') optional_policy(` @@ -25306,7 +26105,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -140,6 +223,10 @@ optional_policy(` +@@ -140,6 +225,10 @@ optional_policy(` ') optional_policy(` @@ -25317,7 +26116,7 @@ index 2522ca6c0..800f41930 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +243,10 @@ optional_policy(` +@@ -156,6 +245,10 @@ optional_policy(` ') optional_policy(` @@ -25328,7 +26127,7 @@ index 2522ca6c0..800f41930 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -164,6 +255,11 @@ optional_policy(` +@@ -164,6 +257,11 @@ optional_policy(` ') optional_policy(` @@ -25340,7 +26139,7 @@ index 2522ca6c0..800f41930 100644 hadoop_role(sysadm_r, sysadm_t) ') -@@ -172,13 +268,31 @@ optional_policy(` +@@ -172,13 +270,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) @@ -25372,7 +26171,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -190,11 +304,12 @@ optional_policy(` +@@ -190,11 +306,12 @@ optional_policy(` ') optional_policy(` 
@@ -25387,7 +26186,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -210,22 +325,21 @@ optional_policy(` +@@ -210,22 +327,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -25417,7 +26216,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -237,14 +351,32 @@ optional_policy(` +@@ -237,14 +353,32 @@ optional_policy(` ') optional_policy(` @@ -25450,7 +26249,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -252,10 +384,20 @@ optional_policy(` +@@ -252,10 +386,20 @@ optional_policy(` ') optional_policy(` @@ -25471,7 +26270,7 @@ index 2522ca6c0..800f41930 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +408,46 @@ optional_policy(` +@@ -266,35 +410,46 @@ optional_policy(` ') optional_policy(` @@ -25525,7 +26324,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -308,6 +461,7 @@ optional_policy(` +@@ -308,6 +463,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25533,7 +26332,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -315,12 +469,20 @@ optional_policy(` +@@ -315,12 +471,20 @@ optional_policy(` ') optional_policy(` @@ -25555,7 +26354,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -345,30 +507,38 @@ optional_policy(` +@@ -345,30 +509,38 @@ optional_policy(` ') optional_policy(` @@ -25603,7 +26402,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -380,10 +550,6 @@ optional_policy(` +@@ -380,10 +552,6 @@ optional_policy(` ') optional_policy(` 
@@ -25614,7 +26413,7 @@ index 2522ca6c0..800f41930 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +557,9 @@ optional_policy(` +@@ -391,6 +559,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25624,7 +26423,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -398,31 +567,34 @@ optional_policy(` +@@ -398,31 +569,34 @@ optional_policy(` ') optional_policy(` @@ -25665,7 +26464,7 @@ index 2522ca6c0..800f41930 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +607,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +609,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25676,7 +26475,7 @@ index 2522ca6c0..800f41930 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +627,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +629,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -31153,7 +31952,7 @@ index 6bf0ecc2d..29db5fd25 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..a03fa4661 100644 +index 8b403774f..af9ee8070 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32216,7 +33015,7 @@ index 8b403774f..a03fa4661 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1129,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,36 +1129,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -32227,7 +33026,12 @@ index 8b403774f..a03fa4661 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1144,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) + manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) + manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) + fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++allow xserver_t xserver_tmpfs_t:file map; + + manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -32269,11 +33073,12 @@ index 8b403774f..a03fa4661 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1195,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1196,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) -dev_filetrans_dri(xserver_t) ++dev_map_dri(xserver_t) dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer @@ -32301,7 +33106,7 @@ index 8b403774f..a03fa4661 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1228,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1230,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32316,7 +33121,7 @@ index 8b403774f..a03fa4661 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1249,18 @@ init_getpgid(xserver_t) +@@ -718,28 +1251,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
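Review bot: `allow xserver_t xserver_tmpfs_t:file map;` is inserted after `fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, ...)` rather than with the `manage_*_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)` group it extends, which separates the access rules from their filetrans line. Moving it up above `fs_tmpfs_filetrans` keeps the tmpfs rules together, and a short why-comment would help, e.g. `# X server mmaps its own tmpfs-backed files (presumably shared-memory buffers; confirm)`. `dev_map_dri(xserver_t)` in the later hunk on this line sits next to `dev_manage_dri_dev(xserver_t)` and reads fine.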
@@ -32340,16 +33145,16 @@ index 8b403774f..a03fa4661 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1268,6 @@ userdom_setattr_user_ttys(xserver_t) + userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) - --xserver_use_user_fonts(xserver_t) - +-xserver_use_user_fonts(xserver_t) ++userdom_map_tmp_files(xserver_t) + ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; - domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1312,54 @@ optional_policy(` +@@ -785,17 +1315,54 @@ optional_policy(` ') optional_policy(` @@ -32406,7 +33211,7 @@ index 8b403774f..a03fa4661 100644 ') optional_policy(` -@@ -803,6 +1367,10 @@ optional_policy(` +@@ -803,6 +1370,10 @@ optional_policy(` ') optional_policy(` @@ -32417,7 +33222,7 @@ index 8b403774f..a03fa4661 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1386,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1389,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -32442,7 +33247,7 @@ index 8b403774f..a03fa4661 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1409,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1412,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -32477,7 +33282,7 @@ index 8b403774f..a03fa4661 100644 ') optional_policy(` -@@ -912,7 +1474,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1477,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -32486,7 +33291,7 @@ index 8b403774f..a03fa4661 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1528,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1531,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -32518,7 +33323,7 @@ index 8b403774f..a03fa4661 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1574,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1577,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -40543,7 +41348,7 @@ index b50c5fe81..9eacd9ba1 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e9488463..e7d5f42a5 100644 +index 4e9488463..2db173f77 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -81,6 +81,24 @@ interface(`logging_dontaudit_send_audit_msgs',` 
@@ -40571,7 +41376,32 @@ index 4e9488463..e7d5f42a5 100644 ## Set login uid ## ## -@@ -233,7 +251,7 @@ interface(`logging_run_auditd',` +@@ -146,6 +164,24 @@ interface(`logging_read_audit_log',` + + ######################################## + ## ++## Map the audit log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_map_audit_log',` ++ gen_require(` ++ type auditd_log_t; ++ ') ++ ++ allow $1 auditd_log_t:file map; ++') ++######################################## ++## + ## Execute auditctl in the auditctl domain. + ## + ## +@@ -233,7 +269,7 @@ interface(`logging_run_auditd',` ######################################## ## @@ -40580,7 +41410,7 @@ index 4e9488463..e7d5f42a5 100644 ## ## ## -@@ -318,7 +336,7 @@ interface(`logging_dispatcher_domain',` +@@ -318,7 +354,7 @@ interface(`logging_dispatcher_domain',` ######################################## ## @@ -40589,7 +41419,7 @@ index 4e9488463..e7d5f42a5 100644 ## ## ## -@@ -496,6 +514,68 @@ interface(`logging_log_filetrans',` +@@ -496,6 +532,68 @@ interface(`logging_log_filetrans',` filetrans_pattern($1, var_log_t, $2, $3, $4) ') @@ -40658,7 +41488,7 @@ index 4e9488463..e7d5f42a5 100644 ######################################## ## ## Send system log messages. -@@ -530,22 +610,107 @@ interface(`logging_log_filetrans',` +@@ -530,22 +628,107 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` 
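Review bot: The new `logging_map_audit_log` interface is not separated from the next interface: `++')` is immediately followed by `++########################################`, whereas every other interface in logging.if — including `logging_map_audit_config` added later in this same patch — has a blank line before the `####` banner. Add a blank `+` line after `++')`. The description could also record that `map` does not imply read, e.g. `## Map the audit log. Callers also need read access, see logging_read_audit_log().`, since the `logging_read_audit_log` interface is visible just above in the same hunk.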
@@ -40778,10 +41608,29 @@ index 4e9488463..e7d5f42a5 100644 ') ######################################## -@@ -571,6 +736,25 @@ interface(`logging_read_audit_config',` +@@ -571,6 +754,44 @@ interface(`logging_read_audit_config',` ######################################## ## ++## Map the auditd configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_map_audit_config',` ++ gen_require(` ++ type auditd_etc_t; ++ ') ++ ++ allow $1 auditd_etc_t:file map; ++') ++ ++######################################## ++## +## dontaudit search of auditd log files. +## +## @@ -40804,7 +41653,7 @@ index 4e9488463..e7d5f42a5 100644 ## dontaudit search of auditd configuration files. ## ## -@@ -609,6 +793,25 @@ interface(`logging_read_syslog_config',` +@@ -609,6 +830,25 @@ interface(`logging_read_syslog_config',` ######################################## ## @@ -40830,7 +41679,7 @@ index 4e9488463..e7d5f42a5 100644 ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -@@ -722,6 +925,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -722,6 +962,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') @@ -40856,7 +41705,7 @@ index 4e9488463..e7d5f42a5 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +998,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +1035,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -40883,7 +41732,7 @@ index 4e9488463..e7d5f42a5 100644 ') ######################################## -@@ -859,7 +1099,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1136,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) 
@@ -40892,7 +41741,7 @@ index 4e9488463..e7d5f42a5 100644 ') ######################################## -@@ -880,11 +1120,69 @@ interface(`logging_read_generic_logs',` +@@ -880,11 +1157,69 @@ interface(`logging_read_generic_logs',` files_search_var($1) allow $1 var_log_t:dir list_dir_perms; @@ -40962,7 +41811,7 @@ index 4e9488463..e7d5f42a5 100644 ## Write generic log files. ## ## -@@ -905,6 +1203,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1240,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -40987,7 +41836,7 @@ index 4e9488463..e7d5f42a5 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1300,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1337,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -41005,7 +41854,7 @@ index 4e9488463..e7d5f42a5 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1325,55 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1362,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -41061,7 +41910,7 @@ index 4e9488463..e7d5f42a5 100644 ') ######################################## -@@ -1032,10 +1402,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1439,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -41079,7 +41928,7 @@ index 4e9488463..e7d5f42a5 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1432,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1469,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
@@ -41088,7 +41937,7 @@ index 4e9488463..e7d5f42a5 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1462,110 @@ interface(`logging_admin',` +@@ -1085,3 +1499,110 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -41200,7 +42049,7 @@ index 4e9488463..e7d5f42a5 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..370f8a825 100644 +index 59b04c1a2..ba742cd03 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -41283,7 +42132,7 @@ index 59b04c1a2..370f8a825 100644 ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) -@@ -94,6 +129,8 @@ ifdef(`enable_mls',` +@@ -94,8 +129,11 @@ ifdef(`enable_mls',` allow auditctl_t self:capability { fsetid dac_read_search dac_override }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; @@ -41291,8 +42140,11 @@ index 59b04c1a2..370f8a825 100644 + read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; ++allow auditctl_t auditd_etc_t:file map; -@@ -111,7 +148,9 @@ domain_use_interactive_fds(auditctl_t) + # Needed for adding watches + files_getattr_all_dirs(auditctl_t) +@@ -111,7 +149,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -41303,7 +42155,7 @@ index 59b04c1a2..370f8a825 100644 init_dontaudit_use_fds(auditctl_t) -@@ -134,11 +173,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms; +@@ -134,11 +174,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms; allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; 
@@ -41318,7 +42170,7 @@ index 59b04c1a2..370f8a825 100644 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -@@ -148,6 +188,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -148,6 +189,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -41326,7 +42178,7 @@ index 59b04c1a2..370f8a825 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +196,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +197,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -41336,7 +42188,7 @@ index 59b04c1a2..370f8a825 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +221,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +222,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -41358,7 +42210,7 @@ index 59b04c1a2..370f8a825 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -219,7 +258,7 @@ optional_policy(` +@@ -219,7 +259,7 @@ optional_policy(` # audit dispatcher local policy # @@ -41367,7 +42219,7 @@ index 59b04c1a2..370f8a825 100644 allow audisp_t self:process { getcap signal_perms setcap setsched }; allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; -@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +277,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
@@ -41399,7 +42251,7 @@ index 59b04c1a2..370f8a825 100644 ') ######################################## -@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +@@ -266,9 +316,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) @@ -41411,7 +42263,7 @@ index 59b04c1a2..370f8a825 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,13 +330,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,13 +331,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -41439,7 +42291,7 @@ index 59b04c1a2..370f8a825 100644 ######################################## # # klogd local policy -@@ -326,7 +389,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +390,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -41447,7 +42299,7 @@ index 59b04c1a2..370f8a825 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +417,13 @@ optional_policy(` +@@ -355,13 +418,13 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -41465,7 +42317,7 @@ index 59b04c1a2..370f8a825 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,15 +431,20 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,15 +432,20 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; 
@@ -41487,7 +42339,7 @@ index 59b04c1a2..370f8a825 100644 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) -@@ -389,30 +456,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +457,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -41539,7 +42391,7 @@ index 59b04c1a2..370f8a825 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +507,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +508,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -41548,7 +42400,7 @@ index 59b04c1a2..370f8a825 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +519,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +520,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -41582,7 +42434,7 @@ index 59b04c1a2..370f8a825 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +558,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +559,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) 
@@ -41600,7 +42452,7 @@ index 59b04c1a2..370f8a825 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +580,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +581,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -41616,7 +42468,7 @@ index 59b04c1a2..370f8a825 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +612,7 @@ optional_policy(` +@@ -497,6 +613,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -41624,7 +42476,7 @@ index 59b04c1a2..370f8a825 100644 ') optional_policy(` -@@ -507,15 +623,44 @@ optional_policy(` +@@ -507,15 +624,44 @@ optional_policy(` ') optional_policy(` @@ -41669,7 +42521,7 @@ index 59b04c1a2..370f8a825 100644 ') optional_policy(` -@@ -526,3 +671,29 @@ optional_policy(` +@@ -526,3 +672,29 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -42154,7 +43006,7 @@ index 58bc27f22..90f567300 100644 + + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c410..b0cb1e565 100644 +index 79048c410..924fa2e75 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -42280,7 +43132,7 @@ index 79048c410..b0cb1e565 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -202,8 +222,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -202,10 +222,13 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) 
@@ -42291,8 +43143,11 @@ index 79048c410..b0cb1e565 100644 +init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) ++allow lvm_t lvm_etc_t:file map; read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +242,7 @@ kernel_read_kernel_sysctls(lvm_t) + # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d + manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t) +@@ -220,6 +243,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -42300,7 +43155,7 @@ index 79048c410..b0cb1e565 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +253,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +254,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -42315,7 +43170,7 @@ index 79048c410..b0cb1e565 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +271,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +272,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -42323,7 +43178,7 @@ index 79048c410..b0cb1e565 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +281,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +282,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -42346,7 +43201,7 @@ index 79048c410..b0cb1e565 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +315,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +316,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) 
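Review bot: `allow lvm_t lvm_etc_t:file map;` is inserted between `read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)` and `read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)`, splitting the pair of read patterns on the same type; placing it after the `read_lnk_files_pattern` line keeps the patterns together. A raw `allow` on the module's own type is the convention in this file, but a brief comment such as `# lvm tools mmap their lvm_etc_t config files` would explain why mmap is needed beyond read. The other hunks on this line only renumber inner `@@` headers.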
@@ -42355,7 +43210,7 @@ index 79048c410..b0cb1e565 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +323,23 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +324,23 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -42380,7 +43235,7 @@ index 79048c410..b0cb1e565 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +351,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +352,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -42392,7 +43247,7 @@ index 79048c410..b0cb1e565 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -321,6 +364,10 @@ optional_policy(` +@@ -321,6 +365,10 @@ optional_policy(` ') optional_policy(` @@ -42403,7 +43258,7 @@ index 79048c410..b0cb1e565 100644 gpm_dontaudit_getattr_gpmctl(lvm_t) ') -@@ -333,14 +380,30 @@ optional_policy(` +@@ -333,14 +381,30 @@ optional_policy(` ') optional_policy(` @@ -43062,7 +43917,7 @@ index 7449974f6..b79290062 100644 + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a363b8b2..aa59857ad 100644 +index 7a363b8b2..3a6ded940 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) @@ -43177,7 +44032,7 @@ index 7a363b8b2..aa59857ad 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -115,20 +124,28 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) +@@ -115,20 +124,29 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) 
@@ -43193,6 +44048,7 @@ index 7a363b8b2..aa59857ad 100644 kernel_load_module(insmod_t) -kernel_request_load_module(insmod_t) +files_manage_kernel_modules(insmod_t) ++files_map_kernel_modules(insmod_t) kernel_read_system_state(insmod_t) kernel_read_network_state(insmod_t) kernel_write_proc_files(insmod_t) @@ -43208,7 +44064,7 @@ index 7a363b8b2..aa59857ad 100644 kernel_setsched(insmod_t) corecmd_exec_bin(insmod_t) -@@ -142,40 +159,55 @@ dev_rw_agp(insmod_t) +@@ -142,40 +160,55 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -43268,7 +44124,7 @@ index 7a363b8b2..aa59857ad 100644 kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +216,33 @@ optional_policy(` +@@ -184,28 +217,33 @@ optional_policy(` ') optional_policy(` @@ -43309,7 +44165,7 @@ index 7a363b8b2..aa59857ad 100644 ') optional_policy(` -@@ -225,6 +262,7 @@ optional_policy(` +@@ -225,6 +263,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -43317,7 +44173,7 @@ index 7a363b8b2..aa59857ad 100644 ') optional_policy(` -@@ -233,6 +271,10 @@ optional_policy(` +@@ -233,6 +272,10 @@ optional_policy(` ') optional_policy(` @@ -43328,7 +44184,7 @@ index 7a363b8b2..aa59857ad 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +333,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +334,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) @@ -45143,7 +45999,7 @@ index 38220721d..abac74231 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc4642022..27d8d49ba 100644 +index dc4642022..0e7086c60 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` 
@@ -45556,7 +46412,7 @@ index dc4642022..27d8d49ba 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +512,85 @@ optional_policy(` +@@ -440,81 +512,86 @@ optional_policy(` # semodule local policy # @@ -45640,6 +46496,7 @@ index dc4642022..27d8d49ba 100644 userdom_read_user_home_content_files(semanage_t) userdom_read_user_tmp_files(semanage_t) +userdom_home_reader(semanage_t) ++userdom_map_tmp_files(semanage_t) ifdef(`distro_debian',` files_read_var_lib_files(semanage_t) @@ -45698,7 +46555,7 @@ index dc4642022..27d8d49ba 100644 ') ######################################## -@@ -522,111 +598,204 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +599,204 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -51529,7 +52386,7 @@ index db7597682..c54480a1d 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6c0..597fe227f 100644 +index 9dc60c6c0..6a26bba87 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -51844,7 +52701,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -273,6 +316,82 @@ interface(`userdom_manage_home_role',` +@@ -273,6 +316,101 @@ interface(`userdom_manage_home_role',` ## ## Manage user temporary files ## @@ -51865,6 +52722,25 @@ index 9dc60c6c0..597fe227f 100644 + +####################################### +## ++## Mmap user temporary files ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_map_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file map; ++') ++ ++####################################### ++## +## Manage user temporary sockets +## +## 
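Review bot: `userdom_map_tmp_files(semanage_t)` lets the policy-management domain mmap user_tmp_t files, extending the `userdom_read_user_tmp_files(semanage_t)` already in this block; because user_tmp_t content is controlled by unprivileged users, the reason a privileged domain needs mmap rather than plain read should be recorded next to the rule. Something like `# semanage/semodule mmap policy files a user stages under tmp (presumably; confirm)` would do, hedged until the actual denial is known. The rest of this hunk is unchanged context, and the enclosing semanage section continues outside the hunk.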
@@ -51927,7 +52803,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## Role allowed access. -@@ -287,17 +406,65 @@ interface(`userdom_manage_home_role',` +@@ -287,17 +425,65 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -51998,7 +52874,7 @@ index 9dc60c6c0..597fe227f 100644 ') ####################################### -@@ -317,11 +484,31 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,11 +503,31 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -52030,7 +52906,7 @@ index 9dc60c6c0..597fe227f 100644 ## Role access for the user tmpfs type ## that the user has full access. ## -@@ -347,60 +534,45 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,60 +553,45 @@ interface(`userdom_exec_user_tmp_files',` ## # interface(`userdom_manage_tmpfs_role',` @@ -52111,7 +52987,7 @@ index 9dc60c6c0..597fe227f 100644 ') ####################################### -@@ -431,6 +603,7 @@ template(`userdom_xwindows_client_template',` +@@ -431,6 +622,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -52119,7 +52995,7 @@ index 9dc60c6c0..597fe227f 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -463,8 +636,8 @@ template(`userdom_change_password_template',` +@@ -463,8 +655,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -52130,7 +53006,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -491,51 +664,69 @@ template(`userdom_common_user_template',` +@@ -491,51 +683,69 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') 
@@ -52224,7 +53100,7 @@ index 9dc60c6c0..597fe227f 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +737,137 @@ template(`userdom_common_user_template',` +@@ -546,93 +756,137 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -52400,7 +53276,7 @@ index 9dc60c6c0..597fe227f 100644 ') optional_policy(` -@@ -642,23 +877,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +896,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -52429,7 +53305,7 @@ index 9dc60c6c0..597fe227f 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +904,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +923,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -52438,7 +53314,7 @@ index 9dc60c6c0..597fe227f 100644 ') optional_policy(` -@@ -680,9 +913,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +932,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -52451,7 +53327,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -693,32 +926,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +945,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -52498,7 +53374,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -743,17 +979,32 @@ template(`userdom_common_user_template',` +@@ -743,17 +998,32 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -52535,7 +53411,7 @@ index 9dc60c6c0..597fe227f 100644 userdom_change_password_template($1) -@@ -761,82 +1012,113 @@ template(`userdom_login_user_template', ` +@@ -761,86 +1031,117 @@ template(`userdom_login_user_template', ` # # User domain Local policy # 
@@ -52627,65 +53503,71 @@ index 9dc60c6c0..597fe227f 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ + +- seutil_read_config($1_t) + seutil_read_config($1_usertype) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) -+ -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') -+ -+ optional_policy(` -+ kerberos_use($1_usertype) -+ init_write_key($1_usertype) -+ ') - -- seutil_read_config($1_t) -+ optional_policy(` -+ mysql_filetrans_named_content($1_usertype) -+ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ kerberos_use($1_usertype) ++ init_write_key($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ mysql_filetrans_named_content($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ oddjob_run_mkhomedir($1_t, $1_r) -+ oddjob_run($1_t, $1_r) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') + optional_policy(` +- rpm_read_db($1_t) +- rpm_dontaudit_manage_db($1_t) ++ quota_dontaudit_getattr_db($1_usertype) + ') +-') + +-####################################### ++ optional_policy(` ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ++ ') ++ ++ optional_policy(` ++ oddjob_run_mkhomedir($1_t, $1_r) ++ oddjob_run($1_t, $1_r) ++ ') ++ + optional_policy(` + ipa_run_helper($1_t, $1_r) + ') + - optional_policy(` -- rpm_read_db($1_t) -- 
rpm_dontaudit_manage_db($1_t) ++ optional_policy(` + wine_filetrans_named_content($1_usertype) - ') - ') - -@@ -868,6 +1150,12 @@ template(`userdom_restricted_user_template',` ++ ') ++') ++ ++####################################### + ## + ## The template for creating a unprivileged login user. + ## +@@ -868,6 +1169,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -52698,7 +53580,7 @@ index 9dc60c6c0..597fe227f 100644 ############################## # # Local policy -@@ -907,53 +1195,143 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1214,143 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -52720,9 +53602,7 @@ index 9dc60c6c0..597fe227f 100644 + dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this + dev_read_rand($1_usertype) - -- logging_send_syslog_msg($1_t) -- logging_dontaudit_send_audit_msgs($1_t) ++ + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) @@ -52743,9 +53623,9 @@ index 9dc60c6c0..597fe227f 100644 + storage_raw_read_removable_device($1_usertype) + storage_raw_write_removable_device($1_usertype) + ') -+ -+ logging_send_syslog_msg($1_t) -+ logging_dontaudit_send_audit_msgs($1_t) + + logging_send_syslog_msg($1_t) + logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) @@ -52856,7 +53736,7 @@ index 9dc60c6c0..597fe227f 100644 ') ####################################### -@@ -987,27 +1365,36 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1384,36 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. 
@@ -52897,7 +53777,7 @@ index 9dc60c6c0..597fe227f 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1405,64 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1424,64 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -52935,11 +53815,9 @@ index 9dc60c6c0..597fe227f 100644 + + optional_policy(` + cron_role($1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + games_manage_data_files($1_usertype) + ') + @@ -52964,15 +53842,17 @@ index 9dc60c6c0..597fe227f 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1471,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1490,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -52983,7 +53863,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -1079,7 +1509,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1528,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -52994,7 +53874,7 @@ index 9dc60c6c0..597fe227f 100644 ') ############################## -@@ -1095,6 +1527,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1546,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -53002,7 +53882,7 @@ index 9dc60c6c0..597fe227f 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1538,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1557,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # 
@@ -53019,7 +53899,7 @@ index 9dc60c6c0..597fe227f 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1555,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1574,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -53028,7 +53908,7 @@ index 9dc60c6c0..597fe227f 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1574,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1593,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -53044,7 +53924,7 @@ index 9dc60c6c0..597fe227f 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1593,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1612,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -53089,7 +53969,7 @@ index 9dc60c6c0..597fe227f 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1636,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1655,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -53098,7 +53978,7 @@ index 9dc60c6c0..597fe227f 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1645,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1664,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -53121,7 +54001,7 @@ index 9dc60c6c0..597fe227f 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1695,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1714,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -53130,7 +54010,7 @@ index 9dc60c6c0..597fe227f 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1705,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -53139,7 +54019,7 @@ index 9dc60c6c0..597fe227f 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1719,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1738,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -53151,7 +54031,7 @@ index 9dc60c6c0..597fe227f 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1733,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1752,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -53194,7 +54074,7 @@ index 9dc60c6c0..597fe227f 100644 ') optional_policy(` -@@ -1357,14 +1818,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1837,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -53213,7 +54093,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1397,12 +1861,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1880,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` 
@@ -53267,7 +54147,7 @@ index 9dc60c6c0..597fe227f 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +2013,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2032,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -53299,7 +54179,7 @@ index 9dc60c6c0..597fe227f 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2079,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2098,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -53314,7 +54194,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1570,9 +2102,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2121,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -53326,7 +54206,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1613,6 +2147,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2166,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -53351,7 +54231,7 @@ index 9dc60c6c0..597fe227f 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2183,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2202,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -53411,7 +54291,7 @@ index 9dc60c6c0..597fe227f 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2309,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2328,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` 
@@ -53426,7 +54306,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1741,10 +2348,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2367,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -53441,7 +54321,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1769,7 +2378,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2397,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -53450,7 +54330,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -1777,19 +2386,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2405,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -53474,7 +54354,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -1797,55 +2404,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,47 +2423,157 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -53532,30 +54412,21 @@ index 9dc60c6c0..597fe227f 100644 gen_require(` - type user_home_t; + type user_tmp_t; - ') - -- dontaudit $1 user_home_t:file setattr_file_perms; ++ ') ++ + allow $1 user_tmp_t:file setattr; - ') - - ######################################## - ## --## Mmap user home files. ++') ++ ++######################################## ++## +## Create a user tmp sockets. - ## - ## - ## -@@ -1853,18 +2460,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` - ## - ## - # --interface(`userdom_mmap_user_home_content_files',` -- gen_require(` -- type user_home_dir_t, user_home_t; -- ') -- -- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_create_user_tmp_sockets',` + gen_require(` + type user_tmp_t; 
@@ -53564,29 +54435,23 @@ index 9dc60c6c0..597fe227f 100644 + files_search_tmp($1) + allow $1 user_tmp_t:dir list_dir_perms; + create_sock_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Read user home files. ++') ++ ++######################################## ++## +## Dontaudit getattr on user tmp sockets. - ## - ## - ## -@@ -1872,17 +2480,167 @@ interface(`userdom_mmap_user_home_content_files',` - ## - ## - # --interface(`userdom_read_user_home_content_files',` -- gen_require(` -- type user_home_dir_t, user_home_t; -- ') ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`usedom_dontaudit_user_getattr_tmp_sockets',` + refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') + userdom_getattr_user_tmp_files($1) +') - -- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ +######################################## +## +## Dontaudit getattr on user tmp sockets. @@ -53657,13 +54522,13 @@ index 9dc60c6c0..597fe227f 100644 +interface(`userdom_dontaudit_setattr_user_home_content_files',` + gen_require(` + type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file setattr_file_perms; -+') -+ -+######################################## -+## + ') + + dontaudit $1 user_home_t:file setattr_file_perms; +@@ -1845,6 +2581,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` + + ######################################## + ## +## Set the attributes of all user home directories. +## +## 
@@ -53683,39 +54548,17 @@ index 9dc60c6c0..597fe227f 100644 + +######################################## +## -+## Mmap user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_mmap_user_home_content_files',` -+ gen_require(` -+ type user_home_dir_t, user_home_t; -+ ') -+ -+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ files_search_home($1) -+') -+ -+######################################## -+## -+## Read user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_user_home_content_files',` -+ gen_require(` -+ type user_home_dir_t, user_home_t; + ## Mmap user home files. + ## + ## +@@ -1875,14 +2630,36 @@ interface(`userdom_mmap_user_home_content_files',` + interface(`userdom_read_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + attribute user_home_type; -+ ') -+ + ') + +- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type }) + read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) @@ -53746,7 +54589,7 @@ index 9dc60c6c0..597fe227f 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2651,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2670,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -53764,7 +54607,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1938,7 +2699,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2718,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## 
@@ -53773,7 +54616,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -1946,10 +2707,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2726,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -53786,7 +54629,7 @@ index 9dc60c6c0..597fe227f 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2718,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2737,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -53795,7 +54638,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -1966,12 +2726,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2745,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -53864,7 +54707,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2007,8 +2821,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2840,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -53874,7 +54717,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2024,20 +2837,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2856,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -53899,7 +54742,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## -@@ -2120,7 +2927,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2946,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -53908,7 +54751,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2128,19 +2935,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2954,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # 
@@ -53932,7 +54775,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2148,12 +2953,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2972,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -53948,7 +54791,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2388,18 +3193,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3212,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -54006,7 +54849,7 @@ index 9dc60c6c0..597fe227f 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3255,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3274,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -54015,7 +54858,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2455,6 +3296,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3315,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -54041,7 +54884,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## -@@ -2538,7 +3398,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3417,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -54050,7 +54893,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2546,19 +3406,60 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3425,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # 
@@ -54070,51 +54913,98 @@ index 9dc60c6c0..597fe227f 100644 ## Create, read, write, and delete user -## temporary named pipes. +## temporary symbolic links. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2566,19 +3445,19 @@ interface(`userdom_manage_user_tmp_symlinks',` + ## + ## + # +-interface(`userdom_manage_user_tmp_pipes',` +interface(`userdom_manage_user_tmp_symlinks',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ + gen_require(` + type user_tmp_t; + ') + +- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) + manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary named pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_rw_inherited_user_tmp_pipes',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; -+ files_search_tmp($1) -+') -+ -+ -+######################################## -+## -+## Create, read, write, and delete user + files_search_tmp($1) + ') + + ######################################## + ## + ## Create, read, write, and delete user +-## temporary named sockets. +## temporary named pipes. ## ## ## -@@ -2661,6 +3562,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2586,19 +3465,60 @@ interface(`userdom_manage_user_tmp_pipes',` + ## + ## + # +-interface(`userdom_manage_user_tmp_sockets',` ++interface(`userdom_rw_inherited_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + +- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) ++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp($1) + ') + ++ + ######################################## + ## +-## Create objects in a user temporary directory +-## with an automatic type transition to ++## Create, read, write, and delete user ++## temporary named pipes. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`userdom_manage_user_tmp_pipes',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user ++## temporary named sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_user_tmp_sockets',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create objects in a user temporary directory ++## with an automatic type transition to + ## a specified private type. + ## + ## +@@ -2661,6 +3581,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -54136,7 +55026,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3588,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3607,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -54158,7 +55048,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2692,19 +3603,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3622,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -54181,7 +55071,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2713,13 +3618,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3637,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -54242,7 +55132,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2814,6 +3762,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3781,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -54267,7 +55157,7 @@ index 9dc60c6c0..597fe227f 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3798,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3817,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -54310,7 +55200,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2856,14 +3834,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3853,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -54348,7 +55238,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2882,8 +3879,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3898,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -54378,7 +55268,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2955,6 +3971,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3990,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54421,7 +55311,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4030,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4049,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54446,7 +55336,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4048,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4067,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') 
@@ -54458,7 +55348,7 @@ index 9dc60c6c0..597fe227f 100644 ## memory segments. ## ## -@@ -3025,17 +4059,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4078,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -54479,7 +55369,7 @@ index 9dc60c6c0..597fe227f 100644 ## memory segments. ## ## -@@ -3044,12 +4078,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4097,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -54494,7 +55384,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -3094,7 +4128,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4147,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -54503,7 +55393,7 @@ index 9dc60c6c0..597fe227f 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4144,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4163,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -54537,7 +55427,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -3214,7 +4232,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4251,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -54564,7 +55454,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -3269,12 +4305,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4324,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -54580,7 +55470,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -3282,54 +4319,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,49 +4338,125 @@ interface(`userdom_write_user_tmp_files',` ## ## # 
@@ -54642,21 +55532,19 @@ index 9dc60c6c0..597fe227f 100644 - allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Inherit the file descriptors from all user domains ++') ++ ++######################################## ++## +## Allow domain to read/write inherited users +## fifo files. - ## - ## - ## -@@ -3337,7 +4376,81 @@ interface(`userdom_getattr_all_users',` - ## - ## - # --interface(`userdom_use_all_users_fds',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; @@ -54719,23 +55607,10 @@ index 9dc60c6c0..597fe227f 100644 + ') + + allow $1 userdomain:process getattr; -+') -+ -+######################################## -+## -+## Inherit the file descriptors from all user domains -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_use_all_users_fds',` - gen_require(` - attribute userdomain; - ') -@@ -3382,6 +4495,42 @@ interface(`userdom_signal_all_users',` + ') + + ######################################## +@@ -3382,6 +4514,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -54778,7 +55653,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4551,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4570,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -54839,7 +55714,7 @@ index 9dc60c6c0..597fe227f 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4638,1817 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4657,1835 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; 
@@ -55067,6 +55942,24 @@ index 9dc60c6c0..597fe227f 100644 + +######################################## +## ++## dontaudit manage files /root ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_manage_admin_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file manage_file_perms; ++') ++ ++######################################## ++## +## RW unpriviledged user SysV sempaphores. +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b3a8a86c..e8ea30d3 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -18519,7 +18519,7 @@ index ad0bae948..615a947aa 100644 +/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') diff --git a/cron.if b/cron.if -index 1303b3036..f13c53200 100644 +index 1303b3036..f5bd4aee8 100644 --- a/cron.if +++ b/cron.if @@ -2,11 +2,12 @@ @@ -18705,6 +18705,15 @@ index 1303b3036..f13c53200 100644 - # - # Declarations - # +- +- role $1 types { unconfined_cronjob_t crontab_t }; +- +- ############################## +- # +- # Local policy +- # +- +- domtrans_pattern($2, crontab_exec_t, crontab_t) + ############################## + # + # Declarations 
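Review bot: The new `userdom_dontaudit_manage_admin_files()` interface silences `manage_file_perms` on `admin_home_t`, which covers create, write, rename and unlink of files under /root and not only reads, so any domain granted it stops producing AVC records for attempts to drop or alter files in the administrator's home — precisely the class of denial an analyst normally wants to keep visible. The one-line summary `## dontaudit manage files /root` should state that scope plainly and follow the "Do not audit attempts to ..." wording of the neighbouring dontaudit interfaces, e.g. `## Do not audit attempts to create, read, write, rename and delete files in the administrator home directory (/root, admin_home_t).` Which domain is meant to call it is not visible in this hunk; a short sentence in the description naming the use case (which application spuriously touches /root) would let a later reviewer judge whether a narrower `dontaudit $1 admin_home_t:file { read write };` would have sufficed.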
@@ -18712,41 +18721,32 @@ index 1303b3036..f13c53200 100644 + + role $1 types unconfined_cronjob_t; -- role $1 types { unconfined_cronjob_t crontab_t }; +- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; +- allow $2 crond_t:process sigchld; + ############################## + # + # Local policy + # -- ############################## -- # -- # Local policy -- # -+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - -- domtrans_pattern($2, crontab_exec_t, crontab_t) -+ allow $2 crond_t:process sigchld; - -- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; -- allow $2 crond_t:process sigchld; -+ allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; -+ # cronjob shows up in user ps -+ ps_process_pattern($2, unconfined_cronjob_t) -+ allow $2 unconfined_cronjob_t:process signal_perms; ++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) -- ++ allow $2 crond_t:process sigchld; + - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) -- ++ allow $2 user_cron_spool_t:file { getattr read write ioctl }; + - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; -- ++ # cronjob shows up in user ps ++ ps_process_pattern($2, unconfined_cronjob_t) ++ allow $2 unconfined_cronjob_t:process signal_perms; + - allow $2 user_cron_spool_t:file entrypoint; + tunable_policy(`deny_ptrace',`',` + allow $2 unconfined_cronjob_t:process ptrace; 
@@ -18871,25 +18871,23 @@ index 1303b3036..f13c53200 100644 - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; -- -- allow $2 user_cron_spool_t:file entrypoint; + tunable_policy(`cron_userdomain_transition',` + allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; -- allow $2 crond_t:fifo_file rw_fifo_file_perms; +- allow $2 user_cron_spool_t:file entrypoint; + allow $2 user_cron_spool_t:file entrypoint; +- allow $2 crond_t:fifo_file rw_fifo_file_perms; ++ allow $2 crond_t:fifo_file rw_fifo_file_perms; + - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; -+ allow $2 crond_t:fifo_file rw_fifo_file_perms; - -- dontaudit $2 user_cron_spool_t:file entrypoint; + allow $2 cronjob_t:process { signal_perms }; + ps_process_pattern($2, cronjob_t) + ',` @@ -18897,6 +18895,8 @@ index 1303b3036..f13c53200 100644 + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; +- dontaudit $2 user_cron_spool_t:file entrypoint; +- - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; @@ -19205,10 +19205,11 @@ index 1303b3036..f13c53200 100644 - allow $1 crond_t:fifo_file rw_fifo_file_perms; + allow $1 user_cron_spool_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write crond TCP sockets. +## Read and write inherited spool files. +## +## 
@@ -19223,11 +19224,10 @@ index 1303b3036..f13c53200 100644 + ') + + allow $1 cron_spool_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Read and write crond TCP sockets. ++') ++ ++######################################## ++## +## Read, and write cron daemon TCP sockets. ## ## @@ -19455,7 +19455,7 @@ index 1303b3036..f13c53200 100644 ## ## ## -@@ -829,7 +876,97 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -19552,9 +19552,38 @@ index 1303b3036..f13c53200 100644 + ') + + logging_log_filetrans($1, cron_log_t, $2, $3) ++') ++ ++####################################### ++## ++## Create specified objects in generic ++## log directories with the cron log file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`cron_generic_log_filetrans_log_insights',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log") ') diff --git a/cron.te b/cron.te -index 7de385956..61dcff6a5 100644 +index 7de385956..e4c99bdd4 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -20221,7 +20250,7 @@ index 7de385956..61dcff6a5 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +549,18 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +549,22 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
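Review bot: The doc block of `cron_generic_log_filetrans_log_insights` describes three parameters (domain, object class, object name) and says the file gets "the cron log file type", but the body uses only `$1` and hardcodes `var_log_t`, `file` and `"redhat-access-insights.log"`, so two documented parameters are silently ignored and the summary names the wrong type. Drop the class and name param blocks and make the summary concrete: `## Create redhat-access-insights.log in generic log directories with the generic var_log_t label (named file transition).` Requiring `var_log_t` from the cron module also bypasses the usual rule that a module only names its own types; a logging-side interface, or a dedicated type for the insights log instead of the catch-all `var_log_t`, would be the cleaner home for this rule — presumably the named transition exists to override a cron_log_t transition on the same directory, which is worth saying in a comment.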
@@ -20237,10 +20266,14 @@ index 7de385956..61dcff6a5 100644 + +optional_policy(` + bind_read_config(system_cronjob_t) ++') ++ ++optional_policy(` ++ cron_generic_log_filetrans_log_insights(system_cronjob_t) ') optional_policy(` -@@ -551,10 +569,6 @@ optional_policy(` +@@ -551,10 +573,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -20251,7 +20284,7 @@ index 7de385956..61dcff6a5 100644 ') optional_policy(` -@@ -567,6 +581,10 @@ optional_policy(` +@@ -567,6 +585,10 @@ optional_policy(` ') optional_policy(` @@ -20262,7 +20295,7 @@ index 7de385956..61dcff6a5 100644 ftp_read_log(system_cronjob_t) ') -@@ -591,6 +609,8 @@ optional_policy(` +@@ -591,6 +613,8 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -20271,7 +20304,7 @@ index 7de385956..61dcff6a5 100644 ') optional_policy(` -@@ -598,7 +618,31 @@ optional_policy(` +@@ -598,7 +622,31 @@ optional_policy(` ') optional_policy(` @@ -20303,7 +20336,7 @@ index 7de385956..61dcff6a5 100644 ') optional_policy(` -@@ -607,7 +651,12 @@ optional_policy(` +@@ -607,7 +655,12 @@ optional_policy(` ') optional_policy(` @@ -20316,7 +20349,7 @@ index 7de385956..61dcff6a5 100644 ') optional_policy(` -@@ -615,12 +664,27 @@ optional_policy(` +@@ -615,12 +668,27 @@ optional_policy(` ') optional_policy(` @@ -20346,7 +20379,7 @@ index 7de385956..61dcff6a5 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +692,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +696,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
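Review bot: `cron_generic_log_filetrans_log_insights(system_cronjob_t)` is wrapped in an `optional_policy` block although the interface is defined in this same cron module, so the optional block can never be unsatisfied and only suggests a cross-module dependency that does not exist. Call it directly at module scope, `cron_generic_log_filetrans_log_insights(system_cronjob_t)`, with a one-line comment naming the cron job that writes the insights log.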
@@ -20380,7 +20413,7 @@ index 7de385956..61dcff6a5 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +725,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +729,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -26116,7 +26149,7 @@ index 41c3f6770..653a1ecbb 100644 ## ## Execute dmidecode in the dmidecode diff --git a/dmidecode.te b/dmidecode.te -index aa0ef6e94..02bdb681d 100644 +index aa0ef6e94..3c52d892c 100644 --- a/dmidecode.te +++ b/dmidecode.te @@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t) @@ -26127,7 +26160,7 @@ index aa0ef6e94..02bdb681d 100644 +userdom_use_inherited_user_terminals(dmidecode_t) + +optional_policy(` -+ rhsmcertd_rw_inherited_lock_files(dmidecode_t) ++ rhsmcertd_rw_lock_files(dmidecode_t) +') diff --git a/dnsmasq.fc b/dnsmasq.fc index 23ab808d8..84735a8cb 100644 @@ -36837,7 +36870,7 @@ index 180f1b7cc..3c8757e47 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 0e97e82f1..2569781e9 100644 +index 0e97e82f1..4bcee621d 100644 --- a/gpg.te +++ b/gpg.te @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0) @@ -37194,7 +37227,7 @@ index 0e97e82f1..2569781e9 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +322,87 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +322,88 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) 
@@ -37246,6 +37279,7 @@ index 0e97e82f1..2569781e9 100644 -') +userdom_home_reader(gpg_pinentry_t) +userdom_stream_connect(gpg_pinentry_t) ++userdom_map_tmp_files(gpg_pinentry_t) -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(gpg_pinentry_t) @@ -43283,10 +43317,10 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..202ac2b59 +index 000000000..923edd01e --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,99 @@ +@@ -0,0 +1,100 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -43312,7 +43346,7 @@ index 000000000..202ac2b59 +# keepalived local policy +# + -+allow keepalived_t self:capability { net_admin net_raw kill }; ++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace }; +allow keepalived_t self:process { signal_perms }; +allow keepalived_t self:netlink_socket create_socket_perms; +allow keepalived_t self:netlink_generic_socket create_socket_perms; @@ -43343,6 +43377,7 @@ index 000000000..202ac2b59 +corenet_tcp_connect_squid_port(keepalived_t) + +domain_read_all_domains_state(keepalived_t) ++domain_getattr_all_domains(keepalived_t) + +dev_read_urand(keepalived_t) + @@ -49535,7 +49570,7 @@ index 8ae78b5bf..b365cddec 100644 + +/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if -index 327f3f726..4f6156138 100644 +index 327f3f726..36d4af101 100644 --- a/mandb.if +++ b/mandb.if @@ -1,14 +1,14 @@ 
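Review bot: Adding `dac_read_search sys_ptrace` to `allow keepalived_t self:capability { … }` is a broad widening for a network-facing daemon — together with the `domain_read_all_domains_state(keepalived_t)` visible in the following hunk it effectively lets keepalived read any process's /proc state regardless of owner — and the hunk records no reason for it. Presumably this serves keepalived's tracking of other processes (track_process / script checks); confirm that against the AVC that motivated the change and note it inline, e.g. `# dac_read_search/sys_ptrace: read /proc/<pid> of tracked processes owned by other UIDs — see AVC`. If only one of the two capabilities was actually denied, grant just that one rather than both.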
@@ -49611,16 +49646,37 @@ index 327f3f726..4f6156138 100644 ######################################## ## -## Search mandb cache directories. -+## Relabel mandb cache files/directories ++## Mmap mandb cache files. ## ## ## -@@ -56,13 +68,18 @@ interface(`mandb_run',` +@@ -56,13 +68,17 @@ interface(`mandb_run',` ## ## # -interface(`mandb_search_cache',` - refpolicywarn(`$0($*) has been deprecated') ++interface(`mandb_map_cache_files',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ allow $1, mandb_cache_t:file map; + ') + + ######################################## + ## +-## Delete mandb cache content. ++## Relabel mandb cache files/directories + ## + ## + ## +@@ -70,13 +86,18 @@ interface(`mandb_search_cache',` + ## + ## + # +-interface(`mandb_delete_cache_content',` +- refpolicywarn(`$0($*) has been deprecated') +interface(`mandb_relabel_cache',` + gen_require(` + type mandb_cache_t; @@ -49632,16 +49688,16 @@ index 327f3f726..4f6156138 100644 ######################################## ## --## Delete mandb cache content. +-## Read mandb cache content. +## Set attributes on mandb cache files. ## ## ## -@@ -70,13 +87,18 @@ interface(`mandb_search_cache',` +@@ -84,8 +105,35 @@ interface(`mandb_delete_cache_content',` ## ## # --interface(`mandb_delete_cache_content',` +-interface(`mandb_read_cache_content',` - refpolicywarn(`$0($*) has been deprecated') +interface(`mandb_setattr_cache_dirs',` + gen_require(` 
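Review bot: `allow $1, mandb_cache_t:file map;` in the new `mandb_map_cache_files` interface has a stray comma after the source type; checkpolicy's allow grammar does not accept a comma between source and target, so the rule will be rejected as soon as any domain calls the interface, and if nothing calls it yet the m4 macro is never expanded and the build will not notice. Change it to `allow $1 mandb_cache_t:file map;`. For consistency with the sibling cache interfaces in this file (`mandb_relabel_cache`, `mandb_setattr_cache_dirs`, …) it should probably also call `files_search_var($1)` first, although `map` on an already-open file does not strictly need the directory search.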
@@ -49650,21 +49706,18 @@ index 327f3f726..4f6156138 100644 + + files_search_var($1) + allow $1 mandb_cache_t:dir setattr; - ') - - ######################################## - ## --## Read mandb cache content. ++') ++ ++######################################## ++## +## Delete mandb cache files. - ## - ## - ## -@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',` - ## - ## - # --interface(`mandb_read_cache_content',` -- refpolicywarn(`$0($*) has been deprecated') ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`mandb_delete_cache',` + gen_require(` + type mandb_cache_t; @@ -49678,7 +49731,7 @@ index 327f3f726..4f6156138 100644 ') ######################################## -@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',` +@@ -99,37 +147,82 @@ interface(`mandb_read_cache_content',` ## ## # @@ -49691,17 +49744,20 @@ index 327f3f726..4f6156138 100644 + + files_search_var($1) + manage_files_pattern($1, mandb_cache_t, mandb_cache_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an mandb environment. +## Manage mandb cache dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`mandb_manage_cache_dirs',` + gen_require(` @@ -49710,22 +49766,19 @@ index 327f3f726..4f6156138 100644 + + files_search_var($1) + manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) - ') - - ######################################## - ## --## All of the rules required to --## administrate an mandb environment. ++') ++ ++######################################## ++## +## Create configuration files in user +## home directories with a named file +## type transition. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`mandb_filetrans_named_home_content',` + gen_require(` 
@@ -49761,12 +49814,12 @@ index 327f3f726..4f6156138 100644 - mandb_run($1, $2) + files_search_var($1) + admin_pattern($1, mandb_cache_t) -+ -+ files_search_locks($1) -+ admin_pattern($1, mandb_lock_t) - # pending - # miscfiles_manage_man_cache_content(mandb_t) ++ files_search_locks($1) ++ admin_pattern($1, mandb_lock_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) @@ -60730,9 +60783,15 @@ index 86dc29dfa..cb39739a5 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f20095e..4419e3531 100644 +index 55f20095e..3ed3ed0b3 100644 --- a/networkmanager.te +++ b/networkmanager.te +@@ -1,4 +1,4 @@ +-policy_module(networkmanager, 1.15.2) ++policy_module(networkmanager, 1.15.3) + + ######################################## + # @@ -9,15 +9,18 @@ type NetworkManager_t; type NetworkManager_exec_t; init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -60950,10 +61009,10 @@ index 55f20095e..4419e3531 100644 -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) +systemd_machined_read_pid_files(NetworkManager_t) -+ -+term_use_unallocated_ttys(NetworkManager_t) -userdom_write_user_tmp_sockets(NetworkManager_t) ++term_use_unallocated_ttys(NetworkManager_t) ++ +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) 
@@ -61019,16 +61078,16 @@ index 55f20095e..4419e3531 100644 dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) + dnsmasq_systemctl(NetworkManager_t) ++') ++ ++optional_policy(` ++ dnssec_trigger_domtrans(NetworkManager_t) ++ dnssec_trigger_signull(NetworkManager_t) ++ dnssec_trigger_sigkill(NetworkManager_t) ') optional_policy(` - gnome_stream_connect_all_gkeyringd(NetworkManager_t) -+ dnssec_trigger_domtrans(NetworkManager_t) -+ dnssec_trigger_signull(NetworkManager_t) -+ dnssec_trigger_sigkill(NetworkManager_t) -+') -+ -+optional_policy(` + fcoe_dgram_send_fcoemon(NetworkManager_t) ') @@ -61157,7 +61216,7 @@ index 55f20095e..4419e3531 100644 ') optional_policy(` -@@ -338,12 +431,19 @@ optional_policy(` +@@ -338,12 +431,23 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -61167,6 +61226,10 @@ index 55f20095e..4419e3531 100644 + openfortivpn_signal(NetworkManager_t) + openfortivpn_signull(NetworkManager_t) +') ++ ++optional_policy(` ++ openvswitch_stream_connect(NetworkManager_t) ++') + ######################################## # @@ -61178,7 +61241,7 @@ index 55f20095e..4419e3531 100644 allow wpa_cli_t self:unix_dgram_socket create_socket_perms; allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; -@@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +461,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -87845,7 +87908,7 @@ index 16c8ecbe3..4e021eca7 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd4175f..61de8277a 100644 +index 25cd4175f..84c02e325 100644 --- a/redis.te +++ b/redis.te @@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t) 
@@ -87877,7 +87940,7 @@ index 25cd4175f..61de8277a 100644 manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) manage_files_pattern(redis_t, redis_log_t, redis_log_t) manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) -@@ -42,14 +50,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) +@@ -42,24 +50,27 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) @@ -87895,7 +87958,12 @@ index 25cd4175f..61de8277a 100644 corenet_sendrecv_redis_server_packets(redis_t) corenet_tcp_bind_redis_port(redis_t) -@@ -60,6 +71,4 @@ dev_read_urand(redis_t) + corenet_tcp_sendrecv_redis_port(redis_t) + ++corecmd_exec_shell(redis_t) ++ + dev_read_sysfs(redis_t) + dev_read_urand(redis_t) logging_send_syslog_msg(redis_t) @@ -90773,7 +90841,7 @@ index 8c0280418..896c8c67f 100644 /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905b3..4b17c933e 100644 +index 6dbc905b3..42e4306c8 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -90869,23 +90937,21 @@ index 6dbc905b3..4b17c933e 100644 ## ## ## -@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',` +@@ -196,10 +192,47 @@ interface(`rhsmcertd_read_pid_files',` allow $1 rhsmcertd_var_run_t:file read_file_perms; ') -#################################### +######################################## - ## --## Connect to rhsmcertd with a --## unix domain stream socket. ++## +## Read rhsmcertd PID files. - ## - ## - ## -@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',` - ## - ## - # ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`rhsmcertd_manage_pid_files',` + gen_require(` + type rhsmcertd_var_run_t; 
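Review bot: `corecmd_exec_shell(redis_t)` lets the redis daemon execute /bin/sh, which removes one of the few confinement barriers against the well-known redis remote-code-execution patterns (unauthenticated instances abused to write files and run commands), and the hunk gives no reason for the grant. If the driver is Sentinel's notification or client-reconfig scripts (presumably — confirm against the AVC), consider putting the rule behind a new boolean declared with gen_tunable and applied with tunable_policy, defaulting to off, so plain redis installs stay shell-free. At minimum add a why-comment above the line, `# exec shell for sentinel notification/reconfig scripts — see AVC/bug ref`, so the grant stays traceable.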
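Review bot: The summary for the new `rhsmcertd_manage_pid_files` interface reads `## Read rhsmcertd PID files.`, which describes the existing read interface rather than a manage one; it should say `## Create, read, write and delete rhsmcertd PID files.` so callers do not pick it by its summary and over-grant. The body of the interface continues past the visible part of this hunk, so the permissions actually granted could not be checked here.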
@@ -90914,6 +90980,27 @@ index 6dbc905b3..4b17c933e 100644 + allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms; +') + ++######################################## + ## +-## Connect to rhsmcertd with a +-## unix domain stream socket. ++## Read/wirte lock files. + ## + ## + ## +@@ -207,6 +240,26 @@ interface(`rhsmcertd_read_pid_files',` + ## + ## + # ++interface(`rhsmcertd_rw_lock_files',` ++ gen_require(` ++ type rhsmcertd_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 rhsmcertd_lock_t:file rw_file_perms; ++') ++ +#################################### +## +## Connect to rhsmcertd over a unix domain @@ -90928,7 +91015,7 @@ index 6dbc905b3..4b17c933e 100644 interface(`rhsmcertd_stream_connect',` gen_require(` type rhsmcertd_t, rhsmcertd_var_run_t; -@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',` +@@ -239,30 +292,29 @@ interface(`rhsmcertd_dbus_chat',` ###################################### ## @@ -90972,7 +91059,7 @@ index 6dbc905b3..4b17c933e 100644 ## ## ## -@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` +@@ -270,35 +322,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` ## ## ## 
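Review bot: The new `rhsmcertd_rw_lock_files` grants `rw_file_perms`, i.e. the caller may open the lock file itself, whereas the neighbouring `rhsmcertd_rw_inherited_lock_files` only allows use of an already-open descriptor; the dmidecode hunk earlier in this diff switches `dmidecode_t` from the inherited variant to this one, which widens dmidecode's access from "use the fd rhsmcertd hands it" to "open /var/lock/subsys/rhsmcertd on its own". If dmidecode only ever inherits the descriptor, the inherited variant is the tighter grant and the switch should be reconsidered or justified in a comment. The summary also has a typo, `## Read/wirte lock files.`; make it `## Read and write rhsmcertd lock files.`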
@@ -91004,24 +91091,24 @@ index 6dbc905b3..4b17c933e 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') -+ + +- logging_search_logs($1) +- admin_pattern($1, rhsmcertd_log_t) + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rhsmcertd_initrc_exec_t system_r; + allow $2 system_r; -- logging_search_logs($1) -- admin_pattern($1, rhsmcertd_log_t) +- files_search_var_lib($1) +- admin_pattern($1, rhsmcertd_var_lib_t) + logging_search_logs($1) + admin_pattern($1, rhsmcertd_log_t) -- files_search_var_lib($1) -- admin_pattern($1, rhsmcertd_var_lib_t) -+ files_search_var_lib($1) -+ admin_pattern($1, rhsmcertd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, rhsmcertd_var_run_t) ++ files_search_var_lib($1) ++ admin_pattern($1, rhsmcertd_var_lib_t) ++ + files_search_pids($1) + admin_pattern($1, rhsmcertd_var_run_t) + @@ -120344,10 +120431,10 @@ index 4815a93f4..24dcf5174 100644 + rhcs_rw_cluster_tmpfs(wdmd_t) ') diff --git a/webadm.te b/webadm.te -index 2a6cae773..6d0a2a1c5 100644 +index 2a6cae773..d2752d9bb 100644 --- a/webadm.te +++ b/webadm.te -@@ -25,6 +25,9 @@ role webadm_r; +@@ -25,12 +25,21 @@ role webadm_r; userdom_base_user_template(webadm) 
@@ -120357,26 +120444,43 @@ index 2a6cae773..6d0a2a1c5 100644 ######################################## # # Local policy -@@ -32,6 +35,12 @@ userdom_base_user_template(webadm) - - allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; + # +-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; ++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource }; ++ +manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir }) +can_exec(webadm_t, webadm_tmp_t) -+ + files_dontaudit_search_all_dirs(webadm_t) files_list_var(webadm_t) +@@ -38,12 +47,26 @@ files_list_var(webadm_t) + selinux_get_enforce_mode(webadm_t) + seutil_domtrans_setfiles(webadm_t) -@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t) ++init_rw_pipes(webadm_t) ++init_status(webadm_t) ++ + logging_send_audit_msgs(webadm_t) + logging_send_syslog_msg(webadm_t) userdom_dontaudit_search_user_home_dirs(webadm_t) ++userdom_dontaudit_manage_admin_files(webadm_t) ++ ++optional_policy(` ++ apache_admin(webadm_t, webadm_r) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(webadm_t) ++') -apache_admin(webadm_t, webadm_r) +optional_policy(` -+ apache_admin(webadm_t, webadm_r) ++ policykit_dbus_chat(webadm_t) +') tunable_policy(`webadm_manage_user_files',` diff --git a/selinux-policy.spec b/selinux-policy.spec index 56ba655f..86361947 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 281%{?dist} +Release: 282%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
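Review bot: `can_exec(webadm_t, webadm_tmp_t)` together with `manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)` lets the web-admin role write a file into /tmp and then execute it, so anything that lands in that tmp label becomes runnable for the role; for a confined administrative role this W^X relaxation is usually either placed behind a boolean or justified inline, and here it carries neither. The new `sys_resource` capability and `policykit_dbus_chat(webadm_t)` likewise have no comment recording which denial or workflow needed them; one line per grant naming the operation it resolves keeps the role auditable. `userdom_dontaudit_manage_admin_files(webadm_t)` is fine if attempts on /root are expected noise, but note it also hides a genuine misbehaviour path from the audit log.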
@@ -681,6 +681,20 @@ exit 0
 %endif
 %changelog
+* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282
+- Add new bunch of map rules
+- Merge pull request #25 from NetworkManager/nm-ovs
+- Make working webadm_t userdomain
+- Allow redis domain to execute shell scripts.
+- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
+- Add couple capabilities to keepalived domain and allow get attributes of all domains
+- Allow dmidecode read rhsmcertd lock files
+- Add new interface rhsmcertd_rw_lock_files()
+- Add new bunch of map rules
+- Merge pull request #199 from mscherer/add_conntrackd
+- Add support labeling for vmci and vsock device
+- Add userdom_dontaudit_manage_admin_files() interface
+
 * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281
 - Allow domains reading raw memory also use mmap.