From 574431f1a2ff0362deb346c935a9892800ebfa1d Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Tue, 4 Jun 2013 08:43:23 +0200
Subject: [PATCH] - Fix openshift_search_lib
- Add support for abrt-uefioops-oops
- Allow colord to getattr any file system
- Allow chrome processes to look at each other
- Allow sys_ptrace for abrt_t
- Add new policy for gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- openshift_net_type is interface not template
- Dontaudit pppd to search gnome config
- Update openshift_search_lib() interface
- Add fs_list_pstorefs()
- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18
- Better labels for raspberry pi devices
- Allow init to create devpts_t directory
- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18
- Allow sysadm_t to build kernels
- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18
- Allow userdomains to stream connect to gssproxy
- Dontaudit leaked file descriptor writes from firewalld
- Allow xserver to read /dev/urandom
- Add additional fixes for ipsec-mgmt
- Make SSHing into an Openshift Enterprise Node working
---
 policy-rawhide-base.patch | 884 +++++++++++++++++++++--------------
 policy-rawhide-contrib.patch | 473 ++++++++++++++++---
 selinux-policy.spec | 30 +-
 3 files changed, 965 insertions(+), 422 deletions(-)
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 33979395..73387ffa 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3604,7 +3604,7 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..d6ec4a8 100644
+index 07126bd..38ba47d 100644
 --- a/policy/modules/kernel/corenetwork.if.in 
+++ b/policy/modules/kernel/corenetwork.if.in @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` @@ -4138,10 +4138,11 @@ index 07126bd..d6ec4a8 100644 ## Send and receive TCP network traffic on generic reserved ports. ## ## -@@ -1647,6 +1964,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` +@@ -1647,7 +1964,26 @@ interface(`corenet_udp_sendrecv_reserved_port',` ######################################## ## +-## Bind TCP sockets to generic reserved ports. +## Bind DCCP sockets to generic reserved ports. +## +## @@ -4161,9 +4162,10 @@ index 07126bd..d6ec4a8 100644 + +######################################## +## - ## Bind TCP sockets to generic reserved ports. ++## Bind TCP sockets to generic reserved ports. ## ## + ## @@ -1685,6 +2021,24 @@ interface(`corenet_udp_bind_reserved_port',` ######################################## @@ -4214,16 +4216,11 @@ index 07126bd..d6ec4a8 100644 ## Send and receive TCP network traffic on all reserved ports. ## ## -@@ -1752,12 +2124,210 @@ interface(`corenet_udp_receive_all_reserved_ports',` - attribute reserved_port_type; - ') +@@ -1757,7 +2129,259 @@ interface(`corenet_udp_receive_all_reserved_ports',` -- allow $1 reserved_port_type:udp_socket recv_msg; -+ allow $1 reserved_port_type:udp_socket recv_msg; -+') -+ -+######################################## -+## + ######################################## + ## +-## Send and receive UDP network traffic on all reserved ports. +## Send and receive UDP network traffic on all reserved ports. +## +## 
@@ -4418,56 +4415,116 @@ index 07126bd..d6ec4a8 100644 + ') + + allow $1 ephemeral_port_type:tcp_socket name_bind; - ') - - ######################################## - ## --## Send and receive UDP network traffic on all reserved ports. ++') ++ ++######################################## ++## +## Bind UDP sockets to all ports > 32768. - ## - ## - ## -@@ -1765,14 +2335,17 @@ interface(`corenet_udp_receive_all_reserved_ports',` - ## - ## - # --interface(`corenet_udp_sendrecv_all_reserved_ports',` -- corenet_udp_send_all_reserved_ports($1) -- corenet_udp_receive_all_reserved_ports($1) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`corenet_udp_bind_all_ephemeral_ports',` + gen_require(` + attribute ephemeral_port_type; + ') + + allow $1 ephemeral_port_type:udp_socket name_bind; - ') - - ######################################## - ## --## Bind TCP sockets to all reserved ports. ++') ++ ++######################################## ++## +## Connect DCCP sockets to reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## ++## Connect TCP sockets to reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_tcp_connect_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:tcp_socket name_connect; ++') ++ ++######################################## ++## ++## Connect DCCP sockets to all ports > 1024. 
## ## ## -@@ -1780,36 +2353,35 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` +@@ -1765,51 +2389,53 @@ interface(`corenet_udp_receive_all_reserved_ports',` ## ## # +-interface(`corenet_udp_sendrecv_all_reserved_ports',` +- corenet_udp_send_all_reserved_ports($1) +- corenet_udp_receive_all_reserved_ports($1) ++interface(`corenet_dccp_connect_all_unreserved_ports',` ++ gen_require(` ++ attribute unreserved_port_type; ++ ') ++ ++ allow $1 unreserved_port_type:dccp_socket name_connect; + ') + +-######################################## ++####################################### + ## +-## Bind TCP sockets to all reserved ports. ++## Connect TCP sockets to ports > 1024. + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # -interface(`corenet_tcp_bind_all_reserved_ports',` -+interface(`corenet_dccp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') +- gen_require(` +- attribute reserved_port_type; +- ') ++interface(`corenet_tcp_connect_unreserved_ports',` ++ gen_require(` ++ type unreserved_port_t; ++ ') - allow $1 reserved_port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; -+ allow $1 reserved_port_type:dccp_socket name_connect; ++ allow $1 unreserved_port_t:tcp_socket name_connect; ') ######################################## ## -## Do not audit attempts to bind TCP sockets to all reserved ports. -+## Connect TCP sockets to reserved ports. ++## Connect TCP sockets to all ports > 1024. ## ## ## 
@@ -4477,135 +4534,64 @@ index 07126bd..d6ec4a8 100644 ## # -interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` -+interface(`corenet_tcp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - -- dontaudit $1 reserved_port_type:tcp_socket name_bind; -+ allow $1 reserved_port_type:tcp_socket name_connect; - ') - - ######################################## - ## --## Bind UDP sockets to all reserved ports. -+## Connect DCCP sockets to all ports > 1024. - ## - ## - ## -@@ -1817,36 +2389,35 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` - ## - ## - # --interface(`corenet_udp_bind_all_reserved_ports',` -+interface(`corenet_dccp_connect_all_unreserved_ports',` ++interface(`corenet_tcp_connect_all_unreserved_ports',` gen_require(` - attribute reserved_port_type; + attribute unreserved_port_type; ') -- allow $1 reserved_port_type:udp_socket name_bind; -- allow $1 self:capability net_bind_service; -+ allow $1 unreserved_port_type:dccp_socket name_connect; - ') - --######################################## -+####################################### - ## --## Do not audit attempts to bind UDP sockets to all reserved ports. -+## Connect TCP sockets to ports > 1024. - ## - ## --## --## Domain to not audit. --## -+## -+## Domain allowed access. -+## - ## - # --interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` -- gen_require(` -- attribute reserved_port_type; -- ') -+interface(`corenet_tcp_connect_unreserved_ports',` -+ gen_require(` -+ type unreserved_port_t; -+ ') - -- dontaudit $1 reserved_port_type:udp_socket name_bind; -+ allow $1 unreserved_port_t:tcp_socket name_connect; - ') - - ######################################## - ## --## Bind TCP sockets to all ports > 1024. -+## Connect TCP sockets to all ports > 1024. 
- ## - ## - ## -@@ -1854,17 +2425,17 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` - ## - ## - # --interface(`corenet_tcp_bind_all_unreserved_ports',` -+interface(`corenet_tcp_connect_all_unreserved_ports',` - gen_require(` - attribute unreserved_port_type; - ') - -- allow $1 unreserved_port_type:tcp_socket name_bind; +- dontaudit $1 reserved_port_type:tcp_socket name_bind; + allow $1 unreserved_port_type:tcp_socket name_connect; ') ######################################## ## --## Bind UDP sockets to all ports > 1024. +-## Bind UDP sockets to all reserved ports. +## Connect TCP sockets to all ports > 32768. ## ## ## -@@ -1872,67 +2443,68 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` +@@ -1817,18 +2443,18 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` ## ## # --interface(`corenet_udp_bind_all_unreserved_ports',` +-interface(`corenet_udp_bind_all_reserved_ports',` +interface(`corenet_tcp_connect_all_ephemeral_ports',` gen_require(` -- attribute unreserved_port_type; +- attribute reserved_port_type; + attribute ephemeral_port_type; ') -- allow $1 unreserved_port_type:udp_socket name_bind; +- allow $1 reserved_port_type:udp_socket name_bind; +- allow $1 self:capability net_bind_service; + allow $1 ephemeral_port_type:tcp_socket name_connect; ') ######################################## ## --## Connect TCP sockets to reserved ports. +-## Do not audit attempts to bind UDP sockets to all reserved ports. +## Do not audit attempts to connect DCCP sockets +## all reserved ports. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -1836,35 +2462,36 @@ interface(`corenet_udp_bind_all_reserved_ports',` ## ## # --interface(`corenet_tcp_connect_all_reserved_ports',` +-interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` +interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` gen_require(` attribute reserved_port_type; ') -- allow $1 reserved_port_type:tcp_socket name_connect; +- dontaudit $1 reserved_port_type:udp_socket name_bind; + dontaudit $1 reserved_port_type:dccp_socket name_connect; ') ######################################## ## --## Connect TCP sockets to all ports > 1024. +-## Bind TCP sockets to all ports > 1024. +## Do not audit attempts to connect TCP sockets +## all reserved ports. ## 
@@ -4616,94 +4602,180 @@ index 07126bd..d6ec4a8 100644 ## ## # --interface(`corenet_tcp_connect_all_unreserved_ports',` +-interface(`corenet_tcp_bind_all_unreserved_ports',` +interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` gen_require(` - attribute unreserved_port_type; + attribute reserved_port_type; ') -- allow $1 unreserved_port_type:tcp_socket name_connect; +- allow $1 unreserved_port_type:tcp_socket name_bind; + dontaudit $1 reserved_port_type:tcp_socket name_connect; ') ######################################## ## --## Do not audit attempts to connect TCP sockets --## all reserved ports. +-## Bind UDP sockets to all ports > 1024. +## Connect DCCP sockets to rpc ports. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -1872,17 +2499,17 @@ interface(`corenet_tcp_bind_all_unreserved_ports',` + ## + ## + # +-interface(`corenet_udp_bind_all_unreserved_ports',` ++interface(`corenet_dccp_connect_all_rpc_ports',` + gen_require(` +- attribute unreserved_port_type; ++ attribute rpc_port_type; + ') + +- allow $1 unreserved_port_type:udp_socket name_bind; ++ allow $1 rpc_port_type:dccp_socket name_connect; + ') + + ######################################## + ## +-## Connect TCP sockets to reserved ports. ++## Connect TCP sockets to rpc ports. + ## + ## + ## +@@ -1890,36 +2517,37 @@ interface(`corenet_udp_bind_all_unreserved_ports',` + ## + ## + # +-interface(`corenet_tcp_connect_all_reserved_ports',` ++interface(`corenet_tcp_connect_all_rpc_ports',` + gen_require(` +- attribute reserved_port_type; ++ attribute rpc_port_type; + ') + +- allow $1 reserved_port_type:tcp_socket name_connect; ++ allow $1 rpc_port_type:tcp_socket name_connect; + ') + + ######################################## + ## +-## Connect TCP sockets to all ports > 1024. ++## Do not audit attempts to connect DCCP sockets ++## all rpc ports. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`corenet_tcp_connect_all_unreserved_ports',` ++interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` + gen_require(` +- attribute unreserved_port_type; ++ attribute rpc_port_type; + ') + +- allow $1 unreserved_port_type:tcp_socket name_connect; ++ dontaudit $1 rpc_port_type:dccp_socket name_connect; + ') + + ######################################## + ## + ## Do not audit attempts to connect TCP sockets +-## all reserved ports. ++## all rpc ports. + ## + ## + ## +@@ -1927,54 +2555,54 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` ## ## # -interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` -+interface(`corenet_dccp_connect_all_rpc_ports',` ++interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` gen_require(` - attribute reserved_port_type; + attribute rpc_port_type; ') - dontaudit $1 reserved_port_type:tcp_socket name_connect; -+ allow $1 rpc_port_type:dccp_socket name_connect; ++ dontaudit $1 rpc_port_type:tcp_socket name_connect; ') - ######################################## -@@ -1955,6 +2527,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` - ######################################## ## -+## Do not audit attempts to connect DCCP sockets -+## all rpc ports. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` -+ gen_require(` -+ attribute rpc_port_type; -+ ') -+ -+ dontaudit $1 rpc_port_type:dccp_socket name_connect; -+') -+ -+######################################## -+## - ## Do not audit attempts to connect TCP sockets - ## all rpc ports. +-## Connect TCP sockets to rpc ports. ++## Read and write the TUN/TAP virtual network device. ## -@@ -1993,6 +2584,24 @@ interface(`corenet_rw_tun_tap_dev',` - - ######################################## - ## -+## Read and write inherited TUN/TAP virtual network device. -+## -+## -+## + ## + ## +-## Domain allowed access. +## The domain allowed access. 
-+## -+## -+# -+interface(`corenet_rw_inherited_tun_tap_dev',` -+ gen_require(` + ## + ## + # +-interface(`corenet_tcp_connect_all_rpc_ports',` ++interface(`corenet_rw_tun_tap_dev',` + gen_require(` +- attribute rpc_port_type; + type tun_tap_device_t; -+ ') -+ -+ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to read or write the TUN/TAP - ## virtual network device. + ') + +- allow $1 rpc_port_type:tcp_socket name_connect; ++ dev_list_all_dev_nodes($1) ++ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to connect TCP sockets +-## all rpc ports. ++## Relabel to and from the TUN/TAP virtual network device. ## -@@ -2049,6 +2658,25 @@ interface(`corenet_rw_ppp_dev',` + ## + ## +-## Domain to not audit. ++## The domain allowed access. + ## + ## + # +-interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` ++interface(`corenet_relabel_tun_tap_dev',` + gen_require(` +- attribute rpc_port_type; ++ type tun_tap_device_t; + ') + +- dontaudit $1 rpc_port_type:tcp_socket name_connect; ++ relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t) + ') + + ######################################## + ## +-## Read and write the TUN/TAP virtual network device. ++## Read and write inherited TUN/TAP virtual network device. + ## + ## + ## +@@ -1982,13 +2610,12 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` + ## + ## + # +-interface(`corenet_rw_tun_tap_dev',` ++interface(`corenet_rw_inherited_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + +- dev_list_all_dev_nodes($1) +- allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ++ allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## +@@ -2049,6 +2676,25 @@ interface(`corenet_rw_ppp_dev',` ######################################## ## 
@@ -4729,7 +4801,7 @@ index 07126bd..d6ec4a8 100644 ## Bind TCP sockets to all RPC ports. ## ## -@@ -2068,6 +2696,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` +@@ -2068,6 +2714,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` ######################################## ## @@ -4754,7 +4826,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to bind TCP sockets to all RPC ports. ## ## -@@ -2194,6 +2840,25 @@ interface(`corenet_tcp_recv_netlabel',` +@@ -2194,6 +2858,25 @@ interface(`corenet_tcp_recv_netlabel',` ######################################## ## @@ -4780,7 +4852,7 @@ index 07126bd..d6ec4a8 100644 ## Receive TCP packets from a NetLabel connection. ## ## -@@ -2213,7 +2878,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2213,7 +2896,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## @@ -4789,7 +4861,7 @@ index 07126bd..d6ec4a8 100644 ## ## ## -@@ -2221,10 +2886,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2221,10 +2904,15 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## ## # @@ -4807,7 +4879,7 @@ index 07126bd..d6ec4a8 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2249,6 +2919,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` +@@ -2249,6 +2937,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` ######################################## ## @@ -4834,7 +4906,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to receive TCP packets from a NetLabel ## connection. ## -@@ -2269,6 +2959,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` +@@ -2269,6 +2977,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## 
@@ -4862,7 +4934,7 @@ index 07126bd..d6ec4a8 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2533,15 +3244,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` +@@ -2533,15 +3262,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` @@ -4882,7 +4954,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -2567,11 +3273,34 @@ interface(`corenet_all_recvfrom_unlabeled',` +@@ -2567,11 +3291,34 @@ interface(`corenet_all_recvfrom_unlabeled',` # interface(`corenet_all_recvfrom_netlabel',` gen_require(` @@ -4920,7 +4992,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -2585,6 +3314,7 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2585,6 +3332,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` @@ -4928,7 +5000,7 @@ index 07126bd..d6ec4a8 100644 kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2613,7 +3343,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` +@@ -2613,7 +3361,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; @@ -4965,7 +5037,7 @@ index 07126bd..d6ec4a8 100644 ') ######################################## -@@ -2727,6 +3485,7 @@ interface(`corenet_raw_recvfrom_labeled',` +@@ -2727,6 +3503,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` @@ -4973,7 +5045,7 @@ index 07126bd..d6ec4a8 100644 corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) -@@ -3134,3 +3893,53 @@ interface(`corenet_unconfined',` +@@ -3134,3 +3911,53 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') @@ -5465,7 +5537,7 @@ index 3f6e168..51ad69a 100644 ') 
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..3035b45 100644 +index b31c054..17e11e0 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -5499,15 +5571,25 @@ index b31c054..3035b45 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -118,6 +122,7 @@ +@@ -106,6 +110,7 @@ + /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) + /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/spidev.* -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) + /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) +@@ -118,6 +123,9 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') ++/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +134,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +137,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) 
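Review bot: The new devices.fc entries borrow existing types rather than introducing their own: `/dev/spidev.*` becomes `usb_device_t` and `/dev/vchiq` becomes `v4l_device_t`, so every domain already granted those types silently gains the SPI bus and the VideoCore interface as well. The subject line calls the Raspberry Pi labels temporary, but nothing in the file records that, and a later reader will take the borrowed types for a deliberate choice. If dedicated types are not in scope for this change, at least put a comment above the entries, e.g. `# Raspberry Pi devices: interim labels until dedicated types exist`. The `/dev/vc-mem` entry as `memory_device_t` with `mls_systemhigh` is consistent with the `/dev/mem` line visible earlier in the same hunk.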
@@ -5522,7 +5604,7 @@ index b31c054..3035b45 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -198,12 +205,22 @@ ifdef(`distro_debian',` +@@ -198,12 +208,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -12225,7 +12307,7 @@ index cda5588..3035829 100644 +/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/[^/]*/gvfs/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..0776923 100644 +index 8416beb..7170125 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -12959,7 +13041,34 @@ index 8416beb..0776923 100644 ## ## ## -@@ -2741,7 +3258,7 @@ interface(`fs_search_removable',` +@@ -2719,6 +3236,26 @@ interface(`fs_search_rpc',` + + ######################################## + ## ++## Do not audit attempts to list removable storage directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_list_pstorefs',` ++ gen_require(` ++ type pstorefs_t; ++ ') ++ ++ allow $1 pstorefs_t:dir list_dir_perms; ++') ++ ++ ++ ++######################################## ++## + ## Search removable storage directories. + ## + ## +@@ -2741,7 +3278,7 @@ interface(`fs_search_removable',` ## ## ## @@ -12968,7 +13077,7 @@ index 8416beb..0776923 100644 ## ## # -@@ -2777,7 +3294,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3314,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -12977,7 +13086,7 @@ index 8416beb..0776923 100644 ## ## # -@@ -2970,6 +3487,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3507,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') 
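Review bot: The description on the new `fs_list_pstorefs()` interface does not match its rule: the summary says "Do not audit attempts to list removable storage directories" and the parameter is described as "Domain to not audit", while the body is `allow $1 pstorefs_t:dir list_dir_perms;`, an allow rule on the pstore filesystem. The summary should read `## List the pstore filesystem directories.` and the parameter `## Domain allowed access.`, otherwise a caller relying on the documented dontaudit semantics grants real access. The three consecutive blank lines added between the closing `')` and the next `########` banner should also be collapsed to one, as everywhere else in filesystem.if.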
@@ -12985,7 +13094,7 @@ index 8416beb..0776923 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3528,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3548,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -12993,7 +13102,7 @@ index 8416beb..0776923 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3569,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3589,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -13001,7 +13110,7 @@ index 8416beb..0776923 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3783,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +3803,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -13026,7 +13135,7 @@ index 8416beb..0776923 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3821,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3841,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -13051,7 +13160,7 @@ index 8416beb..0776923 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3948,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +3968,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -13060,7 +13169,7 @@ index 8416beb..0776923 100644 ## ## ## -@@ -3429,7 +3985,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4005,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -13069,7 +13178,7 @@ index 8416beb..0776923 100644 ## ## ## -@@ -3447,7 +4003,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4023,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -13078,7 +13187,7 @@ index 8416beb..0776923 100644 ## ## ## -@@ -3815,6 +4371,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4391,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## 
@@ -13103,7 +13212,7 @@ index 8416beb..0776923 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +4482,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +4502,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -13112,7 +13221,7 @@ index 8416beb..0776923 100644 ## ## ## -@@ -3916,17 +4490,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +4510,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -13133,7 +13242,7 @@ index 8416beb..0776923 100644 ## ## ## -@@ -3934,17 +4508,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +4528,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -13154,7 +13263,7 @@ index 8416beb..0776923 100644 ## ## ## -@@ -3952,17 +4526,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +4546,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -13194,7 +13303,7 @@ index 8416beb..0776923 100644 ## ## ## -@@ -3970,31 +4563,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +4583,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -13250,7 +13359,7 @@ index 8416beb..0776923 100644 ') ######################################## -@@ -4105,7 +4715,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -13259,7 +13368,7 @@ index 8416beb..0776923 100644 ') ######################################## -@@ -4165,6 +4775,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -13284,7 +13393,7 @@ index 8416beb..0776923 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +4830,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## 
@@ -13293,7 +13402,7 @@ index 8416beb..0776923 100644 ## ## ## -@@ -4221,6 +4849,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -13354,7 +13463,7 @@ index 8416beb..0776923 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +4960,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -13399,7 +13508,7 @@ index 8416beb..0776923 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5017,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -13425,7 +13534,7 @@ index 8416beb..0776923 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5242,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5262,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -13434,7 +13543,7 @@ index 8416beb..0776923 100644 ') ######################################## -@@ -4549,7 +5290,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5310,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -13443,7 +13552,7 @@ index 8416beb..0776923 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5337,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -13470,7 +13579,7 @@ index 8416beb..0776923 100644 ## Get the quotas of all filesystems. ## ## -@@ -4912,3 +5673,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +5693,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -13649,7 +13758,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..cc924ae 100644 +index 649e458..d47750f 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -13965,7 +14074,7 @@ index 649e458..cc924ae 100644 ## Unconfined access to kernel module resources. ##
## -@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -14028,6 +14137,7 @@ index 649e458..cc924ae 100644 + ') + + allow $1 kernel_t:unix_stream_socket rw_socket_perms; ++ allow $1 kernel_t:fd use; +') + +######################################## @@ -15603,7 +15713,7 @@ index 7d45d15..22c9cfe 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 771bce1..55ebf4b 100644 +index 771bce1..5bbf50b 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` @@ -15615,7 +15725,33 @@ index 771bce1..55ebf4b 100644 # When user logs in from /dev/console, relabel it # to user tty type as well. type_change $1 console_device_t:chr_file $2; -@@ -208,6 +208,27 @@ interface(`term_use_all_terms',` +@@ -133,6 +133,25 @@ interface(`term_user_tty',` + + ######################################## + ## ++## Create the /dev/pts directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_create_pty_dir',` ++ gen_require(` ++ type devpts_t; ++ ') ++ ++ allow $1 devpts_t:dir create_dir_perms; ++ dev_filetrans($1, devpts_t, dir, "devpts") ++') ++ ++######################################## ++## + ## Create a pty in the /dev/pts directory. + ## + ## +@@ -208,6 +227,27 @@ interface(`term_use_all_terms',` ######################################## ## @@ -15643,7 +15779,7 @@ index 771bce1..55ebf4b 100644 ## Write to the console. ## ## -@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',` +@@ -274,7 +314,6 @@ interface(`term_dontaudit_read_console',` ## Domain allowed access. ##
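Review bot: `allow $1 kernel_t:fd use;` is added to an interface whose only other visible rule is `allow $1 kernel_t:unix_stream_socket rw_socket_perms;`, and neither the hunk nor the subject list says which caller needs to inherit kernel file descriptors; the interface's name and header comment are outside the hunk. If its summary still describes a stream connect to the kernel, it should be extended to mention fd use, or the rule should go in a separate interface so callers that only need the socket do not receive it.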
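Review bot: `dev_filetrans($1, devpts_t, dir, "devpts")` in the new `term_create_pty_dir()` keys the name-based transition on a directory literally named `devpts`, while the interface's own summary says it creates `/dev/pts` and the terminal.fc line in the preceding hunk labels `.../devices/pts`; a directory created as `pts` under `/dev` would presumably not pick up `devpts_t` from this rule and would keep whatever the parent's default gives it. Unless `devpts` is really the intended name, the last argument should be `"pts"`. The accompanying `allow $1 devpts_t:dir create_dir_perms;` is unaffected.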
## @@ -15651,7 +15787,7 @@ index 771bce1..55ebf4b 100644 # interface(`term_use_console',` gen_require(` -@@ -299,9 +319,12 @@ interface(`term_use_console',` +@@ -299,9 +338,12 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; @@ -15665,7 +15801,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',` +@@ -384,6 +426,42 @@ interface(`term_getattr_pty_fs',` ######################################## ## @@ -15708,7 +15844,7 @@ index 771bce1..55ebf4b 100644 ## Relabel from and to pty filesystem. ## ## -@@ -481,6 +540,24 @@ interface(`term_list_ptys',` +@@ -481,6 +559,24 @@ interface(`term_list_ptys',` ######################################## ## @@ -15733,7 +15869,7 @@ index 771bce1..55ebf4b 100644 ## Do not audit attempts to read the ## /dev/pts directory. ## -@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',` +@@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',` ######################################## ## @@ -15742,7 +15878,7 @@ index 771bce1..55ebf4b 100644 ## write the generic pty type. This is ## generally only used in the targeted policy. ## -@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',` +@@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',` type devpts_t; ') @@ -15750,7 +15886,7 @@ index 771bce1..55ebf4b 100644 dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') -@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',` +@@ -879,6 +976,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -15777,7 +15913,7 @@ index 771bce1..55ebf4b 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') 
@@ -15786,7 +15922,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',` +@@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',` ') dev_list_all_dev_nodes($1) @@ -15795,7 +15931,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',` +@@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',` ##
## ## @@ -15804,7 +15940,7 @@ index 771bce1..55ebf4b 100644 ## ## # -@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -15853,7 +15989,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -15867,7 +16003,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -15880,7 +16016,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -15909,7 +16045,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -15918,7 +16054,7 @@ index 771bce1..55ebf4b 100644 ') ######################################## -@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -15927,7 +16063,7 @@ index 771bce1..55ebf4b 100644 ## ## # -@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -16857,10 +16993,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..45f4d0a 100644 +index 88d0028..c461b2b 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,80 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -16932,6 +17068,7 @@ index 88d0028..45f4d0a 100644 +sysnet_filetrans_named_content(sysadm_t) # Add/remove user home directories ++userdom_manage_user_tmp_chr_files(sysadm_t) userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) +userdom_manage_tmp_role(sysadm_r, sysadm_t) @@ -16951,7 +17088,7 @@ index 88d0028..45f4d0a 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +96,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -16966,7 +17103,7 @@ index 88d0028..45f4d0a 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +105,9 @@ optional_policy(` +@@ -71,9 +106,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -16977,7 +17114,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -87,6 +121,7 @@ optional_policy(` +@@ -87,6 +122,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -16985,7 +17122,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -110,11 +145,17 @@ optional_policy(` +@@ -110,11 +146,17 @@ optional_policy(` ') optional_policy(` @@ -17003,7 +17140,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -122,11 +163,19 @@ optional_policy(` +@@ -122,11 +164,19 @@ optional_policy(` ') optional_policy(` @@ -17025,7 +17162,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -140,6 +189,10 @@ optional_policy(` +@@ -140,6 +190,10 @@ optional_policy(` ') optional_policy(` @@ -17036,7 +17173,7 @@ index 88d0028..45f4d0a 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +209,11 @@ optional_policy(` +@@ -156,11 +210,11 @@ optional_policy(` ') optional_policy(` 
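Review bot: The new `userdom_manage_user_tmp_chr_files(sysadm_t)` line is inserted between the comment `# Add/remove user home directories` and the two `userdom_*home*` calls that comment describes, so the comment now reads as if it explains the tmp character-file rule. Move the line above the comment, or below the home-dir block next to `userdom_manage_tmp_role`, and give it its own one-line reason; the commit message does not say which sysadm task needs to manage character-device nodes in user tmp.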
@@ -17050,7 +17187,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -179,6 +232,13 @@ optional_policy(` +@@ -179,6 +233,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -17064,7 +17201,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -186,15 +246,20 @@ optional_policy(` +@@ -186,15 +247,20 @@ optional_policy(` ') optional_policy(` @@ -17088,7 +17225,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -214,22 +279,20 @@ optional_policy(` +@@ -214,22 +280,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -17117,7 +17254,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -241,14 +304,27 @@ optional_policy(` +@@ -241,14 +305,27 @@ optional_policy(` ') optional_policy(` @@ -17145,7 +17282,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -256,10 +332,20 @@ optional_policy(` +@@ -256,10 +333,20 @@ optional_policy(` ') optional_policy(` @@ -17166,7 +17303,7 @@ index 88d0028..45f4d0a 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +356,36 @@ optional_policy(` +@@ -270,31 +357,36 @@ optional_policy(` ') optional_policy(` @@ -17210,7 +17347,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -319,12 +410,18 @@ optional_policy(` +@@ -319,12 +411,18 @@ optional_policy(` ') optional_policy(` @@ -17230,7 +17367,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -349,7 +446,18 @@ optional_policy(` +@@ -349,7 +447,18 @@ optional_policy(` ') optional_policy(` @@ -17250,7 +17387,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -360,19 +468,15 @@ optional_policy(` +@@ -360,19 +469,15 @@ optional_policy(` ') optional_policy(` 
@@ -17272,7 +17409,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -384,10 +488,6 @@ optional_policy(` +@@ -384,10 +489,6 @@ optional_policy(` ') optional_policy(` @@ -17283,7 +17420,7 @@ index 88d0028..45f4d0a 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +495,9 @@ optional_policy(` +@@ -395,6 +496,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -17293,7 +17430,7 @@ index 88d0028..45f4d0a 100644 ') optional_policy(` -@@ -402,31 +505,34 @@ optional_policy(` +@@ -402,31 +506,34 @@ optional_policy(` ') optional_policy(` @@ -17334,7 +17471,7 @@ index 88d0028..45f4d0a 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +545,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +546,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17345,7 +17482,7 @@ index 88d0028..45f4d0a 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +565,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +566,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19896,7 +20033,7 @@ index fe0c682..871b8fd 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..b87b076 100644 +index 5fc0391..994eec2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20129,7 +20266,7 @@ index 5fc0391..b87b076 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +248,50 @@ optional_policy(` +@@ -223,33 +248,53 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; 
@@ -20144,6 +20281,9 @@ index 5fc0391..b87b076 100644 kernel_link_key(sshd_t) +files_search_all(sshd_t) ++ ++fs_search_cgroup_dirs(sshd_t) ++fs_rw_cgroup_files(sshd_t) + term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) @@ -20189,7 +20329,7 @@ index 5fc0391..b87b076 100644 ') optional_policy(` -@@ -257,11 +299,24 @@ optional_policy(` +@@ -257,11 +302,24 @@ optional_policy(` ') optional_policy(` @@ -20215,7 +20355,7 @@ index 5fc0391..b87b076 100644 ') optional_policy(` -@@ -269,6 +324,10 @@ optional_policy(` +@@ -269,6 +327,10 @@ optional_policy(` ') optional_policy(` @@ -20226,7 +20366,7 @@ index 5fc0391..b87b076 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +338,69 @@ optional_policy(` +@@ -279,13 +341,69 @@ optional_policy(` ') optional_policy(` @@ -20296,7 +20436,7 @@ index 5fc0391..b87b076 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +409,26 @@ optional_policy(` +@@ -294,19 +412,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20324,7 +20464,7 @@ index 5fc0391..b87b076 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +445,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +448,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20337,7 +20477,7 @@ index 5fc0391..b87b076 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +459,138 @@ optional_policy(` +@@ -331,3 +462,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -22179,7 +22319,7 @@ index 6bf0ecc..f0080ba 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..cb2c21b 100644 +index 2696452..4690551 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,57 @@ gen_require(` 
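Review bot: `fs_search_cgroup_dirs(sshd_t)` and `fs_rw_cgroup_files(sshd_t)` are added unconditionally, so every sshd_t instance gains write access to cgroup files, although the commit message ties the need to OpenShift Enterprise nodes only. Writing cgroup files is a system-wide resource-control surface rather than a general ssh daemon requirement, and without a note the reason is easily lost. At minimum add a comment above the pair, e.g. `# needed on openshift nodes (see commit message) -- consider gating with a tunable`, and if practical put the two calls behind a boolean so other hosts keep the narrower policy.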
@@ -23228,7 +23368,7 @@ index 2696452..cb2c21b 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1142,27 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23238,6 +23378,7 @@ index 2696452..cb2c21b 100644 # raw memory access is needed if not using the frame buffer dev_read_raw_memory(xserver_t) dev_wx_raw_memory(xserver_t) ++dev_read_urand(xserver_t) # for other device nodes such as the NVidia binary-only driver -dev_rw_xserver_misc(xserver_t) +dev_manage_xserver_misc(xserver_t) @@ -23259,7 +23400,7 @@ index 2696452..cb2c21b 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23277,7 +23418,7 @@ index 2696452..cb2c21b 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1196,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1197,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23301,7 +23442,7 @@ index 2696452..cb2c21b 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23310,7 +23451,7 @@ index 2696452..cb2c21b 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1259,44 @@ optional_policy(` +@@ -775,16 +1260,44 @@ optional_policy(` ') optional_policy(` 
@@ -23356,7 +23497,7 @@ index 2696452..cb2c21b 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1305,10 @@ optional_policy(` +@@ -793,6 +1306,10 @@ optional_policy(` ') optional_policy(` @@ -23367,7 +23508,7 @@ index 2696452..cb2c21b 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23381,7 +23522,7 @@ index 2696452..cb2c21b 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23390,7 +23531,7 @@ index 2696452..cb2c21b 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1348,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1349,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23425,7 +23566,7 @@ index 2696452..cb2c21b 100644 ') optional_policy(` -@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23434,7 +23575,7 @@ index 2696452..cb2c21b 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23466,7 +23607,7 @@ index 2696452..cb2c21b 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1513,41 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1514,41 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -26804,7 +26945,7 @@ index 24e7804..d0780a9 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..969bda2 100644 +index dd3be8d..71d7cb6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -26991,7 +27132,7 @@ index dd3be8d..969bda2 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +222,48 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -27015,6 +27156,7 @@ index dd3be8d..969bda2 100644 +allow init_t security_t:security load_policy; -term_use_all_terms(init_t) ++term_create_pty_dir(init_t) +term_use_unallocated_ttys(init_t) +term_use_console(init_t) +term_use_all_inherited_terms(init_t) 
@@ -27043,7 +27185,7 @@ index dd3be8d..969bda2 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +272,178 @@ ifdef(`distro_gentoo',` +@@ -186,29 +273,178 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -27230,7 +27372,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -216,6 +451,27 @@ optional_policy(` +@@ -216,6 +452,27 @@ optional_policy(` ') optional_policy(` @@ -27258,7 +27400,7 @@ index dd3be8d..969bda2 100644 unconfined_domain(init_t) ') -@@ -225,8 +481,9 @@ optional_policy(` +@@ -225,8 +482,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -27270,7 +27412,7 @@ index dd3be8d..969bda2 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +514,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +515,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -27287,7 +27429,7 @@ index dd3be8d..969bda2 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +539,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +540,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -27330,7 +27472,7 @@ index dd3be8d..969bda2 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +576,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +577,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -27342,7 +27484,7 @@ index dd3be8d..969bda2 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +588,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +589,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -27353,7 +27495,7 @@ index dd3be8d..969bda2 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +599,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +600,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -27363,7 +27505,7 @@ index dd3be8d..969bda2 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +608,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +609,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -27371,7 +27513,7 @@ index dd3be8d..969bda2 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +616,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -27379,7 +27521,7 @@ index dd3be8d..969bda2 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +623,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +624,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -27397,7 +27539,7 @@ index dd3be8d..969bda2 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +641,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +642,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -27411,7 +27553,7 @@ index dd3be8d..969bda2 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +656,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +657,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -27425,7 +27567,7 @@ index dd3be8d..969bda2 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +669,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +670,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -27433,7 +27575,7 @@ index dd3be8d..969bda2 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +681,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +682,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -27441,7 +27583,7 @@ index dd3be8d..969bda2 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +700,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +701,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -27465,7 +27607,7 @@ index dd3be8d..969bda2 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +733,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +734,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -27473,7 +27615,7 @@ index dd3be8d..969bda2 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +767,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +768,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -27484,7 +27626,7 @@ index dd3be8d..969bda2 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +791,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +792,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -27493,7 +27635,7 @@ index dd3be8d..969bda2 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +806,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +807,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -27501,7 +27643,7 @@ index dd3be8d..969bda2 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +827,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +828,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -27509,7 +27651,7 @@ index dd3be8d..969bda2 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +837,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +838,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -27554,7 +27696,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -558,14 +882,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +883,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -27586,7 +27728,7 @@ index dd3be8d..969bda2 100644 ') ') -@@ -576,6 +917,39 @@ ifdef(`distro_suse',` +@@ -576,6 +918,39 @@ ifdef(`distro_suse',` ') ') 
@@ -27626,7 +27768,7 @@ index dd3be8d..969bda2 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +962,8 @@ optional_policy(` +@@ -588,6 +963,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -27635,7 +27777,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -609,6 +985,7 @@ optional_policy(` +@@ -609,6 +986,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -27643,7 +27785,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -625,6 +1002,17 @@ optional_policy(` +@@ -625,6 +1003,17 @@ optional_policy(` ') optional_policy(` @@ -27661,7 +27803,7 @@ index dd3be8d..969bda2 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1029,13 @@ optional_policy(` +@@ -641,9 +1030,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -27675,7 +27817,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -656,15 +1048,11 @@ optional_policy(` +@@ -656,15 +1049,11 @@ optional_policy(` ') optional_policy(` @@ -27693,7 +27835,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -685,6 +1073,15 @@ optional_policy(` +@@ -685,6 +1074,15 @@ optional_policy(` ') optional_policy(` @@ -27709,7 +27851,7 @@ index dd3be8d..969bda2 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1122,7 @@ optional_policy(` +@@ -725,6 +1123,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -27717,7 +27859,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -742,7 +1140,14 @@ optional_policy(` +@@ -742,7 +1141,14 @@ optional_policy(` ') optional_policy(` @@ -27732,7 +27874,7 @@ index dd3be8d..969bda2 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1170,10 @@ optional_policy(` +@@ -765,6 +1171,10 @@ optional_policy(` ') optional_policy(` 
@@ -27743,7 +27885,7 @@ index dd3be8d..969bda2 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1183,20 @@ optional_policy(` +@@ -774,10 +1184,20 @@ optional_policy(` ') optional_policy(` @@ -27764,7 +27906,7 @@ index dd3be8d..969bda2 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1205,10 @@ optional_policy(` +@@ -786,6 +1206,10 @@ optional_policy(` ') optional_policy(` @@ -27775,7 +27917,7 @@ index dd3be8d..969bda2 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1230,6 @@ optional_policy(` +@@ -807,8 +1231,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -27784,7 +27926,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -817,6 +1238,10 @@ optional_policy(` +@@ -817,6 +1239,10 @@ optional_policy(` ') optional_policy(` @@ -27795,7 +27937,7 @@ index dd3be8d..969bda2 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1251,12 @@ optional_policy(` +@@ -826,10 +1252,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -27808,7 +27950,7 @@ index dd3be8d..969bda2 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1283,27 @@ optional_policy(` +@@ -856,12 +1284,27 @@ optional_policy(` ') optional_policy(` @@ -27837,7 +27979,7 @@ index dd3be8d..969bda2 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1313,18 @@ optional_policy(` +@@ -871,6 +1314,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -27856,7 +27998,7 @@ index dd3be8d..969bda2 100644 ') optional_policy(` -@@ -886,6 +1340,10 @@ optional_policy(` +@@ -886,6 +1341,10 @@ optional_policy(` ') optional_policy(` 
@@ -27867,7 +28009,7 @@ index dd3be8d..969bda2 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1354,196 @@ optional_policy(` +@@ -896,3 +1355,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -28294,7 +28436,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..35992c7 100644 +index 9e54bf9..b6e9ebc 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
@@ -28377,20 +28519,30 @@ index 9e54bf9..35992c7 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -187,9 +197,9 @@ optional_policy(` +@@ -187,10 +197,10 @@ optional_policy(` # ipsec_mgmt Local policy # -allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; +-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; +allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace }; +dontaudit ipsec_mgmt_t self:capability sys_tty_config; +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; - allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; ++allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -246,6 +256,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) + allow ipsec_mgmt_t self:key_socket create_socket_perms; +@@ -210,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; + files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) + + manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) ++manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) + manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) + + allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; +@@ -246,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) 
@@ -28407,7 +28559,7 @@ index 9e54bf9..35992c7 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +275,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -28416,7 +28568,7 @@ index 9e54bf9..35992c7 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +300,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -28428,7 +28580,7 @@ index 9e54bf9..35992c7 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +313,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -28441,6 +28593,8 @@ index 9e54bf9..35992c7 100644 sysnet_etc_filetrans_config(ipsec_mgmt_t) -userdom_use_user_terminals(ipsec_mgmt_t) ++systemd_exec_systemctl(ipsec_mgmt_t) ++ +userdom_use_inherited_user_terminals(ipsec_mgmt_t) + +optional_policy(` @@ -28450,7 +28604,7 @@ index 9e54bf9..35992c7 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -370,13 +394,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -28470,7 +28624,7 @@ index 9e54bf9..35992c7 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +424,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) 
@@ -28483,7 +28637,7 @@ index 9e54bf9..35992c7 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +462,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -28583,7 +28737,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..aa4d8fc 100644 +index 5dfa44b..022d91d 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; @@ -28665,7 +28819,7 @@ index 5dfa44b..aa4d8fc 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,11 +104,14 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -28674,7 +28828,13 @@ index 5dfa44b..aa4d8fc 100644 ') optional_policy(` -@@ -124,6 +128,7 @@ optional_policy(` + firstboot_use_fds(iptables_t) + firstboot_rw_pipes(iptables_t) ++ firewalld_dontaudit_write_tmp_files(iptables_t) + ') + + optional_policy(` +@@ -124,6 +129,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -28682,7 +28842,7 @@ index 5dfa44b..aa4d8fc 100644 ') optional_policy(` -@@ -135,9 +140,9 @@ optional_policy(` +@@ -135,9 +141,9 @@ optional_policy(` ') optional_policy(` @@ -28694,7 +28854,7 @@ index 5dfa44b..aa4d8fc 100644 optional_policy(` diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..46439b4 100644 +index 73bb3c0..dc79c6f 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ 
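Review bot: `firewalld_dontaudit_write_tmp_files(iptables_t)` is added inside the optional_policy block that holds `firstboot_use_fds(iptables_t)` and `firstboot_rw_pipes(iptables_t)`, so it is only compiled together with the firstboot module and, conversely, the firstboot rules are dropped whenever the firewalld module is absent. Each optional module should get its own optional_policy block, so move the firewalld call into a new block containing only that line, placed alphabetically after the fail2ban block like the other entries in this file.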
@@ -28856,7 +29016,7 @@ index 73bb3c0..46439b4 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +310,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -28891,6 +29051,7 @@ index 73bb3c0..46439b4 100644 -/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) +/var/spool/postfix/lib/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) + ++/usr/lib/libbcm_host\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libmyth[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/mythtv/filters/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + @@ -31893,7 +32054,7 @@ index 4584457..e432df3 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..ca097a7 100644 +index 6a50270..8288fd0 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) @@ -31974,7 +32135,7 @@ index 6a50270..ca097a7 100644 +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+files_pid_filetrans(mount_t,mount_var_run_t,dir) ++files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount") +files_var_filetrans(mount_t,mount_var_run_t,dir) +dev_filetrans(mount_t, mount_var_run_t, dir) + @@ -32165,7 +32326,7 @@ index 6a50270..ca097a7 100644 ') optional_policy(` -@@ -186,6 +262,36 @@ optional_policy(` +@@ -186,6 +262,40 @@ optional_policy(` ') optional_policy(` 
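Review bot: The new `/usr/lib/libbcm_host\.so` entry in libraries.fc assigns `textrel_shlib_t` with no comment, and the only explanation (the library being built incorrectly on the Raspberry Pi) lives in the commit message. Since that type is the one that carries the text-relocation (`execmod`) allowance, the reason belongs in the fc file so the exception is not copied to other libraries or kept past its need. Add above the entry `# Raspberry Pi libbcm_host.so is built with text relocations; drop once the upstream build is fixed`.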
@@ -32177,6 +32338,10 @@ index 6a50270..ca097a7 100644 +') + +optional_policy(` ++ fsadm_manage_pid(mount_t) ++') ++ ++optional_policy(` + glusterd_domtrans(mount_t) +') + @@ -32202,7 +32367,7 @@ index 6a50270..ca097a7 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +300,129 @@ optional_policy(` +@@ -194,24 +304,128 @@ optional_policy(` ') optional_policy(` @@ -32270,17 +32435,17 @@ index 6a50270..ca097a7 100644 + +optional_policy(` + unconfined_write_keys(mount_t) ++') ++ ++optional_policy(` ++ virt_read_blk_images(mount_t) +') optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) -+ virt_read_blk_images(mount_t) - ') -+ -+optional_policy(` + vmware_exec_host(mount_t) -+') + ') + +###################################### +# @@ -32338,7 +32503,6 @@ index 6a50270..ca097a7 100644 +fs_read_ecryptfs_files(mount_ecryptfs_t) + +auth_use_nsswitch(mount_ecryptfs_t) -+ diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc index b263a8a..9348c8c 100644 --- a/policy/modules/system/netlabel.fc @@ -41933,7 +42097,7 @@ index 3c5dba7..08ce1e5 100644 + userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates") ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..77626dd 100644 +index e2b538b..211263f 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) 
@@ -42021,7 +42185,7 @@ index e2b538b..77626dd 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +82,222 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -42089,6 +42253,10 @@ index e2b538b..77626dd 100644 +') + +optional_policy(` ++ gssproxy_stream_connect(userdomain) ++') ++ ++optional_policy(` + gnome_filetrans_home_content(userdomain) +') + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 407bc60e..f091d89f 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..ad5a65f 100644 +index e4f84de..4e4cbd4 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,30 +1,39 @@ +@@ -1,30 +1,40 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) @@ -15,6 +15,7 @@ index e4f84de..ad5a65f 100644 +/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0) + +/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) ++/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) +/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0) + @@ -517,7 +518,7 @@ index 058d908..702b716 100644 +') + 
diff --git a/abrt.te b/abrt.te -index cc43d25..ffbe9e5 100644 +index cc43d25..5e60ff3 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -666,7 +667,8 @@ index cc43d25..ffbe9e5 100644 +# abrt local policy # - allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; +-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; ++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace }; dontaudit abrt_t self:capability sys_rawio; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + @@ -939,7 +941,7 @@ index cc43d25..ffbe9e5 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,30 +410,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -981,8 +983,10 @@ index cc43d25..ffbe9e5 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +450,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) + domain_use_interactive_fds(abrt_dump_oops_t) + fs_list_inotifyfs(abrt_dump_oops_t) ++fs_list_pstorefs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t) @@ -999,7 +1003,7 @@ index cc43d25..ffbe9e5 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +467,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -10385,10 +10389,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..ba0a059 +index 0000000..f4a8884 --- /dev/null 
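Review bot: The `sys_ptrace` capability added to `allow abrt_t self:capability { ... }` in the abrt.te hunk `@@ -666,7 +667,8 @@` comes with no comment, and the changelog entry only restates the grant. CAP_SYS_PTRACE lets a root daemon inspect processes it does not own, so for a service that handles crash data from arbitrary processes the denial that motivated it should be recorded, e.g. `# sys_ptrace: <bug or denial that required it>` on the line above the allow. If the underlying access was reading another process's /proc state, a matching `:process` rule may be needed as well; that cannot be judged from this hunk.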
+++ b/chrome.te -@@ -0,0 +1,236 @@ +@@ -0,0 +1,237 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -10596,6 +10600,7 @@ index 0000000..ba0a059 + +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) +ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) ++ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t) + +manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) @@ -12168,7 +12173,7 @@ index 8e27a37..825f537 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 09f18e2..f0cade4 100644 +index 09f18e2..9d70983 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) @@ -12219,8 +12224,9 @@ index 09f18e2..f0cade4 100644 files_list_mnt(colord_t) -files_read_usr_files(colord_t) - fs_getattr_noxattr_fs(colord_t) +-fs_getattr_noxattr_fs(colord_t) -fs_getattr_tmpfs(colord_t) ++fs_getattr_all_fs(colord_t) fs_list_noxattr_fs(colord_t) fs_read_noxattr_fs_files(colord_t) fs_search_all(colord_t) @@ -22900,7 +22906,7 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index 5cf6ac6..839999e 100644 +index 5cf6ac6..62547ee 100644 --- a/firewalld.if +++ b/firewalld.if @@ -2,6 +2,66 @@ 
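Review bot: The new `ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)` in chrome.te reverses the existing direction and lets the NaCl domain list and read the outer sandbox process's /proc entries and getattr its process, without a comment saying which access was denied. If `chrome_sandbox_nacl_t` is meant to be the more tightly confined of the two domains, a read from it into `chrome_sandbox_t` should be justified and, where possible, narrowed to the specific permission rather than the full pattern. Suggested comment above the line: `# nacl helper reads the sandbox's /proc/<pid> for <reason from the denial>`.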
@@ -22970,18 +22976,37 @@ index 5cf6ac6..839999e 100644 ## Send and receive messages from ## firewalld over dbus. ## -@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',` +@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',` ######################################## ## -## All of the rules required to -## administrate an firewalld environment. ++## Dontaudit attempts to write ++## firewalld tmp files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`firewalld_dontaudit_write_tmp_files',` ++ gen_require(` ++ type firewalld_tmp_t; ++ ') ++ ++ dontaudit $1 firewalld_tmp_t:file write; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an firewalld environment ## ## ## -@@ -45,10 +105,14 @@ interface(`firewalld_admin',` +@@ -45,10 +124,14 @@ interface(`firewalld_admin',` type firewalld_var_log_t; ') @@ -22998,7 +23023,7 @@ index 5cf6ac6..839999e 100644 domain_system_change_exemption($1) role_transition $2 firewalld_initrc_exec_t system_r; allow $2 system_r; -@@ -59,6 +123,9 @@ interface(`firewalld_admin',` +@@ -59,6 +142,9 @@ interface(`firewalld_admin',` logging_search_logs($1) admin_pattern($1, firewalld_var_log_t) 
@@ -28202,6 +28227,298 @@ index 25f09ae..3085534 100644 optional_policy(` chronyd_rw_shm(gpsd_t) chronyd_stream_connect(gpsd_t) +diff --git a/gssproxy.fc b/gssproxy.fc +new file mode 100644 +index 0000000..404ae4f +--- /dev/null ++++ b/gssproxy.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0) ++ ++/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) ++ ++/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) ++ ++/var/run/gssproxy.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0) +diff --git a/gssproxy.if b/gssproxy.if +new file mode 100644 +index 0000000..072ddb0 +--- /dev/null ++++ b/gssproxy.if +@@ -0,0 +1,203 @@ ++ ++## policy for gssproxy ++ ++######################################## ++## ++## Execute TEMPLATE in the gssproxy domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gssproxy_domtrans',` ++ gen_require(` ++ type gssproxy_t, gssproxy_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) ++') ++ ++######################################## ++## ++## Search gssproxy lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_search_lib',` ++ gen_require(` ++ type gssproxy_var_lib_t; ++ ') ++ ++ allow $1 gssproxy_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read gssproxy lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_read_lib_files',` ++ gen_require(` ++ type gssproxy_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) ++') ++ ++######################################## ++## ++## Manage gssproxy lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gssproxy_manage_lib_files',` ++ gen_require(` ++ type gssproxy_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) ++') ++ ++######################################## ++## ++## Manage gssproxy lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_manage_lib_dirs',` ++ gen_require(` ++ type gssproxy_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) ++') ++ ++######################################## ++## ++## Read gssproxy PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_read_pid_files',` ++ gen_require(` ++ type gssproxy_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t) ++') ++ ++######################################## ++## ++## Execute gssproxy server in the gssproxy domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gssproxy_systemctl',` ++ gen_require(` ++ type gssproxy_t; ++ type gssproxy_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 gssproxy_unit_file_t:file read_file_perms; ++ allow $1 gssproxy_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, gssproxy_t) ++') ++ ++######################################## ++## ++## Connect to gssproxy over an unix ++## domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_stream_connect',` ++ gen_require(` ++ type gssproxy_t, gssproxy_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gssproxy environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`gssproxy_admin',` ++ gen_require(` ++ type gssproxy_t; ++ type gssproxy_var_lib_t; ++ type gssproxy_var_run_t; ++ type gssproxy_unit_file_t; ++ ') ++ ++ allow $1 gssproxy_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, gssproxy_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, gssproxy_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, gssproxy_var_run_t) ++ ++ gssproxy_systemctl($1) ++ admin_pattern($1, gssproxy_unit_file_t) ++ allow $1 gssproxy_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/gssproxy.te b/gssproxy.te +new file mode 100644 +index 0000000..6f0253c +--- /dev/null ++++ b/gssproxy.te +@@ -0,0 +1,64 @@ ++policy_module(gssproxy, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type gssproxy_t; ++type gssproxy_exec_t; ++init_daemon_domain(gssproxy_t, gssproxy_exec_t) ++ ++type gssproxy_var_lib_t; ++files_type(gssproxy_var_lib_t) ++ ++type gssproxy_var_run_t; ++files_pid_file(gssproxy_var_run_t) ++ ++type gssproxy_unit_file_t; ++systemd_unit_file(gssproxy_unit_file_t) ++ ++######################################## ++# ++# gssproxy local policy ++# ++allow gssproxy_t self:capability2 block_suspend; ++allow gssproxy_t self:fifo_file rw_fifo_file_perms; ++allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) ++manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) ++manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) ++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) ++files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) 
++manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) ++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) ++files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file }) ++ ++kernel_rw_rpc_sysctls(gssproxy_t) ++ ++domain_use_interactive_fds(gssproxy_t) ++ ++files_read_etc_files(gssproxy_t) ++ ++auth_use_nsswitch(gssproxy_t) ++ ++dev_read_urand(gssproxy_t) ++ ++logging_send_syslog_msg(gssproxy_t) ++ ++miscfiles_read_localization(gssproxy_t) ++ ++userdom_manage_user_tmp_dirs(gssproxy_t) ++userdom_manage_user_tmp_files(gssproxy_t) ++ ++optional_policy(` ++ kerberos_use(gssproxy_t) ++') ++ ++optional_policy(` ++ kerberos_keytab_template(gssproxy, gssproxy_t) ++ kerberos_manage_host_rcache(gssproxy_t) ++') diff --git a/guest.te b/guest.te index d928711..93d2d83 100644 --- a/guest.te @@ -48498,10 +48815,10 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..0dd82f8 +index 0000000..6c841fa --- /dev/null +++ b/openshift.if -@@ -0,0 +1,656 @@ +@@ -0,0 +1,676 @@ + +## policy for openshift + @@ -48740,7 +49057,27 @@ index 0000000..0dd82f8 + type openshift_var_lib_t; + ') + -+ allow $1 openshift_var_lib_t:dir search_dir_perms; ++ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Getattr openshift lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_getattr_lib',` ++ gen_require(` ++ type openshift_var_lib_t; ++ ') ++ ++ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t) + files_search_var_lib($1) +') + 
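Review bot: `gssproxy_stream_connect` in the new gssproxy.if targets `gssproxy_var_run_t` and calls `files_search_pids`, but gssproxy.te only grants `manage_sock_files_pattern` on `gssproxy_var_lib_t`, its pid-dir filetrans covers only `{ dir file lnk_file }`, and gssproxy.fc labels nothing but `gssproxy.pid` under /var/run, so a socket the daemon creates under /var/lib/gssproxy would carry `gssproxy_var_lib_t` and the `gssproxy_stream_connect(userdomain)` grant added in userdomain.te would not match it. If the socket does live under /var/lib, change the interface to `type gssproxy_t, gssproxy_var_lib_t;`, `files_search_var_lib($1)` and `stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)`. Separately, `gssproxy_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `gssproxy_admin` calls `systemd_read_fifo_file_passwd_run($1)`; one spelling is presumably wrong and should be checked against systemd.if. The summary of `gssproxy_domtrans` still reads `Execute TEMPLATE in the gssproxy domin.` and should be `Execute gssproxy in the gssproxy domain.`, and the `gssproxy_systemctl` summary describes a domain transition rather than the unit-file control it actually grants.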
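Review bot: `openshift_search_lib` in the openshift.if hunk `@@ -48740,7 +49057,27 @@` now grants `getattr_files_pattern` on top of directory search, so every caller of a search interface silently gains file getattr, which is exactly what the new `openshift_getattr_lib` interface was added to provide on its own. Either keep `openshift_search_lib` to the directory pattern and have the caller that needed it (presumably the SSH-into-node case from the changelog) call `openshift_getattr_lib` as well, or add a comment in the interface body such as `# file getattr is required here because <reason from the denial>` so the widening is deliberate and traceable.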
@@ -48986,7 +49323,7 @@ index 0000000..0dd82f8 +## +## +# -+template(`openshift_net_type',` ++interface(`openshift_net_type',` + gen_require(` + attribute openshift_net_domain; + ') @@ -57211,7 +57548,7 @@ index cd8b8b9..cde0d62 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..49bdf0d 100644 +index b2b5dba..7b8a7d1 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ @@ -57402,14 +57739,14 @@ index b2b5dba..49bdf0d 100644 -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) -- ++# for scripts + -term_use_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t) -term_ioctl_generic_ptys(pppd_t) -term_create_pty(pppd_t, pppd_devpts_t) -term_use_generic_ptys(pppd_t) -+# for scripts - +- -init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t) init_read_utmp(pppd_t) -init_signal_script(pppd_t) @@ -57551,6 +57888,17 @@ index b2b5dba..49bdf0d 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) +@@ -299,6 +318,10 @@ optional_policy(` + ') + + optional_policy(` ++ gnome_dontaudit_search_config(pppd_t) ++') ++ ++optional_policy(` + dbus_system_domain(pppd_t, pppd_exec_t) + + optional_policy(` diff --git a/prelink.fc b/prelink.fc index a90d623..62af9a4 100644 --- a/prelink.fc @@ -69772,7 +70120,7 @@ index 0628d50..84f2fd7 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..decdd95 100644 +index 5cbe81c..f79d5f4 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ 
@@ -69830,7 +70178,13 @@ index 5cbe81c..decdd95 100644 type rpm_script_tmp_t; files_tmp_file(rpm_script_tmp_t) -@@ -75,23 +69,28 @@ allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exec +@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t) + # rpm Local policy + # + ++allow rpm_t self:capability2 block_suspend; + allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; + allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_fifo_file_perms; @@ -69864,7 +70218,7 @@ index 5cbe81c..decdd95 100644 manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) -@@ -99,23 +98,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) +@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -69892,7 +70246,7 @@ index 5cbe81c..decdd95 100644 kernel_read_crypto_sysctls(rpm_t) kernel_read_network_state(rpm_t) -@@ -126,41 +121,34 @@ kernel_rw_irq_sysctls(rpm_t) +@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t) corecmd_exec_all_executables(rpm_t) @@ -69948,7 +70302,7 @@ index 5cbe81c..decdd95 100644 fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -183,29 +171,49 @@ selinux_compute_relabel_context(rpm_t) +@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t) selinux_compute_user_contexts(rpm_t) storage_raw_write_fixed_disk(rpm_t) 
@@ -70000,7 +70354,7 @@ index 5cbe81c..decdd95 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -224,13 +232,17 @@ optional_policy(` +@@ -224,13 +233,17 @@ optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -70022,7 +70376,7 @@ index 5cbe81c..decdd95 100644 ') ######################################## -@@ -239,19 +251,20 @@ optional_policy(` +@@ -239,19 +252,20 @@ optional_policy(` # allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; @@ -70046,7 +70400,7 @@ index 5cbe81c..decdd95 100644 allow rpm_script_t rpm_tmp_t:file read_file_perms; allow rpm_script_t rpm_script_tmp_t:dir mounton; -@@ -267,8 +280,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) @@ -70057,7 +70411,7 @@ index 5cbe81c..decdd95 100644 kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) -@@ -277,45 +291,27 @@ kernel_read_network_state(rpm_script_t) +@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t) kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) @@ -70107,7 +70461,7 @@ index 5cbe81c..decdd95 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,30 +327,48 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) 
@@ -70165,7 +70519,7 @@ index 5cbe81c..decdd95 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,40 +377,54 @@ ifdef(`distro_redhat',` +@@ -363,40 +378,54 @@ ifdef(`distro_redhat',` ') ') @@ -70230,7 +70584,7 @@ index 5cbe81c..decdd95 100644 unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -409,6 +437,6 @@ optional_policy(` +@@ -409,6 +438,6 @@ optional_policy(` ') optional_policy(` @@ -87519,7 +87873,7 @@ index 9dec06c..7877729 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..4d026c1 100644 +index 1f22fba..a8390d3 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -88168,7 +88522,7 @@ index 1f22fba..4d026c1 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +352,15 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -88190,12 +88544,13 @@ index 1f22fba..4d026c1 100644 -corenet_tcp_sendrecv_soundd_port(virtd_t) - corenet_rw_tun_tap_dev(virtd_t) ++corenet_relabel_tun_tap_dev(virtd_t) +dev_rw_vfio_dev(virtd_t) dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +371,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -88224,7 +88579,7 @@ index 1f22fba..4d026c1 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +418,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -88244,7 +88599,7 @@ index 1f22fba..4d026c1 100644 selinux_validate_context(virtd_t) -@@ -613,18 +440,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) 
@@ -88279,7 +88634,7 @@ index 1f22fba..4d026c1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +466,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -88288,7 +88643,7 @@ index 1f22fba..4d026c1 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +491,321 @@ optional_policy(` +@@ -658,95 +492,321 @@ optional_policy(` ') optional_policy(` @@ -88658,7 +89013,7 @@ index 1f22fba..4d026c1 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +817,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -88688,7 +89043,7 @@ index 1f22fba..4d026c1 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +836,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -88715,7 +89070,7 @@ index 1f22fba..4d026c1 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +856,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -88747,7 +89102,7 @@ index 1f22fba..4d026c1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +889,20 @@ optional_policy(` +@@ -847,14 +890,20 @@ optional_policy(` ') optional_policy(` 
@@ -88769,7 +89124,7 @@ index 1f22fba..4d026c1 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +927,44 @@ optional_policy(` +@@ -879,34 +928,44 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -88823,7 +89178,7 @@ index 1f22fba..4d026c1 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +974,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -88841,7 +89196,7 @@ index 1f22fba..4d026c1 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +996,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -88852,7 +89207,7 @@ index 1f22fba..4d026c1 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1005,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -88860,7 +89215,7 @@ index 1f22fba..4d026c1 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1017,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -88879,7 +89234,7 @@ index 1f22fba..4d026c1 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1031,36 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -88924,7 +89279,7 @@ index 1f22fba..4d026c1 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1068,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -88951,7 +89306,7 @@ index 1f22fba..4d026c1 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1086,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -88970,7 +89325,7 @@ index 1f22fba..4d026c1 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1105,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) 
@@ -88997,7 +89352,7 @@ index 1f22fba..4d026c1 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1130,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -89136,7 +89491,7 @@ index 1f22fba..4d026c1 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1228,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -89151,7 +89506,7 @@ index 1f22fba..4d026c1 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1246,8 @@ optional_policy(` +@@ -1183,9 +1247,8 @@ optional_policy(` ######################################## # @@ -89162,7 +89517,7 @@ index 1f22fba..4d026c1 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1260,114 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index faf18515..e7e810dc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 47%{?dist} +Release: 48%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -94,10 +94,6 @@ SELinux policy development and man page package %{_usr}/share/selinux/devel/example.* %{_usr}/share/selinux/devel/policy.* -%post devel -selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null -exit 0 - %package doc Summary: SELinux policy documentation Group: System Environment/Base @@ -534,6 +530,30 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jun 3 2013 Miroslav Grepl 3.12.1-48 +- Fix openshift_search_lib +- Add support for abrt-uefioops-oops +- Allow colord to getattr any file system +- Allow chrome processes to look at each other +- Allow sys_ptrace for abrt_t +- Add new policy for gssproxy +- Dontaudit leaked file descriptor writes from firewalld +- openshift_net_type is interface not template +- Dontaudit pppd to search gnome config +- Update openshift_search_lib() interface +- Add fs_list_pstorefs() +- Fix label on libbcm_host.so since it is built incorrectly on raspberry pi, needs back port to F18 +- Better labels for raspberry pi devices +- Allow init to create devpts_t directory +- Temporarily label rasbery pi devices as memory_device_t, needs back port to f18 +- Allow sysadm_t to build kernels +- Make sure mount creates /var/run/blkid with the correct label, needs back port to F18 +- Allow userdomains to stream connect to gssproxy +- Dontaudit leaked file descriptor writes from firewalld +- Allow xserver to read /dev/urandom +- Add additional fixes for ipsec-mgmt +- Make SSHing into an Openshift Enterprise Node working + * Wed May 29 2013 Miroslav Grepl 3.12.1-47 - Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime - with the proper label.