From 5991fc804927b20ed6f86a1d107caba2d9c9fccd Mon Sep 17 00:00:00 2001 From: rhatdan Date: Wed, 8 Aug 2012 11:20:07 -0400 Subject: [PATCH] Make sure content created in the homedir by uncnfined domains get created with the corect label. specifically /.readahead --- policy-rawhide.patch | 302 +++++++++++++++++++---------------- policy_contrib-rawhide.patch | 24 +-- selinux-policy.spec | 5 +- 3 files changed, 187 insertions(+), 144 deletions(-) diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 803caa96..29ce9f6d 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 28802c5..f2026cd 100644 +index 28802c5..c73c1d2 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -62032,7 +62032,7 @@ index 28802c5..f2026cd 100644 } # -@@ -443,9 +448,10 @@ class capability +@@ -443,10 +448,11 @@ class capability class capability2 { mac_override # unused by SELinux @@ -62040,10 +62040,11 @@ index 28802c5..f2026cd 100644 + mac_admin syslog wake_alarm -+ epollwakeup block_suspend ++ secure_firmware } + # @@ -862,3 +868,20 @@ inherits database implement execute @@ -63491,7 +63492,7 @@ index 98b8b2d..da75471 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 673180c..1187de6 100644 +index 673180c..6274145 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0) 
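Review bot: `secure_firmware` is added to `class capability2` without a comment, and neither the hunk nor the commit subject (which is about home directory labelling) says which kernel capability it is meant to match. The neighbouring entry carries a note (`mac_override # unused by SELinux`); a similar one here would help, e.g. `secure_firmware # <kernel capability / patch this corresponds to>`. The same hunk drops the previously added `epollwakeup` entry, so any rule elsewhere in the policy that still names `capability2 epollwakeup` will fail to compile; the rest of the policy is not visible from here, so that is worth a grep before building.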
@@ -63859,13 +63860,14 @@ index 673180c..1187de6 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -507,31 +549,34 @@ logging_send_syslog_msg(useradd_t) +@@ -507,31 +549,35 @@ logging_send_syslog_msg(useradd_t) miscfiles_read_localization(useradd_t) +seutil_semanage_policy(useradd_t) +seutil_manage_file_contexts(useradd_t) +seutil_manage_config(useradd_t) ++seutil_manage_login_config(useradd_t) +seutil_manage_default_contexts(useradd_t) + seutil_read_config(useradd_t) @@ -63907,7 +63909,7 @@ index 673180c..1187de6 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +587,8 @@ optional_policy(` +@@ -542,7 +588,8 @@ optional_policy(` ') optional_policy(` @@ -63917,7 +63919,7 @@ index 673180c..1187de6 100644 ') optional_policy(` -@@ -550,6 +596,11 @@ optional_policy(` +@@ -550,6 +597,11 @@ optional_policy(` ') optional_policy(` @@ -63929,7 +63931,7 @@ index 673180c..1187de6 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +610,7 @@ optional_policy(` +@@ -559,3 +611,7 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -80434,7 +80436,7 @@ index 28ad538..47fdb65 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index f416ce9..1409940 100644 +index f416ce9..2fa575e 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
@@ -80559,8 +80561,11 @@ index f416ce9..1409940 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,9 +198,91 @@ interface(`auth_login_pgm_domain',` +@@ -153,11 +196,94 @@ interface(`auth_login_pgm_domain',` + logging_set_tty_audit($1) + seutil_read_config($1) ++ seutil_read_login_config($1) seutil_read_default_contexts($1) - tunable_policy(`allow_polyinstantiation',` @@ -80653,7 +80658,7 @@ index f416ce9..1409940 100644 ') ######################################## -@@ -231,6 +356,25 @@ interface(`auth_domtrans_login_program',` +@@ -231,6 +357,25 @@ interface(`auth_domtrans_login_program',` ######################################## ## @@ -80679,7 +80684,7 @@ index f416ce9..1409940 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -395,13 +539,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -395,13 +540,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -80696,7 +80701,7 @@ index f416ce9..1409940 100644 ') ######################################## -@@ -448,6 +594,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +595,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -80722,7 +80727,7 @@ index f416ce9..1409940 100644 ') ######################################## -@@ -467,7 +632,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +633,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -80730,7 +80735,7 @@ index f416ce9..1409940 100644 ') ######################################## -@@ -664,6 +828,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +829,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; 
@@ -80741,7 +80746,7 @@ index f416ce9..1409940 100644 ') ####################################### -@@ -763,7 +931,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +932,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -80793,7 +80798,7 @@ index f416ce9..1409940 100644 ') ####################################### -@@ -959,9 +1170,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1171,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -80827,7 +80832,7 @@ index f416ce9..1409940 100644 ') ######################################## -@@ -1040,6 +1272,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1273,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -80838,7 +80843,7 @@ index f416ce9..1409940 100644 ') ######################################## -@@ -1157,6 +1393,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1157,6 +1394,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -80846,7 +80851,7 @@ index f416ce9..1409940 100644 ') ####################################### -@@ -1526,6 +1763,25 @@ interface(`auth_setattr_login_records',` +@@ -1526,6 +1764,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -80872,7 +80877,7 @@ index f416ce9..1409940 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,24 +1932,7 @@ interface(`auth_manage_login_records',` +@@ -1676,24 +1933,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; 
@@ -80898,7 +80903,7 @@ index f416ce9..1409940 100644 ') ######################################## -@@ -1717,9 +1956,9 @@ interface(`auth_relabel_login_records',` +@@ -1717,9 +1957,9 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -80911,7 +80916,7 @@ index f416ce9..1409940 100644 typeattribute $1 nsswitch_domain; ') -@@ -1755,3 +1994,194 @@ interface(`auth_unconfined',` +@@ -1755,3 +1995,194 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -82890,7 +82895,7 @@ index d26fe81..3f3a57f 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 4a88fa1..582f563 100644 +index 4a88fa1..9895bfe 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -83126,7 +83131,7 @@ index 4a88fa1..582f563 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -196,16 +289,148 @@ tunable_policy(`init_upstart',` +@@ -196,16 +289,151 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -83143,11 +83148,13 @@ index 4a88fa1..582f563 100644 +') + +tunable_policy(`init_systemd',` ++ allow init_t self:system all_system_perms; + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; + allow init_t self:process { setsockcreate setfscreate setrlimit }; + allow init_t self:process { getcap setcap }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; ++ allow init_t self:netlink_selinux_socket create_socket_perms; + # Until systemd is fixed + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; + allow init_t self:udp_socket create_socket_perms; 
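Review bot: `allow init_t self:system all_system_perms;` in the `init_systemd` block grants the whole `system` class as a set, so any permission later added to that class is given to init_t without a rule change that a reviewer would see. If only some permissions are needed, listing them keeps the grant auditable; if all are needed, say so in a comment such as `# init_t needs every system permission because <reason>`. The added `allow init_t self:netlink_selinux_socket create_socket_perms;` is also uncommented; it presumably belongs with the `selinux_compute_access_vector(init_t)` call added in the next hunk, which would be worth stating. The tunable block starts and ends outside this hunk.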
@@ -83214,6 +83221,8 @@ index 4a88fa1..582f563 100644 + fs_relabel_cgroup_dirs(init_t) + fs_search_cgroup_dirs(daemon) + ++ ++ selinux_compute_access_vector(init_t) + selinux_compute_create_context(init_t) + selinux_validate_context(init_t) + selinux_unmount_fs(init_t) @@ -83235,6 +83244,9 @@ index 4a88fa1..582f563 100644 + systemd_manage_unit_dirs(init_t) + systemd_manage_all_unit_files(init_t) + systemd_logger_stream_connect(init_t) ++ systemd_config_all_services(init_t) ++ ++ systemd_config_all_services(initrc_t) + + create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + @@ -83242,21 +83254,17 @@ index 4a88fa1..582f563 100644 + +auth_use_nsswitch(init_t) +auth_rw_login_records(init_t) -+ -+optional_policy(` -+ systemd_filetrans_named_content(init_t) -+') -+ -+optional_policy(` -+ lvm_rw_pipes(init_t) -+') + optional_policy(` - auth_rw_login_records(init_t) -+ consolekit_manage_log(init_t) ++ lvm_rw_pipes(init_t) ') optional_policy(` ++ consolekit_manage_log(init_t) ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -83277,10 +83285,14 @@ index 4a88fa1..582f563 100644 ') optional_policy(` -@@ -213,6 +438,18 @@ optional_policy(` +@@ -213,6 +441,22 @@ optional_policy(` ') optional_policy(` ++ systemd_filetrans_named_content(init_t) ++') ++ ++optional_policy(` + udev_read_db(init_t) + udev_relabelto_db(init_t) + udev_create_kobject_uevent_socket(init_t) 
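Review bot: `systemd_config_all_services(initrc_t)` is added in the middle of the init_t rules, so someone auditing initrc_t in its own section further down the file will not find it. Judging by its name the interface covers every service, which is a wide grant for the domain that runs init scripts; a one-line comment giving the reason, and moving the call next to the other `initrc_t` rules, would make that visible. The collapsed hunk does not show whether this line sits inside the `init_systemd` tunable block; if it does not, the grant also applies when the tunable is off.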
@@ -83296,18 +83308,19 @@ index 4a88fa1..582f563 100644 unconfined_domain(init_t) ') -@@ -222,8 +459,8 @@ optional_policy(` +@@ -222,8 +466,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; -dontaudit initrc_t self:capability sys_module; # sysctl is triggering this +allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; ++allow initrc_t self:capability2 block_suspend; +dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -251,12 +488,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -251,12 +496,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -83323,7 +83336,7 @@ index 4a88fa1..582f563 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -272,23 +512,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -272,23 +520,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -83366,7 +83379,7 @@ index 4a88fa1..582f563 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -296,6 +549,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -296,6 +557,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -83374,7 +83387,7 @@ index 4a88fa1..582f563 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -306,8 +560,10 @@ dev_write_framebuffer(initrc_t) +@@ -306,8 +568,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -83385,7 +83398,7 @@ index 4a88fa1..582f563 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -315,17 +571,16 @@ dev_manage_generic_files(initrc_t) +@@ -315,17 +579,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -83405,7 +83418,7 @@ index 4a88fa1..582f563 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -333,6 +588,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -333,6 +596,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -83413,7 +83426,7 @@ index 4a88fa1..582f563 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -340,8 +596,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -340,8 +604,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -83425,7 +83438,7 @@ index 4a88fa1..582f563 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -357,8 +615,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -357,8 +623,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -83439,7 +83452,7 @@ index 4a88fa1..582f563 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -368,9 +630,12 @@ fs_mount_all_fs(initrc_t) +@@ -368,9 +638,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -83453,7 +83466,7 @@ index 4a88fa1..582f563 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -380,6 +645,7 @@ mls_process_read_up(initrc_t) +@@ -380,6 +653,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -83461,7 +83474,7 @@ index 4a88fa1..582f563 100644 selinux_get_enforce_mode(initrc_t) -@@ -391,6 +657,7 @@ term_use_all_terms(initrc_t) +@@ -391,6 +665,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -83469,7 +83482,7 @@ index 4a88fa1..582f563 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -411,18 +678,17 @@ logging_read_audit_config(initrc_t) +@@ -411,18 +686,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -83491,7 +83504,7 @@ index 4a88fa1..582f563 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -476,6 +742,10 @@ ifdef(`distro_gentoo',` +@@ -476,6 +750,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -83502,7 +83515,7 @@ index 4a88fa1..582f563 100644 alsa_read_lib(initrc_t) ') -@@ -496,7 +766,7 @@ ifdef(`distro_redhat',` +@@ -496,7 +774,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -83511,7 +83524,7 @@ index 4a88fa1..582f563 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -511,6 +781,7 @@ ifdef(`distro_redhat',` +@@ -511,6 +789,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -83519,7 +83532,7 @@ index 4a88fa1..582f563 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -531,6 +802,7 @@ ifdef(`distro_redhat',` +@@ -531,6 +810,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -83527,7 +83540,7 @@ index 4a88fa1..582f563 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -540,8 +812,35 @@ ifdef(`distro_redhat',` +@@ -540,8 +820,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -83563,7 +83576,7 @@ index 4a88fa1..582f563 100644 ') optional_policy(` -@@ -549,14 +848,27 @@ ifdef(`distro_redhat',` +@@ -549,14 +856,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -83591,7 +83604,7 @@ index 4a88fa1..582f563 100644 ') ') -@@ -567,6 +879,39 @@ ifdef(`distro_suse',` +@@ -567,6 +887,39 @@ ifdef(`distro_suse',` ') ') @@ -83631,7 +83644,7 @@ index 4a88fa1..582f563 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +924,8 @@ optional_policy(` +@@ -579,6 +932,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -83640,7 +83653,7 @@ index 4a88fa1..582f563 100644 ') optional_policy(` -@@ -600,6 +947,7 @@ optional_policy(` +@@ -600,6 +955,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -83648,7 +83661,7 @@ index 4a88fa1..582f563 100644 ') optional_policy(` -@@ -612,6 +960,17 @@ optional_policy(` +@@ -612,6 +968,17 @@ optional_policy(` ') optional_policy(` 
@@ -83666,7 +83679,7 @@ index 4a88fa1..582f563 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -628,9 +987,13 @@ optional_policy(` +@@ -628,9 +995,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -83680,7 +83693,7 @@ index 4a88fa1..582f563 100644 ') optional_policy(` -@@ -655,6 +1018,10 @@ optional_policy(` +@@ -655,6 +1026,10 @@ optional_policy(` ') optional_policy(` @@ -83691,7 +83704,7 @@ index 4a88fa1..582f563 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -672,6 +1039,15 @@ optional_policy(` +@@ -672,6 +1047,15 @@ optional_policy(` ') optional_policy(` @@ -83707,7 +83720,7 @@ index 4a88fa1..582f563 100644 inn_exec_config(initrc_t) ') -@@ -712,6 +1088,7 @@ optional_policy(` +@@ -712,6 +1096,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -83715,7 +83728,7 @@ index 4a88fa1..582f563 100644 ') optional_policy(` -@@ -729,7 +1106,13 @@ optional_policy(` +@@ -729,7 +1114,13 @@ optional_policy(` ') optional_policy(` @@ -83729,7 +83742,7 @@ index 4a88fa1..582f563 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -752,6 +1135,10 @@ optional_policy(` +@@ -752,6 +1143,10 @@ optional_policy(` ') optional_policy(` @@ -83740,7 +83753,7 @@ index 4a88fa1..582f563 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -761,10 +1148,20 @@ optional_policy(` +@@ -761,10 +1156,20 @@ optional_policy(` ') optional_policy(` @@ -83761,7 +83774,7 @@ index 4a88fa1..582f563 100644 quota_manage_flags(initrc_t) ') -@@ -773,6 +1170,10 @@ optional_policy(` +@@ -773,6 +1178,10 @@ optional_policy(` ') optional_policy(` @@ -83772,7 +83785,7 @@ index 4a88fa1..582f563 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -794,8 +1195,6 @@ optional_policy(` +@@ -794,8 +1203,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -83781,7 +83794,7 @@ index 4a88fa1..582f563 100644 ') optional_policy(` -@@ -804,6 +1203,10 @@ optional_policy(` +@@ -804,6 +1211,10 @@ optional_policy(` ') optional_policy(` @@ -83792,7 +83805,7 @@ index 4a88fa1..582f563 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -813,10 +1216,12 @@ optional_policy(` +@@ -813,10 +1224,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -83805,7 +83818,7 @@ index 4a88fa1..582f563 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -828,8 +1233,6 @@ optional_policy(` +@@ -828,8 +1241,6 @@ optional_policy(` ') optional_policy(` @@ -83814,7 +83827,7 @@ index 4a88fa1..582f563 100644 udev_manage_pid_files(initrc_t) udev_manage_pid_dirs(initrc_t) udev_manage_rules_files(initrc_t) -@@ -840,12 +1243,30 @@ optional_policy(` +@@ -840,12 +1251,30 @@ optional_policy(` ') optional_policy(` @@ -83847,7 +83860,7 @@ index 4a88fa1..582f563 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -855,6 +1276,18 @@ optional_policy(` +@@ -855,6 +1284,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -83866,7 +83879,7 @@ index 4a88fa1..582f563 100644 ') optional_policy(` -@@ -870,6 +1303,10 @@ optional_policy(` +@@ -870,6 +1311,10 @@ optional_policy(` ') optional_policy(` @@ -83877,7 +83890,7 @@ index 4a88fa1..582f563 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -880,3 +1317,165 @@ optional_policy(` +@@ -880,3 +1325,164 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -84042,7 +84055,6 @@ index 4a88fa1..582f563 100644 +#ifdef(`enable_mls',` +# mls_rangetrans_target(systemprocess) +#') -+ diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index ec85acb..662e79b 100644 --- a/policy/modules/system/ipsec.fc 
@@ -86241,7 +86253,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index f8eeecd..310893f 100644 +index f8eeecd..7b9437a 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -86433,7 +86445,7 @@ index f8eeecd..310893f 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -331,14 +364,27 @@ optional_policy(` +@@ -331,14 +364,26 @@ optional_policy(` ') optional_policy(` @@ -86453,7 +86465,6 @@ index f8eeecd..310893f 100644 ') optional_policy(` -+ #systemd_passwd_agent_dev_template(lvm) + systemd_manage_passwd_run(lvm_t) +') + @@ -87762,7 +87773,7 @@ index d43f3b1..c4182e8 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..beae2dc 100644 +index 3822072..239ab62 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` @@ -87919,7 +87930,7 @@ index 3822072..beae2dc 100644 ## Execute setfiles in the caller domain. ## ## -@@ -680,10 +776,94 @@ interface(`seutil_manage_config',` +@@ -680,10 +776,115 @@ interface(`seutil_manage_config',` ') files_search_etc($1) 
@@ -87928,6 +87939,27 @@ index 3822072..beae2dc 100644 read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') ++###################################### ++## ++## Create, read, write, and delete ++## the general selinux configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`seutil_manage_config_dirs',` ++ gen_require(` ++ type selinux_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir manage_dir_perms; ++') ++ +######################################## +## +## Do not audit attempts to search the SELinux @@ -88014,7 +88046,7 @@ index 3822072..beae2dc 100644 ####################################### ## ## Create, read, write, and delete -@@ -694,15 +874,62 @@ interface(`seutil_manage_config',` +@@ -694,15 +895,62 @@ interface(`seutil_manage_config',` ## Domain allowed access. ## ## @@ -88080,7 +88112,7 @@ index 3822072..beae2dc 100644 ') ######################################## -@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',` +@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') @@ -88110,7 +88142,7 @@ index 3822072..beae2dc 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',` +@@ -999,6 +1270,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -88137,7 +88169,7 @@ index 3822072..beae2dc 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1308,66 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` 
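Review bot: The summary of the new `seutil_manage_config_dirs` says it manages "the general selinux configuration files", but its only rule is `allow $1 selinux_config_t:dir manage_dir_perms;`, so it grants directory management and no file access. The text looks copied from `seutil_manage_config`; `## Create, read, write, and delete SELinux configuration directories.` would match the rule. Since the interface lets a domain create and remove directories labelled `selinux_config_t`, its callers should be limited to domains that already manage that configuration; no caller is visible in this part of the patch.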
@@ -88206,7 +88238,7 @@ index 3822072..beae2dc 100644 ') ######################################## -@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',` +@@ -1044,6 +1390,9 @@ interface(`seutil_manage_module_store',` manage_dirs_pattern($1, selinux_config_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") @@ -88216,7 +88248,7 @@ index 3822072..beae2dc 100644 ') ####################################### -@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1486,58 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -89816,10 +89848,10 @@ index 0000000..7da5bf6 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..40fe8f5 +index 0000000..6d1582c --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,734 @@ +@@ -0,0 +1,735 @@ +## SELinux policy for systemd components + +####################################### @@ -89877,6 +89909,7 @@ index 0000000..40fe8f5 + + systemd_login_list_pid_dirs($1) + systemd_login_read_pid_files($1) ++ systemd_passwd_agent_exec($1) +') + +####################################### @@ -90177,11 +90210,12 @@ index 0000000..40fe8f5 +## +# +interface(`systemd_passwd_agent_exec',` -+ gen_require(` -+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; -+ ') ++ gen_require(` ++ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; ++ ') + + can_exec($1, systemd_passwd_agent_exec_t) ++ systemd_manage_passwd_run($1) +') + +######################################## 
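Review bot: `systemd_passwd_agent_exec` now also calls `systemd_manage_passwd_run($1)`, so an interface whose name promises execute access only hands its callers management of the agent's run files as well, plus whatever else that interface allows. The same commit adds `systemd_passwd_agent_exec($1)` to another interface earlier in this file (after `systemd_login_read_pid_files($1)`), so the extra access reaches that interface's callers too. Either state this in the summary, or keep `_exec` to `can_exec($1, systemd_passwd_agent_exec_t)` and let the domains that need the run directory call `systemd_manage_passwd_run` themselves. `systemd_passwd_agent_t` in the `gen_require` is not used by the visible body and could be dropped.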
@@ -90309,8 +90343,7 @@ index 0000000..40fe8f5 + ') + + init_search_pid_dirs($1) -+ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) -+ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + + allow systemd_passwd_agent_t $1:process signull; + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; @@ -92347,7 +92380,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..c4ae660 100644 +index e720dcd..512678a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -93775,7 +93808,7 @@ index e720dcd..c4ae660 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1235,13 +1592,18 @@ template(`userdom_security_admin_template',` +@@ -1235,13 +1592,19 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -93786,6 +93819,7 @@ index e720dcd..c4ae660 100644 + seutil_manage_file_contexts($1) + seutil_manage_module_store($1) + seutil_manage_config($1) ++ seutil_manage_login_config($1) + seutil_run_checkpolicy($1,$2) + seutil_run_loadpolicy($1,$2) + seutil_run_semanage($1,$2) @@ -93798,7 +93832,7 @@ index e720dcd..c4ae660 100644 ') optional_policy(` -@@ -1252,12 +1614,12 @@ template(`userdom_security_admin_template',` +@@ -1252,12 +1615,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -93814,7 +93848,7 @@ index e720dcd..c4ae660 100644 ') optional_policy(` -@@ -1317,12 +1679,15 @@ interface(`userdom_user_application_domain',` +@@ -1317,12 +1680,15 @@ interface(`userdom_user_application_domain',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
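Review bot: Replacing `manage_files_pattern` and `manage_sock_files_pattern` with only `manage_fifo_files_pattern` removes regular-file and socket-file access on `systemd_passwd_var_run_t` from every caller, while the `allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;` rule below is kept. If callers bind the datagram socket the agent replies to under this type, they still need to create a sock_file there and will now be denied; this should be checked against the audit log after the update. If FIFO access was meant as an addition, keep the two removed lines next to the new one. The interface's name, summary and `gen_require` are outside the hunk, so the summary may also need to mention FIFOs.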
@@ -93831,7 +93865,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -1363,13 +1728,58 @@ interface(`userdom_user_tmpfs_file',` +@@ -1363,13 +1729,58 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -93893,7 +93927,7 @@ index e720dcd..c4ae660 100644 gen_require(` attribute admindomain; ') -@@ -1467,11 +1877,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1467,11 +1878,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -93925,7 +93959,7 @@ index e720dcd..c4ae660 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1513,6 +1943,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1513,6 +1944,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -93940,7 +93974,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -1528,9 +1966,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1528,9 +1967,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -93952,7 +93986,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -1587,6 +2027,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1587,6 +2028,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -93995,7 +94029,7 @@ index e720dcd..c4ae660 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1666,6 +2142,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1666,6 +2143,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; 
@@ -94004,7 +94038,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -1680,10 +2158,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1680,10 +2159,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -94019,7 +94053,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -1726,6 +2206,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1726,6 +2207,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -94063,7 +94097,7 @@ index e720dcd..c4ae660 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1745,6 +2262,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1745,6 +2263,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -94089,7 +94123,7 @@ index e720dcd..c4ae660 100644 ## Mmap user home files. ## ## -@@ -1775,14 +2311,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1775,14 +2312,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -94127,7 +94161,7 @@ index e720dcd..c4ae660 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1793,11 +2351,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1793,11 +2352,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -94145,7 +94179,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -1856,6 +2417,78 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1856,6 +2418,78 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## 
@@ -94224,7 +94258,7 @@ index e720dcd..c4ae660 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1887,8 +2520,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1887,8 +2521,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -94234,7 +94268,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -1904,20 +2536,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1904,20 +2537,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -94259,7 +94293,7 @@ index e720dcd..c4ae660 100644 ######################################## ## -@@ -2018,6 +2644,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -2018,6 +2645,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -94284,7 +94318,7 @@ index e720dcd..c4ae660 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2250,11 +2894,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2250,11 +2895,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -94299,7 +94333,7 @@ index e720dcd..c4ae660 100644 files_search_tmp($1) ') -@@ -2274,7 +2918,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2274,7 +2919,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -94308,7 +94342,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -2521,6 +3165,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2521,6 +3166,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') 
@@ -94334,7 +94368,7 @@ index e720dcd..c4ae660 100644 ######################################## ## ## Read user tmpfs files. -@@ -2537,13 +3200,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2537,13 +3201,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -94350,7 +94384,7 @@ index e720dcd..c4ae660 100644 ## ## ## -@@ -2564,7 +3228,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2564,7 +3229,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -94359,7 +94393,7 @@ index e720dcd..c4ae660 100644 ## ## ## -@@ -2572,19 +3236,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2572,19 +3237,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -94382,7 +94416,7 @@ index e720dcd..c4ae660 100644 ## ## ## -@@ -2592,9 +3254,27 @@ interface(`userdom_manage_user_tmpfs_files',` +@@ -2592,9 +3255,27 @@ interface(`userdom_manage_user_tmpfs_files',` ## ## # @@ -94412,7 +94446,7 @@ index e720dcd..c4ae660 100644 ') allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; -@@ -2674,6 +3354,24 @@ interface(`userdom_use_user_ttys',` +@@ -2674,6 +3355,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -94437,7 +94471,7 @@ index e720dcd..c4ae660 100644 ## Read and write a user domain pty. ## ## -@@ -2692,22 +3390,34 @@ interface(`userdom_use_user_ptys',` +@@ -2692,22 +3391,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -94480,7 +94514,7 @@ index e720dcd..c4ae660 100644 ## ## ## -@@ -2716,14 +3426,33 @@ interface(`userdom_use_user_ptys',` +@@ -2716,14 +3427,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -94518,7 +94552,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -2742,8 +3471,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2742,8 +3472,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') 
@@ -94548,7 +94582,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -2815,69 +3563,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2815,69 +3564,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -94649,7 +94683,7 @@ index e720dcd..c4ae660 100644 ## ## ## -@@ -2885,12 +3632,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2885,12 +3633,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -94664,7 +94698,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -2954,7 +3701,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2954,7 +3702,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -94673,7 +94707,7 @@ index e720dcd..c4ae660 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2970,29 +3717,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2970,29 +3718,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -94707,7 +94741,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -3074,7 +3805,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3074,7 +3806,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -94716,7 +94750,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -3129,7 +3860,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3129,7 +3861,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -94763,7 +94797,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -3147,7 +3916,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3147,7 +3917,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') 
@@ -94772,7 +94806,7 @@ index e720dcd..c4ae660 100644 ') ######################################## -@@ -3166,6 +3935,7 @@ interface(`userdom_read_all_users_state',` +@@ -3166,6 +3936,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -94780,7 +94814,7 @@ index e720dcd..c4ae660 100644 kernel_search_proc($1) ') -@@ -3242,6 +4012,42 @@ interface(`userdom_signal_all_users',` +@@ -3242,6 +4013,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -94823,7 +94857,7 @@ index e720dcd..c4ae660 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4068,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3262,6 +4069,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -94848,7 +94882,7 @@ index e720dcd..c4ae660 100644 ## Create keys for all user domains. ## ## -@@ -3296,3 +4120,1282 @@ interface(`userdom_dbus_send_all_users',` +@@ -3296,3 +4121,1282 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 0bafcb39..78e36a3f 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -47944,10 +47944,10 @@ index 0000000..48ea717 +') diff --git a/realmd.te b/realmd.te new file mode 100644 -index 0000000..3f5f701 +index 0000000..314e17e --- /dev/null +++ b/realmd.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,44 @@ +policy_module(realmd, 1.0.0) + +######################################## @@ -47958,7 +47958,6 @@ index 0000000..3f5f701 +type realmd_t; +type realmd_exec_t; +application_domain(realmd_t, realmd_exec_t) -+role system_r types realmd_t; + +######################################## +# @@ -52468,20 +52467,19 @@ index 905883f..564240d 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') 
diff --git a/sambagui.te b/sambagui.te -index 1898dbd..eec2a5a 100644 +index 1898dbd..43fcb73 100644 --- a/sambagui.te +++ b/sambagui.te -@@ -7,7 +7,8 @@ policy_module(sambagui, 1.1.0) +@@ -7,7 +7,7 @@ policy_module(sambagui, 1.1.0) type sambagui_t; type sambagui_exec_t; -dbus_system_domain(sambagui_t, sambagui_exec_t) +application_domain(sambagui_t, sambagui_exec_t) -+role system_r types sambagui_t; ######################################## # -@@ -27,21 +28,30 @@ corecmd_exec_bin(sambagui_t) +@@ -27,21 +27,30 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) @@ -52513,7 +52511,7 @@ index 1898dbd..eec2a5a 100644 nscd_dontaudit_search_pid(sambagui_t) ') -@@ -56,6 +66,7 @@ optional_policy(` +@@ -56,6 +65,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -63450,7 +63448,7 @@ index 0000000..14c5c0a + +miscfiles_read_localization(wdmd_t) diff --git a/webadm.te b/webadm.te -index 0ecc786..e0f21c3 100644 +index 0ecc786..3e7e984 100644 --- a/webadm.te +++ b/webadm.te @@ -28,7 +28,7 @@ userdom_base_user_template(webadm) @@ -63462,6 +63460,14 @@ index 0ecc786..e0f21c3 100644 files_dontaudit_search_all_dirs(webadm_t) files_manage_generic_locks(webadm_t) +@@ -38,6 +38,7 @@ selinux_get_enforce_mode(webadm_t) + seutil_domtrans_setfiles(webadm_t) + + logging_send_syslog_msg(webadm_t) ++logging_send_audit_msgs(webadm_t) + + userdom_dontaudit_search_user_home_dirs(webadm_t) + diff --git a/webalizer.te b/webalizer.te index 32b4f76..ea008d8 100644 --- a/webalizer.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 4d986fed..93de10b6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 3%{?dist} +Release: 3.1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
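Review bot: In the webadm.te section of policy_contrib-rawhide.patch, the new inner hunk `@@ -38,6 +38,7 @@` adds `logging_send_audit_msgs(webadm_t)` with no comment, and neither the commit subject nor the %changelog entry mentions it. The reason webadm_t needs to emit audit records therefore cannot be checked from this patch. The grant lets a confined administrative role domain write user-space records into the audit trail; if it is needed by one specific tool (not visible here), attaching it to that tool's domain would be narrower than granting it to the whole role. At minimum I would add a why-comment above the line, for example `# <tool> run as webadm_t logs <event> to audit; see <bug id>`, and list the change in the changelog. The rest of webadm.te lies outside the hunk, so an existing justification elsewhere in the file cannot be ruled out.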
@@ -491,6 +491,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Aug 8 2012 Dan Walsh 3.11.1-3.1 +- Update with fixes for SECure linux containers + * Tue Aug 7 2012 Miroslav Grepl 3.11.1-3 - Add role rules for realmd, sambagui