- Allow lvm_t to create default targets for filesystem handling

- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys fo
- Allow cobbler to execute apache with domain transition
Miroslav Grepl 2013-06-24 23:12:23 +02:00
parent 82acdf3079
commit 634d39b171
4 changed files with 648 additions and 176 deletions


@ -2236,3 +2236,10 @@ pki = module
# policy for smsd
#
smsd = module
# Layer: contrib
# Module: pesign
#
# policy for pesign
#
pesign = module


@ -2373,7 +2373,7 @@ index 99e3903..7270808 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d555767..4065a9a 100644
index d555767..ce0c1b4 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@ -2413,7 +2413,7 @@ index d555767..4065a9a 100644
type crack_t;
type crack_exec_t;
@@ -42,18 +43,21 @@ type groupadd_t;
@@ -42,18 +43,22 @@ type groupadd_t;
type groupadd_exec_t;
domain_obj_id_change_exemption(groupadd_t)
init_system_domain(groupadd_t, groupadd_exec_t)
@ -2424,6 +2424,7 @@ index d555767..4065a9a 100644
type passwd_t;
type passwd_exec_t;
domain_obj_id_change_exemption(passwd_t)
+domain_system_change_exemption(passwd_t)
application_domain(passwd_t, passwd_exec_t)
-role passwd_roles types passwd_t;
+#role passwd_roles types passwd_t;
@ -2438,7 +2439,7 @@ index d555767..4065a9a 100644
type sysadm_passwd_tmp_t;
files_tmp_file(sysadm_passwd_tmp_t)
@@ -61,8 +65,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
@@ -61,8 +66,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
type useradd_t;
type useradd_exec_t;
domain_obj_id_change_exemption(useradd_t)
@ -2453,7 +2454,7 @@ index d555767..4065a9a 100644
########################################
#
@@ -86,6 +95,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -86,6 +96,7 @@ allow chfn_t self:unix_stream_socket connectto;
kernel_read_system_state(chfn_t)
kernel_read_kernel_sysctls(chfn_t)
@ -2461,7 +2462,7 @@ index d555767..4065a9a 100644
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
@@ -94,25 +104,29 @@ selinux_compute_create_context(chfn_t)
@@ -94,25 +105,29 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@ -2497,7 +2498,7 @@ index d555767..4065a9a 100644
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
files_dontaudit_search_home(chfn_t)
@@ -120,19 +134,29 @@ files_dontaudit_search_home(chfn_t)
@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
@ -2530,7 +2531,7 @@ index d555767..4065a9a 100644
########################################
#
# Crack local policy
@@ -209,8 +233,8 @@ selinux_compute_create_context(groupadd_t)
@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@ -2541,7 +2542,7 @@ index d555767..4065a9a 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
@@ -218,8 +242,8 @@ init_dontaudit_write_utmp(groupadd_t)
@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t)
domain_use_interactive_fds(groupadd_t)
@ -2551,7 +2552,7 @@ index d555767..4065a9a 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
@@ -229,14 +253,15 @@ corecmd_exec_bin(groupadd_t)
@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t)
logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
@ -2570,7 +2571,7 @@ index d555767..4065a9a 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
@@ -253,7 +278,8 @@ optional_policy(`
@@ -253,7 +279,8 @@ optional_policy(`
')
optional_policy(`
@ -2580,7 +2581,7 @@ index d555767..4065a9a 100644
')
optional_policy(`
@@ -285,6 +311,7 @@ allow passwd_t self:shm create_shm_perms;
@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@ -2588,7 +2589,7 @@ index d555767..4065a9a 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
@@ -293,6 +320,7 @@ kernel_read_kernel_sysctls(passwd_t)
@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@ -2596,7 +2597,7 @@ index d555767..4065a9a 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
@@ -307,26 +335,38 @@ selinux_compute_create_context(passwd_t)
@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@ -2640,7 +2641,7 @@ index d555767..4065a9a 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -335,12 +375,11 @@ init_use_fds(passwd_t)
@@ -335,12 +376,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@ -2654,7 +2655,7 @@ index d555767..4065a9a 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
@@ -349,9 +388,15 @@ userdom_read_user_tmp_files(passwd_t)
@@ -349,9 +389,15 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@ -2671,7 +2672,7 @@ index d555767..4065a9a 100644
')
########################################
@@ -398,9 +443,10 @@ dev_read_urand(sysadm_passwd_t)
@@ -398,9 +444,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@ -2684,7 +2685,7 @@ index d555767..4065a9a 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
@@ -413,7 +459,6 @@ files_read_usr_files(sysadm_passwd_t)
@@ -413,7 +460,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@ -2692,7 +2693,7 @@ index d555767..4065a9a 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
@@ -423,19 +468,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
@@ -423,19 +469,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@ -2714,7 +2715,7 @@ index d555767..4065a9a 100644
')
########################################
@@ -443,7 +486,8 @@ optional_policy(`
@@ -443,7 +487,8 @@ optional_policy(`
# Useradd local policy
#
@ -2724,7 +2725,7 @@ index d555767..4065a9a 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
@@ -458,6 +502,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
@@ -458,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@ -2735,7 +2736,7 @@ index d555767..4065a9a 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
@@ -465,36 +513,36 @@ corecmd_exec_shell(useradd_t)
@@ -465,36 +514,36 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@ -2784,7 +2785,7 @@ index d555767..4065a9a 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
@@ -505,33 +553,36 @@ init_rw_utmp(useradd_t)
@@ -505,33 +554,36 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@ -2835,7 +2836,7 @@ index d555767..4065a9a 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
@@ -542,7 +593,12 @@ optional_policy(`
@@ -542,7 +594,12 @@ optional_policy(`
')
optional_policy(`
@ -2849,7 +2850,7 @@ index d555767..4065a9a 100644
')
optional_policy(`
@@ -550,6 +606,11 @@ optional_policy(`
@@ -550,6 +607,11 @@ optional_policy(`
')
optional_policy(`
@ -2861,7 +2862,7 @@ index d555767..4065a9a 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
@@ -559,3 +620,12 @@ optional_policy(`
@@ -559,3 +621,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@ -12254,16 +12255,17 @@ index 148d87a..822f6be 100644
allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index cda5588..3035829 100644
index cda5588..924f856 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1,9 +1,13 @@
@@ -1,9 +1,12 @@
-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-/cgroup/.* <<none>>
+# ecryptfs does not support xattr
+HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
+HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
+
/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/cgroup/.* <<none>>
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
/dev/hugepages(/.*)? <<none>>
@ -12272,10 +12274,13 @@ index cda5588..3035829 100644
/dev/shm/.* <<none>>
/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
@@ -14,3 +18,10 @@
@@ -12,5 +15,11 @@
/lib/udev/devices/shm/.* <<none>>
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <<none>>
-/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-/sys/fs/cgroup/.* <<none>>
+/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
+
+/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/usr/lib/udev/devices/hugepages/.* <<none>>
@ -12284,7 +12289,7 @@ index cda5588..3035829 100644
+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
+/var/run/[^/]*/gvfs/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..7170125 100644
index 8416beb..2216778 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -13087,7 +13092,32 @@ index 8416beb..7170125 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -3263,6 +3803,24 @@ interface(`fs_getattr_nfsd_files',`
@@ -3137,6 +3677,24 @@ interface(`fs_nfs_domtrans',`
########################################
## <summary>
+## Mount on nfsd_fs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_nfsd_fs', `
+ gen_require(`
+ type nfsd_fs_t;
+ ')
+
+ allow $1 nfsd_fs_t:dir mounton;
+')
+
+########################################
+## <summary>
## Mount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
@@ -3263,6 +3821,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@ -13112,7 +13142,7 @@ index 8416beb..7170125 100644
########################################
## <summary>
## Read and write NFS server files.
@@ -3283,6 +3841,24 @@ interface(`fs_rw_nfsd_fs',`
@@ -3283,6 +3859,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@ -13137,7 +13167,7 @@ index 8416beb..7170125 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
@@ -3392,7 +3968,7 @@ interface(`fs_search_ramfs',`
@@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@ -13146,7 +13176,7 @@ index 8416beb..7170125 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3429,7 +4005,7 @@ interface(`fs_manage_ramfs_dirs',`
@@ -3429,7 +4023,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@ -13155,7 +13185,7 @@ index 8416beb..7170125 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3447,7 +4023,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
@@ -3447,7 +4041,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@ -13164,7 +13194,7 @@ index 8416beb..7170125 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3815,6 +4391,24 @@ interface(`fs_unmount_tmpfs',`
@@ -3815,6 +4409,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@ -13189,7 +13219,7 @@ index 8416beb..7170125 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
@@ -3908,7 +4502,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
@@ -3908,7 +4520,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
## <summary>
@ -13198,7 +13228,7 @@ index 8416beb..7170125 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3916,17 +4510,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
@@ -3916,17 +4528,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary>
## </param>
#
@ -13219,7 +13249,7 @@ index 8416beb..7170125 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3934,17 +4528,17 @@ interface(`fs_mounton_tmpfs',`
@@ -3934,17 +4546,17 @@ interface(`fs_mounton_tmpfs',`
## </summary>
## </param>
#
@ -13240,7 +13270,7 @@ index 8416beb..7170125 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3952,17 +4546,36 @@ interface(`fs_setattr_tmpfs_dirs',`
@@ -3952,17 +4564,36 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary>
## </param>
#
@ -13280,7 +13310,7 @@ index 8416beb..7170125 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3970,31 +4583,48 @@ interface(`fs_search_tmpfs',`
@@ -3970,31 +4601,48 @@ interface(`fs_search_tmpfs',`
## </summary>
## </param>
#
@ -13336,7 +13366,7 @@ index 8416beb..7170125 100644
')
########################################
@@ -4105,7 +4735,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
@@ -4105,7 +4753,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@ -13345,7 +13375,7 @@ index 8416beb..7170125 100644
')
########################################
@@ -4165,6 +4795,24 @@ interface(`fs_rw_tmpfs_files',`
@@ -4165,6 +4813,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@ -13370,7 +13400,7 @@ index 8416beb..7170125 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
@@ -4202,7 +4850,7 @@ interface(`fs_rw_tmpfs_chr_files',`
@@ -4202,7 +4868,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@ -13379,7 +13409,7 @@ index 8416beb..7170125 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4221,6 +4869,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
@@ -4221,6 +4887,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@ -13440,7 +13470,7 @@ index 8416beb..7170125 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
@@ -4278,6 +4980,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
@@ -4278,6 +4998,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@ -13485,7 +13515,7 @@ index 8416beb..7170125 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
@@ -4297,6 +5037,25 @@ interface(`fs_manage_tmpfs_files',`
@@ -4297,6 +5055,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@ -13511,7 +13541,7 @@ index 8416beb..7170125 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
@@ -4503,6 +5262,8 @@ interface(`fs_mount_all_fs',`
@@ -4503,6 +5280,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@ -13520,7 +13550,7 @@ index 8416beb..7170125 100644
')
########################################
@@ -4549,7 +5310,7 @@ interface(`fs_unmount_all_fs',`
@@ -4549,7 +5328,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@ -13529,7 +13559,7 @@ index 8416beb..7170125 100644
## Example attributes:
## </p>
## <ul>
@@ -4596,6 +5357,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
@@ -4596,6 +5375,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
## <summary>
@ -13556,7 +13586,7 @@ index 8416beb..7170125 100644
## Get the quotas of all filesystems.
## </summary>
## <param name="domain">
@@ -4912,3 +5693,43 @@ interface(`fs_unconfined',`
@@ -4912,3 +5711,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@ -19310,7 +19340,7 @@ index 346d011..3e23acb 100644
+ ')
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..3063a17 100644
index 76d9f66..5cb2095 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,4 +1,15 @@
@ -19329,12 +19359,13 @@ index 76d9f66..3063a17 100644
/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0)
@@ -8,9 +19,15 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
@@ -8,9 +19,16 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0)
+/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
@ -20604,7 +20635,7 @@ index 5fc0391..994eec2 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index d1f64a0..156a29f 100644
index d1f64a0..8f50bb9 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -20694,7 +20725,7 @@ index d1f64a0..156a29f 100644
+
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/razor-lightdm-* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
@ -30891,7 +30922,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index e8c59a5..5c935e3 100644
index e8c59a5..d2df072 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -30953,17 +30984,17 @@ index e8c59a5..5c935e3 100644
corenet_all_recvfrom_netlabel(clvmd_t)
corenet_tcp_sendrecv_generic_if(clvmd_t)
corenet_udp_sendrecv_generic_if(clvmd_t)
@@ -120,9 +129,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
@@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t)
logging_send_syslog_msg(clvmd_t)
-miscfiles_read_localization(clvmd_t)
-
-seutil_dontaudit_search_config(clvmd_t)
seutil_sigchld_newrole(clvmd_t)
seutil_read_config(clvmd_t)
seutil_read_file_contexts(clvmd_t)
@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
@@ -141,6 +147,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -30975,7 +31006,7 @@ index e8c59a5..5c935e3 100644
ccs_stream_connect(clvmd_t)
')
@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
@ -30983,17 +31014,19 @@ index e8c59a5..5c935e3 100644
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
@@ -179,6 +192,9 @@ allow lvm_t self:sem create_sem_perms;
@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms;
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
+allow lvm_t lvm_unit_file_t:file manage_file_perms;
+systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)
+systemd_create_unit_file_dirs(lvm_t)
+systemd_create_unit_file_lnk(lvm_t)
+
manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
@@ -191,10 +207,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
@ -31006,7 +31039,7 @@ index e8c59a5..5c935e3 100644
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
@@ -202,8 +220,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@ -31018,7 +31051,7 @@ index e8c59a5..5c935e3 100644
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
@@ -220,6 +240,7 @@ kernel_read_kernel_sysctls(lvm_t)
@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
@ -31026,7 +31059,7 @@ index e8c59a5..5c935e3 100644
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
@@ -230,11 +251,13 @@ dev_delete_generic_dirs(lvm_t)
@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@ -31041,7 +31074,7 @@ index e8c59a5..5c935e3 100644
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
@@ -246,6 +269,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@ -31049,7 +31082,7 @@ index e8c59a5..5c935e3 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
@@ -255,17 +279,21 @@ files_read_etc_files(lvm_t)
@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@ -31072,7 +31105,7 @@ index e8c59a5..5c935e3 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
@@ -285,7 +313,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@ -31081,7 +31114,7 @@ index e8c59a5..5c935e3 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
@@ -293,15 +321,22 @@ init_use_script_ptys(lvm_t)
@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
@ -31105,7 +31138,7 @@ index e8c59a5..5c935e3 100644
ifdef(`distro_redhat',`
# this is from the initrd:
@@ -313,6 +348,11 @@ ifdef(`distro_redhat',`
@@ -313,6 +349,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -31117,7 +31150,7 @@ index e8c59a5..5c935e3 100644
bootloader_rw_tmp_files(lvm_t)
')
@@ -333,14 +373,26 @@ optional_policy(`
@@ -333,14 +374,26 @@ optional_policy(`
')
optional_policy(`
@ -31145,7 +31178,7 @@ index e8c59a5..5c935e3 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9fe8e01..a70c055 100644
index 9fe8e01..5985e0f 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@ -31188,8 +31221,12 @@ index 9fe8e01..a70c055 100644
/usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
@@ -75,9 +74,11 @@ ifdef(`distro_redhat',`
/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
+/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0)
@ -31197,7 +31234,7 @@ index 9fe8e01..a70c055 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
@@ -90,6 +91,7 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@ -31555,7 +31592,7 @@ index 7449974..6375786 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7a49e28..1d374a0 100644
index 7a49e28..de1dcdd 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@ -31695,10 +31732,12 @@ index 7a49e28..1d374a0 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
@@ -151,30 +162,37 @@ files_read_etc_runtime_files(insmod_t)
@@ -151,30 +162,38 @@ files_read_etc_runtime_files(insmod_t)
files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t)
files_exec_etc_files(insmod_t)
+# users installing vbox put kernel modules in /var/lib
+files_read_var_lib_files(insmod_t)
+files_read_kernel_symbol_table(insmod_t)
# for nscd:
files_dontaudit_search_pids(insmod_t)
@ -31727,7 +31766,7 @@ index 7a49e28..1d374a0 100644
logging_search_logs(insmod_t)
-miscfiles_read_localization(insmod_t)
-
seutil_read_file_contexts(insmod_t)
-userdom_use_user_terminals(insmod_t)
@ -31736,7 +31775,7 @@ index 7a49e28..1d374a0 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
kernel_domtrans_to(insmod_t, insmod_exec_t)
@@ -184,28 +202,33 @@ optional_policy(`
@@ -184,28 +203,33 @@ optional_policy(`
')
optional_policy(`
@ -31760,24 +31799,24 @@ index 7a49e28..1d374a0 100644
optional_policy(`
- mount_domtrans(insmod_t)
+ hal_write_log(insmod_t)
+')
+
+optional_policy(`
+ hotplug_search_config(insmod_t)
')
optional_policy(`
- nis_use_ypbind(insmod_t)
+ kdump_manage_kdumpctl_tmp_files(insmod_t)
+ hotplug_search_config(insmod_t)
')
optional_policy(`
- nscd_use(insmod_t)
+ kdump_manage_kdumpctl_tmp_files(insmod_t)
+')
+
+optional_policy(`
+ mount_domtrans(insmod_t)
')
optional_policy(`
@@ -225,6 +248,7 @@ optional_policy(`
@@ -225,6 +249,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@ -31785,7 +31824,7 @@ index 7a49e28..1d374a0 100644
')
optional_policy(`
@@ -233,6 +257,10 @@ optional_policy(`
@@ -233,6 +258,10 @@ optional_policy(`
')
optional_policy(`
@ -31796,7 +31835,7 @@ index 7a49e28..1d374a0 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t)
@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@ -34862,10 +34901,10 @@ index 0000000..4e12420
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..2e5b822
index 0000000..6862d53
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,1195 @@
@@ -0,0 +1,1231 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@ -35747,6 +35786,42 @@ index 0000000..2e5b822
+ filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
+')
+
+#######################################
+## <summary>
+## Create a directory in the /usr/lib/systemd/system directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_create_unit_file_dirs',`
+ gen_require(`
+ type systemd_unit_file_t;
+ ')
+
+ create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
+')
+
+#######################################
+## <summary>
+## Create a link in the /usr/lib/systemd/system directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_create_unit_file_lnk',`
+ gen_require(`
+ type systemd_unit_file_t;
+ ')
+
+ create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
+')
+
+########################################
+## <summary>
+## Transition to systemd named content
@ -38094,7 +38169,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3c5dba7..08ce1e5 100644
index 3c5dba7..4f43578 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -40601,16 +40676,34 @@ index 3c5dba7..08ce1e5 100644
')
########################################
@@ -3217,7 +3864,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -3217,7 +3864,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to open user ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_open_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
+ dontaudit $1 user_devpts_t:chr_file open;
')
########################################
@@ -3272,7 +3919,64 @@ interface(`userdom_write_user_tmp_files',`
@@ -3272,7 +3937,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -40676,7 +40769,7 @@ index 3c5dba7..08ce1e5 100644
')
########################################
@@ -3290,7 +3994,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
@@ -3290,7 +4012,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@ -40685,7 +40778,7 @@ index 3c5dba7..08ce1e5 100644
')
########################################
@@ -3309,6 +4013,7 @@ interface(`userdom_read_all_users_state',`
@@ -3309,6 +4031,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@ -40693,7 +40786,7 @@ index 3c5dba7..08ce1e5 100644
kernel_search_proc($1)
')
@@ -3385,6 +4090,42 @@ interface(`userdom_signal_all_users',`
@@ -3385,6 +4108,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@ -40736,7 +40829,7 @@ index 3c5dba7..08ce1e5 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
@@ -3405,6 +4146,24 @@ interface(`userdom_sigchld_all_users',`
@@ -3405,6 +4164,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@ -40761,7 +40854,7 @@ index 3c5dba7..08ce1e5 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3438,4 +4197,1455 @@ interface(`userdom_dbus_send_all_users',`
@@ -3438,4 +4215,1455 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;


@ -2572,10 +2572,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 0000000..36cb011
index 0000000..badbc17
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,252 @@
@@ -0,0 +1,256 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@ -2669,6 +2669,7 @@ index 0000000..36cb011
+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
@ -2716,6 +2717,9 @@ index 0000000..36cb011
+corenet_tcp_connect_http_port(antivirus_domain)
+corenet_tcp_sendrecv_http_port(antivirus_domain)
+
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
+corenet_tcp_connect_snmp_port(antivirus_domain)
+
+corenet_sendrecv_squid_client_packets(antivirus_domain)
+corenet_tcp_connect_squid_port(antivirus_domain)
+corenet_tcp_sendrecv_squid_port(antivirus_domain)
@ -11974,7 +11978,7 @@ index c223f81..3bcdf6a 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
index 2a71346..c1eef8d 100644
index 2a71346..9f877a1 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@ -11994,7 +11998,13 @@ index 2a71346..c1eef8d 100644
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
@@ -117,9 +118,7 @@ dev_read_urand(cobblerd_t)
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
corenet_tcp_connect_http_port(cobblerd_t)
corenet_sendrecv_http_client_packets(cobblerd_t)
+dev_read_sysfs(cobblerd_t)
dev_read_urand(cobblerd_t)
files_list_boot(cobblerd_t)
files_list_tmp(cobblerd_t)
files_read_boot_files(cobblerd_t)
@ -12004,7 +12014,7 @@ index 2a71346..c1eef8d 100644
fs_getattr_all_fs(cobblerd_t)
fs_read_iso9660_files(cobblerd_t)
@@ -128,6 +127,8 @@ selinux_get_enforce_mode(cobblerd_t)
@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
term_use_console(cobblerd_t)
@ -12013,7 +12023,24 @@ index 2a71346..c1eef8d 100644
logging_send_syslog_msg(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
@@ -193,12 +194,11 @@ optional_policy(`
@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
')
optional_policy(`
+ apache_domtrans(cobblerd_t)
apache_search_sys_content(cobblerd_t)
')
@@ -188,17 +191,20 @@ optional_policy(`
')
optional_policy(`
+ libs_exec_ldconfig(cobblerd_t)
+')
+
+optional_policy(`
rpm_exec(cobblerd_t)
')
optional_policy(`
rsync_read_config(cobblerd_t)
@ -12987,7 +13014,7 @@ index 3fe3cb8..b8e08c6 100644
+ ')
')
diff --git a/condor.te b/condor.te
index 3f2b672..2af6e1e 100644
index 3f2b672..c0501e0 100644
--- a/condor.te
+++ b/condor.te
@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
@ -13071,7 +13098,16 @@ index 3f2b672..2af6e1e 100644
optional_policy(`
mta_send_mail(condor_master_t)
@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
@@ -169,6 +175,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
+corenet_tcp_bind_http_port(condor_collector_t)
+
#####################################
#
# Negotiator local policy
@@ -178,6 +186,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@ -13080,7 +13116,7 @@ index 3f2b672..2af6e1e 100644
######################################
#
# Procd local policy
@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
@@ -201,6 +211,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@ -13089,7 +13125,7 @@ index 3f2b672..2af6e1e 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
@@ -209,6 +221,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@ -13098,7 +13134,7 @@ index 3f2b672..2af6e1e 100644
#####################################
#
# Startd local policy
@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t)
@@ -233,11 +247,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@ -13111,7 +13147,7 @@ index 3f2b672..2af6e1e 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
@@ -249,3 +260,7 @@ optional_policy(`
@@ -249,3 +262,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@ -13120,24 +13156,15 @@ index 3f2b672..2af6e1e 100644
+ unconfined_domain(condor_startd_t)
+')
diff --git a/consolekit.fc b/consolekit.fc
index 23c9558..ee585a7 100644
index 23c9558..29e5fd3 100644
--- a/consolekit.fc
+++ b/consolekit.fc
@@ -1,7 +1,9 @@
-/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+#/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
-/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+#/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
-/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
-/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+#/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
@@ -1,3 +1,5 @@
+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
+#/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
+#/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+#/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec..0647a3b 100644
--- a/consolekit.if
@ -16384,10 +16411,18 @@ index b25b01d..4f7d237 100644
')
+
diff --git a/ctdb.te b/ctdb.te
index 6ce66e7..1d0337a 100644
index 6ce66e7..f2a7a61 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -85,12 +85,10 @@ dev_read_urand(ctdbd_t)
@@ -75,6 +75,7 @@ corenet_tcp_bind_generic_node(ctdbd_t)
corenet_sendrecv_ctdb_server_packets(ctdbd_t)
corenet_tcp_bind_ctdb_port(ctdbd_t)
+corenet_udp_bind_ctdb_port(ctdbd_t)
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
@@ -85,12 +86,10 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
@ -16400,7 +16435,7 @@ index 6ce66e7..1d0337a 100644
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
@@ -109,6 +107,7 @@ optional_policy(`
@@ -109,6 +108,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
@ -20417,10 +20452,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 0000000..1a57396
index 0000000..05c070d
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,193 @@
@@ -0,0 +1,194 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@ -20512,6 +20547,7 @@ index 0000000..1a57396
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
+kernel_read_network_state(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+kernel_read_kernel_sysctls(dirsrv_t)
+
@ -29820,10 +29856,18 @@ index 57304e4..46e5e3d 100644
optional_policy(`
tgtd_manage_semaphores(iscsid_t)
diff --git a/isns.te b/isns.te
index bc11034..e393434 100644
index bc11034..107ed2f 100644
--- a/isns.te
+++ b/isns.te
@@ -46,8 +46,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
allow isnsd_t self:capability kill;
allow isnsd_t self:process signal;
allow isnsd_t self:fifo_file rw_fifo_file_perms;
+allow isnsd_t self:tcp_socket { listen };
allow isnsd_t self:udp_socket { accept listen };
allow isnsd_t self:unix_stream_socket { accept listen };
@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
corenet_sendrecv_isns_server_packets(isnsd_t)
corenet_tcp_bind_isns_port(isnsd_t)
@ -37645,10 +37689,10 @@ index 4462c0e..84944d1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
index 6ffaba2..bb33a48 100644
index 6ffaba2..99d4eeb 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,38 +1,65 @@
@@ -1,38 +1,66 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@ -37688,6 +37732,7 @@ index 6ffaba2..bb33a48 100644
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+
@ -37749,7 +37794,7 @@ index 6ffaba2..bb33a48 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b80..af1201e 100644
index 6194b80..5fe7031 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -38388,7 +38433,7 @@ index 6194b80..af1201e 100644
## </summary>
## <param name="domain">
## <summary>
@@ -530,45 +448,52 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
@@ -530,45 +448,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@ -38457,6 +38502,7 @@ index 6194b80..af1201e 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
@ -44418,7 +44464,7 @@ index 0e8508c..0b68b86 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
index 0b48a30..f3320a3 100644
index 0b48a30..c71f8e5 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@ -44567,7 +44613,7 @@ index 0b48a30..f3320a3 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t)
@@ -140,6 +144,17 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@ -44580,11 +44626,12 @@ index 0b48a30..f3320a3 100644
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_system_conf_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+files_read_isid_type_files(NetworkManager_t)
+
storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t)
@@ -148,10 +163,11 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@ -44597,7 +44644,7 @@ index 0b48a30..f3320a3 100644
seutil_read_config(NetworkManager_t)
@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
@@ -166,21 +182,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@ -44634,7 +44681,7 @@ index 0b48a30..f3320a3 100644
')
optional_policy(`
@@ -196,10 +222,6 @@ optional_policy(`
@@ -196,10 +223,6 @@ optional_policy(`
')
optional_policy(`
@ -44645,7 +44692,7 @@ index 0b48a30..f3320a3 100644
consoletype_exec(NetworkManager_t)
')
@@ -210,16 +232,11 @@ optional_policy(`
@@ -210,16 +233,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@ -44664,7 +44711,7 @@ index 0b48a30..f3320a3 100644
')
')
@@ -231,18 +248,19 @@ optional_policy(`
@@ -231,18 +249,19 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@ -44687,7 +44734,7 @@ index 0b48a30..f3320a3 100644
')
optional_policy(`
@@ -250,6 +268,10 @@ optional_policy(`
@@ -250,6 +269,10 @@ optional_policy(`
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
@ -44698,7 +44745,7 @@ index 0b48a30..f3320a3 100644
')
optional_policy(`
@@ -257,11 +279,10 @@ optional_policy(`
@@ -257,11 +280,10 @@ optional_policy(`
')
optional_policy(`
@ -44714,7 +44761,7 @@ index 0b48a30..f3320a3 100644
')
optional_policy(`
@@ -274,10 +295,17 @@ optional_policy(`
@@ -274,10 +296,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@ -44732,7 +44779,7 @@ index 0b48a30..f3320a3 100644
')
optional_policy(`
@@ -289,6 +317,7 @@ optional_policy(`
@@ -289,6 +318,7 @@ optional_policy(`
')
optional_policy(`
@ -44740,7 +44787,7 @@ index 0b48a30..f3320a3 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
@@ -296,7 +325,7 @@ optional_policy(`
@@ -296,7 +326,7 @@ optional_policy(`
')
optional_policy(`
@ -44749,7 +44796,7 @@ index 0b48a30..f3320a3 100644
')
optional_policy(`
@@ -307,6 +336,7 @@ optional_policy(`
@@ -307,6 +337,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@ -44757,7 +44804,7 @@ index 0b48a30..f3320a3 100644
')
optional_policy(`
@@ -320,13 +350,15 @@ optional_policy(`
@@ -320,13 +351,19 @@ optional_policy(`
')
optional_policy(`
@ -44772,17 +44819,21 @@ index 0b48a30..f3320a3 100644
optional_policy(`
- # unconfined_dgram_send(NetworkManager_t)
- unconfined_stream_connect(NetworkManager_t)
+ ssh_exec(NetworkManager_t)
+')
+
+optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
')
optional_policy(`
@@ -356,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
@@ -356,6 +393,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
-miscfiles_read_localization(wpa_cli_t)
-
term_dontaudit_use_console(wpa_cli_t)
diff --git a/nis.fc b/nis.fc
index 8aa1bfa..cd0e015 100644
@ -51929,10 +51980,10 @@ index 96db654..ff3aadd 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..9515043 100644
index dfd46e4..173813f 100644
--- a/pegasus.fc
+++ b/pegasus.fc
@@ -1,15 +1,12 @@
@@ -1,15 +1,15 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
-/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
-
@ -51954,6 +52005,9 @@ index dfd46e4..9515043 100644
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+
+#openlmi agents
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644
--- a/pegasus.if
@ -52055,7 +52109,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
index 7bcf327..ebc50dc 100644
index 7bcf327..fa856e9 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@ -52143,7 +52197,8 @@ index 7bcf327..ebc50dc 100644
allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
-allow pegasus_t self:process signal;
+allow pegasus_t self:process { setsched signal };
allow pegasus_t self:fifo_file rw_fifo_file_perms;
-allow pegasus_t self:unix_stream_socket { connectto accept listen };
-allow pegasus_t self:tcp_socket { accept listen };
@ -52298,6 +52353,176 @@ index 7bcf327..ebc50dc 100644
')
optional_policy(`
diff --git a/pesign.fc b/pesign.fc
new file mode 100644
index 0000000..7b54c39
--- /dev/null
+++ b/pesign.fc
@@ -0,0 +1,6 @@
+/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0)
+
+/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0)
+
+/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0)
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
diff --git a/pesign.if b/pesign.if
new file mode 100644
index 0000000..c20674c
--- /dev/null
+++ b/pesign.if
@@ -0,0 +1,103 @@
+
+## <summary>pesign utility for signing UEFI binaries as well as other associated tools</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the pesign domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pesign_domtrans',`
+ gen_require(`
+ type pesign_t, pesign_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pesign_exec_t, pesign_t)
+')
+########################################
+## <summary>
+## Read pesign PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pesign_read_pid_files',`
+ gen_require(`
+ type pesign_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute pesign server in the pesign domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pesign_systemctl',`
+ gen_require(`
+ type pesign_t;
+ type pesign_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 pesign_unit_file_t:file read_file_perms;
+ allow $1 pesign_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, pesign_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pesign environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pesign_admin',`
+ gen_require(`
+ type pesign_t;
+ type pesign_var_run_t;
+ type pesign_unit_file_t;
+ ')
+
+ allow $1 pesign_t:process { ptrace signal_perms };
+ ps_process_pattern($1, pesign_t)
+
+ files_search_pids($1)
+ admin_pattern($1, pesign_var_run_t)
+
+ pesign_systemctl($1)
+ admin_pattern($1, pesign_unit_file_t)
+ allow $1 pesign_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/pesign.te b/pesign.te
new file mode 100644
index 0000000..513887d
--- /dev/null
+++ b/pesign.te
@@ -0,0 +1,43 @@
+policy_module(pesign, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pesign_t;
+type pesign_exec_t;
+init_daemon_domain(pesign_t, pesign_exec_t)
+
+type pesign_var_run_t;
+files_pid_file(pesign_var_run_t)
+
+type pesign_unit_file_t;
+systemd_unit_file(pesign_unit_file_t)
+
+########################################
+#
+# pesign local policy
+#
+
+allow pesign_t self:capability { setgid setuid };
+allow pesign_t self:process setsched;
+allow pesign_t self:fifo_file rw_fifo_file_perms;
+allow pesign_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
+files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
+
+dev_read_urand(pesign_t)
+
+files_dontaudit_list_tmp(pesign_t)
+
+auth_use_nsswitch(pesign_t)
+
+logging_send_syslog_msg(pesign_t)
+
+miscfiles_read_certs(pesign_t)
+miscfiles_read_localization(pesign_t)
diff --git a/pingd.if b/pingd.if
index 21a6ecb..b99e4cb 100644
--- a/pingd.if
@ -53297,10 +53522,10 @@ index 0000000..0c167b7
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
diff --git a/pki.if b/pki.if
new file mode 100644
index 0000000..e1d3320
index 0000000..6329c9c
--- /dev/null
+++ b/pki.if
@@ -0,0 +1,272 @@
@@ -0,0 +1,273 @@
+
+## <summary>policy for pki</summary>
+########################################
@ -53572,6 +53797,7 @@ index 0000000..e1d3320
+ ')
+
+ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
+')
diff --git a/pki.te b/pki.te
new file mode 100644
@ -64656,7 +64882,7 @@ index 951db7f..6d6ec1d 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
index 2c1730b..e67ea1b 100644
index 2c1730b..0e15502 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@ -64702,8 +64928,11 @@ index 2c1730b..e67ea1b 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
@@ -51,17 +59,20 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
@@ -49,19 +57,23 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_read_crash(mdadm_t)
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
+dev_read_nvram(mdadm_t)
@ -64725,7 +64954,7 @@ index 2c1730b..e67ea1b 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -70,16 +81,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
@@ -70,16 +82,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@ -69574,7 +69803,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
index e5212e6..74f3e1b 100644
index e5212e6..df782bf 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@ -69785,7 +70014,7 @@ index e5212e6..74f3e1b 100644
')
########################################
@@ -195,41 +141,55 @@ optional_policy(`
@@ -195,41 +141,56 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -69826,6 +70055,7 @@ index e5212e6..74f3e1b 100644
files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
+fs_mounton_nfsd_fs(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
@ -69848,7 +70078,7 @@ index e5212e6..74f3e1b 100644
miscfiles_manage_public_files(nfsd_t)
')
@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',`
@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@ -69856,7 +70086,7 @@ index e5212e6..74f3e1b 100644
')
tunable_policy(`nfs_export_all_ro',`
@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',`
@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@ -69871,7 +70101,7 @@ index e5212e6..74f3e1b 100644
')
########################################
@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -69879,7 +70109,7 @@ index e5212e6..74f3e1b 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
@@ -279,25 +239,29 @@ kernel_signal(gssd_t)
@@ -279,25 +240,29 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@ -69912,7 +70142,7 @@ index e5212e6..74f3e1b 100644
')
optional_policy(`
@@ -306,8 +270,11 @@ optional_policy(`
@@ -306,8 +271,11 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@ -74773,10 +75003,10 @@ index 0000000..5da5bff
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000..cb720ee
index 0000000..5021551
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,465 @@
@@ -0,0 +1,467 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@ -75146,6 +75376,7 @@ index 0000000..cb720ee
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type)
+
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
@ -75242,6 +75473,7 @@ index 0000000..cb720ee
+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
diff --git a/sanlock.fc b/sanlock.fc
index 3df2a0f..9059165 100644
--- a/sanlock.fc
@ -75820,7 +76052,7 @@ index 98c9e0a..df51942 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
index 4a23d84..bc26091 100644
index 4a23d84..49c7362 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
@ -75850,7 +76082,7 @@ index 4a23d84..bc26091 100644
corenet_tcp_sendrecv_generic_if(sblim_domain)
corenet_tcp_sendrecv_generic_node(sblim_domain)
@@ -44,12 +37,6 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
@@ -44,19 +37,13 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
dev_read_sysfs(sblim_domain)
@ -75863,6 +76095,15 @@ index 4a23d84..bc26091 100644
########################################
#
# Gatherd local policy
#
-allow sblim_gatherd_t self:capability dac_override;
-allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:capability { dac_override sys_nice };
+allow sblim_gatherd_t self:process { setsched signal };
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
@@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
init_read_utmp(sblim_gatherd_t)
@ -78661,6 +78902,100 @@ index cbfe369..085ac13 100644
########################################
## <summary>
## All of the rules required to
diff --git a/snapper.fc b/snapper.fc
new file mode 100644
index 0000000..3f412d5
--- /dev/null
+++ b/snapper.fc
@@ -0,0 +1 @@
+/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0)
diff --git a/snapper.if b/snapper.if
new file mode 100644
index 0000000..94105ee
--- /dev/null
+++ b/snapper.if
@@ -0,0 +1,42 @@
+
+## <summary>policy for snapperd</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the snapperd domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`snapper_domtrans',`
+ gen_require(`
+ type snapperd_t, snapperd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, snapperd_exec_t, snapperd_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## snapperd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`snapper_dbus_chat',`
+ gen_require(`
+ type snapperd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 snapperd_t:dbus send_msg;
+ allow snapperd_t $1:dbus send_msg;
+')
diff --git a/snapper.te b/snapper.te
new file mode 100644
index 0000000..ad232be
--- /dev/null
+++ b/snapper.te
@@ -0,0 +1,33 @@
+policy_module(snapper, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type snapperd_t;
+type snapperd_exec_t;
+init_daemon_domain(snapperd_t, snapperd_exec_t)
+
+########################################
+#
+# snapperd local policy
+#
+
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
+
+storage_raw_read_fixed_disk(snapperd_t)
+
+auth_use_nsswitch(snapperd_t)
+
+miscfiles_read_localization(snapperd_t)
+
+optional_policy(`
+ dbus_system_bus_client(snapperd_t)
+ dbus_connect_system_bus(snapperd_t)
+')
+
+optional_policy(`
+ mount_domtrans(snapperd_t)
+')
diff --git a/snmp.fc b/snmp.fc
index c73fa24..408ff61 100644
--- a/snmp.fc
@ -86781,10 +87116,10 @@ index 0be8535..b96e329 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
index c30da4c..f3e9b6d 100644
index c30da4c..e97572f 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,52 +1,85 @@
@@ -1,52 +1,86 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@ -86834,6 +87169,7 @@ index c30da4c..f3e9b6d 100644
-/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
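Review bot: In the new pesign.if, `pesign_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `pesign_admin` calls `systemd_read_fifo_file_passwd_run($1)` a few lines later; the two spellings cannot both name an existing systemd interface, so one of them is presumably a typo that will only surface when the module is compiled (the `passwd` spelling matches the `systemd_passwd_agent_exec` call beside it). The domtrans summaries in pesign.if and snapper.if still carry the generator placeholder, `## Execute TEMPLATE in the pesign domin.` and `## Execute TEMPLATE in the snapperd domin.`, and should read `## Execute pesign in the pesign domain.` and `## Execute snapperd in the snapperd domain.` respectively. The `pesign_systemctl` summary `## Execute pesign server in the pesign domain.` also overstates what the body grants, which is systemctl access to `pesign_unit_file_t` plus `ps_process_pattern`; `## Execute systemctl on the pesign unit file and read pesign process state.` would describe it. Minor style point in the antivirus.te hunk: `files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})` omits the spaces inside the braces used everywhere else in these files, e.g. `{ file }`.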


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 54%{?dist}
Release: 56%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -535,6 +535,42 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Jun 24 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-56
- Allow lvm_t to create default targets for filesystem handling
- Fix labeling for razor-lightdm binaries
- Allow insmod_t to read any file labeled var_lib_t
- Add policy for pesign
- Activate policy for cmpiLMI_Account-cimprovagt
- Allow isnsd syscall=listen
- /usr/libexec/pegasus/cimprovagt needs setsched caused by sched_setscheduler
- Allow ctdbd to use udp/4379
- gatherd wants sys_nice and setsched
- Add support for texlive2012
- Allow NM to read file_t (usb stick with no labels used to transfer keys for example)
- Allow cobbler to execute apache with domain transition
* Fri Jun 21 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-55
- condor_collector uses tcp/9000
- Label /usr/sbin/virtlockd as virtd_exec_t for now
- Allow cobbler to execute ldconfig
- Allow NM to execute ssh
- Allow mdadm to read /dev/crash
- Allow antivirus domains to connect to snmp port
- Make amavisd-snmp working correctly
- Allow nfsd_t to mounton nfsd_fs_t
- Add initial snapper policy
- We still need to have consolekit policy
- Dontaudit firefox attempting to connect to the xserver_port_t if run within sandbox_web_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow dirsrv to read network state
- Fix pki_read_tomcat_lib_files
- Add labeling for /usr/libexec/nm-ssh-service
- Add label cert_t for /var/lib/ipa/pki-ca/publish
- Lets label /sys/fs/cgroup as cgroup_t for now, to keep labels consistant
- Allow nfsd_t to mounton nfsd_fs_t
- Dontaudit sandbox apps attempting to open user_devpts_t
- Allow passwd_t to change role to system_r from unconfined_r
* Wed Jun 19 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-54
- Don't audit access checks by sandbox xserver on xdb var_lib
- Allow ntop to read usbmon devices