- Allow staff_t to communicate and run docker

- Fix *_ecryptfs_home_dirs booleans
- Allow ldconfig_t to read/write inherited user tmp pipes
- Allow storaged to dbus chat with lvm_t
- Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t.
- Use proper calling in ssh.te for userdom_home_manager attribute
- Use userdom_home_manager_type() also for ssh_keygen_t
- Allow locate to list directories without labels
- Allow bitlbee to use tcp/7778 port
- /etc/cron.daily/logrotate to execute fail2ban-client.
- Allow keepalived to connect to SNMP port. Support to do SNMP stuff
- Allow staff_t to communicate and run docker
- Dontaudit search mgrepl/.local for cobblerd_t
- Allow neutron to execute kmod in insmod_t
- Allow neutron to execute udevadm in udev_t
- Allow also fowner cap for varnishd
- Allow keepalived to execute bin_t/shell_exec_t
- rhsmcertd seems to need these accesses. We need this backported to RHEL7 and perhaps RHEL6 policy
- Add cups_execmem boolean
- Allow gear to manage gear service
- New requires for gear to use systemctl and init var_run_t
- Allow cups to execute its rw_etc_t files, for Brother printers
- Add fixes to make munin and munin-cgi work. Allow munin-cgit to create files/dirs in /tmp, list munin co
- Allow swift to execute bin_t
- Allow swift to bind http_cache
Miroslav Grepl 2014-06-09 09:05:58 +02:00
parent 07a8be1e18
commit 686a38099f
3 changed files with 446 additions and 263 deletions


@ -18601,7 +18601,7 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0fef1fc..ee4b689 100644
index 0fef1fc..46aa66e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
@ -18676,7 +18676,7 @@ index 0fef1fc..ee4b689 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
@@ -23,11 +82,110 @@ optional_policy(`
@@ -23,11 +82,115 @@ optional_policy(`
')
optional_policy(`
@ -18705,6 +18705,11 @@ index 0fef1fc..ee4b689 100644
optional_policy(`
- git_role(staff_r, staff_t)
+ docker_stream_connect(staff_t)
+ docker_exec(staff_t)
+')
+
+optional_policy(`
+ dnsmasq_read_pid_files(staff_t)
+')
+
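Review bot: `docker_exec(staff_t)` together with `docker_stream_connect(staff_t)` lets every staff_r session drive the docker daemon socket, and the daemon it reaches runs as root and can mount host paths into containers, so this is effectively a root-equivalent grant for staff_t rather than an ordinary client permission. Gate the pair behind a boolean inside the same `optional_policy` block and say so in the changelog entry, so administrators who confine staff users do not receive it by default. The separate `dnsmasq_read_pid_files(staff_t)` block is fine on its own.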
@ -18788,7 +18793,7 @@ index 0fef1fc..ee4b689 100644
')
optional_policy(`
@@ -35,15 +193,31 @@ optional_policy(`
@@ -35,15 +198,31 @@ optional_policy(`
')
optional_policy(`
@ -18822,7 +18827,7 @@ index 0fef1fc..ee4b689 100644
')
optional_policy(`
@@ -52,11 +226,61 @@ optional_policy(`
@@ -52,11 +231,61 @@ optional_policy(`
')
optional_policy(`
@ -18884,7 +18889,7 @@ index 0fef1fc..ee4b689 100644
')
ifndef(`distro_redhat',`
@@ -65,10 +289,6 @@ ifndef(`distro_redhat',`
@@ -65,10 +294,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -18895,7 +18900,7 @@ index 0fef1fc..ee4b689 100644
cdrecord_role(staff_r, staff_t)
')
@@ -78,10 +298,6 @@ ifndef(`distro_redhat',`
@@ -78,10 +303,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@ -18906,7 +18911,7 @@ index 0fef1fc..ee4b689 100644
')
optional_policy(`
@@ -101,10 +317,6 @@ ifndef(`distro_redhat',`
@@ -101,10 +322,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -18917,7 +18922,7 @@ index 0fef1fc..ee4b689 100644
java_role(staff_r, staff_t)
')
@@ -125,10 +337,6 @@ ifndef(`distro_redhat',`
@@ -125,10 +342,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -18928,7 +18933,7 @@ index 0fef1fc..ee4b689 100644
pyzor_role(staff_r, staff_t)
')
@@ -141,10 +349,6 @@ ifndef(`distro_redhat',`
@@ -141,10 +354,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -18939,7 +18944,7 @@ index 0fef1fc..ee4b689 100644
spamassassin_role(staff_r, staff_t)
')
@@ -176,3 +380,22 @@ ifndef(`distro_redhat',`
@@ -176,3 +385,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@ -22141,7 +22146,7 @@ index fe0c682..e8dcfa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7..1d92018 100644
index cc877c7..b153547 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
@ -22630,20 +22635,17 @@ index cc877c7..1d92018 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -333,6 +507,12 @@ auth_use_nsswitch(ssh_keygen_t)
@@ -332,7 +506,9 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
+userdom_home_manager(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+userdom_use_user_terminals(ssh_keygen_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(ssh_keygen_t)
+ fs_manage_nfs_dirs(ssh_keygen_t)
+')
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
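Review bot: `userdom_home_manager(ssh_keygen_t)` replaces the explicit `use_nfs_home_dirs` block (`fs_manage_nfs_files` / `fs_manage_nfs_dirs`) shown being dropped below it, so the attribute-based interface must carry the same NFS and ecryptfs tunable rules or key generation breaks on NFS homes after this change; a one-line note in the commit that the tunables now come from the attribute in userdomain.te would help. Separately, full manage rights over all user home content is wider than ssh-keygen needs to write `~/.ssh`; if an `ssh_home_t`-scoped interface exists, prefer it.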
@@ -341,3 +521,140 @@ optional_policy(`
@@ -341,3 +517,140 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@ -32471,7 +32473,7 @@ index 808ba93..57a68da 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 54f8fa5..b4c7957 100644
index 54f8fa5..caf32d6 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@ -32535,7 +32537,7 @@ index 54f8fa5..b4c7957 100644
userdom_use_all_users_fds(ldconfig_t)
ifdef(`distro_ubuntu',`
@@ -103,6 +109,12 @@ ifdef(`distro_ubuntu',`
@@ -103,6 +109,13 @@ ifdef(`distro_ubuntu',`
')
')
@ -32544,11 +32546,12 @@ index 54f8fa5..b4c7957 100644
+userdom_manage_user_home_content_files(ldconfig_t)
+userdom_manage_user_tmp_files(ldconfig_t)
+userdom_manage_user_tmp_symlinks(ldconfig_t)
+userdom_rw_inherited_user_tmp_pipes(ldconfig_t)
+
ifdef(`hide_broken_symptoms',`
ifdef(`distro_gentoo',`
# leaked fds from portage
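Review bot: `userdom_rw_inherited_user_tmp_pipes(ldconfig_t)` is the right narrow grant for the changelog entry: `rw_inherited_fifo_file_perms` covers read and write on a fifo the caller already holds open, without `open`, so ldconfig run inside a user's shell pipeline works while ldconfig_t still cannot open user_tmp_t pipes by name. It depends on the new interface added to userdomain.if later in this same patch, so keep the two hunks in one commit. The surrounding `userdom_manage_user_home_content_files(ldconfig_t)` is pre-existing but is a far larger grant than this one and deserves a follow-up.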
@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',`
@@ -114,6 +127,11 @@ ifdef(`hide_broken_symptoms',`
')
')
@ -32560,7 +32563,7 @@ index 54f8fa5..b4c7957 100644
optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
')
@@ -131,6 +148,14 @@ optional_policy(`
@@ -131,6 +149,14 @@ optional_policy(`
')
optional_policy(`
@ -32575,7 +32578,7 @@ index 54f8fa5..b4c7957 100644
puppet_rw_tmp(ldconfig_t)
')
@@ -141,6 +166,3 @@ optional_policy(`
@@ -141,6 +167,3 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t)
')
@ -33885,7 +33888,7 @@ index 59b04c1..13c21e8 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 6b91740..633e449 100644
index 6b91740..562d1fd 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
@ -33922,7 +33925,7 @@ index 6b91740..633e449 100644
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -89,8 +95,72 @@ ifdef(`distro_gentoo',`
@@ -89,8 +95,74 @@ ifdef(`distro_gentoo',`
#
# /usr
#
@ -33993,11 +33996,13 @@ index 6b91740..633e449 100644
+/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/system-generators/lvm2.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/storaged/storaged -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/storaged/storaged-lvm-helper -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
#
# /var
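Review bot: labelling `/usr/lib/storaged/storaged` as `lvm_exec_t` runs the whole storaged D-Bus daemon in lvm_t, which already holds raw block-device and filesystem management rights, while storaged also handles non-LVM work (disks, mounts, SMART) that lvm_t was never written for. Least privilege would be a dedicated storaged domain with a transition to lvm_t only for `storaged-lvm-helper`; if the shared domain is a stopgap, add a comment above these two fc lines saying so, since the policykit and systemd rules added to lvm.te below exist only for storaged.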
@@ -98,5 +168,9 @@ ifdef(`distro_gentoo',`
@@ -98,5 +170,9 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@ -34177,7 +34182,7 @@ index 58bc27f..f887230 100644
+')
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c4..55d6ce4 100644
index 79048c4..f505f63 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -34405,7 +34410,7 @@ index 79048c4..55d6ce4 100644
bootloader_rw_tmp_files(lvm_t)
')
@@ -333,14 +374,30 @@ optional_policy(`
@@ -333,14 +374,34 @@ optional_policy(`
')
optional_policy(`
@ -34429,6 +34434,10 @@ index 79048c4..55d6ce4 100644
')
optional_policy(`
+ policykit_dbus_chat(lvm_t)
+')
+
+optional_policy(`
+ systemd_manage_passwd_run(lvm_t)
+')
+
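Review bot: `policykit_dbus_chat(lvm_t)` and `systemd_manage_passwd_run(lvm_t)` are needed only because storaged now runs as lvm_t (the polkit chat is its authorization path), so every LVM command-line tool gains D-Bus access to polkit and write access to systemd's ask-password files. Put a `# for storaged` comment above each block so a later split into a storaged domain knows which rules to move.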
@ -42130,7 +42139,7 @@ index db75976..4ca3a28 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..87b5cc3 100644
index 9dc60c6..139edc7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -44434,7 +44443,35 @@ index 9dc60c6..87b5cc3 100644
## temporary symbolic links.
## </summary>
## <param name="domain">
@@ -2661,6 +3362,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
@@ -2566,6 +3267,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
## </summary>
## </param>
#
+interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp($1)
+')
+
+
+########################################
+## <summary>
+## Create, read, write, and delete user
+## temporary named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`userdom_manage_user_tmp_pipes',`
gen_require(`
type user_tmp_t;
@@ -2661,6 +3383,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
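Review bot: the new `userdom_rw_inherited_user_tmp_pipes` interface is inserted directly under the doc block of `userdom_manage_user_tmp_pipes` (the `## </summary>` / `## </param>` / `#` context lines above it), so it takes over the summary "Create, read, write, and delete user temporary named pipes" while a fresh copy of that block is added for the manage interface below it. Give the new interface its own block, e.g. `## Read and write inherited user temporary named pipes.`, placed between the `#` line and `+interface(`. Also, `files_search_tmp($1)` is not needed for an inherited fd, since no path lookup happens, and the two consecutive blank `+` lines after `+')` should be one.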
@ -44460,7 +44497,7 @@ index 9dc60c6..87b5cc3 100644
########################################
## <summary>
## Read user tmpfs files.
@@ -2677,13 +3397,14 @@ interface(`userdom_read_user_tmpfs_files',`
@@ -2677,13 +3418,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -44476,7 +44513,7 @@ index 9dc60c6..87b5cc3 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2704,7 +3425,7 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2704,7 +3446,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@ -44485,7 +44522,7 @@ index 9dc60c6..87b5cc3 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2712,14 +3433,30 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2712,14 +3454,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@ -44520,7 +44557,7 @@ index 9dc60c6..87b5cc3 100644
')
########################################
@@ -2814,6 +3551,24 @@ interface(`userdom_use_user_ttys',`
@@ -2814,6 +3572,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@ -44545,7 +44582,7 @@ index 9dc60c6..87b5cc3 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
@@ -2832,22 +3587,34 @@ interface(`userdom_use_user_ptys',`
@@ -2832,22 +3608,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@ -44588,7 +44625,7 @@ index 9dc60c6..87b5cc3 100644
## </desc>
## <param name="domain">
## <summary>
@@ -2856,14 +3623,33 @@ interface(`userdom_use_user_ptys',`
@@ -2856,14 +3644,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@ -44626,7 +44663,7 @@ index 9dc60c6..87b5cc3 100644
')
########################################
@@ -2882,8 +3668,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
@@ -2882,8 +3689,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@ -44656,96 +44693,95 @@ index 9dc60c6..87b5cc3 100644
')
########################################
@@ -2955,69 +3760,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
@@ -2955,6 +3781,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
-########################################
+#####################################
## <summary>
-## Execute an Xserver session in all unprivileged user domains. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
+## <summary>
+## Allow domain dyntrans to unpriv userdomain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
+## </param>
+#
+interface(`userdom_dyntransition_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
- xserver_xsession_spec_domtrans($1, unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
- allow unpriv_userdomain $1:process sigchld;
+
+ allow $1 unpriv_userdomain:process dyntransition;
')
-#######################################
+')
+
+####################################
## <summary>
-## Read and write unpriviledged user SysV sempaphores.
+## <summary>
+## Allow domain dyntrans to admin userdomain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`userdom_rw_unpriv_user_semaphores',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
+## </param>
+#
+interface(`userdom_dyntransition_admin_users',`
+ gen_require(`
+ attribute admindomain;
+ ')
+
+ allow $1 admindomain:process dyntransition;
+')
+
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
@@ -2978,9 +3840,9 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
-#######################################
+########################################
## <summary>
-## Read and write unpriviledged user SysV sempaphores.
+## Manage unpriviledged user SysV sempaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -2988,17 +3850,18 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
## </summary>
## </param>
#
-interface(`userdom_rw_unpriv_user_semaphores',`
+interface(`userdom_manage_unpriv_user_semaphores',`
gen_require(`
attribute unpriv_userdomain;
')
- allow $1 unpriv_userdomain:sem rw_sem_perms;
+ allow $1 admindomain:process dyntransition;
+ allow $1 unpriv_userdomain:sem create_sem_perms;
')
########################################
## <summary>
-## Manage unpriviledged user SysV sempaphores.
+## Execute an Xserver session in all unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
+## Manage unpriviledged user SysV shared
+## memory segments.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain allowed to transition.
@@ -3006,57 +3869,19 @@ interface(`userdom_rw_unpriv_user_semaphores',`
## </summary>
## </param>
#
-interface(`userdom_manage_unpriv_user_semaphores',`
+interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+interface(`userdom_manage_unpriv_user_shared_mem',`
gen_require(`
attribute unpriv_userdomain;
')
- allow $1 unpriv_userdomain:sem create_sem_perms;
+ xserver_xsession_spec_domtrans($1, unpriv_userdomain)
+ allow unpriv_userdomain $1:fd use;
+ allow unpriv_userdomain $1:fifo_file rw_file_perms;
+ allow unpriv_userdomain $1:process sigchld;
+ allow $1 unpriv_userdomain:shm create_shm_perms;
')
-#######################################
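Review bot: `allow $1 admindomain:process dyntransition;` appears inside the body of `userdom_manage_unpriv_user_semaphores`, right after a `gen_require` that lists only `attribute unpriv_userdomain`; a semaphore interface must not grant a dynamic transition into admin domains, and `admindomain` is not required there, so make sure that line exists only in `userdom_dyntransition_admin_users`. Because this hunk interleaves the old and new versions of the region, also verify in the resulting patch that the xsession interface's summary is not merged with "Manage unpriviledged user SysV shared memory segments", and that `userdom_xsession_spec_domtrans_unpriv_users` and `userdom_manage_unpriv_user_shared_mem` do not end up with one shared body containing both `xserver_xsession_spec_domtrans` and `shm create_shm_perms`. The two new `dyntransition` interfaces are well formed; `process dyntransition` lets a caller change its own context without an exec-time entrypoint check, so limit callers to the login-style domains that need it, and pad their separator lines to the 40 `#` used elsewhere in the file.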
@ -44753,26 +44789,52 @@ index 9dc60c6..87b5cc3 100644
## <summary>
-## Read and write unpriviledged user SysV shared
-## memory segments.
+## Manage unpriviledged user SysV sempaphores.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`userdom_rw_unpriv_user_shared_mem',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:shm rw_shm_perms;
-')
-
-########################################
-## <summary>
-## Manage unpriviledged user SysV shared
-## memory segments.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`userdom_manage_unpriv_user_shared_mem',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:shm create_shm_perms;
-')
-
-########################################
-## <summary>
-## Execute bin_t in the unprivileged user domains. This
-## is an explicit transition, requiring the
-## caller to use setexeccon().
+## Execute bin_t in the unprivileged user domains. This
+## is an explicit transition, requiring the
+## caller to use setexeccon().
## </summary>
## <param name="domain">
## <summary>
@@ -3025,12 +3829,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
-interface(`userdom_rw_unpriv_user_shared_mem',`
+interface(`userdom_manage_unpriv_user_semaphores',`
gen_require(`
attribute unpriv_userdomain;
')
- allow $1 unpriv_userdomain:shm rw_shm_perms;
+ allow $1 unpriv_userdomain:sem create_sem_perms;
')
########################################
@@ -3094,7 +3898,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3094,7 +3919,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
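Review bot: `-interface(userdom_rw_unpriv_user_shared_mem` / `+interface(userdom_manage_unpriv_user_semaphores` with the body changed from `shm rw_shm_perms` to `sem create_sem_perms` turns a shared-memory interface into a second definition of the semaphore interface that the previous hunk already creates by renaming `userdom_rw_unpriv_user_semaphores`; m4 keeps whichever definition comes last without a warning. Check the resulting userdomain.if for exactly one `userdom_manage_unpriv_user_semaphores`, and that `userdom_rw_unpriv_user_shared_mem`, `userdom_manage_unpriv_user_shared_mem` and the `bin_t` spec_domtrans doc block survive in their original form, since the `-` lines here remove them and the `+## Execute bin_t ...` lines re-add only the summary text.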
@ -44781,7 +44843,7 @@ index 9dc60c6..87b5cc3 100644
allow unpriv_userdomain $1:process sigchld;
')
@@ -3110,16 +3914,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3110,29 +3935,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -44792,33 +44854,11 @@ index 9dc60c6..87b5cc3 100644
files_list_home($1)
- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
-## Send signull to unprivileged user domains.
+## Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
## <summary>
@@ -3127,30 +3933,12 @@ interface(`userdom_search_user_home_content',`
## </summary>
## </param>
#
-interface(`userdom_signull_unpriv_users',`
+interface(`userdom_signal_unpriv_users',`
gen_require(`
attribute unpriv_userdomain;
')
- allow $1 unpriv_userdomain:process signull;
-')
-
-########################################
-## <summary>
-## Send general signals to unprivileged user domains.
-## Send signull to unprivileged user domains.
-## </summary>
-## <param name="domain">
-## <summary>
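Review bot: `allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;` widens `userdom_search_user_home_content` from the single `user_home_t` type to every type carrying the `user_home_type` attribute, plus `lnk_file read_lnk_file_perms` on the same set; `search` and reading links are low risk, but the interface's `gen_require` (cut off at the top of this hunk) must now list `attribute user_home_type` instead of `type user_home_t`, or callers in other modules fail to build.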
@ -44826,17 +44866,18 @@ index 9dc60c6..87b5cc3 100644
-## </summary>
-## </param>
-#
-interface(`userdom_signal_unpriv_users',`
-interface(`userdom_signull_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- allow $1 unpriv_userdomain:process signal;
+ allow $1 unpriv_userdomain:process signal;
- allow $1 unpriv_userdomain:process signull;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
')
########################################
@@ -3214,7 +4002,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -3214,7 +4023,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
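Review bot: the net effect on the signal interfaces needs checking: `-interface(userdom_signull_unpriv_users` / `+interface(userdom_signal_unpriv_users` together with `- allow $1 unpriv_userdomain:process signull;` and `+ allow $1 unpriv_userdomain:process signal;` rename the signull interface into the signal one while the separate `userdom_signal_unpriv_users` block is removed, which leaves no `userdom_signull_unpriv_users` for existing callers and replaces the narrower `signull` (existence check only) with `signal`. Keep both interfaces. Also, the two `user_home_type` rules right before the closing `')` at the end of this hunk are a copy of the `userdom_search_user_home_content` change and do not belong in a signal interface, whose gen_require has no home types.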
@ -44863,7 +44904,7 @@ index 9dc60c6..87b5cc3 100644
')
########################################
@@ -3269,7 +4075,83 @@ interface(`userdom_write_user_tmp_files',`
@@ -3269,7 +4096,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -44948,7 +44989,7 @@ index 9dc60c6..87b5cc3 100644
')
########################################
@@ -3287,7 +4169,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
@@ -3287,7 +4190,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@ -44957,7 +44998,7 @@ index 9dc60c6..87b5cc3 100644
')
########################################
@@ -3306,6 +4188,7 @@ interface(`userdom_read_all_users_state',`
@@ -3306,6 +4209,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@ -44965,7 +45006,7 @@ index 9dc60c6..87b5cc3 100644
kernel_search_proc($1)
')
@@ -3382,6 +4265,42 @@ interface(`userdom_signal_all_users',`
@@ -3382,6 +4286,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@ -45008,7 +45049,7 @@ index 9dc60c6..87b5cc3 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
@@ -3402,6 +4321,24 @@ interface(`userdom_sigchld_all_users',`
@@ -3402,6 +4342,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@ -45033,7 +45074,7 @@ index 9dc60c6..87b5cc3 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4372,1680 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4393,1680 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@ -45145,7 +45186,7 @@ index 9dc60c6..87b5cc3 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 userdomain:process ptrace;
+ ')
+')
')
+
+########################################
+## <summary>
@ -45202,7 +45243,7 @@ index 9dc60c6..87b5cc3 100644
+
+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir list_dir_perms;
')
+')
+
+########################################
+## <summary>
@ -46715,7 +46756,7 @@ index 9dc60c6..87b5cc3 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f4ac38d..7283238 100644
index f4ac38d..9284c24 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@ -46804,7 +46845,7 @@ index f4ac38d..7283238 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t)
@@ -70,26 +83,390 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -46913,6 +46954,7 @@ index f4ac38d..7283238 100644
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(userdom_home_reader_certs_type)
+ fs_read_ecryptfs_symlinks(userdom_home_reader_certs_type)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
@ -46930,6 +46972,7 @@ index f4ac38d..7283238 100644
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(userdom_home_reader_type)
+ fs_read_ecryptfs_symlinks(userdom_home_reader_type)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
@ -46954,7 +46997,9 @@ index f4ac38d..7283238 100644
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
+ fs_manage_ecryptfs_files(userdom_home_manager_type)
+ fs_manage_ecryptfs_symlinks(userdom_home_manager_type)
+')
+
+# vi /etc/mtab can cause an avc trying to relabel to self.
+dontaudit userdomain self:file relabelto;
+
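Review bot: `fs_manage_ecryptfs_symlinks(userdom_home_manager_type)` completes the dir/file/symlink set for the manager attribute, while the two reader attributes above get only `fs_read_ecryptfs_symlinks`, which is the right split. Symlink creation in a home directory by a privileged home-manager domain is the classic confused-deputy route (the home owner plants a link, a service following it writes elsewhere), so the attribute should stay limited to domains that act on behalf of that user; a short comment naming the boolean being fixed (`use_ecryptfs_home_dirs`, per the changelog's `*_ecryptfs_home_dirs` entry) would help later readers.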


@ -9231,7 +9231,7 @@ index e73fb79..2badfc0 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index f5c1a48..7d8669f 100644
index f5c1a48..f255b29 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@ -9269,7 +9269,17 @@ index f5c1a48..7d8669f 100644
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
@@ -109,16 +114,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
@@ -98,7 +103,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
corenet_sendrecv_ircd_server_packets(bitlbee_t)
corenet_tcp_bind_ircd_port(bitlbee_t)
+corenet_tcp_bind_interwise_port(bitlbee_t)
corenet_sendrecv_ircd_client_packets(bitlbee_t)
+corenet_tcp_connect_interwise_port(bitlbee_t)
corenet_tcp_connect_ircd_port(bitlbee_t)
corenet_tcp_sendrecv_ircd_port(bitlbee_t)
@@ -109,16 +116,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
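Review bot: both `corenet_tcp_bind_interwise_port(bitlbee_t)` and `corenet_tcp_connect_interwise_port(bitlbee_t)` are added for the changelog's "use tcp/7778"; if bitlbee only listens on that port, drop the `connect` rule, and if it only dials out to it, drop `bind`, since granting both is wider than needed. The two lines are also interleaved with the ircd pairs (`corenet_tcp_bind_ircd_port` / `corenet_sendrecv_ircd_client_packets`); keep each port's bind, connect and sendrecv lines together as the rest of this block does.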
@ -13147,7 +13157,7 @@ index c223f81..8b567c1 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
index 5f306dd..e01156f 100644
index 5f306dd..1543aec 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@ -13208,7 +13218,7 @@ index 5f306dd..e01156f 100644
')
optional_policy(`
@@ -179,12 +183,22 @@ optional_policy(`
@@ -179,12 +183,26 @@ optional_policy(`
optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
@ -13223,6 +13233,10 @@ index 5f306dd..e01156f 100644
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(cobblerd_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(cobblerd_t)
+')
+
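Review bot: `libs_exec_ldconfig(cobblerd_t)` executes ldconfig in the cobblerd_t domain with no transition, so a real cache rebuild would need cobblerd_t to write `ld.so.cache`; if cobbler only needs ldconfig's `-p` listing this is fine, otherwise `libs_domtrans_ldconfig` keeps the write inside ldconfig_t. The `optional_policy` wrapper around it is unnecessary because libs is a base module. `gnome_dontaudit_search_config(cobblerd_t)` matches the "mgrepl/.local" changelog entry and is harmless.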
@ -13231,7 +13245,7 @@ index 5f306dd..e01156f 100644
')
optional_policy(`
@@ -192,13 +206,13 @@ optional_policy(`
@@ -192,13 +210,13 @@ optional_policy(`
')
optional_policy(`
@ -18752,14 +18766,21 @@ index 3023be7..303af85 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
index c91813c..2230476 100644
index c91813c..dbd69b1 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
# Declarations
#
-type cupsd_config_t;
+## <desc>
+## <p>
+## Allow cups execmem/execstack
+## </p>
+## </desc>
+gen_tunable(cups_execmem, false)
+
+attribute cups_domain;
+
+type cupsd_config_t, cups_domain;
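Review bot: the `<desc>` for `cups_execmem` should tell an administrator what turning it on costs: `execmem` / `execstack` lets cupsd map memory that is both writable and executable, which defeats the non-executable heap and stack hardening for a network-facing daemon, so the text should say it exists for binary printer drivers that require it and is off by default. The new `cups_domain` attribute is attached only to `cupsd_config_t` in this hunk; if the other cups types are meant to carry it, assign them here too, otherwise the attribute reads as unused.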
@ -18782,7 +18803,7 @@ index c91813c..2230476 100644
files_config_file(cupsd_etc_t)
type cupsd_initrc_exec_t;
@@ -33,13 +38,15 @@ type cupsd_lock_t;
@@ -33,13 +45,15 @@ type cupsd_lock_t;
files_lock_file(cupsd_lock_t)
type cupsd_log_t;
@ -18802,7 +18823,7 @@ index c91813c..2230476 100644
type cupsd_lpd_tmp_t;
files_tmp_file(cupsd_lpd_tmp_t)
@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
@@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
type cupsd_lpd_var_run_t;
files_pid_file(cupsd_lpd_var_run_t)
@ -18811,7 +18832,7 @@ index c91813c..2230476 100644
type cups_pdf_exec_t;
cups_backend(cups_pdf_t, cups_pdf_exec_t)
@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
@@ -55,29 +69,17 @@ type cups_pdf_tmp_t;
files_tmp_file(cups_pdf_tmp_t)
type cupsd_tmp_t;
@ -18845,7 +18866,7 @@ index c91813c..2230476 100644
type ptal_t;
type ptal_exec_t;
@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
@@ -97,21 +99,49 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
@ -18899,7 +18920,7 @@ index c91813c..2230476 100644
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
@@ -120,11 +150,14 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@ -18910,10 +18931,11 @@ index c91813c..2230476 100644
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
+cups_filetrans_named_content(cupsd_t)
+can_exec(cupsd_t, cupsd_rw_etc_t)
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
@@ -136,22 +161,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@ -18941,7 +18963,7 @@ index c91813c..2230476 100644
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -159,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
@@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
@ -18953,7 +18975,7 @@ index c91813c..2230476 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
@@ -186,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@ -18978,7 +19000,7 @@ index c91813c..2230476 100644
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
@@ -203,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
@@ -203,7 +243,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
@ -18986,7 +19008,7 @@ index c91813c..2230476 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
@@ -212,17 +243,19 @@ files_read_world_readable_files(cupsd_t)
@@ -212,17 +251,19 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@ -19008,7 +19030,7 @@ index c91813c..2230476 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
@@ -232,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t)
@@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@ -19017,7 +19039,7 @@ index c91813c..2230476 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
@@ -244,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
@@ -244,23 +287,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@ -19043,8 +19065,15 @@ index c91813c..2230476 100644
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
+tunable_policy(`cups_execmem',`
+ allow cupsd_t self:process { execmem execstack };
+')
+
+
optional_policy(`
@@ -272,6 +307,8 @@ optional_policy(`
apm_domtrans_client(cupsd_t)
')
@@ -272,6 +320,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
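Review bot: the `cups_execmem` tunable_policy grants `execmem execstack` to `cupsd_t` only, although the same patch introduces a `cups_domain` attribute; decide whether the boolean is for the daemon or for all cups domains (filters and backends are the usual execmem offenders) and either target the attribute or document why only cupsd_t gets it. Also collapse the two consecutive blank `+` lines after the block to one.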
@ -19053,7 +19082,7 @@ index c91813c..2230476 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -282,8 +319,10 @@ optional_policy(`
@@ -282,8 +332,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@ -19064,7 +19093,7 @@ index c91813c..2230476 100644
')
')
@@ -296,8 +335,8 @@ optional_policy(`
@@ -296,8 +348,8 @@ optional_policy(`
')
optional_policy(`
@ -19074,7 +19103,7 @@ index c91813c..2230476 100644
')
optional_policy(`
@@ -306,7 +345,6 @@ optional_policy(`
@@ -306,7 +358,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@ -19082,7 +19111,7 @@ index c91813c..2230476 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
@@ -334,7 +372,11 @@ optional_policy(`
@@ -334,7 +385,11 @@ optional_policy(`
')
optional_policy(`
@ -19095,7 +19124,7 @@ index c91813c..2230476 100644
')
########################################
@@ -342,12 +384,11 @@ optional_policy(`
@@ -342,12 +397,11 @@ optional_policy(`
# Configuration daemon local policy
#
@ -19111,7 +19140,7 @@ index c91813c..2230476 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -372,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
@@ -372,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@ -19132,7 +19161,7 @@ index c91813c..2230476 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -392,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@@ -392,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@ -19153,7 +19182,7 @@ index c91813c..2230476 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -417,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t)
@@ -417,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@ -19165,7 +19194,7 @@ index c91813c..2230476 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -449,9 +475,12 @@ optional_policy(`
@@ -449,9 +488,12 @@ optional_policy(`
')
optional_policy(`
@ -19179,7 +19208,7 @@ index c91813c..2230476 100644
')
optional_policy(`
@@ -487,10 +516,6 @@ optional_policy(`
@@ -487,10 +529,6 @@ optional_policy(`
# Lpd local policy
#
@ -19190,7 +19219,7 @@ index c91813c..2230476 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +533,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
@@ -508,15 +546,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@ -19208,7 +19237,7 @@ index c91813c..2230476 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +562,6 @@ auth_use_nsswitch(cupsd_lpd_t)
@@ -537,9 +575,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@ -19218,7 +19247,7 @@ index c91813c..2230476 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -550,7 +572,6 @@ optional_policy(`
@@ -550,7 +585,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -19226,7 +19255,7 @@ index c91813c..2230476 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +587,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
@@ -566,148 +600,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@ -19255,13 +19284,11 @@ index c91813c..2230476 100644
- fs_manage_cifs_dirs(cups_pdf_t)
- fs_manage_cifs_files(cups_pdf_t)
-')
+userdom_home_manager(cups_pdf_t)
optional_policy(`
-
-optional_policy(`
- lpd_manage_spool(cups_pdf_t)
+ gnome_read_config(cups_pdf_t)
')
-')
-
-########################################
-#
-# HPLIP local policy
@ -19350,15 +19377,17 @@ index c91813c..2230476 100644
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
-
-optional_policy(`
+userdom_home_manager(cups_pdf_t)
optional_policy(`
- dbus_system_bus_client(hplip_t)
-
- optional_policy(`
- userdom_dbus_send_all_users(hplip_t)
- ')
-')
-
+ gnome_read_config(cups_pdf_t)
')
-optional_policy(`
- lpd_read_config(hplip_t)
- lpd_manage_spool(hplip_t)
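Review bot: style: in the relocated block, `+userdom_home_manager(cups_pdf_t)` sits directly above `optional_policy(` with no separating blank line, whereas the rest of cups.te separates top-level calls from `optional_policy` blocks with a blank line. This hunk and the previous one only move the `userdom_home_manager(cups_pdf_t)` / `gnome_read_config(cups_pdf_t)` pair to a different position in the regenerated patch, so the resulting policy is otherwise unchanged.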
@ -19378,7 +19407,7 @@ index c91813c..2230476 100644
########################################
#
@@ -735,7 +631,6 @@ kernel_read_kernel_sysctls(ptal_t)
@@ -735,7 +644,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@ -19386,7 +19415,7 @@ index c91813c..2230476 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +640,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
@@ -745,13 +653,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -19400,7 +19429,7 @@ index c91813c..2230476 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -759,8 +652,6 @@ fs_search_auto_mountpoints(ptal_t)
@@ -759,8 +665,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@ -19409,7 +19438,7 @@ index c91813c..2230476 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +664,4 @@ optional_policy(`
@@ -773,3 +677,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@ -23805,10 +23834,10 @@ index 0000000..fd679a1
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
index 0000000..1048292
index 0000000..76eb32e
--- /dev/null
+++ b/docker.if
@@ -0,0 +1,345 @@
@@ -0,0 +1,364 @@
+
+## <summary>The open-source application container engine.</summary>
+
@ -23833,6 +23862,25 @@ index 0000000..1048292
+
+########################################
+## <summary>
+## Execute docker in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`docker_exec',`
+ gen_require(`
+ type docker_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, docker_exec_t)
+')
+
+########################################
+## <summary>
+## Search docker lib directories.
+## </summary>
+## <param name="domain">
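Review bot: the `<param>` summary of the new `docker_exec` interface reads "Domain allowed to transition.", but the body only calls `can_exec($1, docker_exec_t)` and performs no domain transition, so the text should read "Domain allowed access." It is also worth stating in the interface summary that the caller stays in its own domain when running docker, since that is the whole difference from a domtrans interface and decides which domain ends up talking to the docker socket.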
@ -28316,10 +28364,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
index 0000000..cb68ca9
index 0000000..91ed5f4
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,125 @@
@@ -0,0 +1,134 @@
+policy_module(gear, 1.0.0)
+
+########################################
@ -28348,13 +28396,17 @@ index 0000000..cb68ca9
+# gear local policy
+#
+allow gear_t self:capability { chown net_admin fowner dac_override };
+dontaudit gear_t self:capability sys_ptrace;
+allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
+allow gear_t self:fifo_file rw_fifo_file_perms;
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
+allow gear_t self:tcp_socket create_stream_socket_perms;
+
+allow gear_t gear_unit_file_t:file read_file_perms;
+allow gear_t gear_unit_file_t:service manage_service_perms;
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)
+
+manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
+manage_files_pattern(gear_t, gear_log_t, gear_log_t)
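Review bot: `manage_dirs_pattern(gear_t, gear_unit_file_t, gear_unit_file_t)` together with `allow gear_t gear_unit_file_t:service manage_service_perms` lets the daemon create and delete directories of its own unit files and start/stop the services defined by them, while the file rule two lines above is only `read_file_perms`. Confirm that directory management (and the `{ relabelfrom relabelto }` on dirs, with no matching file relabel rule) is really needed, and if so add a comment naming the directory gear creates; the changelog line "Allow gear to manage gear service" does not say.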
@ -28376,6 +28428,7 @@ index 0000000..cb68ca9
+manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+init_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
+
+kernel_read_system_state(gear_t)
+kernel_read_network_state(gear_t)
@ -28401,8 +28454,10 @@ index 0000000..cb68ca9
+files_mounton_rootfs(gear_t)
+files_read_etc_files(gear_t)
+
+fs_list_cgroup_dirs(gear_t)
+fs_read_cgroup_files(gear_t)
+fs_read_tmpfs_symlinks(gear_t)
+fs_getattr_all_fs(gear_t)
+
+auth_use_nsswitch(gear_t)
+
@ -28414,6 +28469,7 @@ index 0000000..cb68ca9
+
+logging_send_audit_msgs(gear_t)
+logging_send_syslog_msg(gear_t)
+logging_read_generic_logs(gear_t)
+
+miscfiles_read_localization(gear_t)
+
@ -28427,6 +28483,7 @@ index 0000000..cb68ca9
+sysnet_manage_ifconfig_run(gear_t)
+
+systemd_manage_all_unit_files(gear_t)
+systemd_exec_systemctl(gear_t)
+
+optional_policy(`
+ hostname_exec(gear_t)
@ -28621,10 +28678,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
index 0000000..351f145
index 0000000..204995f
--- /dev/null
+++ b/geoclue.te
@@ -0,0 +1,53 @@
@@ -0,0 +1,54 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@ -28647,6 +28704,7 @@ index 0000000..351f145
+#
+# geoclue local policy
+#
+allow geoclue_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
+manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
@ -37100,10 +37158,10 @@ index 0000000..0d61849
+')
diff --git a/keepalived.te b/keepalived.te
new file mode 100644
index 0000000..535f79b
index 0000000..2c08717
--- /dev/null
+++ b/keepalived.te
@@ -0,0 +1,47 @@
@@ -0,0 +1,55 @@
+policy_module(keepalived, 1.0.0)
+
+########################################
@ -37139,6 +37197,11 @@ index 0000000..535f79b
+kernel_read_system_state(keepalived_t)
+kernel_read_network_state(keepalived_t)
+
+corecmd_exec_bin(keepalived_t)
+corecmd_exec_shell(keepalived_t)
+
+corenet_tcp_connect_snmp_port(keepalived_t)
+
+auth_use_nsswitch(keepalived_t)
+
+corenet_tcp_connect_connlcli_port(keepalived_t)
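Review bot: `corecmd_exec_bin(keepalived_t)` and `corecmd_exec_shell(keepalived_t)` run any bin_t or shell_exec_t program inside keepalived_t with no domain transition, so whatever keepalived's notify or track scripts do inherits every permission granted to keepalived_t in this file. If these rules exist for those scripts, say so in a comment; a dedicated script domain would be the narrower design. Style: `corenet_tcp_connect_snmp_port` is placed above `auth_use_nsswitch` while the other `corenet_` rule is below it; grouping the corenet calls keeps the file's section order.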
@ -37151,6 +37214,9 @@ index 0000000..535f79b
+
+logging_send_syslog_msg(keepalived_t)
+
+optional_policy(`
+ snmp_read_snmp_var_lib_files(keepalived_t)
+')
diff --git a/kerberos.fc b/kerberos.fc
index 4fe75fd..b029c28 100644
--- a/kerberos.fc
@ -40291,7 +40357,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
index be0ab84..f4550f1 100644
index be0ab84..44689e1 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -40488,7 +40554,7 @@ index be0ab84..f4550f1 100644
')
optional_policy(`
@@ -170,6 +216,10 @@ optional_policy(`
@@ -170,6 +216,11 @@ optional_policy(`
')
optional_policy(`
@ -40496,10 +40562,11 @@ index be0ab84..f4550f1 100644
+')
+
+optional_policy(`
+ fail2ban_domtrans_client(logrotate_t)
fail2ban_stream_connect(logrotate_t)
')
@@ -178,7 +228,7 @@ optional_policy(`
@@ -178,7 +229,7 @@ optional_policy(`
')
optional_policy(`
@ -40508,7 +40575,7 @@ index be0ab84..f4550f1 100644
')
optional_policy(`
@@ -198,21 +248,26 @@ optional_policy(`
@@ -198,21 +249,26 @@ optional_policy(`
')
optional_policy(`
@ -40539,7 +40606,7 @@ index be0ab84..f4550f1 100644
')
optional_policy(`
@@ -228,10 +283,21 @@ optional_policy(`
@@ -228,10 +284,21 @@ optional_policy(`
')
optional_policy(`
@ -40561,7 +40628,7 @@ index be0ab84..f4550f1 100644
su_exec(logrotate_t)
')
@@ -241,13 +307,11 @@ optional_policy(`
@@ -241,13 +308,11 @@ optional_policy(`
#######################################
#
@ -44972,7 +45039,7 @@ index 6ffaba2..549fb8c 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b80..cafb2b0 100644
index 6194b80..7490fe3 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -45258,7 +45325,7 @@ index 6194b80..cafb2b0 100644
## </summary>
## <param name="domain">
## <summary>
@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',`
@@ -265,140 +173,156 @@ interface(`mozilla_exec_user_plugin_home_files',`
## </param>
#
interface(`mozilla_execmod_user_home_files',`
@ -45362,7 +45429,8 @@ index 6194b80..cafb2b0 100644
+ allow $1 mozilla_plugin_t:shm rw_shm_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
+ allow $1 mozilla_plugin_t:process signal_perms;
+ ps_process_pattern(mozilla_plugin_t, $1)
+ allow $1 mozilla_plugin_t:process { signal_perms noatsecure };
+
+ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
@ -45474,7 +45542,7 @@ index 6194b80..cafb2b0 100644
')
########################################
@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',`
@@ -424,8 +348,7 @@ interface(`mozilla_dbus_chat',`
########################################
## <summary>
@ -45484,7 +45552,7 @@ index 6194b80..cafb2b0 100644
## </summary>
## <param name="domain">
## <summary>
@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',`
@@ -433,76 +356,144 @@ interface(`mozilla_dbus_chat',`
## </summary>
## </param>
#
@ -45658,7 +45726,7 @@ index 6194b80..cafb2b0 100644
## </summary>
## <param name="domain">
## <summary>
@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
@@ -510,19 +501,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
## </summary>
## </param>
#
@ -45683,7 +45751,7 @@ index 6194b80..cafb2b0 100644
## </summary>
## <param name="domain">
## <summary>
@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
@@ -530,45 +520,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@ -49123,7 +49191,7 @@ index b744fe3..50c386e 100644
+ admin_pattern($1, munin_content_t)
')
diff --git a/munin.te b/munin.te
index b708708..7bdfb65 100644
index b708708..78fa61c 100644
--- a/munin.te
+++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@ -49342,7 +49410,7 @@ index b708708..7bdfb65 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
@@ -421,3 +431,32 @@ optional_policy(`
@@ -421,3 +431,33 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@ -49361,12 +49429,13 @@ index b708708..7bdfb65 100644
+
+manage_dirs_pattern(munin_script_t, munin_script_tmp_t, munin_script_tmp_t)
+manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)
+files_tmp_filetrans(munin_script_t, munin_script_tmp_t, { dir file })
+
+read_files_pattern(munin_script_t, munin_var_lib_t, munin_var_lib_t)
+list_dirs_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+read_files_pattern(munin_script_t, munin_etc_t, munin_etc_t)
+
+read_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+append_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+manage_files_pattern(munin_script_t, munin_log_t, munin_log_t)
+
+files_search_var_lib(munin_script_t)
+
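Review bot: `manage_files_pattern(munin_script_t, munin_log_t, munin_log_t)` replaces the previous `read_files_pattern`/`append_files_pattern` pair and gives the CGI script domain create, delete and write access to munin logs. If munin-cgi only needs to add log entries, keeping `append_files_pattern` (plus create if new log files are needed) would prevent the web-facing script from truncating or removing existing logs. Style: `manage_files_pattern(munin_script_t, munin_script_tmp_t,munin_script_tmp_t)` is missing the space after the second comma.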
@ -73727,10 +73796,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
index 8644d8b..f7958c0 100644
index 8644d8b..e815665 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,138 @@ policy_module(quantum, 1.1.0)
@@ -5,92 +5,146 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@ -73792,40 +73861,42 @@ index 8644d8b..f7958c0 100644
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
+can_exec(neutron_t, neutron_tmp_t)
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+can_exec(neutron_t, neutron_tmp_t)
-can_exec(quantum_t, quantum_tmp_t)
+kernel_rw_kernel_sysctl(neutron_t)
+kernel_rw_net_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
-can_exec(quantum_t, quantum_tmp_t)
-kernel_read_kernel_sysctls(quantum_t)
-kernel_read_system_state(quantum_t)
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
-kernel_read_kernel_sysctls(quantum_t)
-kernel_read_system_state(quantum_t)
-corecmd_exec_shell(quantum_t)
-corecmd_exec_bin(quantum_t)
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
@ -73833,49 +73904,47 @@ index 8644d8b..f7958c0 100644
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
-corecmd_exec_shell(quantum_t)
-corecmd_exec_bin(quantum_t)
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
-corenet_all_recvfrom_unlabeled(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
-corenet_tcp_sendrecv_generic_if(quantum_t)
-corenet_tcp_sendrecv_generic_node(quantum_t)
-corenet_tcp_sendrecv_all_ports(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
+corenet_tcp_bind_neutron_port(neutron_t)
+corenet_tcp_connect_keystone_port(neutron_t)
+corenet_tcp_connect_amqp_port(neutron_t)
+corenet_tcp_connect_mysqld_port(neutron_t)
+corenet_tcp_connect_osapi_compute_port(neutron_t)
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
+domain_read_all_domains_state(neutron_t)
+domain_named_filetrans(neutron_t)
-files_read_usr_files(quantum_t)
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
+dev_unmount_sysfs_fs(neutron_t)
-files_read_usr_files(quantum_t)
-auth_use_nsswitch(quantum_t)
+files_mounton_non_security(neutron_t)
-auth_use_nsswitch(quantum_t)
+auth_use_nsswitch(neutron_t)
-libs_exec_ldconfig(quantum_t)
+libs_exec_ldconfig(neutron_t)
+auth_use_nsswitch(neutron_t)
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
+libs_exec_ldconfig(neutron_t)
-miscfiles_read_localization(quantum_t)
+logging_send_audit_msgs(neutron_t)
+logging_send_syslog_msg(neutron_t)
-miscfiles_read_localization(quantum_t)
+netutils_exec(neutron_t)
-sysnet_domtrans_ifconfig(quantum_t)
+netutils_exec(neutron_t)
+
+# need to stay in neutron
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
@ -73902,13 +73971,17 @@ index 8644d8b..f7958c0 100644
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
+ modutils_domtrans_insmod(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
+optional_policy(`
+ mysql_stream_connect(neutron_t)
+ mysql_read_db_lnk_files(neutron_t)
+ mysql_read_config(neutron_t)
+ mysql_tcp_connect(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
')
+
+optional_policy(`
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
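Review bot: `modutils_domtrans_insmod(neutron_t)` lets neutron run kmod/insmod in insmod_t, which can load any kernel module, not only the networking modules neutron needs. Since neutron_t also gets `kernel_request_load_module`, the kernel's autoload path may already cover the usual case, so the reason an explicit transition to insmod_t is required should be recorded in a comment; the changelog line "Allow neutron to execute kmod in insmod_t" only states the what.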
@ -73918,10 +73991,14 @@ index 8644d8b..f7958c0 100644
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
')
+')
+
+optional_policy(`
+ sudo_exec(neutron_t)
+')
+
+optional_policy(`
+ udev_domtrans(neutron_t)
+')
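Review bot: `udev_domtrans(neutron_t)` transitions udevadm into udev_t, the full device-manager domain, and the changelog entry ("Allow neutron to execute udevadm in udev_t") gives no reason why udevadm needs those privileges here (which udevadm subcommand neutron runs); a comment in the style of the existing "# need to stay in neutron" above `sysnet_exec_ifconfig` would help. `sudo_exec(neutron_t)` in the same region deserves the same treatment: sudo runs inside neutron_t with no transition, so it only works if neutron_t already holds the capabilities sudo needs, and a comment should say which command neutron invokes through sudo.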
diff --git a/quota.fc b/quota.fc
index cadabe3..54ba01d 100644
@ -79586,10 +79663,20 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
index d32e1a2..54838ad 100644
index d32e1a2..33ca060 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
type rhsmcertd_lock_t;
files_lock_file(rhsmcertd_lock_t)
+type rhsmcertd_tmp_t;
+files_tmp_file(rhsmcertd_tmp_t)
+
type rhsmcertd_var_lib_t;
files_type(rhsmcertd_var_lib_t)
@@ -30,18 +33,21 @@ files_pid_file(rhsmcertd_var_run_t)
#
allow rhsmcertd_t self:capability sys_nice;
@ -79607,7 +79694,15 @@ index d32e1a2..54838ad 100644
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
@@ -50,25 +49,50 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
+files_tmp_filetrans(rhsmcertd_t, rhsmcertd_tmp_t, { dir file })
+
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
@@ -50,25 +56,53 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
@ -79632,8 +79727,11 @@ index d32e1a2..54838ad 100644
-files_read_usr_files(rhsmcertd_t)
+files_manage_generic_locks(rhsmcertd_t)
+files_manage_system_conf_files(rhsmcertd_t)
+files_create_boot_flag(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
+
+libs_exec_ldconfig(rhsmcertd_t)
init_read_state(rhsmcertd_t)
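Review bot: `files_create_boot_flag(rhsmcertd_t)` grants creation of boot-flag files in the root directory (the interface exists for files like /.autorelabel), and `files_manage_system_conf_files(rhsmcertd_t)` a few lines above allows modifying system configuration files. The changelog entry "rhsmcertd seems to need these accesses" does not say what rhsmcertd actually writes, so before this is backported to RHEL the access should be narrowed to the specific file (or given its own type and filetrans) and the denial that motivated it recorded in a comment.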
@ -89876,10 +89974,18 @@ index e2544e1..d3fbd78 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
index 7292dc0..ce903d6 100644
index 7292dc0..103278d 100644
--- a/slocate.te
+++ b/slocate.te
@@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
@@ -44,6 +44,7 @@ dev_getattr_all_blk_files(locate_t)
dev_getattr_all_chr_files(locate_t)
files_list_all(locate_t)
+files_list_isid_type_dirs(locate_t)
files_dontaudit_read_all_symlinks(locate_t)
files_getattr_all_files(locate_t)
files_getattr_all_pipes(locate_t)
@@ -62,7 +63,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
auth_use_nsswitch(locate_t)
@ -89887,7 +89993,7 @@ index 7292dc0..ce903d6 100644
ifdef(`enable_mls',`
files_dontaudit_getattr_all_dirs(locate_t)
@@ -71,3 +70,8 @@ ifdef(`enable_mls',`
@@ -71,3 +71,8 @@ ifdef(`enable_mls',`
optional_policy(`
cron_system_entry(locate_t, locate_exec_t)
')
@ -94448,10 +94554,10 @@ index 0000000..6a1f575
+')
diff --git a/swift.te b/swift.te
new file mode 100644
index 0000000..9ee77b2
index 0000000..7fce837
--- /dev/null
+++ b/swift.te
@@ -0,0 +1,97 @@
@@ -0,0 +1,102 @@
+policy_module(swift, 1.0.0)
+
+########################################
@ -94527,7 +94633,12 @@ index 0000000..9ee77b2
+kernel_read_system_state(swift_t)
+kernel_read_network_state(swift_t)
+
+# bug in swift
+corenet_tcp_bind_xserver_port(swift_t)
+corenet_tcp_bind_http_cache_port(swift_t)
+
+corecmd_exec_shell(swift_t)
+corecmd_exec_bin(swift_t)
+
+dev_read_urand(swift_t)
+
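Review bot: the comment `# bug in swift` above `corenet_tcp_bind_xserver_port(swift_t)` does not say what the bug is. Swift's object, container and account servers default to TCP ports 6000-6002, which fall in the range labeled xserver_port_t, so the comment should state that (and point at the bug report if one exists) so a future reader knows whether the rule can be dropped once swift's defaults or the port labeling change. `corenet_tcp_bind_http_cache_port` below it is presumably for the proxy server's default port 8080 and could carry a one-line comment as well.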
@ -99388,7 +99499,7 @@ index 1c35171..2cba4df 100644
domain_system_change_exemption($1)
role_transition $2 varnishd_initrc_exec_t system_r;
diff --git a/varnishd.te b/varnishd.te
index 9d4d8cb..a58e2dd 100644
index 9d4d8cb..8cade37 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@ -99413,22 +99524,22 @@ index 9d4d8cb..a58e2dd 100644
#
-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };
+allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown fowner };
dontaudit varnishd_t self:capability sys_tty_config;
-allow varnishd_t self:process signal;
+allow varnishd_t self:process { execmem signal };
allow varnishd_t self:fifo_file rw_fifo_file_perms;
allow varnishd_t self:tcp_socket { accept listen };
@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
@@ -103,15 +103,13 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
dev_read_urand(varnishd_t)
-files_read_usr_files(varnishd_t)
-
fs_getattr_all_fs(varnishd_t)
@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t)
auth_use_nsswitch(varnishd_t)
logging_send_syslog_msg(varnishd_t)
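Review bot: the rewritten `allow varnishd_t self:capability { ... chown fowner }` line now carries both ownership capabilities; a comment saying which files varnishd changes ownership of would help future reviewers, since the changelog entry "Allow also fowner cap for varnishd" gives no context and the rest of this hunk is unchanged.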

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 56%{?dist}
Release: 57%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -588,6 +588,33 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Jun 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-57
- Allow staff_t to communicate and run docker
- Fix *_ecryptfs_home_dirs booleans
- Allow ldconfig_t to read/write inherited user tmp pipes
- Allow storaged to dbus chat with lvm_t
- Add support for storaged and storaged-lvm-helper. Labeled it as lvm_exec_t.
- Use proper calling in ssh.te for userdom_home_manager attribute
- Use userdom_home_manager_type() also for ssh_keygen_t
- Allow locate to list directories without labels
- Allow bitlbee to use tcp/7778 port
- /etc/cron.daily/logrotate to execute fail2ban-client.
- Allow keepalives to connect to SNMP port. Support to do SNMP stuff
- Allow staff_t to communicate and run docker
- Dontaudit search mgrepl/.local for cobblerd_t
- Allow neutron to execute kmod in insmod_t
- Allow neutron to execute udevadm in udev_t
- Allow also fowner cap for varnishd
- Allow keepalived to execute bin_t/shell_exec_t
- rhsmcertd seems to need these accesses. We need this backported to RHEL7 and perhaps RHEL6 policy
- Add cups_execmem boolean
- Allow gear to manage gear service
- New requires for gear to use systemctl and init var_run_t
- Allow cups to execute its rw_etc_t files, for brothers printers
- Add fixes to make munin and munin-cgi working. Allow munin-cgit to create files/dirs in /tmp, list munin conf dirs and manage munin logs.
- Allow swift to execute bin_t
- Allow swift to bind http_cache
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.1-56
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
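Review bot: the new %changelog entry lists "Allow staff_t to communicate and run docker" twice, "keepalives" should read "keepalived" (the module being changed), and "brothers printers" presumably means Brother printers. The author line is also missing the space before the e-mail address that the previous entry has.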