From 69374e6e6556c1cf28870f95cc48dc9eda431f3a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 31 Aug 2016 12:07:56 +0200 Subject: [PATCH] * Wed Aug 31 2016 Lukas Vrabec 3.13.1-212 - udisk2 module is part of devicekit module now - Fix file context for /etc/pki/pki-tomcat/ca/ - new interface oddjob_mkhomedir_entrypoint() - Allow mdadm to get attributes from all devices. - Label /etc/puppetlabs as puppet_etc_t. - quota: allow init to run quota tools - Add new domain ipa_ods_exporter_t BZ(1366640) - Create new interface opendnssec_stream_connect() - Allow VirtualBox to manage udev rules. - Allow systemd_resolved to send dbus msgs to userdomains - Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t - Label all files in /dev/oracleasmfs/ as oracleasmfs_t --- docker-selinux.tgz | Bin 4316 -> 4318 bytes policy-rawhide-base.patch | 135 ++++++++++++++++++----------------- policy-rawhide-contrib.patch | 116 +++++++++++++++++++++--------- selinux-policy.spec | 16 ++++- 4 files changed, 169 insertions(+), 98 deletions(-) 
diff --git a/docker-selinux.tgz b/docker-selinux.tgz index ac570a010cfe7997125c8a7daf48eabe512f40ef..f1022abdae4825cad9c7ef7943bb8016783d6f49 100644 GIT binary patch literal 4318 zcmV<45Fzg$iwFQdtj1RW1MOVhkJ~m9&#V1c2uXqL9+KV7rb&QJ+ry!~hkH1nxc0Gt zDoeDjuD(vB*6R!MzuyeML{X$Z*4|`$X90@%uHd^Ws-rw8qMUsH zTu?p#p@;nwZwR6+D|aLbSQ)T7Drkz+ae-cPRQSG33r6a76qB>x#ZW@%gfqW<_4{(M zAw^h|e>Z6j1k1&O?JG6rkiAmh2uv+xAD4@l=gZ|HE^89!Nk~al$J=m~7H8kQIbSXm za9BkQI>oydg8s?Qmk4!aS;rusrzLBg_NbhvNjHuPPT800fwKICcces_rK=!;QO2yS zQ$lA*aWN#tD2@r`Xp0%*lQMuYjSBHDs*$dhBkwu*=1q^_2BsHCWcV6Zq|PaDt<#K9 z)up87qCcjlJ}L2X_4zWwb!o3=I#9&_B2i+>moMbkm23?|;&bC;nJ-_jE-pB-Xm*%c z4fLo&rrW3{Pe#mqG!q3aXeWp{ODRJIc1l^I*uO_tXM`^+ZXduqeN}sF`ZxX*q)tXH-NR^2BUZ&Ik24R!U+& z%uXrp!RO)eEM0%Gp3H`AEE(FSM_4hR$$LC;{|L4ZtW3H317u9mm5-F{p^J|E_ej4> z**1uPs$n2fmc{{}aqFXl?LxZ9Fltqu-eD(5`2|4|38O#8|5Em-#=${v$%V z{hAijI-dw{)M{w`H`nm*E&TiTh>q0H|M=-C>;&BVsM2J{K2SG>$EpAho$9J`l>VLL zhFp}?cZcU=2F2dX5zGp5_mq)5X4!Z`=A(6^DN@EI+^&T{OQbWTpv8iuNM4hyM6Vg7 zl7h1EmOx&LS+3l=6yOzDid}+hBXI2K<uHegt~ub^JHPB8L*lElB=Utjk3O`cs#v z*e*RfN?;QeNwBNap0}Hm9JZaW{B-U>B>5!eaK`2+;5-m0N~kj=W(zC`EQuLURmJvm z_t?M!_lhi-lXq(<=nva-TZW3=6`WFcQ+x@zs~ANoVhhR#KW$kms+)LQheFkNA#{Em z!Qv%ivNj46yP^^>X0A!W=7<-sem4VR<_yzC-EN@Rc@oMYqU0xv-q@2}%{ofMhK|Z- z<%X-h3s7!QF2HS>6MLcMHYN8!J|E9!h3&6`=c3^PIG&%+M4)gd?84x!**M@9YlPQv zmV(qJ1_)*YE)^G$6NO7oA!PS)r*E|$-u_h}VDxVQO!21dq=u9R=*~LbT#(}KIC$HV zGI~5H?&Tf@ttPb0?k;e?2Lg&kz@1$Jf$6Kk0EAJJr-jgUOvE}DQ#=U@AWfUvK8y1<8m1`EeK<2Y=p1KjOkrW1TL2gg{CUw;0v zJ^Z9kc3rA?^4cIRnpF6hx+>x}_gz95C^xlY+SGDyIrt5VM~z3&1#(!doVDRQ6R;{2 zt{WItAm_&;3jP46&@t@)JfTsj=Lzg%T9-vW%M*Bnh2kTeAGNr1Nowf^0vv1ehh5Zh zchkQqwv{0dS;iN^CvahFm|{TFO%Y|ns|!AVoDhTnEVsChR@MJ-2F}ZFWZJw+J;*GB zYKs{KIL0l6jI7F~(9D~0UO8nu&K==1)_f$^RDmNt#l5IeC8NTs%+h$z)l$W`GN6TM zvtTOae{Qso#J?|(nxF`yhHd3hem6_OTb@!m10U(+`VmguKIFzU52++EV7m7XI}3BH z$)RN>k704uC`M&tDdYM6HEyqlH}ch84sn=_gBx)-lsr9K0;f5) z4=oh(i8^dtS!R0EmT{=E2DXoOy8 zR9$-N4)hpjmHPEu8__5-=q)Cf@YgP_{Zm{rm&V8=_Ayfb{o&eC|9yRZs{j5HmvHpM 
zyi6dLJ`>vTDtL2ob#XPzMlD|iKan_t#~*!Ua7>om2qc8Y^2DN&XB7lf|KPm@yDb41 zr`Bouh}$QXC*aXMg!;e!_;XN|HPh!Al{7U18Vv_)ifE-ruQxcbkgtMulu-gRvCOl} zzVMU2BqDiPgu)amM7yZ_d@0&P+N}Nv(4%xd`%#rRe8T|pY<&YBPqa$2l@li!uoc!bCcde}m9cR~Yacb+iLawgyPdrn!0p%cs(-HOXLq$}qj^qHL3O8v@}P ztGn4c=%>!oJY~E`Di2USz3LJ5AqW;%4`pqV9_uJiyN=hv zia+tRp%p0-u($pQ&NS%Ga?aj{qEC~$mdsUIIFq+u2|5*E^fb&5WSxmkn};&Pj@<7w zAr1ftPQv1$;T!zjKK*`q2HX z6SU9C?mmV0@f!119R{Dz?FZWAxlx)d>O8^VGC+~Wb6uBtYe>=jO_L$tth>La%5aEv zf()JPU5~;eLCNWn;N*FuzhVELG510CY4aZ$f!v)Az))pN2SBW{htI^V%(9ukI%a6^ z$E8k8`+5NVFnveAdWhkere$m}y1*+hn}U_a)aS?hp3XEq8e^ZJM_vf`gk|$wW8z;M z-QNp&!&4#Va4?2NJNOR5bOoORGeOCxz#IW$!h#RNxEHJXj?@ zUCLt+x+L#FoQbRDg>e=C4I#K>tLMU{>|XzV9jmqIJN+cJQ5A+-_U+Fyl9j=T5zw~d zH9}kXS&&Q~wTTQ6KXEf`fk^_P|DMJyqYjE4V))x(Ry5v{WB?nZP197# zgcep9^P_+$X6YR$VPe8dq6AMjn}k>0OE}R&dsAAf(^;OTS{Vtu^KKK}k}R_sagrES z^1yooKkGCOAucBtilU5krcKvVDd(VKveQG$N6O`k2~iJ`N`Gz{tA@Z7U0mjQ zm67|9OW(u5L+DBKcT#%h-=Q6v7ZOfcCQau8lZJw8m5~fINd!f!fihPjln`w0L{b|T zJucDhrY@VR->qyGeiYs3Sz6p$1oAjH>gX}t@ATX0l(Mo$`&vi4kSA*H!H-B%dTSE# zBnCd01*N-`#ap9MR<77H1Yad7cP5B@M@E$b7)`tdZ#JEwwS`f*RvbO2845AhYF;8e zwNO+kn=+6T+z_SfK7ym@s;=^`qj)aviJ`9S+ZO3dH|QD^qRgmE6dsPWVtBAJhXwz9 z(4EjEe{PH)e=lDI*?lZ(IPth>G@F`4afrnnb(#>|S~qEe9~I_D;j_V?dnz-k_-$2| zjDLasSACVGis+4xrb#8R{6Hb|{$#&=5A4-EI#FTy@re%M;n&H>Ky0)8ekUF2&POUz z@vwBWnNApg9yZz3Z5sBIDQzx9)iP_vw14-Go^4BFGmvi05k7LCBh|?cqna51h zVQGz<->KOMU+6Ba;PEZirOWO4cS9%(`8$H0lT?F94lv9?y}&9v{3=D^aG)F%UiYji zxJwGQp4UTkP7!+~y$4&DVlBY~H8&U2Q8QX#7??<)Rx>wL4In43hU|`81y+|fEWUAv zi2d7HSyp}~H=^96)mT#sF#?Liy_d^yWGHc6B$U4#&qyb;#W#6}t^p?w=i9n*#P zTygqiYbm(THq)2me<)|$fL>;+uFuBfLUhM;G{E*Ifo`u@esAAbdJa6@A@f!_Xiuw> zXH%fbjq#5Pgsj{55=|R;LajRh_K?C&%N^q9yTa$=tEW$PJ5E(gSF=$6QZHB=i0U-T z>rH3^;URmg1PoFgS>la;T-lNdk+qQaG@O(w^FE2tQc#yqwW->*h41(_z^EUVtQxAa z1^89G>S#KSq7a0)ZKHmRSQt_Ejurp7ism>6-xbiXc<7RLHUSq=9>v?V=xn~Ce$v&) zI<3hL)-G`m{-swWjoyDc9<-0T;GTLRHp!@yTQD2j63=nWyR>GWI6}19K0m+dReV=- zNMX-imG@3))!5TcL89_{gG5S!J5+o{P0|;^x~$Q^mt5`Z6Co9&wubpi7dPqANQ-24 
zWOVUDP{BhHVW=UAuplDkg{H<}Y#-JffLvThC51RnS#*fo3ey&U!B<<>py|by%|!!W^cmSw z5k(9bDreFDx!V*C7-8dG4By7W8QR@tgr#Rn!Lj5~*9hOR@5$4{ zkp~W=MnT69rpC`v^g`cukA&=efu{2&fHj4YV^wujeV7T!SWP>UGF5b6yEOj);u12y zSU={A4a4t$T)n-1``&*4TE=@RB635C5U? zExvT8HTpT9!7Z6LT}$3T*raJQxsZ5XT@EOumth_G`%be3Y%*JEpue#1YIHC<;$u+V`3 zFnRmwKoh3nH~jl#^YOm+?s&RR*XcT4r|Wc`uG4k8PS@!=U8n1G{cl|V M1q#EDjD2mi$?M=3K7LeE$XMQAyqv6bOv`HD?lKLWDKYP6E3a zzs1k%5AUwbPq^N^d;9k7v+Fk>-hFuY{`&p9ch9b_-@Lni|17wA#4+isp)9I{;8}K8 zM=KJ0>Bidsq}TGri{Lxj-=%4I-iBLzDbqw-(TC&DzkIH$PbmOStlzpilD9c}XM@p1gx(X5)Wz5Pt zC3J=q7ei8v;+Rm5wwNJ4DFYbOs1Wa>8tGa&@}7flu6qPGFugz`!`HAPbxwh6oo0lp zE+sV={V_H5Nr{)M&zBLdOM5lbfg=7Fi4s%3d?CNCWNR1_pBo>`eEE8Halw&Av%}14 zphp!l-9|NeGGgYVnJ8#MJ3-7@N*OA!Q_2#>{yn-nBYatL`vBhQtJ+)BzwxIScTQT7 zI9;bCk((#(dZcT)c!!Btb!0wp&wVU&c7QgxY}5n9>=5)nqaxanCuXB^KB&jBQWE=N zc1m#%J`ay)>H3THWHxML$47t%$BQLF0o4m&~0FSvphvK&Q-qj2D3#LA~quDN9u5UKraVl$~*$1|bq z*R+_{`9yf5RzvH*c?196!oP2i=t%wikDs2xPQbm7DotkW19ek)tP0@JsjezV>EAhS z$VEwgcX&Q#Q0%=N!K@&6PZ`N$mW?N5K3X@LB4u2{?OF)5L^?wXS}aJ4_U2jA7j1N1#_;$A3dCawvh^g5*!dx?EJCKXr+U z?b4&81U6BT1iL!zdAm8uVcYr2Pv;Iql21|&XKaoF&I5s>ggQfFw!nhGl9=&SRct?Z zj}0tvugHQqdAEjw{;)l_WvJL)!6|h&#g~w~icypzwxE3Q)0U;8x{0@SC{%qHLg&X3 zEM6ieYojo+D=GnF=9(02j(G9vcQYVn&M;ln?FNdSC!ri7N`9i~jXl}btfMq+=%{>F zZn)aJ0Obbd0^F84u@_oyQ*saF^YLs}*#0VbE*dU?1gSRay zqsN2dUhYxQYC_BG?gHm~AfQ+T+}R}%n7$eeKo})?S_oaoM67c$#gm{wF7#3!7SNSN zA%h8NwMz8Aq5$^%`+zbqXgPld2>Z&X3w$VOuyDLHj>D!pz}*gJI>ASCaE$f%<>w#U z!%zBT*QJUluMN_oNrjK8t0Hc5-z9{Ba#Jg&O)dA9gWsTd)OZA4Acw`uSsT7H0jomc zx`9yza(+Cb;16&L9mD?56B>njp1?k)by?)IJb_18C_cjZQHwj5q?T?Vz_B)e*hL+8 zH~pJpTN(0@Wqc8Q0vEQ1DF!s%6j3I;y5RH22|)F=gUm9h zwwO_XW86Z>$f{fl&Ab`sl~cCk+z~!w%|~KQ6*%Hk+>07jGAgXfERFYEEmeFg16qhS z3#L;3=SKTT{QL5#35qak*j66pce50{urj^kK!aZsb- z=i2dhT+`Ev##~erY|Do`z_7bV#a>~`ZBWb)JYLwK>wQ(i6ojLkQYpbNr||H-E;ABG z)upHIK#y@&sb9~v5se~)-ePhIf9=xRKgA_;X^cE#A0zeOAKp0Xzu#V;>c79lB^>=Q zFB6ER&xAI-3a&4%F0N+TsO5{`ClY7y_@j>uj>(c6frQXlo>)}!tb$ z)H+Qcar>n51U#CDQ2*B-e-5g$X8Js%lBPyLqv2pp5v}y-^#%tP@>Q^oGD=`3mU(vB 
z7k<*0L?kbZP?$o6Xcu*#FGYJuo7Ep-nuPH-DmDaLa~?ryMoo#InvV_5S|j4JA7-$nS?zc)Thf9PQj&+s<7S@*L}t0i*dxI%F8xjABW*O`OL&f=%I zDbGvJI)oN?o4^n~%HMpb{TzcUOCtC(b@Fi5Y3}jxuIxjEGqc%N!@M%&0Y6Lz-q>eY z(+&&#w3v{DW<{t#82NiB@TrvVHI=h_~gg2yRm_V{7;Z2y04M zngsc6Q6@n_m`DfmZxCAQ3Il$lj&^{_)&PmwG*@q6`BZwfCK>Ec8KzfVlx?zZLm*sZ zbvIiF{nS~Sr;PVVgAI!`dT3{a%;T-RmZ8d5ZW(`3ju>+Y|qG8|%^ zAVVj6*Q4-AP;z=CICr!!5D#@Hw5kr%=}Vc9&_nE2O5 z_xD2H@KlI79E@Sn4!(mhUBRcoOi=PEFh_uxu;7C*?nUpsuQ_AceFb7eV>-wz4_1j! zm+}~dF3CF(XX0vkVO+(3LkKR}>bYB+x-jtT=be5;7Rz||^yxT;#B+G0@oFqn- zJn-JY&pM4mh|7tEqUb0@e}H+XY18#o$~mZ*?DWv`k#hNBLexW~(w|$#sv$5%7ngZn zW#m5O()Td%5PH)5os^#WcW8&^g@jX^WkKib}s;j)~D4vUZVyG+ownh5V4Y~$}C^PC3g@+@p7#^(5VZlEi zbSE^)pBv-H-^&+4b{~rxPCPCe&88+%9AYs?ohAgg)=iq=M}_%O_-yd!p300Wep{6# z<6mI^RbOSPB6{PaX;KL+KTycLKiMze1A8@(PE=Tae4;~m_;vCz5Zf%j-$_Th^O1^F zJS^R8rW3}WhfOwhn}+@5N{I&e)CuQxVm9~FKvK4?{B;S)>2iDi-4Mz`{*GYhB-J320}OLeFR;oEze-U!94H5c*F9?r z?vjG7=k*YsQ^X!g@4?okSWECg&CSJh)QlDw1||}y)yxf51IUT1A-m&Nfz_oAi*MW^ zV*hqlmX)8$jVL#1HP)0ujDX^B@8vQanM>vNA$nx4UENKo!|`!a9dh?b#co5@`^kMM zsY*!VZ7kp)C2>=yMu_4<=nmZSe8dLa^G~3qDg13U@wE+(UkgdPTJ{>+?M_!r$8_O6 zSDgOXS_$CB=5Zy5y4Y0jQpxY~!-`n?gki+j#Jgr)hyJ%)C<-IqB@Q8 zdJ~#Jc*x!=0fSUWmUyEdSGHtAWG$pU4JW0_yiX#u6x8KYZK`%{;XA$!FzSaTtA?s< z0e%&)I+~87C<-HSHHTJYqkf^-gAdynw4i#Tflk`QfE^GAfC0G0UL`cP`tzo{>#Z7uN(ju81 z8C|>(RPazl7-~o&EQm;Xp{X$#+lMs=AQ#tBNg<9?79HZY!nDO-@YR+zXnL__vr&tt zUaNQIU|i`6leU{AiDLfVotw0iQ*zh4M&2&*HVmIB9gONfW;z(!d-C*f zuD(Rb!0@bKwcN+U70mGc`a<@bWHO-XAKNqk_7hQKNP;j zm+qAOl>J=DbjI}Y8%6Nl@jLPDdFcKg+THRJ47>zCyS(_z`Ck{)fOG+^K!H8Ykoqj7 z)~)69S4g)F1Xt`BNKzB-)>NVmgLQ+&j;s(7cJ7DHQf&HqY%S7n_y@A4>&yriIuHOx zj{qkBUe@tudMWgl&O+?@O@__^#btIM&%%>6)F#U20U$o@zr<|XEG!krxzx6O^&b!~ z`Jd`~6jb!fjsOg3!ZiGbf1hkV-q+q8PuJ->U8n1Govzb$x=z>WI$fvhbe*pMjqAVt Km`+{*cmM!jlYi0x diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c9c96bde..736b123d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch 
@@ -17860,10 +17860,10 @@ index 1a03abd..3221f80 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index d7c11a0..efcd377 100644 +index d7c11a0..f521a50 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -1,23 +1,29 @@ +@@ -1,23 +1,28 @@ -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/cgroup/.* <> +# ecryptfs does not support xattr @@ -17882,8 +17882,7 @@ index d7c11a0..efcd377 100644 +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) +/dev/shm/.* <> -+/dev/oracleasm -d gen_context(system_u:object_r:oracleasmfs_t,s0) -+/dev/oracleasm/.* <> ++/dev/oracleasm(/.*)? gen_context(system_u:object_r:oracleasmfs_t,s0) + +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> @@ -27189,10 +27188,10 @@ index 0000000..15b42ae + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..a298e23 +index 0000000..79f40da --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,354 @@ +@@ -0,0 +1,358 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -27392,6 +27391,10 @@ index 0000000..a298e23 +') + +optional_policy(` ++ oddjob_mkhomedir_entrypoint(unconfined_t) ++') ++ ++optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) + role system_r types unconfined_dbusd_t; + @@ -37422,7 +37425,7 @@ index 79a45f6..d092e6e 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..97e35aa 100644 +index 17eda24..022bbb7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
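Review bot: The new `/dev/oracleasm(/.*)? gen_context(system_u:object_r:oracleasmfs_t,s0)` entry labels a path that does not match the changelog bullet, which says `/dev/oracleasmfs/`; one of the two should be corrected so the spec changelog and the file context agree. The two entries it replaces left the directory's contents as `<>` (no context assigned by the policy), whereas the new pattern gives oracleasmfs_t to every object under the directory, which looks intended but is not explained. A comment above the entry, `# label the oracleasm directory and everything below it as oracleasmfs_t`, would make that choice reviewable; I cannot confirm from the hunk where the filesystem is actually mounted.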
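Review bot: `oddjob_mkhomedir_entrypoint(unconfined_t)` is added without a comment, and the entrypoint permission it grants only matters together with a domain transition into unconfined_t that is not part of this hunk. Because unconfined_t is the most privileged user domain, anyone auditing what can enter it should not have to reconstruct the oddjob flow; `# lets a transition into unconfined_t land on oddjob_mkhomedir_exec_t (see oddjob_mkhomedir_entrypoint in oddjob.if)` above the call would do. The interface is introduced by this same commit in the contrib patch, so the base and contrib patches must now be applied at the same revision.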
@@ -37652,7 +37655,7 @@ index 17eda24..97e35aa 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +261,70 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +261,72 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -37714,6 +37717,8 @@ index 17eda24..97e35aa 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) ++ ++udev_manage_rules_files(init_t) -miscfiles_read_localization(init_t) +userdom_use_user_ttys(init_t) @@ -37728,7 +37733,7 @@ index 17eda24..97e35aa 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +333,264 @@ ifdef(`distro_gentoo',` +@@ -186,29 +335,264 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37783,13 +37788,14 @@ index 17eda24..97e35aa 100644 + +optional_policy(` + ipa_delete_tmp(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + rpm_read_db(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + iscsi_read_lib_files(init_t) + iscsi_manage_lock(init_t) +') @@ -37955,15 +37961,14 @@ index 17eda24..97e35aa 100644 + sysnet_relabelfrom_dhcpc_state(init_t) + sysnet_setattr_dhcp_state(init_t) + ') - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + @@ -38002,7 +38007,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -216,7 +598,30 @@ optional_policy(` +@@ -216,7 +600,30 @@ optional_policy(` ') optional_policy(` @@ -38034,7 +38039,7 @@ index 17eda24..97e35aa 100644 ') ######################################## -@@ -225,9 +630,9 @@ optional_policy(` +@@ -225,9 +632,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
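Review bot: `udev_manage_rules_files(init_t)` grants the whole init_t domain write access to udev rules, which udev later acts on with root privileges, so it is a broad and security-relevant allow that the hunk leaves unexplained. The changelog bullet "Allow VirtualBox to manage udev rules" is presumably the driver, which would mean the VirtualBox service runs in init_t rather than a domain of its own; if so, a comment such as `# VirtualBox's setup service runs as init_t and rewrites udev rules (changelog 3.13.1-212)` should name the consumer, and a dedicated domain would keep every other init_t service from inheriting the right. The init_t rule list this line belongs to starts and ends outside the hunk.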
@@ -38046,7 +38051,7 @@ index 17eda24..97e35aa 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +663,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +665,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38063,7 +38068,7 @@ index 17eda24..97e35aa 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +688,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +690,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38106,7 +38111,7 @@ index 17eda24..97e35aa 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +725,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +727,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38118,7 +38123,7 @@ index 17eda24..97e35aa 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +737,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +739,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38129,7 +38134,7 @@ index 17eda24..97e35aa 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +748,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +750,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38139,7 +38144,7 @@ index 17eda24..97e35aa 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +757,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +759,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38147,7 +38152,7 @@ index 17eda24..97e35aa 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +764,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +766,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38155,7 +38160,7 @@ index 17eda24..97e35aa 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +772,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +774,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38173,7 +38178,7 @@ index 17eda24..97e35aa 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +790,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +792,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38187,7 +38192,7 @@ index 17eda24..97e35aa 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +805,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +807,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38201,7 +38206,7 @@ index 17eda24..97e35aa 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +818,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +820,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38212,7 +38217,7 @@ index 17eda24..97e35aa 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +831,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +833,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38220,7 +38225,7 @@ index 17eda24..97e35aa 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +850,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +852,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38244,7 +38249,7 @@ index 17eda24..97e35aa 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +883,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +885,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38252,7 +38257,7 @@ index 17eda24..97e35aa 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +917,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +919,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38263,7 +38268,7 @@ index 17eda24..97e35aa 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +941,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +943,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38272,7 +38277,7 @@ index 17eda24..97e35aa 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +956,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +958,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38280,7 +38285,7 @@ index 17eda24..97e35aa 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +977,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +979,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38288,7 +38293,7 @@ index 17eda24..97e35aa 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +987,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +989,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38333,7 +38338,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -559,14 +1032,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1034,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38365,7 +38370,7 @@ index 17eda24..97e35aa 100644 ') ') -@@ -577,6 +1067,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1069,39 @@ ifdef(`distro_suse',` ') ') @@ -38405,7 +38410,7 @@ index 17eda24..97e35aa 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1112,8 @@ optional_policy(` +@@ -589,6 +1114,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38414,7 +38419,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -610,6 +1135,7 @@ optional_policy(` +@@ -610,6 +1137,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38422,7 +38427,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -626,6 +1152,17 @@ optional_policy(` +@@ -626,6 +1154,17 @@ optional_policy(` ') optional_policy(` 
@@ -38440,7 +38445,7 @@ index 17eda24..97e35aa 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1179,13 @@ optional_policy(` +@@ -642,9 +1181,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38454,7 +38459,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -657,15 +1198,11 @@ optional_policy(` +@@ -657,15 +1200,11 @@ optional_policy(` ') optional_policy(` @@ -38472,7 +38477,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -686,6 +1223,15 @@ optional_policy(` +@@ -686,6 +1225,15 @@ optional_policy(` ') optional_policy(` @@ -38488,7 +38493,7 @@ index 17eda24..97e35aa 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1272,7 @@ optional_policy(` +@@ -726,6 +1274,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38496,7 +38501,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -743,7 +1290,13 @@ optional_policy(` +@@ -743,7 +1292,13 @@ optional_policy(` ') optional_policy(` @@ -38511,7 +38516,7 @@ index 17eda24..97e35aa 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1319,10 @@ optional_policy(` +@@ -766,6 +1321,10 @@ optional_policy(` ') optional_policy(` @@ -38522,7 +38527,7 @@ index 17eda24..97e35aa 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1332,20 @@ optional_policy(` +@@ -775,10 +1334,20 @@ optional_policy(` ') optional_policy(` @@ -38543,7 +38548,7 @@ index 17eda24..97e35aa 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1354,10 @@ optional_policy(` +@@ -787,6 +1356,10 @@ optional_policy(` ') optional_policy(` @@ -38554,7 +38559,7 @@ index 17eda24..97e35aa 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1379,6 @@ optional_policy(` +@@ -808,8 +1381,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -38563,7 +38568,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -818,6 +1387,10 @@ optional_policy(` +@@ -818,6 +1389,10 @@ optional_policy(` ') optional_policy(` @@ -38574,7 +38579,7 @@ index 17eda24..97e35aa 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1400,12 @@ optional_policy(` +@@ -827,10 +1402,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38587,7 +38592,7 @@ index 17eda24..97e35aa 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1432,62 @@ optional_policy(` +@@ -857,21 +1434,62 @@ optional_policy(` ') optional_policy(` @@ -38651,7 +38656,7 @@ index 17eda24..97e35aa 100644 ') optional_policy(` -@@ -887,6 +1503,10 @@ optional_policy(` +@@ -887,6 +1505,10 @@ optional_policy(` ') optional_policy(` @@ -38662,7 +38667,7 @@ index 17eda24..97e35aa 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1517,218 @@ optional_policy(` +@@ -897,3 +1519,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -49030,10 +49035,10 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..7abdaa0 +index 0000000..d141c81 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,967 @@ +@@ -0,0 +1,969 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49943,6 +49948,8 @@ index 0000000..7abdaa0 + +sysnet_manage_config(systemd_resolved_t) + ++userdom_dbus_send_all_users(systemd_resolved_t) ++ +optional_policy(` + dbus_system_bus_client(systemd_resolved_t) + dbus_connect_system_bus(systemd_resolved_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d1cd8074..522ac0cc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
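Review bot: `userdom_dbus_send_all_users(systemd_resolved_t)` lets a network-facing resolver send D-Bus messages to every user domain, including unconfined ones, and nothing in the hunk records why. If the need is answering bus calls made from user sessions, that is the usual reason for this interface and deserves a one-line comment: `# resolved must reply to D-Bus calls from user sessions, which needs send_msg to the caller's domain`. The dbus client rules for systemd_resolved_t sit in the optional_policy block just below; keeping this line next to them with the comment would group the bus-related rules.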
@@ -23749,6 +23749,24 @@ index 583a527..91c4104 100644 +optional_policy(` + gnome_dontaudit_search_config(denyhosts_t) +') +diff --git a/devicekit.fc b/devicekit.fc +index ae49c9d..6eb0842 100644 +--- a/devicekit.fc ++++ b/devicekit.fc +@@ -11,6 +11,8 @@ + /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) + /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) ++/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_exec_t,s0) ++/usr/bin/udisksctl -- gen_context(system_u:object_r:devicekit_exec_t,s0) + + /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) + /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) +@@ -24,3 +26,4 @@ + /var/run/pm-utils(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) + /var/run/udisks.* gen_context(system_u:object_r:devicekit_var_run_t,s0) + /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) ++ diff --git a/devicekit.if b/devicekit.if index 8ce99ff..1bc5d3a 100644 --- a/devicekit.if @@ -24167,7 +24185,7 @@ index 8ce99ff..1bc5d3a 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 77a5003..9e56e3e 100644 +index 77a5003..360db40 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) 
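Review bot: `/usr/libexec/udisks2/udisksd` is labeled devicekit_exec_t while `/usr/libexec/udisks-daemon`, two lines above in the same hunk, remains devicekit_disk_exec_t, so the old and new disk daemons land in different domains; the storage and mount rules in the devicekit.te hunks later in this patch are attached to devicekit_disk_t, not devicekit_t. Unless devicekit_t has been given equivalent rules elsewhere (not visible here), udisksd will be denied raw disk access, or the label should be devicekit_disk_exec_t. `/usr/bin/udisksctl` is a command-line client rather than a daemon; giving it the daemon's exec type means a user running it either stays in the caller's domain (the label then buys nothing) or, if a transition rule exists, enters devicekit_t, which is a privilege boundary worth a comment. The hunk also appends an empty line at the end of the file (`++`), which looks unintended.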
@@ -24189,7 +24207,18 @@ index 77a5003..9e56e3e 100644 type devicekit_tmp_t; files_tmp_file(devicekit_tmp_t) -@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t) +@@ -29,6 +29,10 @@ files_type(devicekit_var_lib_t) + type devicekit_var_log_t; + logging_log_file(devicekit_var_log_t) + ++typealias devicekit_t alias { udisks2_t }; ++typealias devicekit_var_lib_t alias { udisks2_var_lib_t }; ++typealias devicekit_var_run_t alias { udisks2_var_run_t }; ++ + ######################################## + # + # Local policy +@@ -45,11 +49,8 @@ kernel_read_system_state(devicekit_t) dev_read_sysfs(devicekit_t) dev_read_urand(devicekit_t) @@ -24202,7 +24231,7 @@ index 77a5003..9e56e3e 100644 dbus_system_bus_client(devicekit_t) allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; -@@ -64,7 +61,8 @@ optional_policy(` +@@ -64,7 +65,8 @@ optional_policy(` # Disk local policy # @@ -24212,7 +24241,7 @@ index 77a5003..9e56e3e 100644 allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -81,17 +79,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; +@@ -81,17 +83,18 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton; manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) @@ -24233,7 +24262,7 @@ index 77a5003..9e56e3e 100644 corecmd_exec_bin(devicekit_disk_t) corecmd_exec_shell(devicekit_disk_t) -@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) +@@ -99,6 +102,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) 
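Review bot: The three `typealias` lines mapping udisks2_t, udisks2_var_lib_t and udisks2_var_run_t onto the devicekit types carry no comment, and the reason — the changelog's "udisk2 module is part of devicekit module now" — lives only in the commit message. A header comment, `# compatibility aliases: the udisks2 module was merged into devicekit; keep the old type names resolvable`, would tell a reader why the aliases exist and when they can be dropped. Whether every file context formerly assigned by the removed udisks2 module is now covered by devicekit.fc cannot be checked from this hunk; the .fc hunk above adds only the two executables.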
@@ -24242,7 +24271,7 @@ index 77a5003..9e56e3e 100644 dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_read_urand(devicekit_disk_t) -@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t) +@@ -117,8 +122,8 @@ files_getattr_all_pipes(devicekit_disk_t) files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) @@ -24252,7 +24281,7 @@ index 77a5003..9e56e3e 100644 fs_getattr_all_fs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t) -@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -135,18 +140,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -24274,7 +24303,7 @@ index 77a5003..9e56e3e 100644 dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -170,6 +171,7 @@ optional_policy(` +@@ -170,6 +175,7 @@ optional_policy(` optional_policy(` mount_domtrans(devicekit_disk_t) @@ -24282,7 +24311,7 @@ index 77a5003..9e56e3e 100644 ') optional_policy(` -@@ -183,6 +185,11 @@ optional_policy(` +@@ -183,6 +189,11 @@ optional_policy(` ') optional_policy(` @@ -24294,7 +24323,7 @@ index 77a5003..9e56e3e 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) udev_read_pid_files(devicekit_disk_t) -@@ -192,12 +199,19 @@ optional_policy(` +@@ -192,12 +203,19 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') 
@@ -24315,7 +24344,7 @@ index 77a5003..9e56e3e 100644 allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -212,9 +230,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) @@ -24326,7 +24355,7 @@ index 77a5003..9e56e3e 100644 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -@@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) +@@ -224,12 +240,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) kernel_read_fs_sysctls(devicekit_power_t) kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) @@ -24341,7 +24370,7 @@ index 77a5003..9e56e3e 100644 corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t) +@@ -248,21 +264,18 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) @@ -24364,7 +24393,7 @@ index 77a5003..9e56e3e 100644 sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -277,6 +286,12 @@ optional_policy(` +@@ -277,6 +290,12 @@ optional_policy(` ') optional_policy(` @@ -24377,7 +24406,7 @@ index 77a5003..9e56e3e 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -307,8 +322,11 @@ optional_policy(` +@@ -307,8 +326,11 @@ optional_policy(` ') optional_policy(` 
@@ -24390,7 +24419,7 @@ index 77a5003..9e56e3e 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -347,3 +365,9 @@ optional_policy(` +@@ -347,3 +369,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -63813,7 +63842,7 @@ index dd1d9ef..c48733a 100644 -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/oddjob.if b/oddjob.if -index c87bd2a..284e4de 100644 +index c87bd2a..6180fba 100644 --- a/oddjob.if +++ b/oddjob.if @@ -1,4 +1,8 @@ @@ -63925,7 +63954,7 @@ index c87bd2a..284e4de 100644 ## ## ## -@@ -105,46 +141,96 @@ interface(`oddjob_domtrans_mkhomedir',` +@@ -105,46 +141,114 @@ interface(`oddjob_domtrans_mkhomedir',` # interface(`oddjob_run_mkhomedir',` gen_require(` @@ -63971,8 +64000,7 @@ index c87bd2a..284e4de 100644 -###################################### +####################################### - ## --## Send child terminated signals to oddjob. ++## +## Execute oddjob in the oddjob domain. +## +## @@ -63996,7 +64024,8 @@ index c87bd2a..284e4de 100644 +') + +######################################## -+## + ## +-## Send child terminated signals to oddjob. +## Create a domain which can be started by init, +## with a range transition. ## @@ -64034,6 +64063,24 @@ index c87bd2a..284e4de 100644 + range_transition oddjob_t $2:process $3; + mls_rangetrans_target($1) + ') ++') ++ ++######################################## ++## ++## Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`oddjob_mkhomedir_entrypoint',` ++ gen_require(` ++ type oddjob_mkhomedir_exec_t; ++ ') ++ allow $1 oddjob_mkhomedir_exec_t:file entrypoint; ') diff --git a/oddjob.te b/oddjob.te index e403097..45d387d 100644 @@ -71277,12 +71324,12 @@ index 0000000..a2cb118 + 
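Review bot: The new `oddjob_mkhomedir_entrypoint()` grants `$1 oddjob_mkhomedir_exec_t:file entrypoint` and nothing else, so a confined caller would still lack execute/read on the helper and the file type is not registered as a domain entry type; the usual refpolicy idiom for an `*_entrypoint` interface is `domain_entry_file($1, oddjob_mkhomedir_exec_t)`, which grants entrypoint plus mmap/exec permissions and adds the type to the entry_type attribute (for the unconfined_t caller named in the changelog this makes no practical difference, but the interface is public). An entrypoint rule is also the permission that allows a domain transition *into* $1 via this binary, so the interface comment should say that explicitly, e.g. `## Allow oddjob_mkhomedir_exec_t to be an entrypoint of the domain: executing the mkhomedir helper may transition into it, so callers should pair this with a domtrans rule.` The unconfined.te call site mentioned in the changelog is outside this hunk, so I cannot check it here.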
diff --git a/pki.fc b/pki.fc new file mode 100644 -index 0000000..b2b20f0 +index 0000000..47cd0f8 --- /dev/null +++ b/pki.fc @@ -0,0 +1,57 @@ +/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/etc/pki/pki-tomcat/ca/(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) ++/etc/pki/pki-tomcat/ca(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) +/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) +/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) @@ -79106,12 +79153,13 @@ index 6643b49..dd0c3d3 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..d2c4d2a 100644 +index d68e26d..2542f5a 100644 --- a/puppet.fc +++ b/puppet.fc -@@ -1,18 +1,21 @@ +@@ -1,18 +1,22 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) ++/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) @@ -83115,7 +83163,7 @@ index da64218..3fb8575 100644 + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) ') diff --git a/quota.te b/quota.te -index f47c8e8..3710974 100644 +index f47c8e8..d4e9042 100644 --- a/quota.te +++ b/quota.te @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0) @@ -83177,7 +83225,7 @@ index f47c8e8..3710974 100644 fs_get_xattr_fs_quotas(quota_t) fs_set_xattr_fs_quotas(quota_t) fs_getattr_xattr_fs(quota_t) -@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t) +@@ -80,17 +67,29 @@ term_dontaudit_use_console(quota_t) domain_use_interactive_fds(quota_t) 
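Review bot: `/etc/puppetlabs(/.*)?` labels the whole AIO tree as puppet_etc_t, copied from the legacy `/etc/puppet` entry above it, but in the puppetlabs layout the agent/master SSL directory (private keys and, on a CA, the CA key) presumably lives under `/etc/puppetlabs/puppet/ssl/` rather than under `/var/lib/puppet` as in the legacy layout; with this rule every domain granted read access to puppet_etc_t would also be able to read that key material. If that is the case on the target systems, a more specific entry such as `/etc/puppetlabs/puppet/ssl(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)` (or a dedicated key type) would keep the keys out of the config type. Please confirm against the puppet-agent package layout before merging.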
@@ -83190,6 +83238,7 @@ index f47c8e8..3710974 100644 +# Read /etc/mtab. +files_read_etc_runtime_files(quota_t) + ++init_domain(quota_t, quota_exec_t) init_use_fds(quota_t) init_use_script_ptys(quota_t) @@ -83209,7 +83258,7 @@ index f47c8e8..3710974 100644 ') optional_policy(` -@@ -103,12 +101,12 @@ optional_policy(` +@@ -103,12 +102,12 @@ optional_policy(` ####################################### # @@ -83224,7 +83273,7 @@ index f47c8e8..3710974 100644 manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) -@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t) +@@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t) logging_send_syslog_msg(quota_nld_t) @@ -83990,10 +84039,10 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..357db0b 100644 +index c99753f..31ff402 100644 --- a/raid.te +++ b/raid.te -@@ -15,54 +15,103 @@ role mdadm_roles types mdadm_t; +@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -84074,6 +84123,7 @@ index c99753f..357db0b 100644 -dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_read_all_blk_files(mdadm_t) +dev_dontaudit_read_all_chr_files(mdadm_t) ++dev_getattr_generic_chr_files(mdadm_t) +dev_read_crash(mdadm_t) +dev_read_framebuffer(mdadm_t) dev_read_realtime_clock(mdadm_t) @@ -84106,7 +84156,7 @@ index c99753f..357db0b 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -71,15 +120,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) 
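Review bot: The new rule `dev_getattr_generic_chr_files(mdadm_t)` only covers character nodes labeled device_t, whereas the changelog entry says mdadm may "get attributes from all devices"; the two do not agree, and the neighbouring `dev_dontaudit_read_all_{blk,chr}_files(mdadm_t)` context lines suggest mdadm's /dev scan is otherwise being silenced rather than allowed. If the AVC behind this was for a generically-typed node, the narrower rule is the right least-privilege choice and the changelog should be corrected; if mdadm really needs to stat every node it enumerates, `dev_getattr_all_chr_files(mdadm_t)` is the matching interface. Either way a short why-comment above the line naming the triggering AVC, e.g. `# mdadm stats device nodes while scanning /dev`, would help the next reviewer.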
@@ -84133,7 +84183,7 @@ index c99753f..357db0b 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -90,17 +149,38 @@ optional_policy(` +@@ -90,17 +150,38 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 483ed2ca..25f2f24a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 211%{?dist} +Release: 212%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,20 @@ exit 0 %endif %changelog +* Wed Aug 31 2016 Lukas Vrabec 3.13.1-212 +- udisk2 module is part of devicekit module now +- Fix file context for /etc/pki/pki-tomcat/ca/ +- new interface oddjob_mkhomedir_entrypoint() +- Allow mdadm to get attributes from all devices. +- Label /etc/puppetlabs as puppet_etc_t. +- quota: allow init to run quota tools +- Add new domain ipa_ods_exporter_t BZ(1366640) +- Create new interface opendnssec_stream_connect() +- Allow VirtualBox to manage udev rules. +- Allow systemd_resolved to send dbus msgs to userdomains +- Make entrypoint oddjob_mkhomedir_exec_t for unconfined_t +- Label all files in /dev/oracleasmfs/ as oracleasmfs_t + * Thu Aug 25 2016 Lukas Vrabec 3.13.1-211 - Add new domain ipa_ods_exporter_t BZ(1366640) - Create new interface opendnssec_stream_connect()