diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 1782a37e..4ab6b636 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9585,7 +9585,7 @@ index b876c48..b2aed45 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..9157763 100644 +index f962f76..d79969b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -11031,7 +11031,35 @@ index f962f76..9157763 100644 ') ######################################## -@@ -3814,20 +4554,38 @@ interface(`files_list_mnt',` +@@ -3552,6 +4292,27 @@ interface(`files_dontaudit_getattr_home_dir',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on home root directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_access_check_home_dir',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ dontaudit $1 home_root_t:dir_file_class_set audit_access; ++') ++ ++ ++ ++######################################## ++## + ## Search home directories root (/home). + ## + ## +@@ -3814,20 +4575,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -11075,7 +11103,7 @@ index f962f76..9157763 100644 ') ######################################## -@@ -4217,192 +4975,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,174 +4996,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -11310,36 +11338,26 @@ index f962f76..9157763 100644 +## File name transition for system db files in /var/lib. ## ## --## --## Domain allowed access. --## +## +## Domain allowed access. +## - ## - # --interface(`files_delete_tmp_dir_entry',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_filetrans_system_db_named_files',` + gen_require(` + type var_lib_t, system_db_t; + ') - -- allow $1 tmp_t:dir del_entry_dir_perms; ++ + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") - ') - - ######################################## - ## --## Read files in the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). - ## --## ++## +## ## -## Domain allowed access. @@ -11347,19 +11365,19 @@ index f962f76..9157763 100644 ## ## # --interface(`files_read_generic_tmp_files',` +-interface(`files_delete_tmp_dir_entry',` +interface(`files_associate_tmp',` gen_require(` type tmp_t; ') -- read_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:filesystem associate; ') ######################################## ## --## Manage temporary directories in /tmp. +-## Read files in the tmp directory (/tmp). +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system 
@@ -11372,42 +11390,42 @@ index f962f76..9157763 100644 ## ## # --interface(`files_manage_generic_tmp_dirs',` +-interface(`files_read_generic_tmp_files',` +interface(`files_associate_rootfs',` gen_require(` - type tmp_t; + type root_t; ') -- manage_dirs_pattern($1, tmp_t, tmp_t) +- read_files_pattern($1, tmp_t, tmp_t) + allow $1 root_t:filesystem associate; ') ######################################## ## --## Manage temporary files and directories in /tmp. +-## Manage temporary directories in /tmp. +## Get the attributes of the tmp directory (/tmp). ## ## ## -@@ -4410,53 +5194,56 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4392,53 +5215,56 @@ interface(`files_read_generic_tmp_files',` ## ## # --interface(`files_manage_generic_tmp_files',` +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- manage_files_pattern($1, tmp_t, tmp_t) +- manage_dirs_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') ######################################## ## --## Read symbolic links in the tmp directory (/tmp). +-## Manage temporary files and directories in /tmp. +## Do not audit attempts to check the +## access on tmp files ## @@ -11418,20 +11436,20 @@ index f962f76..9157763 100644 ## ## # --interface(`files_read_generic_tmp_symlinks',` +-interface(`files_manage_generic_tmp_files',` +interface(`files_dontaudit_access_check_tmp',` gen_require(` - type tmp_t; + type etc_t; ') -- read_lnk_files_pattern($1, tmp_t, tmp_t) +- manage_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; ') ######################################## ## --## Read and write generic named sockets in the tmp directory (/tmp). +-## Read symbolic links in the tmp directory (/tmp). +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). ## 
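Review bot: `files_dontaudit_access_check_tmp` declares `type etc_t;` in its gen_require, but its only rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the require does not match the type the interface actually uses. Whether a caller compiles then depends on whether it already requires tmp_t for some other reason, and the unused etc_t require is misleading to anyone auditing which types the interface touches. The require should read `type tmp_t;`. The `- type tmp_t; + type etc_t;` pair appears here as outer context, so it looks carried over from the earlier version of the patch rather than introduced by this commit.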
@@ -11442,35 +11460,34 @@ index f962f76..9157763 100644 ## ## # --interface(`files_rw_generic_tmp_sockets',` +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) +- read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir getattr; ') ######################################## ## --## Set the attributes of all tmp directories. +-## Read and write generic named sockets in the tmp directory (/tmp). +## Search the tmp directory (/tmp). ## ## ## -@@ -4464,77 +5251,93 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,35 +5272,37 @@ interface(`files_read_generic_tmp_symlinks',` ## ## # --interface(`files_setattr_all_tmp_dirs',` +-interface(`files_rw_generic_tmp_sockets',` +interface(`files_search_tmp',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + type tmp_t; ') -- allow $1 tmpfile:dir { search_dir_perms setattr }; +- rw_sock_files_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; @@ -11478,7 +11495,7 @@ index f962f76..9157763 100644 ######################################## ## --## List all tmp directories. +-## Set the attributes of all tmp directories. +## Do not audit attempts to search the tmp directory (/tmp). ## ## 
@@ -11488,32 +11505,56 @@ index f962f76..9157763 100644 ## ## # --interface(`files_list_all_tmp',` +-interface(`files_setattr_all_tmp_dirs',` +interface(`files_dontaudit_search_tmp',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; +- allow $1 tmpfile:dir { search_dir_perms setattr }; + dontaudit $1 tmp_t:dir search_dir_perms; ') + ######################################## + ## +-## List all tmp directories. ++## Read the tmp directory (/tmp). + ## + ## + ## +@@ -4482,59 +5310,55 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_list_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:dir list_dir_perms; + ') + ######################################## ## -## Relabel to and from all temporary -## directory types. -+## Read the tmp directory (/tmp). ++## Do not audit listing of the tmp directory (/tmp). ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`files_relabel_all_tmp_dirs',` -+interface(`files_list_tmp',` ++interface(`files_dontaudit_list_tmp',` gen_require(` - attribute tmpfile; - type var_t; 
@@ -11522,49 +11563,35 @@ index f962f76..9157763 100644 - allow $1 var_t:dir search_dir_perms; - relabel_dirs_pattern($1, tmpfile, tmpfile) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir list_dir_perms; ++ dontaudit $1 tmp_t:dir list_dir_perms; ') - ######################################## +-######################################## ++####################################### ## -## Do not audit attempts to get the attributes -## of all tmp files. -+## Do not audit listing of the tmp directory (/tmp). ++## Allow read and write to the tmp directory (/tmp). ## ## - ## +-## -## Domain not to audit. -+## Domain to not audit. - ## - ## - # --interface(`files_dontaudit_getattr_all_tmp_files',` -+interface(`files_dontaudit_list_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- dontaudit $1 tmpfile:file getattr; -+ dontaudit $1 tmp_t:dir list_dir_perms; -+') -+ -+####################################### -+## -+## Allow read and write to the tmp directory (/tmp). -+## -+## +-## +## +## Domain not to audit. +## -+## -+# + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` +- gen_require(` +- attribute tmpfile; +- ') +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; + ') -+ + +- dontaudit $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; ') @@ -11577,7 +11604,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4542,110 +5345,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4542,110 +5366,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -11716,7 +11743,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4653,22 +5444,17 @@ interface(`files_tmp_filetrans',` +@@ -4653,22 +5465,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -11743,7 +11770,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4676,17 +5462,17 @@ interface(`files_purge_tmp',` +@@ -4676,17 +5483,17 @@ interface(`files_purge_tmp',` ## ## # 
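Review bot: The parameter doc for `files_rw_generic_tmp_dir` says `Domain not to audit.` although the interface grants access (`files_search_tmp($1)` and `allow $1 tmp_t:dir rw_dir_perms;`), so the text was evidently copied from the dontaudit interface next to it. The wording the neighbouring allow interfaces in this hunk use is `## Domain allowed access.`; that is what the parameter line should say. The separator line above this interface's summary also appears one `#` shorter than the separators around it.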
@@ -11765,7 +11792,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4694,18 +5480,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4694,18 +5501,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -11788,7 +11815,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4713,35 +5498,35 @@ interface(`files_search_usr',` +@@ -4713,35 +5519,35 @@ interface(`files_search_usr',` ## ## # @@ -11833,7 +11860,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4749,36 +5534,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4749,36 +5555,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # @@ -11879,7 +11906,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4786,17 +5570,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4786,17 +5591,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -11901,7 +11928,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4804,73 +5588,59 @@ interface(`files_delete_usr_dirs',` +@@ -4804,73 +5609,59 @@ interface(`files_delete_usr_dirs',` ## ## # @@ -11938,9 +11965,10 @@ index f962f76..9157763 100644 ') - getattr_files_pattern($1, usr_t, usr_t) +-') + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) - ') ++') ######################################## ## @@ -11994,7 +12022,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4878,55 +5648,58 @@ interface(`files_read_usr_files',` +@@ -4878,55 +5669,58 @@ interface(`files_read_usr_files',` ## ## # @@ -12069,7 +12097,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -4934,67 +5707,70 @@ interface(`files_manage_usr_files',` +@@ -4934,67 +5728,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -12158,7 +12186,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5003,35 +5779,50 @@ interface(`files_read_usr_symlinks',` +@@ -5003,35 +5800,50 @@ interface(`files_read_usr_symlinks',` ## ## # 
@@ -12218,7 +12246,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5039,20 +5830,17 @@ interface(`files_dontaudit_search_src',` +@@ -5039,20 +5851,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -12243,7 +12271,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5060,20 +5848,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5060,20 +5869,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -12268,7 +12296,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5081,38 +5867,35 @@ interface(`files_read_usr_src_files',` +@@ -5081,38 +5888,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -12316,7 +12344,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5120,37 +5903,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5120,37 +5924,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -12364,7 +12392,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5158,35 +5940,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5158,35 +5961,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -12409,7 +12437,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5194,36 +5976,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5194,36 +5997,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # @@ -12475,7 +12503,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5231,36 +6032,37 @@ interface(`files_dontaudit_search_var',` +@@ -5231,36 +6053,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -12523,7 +12551,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5268,17 +6070,17 @@ interface(`files_manage_var_dirs',` +@@ -5268,17 +6091,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -12545,7 +12573,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5286,17 +6088,17 @@ interface(`files_read_var_files',` +@@ -5286,17 +6109,17 @@ interface(`files_read_var_files',` ## ## # 
@@ -12567,7 +12595,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5304,73 +6106,86 @@ interface(`files_append_var_files',` +@@ -5304,73 +6127,86 @@ interface(`files_append_var_files',` ## ## # @@ -12674,7 +12702,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5378,50 +6193,41 @@ interface(`files_read_var_symlinks',` +@@ -5378,50 +6214,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -12739,7 +12767,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5429,69 +6235,56 @@ interface(`files_var_filetrans',` +@@ -5429,69 +6256,56 @@ interface(`files_var_filetrans',` ## ## # @@ -12824,7 +12852,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5499,17 +6292,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,17 +6313,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -12848,7 +12876,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5517,70 +6311,54 @@ interface(`files_list_var_lib',` +@@ -5517,70 +6332,54 @@ interface(`files_list_var_lib',` ## ## # @@ -12932,7 +12960,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5588,41 +6366,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6387,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -12984,7 +13012,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5630,36 +6403,36 @@ interface(`files_manage_urandom_seed',` +@@ -5630,36 +6424,36 @@ interface(`files_manage_urandom_seed',` ## ## # @@ -13031,7 +13059,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5667,38 +6440,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,38 +6461,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -13079,7 +13107,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5706,19 +6476,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,19 +6497,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -13103,7 +13131,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5726,60 +6494,54 @@ interface(`files_list_locks',` +@@ -5726,60 +6515,54 @@ interface(`files_list_locks',` ## ## # 
@@ -13179,7 +13207,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5787,20 +6549,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,20 +6570,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -13205,7 +13233,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5808,165 +6568,156 @@ interface(`files_getattr_generic_locks',` +@@ -5808,165 +6589,156 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -13433,7 +13461,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -5974,59 +6725,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5974,59 +6746,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # @@ -13524,7 +13552,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -6034,18 +6797,18 @@ interface(`files_dontaudit_search_pids',` +@@ -6034,18 +6818,18 @@ interface(`files_dontaudit_search_pids',` ## ## # 
@@ -13548,47 +13576,38 @@ index f962f76..9157763 100644 ## ## ## -@@ -6053,19 +6816,21 @@ interface(`files_list_pids',` +@@ -6053,19 +6837,1172 @@ interface(`files_list_pids',` ## ## # -interface(`files_read_generic_pids',` +interface(`files_manage_var_lib_symlinks',` gen_require(` -- type var_t, var_run_t; + type var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) ++ ') ++ + manage_lnk_files_pattern($1,var_lib_t,var_lib_t) - ') - ++') ++ +# cjp: the next two interfaces really need to be fixed +# in some way. They really neeed their own types. + - ######################################## - ## --## Write named generic process ID pipes ++######################################## ++## +## Create, read, write, and delete the +## pseudorandom number generator seed. - ## - ## - ## -@@ -6073,43 +6838,1340 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_urandom_seed',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) +') @@ -14573,9 +14592,12 @@ index f962f76..9157763 100644 +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; -+ type var_t, var_run_t; -+ ') -+ + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) 
@@ -14726,26 +14748,31 @@ index f962f76..9157763 100644 ######################################## ## --## Create an object in the process ID directory, with a private type. +-## Write named generic process ID pipes +## List the contents of generic spool +## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6073,43 +8010,189 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` +interface(`files_list_spool',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Create, read, write, and delete generic +## spool directories (/var/spool). +## @@ -14944,7 +14971,7 @@ index f962f76..9157763 100644 ##

## ## -@@ -6117,14 +8179,82 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,14 +8200,82 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -15030,7 +15057,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -6132,65 +8262,56 @@ interface(`files_write_generic_pid_pipes',` +@@ -6132,65 +8283,56 @@ interface(`files_write_generic_pid_pipes',` ## The name of the object being created. ## ## @@ -15114,7 +15141,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -6198,19 +8319,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8340,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -15138,7 +15165,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -6218,38 +8337,43 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,38 +8358,43 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -15194,7 +15221,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -6258,127 +8382,111 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6258,127 +8403,111 @@ interface(`files_dontaudit_ioctl_all_pids',` ## ## # @@ -15356,7 +15383,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -6386,132 +8494,189 @@ interface(`files_search_spool',` +@@ -6386,132 +8515,189 @@ interface(`files_search_spool',` ## ## # @@ -15599,7 +15626,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -6519,53 +8684,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8705,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -15657,7 +15684,7 @@ index f962f76..9157763 100644 ## ## ## -@@ -6573,10 +8702,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8723,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -22190,10 +22217,10 @@ index 0000000..0e8654b +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..b1163a6 +index 0000000..0573c76 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,637 @@ +@@ -0,0 +1,653 @@ +## Unconfined user role + +######################################## 
@@ -22360,6 +22387,22 @@ index 0000000..b1163a6 + userdom_use_user_terminals($1) +') + ++###################################### ++## ++## Stub unconfined role. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_stub_role',` ++ gen_require(` ++ role unconfined_r; ++ ') ++') ++ +######################################## +## +## Inherit file descriptors from the unconfined domain. @@ -25358,15 +25401,16 @@ index cc877c7..2ef9dc6 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..a20467d 100644 +index 8274418..2873da0 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc -@@ -2,13 +2,35 @@ +@@ -2,13 +2,36 @@ # HOME_DIR # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) +HOME_DIR/\.fonts\.d(/.*)? gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) ++HOME_DIR/\.local/share/fonts(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) +HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts/auto(/.*)? gen_context(system_u:object_r:user_fonts_cache_t,s0) HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0) @@ -25397,7 +25441,7 @@ index 8274418..a20467d 100644 # # /dev -@@ -22,13 +44,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) 
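Review bot: `unconfined_stub_role` consists of `gen_require(role unconfined_r;)` and no rules, so the parameter documented as `Domain allowed access.` is never used and the interface grants nothing. If the stub exists only so that callers can reference the role before it is populated, the doc should say so rather than imply an access grant, e.g. `## Stub: requires unconfined_r so callers build; grants nothing, the argument is unused.`.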
@@ -25420,7 +25464,7 @@ index 8274418..a20467d 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +76,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +77,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -25458,7 +25502,7 @@ index 8274418..a20467d 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -92,18 +127,32 @@ ifndef(`distro_debian',` +@@ -92,18 +128,32 @@ ifndef(`distro_debian',` /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -25495,7 +25539,7 @@ index 8274418..a20467d 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -111,7 +160,18 @@ ifndef(`distro_debian',` +@@ -111,7 +161,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -25515,7 +25559,7 @@ index 8274418..a20467d 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..44be5f2 100644 +index 6bf0ecc..28c914d 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,36 @@ 
@@ -26591,7 +26635,7 @@ index 6bf0ecc..44be5f2 100644 ') ######################################## -@@ -1284,10 +1640,657 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1640,660 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -27128,6 +27172,9 @@ index 6bf0ecc..44be5f2 100644 + userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") ++ optional_policy(` ++ gnome_data_filetrans($1, user_fonts_t, dir, "fonts") ++ ') + userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") + filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto") + files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") @@ -31038,7 +31085,7 @@ index bc0ffc8..7198bd9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..c6373d9 100644 +index 79a45f6..c4546e2 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -31558,10 +31605,30 @@ index 79a45f6..c6373d9 100644 files_search_etc($1) ') -@@ -1012,6 +1222,42 @@ interface(`init_read_state',` +@@ -1012,6 +1222,62 @@ interface(`init_read_state',` ######################################## ## ++## Dontaudit read the process state (/proc/pid) of init. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_dontaudit_read_state',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dontaudit $1 init_t:dir search_dir_perms; ++ dontaudit $1 init_t:file read_file_perms; ++ dontaudit $1 init_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## +## Read the process keyring of init. +## +## 
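Review bot: `init_dontaudit_read_state` is a dontaudit interface (three `dontaudit $1 init_t:...` rules) but its parameter is documented as `Domain allowed access.`. The convention this file uses for dontaudit interfaces, visible later in the same patch on `init_dontaudit_read_all_script_files` and `init_dontaudit_getattr_all_script_files`, is `## Domain to not audit.`; the parameter line should be changed to that. The hunk's enclosing context runs past its start, so I have not checked whether the preceding `init_read_state` summary uses matching wording.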
@@ -31601,7 +31668,7 @@ index 79a45f6..c6373d9 100644 ## Ptrace init ## ## -@@ -1026,7 +1272,9 @@ interface(`init_ptrace',` +@@ -1026,7 +1292,9 @@ interface(`init_ptrace',` type init_t; ') 
@@ -31612,12 +31679,103 @@ index 79a45f6..c6373d9 100644 ') ######################################## -@@ -1125,6 +1373,25 @@ interface(`init_getattr_all_script_files',` +@@ -1125,7 +1393,8 @@ interface(`init_getattr_all_script_files',` ######################################## ## +-## Read all init script files. +## Allow the specified domain to modify the systemd configuration of +## all init scripts. + ## + ## + ## +@@ -1133,59 +1402,95 @@ interface(`init_getattr_all_script_files',` + ## + ## + # +-interface(`init_read_all_script_files',` ++interface(`init_config_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + +- files_search_etc($1) +- allow $1 init_script_file_type:file read_file_perms; ++ allow $1 init_script_file_type:service all_service_perms; + ') + +-####################################### ++######################################## + ## +-## Dontaudit read all init script files. ++## Read all init script files. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`init_dontaudit_read_all_script_files',` ++interface(`init_read_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + +- dontaudit $1 init_script_file_type:file read_file_perms; ++ files_search_etc($1) ++ allow $1 init_script_file_type:file read_file_perms; + ') + +-######################################## ++####################################### + ## +-## Execute all init scripts in the caller domain. ++## Dontaudit getattr all init script files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`init_exec_all_script_files',` ++interface(`init_dontaudit_getattr_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + +- files_list_etc($1) +- can_exec($1, init_script_file_type) ++ dontaudit $1 init_script_file_type:file getattr; + ') + +-######################################## ++####################################### + ## +-## Read the process state (/proc/pid) of the init scripts. ++## Dontaudit read all init script files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_read_all_script_files',` ++ gen_require(` ++ attribute init_script_file_type; ++ ') ++ ++ dontaudit $1 init_script_file_type:file read_file_perms; ++') ++ ++######################################## ++## ++## Execute all init scripts in the caller domain. +## +## +## 
@@ -31625,45 +31783,26 @@ index 79a45f6..c6373d9 100644 +## +## +# -+interface(`init_config_all_script_files',` ++interface(`init_exec_all_script_files',` + gen_require(` + attribute init_script_file_type; + ') + -+ allow $1 init_script_file_type:service all_service_perms; ++ files_list_etc($1) ++ can_exec($1, init_script_file_type) +') + +######################################## +## - ## Read all init script files. - ## - ## -@@ -1144,6 +1411,24 @@ interface(`init_read_all_script_files',` - - ####################################### - ## -+## Dontaudit getattr all init script files. ++## Read the process state (/proc/pid) of the init scripts. +## +## +## -+## Domain to not audit. -+## -+## -+# -+interface(`init_dontaudit_getattr_all_script_files',` -+ gen_require(` -+ attribute init_script_file_type; -+ ') -+ -+ dontaudit $1 init_script_file_type:file getattr; -+') -+ -+####################################### -+## - ## Dontaudit read all init script files. - ## - ## -@@ -1195,12 +1480,7 @@ interface(`init_read_script_state',` ++## Domain allowed access. + ## + ## + # +@@ -1195,12 +1500,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) 
@@ -31677,73 +31816,11 @@ index 79a45f6..c6373d9 100644 ') ######################################## -@@ -1314,7 +1594,7 @@ interface(`init_signal_script',` +@@ -1314,6 +1614,24 @@ interface(`init_signal_script',` ######################################## ## --## Send null signals to init scripts. +## Send kill signals to init scripts. - ## - ## - ## -@@ -1322,17 +1602,17 @@ interface(`init_signal_script',` - ## - ## - # --interface(`init_signull_script',` -+interface(`init_sigkill_script',` - gen_require(` - type initrc_t; - ') - -- allow $1 initrc_t:process signull; -+ allow $1 initrc_t:process sigkill; - ') - - ######################################## - ## --## Read and write init script unnamed pipes. -+## Send null signals to init scripts. - ## - ## - ## -@@ -1340,17 +1620,17 @@ interface(`init_signull_script',` - ## - ## - # --interface(`init_rw_script_pipes',` -+interface(`init_signull_script',` - gen_require(` - type initrc_t; - ') - -- allow $1 initrc_t:fifo_file { read write }; -+ allow $1 initrc_t:process signull; - ') - - ######################################## - ## --## Send UDP network traffic to init scripts. (Deprecated) -+## Read and write init script unnamed pipes. - ## - ## - ## -@@ -1358,7 +1638,25 @@ interface(`init_rw_script_pipes',` - ## - ## - # --interface(`init_udp_send_script',` -+interface(`init_rw_script_pipes',` -+ gen_require(` -+ type initrc_t; -+ ') -+ -+ allow $1 initrc_t:fifo_file { read write }; -+') -+ -+######################################## -+## -+## Send UDP network traffic to init scripts. (Deprecated) +## +## +## 
@@ -31751,11 +31828,20 @@ index 79a45f6..c6373d9 100644 +## +## +# -+interface(`init_udp_send_script',` - refpolicywarn(`$0($*) has been deprecated.') - ') - -@@ -1440,6 +1738,27 @@ interface(`init_dbus_send_script',` ++interface(`init_sigkill_script',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ allow $1 initrc_t:process sigkill; ++') ++ ++######################################## ++## + ## Send null signals to init scripts. + ## + ## +@@ -1440,6 +1758,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -31783,7 +31869,7 @@ index 79a45f6..c6373d9 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1866,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1886,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -31809,7 +31895,7 @@ index 79a45f6..c6373d9 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +1943,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +1963,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -31834,7 +31920,7 @@ index 79a45f6..c6373d9 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2033,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2053,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -31878,7 +31964,7 @@ index 79a45f6..c6373d9 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2158,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2178,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -31887,7 +31973,7 @@ index 79a45f6..c6373d9 100644 ') ######################################## -@@ -1806,6 +2199,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,6 +2219,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') 
@@ -32021,7 +32107,7 @@ index 79a45f6..c6373d9 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2360,470 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2380,470 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -41327,10 +41413,10 @@ index a392fc4..4302955 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..916c8ed +index 0000000..a6664be --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,49 @@ +@@ -0,0 +1,50 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + @@ -41379,6 +41465,7 @@ index 0000000..916c8ed +/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0) +/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) +/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) ++/var/run/systemd/netif(/.*)? gen_context(system_u:object_r:systemd_networkd_var_run_t,s0) +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 @@ -42848,10 +42935,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..08a4e91 +index 0000000..4fa43d7 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,686 @@ +@@ -0,0 +1,695 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -42892,6 +42979,9 @@ index 0000000..08a4e91 +type systemd_networkd_unit_file_t; +systemd_unit_file(systemd_networkd_unit_file_t) + ++type systemd_networkd_var_run_t; ++files_pid_file(systemd_networkd_var_run_t) ++ +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + @@ -43092,6 +43182,10 @@ index 0000000..08a4e91 +allow systemd_networkd_t self:unix_dgram_socket create_socket_perms; +allow systemd_networkd_t self:packet_socket create_socket_perms; + ++manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) ++manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) ++manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) ++ +kernel_dgram_send(systemd_networkd_t) + +dev_read_sysfs(systemd_networkd_t) @@ -43100,6 +43194,8 @@ index 0000000..08a4e91 +sysnet_manage_config(systemd_networkd_t) +sysnet_manage_config_dirs(systemd_networkd_t) + ++init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif") ++ +optional_policy(` + dbus_system_bus_client(systemd_networkd_t) + dbus_connect_system_bus(systemd_networkd_t) @@ -43836,7 +43932,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..f5aa25f 100644 +index 39f185f..880b174 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -43882,7 +43978,7 @@ index 39f185f..f5aa25f 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -64,31 +66,38 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -64,31 +66,39 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; 
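Review bot: The name transition for /run/systemd/netif is granted to the wrong domain: `init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "netif")` names systemd_logind_t, while the manage_dirs/files/lnk_files_pattern rules added in the hunk just above are on systemd_networkd_t and the new systemd.fc entry labels that path for networkd. As written, systemd_networkd_t creating the directory at runtime would not get systemd_networkd_var_run_t (it would carry the parent directory's label until something relabels it), and logind receives a transition it presumably never exercises. Unless logind really is the creator of netif, this should read `init_named_pid_filetrans(systemd_networkd_t, systemd_networkd_var_run_t, dir, "netif")`.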
@@ -43903,6 +43999,7 @@ index 39f185f..f5aa25f 100644 manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev") +allow udev_t udev_var_run_t:file mounton; ++allow udev_t udev_var_run_t:dir mounton; +allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms; +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } ) @@ -43928,7 +44025,7 @@ index 39f185f..f5aa25f 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -99,6 +108,7 @@ corecmd_exec_all_executables(udev_t) +@@ -99,6 +109,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -43936,7 +44033,7 @@ index 39f185f..f5aa25f 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -107,23 +117,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -107,23 +118,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -43972,7 +44069,7 @@ index 39f185f..f5aa25f 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -145,17 +163,20 @@ auth_use_nsswitch(udev_t) +@@ -145,17 +164,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -43994,7 +44091,7 @@ index 39f185f..f5aa25f 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,7 +190,11 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -169,7 +191,11 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) @@ -44007,7 +44104,7 @@ index 39f185f..f5aa25f 100644 userdom_dontaudit_search_user_home_content(udev_t) -@@ -195,16 +220,9 @@ ifdef(`distro_gentoo',` +@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -44026,7 +44123,7 @@ index 39f185f..f5aa25f 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -242,6 +260,7 @@ optional_policy(` +@@ -242,6 +261,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -44034,7 +44131,7 @@ index 39f185f..f5aa25f 100644 ') optional_policy(` -@@ -249,17 +268,31 @@ optional_policy(` +@@ -249,17 +269,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` @@ -44068,7 +44165,7 @@ index 39f185f..f5aa25f 100644 ') optional_policy(` -@@ -289,6 +322,10 @@ optional_policy(` +@@ -289,6 +323,10 @@ optional_policy(` ') optional_policy(` @@ -44079,7 +44176,7 @@ index 39f185f..f5aa25f 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -303,6 +340,15 @@ optional_policy(` +@@ -303,6 +341,15 @@ optional_policy(` ') optional_policy(` @@ -44095,7 +44192,7 @@ index 39f185f..f5aa25f 100644 unconfined_signal(udev_t) ') -@@ -315,6 +361,7 @@ optional_policy(` +@@ -315,6 +362,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -44668,10 +44765,10 @@ index 5ca20a9..e749152 100644 + corecmd_bin_domtrans($1, unconfined_service_t) ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 5fe902d..b8aeff9 100644 +index 5fe902d..a349d18 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te -@@ -1,207 +1,24 @@ +@@ -1,207 +1,28 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) @@ -44700,7 +44797,8 @@ index 5fe902d..b8aeff9 100644 -type unconfined_execmem_exec_t; -init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) -role unconfined_r types unconfined_execmem_t; -- ++unconfined_stub_role() + -######################################## -# -# Local policy 
@@ -44737,16 +44835,13 @@ index 5fe902d..b8aeff9 100644 -optional_policy(` - ada_domtrans(unconfined_t) -') -+corecmd_bin_entry_type(unconfined_service_t) -+corecmd_shell_entry_type(unconfined_service_t) - - optional_policy(` +- +-optional_policy(` - apache_run_helper(unconfined_t, unconfined_r) - apache_role(unconfined_r, unconfined_t) -+ rpm_transition_script(unconfined_service_t, system_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - bind_run_ndc(unconfined_t, unconfined_r) -') - @@ -44761,7 +44856,8 @@ index 5fe902d..b8aeff9 100644 -optional_policy(` - firstboot_run(unconfined_t, unconfined_r) -') -- ++role unconfined_r types unconfined_service_t; + -optional_policy(` - ftp_run_ftpdctl(unconfined_t, unconfined_r) -') @@ -44777,12 +44873,15 @@ index 5fe902d..b8aeff9 100644 -optional_policy(` - java_run_unconfined(unconfined_t, unconfined_r) -') -- --optional_policy(` ++corecmd_bin_entry_type(unconfined_service_t) ++corecmd_shell_entry_type(unconfined_service_t) + + optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) --') -- --optional_policy(` ++ rpm_transition_script(unconfined_service_t, system_r) + ') + + optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -') - @@ -44932,7 +45031,7 @@ index db75976..1ee08ec 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..ce8b28d 100644 +index 9dc60c6..3104d12 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -48200,7 +48299,7 @@ index 9dc60c6..ce8b28d 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4431,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4431,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -48221,11 +48320,47 @@ index 9dc60c6..ce8b28d 100644 +') + +######################################## ++## ++## Write keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_write_all_users_keys',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:key write; ++') ++ ++######################################## ++## ++## Read and write keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_rw_all_users_keys',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:key { read view write }; ++') ++ ++######################################## +## ## Create keys for all user domains. ## ## -@@ -3435,4 +4482,1686 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4518,1686 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 566ed574..fb586b55 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3623,7 +3623,7 @@ index 7caefc3..7e70f67 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..499800e 100644 +index f6eb485..918ae86 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ 
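Review bot: `userdom_rw_all_users_keys` grants `read` on the `key` class against every domain carrying the userdomain attribute, and key read is the permission behind keyctl's read of a key's payload (view covers only the description), so a caller can extract the contents of any logged-in user's keyring; the summary `Read and write keys for all user domains.` does not convey that exposure. Suggest a summary that states it, e.g. `Read (including payload), view and write the kernel keyring keys of all user domains. Grant only to domains that must handle user key material.`, and a matching caveat on `userdom_write_all_users_keys`, since write lets the caller replace a key's payload. No caller of either interface is visible in this chunk, so the intended consumer is worth naming in the summary or in the change that adds it.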
@@ -3818,11 +3818,11 @@ index f6eb485..499800e 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) ++ ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) -+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; -+ + # apache runs the script: + domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) + allow httpd_t $1_script_t:unix_dgram_socket sendto; @@ -4073,12 +4073,31 @@ index f6eb485..499800e 100644 ## ## ## -@@ -348,13 +389,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +389,32 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Allow attempts to read and write Apache ++## unix domain stream sockets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`apache_rw_stream_sockets',` ++ gen_require(` ++ type httpd_t; ++ ') ++ ++ allow $1 httpd_t:unix_stream_socket { getattr read write }; ') ######################################## @@ -4090,7 +4109,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -367,13 +408,13 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -367,13 +427,13 @@ interface(`apache_dontaudit_rw_stream_sockets',` type httpd_t; ') @@ -4107,7 +4126,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -391,8 +432,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +451,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## 
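Review bot: The `$1` parameter summary of the new `apache_rw_stream_sockets` interface reads `Domain to not audit.`, but the body is an `allow $1 httpd_t:unix_stream_socket { getattr read write };`, so the generated interface documentation would describe a dontaudit that this rule is not; it was evidently copied from the neighbouring `apache_dontaudit_rw_stream_sockets`. Change the summary line to `Domain allowed access.` as the other allow interfaces in this file use. The only visible caller is passenger_t further down, which does get real socket access from this.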
@@ -4117,7 +4136,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -417,7 +457,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +476,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -4127,7 +4146,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -435,7 +476,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +495,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -4137,7 +4156,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -453,7 +495,8 @@ interface(`apache_list_cache',` +@@ -453,7 +514,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -4147,7 +4166,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -471,7 +514,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +533,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -4157,7 +4176,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -489,7 +533,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +552,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -4167,7 +4186,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -507,49 +552,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +571,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -4230,7 +4249,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -570,8 +617,8 @@ interface(`apache_manage_config',` +@@ -570,8 +636,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -4241,7 +4260,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -608,16 +655,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +674,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -4283,7 +4302,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -639,7 +708,8 @@ interface(`apache_read_log',` +@@ -639,7 +727,8 @@ interface(`apache_read_log',` ######################################## ## 
@@ -4293,7 +4312,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -657,10 +727,29 @@ interface(`apache_append_log',` +@@ -657,10 +746,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -4325,7 +4344,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -678,8 +767,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +786,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -4336,7 +4355,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -687,20 +776,21 @@ interface(`apache_dontaudit_append_log',` +@@ -687,20 +795,21 @@ interface(`apache_dontaudit_append_log',` ## ## # @@ -4366,7 +4385,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -708,19 +798,21 @@ interface(`apache_manage_log',` +@@ -708,19 +817,21 @@ interface(`apache_manage_log',` ## ## # @@ -4392,7 +4411,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -738,7 +830,8 @@ interface(`apache_dontaudit_search_modules',` +@@ -738,7 +849,8 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -4402,7 +4421,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -746,17 +839,19 @@ interface(`apache_dontaudit_search_modules',` +@@ -746,17 +858,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # @@ -4425,7 +4444,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -764,19 +859,19 @@ interface(`apache_list_modules',` +@@ -764,19 +878,19 @@ interface(`apache_list_modules',` ## ## # @@ -4449,7 +4468,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -784,19 +879,19 @@ interface(`apache_exec_modules',` +@@ -784,19 +898,19 @@ interface(`apache_exec_modules',` ## ## # @@ -4474,7 +4493,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -809,13 +904,50 @@ interface(`apache_domtrans_rotatelogs',` +@@ -809,13 +923,50 @@ interface(`apache_domtrans_rotatelogs',` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') 
@@ -4527,7 +4546,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -829,13 +961,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +980,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4544,7 +4563,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -844,6 +977,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +996,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4552,37 +4571,17 @@ index f6eb485..499800e 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +989,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +1008,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') -######################################## -+###################################### -+## -+## Allow the specified domain to read -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_files',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ +###################################### ## -## Create, read, write, and delete -## httpd system rw content. +## Allow the specified domain to read -+## apache system content rw dirs. ++## apache system content rw files. ## ## ## 
@@ -4592,12 +4591,32 @@ index f6eb485..499800e 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_dirs',` ++interface(`apache_read_sys_content_rw_files',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to read ++## apache system content rw dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_dirs',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + @@ -4659,7 +4678,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -888,10 +1088,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1107,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4678,7 +4697,7 @@ index f6eb485..499800e 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1108,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1127,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4690,7 +4709,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -916,7 +1122,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',` +@@ -916,7 +1141,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',` type httpd_sys_script_t; ') @@ -4699,7 +4718,7 @@ index f6eb485..499800e 100644 ') ######################################## -@@ -941,7 +1147,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1166,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user 
@@ -4708,7 +4727,7 @@ index f6eb485..499800e 100644 ## to the specified role. ## ## -@@ -954,6 +1160,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1179,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4716,7 +4735,7 @@ index f6eb485..499800e 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1173,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1192,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4726,7 +4745,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -979,12 +1187,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1206,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4742,7 +4761,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1002,7 +1211,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1230,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4751,7 +4770,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1015,13 +1224,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1243,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4766,7 +4785,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1041,7 +1249,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1268,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4775,7 +4794,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1059,8 +1267,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1286,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4785,7 +4804,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1071,18 +1278,21 @@ interface(`apache_search_sys_scripts',` +@@ -1071,18 +1297,21 @@ interface(`apache_search_sys_scripts',` # interface(`apache_manage_all_user_content',` gen_require(` 
@@ -4813,7 +4832,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1100,7 +1310,8 @@ interface(`apache_search_sys_script_state',` +@@ -1100,7 +1329,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4823,7 +4842,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1117,10 +1328,29 @@ interface(`apache_read_tmp_files',` +@@ -1117,10 +1347,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4855,7 +4874,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1133,7 +1363,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1133,7 +1382,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4864,7 +4883,7 @@ index f6eb485..499800e 100644 ') ######################################## -@@ -1142,6 +1372,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1142,6 +1391,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4874,7 +4893,7 @@ index f6eb485..499800e 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1171,8 +1404,30 @@ interface(`apache_cgi_domain',` +@@ -1171,8 +1423,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4907,7 +4926,7 @@ index f6eb485..499800e 100644 ## ## ## -@@ -1189,18 +1444,19 @@ interface(`apache_cgi_domain',` +@@ -1189,18 +1463,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4936,7 +4955,7 @@ index f6eb485..499800e 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1210,10 +1466,10 @@ interface(`apache_admin',` +@@ -1210,10 +1485,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4950,7 +4969,7 @@ index f6eb485..499800e 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1480,141 @@ interface(`apache_admin',` +@@ -1224,9 +1499,141 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -8915,10 +8934,10 @@ index c3fd7b1..e189593 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..f755e6b 100644 +index 2b9a3a1..750788c 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,75 @@ +@@ -1,54 +1,76 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) @@ -8958,6 +8977,7 @@ index 2b9a3a1..f755e6b 100644 /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/unbound-control -- gen_context(system_u:object_r:named_exec_t,s0) -/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) @@ -13865,10 +13885,10 @@ index 0000000..573dcae +') 
diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..4c9b3b1 +index 0000000..2b8cac8 --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,91 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -13886,6 +13906,9 @@ index 0000000..4c9b3b1 +type cockpit_unit_file_t; +systemd_unit_file(cockpit_unit_file_t) + ++type cockpit_var_lib_t; ++files_type(cockpit_var_lib_t) ++ +type cockpit_session_t; +type cockpit_session_exec_t; +domain_type(cockpit_session_t) @@ -13916,6 +13939,9 @@ index 0000000..4c9b3b1 +manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) +files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file }) + ++read_files_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) ++list_dirs_pattern(cockpit_ws_t, cockpit_var_lib_t, cockpit_var_lib_t) ++ +auth_use_nsswitch(cockpit_ws_t) + +logging_send_syslog_msg(cockpit_ws_t) @@ -24628,10 +24654,10 @@ index 0000000..76eb32e +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..ef1b924 +index 0000000..d03d41b --- /dev/null +++ b/docker.te -@@ -0,0 +1,280 @@ +@@ -0,0 +1,281 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24749,6 +24775,7 @@ index 0000000..ef1b924 +kernel_read_all_sysctls(docker_t) +kernel_rw_net_sysctls(docker_t) +kernel_setsched(docker_t) ++kernel_read_all_proc(docker_t) + +domain_use_interactive_fds(docker_t) + @@ -29389,10 +29416,10 @@ index 0000000..9e17d3e +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..105d6ae +index 0000000..b669406 --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,58 @@ +@@ -0,0 +1,62 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -29451,6 +29478,10 @@ index 0000000..105d6ae + networkmanager_dbus_chat(geoclue_t) + ') +') ++ ++optional_policy(` ++ pcscd_stream_connect(geoclue_t) ++') diff --git a/gift.te b/gift.te index 8a820fa..996b30c 100644 --- a/gift.te 
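Review bot: `cockpit_var_lib_t` is declared with `files_type()` and read/listed by cockpit_ws_t, but nothing in this chunk labels any path with it — no cockpit.fc change and no filetrans rule — so unless a file-context entry is added elsewhere in the patch the type stays unused and whatever cockpit keeps under /var/lib presumably remains generic var_lib_t, where these two rules do not apply. Either add the fc line in the same change (something like `/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0)` if that is the directory) or hold the type until it is labeled, so the policy does not carry a dead type that looks like it confines something.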
@@ -30681,7 +30712,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..5f39122 100644 +index ab09d61..c416ef4 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,78 @@ @@ -31728,7 +31759,7 @@ index ab09d61..5f39122 100644 ## ## ## -@@ -706,12 +820,966 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +820,985 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -32490,6 +32521,25 @@ index ab09d61..5f39122 100644 + userdom_search_user_home_dirs($1) +') + ++######################################## ++## ++## Check whether sendmail executable ++## files are executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_access_check_usr_config',` ++ gen_require(` ++ type config_usr_t; ++ ') ++ ++ allow $1 config_usr_t:dir_file_class_set audit_access;; ++') ++ +###################################### +## +## Allow read kde config content @@ -33537,7 +33587,7 @@ index 180f1b7..3c8757e 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 0e97e82..fe77236 100644 +index 0e97e82..b983d2f 100644 --- a/gpg.te +++ b/gpg.te @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0) @@ -33831,7 +33881,7 @@ index 0e97e82..fe77236 100644 corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,37 +273,41 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,37 +273,42 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) 
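Review bot: The new `gnome_access_check_usr_config` has three problems in its body and summary: the rule ends with `audit_access;;`, a stray second semicolon that the policy compiler may reject; it is an `allow` of `audit_access`, whereas audit_access is the permission consulted only to decide whether a failed access(2) check is logged, so the form that actually silences such checks is `dontaudit` (compare `files_dontaudit_access_check_home_dir` added elsewhere in this same patch); and the summary `Check whether sendmail executable files are executable.` was copied from an unrelated interface. Suggest `dontaudit $1 config_usr_t:dir_file_class_set audit_access;` with a summary such as `Do not audit access(2) checks on GNOME user configuration content under /usr.`, and consider the `gnome_dontaudit_` naming convention for it. The only visible caller is policykit_auth_t in policykit.te further down, which is consistent with a dontaudit intent.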
@@ -33857,6 +33907,7 @@ index 0e97e82..fe77236 100644 userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) - userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file) ++ userdom_manage_all_user_tmp_content(gpg_agent_t) ') -tunable_policy(`use_nfs_home_dirs',` @@ -33885,7 +33936,7 @@ index 0e97e82..fe77236 100644 ############################## # # Pinentry local policy -@@ -277,8 +315,17 @@ optional_policy(` +@@ -277,8 +316,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; @@ -33904,7 +33955,7 @@ index 0e97e82..fe77236 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +334,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +335,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -34678,10 +34729,10 @@ index 6517fad..b7ca833 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..b2d134d 100644 +index 4eb7041..6f859e1 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,70 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,72 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -34716,7 +34767,7 @@ index 4eb7041..b2d134d 100644 # -# Local policy +# hyperv domain local policy -+# + # + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; 
@@ -34732,10 +34783,8 @@ index 4eb7041..b2d134d 100644 +######################################## # +# hypervkvp local policy - # - --allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; --allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++# ++ +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) @@ -34746,7 +34795,8 @@ index 4eb7041..b2d134d 100644 + +sysnet_dns_name_resolve(hypervkvp_t) --logging_send_syslog_msg(hypervkvpd_t) +-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; +-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +userdom_dontaudit_search_admin_dir(hypervkvp_t) + +optional_policy(` @@ -34758,9 +34808,12 @@ index 4eb7041..b2d134d 100644 +# hypervvssd local policy +# --miscfiles_read_localization(hypervkvpd_t) +-logging_send_syslog_msg(hypervkvpd_t) +allow hypervvssd_t self:capability sys_admin; +-miscfiles_read_localization(hypervkvpd_t) ++files_list_boot(hypervvssd_t) + -sysnet_dns_name_resolve(hypervkvpd_t) +logging_send_syslog_msg(hypervvssd_t) diff --git a/i18n_input.te b/i18n_input.te @@ -36992,10 +37045,31 @@ index 2fb7a20..c6ba007 100644 + ') +') diff --git a/jockey.te b/jockey.te -index d59ec10..dec1b3b 100644 +index d59ec10..a46018d 100644 --- a/jockey.te 
+++ b/jockey.te -@@ -44,16 +44,19 @@ dev_read_urand(jockey_t) +@@ -15,6 +15,9 @@ files_type(jockey_cache_t) + type jockey_var_log_t; + logging_log_file(jockey_var_log_t) + ++type jockey_tmpfs_t; ++files_tmpfs_file(jockey_tmpfs_t) ++ + ######################################## + # + # Local policy +@@ -33,6 +36,10 @@ create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) + setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) + logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir }) + ++manage_dirs_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t) ++manage_files_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t) ++fs_tmpfs_filetrans(jockey_t, jockey_tmpfs_t, { dir file }) ++ + kernel_read_system_state(jockey_t) + + corecmd_exec_bin(jockey_t) +@@ -44,16 +51,19 @@ dev_read_urand(jockey_t) domain_use_interactive_fds(jockey_t) @@ -48496,10 +48570,10 @@ index 65a246a..fa86320 100644 netutils_domtrans_ping(mrtg_t) diff --git a/mta.fc b/mta.fc -index f42896c..1e1a679 100644 +index f42896c..bd1eb52 100644 --- a/mta.fc +++ b/mta.fc -@@ -1,34 +1,45 @@ +@@ -1,34 +1,44 @@ -HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0) HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0) @@ -48538,7 +48612,7 @@ index f42896c..1e1a679 100644 /usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - /usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +-/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) @@ -50471,7 +50545,7 @@ index b744fe3..50c386e 100644 + admin_pattern($1, munin_content_t) ') 
diff --git a/munin.te b/munin.te -index b708708..78fa61c 100644 +index b708708..aebb4c1 100644 --- a/munin.te +++ b/munin.te @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) @@ -50669,7 +50743,18 @@ index b708708..78fa61c 100644 ') optional_policy(` -@@ -361,7 +366,11 @@ optional_policy(` +@@ -348,6 +353,10 @@ optional_policy(` + ') + + optional_policy(` ++ fail2ban_domtrans_client(services_munin_plugin_t) ++') ++ ++optional_policy(` + lpd_exec_lpr(services_munin_plugin_t) + ') + +@@ -361,7 +370,11 @@ optional_policy(` ') optional_policy(` @@ -50682,7 +50767,7 @@ index b708708..78fa61c 100644 ') optional_policy(` -@@ -393,6 +402,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -393,6 +406,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -50690,7 +50775,7 @@ index b708708..78fa61c 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -421,3 +431,33 @@ optional_policy(` +@@ -421,3 +435,33 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -59678,10 +59763,10 @@ index 0000000..a60155c +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..577c683 +index 0000000..69697c7 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,631 @@ +@@ -0,0 +1,630 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -60195,16 +60280,6 @@ index 0000000..577c683 +kernel_read_network_state(openshift_net_read_t) +kernel_read_system_state(openshift_net_read_t) + -+term_dontaudit_use_generic_ptys(openshift_net_read_t) -+ -+auth_read_passwd(openshift_net_read_t) -+ -+miscfiles_read_localization(openshift_net_read_t) -+ -+optional_policy(` -+ ssh_use_ptys(openshift_net_read_t) -+') -+ +corecmd_exec_bin(openshift_net_read_t) +corecmd_exec_shell(openshift_net_read_t) + 
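Review bot: `fail2ban_domtrans_client(services_munin_plugin_t)` transitions a monitoring plugin into the fail2ban client domain, and fail2ban-client is the same tool that issues ban, unban and reload commands over the fail2ban control socket, not a read-only status reader; every services-class munin plugin shares services_munin_plugin_t, so all of them, not just the fail2ban plugin that presumably motivated this, gain a path to alter firewall bans. If the goal is only `fail2ban-client status`, record that above the optional_policy block, e.g. `# fail2ban munin plugin runs fail2ban-client status; the transition grants full client access`, so the widening is a deliberate, documented decision rather than an incidental one.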
@@ -60214,9 +60289,18 @@ index 0000000..577c683 + +fs_dontaudit_rw_anon_inodefs_files(openshift_net_read_t) + ++term_dontaudit_use_generic_ptys(openshift_net_read_t) ++ ++auth_read_passwd(openshift_net_read_t) ++ +userdom_use_inherited_user_ptys(openshift_net_read_t) + +miscfiles_read_generic_certs(openshift_net_read_t) ++miscfiles_read_localization(openshift_net_read_t) ++ ++optional_policy(` ++ ssh_use_ptys(openshift_net_read_t) ++') + +domtrans_pattern(openshift_domain, openshift_net_read_exec_t, openshift_net_read_t) +role system_r types openshift_net_read_t; @@ -62369,7 +62453,7 @@ index bf59ef7..0e33327 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33b..e478148 100644 +index 08ec33b..231f2e2 100644 --- a/passenger.te +++ b/passenger.te @@ -14,6 +14,9 @@ role system_r types passenger_t; @@ -62452,7 +62536,15 @@ index 08ec33b..e478148 100644 auth_use_nsswitch(passenger_t) logging_send_syslog_msg(passenger_t) -@@ -94,14 +99,21 @@ optional_policy(` +@@ -83,6 +88,7 @@ userdom_dontaudit_use_user_terminals(passenger_t) + optional_policy(` + apache_append_log(passenger_t) + apache_read_sys_content(passenger_t) ++ apache_rw_stream_sockets(passenger_t) + ') + + optional_policy(` +@@ -94,14 +100,21 @@ optional_policy(` ') optional_policy(` @@ -65938,7 +66030,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index ee91778..9baeb1b 100644 +index ee91778..6df7cf0 100644 --- a/policykit.te +++ b/policykit.te @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) 
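Review bot: `apache_rw_stream_sockets(passenger_t)` grants read/write on httpd's unix stream sockets, which is the right shape only when passenger receives those sockets by inheritance (for example fd-passed from httpd); if passenger itself initiates connections to an httpd socket file, a stream-connect style interface is the precise grant and rw alone will not satisfy connectto. The denial that motivated the line is not visible here, so confirm which case applies before settling on the interface. The optional_policy wrapper continues outside the hunk.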
@@ -66104,7 +66196,7 @@ index ee91778..9baeb1b 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,65 +159,79 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -66114,7 +66206,10 @@ index ee91778..9baeb1b 100644 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) dev_read_video_dev(policykit_auth_t) -@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t) + + files_read_etc_runtime_files(policykit_auth_t) + files_search_home(policykit_auth_t) ++files_dontaudit_access_check_home_dir(policykit_auth_t) fs_getattr_all_fs(policykit_auth_t) fs_search_tmpfs(policykit_auth_t) @@ -66142,10 +66237,14 @@ index ee91778..9baeb1b 100644 optional_policy(` consolekit_dbus_chat(policykit_auth_t) ') -- ++') + - optional_policy(` - policykit_dbus_chat(policykit_auth_t) - ') ++optional_policy(` ++ gnome_read_config(policykit_auth_t) ++ gnome_access_check_usr_config(policykit_auth_t) ') optional_policy(` @@ -66189,7 +66288,7 @@ index ee91778..9baeb1b 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +239,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -66216,7 +66315,7 @@ index ee91778..9baeb1b 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +254,28 @@ optional_policy(` +@@ -235,26 +260,28 @@ optional_policy(` ######################################## # 
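Review bot: `files_dontaudit_access_check_home_dir(policykit_auth_t)` calls an interface that no contrib module visible here provides, so it presumably comes from the base policy's files module, and this contrib patch will then only build when applied together with a base patch that carries that interface. That coupling is invisible from the hunk itself; a short comment on the line, e.g. `# requires files_dontaudit_access_check_home_dir from the matching base-policy patch`, or a note in the commit message would spare the next rebaser a build failure. As a dontaudit it grants nothing, so there is no confinement change to weigh.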
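Review bot: The splice in the policykit_auth_t hunk adds a bare `')` right after the consolekit optional_policy block and then relies on the pre-existing `')` context line at the end of the hunk to terminate the new optional_policy block holding gnome_read_config(policykit_auth_t) and gnome_access_check_usr_config(policykit_auth_t). The bracket count balances, but it quietly moves the gnome rules out of whatever block previously enclosed consolekit_dbus_chat, which I infer is a dbus wrapper; if that is intended, it is still worth writing the gnome block with its own closing `')` so its placement is readable without reconstructing the hunk. The enclosing block opens outside the hunk.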
@@ -66251,7 +66350,7 @@ index ee91778..9baeb1b 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +287,6 @@ optional_policy(` +@@ -266,6 +293,6 @@ optional_policy(` ') optional_policy(` @@ -69555,7 +69654,7 @@ index cd8b8b9..6c73980 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..979a6e0 100644 +index d616ca3..414a04f 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -69625,7 +69724,7 @@ index d616ca3..979a6e0 100644 type pptp_log_t; logging_log_file(pptp_log_t) -@@ -67,54 +74,57 @@ logging_log_file(pptp_log_t) +@@ -67,54 +74,59 @@ logging_log_file(pptp_log_t) type pptp_var_run_t; files_pid_file(pptp_var_run_t) @@ -69641,6 +69740,7 @@ index d616ca3..979a6e0 100644 allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; dontaudit pppd_t self:capability sys_tty_config; -allow pppd_t self:process { getsched setsched signal }; ++dontaudit pppd_t self:capability2 block_suspend; +allow pppd_t self:process { getsched setsched signal_perms }; allow pppd_t self:fifo_file rw_fifo_file_perms; allow pppd_t self:socket create_socket_perms; @@ -69682,6 +69782,7 @@ index d616ca3..979a6e0 100644 manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) ++manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file }) -can_exec(pppd_t, pppd_exec_t) @@ -69699,7 +69800,7 @@ index d616ca3..979a6e0 100644 kernel_read_kernel_sysctls(pppd_t) kernel_read_system_state(pppd_t) kernel_rw_net_sysctls(pppd_t) -@@ -122,10 +132,10 @@ kernel_read_network_state(pppd_t) +@@ -122,10 +134,10 @@ kernel_read_network_state(pppd_t) kernel_request_load_module(pppd_t) dev_read_urand(pppd_t) 
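Review bot: `manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)` lets pppd create socket files labeled pppd_var_run_t, but the context line that follows, `files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })`, still transitions only dirs and files, so a socket pppd creates directly under /run would inherit var_run_t and the new manage rule would never apply to it. Unless the sockets are only ever created inside an already-labeled pppd_var_run_t directory, extend the transition to `files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file sock_file })`. The pppd rule block continues outside the hunk.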
@@ -69711,7 +69812,7 @@ index d616ca3..979a6e0 100644 corenet_all_recvfrom_netlabel(pppd_t) corenet_tcp_sendrecv_generic_if(pppd_t) corenet_raw_sendrecv_generic_if(pppd_t) -@@ -135,9 +145,22 @@ corenet_raw_sendrecv_generic_node(pppd_t) +@@ -135,9 +147,22 @@ corenet_raw_sendrecv_generic_node(pppd_t) corenet_udp_sendrecv_generic_node(pppd_t) corenet_tcp_sendrecv_all_ports(pppd_t) corenet_udp_sendrecv_all_ports(pppd_t) @@ -69735,7 +69836,7 @@ index d616ca3..979a6e0 100644 corecmd_exec_bin(pppd_t) corecmd_exec_shell(pppd_t) -@@ -147,36 +170,31 @@ files_exec_etc_files(pppd_t) +@@ -147,36 +172,31 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) @@ -69781,7 +69882,7 @@ index d616ca3..979a6e0 100644 optional_policy(` ddclient_run(pppd_t, pppd_roles) -@@ -186,11 +204,13 @@ optional_policy(` +@@ -186,11 +206,13 @@ optional_policy(` l2tpd_dgram_send(pppd_t) l2tpd_rw_socket(pppd_t) l2tpd_stream_connect(pppd_t) @@ -69796,7 +69897,7 @@ index d616ca3..979a6e0 100644 ') ') -@@ -218,16 +238,19 @@ optional_policy(` +@@ -218,16 +240,19 @@ optional_policy(` ######################################## # @@ -69819,7 +69920,7 @@ index d616ca3..979a6e0 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +259,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +261,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -69876,7 +69977,7 @@ index d616ca3..979a6e0 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +303,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +305,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) 
@@ -69891,7 +69992,7 @@ index d616ca3..979a6e0 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +320,10 @@ optional_policy(` +@@ -299,6 +322,10 @@ optional_policy(` ') optional_policy(` @@ -86662,7 +86763,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..b07107b 100644 +index 2b7c441..e89790e 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -87334,9 +87435,11 @@ index 2b7c441..b07107b 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -548,52 +586,42 @@ kernel_read_network_state(nmbd_t) +@@ -547,53 +585,44 @@ kernel_read_kernel_sysctls(nmbd_t) + kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) ++kernel_read_usermodehelper_state(nmbd_t) -corenet_all_recvfrom_unlabeled(nmbd_t) corenet_all_recvfrom_netlabel(nmbd_t) @@ -87401,7 +87504,7 @@ index 2b7c441..b07107b 100644 ') optional_policy(` -@@ -606,16 +634,22 @@ optional_policy(` +@@ -606,16 +635,22 @@ optional_policy(` ######################################## # @@ -87428,7 +87531,7 @@ index 2b7c441..b07107b 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +661,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +662,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -87446,7 +87549,7 @@ index 2b7c441..b07107b 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +673,23 @@ optional_policy(` +@@ -644,22 +674,23 @@ optional_policy(` ######################################## # 
@@ -87478,7 +87581,7 @@ index 2b7c441..b07107b 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +698,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +699,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -87514,7 +87617,7 @@ index 2b7c441..b07107b 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +725,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +726,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -87606,7 +87709,7 @@ index 2b7c441..b07107b 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +804,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +805,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -87630,7 +87733,7 @@ index 2b7c441..b07107b 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +818,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +819,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -87673,7 +87776,7 @@ index 2b7c441..b07107b 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +848,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +849,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -87687,7 +87790,7 @@ index 2b7c441..b07107b 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +871,20 @@ optional_policy(` +@@ -840,17 +872,20 @@ optional_policy(` # Winbind local policy # 
@@ -87713,7 +87816,7 @@ index 2b7c441..b07107b 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +894,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +895,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -87724,7 +87827,7 @@ index 2b7c441..b07107b 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +905,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,23 +906,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -87754,7 +87857,7 @@ index 2b7c441..b07107b 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +928,17 @@ kernel_read_system_state(winbind_t) +@@ -898,13 +929,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -87775,7 +87878,7 @@ index 2b7c441..b07107b 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +946,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +947,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -87834,7 +87937,7 @@ index 2b7c441..b07107b 100644 ') optional_policy(` -@@ -959,31 +1007,29 @@ optional_policy(` +@@ -959,31 +1008,29 @@ optional_policy(` # Winbind helper local policy # @@ -87872,7 +87975,7 @@ index 2b7c441..b07107b 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1043,38 @@ optional_policy(` +@@ -997,25 +1044,38 @@ optional_policy(` ######################################## # 
@@ -95034,10 +95137,10 @@ index 0000000..ddfed09 +') diff --git a/speech-dispatcher.te b/speech-dispatcher.te new file mode 100644 -index 0000000..931fa6c +index 0000000..4739473 --- /dev/null +++ b/speech-dispatcher.te -@@ -0,0 +1,51 @@ +@@ -0,0 +1,61 @@ +policy_module(speech-dispatcher, 1.0.0) + +######################################## @@ -95050,6 +95153,9 @@ index 0000000..931fa6c +init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t) +application_executable_file(speech-dispatcher_exec_t) + ++type speech-dispatcher_home_t; ++userdom_user_home_content(speech-dispatcher_home_t) ++ +type speech-dispatcher_log_t; +logging_log_file(speech-dispatcher_log_t) + @@ -95066,7 +95172,9 @@ index 0000000..931fa6c +# +# speech-dispatcher local policy +# -+allow speech-dispatcher_t self:process { fork signal_perms }; ++ ++allow speech-dispatcher_t self:process signal_perms; ++ +allow speech-dispatcher_t self:fifo_file rw_fifo_file_perms; +allow speech-dispatcher_t self:unix_stream_socket create_stream_socket_perms; +allow speech-dispatcher_t self:tcp_socket create_socket_perms; @@ -95081,6 +95189,11 @@ index 0000000..931fa6c +manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmpfs_t, speech-dispatcher_tmpfs_t) +fs_tmpfs_filetrans(speech-dispatcher_t, speech-dispatcher_tmpfs_t, { file }) + ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t) ++manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t) ++manage_fifo_files_pattern(speech-dispatcher_t, speech-dispatcher_home_t, speech-dispatcher_home_t) ++userdom_filetrans_home_content(speech-dispatcher_t,speech-dispatcher_home_t, dir, ".speech-dispatcher") ++ +kernel_read_system_state(speech-dispatcher_t) + +auth_read_passwd(speech-dispatcher_t) @@ -103839,7 +103952,7 @@ index facdee8..c43ef2e 100644 + typeattribute $1 sandbox_caps_domain; ') 
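Review bot: The new home-directory rules let speech-dispatcher_t, declared with init_daemon_domain in the earlier hunk of this file, create and manage `.speech-dispatcher` under users' home directories, yet the hunk grants nothing on the home root itself, so the transition is only reachable if userdom_filetrans_home_content or another rule outside this hunk supplies that search; confirm before shipping. `userdom_filetrans_home_content(speech-dispatcher_t,speech-dispatcher_home_t, dir, ".speech-dispatcher")` also lacks the space after the first comma used by every other call here. A matching file-context entry, `HOME_DIR/\.speech-dispatcher(/.*)? gen_context(system_u:object_r:speech-dispatcher_home_t,s0)`, should accompany the type so restorecon agrees with the runtime transition; no .fc change is visible in this diff. The domain's rule block continues outside the hunk.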
diff --git a/virt.te b/virt.te -index f03dcf5..329e056 100644 +index f03dcf5..58d42f6 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,227 @@ @@ -104140,7 +104253,7 @@ index f03dcf5..329e056 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -153,299 +230,132 @@ ifdef(`enable_mls',` +@@ -153,299 +230,134 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -104431,6 +104544,8 @@ index f03dcf5..329e056 100644 -corenet_sendrecv_all_client_packets(svirt_t) corenet_tcp_connect_all_ports(svirt_t) ++init_dontaudit_read_state(svirt_t) ++ +####################################### +# +# svirt_prot_exec local policy @@ -104515,7 +104630,7 @@ index f03dcf5..329e056 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +365,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +367,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -104562,24 +104677,24 @@ index f03dcf5..329e056 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +400,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +402,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -104593,7 +104708,7 @@ index f03dcf5..329e056 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +421,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +423,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -104621,7 +104736,7 @@ index f03dcf5..329e056 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,22 +441,27 @@ dev_rw_vhost(virtd_t) +@@ -555,22 +443,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -104654,7 +104769,7 @@ index f03dcf5..329e056 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -601,15 +492,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +494,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -104674,7 +104789,7 @@ index f03dcf5..329e056 100644 selinux_validate_context(virtd_t) -@@ -620,18 +514,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +516,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -104711,7 +104826,7 @@ index f03dcf5..329e056 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +542,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +544,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -104720,7 +104835,7 @@ index f03dcf5..329e056 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +567,12 @@ optional_policy(` +@@ -665,20 +569,12 @@ optional_policy(` ') optional_policy(` @@ -104741,7 +104856,7 @@ index f03dcf5..329e056 100644 ') optional_policy(` -@@ -691,20 +585,26 @@ optional_policy(` +@@ -691,20 +587,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -104772,7 +104887,7 @@ index f03dcf5..329e056 100644 ') optional_policy(` -@@ -712,11 +612,18 @@ optional_policy(` +@@ -712,11 +614,18 @@ optional_policy(` ') optional_policy(` 
@@ -104791,26 +104906,29 @@ index f03dcf5..329e056 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +634,18 @@ optional_policy(` +@@ -727,11 +636,19 @@ optional_policy(` ') optional_policy(` +- sasl_connect(virtd_t) + sanlock_stream_connect(virtd_t) + ') + + optional_policy(` +- kernel_read_xen_state(virtd_t) ++ sasl_connect(virtd_t) +') + +optional_policy(` - sasl_connect(virtd_t) - ') - - optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` - kernel_read_xen_state(virtd_t) ++ kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +661,277 @@ optional_policy(` + xen_exec(virtd_t) +@@ -746,44 +663,277 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -104848,13 +104966,7 @@ index f03dcf5..329e056 100644 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) - --manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) ++ +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -104864,15 +104976,17 @@ index f03dcf5..329e056 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") ++ +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) 
@@ -104904,14 +105018,18 @@ index f03dcf5..329e056 100644 + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; --allow virsh_t svirt_lxc_domain:process transition; +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +dontaudit virt_domain virt_tmpfs_type:file { read write }; --can_exec(virsh_t, virsh_exec_t) +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +append_files_pattern(virt_domain, virt_log_t, virt_log_t) -+ + +-allow virsh_t svirt_lxc_domain:process transition; +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +-can_exec(virsh_t, virsh_exec_t) +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -105000,7 +105118,7 @@ index f03dcf5..329e056 100644 + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) +') -+ + +optional_policy(` + xserver_rw_shm(virt_domain) +') @@ -105074,7 +105192,7 @@ index f03dcf5..329e056 100644 +allow virsh_t self:tcp_socket create_stream_socket_perms; + +ps_process_pattern(virsh_t, svirt_sandbox_domain) - ++ +can_exec(virsh_t, virsh_exec_t) virt_domtrans(virsh_t) virt_manage_images(virsh_t) @@ -105110,7 +105228,7 @@ index f03dcf5..329e056 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +942,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +944,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -105137,7 +105255,7 @@ index f03dcf5..329e056 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +962,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +964,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -105171,7 +105289,7 @@ index f03dcf5..329e056 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +999,20 @@ optional_policy(` +@@ -856,14 +1001,20 @@ optional_policy(` ') optional_policy(` @@ -105193,7 +105311,7 @@ index f03dcf5..329e056 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1037,65 @@ optional_policy(` +@@ -888,49 +1039,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -105277,7 +105395,7 @@ index f03dcf5..329e056 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1107,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1109,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -105297,7 +105415,7 @@ index f03dcf5..329e056 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1128,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1130,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -105321,7 +105439,7 @@ index f03dcf5..329e056 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1153,317 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1155,319 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -105370,6 +105488,8 @@ index f03dcf5..329e056 100644 +# svirt_sandbox_domain local policy # +allow svirt_sandbox_domain self:key manage_key_perms; ++dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; ++ +allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; +allow svirt_sandbox_domain self:fifo_file manage_file_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; 
@@ -105383,82 +105503,6 @@ index f03dcf5..329e056 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ -+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; -+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; -+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; -+ -+allow svirt_sandbox_domain virtd_lxc_t:process sigchld; -+allow svirt_sandbox_domain virtd_lxc_t:fd use; -+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -+ -+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto }; -+ -+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; -+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; -+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; -+ -+kernel_getattr_proc(svirt_sandbox_domain) -+kernel_list_all_proc(svirt_sandbox_domain) -+kernel_read_all_sysctls(svirt_sandbox_domain) -+kernel_rw_net_sysctls(svirt_sandbox_domain) -+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) -+kernel_dontaudit_access_check_proc(svirt_sandbox_domain) -+ -+corecmd_exec_all_executables(svirt_sandbox_domain) -+ 
-+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) -+files_dontaudit_getattr_all_files(svirt_sandbox_domain) -+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) -+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) -+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) -+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) -+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) -+files_entrypoint_all_files(svirt_sandbox_domain) -+files_list_var(svirt_sandbox_domain) -+files_list_var_lib(svirt_sandbox_domain) -+files_search_all(svirt_sandbox_domain) -+files_read_config_files(svirt_sandbox_domain) -+files_read_usr_symlinks(svirt_sandbox_domain) -+files_search_locks(svirt_sandbox_domain) -+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) -+ -+fs_getattr_all_fs(svirt_sandbox_domain) -+fs_list_inotifyfs(svirt_sandbox_domain) -+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) -+fs_read_fusefs_files(svirt_sandbox_domain) -+fs_read_hugetlbfs_files(svirt_sandbox_domain) -+ -+auth_dontaudit_read_passwd(svirt_sandbox_domain) -+auth_dontaudit_read_login_records(svirt_sandbox_domain) -+auth_dontaudit_write_login_records(svirt_sandbox_domain) -+auth_search_pam_console_data(svirt_sandbox_domain) -+ -+clock_read_adjtime(svirt_sandbox_domain) -+ -+init_read_utmp(svirt_sandbox_domain) -+init_dontaudit_write_utmp(svirt_sandbox_domain) -+ -+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) -+ -+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) -+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) -+miscfiles_read_fonts(svirt_sandbox_domain) -+miscfiles_read_hwdata(svirt_sandbox_domain) -+ -+systemd_read_unit_files(svirt_sandbox_domain) -+ -+userdom_use_inherited_user_terminals(svirt_sandbox_domain) -+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) -+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -allow svirt_lxc_domain self:capability { kill setuid setgid 
dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; 
@@ -105542,24 +105586,100 @@ index f03dcf5..329e056 100644 -miscfiles_read_fonts(svirt_lxc_domain) - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') ++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; ++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; ++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; ++ ++allow svirt_sandbox_domain virtd_lxc_t:process sigchld; ++allow svirt_sandbox_domain virtd_lxc_t:fd use; ++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; ++ ++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto }; ++ ++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; ++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; ++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; ++ ++kernel_getattr_proc(svirt_sandbox_domain) ++kernel_list_all_proc(svirt_sandbox_domain) ++kernel_read_all_sysctls(svirt_sandbox_domain) ++kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) 
++kernel_dontaudit_access_check_proc(svirt_sandbox_domain) ++ ++corecmd_exec_all_executables(svirt_sandbox_domain) ++ ++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) ++files_dontaudit_getattr_all_files(svirt_sandbox_domain) ++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) ++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) ++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) ++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) ++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) ++files_entrypoint_all_files(svirt_sandbox_domain) ++files_list_var(svirt_sandbox_domain) ++files_list_var_lib(svirt_sandbox_domain) ++files_search_all(svirt_sandbox_domain) ++files_read_config_files(svirt_sandbox_domain) ++files_read_usr_symlinks(svirt_sandbox_domain) ++files_search_locks(svirt_sandbox_domain) ++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) ++ ++fs_getattr_all_fs(svirt_sandbox_domain) ++fs_list_inotifyfs(svirt_sandbox_domain) ++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) ++fs_read_fusefs_files(svirt_sandbox_domain) ++fs_read_hugetlbfs_files(svirt_sandbox_domain) ++ ++auth_dontaudit_read_passwd(svirt_sandbox_domain) ++auth_dontaudit_read_login_records(svirt_sandbox_domain) ++auth_dontaudit_write_login_records(svirt_sandbox_domain) ++auth_search_pam_console_data(svirt_sandbox_domain) ++ ++clock_read_adjtime(svirt_sandbox_domain) ++ ++init_read_utmp(svirt_sandbox_domain) ++init_dontaudit_write_utmp(svirt_sandbox_domain) ++ ++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) ++ ++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) ++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) ++miscfiles_read_fonts(svirt_sandbox_domain) ++miscfiles_read_hwdata(svirt_sandbox_domain) ++ ++systemd_read_unit_files(svirt_sandbox_domain) ++ ++userdom_use_inherited_user_terminals(svirt_sandbox_domain) ++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) 
++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) optional_policy(` - udev_read_pid_files(svirt_lxc_domain) ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + docker_manage_lib_files(svirt_lxc_net_t) + docker_manage_lib_dirs(svirt_lxc_net_t) + docker_read_share_files(svirt_sandbox_domain) + docker_exec_lib(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) + docker_use_ptys(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + gear_read_pid_files(svirt_sandbox_domain) +') + @@ -105618,10 +105738,6 @@ index f03dcf5..329e056 100644 -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; +manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -105633,6 +105749,10 @@ index f03dcf5..329e056 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') ++ +tunable_policy(`virt_sandbox_use_mknod',` + allow svirt_lxc_net_t self:capability mknod; +') 
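Review bot: `kernel_rw_net_sysctls(svirt_sandbox_domain)`, `kernel_read_all_sysctls(svirt_sandbox_domain)`, `corecmd_exec_all_executables(svirt_sandbox_domain)` and `files_entrypoint_all_files(svirt_sandbox_domain)` in this hunk are granted to the whole sandbox attribute unconditionally, while the hunks that follow put sys_admin, mknod and netlink behind `virt_sandbox_use_*` tunables. Most of the `++` lines here (the files_/fs_/auth_/userdom_ dontaudit block and the apache optional_policy) re-add verbatim the lines removed in the preceding hunk, so the change reads as a reorder; for the `allow virtd_t …`, `allow virtd_lxc_t …` and `kernel_rw_net_sysctls` lines no removed counterpart is visible in this excerpt, so it is unclear whether they are moved or newly granted. If any of them is new, the commit message should say so, and write access to net sysctls for every sandbox domain would fit better behind a tunable in the same style as the `virt_sandbox_use_sys_admin` block below. The svirt_sandbox_domain rule section starts before this hunk.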
@@ -105641,10 +105761,7 @@ index f03dcf5..329e056 100644 + allow svirt_lxc_net_t self:capability all_capability_perms; + allow svirt_lxc_net_t self:capability2 all_capability2_perms; +') - --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) ++ +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -105652,7 +105769,10 @@ index f03dcf5..329e056 100644 +', ` + logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) +') -+ + +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; @@ -105726,13 +105846,13 @@ index f03dcf5..329e056 100644 +term_use_ptmx(svirt_qemu_net_t) + +dev_rw_kvm(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) @@ -105777,7 +105897,7 @@ index f03dcf5..329e056 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1476,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1480,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -105792,7 +105912,7 @@ index f03dcf5..329e056 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1494,8 @@ optional_policy(` +@@ -1192,9 +1498,8 @@ optional_policy(` ######################################## # @@ -105803,7 +105923,7 @@ index f03dcf5..329e056 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1508,219 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1512,219 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -107330,7 +107450,7 @@ index fd2b6cc..938c4a7 100644 +') + diff --git a/wine.te b/wine.te -index 491b87b..391f3a1 100644 +index 491b87b..72ce165 100644 --- a/wine.te +++ b/wine.te @@ -14,10 +14,11 @@ policy_module(wine, 1.11.0) @@ -107346,7 +107466,7 @@ index 491b87b..391f3a1 100644 type wine_exec_t; userdom_user_application_domain(wine_t, wine_exec_t) role wine_roles types wine_t; -@@ -25,56 +26,58 @@ role wine_roles types wine_t; +@@ -25,56 +26,59 @@ role wine_roles types wine_t; type wine_home_t; userdom_user_home_content(wine_home_t) @@ -107383,6 +107503,7 @@ index 491b87b..391f3a1 100644 +can_exec(wine_domain, wine_exec_t) + +manage_files_pattern(wine_domain, wine_home_t, wine_home_t) ++manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) +userdom_tmpfs_filetrans(wine_domain, file) +wine_filetrans_named_content(wine_domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index a2b39589..f3e652b1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 78%{?dist} +Release: 79%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
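Review bot: The added `manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t)` line in the wine.te hunk is consistent with the adjacent manage_files/manage_dirs rules, but the rule block is only partly shown here and it is not visible whether the interface in wine.if that hands wine_home_t to other domains was given the matching symlink permission; worth a one-line check. Because SELinux evaluates a symlink target against the target's own label, this rule covers only the link objects inside wine_home_t, not whatever they point to, which is worth stating in the commit message rather than leaving to the changelog bullet.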
@@ -602,6 +602,33 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Sep 10 2014 Lukas Vrabec 3.13.1-79 +- Re-arange openshift_net_read_t rules. +- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide +- Allow jockey_t to use tmpfs files +- Allow pppd to create sock_files in /var/run +- Allow geoclue to stream connect to smart card service +- Allow docker to read all of /proc +- ALlow passeneger to read/write apache stream socket. +- Dontaudit read init state for svirt_t. +- Label /usr/sbin/unbound-control as named_exec_t (#1130510) +- Add support for /var/lbi/cockpit directory. +- Add support for ~/. speech-dispatcher. +- Allow nmbd to read /proc/sys/kernel/core_pattern. +- aLlow wine domains to create wine_home symlinks. +- Allow policykit_auth_t access check and read usr config files. +- Dontaudit access check on home_root_t for policykit-auth. +- hv_vss_daemon wants to list /boot +- update gpg_agent_env_file booelan to allow manage user tmp files for gpg-agent +- Fix label for /usr/bin/courier/bin/sendmail +- Allow munin services plugins to execute fail2ban-client in fail2ban_client_t domain. +- Allow unconfined_r to access unconfined_service_t. +- Add label for ~/.local/share/fonts +- Add init_dontaudit_read_state() interface. +- Add systemd_networkd_var_run_t labeling for /var/run/systemd/netif and allow systemd-networkd to manage it. +- Allow udev_t mounton udev_var_run_t dirs #(1128618) +- Add files_dontaudit_access_check_home_dir() inteface. + * Tue Sep 02 2014 Lukas Vrabec 3.13.1-78 - Allow unconfined_service_t to dbus chat with all dbus domains - Assign rabbitmq port. BZ#1135523