diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 107f454a..a53f917f 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index d34fe0db..a5c7403b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -15451,7 +15451,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..cdeecad 100644
+index 8416beb..843f849 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -15899,7 +15899,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -1878,135 +2085,151 @@ interface(`fs_search_fusefs',`
+@@ -1878,117 +2085,346 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -16069,74 +16069,61 @@ index 8416beb..cdeecad 100644
-## read, write, and delete files
-## on a FUSEFS filesystem.
+## Unmount a FUSE filesystem.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
++##
++##
++#
+interface(`fs_unmount_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:filesystem unmount;
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
++')
++
++########################################
++##
+## Mounton a FUSEFS filesystem.
- ##
- ##
- ##
-@@ -2014,145 +2237,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_mounton_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:dir mounton;
- ')
-
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
++')
++
++########################################
++##
+## Search directories
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_getattr_hugetlbfs',`
++#
+interface(`fs_search_fusefs',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
++ ')
++
+ allow $1 fusefs_t:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## List hugetlbfs.
++')
++
++########################################
++##
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
+##
@@ -16158,28 +16145,24 @@ index 8416beb..cdeecad 100644
+##
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_list_hugetlbfs',`
++#
+interface(`fs_manage_fusefs_dirs',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:dir list_dir_perms;
++ ')
++
+ allow $1 fusefs_t:dir manage_dir_perms;
- ')
-
- ########################################
- ##
--## Manage hugetlbfs dirs.
++')
++
++########################################
++##
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
@@ -16201,178 +16184,118 @@ index 8416beb..cdeecad 100644
+########################################
+##
+## Read, a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_manage_hugetlbfs_dirs',`
-+interface(`fs_read_fusefs_files',`
- gen_require(`
-- type hugetlbfs_t;
-+ type fusefs_t;
- ')
-
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ read_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Read and write hugetlbfs files.
-+## Execute files on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_exec_fusefs_files',`
- gen_require(`
-- type hugetlbfs_t;
-+ type fusefs_t;
- ')
-
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ exec_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Allow the type to associate to hugetlbfs filesystems.
-+## Make general progams in FUSEFS an entrypoint for
-+## the specified domain.
- ##
--##
++##
+##
- ##
--## The type of the object to be associated.
-+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_associate_hugetlbfs',`
-+interface(`fs_fusefs_entry_type',`
- gen_require(`
-- type hugetlbfs_t;
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_read_fusefs_files',`
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
-+ domain_entry_file($1, fusefs_t)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
++ ')
++
++ read_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
++## Execute files on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_exec_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ exec_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## The domain for which fusefs_t is an entrypoint.
- ##
- ##
- #
--interface(`fs_search_inotifyfs',`
-+interface(`fs_fusefs_entrypoint',`
- gen_require(`
-- type inotifyfs_t;
++##
++##
++#
++interface(`fs_fusefs_entry_type',`
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
++ ')
++
++ domain_entry_file($1, fusefs_t)
++')
++
++########################################
++##
++## Make general progams in FUSEFS an entrypoint for
++## the specified domain.
++##
++##
++##
++## The domain for which fusefs_t is an entrypoint.
++##
++##
++#
++interface(`fs_fusefs_entrypoint',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:file entrypoint;
- ')
-
- ########################################
- ##
--## List inotifyfs filesystem.
++')
++
++########################################
++##
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_list_inotifyfs',`
++#
+interface(`fs_manage_fusefs_files',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 inotifyfs_t:dir list_dir_perms;
++ ')
++
+ manage_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Dontaudit List inotifyfs filesystem.
++')
++
++########################################
++##
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
##
##
##
-@@ -2160,53 +2432,136 @@ interface(`fs_list_inotifyfs',`
- ##
- ##
- #
--interface(`fs_dontaudit_list_inotifyfs',`
-+interface(`fs_dontaudit_manage_fusefs_files',`
- gen_require(`
-- type inotifyfs_t;
-+ type fusefs_t;
- ')
-
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+ dontaudit $1 fusefs_t:file manage_file_perms;
- ')
+@@ -2025,6 +2461,87 @@ interface(`fs_read_fusefs_symlinks',`
########################################
##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
-+## Read symbolic links on a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+#
-+interface(`fs_read_fusefs_symlinks',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+## Manage symbolic links on a FUSEFS filesystem.
+##
+##
- ##
--## The type of the object to be created.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+#
+interface(`fs_manage_fusefs_symlinks',`
+ gen_require(`
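Review bot: `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` now carry the identical summary "Make general progams in FUSEFS an entrypoint for the specified domain" although their bodies differ: the first calls `domain_entry_file($1, fusefs_t)`, the second only grants `allow $1 fusefs_t:file entrypoint;`, so a policy author choosing between them gets no guidance, and "progams" is misspelled in both. Suggest fixing the typo and rewording the second summary to `## Allow files on a FUSEFS filesystem to be an entrypoint for the specified domain (entrypoint permission only; fs_fusefs_entry_type presumably also registers fusefs_t as an entry type via domain_entry_file).` The `fs_manage_fusefs_symlinks` interface that this hunk ends in continues in the next hunk.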
@@ -16407,20 +16330,16 @@ index 8416beb..cdeecad 100644
+##
+##
+##
- ##
--## The object class of the object being created.
++##
+## Domain allowed to transition.
- ##
- ##
--##
++##
++##
+##
- ##
--## The name of the object being created.
++##
+## The type of the new process.
- ##
- ##
- #
--interface(`fs_hugetlbfs_filetrans',`
++##
++##
++#
+interface(`fs_fusefs_domtrans',`
+ gen_require(`
+ type fusefs_t;
@@ -16451,8 +16370,15 @@ index 8416beb..cdeecad 100644
+
+########################################
+##
-+## Get the attributes of an hugetlbfs
-+## filesystem.
+ ## Get the attributes of an hugetlbfs
+ ## filesystem.
+ ##
+@@ -2062,7 +2579,43 @@ interface(`fs_list_hugetlbfs',`
+
+ ########################################
+ ##
+-## Manage hugetlbfs dirs.
++## Manage hugetlbfs dirs.
+##
+##
+##
@@ -16460,327 +16386,95 @@ index 8416beb..cdeecad 100644
+##
+##
+#
-+interface(`fs_getattr_hugetlbfs',`
++interface(`fs_manage_hugetlbfs_dirs',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++##
++## Read hugetlbfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_hugetlbfs_files',`
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
++ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
++')
++
++########################################
++##
++## Read and write hugetlbfs files.
+ ##
+ ##
+ ##
+@@ -2070,17 +2623,17 @@ interface(`fs_list_hugetlbfs',`
+ ##
+ ##
+ #
+-interface(`fs_manage_hugetlbfs_dirs',`
++interface(`fs_rw_hugetlbfs_files',`
gen_require(`
type hugetlbfs_t;
')
-- allow $2 hugetlbfs_t:filesystem associate;
-- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+ allow $1 hugetlbfs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Mount an iso9660 filesystem, which
--## is usually used on CDs.
-+## List hugetlbfs.
- ##
- ##
- ##
-@@ -2214,19 +2569,17 @@ interface(`fs_hugetlbfs_filetrans',`
- ##
- ##
- #
--interface(`fs_mount_iso9660_fs',`
-+interface(`fs_list_hugetlbfs',`
- gen_require(`
-- type iso9660_t;
-+ type hugetlbfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem mount;
-+ allow $1 hugetlbfs_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Remount an iso9660 filesystem, which
--## is usually used on CDs. This allows
--## some mount options to be changed.
-+## Manage hugetlbfs dirs.
- ##
- ##
- ##
-@@ -2234,18 +2587,17 @@ interface(`fs_mount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_remount_iso9660_fs',`
-+interface(`fs_manage_hugetlbfs_dirs',`
- gen_require(`
-- type iso9660_t;
-+ type hugetlbfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem remount;
-+ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
-
- ########################################
- ##
--## Unmount an iso9660 filesystem, which
--## is usually used on CDs.
-+## Read hugetlbfs files.
- ##
- ##
- ##
-@@ -2253,38 +2605,557 @@ interface(`fs_remount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_unmount_iso9660_fs',`
-+interface(`fs_read_hugetlbfs_files',`
- gen_require(`
-- type iso9660_t;
-+ type hugetlbfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem unmount;
-+ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
-
- ########################################
- ##
--## Get the attributes of an iso9660
--## filesystem, which is usually used on CDs.
-+## Read and write hugetlbfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_rw_hugetlbfs_files',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write hugetlbfs files.
+## Execute hugetlbfs files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2088,12 +2641,13 @@ interface(`fs_manage_hugetlbfs_dirs',`
+ ##
+ ##
+ #
+-interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_exec_hugetlbfs_files',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ allow $1 hugetlbfs_t:dir list_dir_perms;
+ exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+')
-+
-+########################################
-+##
-+## Allow the type to associate to hugetlbfs filesystems.
-+##
-+##
-+##
-+## The type of the object to be associated.
-+##
-+##
-+#
-+interface(`fs_associate_hugetlbfs',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $1 hugetlbfs_t:filesystem associate;
-+')
-+
-+########################################
-+##
-+## Search inotifyfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_search_inotifyfs',`
-+ gen_require(`
-+ type inotifyfs_t;
-+ ')
-+
-+ allow $1 inotifyfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List inotifyfs filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_list_inotifyfs',`
-+ gen_require(`
-+ type inotifyfs_t;
-+ ')
-+
-+ allow $1 inotifyfs_t:dir list_dir_perms;
+ ')
+
+ ########################################
+@@ -2148,11 +2702,12 @@ interface(`fs_list_inotifyfs',`
+ ')
+
+ allow $1 inotifyfs_t:dir list_dir_perms;
+ fs_read_anon_inodefs_files($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Dontaudit List inotifyfs filesystem.
+## Do not audit attempts to list inotifyfs filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_list_inotifyfs',`
-+ gen_require(`
-+ type inotifyfs_t;
-+ ')
-+
-+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Create an object in a hugetlbfs filesystem, with a private
-+## type using a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## The type of the object to be created.
-+##
-+##
-+##
-+##
-+## The object class of the object being created.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`fs_hugetlbfs_filetrans',`
-+ gen_require(`
-+ type hugetlbfs_t;
-+ ')
-+
-+ allow $2 hugetlbfs_t:filesystem associate;
-+ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Mount an iso9660 filesystem, which
-+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_mount_iso9660_fs',`
-+ gen_require(`
-+ type iso9660_t;
-+ ')
-+
-+ allow $1 iso9660_t:filesystem mount;
-+')
-+
-+########################################
-+##
-+## Remount an iso9660 filesystem, which
-+## is usually used on CDs. This allows
-+## some mount options to be changed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_remount_iso9660_fs',`
-+ gen_require(`
-+ type iso9660_t;
-+ ')
-+
-+ allow $1 iso9660_t:filesystem remount;
-+')
-+
-+########################################
-+##
-+## Unmount an iso9660 filesystem, which
-+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_unmount_iso9660_fs',`
-+ gen_require(`
-+ type iso9660_t;
-+ ')
-+
-+ allow $1 iso9660_t:filesystem unmount;
-+')
-+
-+########################################
-+##
-+## Get the attributes of an iso9660
-+## filesystem, which is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`fs_getattr_iso9660_fs',`
-+ gen_require(`
-+ type iso9660_t;
-+ ')
-+
-+ allow $1 iso9660_t:filesystem getattr;
-+')
-+
-+########################################
-+##
-+## Read files on an iso9660 filesystem, which
-+## is usually used on CDs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_getattr_iso9660_files',`
-+ gen_require(`
-+ type iso9660_t;
-+ ')
-+
+ ##
+ ##
+ ##
+@@ -2297,14 +2852,332 @@ interface(`fs_getattr_iso9660_files',`
+ type iso9660_t;
+ ')
+
+- allow $1 iso9660_t:dir list_dir_perms;
+- allow $1 iso9660_t:file getattr;
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
+')
@@ -17067,48 +16761,37 @@ index 8416beb..cdeecad 100644
+## Do not audit attempts to open,
+## get attributes, read and write
+## cgroup files.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`fs_getattr_iso9660_fs',`
++##
++##
++#
+interface(`fs_dontaudit_rw_kdbus_files',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type kdbusfs_t;
- ')
-
-- allow $1 iso9660_t:filesystem getattr;
++ ')
++
+ dontaudit $1 kdbusfs_t:file rw_file_perms;
- ')
-
- ########################################
- ##
--## Read files on an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## Manage kdbusfs files.
- ##
- ##
- ##
-@@ -2292,19 +3163,21 @@ interface(`fs_getattr_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_getattr_iso9660_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_manage_kdbus_files',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type kdbusfs_t;
+
- ')
-
-- allow $1 iso9660_t:dir list_dir_perms;
-- allow $1 iso9660_t:file getattr;
++ ')
++
+ manage_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
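Review bot: The `gen_require` block of `fs_manage_kdbus_files` keeps a stray blank line between `type kdbusfs_t;` and `')`, which none of the neighbouring interfaces (e.g. `fs_dontaudit_rw_kdbus_files` just above) have. Since the rebase rewrites this whole block anyway, it is the natural moment to drop that line so the block reads `gen_require(` / `type kdbusfs_t;` / `')` like the rest of the file.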
@@ -17433,10 +17116,11 @@ index 8416beb..cdeecad 100644
## Mount a NFS server pseudo filesystem.
##
##
-@@ -3263,6 +4309,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,7 +4309,25 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
+-########################################
+#######################################
+##
+## read files on an nfsd filesystem
@@ -17455,13 +17139,34 @@ index 8416beb..cdeecad 100644
+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
- ########################################
++#######################################
##
## Read and write NFS server files.
-@@ -3283,6 +4347,24 @@ interface(`fs_rw_nfsd_fs',`
+ ##
+@@ -3281,6 +4345,42 @@ interface(`fs_rw_nfsd_fs',`
+ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
- ########################################
- ##
++#######################################
++##
++## Read nsfs inodes (e.g. /proc/pid/ns/uts)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_nsfs_files',`
++ gen_require(`
++ type nsfs_t;
++ ')
++
++ allow $1 nsfs_t:file read_file_perms;
++')
++
++########################################
++##
+## Manage NFS server files.
+##
+##
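Review bot: The new `fs_read_nsfs_files` interface is inserted between `fs_rw_nfsd_fs` and `fs_manage_nfsd_files`, splitting the nfsd_fs_t group; placing it after `fs_manage_nfsd_files` keeps the nfsd interfaces contiguous for anyone scanning the file. The banner above it is 39 `#` wide (`#######################################`) while the banner closing it and the rest of the file use 40 (`########################################`), and this hunk also swaps the existing 40-wide banner above "Read and write NFS server files" for a 39-wide one, which looks like a regeneration artifact rather than an intended change. The body `allow $1 nsfs_t:file read_file_perms;` matches the summary; it would help readers to say where the label comes from, e.g. `## Read nsfs inodes (the namespace handles under /proc/<pid>/ns/*, labeled nsfs_t by the genfscon rule in filesystem.te).`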
@@ -17478,12 +17183,10 @@ index 8416beb..cdeecad 100644
+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
-+########################################
-+##
+ ########################################
+ ##
## Allow the type to associate to ramfs filesystems.
- ##
- ##
-@@ -3392,7 +4474,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4492,7 @@ interface(`fs_search_ramfs',`
########################################
##
@@ -17492,7 +17195,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -3429,7 +4511,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4529,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
##
@@ -17501,7 +17204,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -3447,7 +4529,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4547,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
##
@@ -17510,7 +17213,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -3779,6 +4861,24 @@ interface(`fs_mount_tmpfs',`
+@@ -3779,6 +4879,24 @@ interface(`fs_mount_tmpfs',`
########################################
##
@@ -17535,7 +17238,7 @@ index 8416beb..cdeecad 100644
## Remount a tmpfs filesystem.
##
##
-@@ -3815,6 +4915,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4933,24 @@ interface(`fs_unmount_tmpfs',`
########################################
##
@@ -17560,7 +17263,7 @@ index 8416beb..cdeecad 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3839,39 +4957,76 @@ interface(`fs_getattr_tmpfs',`
+@@ -3839,39 +4975,76 @@ interface(`fs_getattr_tmpfs',`
##
##
##
@@ -17646,7 +17349,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -3879,36 +5034,35 @@ interface(`fs_relabelfrom_tmpfs',`
+@@ -3879,36 +5052,35 @@ interface(`fs_relabelfrom_tmpfs',`
##
##
#
@@ -17690,7 +17393,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -3916,35 +5070,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,35 +5088,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
@@ -17734,7 +17437,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -3952,17 +5107,17 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5125,17 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
@@ -17755,7 +17458,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -3970,31 +5125,30 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5143,30 @@ interface(`fs_search_tmpfs',`
##
##
#
@@ -17793,7 +17496,7 @@ index 8416beb..cdeecad 100644
')
########################################
-@@ -4105,7 +5259,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +5277,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -17802,7 +17505,7 @@ index 8416beb..cdeecad 100644
')
########################################
-@@ -4165,6 +5319,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +5337,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
##
@@ -17827,7 +17530,7 @@ index 8416beb..cdeecad 100644
## Read tmpfs link files.
##
##
-@@ -4202,7 +5374,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +5392,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
##
@@ -17836,7 +17539,7 @@ index 8416beb..cdeecad 100644
##
##
##
-@@ -4221,6 +5393,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +5411,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -17897,7 +17600,7 @@ index 8416beb..cdeecad 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4278,6 +5504,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5522,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
##
@@ -17942,7 +17645,7 @@ index 8416beb..cdeecad 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
##
-@@ -4297,6 +5561,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5579,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
##
@@ -17968,7 +17671,7 @@ index 8416beb..cdeecad 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
-@@ -4407,6 +5690,25 @@ interface(`fs_search_xenfs',`
+@@ -4407,6 +5708,25 @@ interface(`fs_search_xenfs',`
allow $1 xenfs_t:dir search_dir_perms;
')
@@ -17994,7 +17697,7 @@ index 8416beb..cdeecad 100644
########################################
##
## Create, read, write, and delete directories
-@@ -4503,6 +5805,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5823,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -18003,7 +17706,7 @@ index 8416beb..cdeecad 100644
')
########################################
-@@ -4549,7 +5853,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5871,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -18012,7 +17715,7 @@ index 8416beb..cdeecad 100644
## Example attributes:
##
##
-@@ -4596,6 +5900,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5918,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -18039,7 +17742,7 @@ index 8416beb..cdeecad 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +5995,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6013,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -18065,7 +17768,7 @@ index 8416beb..cdeecad 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6255,63 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6273,63 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -18130,7 +17833,7 @@ index 8416beb..cdeecad 100644
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..3e3ed4e 100644
+index e7d1738..235b730 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -18214,13 +17917,17 @@ index e7d1738..3e3ed4e 100644
type mvfs_t;
fs_noxattr_type(mvfs_t)
allow mvfs_t self:filesystem associate;
-@@ -118,13 +142,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +142,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
+files_mountpoint(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
++type nsfs_t;
++fs_type(nsfs_t)
++genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
++
type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
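Review bot: The new `nsfs_t` declaration has no comment saying what it labels, and nothing in this file ties the bare name to the /proc/<pid>/ns namespace handles that the matching `fs_read_nsfs_files` interface in filesystem.if describes. A one-line comment above `type nsfs_t;` such as `# nsfs_t: the nsfs pseudo filesystem backing the namespace handles under /proc/<pid>/ns/*` would make the `genfscon nsfs /` rule self-explanatory; the declaration itself (fs_type plus genfscon) follows the pattern of the neighbouring oprofilefs_t.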
@@ -18230,7 +17937,7 @@ index e7d1738..3e3ed4e 100644
fs_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
-@@ -150,11 +175,6 @@ fs_type(spufs_t)
+@@ -150,11 +179,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -18242,7 +17949,7 @@ index e7d1738..3e3ed4e 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -172,6 +192,8 @@ type vxfs_t;
+@@ -172,6 +196,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -18251,7 +17958,7 @@ index e7d1738..3e3ed4e 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +204,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +208,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -18260,7 +17967,7 @@ index e7d1738..3e3ed4e 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +285,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +289,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -18269,7 +17976,7 @@ index e7d1738..3e3ed4e 100644
files_mountpoint(removable_t)
#
-@@ -280,6 +306,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +310,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -18277,7 +17984,7 @@ index e7d1738..3e3ed4e 100644
########################################
#
-@@ -301,9 +328,10 @@ fs_associate_noxattr(noxattrfs)
+@@ -301,9 +332,10 @@ fs_associate_noxattr(noxattrfs)
# Unconfined access to this module
#
@@ -33978,7 +33685,7 @@ index 79a45f6..e69fa39 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..91eaead 100644
+index 17eda24..4eb70c7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -34273,7 +33980,7 @@ index 17eda24..91eaead 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +323,240 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +323,243 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -34347,6 +34054,7 @@ index 17eda24..91eaead 100644
+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow init_t self:netlink_selinux_socket create_socket_perms;
++allow init_t self:unix_dgram_socket lock;
+# Until systemd is fixed
+allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+allow init_t self:udp_socket create_socket_perms;
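Review bot: The added `allow init_t self:unix_dgram_socket lock;` sits directly above the `# Until systemd is fixed` comment, so that comment now reads as if it explained the new rule, while it presumably belongs to the `allow daemon init_t:socket_class_set { ... }` line below it. Move the new rule up among the other `init_t self:*socket*` rules in this block and leave a blank line before the comment so it unambiguously attaches to the `daemon` rule, and give the new permission its own one-line reason, e.g. `# init_t locks its own datagram sockets (TODO: cite the denial that motivated this)`. The init_t self-permission block begins outside this hunk.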
@@ -34420,6 +34128,8 @@ index 17eda24..91eaead 100644
+fs_rw_tmpfs_files(init_t)
+fs_relabel_cgroup_dirs(init_t)
+fs_search_cgroup_dirs(init_t)
++# for network namespaces
++fs_read_nsfs_files(init_t)
+
+storage_getattr_removable_dev(init_t)
+
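Review bot: The comment `# for network namespaces` understates what the new `fs_read_nsfs_files(init_t)` call grants: the interface body added to filesystem.if in this patch is `allow $1 nsfs_t:file read_file_perms;` on every `nsfs_t` file, i.e. the handles of all namespace kinds under /proc/<pid>/ns (the interface's own example is uts), not only net. That breadth may well be what init_t needs, but the comment should say so, e.g. `# open /proc/<pid>/ns/* (nsfs_t) namespace handles, e.g. to join network namespaces`. The surrounding init_t rule block starts and ends outside this hunk.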
@@ -34523,7 +34233,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -216,7 +564,30 @@ optional_policy(`
+@@ -216,7 +567,30 @@ optional_policy(`
')
optional_policy(`
@@ -34555,7 +34265,7 @@ index 17eda24..91eaead 100644
')
########################################
-@@ -225,9 +596,9 @@ optional_policy(`
+@@ -225,9 +599,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -34567,7 +34277,7 @@ index 17eda24..91eaead 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +629,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +632,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -34584,7 +34294,7 @@ index 17eda24..91eaead 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +654,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +657,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -34627,7 +34337,7 @@ index 17eda24..91eaead 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +691,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +694,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -34639,7 +34349,7 @@ index 17eda24..91eaead 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +703,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +706,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -34650,7 +34360,7 @@ index 17eda24..91eaead 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +714,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +717,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -34660,7 +34370,7 @@ index 17eda24..91eaead 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +723,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +726,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -34668,7 +34378,7 @@ index 17eda24..91eaead 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +730,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +733,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -34676,7 +34386,7 @@ index 17eda24..91eaead 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +738,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +741,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -34694,7 +34404,7 @@ index 17eda24..91eaead 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +756,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +759,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -34708,7 +34418,7 @@ index 17eda24..91eaead 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +771,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +774,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -34722,7 +34432,7 @@ index 17eda24..91eaead 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +784,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +787,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -34733,7 +34443,7 @@ index 17eda24..91eaead 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +797,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +800,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -34741,7 +34451,7 @@ index 17eda24..91eaead 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +816,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +819,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -34765,7 +34475,7 @@ index 17eda24..91eaead 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +849,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +852,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -34773,7 +34483,7 @@ index 17eda24..91eaead 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +883,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +886,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -34784,7 +34494,7 @@ index 17eda24..91eaead 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +907,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +910,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -34793,7 +34503,7 @@ index 17eda24..91eaead 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +922,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +925,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -34801,7 +34511,7 @@ index 17eda24..91eaead 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +943,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +946,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -34809,7 +34519,7 @@ index 17eda24..91eaead 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +953,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +956,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -34854,7 +34564,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -559,14 +998,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1001,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -34886,7 +34596,7 @@ index 17eda24..91eaead 100644
')
')
-@@ -577,6 +1033,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1036,39 @@ ifdef(`distro_suse',`
')
')
@@ -34926,7 +34636,7 @@ index 17eda24..91eaead 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1078,8 @@ optional_policy(`
+@@ -589,6 +1081,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -34935,7 +34645,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -610,6 +1101,7 @@ optional_policy(`
+@@ -610,6 +1104,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -34943,7 +34653,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -626,6 +1118,17 @@ optional_policy(`
+@@ -626,6 +1121,17 @@ optional_policy(`
')
optional_policy(`
@@ -34961,7 +34671,7 @@ index 17eda24..91eaead 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1145,13 @@ optional_policy(`
+@@ -642,9 +1148,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -34975,7 +34685,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -657,15 +1164,11 @@ optional_policy(`
+@@ -657,15 +1167,11 @@ optional_policy(`
')
optional_policy(`
@@ -34993,7 +34703,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -686,6 +1189,15 @@ optional_policy(`
+@@ -686,6 +1192,15 @@ optional_policy(`
')
optional_policy(`
@@ -35009,7 +34719,7 @@ index 17eda24..91eaead 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1238,7 @@ optional_policy(`
+@@ -726,6 +1241,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -35017,7 +34727,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -743,7 +1256,13 @@ optional_policy(`
+@@ -743,7 +1259,13 @@ optional_policy(`
')
optional_policy(`
@@ -35032,7 +34742,7 @@ index 17eda24..91eaead 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1285,10 @@ optional_policy(`
+@@ -766,6 +1288,10 @@ optional_policy(`
')
optional_policy(`
@@ -35043,7 +34753,7 @@ index 17eda24..91eaead 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1298,20 @@ optional_policy(`
+@@ -775,10 +1301,20 @@ optional_policy(`
')
optional_policy(`
@@ -35064,7 +34774,7 @@ index 17eda24..91eaead 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1320,10 @@ optional_policy(`
+@@ -787,6 +1323,10 @@ optional_policy(`
')
optional_policy(`
@@ -35075,7 +34785,7 @@ index 17eda24..91eaead 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1345,6 @@ optional_policy(`
+@@ -808,8 +1348,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -35084,7 +34794,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -818,6 +1353,10 @@ optional_policy(`
+@@ -818,6 +1356,10 @@ optional_policy(`
')
optional_policy(`
@@ -35095,7 +34805,7 @@ index 17eda24..91eaead 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1366,12 @@ optional_policy(`
+@@ -827,10 +1369,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -35108,7 +34818,7 @@ index 17eda24..91eaead 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1398,60 @@ optional_policy(`
+@@ -857,21 +1401,60 @@ optional_policy(`
')
optional_policy(`
@@ -35170,7 +34880,7 @@ index 17eda24..91eaead 100644
')
optional_policy(`
-@@ -887,6 +1467,10 @@ optional_policy(`
+@@ -887,6 +1470,10 @@ optional_policy(`
')
optional_policy(`
@@ -35181,7 +34891,7 @@ index 17eda24..91eaead 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1481,218 @@ optional_policy(`
+@@ -897,3 +1484,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -37271,7 +36981,7 @@ index 446fa99..22f539c 100644
+ plymouthd_exec_plymouth(sulogin_t)
')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..5c39fe5 100644
+index b50c5fe..9eacd9b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,11 +1,15 @@
@@ -37286,7 +36996,7 @@ index b50c5fe..5c39fe5 100644
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0)
-+/usr/lib/systemd/system/syslogd.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)
++/usr/lib/systemd/system/rsyslog.* -- gen_context(system_u:object_r:syslogd_unit_file_t,s0)
+
/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 854fb998..d8d0f0f2 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -29627,6 +29627,340 @@ index 36838c2..8bfc879 100644
- fs_read_nfs_files(sftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
-')
+diff --git a/fwupd.fc b/fwupd.fc
+new file mode 100644
+index 0000000..1f13f70
+--- /dev/null
++++ b/fwupd.fc
+@@ -0,0 +1,8 @@
++/usr/lib/systemd/system/fwupd-offline-update.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0)
++/usr/lib/systemd/system/fwupd.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0)
++
++/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
++
++/var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
++
++/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0)
+diff --git a/fwupd.if b/fwupd.if
+new file mode 100644
+index 0000000..c4d2c2d
+--- /dev/null
++++ b/fwupd.if
+@@ -0,0 +1,260 @@
++
++## fwupd is a daemon to allow session software to update device firmware
++
++########################################
++##
++## Execute fwupd_exec_t in the fwupd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`fwupd_domtrans',`
++ gen_require(`
++ type fwupd_t, fwupd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, fwupd_exec_t, fwupd_t)
++')
++
++######################################
++##
++## Execute fwupd in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_exec',`
++ gen_require(`
++ type fwupd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, fwupd_exec_t)
++')
++
++########################################
++##
++## Search fwupd cache directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_search_cache',`
++ gen_require(`
++ type fwupd_cache_t;
++ ')
++
++ allow $1 fwupd_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++##
++## Read fwupd cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_read_cache_files',`
++ gen_require(`
++ type fwupd_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
++')
++
++########################################
++##
++## Create, read, write, and delete
++## fwupd cache files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_manage_cache_files',`
++ gen_require(`
++ type fwupd_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
++')
++
++########################################
++##
++## Manage fwupd cache dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_manage_cache_dirs',`
++ gen_require(`
++ type fwupd_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, fwupd_cache_t, fwupd_cache_t)
++')
++
++
++########################################
++##
++## Search fwupd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_search_lib',`
++ gen_require(`
++ type fwupd_var_lib_t;
++ ')
++
++ allow $1 fwupd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read fwupd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_read_lib_files',`
++ gen_require(`
++ type fwupd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
++')
++
++########################################
++##
++## Manage fwupd lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_manage_lib_files',`
++ gen_require(`
++ type fwupd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
++')
++
++########################################
++##
++## Manage fwupd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_manage_lib_dirs',`
++ gen_require(`
++ type fwupd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
++')
++
++########################################
++##
++## Execute fwupd server in the fwupd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`fwupd_systemctl',`
++ gen_require(`
++ type fwupd_t;
++ type fwupd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 fwupd_unit_file_t:file read_file_perms;
++ allow $1 fwupd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, fwupd_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an fwupd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fwupd_admin',`
++ gen_require(`
++ type fwupd_t;
++ type fwupd_cache_t;
++ type fwupd_var_lib_t;
++ type fwupd_unit_file_t;
++ ')
++
++ allow $1 fwupd_t:process { signal_perms };
++ ps_process_pattern($1, fwupd_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 fwupd_t:process ptrace;
++ ')
++
++ files_search_var($1)
++ admin_pattern($1, fwupd_cache_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, fwupd_var_lib_t)
++
++ fwupd_systemctl($1)
++ admin_pattern($1, fwupd_unit_file_t)
++ allow $1 fwupd_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/fwupd.te b/fwupd.te
+new file mode 100644
+index 0000000..8937282
+--- /dev/null
++++ b/fwupd.te
+@@ -0,0 +1,48 @@
++policy_module(fwupd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type fwupd_t;
++type fwupd_exec_t;
++init_daemon_domain(fwupd_t, fwupd_exec_t)
++
++type fwupd_cache_t;
++files_type(fwupd_cache_t)
++
++type fwupd_var_lib_t;
++files_type(fwupd_var_lib_t)
++
++type fwupd_unit_file_t;
++systemd_unit_file(fwupd_unit_file_t)
++
++########################################
++#
++# fwupd local policy
++#
++allow fwupd_t self:fifo_file rw_fifo_file_perms;
++allow fwupd_t self:unix_stream_socket create_stream_socket_perms;
++allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;;
++
++manage_dirs_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
++manage_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
++manage_lnk_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
++files_var_filetrans(fwupd_t, fwupd_cache_t, { dir })
++
++manage_dirs_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
++manage_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
++manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
++files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir })
++
++auth_read_passwd(fwupd_t)
++
++dev_rw_sysfs(fwupd_t)
++dev_rw_generic_usb_dev(fwupd_t)
++
++udev_read_pid_files(fwupd_t)
++
++optional_policy(`
++ dbus_system_domain(fwupd_t,fwupd_exec_t)
++')
diff --git a/games.if b/games.if
index e2a3e0d..50ebd40 100644
--- a/games.if
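Review bot: The new `fwupd.te` rule `allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;;` carries a doubled semicolon; checkpolicy's grammar has no empty-statement production, so this most likely breaks the module build and should read `allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;`. In `fwupd.if` the header of `fwupd_systemctl` is copied from the domtrans interface ("Execute fwupd server in the fwupd domain" / "Domain allowed to transition") while the body only grants systemctl and unit-file access; suggest `## Execute systemctl to manage the fwupd service.` and `## Domain allowed access.` so the generated docs describe what is actually allowed. The unnamed `files_var_filetrans(fwupd_t, fwupd_cache_t, { dir })` labels every directory fwupd_t creates inside a var_t directory as fwupd_cache_t, not just the `/var/cache/app-info` path the .fc file declares; if the refpolicy interface accepts a filename argument, a named transition on `"app-info"` would keep the label scoped to that directory. These three files are nested as new files inside the contrib patch, so the whole addition is carried by this one outer hunk.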
@@ -37269,16 +37603,17 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
-index 0000000..3a71430
+index 0000000..ce135f3
--- /dev/null
+++ b/ipa.fc
-@@ -0,0 +1,13 @@
+@@ -0,0 +1,14 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
++/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6b7292ce..6ff9647e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 166%{?dist}
+Release: 167%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -664,6 +664,13 @@ exit 0
%endif
%changelog
+* Mon Jan 18 2016 Lukas Vrabec 3.13.1-167
+- Add fwupd policy for daemon to allow session software to update device firmware
+- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
+- Allow systemd services to use PrivateNetwork feature
+- Add a type and genfscon for nsfs.
+- Fix SELinux context for rsyslog unit file. BZ(1284173)
+
* Wed Jan 13 2016 Lukas Vrabec 3.13.1-166
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
- Allow condor_master_t domain capability chown. BZ(1297048)