From 6e9c2276f7a5356ef36e32f83322bb9b05412dbf Mon Sep 17 00:00:00 2001 From: Miroslav Date: Fri, 22 Jul 2011 12:37:49 +0200 Subject: [PATCH] - Fix oracledb_port definition - Allow mount to mounton the selinux file system - Allow users to list /var directories --- policy-F16.patch | 309 ++++++++++++++++++++++++-------------------- selinux-policy.spec | 7 +- 2 files changed, 178 insertions(+), 138 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index db25c5af..ece00d4f 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -757,7 +757,7 @@ index 8fa451c..f3a67c9 100644 ') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te -index c4d8998..d62fdd2 100644 +index c4d8998..419d14a 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -75,12 +75,7 @@ logging_send_syslog_msg(firstboot_t) @@ -793,6 +793,15 @@ index c4d8998..d62fdd2 100644 optional_policy(` samba_rw_config(firstboot_t) +@@ -113,7 +118,7 @@ optional_policy(` + optional_policy(` + unconfined_domtrans(firstboot_t) + # The big hammer +- unconfined_domain(firstboot_t) ++ unconfined_domain_noaudit(firstboot_t) + ') + + optional_policy(` @@ -125,6 +130,7 @@ optional_policy(` ') @@ -11303,7 +11312,7 @@ index 4f3b542..4581434 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..e2f9c64 100644 +index 99b71cb..b49e084 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; 
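Review bot: The switch from `unconfined_domain(firstboot_t)` to `unconfined_domain_noaudit(firstboot_t)` in the firstboot.te hunk changes what firstboot can do, not only what is logged, yet the `# The big hammer` comment above it is left unchanged. If the `_noaudit` variant follows the usual Fedora shape (the unconfined rule set with execmem/execstack/execheap dontaudited instead of granted through the `allow_exec*` booleans; I cannot see unconfined.if from here), firstboot loses those three permissions silently and a failure will never appear in the AVC log. A one-line note keeps the next reader from assuming this is an audit-only change: `# The big hammer; _noaudit variant: execmem/execstack/execheap are dontaudited rather than granted`. The optional_policy block is fully inside the hunk, but the rest of firstboot_t's policy is not.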
@@ -11423,8 +11432,12 @@ index 99b71cb..e2f9c64 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -158,10 +188,18 @@ network_port(ntp, udp,123,s0) - network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) +@@ -155,13 +185,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) + network_port(nmbd, udp,137,s0, udp,138,s0) + network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) + network_port(ntp, udp,123,s0) +-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) ++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) +network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0) @@ -15422,6 +15435,13 @@ index 0e5b661..3168d72 100644 attribute mcsreadall; +attribute mcsuntrustedproc; +attribute mcsnetwrite; +diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc +index 7be4ddf..4d4c577 100644 +--- a/policy/modules/kernel/selinux.fc ++++ b/policy/modules/kernel/selinux.fc +@@ -1 +1 @@ +-# This module currently does not have any file contexts. ++/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index ca7e808..23a065c 100644 --- a/policy/modules/kernel/selinux.if @@ -19261,7 +19281,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..2fe2895 100644 +index 30861ec..ced411a 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) 
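Review bot: Renaming `network_port(oracledb, ...)` to `network_port(oracle, ...)` in corenetwork.te.in changes the generated type from `oracledb_port_t` to `oracle_port_t` and every `corenet_*_oracledb_*` interface along with it, so this is an interface-breaking rename rather than a local fix. The apache.te callers are updated further down in this patch, but any other module or local `semanage port` customization that still names `oracledb_port_t` will fail at policy load; grepping the tree for `oracledb` before merging would confirm nothing is left behind. A short note on the definition makes the rename visible where it originates: `# type is oracle_port_t (renamed from oracledb); callers use corenet_*_oracle_*`.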
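Review bot: Labeling `/selinux` as a symlink of type `security_t` in selinux.fc means resolving that link now requires `security_t:lnk_file read`, which the existing `selinux_*` interfaces (they target the selinuxfs directory and its files) presumably do not grant; I cannot see selinux.if from here. If libselinux on this release still goes through `/selinux`, every domain that checks the enforcing mode or looks up a context would hit that denial, so either a rule granting the `domain` attribute `security_t:lnk_file read` or an explanation of why the symlink shares the filesystem type is needed alongside this entry. Suggested comment above the line: `# /selinux is a symlink to /sys/fs/selinux; domains that follow it need security_t:lnk_file read`.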
@@ -19473,7 +19493,7 @@ index 30861ec..2fe2895 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +293,130 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -19595,6 +19615,7 @@ index 30861ec..2fe2895 100644 + +kernel_read_kernel_sysctls(abrt_dump_oops_t) +kernel_read_ring_buffer(abrt_dump_oops_t) ++kernel_read_system_state(abrt_dump_oops_t) + +domain_use_interactive_fds(abrt_dump_oops_t) + @@ -20782,7 +20803,7 @@ index 6480167..970916e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..8115e0e 100644 +index 3136c6a..0966da0 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -21233,8 +21254,8 @@ index 3136c6a..8115e0e 100644 + corenet_tcp_connect_firebird_port(httpd_t) + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) -+ corenet_tcp_connect_oracledb_port(httpd_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_t) ++ corenet_tcp_connect_oracle_port(httpd_t) ++ corenet_sendrecv_oracle_client_packets(httpd_t) +') + +tunable_policy(`httpd_can_network_memcache',` 
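Review bot: `kernel_read_system_state(abrt_dump_oops_t)` is added in abrt.te with no indication of which /proc path the oops dumper needs, unlike the ring-buffer rule beside it whose purpose is clear from the name. Since this interface presumably opens all generic proc_t content to the domain (I cannot see kernel.if here), a why-comment keeps it from being read as a catch-all: `# abrt-dump-oops reads /proc (record which file produced the denial)`. The abrt_dump_oops_t block starts and ends outside this hunk.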
@@ -21499,8 +21520,8 @@ index 3136c6a..8115e0e 100644 + corenet_tcp_connect_firebird_port(httpd_php_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) -+ corenet_tcp_connect_oracledb_port(httpd_php_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_php_t) ++ corenet_sendrecv_oracle_client_packets(httpd_php_t) ') optional_policy(` @@ -21566,8 +21587,8 @@ index 3136c6a..8115e0e 100644 + corenet_tcp_connect_firebird_port(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -+ corenet_tcp_connect_oracledb_port(httpd_suexec_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_oracle_port(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) +') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) @@ -21649,8 +21670,8 @@ index 3136c6a..8115e0e 100644 + corenet_tcp_connect_firebird_port(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) -+ corenet_tcp_connect_oracledb_port(httpd_sys_script_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_oracle_port(httpd_sys_script_t) ++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) @@ -50934,7 +50955,7 @@ index 7c5d8d8..59ba27c 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..6182880 100644 +index 3eca020..b2c36e4 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) 
@@ -51443,7 +51464,7 @@ index 3eca020..6182880 100644 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -457,8 +613,166 @@ optional_policy(` +@@ -457,8 +613,176 @@ optional_policy(` ') optional_policy(` @@ -51572,8 +51593,12 @@ index 3eca020..6182880 100644 +allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms; + ++allow virt_lxc_t virt_image_type:dir mounton; ++ ++allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; ++ +domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t) -+allow virtd_t virt_lxc_t:process signal; ++allow virtd_t virt_lxc_t:process { signal signull sigkill }; + +manage_dirs_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) @@ -51592,9 +51617,15 @@ index 3eca020..6182880 100644 +files_mount_all_file_type_fs(virt_lxc_t) +files_unmount_all_file_type_fs(virt_lxc_t) + ++fs_manage_tmpfs_dirs(virt_lxc_t) ++fs_manage_tmpfs_chr_files(virt_lxc_t) ++fs_manage_tmpfs_symlinks(virt_lxc_t) +fs_manage_cgroup_dirs(virt_lxc_t) +fs_rw_cgroup_files(virt_lxc_t) + ++selinux_mount_fs(virt_lxc_t) ++selinux_unmount_fs(virt_lxc_t) ++ +term_use_generic_ptys(virt_lxc_t) +term_use_ptmx(virt_lxc_t) + @@ -56329,7 +56360,7 @@ index 94fd8dd..0d7aa40 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..fcf5d6c 100644 +index 29a9565..70532cc 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
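Review bot: `allow virt_lxc_t virt_domain:process { ... transition ... }` in virt.te grants a bare `transition` permission to every type carrying the `virt_domain` attribute without a matching `type_transition` or `domtrans_pattern`, so the controller can `setexeccon()` into any virt domain for which an entrypoint exists; that is wider than the single container domain libvirt's lxc controller presumably launches. If only the setexec-then-exec path for containers is intended, either narrow the target (an attribute covering just the container domains) or at least say so: `# lxc controller calls setexeccon() before exec'ing the container init; explicit transition, no automatic domtrans`. The `virt_image_type:dir mounton` rule likewise allows mounting over any image-typed directory and deserves a comment naming the bind-mount of the container rootfs it is for. The virt_lxc_t block begins before this hunk.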
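Review bot: `selinux_mount_fs(virt_lxc_t)` and `selinux_unmount_fs(virt_lxc_t)` let the container controller mount selinuxfs, presumably so /sys/fs/selinux appears inside the container; the consequence is that container processes reach the host's policy interface (enforcing switch, booleans, context queries), and the only barrier is the `security` class permissions of the container domains, which are not visible here. That dependency should be stated next to the rule: `# selinuxfs is mounted into the container; container domains must never be granted security_t:security { setenforce load_policy setbool }`. The `fs_manage_tmpfs_chr_files(virt_lxc_t)` line also implies the domain creates device nodes on tmpfs; confirm it holds `capability mknod` elsewhere in the block, which lies outside the hunk.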
@@ -56424,7 +56455,7 @@ index 29a9565..fcf5d6c 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -114,24 +151,32 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -114,25 +151,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -56455,9 +56486,11 @@ index 29a9565..fcf5d6c 100644 files_dontaudit_search_isid_type_dirs(init_t) +files_read_etc_runtime_files(init_t) files_manage_etc_runtime_files(init_t) ++files_manage_etc_symlinks(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: -@@ -151,10 +196,19 @@ mls_file_read_all_levels(init_t) + files_exec_etc_files(init_t) +@@ -151,10 +197,19 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -56478,7 +56511,7 @@ index 29a9565..fcf5d6c 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +216,16 @@ init_domtrans_script(init_t) +@@ -162,12 +217,16 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -56495,7 +56528,7 @@ index 29a9565..fcf5d6c 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +236,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +237,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -56504,7 +56537,7 @@ index 29a9565..fcf5d6c 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +244,131 @@ tunable_policy(`init_upstart',` +@@ -186,12 +245,131 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -56636,7 +56669,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -199,10 +376,26 @@ optional_policy(` +@@ -199,10 +377,26 @@ optional_policy(` ') optional_policy(` 
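Review bot: `files_manage_etc_symlinks(init_t)` in init.te gives init create, delete and rename over every `etc_t` symlink, which is broader than the `files_manage_etc_runtime_files` rule beside it (scoped to `etc_runtime_t`), and nothing in the hunk says which link init needs to manage. If this is for links such as /etc/localtime or /etc/mtab that systemd maintains (an assumption on my part), the why-comment should say so, and if an `etc_runtime_t` label or a file transition would cover it, the narrower rule is preferable: `# systemd rewrites symlinks in /etc (e.g. /etc/mtab, /etc/localtime); needs manage on etc_t symlinks`. The init_t section continues well outside this hunk.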
@@ -56663,7 +56696,7 @@ index 29a9565..fcf5d6c 100644 unconfined_domain(init_t) ') -@@ -212,7 +405,7 @@ optional_policy(` +@@ -212,7 +406,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -56672,7 +56705,7 @@ index 29a9565..fcf5d6c 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -56688,7 +56721,7 @@ index 29a9565..fcf5d6c 100644 init_write_initctl(initrc_t) -@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -56725,7 +56758,7 @@ index 29a9565..fcf5d6c 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -56733,7 +56766,7 @@ index 29a9565..fcf5d6c 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -56744,7 +56777,7 @@ index 29a9565..fcf5d6c 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -56761,7 +56794,7 @@ index 29a9565..fcf5d6c 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -56769,7 +56802,7 @@ index 29a9565..fcf5d6c 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -56781,7 +56814,7 @@ index 29a9565..fcf5d6c 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -56795,7 +56828,7 @@ index 29a9565..fcf5d6c 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -56804,7 +56837,7 @@ index 29a9565..fcf5d6c 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -56812,7 +56845,7 @@ index 29a9565..fcf5d6c 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -56820,7 +56853,7 @@ index 29a9565..fcf5d6c 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -56842,7 +56875,7 @@ index 29a9565..fcf5d6c 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -56853,7 +56886,7 @@ index 29a9565..fcf5d6c 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +704,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +705,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -56862,7 +56895,7 @@ index 29a9565..fcf5d6c 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +719,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +720,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -56870,7 +56903,7 @@ index 29a9565..fcf5d6c 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +749,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +750,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -56904,7 +56937,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -531,10 +783,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +784,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -56931,7 +56964,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -549,6 +817,39 @@ ifdef(`distro_suse',` +@@ -549,6 +818,39 @@ ifdef(`distro_suse',` ') ') @@ -56971,7 +57004,7 @@ index 29a9565..fcf5d6c 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +862,8 @@ optional_policy(` +@@ -561,6 +863,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -56980,7 +57013,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -577,6 +880,7 @@ optional_policy(` +@@ -577,6 +881,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -56988,7 +57021,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -589,6 +893,11 @@ optional_policy(` +@@ -589,6 +894,11 @@ optional_policy(` ') optional_policy(` @@ -57000,7 +57033,7 @@ index 29a9565..fcf5d6c 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +914,13 @@ optional_policy(` +@@ -605,9 +915,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -57014,7 +57047,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -649,6 +962,11 @@ optional_policy(` +@@ -649,6 +963,11 @@ optional_policy(` ') optional_policy(` 
@@ -57026,7 +57059,7 @@ index 29a9565..fcf5d6c 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1007,7 @@ optional_policy(` +@@ -689,6 +1008,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -57034,7 +57067,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -706,7 +1025,13 @@ optional_policy(` +@@ -706,7 +1026,13 @@ optional_policy(` ') optional_policy(` @@ -57048,7 +57081,7 @@ index 29a9565..fcf5d6c 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1054,10 @@ optional_policy(` +@@ -729,6 +1055,10 @@ optional_policy(` ') optional_policy(` @@ -57059,7 +57092,7 @@ index 29a9565..fcf5d6c 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1067,20 @@ optional_policy(` +@@ -738,10 +1068,20 @@ optional_policy(` ') optional_policy(` @@ -57080,7 +57113,7 @@ index 29a9565..fcf5d6c 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1089,10 @@ optional_policy(` +@@ -750,6 +1090,10 @@ optional_policy(` ') optional_policy(` @@ -57091,7 +57124,7 @@ index 29a9565..fcf5d6c 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1114,6 @@ optional_policy(` +@@ -771,8 +1115,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -57100,7 +57133,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -790,10 +1131,12 @@ optional_policy(` +@@ -790,10 +1132,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -57113,7 +57146,7 @@ index 29a9565..fcf5d6c 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1148,6 @@ optional_policy(` +@@ -805,7 +1149,6 @@ optional_policy(` ') optional_policy(` @@ -57121,7 +57154,7 @@ index 29a9565..fcf5d6c 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1157,24 @@ optional_policy(` +@@ -815,11 +1158,24 @@ optional_policy(` ') optional_policy(` 
@@ -57147,7 +57180,7 @@ index 29a9565..fcf5d6c 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1184,25 @@ optional_policy(` +@@ -829,6 +1185,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -57173,7 +57206,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -844,6 +1218,10 @@ optional_policy(` +@@ -844,6 +1219,10 @@ optional_policy(` ') optional_policy(` @@ -57184,7 +57217,7 @@ index 29a9565..fcf5d6c 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1232,45 @@ optional_policy(` +@@ -854,3 +1233,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -59496,7 +59529,7 @@ index 8b5c196..1ac1567 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..43f0a0b 100644 +index 15832c7..ed497ff 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -59573,7 +59606,7 @@ index 15832c7..43f0a0b 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,50 +95,74 @@ kernel_request_load_module(mount_t) +@@ -57,65 +95,93 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -59655,8 +59688,9 @@ index 15832c7..43f0a0b 100644 +mls_process_write_to_clearance(mount_t) selinux_get_enforce_mode(mount_t) ++selinux_mounton_fs(mount_t) -@@ -108,14 +170,17 @@ storage_raw_read_fixed_disk(mount_t) + storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) 
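Review bot: `selinux_mounton_fs(mount_t)` in mount.te lets mount(8) mount on top of the selinuxfs directory, and while the commit message covers the what, mount.te itself does not say why; given the `/selinux` relabel elsewhere in this patch the likely reason is a bind mount of /sys/fs/selinux, but that is inference. Mounting over the policy interface is also exactly how a misconfigured unit would make libselinux believe SELinux is disabled, so the call site deserves a comment: `# allow bind-mounting /sys/fs/selinux (e.g. onto /selinux); mounting anything else over it hides the policy interface from userspace`. The mount_t rule block starts before this hunk.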
@@ -59675,7 +59709,7 @@ index 15832c7..43f0a0b 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +191,12 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +192,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -59688,7 +59722,7 @@ index 15832c7..43f0a0b 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +212,29 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +213,29 @@ ifdef(`distro_ubuntu',` ') ') @@ -59726,7 +59760,7 @@ index 15832c7..43f0a0b 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +248,8 @@ optional_policy(` +@@ -174,6 +249,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -59735,7 +59769,7 @@ index 15832c7..43f0a0b 100644 ') optional_policy(` -@@ -181,6 +257,28 @@ optional_policy(` +@@ -181,6 +258,28 @@ optional_policy(` ') optional_policy(` @@ -59764,7 +59798,7 @@ index 15832c7..43f0a0b 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,13 +286,52 @@ optional_policy(` +@@ -188,13 +287,52 @@ optional_policy(` ') ') @@ -59817,7 +59851,7 @@ index 15832c7..43f0a0b 100644 ') ######################################## -@@ -203,6 +340,43 @@ optional_policy(` +@@ -203,6 +341,43 @@ optional_policy(` # optional_policy(` @@ -63453,7 +63487,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..181ada4 100644 +index 4b2878a..c0e5c10 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
@@ -63467,7 +63501,7 @@ index 4b2878a..181ada4 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,103 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,104 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -63559,6 +63593,7 @@ index 4b2878a..181ada4 100644 + + files_read_etc_files($1_usertype) + files_list_mnt($1_usertype) ++ files_list_var($1_usertype) + files_read_mnt_files($1_usertype) + files_dontaudit_access_check_mnt($1_usertype) + files_read_etc_runtime_files($1_usertype) @@ -63620,7 +63655,7 @@ index 4b2878a..181ada4 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +151,20 @@ template(`userdom_base_user_template',` +@@ -116,6 +152,20 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -63641,7 +63676,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -149,6 +198,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +199,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -63650,7 +63685,7 @@ index 4b2878a..181ada4 100644 ############################## # # Domain access to home dir -@@ -166,27 +217,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +218,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -63678,7 +63713,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -218,8 +248,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +249,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; 
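Review bot: `files_list_var($1_usertype)` in userdom_base_user_template is granted to the whole `$1_usertype` attribute rather than to `$1_t`, so every domain carrying the attribute (in this policy that tends to include the user's application domains, though I cannot see every place it is applied) may list `var_t` directories, not just the login shell. Listing /var is low risk on its own — directory names only, and `files_list_var` presumably does not reach the var_lib_t/var_log_t subtrees — but the choice of attribute should be deliberate and stated: `# all user-type domains may list /var; content types beneath it still need their own rules`. The template body continues outside this hunk.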
@@ -63690,7 +63725,7 @@ index 4b2878a..181ada4 100644 ############################## # # Domain access to home dir -@@ -228,17 +261,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +262,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -63722,7 +63757,7 @@ index 4b2878a..181ada4 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +283,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +284,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -63752,7 +63787,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -286,17 +321,63 @@ interface(`userdom_manage_home_role',` +@@ -286,17 +322,63 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -63821,7 +63856,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -316,6 +397,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +398,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -63829,7 +63864,7 @@ index 4b2878a..181ada4 100644 files_search_tmp($1) ') -@@ -347,59 +429,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,59 +430,62 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -63924,7 +63959,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -430,6 +515,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +516,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) 
@@ -63932,7 +63967,7 @@ index 4b2878a..181ada4 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -462,8 +548,8 @@ template(`userdom_change_password_template',` +@@ -462,8 +549,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -63943,7 +63978,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -490,7 +576,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +577,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -63952,7 +63987,7 @@ index 4b2878a..181ada4 100644 ############################## # -@@ -500,73 +586,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +587,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -64076,7 +64111,7 @@ index 4b2878a..181ada4 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +668,123 @@ template(`userdom_common_user_template',` +@@ -574,67 +669,123 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -64218,7 +64253,7 @@ index 4b2878a..181ada4 100644 ') optional_policy(` -@@ -650,41 +800,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +801,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -64280,7 +64315,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -712,13 +871,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +872,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) 
@@ -64312,7 +64347,7 @@ index 4b2878a..181ada4 100644 userdom_change_password_template($1) -@@ -736,72 +908,76 @@ template(`userdom_login_user_template', ` +@@ -736,72 +909,76 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -64422,7 +64457,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -833,6 +1009,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -64432,7 +64467,7 @@ index 4b2878a..181ada4 100644 ############################## # # Local policy -@@ -874,45 +1053,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -64562,7 +64597,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -947,7 +1199,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -64571,7 +64606,7 @@ index 4b2878a..181ada4 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1208,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -64589,7 +64624,7 @@ index 4b2878a..181ada4 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,32 +1233,76 @@ template(`userdom_unpriv_user_template', ` +@@ -978,32 +1234,76 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -64678,7 +64713,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -1039,7 +1338,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1339,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -64687,7 +64722,7 @@ index 4b2878a..181ada4 100644 ') ############################## -@@ -1066,6 +1365,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1366,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -64695,7 +64730,7 @@ index 4b2878a..181ada4 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1375,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -64705,7 +64740,7 @@ index 4b2878a..181ada4 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1392,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -64713,7 +64748,7 @@ index 4b2878a..181ada4 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1410,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -64727,7 +64762,7 @@ index 4b2878a..181ada4 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1426,22 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1427,22 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -64751,7 +64786,7 @@ index 4b2878a..181ada4 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1453,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1454,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -64763,7 +64798,7 @@ index 4b2878a..181ada4 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1466,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1467,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -64772,7 +64807,7 @@ index 4b2878a..181ada4 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1527,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1528,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -64781,7 +64816,7 @@ index 4b2878a..181ada4 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1541,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1542,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -64789,7 +64824,7 @@ index 4b2878a..181ada4 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1234,13 +1554,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1555,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -64818,7 +64853,7 @@ index 4b2878a..181ada4 100644 ') optional_policy(` -@@ -1251,12 +1582,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1583,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') 
@@ -64834,7 +64869,7 @@ index 4b2878a..181ada4 100644 ') optional_policy(` -@@ -1279,54 +1610,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1611,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -64916,7 +64951,7 @@ index 4b2878a..181ada4 100644 ## ## ## -@@ -1334,9 +1677,46 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,9 +1678,46 @@ interface(`userdom_setattr_user_ptys',` ## ## # @@ -64965,7 +65000,7 @@ index 4b2878a..181ada4 100644 ') term_create_pty($1, user_devpts_t) -@@ -1395,6 +1775,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1776,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -64973,7 +65008,7 @@ index 4b2878a..181ada4 100644 files_search_home($1) ') -@@ -1441,6 +1822,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1823,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -64988,7 +65023,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1456,9 +1845,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1846,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -65000,7 +65035,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1515,6 +1906,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1907,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -65043,7 +65078,7 @@ index 4b2878a..181ada4 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2016,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2017,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; 
@@ -65052,7 +65087,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1603,10 +2032,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2033,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -65067,7 +65102,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1649,6 +2080,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2081,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -65111,7 +65146,7 @@ index 4b2878a..181ada4 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2136,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2137,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -65137,7 +65172,7 @@ index 4b2878a..181ada4 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2187,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2188,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -65170,7 +65205,7 @@ index 4b2878a..181ada4 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -65188,7 +65223,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## 
@@ -65249,7 +65284,7 @@ index 4b2878a..181ada4 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -65259,7 +65294,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2391,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -65284,7 +65319,7 @@ index 4b2878a..181ada4 100644 ######################################## ## -@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -65309,7 +65344,7 @@ index 4b2878a..181ada4 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -65318,7 +65353,7 @@ index 4b2878a..181ada4 100644 files_search_home($1) ') -@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -65327,7 +65362,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -2435,13 +3010,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3011,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -65343,7 +65378,7 @@ index 4b2878a..181ada4 100644 ## ## ## -@@ -2462,26 +3038,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3039,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -65370,7 +65405,7 @@ index 4b2878a..181ada4 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3128,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3129,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -65379,7 +65414,7 @@ index 4b2878a..181ada4 100644 ## ## ## -@@ -2580,70 +3136,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3137,138 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -65548,7 +65583,7 @@ index 4b2878a..181ada4 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2736,24 +3360,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3361,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -65573,7 +65608,7 @@ index 4b2878a..181ada4 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3378,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3379,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -65599,7 +65634,7 @@ index 4b2878a..181ada4 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3439,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3440,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -65608,7 +65643,7 @@ index 4b2878a..181ada4 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3455,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3456,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -65642,7 +65677,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -2972,7 +3543,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3544,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -65651,7 +65686,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -3027,7 +3598,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3599,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -65698,7 +65733,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -3064,6 +3673,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3674,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -65706,7 +65741,7 @@ index 4b2878a..181ada4 100644 kernel_search_proc($1) ') -@@ -3142,6 +3752,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3753,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -65731,7 +65766,7 @@ index 4b2878a..181ada4 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3822,1075 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3823,1075 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 34f536cc..2ea5fbe7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -452,6 +452,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 22 2011 Miroslav Grepl 3.10.0-8 +- Fix oracledb_port definition +- Allow mount to mounton the selinux file system +- Allow users to list /var directories + * Thu Jul 21 2011 Miroslav Grepl 3.10.0-7 - systemd fixes