diff --git a/policy-rawhide.patch b/policy-rawhide.patch index cc2839ad..803caa96 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -70640,7 +70640,7 @@ index cda5588..91d1e25 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 7c6b791..aad6319 100644 +index 7c6b791..b40a5a5 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -71137,7 +71137,7 @@ index 7c6b791..aad6319 100644 ######################################## ## ## Mount a FUSE filesystem. -@@ -2025,6 +2387,68 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -71202,11 +71202,30 @@ index 7c6b791..aad6319 100644 +') + +######################################## ++## ++## Get the attributes of a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_getattr_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:filesystem getattr; ++') ++ ++######################################## +## ## Get the attributes of an hugetlbfs ## filesystem. ## -@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## @@ -71231,7 +71250,7 @@ index 7c6b791..aad6319 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',` +@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -71245,7 +71264,7 @@ index 7c6b791..aad6319 100644 ## ## ## -@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -71253,7 +71272,7 @@ index 7c6b791..aad6319 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -71261,7 +71280,7 @@ index 7c6b791..aad6319 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3013,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -71287,7 +71306,7 @@ index 7c6b791..aad6319 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3052,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -71296,7 +71315,7 @@ index 7c6b791..aad6319 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3072,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -71339,7 +71358,7 @@ index 7c6b791..aad6319 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -71348,7 +71367,7 @@ index 7c6b791..aad6319 100644 ') ######################################## -@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -71357,7 +71376,7 @@ index 7c6b791..aad6319 100644 ## ## ## -@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',` ## ## ## @@ -71366,7 +71385,7 @@ index 7c6b791..aad6319 100644 ## ## # -@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -71375,7 +71394,7 @@ index 7c6b791..aad6319 100644 ## ## # -@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -71383,7 +71402,7 @@ index 7c6b791..aad6319 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -71391,7 +71410,7 @@ index 7c6b791..aad6319 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -71399,7 +71418,7 @@ index 7c6b791..aad6319 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -71424,7 +71443,7 @@ index 7c6b791..aad6319 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -71449,7 +71468,7 @@ index 7c6b791..aad6319 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -71458,7 +71477,7 @@ index 7c6b791..aad6319 100644 ## ## ## -@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -71467,7 +71486,7 @@ index 7c6b791..aad6319 100644 ## ## ## -@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -71476,7 +71495,7 @@ index 7c6b791..aad6319 100644 ## ## ## -@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -71501,7 +71520,7 @@ index 7c6b791..aad6319 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3963,6 +4539,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -71544,7 +71563,7 @@ index 7c6b791..aad6319 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4069,7 +4681,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -71553,7 +71572,7 @@ index 7c6b791..aad6319 100644 ') ######################################## -@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4129,6 +4741,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -71578,7 +71597,7 @@ index 7c6b791..aad6319 100644 ## Read tmpfs link files. ## ## -@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4166,7 +4796,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -71587,7 +71606,7 @@ index 7c6b791..aad6319 100644 ## ## ## -@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4185,6 +4815,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -71630,7 +71649,7 @@ index 7c6b791..aad6319 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4242,6 +4889,43 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4242,6 +4908,43 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -71674,7 +71693,7 @@ index 7c6b791..aad6319 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4261,6 +4945,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4261,6 +4964,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -71700,7 +71719,7 @@ index 7c6b791..aad6319 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4467,6 +5170,8 @@ interface(`fs_mount_all_fs',` +@@ -4467,6 +5189,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -71709,7 +71728,7 @@ index 7c6b791..aad6319 100644 ') ######################################## -@@ -4513,7 +5218,7 @@ interface(`fs_unmount_all_fs',` +@@ -4513,7 +5237,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -71718,7 +71737,7 @@ index 7c6b791..aad6319 100644 ## Example attributes: ##

##
    -@@ -4876,3 +5581,43 @@ interface(`fs_unconfined',` +@@ -4876,3 +5600,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -87697,14 +87716,15 @@ index cbbda4a..8dcc346 100644 +userdom_use_inherited_user_terminals(netlabel_mgmt_t) + diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc -index d43f3b1..5858c5f 100644 +index d43f3b1..c4182e8 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc -@@ -6,13 +6,13 @@ +@@ -6,13 +6,14 @@ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) -/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh) ++/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0) +/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) -/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) @@ -87717,7 +87737,7 @@ index d43f3b1..5858c5f 100644 # # /root -@@ -35,12 +35,14 @@ +@@ -35,12 +36,14 @@ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) @@ -87733,7 +87753,7 @@ index d43f3b1..5858c5f 100644 # # /var/lib -@@ -51,3 +53,7 @@ +@@ -51,3 +54,7 @@ # /var/run # /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) @@ -87742,7 +87762,7 @@ index d43f3b1..5858c5f 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..cac0b1e 100644 +index 3822072..beae2dc 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` @@ -87899,7 +87919,7 @@ index 3822072..cac0b1e 100644 ## Execute setfiles in the caller domain. ##
## -@@ -680,6 +776,7 @@ interface(`seutil_manage_config',` +@@ -680,10 +776,94 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -87907,7 +87927,160 @@ index 3822072..cac0b1e 100644 manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -746,6 +843,29 @@ interface(`seutil_read_default_contexts',` + ++######################################## ++## ++## Do not audit attempts to search the SELinux ++## login configuration directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`seutil_dontaudit_search_login_config',` ++ gen_require(` ++ type selinux_login_config_t; ++ ') ++ ++ dontaudit $1 selinux_login_config_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read the SELinux ++## login configuration. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`seutil_dontaudit_read_login_config',` ++ gen_require(` ++ type selinux_login_config_t; ++ ') ++ dontaudit $1 selinux_login_config_t:dir search_dir_perms; ++ dontaudit $1 selinux_login_config_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Read the SELinux login configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_read_login_config',` ++ gen_require(` ++ type selinux_config_t; ++ type selinux_login_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir search_dir_perms; ++ allow $1 selinux_login_config_t:dir list_dir_perms; ++ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++') ++ ++######################################## ++## ++## Read and write the SELinux login configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_rw_login_config',` ++ gen_require(` ++ type selinux_config_t; ++ type selinux_login_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir search_dir_perms; ++ allow $1 selinux_login_config_t:dir list_dir_perms; ++ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++') ++ + ####################################### + ## + ## Create, read, write, and delete +@@ -694,15 +874,62 @@ interface(`seutil_manage_config',` + ## Domain allowed access. + ## + ## +-## + # +-interface(`seutil_manage_config_dirs',` ++interface(`seutil_rw_login_config_dirs',` + gen_require(` + type selinux_config_t; ++ type selinux_login_config_t; + ') + + files_search_etc($1) +- allow $1 selinux_config_t:dir manage_dir_perms; ++ allow $1 selinux_config_t:dir search_dir_perms; ++ allow $1 selinux_login_config_t:dir rw_dir_perms; ++') ++ ++###################################### ++## ++## Create, read, write, and delete ++## the general selinux configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_manage_login_config',` ++ gen_require(` ++ type selinux_config_t; ++ type selinux_login_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir search_dir_perms; ++ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++') ++ ++###################################### ++## ++## manage the login selinux configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_manage_login_config_files',` ++ gen_require(` ++ type selinux_config_t; ++ type selinux_login_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir search_dir_perms; ++ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ++ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) + ') + + ######################################## +@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') @@ -87937,7 +88110,7 @@ index 3822072..cac0b1e 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -999,6 +1119,26 @@ interface(`seutil_domtrans_semanage',` +@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -87964,7 +88137,7 @@ index 3822072..cac0b1e 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1157,66 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -88033,7 +88206,17 @@ index 3822072..cac0b1e 100644 ') ######################################## -@@ -1137,3 +1332,58 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',` + manage_dirs_pattern($1, selinux_config_t, semanage_store_t) + manage_files_pattern($1, semanage_store_t, semanage_store_t) + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous") ++ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp") + ') + + ####################################### +@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -88093,7 +88276,7 @@ index 3822072..cac0b1e 100644 + auth_relabelto_shadow($1) +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..98094ae 100644 +index ec01d0b..12ed3ea 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,17 @@ gen_require(` @@ -88119,17 +88302,20 @@ index ec01d0b..98094ae 100644 # # selinux_config_t is the type applied to -@@ -30,6 +33,9 @@ roleattribute system_r semanage_roles; +@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles; type selinux_config_t; files_type(selinux_config_t) ++type selinux_login_config_t; ++files_type(selinux_login_config_t) ++ +type selinux_var_lib_t; +files_type(selinux_var_lib_t) + type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; application_domain(checkpolicy_t, checkpolicy_exec_t) -@@ -60,14 +66,20 @@ application_domain(newrole_t, newrole_exec_t) +@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t) domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) domain_interactive_fd(newrole_t) @@ -88153,7 +88339,7 @@ index ec01d0b..98094ae 100644 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; -@@ -83,7 +95,6 @@ type restorecond_t; +@@ -83,7 +98,6 @@ type restorecond_t; type restorecond_exec_t; init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -88161,7 +88347,7 @@ index ec01d0b..98094ae 100644 type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,25 +103,33 @@ type run_init_t; +@@ -92,25 +106,32 @@ type run_init_t; type run_init_exec_t; application_domain(run_init_t, run_init_exec_t) domain_system_change_exemption(run_init_t) @@ -88172,7 +88358,6 @@ index ec01d0b..98094ae 100644 type semanage_t; type semanage_exec_t; application_domain(semanage_t, semanage_exec_t) -+dbus_system_domain(semanage_t, semanage_exec_t) +init_daemon_domain(semanage_t, semanage_exec_t) domain_interactive_fd(semanage_t) -role semanage_roles types semanage_t; @@ -88200,7 +88385,7 @@ index ec01d0b..98094ae 100644 type semanage_var_lib_t; files_type(semanage_var_lib_t) -@@ -120,6 +139,11 @@ type setfiles_exec_t alias restorecon_exec_t; +@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t; init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -88212,7 +88397,15 @@ index ec01d0b..98094ae 100644 ######################################## # # Checkpolicy local policy -@@ -151,7 +175,7 @@ term_use_console(checkpolicy_t) +@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) + read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) + read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) + allow checkpolicy_t selinux_config_t:dir search_dir_perms; ++allow checkpolicy_t selinux_login_config_t:dir search_dir_perms; + + domain_use_interactive_fds(checkpolicy_t) + +@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t) init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) @@ -88221,7 +88414,7 @@ index ec01d0b..98094ae 100644 userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` -@@ -188,13 +212,15 @@ term_list_ptys(load_policy_t) +@@ -188,13 +215,15 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) @@ -88238,7 +88431,15 @@ index ec01d0b..98094ae 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -220,7 +246,7 @@ optional_policy(` +@@ -205,6 +234,7 @@ ifdef(`distro_ubuntu',` + ifdef(`hide_broken_symptoms',` + # cjp: cover up stray file descriptors. + dontaudit load_policy_t selinux_config_t:file write; ++ dontaudit load_policy_t selinux_login_config_t:file write; + + optional_policy(` + unconfined_dontaudit_read_pipes(load_policy_t) +@@ -220,7 +250,7 @@ optional_policy(` # Newrole local policy # @@ -88247,7 +88448,7 @@ index ec01d0b..98094ae 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -232,7 +258,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -232,7 +262,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -88256,7 +88457,7 @@ index ec01d0b..98094ae 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -249,6 +275,7 @@ domain_use_interactive_fds(newrole_t) +@@ -249,6 +279,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) @@ -88264,7 +88465,7 @@ index ec01d0b..98094ae 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -276,25 +303,39 @@ term_relabel_all_ptys(newrole_t) +@@ -276,25 +307,39 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -88310,7 +88511,7 @@ index ec01d0b..98094ae 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -309,7 +350,7 @@ if(secure_mode) { +@@ -309,7 +354,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } @@ -88319,7 +88520,7 @@ index ec01d0b..98094ae 100644 files_polyinstantiate_all(newrole_t) ') -@@ -328,9 +369,13 @@ kernel_use_fds(restorecond_t) +@@ -328,9 +373,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -88334,7 +88535,7 @@ index ec01d0b..98094ae 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,6 +386,7 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,6 +390,7 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -88342,7 +88543,7 @@ index ec01d0b..98094ae 100644 auth_use_nsswitch(restorecond_t) locallogin_dontaudit_use_fds(restorecond_t) -@@ -351,6 +397,8 @@ miscfiles_read_localization(restorecond_t) +@@ -351,6 +401,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) @@ -88351,7 +88552,7 @@ index ec01d0b..98094ae 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -366,21 +414,24 @@ optional_policy(` +@@ -366,21 +418,24 @@ optional_policy(` # Run_init local policy # @@ -88378,7 +88579,7 @@ index ec01d0b..98094ae 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,14 +449,23 @@ selinux_compute_create_context(run_init_t) +@@ -398,14 +453,23 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -88404,7 +88605,7 @@ index ec01d0b..98094ae 100644 logging_send_syslog_msg(run_init_t) -@@ -414,7 +474,7 @@ miscfiles_read_localization(run_init_t) +@@ -414,7 +478,7 @@ miscfiles_read_localization(run_init_t) seutil_libselinux_linked(run_init_t) seutil_read_default_contexts(run_init_t) @@ -88413,7 +88614,7 @@ index ec01d0b..98094ae 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +485,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +489,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -88433,7 +88634,7 @@ index ec01d0b..98094ae 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +513,83 @@ optional_policy(` +@@ -440,81 +517,87 @@ optional_policy(` # semodule local policy # @@ -88480,11 +88681,11 @@ index ec01d0b..98094ae 100644 - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) +- +-locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) --locallogin_use_fds(semanage_t) -- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) @@ -88527,6 +88728,10 @@ index ec01d0b..98094ae 100644 - unconfined_domain(semanage_t) - ') +optional_policy(` ++ dbus_system_domain(semanage_t, semanage_exec_t) ++') ++ ++optional_policy(` + mock_manage_lib_files(semanage_t) + mock_manage_lib_dirs(semanage_t) +') @@ -88570,7 +88775,7 @@ index ec01d0b..98094ae 100644 ') ######################################## -@@ -522,108 +597,184 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +605,184 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -88647,14 +88852,15 @@ index ec01d0b..98094ae 100644 + devicekit_dontaudit_read_pid_files(setfiles_t) + devicekit_dontaudit_rw_log(setfiles_t) +') - --seutil_libselinux_linked(setfiles_t) ++ +optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) +') -+ + +-seutil_libselinux_linked(setfiles_t) +ifdef(`hide_broken_symptoms',` -+ + +-userdom_use_all_users_fds(setfiles_t) + optional_policy(` + setroubleshoot_fixit_dontaudit_leaks(setfiles_t) + setroubleshoot_fixit_dontaudit_leaks(setsebool_t) @@ -88665,8 +88871,7 @@ index ec01d0b..98094ae 100644 + unconfined_domain(setfiles_t) + ') +') - --userdom_use_all_users_fds(setfiles_t) ++ +######################################## +# +# Setfiles common policy diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 49247694..8e5df662 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -841,7 +841,7 @@ index c0f858d..d75aae9 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 1632f10..1cb95bc 100644 +index 1632f10..1b42ac3 100644 --- a/accountsd.te +++ b/accountsd.te @@ -1,5 +1,9 @@ @@ -854,10 +854,11 @@ index 1632f10..1cb95bc 100644 ######################################## # # Declarations -@@ -8,34 +12,46 @@ policy_module(accountsd, 1.0.0) +@@ -7,35 +11,46 @@ policy_module(accountsd, 1.0.0) + type accountsd_t; type accountsd_exec_t; - dbus_system_domain(accountsd_t, accountsd_exec_t) +-dbus_system_domain(accountsd_t, accountsd_exec_t) +init_daemon_domain(accountsd_t, accountsd_exec_t) +role system_r types accountsd_t; @@ -902,11 +903,15 @@ index 1632f10..1cb95bc 100644 miscfiles_read_localization(accountsd_t) -@@ -50,8 +66,15 @@ usermanage_domtrans_passwd(accountsd_t) +@@ -50,8 +65,19 @@ usermanage_domtrans_passwd(accountsd_t) optional_policy(` consolekit_read_log(accountsd_t) + consolekit_dbus_chat(accountsd_t) ++') ++ ++optional_policy(` ++ dbus_system_domain(accountsd_t, accountsd_exec_t) ') optional_policy(` @@ -5399,15 +5404,27 @@ index 6355318..98ba16a 100644 /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) diff --git a/blueman.te b/blueman.te -index 70969fa..5d26a60 100644 +index 70969fa..2734ef8 100644 --- a/blueman.te +++ b/blueman.te -@@ -44,3 +44,11 @@ miscfiles_read_localization(blueman_t) +@@ -7,7 +7,6 @@ policy_module(blueman, 1.0.0) + + type blueman_t; + type blueman_exec_t; +-dbus_system_domain(blueman_t, blueman_exec_t) + init_daemon_domain(blueman_t, blueman_exec_t) + + type blueman_var_lib_t; +@@ -44,3 +43,15 @@ miscfiles_read_localization(blueman_t) optional_policy(` avahi_domtrans(blueman_t) ') + +optional_policy(` ++ dbus_system_domain(blueman_t, blueman_exec_t) ++') ++ ++optional_policy(` + gnome_search_gconf(blueman_t) +') + @@ -15410,28 +15427,29 @@ index f706b99..aa049fc 100644 + #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 1819518..b2dd360 100644 +index 1819518..84a3fbd 100644 --- a/devicekit.te +++ b/devicekit.te -@@ -8,14 +8,17 @@ policy_module(devicekit, 1.2.0) +@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0) + type devicekit_t; type devicekit_exec_t; - dbus_system_domain(devicekit_t, devicekit_exec_t) +-dbus_system_domain(devicekit_t, devicekit_exec_t) +init_daemon_domain(devicekit_t, devicekit_exec_t) type devicekit_power_t; type devicekit_power_exec_t; - dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) +-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) +init_daemon_domain(devicekit_power_t, devicekit_power_exec_t) type devicekit_disk_t; type devicekit_disk_exec_t; - dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) +-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) +init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t) type devicekit_tmp_t; files_tmp_file(devicekit_tmp_t) -@@ -26,6 +29,9 @@ files_pid_file(devicekit_var_run_t) +@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) type devicekit_var_lib_t; files_type(devicekit_var_lib_t) @@ -15441,7 +15459,7 @@ index 1819518..b2dd360 100644 ######################################## # # DeviceKit local policy -@@ -42,7 +48,6 @@ kernel_read_system_state(devicekit_t) +@@ -42,11 +45,11 @@ kernel_read_system_state(devicekit_t) dev_read_sysfs(devicekit_t) dev_read_urand(devicekit_t) @@ -15449,7 +15467,12 @@ index 1819518..b2dd360 100644 miscfiles_read_localization(devicekit_t) -@@ -62,7 +67,8 @@ optional_policy(` + optional_policy(` ++ dbus_system_domain(devicekit_t, devicekit_exec_t) + dbus_system_bus_client(devicekit_t) + + allow devicekit_t devicekit_disk_t:dbus send_msg; +@@ -62,7 +65,8 @@ optional_policy(` # DeviceKit disk local policy # @@ -15459,7 +15482,7 @@ index 1819518..b2dd360 100644 allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -75,10 +81,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -75,10 +79,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -15474,7 +15497,7 @@ index 1819518..b2dd360 100644 kernel_getattr_message_if(devicekit_disk_t) kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_network_state(devicekit_disk_t) -@@ -97,6 +107,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) +@@ -97,6 +105,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) @@ -15482,7 +15505,7 @@ index 1819518..b2dd360 100644 domain_getattr_all_pipes(devicekit_disk_t) domain_getattr_all_sockets(devicekit_disk_t) -@@ -105,14 +116,16 @@ domain_read_all_domains_state(devicekit_disk_t) +@@ -105,14 +114,16 @@ domain_read_all_domains_state(devicekit_disk_t) files_dontaudit_read_all_symlinks(devicekit_disk_t) files_getattr_all_sockets(devicekit_disk_t) @@ -15501,7 +15524,7 @@ index 1819518..b2dd360 100644 fs_list_inotifyfs(devicekit_disk_t) fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) -@@ -127,14 +140,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -127,16 +138,20 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -15519,8 +15542,11 @@ index 1819518..b2dd360 100644 +userdom_manage_user_tmp_dirs(devicekit_disk_t) optional_policy(` ++ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) dbus_system_bus_client(devicekit_disk_t) -@@ -170,6 +186,10 @@ optional_policy(` + + allow devicekit_disk_t devicekit_t:dbus send_msg; +@@ -170,6 +185,10 @@ optional_policy(` ') optional_policy(` @@ -15531,7 +15557,7 @@ index 1819518..b2dd360 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -178,55 +198,84 @@ optional_policy(` +@@ -178,55 +197,84 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -15622,7 +15648,7 @@ index 1819518..b2dd360 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,7 +284,12 @@ optional_policy(` +@@ -235,10 +283,16 @@ optional_policy(` ') optional_policy(` @@ -15635,6 +15661,10 @@ index 1819518..b2dd360 100644 ') optional_policy(` ++ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + dbus_system_bus_client(devicekit_power_t) + + allow devicekit_power_t devicekit_t:dbus send_msg; @@ -261,14 +315,21 @@ optional_policy(` ') @@ -19725,18 +19755,19 @@ index ebad8c4..640293e 100644 ') - diff --git a/fprintd.te b/fprintd.te -index 7df52c7..1eb75fd 100644 +index 7df52c7..d27d645 100644 --- a/fprintd.te +++ b/fprintd.te -@@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0) +@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0) + type fprintd_t; type fprintd_exec_t; - dbus_system_domain(fprintd_t, fprintd_exec_t) +-dbus_system_domain(fprintd_t, fprintd_exec_t) +init_daemon_domain(fprintd_t, fprintd_exec_t) type fprintd_var_lib_t; files_type(fprintd_var_lib_t) -@@ -17,9 +18,10 @@ files_type(fprintd_var_lib_t) +@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t) # Local policy # @@ -19749,7 +19780,7 @@ index 7df52c7..1eb75fd 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -33,7 +35,6 @@ dev_list_usbfs(fprintd_t) +@@ -33,7 +34,6 @@ dev_list_usbfs(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) dev_read_sysfs(fprintd_t) @@ -19757,7 +19788,15 @@ index 7df52c7..1eb75fd 100644 files_read_usr_files(fprintd_t) fs_getattr_all_fs(fprintd_t) -@@ -54,4 +55,5 @@ optional_policy(` +@@ -50,8 +50,13 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_domain(fprintd_t, fprintd_exec_t) ++') ++ ++optional_policy(` + policykit_read_reload(fprintd_t) policykit_read_lib(fprintd_t) policykit_dbus_chat(fprintd_t) policykit_domtrans_auth(fprintd_t) @@ -22952,7 +22991,7 @@ index f5afe78..7861fc8 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/gnome.te b/gnome.te -index 783c5fb..6667fec 100644 +index 783c5fb..9d2b881 100644 --- a/gnome.te +++ b/gnome.te @@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0) @@ -22988,7 +23027,7 @@ index 783c5fb..6667fec 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -28,12 +48,35 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; +@@ -28,12 +48,33 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) @@ -23014,18 +23053,16 @@ index 783c5fb..6667fec 100644 + +type gconfdefaultsm_t; +type gconfdefaultsm_exec_t; -+dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) +init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) + +type gnomesystemmm_t; +type gnomesystemmm_exec_t; -+dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) +init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t) + ############################## # # Local Policy -@@ -73,3 +116,157 @@ optional_policy(` +@@ -73,3 +114,165 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -23059,6 +23096,10 @@ index 783c5fb..6667fec 100644 +') + +optional_policy(` ++ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) ++') ++ ++optional_policy(` + nscd_dontaudit_search_pid(gconfdefaultsm_t) +') + @@ -23106,6 +23147,10 @@ index 783c5fb..6667fec 100644 +') + +optional_policy(` ++ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t) ++') ++ ++optional_policy(` + nscd_dontaudit_search_pid(gnomesystemmm_t) +') + @@ -23224,13 +23269,14 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/gnomeclock.te b/gnomeclock.te -index 4fde46b..469a6e3 100644 +index 4fde46b..eb8918a 100644 --- a/gnomeclock.te +++ b/gnomeclock.te -@@ -8,25 +8,37 @@ policy_module(gnomeclock, 1.0.0) +@@ -7,26 +7,37 @@ policy_module(gnomeclock, 1.0.0) + type gnomeclock_t; type gnomeclock_exec_t; - dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +-dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +init_daemon_domain(gnomeclock_t, gnomeclock_exec_t) ######################################## @@ -23253,10 +23299,10 @@ index 4fde46b..469a6e3 100644 +corecmd_dontaudit_access_check_bin(gnomeclock_t) + +corenet_tcp_connect_time_port(gnomeclock_t) -+ -+dev_read_sysfs(gnomeclock_t) -files_read_etc_files(gnomeclock_t) ++dev_read_sysfs(gnomeclock_t) ++ +files_read_etc_runtime_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) @@ -23269,7 +23315,7 @@ index 4fde46b..469a6e3 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +47,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +46,38 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -23289,6 +23335,10 @@ index 4fde46b..469a6e3 100644 +') + +optional_policy(` ++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ++') ++ ++optional_policy(` + gnome_manage_usr_config(gnomeclock_t) +') + @@ -26090,10 +26140,10 @@ index 0000000..868c7d0 +') diff --git a/jockey.te b/jockey.te new file mode 100644 -index 0000000..0316d53 +index 0000000..9632221 --- /dev/null +++ b/jockey.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,55 @@ +policy_module(jockey, 1.0.0) + +######################################## @@ -26103,7 +26153,6 @@ index 0000000..0316d53 + +type jockey_t; +type jockey_exec_t; -+dbus_system_domain(jockey_t, jockey_exec_t) +init_daemon_domain(jockey_t, jockey_exec_t) + +type jockey_cache_t; @@ -26143,6 +26192,10 @@ index 0000000..0316d53 +miscfiles_read_localization(jockey_t) + +optional_policy(` ++ dbus_system_domain(jockey_t, jockey_exec_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(jockey_t) + modutils_read_module_config(jockey_t) +') @@ -26183,10 +26236,10 @@ index 0000000..cf65577 +') diff --git a/kde.te b/kde.te new file mode 100644 -index 0000000..f9b9c0f +index 0000000..3d7b011 --- /dev/null +++ b/kde.te -@@ -0,0 +1,41 @@ +@@ -0,0 +1,44 @@ +policy_module(kde,1.0.0) + +######################################## @@ -26196,7 +26249,6 @@ index 0000000..f9b9c0f + +type kdebacklighthelper_t; +type kdebacklighthelper_exec_t; -+dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t) +init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t) + +######################################## @@ -26221,6 +26273,10 @@ index 0000000..f9b9c0f +miscfiles_read_localization(kdebacklighthelper_t) + +optional_policy(` ++ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t) ++') ++ ++optional_policy(` + consolekit_dbus_chat(kdebacklighthelper_t) +') + @@ -26476,13 +26532,14 @@ index b29d8e2..c1b4a64 100644 + unconfined_domain(kdumpctl_t) +') diff --git a/kdumpgui.te b/kdumpgui.te -index 0c52f60..a085fbd 100644 +index 0c52f60..38c154f 100644 --- a/kdumpgui.te +++ b/kdumpgui.te -@@ -8,6 +8,10 @@ policy_module(kdumpgui, 1.1.0) +@@ -7,7 +7,10 @@ policy_module(kdumpgui, 1.1.0) + type kdumpgui_t; type kdumpgui_exec_t; - dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) +-dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) +init_daemon_domain(kdumpgui_t, kdumpgui_exec_t) + +type kdumpgui_tmp_t; @@ -26490,7 +26547,7 @@ index 0c52f60..a085fbd 100644 ###################################### # -@@ -18,6 +22,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; +@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; allow kdumpgui_t self:fifo_file rw_fifo_file_perms; allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -26501,7 +26558,7 @@ index 0c52f60..a085fbd 100644 kernel_read_system_state(kdumpgui_t) kernel_read_network_state(kdumpgui_t) -@@ -36,6 +44,8 @@ files_manage_etc_runtime_files(kdumpgui_t) +@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) files_read_usr_files(kdumpgui_t) @@ -26510,7 +26567,7 @@ index 0c52f60..a085fbd 100644 storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) -@@ -45,8 +55,20 @@ logging_send_syslog_msg(kdumpgui_t) +@@ -45,19 +54,36 @@ logging_send_syslog_msg(kdumpgui_t) miscfiles_read_localization(kdumpgui_t) @@ -26523,15 +26580,23 @@ index 0c52f60..a085fbd 100644 +optional_policy(` + bootloader_exec(kdumpgui_t) +') -+ -+optional_policy(` -+ consoletype_exec(kdumpgui_t) -+') + optional_policy(` consoletype_exec(kdumpgui_t) ') -@@ -58,6 +80,7 @@ optional_policy(` + + optional_policy(` ++ consoletype_exec(kdumpgui_t) ++') ++ ++optional_policy(` ++ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) ++') ++ ++optional_policy(` + dev_rw_lvm_control(kdumpgui_t) + ') + optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -31315,18 +31380,19 @@ index 0000000..00d38c5 + userdom_read_user_home_content_files(mock_build_t) +') diff --git a/modemmanager.te b/modemmanager.te -index b3ace16..46f4b11 100644 +index b3ace16..35c92dd 100644 --- a/modemmanager.te +++ b/modemmanager.te -@@ -8,6 +8,7 @@ policy_module(modemmanager, 1.1.0) +@@ -7,7 +7,7 @@ policy_module(modemmanager, 1.1.0) + type modemmanager_t; type modemmanager_exec_t; - dbus_system_domain(modemmanager_t, modemmanager_exec_t) +-dbus_system_domain(modemmanager_t, modemmanager_exec_t) +init_daemon_domain(modemmanager_t, modemmanager_exec_t) typealias modemmanager_t alias ModemManager_t; typealias modemmanager_exec_t alias ModemManager_exec_t; -@@ -16,7 +17,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; +@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; # ModemManager local policy # @@ -31336,7 +31402,7 @@ index b3ace16..46f4b11 100644 allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -28,13 +30,27 @@ dev_rw_modem(modemmanager_t) +@@ -28,13 +29,31 @@ dev_rw_modem(modemmanager_t) files_read_etc_files(modemmanager_t) @@ -31353,6 +31419,10 @@ index b3ace16..46f4b11 100644 -networkmanager_dbus_chat(modemmanager_t) +optional_policy(` ++ dbus_system_domain(modemmanager_t, modemmanager_exec_t) ++') ++ ++optional_policy(` + networkmanager_dbus_chat(modemmanager_t) +') + @@ -40065,7 +40135,7 @@ index 0000000..20ea9f5 + diff --git a/piranha.if b/piranha.if new file mode 100644 -index 0000000..548d0a2 +index 0000000..242567b --- /dev/null +++ b/piranha.if @@ -0,0 +1,175 @@ @@ -40105,11 +40175,11 @@ index 0000000..548d0a2 + # piranha_$1_t local policy + # + -+ allow piranha_$1_t self:process signal_perms; -+ + manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) + files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file }) ++ ++ auth_use_nsswitch(piranha_$1_t) +') + +######################################## @@ -40246,10 +40316,10 @@ index 0000000..548d0a2 +') diff --git a/piranha.te b/piranha.te new file mode 100644 -index 0000000..925b0a2 +index 0000000..f29bf1d --- /dev/null +++ b/piranha.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,298 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -40451,8 +40521,6 @@ index 0000000..925b0a2 + +fs_getattr_all_fs(piranha_pulse_t) + -+auth_use_nsswitch(piranha_pulse_t) -+ +logging_send_syslog_msg(piranha_pulse_t) + +miscfiles_read_localization(piranha_pulse_t) @@ -40519,6 +40587,7 @@ index 0000000..925b0a2 +# piranha domains common policy +# + ++allow piranha_domain self:process signal_perms; +allow piranha_domain self:fifo_file rw_fifo_file_perms; +allow piranha_domain self:tcp_socket create_stream_socket_perms; +allow piranha_domain self:udp_socket create_socket_perms; @@ -44456,7 +44525,7 @@ index f40c64d..a3352d3 100644 + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") ') diff --git a/pulseaudio.te b/pulseaudio.te -index 901ac9b..122431f 100644 +index 901ac9b..10dbb29 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -44542,12 +44611,14 @@ index 901ac9b..122431f 100644 optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -125,16 +148,35 @@ optional_policy(` +@@ -125,16 +148,37 @@ optional_policy(` ') optional_policy(` + gnome_read_gkeyringd_state(pulseaudio_t) + gnome_signull_gkeyringd(pulseaudio_t) ++ gnome_manage_gstreamer_home_files(pulseaudio_t) ++ gnome_exec_gstreamer_home_files(pulseaudio_t) +') + +optional_policy(` @@ -44578,7 +44649,7 @@ index 901ac9b..122431f 100644 udev_read_state(pulseaudio_t) udev_read_db(pulseaudio_t) ') -@@ -146,3 +188,7 @@ optional_policy(` +@@ -146,3 +190,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -47873,10 +47944,10 @@ index 0000000..48ea717 +') diff --git a/realmd.te b/realmd.te new file mode 100644 -index 0000000..2102bd0 +index 0000000..314e17e --- /dev/null +++ b/realmd.te -@@ -0,0 +1,40 @@ +@@ -0,0 +1,44 @@ +policy_module(realmd, 1.0.0) + +######################################## @@ -47886,7 +47957,7 @@ index 0000000..2102bd0 + +type realmd_t; +type realmd_exec_t; -+dbus_system_domain(realmd_t, realmd_exec_t) ++application_domain(realmd_t, realmd_exec_t) + +######################################## +# @@ -47904,6 +47975,10 @@ index 0000000..2102bd0 +miscfiles_read_localization(realmd_t) + +optional_policy(` ++ dbus_system_domain(realmd_t, realmd_exec_t) ++') ++ ++optional_policy(` + kerberos_use(realmd_t) +') + @@ -51347,17 +51422,27 @@ index 46dad1f..051addd 100644 allow rtkit_daemon_t $1:process { getsched setsched }; rtkit_daemon_dbus_chat($1) diff --git a/rtkit.te b/rtkit.te -index 6f8e268..7d64285 100644 +index 6f8e268..a50b694 100644 --- a/rtkit.te +++ b/rtkit.te -@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0) +@@ -7,7 +7,7 @@ policy_module(rtkit, 1.1.0) + type rtkit_daemon_t; type rtkit_daemon_exec_t; - dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) +-dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) +init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) ######################################## # +@@ -31,5 +31,8 @@ logging_send_syslog_msg(rtkit_daemon_t) + miscfiles_read_localization(rtkit_daemon_t) + + optional_policy(` ++ dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) ++') ++optional_policy(` + policykit_dbus_chat(rtkit_daemon_t) + ') diff --git a/rwho.if b/rwho.if index 71ea0ea..886a45e 100644 --- a/rwho.if @@ -52382,10 +52467,19 @@ index 905883f..564240d 100644 + can_exec(smbd_t, samba_unconfined_script_exec_t) ') diff --git a/sambagui.te b/sambagui.te -index 1898dbd..fc38344 100644 +index 1898dbd..43fcb73 100644 --- a/sambagui.te +++ b/sambagui.te -@@ -27,16 +27,21 @@ corecmd_exec_bin(sambagui_t) +@@ -7,7 +7,7 @@ policy_module(sambagui, 1.1.0) + + type sambagui_t; + type sambagui_exec_t; +-dbus_system_domain(sambagui_t, sambagui_exec_t) ++application_domain(sambagui_t, sambagui_exec_t) + + ######################################## + # +@@ -27,21 +27,30 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) @@ -52408,7 +52502,16 @@ index 1898dbd..fc38344 100644 optional_policy(` consoletype_exec(sambagui_t) ') -@@ -56,6 +61,7 @@ optional_policy(` + + optional_policy(` ++ dbus_system_domain(sambagui_t, sambagui_exec_t) ++') ++ ++optional_policy(` + nscd_dontaudit_search_pid(sambagui_t) + ') + +@@ -56,6 +65,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -53416,7 +53519,7 @@ index cfe3172..3eb745d 100644 + ') diff --git a/sanlock.te b/sanlock.te -index e02eb6c..d015830 100644 +index e02eb6c..8e19451 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -53454,7 +53557,7 @@ index e02eb6c..d015830 100644 # -allow sanlock_t self:capability { sys_nice ipc_lock }; -allow sanlock_t self:process { setsched signull }; -+allow sanlock_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice sys_resource }; ++allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource }; +allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; + allow sanlock_t self:fifo_file rw_fifo_file_perms; @@ -53970,18 +54073,19 @@ index 1ed6870..3f1dac5 100644 -/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0) +/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) diff --git a/sectoolm.te b/sectoolm.te -index c8ef84b..c761721 100644 +index c8ef84b..ffa81dd 100644 --- a/sectoolm.te +++ b/sectoolm.te -@@ -8,6 +8,7 @@ policy_module(sectoolm, 1.0.0) +@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.0) + type sectoolm_t; type sectoolm_exec_t; - dbus_system_domain(sectoolm_t, sectoolm_exec_t) +-dbus_system_domain(sectoolm_t, sectoolm_exec_t) +init_daemon_domain(sectoolm_t, sectoolm_exec_t) type sectool_var_lib_t; files_type(sectool_var_lib_t) -@@ -23,7 +24,7 @@ files_tmp_file(sectool_tmp_t) +@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t) # sectool local policy # @@ -53990,7 +54094,7 @@ index c8ef84b..c761721 100644 allow sectoolm_t self:process { getcap getsched signull setsched }; dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; -@@ -70,12 +71,6 @@ application_exec_all(sectoolm_t) +@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t) auth_use_nsswitch(sectoolm_t) @@ -54003,13 +54107,17 @@ index c8ef84b..c761721 100644 libs_exec_ld_so(sectoolm_t) logging_send_syslog_msg(sectoolm_t) -@@ -84,6 +79,17 @@ logging_send_syslog_msg(sectoolm_t) +@@ -84,6 +78,21 @@ logging_send_syslog_msg(sectoolm_t) sysnet_domtrans_ifconfig(sectoolm_t) userdom_manage_user_tmp_sockets(sectoolm_t) +userdom_dgram_send(sectoolm_t) + +optional_policy(` ++ dbus_system_domain(sectoolm_t, sectoolm_exec_t) ++') ++ ++optional_policy(` + # tests related to network + hostname_exec(sectoolm_t) +') @@ -54341,18 +54449,19 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..6bc7784 100644 +index 086cd5f..ffb516b 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te -@@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) +@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) + type setroubleshoot_fixit_t; type setroubleshoot_fixit_exec_t; - dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) +-dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) +init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) type setroubleshoot_var_lib_t; files_type(setroubleshoot_var_lib_t) -@@ -30,8 +31,10 @@ files_pid_file(setroubleshoot_var_run_t) +@@ -30,8 +30,10 @@ files_pid_file(setroubleshoot_var_run_t) # setroubleshootd local policy # @@ -54364,7 +54473,7 @@ index 086cd5f..6bc7784 100644 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -49,19 +52,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble +@@ -49,19 +51,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file @@ -54390,7 +54499,7 @@ index 086cd5f..6bc7784 100644 corenet_all_recvfrom_netlabel(setroubleshootd_t) corenet_tcp_sendrecv_generic_if(setroubleshootd_t) corenet_tcp_sendrecv_generic_node(setroubleshootd_t) -@@ -74,17 +81,18 @@ dev_read_urand(setroubleshootd_t) +@@ -74,17 +80,18 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) @@ -54410,7 +54519,7 @@ index 086cd5f..6bc7784 100644 fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) -@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) +@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) @@ -54418,7 +54527,7 @@ index 086cd5f..6bc7784 100644 term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) -@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t) +@@ -104,6 +112,8 @@ auth_use_nsswitch(setroubleshootd_t) init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) @@ -54427,7 +54536,7 @@ index 086cd5f..6bc7784 100644 miscfiles_read_localization(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t) -@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t) +@@ -112,8 +122,6 @@ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) @@ -54436,7 +54545,7 @@ index 086cd5f..6bc7784 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,10 +129,23 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -54460,7 +54569,7 @@ index 086cd5f..6bc7784 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,10 +173,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -151,10 +172,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) @@ -54476,7 +54585,7 @@ index 086cd5f..6bc7784 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +189,17 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -54484,6 +54593,10 @@ index 086cd5f..6bc7784 100644 +userdom_signull_unpriv_users(setroubleshoot_fixit_t) + +optional_policy(` ++ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) ++') ++ ++optional_policy(` + gnome_dontaudit_search_config(setroubleshoot_fixit_t) +') + @@ -56816,7 +56929,7 @@ index 941380a..ff89df6 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/sssd.te b/sssd.te -index a1b61bc..1df45e7 100644 +index a1b61bc..8fc2d2d 100644 --- a/sssd.te +++ b/sssd.te @@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t) @@ -56863,7 +56976,7 @@ index a1b61bc..1df45e7 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,18 +57,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,30 +57,44 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -56889,8 +57002,12 @@ index a1b61bc..1df45e7 100644 fs_list_inotifyfs(sssd_t) -@@ -68,10 +84,14 @@ selinux_validate_context(sssd_t) + selinux_validate_context(sssd_t) + seutil_read_file_contexts(sssd_t) ++# sssd wants to write /etc/selinux//logins/ for SELinux PAM module ++seutil_rw_login_config_dirs(sssd_t) ++seutil_manage_login_config_files(sssd_t) mls_file_read_to_clearance(sssd_t) +mls_socket_read_to_clearance(sssd_t) @@ -56905,7 +57022,7 @@ index a1b61bc..1df45e7 100644 init_read_utmp(sssd_t) -@@ -79,6 +99,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +102,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -56918,7 +57035,7 @@ index a1b61bc..1df45e7 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,8 +113,17 @@ optional_policy(` +@@ -87,8 +116,17 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -61752,7 +61869,7 @@ index 6f0736b..3e6749b 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..d0b1ae9 100644 +index 947bbc6..eb0a7dc 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0) @@ -61975,7 +62092,17 @@ index 947bbc6..d0b1ae9 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -150,11 +231,17 @@ tunable_policy(`virt_use_fusefs',` +@@ -143,18 +224,26 @@ tunable_policy(`virt_use_comm',` + ') + + tunable_policy(`virt_use_fusefs',` +- fs_read_fusefs_files(svirt_t) ++ fs_manage_fusefs_dirs(svirt_t) ++ fs_manage_fusefs_files(svirt_t) + fs_read_fusefs_symlinks(svirt_t) ++ fs_getattr_fusefs(svirt_t) + ') + tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -61993,7 +62120,7 @@ index 947bbc6..d0b1ae9 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -163,11 +250,28 @@ tunable_policy(`virt_use_sysfs',` +@@ -163,11 +252,28 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -62022,7 +62149,7 @@ index 947bbc6..d0b1ae9 100644 xen_rw_image_files(svirt_t) ') -@@ -176,22 +280,41 @@ optional_policy(` +@@ -176,22 +282,41 @@ optional_policy(` # virtd local policy # @@ -62071,7 +62198,7 @@ index 947bbc6..d0b1ae9 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +325,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +327,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -62106,7 +62233,7 @@ index 947bbc6..d0b1ae9 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +357,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +359,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -62129,7 +62256,7 @@ index 947bbc6..d0b1ae9 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +384,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +386,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -62163,7 +62290,7 @@ index 947bbc6..d0b1ae9 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +416,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +418,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -62182,7 +62309,7 @@ index 947bbc6..d0b1ae9 100644 mcs_process_set_categories(virtd_t) -@@ -284,6 +442,8 @@ term_use_ptmx(virtd_t) +@@ -284,6 +444,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -62191,7 +62318,7 @@ index 947bbc6..d0b1ae9 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +453,32 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +455,32 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -62224,7 +62351,7 @@ index 947bbc6..d0b1ae9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +497,10 @@ optional_policy(` +@@ -322,6 +499,10 @@ optional_policy(` ') optional_policy(` @@ -62235,7 +62362,7 @@ index 947bbc6..d0b1ae9 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +514,30 @@ optional_policy(` +@@ -335,19 +516,30 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -62267,7 +62394,7 @@ index 947bbc6..d0b1ae9 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +552,12 @@ optional_policy(` +@@ -362,6 +554,12 @@ optional_policy(` ') optional_policy(` @@ -62280,7 +62407,7 @@ index 947bbc6..d0b1ae9 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +565,11 @@ optional_policy(` +@@ -369,11 +567,11 @@ optional_policy(` ') optional_policy(` @@ -62297,7 +62424,7 @@ index 947bbc6..d0b1ae9 100644 ') optional_policy(` -@@ -384,6 +580,7 @@ optional_policy(` +@@ -384,6 +582,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -62305,7 +62432,7 @@ index 947bbc6..d0b1ae9 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -403,34 +600,51 @@ optional_policy(` +@@ -403,34 +602,51 @@ optional_policy(` # virtual domains common policy # @@ -62362,7 +62489,7 @@ index 947bbc6..d0b1ae9 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +652,11 @@ dev_write_sound(virt_domain) +@@ -438,10 +654,11 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -62375,7 +62502,7 @@ index 947bbc6..d0b1ae9 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,8 +664,16 @@ files_search_all(virt_domain) +@@ -449,8 +666,16 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -62393,7 +62520,7 @@ index 947bbc6..d0b1ae9 100644 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -459,13 +682,461 @@ logging_send_syslog_msg(virt_domain) +@@ -459,13 +684,461 @@ logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) diff --git a/selinux-policy.spec b/selinux-policy.spec index cea5aa0c..e35ab78b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -491,6 +491,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Aug 7 2012 Miroslav Grepl 3.11.1-2 +- Add new type selinux_login_config_t for /etc/selinux//logins/ +- Additional fixes for seutil_manage_module_store() +- dbus_system_domain() should be used with optional_policy +- Fix svirt to be allowed to use fusefs file system +- Allow login programs to read /run/ data created by systemd_login +- sssd wants to write /etc/selinux//logins/ for SELinux PAM module +- Fix svirt to be allowed to use fusefs file system +- Allow piranha domain to use nsswitch +- Sanlock needs to send Kill Signals to non root processes +- Pulseaudio wants to execute /run/user/PID/.orc + * Fri Aug 3 2012 Miroslav Grepl 3.11.1-1 - Fix saslauthd when it tries to read /etc/shadow - Label gnome-boxes as a virt homedir