* Mon Dec 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226

- Fix some boolean descriptions.
- Add fwupd_dbus_chat() interface
- Allow tgtd_t domain wake_alarm
- Merge pull request #172 from vinzent/allow_puppetagent_timedated
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow systemd_machined_t to start unit files labeled as init_var_run_t
- Add init_manage_config_transient_files() interface
- In Atomic, /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
- Allow systemd to raise rlimit to all domains. BZ(1365435)
- Add domain_setrlimit_all_domains() interface
- Allow staff_t user to chat with fwupd_t domain via dbus
- Update logging_create_devlog_dev() interface to allow the calling domain to also create the sock_file dev-log. BZ(1393774)
- Allow systemd-networkd to read network state. BZ(1400016)
- Allow systemd-resolved to bind to dns port. BZ(1400023)
- Allow systemd to create /dev/log in its own mount namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains to read this file. BZ(1398853)
Lukas Vrabec 2016-12-05 16:48:37 +01:00
parent 6a99358633
commit 7216220f4a
4 changed files with 221 additions and 116 deletions

Binary file not shown.


@ -3667,7 +3667,7 @@ index 7590165..d81185e 100644
+ fs_mounton_fusefs(seunshare_domain) + fs_mounton_fusefs(seunshare_domain)
') ')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 33e0f8d..3437271 100644 index 33e0f8d..184c5a4 100644
--- a/policy/modules/kernel/corecommands.fc --- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@ @@ -1,9 +1,10 @@
@ -4014,7 +4014,7 @@ index 33e0f8d..3437271 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
@@ -387,17 +472,34 @@ ifdef(`distro_suse', ` @@ -387,17 +472,36 @@ ifdef(`distro_suse', `
# #
# /var # /var
# #
@ -4042,6 +4042,8 @@ index 33e0f8d..3437271 100644
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
') ')
+ +
+/var/usrlocal/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t:s0)
+
+# +#
+# /usr/lib +# /usr/lib
+# +#
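Review bot: the new `/var/usrlocal/(.*/)?bin(/.*)?` entry writes the context as `bin_t:s0`, while every neighbouring entry in this hunk uses `bin_t,s0`. gen_context() takes the MLS level as its second macro argument, so with a colon the whole string becomes the first argument and the generated file_contexts line is malformed; a single bad entry is enough to break labeling of the whole corecommands module. Suggest `/var/usrlocal/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)`, which then matches the existing `/usr/local` bin_t rule this is meant to mirror for the Atomic symlink case.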
@ -10066,7 +10068,7 @@ index 0b1a871..29965c3 100644
+dev_getattr_all(devices_unconfined_type) +dev_getattr_all(devices_unconfined_type)
+ +
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..26e5558 100644 index 6a1e4d1..1a2713b 100644
--- a/policy/modules/kernel/domain.if --- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',` @@ -76,33 +76,8 @@ interface(`domain_type',`
@ -10312,7 +10314,7 @@ index 6a1e4d1..26e5558 100644
## Unconfined access to domains. ## Unconfined access to domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1530,4 +1632,63 @@ interface(`domain_unconfined',` @@ -1530,4 +1632,82 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity; typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context; typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt; typeattribute $1 process_uncond_exempt;
@ -10375,6 +10377,25 @@ index 6a1e4d1..26e5558 100644
+ ') + ')
+ +
+ dontaudit $1 domain:dir_file_class_set audit_access; + dontaudit $1 domain:dir_file_class_set audit_access;
+')
+
+########################################
+## <summary>
+## Allow set resource limits to all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_setrlimit_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:process setrlimit;
') ')
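Review bot: the summary of `domain_setrlimit_all_domains()` reads "Allow set resource limits to all domains."; since the rule is `allow $1 domain:process setrlimit;` against the whole `domain` attribute, say what it really grants, e.g. "Allow the specified domain to set resource limits on all domains.". That breadth is the point worth flagging: the interface carries `<rolecap/>` like the neighbouring `domain_*_all_domains` interfaces, so it can be handed to role policies as well; the changelog only justifies it for systemd, and callers beyond init_t should be treated as a policy smell in later review.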
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..43876e0 100644 index cf04cb5..43876e0 100644
@ -25600,7 +25621,7 @@ index 234a940..a92415a 100644
######################################## ########################################
## <summary> ## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0fef1fc..c3b8b13 100644 index 0fef1fc..bfeb102 100644
--- a/policy/modules/roles/staff.te --- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
@ -25677,7 +25698,7 @@ index 0fef1fc..c3b8b13 100644
optional_policy(` optional_policy(`
apache_role(staff_r, staff_t) apache_role(staff_r, staff_t)
') ')
@@ -23,11 +84,115 @@ optional_policy(` @@ -23,11 +84,119 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -25731,6 +25752,10 @@ index 0fef1fc..c3b8b13 100644
+') +')
+ +
+optional_policy(` +optional_policy(`
+ fwupd_dbus_chat(staff_t)
+')
+
+optional_policy(`
+ irc_role(staff_r, staff_t) + irc_role(staff_r, staff_t)
+') +')
+ +
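Review bot: the `optional_policy(` fwupd_dbus_chat(staff_t) ')` block follows the file's conventions, but `fwupd_dbus_chat()` is introduced in this same release (changelog: "Add fwupd_dbus_chat() interface") and its definition is not part of this diff. Confirm the interface is present in the fwupd.if shipped by the contrib patch of the same build; an interface that m4 cannot expand is left as literal text and fails the policy compile rather than being skipped by `optional_policy`.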
@ -25794,7 +25819,7 @@ index 0fef1fc..c3b8b13 100644
') ')
optional_policy(` optional_policy(`
@@ -35,15 +200,31 @@ optional_policy(` @@ -35,15 +204,31 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -25828,7 +25853,7 @@ index 0fef1fc..c3b8b13 100644
') ')
optional_policy(` optional_policy(`
@@ -52,11 +233,61 @@ optional_policy(` @@ -52,11 +237,61 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -25891,7 +25916,7 @@ index 0fef1fc..c3b8b13 100644
') ')
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
@@ -65,10 +296,6 @@ ifndef(`distro_redhat',` @@ -65,10 +300,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -25902,7 +25927,7 @@ index 0fef1fc..c3b8b13 100644
cdrecord_role(staff_r, staff_t) cdrecord_role(staff_r, staff_t)
') ')
@@ -78,10 +305,6 @@ ifndef(`distro_redhat',` @@ -78,10 +309,6 @@ ifndef(`distro_redhat',`
optional_policy(` optional_policy(`
dbus_role_template(staff, staff_r, staff_t) dbus_role_template(staff, staff_r, staff_t)
@ -25913,7 +25938,7 @@ index 0fef1fc..c3b8b13 100644
') ')
optional_policy(` optional_policy(`
@@ -101,10 +324,6 @@ ifndef(`distro_redhat',` @@ -101,10 +328,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -25924,7 +25949,7 @@ index 0fef1fc..c3b8b13 100644
java_role(staff_r, staff_t) java_role(staff_r, staff_t)
') ')
@@ -125,10 +344,6 @@ ifndef(`distro_redhat',` @@ -125,10 +348,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -25935,7 +25960,7 @@ index 0fef1fc..c3b8b13 100644
pyzor_role(staff_r, staff_t) pyzor_role(staff_r, staff_t)
') ')
@@ -141,10 +356,6 @@ ifndef(`distro_redhat',` @@ -141,10 +360,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -25946,7 +25971,7 @@ index 0fef1fc..c3b8b13 100644
spamassassin_role(staff_r, staff_t) spamassassin_role(staff_r, staff_t)
') ')
@@ -176,3 +387,23 @@ ifndef(`distro_redhat',` @@ -176,3 +391,23 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t) wireshark_role(staff_r, staff_t)
') ')
') ')
@ -35903,7 +35928,7 @@ index bc0ffc8..37b8ea5 100644
') ')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 79a45f6..d092e6e 100644 index 79a45f6..6126f21 100644
--- a/policy/modules/system/init.if --- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@ @@ -1,5 +1,21 @@
@ -36705,7 +36730,7 @@ index 79a45f6..d092e6e 100644
gen_require(` gen_require(`
attribute init_script_file_type; attribute init_script_file_type;
') ')
@@ -1125,6 +1449,44 @@ interface(`init_getattr_all_script_files',` @@ -1125,6 +1449,63 @@ interface(`init_getattr_all_script_files',`
######################################## ########################################
## <summary> ## <summary>
@ -36746,11 +36771,30 @@ index 79a45f6..d092e6e 100644
+') +')
+ +
+######################################## +########################################
+## <summary>
+## Allow the specified domain to modify the systemd configuration of
+## transient scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_config_transient_files',`
+ gen_require(`
+ attribute init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:service manage_service_perms;
+')
+
+########################################
+## <summary> +## <summary>
## Read all init script files. ## Read all init script files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
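Review bot: `init_manage_config_transient_files()` requires `attribute init_var_run_t;`, but `init_var_run_t` is a type: the other interfaces in this same patch (`init_list_pid_dirs`, `init_pid_filetrans`) require `type init_var_run_t;`. Change the require block to `type init_var_run_t;` or the module will not build. Also, the summary says "transient scripts" while the rule is `allow $1 init_var_run_t:service manage_service_perms;`, i.e. systemd units that live under /run/systemd; "transient units" would describe it accurately and line up with the changelog entry about systemd_machined_t starting unit files labeled init_var_run_t.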
@@ -1144,6 +1506,24 @@ interface(`init_read_all_script_files',` @@ -1144,6 +1525,24 @@ interface(`init_read_all_script_files',`
####################################### #######################################
## <summary> ## <summary>
@ -36775,7 +36819,7 @@ index 79a45f6..d092e6e 100644
## Dontaudit read all init script files. ## Dontaudit read all init script files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1195,12 +1575,7 @@ interface(`init_read_script_state',` @@ -1195,12 +1594,7 @@ interface(`init_read_script_state',`
') ')
kernel_search_proc($1) kernel_search_proc($1)
@ -36789,7 +36833,7 @@ index 79a45f6..d092e6e 100644
') ')
######################################## ########################################
@@ -1314,6 +1689,24 @@ interface(`init_signal_script',` @@ -1314,6 +1708,24 @@ interface(`init_signal_script',`
######################################## ########################################
## <summary> ## <summary>
@ -36814,7 +36858,7 @@ index 79a45f6..d092e6e 100644
## Send null signals to init scripts. ## Send null signals to init scripts.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1440,6 +1833,27 @@ interface(`init_dbus_send_script',` @@ -1440,6 +1852,27 @@ interface(`init_dbus_send_script',`
######################################## ########################################
## <summary> ## <summary>
## Send and receive messages from ## Send and receive messages from
@ -36842,7 +36886,7 @@ index 79a45f6..d092e6e 100644
## init scripts over dbus. ## init scripts over dbus.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1547,6 +1961,25 @@ interface(`init_getattr_script_status_files',` @@ -1547,6 +1980,25 @@ interface(`init_getattr_script_status_files',`
######################################## ########################################
## <summary> ## <summary>
@ -36868,7 +36912,7 @@ index 79a45f6..d092e6e 100644
## Do not audit attempts to read init script ## Do not audit attempts to read init script
## status files. ## status files.
## </summary> ## </summary>
@@ -1605,6 +2038,24 @@ interface(`init_rw_script_tmp_files',` @@ -1605,6 +2057,24 @@ interface(`init_rw_script_tmp_files',`
######################################## ########################################
## <summary> ## <summary>
@ -36893,7 +36937,7 @@ index 79a45f6..d092e6e 100644
## Create files in a init script ## Create files in a init script
## temporary data directory. ## temporary data directory.
## </summary> ## </summary>
@@ -1677,6 +2128,43 @@ interface(`init_read_utmp',` @@ -1677,6 +2147,43 @@ interface(`init_read_utmp',`
######################################## ########################################
## <summary> ## <summary>
@ -36937,7 +36981,7 @@ index 79a45f6..d092e6e 100644
## Do not audit attempts to write utmp. ## Do not audit attempts to write utmp.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1765,7 +2253,7 @@ interface(`init_dontaudit_rw_utmp',` @@ -1765,7 +2272,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t; type initrc_var_run_t;
') ')
@ -36946,7 +36990,7 @@ index 79a45f6..d092e6e 100644
') ')
######################################## ########################################
@@ -1806,37 +2294,708 @@ interface(`init_pid_filetrans_utmp',` @@ -1806,37 +2313,708 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp") files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
') ')
@ -36983,13 +37027,21 @@ index 79a45f6..d092e6e 100644
## <summary> ## <summary>
-## Allow the specified domain to connect to daemon with a udp socket -## Allow the specified domain to connect to daemon with a udp socket
+## Allow listing of the /run/systemd directory. +## Allow listing of the /run/systemd directory.
+## </summary> ## </summary>
+## <param name="domain"> ## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary> +## <summary>
+## Domain allowed access. +## Domain allowed access.
+## </summary> +## </summary>
+## </param> ## </param>
+# #
-interface(`init_udp_recvfrom_all_daemons',`
- gen_require(`
- attribute daemon;
- ')
- corenet_udp_recvfrom_labeled($1, daemon)
+interface(`init_list_pid_dirs',` +interface(`init_list_pid_dirs',`
+ gen_require(` + gen_require(`
+ type init_var_run_t; + type init_var_run_t;
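Review bot: the run of hunks starting here only re-aligns the patch: the upstream blob stays at 79a45f6, the inner hunk keeps its +708 line count, and the dropped `-interface(`init_udp_recvfrom_all_daemons',`` deletion lines are balanced by context lines flipping to `+`. Please verify with interdiff (or by applying both versions and diffing the results) that the resulting init.if differs only by the new `init_manage_config_transient_files()` interface and that `init_udp_recvfrom_all_daemons` is still defined exactly once; a re-aligned hunk is where duplicated or lost interface definitions usually slip in unnoticed.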
@ -37022,8 +37074,8 @@ index 79a45f6..d092e6e 100644
+## Create objects in /run/systemd directory +## Create objects in /run/systemd directory
+## with an automatic type transition to +## with an automatic type transition to
+## a specified private type. +## a specified private type.
## </summary> +## </summary>
## <param name="domain"> +## <param name="domain">
+## <summary> +## <summary>
+## Domain allowed access. +## Domain allowed access.
+## </summary> +## </summary>
@ -37039,16 +37091,11 @@ index 79a45f6..d092e6e 100644
+## </summary> +## </summary>
+## </param> +## </param>
+## <param name="name" optional="true"> +## <param name="name" optional="true">
## <summary> +## <summary>
-## Domain allowed access.
+## The name of the object being created. +## The name of the object being created.
## </summary> +## </summary>
## </param> +## </param>
# +#
-interface(`init_udp_recvfrom_all_daemons',`
- gen_require(`
- attribute daemon;
- ')
+interface(`init_pid_filetrans',` +interface(`init_pid_filetrans',`
+ gen_require(` + gen_require(`
+ type init_var_run_t; + type init_var_run_t;
@ -37126,8 +37173,8 @@ index 79a45f6..d092e6e 100644
+ gen_require(` + gen_require(`
+ attribute daemon; + attribute daemon;
+ ') + ')
corenet_udp_recvfrom_labeled($1, daemon) + corenet_udp_recvfrom_labeled($1, daemon)
') +')
+ +
+######################################## +########################################
+## <summary> +## <summary>
@ -37671,9 +37718,9 @@ index 79a45f6..d092e6e 100644
+ +
+ files_search_var_lib($1) + files_search_var_lib($1)
+ allow $1 init_var_lib_t:dir search_dir_perms; + allow $1 init_var_lib_t:dir search_dir_perms;
+') ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..e59e001 100644 index 17eda24..25e49cf 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(` @@ -11,10 +11,31 @@ gen_require(`
@ -37878,12 +37925,13 @@ index 17eda24..e59e001 100644
domain_getpgid_all_domains(init_t) domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t) domain_kill_all_domains(init_t)
@@ -139,14 +236,24 @@ domain_signal_all_domains(init_t) @@ -139,14 +236,25 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t) domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t) domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t) domain_sigchld_all_domains(init_t)
+domain_read_all_domains_state(init_t) +domain_read_all_domains_state(init_t)
+domain_getattr_all_domains(init_t) +domain_getattr_all_domains(init_t)
+domain_setrlimit_all_domains(init_t)
-files_read_etc_files(init_t) -files_read_etc_files(init_t)
+files_read_config_files(init_t) +files_read_config_files(init_t)
@ -37904,7 +37952,7 @@ index 17eda24..e59e001 100644
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t) files_dontaudit_rw_root_chr_files(init_t)
@@ -155,29 +262,73 @@ fs_list_inotifyfs(init_t) @@ -155,29 +263,73 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log # cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t) fs_write_ramfs_sockets(init_t)
@ -37983,7 +38031,7 @@ index 17eda24..e59e001 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap }; allow init_t self:process { getcap setcap };
@@ -186,29 +337,275 @@ ifdef(`distro_gentoo',` @@ -186,29 +338,275 @@ ifdef(`distro_gentoo',`
') ')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@ -38268,7 +38316,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -216,7 +613,30 @@ optional_policy(` @@ -216,7 +614,30 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38300,7 +38348,7 @@ index 17eda24..e59e001 100644
') ')
######################################## ########################################
@@ -225,9 +645,9 @@ optional_policy(` @@ -225,9 +646,9 @@ optional_policy(`
# #
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38312,7 +38360,7 @@ index 17eda24..e59e001 100644
allow initrc_t self:passwd rootok; allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms; allow initrc_t self:key manage_key_perms;
@@ -258,12 +678,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) @@ -258,12 +679,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms; allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file) files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38329,7 +38377,7 @@ index 17eda24..e59e001 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +703,36 @@ kernel_change_ring_buffer_level(initrc_t) @@ -279,23 +704,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t) kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t) kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t) kernel_read_all_sysctls(initrc_t)
@ -38372,7 +38420,7 @@ index 17eda24..e59e001 100644
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +740,11 @@ corenet_sendrecv_all_client_packets(initrc_t) @@ -303,9 +741,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)
@ -38384,7 +38432,7 @@ index 17eda24..e59e001 100644
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t) dev_read_framebuffer(initrc_t)
@@ -313,8 +752,10 @@ dev_write_framebuffer(initrc_t) @@ -313,8 +753,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t) dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t) dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
@ -38395,7 +38443,7 @@ index 17eda24..e59e001 100644
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
@@ -322,8 +763,7 @@ dev_manage_generic_files(initrc_t) @@ -322,8 +764,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
@ -38405,7 +38453,7 @@ index 17eda24..e59e001 100644
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)
@@ -332,7 +772,6 @@ domain_sigstop_all_domains(initrc_t) @@ -332,7 +773,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t) domain_getattr_all_domains(initrc_t)
@ -38413,7 +38461,7 @@ index 17eda24..e59e001 100644
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -340,6 +779,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -340,6 +780,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38421,7 +38469,7 @@ index 17eda24..e59e001 100644
files_getattr_all_dirs(initrc_t) files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
@@ -347,14 +787,15 @@ files_getattr_all_symlinks(initrc_t) @@ -347,14 +788,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -38439,7 +38487,7 @@ index 17eda24..e59e001 100644
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t) files_manage_generic_spool(initrc_t)
@@ -364,8 +805,12 @@ files_list_isid_type_dirs(initrc_t) @@ -364,8 +806,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
@ -38453,7 +38501,7 @@ index 17eda24..e59e001 100644
fs_list_inotifyfs(initrc_t) fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -375,10 +820,11 @@ fs_mount_all_fs(initrc_t) @@ -375,10 +821,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t) fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t) fs_getattr_all_fs(initrc_t)
@ -38467,7 +38515,7 @@ index 17eda24..e59e001 100644
mcs_process_set_categories(initrc_t) mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t) mls_file_read_all_levels(initrc_t)
@@ -387,8 +833,10 @@ mls_process_read_up(initrc_t) @@ -387,8 +834,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t) mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t) mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t) mls_fd_share_all_levels(initrc_t)
@ -38478,7 +38526,7 @@ index 17eda24..e59e001 100644
storage_getattr_fixed_disk_dev(initrc_t) storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +846,7 @@ term_use_all_terms(initrc_t) @@ -398,6 +847,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t) auth_rw_login_records(initrc_t)
@ -38486,7 +38534,7 @@ index 17eda24..e59e001 100644
auth_setattr_login_records(initrc_t) auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t) auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t) auth_read_pam_pid(initrc_t)
@@ -416,20 +865,18 @@ logging_read_all_logs(initrc_t) @@ -416,20 +866,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t) logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t) logging_read_audit_config(initrc_t)
@ -38510,7 +38558,7 @@ index 17eda24..e59e001 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +898,6 @@ ifdef(`distro_gentoo',` @@ -451,7 +899,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate; allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t) dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t) dev_create_zero_dev(initrc_t)
@ -38518,7 +38566,7 @@ index 17eda24..e59e001 100644
term_create_console_dev(initrc_t) term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks # unfortunately /sbin/rc does stupid tricks
@@ -486,6 +932,10 @@ ifdef(`distro_gentoo',` @@ -486,6 +933,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t) sysnet_setattr_config(initrc_t)
optional_policy(` optional_policy(`
@ -38529,7 +38577,7 @@ index 17eda24..e59e001 100644
alsa_read_lib(initrc_t) alsa_read_lib(initrc_t)
') ')
@@ -506,7 +956,7 @@ ifdef(`distro_redhat',` @@ -506,7 +957,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -38538,7 +38586,7 @@ index 17eda24..e59e001 100644
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd # These seem to be from the initrd
@@ -521,6 +971,7 @@ ifdef(`distro_redhat',` @@ -521,6 +972,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t) files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
@ -38546,7 +38594,7 @@ index 17eda24..e59e001 100644
# wants to read /.fonts directory # wants to read /.fonts directory
files_read_default_files(initrc_t) files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t) files_mountpoint(initrc_tmp_t)
@@ -541,6 +992,7 @@ ifdef(`distro_redhat',` @@ -541,6 +993,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t) miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t) miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t) miscfiles_relabel_localization(initrc_t)
@ -38554,7 +38602,7 @@ index 17eda24..e59e001 100644
miscfiles_read_fonts(initrc_t) miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t) miscfiles_read_hwdata(initrc_t)
@@ -550,8 +1002,44 @@ ifdef(`distro_redhat',` @@ -550,8 +1003,44 @@ ifdef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -38599,7 +38647,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -559,14 +1047,31 @@ ifdef(`distro_redhat',` @@ -559,14 +1048,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t) rpc_manage_nfs_state_data(initrc_t)
') ')
@ -38631,7 +38679,7 @@ index 17eda24..e59e001 100644
') ')
') ')
@@ -577,6 +1082,39 @@ ifdef(`distro_suse',` @@ -577,6 +1083,39 @@ ifdef(`distro_suse',`
') ')
') ')
@ -38671,7 +38719,7 @@ index 17eda24..e59e001 100644
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1127,8 @@ optional_policy(` @@ -589,6 +1128,8 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(initrc_t) apache_read_config(initrc_t)
apache_list_modules(initrc_t) apache_list_modules(initrc_t)
@ -38680,7 +38728,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -610,6 +1150,7 @@ optional_policy(` @@ -610,6 +1151,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cgroup_stream_connect_cgred(initrc_t) cgroup_stream_connect_cgred(initrc_t)
@ -38688,7 +38736,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -626,6 +1167,17 @@ optional_policy(` @@ -626,6 +1168,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38706,7 +38754,7 @@ index 17eda24..e59e001 100644
dev_getattr_printer_dev(initrc_t) dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t) cups_read_log(initrc_t)
@@ -642,9 +1194,13 @@ optional_policy(` @@ -642,9 +1195,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -38720,7 +38768,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -657,15 +1213,11 @@ optional_policy(` @@ -657,15 +1214,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38738,7 +38786,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -686,6 +1238,15 @@ optional_policy(` @@ -686,6 +1239,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38754,7 +38802,7 @@ index 17eda24..e59e001 100644
inn_exec_config(initrc_t) inn_exec_config(initrc_t)
') ')
@@ -726,6 +1287,7 @@ optional_policy(` @@ -726,6 +1288,7 @@ optional_policy(`
lpd_list_spool(initrc_t) lpd_list_spool(initrc_t)
lpd_read_config(initrc_t) lpd_read_config(initrc_t)
@ -38762,7 +38810,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -743,7 +1305,13 @@ optional_policy(` @@ -743,7 +1306,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38777,7 +38825,7 @@ index 17eda24..e59e001 100644
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@@ -766,6 +1334,10 @@ optional_policy(` @@ -766,6 +1335,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38788,7 +38836,7 @@ index 17eda24..e59e001 100644
postgresql_manage_db(initrc_t) postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t) postgresql_read_config(initrc_t)
') ')
@@ -775,10 +1347,20 @@ optional_policy(` @@ -775,10 +1348,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38809,7 +38857,7 @@ index 17eda24..e59e001 100644
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')
@@ -787,6 +1369,10 @@ optional_policy(` @@ -787,6 +1370,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38820,7 +38868,7 @@ index 17eda24..e59e001 100644
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -808,8 +1394,6 @@ optional_policy(` @@ -808,8 +1395,6 @@ optional_policy(`
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -38829,7 +38877,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -818,6 +1402,10 @@ optional_policy(` @@ -818,6 +1403,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38840,7 +38888,7 @@ index 17eda24..e59e001 100644
# shorewall-init script run /var/lib/shorewall/firewall # shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t) shorewall_lib_domtrans(initrc_t)
') ')
@@ -827,10 +1415,12 @@ optional_policy(` @@ -827,10 +1416,12 @@ optional_policy(`
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -38853,7 +38901,7 @@ index 17eda24..e59e001 100644
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1447,62 @@ optional_policy(` @@ -857,21 +1448,62 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38917,7 +38965,7 @@ index 17eda24..e59e001 100644
') ')
optional_policy(` optional_policy(`
@@ -887,6 +1518,10 @@ optional_policy(` @@ -887,6 +1519,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38928,7 +38976,7 @@ index 17eda24..e59e001 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1532,218 @@ optional_policy(` @@ -897,3 +1533,218 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -41132,7 +41180,7 @@ index b50c5fe..9eacd9b 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ +
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e94884..31be8ac 100644 index 4e94884..0690edf 100644
--- a/policy/modules/system/logging.if --- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@ -41222,7 +41270,7 @@ index 4e94884..31be8ac 100644
######################################## ########################################
## <summary> ## <summary>
## Send system log messages. ## Send system log messages.
@@ -530,22 +592,106 @@ interface(`logging_log_filetrans',` @@ -530,22 +592,107 @@ interface(`logging_log_filetrans',`
# #
interface(`logging_send_syslog_msg',` interface(`logging_send_syslog_msg',`
gen_require(` gen_require(`
@ -41249,6 +41297,7 @@ index 4e94884..31be8ac 100644
+ ') + ')
+ +
+ allow $1 devlog_t:lnk_file manage_lnk_file_perms; + allow $1 devlog_t:lnk_file manage_lnk_file_perms;
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
+ dev_filetrans($1, devlog_t, lnk_file, "log") + dev_filetrans($1, devlog_t, lnk_file, "log")
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog") + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
+ logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log") + logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
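Review bot: the new `allow $1 devlog_t:sock_file manage_sock_file_perms;` grants more than the create that the BZ(1393774) changelog entry describes for logging_create_devlog_dev(): manage_sock_file_perms also carries unlink, rename and setattr on every sock_file labeled devlog_t, not only the "syslog" and "dev-log" sockets named by the init_pid_filetrans and logging_syslogd_pid_filetrans lines directly below it. If creating the socket in the caller's own mount namespace is all that is needed, create_sock_file_perms is the narrower choice; either way the interface's <summary> should say that callers may now manage devlog_t socket files as well as the symlink.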
@ -41341,7 +41390,7 @@ index 4e94884..31be8ac 100644
') ')
######################################## ########################################
@@ -571,6 +717,25 @@ interface(`logging_read_audit_config',` @@ -571,6 +718,25 @@ interface(`logging_read_audit_config',`
######################################## ########################################
## <summary> ## <summary>
@ -41367,7 +41416,7 @@ index 4e94884..31be8ac 100644
## dontaudit search of auditd configuration files. ## dontaudit search of auditd configuration files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -609,6 +774,25 @@ interface(`logging_read_syslog_config',` @@ -609,6 +775,25 @@ interface(`logging_read_syslog_config',`
######################################## ########################################
## <summary> ## <summary>
@ -41393,7 +41442,7 @@ index 4e94884..31be8ac 100644
## Allows the domain to open a file in the ## Allows the domain to open a file in the
## log directory, but does not allow the listing ## log directory, but does not allow the listing
## of the contents of the log directory. ## of the contents of the log directory.
@@ -722,6 +906,25 @@ interface(`logging_setattr_all_log_dirs',` @@ -722,6 +907,25 @@ interface(`logging_setattr_all_log_dirs',`
allow $1 logfile:dir setattr; allow $1 logfile:dir setattr;
') ')
@ -41419,7 +41468,7 @@ index 4e94884..31be8ac 100644
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
@@ -776,7 +979,25 @@ interface(`logging_append_all_logs',` @@ -776,7 +980,25 @@ interface(`logging_append_all_logs',`
') ')
files_search_var($1) files_search_var($1)
@ -41446,7 +41495,7 @@ index 4e94884..31be8ac 100644
') ')
######################################## ########################################
@@ -859,7 +1080,7 @@ interface(`logging_manage_all_logs',` @@ -859,7 +1081,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1) files_search_var($1)
manage_files_pattern($1, logfile, logfile) manage_files_pattern($1, logfile, logfile)
@ -41455,7 +41504,7 @@ index 4e94884..31be8ac 100644
') ')
######################################## ########################################
@@ -885,6 +1106,44 @@ interface(`logging_read_generic_logs',` @@ -885,6 +1107,44 @@ interface(`logging_read_generic_logs',`
######################################## ########################################
## <summary> ## <summary>
@ -41500,7 +41549,7 @@ index 4e94884..31be8ac 100644
## Write generic log files. ## Write generic log files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -905,6 +1164,24 @@ interface(`logging_write_generic_logs',` @@ -905,6 +1165,24 @@ interface(`logging_write_generic_logs',`
######################################## ########################################
## <summary> ## <summary>
@ -41525,7 +41574,7 @@ index 4e94884..31be8ac 100644
## Dontaudit Write generic log files. ## Dontaudit Write generic log files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -984,11 +1261,16 @@ interface(`logging_admin_audit',` @@ -984,11 +1262,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t; type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t; type auditd_var_run_t;
type auditd_initrc_exec_t; type auditd_initrc_exec_t;
@ -41543,7 +41592,7 @@ index 4e94884..31be8ac 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
@@ -1004,6 +1286,55 @@ interface(`logging_admin_audit',` @@ -1004,6 +1287,55 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r; role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r; allow $2 system_r;
@ -41599,7 +41648,7 @@ index 4e94884..31be8ac 100644
') ')
######################################## ########################################
@@ -1032,10 +1363,15 @@ interface(`logging_admin_syslog',` @@ -1032,10 +1364,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t; type syslogd_initrc_exec_t;
') ')
@ -41617,7 +41666,7 @@ index 4e94884..31be8ac 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
@@ -1057,6 +1393,8 @@ interface(`logging_admin_syslog',` @@ -1057,6 +1394,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1) logging_manage_all_logs($1)
@ -41626,7 +41675,7 @@ index 4e94884..31be8ac 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t) init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
@@ -1085,3 +1423,90 @@ interface(`logging_admin',` @@ -1085,3 +1424,90 @@ interface(`logging_admin',`
logging_admin_audit($1, $2) logging_admin_audit($1, $2)
logging_admin_syslog($1, $2) logging_admin_syslog($1, $2)
') ')
@ -49362,10 +49411,10 @@ index 0000000..86e3d01
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..373d526 index 0000000..caba12b
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,974 @@ @@ -0,0 +1,978 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -49700,6 +49749,7 @@ index 0000000..373d526
+init_status(systemd_machined_t) +init_status(systemd_machined_t)
+init_start(systemd_machined_t) +init_start(systemd_machined_t)
+init_stop(systemd_machined_t) +init_stop(systemd_machined_t)
+init_manage_config_transient_files(systemd_machined_t)
+ +
+userdom_dbus_send_all_users(systemd_machined_t) +userdom_dbus_send_all_users(systemd_machined_t)
+ +
@ -49750,6 +49800,7 @@ index 0000000..373d526
+kernel_request_load_module(systemd_networkd_t) +kernel_request_load_module(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t) +kernel_rw_net_sysctls(systemd_networkd_t)
+kernel_read_xen_state(systemd_networkd_t) +kernel_read_xen_state(systemd_networkd_t)
+kernel_read_network_state(systemd_networkd_t)
+ +
+corenet_tcp_bind_all_nodes(systemd_networkd_t) +corenet_tcp_bind_all_nodes(systemd_networkd_t)
+corenet_udp_bind_all_nodes(systemd_networkd_t) +corenet_udp_bind_all_nodes(systemd_networkd_t)
@ -50254,7 +50305,7 @@ index 0000000..373d526
+# systemd_resolved domain +# systemd_resolved domain
+# +#
+ +
+allow systemd_resolved_t self:capability { chown setgid setpcap setuid }; +allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
+allow systemd_resolved_t self:process setcap; +allow systemd_resolved_t self:process setcap;
+allow systemd_resolved_t self:tcp_socket { accept listen }; +allow systemd_resolved_t self:tcp_socket { accept listen };
+allow systemd_resolved_t self:unix_dgram_socket create_socket_perms; +allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
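Review bot: net_raw is added to the systemd_resolved_t capability set on the first line of this hunk, but none of the changelog entries mention it (the resolved entries only cover binding the dns port, BZ(1400023)). One plausible reason is SO_BINDTODEVICE on per-link sockets, which required CAP_NET_RAW on kernels of this era, but a raw-socket capability on a network-facing daemon is exactly what an auditor will ask about, so add a changelog line or a comment next to the rule naming the denial it fixes.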
@ -50274,6 +50325,8 @@ index 0000000..373d526
+corenet_tcp_bind_llmnr_port(systemd_resolved_t) +corenet_tcp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_llmnr_port(systemd_resolved_t) +corenet_udp_bind_llmnr_port(systemd_resolved_t)
+corenet_tcp_connect_llmnr_port(systemd_resolved_t) +corenet_tcp_connect_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_dns_port(systemd_resolved_t)
+corenet_tcp_bind_dns_port(systemd_resolved_t)
+ +
+dev_write_kmsg(systemd_resolved_t) +dev_write_kmsg(systemd_resolved_t)
+dev_read_sysfs(systemd_resolved_t) +dev_read_sysfs(systemd_resolved_t)

View File

@ -3203,7 +3203,7 @@ index 0000000..36251b9
+') +')
diff --git a/antivirus.te b/antivirus.te diff --git a/antivirus.te b/antivirus.te
new file mode 100644 new file mode 100644
index 0000000..d8b04b5 index 0000000..6bd2eb9
--- /dev/null --- /dev/null
+++ b/antivirus.te +++ b/antivirus.te
@@ -0,0 +1,273 @@ @@ -0,0 +1,273 @@
@ -3223,7 +3223,7 @@ index 0000000..d8b04b5
+ +
+## <desc> +## <desc>
+## <p> +## <p>
+## Determine whether can antivirus programs use JIT compiler. +## Determine whether antivirus programs can use JIT compiler.
+## </p> +## </p>
+## </desc> +## </desc>
+gen_tunable(antivirus_use_jit, false) +gen_tunable(antivirus_use_jit, false)
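Review bot: style, the reworded description still reads "use JIT compiler"; "use a JIT compiler" is the grammatical form, and the same applies to the clamd_use_jit description changed further down in clamav.te. These strings are what `semanage boolean -l` prints, so fixing them now avoids another "Fix some boolean descriptions" round.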
@ -14188,9 +14188,18 @@ index 4cc4a5c..a6c6322 100644
+ +
') ')
diff --git a/clamav.te b/clamav.te diff --git a/clamav.te b/clamav.te
index ce3836a..94aa8a6 100644 index ce3836a..8dc2b45 100644
--- a/clamav.te --- a/clamav.te
+++ b/clamav.te +++ b/clamav.te
@@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false)
## <desc>
## <p>
-## Determine whether can clamd use JIT compiler.
+## Determine whether clamd can use JIT compiler.
## </p>
## </desc>
gen_tunable(clamd_use_jit, false)
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) @@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
type clamd_initrc_exec_t; type clamd_initrc_exec_t;
init_script_file(clamd_initrc_exec_t) init_script_file(clamd_initrc_exec_t)
@ -30368,10 +30377,10 @@ index 0000000..859dc40
+/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0) +/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0)
diff --git a/fwupd.if b/fwupd.if diff --git a/fwupd.if b/fwupd.if
new file mode 100644 new file mode 100644
index 0000000..c4d2c2d index 0000000..daef190
--- /dev/null --- /dev/null
+++ b/fwupd.if +++ b/fwupd.if
@@ -0,0 +1,260 @@ @@ -0,0 +1,281 @@
+ +
+## <summary>fwupd is a daemon to allow session software to update device firmware</summary> +## <summary>fwupd is a daemon to allow session software to update device firmware</summary>
+ +
@ -30632,6 +30641,27 @@ index 0000000..c4d2c2d
+ systemd_read_fifo_file_passwd_run($1) + systemd_read_fifo_file_passwd_run($1)
+ ') + ')
+') +')
+
+########################################
+## <summary>
+## Send and receive messages from
+## fwupd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_dbus_chat',`
+ gen_require(`
+ type fwupd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 fwupd_t:dbus send_msg;
+ allow fwupd_t $1:dbus send_msg;
+')
diff --git a/fwupd.te b/fwupd.te diff --git a/fwupd.te b/fwupd.te
new file mode 100644 new file mode 100644
index 0000000..e0bb02d index 0000000..e0bb02d
@ -79739,7 +79769,7 @@ index 7cb8b1f..bef7217 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms; + allow $1 puppet_var_run_t:dir search_dir_perms;
') ')
diff --git a/puppet.te b/puppet.te diff --git a/puppet.te b/puppet.te
index 618dcfe..9f36ed5 100644 index 618dcfe..bba4a3e 100644
--- a/puppet.te --- a/puppet.te
+++ b/puppet.te +++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@ -80212,7 +80242,7 @@ index 618dcfe..9f36ed5 100644
selinux_validate_context(puppetmaster_t) selinux_validate_context(puppetmaster_t)
@@ -314,26 +342,31 @@ auth_use_nsswitch(puppetmaster_t) @@ -314,26 +342,32 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t)
@ -80240,6 +80270,7 @@ index 618dcfe..9f36ed5 100644
optional_policy(` optional_policy(`
- mysql_stream_connect(puppetmaster_t) - mysql_stream_connect(puppetmaster_t)
+ systemd_dbus_chat_timedated(puppetagent_t)
+ systemd_dbus_chat_timedated(puppetmaster_t) + systemd_dbus_chat_timedated(puppetmaster_t)
') ')
@ -80249,7 +80280,7 @@ index 618dcfe..9f36ed5 100644
') ')
optional_policy(` optional_policy(`
@@ -342,3 +375,9 @@ optional_policy(` @@ -342,3 +376,9 @@ optional_policy(`
rpm_exec(puppetmaster_t) rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t) rpm_read_db(puppetmaster_t)
') ')
@ -108362,18 +108393,20 @@ index 5406b6e..dc5b46e 100644
admin_pattern($1, tgtd_tmpfs_t) admin_pattern($1, tgtd_tmpfs_t)
') ')
diff --git a/tgtd.te b/tgtd.te diff --git a/tgtd.te b/tgtd.te
index d010963..3822bc7 100644 index d010963..e7e55c7 100644
--- a/tgtd.te --- a/tgtd.te
+++ b/tgtd.te +++ b/tgtd.te
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
# Local policy # Local policy
# #
-allow tgtd_t self:capability sys_resource; -allow tgtd_t self:capability sys_resource;
-allow tgtd_t self:capability2 block_suspend;
+allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin }; +allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin };
allow tgtd_t self:capability2 block_suspend; +allow tgtd_t self:capability2 { block_suspend wake_alarm };
allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms; allow tgtd_t self:fifo_file rw_fifo_file_perms;
allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;
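Review bot: before granting wake_alarm in the capability2 line, check whether the AVC came from a real need (a timerfd or timer_create on a CLOCK_*_ALARM clock) or from a probe; a probe should get a dontaudit rather than an allow. The capability set on the preceding line ({ dac_override ipc_lock sys_resource sys_rawio sys_admin }) is already broad, so a one-line comment in tgtd.te stating why tgtd needs to wake the system from suspend would help the next reviewer.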
@@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) @@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
kernel_read_system_state(tgtd_t) kernel_read_system_state(tgtd_t)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 227%{?dist} Release: 228%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -675,6 +675,25 @@ exit 0
%endif %endif
%changelog %changelog
* Mon Dec 05 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-228
- Fix some boolean descriptions.
- Add fwupd_dbus_chat() interface
- Allow tgtd_t domain wake_alarm
- Merge pull request #172 from vinzent/allow_puppetagent_timedated
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow systemd_machined_t to start unit files labeled as init_var_run_t
- Add init_manage_config_transient_files() interface
- In Atomic /usr/local is a soft symlink to /var/usrlocal, so the default policy to apply bin_t on /usr/...bin doesn't work and binaries dumped here get mislabeled as var_t.
- Allow systemd to raise rlimit to all domains.BZ(1365435)
- Add interface domain_setrlimit_all_domains() interface
- Allow staff_t user to chat with fwupd_t domain via dbus
- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)
- Allow systemd-networkd to read network state BZ(1400016)
- Allow systemd-resolved bind to dns port. BZ(1400023)
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
* Tue Nov 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227 * Tue Nov 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) - Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow pmie daemon to send signal pcmd daemon BZ(1398078) - Allow pmie daemon to send signal pcmd daemon BZ(1398078)
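Review bot: the new 3.13.1-228 changelog block repeats "Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)", which already appears under 3.13.1-227 in the unchanged context lines right below it; drop the duplicate. Two smaller nits in the same block: "Allow systemd to raise rlimit to all domains.BZ(1365435)" is missing a space before BZ, and "Add interface domain_setrlimit_all_domains() interface" says interface twice. The Release bump to 228 in the spec hunk above agrees with the entry header.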