From 73d7285c9262d09996fbc781b02f1e6bbe059551 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 19 Dec 2017 16:18:46 +0100 Subject: [PATCH] * Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307 - Allow crond_t to read pcp lib files BZ(1525420) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783) - Allow certwatch_t to mmap generic certs. BZ(1527173) - Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876) - Add interface userdom_map_user_home_files() - Systemd introduced a new feature where journald (syslogd_t) tries to read symlinks to unit files in /run/systemd/units. This commit labels /run/systemd/units/* as systemd_unit_file_t and allows syslogd_t to read this content. BZ(1527202) - Allow xdm_t dbus chat with modemmanager_t BZ(1526722) - All domains accessing home_cert_t objects should also mmap it. BZ(1519810) --- container-selinux.tgz | Bin 7247 -> 7244 bytes policy-rawhide-base.patch | 510 +++++++++++++++++++++-------------- policy-rawhide-contrib.patch | 158 ++++++----- selinux-policy.spec | 12 +- 4 files changed, 408 insertions(+), 272 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index 99a1c17aa1b7ef1fdadbd03ccf2507dd1f36524b..b681098df99e28e21f3b261c24903a9e47fe1c8f 100644 GIT binary patch literal 7244 zcmb8z16v&o!vNrgWh|Xs%UHH;EL+RAxmC+{EuU=T$+l0nPj&Lie80c&UDy39Zt@tU zFTBkB`d{EKj35b{Jjt^wr@a#Oa6Yv4*5|G>2tsQlfN@xFattId{8h}1&Uk%w?;k}v z)b~O&*B=)KS^<$jxoCBJ2l6@iZCNM z^Y>3sv)_l%Qz8GMude9F(_cd@}omU4|rxMBKJ(TR3!eZ;T@nY0=t@B9T?3=X+#7qc8-TG`%o049vWHgvDdE}}g)yfR=dU+$cH6RQXZD9Ek0+(kZrM8PRz34xtQD6EH*wdbiyK)*!F<$R z>xM+ArE*OZFj7jJdUCG^?s}`wp6Z))VP8z^lXHf9)q&7?`rB5l(Ej>FH=szo*da1{ zJuv{&59ayTf%V@N!1RJ{V(;9@=E=@l8LQ8*x)ow?M_znG03va++)YXc`m=x0yj40n zZ1xQT@l(d5(Ra>^vC(gh9ymj)Q{~JME?ZiU?J_LtD{ECIa`Ejj?qsi!;Q=Nj%LP$i}Om9V*)p5JuobM4nYTo+5+$4+Nqut+FZHLgzkz zFb(APBnFV0GnD~_*EUD?60)}7M^^v%F6g<Ruv1l&8RsOtUBQJi7MX#iQs#iDQA_Q<9t7}a# z+mb5LmzPUXmoVtDZ+oVODVvW+Z=*xksf9Xy6oQ^Ut;O{U-v-ZBX4hYSRZ%9}tvMw( zulicrlTn%pKk{4?Ax2ITRiTAA*X{MTUGF?jUP=c&&*t|gd!}%EAf3< zQd)h(O1#e{QxD-j;2W*wAd^V=tg3zZY#(L2 zAF;FwL?fnHh>xCj>q^J+7(Z4r$QK{K7X_rZtju92Bdk+k60|11!`q$>pusBtdpFf< zNzll+78`7f=FIdlbhRmHYDwS{-q$@r)r$S5-0bS6(^CAnuZWBLL3H>7NmRhiyH;uHQ^kQZ>KflyZw3MN3=Ecn4UB@Lu+Skqqmd|afa{kCY zAVfLsOOomdeVfA73}4_QOb`97vUl&i0sEEOq# zMjTGdWY`zal7Z_gfLgols{)524_Z;|vAp&V@j>>2*9$R|QYRb9LKenvjS=M;-6tQl zlrEMl>VLEN;KY?=*toz-u{wlG-f`U-uMNMJ@IYZX;JvCBhxE%FHmn43~s!`ICesg*VG27AMlfr`o~rkJX{J&ZwNyiT4c8Q?zZEC=1N{8P#avF!U&AW@I(%=fO|-~c zzu4407E5dx1J1O>*h zviVv$)`>{Td}eulV4q={U_03o-k2ORV7F~!-~;>l2OImy)B}c9+kk9Mpq>?Lx&P%$ z35w7ASgeG*HVWb3x-!ppPd3CzKSNr?7Ie!sEqx@ktZ&ZU6$9|h_73j^%z>s^y+*)F zxi?&JNEvMj_40M%MB*uz(QM{$JWn2+)8FB;=Fco>alg9fJG6gGJwSzI5*&a5@^R!P z=P-RlaQ}tzus(YmpLe|=Q0?)xEvSstxDU*Pg9iG>Xwg0(l~W5RNq+5YC~iM~AyF0J z%^=`UykZsY#gxQ#L$2p8|0@Fb?JKhOazyAdUg5TRnw?Ao6w(qrWOWh|5)z>E?7WK& zwG%2_b*KzJyrXK{<0u0S;A#ZR?D1#Fl5hC~Xz6l~zPu4msbPB}F$25W{G}&be|lstHP9AMiEc!JTjTnRW+{-6$?WPC)SfmZ?v>fHtVzu8ec(?ZkEL8$)rI-l59}=we#11VO(<~|{ zPk4Fa<@*)^_BRvsvzN;SGi9}DYN{~W6>o|+o8m&rNgy6^E>&jK_4(7gS zm+wgys_N>?5ijr6-i*ko;Jhs-me#{R-u55HF!PFiu 
z(+Q7Hv&EEdSA#IN9oHNA6FLl5%d<37-e5Nvk&4P_tN49?%n|&!I=fZ<3f^S$?Wglj zPS+BFbTB~0-tx#{MuVS71^jeGXzvffXdLSKn+ zA8is8{n}2lcd2n$z z+f_z6R%@sw#?ir*S9BiR{(|S`w|qq=Qp3}6J89ysSt{bOEOvo>d#$u2NODHS5o3t{ zpYFN8BY(s@y^L+i8^ zyz~p9Pqxu=7Zbf<^h|054hqBLPMvsiT}JwQW7QAOv)#0g<53;@oEct8Ec?1EsZqm? znd_06<`%m&TjH(CI8$^u=uS28&G_l$p+OMeOS z_Fy=f&;nB}(#VXwt?FwMpq&28tD$v&3)j}j_`_S<-{mfDhbtFMXwD8&-`DRVR)itl zACO(GKb`vxOLUi^LxiWB2+03s>Z&1E40jq@2GyN5d|RX z3&3~ReuE+?Y1rqB2d6g5oY~*O5!uVz>Ca=jd(Y(H<(%LkE(}@+y3fA@QV~QQnu0SR z9VyxJHujFHxRgDXEE(CT=mGkc#s)HnvhJ)j$WUIFZ&Q)E$J6~`-y|L|tpgQcuJjsj zdo>Af`6B7E*DJiH6fY)Ze_u$aPppMnK(Y@rf&1W8V2nt-fb~yOgGTy%e-W(O!f4|P z6hB`|SUbe+V`C`7MY&=Jmb=L=J|SsmMlaB;qm{NWF*~hXqe|Gg8fBZ%!+1?P_md?H z-ihmd!P4jcIhcz;vpo~yk)}`!TFtg0{F7^=UN%ppjayhx(_?e8>GXBRom{- z`?6r|cVKKvzz(5W!E5!*`r!v>r|(M``cls!vq`{^cg;(FNuykd691JL0h$@dccya{ z<>1ncKi4%^8`o9{QpU<$HP7B+1~-=xCy58YoUoQ*sCMSuIT)v95%wMC@RxOXaZP{Q z)6xlkz=9~~h=-`$O00BET%utfYcEA{``WBsPd#qE_2Kr96MxNrvl5Va`X0`PS^@(B zIOR;??9jEUT=}cT!NdIZLqbHJHyTzRK4p z`>t!^LEeLSGvoe(Ch=WXk7h$MT^OiEPMw(HZE?#Q@=CoL;q61)DX;oPT*C^H3kPmR zln>^1h$c71S+N?C>r(Mp#?yqXG1EH!H@IFXv;#hS68=k$$gfSA$)G>iBPoTPl}Mb5 zblB=&W3};>!^HA`#>IWjkfaJ%PRL{r@aGYS#P|;SQa*SLo0}n|fH6(pdWM(mdFBh4 znCaEPPFfbMP;r(Ja?^9%ci7;e)>!Z(c0f>++ORIa?vhKrQM&71mc1x0;|YK zlt^i-ohr9E>I67Gq^-BJ*(VJ5q`_VQ%&GC*K{$8YuJNL+uv5@Ljt|i4Xd}i_EnRJR zDq}PszOz&QBlUV^@*o>XE~E@lI1DM9{1S>@o#)ME^s_sXbCSW+90mYJ3s9LFPsyXZ zJdB#f@$OhSMHcb}kPO~uA^XFe&|PvUyQ;j!bQQn~0vep1uI>kNDy95jXCYQ(eN7!% zsBKrIdt2yy#TCS39U2kWrz3;9mijy08BjD)i|~)QJmZ%Gl}+oA{IEMCx>(QCH-<>8 ztG~P3ox}bV$Is7zzj+pKGqCP}qAFA?x3ms9{pR0K$)Lc~QCd4rMK$;vVM_m`kkx-S z`9ncj2d8hkGeu#Bo;q;LhhQ=pM?XYK)>bx`7lIv9vuN`1$-!+dmS<$}kO%%n6In(| zklmgYuI;G*xlNMC0Ltk` z>Kd{pXn^Z*>V*KB>f*YhN8Q*o9|_#h&eKCmFQ0-kDv~WP(vAB1)7A7~b8$T9^3IAZ z<+@f2dnrt6%MhIf^q8|i0e)dZXI(0}Lt7*(*`(J&#}>8oQ%@C@T8mr zZEWry($~Qjd&*sv-t=P@MQd}8(_zcBw1IAA-pffE960lGd%}O`?+gZ#AnzSax?C1y z#N&n;rOft=4|Dk;rB{e|`byabsKWnY?NVxUO$V;a_;ZpbAOgL~R|iLqy1)L5Z~@?R zO>0X1y~0cnUYmrwk`nXBsYl?=nf8$iC2De?qf0O8QQ6km1jT(<}`%NC< 
zctRjsTpA;8&Dsb3C3j)NKiV36Gf}=1UFbJ_jQX6bG`XvQ;W)9h$+s3BQEf?^g_td; ziLw0dFqeSN!p_cnU#+LAI9aeaRE$z$Kvzqlpbk3kBtDm^#kU&in5glZLw)!cWpz+c z52x$4HL%OtWL50QG-W%?HRQYbvMQ#wD zP(Xo}v)bD{(FfgD)Une11$sgtRZ!xkE36f0d6cAqO0cDZR;hj z-yaG?37mUG64<`VnT-B%{1btZx=ogfxuNeZA~HdhqB1uMm+bD*RVBD%(=;nwt80w$ zh~NxKz^L2!j?GReOEhYhd_J>T+JG^89-!j9NNj6pf5n`2aGXHeRI*uur!+a-O45+_ z<|_BkOIaW{sAySi7Sc3hn)-+1pmiC^jMX4k;oKYrc*Xys=bJZ1@U^&F&~L8NQEsB0 z%?7KE&R%7WsOCWxBmu~n*|%!0l7SNe$l%dgoT!hBjQ?WmSiD+d{CT-3965|#@-2Ax z+Hl+I7*@f~OV@$9NIIEB$fi+H-+iOQ0~fs)CZxno-NI7OSNz#BDhw_S==JZ*->C)K zxN%MgkC>S@Mp?Gl%Q-|65&vtL6rrB%AsS5Z$T@nfwGf<$H$@Ak5zJ?jiisW1b+*gv zeM<{3m~dmXDjj*nOZ4VDG))YIiNAZME^r#j0AG3@E_m90M#-xWL2SLbqoSpnr1T=t zZ+t)`h+i9lIkk?d*%FFAw zJcou#$&n>iC(}uoA`;Nx9_*_Yz!HWnB0V(mFZTT^+jhh)ydd(i*{KB$J6in*#Gtye z-%x@fRotpQGTGm-`kCkBE_OjB<>{KS4p8>h8MLlrwAI_W?pmQ}FSd%n%!$w?MYL~c zp^B)ERT{AOVoV6^&;ZKQOQx}_vt`Zs@r+A0%9-~Yp~NY8Ei!jsn919#aGH0;&aaIaDm&%Wqi?VVws8aO@}()ScC^D|DdW zj<_mtCfir#4b3fEQGz1~C`}#qej7X+wby<>|F0-d#!c2X_U`f@3gAp6c2J()?;j!q zvP;*T6(_kF{h=S*N-3R%*H~a7JNka>dR8X?;NA9a*+lJl{XrWs^K8#&8nP;~mlWMo z&22wdH^RdAa}6WOMK!^V)>B`LdLGNl$Xw($UD6EQ$u-(5xitUg|c+kBf_p6Q4gRD z<|TgfAi)X504k$qyT*TQ=Q<(@4aevC9jgsOsaJ*^k_i}{!lc$Vzj^x|0uYe* zujfvJ>VjRBwbezq>{rj4bY^ZuNXZoBM%U8QQ{jHEs7E<=Vjn#;@m zkuarA-)2|%gk_Kw7=SgFlr7{M1Sr)Aq-Ug0dH0c>uPK*7o~zY`S~I!BVhaT0Q#+L} zawbe(+tVe=z#uC=;jM^r4todet$ zJ<{eR%%KhzNH-O4(bht;E_W^{Gn=Go`k0dFYBSTJ+pMzND(L^P@3gh72lA?HF@#Wy zs6qm1z=mE&V#upb8lI6|AaCl@TWt8hAmHt?_p~8C&1oqqqyJQo*fMm+eU;F3PjeUZQ+EoamrYVf&lEWHKD?M;VS^qRH2uB80Wl{uI;!k+NPWP*2fa6U^ z3=jAv*50IrV9tgbWJ)tcLk0@zZ(6`d1IR3Qjb!T8h6bfh?v{!cFT7w5CSpUNb`W1o z2{zr+dskZbldW?N4EF|PrMt6WY*H#)x}szkDF{TksIZFIPJc^!>%?((pZY#B;kX^{LeBF!A&h-U}N6-m)x-Z`Ihg)JYNXBO0zb4!7O z*+z9;FS_?gbzk~o?20>f(Np5alUFNi1G)29&}0GyFX>kwNHNj#l52Ka)|b!ptUV47 zil#inJ0=1@j+wH5y4+B zPzZa|+`^A6+$77xqAQT5y5@(Ef^!TNMo`3$)%s+CxP7Jk2rZS@yU3PCL-y3+XDTQJ z^NHWBFA$!dBkG4mW&_(hlId}ky0QbW?`oVMne{(FLVSDyII`lkjewM&dj|)ia0j19 z-9tu=BP1&$EF&Z&{U#(8AU!~bnjrzk(F=_ARw#I6uSQM*$7H~e$wGz0{P6m{V3u{9 
zhLqHado>|($dkfTQE_En!tED-#y2z;aRa9x`?e z?vx#S1p&(Eu=P8971Pnt!+4M5>Bk2+8`5^QgWmJ`e0*{Gnx9W)R2brS521Ml;(L0X z z%(pBMx4gPehn*q=>L9g|7D679eej2~edY^kZuH8JM%!d85Br+C1GD$QbYNfxLI8UUjD~*wORQ0clb@iuPMocZd9$I$J*aM1f9QX^@Oam zwjp3>TqKQERTbl{5ArK*;C}`k$Kgd?!Kz^il86|QVn)1w(5Egf8I8e5U{s@x@TZ<@uS@2y>BsChElLl=*r0B*LJ1hVi^%4$hQ5 z6Q2<5`j}Y_qU#$FUb)5KshxVSRZwzcH9Vi>XT8`osNUfS8{WN?(0(tdyL!PVnS&oT zf{yvm3RCD~^v!Cp|8mnM?JA*fnU^ZkA5 U&(r^}_B+<{YNgW)QUmM{t!LBF`sM#BFdTO5Z#o3e( z28-7(7y6oA5k)dlYCwDD8R(=(8BLPW-C7-nw4x@P!4{d*aksZgK_1D6J%M+FPfL!0&xf4vH?Jd(!Ar`Tq?|-qTs0xv+2?gA+_Dy> z1ioKi9JP7Er~!5;-o%UX!e8e3(3Yu~^;x$n(z0k;nrTv|*=dq!k#QJ5hEM{S13NJ6 z=^<|9yVtkln*;r2io~;Nj&0Ffd>=#&4zJ_o&AQdRLh`E`Q0@xg@AjFealy^`aJ=tw z%)u<V12fS}?@(BLeJ{2 zD58Lq%ugXm3z>NmK0znZ;qA!B%28CyVc8pt^sF$_~FcUwtNxSNxWd)$o2uQSogEMll&` zF(Hawetl8MM{4`L)%!F-Ctvh%Qm7`mUiMUjG_alB1+~)JcHV3Ygpdn`NBqLE!sDs6 zJ|%VScrEJsl`193G^&^?al#b_Yla+oD#w;_OEaC}4!_)cQrcpFRF z&(wNZ-o1f-N~?f*9_)%~YH+>ch2|lH@rhD?6Jb)|T;?Ip42n~9*9%~OqrjhBBkP;X z3Fin!(|Y-Z5d5#}nc&bh4#bMb+zZGwj}oL*&fcnd{s}l*Ve=5Xe_fbBhA>Ey*mjLn z7kNE603sb7x~#37R*WZ+rRls*Q<3Lj7Z<`bQ(h9u=a;UE7R?vS+juibXt^q)L=Tkx zgVDoiB`Z8aXSy4?YZ!93X_zi#dky$}#rXd8(d3)B_4%<>Z;?wG+by?e%ctf~!vH`L z;RJ96LRf0;CD`xMjW-GRWPp(iTSCgJQf153{ZfQis=m1M) zjHq=Z3Dgrb5I-U}p#>1EHfz?BerdBbu8-(o{5EgsrlItX7yfmQH}}dmFocA84HNT4 z+a_Ebne^LP=WoA%ZWdRvchcb4!vWlb;6Ivt%L~qy(2`#s|Db*|S_q3~b+CkpBwGdQ zXkF|rPzuak*Y19&BGx9vKeoT1P>koneig%_kO2J5S=VGd>3+t53G0P@K^%CR&7>tD&1@QlRJflh1HfQsrX^OH%d6dIH$^$=~tctq8GZWGvj2u?87Kdj7v5^=6H1sjDs z=V9A34u~tSU7JRyigctfLtMzrE9+to^pK^Z)cB#n790yhD{%NgOG(b6xjcXShetFB1rbHQxh;jA3P86Q4K%0ORDWj z)A~X*42w7vPRf7g;_%n^^vm!})!rvNpXD?(@3gS6G$Dk1b>Sc#RRV-;ts&u zgf;hv-3I)%c{Z~(zv2^U@x46eZFrs=ub&`G8{;4PnTzYw9Hw?au`!EP(!aOo=Qe@t zUQ>Mwm^>3h+?;ey@oWlqI_IqxU9occ^l>My`fzLYD#tFWpl;jM@zewZhP>Q%yEY;Ty&Cw8DF}wqpk@yy|D>80>UQ4 zROB=ifa5h0z?NBds|>!(Ry)=7hR#Pu)lQWGF>yq@?!1kQDp5l*4*n#UC<+2;4(H-Z z#lAIagcq$)qsPLPsY9rv$4bj&C-sy`1adwvxQW-b#WLdB@RC469a(o{*y!cA9*C@& 
z19|DnSL$W1Qt(7IaSLtDZX^BD&Z=qiQJczyzT?v7`|}#^W3@y=wpr8j9FSviZ4(s(A3W^t#x_nmaiw?ka(l3XA?j;z&s`Jj?uBKSBo0KNC5QNjv;ln_wx^L!t;e{Rk zz#rdL@$wlIYi=B^WhMS79}?;xd-Rx?!+tHjD#@Qal5dJO1dXa6?8JRtUp~YyUBTXv z)G6PP2+5nJf!vLT8ya%QH?P^+di>rlZy$!_vTZW5nVaii+;u?*7Yiqz4+77ekU3f3 zIAMzCuvz$BzvnJx)??UDFIa5C{f!K1jZ&JF>MeqL^QqwCR) zVoU>CYY0PLdw$&t2mGQUQ9a6u*Qr?Td_DW&e-!K}$%JXvpwL_b7Z*dPBYA(<<@a{j zA;HzXq)o$r*Hq|eG}y^LtyF{N7dPN&(l)H;7}c{I9iWHsjU_P?wcCU3E6G` z=9j?{$!=6}wvdbG+~2X$ud*tFc>fq_eSZb#^&vF&of3~a*UTAMn0;xBjw5jU@ILN` zH)jUqb)r4qv$*(qBVXc8pI^`W=2+dOdO)n5mla%%;w503AsQAaZN$`uJkkb))jemVm;E4O16J$iZ?r)R& zFFr4Cr5e^4Y$3bSudDk!`HCo=ogds!`BY zaRVZ^Z5k-Pe}r^3{Yla(JNR2mSl|xw8kOxl&p*d#Hk1b2V~F(6R#_zPuVCT@vSSX} zP8b=3>&0U~>78DojhNJLEx0=kH;J8ocfBvN{<#(foYn;-u^|X+qr!zOvxUEzz;So? zShMJ-KVvTK_AJ`u%Vt%Jidf`o?Q7uHY#pr*_!_AlH_wl8i2?+9uU*1yN-u+laOZo> zSKrt~Glk%p-v3Z%kD^Cd*9zTB0E_J)Q^W;CG6y!17tTz?`NUjps!AdZb6yFnv|t#O zI3l`VS+jG#;Zj+qi0ueUVQOAR;FI(ts;hQLWcRnEl@49t2Z+Km)&cL3DEk~<7?;Ie z!i8v%NX4p$ZQJGx{;ugJ)TxcS_p&9^+ryP2NbfyajOh1s~f+HDbGSqb|vImzd zl8@uOQFe_2x-4A1Ds1xZ)l2}#rJDVdO>>XVtF!T$;mp|C3h_j&MLjGVuFv~oq+@H` zNFuKaj_dT_DXjeWI|e{Zu9A)-iuBCpDkNIN5d;)NfX~Ch?h;y!{zj8Q6XIrc>5o&v zMC7=~Z&^62tv6h59kky7zV^+X2RV;!6l^pqBp(M0kap?Gd6U&_>`)mw>_-|)abs5S>RH%#uc`rTLBpKv9-o@L=TME+fS3_u4g&Zau z1F^~8yKjFVPyCt363y`ayS!H(_*3gY?Z8mY#|20XsoQ6Q(-o`0>N;>63zg?qDTW}*FlG==&2U(eI zzbY#Q2{_9h?XO{+LB_r%wX1HVhcg^z?rrfhOcyZqAF@G0l%wMQnQbB=?Yglzj-eZv zn2QY6fGh?}s*}x>tDBqmAIwCU&Qn-@-^x>*c{ST~%8L**yvfMu-+vjz>2-8|$Wr96 z8Lx4%h>kNT(Z)t{xLW#mIFk&uyKGg# z!KsHMRA*QHnW&D737pM*vWj8T_L^AZAAoJ_EVbRK5^t?I{7(~r13@k2B|9l2KWo}!O`7a@u8}bDr zn*HS`YkP9IF^cdG=z%Gu#_MhF%NaU84bC(uWlF-nAnDn6Gk$H1T%AzE6!nY$XH-H8 zqFSYHG(Pm=6HdFcA=BOf2XVf%hpT39_RmB!e$Npa_6*P1mA<`g;Et6K7~o~ykbJ8d zIVj23Yr~UVy&>k;`?2u>y0gIyh+)ndj8dI^R7E>qcPwI8Dr^Lrd!)A?t8>2n7#BEx zk1>$WF?pQAhSBfH?dM=;p5z}J;Cjk%-U6jsV+T{x-F1y6g>ycPI&W^uR@XzvDg+!& zHY>YZ69VIN=bBOzfAi&EWsG-)8Ii^FU8z$$bB{b&!FA>HW&%0b1FBA?C+b_mLC!TA zk2Bkh6NHB7ex$lyfcjG+M79+hE;oJG!q!OH{PmMu_x+R!2@W+cR8x+RG^c%^UM3`L 
z(+J-BOQ*5TC;%CX#zLqbuBB&oTeQA4 zVoJa_j9z(SHnW0sEr6@WuQ%2B)1-^-^p9DEQR9nP0QEduTatLT3n#Y{Xon1#DSOyY zg^?QKE=+K59wM(Wp(qH%UYKLE;bE;5J6VhbMkFn8yj{X}CZ2_5HrBaR6Ws@QTNSPF z(40f08T?^+9_s?*w^LH^+Mjac4r?5aDw%Kn&+-&dP- zgFz*+0qbLW-LdEum$oYHg?^eitQ+y{FR635Mmg19uSRd5O@FWkwT9)4AD}+szSnx# z5=QtRlMZLsPg5vB&MmQ;5NsDhmHvS{7z8cm#>e0O+Xvj=1nmHXWC(_N480NeD93{>ofemA6Bp~m|zmHyhTH#C~t0oSNggh`G@ zm^Z#QVIU$qi4t9F*&>q^0;lL94Rp{?k1N{Y7HQB>imG9tXQt_8Xml!2TTlW7CFrh} zuzLTFb(nq8I)MK@OY|BvXpJglk~HF(+_t~7p3(j5CdRt&h^geUkbYbE_C$UXHUQwz z+XH$$6fl4D0<-O`UQ!cV^kCS$?tC*al%pnM4eLwUaH1yCHr$s2e)MtW1^l(J(EW=d zF2DE*G03{cLn`=_H8c&|GTVV|j!b;8#p6-<|EYelqIcF*UUl#FKtc~5-M=?mxAzwXeg_e_wN zEcX*q6J@<7l@1z}J>@tMEGyWg5UBuq(^TFv*tQI9@`b9SaUGU_hC3@U^LWMz(D~>p zRN3N5%Q!SR~q>W7u~D4L&P^4p3Tj$(@Ys;7){EwXDg@gFga?~e4nNK06uf}RWWGM6;5iJOM%{bC#8&O8W`%6Fuc zka0Mx_J`u%!wgUlSMNh7P}-R}%0$<-_yO$J8Jh&}8Y`T59`7E-2P;p#Y>;&QamUcT znnD?6OCtE8{#C#TK0E6*F2VTki)9K}jqE$v)q5B~-nD%qT79ahNC!u3C}*A79R$wa zy9jL+#4VC1I^gI}ZTBdQ_cgnohK6K}{*O4B{DSE<-Ldf^IfT|h$-noRmnz5)q~k>= z?^YrCappzSqAj+j>{E>p>18?QGuH!$gEpMC5Nj<;mxc2~LTG7PqQJqL!N?E}@#QIf z`xwbkYAG1v@A`Yo1~qxrp&LIzvbwV}go5v87IDdxTm^zDdVtalgyGvX_TTc3q;@-% zC-Tf3bHq>&W=Kn}h=XC2xt(Yv=?So$M-5wKvwV!alp1!p&b-y76tD!Y7y7;gk4!2kW}uf5awEyw_I6 z-w*B1LIILNO9$BQqBLQ3+!R@%V~d{oh(xEgd71Tl;C&ly+@I^XM^Rx0Lc2|k^agv| z`W(ZvZ2zQwqvem)dkwonOQV)=Pi&}GKCmpH9jpr+f4J;_EELd+I%>L8owsKl_BFHc zkuPhzOj&B9qy$}XX@>vf_m?)KV-^+RVWe~PUz%`NO>$T*Y#KR7vJf;j9K`&i={r&;vxZB3TPG$GC*wIjX^kz}fG9mbN zcTO1~#mRDfehc_v_`>8Rf`zT3HJK)88clw>UXr?b%x&6o-EvMr3T*@by3uJoyo6of zY2#Wq-S(&%4H+xNMx-TXu*=GbD?snxZ(?dO35>}+;5(LX|L*WAPFE|8`#VJ^Ut53L z7cID7u0EbUQ~b&*-z6hj(WFQlHRTvrmLD%QltRz=3J=+ELuLMy=~SxT^)gc><$T>R zx}T|q)uka#RQP2!aC(=CCU!8&SCgHhl0)tUg%_nabMcaEfp0ym1!3N2zKqkr#~ka_ zHx#uvAHT>3Nj4_$Z$aXpH_Ya|FO`j?du}GX9bmOe_T_zMj@^q@cpN~4GR|S8Uo0s* zM>w2!I0|@$eAPDxXQV*^hH=cWS4jJ-<$h6p<7Ucoy5=n154!TQxlXbFr~`wvrum8~ zNJuQ}=q1MJ?76~0fJ=JN=bvT0FZk+<(0^4Ip`D&(b8$1g^<1FOM0G`qK&yhoy&?%z ziUQ@)h2svPQC`1*wnIGAta#+q;b 
z;-`Cw+r$*}cP#H?B@}xX^rk-z`_+B)37xO`4f=nlF4$sPzY5g&td>jHq#i^SGE9+V z8VB}GCqi9Ph$PAykPXI!ok+v88>iZtb&d`?EZp(Tw|Kd^K?_PNZ1fHt|Eqk-)6p)X zzW#CZK$^MD%XZ4TyFP&ZVi6y+G?(e>ccEFOlD!Snf4N;lp9pJMuR+nsPf@t+pl4L9}TG z`YOy=becU$#qr0-6^ExAHVMvrxm@ZzPLGp^F_U|Kd6LkB`xzG<;S1$Pfx;I2EG1Id)sgM^;>y8UoX6KSacQIy~a(< zKC0H`moGE7$~twZS1-Zpy;mI^UmYTM_&%@T!piz4w~(_Ntikq<_serIy(5RI%(gLD zOanmkrVER&@rdF`+jmap6XrC&GlaA!8IA40+rVgFndRT{6Gs&D1NPLnRprhj;l?b% zt4pjEF3N^gm93$4<_9?NV;US7IHI(aMif|oZBU_Gwu7bd3DaI`8hu+gf#Q8@*Flpq z-QqEWjL@z$UOLQsrWrjbq{y0Ilwz4OEWg7^x6Rfp6UeIHB}~i9z-`8F;{dbMd#9yx zKwt6U0^DW+6GwJ+$mtad<_xy@-!NNm>Lflhp{^C7J zKQeQK;Tpr@b_`V3= zKhjcCi9T@KWxWiL)6sFs4V|l%*jmvie)=q6UgQMu90Df9zO4x05eedC?%?Dmo$E5N zvm?BRQPV(nJ`0pWk_a3AlH+jo}8py+lxB+Onw{h>(h($ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 98851bf8..08f8a56c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -4246,7 +4246,7 @@ index 33e0f8dad..6fd767031 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a68..cb425934b 100644 +index 9e9263a68..464be5733 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ @@ -4377,14 +4377,16 @@ index 9e9263a68..cb425934b 100644 manage_files_pattern($1, bin_t, bin_t) ') -@@ -398,6 +444,7 @@ interface(`corecmd_mmap_bin_files',` +@@ -398,7 +444,8 @@ interface(`corecmd_mmap_bin_files',` type bin_t; ') +- mmap_files_pattern($1, bin_t, bin_t) + corecmd_read_bin_symlinks($1) - mmap_files_pattern($1, bin_t, bin_t) ++ mmap_exec_files_pattern($1, bin_t, bin_t) ') + ######################################## @@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',` interface(`corecmd_bin_spec_domtrans',` gen_require(` 
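Review bot: The `mmap_files_pattern($1, bin_t, bin_t)` → `mmap_exec_files_pattern($1, bin_t, bin_t)` swap in `corecmd_mmap_bin_files` is repeated in corecmd_mmap_all_executables, the textrel_shlib_t rule in libraries.if, libs_use_ld_so and userdom_mmap_user_home_content_files, together with the `mmap_file_perms` → `mmap_exec_file_perms` swap in domain_entry_file and domain_mmap_all_entry_files, yet none of the eight changelog bullets records it, so a reader of the spec history cannot tell whether the granted permission set changed. If `mmap_exec_files_pattern` adds `execute` beyond what the old pattern granted (the name suggests so, but the macro definition is not in this patch), the affected interface summaries, in particular `## Mmap user home files.`, under-describe what callers now receive. Either way a changelog line naming the rename and its reason would close the gap.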
@@ -4480,10 +4482,13 @@ index 9e9263a68..cb425934b 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1145,74 @@ interface(`corecmd_mmap_all_executables',` +@@ -1089,5 +1143,76 @@ interface(`corecmd_mmap_all_executables',` + type bin_t; + ') - mmap_files_pattern($1, bin_t, exec_type) - ') +- mmap_files_pattern($1, bin_t, exec_type) ++ mmap_exec_files_pattern($1, bin_t, exec_type) ++') + +######################################## +## @@ -4554,7 +4559,7 @@ index 9e9263a68..cb425934b 100644 + ') + + filetrans_pattern($1, bin_t, $2, $3, $4) -+') + ') diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 20c76cff9..cc63dcc9c 100644 --- a/policy/modules/kernel/corecommands.te @@ -11517,7 +11522,7 @@ index 0b1a8715a..849b00191 100644 +dev_getattr_all(devices_unconfined_type) + diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d156..452a80549 100644 +index 6a1e4d156..5fd375329 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -11556,7 +11561,13 @@ index 6a1e4d156..452a80549 100644 ') ######################################## -@@ -133,6 +108,10 @@ interface(`domain_entry_file',` +@@ -128,11 +103,15 @@ interface(`domain_entry_file',` + ') + + allow $1 $2:file entrypoint; +- allow $1 $2:file { mmap_file_perms ioctl lock }; ++ allow $1 $2:file { mmap_exec_file_perms ioctl lock }; + typeattribute $2 entry_type; corecmd_executable_file($2) @@ -11706,6 +11717,15 @@ index 6a1e4d156..452a80549 100644 ## Relabel to and from all entry point ## file types. ## +@@ -1390,7 +1462,7 @@ interface(`domain_mmap_all_entry_files',` + attribute entry_type; + ') + +- allow $1 entry_type:file mmap_file_perms; ++ allow $1 entry_type:file mmap_exec_file_perms; + ') + + ######################################## 
@@ -1421,7 +1493,7 @@ interface(`domain_entry_file_spec_domtrans',` ## ## Ability to mmap a low area of the address @@ -32841,7 +32861,7 @@ index 6bf0ecc2d..a6b6087eb 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..f17b76dec 100644 +index 8b403774f..676215ff3 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -33234,12 +33254,12 @@ index 8b403774f..f17b76dec 100644 +allow xdm_t xauth_home_t:file manage_file_perms; + +allow xdm_t xserver_unconfined_type:process { signull }; - --allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; ++ +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) -+ + +-allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t) +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +xserver_filetrans_home_content(xdm_t) @@ -33712,7 +33732,7 @@ index 8b403774f..f17b76dec 100644 ') optional_policy(` -@@ -518,8 +918,36 @@ optional_policy(` +@@ -518,8 +918,40 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -33731,8 +33751,7 @@ index 8b403774f..f17b76dec 100644 + cpufreqselector_dbus_chat(xdm_t) + ') + - optional_policy(` -- accountsd_dbus_chat(xdm_t) ++ optional_policy(` + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') @@ -33741,16 +33760,21 @@ index 8b403774f..f17b76dec 100644 + hal_dbus_chat(xdm_t) + ') + -+ optional_policy(` + optional_policy(` +- accountsd_dbus_chat(xdm_t) + gnomeclock_dbus_chat(xdm_t) + ') + + optional_policy(` ++ modemmanager_dbus_chat(xdm_t) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat(xdm_t) ') ') -@@ -530,6 +958,20 @@ optional_policy(` +@@ -530,6 +962,20 @@ optional_policy(` ') optional_policy(` 
@@ -33771,7 +33795,7 @@ index 8b403774f..f17b76dec 100644 hostname_exec(xdm_t) ') -@@ -547,28 +989,78 @@ optional_policy(` +@@ -547,28 +993,78 @@ optional_policy(` ') optional_policy(` @@ -33859,7 +33883,7 @@ index 8b403774f..f17b76dec 100644 ') optional_policy(` -@@ -580,6 +1072,14 @@ optional_policy(` +@@ -580,6 +1076,14 @@ optional_policy(` ') optional_policy(` @@ -33874,7 +33898,7 @@ index 8b403774f..f17b76dec 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1094,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1098,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -33883,7 +33907,7 @@ index 8b403774f..f17b76dec 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1104,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1108,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -33896,7 +33920,7 @@ index 8b403774f..f17b76dec 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1121,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1125,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -33912,7 +33936,7 @@ index 8b403774f..f17b76dec 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,36 +1137,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,36 +1141,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -33970,7 +33994,7 @@ index 8b403774f..f17b76dec 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1204,29 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1208,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -34003,7 +34027,7 @@ index 8b403774f..f17b76dec 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1238,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1242,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -34018,7 +34042,7 @@ index 8b403774f..f17b76dec 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,28 +1259,25 @@ init_getpgid(xserver_t) +@@ -718,28 +1263,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -34051,7 +34075,7 @@ index 8b403774f..f17b76dec 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; -@@ -785,17 +1323,54 @@ optional_policy(` +@@ -785,17 +1327,54 @@ optional_policy(` ') optional_policy(` @@ -34108,7 +34132,7 @@ index 8b403774f..f17b76dec 100644 ') optional_policy(` -@@ -803,6 +1378,10 @@ optional_policy(` +@@ -803,6 +1382,10 @@ optional_policy(` ') optional_policy(` 
@@ -34119,7 +34143,7 @@ index 8b403774f..f17b76dec 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1397,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1401,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -34144,7 +34168,7 @@ index 8b403774f..f17b76dec 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1420,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1424,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -34179,7 +34203,7 @@ index 8b403774f..f17b76dec 100644 ') optional_policy(` -@@ -912,7 +1485,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1489,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -34188,7 +34212,7 @@ index 8b403774f..f17b76dec 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1539,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1543,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -34220,7 +34244,7 @@ index 8b403774f..f17b76dec 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1585,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1589,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -41631,7 +41655,7 @@ index 73bb3c00c..4ddc8145a 100644 +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +/usr/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93eb..b717d9709 100644 +index 808ba93eb..16ed55e55 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` @@ -41660,9 +41684,12 @@ index 808ba93eb..b717d9709 100644 ## Use the dynamic link/loader for automatic loading ## of shared libraries. ## -@@ -86,7 +105,7 @@ interface(`libs_use_ld_so',` +@@ -84,9 +103,9 @@ interface(`libs_use_ld_so',` + allow $1 lib_t:dir list_dir_perms; + read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - mmap_files_pattern($1, lib_t, ld_so_t) +- mmap_files_pattern($1, lib_t, ld_so_t) ++ mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t }) - allow $1 ld_so_cache_t:file read_file_perms; + allow $1 ld_so_cache_t:file { map read_file_perms }; @@ -41810,7 +41837,7 @@ index 808ba93eb..b717d9709 100644 - mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms; + read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) -+ mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ++ mmap_exec_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) +# allow $1 lib_t:file execmod; allow $1 textrel_shlib_t:file execmod; ') 
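Review bot: In `libs_use_ld_so` the new line `mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t })` widens the file target from `ld_so_t` to `{ lib_t ld_so_t }`, so every caller now gets mapping of all lib_t files rather than only the dynamic loader, which goes beyond the pattern rename made elsewhere in this commit and is not mentioned in the changelog. If only the rename was intended, the second argument should stay `ld_so_t`; if the widening is deliberate, the interface summary should state that lib_t is covered and a comment on the line should give the reason. The closing lines of the interface are outside this hunk.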
@@ -43066,7 +43093,7 @@ index 4e9488463..c54641fbb 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..e9545b961 100644 +index 59b04c1a2..d4fd81a7b 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -43498,7 +43525,7 @@ index 59b04c1a2..e9545b961 100644 ') optional_policy(` -@@ -507,15 +625,44 @@ optional_policy(` +@@ -507,15 +625,45 @@ optional_policy(` ') optional_policy(` @@ -43536,6 +43563,7 @@ index 59b04c1a2..e9545b961 100644 + +optional_policy(` + systemd_rw_coredump_tmpfs_files(syslogd_t) ++ systemd_read_unit_files(syslogd_t) +') + +optional_policy(` @@ -43543,7 +43571,7 @@ index 59b04c1a2..e9545b961 100644 ') optional_policy(` -@@ -526,3 +673,29 @@ optional_policy(` +@@ -526,3 +674,29 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -47050,7 +47078,7 @@ index 38220721d..abac74231 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc4642022..5b26b2de2 100644 +index dc4642022..d3320bdd9 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -47473,7 +47501,7 @@ index dc4642022..5b26b2de2 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +512,86 @@ optional_policy(` +@@ -440,81 +512,87 @@ optional_policy(` # semodule local policy # @@ -47541,6 +47569,7 @@ index dc4642022..5b26b2de2 100644 -seutil_manage_module_store(semanage_t) -seutil_get_semanage_trans_lock(semanage_t) -seutil_get_semanage_read_lock(semanage_t) ++seutil_rw_login_config(semanage_t) +seutil_domtrans_setfiles(semanage_t) + +#seutil_run_setfiles(semanage_t, semanage_roles) 
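Review bot: `systemd_read_unit_files(syslogd_t)` lands next to `systemd_rw_coredump_tmpfs_files(syslogd_t)` with nothing tying it to the problem it solves; the changelog says journald needs to follow the symlinks under /run/systemd/units, which is narrower than read access to every systemd_unit_file_t file if that is what this interface grants (its body is not in the patch). A why-comment on the new line, `# journald follows the /run/systemd/units symlinks to unit files, BZ(1527202)`, would preserve the rationale, and a symlink-only interface should be preferred if one exists or can be added.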
@@ -47616,7 +47645,7 @@ index dc4642022..5b26b2de2 100644 ') ######################################## -@@ -522,111 +599,204 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +600,204 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -49077,10 +49106,10 @@ index a392fc4bc..4870f76fd 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 000000000..121b42208 +index 000000000..ce07ba149 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,81 @@ +@@ -0,0 +1,82 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + @@ -49108,6 +49137,7 @@ index 000000000..121b42208 +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/run/systemd/transient(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) ++/run/systemd/units(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0) @@ -53555,7 +53585,7 @@ index db7597682..c54480a1d 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6c0..3f5aa5f3b 100644 +index 9dc60c6c0..8c0b17aa8 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
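Review bot: The added `seutil_rw_login_config(semanage_t)` is the one line behind the hunk count change `+512,86` → `+512,87`, and it corresponds to none of the eight changelog bullets, so this privilege grant to semanage_t is undocumented. Judging by the interface name it gives semanage_t read/write access to the login configuration; the changelog should carry a line such as `- Allow semanage_t to read and write login config files`, with the motivating BZ number alongside as the other bullets have. The semanage_t section continues beyond this hunk.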
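Review bot: The new file-context line `/run/systemd/units(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)` only determines the label applied by a relabel; objects systemd creates under /run at runtime take their type from the creating domain's type_transition rules or inherit the parent directory's type, and this commit adds no such filetrans rule. Unless init.te already transitions this path to systemd_unit_file_t, the symlinks will not carry the label that the new `systemd_read_unit_files(syslogd_t)` rule in logging.te relies on, and the BZ(1527202) denials would persist on a running system. Confirming the label of /run/systemd/units on a booted system (e.g. with `ls -Z`) before closing the bug would settle this.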
@@ -55723,7 +55753,39 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Mmap user home files. ## ## -@@ -1875,14 +2634,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1858,12 +2617,30 @@ interface(`userdom_mmap_user_home_content_files',` + type user_home_dir_t, user_home_t; + ') + +- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + files_search_home($1) + ') + + ######################################## + ## ++## map user home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_map_user_home_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file map; ++') ++ ++######################################## ++## + ## Read user home files. + ## + ## +@@ -1875,14 +2652,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -55761,7 +55823,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2674,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2692,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -55779,7 +55841,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -1938,7 +2722,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2740,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -55788,7 +55850,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -1946,10 +2730,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2748,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # 
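Review bot: The new `userdom_map_user_home_files` interface grants only `allow $1 user_home_t:file map;` — no read, open or search — but its summary `## map user home files.` neither says so nor follows the capitalised style of its neighbours (`## Mmap user home files.`, `## Read user home files.`). Suggested summary: `## Allow mapping (map permission only) of user home files; callers also need a read interface such as userdom_read_user_home_content_files().`. The sibling change in the same hunk, `mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)` in userdom_mmap_user_home_content_files, keeps the summary `Mmap user home files` although the new pattern name indicates executable mapping of home content; if execute is indeed granted, that summary should say so.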
@@ -55801,7 +55863,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2741,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2759,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -55810,7 +55872,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -1966,12 +2749,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2767,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -55879,7 +55941,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2007,8 +2844,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2862,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -55889,7 +55951,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2024,20 +2860,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2878,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -55914,7 +55976,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## -@@ -2075,6 +2905,7 @@ interface(`userdom_manage_user_home_content_files',` +@@ -2075,6 +2923,7 @@ interface(`userdom_manage_user_home_content_files',` manage_files_pattern($1, user_home_t, user_home_t) allow $1 user_home_dir_t:dir search_dir_perms; @@ -55922,7 +55984,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 files_search_home($1) ') -@@ -2120,7 +2951,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2969,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
@@ -55931,7 +55993,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2128,19 +2959,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2977,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -55955,7 +56017,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2148,12 +2977,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2995,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -55971,7 +56033,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2388,18 +3217,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3235,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -56029,7 +56091,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3279,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3297,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -56038,7 +56100,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2455,6 +3320,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3338,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -56064,7 +56126,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## -@@ -2538,7 +3422,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3440,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user 
@@ -56073,73 +56135,51 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2546,19 +3430,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,7 +3448,27 @@ interface(`userdom_manage_user_tmp_files',` ## ## # -interface(`userdom_manage_user_tmp_symlinks',` +interface(`userdom_filetrans_named_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - -- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ gen_require(` ++ type user_tmp_t; ++ ') ++ + files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") - files_search_tmp($1) - ') - - ######################################## - ## - ## Create, read, write, and delete user --## temporary named pipes. ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user +## temporary symbolic links. - ## - ## - ## -@@ -2566,19 +3450,19 @@ interface(`userdom_manage_user_tmp_symlinks',` - ## - ## - # --interface(`userdom_manage_user_tmp_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_manage_user_tmp_symlinks',` gen_require(` type user_tmp_t; ') - -- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) - ') - - ######################################## - ## - ## Create, read, write, and delete user --## temporary named sockets. -+## temporary named pipes. 
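Review bot: userdom_filetrans_named_user_tmp_files() hard-codes a single transition, `files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")`, while its name suggests a general set of named tmp transitions; the doc block that ends up above it appears to be the old header of userdom_manage_user_tmp_symlinks(), which this hunk moves below, so the summary left in place should be checked. A summary naming the actual effect avoids callers expecting more: `## Create the hsperfdata_root directory in a tmp directory with an automatic type transition to user_tmp_t.` Each further named transition added later should be listed there, since every one changes which newly created objects land in user_tmp_t.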
- ## - ## - ## -@@ -2586,20 +3470,61 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2566,6 +3488,27 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # --interface(`userdom_manage_user_tmp_sockets',` +interface(`userdom_rw_inherited_user_tmp_pipes',` - gen_require(` - type user_tmp_t; - ') - -- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) -+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; - files_search_tmp($1) - ') - ++ gen_require(` ++ type user_tmp_t; ++ ') + - ######################################## - ## --## Create objects in a user temporary directory --## with an automatic type transition to --## a specified private type. ++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ files_search_tmp($1) ++') ++ ++ ++######################################## ++## +## Create, read, write, and delete user +## temporary named pipes. +## @@ -56149,44 +56189,10 @@ index 9dc60c6c0..3f5aa5f3b 100644 +## +## +# -+interface(`userdom_manage_user_tmp_pipes',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user -+## temporary named sockets. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_user_tmp_sockets',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create objects in a user temporary directory -+## with an automatic type transition to -+## a specified private type. - ## - ## - ## -@@ -2661,6 +3586,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` + interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; +@@ -2661,6 +3604,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') 
@@ -56208,7 +56214,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3612,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3630,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -56230,7 +56236,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2692,19 +3627,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3645,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -56253,7 +56259,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2713,13 +3642,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3660,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -56314,7 +56320,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2814,6 +3786,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3804,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -56339,7 +56345,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3822,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3840,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -56382,7 +56388,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -2856,14 +3858,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3876,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -56420,7 +56426,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2882,8 +3903,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3921,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') 
@@ -56450,7 +56456,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -2955,6 +3995,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +4013,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -56493,7 +56499,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4054,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4072,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -56518,7 +56524,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4072,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4090,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -56530,7 +56536,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## memory segments. ## ## -@@ -3025,17 +4083,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4101,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -56551,7 +56557,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## memory segments. ## ## -@@ -3044,12 +4102,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4120,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -56566,7 +56572,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -3094,7 +4152,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4170,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -56575,7 +56581,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4168,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4186,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -56609,7 +56615,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -3214,7 +4256,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4274,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -56636,7 +56642,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ') ######################################## -@@ -3269,12 +4329,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4347,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -56652,7 +56658,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## ## ## -@@ -3282,46 +4343,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4361,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # 
@@ -56710,32 +56716,37 @@ index 9dc60c6c0..3f5aa5f3b 100644 gen_require(` - attribute userdomain; + type user_tmp_t; -+ ') -+ + ') + +- allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Inherit the file descriptors from all user domains +## Allow domain to read/write inherited users +## fifo files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -3337,17 +4418,91 @@ interface(`userdom_getattr_all_users',` + ## + ## + # +-interface(`userdom_use_all_users_fds',` +interface(`userdom_rw_inherited_user_pipes',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ + gen_require(` + attribute userdomain; + ') + +- allow $1 userdomain:fd use; + allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to inherit the file +## Do not audit attempts to use user ttys. +## +## @@ -56785,10 +56796,36 @@ index 9dc60c6c0..3f5aa5f3b 100644 +interface(`userdom_getattr_all_users',` + gen_require(` + attribute userdomain; - ') - - allow $1 userdomain:process getattr; -@@ -3382,6 +4519,42 @@ interface(`userdom_signal_all_users',` ++ ') ++ ++ allow $1 userdomain:process getattr; ++') ++ ++######################################## ++## ++## Inherit the file descriptors from all user domains ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_all_users_fds',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:fd use; ++') ++ ++######################################## ++## ++## Do not audit attempts to inherit the file + ## descriptors from any user domains. + ## + ## +@@ -3382,6 +4537,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -56831,7 +56868,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4575,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4593,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -56892,7 +56929,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4662,1853 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4680,1853 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -58747,7 +58784,7 @@ index 9dc60c6c0..3f5aa5f3b 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38dc7..0fce86e80 100644 +index f4ac38dc7..8bbc532c5 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -58836,7 +58873,7 @@ index f4ac38dc7..0fce86e80 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,399 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,400 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
@@ -58949,6 +58986,7 @@ index f4ac38dc7..0fce86e80 100644 +read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) +read_lnk_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) +userdom_search_user_home_content(userdom_home_reader_certs_type) ++allow userdom_home_reader_certs_type home_cert_t:file map; + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(userdom_home_reader_certs_type) 
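Review bot: The new `allow userdom_home_reader_certs_type home_cert_t:file map;` is a bare rule dropped between pattern macro calls; a one-line comment tying it to the report would help later readers, e.g. `# BZ(1519810): domains reading home certs also need to mmap them (map + read only; execute is not granted here)`. The rule sits outside the use_ecryptfs_home_dirs tunable that follows, so home certs on an ecryptfs home still get only fs_read_ecryptfs_files() — presumably acceptable, but worth confirming. Replacing read_files_pattern() plus this allow with the mmap_read_files_pattern() helper added in this commit would not be a drop-in change, because mmap_read_file_perms omits the lock permission that read_file_perms carries.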
@@ -59267,6 +59305,58 @@ index db3cbca45..3cc5cf448 100644 +policycap nnp_nosuid_transition; + + +diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt +index 8b785c9a3..8aa8c3610 100644 +--- a/policy/support/file_patterns.spt ++++ b/policy/support/file_patterns.spt +@@ -99,9 +99,21 @@ define(`read_files_pattern',` + allow $1 $3:file read_file_perms; + ') + ++define(`mmap_read_files_pattern',` ++ allow $1 $2:dir search_dir_perms; ++ allow $1 $3:file mmap_read_file_perms; ++') ++ + define(`mmap_files_pattern',` ++ # deprecated 20171213 ++ refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead') + allow $1 $2:dir search_dir_perms; +- allow $1 $3:file mmap_file_perms; ++ allow $1 $3:file mmap_exec_file_perms; ++') ++ ++define(`mmap_exec_files_pattern',` ++ allow $1 $2:dir search_dir_perms; ++ allow $1 $3:file mmap_exec_file_perms; + ') + + define(`exec_files_pattern',` +@@ -124,6 +136,11 @@ define(`rw_files_pattern',` + allow $1 $3:file rw_file_perms; + ') + ++define(`mmap_rw_files_pattern',` ++ allow $1 $2:dir search_dir_perms; ++ allow $1 $3:file mmap_rw_file_perms; ++') ++ + define(`create_files_pattern',` + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:file create_file_perms; +diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt +index 4ca5688c3..355ff953c 100644 +--- a/policy/support/misc_macros.spt ++++ b/policy/support/misc_macros.spt +@@ -67,7 +67,7 @@ define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'if + # + # can_exec(domain,executable) + # +-define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };') ++define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };') + + ######################################## + # diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index e79d54501..101086d66 100644 --- a/policy/support/misc_patterns.spt 
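Review bot: The deprecation warning added to mmap_files_pattern() steers every caller to mmap_exec_files_pattern(), the widest variant (mmap_exec_file_perms includes execute), although the same hunk introduces mmap_read_files_pattern() for callers that only need to map for reading. Point callers at the narrower option first, e.g. the message "mmap_files_pattern() is deprecated, please use mmap_read_files_pattern() or mmap_exec_files_pattern() instead". The can_exec() change in misc_macros.spt is a pure rename — the old mmap_file_perms and the new mmap_exec_file_perms list the same permissions in the obj_perm_sets hunk — so there is no behaviour change there.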
@@ -59299,7 +59389,7 @@ index e79d54501..101086d66 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e9131723..528c5d2d1 100644 +index 6e9131723..d63bb8b45 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -59321,7 +59411,7 @@ index 6e9131723..528c5d2d1 100644 # # Permissions for creating and using sockets. -@@ -153,12 +152,16 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') +@@ -153,12 +152,22 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') # define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') @@ -59334,6 +59424,10 @@ index 6e9131723..528c5d2d1 100644 +define(`read_inherited_file_perms',`{ getattr read ioctl lock }') +define(`read_file_perms',`{ open read_inherited_file_perms }') +define(`mmap_file_perms',`{ getattr open map read execute ioctl }') ++define(`mmap_read_inherited_file_perms',`{ getattr map read ioctl }') ++define(`mmap_read_file_perms',`{ getattr open map read ioctl }') ++define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }') ++define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }') +define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') +define(`append_inherited_file_perms',`{ getattr append }') +define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }') 
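Review bot: `mmap_read_file_perms` is defined as `{ getattr open map read ioctl }`, which is not a superset of `read_file_perms` — that set includes `lock` through `read_inherited_file_perms` — so a module migrated from read_files_pattern() to mmap_read_files_pattern() silently loses file locking, and the mmap_rw sets in the next hunk have the same gap (no `lock`, no `append`) relative to `rw_file_perms`. Either add `lock` to the read variant, `{ getattr open map read ioctl lock }`, or put a comment above these defines stating that the mmap_* sets are deliberately minimal and are meant to be used alongside, not instead of, the existing read/rw sets.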
@@ -59341,10 +59435,12 @@ index 6e9131723..528c5d2d1 100644 +define(`write_file_perms',`{ open write_inherited_file_perms }') +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') +define(`rw_file_perms',`{ open rw_inherited_file_perms }') ++define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }') ++define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }') define(`create_file_perms',`{ getattr create open }') define(`rename_file_perms',`{ getattr rename }') define(`delete_file_perms',`{ getattr unlink }') -@@ -179,7 +182,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') +@@ -179,7 +188,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') define(`delete_lnk_file_perms',`{ getattr unlink }') @@ -59353,7 +59449,7 @@ index 6e9131723..528c5d2d1 100644 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }') define(`relabelto_lnk_file_perms',`{ getattr relabelto }') define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }') -@@ -192,7 +195,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') +@@ -192,7 +201,8 @@ define(`setattr_fifo_file_perms',`{ setattr }') define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') 
@@ -59363,7 +59459,7 @@ index 6e9131723..528c5d2d1 100644 define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }') +@@ -208,8 +218,9 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') @@ -59375,7 +59471,7 @@ index 6e9131723..528c5d2d1 100644 define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') -@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }') +@@ -225,7 +236,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') @@ -59385,7 +59481,7 @@ index 6e9131723..528c5d2d1 100644 define(`create_blk_file_perms',`{ getattr create }') define(`rename_blk_file_perms',`{ getattr rename }') define(`delete_blk_file_perms',`{ getattr unlink }') -@@ -242,7 +248,8 @@ define(`setattr_chr_file_perms',`{ setattr }') +@@ -242,7 +254,8 @@ define(`setattr_chr_file_perms',`{ setattr }') define(`read_chr_file_perms',`{ getattr open read lock ioctl }') define(`append_chr_file_perms',`{ getattr open append lock ioctl }') define(`write_chr_file_perms',`{ getattr open write append lock ioctl }') 
@@ -59395,7 +59491,7 @@ index 6e9131723..528c5d2d1 100644 define(`create_chr_file_perms',`{ getattr create }') define(`rename_chr_file_perms',`{ getattr rename }') define(`delete_chr_file_perms',`{ getattr unlink }') -@@ -259,7 +266,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') +@@ -259,7 +272,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') # # Use (read and write) terminals # @@ -59405,7 +59501,7 @@ index 6e9131723..528c5d2d1 100644 # # Sockets -@@ -271,3 +279,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept +@@ -271,3 +285,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3e59f8bb..c0fc4738 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12792,10 +12792,10 @@ index 550b287ce..73104ec93 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 171fafb99..38614a0e9 100644 +index 171fafb99..6cf8b7957 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t; +@@ -18,35 +18,48 @@ role certwatch_roles types certwatch_t; # Local policy # @@ -12827,6 +12827,7 @@ index 171fafb99..38614a0e9 100644 miscfiles_read_all_certs(certwatch_t) -miscfiles_read_localization(certwatch_t) +miscfiles_manage_generic_cert_dirs(certwatch_t) ++miscfiles_map_generic_certs(certwatch_t) + +sysnet_read_config(certwatch_t) @@ -20020,7 +20021,7 @@ index 1303b3036..f5bd4aee8 100644 + logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log") ') diff --git a/cron.te b/cron.te -index 7de385956..46400791a 100644 +index 7de385956..31053c2a9 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` 
@@ -20439,7 +20440,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -354,103 +314,141 @@ optional_policy(` +@@ -354,103 +314,145 @@ optional_policy(` ') optional_policy(` @@ -20448,22 +20449,20 @@ index 7de385956..46400791a 100644 - optional_policy(` - hal_dbus_chat(crond_t) - ') -- ++ djbdns_search_tinydns_keys(crond_t) ++ djbdns_link_tinydns_keys(crond_t) ++') + - optional_policy(` - unconfined_dbus_send(crond_t) - ') -+ djbdns_search_tinydns_keys(crond_t) -+ djbdns_link_tinydns_keys(crond_t) - ') - - optional_policy(` -- amanda_search_var_lib(crond_t) ++optional_policy(` + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) ') optional_policy(` -- amavis_search_lib(crond_t) +- amanda_search_var_lib(crond_t) + # these should probably be unconfined_crond_t + dbus_system_bus_client(crond_t) + init_dbus_send_script(crond_t) @@ -20471,28 +20470,32 @@ index 7de385956..46400791a 100644 ') optional_policy(` -- djbdns_search_tinydns_keys(crond_t) -- djbdns_link_tinydns_keys(crond_t) +- amavis_search_lib(crond_t) + amanda_search_var_lib(crond_t) ') optional_policy(` -- hal_write_log(crond_t) +- djbdns_search_tinydns_keys(crond_t) +- djbdns_link_tinydns_keys(crond_t) + antivirus_search_db(crond_t) ') + optional_policy(` ++ hal_dbus_chat(crond_t) + hal_write_log(crond_t) ++ hal_dbus_chat(system_cronjob_t) + ') + optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) -+ hal_dbus_chat(crond_t) -+ hal_write_log(crond_t) -+ hal_dbus_chat(system_cronjob_t) ++ # cjp: why? ++ munin_search_lib(crond_t) ') optional_policy(` - mta_send_mail(crond_t) -+ # cjp: why? -+ munin_search_lib(crond_t) ++ pcp_read_lib_files(crond_t) ') optional_policy(` 
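Review bot: `pcp_read_lib_files(crond_t)` grants the cron daemon itself, not the job domain, read access to pcp lib files; nothing in the hunk shows which process produced the BZ(1525420) denial, and the system_cronjob_t rules where pcp jobs would normally run lie outside this hunk. A comment on the new block recording the trigger keeps the rule from outliving its reason, e.g. `# BZ(1525420): crond_t reads pcp lib files (<reason from audit record>)`. The rest of the hunk only reorders existing optional_policy blocks.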
@@ -20613,7 +20616,7 @@ index 7de385956..46400791a 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -461,11 +463,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -20626,7 +20629,7 @@ index 7de385956..46400791a 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -485,6 +487,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -20634,7 +20637,7 @@ index 7de385956..46400791a 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t) +@@ -495,17 +498,22 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -20659,7 +20662,7 @@ index 7de385956..46400791a 100644 auth_use_nsswitch(system_cronjob_t) -@@ -516,20 +520,28 @@ logging_read_generic_logs(system_cronjob_t) +@@ -516,20 +524,28 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -20690,7 +20693,7 @@ index 7de385956..46400791a 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +551,26 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +555,26 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
@@ -20717,7 +20720,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -551,10 +579,6 @@ optional_policy(` +@@ -551,10 +583,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -20728,7 +20731,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -567,6 +591,10 @@ optional_policy(` +@@ -567,6 +595,10 @@ optional_policy(` ') optional_policy(` @@ -20739,7 +20742,7 @@ index 7de385956..46400791a 100644 ftp_read_log(system_cronjob_t) ') -@@ -591,6 +619,8 @@ optional_policy(` +@@ -591,6 +623,8 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -20748,7 +20751,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -598,7 +628,31 @@ optional_policy(` +@@ -598,7 +632,31 @@ optional_policy(` ') optional_policy(` @@ -20780,7 +20783,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -607,7 +661,12 @@ optional_policy(` +@@ -607,7 +665,12 @@ optional_policy(` ') optional_policy(` @@ -20793,7 +20796,7 @@ index 7de385956..46400791a 100644 ') optional_policy(` -@@ -615,12 +674,27 @@ optional_policy(` +@@ -615,12 +678,27 @@ optional_policy(` ') optional_policy(` @@ -20823,7 +20826,7 @@ index 7de385956..46400791a 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +702,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +706,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
@@ -20857,7 +20860,7 @@ index 7de385956..46400791a 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +735,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +739,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -23031,7 +23034,7 @@ index dda905b9c..60806a524 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb46..c0c2ed47d 100644 +index 62d22cb46..d9c0343da 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -23109,7 +23112,7 @@ index 62d22cb46..c0c2ed47d 100644 - - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + # For connecting to the bus -+ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms }; ++ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms create }; + allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; @@ -23561,7 +23564,7 @@ index 62d22cb46..c0c2ed47d 100644 ## ## ## Type to be used as a domain. -@@ -397,199 +410,250 @@ interface(`dbus_manage_lib_files',` +@@ -397,199 +410,251 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -23881,6 +23884,7 @@ index 62d22cb46..c0c2ed47d 100644 - allow $1 system_dbusd_t:fd use; + dontaudit $1 system_dbusd_t:unix_stream_socket connectto; ++ dontaudit $1 system_dbusd_t:sock_file write; ') ######################################## @@ -23892,7 +23896,7 @@ index 62d22cb46..c0c2ed47d 100644 ## ## ## -@@ -597,28 +661,68 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +662,68 @@ interface(`dbus_use_system_bus_fds',` ## ## # 
@@ -23970,7 +23974,7 @@ index 62d22cb46..c0c2ed47d 100644 + manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ') diff --git a/dbus.te b/dbus.te -index c9998c80d..328aa81d2 100644 +index c9998c80d..5a9dfdf1e 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -24004,7 +24008,15 @@ index c9998c80d..328aa81d2 100644 type session_dbusd_tmp_t; typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t) +@@ -36,12 +31,16 @@ init_system_domain(system_dbusd_t, dbusd_exec_t) + type system_dbusd_tmp_t; + files_tmp_file(system_dbusd_tmp_t) + ++type system_dbusd_tmpfs_t; ++files_tmpfs_file(system_dbusd_tmpfs_t) ++ + type system_dbusd_var_lib_t; + files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) @@ -24014,7 +24026,7 @@ index c9998c80d..328aa81d2 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,64 @@ ifdef(`enable_mls',` +@@ -51,59 +50,69 @@ ifdef(`enable_mls',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') @@ -24050,6 +24062,11 @@ index c9998c80d..328aa81d2 100644 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file }) +files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) ++ ++manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) ++manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) ++fs_tmpfs_filetrans(system_dbusd_t, system_dbusd_tmpfs_t, { dir file }) ++allow system_dbusd_t system_dbusd_tmpfs_t:file map; read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) 
@@ -24097,7 +24114,7 @@ index c9998c80d..328aa81d2 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +124,177 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +132,177 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -24175,14 +24192,14 @@ index c9998c80d..328aa81d2 100644 + +optional_policy(` + snapper_read_inherited_pipe(system_dbusd_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_dhcpc(system_dbusd_t) ') optional_policy(` - seutil_sigchld_newrole(system_dbusd_t) -+ sysnet_domtrans_dhcpc(system_dbusd_t) -+') -+ -+optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -24216,7 +24233,7 @@ index c9998c80d..328aa81d2 100644 # +role system_r types system_bus_type; +dontaudit system_bus_type self:capability net_admin; -+ + +allow system_bus_type system_dbusd_t:unix_stream_socket rw_socket_perms; + +fs_search_all(system_bus_type) @@ -24250,7 +24267,7 @@ index c9998c80d..328aa81d2 100644 +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') - ++ +######################################## +# +# session_bus_type rules @@ -24289,7 +24306,7 @@ index c9998c80d..328aa81d2 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +303,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +311,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) 
@@ -24314,7 +24331,7 @@ index c9998c80d..328aa81d2 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +322,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +330,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -24322,7 +24339,7 @@ index c9998c80d..328aa81d2 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +331,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +339,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -24364,7 +24381,7 @@ index c9998c80d..328aa81d2 100644 ') ######################################## -@@ -244,5 +368,9 @@ optional_policy(` +@@ -244,5 +376,9 @@ optional_policy(` # Unconfined access to this module # @@ -28598,7 +28615,7 @@ index 18f245250..a446210f0 100644 + ') diff --git a/dspam.te b/dspam.te -index ef6236335..084171673 100644 +index ef6236335..25dcb975a 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -28624,7 +28641,7 @@ index ef6236335..084171673 100644 files_search_spool(dspam_t) -@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t) +@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t) logging_send_syslog_msg(dspam_t) @@ -28634,6 +28651,9 @@ index ef6236335..084171673 100644 apache_content_template(dspam) + apache_content_alias_template(dspam, dspam) + ++ manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) ++ manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) ++ + read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) + + auth_read_passwd(dspam_script_t) 
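Review bot: The two added `manage_*_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t)` lines in hunk `@@ -28634,6 +28651,9 @@` restore only part of what the contrib patch drops from upstream dspam.te: the following hunk shows the removed `list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)` as context, and nothing re-adds a `list_dirs_pattern(dspam_t, dspam_content_t, dspam_content_t)` equivalent. If the read-write content directories are reached through a directory labelled dspam_content_t, dspam_t will still be denied search/list there and BZ(1290876) may be only half fixed; worth confirming against the original denial before closing it. The enclosing optional_policy block that calls `apache_content_template(dspam)` starts and ends outside this hunk.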
@@ -28641,14 +28661,14 @@ index ef6236335..084171673 100644 + files_search_var_lib(dspam_script_t) + + domain_dontaudit_read_all_domains_state(dspam_script_t) -+ -+ term_dontaudit_search_ptys(dspam_script_t) -+ term_dontaudit_getattr_all_ttys(dspam_script_t) -+ term_dontaudit_getattr_all_ptys(dspam_script_t) - list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) - manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) - manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) ++ term_dontaudit_search_ptys(dspam_script_t) ++ term_dontaudit_getattr_all_ttys(dspam_script_t) ++ term_dontaudit_getattr_all_ptys(dspam_script_t) ++ + init_read_utmp(dspam_script_t) + + logging_send_syslog_msg(dspam_script_t) @@ -28662,7 +28682,7 @@ index ef6236335..084171673 100644 ') optional_policy(` -@@ -87,3 +114,12 @@ optional_policy(` +@@ -87,3 +117,12 @@ optional_policy(` postgresql_tcp_connect(dspam_t) ') @@ -50810,7 +50830,7 @@ index 1d4eb19b8..650014e0f 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te -index 29b752160..8c41e59db 100644 +index 29b752160..5000dd91c 100644 --- a/memcached.te +++ b/memcached.te @@ -8,6 +8,7 @@ policy_module(memcached, 1.3.1) 
@@ -50830,7 +50850,16 @@ index 29b752160..8c41e59db 100644 dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket { accept listen }; -@@ -59,4 +60,3 @@ term_dontaudit_use_console(memcached_t) +@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen }; + allow memcached_t self:fifo_file rw_fifo_file_perms; + allow memcached_t self:unix_stream_socket create_stream_socket_perms; + ++allow memcached_t memcached_exec_t:file map; ++ + manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) + manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) + manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) +@@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t) auth_use_nsswitch(memcached_t) @@ -54082,7 +54111,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..bb6533dae 100644 +index 11ac8e4fc..7e6607cab 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -54536,7 +54565,7 @@ index 11ac8e4fc..bb6533dae 100644 ') optional_policy(` -@@ -300,259 +340,265 @@ optional_policy(` +@@ -300,259 +340,266 @@ optional_policy(` ######################################## # @@ -54833,6 +54862,7 @@ index 11ac8e4fc..bb6533dae 100644 +userdom_read_user_tmp_symlinks(mozilla_plugin_t) +userdom_stream_connect(mozilla_plugin_t) +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) ++userdom_map_user_home_files(mozilla_plugin_t) -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) @@ -54948,7 +54978,7 @@ index 11ac8e4fc..bb6533dae 100644 ') optional_policy(` -@@ -560,7 +606,11 @@ optional_policy(` +@@ -560,7 +607,11 @@ optional_policy(` ') optional_policy(` @@ -54961,7 +54991,7 @@ index 11ac8e4fc..bb6533dae 100644 ') optional_policy(` -@@ -568,108 +618,144 @@ optional_policy(` +@@ -568,108 +619,144 @@ optional_policy(` ') optional_policy(` 
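Review bot: `userdom_map_user_home_files(mozilla_plugin_t)` in hunk `@@ -54833,6 +54862,7 @@` hands the plugin domain mmap access to every user_home_t file, which is the broadest possible grant for what BZ(1452783) describes; if the denial came from a specific plugin-owned path, labelling it with a narrower type would be the least-privilege fix, and if the wide grant is intentional that reasoning belongs in a comment, e.g. `# plugins mmap() arbitrary user_home_t content (BZ 1452783)`. Note that `map` by itself does not permit executable mappings without file execute permission, so the added exposure is to home-directory data rather than code loading — presumably the intent, but worth stating. The mozilla_plugin_t rule block continues outside this hunk.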
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fcd59870..92ae0c90 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 306%{?dist}
+Release: 307%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,16 @@ exit 0
 %endif
 
 %changelog
+* Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307
+- Allow crond_t to read pcp lib files BZ(1525420)
+- Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)
+- Allow certwatch_t to mmap generic certs. BZ(1527173)
+- Allow dspam_t to manage dspam_rw_conent_t objects. BZ(1290876)
+- Add interface userdom_map_user_home_files()
+- Sytemd introduced new feature when journald(syslogd_t) is trying to read symlinks to unit files in /run/systemd/units. This commit label /run/systemd/units/* as systemd_unit_file_t and allow syslogd_t to read this content. BZ(1527202)
+- Allow xdm_t dbus chat with modemmanager_t BZ(1526722)
+- All domains accessing home_cert_t objects should also mmap it. BZ(1519810)
+
 * Wed Dec 13 2017 Lukas Vrabec - 3.13.1-306
 - Allow thumb_t domain to dosfs_t BZ(1517720)
 - Allow gssd_t to read realmd_var_lib_t files BZ(1521125)