From 8db354a9b7727f747640c142e75db6f6dee25da6 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Tue, 14 Oct 2014 11:51:56 +0200 Subject: [PATCH] * Tue Oct 14 2014 Lukas Vrabec 3.13.1-86 - Dontaudit aicuu to search home config dir. BZ (#1104076) - couchdb is using erlang so it needs execmem privs - Allow sanlock to send a signal to virtd_t. - Allow mongodb to 'accept' accesses on the tcp_socket port. - Make sosreport an unconfined domain. - Allow nova-console to connect to mem_cache port. - Allow mandb to getattr on file systems - Allow antivirus domain to read all kernel sysctls. - Allow lmsd_plugin to read passwd file. BZ(1093733) - Label /usr/share/corosync/corosync as cluster_exec_t. - Allow sensord to getattr on sysfs. - automount policy is a non-base module so it needs to be called in an optional block. - Add auth_use_nsswitch for portreserve to make it work with sssd. - Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files. - Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn work with systemd. - Allow openvpn to access /sys/fs/cgroup dir. - Allow nova-scheduler to read certs - Add support for /var/lib/swiftdirectory. - Allow neutron connections to system dbus. - Allow mongodb to manage own log files. - Allow opensm_t to read/write /dev/infiniband/umad1. - Added policy for mon_statd and mon_procd services. BZ (1077821) - kernel_read_system_state needs to be called with type. Moved it to antivirus.if. - Allow dnssec_trigger_t to execute unbound-control in own domain. - Allow all RHCS services to read system state. - Added monitor device - Add interfaces for /dev/infiniband - Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type. - Add files_dontaudit_search_security_files() - Add selinuxuser_udp_server boolean - Allow syslogd_t to create /var/log/cron with correct labeling - Add support for /etc/.updated and /var/.updated - Allow iptables to read fail2ban logs. BZ (1147709) - Allow ldconfig to read proc//net/sockstat.
---
policy-rawhide-base.patch | 1012 +++++++++++++++++++---------
policy-rawhide-contrib.patch | 741 ++++++++++++++++---------
selinux-policy.spec | 38 +-
3 files changed, 1095 insertions(+), 696 deletions(-)
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c4b22b1f..bf9912e6 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -900,7 +900,7 @@ index 66e85ea..d02654d 100644
## user domains.
##

diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..b7e7ea5 100644 +index 4705ab6..b82865c 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -6,52 +6,59 @@ @@ -989,7 +989,7 @@ index 4705ab6..b7e7ea5 100644 ## Allow any files/directories to be exported read/write via NFS. ##

## -@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false) +@@ -105,9 +103,39 @@ gen_tunable(use_samba_home_dirs,false) ## ##

@@ -1017,6 +1017,15 @@ index 4705ab6..b7e7ea5 100644 + +## +##

++## Allow users to run UDP servers (bind to ports and accept connection from ++## the same domain and outside users) disabling this may break avahi ++## discovering services on the network and other udp related services. ++##

++##
++gen_tunable(selinuxuser_udp_server,false) ++ ++## ++##

+## Allow the mount commands to mount any directory or file. +##

+##
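Review bot: The `selinuxuser_udp_server` tunable added in this hunk defaults to `false`, yet its description only says what breaks when it is disabled ("disabling this may break avahi discovering services ..."), which is the shipped state, so an administrator reading the boolean list cannot tell what switching it on actually grants. Because the boolean widens the network surface of ordinary user domains (binding UDP ports reachable from other domains and remote hosts), the description should state the grant and the default, e.g. `## Allow user domains to run UDP servers (bind to UDP ports and accept traffic from the same domain and from outside users). Off by default; when off, avahi service discovery and other UDP based services run by users may fail.` The rules gated by this tunable are not in this hunk, so whether anything in the patch references it cannot be checked from here.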
@@ -5913,7 +5922,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..5e37a40 100644
+index b31c054..50bfabf 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5937,7 +5946,16 @@ index b31c054..5e37a40 100644
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -61,7 +64,8 @@
+@@ -44,6 +47,8 @@
+ /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
++/dev/infiniband/.* -b gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
+ /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+@@ -61,7 +66,8 @@
/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
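Review bot: The `-b` entry `/dev/infiniband/.* -b gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)` labels block device nodes, but the nodes udev creates under `/dev/infiniband` (umad, uverbs, issm, rdma_cm) are character devices, so on a stock system this line matches nothing and its only effect is to make a block-file label for `infiniband_device_t` look legitimate to the `read_blk_files_pattern`/`rw_blk_files_pattern` calls that the devices.if hunk further down pairs with it. Unless a block node is known to exist there, drop the `-b` line and keep the type to exactly the character nodes the commit message introduces it for (the `/dev/infiniband/umad1` case). The `mls_systemhigh` level on the `-c` line presumably mirrors the `fixed_disk_device_t` label these nodes carried before, which is the sensible choice for hardware that gives direct access to remote memory.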
@@ -5947,7 +5965,15 @@ index b31c054..5e37a40 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -106,6 +110,7 @@ +@@ -72,6 +78,7 @@ + /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) ++/dev/monwriter -c gen_context(system_u:object_r:monitor_device_t,s0) + /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) +@@ -106,6 +113,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -5955,7 +5981,7 @@ index b31c054..5e37a40 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +123,11 @@ +@@ -118,6 +126,11 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -5967,7 +5993,7 @@ index b31c054..5e37a40 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +139,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +142,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) 
@@ -5982,7 +6008,7 @@ index b31c054..5e37a40 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,6 +184,8 @@ ifdef(`distro_suse', ` +@@ -172,6 +187,8 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -5991,7 +6017,7 @@ index b31c054..5e37a40 100644 /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -198,12 +212,27 @@ ifdef(`distro_debian',` +@@ -198,12 +215,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6022,7 +6048,7 @@ index b31c054..5e37a40 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..03d4787 100644 +index 76f285e..d36451a 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6500,7 +6526,7 @@ index 76f285e..03d4787 100644 ## ## ## -@@ -2025,17 +2266,73 @@ interface(`dev_rw_input_dev',` +@@ -2025,17 +2266,18 @@ interface(`dev_rw_input_dev',` ## ## # 
@@ -6516,18 +6542,18 @@ index 76f285e..03d4787 100644 + allow $1 event_device_t:chr_file rw_inherited_chr_file_perms; ') -+ ######################################## ## -## Set the attributes of the framebuffer device node. +## Read ipmi devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2043,7 +2285,101 @@ interface(`dev_getattr_framebuffer_dev',` + ## + ## + # +-interface(`dev_setattr_framebuffer_dev',` +interface(`dev_read_ipmi_dev',` + gen_require(` + type device_t, ipmi_device_t; @@ -6556,6 +6582,46 @@ index 76f285e..03d4787 100644 + +######################################## +## ++## Read infiniband devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_infiniband_dev',` ++ gen_require(` ++ type device_t, infiniband_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, infiniband_device_t) ++ read_blk_files_pattern($1, device_t, infiniband_device_t) ++') ++ ++######################################## ++## ++## Read and write ipmi devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_infiniband_dev',` ++ gen_require(` ++ type device_t, infiniband_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, infiniband_device_t) ++ rw_blk_files_pattern($1, device_t, infiniband_device_t) ++') ++ ++ ++ ++######################################## ++## +## Get the attributes of the framebuffer device node. +## +## @@ -6575,10 +6641,18 @@ index 76f285e..03d4787 100644 +######################################## +## +## Set the attributes of the framebuffer device node. - ## - ## - ## -@@ -2402,7 +2699,97 @@ interface(`dev_filetrans_lirc',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_framebuffer_dev',` + gen_require(` + type device_t, framebuf_device_t; + ') +@@ -2402,7 +2738,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## 
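Review bot: The summary of the new `dev_rw_infiniband_dev` interface reads `## Read and write ipmi devices.`, copied from `dev_rw_ipmi_dev` just above it, while its body operates on `infiniband_device_t`; it should read `## Read and write infiniband devices.` so the generated interface documentation does not describe the wrong device class. The same hunk leaves three consecutive blank `++` lines between `dev_rw_infiniband_dev` and the framebuffer block, where the rest of the file separates interfaces with a single blank line. Both new interfaces also grant access through `read_blk_files_pattern`/`rw_blk_files_pattern`; if the block file context for `/dev/infiniband` is dropped, these calls should go with it so the interface grants no more than the nodes it targets.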
@@ -6677,7 +6751,7 @@ index 76f285e..03d4787 100644 ## ## ## -@@ -2725,7 +3112,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3151,7 @@ interface(`dev_write_misc',` ## ## ## @@ -6686,7 +6760,86 @@ index 76f285e..03d4787 100644 ## ## # -@@ -2903,20 +3290,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2811,6 +3237,78 @@ interface(`dev_rw_modem',` + + ######################################## + ## ++## Get the attributes of the monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_monitor_dev',` ++ gen_require(` ++ type device_t, monitor_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, monitor_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_monitor_dev',` ++ gen_require(` ++ type device_t, monitor_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, monitor_device_t) ++') ++ ++######################################## ++## ++## Read the monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_monitor_dev',` ++ gen_require(` ++ type device_t, monitor_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, monitor_device_t) ++') ++ ++######################################## ++## ++## Read and write to monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_monitor_dev',` ++ gen_require(` ++ type device_t, monitor_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, monitor_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of the mouse devices. + ## + ## +@@ -2903,20 +3401,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -6711,7 +6864,7 @@ index 76f285e..03d4787 100644 ##

## ## -@@ -2925,43 +3312,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3423,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -6767,7 +6920,7 @@ index 76f285e..03d4787 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3348,13 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3459,13 @@ interface(`dev_write_mtrr',` ## ## # 
@@ -6784,53 +6937,78 @@ index 76f285e..03d4787 100644 ') ######################################## -@@ -3144,6 +3522,42 @@ interface(`dev_create_null_dev',` +@@ -3144,48 +3633,102 @@ interface(`dev_create_null_dev',` ######################################## ## +-## Do not audit attempts to get the attributes +-## of the BIOS non-volatile RAM device. +## Get the status of a null device service. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_service_status_null_dev',` -+ gen_require(` -+ type null_device_t; -+ ') -+ -+ allow $1 null_device_t:service status; -+') -+ -+######################################## -+## -+## Configure null_device as a unit files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`dev_config_null_dev_service',` -+ gen_require(` -+ type null_device_t; -+ ') -+ -+ allow $1 null_device_t:service manage_service_perms; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the attributes - ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3577,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_getattr_nvram_dev',` ++interface(`dev_service_status_null_dev',` + gen_require(` +- type nvram_device_t; ++ type null_device_t; + ') + +- dontaudit $1 nvram_device_t:chr_file getattr; ++ allow $1 null_device_t:service status; + ') ######################################## ## +-## Read and write BIOS non-volatile RAM. ++## Configure null_device as a unit files. + ## + ## + ## +-## Domain allowed access. ++## Domain allowed to transition. 
+ ## + ## + # +-interface(`dev_rw_nvram',` ++interface(`dev_config_null_dev_service',` + gen_require(` +- type nvram_device_t; ++ type null_device_t; + ') + +- rw_chr_files_pattern($1, device_t, nvram_device_t) ++ allow $1 null_device_t:service manage_service_perms; + ') + + ######################################## + ## +-## Get the attributes of the printer device nodes. ++## Do not audit attempts to get the attributes ++## of the BIOS non-volatile RAM device. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_nvram_dev',` ++ gen_require(` ++ type nvram_device_t; ++ ') ++ ++ dontaudit $1 nvram_device_t:chr_file getattr; ++') ++ ++######################################## ++## +## Read BIOS non-volatile RAM. +## +## @@ -6849,10 +7027,33 @@ index 76f285e..03d4787 100644 + +######################################## +## - ## Read and write BIOS non-volatile RAM. - ## - ## -@@ -3254,7 +3686,25 @@ interface(`dev_rw_printer',` ++## Read and write BIOS non-volatile RAM. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_nvram',` ++ gen_require(` ++ type nvram_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, nvram_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the printer device nodes. ++## ++## ++## ++## Domain allowed access. + ## + ## + # +@@ -3254,7 +3797,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -6879,7 +7080,7 @@ index 76f285e..03d4787 100644 ## ## ## -@@ -3262,12 +3712,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3823,13 @@ interface(`dev_rw_printer',` ## ## # @@ -6896,7 +7097,7 @@ index 76f285e..03d4787 100644 ') ######################################## -@@ -3399,7 +3850,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +3961,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## 
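Review bot: `dev_config_null_dev_service` documents its parameter as `## Domain allowed to transition.`, but the interface performs no domain transition — it grants `manage_service_perms` on `null_device_t:service`, i.e. control over the corresponding systemd unit — so the parameter text should be `## Domain allowed access.` like its sibling `dev_service_status_null_dev`. Its summary `## Configure null_device as a unit files.` is also ungrammatical; `## Manage the systemd unit associated with the null device.` states what the rule does. The hunk only re-orders these interfaces relative to the nvram ones, so the wording is pre-existing, but the new side is where it now lives and where the fix belongs.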
@@ -6905,7 +7106,7 @@ index 76f285e..03d4787 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +3864,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +3975,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') 
@@ -6914,243 +7115,131 @@ index 76f285e..03d4787 100644 ') ######################################## -@@ -3855,7 +4306,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,6 +4417,96 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## --## Search the sysfs directories. +## Set the attributes of sysfs directories. - ## - ## - ## -@@ -3863,53 +4314,53 @@ interface(`dev_getattr_sysfs_dirs',` - ## - ## - # --interface(`dev_search_sysfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_setattr_sysfs_dirs',` - gen_require(` - type sysfs_t; - ') - -- search_dirs_pattern($1, sysfs_t, sysfs_t) ++ gen_require(` ++ type sysfs_t; ++ ') ++ + allow $1 sysfs_t:dir setattr_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to search sysfs. ++') ++ ++######################################## ++## +## Get attributes of sysfs filesystems. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`dev_dontaudit_search_sysfs',` ++## ++## ++# +interface(`dev_getattr_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - -- dontaudit $1 sysfs_t:dir search_dir_perms; ++ gen_require(` ++ type sysfs_t; ++ ') ++ + allow $1 sysfs_t:filesystem getattr; - ') - - ######################################## - ## --## List the contents of the sysfs directories. ++') ++ ++######################################## ++## +## Mount a filesystem on /sys - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allow access. - ## - ## - # --interface(`dev_list_sysfs',` ++## ++## ++# +interface(`dev_mounton_sysfs',` - gen_require(` - type sysfs_t; - ') - -- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ gen_require(` ++ type sysfs_t; ++ ') ++ + allow $1 sysfs_t:dir mounton; - ') - - ######################################## - ## --## Write in a sysfs directories. ++') ++ ++######################################## ++## +## Mount sysfs filesystems. 
- ## - ## - ## -@@ -3917,37 +4368,35 @@ interface(`dev_list_sysfs',` - ## - ## - # --# cjp: added for cpuspeed --interface(`dev_write_sysfs_dirs',` -+interface(`dev_mount_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - -- allow $1 sysfs_t:dir write; -+ allow $1 sysfs_t:filesystem mount; - ') - - ######################################## - ## --## Do not audit attempts to write in a sysfs directory. -+## Unmount sysfs filesystems. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`dev_dontaudit_write_sysfs_dirs',` ++## ++## ++# ++interface(`dev_mount_sysfs_fs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ allow $1 sysfs_t:filesystem mount; ++') ++ ++######################################## ++## ++## Unmount sysfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_unmount_sysfs_fs',` - gen_require(` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ allow $1 sysfs_t:filesystem unmount; ++') ++ ++######################################## ++## + ## Search the sysfs directories. + ## + ## +@@ -3904,6 +4556,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') -- dontaudit $1 sysfs_t:dir write; -+ allow $1 sysfs_t:filesystem unmount; ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) + list_dirs_pattern($1, sysfs_t, sysfs_t) ') +@@ -3946,23 +4599,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` + ######################################## ## -## Create, read, write, and delete sysfs -## directories. -+## Search the sysfs directories. - ## - ## - ## -@@ -3955,41 +4404,160 @@ interface(`dev_dontaudit_write_sysfs_dirs',` - ## - ## - # --interface(`dev_manage_sysfs_dirs',` -+interface(`dev_search_sysfs',` - gen_require(` - type sysfs_t; - ') - -- manage_dirs_pattern($1, sysfs_t, sysfs_t) -+ search_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read hardware state information. -+## Do not audit attempts to search sysfs. - ## --## --##

--## Allow the specified domain to read the contents of --## the sysfs filesystem. This filesystem contains --## information, parameters, and other settings on the --## hardware installed on the system. --##

--##
- ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## --## - # --interface(`dev_read_sysfs',` -+interface(`dev_dontaudit_search_sysfs',` - gen_require(` - type sysfs_t; - ') - -- read_files_pattern($1, sysfs_t, sysfs_t) -- read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- -+ dontaudit $1 sysfs_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of the sysfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_list_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Write in a sysfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+# cjp: added for cpuspeed -+interface(`dev_write_sysfs_dirs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ allow $1 sysfs_t:dir write; -+') -+ -+######################################## -+## -+## Do not audit attempts to write in a sysfs directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_write_sysfs_dirs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ dontaudit $1 sysfs_t:dir write; -+') -+ -+######################################## -+## +## Read cpu online hardware state information. -+## + ## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` + gen_require(` + type cpu_online_t; @@ -7171,47 +7260,21 @@ index 76f285e..03d4787 100644 +## +# +interface(`dev_relabel_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; -+ type sysfs_t; -+ ') -+ + type sysfs_t; + ') + +- manage_dirs_pattern($1, sysfs_t, sysfs_t) + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; -+') -+ -+ -+######################################## -+## -+## Read hardware state information. -+## -+## -+##
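Review bot: `dev_list_sysfs` gains `read_lnk_files_pattern($1, sysfs_t, sysfs_t)` (the inner `@@ -3904` hunk) but keeps the summary `## List the contents of the sysfs directories.`, so every existing caller silently acquires read access to sysfs symlinks without the interface documentation saying so; the summary should become `## List the contents of the sysfs directories and read the symbolic links in them.` so the widening is visible to policy authors choosing between `dev_list_sysfs` and `dev_read_sysfs`. The re-placed `dev_mounton_sysfs` block also carries the typo `## Domain allow access.`, which should be `## Domain allowed access.` Apart from that addition, the visible lines of this hunk appear only to re-order the sysfs interfaces to match upstream's layout rather than introduce new rules.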

-+## Allow the specified domain to read the contents of -+## the sysfs filesystem. This filesystem contains -+## information, parameters, and other settings on the -+## hardware installed on the system. -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ read_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ - list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -4016,6 +4584,62 @@ interface(`dev_rw_sysfs',` ++ + ######################################## + ## + ## Read hardware state information. +@@ -4016,6 +4695,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7274,7 +7337,7 @@ index 76f285e..03d4787 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +4737,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +4848,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -7300,7 +7363,7 @@ index 76f285e..03d4787 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +4766,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +4877,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` @@ -7309,7 +7372,7 @@ index 76f285e..03d4787 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5052,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5163,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7321,7 +7384,7 @@ index 76f285e..03d4787 100644 ## ## ## -@@ -4419,17 +5062,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5173,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7344,7 +7407,7 @@ index 76f285e..03d4787 100644 ## ## ## -@@ -4437,12 +5080,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5191,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7360,7 +7423,7 @@ index 76f285e..03d4787 100644 ') ######################################## -@@ -4539,6 +5182,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5293,134 @@ interface(`dev_write_video_dev',` ######################################## ## 
@@ -7495,7 +7558,7 @@ index 76f285e..03d4787 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5328,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5439,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7520,7 +7583,7 @@ index 76f285e..03d4787 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5551,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5662,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7565,7 +7628,7 @@ index 76f285e..03d4787 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5678,946 @@ interface(`dev_unconfined',` +@@ -4851,3 +5789,948 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -7743,6 +7806,7 @@ index 76f285e..03d4787 100644 + type cpu_device_t; + type scanner_device_t; + type modem_device_t; ++ type monitor_device_t; + type vhost_device_t; + type netcontrol_device_t; + type nvram_device_t; @@ -8081,6 +8145,7 @@ index 76f285e..03d4787 100644 + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9") + filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab") + filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem") ++ filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012") @@ -8513,7 +8578,7 @@ index 76f285e..03d4787 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..2844021 100644 +index 0b1a871..f52e603 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; 
@@ -8550,7 +8615,20 @@ index 0b1a871..2844021 100644 # for the IBM zSeries z90crypt hardware ssl accelorator type crypt_device_t; dev_node(crypt_device_t) -@@ -111,6 +112,7 @@ dev_node(ksm_device_t) +@@ -94,6 +95,12 @@ type ipmi_device_t; + dev_node(ipmi_device_t) + + # ++# Type for /dev/infiniband ++# ++type infiniband_device_t; ++dev_node(infiniband_device_t) ++ ++# + # Type for /dev/kmsg + # + type kmsg_device_t; +@@ -111,6 +118,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -8558,7 +8636,7 @@ index 0b1a871..2844021 100644 # # Type for /dev/lirc -@@ -118,6 +120,9 @@ dev_node(kvm_device_t) +@@ -118,6 +126,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) @@ -8568,7 +8646,20 @@ index 0b1a871..2844021 100644 type loop_control_device_t; dev_node(loop_control_device_t) -@@ -227,6 +232,10 @@ files_mountpoint(sysfs_t) +@@ -150,6 +161,12 @@ type modem_device_t; + dev_node(modem_device_t) + + # ++# A general type for monitor devices. ++# ++type monitor_device_t; ++dev_node(monitor_device_t) ++ ++# + # A more general type for mouse devices. + # + type mouse_device_t; +@@ -227,6 +244,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -8579,7 +8670,7 @@ index 0b1a871..2844021 100644 # # Type for /dev/tpm # -@@ -266,6 +275,15 @@ dev_node(usbmon_device_t) +@@ -266,6 +287,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) @@ -8595,7 +8686,7 @@ index 0b1a871..2844021 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +292,7 @@ dev_node(v4l_device_t) +@@ -274,6 +304,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -8603,7 +8694,7 @@ index 0b1a871..2844021 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +338,6 @@ files_associate_tmp(device_node) +@@ -319,5 +350,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; 
@@ -9338,7 +9429,7 @@ index cf04cb5..16c88de 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..b2aed45 100644 +index b876c48..ad25566 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9358,7 +9449,7 @@ index b876c48..b2aed45 100644 /boot/.* gen_context(system_u:object_r:boot_t,s0) /boot/\.journal <> /boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -@@ -38,13 +39,13 @@ ifdef(`distro_suse',` +@@ -38,27 +39,35 @@ ifdef(`distro_suse',` # # /emul # @@ -9373,8 +9464,9 @@ index b876c48..b2aed45 100644 +/etc gen_context(system_u:object_r:etc_t,s0) /etc/.* gen_context(system_u:object_r:etc_t,s0) /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -52,13 +53,20 @@ ifdef(`distro_suse',` + /etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -9400,7 +9492,7 @@ index b876c48..b2aed45 100644 /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) -@@ -70,7 +78,10 @@ ifdef(`distro_suse',` +@@ -70,7 +79,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -9412,7 +9504,7 @@ index b876c48..b2aed45 100644 ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -78,10 +89,6 @@ ifdef(`distro_gentoo', ` +@@ -78,10 +90,6 @@ ifdef(`distro_gentoo', ` /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') 
@@ -9423,7 +9515,7 @@ index b876c48..b2aed45 100644 ifdef(`distro_suse',` /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -104,7 +111,7 @@ HOME_ROOT/lost\+found/.* <> +@@ -104,7 +112,7 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # @@ -9432,7 +9524,7 @@ index b876c48..b2aed45 100644 # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) -@@ -125,10 +132,12 @@ ifdef(`distro_debian',` +@@ -125,10 +133,13 @@ ifdef(`distro_debian',` # # Mount points; do not relabel subdirectories, since # we don't want to change any removable media by default. @@ -9443,10 +9535,11 @@ index b876c48..b2aed45 100644 /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) +/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/var/run/media/.* <> ++/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0) # # /misc -@@ -138,7 +147,7 @@ ifdef(`distro_debian',` +@@ -138,7 +149,7 @@ ifdef(`distro_debian',` # # /mnt # @@ -9455,7 +9548,7 @@ index b876c48..b2aed45 100644 /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /mnt/[^/]*/.* <> -@@ -150,10 +159,10 @@ ifdef(`distro_debian',` +@@ -150,10 +161,10 @@ ifdef(`distro_debian',` # # /opt # @@ -9468,7 +9561,7 @@ index b876c48..b2aed45 100644 # # /proc -@@ -161,6 +170,12 @@ ifdef(`distro_debian',` +@@ -161,6 +172,12 @@ ifdef(`distro_debian',` /proc -d <> /proc/.* <> @@ -9481,7 +9574,7 @@ index b876c48..b2aed45 100644 # # /run # -@@ -169,6 +184,7 @@ ifdef(`distro_debian',` +@@ -169,6 +186,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) @@ -9489,7 +9582,7 @@ index b876c48..b2aed45 100644 # # /selinux # -@@ -178,13 +194,14 @@ ifdef(`distro_debian',` +@@ -178,13 +196,14 @@ ifdef(`distro_debian',` # # /srv # 
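Review bot: `/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0)` is inserted into the "Mount points" block between `/var/run/media/.* <>` and `# /misc`, while the generic `/var` entries (`/var/.*`, `/var/\.journal`) live in the `/var` section further down; it should sit next to `/var/\.journal` so the file stays grouped by path, as the `/etc/\.updated` entry in the same patch already does in the `/etc` section. The build's fc_sort step should make the final match order independent of source position, so as far as I can tell this is a readability issue rather than a labelling one, but it is cheap to confirm with `matchpathcon /var/.updated` on a built policy. Note also that the files.if part of this patch adds a name transition only for `.updated` under `/etc`; if `/var/.updated` is created by the same service, it will carry `var_t` until relabelled.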
@@ -9506,7 +9599,7 @@ index b876c48..b2aed45 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +211,11 @@ ifdef(`distro_debian',` +@@ -194,9 +213,11 @@ ifdef(`distro_debian',` # # /usr # @@ -9519,7 +9612,7 @@ index b876c48..b2aed45 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +223,9 @@ ifdef(`distro_debian',` +@@ -204,15 +225,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9536,7 +9629,7 @@ index b876c48..b2aed45 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +233,6 @@ ifdef(`distro_debian',` +@@ -220,8 +235,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9545,7 +9638,7 @@ index b876c48..b2aed45 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +240,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +242,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9554,7 +9647,7 @@ index b876c48..b2aed45 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +248,25 @@ ifndef(`distro_redhat',` +@@ -237,11 +250,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9581,7 +9674,7 @@ index b876c48..b2aed45 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +281,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +283,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> 
@@ -9596,14 +9689,14 @@ index b876c48..b2aed45 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +298,5 @@ ifdef(`distro_debian',` +@@ -271,3 +300,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..693ce96 100644 +index f962f76..6eef570 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12919,7 +13012,7 @@ index f962f76..693ce96 100644 ## ## ## -@@ -6573,10 +7950,819 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +7950,839 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -13380,6 +13473,24 @@ index f962f76..693ce96 100644 + +######################################## +## ++## Do not audit attempts to search security files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_security_files',` ++ gen_require(` ++ attribute security_file_type; ++ ') ++ ++ dontaudit $1 security_file_type:dir search_dir_perms; ++') ++ ++######################################## ++## +## rw any files inherited from another process +## +## @@ -13599,6 +13710,7 @@ index f962f76..693ce96 100644 + files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac") + files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac") + files_etc_filetrans($1, etc_t, file, "hwdb.bin") ++ files_etc_filetrans_etc_runtime($1, file, ".updated") + files_etc_filetrans_etc_runtime($1, file, "runtime") + files_etc_filetrans_etc_runtime($1, dir, "blkid") + files_etc_filetrans_etc_runtime($1, dir, "cmtab") 
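Review bot: The summary of the new `files_dontaudit_search_security_files` interface says "search security files" while the only rule is `dontaudit $1 security_file_type:dir search_dir_perms;`, i.e. it suppresses directory search on every type carrying the `security_file_type` attribute and says nothing about the files themselves; a wording such as `## Do not audit attempts to search directories of security file types` describes what callers actually get. Since the attribute covers whatever types are marked security files elsewhere in the policy (not visible in this chunk), a one-line note in the summary that the suppression applies to all of them would help callers such as the samba_export_all_* booleans decide whether a narrower dontaudit is preferable.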
@@ -13612,7 +13724,8 @@ index f962f76..693ce96 100644 + files_etc_filetrans_etc_runtime($1, file, "iptables.save") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") -+ files_var_filetrans($1, var_run_t, dir, "run") ++ files_var_filetrans($1, var_run_t, dir, "run") ++ files_var_filetrans($1, etc_runtime_t, file, ".updated") +') + +######################################## @@ -17552,7 +17665,7 @@ index e0a973b..7d3e431 100644 ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index 54f1827..39faa3f 100644 +index 54f1827..6910c88 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -7,6 +7,7 @@ @@ -17563,14 +17676,7 @@ index 54f1827..39faa3f 100644 /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) -@@ -23,12 +24,15 @@ - /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) - /dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0) - /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/infiniband/.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/infiniband/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +@@ -28,7 +29,8 @@ /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) 
@@ -17580,7 +17686,7 @@ index 54f1827..39faa3f 100644 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -51,7 +55,8 @@ ifdef(`distro_redhat', ` +@@ -51,7 +53,8 @@ ifdef(`distro_redhat', ` /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) @@ -17590,7 +17696,7 @@ index 54f1827..39faa3f 100644 /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -81,3 +86,6 @@ ifdef(`distro_redhat', ` +@@ -81,3 +84,6 @@ ifdef(`distro_redhat', ` /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) @@ -32691,7 +32797,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..5e28da7 100644 +index be8ed1e..f0ed532 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; 
@@ -32780,16 +32886,17 @@ index be8ed1e..5e28da7 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +105,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +105,9 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) ++ fail2ban_read_log(iptables_t) + fail2ban_dontaudit_leaks(iptables_t) + fail2ban_rw_inherited_tmp_files(iptables_t) ') optional_policy(` -@@ -110,6 +115,11 @@ optional_policy(` +@@ -110,6 +116,11 @@ optional_policy(` ') optional_policy(` @@ -32801,7 +32908,7 @@ index be8ed1e..5e28da7 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +134,12 @@ optional_policy(` +@@ -124,6 +135,12 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -32814,7 +32921,7 @@ index be8ed1e..5e28da7 100644 ') optional_policy(` -@@ -135,9 +151,9 @@ optional_policy(` +@@ -135,9 +152,9 @@ optional_policy(` ') optional_policy(` @@ -33322,7 +33429,7 @@ index 808ba93..57a68da 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 54f8fa5..caf32d6 100644 +index 54f8fa5..1584203 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -33355,7 +33462,11 @@ index 54f8fa5..caf32d6 100644 files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t) +@@ -72,14 +74,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file }) + manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t) + + kernel_read_system_state(ldconfig_t) ++kernel_read_network_state(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t) 
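Review bot: `kernel_read_network_state(ldconfig_t)` grants ldconfig read access to the whole `/proc/net` tree, which is considerably more than the single `/proc/<pid>/net/sockstat` read the commit description cites, and nothing in the hunk records why a library-cache tool needs network state at all. If the denial comes from a descriptor or environment inherited from a caller rather than from ldconfig itself, a `dontaudit` would be the safer choice; if the read is genuinely needed, keep the allow but add a why-comment such as `# ldconfig reads /proc/<pid>/net/sockstat` so the next reviewer does not have to rediscover the reason.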
@@ -33372,7 +33483,7 @@ index 54f8fa5..caf32d6 100644 files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) files_search_tmp(ldconfig_t) -@@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t) +@@ -90,11 +97,11 @@ files_delete_etc_files(ldconfig_t) init_use_script_ptys(ldconfig_t) init_read_script_tmp_files(ldconfig_t) @@ -33386,7 +33497,7 @@ index 54f8fa5..caf32d6 100644 userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` -@@ -103,6 +109,13 @@ ifdef(`distro_ubuntu',` +@@ -103,6 +110,13 @@ ifdef(`distro_ubuntu',` ') ') @@ -33400,7 +33511,7 @@ index 54f8fa5..caf32d6 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -114,6 +127,11 @@ ifdef(`hide_broken_symptoms',` +@@ -114,6 +128,11 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -33412,7 +33523,7 @@ index 54f8fa5..caf32d6 100644 optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +149,14 @@ optional_policy(` +@@ -131,6 +150,14 @@ optional_policy(` ') optional_policy(` @@ -33427,7 +33538,7 @@ index 54f8fa5..caf32d6 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +167,3 @@ optional_policy(` +@@ -141,6 +168,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -34339,7 +34450,7 @@ index 4e94884..8de26ad 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..5d3197b 100644 +index 59b04c1..077c808 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1) 
@@ -34693,7 +34804,15 @@ index 59b04c1..5d3197b 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -507,15 +591,40 @@ optional_policy(` +@@ -497,6 +581,7 @@ optional_policy(` + optional_policy(` + cron_manage_log_files(syslogd_t) + cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") ++ cron_generic_log_filetrans_log(syslogd_t, file, "cron") + ') + + optional_policy(` +@@ -507,15 +592,40 @@ optional_policy(` ') optional_policy(` @@ -34734,7 +34853,7 @@ index 59b04c1..5d3197b 100644 ') optional_policy(` -@@ -526,3 +635,26 @@ optional_policy(` +@@ -526,3 +636,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -43092,7 +43211,7 @@ index db75976..1ee08ec 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..d04015e 100644 +index 9dc60c6..0bed312 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -44442,7 +44561,7 @@ index 9dc60c6..d04015e 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1382,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1382,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -44470,6 +44589,9 @@ index 9dc60c6..d04015e 100644 + corenet_tcp_bind_all_unreserved_ports($1_usertype) + ') + ++ tunable_policy(`selinuxuser_udp_server',` ++ corenet_udp_bind_all_unreserved_ports($1_usertype) ++ ') + optional_policy(` + cdrecord_role($1_r, $1_t) + ') 
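Review bot: The `selinuxuser_udp_server` tunable introduced here in `userdom_unpriv_user_template` (and again for the admin template in the later userdomain.if hunk on this page) is only referenced; its `gen_tunable` declaration with default value and description is not in this chunk, and because `corenet_udp_bind_all_unreserved_ports($1_usertype)` lets every unprivileged user domain bind any unreserved UDP port it should default to false like its `selinuxuser_tcp_server` counterpart — worth confirming in userdomain.te. Stylistically the new block is not separated from the following `optional_policy(` by a blank line, unlike the `selinuxuser_tcp_server` block just above it and unlike the admin-template copy, so a blank line after the closing `')` would keep the two templates consistent.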
@@ -44499,21 +44621,21 @@ index 9dc60c6..d04015e 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) ++ ') ++ ++ optional_policy(` ++ wine_role_template($1, $1_r, $1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) -+ wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1444,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1447,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -44524,7 +44646,7 @@ index 9dc60c6..d04015e 100644 ') ') -@@ -1079,7 +1482,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1485,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -44535,7 +44657,7 @@ index 9dc60c6..d04015e 100644 ') ############################## -@@ -1095,6 +1500,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1503,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -44543,7 +44665,7 @@ index 9dc60c6..d04015e 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1511,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1514,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -44560,7 +44682,7 @@ index 9dc60c6..d04015e 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1528,7 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1531,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -44568,7 +44690,7 @@ index 9dc60c6..d04015e 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1546,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1549,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -44584,7 +44706,7 @@ index 9dc60c6..d04015e 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1565,38 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1568,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -44627,7 +44749,7 @@ index 9dc60c6..d04015e 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1606,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1609,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -44636,7 +44758,7 @@ index 9dc60c6..d04015e 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1615,17 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1618,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -44651,11 +44773,15 @@ index 9dc60c6..d04015e 100644 + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_t) + ') -+ ++ ++ tunable_policy(`selinuxuser_udp_server',` ++ corenet_udp_bind_all_unreserved_ports($1_t) ++ ') ++ optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1661,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1668,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -44664,7 +44790,7 @@ index 9dc60c6..d04015e 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1671,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1678,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -44673,7 +44799,7 @@ index 9dc60c6..d04015e 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1685,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1692,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -44685,7 +44811,7 @@ index 9dc60c6..d04015e 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1699,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1706,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -44728,7 +44854,7 @@ index 9dc60c6..d04015e 100644 ') optional_policy(` -@@ -1357,14 +1784,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1791,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -44747,7 +44873,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -1397,12 +1827,51 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1834,51 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` 
@@ -44800,7 +44926,7 @@ index 9dc60c6..d04015e 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +1978,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1985,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -44832,7 +44958,7 @@ index 9dc60c6..d04015e 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2044,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2051,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -44847,7 +44973,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -1570,9 +2067,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2074,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -44859,7 +44985,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -1629,6 +2128,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2135,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -44902,7 +45028,7 @@ index 9dc60c6..d04015e 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1708,6 +2243,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1708,6 +2250,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -44911,7 +45037,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -1741,10 +2278,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2285,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -44926,7 +45052,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -1769,7 +2308,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2315,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -44935,7 +45061,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -1777,19 +2316,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2323,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -44959,7 +45085,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -1797,55 +2334,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2341,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -45030,7 +45156,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -1853,18 +2390,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2397,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -45058,7 +45184,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -1872,55 +2410,55 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,55 +2417,55 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -45133,7 +45259,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -1928,32 +2466,149 @@ interface(`userdom_dontaudit_append_user_home_content_files',` +@@ -1928,32 +2473,149 @@ interface(`userdom_dontaudit_append_user_home_content_files',` ## ## # @@ -45291,7 +45417,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -1971,7 +2626,80 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1971,7 +2633,80 @@ interface(`userdom_delete_user_home_content_files',` type user_home_t; ') 
@@ -45373,7 +45499,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -2007,8 +2735,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2742,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -45383,7 +45509,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -2024,20 +2751,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2758,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45408,7 +45534,7 @@ index 9dc60c6..d04015e 100644 ######################################## ## -@@ -2120,7 +2841,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2848,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -45417,7 +45543,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -2128,19 +2849,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2856,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -45441,7 +45567,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -2148,12 +2867,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2874,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -45457,7 +45583,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -2388,18 +3107,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3114,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -45515,7 +45641,7 @@ index 9dc60c6..d04015e 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3169,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3176,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -45524,7 +45650,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -2455,6 +3210,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3217,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -45550,7 +45676,7 @@ index 9dc60c6..d04015e 100644 ######################################## ## -@@ -2538,7 +3312,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3319,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -45559,7 +45685,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -2546,19 +3320,19 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3327,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # @@ -45582,7 +45708,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -2566,19 +3340,19 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,19 +3347,19 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -45605,7 +45731,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -2586,27 +3360,68 @@ interface(`userdom_manage_user_tmp_pipes',` +@@ -2586,27 +3367,68 @@ interface(`userdom_manage_user_tmp_pipes',` ## ## # @@ -45680,7 +45806,7 @@ index 9dc60c6..d04015e 100644 ## ## The type of the object to create. ## -@@ -2661,6 +3476,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3483,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -45702,7 +45828,7 @@ index 9dc60c6..d04015e 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3502,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3509,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` 
@@ -45724,7 +45850,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -2692,19 +3517,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3524,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -45747,7 +45873,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -2713,13 +3532,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3539,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -45808,7 +45934,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -2814,6 +3676,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3683,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -45833,7 +45959,7 @@ index 9dc60c6..d04015e 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3712,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3719,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -45876,7 +46002,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -2856,14 +3748,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3755,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -45914,7 +46040,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -2882,8 +3793,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3800,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -45944,7 +46070,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -2955,69 +3885,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3892,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
@@ -46045,7 +46171,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -3025,12 +3954,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3961,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -46060,7 +46186,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -3094,7 +4023,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4030,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -46069,7 +46195,7 @@ index 9dc60c6..d04015e 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4039,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4046,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -46103,7 +46229,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -3214,7 +4127,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4134,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -46130,7 +46256,7 @@ index 9dc60c6..d04015e 100644 ') ######################################## -@@ -3269,12 +4200,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4207,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46146,7 +46272,7 @@ index 9dc60c6..d04015e 100644 ## ## ## -@@ -3282,46 +4214,122 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,46 +4221,122 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -46282,7 +46408,7 @@ index 9dc60c6..d04015e 100644 ') allow $1 userdomain:process getattr; -@@ -3382,6 +4390,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4397,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -46325,7 +46451,7 @@ index 9dc60c6..d04015e 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4446,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4453,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -46386,7 +46512,7 @@ index 9dc60c6..d04015e 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4533,1686 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4540,1686 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8299b969..e886127d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1547,7 +1547,7 @@ index 3b5dcb9..fbe187f 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 5d2b90e..bb8adeb 100644 +index 5d2b90e..7374df0 100644 --- a/aiccu.te +++ b/aiccu.te @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) @@ -1558,17 +1558,20 @@ index 5d2b90e..bb8adeb 100644 corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) corenet_tcp_connect_sixxsconfig_port(aiccu_t) corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) -@@ -60,17 +59,20 @@ domain_use_interactive_fds(aiccu_t) +@@ -60,17 +59,24 @@ domain_use_interactive_fds(aiccu_t) dev_read_rand(aiccu_t) dev_read_urand(aiccu_t) -files_read_etc_files(aiccu_t) - --logging_send_syslog_msg(aiccu_t) ++ +auth_read_passwd(aiccu_t) + logging_send_syslog_msg(aiccu_t) + -miscfiles_read_localization(aiccu_t) -+logging_send_syslog_msg(aiccu_t) ++optional_policy(` ++ gnome_dontaudit_search_config(aiccu_t) ++') optional_policy(` modutils_domtrans_insmod(aiccu_t) @@ -2678,10 +2681,10 @@ index 0000000..219f32d + diff --git a/antivirus.if b/antivirus.if new file mode 100644 -index 0000000..df5b3be +index 0000000..ae5f0a3 --- /dev/null 
+++ b/antivirus.if -@@ -0,0 +1,322 @@ +@@ -0,0 +1,324 @@ +## SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan + +###################################### @@ -2701,6 +2704,8 @@ index 0000000..df5b3be + ') + + typeattribute $1 antivirus_domain; ++ ++ kernel_read_system_state($1) +') + +####################################### @@ -3006,10 +3011,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..8cc6120 +index 0000000..cb58319 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,270 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -3115,11 +3120,8 @@ index 0000000..8cc6120 + +can_exec(antivirus_domain, antivirus_exec_t) + -+kernel_read_network_state(antivirus_t) -+kernel_read_net_sysctls(antivirus_t) -+kernel_read_kernel_sysctls(antivirus_domain) -+kernel_read_sysctl(antivirus_domain) -+kernel_read_system_state(antivirus_t) ++kernel_read_network_state(antivirus_domain) ++kernel_read_all_sysctls(antivirus_domain) + +corecmd_exec_bin(antivirus_domain) +corecmd_exec_shell(antivirus_domain) @@ -3284,10 +3286,10 @@ index 0000000..8cc6120 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..7e70f67 100644 +index 7caefc3..3009a35 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,203 @@ +@@ -1,162 +1,204 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
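Review bot: The replacement lines `kernel_read_network_state(antivirus_domain)` and `kernel_read_all_sysctls(antivirus_domain)` widen what the removed lines granted: `/proc/net` reads previously applied to `antivirus_t` only and sysctl reads were limited to the kernel and generic sysctl trees, whereas now every domain carrying the `antivirus_domain` attribute can read the full `/proc/net` tree and every sysctl tree, and the antivirus.if hunk above additionally moves `kernel_read_system_state($1)` into the template so each such domain gets that too. That may well be what clamd, freshclam and amavis need, but the hunk gives no hint which sysctls triggered the change, so a later attempt to tighten it has nothing to go on; a why-comment on the attribute-wide rules, e.g. `# applied to the attribute so every scanner domain gets it; narrow to the sysctl trees actually used if denials allow`, would preserve that context.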
@@ -3495,6 +3497,7 @@ index 7caefc3..7e70f67 100644 +/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/graphite-web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -5124,7 +5127,7 @@ index f6eb485..f6d065e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..a78899a 100644 +index 6649962..3226dec 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) @@ -6126,7 +6129,7 @@ index 6649962..a78899a 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +796,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +796,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6147,8 +6150,10 @@ index 6649962..a78899a 100644 -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) + -+tunable_policy(`httpd_use_nfs',` -+ automount_search_tmp_dirs(httpd_t) ++optional_policy(` ++ tunable_policy(`httpd_use_nfs',` ++ automount_search_tmp_dirs(httpd_t) ++ ') ') -tunable_policy(`httpd_execmem',` @@ -6217,7 +6222,7 @@ index 6649962..a78899a 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +843,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +845,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) 
@@ -6298,7 +6303,7 @@ index 6649962..a78899a 100644 ') optional_policy(` -@@ -749,24 +896,32 @@ optional_policy(` +@@ -749,24 +898,32 @@ optional_policy(` ') optional_policy(` @@ -6337,7 +6342,7 @@ index 6649962..a78899a 100644 ') optional_policy(` -@@ -775,6 +930,10 @@ optional_policy(` +@@ -775,6 +932,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') @@ -6348,7 +6353,7 @@ index 6649962..a78899a 100644 ') optional_policy(` -@@ -786,35 +945,60 @@ optional_policy(` +@@ -786,35 +947,60 @@ optional_policy(` ') optional_policy(` @@ -6422,7 +6427,7 @@ index 6649962..a78899a 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1006,18 @@ optional_policy(` +@@ -822,8 +1008,18 @@ optional_policy(` ') optional_policy(` @@ -6441,7 +6446,7 @@ index 6649962..a78899a 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1026,7 @@ optional_policy(` +@@ -832,6 +1028,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6449,7 +6454,7 @@ index 6649962..a78899a 100644 ') optional_policy(` -@@ -842,20 +1037,40 @@ optional_policy(` +@@ -842,20 +1039,40 @@ optional_policy(` ') optional_policy(` @@ -6496,7 +6501,7 @@ index 6649962..a78899a 100644 ') optional_policy(` -@@ -863,19 +1078,35 @@ optional_policy(` +@@ -863,19 +1080,35 @@ optional_policy(` ') optional_policy(` @@ -6532,7 +6537,7 @@ index 6649962..a78899a 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1114,189 @@ optional_policy(` +@@ -883,65 +1116,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6744,7 +6749,7 @@ index 6649962..a78899a 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1305,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1307,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) 
@@ -6899,7 +6904,7 @@ index 6649962..a78899a 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1389,106 @@ optional_policy(` +@@ -1083,172 +1391,106 @@ optional_policy(` ') ') @@ -7136,7 +7141,7 @@ index 6649962..a78899a 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1496,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1498,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7233,7 +7238,7 @@ index 6649962..a78899a 100644 ######################################## # -@@ -1321,8 +1571,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1573,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7250,7 +7255,7 @@ index 6649962..a78899a 100644 ') ######################################## -@@ -1330,49 +1587,38 @@ optional_policy(` +@@ -1330,49 +1589,38 @@ optional_policy(` # User content local policy # @@ -7315,7 +7320,7 @@ index 6649962..a78899a 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1628,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1630,101 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -16208,10 +16213,10 @@ index 715a826..3f0c0dc 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index ae1c1b1..d461e44 100644 +index ae1c1b1..003fe15 100644 --- a/couchdb.te +++ b/couchdb.te -@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t) +@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t) type couchdb_var_run_t; files_pid_file(couchdb_var_run_t) 
@@ -16221,8 +16226,10 @@ index ae1c1b1..d461e44 100644 ######################################## # # Local policy -@@ -35,10 +38,10 @@ files_pid_file(couchdb_var_run_t) - allow couchdb_t self:process { setsched signal signull sigkill }; + # + +-allow couchdb_t self:process { setsched signal signull sigkill }; ++allow couchdb_t self:process { execmem setsched signal signull sigkill }; allow couchdb_t self:fifo_file rw_fifo_file_perms; allow couchdb_t self:unix_stream_socket create_stream_socket_perms; +allow couchdb_t self:unix_dgram_socket create_socket_perms; @@ -24476,10 +24483,10 @@ index 0000000..a952041 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..c1ab586 +index 0000000..7f0943f --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,58 @@ +@@ -0,0 +1,59 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -24533,6 +24540,7 @@ index 0000000..c1ab586 +sysnet_manage_config(dnssec_trigger_t) + +optional_policy(` ++ bind_domtrans(dnssec_trigger_t) + bind_read_config(dnssec_trigger_t) + bind_read_dnssec_keys(dnssec_trigger_t) +') @@ -42825,7 +42833,7 @@ index d314333..da30c5d 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..2eaa558 100644 +index 4ec0eea..01db8ca 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -42860,7 +42868,7 @@ index 4ec0eea..2eaa558 100644 ######################################## # # Local policy -@@ -26,4 +44,48 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,50 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -42895,6 +42903,8 @@ index 4ec0eea..2eaa558 100644 + +kernel_read_system_state(lsmd_plugin_t) + ++auth_read_passwd(lsmd_plugin_t) ++ +dev_read_urand(lsmd_plugin_t) + +corecmd_exec_bin(lsmd_plugin_t) @@ -43899,7 +43909,7 @@ index 327f3f7..4f61561 100644 + ') ') 
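Review bot: `execmem` on `couchdb_t self:process` is added unconditionally and without a comment recording why; that permission lets the domain map memory both writable and executable, giving up the W^X property the rest of the couchdb policy otherwise keeps, and it silences the execmem AVC that would normally flag such behaviour. The commit message attributes the need to the Erlang runtime, so carry that into the policy, e.g. `# execmem: required by the Erlang runtime couchdb runs on` above the allow line. Consider whether a tunable would let administrators keep it disabled on builds whose runtime does not need it.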
diff --git a/mandb.te b/mandb.te -index e6136fd..813c98d 100644 +index e6136fd..56fa2cf 100644 --- a/mandb.te +++ b/mandb.te @@ -10,19 +10,40 @@ roleattribute system_r mandb_roles; @@ -43945,13 +43955,15 @@ index e6136fd..813c98d 100644 kernel_read_kernel_sysctls(mandb_t) kernel_read_system_state(mandb_t) -@@ -33,11 +54,12 @@ dev_search_sysfs(mandb_t) +@@ -33,11 +54,14 @@ dev_search_sysfs(mandb_t) domain_use_interactive_fds(mandb_t) -files_read_etc_files(mandb_t) +files_search_locks(mandb_t) +files_dontaudit_search_all_mountpoints(mandb_t) ++ ++fs_getattr_all_fs(mandb_t) miscfiles_manage_man_cache(mandb_t) +miscfiles_setattr_man_pages(mandb_t) 
@@ -46111,6 +46123,145 @@ index b94102e..25d1d33 100644 + postgresql_stream_connect(mojomojo_script_t) + ') +') +diff --git a/mon_statd.fc b/mon_statd.fc +new file mode 100644 +index 0000000..60c11c0 +--- /dev/null ++++ b/mon_statd.fc +@@ -0,0 +1,7 @@ ++/etc/rc\.d/init\.d/mon_statd -- gen_context(system_u:object_r:mon_statd_initrc_exec_t,s0) ++ ++/usr/sbin/mon_fsstatd -- gen_context(system_u:object_r:mon_statd_exec_t,s0) ++/usr/sbin/mon_procd -- gen_context(system_u:object_r:mon_procd_exec_t,s0) ++ ++/var/run/procd.* -- gen_context(system_u:object_r:mon_statd_var_run_t,s0) ++/var/run/fstatd.* -- gen_context(system_u:object_r:mon_statd_var_run_t,s0) +diff --git a/mon_statd.if b/mon_statd.if +new file mode 100644 +index 0000000..1ce3e44 +--- /dev/null ++++ b/mon_statd.if +@@ -0,0 +1,39 @@ ++## policy for mon_statd ++ ++######################################## ++## ++## Execute mon_statd in the mon_statd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mon_statd_domtrans',` ++ gen_require(` ++ type mon_statd_t, mon_statd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mon_statd_exec_t, mon_statd_t) ++') ++ ++######################################## ++## ++## Execute mon_procd in the mon_procd domin. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`mon_procd_domtrans',` ++ gen_require(` ++ type mon_procd_t, mon_procd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mon_procd_exec_t, mon_procd_t) ++') +diff --git a/mon_statd.te b/mon_statd.te +new file mode 100644 +index 0000000..39c5287 +--- /dev/null ++++ b/mon_statd.te +@@ -0,0 +1,75 @@ ++policy_module(mon_statd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute mon_statd_domain; ++ ++type mon_statd_t, mon_statd_domain; ++type mon_statd_exec_t; ++init_daemon_domain(mon_statd_t, mon_statd_exec_t) ++ ++type mon_procd_t, mon_statd_domain; ++type mon_procd_exec_t; ++init_daemon_domain(mon_procd_t, mon_procd_exec_t) ++ ++type mon_statd_initrc_exec_t; ++init_script_file(mon_statd_initrc_exec_t) ++ ++type mon_statd_var_run_t; ++files_pid_file(mon_statd_var_run_t) ++ ++######################################## ++# ++# mon_statd domain policy ++# ++ ++manage_files_pattern(mon_statd_domain, mon_statd_var_run_t, mon_statd_var_run_t) ++files_pid_filetrans(mon_statd_domain, mon_statd_var_run_t, file) ++ ++domain_read_all_domains_state(mon_statd_domain) ++ ++dev_rw_monitor_dev(mon_statd_domain) ++ ++######################################## ++# ++# mon_fstatd local policy ++# ++allow mon_statd_t self:process { fork signal }; ++allow mon_statd_t self:fifo_file rw_fifo_file_perms; ++ ++allow mon_statd_t self:unix_stream_socket create_stream_socket_perms; ++allow mon_statd_t self:unix_dgram_socket create_socket_perms; ++ ++kernel_dgram_send(mon_statd_t) ++ ++fs_getattr_all_fs(mon_statd_t) ++fs_getattr_all_dirs(mon_statd_t) ++ ++fs_search_cgroup_dirs(mon_statd_t) ++ ++logging_send_syslog_msg(mon_procd_t) ++ ++optional_policy(` ++ rpc_read_nfs_state_data(mon_statd_t) ++') ++ ++######################################## ++# ++# mon_procd local policy ++# ++allow mon_procd_t self:capability sys_ptrace; ++ ++allow mon_procd_t self:unix_dgram_socket { create connect }; ++ 
++auth_read_passwd(mon_procd_t) ++ ++kernel_dgram_send(mon_procd_t) ++kernel_read_system_state(mon_procd_t) ++ ++init_read_utmp(mon_procd_t) ++ ++logging_send_syslog_msg(mon_procd_t) ++ diff --git a/mongodb.fc b/mongodb.fc index 6fcfc31..85dcd4b 100644 --- a/mongodb.fc @@ -46132,10 +46283,10 @@ index 6fcfc31..85dcd4b 100644 +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..2184be0 100644 +index 169f236..1f19104 100644 --- a/mongodb.te +++ b/mongodb.te -@@ -21,19 +21,27 @@ files_type(mongod_var_lib_t) +@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t) type mongod_var_run_t; files_pid_file(mongod_var_run_t) 
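Review bot: In the new mon_statd.te the line `logging_send_syslog_msg(mon_procd_t)` inside the "mon_fstatd local policy" section looks like a copy-paste slip: mon_statd_t never receives syslog access, while mon_procd_t gets the identical line again in its own section; presumably it should read `logging_send_syslog_msg(mon_statd_t)`. Separately, `allow mon_procd_t self:capability sys_ptrace;` combined with `domain_read_all_domains_state(mon_statd_domain)` is a broad grant for a monitoring daemon, and a one-line comment naming the operation that needs the capability (for example `# sys_ptrace: <operation needing it — TODO confirm>`) would help later audits. The interface summaries in mon_statd.if also misspell "domain" as "domin".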
@@ -46152,20 +46303,22 @@ index 169f236..2184be0 100644 +allow mongod_t self:process { setsched signal }; allow mongod_t self:fifo_file rw_fifo_file_perms; +-manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) +-append_files_pattern(mongod_t, mongod_log_t, mongod_log_t) +-create_files_pattern(mongod_t, mongod_log_t, mongod_log_t) +-setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t) +-logging_log_filetrans(mongod_t, mongod_log_t, dir) +allow mongod_t self:netlink_route_socket r_netlink_socket_perms; +allow mongod_t self:unix_stream_socket create_stream_socket_perms; +allow mongod_t self:udp_socket create_socket_perms; ++allow mongod_t self:tcp_socket { accept listen }; + - manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) - append_files_pattern(mongod_t, mongod_log_t, mongod_log_t) - create_files_pattern(mongod_t, mongod_log_t, mongod_log_t) - setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t) --logging_log_filetrans(mongod_t, mongod_log_t, dir) ++manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) +logging_log_filetrans(mongod_t, mongod_log_t, { dir file }) manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -@@ -41,21 +49,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) +@@ -41,21 +47,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) @@ -55440,10 +55593,10 @@ index 0000000..ce897e2 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..6d3a4fe +index 0000000..2d92a3d --- /dev/null +++ b/nova.te -@@ -0,0 +1,335 @@ +@@ -0,0 +1,339 @@ +policy_module(nova, 1.0.0) + +######################################## 
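Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` with `manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)` also grants write, unlink and rename on the log files, so a compromised mongod could truncate or delete its own history rather than only extend it; the append-only form was the tamper-evident one. If rotation is the need, `rename_files_pattern` on top of the existing patterns may be enough, otherwise a comment such as `# manage: mongod rotates and removes its own log files` should record why full management is required. The same widening is made for radiusd_log_t in the radius.te hunk further down.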
@@ -55640,6 +55793,8 @@ index 0000000..6d3a4fe + +allow nova_console_t self:udp_socket create_socket_perms; + ++corenet_tcp_connect_memcache_port(nova_console_t) ++ +auth_use_nsswitch(nova_console_t) + +####################################### @@ -55736,6 +55891,8 @@ index 0000000..6d3a4fe + +init_read_utmp(nova_scheduler_t) + ++miscfiles_read_certs(nova_scheduler_t) ++ +####################################### +# +# nova vncproxy local policy @@ -61020,10 +61177,10 @@ index 0000000..776fda7 +') diff --git a/opensm.te b/opensm.te new file mode 100644 -index 0000000..a055461 +index 0000000..32d1db4 --- /dev/null +++ b/opensm.te -@@ -0,0 +1,44 @@ +@@ -0,0 +1,45 @@ +policy_module(opensm, 1.0.0) + +######################################## @@ -61066,6 +61223,7 @@ index 0000000..a055461 +corecmd_exec_bin(opensm_t) + +dev_read_sysfs(opensm_t) ++dev_rw_infiniband_dev(opensm_t) + +logging_send_syslog_msg(opensm_t) diff --git a/openvpn.fc b/openvpn.fc @@ -61132,7 +61290,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..69cc01a 100644 +index 63957a3..e059df5 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) @@ -61223,7 +61381,11 @@ index 63957a3..69cc01a 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -135,18 +150,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -132,21 +147,30 @@ files_read_etc_runtime_files(openvpn_t) + + fs_getattr_all_fs(openvpn_t) + fs_search_auto_mountpoints(openvpn_t) ++fs_list_cgroup_dirs(openvpn_t) auth_use_pam(openvpn_t) @@ -61239,6 +61401,8 @@ index 63957a3..69cc01a 100644 sysnet_use_ldap(openvpn_t) -userdom_use_user_terminals(openvpn_t) ++systemd_passwd_agent_domtrans(openvpn_t) ++ +userdom_use_inherited_user_terminals(openvpn_t) +userdom_read_home_certs(openvpn_t) +userdom_attach_admin_tun_iface(openvpn_t) 
@@ -61251,7 +61415,7 @@ index 63957a3..69cc01a 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -164,6 +185,10 @@ tunable_policy(`openvpn_can_network_connect',` +@@ -164,6 +188,10 @@ tunable_policy(`openvpn_can_network_connect',` ') optional_policy(` @@ -61262,7 +61426,7 @@ index 63957a3..69cc01a 100644 daemontools_service_domain(openvpn_t, openvpn_exec_t) ') -@@ -175,3 +200,27 @@ optional_policy(` +@@ -175,3 +203,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -67377,7 +67541,7 @@ index 5ad5291..7f1ae2a 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/portreserve.te b/portreserve.te -index 00b01e2..47ab4d9 100644 +index 00b01e2..10b4512 100644 --- a/portreserve.te +++ b/portreserve.te @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } @@ -67388,7 +67552,7 @@ index 00b01e2..47ab4d9 100644 corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_sendrecv_generic_if(portreserve_t) corenet_udp_sendrecv_generic_if(portreserve_t) -@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t) +@@ -56,6 +55,7 @@ corenet_sendrecv_all_server_packets(portreserve_t) corenet_tcp_bind_all_ports(portreserve_t) corenet_udp_bind_all_ports(portreserve_t) @@ -67396,9 +67560,8 @@ index 00b01e2..47ab4d9 100644 - userdom_dontaudit_search_user_home_content(portreserve_t) + -+optional_policy(` -+ sssd_search_lib(portreserve_t) -+') ++auth_use_nsswitch(portreserve_t) ++ diff --git a/portslave.te b/portslave.te index cbe36c1..8ebeb87 100644 --- a/portslave.te @@ -76182,10 +76345,10 @@ index afc0068..97bbea4 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..e8c81df 100644 +index 8644d8b..f45e193 100644 --- a/quantum.te +++ b/quantum.te -@@ -5,92 +5,173 @@ policy_module(quantum, 1.1.0) +@@ -5,92 +5,177 @@ policy_module(quantum, 1.1.0) # Declarations # 
@@ -76274,8 +76437,6 @@ index 8644d8b..e8c81df 100644 -dev_read_urand(quantum_t) - -files_read_usr_files(quantum_t) -- --auth_use_nsswitch(quantum_t) +allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; @@ -76363,6 +76524,11 @@ index 8644d8b..e8c81df 100644 + corenet_tcp_sendrecv_all_ports(neutron_t) +') +-auth_use_nsswitch(quantum_t) ++optional_policy(` ++ dbus_system_bus_client(neutron_t) ++') + -libs_exec_ldconfig(quantum_t) +optional_policy(` + brctl_domtrans(neutron_t) @@ -77162,7 +77328,7 @@ index 4460582..60cf556 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..8fc3712 100644 +index 403a4fe..f6923e3 100644 --- a/radius.te +++ b/radius.te @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) 
@@ -77175,7 +77341,18 @@ index 403a4fe..8fc3712 100644 ######################################## # # Local policy -@@ -60,11 +63,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +@@ -49,9 +52,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) + filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) + + manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) +-append_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) +-create_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) +-setattr_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) ++manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) + logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir }) + + manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) +@@ -60,11 +61,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) @@ -77188,7 +77365,7 @@ index 403a4fe..8fc3712 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -74,6 +77,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) +@@ -74,6 +75,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) @@ -77198,7 +77375,7 @@ index 403a4fe..8fc3712 100644 corenet_sendrecv_radacct_server_packets(radiusd_t) corenet_udp_bind_radacct_port(radiusd_t) -@@ -97,7 +103,6 @@ domain_use_interactive_fds(radiusd_t) +@@ -97,7 +101,6 @@ domain_use_interactive_fds(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) 
@@ -77206,7 +77383,7 @@ index 403a4fe..8fc3712 100644 files_read_etc_runtime_files(radiusd_t) files_dontaudit_list_tmp(radiusd_t) -@@ -109,7 +114,6 @@ libs_exec_lib_files(radiusd_t) +@@ -109,7 +112,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -77214,7 +77391,7 @@ index 403a4fe..8fc3712 100644 miscfiles_read_generic_certs(radiusd_t) sysnet_use_ldap(radiusd_t) -@@ -122,6 +126,11 @@ optional_policy(` +@@ -122,6 +124,11 @@ optional_policy(` ') optional_policy(` @@ -77226,7 +77403,7 @@ index 403a4fe..8fc3712 100644 logrotate_exec(radiusd_t) ') -@@ -140,5 +149,10 @@ optional_policy(` +@@ -140,5 +147,10 @@ optional_policy(` ') optional_policy(` @@ -79935,10 +80112,10 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..5ad36aa 100644 +index 47de2d6..d5caec9 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,88 @@ +@@ -1,31 +1,90 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -80024,6 +80201,8 @@ index 47de2d6..5ad36aa 100644 +/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/pacemaker_remoted -- gen_context(system_u:object_r:cluster_exec_t,s0) + ++/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) ++ +/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) @@ -80051,7 +80230,7 @@ index 47de2d6..5ad36aa 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..e6bcb25 100644 +index c8bdea2..b68d5b7 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ 
@@ -80080,7 +80259,7 @@ index c8bdea2..e6bcb25 100644 ') ############################## -@@ -43,33 +43,27 @@ template(`rhcs_domain_template',` +@@ -43,33 +43,29 @@ template(`rhcs_domain_template',` manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) @@ -80101,6 +80280,8 @@ index c8bdea2..e6bcb25 100644 - optional_policy(` - dbus_system_bus_client($1_t) - ') ++ kernel_read_system_state($1_t) ++ + auth_use_nsswitch($1_t) + + logging_send_syslog_msg($1_t) @@ -80121,7 +80302,7 @@ index c8bdea2..e6bcb25 100644 ## # interface(`rhcs_domtrans_dlm_controld',` -@@ -83,8 +77,8 @@ interface(`rhcs_domtrans_dlm_controld',` +@@ -83,8 +79,8 @@ interface(`rhcs_domtrans_dlm_controld',` ##################################### ## @@ -80132,7 +80313,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -92,18 +86,19 @@ interface(`rhcs_domtrans_dlm_controld',` +@@ -92,18 +88,19 @@ interface(`rhcs_domtrans_dlm_controld',` ## ## # @@ -80157,7 +80338,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -111,18 +106,18 @@ interface(`rhcs_getattr_fenced_exec_files',` +@@ -111,18 +108,18 @@ interface(`rhcs_getattr_fenced_exec_files',` ## ## # @@ -80180,7 +80361,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -160,9 +155,27 @@ interface(`rhcs_domtrans_fenced',` +@@ -160,9 +157,27 @@ interface(`rhcs_domtrans_fenced',` domtrans_pattern($1, fenced_exec_t, fenced_t) ') @@ -80209,7 +80390,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -181,10 +194,9 @@ interface(`rhcs_rw_fenced_semaphores',` +@@ -181,10 +196,9 @@ interface(`rhcs_rw_fenced_semaphores',` manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) ') @@ -80222,7 +80403,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -192,19 +204,18 @@ interface(`rhcs_rw_fenced_semaphores',` +@@ -192,19 +206,18 @@ interface(`rhcs_rw_fenced_semaphores',` ## ## # 
@@ -80246,7 +80427,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -221,10 +232,28 @@ interface(`rhcs_stream_connect_fenced',` +@@ -221,10 +234,28 @@ interface(`rhcs_stream_connect_fenced',` stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) ') @@ -80277,7 +80458,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -243,7 +272,7 @@ interface(`rhcs_domtrans_gfs_controld',` +@@ -243,7 +274,7 @@ interface(`rhcs_domtrans_gfs_controld',` #################################### ## @@ -80286,7 +80467,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -264,7 +293,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` +@@ -264,7 +295,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` ######################################## ## @@ -80295,7 +80476,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -285,8 +314,7 @@ interface(`rhcs_rw_gfs_controld_shm',` +@@ -285,8 +316,7 @@ interface(`rhcs_rw_gfs_controld_shm',` ##################################### ## @@ -80305,7 +80486,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -324,8 +352,8 @@ interface(`rhcs_domtrans_groupd',` +@@ -324,8 +354,8 @@ interface(`rhcs_domtrans_groupd',` ##################################### ## @@ -80316,7 +80497,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -342,10 +370,51 @@ interface(`rhcs_stream_connect_groupd',` +@@ -342,10 +372,51 @@ interface(`rhcs_stream_connect_groupd',` stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) ') @@ -80370,7 +80551,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -366,8 +435,7 @@ interface(`rhcs_rw_cluster_shm',` +@@ -366,8 +437,7 @@ interface(`rhcs_rw_cluster_shm',` #################################### ## @@ -80380,7 +80561,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -383,9 +451,10 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -383,9 +453,10 @@ interface(`rhcs_rw_cluster_semaphores',` allow $1 cluster_domain:sem { rw_sem_perms destroy }; ') 
@@ -80393,7 +80574,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -393,20 +462,44 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -393,20 +464,44 @@ interface(`rhcs_rw_cluster_semaphores',` ## ## # @@ -80444,7 +80625,7 @@ index c8bdea2..e6bcb25 100644 ## ## ## -@@ -414,15 +507,12 @@ interface(`rhcs_rw_groupd_semaphores',` +@@ -414,15 +509,12 @@ interface(`rhcs_rw_groupd_semaphores',` ## ## # @@ -80463,7 +80644,7 @@ index c8bdea2..e6bcb25 100644 ') ###################################### -@@ -446,52 +536,361 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +538,361 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -80514,11 +80695,7 @@ index c8bdea2..e6bcb25 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; ++ +##################################### +## +## Allow domain to manage cluster lib files @@ -80533,15 +80710,15 @@ index c8bdea2..e6bcb25 100644 + gen_require(` + type cluster_var_lib_t; + ') - -- files_search_pids($1) -- admin_pattern($1, cluster_pid) ++ + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +#################################### +## +## Allow domain to relabel cluster lib files 
@@ -80562,8 +80739,8 @@ index c8bdea2..e6bcb25 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- files_search_pids($1) +- admin_pattern($1, cluster_pid) +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -80579,14 +80756,14 @@ index c8bdea2..e6bcb25 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +####################################### +## +## Execute cluster init scripts in @@ -80602,10 +80779,14 @@ index c8bdea2..e6bcb25 100644 + gen_require(` + type cluster_initrc_exec_t; + ') -+ + +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') -+ + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +##################################### +## +## Execute cluster in the caller domain. @@ -80854,7 +81035,7 @@ index c8bdea2..e6bcb25 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..37290b0 100644 +index 6cf79c4..25c0f70 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -80893,7 +81074,7 @@ index 6cf79c4..37290b0 100644 attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +73,282 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,281 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) 
@@ -80998,7 +81179,6 @@ index 6cf79c4..37290b0 100644 + +kernel_kill(cluster_t) +kernel_read_all_sysctls(cluster_t) -+kernel_read_system_state(cluster_t) +kernel_rw_rpc_sysctls(cluster_t) +kernel_search_debugfs(cluster_t) +kernel_search_network_state(cluster_t) @@ -81180,7 +81360,7 @@ index 6cf79c4..37290b0 100644 ') ##################################### -@@ -79,9 +356,11 @@ optional_policy(` +@@ -79,13 +355,14 @@ optional_policy(` # dlm_controld local policy # @@ -81193,7 +81373,11 @@ index 6cf79c4..37290b0 100644 stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -@@ -98,16 +377,30 @@ fs_manage_configfs_dirs(dlm_controld_t) +-kernel_read_system_state(dlm_controld_t) + kernel_rw_net_sysctls(dlm_controld_t) + + corecmd_exec_bin(dlm_controld_t) +@@ -98,16 +375,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -81227,18 +81411,18 @@ index 6cf79c4..37290b0 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +411,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +409,7 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) -can_exec(fenced_t, fenced_exec_t) - - kernel_read_system_state(fenced_t) +-kernel_read_system_state(fenced_t) +kernel_read_network_state(fenced_t) corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -140,6 +432,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) +@@ -140,6 +429,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) 
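Review bot: `kernel_read_system_state(cluster_t)` is dropped here (and for dlm_controld_t, fenced_t, gfs_controld_t and qdiskd_t in the following hunks) on the assumption that the `kernel_read_system_state($1_t)` now added to `rhcs_domain_template` in rhcs.if covers each of them. That only holds for domains declared through the template; the declaration of cluster_t is outside these hunks, so please confirm it is template-based, otherwise cluster_t silently loses the /proc access it had before. A short comment at the template line, e.g. `# kernel_read_system_state for every RHCS domain is granted here`, would make the dependency visible to the next editor.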
@@ -81247,7 +81431,7 @@ index 6cf79c4..37290b0 100644 corenet_tcp_sendrecv_zented_port(fenced_t) corenet_sendrecv_http_client_packets(fenced_t) -@@ -148,9 +442,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +439,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -81258,7 +81442,7 @@ index 6cf79c4..37290b0 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +452,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +449,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -81267,7 +81451,7 @@ index 6cf79c4..37290b0 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +474,8 @@ optional_policy(` +@@ -182,7 +471,8 @@ optional_policy(` ') optional_policy(` @@ -81277,7 +81461,7 @@ index 6cf79c4..37290b0 100644 ') optional_policy(` -@@ -190,12 +483,12 @@ optional_policy(` +@@ -190,12 +480,12 @@ optional_policy(` ') optional_policy(` @@ -81293,7 +81477,7 @@ index 6cf79c4..37290b0 100644 ') optional_policy(` -@@ -203,6 +496,13 @@ optional_policy(` +@@ -203,6 +493,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -81307,7 +81491,7 @@ index 6cf79c4..37290b0 100644 ####################################### # # foghorn local policy -@@ -221,16 +521,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +518,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) 
@@ -81328,7 +81512,12 @@ index 6cf79c4..37290b0 100644 snmp_stream_connect(foghorn_t) ') -@@ -252,11 +554,16 @@ kernel_read_system_state(gfs_controld_t) +@@ -247,16 +546,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ + stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) + stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +-kernel_read_system_state(gfs_controld_t) + dev_rw_dlm_control(gfs_controld_t) dev_setattr_dlm_control(gfs_controld_t) dev_rw_sysfs(gfs_controld_t) @@ -81345,7 +81534,7 @@ index 6cf79c4..37290b0 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +582,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +578,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -81405,7 +81594,15 @@ index 6cf79c4..37290b0 100644 ###################################### # # qdiskd local policy -@@ -321,6 +675,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -292,7 +642,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) + manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) + files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) + +-kernel_read_system_state(qdiskd_t) + kernel_read_software_raid_state(qdiskd_t) + kernel_getattr_core_if(qdiskd_t) + +@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -81517,10 +81714,10 @@ index 0000000..bf11e25 +') diff --git a/rhev.te b/rhev.te new file mode 100644 -index 0000000..26f7884 +index 0000000..eeee78a --- /dev/null +++ b/rhev.te -@@ -0,0 +1,116 @@ +@@ -0,0 +1,124 @@ +policy_module(rhev,1.0) + +######################################## 
@@ -81604,10 +81801,18 @@ index 0000000..26f7884 + dbus_system_bus_client(rhev_agentd_t) + dbus_connect_system_bus(rhev_agentd_t) + dbus_session_bus_client(rhev_agentd_t) ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(rhev_agentd_t) ++ ') ++ ++ optional_policy(` ++ xserver_dbus_chat_xdm(rhev_agentd_t) ++ ') ++ +') + +optional_policy(` -+ xserver_dbus_chat_xdm(rhev_agentd_t) + xserver_stream_connect(rhev_agentd_t) +') + @@ -87233,7 +87438,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..e89790e 100644 +index 2b7c441..d16940f 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -87828,7 +88033,7 @@ index 2b7c441..e89790e 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +513,36 @@ optional_policy(` +@@ -499,9 +513,44 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -87842,9 +88047,13 @@ index 2b7c441..e89790e 100644 +tunable_policy(`samba_export_all_ro',` + allow nmbd_t self:capability { dac_read_search dac_override }; + fs_read_noxattr_fs_files(smbd_t) -+ files_read_non_security_files(smbd_t) ++ files_read_non_security_files(smbd_t) ++ files_dontaudit_search_security_files(smbd_t) ++ files_dontaudit_read_security_files(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) + files_read_non_security_files(nmbd_t) ++ files_dontaudit_search_security_files(nmbd_t) ++ files_dontaudit_read_security_files(nmbd_t) +') + +tunable_policy(`samba_export_all_rw',` 
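Review bot: The `files_dontaudit_read_security_files(smbd_t)` added inside the `samba_export_all_ro` tunable block silences exactly the AVC an operator would want to see, namely the file-serving daemon attempting to read security_file_type content, for as long as the boolean is enabled. The new `files_dontaudit_search_security_files(smbd_t)` already absorbs the directory-traversal noise that exporting a whole filesystem produces, and dontaudit never grants anything, so this is purely an audit-visibility trade-off that the hunk does not explain. Consider keeping only the `search` dontaudit for smbd_t, or justifying the `read` one in place, e.g. `# exporting / walks into /etc: suppress traversal noise only, keep read denials on security files auditable`. The nmbd_t lines mirror smbd_t, but nmbd serves NetBIOS names rather than files, so the read dontaudit there is presumably never exercised and could be left out; the samba_export_all_rw block in the following hunk repeats the same shape.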
@@ -87852,9 +88061,13 @@ index 2b7c441..e89790e 100644 + fs_manage_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) + files_manage_non_security_dirs(smbd_t) ++ files_dontaudit_search_security_files(smbd_t) ++ files_dontaudit_read_security_files(smbd_t) + fs_manage_noxattr_fs_files(nmbd_t) + files_manage_non_security_files(nmbd_t) + files_manage_non_security_dirs(nmbd_t) ++ files_dontaudit_search_security_files(nmbd_t) ++ files_dontaudit_read_security_files(nmbd_t) +') + +userdom_filetrans_home_content(nmbd_t) @@ -87866,7 +88079,7 @@ index 2b7c441..e89790e 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +553,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +561,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -87881,7 +88094,7 @@ index 2b7c441..e89790e 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +569,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +577,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -87905,7 +88118,7 @@ index 2b7c441..e89790e 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +585,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +593,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -87974,7 +88187,7 @@ index 2b7c441..e89790e 100644 ') optional_policy(` -@@ -606,16 +635,22 @@ optional_policy(` +@@ -606,16 +643,22 @@ optional_policy(` ######################################## # 
@@ -88001,7 +88214,7 @@ index 2b7c441..e89790e 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +662,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +670,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -88019,7 +88232,7 @@ index 2b7c441..e89790e 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +674,23 @@ optional_policy(` +@@ -644,22 +682,23 @@ optional_policy(` ######################################## # @@ -88051,7 +88264,7 @@ index 2b7c441..e89790e 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +699,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +707,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -88087,7 +88300,7 @@ index 2b7c441..e89790e 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +726,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +734,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -88179,7 +88392,7 @@ index 2b7c441..e89790e 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +805,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +813,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -88203,7 +88416,7 @@ index 2b7c441..e89790e 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +819,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +827,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -88246,7 +88459,7 @@ index 2b7c441..e89790e 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +849,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +857,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -88260,7 +88473,7 @@ index 2b7c441..e89790e 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +872,20 @@ optional_policy(` +@@ -840,17 +880,20 @@ optional_policy(` # Winbind local policy # @@ -88286,7 +88499,7 @@ index 2b7c441..e89790e 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +895,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +903,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -88297,7 +88510,7 @@ index 2b7c441..e89790e 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +906,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,23 +914,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -88327,7 +88540,7 @@ index 2b7c441..e89790e 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +929,17 @@ kernel_read_system_state(winbind_t) +@@ -898,13 +937,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) 
@@ -88348,7 +88561,7 @@ index 2b7c441..e89790e 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +947,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +955,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -88407,7 +88620,7 @@ index 2b7c441..e89790e 100644 ') optional_policy(` -@@ -959,31 +1008,29 @@ optional_policy(` +@@ -959,31 +1016,29 @@ optional_policy(` # Winbind helper local policy # @@ -88445,7 +88658,7 @@ index 2b7c441..e89790e 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1044,38 @@ optional_policy(` +@@ -997,25 +1052,38 @@ optional_policy(` ######################################## # @@ -89800,7 +90013,7 @@ index cd6c213..34b861a 100644 + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index 0045465..7d3129e 100644 +index 0045465..027faf2 100644 --- a/sanlock.te +++ b/sanlock.te @@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0) @@ -89870,7 +90083,7 @@ index 0045465..7d3129e 100644 logging_log_filetrans(sanlock_t, sanlock_log_t, file) manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) +@@ -65,13 +71,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) kernel_read_kernel_sysctls(sanlock_t) @@ -89885,11 +90098,12 @@ index 0045465..7d3129e 100644 +dev_read_rand(sanlock_t) +dev_read_urand(sanlock_t) ++dev_read_sysfs(sanlock_t) + auth_use_nsswitch(sanlock_t) init_read_utmp(sanlock_t) -@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t) +@@ -79,20 +88,29 @@ init_dontaudit_write_utmp(sanlock_t) logging_send_syslog_msg(sanlock_t) 
@@ -89928,13 +90142,14 @@ index 0045465..7d3129e 100644 ') optional_policy(` -@@ -100,7 +117,8 @@ optional_policy(` +@@ -100,7 +118,9 @@ optional_policy(` ') optional_policy(` - virt_kill_all_virt_domains(sanlock_t) + virt_kill_svirt(sanlock_t) + virt_kill(sanlock_t) ++ virt_signal(sanlock_t) virt_manage_lib_files(sanlock_t) - virt_signal_all_virt_domains(sanlock_t) + virt_signal_svirt(sanlock_t) @@ -91507,10 +91722,10 @@ index d204752..31cc6e6 100644 + ') ') diff --git a/sensord.te b/sensord.te -index 5e82fd6..d31876d 100644 +index 5e82fd6..80cb2bc 100644 --- a/sensord.te +++ b/sensord.te -@@ -9,27 +9,37 @@ type sensord_t; +@@ -9,27 +9,38 @@ type sensord_t; type sensord_exec_t; init_daemon_domain(sensord_t, sensord_exec_t) @@ -91547,6 +91762,7 @@ index 5e82fd6..d31876d 100644 -files_read_etc_files(sensord_t) +dev_read_sysfs(sensord_t) ++dev_getattr_sysfs_fs(sensord_t) logging_send_syslog_msg(sensord_t) @@ -93924,7 +94140,7 @@ index 634c6b4..f6db7a7 100644 +') + diff --git a/sosreport.te b/sosreport.te -index f2f507d..0d4a35c 100644 +index f2f507d..9cf6dda 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -94092,7 +94308,7 @@ index f2f507d..0d4a35c 100644 ') optional_policy(` -@@ -147,13 +201,34 @@ optional_policy(` +@@ -147,13 +201,35 @@ optional_policy(` ') optional_policy(` @@ -94127,6 +94343,7 @@ index f2f507d..0d4a35c 100644 + +optional_policy(` + unconfined_signull(sosreport_t) ++ unconfined_domain(sosreport_t) ') optional_policy(` @@ -97048,10 +97265,10 @@ index 49d688d..f07cc80 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..7e59e7e +index 0000000..79e43aa --- /dev/null 
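Review bot: `unconfined_domain(sosreport_t)` makes the sosreport domain fully unconfined, which supersedes every targeted allow rule sosreport.te carries for sosreport_t and removes the bound that confinement placed on what a compromised or malicious plugin running under it as root could do; the hunk adds no comment and the changelog line gives no rationale. If the intent is that sosreport has to run arbitrary plugin commands and its accesses cannot reasonably be enumerated, state that next to the rule, e.g. `# sosreport runs arbitrary plugin commands as root; enumerating them is impractical, so it is unconfined when the unconfined module is loaded`. Because the rule sits inside an `optional_policy` block, a build without the unconfined module keeps the older confined rule set, so those rules should not be pruned on the assumption that this line is always active. It is also worth confirming that no less-privileged role or domain transitions into sosreport_t, since such a transition is now a direct step to unconfined; that caller list is outside this hunk.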
+++ b/swift.fc -@@ -0,0 +1,33 @@ +@@ -0,0 +1,35 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -97078,6 +97295,8 @@ index 0000000..7e59e7e +/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) +/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) + ++/var/lib/swift(/.*)? gen_context(system_u:object_r:swift_data_t,s0) ++ +# This seems to be a de-facto standard when using swift. +/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) + @@ -102643,7 +102862,7 @@ index a4f20bc..9ccc90c 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..c43ef2e 100644 +index facdee8..c7a2d97 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -104026,7 +104245,7 @@ index facdee8..c43ef2e 100644 ######################################## ## -## Search virt image directories. -+## Send a signal to virtual machines ++## Send a signal to virtd daemon. ## ## ## 
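Review bot: The new `/var/lib/swift(/.*)? gen_context(system_u:object_r:swift_data_t,s0)` entry only applies on relabel; if the swift daemons create /var/lib/swift themselves at runtime it will inherit the parent's var_lib_t label unless swift.te also carries a matching `files_var_lib_filetrans(<swift domain>, swift_data_t, dir, "swift")`, which is not part of this hunk and should be confirmed. Labelling the directory swift_data_t places it under the same type as `/srv/node`, so whatever may manage object storage can now write here as well; if /var/lib/swift holds daemon state rather than object data, a dedicated var_lib type would keep the two apart. A one-line comment above the entry saying what is expected to live there would make the choice of swift_data_t reviewable later, e.g. `# swift node state when /srv/node is not used`.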
@@ -104035,34 +104254,34 @@ index facdee8..c43ef2e 100644 ## # -interface(`virt_search_images',` -+interface(`virt_signal_svirt',` ++interface(`virt_signal',` gen_require(` - attribute virt_image_type; -+ attribute virt_domain; ++ type virtd_t; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ allow $1 virt_domain:process signal; ++ allow $1 virtd_t:process signal; ') ######################################## ## -## Read virt image files. -+## Manage virt home files. ++## Send a signal to virtual machines ## ## ## -@@ -995,36 +1016,57 @@ interface(`virt_search_images',` +@@ -995,57 +1016,75 @@ interface(`virt_search_images',` ## ## # -interface(`virt_read_images',` -+interface(`virt_manage_home_files',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type virt_home_t; ++ attribute virt_domain; ') - virt_search_lib($1) @@ -104071,8 +104290,7 @@ index facdee8..c43ef2e 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ allow $1 virt_domain:process signal; +') - tunable_policy(`virt_use_nfs',` @@ -104081,6 +104299,29 @@ index facdee8..c43ef2e 100644 - fs_read_nfs_symlinks($1) +######################################## +## ++## Manage virt home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_manage_home_files',` ++ gen_require(` ++ type virt_home_t; + ') + +- tunable_policy(`virt_use_samba',` +- fs_list_cifs($1) +- fs_read_cifs_files($1) +- fs_read_cifs_symlinks($1) ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) ++') ++ ++######################################## ++## +## allow domain to read +## virt tmpfs files +## 
@@ -104094,57 +104335,59 @@ index facdee8..c43ef2e 100644 + gen_require(` + attribute virt_tmpfs_type; ') - -- tunable_policy(`virt_use_samba',` -- fs_list_cifs($1) -- fs_read_cifs_files($1) -- fs_read_cifs_symlinks($1) ++ + allow $1 virt_tmpfs_type:file read_file_perms; -+') -+ -+######################################## -+## -+## allow domain to manage -+## virt tmpfs files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`virt_manage_tmpfs_files',` -+ gen_require(` -+ attribute virt_tmpfs_type; - ') -+ -+ allow $1 virt_tmpfs_type:file manage_file_perms; ') ######################################## ## -## Read and write all virt image -## character files. -+## Create .virt directory in the user home directory -+## with an correct label. ++## allow domain to manage ++## virt tmpfs files ## ## ## -@@ -1032,20 +1074,28 @@ interface(`virt_read_images',` +-## Domain allowed access. ++## Domain allowed access ## ## # -interface(`virt_rw_all_image_chr_files',` -+interface(`virt_filetrans_home_content',` ++interface(`virt_manage_tmpfs_files',` gen_require(` - attribute virt_image_type; -+ type virt_home_t; -+ type svirt_home_t; ++ attribute virt_tmpfs_type; ') - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) ++ allow $1 virt_tmpfs_type:file manage_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## svirt cache files. ++## Create .virt directory in the user home directory ++## with an correct label. 
+ ## + ## + ## +@@ -1053,15 +1092,28 @@ interface(`virt_rw_all_image_chr_files',` + ## + ## + # +-interface(`virt_manage_svirt_cache',` +- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') +- virt_manage_virt_cache($1) ++interface(`virt_filetrans_home_content',` ++ gen_require(` ++ type virt_home_t; ++ type svirt_home_t; ++ ') ++ + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") @@ -104161,34 +104404,36 @@ index facdee8..c43ef2e 100644 ######################################## ## -## Create, read, write, and delete --## svirt cache files. +-## virt cache content. +## Dontaudit attempts to Read virt_image_type devices. ## ## ## -@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1069,21 +1121,133 @@ interface(`virt_manage_svirt_cache',` ## ## # --interface(`virt_manage_svirt_cache',` -- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') -- virt_manage_virt_cache($1) +-interface(`virt_manage_virt_cache',` +interface(`virt_dontaudit_read_chr_dev',` -+ gen_require(` + gen_require(` +- type virt_cache_t; + attribute virt_image_type; -+ ') -+ + ') + +- files_search_var($1) +- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) +- manage_files_pattern($1, virt_cache_t, virt_cache_t) +- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') ######################################## ## -## Create, read, write, and delete --## virt cache content. +-## virt image files. +## Creates types and rules for a basic +## virt_lxc process domain. - ## --## ++## +## +## +## Prefix for the domain. @@ -104217,7 +104462,7 @@ index facdee8..c43ef2e 100644 +## Make the specified type usable as a lxc domain +## +## - ## ++## +## Type to be used as a lxc domain +## +## 
@@ -104236,7 +104481,7 @@ index facdee8..c43ef2e 100644 +## +## +## - ## Domain allowed access. ++## Domain allowed access. +## +## +# @@ -104255,30 +104500,22 @@ index facdee8..c43ef2e 100644 +## +## +## Domain allowed access. - ## - ## - # --interface(`virt_manage_virt_cache',` ++## ++## ++# +interface(`virt_filetrans_named_content',` - gen_require(` -- type virt_cache_t; ++ gen_require(` + type virt_lxc_var_run_t; + type virt_var_run_t; - ') - -- files_search_var($1) -- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) -- manage_files_pattern($1, virt_cache_t, virt_cache_t) -- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) ++ ') ++ + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") - ') - - ######################################## - ## --## Create, read, write, and delete --## virt image files. ++') ++ ++######################################## ++## +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## @@ -104314,7 +104551,7 @@ index facdee8..c43ef2e 100644 ## ## ## -@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1255,54 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -104388,7 +104625,7 @@ index facdee8..c43ef2e 100644 ## ## ## -@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',` +@@ -1136,50 +1318,53 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
@@ -104427,30 +104664,30 @@ index facdee8..c43ef2e 100644 - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -+ admin_pattern($1, virt_file_type) -+ admin_pattern($1, svirt_file_type) - +- - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) -+ virt_systemctl($1) -+ allow $1 virtd_unit_file_t:service all_service_perms; - +- - logging_search_logs($1) - admin_pattern($1, virt_log_t) - - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_var($1) - admin_pattern($1, svirt_cache_t) -- ++ admin_pattern($1, virt_file_type) ++ admin_pattern($1, svirt_file_type) + - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) -- ++ virt_systemctl($1) ++ allow $1 virtd_unit_file_t:service all_service_perms; + - files_search_locks($1) - admin_pattern($1, virt_lock_t) + virt_stream_connect_sandbox($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index bfb08536..cd7d2d77 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 85%{?dist} +Release: 86%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -602,6 +602,42 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Oct 14 2014 Lukas Vrabec 3.13.1-86 +- Dontaudit aicuu to search home config dir. BZ (#1104076) +- couchdb is using erlang so it needs execmem privs +- ALlow sanlock to send a signal to virtd_t. +- Allow mondogdb to 'accept' accesses on the tcp_socket port. +- Make sosreport as unconfined domain. +- Allow nova-console to connect to mem_cache port. +- Allow mandb to getattr on file systems +- Allow read antivirus domain all kernel sysctls. +- Allow lmsd_plugin to read passwd file. BZ(1093733) +- Label /usr/share/corosync/corosync as cluster_exec_t. +- ALlow sensord to getattr on sysfs. +- automount policy is non-base module so it needs to be called in optional block. +- Add auth_use_nsswitch for portreserve to make it working with sssd. +- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files. +- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd. +- Allow openvpn to access /sys/fs/cgroup dir. +- Allow nova-scheduler to read certs +- Add support for /var/lib/swiftdirectory. +- Allow neutron connections to system dbus. +- Allow mongodb to manage own log files. +- Allow opensm_t to read/write /dev/infiniband/umad1. +- Added policy for mon_statd and mon_procd services. BZ (1077821) +- kernel_read_system_state needs to be called with type. Moved it to antivirus.if. +- Allow dnssec_trigger_t to execute unbound-control in own domain. +- Allow all RHCS services to read system state. +- Added monitor device +- Add interfaces for /dev/infiniband +- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type. +- Add files_dontaudit_search_security_files() +- Add selinuxuser_udp_server boolean +- ALlow syslogd_t to create /var/log/cron with correct labeling +- Add support for /etc/.updated and /var/.updated +- Allow iptables read fail2ban logs. 
BZ (1147709) +- ALlow ldconfig to read proc//net/sockstat. + * Mon Oct 06 2014 Lukas Vrabec 3.13.1-85 - Allow nova domains to getattr on all filesystems. - ALlow zebra for user/group look-ups.