* Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165

- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
This commit is contained in:
Lukas Vrabec 2016-01-06 12:19:09 +01:00
parent f1750fb373
commit 936bb7a648
4 changed files with 142 additions and 84 deletions

Binary file not shown.

View File

@ -26517,10 +26517,10 @@ index cc877c7..b8e6e98 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 8274418..b3baa75 100644
index 8274418..12a5645 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,36 @@
@@ -2,13 +2,38 @@
# HOME_DIR
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -26538,6 +26538,7 @@ index 8274418..b3baa75 100644
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
+/root/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -26553,11 +26554,12 @@ index 8274418..b3baa75 100644
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.wayland-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
#
# /dev
@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
@@ -22,13 +47,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
@ -26580,7 +26582,7 @@ index 8274418..b3baa75 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
@@ -46,26 +77,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
@@ -46,26 +79,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@ -26621,7 +26623,7 @@ index 8274418..b3baa75 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -91,19 +130,34 @@ ifndef(`distro_debian',`
@@ -91,19 +132,34 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@ -26660,7 +26662,7 @@ index 8274418..b3baa75 100644
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -111,7 +165,18 @@ ifndef(`distro_debian',`
@@ -111,7 +167,18 @@ ifndef(`distro_debian',`
/var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@ -26680,7 +26682,7 @@ index 8274418..b3baa75 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..f2bbe7e 100644
index 6bf0ecc..7d0c3c3 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
@ -27756,7 +27758,7 @@ index 6bf0ecc..f2bbe7e 100644
')
########################################
@@ -1284,10 +1640,660 @@ interface(`xserver_manage_core_devices',`
@@ -1284,10 +1640,662 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@ -28290,6 +28292,7 @@ index 6bf0ecc..f2bbe7e 100644
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
@ -28334,6 +28337,7 @@ index 6bf0ecc..f2bbe7e 100644
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
@ -45258,10 +45262,10 @@ index 0000000..c253b33
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..56ba5a6
index 0000000..b4a073f
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,824 @@
@@ -0,0 +1,825 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -45463,6 +45467,7 @@ index 0000000..56ba5a6
+init_undefined(systemd_logind_t)
+init_signal_script(systemd_logind_t)
+init_getattr_script_status_files(systemd_logind_t)
+init_read_utmp(systemd_logind_t)
+
+getty_systemctl(systemd_logind_t)
+
@ -47499,7 +47504,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..cb235f4 100644
index 9dc60c6..e6556aa 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -50801,7 +50806,7 @@ index 9dc60c6..cb235f4 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4622,1763 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@ -51369,6 +51374,24 @@ index 9dc60c6..cb235f4 100644
+
+########################################
+## <summary>
+## Read and write userdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_connectto_stream',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain datagram socket.
+## </summary>

View File

@ -3799,7 +3799,7 @@ index 7caefc3..b25689b 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index f6eb485..c55558a 100644
index f6eb485..f1f976b 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@ -3948,7 +3948,7 @@ index f6eb485..c55558a 100644
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };
+
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
@ -20497,7 +20497,7 @@ index 3023be7..0317731 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
index c91813c..999581c 100644
index c91813c..3d89006 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@ -20771,13 +20771,14 @@ index c91813c..999581c 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
@@ -244,22 +288,27 @@ auth_dontaudit_read_pam_pid(cupsd_t)
@@ -244,22 +288,28 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
-libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
+libs_exec_ldconfig(cupsd_t)
+libs_exec_ld_so(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
@ -20804,7 +20805,7 @@ index c91813c..999581c 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
@@ -272,6 +321,8 @@ optional_policy(`
@@ -272,6 +322,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@ -20813,7 +20814,7 @@ index c91813c..999581c 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
@@ -279,11 +330,17 @@ optional_policy(`
@@ -279,11 +331,17 @@ optional_policy(`
')
optional_policy(`
@ -20831,7 +20832,7 @@ index c91813c..999581c 100644
')
')
@@ -296,8 +353,8 @@ optional_policy(`
@@ -296,8 +354,8 @@ optional_policy(`
')
optional_policy(`
@ -20841,7 +20842,7 @@ index c91813c..999581c 100644
')
optional_policy(`
@@ -306,7 +363,6 @@ optional_policy(`
@@ -306,7 +364,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@ -20849,7 +20850,7 @@ index c91813c..999581c 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
@@ -316,6 +372,10 @@ optional_policy(`
@@ -316,6 +373,10 @@ optional_policy(`
')
optional_policy(`
@ -20860,7 +20861,7 @@ index c91813c..999581c 100644
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
samba_stream_connect_nmbd(cupsd_t)
@@ -334,7 +394,11 @@ optional_policy(`
@@ -334,7 +395,11 @@ optional_policy(`
')
optional_policy(`
@ -20873,7 +20874,7 @@ index c91813c..999581c 100644
')
########################################
@@ -342,12 +406,11 @@ optional_policy(`
@@ -342,12 +407,11 @@ optional_policy(`
# Configuration daemon local policy
#
@ -20889,7 +20890,7 @@ index c91813c..999581c 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -372,18 +435,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
@@ -372,18 +436,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@ -20910,7 +20911,7 @@ index c91813c..999581c 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -392,20 +453,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@@ -392,20 +454,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@ -20931,7 +20932,7 @@ index c91813c..999581c 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -417,11 +470,6 @@ auth_use_nsswitch(cupsd_config_t)
@@ -417,11 +471,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@ -20943,7 +20944,7 @@ index c91813c..999581c 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -449,9 +497,12 @@ optional_policy(`
@@ -449,9 +498,12 @@ optional_policy(`
')
optional_policy(`
@ -20957,7 +20958,7 @@ index c91813c..999581c 100644
')
optional_policy(`
@@ -467,6 +518,10 @@ optional_policy(`
@@ -467,6 +519,10 @@ optional_policy(`
')
optional_policy(`
@ -20968,7 +20969,7 @@ index c91813c..999581c 100644
rpm_read_db(cupsd_config_t)
')
@@ -487,10 +542,6 @@ optional_policy(`
@@ -487,10 +543,6 @@ optional_policy(`
# Lpd local policy
#
@ -20979,7 +20980,7 @@ index c91813c..999581c 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +559,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
@@ -508,15 +560,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@ -20997,7 +20998,7 @@ index c91813c..999581c 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +588,6 @@ auth_use_nsswitch(cupsd_lpd_t)
@@ -537,9 +589,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@ -21007,7 +21008,7 @@ index c91813c..999581c 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -550,7 +598,6 @@ optional_policy(`
@@ -550,7 +599,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -21015,7 +21016,7 @@ index c91813c..999581c 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +613,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
@@ -566,148 +614,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@ -21167,7 +21168,7 @@ index c91813c..999581c 100644
########################################
#
@@ -735,7 +657,6 @@ kernel_read_kernel_sysctls(ptal_t)
@@ -735,7 +658,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@ -21175,7 +21176,7 @@ index c91813c..999581c 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +666,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
@@ -745,13 +667,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -21189,7 +21190,7 @@ index c91813c..999581c 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -759,8 +678,6 @@ fs_search_auto_mountpoints(ptal_t)
@@ -759,8 +679,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@ -21198,7 +21199,7 @@ index c91813c..999581c 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +690,4 @@ optional_policy(`
@@ -773,3 +691,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@ -24084,7 +24085,7 @@ index c697edb..954c090 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
index 98a24b9..5a24c3a 100644
index 98a24b9..cb5795e 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@ -24122,7 +24123,7 @@ index 98a24b9..5a24c3a 100644
files_read_etc_runtime_files(dhcpd_t)
files_search_var_lib(dhcpd_t)
@@ -102,22 +103,42 @@ auth_use_nsswitch(dhcpd_t)
@@ -102,22 +103,44 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
@ -24145,17 +24146,19 @@ index 98a24b9..5a24c3a 100644
+ corenet_tcp_sendrecv_ldap_port(dhcpd_t)
+ corenet_tcp_connect_ldap_port(dhcpd_t)
+ corenet_sendrecv_ldap_client_packets(dhcpd_t)
+')
+
+tunable_policy(`dhcpd_use_ldap',`
+ ldap_read_certs(dhcpd_t)
')
optional_policy(`
+ tunable_policy(`dhcpd_use_ldap',`
+ ldap_read_certs(dhcpd_t)
+ ')
+')
+
+ifdef(`distro_gentoo',`
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
')
optional_policy(`
+')
+
+optional_policy(`
+ # used for dynamic DNS
bind_read_dnssec_keys(dhcpd_t)
')
@ -36395,10 +36398,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
index 4eb7041..3ba4a51 100644
index 4eb7041..76a5802 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0)
@@ -5,24 +5,142 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@ -36436,7 +36439,7 @@ index 4eb7041..3ba4a51 100644
#
-# Local policy
+# hyperv domain local policy
#
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
@ -36452,10 +36455,8 @@ index 4eb7041..3ba4a51 100644
+########################################
+#
+# hypervkvp local policy
#
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+#
+
+allow hypervkvp_t self:capability sys_ptrace;
+allow hypervkvp_t self:process setfscreate;
+allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
@ -36537,16 +36538,21 @@ index 4eb7041..3ba4a51 100644
+')
+
+########################################
+#
#
+# hypervvssd local policy
+#
#
-logging_send_syslog_msg(hypervkvpd_t)
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervvssd_t self:capability sys_admin;
-miscfiles_read_localization(hypervkvpd_t)
-logging_send_syslog_msg(hypervkvpd_t)
+files_list_boot(hypervvssd_t)
-miscfiles_read_localization(hypervkvpd_t)
+files_list_all_mountpoints(hypervvssd_t)
+files_write_all_mountpoints(hypervvssd_t)
-sysnet_dns_name_resolve(hypervkvpd_t)
+logging_send_syslog_msg(hypervvssd_t)
diff --git a/i18n_input.te b/i18n_input.te
@ -37242,15 +37248,16 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..db194ec
index 0000000..749756a
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,10 @@
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
@ -61471,10 +61478,10 @@ index 57c0161..c554eb6 100644
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
index 5b2cb0d..ad16c77 100644
index 5b2cb0d..7655e0b 100644
--- a/nut.te
+++ b/nut.te
@@ -7,154 +7,143 @@ policy_module(nut, 1.3.0)
@@ -7,154 +7,148 @@ policy_module(nut, 1.3.0)
attribute nut_domain;
@ -61584,12 +61591,13 @@ index 5b2cb0d..ad16c77 100644
-allow nut_upsmon_t self:capability dac_read_search;
-allow nut_upsmon_t self:unix_stream_socket connectto;
+allow nut_upsmon_t self:capability kill;
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
@ -61609,6 +61617,9 @@ index 5b2cb0d..ad16c77 100644
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
+dev_read_rand(nut_upsmon_t)
+dev_read_urand(nut_upsmon_t)
+
+# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
@ -61655,6 +61666,7 @@ index 5b2cb0d..ad16c77 100644
dev_read_sysfs(nut_upsdrvctl_t)
-dev_read_urand(nut_upsdrvctl_t)
+dev_read_usbfs(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
@ -76890,7 +76902,7 @@ index d68e26d..d2c4d2a 100644
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
index 7cb8b1f..9422c90 100644
index 7cb8b1f..bef7217 100644
--- a/puppet.if
+++ b/puppet.if
@@ -1,4 +1,32 @@
@ -76971,7 +76983,7 @@ index 7cb8b1f..9422c90 100644
')
################################################
@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
@@ -78,158 +107,165 @@ interface(`puppet_read_config',`
## </summary>
## </param>
#
@ -77202,8 +77214,9 @@ index 7cb8b1f..9422c90 100644
- files_search_var_lib($1)
- admin_pattern($1, puppet_var_lib_t)
+ files_search_etc($1)
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
+ read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t)
+')
+#####################################
@ -81711,10 +81724,10 @@ index 951db7f..00e699d 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
')
diff --git a/raid.te b/raid.te
index c99753f..c8696d7 100644
index c99753f..c7b77bc 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t;
@@ -15,54 +15,102 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
@ -81822,10 +81835,11 @@ index c99753f..c8696d7 100644
fs_rw_cgroup_files(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
+fs_manage_cgroup_files(mdadm_t)
+fs_read_efivarfs_files(mdadm_t)
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -71,15 +118,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
@@ -71,15 +119,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@ -81852,7 +81866,7 @@ index c99753f..c8696d7 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -90,17 +147,38 @@ optional_policy(`
@@ -90,17 +148,38 @@ optional_policy(`
')
optional_policy(`
@ -93982,10 +93996,10 @@ index 0000000..3e89d71
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000..c9449b4
index 0000000..3dc39bf
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,505 @@
@@ -0,0 +1,506 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@ -94282,6 +94296,7 @@ index 0000000..c9449b4
+#1103622
+corenet_tcp_connect_xserver_port(sandbox_x_domain)
+xserver_stream_connect(sandbox_x_domain)
+userdom_connectto_stream(sandbox_x_domain)
+
+########################################
+#
@ -98580,10 +98595,10 @@ index 0000000..ed76979
+
diff --git a/snapper.te b/snapper.te
new file mode 100644
index 0000000..90903a9
index 0000000..243fc96
--- /dev/null
+++ b/snapper.te
@@ -0,0 +1,75 @@
@@ -0,0 +1,77 @@
+policy_module(snapper, 1.0.0)
+
+########################################
@ -98609,6 +98624,8 @@ index 0000000..90903a9
+# snapperd local policy
+#
+
+allow snapperd_t self:capability dac_override;
+
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
+
@ -110492,7 +110509,7 @@ index facdee8..19b6ffb 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..a9548bd 100644
index f03dcf5..7056171 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,248 @@
@ -112081,7 +112098,7 @@ index f03dcf5..a9548bd 100644
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto };
+
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
@ -112497,24 +112514,30 @@ index f03dcf5..a9548bd 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,9 +1546,8 @@ optional_policy(`
@@ -1192,7 +1546,7 @@ optional_policy(`
########################################
#
-# Bridgehelper local policy
+# virt_bridgehelper local policy
#
-
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1205,7 +1558,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
+allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };
+
manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
kernel_read_network_state(virt_bridgehelper_t)
+kernel_read_system_state(virt_bridgehelper_t)
+
+dev_read_urand(virt_bridgehelper_t)
+dev_read_rand(virt_bridgehelper_t)
+
+dev_read_sysfs(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
-userdom_search_user_home_dirs(virt_bridgehelper_t)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 164%{?dist}
Release: 165%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -664,6 +664,18 @@ exit 0
%endif
%changelog
* Wed Jan 06 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-165
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
- Allow sddm-helper running as xdm_t to create .wayland-errors with correct labeling. BZ(#1291085)
- Revert "Allow arping running as netutils_t sys_module capability for removing tap devices."
- Allow arping running as netutils_t sys_module capability for removing tap devices.
- Add userdom_connectto_stream() interface.
- Allow systemd-logind to read /run/utmp. BZ(#1278662)
* Tue Dec 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-164
- Allow firewalld to create firewalld_var_run_t directory. BZ(1291243)
- Add interface firewalld_read_pid_files()