From aab1932f467c98a163cef4a916400727251f27b1 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 28 Jan 2013 20:11:03 +0100 Subject: [PATCH] - Change ssh_use_pts to use macro and only inherited sshd_devpts_t - Allow confined users to read systemd_logind seat information - libmpg ships badly created libraries - Add support for strongswan.service - Add labeling for strongswan - Allow l2tpd_t to read network manager content in /run directory - Allow rsync to getattr any file in rsync_data_t - Add labeling and filename transition for .grl-podcasts --- policy-rawhide-base.patch | 276 ++++++++++++++++++++++------------- policy-rawhide-contrib.patch | 30 ++-- selinux-policy.spec | 12 +- 3 files changed, 206 insertions(+), 112 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5cb6337f..3ca93a0f 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -26309,7 +26309,7 @@ index 0000000..310ea6d \ No newline at end of file diff --git a/man/man8/condor_collector_selinux.8 b/man/man8/condor_collector_selinux.8 new file mode 100644 -index 0000000..b0807ef +index 0000000..b0807efa --- /dev/null +++ b/man/man8/condor_collector_selinux.8 @@ -0,0 +1,261 @@ @@ -228517,8 +228517,43 @@ index dd3be8d..aab0c5a 100644 + allow daemon direct_run_init:process sigchld; + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') +diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc +index 662e79b..a452892 100644 +--- a/policy/modules/system/ipsec.fc ++++ b/policy/modules/system/ipsec.fc +@@ -1,6 +1,8 @@ + /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) + /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) + ++/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) ++ + /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) + /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +@@ -8,6 +10,8 @@ + /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + ++/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++ + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) + + /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +@@ -26,10 +30,12 @@ + /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/libexec/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + + /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) + /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) ++/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + + /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) + diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..9d66bf7 100644 +index 0d4c8d3..ac0a652 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',` @@ -228553,11 +228588,48 @@ index 0d4c8d3..9d66bf7 100644 ') ######################################## +@@ -369,3 +367,26 @@ interface(`ipsec_run_setkey',` + ipsec_domtrans_setkey($1) + role $2 types setkey_t; + ') ++ ++####################################### ++## ++## Execute strongswan in the ipsec_mgmt domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ipsec_mgmt_systemctl',` ++ gen_require(` ++ type ipsec_mgmt_unit_file_t; ++ type ipsec_mgmt_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 ipsec_mgmt_unit_file_t:file read_file_perms; ++ allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ipsec_mgmt_t) ++') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..ed744d2 100644 +index 9e54bf9..35992c7 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te -@@ -73,13 +73,15 @@ role system_r types setkey_t; +@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) + corecmd_shell_entry_type(ipsec_mgmt_t) + role system_r types ipsec_mgmt_t; + ++type ipsec_mgmt_unit_file_t; ++systemd_unit_file(ipsec_mgmt_unit_file_t) ++ + type ipsec_mgmt_lock_t; + files_lock_file(ipsec_mgmt_lock_t) + +@@ -73,13 +76,15 @@ role system_r types setkey_t; # allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; @@ -228574,7 +228646,7 @@ index 9e54bf9..ed744d2 100644 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -128,20 +130,21 @@ corecmd_exec_shell(ipsec_t) +@@ -128,20 +133,21 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -228603,7 +228675,7 @@ index 9e54bf9..ed744d2 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,6 +160,8 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,6 +163,8 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -228612,7 +228684,7 @@ index 9e54bf9..ed744d2 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -165,11 +170,13 @@ auth_use_nsswitch(ipsec_t) +@@ -165,11 +173,13 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -228627,7 +228699,7 @@ index 9e54bf9..ed744d2 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -187,9 +194,9 @@ optional_policy(` +@@ -187,9 +197,9 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -228640,7 +228712,7 @@ index 9e54bf9..ed744d2 100644 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -246,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +256,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -228657,7 +228729,7 @@ index 9e54bf9..ed744d2 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +275,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -228666,7 +228738,7 @@ index 9e54bf9..ed744d2 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +300,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -228678,7 +228750,7 @@ index 9e54bf9..ed744d2 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +310,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +313,16 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -228700,7 +228772,7 @@ index 9e54bf9..ed744d2 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -370,13 +391,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +394,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -228720,7 +228792,7 @@ index 9e54bf9..ed744d2 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +421,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +424,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -228733,7 +228805,7 @@ index 9e54bf9..ed744d2 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +459,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +462,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -228935,7 +229007,7 @@ index 5dfa44b..938e2ec 100644 optional_policy(` diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..bd25d6e 100644 +index 73bb3c0..e96fdf3 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -229048,11 +229120,12 @@ index 73bb3c0..bd25d6e 100644 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -241,13 +254,10 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -241,13 +254,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -229063,7 +229136,7 @@ index 73bb3c0..bd25d6e 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +279,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +280,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -229094,7 +229167,7 @@ index 73bb3c0..bd25d6e 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +308,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +309,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -237659,7 +237732,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..0bb7b4d 100644 +index 3c5dba7..f2fe86e 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -237675,7 +237748,7 @@ index 3c5dba7..0bb7b4d 100644 corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -44,79 +46,131 @@ template(`userdom_base_user_template',` +@@ -44,79 +46,132 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -237831,6 +237904,7 @@ index 3c5dba7..0bb7b4d 100644 + systemd_read_logind_sessions_files($1_usertype) + systemd_write_inhibit_pipes($1_usertype) + systemd_write_inherited_logind_sessions_pipes($1_usertype) ++ systemd_login_read_pid_files($1_usertype) + + tunable_policy(`deny_execmem',`', ` # Allow loading DSOs that require executable stack. @@ -237859,7 +237933,7 @@ index 3c5dba7..0bb7b4d 100644 ') ####################################### -@@ -150,6 +204,8 @@ interface(`userdom_ro_home_role',` +@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -237868,7 +237942,7 @@ index 3c5dba7..0bb7b4d 100644 ############################## # # Domain access to home dir -@@ -167,27 +223,6 @@ interface(`userdom_ro_home_role',` +@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -237896,7 +237970,7 @@ index 3c5dba7..0bb7b4d 100644 ') ####################################### -@@ -219,8 +254,11 @@ interface(`userdom_ro_home_role',` +@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -237908,7 +237982,7 @@ index 3c5dba7..0bb7b4d 100644 ############################## # # Domain access to home dir -@@ -229,43 +267,47 @@ interface(`userdom_manage_home_role',` +@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -237972,7 +238046,7 @@ index 3c5dba7..0bb7b4d 100644 ') ') -@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',` +@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',` ## ## Manage user temporary files ## @@ -237998,7 +238072,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## Role allowed access. -@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',` +@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -238068,7 +238142,7 @@ index 3c5dba7..0bb7b4d 100644 ') ####################################### -@@ -317,11 +425,31 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,11 +426,31 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -238100,7 +238174,7 @@ index 3c5dba7..0bb7b4d 100644 ## Role access for the user tmpfs type ## that the user has full access. ## -@@ -348,59 +476,60 @@ interface(`userdom_exec_user_tmp_files',` +@@ -348,59 +477,60 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -238191,7 +238265,7 @@ index 3c5dba7..0bb7b4d 100644 ') ####################################### -@@ -431,6 +560,7 @@ template(`userdom_xwindows_client_template',` +@@ -431,6 +561,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -238199,7 +238273,7 @@ index 3c5dba7..0bb7b4d 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -463,8 +593,8 @@ template(`userdom_change_password_template',` +@@ -463,8 +594,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -238210,7 +238284,7 @@ index 3c5dba7..0bb7b4d 100644 ') ') -@@ -491,7 +621,8 @@ template(`userdom_common_user_template',` +@@ -491,7 +622,8 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -238220,7 +238294,7 @@ index 3c5dba7..0bb7b4d 100644 ############################## # -@@ -501,41 +632,51 @@ template(`userdom_common_user_template',` +@@ -501,41 +633,51 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -238295,7 +238369,7 @@ index 3c5dba7..0bb7b4d 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +687,121 @@ template(`userdom_common_user_template',` +@@ -546,93 +688,121 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -238455,7 +238529,7 @@ index 3c5dba7..0bb7b4d 100644 ') optional_policy(` -@@ -646,19 +815,17 @@ template(`userdom_common_user_template',` +@@ -646,19 +816,17 @@ template(`userdom_common_user_template',` # for running depmod as part of the kernel packaging process optional_policy(` @@ -238480,7 +238554,7 @@ index 3c5dba7..0bb7b4d 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +838,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +839,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -238489,7 +238563,7 @@ index 3c5dba7..0bb7b4d 100644 ') optional_policy(` -@@ -680,9 +847,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +848,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -238502,7 +238576,7 @@ index 3c5dba7..0bb7b4d 100644 ') ') -@@ -693,32 +860,36 @@ template(`userdom_common_user_template',` +@@ -693,32 +861,36 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -238550,7 +238624,7 @@ index 3c5dba7..0bb7b4d 100644 ') ') -@@ -743,17 +914,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +915,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -238589,7 +238663,7 @@ index 3c5dba7..0bb7b4d 100644 userdom_change_password_template($1) -@@ -761,82 +948,100 @@ template(`userdom_login_user_template', ` +@@ -761,82 +949,100 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -238726,7 +238800,7 @@ index 3c5dba7..0bb7b4d 100644 ') ') -@@ -868,6 +1073,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1074,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -238739,7 +238813,7 @@ index 3c5dba7..0bb7b4d 100644 ############################## # # Local policy -@@ -908,41 +1119,91 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -908,41 +1120,91 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -238844,7 +238918,7 @@ index 3c5dba7..0bb7b4d 100644 ') optional_policy(` -@@ -951,12 +1212,26 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1213,26 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -238872,7 +238946,7 @@ index 3c5dba7..0bb7b4d 100644 ') ####################################### -@@ -990,27 +1265,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1266,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -238910,7 +238984,7 @@ index 3c5dba7..0bb7b4d 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1302,57 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1303,57 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -238978,7 +239052,7 @@ index 3c5dba7..0bb7b4d 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1361,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1362,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -238989,7 +239063,7 @@ index 3c5dba7..0bb7b4d 100644 ') ') -@@ -1082,7 +1399,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1400,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -238998,7 +239072,7 @@ index 3c5dba7..0bb7b4d 100644 ') ############################## -@@ -1109,6 +1426,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1427,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -239006,7 +239080,7 @@ index 3c5dba7..0bb7b4d 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1435,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1436,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -239016,7 +239090,7 @@ index 3c5dba7..0bb7b4d 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1452,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1453,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -239024,7 +239098,7 @@ index 3c5dba7..0bb7b4d 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1470,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1471,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -239039,7 +239113,7 @@ index 3c5dba7..0bb7b4d 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1488,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1489,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -239082,7 +239156,7 @@ index 3c5dba7..0bb7b4d 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1529,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1530,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -239091,7 +239165,7 @@ index 3c5dba7..0bb7b4d 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1538,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1539,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -239110,7 +239184,7 @@ index 3c5dba7..0bb7b4d 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1594,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1595,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -239119,7 +239193,7 @@ index 3c5dba7..0bb7b4d 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1608,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1609,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -239131,7 +239205,7 @@ index 3c5dba7..0bb7b4d 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,35 +1622,37 @@ template(`userdom_security_admin_template',` +@@ -1277,35 +1623,37 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -239182,7 +239256,7 @@ index 3c5dba7..0bb7b4d 100644 ######################################## ## -@@ -1360,14 +1707,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1708,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -239201,7 +239275,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -1408,6 +1758,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1759,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -239253,7 +239327,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1907,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1908,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -239285,7 +239359,7 @@ index 3c5dba7..0bb7b4d 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1973,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1974,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -239300,7 +239374,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -1573,9 +1996,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +1997,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -239312,7 +239386,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -1632,6 +2057,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2058,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -239355,7 +239429,7 @@ index 3c5dba7..0bb7b4d 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2172,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2173,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -239364,7 +239438,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -1744,10 +2207,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2208,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -239379,7 +239453,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -1772,7 +2237,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2238,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -239388,7 +239462,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -1780,19 +2245,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1780,19 +2246,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -239412,7 +239486,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -1800,31 +2263,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1800,31 +2264,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -239452,7 +239526,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -1848,6 +2311,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2312,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -239478,7 +239552,7 @@ index 3c5dba7..0bb7b4d 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2360,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2361,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -239516,7 +239590,7 @@ index 3c5dba7..0bb7b4d 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2400,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2401,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -239534,7 +239608,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -1941,7 +2448,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2449,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -239561,7 +239635,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -1951,17 +2476,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2477,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -239582,7 +239656,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -1969,12 +2492,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2493,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -239633,7 +239707,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -2010,8 +2569,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2570,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -239643,7 +239717,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -2027,20 +2585,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2586,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -239668,7 +239742,7 @@ index 3c5dba7..0bb7b4d 100644 ######################################## ## -@@ -2123,7 +2675,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2676,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -239677,7 +239751,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -2131,19 +2683,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2684,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -239701,7 +239775,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -2151,12 +2701,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2702,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -239717,7 +239791,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -2393,11 +2943,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2944,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -239732,7 +239806,7 @@ index 3c5dba7..0bb7b4d 100644 files_search_tmp($1) ') -@@ -2417,7 +2967,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2968,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -239741,7 +239815,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -2664,6 +3214,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3215,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -239767,7 +239841,7 @@ index 3c5dba7..0bb7b4d 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3249,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3250,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -239783,7 +239857,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -2707,7 +3277,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3278,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -239792,7 +239866,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -2715,19 +3285,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,19 +3286,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -239815,7 +239889,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -2735,35 +3303,53 @@ interface(`userdom_manage_user_tmpfs_files',` +@@ -2735,35 +3304,53 @@ interface(`userdom_manage_user_tmpfs_files',` ## ## # @@ -239877,7 +239951,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -2817,6 +3403,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3404,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -239902,7 +239976,7 @@ index 3c5dba7..0bb7b4d 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3439,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3440,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -239945,7 +240019,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -2859,14 +3475,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3476,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -239983,7 +240057,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -2885,8 +3520,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3521,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -240013,7 +240087,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -2958,69 +3612,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3613,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -240114,7 +240188,7 @@ index 3c5dba7..0bb7b4d 100644 ## ## ## -@@ -3028,12 +3681,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3682,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -240129,7 +240203,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -3097,7 +3750,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3751,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -240138,7 +240212,7 @@ index 3c5dba7..0bb7b4d 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3766,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3767,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -240172,7 +240246,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -3217,7 +3854,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3855,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -240181,7 +240255,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -3272,7 +3909,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3910,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -240247,7 +240321,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -3290,7 +3984,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +3985,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -240256,7 +240330,7 @@ index 3c5dba7..0bb7b4d 100644 ') ######################################## -@@ -3309,6 +4003,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4004,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -240264,7 +240338,7 @@ index 3c5dba7..0bb7b4d 100644 kernel_search_proc($1) ') -@@ -3385,6 +4080,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4081,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -240307,7 +240381,7 @@ index 3c5dba7..0bb7b4d 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4136,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4137,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -240332,7 +240406,7 @@ index 3c5dba7..0bb7b4d 100644 ## Create keys for all user domains. ## ## -@@ -3439,3 +4188,1365 @@ interface(`userdom_dbus_send_all_users',` +@@ -3439,3 +4189,1365 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 99f1306a..972f2b9e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -31146,10 +31146,10 @@ index 73e2803..562d25b 100644 files_search_pids($1) admin_pattern($1, l2tpd_var_run_t) diff --git a/l2tp.te b/l2tp.te -index 19f2b97..134b150 100644 +index 19f2b97..17f1883 100644 --- a/l2tp.te +++ b/l2tp.te -@@ -75,16 +75,12 @@ corecmd_exec_bin(l2tpd_t) +@@ -75,19 +75,19 @@ corecmd_exec_bin(l2tpd_t) dev_read_urand(l2tpd_t) @@ -31166,6 +31166,13 @@ index 19f2b97..134b150 100644 sysnet_dns_name_resolve(l2tpd_t) optional_policy(` ++ networkmanager_read_pid_files(l2tpd_t) ++') ++ ++optional_policy(` + ppp_domtrans(l2tpd_t) + ppp_signal(l2tpd_t) + ppp_kill(l2tpd_t) diff --git a/ldap.fc b/ldap.fc index bc25c95..dcdbe9b 100644 --- a/ldap.fc @@ -35097,10 +35104,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..4cecf11 100644 +index 6ffaba2..ce28024 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,59 @@ +@@ -1,38 +1,60 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -35129,7 +35136,8 @@ index 6ffaba2..4cecf11 100644 +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -35195,7 +35203,7 @@ index 6ffaba2..4cecf11 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..84438b1 100644 +index 6194b80..60bb004 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -35816,7 +35824,7 @@ index 6194b80..84438b1 100644 ## ## ## -@@ -530,45 +430,46 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +430,47 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -35878,6 +35886,7 @@ index 6194b80..84438b1 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") @@ -67032,7 +67041,7 @@ index f1140ef..6bde558 100644 - rsync_run($1, $2) -') diff --git a/rsync.te b/rsync.te -index e3e7c96..f3932af 100644 +index e3e7c96..ad3e416 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -67136,7 +67145,7 @@ index e3e7c96..f3932af 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +79,22 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +79,23 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; @@ -67158,13 +67167,14 @@ index e3e7c96..f3932af 100644 -allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms; +read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++allow rsync_t rsync_data_t:dir_file_class_set getattr; -allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +108,76 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +109,76 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index e73d261f..6a0ecae3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -524,6 +524,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 28 2013 Miroslav Grepl 3.12.1-8 +- Change ssh_use_pts to use macro and only inherited sshd_devpts_t +- Allow confined users to read systemd_logind seat information +- libmpg ships badly created libraries +- Add support for strongswan.service +- Add labeling for strongswan +- Allow l2tpd_t to read network manager content in /run directory +- Allow rsync to getattr any file in rsync_data_t +- Add labeling and filename transition for .grl-podcasts + * Fri Jan 25 2013 Miroslav Grepl 3.12.1-7 - mount.glusterfs executes glusterfsd binary - Allow systemd_hostnamed_t to stream connect to systemd