From b7314cadde59ccf76422d8b5ce42c6205ac51876 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 23 Aug 2017 16:49:48 +0200 Subject: [PATCH] * Wed Aug 23 2017 Lukas Vrabec - 3.13.1-274 - Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain - Allow nscd_t domain to search network sysctls - Allow iscsid_t domain to read mount pid files - Allow ksmtuned_t domain manage sysfs_t files/dirs - Allow keepalived_t domain domtrans into iptables_t - Allow rshd_t domain reads net sysctls - Allow systemd to create syslog netlink audit socket - Allow ifconfig_t domain unmount fs_t - Label /dev/gpiochip* devices as gpio_device_t --- container-selinux.tgz | Bin 6905 -> 6902 bytes policy-rawhide-base.patch | 274 +++++++++++++++++++++-------------- policy-rawhide-contrib.patch | 55 ++++--- selinux-policy.spec | 13 +- 4 files changed, 214 insertions(+), 128 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index b205649697fa72d60fd886f9c0f3af602092ecea..398c449e6b0ac9dc9abe1b64f68ccf6c7df97455 100644 GIT binary patch delta 6610 zcmV;@87=1dHTE@sABzY86_uS?00Zq^ZExf@lFnE6uMlPej2(>au_ws_o5<0iZD<9_=-`z`qQ9)766+JlyxE6!@{*)Z74nxm zBlnPcmNqSpZJW?Jkl~R}myL60#qDf=1pf{nboZZW*5i`gR7sR>Q|KVpk!Y?Y1C>W* z#%w?!|B?36GwQ+P28u?ItkBCd{*H$w3dk zsNVDLIVL~ZZyvqFISh~dd&Y&aY_Gf|ncQWWD|M_Jf3mZIq0u&hnOi;Jg} zhyQ;SloiT9%>MYQtq-;)BB@q?>?TQzoma8uDI(T$ZwIe&g1Ee~$|U&u8vc6^|9!jc zUgYQh{ON_Pvt+SXX*|tFst<)l;Q&-KVe>~o#)pf$IGUusTjU61AwRdp$Mo2=NglP? zR9~I`?ogyHiNEV8h8^=wg(!&iR*K|xl9jkI1xckap6E@$e*`n{)@{juz$;KJ_c7Ll z;TU``N=-iCuRx9r>3tdD;uQ+`0>=Lo+@H`zNz*ti;^4kcO`FL)$zkRC{FC|~WR%bH z_8NLZ(m+4t0mBxupCCnh}RZDg+zC=OcZ-ab)1>uKi&kS9ZG1OuiA>$8ojdacsw)!f<#(yP6J4Mv^Gc3s= za$=Yy_HLoZ^5ZqHCH8`UHz>=$g+lsE@SQ$EvU2BORn|fa#lFlFeGKqLkuSR9pwO~3 zBFWp}m3(&re6P-CA0j53-h zS*->Q$AICt1ACcX5tJ4F&V+ooij1cGf;PpIQwQ14X!0}%(98@*JRd4+OiMwgVt(0 z^_6);sBwM}UiP4Od^p4Ubq>70{rqEBhvp@ZzAEw_fk=ygb{YKg^~s|yqDS5Co#Czp>~!;so$)y{XFS~iBINA}Ht97;BWTiH5oT<{1|M&x zIb@(PTAj>)grZ{ZlMNSwa(rQ(6Jz|`BdPJDlsy1gXCSw*<|Y5mi=8*$;3OR9R>sM= zcTV`(P%R9cY{KEcuF5Qp9%+ONry%zNhA;zK5o~a#ydQBIzFFGYyABWSo(FmkJiheu zg$2Y?eW!%26GKm1C`~>x99=;gJU%W)$J|lJhAKaQlU^56@a~SIqLUSbW6xO)#x|4l z%e8r^_0!Gn;Vh`K1E^SUW5~-0)-iqGO`kA^-qa7O$icWN4@KP2gu&C)Wpo)k5SH*q zg!Ok-oOK4Fws1%V%h&N{C#-^D@o0eOYX*}An4GYn)sIyP&1IHq+AMo7X5p(VU3KSP zt8kfrevFPC;&mml-cYK=oNoOX?hZ^mmSOBePGfkiQXTEJ1IZXasnx{~$rw)9A?dFr zk{e1!`52M#t)oiAPzc3p9C%6fSO$yO`>_C;(B(@%QS3Nkkbybc#f0@)3H5QT^q#t6R5Wy-Qj_lV{Bu^u~@mqqUb&gJT~ZGf-G89^(>! 
z#e+oFHSZIAMXST-zDWHq`XhVvqD`Kw4EO#2@4tWd-TT4)|LZUJ|3AqO^R%qf+tmO4AoC%#(Rng1Ri*@^-4Jym}q{lmJdmi3MQIS&=G>lP2OJHWd%9 zNiakOsuSGr6VQXT8cq_Dc`W?Im{re@5miq=l%Dgz?_FIUs^FBnrOvpP_NWCn${0Xb58F-#nwy5W z(2!LDI?!o&_o;<3P7!%=nB<_InbJNrl;pbL%vF7J*!;Ez!!6pQO7E1u2~IM9p*r{E zkPZz~_3X8Ct!*pSkWd#fZa0_~8&0i@nr*`SB4*D9y`nk|hxA_k;&jWMDeY1m6#Y1n z)85dvt~_|R2nEkh?A7Ns0x^h@a-l!@~Q z`S8?;FoYK|ntkjp#FK?t{+iI5w+8bbw<523L^v)0@iEH~?DgIS=K<~-nDqDQZVxLj zZNU2_XKdfUSi!iBQOlfc33V0?=#MZ9m^}usn2*e~@Ha`e{Sbv!xJk3LeGHz0XkXqJ z!EFi#&=&rMH!Pc^P2(Vczb(o*z^VM*g;=wzf>P@+LFO3lv} zF?L!xXk>?%-ptCiQBU5y+0k(+{PyI)AbJ*ntp?JMG3`61y)P4g)aiG@h5zpz%(hN6e{mA zqo{F5wD<^CP&w%meFo|)ON-m}Ex(|6NbWE^;E0+DMCgb(4R;!pcsmQyRV%rK;s78G z4V%QIPNOv_aHE+}btYMG;7()#`A=n`kqN`OPNF*&)P>vZ@tV!yp{jY(OMy+Gmm7XJ z%Szi~XRRcRT;BDT@nu`O4LRC!@=5=mYpTjHY-U z{5g(UOkp10CcS{4eG=UUfA?j5djVwsQC7+JkY$hPa0dzGO`Qn`&0fYmUqu&^gRz%raME#<_#V19S4=@W5OeZ}Mz+VfyqiC!T2d_>N*( zm1Qg?^R?S&!S3$he?BMt_44?pd*jbjgmUNm`3k^m+N;+cO;=JcSI2TT*H~)0ITPO# zbF$L&#GS18JaMNxqdb8pYr!#GA5GXx-92#=Xv!GjU*!c2*s)w^b4RZi=2Ron6L{V* z^8lVT%v`wrxB~BCz#&b;K(?I*gwHS@W_i-a?!DAA{30!ke{YPD(jR~1(FXjeq91f% zY)co3K#Ukok6YswBkIli`4)tpWIWoNg;`P1x0zg}E|M1A6Takh)AX^4+RRcFL41$M zUZfzlCfX;lU*UM(Z4p8jDZQq6_%LeIJD5+grF>2wGXIZ>`mhmiip)qchNrU zaXIOyR&GX>e|CHrj#f#JM(qOpL|ES&=Uib_vybuxI}b1D975<|+L)t9&iYi%KFKl< zIzPwK5vPW|^E|Tu`H3mziNHu0M@O%^R3SLwsnvP2vrzYl!A8Q9 zE1L!ZjU8t)s-&eiN&(Yq#(O5JJFks1B{R#N*`a*s-&@#D_Lz{BjHBPqSA#0hR z<-sNrm4gjG8}ws?OH9oDH*1#T&oXH^F_}W?)`@FK8q+lU?n1AT>y4SQu5zn$^NhV_ zqS-ho>;RThw=nt3tQqMW3v*gA3vnJde(m*+sYS2wCW>!{@tQqE>?$nY-trGs{>KwV ze;6}c!6Uv{4XOm*JdD=pKCRO@p+8tuvlkA<(iF{{DqJhP_A2;>JwFAowot6K{DmV1 ze^u67u-=pD8Au&wnN-J_x)xq?0(kYb4AUEPHcKbc}H z16;9~yKZ_=@{=PtHHbutx{=PY_!+x{f3#_=!-F{ABN_FA7Ps1aOXj#wW5*mMcWDJ` zx!9H?4v^muNz<;$rqeH&8t8d@);Y`)FlO8?7(wiIuo#Ga{5$k{J1^wt@-P7@8;%~d zY9Ep@F1%F4>&e$?WWOyk7boag$zR~*(VuHMwj`$TE)qof4T>; zc%l>{5F8%1+uU40N!<>Mt!1`Il7k0Lc1LS&TbGWi;U^KWR!)knEGsW4zap`6U{cgh z7l4pi+N3c>V~uXn`Bvo!hS44RfWv1GK46k(a+A2^iQAaJf$@wNz;zc=`_L8eAH~t7 
zX0N>ox8Gh{e{-I(eZ1P^2XH`xzSobu#Kl5 zF*#Wl@x#!PwLidg%r*{4PhSk7rA67M+ef#{CN1^}YUEf6Q5tEHtmX1~<4h0&JQAnL&KX5|}40h_>e?}4du7QX4 z?K<6KW}Yh=F!K7c%@xqG)a_dSB|i1!V1yA*;; zT6Xxrd5G0&ZaBtl`Q^4Qg#l3YQVs*I6xtAsY=a>X;0NN2%a3Y|)R)GfP2 z-KkP|;;4g0=xCru$-;b`f8Jn?!>uPy){40vxZj+0BO-3b~%!vgrw#9de&(OoKF*b|&V|e=xl_1fR02DeU;| zMk}))RAmBGa{tf?eye;xN^gO52>UeGkc83BwrzS58LUs4DPm{BEmp@R)^fJVGjmy7 zxM4-d8`MG0Ls&s6LT=papry23)tNHzZ>xjB!cNOP5BH%JpT5UssV_@|Bn$%=5wkeD zV=uH+EX$fR$-JKxe`2D~L9}UMbDyz9il&mcX`S4|jEP4Z`o=0$+|JMP{vYH%-*%v3 zV=N*(k}2@y)tWcuZ1q|t?5=1{DvGAU=;;z8a~$2U8RcO$nkdCo94lK+S=Yi$)FQso zmtL5BJq8+t7OvNnJT!ZVI6(L5fOSv1n0>|~@0rZiJfh7df2)j*;>{FlO{unRs1O6_ zl@O1jI6dZ0#`C;Hau z=-GnFFzQN+y7Yy@ESiz*KxOMk8ifu^P%q3kMrm@MB+OH6%#cJm`Hr~@>q_)D_=<&b zwhW4q$%m)%e=CvU9KkWd>C;KwsiO7V(2yV5Jn8*P?E4@iS7}F@Zh=z*7-TB7 z8#OzO)vgeq=NP%qG5(Da*SpcH9SgxbFJmlJhU;F&u|>GAX!xLyU(>LB>}5plAN%ze za@S9}D>O}Tem4Q+Sl8}q7#v@c)D@d4iIjjlkv_%<<`;A*$;ac-BUYNTUa*v$YO(AITO82#Bxp&Wq-?i|%lQieXg=>GY7|>{r$YCSIy${oZ!Hd!t43>z~yvCSWu7iI5 zz~H7orPBI$!;}(EqMpZ}{QTO{l_VUoHG0ozf1>Cc{Z@}5HiiZBqvN7v2cuffXy&!! 
z5wJ3OAwQe#xkLq}aS-#cS9bkJIyLl&2}fXqBd)_0&!MR&>s5%>a4U&5s2{RB%;IRs z`YR+c>MBPcU-#)yz5JnZBk6Bk)FK#Cp*CH*GDSUd6Px_K4Q%vpnddjjP0@M75@RLy zfAWS8U>T$=nvv>)H%x7lC#qFruWEGv4(3=p9?8}ABf|`#Y^~pAMm}v^mp166+V=)n z>whn(_0JR8PRI}0PPolvs_h7!^Rig$pa0P`RcB_1JuW@%FvaqeLXE+|lfrH1=ZT$> zANJV1u*>CxT`K%}sJ=v=ZdHwmeBG40I2%j_9sqt|zbcFmx99A}Bb+^^#O8Uvl>kYZ z&|68)>B=$D+X0B9wBeHDkyXMIX(%q8MqLn}Sd&^9Cjo|&f*2+Q^EUXkldKpxe{Y64 z6KKaIZ;i1%lVT(Hzroqjefh%P|H~iQ^B3D^`?j6?`+ryOzPN)VrD2H^zEZ#**3Cm4_4w`RG`R{ouOZn^^M^9RzR8K*VKs`|{f(1~Qtk%C^qE>HE5nyD3lvE9(UwrcmenG%r zi0oSg>Kt3R@Tr77*}GQb#lG<6)g@OawZiG#oc@%jkJ4zrWvGQ(8qm#{7Kbm~kp zHe3PaS)7&>s~!Cq5leVnf0dSzEh1fV7eF$#zs%i#loEDoDvtRK3QHiH_14j9%M8D$ z_OchTj1m+03+plgySPfzfREQ~U>eP|Q@YS5Sx*F$1aqdc0gqMgmy0TmCz)g;aOmm< zyk;4^bAHQa84>c;i`lu&RM0`>nWD!4Sh3kAXaM?jmI}0+ha)t}80U7%eEIqE^X2Eu Q&nNi#C;k04%K*p#0QmVB;{X5v delta 6612 zcmV;_87t=YHTgAvABzY8YbTsp00Zq^>yO+vlF!%aze2DBcqZ^XJdPc}likB2IpFTY z0m1G9_u+EaQA_G>W%P=qp2r#9zx}F;4^b3JQEH7nd+-3sc%-Ty$s$=S7K^2*EZQ(F zlKLXue)B{>SMc-x{rC9$%@6Oc)Zg&)_Wj#8Z@zi+_RaTyKU`hEefRGAo2xf(udm*J z6I?x2h18!z(}r~re3RYP;U{&J2Su1Ce|o{FUi^7b!q4;~2(zrbPvW30gSHNfCdEdXKraau{=G_zHmSE^ zl$`!1YqPEoMVscy8pW2m z)wUsuS7)o$NmSNJl*j8P3F~OT-lWCpw{Ol?C!#`=d;wDndu_%*h^LsVAf#uL+5uF5 zPa{Y^&Y)U8g1ifBB<%!Ao|~v? 
zj($!-TXcrxTS8s*#Z6uN#RW~u0b5AbnI&%P7(F3y_S&pEB-Uq;d9x4eu;D=`yvc2-0j597ATw>;TjbnlOd{TXGX0M{Ne5E^oU1d2W z|D>AcC$J81i@fBpO6hgSBeLA5?LG*B@X&&U+cXNO^_}klmUg5Il{LSr z(>p8&DL-R}YRJ46YpjIlyXZ}2NMb!DiKL(N>Pk=9c5wDSc;-|!?HFBFD{-^ z9{&GDP*y1aF#FSswm#UJh@@J7v700t|W7*xE-@k2n|lLKQPa z6K$N_RV~@Q_!0$$zYX$#6@(w6Ju`Gs#!!o8gp5DTHPSgl*y^hY8~>FQ?G#bt&#)wi z$cbT+*t>-q%a7N*me>pa-JmT077FPv!FT!u$;zFBRapxy6#Fty^fAB}MZV~YgF?&F zh$OFr7xLW&@Vz*jjT4vA?R=01xYvUk;nO*2VCt(l=TVkI_s&OuVr^TXCbMM2Fv@72 zWVISJ90P{m4(w$bhBg!$q5>g%hd5l6 z{|!#-ZuD={-9=K|Es44>o3>dRkoIc}V%AAhW_K4Tfkj|hPc>i&Y|4jZndUQ0G-?-w zD`EeTg^$Z4UM~oL8MbAf3LOB3OAV{`I*jwQU~3T`dfKKBTdV}qg?s^MN4kE>q7eQK zX>?%YgD?O?{~>5vFiCP+Uy}BV+s~{vXm4PxXGf74H@KF_G0P^pUz1rIY0Eyy4_d43 z)K}&Wp~m?^c-e#A@!<^X*E#V1_RCLQ9h&Dn`l`r#1R^be+GX&|*Du2!)0S%ubtMCZ zwY<@`@C5z=B_!&@=mK7?wmh*9But~2$8bOopiZEjnHu!Wi z%^?GY(duM>CKMHOpKQ1gl;aEQoEYQh9!ZTKrR)K~Is>_dH81&hUhKU21}EV-w=zz~ zy>r6PhH7EpWD^embya3*^hhIII0d;EFoYSN_QDofvxBLTU1m;phs|;PG)WI_8c#HdOh4iS)XVf_HZu6`iag9DB}cFt(YT zpRdhBt)Fgo4`)G@9YDo;8$(`3u#V~bZu*2V^rn7LMGnSIc_`wBCJdgYE~CrXfv|)> zBCNlw;;b_WwS_|}SiX)oJ7E8d;T zT7}Dh^ka1F5U(qV^@dU{=5*`FaCczhu?%A$avH;9mFj4(9Z1IbNv$q^NXBr&4oQD4 zk=#%+%EyR=Zyi+{hC(P-s`_cnmlXPpf`5h8LhpH8XWuRn1RA#@feqX zC>|uTu6du}D_R}C^hN4_(jVEQ7j5!XWw`JEzkh%A?(N|I|Ml1V|DWZDd0N(a8G~Xw zm80QxaD8$8=HlvXrRfV6=E=M(L0y(@c{|lqUcC%{P5`H-!~(G9tVor`NfYr9n~De5 zBp9Ls)d}wR3FyIE4JQf7JQjXp^5$lLS@8FtehI3wZe~p4_+sD%(%Mgr5Z1k~Y6e1HsUP70Vd*yV%Xb?1itf~X?(zBZt z`k{-YrN2*g7FR7Bc>x9@HV&G)cP!NL=vN7<@(PpFZ7; z)dH*-abRC38Q8}e9@vjCi9PZ^pwQ@0!_aBRdHM$D2=z9`u%vM^bTZN`DA6DorRHag z7(1;TG_u1>Z)WA%s3&jU?C7`@etU9Y5IqaPRs-qBnD!mh-j@k~>hy=;!hd_RnF2m| z(dt7_v^J_1Ksm$%lqu}pguD(mWD7Khrb>#~#i{E`wJGQ#qRHwtj+qh)V49Rs3YGVm zQPj92T6_d6sGM|(J_GfYrN!;~mS0djBzG7da74`nB6LKYhC2;PyqyKcVaIc+KYUP}Mx?rNAc8%MHJq zWu)1t5Ji5)atHWJVwPlWGi2f0)-~wnI0? z&CO}99ZmBQc(qlaeZ;m>lz#9@-nE(6*q!0Q+@?CQCQmIJp7|=0ADALI8SMSZPty^? 
z2Qh_NmIGL~TEH|bzE5lm-4AdZsirafme*as?soorQx+HS@`bAbAB`@%p%38GFq-0J z@RvAdF@w}p21v#{a^wB&hQ-WK4rgv z@Wzv&^LGdjNGB391&j_6&4j>kJB^Ly{X+kO&5oEceS7XY>x+5Qe|aMI^!`na|oe>X=9EaIqOq3`y|Ue z==>Z@N1Ph=&hrFYx}Cu^vn(xGXyK#1ecM)^MF^It%=0Qs9@aD_$9a3Fo4yh>GWnhH z&OS+Niq)*Z1&NgyN=Jy$?yoWHFeor_`yS4WjcHuoTcCMH zTXA2_e@sP0`2JvN5ho}sH@{6C(R;Ct7`%SFEuHC{DKnMZDp*pnM5|bC@ z{yq-d&@qq5_7;=QUV)dvklN96j=ccml}V5lfA8~(=?nSUK+EJx4sFV9*ErdRhpc6O zmIs?iR1P-$Y|xJlE-^9p->g}VKg*=y#AFJkTPLm|X-w1Xy9>QWu2*Kpy2`E2%`^6z ziDu)Vumf01-NNKAvu31kEX--eEW~--__fzNrWU=zn<%~+#%uNvv8%9nd&@sm`5zxC zf5MpA3Lf#rYEUKc=3%r(_i3HR3H`yMn!Ru+mZoUtRN-3TwO7G6?D=B=YYW9%%U?KR z@OQOK<3MaK2Pv<7;|xIs$oRs5?P`ZXi{4R-58GOg(LE{(k}K%r0V#$!-ql?Q@kdi^ zWq>OdbJtA|O8)2wP7NZFqHd&fEPlrBe;{od>+m4X_ee&)pvA5B-jX@))7UWw$z583 zS}wNbhy&!0L(;Tsvgz~-rUrW6o^=kh1dJKC3q}yT9V`Z7AO8-0-p&j8sXR7*mB5K!3-kGyfUMQ*g#4{YP< zM@&wZMf@Gsj>vPp}5f*LtiLX<{YBx||68)`(J_kLxs zx4-OI`c|fvCo(P2>V3bhIi$j41WE4^-*bm&$0)w4;f45PDzH8v2 zeY;Ngn3?B_28_JEY;y&4EOonmE1pcg5N6NkJ4Kp9l}1%H6&rQvu&GRL*xY9f5|Fiqj)ogT2rcR8!E&A zdL_i8C{B<0Wl~BKYtd+SkG`S8hIBRTZ1ki@++FW;kC4M=4e~v8Rs%_6Br|{I<|BRU zbo6Y&WEgd&MP2$rVHV9ucA&ELBaK3bC8!tX8>2KiPZH)SHfBhooP5XJg>@zR8+^sW zI9mqA$mGLQfBBWjaE{;@;q>XG?o`owZfMAlY@YOfCGv4<2#|--s)ifm$kmo`UWDo3xq zXJe{de5tEb-Zs4^>ZvP9N8I|XblPfyGxmLukt}CCf0gEpgj*`-#Pm|q47b230Sq#g z+KrkW#%foH&vT62=NSLSi0j?x)sBVWotH5dD#LXz_Xp(fM!fSPH_cHj2 zPPJI}ge?wedy;i_qhFrT z5`3~W`UGf5o7}r+#P3>o-AS5r(;@*d8!Qe&d3kFNXXff*c!cOe>73_jee`g5F5jS`O$GvvV&1AXEgKL z@d#L%ypW&G_FSTZ(m05D*ekpKBb^$0#DpWT!4cQtis#VOll3Y@Yq*uf8q^Qj9cFPf zWc?MA7#$N}@;}OmtQ)2Tx-%5a_ zOz5p7=XB+m=~VUTppVGGD|nOW?wR#%Zu+$ z&dW`pzPN&&|pz_cz;U)W)IOh!Y$c$z`R_ritsL4rh}b@4Y;9|6=8)go8`b;)Y|D<*371{DEDCP+!uAo|63zv34J z{DsKAMKBI5a=-c``&XLMzAgidkw;U5eVPoS^_vRQ8(t+veY zi)t@>5z8nsfxoaW6R?Y`G!6K8%?75?Ogp6uZIbmwFi9|HDjV=v<$k@W(s+_dHUfvP zUchUX!8_--Y?curU%i-}+e`%=M4l;n41g7zZGr}%PiLt>yLmW5lNo$zr_9%%uRmXZ SzW#iMpZ^1--UkN&$N&HmDfra@ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index eb3682f9..f2267638 100644 
--- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6673,7 +6673,7 @@ index 3f6e16889..abd046c56 100644 +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl +') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c05491..3ad1127cc 100644 +index b31c05491..3b3faeeae 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6697,8 +6697,11 @@ index b31c05491..3ad1127cc 100644 /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -44,6 +47,12 @@ +@@ -42,8 +45,15 @@ + /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) ++/dev/gpiochip[0-9]+ -c gen_context(system_u:object_r:gpio_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) /dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh) @@ -6710,7 +6713,7 @@ index b31c05491..3ad1127cc 100644 /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -61,8 +70,10 @@ +@@ -61,8 +71,10 @@ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) 
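Review bot: The new `++/dev/gpiochip[0-9]+ -c gen_context(system_u:object_r:gpio_device_t,s0)` line in the `@@ -6697,8 +6697,11 @@` hunk is inserted after `/dev/hwrng` and before `/dev/i915`, while every surrounding devices.fc entry in this hunk (hpet, hw_random, hwrng, i915, inportbm, ipmi) is in alphabetical order. Moving the entry up so it precedes `/dev/hpet` keeps the file consistent with that ordering and reduces conflicts the next time this distribution patch is rebased. The label itself matches the `gpio_device_t` type this patch declares in devices.te; the remaining hunks on this line only renumber inner hunk headers.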
@@ -6722,7 +6725,7 @@ index b31c05491..3ad1127cc 100644 /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) -@@ -72,7 +83,9 @@ +@@ -72,7 +84,9 @@ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) @@ -6732,7 +6735,7 @@ index b31c05491..3ad1127cc 100644 /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -@@ -80,7 +93,10 @@ +@@ -80,7 +94,10 @@ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -6743,7 +6746,7 @@ index b31c05491..3ad1127cc 100644 /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -90,9 +106,11 @@ +@@ -90,9 +107,11 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) @@ -6755,7 +6758,7 @@ index b31c05491..3ad1127cc 100644 /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/random -c gen_context(system_u:object_r:random_device_t,s0) /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -106,6 +124,7 @@ +@@ -106,6 +125,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) 
@@ -6763,7 +6766,7 @@ index b31c05491..3ad1127cc 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +137,12 @@ +@@ -118,6 +138,12 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6776,7 +6779,7 @@ index b31c05491..3ad1127cc 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +154,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +155,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6791,7 +6794,7 @@ index b31c05491..3ad1127cc 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -169,18 +196,26 @@ ifdef(`distro_suse', ` +@@ -169,18 +197,26 @@ ifdef(`distro_suse', ` /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -6818,7 +6821,7 @@ index b31c05491..3ad1127cc 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +233,27 @@ ifdef(`distro_debian',` +@@ -198,12 +234,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6849,7 +6852,7 @@ index b31c05491..3ad1127cc 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285ea6..917fc3cc5 100644 +index 76f285ea6..ac044aea2 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8924,7 +8927,7 @@ index 76f285ea6..917fc3cc5 100644 ') ######################################## -@@ -4851,3 +6037,1042 @@ interface(`dev_unconfined',` +@@ -4851,3 +6037,1064 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -9059,6 +9062,24 @@ index 76f285ea6..917fc3cc5 100644 + +######################################## +## ++## Allow read/write the gpiochip device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_gpio',` ++ gen_require(` ++ type device_t, gpio_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, gpio_device_t) ++') ++ ++######################################## ++## +## Allow read/write the hypervvssd device +## +## @@ -9197,6 +9218,7 @@ index 76f285ea6..917fc3cc5 100644 + type hypervkvp_device_t; + type hypervvssd_device_t; + type gpfs_device_t; ++ type gpio_device_t; +') + + dev_filetrans_printer_named_dev($1) @@ -9900,6 +9922,9 @@ index 76f285ea6..917fc3cc5 100644 + filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp") + filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss") + filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0") ++ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0") ++ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1") ++ filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2") + dev_filetrans_xserver_named_dev($1) +') + @@ -9968,7 +9993,7 @@ index 76f285ea6..917fc3cc5 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') 
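Review bot: The summary of the new `dev_read_gpio` interface in the `@@ -9059,6 +9062,24 @@` hunk says "Allow read/write the gpiochip device", but its only rule is `read_chr_files_pattern($1, device_t, gpio_device_t)`, so the documentation promises write access that the interface does not grant. Change the summary to `## Read the gpiochip device.` so that a policy author who needs to drive GPIO lines does not pick this interface and then chase AVC denials for write; if writers are expected, that would be a separate rw interface, none of which is visible in this patch. The `<summary>`/`<param>` markup appears to have been stripped in this rendering, so confirm the tags survive in the actual patch file.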
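Review bot: The three `filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochipN")` lines added to `dev_filetrans_all_named_dev` in the `@@ -9900,6 +9922,9 @@` hunk only cover gpiochip0 through gpiochip2, whereas the devices.fc entry added earlier in this patch labels `/dev/gpiochip[0-9]+`. A node for a fourth chip created by a domain that relies on this interface would be left as `device_t` until something relabels it, so either extend the list or record the limit with a comment such as `# named transitions cover gpiochip0-2 only; higher chips depend on the devices.fc relabel`. How many chips appear is hardware-dependent, so the right cutoff is a judgement call; the enclosing interface body begins and ends outside this hunk.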
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a8715a..db382e7c2 100644 +index 0b1a8715a..5c45b9323 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -10015,7 +10040,7 @@ index 0b1a8715a..db382e7c2 100644 type event_device_t; dev_node(event_device_t) -@@ -88,12 +92,39 @@ type framebuf_device_t; +@@ -88,12 +92,45 @@ type framebuf_device_t; dev_node(framebuf_device_t) # @@ -10033,6 +10058,12 @@ index 0b1a8715a..db382e7c2 100644 +type gpfs_device_t; +dev_node(gpfs_device_t) + ++# ++# Type for /dev/gpiochip* ++# ++type gpio_device_t; ++dev_node(gpio_device_t) ++ +# # Type for /dev/ipmi/0 # @@ -10055,7 +10086,7 @@ index 0b1a8715a..db382e7c2 100644 # Type for /dev/kmsg # type kmsg_device_t; -@@ -111,6 +142,7 @@ dev_node(ksm_device_t) +@@ -111,6 +148,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -10063,7 +10094,7 @@ index 0b1a8715a..db382e7c2 100644 # # Type for /dev/lirc -@@ -118,6 +150,9 @@ dev_node(kvm_device_t) +@@ -118,6 +156,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) @@ -10073,7 +10104,7 @@ index 0b1a8715a..db382e7c2 100644 type loop_control_device_t; dev_node(loop_control_device_t) -@@ -150,16 +185,29 @@ type modem_device_t; +@@ -150,16 +191,29 @@ type modem_device_t; dev_node(modem_device_t) # @@ -10103,7 +10134,7 @@ index 0b1a8715a..db382e7c2 100644 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) # -@@ -183,6 +231,12 @@ type nvram_device_t; +@@ -183,6 +237,12 @@ type nvram_device_t; dev_node(nvram_device_t) # @@ -10116,7 +10147,7 @@ index 0b1a8715a..db382e7c2 100644 # Type for /dev/pmu # type power_device_t; -@@ -227,6 +281,10 @@ files_mountpoint(sysfs_t) +@@ -227,6 +287,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) 
@@ -10127,7 +10158,7 @@ index 0b1a8715a..db382e7c2 100644 # # Type for /dev/tpm # -@@ -266,6 +324,15 @@ dev_node(usbmon_device_t) +@@ -266,6 +330,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) @@ -10143,7 +10174,7 @@ index 0b1a8715a..db382e7c2 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +341,7 @@ dev_node(v4l_device_t) +@@ -274,6 +347,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -10151,7 +10182,7 @@ index 0b1a8715a..db382e7c2 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +387,8 @@ files_associate_tmp(device_node) +@@ -319,5 +393,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -36483,7 +36514,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..c9e91f8e1 100644 +index 17eda2480..a980b4d3f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36693,7 +36724,7 @@ index 17eda2480..c9e91f8e1 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,45 +241,102 @@ domain_signal_all_domains(init_t) +@@ -139,45 +241,103 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -36780,6 +36811,7 @@ index 17eda2480..c9e91f8e1 100644 logging_rw_generic_logs(init_t) +logging_relabel_devlog_dev(init_t) +logging_manage_audit_config(init_t) ++logging_create_syslog_netlink_audit_socket(init_t) seutil_read_config(init_t) +seutil_read_default_contexts(init_t) @@ -36803,7 +36835,7 @@ index 17eda2480..c9e91f8e1 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +345,283 @@ ifdef(`distro_gentoo',` +@@ -186,29 +346,283 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -37096,7 +37128,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -216,7 +629,30 @@ optional_policy(` +@@ -216,7 +630,30 @@ optional_policy(` ') optional_policy(` @@ -37128,7 +37160,7 @@ index 17eda2480..c9e91f8e1 100644 ') ######################################## -@@ -225,9 +661,9 @@ optional_policy(` +@@ -225,9 +662,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37140,7 +37172,7 @@ index 17eda2480..c9e91f8e1 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +694,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +695,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37157,7 +37189,7 @@ index 17eda2480..c9e91f8e1 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +719,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +720,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37200,7 +37232,7 @@ index 17eda2480..c9e91f8e1 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +756,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +757,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37212,7 +37244,7 @@ index 17eda2480..c9e91f8e1 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +768,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +769,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -37223,7 +37255,7 @@ index 17eda2480..c9e91f8e1 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +779,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +780,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37233,7 +37265,7 @@ index 17eda2480..c9e91f8e1 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +788,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +789,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37241,7 +37273,7 @@ index 17eda2480..c9e91f8e1 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +795,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +796,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37249,7 +37281,7 @@ index 17eda2480..c9e91f8e1 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +803,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +804,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37267,7 +37299,7 @@ index 17eda2480..c9e91f8e1 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +821,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +822,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -37281,7 +37313,7 @@ index 17eda2480..c9e91f8e1 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +836,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +837,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37295,7 +37327,7 @@ index 17eda2480..c9e91f8e1 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +849,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +850,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37306,7 +37338,7 @@ index 17eda2480..c9e91f8e1 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +862,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +863,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37314,7 +37346,7 @@ index 17eda2480..c9e91f8e1 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +881,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +882,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37338,7 +37370,7 @@ index 17eda2480..c9e91f8e1 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +914,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +915,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37346,7 +37378,7 @@ index 17eda2480..c9e91f8e1 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +948,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +949,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -37357,7 +37389,7 @@ index 17eda2480..c9e91f8e1 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +972,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +973,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37366,7 +37398,7 @@ index 17eda2480..c9e91f8e1 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +987,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +988,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37374,7 +37406,7 @@ index 17eda2480..c9e91f8e1 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1008,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1009,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37382,7 +37414,7 @@ index 17eda2480..c9e91f8e1 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1018,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1019,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37427,7 +37459,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -559,14 +1063,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1064,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37459,7 +37491,7 @@ index 17eda2480..c9e91f8e1 100644 ') ') -@@ -577,6 +1098,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1099,39 @@ ifdef(`distro_suse',` ') ') @@ -37499,7 +37531,7 @@ index 17eda2480..c9e91f8e1 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1143,8 @@ optional_policy(` +@@ -589,6 +1144,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -37508,7 +37540,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -610,6 +1166,7 @@ optional_policy(` +@@ -610,6 +1167,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37516,7 +37548,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -626,6 +1183,17 @@ optional_policy(` +@@ -626,6 +1184,17 @@ optional_policy(` ') optional_policy(` @@ -37534,7 +37566,7 @@ index 17eda2480..c9e91f8e1 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1210,13 @@ optional_policy(` +@@ -642,9 +1211,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37548,7 +37580,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -657,15 +1229,11 @@ optional_policy(` +@@ -657,15 +1230,11 @@ optional_policy(` ') optional_policy(` @@ -37566,7 +37598,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -686,6 +1254,15 @@ optional_policy(` +@@ -686,6 +1255,15 @@ optional_policy(` ') optional_policy(` @@ -37582,7 +37614,7 @@ index 17eda2480..c9e91f8e1 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1303,7 @@ optional_policy(` +@@ -726,6 +1304,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37590,7 +37622,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -743,7 +1321,13 @@ optional_policy(` +@@ -743,7 +1322,13 @@ optional_policy(` ') optional_policy(` @@ -37605,7 +37637,7 @@ index 17eda2480..c9e91f8e1 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1350,10 @@ optional_policy(` +@@ -766,6 +1351,10 @@ optional_policy(` ') optional_policy(` @@ -37616,7 +37648,7 @@ index 17eda2480..c9e91f8e1 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1363,20 @@ optional_policy(` +@@ -775,10 +1364,20 @@ optional_policy(` ') optional_policy(` 
@@ -37637,7 +37669,7 @@ index 17eda2480..c9e91f8e1 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1385,10 @@ optional_policy(` +@@ -787,6 +1386,10 @@ optional_policy(` ') optional_policy(` @@ -37648,7 +37680,7 @@ index 17eda2480..c9e91f8e1 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1410,6 @@ optional_policy(` +@@ -808,8 +1411,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37657,7 +37689,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -818,6 +1418,10 @@ optional_policy(` +@@ -818,6 +1419,10 @@ optional_policy(` ') optional_policy(` @@ -37668,7 +37700,7 @@ index 17eda2480..c9e91f8e1 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1431,12 @@ optional_policy(` +@@ -827,10 +1432,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37681,7 +37713,7 @@ index 17eda2480..c9e91f8e1 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1463,62 @@ optional_policy(` +@@ -857,21 +1464,62 @@ optional_policy(` ') optional_policy(` @@ -37745,7 +37777,7 @@ index 17eda2480..c9e91f8e1 100644 ') optional_policy(` -@@ -887,6 +1534,10 @@ optional_policy(` +@@ -887,6 +1535,10 @@ optional_policy(` ') optional_policy(` @@ -37756,7 +37788,7 @@ index 17eda2480..c9e91f8e1 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1548,218 @@ optional_policy(` +@@ -897,3 +1549,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -40052,10 +40084,35 @@ index b50c5fe81..9eacd9ba1 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e9488463..5f5045ae1 100644 +index 4e9488463..e7d5f42a5 100644 --- a/policy/modules/system/logging.if 
+++ b/policy/modules/system/logging.if -@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` +@@ -81,6 +81,24 @@ interface(`logging_dontaudit_send_audit_msgs',` + + ######################################## + ## ++## Create netlink audit socket ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_create_syslog_netlink_audit_socket',` ++ gen_require(` ++ type syslogd_t; ++ ') ++ ++ allow $1 syslogd_t:netlink_audit_socket create_netlink_socket_perms; ++') ++ ++######################################## ++## + ## Set login uid + ## + ## +@@ -233,7 +251,7 @@ interface(`logging_run_auditd',` ######################################## ## @@ -40064,7 +40121,7 @@ index 4e9488463..5f5045ae1 100644 ## ## ## -@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',` +@@ -318,7 +336,7 @@ interface(`logging_dispatcher_domain',` ######################################## ## @@ -40073,7 +40130,7 @@ index 4e9488463..5f5045ae1 100644 ## ## ## -@@ -496,6 +496,68 @@ interface(`logging_log_filetrans',` +@@ -496,6 +514,68 @@ interface(`logging_log_filetrans',` filetrans_pattern($1, var_log_t, $2, $3, $4) ') @@ -40142,7 +40199,7 @@ index 4e9488463..5f5045ae1 100644 ######################################## ## ## Send system log messages. -@@ -530,22 +592,107 @@ interface(`logging_log_filetrans',` +@@ -530,22 +610,107 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` 
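Review bot: The new `logging_create_syslog_netlink_audit_socket` interface (hunk @@ -40052,10 +40084,35 @@, inner `+@@ -81,6 +81,24 @@`) is summarised as "Create netlink audit socket", but the rule uses `create_netlink_socket_perms`, which in refpolicy's permission sets expands to `create_socket_perms` plus `nlmsg_read` and `nlmsg_write` — so the caller can also send and receive audit netlink messages through a `syslogd_t`-labelled socket, not merely create it. Either narrow the rule to what the caller needs (`allow $1 syslogd_t:netlink_audit_socket create_socket_perms;` if creation is all that is required) or widen the summary so the grant is visible to policy readers, e.g. `## Create, read and write a netlink audit socket labelled syslogd_t`. The changelog names systemd as the caller; a comment in the interface body pointing at the triggering denial or bug report would help later audits.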
@@ -40188,19 +40245,12 @@ index 4e9488463..5f5045ae1 100644 +interface(`logging_relabel_devlog_dev',` + gen_require(` + type devlog_t; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; ++ ') ++ + allow $1 devlog_t:sock_file relabel_sock_file_perms; + allow $1 devlog_t:lnk_file relabelto_lnk_file_perms; +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Allow domain to read the syslog pid files. @@ -40215,11 +40265,7 @@ index 4e9488463..5f5045ae1 100644 + gen_require(` + type syslogd_var_run_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') @@ -40237,11 +40283,18 @@ index 4e9488463..5f5045ae1 100644 +interface(`logging_relabel_syslog_pid_socket',` + gen_require(` + type syslogd_var_run_t; -+ ') -+ + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Connect to the syslog control unix stream socket. 
@@ -40256,13 +40309,17 @@ index 4e9488463..5f5045ae1 100644 + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') ######################################## -@@ -571,6 +718,25 @@ interface(`logging_read_audit_config',` +@@ -571,6 +736,25 @@ interface(`logging_read_audit_config',` ######################################## ## @@ -40288,7 +40345,7 @@ index 4e9488463..5f5045ae1 100644 ## dontaudit search of auditd configuration files. ## ## -@@ -609,6 +775,25 @@ interface(`logging_read_syslog_config',` +@@ -609,6 +793,25 @@ interface(`logging_read_syslog_config',` ######################################## ## @@ -40314,7 +40371,7 @@ index 4e9488463..5f5045ae1 100644 ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -@@ -722,6 +907,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -722,6 +925,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') @@ -40340,7 +40397,7 @@ index 4e9488463..5f5045ae1 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +980,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +998,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -40367,7 +40424,7 @@ index 4e9488463..5f5045ae1 100644 ') ######################################## -@@ -859,7 +1081,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1099,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) 
@@ -40376,7 +40433,7 @@ index 4e9488463..5f5045ae1 100644 ') ######################################## -@@ -880,11 +1102,69 @@ interface(`logging_read_generic_logs',` +@@ -880,11 +1120,69 @@ interface(`logging_read_generic_logs',` files_search_var($1) allow $1 var_log_t:dir list_dir_perms; @@ -40446,7 +40503,7 @@ index 4e9488463..5f5045ae1 100644 ## Write generic log files. ## ## -@@ -905,6 +1185,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1203,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -40471,7 +40528,7 @@ index 4e9488463..5f5045ae1 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1282,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1300,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -40489,7 +40546,7 @@ index 4e9488463..5f5045ae1 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1307,55 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1325,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -40545,7 +40602,7 @@ index 4e9488463..5f5045ae1 100644 ') ######################################## -@@ -1032,10 +1384,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1402,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -40563,7 +40620,7 @@ index 4e9488463..5f5045ae1 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1414,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1432,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
@@ -40572,7 +40629,7 @@ index 4e9488463..5f5045ae1 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1444,110 @@ interface(`logging_admin',` +@@ -1085,3 +1462,110 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -46140,7 +46197,7 @@ index 2cea692c0..e3cb4f2ef 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4bc..41a5b082f 100644 +index a392fc4bc..95c64150b 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -46385,7 +46442,7 @@ index a392fc4bc..41a5b082f 100644 vmware_append_log(dhcpc_t) ') -@@ -264,32 +322,72 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,32 +322,73 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -46451,6 +46508,7 @@ index a392fc4bc..41a5b082f 100644 +files_read_usr_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) ++fs_unmount_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +fs_read_nsfs_files(ifconfig_t) +fs_mount_nsfs(ifconfig_t) @@ -46458,7 +46516,7 @@ index a392fc4bc..41a5b082f 100644 selinux_dontaudit_getattr_fs(ifconfig_t) -@@ -299,33 +397,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +398,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -46516,7 +46574,7 @@ index a392fc4bc..41a5b082f 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +452,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +453,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` 
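Review bot: `fs_unmount_xattr_fs(ifconfig_t)` (hunk @@ -46451,6 +46508,7 @@) grants unmount of every `fs_t`-labelled filesystem to a domain that many network-management domains transition into, and neither the hunk nor the changelog records which operation needed it. The neighbouring new rules (`fs_read_nsfs_files`, `fs_mount_nsfs`) suggest network-namespace handling, but that is inferred. A comment next to the rule, e.g. `# unmount of fs_t during network namespace setup -- see <BZ/AVC placeholder>`, would let a later reviewer confirm the scope; if the denial was actually on a narrower filesystem type, a more specific interface would be preferable.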
@@ -46529,7 +46587,7 @@ index a392fc4bc..41a5b082f 100644 ') optional_policy(` -@@ -350,7 +470,16 @@ optional_policy(` +@@ -350,7 +471,16 @@ optional_policy(` ') optional_policy(` @@ -46547,7 +46605,7 @@ index a392fc4bc..41a5b082f 100644 ') optional_policy(` -@@ -371,3 +500,17 @@ optional_policy(` +@@ -371,3 +501,17 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 91888eb7..c5040c00 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -40879,7 +40879,7 @@ index 1a354203e..8101022be 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020faa9..9c628b22e 100644 +index ca020faa9..c53375b3b 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) @@ -40944,7 +40944,7 @@ index ca020faa9..9c628b22e 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,22 +90,38 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,22 +90,40 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -40975,6 +40975,8 @@ index ca020faa9..9c628b22e 100644 -miscfiles_read_localization(iscsid_t) +modutils_read_module_config(iscsid_t) + ++mount_read_pid_files(iscsid_t) ++ +optional_policy(` + iscsi_systemctl(iscsid_t) +') @@ -43238,10 +43240,10 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..04c46e714 +index 000000000..202ac2b59 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,95 @@ +@@ -0,0 +1,99 @@ +policy_module(keepalived, 1.0.0) + +######################################## 
@@ -43306,6 +43308,10 @@ index 000000000..04c46e714 +logging_send_syslog_msg(keepalived_t) + +optional_policy(` ++ iptables_domtrans(keepalived_t) ++') ++ ++optional_policy(` + rhcs_signull_haproxy(keepalived_t) +') + @@ -45304,7 +45310,7 @@ index 93a64bc50..af6d741d6 100644 + allow $1 ksmtuned_unit_file_t:service all_service_perms; ') diff --git a/ksmtuned.te b/ksmtuned.te -index 8eef134ac..a2ca1a009 100644 +index 8eef134ac..9636a5343 100644 --- a/ksmtuned.te +++ b/ksmtuned.te @@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1) @@ -45335,8 +45341,12 @@ index 8eef134ac..a2ca1a009 100644 type ksmtuned_initrc_exec_t; init_script_file(ksmtuned_initrc_exec_t) -@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t) - dev_rw_sysfs(ksmtuned_t) +@@ -40,9 +57,10 @@ kernel_read_system_state(ksmtuned_t) + corecmd_exec_bin(ksmtuned_t) + corecmd_exec_shell(ksmtuned_t) + +-dev_rw_sysfs(ksmtuned_t) ++dev_manage_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) +domain_dontaudit_read_all_domains_state(ksmtuned_t) @@ -62506,7 +62516,7 @@ index 8f2ab09f5..8ca8a6f26 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index bcd7d0a7d..0188086f9 100644 +index bcd7d0a7d..9b397fdd7 100644 --- a/nscd.te +++ b/nscd.te @@ -4,33 +4,34 @@ gen_require(` @@ -62554,7 +62564,7 @@ index bcd7d0a7d..0188086f9 100644 type nscd_log_t; logging_log_file(nscd_log_t) -@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t) +@@ -40,56 +41,59 @@ logging_log_file(nscd_log_t) # allow nscd_t self:capability { kill setgid setuid }; @@ -62590,6 +62600,7 @@ index bcd7d0a7d..0188086f9 100644 -kernel_read_kernel_sysctls(nscd_t) kernel_read_network_state(nscd_t) +kernel_read_kernel_sysctls(nscd_t) ++kernel_search_network_sysctl(nscd_t) +kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) 
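Review bot: `iptables_domtrans(keepalived_t)` (hunk @@ -43306,6 +43308,10 @@ of the new keepalived.te) puts the VRRP daemon one domain transition away from `iptables_t`, which can rewrite the host firewall, and the rule is unconditional. keepalived presumably needs this only when its iptables/ipset VIP filtering is configured (inferred from the changelog, not visible here), so consider gating it behind a `tunable_policy` boolean, or at least add a comment above the optional_policy block, e.g. `# keepalived calls iptables to filter traffic to VRRP VIPs`. The enclosing keepalived_t local-policy section starts outside this hunk.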
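Review bot: Replacing `dev_rw_sysfs(ksmtuned_t)` with `dev_manage_sysfs(ksmtuned_t)` (hunk @@ -45335,8 +45341,12 @@) widens the grant from read/write to create, unlink, rename and setattr on every `sysfs_t` file and directory (as the manage_*_pattern macros expand), although ksmtuned only tunes a few KSM knobs under /sys. The hunk does not say which permission was denied; if it is a single permission, a targeted `allow ksmtuned_t sysfs_t:file <permission placeholder>;` with a comment naming the AVC would keep the domain closer to least privilege. If manage really is required, a comment such as `# ksmtuned needs <permission placeholder> on sysfs_t -- <BZ placeholder>` should accompany it.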
@@ -62631,7 +62642,7 @@ index bcd7d0a7d..0188086f9 100644 corenet_rw_tun_tap_dev(nscd_t) selinux_get_fs_mount(nscd_t) -@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t) +@@ -98,16 +102,23 @@ selinux_compute_access_vector(nscd_t) selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) @@ -62656,7 +62667,7 @@ index bcd7d0a7d..0188086f9 100644 userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) -@@ -121,13 +131,11 @@ optional_policy(` +@@ -121,13 +132,11 @@ optional_policy(` ') optional_policy(` @@ -62674,7 +62685,7 @@ index bcd7d0a7d..0188086f9 100644 ') optional_policy(` -@@ -138,3 +146,20 @@ optional_policy(` +@@ -138,3 +147,20 @@ optional_policy(` xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -77578,7 +77589,7 @@ index b9e71b537..a7502cd0e 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index fd58805e5..2ff8a1e4c 100644 +index fd58805e5..248d22985 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; 
@@ -77599,15 +77610,20 @@ index fd58805e5..2ff8a1e4c 100644 dontaudit postgrey_t self:capability sys_tty_config; allow postgrey_t self:process signal_perms; allow postgrey_t self:fifo_file create_fifo_file_perms; -@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t) +@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) + kernel_read_system_state(postgrey_t) + kernel_read_kernel_sysctls(postgrey_t) - corecmd_search_bin(postgrey_t) +-corecmd_search_bin(postgrey_t) ++auth_use_nsswitch(postgrey_t) ++ ++corecmd_exec_bin(postgrey_t) -corenet_all_recvfrom_unlabeled(postgrey_t) corenet_all_recvfrom_netlabel(postgrey_t) corenet_tcp_sendrecv_generic_if(postgrey_t) corenet_tcp_sendrecv_generic_node(postgrey_t) -@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t) +@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t) domain_use_interactive_fds(postgrey_t) @@ -94704,7 +94720,7 @@ index 7ad29c046..2e87d76b4 100644 domtrans_pattern($1, rshd_exec_t, rshd_t) ') diff --git a/rshd.te b/rshd.te -index 864e089a0..a28dccd64 100644 +index 864e089a0..f919bc537 100644 --- a/rshd.te +++ b/rshd.te @@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1) @@ -94722,7 +94738,7 @@ index 864e089a0..a28dccd64 100644 type rshd_keytab_t; files_type(rshd_keytab_t) -@@ -17,9 +18,8 @@ files_type(rshd_keytab_t) +@@ -17,51 +18,66 @@ files_type(rshd_keytab_t) # # Local policy # @@ -94734,9 +94750,10 @@ index 864e089a0..a28dccd64 100644 allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; -@@ -27,41 +27,56 @@ allow rshd_t rshd_keytab_t:file read_file_perms; + allow rshd_t rshd_keytab_t:file read_file_perms; kernel_read_kernel_sysctls(rshd_t) ++kernel_read_net_sysctls(rshd_t) -corenet_all_recvfrom_unlabeled(rshd_t) corenet_all_recvfrom_netlabel(rshd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 73ff7051..03a9bd86 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
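Review bot: Swapping `corecmd_search_bin(postgrey_t)` for `corecmd_exec_bin(postgrey_t)` (hunk @@ -77599,15 +77610,20 @@, inner `+@@ -55,9 +55,10 @@`) lets a network-facing policy daemon execute any `bin_t` binary in its own domain, and the hunk does not record which program postgrey actually runs. A comment next to the rule, e.g. `# postgrey execs <binary placeholder> -- <BZ placeholder>`, would make the grant auditable; if it is a single helper, a narrower rule or dedicated exec type is preferable to all of `bin_t`. The added `auth_use_nsswitch(postgrey_t)` is the conventional way to give the daemon name-service lookups and looks right. The enclosing postgrey_t local-policy block starts and ends outside this hunk.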
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 273%{?dist}
+Release: 274%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -681,6 +681,17 @@ exit 0
 %endif
 
 %changelog
+* Wed Aug 23 2017 Lukas Vrabec - 3.13.1-274
+- Allow postgrey to execute bin_t files and add postgrey into nsswitch_domain
+- Allow nscd_t domain to search network sysctls
+- Allow iscsid_t domain to read mount pid files
+- Allow ksmtuned_t domain manage sysfs_t files/dirs
+- Allow keepalived_t domain domtrans into iptables_t
+- Allow rshd_t domain reads net sysctls
+- Allow systemd to create syslog netlink audit socket
+- Allow ifconfig_t domain unmount fs_t
+- Label /dev/gpiochip* devices as gpio_device_t
+
 * Tue Aug 22 2017 Lukas Vrabec - 3.13.1-273
 - Allow dirsrv_t domain use mmap on files labeled as dirsrv_var_run_t BZ(1483170)
 - Allow just map permission insead of using mmap_file_pattern because mmap_files_pattern allows also executing objects.