From bab47876090a45288048f920b16c3253a3904b97 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Thu, 2 Feb 2017 12:41:29 +0100
Subject: [PATCH] * Thu Feb 02 2017 Lukas Vrabec - 3.13.1-236
- Allow kdumpgui domain to read nvme device
- Add amanda_tmpfs_t label. BZ(1243752)
- Fix typo in sssd interface file
- Allow sssd_t domain setpgid BZ(1411437)
- Allow ifconfig_t domain read nsfs_t
- Allow ping_t domain to load kernel modules.
- Allow systemd to send user information back to pid1. BZ(1412750)
- rawhide-base: Fix wrong type/attribute flavors in require blocks
---
container-selinux.tgz | Bin 5492 -> 5586 bytes
policy-rawhide-base.patch | 199 +++++++++++++++++++++--------------
policy-rawhide-contrib.patch | 121 +++++++++++++--------
selinux-policy.spec | 12 ++-
4 files changed, 209 insertions(+), 123 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index e3df1064b92ae7cb55ddaa92b48e2c027629fd71..d4438eab167a586da20265d0e5cd2b9155bf96bc 100644 GIT binary patch literal 5586 zcmV;@6)ox?iwFQu8k1N61MOW~kK8tv_G{O#5bOZ%4(z_!V*}lpSuB!$*oVagnY?Xw z6_v!QQd*aaNcCk6&u^b|c#$ZHq$rij?gdMvJUA75Nvy}Q1?d=Xq8t3mpwrYx$0 z;6-*{MQajU>BipwKmDv;y$XJyb)HAn)8BsGk)Yg@;w>%fDked+-)CtYv9v6LSWT3G z6kGT{|KUOvTLFmQr&AmJa`GRKB(53J(9t19)!FJqRTu6f2Cc%Ub}-W$cDBL_791#vtPR+<_eP9~|G=G08n_eN!1XGq%8VG` ze}TshcofHk(lJy-ilhC-=;VO!N%Nu^eDy{Rw-|h^7lyq`*Ej;-U7H|o`S2cNAp(z{ z?JC6iK84eMi!F`{PU&1^2d<}o@H#biXX!dfp!qQ?tCY|QoOUi7kC|;|v1AG~%ZI`D zQH7)}Z+ZQ}cULBw8|Y^s@!`jCPpX_k!A+VGsw$S$d_)$OT+fZwd_sLmMq4I$Q|>^H z|3adq$8J8fU!BnvG>rF%2k!d>7;%T+dR< zaBka}E`bb>e1>eibXMHWM(`i-!EpaOU-h^@(>;mPO$q}f1`_vHG7x#Z&O}TIEPvqU zendHV*hH~NwizrpF#W%xBHH#hlIO9;a^AF~$u!q47-tcsma6!>VO?t? zt4pTThyT9}%02Qw%KrM2Rkf{)NZPA*P10iPRjql6C>iJNelac(mp4UQ1m9i5zjyHO z{j&Pm&;R+;Gub(~7PC*2Y5NA)!WMx8P;`Pq%z=y#7dQJTsqPnXFfQb$ve?~El#x7U z*(49r?eJY)q>Qt_9VmgFNJUFkBt|Pm@`_|7D(k?h6y_6u6UdJ$EQfVd3h+G$mWKpe zB5(}$sMeAj{0f?x(O9G-rDTHwxq-=FRq55q9;R4T;tCjXkS=0oMMV-kRH;e9&PfhC z*VkXv55S{*>I|~^6B-&AhddD2iuV(^*=J@D^tjnwmV5Rzbqf!A_*QlX6a9@fg~`UA zxOl|1&}FJxAwAY6{omloYiIu^-JX-;eo53_Nf})lklSkuVpfEf+5I_kU=dg`QWO+{b@@n^ z>At{3rFKEM66}X8dRiXwdO^sDm3gXU04OdM?Al?Jr;L-Ssw1oERCP|3|9^{ z=|PKN1uzx7Jk#EfINV+@?I;bSn(btk)4*HGUp}*JFy7uN37Nb=M_OoIJ}?ziLmE6j zEaq<>s6+GgjwII=7rck#pwv7KVL6?r$LHs(^YGqJS6PRvV4u|>VwY80`ms3i!C)kE8CfQRsSW%AIjwCIXZi2-9uBEs`#N0hgk3Nyo(%AE&k(!- zl@m6!>S

cZH^!(q(hP7f#!5n>#nB*roajIuQVCYZ9ZOHA^_Gx;ddOn0nl##STjv z)9tk8^jPCNUN~^i79;DKWs>iNchkJ+37ve%Oo8B(l{P65<9zsO@N7+@B@f@QK8sM7C z;%o2G*mtq?uze#w2_?%dmLR9$d^`O7R~y7(iqKja?;9Ny$XIJaR$o(?KoI*E50xiLSq@6-^;K(!QeJj6Flq) ztldfvL`PgXP+l_b%gVCg*B^fl_GQJI=>1-5 z9yJcTZWFa62!Y4hW%lzK6BxR1Dycz*m+)IW#B!kBp7zTRag}qji`@EBMLXs1yz55C zrqOxZ#Z(SmftaZjhSPp26WXAG(h1y;%b)fNIaYYSAFOhG)Qk-L(nIVNbs}%50eeF` z= zxVqSF0+>kVVo#^TB1144&+TG0IZA>FIav6N8<3}if(Ayz&N*N&e|EbF1-ue=v1z-bB-`A8c^<9PEM-r@ry$;y4@Gd7!nVJGp8#w_2}_e8 zzbnclz{YZ?J^yK)7EQh?e^5oRlM}W9NQ|b8R1Dj-ipy0b0|hU`xZFsgHiWY!3=d{^ zV>nQIm8E&gcsr=fwL=-7lbnBp${F8zw61abV?v-70T5Azk;10XBX3Igp(h%P_Y0uZ z$pB?a@phVA2Wu{~X-)T}NL(fRb6W2T8h?BWc?<n;gb@o!uH9%^$PJzP&A2l>-IXiYTxMg^VDS``lj!6^SaX<65=*sS=`QA zWv+WE=1vw5%*m6(19NG-$*bLk=`+HTc;a5{JByp9EVFr=GwhFo-KN_g6aIR6eA5w; z<5Zy??>Jrscp_uKw~+o4Zql)7UK(a~8fQ=47Ggi91>FdEzz)@|FgkECt7K zeI#M$=CX-)iRo~df0GwfV8^aCm^*vDFsCY!p1|{_nFsK!Y39Q11_`{UfrK&eCoK!PplqtZ)b1B$>=Q5y4QNd}5ZX-Bh zzN-^{C5Eg-yrC|ptW?@E59qGVVfV8x72T06bHE|T&|}R59b5RdO5?C76H62HB9s&f z)O6nzOE)tL&8({zPqGx_z2ZZN$sObLu}taMF}C-tLKTV2Jl|*JG2{b0UY5ryrgG3& zXq zN*_`d@62@aL`7HS(+|1JW zhYIe+BJhg4@-*Yss~~%f#erE&P@IyNkVJ8aK7%Sv2r6vbG{LVuW*WeEjlVuonVWz= zt;>?}A3&>9KgvU&px8~yGLUu1FB~RbwQK@cl?De%$0~ryhC(g`(bxpy1EHhw=bg~} zXn+Cr**Lc^GM&AEjEBg1aRo@w^<87$)#!y;>*I?h9Qkz>DFwS3lgCCCH)*~fP+(Na8qq=hQ4W$}?7d~)$yV??BDB6k~y*Cz8nI}`r*ad{iVA$^4`2|1YVah4?MzXG{ z@}uI9;<7@EF(pocaI#(GBofm=+<$==fZ+78^vQXPNK+Z6SEV*(#6+J*@eb&0C0^TV z-hkYDfSHnvcJ#HCsi>gLvi|But+E-kwt@w>tPAwBSdT`*cAyisXX+^sCZwW=_Ab3? 
zj(s(U@jGSYn465Tn@xh(<=v`o%6&s`wr#5L0w7l+bVW#dJXw(PQ^4k4I*e6AgAE52 zL@v`whq%plG}d~;XR17+*i6)xGHwq{s+*2Yp7as#v0kj})Q-eOX``h&0fmv;rkx%K zH4o2)8&9Y36M~22m%5G}4sHz^vE`dQ40)t+YI!ZREfE|Oj$c*R`kSmCCBu1i^BVN4 zQF>bp5q?&7;-%<+G00cPRwi3u-yPdC^wzzeleZgwgQ>j)PM}!Q-umu3VBvAUOp7WW z3;&=Va2!FFGQVDTg`<#HXJaB%U4hsNO`AMX?d%IDM}%E#_`FkO;^L)|qh#^~?~DUe zddZ2Wr5eAQ1x|AuH|Nzl$Azr>xw`jgB=cna@+Q~2(Ik|G;GJnB3)SJuAUU)OcQT0& z`glT#ZO=ae-DUZZ3n}8Pr%5#^-p$YhchBLlEivtYf~Tn+x?4aS~Xs zRy+}#1E}776hLn=xwy1q+|Sh)tAqGed*oFeg2fG;SJlK@mAp(l1I2R}2Gi1Hjfpuo z6v{(+EDjT!MY!RdY4@OMFx*9E9&J7BT&*jFH!0|*28*lab2>1iNEJP#OZ56q{^7Hl z+@t5j)e?{F-i|~Q2mOanyz+THk-B0pt^PEKJ=RTjGlb5VU+Ny4kWR+@lZ-S{OkwdP z9kuV+gw!ZgYe(punP<$LK4u|p!+ZU(ogVrFExEG1>IDv6LB-zA)&xH>^4f3KcxH{} zSjFv>J5_rQd;}V?FFMco=Gb?t$*5CNicm)H;u*CV3^!ynuX_H9PLH;jF?&^J>Ra@$7B|N@-#@QXS>S!x6IZ*S`7g+Xp|*u$*s>cDJGX{>RIY@85kG z-2Zs_;oJR>U*dCtnTZ#_or_zc_?@IUCCDR_R~?4+jg+RlT3q^{>TS3J?tEw+Ocs9=wZ}Lu;u1`+qO~ z=X>F^S(cUZ&#W!hVu>0H56IH6MR{Llbxz(+XNCSp9y-wYNAH%J0aOQEW;JzJ(&8M@ zYFKWLwa`+xkl*u`uXc@}L?=uMm{Sm2Xa9EMjTNh#nm7Ym9Jve*f?HkON21ptR3wrw zP#gQ>4O2j!PA-B4P#2=rzu_r&Z%`H7G(k306w%MW{|#>h@@JyBTWB0u9h~<^_HQ&l zGrtTlrU*@)M=m^h=fT8D;DLC30A!2V@^P7Is*Q{IvxrM{97Xan%|oP%=I>rE!oh2d{iH{GtNDUd1wUK;bVe4ixO-QlSTYxNrcyVCE*>1}vL)B3MH( zXDJ)-MB{$LzpFh-9~pr|XBFVlW$@%5*j|W*asv=b9-Rt0h$m}u41hJYXMzOaw@KQM4}bY(N22OL$``b1>Xbyu;ZWph!t$z&QZ-Q` zQf}er<&RgY*a|?xKAqa&m$U!4Cuzfofu5HU+nEotY7bv7dC@DQZ1m$Hsgr$FCVTSd zCxYt9Uj{XNMXZWgos=}kPT4@OI4XQ!g!3hQmIQz|x67plp2!#zsnv|T zzQzYq?1@GrER`@gDN# z%wo55j-GLF@!BrLHP#p4Io%~S`IflO8x+oWK_0;MBBu=Jwu|W!$nq#;$i_<-<;`q_ z@BtqT_uu%c$NiZeNSbeQ7$7l_xVMsl$m4ZpVnSf~BRBUG%E99%ibJx^V7Z0q|CN-< zw!e{l8*6OOn|3nUCgG2fZVF>;!JJe|T1W6(QU#20M4@(?Vf2X0lXCwjkeDEqs`c-{ zZ;A#+Vhjb;(ix5iEOM8#U6cS}!+^sqPb1#@)_4GMhjfV{2M=|Ai}fJo7aY(YvTQ|+ zt+3#uDbBl6ZMY;BOhMtDaxP7&N|cS$BB9h#6@NFZYfWTz*_8V5|0hv(K>jDipP#V0 zadi<%d)2NjLpv+r}dJ{x$r21OKj<)z5zZ&yU~8&cU^qL!M3B zH^3Hl2poW-6BJ?&WPP}}*+)rzyNCnII}iic##FoefikjBSux4;^kMj}DRaiz-wu?( 
z&ZMHHDiWiWBY91V3YB%>R1Wirzlr2W6_&%gsRZ}|1j}89EfF{td(>#jd;AgUnV~Jx zky5fjk=(%Kud4Lw>;O}&u5bm6IM5a`vyw84?&{p8VDHHucCN3#sPBMB`>8X?ft-t8BO#zHWVfsd*I>`*Fu-6YK8Pzn~~cC zqsUo&iHyRZ7XB*2_vx;V#R9pDp%u$889%~YYz;)Q`x?x~Z=_^XSdE`yO&*r>0+ZO@ zZq!(R7Ry%RD1;A#vHd$Jv<->x`U|9}ww|KKUg)6MReRE(19DT8n=bF6duv3J=g|}W z?h?v9xtNWURq4%q5DKN^L5uL|95hh%O`I2Lk;CxLM-qKope3_-BQUCT9%p+kpb`V7 z-xl;`J`G(ce2OZB;y&$Eucp7R2~yd0G+`#rfDw}sEWD?S5Zcn2IThIf|xa-RdIWX99RTaj1&b$U|rplWx6jgQK?-Jt^)g^NFJ6) ze7zuK!m53)WB@2GHSF4PlI`_r#|axEXRSt+DT{Q}UAbp2Fisr(yS>A=oMNd$`i zeMA|kBzwNU5cbveXVDteH?Y;Sa{xju^XH%13h1{ya)&f{^pF;H z8u$@9QsOZ;S7K-@-`qvdY0v!S;O~(`sy%`(lFee(B)#4m0#cr}x`9?jvVYtK!Pk2Z z6~n&A{iEFkpWD2y%KapT|1`tJ+j*>~!|AkEBkFgJ3^jhxaqTa**5^VM2sELkpCbAM z25t@9h-kholR}t!(dQ4-oEcCVm+W>z)i8flz=vSC{+(-Lti1H*^~xic0|3NeU}>cZ z>+;*6;+w#lpZrrJUvQp(^t9fzNQ|P?H|C1Xci3!OIKd{fNWu z+0u^EIBD2UW;qSKrTpbLmJP<+J0)R{7wAX}qsvF8>KRCb$H&F|?E`gep5BS%y5d6c za2%DIXCN%6^Yr-q?dm+d_tRC@;VL*34T#uf)z&^{=)36)#xk1yAP;xWt*fTYC|@ub ziCjjOiD0URKO(2KZQ?Bdz1hPd6>ML}tDUe5Cgp<#UhWx!7oc*&hE_iuD(J4zRC6l1 z{pD5+e6Op5q{-oGl=E$K=jIgqR6ju{0$^=TVl<3q35QiTC$t4qk9At?u%tEJ&S*~W zwFk+XkJW2S7?L$TsYU9))<}LRogrgI!nd9#4bun=t#ROC?B@YE*xrq!_n59&e*UKo(lBzWGe-XNU)OK1-wn@yU0*+*|N0UiVQK?(H7r5`~xd4l=} zmsPODyxVz~T5a(>MWFAmlb7hw*>OMP#`rc)ucsAg?>24U(2l3u((3|}- zOq*_W_Pq0UIFGa=tlLB*xj^7?cG>-B*2I7=oJtl@VH^A@9%4Dr8qfRXhq%h=*F|o9 zl%k#TciwfY!_ev!?P4lNsX#1LYQTBFlnrgrKKe;BNCe56MPe(520 zih7YZ)PlXC9d!8BjgPeUS;Z&Za8}u8sok^ML+zW@UGSli@2sOwI;_fYfOc!?xY(5^ zQ$IYnA`IbGW>gouO{@}0QtaV;SY!w$ z(1TSH#(zKW7n!>6w)-cnsHBL*t`4t+y=mL-C@D7Y!R$@ed6Bb+=u?#Ls=G3}$zi+Q zz&8NfP{Q&o+TWB_7GYz#Gn{{0=cUdAQbOuq}YcEABoFL}Te;0hA^i zpiC*=PKwvjnoDTf&;uzmU&;OqHoJl*6rV7l26(-ac4cK{JzX@SSgA~f;eKd4+7 z@X*q1#L~3Dbk~j6Q;UN7 zs?a`RUwJxE^jRnM&Fk#e@?dUPy;zeMi3`u3^B4wZFiy26`g{>2*f_#_wHU>5D%b)U zV9GsgQ&;eOW-`eyD)^SYzYw{SD7DnHCxWxgvF=1!IX%*m4@0CQ=)$*bLm88X6>c;c=Z zI*WBvmf2?Q$>Ar#ZZpMC3IBR|eB0@U(^O%cOgLQyc$i@Iw54fl>YOO^8>Ul))7S+H za~6Ie=47E4h&x&E1>)+nWJ?22mV#rrA(F6j>DELG!gj7HyvYkHuwy6k=g!_B%&AIb 
zAn?3t763eJn)z_Me)!;NAR%qjK=++bh>&SKJd50$yLVd7v~F4S)%G8Mmfm^kq3k;8 zt$i^(_cy>zQpkh}5pU#q6LvXmQkR6?RrO6MIZxJppeZY?tZs?#5IKkx_(9Vh$-*i} zpSNT8kpWoD-{C1GNy_qDSSXpJeo3FoX5ysKMMkQSLX=Paw2g5)s0DGm zVr1M&EE>!ooLtIN8QS2YUE8{94&HW2N?|zDhkcQkH*Q*)nVq;+Ban33=xQKkRgF7a zo!rGdR(206a+cE@2R#q*pnNJRy~|m;v(w4*8GUwvzMfTg4rqBDjY^oaQ*k1E-?)0z z9vZ@_!>ixZt%JHl45A+0vOw)J4sx0rlZ^*v^Z!fSNjWR-_0R`ZTw_2QmdgzyBb%ft zn6OgrT~ppHA*Q?w`hnt7%B1xZi*wu#-b!LF=<|&i*K)Y2KJ1+q{)KogdbsvbxB;Ho zYu&&Et_nKBVn^Zpz%ajTW@)@u{Z=f3pr9vDdR;w@iu+U?-^6sfDbf5aNn>;a)Okiw z2ixWu{y1QK9)33X>jRY$ef+krD#pKnqNcveBZ#1@O^VISI^+)=CSJ8{0@r>9#~Q~f zfXRkJE(X!41KN>LyZG}?hq5rgsovTfa_0erFr-y@VA!myj3Sn$b{ z6cDBA*zgE59TsWpa-CLm=&}uU-kGUyQtNH^fFLD#D>Uxg`~V`T+*BhP^&btPEan%O z_0wG~^s+zk9%eP{d48Q<5&JcE3$fQ=Sb@c3Zp;p~-XH=vbm6-U0HEYjwE^+vV6CPp zZn=bFb>*oS@A|?jy%a@N9fF`ntCX6R>TOQJ6vmXRQC&=04^ zR7!i`e5J%rP4yuYUj=f8B6SE|3I8Zbn>x2!@iyFUf883fP>OtNDG)Vf5LrzE$U-@w z$3d#=o+;HQ^$fsMY$oh#REFYQWYI5w|M>UlAJCy&68(ZF=Xk1?J8f{)J5It=6?rw{ zj2YMGN1auofchz!s=Yt)JztmJ5on3I@v?}0!!LQ?H6Ry?wbOXv-X=6gv>A_wo~*Q* z^uYG_9ug&p0Lj^DPAI!QPN?QxQ{pz9;uW|tbGCDZ`xxlH<)EJt~JSMA6l>!bbIFv|CDP7ZyJ7I6jM(V+NxB0%SBYn?nl~W#?qH^5qaA(bWGX5sv#h^Ht5q(8)>W|NmUW4K z7UzK?*bYp>_JsGOs&4a|jXMbhna6bJ??V>8jWU*(yp7eZ=zQx?P^%zMD7{*>odSFk zI!Zl_HdT#gx&&x%Dv7D+p}R}Z^^0p7En{wYUo9&t^ya33R z1YHr59`o^YekRr4OOLT?X|N@|U!*6Ub%@(j?$%n*_)L|@`t(F?Dbx0NpSpL~<{Te! 
z2%E*ae(FSA+cjFM6C)U@ZQ5C8Q1kGVvh_>{KUaq?fuTV?%z21D5APN59o8G%VKZXO z>(mN)5O8XFBU&vHJQI#zoYwlAoE|01>1g{J469LkTP#6)R&_$4=zp=uSI<@^Tj1Uu z+Y{Z+y`Gb|8@|RgUIHgjEE#V@cO9_sxL>A46_15~(2OCDAWNCwth>Td$g7Jn5vnfa zYlWsuo~U;Ag_9>}ZZv$}*(-4k(8vKSdG2+_!6UQe#8XGwujYU=9LM^USLdvbb3a$N z@Qfsrj9(?>dpDX_vJkvC6J((}d`Th4R^iVN2|*vv5pmq1iNS)l} zOZ56i{*|nT+@fQ{*OK7mr3oo51}SD&1d@)L9&AD)j;*yLblyBCW=~dfkgi5l!&T=Y z7i@ip2(#oc4#LyuKA>Rx-tcdG!u9ol4C&4mBJLv?J_*W+4n!JQz8wbOo}%OT{JJPd z&kbRv=|5O4>j6GL_aBJOX#;U_20&372rbFwuf0DB_ zz0~i(T&o?gdJ$}2bi1cw=_ov=0Q8%+0bQvQQLNrgJ!)A#jXqY<9f?3iY+yXlVj}#8 zIZFQ8#w$gjuM0jFF${?m@&^1j)QEqqx2ol(B4!BG5`xpwuWpjH>d|;wTaYy3vxYC1 z@uWIAnT%_UM3|%(lCvn=*5qwR2!&FbxlLEMlOiBUAq#))+uM%+=q_DuPIkAQ|Ng(1 z@2;<34(|VZ_44ulzc2B*!d$lQoMt$l^;9On)aQ5OwFq$&q<+bRDY6F#jnrsnh&{|u(r2xSceSvUG;laCfNjy#U zum8RJpC5!DWLaj)Kcux-izR9*yb4Rhmep-lG<))5IxEa;{5#P2XU&!xGim}Zv!1$Z zX>kr1H7qyBT4=d5%b)WWuyLWBL?=v%m~#+Z7k@nq#!A)IL!1FEj$8&u!L6=t6VYoB zD-tObsEw!bhAE&z4o zaPTMzk3{5*b^{`^1wd+MkFpa1|uwCXSb diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4d722aa2..8cda26a0 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2089,7 +2089,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..ae484a0 100644 +index c44c359..a3d4e61 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2187,11 +2187,12 @@ index c44c359..ae484a0 100644 domain_use_interactive_fds(ping_t) -@@ -131,14 +139,13 @@ files_read_etc_files(ping_t) +@@ -131,14 +139,14 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) +kernel_read_network_state(ping_t) ++kernel_request_load_module(ping_t) auth_use_nsswitch(ping_t) 
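Review bot: `++kernel_request_load_module(ping_t)` in the netutils.te hunk gives ping_t the kernel module_request permission with no comment recording which denial it answers, and nothing in the hunk scopes it. ping normally runs with elevated network capabilities, so a later maintainer cannot tell from the policy whether the request is the kernel auto-loading a socket-family or netfilter module (the usual benign trigger) or something that should have been silenced with kernel_dontaudit_request_load_module instead. A one-line `# module_request: <reason/AVC> BZ(<id>)` above the call, in the BZ style the changelog already uses, would pin the intent. The inner hunk header was bumped from 13 to 14 new lines consistently with the one added line.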
@@ -2205,7 +2206,7 @@ index c44c359..ae484a0 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',` +@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',` optional_policy(` nagios_dontaudit_rw_log(ping_t) nagios_dontaudit_rw_pipes(ping_t) @@ -2235,7 +2236,7 @@ index c44c359..ae484a0 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +183,15 @@ optional_policy(` +@@ -161,6 +184,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -2251,7 +2252,7 @@ index c44c359..ae484a0 100644 ######################################## # # Traceroute local policy -@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -2259,7 +2260,7 @@ index c44c359..ae484a0 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -2267,7 +2268,7 @@ index c44c359..ae484a0 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -10069,7 +10070,7 @@ index 0b1a871..29965c3 100644 +dev_getattr_all(devices_unconfined_type) + diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..e215d29 100644 +index 6a1e4d1..8f4a4cd 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` 
@@ -10108,7 +10109,18 @@ index 6a1e4d1..e215d29 100644 ') ######################################## -@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',` +@@ -133,6 +108,10 @@ interface(`domain_entry_file',` + typeattribute $2 entry_type; + + corecmd_executable_file($2) ++ ++ optional_policy(` ++ unconfined_exec_typebounds($2) ++ ') + ') + + ######################################## +@@ -513,6 +492,26 @@ interface(`domain_signull_all_domains',` ######################################## ##
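Review bot: The `++ unconfined_exec_typebounds($2)` call added inside domain_entry_file makes every entry-point file type declared through that interface a typebounds child of unconfined_exec_t, yet neither the hunk nor the changelog (whose rawhide-base entry only mentions require-block flavor fixes) says why, so the next policy author cannot tell whether the bound is load-bearing or can be dropped. A short comment above the optional_policy block, e.g. `# every entrypoint type is bounded by unconfined_exec_t so that <reason>`, with the reason filled in would record the intent. The call is unconditional for all callers of domain_entry_file; if only some entry types need the bound, that belongs in the comment too. The interface itself is defined in the unconfineduser.if hunk further down in this patch.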

@@ -10135,7 +10147,7 @@ index 6a1e4d1..e215d29 100644 ## Send a stop signal to all domains. ## ## -@@ -571,6 +566,25 @@ interface(`domain_kill_all_domains',` +@@ -571,6 +570,25 @@ interface(`domain_kill_all_domains',` ######################################## ## @@ -10161,7 +10173,7 @@ index 6a1e4d1..e215d29 100644 ## Search the process state directory (/proc/pid) of all domains. ## ## -@@ -590,6 +604,42 @@ interface(`domain_search_all_domains_state',` +@@ -590,6 +608,42 @@ interface(`domain_search_all_domains_state',` ######################################## ## @@ -10204,7 +10216,7 @@ index 6a1e4d1..e215d29 100644 ## Do not audit attempts to search the process ## state directory (/proc/pid) of all domains. ## -@@ -631,7 +681,7 @@ interface(`domain_read_all_domains_state',` +@@ -631,7 +685,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## @@ -10213,7 +10225,7 @@ index 6a1e4d1..e215d29 100644 ## ## ## -@@ -655,7 +705,7 @@ interface(`domain_getattr_all_domains',` +@@ -655,7 +709,7 @@ interface(`domain_getattr_all_domains',` ## ## ## @@ -10222,7 +10234,7 @@ index 6a1e4d1..e215d29 100644 ## ## # -@@ -1356,6 +1406,24 @@ interface(`domain_manage_all_entry_files',` +@@ -1356,6 +1410,24 @@ interface(`domain_manage_all_entry_files',` ######################################## ## @@ -10247,7 +10259,7 @@ index 6a1e4d1..e215d29 100644 ## Relabel to and from all entry point ## file types. ## -@@ -1421,7 +1489,7 @@ interface(`domain_entry_file_spec_domtrans',` +@@ -1421,7 +1493,7 @@ interface(`domain_entry_file_spec_domtrans',` ## ## Ability to mmap a low area of the address ## space conditionally, as configured by 
@@ -10256,7 +10268,7 @@ index 6a1e4d1..e215d29 100644 ## Preventing such mappings helps protect against ## exploiting null deref bugs in the kernel. ## -@@ -1448,7 +1516,7 @@ interface(`domain_mmap_low',` +@@ -1448,7 +1520,7 @@ interface(`domain_mmap_low',` ## ## Ability to mmap a low area of the address ## space unconditionally, as configured @@ -10265,7 +10277,7 @@ index 6a1e4d1..e215d29 100644 ## Preventing such mappings helps protect against ## exploiting null deref bugs in the kernel. ## -@@ -1508,6 +1576,40 @@ interface(`domain_unconfined_signal',` +@@ -1508,6 +1580,40 @@ interface(`domain_unconfined_signal',` ######################################## ## @@ -10306,7 +10318,7 @@ index 6a1e4d1..e215d29 100644 ## Unconfined access to domains. ## ## -@@ -1530,4 +1632,101 @@ interface(`domain_unconfined',` +@@ -1530,4 +1636,101 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -10409,7 +10421,7 @@ index 6a1e4d1..e215d29 100644 + allow $1 domain:process rlimitinh; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..43876e0 100644 +index cf04cb5..ae8a257 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10565,7 +10577,7 @@ index cf04cb5..43876e0 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -160,11 +237,382 @@ allow unconfined_domain_type domain:msg { send receive }; +@@ -160,11 +237,386 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -10799,6 +10811,10 @@ index cf04cb5..43876e0 100644 +') + +optional_policy(` ++ sssd_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` + tftp_filetrans_named_content(named_filetrans_domain) +') + 
@@ -21648,7 +21664,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..8139871 100644 +index e100d88..342fb1e 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -22385,7 +22401,7 @@ index e100d88..8139871 100644 +####################################### +## +## Allow the specified domain to read/write on -+## the kernel with a unix socket. ++## the kernel with a unix stream socket. +## +## +## @@ -26785,10 +26801,10 @@ index 0000000..d9efb90 +#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..15b42ae +index 0000000..f730286 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,727 @@ +@@ -0,0 +1,745 @@ +## Unconfined user role + +######################################## @@ -27516,6 +27532,24 @@ index 0000000..15b42ae + typebounds unconfined_t $1; +') + ++######################################## ++## ++## unconfined_exec_t domain typebounds file_type. ++## ++## ++## ++## File type to be typebound. ++## ++## ++# ++interface(`unconfined_exec_typebounds',` ++ gen_require(` ++ type unconfined_exec_t; ++ ') ++ ++ typebounds unconfined_exec_t $1; ++') ++ diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 index 0000000..60c3f9d @@ -37792,7 +37826,7 @@ index 79a45f6..6126f21 100644 + allow $1 init_var_lib_t:dir search_dir_perms; ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..9f2c792 100644 +index 17eda24..136864b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
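Review bot: The summary of the new unconfined_exec_typebounds interface reads `unconfined_exec_t domain typebounds file_type.`, but unconfined_exec_t is a file (entry-point) type rather than a domain, and the parameter text `File type to be typebound.` does not say that $1 becomes the bounded child of `typebounds unconfined_exec_t $1;`. Suggested wording: `## Make the given file type a typebounds child of unconfined_exec_t.` for the summary and `## File type to be bounded by unconfined_exec_t.` for the parameter. Since domain_entry_file in the domain.if hunk earlier in this patch calls it for every entry-point type, the summary should mention that this is the intended caller.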
@@ -37972,11 +38006,12 @@ index 17eda24..9f2c792 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +212,24 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +212,25 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) -+kernel_stream_connect(init_t) ++kernel_rw_stream_socket_perms(init_t) ++kernel_rw_unix_dgram_sockets(init_t) +kernel_mounton_systemd_ProtectKernelTunables(init_t) corecmd_exec_chroot(init_t) @@ -37998,7 +38033,7 @@ index 17eda24..9f2c792 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +237,26 @@ domain_signal_all_domains(init_t) +@@ -139,14 +238,26 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -38027,7 +38062,7 @@ index 17eda24..9f2c792 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +265,73 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +266,73 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -38106,7 +38141,7 @@ index 17eda24..9f2c792 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +340,275 @@ ifdef(`distro_gentoo',` +@@ -186,29 +341,275 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38391,7 +38426,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -216,7 +616,30 @@ optional_policy(` +@@ -216,7 +617,30 @@ optional_policy(` ') optional_policy(` @@ -38423,7 +38458,7 @@ index 17eda24..9f2c792 100644 ') ######################################## -@@ -225,9 +648,9 @@ optional_policy(` +@@ -225,9 +649,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
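Review bot: The init.te hunk drops `-+kernel_stream_connect(init_t)` and replaces it with `++kernel_rw_stream_socket_perms(init_t)` and `++kernel_rw_unix_dgram_sockets(init_t)`, which as far as the visible lines show trade the connectto permission for read/write on kernel_t sockets; if systemd still initiates the connection rather than only using a socket it receives, this would regress, and the BZ(1412750) entry does not say which case applies. A comment such as `# BZ(1412750): pid1 exchanges user information over kernel_t sockets it already holds; connectto not needed` (or the opposite, keeping kernel_stream_connect) would make the decision auditable. The two interface names are also inconsistently styled (`_stream_socket_perms` vs `_unix_dgram_sockets`), which is worth aligning if the former is new in this patch. The inner header bump from 24 to 25 new lines matches the net +1.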
@@ -38435,7 +38470,7 @@ index 17eda24..9f2c792 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +681,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +682,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38452,7 +38487,7 @@ index 17eda24..9f2c792 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +706,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +707,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38495,7 +38530,7 @@ index 17eda24..9f2c792 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +743,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +744,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38507,7 +38542,7 @@ index 17eda24..9f2c792 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +755,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +756,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38518,7 +38553,7 @@ index 17eda24..9f2c792 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +766,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +767,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38528,7 +38563,7 @@ index 17eda24..9f2c792 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +775,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +776,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38536,7 +38571,7 @@ index 17eda24..9f2c792 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +782,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +783,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38544,7 +38579,7 @@ index 17eda24..9f2c792 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +790,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +791,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38562,7 +38597,7 @@ index 17eda24..9f2c792 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +808,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +809,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38576,7 +38611,7 @@ index 17eda24..9f2c792 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +823,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +824,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38590,7 +38625,7 @@ index 17eda24..9f2c792 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +836,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +837,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38601,7 +38636,7 @@ index 17eda24..9f2c792 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +849,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +850,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38609,7 +38644,7 @@ index 17eda24..9f2c792 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +868,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +869,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38633,7 +38668,7 @@ index 17eda24..9f2c792 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +901,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +902,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38641,7 +38676,7 @@ index 17eda24..9f2c792 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +935,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +936,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38652,7 +38687,7 @@ index 17eda24..9f2c792 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +959,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +960,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38661,7 +38696,7 @@ index 17eda24..9f2c792 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +974,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +975,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38669,7 +38704,7 @@ index 17eda24..9f2c792 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +995,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +996,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38677,7 +38712,7 @@ index 17eda24..9f2c792 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1005,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1006,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38722,7 +38757,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -559,14 +1050,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1051,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38754,7 +38789,7 @@ index 17eda24..9f2c792 100644 ') ') -@@ -577,6 +1085,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1086,39 @@ ifdef(`distro_suse',` ') ') @@ -38794,7 +38829,7 @@ index 17eda24..9f2c792 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1130,8 @@ optional_policy(` +@@ -589,6 +1131,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38803,7 +38838,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -610,6 +1153,7 @@ optional_policy(` +@@ -610,6 +1154,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38811,7 +38846,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -626,6 +1170,17 @@ optional_policy(` +@@ -626,6 +1171,17 @@ optional_policy(` ') optional_policy(` 
@@ -38829,7 +38864,7 @@ index 17eda24..9f2c792 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1197,13 @@ optional_policy(` +@@ -642,9 +1198,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38843,7 +38878,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -657,15 +1216,11 @@ optional_policy(` +@@ -657,15 +1217,11 @@ optional_policy(` ') optional_policy(` @@ -38861,7 +38896,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -686,6 +1241,15 @@ optional_policy(` +@@ -686,6 +1242,15 @@ optional_policy(` ') optional_policy(` @@ -38877,7 +38912,7 @@ index 17eda24..9f2c792 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1290,7 @@ optional_policy(` +@@ -726,6 +1291,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38885,7 +38920,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -743,7 +1308,13 @@ optional_policy(` +@@ -743,7 +1309,13 @@ optional_policy(` ') optional_policy(` @@ -38900,7 +38935,7 @@ index 17eda24..9f2c792 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1337,10 @@ optional_policy(` +@@ -766,6 +1338,10 @@ optional_policy(` ') optional_policy(` @@ -38911,7 +38946,7 @@ index 17eda24..9f2c792 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1350,20 @@ optional_policy(` +@@ -775,10 +1351,20 @@ optional_policy(` ') optional_policy(` @@ -38932,7 +38967,7 @@ index 17eda24..9f2c792 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1372,10 @@ optional_policy(` +@@ -787,6 +1373,10 @@ optional_policy(` ') optional_policy(` @@ -38943,7 +38978,7 @@ index 17eda24..9f2c792 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1397,6 @@ optional_policy(` +@@ -808,8 +1398,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -38952,7 +38987,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -818,6 +1405,10 @@ optional_policy(` +@@ -818,6 +1406,10 @@ optional_policy(` ') optional_policy(` @@ -38963,7 +38998,7 @@ index 17eda24..9f2c792 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1418,12 @@ optional_policy(` +@@ -827,10 +1419,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38976,7 +39011,7 @@ index 17eda24..9f2c792 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1450,62 @@ optional_policy(` +@@ -857,21 +1451,62 @@ optional_policy(` ') optional_policy(` @@ -39040,7 +39075,7 @@ index 17eda24..9f2c792 100644 ') optional_policy(` -@@ -887,6 +1521,10 @@ optional_policy(` +@@ -887,6 +1522,10 @@ optional_policy(` ') optional_policy(` @@ -39051,7 +39086,7 @@ index 17eda24..9f2c792 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1535,218 @@ optional_policy(` +@@ -897,3 +1536,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -47198,7 +47233,7 @@ index 2cea692..e3cb4f2 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..b01eb22 100644 +index a392fc4..98c5f23 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -47441,7 +47476,7 @@ index a392fc4..b01eb22 100644 vmware_append_log(dhcpc_t) ') -@@ -264,29 +322,66 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,32 +322,70 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
@@ -47508,7 +47543,11 @@ index a392fc4..b01eb22 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +394,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) ++fs_read_nsfs_files(ifconfig_t) + + selinux_dontaudit_getattr_fs(ifconfig_t) + +@@ -299,33 +395,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -47566,7 +47605,7 @@ index a392fc4..b01eb22 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +449,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +450,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -47579,7 +47618,7 @@ index a392fc4..b01eb22 100644 ') optional_policy(` -@@ -350,7 +467,16 @@ optional_policy(` +@@ -350,7 +468,16 @@ optional_policy(` ') optional_policy(` @@ -47597,7 +47636,7 @@ index a392fc4..b01eb22 100644 ') optional_policy(` -@@ -371,3 +497,17 @@ optional_policy(` +@@ -371,3 +498,17 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -51904,7 +51943,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..269ce67 100644 +index 9dc60c6..4b0a3ed 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -55501,7 +55540,7 @@ index 9dc60c6..269ce67 100644 +# +interface(`userdom_execmod_user_home_files',` + gen_require(` -+ type user_home_type; ++ attribute user_home_type; + ') + + allow $1 user_home_type:file execmod; @@ -55897,7 +55936,7 @@ index 9dc60c6..269ce67 100644 +# +interface(`userdom_dontaudit_read_inherited_admin_home_files',` + gen_require(` -+ attribute admin_home_t; ++ type admin_home_t; + ') + + dontaudit $1 admin_home_t:file read_inherited_file_perms; 
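Review bot: `fs_read_nsfs_files(ifconfig_t)` is added with no comment saying which operation needed it, and its changelog line ("Allow ifconfig_t domain read nsfs_t") is the only functional entry without a bug reference. nsfs is the kernel namespace filesystem behind /proc/<pid>/ns/*, so this grants ifconfig_t read on every process's namespace handles, not just its own; the next reader will want to know whether that breadth is required. A one-line rationale above the rule would settle it, e.g. `# <which ip(8)/ifconfig operation hit the nsfs_t denial>, see BZ(<bug id>)` with the real bug number filled in.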
@@ -55915,7 +55954,7 @@ index 9dc60c6..269ce67 100644 +# +interface(`userdom_dontaudit_append_inherited_admin_home_file',` + gen_require(` -+ attribute admin_home_t; ++ type admin_home_t; + ') + + dontaudit $1 admin_home_t:file append_inherited_file_perms; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c20e916e..0243bf0d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2280,7 +2280,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..69a4c66 100644 +index 519051c..c3a718a 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2301,7 +2301,17 @@ index 519051c..69a4c66 100644 type amanda_log_t; logging_log_file(amanda_log_t) -@@ -60,7 +63,7 @@ optional_policy(` +@@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t) + type amanda_tmp_t; + files_tmp_file(amanda_tmp_t) + ++type amanda_tmpfs_t; ++files_tmpfs_file(amanda_tmpfs_t) ++ + type amanda_amandates_t; + files_type(amanda_amandates_t) + +@@ -60,7 +66,7 @@ optional_policy(` # allow amanda_t self:capability { chown dac_override setuid kill }; @@ -2310,7 +2320,7 @@ index 519051c..69a4c66 100644 allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen }; -@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms; +@@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms; manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) 
@@ -2318,7 +2328,7 @@ index 519051c..69a4c66 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; +@@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) @@ -2326,7 +2336,18 @@ index 519051c..69a4c66 100644 manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) -@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -90,6 +98,10 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) + manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) + files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir }) + ++manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t) ++manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t) ++fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir }) ++ + can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t }) + + kernel_read_kernel_sysctls(amanda_t) +@@ -100,13 +112,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2343,7 +2364,7 @@ index 519051c..69a4c66 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +128,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) 
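Review bot: `fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir })` only relabels directories amanda_t creates directly on tmpfs; a file created at the tmpfs root has no transition and keeps the parent directory's label, so the `manage_files_pattern` rule two lines above only applies to files inside the transitioned directory. If that is the intended shape (amanda creates a directory and writes inside it) a short comment should say so; if amanda also drops files directly under /dev/shm, the class set needs `{ file dir }` like the `files_tmp_filetrans` call in the context above. The rest of this diff does not show amanda.if being updated, so whether the admin interface should also cover amanda_tmpfs_t cannot be checked from here.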
@@ -2351,7 +2372,7 @@ index 519051c..69a4c66 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -130,6 +138,7 @@ fs_list_all(amanda_t) +@@ -130,6 +145,7 @@ fs_list_all(amanda_t) storage_raw_read_fixed_disk(amanda_t) storage_read_tape(amanda_t) storage_write_tape(amanda_t) @@ -2359,7 +2380,7 @@ index 519051c..69a4c66 100644 auth_use_nsswitch(amanda_t) auth_read_shadow(amanda_t) -@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2367,7 +2388,7 @@ index 519051c..69a4c66 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +210,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -42027,10 +42048,10 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 2990962..c153d15 100644 +index 2990962..abd217f 100644 --- a/kdumpgui.te +++ b/kdumpgui.te -@@ -5,79 +5,88 @@ policy_module(kdumpgui, 1.2.0) +@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0) # Declarations # @@ -42078,6 +42099,7 @@ index 2990962..c153d15 100644 dev_read_sysfs(kdumpgui_t) +dev_read_urand(kdumpgui_t) +dev_getattr_all_blk_files(kdumpgui_t) ++dev_read_nvme(kdumpgui_t) files_manage_boot_files(kdumpgui_t) files_manage_boot_symlinks(kdumpgui_t) @@ -42138,7 +42160,7 @@ index 2990962..c153d15 100644 ') optional_policy(` -@@ -87,4 +96,10 @@ optional_policy(` +@@ -87,4 +97,10 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -104702,10 +104724,10 @@ index 0000000..821e158 +') + diff --git a/sssd.fc b/sssd.fc -index dbb005a..835122a 100644 +index dbb005a..d4328ed 100644 --- a/sssd.fc 
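Review bot: `dev_read_nvme(kdumpgui_t)` arrives without a rationale, and the `dev_getattr_all_blk_files` line directly above already lets the domain enumerate block devices, so the reader cannot tell why read access on the NVMe nodes themselves is needed rather than getattr. Read on raw device nodes is a wider grant than the other additions in this hunk, and the changelog entry for it carries no bug reference. A comment such as `# kdumpgui reads NVMe device nodes for <reason>, BZ(<bug id>)` would record the trigger.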
+++ b/sssd.fc -@@ -1,15 +1,19 @@ +@@ -1,15 +1,21 @@ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) @@ -104713,6 +104735,7 @@ index dbb005a..835122a 100644 -/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0) -/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) @@ -104731,8 +104754,9 @@ index dbb005a..835122a 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..04419ae 100644 +index a240455..d30fd1f 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -105045,7 +105069,7 @@ index a240455..04419ae 100644 ## ## ## -@@ -317,8 +408,65 @@ interface(`sssd_stream_connect',` +@@ -317,8 +408,92 @@ interface(`sssd_stream_connect',` ######################################## ## 
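Review bot: `/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0)` has no file-type field, while every other entry in this .fc hunk uses `--`; without one the spec matches whatever object appears at that path. The `sssd_filetrans_named_content` interface added later in this diff transitions exactly a `sock_file` named secrets.socket, so the two would agree with `/var/run/secrets.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)`. The `/usr/libexec/sssd/sssd_secrets` entry is consistent with the existing `/usr/sbin/sssd` line and needs no change.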
@@ -105108,12 +105132,39 @@ index a240455..04419ae 100644 + +######################################## +## ++## Transition to sssd named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_filetrans_named_content',` ++ gen_require(` ++ type sssd_var_run_t; ++ type sssd_var_log_t; ++ type sssd_var_lib_t; ++ type sssd_public_t; ++ type sssd_conf_t; ++ ') ++ ++ files_pid_filetrans($1, sssd_var_run_t, sock_file, "secrets.socket") ++ logging_log_filetrans($1, sssd_var_log_t, dir, "sssd") ++ files_var_lib_filetrans($1, sssd_var_lib_t, dir, "sss") ++ filestrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc") ++ filestrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf") ++ etc_filestrans($1, sssd_conf_t, dir, "sssd") ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an sssd environment ## ## ## -@@ -327,7 +475,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +502,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -105122,7 +105173,7 @@ index a240455..04419ae 100644 ## ## ## -@@ -335,27 +483,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +510,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -105164,7 +105215,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..a28dfe7 100644 +index 2d8db1f..1139567 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) 
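Review bot: `filestrans_pattern(...)` and `etc_filestrans(...)` in the new `sssd_filetrans_named_content` do not match the macro names used elsewhere in this same diff — `filetrans_pattern(amanda_t, …)` in amanda.te and `files_etc_filetrans($1, net_conf_t, file)` in sysnetwork.if. m4 leaves an undefined macro name unexpanded, so the first domain that calls this interface would fail at policy build time, and if nothing calls it yet the defect stays latent and the named transitions (including the secrets.socket one) silently never apply. Unless these are local wrappers defined outside this diff, the last three rules should read `filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")`, `filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")` and `files_etc_filetrans($1, sssd_conf_t, dir, "sssd")`.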
@@ -105188,7 +105239,8 @@ index 2d8db1f..a28dfe7 100644 -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; +allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; allow sssd_t self:capability2 block_suspend; - allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; +-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; ++allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid}; allow sssd_t self:fifo_file rw_fifo_file_perms; allow sssd_t self:key manage_key_perms; -allow sssd_t self:unix_stream_socket { accept connectto listen }; @@ -114657,7 +114709,7 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..d7dc78b 100644 +index f03dcf5..b5b9ca5 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,411 @@ @@ -116249,7 +116301,7 @@ index f03dcf5..d7dc78b 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1268,370 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1268,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116462,10 +116514,7 @@ index f03dcf5..d7dc78b 100644 +files_entrypoint_all_mountpoint(svirt_sandbox_domain) +corecmd_entrypoint_all_executables(svirt_sandbox_domain) + -+files_list_var(svirt_sandbox_domain) -+files_list_var_lib(svirt_sandbox_domain) +files_search_all(svirt_sandbox_domain) -+files_read_config_files(svirt_sandbox_domain) +files_read_usr_symlinks(svirt_sandbox_domain) +files_search_locks(svirt_sandbox_domain) +files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) 
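Review bot: `allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};` drops the space before the closing brace that every other permission set in this file keeps, which is a style nit but also the kind of line a later grep for `setpgid }` would miss. Write it as `allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid };`. The permission itself is a self-only process-group change and is consistent with the changelog entry and BZ(1411437).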
@@ -116473,10 +116522,9 @@ index f03dcf5..d7dc78b 100644 +fs_getattr_all_fs(svirt_sandbox_domain) +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) -+fs_read_fusefs_files(svirt_sandbox_domain) +fs_read_hugetlbfs_files(svirt_sandbox_domain) +fs_read_tmpfs_symlinks(svirt_sandbox_domain) -+fs_list_tmpfs(svirt_sandbox_domain) ++fs_search_tmpfs(svirt_sandbox_domain) +fs_rw_hugetlbfs_files(svirt_sandbox_domain) + + @@ -116485,9 +116533,7 @@ index f03dcf5..d7dc78b 100644 +auth_dontaudit_write_login_records(svirt_sandbox_domain) +auth_search_pam_console_data(svirt_sandbox_domain) + -+clock_read_adjtime(svirt_sandbox_domain) -+ -+init_read_utmp(svirt_sandbox_domain) ++init_dontaudit_read_utmp(svirt_sandbox_domain) +init_dontaudit_write_utmp(svirt_sandbox_domain) + +libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) @@ -116497,8 +116543,6 @@ index f03dcf5..d7dc78b 100644 +miscfiles_read_fonts(svirt_sandbox_domain) +miscfiles_read_hwdata(svirt_sandbox_domain) + -+systemd_read_unit_files(svirt_sandbox_domain) -+ +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) @@ -116575,7 +116619,6 @@ index f03dcf5..d7dc78b 100644 +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; +virt_default_capabilities(container_t) -+typeattribute container_t sandbox_net_domain; +dontaudit container_t self:capability fsetid; +dontaudit container_t self:capability2 block_suspend ; +allow container_t self:process { execstack execmem }; 
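Review bot: This and the following virt.te hunks narrow svirt_sandbox_domain and container_t — `fs_list_tmpfs` becomes `fs_search_tmpfs`, `init_read_utmp` becomes `init_dontaudit_read_utmp`, and the fusefs-read, adjtime, unit-file-read, cgroup mount/manage, xattr-fs unmount rules and the `typeattribute container_t sandbox_net_domain;` line are removed — yet the spec changelog in this commit has no entry for any of it. The commit also replaces container-selinux.tgz, so these rules may simply have moved there, but that is not stated anywhere; a container that relied on the cgroup or fusefs access will now see denials that nobody can trace back to this release. Add one changelog line naming the virt.te reductions and, if applicable, that container_t's rules now live in container-selinux, e.g. `- Drop container_t rules from virt.te that are now shipped by container-selinux`.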
@@ -116663,12 +116706,6 @@ index f03dcf5..d7dc78b 100644 -auth_use_nsswitch(svirt_lxc_net_t) +fs_noxattr_type(container_file_t) -+# Do we actually need these? -+fs_mount_cgroup(container_t) -+fs_manage_cgroup_dirs(container_t) -+fs_manage_cgroup_files(container_t) -+# Needed for docker -+fs_unmount_xattr_fs(container_t) -logging_send_audit_msgs(svirt_lxc_net_t) +term_pty(container_file_t) @@ -116765,7 +116802,7 @@ index f03dcf5..d7dc78b 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1644,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1629,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116780,7 +116817,7 @@ index f03dcf5..d7dc78b 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1662,7 @@ optional_policy(` +@@ -1192,7 +1647,7 @@ optional_policy(` ######################################## # @@ -116789,7 +116826,7 @@ index f03dcf5..d7dc78b 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1671,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1656,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 24b4aa63..7b4a6187 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 235%{?dist} +Release: 236%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,16 @@ exit 0 %endif %changelog +* Thu Feb 02 2017 Lukas Vrabec - 3.13.1-236 +- Allow kdumpgui domain to read nvme device +- Add amanda_tmpfs_t label. BZ(1243752) +- Fix typo in sssd interface file +- Allow sssd_t domain setpgid BZ(1411437) +- Allow ifconfig_t domain read nsfs_t +- Allow ping_t domain to load kernel modules. +- Allow systemd to send user information back to pid1. BZ(1412750) +- rawhide-base: Fix wrong type/attribute flavors in require blocks + * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-235 - Allow libvirt daemon to create /var/chace/libvirt dir. - Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)