* Thu Feb 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236

- Allow kdumpgui domain to read nvme device
- Add amanda_tmpfs_t label. BZ(1243752)
- Fix typo in sssd interface file
- Allow sssd_t domain setpgid BZ(1411437)
- Allow ifconfig_t domain read nsfs_t
- Allow ping_t domain to load kernel modules.
- Allow systemd to send user information back to pid1. BZ(1412750)
- rawhide-base: Fix wrong type/attribute flavors in require blocks
This commit is contained in:
Lukas Vrabec 2017-02-02 12:41:29 +01:00
parent 5ed99329f5
commit bab4787609
4 changed files with 209 additions and 123 deletions

Binary file not shown.

View File

@ -2089,7 +2089,7 @@ index c6ca761..0c86bfd 100644
') ')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c44c359..ae484a0 100644 index c44c359..a3d4e61 100644
--- a/policy/modules/admin/netutils.te --- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@ -2187,11 +2187,12 @@ index c44c359..ae484a0 100644
domain_use_interactive_fds(ping_t) domain_use_interactive_fds(ping_t)
@@ -131,14 +139,13 @@ files_read_etc_files(ping_t) @@ -131,14 +139,14 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t) files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t) kernel_read_system_state(ping_t)
+kernel_read_network_state(ping_t) +kernel_read_network_state(ping_t)
+kernel_request_load_module(ping_t)
auth_use_nsswitch(ping_t) auth_use_nsswitch(ping_t)
@ -2205,7 +2206,7 @@ index c44c359..ae484a0 100644
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t) init_dontaudit_use_fds(ping_t)
@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',` @@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',`
optional_policy(` optional_policy(`
nagios_dontaudit_rw_log(ping_t) nagios_dontaudit_rw_log(ping_t)
nagios_dontaudit_rw_pipes(ping_t) nagios_dontaudit_rw_pipes(ping_t)
@ -2235,7 +2236,7 @@ index c44c359..ae484a0 100644
pcmcia_use_cardmgr_fds(ping_t) pcmcia_use_cardmgr_fds(ping_t)
') ')
@@ -161,6 +183,15 @@ optional_policy(` @@ -161,6 +184,15 @@ optional_policy(`
hotplug_use_fds(ping_t) hotplug_use_fds(ping_t)
') ')
@ -2251,7 +2252,7 @@ index c44c359..ae484a0 100644
######################################## ########################################
# #
# Traceroute local policy # Traceroute local policy
@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms; @@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t) kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t) kernel_read_network_state(traceroute_t)
@ -2259,7 +2260,7 @@ index c44c359..ae484a0 100644
corenet_all_recvfrom_netlabel(traceroute_t) corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t)
@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) @@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t) domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t) files_read_etc_files(traceroute_t)
@ -2267,7 +2268,7 @@ index c44c359..ae484a0 100644
files_dontaudit_search_var(traceroute_t) files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t) init_use_fds(traceroute_t)
@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t) @@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t) logging_send_syslog_msg(traceroute_t)
@ -10069,7 +10070,7 @@ index 0b1a871..29965c3 100644
+dev_getattr_all(devices_unconfined_type) +dev_getattr_all(devices_unconfined_type)
+ +
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..e215d29 100644 index 6a1e4d1..8f4a4cd 100644
--- a/policy/modules/kernel/domain.if --- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',` @@ -76,33 +76,8 @@ interface(`domain_type',`
@ -10108,7 +10109,18 @@ index 6a1e4d1..e215d29 100644
') ')
######################################## ########################################
@@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',` @@ -133,6 +108,10 @@ interface(`domain_entry_file',`
typeattribute $2 entry_type;
corecmd_executable_file($2)
+
+ optional_policy(`
+ unconfined_exec_typebounds($2)
+ ')
')
########################################
@@ -513,6 +492,26 @@ interface(`domain_signull_all_domains',`
######################################## ########################################
## <summary> ## <summary>
@ -10135,7 +10147,7 @@ index 6a1e4d1..e215d29 100644
## Send a stop signal to all domains. ## Send a stop signal to all domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -571,6 +566,25 @@ interface(`domain_kill_all_domains',` @@ -571,6 +570,25 @@ interface(`domain_kill_all_domains',`
######################################## ########################################
## <summary> ## <summary>
@ -10161,7 +10173,7 @@ index 6a1e4d1..e215d29 100644
## Search the process state directory (/proc/pid) of all domains. ## Search the process state directory (/proc/pid) of all domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -590,6 +604,42 @@ interface(`domain_search_all_domains_state',` @@ -590,6 +608,42 @@ interface(`domain_search_all_domains_state',`
######################################## ########################################
## <summary> ## <summary>
@ -10204,7 +10216,7 @@ index 6a1e4d1..e215d29 100644
## Do not audit attempts to search the process ## Do not audit attempts to search the process
## state directory (/proc/pid) of all domains. ## state directory (/proc/pid) of all domains.
## </summary> ## </summary>
@@ -631,7 +681,7 @@ interface(`domain_read_all_domains_state',` @@ -631,7 +685,7 @@ interface(`domain_read_all_domains_state',`
######################################## ########################################
## <summary> ## <summary>
@ -10213,7 +10225,7 @@ index 6a1e4d1..e215d29 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -655,7 +705,7 @@ interface(`domain_getattr_all_domains',` @@ -655,7 +709,7 @@ interface(`domain_getattr_all_domains',`
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -10222,7 +10234,7 @@ index 6a1e4d1..e215d29 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -1356,6 +1406,24 @@ interface(`domain_manage_all_entry_files',` @@ -1356,6 +1410,24 @@ interface(`domain_manage_all_entry_files',`
######################################## ########################################
## <summary> ## <summary>
@ -10247,7 +10259,7 @@ index 6a1e4d1..e215d29 100644
## Relabel to and from all entry point ## Relabel to and from all entry point
## file types. ## file types.
## </summary> ## </summary>
@@ -1421,7 +1489,7 @@ interface(`domain_entry_file_spec_domtrans',` @@ -1421,7 +1493,7 @@ interface(`domain_entry_file_spec_domtrans',`
## <summary> ## <summary>
## Ability to mmap a low area of the address ## Ability to mmap a low area of the address
## space conditionally, as configured by ## space conditionally, as configured by
@ -10256,7 +10268,7 @@ index 6a1e4d1..e215d29 100644
## Preventing such mappings helps protect against ## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel. ## exploiting null deref bugs in the kernel.
## </summary> ## </summary>
@@ -1448,7 +1516,7 @@ interface(`domain_mmap_low',` @@ -1448,7 +1520,7 @@ interface(`domain_mmap_low',`
## <summary> ## <summary>
## Ability to mmap a low area of the address ## Ability to mmap a low area of the address
## space unconditionally, as configured ## space unconditionally, as configured
@ -10265,7 +10277,7 @@ index 6a1e4d1..e215d29 100644
## Preventing such mappings helps protect against ## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel. ## exploiting null deref bugs in the kernel.
## </summary> ## </summary>
@@ -1508,6 +1576,40 @@ interface(`domain_unconfined_signal',` @@ -1508,6 +1580,40 @@ interface(`domain_unconfined_signal',`
######################################## ########################################
## <summary> ## <summary>
@ -10306,7 +10318,7 @@ index 6a1e4d1..e215d29 100644
## Unconfined access to domains. ## Unconfined access to domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1530,4 +1632,101 @@ interface(`domain_unconfined',` @@ -1530,4 +1636,101 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity; typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context; typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt; typeattribute $1 process_uncond_exempt;
@ -10409,7 +10421,7 @@ index 6a1e4d1..e215d29 100644
+ allow $1 domain:process rlimitinh; + allow $1 domain:process rlimitinh;
') ')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..43876e0 100644 index cf04cb5..ae8a257 100644
--- a/policy/modules/kernel/domain.te --- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -10565,7 +10577,7 @@ index cf04cb5..43876e0 100644
# Create/access any System V IPC objects. # Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *; allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -160,11 +237,382 @@ allow unconfined_domain_type domain:msg { send receive }; @@ -160,11 +237,386 @@ allow unconfined_domain_type domain:msg { send receive };
# For /proc/pid # For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms; allow unconfined_domain_type domain:dir list_dir_perms;
@ -10799,6 +10811,10 @@ index cf04cb5..43876e0 100644
+') +')
+ +
+optional_policy(` +optional_policy(`
+ sssd_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+ tftp_filetrans_named_content(named_filetrans_domain) + tftp_filetrans_named_content(named_filetrans_domain)
+') +')
+ +
@ -21648,7 +21664,7 @@ index 7be4ddf..9710b33 100644
+/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0)
+/sys/kernel/debug/.* <<none>> +/sys/kernel/debug/.* <<none>>
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..8139871 100644 index e100d88..342fb1e 100644
--- a/policy/modules/kernel/kernel.if --- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -22385,7 +22401,7 @@ index e100d88..8139871 100644
+####################################### +#######################################
+## <summary> +## <summary>
+## Allow the specified domain to read/write on +## Allow the specified domain to read/write on
+## the kernel with a unix socket. +## the kernel with a unix stream socket.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
+## <summary> +## <summary>
@ -26785,10 +26801,10 @@ index 0000000..d9efb90
+#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) +#/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644 new file mode 100644
index 0000000..15b42ae index 0000000..f730286
--- /dev/null --- /dev/null
+++ b/policy/modules/roles/unconfineduser.if +++ b/policy/modules/roles/unconfineduser.if
@@ -0,0 +1,727 @@ @@ -0,0 +1,745 @@
+## <summary>Unconfined user role</summary> +## <summary>Unconfined user role</summary>
+ +
+######################################## +########################################
@ -27516,6 +27532,24 @@ index 0000000..15b42ae
+ typebounds unconfined_t $1; + typebounds unconfined_t $1;
+') +')
+ +
+########################################
+## <summary>
+## unconfined_exec_t domain typebounds file_type.
+## </summary>
+## <param name="domain">
+## <summary>
+## File type to be typebound.
+## </summary>
+## </param>
+#
+interface(`unconfined_exec_typebounds',`
+ gen_require(`
+ type unconfined_exec_t;
+ ')
+
+ typebounds unconfined_exec_t $1;
+')
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644 new file mode 100644
index 0000000..60c3f9d index 0000000..60c3f9d
@ -37792,7 +37826,7 @@ index 79a45f6..6126f21 100644
+ allow $1 init_var_lib_t:dir search_dir_perms; + allow $1 init_var_lib_t:dir search_dir_perms;
') ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..9f2c792 100644 index 17eda24..136864b 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(` @@ -11,10 +11,31 @@ gen_require(`
@ -37972,11 +38006,12 @@ index 17eda24..9f2c792 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms; allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file) dev_filetrans(init_t, initctl_t, fifo_file)
@@ -125,13 +212,24 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; @@ -125,13 +212,25 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t) kernel_read_system_state(init_t)
kernel_share_state(init_t) kernel_share_state(init_t)
+kernel_stream_connect(init_t) +kernel_rw_stream_socket_perms(init_t)
+kernel_rw_unix_dgram_sockets(init_t)
+kernel_mounton_systemd_ProtectKernelTunables(init_t) +kernel_mounton_systemd_ProtectKernelTunables(init_t)
corecmd_exec_chroot(init_t) corecmd_exec_chroot(init_t)
@ -37998,7 +38033,7 @@ index 17eda24..9f2c792 100644
domain_getpgid_all_domains(init_t) domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t) domain_kill_all_domains(init_t)
@@ -139,14 +237,26 @@ domain_signal_all_domains(init_t) @@ -139,14 +238,26 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t) domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t) domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t) domain_sigchld_all_domains(init_t)
@ -38027,7 +38062,7 @@ index 17eda24..9f2c792 100644
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t) files_dontaudit_rw_root_chr_files(init_t)
@@ -155,29 +265,73 @@ fs_list_inotifyfs(init_t) @@ -155,29 +266,73 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log # cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t) fs_write_ramfs_sockets(init_t)
@ -38106,7 +38141,7 @@ index 17eda24..9f2c792 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap }; allow init_t self:process { getcap setcap };
@@ -186,29 +340,275 @@ ifdef(`distro_gentoo',` @@ -186,29 +341,275 @@ ifdef(`distro_gentoo',`
') ')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@ -38391,7 +38426,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -216,7 +616,30 @@ optional_policy(` @@ -216,7 +617,30 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38423,7 +38458,7 @@ index 17eda24..9f2c792 100644
') ')
######################################## ########################################
@@ -225,9 +648,9 @@ optional_policy(` @@ -225,9 +649,9 @@ optional_policy(`
# #
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38435,7 +38470,7 @@ index 17eda24..9f2c792 100644
allow initrc_t self:passwd rootok; allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms; allow initrc_t self:key manage_key_perms;
@@ -258,12 +681,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) @@ -258,12 +682,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms; allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file) files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38452,7 +38487,7 @@ index 17eda24..9f2c792 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +706,36 @@ kernel_change_ring_buffer_level(initrc_t) @@ -279,23 +707,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t) kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t) kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t) kernel_read_all_sysctls(initrc_t)
@ -38495,7 +38530,7 @@ index 17eda24..9f2c792 100644
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +743,11 @@ corenet_sendrecv_all_client_packets(initrc_t) @@ -303,9 +744,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)
@ -38507,7 +38542,7 @@ index 17eda24..9f2c792 100644
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t) dev_read_framebuffer(initrc_t)
@@ -313,8 +755,10 @@ dev_write_framebuffer(initrc_t) @@ -313,8 +756,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t) dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t) dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
@ -38518,7 +38553,7 @@ index 17eda24..9f2c792 100644
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
@@ -322,8 +766,7 @@ dev_manage_generic_files(initrc_t) @@ -322,8 +767,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
@ -38528,7 +38563,7 @@ index 17eda24..9f2c792 100644
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)
@@ -332,7 +775,6 @@ domain_sigstop_all_domains(initrc_t) @@ -332,7 +776,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t) domain_getattr_all_domains(initrc_t)
@ -38536,7 +38571,7 @@ index 17eda24..9f2c792 100644
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -340,6 +782,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -340,6 +783,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38544,7 +38579,7 @@ index 17eda24..9f2c792 100644
files_getattr_all_dirs(initrc_t) files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
@@ -347,14 +790,15 @@ files_getattr_all_symlinks(initrc_t) @@ -347,14 +791,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -38562,7 +38597,7 @@ index 17eda24..9f2c792 100644
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t) files_manage_generic_spool(initrc_t)
@@ -364,8 +808,12 @@ files_list_isid_type_dirs(initrc_t) @@ -364,8 +809,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
@ -38576,7 +38611,7 @@ index 17eda24..9f2c792 100644
fs_list_inotifyfs(initrc_t) fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -375,10 +823,11 @@ fs_mount_all_fs(initrc_t) @@ -375,10 +824,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t) fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t) fs_getattr_all_fs(initrc_t)
@ -38590,7 +38625,7 @@ index 17eda24..9f2c792 100644
mcs_process_set_categories(initrc_t) mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t) mls_file_read_all_levels(initrc_t)
@@ -387,8 +836,10 @@ mls_process_read_up(initrc_t) @@ -387,8 +837,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t) mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t) mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t) mls_fd_share_all_levels(initrc_t)
@ -38601,7 +38636,7 @@ index 17eda24..9f2c792 100644
storage_getattr_fixed_disk_dev(initrc_t) storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +849,7 @@ term_use_all_terms(initrc_t) @@ -398,6 +850,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t) auth_rw_login_records(initrc_t)
@ -38609,7 +38644,7 @@ index 17eda24..9f2c792 100644
auth_setattr_login_records(initrc_t) auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t) auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t) auth_read_pam_pid(initrc_t)
@@ -416,20 +868,18 @@ logging_read_all_logs(initrc_t) @@ -416,20 +869,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t) logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t) logging_read_audit_config(initrc_t)
@ -38633,7 +38668,7 @@ index 17eda24..9f2c792 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +901,6 @@ ifdef(`distro_gentoo',` @@ -451,7 +902,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate; allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t) dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t) dev_create_zero_dev(initrc_t)
@ -38641,7 +38676,7 @@ index 17eda24..9f2c792 100644
term_create_console_dev(initrc_t) term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks # unfortunately /sbin/rc does stupid tricks
@@ -486,6 +935,10 @@ ifdef(`distro_gentoo',` @@ -486,6 +936,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t) sysnet_setattr_config(initrc_t)
optional_policy(` optional_policy(`
@ -38652,7 +38687,7 @@ index 17eda24..9f2c792 100644
alsa_read_lib(initrc_t) alsa_read_lib(initrc_t)
') ')
@@ -506,7 +959,7 @@ ifdef(`distro_redhat',` @@ -506,7 +960,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -38661,7 +38696,7 @@ index 17eda24..9f2c792 100644
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd # These seem to be from the initrd
@@ -521,6 +974,7 @@ ifdef(`distro_redhat',` @@ -521,6 +975,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t) files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
@ -38669,7 +38704,7 @@ index 17eda24..9f2c792 100644
# wants to read /.fonts directory # wants to read /.fonts directory
files_read_default_files(initrc_t) files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t) files_mountpoint(initrc_tmp_t)
@@ -541,6 +995,7 @@ ifdef(`distro_redhat',` @@ -541,6 +996,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t) miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t) miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t) miscfiles_relabel_localization(initrc_t)
@ -38677,7 +38712,7 @@ index 17eda24..9f2c792 100644
miscfiles_read_fonts(initrc_t) miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t) miscfiles_read_hwdata(initrc_t)
@@ -550,8 +1005,44 @@ ifdef(`distro_redhat',` @@ -550,8 +1006,44 @@ ifdef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -38722,7 +38757,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -559,14 +1050,31 @@ ifdef(`distro_redhat',` @@ -559,14 +1051,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t) rpc_manage_nfs_state_data(initrc_t)
') ')
@ -38754,7 +38789,7 @@ index 17eda24..9f2c792 100644
') ')
') ')
@@ -577,6 +1085,39 @@ ifdef(`distro_suse',` @@ -577,6 +1086,39 @@ ifdef(`distro_suse',`
') ')
') ')
@ -38794,7 +38829,7 @@ index 17eda24..9f2c792 100644
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1130,8 @@ optional_policy(` @@ -589,6 +1131,8 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(initrc_t) apache_read_config(initrc_t)
apache_list_modules(initrc_t) apache_list_modules(initrc_t)
@ -38803,7 +38838,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -610,6 +1153,7 @@ optional_policy(` @@ -610,6 +1154,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cgroup_stream_connect_cgred(initrc_t) cgroup_stream_connect_cgred(initrc_t)
@ -38811,7 +38846,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -626,6 +1170,17 @@ optional_policy(` @@ -626,6 +1171,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38829,7 +38864,7 @@ index 17eda24..9f2c792 100644
dev_getattr_printer_dev(initrc_t) dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t) cups_read_log(initrc_t)
@@ -642,9 +1197,13 @@ optional_policy(` @@ -642,9 +1198,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -38843,7 +38878,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -657,15 +1216,11 @@ optional_policy(` @@ -657,15 +1217,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38861,7 +38896,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -686,6 +1241,15 @@ optional_policy(` @@ -686,6 +1242,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38877,7 +38912,7 @@ index 17eda24..9f2c792 100644
inn_exec_config(initrc_t) inn_exec_config(initrc_t)
') ')
@@ -726,6 +1290,7 @@ optional_policy(` @@ -726,6 +1291,7 @@ optional_policy(`
lpd_list_spool(initrc_t) lpd_list_spool(initrc_t)
lpd_read_config(initrc_t) lpd_read_config(initrc_t)
@ -38885,7 +38920,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -743,7 +1308,13 @@ optional_policy(` @@ -743,7 +1309,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38900,7 +38935,7 @@ index 17eda24..9f2c792 100644
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@@ -766,6 +1337,10 @@ optional_policy(` @@ -766,6 +1338,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38911,7 +38946,7 @@ index 17eda24..9f2c792 100644
postgresql_manage_db(initrc_t) postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t) postgresql_read_config(initrc_t)
') ')
@@ -775,10 +1350,20 @@ optional_policy(` @@ -775,10 +1351,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38932,7 +38967,7 @@ index 17eda24..9f2c792 100644
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')
@@ -787,6 +1372,10 @@ optional_policy(` @@ -787,6 +1373,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38943,7 +38978,7 @@ index 17eda24..9f2c792 100644
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -808,8 +1397,6 @@ optional_policy(` @@ -808,8 +1398,6 @@ optional_policy(`
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -38952,7 +38987,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -818,6 +1405,10 @@ optional_policy(` @@ -818,6 +1406,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -38963,7 +38998,7 @@ index 17eda24..9f2c792 100644
# shorewall-init script run /var/lib/shorewall/firewall # shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t) shorewall_lib_domtrans(initrc_t)
') ')
@@ -827,10 +1418,12 @@ optional_policy(` @@ -827,10 +1419,12 @@ optional_policy(`
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -38976,7 +39011,7 @@ index 17eda24..9f2c792 100644
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1450,62 @@ optional_policy(` @@ -857,21 +1451,62 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39040,7 +39075,7 @@ index 17eda24..9f2c792 100644
') ')
optional_policy(` optional_policy(`
@@ -887,6 +1521,10 @@ optional_policy(` @@ -887,6 +1522,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -39051,7 +39086,7 @@ index 17eda24..9f2c792 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1535,218 @@ optional_policy(` @@ -897,3 +1536,218 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -47198,7 +47233,7 @@ index 2cea692..e3cb4f2 100644
+ files_etc_filetrans($1, net_conf_t, file) + files_etc_filetrans($1, net_conf_t, file)
+') +')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..b01eb22 100644 index a392fc4..98c5f23 100644
--- a/policy/modules/system/sysnetwork.te --- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -47441,7 +47476,7 @@ index a392fc4..b01eb22 100644
vmware_append_log(dhcpc_t) vmware_append_log(dhcpc_t)
') ')
@@ -264,29 +322,66 @@ allow ifconfig_t self:msgq create_msgq_perms; @@ -264,32 +322,70 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive }; allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc # Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms; allow ifconfig_t self:udp_socket create_socket_perms;
@ -47508,7 +47543,11 @@ index a392fc4..b01eb22 100644
fs_getattr_xattr_fs(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t)
@@ -299,33 +394,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +fs_read_nsfs_files(ifconfig_t)
selinux_dontaudit_getattr_fs(ifconfig_t)
@@ -299,33 +395,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t)
@ -47566,7 +47605,7 @@ index a392fc4..b01eb22 100644
optional_policy(` optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t) dev_dontaudit_rw_cardmgr(ifconfig_t)
') ')
@@ -336,7 +449,11 @@ ifdef(`hide_broken_symptoms',` @@ -336,7 +450,11 @@ ifdef(`hide_broken_symptoms',`
') ')
optional_policy(` optional_policy(`
@ -47579,7 +47618,7 @@ index a392fc4..b01eb22 100644
') ')
optional_policy(` optional_policy(`
@@ -350,7 +467,16 @@ optional_policy(` @@ -350,7 +468,16 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -47597,7 +47636,7 @@ index a392fc4..b01eb22 100644
') ')
optional_policy(` optional_policy(`
@@ -371,3 +497,17 @@ optional_policy(` @@ -371,3 +498,17 @@ optional_policy(`
xen_append_log(ifconfig_t) xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
') ')
@ -51904,7 +51943,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+ +
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..269ce67 100644 index 9dc60c6..4b0a3ed 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -55501,7 +55540,7 @@ index 9dc60c6..269ce67 100644
+# +#
+interface(`userdom_execmod_user_home_files',` +interface(`userdom_execmod_user_home_files',`
+ gen_require(` + gen_require(`
+ type user_home_type; + attribute user_home_type;
+ ') + ')
+ +
+ allow $1 user_home_type:file execmod; + allow $1 user_home_type:file execmod;
@ -55897,7 +55936,7 @@ index 9dc60c6..269ce67 100644
+# +#
+interface(`userdom_dontaudit_read_inherited_admin_home_files',` +interface(`userdom_dontaudit_read_inherited_admin_home_files',`
+ gen_require(` + gen_require(`
+ attribute admin_home_t; + type admin_home_t;
+ ') + ')
+ +
+ dontaudit $1 admin_home_t:file read_inherited_file_perms; + dontaudit $1 admin_home_t:file read_inherited_file_perms;
@ -55915,7 +55954,7 @@ index 9dc60c6..269ce67 100644
+# +#
+interface(`userdom_dontaudit_append_inherited_admin_home_file',` +interface(`userdom_dontaudit_append_inherited_admin_home_file',`
+ gen_require(` + gen_require(`
+ attribute admin_home_t; + type admin_home_t;
+ ') + ')
+ +
+ dontaudit $1 admin_home_t:file append_inherited_file_perms; + dontaudit $1 admin_home_t:file append_inherited_file_perms;


@ -2280,7 +2280,7 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te diff --git a/amanda.te b/amanda.te
index 519051c..69a4c66 100644 index 519051c..c3a718a 100644
--- a/amanda.te --- a/amanda.te
+++ b/amanda.te +++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@ -2301,7 +2301,17 @@ index 519051c..69a4c66 100644
type amanda_log_t; type amanda_log_t;
logging_log_file(amanda_log_t) logging_log_file(amanda_log_t)
@@ -60,7 +63,7 @@ optional_policy(` @@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t)
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
+type amanda_tmpfs_t;
+files_tmpfs_file(amanda_tmpfs_t)
+
type amanda_amandates_t;
files_type(amanda_amandates_t)
@@ -60,7 +66,7 @@ optional_policy(`
# #
allow amanda_t self:capability { chown dac_override setuid kill }; allow amanda_t self:capability { chown dac_override setuid kill };
@ -2310,7 +2320,7 @@ index 519051c..69a4c66 100644
allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen };
@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms; @@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@ -2318,7 +2328,7 @@ index 519051c..69a4c66 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms; allow amanda_t amanda_dumpdates_t:file rw_file_perms;
@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; @@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
@ -2326,7 +2336,18 @@ index 519051c..69a4c66 100644
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) @@ -90,6 +98,10 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
+manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t)
+fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir })
+
can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t })
kernel_read_kernel_sysctls(amanda_t)
@@ -100,13 +112,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t) corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t) corecmd_exec_bin(amanda_t)
@ -2343,7 +2364,7 @@ index 519051c..69a4c66 100644
corenet_sendrecv_all_server_packets(amanda_t) corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t) corenet_tcp_bind_generic_port(amanda_t)
@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) @@ -114,6 +128,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t) dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t) dev_getattr_all_chr_files(amanda_t)
@ -2351,7 +2372,7 @@ index 519051c..69a4c66 100644
files_read_etc_runtime_files(amanda_t) files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t) files_list_all(amanda_t)
@@ -130,6 +138,7 @@ fs_list_all(amanda_t) @@ -130,6 +145,7 @@ fs_list_all(amanda_t)
storage_raw_read_fixed_disk(amanda_t) storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t) storage_read_tape(amanda_t)
storage_write_tape(amanda_t) storage_write_tape(amanda_t)
@ -2359,7 +2380,7 @@ index 519051c..69a4c66 100644
auth_use_nsswitch(amanda_t) auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t) auth_read_shadow(amanda_t)
@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t) @@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t) corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t) corecmd_exec_bin(amanda_recover_t)
@ -2367,7 +2388,7 @@ index 519051c..69a4c66 100644
corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t)
@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t) @@ -195,12 +210,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t) auth_use_nsswitch(amanda_recover_t)
@ -42027,10 +42048,10 @@ index 182ab8b..8b1d9c2 100644
+') +')
+ +
diff --git a/kdumpgui.te b/kdumpgui.te diff --git a/kdumpgui.te b/kdumpgui.te
index 2990962..c153d15 100644 index 2990962..abd217f 100644
--- a/kdumpgui.te --- a/kdumpgui.te
+++ b/kdumpgui.te +++ b/kdumpgui.te
@@ -5,79 +5,88 @@ policy_module(kdumpgui, 1.2.0) @@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0)
# Declarations # Declarations
# #
@ -42078,6 +42099,7 @@ index 2990962..c153d15 100644
dev_read_sysfs(kdumpgui_t) dev_read_sysfs(kdumpgui_t)
+dev_read_urand(kdumpgui_t) +dev_read_urand(kdumpgui_t)
+dev_getattr_all_blk_files(kdumpgui_t) +dev_getattr_all_blk_files(kdumpgui_t)
+dev_read_nvme(kdumpgui_t)
files_manage_boot_files(kdumpgui_t) files_manage_boot_files(kdumpgui_t)
files_manage_boot_symlinks(kdumpgui_t) files_manage_boot_symlinks(kdumpgui_t)
@ -42138,7 +42160,7 @@ index 2990962..c153d15 100644
') ')
optional_policy(` optional_policy(`
@@ -87,4 +96,10 @@ optional_policy(` @@ -87,4 +97,10 @@ optional_policy(`
optional_policy(` optional_policy(`
kdump_manage_config(kdumpgui_t) kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t)
@ -104702,10 +104724,10 @@ index 0000000..821e158
+') +')
+ +
diff --git a/sssd.fc b/sssd.fc diff --git a/sssd.fc b/sssd.fc
index dbb005a..835122a 100644 index dbb005a..d4328ed 100644
--- a/sssd.fc --- a/sssd.fc
+++ b/sssd.fc +++ b/sssd.fc
@@ -1,15 +1,19 @@ @@ -1,15 +1,21 @@
/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
@ -104713,6 +104735,7 @@ index dbb005a..835122a 100644
-/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) -/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0)
-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) -/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) +/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0)
@ -104731,8 +104754,9 @@ index dbb005a..835122a 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if diff --git a/sssd.if b/sssd.if
index a240455..04419ae 100644 index a240455..d30fd1f 100644
--- a/sssd.if --- a/sssd.if
+++ b/sssd.if +++ b/sssd.if
@@ -1,21 +1,21 @@ @@ -1,21 +1,21 @@
@ -105045,7 +105069,7 @@ index a240455..04419ae 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -317,8 +408,65 @@ interface(`sssd_stream_connect',` @@ -317,8 +408,92 @@ interface(`sssd_stream_connect',`
######################################## ########################################
## <summary> ## <summary>
@ -105108,12 +105132,39 @@ index a240455..04419ae 100644
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Transition to sssd named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_filetrans_named_content',`
+ gen_require(`
+ type sssd_var_run_t;
+ type sssd_var_log_t;
+ type sssd_var_lib_t;
+ type sssd_public_t;
+ type sssd_conf_t;
+ ')
+
+ files_pid_filetrans($1, sssd_var_run_t, sock_file, "secrets.socket")
+ logging_log_filetrans($1, sssd_var_log_t, dir, "sssd")
+ files_var_lib_filetrans($1, sssd_var_lib_t, dir, "sss")
+ filestrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")
+ filestrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")
+ etc_filestrans($1, sssd_conf_t, dir, "sssd")
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate +## All of the rules required to administrate
+## an sssd environment +## an sssd environment
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -327,7 +475,7 @@ interface(`sssd_stream_connect',` @@ -327,7 +502,7 @@ interface(`sssd_stream_connect',`
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -105122,7 +105173,7 @@ index a240455..04419ae 100644
## </summary> ## </summary>
## </param> ## </param>
## <rolecap/> ## <rolecap/>
@@ -335,27 +483,29 @@ interface(`sssd_stream_connect',` @@ -335,27 +510,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',` interface(`sssd_admin',`
gen_require(` gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t; type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@ -105164,7 +105215,7 @@ index a240455..04419ae 100644
- admin_pattern($1, sssd_log_t) - admin_pattern($1, sssd_log_t)
') ')
diff --git a/sssd.te b/sssd.te diff --git a/sssd.te b/sssd.te
index 2d8db1f..a28dfe7 100644 index 2d8db1f..1139567 100644
--- a/sssd.te --- a/sssd.te
+++ b/sssd.te +++ b/sssd.te
@@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t)
@ -105188,7 +105239,8 @@ index 2d8db1f..a28dfe7 100644
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
+allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; +allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
allow sssd_t self:capability2 block_suspend; allow sssd_t self:capability2 block_suspend;
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; -allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};
allow sssd_t self:fifo_file rw_fifo_file_perms; allow sssd_t self:fifo_file rw_fifo_file_perms;
allow sssd_t self:key manage_key_perms; allow sssd_t self:key manage_key_perms;
-allow sssd_t self:unix_stream_socket { accept connectto listen }; -allow sssd_t self:unix_stream_socket { accept connectto listen };
@ -114657,7 +114709,7 @@ index facdee8..2cff369 100644
+ domtrans_pattern($1,container_file_t, $2) + domtrans_pattern($1,container_file_t, $2)
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index f03dcf5..d7dc78b 100644 index f03dcf5..b5b9ca5 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,451 +1,411 @@ @@ -1,451 +1,411 @@
@ -116249,7 +116301,7 @@ index f03dcf5..d7dc78b 100644
selinux_get_enforce_mode(virtd_lxc_t) selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t) selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1268,370 @@ selinux_compute_create_context(virtd_lxc_t) @@ -974,194 +1268,355 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t)
@ -116462,10 +116514,7 @@ index f03dcf5..d7dc78b 100644
+files_entrypoint_all_mountpoint(svirt_sandbox_domain) +files_entrypoint_all_mountpoint(svirt_sandbox_domain)
+corecmd_entrypoint_all_executables(svirt_sandbox_domain) +corecmd_entrypoint_all_executables(svirt_sandbox_domain)
+ +
+files_list_var(svirt_sandbox_domain)
+files_list_var_lib(svirt_sandbox_domain)
+files_search_all(svirt_sandbox_domain) +files_search_all(svirt_sandbox_domain)
+files_read_config_files(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain) +files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain) +files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
@ -116473,10 +116522,9 @@ index f03dcf5..d7dc78b 100644
+fs_getattr_all_fs(svirt_sandbox_domain) +fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain) +fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain) +fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain) +fs_read_tmpfs_symlinks(svirt_sandbox_domain)
+fs_list_tmpfs(svirt_sandbox_domain) +fs_search_tmpfs(svirt_sandbox_domain)
+fs_rw_hugetlbfs_files(svirt_sandbox_domain) +fs_rw_hugetlbfs_files(svirt_sandbox_domain)
+ +
+ +
@ -116485,9 +116533,7 @@ index f03dcf5..d7dc78b 100644
+auth_dontaudit_write_login_records(svirt_sandbox_domain) +auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain) +auth_search_pam_console_data(svirt_sandbox_domain)
+ +
+clock_read_adjtime(svirt_sandbox_domain) +init_dontaudit_read_utmp(svirt_sandbox_domain)
+
+init_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain) +init_dontaudit_write_utmp(svirt_sandbox_domain)
+ +
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) +libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
@ -116497,8 +116543,6 @@ index f03dcf5..d7dc78b 100644
+miscfiles_read_fonts(svirt_sandbox_domain) +miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain) +miscfiles_read_hwdata(svirt_sandbox_domain)
+ +
+systemd_read_unit_files(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
@ -116575,7 +116619,6 @@ index f03dcf5..d7dc78b 100644
+virt_sandbox_domain_template(container) +virt_sandbox_domain_template(container)
+typealias container_t alias svirt_lxc_net_t; +typealias container_t alias svirt_lxc_net_t;
+virt_default_capabilities(container_t) +virt_default_capabilities(container_t)
+typeattribute container_t sandbox_net_domain;
+dontaudit container_t self:capability fsetid; +dontaudit container_t self:capability fsetid;
+dontaudit container_t self:capability2 block_suspend ; +dontaudit container_t self:capability2 block_suspend ;
+allow container_t self:process { execstack execmem }; +allow container_t self:process { execstack execmem };
@ -116663,12 +116706,6 @@ index f03dcf5..d7dc78b 100644
-auth_use_nsswitch(svirt_lxc_net_t) -auth_use_nsswitch(svirt_lxc_net_t)
+fs_noxattr_type(container_file_t) +fs_noxattr_type(container_file_t)
+# Do we actually need these?
+fs_mount_cgroup(container_t)
+fs_manage_cgroup_dirs(container_t)
+fs_manage_cgroup_files(container_t)
+# Needed for docker
+fs_unmount_xattr_fs(container_t)
-logging_send_audit_msgs(svirt_lxc_net_t) -logging_send_audit_msgs(svirt_lxc_net_t)
+term_pty(container_file_t) +term_pty(container_file_t)
@ -116765,7 +116802,7 @@ index f03dcf5..d7dc78b 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1644,12 @@ dev_read_sysfs(virt_qmf_t) @@ -1174,12 +1629,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t) dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t) dev_read_urand(virt_qmf_t)
@ -116780,7 +116817,7 @@ index f03dcf5..d7dc78b 100644
sysnet_read_config(virt_qmf_t) sysnet_read_config(virt_qmf_t)
optional_policy(` optional_policy(`
@@ -1192,7 +1662,7 @@ optional_policy(` @@ -1192,7 +1647,7 @@ optional_policy(`
######################################## ########################################
# #
@ -116789,7 +116826,7 @@ index f03dcf5..d7dc78b 100644
# #
allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:process { setcap getcap };
@@ -1201,11 +1671,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; @@ -1201,11 +1656,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
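Review bot: Two macro names in the newly added `sssd_filetrans_named_content` interface in the sssd.if hunk look misspelled: `filestrans_pattern` on the two `sssd_public_t` lines and `etc_filestrans` on the `sssd_conf_t` line. Elsewhere in this same patch the names are spelled `filetrans_pattern` (the amanda.te hunk) and `files_etc_filetrans` (the sysnetwork.if hunk), so as written these three calls would presumably not expand during the m4 pass and the sssd module would fail to build. The lines should read `filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")`, `filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")` and `files_etc_filetrans($1, sssd_conf_t, dir, "sssd")`. Separately, the new sssd.te line `allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};` is missing the space before the closing brace that every other permission set in the file uses. The virt.te hunk also drops several svirt_sandbox_domain and container_t rules (the cgroup mount/manage rules, `fs_unmount_xattr_fs`, `files_read_config_files`, `systemd_read_unit_files`, `init_read_utmp` becoming dontaudit) that the changelog does not mention, and a changelog line for that tightening would make the change easier to trace later.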


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 235%{?dist} Release: 236%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -675,6 +675,16 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Feb 02 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236
- Allow kdumpgui domain to read nvme device
- Add amanda_tmpfs_t label. BZ(1243752)
- Fix typo in sssd interface file
- Allow sssd_t domain setpgid BZ(1411437)
- Allow ifconfig_t domain read nsfs_t
- Allow ping_t domain to load kernel modules.
- Allow systemd to send user information back to pid1. BZ(1412750)
- rawhide-base: Fix wrong type/attribute flavors in require blocks
* Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235 * Tue Jan 17 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235
- Allow libvirt daemon to create /var/chace/libvirt dir. - Allow libvirt daemon to create /var/chace/libvirt dir.
- Allow systemd using ProtectKernelTunables securit feature. BZ(1392161) - Allow systemd using ProtectKernelTunables securit feature. BZ(1392161)