From c0884791adc79fdb1bb20472c18eabb69ca70c67 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Tue, 18 Apr 2017 00:12:06 +0200
Subject: [PATCH] * Tue Apr 18 2017 Lukas Vrabec - 3.13.1-250

- Allow tlp_t domain to ioctl removable devices BZ(1436830)
- Allow tlp_t domain domtrans into mount_t BZ(1442571)
- Allow lircd_t to read/write to sysfs BZ(1442443)
- Fix policy to reflect all changes in new IPA release
- Allow virtlogd_t to create tmp files with virt_tmp_t labels.
- Allow sbd_t to read/write fixed disk devices
- Add sys_ptrace capability to radiusd_t domain
- Allow cockpit_session_t domain to connect to ssh tcp ports.
- Update tomcat policy to make the ipa install process work
- Allow pcp_pmcd_t net_admin capability.
  Allow pcp_pmcd_t to read net sysctls
  Allow system_cronjob_t to create /var/run/pcp with pcp_var_run_t
- Fix all AVC denials during pkispawn of CA
  Resolves: rhbz#1436383
- Update pki interfaces and tomcat module
- Allow sendmail to search network sysctls
- Add interface gssd_noatsecure()
- Add interface gssproxy_noatsecure()
- Allow chronyd_t net_admin capability to support HW timestamping.
- Update tomcat policy.
- Allow certmonger to start haproxy service
- Fix init module
- Make groupadd_t domain a system bus client BZ(1416963)
- Make useradd_t domain a system bus client BZ(1442572)
- Allow xdm_t to getattr /dev/loop-control device BZ(1385090)
- Dontaudit gdm-session-worker to view key unknown. BZ(1433191)
- Allow init noatsecure for gssd and gssproxy
- Allow staff user to read fwupd_cache_t files
- Remove typo bugs
- Remove /proc <> from the fedora policy; it's no longer necessary
---
 container-selinux.tgz        | Bin 6461 -> 6555 bytes
 policy-rawhide-base.patch    | 611 +++++++++++++++++++------------
 policy-rawhide-contrib.patch | 675 ++++++++++++++++++++++++-----------
 selinux-policy.spec          |  31 +-
 4 files changed, 863 insertions(+), 454 deletions(-)
diff --git a/container-selinux.tgz b/container-selinux.tgz index a98f4feae423b7820789d4ad08d82ed8e2a10165..1e43445c9f8fe0a32b65a00c3a3aded59b222c7a 100644 GIT binary patch literal 6555 zcmV;M8D!=kiwFQ6J@r@s1MOXHkK8tr&e!Q*A=m*t6WBBMIB@_wyN5-xz}<%fg53q~ z!{x4{me}3e(OdK~FK2jv`&AW5iK0k~Qfp%G-87K2r&aZ^SR{+ZVv&l9ya|(>RhP;B zt4I30hR?fq-{SY1@4tJke#7VO+v{(?`|8cx*WZ74{r26rZ-MU3+v_*)z6xGHmO$#K zt(&k4g0IrsD%`QiN;mcVpY*eN{yg}hZnG?`9{%{ZBMXX><*(|Zts)kLWtk>X*d#?B zM6#m*nmh@@>U_Ym*9SH)m(fL#foD<7r+Req^A5ZS%pwm6iLNC|+D_HfK>$ zu_%kTH4CfgxZNfB`PXkQHfK_xZ5cKoH~wlb&h(_Y*kA!GHl;vTn)IMO;jQN1v}d!L z_RQ9_S^-s&G6Vcy;O7oJj3QRoQ>cg(h2_;`_kr(OJ*RJd`AD`mZ+$En+PzA4*aTl+ zn=ugLF~%w=>5Cnx*x~1>x*Lzq(H4a{Q94K2i394dRHmZtG}#3)h#xgYm9Tn-rk&%) zqidU0ER+Ib`6&1{tdO+VEtMa9{l-M|9_kqgeE8?KWK~uJ<334QEejUZ)FLaJt}jj1 z)S-S)MO!*}$9JN}|H8spQ#Up3XIFFuf>8}goJH!k_R%u}=a0>^bcgjj=)69L75kF3 zP6GMsos)ZLJx%Hc`?gK#0?6=_Pm@h^r}@od1pfvfHTR!r)Z_eImn=&52{aIINSs^Q z$mCI(G4Bw_f8yl+h<5O_j$*NF3si1U`oD*Hc+e-3FJp{lB-*3dHUWQ%b(0uV1Lje! zq_G9RBv(LbM>J}W(~J&t`Ka3e5iBNHrDFGY(07dsj8JI`C}q$b56E(tG{+zW!nOeo zH%Syw?fb<8m^-8k6+2i~$t{+Hl)qzxYRE#0ElOd)$7l>yrPz}t=1M{19g&vi6vcVB zQ5x2@r6_tfE^Eg`aq*n;@c++(qD1|N=^vgoRcosvl4`~7Sdt&SiZu@rY2&;jG{ynq z3a2Q8;OlGn?=AfI?YjQi&;Rz*7cz5@7gHwjym!}<2$+bFuCmMu z^EkMx5|e|Su?%Le&p)W|Ku6i4Af%xsIvQw)Ea2Eu_cOGqD>Dc*Z4QTJ**wgh!UGN8 zs?K0$ys@pJvo#N79&s!Tl`2PwrrMa@mJJ2>@gXV-zYY48gzuwcwdDikZVOVZqh$Q> z4$Z2T9?n>nh+&$uLq%86l?+WUzb%a6B0N^AxHW>BVo3q`kv#Ao^dNsEJn zRhbJd6vrZCdLIyzqL_4Lq~9_%BFW3(S@-M`_?}%X#)*sQW;sX=+}n{v`0ElhaP?K3 zS5cZk^Dal?bz4D_MY`b_MYK$_ngq4LfbMqyf0??W4TZX>L`d(WLGiNtyF?Jqu0@1} zI3q>OMldwzLX1}_n7dl-S)TsCA&}Si{(W+|WclrysK=si>a_uBy|yA|#p)uxy+jSH z0?S*f21j65+_QD6&oR-dT@kK;^+OsytdDrTB4pSUSt4x!I4%{;+S@SBlAO;)xDjL< zK76v0NSECMKszz?Q{=gfZ*)!vRz3&=aP;qkx&fCYqxpq3pWT1v(xAVAQZG&eF)nZ| zsUMa_^iYyT3u((b$PZeRcJ3qdf>7gpFJr>NU`u6z_v`FX$lL7y2S)@tyKs{Ur1w|Avgb~ol4cH6i`9#q0 z#oEE%ZP+$Pk*PI`_|n5KETfI&os)M;3HBQ{fHAbDzEMR1#$D0o zaZLjTcT?A~Wqd=pgFhiJw-<5I9)w!MF%?W-r@Ngn3x@fF0ba}*To>SS!h}{mlm%3m 
zd#XvjZesh&x#zvOOY@>#t{0pS#rFF{d$QP!UIa>_9T+ zlxec~AsJJwdL;dEhvbIpvV4q4_|zfNI2A(i8b?u5J(t0v_F*o7ru6QiL#p8pw#{iZ z^Qs$d3ak9tRqA-|u*Gv+DCVWNYi)jdhB|G7qW>e;RdqvoQhQv0DP}+=t};4}ba{x`sVg8Se9+@7{j*_U-8WC;aqu{_}VE@P+y|E8;d~ z=Us1j8N9iCefj!gqm5pkB*@q1K~)q@aWmJ^+B^?_Vt`Z8xl*uL8!{|0t0R%1QHslQ)VEZaH86hO+N=6we7MP~N-+uf#D2uA;GB`?MwKzIfrfKtVr&hId?7`W4 z8SKNfW*3@BLL%-HicKgrP7I}IB5n9k6>S-ui=f7Zu$dlGh$)=|^m5qzV5n{qqMu1~ z5|~n_+cu<@t{mla#Uaaze9LEsb3;k4^KG1KTerKvZ(-Vxj$wYFrx^u;OmH0&`m3HC z-E!C@o?W_)I@O3$@uzb!v!DbbXKh>2qNbMAx;ptXZKy{6+eq_jSZPe}rF&=KMy;2! zgdJuQoDZIk`%xG09EzwU!f-rNmpM*qOkx?r$;1}9#fabhN92Rm!MV;q#+AX{A#xv! z=5mU^sp`hSurc^O#FPPXj+n|cmUErUgfQgZ}dL)F74L-27h$6AI?Ixb2HbPr1zY^BJE zb@$`B5n&83v-pPCeG(u~=xZL%$1Gzov8O-8>hjdM60!oCj27VMBSwRwVdfmEmwx-O z!AND!8v6TOXPG zRxAalFvU&I2`0I2`v(*nwG}9{ndTX~SySZQ-U;T0DjO+$bHaflR+iF8sGAn`uK^6s`W~iPl8r3Mg$nLYc$f51#8_M>AR7 z)+Nhh7pFeb)v91ffd-aG=K^CyMl*meT|@~8@6r3IawpXI1XeH)$r^12rY24Do9&G_ zfYq{F-2Oa4GKmNc5hvk6gOX1dLAs>sCIIXJWKCfi!>T0Og0VF^2^Sp;cHEgPp#Qln z)H9(wS1h{aNh`PzoR(|}4~gbU-zjVceYYfavuvE3V-_A^-*>5g$aZ4w$DNw-FBcNA zOZ;8|(#Il+gao|6;-i>|_f?VglQJE0&x#nP^o{X&@`QLY)p5K?F`be<6>NO!c`@Q- zN~b5XA;(if3!z;rIzy+MqcFL6GiUlNX-_vIhXU`+Ur#-tmKXnQS(W+v(v%mpq`G!A zZH4PqSBdr!>q=S3!Kdyl!LrI83_mQbsuOGW(6Zr~k6QSFDT?coSwHz%Izo6ahcG|I z4f9q5m}bNGi7x<$2|N>G8q*7f?D}z@SAVaI{1P5Mb5-D@G2k>_!G0R=7C#UE6vsSg zDhqGeAfe&NqMP8ZsBSKS>|cwL?b|ecz>qL#AS-SuUYrMaEI5YnM;PoFDj=wfw8a=B zaQ%lMK%TgujkSG&^?=5G$#?MYiZ+c!;rMq3(=)hBuy$hr;7mUd!9V^5gdaQ^`qjEz zzxOI3SHQTO*IWopC(_vXT`w4Kw)qhYhVLNQWPPw~IM2kMJ-mJKhmkg~!LC7D2K|W& zpGdPmS?Rv`rzqaP4k9q|n1#qwwU1fGY=?VJ89uX!exw3>rZRneaBs7?O5dvi*`wWs>C?i3c&6jy+lxC<*720g z#|j?>yFX+2nDE!@qL42FY9I=z>B(> z3wO9H?%fRpq^TQpb*B#D(~ZZs*l2zCuCp`Zpdj>byw+U*`IFcy7h4s>EpuaC`h9d_ z#B5<)8aJ3RY_`ugpmdgsY*wBmL`kh?a+Nw~4TdLt$>}8BLmf4#MHESVhsa)}ptd?X zve>V1+?%#2L1ay#x+vc_jGE*Y##3x5U(m<+tc~fqFi{A9QoEEQv&oV}bW8_aPWrjR zEfDD-y5XcqdcI_TCqHN7$&&W5!l@Q-rxc9FczZD-E!yBJc{N0z1@bbf)Q z6Lt*;`+1Tr*)L#PSeBORvhvp6v1v-rA|y*xWLcTA`z`g!Y2Lx^rmqH#On!U3i+55N 
zY$Z?ajPmJ@hPp6!JjK~UuaHN5Dxs6Ow{ZjOfX8uWb4?Z|b~62l#Rh9kqoCw*p9$eTlu-{`!cpqow#fPAm*Of6 zb6x7DsL+MO90oGq_pla>llsO&Ph0mmiRE>Dmo(AQOec)i(yrg3p+ffhG*%JVp8 zDk8$?t))hSpeWt^HgiPJH#tMNVsza)V9TU zQb)=#pftqfe?of-de6`|0Y4?Rr46ZV#BB99u}Z&o55E9H2pA62p-D?jUX;hXIBY`4 zI3nL$4m!I4&x0|wqvafH0nXc9@~T9iH{4!y?=`XvF4i`Q@LglJ58Jfiah7|VN>mQs z{cO+=HBK?Hh~I4a9cGq6BZ$crO7>1%!=)H?ee4e`8o6GW8LKk01~)JGW3HN=gTfAA zDRmEnzewwewy`iLCHD}QapUXgZn;_XN^hdGNYG!?`-tBcgy)O=(~AG`k+Olgui%jj ztR__gZx%*d44+m>%;*oEf&6JYdAGkW2MjwUC3j!gT=-ock~oknyU~3*zDa&C{<`G8 zfG;V>8H3&_gZKMNPmnz+1yNYX(*Y@gH$GH-{_aOpVq<{Q1&@`@&j|kL$P5i4dH>Z! z<5+@x{Vvu#*6}Ww?|z7Swnwo$8HX? zxEuyIqunnV@$oC`Fe?$d6g#pM2BXXO-E3lZt1bX6VIYMF6o)(AwipvoQnSNMXBjOW zN$WwA-qM8ERE0w{yl)+)a#Ey4QF=l76^X*Zd|o-%-%@8uoy3$1HMu?(>x2^+CYQ$} z4xa_^h^gBUo5j^_cTFw!InQ(f!ge9G4_yxbQ4(8X4w;*9hxN6!x8RvtM5|!|*IJu- zkojt$9v-fCbt#>6A`Ss2yB29LuDW!qob5ed_4yG~gkzN;2u)eX7KUTGb3l3qLI^F% zizeAWxZ@>Beq?BoV&Jj5^m*r3_NL!K>LSI~Wn4#EHrc&{L~0(8tePi6 zxd@*ml;fh!(SeLYY6Sak7kXf@Ozu}{&~`QaXkRPS5m+8Jq7KuYe6_8^dzPx%c7MtD z$T)f8U5nmFi0*!PzA{ufBVD}_+MLUcxWJ-Ysoy5hs1(H9^P8D^QwqO0WY7p571Stsj*T-Et8uvP z#923m<+g!!rc7W?BAUUcs?$63B%8yPf8kPi9cH^wQ+bqltCC2)nujRoX`NW6)lTY~ zlG&;RaUlySV-Nq^ckkfo1>wIt>S-i*NModT*Hp4l_u(8)LfO+iNJ)XyLYrf3h@p_{ z7w6RjCG#ET3yo=XN1hMUFeS;vq1^34``?Z7b{QS53#a-NZMdS%&bF@y`3$^KxG!O6 z!ZlLQB`0IPN;7j=0-#|@n**d_=N6`DiOf>kq3nGT__sAeU}2|uS|rQRlud8z zvB=A>z>zb%i-@}n{iYGR8kTv0XD`w!VQfa_bsjWLS1a0tAzalr&&eOP?+4C;be}D4?dzi+&&Yf9EwwA zcSF`Svl6w;4)mp$KHGqSI-!N@d9W`k+~g1d{l((jfpswledV23-A%40i)0EpcbP?^ zn$oN(V%xe3F@RkOaU)02<4r0FT_I_)X!el2L14qhEPQA2Y(U%}j&t{rcDDuno;$@r z(iq9i@4)y-Z$g~h958t{eQ8mDJ)QJx7F-pevJLZeLWe7-7v`JcGy6tByv5Xb7ZBaY zcFIXo*ClVGJMN96WmHUeHR)V_C9hf_IC?m}Sf$?O1>w^Mc&C9+m&h-)u5S z3Uwp*mSt$a$ZlRtnR59apWb-e?3$EQHVWQw^sU;XdHtgFb!8 z!SX7I3A2CdyCEpvKIf#(JjMCt(RY1aJLzDETy>1?i! 
zbfLj(bZhrK_>tf2mp<@2BNG1l4VbjSoknAPiLWUO48H3YOnR9Pg2)%*)(CzbqgpKg zg-;IXdy;qdK|gw+UGB(V!JwPfQT7q8b6~k0-SEqkSY}F%=?y0Zi}N~&mBc5oog`Y9 zo+s^VGHBT5Vq@sWrd6cVYf;E1rj*HB>crZ{G+&IT3Vzw7C-rqOymBwF>U8cUf2Z9r z=*kV7m3_7R&b|eA^__Z0-+FiRt(6To9#HarQ*~g;drs-jQ|NvoAF$fbR z;1RD975Aem`7+%_sLDlYuJgWw`9ub0^A$Ex>A( z{JJs15VHs4>bj2Yp&bX`^k!o7&-2!*PUy@1qrKb6{r;!d-+%Y+&FKA4Z?2!- z|MYu&u5d|k^~)uH-2=U>4Z8%pZ^S!{w(WaiYpVBs4;MEC*RNrWT(xy|l_on37+i6j ztIKcBUcK^0lM8Y2K4C;Pf%30)purpM@zw%N@1s`;w`Sb|^J+yA;aRkffQZ&n{pWvQ z{ns}i7L&R7US<)LSN;fe)<~Om4rBM?U(UR-B6*`YDWJy@!{8*i&DCwlYmIpg z9LX1`-?=8iB+#Iet6%}t6_@%KydcmURBp|iAUmoW(J#OG1#hnQS0cXydm32YIp~k< zFEm{@xDGJx+0X4qEHxA$zES#kK zef3UG1nUTv3}piz7w(tKGKpvTBNK2K9Rj?19lTc}#d{qUiV1)_dG%b-QQCuI#{gJy zduCVwdh3Y_bXbNXEy?Fz@IQT?K2M*g&(r7W^YnT8Jbj)%PoJmH)92~)^m+O`eg0p4 N{ud<=PjLXq000If?yCR* literal 6461 zcmV-D8N%itiwFP|3*uM+1MOXHkK8tr&e!Q*A=m*t6WBB3@k;QDw4%wu}DQl&ch^U)n&5% z=83LrxZb~ii@&eGe|N3_!u96O&D(e1ynb{2{q@`HcW-Zi?)96S>-XOT*H0yoejREa zRzdJhdRK)T7Fp@Wp8qesR?nXYKh%dT3#-RJ|9#JbqGb82x;Ru33&OHYlPKg#kq41# zC;`iN@O$~gm10`~h~L#I4gNU$=LZ%YIMdLRJm7o%MqFg@k4s{`(s+X(%CHKvAP+P4 zr)Prd*`Eg`{6r6eFinel76-ftcopV#f-hwPy&_cj_bSObtF~dp&VOyBSyzXgCmCBq zd4%)g<*%!=9n04h`~8qqK)X6SS7FNt{{gwzknT0vC_XqjZDy2k5-shZXypv`zx~ z>s^q0Xgy78j&0kfbO~g*h(B2*CmURZ2}b}DiX(5HZXZq zW-J;6@*g?4KcO8wuAx{g+YFT(l>TpF9`5=B$=A`xG7{~{Y@38X#=0qtu@3X3R?=95 zUz01K)gv0Ur>RDVxqMRX{|FWntWvT04fI{(1S8a{0!ryr$0M@bCww1-KzQJwVV*<* zy?r}*0CR_Qp=JlmD!IdQkn#_#&>pgsVvSN5@G%-guTpHu5(}lE@s3DKQ;HJ2>nIKD z+ENrf8EO$@ZTHw@9nbw+0Xy_(^oQbkQY-X@w9OR=E4?(15ot@hnRqjHy5Aw)vUT(BnG)q zpvp4ueylmmBA!kSA@!df@`RK6+lms{v2?UlL87)2B(GRnptBB|N}xT_lR#dISyt<| z5a1;kmirhb5jckVs3yq={0W+t(acCkxTHXV9KhtCihFfdLKCYB>;WSY(nY3OVIBwf zRbq0mGnT=~_2oPDJ?JQ#6@)a@L_-7hkOcx;>3)JX`^pT0o;JJPvgD6bhwz|>Z&hb7 zG2VEnp|SBtGLP67x=K|&q^H`L-Ibhz`}hzQg}(;$!L6G{EPd~LK^fpQ0m!fAjS!DLjFHKn*E*1YID-;>D4*1M?CU9jp!@RUqGw!YE|35-1qP zZi?}C^VIH=s>riRla{BcE|T-uXpJ@Su4>dB-WkqXz)v?n*ctB&cg8aeAY(1TCzzyH zppBqTc6peJ4jX*_I4vLph0*9_CRBpCS2kP-+VX|9PmJ-)h-8l+wd?^PDg(KdH{bB@ 
zyx8UI8-j%6+*&&skItz$8=8edkWB^r*JY6=(Id5R6%>?Fzz})>R|~Kg+Vhd1;ftk% zz3cG6_cBv!5b>plUs*;Q$vY+Qlo&eJLVM*S^GP+N!R_Pn7R(iOY_8!G*>$A_@9H=z zy--6qcAeGWYzsYqy*>}U{dBi`*bB<^04CPk8S-+1`s~*b&URQXk zNxf`h`@*^Bt+;dZqFt_^pc9LDZAqdwG_gd`t((`{f~nh0YVVNKm@=q|(|hbdGUk-^ zWbs2XrdYK|{l^WG8>-3jF(Tnphe*Rz2+eC8L`nO(3>LL_a{+ovZyq|N>aJkhoK`ch zzR;$zs@twohhv8=p5sC>PrY4p^W!trX&Ds#A2qM4Ips-haRRP|EWY#@jqfhH9?CZo zlTfzYG7}^k(%YBbB=>*#YFFqud#Wg%kC4=Fou zTEolW_2u>D^~I{!dqt9l;)N@=wOI=&1)(hs_U$*G)q7Gigi$ zQ|ffvy41>*qkOJ7WLc4~#mI1OD9N?IO>nL2!{)a&4ExbO%y;xOqd<@eu3&eLH#Y66~J5w%1Zfk)~x$4QMzEL}L2*rJvg@mJhLKA0Vx_xXpoD!AK4Ze!6x zPWd;zx-l?p41RYpRX|)IrYeo)yw7Dq8we6P`^B$9h<0>l0m z{smy$n(-tKvfI3f0~D4PJ?LMXByVz-=|&a8NY3~cAaMv-W5NoZdGYzk^fI_1~137A2|Mp}vEojT4^_!k(JSrDJIm82$DeP_Mxd}EjlGTU0 zWO?l3?Dus2RWPJL9m}I}fiWVZ89sz@2 z>%i`C`SS?L6e3haoP@g`lzKV~(j`?h0AK?kYYNjCRwdCIjIGg0xM*0g;Z9@${ZD0~ zmI=+dV$q#QTEU6nxMXv9NHkCSMqv}^n<=TAW#wEPv+zj!zDfI=Y)9sP!l@bFxlo8r z;`aiOJ{CzPB;WxSpX5Nit%|H2lxdTDR>Ux*uZ-K1N5oU9j>AccX_xG=V8dO{vk^yA zIz5pMIi3ny3hkQF85-Rbg{jG#In!rOeYz0^6nJO;dTIfCdGXKYy|S2Jn(~6?ysjOs zH^cRMSB3To-<7hEgU`)gf_X2yGu)W_s!puQUCV}N-fH0orYWvTX8r7E=?LM2>cV0d zH;h{xFwKVVvzP#O6L?0%G^Q6y+56jhUj0@V`6WDj=6Zoo#(>js2K#xqTKqitOB{=w zsVux@orH!xi*AGaqPo2VvVSQ`wmqcjBZh=Q16grL@!~wVXTd&%Kf++cPys<*qz8;K z0@uGw0_2GcT3Fi__#RNXFU1P}eQ`)*SvdZk!SD?363pEg065bRWbjY?0O3bZhIY2D z=I^aa$Q3Y7=X)*$rW5tp#91#GZ?^dnGrDgl*kpY$uRBk~p4`2C@w<^Wug>0swsiU< z6+V(?f3(tl@sClw|2xRQ#8VcccGW&*8Iv9EDP{PKBK<8D*fO=@u9eHBitduR@m<<= zbYjG8VVoLs%osM?=UY%ZOJz2zND`u?Rx`OyoimQ%314#BN%vSsJhh0Ti0={EixkvW zM|&3g6^?7u7A456DO4Bb`-Txu?w~)#mhvTijL!}+9Tz4G5l?EDQdBlsvWxaZSY=~;wgiHa;MQ}(c?HaX7QS>5#2ppnUMjd%7+ z>Wro2v6WFV+)-DT=1!zITj(|Ns7)nw61O(4V;yii&Sb99!sJS(AF zH{E2o{Oda+6RxBFpi2|wMQXfho`sB>YatULkvC=u3Q1N zZStMek=6|;4Kexe(4KNtM8xh0z+rr&SU&`a@(Oe;!ZXZO_XA!%j)b%@0-={+7EW4%EzUaGs8Dk{|TH zCb=&VQ_5k+pm)mP!?x-t$R3q~D6Ql1fRw-+@2WO`_me5HF~H$M#LA{;1b=d5h6a&3 z|7xUiEJ40@6>A#na23pVJw)HzBVFdscr_kS*oo-GT~dNg%(ulz^x^jdtNEH7s{Zyv 
z1HF8obq2izJPCLFLlL{98wO&Z;0k?D$P4+Y!aG1JnxhA;UWeofs}K?Kda`yrozd4G zx;e<=av0o_FiBnk)PdF7mcE1e~E5>qPF==@mD6OLdQ zogNQ3d?vsHre;BG5?8a_H8$B7JmUpO+lACVbUFM-NoK0jiLa4Zr8p&@I3fbN)X9FU%Y z5JF4xf+yQYcf2IY_Y5s^tmOxdyip_N@-d(hect<(y=qsGnn@Z89txEjw6Z#Y+wS`JZhZ9xuQ8JScb z>Qo-PxzqOLYh6_^($O2C&AD9311y@E`dtE*NoRS!{4(>k$? ztDV#}CbLxu@<0|+#uom!ZN9}=b*lg}V3 zMfehSCY&R+Txu{Dvotf8B>)^@E?aI~{fqz>g1QvE0r)9DX z4cYXy9*ex<2pl!CyNHC#&@LLGt6>?JoJUamxe+G%3{(qrHjWpzlDA34?!ixpM_=@X zRjD{1pA|blG!u2(a)6C7k8nXF$8}5Vxlk9Y=Q?4#!D&)a)D=e8W(1jI;Y0K&54X=m zsk-7=*-e*qjjTkivIBkTmCx2;phjrndLC?x3KuyfKzp$Gx?^3;L0@&|RdbT7$s(CT z&P`^Kd`)H6G_h?>g&4rDgt(9+>G33$gpQE3STuV`-XO5yU>32mc-A3qH^;eK$YHYv z{hm9;K++h=%-_KHL|;N2T^ulZHf?E9dpw=;Yi1l3ptE)JbV7$K*DuUB!)Nk|fOv|j z@hl)ZkL{S9q^?8W24~zGd&{7h=4jHX{90bML~yil`mjp7ENET$Gn}4k?(}{o%64i< zFNfBuC+lL%?G53w2;+*keMpsD_EEY$2-fOz5P9o(G?>~$P!O6&?WynRx6TW4<62a4 zTYTB1lN9PkZY@jKev#e07&GPSJ3g)Pw%Ii$XWvLVvc5IJ=N;uGz8)}go|imEamH~~ zI_Jd0nHo3T0;etiH;0CO)X!G2`W5Q%{*m1f<6j_fJsaH^u@Jm-E5kx%xOO!hTZDUq zgAe-nCI`!>AV$povEPQEc>9!{Hq#X6mq*{U_1;bgL*%L4em4=<4gQZSzz#8*I?4iv=cZJPJV5xaGRmqTB#r?Ln@dDb6XJiKk1LgW);HgC-`uC9uBvsA#q3gQExD|Zkyr# z)O=&MeQ$Y@78QHzSEDnPJ+X<_6BnC3 zu-2Z?gY@iio{_w4FDa$bcM0iphUysalp|fouqF(GFJ1<}w%;Aqb1-e&ZY-;@EkP%V zs=qdEOv37|8(TZFU#mi)so3!?MD}P+UDvUF?(g6mUv1)F&1a1onJ%|a_H7&Y_kXUx zfA{|N;QK$dCa{1Mj`o-Tj&%cVH(pFY-wO@cje`3;-(;e#|K)rYnL%M)VjYv=-3 zhq}5-lMPN7uLRE3<#%VVUU{RbiJSbMETWn~#m_R(;Gea4O98@U{1w72`R;&uwV;Ub zELuiDL~E%2$-7FTeW*PcHUX zqBsM299W$>=a1|!G#xj$3^1IB%b7tjKE>=2k`1;@LtIj-(^%N2LR#Z z)l)$S%ifwD17OYVnP36vs~0-ZZXS-ZBwu>Mf4WZB={jAf>vWy2({;K|*XcT4r|Wc` XuG4k8PS@%Be{=m0%n?~$0LTCURA#fs diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 887b34c1..edfb83c8 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3084,7 +3084,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..c2962a5 100644 +index 1d732f1..09a9fb3 100644 
--- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3237,7 +3237,18 @@ index 1d732f1..c2962a5 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -273,7 +297,7 @@ optional_policy(` +@@ -251,6 +275,10 @@ userdom_use_unpriv_users_fds(groupadd_t) + userdom_dontaudit_search_user_home_dirs(groupadd_t) + + optional_policy(` ++ dbus_system_bus_client(groupadd_t) ++') ++ ++optional_policy(` + dpkg_use_fds(groupadd_t) + dpkg_rw_pipes(groupadd_t) + ') +@@ -273,7 +301,7 @@ optional_policy(` # Passwd local policy # @@ -3246,7 +3257,7 @@ index 1d732f1..c2962a5 100644 dontaudit passwd_t self:capability sys_tty_config; allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; -@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -288,6 +316,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -3254,7 +3265,7 @@ index 1d732f1..c2962a5 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -296,6 +325,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -3262,7 +3273,7 @@ index 1d732f1..c2962a5 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -310,26 +336,32 @@ selinux_compute_create_context(passwd_t) +@@ -310,26 +340,32 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) 
@@ -3299,7 +3310,7 @@ index 1d732f1..c2962a5 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -338,12 +370,11 @@ init_use_fds(passwd_t) +@@ -338,12 +374,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -3313,7 +3324,7 @@ index 1d732f1..c2962a5 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +383,20 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +387,20 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3334,7 +3345,7 @@ index 1d732f1..c2962a5 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -401,9 +446,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +450,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3347,7 +3358,7 @@ index 1d732f1..c2962a5 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +466,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -3355,7 +3366,7 @@ index 1d732f1..c2962a5 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +471,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +475,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) 
@@ -3368,7 +3379,7 @@ index 1d732f1..c2962a5 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +488,8 @@ optional_policy(` +@@ -446,7 +492,8 @@ optional_policy(` # Useradd local policy # @@ -3378,7 +3389,7 @@ index 1d732f1..c2962a5 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +508,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3389,7 +3400,7 @@ index 1d732f1..c2962a5 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +515,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +519,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3429,7 +3440,7 @@ index 1d732f1..c2962a5 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +544,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +548,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3437,7 +3448,7 @@ index 1d732f1..c2962a5 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +555,32 @@ init_rw_utmp(useradd_t) +@@ -508,35 +559,38 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) 
@@ -3477,12 +3488,17 @@ index 1d732f1..c2962a5 100644 - optional_policy(` - unconfined_domain(useradd_t) - ') --') -- - optional_policy(` - apache_manage_all_user_content(useradd_t) ++optional_policy(` ++ apache_manage_all_user_content(useradd_t) ') -@@ -545,14 +591,27 @@ optional_policy(` + + optional_policy(` +- apache_manage_all_user_content(useradd_t) ++ dbus_system_bus_client(useradd_t) + ') + + optional_policy(` +@@ -545,14 +599,27 @@ optional_policy(` ') optional_policy(` @@ -3510,7 +3526,7 @@ index 1d732f1..c2962a5 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +621,12 @@ optional_policy(` +@@ -562,3 +629,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -19015,7 +19031,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..ff9e7ba 100644 +index e100d88..5113b22 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` 
@@ -19086,7 +19102,49 @@ index e100d88..ff9e7ba 100644 ') ######################################## -@@ -762,8 +798,8 @@ interface(`kernel_manage_debugfs',` +@@ -441,6 +477,41 @@ interface(`kernel_dontaudit_link_key',` + + ######################################## + ## ++## Allow view the kernel key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_view_key',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:key view; ++') ++ ++######################################## ++## ++## dontaudit view the kernel key ring. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_view_key',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ dontaudit $1 kernel_t:key view; ++') ++######################################## ++## + ## Allows caller to read the ring buffer. + ## + ## +@@ -762,8 +833,8 @@ interface(`kernel_manage_debugfs',` ') manage_files_pattern($1, debugfs_t, debugfs_t) @@ -19096,7 +19154,7 @@ index e100d88..ff9e7ba 100644 ') ######################################## -@@ -786,6 +822,24 @@ interface(`kernel_mount_kvmfs',` +@@ -786,6 +857,24 @@ interface(`kernel_mount_kvmfs',` ######################################## ## @@ -19121,7 +19179,7 @@ index e100d88..ff9e7ba 100644 ## Unmount the proc filesystem. ## ## -@@ -804,6 +858,24 @@ interface(`kernel_unmount_proc',` +@@ -804,6 +893,24 @@ interface(`kernel_unmount_proc',` ######################################## ## @@ -19146,7 +19204,7 @@ index e100d88..ff9e7ba 100644 ## Get the attributes of the proc filesystem. ## ## -@@ -841,6 +913,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',` +@@ -841,6 +948,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',` ######################################## ## 
@@ -19172,7 +19230,7 @@ index e100d88..ff9e7ba 100644 ## Search directories in /proc. ## ## -@@ -991,13 +1082,10 @@ interface(`kernel_read_proc_symlinks',` +@@ -991,13 +1117,10 @@ interface(`kernel_read_proc_symlinks',` # interface(`kernel_read_system_state',` gen_require(` @@ -19188,7 +19246,7 @@ index e100d88..ff9e7ba 100644 ') ######################################## -@@ -1025,6 +1113,44 @@ interface(`kernel_write_proc_files',` +@@ -1025,6 +1148,44 @@ interface(`kernel_write_proc_files',` ######################################## ## @@ -19233,7 +19291,7 @@ index e100d88..ff9e7ba 100644 ## Do not audit attempts by caller to ## read system state information in proc. ## -@@ -1208,6 +1334,24 @@ interface(`kernel_read_messages',` +@@ -1208,6 +1369,24 @@ interface(`kernel_read_messages',` ######################################## ## @@ -19258,7 +19316,7 @@ index e100d88..ff9e7ba 100644 ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## -@@ -1458,6 +1602,25 @@ interface(`kernel_list_all_proc',` +@@ -1458,6 +1637,25 @@ interface(`kernel_list_all_proc',` ######################################## ## @@ -19284,7 +19342,7 @@ index e100d88..ff9e7ba 100644 ## Do not audit attempts to list all proc directories. ## ## -@@ -1477,6 +1640,28 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1675,28 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -19313,7 +19371,7 @@ index e100d88..ff9e7ba 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1672,7 +1857,7 @@ interface(`kernel_read_net_sysctls',` +@@ -1672,7 +1892,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) 
@@ -19322,7 +19380,7 @@ index e100d88..ff9e7ba 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1693,7 +1878,7 @@ interface(`kernel_rw_net_sysctls',` +@@ -1693,7 +1913,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -19331,7 +19389,7 @@ index e100d88..ff9e7ba 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1715,7 +1900,6 @@ interface(`kernel_read_unix_sysctls',` +@@ -1715,7 +1935,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) @@ -19339,7 +19397,7 @@ index e100d88..ff9e7ba 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1750,16 +1934,9 @@ interface(`kernel_rw_unix_sysctls',` +@@ -1750,16 +1969,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## @@ -19357,7 +19415,7 @@ index e100d88..ff9e7ba 100644 ') ######################################## -@@ -1771,16 +1948,9 @@ interface(`kernel_read_hotplug_sysctls',` +@@ -1771,16 +1983,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -19375,7 +19433,7 @@ index e100d88..ff9e7ba 100644 ') ######################################## -@@ -1792,16 +1962,9 @@ interface(`kernel_rw_hotplug_sysctls',` +@@ -1792,16 +1997,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -19393,7 +19451,7 @@ index e100d88..ff9e7ba 100644 ') ######################################## -@@ -1813,16 +1976,9 @@ interface(`kernel_read_modprobe_sysctls',` +@@ -1813,16 +2011,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## 
@@ -19411,68 +19469,115 @@ index e100d88..ff9e7ba 100644 ') ######################################## -@@ -2048,6 +2204,26 @@ interface(`kernel_read_rpc_sysctls',` +@@ -2048,9 +2239,10 @@ interface(`kernel_read_rpc_sysctls',` list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') + -+######################################## -+## + ######################################## + ## +-## Read and write RPC sysctls. +## Read RPC sysctls. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`kernel_rw_rpc_sysctls_dirs',` -+ gen_require(` -+ type proc_t, proc_net_t, sysctl_rpc_t; -+ ') -+ -+ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) -+') -+ - ######################################## - ## - ## Read and write RPC sysctls. -@@ -2071,6 +2247,26 @@ interface(`kernel_rw_rpc_sysctls',` - - ######################################## - ## -+## Read and write RPC sysctls. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`kernel_create_rpc_sysctls',` -+ gen_require(` -+ type proc_t, proc_net_t, sysctl_rpc_t; -+ ') -+ -+ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) -+ -+') -+ -+######################################## -+## - ## Do not audit attempts to list all sysctl directories. ## ## -@@ -2085,7 +2281,54 @@ interface(`kernel_dontaudit_list_all_sysctls',` + ## +@@ -2059,38 +2251,38 @@ interface(`kernel_read_rpc_sysctls',` + ## + ## + # +-interface(`kernel_rw_rpc_sysctls',` ++interface(`kernel_rw_rpc_sysctls_dirs',` + gen_require(` + type proc_t, proc_net_t, sysctl_rpc_t; ') - dontaudit $1 sysctl_type:dir list_dir_perms; +- rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) +- +- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ++ rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + ') + + ######################################## + ## +-## Do not audit attempts to list all sysctl directories. ++## Read and write RPC sysctls. 
+ ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`kernel_dontaudit_list_all_sysctls',` ++interface(`kernel_rw_rpc_sysctls',` + gen_require(` +- attribute sysctl_type; ++ type proc_t, proc_net_t, sysctl_rpc_t; + ') + +- dontaudit $1 sysctl_type:dir list_dir_perms; - dontaudit $1 sysctl_type:file getattr; ++ rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) ++ ++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + ') + + ######################################## + ## +-## Allow caller to read all sysctls. ++## Read and write RPC sysctls. + ## + ## + ## +@@ -2099,40 +2291,126 @@ interface(`kernel_dontaudit_list_all_sysctls',` + ## + ## + # +-interface(`kernel_read_all_sysctls',` ++interface(`kernel_create_rpc_sysctls',` + gen_require(` +- attribute sysctl_type; +- type proc_t, proc_net_t; ++ type proc_t, proc_net_t, sysctl_rpc_t; + ') + +- # proc_net_t for /proc/net/rpc sysctls +- read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) ++ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) + +- list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) + ') + + ######################################## + ## +-## Read and write all sysctls. ++## Do not audit attempts to list all sysctl directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## +-## + # +-interface(`kernel_rw_all_sysctls',` ++interface(`kernel_dontaudit_list_all_sysctls',` + gen_require(` + attribute sysctl_type; +- type proc_t, proc_net_t; + ') + +- # proc_net_t for /proc/net/rpc sysctls +- rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) ++ dontaudit $1 sysctl_type:dir list_dir_perms; + dontaudit $1 sysctl_type:file read_file_perms; +') -+ + +- allow $1 sysctl_type:dir list_dir_perms; +- # why is setattr needed? +######################################## +## +## Allow attempts to mounton all sysctl directories. 
@@ -19518,70 +19623,92 @@ index e100d88..ff9e7ba 100644 + allow $1 debugfs_t:dir mounton; + allow $1 cgroup_t:dir mounton; + - ') - - ######################################## -@@ -2282,7 +2525,7 @@ interface(`kernel_list_unlabeled',` - - ######################################## - ## --## Read the process state (/proc/pid) of all unlabeled_t. -+## Delete unlabeled files - ## - ## - ## -@@ -2290,19 +2533,18 @@ interface(`kernel_list_unlabeled',` - ## - ## - # --interface(`kernel_read_unlabeled_state',` -+interface(`kernel_delete_unlabeled',` - gen_require(` - type unlabeled_t; - ') - -- allow $1 unlabeled_t:dir list_dir_perms; -- read_files_pattern($1, unlabeled_t, unlabeled_t) -- read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) -+ allow $1 unlabeled_t:dir delete_dir_perms; -+ allow $1 unlabeled_t:dir_file_class_set delete_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to list unlabeled directories. -+## Read the process state (/proc/pid) of all unlabeled_t. - ## - ## - ## -@@ -2310,6 +2552,26 @@ interface(`kernel_read_unlabeled_state',` - ## - ## - # -+interface(`kernel_read_unlabeled_state',` -+ gen_require(` -+ type unlabeled_t; -+ ') -+ -+ allow $1 unlabeled_t:dir list_dir_perms; -+ read_files_pattern($1, unlabeled_t, unlabeled_t) -+ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) +') + +######################################## +## -+## Do not audit attempts to list unlabeled directories. ++## Allow caller to read all sysctls. +## +## +## -+## Domain to not audit. ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_read_all_sysctls',` ++ gen_require(` ++ attribute sysctl_type; ++ type proc_t, proc_net_t; ++ ') ++ ++ # proc_net_t for /proc/net/rpc sysctls ++ read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) ++ ++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) ++') ++ ++######################################## ++## ++## Read and write all sysctls. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_rw_all_sysctls',` ++ gen_require(` ++ attribute sysctl_type; ++ type proc_t, proc_net_t; ++ ') ++ ++ # proc_net_t for /proc/net/rpc sysctls ++ rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) ++ ++ allow $1 sysctl_type:dir list_dir_perms; ++ # why is setattr needed? + allow $1 sysctl_type:file setattr; + ') + +@@ -2282,6 +2560,25 @@ interface(`kernel_list_unlabeled',` + + ######################################## + ## ++## Delete unlabeled files ++## ++## ++## ++## Domain allowed access. +## +## +# - interface(`kernel_dontaudit_list_unlabeled',` - gen_require(` - type unlabeled_t; -@@ -2488,6 +2750,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ++interface(`kernel_delete_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir delete_dir_perms; ++ allow $1 unlabeled_t:dir_file_class_set delete_file_perms; ++') ++ ++######################################## ++## + ## Read the process state (/proc/pid) of all unlabeled_t. + ## + ## +@@ -2306,7 +2603,7 @@ interface(`kernel_read_unlabeled_state',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -2488,6 +2785,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -19606,7 +19733,7 @@ index e100d88..ff9e7ba 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2805,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2840,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -19631,7 +19758,7 @@ index e100d88..ff9e7ba 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2965,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +3000,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## 
@@ -19656,7 +19783,7 @@ index e100d88..ff9e7ba 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +3010,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +3045,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -19682,7 +19809,7 @@ index e100d88..ff9e7ba 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3138,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3173,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -19716,7 +19843,7 @@ index e100d88..ff9e7ba 100644 ######################################## ## -@@ -2958,6 +3320,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3355,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -19741,7 +19868,7 @@ index e100d88..ff9e7ba 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3352,649 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3387,649 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -19841,7 +19968,7 @@ index e100d88..ff9e7ba 100644 + ') + + dontaudit $1 sysctl_type:file getattr; -+') + ') + +######################################## +## @@ -19920,7 +20047,7 @@ index e100d88..ff9e7ba 100644 + ') + + dontaudit $1 proc_numa_t:dir search; - ') ++') + +######################################## +## @@ -23102,7 +23229,7 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..93ad99f 100644 +index 0fef1fc..aea97fa 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) 
@@ -23179,7 +23306,7 @@ index 0fef1fc..93ad99f 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +84,127 @@ optional_policy(` +@@ -23,11 +84,128 @@ optional_policy(` ') optional_policy(` @@ -23242,6 +23369,7 @@ index 0fef1fc..93ad99f 100644 + +optional_policy(` + fwupd_dbus_chat(staff_t) ++ fwupd_read_cache_files(staff_t) +') + +optional_policy(` @@ -23308,7 +23436,7 @@ index 0fef1fc..93ad99f 100644 ') optional_policy(` -@@ -35,15 +212,31 @@ optional_policy(` +@@ -35,15 +213,31 @@ optional_policy(` ') optional_policy(` @@ -23342,7 +23470,7 @@ index 0fef1fc..93ad99f 100644 ') optional_policy(` -@@ -52,11 +245,61 @@ optional_policy(` +@@ -52,11 +246,61 @@ optional_policy(` ') optional_policy(` @@ -23405,7 +23533,7 @@ index 0fef1fc..93ad99f 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +308,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +309,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23416,7 +23544,7 @@ index 0fef1fc..93ad99f 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +317,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +318,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -23427,7 +23555,7 @@ index 0fef1fc..93ad99f 100644 ') optional_policy(` -@@ -101,10 +336,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +337,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23438,7 +23566,7 @@ index 0fef1fc..93ad99f 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +356,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +357,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23449,7 +23577,7 @@ index 0fef1fc..93ad99f 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +368,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +369,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -23460,7 +23588,7 @@ index 0fef1fc..93ad99f 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +399,23 @@ ifndef(`distro_redhat',` +@@ -176,3 +400,23 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') 
@@ -29543,7 +29671,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..bd907ca 100644 +index 8b40377..a55ca15 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -30022,7 +30150,7 @@ index 8b40377..bd907ca 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +528,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +528,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -30046,6 +30174,7 @@ index 8b40377..bd907ca 100644 kernel_read_network_state(xdm_t) +kernel_request_load_module(xdm_t) +kernel_stream_connect(xdm_t) ++kernel_dontaudit_view_key(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) @@ -30055,7 +30184,7 @@ index 8b40377..bd907ca 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +561,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +562,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -30101,6 +30230,7 @@ index 8b40377..bd907ca 100644 +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) +dev_read_nvme(xdm_t) ++dev_getattr_loop_control(xdm_t) domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. 
@@ -30110,7 +30240,7 @@ index 8b40377..bd907ca 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +615,30 @@ files_list_mnt(xdm_t) +@@ -431,9 +617,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -30141,7 +30271,7 @@ index 8b40377..bd907ca 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +647,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +649,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -30192,7 +30322,7 @@ index 8b40377..bd907ca 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +695,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +697,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -30362,7 +30492,7 @@ index 8b40377..bd907ca 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +864,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +866,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -30394,7 +30524,7 @@ index 8b40377..bd907ca 100644 ') optional_policy(` -@@ -518,8 +899,36 @@ optional_policy(` +@@ -518,8 +901,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -30432,7 +30562,7 @@ index 8b40377..bd907ca 100644 ') ') -@@ -530,6 +939,20 @@ optional_policy(` +@@ -530,6 +941,20 @@ optional_policy(` ') optional_policy(` 
@@ -30453,7 +30583,7 @@ index 8b40377..bd907ca 100644 hostname_exec(xdm_t) ') -@@ -547,28 +970,78 @@ optional_policy(` +@@ -547,28 +972,78 @@ optional_policy(` ') optional_policy(` @@ -30541,7 +30671,7 @@ index 8b40377..bd907ca 100644 ') optional_policy(` -@@ -580,6 +1053,14 @@ optional_policy(` +@@ -580,6 +1055,14 @@ optional_policy(` ') optional_policy(` @@ -30556,7 +30686,7 @@ index 8b40377..bd907ca 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1075,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1077,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -30565,7 +30695,7 @@ index 8b40377..bd907ca 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1085,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1087,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -30578,7 +30708,7 @@ index 8b40377..bd907ca 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1102,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1104,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -30594,7 +30724,7 @@ index 8b40377..bd907ca 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1118,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1120,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -30605,7 +30735,7 @@ index 8b40377..bd907ca 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1133,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1135,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -30647,7 +30777,7 @@ index 8b40377..bd907ca 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1184,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1186,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -30679,7 +30809,7 @@ index 8b40377..bd907ca 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1217,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -30694,7 +30824,7 @@ index 8b40377..bd907ca 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1238,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1240,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -30718,7 +30848,7 @@ index 8b40377..bd907ca 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1257,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1259,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -30727,7 +30857,7 @@ index 8b40377..bd907ca 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1301,54 @@ optional_policy(` +@@ -785,17 +1303,54 @@ optional_policy(` ') optional_policy(` @@ -30784,7 +30914,7 @@ index 8b40377..bd907ca 100644 ') optional_policy(` -@@ -803,6 +1356,10 @@ optional_policy(` +@@ -803,6 +1358,10 @@ optional_policy(` ') optional_policy(` @@ -30795,7 +30925,7 @@ index 8b40377..bd907ca 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1375,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1377,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -30820,7 +30950,7 @@ index 8b40377..bd907ca 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1398,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1400,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -30855,7 +30985,7 @@ index 8b40377..bd907ca 100644 ') optional_policy(` -@@ -912,7 +1463,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1465,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -30864,7 +30994,7 @@ index 8b40377..bd907ca 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1517,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1519,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -30896,7 +31026,7 @@ index 8b40377..bd907ca 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1563,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1565,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -35296,7 +35426,7 @@ index 79a45f6..e90f7a4 100644 + allow $1 init_var_lib_t:dir search_dir_perms; ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..a78f8b6 100644 +index 17eda24..1f4dc71 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -35598,10 +35728,10 @@ index 17eda24..a78f8b6 100644 + +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) ++ ++udev_manage_rules_files(init_t) -miscfiles_read_localization(init_t) -+udev_manage_rules_files(init_t) -+ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) @@ -35614,7 +35744,7 @@ index 17eda24..a78f8b6 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +343,275 @@ ifdef(`distro_gentoo',` +@@ -186,29 +343,280 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -35664,6 +35794,11 @@ index 17eda24..a78f8b6 100644 +') + +optional_policy(` ++ gssproxy_noatsecure(init_t) ++ gssd_noatsecure(init_t) ++') ++ ++optional_policy(` + anaconda_domtrans_install(init_t) +') + @@ -35872,9 +36007,10 @@ index 17eda24..a78f8b6 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -35885,10 +36021,9 @@ index 17eda24..a78f8b6 100644 +optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) + plymouthd_filetrans_named_content(init_t) @@ -35899,7 +36034,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -216,7 +619,30 @@ optional_policy(` +@@ -216,7 +624,30 @@ optional_policy(` ') optional_policy(` @@ -35931,7 +36066,7 @@ index 17eda24..a78f8b6 100644 ') ######################################## -@@ -225,9 +651,9 @@ optional_policy(` +@@ -225,9 +656,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -35943,7 +36078,7 @@ index 17eda24..a78f8b6 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +684,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +689,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -35960,7 +36095,7 @@ index 17eda24..a78f8b6 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +709,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +714,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -36003,7 +36138,7 @@ index 17eda24..a78f8b6 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +746,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +751,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -36015,7 +36150,7 @@ index 17eda24..a78f8b6 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +758,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +763,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -36026,7 +36161,7 @@ index 17eda24..a78f8b6 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +769,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +774,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -36036,7 +36171,7 @@ index 17eda24..a78f8b6 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +778,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +783,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -36044,7 +36179,7 @@ index 17eda24..a78f8b6 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +785,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +790,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -36052,7 +36187,7 @@ index 17eda24..a78f8b6 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +793,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +798,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -36070,7 +36205,7 @@ index 17eda24..a78f8b6 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +811,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +816,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -36084,7 +36219,7 @@ index 17eda24..a78f8b6 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +826,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +831,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -36098,7 +36233,7 @@ index 17eda24..a78f8b6 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +839,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +844,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -36109,7 +36244,7 @@ index 17eda24..a78f8b6 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +852,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +857,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -36117,7 +36252,7 @@ index 17eda24..a78f8b6 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +871,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +876,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -36141,7 +36276,7 @@ index 17eda24..a78f8b6 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +904,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +909,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -36149,7 +36284,7 @@ index 17eda24..a78f8b6 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +938,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +943,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -36160,7 +36295,7 @@ index 17eda24..a78f8b6 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +962,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +967,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -36169,7 +36304,7 @@ index 17eda24..a78f8b6 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +977,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +982,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -36177,7 +36312,7 @@ index 17eda24..a78f8b6 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +998,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1003,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -36185,7 +36320,7 @@ index 17eda24..a78f8b6 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1008,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1013,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -36230,7 +36365,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -559,14 +1053,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1058,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -36262,7 +36397,7 @@ index 17eda24..a78f8b6 100644 ') ') -@@ -577,6 +1088,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1093,39 @@ ifdef(`distro_suse',` ') ') @@ -36302,7 +36437,7 @@ index 17eda24..a78f8b6 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1133,8 @@ optional_policy(` +@@ -589,6 +1138,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -36311,7 +36446,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -610,6 +1156,7 @@ optional_policy(` +@@ -610,6 +1161,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -36319,7 +36454,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -626,6 +1173,17 @@ optional_policy(` +@@ -626,6 +1178,17 @@ optional_policy(` ') optional_policy(` 
@@ -36337,7 +36472,7 @@ index 17eda24..a78f8b6 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1200,13 @@ optional_policy(` +@@ -642,9 +1205,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -36351,7 +36486,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -657,15 +1219,11 @@ optional_policy(` +@@ -657,15 +1224,11 @@ optional_policy(` ') optional_policy(` @@ -36369,7 +36504,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -686,6 +1244,15 @@ optional_policy(` +@@ -686,6 +1249,15 @@ optional_policy(` ') optional_policy(` @@ -36385,7 +36520,7 @@ index 17eda24..a78f8b6 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1293,7 @@ optional_policy(` +@@ -726,6 +1298,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -36393,7 +36528,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -743,7 +1311,13 @@ optional_policy(` +@@ -743,7 +1316,13 @@ optional_policy(` ') optional_policy(` @@ -36408,7 +36543,7 @@ index 17eda24..a78f8b6 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1340,10 @@ optional_policy(` +@@ -766,6 +1345,10 @@ optional_policy(` ') optional_policy(` @@ -36419,7 +36554,7 @@ index 17eda24..a78f8b6 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1353,20 @@ optional_policy(` +@@ -775,10 +1358,20 @@ optional_policy(` ') optional_policy(` @@ -36440,7 +36575,7 @@ index 17eda24..a78f8b6 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1375,10 @@ optional_policy(` +@@ -787,6 +1380,10 @@ optional_policy(` ') optional_policy(` @@ -36451,7 +36586,7 @@ index 17eda24..a78f8b6 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1400,6 @@ optional_policy(` +@@ -808,8 +1405,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -36460,7 +36595,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -818,6 +1408,10 @@ optional_policy(` +@@ -818,6 +1413,10 @@ optional_policy(` ') optional_policy(` @@ -36471,7 +36606,7 @@ index 17eda24..a78f8b6 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1421,12 @@ optional_policy(` +@@ -827,10 +1426,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -36484,7 +36619,7 @@ index 17eda24..a78f8b6 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1453,62 @@ optional_policy(` +@@ -857,21 +1458,62 @@ optional_policy(` ') optional_policy(` @@ -36548,7 +36683,7 @@ index 17eda24..a78f8b6 100644 ') optional_policy(` -@@ -887,6 +1524,10 @@ optional_policy(` +@@ -887,6 +1529,10 @@ optional_policy(` ') optional_policy(` @@ -36559,7 +36694,7 @@ index 17eda24..a78f8b6 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1538,218 @@ optional_policy(` +@@ -897,3 +1543,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 39466f6f..99726a85 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12376,7 +12376,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..10b00ba 100644 +index 550b287..e799a42 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t) @@ -12469,7 +12469,7 @@ index 550b287..10b00ba 100644 ') optional_policy(` -@@ -92,11 +111,61 @@ optional_policy(` +@@ -92,11 +111,66 @@ optional_policy(` ') optional_policy(` @@ -12492,6 +12492,7 @@ index 550b287..10b00ba 100644 kerberos_use(certmonger_t) + kerberos_read_keytab(certmonger_t) + kerberos_manage_kdc_config(certmonger_t) ++ kerberos_filetrans_named_content(certmonger_t) ') optional_policy(` 
@@ -12505,6 +12506,10 @@ index 550b287..10b00ba 100644 +') + +optional_policy(` ++ rhcs_start_haproxy_services(certmonger_t) ++') ++ ++optional_policy(` + sssd_delete_public_files(certmonger_t) +') + @@ -13617,7 +13622,7 @@ index 32e8265..ac74503 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..eba4e6d 100644 +index e5b621c..ded8e64 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -13636,7 +13641,7 @@ index e5b621c..eba4e6d 100644 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit signal }; -+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown }; ++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin }; +allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; +allow chronyd_t self:udp_socket create_socket_perms; @@ -15358,10 +15363,10 @@ index 0000000..d5920c0 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..0167d62 +index 0000000..d60494e --- /dev/null +++ b/cockpit.te -@@ -0,0 +1,120 @@ +@@ -0,0 +1,121 @@ +policy_module(cockpit, 1.0.0) + +######################################## @@ -15470,6 +15475,7 @@ index 0000000..0167d62 +auth_write_login_records(cockpit_session_t) + +corenet_tcp_bind_ssh_port(cockpit_session_t) ++corenet_tcp_connect_ssh_port(cockpit_session_t) + +# cockpit-session can execute cockpit-agent as the user +userdom_spec_domtrans_all_users(cockpit_session_t) @@ -19307,7 +19313,7 @@ index 1303b30..f13c532 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..65e947c 100644 +index 7de3859..b66e53f 100644 --- a/cron.te +++ b/cron.te 
@@ -11,46 +11,54 @@ gen_require(` @@ -20024,13 +20030,17 @@ index 7de3859..65e947c 100644 ') optional_policy(` -@@ -598,7 +618,27 @@ optional_policy(` +@@ -598,7 +618,31 @@ optional_policy(` ') optional_policy(` + networkmanager_dbus_chat(system_cronjob_t) +') + ++optional_policy(` ++ pcp_filetrans_named_content(system_cronjob_t) ++') ++ +optional_policy(` postfix_read_config(system_cronjob_t) +') @@ -20052,7 +20062,7 @@ index 7de3859..65e947c 100644 ') optional_policy(` -@@ -607,7 +647,12 @@ optional_policy(` +@@ -607,7 +651,12 @@ optional_policy(` ') optional_policy(` @@ -20065,7 +20075,7 @@ index 7de3859..65e947c 100644 ') optional_policy(` -@@ -615,12 +660,27 @@ optional_policy(` +@@ -615,12 +664,27 @@ optional_policy(` ') optional_policy(` @@ -20095,7 +20105,7 @@ index 7de3859..65e947c 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +688,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +692,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -20129,7 +20139,7 @@ index 7de3859..65e947c 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +721,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +725,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -36836,10 +36846,10 @@ index 0000000..f4659d1 +/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 -index 0000000..2277038 +index 0000000..8a2013a --- /dev/null +++ b/gssproxy.if -@@ -0,0 +1,199 @@ +@@ -0,0 +1,217 @@ + +## policy for gssproxy + 
@@ -37039,9 +37049,27 @@ index 0000000..2277038 + systemd_read_fifo_file_passwd_run($1) + ') +') ++ ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gssproxy_noatsecure',` ++ gen_require(` ++ type gssproxy_t; ++ ') ++ ++ allow $1 gssproxy_t:process { noatsecure rlimitinh }; ++') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..5e43ca7 +index 0000000..27abcbb --- /dev/null +++ b/gssproxy.te @@ -0,0 +1,74 @@ @@ -37069,7 +37097,7 @@ index 0000000..5e43ca7 +# +# gssproxy local policy +# -+allow gssproxy_t self:capability { setuid setgid }; ++allow gssproxy_t self:capability { setuid setgid dac_override }; +allow gssproxy_t self:capability2 block_suspend; +allow gssproxy_t self:fifo_file rw_fifo_file_perms; +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; @@ -39303,10 +39331,10 @@ index 0000000..ddbc007 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..e4c5d89 +index 0000000..55e151e --- /dev/null +++ b/ipa.te -@@ -0,0 +1,260 @@ +@@ -0,0 +1,264 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -39406,6 +39434,10 @@ index 0000000..e4c5d89 +manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t) +logging_log_filetrans(ipa_helper_t, ipa_log_t, file) + ++manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t) ++manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t) ++files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file }) ++ +kernel_read_system_state(ipa_helper_t) +kernel_read_network_state(ipa_helper_t) + @@ -42793,7 +42825,7 @@ index 4fe75fd..3504a9b 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f6c00d8..b7e477d 100644 +index f6c00d8..79ea4d8 100644 --- a/kerberos.if +++ b/kerberos.if 
@@ -1,27 +1,29 @@ @@ -43137,8 +43169,8 @@ index f6c00d8..b7e477d 100644 files_search_etc($1) - allow $1 krb5_keytab_t:file manage_file_perms; -+ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) -+ list_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ++ manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ++ manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ') ######################################## @@ -46379,7 +46411,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 483c87b..f68ee3a 100644 +index 483c87b..df73ba0 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; @@ -46412,6 +46444,15 @@ index 483c87b..f68ee3a 100644 corenet_all_recvfrom_unlabeled(lircd_t) corenet_all_recvfrom_netlabel(lircd_t) corenet_tcp_sendrecv_generic_if(lircd_t) +@@ -56,7 +58,7 @@ dev_read_mouse(lircd_t) + dev_filetrans_lirc(lircd_t) + dev_rw_lirc(lircd_t) + dev_rw_input_dev(lircd_t) +-dev_read_sysfs(lircd_t) ++dev_rw_sysfs(lircd_t) + + files_read_config_files(lircd_t) + files_list_var(lircd_t) @@ -64,9 +66,11 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) @@ -69520,10 +69561,10 @@ index 0000000..de7c78c +/var/run/pmlogger\.primary\.socket -l gen_context(system_u:object_r:pcp_var_run_t,s0) diff --git a/pcp.if b/pcp.if new file mode 100644 -index 0000000..80246e6 +index 0000000..abb250d --- /dev/null +++ b/pcp.if -@@ -0,0 +1,144 @@ +@@ -0,0 +1,160 @@ +## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation + +###################################### 
@@ -69668,12 +69709,28 @@ index 0000000..80246e6 + can_exec($1, pcp_pmlogger_exec_t) +') + ++####################################### ++## ++## Transition to pcp named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pcp_filetrans_named_content',` ++ gen_require(` ++ type pcp_var_run_t; ++ ') ++ files_pid_filetrans($1, pcp_var_run_t, dir, "pcp") ++') diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..e55bf80 +index 0000000..7bd521e --- /dev/null +++ b/pcp.te -@@ -0,0 +1,308 @@ +@@ -0,0 +1,309 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -69784,7 +69841,7 @@ index 0000000..e55bf80 +# pcp_pmcd local policy +# + -+allow pcp_pmcd_t self:capability { sys_admin sys_ptrace }; ++allow pcp_pmcd_t self:capability { net_admin sys_admin sys_ptrace }; +allow pcp_pmcd_t self:process { setsched }; +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms; + @@ -69795,6 +69852,7 @@ index 0000000..e55bf80 +kernel_read_fs_sysctls(pcp_pmcd_t) +kernel_read_rpc_sysctls(pcp_pmcd_t) +kernel_search_network_sysctl(pcp_pmcd_t) ++kernel_read_net_sysctls(pcp_pmcd_t) + +corecmd_exec_bin(pcp_pmcd_t) + @@ -72108,10 +72166,10 @@ index 0000000..47cd0f8 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..798efb6 +index 0000000..5c7f232 --- /dev/null +++ b/pki.if -@@ -0,0 +1,287 @@ +@@ -0,0 +1,404 @@ + +## policy for pki + 
@@ -72138,6 +72196,46 @@ index 0000000..798efb6 + +######################################## +## ++## Allow read and write pki cert files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_tomcat_cert',` ++ gen_require(` ++ type pki_tomcat_cert_t; ++ type pki_tomcat_etc_rw_t; ++ ') ++ ++ allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms; ++ manage_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) ++ manage_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t) ++') ++ ++######################################## ++## ++## Allow read and write pki cert files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_tomcat_etc_rw',` ++ gen_require(` ++ type pki_tomcat_etc_rw_t; ++ ') ++ ++ manage_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) ++ manage_lnk_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) ++') ++ ++######################################## ++## +## Allow domain to read pki cert files. +## +## @@ -72335,6 +72433,25 @@ index 0000000..798efb6 +## +## +# ++interface(`pki_search_log_dirs',` ++ gen_require(` ++ type pki_log_t; ++ ') ++ ++ search_dirs_pattern($1, pki_log_t, pki_log_t) ++ ++') ++ ++################################## ++## ++## Dontaudit domain to write pki log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`pki_dontaudit_write_log',` + gen_require(` + type pki_log_t; 
@@ -72395,10 +72512,68 @@ index 0000000..798efb6 + gen_require(` + type pki_tomcat_var_lib_t; + ') -+ ++ + read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) + read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) +') ++ ++ ++################################# ++## ++## Allow domain to manage pki tomcat lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_tomcat_lib',` ++ gen_require(` ++ type pki_tomcat_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) ++ manage_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) ++ manage_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) ++') ++ ++################################# ++## ++## Allow domain to manage pki tomcat lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_manage_tomcat_log',` ++ gen_require(` ++ type pki_tomcat_log_t; ++ ') ++ ++ manage_dirs_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t) ++ manage_files_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t) ++') ++ ++################################# ++## ++## Allow domain to read pki tomcat lib dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_read_tomcat_lib_dirs',` ++ gen_require(` ++ type pki_tomcat_var_lib_t; ++ ') ++ ++ list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) ++') diff --git a/pki.te b/pki.te new file mode 100644 index 0000000..bdeebb9 @@ -84368,7 +84543,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..93085f2 100644 +index 403a4fe..95b5e45 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) 
@@ -84385,7 +84560,7 @@ index 403a4fe..93085f2 100644 type radiusd_t; type radiusd_exec_t; init_daemon_domain(radiusd_t, radiusd_exec_t) -@@ -27,6 +34,9 @@ files_type(radiusd_var_lib_t) +@@ -27,14 +34,17 @@ files_type(radiusd_var_lib_t) type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) @@ -84395,9 +84570,10 @@ index 403a4fe..93085f2 100644 ######################################## # # Local policy -@@ -34,7 +44,7 @@ files_pid_file(radiusd_var_run_t) + # - allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; +-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; ++allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; +allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace}; @@ -87419,7 +87595,7 @@ index 47de2d6..6baf5cd 100644 +/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..8ad3e01 100644 +index c8bdea2..beb2872 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -87870,7 +88046,7 @@ index c8bdea2..8ad3e01 100644 ') ###################################### -@@ -446,52 +577,385 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +577,404 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## 
@@ -87908,16 +88084,10 @@ index c8bdea2..8ad3e01 100644 # -interface(`rhcs_admin',` +interface(`rhcs_read_cluster_lib_files',` - gen_require(` -- attribute cluster_domain, cluster_pid, cluster_tmpfs; -- attribute cluster_log; -- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; -- type fenced_tmp_t, qdiskd_var_lib_t; ++ gen_require(` + type cluster_var_lib_t; - ') - -- allow $1 cluster_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, cluster_domain) ++ ') ++ + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') @@ -87936,17 +88106,11 @@ index c8bdea2..8ad3e01 100644 + gen_require(` + type cluster_var_lib_t; + ') - -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; ++ + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - -- files_search_pids($1) -- admin_pattern($1, cluster_pid) ++ +#################################### +## +## Allow domain to relabel cluster lib files @@ -87966,9 +88130,7 @@ index c8bdea2..8ad3e01 100644 + relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) ++ +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -87983,15 +88145,11 @@ index c8bdea2..8ad3e01 100644 + gen_require(` + type cluster_t, cluster_exec_t; + ') - -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) ++ + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') - -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) ++ +####################################### +## +## Execute cluster init scripts in 
@@ -88007,9 +88165,7 @@ index c8bdea2..8ad3e01 100644 + gen_require(` + type cluster_initrc_exec_t; + ') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') + @@ -88220,17 +88376,31 @@ index c8bdea2..8ad3e01 100644 +## +# +interface(`rhcs_dbus_chat_cluster',` -+ gen_require(` + gen_require(` +- attribute cluster_domain, cluster_pid, cluster_tmpfs; +- attribute cluster_log; +- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; +- type fenced_tmp_t, qdiskd_var_lib_t; + type cluster_t; + class dbus send_msg; -+ ') -+ + ') + +- allow $1 cluster_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, cluster_domain) + allow $1 cluster_t:dbus send_msg; + allow cluster_t $1:dbus send_msg; +') -+ -+ -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; + +- files_search_pids($1) +- admin_pattern($1, cluster_pid) + +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +##################################### +## +## All of the rules required to administrate @@ -88254,14 +88424,20 @@ index c8bdea2..8ad3e01 100644 + type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t; + type cluster_unit_file_t; + ') -+ + +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) + allow $1 cluster_t:process signal_perms; + ps_process_pattern($1, cluster_t) -+ + +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + tunable_policy(`deny_ptrace',`',` + allow $1 cluster_t:process ptrace; + ') -+ + +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) + init_labeled_script_domtrans($1, cluster_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cluster_initrc_exec_t system_r; 
@@ -88277,12 +88453,31 @@ index c8bdea2..8ad3e01 100644 + + files_list_pids($1) + admin_pattern($1, cluster_var_run_t) - -- logging_search_logs($1) -- admin_pattern($1, cluster_log) ++ + rhcs_systemctl_cluster($1) + admin_pattern($1, cluster_unit_file_t) + allow $1 cluster_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Start haproxy unit files domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhcs_start_haproxy_services',` ++ gen_require(` ++ type haproxy_unit_file_t; ++ ') + +- logging_search_logs($1) +- admin_pattern($1, cluster_log) ++ systemd_exec_systemctl($1) ++ allow $1 haproxy_unit_file_t:service {status start}; ') diff --git a/rhcs.te b/rhcs.te index 6cf79c4..5279416 100644 @@ -91079,7 +91274,7 @@ index a6fb30c..97ef313 100644 +/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0) + diff --git a/rpc.if b/rpc.if -index 0bf13c2..ed393a0 100644 +index 0bf13c2..9572351 100644 --- a/rpc.if +++ b/rpc.if @@ -1,4 +1,4 @@ @@ -91397,11 +91592,10 @@ index 0bf13c2..ed393a0 100644 files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Read nfs lib files. ++') ++ ++######################################## ++## +## List NFS state data in /var/lib/nfs. +## +## @@ -91417,10 +91611,11 @@ index 0bf13c2..ed393a0 100644 + + files_search_var_lib($1) + allow $1 var_lib_nfs_t:dir list_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nfs lib files. +## Manage NFS state data in /var/lib/nfs. +## +## @@ -91529,7 +91724,7 @@ index 0bf13c2..ed393a0 100644 ') allow $1 rpc_domain:process { ptrace signal_perms }; -@@ -411,7 +504,7 @@ interface(`rpc_admin',` +@@ -411,10 +504,28 @@ interface(`rpc_admin',` admin_pattern($1, rpcd_var_run_t) files_list_all($1) 
@@ -91538,6 +91733,27 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) + + fs_search_nfsd_fs($1) + ') ++ ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpc_gssd_noatsecure',` ++ gen_require(` ++ type gssd_t; ++ ') ++ ++ allow $1 gssd_t:process { noatsecure rlimitinh }; ++') diff --git a/rpc.te b/rpc.te index 2da9fca..f97a61a 100644 --- a/rpc.te @@ -98811,10 +99027,10 @@ index 0000000..7a058a8 +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 0000000..95a5182 +index 0000000..9c44c87 --- /dev/null +++ b/sbd.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,54 @@ +policy_module(sbd, 1.0.0) + +######################################## @@ -98862,6 +99078,8 @@ index 0000000..95a5182 + +logging_send_syslog_msg(sbd_t) + ++storage_raw_rw_fixed_disk(sbd_t) ++ +optional_policy(` + rhcs_rw_cluster_tmpfs(sbd_t) + rhcs_stream_connect_cluster(sbd_t) @@ -99999,7 +100217,7 @@ index 35ad2a7..afdc7da 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b4..27adacc 100644 +index 12700b4..3a32af4 100644 --- a/sendmail.te +++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; @@ -100034,12 +100252,14 @@ index 12700b4..27adacc 100644 logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -@@ -63,33 +65,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) +@@ -63,33 +65,23 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) +# for piping mail to a command kernel_read_system_state(sendmail_t) ++kernel_search_network_sysctl(sendmail_t) ++kernel_read_kernel_sysctls(sendmail_t) -corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) 
@@ -100072,7 +100292,7 @@ index 12700b4..27adacc 100644 fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) -@@ -98,35 +88,49 @@ fs_rw_anon_inodefs_files(sendmail_t) +@@ -98,35 +90,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) @@ -100128,7 +100348,7 @@ index 12700b4..27adacc 100644 ') optional_policy(` -@@ -134,8 +138,8 @@ optional_policy(` +@@ -134,8 +140,8 @@ optional_policy(` ') optional_policy(` @@ -100139,7 +100359,7 @@ index 12700b4..27adacc 100644 ') optional_policy(` -@@ -164,6 +168,10 @@ optional_policy(` +@@ -164,6 +170,10 @@ optional_policy(` ') optional_policy(` @@ -100150,7 +100370,7 @@ index 12700b4..27adacc 100644 milter_stream_connect_all(sendmail_t) ') -@@ -172,6 +180,11 @@ optional_policy(` +@@ -172,6 +182,11 @@ optional_policy(` ') optional_policy(` @@ -100162,7 +100382,7 @@ index 12700b4..27adacc 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -193,6 +206,10 @@ optional_policy(` +@@ -193,6 +208,10 @@ optional_policy(` ') optional_policy(` @@ -100173,7 +100393,7 @@ index 12700b4..27adacc 100644 udev_read_db(sendmail_t) ') -@@ -206,8 +223,6 @@ optional_policy(` +@@ -206,8 +225,6 @@ optional_policy(` # optional_policy(` @@ -109818,10 +110038,10 @@ index 0000000..46f12a4 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 0000000..0183c55 +index 0000000..ae69138 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,70 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -109881,12 +110101,17 @@ index 0000000..0183c55 +modutils_read_module_config(tlp_t) + +storage_raw_read_fixed_disk(tlp_t) ++storage_raw_write_removable_device(tlp_t) + +sysnet_exec_ifconfig(tlp_t) + +optional_policy(` + fstools_exec(tlp_t) +') ++ ++optional_policy(` ++ mount_domtrans(tlp_t) ++') diff --git a/tmpreaper.te b/tmpreaper.te index 585a77f..a7cb326 100644 
--- a/tmpreaper.te @@ -110459,10 +110684,10 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..3157eb8 +index 0000000..1aa150f --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,85 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -110482,10 +110707,24 @@ index 0000000..3157eb8 +# tomcat local policy +# + ++ ++optional_policy(` ++ pki_manage_tomcat_cert(tomcat_t) ++ pki_manage_apache_log_files(tomcat_t) ++ pki_manage_tomcat_lib(tomcat_t) ++ pki_manage_tomcat_etc_rw(tomcat_t) ++ pki_search_log_dirs(tomcat_t) ++ pki_manage_tomcat_log(tomcat_t) ++') ++ +optional_policy(` + unconfined_domain(tomcat_t) +') + ++optional_policy(` ++ ipa_read_lib(tomcat_t) ++') ++ +######################################## +# +# tomcat domain local policy @@ -110513,6 +110752,7 @@ index 0000000..3157eb8 +corenet_tcp_bind_http_cache_port(tomcat_domain) +corenet_tcp_bind_mxi_port(tomcat_domain) +corenet_tcp_connect_http_port(tomcat_domain) ++corenet_tcp_connect_ldap_port(tomcat_domain) +corenet_tcp_connect_mxi_port(tomcat_domain) +corenet_tcp_connect_http_cache_port(tomcat_domain) + @@ -115134,7 +115374,7 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..d790a0d 100644 +index f03dcf5..006d4b5 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,413 @@ @@ -116158,7 +116398,7 @@ index f03dcf5..d790a0d 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +718,336 @@ optional_policy(` +@@ -746,44 +718,341 @@ optional_policy(` udev_read_pid_files(virtd_t) ') 
@@ -116208,12 +116448,17 @@ index f03dcf5..d790a0d 100644 +files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) -dontaudit virsh_t virt_var_lib_t:file read_file_perms; -+kernel_read_network_state(virtlogd_t) ++manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) ++manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) ++manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) ++files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) -allow virsh_t svirt_lxc_domain:process transition; -+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; ++kernel_read_network_state(virtlogd_t) -can_exec(virsh_t, virsh_exec_t) ++allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; ++ +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) @@ -116303,7 +116548,7 @@ index f03dcf5..d790a0d 100644 +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) -+ + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) @@ -116361,7 +116606,7 @@ index f03dcf5..d790a0d 100644 +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) - ++ +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') @@ -116517,7 +116762,7 @@ index f03dcf5..d790a0d 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1058,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1063,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116544,7 +116789,7 @@ index f03dcf5..d790a0d 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1078,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1083,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -116578,7 +116823,7 @@ index f03dcf5..d790a0d 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1115,20 @@ optional_policy(` +@@ -856,14 +1120,20 @@ optional_policy(` ') optional_policy(` @@ -116600,7 +116845,7 @@ index f03dcf5..d790a0d 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1153,66 @@ optional_policy(` +@@ -888,49 +1158,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116685,7 +116930,7 @@ index f03dcf5..d790a0d 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1224,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1229,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116705,7 +116950,7 @@ index f03dcf5..d790a0d 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1245,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1250,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116729,7 +116974,7 @@ index f03dcf5..d790a0d 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1270,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1275,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116760,8 +117005,7 @@ index f03dcf5..d790a0d 100644 +optional_policy(` + container_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') @@ -116769,7 +117013,8 @@ index f03dcf5..d790a0d 100644 +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') 
@@ -116802,89 +117047,7 @@ index f03dcf5..d790a0d 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
@@ -116974,26 +117137,108 @@ index f03dcf5..d790a0d 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') ++') + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) 
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- 
+-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) ++ ssh_use_ptys(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) -+') -+ -+optional_policy(` -+ ssh_use_ptys(svirt_sandbox_domain) -+') -+ -+optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + @@ -117173,7 +117418,7 @@ index f03dcf5..d790a0d 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1572,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1577,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -117188,7 +117433,7 @@ index f03dcf5..d790a0d 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1590,7 @@ optional_policy(` +@@ -1192,7 +1595,7 @@ optional_policy(` ######################################## # @@ -117197,7 +117442,7 @@ index f03dcf5..d790a0d 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1599,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1604,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 0014e49f..ed2482e6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 249%{?dist} +Release: 250%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -682,6 +682,35 @@ exit 0 %endif %changelog +* Tue Apr 18 2017 Lukas Vrabec - 3.13.1-250 +- Allow tlp_t domain to ioctl removable devices BZ(1436830) +- Allow tlp_t domain domtrans into mount_t BZ(1442571) +- Allow lircd_t to read/write to sysfs BZ(1442443) +- Fix policy to reflect all changes in new IPA release +- Allow virtlogd_t to creating tmp files with virt_tmp_t labels. +- Allow sbd_t to read/write fixed disk devices +- Add sys_ptrace capability to radiusd_t domain +- Allow cockpit_session_t domain connects to ssh tcp ports. +- Update tomcat policy to make working ipa install process +- Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t create /var/run/pcp with pcp_var_run_t +- Fix all AVC denials during pkispawn of CA Resolves: rhbz#1436383 +- Update pki interfaces and tomcat module +- Allow sendmail to search network sysctls +- Add interface gssd_noatsecure() +- Add interface gssproxy_noatsecure() +- Allow chronyd_t net_admin capability to allow support HW timestamping. +- Update tomcat policy. +- Allow certmonger to start haproxy service +- Fix init Module +- Make groupadd_t domain as system bus client BZ(1416963) +- Make useradd_t domain as system bus client BZ(1442572) +- Allow xdm_t to gettattr /dev/loop-control device BZ(1385090) +- Dontaudit gdm-session-worker to view key unknown. BZ(1433191) +- Allow init noatsecure for gssd and gssproxy +- Allow staff user to read fwupd_cache_t files +- Remove typo bugs +- Remove /proc <> from fedora policy, it's no longer necessary + * Mon Apr 03 2017 Lukas Vrabec - 3.13.1-249 - Merge pull request #4 from lslebodn/sssd_socket_activated - Remove /proc <> from fedora policy, it's no longer necessary
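Review bot: `pcp_filetrans_named_content` in pcp.if installs only the name transition (`files_pid_filetrans($1, pcp_var_run_t, dir, "pcp")`) and grants the caller nothing on the resulting `pcp_var_run_t` directory, so `system_cronjob_t`, which the cron.te hunk wires to this interface, will still be denied `create` on the new directory unless it already holds that permission from elsewhere. Add `allow $1 pcp_var_run_t:dir create_dir_perms;` (or `manage_dirs_pattern($1, pcp_var_run_t, pcp_var_run_t)`) to the interface so the change actually delivers the "create /var/run/pcp with pcp_var_run_t" the changelog promises. Minor: the other interfaces in pcp.if leave a blank line between the `gen_require` block and the rules; this one does not.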
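Review bot: the XML summary on both new interfaces, `gssproxy_noatsecure` (gssproxy.if) and `rpc_gssd_noatsecure` (rpc.if), reads "Read and write to svirt_image devices.", a copy-paste leftover from the virt module that has nothing to do with the rule each contains (`allow $1 gssproxy_t:process { noatsecure rlimitinh };` and the `gssd_t` equivalent). Replace it with a description of what is granted, e.g. "Allow the caller to transition to gssproxy_t without AT_SECURE and with inherited resource limits": `noatsecure` disables the dynamic loader's secure-execution hardening across the transition, which is exactly the kind of grant the interface documentation should make visible. The changelog also names the second interface `gssd_noatsecure()` while the code defines `rpc_gssd_noatsecure`; align one with the other.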
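Review bot: `allow gssproxy_t self:capability { setuid setgid dac_override };` in gssproxy.te adds `dac_override`, which lets the daemon bypass file mode bits entirely. That is usually a symptom of a file or socket whose owner or mode does not match the uid the daemon runs as, and the policy then papers over it; if the denial that motivated this points at a specific path, fixing the ownership (or the label, via a filetrans rule) is the narrower fix. If the capability really is required, a comment above the rule naming the access that needs it would keep the grant auditable.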
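Review bot: in the kerberos.if hunk, the interface that earlier replaced `allow $1 krb5_keytab_t:file manage_file_perms;` now moves from `read_files_pattern`/`list_dirs_pattern` on `krb5kdc_conf_t` to `manage_files_pattern`/`manage_dirs_pattern`, i.e. from read-only to create, write and delete of the KDC configuration. The interface's `<summary>` is outside the hunk and must be updated to say "manage" rather than "read", and every existing caller should be checked, because anything that only needed to read kdc.conf now inherits write access to it.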
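Review bot: lircd.te replaces `dev_read_sysfs(lircd_t)` with `dev_rw_sysfs(lircd_t)`, which grants write access to every `sysfs_t` file rather than to the single attribute the bug report (BZ 1442443) presumably needed. If the AVC was for one specific sysfs node, a dedicated type for that path with a targeted `rw_files_pattern` keeps the rest of sysfs read-only for lircd; if the broad grant is intended, a comment saying why would help the next person who audits this domain.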
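Review bot: with `kernel_read_net_sysctls(pcp_pmcd_t)` added in pcp.te, the `kernel_search_network_sysctl(pcp_pmcd_t)` line directly above it is redundant (reading the net sysctls already implies search on their directories) and can be dropped. `net_admin` in `allow pcp_pmcd_t self:capability { net_admin sys_admin sys_ptrace };` is a broad capability; a comment recording which PMDA or sysctl write needed it would make the rule reviewable later.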
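Review bot: several of the new pki.if interfaces carry the wrong summary: `pki_manage_tomcat_etc_rw` says "Allow read and write pki cert files." but manages `pki_tomcat_etc_rw_t`; `pki_manage_tomcat_log` says "Allow domain to manage pki tomcat lib files." but manages `pki_tomcat_log_t`; `pki_manage_tomcat_cert` also grants `allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms;`, which its "cert files" summary does not mention. `pki_search_log_dirs` appears to have been inserted beneath the existing doc block of `pki_dontaudit_write_log` (a duplicate "Dontaudit domain to write pki log files" block is added right after it), so it needs its own summary. Fix these so `sepolicy interface` output is not misleading. Minor: `pki_search_log_dirs` has a stray blank line before its closing `')`, and the new heading bars use inconsistent lengths.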
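Review bot: tomcat.te now pulls in six `pki_manage_*`/`pki_search_*` interfaces plus `ipa_read_lib(tomcat_t)`, but the pre-existing `unconfined_domain(tomcat_t)` block a few lines below makes `tomcat_t` unconfined whenever the unconfined module is present, so with that module loaded none of these fine-grained grants is what actually permits the pkispawn accesses. That is fine as groundwork, but the commit should state that the AVC fixes claimed for rhbz#1436383 were exercised with `tomcat_t` confined, otherwise they are unverified. Also note that `corenet_tcp_connect_ldap_port(tomcat_domain)` is applied to the whole `tomcat_domain` attribute, not just `tomcat_t`, so every tomcat-derived domain gains LDAP connect.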
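Review bot: radius.te adds `sys_ptrace` to the `radiusd_t` self capability set unconditionally, and the context line shows the matching `ptrace` self:process permission is already there, so both halves now bypass the `deny_ptrace` tunable. Elsewhere in this same patch (the `rhcs_admin` rewrite in rhcs.if) ptrace is gated the standard way: `allow $1 cluster_t:process ptrace;` sits inside a deny_ptrace tunable_policy block. The radiusd rules should follow the same convention so administrators who set `deny_ptrace` keep that guarantee; move both `ptrace` and `sys_ptrace` into such a block. While here, `signal ptrace};` is missing the space before the closing brace.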
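Review bot: `rhcs_start_haproxy_services` in rhcs.if requires `haproxy_unit_file_t`, a type owned by the haproxy module, so the interface belongs in haproxy.if rather than creating a dependency from rhcs onto haproxy; as written, any caller outside an `optional_policy` block will fail to link when the haproxy module is not installed. The permission set `{status start}` should be written `{ status start }` to match the rest of the file.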
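Review bot: `kernel_read_kernel_sysctls(sendmail_t)` is added at the end of the sendmail.te hunk, but the same call already appears two lines earlier in the unchanged context (right after `kernel_read_network_state(sendmail_t)`), so the new line is a duplicate and should be dropped. Only `kernel_search_network_sysctl(sendmail_t)` is new, which matches the changelog entry "Allow sendmail to search network sysctls".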
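Review bot: the virtlogd_t rules added in virt.te manage `svirt_tmp_t` and set `files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })`, while the changelog says "Allow virtlogd_t to creating tmp files with virt_tmp_t labels". `svirt_tmp_t` is the tmp type of the sVirt guest domains, so this lets the log daemon create, rewrite and delete the guests' temp files and makes everything virtlogd creates in /tmp land in the guest type. If the intent is a private scratch area for virtlogd, `virt_tmp_t` (as the changelog says) or a dedicated virtlogd tmp type is the narrower choice; either the type or the changelog line needs to change so they agree.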
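Review bot: tlp.te adds `storage_raw_write_removable_device(tlp_t)` where the changelog says only "Allow tlp_t domain to ioctl removable devices"; the write interface carries the full `write_blk_file_perms` set, not just `ioctl`. If the denial was for an ioctl on the device node, `allow tlp_t removable_device_t:blk_file ioctl;` is the rule that matches the stated intent; if raw writes are really needed, the changelog line should say so.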
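Review bot: the new %changelog entry in selinux-policy.spec has wording problems worth fixing before it ships in the RPM: "Allow virtlogd_t to creating tmp files" (creating -> create), "Allow xdm_t to gettattr" (getattr), "Allow cockpit_session_t domain connects to" (to connect to), "Update tomcat policy." duplicates the earlier "Update tomcat policy to make working ipa install process" line, and "Remove /proc <> from fedora policy, it's no longer necessary" is repeated verbatim from the 3.13.1-249 entry below it. The "Allow pcp_pmcd_t net_admin capability. Allow pcp_pmcd_t read net sysctls Allow system_cronjob_t ..." entry packs three changes into one bullet; split it into three.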