From c1e28f68d8d1fc1d97ff1bd57712b36d47adb3c2 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 15 May 2017 22:07:43 +0200 Subject: [PATCH] * Mon May 15 2017 Lukas Vrabec - 3.13.1-254 - Allow svirt_t to read raw fixed_disk_device_t to make blockcommit work - ejabberd small fixes - Update targetd policy to accommodate changes in the service - Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls - Allow virt_domain to read raw fixed_disk_device_t to make blockcommit work - Allow glusterd_t domain to start ganesha service - Made a few cosmetic changes in sssd SELinux module - Merge pull request #11 from lslebodn/sssd_kcm - Update virt_rw_stream_sockets_svirt() interface to allow confined users to set socket options. - Allow keepalived_t domain read usermodehelper_t - Allow radius domain stream connect to postgresql - Merge pull request #8 from bowlofeggs/142-rawhide - Add fs_manage_configfs_lnk_files() interface --- container-selinux.tgz | Bin 6619 -> 6618 bytes policy-rawhide-base.patch | 606 ++++++++++++++++++----------------- policy-rawhide-contrib.patch | 343 +++++++++++++++----- selinux-policy.spec | 17 +- 4 files changed, 586 insertions(+), 380 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 5ebf4551400748349df5233b771500c90f01019b..cda4d57e9ea3ee0ff791e69d7447741cb2900e16 100644 GIT binary patch delta 5175 zcmV-76v*q_GuktMABzY8FbW!300Zq^>yO+vlF!%aze2DBcqZ^XJWd?I&hBB6EO7VX zfM9ol`*68a)DpW}J9+pnrfN|Z!Wlv*8o@1}vIJ*}!Ai$$_nEEcIS&*~t~ zSa}uizBN3cx7%Qa%y(U!n_a@G2R_=n3o&VZO zYP`q$0bo@IW?erw_qXg6nP^;4nLpyjDwYkp*)0l)rW;Yy2LMHH_t zHk-3BFIkvIe#L?^JowuWd8)uwqjRWTi>>gD1Sz z+?)1nR@0uDns!h?nI}vG{}=eV1rNfIRn-(KB85S5J=uNWdsffsT3XlHl6JbK^1ZL$=xE+UJw1UB|MUx1rWG*m;)GSQU_nhS zva;#=(o{_y>i1N%p@X-4M{4{pEQki`rl$SuiY`Ggsv(K9NZrOhdPd;`g zSBIcvUy{~IAa}iUatEy^aaCjAHYr^IX?}8lX|ieVB)eOT;NIY)=Kd3ndYqrDf`#!e zh6dsdiE}F(nLH{p;vE9{kDT03Xa|q$C6K;;^x|9g-H`{6|LWsI?uL_3*n6Y$4a zH;FMdU`}c!wJrE1xdKW%qES0dGg{2$NwxnYSWK`=`S$Oi?+OjY%$0)1 zJ0va5DT?#@VG>l8p(uJbE^Es~anYRe@c%Eoyg>a2$sbw7EVzH!PmF&-&^?a+jaeav!DO%r!QpYATOqfqj~cNtc48*2cW7M4lw~~ ze_VapSF!Sbl^Enofhxng`>Co~8rI3&5Yq5jlf^ZuziTLt9SKKE7Q|aCM)Hy+IXdg0 zsTlebJ@LdxGK*&2#GAqa;@1cx!4tB~?n7Kaxpnd=yrHg`)nwDs3pdC_=V@uu7(B@E?o;T2D ze^?gv)7&ZC8{iw&>CKEcHWhTX`iaaVj)lHb

$5He&ZhO~HM9h>F5*jeaHJ`|wcu ze1JUoAjLXL#t&aEb_+y4`zp$R#(%M_o}+5~j7zepoET=Qy_=}9{KywlVk@{egEIXa zDB3k7J{t~@B;Q+DmATMBamZ6P>;qy_6qBxu^c$u|Bzf(=iG&zfA<;>>5N^h%-{eYy?enF2uM@z}!`8&vNwtHG#aY_wVBU70d3|L_OqHU9AmB z>$MdzOIGE{{S|6p61R&`+LaGQQC|9awoU@W9c3^r{+Ml9c8bR)2Q? znM;HI21>m+4Me-ZHKcwR7SVl47A>R=>mWDifwXfU=@*0p&i67V?De)(7I?qbj`!D} zf9zzazU1Clgw8z>Y0)o(FW0yX|CyFtKFCTA3a@!JSi%$dd(@DBl!w!KLaaJJvUOlx zBBO(415$aSeiTL_n-xRBFn3dox1XnWAD4NS&RVpbrnyMYW1}_3z`JZwdw6HOY5_l8 z|6s5Eox3xRVE_?p@jk*Ly##G|RlLuFgb!Hn(}#Hh87PcqCq1DQ%)YZ>Lr}IajALSo zUqmDa{HSFI0NxmX$SuA3mVfWWE~>8y5>9g~{bV{iC*y2r7Dhof8SwXuJc+|6>ftgd zD58J?jDT8hz+NcNCxV8r)(-aiK~o<@rq(FpOAo)Wj5d;YPTnao^sI$a1x3<;iFI~{oSfhx zrt7o$14h%D!;LBmFmCfEiz*s0xSP6;E#n))E&LIAxt)lM_8`<6j;Ub!I^OMsSun_+ zH1J~1;JN^p6DG9ssmP(a+*6IKbraiH&OPtMU78ndbNx6S-^A-m;;o^G#e;7Byw(m( z{@kYajybh|DT9hQgU1#mZBE%h7B?hqidBa+eB2`0q1r4TEfPMph%`=xP`t)blysQO zU{HHM7hs_D_Mt_p{tmXuY1Q+p8*K`!{MlCOcHZG)o!BiB_` zO?gr~T!1Sfi_bkrW8L}CL-{6R64I6%R)R!Bdi&gehvfbbf4UvInw_c)`}xmz-+uS@ z&FK8+n|IIWKYx!8U#R6bFnW2CAYYq%WuDjh-CRd&^V0i? 
z0ZvKhO2J}n$go7L3PplOAyP9KCOCjJ-ot@`?JLz}gn*nY8D*qcV3K%$`|)S5$jiFT z;3$ND)#B(_nYzh>ty{tojXKqcQt_vAF|(iqB4^DnX;D*2>Y+OM zGOe#h{@Y0NYFKGZ@1%Qc;6|;NvV`qt5}fy*j{8v?@a&7IB*Jh!QkOnXs!d|)!^y-J zxy6Xz{72-2)xr6Ye~c@GyM5#?7R}`pe^b@9fnja%yN@XY;v6xNX)NbME*;uPKoLZL zALeG9511??JS|3}9DizC2L2cz_E@dRxTQA2=39*|I{azIM_PTaq7FCiRr+44kDw1w zhvAbx_&AtjEMrJIE=mb>_e<$*rO1eN`{TJ5VGJ*``1;sg5+G0LtDnxtEMqXSr{BkF z^VGN!(j1zM7U1V2MvbCj<{YV)e*3V0!ANDsYWn+p$b##nUBq_hzcQNE{50gtGoCSw zCO$f5qJg!*jd$q*s#qZ&;{8Fa&-&#iE0+s^qatUyI-Sb`#v@2P?r*^(9zxO0>=jFP z@57)7ws8{IPu@o_Jme3VcNc?)vx9#D*sfxA9C_(omPa183+?aFzqWDKrf1WC4`l#O z3#)ekiL;%LxjA&b$EOcdQh=Kx_j5~@fd8A|e(nU5T%!I13JseQ`b|B})AuN+$lGlq zOoLVSjQBp3GqZAL&5<{)_O$Z_-;NxZ56yFF)tu-lrbEYcaAg9Sev@4IZ$~!W-n}SV z{m~Jv4vQ5~nrMVFhrJs-x89b2Che-J3YJAS&Y@9LtAf!J8dwgU3+yf#3=g_=9>yTN zL+_``9Z};WSiwBRYqS}dnk3Hd{5x^htYP=K(|d$u5)m3Aii7#zfm zHH8%$E91}yW2^OtE?O4sxHDNm|8rTWXF_)_S$NO$b8yW&E!h$t63vl+zE#)^`gZkg zXW3Zy0S!FDzHgJ^dEyB#fctObUoIqKo8!I$q>Duoxfgg>$44;{@5(&wCS^L$pXL!v z=^O1y>{Ul(O**TD7DC$=ubNIbM`3cEs!wWK(w=ri z4h7zsyPi70!4ZHL%c{(Om(scvs3p}kqYW1GPIZ-NAF-~KaP56+k4-GA>|XQ3(yCgq zW)CeBp8iyc8j`eak4lKO$9`f>k?h45MH80q%Ns=dw zeuDYjXl1LPe zf2S}#gS!N4HwFOKObZd`!!LD%c|2J0w*h(XCD@gGTXglOFN4L z=IqYlfVno_?9pz+bZKEhJk#-U?ZvGq>v&4~6O<>x?v7J`o)Z3ceSF;!;L{YL9N#@% z0eIqe^RlDqO6py^u%6E~b<5b2f$xYp+vqvs&Nh6GxbuTij=;06;1sTlCG6cyJ981J zJN)l1@`?`Z)U{Phd#@AbTqn{Icv&}d0AAG1Y`Fad0OxKXAa&iKtvhuHmu@`1uxHSB zA6h#j&O}0g|Hd2Khd+N3X#rxZqMse0txK0OK#Z6ejZ5PilcV+a`3{uM5|Oye^Pwnz zS5K}|XROBXgey568hon4Ix&bMi60Qzi4@dUg$EY76^?t;1|^6DF;o|&HV0uH-@|x{ z4CM>@2%j|(-Hav*;ZG`?Qe@&>ybljakIPCwSGWa#BJD*toD^x88rr>nfV1(uQ1e*f zRExLrC3}PyScpx#P+nZO)n|HK^r@-?OA-e{p)JE;q{lBae?`E*A^U6?zb&26Ap$ipsc z(n{Qa*|?r{z>`O_xh4w}JDG08;;?358pldyn+netrMUg?0?7~VJ5{gAC=N4-Tbr5- zLr7fvl^`tCjq(Qrw78sqR31IjQxOq9ZwxgO1bJcSH<=@PE|-yF z$CQrzV;hd)@ijjQ1^(zN5Y*epf)YO<0@2!0i_|v{}Y(A?K_693HX69 zpEjiYkeTYQW0ijG4t@cI05B}3V<0UtIZ+-SqM!~exyaC8lgE%>jf6+3+|!DG|M8Ksfw`~XkPECPRRV7sgg%B(%Q#~62hTwM zG@ZQLT@3_=osyELAx7KNx>)a-YYSl;ey+=aj+6T{%pUJt_rJ 
zSjXc5DS(m2p0_mguGeF4am@ev#- zPxg38oE;ciu?goV|xMTOag$ZWRMbBP7$m z?&Bkqf)t+tVv`~jGXX)9RuyV6p7@;+F@MttOxoa1qcOh1H?nye-_-|`UL?IB@`boH zg5Nx;7R!I(lLPvmEhqo4B@)%ws+?sU<%&eM4ANYYjuP4YV8A=0&2F0l-`Rn}|pC<|mA>;m(X lMj18`S4AAn@<%4%Fk}XJ)jD{WlZ+Wg316qigk%870017E2Fd^c delta 5219 zcmV-p6rAhYGutzNABzY85zZA^00Zq^>yO+vlF!%aze2DBcqZ^Xoy35h-NPbT;O@f# z!R`Y4;c};_C3d$mdPR?UoZLAWo zc@givdZN!2e7^twTl~I$``wlL4WBn}Zod8QtLrz{SKqyV`S$JA&GlDT*KcmF-hAa< zJ(WP}r>W|o^t`W{;fQ?Dr-vfp&9pQa=_-4O*W1wdO|#8u07)7Ou3|RYdXX zY_mBD^OA*Wx!-Kz#v(vAy&o(DgAioG|kQ;x0H5aFQQlD+GfEAlkAS+F}A3Wi$ z=H9d?vzqqA)U<;F$~<8j_`kr%(zP{08AjDIQRZ!9wJ5aI1&rx+d9<8G-3^Jm$jM)L*GgMcqlf^&${Itn)Hv z)eKF4TgQz<*Ve08Cgfr5_@`g6GOd7d7bmQe1q*6w zk(Eu?m!@j!P@huKh7R8H9jWoZupk1sD>oYB6S=4=m~-I$NE{i#rgy~ zuMR=Uz9g-aK<;|y;H#5)A?A33={p&dM~qZlmP0+nl&{+~e>?1vM{modgt679)sn}9#Y zx=Dus%WqgO_Amt})&;hcL!bd4I_!y0$s^mMe#9S$8 zyhGB`oT50dA0|On8H%E3XY4)S7(IGQ(az*^W~Z~&^B;Sdv$ z_Q%zieHAP3R*6Bb6sR(+yC18XrD2`S4IvGmHCbGf`n!hW*pYCwWI?>OVk9qFlB2T@ znu?)6(GyR6B(rGNUCzM^Ff8{GO2Tn8>rq9LclhPCJ)>QbPH+i3IWf z_J?IrKhB-Py#c;ao!-oNV^cwAs~^cc;#lY_RgRE>Y9n@6)D+yuho~t0*63Ffz6%ef z&j-l84^ph7Wc={uVz)r#v#+9mZ2T9?>N%>$&$uLu%86l?+PjGw%a42^CANZlGbq!) zfudbQ;kf0?>}p$Ub$s6Y0%^%o0)#sS#)UF7Z!}=i!9@j^_SrIa*^E8$=034SR zW^F%+(m3OD5pD#Th7X^AtR&J!`vB064E^L;CgU5e(}9)u0uLPh2d}EZB}r+1VfAPC zpSd*XZ=lqR(?GNfTtn)IVG-SzWYI#}unuyA9!NX)k$yoq;Cv@z!d`DnWr6o=?RbCv z`NvL%>Pzl@Md;iEkrw?j_;QWQ@SkbP<%6u`pzxYkgC#tHze5dwNqIP(C&a4rBU=a7 zB{Di#HXxNJ>PKM|vRN?{40AWdc>8&3cX63#>8wS|(=->!d2F=C7S1sVD z>mTg3zjJrSF$^GLE#3!Mq?e!#uZs6sknjQPeSAMJAOnTb?4&1@g4uUAYzWHsg>g(w z@r#J$fFHH&0Kgl61G%L)-}3LB*hTd&B7?iCIkL{ktcEZNIhHz z1w|AvfDus34cIf~`9#q0)!M;cKWOTM$kZA|eCgpAmeEG?&dEC^hMu)hs(fTVse&~6 z`MA6VeM23aYxqQVU24I(IgUy%R1l8cXVo~{T+d&w&qK9;pYL{$M?sM^U}Bw}Atxtz zi0S%l{(#Z6=5V8m0*u?d$)bt|4DP0`W6Su4a0`D#UT!DiqCE(;hGQz2zK(Z0VHOOs zM-9A~Gq^6m<%9{Xd@ORPF85U9YTd;4m2=NKahK*r+gv|R$2al1l6Y$PDNwDu1?>I-WaB@f;h9e(7ynn;)N{PTQd9|HyS! 
zRa2hS4j14`$l`O)(O7pr^iaNun1r-Bq0&^3B@Lq8YhO*Q;{~jFY~7GPDN1T zOxR2ZDa4e{0XjKMelS!w4$#k}ISEXu)otrjOIMEaxuSrjdFJz(;Z#$S?R*>O@~dY1 zn-9}|cnGpRJxwVPq=Rdj&|h`rXqUq}@yybHZPckol!`x{ikSr^5IJjpNsF3FQV-S1 zmuY=9^4~_9SHntUdMDjm12<~DlqGCGli;-Xbli{HfM;JsB@u?>k-GG8Qf(4TA5JE= z$Sp?v=074ItPW0x{9{}h-0dTGv1l%*_?xP(4Ge38-+fFO5a)=AOk+76a_P`U0*WAi z`Y<=+biia8;b}1%<@i(EGVsR$vBzpf#x1oGHs5M&(cw=sKGN!Y6?M3AuhREYeFS}g zIt-um!Npu#JIvpn*!U1)!Y{Ha(kvekcQQ zT3EdUNSy6_%*~<}2_U=W| z>W_|Sby%!`(nKSaIqcowx$(AtG-+2&Rj@3waSn}|S{00*(7)(pAW(~W;o!%oPlZem|Q5@_CQ1a;_NSjpcT!$Ti ztSPM6SQ&>t7+bABbk?$9$DPRn`k%`}JrlZf$-+CHpMz`OX~~xGkZ6v7^sT~X(6_5^ zJIltp4`|>K_I;ZS&l6900o;EZ|8gb~+Z^{5AYCky$i2Y3IzEVrcvt3WH!0J3{xpwZ zO5bQtVo!)CvpUD?G2MaSW5LD;ycZ)*X0JLTYtmUIv=G|1c-3^eISP~ORDDv@lJ>MC zawzc5-1XD}4vql4SXO0!zLeIbKrN}R8EvqbcdDyI`+#+&glq3(du(D^W%rsNmR8k@ zHG628@bsrj+`tsYwRyWA-7Fm;ypuziA6SQZs|HNH;rqzfy8T?G2{E;qltT95$))q( zsyw@Zhc9du_@IrgjTh@5#~b4>y+1_}PY+9jTh`0nII!^6yU)vi+Y2E3_q<@cCP^MK z`VAUL^E(QSXWl*Y4gvfTcw2@F@Txp%Fq{fpe-{ME6XmprxXZB~(73O8vci4dB#|f_ z|4w0g26qY8ZVUjdnHD0>$-jW`y(2>xn2@20P9@|DXd@Q`7XmY<25kIV8;k{*{D=j^ zw-;A4K3F!KXJXHP9^S6_{h*@LU>`sm2K|u=pEyx)w9;Mik5RmP9YkQ_DGQMYh@Y~I z*$(%dGF)bn;pq|VnacF>-oB$`D}ATN#^(+bUN_aPSXQ0(5I9-MJbS-rl-cebTiRJ1 zFlToT2h6qcW{-9orb`P8;+c+*YcFm^S;te-pP+ma?Cv;!ZD93l7 zt^ho7yLs8sbS3q!U0BcOn!06d$-sBSoNe?Rac3JoN8I_rC`aJgR&WZ}#S->zrk%M6 z)E)kJ7kNbocIw)yrM=e)bFLHV2)wMDIRG!}W;Wb@0)TTj5RkfV(AJ$ggiALbU)VF~ zyZ5b~5oaQQp?~8I?!%uyinIW+RngB5(AK3(86ZYXjK-yLjmgn^`+N&ZXNgGM<@r#Q zzpE!#sWVn%c*2#O4h=q5VVxL6k;M0i>_iG`tHJ||+zQ9NX@e3(f*7icQk#RYj_+VR zMTYVPeT2`Nh;Bv`h43epO(`;QF5ZWSq{n5YpDWyd0+IHj8%~NeObzW`Kfu{|UZ{Dj zaH_>y`I0@t3oOK@T_`WE+v+nt&iYi8e33liMEe;+@n5Tgg*9qkOufp)SlF&*nDJE97C9 zHEAV(?rdDoI^fBp*<6!_iJeS0VsThAFpXoSvQ35Oi&EVFcY)*w_noTOWE6)P#H~%u zg&`!aeM8XeapErgY34*+^^P9{OJ(tT! 
zv13X{{xK8A($Jgk)(0H$RO__b8>oB4;3MJA6;PWN-*FWx!+_EdmT^SBw;Xh40bY7zYD>#m)&iV= zx4q9+i9T<*y=Y(IWEfnmsbk^0Mr;=}NzLOd4a0@%eRahCw5U z$rXxsR$R^fA60ee&Sq-4Ug;UjA~gm#&-i1mnyrPx3}7gA2ZKLPs)@ESFvkV=5SMY| zoA>UxS#(NoqFiL?ugOEmuSUY7RPJei#sBy~*}&XaaL5H#lPZBX4MHEor)3;5`h#a6 zf1FOV^5n{Hbajwxk{^t}Ho4E^OUiM^pmWOL!>$}A$R3q~ zD6Hf0fRw-+?aMBI_k%96(ZlJ2$I9ks1b?t(hI*mA>T9BL3_-qb7i%8tco)n-bw5Ns z#w1+k-h4G3P}uY6#9dr~P0V)rMD*eJhE=ss4%P6arG{SA$4_CDfG1&(e@J3`bVEbz z5?rBICpjTMlN}K_9jOZdLl{UQ0>$A@w<*R1l+^4n(-}rfOVT*dBzKc?5q$x`lkgE7 zD3A7dNt_)RTI5K{51Ob^E9Lqzpb356yOq7^c97agv2hvKk`{IPV3RZwh5>hzyAmG= zNjrsQrh#>$lj0I*0nd|46Ne-2!B2=LEBeZ)R9ufQik&y@Lfy0-U}DTd+|bBy-_m$P z$k~(h6LlCTJ>u?goV|xMTOag$Y83-XBP7$m?&AZKffSzsY?C1sGXY+cRTXM~9{HUS zF@MttOxoa1qcOg~H?nye-_-|`UL?IB@|n0bg5Nx;7R!I(lLPvm?2&~z;Zjh<(DV1RF@jl8BPioXO$NziBDiVNwhXSPukbG*Rb{3M$?UTt4OQY zqL58YDU-L{N9r4sK^ABc1J8Z)M5xwl_!m}Aox9@lcaypnp8~(P zlUo-k0i%&WR7-O_@?() z>wl$pmbGGE?4Io1R`&OQUA_J8`_cQquHQbt|Lc={E^(c7`O5`=-3Ps_54!|=sKq<1 z{N|l7z~#HHkBe)Qt1B2KmrYe(Ch-;r_a(=&TO-3igTQ?9@2g<+Jfd&`7 z!&?h5c?i!DZq2#_=H-ea!n1H40THdG`mg`F{O@mgymj5yImbw0Rj($oKo##LSsOOX z@A9Nc+4+1`s4rCSLBk3mTB}o4D&RVuv_Cjk*ML&OdVQ>e7Sp--US<)LS3U`JR!f_8 z3S;-|-%fv=u|j#xIw_#T5yRjpxXtBVz-x`k9vsOPsN2pb!6Z@GCj!MF}ECNj+JM>afhhvv*q;DC5@ z1Z0QV>2aNIs> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..d651a7d 100644 +index 8416beb..19d5bea 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15850,10 +15850,31 @@ index 8416beb..d651a7d 100644 ####################################### ##

## Create, read, write, and delete dirs -@@ -1582,6 +1800,24 @@ interface(`fs_manage_configfs_files',` +@@ -1580,6 +1798,43 @@ interface(`fs_manage_configfs_files',` + manage_files_pattern($1, configfs_t, configfs_t) + ') - ######################################## - ## ++####################################### ++## ++## Create, read, write, and delete files ++## on a configfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_configfs_lnk_files',` ++ gen_require(` ++ type configfs_t; ++ ') ++ ++ manage_lnk_files_pattern($1, configfs_t, configfs_t) ++') ++ ++######################################## ++## +## Unmount a configfs filesystem +## +## @@ -15870,12 +15891,10 @@ index 8416beb..d651a7d 100644 + allow $1 configfs_t:filesystem unmount; +') + -+######################################## -+## + ######################################## + ## ## Mount a DOS filesystem, such as - ## FAT32 or NTFS. - ## -@@ -1793,63 +2029,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +2048,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -15971,7 +15990,7 @@ index 8416beb..d651a7d 100644 ## on a FUSEFS filesystem. ## ## -@@ -1859,18 +2102,19 @@ interface(`fs_mounton_fusefs',` +@@ -1859,18 +2121,19 @@ interface(`fs_mounton_fusefs',` ## ## # @@ -15996,7 +16015,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -1878,135 +2122,835 @@ interface(`fs_search_fusefs',` +@@ -1878,49 +2141,240 @@ interface(`fs_search_fusefs',` ## ## # 
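Review bot: The summary on the new `fs_manage_configfs_lnk_files` interface reads `Create, read, write, and delete files on a configfs filesystem.`, which is the summary of `fs_manage_configfs_files` directly above it, while the body calls `manage_lnk_files_pattern($1, configfs_t, configfs_t)`. Change the two summary lines to `## Create, read, write, and delete symbolic links` and `## on a configfs filesystem.` so the generated interface documentation tells the two apart. Since this hunk edits policy-rawhide-base.patch, the lines only reach policy/modules/kernel/filesystem.if once that patch is applied, so the wording cannot be checked against the refpolicy source from here.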
@@ -16058,50 +16077,33 @@ index 8416beb..d651a7d 100644 gen_require(` - type fusefs_t; + type ecryptfs_t; - ') -- -- dontaudit $1 fusefs_t:dir manage_dir_perms; ++ ') + dontaudit $1 ecryptfs_t:file append; - ') - - ######################################## - ## --## Read, a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Manage symbolic links on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_read_fusefs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_manage_ecryptfs_symlinks',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type ecryptfs_t; - ') - -- read_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) - ') - - ######################################## - ## --## Execute files on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Execute a file on a FUSE filesystem +## in the specified domain. - ## --## --## --## Domain allowed access. --## --## --## --# --interface(`fs_exec_fusefs_files',` -- gen_require(` ++## +## +##

+## Execute a file on a FUSE filesystem @@ -16269,13 +16271,14 @@ index 8416beb..d651a7d 100644 +interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` + type fusefs_t; -+ ') -+ -+ dontaudit $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+##

+ ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; +@@ -1928,105 +2382,652 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` + + ######################################## + ## +-## Read, a FUSEFS filesystem. +## Read, a FUSEFS filesystem. +## +## @@ -16364,10 +16367,9 @@ index 8416beb..d651a7d 100644 +# +interface(`fs_manage_fusefs_files',` + gen_require(` - type fusefs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ type fusefs_t; ++ ') ++ + manage_files_pattern($1, fusefs_t, fusefs_t) +') + @@ -16804,12 +16806,10 @@ index 8416beb..d651a7d 100644 + ') + + dontaudit $1 inotifyfs_t:dir list_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. ## 
@@ -16835,24 +16835,74 @@ index 8416beb..d651a7d 100644 +## +## # --interface(`fs_manage_fusefs_files',` +-interface(`fs_read_fusefs_files',` +interface(`fs_hugetlbfs_filetrans',` gen_require(` - type fusefs_t; + type hugetlbfs_t; ') -- manage_files_pattern($1, fusefs_t, fusefs_t) +- read_files_pattern($1, fusefs_t, fusefs_t) + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ') + ######################################## + ## +-## Execute files on a FUSEFS filesystem. ++## Mount an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_exec_fusefs_files',` ++interface(`fs_mount_iso9660_fs',` + gen_require(` +- type fusefs_t; ++ type iso9660_t; + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 iso9660_t:filesystem mount; + ') + + ######################################## + ## +-## Create, read, write, and delete files +-## on a FUSEFS filesystem. ++## Remount an iso9660 filesystem, which ++## is usually used on CDs. This allows ++## some mount options to be changed. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_manage_fusefs_files',` ++interface(`fs_remount_iso9660_fs',` + gen_require(` +- type fusefs_t; ++ type iso9660_t; + ') + +- manage_files_pattern($1, fusefs_t, fusefs_t) ++ allow $1 iso9660_t:filesystem remount; + ') + ######################################## ## -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Mount an iso9660 filesystem, which ++## Unmount an iso9660 filesystem, which +## is usually used on CDs. ## ## 
@@ -16863,68 +16913,19 @@ index 8416beb..d651a7d 100644 ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_mount_iso9660_fs',` ++interface(`fs_unmount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ allow $1 iso9660_t:filesystem mount; - ') - - ######################################## - ## --## Read symbolic links on a FUSEFS filesystem. -+## Remount an iso9660 filesystem, which -+## is usually used on CDs. This allows -+## some mount options to be changed. - ## - ## - ## -@@ -2014,19 +2958,18 @@ interface(`fs_dontaudit_manage_fusefs_files',` - ## - ## - # --interface(`fs_read_fusefs_symlinks',` -+interface(`fs_remount_iso9660_fs',` - gen_require(` -- type fusefs_t; -+ type iso9660_t; - ') - -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 iso9660_t:filesystem remount; - ') - - ######################################## - ## --## Get the attributes of an hugetlbfs --## filesystem. -+## Unmount an iso9660 filesystem, which -+## is usually used on CDs. - ## - ## - ## -@@ -2034,35 +2977,38 @@ interface(`fs_read_fusefs_symlinks',` - ## - ## - # --interface(`fs_getattr_hugetlbfs',` -+interface(`fs_unmount_iso9660_fs',` - gen_require(` -- type hugetlbfs_t; -+ type iso9660_t; - ') - -- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 iso9660_t:filesystem unmount; ') ######################################## ## --## List hugetlbfs. +-## Read symbolic links on a FUSEFS filesystem. +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. ## 
@@ -16935,61 +16936,63 @@ index 8416beb..d651a7d 100644 ## +## # --interface(`fs_list_hugetlbfs',` +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_getattr_iso9660_fs',` gen_require(` -- type hugetlbfs_t; +- type fusefs_t; + type iso9660_t; ') -- allow $1 hugetlbfs_t:dir list_dir_perms; +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem getattr; ') ######################################## ## --## Manage hugetlbfs dirs. +-## Get the attributes of an hugetlbfs +-## filesystem. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2070,17 +3016,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2034,17 +3035,19 @@ interface(`fs_read_fusefs_symlinks',` ## ## # --interface(`fs_manage_hugetlbfs_dirs',` +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_getattr_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; ') ######################################## ## --## Read and write hugetlbfs files. +-## List hugetlbfs. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2088,35 +3036,38 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2052,17 +3055,20 @@ interface(`fs_getattr_hugetlbfs',` ## ## # --interface(`fs_rw_hugetlbfs_files',` +-interface(`fs_list_hugetlbfs',` +interface(`fs_read_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) 
@@ -16998,9 +17001,53 @@ index 8416beb..d651a7d 100644 + ######################################## ## --## Allow the type to associate to hugetlbfs filesystems. +-## Manage hugetlbfs dirs. +## Mount kdbus filesystems. ## + ## + ## +@@ -2070,17 +3076,17 @@ interface(`fs_list_hugetlbfs',` + ## + ## + # +-interface(`fs_manage_hugetlbfs_dirs',` ++interface(`fs_mount_kdbus', ` + gen_require(` +- type hugetlbfs_t; ++ type kdbusfs_t; + ') + +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 kdbusfs_t:filesystem mount; + ') + + ######################################## + ## +-## Read and write hugetlbfs files. ++## Remount kdbus filesystems. + ## + ## + ## +@@ -2088,35 +3094,35 @@ interface(`fs_manage_hugetlbfs_dirs',` + ## + ## + # +-interface(`fs_rw_hugetlbfs_files',` ++interface(`fs_remount_kdbus', ` + gen_require(` +- type hugetlbfs_t; ++ type kdbusfs_t; + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 kdbusfs_t:filesystem remount; + ') + + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. ++## Unmount kdbus filesystems. + ## -## +## ## 
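Review bot: `interface(`fs_mount_kdbus', `` and `interface(`fs_remount_kdbus', `` put a space between the comma and the opening quote of the body, unlike every other interface in this hunk (for example `interface(`fs_read_iso9660_files',``). m4 discards leading unquoted whitespace in a macro argument, so it is harmless, but the inconsistency reads as accidental; drop the space to match, e.g. `interface(`fs_mount_kdbus',`. The same spacing recurs on `fs_unmount_kdbus`, `fs_dontaudit_search_kdbus_dirs`, `fs_delete_kdbus_dirs` and `fs_write_kdbus_files` in the following hunks, and judging by the matching removed lines it is carried over from the earlier revision of the patch rather than introduced here.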
@@ -17010,64 +17057,67 @@ index 8416beb..d651a7d 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_mount_kdbus', ` ++interface(`fs_unmount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - allow $1 hugetlbfs_t:filesystem associate; -+ allow $1 kdbusfs_t:filesystem mount; ++ allow $1 kdbusfs_t:filesystem unmount; ') ######################################## ## -## Search inotifyfs filesystem. -+## Remount kdbus filesystems. ++## Get attributes of kdbus filesystems. ## ## ## -@@ -2124,17 +3075,17 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,17 +3130,17 @@ interface(`fs_associate_hugetlbfs',` ## ## # -interface(`fs_search_inotifyfs',` -+interface(`fs_remount_kdbus', ` ++interface(`fs_getattr_kdbus',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ allow $1 kdbusfs_t:filesystem remount; ++ allow $1 kdbusfs_t:filesystem getattr; ') ######################################## ## -## List inotifyfs filesystem. -+## Unmount kdbus filesystems. ++## Search kdbusfs directories. ## ## ## -@@ -2142,71 +3093,134 @@ interface(`fs_search_inotifyfs',` +@@ -2142,71 +3148,118 @@ interface(`fs_search_inotifyfs',` ## ## # -interface(`fs_list_inotifyfs',` -+interface(`fs_unmount_kdbus', ` ++interface(`fs_search_kdbus_dirs',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ++ ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 kdbusfs_t:filesystem unmount; ++ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Get attributes of kdbus filesystems. ++## Relabel kdbusfs directories. ## ## ## 
@@ -17077,21 +17127,22 @@ index 8416beb..d651a7d 100644 ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_getattr_kdbus',` ++interface(`fs_relabel_kdbus_dirs',` gen_require(` - type inotifyfs_t; -+ type kdbusfs_t; ++ type cgroup_t; ++ ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 kdbusfs_t:filesystem getattr; ++ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Search kdbusfs directories. ++## List kdbusfs directories. ## ## ## @@ -17099,50 +17150,9 @@ index 8416beb..d651a7d 100644 ## ## -## -+# -+interface(`fs_search_kdbus_dirs',` -+ gen_require(` -+ type kdbusfs_t; -+ -+ ') -+ -+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+######################################## -+## -+## Relabel kdbusfs directories. -+## -+## - ## +-## -## The type of the object to be created. -+## Domain allowed access. - ## - ## --## -+# -+interface(`fs_relabel_kdbus_dirs',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+') -+ -+######################################## -+## -+## List kdbusfs directories. -+## -+## - ## --## The object class of the object being created. -+## Domain allowed access. - ## - ## --## +-## +# +interface(`fs_list_kdbus_dirs',` + gen_require(` @@ -17162,7 +17172,8 @@ index 8416beb..d651a7d 100644 +## +## Domain to not audit. +## -+## + ## +-## +# +interface(`fs_dontaudit_search_kdbus_dirs', ` + gen_require(` 
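Review bot: `fs_relabel_kdbus_dirs` declares `type cgroup_t;` in its `gen_require` block, but its body only references `kdbusfs_t` in `relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)`; the same copy-paste appears in `fs_read_kdbus_files` in the next hunk, where `type cgroup_t;` precedes `read_files_pattern($1, kdbusfs_t, kdbusfs_t)`. The require should be `type kdbusfs_t;` in both, and the stray blank line inside each `gen_require` block can go. Judging by the matching removed lines both interfaces are moved unchanged from the earlier revision of the patch, so this is a pre-existing defect the reshuffle keeps rather than one it introduces. A module that expands these interfaces would not get kdbusfs_t added to its own require block, which is presumably only masked today because kdbusfs_t is declared in the kernel filesystem module itself.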
@@ -17177,6 +17188,28 @@ index 8416beb..d651a7d 100644 +## +## Delete kdbusfs directories. +## ++## + ## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`fs_delete_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## ++## Manage kdbusfs directories. ++## +## ## -## The name of the object being created. @@ -17185,15 +17218,16 @@ index 8416beb..d651a7d 100644 ## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17202,24 +17236,25 @@ index 8416beb..d651a7d 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Manage kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3228,19 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3267,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; -- ') -+ type kdbusfs_t; ++ type cgroup_t; ++ + ') - allow $1 iso9660_t:filesystem mount; -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
@@ -17229,25 +17264,23 @@ index 8416beb..d651a7d 100644 -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Read kdbusfs files. ++## Write kdbusfs files. ## ## ## -@@ -2234,18 +3248,21 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3289,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17256,41 +17289,15 @@ index 8416beb..d651a7d 100644 ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Write kdbusfs files. - ## - ## - ## -@@ -2253,38 +3270,61 @@ interface(`fs_remount_iso9660_fs',` - ## - ## - # --interface(`fs_unmount_iso9660_fs',` -+interface(`fs_write_kdbus_files', ` - gen_require(` -- type iso9660_t; -+ type kdbusfs_t; - ') - -- allow $1 iso9660_t:filesystem unmount; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) - ') - - ######################################## - ## --## Get the attributes of an iso9660 --## filesystem, which is usually used on CDs. +## Read and write kdbusfs files. ## ## ## - ## Domain allowed access. +@@ -2253,38 +3309,41 @@ interface(`fs_remount_iso9660_fs',` ## ## --## # --interface(`fs_getattr_iso9660_fs',` +-interface(`fs_unmount_iso9660_fs',` +interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; @@ -17298,7 +17305,7 @@ index 8416beb..d651a7d 100644 + ') -- allow $1 iso9660_t:filesystem getattr; +- allow $1 iso9660_t:filesystem unmount; + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) 
@@ -17307,33 +17314,40 @@ index 8416beb..d651a7d 100644 ######################################## ## --## Read files on an iso9660 filesystem, which --## is usually used on CDs. +-## Get the attributes of an iso9660 +-## filesystem, which is usually used on CDs. +## Do not audit attempts to open, +## get attributes, read and write +## cgroup files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## +-## + # +-interface(`fs_getattr_iso9660_fs',` +interface(`fs_dontaudit_rw_kdbus_files',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type kdbusfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem getattr; + dontaudit $1 kdbusfs_t:file rw_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read files on an iso9660 filesystem, which +-## is usually used on CDs. +## Manage kdbusfs files. ## ## ## -@@ -2292,19 +3332,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3351,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -17361,7 +17375,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -2312,16 +3354,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3373,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -17382,7 +17396,7 @@ index 8416beb..d651a7d 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3439,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3458,24 @@ interface(`fs_getattr_nfs',` ######################################## ## @@ -17407,7 +17421,7 @@ index 8416beb..d651a7d 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3544,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3563,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') 
@@ -17415,7 +17429,7 @@ index 8416beb..d651a7d 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3583,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3602,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -17423,7 +17437,7 @@ index 8416beb..d651a7d 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3610,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3629,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -17468,7 +17482,7 @@ index 8416beb..d651a7d 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3668,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3687,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -17477,7 +17491,7 @@ index 8416beb..d651a7d 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3688,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3707,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -17520,7 +17534,7 @@ index 8416beb..d651a7d 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3738,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3757,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -17529,7 +17543,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -2627,7 +3762,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3781,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -17538,7 +17552,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -2719,6 +3854,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3873,65 @@ interface(`fs_search_rpc',` ######################################## ## 
@@ -17604,7 +17618,7 @@ index 8416beb..d651a7d 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3935,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3954,7 @@ interface(`fs_search_removable',` ## ## ## @@ -17613,7 +17627,7 @@ index 8416beb..d651a7d 100644 ## ## # -@@ -2777,7 +3971,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3990,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -17622,7 +17636,7 @@ index 8416beb..d651a7d 100644 ## ## # -@@ -2970,6 +4164,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4183,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -17630,7 +17644,7 @@ index 8416beb..d651a7d 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4205,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4224,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -17638,7 +17652,7 @@ index 8416beb..d651a7d 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4246,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4265,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -17646,7 +17660,7 @@ index 8416beb..d651a7d 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4334,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4353,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -17671,7 +17685,7 @@ index 8416beb..d651a7d 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +4470,182 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +4489,182 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -17858,7 +17872,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3273,12 +4653,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4672,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -17873,7 +17887,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -3301,6 +4681,24 @@ interface(`fs_associate_ramfs',` +@@ -3301,6 +4700,24 @@ interface(`fs_associate_ramfs',` ######################################## ## 
@@ -17898,7 +17912,7 @@ index 8416beb..d651a7d 100644 ## Mount a RAM filesystem. ## ## -@@ -3392,7 +4790,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4809,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -17907,7 +17921,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3429,7 +4827,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4846,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -17916,7 +17930,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3447,7 +4845,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4864,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -17925,7 +17939,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3779,6 +5177,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5196,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -17950,7 +17964,7 @@ index 8416beb..d651a7d 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5231,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5250,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -17975,7 +17989,7 @@ index 8416beb..d651a7d 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5342,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5361,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -17984,7 +17998,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3916,17 +5350,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5369,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -18005,7 +18019,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3934,17 +5368,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5387,17 @@ interface(`fs_mounton_tmpfs',` ## ## # 
@@ -18026,7 +18040,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3952,17 +5386,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5405,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -18066,7 +18080,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -3970,31 +5423,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5442,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -18122,7 +18136,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -4057,23 +5527,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5546,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -18299,7 +18313,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4081,18 +5698,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5717,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -18322,7 +18336,7 @@ index 8416beb..d651a7d 100644 ##
## ## -@@ -4100,54 +5717,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5736,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -18389,7 +18403,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4155,17 +5771,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5790,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -18411,7 +18425,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4173,17 +5790,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5809,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -18433,7 +18447,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4191,37 +5809,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5828,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -18479,7 +18493,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4229,18 +5846,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5865,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -18501,7 +18515,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4248,18 +5865,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5884,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -18525,7 +18539,7 @@ index 8416beb..d651a7d 100644 ## ## ## -@@ -4267,32 +5885,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5904,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -18564,7 +18578,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -4407,6 +6024,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6043,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -18590,7 +18604,7 @@ index 8416beb..d651a7d 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6139,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6158,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; 
@@ -18599,7 +18613,7 @@ index 8416beb..d651a7d 100644 ') ######################################## -@@ -4549,7 +6187,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6206,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -18608,7 +18622,7 @@ index 8416beb..d651a7d 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6234,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6253,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -18635,7 +18649,7 @@ index 8416beb..d651a7d 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6329,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6348,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -18661,7 +18675,7 @@ index 8416beb..d651a7d 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6589,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6608,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3e40862c..9f9f1195 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
@@ -27883,6 +27883,127 @@ index ef62363..0841716 100644 +optional_policy(` + procmail_domtrans(dspam_t) +') +diff --git a/ejabberd.fc b/ejabberd.fc +new file mode 100644 +index 0000000..e797d62 +--- /dev/null ++++ b/ejabberd.fc +@@ -0,0 +1,7 @@ ++/usr/bin/ejabberdctl -- gen_context(system_u:object_r:ejabberd_exec_t,s0) ++ ++/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:ejabberd_unit_t,s0) ++ ++/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_lib_t,s0) ++ ++/var/log/ejabberd(/.*)? gen_context(system_u:object_r:ejabberd_var_log_t,s0) +diff --git a/ejabberd.if b/ejabberd.if +new file mode 100644 +index 0000000..91ef4a4 +--- /dev/null ++++ b/ejabberd.if +@@ -0,0 +1,34 @@ ++## ejabberd is a Free and Open Source distributed fault-tolerant: Jabber/XMPP server. ++######################################## ++## ++## All of the rules required to ++## administrate an ejabberd environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`ejabberd_admin',` ++ gen_require(` ++ type ejabberd_t, ejabberd_exec_t; ++ type ejabberd_var_lib_t, ejabberd_var_log_t; ++ ') ++ ++ admin_process_pattern($1, ejabberd_t) ++ ++ init_startstop_service($1, $2, ejabberd_t, ejabberd_initrc_exec_t, ejabberd_unit_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, ejabberd_var_lib_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, ejabberd_var_log_t) ++') +diff --git a/ejabberd.te b/ejabberd.te +new file mode 100644 +index 0000000..4498b11 +--- /dev/null ++++ b/ejabberd.te +@@ -0,0 +1,62 @@ ++policy_module(ejabberd,0.0) ++ ++ ++######################################## ++# ++# Declarations ++# ++ ++# Private type declarations ++type ejabberd_t; ++type ejabberd_exec_t; ++init_daemon_domain(ejabberd_t, ejabberd_exec_t) ++ ++type ejabberd_unit_t; ++systemd_unit_file(ejabberd_unit_t) ++ ++type ejabberd_var_lib_t; ++files_type(ejabberd_var_lib_t) ++ ++type ejabberd_var_log_t; ++logging_log_file(ejabberd_var_log_t) ++ ++ ++# What will we allow ++allow ejabberd_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write }; ++allow ejabberd_t self:udp_socket { bind connect create getattr getopt read setopt write }; ++allow ejabberd_t self:unix_dgram_socket { connect create getopt setopt write }; ++ ++auth_use_nsswitch(ejabberd_t) ++ ++corecmd_exec_bin(ejabberd_t) ++corecmd_exec_shell(ejabberd_t) ++ ++corenet_tcp_bind_epmd_port(ejabberd_t) ++corenet_tcp_bind_generic_node(ejabberd_t) ++corenet_tcp_bind_generic_port(ejabberd_t) ++corenet_tcp_bind_jabber_client_port(ejabberd_t) ++corenet_tcp_bind_jabber_interserver_port(ejabberd_t) ++corenet_tcp_connect_epmd_port(ejabberd_t) ++corenet_tcp_connect_generic_port(ejabberd_t) ++corenet_tcp_connect_jabber_interserver_port(ejabberd_t) ++ ++corenet_udp_bind_generic_node(ejabberd_t) ++ ++dev_read_rand(ejabberd_t) ++dev_read_sysfs(ejabberd_t) ++ ++files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir) ++ 
++kernel_dgram_send(ejabberd_t) ++ ++logging_create_devlog_dev(ejabberd_t) ++logging_log_filetrans(ejabberd_t, ejabberd_var_log_t, { dir file }) ++ ++manage_dirs_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t) ++manage_dirs_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t) ++manage_files_pattern(ejabberd_t, ejabberd_var_lib_t, ejabberd_var_lib_t) ++manage_files_pattern(ejabberd_t, ejabberd_var_log_t, ejabberd_var_log_t) ++ ++miscfiles_read_generic_certs(ejabberd_t) ++ ++sysnet_read_config(ejabberd_t) diff --git a/entropyd.te b/entropyd.te index b8b8328..111084c 100644 --- a/entropyd.te @@ -32826,10 +32947,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..03db2af +index 0000000..ce9dd75 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,308 @@ +@@ -0,0 +1,312 @@ +policy_module(glusterd, 1.1.3) + +## @@ -33081,6 +33202,10 @@ index 0000000..03db2af +') + +optional_policy(` ++ ganesha_systemctl(glusterd_t) ++') ++ ++optional_policy(` + hostname_exec(glusterd_t) +') + @@ -42725,10 +42850,10 @@ index 0000000..bd7e7fa +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..66e747b +index 0000000..82772f2 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,92 @@ +@@ -0,0 +1,93 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -42768,6 +42893,7 @@ index 0000000..66e747b +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) +kernel_request_load_module(keepalived_t) ++kernel_read_usermodehelper_state(keepalived_t) + +auth_use_nsswitch(keepalived_t) + @@ -84339,30 +84465,20 @@ index f47c8e8..af09c76 100644 + dbus_connect_system_bus(quota_nld_t) ') diff --git a/rabbitmq.fc b/rabbitmq.fc -index c5ad6de..af2d46f 100644 +index c5ad6de..44135d4 100644 --- a/rabbitmq.fc 
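Review bot: `ejabberd_admin` in ejabberd.if passes `ejabberd_initrc_exec_t` and `ejabberd_unit_t` to `init_startstop_service()`, but its `gen_require` lists only `ejabberd_t`, `ejabberd_exec_t`, `ejabberd_var_lib_t` and `ejabberd_var_log_t`, and ejabberd.te declares no `ejabberd_initrc_exec_t` at all, so a module that calls the interface will fail to build against an undeclared type. Either declare it in ejabberd.te (`type ejabberd_initrc_exec_t;` with `init_script_file(ejabberd_initrc_exec_t)`) and add it together with `ejabberd_unit_t` to the require block, or drop the initrc argument if the service is systemd-only. `files_search_var_lib(ejabberd_t, ejabberd_var_lib_t, dir)` in ejabberd.te also looks wrong: that interface takes only the domain, the extra arguments are silently discarded by m4, and the call appears to be an intended `files_var_lib_filetrans(ejabberd_t, ejabberd_var_lib_t, dir)`, without which a /var/lib/ejabberd directory created by the daemon itself would not receive `ejabberd_var_lib_t`. Separately, the rabbitmq.fc hunk further down drops the `/var/lock/ejabberdctl(/.*)?` entry but ejabberd.fc adds no replacement and ejabberd.te defines no lock type, so that directory keeps the generic lock label with no rule in ejabberd_t covering it.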
+++ b/rabbitmq.fc -@@ -1,10 +1,18 @@ +@@ -1,7 +1,8 @@ /etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0) -/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) -/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) +/usr/lib/systemd/system/rabbitmq-server.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0) -+/usr/lib/systemd/system/ejabberd.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0) + +/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) -+ -+/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) -+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) -+ -+/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0) - /var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) -+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) - - /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/rabbitmq.if b/rabbitmq.if index 2c3d338..7d49554 100644 --- a/rabbitmq.if @@ -84682,7 +84798,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..b1668fa 100644 +index 403a4fe..c659271 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -84805,10 +84921,11 @@ index 403a4fe..b1668fa 100644 logrotate_exec(radiusd_t) ') -@@ -132,6 +159,10 @@ optional_policy(` +@@ -132,6 +159,11 @@ optional_policy(` ') optional_policy(` ++ postgresql_stream_connect(radiusd_t) + postgresql_tcp_connect(radiusd_t) +') + @@ -84816,7 +84933,7 @@ index 403a4fe..b1668fa 100644 samba_domtrans_winbind_helper(radiusd_t) ') -@@ -140,5 +171,10 @@ optional_policy(` +@@ -140,5 +172,10 @@ optional_policy(` ') optional_policy(` 
@@ -105585,10 +105702,10 @@ index 0000000..821e158 +') + diff --git a/sssd.fc b/sssd.fc -index dbb005a..25d119e 100644 +index dbb005a..47b49ea 100644 --- a/sssd.fc +++ b/sssd.fc -@@ -1,15 +1,28 @@ +@@ -1,15 +1,30 @@ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) @@ -105599,6 +105716,7 @@ index dbb005a..25d119e 100644 +/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/libexec/sssd/sssd_kcm -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_pac -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_pam -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0) @@ -105623,8 +105741,9 @@ index dbb005a..25d119e 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/secrets.socket gen_context(system_u:object_r:sssd_var_run_t,s0) ++/var/run/.heim_org.h5l.kcm-socket -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..277f8f2 100644 +index a240455..aac2584 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -105753,13 +105872,13 @@ index a240455..277f8f2 100644 + gen_require(` + type sssd_conf_t; + ') - -- files_search_etc($1) -- write_files_pattern($1, sssd_conf_t, sssd_conf_t) ++ + files_search_etc($1) + write_files_pattern($1, sssd_conf_t, sssd_conf_t) +') -+ + +- files_search_etc($1) +- write_files_pattern($1, sssd_conf_t, sssd_conf_t) +##################################### +## +## Write sssd configuration. 
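Review bot: `/var/run/.heim_org.h5l.kcm-socket -- gen_context(system_u:object_r:sssd_var_run_t,s0)` uses the `--` regular-file specifier for what its name, and the `manage_sock_files_pattern` rule this commit adds to sssd.te, indicate is a Unix socket, so setfiles/restorecon will never apply that context to the socket inode. The specifier should be `-s`: `/var/run/.heim_org.h5l.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)`. The unescaped dots in that path also match any character; `\.` is the precise form, as the original `/var/run/sssd\.pid` entry had it.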
@@ -105836,10 +105955,11 @@ index a240455..277f8f2 100644 sssd_search_lib($1) - manage_files_pattern($1, sssd_public_t, sssd_public_t) + allow $1 sssd_public_t:file unlink; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read sssd pid files. +## Dontaudit read sssd public files. +## +## @@ -105873,11 +105993,10 @@ index a240455..277f8f2 100644 + + sssd_search_lib($1) + manage_files_pattern($1, sssd_public_t, sssd_public_t) - ') - - ######################################## - ## --## Read sssd pid files. ++') ++ ++######################################## ++## +## Read sssd PID files. ## ## @@ -105937,7 +106056,7 @@ index a240455..277f8f2 100644 ## ## ## -@@ -317,8 +408,92 @@ interface(`sssd_stream_connect',` +@@ -317,8 +408,130 @@ interface(`sssd_stream_connect',` ######################################## ## @@ -105960,6 +106079,44 @@ index a240455..277f8f2 100644 + dontaudit $1 sssd_var_lib_t:sock_file { read write }; +') + ++######################################## ++## ++## Connect to sssd over a unix stream socket in /var/run. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_run_stream_connect',` ++ gen_require(` ++ type sssd_t, sssd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, sssd_var_run_t, sssd_var_run_t, sssd_t) ++') ++ ++######################################## ++## ++## Dontaudit attempts to connect to sssd over a unix stream socket in /var/run. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_dontaudit_run_stream_connect',` ++ gen_require(` ++ type sssd_t, sssd_var_lib_t; ++ ') ++ ++ dontaudit $1 sssd_t:unix_stream_socket connectto; ++ dontaudit $1 sssd_var_run_t:sock_file { read write }; ++') ++ +####################################### +## +## Manage keys for all user domains. 
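Review bot: `sssd_dontaudit_run_stream_connect` requires `type sssd_t, sssd_var_lib_t;` but its body only references `sssd_var_run_t`, which is not in the require block — apparently a copy of the lib-socket variant's require. A module that calls the interface will fail to build because `sssd_var_run_t` is undeclared in its scope; the block should read `type sssd_t, sssd_var_run_t;`. The `sssd_run_stream_connect` interface added just above it has the correct require and can serve as the template.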
@@ -106032,7 +106189,7 @@ index a240455..277f8f2 100644 ## ## ## -@@ -327,7 +502,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +540,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -106041,7 +106198,7 @@ index a240455..277f8f2 100644 ## ## ## -@@ -335,27 +510,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +548,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -106083,7 +106240,7 @@ index a240455..277f8f2 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..d4fee07 100644 +index 2d8db1f..f0f3862 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) @@ -106122,7 +106279,7 @@ index 2d8db1f..d4fee07 100644 manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -51,9 +63,11 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +@@ -51,28 +63,28 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) @@ -106137,7 +106294,9 @@ index 2d8db1f..d4fee07 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +76,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) ++manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) + files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -106160,7 +106319,7 @@ index 2d8db1f..d4fee07 100644 corecmd_exec_bin(sssd_t) -@@ -83,28 +94,36 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +95,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) 
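Review bot: `manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)` lets sssd_t create sockets under /var/run, but the `files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })` line right below it still transitions only files and directories, so a socket sssd creates there (the KCM socket this commit labels in sssd.fc) is born with the generic pid-directory type rather than `sssd_var_run_t` and the new manage rule never applies to it until a restorecon. Extend the class list: `files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })`. The enclosing sssd_t rule block starts and ends outside the hunk.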
@@ -106201,7 +106360,7 @@ index 2d8db1f..d4fee07 100644 init_read_utmp(sssd_t) -@@ -112,18 +131,67 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +132,67 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -107573,10 +107732,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..e187320 +index 0000000..0315421 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,81 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -107599,21 +107758,33 @@ index 0000000..e187320 +# targetd local policy +# + -+allow targetd_t self:capability { sys_admin }; ++allow targetd_t self:capability { ipc_lock sys_admin sys_nice }; +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; +allow targetd_t self:unix_dgram_socket create_socket_perms; +allow targetd_t self:tcp_socket listen; +allow targetd_t self:netlink_route_socket r_netlink_socket_perms; -+allow targetd_t self:process setfscreate; ++allow targetd_t self:process { setfscreate setsched }; + +manage_dirs_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +manage_files_pattern(targetd_t, targetd_etc_rw_t, targetd_etc_rw_t) +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + ++fs_getattr_xattr_fs(targetd_t) ++fs_manage_configfs_files(targetd_t) ++fs_manage_configfs_lnk_files(targetd_t) ++fs_manage_configfs_dirs(targetd_t) ++fs_read_nfsd_files(targetd_t) ++ ++kernel_rw_rpc_sysctls(targetd_t) ++kernel_get_sysvipc_info(targetd_t) +kernel_read_system_state(targetd_t) +kernel_read_network_state(targetd_t) + ++rpc_read_exports(targetd_t) ++ ++storage_raw_rw_fixed_disk(targetd_t) ++ +auth_use_nsswitch(targetd_t) + +corecmd_exec_shell(targetd_t) 
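Review bot: `storage_raw_rw_fixed_disk(targetd_t)` grants read and write on every fixed_disk_device_t block node, and together with the `sys_admin` capability and the `fs_manage_configfs_*` rules on the same domain this makes targetd_t a very high-value target; the hunk carries no justification for why write, rather than `storage_raw_read_fixed_disk`, is required. Add a comment above the line stating the reason, e.g. `# LIO block backstores are opened raw on host disks; rw is required` if that is the case, and confirm the write access is actually exercised rather than a denial that was silenced wholesale. The same question applies to the `dev_read_sysfs` → `dev_rw_sysfs` and `lvm_read_metadata` → `lvm_write_metadata` widenings in the next targetd.te hunk. The targetd_t rule block continues outside the hunk.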
@@ -107622,7 +107793,7 @@ index 0000000..e187320 +corenet_tcp_bind_generic_node(targetd_t) +corenet_tcp_bind_lsm_plugin_port(targetd_t) + -+dev_read_sysfs(targetd_t) ++dev_rw_sysfs(targetd_t) +dev_read_urand(targetd_t) +dev_rw_lvm_control(targetd_t) +dev_getattr_loop_control(targetd_t) @@ -107636,8 +107807,9 @@ index 0000000..e187320 + +optional_policy(` + lvm_read_config(targetd_t) -+ lvm_read_metadata(targetd_t) ++ lvm_write_metadata(targetd_t) + lvm_manage_lock(targetd_t) ++ lvm_rw_pipes(targetd_t) + lvm_stream_connect(targetd_t) +') + @@ -110850,10 +111022,10 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..71e14ac +index 0000000..cc0c5fe --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,86 @@ +@@ -0,0 +1,89 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -110912,6 +111084,7 @@ index 0000000..71e14ac +can_exec(tomcat_domain, tomcat_exec_t) + +kernel_read_network_state(tomcat_domain) ++kernel_read_net_sysctls(tomcat_domain) + +corecmd_exec_bin(tomcat_domain) +corecmd_exec_shell(tomcat_domain) @@ -110925,6 +111098,8 @@ index 0000000..71e14ac +corenet_tcp_connect_ldap_port(tomcat_domain) +corenet_tcp_connect_mxi_port(tomcat_domain) +corenet_tcp_connect_http_cache_port(tomcat_domain) ++corenet_tcp_connect_postgresql_port(tomcat_domain) ++corenet_tcp_connect_amqp_port(tomcat_domain) + +dev_read_rand(tomcat_domain) +dev_read_urand(tomcat_domain) @@ -113341,7 +113516,7 @@ index a4f20bc..9777de2 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..487857a 100644 +index facdee8..b5a815a 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,111 @@ 
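Review bot: `corenet_tcp_connect_postgresql_port(tomcat_domain)` and `corenet_tcp_connect_amqp_port(tomcat_domain)` are granted unconditionally to every domain carrying the tomcat_domain attribute, so a deployment with no database or broker still runs an application server that is allowed to reach those ports. Consider placing both inside a `tunable_policy` block gated by a boolean defaulting to off (constructed name: `tomcat_can_network_connect_db`) so the wider access is opt-in, as network-connect grants for other services often are; `kernel_read_net_sysctls` is reasonable to leave unconditional. The tomcat_domain rule block starts and ends outside the hunk.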
@@ -113775,7 +113950,7 @@ index facdee8..487857a 100644 - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; -+ allow $1 svirt_t:unix_stream_socket { read write }; ++ allow $1 svirt_t:unix_stream_socket { setopt getopt read write }; ') -####################################### @@ -115541,10 +115716,10 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..fee0027 100644 +index f03dcf5..6e0d11b 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,413 @@ +@@ -1,451 +1,415 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -116182,6 +116357,8 @@ index f03dcf5..fee0027 100644 + +virt_dontaudit_read_state(svirt_t) + ++storage_raw_read_fixed_disk(svirt_t) ++ +####################################### +# +# svirt_prot_exec local policy @@ -116268,7 +116445,7 @@ index f03dcf5..fee0027 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +417,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +419,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
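Review bot: `storage_raw_read_fixed_disk(svirt_t)` gives every process in the svirt_t guest domain read access to all fixed_disk_device_t block nodes, which cuts across the sVirt model in which a guest may only touch the image labelled for it — a compromised qemu could then read any host disk, not just its own backing store. If blockcommit only needs the specific backing device, the narrower fix is to have libvirt relabel that device to the guest's image type, or at least to gate the grant behind a boolean defaulting to off (constructed name: `virt_read_raw_disk`) with a comment explaining the blockcommit case, e.g. `# blockcommit onto a raw fixed disk; see changelog, keep gated`. The svirt_t rule block starts outside the hunk.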
@@ -116315,27 +116492,27 @@ index f03dcf5..fee0027 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +452,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +454,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --can_exec(virtd_t, virt_tmp_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) 
@@ -116349,7 +116526,7 @@ index f03dcf5..fee0027 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +477,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +479,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -116377,7 +116554,7 @@ index f03dcf5..fee0027 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +497,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +499,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -116408,7 +116585,7 @@ index f03dcf5..fee0027 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +549,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +551,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -116428,7 +116605,7 @@ index f03dcf5..fee0027 100644 selinux_validate_context(virtd_t) -@@ -620,18 +571,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +573,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -116465,7 +116642,7 @@ index f03dcf5..fee0027 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +599,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +601,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -116474,7 +116651,7 @@ index f03dcf5..fee0027 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +624,12 @@ optional_policy(` +@@ -665,20 +626,12 @@ optional_policy(` ') optional_policy(` @@ -116496,7 +116673,7 @@ index f03dcf5..fee0027 100644 ') optional_policy(` -@@ -691,20 +642,26 @@ optional_policy(` +@@ -691,20 +644,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -116527,7 +116704,7 @@ index f03dcf5..fee0027 100644 ') optional_policy(` -@@ -712,11 +669,18 @@ optional_policy(` +@@ -712,11 +671,18 @@ optional_policy(` ') optional_policy(` @@ -116546,7 +116723,7 @@ index f03dcf5..fee0027 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +691,18 @@ optional_policy(` +@@ -727,10 +693,18 @@ optional_policy(` ') optional_policy(` @@ -116565,7 +116742,7 @@ index f03dcf5..fee0027 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +718,344 @@ optional_policy(` +@@ -746,44 +720,344 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -116678,7 +116855,7 @@ index f03dcf5..fee0027 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) -+ + +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) @@ -116839,7 +117016,7 @@ index f03dcf5..fee0027 100644 + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) +') - ++ +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) @@ -116932,7 +117109,7 @@ index f03dcf5..fee0027 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1066,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1068,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116959,7 +117136,7 @@ index f03dcf5..fee0027 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1086,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1088,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -116993,7 +117170,7 @@ index f03dcf5..fee0027 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1123,20 @@ optional_policy(` +@@ -856,14 +1125,20 @@ optional_policy(` ') optional_policy(` @@ -117015,7 +117192,7 @@ index f03dcf5..fee0027 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1161,66 @@ optional_policy(` +@@ -888,49 +1163,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -117100,7 +117277,7 @@ index f03dcf5..fee0027 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1232,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1234,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -117120,7 +117297,7 @@ index f03dcf5..fee0027 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1253,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1255,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -117144,7 +117321,7 @@ index f03dcf5..fee0027 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1278,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1280,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -117588,7 +117765,7 @@ index f03dcf5..fee0027 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1580,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1582,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -117603,7 +117780,7 @@ index f03dcf5..fee0027 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1598,7 @@ optional_policy(` +@@ -1192,7 +1600,7 @@ optional_policy(` ######################################## # @@ -117612,7 +117789,7 @@ index f03dcf5..fee0027 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1607,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1609,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index aeab6e6f..f591cb10 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 253%{?dist} +Release: 254%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -689,6 +689,21 @@ exit 0 %endif %changelog +* Mon May 15 2017 Lukas Vrabec - 3.13.1-254 +- Allow svirt_t to read raw fixed_disk_device_t to make working blockcommit +- ejabberd small fixes +- Update targetd policy to accommodate changes in the service +- Allow tomcat_domain connect to * postgresql_port_t * amqp_port_t Allow tomcat_domain read network sysctls +- Allow virt_domain to read raw fixed_disk_device_t to make working blockcommit +- Allow glusterd_t domain start ganesha service +- Made few cosmetic changes in sssd SELinux module +- Merge pull request #11 from lslebodn/sssd_kcm +- Update virt_rw_stream_sockets_svirt() interface to allow confined users set socket options. +- Allow keepalived_t domain read usermodehelper_t +- Allow radius domain stream connec to postgresql +- Merge pull request #8 from bowlofeggs/142-rawhide +- Add fs_manage_configfs_lnk_files() interface + * Fri May 12 2017 Lukas Vrabec - 3.13.1-253 - auth_use_nsswitch can call only domain not attribute - Dontaudit net_admin cap for winbind_t