From 2ed5289fc9a18884a571a3735b4b74aed98f7d79 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Tue, 19 Jul 2011 17:44:23 +0200 Subject: [PATCH 1/3] - Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltclient is connecting to abrt - Dontaudit leaked file descriptors to postdrop - Allow abrt_dump_oops to look at kernel sysctls - Abrt_dump_oops_t reads kernel ring buffer - Allow mysqld to request the kernel to load modules - systemd-login needs fowner - Allow postfix_cleanup_t to searh maildrop --- policy-F16.patch | 993 ++++++++++++++++++++++++++++++-------------- selinux-policy.spec | 13 +- 2 files changed, 696 insertions(+), 310 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index e3ba6d44..f6c009f5 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1514,7 +1514,7 @@ index 7f1d18e..a68d519 100644 ifdef(`hide_broken_symptoms',` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..e12af8e 100644 +index af55369..5ede07b 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1556,7 +1556,7 @@ index af55369..e12af8e 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -98,7 +102,11 @@ libs_delete_lib_symlinks(prelink_t) +@@ -98,7 +102,13 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) @@ -1565,11 +1565,13 @@ index af55369..e12af8e 100644 +userdom_manage_user_home_content(prelink_t) +userdom_execmod_user_home_files(prelink_t) + ++systemd_read_unit_files(prelink_t) ++ +term_use_all_inherited_terms(prelink_t) optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,13 +117,22 @@ optional_policy(` +@@ -109,13 +119,22 @@ optional_policy(` ') optional_policy(` 
@@ -1594,7 +1596,7 @@ index af55369..e12af8e 100644 ######################################## # # Prelink Cron system Policy -@@ -129,6 +146,7 @@ optional_policy(` +@@ -129,6 +148,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -1602,7 +1604,7 @@ index af55369..e12af8e 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +166,28 @@ optional_policy(` +@@ -148,17 +168,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -2554,7 +2556,7 @@ index 8966ec9..8fbe943 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te -index bc00875..819a10b 100644 +index bc00875..2efc0d7 100644 --- a/policy/modules/admin/smoltclient.te +++ b/policy/modules/admin/smoltclient.te @@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0) @@ -2573,7 +2575,7 @@ index bc00875..819a10b 100644 fs_getattr_all_fs(smoltclient_t) fs_getattr_all_dirs(smoltclient_t) -@@ -46,15 +46,21 @@ fs_list_auto_mountpoints(smoltclient_t) +@@ -46,15 +46,25 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) files_read_etc_files(smoltclient_t) @@ -2588,6 +2590,10 @@ index bc00875..819a10b 100644 miscfiles_read_localization(smoltclient_t) optional_policy(` ++ abrt_stream_connect(smoltclient_t) ++') ++ ++optional_policy(` + cron_system_entry(smoltclient_t, smoltclient_exec_t) +') + @@ -13117,10 +13123,18 @@ index c19518a..ba08cfe 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..c0e0b1e 100644 +index ff006ea..d6ca227 100644 --- a/policy/modules/kernel/files.if 
+++ b/policy/modules/kernel/files.if -@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` +@@ -55,6 +55,7 @@ + ##
  • files_pid_file()
  • + ##
  • files_security_file()
  • + ##
  • files_security_mountpoint()
  • ++##
  • files_spool_file()
  • + ##
  • files_tmp_file()
  • + ##
  • files_tmpfs_file()
  • + ##
  • logging_log_file()
  • +@@ -1053,10 +1054,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -13133,7 +13147,7 @@ index ff006ea..c0e0b1e 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1482,6 +1480,42 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1482,6 +1481,42 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -13176,7 +13190,7 @@ index ff006ea..c0e0b1e 100644 ## List the contents of the root directory. ## ## -@@ -1562,7 +1596,7 @@ interface(`files_root_filetrans',` +@@ -1562,7 +1597,7 @@ interface(`files_root_filetrans',` type root_t; ') @@ -13185,7 +13199,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -1848,7 +1882,7 @@ interface(`files_boot_filetrans',` +@@ -1848,7 +1883,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -13194,7 +13208,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -2372,6 +2406,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2407,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -13219,7 +13233,7 @@ index ff006ea..c0e0b1e 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2451,7 +2503,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2504,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -13228,7 +13242,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -2525,6 +2577,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2578,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -13253,7 +13267,7 @@ index ff006ea..c0e0b1e 100644 ## Execute generic files in /etc. ## ## -@@ -2624,7 +2694,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2695,7 @@ interface(`files_etc_filetrans',` type etc_t; ') 
@@ -13262,7 +13276,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -2680,24 +2750,6 @@ interface(`files_delete_boot_flag',` +@@ -2680,24 +2751,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -13287,7 +13301,7 @@ index ff006ea..c0e0b1e 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2738,6 +2790,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2791,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -13312,7 +13326,7 @@ index ff006ea..c0e0b1e 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2775,6 +2845,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -13320,7 +13334,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3364,7 +3435,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3436,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -13329,7 +13343,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3502,20 +3573,38 @@ interface(`files_list_mnt',` +@@ -3502,20 +3574,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -13373,7 +13387,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3900,6 +3989,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +3990,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13473,7 +13487,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Allow the specified type to associate -@@ -3945,7 +4127,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## 
@@ -13482,7 +13496,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4017,7 +4199,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4200,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13491,7 +13505,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4029,6 +4211,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13516,7 +13530,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4085,6 +4285,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4085,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -13549,7 +13563,7 @@ index ff006ea..c0e0b1e 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4139,6 +4365,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4139,6 +4366,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -13592,7 +13606,7 @@ index ff006ea..c0e0b1e 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4202,7 +4464,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4202,7 +4465,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -13601,7 +13615,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4262,7 +4524,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4525,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -13610,7 +13624,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4318,7 +4580,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4581,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -13619,7 +13633,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -4342,6 +4604,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4605,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -13636,7 +13650,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -4681,7 +4953,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +4954,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -13645,7 +13659,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5084,7 +5356,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5357,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -13654,7 +13668,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5219,7 +5491,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5492,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13663,7 +13677,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5304,6 +5576,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5577,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -13689,7 +13703,7 @@ index ff006ea..c0e0b1e 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5608,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5609,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -13698,7 +13712,7 @@ index ff006ea..c0e0b1e 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5629,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5630,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -13714,7 +13728,7 @@ index ff006ea..c0e0b1e 100644 ## ## ## -@@ -5349,12 +5644,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5645,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -13747,7 +13761,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5373,6 +5686,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5687,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -13755,7 +13769,7 @@ index ff006ea..c0e0b1e 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5699,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5700,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -13763,7 +13777,7 @@ index ff006ea..c0e0b1e 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5725,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5726,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -13772,7 +13786,7 @@ index ff006ea..c0e0b1e 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5741,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5742,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -13789,7 +13803,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5452,7 +5765,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5766,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -13798,7 +13812,7 @@ index ff006ea..c0e0b1e 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5806,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5807,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -13807,7 +13821,7 @@ index ff006ea..c0e0b1e 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5828,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5829,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -13816,7 +13830,7 @@ index ff006ea..c0e0b1e 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5860,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5861,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -13827,7 +13841,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5608,6 +5921,43 @@ interface(`files_search_pids',` +@@ -5608,6 +5922,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -13871,7 +13885,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Do not audit attempts to search -@@ -5736,7 +6086,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6087,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13880,7 +13894,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5815,6 +6165,98 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,6 +6166,98 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -13979,7 +13993,7 @@ index ff006ea..c0e0b1e 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6274,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6275,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -14024,7 +14038,98 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -6042,7 +6522,7 @@ interface(`files_spool_filetrans',` +@@ -5900,6 +6381,90 @@ interface(`files_delete_all_pid_dirs',` + + ######################################## + ## ++## Make the specified type a file ++## used for spool files. ++## ++## ++##

    ++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

    ++##

    ++## Related interfaces: ++##

    ++##
      ++##
    • files_spool_filetrans()
    • ++##
    ++##

    ++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

    ++##

    ++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++##

    ++##
    ++## ++## ++## Type of the file to be used as a ++## spool file. ++## ++## ++## ++# ++interface(`files_spool_file',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ files_type($1) ++ typeattribute $1 spoolfile; ++') ++ ++######################################## ++## ++## Create all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Delete all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## + ## Search the contents of generic spool + ## directories (/var/spool). + ## +@@ -6042,7 +6607,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14033,7 +14138,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -6117,3 +6597,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6682,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -14319,18 +14424,20 @@ index ff006ea..c0e0b1e 100644 + dontaudit $1 file_type:dir_file_class_set write; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 22821ff..567322b 100644 +index 22821ff..20251b0 100644 --- a/policy/modules/kernel/files.te 
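Review bot: The usage example in the new files_spool_file() documentation declares `type myspoolfile_t;` but then passes `myfile_spool_t` to files_spool_file(), the allow rule and files_spool_filetrans(), so the example does not build as written; the declaration should read `type myfile_spool_t;`. The "Related interfaces" list names only files_spool_filetrans(), although the same hunk introduces files_create_all_spool_sockets() and files_delete_all_spool_sockets(), which a spool-type owner needs to know about. Those two interfaces grant sock_file create or delete on the spoolfile attribute, i.e. on every type that has ever been passed to files_spool_file() (amavis, squirrelmail and the abrt retrace spool are given it elsewhere in this patch), not just on /var/spool, and their one-line summaries should say so, e.g. `## Create sockets in all spool file types (spoolfile attribute).`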
+++ b/policy/modules/kernel/files.te -@@ -11,6 +11,7 @@ attribute lockfile; +@@ -10,7 +10,9 @@ attribute files_unconfined_type; + attribute lockfile; attribute mountpoint; attribute pidfile; ++attribute spoolfile; attribute configfile; +attribute etcfile; # For labeling types that are to be polyinstantiated attribute polydir; -@@ -58,12 +59,21 @@ files_type(etc_t) +@@ -58,12 +60,21 @@ files_type(etc_t) typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; @@ -14353,7 +14460,7 @@ index 22821ff..567322b 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -167,6 +177,7 @@ files_mountpoint(var_lib_t) +@@ -167,6 +178,7 @@ files_mountpoint(var_lib_t) # type var_lock_t; files_lock_file(var_lock_t) @@ -14361,6 +14468,14 @@ index 22821ff..567322b 100644 # # var_run_t is the type of /var/run, usually +@@ -181,6 +193,7 @@ files_mountpoint(var_run_t) + # + type var_spool_t; + files_tmp_file(var_spool_t) ++files_spool_file(var_spool_t) + + ######################################## + # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 97fcdac..3babb37 100644 --- a/policy/modules/kernel/filesystem.if @@ -18888,14 +19003,14 @@ index e88b95f..0eb55db 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..f7a7a96 100644 +index 1bd5812..b3631d6 100644 --- a/policy/modules/services/abrt.fc +++ b/policy/modules/services/abrt.fc 
@@ -1,11 +1,9 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) @@ -19124,7 +19239,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..ffe6d41 100644 +index 30861ec..b8f91da 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -19142,7 +19257,20 @@ index 30861ec..ffe6d41 100644 type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -43,14 +51,37 @@ ifdef(`enable_mcs',` +@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t) + type abrt_var_run_t; + files_pid_file(abrt_var_run_t) + ++type abrt_dump_oops_t; ++type abrt_dump_oops_exec_t; ++init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) ++ ++permissive abrt_dump_oops_t; ++ + # type needed to allow all domains + # to handle /var/cache/abrt + type abrt_helper_t; +@@ -43,14 +57,37 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -19167,7 +19295,7 @@ index 30861ec..ffe6d41 100644 +files_type(abrt_retrace_cache_t) + +type abrt_retrace_spool_t; -+files_type(abrt_retrace_spool_t) ++files_spool_file(abrt_retrace_spool_t) + ######################################## # 
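Review bot: `permissive abrt_dump_oops_t;` is added right after the new type declaration, so none of the rules written for this domain elsewhere in the patch are enforced and a missing or wrong rule only surfaces as an audit message; that is the usual first step for a new domain, but the line carries no comment saying when it goes away. A one-line note such as `# permissive until the abrt-dump-oops rule set has been validated; drop before enforcing` keeps the marker from lingering past the initial policy. The hunk's own context describes abrt_helper_t as the type that lets all domains handle /var/cache/abrt, so splitting the oops dumper into its own domain is the right direction; it is the permissive marker that needs a removal plan.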
@@ -19182,7 +19310,7 @@ index 30861ec..ffe6d41 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files @@ -19190,7 +19318,7 @@ index 30861ec..ffe6d41 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -19198,7 +19326,7 @@ index 30861ec..ffe6d41 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -19207,7 +19335,7 @@ index 30861ec..ffe6d41 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -19215,7 +19343,7 @@ index 30861ec..ffe6d41 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) 
@@ -19225,7 +19353,7 @@ index 30861ec..ffe6d41 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -19234,7 +19362,7 @@ index 30861ec..ffe6d41 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -19243,7 +19371,7 @@ index 30861ec..ffe6d41 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -19260,7 +19388,7 @@ index 30861ec..ffe6d41 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +197,11 @@ optional_policy(` +@@ -150,6 +203,11 @@ optional_policy(` ') optional_policy(` @@ -19272,7 +19400,7 @@ index 30861ec..ffe6d41 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +219,7 @@ optional_policy(` +@@ -167,6 +225,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -19280,7 +19408,7 @@ index 30861ec..ffe6d41 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +231,18 @@ optional_policy(` +@@ -178,12 +237,18 @@ optional_policy(` ') optional_policy(` 
@@ -19300,7 +19428,7 @@ index 30861ec..ffe6d41 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,9 +259,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -19313,7 +19441,7 @@ index 30861ec..ffe6d41 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +278,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -19323,7 +19451,7 @@ index 30861ec..ffe6d41 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +287,100 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +293,130 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -19331,7 +19459,7 @@ index 30861ec..ffe6d41 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') -+') + ') + +ifdef(`hide_broken_symptoms',` + gen_require(` 
@@ -19423,7 +19551,37 @@ index 30861ec..ffe6d41 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) - ') ++') ++ ++######################################## ++# ++# abrt_dump_oops local policy ++# ++ ++allow abrt_dump_oops_t self:capability dac_override; ++allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; ++allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_search_spool(abrt_dump_oops_t) ++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) ++ ++read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) ++read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) ++ ++kernel_read_kernel_sysctls(abrt_dump_oops_t) ++kernel_read_ring_buffer(abrt_dump_oops_t) ++ ++domain_use_interactive_fds(abrt_dump_oops_t) ++ ++files_read_etc_files(abrt_dump_oops_t) ++ ++logging_read_generic_logs(abrt_helper_t) ++logging_send_syslog_msg(abrt_dump_oops_t) ++ ++miscfiles_read_localization(abrt_dump_oops_t) diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if index c0f858d..d639ae0 100644 --- a/policy/modules/services/accountsd.if @@ -19802,9 +19960,18 @@ index d96fdfa..e07158f 100644 ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index deca9d3..4556eb2 100644 +index deca9d3..ae8c579 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te +@@ -38,7 +38,7 @@ type amavis_quarantine_t; + files_type(amavis_quarantine_t) + + type amavis_spool_t; +-files_type(amavis_spool_t) ++files_spool_file(amavis_spool_t) + + ######################################## + # 
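Review bot: In the new abrt_dump_oops local policy block, `logging_read_generic_logs(abrt_helper_t)` names abrt_helper_t while every surrounding rule targets abrt_dump_oops_t; this reads like a copy-paste slip and, as written, widens abrt_helper_t to read generic log files instead of granting the new domain anything. It should be `logging_read_generic_logs(abrt_dump_oops_t)` if the oops dumper needs log access, or be dropped otherwise. `allow abrt_dump_oops_t self:capability dac_override;` is the broadest rule in the block and has no comment naming the access that requires it; because the domain is declared permissive in this same patch, an unneeded capability will never show up as a denial during testing, so a why-comment belongs next to it. The block also mirrors the abrt_var_cache_t and abrt_var_run_t rules of the abrt_helper_t section, which is fine, but a comment pointing at that section would help keep the two rule sets in step.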
@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t) dev_read_rand(amavis_t) @@ -20575,7 +20742,7 @@ index 6480167..b32b10e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..a079c51 100644 +index 3136c6a..edeae62 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -20877,7 +21044,7 @@ index 3136c6a..a079c51 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t) +@@ -254,9 +334,13 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -20887,7 +21054,11 @@ index 3136c6a..a079c51 100644 # File Type of squirrelmail attachments type squirrelmail_spool_t; files_tmp_file(squirrelmail_spool_t) -@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; ++files_spool_file(squirrelmail_spool_t) + + optional_policy(` + prelink_object_file(httpd_modules_t) +@@ -281,11 +365,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; 
@@ -20901,7 +21072,7 @@ index 3136c6a..a079c51 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +414,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +415,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -20912,7 +21083,7 @@ index 3136c6a..a079c51 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +441,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +442,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -20921,7 +21092,7 @@ index 3136c6a..a079c51 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +453,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +454,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -20937,7 +21108,7 @@ index 3136c6a..a079c51 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +470,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -20953,7 +21124,7 @@ index 3136c6a..a079c51 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +482,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +483,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) 
@@ -20961,7 +21132,7 @@ index 3136c6a..a079c51 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,6 +494,13 @@ files_read_etc_files(httpd_t) +@@ -402,6 +495,13 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -20975,7 +21146,7 @@ index 3136c6a..a079c51 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +515,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +516,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -21052,7 +21223,7 @@ index 3136c6a..a079c51 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +595,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +596,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -21063,7 +21234,7 @@ index 3136c6a..a079c51 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +609,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +610,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -21093,7 +21264,7 @@ index 3136c6a..a079c51 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +639,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +640,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
@@ -21110,7 +21281,7 @@ index 3136c6a..a079c51 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +663,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +664,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -21131,7 +21302,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -513,7 +687,13 @@ optional_policy(` +@@ -513,7 +688,13 @@ optional_policy(` ') optional_policy(` @@ -21146,7 +21317,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -528,7 +708,18 @@ optional_policy(` +@@ -528,7 +709,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -21166,7 +21337,7 @@ index 3136c6a..a079c51 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +728,13 @@ optional_policy(` +@@ -537,8 +729,13 @@ optional_policy(` ') optional_policy(` @@ -21181,7 +21352,7 @@ index 3136c6a..a079c51 100644 ') ') -@@ -556,7 +752,13 @@ optional_policy(` +@@ -556,7 +753,13 @@ optional_policy(` ') optional_policy(` @@ -21195,7 +21366,7 @@ index 3136c6a..a079c51 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +769,7 @@ optional_policy(` +@@ -567,6 +770,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -21203,7 +21374,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -577,6 +780,16 @@ optional_policy(` +@@ -577,6 +781,16 @@ optional_policy(` ') optional_policy(` @@ -21220,7 +21391,7 @@ index 3136c6a..a079c51 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +804,11 @@ optional_policy(` +@@ -591,6 +805,11 @@ optional_policy(` ') optional_policy(` 
@@ -21232,7 +21403,7 @@ index 3136c6a..a079c51 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +821,12 @@ optional_policy(` +@@ -603,6 +822,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -21245,7 +21416,7 @@ index 3136c6a..a079c51 100644 ######################################## # # Apache helper local policy -@@ -616,7 +840,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +841,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -21258,7 +21429,7 @@ index 3136c6a..a079c51 100644 ######################################## # -@@ -654,28 +882,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +883,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -21302,7 +21473,7 @@ index 3136c6a..a079c51 100644 ') ######################################## -@@ -685,6 +915,8 @@ optional_policy(` +@@ -685,6 +916,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -21311,7 +21482,7 @@ index 3136c6a..a079c51 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +931,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +932,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -21337,7 +21508,7 @@ index 3136c6a..a079c51 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +977,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +978,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -21370,7 +21541,7 @@ index 3136c6a..a079c51 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1024,25 @@ optional_policy(` +@@ -769,6 +1025,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -21396,7 +21567,7 @@ index 3136c6a..a079c51 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1063,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1064,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -21414,7 +21585,7 @@ index 3136c6a..a079c51 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1082,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1083,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -21471,7 +21642,7 @@ index 3136c6a..a079c51 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1133,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1134,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -21502,7 +21673,7 @@ index 3136c6a..a079c51 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1168,20 @@ optional_policy(` +@@ -842,10 +1169,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -21523,7 +21694,7 @@ index 3136c6a..a079c51 100644 ') ######################################## -@@ -891,11 +1227,21 @@ optional_policy(` +@@ -891,11 +1228,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -21781,10 +21952,15 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..0e8a352 100644 +index b3b0176..c873197 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te -@@ -23,6 +23,7 @@ files_type(asterisk_spool_t) +@@ -19,10 +19,11 @@ type asterisk_log_t; + logging_log_file(asterisk_log_t) + + type asterisk_spool_t; +-files_type(asterisk_spool_t) ++files_spool_file(asterisk_spool_t) type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) @@ -23381,7 +23557,7 @@ index 0000000..564acbd +') diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te new file mode 100644 -index 0000000..a67f732 +index 0000000..a7c96a5 --- /dev/null +++ b/policy/modules/services/callweaver.te @@ -0,0 +1,79 @@ @@ -23411,7 +23587,7 @@ index 0000000..a67f732 +files_pid_file(callweaver_var_run_t) + +type callweaver_spool_t; -+files_type(callweaver_spool_t) ++files_spool_file(callweaver_spool_t) + +######################################## +# @@ -25244,9 +25420,18 @@ index 9971337..f081899 100644 ') 
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te -index 838dec7..452741c 100644 +index 838dec7..59d0f96 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te +@@ -15,7 +15,7 @@ courier_domain_template(pcp) + courier_domain_template(pop) + + type courier_spool_t; +-files_type(courier_spool_t) ++files_spool_file(courier_spool_t) + + courier_domain_template(tcpd) + @@ -95,7 +95,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; @@ -25688,7 +25873,7 @@ index 35241ed..2976df7 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..1812563 100644 +index f7583ab..894130f 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -25718,7 +25903,15 @@ index f7583ab..1812563 100644 ## gen_tunable(fcron_crond, false) -@@ -38,7 +38,7 @@ type cron_var_lib_t; +@@ -31,14 +31,14 @@ type anacron_exec_t; + application_executable_file(anacron_exec_t) + + type cron_spool_t; +-files_type(cron_spool_t) ++files_spool_file(cron_spool_t) + + # var/lib files + type cron_var_lib_t; files_type(cron_var_lib_t) type cron_var_run_t; 
@@ -25740,15 +25933,17 @@ index f7583ab..1812563 100644 type crontab_exec_t; application_executable_file(crontab_exec_t) -@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; +@@ -79,14 +82,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; +allow admin_crontab_t crond_t:process signal; type system_cron_spool_t, cron_spool_type; - files_type(system_cron_spool_t) -@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t; +-files_type(system_cron_spool_t) ++files_spool_file(system_cron_spool_t) + + type system_cronjob_t alias system_crond_t; init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) role system_r types system_cronjob_t; @@ -25767,9 +25962,12 @@ index f7583ab..1812563 100644 type unconfined_cronjob_t; domain_type(unconfined_cronjob_t) domain_cron_exemption_target(unconfined_cronjob_t) -@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon +@@ -106,8 +107,20 @@ domain_cron_exemption_target(unconfined_cronjob_t) + type user_cron_spool_t, cron_spool_type; + typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; - files_type(user_cron_spool_t) +-files_type(user_cron_spool_t) ++files_spool_file(user_cron_spool_t) ubac_constrained(user_cron_spool_t) +mta_system_content(user_cron_spool_t) + @@ -26368,7 +26566,7 @@ index 0000000..3317390 + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..8ce09c4 +index 0000000..82ba45e --- /dev/null +++ b/policy/modules/services/ctdbd.te @@ -0,0 +1,90 @@ 
@@ -26392,7 +26590,7 @@ index 0000000..8ce09c4 +logging_log_file(ctdbd_log_t) + +type ctdbd_spool_t; -+files_type(ctdbd_spool_t) ++files_spool_file(ctdbd_spool_t) + +type ctdbd_tmp_t; +files_tmp_file(ctdbd_tmp_t) @@ -29013,7 +29211,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..4bbff24 100644 +index acf6d4f..87949e8 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -29035,6 +29233,15 @@ index acf6d4f..4bbff24 100644 type dovecot_etc_t; files_config_file(dovecot_etc_t) +@@ -36,7 +39,7 @@ type dovecot_passwd_t; + files_type(dovecot_passwd_t) + + type dovecot_spool_t; +-files_type(dovecot_spool_t) ++files_spool_file(dovecot_spool_t) + + type dovecot_tmp_t; + files_tmp_file(dovecot_tmp_t) @@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t) # dovecot local policy # @@ -29933,7 +30140,7 @@ index 6bef7f8..464669c 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..0b19f11 100644 +index f28f64b..6419b55 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) @@ -29971,7 +30178,7 @@ index f28f64b..0b19f11 100644 ## gen_tunable(exim_manage_user_files, false) -@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t) +@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t) application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) @@ -29981,6 +30188,12 @@ index f28f64b..0b19f11 100644 type exim_log_t; logging_log_file(exim_log_t) + type exim_spool_t; +-files_type(exim_spool_t) ++files_spool_file(exim_spool_t) + + type exim_tmp_t; + files_tmp_file(exim_tmp_t) @@ -171,6 +174,10 @@ optional_policy(` ') @@ -32397,7 +32610,7 @@ index ebc9e0d..2f3d8dc 100644 allow $1 innd_t:process { ptrace signal_perms }; 
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te -index 9fab1dc..dc7dd01 100644 +index 9fab1dc..2462aa7 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te @@ -4,6 +4,7 @@ policy_module(inn, 1.9.0) @@ -32408,7 +32621,13 @@ index 9fab1dc..dc7dd01 100644 type innd_t; type innd_exec_t; init_daemon_domain(innd_t, innd_exec_t) -@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t) +@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t) + + type news_spool_t; + files_mountpoint(news_spool_t) ++files_spool_file(news_spool_t) + + ######################################## # # Local policy # @@ -32416,7 +32635,7 @@ index 9fab1dc..dc7dd01 100644 allow innd_t self:capability { dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; allow innd_t self:process { setsched signal_perms }; -@@ -46,7 +48,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) +@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) can_exec(innd_t, innd_exec_t) manage_files_pattern(innd_t, innd_log_t, innd_log_t) @@ -32425,7 +32644,7 @@ index 9fab1dc..dc7dd01 100644 logging_log_filetrans(innd_t, innd_log_t, file) manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -@@ -56,7 +58,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) +@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) @@ -32434,7 +32653,7 @@ index 9fab1dc..dc7dd01 100644 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -105,6 +107,7 @@ sysnet_read_config(innd_t) +@@ -105,6 +108,7 @@ sysnet_read_config(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) 
@@ -32648,7 +32867,7 @@ index 9878499..81fcd0f 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..0ba2bdc 100644 +index da2127e..6538d66 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -5,90 +5,152 @@ policy_module(jabber, 1.8.0) @@ -32684,7 +32903,7 @@ index da2127e..0ba2bdc 100644 -######################################## +type pyicqt_var_spool_t; -+files_type(pyicqt_var_spool_t) ++files_spool_file(pyicqt_var_spool_t) + +type pyicqt_var_run_t; +files_pid_file(pyicqt_var_run_t) @@ -32861,7 +33080,7 @@ index da2127e..0ba2bdc 100644 + +sysnet_read_config(jabberd_domain) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index 3525d24..923e979 100644 +index 3525d24..74ec098 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) @@ -32873,9 +33092,13 @@ index 3525d24..923e979 100644 /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -@@ -31,3 +31,4 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +@@ -30,4 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++ ++krb5_host_rcache_t /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) 
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if @@ -34251,7 +34474,7 @@ index a4f32f5..ea7dca0 100644 type lpr_t, lpr_exec_t; ') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te -index 93c14ca..c08de17 100644 +index 93c14ca..f28acd2 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0) @@ -34267,7 +34490,15 @@ index 93c14ca..c08de17 100644 ## gen_tunable(use_lpd_server, false) -@@ -54,7 +54,7 @@ type printer_t; +@@ -47,14 +47,14 @@ ubac_constrained(lpr_tmp_t) + type print_spool_t; + typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; + typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; +-files_type(print_spool_t) ++files_spool_file(print_spool_t) + ubac_constrained(print_spool_t) + + type printer_t; files_type(printer_t) type printconf_t; @@ -36275,10 +36506,10 @@ index 343cee3..5e792cc 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..dbddbef 100644 +index 64268e4..3bd4ceb 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te -@@ -20,8 +20,8 @@ files_type(etc_aliases_t) +@@ -20,14 +20,16 @@ files_type(etc_aliases_t) type etc_mail_t; files_config_file(etc_mail_t) @@ -36289,7 +36520,15 @@ index 64268e4..dbddbef 100644 type mqueue_spool_t; files_mountpoint(mqueue_spool_t) -@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t) ++files_spool_file(mqueue_spool_t) + + type mail_spool_t; + files_mountpoint(mail_spool_t) ++files_spool_file(mail_spool_t) + + type sendmail_exec_t; + mta_agent_executable(sendmail_exec_t) +@@ -50,22 +52,11 @@ ubac_constrained(user_mail_tmp_t) # newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; 
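Review bot: The new host replay-cache entry in the kerberos.fc hunk that ends at the top of this line reads, as rendered here, `krb5_host_rcache_t /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)`, and a bare type name in front of the path is not valid file_contexts syntax. If that token is really in the patch rather than an artifact of how this diff was rendered, the module's .fc will be rejected at build time; the entry should read `/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)`, matching the `/var/tmp/HTTP_23` line next to it. The `/var/cache/krb5rcache(/.*)?` entry above it looks correct.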
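Review bot: Switching mqueue_spool_t and mail_spool_t from files_type() to files_spool_file() changes what those types are, not just how they are declared, and user mailboxes and the outbound queue are the most sensitive spool content in the policy. files_spool_file() is defined in kernel/files.if, which is outside this view; if it attaches an attribute that any all-spool interface grants access through, every domain using such an interface can now reach mail_spool_t and mqueue_spool_t without a rule naming them. Before merging, diff the resulting access, e.g. `sesearch -A -t mail_spool_t -c file -p read` on the old and new policy, and add a comment next to the two new calls such as `# spool attribute: reachable by any domain granted access to all spool content`. The same check applies to the other spool types this patch converts.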
@@ -36313,7 +36552,7 @@ index 64268e4..dbddbef 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -80,8 +69,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t) +@@ -80,8 +71,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t) init_use_script_ptys(system_mail_t) @@ -36329,7 +36568,7 @@ index 64268e4..dbddbef 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +87,28 @@ optional_policy(` +@@ -92,17 +89,28 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -36359,7 +36598,7 @@ index 64268e4..dbddbef 100644 clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +117,8 @@ optional_policy(` +@@ -111,6 +119,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -36368,7 +36607,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -124,12 +132,9 @@ optional_policy(` +@@ -124,12 +134,9 @@ optional_policy(` ') optional_policy(` @@ -36383,7 +36622,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -146,6 +151,10 @@ optional_policy(` +@@ -146,6 +153,10 @@ optional_policy(` ') optional_policy(` @@ -36394,7 +36633,7 @@ index 64268e4..dbddbef 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +167,6 @@ optional_policy(` +@@ -158,18 +169,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -36413,7 +36652,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -189,6 +186,10 @@ optional_policy(` +@@ -189,6 +188,10 @@ optional_policy(` ') optional_policy(` 
@@ -36424,7 +36663,7 @@ index 64268e4..dbddbef 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +200,7 @@ optional_policy(` +@@ -199,7 +202,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -36433,7 +36672,7 @@ index 64268e4..dbddbef 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +221,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -36443,7 +36682,7 @@ index 64268e4..dbddbef 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +244,10 @@ optional_policy(` +@@ -242,6 +246,10 @@ optional_policy(` ') optional_policy(` @@ -36454,7 +36693,7 @@ index 64268e4..dbddbef 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +255,25 @@ optional_policy(` +@@ -249,16 +257,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -36482,7 +36721,7 @@ index 64268e4..dbddbef 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -292,3 +307,44 @@ optional_policy(` +@@ -292,3 +309,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -36973,7 +37212,7 @@ index e9c0982..14af30a 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..91de41a 100644 +index 0a0d63c..a02ffc9 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) 
@@ -37003,7 +37242,7 @@ index 0a0d63c..91de41a 100644 allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file manage_file_perms; -@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -78,12 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) @@ -37015,14 +37254,14 @@ index 0a0d63c..91de41a 100644 kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) - ++kernel_request_load_module(mysqld_t) ++ +corecmd_exec_bin(mysqld_t) +corecmd_exec_shell(mysqld_t) -+ + corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) - corenet_tcp_sendrecv_generic_if(mysqld_t) -@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) +@@ -127,8 +133,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) userdom_read_user_home_content_files(mysqld_t) ifdef(`distro_redhat',` @@ -37032,7 +37271,7 @@ index 0a0d63c..91de41a 100644 ') tunable_policy(`mysql_connect_any',` -@@ -155,6 +159,7 @@ optional_policy(` +@@ -155,6 +160,7 @@ optional_policy(` allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; @@ -37040,7 +37279,7 @@ index 0a0d63c..91de41a 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t) +@@ -175,21 +181,27 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -37302,9 +37541,18 @@ index 8581040..2367841 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..8a9789c 100644 +index bf64a4c..971f741 100644 --- a/policy/modules/services/nagios.te 
+++ b/policy/modules/services/nagios.te +@@ -25,7 +25,7 @@ type nagios_var_run_t; + files_pid_file(nagios_var_run_t) + + type nagios_spool_t; +-files_type(nagios_spool_t) ++files_spool_file(nagios_spool_t) + + nagios_plugin_template(admin) + nagios_plugin_template(checkdisk) @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) kernel_read_system_state(nagios_t) @@ -39742,10 +39990,10 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index 06e217d..208ef3a 100644 +index 06e217d..4f9a575 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te -@@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1) +@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1) type plymouth_t; type plymouth_exec_t; application_domain(plymouth_t, plymouth_exec_t) @@ -39753,7 +40001,12 @@ index 06e217d..208ef3a 100644 type plymouthd_t; type plymouthd_exec_t; -@@ -19,6 +20,9 @@ files_type(plymouthd_spool_t) + init_daemon_domain(plymouthd_t, plymouthd_exec_t) + + type plymouthd_spool_t; +-files_type(plymouthd_spool_t) ++files_spool_file(plymouthd_spool_t) + type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) @@ -40302,7 +40555,7 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..c22af86 100644 +index 46bee12..9e2714e 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` 
@@ -40538,7 +40791,7 @@ index 46bee12..c22af86 100644 ') ######################################## -@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +701,107 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -40641,9 +40894,13 @@ index 46bee12..c22af86 100644 + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write }; ++ ') +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..701607c 100644 +index a32c4b3..3f5751c 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -40661,15 +40918,17 @@ index a32c4b3..701607c 100644 attribute postfix_user_domains; # domains that transition to the # postfix user domains -@@ -12,7 +20,7 @@ attribute postfix_user_domtrans; +@@ -12,8 +20,8 @@ attribute postfix_user_domtrans; postfix_server_domain_template(bounce) -type postfix_spool_bounce_t; +-files_type(postfix_spool_bounce_t) +type postfix_spool_bounce_t, postfix_spool_type; - files_type(postfix_spool_bounce_t) ++files_spool_file(postfix_spool_bounce_t) postfix_server_domain_template(cleanup) + @@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t; # generation macro work mta_mailserver(postfix_t, postfix_master_exec_t) 
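Review bot: The new `dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };` hides, for every socket class, the AVCs that reveal a caller leaking an open socket into postdrop; the access is still denied, so no data crosses the boundary, but the evidence of the leak (a caller bug, usually a missing FD_CLOEXEC) disappears whenever hide_broken_symptoms is built in. That is a defensible trade-off for a build-time switch, but it should be documented at the rule, e.g. `# $1 leaks inherited sockets to postdrop; still denied, just not logged - real fix is close-on-exec in the caller`. Consider scoping it to the socket classes actually seen in the denials rather than the whole socket_class_set, so a new kind of leak still surfaces. The interface these lines belong to starts before the hunk.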
@@ -40688,23 +40947,27 @@ index a32c4b3..701607c 100644 type postfix_private_t; files_type(postfix_private_t) -@@ -65,13 +77,13 @@ mta_mailserver_sender(postfix_smtp_t) +@@ -65,14 +77,14 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) -type postfix_spool_t; +-files_type(postfix_spool_t) +type postfix_spool_t, postfix_spool_type; - files_type(postfix_spool_t) ++files_spool_file(postfix_spool_t) -type postfix_spool_maildrop_t; +-files_type(postfix_spool_maildrop_t) +type postfix_spool_maildrop_t, postfix_spool_type; - files_type(postfix_spool_maildrop_t) ++files_spool_file(postfix_spool_maildrop_t) -type postfix_spool_flush_t; +-files_type(postfix_spool_flush_t) +type postfix_spool_flush_t, postfix_spool_type; - files_type(postfix_spool_flush_t) ++files_spool_file(postfix_spool_flush_t) type postfix_public_t; + files_type(postfix_public_t) @@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t) # chown is to set the correct ownership of queue dirs @@ -40774,7 +41037,18 @@ index a32c4b3..701607c 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -264,8 +285,8 @@ optional_policy(` +@@ -249,6 +270,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) + ++allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++ + allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; + + corecmd_exec_bin(postfix_cleanup_t) +@@ -264,8 +289,8 @@ optional_policy(` # Postfix local local policy # 
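Review bot: The three new rules grant postfix_cleanup_t directory listing plus file and symlink read on postfix_spool_maildrop_t, but the commit message only claims "search maildrop"; maildrop is the queue unprivileged users drop mail into through the setgid postdrop helper, so its contents are untrusted, and cleanup normally receives them from pickup rather than reading them itself. If the denial being fixed was only `search` on the directory, narrow this to `allow postfix_cleanup_t postfix_spool_maildrop_t:dir search_dir_perms;`. If cleanup really does read the files, keep the grant but write it the way the pickup rules later in this file do, `read_files_pattern(postfix_cleanup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` and `read_lnk_files_pattern(postfix_cleanup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)`, and amend the commit message to say read.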
@@ -40784,7 +41058,7 @@ index a32c4b3..701607c 100644 # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +294,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +298,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -40793,7 +41067,7 @@ index a32c4b3..701607c 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +309,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +313,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -40812,7 +41086,7 @@ index a32c4b3..701607c 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +325,10 @@ optional_policy(` +@@ -297,6 +329,10 @@ optional_policy(` ') optional_policy(` @@ -40823,7 +41097,7 @@ index a32c4b3..701607c 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +336,22 @@ optional_policy(` +@@ -304,9 +340,22 @@ optional_policy(` ') optional_policy(` @@ -40846,7 +41120,7 @@ index a32c4b3..701607c 100644 ######################################## # # Postfix map local policy -@@ -372,6 +417,7 @@ optional_policy(` +@@ -372,6 +421,7 @@ optional_policy(` # Postfix pickup local policy # 
@@ -40854,7 +41128,7 @@ index a32c4b3..701607c 100644 allow postfix_pickup_t self:tcp_socket create_socket_perms; stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -385,13 +431,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; +@@ -385,13 +435,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -40872,7 +41146,7 @@ index a32c4b3..701607c 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +450,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +454,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -40881,7 +41155,7 @@ index a32c4b3..701607c 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +471,7 @@ optional_policy(` +@@ -420,6 +475,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -40889,7 +41163,7 @@ index a32c4b3..701607c 100644 ') optional_policy(` -@@ -436,11 +488,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +492,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -40907,7 +41181,7 @@ index a32c4b3..701607c 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +545,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +549,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -40918,7 +41192,7 @@ index a32c4b3..701607c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +565,8 @@ optional_policy(` +@@ -507,6 +569,8 @@ optional_policy(` # Postfix qmgr local policy # @@ -40927,7 +41201,7 @@ index a32c4b3..701607c 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +579,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +583,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -40939,7 +41213,7 @@ index a32c4b3..701607c 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +602,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +606,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -40950,7 +41224,7 @@ index a32c4b3..701607c 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +630,10 @@ optional_policy(` +@@ -565,6 +634,10 @@ optional_policy(` ') optional_policy(` 
@@ -40961,7 +41235,7 @@ index a32c4b3..701607c 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +657,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +661,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -40978,7 +41252,7 @@ index a32c4b3..701607c 100644 ') optional_policy(` -@@ -611,8 +686,8 @@ optional_policy(` +@@ -611,8 +690,8 @@ optional_policy(` # Postfix virtual local policy # @@ -40988,7 +41262,7 @@ index a32c4b3..701607c 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +705,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +709,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -41278,6 +41552,19 @@ index ad15fde..6f55445 100644 ') allow $1 postgrey_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te +index db843e2..4389e81 100644 +--- a/policy/modules/services/postgrey.te ++++ b/policy/modules/services/postgrey.te +@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; + init_script_file(postgrey_initrc_exec_t) + + type postgrey_spool_t; +-files_type(postgrey_spool_t) ++files_spool_file(postgrey_spool_t) + + type postgrey_var_lib_t; + files_type(postgrey_var_lib_t) diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc index 2d82c6d..352032a 100644 --- a/policy/modules/services/ppp.fc @@ -41586,9 +41873,18 @@ index 2316653..77ef768 100644 + admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te -index b1bc02c..8f0b07e 100644 +index b1bc02c..e0c0f70 100644 --- a/policy/modules/services/prelude.te 
+++ b/policy/modules/services/prelude.te +@@ -13,7 +13,7 @@ type prelude_initrc_exec_t; + init_script_file(prelude_initrc_exec_t) + + type prelude_spool_t; +-files_type(prelude_spool_t) ++files_spool_file(prelude_spool_t) + + type prelude_log_t; + logging_log_file(prelude_log_t) @@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t) type prelude_correlator_t; type prelude_correlator_exec_t; @@ -42238,6 +42534,19 @@ index 64c5f95..cb7c5e2 100644 + usermanage_access_check_passwd(puppetmaster_t) + usermanage_access_check_useradd(puppetmaster_t) +') +diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te +index a841221..b62a01f 100644 +--- a/policy/modules/services/pyicqt.te ++++ b/policy/modules/services/pyicqt.te +@@ -13,7 +13,7 @@ type pyicqt_conf_t; + files_config_file(pyicqt_conf_t) + + type pyicqt_spool_t; +-files_type(pyicqt_spool_t) ++files_spool_file(pyicqt_spool_t) + + type pyicqt_var_run_t; + files_pid_file(pyicqt_var_run_t) diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc index d4a7750..705196e 100644 --- a/policy/modules/services/pyzor.fc @@ -42488,9 +42797,18 @@ index a55bf44..77a25f5 100644 ') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te -index 355b2a2..54329f9 100644 +index 355b2a2..88e6f40 100644 --- a/policy/modules/services/qmail.te +++ b/policy/modules/services/qmail.te +@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) + qmail_child_domain_template(qmail_splogger, qmail_start_t) + + type qmail_spool_t; +-files_type(qmail_spool_t) ++files_spool_file(qmail_spool_t) + + type qmail_start_t; + type qmail_start_exec_t; @@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) ######################################## # @@ -45287,7 +45605,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') 
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..e8ee29b 100644 +index b1468ed..06e637c 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -45393,14 +45711,14 @@ index b1468ed..e8ee29b 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -196,6 +214,7 @@ kernel_signal(gssd_t) - - corecmd_exec_bin(gssd_t) - -+fs_search_nfsd_fs(gssd_t) +@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) ++fs_search_nfsd_fs(gssd_t) + + fs_list_inotifyfs(gssd_t) + files_list_tmp(gssd_t) @@ -210,14 +229,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -45774,9 +46092,18 @@ index 71ea0ea..664e68e 100644 # interface(`rwho_domtrans',` diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te -index a07b2f4..0ba4495 100644 +index a07b2f4..ee39810 100644 --- a/policy/modules/services/rwho.te +++ b/policy/modules/services/rwho.te +@@ -16,7 +16,7 @@ type rwho_log_t; + files_type(rwho_log_t) + + type rwho_spool_t; +-files_type(rwho_spool_t) ++files_spool_file(rwho_spool_t) + + ######################################## + # @@ -55,6 +55,10 @@ files_read_etc_files(rwho_t) init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) @@ -46952,6 +47279,19 @@ index 086cd5f..79347e7 100644 optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) +diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te +index e5e72fd..92eecec 100644 +--- a/policy/modules/services/slrnpull.te ++++ b/policy/modules/services/slrnpull.te +@@ -13,7 +13,7 @@ type slrnpull_var_run_t; + files_pid_file(slrnpull_var_run_t) + + type slrnpull_spool_t; +-files_type(slrnpull_spool_t) ++files_spool_file(slrnpull_spool_t) + + type slrnpull_log_t; + logging_log_file(slrnpull_log_t) 
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if index adea9f9..d5b2d93 100644 --- a/policy/modules/services/smartmon.if @@ -47503,10 +47843,10 @@ index c954f31..c7cadcb 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..7573826 100644 +index ec1eb1e..e1f3477 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te -@@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0) +@@ -6,56 +6,95 @@ policy_module(spamassassin, 2.4.0) # ## @@ -47634,8 +47974,11 @@ index ec1eb1e..7573826 100644 +logging_log_file(spamd_log_t) + type spamd_spool_t; - files_type(spamd_spool_t) +-files_type(spamd_spool_t) ++files_spool_file(spamd_spool_t) + type spamd_tmp_t; + files_tmp_file(spamd_tmp_t) @@ -108,6 +147,7 @@ kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) @@ -49585,9 +49928,18 @@ index 3b953f5..70f687a 100644 # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te -index c2cf97e..037a1e8 100644 +index c2cf97e..1f8f768 100644 --- a/policy/modules/services/uptime.te +++ b/policy/modules/services/uptime.te +@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t; + files_config_file(uptimed_etc_t) + + type uptimed_spool_t; +-files_type(uptimed_spool_t) ++files_spool_file(uptimed_spool_t) + + type uptimed_var_run_t; + files_pid_file(uptimed_var_run_t) @@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t) dontaudit uptimed_t self:capability sys_tty_config; @@ -49610,9 +49962,18 @@ index 4440aa6..34ffbfd 100644 + virt_dontaudit_read_chr_dev(usbmuxd_t) +') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index d4349e9..4d112ba 100644 +index d4349e9..5e7be4f 100644 --- a/policy/modules/services/uucp.te 
+++ b/policy/modules/services/uucp.te +@@ -24,7 +24,7 @@ type uucpd_ro_t; + files_type(uucpd_ro_t) + + type uucpd_spool_t; +-files_type(uucpd_spool_t) ++files_spool_file(uucpd_spool_t) + + type uucpd_log_t; + logging_log_file(uucpd_log_t) @@ -125,6 +125,8 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; allow uux_t self:fifo_file write_fifo_file_perms; @@ -52729,7 +53090,7 @@ index 130ced9..10b57e0 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..bc547bf 100644 +index 143c893..0ad8e41 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -52864,7 +53225,7 @@ index 143c893..bc547bf 100644 +files_config_file(xdm_rw_etc_t) + +type xdm_spool_t; -+files_type(xdm_spool_t) ++files_spool_file(xdm_spool_t) type xdm_var_lib_t; files_type(xdm_var_lib_t) @@ -54228,7 +54589,7 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..c2dc2c5 100644 +index 73554ec..dedb917 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -54301,7 +54662,7 @@ index 73554ec..c2dc2c5 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,13 +171,113 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +171,89 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) 
@@ -54349,30 +54710,10 @@ index 73554ec..c2dc2c5 100644 + ') + + optional_policy(` ++ systemd_dbus_chat_logind($1) + systemd_use_fds_logind($1) + systemd_write_inherited_logind_sessions_pipes($1) - ') - ') - - ######################################## - ## -+## Send and receive messages from -+## login program domains over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authlogin_dbus_chat',` -+ gen_require(` -+ attribute polydomain; -+ class dbus send_msg; + ') -+ -+ allow $1 polydomain:dbus send_msg; -+ allow polydomain $1:dbus send_msg; +') + +######################################## @@ -54407,17 +54748,13 @@ index 73554ec..c2dc2c5 100644 +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; -+ ') + ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## - ## Use the login program as an entry point program. - ## - ## -@@ -368,13 +484,15 @@ interface(`auth_domtrans_chk_passwd',` + ') + + ######################################## +@@ -368,13 +464,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -54434,7 +54771,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -421,6 +539,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +519,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -54460,7 +54797,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -736,7 +873,47 @@ interface(`auth_rw_faillog',` +@@ -736,7 +853,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -54509,7 +54846,7 @@ index 73554ec..c2dc2c5 100644 ') ####################################### -@@ -932,9 +1109,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1089,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -54543,7 +54880,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -1387,6 +1585,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1565,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -54569,7 +54906,7 @@ index 73554ec..c2dc2c5 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1541,24 +1758,6 @@ interface(`auth_manage_login_records',` +@@ -1541,24 +1738,6 @@ interface(`auth_manage_login_records',` ######################################## ## @@ -54594,7 +54931,7 @@ index 73554ec..c2dc2c5 100644 ## Use nsswitch to look up user, password, group, or ## host information. ## -@@ -1579,28 +1778,36 @@ interface(`auth_relabel_login_records',` +@@ -1579,28 +1758,36 @@ interface(`auth_relabel_login_records',` # interface(`auth_use_nsswitch',` @@ -54638,7 +54975,7 @@ index 73554ec..c2dc2c5 100644 optional_policy(` kerberos_use($1) ') -@@ -1610,7 +1817,7 @@ interface(`auth_use_nsswitch',` +@@ -1610,7 +1797,7 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -55860,7 +56197,7 @@ index 94fd8dd..0d7aa40 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..82cf8ae 100644 +index 29a9565..308297d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -56035,7 +56372,7 @@ index 29a9565..82cf8ae 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +244,126 @@ tunable_policy(`init_upstart',` +@@ -186,12 +244,129 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') 
@@ -56081,6 +56418,7 @@ index 29a9565..82cf8ae 100644 + dev_manage_sysfs_dirs(init_t) + dev_relabel_sysfs_dirs(init_t) + ++ files_search_all(init_t) + files_mounton_all_mountpoints(init_t) + files_unmount_all_file_type_fs(init_t) + files_manage_all_pid_dirs(init_t) @@ -56088,6 +56426,8 @@ index 29a9565..82cf8ae 100644 + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) + files_delete_all_pid_sockets(init_t) ++ files_create_all_spool_sockets(init_t) ++ files_delete_all_spool_sockets(init_t) + files_manage_urandom_seed(init_t) + files_list_locks(init_t) + files_list_spool(init_t) @@ -56162,7 +56502,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -199,10 +371,26 @@ optional_policy(` +@@ -199,10 +374,26 @@ optional_policy(` ') optional_policy(` @@ -56189,7 +56529,7 @@ index 29a9565..82cf8ae 100644 unconfined_domain(init_t) ') -@@ -212,7 +400,7 @@ optional_policy(` +@@ -212,7 +403,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -56198,7 +56538,7 @@ index 29a9565..82cf8ae 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +429,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -56214,7 +56554,7 @@ index 29a9565..82cf8ae 100644 init_write_initctl(initrc_t) -@@ -258,20 +449,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -56251,7 +56591,7 @@ index 29a9565..82cf8ae 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +482,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -56259,7 +56599,7 @@ index 29a9565..82cf8ae 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +493,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -56270,7 +56610,7 @@ index 29a9565..82cf8ae 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +504,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -56287,7 +56627,7 @@ index 29a9565..82cf8ae 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +523,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -56295,7 +56635,7 @@ index 29a9565..82cf8ae 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +531,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -56307,7 +56647,7 @@ index 29a9565..82cf8ae 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +550,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -56321,7 +56661,7 @@ index 29a9565..82cf8ae 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +565,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -56330,7 +56670,7 @@ index 29a9565..82cf8ae 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +579,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -56338,7 +56678,7 @@ index 29a9565..82cf8ae 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +591,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -56346,7 +56686,7 @@ index 29a9565..82cf8ae 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +612,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -56368,7 +56708,7 @@ index 29a9565..82cf8ae 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +675,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -56379,7 +56719,7 @@ index 29a9565..82cf8ae 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +699,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +702,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -56388,7 +56728,7 @@ index 29a9565..82cf8ae 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +714,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +717,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -56396,7 +56736,7 @@ index 29a9565..82cf8ae 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +744,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +747,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -56430,7 +56770,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -531,10 +778,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +781,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -56457,7 +56797,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -549,6 +812,39 @@ ifdef(`distro_suse',` +@@ -549,6 +815,39 @@ ifdef(`distro_suse',` ') ') @@ -56497,7 +56837,7 @@ index 29a9565..82cf8ae 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +857,8 @@ optional_policy(` +@@ -561,6 +860,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -56506,7 +56846,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -577,6 +875,7 @@ optional_policy(` +@@ -577,6 +878,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -56514,7 +56854,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -589,6 +888,11 @@ optional_policy(` +@@ -589,6 +891,11 @@ optional_policy(` ') optional_policy(` 
@@ -56526,7 +56866,7 @@ index 29a9565..82cf8ae 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +909,13 @@ optional_policy(` +@@ -605,9 +912,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -56540,7 +56880,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -649,6 +957,11 @@ optional_policy(` +@@ -649,6 +960,11 @@ optional_policy(` ') optional_policy(` @@ -56552,7 +56892,7 @@ index 29a9565..82cf8ae 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1002,7 @@ optional_policy(` +@@ -689,6 +1005,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -56560,7 +56900,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -706,7 +1020,13 @@ optional_policy(` +@@ -706,7 +1023,13 @@ optional_policy(` ') optional_policy(` @@ -56574,7 +56914,7 @@ index 29a9565..82cf8ae 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1049,10 @@ optional_policy(` +@@ -729,6 +1052,10 @@ optional_policy(` ') optional_policy(` @@ -56585,7 +56925,7 @@ index 29a9565..82cf8ae 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1062,20 @@ optional_policy(` +@@ -738,10 +1065,20 @@ optional_policy(` ') optional_policy(` @@ -56606,7 +56946,7 @@ index 29a9565..82cf8ae 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1084,10 @@ optional_policy(` +@@ -750,6 +1087,10 @@ optional_policy(` ') optional_policy(` @@ -56617,7 +56957,7 @@ index 29a9565..82cf8ae 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1109,6 @@ optional_policy(` +@@ -771,8 +1112,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -56626,7 +56966,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -790,10 +1126,12 @@ optional_policy(` +@@ -790,10 +1129,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') 
@@ -56639,7 +56979,7 @@ index 29a9565..82cf8ae 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1143,6 @@ optional_policy(` +@@ -805,7 +1146,6 @@ optional_policy(` ') optional_policy(` @@ -56647,7 +56987,7 @@ index 29a9565..82cf8ae 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1152,24 @@ optional_policy(` +@@ -815,11 +1155,24 @@ optional_policy(` ') optional_policy(` @@ -56673,7 +57013,7 @@ index 29a9565..82cf8ae 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1179,25 @@ optional_policy(` +@@ -829,6 +1182,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -56699,7 +57039,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -844,6 +1213,10 @@ optional_policy(` +@@ -844,6 +1216,10 @@ optional_policy(` ') optional_policy(` @@ -56710,7 +57050,7 @@ index 29a9565..82cf8ae 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1227,45 @@ optional_policy(` +@@ -854,3 +1230,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -56959,7 +57299,7 @@ index 05fb364..6b895d1 100644 -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index f3e1b57..a7b2adc 100644 +index f3e1b57..d6a93ac 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -13,9 +13,6 @@ role system_r types iptables_t; 
@@ -56983,7 +57323,15 @@ index f3e1b57..a7b2adc 100644 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -61,6 +58,9 @@ corenet_relabelto_all_packets(iptables_t) +@@ -46,6 +43,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; + allow iptables_t iptables_tmp_t:file manage_file_perms; + files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) + ++kernel_getattr_proc(iptables_t) + kernel_request_load_module(iptables_t) + kernel_read_system_state(iptables_t) + kernel_read_network_state(iptables_t) +@@ -61,6 +59,9 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -56993,7 +57341,7 @@ index f3e1b57..a7b2adc 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -69,11 +69,13 @@ fs_list_inotifyfs(iptables_t) +@@ -69,11 +70,13 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -57008,7 +57356,7 @@ index f3e1b57..a7b2adc 100644 auth_use_nsswitch(iptables_t) -@@ -82,6 +84,7 @@ init_use_script_ptys(iptables_t) +@@ -82,6 +85,7 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -57016,7 +57364,7 @@ index f3e1b57..a7b2adc 100644 logging_send_syslog_msg(iptables_t) -@@ -90,7 +93,7 @@ miscfiles_read_localization(iptables_t) +@@ -90,7 +94,7 @@ miscfiles_read_localization(iptables_t) sysnet_domtrans_ifconfig(iptables_t) sysnet_dns_name_resolve(iptables_t) @@ -57025,7 +57373,7 @@ index f3e1b57..a7b2adc 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -99,6 +102,8 @@ ifdef(`hide_broken_symptoms',` +@@ -99,6 +103,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) 
@@ -57034,7 +57382,7 @@ index f3e1b57..a7b2adc 100644 ') optional_policy(` -@@ -121,6 +126,7 @@ optional_policy(` +@@ -121,6 +127,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -57042,7 +57390,7 @@ index f3e1b57..a7b2adc 100644 ') optional_policy(` -@@ -134,6 +140,7 @@ optional_policy(` +@@ -134,6 +141,7 @@ optional_policy(` optional_policy(` shorewall_read_tmp_files(iptables_t) shorewall_rw_lib_files(iptables_t) @@ -57946,14 +58294,14 @@ index 831b909..57064ad 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..eedd444 100644 +index b6ec597..fa034d6 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -20,6 +20,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; -+files_type(audit_spool_t) ++files_spool_file(audit_spool_t) files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) @@ -61082,10 +61430,10 @@ index 0000000..3248032 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..9cc3fb6 +index 0000000..16371df --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,325 @@ +@@ -0,0 +1,344 @@ +## SELinux policy for systemd components + +####################################### @@ -61198,6 +61546,25 @@ index 0000000..9cc3fb6 + +###################################### +## ++## Read systemd_login PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_read_pid_files',` ++ gen_require(` ++ type systemd_logind_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) ++') ++ ++###################################### ++## +## Use and and inherited systemd +## logind file descriptors. +## 
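Review bot: In the logging.te hunk, switching audit_spool_t from `files_type` to `files_spool_file` gives an audit-data type the spoolfile attribute, which means every `files_*_all_spool*` interface now reaches it — including the `files_create_all_spool_sockets`/`files_delete_all_spool_sockets` calls added to init_t earlier in this same series. The type is deliberately marked `files_security_file`/`files_security_mountpoint` on the adjacent context lines, so it was previously excluded from attribute-wide spool access. Unless a caller genuinely needs to treat it as generic spool, keeping `files_type(audit_spool_t)` preserves that isolation; otherwise a comment on the line should record why audit spool is meant to be reachable through the spoolfile attribute.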
@@ -61413,10 +61780,10 @@ index 0000000..9cc3fb6 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..06e5b12 +index 0000000..155a839 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,310 @@ +@@ -0,0 +1,309 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -61484,7 +61851,7 @@ index 0000000..06e5b12 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown dac_override }; ++allow systemd_logind_t self:capability { chown dac_override fowner }; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; @@ -61522,7 +61889,6 @@ index 0000000..06e5b12 +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display) +auth_manage_var_auth(systemd_logind_t) + -+authlogin_dbus_chat(systemd_logind_t) +authlogin_read_state(systemd_logind_t) + +dbus_connect_system_bus(systemd_logind_t) @@ -61949,7 +62315,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..ca207d7 100644 +index d88f7c3..73c1dbc 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) 
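Review bot: The capability line in systemd.te gains `fowner` but the only justification on the preceding comment line covers dac_override (/run/user/$USER ownership), so the new bit is undocumented while the neighbouring one is; the changelog only says "systemd-login needs fowner". fowner lets logind bypass owner checks for chmod/setattr/utimes on files it can already reach, so the comment should name the path or operation that triggers it, for example `# fowner: logind chmods/setattrs entries under /run/user/$USER that it does not own`. If the actual trigger is unknown, recording the denial that motivated it (hedged) is better than nothing, since this file is new and will be the reference for later widening.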
@@ -62068,7 +62434,16 @@ index d88f7c3..ca207d7 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,15 +200,16 @@ ifdef(`distro_redhat',` +@@ -169,6 +183,8 @@ sysnet_signal_dhcpc(udev_t) + sysnet_manage_config(udev_t) + sysnet_etc_filetrans_config(udev_t) + ++systemd_login_read_pid_files(udev_t) ++ + userdom_dontaudit_search_user_home_content(udev_t) + + ifdef(`distro_gentoo',` +@@ -186,15 +202,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -62089,7 +62464,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -216,11 +231,16 @@ optional_policy(` +@@ -216,11 +233,16 @@ optional_policy(` ') optional_policy(` @@ -62107,7 +62482,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -230,6 +250,15 @@ optional_policy(` +@@ -230,6 +252,15 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -62123,7 +62498,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -259,6 +288,10 @@ optional_policy(` +@@ -259,6 +290,10 @@ optional_policy(` ') optional_policy(` @@ -62134,7 +62509,7 @@ index d88f7c3..ca207d7 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +306,11 @@ optional_policy(` +@@ -273,6 +308,11 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index b8fbc059..ad718c02 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
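Review bot: The new `systemd_login_read_pid_files(udev_t)` call in the udev.te hunk is placed bare, not inside an `optional_policy(` block, unlike the other cross-module calls in the surrounding optional_policy stanzas (devicekit, openct). If the systemd module is not built as part of base in this tree, a bare call makes udev fail to build whenever systemd is disabled; wrapping it as `optional_policy(` / `\tsystemd_login_read_pid_files(udev_t)` / `')` follows the file's existing pattern. I cannot see modules.conf from here, so if systemd is in base this is only a consistency nit.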
@@ -452,6 +452,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jul 19 2011 Miroslav Grepl 3.10.0-6 +- Add initial policy for abrt_dump_oops_t +- xtables-multi wants to getattr of the proc fs +- Smoltclient is connecting to abrt +- Dontaudit leaked file descriptors to postdrop +- Allow abrt_dump_oops to look at kernel sysctls +- Abrt_dump_oops_t reads kernel ring buffer +- Allow mysqld to request the kernel to load modules +- systemd-login needs fowner +- Allow postfix_cleanup_t to searh maildrop + * Mon Jul 18 2011 Miroslav Grepl 3.10.0-5 - Initial systemd_logind policy - Add policy for systemd_logger and additional proivs for systemd_logind From 273e9346116f8816c3dcc594ff63874f49cc4d1f Mon Sep 17 00:00:00 2001 From: Miroslav Date: Thu, 21 Jul 2011 17:22:47 +0200 Subject: [PATCH 2/3] systemd fixes --- policy-F16.patch | 717 +++++++++++++++++++++++++++----------------- selinux-policy.spec | 5 +- 2 files changed, 446 insertions(+), 276 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index f6c009f5..db25c5af 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -3310,10 +3310,10 @@ index 0000000..1f468aa +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..7b1047f +index 0000000..bbbba63 --- /dev/null +++ b/policy/modules/apps/chrome.if -@@ -0,0 +1,126 @@ +@@ -0,0 +1,128 @@ + +## policy for chrome + @@ -3335,6 +3335,8 @@ index 0000000..7b1047f + domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t) + ps_process_pattern(chrome_sandbox_t, $1) + ++ allow $1 chrome_sandbox_t:fd use; ++ + ifdef(`hide_broken_symptoms',` + dontaudit chrome_sandbox_t $1:socket_class_set { read write }; + fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) 
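Review bot: The new `allow $1 chrome_sandbox_t:fd use;` in chrome.if grants the calling domain use of file descriptors owned by chrome_sandbox_t, but carries no comment and the interface's description block is outside the hunk. Since this is the one rule in the interface that lets the caller act on the sandbox's descriptors rather than the reverse, a one-line comment stating what triggers it would help, e.g. `# caller uses fds handed back by the sandbox helper (presumably over the domtrans above)`. The interface header and its closing `')` are not visible in this hunk, so the placement of the rule relative to the `hide_broken_symptoms` block cannot be fully checked here.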
@@ -13123,7 +13125,7 @@ index c19518a..ba08cfe 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..d6ca227 100644 +index ff006ea..9097e58 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -13894,7 +13896,7 @@ index ff006ea..d6ca227 100644 ') ######################################## -@@ -5815,6 +6166,98 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,6 +6166,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -13952,6 +13954,24 @@ index ff006ea..d6ca227 100644 + +######################################## +## ++## Create all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file create_fifo_file_perms; ++') ++ ++######################################## ++## +## Delete all pid named pipes +## +## @@ -13993,7 +14013,7 @@ index ff006ea..d6ca227 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6275,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6293,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -14038,7 +14058,7 @@ index ff006ea..d6ca227 100644 ') ######################################## -@@ -5900,6 +6381,90 @@ interface(`files_delete_all_pid_dirs',` +@@ -5900,6 +6399,90 @@ interface(`files_delete_all_pid_dirs',` ######################################## ## @@ -14129,7 +14149,7 @@ index ff006ea..d6ca227 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6042,7 +6607,7 @@ interface(`files_spool_filetrans',` +@@ -6042,7 +6625,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
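Review bot: `files_create_all_pid_pipes` only grants `allow $1 pidfile:fifo_file create_fifo_file_perms;`, which does not by itself cover adding the new entry to the containing directory; unless callers already obtain `add_name` on `pidfile` directories through another interface, the fifo creation will still be denied. If that is the intent (creation into an already-writable pid dir), say so in the interface description; otherwise consider pairing it with `allow $1 pidfile:dir add_entry_dir_perms;` as the matching `files_delete_all_pid_pipes` presumably does (its body is outside this hunk). The new interface also spans the whole `pidfile` attribute, so a reviewer would want the summary to make clear it is "all pid types", consistent with the sibling delete interface.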
@@ -14138,7 +14158,7 @@ index ff006ea..d6ca227 100644 ') ######################################## -@@ -6117,3 +6682,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6700,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -18137,10 +18157,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..230d370 +index 0000000..99f35d5 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,543 @@ +@@ -0,0 +1,545 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -18263,6 +18283,8 @@ index 0000000..230d370 +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) + ++systemd_config_all_services(unconfined_t) ++ +optional_policy(` + mount_run_unconfined(unconfined_t, unconfined_r) + # Unconfined running as system_r @@ -19239,7 +19261,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..b8f91da 100644 +index 30861ec..2fe2895 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -19578,7 +19600,7 @@ index 30861ec..b8f91da 100644 + +files_read_etc_files(abrt_dump_oops_t) + -+logging_read_generic_logs(abrt_helper_t) ++logging_read_generic_logs(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t) + +miscfiles_read_localization(abrt_dump_oops_t) @@ -20017,7 +20039,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..70d68cb 100644 +index 9e39aa5..a0876b5 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ 
@@ -20040,7 +20062,16 @@ index 9e39aa5..70d68cb 100644 /etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) -@@ -24,16 +29,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u +@@ -16,6 +21,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u + /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) + /etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + ++/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_t,s0) ++ + /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + +@@ -24,16 +31,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -20065,7 +20096,7 @@ index 9e39aa5..70d68cb 100644 /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) -@@ -43,8 +49,9 @@ ifdef(`distro_suse', ` +@@ -43,8 +51,9 @@ ifdef(`distro_suse', ` /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
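Review bot: The new file-context regex `/lib/systemd/system/httpd.?\.service` uses `.?`, which matches any single character rather than an optional digit or suffix, so it would also label e.g. `httpd-.service` or `httpdX.service` as httpd_unit_t. If the intent is only `httpd.service` (and a variant such as `httpd2.service`, as the `httpd2-.*` entries elsewhere in apache.fc suggest), a narrower form such as `/lib/systemd/system/httpd[0-9]?\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)` expresses that exactly. Unit-file labels feed `systemd_unit_file(httpd_unit_t)` and the `all_service_perms` grant in apache_admin, so keeping the match tight avoids mislabelled units being manageable by that admin interface.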
@@ -20077,7 +20108,7 @@ index 9e39aa5..70d68cb 100644 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -73,8 +80,10 @@ ifdef(`distro_suse', ` +@@ -73,8 +82,10 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -20089,7 +20120,7 @@ index 9e39aa5..70d68cb 100644 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -84,9 +93,10 @@ ifdef(`distro_suse', ` +@@ -84,9 +95,10 @@ ifdef(`distro_suse', ` /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) @@ -20101,7 +20132,12 @@ index 9e39aa5..70d68cb 100644 ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -109,3 +119,22 @@ ifdef(`distro_debian', ` +@@ -105,7 +117,27 @@ ifdef(`distro_debian', ` + + /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/www/html(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
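Review bot: The added entry `/var/www/html(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)` sits directly after `/var/www(/.*)?/logs(/.*)?` (httpd_log_t) and, if I read file_contexts precedence correctly, takes priority for everything under `/var/www/html/**/logs`, so files written there as logs lose the httpd_log_t label and become servable content. That may be intended for web applications that ship a `logs` directory as content, but the effect on real log files is not obvious from the line itself; a comment above it, e.g. `# application "logs" dirs under the document root are content, not httpd_log_t`, would record the decision and make it reviewable when the two rules drift apart.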
@@ -20125,7 +20161,7 @@ index 9e39aa5..70d68cb 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..b32b10e 100644 +index 6480167..970916e 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -20564,11 +20600,12 @@ index 6480167..b32b10e 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +1026,11 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1026,12 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; - type httpd_sys_script_t; ++ type httpd_sys_script_exec_t; + type httpd_sys_script_t, httpd_sys_content_t; + ') + @@ -20577,7 +20614,7 @@ index 6480167..b32b10e 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1089,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1090,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## @@ -20589,7 +20626,7 @@ index 6480167..b32b10e 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1119,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1120,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -20598,7 +20635,7 @@ index 6480167..b32b10e 100644 ') ######################################## -@@ -1091,6 +1260,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1261,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') 
@@ -20624,7 +20661,7 @@ index 6480167..b32b10e 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1295,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -20633,7 +20670,7 @@ index 6480167..b32b10e 100644 ') ######################################## -@@ -1170,17 +1358,14 @@ interface(`apache_cgi_domain',` +@@ -1170,17 +1359,15 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -20648,6 +20685,7 @@ index 6480167..b32b10e 100644 + type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; type httpd_suexec_tmp_t, httpd_tmp_t; - type httpd_initrc_exec_t; ++ type httpd_unit_t; ') - allow $1 httpd_t:process { getattr ptrace signal_perms }; @@ -20655,7 +20693,7 @@ index 6480167..b32b10e 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1376,10 @@ interface(`apache_admin',` +@@ -1191,10 +1378,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -20668,7 +20706,7 @@ index 6480167..b32b10e 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1390,67 @@ interface(`apache_admin',` +@@ -1205,14 +1392,69 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -20687,6 +20725,8 @@ index 6480167..b32b10e 100644 admin_pattern($1, httpd_php_tmp_t) admin_pattern($1, httpd_suexec_tmp_t) + ++ allow $1 httpd_unit_t:service all_service_perms; ++ + ifdef(`TODO',` + apache_set_booleans($1, $2, $3, httpd_bool_t) + seutil_setsebool_role_template($1, $3, $2) @@ -20742,7 +20782,7 @@ index 6480167..b32b10e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') 
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..edeae62 100644 +index 3136c6a..8115e0e 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -21006,7 +21046,17 @@ index 3136c6a..edeae62 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -216,7 +281,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -177,6 +242,9 @@ role system_r types httpd_helper_t; + type httpd_initrc_exec_t; + init_script_file(httpd_initrc_exec_t) + ++type httpd_unit_t; ++systemd_unit_file(httpd_unit_t) ++ + type httpd_lock_t; + files_lock_file(httpd_lock_t) + +@@ -216,7 +284,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -21025,7 +21075,7 @@ index 3136c6a..edeae62 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +301,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +304,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -21036,7 +21086,7 @@ index 3136c6a..edeae62 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +312,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +315,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -21044,7 +21094,7 @@ index 3136c6a..edeae62 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,9 +334,13 @@ files_type(httpd_var_lib_t) +@@ -254,9 +337,13 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -21058,7 +21108,7 @@ index 3136c6a..edeae62 100644 optional_policy(` prelink_object_file(httpd_modules_t) -@@ -281,11 +365,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +368,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -21072,7 +21122,7 @@ index 3136c6a..edeae62 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +415,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +418,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -21083,7 +21133,7 @@ index 3136c6a..edeae62 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +442,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +445,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -21092,7 +21142,7 @@ index 3136c6a..edeae62 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +454,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +457,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -21108,7 +21158,7 @@ index 3136c6a..edeae62 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +470,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +473,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -21124,7 +21174,7 @@ index 3136c6a..edeae62 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +483,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +486,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -21132,7 +21182,7 @@ index 3136c6a..edeae62 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,6 +495,13 @@ files_read_etc_files(httpd_t) +@@ -402,6 +498,13 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -21146,7 +21196,7 @@ index 3136c6a..edeae62 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +516,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +519,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -21223,7 +21273,7 @@ index 3136c6a..edeae62 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +596,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +599,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
@@ -21234,7 +21284,7 @@ index 3136c6a..edeae62 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +610,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +613,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -21264,7 +21314,7 @@ index 3136c6a..edeae62 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +640,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +643,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -21281,7 +21331,7 @@ index 3136c6a..edeae62 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +664,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +667,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -21302,7 +21352,7 @@ index 3136c6a..edeae62 100644 ') optional_policy(` -@@ -513,7 +688,13 @@ optional_policy(` +@@ -513,7 +691,13 @@ optional_policy(` ') optional_policy(` @@ -21317,7 +21367,7 @@ index 3136c6a..edeae62 100644 ') optional_policy(` -@@ -528,7 +709,18 @@ optional_policy(` +@@ -528,7 +712,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -21337,7 +21387,7 @@ index 3136c6a..edeae62 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +729,13 @@ optional_policy(` +@@ -537,8 +732,13 @@ optional_policy(` ') optional_policy(` @@ -21352,7 +21402,7 @@ index 3136c6a..edeae62 100644 ') ') -@@ -556,7 +753,13 @@ optional_policy(` +@@ -556,7 +756,13 @@ optional_policy(` ') optional_policy(` 
@@ -21366,7 +21416,7 @@ index 3136c6a..edeae62 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +770,7 @@ optional_policy(` +@@ -567,6 +773,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -21374,7 +21424,7 @@ index 3136c6a..edeae62 100644 ') optional_policy(` -@@ -577,6 +781,16 @@ optional_policy(` +@@ -577,6 +784,16 @@ optional_policy(` ') optional_policy(` @@ -21391,7 +21441,7 @@ index 3136c6a..edeae62 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +805,11 @@ optional_policy(` +@@ -591,6 +808,11 @@ optional_policy(` ') optional_policy(` @@ -21403,7 +21453,7 @@ index 3136c6a..edeae62 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +822,12 @@ optional_policy(` +@@ -603,6 +825,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -21416,7 +21466,7 @@ index 3136c6a..edeae62 100644 ######################################## # # Apache helper local policy -@@ -616,7 +841,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +844,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -21429,7 +21479,7 @@ index 3136c6a..edeae62 100644 ######################################## # -@@ -654,28 +883,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +886,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -21473,7 +21523,7 @@ index 3136c6a..edeae62 100644 ') ######################################## -@@ -685,6 +916,8 @@ optional_policy(` +@@ -685,6 +919,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -21482,7 +21532,7 @@ index 3136c6a..edeae62 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +932,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +935,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -21508,7 +21558,7 @@ index 3136c6a..edeae62 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +978,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +981,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -21541,7 +21591,7 @@ index 3136c6a..edeae62 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1025,25 @@ optional_policy(` +@@ -769,6 +1028,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -21567,7 +21617,7 @@ index 3136c6a..edeae62 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1064,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1067,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -21585,7 +21635,7 @@ index 3136c6a..edeae62 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1083,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1086,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -21642,7 +21692,7 @@ index 3136c6a..edeae62 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1134,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1137,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -21673,7 +21723,7 @@ index 3136c6a..edeae62 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1169,20 @@ optional_policy(` +@@ -842,10 +1172,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -21694,7 +21744,7 @@ index 3136c6a..edeae62 100644 ') ######################################## -@@ -891,11 +1228,21 @@ optional_policy(` +@@ -891,11 +1231,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -25873,7 +25923,7 @@ index 35241ed..2976df7 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..894130f 100644 +index f7583ab..3c9cf5a 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -26049,10 +26099,11 @@ index f7583ab..894130f 100644 logging_send_syslog_msg(crond_t) logging_set_loginuid(crond_t) -@@ -220,8 +243,10 @@ miscfiles_read_localization(crond_t) +@@ -220,8 +243,11 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) ++userdom_list_admin_dir(crond_t) +userdom_create_all_users_keys(crond_t) mta_send_mail(crond_t) 
@@ -26060,7 +26111,7 @@ index f7583ab..894130f 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -233,7 +258,7 @@ ifdef(`distro_debian',` +@@ -233,7 +259,7 @@ ifdef(`distro_debian',` ') ') @@ -26069,7 +26120,7 @@ index f7583ab..894130f 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -250,11 +275,30 @@ tunable_policy(`fcron_crond', ` +@@ -250,11 +276,30 @@ tunable_policy(`fcron_crond', ` ') optional_policy(` @@ -26100,7 +26151,7 @@ index f7583ab..894130f 100644 amanda_search_var_lib(crond_t) ') -@@ -264,6 +308,8 @@ optional_policy(` +@@ -264,6 +309,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -26109,7 +26160,7 @@ index f7583ab..894130f 100644 ') optional_policy(` -@@ -286,15 +332,26 @@ optional_policy(` +@@ -286,15 +333,26 @@ optional_policy(` ') optional_policy(` @@ -26136,7 +26187,7 @@ index f7583ab..894130f 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -306,10 +363,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -306,10 +364,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -26157,7 +26208,7 @@ index f7583ab..894130f 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -329,6 +395,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -329,6 +396,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; 
@@ -26165,7 +26216,7 @@ index f7583ab..894130f 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,9 +407,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -340,9 +408,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -26180,7 +26231,7 @@ index f7583ab..894130f 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -365,6 +436,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -365,6 +437,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -26188,7 +26239,7 @@ index f7583ab..894130f 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -391,6 +463,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -391,6 +464,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -26196,7 +26247,7 @@ index f7583ab..894130f 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +486,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +487,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -26208,7 +26259,7 @@ index f7583ab..894130f 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +514,8 @@ optional_policy(` +@@ -439,6 +515,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) 
@@ -26217,7 +26268,7 @@ index f7583ab..894130f 100644 ') optional_policy(` -@@ -446,6 +523,14 @@ optional_policy(` +@@ -446,6 +524,14 @@ optional_policy(` ') optional_policy(` @@ -26232,7 +26283,7 @@ index f7583ab..894130f 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,15 +541,24 @@ optional_policy(` +@@ -456,15 +542,24 @@ optional_policy(` ') optional_policy(` @@ -26257,7 +26308,7 @@ index f7583ab..894130f 100644 ') optional_policy(` -@@ -480,7 +574,7 @@ optional_policy(` +@@ -480,7 +575,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -26266,7 +26317,7 @@ index f7583ab..894130f 100644 ') optional_policy(` -@@ -495,6 +589,7 @@ optional_policy(` +@@ -495,6 +590,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -26274,7 +26325,7 @@ index f7583ab..894130f 100644 ') optional_policy(` -@@ -502,7 +597,13 @@ optional_policy(` +@@ -502,7 +598,13 @@ optional_policy(` ') optional_policy(` @@ -26288,7 +26339,7 @@ index f7583ab..894130f 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +696,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +697,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -26304,10 +26355,10 @@ index f7583ab..894130f 100644 diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc new file mode 100644 -index 0000000..a7c4f1e +index 0000000..e490a2a --- /dev/null +++ b/policy/modules/services/ctdbd.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,15 @@ + +/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) + 
@@ -26320,14 +26371,15 @@ index 0000000..a7c4f1e +/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) + +/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) ++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) +/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) + diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if new file mode 100644 -index 0000000..3317390 +index 0000000..9146ef1 --- /dev/null +++ b/policy/modules/services/ctdbd.if -@@ -0,0 +1,236 @@ +@@ -0,0 +1,255 @@ + +## policy for ctdbd + @@ -26523,6 +26575,25 @@ index 0000000..3317390 + allow $1 ctdbd_var_run_t:file read_file_perms; +') + ++####################################### ++## ++## Connect to ctdbd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ctdbd_stream_connect',` ++ gen_require(` ++ type ctdbd_t, ctdbd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t) ++') ++ +######################################## +## +## All of the rules required to administrate @@ -26566,10 +26637,10 @@ index 0000000..3317390 + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..82ba45e +index 0000000..09cb39f --- /dev/null +++ b/policy/modules/services/ctdbd.te -@@ -0,0 +1,90 @@ +@@ -0,0 +1,114 @@ +policy_module(ctdbd, 1.0.0) + +######################################## @@ -26590,7 +26661,8 @@ index 0000000..82ba45e +logging_log_file(ctdbd_log_t) + +type ctdbd_spool_t; -+files_spool_file(ctdbd_spool_t) ++files_type(ctdbd_spool_t) ++#files_spool_file(ctdbd_spool_t) + +type ctdbd_tmp_t; +files_tmp_file(ctdbd_tmp_t) 
@@ -26605,10 +26677,13 @@ index 0000000..82ba45e +# +# ctdbd local policy +# -+allow ctdbd_t self:capability { chown ipc_lock sys_nice }; ++ ++allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace }; +allow ctdbd_t self:process { setpgid signal_perms setsched }; ++ +allow ctdbd_t self:fifo_file rw_fifo_file_perms; +allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; +allow ctdbd_t self:packet_socket create_socket_perms; +allow ctdbd_t self:tcp_socket create_stream_socket_perms; + @@ -26616,14 +26691,16 @@ index 0000000..82ba45e +manage_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) +logging_log_filetrans(ctdbd_t, ctdbd_log_t, { dir file } ) + ++manage_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t) +manage_sock_files_pattern(ctdbd_t, ctdbd_tmp_t, ctdbd_tmp_t) -+files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, sock_file) ++files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file}) + +manage_dirs_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) +manage_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) +manage_lnk_files_pattern(ctdbd_t, ctdbd_spool_t, ctdbd_spool_t) +files_spool_filetrans(ctdbd_t, ctdbd_spool_t, { dir file }) + ++exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, { dir file } ) @@ -26632,6 +26709,8 @@ index 0000000..82ba45e +manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) +files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, { dir file }) + ++kernel_read_network_state(ctdbd_t) ++kernel_rw_net_sysctls(ctdbd_t) +kernel_read_system_state(ctdbd_t) + +corenet_tcp_bind_generic_node(ctdbd_t) 
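Review bot: The rewritten capability line `allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace };` adds three broad capabilities without a comment, and the new `exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)` lets the domain execute files of a type it also fully manages via `manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)`, so anything ctdbd can write under its var_lib tree it can also run. If only specific programs under /var/lib/ctdb need to execute, give them their own exec type in ctdbd.fc; otherwise a comment naming what is executed would let the write+exec overlap be revisited. For `sys_ptrace`, the following hunk keeps `domain_dontaudit_read_all_domains_state(ctdbd_t)`, which hints that the underlying denial may be reading other domains' /proc state rather than real ptrace — worth confirming before granting the capability. Style: `files_tmp_filetrans(ctdbd_t, ctdbd_tmp_t, { file sock_file})` is missing the space before `}`; the refpolicy form is `{ file sock_file }`.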
@@ -26639,27 +26718,43 @@ index 0000000..82ba45e +corecmd_exec_bin(ctdbd_t) +corecmd_exec_shell(ctdbd_t) + ++dev_read_sysfs(ctdbd_t) ++ +domain_use_interactive_fds(ctdbd_t) +domain_dontaudit_read_all_domains_state(ctdbd_t) + +files_read_etc_files(ctdbd_t) -+ -+iptables_domtrans(ctdbd_t) ++files_search_all_mountpoints(ctdbd_t) + +logging_send_syslog_msg(ctdbd_t) + +miscfiles_read_localization(ctdbd_t) + -+sysnet_domtrans_ifconfig(ctdbd_t) + +# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t) +# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t) + +optional_policy(` -+ samba_initrc_domtrans(ctdbd_t) ++ consoletype_exec(ctdbd_t) +') + ++optional_policy(` ++ hostname_exec(ctdbd_t) ++') + ++optional_policy(` ++ iptables_domtrans(ctdbd_t) ++') ++ ++optional_policy(` ++ samba_initrc_domtrans(ctdbd_t) ++ samba_domtrans_net(ctdbd_t) ++ samba_read_var_files(ctdbd_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(ctdbd_t) ++') diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc index 1b492ed..c79454d 100644 --- a/policy/modules/services/cups.fc @@ -37212,7 +37307,7 @@ index e9c0982..14af30a 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..a02ffc9 100644 +index 0a0d63c..91de41a 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) @@ -37242,7 +37337,7 @@ index 0a0d63c..a02ffc9 100644 allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file manage_file_perms; -@@ -78,12 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) 
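Review bot: The two comment lines `# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)` and `# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)` are carried into the new ctdbd.te unchanged, but they name `traffic_manager_t`, a domain this module never declares, so they read as copy-paste residue rather than a planned rule; either drop them or rewrite them for `ctdbd_t` with a comment saying which port interface is still missing. Moving `iptables_domtrans(ctdbd_t)` and `sysnet_domtrans_ifconfig(ctdbd_t)` into `optional_policy` blocks and grouping `samba_domtrans_net`/`samba_read_var_files` with `samba_initrc_domtrans` is the right shape. A one-line comment above the samba block on what ctdbd drives through `net` (joining/leaving the cluster, presumably) would help a later reader judge whether all three samba interfaces are still needed.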
@@ -37254,14 +37349,14 @@ index 0a0d63c..a02ffc9 100644 kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) -+kernel_request_load_module(mysqld_t) -+ + +corecmd_exec_bin(mysqld_t) +corecmd_exec_shell(mysqld_t) - ++ corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) -@@ -127,8 +133,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + corenet_tcp_sendrecv_generic_if(mysqld_t) +@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) userdom_read_user_home_content_files(mysqld_t) ifdef(`distro_redhat',` @@ -37271,7 +37366,7 @@ index 0a0d63c..a02ffc9 100644 ') tunable_policy(`mysql_connect_any',` -@@ -155,6 +160,7 @@ optional_policy(` +@@ -155,6 +159,7 @@ optional_policy(` allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; @@ -37279,7 +37374,7 @@ index 0a0d63c..a02ffc9 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,21 +181,27 @@ dev_list_sysfs(mysqld_safe_t) +@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -40900,7 +40995,7 @@ index 46bee12..9e2714e 100644 + ') +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..3f5751c 100644 +index a32c4b3..d60a654 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) 
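Review bot: The hunk at @@ -37254 removes the line `+kernel_request_load_module(mysqld_t)` from the mysql.te part of the patch (the inner header shifts from `+133,7` to `+132,7` to match), yet the commit message says "Allow mysqld to request the kernel to load modules". Unless the call was re-added in a hunk outside this chunk, the patch after this commit no longer grants mysqld_t that permission and the description and the diff disagree; please either restore the line or reword the description. If the removal is intentional, noting why mysqld no longer needs to trigger module loading would be useful, since that permission is one a reviewer would normally expect a justification for.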
@@ -41128,7 +41223,17 @@ index a32c4b3..3f5751c 100644 allow postfix_pickup_t self:tcp_socket create_socket_perms; stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -385,13 +435,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; +@@ -379,19 +429,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p + rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) + rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) + ++allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; ++read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) ++delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) ++ + postfix_list_spool(postfix_pickup_t) + + allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -41146,7 +41251,7 @@ index a32c4b3..3f5751c 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +454,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +458,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -41155,7 +41260,7 @@ index a32c4b3..3f5751c 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +475,7 @@ optional_policy(` +@@ -420,6 +479,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) 
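Review bot: The new lines `allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;`, `read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)` and `delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)` give pickup read and unlink on every `postfix_spool_t` file, not just the maildrop queue it already handles through the `postfix_spool_maildrop_t` rules directly below. If the denial being fixed comes from a single queue directory, a narrower type (or a filetrans so that directory gets its own label) would keep pickup from being able to delete other queues' files; at minimum a comment naming the path that triggered this would let the rule be revisited. The `list_dir_perms` line also appears to overlap with the existing `postfix_list_spool(postfix_pickup_t)` call two lines later, so one of the two is probably redundant.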
@@ -41163,7 +41268,7 @@ index a32c4b3..3f5751c 100644 ') optional_policy(` -@@ -436,11 +492,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +496,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -41181,7 +41286,7 @@ index a32c4b3..3f5751c 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +549,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +553,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -41192,7 +41297,7 @@ index a32c4b3..3f5751c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +569,8 @@ optional_policy(` +@@ -507,6 +573,8 @@ optional_policy(` # Postfix qmgr local policy # @@ -41201,7 +41306,7 @@ index a32c4b3..3f5751c 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +583,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; 
@@ -41209,11 +41314,12 @@ index a32c4b3..3f5751c 100644 +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ++manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +606,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -41224,7 +41330,7 @@ index a32c4b3..3f5751c 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +634,10 @@ optional_policy(` +@@ -565,6 +639,10 @@ optional_policy(` ') optional_policy(` @@ -41235,7 +41341,7 @@ index a32c4b3..3f5751c 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +661,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +666,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -41252,7 +41358,7 @@ index a32c4b3..3f5751c 100644 ') optional_policy(` -@@ -611,8 +690,8 @@ optional_policy(` +@@ -611,8 +695,8 @@ optional_policy(` # Postfix virtual local policy # @@ -41262,7 +41368,7 @@ index a32c4b3..3f5751c 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +709,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +714,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -42193,7 +42299,7 @@ index bc329d1..0589f97 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te -index d4000e0..312e537 100644 +index d4000e0..f35afa4 100644 --- a/policy/modules/services/psad.te 
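Review bot: `manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` gives qmgr create, rename and delete on maildrop directories on top of the `manage_files_pattern` already there, while the commit description only mentions letting `postfix_cleanup_t` search maildrop; if the actual denial was a `search` or `getattr` on the directory, `allow postfix_qmgr_t postfix_spool_maildrop_t:dir search_dir_perms;` (or `list_dir_perms`) would be the least-privilege fix. A comment on which qmgr operation needed directory management would justify the broader rule. The cleanup_t change named in the description is not in this chunk, so I cannot tell whether the two are related.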
+++ b/policy/modules/services/psad.te @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t) @@ -42205,6 +42311,15 @@ index d4000e0..312e537 100644 type psad_initrc_exec_t; init_script_file(psad_initrc_exec_t) +@@ -39,7 +39,7 @@ files_tmp_file(psad_tmp_t) + + allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; + dontaudit psad_t self:capability sys_tty_config; +-allow psad_t self:process signull; ++allow psad_t self:process signal_perms; + allow psad_t self:fifo_file rw_fifo_file_perms; + allow psad_t self:rawip_socket create_socket_perms; + @@ -53,9 +53,10 @@ manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t) logging_log_filetrans(psad_t, psad_var_log_t, { file dir }) @@ -43806,7 +43921,7 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..034544f 100644 +index 00fa514..9e237a7 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) @@ -43866,7 +43981,7 @@ index 00fa514..034544f 100644 # need to write to /dev/misc/dlm-control dev_rw_dlm_control(rgmanager_t) -@@ -78,18 +82,22 @@ domain_read_all_domains_state(rgmanager_t) +@@ -78,29 +82,35 @@ domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) domain_dontaudit_ptrace_all_domains(rgmanager_t) @@ -43891,7 +44006,12 @@ index 00fa514..034544f 100644 # needed by resources scripts auth_read_all_files_except_shadow(rgmanager_t) -@@ -100,7 +108,7 @@ logging_send_syslog_msg(rgmanager_t) + auth_dontaudit_getattr_shadow(rgmanager_t) + auth_use_nsswitch(rgmanager_t) + ++init_domtrans_script(rgmanager_t) ++ + logging_send_syslog_msg(rgmanager_t) miscfiles_read_localization(rgmanager_t) 
@@ -43900,7 +44020,7 @@ index 00fa514..034544f 100644 tunable_policy(`rgmanager_can_network_connect',` corenet_tcp_connect_all_ports(rgmanager_t) -@@ -118,6 +126,14 @@ optional_policy(` +@@ -118,6 +128,14 @@ optional_policy(` ') optional_policy(` @@ -43915,7 +44035,7 @@ index 00fa514..034544f 100644 fstools_domtrans(rgmanager_t) ') -@@ -140,6 +156,15 @@ optional_policy(` +@@ -140,6 +158,15 @@ optional_policy(` ') optional_policy(` @@ -43931,7 +44051,7 @@ index 00fa514..034544f 100644 mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -193,9 +218,9 @@ optional_policy(` +@@ -193,9 +220,9 @@ optional_policy(` virt_stream_connect(rgmanager_t) ') @@ -46364,7 +46484,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..941f823 100644 +index e30bb63..fdfa9bf 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -46461,7 +46581,17 @@ index e30bb63..941f823 100644 ') # Support Samba sharing of NFS mount points -@@ -445,8 +442,8 @@ optional_policy(` +@@ -410,6 +407,9 @@ tunable_policy(`samba_share_fusefs',` + fs_search_fusefs(smbd_t) + ') + ++optional_policy(` ++ ctdbd_stream_connect(smbd_t) ++') + + optional_policy(` + cups_read_rw_config(smbd_t) +@@ -445,8 +445,8 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -46471,7 +46601,7 @@ index e30bb63..941f823 100644 tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) -@@ -462,8 +459,8 @@ tunable_policy(`samba_export_all_rw',` +@@ -462,8 +462,8 @@ tunable_policy(`samba_export_all_rw',` auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) 
@@ -46481,7 +46611,7 @@ index e30bb63..941f823 100644 ######################################## # -@@ -484,8 +481,9 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -46492,7 +46622,7 @@ index e30bb63..941f823 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +558,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; @@ -46510,7 +46640,7 @@ index e30bb63..941f823 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -578,7 +576,7 @@ files_read_etc_files(smbcontrol_t) +@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) @@ -46519,7 +46649,7 @@ index e30bb63..941f823 100644 ######################################## # -@@ -644,19 +642,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -46544,7 +46674,7 @@ index e30bb63..941f823 100644 ######################################## # # SWAT Local policy -@@ -677,7 +677,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; 
@@ -46553,7 +46683,7 @@ index e30bb63..941f823 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +692,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -46568,7 +46698,7 @@ index e30bb63..941f823 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +712,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -46576,7 +46706,7 @@ index e30bb63..941f823 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +757,8 @@ logging_search_logs(swat_t) +@@ -754,6 +760,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -46585,7 +46715,7 @@ index e30bb63..941f823 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +811,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -46607,7 +46737,7 @@ index e30bb63..941f823 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +839,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) 
@@ -46615,7 +46745,7 @@ index e30bb63..941f823 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -904,7 +911,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -46624,7 +46754,7 @@ index e30bb63..941f823 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +929,18 @@ optional_policy(` +@@ -922,6 +932,18 @@ optional_policy(` # optional_policy(` @@ -46643,7 +46773,7 @@ index e30bb63..941f823 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +951,12 @@ optional_policy(` +@@ -932,9 +954,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -50804,7 +50934,7 @@ index 7c5d8d8..59ba27c 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..ae4a925 100644 +index 3eca020..6182880 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) @@ -51039,8 +51169,9 @@ index 3eca020..ae4a925 100644 +') -allow virtd_t self:fifo_file rw_fifo_file_perms; +-allow virtd_t self:unix_stream_socket create_stream_socket_perms; +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; - allow virtd_t self:unix_stream_socket create_stream_socket_perms; ++allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow virtd_t self:tcp_socket create_stream_socket_perms; allow virtd_t self:tun_socket create_socket_perms; +allow virtd_t self:rawip_socket create_socket_perms; @@ -53090,7 +53221,7 @@ index 130ced9..10b57e0 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..0ad8e41 100644 +index 143c893..d293052 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -53632,7 +53763,7 @@ index 143c893..0ad8e41 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +629,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -53640,6 +53771,7 @@ index 143c893..0ad8e41 100644 term_setattr_console(xdm_t) +term_use_console(xdm_t) ++term_use_virtio_console(xdm_t) term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) +term_relabel_all_ttys(xdm_t) @@ -53671,7 +53803,7 @@ index 143c893..0ad8e41 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -53702,7 +53834,7 @@ index 143c893..0ad8e41 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -53717,7 +53849,7 @@ index 143c893..0ad8e41 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` 
@@ -53739,7 +53871,7 @@ index 143c893..0ad8e41 100644 ') optional_policy(` -@@ -519,12 +749,62 @@ optional_policy(` +@@ -519,12 +750,62 @@ optional_policy(` ') optional_policy(` @@ -53802,7 +53934,7 @@ index 143c893..0ad8e41 100644 hostname_exec(xdm_t) ') -@@ -542,28 +822,70 @@ optional_policy(` +@@ -542,28 +823,70 @@ optional_policy(` ') optional_policy(` @@ -53882,7 +54014,7 @@ index 143c893..0ad8e41 100644 ') optional_policy(` -@@ -575,6 +897,14 @@ optional_policy(` +@@ -575,6 +898,14 @@ optional_policy(` ') optional_policy(` @@ -53897,7 +54029,7 @@ index 143c893..0ad8e41 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +930,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -53906,7 +54038,7 @@ index 143c893..0ad8e41 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +944,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -53922,7 +54054,7 @@ index 143c893..0ad8e41 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +971,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -53944,7 +54076,7 @@ index 143c893..0ad8e41 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +991,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -53952,7 +54084,7 @@ index 143c893..0ad8e41 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,7 +1018,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -53960,7 +54092,7 @@ index 143c893..0ad8e41 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t) +@@ -682,11 +1027,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -53978,7 +54110,7 @@ index 143c893..0ad8e41 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1048,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -53992,7 +54124,7 @@ index 143c893..0ad8e41 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1066,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1067,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -54001,7 +54133,7 @@ index 143c893..0ad8e41 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1074,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) 
@@ -54016,7 +54148,7 @@ index 143c893..0ad8e41 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1132,36 @@ optional_policy(` +@@ -778,16 +1133,36 @@ optional_policy(` ') optional_policy(` @@ -54054,7 +54186,7 @@ index 143c893..0ad8e41 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1170,10 @@ optional_policy(` +@@ -796,6 +1171,10 @@ optional_policy(` ') optional_policy(` @@ -54065,7 +54197,7 @@ index 143c893..0ad8e41 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1189,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1190,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -54079,7 +54211,7 @@ index 143c893..0ad8e41 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1200,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1201,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -54088,7 +54220,7 @@ index 143c893..0ad8e41 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1213,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1214,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -54098,7 +54230,7 @@ index 143c893..0ad8e41 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1223,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1224,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') 
@@ -54110,7 +54242,7 @@ index 143c893..0ad8e41 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1236,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1237,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -54127,7 +54259,7 @@ index 143c893..0ad8e41 100644 ') optional_policy(` -@@ -862,6 +1251,10 @@ optional_policy(` +@@ -862,6 +1252,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -54138,7 +54270,7 @@ index 143c893..0ad8e41 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1298,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1299,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -54147,7 +54279,7 @@ index 143c893..0ad8e41 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1352,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1353,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -54179,7 +54311,7 @@ index 143c893..0ad8e41 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1398,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1399,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') 
@@ -56197,7 +56329,7 @@ index 94fd8dd..0d7aa40 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..308297d 100644 +index 29a9565..fcf5d6c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -56372,7 +56504,7 @@ index 29a9565..308297d 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +244,129 @@ tunable_policy(`init_upstart',` +@@ -186,12 +244,131 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -56426,6 +56558,8 @@ index 29a9565..308297d 100644 + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) + files_delete_all_pid_sockets(init_t) ++ files_create_all_pid_pipes(init_t) ++ files_delete_all_pid_pipes(init_t) + files_create_all_spool_sockets(init_t) + files_delete_all_spool_sockets(init_t) + files_manage_urandom_seed(init_t) @@ -56502,7 +56636,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -199,10 +374,26 @@ optional_policy(` +@@ -199,10 +376,26 @@ optional_policy(` ') optional_policy(` @@ -56529,7 +56663,7 @@ index 29a9565..308297d 100644 unconfined_domain(init_t) ') -@@ -212,7 +403,7 @@ optional_policy(` +@@ -212,7 +405,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -56538,7 +56672,7 @@ index 29a9565..308297d 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -56554,7 +56688,7 @@ index 29a9565..308297d 100644 init_write_initctl(initrc_t) -@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -56591,7 +56725,7 @@ index 29a9565..308297d 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -56599,7 +56733,7 @@ index 29a9565..308297d 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -56610,7 +56744,7 @@ index 29a9565..308297d 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -56627,7 +56761,7 @@ index 29a9565..308297d 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -56635,7 +56769,7 @@ index 29a9565..308297d 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -56647,7 +56781,7 @@ index 29a9565..308297d 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -56661,7 +56795,7 @@ index 29a9565..308297d 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -56670,7 +56804,7 @@ index 29a9565..308297d 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -56678,7 +56812,7 @@ index 29a9565..308297d 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -56686,7 +56820,7 @@ index 29a9565..308297d 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript 
@@ -56708,7 +56842,7 @@ index 29a9565..308297d 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -56719,7 +56853,7 @@ index 29a9565..308297d 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +702,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +704,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -56728,7 +56862,7 @@ index 29a9565..308297d 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +717,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +719,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -56736,7 +56870,7 @@ index 29a9565..308297d 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +747,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +749,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -56770,7 +56904,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -531,10 +781,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +783,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -56797,7 +56931,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -549,6 +815,39 @@ ifdef(`distro_suse',` +@@ -549,6 +817,39 @@ ifdef(`distro_suse',` ') ') @@ -56837,7 +56971,7 @@ index 29a9565..308297d 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +860,8 @@ optional_policy(` +@@ -561,6 +862,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -56846,7 +56980,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -577,6 +878,7 @@ optional_policy(` +@@ -577,6 +880,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) 
@@ -56854,7 +56988,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -589,6 +891,11 @@ optional_policy(` +@@ -589,6 +893,11 @@ optional_policy(` ') optional_policy(` @@ -56866,7 +57000,7 @@ index 29a9565..308297d 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +912,13 @@ optional_policy(` +@@ -605,9 +914,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -56880,7 +57014,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -649,6 +960,11 @@ optional_policy(` +@@ -649,6 +962,11 @@ optional_policy(` ') optional_policy(` @@ -56892,7 +57026,7 @@ index 29a9565..308297d 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1005,7 @@ optional_policy(` +@@ -689,6 +1007,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -56900,7 +57034,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -706,7 +1023,13 @@ optional_policy(` +@@ -706,7 +1025,13 @@ optional_policy(` ') optional_policy(` @@ -56914,7 +57048,7 @@ index 29a9565..308297d 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1052,10 @@ optional_policy(` +@@ -729,6 +1054,10 @@ optional_policy(` ') optional_policy(` @@ -56925,7 +57059,7 @@ index 29a9565..308297d 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1065,20 @@ optional_policy(` +@@ -738,10 +1067,20 @@ optional_policy(` ') optional_policy(` @@ -56946,7 +57080,7 @@ index 29a9565..308297d 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1087,10 @@ optional_policy(` +@@ -750,6 +1089,10 @@ optional_policy(` ') optional_policy(` @@ -56957,7 +57091,7 @@ index 29a9565..308297d 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1112,6 @@ optional_policy(` +@@ -771,8 +1114,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -56966,7 +57100,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -790,10 +1129,12 @@ optional_policy(` +@@ -790,10 +1131,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -56979,7 +57113,7 @@ index 29a9565..308297d 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1146,6 @@ optional_policy(` +@@ -805,7 +1148,6 @@ optional_policy(` ') optional_policy(` @@ -56987,7 +57121,7 @@ index 29a9565..308297d 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1155,24 @@ optional_policy(` +@@ -815,11 +1157,24 @@ optional_policy(` ') optional_policy(` @@ -57013,7 +57147,7 @@ index 29a9565..308297d 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1182,25 @@ optional_policy(` +@@ -829,6 +1184,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -57039,7 +57173,7 @@ index 29a9565..308297d 100644 ') optional_policy(` -@@ -844,6 +1216,10 @@ optional_policy(` +@@ -844,6 +1218,10 @@ optional_policy(` ') optional_policy(` @@ -57050,7 +57184,7 @@ index 29a9565..308297d 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1230,45 @@ optional_policy(` +@@ -854,3 +1232,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -57420,7 +57554,7 @@ index ddbd8be..ac8e814 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..98b8d89 100644 +index 560dc48..6673319 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -37,17 +37,12 @@ ifdef(`distro_redhat',` 
@@ -57556,7 +57690,7 @@ index 560dc48..98b8d89 100644 /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -203,86 +194,85 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -203,86 +194,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -57647,6 +57781,8 @@ index 560dc48..98b8d89 100644 +/usr/lib/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libffmpegsumo\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -57699,7 +57835,7 @@ index 560dc48..98b8d89 100644 /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -303,8 +293,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -303,8 +295,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -57709,7 +57845,7 @@ index 560dc48..98b8d89 100644 ') dnl end distro_redhat # -@@ -312,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +303,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -61430,10 +61566,10 @@ index 0000000..3248032 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..16371df +index 0000000..67fcd26 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,344 @@ +@@ -0,0 +1,365 @@ +## SELinux policy for systemd components + +####################################### @@ -61778,12 +61914,33 @@ index 0000000..16371df + + allow $1 systemd_logger_t:unix_stream_socket connectto; +') ++ ++######################################## ++## ++## Allow the specified domain to connect to ++## systemd_logger with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_config_all_services',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ allow $1 systemd_unit_file_type:service all_service_perms; ++') ++ ++ 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..155a839 +index 0000000..f0a3169 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,309 @@ +@@ -0,0 +1,311 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -61903,6 +62060,8 @@ index 0000000..155a839 + +udev_read_db(systemd_logind_t) + ++userdom_read_all_users_state(systemd_logind_t) ++ +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) + cron_read_state_crond(systemd_logind_t) @@ -62542,7 +62701,7 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..9f3c1c1 100644 +index 416e668..a56f542 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,27 +12,34 @@ @@ -62587,20 +62746,21 @@ index 416e668..9f3c1c1 100644 kernel_unconfined($1) corenet_unconfined($1) -@@ -44,6 +51,12 @@ interface(`unconfined_domain_noaudit',` +@@ -43,6 +50,13 @@ interface(`unconfined_domain_noaudit',` + files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) - ++ systemd_config_all_services($1) ++ + domain_mmap_low($1) + + mcs_file_read_all($1) + + ubac_process_exempt($1) -+ + tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. - allow $1 self:process execheap; -@@ -69,6 +82,7 @@ interface(`unconfined_domain_noaudit',` +@@ -69,6 +83,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -62608,7 +62768,7 @@ index 416e668..9f3c1c1 100644 ') optional_policy(` -@@ -122,6 +136,10 @@ interface(`unconfined_domain_noaudit',` +@@ -122,6 +137,10 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` 
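Review bot: The header comment of the new `systemd_config_all_services` interface is copied from the systemd_logger interface above it ("Allow the specified domain to connect to systemd_logger with a unix socket") and does not describe what the body grants, `allow $1 systemd_unit_file_type:service all_service_perms;`. Replace the summary with `## Allow the specified domain to start, stop, reload, kill and query the status of every systemd service (all unit files).` so that callers such as unconfined_domain_noaudit can be reviewed against what they actually receive. The `all_service_perms` set it relies on is only introduced in the obj_perm_sets.spt hunk on L139, so the two belong together when this is merged. The two trailing `++` blank lines leave systemd.if ending in empty lines; a single newline after the closing `')` is enough.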
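Review bot: `systemd_config_all_services($1)` is called unconditionally inside `unconfined_domain_noaudit`, whereas the other cross-module call in the same interface, `dbus_system_bus_unconfined($1)`, sits under optional_policy(); unless the systemd module is guaranteed to be part of the base policy, a build without it fails on the unresolved interface. Wrapping the new call in an optional_policy() block the same way keeps the interface self-contained. The same unconditional call is added to `userdom_admin_user_template` in the userdomain.if hunk on L132 (`systemd_config_all_services($1_t)`), where it also deserves a one-line comment that admin users get start/stop/reload/kill on every unit file, since that is a deliberate widening rather than a leaked denial.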
@@ -62619,7 +62779,7 @@ index 416e668..9f3c1c1 100644 unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` -@@ -178,412 +196,3 @@ interface(`unconfined_alias_domain',` +@@ -178,412 +197,3 @@ interface(`unconfined_alias_domain',` interface(`unconfined_execmem_alias_program',` refpolicywarn(`$0($1) has been deprecated.') ') @@ -63293,7 +63453,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..b0955cf 100644 +index 4b2878a..181ada4 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -64603,7 +64763,16 @@ index 4b2878a..b0955cf 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1525,8 @@ template(`userdom_security_admin_template',` +@@ -1151,6 +1466,8 @@ template(`userdom_admin_user_template',` + # But presently necessary for installing the file_contexts file. + seutil_manage_bin_policy($1_t) + ++ systemd_config_all_services($1_t) ++ + userdom_manage_user_home_content_dirs($1_t) + userdom_manage_user_home_content_files($1_t) + userdom_manage_user_home_content_symlinks($1_t) +@@ -1210,6 +1527,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -64612,7 +64781,7 @@ index 4b2878a..b0955cf 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1539,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1541,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -64620,7 +64789,7 @@ index 4b2878a..b0955cf 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1234,13 +1552,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1554,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -64649,7 +64818,7 @@ index 4b2878a..b0955cf 100644 ') optional_policy(` -@@ -1251,12 +1580,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1582,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -64665,7 +64834,7 @@ index 4b2878a..b0955cf 100644 ') optional_policy(` -@@ -1279,54 +1608,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1610,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -64747,7 +64916,7 @@ index 4b2878a..b0955cf 100644 ## ## ## -@@ -1334,12 +1675,49 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,9 +1677,46 @@ interface(`userdom_setattr_user_ptys',` ## ## # @@ -64756,9 +64925,8 @@ index 4b2878a..b0955cf 100644 gen_require(` - type user_devpts_t; + attribute admindomain; - ') - -- term_create_pty($1, user_devpts_t) ++ ') ++ + allow $1 admindomain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') @@ -64794,13 +64962,10 @@ index 4b2878a..b0955cf 100644 +interface(`userdom_create_user_pty',` + gen_require(` + type user_devpts_t; -+ ') -+ -+ term_create_pty($1, user_devpts_t) - ') + ') - ######################################## -@@ -1395,6 +1773,7 @@ interface(`userdom_search_user_home_dirs',` + term_create_pty($1, user_devpts_t) +@@ -1395,6 +1775,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -64808,7 +64973,7 @@ index 4b2878a..b0955cf 100644 files_search_home($1) ') -@@ -1441,6 +1820,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1822,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -64823,7 +64988,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1456,9 +1843,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1845,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -64835,7 +65000,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1515,6 +1904,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1906,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -64878,7 +65043,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2014,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2016,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -64887,7 +65052,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1603,10 +2030,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2032,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -64902,7 +65067,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1649,6 +2078,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2080,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## 
@@ -64946,7 +65111,7 @@ index 4b2878a..b0955cf 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2134,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2136,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -64972,7 +65137,7 @@ index 4b2878a..b0955cf 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2185,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2187,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -65005,7 +65170,7 @@ index 4b2878a..b0955cf 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2221,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -65023,7 +65188,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1779,6 +2287,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -65084,7 +65249,7 @@ index 4b2878a..b0955cf 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2372,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -65094,7 +65259,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -1827,20 +2388,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -65119,7 +65284,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## -@@ -1941,6 +2496,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -65144,7 +65309,7 @@ index 4b2878a..b0955cf 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2581,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -65153,7 +65318,7 @@ index 4b2878a..b0955cf 100644 files_search_home($1) ') -@@ -2182,7 +2755,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -65162,7 +65327,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -2435,13 +3008,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3010,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -65178,7 +65343,7 @@ index 4b2878a..b0955cf 100644 ## ## ## -@@ -2462,26 +3036,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3038,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -65205,7 +65370,7 @@ index 4b2878a..b0955cf 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3126,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3128,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -65214,7 +65379,7 @@ index 4b2878a..b0955cf 100644 ## ## ## -@@ -2580,70 +3134,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3136,138 @@ interface(`userdom_use_user_ttys',` ## ## # 
@@ -65286,8 +65451,9 @@ index 4b2878a..b0955cf 100644 gen_require(` - type user_tty_device_t, user_devpts_t; + type user_devpts_t; -+ ') -+ + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') + @@ -65354,9 +65520,9 @@ index 4b2878a..b0955cf 100644 +interface(`userdom_dontaudit_use_user_terminals',` + gen_require(` + type user_tty_device_t, user_devpts_t; - ') - - dontaudit $1 user_tty_device_t:chr_file rw_term_perms; ++ ') ++ ++ dontaudit $1 user_tty_device_t:chr_file rw_term_perms; dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') @@ -65382,7 +65548,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2736,24 +3358,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3360,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -65407,7 +65573,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3376,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3378,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -65433,7 +65599,7 @@ index 4b2878a..b0955cf 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3437,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3439,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -65442,7 +65608,7 @@ index 4b2878a..b0955cf 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3453,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3455,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -65476,7 +65642,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -2972,7 +3541,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3543,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -65485,7 +65651,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -3027,7 +3596,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3598,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -65532,7 +65698,7 @@ index 4b2878a..b0955cf 100644 ') ######################################## -@@ -3064,6 +3671,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3673,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -65540,7 +65706,7 @@ index 4b2878a..b0955cf 100644 kernel_search_proc($1) ') -@@ -3142,6 +3750,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3752,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -65565,7 +65731,7 @@ index 4b2878a..b0955cf 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3820,1075 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3822,1075 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -67098,7 +67264,7 @@ index 22ca011..df6b5de 100644 # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index f7380b3..184f238 100644 +index f7380b3..fb62555 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') 
@@ -67198,7 +67364,7 @@ index f7380b3..184f238 100644 # # Sockets -@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept +@@ -317,3 +324,15 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') @@ -67212,6 +67378,7 @@ index f7380b3..184f238 100644 +define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') +define(`all_dbus_perms', `{ acquire_svc send_msg } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') ++define(`all_service_perms', `{ start stop status reload kill } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --git a/policy/users b/policy/users index c4ebc7e..30d6d7a 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index ad718c02..34f536cc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -452,6 +452,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jul 21 2011 Miroslav Grepl 3.10.0-7 +- systemd fixes + * Tue Jul 19 2011 Miroslav Grepl 3.10.0-6 - Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs From 6e9c2276f7a5356ef36e32f83322bb9b05412dbf Mon Sep 17 00:00:00 2001 From: Miroslav Date: Fri, 22 Jul 2011 12:37:49 +0200 Subject: [PATCH 3/3] - Fix oracledb_port definition - Allow mount to mounton the selinux file system - Allow users to list /var directories --- policy-F16.patch | 309 ++++++++++++++++++++++++-------------------- selinux-policy.spec | 7 +- 2 files changed, 178 insertions(+), 138 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index db25c5af..ece00d4f 100644 
--- a/policy-F16.patch +++ b/policy-F16.patch @@ -757,7 +757,7 @@ index 8fa451c..f3a67c9 100644 ') diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te -index c4d8998..d62fdd2 100644 +index c4d8998..419d14a 100644 --- a/policy/modules/admin/firstboot.te +++ b/policy/modules/admin/firstboot.te @@ -75,12 +75,7 @@ logging_send_syslog_msg(firstboot_t) @@ -793,6 +793,15 @@ index c4d8998..d62fdd2 100644 optional_policy(` samba_rw_config(firstboot_t) +@@ -113,7 +118,7 @@ optional_policy(` + optional_policy(` + unconfined_domtrans(firstboot_t) + # The big hammer +- unconfined_domain(firstboot_t) ++ unconfined_domain_noaudit(firstboot_t) + ') + + optional_policy(` @@ -125,6 +130,7 @@ optional_policy(` ') @@ -11303,7 +11312,7 @@ index 4f3b542..4581434 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..e2f9c64 100644 +index 99b71cb..b49e084 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; 
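Review bot: Switching firstboot_t from `unconfined_domain` to `unconfined_domain_noaudit` is not explained, and the `# The big hammer` comment kept above it no longer says which hammer. From the unconfined.if hunks earlier in this series, `unconfined_domain` wraps `unconfined_domain_noaudit($1)` and then adds tunable-gated rules under `allow_execheap` and friends, so this change drops those extra rules for firstboot; if, as the _noaudit name suggests, they are the auditallow records for executable memory use, the change silences a detection signal rather than fixing a denial, which is worth stating. Suggested replacement for the existing comment: `# The big hammer; _noaudit variant so firstboot's execmem/execheap use is not auditallow'd`.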
@@ -11423,8 +11432,12 @@ index 99b71cb..e2f9c64 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -158,10 +188,18 @@ network_port(ntp, udp,123,s0) - network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) +@@ -155,13 +185,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) + network_port(nmbd, udp,137,s0, udp,138,s0) + network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) + network_port(ntp, udp,123,s0) +-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) ++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) +network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0) @@ -15422,6 +15435,13 @@ index 0e5b661..3168d72 100644 attribute mcsreadall; +attribute mcsuntrustedproc; +attribute mcsnetwrite; +diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc +index 7be4ddf..4d4c577 100644 +--- a/policy/modules/kernel/selinux.fc ++++ b/policy/modules/kernel/selinux.fc +@@ -1 +1 @@ +-# This module currently does not have any file contexts. ++/selinux -l gen_context(system_u:object_r:security_t,s0) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index ca7e808..23a065c 100644 --- a/policy/modules/kernel/selinux.if @@ -19261,7 +19281,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..2fe2895 100644 +index 30861ec..ced411a 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) 
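Review bot: Renaming `network_port(oracledb, …)` to `network_port(oracle, …)` changes the generated type and interfaces (`oracledb_port_t` and the `corenet_*_oracledb_*` family become `oracle_port_t` and `corenet_*_oracle_*`), so every caller has to move with it; apache.te is updated in the hunks on L142–L143, but any other module or local policy still referencing the old names would fail to build or load, and `semanage port` customisations bound to the old type would be orphaned. If the old type name was ever shipped, a compatibility alias next to the definition, `typealias oracle_port_t alias oracledb_port_t;`, keeps existing modules and port customisations working. The subject line calls this "Fix oracledb_port definition", yet the port numbers are unchanged; describing it as a rename would make the compatibility impact visible in the history.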
@@ -19473,7 +19493,7 @@ index 30861ec..2fe2895 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +293,130 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -19595,6 +19615,7 @@ index 30861ec..2fe2895 100644 + +kernel_read_kernel_sysctls(abrt_dump_oops_t) +kernel_read_ring_buffer(abrt_dump_oops_t) ++kernel_read_system_state(abrt_dump_oops_t) + +domain_use_interactive_fds(abrt_dump_oops_t) + @@ -20782,7 +20803,7 @@ index 6480167..970916e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..8115e0e 100644 +index 3136c6a..0966da0 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -21233,8 +21254,8 @@ index 3136c6a..8115e0e 100644 + corenet_tcp_connect_firebird_port(httpd_t) + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) -+ corenet_tcp_connect_oracledb_port(httpd_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_t) ++ corenet_tcp_connect_oracle_port(httpd_t) ++ corenet_sendrecv_oracle_client_packets(httpd_t) +') + +tunable_policy(`httpd_can_network_memcache',` 
@@ -21499,8 +21520,8 @@ index 3136c6a..8115e0e 100644 + corenet_tcp_connect_firebird_port(httpd_php_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) -+ corenet_tcp_connect_oracledb_port(httpd_php_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_php_t) ++ corenet_sendrecv_oracle_client_packets(httpd_php_t) ') optional_policy(` @@ -21566,8 +21587,8 @@ index 3136c6a..8115e0e 100644 + corenet_tcp_connect_firebird_port(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) -+ corenet_tcp_connect_oracledb_port(httpd_suexec_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_oracle_port(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) +') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) @@ -21649,8 +21670,8 @@ index 3136c6a..8115e0e 100644 + corenet_tcp_connect_firebird_port(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) -+ corenet_tcp_connect_oracledb_port(httpd_sys_script_t) -+ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_oracle_port(httpd_sys_script_t) ++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) @@ -50934,7 +50955,7 @@ index 7c5d8d8..59ba27c 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..6182880 100644 +index 3eca020..b2c36e4 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) 
@@ -51443,7 +51464,7 @@ index 3eca020..6182880 100644 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -457,8 +613,166 @@ optional_policy(` +@@ -457,8 +613,176 @@ optional_policy(` ') optional_policy(` @@ -51572,8 +51593,12 @@ index 3eca020..6182880 100644 +allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms; + ++allow virt_lxc_t virt_image_type:dir mounton; ++ ++allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; ++ +domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t) -+allow virtd_t virt_lxc_t:process signal; ++allow virtd_t virt_lxc_t:process { signal signull sigkill }; + +manage_dirs_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) @@ -51592,9 +51617,15 @@ index 3eca020..6182880 100644 +files_mount_all_file_type_fs(virt_lxc_t) +files_unmount_all_file_type_fs(virt_lxc_t) + ++fs_manage_tmpfs_dirs(virt_lxc_t) ++fs_manage_tmpfs_chr_files(virt_lxc_t) ++fs_manage_tmpfs_symlinks(virt_lxc_t) +fs_manage_cgroup_dirs(virt_lxc_t) +fs_rw_cgroup_files(virt_lxc_t) + ++selinux_mount_fs(virt_lxc_t) ++selinux_unmount_fs(virt_lxc_t) ++ +term_use_generic_ptys(virt_lxc_t) +term_use_ptmx(virt_lxc_t) + @@ -56329,7 +56360,7 @@ index 94fd8dd..0d7aa40 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..fcf5d6c 100644 +index 29a9565..70532cc 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` 
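Review bot: The new `allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };` in the virt.te hunk hands the container launcher a raw `transition` permission to every type carrying the virt_domain attribute, whereas the same hunk uses `domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t)` for the virtd_t case; if the target label is chosen dynamically by libvirt rather than by a type_transition, a comment above the rule saying so would stop the missing transition from being read as an omission. The same hunk also adds `selinux_mount_fs`/`selinux_unmount_fs` and `fs_manage_tmpfs_chr_files` for virt_lxc_t, which together let this domain (un)mount selinuxfs and create or delete character device nodes on tmpfs — each deserves a why-comment naming the container setup step that needs it, in the style of the existing comments in this file. The virt_lxc_t section continues past the end of this hunk.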
@@ -56424,7 +56455,7 @@ index 29a9565..fcf5d6c 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -114,24 +151,32 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -114,25 +151,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -56455,9 +56486,11 @@ index 29a9565..fcf5d6c 100644 files_dontaudit_search_isid_type_dirs(init_t) +files_read_etc_runtime_files(init_t) files_manage_etc_runtime_files(init_t) ++files_manage_etc_symlinks(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: -@@ -151,10 +196,19 @@ mls_file_read_all_levels(init_t) + files_exec_etc_files(init_t) +@@ -151,10 +197,19 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -56478,7 +56511,7 @@ index 29a9565..fcf5d6c 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +216,16 @@ init_domtrans_script(init_t) +@@ -162,12 +217,16 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -56495,7 +56528,7 @@ index 29a9565..fcf5d6c 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +236,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +237,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -56504,7 +56537,7 @@ index 29a9565..fcf5d6c 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +244,131 @@ tunable_policy(`init_upstart',` +@@ -186,12 +245,131 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -56636,7 +56669,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -199,10 +376,26 @@ optional_policy(` +@@ -199,10 +377,26 @@ optional_policy(` ') optional_policy(` 
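Review bot: `++files_manage_etc_symlinks(init_t)` in the init.te hunk lets init_t create, rewrite and unlink any etc_t symlink, and neither the hunk nor the commit message says which init/systemd operation needs it. A comment above the rule, e.g. `# systemd rewrites symlinks in /etc: <which ones>`, would scope the grant, and if only a single link is involved a narrower interface may suffice. Note that the same file appears to call `unconfined_domain(init_t)` inside an optional_policy block (visible at L146), so the new rule only has an effect on builds where that module is absent.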
@@ -56663,7 +56696,7 @@ index 29a9565..fcf5d6c 100644 unconfined_domain(init_t) ') -@@ -212,7 +405,7 @@ optional_policy(` +@@ -212,7 +406,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -56672,7 +56705,7 @@ index 29a9565..fcf5d6c 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -56688,7 +56721,7 @@ index 29a9565..fcf5d6c 100644 init_write_initctl(initrc_t) -@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -56725,7 +56758,7 @@ index 29a9565..fcf5d6c 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -56733,7 +56766,7 @@ index 29a9565..fcf5d6c 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -56744,7 +56777,7 @@ index 29a9565..fcf5d6c 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -56761,7 +56794,7 @@ index 29a9565..fcf5d6c 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -56769,7 +56802,7 @@ index 29a9565..fcf5d6c 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -56781,7 +56814,7 @@ index 29a9565..fcf5d6c 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -56795,7 +56828,7 @@ index 29a9565..fcf5d6c 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -56804,7 +56837,7 @@ index 29a9565..fcf5d6c 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -56812,7 +56845,7 @@ index 29a9565..fcf5d6c 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -56820,7 +56853,7 @@ index 29a9565..fcf5d6c 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -56842,7 +56875,7 @@ index 29a9565..fcf5d6c 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -56853,7 +56886,7 @@ index 29a9565..fcf5d6c 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +704,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +705,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -56862,7 +56895,7 @@ index 29a9565..fcf5d6c 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +719,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +720,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -56870,7 +56903,7 @@ index 29a9565..fcf5d6c 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +749,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +750,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -56904,7 +56937,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -531,10 +783,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +784,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -56931,7 +56964,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -549,6 +817,39 @@ ifdef(`distro_suse',` +@@ -549,6 +818,39 @@ ifdef(`distro_suse',` ') ') @@ -56971,7 +57004,7 @@ index 29a9565..fcf5d6c 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +862,8 @@ optional_policy(` +@@ -561,6 +863,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -56980,7 +57013,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -577,6 +880,7 @@ optional_policy(` +@@ -577,6 +881,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -56988,7 +57021,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -589,6 +893,11 @@ optional_policy(` +@@ -589,6 +894,11 @@ optional_policy(` ') optional_policy(` @@ -57000,7 +57033,7 @@ index 29a9565..fcf5d6c 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +914,13 @@ optional_policy(` +@@ -605,9 +915,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -57014,7 +57047,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -649,6 +962,11 @@ optional_policy(` +@@ -649,6 +963,11 @@ optional_policy(` ') optional_policy(` 
@@ -57026,7 +57059,7 @@ index 29a9565..fcf5d6c 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1007,7 @@ optional_policy(` +@@ -689,6 +1008,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -57034,7 +57067,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -706,7 +1025,13 @@ optional_policy(` +@@ -706,7 +1026,13 @@ optional_policy(` ') optional_policy(` @@ -57048,7 +57081,7 @@ index 29a9565..fcf5d6c 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1054,10 @@ optional_policy(` +@@ -729,6 +1055,10 @@ optional_policy(` ') optional_policy(` @@ -57059,7 +57092,7 @@ index 29a9565..fcf5d6c 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1067,20 @@ optional_policy(` +@@ -738,10 +1068,20 @@ optional_policy(` ') optional_policy(` @@ -57080,7 +57113,7 @@ index 29a9565..fcf5d6c 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1089,10 @@ optional_policy(` +@@ -750,6 +1090,10 @@ optional_policy(` ') optional_policy(` @@ -57091,7 +57124,7 @@ index 29a9565..fcf5d6c 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1114,6 @@ optional_policy(` +@@ -771,8 +1115,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -57100,7 +57133,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -790,10 +1131,12 @@ optional_policy(` +@@ -790,10 +1132,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -57113,7 +57146,7 @@ index 29a9565..fcf5d6c 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1148,6 @@ optional_policy(` +@@ -805,7 +1149,6 @@ optional_policy(` ') optional_policy(` @@ -57121,7 +57154,7 @@ index 29a9565..fcf5d6c 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1157,24 @@ optional_policy(` +@@ -815,11 +1158,24 @@ optional_policy(` ') optional_policy(` 
@@ -57147,7 +57180,7 @@ index 29a9565..fcf5d6c 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1184,25 @@ optional_policy(` +@@ -829,6 +1185,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -57173,7 +57206,7 @@ index 29a9565..fcf5d6c 100644 ') optional_policy(` -@@ -844,6 +1218,10 @@ optional_policy(` +@@ -844,6 +1219,10 @@ optional_policy(` ') optional_policy(` @@ -57184,7 +57217,7 @@ index 29a9565..fcf5d6c 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1232,45 @@ optional_policy(` +@@ -854,3 +1233,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -59496,7 +59529,7 @@ index 8b5c196..1ac1567 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..43f0a0b 100644 +index 15832c7..ed497ff 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -59573,7 +59606,7 @@ index 15832c7..43f0a0b 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,50 +95,74 @@ kernel_request_load_module(mount_t) +@@ -57,65 +95,93 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -59655,8 +59688,9 @@ index 15832c7..43f0a0b 100644 +mls_process_write_to_clearance(mount_t) selinux_get_enforce_mode(mount_t) ++selinux_mounton_fs(mount_t) -@@ -108,14 +170,17 @@ storage_raw_read_fixed_disk(mount_t) + storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) 
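Review bot: `++selinux_mounton_fs(mount_t)` in the mount.te hunk lets mount_t mount another filesystem on top of the selinuxfs directory, which would hide the policy interface from userspace tools; the use case is not stated anywhere in the hunk, so add `# mount on the selinuxfs directory: <reason>` above it. The interface must be provided by the selinux.if change this patch carries (its file header is visible at L141 but its body is not), otherwise the mount module fails to build; worth confirming before merging.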
@@ -59675,7 +59709,7 @@ index 15832c7..43f0a0b 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +191,12 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +192,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -59688,7 +59722,7 @@ index 15832c7..43f0a0b 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +212,29 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +213,29 @@ ifdef(`distro_ubuntu',` ') ') @@ -59726,7 +59760,7 @@ index 15832c7..43f0a0b 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +248,8 @@ optional_policy(` +@@ -174,6 +249,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -59735,7 +59769,7 @@ index 15832c7..43f0a0b 100644 ') optional_policy(` -@@ -181,6 +257,28 @@ optional_policy(` +@@ -181,6 +258,28 @@ optional_policy(` ') optional_policy(` @@ -59764,7 +59798,7 @@ index 15832c7..43f0a0b 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,13 +286,52 @@ optional_policy(` +@@ -188,13 +287,52 @@ optional_policy(` ') ') @@ -59817,7 +59851,7 @@ index 15832c7..43f0a0b 100644 ') ######################################## -@@ -203,6 +340,43 @@ optional_policy(` +@@ -203,6 +341,43 @@ optional_policy(` # optional_policy(` @@ -63453,7 +63487,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..181ada4 100644 +index 4b2878a..c0e5c10 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
@@ -63467,7 +63501,7 @@ index 4b2878a..181ada4 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,103 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,104 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -63559,6 +63593,7 @@ index 4b2878a..181ada4 100644 + + files_read_etc_files($1_usertype) + files_list_mnt($1_usertype) ++ files_list_var($1_usertype) + files_read_mnt_files($1_usertype) + files_dontaudit_access_check_mnt($1_usertype) + files_read_etc_runtime_files($1_usertype) @@ -63620,7 +63655,7 @@ index 4b2878a..181ada4 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +151,20 @@ template(`userdom_base_user_template',` +@@ -116,6 +152,20 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -63641,7 +63676,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -149,6 +198,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +199,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -63650,7 +63685,7 @@ index 4b2878a..181ada4 100644 ############################## # # Domain access to home dir -@@ -166,27 +217,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +218,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -63678,7 +63713,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -218,8 +248,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +249,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; 
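Review bot: `++ files_list_var($1_usertype)` in the `userdom_base_user_template` hunk of userdomain.if applies to every domain built from the base template (the login and restricted templates visible later in this file call it), so restricted users gain the right to list var_t directories as well, and the commit message does not mention it. If a specific application prompted the denial, a comment such as `# <application> lists /var` next to the rule keeps the template reviewable; otherwise consider placing the grant in the template for unprivileged login users instead. The template body continues outside this hunk.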
@@ -63690,7 +63725,7 @@ index 4b2878a..181ada4 100644 ############################## # # Domain access to home dir -@@ -228,17 +261,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +262,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -63722,7 +63757,7 @@ index 4b2878a..181ada4 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +283,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +284,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -63752,7 +63787,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -286,17 +321,63 @@ interface(`userdom_manage_home_role',` +@@ -286,17 +322,63 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -63821,7 +63856,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -316,6 +397,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +398,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -63829,7 +63864,7 @@ index 4b2878a..181ada4 100644 files_search_tmp($1) ') -@@ -347,59 +429,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,59 +430,62 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -63924,7 +63959,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -430,6 +515,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +516,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) 
@@ -63932,7 +63967,7 @@ index 4b2878a..181ada4 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -462,8 +548,8 @@ template(`userdom_change_password_template',` +@@ -462,8 +549,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -63943,7 +63978,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -490,7 +576,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +577,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -63952,7 +63987,7 @@ index 4b2878a..181ada4 100644 ############################## # -@@ -500,73 +586,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +587,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -64076,7 +64111,7 @@ index 4b2878a..181ada4 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +668,123 @@ template(`userdom_common_user_template',` +@@ -574,67 +669,123 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -64218,7 +64253,7 @@ index 4b2878a..181ada4 100644 ') optional_policy(` -@@ -650,41 +800,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +801,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -64280,7 +64315,7 @@ index 4b2878a..181ada4 100644 ') ####################################### -@@ -712,13 +871,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +872,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) 
@@ -64312,7 +64347,7 @@ index 4b2878a..181ada4 100644 userdom_change_password_template($1) -@@ -736,72 +908,76 @@ template(`userdom_login_user_template', ` +@@ -736,72 +909,76 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -64422,7 +64457,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -833,6 +1009,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -64432,7 +64467,7 @@ index 4b2878a..181ada4 100644 ############################## # # Local policy -@@ -874,45 +1053,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -64562,7 +64597,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -947,7 +1199,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -64571,7 +64606,7 @@ index 4b2878a..181ada4 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1208,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -64589,7 +64624,7 @@ index 4b2878a..181ada4 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,32 +1233,76 @@ template(`userdom_unpriv_user_template', ` +@@ -978,32 +1234,76 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -64678,7 +64713,7 @@ index 4b2878a..181ada4 100644 ') ') -@@ -1039,7 +1338,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1339,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -64687,7 +64722,7 @@ index 4b2878a..181ada4 100644 ') ############################## -@@ -1066,6 +1365,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1366,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -64695,7 +64730,7 @@ index 4b2878a..181ada4 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1375,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -64705,7 +64740,7 @@ index 4b2878a..181ada4 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1392,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -64713,7 +64748,7 @@ index 4b2878a..181ada4 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1410,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -64727,7 +64762,7 @@ index 4b2878a..181ada4 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1426,22 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1427,22 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -64751,7 +64786,7 @@ index 4b2878a..181ada4 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1453,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1454,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -64763,7 +64798,7 @@ index 4b2878a..181ada4 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1466,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1467,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -64772,7 +64807,7 @@ index 4b2878a..181ada4 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1527,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1528,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -64781,7 +64816,7 @@ index 4b2878a..181ada4 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1541,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1542,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -64789,7 +64824,7 @@ index 4b2878a..181ada4 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1234,13 +1554,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1555,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -64818,7 +64853,7 @@ index 4b2878a..181ada4 100644 ') optional_policy(` -@@ -1251,12 +1582,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1583,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') 
@@ -64834,7 +64869,7 @@ index 4b2878a..181ada4 100644 ') optional_policy(` -@@ -1279,54 +1610,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1611,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -64916,7 +64951,7 @@ index 4b2878a..181ada4 100644 ## ## ## -@@ -1334,9 +1677,46 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,9 +1678,46 @@ interface(`userdom_setattr_user_ptys',` ## ## # @@ -64965,7 +65000,7 @@ index 4b2878a..181ada4 100644 ') term_create_pty($1, user_devpts_t) -@@ -1395,6 +1775,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1776,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -64973,7 +65008,7 @@ index 4b2878a..181ada4 100644 files_search_home($1) ') -@@ -1441,6 +1822,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1823,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -64988,7 +65023,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1456,9 +1845,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1846,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -65000,7 +65035,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1515,6 +1906,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1907,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -65043,7 +65078,7 @@ index 4b2878a..181ada4 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2016,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2017,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; 
@@ -65052,7 +65087,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1603,10 +2032,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2033,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -65067,7 +65102,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1649,6 +2080,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2081,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -65111,7 +65146,7 @@ index 4b2878a..181ada4 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2136,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2137,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -65137,7 +65172,7 @@ index 4b2878a..181ada4 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2187,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2188,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -65170,7 +65205,7 @@ index 4b2878a..181ada4 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -65188,7 +65223,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## 
@@ -65249,7 +65284,7 @@ index 4b2878a..181ada4 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -65259,7 +65294,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2391,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -65284,7 +65319,7 @@ index 4b2878a..181ada4 100644 ######################################## ## -@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -65309,7 +65344,7 @@ index 4b2878a..181ada4 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -65318,7 +65353,7 @@ index 4b2878a..181ada4 100644 files_search_home($1) ') -@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -65327,7 +65362,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -2435,13 +3010,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3011,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -65343,7 +65378,7 @@ index 4b2878a..181ada4 100644 ## ## ## -@@ -2462,26 +3038,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3039,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -65370,7 +65405,7 @@ index 4b2878a..181ada4 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3128,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3129,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -65379,7 +65414,7 @@ index 4b2878a..181ada4 100644 ## ## ## -@@ -2580,70 +3136,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3137,138 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -65548,7 +65583,7 @@ index 4b2878a..181ada4 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2736,24 +3360,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3361,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -65573,7 +65608,7 @@ index 4b2878a..181ada4 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3378,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3379,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -65599,7 +65634,7 @@ index 4b2878a..181ada4 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3439,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3440,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -65608,7 +65643,7 @@ index 4b2878a..181ada4 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3455,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3456,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -65642,7 +65677,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -2972,7 +3543,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3544,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -65651,7 +65686,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -3027,7 +3598,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3599,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -65698,7 +65733,7 @@ index 4b2878a..181ada4 100644 ') ######################################## -@@ -3064,6 +3673,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3674,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -65706,7 +65741,7 @@ index 4b2878a..181ada4 100644 kernel_search_proc($1) ') -@@ -3142,6 +3752,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3753,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -65731,7 +65766,7 @@ index 4b2878a..181ada4 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3822,1075 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3823,1075 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 34f536cc..2ea5fbe7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -452,6 +452,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 22 2011 Miroslav Grepl 3.10.0-8 +- Fix oracledb_port definition +- Allow mount to mounton the selinux file system +- Allow users to list /var directories + * Thu Jul 21 2011 Miroslav Grepl 3.10.0-7 - systemd fixes