From c9b9ed2c4db3489f4d4be0e5acabc837df9f106b Mon Sep 17 00:00:00 2001 
From: Miroslav Grepl Date: Tue, 26 Nov 2013 11:42:42 +0100 Subject: [PATCH] - Add filename transition also for servicelog.db-journal - Add files_dontaudit_access_check_root() - Add lvm_dontaudit_access_check_lock() interface - Allow mount to manage mount_var_run_t files/dirs - Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level - Make sure boot.log is created with the correct label - call logging_relabel_all_log_dirs() in systemd.te - Allow systemd_tmpfiles to relabel log directories - Allow staff_t to run frequency command - Allow staff_t to read xserver_log file - This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f. - Label hsperfdata_root as tmp_t - Add plymouthd_create_log() - Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 - Allow sssd to request the kernel loads modules - Allow gpg_agent to use ssh-add - Allow gpg_agent to use ssh-add - Dontaudit access check on /root for myslqd_safe_t - Add glusterd_brick_t files type - Allow ctdb to getattr on al filesystems - Allow abrt to stream connect to syslog - Allow dnsmasq to list dnsmasq.d directory - Watchdog opens the raw socket - Allow watchdog to read network state info - Dontaudit access check on lvm lock dir - Allow sosreport to send signull to setroubleshootd - Add setroubleshoot_signull() interface - Fix ldap_read_certs() interface - Allow sosreport all signal perms - Allow sosreport to run systemctl - Allow sosreport to dbus chat with rpm - Allow zabbix_agentd to read all domain state - Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom - Allow smoltclient to execute ldconfig - Allow sosreport to request the kernel to load a module - Clean up rtas.if - Clean up docker.if - drop /var/lib/glpi/files labeling in cron.fc - Added new policy for rasdaemon --- policy-rawhide-base.patch | 794 ++++++++------- policy-rawhide-contrib.patch | 1855 +++++++++++++++++++++++++++------- selinux-policy.spec | 61 +- 3 files changed, 1991 
insertions(+), 719 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2e8bd414..3c1c7552 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8707,7 +8707,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..369ddc2 100644 +index cf04cb5..83fca99 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8844,7 +8844,7 @@ index cf04cb5..369ddc2 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8985,6 +8985,10 @@ index cf04cb5..369ddc2 100644 +') + +optional_policy(` ++ plymouthd_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` + postgresql_filetrans_named_content(named_filetrans_domain) +') + @@ -9152,7 +9156,7 @@ index cf04cb5..369ddc2 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..7f5b8f8 100644 +index b876c48..bd5b58c 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9286,7 +9290,7 @@ index b876c48..7f5b8f8 100644 # # /selinux # -@@ -178,13 +191,14 @@ ifdef(`distro_debian',` +@@ -178,25 +191,28 @@ ifdef(`distro_debian',` # # /srv # 
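Review bot: The new `plymouthd_filetrans_named_content(named_filetrans_domain)` call in the domain.te hunk depends on an interface that must be defined in the contrib patch, which is not in this view, and the commit message lists only `plymouthd_create_log()` as the new plymouth interface. An `optional_policy` block tolerates the plymouth module being absent, not an undefined interface name: a call that m4 cannot expand is passed through as literal text and the build fails on it. Worth confirming that policy-rawhide-contrib.patch in this same commit defines `plymouthd_filetrans_named_content`.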
@@ -9303,7 +9307,10 @@ index b876c48..7f5b8f8 100644 /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +208,10 @@ ifdef(`distro_debian',` + /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /tmp/lost\+found/.* <> ++/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0) + # # /usr # @@ -9315,7 +9322,7 @@ index b876c48..7f5b8f8 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +219,9 @@ ifdef(`distro_debian',` +@@ -204,15 +220,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) @@ -9332,7 +9339,7 @@ index b876c48..7f5b8f8 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +229,6 @@ ifdef(`distro_debian',` +@@ -220,8 +230,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -9341,7 +9348,7 @@ index b876c48..7f5b8f8 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +236,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +237,7 @@ ifndef(`distro_redhat',` # # /var # @@ -9350,7 +9357,7 @@ index b876c48..7f5b8f8 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +244,24 @@ ifndef(`distro_redhat',` +@@ -237,11 +245,24 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9376,7 +9383,7 @@ index b876c48..7f5b8f8 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +276,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +277,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> 
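Review bot: The new `/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0)` entry in files.fc is inserted in the `/tmp` section, between `/tmp/lost\+found/.*` and the `# /usr` header, while the file's other `/var/tmp` entries sit under the `# /var` section shown in the following hunk. Moving it next to the existing `/var/tmp` lines keeps the file in path order, which is how a reader looks a label up. The pattern has no `(/.*)?` suffix, so it labels only the directory itself and not its contents; worth a short comment if that is intended, e.g. `# JVM perf data dir created by root; contents keep the runtime label`.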
@@ -9391,14 +9398,14 @@ index b876c48..7f5b8f8 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +293,5 @@ ifdef(`distro_debian',` +@@ -271,3 +294,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..ed3cc8d 100644 +index f962f76..eda85f9 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10072,7 +10079,34 @@ index f962f76..ed3cc8d 100644 ## List the contents of the root directory. ## ## -@@ -1892,25 +2298,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1765,6 +2171,26 @@ interface(`files_dontaudit_rw_root_dir',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on root directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_access_check_root',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ dontaudit $1 root_t:dir_file_class_set audit_access; ++') ++ ++ ++######################################## ++## + ## Create an object in the root directory, with a private + ## type using a type transition. + ## +@@ -1892,25 +2318,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -10104,7 +10138,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -1923,7 +2329,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2349,7 @@ interface(`files_relabel_rootfs',` type root_t; ') 
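Review bot: The new `files_dontaudit_access_check_root` block ends with two added blank lines (`++')`, `++`, `++`) before the `########` separator, while the neighbouring interfaces in this file are separated by a single blank line; dropping one keeps the spacing consistent. The rule itself, `dontaudit $1 root_t:dir_file_class_set audit_access;`, mirrors the `audit_access` dontaudit on `domain` in the first hunk of this patch, so the permission choice is consistent with the existing interface.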
@@ -10113,7 +10147,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -1946,6 +2352,24 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2372,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -10138,7 +10172,7 @@ index f962f76..ed3cc8d 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2605,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2625,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10163,7 +10197,7 @@ index f962f76..ed3cc8d 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3087,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3107,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -10188,7 +10222,7 @@ index f962f76..ed3cc8d 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3176,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3196,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10196,7 +10230,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -2724,7 +3185,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3205,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10205,7 +10239,7 @@ index f962f76..ed3cc8d 100644 ## ## # -@@ -2780,6 +3241,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3261,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10231,7 +10265,7 @@ index f962f76..ed3cc8d 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3278,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3298,24 @@ interface(`files_delete_etc_files',` ######################################## ## 
@@ -10256,7 +10290,7 @@ index f962f76..ed3cc8d 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3461,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,24 +3481,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -10281,7 +10315,7 @@ index f962f76..ed3cc8d 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3021,9 +3501,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3521,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -10292,7 +10326,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -3031,18 +3509,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3529,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -10314,7 +10348,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -3060,6 +3537,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3557,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -10341,7 +10375,7 @@ index f962f76..ed3cc8d 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3574,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3077,6 +3594,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10349,7 +10383,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -3098,6 +3596,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3616,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) 
@@ -10357,11 +10391,58 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -3150,6 +3649,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3150,45 +3669,64 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## +-## Do not audit attempts to search directories on new filesystems +## Setattr of directories on new filesystems + ## that have not yet been labeled. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_isid_type_dirs',` ++interface(`files_setattr_isid_type_dirs',` + gen_require(` + type file_t; + ') + +- dontaudit $1 file_t:dir search_dir_perms; ++ allow $1 file_t:dir setattr; + ') + + ######################################## + ## +-## List the contents of directories on new filesystems ++## Do not audit attempts to search directories on new filesystems + ## that have not yet been labeled. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_isid_type_dirs',` ++interface(`files_dontaudit_search_isid_type_dirs',` + gen_require(` + type file_t; + ') + +- allow $1 file_t:dir list_dir_perms; ++ dontaudit $1 file_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read and write directories on new filesystems ++## List the contents of directories on new filesystems +## that have not yet been labeled. +## +## 
@@ -10370,132 +10451,65 @@ index f962f76..ed3cc8d 100644 +## +## +# -+interface(`files_setattr_isid_type_dirs',` ++interface(`files_list_isid_type_dirs',` + gen_require(` + type file_t; + ') + -+ allow $1 file_t:dir setattr; ++ allow $1 file_t:dir list_dir_perms; +') + +######################################## +## - ## Do not audit attempts to search directories on new filesystems ++## Read and write directories on new filesystems ## that have not yet been labeled. ## -@@ -3223,11 +3741,10 @@ interface(`files_delete_isid_type_dirs',` + ## +@@ -3223,6 +3761,62 @@ interface(`files_delete_isid_type_dirs',` delete_dirs_pattern($1, file_t, file_t) ') -- - ######################################## - ## --## Create, read, write, and delete directories --## on new filesystems that have not yet been labeled. ++######################################## ++## +## Execute files on new filesystems +## that have not yet been labeled. - ## - ## - ## -@@ -3235,18 +3752,18 @@ interface(`files_delete_isid_type_dirs',` - ## - ## - # --interface(`files_manage_isid_type_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_exec_isid_files',` - gen_require(` - type file_t; - ') - -- allow $1 file_t:dir manage_dir_perms; ++ gen_require(` ++ type file_t; ++ ') ++ + can_exec($1, file_t) - ') - - ######################################## - ## --## Mount a filesystem on a directory on new filesystems --## that has not yet been labeled. ++') ++ ++######################################## ++## +## Moundon directories on new filesystems +## that have not yet been labeled. - ## - ## - ## -@@ -3254,17 +3771,17 @@ interface(`files_manage_isid_type_dirs',` - ## - ## - # --interface(`files_mounton_isid_type_dirs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_mounton_isid',` - gen_require(` - type file_t; - ') - -- allow $1 file_t:dir { search_dir_perms mounton }; ++ gen_require(` ++ type file_t; ++ ') ++ + allow $1 file_t:dir mounton; - ') - - ######################################## - ## --## Read files on new filesystems ++') ++ ++######################################## ++## +## Relabelfrom all file opbjects on new filesystems - ## that have not yet been labeled. - ## - ## -@@ -3273,12 +3790,69 @@ interface(`files_mounton_isid_type_dirs',` - ## - ## - # --interface(`files_read_isid_type_files',` -+interface(`files_relabelfrom_isid_type',` - gen_require(` - type file_t; - ') - -- allow $1 file_t:file read_file_perms; -+ dontaudit $1 file_t:dir_file_class_set relabelfrom; -+') -+ -+######################################## -+## -+## Create, read, write, and delete directories -+## on new filesystems that have not yet been labeled. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_isid_type_dirs',` -+ gen_require(` -+ type file_t; -+ ') -+ -+ allow $1 file_t:dir manage_dir_perms; -+') -+ -+######################################## -+## -+## Mount a filesystem on a directory on new filesystems -+## that has not yet been labeled. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_mounton_isid_type_dirs',` -+ gen_require(` -+ type file_t; -+ ') -+ -+ allow $1 file_t:dir { search_dir_perms mounton }; -+') -+ -+######################################## -+## -+## Read files on new filesystems +## that have not yet been labeled. +## +## 
@@ -10504,16 +10518,17 @@ index f962f76..ed3cc8d 100644 +## +## +# -+interface(`files_read_isid_type_files',` ++interface(`files_relabelfrom_isid_type',` + gen_require(` + type file_t; + ') + -+ allow $1 file_t:file read_file_perms; - ') ++ dontaudit $1 file_t:dir_file_class_set relabelfrom; ++') ######################################## -@@ -3473,6 +4047,25 @@ interface(`files_rw_isid_type_blk_files',` + ## +@@ -3473,6 +4067,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -10539,7 +10554,7 @@ index f962f76..ed3cc8d 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3814,20 +4407,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4427,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10583,7 +10598,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -4217,6 +4828,171 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,6 +4848,173 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -10750,12 +10765,14 @@ index f962f76..ed3cc8d 100644 + ') + + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") ++ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") ++') +') + ######################################## ## ## Allow the specified type to associate -@@ -4239,6 +5015,26 @@ interface(`files_associate_tmp',` +@@ -4239,6 +5037,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -10782,7 +10799,7 @@ index f962f76..ed3cc8d 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5048,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4252,17 +5070,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') 
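Review bot: `files_relabelfrom_isid_type` is named and summarised as relabelfrom access on unlabeled objects, but the body carried to the new side of this hunk is `dontaudit $1 file_t:dir_file_class_set relabelfrom;`, which only silences the denial; a caller that expects relabeling to work gets a denial that no longer shows up in the audit log, which is the hardest kind to diagnose. Either rename it (e.g. `files_dontaudit_relabelfrom_isid_type`) with a summary of "Do not audit attempts to relabel objects on new filesystems that have not yet been labeled", or make the body an `allow` if granting was intended. The same hunk also carries the summaries `Moundon directories on new filesystems` and `Relabelfrom all file opbjects`, which should read `Mounton` and `objects`. These interfaces are only reordered here, so the points predate the commit but are carried forward by it.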
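Review bot: As collapsed here, the servicelog hunk adds `++')` directly after the new `filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")` line and keeps the existing `+')` context line below it, so the patched interface would end with two `')` lines; the hunk count moving from +171 to +173 is consistent with that reading. A stray `')` is not consumed by m4 and reaches checkpolicy as literal text, which breaks the policy build, so the added lines should be only the new `filetrans_pattern(...)` call. The enclosing interface's header lies outside the hunk, so this is worth re-checking against the unflattened patch.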
@@ -10821,7 +10838,7 @@ index f962f76..ed3cc8d 100644 ## ## # -@@ -4289,6 +5105,7 @@ interface(`files_search_tmp',` +@@ -4289,6 +5127,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -10829,7 +10846,7 @@ index f962f76..ed3cc8d 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5142,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5164,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -10837,7 +10854,7 @@ index f962f76..ed3cc8d 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5152,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5174,7 @@ interface(`files_list_tmp',` ## ## ## @@ -10846,7 +10863,7 @@ index f962f76..ed3cc8d 100644 ## ## # -@@ -4346,6 +5164,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,6 +5186,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -10872,7 +10889,7 @@ index f962f76..ed3cc8d 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4361,6 +5198,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4361,6 +5220,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -10880,7 +10897,7 @@ index f962f76..ed3cc8d 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5240,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5262,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -10913,7 +10930,7 @@ index f962f76..ed3cc8d 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,7 +5320,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,7 +5342,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -10922,7 +10939,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -4464,17 +5328,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4464,17 +5350,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # 
@@ -10944,7 +10961,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -4482,59 +5346,53 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4482,33 +5368,123 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # @@ -10980,52 +10997,42 @@ index f962f76..ed3cc8d 100644 ') - allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) + allow $1 tmpfile:dir { search_dir_perms setattr }; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of all tmp files. ++') ++ ++######################################## ++## +## Allow caller to read inherited tmp files. - ## - ## - ## --## Domain not to audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_all_tmp_files',` ++## ++## ++# +interface(`files_read_inherited_tmp_files',` - gen_require(` - attribute tmpfile; - ') - -- dontaudit $1 tmpfile:file getattr; ++ gen_require(` ++ attribute tmpfile; ++ ') ++ + allow $1 tmpfile:file { append read_inherited_file_perms }; - ') - - ######################################## - ## --## Allow attempts to get the attributes --## of all tmp files. ++') ++ ++######################################## ++## +## Allow caller to append inherited tmp files. - ## - ## - ## -@@ -4542,12 +5400,108 @@ interface(`files_dontaudit_getattr_all_tmp_files',` - ## - ## - # --interface(`files_getattr_all_tmp_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_append_inherited_tmp_files',` - gen_require(` - attribute tmpfile; - ') - -- allow $1 tmpfile:file getattr; ++ gen_require(` ++ attribute tmpfile; ++ ') ++ + allow $1 tmpfile:file append_inherited_file_perms; +') + 
@@ -11084,49 +11091,10 @@ index f962f76..ed3cc8d 100644 + ') + + allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of all tmp files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:file getattr; -+') -+ -+######################################## -+## -+## Allow attempts to get the attributes -+## of all tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_all_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file getattr; + relabel_dirs_pattern($1, tmpfile, tmpfile) ') - ######################################## -@@ -4579,7 +5533,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4519,7 +5495,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -11135,7 +11103,16 @@ index f962f76..ed3cc8d 100644 ## ## # -@@ -4611,6 +5565,44 @@ interface(`files_read_all_tmp_files',` +@@ -4579,7 +5555,7 @@ interface(`files_relabel_all_tmp_files',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -4611,6 +5587,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -11180,7 +11157,7 @@ index f962f76..ed3cc8d 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4664,6 +5656,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +5678,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
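Review bot: `files_read_inherited_tmp_files` is summarised as "read inherited tmp files", but the body on the new side is `allow $1 tmpfile:file { append read_inherited_file_perms };` — `append` is a write permission on every type carrying the `tmpfile` attribute, and the hunk defines a separate `files_append_inherited_tmp_files` immediately below for exactly that. A caller asking for read-only access silently receives append as well; either drop `append` from this interface and have callers use both, or state it in the summary ("Allow caller to read and append inherited tmp files"). This line is outer context in the hunk, so it predates the commit but is carried forward by the reorder.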
@@ -11197,7 +11174,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -5241,6 +6243,24 @@ interface(`files_list_var',` +@@ -5241,6 +6265,24 @@ interface(`files_list_var',` ######################################## ## @@ -11222,7 +11199,7 @@ index f962f76..ed3cc8d 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5596,6 +6616,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +6638,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11248,7 +11225,7 @@ index f962f76..ed3cc8d 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6680,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +6702,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -11257,7 +11234,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -5649,12 +6688,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +6710,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11273,7 +11250,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -5672,6 +6712,7 @@ interface(`files_search_locks',` +@@ -5672,6 +6734,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11281,7 +11258,7 @@ index f962f76..ed3cc8d 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6739,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +6761,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11309,7 +11286,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -5706,13 +6766,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +6788,12 @@ interface(`files_dontaudit_search_locks',` ## ## # 
@@ -11326,7 +11303,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -5731,7 +6790,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +6812,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11335,7 +11312,7 @@ index f962f76..ed3cc8d 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +6823,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +6845,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11343,7 +11320,7 @@ index f962f76..ed3cc8d 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +6837,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +6859,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11352,7 +11329,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -5787,13 +6845,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +6867,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -11387,7 +11364,7 @@ index f962f76..ed3cc8d 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +6887,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +6909,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11405,7 +11382,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -5834,9 +6911,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +6933,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11416,7 +11393,7 @@ index f962f76..ed3cc8d 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +6953,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +6975,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') 
@@ -11426,7 +11403,7 @@ index f962f76..ed3cc8d 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +6975,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +6997,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11436,7 +11413,7 @@ index f962f76..ed3cc8d 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7012,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7034,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11446,7 +11423,7 @@ index f962f76..ed3cc8d 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7051,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7073,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11455,7 +11432,7 @@ index f962f76..ed3cc8d 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7071,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7093,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -11504,7 +11481,7 @@ index f962f76..ed3cc8d 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7135,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7157,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -11530,7 +11507,7 @@ index f962f76..ed3cc8d 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6039,7 +7168,7 @@ interface(`files_list_pids',` +@@ -6039,7 +7190,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -11539,7 +11516,7 @@ index f962f76..ed3cc8d 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6058,7 +7187,7 @@ interface(`files_read_generic_pids',` +@@ -6058,7 +7209,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') 
@@ -11548,7 +11525,7 @@ index f962f76..ed3cc8d 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7207,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7229,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11557,7 +11534,7 @@ index f962f76..ed3cc8d 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7269,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7291,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11565,7 +11542,7 @@ index f962f76..ed3cc8d 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,7 +7297,7 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,7 +7319,7 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11574,21 +11551,27 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -6177,12 +7305,30 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6177,20 +7327,38 @@ interface(`files_pid_filetrans_lock_dir',` ## ## # -interface(`files_rw_generic_pids',` +interface(`files_rw_inherited_generic_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- rw_files_pattern($1, var_run_t, var_run_t) + allow $1 var_run_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of +-## daemon runtime data files. +## Read and write generic process ID files. +## +## 
@@ -11598,16 +11581,23 @@ index f962f76..ed3cc8d 100644 +## +# +interface(`files_rw_generic_pids',` - gen_require(` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - rw_files_pattern($1, var_run_t, var_run_t) - ') -@@ -6249,6 +7395,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ++ list_dirs_pattern($1, var_t, var_run_t) ++ rw_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes of ++## daemon runtime data files. + ## + ## + ## +@@ -6249,6 +7417,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -11724,7 +11714,7 @@ index f962f76..ed3cc8d 100644 ## Read all process ID files. ## ## -@@ -6261,12 +7517,86 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6261,12 +7539,86 @@ interface(`files_dontaudit_ioctl_all_pids',` interface(`files_read_all_pids',` gen_require(` attribute pidfile; @@ -11813,7 +11803,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -6286,8 +7616,8 @@ interface(`files_delete_all_pids',` +@@ -6286,8 +7638,8 @@ interface(`files_delete_all_pids',` type var_t, var_run_t; ') @@ -11823,7 +11813,7 @@ index f962f76..ed3cc8d 100644 allow $1 var_run_t:dir rmdir; allow $1 var_run_t:lnk_file delete_lnk_file_perms; delete_files_pattern($1, pidfile, pidfile) -@@ -6311,36 +7641,80 @@ interface(`files_delete_all_pid_dirs',` +@@ -6311,36 +7663,80 @@ interface(`files_delete_all_pid_dirs',` type var_t, var_run_t; ') @@ -11915,7 +11905,7 @@ index f962f76..ed3cc8d 100644 ## ## ## -@@ -6348,12 +7722,33 @@ interface(`files_manage_all_pids',` +@@ -6348,12 +7744,33 @@ interface(`files_manage_all_pids',` ## ## # 
@@ -11952,7 +11942,7 @@ index f962f76..ed3cc8d 100644 ') ######################################## -@@ -6580,3 +7975,491 @@ interface(`files_unconfined',` +@@ -6580,3 +7997,492 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12313,6 +12303,7 @@ index f962f76..ed3cc8d 100644 + files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like") + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") ++ files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") +') @@ -17163,7 +17154,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..faffbc3 100644 +index 0fef1fc..cf718d2 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,71 @@ policy_module(staff, 2.4.0) @@ -17238,7 +17229,7 @@ index 0fef1fc..faffbc3 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +82,106 @@ optional_policy(` +@@ -23,11 +82,110 @@ optional_policy(` ') optional_policy(` @@ -17283,6 +17274,10 @@ index 0fef1fc..faffbc3 100644 +') + +optional_policy(` ++ freqset_run(staff_t, staff_r) ++') ++ ++optional_policy(` + irc_role(staff_r, staff_t) +') + @@ -17346,7 +17341,7 @@ index 0fef1fc..faffbc3 100644 ') optional_policy(` -@@ -35,15 +189,31 @@ optional_policy(` +@@ -35,15 +193,31 @@ optional_policy(` ') optional_policy(` @@ -17380,7 +17375,7 @@ index 0fef1fc..faffbc3 100644 ') optional_policy(` -@@ -52,10 +222,55 @@ optional_policy(` +@@ -52,11 +226,57 @@ optional_policy(` ') optional_policy(` 
@@ -17434,9 +17429,11 @@ index 0fef1fc..faffbc3 100644 + +optional_policy(` xserver_role(staff_r, staff_t) ++ xserver_read_log(staff_t) ') -@@ -65,10 +280,6 @@ ifndef(`distro_redhat',` + ifndef(`distro_redhat',` +@@ -65,10 +285,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17447,7 +17444,7 @@ index 0fef1fc..faffbc3 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +289,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +294,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -17458,7 +17455,7 @@ index 0fef1fc..faffbc3 100644 ') optional_policy(` -@@ -101,10 +308,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +313,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17469,7 +17466,7 @@ index 0fef1fc..faffbc3 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +328,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +333,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17480,7 +17477,7 @@ index 0fef1fc..faffbc3 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +340,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +345,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17491,7 +17488,7 @@ index 0fef1fc..faffbc3 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +371,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +376,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -25563,7 +25560,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..c3d52f9 100644 +index 09b791d..88c3a2d 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) 
@@ -25760,15 +25757,18 @@ index 09b791d..c3d52f9 100644 miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) -@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t) +@@ -341,6 +362,10 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) +auth_manage_passwd(updpwd_t) ++ ++mls_file_read_all_levels(updpwd_t) ++mls_file_write_all_levels(updpwd_t) term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +372,7 @@ auth_use_nsswitch(updpwd_t) +@@ -350,9 +375,7 @@ auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) @@ -25779,7 +25779,7 @@ index 09b791d..c3d52f9 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -380,13 +400,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -380,13 +403,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -25796,7 +25796,7 @@ index 09b791d..c3d52f9 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -397,19 +419,29 @@ ifdef(`distro_ubuntu',` +@@ -397,19 +422,29 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -25830,7 +25830,7 @@ index 09b791d..c3d52f9 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +449,21 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +452,21 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) @@ -25854,7 +25854,7 @@ index 09b791d..c3d52f9 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +476,7 @@ optional_policy(` +@@ -438,6 +479,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -25862,7 +25862,7 @@ index 09b791d..c3d52f9 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +495,8 @@ optional_policy(` +@@ -456,6 +498,8 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) 
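Review bot: `mls_file_write_all_levels(updpwd_t)` in the `@@ -341,6 +362,10 @@` hunk grants updpwd_t an MLS write override for files at every level, which is wider than the stated aim of writing shadow_t at a lower level, and together with the `mls_file_read_all_levels(updpwd_t)` line above it the helper becomes a read-and-write-anywhere MLS exemption rather than a write-down to one type. If mls.if offers a narrower interface (a write-down or within-range variant), it would fit this case better; if the full override really is required, a comment at these two lines saying why, `# updpwd_t rewrites shadow_t below its own level; full MLS write override needed because <reason-placeholder>`, would stop the next reader from treating it as a generic unlock. I cannot see from this hunk whether updpwd_t is otherwise range-constrained, so treat this as a question to confirm rather than a confirmed gap.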
@@ -25871,7 +25871,7 @@ index 09b791d..c3d52f9 100644 ') optional_policy(` -@@ -463,3 +504,133 @@ optional_policy(` +@@ -463,3 +507,133 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -27969,7 +27969,7 @@ index 79a45f6..edf52ea 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..885091e 100644 +index 17eda24..641bae3 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -28213,7 +28213,7 @@ index 17eda24..885091e 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',` +@@ -186,29 +284,209 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28427,10 +28427,11 @@ index 17eda24..885091e 100644 - nscd_use(init_t) + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ++ plymouthd_filetrans_named_content(init_t) ') optional_policy(` -@@ -216,7 +493,30 @@ optional_policy(` +@@ -216,7 +494,30 @@ optional_policy(` ') optional_policy(` @@ -28461,7 +28462,7 @@ index 17eda24..885091e 100644 ') ######################################## -@@ -225,9 +525,9 @@ optional_policy(` +@@ -225,9 +526,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28473,7 +28474,7 @@ index 17eda24..885091e 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +559,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -28490,7 +28491,7 @@ index 17eda24..885091e 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +584,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28533,7 +28534,7 @@ index 17eda24..885091e 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +621,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28545,7 +28546,7 @@ index 17eda24..885091e 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +632,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +633,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28556,7 +28557,7 @@ index 17eda24..885091e 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +643,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +644,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28566,7 +28567,7 @@ index 17eda24..885091e 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +652,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +653,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -28574,7 +28575,7 @@ index 17eda24..885091e 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +660,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28582,7 +28583,7 @@ index 17eda24..885091e 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +667,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +668,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28600,7 +28601,7 @@ index 17eda24..885091e 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +685,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +686,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28614,7 +28615,7 @@ index 17eda24..885091e 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +700,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +701,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28628,7 +28629,7 @@ index 17eda24..885091e 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,6 +713,7 @@ mls_process_read_up(initrc_t) +@@ -387,6 +714,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -28636,7 +28637,7 @@ index 17eda24..885091e 100644 selinux_get_enforce_mode(initrc_t) -@@ -398,6 +725,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +726,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28644,7 +28645,7 @@ index 17eda24..885091e 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +744,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +745,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28668,7 +28669,7 @@ index 17eda24..885091e 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +777,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +778,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28676,7 +28677,7 @@ index 17eda24..885091e 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +811,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +812,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28687,7 +28688,7 @@ index 17eda24..885091e 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +835,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +836,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28696,7 +28697,7 @@ index 17eda24..885091e 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +850,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +851,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -28704,7 +28705,7 @@ index 17eda24..885091e 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +871,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +872,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28712,7 +28713,7 @@ index 17eda24..885091e 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +881,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +882,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28757,7 +28758,7 @@ index 17eda24..885091e 100644 ') optional_policy(` -@@ -559,14 +926,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +927,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28789,7 +28790,7 @@ index 17eda24..885091e 100644 ') ') -@@ -577,6 +961,39 @@ ifdef(`distro_suse',` +@@ -577,6 +962,39 @@ ifdef(`distro_suse',` ') ') @@ -28829,7 +28830,7 @@ index 17eda24..885091e 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1006,8 @@ optional_policy(` +@@ -589,6 +1007,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28838,7 +28839,7 @@ index 17eda24..885091e 100644 ') optional_policy(` -@@ -610,6 +1029,7 @@ optional_policy(` +@@ -610,6 +1030,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28846,7 +28847,7 @@ index 17eda24..885091e 100644 ') optional_policy(` -@@ -626,6 +1046,17 @@ optional_policy(` +@@ -626,6 +1047,17 @@ optional_policy(` ') optional_policy(` @@ -28864,7 +28865,7 @@ index 17eda24..885091e 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1073,13 @@ optional_policy(` +@@ -642,9 +1074,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -28878,7 +28879,7 @@ index 17eda24..885091e 100644 ') optional_policy(` -@@ -657,15 +1092,11 @@ optional_policy(` +@@ -657,15 +1093,11 @@ optional_policy(` ') optional_policy(` @@ -28896,7 +28897,7 @@ index 17eda24..885091e 100644 ') optional_policy(` -@@ -686,6 +1117,15 @@ optional_policy(` +@@ -686,6 +1118,15 @@ optional_policy(` ') optional_policy(` @@ -28912,7 +28913,7 @@ index 17eda24..885091e 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1166,7 @@ optional_policy(` +@@ -726,6 +1167,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28920,7 +28921,7 @@ index 17eda24..885091e 100644 ') optional_policy(` -@@ -743,7 +1184,13 @@ optional_policy(` +@@ -743,7 +1185,13 @@ optional_policy(` ') optional_policy(` @@ -28935,7 +28936,7 @@ index 17eda24..885091e 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1213,10 @@ optional_policy(` +@@ -766,6 +1214,10 @@ optional_policy(` ') optional_policy(` @@ -28946,7 +28947,7 @@ index 17eda24..885091e 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1226,20 @@ optional_policy(` +@@ -775,10 +1227,20 @@ optional_policy(` ') optional_policy(` @@ -28967,7 +28968,7 @@ index 17eda24..885091e 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1248,10 @@ optional_policy(` +@@ -787,6 +1249,10 @@ optional_policy(` ') optional_policy(` @@ -28978,7 +28979,7 @@ index 17eda24..885091e 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1273,6 @@ optional_policy(` +@@ -808,8 +1274,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -28987,7 +28988,7 @@ index 17eda24..885091e 100644 ') optional_policy(` -@@ -818,6 +1281,10 @@ optional_policy(` +@@ -818,6 +1282,10 @@ optional_policy(` ') optional_policy(` 
@@ -28998,7 +28999,7 @@ index 17eda24..885091e 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1294,12 @@ optional_policy(` +@@ -827,10 +1295,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29011,7 +29012,7 @@ index 17eda24..885091e 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,12 +1326,33 @@ optional_policy(` +@@ -857,12 +1327,33 @@ optional_policy(` ') optional_policy(` @@ -29046,7 +29047,7 @@ index 17eda24..885091e 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -872,6 +1362,18 @@ optional_policy(` +@@ -872,6 +1363,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29065,7 +29066,7 @@ index 17eda24..885091e 100644 ') optional_policy(` -@@ -887,6 +1389,10 @@ optional_policy(` +@@ -887,6 +1390,10 @@ optional_policy(` ') optional_policy(` @@ -29076,7 +29077,7 @@ index 17eda24..885091e 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1403,218 @@ optional_policy(` +@@ -897,3 +1404,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -31010,7 +31011,7 @@ index b50c5fe..2faaaf2 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..9b82ed0 100644 +index 4e94884..bb6086e 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -31132,11 +31133,7 @@ index 4e94884..9b82ed0 100644 + gen_require(` + type devlog_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, sock_file) + init_pid_filetrans($1, devlog_t, sock_file, "syslog") 
@@ -31156,7 +31153,11 @@ index 4e94884..9b82ed0 100644 + gen_require(` + type devlog_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + allow $1 devlog_t:sock_file relabel_sock_file_perms; +') + @@ -31198,7 +31199,33 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',` +@@ -722,6 +847,25 @@ interface(`logging_setattr_all_log_dirs',` + allow $1 logfile:dir setattr; + ') + ++####################################### ++## ++## Relabel on all log dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_relabel_all_log_dirs',` ++ gen_require(` ++ attribute logfile; ++ ') ++ ++ relabel_dirs_pattern($1, logfile, logfile) ++') ++ + ######################################## + ## + ## Do not audit attempts to get the attributes +@@ -776,7 +920,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -31225,7 +31252,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1021,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -31234,7 +31261,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1047,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -31279,7 +31306,7 @@ index 4e94884..9b82ed0 100644 ## Write generic log files. ## ## -@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1105,24 @@ interface(`logging_write_generic_logs',` ######################################## ## 
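Review bot: The summary of the new `logging_relabel_all_log_dirs` interface, `## Relabel on all log dirs.`, understates what `relabel_dirs_pattern($1, logfile, logfile)` grants: relabelfrom and relabelto between every type carrying the logfile attribute, so a caller can move a directory from one log type to any other. Suggest `## Relabel directories between all log file types (relabelfrom and relabelto on any type with the logfile attribute).` The first caller is systemd_tmpfiles_t, added in the systemd.te hunk further down where `logging_relabel_all_log_dirs(systemd_tmpfiles_t)` follows `logging_setattr_all_log_dirs`; if auditd_log_t carries the logfile attribute, that caller can also relabel the audit log directory, which deserves a one-line comment at the call site if it is intended.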
@@ -31304,7 +31331,7 @@ index 4e94884..9b82ed0 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1202,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -31322,7 +31349,7 @@ index 4e94884..9b82ed0 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1227,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -31356,7 +31383,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1282,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -31374,7 +31401,7 @@ index 4e94884..9b82ed0 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1312,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -31383,7 +31410,7 @@ index 4e94884..9b82ed0 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1323,35 @@ interface(`logging_admin',` +@@ -1085,3 +1342,35 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -31938,10 +31965,10 @@ index 6b91740..b250b3e 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..51e9872 100644 +index 58bc27f..f0de612 100644 --- a/policy/modules/system/lvm.if 
+++ b/policy/modules/system/lvm.if -@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +123,113 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -32036,6 +32063,25 @@ index 58bc27f..51e9872 100644 + + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') ++ ++######################################## ++## ++## Do not audit attempts to access check cert dirs/files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`lvm_dontaudit_access_check_lock',` ++ gen_require(` ++ type lvm_lock_t; ++ ') ++ ++ dontaudit $1 lvm_lock_t:dir audit_access; ++') ++ diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 79048c4..55d6ce4 100644 --- a/policy/modules/system/lvm.te @@ -33371,7 +33417,7 @@ index 4584457..fb1c881 100644 +') + diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 459a0ef..9a50d63 100644 +index 459a0ef..00b82b3 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -5,13 +5,6 @@ policy_module(mount, 1.16.1) 
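Review bot: The description of the new `lvm_dontaudit_access_check_lock` interface, `## Do not audit attempts to access check cert dirs/files.`, appears copied from another interface: the body is `dontaudit $1 lvm_lock_t:dir audit_access;`, which concerns the lvm lock directory, not certificates, and covers dirs only. Suggest `## Do not audit access(2) checks on the lvm lock directory.` so the interface index does not mislead callers looking for a certificate dontaudit. The `## Domain to not audit.` parameter text is correct as written.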
@@ -33441,12 +33487,17 @@ index 459a0ef..9a50d63 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -56,9 +76,18 @@ create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t) - create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) - rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) +@@ -52,13 +72,20 @@ can_exec(mount_t, mount_exec_t) + + files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) + +-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t) +-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) +-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) ++manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) ++manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount") +dev_filetrans(mount_t, mount_var_run_t, dir) -+ kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) @@ -33460,7 +33511,7 @@ index 459a0ef..9a50d63 100644 kernel_setsched(mount_t) kernel_dontaudit_getattr_core_if(mount_t) kernel_dontaudit_write_debugfs_dirs(mount_t) -@@ -69,31 +98,47 @@ kernel_request_load_module(mount_t) +@@ -69,31 +96,47 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -33511,7 +33562,7 @@ index 459a0ef..9a50d63 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) -@@ -101,28 +146,39 @@ files_list_all_mountpoints(mount_t) +@@ -101,28 +144,39 @@ files_list_all_mountpoints(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -33557,7 +33608,7 @@ index 459a0ef..9a50d63 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -130,16 +186,21 @@ auth_use_nsswitch(mount_t) +@@ -130,16 +184,21 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) 
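Review bot: The two rewritten lines `manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)` and `manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)` drop the space after each comma that every neighbouring call keeps (`files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })`, `files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")`); please write them as `manage_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)` and `manage_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)`. The widening from create/rw to full manage (which also covers unlink, rename and link) matches the commit message, so this is a formatting point only.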
@@ -33581,7 +33632,7 @@ index 459a0ef..9a50d63 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -155,26 +216,27 @@ ifdef(`distro_ubuntu',` +@@ -155,26 +214,27 @@ ifdef(`distro_ubuntu',` ') ') @@ -33621,7 +33672,7 @@ index 459a0ef..9a50d63 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -188,6 +250,9 @@ optional_policy(` +@@ -188,6 +248,9 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -33631,7 +33682,7 @@ index 459a0ef..9a50d63 100644 ') optional_policy(` -@@ -195,6 +260,40 @@ optional_policy(` +@@ -195,6 +258,40 @@ optional_policy(` ') optional_policy(` @@ -33672,7 +33723,7 @@ index 459a0ef..9a50d63 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -203,28 +302,136 @@ optional_policy(` +@@ -203,28 +300,136 @@ optional_policy(` ') optional_policy(` @@ -37642,10 +37693,10 @@ index 0000000..35b4178 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f758960 +index 0000000..a88f6e2 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,650 @@ +@@ -0,0 +1,651 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -37977,6 +38028,7 @@ index 0000000..f758960 +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) +logging_setattr_all_log_dirs(systemd_tmpfiles_t) ++logging_relabel_all_log_dirs(systemd_tmpfiles_t) + +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index bd5b77e7..5e7217ba 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -509,7 +509,7 @@ index 058d908..9d57403 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..15c0d4e 100644 +index eb50f07..9ef43d3 100644 --- a/abrt.te +++ b/abrt.te 
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -701,7 +701,7 @@ index eb50f07..15c0d4e 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -176,29 +187,37 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +187,38 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -728,6 +728,7 @@ index eb50f07..15c0d4e 100644 +logging_read_generic_logs(abrt_t) +logging_send_syslog_msg(abrt_t) ++logging_stream_connect_syslog(abrt_t) + auth_use_nsswitch(abrt_t) @@ -742,7 +743,7 @@ index eb50f07..15c0d4e 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +225,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +226,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -759,7 +760,7 @@ index eb50f07..15c0d4e 100644 ') optional_policy(` -@@ -222,6 +237,20 @@ optional_policy(` +@@ -222,6 +238,20 @@ optional_policy(` ') optional_policy(` @@ -780,7 +781,7 @@ index eb50f07..15c0d4e 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -233,6 +262,7 @@ optional_policy(` +@@ -233,6 +263,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -788,7 +789,7 @@ index eb50f07..15c0d4e 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -243,6 +273,7 @@ optional_policy(` +@@ -243,6 +274,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -796,7 +797,7 @@ index eb50f07..15c0d4e 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +284,17 @@ optional_policy(` +@@ -253,9 +285,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -815,7 +816,7 @@ index eb50f07..15c0d4e 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +305,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +306,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
@@ -830,7 +831,7 @@ index eb50f07..15c0d4e 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +324,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +325,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -838,7 +839,7 @@ index eb50f07..15c0d4e 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +333,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +334,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -859,7 +860,7 @@ index eb50f07..15c0d4e 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +354,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +355,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -886,7 +887,7 @@ index eb50f07..15c0d4e 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +390,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +391,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -900,7 +901,7 @@ index eb50f07..15c0d4e 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +408,11 @@ optional_policy(` +@@ -343,10 +409,11 @@ optional_policy(` ####################################### # 
@@ -914,7 +915,7 @@ index eb50f07..15c0d4e 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +431,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +432,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -966,7 +967,7 @@ index eb50f07..15c0d4e 100644 ####################################### # -@@ -404,7 +480,7 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,7 +481,7 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -975,7 +976,7 @@ index eb50f07..15c0d4e 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,16 +489,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -413,16 +490,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1019,7 +1020,7 @@ index eb50f07..15c0d4e 100644 ') ####################################### -@@ -430,10 +532,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +533,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -2956,10 +2957,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..ddfe9a9 100644 +index 7caefc3..95f0e5c 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,189 @@ +@@ -1,162 +1,193 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -2986,6 +2987,7 @@ index 7caefc3..ddfe9a9 100644 +/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -3112,6 +3114,7 @@ index 7caefc3..ddfe9a9 100644 +/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + ++/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -3158,6 +3161,7 @@ index 7caefc3..ddfe9a9 100644 +/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) 
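Review bot: The added `/etc/glpi(/.*)?` entry labels a configuration tree under /etc as `httpd_sys_rw_content_t`, which lets the web server domain rewrite its own configuration, whereas `/usr/share/glpi` later in the same file gets the read-only `httpd_sys_content_t`. That matches the neighbouring drupal and owncloud lines, but if only a subtree of /etc/glpi is written at runtime, labelling just that subtree writable and the rest `httpd_config_t` or `httpd_sys_content_t` would limit what a compromised httpd could change. A one-line comment next to the entry stating why the whole tree must be writable would make the choice reviewable later.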
@@ -3198,6 +3202,7 @@ index 7caefc3..ddfe9a9 100644 + +/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -7123,7 +7128,7 @@ index 1a7a97e..1d29dce 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..7ac00c5 100644 +index 7fd431b..e05b2d4 100644 --- a/apm.te +++ b/apm.te @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) @@ -7154,7 +7159,15 @@ index 7fd431b..7ac00c5 100644 allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; -@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t) +@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t) + kernel_rw_all_sysctls(apmd_t) + kernel_read_system_state(apmd_t) + kernel_write_proc_files(apmd_t) ++kernel_request_load_module(apmd_t) + + dev_read_input(apmd_t) + dev_read_mouse(apmd_t) +@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t) fs_dontaudit_getattr_all_symlinks(apmd_t) fs_dontaudit_getattr_all_pipes(apmd_t) fs_dontaudit_getattr_all_sockets(apmd_t) @@ -7164,7 +7177,7 @@ index 7fd431b..7ac00c5 100644 corecmd_exec_all_executables(apmd_t) -@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) +@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) auth_use_nsswitch(apmd_t) init_domtrans_script(apmd_t) 
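Review bot: `kernel_request_load_module(apmd_t)` at the end of the `+@@ -90,6 +93,7 @@` block lets apmd trigger kernel module autoloading, a privilege that is broader than the sysctl and /proc access around it and that is not explained anywhere in the hunk. If the grant answers a specific denial, a why-comment naming the trigger would help the next reader, e.g. `# module_request needed for: <reason placeholder>`; if it was added speculatively, a `dontaudit` or a narrower rule may be preferable.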
@@ -7173,7 +7186,7 @@ index 7fd431b..7ac00c5 100644 libs_exec_ld_so(apmd_t) libs_exec_lib_files(apmd_t) -@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t) +@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) @@ -7193,7 +7206,7 @@ index 7fd431b..7ac00c5 100644 optional_policy(` automount_domtrans(apmd_t) -@@ -206,11 +209,15 @@ optional_policy(` +@@ -206,11 +210,15 @@ optional_policy(` ') optional_policy(` 
@@ -9547,6 +9560,198 @@ index 18623e3..d9f3061 100644 optional_policy(` mta_send_mail(httpd_bugzilla_script_t) ') +diff --git a/bumblebee.fc b/bumblebee.fc +new file mode 100644 +index 0000000..17eea86 +--- /dev/null ++++ b/bumblebee.fc +@@ -0,0 +1,7 @@ ++/etc/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++ ++/usr/lib/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++ ++/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0) ++ ++/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) +diff --git a/bumblebee.if b/bumblebee.if +new file mode 100644 +index 0000000..f61b9c3 +--- /dev/null ++++ b/bumblebee.if +@@ -0,0 +1,122 @@ ++ ++## policy for bumblebee ++ ++######################################## ++## ++## Execute TEMPLATE in the bumblebee domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`bumblebee_domtrans',` ++ gen_require(` ++ type bumblebee_t, bumblebee_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t) ++') ++######################################## ++## ++## Read bumblebee PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bumblebee_read_pid_files',` ++ gen_require(` ++ type bumblebee_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t) ++') ++ ++######################################## ++## ++## Execute bumblebee server in the bumblebee domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`bumblebee_systemctl',` ++ gen_require(` ++ type bumblebee_t; ++ type bumblebee_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 bumblebee_unit_file_t:file read_file_perms; ++ allow $1 bumblebee_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, bumblebee_t) ++') ++ ++######################################## ++## ++## Connect to bumblebee over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bumblebee_stream_connect',` ++ gen_require(` ++ type bumblebee_t, bumblebee_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an bumblebee environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`bumblebee_admin',` ++ gen_require(` ++ type bumblebee_t; ++ type bumblebee_var_run_t; ++ type bumblebee_unit_file_t; ++ ') ++ ++ allow $1 bumblebee_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, bumblebee_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, bumblebee_var_run_t) ++ ++ bumblebee_systemctl($1) ++ admin_pattern($1, bumblebee_unit_file_t) ++ allow $1 bumblebee_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/bumblebee.te b/bumblebee.te +new file mode 100644 +index 0000000..f39fc96 +--- /dev/null ++++ b/bumblebee.te +@@ -0,0 +1,45 @@ ++policy_module(bumblebee, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type bumblebee_t; ++type bumblebee_exec_t; ++init_daemon_domain(bumblebee_t, bumblebee_exec_t) ++ ++permissive bumblebee_t; ++ ++type bumblebee_var_run_t; ++files_pid_file(bumblebee_var_run_t) ++ ++type 
bumblebee_unit_file_t; ++systemd_unit_file(bumblebee_unit_file_t) ++ ++######################################## ++# ++# bumblebee local policy ++# ++allow bumblebee_t self:capability { setgid }; ++allow bumblebee_t self:process { fork signal_perms }; ++allow bumblebee_t self:fifo_file rw_fifo_file_perms; ++allow bumblebee_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file }) ++ ++kernel_read_system_state(bumblebee_t) ++ ++dev_read_sysfs(bumblebee_t) ++ ++domain_use_interactive_fds(bumblebee_t) ++ ++files_read_etc_files(bumblebee_t) ++ ++logging_send_syslog_msg(bumblebee_t) ++ ++miscfiles_read_localization(bumblebee_t) diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 --- a/cachefilesd.fc @@ -10678,10 +10883,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..406f3a0 +index 0000000..12585f0 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,242 @@ +@@ -0,0 +1,246 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -10858,6 +11063,10 @@ index 0000000..406f3a0 +') + +optional_policy(` ++ bumblebee_stream_connect(chrome_sandbox_t) ++') ++ ++optional_policy(` + cups_stream_connect(chrome_sandbox_t) +') + @@ -13248,7 +13457,7 @@ index 881d92f..eb35613 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..ae5517a 100644 +index ce9f040..32ebb0c 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) 
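Review bot: bumblebee.te in this hunk declares `permissive bumblebee_t;`, so none of the rules that follow it are enforced and denials for the daemon are only logged; that is a normal bring-up step, but the line should carry a reminder to drop it once the rule set is confirmed, e.g. `# TODO: remove once the daemon's access pattern is confirmed` directly above it. The bumblebee.if summaries are template leftovers: `bumblebee_domtrans` reads `Execute TEMPLATE in the bumblebee domin.` and `bumblebee_systemctl` reads `Execute bumblebee server in the bumblebee domain.` although its body grants systemctl and unit-file access. Suggested wording: `Execute bumblebeed in the bumblebee domain.` and `Execute bumblebee server in the bumblebee domain via systemctl.`, plus `an bumblebee environment` → `a bumblebee environment` in `bumblebee_admin`.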
@@ -13291,7 +13500,11 @@ index ce9f040..ae5517a 100644 rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t) -@@ -89,13 +100,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) + + allow condor_domain condor_master_t:process signull; + allow condor_domain condor_master_t:tcp_socket getattr; ++allow condor_domain condor_master_t:udp_socket { read write }; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) @@ -13305,7 +13518,7 @@ index ce9f040..ae5517a 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -109,9 +117,9 @@ dev_read_rand(condor_domain) +@@ -109,9 +118,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -13317,7 +13530,7 @@ index ce9f040..ae5517a 100644 sysnet_dns_name_resolve(condor_domain) -@@ -130,7 +138,7 @@ optional_policy(` +@@ -130,7 +139,7 @@ optional_policy(` # Master local policy # @@ -13326,7 +13539,7 @@ index ce9f040..ae5517a 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -138,6 +146,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -13337,7 +13550,7 @@ index ce9f040..ae5517a 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -157,6 +169,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) 
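Review bot: `allow condor_domain condor_master_t:udp_socket { read write };` in the `+@@ -86,16 +97,14 @@` block grants every domain carrying the `condor_domain` attribute read/write on the master's UDP socket, while the rest of the file keeps socket access per daemon (`condor_collector_t ... rw_socket_perms`, `condor_negotiator_t` and `condor_schedd_t` only `getattr`). If the denial came from one daemon, a per-type rule in that daemon's local-policy section would preserve that granularity; if all of them genuinely need it, a one-line comment saying so would keep the attribute-wide grant from looking accidental.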
@@ -13346,7 +13559,7 @@ index ce9f040..ae5517a 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -174,6 +188,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13355,7 +13568,7 @@ index ce9f040..ae5517a 100644 ##################################### # # Negotiator local policy -@@ -183,6 +199,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -183,6 +200,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13364,7 +13577,7 @@ index ce9f040..ae5517a 100644 ###################################### # # Procd local policy -@@ -206,6 +224,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -206,6 +225,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13373,7 +13586,7 @@ index ce9f040..ae5517a 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -214,6 +234,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -214,6 +235,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) 
@@ -13382,7 +13595,7 @@ index ce9f040..ae5517a 100644 ##################################### # # Startd local policy -@@ -238,11 +260,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -238,11 +261,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13395,7 +13608,7 @@ index ce9f040..ae5517a 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -254,3 +275,7 @@ optional_policy(` +@@ -254,3 +276,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -14427,10 +14640,10 @@ index 6cedb87..530e250 100644 + xserver_dbus_chat_xdm(cpufreqselector_t) +') diff --git a/cron.fc b/cron.fc -index ad0bae9..72c2cda 100644 +index ad0bae9..615a947 100644 --- a/cron.fc +++ b/cron.fc -@@ -1,66 +1,79 @@ +@@ -1,66 +1,77 @@ -/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) +/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) @@ -14466,7 +14679,8 @@ index ad0bae9..72c2cda 100644 -/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) -/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) ++/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) ++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) -/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -14475,12 +14689,6 @@ index ad0bae9..72c2cda 100644 -/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) -+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) -+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) - --/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) --/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) --/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) +/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -14489,17 +14697,20 @@ index ad0bae9..72c2cda 100644 +/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) --/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) --#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) --/var/spool/cron/[^/]* -- <> +-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) +-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) +-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) +/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) --/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) +-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) +-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +-/var/spool/cron/[^/]* -- <> +/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) +#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +/var/spool/cron/[^/]* -- <> -+ + +-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron/crontabs/.* -- <> #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) @@ -16821,7 +17032,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..fa6a022 100644 +index 001b502..f3809a2 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
@@ -16873,13 +17084,15 @@ index 001b502..fa6a022 100644 corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +97,14 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) -files_read_etc_files(ctdbd_t) files_search_all_mountpoints(ctdbd_t) ++fs_getattr_all_fs(ctdbd_t) ++ +auth_read_passwd(ctdbd_t) + logging_send_syslog_msg(ctdbd_t) @@ -16888,7 +17101,7 @@ index 001b502..fa6a022 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +121,7 @@ optional_policy(` +@@ -109,6 +123,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -21608,7 +21821,7 @@ index 19aa0b8..e34a540 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index 37a3b7b..83a8692 100644 +index 37a3b7b..921056a 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -21621,7 +21834,15 @@ index 37a3b7b..83a8692 100644 ######################################## # # Local policy -@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) +@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms; + allow dnsmasq_t self:rawip_socket create_socket_perms; + + read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) ++list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) + + manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) + files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) kernel_read_kernel_sysctls(dnsmasq_t) 
@@ -21637,7 +21858,7 @@ index 37a3b7b..83a8692 100644 corenet_all_recvfrom_netlabel(dnsmasq_t) corenet_tcp_sendrecv_generic_if(dnsmasq_t) corenet_udp_sendrecv_generic_if(dnsmasq_t) -@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t) +@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t) auth_use_nsswitch(dnsmasq_t) @@ -21649,7 +21870,7 @@ index 37a3b7b..83a8692 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,12 +104,21 @@ optional_policy(` +@@ -98,12 +105,21 @@ optional_policy(` ') optional_policy(` @@ -21672,7 +21893,7 @@ index 37a3b7b..83a8692 100644 ') optional_policy(` -@@ -124,6 +139,14 @@ optional_policy(` +@@ -124,6 +140,14 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -21864,16 +22085,16 @@ index 0000000..484dd44 \ No newline at end of file diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..097c75c +index 0000000..d856375 --- /dev/null +++ b/docker.if -@@ -0,0 +1,202 @@ +@@ -0,0 +1,196 @@ + -+## policy for docker ++## The open-source application container engine. + +######################################## +## -+## Execute TEMPLATE in the docker domin. ++## Execute docker in the docker domain. +## +## +## @@ -22020,19 +22241,12 @@ index 0000000..097c75c +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`docker_admin',` + gen_require(` + type docker_t; -+ type docker_var_lib_t; -+ type docker_var_run_t; -+ type docker_unit_file_t; ++ type docker_var_lib_t, docker_var_run_t; ++ type docker_unit_file_t; + ') + + allow $1 docker_t:process { ptrace signal_perms }; @@ -22047,6 +22261,7 @@ index 0000000..097c75c + docker_systemctl($1) + admin_pattern($1, docker_unit_file_t) + allow $1 docker_unit_file_t:service all_service_perms; ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) 
@@ -22480,7 +22695,7 @@ index d5badb7..b093baa 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e..2290915 100644 +index 0aabc7e..ec5bd5d 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -22806,7 +23021,7 @@ index 0aabc7e..2290915 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -277,15 +290,30 @@ optional_policy(` +@@ -277,53 +290,78 @@ optional_policy(` ') optional_policy(` @@ -22837,8 +23052,13 @@ index 0aabc7e..2290915 100644 + allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; - append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -295,35 +323,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +-append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) ++manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) ++manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) ++logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir }) + + manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) + manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -22899,7 +23119,7 @@ index 0aabc7e..2290915 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +368,6 @@ optional_policy(` +@@ -332,5 +370,6 @@ optional_policy(` ') optional_policy(` 
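Review bot: In the `@@ -22837,8 +23052,13 @@` hunk the delivery agent's access to `dovecot_var_log_t` goes from `append_files_pattern` to `manage_dirs_pattern`/`manage_files_pattern`, so `dovecot_deliver_t` can now truncate, unlink and rename its log files instead of only appending to them. If the motivation is that the log file or directory must be created with the right label, `create_files_pattern` together with the original `append_files_pattern` and the new `logging_log_filetrans` line would cover that while keeping the log append-only for the LDA. If full management is really needed, a why-comment above the block would save the next reader the question.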
@@ -24904,6 +25124,135 @@ index 92a6479..989f63a 100644 +optional_policy(` + xserver_read_state_xdm(fprintd_t) ') +diff --git a/freqset.fc b/freqset.fc +new file mode 100644 +index 0000000..3cd9c38 +--- /dev/null ++++ b/freqset.fc +@@ -0,0 +1 @@ ++/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset -- gen_context(system_u:object_r:freqset_exec_t,s0) +diff --git a/freqset.if b/freqset.if +new file mode 100644 +index 0000000..190ccc0 +--- /dev/null ++++ b/freqset.if +@@ -0,0 +1,76 @@ ++ ++## policy for freqset ++ ++######################################## ++## ++## Execute TEMPLATE in the freqset domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`freqset_domtrans',` ++ gen_require(` ++ type freqset_t, freqset_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, freqset_exec_t, freqset_t) ++') ++ ++######################################## ++## ++## Execute freqset in the freqset domain, and ++## allow the specified role the freqset domain. ++## ++## ++## ++## Domain allowed to transition ++## ++## ++## ++## ++## The role to be allowed the freqset domain. 
++## ++## ++# ++interface(`freqset_run',` ++ gen_require(` ++ type freqset_t; ++ attribute_role freqset_roles; ++ ') ++ ++ freqset_domtrans($1) ++ roleattribute $2 freqset_roles; ++') ++ ++######################################## ++## ++## Role access for freqset ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`freqset_role',` ++ gen_require(` ++ type freqset_t; ++ attribute_role freqset_roles; ++ ') ++ ++ roleattribute $1 freqset_roles; ++ ++ freqset_domtrans($2) ++ ++ ps_process_pattern($2, freqset_t) ++ allow $2 freqset_t:process { signull signal sigkill }; ++') +diff --git a/freqset.te b/freqset.te +new file mode 100644 +index 0000000..0d09fbd +--- /dev/null ++++ b/freqset.te +@@ -0,0 +1,34 @@ ++policy_module(freqset, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute_role freqset_roles; ++roleattribute system_r freqset_roles; ++ ++type freqset_t; ++type freqset_exec_t; ++application_domain(freqset_t, freqset_exec_t) ++ ++role freqset_roles types freqset_t; ++ ++######################################## ++# ++# freqset local policy ++# ++allow freqset_t self:capability { setuid }; ++ ++allow freqset_t self:fifo_file manage_fifo_file_perms; ++allow freqset_t self:unix_stream_socket create_stream_socket_perms; ++ ++dev_rw_sysfs(freqset_t) ++ ++domain_use_interactive_fds(freqset_t) ++ ++files_read_etc_files(freqset_t) ++ ++miscfiles_read_localization(freqset_t) ++ ++userdom_use_inherited_user_terminals(freqset_t) diff --git a/ftp.fc b/ftp.fc index ddb75c1..44f74e6 100644 --- a/ftp.fc @@ -25917,10 +26266,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..a3bdd8d +index 0000000..8d5bc9d --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,189 @@ +@@ -0,0 +1,199 @@ +policy_module(glusterfs, 1.1.2) + +## 
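Review bot: The new `freqset_t` domain in the `@@ -24904,6 +25124,135 @@` hunk is entered from user roles through `freqset_run`/`freqset_role` and combines `self:capability { setuid }` with `dev_rw_sysfs(freqset_t)`, i.e. write access to all of sysfs rather than just the cpufreq nodes; if no finer-grained sysfs interface fits, a comment saying so above the line would document why the broad one is used. The interface summaries in freqset.if are template leftovers: `freqset_domtrans` reads `Execute TEMPLATE in the freqset domin.`; suggested `Execute freqset in the freqset domain.`.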
@@ -25973,6 +26322,9 @@ index 0000000..a3bdd8d +type glusterd_var_lib_t; +files_type(glusterd_var_lib_t) + ++type gluster_brick_t; ++files_type(gluster_brick_t) ++ +######################################## +# +# Local policy @@ -26013,6 +26365,13 @@ index 0000000..a3bdd8d +files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) +relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) + ++manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++ +can_exec(glusterd_t, glusterd_exec_t) + +kernel_read_system_state(glusterd_t) @@ -26321,10 +26680,10 @@ index 4e95c7e..0000000 - -miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index e39de43..5818f74 100644 +index e39de43..4c8113b 100644 --- a/gnome.fc +++ b/gnome.fc -@@ -1,15 +1,58 @@ +@@ -1,15 +1,59 @@ -HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) 
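Review bot: The `@@ -25973,6 +26322,9 @@` hunk declares `type gluster_brick_t;` / `files_type(gluster_brick_t)`, but the rules added in `@@ -26013,6 +26365,13 @@` reference `glusterd_brick_t` (`manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)` and the five lines after it). Unless `glusterd_brick_t` is declared in a part of glusterd.te outside this patch, the module will fail to build on an undeclared type, and even then `gluster_brick_t` would be a declared-but-unused type. One of the two names should change so declaration and rules agree, e.g. `type glusterd_brick_t;` and `files_type(glusterd_brick_t)` in the declarations block.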
@@ -26382,21 +26741,22 @@ index e39de43..5818f74 100644 +/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0) + /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) - --/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) --/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) ++/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) ++ +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) -+ + +-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..d2cd4bf 100644 +index ab09d61..4b2e5f6 100644 --- a/gnome.if +++ b/gnome.if -@@ -1,52 +1,78 @@ +@@ -1,52 +1,77 @@ -## GNU network object model environment. +## GNU network object model environment (GNOME) 
@@ -26491,20 +26851,16 @@ index ab09d61..d2cd4bf 100644 attribute gnomedomain, gkeyringd_domain; attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; -+ type gnome_home_t; -+ type gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t; ++ type gkeyringd_exec_t, gkeyring_gnome_home_t, gkeyring_tmp_t; type gconfd_t, gconfd_exec_t, gconf_tmp_t; type gconf_home_t; + class dbus send_msg; ') ######################################## -@@ -76,12 +102,12 @@ template(`gnome_role_template',` - - allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; -- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") -- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") +@@ -79,9 +104,11 @@ template(`gnome_role_template',` + userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") + userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") - allow $3 gconfd_t:process { ptrace signal_perms }; + allow $3 gconfd_t:process { signal_perms }; 
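Review bot: The `gen_require` of `gnome_role_template` now asks for `gkeyring_gnome_home_t` and `gkeyring_tmp_t` (and `@@ -26515,24 +26871,28 @@` uses them in the allow and filetrans rules), but the gnome.te hunk `@@ -28405,7 +28766,7 @@` still declares `type gkeyringd_gnome_home_t, gnome_home_type;` with `userdom_user_home_content(gkeyringd_gnome_home_t)`. Unless gnome.te renames or aliases these types in a part of the patch outside this view, the template's require block will fail at build time; the interface side should use the names the .te declares, e.g. `type gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t;`. The same edit drops `type gnome_home_t;` from the require while the template still references `gnome_home_t` in the next hunk; confirm it is required elsewhere in the block.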
@@ -26515,24 +26871,28 @@ index ab09d61..d2cd4bf 100644 ######################################## # # Gkeyringd policy -@@ -89,37 +115,85 @@ template(`gnome_role_template',` +@@ -89,37 +116,91 @@ template(`gnome_role_template',` domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; - allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; -+ allow $3 { gnome_home_t gkeyringd_gnome_home_t gkeyringd_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; -+ allow $3 { gnome_home_t gkeyringd_gnome_home_t }:file { relabel_file_perms manage_file_perms }; ++ allow $3 { gnome_home_t gkeyring_gnome_home_t gkeyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; ++ allow $3 { gnome_home_t gkeyring_gnome_home_t }:file { relabel_file_perms manage_file_perms }; - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private") -- -- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") + userdom_home_manager($1_gkeyringd_t) + +- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") ++ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome") ++ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2") ++ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2_private") ++ gnome_home_dir_filetrans($3, gkeyring_gnome_home_t, "keyrings") - allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; -+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; ++ allow $3 gkeyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; ps_process_pattern($3, $1_gkeyringd_t) - allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; 
@@ -26566,6 +26926,7 @@ index ab09d61..d2cd4bf 100644 optional_policy(` - dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) ++ dbus_session_bus_client($1_gkeyringd_t) + gnome_manage_generic_home_dirs($1_gkeyringd_t) + gnome_read_generic_data_home_files($1_gkeyringd_t) + gnome_read_generic_data_home_dirs($1_gkeyringd_t) @@ -26614,7 +26975,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -127,18 +201,18 @@ template(`gnome_role_template',` +@@ -127,18 +208,18 @@ template(`gnome_role_template',` ## ## # @@ -26638,7 +26999,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -146,119 +220,114 @@ interface(`gnome_exec_gconf',` +@@ -146,119 +227,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -26795,7 +27156,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -266,15 +335,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -266,15 +342,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -26822,7 +27183,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -282,57 +357,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -282,57 +364,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -26930,7 +27291,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -340,15 +447,18 @@ interface(`gnome_read_generic_home_content',` +@@ -340,15 +454,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -26954,7 +27315,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -356,22 +466,18 @@ interface(`gnome_manage_config',` +@@ -356,22 +473,18 @@ interface(`gnome_manage_config',` ## ## # @@ -26982,7 +27343,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -379,53 +485,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -379,53 +492,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -27044,7 +27405,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -433,17 +523,18 @@ interface(`gnome_home_filetrans',` +@@ -433,17 +530,18 @@ interface(`gnome_home_filetrans',` ## ## # 
@@ -27067,7 +27428,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -451,23 +542,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -451,23 +549,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -27095,7 +27456,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -475,82 +561,73 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -475,82 +568,73 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -27202,7 +27563,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -559,52 +636,77 @@ interface(`gnome_home_filetrans_gconf_home',` +@@ -559,52 +643,77 @@ interface(`gnome_home_filetrans_gconf_home',` ## ## # @@ -27301,7 +27662,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -612,93 +714,86 @@ interface(`gnome_gconf_home_filetrans',` +@@ -612,93 +721,86 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -27426,7 +27787,7 @@ index ab09d61..d2cd4bf 100644 ## ## ## -@@ -706,12 +801,912 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -706,12 +808,912 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -28345,7 +28706,7 @@ index ab09d61..d2cd4bf 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 63893eb..3b275e6 100644 +index 63893eb..d6f68a8 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) @@ -28405,7 +28766,7 @@ index 63893eb..3b275e6 100644 -type gnome_keyring_home_t; -userdom_user_home_content(gnome_keyring_home_t) -+type gkeyringd_gnome_home_t; ++type gkeyringd_gnome_home_t, gnome_home_type; +userdom_user_home_content(gkeyringd_gnome_home_t) -type gnome_keyring_tmp_t; @@ -29181,7 +29542,7 @@ index 180f1b7..3c8757e 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 0e97e82..edabe2e 100644 +index 0e97e82..0a158ad 100644 --- a/gpg.te +++ b/gpg.te @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0) 
@@ -29431,7 +29792,7 @@ index 0e97e82..edabe2e 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -207,29 +234,35 @@ tunable_policy(`use_samba_home_dirs',` +@@ -207,29 +234,36 @@ tunable_policy(`use_samba_home_dirs',` ######################################## # @@ -29439,11 +29800,12 @@ index 0e97e82..edabe2e 100644 +# GPG agent local policy # +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - -+# rlimit: gpg-agent wants to prevent coredumps - allow gpg_agent_t self:process setrlimit; --allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; + ++# rlimit: gpg-agent wants to prevent coredumps ++allow gpg_agent_t self:process { setrlimit signal_perms }; + +-allow gpg_agent_t self:process setrlimit; +-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ; allow gpg_agent_t self:fifo_file rw_fifo_file_perms; @@ -29467,17 +29829,19 @@ index 0e97e82..edabe2e 100644 -kernel_dontaudit_search_sysctl(gpg_agent_t) +kernel_read_system_state(gpg_agent_t) ++kernel_read_core_if(gpg_agent_t) +corecmd_read_bin_symlinks(gpg_agent_t) -+corecmd_search_bin(gpg_agent_t) ++corecmd_exec_bin(gpg_agent_t) corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,37 +272,40 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,37 +273,41 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) -miscfiles_read_localization(gpg_agent_t) ++miscfiles_read_certs(gpg_agent_t) -userdom_use_user_terminals(gpg_agent_t) +# Write to the user domain tty. @@ -29526,7 +29890,7 @@ index 0e97e82..edabe2e 100644 ############################## # # Pinentry local policy -@@ -277,8 +313,17 @@ optional_policy(` +@@ -277,8 +315,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; 
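Review bot: `corecmd_exec_bin(gpg_agent_t)` replaces `corecmd_search_bin(gpg_agent_t)` in the gpg_agent local policy, which lets the agent execute every bin_t program in its own domain rather than only the helper the commit message names (ssh-add). If ssh-add carries no label of its own (not visible in this patch) there is nothing narrower to transition to, but the rule should record why it exists so it is not widened further later: `# ssh-add is bin_t; run in gpg_agent_t to hand keys to the agent`. The same hunk also adds `signal_perms` on self and `kernel_read_core_if(gpg_agent_t)`, neither of which the commit message accounts for; a one-line why-comment on each would help the next reviewer.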
@@ -29545,7 +29909,7 @@ index 0e97e82..edabe2e 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +332,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +334,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -35241,7 +35605,7 @@ index b7e5679..c93db33 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index 3602712..517bfbf 100644 +index 3602712..585c416 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ @@ -35349,7 +35713,7 @@ index 3602712..517bfbf 100644 ## ## ## -@@ -41,22 +119,27 @@ interface(`ldap_read_config',` +@@ -41,22 +119,28 @@ interface(`ldap_read_config',` ######################################## ## @@ -35371,6 +35735,7 @@ index 3602712..517bfbf 100644 + ') + + files_search_etc($1) ++ allow $1 slapd_cert_t:dir list_dir_perms; + read_files_pattern($1, slapd_cert_t, slapd_cert_t) ') @@ -35382,7 +35747,7 @@ index 3602712..517bfbf 100644 ## ## ## -@@ -64,18 +147,13 @@ interface(`ldap_use',` +@@ -64,18 +148,13 @@ interface(`ldap_use',` ## ## # @@ -35404,7 +35769,7 @@ index 3602712..517bfbf 100644 ## ## ## -@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',` +@@ -83,21 +162,19 @@ interface(`ldap_stream_connect',` ## ## # @@ -35432,7 +35797,7 @@ index 3602712..517bfbf 100644 ## ## ## -@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',` +@@ -106,7 +183,7 @@ interface(`ldap_tcp_connect',` ## ## ## 
@@ -35441,7 +35806,7 @@ index 3602712..517bfbf 100644 ## ## ## -@@ -117,11 +193,16 @@ interface(`ldap_admin',` +@@ -117,11 +194,16 @@ interface(`ldap_admin',` type slapd_lock_t, slapd_etc_t, slapd_var_run_t; type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; type slapd_db_t, slapd_keytab_t; @@ -35459,7 +35824,7 @@ index 3602712..517bfbf 100644 init_labeled_script_domtrans($1, slapd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 slapd_initrc_exec_t system_r; -@@ -130,13 +211,9 @@ interface(`ldap_admin',` +@@ -130,13 +212,9 @@ interface(`ldap_admin',` files_list_etc($1) admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t }) @@ -35474,7 +35839,7 @@ index 3602712..517bfbf 100644 admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -144,4 +221,8 @@ interface(`ldap_admin',` +@@ -144,4 +222,8 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) @@ -37999,7 +38364,7 @@ index f89651e..ea89ab1 100644 ## ## All of the rules required to diff --git a/mcelog.te b/mcelog.te -index 59b3b3d..064c4fd 100644 +index 59b3b3d..494c4f3 100644 --- a/mcelog.te +++ b/mcelog.te @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) @@ -38016,7 +38381,7 @@ index 59b3b3d..064c4fd 100644 type mcelog_t; type mcelog_exec_t; init_daemon_domain(mcelog_t, mcelog_exec_t) -@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) +@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) kernel_read_system_state(mcelog_t) @@ -38026,9 +38391,10 @@ index 59b3b3d..064c4fd 100644 dev_read_raw_memory(mcelog_t) dev_read_kmsg(mcelog_t) dev_rw_sysfs(mcelog_t) - --files_read_etc_files(mcelog_t) - +-files_read_etc_files(mcelog_t) ++dev_rw_cpu_microcode(mcelog_t) + mls_file_read_all_levels(mcelog_t) +auth_use_nsswitch(mcelog_t) 
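Review bot: `dev_rw_cpu_microcode(mcelog_t)` grants read and write on cpu_device_t, and if — as I recall from devices.fc, which is not in this patch — that type also labels `/dev/cpu/*/msr`, the log daemon can write arbitrary MSRs and load microcode, which is effectively kernel-level privilege. If mcelog only needs rdmsr/cpuid to decode banks, a read-only interface such as `dev_read_cpuid(mcelog_t)` is the least-privilege choice; if a write really is required, a comment naming the MSR or the microcode path (`# mcelog writes ... via /dev/cpu/*/msr`) should justify the rw grant. Please confirm the cpu_device_t labeling before narrowing.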
@@ -38040,7 +38406,7 @@ index 59b3b3d..064c4fd 100644 tunable_policy(`mcelog_client',` allow mcelog_t self:unix_stream_socket connectto; -@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',` +@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',` allow mcelog_t self:unix_stream_socket { listen accept }; ') 
@@ -38821,6 +39187,139 @@ index b330161..5450937 100644 ps_process_pattern($1, minissdpd_t) init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) +diff --git a/mip6d.fc b/mip6d.fc +new file mode 100644 +index 0000000..767bbad +--- /dev/null ++++ b/mip6d.fc +@@ -0,0 +1,3 @@ ++/usr/lib/systemd/system/mip6d.* -- gen_context(system_u:object_r:mip6d_unit_file_t,s0) ++ ++/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0) +diff --git a/mip6d.if b/mip6d.if +new file mode 100644 +index 0000000..9e2bf1b +--- /dev/null ++++ b/mip6d.if +@@ -0,0 +1,80 @@ ++ ++## Mobile IPv6 and NEMO Basic Support implementation ++ ++######################################## ++## ++## Execute TEMPLATE in the mip6d domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mip6d_domtrans',` ++ gen_require(` ++ type mip6d_t, mip6d_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mip6d_exec_t, mip6d_t) ++') ++######################################## ++## ++## Execute mip6d server in the mip6d domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mip6d_systemctl',` ++ gen_require(` ++ type mip6d_t; ++ type mip6d_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 mip6d_unit_file_t:file read_file_perms; ++ allow $1 mip6d_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, mip6d_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mip6d environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`mip6d_admin',` ++ gen_require(` ++ type mip6d_t; ++ type mip6d_unit_file_t; ++ ') ++ ++ allow $1 mip6d_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, mip6d_t) ++ ++ mip6d_systemctl($1) ++ admin_pattern($1, mip6d_unit_file_t) ++ allow $1 mip6d_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/mip6d.te b/mip6d.te +new file mode 100644 +index 0000000..86d2351 +--- /dev/null ++++ b/mip6d.te +@@ -0,0 +1,32 @@ ++policy_module(mip6d, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mip6d_t; ++type mip6d_exec_t; ++init_daemon_domain(mip6d_t, mip6d_exec_t) ++ ++type mip6d_unit_file_t; ++systemd_unit_file(mip6d_unit_file_t) ++ ++######################################## ++# ++# mip6d local policy ++# ++#allow mip6d_t self:capability { net_admin net_raw }; ++allow mip6d_t self:process { fork signal }; ++allow mip6d_t self:netlink_route_socket create_netlink_socket_perms; ++allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms; ++allow mip6d_t self:rawip_socket create_socket_perms; ++allow mip6d_t self:udp_socket create_socket_perms; ++allow mip6d_t self:fifo_file rw_fifo_file_perms; ++allow mip6d_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_rw_net_sysctls(mip6d_t) ++kernel_read_network_state(mip6d_t) ++ ++logging_send_syslog_msg(mip6d_t) ++ diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -40840,7 +41339,7 @@ index 6194b80..ada96f0 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..7655da0 100644 +index 11ac8e4..0e84537 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0) 
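Review bot: The new mip6d.te creates `rawip_socket`, `netlink_xfrm_socket` and `netlink_route_socket` objects and calls `kernel_rw_net_sysctls(mip6d_t)`, yet the capability rule is commented out (`#allow mip6d_t self:capability { net_admin net_raw };`), so raw-socket creation (CAP_NET_RAW) and writes to xfrm/routing state or net sysctls (CAP_NET_ADMIN) will presumably be denied and the daemon fail at startup. Either enable the line with only the capabilities the AVC denials confirm, or delete it — a commented-out allow in a brand-new module reads as an unfinished decision. Minor: `mip6d_domtrans` still says "Execute TEMPLATE in the mip6d domin" and `mip6d_admin` documents a role parameter it never uses; `## Execute mip6d in the mip6d domain.` and dropping the role block would fix both.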
@@ -41108,12 +41607,12 @@ index 11ac8e4..7655da0 100644 - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -41243,34 +41742,34 @@ index 11ac8e4..7655da0 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -41278,7 +41777,7 @@ index 11ac8e4..7655da0 100644 ') optional_policy(` -@@ -300,259 +324,236 @@ optional_policy(` +@@ -300,259 +324,240 @@ optional_policy(` ######################################## # 
@@ -41361,12 +41860,12 @@ index 11ac8e4..7655da0 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -41538,12 +42037,12 @@ index 11ac8e4..7655da0 100644 -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -+systemd_read_logind_sessions_files(mozilla_plugin_t) - +- -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) 
@@ -41567,28 +42066,31 @@ index 11ac8e4..7655da0 100644 -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) - fs_read_dos_files(mozilla_plugin_t) -- -- fs_search_removable(mozilla_plugin_t) -- fs_read_removable_files(mozilla_plugin_t) -- fs_read_removable_symlinks(mozilla_plugin_t) +userdom_read_user_home_content_files(mozilla_plugin_t) +userdom_read_user_home_content_symlinks(mozilla_plugin_t) +userdom_read_home_certs(mozilla_plugin_t) +userdom_read_home_audio_files(mozilla_plugin_t) +userdom_exec_user_tmp_files(mozilla_plugin_t) +- fs_search_removable(mozilla_plugin_t) +- fs_read_removable_files(mozilla_plugin_t) +- fs_read_removable_symlinks(mozilla_plugin_t) ++userdom_home_manager(mozilla_plugin_t) + - fs_read_iso9660_files(mozilla_plugin_t) --') -- ++tunable_policy(`mozilla_plugin_can_network_connect',` ++ corenet_tcp_connect_all_ports(mozilla_plugin_t) + ') + -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process execmem; -') -+userdom_home_manager(mozilla_plugin_t) - +- -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; -+tunable_policy(`mozilla_plugin_can_network_connect',` -+ corenet_tcp_connect_all_ports(mozilla_plugin_t) ++optional_policy(` ++ alsa_read_rw_config(mozilla_plugin_t) ++ alsa_read_home_files(mozilla_plugin_t) ') -tunable_policy(`use_nfs_home_dirs',` @@ -41596,8 +42098,7 @@ index 11ac8e4..7655da0 100644 - fs_manage_nfs_files(mozilla_plugin_t) - fs_manage_nfs_symlinks(mozilla_plugin_t) +optional_policy(` -+ alsa_read_rw_config(mozilla_plugin_t) -+ alsa_read_home_files(mozilla_plugin_t) ++ apache_list_modules(mozilla_plugin_t) ') -tunable_policy(`use_samba_home_dirs',` @@ -41605,7 +42106,7 @@ index 11ac8e4..7655da0 100644 - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) +optional_policy(` -+ apache_list_modules(mozilla_plugin_t) ++ bumblebee_stream_connect(mozilla_plugin_t) ') optional_policy(` 
@@ -41666,7 +42167,7 @@ index 11ac8e4..7655da0 100644 ') optional_policy(` -@@ -560,7 +561,7 @@ optional_policy(` +@@ -560,7 +565,7 @@ optional_policy(` ') optional_policy(` @@ -41675,7 +42176,7 @@ index 11ac8e4..7655da0 100644 ') optional_policy(` -@@ -568,108 +569,130 @@ optional_policy(` +@@ -568,108 +573,130 @@ optional_policy(` ') optional_policy(` @@ -43380,7 +43881,7 @@ index ed81cac..e3840c1 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..e61560a 100644 +index ff1d68c..4bf6d3b 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -43453,18 +43954,19 @@ index ff1d68c..e61560a 100644 courier_manage_spool_dirs(user_mail_domain) courier_manage_spool_files(user_mail_domain) courier_rw_spool_pipes(user_mail_domain) -@@ -150,6 +147,10 @@ optional_policy(` +@@ -150,6 +147,11 @@ optional_policy(` ') optional_policy(` + openshift_rw_inherited_content(mta_user_agent) ++ openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent) +') + +optional_policy(` procmail_exec(user_mail_domain) ') -@@ -171,52 +172,69 @@ optional_policy(` +@@ -171,52 +173,69 @@ optional_policy(` # System local policy # @@ -43552,7 +44054,7 @@ index ff1d68c..e61560a 100644 ') optional_policy(` -@@ -225,17 +243,21 @@ optional_policy(` +@@ -225,17 +244,21 @@ optional_policy(` ') optional_policy(` @@ -43576,7 +44078,7 @@ index ff1d68c..e61560a 100644 courier_stream_connect_authdaemon(system_mail_t) ') -@@ -246,6 +268,7 @@ optional_policy(` +@@ -246,6 +269,7 @@ optional_policy(` optional_policy(` fail2ban_dontaudit_rw_stream_sockets(system_mail_t) fail2ban_append_log(system_mail_t) @@ -43584,7 +44086,7 @@ index ff1d68c..e61560a 100644 fail2ban_rw_inherited_tmp_files(system_mail_t) ') -@@ -258,10 +281,15 @@ optional_policy(` +@@ -258,10 +282,15 @@ optional_policy(` ') optional_policy(` 
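Review bot: `userdom_home_manager(mozilla_plugin_t)` is granted unconditionally in the same hunk that narrows plugin home access to `userdom_read_user_home_content_files`/`_symlinks` and gates outbound TCP behind `mozilla_plugin_can_network_connect`; if, as the name suggests, that interface lets the domain manage all user home content (verify in userdomain.if), it hands a confined plugin exactly the write/delete reach over the home directory the sandbox is meant to deny. Gating it in the same style as the network tunable, e.g. `tunable_policy(`mozilla_plugin_can_manage_home',` … `)`, or limiting writes to mozilla_plugin_home_t, would keep mozilla_plugin_t meaningful. The removed explicit `userdom_manage_user_home_content_*` rules show the earlier patch was similarly broad, so this may be carried over rather than newly widened, but it deserves a why-comment either way. The mozilla_plugin_t section begins before this hunk.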
@@ -43600,7 +44102,7 @@ index ff1d68c..e61560a 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -272,6 +300,15 @@ optional_policy(` +@@ -272,6 +301,15 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -43616,7 +44118,7 @@ index ff1d68c..e61560a 100644 ') optional_policy(` -@@ -287,42 +324,36 @@ optional_policy(` +@@ -287,42 +325,36 @@ optional_policy(` ') optional_policy(` @@ -43669,7 +44171,7 @@ index ff1d68c..e61560a 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -331,40 +362,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -331,40 +363,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -43718,7 +44220,7 @@ index ff1d68c..e61560a 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -372,6 +389,13 @@ optional_policy(` +@@ -372,6 +390,13 @@ optional_policy(` ') optional_policy(` @@ -43732,7 +44234,7 @@ index ff1d68c..e61560a 100644 postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -381,24 +405,49 @@ optional_policy(` +@@ -381,24 +406,49 @@ optional_policy(` ######################################## # @@ -44917,7 +45419,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..3d9035c 100644 +index 7584bbe..2d683f1 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) 
@@ -45114,7 +45616,7 @@ index 7584bbe..3d9035c 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +186,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +186,28 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -45127,6 +45629,7 @@ index 7584bbe..3d9035c 100644 -files_read_usr_files(mysqld_safe_t) -files_search_pids(mysqld_safe_t) -files_dontaudit_getattr_all_dirs(mysqld_safe_t) ++files_dontaudit_access_check_root(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) +files_dontaudit_write_root_dirs(mysqld_safe_t) @@ -45148,7 +45651,7 @@ index 7584bbe..3d9035c 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +214,7 @@ optional_policy(` +@@ -209,7 +215,7 @@ optional_policy(` ######################################## # @@ -45157,7 +45660,7 @@ index 7584bbe..3d9035c 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +223,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +224,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -45175,7 +45678,7 @@ index 7584bbe..3d9035c 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +236,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +237,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -51714,10 +52217,10 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) 
diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..f2d6119 +index 0000000..0dc672f --- /dev/null +++ b/openshift.fc -@@ -0,0 +1,26 @@ +@@ -0,0 +1,27 @@ +/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + @@ -51734,6 +52237,7 @@ index 0000000..f2d6119 +/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) + +/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0) ++/var/log/openshift(/.*)? gen_context(system_u:object_r:openshift_log_t,s0) + +/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) + @@ -51746,10 +52250,10 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..e03de01 +index 0000000..cf03270 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,700 @@ +@@ -0,0 +1,702 @@ + +## policy for openshift + @@ -52371,9 +52875,11 @@ index 0000000..e03de01 +interface(`openshift_dontaudit_rw_inherited_fifo_files',` + gen_require(` + type openshift_initrc_t; ++ type openshift_t; + ') + + dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## @@ -52452,10 +52958,10 @@ index 0000000..e03de01 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..cd25e8e +index 0000000..0a6f091 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,555 @@ +@@ -0,0 +1,556 @@ +policy_module(openshift,1.0.0) + +gen_require(` 
@@ -52946,6 +53452,7 @@ index 0000000..cd25e8e +allow openshift_cron_t self:unix_dgram_socket create_socket_perms; +allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms; + ++append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t) +manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) +manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) +manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t) 
@@ -53011,6 +53518,295 @@ index 0000000..cd25e8e + ssh_dontaudit_read_server_keys(openshift_cron_t) +') + +diff --git a/opensm.fc b/opensm.fc +new file mode 100644 +index 0000000..51650fa +--- /dev/null ++++ b/opensm.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/opensm.* -- gen_context(system_u:object_r:opensm_unit_file_t,s0) ++ ++/usr/libexec/opensm-launch -- gen_context(system_u:object_r:opensm_exec_t,s0) ++ ++/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0) ++ ++/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0) +diff --git a/opensm.if b/opensm.if +new file mode 100644 +index 0000000..a62f050 +--- /dev/null ++++ b/opensm.if +@@ -0,0 +1,220 @@ ++ ++## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB ++ ++######################################## ++## ++## Execute TEMPLATE in the opensm domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`opensm_domtrans',` ++ gen_require(` ++ type opensm_t, opensm_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, opensm_exec_t, opensm_t) ++') ++ ++######################################## ++## ++## Search opensm cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_search_cache',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ allow $1 opensm_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read opensm cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_read_cache_files',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## opensm cache files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`opensm_manage_cache_files',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Manage opensm cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_manage_cache_dirs',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Read opensm's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opensm_read_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++ ++######################################## ++## ++## Append to opensm log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_append_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++ ++######################################## ++## ++## Manage opensm log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_manage_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, opensm_log_t, opensm_log_t) ++ manage_files_pattern($1, opensm_log_t, opensm_log_t) ++ manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++######################################## ++## ++## Execute opensm server in the opensm domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`opensm_systemctl',` ++ gen_require(` ++ type opensm_t; ++ type opensm_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 opensm_unit_file_t:file read_file_perms; ++ allow $1 opensm_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, opensm_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an opensm environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opensm_admin',` ++ gen_require(` ++ type opensm_t; ++ type opensm_cache_t; ++ type opensm_log_t; ++ type opensm_unit_file_t; ++ ') ++ ++ allow $1 opensm_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, opensm_t) ++ ++ files_search_var($1) ++ admin_pattern($1, opensm_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, opensm_log_t) ++ ++ opensm_systemctl($1) ++ admin_pattern($1, opensm_unit_file_t) ++ allow $1 opensm_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/opensm.te b/opensm.te +new file mode 100644 +index 0000000..a055461 +--- /dev/null ++++ b/opensm.te +@@ -0,0 +1,44 @@ ++policy_module(opensm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type opensm_t; ++type opensm_exec_t; ++init_daemon_domain(opensm_t, opensm_exec_t) ++ ++type opensm_cache_t; ++files_type(opensm_cache_t) ++ ++type opensm_log_t; ++logging_log_file(opensm_log_t) ++ ++type opensm_unit_file_t; ++systemd_unit_file(opensm_unit_file_t) ++ ++######################################## ++# ++# opensm local policy ++# ++allow opensm_t self:process { signal fork }; ++allow opensm_t self:fifo_file rw_fifo_file_perms; ++allow opensm_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t) ++manage_files_pattern(opensm_t, 
opensm_cache_t, opensm_cache_t) ++files_var_filetrans(opensm_t, opensm_cache_t, { dir file }) ++ ++manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t) ++logging_log_filetrans(opensm_t, opensm_log_t, file ) ++ ++kernel_read_system_state(opensm_t) ++ ++auth_read_passwd(opensm_t) ++ ++corecmd_exec_bin(opensm_t) ++ ++dev_read_sysfs(opensm_t) ++ ++logging_send_syslog_msg(opensm_t) diff --git a/openvpn.fc b/openvpn.fc index 300213f..4cdfe09 100644 --- a/openvpn.fc @@ -54665,7 +55461,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..1e7f218 100644 +index 608f454..dfb2fb4 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -55023,7 +55819,7 @@ index 608f454..1e7f218 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +356,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -55031,7 +55827,11 @@ index 608f454..1e7f218 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t) ++domain_named_filetrans(pegasus_t) + + files_list_var_lib(pegasus_t) + files_read_var_lib_files(pegasus_t) +@@ -128,18 +372,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -55047,6 +55847,10 @@ index 608f454..1e7f218 100644 optional_policy(` - dbus_system_bus_client(pegasus_t) - dbus_connect_system_bus(pegasus_t) ++ dmidecode_domtrans(pegasus_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) @@ -55063,7 +55867,7 @@ index 608f454..1e7f218 100644 ') optional_policy(` -@@ -151,16 +401,24 @@ optional_policy(` +@@ -151,16 +406,24 @@ optional_policy(` ') optional_policy(` 
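Review bot: In the new opensm.te, `files_var_filetrans(opensm_t, opensm_cache_t, { dir file })` is an unnamed transition, so anything opensm_t creates directly under a var_t directory — not only its cache — is labeled opensm_cache_t and falls under the domain's manage rules, whereas opensm.fc only labels `/var/cache/opensm(/.*)?`. A named transition matching the .fc, `files_var_filetrans(opensm_t, opensm_cache_t, dir, "opensm")`, keeps the label to the intended path. Likewise `manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t)` lets the daemon delete and truncate its own logs; if it only appends, `append_files_pattern` plus `create_files_pattern` is the least-privilege pair. The `opensm_domtrans` header still carries the placeholder "Execute TEMPLATE in the opensm domin."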
@@ -55092,7 +55896,7 @@ index 608f454..1e7f218 100644 ') optional_policy(` -@@ -168,7 +426,7 @@ optional_policy(` +@@ -168,7 +431,7 @@ optional_policy(` ') optional_policy(` @@ -56529,10 +57333,10 @@ index 0000000..17f5d18 +') + diff --git a/plymouthd.fc b/plymouthd.fc -index 735500f..ef1dd7a 100644 +index 735500f..2ba6832 100644 --- a/plymouthd.fc +++ b/plymouthd.fc -@@ -1,15 +1,15 @@ +@@ -1,15 +1,14 @@ -/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) @@ -56553,11 +57357,11 @@ index 735500f..ef1dd7a 100644 +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) -/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) - +- -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) ++/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/plymouthd.if b/plymouthd.if -index 30e751f..3985ff9 100644 +index 30e751f..78fb7c6 100644 --- a/plymouthd.if +++ b/plymouthd.if @@ -1,4 +1,4 @@ @@ -56745,7 +57549,7 @@ index 30e751f..3985ff9 100644 gen_require(` type plymouthd_var_run_t; ') -@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',` +@@ -233,36 +228,113 @@ interface(`plymouthd_read_pid_files',` ######################################## ## @@ -56753,13 +57557,12 @@ index 30e751f..3985ff9 100644 -## administrate an plymouthd environment. +## Allow the specified domain to read +## to plymouthd log files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`plymouthd_read_log',` + gen_require(` 
@@ -56770,16 +57573,37 @@ index 30e751f..3985ff9 100644 + read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) +') + ++##################################### ++## ++## Allow the specified domain to create plymouthd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`plymouthd_create_log',` ++ gen_require(` ++ type plymouthd_log_t; ++ ') ++ ++ logging_search_logs($1) ++ create_files_pattern($1, plymouthd_log_t, plymouthd_log_t) ++') ++ ++ +######################################## +## +## Allow the specified domain to manage +## to plymouthd log files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`plymouthd_manage_log',` + gen_require(` @@ -56802,12 +57626,12 @@ index 30e751f..3985ff9 100644 +## +## +# -+interface(`plymouthd_create_log',` ++interface(`plymouthd_filetrans_named_content',` ++ + gen_require(` + type plymouthd_var_log_t; + ') + -+ logging_rw_generic_log_dirs($1) + logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log") +') + @@ -58371,7 +59195,7 @@ index c0e8785..c0e0959 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/postfix.if b/postfix.if -index ded95ec..0b76d72 100644 +index ded95ec..3cf7146 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ @@ -58702,8 +59526,11 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',` +@@ -380,16 +365,35 @@ interface(`postfix_run_map',` + interface(`postfix_domtrans_master',` + gen_require(` type postfix_master_t, postfix_master_exec_t; ++ attribute postfix_domain; ') - corecmd_search_bin($1) 
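Review bot: The new `plymouthd_create_log` interface requires `type plymouthd_log_t;`, while the neighbouring `plymouthd_read_log`, `plymouthd_manage_log` and `plymouthd_filetrans_named_content` interfaces in this hunk all operate on `plymouthd_var_log_t`. Unless plymouthd.te declares both types (not visible here), any module calling `plymouthd_create_log` fails at build time on the undeclared type, and even if both exist the create permission would land on a different type than the one the "boot.log" named transition targets, which is the label the commit message says it wants to fix. Change the two lines to `type plymouthd_var_log_t;` and `create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)`.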
@@ -58738,7 +59565,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -402,21 +405,18 @@ interface(`postfix_exec_master',` +@@ -402,21 +406,18 @@ interface(`postfix_exec_master',` type postfix_master_exec_t; ') @@ -58761,7 +59588,7 @@ index ded95ec..0b76d72 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',` +@@ -428,8 +429,7 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -58771,7 +59598,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',` +@@ -437,15 +437,18 @@ interface(`postfix_stream_connect_master',` ## ## # @@ -58794,7 +59621,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',` +@@ -458,14 +461,13 @@ interface(`postfix_domtrans_postdrop',` type postfix_postdrop_t, postfix_postdrop_exec_t; ') @@ -58810,7 +59637,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',` +@@ -478,30 +480,85 @@ interface(`postfix_domtrans_postqueue',` type postfix_postqueue_t, postfix_postqueue_exec_t; ') @@ -58830,18 +59657,15 @@ index ded95ec..0b76d72 100644 ## -## Domain allowed access. +## Domain allowed to transition. - ## - ## ++## ++## +## +## +## The role to be allowed the iptables domain. +## +## +## - # --interface(`posftix_exec_postqueue',` -- refpolicywarn(`$0($*) has been deprecated.') -- postfix_exec_postqueue($1) ++# + +interface(`postfix_run_postqueue',` + gen_require(` @@ -58851,8 +59675,8 @@ index ded95ec..0b76d72 100644 + postfix_domtrans_postqueue($1) + role $2 types postfix_postqueue_t; + allow postfix_postqueue_t $1:unix_stream_socket { read write getattr }; - ') - ++') ++ +######################################## +## +## Execute postfix_postgqueue in the postfix_postgqueue domain. 
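Review bot: The second-parameter doc of the new `postfix_run_postqueue` interface reads `## The role to be allowed the iptables domain.`, which is a copy-paste leftover; it should say `## The role to be allowed the postfix_postqueue domain.`. The same interface also grants `allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };` on the caller's sockets, a grant the parallel run interface added in the next hunk does not make, so a short comment stating that this is for descriptors inherited from the caller would make the asymmetry deliberate rather than accidental.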
@@ -58884,10 +59708,13 @@ index ded95ec..0b76d72 100644 +## +## +## Role allowed access. -+## -+## + ## + ## +## -+# + # +-interface(`posftix_exec_postqueue',` +- refpolicywarn(`$0($*) has been deprecated.') +- postfix_exec_postqueue($1) +interface(`postfix_run_postgqueue',` + gen_require(` + type postfix_postgqueue_t; @@ -58895,8 +59722,8 @@ index ded95ec..0b76d72 100644 + + postfix_domtrans_postgqueue($1) + role $2 types postfix_postgqueue_t; -+') -+ + ') + + ####################################### ## @@ -58906,7 +59733,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',` +@@ -514,13 +571,12 @@ interface(`postfix_exec_postqueue',` type postfix_postqueue_exec_t; ') @@ -58921,7 +59748,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',` +@@ -533,13 +589,13 @@ interface(`postfix_create_private_sockets',` type postfix_private_t; ') @@ -58937,7 +59764,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',` +@@ -552,13 +608,14 @@ interface(`postfix_manage_private_sockets',` type postfix_private_t; ') @@ -58954,7 +59781,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',` +@@ -571,14 +628,12 @@ interface(`postfix_domtrans_smtp',` type postfix_smtp_t, postfix_smtp_exec_t; ') @@ -58970,7 +59797,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',` +@@ -586,7 +641,7 @@ interface(`postfix_domtrans_smtp',` ## ## # @@ -58979,7 +59806,7 @@ index ded95ec..0b76d72 100644 gen_require(` attribute postfix_spool_type; ') -@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',` +@@ -607,11 +662,11 @@ interface(`postfix_getattr_all_spool_files',` # interface(`postfix_search_spool',` gen_require(` 
@@ -58993,7 +59820,7 @@ index ded95ec..0b76d72 100644 ') ######################################## -@@ -626,11 +680,11 @@ interface(`postfix_search_spool',` +@@ -626,11 +681,11 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -59007,7 +59834,7 @@ index ded95ec..0b76d72 100644 ') ######################################## -@@ -645,17 +699,16 @@ interface(`postfix_list_spool',` +@@ -645,17 +700,16 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -59028,7 +59855,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',` +@@ -665,11 +719,50 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -59081,7 +59908,7 @@ index ded95ec..0b76d72 100644 ') ######################################## -@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -693,8 +786,8 @@ interface(`postfix_domtrans_user_mail_handler',` ######################################## ## @@ -59092,7 +59919,7 @@ index ded95ec..0b76d72 100644 ## ## ## -@@ -710,38 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -710,38 +803,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` gen_require(` 
@@ -59107,17 +59934,16 @@ index ded95ec..0b76d72 100644 + type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t; + type postfix_map_tmp_t, postfix_prng_t, postfix_public_t; + type postfix_smtpd_t, postfix_var_run_t; - ') - -- allow $1 postfix_domain:process { ptrace signal_perms }; -- ps_process_pattern($1, postfix_domain) ++ ') ++ + allow $1 postfix_bounce_t:process signal_perms; + ps_process_pattern($1, postfix_bounce_t) + tunable_policy(`deny_ptrace',`',` + allow $1 postfix_bounce_t:process ptrace; -+ ') + ') -- init_labeled_script_domtrans($1, postfix_initrc_exec_t) +- allow $1 postfix_domain:process { ptrace signal_perms }; +- ps_process_pattern($1, postfix_domain) + allow $1 postfix_cleanup_t:process signal_perms; + ps_process_pattern($1, postfix_cleanup_t) + tunable_policy(`deny_ptrace',`',` @@ -59128,7 +59954,8 @@ index ded95ec..0b76d72 100644 + allow $1 postfix_qmgr_t:process ptrace; + allow $1 postfix_smtpd_t:process ptrace; + ') -+ + +- init_labeled_script_domtrans($1, postfix_initrc_exec_t) + allow $1 postfix_local_t:process signal_perms; + ps_process_pattern($1, postfix_local_t) + @@ -59252,7 +60079,7 @@ index ded95ec..0b76d72 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..a18b985 100644 +index 5cfb83e..efec4cc 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -60067,7 +60894,7 @@ index 5cfb83e..a18b985 100644 ') optional_policy(` -@@ -774,31 +706,99 @@ optional_policy(` +@@ -774,31 +706,100 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -60150,6 +60977,7 @@ index 5cfb83e..a18b985 100644 +term_dontaudit_use_console(postfix_domain) + +corecmd_exec_shell(postfix_domain) ++corecmd_getattr_all_executables(postfix_domain) + +files_read_etc_runtime_files(postfix_domain) +files_read_usr_symlinks(postfix_domain) 
@@ -68119,6 +68947,224 @@ index c99753f..5e27523 100644 +optional_policy(` + xserver_dontaudit_search_log(mdadm_t) +') +diff --git a/rasdaemon.fc b/rasdaemon.fc +new file mode 100644 +index 0000000..8e31dd0 +--- /dev/null ++++ b/rasdaemon.fc +@@ -0,0 +1,9 @@ ++/usr/lib/systemd/system/ras-mc-ctl.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0) ++ ++/usr/lib/systemd/system/rasdaemon.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0) ++ ++/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) ++ ++/usr/sbin/ras-mc-ctl -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) ++ ++/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_lib_t,s0) +diff --git a/rasdaemon.if b/rasdaemon.if +new file mode 100644 +index 0000000..a073efd +--- /dev/null ++++ b/rasdaemon.if +@@ -0,0 +1,156 @@ ++ ++## The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing ++ ++######################################## ++## ++## Execute TEMPLATE in the rasdaemon domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rasdaemon_domtrans',` ++ gen_require(` ++ type rasdaemon_t, rasdaemon_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t) ++') ++ ++######################################## ++## ++## Search rasdaemon lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rasdaemon_search_lib',` ++ gen_require(` ++ type rasdaemon_var_lib_t; ++ ') ++ ++ allow $1 rasdaemon_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read rasdaemon lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rasdaemon_read_lib_files',` ++ gen_require(` ++ type rasdaemon_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rasdaemon lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rasdaemon_manage_lib_files',` ++ gen_require(` ++ type rasdaemon_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rasdaemon lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rasdaemon_manage_lib_dirs',` ++ gen_require(` ++ type rasdaemon_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++') ++ ++######################################## ++## ++## Execute rasdaemon server in the rasdaemon domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rasdaemon_systemctl',` ++ gen_require(` ++ type rasdaemon_t; ++ type rasdaemon_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rasdaemon_unit_file_t:file read_file_perms; ++ allow $1 rasdaemon_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rasdaemon_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rasdaemon environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`rasdaemon_admin',` ++ gen_require(` ++ type rasdaemon_t; ++ type rasdaemon_var_lib_t; ++ type rasdaemon_unit_file_t; ++ ') ++ ++ allow $1 rasdaemon_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rasdaemon_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, rasdaemon_var_lib_t) ++ ++ rasdaemon_systemctl($1) ++ admin_pattern($1, rasdaemon_unit_file_t) ++ allow $1 rasdaemon_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/rasdaemon.te b/rasdaemon.te +new file mode 100644 +index 0000000..8651ca4 +--- /dev/null ++++ b/rasdaemon.te +@@ -0,0 +1,35 @@ ++policy_module(rasdaemon, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rasdaemon_t; ++type rasdaemon_exec_t; ++init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) ++ ++type rasdaemon_var_lib_t; ++files_type(rasdaemon_var_lib_t) ++ ++type rasdaemon_unit_file_t; ++systemd_unit_file(rasdaemon_unit_file_t) ++ ++######################################## ++# ++# rasdaemon local policy ++# ++allow rasdaemon_t self:fifo_file rw_fifo_file_perms; ++allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file }) ++ ++kernel_read_system_state(rasdaemon_t) ++kernel_manage_debugfs(rasdaemon_t) ++ ++dev_read_sysfs(rasdaemon_t) ++ ++logging_send_syslog_msg(rasdaemon_t) ++ diff --git a/razor.fc b/razor.fc index 6723f4d..6e26673 100644 --- a/razor.fc @@ -70913,7 +71959,7 @@ index c8bdea2..2e4d698 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..d4169cb 100644 +index 6cf79c4..65c88c9 100644 --- a/rhcs.te +++ b/rhcs.te 
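Review bot: `kernel_manage_debugfs(rasdaemon_t)` in the new rasdaemon.te grants create, write and delete over everything in debugfs, whereas the module summary in rasdaemon.if says the daemon monitors RAS trace events under /sys/kernel/debug/tracing. If the daemon only reads the trace buffers and toggles a few event-enable files, `kernel_read_debugfs(rasdaemon_t)` plus a comment naming the tracing paths it writes would bound the access; if full manage really is needed, a one-line comment saying why would stop a later cleanup from narrowing it blindly. Separately, rasdaemon.if still carries the template text `## Execute TEMPLATE in the rasdaemon domin.` (rtas.if in this same commit fixes its analogous line); change it to `## Execute rasdaemon in the rasdaemon domain.` and the summary's "a daemon with monitors" to "a daemon that monitors".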
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -71232,7 +72278,7 @@ index 6cf79c4..d4169cb 100644 ') ##################################### -@@ -79,7 +349,7 @@ optional_policy(` +@@ -79,9 +349,11 @@ optional_policy(` # dlm_controld local policy # @@ -71240,8 +72286,12 @@ index 6cf79c4..d4169cb 100644 +allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource }; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; ++files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir) ++ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t) + stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -71274,7 +72324,7 @@ index 6cf79c4..d4169cb 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -71285,7 +72335,7 @@ index 6cf79c4..d4169cb 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +433,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -71296,7 +72346,7 @@ index 6cf79c4..d4169cb 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +443,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) 
@@ -71305,7 +72355,7 @@ index 6cf79c4..d4169cb 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +463,8 @@ optional_policy(` +@@ -182,7 +465,8 @@ optional_policy(` ') optional_policy(` @@ -71315,7 +72365,7 @@ index 6cf79c4..d4169cb 100644 ') optional_policy(` -@@ -190,12 +472,12 @@ optional_policy(` +@@ -190,12 +474,12 @@ optional_policy(` ') optional_policy(` @@ -71331,7 +72381,7 @@ index 6cf79c4..d4169cb 100644 ') optional_policy(` -@@ -203,6 +485,13 @@ optional_policy(` +@@ -203,6 +487,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -71345,7 +72395,7 @@ index 6cf79c4..d4169cb 100644 ####################################### # # foghorn local policy -@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +512,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -71366,7 +72416,7 @@ index 6cf79c4..d4169cb 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +550,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -71375,7 +72425,7 @@ index 6cf79c4..d4169cb 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +570,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -71417,7 +72467,7 @@ index 6cf79c4..d4169cb 100644 ###################################### # # qdiskd local policy -@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +645,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -75728,16 +76778,16 @@ index 0000000..25d96cb + diff --git a/rtas.if b/rtas.if new file mode 100644 -index 0000000..9381936 +index 0000000..0ec3302 --- /dev/null 
+++ b/rtas.if -@@ -0,0 +1,166 @@ +@@ -0,0 +1,162 @@ + -+## rtas_errd - Platform diagnostics report firmware events ++## Platform diagnostics report firmware events. + +######################################## +## -+## Execute TEMPLATE in the rtas_errd domin. ++## Execute rtas_errd in the rtas_errd domin. +## +## +## @@ -75753,6 +76803,7 @@ index 0000000..9381936 + corecmd_search_bin($1) + domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t) +') ++ +######################################## +## +## Read rtas_errd's log files. @@ -75812,6 +76863,7 @@ index 0000000..9381936 + manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) + manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) +') ++ +######################################## +## +## Read rtas_errd PID files. @@ -75848,7 +76900,7 @@ index 0000000..9381936 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 rtas_errd_unit_file_t:file read_file_perms; + allow $1 rtas_errd_unit_file_t:service manage_service_perms; + @@ -75866,19 +76918,12 @@ index 0000000..9381936 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`rtas_errd_admin',` + gen_require(` + type rtas_errd_t; -+ type rtas_errd_log_t; -+ type rtas_errd_var_run_t; -+ type rtas_errd_unit_file_t; ++ type rtas_errd_log_t, rtas_errd_var_run_t; ++ type rtas_errd_unit_file_t; + ') + + allow $1 rtas_errd_t:process { ptrace signal_perms }; @@ -75893,6 +76938,7 @@ index 0000000..9381936 + rtas_errd_systemctl($1) + admin_pattern($1, rtas_errd_unit_file_t) + allow $1 rtas_errd_unit_file_t:service all_service_perms; ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) @@ -76965,7 +78011,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..d768a98 100644 +index 2b7c441..3e81196 100644 --- a/samba.te 
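Review bot: The rewritten summary line in rtas.if, `## Execute rtas_errd in the rtas_errd domin.`, keeps the "domin" typo even though the cleanup already replaces the rest of that line. Since the line is touched anyway, make it `## Execute rtas_errd in the rtas_errd domain.` so the generated interface documentation reads correctly.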
+++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -77382,7 +78428,7 @@ index 2b7c441..d768a98 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) -@@ -366,44 +361,54 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +361,55 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -77431,6 +78477,7 @@ index 2b7c441..d768a98 100644 files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ++ fs_rw_inherited_tmpfs_files(smbd_t) ') -tunable_policy(`allow_smbd_anon_write',` @@ -77448,7 +78495,7 @@ index 2b7c441..d768a98 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +424,10 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +425,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -77471,7 +78518,7 @@ index 2b7c441..d768a98 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +436,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +437,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -77479,7 +78526,7 @@ index 2b7c441..d768a98 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,17 +444,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,17 +445,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -77497,7 +78544,7 @@ index 2b7c441..d768a98 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -466,6 +451,7 @@ optional_policy(` +@@ -466,6 +452,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -77505,7 +78552,7 @@ index 2b7c441..d768a98 100644 ') optional_policy(` -@@ -479,6 +465,11 @@ optional_policy(` +@@ -479,6 +466,11 @@ optional_policy(` ') optional_policy(` 
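Review bot: `fs_rw_inherited_tmpfs_files(smbd_t)` is added inside a block whose other visible lines are all dontaudit rules (`files_dontaudit_getattr_default_dirs`, `files_dontaudit_getattr_boot_dirs`, `fs_dontaudit_getattr_tmpfs_dirs`), so this allow rule is conditioned on whatever tunable or optional_policy heads that block, whose opening line is outside the hunk. If the read/write access to inherited tmpfs descriptors is meant to be unconditional, it belongs with the main smbd_t rules; if it is meant to be gated by that block, a one-line comment naming the scenario that needs it would keep the two kinds of rules from being confused on the next edit.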
@@ -77517,7 +78564,7 @@ index 2b7c441..d768a98 100644 lpd_exec_lpr(smbd_t) ') -@@ -499,9 +490,33 @@ optional_policy(` +@@ -499,9 +491,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -77552,7 +78599,7 @@ index 2b7c441..d768a98 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +527,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +528,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -77567,7 +78614,7 @@ index 2b7c441..d768a98 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +543,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +544,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -77591,7 +78638,7 @@ index 2b7c441..d768a98 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -548,52 +560,41 @@ kernel_read_network_state(nmbd_t) +@@ -548,52 +561,41 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -77657,7 +78704,7 @@ index 2b7c441..d768a98 100644 ') optional_policy(` -@@ -606,16 +607,22 @@ optional_policy(` +@@ -606,16 +608,22 @@ optional_policy(` ######################################## # @@ -77684,7 +78731,7 @@ index 2b7c441..d768a98 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +634,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +635,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -77702,7 +78749,7 @@ index 2b7c441..d768a98 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +646,23 @@ optional_policy(` +@@ -644,22 +647,23 @@ optional_policy(` ######################################## # 
@@ -77734,7 +78781,7 @@ index 2b7c441..d768a98 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +671,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +672,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -77770,7 +78817,7 @@ index 2b7c441..d768a98 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +698,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +699,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -77862,7 +78909,7 @@ index 2b7c441..d768a98 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +777,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +778,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -77886,7 +78933,7 @@ index 2b7c441..d768a98 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +791,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +792,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -77929,7 +78976,7 @@ index 2b7c441..d768a98 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +821,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +822,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -77943,7 +78990,7 @@ index 2b7c441..d768a98 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -841,16 +845,19 @@ optional_policy(` +@@ -841,16 +846,19 @@ optional_policy(` # allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; 
@@ -77967,7 +79014,7 @@ index 2b7c441..d768a98 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +867,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +868,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -77978,7 +79025,7 @@ index 2b7c441..d768a98 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +878,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,23 +879,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -78008,7 +79055,7 @@ index 2b7c441..d768a98 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +901,17 @@ kernel_read_system_state(winbind_t) +@@ -898,13 +902,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -78029,7 +79076,7 @@ index 2b7c441..d768a98 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,10 +919,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,10 +920,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -78040,7 +79087,7 @@ index 2b7c441..d768a98 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -924,26 +927,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -924,26 +928,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) 
@@ -78082,7 +79129,7 @@ index 2b7c441..d768a98 100644 ') optional_policy(` -@@ -959,31 +975,29 @@ optional_policy(` +@@ -959,31 +976,29 @@ optional_policy(` # Winbind helper local policy # @@ -78120,7 +79167,7 @@ index 2b7c441..d768a98 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1011,38 @@ optional_policy(` +@@ -997,25 +1012,38 @@ optional_policy(` ######################################## # @@ -79847,7 +80894,7 @@ index 98c9e0a..df51942 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 299756b..d252327 100644 +index 299756b..947d6b9 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) @@ -79949,7 +80996,7 @@ index 299756b..d252327 100644 ') optional_policy(` -@@ -117,6 +130,29 @@ optional_policy(` +@@ -117,6 +130,32 @@ optional_policy(` # Reposd local policy # @@ -79978,6 +81025,9 @@ index 299756b..d252327 100644 + +corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) + ++dev_read_rand(sblim_sfcbd_t) ++dev_read_urand(sblim_sfcbd_t) ++ +domain_read_all_domains_state(sblim_sfcbd_t) +domain_use_interactive_fds(sblim_sfcbd_t) diff --git a/screen.fc b/screen.fc @@ -81032,7 +82082,7 @@ index 0b3a971..397a522 100644 -/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) +/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/setroubleshoot.if b/setroubleshoot.if -index 3a9a70b..039b0c8 100644 +index 3a9a70b..903109c 100644 --- a/setroubleshoot.if +++ b/setroubleshoot.if @@ -1,9 +1,8 @@ 
@@ -81059,7 +82109,32 @@ index 3a9a70b..039b0c8 100644 ## ## ## -@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',` +@@ -42,6 +40,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',` + dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; + ') + ++####################################### ++## ++## Send null signals to setroubleshoot. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`setroubleshoot_signull',` ++ gen_require(` ++ type setroubleshootd_t; ++ ') ++ ++ allow $1 setroubleshootd_t:process signull; ++') ++ + ######################################## + ## + ## Send and receive messages from +@@ -107,8 +123,27 @@ interface(`setroubleshoot_dbus_chat_fixit',` ######################################## ## @@ -81089,7 +82164,7 @@ index 3a9a70b..039b0c8 100644 ## ## ## -@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` +@@ -119,12 +154,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` # interface(`setroubleshoot_admin',` gen_require(` @@ -82283,7 +83358,7 @@ index ec031a0..ebf575f 100644 netutils_domtrans_ping(httpd_smokeping_cgi_script_t) diff --git a/smoltclient.te b/smoltclient.te -index b3f2c6f..68f17c1 100644 +index b3f2c6f..dccac2a 100644 --- a/smoltclient.te +++ b/smoltclient.te @@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t) @@ -82301,6 +83376,17 @@ index b3f2c6f..68f17c1 100644 optional_policy(` abrt_stream_connect(smoltclient_t) +@@ -77,6 +75,10 @@ optional_policy(` + ') + + optional_policy(` ++ libs_exec_ldconfig(smoltclient_t) ++') ++ ++optional_policy(` + rpm_exec(smoltclient_t) + rpm_read_db(smoltclient_t) + ') diff --git a/smsd.fc b/smsd.fc new file mode 100644 index 0000000..4c3fcec @@ -83150,7 +84236,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..3669dac 100644 +index f2f507d..b97161a 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; 
@@ -83172,7 +84258,12 @@ index f2f507d..3669dac 100644 optional_policy(` pulseaudio_tmpfs_content(sosreport_tmpfs_t) ') -@@ -37,6 +37,8 @@ allow sosreport_t self:process { setsched signull }; +@@ -33,10 +33,12 @@ optional_policy(` + + allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; + dontaudit sosreport_t self:capability sys_ptrace; +-allow sosreport_t self:process { setsched signull }; ++allow sosreport_t self:process signal_perms; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket { accept listen }; allow sosreport_t self:unix_stream_socket { accept listen }; @@ -83194,7 +84285,26 @@ index f2f507d..3669dac 100644 manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) -@@ -69,6 +77,8 @@ dev_read_urand(sosreport_t) +@@ -58,6 +66,18 @@ kernel_read_all_sysctls(sosreport_t) + kernel_read_software_raid_state(sosreport_t) + kernel_search_debugfs(sosreport_t) + kernel_read_messages(sosreport_t) ++kernel_request_load_module(sosreport_t) ++ ++corenet_all_recvfrom_netlabel(sosreport_t) ++corenet_tcp_sendrecv_generic_if(sosreport_t) ++corenet_tcp_sendrecv_generic_node(sosreport_t) ++corenet_tcp_sendrecv_generic_port(sosreport_t) ++corenet_tcp_bind_generic_node(sosreport_t) ++corenet_tcp_bind_all_rpc_ports(sosreport_t) ++corenet_udp_bind_all_rpc_ports(sosreport_t) ++corenet_tcp_connect_http_port(sosreport_t) ++corenet_tcp_connect_all_ports(sosreport_t) ++corenet_sendrecv_http_client_packets(sosreport_t) + + corecmd_exec_all_executables(sosreport_t) + +@@ -69,6 +89,8 @@ dev_read_urand(sosreport_t) dev_read_raw_memory(sosreport_t) dev_read_sysfs(sosreport_t) dev_rw_generic_usb_dev(sosreport_t) 
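Review bot: Replacing `allow sosreport_t self:process { setsched signull };` with `allow sosreport_t self:process signal_perms;` silently drops `setsched`, because `signal_perms` covers only the signal permissions (`signal signull sigkill sigstop sigchld`) and not scheduling changes; unless `setsched` is granted elsewhere in sosreport.te this is a regression that will show up as a new setsched denial. The line should read `allow sosreport_t self:process { setsched signal_perms };`. The spec changelog later in this patch also lists "Allow setpgid for sosreport", which `signal_perms` does not cover either, so if that entry refers to this rule `setpgid` belongs in the same set.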
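Review bot: `corenet_tcp_connect_all_ports(sosreport_t)` already permits connecting to every labelled TCP port, which makes the `corenet_tcp_connect_http_port(sosreport_t)` line directly above it redundant and is a far broader grant than the commit message (rpcinfo, subscription-manager) explains. Either drop the narrower call or, if the blanket connect is really needed because sosreport plugins talk to arbitrary local services, record that with a why-comment in the file's existing `# needed by ...` style. `kernel_request_load_module(sosreport_t)` deserves the same treatment — a one-line comment naming the plugin that triggers the module request, which I cannot tell from the hunk.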
@@ -83203,7 +84313,7 @@ index f2f507d..3669dac 100644 domain_getattr_all_domains(sosreport_t) domain_read_all_domains_state(sosreport_t) -@@ -83,7 +93,6 @@ files_list_all(sosreport_t) +@@ -83,7 +105,6 @@ files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) @@ -83211,7 +84321,7 @@ index f2f507d..3669dac 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -92,25 +101,32 @@ files_manage_etc_runtime_files(sosreport_t) +@@ -92,25 +113,34 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) fs_getattr_all_fs(sosreport_t) @@ -83234,6 +84344,8 @@ index f2f507d..3669dac 100644 init_domtrans_script(sosreport_t) +init_getattr_initctl(sosreport_t) ++init_status(sosreport_t) ++init_stream_connect(sosreport_t) libs_domtrans_ldconfig(sosreport_t) @@ -83247,7 +84359,7 @@ index f2f507d..3669dac 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -119,6 +135,10 @@ optional_policy(` +@@ -119,6 +149,10 @@ optional_policy(` ') optional_policy(` @@ -83258,10 +84370,14 @@ index f2f507d..3669dac 100644 cups_stream_connect(sosreport_t) ') -@@ -127,6 +147,11 @@ optional_policy(` +@@ -127,6 +161,15 @@ optional_policy(` ') optional_policy(` ++ lvm_dontaudit_access_check_lock(sosreport_t) ++') ++ ++optional_policy(` + # needed by modinfo + modutils_read_module_deps(sosreport_t) +') @@ -83270,6 +84386,27 @@ index f2f507d..3669dac 100644 fstools_domtrans(sosreport_t) ') +@@ -136,6 +179,10 @@ optional_policy(` + optional_policy(` + hal_dbus_chat(sosreport_t) + ') ++ ++ optional_policy(` ++ rpm_dbus_chat(sosreport_t) ++ ') + ') + + optional_policy(` +@@ -157,5 +204,9 @@ optional_policy(` + ') + + optional_policy(` ++ setroubleshoot_signull(sosreport_t) ++') ++ ++optional_policy(` + xserver_stream_connect(sosreport_t) + ') 
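Review bot: The new `init_status(sosreport_t)` and `init_stream_connect(sosreport_t)` lines carry no explanation, while the `modutils_read_module_deps` addition further down in this same file is annotated with `# needed by modinfo`; for consistency the pair should get a comment such as `# needed by systemctl`, which is what the commit message gives as the reason. The surrounding run of init_* rules continues outside the hunk.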
diff --git a/soundserver.if b/soundserver.if index a5abc5a..b9eff74 100644 --- a/soundserver.if @@ -85242,7 +86379,7 @@ index a240455..16a04bf 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..49327eb 100644 +index 2d8db1f..290807b 100644 --- a/sssd.te +++ b/sssd.te @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) @@ -85279,9 +86416,11 @@ index 2d8db1f..49327eb 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) ++kernel_request_load_module(sssd_t) -corenet_all_recvfrom_unlabeled(sssd_t) -corenet_all_recvfrom_netlabel(sssd_t) @@ -85297,7 +86436,7 @@ index 2d8db1f..49327eb 100644 corecmd_exec_bin(sssd_t) -@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t) +@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -85307,7 +86446,7 @@ index 2d8db1f..49327eb 100644 files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) -@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t) +@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) # sssd wants to write /etc/selinux//logins/ for SELinux PAM module @@ -85325,7 +86464,7 @@ index 2d8db1f..49327eb 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +106,32 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -90721,7 +91860,7 @@ index af9acc0..cdaf82e 100644 admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te -index 849f607..d7c8ed8 100644 +index 849f607..e01ec6d 100644 --- a/uucp.te +++ b/uucp.te 
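Review bot: `kernel_request_load_module(sssd_t)` lets sssd trigger kernel module autoloading, a capability well beyond the read-only `kernel_read_*_state` rules it is placed next to, and the hunk gives no hint which sssd operation needs it. A one-line why-comment above it naming the operation that produced the module_request denial (I cannot tell from the hunk which backend it is) would let a later reviewer judge whether the grant is still required. sssd.te continues outside the hunk.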
@@ -31,7 +31,7 @@ type uucpd_ro_t; @@ -90733,7 +91872,7 @@ index 849f607..d7c8ed8 100644 type uucpd_log_t; logging_log_file(uucpd_log_t) -@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t) +@@ -84,15 +84,20 @@ kernel_read_kernel_sysctls(uucpd_t) kernel_read_system_state(uucpd_t) kernel_read_network_state(uucpd_t) @@ -90749,12 +91888,13 @@ index 849f607..d7c8ed8 100644 corenet_tcp_connect_ssh_port(uucpd_t) corenet_tcp_sendrecv_ssh_port(uucpd_t) ++corenet_tcp_bind_uucpd_port(uucpd_t) +corenet_tcp_connect_uucpd_port(uucpd_t) + corecmd_exec_bin(uucpd_t) corecmd_exec_shell(uucpd_t) -@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t) +@@ -110,7 +115,7 @@ auth_use_nsswitch(uucpd_t) logging_send_syslog_msg(uucpd_t) @@ -90763,7 +91903,7 @@ index 849f607..d7c8ed8 100644 optional_policy(` cron_system_entry(uucpd_t, uucpd_exec_t) -@@ -125,10 +129,6 @@ optional_policy(` +@@ -125,10 +130,6 @@ optional_policy(` ') optional_policy(` @@ -90774,7 +91914,7 @@ index 849f607..d7c8ed8 100644 ssh_exec(uucpd_t) ') -@@ -160,10 +160,15 @@ auth_use_nsswitch(uux_t) +@@ -160,10 +161,15 @@ auth_use_nsswitch(uux_t) logging_search_logs(uux_t) logging_send_syslog_msg(uux_t) @@ -95416,10 +96556,10 @@ index eecd0e0..8df2e8c 100644 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/watchdog.te b/watchdog.te -index 3548317..d8655b2 100644 +index 3548317..c93e88b 100644 --- a/watchdog.te +++ b/watchdog.te -@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) +@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) type watchdog_initrc_exec_t; init_script_file(watchdog_initrc_exec_t) 
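Review bot: `corenet_tcp_bind_uucpd_port(uucpd_t)` is added without a matching `corenet_tcp_sendrecv_uucpd_port(uucpd_t)`, whereas the ssh port in the same block is given both `corenet_tcp_connect_ssh_port` and `corenet_tcp_sendrecv_ssh_port`; when packet labelling is in use, accepting connections on the uucpd port will also need the sendrecv rule. Consider adding `corenet_tcp_sendrecv_uucpd_port(uucpd_t)` beside the new bind line. uucp.te continues outside the hunk.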
@@ -95438,9 +96578,15 @@ index 3548317..d8655b2 100644 ######################################## # # Local policy -@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms }; + # + +-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource }; ++allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw }; + dontaudit watchdog_t self:capability sys_tty_config; + allow watchdog_t self:process { setsched signal_perms }; allow watchdog_t self:fifo_file rw_fifo_file_perms; allow watchdog_t self:tcp_socket { accept listen }; ++allow watchdog_t self:rawip_socket create_socket_perms; -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) @@ -95453,7 +96599,12 @@ index 3548317..d8655b2 100644 manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) -@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t) + ++kernel_read_network_state(watchdog_t) + kernel_read_system_state(watchdog_t) + kernel_read_kernel_sysctls(watchdog_t) + kernel_unmount_proc(watchdog_t) +@@ -63,7 +75,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) @@ -95461,7 +96612,11 @@ index 3548317..d8655b2 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t) +@@ -72,11 +83,10 @@ fs_getattr_all_fs(watchdog_t) + fs_search_auto_mountpoints(watchdog_t) + + auth_append_login_records(watchdog_t) ++auth_read_passwd(watchdog_t) logging_send_syslog_msg(watchdog_t) 
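Review bot: The new `allow watchdog_t self:rawip_socket create_socket_perms;` together with `net_raw` added to the capability set lets the daemon open raw IP sockets, the most privileged network grant in this file, yet neither line says why; the commit message's "Watchdog opens the raw socket" presumably refers to the daemon's ping-based network test, which I cannot confirm from the hunk. A why-comment such as `# raw socket for the ping test` above the rawip line would record the reason the grant was accepted. The Local policy section continues outside the hunk.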
@@ -95470,7 +96625,7 @@ index 3548317..d8655b2 100644 sysnet_dns_name_resolve(watchdog_t) userdom_dontaudit_use_unpriv_user_fds(watchdog_t) -@@ -97,3 +104,28 @@ optional_policy(` +@@ -97,3 +107,28 @@ optional_policy(` optional_policy(` udev_read_db(watchdog_t) ') @@ -97883,7 +99038,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..16f1ab6 100644 +index 7f496c6..1498539 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,21 +6,23 @@ policy_module(zabbix, 1.6.0) @@ -98060,7 +99215,13 @@ index 7f496c6..16f1ab6 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t) +@@ -177,12 +169,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) + dev_getattr_all_blk_files(zabbix_agent_t) + dev_getattr_all_chr_files(zabbix_agent_t) + +-domain_search_all_domains_state(zabbix_agent_t) ++domain_read_all_domains_state(zabbix_agent_t) + files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) files_read_all_symlinks(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 0aed8ab3..6ff82f3d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
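Review bot: Widening `domain_search_all_domains_state` to `domain_read_all_domains_state(zabbix_agent_t)` lets the agent read, not merely traverse, the /proc/<pid> state of every domain on the host; as far as I know that includes files such as cmdline and environ, so a monitoring agent now sees other processes' command lines and environment. If the agent's process checks genuinely need it, a comment on the line naming the check that requires it would record the justification; otherwise a narrower interface would be preferable. zabbix.te continues outside the hunk.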
@@ -575,6 +575,65 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Nov 26 2013 Miroslav Grepl 3.13.1-6 +- Add filename transition also for servicelog.db-journal +- Add files_dontaudit_access_check_root() +- Add lvm_dontaudit_access_check_lock() interface +- Allow mount to manage mount_var_run_t files/dirs +- Allow updapwd_t to ignore mls levels for writign shadow_t at a lower level +- Make sure boot.log is created with the correct label +- call logging_relabel_all_log_dirs() in systemd.te +- Allow systemd_tmpfiles to relabel log directories +- Allow staff_t to run frequency command +- Allow staff_t to read xserver_log file +- This reverts commit c0f9f125291f189271cbbca033f87131dab1e22f. +- Label hsperfdata_root as tmp_t +- Add plymouthd_create_log() +- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 +- Allow sssd to request the kernel loads modules +- Allow gpg_agent to use ssh-add +- Allow gpg_agent to use ssh-add +- Dontaudit access check on /root for myslqd_safe_t +- Add glusterd_brick_t files type +- Allow ctdb to getattr on al filesystems +- Allow abrt to stream connect to syslog +- Allow dnsmasq to list dnsmasq.d directory +- Watchdog opens the raw socket +- Allow watchdog to read network state info +- Dontaudit access check on lvm lock dir +- Allow sosreport to send signull to setroubleshootd +- Add setroubleshoot_signull() interface +- Fix ldap_read_certs() interface +- Allow sosreport all signal perms +- Allow sosreport to run systemctl +- Allow sosreport to dbus chat with rpm +- Allow zabbix_agentd to read all domain state +- Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom +- Allow smoltclient to execute ldconfig +- Allow sosreport to request the kernel to load a module +- Clean up rtas.if +- Clean up docker.if +- drop /var/lib/glpi/files labeling in cron.fc +- Added new policy for rasdaemon +- Add apache labeling for glpi +- Allow pegasus to transition to dmidecode +- Make sure 
boot.log is created with the correct label +- Fix typo in openshift.te +- remove dup bumblebee_systemctl() +- Allow watchdog to read /etc/passwd +- Allow condor domains to read/write condor_master udp_socket +- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift +- Add back file_pid_filetrans for /var/run/dlm_controld +- Allow smbd_t to use inherited tmpfs content +- Allow mcelog to use the /dev/cpu device +- sosreport runs rpcinfo +- sosreport runs subscription-manager +- Allow setpgid for sosreport +- Allow browser plugins to connect to bumblebee +- New policy for bumblebee and freqset +- Add new policy for mip6d daemon +- Add new policy for opensm daemon + * Mon Nov 18 2013 Miroslav Grepl 3.13.1-5 - Add back /dev/shm labeling