- geard seems to do a lot of relabeling

- Allow system_mail_t to append to munin_var_lib_t
- Allow mozilla_plugin to read alsa_rw_ content
- Allow asterisk to connect to the apache ports
- Dontaudit attempts to read fixed disk
- Dontaudit search gconf_home_t
- Allow rsync to create  swift_server.lock with swift.log labeling
- Add labeling for swift lock files
- Use swift_virt_lock in swift.te
- Allow openwsman to getattr on sblim_sfcbd executable
- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
- Allow openwsman_t to read/write sblim-sfcb shared mem
- Allow openwsman to stream connect to sblim-sfcbd
- Allow openwsman to create tmpfs files/dirs
- dontaudit access to rpm db if rpm_exec for swift_t and sblim_sfcb
- Allow sblim_sfcbd to execute shell
- Allow swift to create lock file
- Allow openwsman to use tcp/80
- Allow neutron to create also dirs in /tmp
- Allow seunshare domains to getattr on all executables
- Allow ssh-keygen to create temporary files/dirs needed by OpenSt
- Allow named_filetrans_domain to create /run/netns
- Allow ifconfig to create /run/netns
This commit is contained in:
Miroslav Grepl 2014-05-20 07:59:07 +02:00
parent 7768984e85
commit cccaf8f646
3 changed files with 414 additions and 174 deletions


@ -3174,10 +3174,10 @@ index 1dc7a85..c6f4da0 100644
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
index 7590165..fb30c11 100644
index 7590165..b516b43 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
@@ -5,40 +5,62 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
@ -3203,6 +3203,7 @@ index 7590165..fb30c11 100644
-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+corecmd_exec_shell(seunshare_domain)
+corecmd_exec_bin(seunshare_domain)
+corecmd_getattr_all_executables(seunshare_domain)
-corecmd_exec_shell(seunshare_t)
-corecmd_exec_bin(seunshare_t)
@ -8813,7 +8814,7 @@ index 6a1e4d1..1b9b0b5 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..b9da2b3 100644
index cf04cb5..32d58ca 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -8961,7 +8962,7 @@ index cf04cb5..b9da2b3 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +237,347 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +237,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -9155,6 +9156,7 @@ index cf04cb5..b9da2b3 100644
+
+optional_policy(`
+ sysnet_filetrans_named_content(named_filetrans_domain)
+ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
+')
+
+optional_policy(`
@ -15037,13 +15039,13 @@ index e7d1738..089cc7a 100644
########################################
#
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
index 7be4ddf..d5ef507 100644
index 7be4ddf..71e675a 100644
--- a/policy/modules/kernel/kernel.fc
+++ b/policy/modules/kernel/kernel.fc
@@ -1 +1,3 @@
-# This module currently does not have any file contexts.
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..fb8a1f1 100644
@ -22131,10 +22133,10 @@ index fe0c682..e8dcfa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7..a8b01bf 100644
index cc877c7..1d92018 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,65 @@ policy_module(ssh, 2.4.2)
@@ -6,43 +6,68 @@ policy_module(ssh, 2.4.2)
#
## <desc>
@ -22178,6 +22180,9 @@ index cc877c7..a8b01bf 100644
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
-role system_r types ssh_keygen_t;
+
+type ssh_keygen_tmp_t;
+files_tmp_file(ssh_keygen_tmp_t)
+
+type sshd_keygen_t;
+type sshd_keygen_exec_t;
+init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
@ -22214,7 +22219,7 @@ index cc877c7..a8b01bf 100644
type ssh_t;
type ssh_exec_t;
@@ -73,9 +95,11 @@ type ssh_home_t;
@@ -73,9 +98,11 @@ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
@ -22228,7 +22233,7 @@ index cc877c7..a8b01bf 100644
##############################
#
@@ -86,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
@@ -86,6 +113,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@ -22236,7 +22241,7 @@ index cc877c7..a8b01bf 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
@@ -93,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
@@ -93,15 +121,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@ -22253,7 +22258,7 @@ index cc877c7..a8b01bf 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
@@ -110,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
@@ -110,33 +134,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@ -22301,7 +22306,7 @@ index cc877c7..a8b01bf 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
@@ -157,40 +187,46 @@ files_read_var_files(ssh_t)
@@ -157,40 +190,46 @@ files_read_var_files(ssh_t)
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
@ -22367,7 +22372,7 @@ index cc877c7..a8b01bf 100644
')
optional_policy(`
@@ -198,6 +234,7 @@ optional_policy(`
@@ -198,6 +237,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@ -22375,7 +22380,7 @@ index cc877c7..a8b01bf 100644
##############################
#
# ssh_keysign_t local policy
@@ -209,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -209,6 +249,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@ -22383,7 +22388,7 @@ index cc877c7..a8b01bf 100644
files_read_etc_files(ssh_keysign_t)
@@ -226,39 +264,57 @@ optional_policy(`
@@ -226,39 +267,57 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@ -22453,7 +22458,7 @@ index cc877c7..a8b01bf 100644
')
optional_policy(`
@@ -266,6 +322,15 @@ optional_policy(`
@@ -266,6 +325,15 @@ optional_policy(`
')
optional_policy(`
@ -22469,7 +22474,7 @@ index cc877c7..a8b01bf 100644
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')
@@ -275,6 +340,18 @@ optional_policy(`
@@ -275,6 +343,18 @@ optional_policy(`
')
optional_policy(`
@ -22488,7 +22493,7 @@ index cc877c7..a8b01bf 100644
oddjob_domtrans_mkhomedir(sshd_t)
')
@@ -289,13 +366,93 @@ optional_policy(`
@@ -289,13 +369,93 @@ optional_policy(`
')
optional_policy(`
@ -22582,7 +22587,7 @@ index cc877c7..a8b01bf 100644
########################################
#
# ssh_keygen local policy
@@ -304,19 +461,29 @@ optional_policy(`
@@ -304,19 +464,33 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@ -22600,6 +22605,10 @@ index cc877c7..a8b01bf 100644
+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+
+manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
+manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
+files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })
+
+kernel_read_system_state(ssh_keygen_t)
kernel_read_kernel_sysctls(ssh_keygen_t)
@ -22613,7 +22622,7 @@ index cc877c7..a8b01bf 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -333,6 +500,12 @@ auth_use_nsswitch(ssh_keygen_t)
@@ -333,6 +507,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@ -22626,7 +22635,7 @@ index cc877c7..a8b01bf 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
@@ -341,3 +514,140 @@ optional_policy(`
@@ -341,3 +521,140 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@ -29787,7 +29796,7 @@ index 79a45f6..89b43aa 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..43c0bc6 100644
index 17eda24..956662b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -30064,9 +30073,10 @@ index 17eda24..43c0bc6 100644
+ fs_manage_tmpfs_files(init_t)
+ fs_manage_tmpfs_symlinks(init_t)
+ fs_manage_tmpfs_sockets(init_t)
+ fs_manage_tmpfs_chr_files(init_t)
+ fs_exec_tmpfs_files(init_t)
fs_read_tmpfs_symlinks(init_t)
fs_rw_tmpfs_chr_files(init_t)
- fs_rw_tmpfs_chr_files(init_t)
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+ fs_tmpfs_filetrans_named_content(init_t)
+
@ -33440,7 +33450,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..1259fbd 100644
index 59b04c1..13c21e8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -33527,7 +33537,19 @@ index 59b04c1..1259fbd 100644
init_dontaudit_use_fds(auditctl_t)
@@ -148,6 +176,7 @@ kernel_read_kernel_sysctls(auditd_t)
@@ -136,9 +164,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
+manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
-allow auditd_t var_log_t:dir search_dir_perms;
+logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit")
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
@@ -148,6 +177,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)
@ -33535,7 +33557,7 @@ index 59b04c1..1259fbd 100644
dev_read_sysfs(auditd_t)
@@ -155,9 +184,6 @@ fs_getattr_all_fs(auditd_t)
@@ -155,9 +185,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
@ -33545,7 +33567,7 @@ index 59b04c1..1259fbd 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
@@ -183,16 +209,17 @@ logging_send_syslog_msg(auditd_t)
@@ -183,16 +210,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@ -33567,7 +33589,7 @@ index 59b04c1..1259fbd 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
@@ -237,19 +264,29 @@ corecmd_exec_shell(audisp_t)
@@ -237,19 +265,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@ -33598,7 +33620,7 @@ index 59b04c1..1259fbd 100644
')
########################################
@@ -268,7 +305,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
@@ -268,7 +306,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
corecmd_exec_bin(audisp_remote_t)
@ -33606,7 +33628,7 @@ index 59b04c1..1259fbd 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
@@ -280,10 +316,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
@@ -280,10 +317,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@ -33626,7 +33648,7 @@ index 59b04c1..1259fbd 100644
sysnet_dns_name_resolve(audisp_remote_t)
@@ -326,7 +370,6 @@ files_read_etc_files(klogd_t)
@@ -326,7 +371,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@ -33634,7 +33656,7 @@ index 59b04c1..1259fbd 100644
mls_file_read_all_levels(klogd_t)
@@ -355,13 +398,12 @@ optional_policy(`
@@ -355,13 +399,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
@ -33651,7 +33673,7 @@ index 59b04c1..1259fbd 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -369,8 +411,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
@@ -369,8 +412,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@ -33662,7 +33684,7 @@ index 59b04c1..1259fbd 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
@@ -389,30 +433,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -389,30 +434,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -33712,7 +33734,7 @@ index 59b04c1..1259fbd 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +482,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
@@ -422,6 +483,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@ -33721,7 +33743,7 @@ index 59b04c1..1259fbd 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +494,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -432,9 +495,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -33749,7 +33771,7 @@ index 59b04c1..1259fbd 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -448,13 +527,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
@@ -448,13 +528,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@ -33767,7 +33789,7 @@ index 59b04c1..1259fbd 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +549,11 @@ init_use_fds(syslogd_t)
@@ -466,11 +550,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -33782,7 +33804,7 @@ index 59b04c1..1259fbd 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -507,15 +590,40 @@ optional_policy(`
@@ -507,15 +591,40 @@ optional_policy(`
')
optional_policy(`
@ -33823,7 +33845,7 @@ index 59b04c1..1259fbd 100644
')
optional_policy(`
@@ -526,3 +634,26 @@ optional_policy(`
@@ -526,3 +635,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@ -38115,7 +38137,7 @@ index 2cea692..e094fc0 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..f1782ee 100644
index a392fc4..4302955 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -38403,7 +38425,7 @@ index a392fc4..f1782ee 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -299,33 +377,50 @@ term_dontaudit_use_all_ptys(ifconfig_t)
@@ -299,33 +377,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@ -38426,6 +38448,7 @@ index a392fc4..f1782ee 100644
+sysnet_dns_name_resolve(ifconfig_t)
sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
+sysnet_filetrans_named_content_ifconfig(ifconfig_t)
-userdom_use_user_terminals(ifconfig_t)
+userdom_use_inherited_user_terminals(ifconfig_t)
@ -38460,7 +38483,7 @@ index a392fc4..f1782ee 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
@@ -336,7 +431,11 @@ ifdef(`hide_broken_symptoms',`
@@ -336,7 +432,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@ -38473,7 +38496,7 @@ index a392fc4..f1782ee 100644
')
optional_policy(`
@@ -350,7 +449,15 @@ optional_policy(`
@@ -350,7 +450,15 @@ optional_policy(`
')
optional_policy(`
@ -38490,7 +38513,7 @@ index a392fc4..f1782ee 100644
')
optional_policy(`
@@ -371,3 +478,13 @@ optional_policy(`
@@ -371,3 +479,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@ -42095,7 +42118,7 @@ index db75976..4ca3a28 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..102478f 100644
index 9dc60c6..87b5cc3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -43573,13 +43596,14 @@ index 9dc60c6..102478f 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
@@ -1145,10 +1559,14 @@ template(`userdom_admin_user_template',`
@@ -1145,10 +1559,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
+ dev_rw_generic_usb_dev($1_t)
+ dev_rw_usbfs($1_t)
+ dev_read_kmsg($1_t)
+ dev_read_cpuid($1_t)
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
@ -43588,7 +43612,7 @@ index 9dc60c6..102478f 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
@@ -1159,29 +1577,38 @@ template(`userdom_admin_user_template',`
@@ -1159,29 +1578,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@ -43631,7 +43655,7 @@ index 9dc60c6..102478f 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
@@ -1191,6 +1618,8 @@ template(`userdom_admin_user_template',`
@@ -1191,6 +1619,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@ -43640,7 +43664,7 @@ index 9dc60c6..102478f 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
@@ -1198,13 +1627,17 @@ template(`userdom_admin_user_template',`
@@ -1198,13 +1628,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@ -43659,7 +43683,7 @@ index 9dc60c6..102478f 100644
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1240,7 +1673,7 @@ template(`userdom_admin_user_template',`
@@ -1240,7 +1674,7 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
@ -43668,7 +43692,7 @@ index 9dc60c6..102478f 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
@@ -1250,6 +1683,8 @@ template(`userdom_security_admin_template',`
@@ -1250,6 +1684,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -43677,7 +43701,7 @@ index 9dc60c6..102478f 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1262,8 +1697,10 @@ template(`userdom_security_admin_template',`
@@ -1262,8 +1698,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@ -43689,7 +43713,7 @@ index 9dc60c6..102478f 100644
auth_relabel_shadow($1)
init_exec($1)
@@ -1274,29 +1711,31 @@ template(`userdom_security_admin_template',`
@@ -1274,29 +1712,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@ -43732,7 +43756,7 @@ index 9dc60c6..102478f 100644
')
optional_policy(`
@@ -1357,14 +1796,17 @@ interface(`userdom_user_home_content',`
@@ -1357,14 +1797,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@ -43751,7 +43775,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -1405,6 +1847,51 @@ interface(`userdom_user_tmpfs_file',`
@@ -1405,6 +1848,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@ -43803,7 +43827,7 @@ index 9dc60c6..102478f 100644
## <param name="domain">
## <summary>
## Domain allowed access.
@@ -1509,11 +1996,31 @@ interface(`userdom_search_user_home_dirs',`
@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@ -43835,7 +43859,7 @@ index 9dc60c6..102478f 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
@@ -1555,6 +2062,14 @@ interface(`userdom_list_user_home_dirs',`
@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@ -43850,7 +43874,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -1570,9 +2085,11 @@ interface(`userdom_list_user_home_dirs',`
@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@ -43862,7 +43886,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -1629,6 +2146,42 @@ interface(`userdom_relabelto_user_home_dirs',`
@@ -1629,6 +2147,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@ -43905,7 +43929,7 @@ index 9dc60c6..102478f 100644
########################################
## <summary>
## Create directories in the home dir root with
@@ -1708,6 +2261,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
@@ -1708,6 +2262,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@ -43914,7 +43938,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -1741,10 +2296,12 @@ interface(`userdom_list_all_user_home_content',`
@@ -1741,10 +2297,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@ -43929,7 +43953,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -1769,7 +2326,25 @@ interface(`userdom_manage_user_home_content_dirs',`
@@ -1769,7 +2327,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@ -43956,7 +43980,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1779,53 +2354,70 @@ interface(`userdom_manage_user_home_content_dirs',`
@@ -1779,53 +2355,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@ -44039,7 +44063,7 @@ index 9dc60c6..102478f 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
@@ -1845,6 +2437,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
@@ -1845,6 +2438,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@ -44065,7 +44089,7 @@ index 9dc60c6..102478f 100644
## Mmap user home files.
## </summary>
## <param name="domain">
@@ -1875,15 +2486,18 @@ interface(`userdom_mmap_user_home_content_files',`
@@ -1875,15 +2487,18 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@ -44086,7 +44110,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1891,18 +2505,18 @@ interface(`userdom_read_user_home_content_files',`
@@ -1891,18 +2506,18 @@ interface(`userdom_read_user_home_content_files',`
## </summary>
## </param>
#
@ -44110,7 +44134,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1910,17 +2524,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
@@ -1910,17 +2525,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
## </summary>
## </param>
#
@ -44136,7 +44160,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1928,7 +2546,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
@@ -1928,7 +2547,25 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
## </summary>
## </param>
#
@ -44163,7 +44187,7 @@ index 9dc60c6..102478f 100644
gen_require(`
type user_home_t;
')
@@ -1938,7 +2574,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
@@ -1938,7 +2575,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@ -44172,7 +44196,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1946,10 +2582,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
@@ -1946,10 +2583,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@ -44185,7 +44209,7 @@ index 9dc60c6..102478f 100644
')
userdom_search_user_home_content($1)
@@ -1958,7 +2593,7 @@ interface(`userdom_delete_all_user_home_content_files',`
@@ -1958,7 +2594,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
## <summary>
@ -44194,7 +44218,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1966,12 +2601,66 @@ interface(`userdom_delete_all_user_home_content_files',`
@@ -1966,12 +2602,66 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@ -44263,7 +44287,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -2007,8 +2696,7 @@ interface(`userdom_read_user_home_content_symlinks',`
@@ -2007,8 +2697,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@ -44273,7 +44297,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -2024,20 +2712,14 @@ interface(`userdom_read_user_home_content_symlinks',`
@@ -2024,20 +2713,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@ -44298,7 +44322,7 @@ index 9dc60c6..102478f 100644
########################################
## <summary>
@@ -2120,7 +2802,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
@@ -2120,7 +2803,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@ -44307,7 +44331,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2128,19 +2810,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
@@ -2128,19 +2811,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@ -44331,7 +44355,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2148,12 +2828,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
@@ -2148,12 +2829,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@ -44347,7 +44371,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -2390,11 +3070,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
@@ -2390,11 +3071,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@ -44362,7 +44386,7 @@ index 9dc60c6..102478f 100644
files_search_tmp($1)
')
@@ -2414,7 +3094,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
@@ -2414,7 +3095,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@ -44371,7 +44395,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -2538,6 +3218,26 @@ interface(`userdom_manage_user_tmp_files',`
@@ -2538,6 +3219,26 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
@ -44398,7 +44422,7 @@ index 9dc60c6..102478f 100644
## temporary symbolic links.
## </summary>
## <param name="domain">
@@ -2661,6 +3361,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
@@ -2661,6 +3362,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@ -44424,7 +44448,7 @@ index 9dc60c6..102478f 100644
########################################
## <summary>
## Read user tmpfs files.
@@ -2677,13 +3396,14 @@ interface(`userdom_read_user_tmpfs_files',`
@@ -2677,13 +3397,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -44440,7 +44464,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2704,7 +3424,7 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2704,7 +3425,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@ -44449,7 +44473,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2712,14 +3432,30 @@ interface(`userdom_rw_user_tmpfs_files',`
@@ -2712,14 +3433,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@ -44484,7 +44508,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -2814,6 +3550,24 @@ interface(`userdom_use_user_ttys',`
@@ -2814,6 +3551,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@ -44509,7 +44533,7 @@ index 9dc60c6..102478f 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
@@ -2832,22 +3586,34 @@ interface(`userdom_use_user_ptys',`
@@ -2832,22 +3587,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@ -44552,7 +44576,7 @@ index 9dc60c6..102478f 100644
## </desc>
## <param name="domain">
## <summary>
@@ -2856,14 +3622,33 @@ interface(`userdom_use_user_ptys',`
@@ -2856,14 +3623,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@ -44590,7 +44614,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -2882,8 +3667,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
@@ -2882,8 +3668,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@ -44620,7 +44644,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -2955,69 +3759,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
@@ -2955,69 +3760,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@ -44721,7 +44745,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3025,12 +3828,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
@@ -3025,12 +3829,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@ -44736,7 +44760,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -3094,7 +3897,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3094,7 +3898,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@ -44745,7 +44769,7 @@ index 9dc60c6..102478f 100644
allow unpriv_userdomain $1:process sigchld;
')
@@ -3110,16 +3913,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
@@ -3110,16 +3914,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -44767,7 +44791,7 @@ index 9dc60c6..102478f 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3127,30 +3932,12 @@ interface(`userdom_search_user_home_content',`
@@ -3127,30 +3933,12 @@ interface(`userdom_search_user_home_content',`
## </summary>
## </param>
#
@ -44800,7 +44824,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -3214,7 +4001,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
@@ -3214,7 +4002,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@ -44827,7 +44851,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -3269,7 +4074,83 @@ interface(`userdom_write_user_tmp_files',`
@@ -3269,7 +4075,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@ -44912,7 +44936,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -3287,7 +4168,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
@@ -3287,7 +4169,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@ -44921,7 +44945,7 @@ index 9dc60c6..102478f 100644
')
########################################
@@ -3306,6 +4187,7 @@ interface(`userdom_read_all_users_state',`
@@ -3306,6 +4188,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@ -44929,7 +44953,7 @@ index 9dc60c6..102478f 100644
kernel_search_proc($1)
')
@@ -3382,6 +4264,42 @@ interface(`userdom_signal_all_users',`
@@ -3382,6 +4265,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@ -44972,7 +44996,7 @@ index 9dc60c6..102478f 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
@@ -3402,6 +4320,24 @@ interface(`userdom_sigchld_all_users',`
@@ -3402,6 +4321,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@ -44997,7 +45021,7 @@ index 9dc60c6..102478f 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4371,1680 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4372,1680 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;


@ -536,7 +536,7 @@ index 058d908..2f6c3a9 100644
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f07..5508cee 100644
index eb50f07..cfd3aa9 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -731,7 +731,7 @@ index eb50f07..5508cee 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
@@ -176,29 +189,40 @@ files_getattr_all_files(abrt_t)
@@ -176,29 +189,42 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@ -756,14 +756,16 @@ index eb50f07..5508cee 100644
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
+logging_read_generic_logs(abrt_t)
-auth_use_nsswitch(abrt_t)
+storage_dontaudit_read_fixed_disk(abrt_t)
logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
+
auth_use_nsswitch(abrt_t)
-logging_read_generic_logs(abrt_t)
+auth_use_nsswitch(abrt_t)
+
+init_read_utmp(abrt_t)
+miscfiles_read_generic_certs(abrt_t)
@ -775,7 +777,7 @@ index eb50f07..5508cee 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
@@ -206,15 +230,11 @@ tunable_policy(`abrt_anon_write',`
@@ -206,15 +232,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@ -792,7 +794,7 @@ index eb50f07..5508cee 100644
')
optional_policy(`
@@ -222,6 +242,20 @@ optional_policy(`
@@ -222,6 +244,20 @@ optional_policy(`
')
optional_policy(`
@ -813,7 +815,7 @@ index eb50f07..5508cee 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
@@ -234,6 +268,11 @@ optional_policy(`
@@ -234,6 +270,11 @@ optional_policy(`
')
optional_policy(`
@ -825,7 +827,7 @@ index eb50f07..5508cee 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -243,6 +282,7 @@ optional_policy(`
@@ -243,6 +284,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@ -833,7 +835,7 @@ index eb50f07..5508cee 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
@@ -253,9 +293,17 @@ optional_policy(`
@@ -253,9 +295,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@ -852,7 +854,7 @@ index eb50f07..5508cee 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +314,13 @@ tunable_policy(`abrt_handle_event',`
@@ -266,9 +316,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@ -867,7 +869,7 @@ index eb50f07..5508cee 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +333,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
@@ -281,6 +335,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -875,7 +877,7 @@ index eb50f07..5508cee 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +342,20 @@ corecmd_read_all_executables(abrt_helper_t)
@@ -289,15 +344,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@ -896,7 +898,7 @@ index eb50f07..5508cee 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +363,25 @@ ifdef(`hide_broken_symptoms',`
@@ -305,11 +365,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -923,7 +925,7 @@ index eb50f07..5508cee 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +399,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
@@ -327,10 +401,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@ -937,7 +939,7 @@ index eb50f07..5508cee 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +417,11 @@ optional_policy(`
@@ -343,10 +419,11 @@ optional_policy(`
#######################################
#
@ -951,7 +953,7 @@ index eb50f07..5508cee 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +440,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
@@ -365,38 +442,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@ -1003,7 +1005,7 @@ index eb50f07..5508cee 100644
#######################################
#
@@ -404,7 +489,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
@@ -404,7 +491,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1012,7 +1014,7 @@ index eb50f07..5508cee 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
@@ -413,16 +498,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
@@ -413,16 +500,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@ -1056,7 +1058,7 @@ index eb50f07..5508cee 100644
')
#######################################
@@ -430,10 +541,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
@@ -430,10 +543,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@ -7969,7 +7971,7 @@ index 2077053..198a02a 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
index 7e41350..1076937 100644
index 7e41350..e8e1672 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
@ -8003,7 +8005,15 @@ index 7e41350..1076937 100644
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t)
@@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
corenet_sendrecv_sip_client_packets(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
+corenet_tcp_connect_http_port(asterisk_t)
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
@@ -136,7 +136,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
@ -8011,7 +8021,7 @@ index 7e41350..1076937 100644
files_search_spool(asterisk_t)
files_dontaudit_search_home(asterisk_t)
@@ -150,8 +148,6 @@ auth_use_nsswitch(asterisk_t)
@@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t)
logging_search_logs(asterisk_t)
logging_send_syslog_msg(asterisk_t)
@ -28277,10 +28287,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
index 0000000..781c76d
index 0000000..cb68ca9
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,122 @@
@@ -0,0 +1,125 @@
+policy_module(gear, 1.0.0)
+
+########################################
@ -28315,6 +28325,8 @@ index 0000000..781c76d
+allow gear_t self:unix_stream_socket create_stream_socket_perms;
+allow gear_t self:tcp_socket create_stream_socket_perms;
+
+allow gear_t gear_unit_file_t:dir { relabelfrom relabelto };
+
+manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
+manage_files_pattern(gear_t, gear_log_t, gear_log_t)
+manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
@ -28328,6 +28340,7 @@ index 0000000..781c76d
+manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
+files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
+allow gear_t gear_var_lib_t:dir { relabelfrom relabelto };
+
+manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
+manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
@ -45714,7 +45727,7 @@ index 6194b80..cafb2b0 100644
')
+
diff --git a/mozilla.te b/mozilla.te
index 11ac8e4..633063d 100644
index 11ac8e4..fb431ea 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
@ -46152,7 +46165,7 @@ index 11ac8e4..633063d 100644
')
optional_policy(`
@@ -300,259 +324,252 @@ optional_policy(`
@@ -300,259 +324,253 @@ optional_policy(`
########################################
#
@ -46474,6 +46487,7 @@ index 11ac8e4..633063d 100644
- allow mozilla_plugin_t self:process { execmem execstack };
+optional_policy(`
+ alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_rw_config(mozilla_plugin_config_t)
+ alsa_read_home_files(mozilla_plugin_t)
')
@ -46551,7 +46565,7 @@ index 11ac8e4..633063d 100644
')
optional_policy(`
@@ -560,7 +577,11 @@ optional_policy(`
@@ -560,7 +578,11 @@ optional_policy(`
')
optional_policy(`
@ -46564,7 +46578,7 @@ index 11ac8e4..633063d 100644
')
optional_policy(`
@@ -568,108 +589,131 @@ optional_policy(`
@@ -568,108 +590,131 @@ optional_policy(`
')
optional_policy(`
@ -48305,7 +48319,7 @@ index ed81cac..8f217ea 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
index ff1d68c..0c688c5 100644
index ff1d68c..4cf1204 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@ -48532,7 +48546,7 @@ index ff1d68c..0c688c5 100644
')
optional_policy(`
@@ -258,10 +282,15 @@ optional_policy(`
@@ -258,10 +282,16 @@ optional_policy(`
')
optional_policy(`
@ -48542,13 +48556,14 @@ index ff1d68c..0c688c5 100644
optional_policy(`
+ munin_dontaudit_leaks(system_mail_t)
+ munin_append_var_lib_files(system_mail_t)
+')
+
+optional_policy(`
nagios_read_tmp_files(system_mail_t)
')
@@ -272,6 +301,19 @@ optional_policy(`
@@ -272,6 +302,19 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@ -48568,7 +48583,7 @@ index ff1d68c..0c688c5 100644
')
optional_policy(`
@@ -287,42 +329,36 @@ optional_policy(`
@@ -287,42 +330,36 @@ optional_policy(`
')
optional_policy(`
@ -48621,7 +48636,7 @@ index ff1d68c..0c688c5 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,40 +367,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,40 +368,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@ -48670,7 +48685,7 @@ index ff1d68c..0c688c5 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
@@ -372,6 +394,17 @@ optional_policy(`
@@ -372,6 +395,17 @@ optional_policy(`
')
optional_policy(`
@ -48688,7 +48703,7 @@ index ff1d68c..0c688c5 100644
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
@@ -381,24 +414,49 @@ optional_policy(`
@@ -381,24 +415,49 @@ optional_policy(`
########################################
#
@ -48875,7 +48890,7 @@ index eb4b72a..af28bb5 100644
+/var/www/html/cgi/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
index b744fe3..900d083 100644
index b744fe3..50c386e 100644
--- a/munin.if
+++ b/munin.if
@@ -1,12 +1,13 @@
@ -48946,7 +48961,7 @@ index b744fe3..900d083 100644
## </summary>
## <param name="domain">
## <summary>
@@ -80,15 +84,53 @@ interface(`munin_read_config',`
@@ -80,15 +84,73 @@ interface(`munin_read_config',`
type munin_etc_t;
')
@ -48978,6 +48993,26 @@ index b744fe3..900d083 100644
+
+')
+
+#######################################
+## <summary>
+## Append munin library files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`munin_append_var_lib_files',`
+ gen_require(`
+ type munin_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ append_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
+
+')
+
+######################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
@ -49002,7 +49037,7 @@ index b744fe3..900d083 100644
## </summary>
## <param name="domain">
## <summary>
@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',`
@@ -147,8 +209,8 @@ interface(`munin_dontaudit_search_lib',`
########################################
## <summary>
@ -49013,7 +49048,7 @@ index b744fe3..900d083 100644
## </summary>
## <param name="domain">
## <summary>
@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',`
@@ -157,7 +219,7 @@ interface(`munin_dontaudit_search_lib',`
## </param>
## <param name="role">
## <summary>
@ -49022,7 +49057,7 @@ index b744fe3..900d083 100644
## </summary>
## </param>
## <rolecap/>
@@ -167,11 +209,15 @@ interface(`munin_admin',`
@@ -167,11 +229,15 @@ interface(`munin_admin',`
attribute munin_plugin_domain, munin_plugin_tmp_content;
type munin_t, munin_etc_t, munin_tmp_t;
type munin_log_t, munin_var_lib_t, munin_var_run_t;
@ -49041,7 +49076,7 @@ index b744fe3..900d083 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
@@ -193,5 +239,5 @@ interface(`munin_admin',`
@@ -193,5 +259,5 @@ interface(`munin_admin',`
files_list_pids($1)
admin_pattern($1, munin_var_run_t)
@ -53135,10 +53170,10 @@ index 0000000..28936b4
+')
diff --git a/nova.te b/nova.te
new file mode 100644
index 0000000..f691a30
index 0000000..2c40c73
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,310 @@
@@ -0,0 +1,314 @@
+policy_module(nova, 1.0.0)
+
+########################################
@ -53271,6 +53306,10 @@ index 0000000..f691a30
+ ssh_exec_keygen(nova_api_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(nova_api_t)
+')
+
+#optional_policy(`
+# unconfined_domain(nova_api_t)
+#')
@ -59379,10 +59418,10 @@ index 0000000..42ed4ba
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
index 0000000..a0161d5
index 0000000..3bcd32c
--- /dev/null
+++ b/openwsman.te
@@ -0,0 +1,56 @@
@@ -0,0 +1,74 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
@ -59397,6 +59436,9 @@ index 0000000..a0161d5
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
+type openwsman_tmpfs_t;
+files_tmpfs_file(openwsman_tmpfs_t)
+
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
@ -59422,6 +59464,10 @@ index 0000000..a0161d5
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
+fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
+
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
@ -59433,12 +59479,23 @@ index 0000000..a0161d5
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
+corenet_tcp_bind_http_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
+logging_send_syslog_msg(openwsman_t)
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
+ sblim_stream_connect_sfcbd(openwsman_t)
+ sblim_rw_semaphores_sfcbd(openwsman_t)
+ sblim_getattr_exec_sfcbd(openwsman_t)
+')
+
+optional_policy(`
+ unconfined_domain(openwsman_t)
+')
+
diff --git a/oracleasm.fc b/oracleasm.fc
new file mode 100644
index 0000000..80fb8c3
@ -73632,10 +73689,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
index 8644d8b..9494e23 100644
index 8644d8b..4398f8e 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,136 @@ policy_module(quantum, 1.1.0)
@@ -5,92 +5,137 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@ -73699,7 +73756,8 @@ index 8644d8b..9494e23 100644
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
+manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
+files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
@ -82908,7 +82966,7 @@ index f1140ef..642e062 100644
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
index abeb302..61b21d2 100644
index abeb302..7c1f218 100644
--- a/rsync.te
+++ b/rsync.te
@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
@ -83029,7 +83087,7 @@ index abeb302..61b21d2 100644
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t)
@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@ -83155,6 +83213,8 @@ index abeb302..61b21d2 100644
optional_policy(`
- inetd_service_domain(rsync_t, rsync_exec_t)
+ swift_manage_data_files(rsync_t)
+ swift_manage_lock(rsync_t)
+ swift_filetrans_named_lock(rsync_t)
')
diff --git a/rtas.fc b/rtas.fc
new file mode 100644
@ -87331,7 +87391,7 @@ index 68a550d..e976fc6 100644
/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/sblim.if b/sblim.if
index 98c9e0a..d4aa009 100644
index 98c9e0a..562666e 100644
--- a/sblim.if
+++ b/sblim.if
@@ -1,8 +1,36 @@
@ -87382,21 +87442,19 @@ index 98c9e0a..d4aa009 100644
## </summary>
## <param name="domain">
## <summary>
@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',`
@@ -40,34 +68,129 @@ interface(`sblim_read_pid_files',`
########################################
## <summary>
-## All of the rules required to
-## administrate an sblim environment.
+## Transition to sblim named content
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## </summary>
+## </param>
+#
+interface(`sblim_filetrans_named_content',`
+ gen_require(`
@ -87408,12 +87466,91 @@ index 98c9e0a..d4aa009 100644
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gatherd environment
+## Connect to sblim_sfcb over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
+interface(`sblim_stream_connect_sfcbd',`
+ gen_require(`
+ type sblim_sfcb_t, sblim_var_lib_t;
+ type sblim_tmp_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
+')
+
+#######################################
+## <summary>
+## Getattr on sblim executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sblim_getattr_exec_sfcbd',`
+ gen_require(`
+ type sblim_sfcbd_exec_t;
+ ')
+
+ allow $1 sblim_sfcbd_exec_t:file getattr;
+')
+
+
+########################################
+## <summary>
+## Connect to sblim_sfcb over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_stream_connect_sfcb',`
+ gen_require(`
+ type sblim_sfcb_t, sblim_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
+')
+
+#######################################
+## <summary>
+## Allow read and write access to sblim semaphores.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sblim_rw_semaphores_sfcbd',`
+ gen_require(`
+ type sblim_sfcbd_t;
+ ')
+
+ allow $1 sblim_sfcbd_t:sem rw_sem_perms;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gatherd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
@ -87448,7 +87585,7 @@ index 98c9e0a..d4aa009 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
index 299756b..99eda9b 100644
index 299756b..1edabdf 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -87554,7 +87691,7 @@ index 299756b..99eda9b 100644
')
optional_policy(`
@@ -117,6 +133,35 @@ optional_policy(`
@@ -117,6 +133,43 @@ optional_policy(`
# Reposd local policy
#
@ -87586,11 +87723,19 @@ index 299756b..99eda9b 100644
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
+
+corecmd_exec_shell(sblim_sfcbd_t)
+corecmd_exec_bin(sblim_sfcbd_t)
+
+dev_read_rand(sblim_sfcbd_t)
+dev_read_urand(sblim_sfcbd_t)
+
+domain_read_all_domains_state(sblim_sfcbd_t)
+domain_use_interactive_fds(sblim_sfcbd_t)
+
+optional_policy(`
+ rpm_exec(sblim_sfcbd_t)
+ rpm_dontaudit_manage_db(sblim_sfcbd_t)
+')
diff --git a/screen.fc b/screen.fc
index e7c2cf7..435aaa6 100644
--- a/screen.fc
@ -94054,10 +94199,10 @@ index 49d688d..f07cc80 100644
sysnet_dns_name_resolve(svnserve_t)
diff --git a/swift.fc b/swift.fc
new file mode 100644
index 0000000..744f0ce
index 0000000..a4ec18a
--- /dev/null
+++ b/swift.fc
@@ -0,0 +1,29 @@
@@ -0,0 +1,30 @@
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
@ -94077,6 +94222,7 @@ index 0000000..744f0ce
+
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
+
+/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0)
+/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
+/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
+
@ -94089,10 +94235,10 @@ index 0000000..744f0ce
+')
diff --git a/swift.if b/swift.if
new file mode 100644
index 0000000..df82c36
index 0000000..6a1f575
--- /dev/null
+++ b/swift.if
@@ -0,0 +1,118 @@
@@ -0,0 +1,155 @@
+
+## <summary>policy for swift</summary>
+
@ -94154,6 +94300,43 @@ index 0000000..df82c36
+ manage_dirs_pattern($1, swift_data_t, swift_data_t)
+')
+
+#####################################
+## <summary>
+## Read and write swift lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`swift_manage_lock',`
+ gen_require(`
+ type swift_lock_t;
+ ')
+
+ files_search_locks($1)
+ manage_files_pattern($1, swift_lock_t, swift_lock_t)
+')
+
+#######################################
+## <summary>
+## Transition content labels to swift named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`swift_filetrans_named_lock',`
+ gen_require(`
+ type swift_lock_t;
+ ')
+
+ files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
+')
+
+########################################
+## <summary>
+## Execute swift server in the swift domain.
@ -94213,10 +94396,10 @@ index 0000000..df82c36
+')
diff --git a/swift.te b/swift.te
new file mode 100644
index 0000000..159ae72
index 0000000..9ee77b2
--- /dev/null
+++ b/swift.te
@@ -0,0 +1,89 @@
@@ -0,0 +1,97 @@
+policy_module(swift, 1.0.0)
+
+########################################
@ -94228,6 +94411,9 @@ index 0000000..159ae72
+type swift_exec_t;
+init_daemon_domain(swift_t, swift_exec_t)
+
+type swift_lock_t;
+files_lock_file(swift_lock_t)
+
+type swift_tmp_t;
+files_tmp_file(swift_tmp_t)
+
@ -94258,6 +94444,10 @@ index 0000000..159ae72
+allow swift_t self:unix_stream_socket create_stream_socket_perms;
+allow swift_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t)
+manage_files_pattern(swift_t, swift_lock_t, swift_lock_t)
+files_lock_filetrans(swift_t, swift_lock_t, { dir file })
+
+manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
@ -94305,6 +94495,7 @@ index 0000000..159ae72
+
+optional_policy(`
+ rpm_exec(swift_t)
+ rpm_dontaudit_manage_db(swift_t)
+')
diff --git a/swift_alias.fc b/swift_alias.fc
new file mode 100644


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 53%{?dist}
Release: 54%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -588,6 +588,31 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue May 20 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-54
- geard seems to do a lot of relabeling
- Allow system_mail_t to append to munin_var_lib_t
- Allow mozilla_plugin to read alsa_rw_ content
- Allow asterisk to connect to the apache ports
- Dontaudit attempts to read fixed disk
- Dontaudit search gconf_home_t
- Allow rsync to create swift_server.lock with swift.log labeling
- Add labeling for swift lock files
- Use swift_virt_lock in swift.te
- Allow openwsman to getattr on sblim_sfcbd executable
- Fix sblim_stream_connect_sfcb() to contain also sblim_tmp_t
- Allow openwsman_t to read/write sblim-sfcb shared mem
- Allow openwsman to stream connec to sblim-sfcbd
- Allow openwsman to create tmpfs files/dirs
- dontaudit acces to rpm db if rpm_exec for swift_t and sblim_sfcbd_t
- Allow sblim_sfcbd to execute shell
- Allow swift to create lock file
- Allow openwsman to use tcp/80
- Allow neutron to create also dirs in /tmp
- Allow seunshare domains to getattr on all executables
- Allow ssh-keygen to create temporary files/dirs needed by OpenStack
- Allow named_filetrans_domain to create /run/netns
- Allow ifconfig to create /run/netns
* Tue May 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-53
- Add missing dyntransition for sandbox_x_domain