diff --git a/policy-rawhide.patch b/policy-rawhide.patch index ce44aa45..cc2839ad 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 28802c5..7ee62e0 100644 +index 28802c5..f2026cd 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -62032,8 +62032,12 @@ index 28802c5..7ee62e0 100644 } # -@@ -446,6 +451,7 @@ class capability2 - mac_admin # unused by SELinux +@@ -443,9 +448,10 @@ class capability + class capability2 + { + mac_override # unused by SELinux +- mac_admin # unused by SELinux ++ mac_admin syslog wake_alarm + epollwakeup @@ -65958,7 +65962,7 @@ index 8e0f9cd..da3b374 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index fe2ee5e..8db5e47 100644 +index fe2ee5e..7f3dc50 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -14,12 +14,14 @@ attribute node_type; @@ -66107,6 +66111,7 @@ index fe2ee5e..8db5e47 100644 -network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +-network_port(kismet, tcp,2501,s0) +network_port(jabber_router, tcp,5347,s0) +network_port(jacorb, tcp,3528,s0, tcp,3529,s0) +network_port(jboss_debug, tcp,8787,s0) @@ -66116,7 +66121,7 @@ index fe2ee5e..8db5e47 100644 +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) +network_port(keystone, tcp,5000,s0, udp,5000,s0) - network_port(kismet, tcp,2501,s0) ++network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) 
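Review bot: The new side drops `network_port(kismet, tcp,2501,s0)` and re-declares port 2501 as `rtsclient`, which also removes the generated `kismet_port_t` type and the `corenet_*_kismet_port()` interfaces; if the kismet module in this tree still binds its port through those interfaces (refpolicy's kismet.te normally does), the policy no longer links, so either keep the kismet declaration alongside the new one or patch kismet.te in the same change. If the intent is that kismet now uses rtsclient_port_t, say so next to the new declaration, e.g. `# port 2501 was kismet_port_t; kismet now binds rtsclient_port_t`. The port list this hunk edits continues outside the hunk.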
@@ -74115,14 +74120,21 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index e5aee97..3d10b66 100644 +index e5aee97..681001d 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,57 @@ policy_module(staff, 2.3.0) +@@ -8,12 +8,64 @@ policy_module(staff, 2.3.0) role staff_r; userdom_unpriv_user_template(staff) +fs_exec_noxattr(staff_t) ++ ++## ++##

++## allow staff user to create and transition to svirt domains. ++##

++##
++gen_tunable(staff_use_svirt, false) ######################################## # @@ -74176,7 +74188,7 @@ index e5aee97..3d10b66 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +68,98 @@ optional_policy(` +@@ -23,11 +75,98 @@ optional_policy(` ') optional_policy(` @@ -74276,7 +74288,7 @@ index e5aee97..3d10b66 100644 ') optional_policy(` -@@ -35,15 +167,27 @@ optional_policy(` +@@ -35,15 +174,27 @@ optional_policy(` ') optional_policy(` @@ -74306,7 +74318,7 @@ index e5aee97..3d10b66 100644 ') optional_policy(` -@@ -52,10 +196,59 @@ optional_policy(` +@@ -52,10 +203,59 @@ optional_policy(` ') optional_policy(` @@ -74366,7 +74378,7 @@ index e5aee97..3d10b66 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +258,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +265,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -74377,7 +74389,7 @@ index e5aee97..3d10b66 100644 cdrecord_role(staff_r, staff_t) ') -@@ -93,18 +282,10 @@ ifndef(`distro_redhat',` +@@ -93,18 +289,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -74396,7 +74408,7 @@ index e5aee97..3d10b66 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +306,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +313,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -74407,7 +74419,7 @@ index e5aee97..3d10b66 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +318,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +325,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -74418,7 +74430,7 @@ index e5aee97..3d10b66 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +349,7 @@ ifndef(`distro_redhat',` +@@ -176,3 +356,15 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') 
@@ -74426,6 +74438,14 @@ index e5aee97..3d10b66 100644 +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(staff_t) +') ++ ++virt_transition_svirt(staff_t, staff_r) ++virt_filetrans_home_content(staff_t) ++tunable_policy(`staff_use_svirt',` ++ allow staff_t self:fifo_file relabelfrom; ++ dev_rw_kvm(staff_t) ++ virt_manage_images(staff_t) ++') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if index ff92430..36740ea 100644 --- a/policy/modules/roles/sysadm.if @@ -76050,10 +76070,23 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 9f6d4c3..cad6364 100644 +index 9f6d4c3..7852ae3 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,12 +12,90 @@ role user_r; +@@ -1,5 +1,12 @@ + policy_module(unprivuser, 2.3.0) + ++## ++##
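Review bot: The added `virt_transition_svirt(staff_t, staff_r)` and `virt_filetrans_home_content(staff_t)` calls, and the `tunable_policy` block after them, are at file scope rather than inside an `optional_policy` block, so staff.te now hard-depends on the virt module and fails to link when it is not built; wrap the whole appended block in `optional_policy(` … `')` as the other cross-module calls in this file are. The tunable's description says it lets staff "create and transition to svirt domains", but the transition is granted unconditionally and `staff_use_svirt` only gates `dev_rw_kvm`, `virt_manage_images` and the fifo_file rule, so the description should state what the boolean actually toggles. `allow staff_t self:fifo_file relabelfrom;` is a raw rule with no comment on which virt component needs it; add one such as `# NOTE(review): which virt tool needs relabelfrom on staff's own fifos? — confirm`. The same file-scope placement appears in the unprivuser.te hunk further down.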

++## Allow unprivledged user to create and transition to svirt domains. ++##

++##
++gen_tunable(unprivuser_use_svirt, false) ++ + # this module should be named user, but that is + # a compile error since user is a keyword. + +@@ -12,12 +19,90 @@ role user_r; userdom_unpriv_user_template(user) @@ -76145,7 +76178,7 @@ index 9f6d4c3..cad6364 100644 ') optional_policy(` -@@ -25,6 +103,18 @@ optional_policy(` +@@ -25,6 +110,18 @@ optional_policy(` ') optional_policy(` @@ -76164,7 +76197,7 @@ index 9f6d4c3..cad6364 100644 vlock_run(user_t, user_r) ') -@@ -66,10 +156,6 @@ ifndef(`distro_redhat',` +@@ -66,10 +163,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -76175,7 +76208,7 @@ index 9f6d4c3..cad6364 100644 gpg_role(user_r, user_t) ') -@@ -102,10 +188,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +195,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -76186,7 +76219,7 @@ index 9f6d4c3..cad6364 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +210,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +217,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -76194,11 +76227,17 @@ index 9f6d4c3..cad6364 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +242,4 @@ ifndef(`distro_redhat',` +@@ -161,3 +249,10 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') + ++ ++virt_transition_svirt(user_t, user_r) ++virt_filetrans_home_content(user_t) ++tunable_policy(`unprivuser_use_svirt',` ++ virt_manage_images(user_t) ++') diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc index a26f84f..4e52843 100644 --- a/policy/modules/services/postgresql.fc @@ -79003,7 +79042,7 @@ index 130ced9..1b31c76 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..c7e6040 100644 +index d40f750..3711d39 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
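Review bot: The tunable description added at the top of unprivuser.te misspells "unprivileged" and overstates the boolean's effect: the `virt_transition_svirt(user_t, user_r)` and `virt_filetrans_home_content(user_t)` calls appended at the end of the file are unconditional, and only `virt_manage_images(user_t)` sits behind `unprivuser_use_svirt`. Reword it to `## Allow unprivileged user to manage svirt images; the transition to svirt domains is always allowed.` or move the transition calls so the text and the rules agree. The appended block also inserts two blank lines before `virt_transition_svirt` where the file otherwise uses one.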
@@ -79327,13 +79366,14 @@ index d40f750..c7e6040 100644 ') optional_policy(` -@@ -299,64 +396,103 @@ optional_policy(` +@@ -299,64 +396,104 @@ optional_policy(` # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; ++allow xdm_t self:capability2 { block_suspend }; +dontaudit xdm_t self:capability sys_admin; + +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; @@ -79441,7 +79481,7 @@ index d40f750..c7e6040 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +501,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +502,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -79471,7 +79511,7 @@ index d40f750..c7e6040 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +531,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +532,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) 
@@ -79524,7 +79564,7 @@ index d40f750..c7e6040 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +583,25 @@ files_list_mnt(xdm_t) +@@ -430,9 +584,25 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -79550,7 +79590,7 @@ index d40f750..c7e6040 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +611,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -79592,7 +79632,7 @@ index d40f750..c7e6040 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +651,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -79642,7 +79682,7 @@ index d40f750..c7e6040 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +701,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -79664,7 +79704,7 @@ index d40f750..c7e6040 100644 ') optional_policy(` -@@ -514,12 +722,64 @@ optional_policy(` +@@ -514,12 +723,64 @@ optional_policy(` ') optional_policy(` @@ -79729,7 +79769,7 @@ index d40f750..c7e6040 100644 hostname_exec(xdm_t) ') -@@ -537,28 +797,69 @@ optional_policy(` +@@ -537,28 +798,69 @@ optional_policy(` ') optional_policy(` @@ -79808,7 +79848,7 @@ index d40f750..c7e6040 100644 ') optional_policy(` -@@ -570,6 +871,14 @@ optional_policy(` +@@ -570,6 +872,14 @@ optional_policy(` ') optional_policy(` 
@@ -79823,7 +79863,7 @@ index d40f750..c7e6040 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +903,8 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,7 +904,8 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -79833,7 +79873,7 @@ index d40f750..c7e6040 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -608,8 +918,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -79849,7 +79889,7 @@ index d40f750..c7e6040 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +945,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -79871,7 +79911,7 @@ index d40f750..c7e6040 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +965,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +966,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) 
@@ -79885,7 +79925,7 @@ index d40f750..c7e6040 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +991,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +992,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -79917,7 +79957,7 @@ index d40f750..c7e6040 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1024,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -79931,7 +79971,7 @@ index d40f750..c7e6040 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,8 +1042,6 @@ init_getpgid(xserver_t) +@@ -708,8 +1043,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -79940,7 +79980,7 @@ index d40f750..c7e6040 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -717,11 +1049,12 @@ logging_send_audit_msgs(xserver_t) +@@ -717,11 +1050,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -79955,7 +79995,7 @@ index d40f750..c7e6040 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1108,40 @@ optional_policy(` +@@ -775,16 +1109,40 @@ optional_policy(` ') optional_policy(` @@ -79997,7 +80037,7 @@ index d40f750..c7e6040 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1150,10 @@ optional_policy(` +@@ -793,6 +1151,10 @@ optional_policy(` ') optional_policy(` 
@@ -80008,7 +80048,7 @@ index d40f750..c7e6040 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1170,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -80022,7 +80062,7 @@ index d40f750..c7e6040 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1181,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -80031,7 +80071,7 @@ index d40f750..c7e6040 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1193,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1194,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -80066,7 +80106,7 @@ index d40f750..c7e6040 100644 ') optional_policy(` -@@ -859,6 +1215,10 @@ optional_policy(` +@@ -859,6 +1216,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -80077,7 +80117,7 @@ index d40f750..c7e6040 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -80086,7 +80126,7 @@ index d40f750..c7e6040 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1316,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1317,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -80118,7 +80158,7 @@ index d40f750..c7e6040 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1362,44 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1363,44 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -80375,7 +80415,7 @@ index 28ad538..47fdb65 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index f416ce9..25def3e 100644 +index f416ce9..1409940 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -80500,12 +80540,14 @@ index f416ce9..25def3e 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,9 +198,89 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +198,91 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) - tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all($1) ++ systemd_login_read_pid_files($1) ++ + userdom_set_rlimitnh($1) + userdom_read_user_home_content_symlinks($1) + userdom_delete_user_tmp_files($1) 
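Review bot: `systemd_login_read_pid_files($1)` is added to `auth_login_pgm_domain` at interface scope, not inside `optional_policy`, so every login program's policy fails to build when the systemd module is not loaded (unless systemd is in the base module set of this tree — confirm). Wrap it the way the other cross-module calls in authlogin.if are, `optional_policy(` / `systemd_login_read_pid_files($1)` / `')`, and add a one-line comment on why login programs need logind's pid files. The body of auth_login_pgm_domain continues outside the hunk.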
@@ -80592,7 +80634,7 @@ index f416ce9..25def3e 100644 ') ######################################## -@@ -231,6 +354,25 @@ interface(`auth_domtrans_login_program',` +@@ -231,6 +356,25 @@ interface(`auth_domtrans_login_program',` ######################################## ## @@ -80618,7 +80660,7 @@ index f416ce9..25def3e 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -395,13 +537,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -395,13 +539,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -80635,7 +80677,7 @@ index f416ce9..25def3e 100644 ') ######################################## -@@ -448,6 +592,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +594,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -80661,7 +80703,7 @@ index f416ce9..25def3e 100644 ') ######################################## -@@ -467,7 +630,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +632,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -80669,7 +80711,7 @@ index f416ce9..25def3e 100644 ') ######################################## -@@ -664,6 +826,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +828,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -80680,7 +80722,7 @@ index f416ce9..25def3e 100644 ') ####################################### -@@ -763,7 +929,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +931,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -80732,7 +80774,7 @@ index f416ce9..25def3e 100644 ') ####################################### -@@ -959,9 +1168,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1170,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -80766,7 +80808,7 @@ index f416ce9..25def3e 100644 ') ######################################## -@@ -1040,6 +1270,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1272,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -80777,7 +80819,7 @@ index f416ce9..25def3e 100644 ') ######################################## -@@ -1157,6 +1391,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1157,6 +1393,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -80785,7 +80827,7 @@ index f416ce9..25def3e 100644 ') ####################################### -@@ -1526,6 +1761,25 @@ interface(`auth_setattr_login_records',` +@@ -1526,6 +1763,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -80811,7 +80853,7 @@ index f416ce9..25def3e 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,24 +1930,7 @@ interface(`auth_manage_login_records',` +@@ -1676,24 +1932,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -80837,7 +80879,7 @@ index f416ce9..25def3e 100644 ') ######################################## -@@ -1717,9 +1954,9 @@ interface(`auth_relabel_login_records',` +@@ -1717,9 +1956,9 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -80850,7 +80892,7 @@ index f416ce9..25def3e 100644 typeattribute $1 nsswitch_domain; ') -@@ -1755,3 +1992,194 @@ interface(`auth_unconfined',` +@@ -1755,3 +1994,194 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -82829,7 +82871,7 @@ index d26fe81..3f3a57f 100644 + allow $1 init_t:system undefined; +') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 4a88fa1..2a13153 100644 +index 4a88fa1..582f563 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -82909,16 +82951,17 @@ index 4a88fa1..2a13153 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -95,7 +135,7 @@ ifdef(`enable_mls',` +@@ -95,7 +135,8 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module }; ++allow init_t self:capability2 ~{ mac_admin mac_override }; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -107,12 +147,26 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -107,12 +148,26 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -82951,7 +82994,7 @@ index 4a88fa1..2a13153 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -122,28 +176,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -122,28 +177,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -82991,7 +83034,7 @@ index 4a88fa1..2a13153 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -152,6 +216,8 @@ fs_list_inotifyfs(init_t) +@@ -152,6 +217,8 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -83000,7 +83043,7 @@ index 4a88fa1..2a13153 100644 mcs_process_set_categories(init_t) mcs_killall(init_t) -@@ -159,22 +225,41 @@ mls_file_read_all_levels(init_t) +@@ -159,22 +226,41 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) 
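Review bot: `allow init_t self:capability2 ~{ mac_admin mac_override };` grants init every capability2 permission except the two MAC ones, and like the negated capability rule above it means init silently gains any permission added to the class by a future kernel. Enumerate what init has actually been observed to need, e.g. `allow init_t self:capability2 { syslog wake_alarm block_suspend };` (restricted to the names the class declares), and keep a negated form only with a comment explaining why a blanket grant is required. The rest of init_t's local policy continues outside the hunk.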
@@ -83043,7 +83086,7 @@ index 4a88fa1..2a13153 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -183,12 +268,19 @@ ifdef(`distro_gentoo',` +@@ -183,12 +269,19 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -83064,7 +83107,7 @@ index 4a88fa1..2a13153 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -196,16 +288,148 @@ tunable_policy(`init_upstart',` +@@ -196,16 +289,148 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -83215,7 +83258,7 @@ index 4a88fa1..2a13153 100644 ') optional_policy(` -@@ -213,6 +437,18 @@ optional_policy(` +@@ -213,6 +438,18 @@ optional_policy(` ') optional_policy(` @@ -83234,7 +83277,7 @@ index 4a88fa1..2a13153 100644 unconfined_domain(init_t) ') -@@ -222,8 +458,8 @@ optional_policy(` +@@ -222,8 +459,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -83245,7 +83288,7 @@ index 4a88fa1..2a13153 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -251,12 +487,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -251,12 +488,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -83261,7 +83304,7 @@ index 4a88fa1..2a13153 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -272,23 +511,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -272,23 +512,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -83304,7 +83347,7 @@ index 4a88fa1..2a13153 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -296,6 +548,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -296,6 +549,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -83312,7 +83355,7 @@ index 4a88fa1..2a13153 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -306,8 +559,10 @@ dev_write_framebuffer(initrc_t) +@@ -306,8 +560,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -83323,7 +83366,7 @@ index 4a88fa1..2a13153 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -315,17 +570,16 @@ dev_manage_generic_files(initrc_t) +@@ -315,17 +571,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -83343,7 +83386,7 @@ index 4a88fa1..2a13153 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -333,6 +587,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -333,6 +588,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -83351,7 +83394,7 @@ index 4a88fa1..2a13153 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -340,8 +595,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -340,8 +596,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -83363,7 +83406,7 @@ index 4a88fa1..2a13153 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -357,8 +614,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -357,8 +615,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -83377,7 +83420,7 @@ index 4a88fa1..2a13153 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -368,9 +629,12 @@ fs_mount_all_fs(initrc_t) +@@ -368,9 +630,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -83391,7 +83434,7 @@ index 4a88fa1..2a13153 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -380,6 +644,7 @@ mls_process_read_up(initrc_t) +@@ -380,6 +645,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -83399,7 +83442,7 @@ index 4a88fa1..2a13153 100644 selinux_get_enforce_mode(initrc_t) -@@ -391,6 +656,7 @@ term_use_all_terms(initrc_t) +@@ -391,6 +657,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -83407,7 +83450,7 @@ index 4a88fa1..2a13153 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -411,18 +677,17 @@ logging_read_audit_config(initrc_t) +@@ -411,18 +678,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -83429,7 +83472,7 @@ index 4a88fa1..2a13153 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -476,6 +741,10 @@ ifdef(`distro_gentoo',` +@@ -476,6 +742,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -83440,7 +83483,7 @@ index 4a88fa1..2a13153 100644 alsa_read_lib(initrc_t) ') -@@ -496,7 +765,7 @@ ifdef(`distro_redhat',` +@@ -496,7 +766,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -83449,7 +83492,7 @@ index 4a88fa1..2a13153 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -511,6 +780,7 @@ ifdef(`distro_redhat',` +@@ -511,6 +781,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -83457,7 +83500,7 @@ index 4a88fa1..2a13153 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -531,6 +801,7 @@ ifdef(`distro_redhat',` +@@ -531,6 +802,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -83465,7 +83508,7 @@ index 4a88fa1..2a13153 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -540,8 +811,35 @@ ifdef(`distro_redhat',` +@@ -540,8 +812,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -83501,7 +83544,7 @@ index 4a88fa1..2a13153 100644 ') optional_policy(` -@@ -549,14 +847,27 @@ ifdef(`distro_redhat',` +@@ -549,14 +848,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -83529,7 +83572,7 @@ index 4a88fa1..2a13153 100644 ') ') -@@ -567,6 +878,39 @@ ifdef(`distro_suse',` +@@ -567,6 +879,39 @@ ifdef(`distro_suse',` ') ') @@ -83569,7 +83612,7 @@ index 4a88fa1..2a13153 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -579,6 +923,8 @@ optional_policy(` +@@ -579,6 +924,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -83578,7 +83621,7 @@ index 4a88fa1..2a13153 100644 ') optional_policy(` -@@ -600,6 +946,7 @@ optional_policy(` +@@ -600,6 +947,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -83586,7 +83629,7 @@ index 4a88fa1..2a13153 100644 ') optional_policy(` -@@ -612,6 +959,17 @@ optional_policy(` +@@ -612,6 +960,17 @@ optional_policy(` ') optional_policy(` @@ -83604,7 +83647,7 @@ index 4a88fa1..2a13153 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -628,9 +986,13 @@ optional_policy(` +@@ -628,9 +987,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -83618,7 +83661,7 @@ index 4a88fa1..2a13153 100644 ') optional_policy(` -@@ -655,6 +1017,10 @@ optional_policy(` +@@ -655,6 +1018,10 @@ optional_policy(` ') optional_policy(` @@ -83629,7 +83672,7 @@ index 4a88fa1..2a13153 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -672,6 +1038,15 @@ optional_policy(` +@@ -672,6 +1039,15 @@ optional_policy(` ') optional_policy(` @@ -83645,7 +83688,7 @@ index 4a88fa1..2a13153 100644 inn_exec_config(initrc_t) ') -@@ -712,6 +1087,7 @@ optional_policy(` +@@ -712,6 +1088,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -83653,7 +83696,7 @@ index 4a88fa1..2a13153 100644 ') optional_policy(` -@@ -729,7 +1105,13 @@ optional_policy(` +@@ -729,7 +1106,13 @@ optional_policy(` ') optional_policy(` @@ -83667,7 +83710,7 @@ index 4a88fa1..2a13153 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -752,6 +1134,10 @@ optional_policy(` +@@ -752,6 +1135,10 @@ optional_policy(` ') optional_policy(` @@ -83678,7 +83721,7 @@ index 4a88fa1..2a13153 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -761,10 +1147,20 @@ optional_policy(` +@@ -761,10 +1148,20 @@ optional_policy(` ') optional_policy(` 
@@ -83699,7 +83742,7 @@ index 4a88fa1..2a13153 100644 quota_manage_flags(initrc_t) ') -@@ -773,6 +1169,10 @@ optional_policy(` +@@ -773,6 +1170,10 @@ optional_policy(` ') optional_policy(` @@ -83710,7 +83753,7 @@ index 4a88fa1..2a13153 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -794,8 +1194,6 @@ optional_policy(` +@@ -794,8 +1195,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -83719,7 +83762,7 @@ index 4a88fa1..2a13153 100644 ') optional_policy(` -@@ -804,6 +1202,10 @@ optional_policy(` +@@ -804,6 +1203,10 @@ optional_policy(` ') optional_policy(` @@ -83730,7 +83773,7 @@ index 4a88fa1..2a13153 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -813,10 +1215,12 @@ optional_policy(` +@@ -813,10 +1216,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -83743,7 +83786,7 @@ index 4a88fa1..2a13153 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -828,8 +1232,6 @@ optional_policy(` +@@ -828,8 +1233,6 @@ optional_policy(` ') optional_policy(` @@ -83752,7 +83795,7 @@ index 4a88fa1..2a13153 100644 udev_manage_pid_files(initrc_t) udev_manage_pid_dirs(initrc_t) udev_manage_rules_files(initrc_t) -@@ -840,12 +1242,30 @@ optional_policy(` +@@ -840,12 +1243,30 @@ optional_policy(` ') optional_policy(` @@ -83785,7 +83828,7 @@ index 4a88fa1..2a13153 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -855,6 +1275,18 @@ optional_policy(` +@@ -855,6 +1276,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -83804,7 +83847,7 @@ index 4a88fa1..2a13153 100644 ') optional_policy(` -@@ -870,6 +1302,10 @@ optional_policy(` +@@ -870,6 +1303,10 @@ optional_policy(` ') optional_policy(` 
@@ -83815,7 +83858,7 @@ index 4a88fa1..2a13153 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -880,3 +1316,165 @@ optional_policy(` +@@ -880,3 +1317,165 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -91027,7 +91070,7 @@ index 77a13a5..9a5a73f 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 29075b3..6ee8c74 100644 +index 29075b3..13f3949 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -91046,12 +91089,13 @@ index 29075b3..6ee8c74 100644 ifdef(`enable_mcs',` kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) -@@ -36,9 +34,10 @@ ifdef(`enable_mcs',` +@@ -36,9 +34,11 @@ ifdef(`enable_mcs',` # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; ++allow udev_t self:capability2 { block_suspend }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + @@ -91059,7 +91103,7 @@ index 29075b3..6ee8c74 100644 allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; -@@ -52,6 +51,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; 
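Review bot: `allow udev_t self:capability2 { block_suspend };` hands udev CAP_BLOCK_SUSPEND outright with no comment on why a device manager must be able to hold the system out of suspend, and the same unexplained grant appears in userdomain.if (`allow $1_t self:capability2 { block_suspend syslog };`), cups.te (`allow cupsd_t self:capability2 { block_suspend };`) and dbus.te (`allow session_bus_type self:capability2 block_suspend;`). In my reading of the kernel's epoll code, epoll_ctl() simply clears EPOLLWAKEUP when the caller lacks CAP_BLOCK_SUSPEND while SELinux still audits the capability check, so if these were added to quiet AVC denials a `dontaudit udev_t self:capability2 block_suspend;` is the least-privilege form; keep `allow` only where the daemon genuinely needs to prevent suspend, and say so in a comment. All four rules also depend on `block_suspend` being declared under `class capability2` in policy/flask/access_vectors, and that declaration is not visible in these hunks. The udev_t local-policy block continues outside the hunk.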
@@ -91067,7 +91111,7 @@ index 29075b3..6ee8c74 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -62,31 +62,35 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -62,31 +63,35 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -91110,7 +91154,7 @@ index 29075b3..6ee8c74 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -97,6 +101,7 @@ corecmd_exec_all_executables(udev_t) +@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -91118,7 +91162,7 @@ index 29075b3..6ee8c74 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,23 +110,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,23 +111,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -91154,7 +91198,7 @@ index 29075b3..6ee8c74 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -143,10 +156,12 @@ auth_use_nsswitch(udev_t) +@@ -143,10 +157,12 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -91167,7 +91211,7 @@ index 29075b3..6ee8c74 100644 miscfiles_read_localization(udev_t) miscfiles_read_hwdata(udev_t) -@@ -154,6 +169,8 @@ miscfiles_read_hwdata(udev_t) +@@ -154,6 +170,8 @@ miscfiles_read_hwdata(udev_t) modutils_domtrans_insmod(udev_t) # read modules.inputmap: modutils_read_module_deps(udev_t) @@ -91176,7 +91220,7 @@ index 29075b3..6ee8c74 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +187,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) 
@@ -91185,7 +91229,7 @@ index 29075b3..6ee8c74 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -178,16 +197,9 @@ ifdef(`distro_gentoo',` +@@ -178,16 +198,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -91204,7 +91248,7 @@ index 29075b3..6ee8c74 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -216,11 +228,16 @@ optional_policy(` +@@ -216,11 +229,16 @@ optional_policy(` ') optional_policy(` @@ -91221,7 +91265,7 @@ index 29075b3..6ee8c74 100644 ') optional_policy(` -@@ -230,10 +247,20 @@ optional_policy(` +@@ -230,10 +248,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -91242,7 +91286,7 @@ index 29075b3..6ee8c74 100644 ') optional_policy(` -@@ -259,6 +286,10 @@ optional_policy(` +@@ -259,6 +287,10 @@ optional_policy(` ') optional_policy(` @@ -91253,7 +91297,7 @@ index 29075b3..6ee8c74 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +304,11 @@ optional_policy(` +@@ -273,6 +305,11 @@ optional_policy(` ') optional_policy(` @@ -91265,7 +91309,7 @@ index 29075b3..6ee8c74 100644 unconfined_signal(udev_t) ') -@@ -285,6 +321,7 @@ optional_policy(` +@@ -285,6 +322,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -92098,7 +92142,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..7ce85d3 100644 +index e720dcd..c4ae660 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -93406,7 +93450,7 @@ index e720dcd..7ce85d3 100644 # allow $1_t self:capability ~{ sys_module audit_control audit_write }; -+ allow $1_t self:capability2 syslog; ++ allow $1_t self:capability2 { block_suspend syslog }; allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index e9ed4806..49247694 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -13392,7 +13392,7 @@ index 305ddf4..11d010a 100644 + filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat") ') diff --git a/cups.te b/cups.te -index e5a8924..abb85c3 100644 +index e5a8924..4965460 100644 --- a/cups.te +++ b/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -13413,7 +13413,15 @@ index e5a8924..abb85c3 100644 type hplip_t; type hplip_exec_t; init_daemon_domain(hplip_t, hplip_exec_t) -@@ -123,6 +127,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -104,6 +108,7 @@ ifdef(`enable_mls',` + # /usr/lib/cups/backend/serial needs sys_admin(?!) + allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config }; + dontaudit cupsd_t self:capability { sys_tty_config net_admin }; ++allow cupsd_t self:capability2 { block_suspend }; + allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; + allow cupsd_t self:fifo_file rw_fifo_file_perms; + allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -123,6 +128,7 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) 
@@ -13421,7 +13429,7 @@ index e5a8924..abb85c3 100644 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -137,6 +142,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; +@@ -137,6 +143,7 @@ allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; allow cupsd_t cupsd_lock_t:file manage_file_perms; files_lock_filetrans(cupsd_t, cupsd_lock_t, file) @@ -13429,7 +13437,7 @@ index e5a8924..abb85c3 100644 manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) -@@ -146,11 +152,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) +@@ -146,11 +153,12 @@ manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -13444,7 +13452,7 @@ index e5a8924..abb85c3 100644 allow cupsd_t hplip_t:process { signal sigkill }; -@@ -159,14 +166,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) +@@ -159,14 +167,13 @@ read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) @@ -13460,7 +13468,7 @@ index e5a8924..abb85c3 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -211,6 +217,7 @@ mls_rangetrans_target(cupsd_t) +@@ -211,6 +218,7 @@ mls_rangetrans_target(cupsd_t) mls_socket_write_all_levels(cupsd_t) mls_fd_use_all_levels(cupsd_t) @@ -13468,7 +13476,7 @@ index e5a8924..abb85c3 100644 term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -@@ -220,11 +227,12 @@ corecmd_exec_bin(cupsd_t) +@@ -220,11 +228,12 @@ corecmd_exec_bin(cupsd_t) domain_use_interactive_fds(cupsd_t) 
@@ -13482,7 +13490,7 @@ index e5a8924..abb85c3 100644 # for /var/lib/defoma files_read_var_lib_files(cupsd_t) files_list_world_readable(cupsd_t) -@@ -270,12 +278,6 @@ files_dontaudit_list_home(cupsd_t) +@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) @@ -13495,7 +13503,7 @@ index e5a8924..abb85c3 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -287,6 +289,8 @@ optional_policy(` +@@ -287,6 +290,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -13504,7 +13512,7 @@ index e5a8924..abb85c3 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -297,8 +301,10 @@ optional_policy(` +@@ -297,8 +302,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -13515,7 +13523,7 @@ index e5a8924..abb85c3 100644 ') ') -@@ -311,10 +317,23 @@ optional_policy(` +@@ -311,10 +318,23 @@ optional_policy(` ') optional_policy(` @@ -13539,7 +13547,7 @@ index e5a8924..abb85c3 100644 mta_send_mail(cupsd_t) ') -@@ -322,6 +341,8 @@ optional_policy(` +@@ -322,6 +342,8 @@ optional_policy(` # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) @@ -13548,7 +13556,7 @@ index e5a8924..abb85c3 100644 ') optional_policy(` -@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -13559,7 +13567,7 @@ index e5a8924..abb85c3 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -381,7 +403,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) +@@ -381,7 +404,6 @@ read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) kernel_read_system_state(cupsd_config_t) kernel_read_all_sysctls(cupsd_config_t) 
@@ -13567,7 +13575,7 @@ index e5a8924..abb85c3 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -407,7 +428,6 @@ domain_use_interactive_fds(cupsd_config_t) +@@ -407,7 +429,6 @@ domain_use_interactive_fds(cupsd_config_t) domain_dontaudit_search_all_domains_state(cupsd_config_t) files_read_usr_files(cupsd_config_t) @@ -13575,7 +13583,7 @@ index e5a8924..abb85c3 100644 files_read_etc_runtime_files(cupsd_config_t) files_read_var_symlinks(cupsd_config_t) -@@ -425,11 +445,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -13589,7 +13597,7 @@ index e5a8924..abb85c3 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +473,10 @@ optional_policy(` +@@ -453,6 +474,10 @@ optional_policy(` ') optional_policy(` @@ -13600,7 +13608,7 @@ index e5a8924..abb85c3 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +491,10 @@ optional_policy(` +@@ -467,6 +492,10 @@ optional_policy(` ') optional_policy(` @@ -13611,7 +13619,7 @@ index e5a8924..abb85c3 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -526,7 +554,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) +@@ -526,7 +555,6 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) kernel_read_network_state(cupsd_lpd_t) 
@@ -13619,7 +13627,7 @@ index e5a8924..abb85c3 100644 corenet_all_recvfrom_netlabel(cupsd_lpd_t) corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) corenet_udp_sendrecv_generic_if(cupsd_lpd_t) -@@ -537,13 +564,13 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) +@@ -537,13 +565,13 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) corenet_tcp_bind_generic_node(cupsd_lpd_t) corenet_udp_bind_generic_node(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) @@ -13634,7 +13642,7 @@ index e5a8924..abb85c3 100644 auth_use_nsswitch(cupsd_lpd_t) -@@ -577,7 +604,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t) +@@ -577,7 +605,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -13642,7 +13650,7 @@ index e5a8924..abb85c3 100644 files_read_usr_files(cups_pdf_t) corecmd_exec_shell(cups_pdf_t) -@@ -587,23 +613,22 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,23 +614,22 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -13675,7 +13683,7 @@ index e5a8924..abb85c3 100644 ') ######################################## -@@ -647,7 +672,6 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) +@@ -647,7 +673,6 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file) kernel_read_system_state(hplip_t) kernel_read_kernel_sysctls(hplip_t) @@ -13683,7 +13691,7 @@ index e5a8924..abb85c3 100644 corenet_all_recvfrom_netlabel(hplip_t) corenet_tcp_sendrecv_generic_if(hplip_t) corenet_udp_sendrecv_generic_if(hplip_t) -@@ -661,10 +685,10 @@ corenet_tcp_bind_generic_node(hplip_t) +@@ -661,10 +686,10 @@ corenet_tcp_bind_generic_node(hplip_t) corenet_udp_bind_generic_node(hplip_t) corenet_tcp_bind_hplip_port(hplip_t) corenet_tcp_connect_hplip_port(hplip_t) @@ -13697,7 +13705,7 @@ index e5a8924..abb85c3 100644 dev_read_sysfs(hplip_t) dev_rw_printer(hplip_t) -@@ -682,9 +706,11 @@ corecmd_exec_bin(hplip_t) +@@ -682,9 +707,11 @@ corecmd_exec_bin(hplip_t) domain_use_interactive_fds(hplip_t) 
@@ -13710,7 +13718,7 @@ index e5a8924..abb85c3 100644 logging_send_syslog_msg(hplip_t) -@@ -695,9 +721,12 @@ sysnet_read_config(hplip_t) +@@ -695,9 +722,12 @@ sysnet_read_config(hplip_t) userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -13725,7 +13733,7 @@ index e5a8924..abb85c3 100644 optional_policy(` dbus_system_bus_client(hplip_t) -@@ -743,7 +772,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -743,7 +773,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -13733,7 +13741,7 @@ index e5a8924..abb85c3 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -760,7 +788,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -760,7 +789,6 @@ fs_search_auto_mountpoints(ptal_t) domain_use_interactive_fds(ptal_t) @@ -14442,7 +14450,7 @@ index fb4bf82..115133d 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 625cb32..ac27bd9 100644 +index 625cb32..cfe6dbd 100644 --- a/dbus.te +++ b/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -14548,7 +14556,7 @@ index 625cb32..ac27bd9 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -150,12 +178,160 @@ optional_policy(` +@@ -150,12 +178,161 @@ optional_policy(` ') optional_policy(` @@ -14607,6 +14615,7 @@ index 625cb32..ac27bd9 100644 +# +# session_bus_type rules +# ++allow session_bus_type self:capability2 block_suspend; +dontaudit session_bus_type self:capability sys_resource; +allow session_bus_type self:process { getattr sigkill signal }; +dontaudit session_bus_type self:process setrlimit; @@ -17025,7 +17034,7 @@ index fdaeeba..ec15389 100644 + virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) ') 
diff --git a/dnssec.fc b/dnssec.fc -new file mode 100755 +new file mode 100644 index 0000000..9e231a8 --- /dev/null +++ b/dnssec.fc @@ -17034,7 +17043,7 @@ index 0000000..9e231a8 + +/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) diff --git a/dnssec.if b/dnssec.if -new file mode 100755 +new file mode 100644 index 0000000..a952041 --- /dev/null +++ b/dnssec.if @@ -17104,7 +17113,7 @@ index 0000000..a952041 + admin_pattern($1, dnssec_trigger_var_run_t) +') diff --git a/dnssec.te b/dnssec.te -new file mode 100755 +new file mode 100644 index 0000000..98ba6e1 --- /dev/null +++ b/dnssec.te @@ -27434,10 +27443,10 @@ index c18c920..582f7f3 100644 kismet_manage_pid_files($1) kismet_manage_lib($1) diff --git a/kismet.te b/kismet.te -index 9dd6880..ab842bd 100644 +index 9dd6880..ba8021c 100644 --- a/kismet.te +++ b/kismet.te -@@ -74,7 +74,6 @@ kernel_read_network_state(kismet_t) +@@ -74,24 +74,22 @@ kernel_read_network_state(kismet_t) corecmd_exec_bin(kismet_t) @@ -27445,7 +27454,13 @@ index 9dd6880..ab842bd 100644 corenet_all_recvfrom_netlabel(kismet_t) corenet_tcp_sendrecv_generic_if(kismet_t) corenet_tcp_sendrecv_generic_node(kismet_t) -@@ -86,12 +85,11 @@ corenet_tcp_connect_pulseaudio_port(kismet_t) + corenet_tcp_sendrecv_all_ports(kismet_t) + corenet_tcp_bind_generic_node(kismet_t) +-corenet_tcp_bind_kismet_port(kismet_t) +-corenet_tcp_connect_kismet_port(kismet_t) ++corenet_tcp_bind_rtsclient_port(kismet_t) ++corenet_tcp_connect_rtsclient_port(kismet_t) + corenet_tcp_connect_pulseaudio_port(kismet_t) auth_use_nsswitch(kismet_t) @@ -30523,26 +30538,32 @@ index b681608..27460d5 100644 term_dontaudit_use_all_ptys(memcached_t) term_dontaudit_use_all_ttys(memcached_t) diff --git a/milter.fc b/milter.fc -index 1ec5a6c..cbcad00 100644 +index 1ec5a6c..06beeb2 100644 --- a/milter.fc 
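Review bot: `corenet_tcp_bind_rtsclient_port(kismet_t)` moves kismet onto a port type whose name no longer identifies the service, and the same rtsclient port type is granted to greylist_milter_t for bind in the milter.te hunk and to postfix_cleanup_t for connect in the postfix.te hunk, so one port type now covers the same TCP port for an unrelated wireless sniffer and a mail greylisting server. Two domains allowed to bind one port type can each take the port from the other; that is inherent in sharing a port number, but it should be stated where the bind is granted, e.g. `# the rtsclient port is also bound by sqlgrey (greylist_milter_t)` above the kismet bind. The enclosing kismet_t block continues past the hunk.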
+++ b/milter.fc -@@ -1,10 +1,15 @@ +@@ -1,13 +1,21 @@ +/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) + +/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) ++/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) +/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/lib/sqlgrey(/.*)? -- gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) +/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) /var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) + /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) + /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) + diff --git a/milter.if b/milter.if index ee72cbe..bf5fc09 100644 --- a/milter.if @@ -30628,7 +30649,7 @@ index ee72cbe..bf5fc09 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 26101cb..7393387 100644 +index 26101cb..01ef5a5 100644 --- a/milter.te +++ b/milter.te @@ -9,6 +9,13 @@ policy_module(milter, 1.4.0) 
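Review bot: `/var/lib/sqlgrey(/.*)? -- gen_context(system_u:object_r:greylist_milter_data_t,s0)` carries the `--` regular-file qualifier, so the /var/lib/sqlgrey directory itself and any subdirectory keep their parent's label and only plain files inside get greylist_milter_data_t; the sibling `/var/lib/milter-greylist(/.*)?` entry has no qualifier for exactly this reason. Unless sqlgrey's state directory is meant to stay unlabelled, drop the qualifier: `/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)`. The `/var/run/sqlgrey\.pid --` entry is fine, as it names a single file.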
@@ -30670,7 +30691,7 @@ index 26101cb..7393387 100644 ######################################## # # milter-greylist local policy -@@ -33,11 +58,19 @@ files_type(spamass_milter_state_t) +@@ -33,11 +58,25 @@ files_type(spamass_milter_state_t) allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; @@ -30681,15 +30702,37 @@ index 26101cb..7393387 100644 kernel_read_kernel_sysctls(greylist_milter_t) ++dev_read_rand(greylist_milter_t) ++dev_read_urand(greylist_milter_t) ++ +corecmd_exec_bin(greylist_milter_t) +corecmd_exec_shell(greylist_milter_t) + +corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) +corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) ++corenet_tcp_bind_rtsclient_port(greylist_milter_t) + ++# perl getgroups() reads a bunch of files in /etc ++files_read_etc_files(greylist_milter_t) # Allow the milter to read a GeoIP database in /usr/share files_read_usr_files(greylist_milter_t) # The milter runs from /var/lib/milter-greylist and maintains files there +@@ -49,6 +88,15 @@ auth_use_nsswitch(greylist_milter_t) + # Config is in /etc/mail/greylist.conf + mta_read_config(greylist_milter_t) + ++miscfiles_read_localization(greylist_milter_t) ++ ++sysnet_read_config(greylist_milter_t) ++ ++ ++optional_policy(` ++ mysql_stream_connect(greylist_milter_t) ++') ++ + ######################################## + # + # milter-regex local policy diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -42473,7 +42516,7 @@ index 46bee12..61cc81a 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index a1e0f60..4baf9a4 100644 +index a1e0f60..ec5fc31 100644 --- a/postfix.te +++ b/postfix.te @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0) 
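Review bot: The rules added for greylist_milter_t — `dev_read_rand`/`dev_read_urand`, `corenet_tcp_bind_rtsclient_port`, `sysnet_read_config` and the `mysql_stream_connect` optional block — have no comment saying which program in the domain needs them, whereas the neighbouring lines document each rule (`# Allow the milter to read a GeoIP database in /usr/share`); since milter.fc now maps /usr/sbin/sqlgrey into this domain, I'd mark the sqlgrey-specific ones, e.g. `# sqlgrey: listens on the rtsclient port and connects to a local MySQL socket` above the bind and again above the optional_policy block. Folding sqlgrey (a separate Perl program, judging by the getgroups() comment) into the milter's domain also means milter-greylist inherits exec_bin/exec_shell and the MySQL socket access while sqlgrey inherits the milter's rights; a dedicated sqlgrey domain would keep the two privilege sets apart if an extra module is acceptable. There are two consecutive blank lines before `optional_policy(`, one more than the surrounding file uses.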
@@ -42643,7 +42686,7 @@ index a1e0f60..4baf9a4 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -237,18 +264,24 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -237,22 +264,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool # allow postfix_cleanup_t self:process setrlimit; @@ -42668,7 +42711,14 @@ index a1e0f60..4baf9a4 100644 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) -@@ -264,7 +297,6 @@ optional_policy(` + ++# allow postfix to connect to sqlgrey ++corenet_tcp_connect_rtsclient_port(postfix_cleanup_t) ++ + mta_read_aliases(postfix_cleanup_t) + + optional_policy(` +@@ -264,7 +300,6 @@ optional_policy(` # Postfix local local policy # @@ -42676,7 +42726,7 @@ index a1e0f60..4baf9a4 100644 allow postfix_local_t self:process { setsched setrlimit }; # connect to master process -@@ -273,12 +305,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,12 +308,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -42691,7 +42741,7 @@ index a1e0f60..4baf9a4 100644 logging_dontaudit_search_logs(postfix_local_t) -@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +322,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -42710,7 +42760,7 @@ index a1e0f60..4baf9a4 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +335,14 @@ optional_policy(` +@@ -297,6 +338,14 @@ optional_policy(` ') optional_policy(` 
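Review bot: `corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)` grants the sqlgrey connection to the cleanup daemon, but a greylisting policy service is normally consulted from the SMTP server's restriction lists (Postfix `check_policy_service`), and this file already places the analogous grant on smtpd — `corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)` further down. Unless the denial that prompted this was actually logged for postfix_cleanup_t, the rule most likely belongs on postfix_smtpd_t: `corenet_tcp_connect_rtsclient_port(postfix_smtpd_t)`. Either way the comment `# allow postfix to connect to sqlgrey` should name the process and the port type, e.g. `# sqlgrey policy server on the rtsclient port`. The postfix_cleanup_t section continues outside the hunk.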
@@ -42725,7 +42775,7 @@ index a1e0f60..4baf9a4 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +350,22 @@ optional_policy(` +@@ -304,9 +353,22 @@ optional_policy(` ') optional_policy(` @@ -42748,7 +42798,7 @@ index a1e0f60..4baf9a4 100644 ######################################## # # Postfix map local policy -@@ -329,7 +388,6 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -329,7 +391,6 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -42756,7 +42806,7 @@ index a1e0f60..4baf9a4 100644 corenet_all_recvfrom_netlabel(postfix_map_t) corenet_tcp_sendrecv_generic_if(postfix_map_t) corenet_udp_sendrecv_generic_if(postfix_map_t) -@@ -348,7 +406,6 @@ corecmd_read_bin_sockets(postfix_map_t) +@@ -348,7 +409,6 @@ corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) files_read_usr_files(postfix_map_t) @@ -42764,7 +42814,7 @@ index a1e0f60..4baf9a4 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -379,18 +436,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +439,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -42790,7 +42840,7 @@ index a1e0f60..4baf9a4 100644 allow postfix_pipe_t self:process setrlimit; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +467,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) 
@@ -42799,7 +42849,7 @@ index a1e0f60..4baf9a4 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +485,7 @@ optional_policy(` +@@ -420,6 +488,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -42807,7 +42857,7 @@ index a1e0f60..4baf9a4 100644 ') optional_policy(` -@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +505,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -42825,7 +42875,7 @@ index a1e0f60..4baf9a4 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +562,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -42836,7 +42886,7 @@ index a1e0f60..4baf9a4 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +594,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -42849,7 +42899,7 @@ index a1e0f60..4baf9a4 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +618,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; 
@@ -42860,7 +42910,7 @@ index a1e0f60..4baf9a4 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +636,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +639,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -42872,7 +42922,7 @@ index a1e0f60..4baf9a4 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +648,14 @@ optional_policy(` +@@ -565,6 +651,14 @@ optional_policy(` ') optional_policy(` @@ -42887,7 +42937,7 @@ index a1e0f60..4baf9a4 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -581,17 +672,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, +@@ -581,17 +675,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) # for prng_exch @@ -42914,7 +42964,7 @@ index a1e0f60..4baf9a4 100644 ') optional_policy(` -@@ -599,6 +698,12 @@ optional_policy(` +@@ -599,6 +701,12 @@ optional_policy(` ') optional_policy(` @@ -42927,7 +42977,7 @@ index a1e0f60..4baf9a4 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,7 +716,6 @@ optional_policy(` +@@ -611,7 +719,6 @@ optional_policy(` # Postfix virtual local policy # @@ -42935,7 +42985,7 @@ index a1e0f60..4baf9a4 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -622,7 +726,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } +@@ -622,7 +729,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t } corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) 
@@ -42943,7 +42993,7 @@ index a1e0f60..4baf9a4 100644 files_read_usr_files(postfix_virtual_t) mta_read_aliases(postfix_virtual_t) -@@ -630,3 +733,75 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +736,75 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -53366,7 +53416,7 @@ index cfe3172..3eb745d 100644 + ') diff --git a/sanlock.te b/sanlock.te -index e02eb6c..6491450 100644 +index e02eb6c..d015830 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -53404,8 +53454,8 @@ index e02eb6c..6491450 100644 # -allow sanlock_t self:capability { sys_nice ipc_lock }; -allow sanlock_t self:process { setsched signull }; -+allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice }; -+allow sanlock_t self:process { setsched signull signal sigkill }; ++allow sanlock_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice sys_resource }; ++allow sanlock_t self:process { setrlimit setsched signull signal sigkill }; + allow sanlock_t self:fifo_file rw_fifo_file_perms; allow sanlock_t self:unix_stream_socket create_stream_socket_perms; @@ -53495,7 +53545,7 @@ index f1aea88..3e6a93f 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/sasl.te b/sasl.te -index 9d9f8ce..c68cdf4 100644 +index 9d9f8ce..4ad9ef7 100644 --- a/sasl.te +++ b/sasl.te @@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0) 
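Review bot: `allow sanlock_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice sys_resource };` and `allow sanlock_t self:process { setrlimit setsched signull signal sigkill };` widen sanlock's grant with setuid, sys_resource and setrlimit without a word on what triggered them, and the surrounding lines give no hint either. A one-line reason above each addition — for instance `# sanlock switches to its service uid/gid after startup` and `# raises its own rlimits`, if that is what they are for — would let the next reviewer tell a required capability from one added to silence a denial; if only the uid/gid change is needed, setuid and setgid suffice and sys_resource/setrlimit deserve their own justification. The enclosing sanlock_t block continues outside the hunk.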
@@ -53517,7 +53567,17 @@ index 9d9f8ce..c68cdf4 100644 type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) -@@ -38,23 +35,24 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; +@@ -30,31 +27,32 @@ files_pid_file(saslauthd_var_run_t) + # Local policy + # + +-allow saslauthd_t self:capability { setgid setuid }; ++allow saslauthd_t self:capability { setgid setuid sys_nice }; + dontaudit saslauthd_t self:capability sys_tty_config; +-allow saslauthd_t self:process signal_perms; ++allow saslauthd_t self:process { setsched signal_perms }; + allow saslauthd_t self:fifo_file rw_fifo_file_perms; + allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t self:tcp_socket create_socket_perms; @@ -53548,12 +53608,13 @@ index 9d9f8ce..c68cdf4 100644 corenet_sendrecv_pop_client_packets(saslauthd_t) dev_read_urand(saslauthd_t) -@@ -88,11 +86,12 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t) +@@ -88,11 +86,13 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t) # cjp: typeattribute doesnt work in conditionals auth_can_read_shadow_passwords(saslauthd_t) -tunable_policy(`allow_saslauthd_read_shadow',` +tunable_policy(`saslauthd_read_shadow',` ++ allow saslauthd_t self:capability dac_override; auth_tunable_read_shadow(saslauthd_t) ') @@ -54280,7 +54341,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..67fd48d 100644 +index 086cd5f..6bc7784 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) 
@@ -54303,7 +54364,7 @@ index 086cd5f..67fd48d 100644 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -49,19 +52,22 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble +@@ -49,19 +52,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) # pid file @@ -54318,6 +54379,7 @@ index 086cd5f..67fd48d 100644 kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) +kernel_dontaudit_list_all_proc(setroubleshootd_t) ++kernel_read_irq_sysctls(setroubleshootd_t) +kernel_read_unlabeled_state(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) @@ -54328,7 +54390,13 @@ index 086cd5f..67fd48d 100644 corenet_all_recvfrom_netlabel(setroubleshootd_t) corenet_tcp_sendrecv_generic_if(setroubleshootd_t) corenet_tcp_sendrecv_generic_node(setroubleshootd_t) -@@ -79,12 +85,12 @@ domain_dontaudit_search_all_domains_state(setroubleshootd_t) +@@ -74,17 +81,18 @@ dev_read_urand(setroubleshootd_t) + dev_read_sysfs(setroubleshootd_t) + dev_getattr_all_blk_files(setroubleshootd_t) + dev_getattr_all_chr_files(setroubleshootd_t) ++dev_getattr_mtrr_dev(setroubleshootd_t) + + domain_dontaudit_search_all_domains_state(setroubleshootd_t) domain_signull_all_domains(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) @@ -54342,7 +54410,7 @@ index 086cd5f..67fd48d 100644 fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) -@@ -95,6 +101,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) +@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) 
@@ -54350,7 +54418,7 @@ index 086cd5f..67fd48d 100644 term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) -@@ -104,6 +111,8 @@ auth_use_nsswitch(setroubleshootd_t) +@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t) init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) @@ -54359,7 +54427,7 @@ index 086cd5f..67fd48d 100644 miscfiles_read_localization(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t) -@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t) +@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) @@ -54368,7 +54436,7 @@ index 086cd5f..67fd48d 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -54392,7 +54460,7 @@ index 086cd5f..67fd48d 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,10 +171,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -151,10 +173,14 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) @@ -54408,7 +54476,7 @@ index 086cd5f..67fd48d 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -164,6 +188,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -58585,11 +58653,12 @@ index 0000000..1ed278e +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) 
diff --git a/thumb.fc b/thumb.fc new file mode 100644 -index 0000000..34d6c89 +index 0000000..17544ee --- /dev/null +++ b/thumb.fc -@@ -0,0 +1,15 @@ +@@ -0,0 +1,16 @@ +HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) ++HOME_DIR/.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0) + +/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) @@ -58737,10 +58806,10 @@ index 0000000..9127cec +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..389ccab +index 0000000..be861ba --- /dev/null +++ b/thumb.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,111 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -58850,6 +58919,7 @@ index 0000000..389ccab + gnome_manage_gstreamer_home_files(thumb_t) + gnome_manage_gstreamer_home_dirs(thumb_t) + gnome_exec_gstreamer_home_files(thumb_t) ++ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails") +') diff --git a/thunderbird.te b/thunderbird.te index bf37d98..9456124 100644 @@ -60865,20 +60935,27 @@ index 32a3c13..759f08c 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index 2124b6a..37e03e4 100644 +index 2124b6a..b52dc56 100644 --- a/virt.fc 
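Review bot: The new thumb.fc entry `HOME_DIR/.cache/thumbnails(/.*)?` leaves the dot unescaped, unlike `HOME_DIR/\.thumbnails(/.*)?` directly above it and the `\.cache` entries this same commit adds to virt.fc. File-context paths are regular expressions, so the bare `.` matches any character and the pattern is slightly broader than intended. Suggest `HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)` for consistency with the rest of the patch.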
+++ b/virt.fc -@@ -1,5 +1,7 @@ +@@ -1,6 +1,14 @@ -HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -+HOME_DIR/.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) ++HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +14,52 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t + /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +@@ -12,18 +20,52 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -60935,7 +61012,7 @@ index 2124b6a..37e03e4 100644 +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) 
diff --git a/virt.if b/virt.if -index 6f0736b..2d43a63 100644 +index 6f0736b..3e6749b 100644 --- a/virt.if +++ b/virt.if @@ -13,39 +13,45 @@ @@ -61342,15 +61419,27 @@ index 6f0736b..2d43a63 100644 ') ######################################## -@@ -468,6 +642,7 @@ interface(`virt_manage_images',` +@@ -468,18 +642,7 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) +- +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_read_nfs_symlinks($1) +- ') +- +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) +- ') + rw_chr_files_pattern($1, virt_image_type, virt_image_type) + ') - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) -@@ -502,10 +677,19 @@ interface(`virt_manage_images',` + ######################################## +@@ -502,10 +665,19 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; @@ -61371,7 +61460,7 @@ index 6f0736b..2d43a63 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -517,4 +701,278 @@ interface(`virt_admin',` +@@ -517,4 +689,290 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -61402,12 +61491,18 @@ index 6f0736b..2d43a63 100644 + gen_require(` + type svirt_t; + type virt_bridgehelper_t; ++ type svirt_image_t; + ') + + allow $1 svirt_t:process transition; + role $2 types svirt_t; + role $2 types virt_bridgehelper_t; + ++ allow $1 svirt_image_t:file { relabelfrom relabelto }; ++ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; ++ ++ virt_signal_svirt($1) ++ + optional_policy(` + ptchown_run(svirt_t, $2) + ') 
@@ -61539,10 +61634,16 @@ index 6f0736b..2d43a63 100644 +interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; ++ type svirt_home_t; + ') + + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") ++ gnome_data_filetrans($1, svirt_home_t, dir, "images") +') + +######################################## @@ -61651,7 +61752,7 @@ index 6f0736b..2d43a63 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..b9f5601 100644 +index 947bbc6..d0b1ae9 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0) @@ -61874,12 +61975,13 @@ index 947bbc6..b9f5601 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -150,11 +231,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -150,11 +231,17 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) + fs_manage_nfs_named_sockets(svirt_t) + fs_read_nfs_symlinks(svirt_t) ++ fs_getattr_nfs(svirt_t) ') tunable_policy(`virt_use_samba',` @@ -61887,10 +61989,11 @@ index 947bbc6..b9f5601 100644 fs_manage_cifs_files(svirt_t) + fs_manage_cifs_named_sockets(svirt_t) + fs_read_cifs_symlinks(virtd_t) ++ fs_getattr_cifs(svirt_t) ') tunable_policy(`virt_use_sysfs',` -@@ -163,11 +248,28 @@ tunable_policy(`virt_use_sysfs',` +@@ -163,11 +250,28 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -61919,7 +62022,7 @@ index 947bbc6..b9f5601 100644 xen_rw_image_files(svirt_t) ') -@@ -176,22 +278,41 @@ optional_policy(` +@@ -176,22 +280,41 @@ optional_policy(` # virtd local policy # 
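Review bot: `virt_filetrans_home_content` now calls `gnome_config_filetrans`, `gnome_cache_filetrans` and `gnome_data_filetrans` unconditionally, whereas the thumb.te hunk in this same commit wraps its `gnome_cache_filetrans` call in `optional_policy(...)`. If the gnome module is not guaranteed to be present wherever this interface is expanded, the interface will fail to build; wrapping the three gnome_* calls in an `optional_policy(` ... `')` block would match the convention used elsewhere in the patch. The `filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")` line is unaffected since both types are declared in this module.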
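Review bot: In the svirt_t `virt_use_samba` tunable block, the line immediately above the newly added `fs_getattr_cifs(svirt_t)` reads `fs_read_cifs_symlinks(virtd_t)`, while every other rule in that block and in the matching `virt_use_nfs` block targets svirt_t; this looks like a copy error that grants the symlink permission to the wrong domain and leaves svirt_t without it. Since this hunk is being touched anyway, consider changing it to `fs_read_cifs_symlinks(svirt_t)`. This is a pre-existing line in the patch rather than something this commit introduces, so it may deserve a separate changelog entry.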
@@ -61968,7 +62071,7 @@ index 947bbc6..b9f5601 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +323,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +325,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -62003,7 +62106,7 @@ index 947bbc6..b9f5601 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +355,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +357,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -62026,7 +62129,7 @@ index 947bbc6..b9f5601 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +382,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +384,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -62060,7 +62163,7 @@ index 947bbc6..b9f5601 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +414,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +416,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -62079,7 +62182,7 @@ index 947bbc6..b9f5601 100644 mcs_process_set_categories(virtd_t) -@@ -284,6 +440,8 @@ term_use_ptmx(virtd_t) +@@ -284,6 +442,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -62088,7 +62191,7 @@ index 947bbc6..b9f5601 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +451,32 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +453,32 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -62121,7 +62224,7 @@ index 947bbc6..b9f5601 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +495,10 @@ optional_policy(` +@@ -322,6 +497,10 @@ optional_policy(` ') optional_policy(` @@ -62132,7 +62235,7 @@ index 947bbc6..b9f5601 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +512,30 @@ optional_policy(` +@@ -335,19 +514,30 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -62164,7 +62267,7 @@ index 947bbc6..b9f5601 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +550,12 @@ optional_policy(` +@@ -362,6 +552,12 @@ optional_policy(` ') optional_policy(` @@ -62177,7 +62280,7 @@ index 947bbc6..b9f5601 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +563,11 @@ optional_policy(` +@@ -369,11 +565,11 @@ optional_policy(` ') optional_policy(` @@ -62194,7 +62297,7 @@ index 947bbc6..b9f5601 100644 ') optional_policy(` -@@ -384,6 +578,7 @@ optional_policy(` +@@ -384,6 +580,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) @@ -62202,7 +62305,7 @@ index 947bbc6..b9f5601 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -403,34 +598,51 @@ optional_policy(` +@@ -403,34 +600,51 @@ optional_policy(` # virtual domains common policy # 
@@ -62259,7 +62362,7 @@ index 947bbc6..b9f5601 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,10 +650,11 @@ dev_write_sound(virt_domain) +@@ -438,10 +652,11 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -62272,7 +62375,7 @@ index 947bbc6..b9f5601 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -449,8 +662,16 @@ files_search_all(virt_domain) +@@ -449,8 +664,16 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -62290,7 +62393,7 @@ index 947bbc6..b9f5601 100644 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -459,13 +680,447 @@ logging_send_syslog_msg(virt_domain) +@@ -459,13 +682,461 @@ logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) @@ -62330,6 +62433,10 @@ index 947bbc6..b9f5601 100644 +allow virsh_t self:tcp_socket create_stream_socket_perms; + +can_exec(virsh_t, virsh_exec_t) ++virt_domtrans(virsh_t) ++virt_manage_images(virsh_t) ++virt_manage_config(virsh_t) ++virt_stream_connect(virsh_t) + +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) @@ -62389,6 +62496,18 @@ index 947bbc6..b9f5601 100644 + +sysnet_dns_name_resolve(virsh_t) + ++tunable_policy(`virt_use_nfs',` ++ fs_manage_nfs_dirs(virsh_t) ++ fs_manage_nfs_files(virsh_t) ++ fs_read_nfs_symlinks(virsh_t) ++') ++ ++tunable_policy(`virt_use_samba',` ++ fs_manage_cifs_files(virsh_t) ++ fs_manage_cifs_files(virsh_t) ++ fs_read_cifs_symlinks(virsh_t) ++') ++ +optional_policy(` + cron_system_entry(virsh_t, virsh_exec_t) +') 
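Review bot: In the new `virt_use_samba` block for virsh_t, `fs_manage_cifs_files(virsh_t)` appears twice and there is no directory rule, so the block does not mirror the `virt_use_nfs` block right above it; the first of the two lines was presumably meant to be `fs_manage_cifs_dirs(virsh_t)`. The same duplicated pair existed in the `virt_manage_images` tunable that this commit removes from virt.if, so the typo appears to have been carried over with the move. Without the directory permission, managing images on a CIFS mount will still be denied at the directory level when the boolean is on.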
@@ -62421,13 +62540,6 @@ index 947bbc6..b9f5601 100644 +') + +optional_policy(` -+ virt_domtrans(virsh_t) -+ virt_manage_images(virsh_t) -+ virt_manage_config(virsh_t) -+ virt_stream_connect(virsh_t) -+') -+ -+optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) @@ -62581,6 +62693,7 @@ index 947bbc6..b9f5601 100644 +allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; + +kernel_getattr_proc(svirt_lxc_domain) ++kernel_list_all_proc(svirt_lxc_domain) +kernel_read_kernel_sysctls(svirt_lxc_domain) +kernel_read_net_sysctls(svirt_lxc_domain) +kernel_read_system_state(svirt_lxc_domain) @@ -62640,6 +62753,8 @@ index 947bbc6..b9f5601 100644 +virt_lxc_domain_template(svirt_lxc_net) + +allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++dontaudit svirt_lxc_net_t self:capability2 { block_suspend }; ++ +allow svirt_lxc_net_t self:process setrlimit; + +allow svirt_lxc_net_t self:udp_socket create_socket_perms; 
@@ -62651,17 +62766,19 @@ index 947bbc6..b9f5601 100644 +allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; +allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; + -+corenet_tcp_bind_generic_node(svirt_lxc_net_t) -+corenet_udp_bind_generic_node(svirt_lxc_net_t) ++kernel_read_network_state(svirt_lxc_net_t) ++kernel_read_irq_sysctls(svirt_lxc_net_t) + +dev_read_sysfs(svirt_lxc_net_t) ++dev_getattr_mtrr_dev(svirt_lxc_net_t) + ++corenet_tcp_bind_generic_node(svirt_lxc_net_t) ++corenet_udp_bind_generic_node(svirt_lxc_net_t) +corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) +corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) +corenet_udp_bind_all_ports(svirt_lxc_net_t) +corenet_tcp_bind_all_ports(svirt_lxc_net_t) +corenet_tcp_connect_all_ports(svirt_lxc_net_t) -+kernel_read_network_state(svirt_lxc_net_t) + +fs_noxattr_type(svirt_lxc_file_t) +term_pty(svirt_lxc_file_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index c0b2f088..cea5aa0c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 0%{?dist} +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -491,6 +491,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Aug 3 2012 Miroslav Grepl 3.11.1-1 +- Fix saslauthd when it tries to read /etc/shadow +- Label gnome-boxes as a virt homedir +- Need to allow svirt_t ability to getattr on nfs_t file systems +- Update sanlock policy to solve all AVC's +- Change confined users can optionally manage virt content +- Handle new directories under ~/.cache +- Add block suspend to appropriate domains +- More rules required for containers +- Allow login programs to read /run/ data created by systemd_logind +- Allow staff users to run svirt_t processes + * Thu Aug 2 2012 Miroslav Grepl 3.11.1-0 - Update to upstream