From ebb4e5ec53fa40a24e4f9d6b47f4ce10caca54f2 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 6 Nov 2017 16:54:47 +0100 Subject: [PATCH] * Mon Nov 06 2017 Lukas Vrabec - 3.13.1-302 - Allow jabber domains to connect to postgresql ports - Dontaudit slapd_t to block suspend system - Allow spamc_t to stream connect to cyrus. - Allow passenger to connect to mysqld_port_t - Allow ipmievd to use nsswitch - Allow chronyc_t domain to use user_ptys - Label all files /var/log/opensm.* as opensm_log_t because opensm creates new log files named opensm-subnet.lst - Fix typo bug in tlp module - Allow userdomain gkeyringd domain to create stream socket with userdomain --- container-selinux.tgz | Bin 7160 -> 7156 bytes policy-rawhide-base.patch | 54 ++--- policy-rawhide-contrib.patch | 405 +++++++++++++++++++---------------- selinux-policy.spec | 13 +- 4 files changed, 256 insertions(+), 216 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 8b0d16775766da6a4cbeb7eb107b1ee1450e3a2c..af9d4ac86243403233abd34f035c30e837f21331 100644 GIT binary patch literal 7156 zcmb7|1y>Uc14apzE`iYukQV7?j!vbdy9Wa{2}$YhmJVs@ZW!IoKpK_q?)=`r@SXGg zg?sL~4=@rF#Wxs59|ir$=pc4QFky0juT!cT-JQAGdLS_rRn?Us($c?;0OM5~&PwR0 zk^F~}wja~)6Fh0H-CwTD*ugUDjIt#HjRfAC4dFuE=JZPAb159`=u#gibH-w;$Y25Um5^h$r@DpGvfny{URLnpY-P zH!jVJ4DVML9$xaHSLarz7S2N#)jszZ;@665+KOjIYy>VzugtWppd^h@y;t$Otdd_2 z|K6MrzVB{CBkY_V#d{WhIIwt2vm_&_8u@dzj9{HN)YtIs!H*uQN8MnTR1Dcv7GKZq zU&fCfalMn5448H0UJC0!KLj@7M>6*-rAbs_l0J7RMGBTQnI&buFn_A6B#_P69;Q5h zm#I_bYmjx6U~a_XOFctrqhoD-q)|94ab91AM?f6c)!O0Wur=36AE855Hm9fgTQOJ|8D*(m$r4D!~wf~?#k_KcGjNq_nIDDfW1;oIscx@_g?++PUs}Fz)@NS zv;lXY_Y>}^Z{XltP*h$4bU=-W4ZEyt`WU@4(Nksqe*K5d*WdT4JoVqR;MG_N1djz> zpL3KJ;S8CWT1~GiQ3G}C#55rIwYsSMVm$i(S4Hwfud>#@39>Gw*XvwOz4VP!nCH8j z05fUzdChjcj@AIZ$T>&LYf9M;(BrGer-jYG|;SxC`9Q$S7M}YG5z%S}P!!iXsus zB~bCUpHQbR$}f(P@Z}}>NzBX+K~a*CQqqv%?AUgfN)D}G#h@po)sJ(?kVBnA)P3xliTRdWyRGBm8GA>!#bU39mzH84 zUC8}6pC_gC3taKQR7z5oiGfXdIO41_pTnN=llCP%b)Na(V!y_D?@K4<2=*2b;_Es6 z8^eG!UUSqnv7mqAy}<<`(Lqa-|Gcn-;cs0lLN9Oh7jK*w@1{fJ%@p5$fV2)R;CR2&ZvQo$P6tgMQ`{!!;ky@pIQG&NCrvyWTxa8)Y$ZqUwH$^P{V zL@n7DC%8W4ub8)=<<>-ZX?ZXp!aI${6Zkih!Q@-NWUdudCSkrC=kECJt+CI|=MToqjZLL$;Ek)6>lW`wm zzXX9wELD97(_>LiTQ$jh1@O1}Fz3fm%?3=gDxKt3FEJvl40@6VfIq~#*U?!nBzv%L zqo^6$>Nd=qWfs3Sh&-J_3VJP=GsSUk;Yf(hTxtMw=Rt1DPOhRIBIKID|XS_OceYui8R!lu&5Bw?rpPCZ}PBi zwnP26`e<(LH8D$}%ID|c@qm(XNm)R|zgLOLCukZN+l0jBjiabgfk>%y-wcP~NQxk; zW5RiS;PJD!>Lau$8)e_~x3hADBRcz6 zC{8|I6Iuv2n*Kj~hun4`4<$l>X`v0D;3!+n6Q2Wdd5+^8R(P)BXuuM(W}mBhr{MPO zHT3jW7)awRO>=K?SY{ zTeoP@N!uR!z*PFZBq;^C&{l336(zTOdh3|s0DchDBN6<`h{!ri@|OVhm+o_y_9d(` zQ(X|n-@Ei~OH_6i4x1|tEh(3@qIAL0wMf0&eI=chmU(u=QeeJCsJoF$xj>RRPrkvQ z&^C19*g~p@IOHyE8HxP&BMIJnRa>hwY2H?1SA~1K@Xe3}W3U{f*8%Iy6sgoSC5HBw z)s$|AYXp}c^S8Sh_0ngoMrEkLMJWahyUhJ?#HHDF;ZTH=MV8|0Y(PmL9 z2l$3E+U2I@lMEy5~Dlg_Q$(nQ$3P23LG zWk7AW_QBNQc~FeWKZ+oBm4PNeRn++*9BgQ&%7Cb1b%3e7To!Xr2N)H}q)U 
z5Pv*9Zac`3d<@Mv(0B}0jZZCvWu@?N*zeQ|wd2D%JH5Yqc-PD@Q*LjMmfJ}hCBr;~ zT<(oJaD7xzii^75{&X(4c@ve$yw0gj>Q<>VC5sh73_2v%#ju;pVl6m|7iOWe^GSaF za=VxEll?&Z-c-xW(`r{Y?OH8}s-e=!4u82}zFTlCeN*cFTP~vIxibsPs{#zC$(D_m zN=^bThl%k7GB2ka*4H{C6cRf4%PN4PX3)~_RSSq~#oQ{X-@$`$<7eDRHz_j-xO4xY}zw)zDW$Kd& z@bz5Ej%DNN%L-5u>~$>lLz6qy_6x~>-TO%GbTsvXnPd6xWi?k;ZjC5NQtn9lcJqFR z62t9!{QYKSJ;S`JZ^Y;CLYvoji(*%@_-mZbJ4^NlEPxx++CU9zH=e%F!X;S;hRpSn zsCPtZ#~v<~JR)+w#&{4EFGhnm&r^io%T+8v+(1)4d9-kR-=(vr=n5V6P^xQoXD)%9 zSm>`-$9e)V|D68ClwznJ+o0}~p(jS+I!Fl&5@Nvp7aR)*wmF|!9k(7K@8Ya52R^#q z>(1c(z@q2M9Uf|T1)K6?QfklnyYDR?VNcRW6clz&x&RD6Az_*JlfIv9#tnL}@o%`f z?xIl)QPwSz=@$-6FutO#2=MNmAXjO%jd{B+ohKHKp*2yCRAt*Ddc^zul&Ru99H#f= z?dHou$eurpi`U*H+W(lxXRg_931uG6b1{#vjALj>`Yrgma-cbvJ9a6qN3yGIhCF0g^<6h=Fa+`_W zv5+u}&Q29BIc6gmM5Q{Sr;T8lxNgJzqDq=1awR{auS~^`#>)*^t~bXsXlU|#t5`6M zD+w!RjjG8lmfSvnH(_Q)0t0Yfj)oyluh#X-2tH0P{nAI-A|y~Ns&+%aVqS=gnW9c- zXEP@&28WhvNk$UmnOFIYF&CqRC{h%vxyKU8{t(L>kgx91OyZn|a93DC9h*W-2&Ezq zmL8?Bs>OV8uH#nn2}aPurb-8WZNnBU>I9qbBg$IF68boJ3LAHqe7Kdy%1V$aI^in#bKZ55DRl#Y#| zFz<|s%r)dgLolmavFizRby~6CdL@yyZfm((yK^^{s+12)kA_$yPPQ?MFjdxAZ+C@| zL_Obmg7jGNbekMDEVFOHwceh8BAp6S<$zy}U7u98GX7-LHV36}8IsQA z#kc}H`*@rU$9vlfcC;E*^VED87`wskgM5q1 z0ce=%ykbAo$eW)7iRn}gXGHEA`#dE!5D>T~!4`d_$M&ro{wUwCPt`4-QM&%K4y^tV z1M}-g3eo%s?z(Rb^jcjuF4LNrmwU4dx(*`z<_ni$6unK>#Px_&p-dKYRUHsBgxll! 
zwEx7wumeJjx5QgUy_okdr6dNfW%6k8>cj*CF6S}vS>`ZkXUw8jPMnD#$4be9VcbwJ z2fixrSh>=)-`zcH*0W!<|KXza-G<4x?GB3kF;e4iaO<Hjdc+{(I%h;U6@~s0Q*zUV8EOTWz-4VFl3tjtG^2n{(Na4E7FG2uQ z$BC|+zD&@b$GS@PEy%I>eO7i?qIEZqVNO~#nV-)(Cz9l*uX6~8z1o84Vf)&cYpg`6 zfaSCuzKseh%V=?USR-0n^^;C-^)DB5!OVe!qO^*xRxv~-Po*Kde|Gl@#h-_~nQ!$J z{9kxG&9d(2HZwR_TjwUa+c)wF^u36_z@=EL`V>e2}=5Q%>)r#|8 za~wR(OCT!#Zk~uGwWCh9I~i`xJwEp7BBr)_{3B$g3AU9MY#KfSs;b>|RQ7htY;v2~ ze=qqi@sG#Fp~fo3;F3jgy}eaI?!=DRHt*M5ouT}RhgrpyamS8D)Dvr!ZOZYeoYH%u zi}y#lFzWX|KJvTc@X71E0xAI3`pP^*13n9;L@HEHb6F&)09G%AJaeb>yz&2N zZwS`?>49nOD2e9eYIFpW%Ak%FU@F!|~`u znEQ}EB*CLTTxQF3b@I*A?BBP<&Ki^HuN&%dDOEm~s zTZ|6Vsx%uxd~7j4ruh%J&%AbWO9MTb+MlH}2cvU@5Z1`NlrmD0Z_>WwwC`MRsH)2D z9w09l=q;LjM%}#_`d5J0YoMs#HqZ*BaISbNRTCNh-4)4rCc_GA`!&Puy|XW-DU5!{ z=`Qf&8{aY`N(^(LXxQ2I!3Cy<-=z!g!W;KpiM=DqyXFd)osE1D@7*hJ5S@tpU|Z`& zwBWZ!`IWs=f9_|cnm~|js=b!%)`fHFv^3|v5A{YxsLdOhU>Ki5%}{0kHLty zes{g0{V0*aFfgLalqx;Z2A9Mm}xpng>e2jOvHVY|LMuNVtvzi zHBgsB9h(Rfe{u^3;rv+u3GM&QtIs&x9mw2PEYMW(Nq+j2icXiEMOHic2U(IyvaYZi zn{6?c#1IE;CKc2x*R<KDO57KEU_ane5BM6zM7O z?y?Yq-ig&@Vq);!IlIQY-8Rhuc0)|SYl6l9~Q&m--Z0tK6gtPgEuoExv$Imc(;xokM;Rd4O-XI`${p z3Tl>G6O#(GGQ>p{f;Lfy**zFYT>aFgcsTK2v&X3`M4O6dNaNwU?yt%bEmiu5ULT1X ztw56B?{l9c8plbdYG#l0pP3M_?ago@j9IXhCYf6aY&ywJ!0Wm+A^8e#@;gnyCtKIs zE|0J|$Lf#+UZuO`L2*NIpa)`=j-NPfUd@zgI%`PEv3ja5x- zRcfm#Od8Tz)-?GzBxSi{^G-NlOAu+Jze^E^sS1OB_h2cK?Lt#9l>KFd>6Cd)D3|%1 z^$Nfg?(tpZu;>j_yD^nTWlZ7=$15~a8g-fntR+U zoEel?>=BoMGKd2cyr2(}s>E=Hc}hV-SI8)lbnvpQ@HD>9CwM-khv~RtK5cX7hYu!c zC_hZ)zXkkZ2YyD{(c$%g=LBSE8tPyf+467fG>Re?(j5M~rNSFBVdrCp0AjfA^w}GM zxC=sUHS81W8&R8Kn2t*+?&GqpX>~P{ck*MPO@A@Ll-|hbIvA_JOSX?c=6C@|fONEW z`>`}22VkBzDOnFSnCkA?j-9sEM{R^=fx6-%z3DhA0BLm(U;l4x&+5+lViR z%bgYMjyABz6QiocWBq}+6qh9!hizgIeix6 zzUXu}K130C;1t=)9WOeN=0QXCg=DuvV*6! 
zx)2G@oNZ1&gEX5;L}k|Y#NKLnV4?Lu)jbZ{AeE5`^@I37K0^Lr9(W*IBb$|jXvMdYLu%elwx)Dt0A}zDpA!=DNF`V4 zmY)I#1h^R|>ah~cN2giTIhbUhNdh}1EbdZghn(CF=L>hgS&n?Dga%x+xzj(ix<(F| zS|=57>gXyK+zLeuNy>4H1638l$ImQ^)++85;N}04&)ku(jsJy+s26WfWkl_M$=h_ES_22GaqLoFy?B?5zQIHm$-7Q$Onc-ml0 z$`Y-C5xubm4QsOIbL-kUK8JUYtiTte(~w+P?Q%nD znL+gL>uz$pL7JT<#JlWn=jy9A$ddlY@u(P>S5iymY#h-4Z5*O#zx%2~izj@Tn2!J-{8B*XN32dzptH?fAD!qQv}>3r#+oUo zz8H7lpL!*iJ(b?HA59cht%Ri&2>KArQW0z0r~al?eeLc*YL{ufNtqf-`;kebGt$I3 zFIS*TgHz@}i$dkjmYgC`(Docow_M6r>hXf?p;>*osWMU`GJ@wEEr%SRh$A}gjvt!t zZ-9RgZ6e+;XBq|XH5V#3pjIzuJoK~usaYMp z*6#kJh<}DgKF-(M(L(79!WUKS^rcuyPaNoY?DnBeB&OHo9g@vkr|ZFId9pZ7)C+({ z@^SELVZG&V(>SrW__AoeNlR5Cok|=hJm=P{CpE@)Sgj}u&%U@vV>gd+ z%$SS;PE?ifN23?;(=$kJPufW}@30}AE0n^Y8{`?PDigGA2zIz(CXb_OLfVW79BJ7@ zhud#1AnNOfd^K&I8+u~uR(W1Vlb;i)F(XLS{!x@GO9UoB!l-8dB||vYwSO-$ewSTx_xIi^Le5269s3OKmQLJ9&<_!SA8G%$ofol_>m-%E|9^^~UT`=W`jSyjQBeK|0YV!V literal 7160 zcmb8x16v&o!vNrTvKE(Hwr$(1PF}8Moop>HvX?&iz!IwO}eA+8j2k%W+XLC`X0t2}qCm4nEqQFE35w>AvbS4;Rc`+Ae z&_0MvK|e0_bo_r6D8y*lJ5bc1&|D@}1k%LTn%4tk#tJazzm>DkU-GM`nn=IyMtMEI z9gSR@R`&kh`gneQ-Q;)P>Up^tS>FDHzOPgC_`DxoK0K^Dhc2t@Q1X&x^HqiIfG=t= z`4ugTN&G&8c&Z`dSb;w=eaM#*gFZ&YP{x=TO?VIU6Ot*bDp=wN_*i2pzmU-?#E|_n z`S74!(S_N|@NMs>un7uKD3As-oY>(s`8`M)9YGV7&AYX{!~Rs%Vcz8--yNt=6D>B1 zW4S#?m>`&?r#&f>Hd)Oqnavgf8F5eW^9OqM>}Kg6_~Mf9wyo@z9`bGHMf9Zu!|(PE zuPYmkwW`h!2C1q;K%Sr_FYSva0A@jtK{*r_Llv1vm_^THGfgc^T<{_)uy5o6l zjelW2`Mp{C2N{&It?YBV*42q$r8}2T0pOi=dv1V~$Pf^b zDxeu2U-%!M=J?GCsiP(kyVyOIOfc^wJ)Cp2wLJWIbk~y;(NG5MxYa#pU^;1qZP`?AkoWXh_-7}j9SLk{kIr)j3Aw7}udVp9_SW@ew zztvfV=QH?3PcxfK1d*p$kdB;gCIQuac zEt?LhiVEK*y{$UnKCW-o{%(P)UMy?^8~~&@O<5?H_;9m1AlI6nD;er>#1%r~61lZ& zaJ{N(%Z=aJ-U&PUK#TV^N(M7U&pD!E{3ZUfm}bdws0rab$Nn#x&OSljvR!>W02^*M9}%V14o~A!cpaYQQh|`kK2WFBD-%mAa2T-o+lO%phzc)8 z>|V}vnBIg*hxh&ax8%9hDxzzlv4N6$OWEs4AIC2cV-Z^Mf1izcRT>{=kEJ$_0d+b! 
zip>uEiUt>54ZK)5^$E~retz|B4e7DlRosd=l z0}C#u1TQXM5Q3$DTU&IY;#sF`0tZ2ZyP<#eHwR#?I(2C4JtM}09$n{8xPaH0(RTBjWUZwD+%1ACG|g8 z@#aiIukT@#(}a;K8wd;-9<3lJ0m1As{RgHGigKM*GgJzL@W3nhk2 zEfVcOsr!t?qMoaXtUl_bFh%sDV@UEuGR7c7p-=Ln(u@oGNucmdMmfovMp-Os_yyIO z6?;c-C9=_KGoBgUlmvDP4*H}Z?!FFS-nj6QMg4vIN7I$>C*P(q-Oy%o*;|7hxER*1 zw}sL=m&Xd^75xQ>kly?qKBlk4Um?9*Y*3~cB-!@m5ljEMO=RyO^tYMeQF$i3gloCk zqDho1gusDyKw5nrY8IO&(UHmybEz<|u8%j+LzRYE<&O=>I}t}vMPpJ_J6E0ybbZfC z13X}`JUFm(?E{wg1g%$Po|L)lsU265UL@^{b6>~0s1^ja(U|>agvE05--U#?wu9c= znWgV|pL&>XuR;`JeZT&DUb9-USaYk+uPVx`%jRDrfb?w_hRgU68TZ95rpvcrUMPoq z)`>}!!kC|ujquOKj0eV^ibo>SMj+r+`qfD-oE!PLm(TSU$l7rKE; zG=OXy(bykx8~E4u+1$?JT1ceH@9IRb?s;y!c7iH>OnAsKm&ms~jaYtl8B-J{u00JY)*M!Tw&>!29nJhSJz z1dB-8{tQXS^2bJM)Hf&Fz8$+WF88m(*y&LDwg)fS98W<0l8XZ3`0~w9`l?W~8{6Px zdq4_eSx#NvVxkVpqE+_KH5Na1>)lFbW7lJoN|*A$xCF92Pr>>njhLZ0rvQp8OcjxI zrweJdLcc04(#vM}(G&6Vv>~j~6SWnp(^}eO5+&akq9kZ_p@Os?vaCHRP|?#A5WDi$ z1Cu>-s4QRpO25Kayf{%w-o#k7SI@k>yJpsS+@>*M=)Ao3?|Gf*u~OzY*u3F+&Yov! z^Oy}M3q#Hc3up4%hb2Ze5F?kGn|h!{hSmm`&u+m~BEtVYeY`@g03hn(ctP34Q-QW4^{|GxCAW z4p9}tYoEyv+90a#jw8N!v&{^dFux(nV7Q`bsPO^sR8lYhoRp`u6h-)YOEiv<|KbF9TMvwdjw6)5xf>(7yX$#R&IzjZW+}++)em|4klik zm}2dTcliaxd_o1kG&WV=aYaU48a+m4^gkS~^Jmnu>#oTRZun<;vX+fEusWBj^;RDD zv!m=R-~r)067VO3UFT#rhAQ@^bWl1NBwa(_0^rVnRCnM;G>LvWMzEZmZrGs^|0Moy zwW&l=6{B8@PR2Y>9^+EDq~kPc*7?Y_5~-hJWGlNzYu+go7*_?km$(x2`nSD!n2$Qu zu74YG|S(wNM|%9Dp({r{$0fH)Tm=p$(U1zHu5~4&MHj%yuey6v**`p zqhw{7+&)#eUZ=oh1EEqk9=y)B`bpOlXl3NURj&6}449;sIc$&XPbiV`!mG=GqpAS* z?+yj5B&^4eW1&xMJ<`qlq|OvNU9}H>olWlx3z4-miQL1!;5yx4jsj9UXlC>qfF+eXwVlzsEL zs19g(zGf{?A;keC2P=fI*+o0`cLimVn(m+4r$X)RI^t6X415d7Yk`zv9*;#FSXJX)jDGSE5RbGTdl3|K5ShAVv3mcoVN0Y`}(XqjSw+Lg!2 zCMdsRO8`ZLPMcz5QvkXcV78}=J#-xpFOT&fn)3>uB6wIb&@k0CSXCOS?Y>sk;J-J* z`#em^QpGh^iM`NPxnp6}&xcd%D!jZQjYII~r25%84ScmA{JSlw%8J?tN<=g! 
zuSYp3r?mE0f`+q&haL(2pfOi`!WaAq&7W2lqAO~C+|0|-qCR)l@*^kE^U;tDW*KHr zLYCpoN3!{?43x2ZNtfMT(N&cM2@(5;e0l>C9ke{sJ=ih4N2fd!B$7FtY-w#;*^9k} zV~u7eTh{`~i^as%1H3*C#zH*QYtDi)H~EEUWZle|IodV!l4cfGr)4Obl&z~V*pvYl zH16C_o-BMXsSkr=z^gWx3!vSa3iU`+s+nH_+kOqswbd$}CDuhLWb>lZcfnJ!3>nTD zliDO5mdlm#nsCQ{y4|M*4@%446=lGICD^M`ozl}<66X^FCq(?~S1f%me&IYsoI(ca z3E?!idh}uDY<%}k%!oM8sh9CvJhPa6;eQ(Vd<}c8|GtbkVl+zB|XVd^;@asuCXh0tRvmUXkH)NRp`Xi=D$9?{!tRdKmV+Sq`cW9 zInat>&k3AzCUCduThy=pG!yXVPxdFrYqrb%ALO+OGN89vm2edCp#J>)-T4`-V;^XS zfOSHpk2mw#x-nT3Qk>}jFk8m^U8&=tSkY_?4NkkBf`S!-vd4!-&^gRM( zc~T_U#*>@SXxvq0Ow!mnA^WFd zm0tfy^4R7;Xb+*$tA$}@?h?Hu%g1g@lc1%2B<`)HTBH%1MKkMICtakfTs`6LQOzKL z*4FY?*clQ~A-oUtyGTv1j^kN)@gFfdV!cQ8S@8KI6x}IU!!Nw^J~3)kn02GABW@m8 zEZP)rQQQy(a5g(SiP?c49RPdlTx@r^*QFR;Zq&btXmB81Hx=*&sHv6q9{?S^9982a}tS%~k z+z*WhYnO%1HoN>6@-_tv?;e8H;Zduq{JqJAz{@EsqMT$csl0S;$BKZ!PWh5gW245? zFUj(LZJxZA%lUaatw`7xw~|lXHD?|VbYtAQ^$>d@QbYOZ>JK{Id^qP_6w2`6-AtjT zxi2Y%haX~?>oc4Q3aW%*QzpU3{lC{{-4Yz(_tP|c@ueSPCJAqav(o$1NY_#;+g%$l zu=K}OxUl$=%1Eo;R`V!GjLglQ&h#7e($ggeqZRR$TGfoCQ;SMgz4%w+jo2sRJkty> z^9V0^aVLi*&5-I2IwJZ_ttS=Mftm9$cE9f0ZtjM?91QN=n!iOkoz$*M|Gf&__v8)Q zz6c7W$@p2q?ENfJxmC~yj+!NAt@b3QzejT4e;lCdg%o6IhucRin;@75T_wU+u^t$) z1=Wr0I5#WrOI%1Jac=nskei|Y?n!`MhruFa=oV$5XlcIk_fM6l`;(W5M00%Nt>@J< zYyHR1sJ@Hz3S(=Dg3P2zW;M56)q)JN`U2T1vm3@KU09$NTnoPH`#}C9LM*Bh z_MNG4R2XaHu*IpRw^v^!u71>*mmlIMuKnn5BJ^Mk^si1dK}(qbJCUtq-9h`@_^Q8i;3!+s{I zoBrg3f?eJonw$BLzpjr|rlTx_#BV6?(j?}w2zSo3gie1kB9vT23ZJ%}ed9McM{2pb zr>3JG{{|v5Xm~^-N?09+J++IaYHDIw_jo(uTlL6y7jiC1A|BOZbB-iVI_@^zs=Vq_ zCa$a&R#Y@-ehCYcQ6T?al}s;XhD1b*x4);62lq8%0r{~}aG~!<>6Rm2{w1-u?RL%l zkfU{b0Vege{kjS)net}Mq3PbbwHn0RUE-2j#?v)pjX>2$Z_uWe$xeS8+ODN|Gn$g|$vy~z)&0a#eh`5aWuO@e&}Izoh^7GFze*^VOWn%7?3UdK&UwHe_vg1n zEoaRy<$8D6hdkxD<83R7Miy2rs3B2A-^?6#gA8Ac+iEB;+6y6aZt`|<_gC4d1ZQG# zgNh8k*+`5iE?qO$+!W>v2fiH3CG?h{{{r$kG4@*4vN8n+@3(eJ$7)9F_FG9egwxgnZC6xga@ZEhyle8NX1dy>fh{fs7qt>aOACN~HUBH{!;Wr^o2#EP6C9N$+aXa?2vv zi`lzpzWSjr#IhPqGj2FNV!H-kS&*D>-CObr#VWWG5?pDr)ym2=C}ps)k#d5W(waRv 
z%!5x^{^D||CA#`+#R%GGDO@6;@yVp5|Ln@jxK<^cmwY0A!P3m@+_cWgLq#cGPey_VoMeJ8oA_!%P ztATq=%W+>#gQqR(P+g?DRohO=98<=|R*M}o+~##RPAw7zm0fVY$pNRqOYs|%EblL| zN2=?1Y=kg3vLcRS{1f&CIj=OQ(5mZtbX}a!s)zVcLOa6uX&idUj|J?TwGlMDPmTx= zh2g=hr|2W38H;TS;^=}A>EQ38P>Q<=!KPEB}t{br7vmp@5hzWr?u zw{DVdk4EgSyX*-mpEjonQgFoEZ5-C?Ga~W$NReE6r$sNDY$>(2ldCFj&h`-6>TDy4RrVJ)m=*x?@(yi;0xT28zfc?Yjl@F9V7Mvy85KPbb7EH*%To>Qx z^Y}&FgP6zz^pfEkI76`vzkeO4oU0zQ72J*#5+9UMs~li0pNe9N?W2pmsYBp?uI82 z(w$X9rQQ9Nu;?cTFUud>)G^*Niw6F)Ku9YbwPc=*wi!j5V1=y`h_}@!fu>|Ze`GRz z(UQgkdy2_~DW1G^B{wg$VbgRv>U&qjYXoP3f99uvRTx5CpoFFv2T{pWY<}aZhkR6EQL;-=LO5PPRu|K=xqKoOQ_#F^BokfyGJ2hRPgL4iEJ5l zTCS*Z;x$-DvZx~S%CUb-@CHoxFI{Kb*+1}b3$@&69(8C*2O{)5-5Gou8de9%%z~t7 zWM~B}t;(95=3-Nl`exrItTE79j`dqT(Vqadm%3BB@Q-+@M-h zr-Q3%;qiJlqBvp@snIa&{>?kAi&ClU06%0Okss?8G$3-2N!E8ue;?YoN@k#f^B^Ur zP!w~jyf?ObQGS~TvFH20|BPng1Mj~=EgVrxc4OSESX9Kz(q2I7xa*EEAm)q_sy{<0 z`P3&bm}hKX<+i0KjR!h_A|ZESwey1rHc^`NNLa@J@lt?k67=S3uH8R0B=JTqT2(BP z*X+aZhO6&Rzvi)W>#ju@+~Y=VoxJues^P2xtT!{T7s21@*Qs)aB-#HU_q|V5d1njs ziH=-?QE$ht*0T~gj5V`FUn?8!3~{I|DLZ;sNAvRd-0lT2%6ha1G&qxV^nN}cy>31^ z1GaHFK?5!U-qSYMuL1lJZ;zKFUi80}(%Pn0 zrvSoM=16zXm(A5my)9ew{fXX+@G?4$$3}FXvO2OYt>9JZd(_?Z!C1oKSOV4!w;zTp z<~(m6>ujM6uNVtYKl6_+DffpcXT8;%kz#B)HM#1FXJ{6KKAskX0!F5s(#e8qp$qx? zCA;|FKM?DS&0=qBCNO<&e|9jWPJ4i6Fi_gn#*2pq&vjx4#Z)=}6r@_E4lD2SGVO3R zDg<#Fc8N0zvhbS=+d66O^xo-e95QFVyV>t>ERsiebtoC+i{=bA1>CUPYyp#=+0gOp z2Y2TeZ(LTc6Q%TxHzQPBPRK`p`-cc22{5T6;jzOnq`Z6s!gvlzt0 zivNI`9ml8AQ9)gW8M>}0G|(vs2sl9)Z2%Z)$cABv(( z2|lhaEM?{XSJ0Rt8f!(z8PW?iqWeMkXO3rQ--d5yE0TM?C~%VW(NZ79C9=XiB)c?j zb&MAINQHZ8;2or2d_&Xij)18y08^_ExW@05YP0;mt2quFd~iYUz8?W$bn)g<8gT;( mH4xV(2T!Nn!oN(*zsyChX$uwq|IxC(vnvbPeusg=!2Az%Z57%8 diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e9b9e2d9..de2489e1 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -32046,7 +32046,7 @@ index 6bf0ecc2d..75b2f31f9 100644 +') + 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..edd47215b 100644 +index 8b403774f..0bdea37e9 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32394,13 +32394,13 @@ index 8b403774f..edd47215b 100644 +ifdef(`hide_broken_symptoms',` + term_dontaudit_use_unallocated_ttys(xauth_t) + dev_dontaudit_rw_dri(xauth_t) - ') - - optional_policy(` -+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) +') + +optional_policy(` ++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file) + ') + + optional_policy(` + ssh_use_ptys(xauth_t) ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) @@ -32704,7 +32704,7 @@ index 8b403774f..edd47215b 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +703,167 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +703,171 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -32756,6 +32756,10 @@ index 8b403774f..edd47215b 100644 +') + +optional_policy(` ++ cups_stream_connect(xdm_t) ++') ++ ++optional_policy(` + colord_read_lib_files(xdm_t) +') + @@ -32878,7 +32882,7 @@ index 8b403774f..edd47215b 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +876,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +880,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -32910,7 +32914,7 @@ index 8b403774f..edd47215b 100644 ') optional_policy(` -@@ -518,8 +911,36 @@ optional_policy(` +@@ -518,8 +915,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -32948,7 +32952,7 @@ index 8b403774f..edd47215b 100644 ') ') -@@ -530,6 +951,20 @@ optional_policy(` +@@ -530,6 +955,20 @@ optional_policy(` ') optional_policy(` 
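Review bot: The new `cups_stream_connect(xdm_t)` block in this hunk is not covered by any bullet of the commit's changelog entry, so the denial that motivated giving the display-manager domain a connection to the cupsd socket is recorded nowhere in the commit. The same gap applies to `kernel_read_vm_sysctls(condor_domain)`, the `dac_override` capability added for dirsrv_t, and `userdom_rw_user_tmp_sock_files($1_gkeyringd_t)` in the policy-rawhide-contrib.patch hunks touching condor.te, dirsrv.te and gnome.if. Each of these widens a domain's access beyond what the nine listed bullets describe, so anyone auditing the policy delta from the changelog will miss them. Adding one bullet per grant, e.g. `- Allow xdm_t to stream connect to cupsd`, would keep the spec changelog and the patch content in step. The surrounding xdm_t optional_policy blocks continue outside this hunk.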
@@ -32969,7 +32973,7 @@ index 8b403774f..edd47215b 100644 hostname_exec(xdm_t) ') -@@ -547,28 +982,78 @@ optional_policy(` +@@ -547,28 +986,78 @@ optional_policy(` ') optional_policy(` @@ -33057,7 +33061,7 @@ index 8b403774f..edd47215b 100644 ') optional_policy(` -@@ -580,6 +1065,14 @@ optional_policy(` +@@ -580,6 +1069,14 @@ optional_policy(` ') optional_policy(` @@ -33072,7 +33076,7 @@ index 8b403774f..edd47215b 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1087,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1091,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -33081,7 +33085,7 @@ index 8b403774f..edd47215b 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1097,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1101,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -33094,7 +33098,7 @@ index 8b403774f..edd47215b 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1114,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1118,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -33110,7 +33114,7 @@ index 8b403774f..edd47215b 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,36 +1130,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,36 +1134,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -33168,7 +33172,7 @@ index 8b403774f..edd47215b 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1197,29 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1201,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -33201,7 +33205,7 @@ index 8b403774f..edd47215b 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1231,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1235,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -33216,7 +33220,7 @@ index 8b403774f..edd47215b 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,28 +1252,25 @@ init_getpgid(xserver_t) +@@ -718,28 +1256,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -33249,7 +33253,7 @@ index 8b403774f..edd47215b 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; -@@ -785,17 +1316,54 @@ optional_policy(` +@@ -785,17 +1320,54 @@ optional_policy(` ') optional_policy(` @@ -33306,7 +33310,7 @@ index 8b403774f..edd47215b 100644 ') optional_policy(` -@@ -803,6 +1371,10 @@ optional_policy(` +@@ -803,6 +1375,10 @@ optional_policy(` ') optional_policy(` 
@@ -33317,7 +33321,7 @@ index 8b403774f..edd47215b 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1390,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1394,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -33342,7 +33346,7 @@ index 8b403774f..edd47215b 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1413,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1417,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -33377,7 +33381,7 @@ index 8b403774f..edd47215b 100644 ') optional_policy(` -@@ -912,7 +1478,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1482,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -33386,7 +33390,7 @@ index 8b403774f..edd47215b 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1532,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1536,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; 
@@ -33418,7 +33422,7 @@ index 8b403774f..edd47215b 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1578,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1582,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 71c1df7b..c4b24493 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -13909,7 +13909,7 @@ index 32e8265c2..508f3b84f 100644 + roleattribute $2 chronyc_roles; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c29..47b5fe7e4 100644 +index e5b621c29..98e3ce0ab 100644 --- a/chronyd.te +++ b/chronyd.te @@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0) @@ -13980,7 +13980,7 @@ index e5b621c29..47b5fe7e4 100644 corenet_all_recvfrom_unlabeled(chronyd_t) corenet_all_recvfrom_netlabel(chronyd_t) -@@ -76,18 +102,62 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +102,64 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -14045,6 +14045,8 @@ index e5b621c29..47b5fe7e4 100644 +corecmd_exec_bin(chronyc_t) + +sysnet_read_config(chronyc_t) ++ ++userdom_use_user_ptys(chronyc_t) diff --git a/cinder.fc b/cinder.fc new file mode 100644 index 000000000..4b318b783 @@ -16886,7 +16888,7 @@ index 881d92f35..a2d588a51 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040e2..eaefb5a97 100644 +index ce9f040e2..7c90ce13c 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) 
@@ -16929,7 +16931,7 @@ index ce9f040e2..eaefb5a97 100644 rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t) -@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) +@@ -86,16 +97,16 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) allow condor_domain condor_master_t:process signull; allow condor_domain condor_master_t:tcp_socket getattr; @@ -16940,6 +16942,7 @@ index ce9f040e2..eaefb5a97 100644 -kernel_read_system_state(condor_domain) +kernel_rw_kernel_sysctl(condor_domain) +kernel_search_network_sysctl(condor_domain) ++kernel_read_vm_sysctls(condor_domain) corecmd_exec_bin(condor_domain) corecmd_exec_shell(condor_domain) @@ -16949,7 +16952,7 @@ index ce9f040e2..eaefb5a97 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -109,9 +119,9 @@ dev_read_rand(condor_domain) +@@ -109,9 +120,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -16961,7 +16964,7 @@ index ce9f040e2..eaefb5a97 100644 sysnet_dns_name_resolve(condor_domain) -@@ -130,7 +140,7 @@ optional_policy(` +@@ -130,7 +141,7 @@ optional_policy(` # Master local policy # @@ -16970,7 +16973,7 @@ index ce9f040e2..eaefb5a97 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -138,6 +148,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -138,6 +149,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) 
@@ -16983,7 +16986,7 @@ index ce9f040e2..eaefb5a97 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -157,6 +173,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -157,6 +174,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) @@ -16992,7 +16995,7 @@ index ce9f040e2..eaefb5a97 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -174,6 +192,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -174,6 +193,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -17001,7 +17004,7 @@ index ce9f040e2..eaefb5a97 100644 ##################################### # # Negotiator local policy -@@ -183,12 +203,15 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -183,12 +204,15 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -17018,7 +17021,7 @@ index ce9f040e2..eaefb5a97 100644 allow condor_procd_t condor_domain:process sigkill; -@@ -199,13 +222,15 @@ domain_read_all_domains_state(condor_procd_t) +@@ -199,13 +223,15 @@ domain_read_all_domains_state(condor_procd_t) # Schedd local policy # 
@@ -17035,7 +17038,7 @@ index ce9f040e2..eaefb5a97 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -214,12 +239,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -214,12 +240,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -17056,7 +17059,7 @@ index ce9f040e2..eaefb5a97 100644 allow condor_startd_t self:process execmem; manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) -@@ -238,11 +270,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -238,11 +271,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -17069,7 +17072,7 @@ index ce9f040e2..eaefb5a97 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -254,3 +285,7 @@ optional_policy(` +@@ -254,3 +286,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -26235,7 +26238,7 @@ index 000000000..b3784d85d +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 000000000..58a8bf4fd +index 000000000..de56c291d --- /dev/null +++ b/dirsrv.te @@ -0,0 +1,210 @@ @@ -26292,7 +26295,7 @@ index 000000000..58a8bf4fd +# dirsrv local policy +# +allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms}; -+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search fowner }; ++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner }; +allow dirsrv_t self:fifo_file manage_fifo_file_perms; +allow dirsrv_t self:sem create_sem_perms; +allow dirsrv_t self:tcp_socket create_stream_socket_perms; 
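Review bot: The rewritten line `allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner };` adds `dac_override` next to the `dac_read_search` it already had, which lets the directory server bypass discretionary permission checks on every file it touches rather than only on reads and directory searches. That is the broadest of the DAC capabilities, and in practice it usually means the daemon is writing to a path whose ownership or mode does not match the uid it runs as, something that is often fixed by correcting the ownership instead of widening the policy. If the denial genuinely cannot be avoided, the grant deserves a short comment naming the path, e.g. `# dac_override: [path from the AVC] is not owned by dirsrv's uid`, and a changelog bullet, since the commit message does not mention it. dirsrv.te is a new file in the inner patch and the rest of its local policy falls outside this hunk.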
@@ -34490,7 +34493,7 @@ index e39de436a..5edcb8330 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d6195..e591cd040 100644 +index ab09d6195..e1ae96179 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -34596,7 +34599,7 @@ index ab09d6195..e591cd040 100644 ') ######################################## -@@ -74,14 +98,11 @@ template(`gnome_role_template',` +@@ -74,52 +98,101 @@ template(`gnome_role_template',` domtrans_pattern($3, gconfd_exec_t, gconfd_t) @@ -34614,8 +34617,10 @@ index ab09d6195..e591cd040 100644 ######################################## # # Gkeyringd policy -@@ -89,37 +110,86 @@ template(`gnome_role_template',` + # ++ allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms }; ++ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; @@ -34642,7 +34647,6 @@ index ab09d6195..e591cd040 100644 + allow $3 $1_gkeyringd_t:fd use; + allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms; + -+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write connectto}; + stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) + + kernel_read_system_state($1_gkeyringd_t) @@ -34659,6 +34663,8 @@ index ab09d6195..e591cd040 100644 + + logging_send_syslog_msg($1_gkeyringd_t) + ++ userdom_rw_user_tmp_sock_files($1_gkeyringd_t) ++ + allow $1_gkeyringd_t $3:dbus send_msg; + allow $3 $1_gkeyringd_t:dbus send_msg; @@ -34714,7 +34720,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -127,18 +197,18 @@ template(`gnome_role_template',` +@@ -127,18 +200,18 @@ template(`gnome_role_template',` ## ## # 
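Review bot: The added `allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms };` grants the keyring daemon `create`, `bind`, `listen` and `accept` (all part of `create_stream_socket_perms`) on sockets labelled with the user domain's type, which is wider than the `{ getattr read write connectto }` set that the `dontaudit` line removed in the following hunk used to silence, and wider than talking over a socket the user domain created requires. Unless the template relies on setsockcreate somewhere I cannot see, a socket the keyring daemon creates carries its own type rather than $3, so those creation permissions on the user domain's socket type serve no purpose and merely make the grant harder to audit; `allow $1_gkeyringd_t $3:unix_stream_socket { connectto rw_socket_perms };` or the literal four-permission set would match the changelog's "create stream socket with userdomain" intent more closely. If the wider set was copied from an AVC, the denial should be rechecked against the actual permissions requested, since `create_stream_socket_perms` is a convenience macro and not a minimal grant. The `gnome_role_template` enclosing these rules starts and ends outside the hunk.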
@@ -34738,7 +34744,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -146,119 +216,114 @@ interface(`gnome_exec_gconf',` +@@ -146,119 +219,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -34895,7 +34901,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -266,15 +331,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -266,15 +334,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -34922,7 +34928,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -282,57 +353,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -282,57 +356,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -35030,7 +35036,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -340,15 +443,18 @@ interface(`gnome_read_generic_home_content',` +@@ -340,15 +446,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -35054,7 +35060,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -356,22 +462,18 @@ interface(`gnome_manage_config',` +@@ -356,22 +465,18 @@ interface(`gnome_manage_config',` ## ## # @@ -35082,7 +35088,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -379,53 +481,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -379,53 +484,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -35144,7 +35150,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',` +@@ -433,17 +522,18 @@ interface(`gnome_home_filetrans',` ## ## # @@ -35167,7 +35173,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -451,23 +541,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -35195,7 +35201,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -475,22 +560,18 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # 
@@ -35222,7 +35228,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',` +@@ -498,79 +579,59 @@ interface(`gnome_manage_generic_gconf_home_content',` ## ## # @@ -35320,7 +35326,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -579,12 +640,12 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## ## @@ -35335,7 +35341,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -593,18 +654,18 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## # @@ -35360,7 +35366,7 @@ index ab09d6195..e591cd040 100644 ## ## ## -@@ -612,46 +670,81 @@ interface(`gnome_gconf_home_filetrans',` +@@ -612,46 +673,58 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -35385,11 +35391,15 @@ index ab09d6195..e591cd040 100644 +## Read generic data home dirs. ## -## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +## +## +## Domain allowed access. +## -+## + ## +# +interface(`gnome_read_generic_data_home_dirs',` + gen_require(` @@ -35402,30 +35412,6 @@ index ab09d6195..e591cd040 100644 +####################################### +## +## Manage gconf data home files -+## -+## - ## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). -+## Domain allowed access. - ## - ## -+# -+interface(`gnome_manage_data',` -+ gen_require(` -+ type data_home_t; -+ type gconf_home_t; -+ ') -+ -+ allow $1 gconf_home_t:dir search_dir_perms; -+ manage_dirs_pattern($1, data_home_t, data_home_t) -+ manage_files_pattern($1, data_home_t, data_home_t) -+ manage_lnk_files_pattern($1, data_home_t, data_home_t) -+') -+ -+######################################## -+## -+## Read icc data home content. +## ## ## 
@@ -35434,15 +35420,44 @@ index ab09d6195..e591cd040 100644 ## # -interface(`gnome_dbus_chat_gkeyringd',` -+interface(`gnome_read_home_icc_data_content',` ++interface(`gnome_manage_data',` gen_require(` - type $1_gkeyringd_t; - class dbus send_msg; -+ type icc_data_home_t, gconf_home_t, data_home_t; ++ type data_home_t; ++ type gconf_home_t; ') - allow $2 $1_gkeyringd_t:dbus send_msg; - allow $1_gkeyringd_t $2:dbus send_msg; ++ allow $1 gconf_home_t:dir search_dir_perms; ++ manage_dirs_pattern($1, data_home_t, data_home_t) ++ manage_files_pattern($1, data_home_t, data_home_t) ++ manage_lnk_files_pattern($1, data_home_t, data_home_t) + ') + + ######################################## + ## +-## Send and receive messages from all +-## gnome keyring daemon over dbus. ++## Read icc data home content. + ## + ## + ## +@@ -659,59 +732,1091 @@ interface(`gnome_dbus_chat_gkeyringd',` + ## + ## + # +-interface(`gnome_dbus_chat_all_gkeyringd',` ++interface(`gnome_read_home_icc_data_content',` + gen_require(` +- attribute gkeyringd_domain; +- class dbus send_msg; ++ type icc_data_home_t, gconf_home_t, data_home_t; + ') + +- allow $1 gkeyringd_domain:dbus send_msg; +- allow gkeyringd_domain $1:dbus send_msg; + userdom_search_user_home_dirs($1) + allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; + allow $1 icc_data_home_t:file map; 
@@ -35451,69 +35466,68 @@ index ab09d6195..e591cd040 100644 + read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) ') - ######################################## - ## --## Send and receive messages from all --## gnome keyring daemon over dbus. -+## Read inherited icc data home files. - ## - ## - ## -@@ -659,46 +752,64 @@ interface(`gnome_dbus_chat_gkeyringd',` - ## - ## - # --interface(`gnome_dbus_chat_all_gkeyringd',` -+interface(`gnome_read_inherited_home_icc_data_files',` - gen_require(` -- attribute gkeyringd_domain; -- class dbus send_msg; -+ type icc_data_home_t; - ') - -- allow $1 gkeyringd_domain:dbus send_msg; -- allow gkeyringd_domain $1:dbus send_msg; -+ allow $1 icc_data_home_t:file read_inherited_file_perms; - ') - ######################################## ## -## Connect to gnome keyring daemon -## with a unix stream socket. -+## Create gconf_home_t objects in the /root directory ++## Read inherited icc data home files. ## -## +## -+## -+## Domain allowed access. -+## -+## -+## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -+## The class of the object to be created. ++## Domain allowed access. ## ## ++# ++interface(`gnome_read_inherited_home_icc_data_files',` ++ gen_require(` ++ type icc_data_home_t; ++ ') ++ ++ allow $1 icc_data_home_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## Create gconf_home_t objects in the /root directory ++## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The class of the object to be created. ++## ++## +## +## +## The name of the object being created. 
+## +## -+# + # +-interface(`gnome_stream_connect_gkeyringd',` +interface(`gnome_admin_home_gconf_filetrans',` -+ gen_require(` + gen_require(` +- type $1_gkeyringd_t, gnome_keyring_tmp_t; + type gconf_home_t; -+ ') -+ + ') + +- files_search_tmp($2) +- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) + userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Connect to all gnome keyring daemon +-## with a unix stream socket. +## Do not audit attempts to read +## inherited gconf config files. -+## + ## ## ## -## Domain allowed access. 
@@ -35521,35 +35535,31 @@ index ab09d6195..e591cd040 100644 ## ## # --interface(`gnome_stream_connect_gkeyringd',` -+interface(`gnome_dontaudit_read_inherited_gconf_config_files',` - gen_require(` -- type $1_gkeyringd_t, gnome_keyring_tmp_t; -+ type gconf_etc_t; - ') - -- files_search_tmp($2) -- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) -+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; - ') - - ######################################## - ## --## Connect to all gnome keyring daemon --## with a unix stream socket. -+## read gconf config files - ## - ## - ## -@@ -706,12 +817,1003 @@ interface(`gnome_stream_connect_gkeyringd',` - ## - ## - # -interface(`gnome_stream_connect_all_gkeyringd',` -+interface(`gnome_read_gconf_config',` ++interface(`gnome_dontaudit_read_inherited_gconf_config_files',` gen_require(` - attribute gkeyringd_domain; - type gnome_keyring_tmp_t; ++ type gconf_etc_t; + ') + +- files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## read gconf config files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gconf_config',` ++ gen_require(` + type gconf_etc_t; + ') + @@ -35693,10 +35703,9 @@ index ab09d6195..e591cd040 100644 +interface(`gnome_list_gkeyringd_tmp_dirs',` + gen_require(` + type gkeyringd_tmp_t; - ') - - files_search_tmp($1) -- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ++ ') ++ ++ files_search_tmp($1) + allow $1 gkeyringd_tmp_t:dir list_dir_perms; +') + @@ -40966,7 +40975,7 @@ index 000000000..e86db5418 +') diff --git a/ipmievd.te b/ipmievd.te new file mode 100644 -index 000000000..06b8358b4 +index 000000000..3990b66b2 --- /dev/null +++ b/ipmievd.te @@ -0,0 +1,52 @@ 
@@ -41007,7 +41016,7 @@ index 000000000..06b8358b4 +kernel_read_system_state(ipmievd_t) +kernel_load_module(ipmievd_t) + -+auth_read_passwd(ipmievd_t) ++auth_use_nsswitch(ipmievd_t) + +corecmd_exec_bin(ipmievd_t) + @@ -41900,10 +41909,10 @@ index 7eb381121..8075ba5f0 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index af67c36ee..aa88a0ac2 100644 +index af67c36ee..4755e0af8 100644 --- a/jabber.te +++ b/jabber.te -@@ -9,129 +9,133 @@ attribute jabberd_domain; +@@ -9,129 +9,137 @@ attribute jabberd_domain; jabber_domain_template(jabberd) jabber_domain_template(jabberd_router) @@ -41971,6 +41980,7 @@ index af67c36ee..aa88a0ac2 100644 +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) ++corenet_tcp_connect_postgresql_port(jabberd_router_t) -logging_send_syslog_msg(jabberd_domain) +fs_getattr_all_fs(jabberd_router_t) 
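Review bot: Replacing `auth_read_passwd(ipmievd_t)` with `auth_use_nsswitch(ipmievd_t)` in the ipmievd.te hunk widens the grant well beyond reading the passwd database; in this tree auth_use_nsswitch appears to also pull in name resolution, LDAP/nscd/sssd socket connects and netlink route sockets. If the motivating denial was a lookup through sssd or nscd, a why-comment above the rule should say so, e.g. `# user/group lookups go through nscd/sssd`, and the changelog line should name it; if only a local passwd read was missing, the original interface is the narrower choice. ipmievd_t's local policy continues outside this hunk.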
@@ -41999,84 +42009,87 @@ index af67c36ee..aa88a0ac2 100644 -dontaudit jabberd_t self:capability sys_tty_config; -allow jabberd_t self:tcp_socket create_socket_perms; -allow jabberd_t self:udp_socket create_socket_perms; ++allow jabberd_t self:netlink_route_socket { create_socket_perms nlmsg_read }; ++ +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) - --manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) ++ +corenet_tcp_bind_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) ++corenet_tcp_connect_postgresql_port(jabberd_t) + +-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) ++userdom_dontaudit_use_unpriv_user_fds(jabberd_t) ++userdom_dontaudit_search_user_home_dirs(jabberd_t) -allow jabberd_t jabberd_log_t:dir setattr_dir_perms; -append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) -+userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -+userdom_dontaudit_search_user_home_dirs(jabberd_t) - --manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) +miscfiles_read_certs(jabberd_t) --manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) --files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) +optional_policy(` + seutil_sigchld_newrole(jabberd_t) +') --kernel_read_kernel_sysctls(jabberd_t) +-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +optional_policy(` + udev_read_db(jabberd_t) +') --corenet_sendrecv_jabber_client_server_packets(jabberd_t) 
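Review bot: `corenet_tcp_connect_postgresql_port(jabberd_router_t)` is added unconditionally, so every jabberd router gets outbound access to the PostgreSQL port whether or not the deployment has a database backend. Other modules in this tree appear to gate database-port access behind a boolean rather than granting it outright; declaring a `gen_tunable(jabber_can_network_connect_db, false)` and wrapping the rule in `tunable_policy(`jabber_can_network_connect_db', `...')` would keep the default footprint unchanged for installs that do not use PostgreSQL. The jabberd_router_t section continues outside this hunk.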
--corenet_tcp_bind_jabber_client_port(jabberd_t) --corenet_tcp_sendrecv_jabber_client_port(jabberd_t) +-kernel_read_kernel_sysctls(jabberd_t) +###################################### +# +# Local policy for pyicq-t +# --corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) --corenet_tcp_bind_jabber_interserver_port(jabberd_t) --corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) +-corenet_sendrecv_jabber_client_server_packets(jabberd_t) +-corenet_tcp_bind_jabber_client_port(jabberd_t) +-corenet_tcp_sendrecv_jabber_client_port(jabberd_t) +# need for /var/log/pyicq-t.log +manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t) +logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) --dev_read_rand(jabberd_t) +-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +-corenet_tcp_bind_jabber_interserver_port(jabberd_t) +-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) +manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t); --domain_use_interactive_fds(jabberd_t) +-dev_read_rand(jabberd_t) +files_search_spool(pyicqt_t) +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t); --files_read_etc_files(jabberd_t) --files_read_etc_runtime_files(jabberd_t) +-domain_use_interactive_fds(jabberd_t) +corenet_tcp_bind_jabber_router_port(pyicqt_t) +corenet_tcp_connect_jabber_router_port(pyicqt_t) --fs_search_auto_mountpoints(jabberd_t) +-files_read_etc_files(jabberd_t) +-files_read_etc_runtime_files(jabberd_t) +corecmd_exec_bin(pyicqt_t) --sysnet_read_config(jabberd_t) +-fs_search_auto_mountpoints(jabberd_t) +dev_read_urand(pyicqt_t) +-sysnet_read_config(jabberd_t) ++auth_use_nsswitch(pyicqt_t) + -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) -+auth_use_nsswitch(pyicqt_t) - +# needed for pyicq-t-mysql ++optional_policy(` ++ corenet_tcp_connect_mysqld_port(pyicqt_t) ++') + optional_policy(` - udev_read_db(jabberd_t) -+ corenet_tcp_connect_mysqld_port(pyicqt_t) ++ 
sysnet_use_ldap(pyicqt_t) ') -######################################## -+optional_policy(` -+ sysnet_use_ldap(pyicqt_t) -+') -+ +####################################### # -# Router local policy @@ -46979,7 +46992,7 @@ index 3602712d0..af83a5b6b 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 4c2b1110e..f01469806 100644 +index 4c2b1110e..4baf7a041 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) @@ -46992,7 +47005,7 @@ index 4c2b1110e..f01469806 100644 type slapd_keytab_t; files_type(slapd_keytab_t) -@@ -47,9 +50,9 @@ files_pid_file(slapd_var_run_t) +@@ -47,9 +50,10 @@ files_pid_file(slapd_var_run_t) # Local policy # @@ -47000,11 +47013,12 @@ index 4c2b1110e..f01469806 100644 +allow slapd_t self:capability { kill setgid setuid net_raw dac_read_search }; dontaudit slapd_t self:capability sys_tty_config; -allow slapd_t self:process setsched; ++dontaudit slapd_t self:capability2 block_suspend; +allow slapd_t self:process { setsched signal } ; allow slapd_t self:fifo_file rw_fifo_file_perms; allow slapd_t self:tcp_socket { accept listen }; -@@ -60,6 +63,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) +@@ -60,6 +64,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) @@ -47012,7 +47026,7 @@ index 4c2b1110e..f01469806 100644 allow slapd_t slapd_etc_t:file read_file_perms; -@@ -69,9 +73,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms; +@@ -69,9 +74,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms; files_lock_filetrans(slapd_t, slapd_lock_t, file) manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) 
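Review bot: The `optional_policy(` wrapper placed around `corenet_tcp_connect_mysqld_port(pyicqt_t)` in the jabber.te hunk is a no-op: optional_policy only drops the block when the module providing the interface is absent, and corenetwork is a base-layer module as far as I can tell, so pyicqt_t always gets MySQL port access. If the intent is to make the MySQL dependency conditional it belongs in a tunable_policy block; otherwise drop the wrapper and keep `# needed for pyicq-t-mysql` on the bare rule. The same hunk also adds `allow jabberd_t self:netlink_route_socket { create_socket_perms nlmsg_read };` and an unconditional `corenet_tcp_connect_postgresql_port(jabberd_t)` with no comment on what triggered them; a one-line why-comment on each would make the grants reviewable.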
@@ -47023,7 +47037,7 @@ index 4c2b1110e..f01469806 100644 logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) -@@ -93,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) +@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -47031,7 +47045,7 @@ index 4c2b1110e..f01469806 100644 corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) corenet_tcp_sendrecv_generic_node(slapd_t) -@@ -115,25 +116,26 @@ fs_getattr_all_fs(slapd_t) +@@ -115,25 +117,26 @@ fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) files_read_etc_runtime_files(slapd_t) @@ -68743,7 +68757,7 @@ index 000000000..3ff5b7610 +') diff --git a/opensm.fc b/opensm.fc new file mode 100644 -index 000000000..51650fa65 +index 000000000..65511ed7a --- /dev/null +++ b/opensm.fc @@ -0,0 +1,7 @@ @@ -68753,7 +68767,7 @@ index 000000000..51650fa65 + +/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0) + -+/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0) ++/var/log/opensm.* -- gen_context(system_u:object_r:opensm_log_t,s0) diff --git a/opensm.if b/opensm.if new file mode 100644 index 000000000..45de66477 @@ -70959,7 +70973,7 @@ index bf59ef731..0e333279c 100644 +') + diff --git a/passenger.te b/passenger.te -index 08ec33bf2..e175fc6a9 100644 +index 08ec33bf2..c1af8d7ae 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ @@ -71025,7 +71039,7 @@ index 08ec33bf2..e175fc6a9 100644 kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) -@@ -53,13 +63,10 @@ kernel_read_network_state(passenger_t) +@@ -53,13 +63,11 @@ kernel_read_network_state(passenger_t) kernel_read_net_sysctls(passenger_t) corenet_all_recvfrom_netlabel(passenger_t) 
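Review bot: The new opensm.fc pattern `/var/log/opensm.*` is an unescaped regex, so `.*` matches any character including `/`: it labels `/var/log/opensmanything` and regular files under a `/var/log/opensm…/` directory as opensm_log_t, not just opensm.log* and opensm-subnet.lst. Keeping the old escaping and only adding the dash form is tighter, e.g. `/var/log/opensm[-.][^/]*	--	gen_context(system_u:object_r:opensm_log_t,s0)`. The changelog names opensm-subnet.lst as the only new file, so this covers it without opening the rest of /var/log to the label.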
@@ -71037,10 +71051,11 @@ index 08ec33bf2..e175fc6a9 100644 corenet_tcp_connect_http_port(passenger_t) -corenet_tcp_sendrecv_http_port(passenger_t) +corenet_tcp_connect_postgresql_port(passenger_t) ++corenet_tcp_connect_mysqld_port(passenger_t) corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -68,10 +75,10 @@ dev_read_urand(passenger_t) +@@ -68,10 +76,10 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) @@ -71053,7 +71068,7 @@ index 08ec33bf2..e175fc6a9 100644 logging_send_syslog_msg(passenger_t) miscfiles_read_localization(passenger_t) -@@ -83,6 +90,7 @@ userdom_dontaudit_use_user_terminals(passenger_t) +@@ -83,6 +91,7 @@ userdom_dontaudit_use_user_terminals(passenger_t) optional_policy(` apache_append_log(passenger_t) apache_read_sys_content(passenger_t) @@ -71061,7 +71076,7 @@ index 08ec33bf2..e175fc6a9 100644 ') optional_policy(` -@@ -94,14 +102,21 @@ optional_policy(` +@@ -94,14 +103,21 @@ optional_policy(` ') optional_policy(` @@ -106028,7 +106043,7 @@ index 1499b0bbf..e695a62f3 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e3578..befb6796c 100644 +index cc58e3578..ece033330 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -106464,7 +106479,7 @@ index cc58e3578..befb6796c 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +352,7 @@ optional_policy(` +@@ -243,19 +352,31 @@ optional_policy(` ') optional_policy(` @@ -106472,7 +106487,12 @@ index cc58e3578..befb6796c 100644 evolution_stream_connect(spamc_t) ') -@@ -251,11 +361,18 @@ optional_policy(` + optional_policy(` ++ cyrus_stream_connect(spamc_t) ++') ++ ++optional_policy(` + milter_manage_spamass_state(spamc_t) ') optional_policy(` @@ -106492,7 +106512,7 @@ index cc58e3578..befb6796c 100644 ') optional_policy(` -@@ -267,48 +384,54 @@ optional_policy(` +@@ -267,48 +388,54 @@ optional_policy(` ######################################## # 
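Review bot: `corenet_tcp_connect_mysqld_port(passenger_t)` is added unconditionally next to the already unconditional `corenet_tcp_connect_postgresql_port(passenger_t)`, so passenger_t can reach both database ports on any host regardless of deployment. The httpd domains this module cooperates with (the apache_* optional_policy calls in the same file) appear to gate equivalent access behind a can_network_connect_db style boolean; putting both rules in a tunable_policy block keyed on that boolean, or on a passenger-specific one, would keep the default policy tight. passenger_t's local policy continues outside this hunk.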
@@ -106567,7 +106587,7 @@ index cc58e3578..befb6796c 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +440,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +444,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -106584,7 +106604,7 @@ index cc58e3578..befb6796c 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +456,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +460,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -106689,7 +106709,7 @@ index cc58e3578..befb6796c 100644 ') optional_policy(` -@@ -421,21 +528,13 @@ optional_policy(` +@@ -421,21 +532,13 @@ optional_policy(` ') optional_policy(` @@ -106713,7 +106733,7 @@ index cc58e3578..befb6796c 100644 ') optional_policy(` -@@ -443,8 +542,8 @@ optional_policy(` +@@ -443,8 +546,8 @@ optional_policy(` ') optional_policy(` @@ -106723,7 +106743,7 @@ index cc58e3578..befb6796c 100644 ') optional_policy(` -@@ -455,7 +554,17 @@ optional_policy(` +@@ -455,7 +558,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -106742,7 +106762,7 @@ index cc58e3578..befb6796c 100644 ') optional_policy(` -@@ -463,9 +572,10 @@ optional_policy(` +@@ -463,9 +576,10 @@ optional_policy(` ') optional_policy(` @@ -106754,7 +106774,7 @@ index cc58e3578..befb6796c 100644 ') optional_policy(` -@@ -474,32 +584,31 @@ optional_policy(` +@@ -474,32 +588,31 @@ optional_policy(` ######################################## # 
@@ -106796,7 +106816,7 @@ index cc58e3578..befb6796c 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +621,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -112360,10 +112380,10 @@ index 000000000..368e18842 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 000000000..5185a9e8e +index 000000000..f124882af --- /dev/null +++ b/tlp.te -@@ -0,0 +1,86 @@ +@@ -0,0 +1,91 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -112429,6 +112449,7 @@ index 000000000..5185a9e8e +logging_send_syslog_msg(tlp_t) + +storage_raw_read_fixed_disk(tlp_t) ++storage_raw_read_removable_device(tlp_t) +storage_raw_write_removable_device(tlp_t) + +sysnet_exec_ifconfig(tlp_t) @@ -112450,6 +112471,10 @@ index 000000000..5185a9e8e + sssd_read_public_files(tlp_t) + sssd_stream_connect(tlp_t) +') ++ ++optional_policy(` ++ udev_domtrans(tlp_t) ++') diff --git a/tmpreaper.te b/tmpreaper.te index 585a77f95..71981be9d 100644 --- a/tmpreaper.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 6014ce95..b59ba001 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 301%{?dist} +Release: 302%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
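Review bot: The changelog entry for this release describes the tlp change as "Fix typo bug in tlp module", but the tlp.te hunk grants two new permissions, `storage_raw_read_removable_device(tlp_t)` and a domain transition to udev via `udev_domtrans(tlp_t)`, neither of which is a typo fix (the actual typo fix may be elsewhere in the patch, outside this view). Neither rule carries a comment saying what tlp invokes that needs raw reads of removable block devices or needs to run udev in udev_t; a one-line why-comment on each, e.g. `# tlp re-triggers udev events for power-management rules`, plus a changelog line that names the new grants would make them reviewable. Whether a transition to udev_t is the right interface, versus executing the tool in tlp_t's own domain, depends on what tlp runs, which is not visible here.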
@@ -717,6 +717,17 @@ exit 0 %endif %changelog +* Mon Nov 06 2017 Lukas Vrabec - 3.13.1-302 +- Allow jabber domains to connect to postgresql ports +- Dontaudit slapd_t to block suspend system +- Allow spamc_t to stream connect to cyrys. +- Allow passenger to connect to mysqld_port_t +- Allow ipmievd to use nsswitch +- Allow chronyc_t domain to use user_ptys +- Label all files /var/log/opensm.* as opensm_log_t because opensm creating new log files with name opensm-subnet.lst +- Fix typo bug in tlp module +- Allow userdomain gkeyringd domain to create stream socket with userdomain + * Fri Nov 03 2017 Lukas Vrabec - 3.13.1-301 - Merge pull request #37 from milosmalik/rawhide - Allow mozilla_plugin_t domain to dbus chat with devicekit