diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2ecf31ad..4a2ac6f4 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -110364,7 +110364,7 @@ index 4705ab6..11a1ae6 100644 +gen_tunable(selinuxuser_tcp_server,false) + diff --git a/policy/mcs b/policy/mcs -index 216b3d1..552c23a 100644 +index 216b3d1..81bc8c4 100644 --- a/policy/mcs +++ b/policy/mcs @@ -1,4 +1,6 @@ 
@@ -110374,7 +110374,44 @@ index 216b3d1..552c23a 100644 # # Define sensitivities # -@@ -99,14 +101,18 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } +@@ -69,53 +71,50 @@ gen_levels(1,mcs_num_cats) + # - /proc/pid operations are not constrained. + + mlsconstrain file { read ioctl lock execute execute_no_trans } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain file { write setattr append unlink link rename } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain dir { search read ioctl lock } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain dir { write setattr append unlink link rename add_name remove_name } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain fifo_file { open } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or +- (( t1 != mcs_constrained_type ) and ( t2 == domain ))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } +- (( h1 dom h2 ) or ( t1 == mcsreadall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } +- (( h1 dom h2 ) or ( t1 == mcswriteall ) or +- (( t1 != mcs_constrained_type ) and (t2 == domain))); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } 
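Review bot: The rewritten file/dir/fifo constraints in policy/mcs change who is exempt, not only which attribute is tested: the previous exemption `(( t1 != mcs_constrained_type ) and (t2 == domain))` bypassed the category check only for process-owned targets such as /proc/pid, whereas `( t1 != mcs_constrained_type )` alone exempts every non-constrained subject on every target, so MCS separation now holds only for domains explicitly given mcs_constrained(). The file's header comment still ends with `# - /proc/pid operations are not constrained.` and should state the new model, e.g. `# - Only domains carrying mcs_constrained_type (via mcs_constrained()) are subject to these constraints; every other domain bypasses them.` The mcsreadall/mcswriteall attributes no longer appear in any constraint in this hunk, so any remaining declaration of them (not visible here) is dead.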
@@ -110385,18 +110422,30 @@ index 216b3d1..552c23a 100644 # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } - ( h1 dom h2 ); -+ (( h1 dom h2 ) or ( t1 == mcswriteall )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +mlsconstrain { file lnk_file fifo_file } { create relabelto } -+ ( l2 eq h2 ); ++ (( l2 eq h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); -+ ( h1 dom h2 ); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); -@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +- (( h1 dom h2 ) or ( t1 == mcssetcats )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain process { ptrace } +- (( h1 dom h2) or ( t1 == mcsptraceall )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain process { sigkill sigstop } +- (( h1 dom h2 ) or ( t1 == mcskillall )); ++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + + mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); +@@ -166,4 +165,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -111417,10 +111466,10 @@ index 0960199..aa51ab2 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..8ae7673 100644 +index d9fce57..baefb50 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,100 @@ attribute sudodomain; +@@ -7,3 +7,101 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) 
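Review bot: The new `mlsconstrain { file lnk_file fifo_file } { create relabelto } (( l2 eq h2 ) or ( t1 != mcs_constrained_type ))` lets any non-constrained domain create or relabel a file to a ranged MCS label, whereas the previous revision of this hunk applied `( l2 eq h2 )` to every subject. If that is intended, a one-line comment above it saying that only constrained domains are held to single-level objects would help; if not, keep `( l2 eq h2 );` unconditional as before. The `process { transition dyntransition }` constraint also stops referencing mcssetcats while mcs_process_set_categories() in mcs.if still sets that attribute, so unless a constraint outside this hunk uses it the attribute is now inert.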
@@ -111453,8 +111502,9 @@ index d9fce57..8ae7673 100644 +allow sudodomain self:unix_stream_socket connectto; +allow sudodomain self:key manage_key_perms; + -+kernel_read_kernel_sysctls(sudodomain) ++kernel_getattr_core_if(sudodomain) +kernel_link_key(sudodomain) ++kernel_read_kernel_sysctls(sudodomain) + +corecmd_read_bin_symlinks(sudodomain) +corecmd_exec_all_executables(sudodomain) @@ -114347,7 +114397,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..ae311f6 100644 +index 4edc40d..26fc01f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -114560,7 +114610,7 @@ index 4edc40d..ae311f6 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,14 +252,16 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +252,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -114578,7 +114628,12 @@ index 4edc40d..ae311f6 100644 network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) -@@ -233,19 +273,20 @@ network_port(rsync, tcp,873,s0, udp,873,s0) + network_port(rlogind, tcp,513,s0) +-network_port(rndc, tcp,953,s0, udp,953,s0) ++network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0) + network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) + network_port(rsh, tcp,514,s0) + network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rtsp, tcp,554,s0, udp,554,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) 
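Review bot: The new tcp 8953 entry in `network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0)` has no comment saying which service listens there, which matters because every listener on that port now lands in rndc_port_t instead of a port type of its own. A line such as `# tcp 8953: presumably unbound-control, kept in rndc_port_t -- confirm` above it would record the intent for the next reader.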
@@ -116807,7 +116862,7 @@ index 6529bd9..cfec99c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..eee8419 100644 +index 6a1e4d1..70c5c72 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -116916,7 +116971,7 @@ index 6a1e4d1..eee8419 100644 ## Relabel to and from all entry point ## file types. ## -@@ -1530,4 +1543,29 @@ interface(`domain_unconfined',` +@@ -1530,4 +1543,30 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -116926,6 +116981,7 @@ index 6a1e4d1..eee8419 100644 + mcs_killall($1) + mcs_ptrace_all($1) + mcs_socket_write_all_levels($1) ++ mcs_process_set_categories($1) +') + +######################################## @@ -116947,7 +117003,7 @@ index 6a1e4d1..eee8419 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..7219a2a 100644 +index cf04cb5..ebbf47a 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -117073,7 +117129,7 @@ index cf04cb5..7219a2a 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +227,283 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -117356,6 +117412,7 @@ index cf04cb5..7219a2a 100644 + prelink_exec(domain) + ') +') ++ 
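Review bot: domain_unconfined() in domain.if still calls `mcs_killall($1)`, `mcs_ptrace_all($1)` and `mcs_socket_write_all_levels($1)`, the very interfaces this commit turns into refpolicywarn() stubs in mcs.if, so every unconfined_domain() user will print a deprecation warning at build time and gain nothing from those three lines. Only the added `mcs_process_set_categories($1)` still has an effect; the three deprecated calls should be removed here as they were from init.te, fstools.te, mount.te and unconfineduser.te elsewhere in this diff. The opening of domain_unconfined() is outside the hunk.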
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c2c6e05..d0e6d1c 100644 --- a/policy/modules/kernel/files.fc @@ -122486,10 +122543,62 @@ index 6fac350..6fc8411 100644 +read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t) +list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if -index b08a6e8..226021d 100644 +index b08a6e8..43d504b 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if -@@ -130,3 +130,23 @@ interface(`mcs_process_set_categories',` +@@ -44,11 +44,7 @@ interface(`mcs_constrained',` + ## + # + interface(`mcs_file_read_all',` +- gen_require(` +- attribute mcsreadall; +- ') +- +- typeattribute $1 mcsreadall; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') + ') + + ######################################## +@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` + ## + # + interface(`mcs_file_write_all',` +- gen_require(` +- attribute mcswriteall; +- ') +- +- typeattribute $1 mcswriteall; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') + ') + + ######################################## +@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` + ## + # + interface(`mcs_killall',` +- gen_require(` +- attribute mcskillall; +- ') +- +- typeattribute $1 mcskillall; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') + ') + + ######################################## +@@ -104,11 +92,7 @@ interface(`mcs_killall',` + ## + # + interface(`mcs_ptrace_all',` +- gen_require(` +- attribute mcsptraceall; +- ') +- +- typeattribute $1 mcsptraceall; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') + ') + + ######################################## +@@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',` typeattribute $1 mcssetcats; ') 
@@ -122507,11 +122616,7 @@ index b08a6e8..226021d 100644 +## +# +interface(`mcs_socket_write_all_levels',` -+ gen_require(` -+ attribute mcsnetwrite; -+ ') -+ -+ typeattribute $1 mcsnetwrite; ++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') +') diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 5cbeb54..8067370 100644 @@ -125899,10 +126004,10 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..0b9a7bb +index 0000000..09d96d1 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,373 @@ +@@ -0,0 +1,369 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -125979,10 +126084,6 @@ index 0000000..0b9a7bb +files_create_default_dir(unconfined_t) +files_root_filetrans_default(unconfined_t, dir) + -+mcs_killall(unconfined_t) -+mcs_ptrace_all(unconfined_t) -+mls_file_write_all_levels(unconfined_t) -+ +init_run_daemon(unconfined_t, unconfined_r) +init_domtrans_script(unconfined_t) +init_telinit(unconfined_t) @@ -132283,7 +132384,7 @@ index 016a770..1effeb4 100644 + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 6c4b6ee..86a90a2 100644 +index 6c4b6ee..417f5e5 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -13,6 +13,9 @@ role system_r types fsadm_t; @@ -132321,7 +132422,7 @@ index 6c4b6ee..86a90a2 100644 # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) files_etc_filetrans_etc_runtime(fsadm_t, file) -@@ -120,11 +131,16 @@ fs_list_auto_mountpoints(fsadm_t) +@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) 
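Review bot: The deprecation text in the mcs.if stubs, `refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')`, says the opposite of what the new model requires: the removed interfaces granted a bypass, while mcs_constrained() opts a domain into the constraints, so "remove mcs_constrained()" tells callers to loosen rather than clean up. Suggested wording for all five stubs: `refpolicywarn(`$0() has been deprecated; MCS constraints now apply only to domains marked with mcs_constrained(), so this call can be dropped.')`. The same string appears in the mcs_socket_write_all_levels stub of the following hunk.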
@@ -132331,14 +132432,7 @@ index 6c4b6ee..86a90a2 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs - files_search_all(fsadm_t) - -+mcs_file_read_all(fsadm_t) -+ - mls_file_read_all_levels(fsadm_t) - mls_file_write_all_levels(fsadm_t) - -@@ -133,21 +149,24 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -133,21 +147,24 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) @@ -132365,7 +132459,7 @@ index 6c4b6ee..86a90a2 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +185,11 @@ optional_policy(` +@@ -166,6 +183,11 @@ optional_policy(` ') optional_policy(` @@ -132377,7 +132471,7 @@ index 6c4b6ee..86a90a2 100644 hal_dontaudit_write_log(fsadm_t) ') -@@ -179,6 +203,10 @@ optional_policy(` +@@ -179,6 +201,10 @@ optional_policy(` ') optional_policy(` @@ -132388,7 +132482,7 @@ index 6c4b6ee..86a90a2 100644 nis_use_ypbind(fsadm_t) ') -@@ -192,6 +220,10 @@ optional_policy(` +@@ -192,6 +218,10 @@ optional_policy(` ') optional_policy(` @@ -133819,7 +133913,7 @@ index 24e7804..386109d 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..682e5fc 100644 +index dd3be8d..2cef56a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` 
@@ -134006,16 +134100,13 @@ index dd3be8d..682e5fc 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,6 +221,8 @@ fs_list_inotifyfs(init_t) - # cjp: this may be related to /dev/log +@@ -156,28 +222,46 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) -+mcs_file_read_all(init_t) -+mcs_file_write_all(init_t) mcs_process_set_categories(init_t) - mcs_killall(init_t) +-mcs_killall(init_t) -@@ -162,22 +230,41 @@ mls_file_read_all_levels(init_t) + mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -134059,7 +134150,7 @@ index dd3be8d..682e5fc 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +273,176 @@ ifdef(`distro_gentoo',` +@@ -186,29 +270,176 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -134244,7 +134335,7 @@ index dd3be8d..682e5fc 100644 ') optional_policy(` -@@ -216,6 +450,27 @@ optional_policy(` +@@ -216,6 +447,27 @@ optional_policy(` ') optional_policy(` @@ -134272,7 +134363,7 @@ index dd3be8d..682e5fc 100644 unconfined_domain(init_t) ') -@@ -225,8 +480,9 @@ optional_policy(` +@@ -225,8 +477,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -134284,7 +134375,7 @@ index dd3be8d..682e5fc 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +510,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -134301,7 +134392,7 @@ index dd3be8d..682e5fc 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +535,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -134344,7 +134435,7 @@ index dd3be8d..682e5fc 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +572,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -134356,7 +134447,7 @@ index dd3be8d..682e5fc 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +584,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -134367,7 +134458,7 @@ index dd3be8d..682e5fc 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,17 +598,16 @@ dev_manage_generic_files(initrc_t) +@@ -321,17 +595,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -134387,7 +134478,7 @@ index dd3be8d..682e5fc 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +612,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -134395,7 +134486,7 @@ index dd3be8d..682e5fc 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,8 +623,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,8 +620,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -134407,7 +134498,7 @@ index dd3be8d..682e5fc 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -363,8 +642,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +639,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -134421,7 +134512,7 @@ index dd3be8d..682e5fc 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,9 +657,13 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +654,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -134431,12 +134522,11 @@ index dd3be8d..682e5fc 100644 # initrc_t needs to do a pidof which requires ptrace -mcs_ptrace_all(initrc_t) -+mcs_file_read_all(initrc_t) -+mcs_file_write_all(initrc_t) - mcs_killall(initrc_t) +-mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -386,6 +673,7 @@ mls_process_read_up(initrc_t) + mls_file_read_all_levels(initrc_t) +@@ -386,6 +667,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -134444,7 +134534,7 @@ index dd3be8d..682e5fc 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +685,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +679,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -134452,7 +134542,7 @@ index dd3be8d..682e5fc 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +704,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +698,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -134476,7 +134566,7 @@ index dd3be8d..682e5fc 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +766,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -134487,7 +134577,7 @@ index dd3be8d..682e5fc 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +796,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +790,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -134496,7 +134586,7 @@ index dd3be8d..682e5fc 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +811,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +805,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -134504,7 +134594,7 @@ index dd3be8d..682e5fc 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +832,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +826,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -134512,7 +134602,7 @@ index dd3be8d..682e5fc 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +842,40 @@ ifdef(`distro_redhat',` +@@ -549,8 +836,40 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -134553,7 +134643,7 @@ index dd3be8d..682e5fc 100644 ') optional_policy(` -@@ -558,14 +883,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +877,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -134585,7 +134675,7 @@ index dd3be8d..682e5fc 100644 ') ') -@@ -576,6 +918,39 @@ ifdef(`distro_suse',` +@@ -576,6 +912,39 @@ ifdef(`distro_suse',` ') ') @@ -134625,7 +134715,7 @@ index dd3be8d..682e5fc 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +963,8 @@ optional_policy(` +@@ -588,6 +957,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -134634,7 +134724,7 @@ index dd3be8d..682e5fc 100644 ') optional_policy(` -@@ -609,6 +986,7 @@ optional_policy(` +@@ -609,6 +980,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -134642,7 +134732,7 @@ index dd3be8d..682e5fc 100644 ') optional_policy(` -@@ -625,6 +1003,17 @@ optional_policy(` +@@ -625,6 +997,17 @@ optional_policy(` ') optional_policy(` @@ -134660,7 +134750,7 @@ index dd3be8d..682e5fc 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1030,13 @@ optional_policy(` +@@ -641,9 +1024,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -134674,7 +134764,7 @@ index dd3be8d..682e5fc 100644 ') optional_policy(` -@@ -668,6 +1061,10 @@ optional_policy(` +@@ -668,6 +1055,10 @@ optional_policy(` ') optional_policy(` @@ -134685,7 +134775,7 @@ index dd3be8d..682e5fc 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -685,6 +1082,15 @@ optional_policy(` +@@ -685,6 +1076,15 @@ optional_policy(` ') optional_policy(` @@ -134701,7 +134791,7 @@ index dd3be8d..682e5fc 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1131,7 @@ optional_policy(` +@@ -725,6 +1125,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -134709,7 +134799,7 @@ index dd3be8d..682e5fc 100644 ') optional_policy(` -@@ -742,7 +1149,14 @@ optional_policy(` +@@ -742,7 +1143,14 @@ optional_policy(` ') optional_policy(` 
@@ -134724,7 +134814,7 @@ index dd3be8d..682e5fc 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1179,10 @@ optional_policy(` +@@ -765,6 +1173,10 @@ optional_policy(` ') optional_policy(` @@ -134735,7 +134825,7 @@ index dd3be8d..682e5fc 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1192,20 @@ optional_policy(` +@@ -774,10 +1186,20 @@ optional_policy(` ') optional_policy(` @@ -134756,7 +134846,7 @@ index dd3be8d..682e5fc 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1214,10 @@ optional_policy(` +@@ -786,6 +1208,10 @@ optional_policy(` ') optional_policy(` @@ -134767,7 +134857,7 @@ index dd3be8d..682e5fc 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1239,6 @@ optional_policy(` +@@ -807,8 +1233,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -134776,7 +134866,7 @@ index dd3be8d..682e5fc 100644 ') optional_policy(` -@@ -817,6 +1247,10 @@ optional_policy(` +@@ -817,6 +1241,10 @@ optional_policy(` ') optional_policy(` @@ -134787,7 +134877,7 @@ index dd3be8d..682e5fc 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1260,12 @@ optional_policy(` +@@ -826,10 +1254,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -134800,7 +134890,7 @@ index dd3be8d..682e5fc 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1292,31 @@ optional_policy(` +@@ -856,12 +1286,27 @@ optional_policy(` ') optional_policy(` 
@@ -134824,16 +134914,12 @@ index dd3be8d..682e5fc 100644 optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) -+ mcs_file_read_all(initrc_t) -+ mcs_file_write_all(initrc_t) -+ mcs_socket_write_all_levels(initrc_t) -+ mcs_killall(initrc_t) + + files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set }) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1326,18 @@ optional_policy(` +@@ -871,6 +1316,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -134852,7 +134938,7 @@ index dd3be8d..682e5fc 100644 ') optional_policy(` -@@ -886,6 +1353,10 @@ optional_policy(` +@@ -886,6 +1343,10 @@ optional_policy(` ') optional_policy(` @@ -134863,7 +134949,7 @@ index dd3be8d..682e5fc 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1367,185 @@ optional_policy(` +@@ -896,3 +1357,185 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -135312,7 +135398,7 @@ index 1b93eb7..5effebe 100644 +/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index c42fbc3..7071460 100644 +index c42fbc3..174cfdb 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -17,10 +17,6 @@ interface(`iptables_domtrans',` 
@@ -135326,32 +135412,7 @@ index c42fbc3..7071460 100644 ') ######################################## -@@ -42,11 +38,22 @@ interface(`iptables_domtrans',` - # - interface(`iptables_run',` - gen_require(` -- attribute_role iptables_roles; -+ #attribute_role iptables_roles; -+ type iptables_t; - ') - -+ #iptables_domtrans($1) -+ #roleattribute $2 iptables_roles; -+ - iptables_domtrans($1) -- roleattribute $2 iptables_roles; -+ role $2 types iptables_t; -+ -+ sysnet_run_ifconfig(iptables_t, $2) -+ -+ optional_policy(` -+ modutils_run_insmod(iptables_t, $2) -+ ') -+ - ') - - ######################################## -@@ -86,6 +93,29 @@ interface(`iptables_initrc_domtrans',` +@@ -86,6 +82,29 @@ interface(`iptables_initrc_domtrans',` init_labeled_script_domtrans($1, iptables_initrc_exec_t) ') @@ -135382,25 +135443,10 @@ index c42fbc3..7071460 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..16d64ad 100644 +index 5dfa44b..169f4b2 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te -@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.1) - # Declarations - # - --attribute_role iptables_roles; --roleattribute system_r iptables_roles; -+#attribute_role iptables_roles; -+#roleattribute system_r iptables_roles; - - type iptables_t; - type iptables_exec_t; - init_system_domain(iptables_t, iptables_exec_t) --role iptables_roles types iptables_t; -+#role iptables_roles types iptables_t; -+role system_r types iptables_t; - +@@ -16,15 +16,15 @@ role iptables_roles types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) 
@@ -135419,7 +135465,7 @@ index 5dfa44b..16d64ad 100644 ######################################## # # Iptables local policy -@@ -37,8 +38,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal }; +@@ -37,8 +37,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:netlink_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; @@ -135430,7 +135476,7 @@ index 5dfa44b..16d64ad 100644 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -49,6 +50,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; +@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; allow iptables_t iptables_tmp_t:file manage_file_perms; files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) @@ -135438,7 +135484,7 @@ index 5dfa44b..16d64ad 100644 kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) -@@ -64,6 +66,10 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,6 +65,10 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -135449,7 +135495,7 @@ index 5dfa44b..16d64ad 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +78,13 @@ fs_list_inotifyfs(iptables_t) +@@ -72,11 +77,11 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) 
@@ -135457,14 +135503,13 @@ index 5dfa44b..16d64ad 100644 domain_use_interactive_fds(iptables_t) - files_read_etc_files(iptables_t) +-files_read_etc_files(iptables_t) -files_read_etc_runtime_files(iptables_t) +files_rw_etc_runtime_files(iptables_t) -+files_read_usr_files(iptables_t) auth_use_nsswitch(iptables_t) -@@ -85,15 +93,16 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +90,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -135473,10 +135518,8 @@ index 5dfa44b..16d64ad 100644 logging_send_syslog_msg(iptables_t) -miscfiles_read_localization(iptables_t) - --sysnet_run_ifconfig(iptables_t, iptables_roles) -+#sysnet_run_ifconfig(iptables_t, iptables_roles) -+sysnet_domtrans_ifconfig(iptables_t) +- + sysnet_run_ifconfig(iptables_t, iptables_roles) sysnet_dns_name_resolve(iptables_t) -userdom_use_user_terminals(iptables_t) @@ -135484,7 +135527,7 @@ index 5dfa44b..16d64ad 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +111,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +106,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -135493,17 +135536,7 @@ index 5dfa44b..16d64ad 100644 ') optional_policy(` -@@ -110,7 +121,8 @@ optional_policy(` - ') - - optional_policy(` -- modutils_run_insmod(iptables_t, iptables_roles) -+ modutils_domtrans_insmod(iptables_t) -+ #modutils_run_insmod(iptables_t, iptables_roles) - ') - - optional_policy(` -@@ -124,6 +136,7 @@ optional_policy(` +@@ -124,6 +130,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -135511,7 +135544,7 @@ index 5dfa44b..16d64ad 100644 ') optional_policy(` -@@ -137,6 +150,7 @@ optional_policy(` +@@ -137,6 +144,7 @@ optional_policy(` optional_policy(` shorewall_read_tmp_files(iptables_t) shorewall_rw_lib_files(iptables_t) 
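Review bot: The inner patch now removes `files_read_etc_files(iptables_t)` from iptables.te (it was previously kept as context) while the neighbouring hunks restore the upstream iptables_roles handling; unless generic etc_t read access is granted to every domain elsewhere in this patch (not visible here), iptables_t loses the ability to read /etc. If that access is meant to come from a domain-wide rule, a comment such as `# etc_t read access is granted domain-wide elsewhere` at this spot would stop the next reader from re-adding the line.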
@@ -138595,7 +138628,7 @@ index 4584457..300c3f7 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..bd42591 100644 +index 6a50270..4b28c1b 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) @@ -138747,7 +138780,7 @@ index 6a50270..bd42591 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) -@@ -92,28 +148,42 @@ files_list_mnt(mount_t) +@@ -92,28 +148,39 @@ files_list_mnt(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -138775,9 +138808,6 @@ index 6a50270..bd42591 100644 -mls_file_read_all_levels(mount_t) -mls_file_write_all_levels(mount_t) -+mcs_file_read_all(mount_t) -+mcs_file_write_all(mount_t) -+ +mls_file_read_to_clearance(mount_t) +mls_file_write_to_clearance(mount_t) +mls_process_write_to_clearance(mount_t) @@ -138796,7 +138826,7 @@ index 6a50270..bd42591 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,16 +191,20 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +188,20 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -138818,7 +138848,7 @@ index 6a50270..bd42591 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +220,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',` ') ') @@ -138858,7 +138888,7 @@ index 6a50270..bd42591 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +254,8 @@ optional_policy(` +@@ -179,6 +251,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) 
@@ -138867,7 +138897,7 @@ index 6a50270..bd42591 100644 ') optional_policy(` -@@ -186,6 +263,28 @@ optional_policy(` +@@ -186,6 +260,28 @@ optional_policy(` ') optional_policy(` @@ -138896,7 +138926,7 @@ index 6a50270..bd42591 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +293,124 @@ optional_policy(` +@@ -194,24 +290,124 @@ optional_policy(` ') optional_policy(` @@ -140503,60 +140533,41 @@ index 346a7cc..1285089 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..8f424e5 100644 +index 6944526..729dc8c 100644 --- a/policy/modules/system/sysnetwork.if 
+++ b/policy/modules/system/sysnetwork.if -@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',` +@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` # interface(`sysnet_run_dhcpc',` gen_require(` -- attribute_role dhcpc_roles; + type dhcpc_t; -+ #attribute_role dhcpc_roles; + attribute_role dhcpc_roles; ') -+ #sysnet_domtrans_dhcpc($1) -+ #roleattribute $2 dhcpc_roles; -+ sysnet_domtrans_dhcpc($1) -- roleattribute $2 dhcpc_roles; -+ role $2 types dhcpc_t; + roleattribute $2 dhcpc_roles; + -+ modutils_run_insmod(dhcpc_t, $2) ++ optional_policy(` ++ networkmanager_run(dhcpc_t, $2) ++ ') + -+ sysnet_run_ifconfig(dhcpc_t, $2) ++ optional_policy(` ++ nis_run_ypbind(dhcpc_t, $2) ++ ') + -+ optional_policy(` -+ hostname_run(dhcpc_t, $2) -+ ') ++ optional_policy(` ++ nscd_run(dhcpc_t, $2) ++ ') + -+ optional_policy(` -+ netutils_run(dhcpc_t, $2) -+ netutils_run_ping(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ networkmanager_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nis_run_ypbind(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nscd_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ ntp_run(dhcpc_t, $2) -+ ') -+ -+ seutil_run_setfiles(dhcpc_t, $2) ++ optional_policy(` ++ ntp_run(dhcpc_t, $2) ++ ') + ++ seutil_run_setfiles(dhcpc_t, $2) ') ######################################## -@@ -271,6 +307,43 @@ interface(`sysnet_delete_dhcpc_state',` +@@ -271,6 +290,43 @@ interface(`sysnet_delete_dhcpc_state',` delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') @@ -140600,7 +140611,7 @@ index 6944526..8f424e5 100644 ####################################### ## ## Set the attributes of network config files. -@@ -292,6 +365,44 @@ interface(`sysnet_setattr_config',` +@@ -292,6 +348,44 @@ interface(`sysnet_setattr_config',` ####################################### ## 
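Review bot: The rebuilt `sysnet_run_dhcpc` no longer calls `modutils_run_insmod(dhcpc_t, $2)`, `sysnet_run_ifconfig(dhcpc_t, $2)`, `hostname_run` or `netutils_run` for the caller's role and instead relies on `roleattribute $2 dhcpc_roles;`, which only has that effect because sysnetwork.te declares those transitions against `dhcpc_roles` (the restored `modutils_run_insmod(dhcpc_t, dhcpc_roles)` is visible in a later hunk; the ifconfig and netutils lines presumably come from upstream now that the patch stops deleting them). That coupling is invisible from the interface itself; a comment after the roleattribute line would make it explicit: `# $2 joins dhcpc_roles, so the insmod/ifconfig/ping transitions declared for dhcpc_roles in sysnetwork.te apply to it as well`. The interface body ends inside this hunk, but the file continues past it.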
@@ -140645,7 +140656,7 @@ index 6944526..8f424e5 100644 ## Read network config files. ## ## -@@ -331,6 +442,7 @@ interface(`sysnet_read_config',` +@@ -331,6 +425,7 @@ interface(`sysnet_read_config',` ifdef(`distro_redhat',` allow $1 net_conf_t:dir list_dir_perms; @@ -140653,7 +140664,7 @@ index 6944526..8f424e5 100644 read_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -433,6 +545,7 @@ interface(`sysnet_manage_config',` +@@ -433,6 +528,7 @@ interface(`sysnet_manage_config',` allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_redhat',` @@ -140661,7 +140672,7 @@ index 6944526..8f424e5 100644 manage_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -471,6 +584,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -471,6 +567,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -140669,7 +140680,7 @@ index 6944526..8f424e5 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -580,6 +694,25 @@ interface(`sysnet_signull_ifconfig',` +@@ -580,6 +677,25 @@ interface(`sysnet_signull_ifconfig',` ######################################## ## @@ -140695,7 +140706,7 @@ index 6944526..8f424e5 100644 ## Read the DHCP configuration files. ## ## -@@ -596,6 +729,7 @@ interface(`sysnet_read_dhcp_config',` +@@ -596,6 +712,7 @@ interface(`sysnet_read_dhcp_config',` files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) @@ -140703,7 +140714,7 @@ index 6944526..8f424e5 100644 ') ######################################## -@@ -681,8 +815,6 @@ interface(`sysnet_dns_name_resolve',` +@@ -681,8 +798,6 @@ interface(`sysnet_dns_name_resolve',` allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; 
@@ -140712,7 +140723,7 @@ index 6944526..8f424e5 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -692,6 +824,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -692,6 +807,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -140721,7 +140732,7 @@ index 6944526..8f424e5 100644 sysnet_read_config($1) optional_policy(` -@@ -720,8 +854,6 @@ interface(`sysnet_use_ldap',` +@@ -720,8 +837,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -140730,7 +140741,7 @@ index 6944526..8f424e5 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +865,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +848,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -140740,7 +140751,7 @@ index 6944526..8f424e5 100644 ') ######################################## -@@ -754,7 +889,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +872,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -140748,7 +140759,7 @@ index 6944526..8f424e5 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +900,73 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +883,73 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -140823,15 +140834,13 @@ index 6944526..8f424e5 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..be7444c 100644 +index b7686d5..ab5e58c 100644 --- a/policy/modules/system/sysnetwork.te 
+++ b/policy/modules/system/sysnetwork.te -@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.6) +@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) # Declarations # --attribute_role dhcpc_roles; --roleattribute system_r dhcpc_roles; +## +##

+## Allow dhcpc client applications to execute iptables commands @@ -140839,25 +140848,21 @@ index b7686d5..be7444c 100644 +## +gen_tunable(dhcpc_exec_iptables, false) + -+#attribute_role dhcpc_roles; -+#roleattribute system_r dhcpc_roles; + attribute_role dhcpc_roles; + roleattribute system_r dhcpc_roles; - # this is shared between dhcpc and dhcpd: - type dhcp_etc_t; -@@ -20,7 +27,11 @@ files_type(dhcp_state_t) +@@ -20,7 +27,9 @@ files_type(dhcp_state_t) type dhcpc_t; type dhcpc_exec_t; init_daemon_domain(dhcpc_t, dhcpc_exec_t) -role dhcpc_roles types dhcpc_t; -+#role dhcpc_roles types dhcpc_t; -+role system_r types dhcpc_t; + +type dhcpc_helper_exec_t; +init_script_file(dhcpc_helper_exec_t) type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -37,17 +48,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) +@@ -37,17 +46,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; type net_conf_t alias resolv_conf_t; @@ -140878,7 +140883,7 @@ index b7686d5..be7444c 100644 allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; -@@ -60,8 +71,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +@@ -60,8 +69,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -140890,7 +140895,7 @@ index b7686d5..be7444c 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -70,6 +84,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) +@@ -70,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. 
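Review bot: On the new side the patch still deletes upstream's `role dhcpc_roles types dhcpc_t;` (the inner `-role dhcpc_roles types dhcpc_t;` line is kept) but no longer carries the `role system_r types dhcpc_t;` replacement it used to add, while restoring `attribute_role dhcpc_roles;` and `roleattribute system_r dhcpc_roles;`. Unless something outside these hunks re-adds it, no role in dhcpc_roles is authorized for dhcpc_t itself, so `roleattribute $2 dhcpc_roles` in `sysnet_run_dhcpc` gives a caller role the transitions declared for dhcpc_roles but not the right to run in dhcpc_t; system_r presumably keeps it through `init_daemon_domain(dhcpc_t, dhcpc_exec_t)`, other roles would not. Either drop the `-role dhcpc_roles types dhcpc_t;` removal from the patch so upstream's line survives, or add `role dhcpc_roles types dhcpc_t;` back explicitly next to the restored roleattribute line. The `dhcpc_exec_iptables` tunable declared just above is not referenced in any hunk of this diff; if its `tunable_policy` block lives elsewhere that is fine, otherwise it is dead.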
@@ -140899,7 +140904,7 @@ index b7686d5..be7444c 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -91,14 +107,13 @@ kernel_rw_net_sysctls(dhcpc_t) +@@ -91,14 +105,13 @@ kernel_rw_net_sysctls(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_shell(dhcpc_t) @@ -140920,7 +140925,7 @@ index b7686d5..be7444c 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -108,11 +123,14 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) +@@ -108,17 +121,18 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) @@ -140935,7 +140940,13 @@ index b7686d5..be7444c 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -132,15 +150,20 @@ term_dontaudit_use_all_ptys(dhcpc_t) +-files_read_etc_files(dhcpc_t) + files_read_etc_runtime_files(dhcpc_t) +-files_read_usr_files(dhcpc_t) + files_search_home(dhcpc_t) + files_search_var_lib(dhcpc_t) + files_dontaudit_search_locks(dhcpc_t) +@@ -132,11 +146,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) 
@@ -140950,74 +140961,47 @@ index b7686d5..be7444c 100644 -miscfiles_read_localization(dhcpc_t) +miscfiles_read_generic_certs(dhcpc_t) --modutils_run_insmod(dhcpc_t, dhcpc_roles) -+#modutils_run_insmod(dhcpc_t, dhcpc_roles) -+modutils_domtrans_insmod(dhcpc_t) -+#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) + modutils_run_insmod(dhcpc_t, dhcpc_roles) --sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) - - userdom_use_user_terminals(dhcpc_t) - userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -155,8 +178,23 @@ ifdef(`distro_ubuntu',` - ') +@@ -156,7 +174,14 @@ ifdef(`distro_ubuntu',` ') -+#optional_policy(` -+# consoletype_run(dhcpc_t, dhcpc_roles) -+#') -+ -+optional_policy(` + optional_policy(` +- consoletype_run(dhcpc_t, dhcpc_roles) + chronyd_initrc_domtrans(dhcpc_t) + chronyd_systemctl(dhcpc_t) + chronyd_read_keys(dhcpc_t) +') + +optional_policy(` -+ consoletype_exec(dhcpc_t) -+') -+ - optional_policy(` -- consoletype_run(dhcpc_t, dhcpc_roles) + devicekit_dontaudit_rw_log(dhcpc_t) + devicekit_dontaudit_read_pid_files(dhcpc_t) ') optional_policy(` -@@ -170,11 +208,8 @@ optional_policy(` +@@ -174,10 +199,6 @@ optional_policy(` ') optional_policy(` -- hostname_run(dhcpc_t, dhcpc_roles) +- hal_dontaudit_rw_dgram_sockets(dhcpc_t) -') - -optional_policy(` -- hal_dontaudit_rw_dgram_sockets(dhcpc_t) -+ hostname_domtrans(dhcpc_t) -+# hostname_run(dhcpc_t, dhcpc_roles) - ') + hotplug_getattr_config_dirs(dhcpc_t) + hotplug_search_config(dhcpc_t) +@@ -190,23 +211,35 @@ optional_policy(` optional_policy(` -@@ -188,25 +223,41 @@ optional_policy(` - - # for the dhcp client to run ping to check IP addresses - optional_policy(` -- netutils_run_ping(dhcpc_t, dhcpc_roles) -- netutils_run(dhcpc_t, dhcpc_roles) -+ #netutils_run_ping(dhcpc_t, dhcpc_roles) -+ #netutils_run(dhcpc_t, dhcpc_roles) + netutils_run_ping(dhcpc_t, dhcpc_roles) + netutils_run(dhcpc_t, dhcpc_roles) + netutils_domtrans_ping(dhcpc_t) -+ netutils_domtrans(dhcpc_t) ++ netutils_domtrans(dhcpc_t) ',` allow dhcpc_t 
self:capability setuid; allow dhcpc_t self:rawip_socket create_socket_perms; ') optional_policy(` -+ modutils_domtrans_insmod(dhcpc_t) -+') -+ -+optional_policy(` + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) + networkmanager_manage_lib(dhcpc_t) @@ -141042,7 +141026,7 @@ index b7686d5..be7444c 100644 ') optional_policy(` -@@ -216,7 +267,11 @@ optional_policy(` +@@ -216,7 +249,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -141055,7 +141039,7 @@ index b7686d5..be7444c 100644 ') optional_policy(` -@@ -259,6 +314,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,6 +296,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -141063,7 +141047,7 @@ index b7686d5..be7444c 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -277,11 +333,18 @@ corenet_rw_tun_tap_dev(ifconfig_t) +@@ -277,11 +315,18 @@ corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -141082,7 +141066,7 @@ index b7686d5..be7444c 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +357,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +339,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -141110,7 +141094,7 @@ index b7686d5..be7444c 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +381,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +363,22 @@ ifdef(`distro_ubuntu',` ') ') 
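Review bot: In the netutils `optional_policy` block the new side keeps `netutils_run_ping(dhcpc_t, dhcpc_roles)`/`netutils_run(dhcpc_t, dhcpc_roles)` and additionally adds `netutils_domtrans_ping(dhcpc_t)`/`netutils_domtrans(dhcpc_t)`; a `*_run_*` interface already performs the domain transition, so the two `_domtrans_` lines are redundant and should be dropped, which is also how the same hunk handles insmod (`modutils_run_insmod(dhcpc_t, dhcpc_roles)` restored, the `modutils_domtrans_insmod` addition removed). Separately, the hunk removes the `consoletype_exec(dhcpc_t)` block while the patch still deletes upstream's `consoletype_run(dhcpc_t, dhcpc_roles)`, so dhcpc_t ends up with no consoletype access at all; if that is intended, say so in the commit message, otherwise a dhclient-script that calls consoletype will now be denied. The else branch of the netutils block and the rest of the dhcpc_t policy continue past this hunk.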
@@ -141133,7 +141117,7 @@ index b7686d5..be7444c 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +407,7 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +389,7 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -141143,7 +141127,7 @@ index b7686d5..be7444c 100644 ') optional_policy(` -@@ -339,7 +416,15 @@ optional_policy(` +@@ -339,7 +398,15 @@ optional_policy(` ') optional_policy(` @@ -141160,7 +141144,7 @@ index b7686d5..be7444c 100644 ') optional_policy(` -@@ -360,3 +445,9 @@ optional_policy(` +@@ -360,3 +427,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -142180,10 +142164,10 @@ index 0000000..3e4cae7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..223e3f0 +index 0000000..f29d5b8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,451 @@ +@@ -0,0 +1,447 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -142304,8 +142288,6 @@ index 0000000..223e3f0 +fs_getattr_tmpfs(systemd_logind_t) +fs_read_tmpfs_symlinks(systemd_logind_t) + -+mcs_killall(systemd_logind_t) -+ +storage_setattr_removable_dev(systemd_logind_t) +storage_setattr_scsi_generic_dev(systemd_logind_t) + @@ -142488,8 +142470,6 @@ index 0000000..223e3f0 +files_relabel_all_tmp_files(systemd_tmpfiles_t) +files_list_lost_found(systemd_tmpfiles_t) + -+mcs_file_read_all(systemd_tmpfiles_t) -+mcs_file_write_all(systemd_tmpfiles_t) +mls_file_read_all_levels(systemd_tmpfiles_t) +mls_file_write_all_levels(systemd_tmpfiles_t) + @@ -143213,10 +143193,10 @@ index 0abaf84..8b34dbc 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index db7aabb..4012a61 100644 +index db7aabb..01e03ec 100644 --- a/policy/modules/system/unconfined.if 
+++ b/policy/modules/system/unconfined.if -@@ -12,53 +12,59 @@ +@@ -12,53 +12,57 @@ # interface(`unconfined_domain_noaudit',` gen_require(` @@ -143267,11 +143247,9 @@ index db7aabb..4012a61 100644 + + domain_mmap_low($1) + -+ mcs_file_read_all($1) ++ ubac_process_exempt($1) - tunable_policy(`allow_execheap',` -+ ubac_process_exempt($1) -+ + tunable_policy(`selinuxuser_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; @@ -143293,7 +143271,7 @@ index db7aabb..4012a61 100644 # auditallow $1 self:process execstack; ') -@@ -69,6 +75,7 @@ interface(`unconfined_domain_noaudit',` +@@ -69,6 +73,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -143301,7 +143279,7 @@ index db7aabb..4012a61 100644 ') optional_policy(` -@@ -122,9 +129,13 @@ interface(`unconfined_domain_noaudit',` +@@ -122,9 +127,13 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` @@ -143316,7 +143294,7 @@ index db7aabb..4012a61 100644 auditallow $1 self:process execheap; ') ') -@@ -150,7 +161,7 @@ interface(`unconfined_domain',` +@@ -150,7 +159,7 @@ interface(`unconfined_domain',` ## # interface(`unconfined_alias_domain',` @@ -143325,7 +143303,7 @@ index db7aabb..4012a61 100644 ') ######################################## -@@ -176,414 +187,5 @@ interface(`unconfined_alias_domain',` +@@ -176,414 +185,5 @@ interface(`unconfined_alias_domain',` ## # interface(`unconfined_execmem_alias_program',` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f2b1c82a..65fe9bee 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -489,7 +489,7 @@ index 058d908..cce58bb 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index cc43d25..6d98338 100644 +index cc43d25..db88fca 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ 
@@ -705,12 +705,12 @@ index cc43d25..6d98338 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +173,35 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +173,34 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) +-files_read_usr_files(abrt_t) +files_read_var_lib_files(abrt_t) - files_read_usr_files(abrt_t) +files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) +files_dontaudit_list_default(abrt_t) @@ -744,7 +744,7 @@ index cc43d25..6d98338 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +209,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +208,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -761,7 +761,7 @@ index cc43d25..6d98338 100644 ') optional_policy(` -@@ -209,6 +221,12 @@ optional_policy(` +@@ -209,6 +220,12 @@ optional_policy(` ') optional_policy(` @@ -774,7 +774,7 @@ index cc43d25..6d98338 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +238,7 @@ optional_policy(` +@@ -220,6 +237,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -782,7 +782,7 @@ index cc43d25..6d98338 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +249,7 @@ optional_policy(` +@@ -230,6 +248,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -790,7 +790,7 @@ index cc43d25..6d98338 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +260,17 @@ optional_policy(` +@@ -240,9 +259,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -809,7 +809,7 @@ index cc43d25..6d98338 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +281,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +280,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
@@ -824,7 +824,7 @@ index cc43d25..6d98338 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +307,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -845,7 +845,7 @@ index cc43d25..6d98338 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +328,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -872,19 +872,21 @@ index cc43d25..6d98338 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -316,8 +367,11 @@ dev_read_urand(abrt_retrace_coredump_t) +@@ -314,10 +364,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) - files_read_usr_files(abrt_retrace_coredump_t) + dev_read_urand(abrt_retrace_coredump_t) -+logging_send_syslog_msg(abrt_retrace_coredump_t) +-files_read_usr_files(abrt_retrace_coredump_t) + ++logging_send_syslog_msg(abrt_retrace_coredump_t) + sysnet_dns_name_resolve(abrt_retrace_coredump_t) +# to install debuginfo packages optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +384,11 @@ optional_policy(` +@@ -330,10 +382,11 @@ optional_policy(` ####################################### # 
@@ -898,12 +900,14 @@ index cc43d25..6d98338 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -354,16 +409,22 @@ dev_read_urand(abrt_retrace_worker_t) +@@ -352,18 +405,23 @@ corecmd_exec_shell(abrt_retrace_worker_t) - files_read_usr_files(abrt_retrace_worker_t) + dev_read_urand(abrt_retrace_worker_t) -+logging_send_syslog_msg(abrt_retrace_worker_t) +-files_read_usr_files(abrt_retrace_worker_t) + ++logging_send_syslog_msg(abrt_retrace_worker_t) + sysnet_dns_name_resolve(abrt_retrace_worker_t) +optional_policy(` @@ -923,7 +927,7 @@ index cc43d25..6d98338 100644 files_search_spool(abrt_dump_oops_t) manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -376,6 +437,7 @@ read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) +@@ -376,6 +434,7 @@ read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) @@ -931,7 +935,7 @@ index cc43d25..6d98338 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) +@@ -384,14 +443,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) @@ -949,7 +953,7 @@ index cc43d25..6d98338 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +463,15 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +460,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -967,7 +971,7 @@ index cc43d25..6d98338 100644 -kernel_read_system_state(abrt_domain) - - files_read_etc_files(abrt_domain) +-files_read_etc_files(abrt_domain) - -logging_send_syslog_msg(abrt_domain) - 
@@ -1043,7 +1047,7 @@ index bd5ec9a..a5ed692 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 313b33f..ea8883f 100644 +index 313b33f..783d3df 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1082,7 +1086,11 @@ index 313b33f..ea8883f 100644 kernel_read_kernel_sysctls(accountsd_t) kernel_read_system_state(accountsd_t) -@@ -42,13 +51,15 @@ files_read_usr_files(accountsd_t) +@@ -38,17 +47,18 @@ corecmd_exec_bin(accountsd_t) + dev_read_sysfs(accountsd_t) + + files_read_mnt_files(accountsd_t) +-files_read_usr_files(accountsd_t) fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) @@ -1099,7 +1107,7 @@ index 313b33f..ea8883f 100644 logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) -@@ -62,6 +73,11 @@ usermanage_domtrans_passwd(accountsd_t) +@@ -62,6 +72,11 @@ usermanage_domtrans_passwd(accountsd_t) optional_policy(` consolekit_dbus_chat(accountsd_t) consolekit_read_log(accountsd_t) @@ -1111,7 +1119,7 @@ index 313b33f..ea8883f 100644 ') optional_policy(` -@@ -70,4 +86,7 @@ optional_policy(` +@@ -70,4 +85,7 @@ optional_policy(` optional_policy(` xserver_read_xdm_tmp_files(accountsd_t) @@ -1218,10 +1226,10 @@ index 3b41be6..0b18812 100644 afs_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/afs.te b/afs.te -index 6690cdf..7fefcf5 100644 +index 6690cdf..ff1c351 100644 --- a/afs.te +++ b/afs.te -@@ -83,6 +83,15 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) +@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) kernel_rw_afs_state(afs_t) 
@@ -1235,9 +1243,11 @@ index 6690cdf..7fefcf5 100644 +corenet_udp_bind_generic_node(afs_t) + files_mounton_mnt(afs_t) - files_read_usr_files(afs_t) +-files_read_usr_files(afs_t) files_rw_etc_runtime_files(afs_t) -@@ -93,6 +102,12 @@ fs_read_nfs_symlinks(afs_t) + + fs_getattr_xattr_fs(afs_t) +@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t) logging_send_syslog_msg(afs_t) @@ -1250,7 +1260,7 @@ index 6690cdf..7fefcf5 100644 ######################################## # # AFS bossserver local policy -@@ -125,7 +140,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) +@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) kernel_read_kernel_sysctls(afs_bosserver_t) @@ -1258,7 +1268,15 @@ index 6690cdf..7fefcf5 100644 corenet_all_recvfrom_netlabel(afs_bosserver_t) corenet_udp_sendrecv_generic_if(afs_bosserver_t) corenet_udp_sendrecv_generic_node(afs_bosserver_t) -@@ -179,6 +193,9 @@ corenet_tcp_sendrecv_generic_if(afs_fsserver_t) +@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) + corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t) + + files_list_home(afs_bosserver_t) +-files_read_usr_files(afs_bosserver_t) + + seutil_read_config(afs_bosserver_t) + +@@ -179,6 +191,9 @@ corenet_tcp_sendrecv_generic_if(afs_fsserver_t) corenet_udp_sendrecv_generic_if(afs_fsserver_t) corenet_tcp_sendrecv_generic_node(afs_fsserver_t) corenet_udp_sendrecv_generic_node(afs_fsserver_t) 
@@ -1268,7 +1286,15 @@ index 6690cdf..7fefcf5 100644 corenet_tcp_bind_generic_node(afs_fsserver_t) corenet_udp_bind_generic_node(afs_fsserver_t) -@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) +@@ -190,7 +205,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) + + files_read_etc_runtime_files(afs_fsserver_t) + files_list_home(afs_fsserver_t) +-files_read_usr_files(afs_fsserver_t) + files_list_pids(afs_fsserver_t) + files_dontaudit_search_mnt(afs_fsserver_t) + +@@ -224,7 +238,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) kernel_read_kernel_sysctls(afs_kaserver_t) @@ -1276,7 +1302,15 @@ index 6690cdf..7fefcf5 100644 corenet_all_recvfrom_netlabel(afs_kaserver_t) corenet_udp_sendrecv_generic_if(afs_kaserver_t) corenet_udp_sendrecv_generic_node(afs_kaserver_t) -@@ -262,7 +278,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) +@@ -239,7 +252,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) + corenet_udp_sendrecv_kerberos_port(afs_kaserver_t) + + files_list_home(afs_kaserver_t) +-files_read_usr_files(afs_kaserver_t) + + seutil_read_config(afs_kaserver_t) + +@@ -262,7 +274,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) @@ -1284,7 +1318,7 @@ index 6690cdf..7fefcf5 100644 corenet_all_recvfrom_netlabel(afs_ptserver_t) corenet_tcp_sendrecv_generic_if(afs_ptserver_t) corenet_udp_sendrecv_generic_if(afs_ptserver_t) -@@ -274,6 +289,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) +@@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) corenet_udp_bind_afs_pt_port(afs_ptserver_t) corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) 
@@ -1293,7 +1327,7 @@ index 6690cdf..7fefcf5 100644 userdom_dontaudit_use_user_terminals(afs_ptserver_t) ######################################## -@@ -293,7 +310,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) +@@ -293,7 +306,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) @@ -1301,7 +1335,7 @@ index 6690cdf..7fefcf5 100644 corenet_all_recvfrom_netlabel(afs_vlserver_t) corenet_tcp_sendrecv_generic_if(afs_vlserver_t) corenet_udp_sendrecv_generic_if(afs_vlserver_t) -@@ -314,8 +330,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) +@@ -314,8 +326,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) allow afs_domain self:udp_socket create_socket_perms; @@ -1330,7 +1364,7 @@ index 3b5dcb9..fbe187f 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 72c33c2..ca27918 100644 +index 72c33c2..6e4206c 100644 --- a/aiccu.te +++ b/aiccu.te @@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t) @@ -1341,9 +1375,11 @@ index 72c33c2..ca27918 100644 corenet_sendrecv_sixxsconfig_client_packets(aiccu_t) corenet_tcp_connect_sixxsconfig_port(aiccu_t) corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) -@@ -62,9 +61,9 @@ dev_read_urand(aiccu_t) +@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t) + dev_read_rand(aiccu_t) + dev_read_urand(aiccu_t) - files_read_etc_files(aiccu_t) +-files_read_etc_files(aiccu_t) -logging_send_syslog_msg(aiccu_t) +auth_read_passwd(aiccu_t) @@ -1567,10 +1603,10 @@ index 0000000..7abe946 +') diff --git a/ajaxterm.te b/ajaxterm.te new file mode 100644 -index 0000000..84bba98 +index 0000000..a95a4ad --- /dev/null +++ b/ajaxterm.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,60 @@ +policy_module(ajaxterm, 1.0.0) + +######################################## 
@@ -1619,8 +1655,6 @@ index 0000000..84bba98 + +domain_use_interactive_fds(ajaxterm_t) + -+files_read_etc_files(ajaxterm_t) -+files_read_usr_files(ajaxterm_t) + +sysnet_dns_name_resolve(ajaxterm_t) + @@ -1728,7 +1762,7 @@ index 708b743..a482fed 100644 + ps_process_pattern($1, alsa_t) +') diff --git a/alsa.te b/alsa.te -index cda6d20..60c0649 100644 +index cda6d20..1986c26 100644 --- a/alsa.te +++ b/alsa.te @@ -24,6 +24,9 @@ files_type(alsa_var_lib_t) @@ -1741,16 +1775,17 @@ index cda6d20..60c0649 100644 ######################################## # # Local policy -@@ -59,6 +62,8 @@ dev_read_sound(alsa_t) +@@ -59,7 +62,8 @@ dev_read_sound(alsa_t) dev_read_sysfs(alsa_t) dev_write_sound(alsa_t) +-files_read_usr_files(alsa_t) +corecmd_exec_bin(alsa_t) + - files_read_usr_files(alsa_t) files_search_var_lib(alsa_t) -@@ -72,8 +77,6 @@ init_use_fds(alsa_t) + term_dontaudit_use_console(alsa_t) +@@ -72,8 +76,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) @@ -1878,7 +1913,7 @@ index 60d4f8c..18ef077 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index ab55ba7..3da45f7 100644 +index ab55ba7..f493d2a 100644 --- a/amavis.te +++ b/amavis.te @@ -39,7 +39,7 @@ type amavis_quarantine_t; @@ -1912,7 +1947,7 @@ index ab55ba7..3da45f7 100644 corenet_all_recvfrom_netlabel(amavis_t) corenet_tcp_sendrecv_generic_if(amavis_t) corenet_udp_sendrecv_generic_if(amavis_t) -@@ -118,10 +120,12 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) +@@ -118,16 +120,17 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) corenet_sendrecv_razor_client_packets(amavis_t) corenet_tcp_connect_razor_port(amavis_t) 
@@ -1925,7 +1960,13 @@ index ab55ba7..3da45f7 100644 domain_use_interactive_fds(amavis_t) domain_dontaudit_read_all_domains_state(amavis_t) -@@ -141,14 +145,20 @@ init_stream_connect_script(amavis_t) + + files_read_etc_runtime_files(amavis_t) +-files_read_usr_files(amavis_t) + files_search_spool(amavis_t) + + fs_getattr_xattr_fs(amavis_t) +@@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) @@ -1949,7 +1990,7 @@ index ab55ba7..3da45f7 100644 ') optional_policy(` -@@ -173,6 +183,10 @@ optional_policy(` +@@ -173,6 +182,10 @@ optional_policy(` ') optional_policy(` @@ -1961,10 +2002,14 @@ index ab55ba7..3da45f7 100644 postfix_list_spool(amavis_t) ') diff --git a/amtu.te b/amtu.te -index c960f92..c291650 100644 +index c960f92..486e9ed 100644 --- a/amtu.te +++ b/amtu.te -@@ -28,7 +28,7 @@ files_read_etc_files(amtu_t) +@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t) + + files_manage_boot_files(amtu_t) + files_read_etc_runtime_files(amtu_t) +-files_read_etc_files(amtu_t) logging_send_audit_msgs(amtu_t) @@ -3698,7 +3743,7 @@ index 83e899c..7b2ad39 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..44dae79 100644 +index 1a82e29..bcdad77 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,353 @@ @@ -4376,7 +4421,7 @@ index 1a82e29..44dae79 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +541,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +541,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) 
@@ -4454,7 +4499,7 @@ index 1a82e29..44dae79 100644 +domain_use_interactive_fds(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) - files_read_usr_files(httpd_t) +-files_read_usr_files(httpd_t) +files_exec_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -4604,7 +4649,7 @@ index 1a82e29..44dae79 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +708,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +707,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -4660,7 +4705,7 @@ index 1a82e29..44dae79 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +756,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +755,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -4745,7 +4790,7 @@ index 1a82e29..44dae79 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +797,29 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +796,29 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -4811,7 +4856,7 @@ index 1a82e29..44dae79 100644 ') optional_policy(` -@@ -744,12 +831,10 @@ optional_policy(` +@@ -744,12 +830,10 @@ optional_policy(` ') optional_policy(` @@ -4826,7 +4871,7 @@ index 1a82e29..44dae79 100644 ') optional_policy(` -@@ -765,6 +850,24 @@ optional_policy(` +@@ -765,6 +849,24 @@ optional_policy(` ') optional_policy(` @@ -4851,7 +4896,7 @@ index 1a82e29..44dae79 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +884,42 @@ optional_policy(` +@@ -781,34 +883,42 @@ optional_policy(` ') optional_policy(` @@ -4905,7 +4950,7 @@ index 1a82e29..44dae79 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +927,10 @@ optional_policy(` +@@ -816,8 +926,10 @@ optional_policy(` ') optional_policy(` 
@@ -4916,7 +4961,7 @@ index 1a82e29..44dae79 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +939,7 @@ optional_policy(` +@@ -826,6 +938,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -4924,7 +4969,7 @@ index 1a82e29..44dae79 100644 ') optional_policy(` -@@ -836,20 +950,35 @@ optional_policy(` +@@ -836,20 +949,35 @@ optional_policy(` ') optional_policy(` @@ -4967,7 +5012,7 @@ index 1a82e29..44dae79 100644 ') optional_policy(` -@@ -857,6 +986,16 @@ optional_policy(` +@@ -857,6 +985,16 @@ optional_policy(` ') optional_policy(` @@ -4984,7 +5029,7 @@ index 1a82e29..44dae79 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,6 +1004,7 @@ optional_policy(` +@@ -865,6 +1003,7 @@ optional_policy(` ') optional_policy(` @@ -4992,7 +5037,7 @@ index 1a82e29..44dae79 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -877,64 +1017,168 @@ optional_policy(` +@@ -877,65 +1016,168 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -5173,16 +5218,17 @@ index 1a82e29..44dae79 100644 fs_read_iso9660_files(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) +-files_read_usr_files(httpd_suexec_t) +application_exec_all(httpd_suexec_t) + +# for shell scripts +corecmd_exec_bin(httpd_suexec_t) +corecmd_exec_shell(httpd_suexec_t) + - files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1188,74 @@ auth_use_nsswitch(httpd_suexec_t) + +@@ -944,123 +1186,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -5337,7 +5383,7 @@ index 1a82e29..44dae79 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1272,103 @@ optional_policy(` +@@ -1077,172 +1270,103 @@ optional_policy(` ') ') 
@@ -5572,7 +5618,7 @@ index 1a82e29..44dae79 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1376,70 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1374,70 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -5666,7 +5712,7 @@ index 1a82e29..44dae79 100644 ######################################## # -@@ -1315,8 +1447,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1445,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -5683,7 +5729,7 @@ index 1a82e29..44dae79 100644 ') ######################################## -@@ -1324,49 +1463,36 @@ optional_policy(` +@@ -1324,49 +1461,36 @@ optional_policy(` # User content local policy # @@ -5747,7 +5793,7 @@ index 1a82e29..44dae79 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1502,101 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1500,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -5831,7 +5877,6 @@ index 1a82e29..44dae79 100644 +fs_getattr_xattr_fs(httpd_script_type) + +files_read_etc_runtime_files(httpd_script_type) -+files_read_usr_files(httpd_script_type) + +libs_read_lib_files(httpd_script_type) + @@ -6202,7 +6247,7 @@ index 3590e2f..29e3af5 100644 optional_policy(` diff --git a/apt.te b/apt.te -index e2d8d52..c6e62d7 100644 +index e2d8d52..d82403c 100644 --- a/apt.te +++ b/apt.te @@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t) @@ -6213,7 +6258,14 @@ index e2d8d52..c6e62d7 100644 corenet_all_recvfrom_netlabel(apt_t) corenet_tcp_sendrecv_generic_if(apt_t) corenet_tcp_sendrecv_generic_node(apt_t) -@@ -105,20 +104,18 @@ fs_getattr_all_fs(apt_t) +@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t) + domain_use_interactive_fds(apt_t) + + files_exec_usr_files(apt_t) +-files_read_etc_files(apt_t) + files_read_etc_runtime_files(apt_t) + + fs_getattr_all_fs(apt_t) term_create_pty(apt_t, apt_devpts_t) term_list_ptys(apt_t) 
@@ -6310,7 +6362,7 @@ index 50c9b9c..51c8cc0 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') diff --git a/arpwatch.te b/arpwatch.te -index fa18c76..ef976af 100644 +index fa18c76..fd6911a 100644 --- a/arpwatch.te +++ b/arpwatch.te @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) @@ -6356,7 +6408,14 @@ index fa18c76..ef976af 100644 dev_read_sysfs(arpwatch_t) dev_read_usbmon_dev(arpwatch_t) dev_rw_generic_usb_dev(arpwatch_t) -@@ -66,8 +82,6 @@ auth_use_nsswitch(arpwatch_t) +@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t) + + domain_use_interactive_fds(arpwatch_t) + +-files_read_usr_files(arpwatch_t) + files_search_var_lib(arpwatch_t) + + auth_use_nsswitch(arpwatch_t) logging_send_syslog_msg(arpwatch_t) @@ -6597,10 +6656,10 @@ index 0000000..98ab9ed +') diff --git a/authconfig.te b/authconfig.te new file mode 100644 -index 0000000..aeea7cf +index 0000000..340b755 --- /dev/null +++ b/authconfig.te -@@ -0,0 +1,33 @@ +@@ -0,0 +1,32 @@ +policy_module(authconfig, 1.0.0) + +######################################## @@ -6629,7 +6688,6 @@ index 0000000..aeea7cf + +domain_use_interactive_fds(authconfig_t) + -+files_read_etc_files(authconfig_t) + +init_domtrans_script(authconfig_t) + @@ -6867,7 +6925,7 @@ index aebe7cb..33fe57b 100644 + allow $1 avahi_unit_file_t:service all_service_perms; ') diff --git a/avahi.te b/avahi.te -index 60e76be..0f0891b 100644 +index 60e76be..3929421 100644 --- a/avahi.te +++ b/avahi.te @@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t) 
@@ -6889,15 +6947,18 @@ index 60e76be..0f0891b 100644 corenet_all_recvfrom_netlabel(avahi_t) corenet_tcp_sendrecv_generic_if(avahi_t) corenet_udp_sendrecv_generic_if(avahi_t) -@@ -72,6 +75,7 @@ fs_search_auto_mountpoints(avahi_t) +@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t) fs_list_inotifyfs(avahi_t) domain_use_interactive_fds(avahi_t) +domain_dontaudit_signull_all_domains(avahi_t) files_read_etc_runtime_files(avahi_t) - files_read_usr_files(avahi_t) -@@ -83,13 +87,14 @@ init_signull_script(avahi_t) +-files_read_usr_files(avahi_t) + + auth_use_nsswitch(avahi_t) + +@@ -83,13 +86,14 @@ init_signull_script(avahi_t) logging_send_syslog_msg(avahi_t) @@ -6913,7 +6974,7 @@ index 60e76be..0f0891b 100644 userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) -@@ -106,6 +111,10 @@ optional_policy(` +@@ -106,6 +110,10 @@ optional_policy(` ') optional_policy(` @@ -6925,10 +6986,19 @@ index 60e76be..0f0891b 100644 ') diff --git a/awstats.te b/awstats.te -index d6ab824..eec2bdb 100644 +index d6ab824..116176d 100644 --- a/awstats.te +++ b/awstats.te -@@ -61,8 +61,6 @@ libs_read_lib_files(awstats_t) +@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t) + dev_read_urand(awstats_t) + + files_dontaudit_search_all_mountpoints(awstats_t) +-files_read_etc_files(awstats_t) +-files_read_usr_files(awstats_t) + + fs_list_inotifyfs(awstats_t) + +@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t) logging_read_generic_logs(awstats_t) @@ -6937,7 +7007,7 @@ index d6ab824..eec2bdb 100644 sysnet_dns_name_resolve(awstats_t) tunable_policy(`awstats_purge_apache_log_files',` -@@ -90,9 +88,13 @@ optional_policy(` +@@ -90,9 +86,13 @@ optional_policy(` # CGI local policy # @@ -6975,12 +7045,14 @@ index d6ceef4..c10d39c 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) diff --git a/bacula.te b/bacula.te -index 3beba2f..67e074e 100644 +index 3beba2f..7ca4480 100644 --- a/bacula.te 
+++ b/bacula.te -@@ -150,7 +150,6 @@ domain_use_interactive_fds(bacula_admin_t) +@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) - files_read_etc_files(bacula_admin_t) + domain_use_interactive_fds(bacula_admin_t) + +-files_read_etc_files(bacula_admin_t) -miscfiles_read_localization(bacula_admin_t) @@ -7067,7 +7139,7 @@ index ec95d36..7132e1e 100644 + ') ') diff --git a/bcfg2.te b/bcfg2.te -index 536ec3c..2d04d51 100644 +index 536ec3c..271b976 100644 --- a/bcfg2.te +++ b/bcfg2.te @@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t) @@ -7080,7 +7152,12 @@ index 536ec3c..2d04d51 100644 type bcfg2_var_run_t; files_pid_file(bcfg2_var_run_t) -@@ -57,5 +60,3 @@ files_read_usr_files(bcfg2_t) +@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t) + + domain_use_interactive_fds(bcfg2_t) + +-files_read_usr_files(bcfg2_t) + auth_use_nsswitch(bcfg2_t) logging_send_syslog_msg(bcfg2_t) @@ -7423,6 +7500,18 @@ index 076ffee..6a12335 100644 userdom_use_user_terminals(ndc_t) +diff --git a/bird.te b/bird.te +index d4d71ec..f53b135 100644 +--- a/bird.te ++++ b/bird.te +@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t) + corenet_tcp_sendrecv_bgp_port(bird_t) + + # /etc/iproute2/rt_realms +-files_read_etc_files(bird_t) + + logging_send_syslog_msg(bird_t) + diff --git a/bitlbee.if b/bitlbee.if index e73fb79..2badfc0 100644 --- a/bitlbee.if @@ -7519,7 +7608,7 @@ index c295d2e..4f84e9c 100644 /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) diff --git a/blueman.te b/blueman.te -index bc5c984..b0c90e9 100644 +index bc5c984..fe09796 100644 --- a/blueman.te +++ b/blueman.te @@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) 
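Review bot: In the new bird.te hunk the comment `# /etc/iproute2/rt_realms` is left with nothing under it once `files_read_etc_files(bird_t)` is removed, so it now sits as a stray note above `logging_send_syslog_msg(bird_t)`. Either remove the comment in the same hunk (`-# /etc/iproute2/rt_realms`) or, if /etc read access for bird_t is now provided by a rule elsewhere, reword it so the next reader knows why the call is gone, e.g. `# /etc/iproute2/rt_realms: read access to /etc is granted outside this module`. The same orphaned-comment check applies to every removed call that carried its own explanation; bird.te is the only case I can see in this chunk.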
@@ -7541,10 +7630,11 @@ index bc5c984..b0c90e9 100644 allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -@@ -46,12 +47,14 @@ domain_use_interactive_fds(blueman_t) +@@ -45,13 +46,14 @@ dev_rw_wireless(blueman_t) + domain_use_interactive_fds(blueman_t) files_list_tmp(blueman_t) - files_read_usr_files(blueman_t) +-files_read_usr_files(blueman_t) +files_list_tmp(blueman_t) auth_use_nsswitch(blueman_t) @@ -7557,7 +7647,7 @@ index bc5c984..b0c90e9 100644 sysnet_domtrans_ifconfig(blueman_t) -@@ -60,10 +63,22 @@ optional_policy(` +@@ -60,10 +62,22 @@ optional_policy(` ') optional_policy(` @@ -7710,7 +7800,7 @@ index c723a0a..3e8a553 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 6f09d24..0b43ce7 100644 +index 6f09d24..f3ae1a6 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) @@ -7766,7 +7856,7 @@ index 6f09d24..0b43ce7 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -131,6 +142,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) +@@ -131,7 +142,12 @@ userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) optional_policy(` @@ -7775,8 +7865,18 @@ index 6f09d24..0b43ce7 100644 + +optional_policy(` dbus_system_bus_client(bluetooth_t) ++ dbus_connect_system_bus(bluetooth_t) optional_policy(` + cups_dbus_chat(bluetooth_t) +@@ -199,7 +215,6 @@ dev_read_urand(bluetooth_helper_t) + domain_read_all_domains_state(bluetooth_helper_t) + + files_read_etc_runtime_files(bluetooth_helper_t) +-files_read_usr_files(bluetooth_helper_t) + files_dontaudit_list_default(bluetooth_helper_t) + + term_dontaudit_use_all_ttys(bluetooth_helper_t) diff --git a/boinc.fc b/boinc.fc index 6d3ccad..bda740a 100644 --- a/boinc.fc @@ -8020,7 +8120,7 @@ index 02fefaa..fbcef10 100644 + ') ') 
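Review bot: After this rewrite the blueman.te hunk removes `files_read_usr_files(blueman_t)` and keeps the pre-existing `+files_list_tmp(blueman_t)` directly under the context line `files_list_tmp(blueman_t)`, so the inner hunk's visible net effect is to add a duplicate of a call that is already there. Since the inner header is being regenerated anyway (`@@ -45,13 +46,14 @@`), this is the moment to drop the redundant `+files_list_tmp(blueman_t)` line and reduce the new-side count in the header accordingly. The rest of that inner hunk runs past what the outer hunk shows, so I cannot confirm the exact new count from here.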
diff --git a/boinc.te b/boinc.te -index 7c92aa1..3dbacf3 100644 +index 7c92aa1..69f0a40 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,13 @@ @@ -8039,7 +8139,7 @@ index 7c92aa1..3dbacf3 100644 type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) -@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t) +@@ -21,31 +23,64 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) @@ -8085,9 +8185,7 @@ index 7c92aa1..3dbacf3 100644 + +domain_read_all_domains_state(boinc_domain) + -+files_read_etc_files(boinc_domain) +files_read_etc_runtime_files(boinc_domain) -+files_read_usr_files(boinc_domain) + +fs_getattr_all_fs(boinc_domain) + @@ -8115,7 +8213,7 @@ index 7c92aa1..3dbacf3 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -54,74 +91,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -54,74 +89,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) @@ -8209,7 +8307,7 @@ index 7c92aa1..3dbacf3 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +138,61 @@ init_read_utmp(boinc_t) +@@ -130,55 +136,61 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -8292,10 +8390,14 @@ index 7c92aa1..3dbacf3 100644 + unconfined_domain(boinc_project_t) +') diff --git a/brctl.te b/brctl.te -index bcd1e87..a2559fe 100644 +index bcd1e87..6294955 100644 --- a/brctl.te +++ b/brctl.te -@@ -38,8 +38,6 @@ files_read_etc_files(brctl_t) +@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t) + + domain_use_interactive_fds(brctl_t) + +-files_read_etc_files(brctl_t) term_dontaudit_use_console(brctl_t) @@ -8501,10 +8603,10 @@ index 8de2ab9..3b41945 100644 + domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t) ') diff --git a/cachefilesd.te b/cachefilesd.te -index 581c8ef..3eda1b1 100644 +index 581c8ef..2c71b1d 100644 
--- a/cachefilesd.te +++ b/cachefilesd.te -@@ -1,52 +1,144 @@ +@@ -1,52 +1,143 @@ -policy_module(cachefilesd, 1.0.1) +############################################################################### +# @@ -8518,8 +8620,7 @@ index 581c8ef..3eda1b1 100644 +# 2 of the License, or (at your option) any later version. +# +############################################################################### - --######################################## ++ +# +# This security policy governs access by the CacheFiles kernel module and +# userspace management daemon to the files and directories in the on-disk @@ -8527,7 +8628,8 @@ index 581c8ef..3eda1b1 100644 +# filesystem such as NFS +# +policy_module(cachefilesd, 1.0.17) -+ + +-######################################## +############################################################################### # # Declarations @@ -8570,7 +8672,7 @@ index 581c8ef..3eda1b1 100644 -# Local policy +# The CacheFiles kernel module causes processes accessing the cache files to do +# so acting as security ID cachefiles_kernel_t -+# + # +type cachefiles_kernel_t; +domain_type(cachefiles_kernel_t) +domain_obj_id_change_exemption(cachefiles_kernel_t) @@ -8579,7 +8681,7 @@ index 581c8ef..3eda1b1 100644 +############################################################################### +# +# Permit RPM to deal with files in the cache - # ++# +optional_policy(` + rpm_use_script_fds(cachefilesd_t) +') @@ -8607,11 +8709,11 @@ index 581c8ef..3eda1b1 100644 -manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) -manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) +- +-dev_rw_cachefiles(cachefilesd_t) +# Allow access to cachefiles device file +allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; --dev_rw_cachefiles(cachefilesd_t) -- -files_create_all_files_as(cachefilesd_t) -files_read_etc_files(cachefilesd_t) +# Allow access to cache superstructure 
@@ -8622,7 +8724,6 @@ index 581c8ef..3eda1b1 100644 fs_getattr_xattr_fs(cachefilesd_t) +# Basic access -+files_read_etc_files(cachefilesd_t) +logging_send_syslog_msg(cachefilesd_t) +init_dontaudit_use_script_ptys(cachefilesd_t) term_dontaudit_use_generic_ptys(cachefilesd_t) @@ -8733,7 +8834,7 @@ index 400db07..f416e22 100644 domain_system_change_exemption($1) role_transition $2 canna_initrc_exec_t system_r; diff --git a/canna.te b/canna.te -index 4ec0626..a209a9b 100644 +index 4ec0626..88e7e89 100644 --- a/canna.te +++ b/canna.te @@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) @@ -8744,7 +8845,15 @@ index 4ec0626..a209a9b 100644 corenet_all_recvfrom_netlabel(canna_t) corenet_tcp_sendrecv_generic_if(canna_t) corenet_tcp_sendrecv_generic_node(canna_t) -@@ -76,8 +75,6 @@ files_dontaudit_read_root_files(canna_t) +@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t) + + domain_use_interactive_fds(canna_t) + +-files_read_etc_files(canna_t) + files_read_etc_runtime_files(canna_t) +-files_read_usr_files(canna_t) + files_search_tmp(canna_t) + files_dontaudit_read_root_files(canna_t) logging_send_syslog_msg(canna_t) @@ -8773,7 +8882,7 @@ index 5ded72d..f6b854c 100644 domain_system_change_exemption($1) role_transition $2 ccs_initrc_exec_t system_r; diff --git a/ccs.te b/ccs.te -index b85b53b..619a4c5 100644 +index b85b53b..a37eebd 100644 --- a/ccs.te +++ b/ccs.te @@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t) @@ -8793,7 +8902,11 @@ index b85b53b..619a4c5 100644 corenet_all_recvfrom_netlabel(ccs_t) corenet_tcp_sendrecv_generic_if(ccs_t) corenet_udp_sendrecv_generic_if(ccs_t) -@@ -99,11 +98,10 @@ files_read_etc_files(ccs_t) +@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t) + + dev_read_urand(ccs_t) + +-files_read_etc_files(ccs_t) files_read_etc_runtime_files(ccs_t) init_rw_script_tmp_files(ccs_t) @@ -9464,10 +9577,10 @@ index 0000000..efebae7 +') 
diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..0ce7275 +index 0000000..8f6ba6b --- /dev/null +++ b/chrome.te -@@ -0,0 +1,197 @@ +@@ -0,0 +1,194 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -9550,8 +9663,6 @@ index 0000000..0ce7275 +dev_rwx_zero(chrome_sandbox_t) +dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t) + -+files_read_etc_files(chrome_sandbox_t) -+files_read_usr_files(chrome_sandbox_t) + +fs_dontaudit_getattr_all_fs(chrome_sandbox_t) + @@ -9651,7 +9762,6 @@ index 0000000..0ce7275 +dev_read_urand(chrome_sandbox_nacl_t) +dev_read_sysfs(chrome_sandbox_nacl_t) + -+files_read_etc_files(chrome_sandbox_nacl_t) + +init_read_state(chrome_sandbox_nacl_t) + @@ -9880,7 +9990,7 @@ index 914ee2d..dac9e4c 100644 optional_policy(` gpsd_rw_shm(chronyd_t) diff --git a/cipe.te b/cipe.te -index 28c8475..a53162d 100644 +index 28c8475..9b86dd1 100644 --- a/cipe.te +++ b/cipe.te @@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t) @@ -9891,7 +10001,15 @@ index 28c8475..a53162d 100644 corenet_all_recvfrom_netlabel(ciped_t) corenet_udp_sendrecv_generic_if(ciped_t) corenet_udp_sendrecv_generic_node(ciped_t) -@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(ciped_t) +@@ -45,7 +44,6 @@ dev_read_urand(ciped_t) + + domain_use_interactive_fds(ciped_t) + +-files_read_etc_files(ciped_t) + files_read_etc_runtime_files(ciped_t) + files_dontaudit_search_var(ciped_t) + +@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t) logging_send_syslog_msg(ciped_t) @@ -10316,7 +10434,7 @@ index 8e1fef9..725029f 100644 ') diff --git a/clockspeed.te b/clockspeed.te -index b59c592..c21a405 100644 +index b59c592..4b8cddc 100644 --- a/clockspeed.te +++ b/clockspeed.te @@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms; 
@@ -10327,9 +10445,11 @@ index b59c592..c21a405 100644 corenet_all_recvfrom_netlabel(clockspeed_cli_t) corenet_udp_sendrecv_generic_if(clockspeed_cli_t) corenet_udp_sendrecv_generic_node(clockspeed_cli_t) -@@ -40,9 +39,8 @@ corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) +@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t) + corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) + files_list_var_lib(clockspeed_cli_t) - files_read_etc_files(clockspeed_cli_t) +-files_read_etc_files(clockspeed_cli_t) -miscfiles_read_localization(clockspeed_cli_t) @@ -10338,7 +10458,7 @@ index b59c592..c21a405 100644 ######################################## # -@@ -57,7 +55,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; +@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) @@ -10346,9 +10466,11 @@ index b59c592..c21a405 100644 corenet_all_recvfrom_netlabel(clockspeed_srv_t) corenet_udp_sendrecv_generic_if(clockspeed_srv_t) corenet_udp_sendrecv_generic_node(clockspeed_srv_t) -@@ -70,7 +67,6 @@ corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t) +@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t) + corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t) + files_list_var_lib(clockspeed_srv_t) - files_read_etc_files(clockspeed_srv_t) +-files_read_etc_files(clockspeed_srv_t) -miscfiles_read_localization(clockspeed_srv_t) @@ -10731,10 +10853,20 @@ index c223f81..1f3d0b7 100644 ##

## Read cobbler configuration files. diff --git a/cobbler.te b/cobbler.te -index 2a71346..30c75af 100644 +index 2a71346..7b64dc9 100644 --- a/cobbler.te +++ b/cobbler.te -@@ -193,12 +193,11 @@ optional_policy(` +@@ -117,9 +117,7 @@ dev_read_urand(cobblerd_t) + files_list_boot(cobblerd_t) + files_list_tmp(cobblerd_t) + files_read_boot_files(cobblerd_t) +-files_read_etc_files(cobblerd_t) + files_read_etc_runtime_files(cobblerd_t) +-files_read_usr_files(cobblerd_t) + + fs_getattr_all_fs(cobblerd_t) + fs_read_iso9660_files(cobblerd_t) +@@ -193,12 +191,11 @@ optional_policy(` optional_policy(` rsync_read_config(cobblerd_t) @@ -11034,7 +11166,7 @@ index 8e27a37..fa2c3cb 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 09f18e2..5c8bb84 100644 +index 09f18e2..235f39e 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) @@ -11070,7 +11202,7 @@ index 09f18e2..5c8bb84 100644 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) -@@ -74,9 +81,8 @@ dev_read_video_dev(colord_t) +@@ -74,18 +81,17 @@ dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) dev_read_rand(colord_t) @@ -11081,9 +11213,9 @@ index 09f18e2..5c8bb84 100644 dev_rw_generic_usb_dev(colord_t) domain_use_interactive_fds(colord_t) -@@ -84,8 +90,9 @@ domain_use_interactive_fds(colord_t) + files_list_mnt(colord_t) - files_read_usr_files(colord_t) +-files_read_usr_files(colord_t) +fs_search_all(colord_t) fs_getattr_noxattr_fs(colord_t) @@ -11092,7 +11224,7 @@ index 09f18e2..5c8bb84 100644 fs_list_noxattr_fs(colord_t) fs_read_noxattr_fs_files(colord_t) fs_search_all(colord_t) -@@ -100,7 +107,11 @@ auth_use_nsswitch(colord_t) +@@ -100,7 +106,11 @@ auth_use_nsswitch(colord_t) logging_send_syslog_msg(colord_t) 
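Review bot: The renumbered colord.te hunk (`@@ -74,18 +81,17 @@`) still carries the pre-existing `+fs_search_all(colord_t)` directly after the removed `files_read_usr_files(colord_t)`, while the following outer hunk's context shows an original `fs_search_all(colord_t)` a few lines further down, so the added line appears to be a duplicate. As the inner header is being rewritten anyway, dropping `+fs_search_all(colord_t)` and decrementing the new-side count would remove the redundancy; I am inferring the duplication from context lines only, so please confirm against the full colord.te.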
@@ -11105,7 +11237,7 @@ index 09f18e2..5c8bb84 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(colord_t) -@@ -120,6 +131,12 @@ optional_policy(` +@@ -120,6 +130,12 @@ optional_policy(` ') optional_policy(` @@ -11118,7 +11250,7 @@ index 09f18e2..5c8bb84 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -133,3 +150,13 @@ optional_policy(` +@@ -133,3 +149,13 @@ optional_policy(` optional_policy(` udev_read_db(colord_t) ') @@ -11852,7 +11984,7 @@ index 5b830ec..0647a3b 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index 5f0c793..7d6c470 100644 +index 5f0c793..fcc27e3 100644 --- a/consolekit.te +++ b/consolekit.te @@ -19,12 +19,16 @@ type consolekit_var_run_t; @@ -11872,15 +12004,25 @@ index 5f0c793..7d6c470 100644 allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket { accept listen }; -@@ -54,7 +58,6 @@ dev_read_sysfs(consolekit_t) +@@ -54,17 +58,13 @@ dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) -domain_dontaudit_ptrace_all_domains(consolekit_t) - files_read_usr_files(consolekit_t) +-files_read_usr_files(consolekit_t) # needs to read /var/lib/dbus/machine-id -@@ -74,17 +77,17 @@ auth_write_login_records(consolekit_t) + files_read_var_lib_files(consolekit_t) + files_search_all_mountpoints(consolekit_t) + + fs_list_inotifyfs(consolekit_t) + +-mcs_ptrace_all(consolekit_t) +- + term_use_all_terms(consolekit_t) + + auth_use_nsswitch(consolekit_t) +@@ -74,17 +74,17 @@ auth_write_login_records(consolekit_t) logging_send_syslog_msg(consolekit_t) logging_send_audit_msgs(consolekit_t) @@ -11904,7 +12046,7 @@ index 5f0c793..7d6c470 100644 ') ifdef(`distro_debian',` -@@ -113,7 +116,7 @@ optional_policy(` +@@ -113,7 +113,7 @@ optional_policy(` ') optional_policy(` 
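Review bot: Removing `mcs_ptrace_all(consolekit_t)` in the consolekit.te hunk is a genuine privilege reduction, and because the same hunk's context shows `domain_dontaudit_ptrace_all_domains(consolekit_t)` already gone, any ptrace consolekit_t still attempts will surface as an AVC denial instead of being silently dropped — useful for catching a regression, but the reason consolekit no longer needs ptrace regardless of MCS category (as the interface name suggests) is not recorded anywhere in the patch. A one-line justification in the commit message, or a comment such as `# ptrace across MCS categories is intentionally not granted` at the point of removal, would tell whoever next sees such a denial that it is expected rather than a missing rule.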
@@ -12020,7 +12162,7 @@ index 694a037..283cf03 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index eeea48d..dc3795e 100644 +index eeea48d..d7f485e 100644 --- a/corosync.te +++ b/corosync.te @@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t) @@ -12051,7 +12193,7 @@ index eeea48d..dc3795e 100644 corecmd_exec_bin(corosync_t) corecmd_exec_shell(corosync_t) -@@ -89,6 +96,7 @@ corenet_udp_sendrecv_netsupport_port(corosync_t) +@@ -89,11 +96,11 @@ corenet_udp_sendrecv_netsupport_port(corosync_t) dev_read_sysfs(corosync_t) dev_read_urand(corosync_t) @@ -12059,7 +12201,12 @@ index eeea48d..dc3795e 100644 domain_read_all_domains_state(corosync_t) -@@ -106,7 +114,13 @@ logging_send_syslog_msg(corosync_t) + files_manage_mounttab(corosync_t) +-files_read_usr_files(corosync_t) + + auth_use_nsswitch(corosync_t) + +@@ -106,7 +113,13 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) userdom_read_user_tmp_files(corosync_t) @@ -12074,7 +12221,7 @@ index eeea48d..dc3795e 100644 optional_policy(` ccs_read_config(corosync_t) -@@ -133,16 +147,44 @@ optional_policy(` +@@ -133,16 +146,44 @@ optional_policy(` ') optional_policy(` @@ -13683,7 +13830,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..88a7b95 100644 +index 28e1b86..9e55dbb 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -13924,7 +14071,7 @@ index 28e1b86..88a7b95 100644 logging_log_filetrans(crond_t, cron_log_t, file) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -@@ -237,71 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +@@ -237,71 +180,67 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) 
@@ -13988,7 +14135,7 @@ index 28e1b86..88a7b95 100644 -fs_rw_cgroup_files(crond_t) -fs_search_auto_mountpoints(crond_t) - - files_read_usr_files(crond_t) +-files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) files_read_generic_spool(crond_t) files_list_usr(crond_t) @@ -14026,7 +14173,7 @@ index 28e1b86..88a7b95 100644 auth_manage_var_auth(crond_t) auth_use_nsswitch(crond_t) -@@ -311,41 +251,42 @@ logging_set_loginuid(crond_t) +@@ -311,41 +250,42 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -14085,7 +14232,7 @@ index 28e1b86..88a7b95 100644 ') optional_policy(` -@@ -353,102 +294,135 @@ optional_policy(` +@@ -353,102 +293,135 @@ optional_policy(` ') optional_policy(` @@ -14250,7 +14397,7 @@ index 28e1b86..88a7b95 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -457,11 +431,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -457,11 +430,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -14263,7 +14410,7 @@ index 28e1b86..88a7b95 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -481,6 +455,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -481,6 +454,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) 
@@ -14271,9 +14418,11 @@ index 28e1b86..88a7b95 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -493,13 +468,18 @@ files_getattr_all_pipes(system_cronjob_t) +@@ -491,15 +465,19 @@ files_getattr_all_files(system_cronjob_t) + files_getattr_all_symlinks(system_cronjob_t) + files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) - files_read_usr_files(system_cronjob_t) +-files_read_usr_files(system_cronjob_t) files_read_var_files(system_cronjob_t) +# for nscd: files_dontaudit_search_pids(system_cronjob_t) @@ -14292,7 +14441,7 @@ index 28e1b86..88a7b95 100644 init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +491,23 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +489,23 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -14319,7 +14468,7 @@ index 28e1b86..88a7b95 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +517,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +515,17 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -14337,7 +14486,7 @@ index 28e1b86..88a7b95 100644 ') optional_policy(` -@@ -546,10 +536,6 @@ optional_policy(` +@@ -546,10 +534,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -14348,7 +14497,7 @@ index 28e1b86..88a7b95 100644 ') optional_policy(` -@@ -581,6 +567,7 @@ optional_policy(` +@@ -581,6 +565,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -14356,7 +14505,7 @@ index 28e1b86..88a7b95 100644 ') optional_policy(` -@@ -588,15 +575,19 @@ optional_policy(` +@@ -588,15 +573,19 @@ optional_policy(` ') optional_policy(` 
@@ -14378,7 +14527,7 @@ index 28e1b86..88a7b95 100644 ') optional_policy(` -@@ -606,6 +597,7 @@ optional_policy(` +@@ -606,6 +595,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -14386,7 +14535,7 @@ index 28e1b86..88a7b95 100644 ') optional_policy(` -@@ -613,12 +605,24 @@ optional_policy(` +@@ -613,12 +603,24 @@ optional_policy(` ') optional_policy(` @@ -14412,7 +14561,7 @@ index 28e1b86..88a7b95 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +630,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +628,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -14446,7 +14595,7 @@ index 28e1b86..88a7b95 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +663,152 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +661,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -14467,12 +14616,11 @@ index 28e1b86..88a7b95 100644 domain_dontaudit_read_all_domains_state(cronjob_t) domain_dontaudit_getattr_all_domains(cronjob_t) --files_exec_etc_files(cronjob_t) + files_exec_etc_files(cronjob_t) -files_read_etc_runtime_files(cronjob_t) -files_read_var_files(cronjob_t) - files_read_usr_files(cronjob_t) +-files_read_usr_files(cronjob_t) -files_search_spool(cronjob_t) -+files_exec_etc_files(cronjob_t) +# for nscd: files_dontaudit_search_pids(cronjob_t) @@ -14593,8 +14741,6 @@ index 28e1b86..88a7b95 100644 + +domain_use_interactive_fds(crontab_domain) + -+files_read_etc_files(crontab_domain) -+files_read_usr_files(crontab_domain) +files_dontaudit_search_pids(crontab_domain) + +fs_dontaudit_rw_anon_inodefs_files(crontab_domain) 
@@ -15193,7 +15339,7 @@ index 06da9a0..1a6b35f 100644 + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ') diff --git a/cups.te b/cups.te -index 9f34c2e..2e06558 100644 +index 9f34c2e..6cfc825 100644 --- a/cups.te +++ b/cups.te @@ -62,6 +62,9 @@ files_pid_file(cupsd_var_run_t) @@ -15309,7 +15455,15 @@ index 9f34c2e..2e06558 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -420,11 +427,8 @@ auth_use_nsswitch(cupsd_config_t) +@@ -404,7 +411,6 @@ dev_read_rand(cupsd_config_t) + dev_rw_generic_usb_dev(cupsd_config_t) + + files_read_etc_runtime_files(cupsd_config_t) +-files_read_usr_files(cupsd_config_t) + files_read_var_symlinks(cupsd_config_t) + files_search_all_mountpoints(cupsd_config_t) + +@@ -420,11 +426,8 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -15321,7 +15475,7 @@ index 9f34c2e..2e06558 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,6 +456,10 @@ optional_policy(` +@@ -452,6 +455,10 @@ optional_policy(` ') optional_policy(` @@ -15332,7 +15486,7 @@ index 9f34c2e..2e06558 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -470,6 +478,11 @@ optional_policy(` +@@ -470,6 +477,11 @@ optional_policy(` ') optional_policy(` @@ -15344,7 +15498,7 @@ index 9f34c2e..2e06558 100644 rpm_read_db(cupsd_config_t) ') -@@ -513,13 +526,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) +@@ -513,13 +525,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) kernel_read_network_state(cupsd_lpd_t) 
@@ -15359,7 +15513,7 @@ index 9f34c2e..2e06558 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) dev_read_urand(cupsd_lpd_t) -@@ -533,7 +546,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -533,7 +545,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -15367,7 +15521,14 @@ index 9f34c2e..2e06558 100644 miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) optional_policy(` -@@ -569,7 +581,6 @@ corecmd_exec_shell(cups_pdf_t) +@@ -562,14 +573,12 @@ fs_search_auto_mountpoints(cups_pdf_t) + + kernel_read_system_state(cups_pdf_t) + +-files_read_usr_files(cups_pdf_t) + + corecmd_exec_bin(cups_pdf_t) + corecmd_exec_shell(cups_pdf_t) auth_use_nsswitch(cups_pdf_t) @@ -15375,7 +15536,7 @@ index 9f34c2e..2e06558 100644 miscfiles_read_fonts(cups_pdf_t) miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) -@@ -582,9 +593,10 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -582,9 +591,10 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(cups_pdf_t) ') @@ -15389,7 +15550,7 @@ index 9f34c2e..2e06558 100644 ') optional_policy(` -@@ -613,9 +625,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms; +@@ -613,9 +623,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms; allow hplip_t hplip_etc_t:file read_file_perms; allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms; @@ -15406,7 +15567,7 @@ index 9f34c2e..2e06558 100644 manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file) -@@ -627,7 +646,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -627,7 +644,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_system_state(hplip_t) kernel_read_kernel_sysctls(hplip_t) 
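Review bot: The inner deletion of `files_read_usr_files(cups_pdf_t)` keeps the blank line on each side as context, so the patched cups.te ends up with two consecutive empty lines between `kernel_read_system_state(cups_pdf_t)` and `corecmd_exec_bin(cups_pdf_t)`; make one of those context blanks a removed line as well. The hunk also drops the read grant with no replacement visible in it, which is only behavior-preserving if usr_t reads are now given to every domain at the base level — that grant is not shown anywhere in this section, so it should be confirmed in the same series. A short note such as `# usr_t read is inherited from the base domain policy` beside the remaining cups_pdf_t rules would tell the next reader why the explicit call is gone. The cups_pdf_t rule block continues outside the hunk.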
@@ -15417,7 +15578,7 @@ index 9f34c2e..2e06558 100644 corenet_all_recvfrom_netlabel(hplip_t) corenet_tcp_sendrecv_generic_if(hplip_t) corenet_udp_sendrecv_generic_if(hplip_t) -@@ -644,12 +665,15 @@ corenet_sendrecv_hplip_client_packets(hplip_t) +@@ -644,12 +663,15 @@ corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) corenet_tcp_bind_hplip_port(hplip_t) corenet_tcp_connect_hplip_port(hplip_t) @@ -15433,7 +15594,7 @@ index 9f34c2e..2e06558 100644 corecmd_exec_bin(hplip_t) -@@ -662,23 +686,25 @@ dev_rw_usbfs(hplip_t) +@@ -662,23 +684,25 @@ dev_rw_usbfs(hplip_t) domain_use_interactive_fds(hplip_t) @@ -15463,7 +15624,7 @@ index 9f34c2e..2e06558 100644 optional_policy(` dbus_system_bus_client(hplip_t) -@@ -731,7 +757,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +755,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -15471,7 +15632,7 @@ index 9f34c2e..2e06558 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -747,7 +772,6 @@ dev_rw_printer(ptal_t) +@@ -747,7 +770,6 @@ dev_rw_printer(ptal_t) domain_use_interactive_fds(ptal_t) @@ -15479,7 +15640,7 @@ index 9f34c2e..2e06558 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +779,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +777,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -15589,7 +15750,7 @@ index 53fc3af..25b3285 100644 + files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) ') diff --git a/cyphesis.te b/cyphesis.te -index 916427f..9d65864 100644 +index 916427f..556f1ac 100644 --- a/cyphesis.te +++ b/cyphesis.te @@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) 
@@ -15600,7 +15761,12 @@ index 916427f..9d65864 100644 corenet_tcp_sendrecv_generic_if(cyphesis_t) corenet_tcp_sendrecv_generic_node(cyphesis_t) corenet_tcp_bind_generic_node(cyphesis_t) -@@ -66,8 +65,6 @@ files_read_usr_files(cyphesis_t) +@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t) + + domain_use_interactive_fds(cyphesis_t) + +-files_read_etc_files(cyphesis_t) +-files_read_usr_files(cyphesis_t) logging_send_syslog_msg(cyphesis_t) @@ -15730,7 +15896,7 @@ index 3b3d9a0..6c8106a 100644 ') + diff --git a/daemontools.te b/daemontools.te -index 0165962..8be5248 100644 +index 0165962..2569147 100644 --- a/daemontools.te +++ b/daemontools.te @@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld; @@ -15744,16 +15910,17 @@ index 0165962..8be5248 100644 logging_manage_generic_logs(svc_multilog_t) -@@ -77,6 +80,8 @@ dev_read_urand(svc_run_t) +@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t) corecmd_exec_bin(svc_run_t) corecmd_exec_shell(svc_run_t) +-files_read_etc_files(svc_run_t) +term_write_console(svc_run_t) + - files_read_etc_files(svc_run_t) files_read_etc_runtime_files(svc_run_t) files_search_pids(svc_run_t) -@@ -109,6 +114,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit }; + files_search_var_lib(svc_run_t) +@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit }; can_exec(svc_start_t, svc_start_exec_t) 
@@ -15761,16 +15928,16 @@ index 0165962..8be5248 100644 domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t) kernel_read_kernel_sysctls(svc_start_t) -@@ -117,11 +123,14 @@ kernel_read_system_state(svc_start_t) +@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t) corecmd_exec_bin(svc_start_t) corecmd_exec_shell(svc_start_t) +-files_read_etc_files(svc_start_t) +corenet_tcp_bind_generic_node(svc_start_t) +corenet_tcp_bind_generic_port(svc_start_t) + +term_write_console(svc_start_t) + - files_read_etc_files(svc_start_t) files_read_etc_runtime_files(svc_start_t) files_search_var(svc_start_t) files_search_pids(svc_start_t) @@ -15778,6 +15945,18 @@ index 0165962..8be5248 100644 logging_send_syslog_msg(svc_start_t) - -miscfiles_read_localization(svc_start_t) +diff --git a/dante.te b/dante.te +index 98a2d6a..fff0987 100644 +--- a/dante.te ++++ b/dante.te +@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t) + + domain_use_interactive_fds(dante_t) + +-files_read_etc_files(dante_t) + files_read_etc_runtime_files(dante_t) + + fs_getattr_all_fs(dante_t) diff --git a/dbadm.te b/dbadm.te index a67870a..76435d4 100644 --- a/dbadm.te @@ -16493,7 +16672,7 @@ index afcf3a2..126d543 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 2c2e7e1..4dee5a0 100644 +index 2c2e7e1..6206703 100644 --- a/dbus.te +++ b/dbus.te @@ -1,20 +1,18 @@ @@ -16615,7 +16794,7 @@ index 2c2e7e1..4dee5a0 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +115,156 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +115,155 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) 
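Review bot: The newly added dante.te section removes `files_read_etc_files(dante_t)` with no compensating rule, so the SOCKS daemon keeps reading its /etc configuration only if etc_t reads are granted to all domains at the base level, and nothing in this patch section establishes that. If that base grant exists it should be referenced in the commit message, since this and the neighbouring daemontools, cups and cyphesis hunks are otherwise dozens of unexplained per-domain privilege removals. If it does not exist, dante_t fails at startup when it opens its config, so the removal should be reverted or paired with the base grant in the same change. The dante_t rule block continues outside the hunk.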
@@ -16629,7 +16808,6 @@ index 2c2e7e1..4dee5a0 100644 +domain_read_all_domains_state(system_dbusd_t) + +files_list_home(system_dbusd_t) -+files_read_usr_files(system_dbusd_t) + init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -16730,7 +16908,7 @@ index 2c2e7e1..4dee5a0 100644 +init_rw_stream_sockets(system_bus_type) + +ps_process_pattern(system_dbusd_t, system_bus_type) -+ + +userdom_dontaudit_search_admin_dir(system_bus_type) +userdom_read_all_users_state(system_bus_type) + @@ -16745,7 +16923,7 @@ index 2c2e7e1..4dee5a0 100644 +optional_policy(` + unconfined_dbus_send(system_bus_type) +') - ++ +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') @@ -16786,7 +16964,7 @@ index 2c2e7e1..4dee5a0 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,20 +273,16 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +272,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -16807,8 +16985,11 @@ index 2c2e7e1..4dee5a0 100644 +domain_read_all_domains_state(session_bus_type) files_list_home(session_bus_type) - files_read_usr_files(session_bus_type) -@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type) +-files_read_usr_files(session_bus_type) + files_dontaudit_search_var(session_bus_type) + + fs_getattr_romfs(session_bus_type) +@@ -215,7 +291,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) 
@@ -16816,7 +16997,7 @@ index 2c2e7e1..4dee5a0 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +302,39 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +300,39 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -16860,7 +17041,7 @@ index 2c2e7e1..4dee5a0 100644 ') ######################################## -@@ -244,5 +342,6 @@ optional_policy(` +@@ -244,5 +340,6 @@ optional_policy(` # Unconfined access to this module # @@ -17041,7 +17222,7 @@ index 5606b40..cd18cf2 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index 0b4b8b9..6f53812 100644 +index 0b4b8b9..db7291a 100644 --- a/ddclient.te +++ b/ddclient.te @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) @@ -17076,7 +17257,14 @@ index 0b4b8b9..6f53812 100644 corenet_sendrecv_all_client_packets(ddclient_t) corenet_tcp_connect_all_ports(ddclient_t) -@@ -99,9 +105,11 @@ files_read_usr_files(ddclient_t) +@@ -92,16 +98,16 @@ dev_read_urand(ddclient_t) + + domain_use_interactive_fds(ddclient_t) + +-files_read_etc_files(ddclient_t) + files_read_etc_runtime_files(ddclient_t) +-files_read_usr_files(ddclient_t) + fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) @@ -17089,6 +17277,20 @@ index 0b4b8b9..6f53812 100644 sysnet_exec_ifconfig(ddclient_t) sysnet_dns_name_resolve(ddclient_t) +diff --git a/ddcprobe.te b/ddcprobe.te +index ceb9bf4..2496e02 100644 +--- a/ddcprobe.te ++++ b/ddcprobe.te +@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t) + dev_read_raw_memory(ddcprobe_t) + dev_wx_raw_memory(ddcprobe_t) + +-files_read_etc_files(ddcprobe_t) + files_read_etc_runtime_files(ddcprobe_t) +-files_read_usr_files(ddcprobe_t) + + term_use_all_ttys(ddcprobe_t) + term_use_all_ptys(ddcprobe_t) 
diff --git a/denyhosts.if b/denyhosts.if index a7326da..c87b5b7 100644 --- a/denyhosts.if @@ -17513,7 +17715,7 @@ index d294865..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index ff933af..feb84e0 100644 +index ff933af..1aa58d4 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) @@ -17577,7 +17779,15 @@ index ff933af..feb84e0 100644 dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_read_urand(devicekit_disk_t) -@@ -134,16 +138,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -117,7 +121,6 @@ files_manage_boot_dirs(devicekit_disk_t) + files_manage_isid_type_dirs(devicekit_disk_t) + files_manage_mnt_dirs(devicekit_disk_t) + files_read_etc_runtime_files(devicekit_disk_t) +-files_read_usr_files(devicekit_disk_t) + + fs_getattr_all_fs(devicekit_disk_t) + fs_list_inotifyfs(devicekit_disk_t) +@@ -134,16 +137,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -17598,7 +17808,7 @@ index ff933af..feb84e0 100644 dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -167,6 +173,7 @@ optional_policy(` +@@ -167,6 +172,7 @@ optional_policy(` optional_policy(` mount_domtrans(devicekit_disk_t) @@ -17606,7 +17816,7 @@ index ff933af..feb84e0 100644 ') optional_policy(` -@@ -180,6 +187,10 @@ optional_policy(` +@@ -180,6 +186,10 @@ optional_policy(` ') optional_policy(` @@ -17617,7 +17827,7 @@ index ff933af..feb84e0 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -188,17 +199,27 @@ optional_policy(` +@@ -188,17 +198,27 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') 
@@ -17646,7 +17856,12 @@ index ff933af..feb84e0 100644 manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t) files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir }) -@@ -247,12 +268,13 @@ files_dontaudit_list_mnt(devicekit_power_t) +@@ -242,17 +262,17 @@ domain_read_all_domains_state(devicekit_power_t) + + files_read_kernel_img(devicekit_power_t) + files_read_etc_runtime_files(devicekit_power_t) +-files_read_usr_files(devicekit_power_t) + files_dontaudit_list_mnt(devicekit_power_t) fs_getattr_all_fs(devicekit_power_t) fs_list_inotifyfs(devicekit_power_t) @@ -17662,7 +17877,7 @@ index ff933af..feb84e0 100644 sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -269,9 +291,11 @@ optional_policy(` +@@ -269,9 +289,11 @@ optional_policy(` optional_policy(` cron_initrc_domtrans(devicekit_power_t) @@ -17674,7 +17889,7 @@ index ff933af..feb84e0 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -302,8 +326,11 @@ optional_policy(` +@@ -302,8 +324,11 @@ optional_policy(` ') optional_policy(` @@ -17687,7 +17902,7 @@ index ff933af..feb84e0 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -321,6 +348,7 @@ optional_policy(` +@@ -321,6 +346,7 @@ optional_policy(` ') optional_policy(` @@ -17695,7 +17910,7 @@ index ff933af..feb84e0 100644 policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) policykit_read_reload(devicekit_power_t) -@@ -341,3 +369,9 @@ optional_policy(` +@@ -341,3 +367,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -17787,7 +18002,7 @@ index c697edb..31d45bf 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index c93c3db..1125f7d 100644 +index c93c3db..f14723d 100644 --- a/dhcp.te +++ b/dhcp.te 
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -17808,7 +18023,15 @@ index c93c3db..1125f7d 100644 corenet_all_recvfrom_netlabel(dhcpd_t) corenet_tcp_sendrecv_generic_if(dhcpd_t) corenet_udp_sendrecv_generic_if(dhcpd_t) -@@ -102,8 +104,6 @@ auth_use_nsswitch(dhcpd_t) +@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t) + + domain_use_interactive_fds(dhcpd_t) + +-files_read_usr_files(dhcpd_t) + files_read_etc_runtime_files(dhcpd_t) + files_search_var_lib(dhcpd_t) + +@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t) logging_send_syslog_msg(dhcpd_t) @@ -17817,7 +18040,7 @@ index c93c3db..1125f7d 100644 sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -@@ -113,6 +113,19 @@ tunable_policy(`dhcpd_use_ldap',` +@@ -113,6 +112,19 @@ tunable_policy(`dhcpd_use_ldap',` sysnet_use_ldap(dhcpd_t) ') @@ -17883,6 +18106,17 @@ index fd4a602..43b800a 100644 userdom_dontaudit_use_unpriv_user_fds(dictd_t) optional_policy(` +diff --git a/dirmngr.te b/dirmngr.te +index b3b2188..5f91705 100644 +--- a/dirmngr.te ++++ b/dirmngr.te +@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) + + kernel_read_crypto_sysctls(dirmngr_t) + +-files_read_etc_files(dirmngr_t) + + miscfiles_read_localization(dirmngr_t) diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc new file mode 100644 index 0000000..fdf5675 @@ -18439,10 +18673,10 @@ index 0000000..b214253 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..7f0b4f6 +index 0000000..217b0ef --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,193 @@ +@@ -0,0 +1,190 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -18555,7 +18789,6 @@ index 0000000..7f0b4f6 +dev_read_sysfs(dirsrv_t) +dev_read_urand(dirsrv_t) + -+files_read_etc_files(dirsrv_t) +files_read_usr_symlinks(dirsrv_t) + +fs_getattr_all_fs(dirsrv_t) 
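Review bot: The new dirmngr.te section deletes `files_read_etc_files(dirmngr_t)` but leaves both surrounding blank lines as context, so the patched file has a doubled empty line between `kernel_read_crypto_sysctls(dirmngr_t)` and `miscfiles_read_localization(dirmngr_t)`; drop one of them as part of the inner removal. dirmngr_t is a network-facing CRL/OCSP fetcher, so its /etc read access is worth stating explicitly rather than leaving implicit: a line such as `# etc_t read is inherited from the base domain policy` next to the remaining rules would document the intent, assuming such a base grant is what this series relies on (it is not visible here, so please confirm). The same hunk's dirsrv.te file also drops `files_read_etc_files(dirsrv_t)` while keeping `files_read_usr_symlinks(dirsrv_t)`, which is consistent only if the base grant covers etc_t but not usr symlinks; a one-line note would settle that.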
@@ -18619,8 +18852,6 @@ index 0000000..7f0b4f6 +domain_use_interactive_fds(dirsrv_snmp_t) + +#files_manage_var_files(dirsrv_snmp_t) -+files_read_etc_files(dirsrv_snmp_t) -+files_read_usr_files(dirsrv_snmp_t) + +fs_getattr_tmpfs(dirsrv_snmp_t) +fs_search_tmpfs(dirsrv_snmp_t) @@ -19084,10 +19315,10 @@ index 0000000..a952041 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..25daf6c +index 0000000..7f715f8 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,58 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -19132,7 +19363,6 @@ index 0000000..25daf6c +domain_use_interactive_fds(dnssec_trigger_t) + +files_read_etc_runtime_files(dnssec_trigger_t) -+files_read_etc_files(dnssec_trigger_t) + +logging_send_syslog_msg(dnssec_trigger_t) + @@ -19438,7 +19668,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..6344853 100644 +index a7bfaf0..c482695 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -19688,7 +19918,7 @@ index a7bfaf0..6344853 100644 sendmail_domtrans(dovecot_t) ') -@@ -221,46 +213,58 @@ optional_policy(` +@@ -221,46 +213,57 @@ optional_policy(` ######################################## # 
@@ -19717,29 +19947,29 @@ index a7bfaf0..6344853 100644 +dovecot_stream_connect_auth(dovecot_auth_t) -allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; +- +-files_search_pids(dovecot_auth_t) +-files_read_usr_files(dovecot_auth_t) +-files_read_var_lib_files(dovecot_auth_t) +logging_send_audit_msgs(dovecot_auth_t) -+ -+auth_domtrans_chk_passwd(dovecot_auth_t) -+auth_use_nsswitch(dovecot_auth_t) -+ + + auth_domtrans_chk_passwd(dovecot_auth_t) + auth_use_nsswitch(dovecot_auth_t) + +-init_rw_utmp(dovecot_auth_t) +logging_send_syslog_msg(dovecot_auth_t) - files_search_pids(dovecot_auth_t) - files_read_usr_files(dovecot_auth_t) +-logging_send_audit_msgs(dovecot_auth_t) ++files_search_pids(dovecot_auth_t) +files_read_usr_symlinks(dovecot_auth_t) - files_read_var_lib_files(dovecot_auth_t) ++files_read_var_lib_files(dovecot_auth_t) +files_search_tmp(dovecot_auth_t) --auth_domtrans_chk_passwd(dovecot_auth_t) --auth_use_nsswitch(dovecot_auth_t) -+fs_getattr_xattr_fs(dovecot_auth_t) - - init_rw_utmp(dovecot_auth_t) - --logging_send_audit_msgs(dovecot_auth_t) -- -seutil_dontaudit_search_config(dovecot_auth_t) -- ++fs_getattr_xattr_fs(dovecot_auth_t) ++ ++init_rw_utmp(dovecot_auth_t) + sysnet_use_ldap(dovecot_auth_t) optional_policy(` @@ -19756,7 +19986,7 @@ index a7bfaf0..6344853 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -272,14 +276,21 @@ optional_policy(` +@@ -272,14 +275,21 @@ optional_policy(` optional_policy(` postfix_manage_private_sockets(dovecot_auth_t) 
@@ -19779,7 +20009,7 @@ index a7bfaf0..6344853 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,31 +300,34 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,31 +299,34 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; @@ -19831,7 +20061,7 @@ index a7bfaf0..6344853 100644 ') optional_policy(` -@@ -326,5 +340,6 @@ optional_policy(` +@@ -326,5 +339,6 @@ optional_policy(` ') optional_policy(` @@ -20363,6 +20593,42 @@ index a0da189..d8bc9d5 100644 userdom_dontaudit_use_unpriv_user_fds(entropyd_t) userdom_dontaudit_search_user_home_dirs(entropyd_t) +diff --git a/evolution.te b/evolution.te +index 94fb625..b94a09d 100644 +--- a/evolution.te ++++ b/evolution.te +@@ -168,7 +168,6 @@ dev_read_urand(evolution_t) + + domain_dontaudit_read_all_domains_state(evolution_t) + +-files_read_usr_files(evolution_t) + + fs_search_auto_mountpoints(evolution_t) + +@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio + + dev_read_urand(evolution_alarm_t) + +-files_read_usr_files(evolution_alarm_t) + + fs_search_auto_mountpoints(evolution_alarm_t) + +@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t) + + dev_read_urand(evolution_exchange_t) + +-files_read_usr_files(evolution_exchange_t) + + fs_search_auto_mountpoints(evolution_exchange_t) + +@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t) + + dev_read_urand(evolution_server_t) + +-files_read_usr_files(evolution_server_t) + + fs_search_auto_mountpoints(evolution_server_t) + diff --git a/exim.if b/exim.if index 6041113..ef3b449 100644 --- a/exim.if 
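Review bot: Each of the four evolution.te removals (`files_read_usr_files` for evolution_t, evolution_alarm_t, evolution_exchange_t and evolution_server_t) keeps the blank line before and after the deleted call, so every one of those domains gets a doubled empty line immediately before its `fs_search_auto_mountpoints(...)` rule; convert one context blank per inner hunk into a removed line. Beyond layout, these mail-handling domains process untrusted network data, so if the reads of usr_t are now granted at the base level (presumed from this series, not visible here) their effective permissions have not shrunk, and if they are not, all four lose access to /usr/share data; the commit message should say which. The evolution_server_t rule block continues outside the hunk.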
@@ -20921,6 +21187,18 @@ index 0872e50..e985043 100644 - userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) +diff --git a/fcoe.te b/fcoe.te +index 79b9273..dc7e983 100644 +--- a/fcoe.te ++++ b/fcoe.te +@@ -31,7 +31,6 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) + manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) + files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) + +-files_read_etc_files(fcoemon_t) + + dev_read_sysfs(fcoemon_t) + diff --git a/fetchmail.fc b/fetchmail.fc index 2486e2a..ea07c4f 100644 --- a/fetchmail.fc @@ -21227,23 +21505,22 @@ index e6866d1..941f4ef 100644 + dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; ') diff --git a/firewallgui.te b/firewallgui.te -index c5ceab1..0d9c1ce 100644 +index c5ceab1..86b8098 100644 --- a/firewallgui.te +++ b/firewallgui.te -@@ -36,8 +36,11 @@ corecmd_exec_shell(firewallgui_t) +@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t) dev_read_sysfs(firewallgui_t) dev_read_urand(firewallgui_t) --files_list_kernel_modules(firewallgui_t) +files_manage_system_conf_files(firewallgui_t) +files_etc_filetrans_system_conf(firewallgui_t) - files_read_usr_files(firewallgui_t) +files_search_kernel_modules(firewallgui_t) -+files_list_kernel_modules(firewallgui_t) + files_list_kernel_modules(firewallgui_t) +-files_read_usr_files(firewallgui_t) auth_use_nsswitch(firewallgui_t) -@@ -60,12 +63,13 @@ optional_policy(` +@@ -60,12 +62,13 @@ optional_policy(` ') optional_policy(` @@ -21398,7 +21675,7 @@ index 280f875..f3a67c9 100644 ## ## diff --git a/firstboot.te b/firstboot.te -index c12c067..0647c46 100644 +index c12c067..3b01d01 100644 --- a/firstboot.te +++ b/firstboot.te @@ -1,7 +1,7 @@ 
@@ -21430,7 +21707,7 @@ index c12c067..0647c46 100644 type firstboot_etc_t; files_config_file(firstboot_etc_t) -@@ -32,18 +27,36 @@ files_config_file(firstboot_etc_t) +@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t) allow firstboot_t self:capability { dac_override setgid }; allow firstboot_t self:process setfscreate; allow firstboot_t self:fifo_file rw_fifo_file_perms; 
@@ -21455,37 +21732,38 @@ index c12c067..0647c46 100644 dev_read_urand(firstboot_t) -+selinux_get_fs_mount(firstboot_t) -+selinux_validate_context(firstboot_t) -+selinux_compute_access_vector(firstboot_t) -+selinux_compute_create_context(firstboot_t) -+selinux_compute_relabel_context(firstboot_t) -+selinux_compute_user_contexts(firstboot_t) -+ -+auth_dontaudit_getattr_shadow(firstboot_t) -+ +-files_exec_etc_files(firstboot_t) +-files_manage_etc_files(firstboot_t) +-files_manage_etc_runtime_files(firstboot_t) +-files_read_usr_files(firstboot_t) +-files_manage_var_dirs(firstboot_t) +-files_manage_var_files(firstboot_t) +-files_manage_var_symlinks(firstboot_t) +-files_create_boot_flag(firstboot_t) +-files_delete_boot_flag(firstboot_t) +- + selinux_get_fs_mount(firstboot_t) + selinux_validate_context(firstboot_t) + selinux_compute_access_vector(firstboot_t) +@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t) + + auth_dontaudit_getattr_shadow(firstboot_t) + +corecmd_exec_all_executables(firstboot_t) + - files_exec_etc_files(firstboot_t) - files_manage_etc_files(firstboot_t) - files_manage_etc_runtime_files(firstboot_t) -@@ -54,15 +67,6 @@ files_manage_var_symlinks(firstboot_t) - files_create_boot_flag(firstboot_t) - files_delete_boot_flag(firstboot_t) - --selinux_get_fs_mount(firstboot_t) --selinux_validate_context(firstboot_t) --selinux_compute_access_vector(firstboot_t) --selinux_compute_create_context(firstboot_t) --selinux_compute_relabel_context(firstboot_t) --selinux_compute_user_contexts(firstboot_t) -- --auth_dontaudit_getattr_shadow(firstboot_t) -- ++files_exec_etc_files(firstboot_t) ++files_manage_etc_files(firstboot_t) ++files_manage_etc_runtime_files(firstboot_t) ++files_manage_var_dirs(firstboot_t) ++files_manage_var_files(firstboot_t) ++files_manage_var_symlinks(firstboot_t) ++files_create_boot_flag(firstboot_t) ++files_delete_boot_flag(firstboot_t) ++ init_domtrans_script(firstboot_t) init_rw_utmp(firstboot_t) -@@ -73,11 +77,11 @@ 
locallogin_use_fds(firstboot_t) +@@ -73,11 +76,11 @@ locallogin_use_fds(firstboot_t) logging_send_syslog_msg(firstboot_t) @@ -21500,7 +21778,7 @@ index c12c067..0647c46 100644 userdom_manage_user_home_content_dirs(firstboot_t) userdom_manage_user_home_content_files(firstboot_t) userdom_manage_user_home_content_symlinks(firstboot_t) -@@ -102,20 +106,18 @@ optional_policy(` +@@ -102,20 +105,18 @@ optional_policy(` ') optional_policy(` @@ -21671,7 +21949,7 @@ index d062080..e098a40 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..fd43185 100644 +index e50f33c..11dedd5 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -21746,7 +22024,7 @@ index e50f33c..fd43185 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -223,6 +228,10 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -223,10 +228,13 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -21757,7 +22035,11 @@ index e50f33c..fd43185 100644 domain_use_interactive_fds(ftpd_t) -@@ -245,7 +254,6 @@ logging_send_audit_msgs(ftpd_t) +-files_read_etc_files(ftpd_t) + files_read_etc_runtime_files(ftpd_t) + files_search_var_lib(ftpd_t) + +@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -21765,7 +22047,7 @@ index e50f33c..fd43185 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -255,31 +263,39 @@ sysnet_use_ldap(ftpd_t) +@@ -255,31 +262,39 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) 
@@ -21812,7 +22094,7 @@ index e50f33c..fd43185 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,9 +315,9 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,9 +314,9 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -21825,7 +22107,7 @@ index e50f33c..fd43185 100644 ') tunable_policy(`ftp_home_dir',` -@@ -360,7 +376,7 @@ optional_policy(` +@@ -360,7 +375,7 @@ optional_policy(` selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) @@ -21834,7 +22116,7 @@ index e50f33c..fd43185 100644 ') optional_policy(` -@@ -410,6 +426,7 @@ optional_policy(` +@@ -410,21 +425,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -21842,8 +22124,8 @@ index e50f33c..fd43185 100644 allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) -@@ -417,7 +434,7 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) - files_read_etc_files(ftpdctl_t) + +-files_read_etc_files(ftpdctl_t) files_search_pids(ftpdctl_t) -userdom_use_user_terminals(ftpdctl_t) @@ -21851,7 +22133,18 @@ index e50f33c..fd43185 100644 ######################################## # -@@ -441,6 +458,19 @@ files_read_etc_files(sftpd_t) + # Anon sftpd local policy + # + +-files_read_etc_files(anon_sftpd_t) + + miscfiles_read_public_files(anon_sftpd_t) + +@@ -437,10 +451,22 @@ tunable_policy(`sftpd_anon_write',` + # Sftpd local policy + # + +-files_read_etc_files(sftpd_t) userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) 
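Review bot: Removing `files_read_etc_files(anon_sftpd_t)` touches the one domain in ftp.te that serves unauthenticated users, and the hunk shows no replacement: if etc_t reads are now granted to every domain at the base level (presumed from this series, not visible here), anon_sftpd_t can no longer be carved out of that grant, and if they are not, anonymous sftp loses its configuration reads entirely. Either way the intent should be recorded next to the surviving `miscfiles_read_public_files(anon_sftpd_t)`, e.g. `# etc_t read is inherited from the base domain policy; anon_sftpd_t is intentionally not restricted further`. The switch from `userdom_use_user_terminals(ftpdctl_t)` to `userdom_use_inherited_user_terminals(ftpdctl_t)` is the right direction and is unaffected by this. The sftpd_t rule block continues past the end of the hunk.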
@@ -21871,7 +22164,7 @@ index e50f33c..fd43185 100644 tunable_policy(`sftpd_enable_homedirs',` allow sftpd_t self:capability { dac_override dac_read_search }; -@@ -475,21 +505,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -475,21 +501,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -21897,7 +22190,7 @@ index e50f33c..fd43185 100644 - fs_read_nfs_symlinks(ftpd_t) -') diff --git a/games.te b/games.te -index 572fb12..9c05eee 100644 +index 572fb12..879c59a 100644 --- a/games.te +++ b/games.te @@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t) @@ -21917,7 +22210,16 @@ index 572fb12..9c05eee 100644 corenet_all_recvfrom_netlabel(games_t) corenet_tcp_sendrecv_generic_if(games_t) corenet_tcp_sendrecv_generic_node(games_t) -@@ -151,7 +148,6 @@ init_dontaudit_rw_utmp(games_t) +@@ -142,8 +139,6 @@ dev_write_sound(games_t) + files_list_var(games_t) + files_search_var_lib(games_t) + files_dontaudit_search_var(games_t) +-files_read_etc_files(games_t) +-files_read_usr_files(games_t) + files_read_var_files(games_t) + + init_dontaudit_rw_utmp(games_t) +@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t) logging_dontaudit_search_logs(games_t) miscfiles_read_man_pages(games_t) @@ -21925,7 +22227,7 @@ index 572fb12..9c05eee 100644 sysnet_dns_name_resolve(games_t) -@@ -161,7 +157,7 @@ userdom_manage_user_tmp_symlinks(games_t) +@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t) userdom_manage_user_tmp_sockets(games_t) userdom_dontaudit_read_user_home_content_files(games_t) @@ -22011,7 +22313,7 @@ index 395238e..af76abb 100644 +userdom_use_inherited_user_terminals(giftd_t) +userdom_home_manager(gitd_t) diff --git a/git.if b/git.if -index 1e29af1..9f159d1 100644 +index 1e29af1..a1c464e 100644 --- a/git.if +++ b/git.if @@ -79,3 +79,21 @@ interface(`git_read_generic_sys_content_files',` 
@@ -22034,7 +22336,7 @@ index 1e29af1..9f159d1 100644 + gen_require(` + type git_user_content_t; + ') -+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git" ++ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te index 93b0301..8561970 100644 @@ -24703,7 +25005,7 @@ index d03fd43..2d6e6bb 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..3a0a272 100644 +index 20f726b..311d9cc 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ @@ -24747,7 +25049,7 @@ index 20f726b..3a0a272 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -29,107 +47,233 @@ type gconfd_exec_t; +@@ -29,107 +47,226 @@ type gconfd_exec_t; typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) @@ -24801,8 +25103,7 @@ index 20f726b..3a0a272 100644 +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - --domain_use_interactive_fds(gnomedomain) ++ +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) @@ -24811,8 +25112,8 @@ index 20f726b..3a0a272 100644 +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) + +dev_read_urand(gconfd_t) -+ -+files_read_etc_files(gconfd_t) + +-domain_use_interactive_fds(gnomedomain) -files_read_etc_files(gnomedomain) 
@@ -24857,8 +25158,6 @@ index 20f726b..3a0a272 100644 -manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) -+files_read_etc_files(gconfdefaultsm_t) -+files_read_usr_files(gconfdefaultsm_t) -userdom_manage_user_tmp_dirs(gconfd_t) -userdom_tmp_filetrans_user_tmp(gconfd_t, dir) @@ -24915,8 +25214,6 @@ index 20f726b..3a0a272 100644 +domain_signal_all_domains(gnomesystemmm_t) +domain_sigstop_all_domains(gnomesystemmm_t) + -+files_read_etc_files(gnomesystemmm_t) -+files_read_usr_files(gnomesystemmm_t) + +fs_getattr_xattr_fs(gnomesystemmm_t) + @@ -24993,8 +25290,7 @@ index 20f726b..3a0a272 100644 +dev_read_urand(gkeyringd_domain) dev_read_sysfs(gkeyringd_domain) -+files_read_etc_files(gkeyringd_domain) - files_read_usr_files(gkeyringd_domain) +-files_read_usr_files(gkeyringd_domain) +# for nscd? +files_search_pids(gkeyringd_domain) @@ -25101,10 +25397,10 @@ index 3f55702..25c7ab8 100644 ## ## diff --git a/gnomeclock.te b/gnomeclock.te -index 6d79eb5..d58acfc 100644 +index 6d79eb5..174b784 100644 --- a/gnomeclock.te +++ b/gnomeclock.te -@@ -1,86 +1,91 @@ +@@ -1,86 +1,90 @@ -policy_module(gnomeclock, 1.0.5) +policy_module(gnomeclock, 1.0.0) @@ -25159,8 +25455,8 @@ index 6d79eb5..d58acfc 100644 +dev_write_kmsg(gnomeclock_t) +dev_read_sysfs(gnomeclock_t) +-files_read_usr_files(gnomeclock_t) +files_read_etc_runtime_files(gnomeclock_t) - files_read_usr_files(gnomeclock_t) fs_getattr_xattr_fs(gnomeclock_t) @@ -25541,7 +25837,7 @@ index 180f1b7..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 44cf341..29063e5 100644 +index 44cf341..7c83c74 100644 --- a/gpg.te +++ b/gpg.te @@ -1,47 +1,47 @@ 
@@ -25613,7 +25909,7 @@ index 44cf341..29063e5 100644 type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -@@ -52,112 +52,112 @@ type gpg_helper_t; +@@ -52,112 +52,111 @@ type gpg_helper_t; type gpg_helper_exec_t; typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; @@ -25724,7 +26020,6 @@ index 44cf341..29063e5 100644 domain_use_interactive_fds(gpg_t) -+files_read_usr_files(gpg_t) +files_dontaudit_search_var(gpg_t) + auth_use_nsswitch(gpg_t) @@ -25777,7 +26072,7 @@ index 44cf341..29063e5 100644 ') optional_policy(` -@@ -165,37 +165,49 @@ optional_policy(` +@@ -165,37 +164,49 @@ optional_policy(` ') optional_policy(` @@ -25838,7 +26133,7 @@ index 44cf341..29063e5 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -207,29 +219,33 @@ tunable_policy(`use_samba_home_dirs',` +@@ -207,29 +218,33 @@ tunable_policy(`use_samba_home_dirs',` ######################################## # @@ -25879,7 +26174,7 @@ index 44cf341..29063e5 100644 corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,32 +255,27 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,32 +254,27 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) @@ -25921,7 +26216,7 @@ index 44cf341..29063e5 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -277,8 +288,17 @@ optional_policy(` +@@ -277,8 +287,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; 
@@ -25940,7 +26235,7 @@ index 44cf341..29063e5 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +307,91 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +306,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -25966,7 +26261,7 @@ index 44cf341..29063e5 100644 -domain_use_interactive_fds(gpg_pinentry_t) - - files_read_usr_files(gpg_pinentry_t) +-files_read_usr_files(gpg_pinentry_t) +# read /etc/X11/qtrc fs_dontaudit_list_inotifyfs(gpg_pinentry_t) @@ -26036,7 +26331,6 @@ index 44cf341..29063e5 100644 + +can_exec(gpg_web_t, gpg_exec_t) + -+files_read_usr_files(gpg_web_t) + + +apache_dontaudit_rw_tmp_files(gpg_web_t) @@ -26046,7 +26340,7 @@ index 44cf341..29063e5 100644 + miscfiles_manage_public_files(gpg_web_t) ') diff --git a/gpm.te b/gpm.te -index 3226f52..bc3f49e 100644 +index 3226f52..68b2eb8 100644 --- a/gpm.te +++ b/gpm.te @@ -13,7 +13,7 @@ type gpm_initrc_exec_t; @@ -26058,7 +26352,15 @@ index 3226f52..bc3f49e 100644 type gpm_tmp_t; files_tmp_file(gpm_tmp_t) -@@ -68,11 +68,9 @@ domain_use_interactive_fds(gpm_t) +@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t) + dev_rw_input_dev(gpm_t) + dev_rw_mouse(gpm_t) + +-files_read_etc_files(gpm_t) + + fs_getattr_all_fs(gpm_t) + fs_search_auto_mountpoints(gpm_t) +@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t) logging_send_syslog_msg(gpm_t) 
@@ -26112,6 +26414,63 @@ index d928711..93d2d83 100644 -#gen_user(guest_u, user, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) +diff --git a/hadoop.te b/hadoop.te +index e62bcb7..f44ad99 100644 +--- a/hadoop.te ++++ b/hadoop.te +@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t) + domain_use_interactive_fds(hadoop_t) + + files_dontaudit_search_spool(hadoop_t) +-files_read_usr_files(hadoop_t) + + fs_getattr_xattr_fs(hadoop_t) + +@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain) + corecmd_exec_bin(hadoop_initrc_domain) + corecmd_exec_shell(hadoop_initrc_domain) + +-files_read_etc_files(hadoop_initrc_domain) +-files_read_usr_files(hadoop_initrc_domain) + files_search_locks(hadoop_initrc_domain) + files_search_pids(hadoop_initrc_domain) + +@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t) + + domain_use_interactive_fds(zookeeper_t) + +-files_read_usr_files(zookeeper_t) + + auth_use_nsswitch(zookeeper_t) + +@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t) + dev_read_sysfs(zookeeper_server_t) + dev_read_urand(zookeeper_server_t) + +-files_read_usr_files(zookeeper_server_t) + + fs_getattr_xattr_fs(zookeeper_server_t) + +diff --git a/hal.te b/hal.te +index 0801fe1..85b6f3e 100644 +--- a/hal.te ++++ b/hal.te +@@ -61,7 +61,6 @@ files_type(hald_var_lib_t) + # Common local policy + # + +-files_read_usr_files(hald_domain) + + miscfiles_read_localization(hald_domain) + +@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) + + dev_rw_input_dev(hald_keymap_t) + +-files_read_etc_files(hald_keymap_t) + + logging_search_logs(hald_keymap_t) + diff --git a/hddtemp.if b/hddtemp.if index 1728071..77e71ea 100644 --- a/hddtemp.if @@ -26464,7 +26823,7 @@ index eb87f23..8e11e4b 100644 init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te -index 5aab5d0..e694d0f 100644 +index 5aab5d0..e2c9fe9 100644 --- a/inn.te +++ b/inn.te @@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t) 
@@ -26501,7 +26860,13 @@ index 5aab5d0..e694d0f 100644 corenet_all_recvfrom_netlabel(innd_t) corenet_tcp_sendrecv_generic_if(innd_t) corenet_tcp_sendrecv_generic_node(innd_t) -@@ -97,12 +99,11 @@ auth_use_nsswitch(innd_t) +@@ -91,18 +93,16 @@ fs_search_auto_mountpoints(innd_t) + + files_list_spool(innd_t) + files_read_etc_runtime_files(innd_t) +-files_read_usr_files(innd_t) + + auth_use_nsswitch(innd_t) logging_send_syslog_msg(innd_t) @@ -26515,6 +26880,18 @@ index 5aab5d0..e694d0f 100644 mta_send_mail(innd_t) +diff --git a/iodine.te b/iodine.te +index 94ec5f8..801417b 100644 +--- a/iodine.te ++++ b/iodine.te +@@ -43,7 +43,6 @@ corenet_udp_sendrecv_dns_port(iodined_t) + + corecmd_exec_shell(iodined_t) + +-files_read_etc_files(iodined_t) + + logging_send_syslog_msg(iodined_t) + diff --git a/irc.if b/irc.if index ac00fb0..06cb083 100644 --- a/irc.if @@ -26568,7 +26945,7 @@ index ac00fb0..06cb083 100644 + userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs") ') diff --git a/irc.te b/irc.te -index ecad9c7..8cbe5cf 100644 +index ecad9c7..f8d4f1d 100644 --- a/irc.te +++ b/irc.te @@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t) @@ -26628,7 +27005,15 @@ index ecad9c7..8cbe5cf 100644 corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t) corenet_tcp_sendrecv_generic_node(irc_t) -@@ -106,7 +124,6 @@ auth_use_nsswitch(irc_t) +@@ -93,7 +111,6 @@ dev_read_rand(irc_t) + + domain_use_interactive_fds(irc_t) + +-files_read_usr_files(irc_t) + + fs_getattr_all_fs(irc_t) + fs_search_auto_mountpoints(irc_t) +@@ -106,7 +123,6 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) @@ -26636,7 +27021,7 @@ index ecad9c7..8cbe5cf 100644 userdom_use_user_terminals(irc_t) -@@ -114,6 +131,9 @@ userdom_manage_user_home_content_dirs(irc_t) +@@ -114,6 +130,9 @@ userdom_manage_user_home_content_dirs(irc_t) userdom_manage_user_home_content_files(irc_t) userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) 
@@ -26646,7 +27031,7 @@ index ecad9c7..8cbe5cf 100644 tunable_policy(`irc_use_any_tcp_ports',` corenet_sendrecv_all_server_packets(irc_t) corenet_tcp_bind_all_unreserved_ports(irc_t) -@@ -122,18 +142,72 @@ tunable_policy(`irc_use_any_tcp_ports',` +@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',` corenet_tcp_sendrecv_all_ports(irc_t) ') @@ -26706,7 +27091,6 @@ index ecad9c7..8cbe5cf 100644 +# irssi-otr genkey. +dev_read_rand(irssi_t) + -+files_read_usr_files(irssi_t) + +fs_search_auto_mountpoints(irssi_t) + @@ -27089,7 +27473,7 @@ index 16b1666..01673a4 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index bb12c90..c1ce1b7 100644 +index bb12c90..5394703 100644 --- a/jabber.te +++ b/jabber.te @@ -1,4 +1,4 @@ @@ -27098,7 +27482,7 @@ index bb12c90..c1ce1b7 100644 ######################################## # -@@ -9,129 +9,138 @@ attribute jabberd_domain; +@@ -9,129 +9,136 @@ attribute jabberd_domain; jabber_domain_template(jabberd) jabber_domain_template(jabberd_router) @@ -27254,7 +27638,6 @@ index bb12c90..c1ce1b7 100644 +dev_read_urand(pyicqt_t); -sysnet_read_config(jabberd_t) -+files_read_usr_files(pyicqt_t) -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) @@ -27308,13 +27691,12 @@ index bb12c90..c1ce1b7 100644 -# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t) -# corenet_tcp_connect_jabber_router_port(jabberd_router_t) -# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t) -+files_read_etc_files(jabberd_domain) +files_read_etc_runtime_files(jabberd_domain) -auth_use_nsswitch(jabberd_router_t) +sysnet_read_config(jabberd_domain) diff --git a/java.te b/java.te -index b3fcfbb..b2c5451 100644 +index b3fcfbb..98cbfb4 100644 --- a/java.te +++ b/java.te @@ -11,7 +11,7 @@ policy_module(java, 2.6.3) 
@@ -27326,7 +27708,15 @@ index b3fcfbb..b2c5451 100644 attribute java_domain; -@@ -112,7 +112,7 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s +@@ -90,7 +90,6 @@ dev_read_urand(java_domain) + dev_read_rand(java_domain) + dev_dontaudit_append_rand(java_domain) + +-files_read_usr_files(java_domain) + files_read_etc_runtime_files(java_domain) + + fs_getattr_all_fs(java_domain) +@@ -112,7 +111,7 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s userdom_write_user_tmp_sockets(java_domain) @@ -27793,12 +28183,15 @@ index 2fb7a20..c6ba007 100644 + ') +') diff --git a/jockey.te b/jockey.te -index d59ec10..1b5410d 100644 +index d59ec10..dec1b3b 100644 --- a/jockey.te +++ b/jockey.te -@@ -47,13 +47,18 @@ domain_use_interactive_fds(jockey_t) - files_read_etc_files(jockey_t) - files_read_usr_files(jockey_t) +@@ -44,16 +44,19 @@ dev_read_urand(jockey_t) + + domain_use_interactive_fds(jockey_t) + +-files_read_etc_files(jockey_t) +-files_read_usr_files(jockey_t) -miscfiles_read_localization(jockey_t) +auth_read_passwd(jockey_t) @@ -28099,7 +28492,7 @@ index 3a00b3a..15d521b 100644 + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index 70f3007..6b6a6c4 100644 +index 70f3007..bacefd5 100644 --- a/kdump.te +++ b/kdump.te @@ -1,4 +1,4 @@ @@ -28108,7 +28501,7 @@ index 70f3007..6b6a6c4 100644 ####################################### # -@@ -15,30 +15,34 @@ files_config_file(kdump_etc_t) +@@ -15,30 +15,33 @@ files_config_file(kdump_etc_t) type kdump_initrc_exec_t; init_script_file(kdump_initrc_exec_t) @@ -28136,7 +28529,7 @@ index 70f3007..6b6a6c4 100644 -allow kdump_t kdump_etc_t:file read_file_perms; +read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) - files_read_etc_files(kdump_t) +-files_read_etc_files(kdump_t) files_read_etc_runtime_files(kdump_t) files_read_kernel_img(kdump_t) 
@@ -28147,7 +28540,7 @@ index 70f3007..6b6a6c4 100644 kernel_request_load_module(kdump_t) dev_read_framebuffer(kdump_t) -@@ -48,22 +52,27 @@ term_use_console(kdump_t) +@@ -48,22 +51,27 @@ term_use_console(kdump_t) ####################################### # @@ -28180,7 +28573,7 @@ index 70f3007..6b6a6c4 100644 kernel_read_system_state(kdumpctl_t) -@@ -71,6 +80,7 @@ corecmd_exec_bin(kdumpctl_t) +@@ -71,46 +79,56 @@ corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) dev_read_sysfs(kdumpctl_t) @@ -28188,8 +28581,11 @@ index 70f3007..6b6a6c4 100644 dev_manage_all_dev_nodes(kdumpctl_t) domain_use_interactive_fds(kdumpctl_t) -@@ -81,36 +91,47 @@ files_read_etc_runtime_files(kdumpctl_t) - files_read_usr_files(kdumpctl_t) + + files_create_kernel_img(kdumpctl_t) +-files_read_etc_files(kdumpctl_t) + files_read_etc_runtime_files(kdumpctl_t) +-files_read_usr_files(kdumpctl_t) files_read_kernel_modules(kdumpctl_t) files_getattr_all_dirs(kdumpctl_t) +files_delete_kernel(kdumpctl_t) @@ -28274,7 +28670,7 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..acb89ac 100644 +index e7f5c81..17dc1b4 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,4 +1,4 @@ @@ -28283,7 +28679,7 @@ index e7f5c81..acb89ac 100644 ######################################## # -@@ -7,61 +7,66 @@ policy_module(kdumpgui, 1.1.4) +@@ -7,61 +7,65 @@ policy_module(kdumpgui, 1.1.4) type kdumpgui_t; type kdumpgui_exec_t; @@ -28330,7 +28726,7 @@ index e7f5c81..acb89ac 100644 +# for blkid.tab files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) - files_read_usr_files(kdumpgui_t) +-files_read_usr_files(kdumpgui_t) +fs_read_dos_files(kdumpgui_t) fs_getattr_all_fs(kdumpgui_t) @@ -28359,7 +28755,7 @@ index e7f5c81..acb89ac 100644 optional_policy(` bootloader_exec(kdumpgui_t) -@@ -73,11 +78,11 @@ optional_policy(` +@@ -73,11 +77,11 @@ optional_policy(` ') optional_policy(` 
@@ -28375,7 +28771,7 @@ index e7f5c81..acb89ac 100644 ') optional_policy(` -@@ -87,4 +92,10 @@ optional_policy(` +@@ -87,4 +91,10 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -29110,7 +29506,7 @@ index f9de9fc..138e1e2 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 3465a9a..6127834 100644 +index 3465a9a..fe2c2da 100644 --- a/kerberos.te +++ b/kerberos.te @@ -1,4 +1,4 @@ @@ -29224,7 +29620,7 @@ index 3465a9a..6127834 100644 corenet_all_recvfrom_netlabel(kadmind_t) corenet_tcp_sendrecv_generic_if(kadmind_t) corenet_udp_sendrecv_generic_if(kadmind_t) -@@ -119,20 +128,28 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) +@@ -119,31 +128,39 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) corenet_udp_sendrecv_all_ports(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) @@ -29250,12 +29646,12 @@ index 3465a9a..6127834 100644 domain_use_interactive_fds(kadmind_t) - files_read_etc_files(kadmind_t) +-files_read_etc_files(kadmind_t) +-files_read_usr_files(kadmind_t) +files_read_usr_symlinks(kadmind_t) - files_read_usr_files(kadmind_t) files_read_var_files(kadmind_t) -@@ -140,10 +157,12 @@ selinux_validate_context(kadmind_t) + selinux_validate_context(kadmind_t) logging_send_syslog_msg(kadmind_t) @@ -29269,7 +29665,7 @@ index 3465a9a..6127834 100644 sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -@@ -154,6 +173,10 @@ optional_policy(` +@@ -154,6 +171,10 @@ optional_policy(` ') optional_policy(` @@ -29280,7 +29676,7 @@ index 3465a9a..6127834 100644 nis_use_ypbind(kadmind_t) ') -@@ -174,24 +197,27 @@ optional_policy(` +@@ -174,24 +195,27 @@ optional_policy(` # Krb5kdc local policy # 
@@ -29312,7 +29708,7 @@ index 3465a9a..6127834 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -203,38 +229,36 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) +@@ -203,42 +227,39 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) @@ -29359,7 +29755,11 @@ index 3465a9a..6127834 100644 domain_use_interactive_fds(krb5kdc_t) -@@ -247,10 +271,10 @@ selinux_validate_context(krb5kdc_t) +-files_read_etc_files(krb5kdc_t) + files_read_usr_symlinks(krb5kdc_t) + files_read_var_files(krb5kdc_t) + +@@ -247,10 +268,10 @@ selinux_validate_context(krb5kdc_t) logging_send_syslog_msg(krb5kdc_t) miscfiles_read_generic_certs(krb5kdc_t) @@ -29371,7 +29771,7 @@ index 3465a9a..6127834 100644 sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -@@ -261,11 +285,11 @@ optional_policy(` +@@ -261,11 +282,11 @@ optional_policy(` ') optional_policy(` @@ -29385,7 +29785,7 @@ index 3465a9a..6127834 100644 ') optional_policy(` -@@ -273,6 +297,10 @@ optional_policy(` +@@ -273,6 +294,10 @@ optional_policy(` ') optional_policy(` @@ -29396,7 +29796,7 @@ index 3465a9a..6127834 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +309,12 @@ optional_policy(` +@@ -281,10 +306,12 @@ optional_policy(` # kpropd local policy # @@ -29412,7 +29812,7 @@ index 3465a9a..6127834 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,14 +333,11 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,26 +330,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) 
@@ -29428,7 +29828,10 @@ index 3465a9a..6127834 100644 dev_read_urand(kpropd_t) -@@ -321,8 +348,6 @@ selinux_validate_context(kpropd_t) +-files_read_etc_files(kpropd_t) + files_search_tmp(kpropd_t) + + selinux_validate_context(kpropd_t) logging_send_syslog_msg(kpropd_t) @@ -29990,10 +30393,18 @@ index 5297064..6ba8108 100644 domain_system_change_exemption($1) role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te -index 9725f1a..0ed9942 100644 +index 9725f1a..34aa63b 100644 --- a/kudzu.te +++ b/kudzu.te -@@ -101,11 +101,10 @@ libs_read_lib_files(kudzu_t) +@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t) + domain_use_interactive_fds(kudzu_t) + + files_read_kernel_modules(kudzu_t) +-files_read_usr_files(kudzu_t) + files_search_locks(kudzu_t) + files_manage_etc_files(kudzu_t) + files_manage_etc_runtime_files(kudzu_t) +@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t) logging_send_syslog_msg(kudzu_t) miscfiles_read_hwdata(kudzu_t) @@ -30006,7 +30417,7 @@ index 9725f1a..0ed9942 100644 userdom_dontaudit_use_unpriv_user_fds(kudzu_t) userdom_search_user_home_dirs(kudzu_t) -@@ -122,10 +121,6 @@ optional_policy(` +@@ -122,10 +120,6 @@ optional_policy(` ') optional_policy(` @@ -30764,30 +31175,21 @@ index 98b5405..b1d3cdf 100644 - sysnet_dns_name_resolve(lircd_t) diff --git a/livecd.if b/livecd.if -index e354181..da499d4 100644 +index e354181..c6b2383 100644 --- a/livecd.if 
+++ b/livecd.if -@@ -38,11 +38,39 @@ interface(`livecd_domtrans',` +@@ -38,11 +38,32 @@ interface(`livecd_domtrans',` # interface(`livecd_run',` gen_require(` -- attribute_role livecd_roles; + type livecd_t; + type livecd_exec_t; -+ #attribute_role livecd_roles; + attribute_role livecd_roles; ') livecd_domtrans($1) -- roleattribute $2 livecd_roles; -+ #roleattribute $2 livecd_roles; -+ role $2 types livecd_t; + roleattribute $2 livecd_roles; + role_transition $2 livecd_exec_t system_r; -+ -+ seutil_run_setfiles_mac(livecd_t, system_r) -+ -+ optional_policy(` -+ mount_run(livecd_t, $2) -+ ') +') + +######################################## @@ -30810,28 +31212,10 @@ index e354181..da499d4 100644 ######################################## diff --git a/livecd.te b/livecd.te -index 33f64b5..09b5105 100644 +index 33f64b5..06b1661 100644 --- a/livecd.te +++ b/livecd.te -@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.1) - # Declarations - # - --attribute_role livecd_roles; --roleattribute system_r livecd_roles; -+#attribute_role livecd_roles; -+#roleattribute system_r livecd_roles; - - type livecd_t; - type livecd_exec_t; - application_domain(livecd_t, livecd_exec_t) --role livecd_roles types livecd_t; -+role system_r types livecd_t; -+#role livecd_roles types livecd_t; - - type livecd_tmp_t; - files_tmp_file(livecd_tmp_t) -@@ -21,7 +22,7 @@ files_tmp_file(livecd_tmp_t) +@@ -21,7 +21,7 @@ files_tmp_file(livecd_tmp_t) # Local policy # 
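Review bot: `type livecd_t;` in the gen_require of `livecd_run` is no longer referenced once `role $2 types livecd_t;` and the `seutil_run_setfiles_mac(livecd_t, system_r)` call are removed from the interface body; only `livecd_exec_t` (in the `role_transition`) and `livecd_roles` are still used, so the require block should shrink to `type livecd_exec_t;` and `attribute_role livecd_roles;`. The restored `roleattribute $2 livecd_roles;` here, together with the matching reverts in lpd.if (`roleattribute $1 lpr_roles;`) and mozilla.if (`roleattribute $1 mozilla_roles;`), reintroduces a dependency on role-attribute support in the policy toolchain, which presumably is what the commented-out workaround was avoiding; the commit description should state why that is now safe.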
@@ -30840,20 +31224,22 @@ index 33f64b5..09b5105 100644 domain_ptrace_all_domains(livecd_t) -@@ -36,13 +37,5 @@ optional_policy(` +@@ -35,12 +35,13 @@ sysnet_etc_filetrans_config(livecd_t) + optional_policy(` hal_dbus_chat(livecd_t) ') ++ optional_policy(` - mount_run(livecd_t, livecd_roles) --') -- --optional_policy(` -- rpm_domtrans(livecd_t) --') -- --optional_policy(` - unconfined_domain_noaudit(livecd_t) ++ mount_run(livecd_t, livecd_roles) ') + + optional_policy(` +- rpm_domtrans(livecd_t) ++ seutil_run_setfiles_mac(livecd_t, livecd_roles) + ') + + optional_policy(` diff --git a/lldpad.if b/lldpad.if index d18c960..fb5b674 100644 --- a/lldpad.if @@ -30917,10 +31303,16 @@ index 648def0..0b6281d 100644 optional_policy(` fcoe_dgram_send_fcoemon(lldpad_t) diff --git a/loadkeys.te b/loadkeys.te -index 6cbb977..fa49534 100644 +index 6cbb977..bd5406a 100644 --- a/loadkeys.te +++ b/loadkeys.te -@@ -31,14 +31,14 @@ files_read_etc_runtime_files(loadkeys_t) +@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) + corecmd_exec_bin(loadkeys_t) + corecmd_exec_shell(loadkeys_t) + +-files_read_etc_files(loadkeys_t) + files_read_etc_runtime_files(loadkeys_t) + term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t) @@ -31021,7 +31413,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..8a2583b 100644 +index 7bab8e5..3a2c50c 100644 --- a/logrotate.te +++ b/logrotate.te @@ -1,20 +1,18 @@ @@ -31083,7 +31475,7 @@ index 7bab8e5..8a2583b 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,29 +52,47 @@ allow logrotate_t self:msg { send receive }; +@@ -48,79 +52,91 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) 
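Review bot: `seutil_run_setfiles_mac(livecd_t, livecd_roles)` is wrapped in an `optional_policy` block, but selinuxutil is part of the base policy in refpolicy, so the wrapper is unnecessary and misleadingly suggests the call may be absent; `mount_run(livecd_t, livecd_roles)` in the neighbouring block is correctly optional. If selinuxutil is still a base module in this tree, move the `seutil_run_setfiles_mac` call out of `optional_policy` next to the other unconditional rules of livecd_t. The enclosing livecd.te policy section starts before this hunk.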
@@ -31134,8 +31526,8 @@ index 7bab8e5..8a2583b 100644 +# Read /proc/PID directories for all domains. domain_read_all_domains_state(logrotate_t) - files_read_usr_files(logrotate_t) -@@ -78,49 +100,44 @@ files_read_etc_runtime_files(logrotate_t) +-files_read_usr_files(logrotate_t) + files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) files_search_all(logrotate_t) files_read_var_lib_files(logrotate_t) @@ -31203,7 +31595,7 @@ index 7bab8e5..8a2583b 100644 ') optional_policy(` -@@ -140,11 +157,11 @@ optional_policy(` +@@ -140,11 +156,11 @@ optional_policy(` ') optional_policy(` @@ -31217,7 +31609,7 @@ index 7bab8e5..8a2583b 100644 ') optional_policy(` -@@ -178,7 +195,7 @@ optional_policy(` +@@ -178,7 +194,7 @@ optional_policy(` ') optional_policy(` @@ -31226,7 +31618,7 @@ index 7bab8e5..8a2583b 100644 ') optional_policy(` -@@ -198,17 +215,14 @@ optional_policy(` +@@ -198,17 +214,14 @@ optional_policy(` ') optional_policy(` @@ -31247,7 +31639,7 @@ index 7bab8e5..8a2583b 100644 ') optional_policy(` -@@ -228,10 +242,16 @@ optional_policy(` +@@ -228,10 +241,16 @@ optional_policy(` ') optional_policy(` @@ -31264,7 +31656,7 @@ index 7bab8e5..8a2583b 100644 su_exec(logrotate_t) ') -@@ -241,13 +261,11 @@ optional_policy(` +@@ -241,13 +260,11 @@ optional_policy(` ####################################### # @@ -31284,7 +31676,7 @@ index 7bab8e5..8a2583b 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..ba62d5b 100644 +index 4256a4c..1bbe9d9 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6) 
@@ -31297,12 +31689,12 @@ index 4256a4c..ba62d5b 100644 type logwatch_cache_t; files_type(logwatch_cache_t) -@@ -67,10 +68,12 @@ files_list_var(logwatch_t) +@@ -67,10 +68,11 @@ files_list_var(logwatch_t) files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) files_read_etc_runtime_files(logwatch_t) +-files_read_usr_files(logwatch_t) +files_read_system_conf_files(logwatch_t) - files_read_usr_files(logwatch_t) fs_getattr_all_dirs(logwatch_t) fs_getattr_all_fs(logwatch_t) @@ -31310,7 +31702,7 @@ index 4256a4c..ba62d5b 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -92,17 +95,22 @@ libs_read_lib_files(logwatch_t) +@@ -92,17 +94,22 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -31335,7 +31727,7 @@ index 4256a4c..ba62d5b 100644 tunable_policy(`use_nfs_home_dirs',` fs_list_nfs(logwatch_t) ') -@@ -164,6 +172,8 @@ dev_read_sysfs(logwatch_mail_t) +@@ -164,6 +171,8 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -31357,10 +31749,10 @@ index 2fb9b2e..08974e3 100644 /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) diff --git a/lpd.if b/lpd.if -index 6256371..628b63c 100644 +index 6256371..7826e38 100644 --- a/lpd.if +++ b/lpd.if -@@ -1,44 +1,37 @@ +@@ -1,44 +1,49 @@ -## Line printer daemon. +## Line printer daemon @@ -31385,7 +31777,7 @@ index 6256371..628b63c 100644 # interface(`lpd_role',` gen_require(` -- attribute_role lpr_roles; + attribute_role lpr_roles; - type lpr_t, lpr_exec_t; + type lpr_t, lpr_exec_t, print_spool_t; ') 
@@ -31394,14 +31786,21 @@ index 6256371..628b63c 100644 - # - # Declarations - # -- -- roleattribute $1 lpr_roles; -- ++ ######################################## ++ # ++ # Declarations ++ # + + roleattribute $1 lpr_roles; + - ######################################## - # - # Policy - # -+ role $1 types lpr_t; ++ ######################################## ++ # ++ # Policy ++ # + # Transition from the user domain to the derived domain. domtrans_pattern($2, lpr_exec_t, lpr_t) @@ -31409,16 +31808,16 @@ index 6256371..628b63c 100644 - allow $2 lpr_t:process { ptrace signal_perms }; ps_process_pattern($2, lpr_t) -- -- dontaudit lpr_t $2:unix_stream_socket { read write }; + allow $2 lpr_t:process signal_perms; + +- dontaudit lpr_t $2:unix_stream_socket { read write }; + tunable_policy(`deny_ptrace',`',` + allow $2 lpr_t:process ptrace; + ') optional_policy(` cups_read_config($2) -@@ -60,15 +53,13 @@ interface(`lpd_domtrans_checkpc',` +@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',` type checkpc_t, checkpc_exec_t; ') @@ -31436,7 +31835,7 @@ index 6256371..628b63c 100644 ## ## ## -@@ -84,16 +75,16 @@ interface(`lpd_domtrans_checkpc',` +@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',` # interface(`lpd_run_checkpc',` gen_require(` @@ -31456,7 +31855,7 @@ index 6256371..628b63c 100644 ## ## ## -@@ -112,7 +103,7 @@ interface(`lpd_list_spool',` +@@ -112,7 +115,7 @@ interface(`lpd_list_spool',` ######################################## ## @@ -31465,7 +31864,7 @@ index 6256371..628b63c 100644 ## ## ## -@@ -131,8 +122,7 @@ interface(`lpd_read_spool',` +@@ -131,8 +134,7 @@ interface(`lpd_read_spool',` ######################################## ## @@ -31475,7 +31874,7 @@ index 6256371..628b63c 100644 ## ## ## -@@ -153,7 +143,7 @@ interface(`lpd_manage_spool',` +@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',` ######################################## ## 
@@ -31484,7 +31883,7 @@ index 6256371..628b63c 100644 ## ## ## -@@ -172,7 +162,7 @@ interface(`lpd_relabel_spool',` +@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',` ######################################## ## @@ -31493,7 +31892,7 @@ index 6256371..628b63c 100644 ## ## ## -@@ -200,12 +190,11 @@ interface(`lpd_read_config',` +@@ -200,12 +202,11 @@ interface(`lpd_read_config',` ## ## # @@ -31507,18 +31906,7 @@ index 6256371..628b63c 100644 domtrans_pattern($1, lpr_exec_t, lpr_t) ') -@@ -228,16 +217,17 @@ template(`lpd_domtrans_lpr',` - # - interface(`lpd_run_lpr',` - gen_require(` -- attribute_role lpr_roles; -+ type lpr_t; - ') - - lpd_domtrans_lpr($1) -- roleattribute $2 lpr_roles; -+ role $2 types lpr_t; - ') +@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',` ######################################## ## @@ -31528,7 +31916,7 @@ index 6256371..628b63c 100644 ## ## ## -@@ -250,6 +240,5 @@ interface(`lpd_exec_lpr',` +@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',` type lpr_exec_t; ') @@ -31536,7 +31924,7 @@ index 6256371..628b63c 100644 can_exec($1, lpr_exec_t) ') diff --git a/lpd.te b/lpd.te -index b9270f7..0fd2f4c 100644 +index b9270f7..15f3748 100644 --- a/lpd.te +++ b/lpd.te @@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -31612,7 +32000,15 @@ index b9270f7..0fd2f4c 100644 corenet_all_recvfrom_netlabel(lpr_t) corenet_tcp_sendrecv_generic_if(lpr_t) corenet_tcp_sendrecv_generic_node(lpr_t) -@@ -249,23 +242,27 @@ term_use_generic_ptys(lpr_t) +@@ -239,7 +232,6 @@ dev_read_urand(lpr_t) + domain_use_interactive_fds(lpr_t) + + files_search_spool(lpr_t) +-files_read_usr_files(lpr_t) + files_list_home(lpr_t) + + fs_getattr_all_fs(lpr_t) +@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t) auth_use_nsswitch(lpr_t) 
@@ -31647,7 +32043,7 @@ index b9270f7..0fd2f4c 100644 manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) -@@ -279,17 +276,7 @@ tunable_policy(`use_lpd_server',` +@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',` allow lpr_t printconf_t:lnk_file read_lnk_file_perms; ') @@ -31666,7 +32062,7 @@ index b9270f7..0fd2f4c 100644 optional_policy(` cups_read_config(lpr_t) -@@ -298,5 +285,13 @@ optional_policy(` +@@ -298,5 +284,13 @@ optional_policy(` ') optional_policy(` @@ -32154,7 +32550,7 @@ index 0293f34..bd1d48e 100644 + files_list_pids($1) ') diff --git a/mailscanner.te b/mailscanner.te -index 725ba32..38269ae 100644 +index 725ba32..f0ceff1 100644 --- a/mailscanner.te +++ b/mailscanner.te @@ -34,6 +34,7 @@ allow mscan_t self:process signal; @@ -32165,7 +32561,15 @@ index 725ba32..38269ae 100644 manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) files_pid_filetrans(mscan_t, mscan_var_run_t, file) -@@ -81,10 +82,9 @@ auth_use_nsswitch(mscan_t) +@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t) + + dev_read_urand(mscan_t) + +-files_read_usr_files(mscan_t) + + fs_getattr_xattr_fs(mscan_t) + +@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t) logging_send_syslog_msg(mscan_t) @@ -32177,7 +32581,7 @@ index 725ba32..38269ae 100644 ') optional_policy(` -@@ -97,5 +97,6 @@ optional_policy(` +@@ -97,5 +96,6 @@ optional_policy(` ') optional_policy(` @@ -32824,10 +33228,10 @@ index 0000000..e76a9b5 +') diff --git a/mcollective.te b/mcollective.te new file mode 100644 -index 0000000..5dd171f +index 0000000..a04dd6b --- /dev/null +++ b/mcollective.te -@@ -0,0 +1,30 @@ +@@ -0,0 +1,29 @@ +policy_module(mcollective, 1.0.0) + +######################################## @@ -32857,7 +33261,6 @@ index 0000000..5dd171f + +domain_use_interactive_fds(mcollective_t) + -+files_read_etc_files(mcollective_t) diff --git a/mediawiki.if b/mediawiki.if index 9771b4b..1c1d012 100644 --- a/mediawiki.if 
@@ -33270,10 +33673,10 @@ index cba62db..bdf319a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 92508b2..64c2969 100644 +index 92508b2..38c718c 100644 --- a/milter.te +++ b/milter.te -@@ -1,77 +1,98 @@ +@@ -1,77 +1,96 @@ -policy_module(milter, 1.4.2) +policy_module(milter, 1.4.0) @@ -33379,10 +33782,9 @@ index 92508b2..64c2969 100644 +corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) +corenet_tcp_bind_rtsclient_port(greylist_milter_t) +-files_read_usr_files(greylist_milter_t) +# perl getgroups() reads a bunch of files in /etc -+files_read_etc_files(greylist_milter_t) +# Allow the milter to read a GeoIP database in /usr/share - files_read_usr_files(greylist_milter_t) +# The milter runs from /var/lib/milter-greylist and maintains files there files_search_var_lib(greylist_milter_t) @@ -33399,7 +33801,7 @@ index 92508b2..64c2969 100644 optional_policy(` mysql_stream_connect(greylist_milter_t) -@@ -79,30 +100,48 @@ optional_policy(` +@@ -79,30 +98,48 @@ optional_policy(` ######################################## # @@ -33777,10 +34179,10 @@ index 0000000..7f6f2d6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..ecfd7be +index 0000000..d27f8f3 --- /dev/null +++ b/mock.te -@@ -0,0 +1,247 @@ +@@ -0,0 +1,245 @@ +policy_module(mock,1.0.0) + +## @@ -33882,7 +34284,6 @@ index 0000000..ecfd7be +domain_use_interactive_fds(mock_t) + +files_read_etc_runtime_files(mock_t) -+files_read_usr_files(mock_t) +files_dontaudit_list_boot(mock_t) + +fs_getattr_all_fs(mock_t) @@ -34010,7 +34411,6 @@ index 0000000..ecfd7be +domain_dontaudit_read_all_domains_state(mock_build_t) +domain_use_interactive_fds(mock_build_t) + -+files_read_usr_files(mock_build_t) +files_dontaudit_list_boot(mock_build_t) + +fs_getattr_all_fs(mock_build_t) @@ -34029,10 +34429,14 @@ index 0000000..ecfd7be + userdom_read_user_home_content_files(mock_build_t) +') 
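Review bot: The comment `# Allow the milter to read a GeoIP database in /usr/share` on the new side of the milter.te hunk no longer has a rule beneath it, because `files_read_usr_files(greylist_milter_t)` is removed while the comment is kept, and `# perl getgroups() reads a bunch of files in /etc` is likewise left standing after `files_read_etc_files(greylist_milter_t)` is dropped. Either delete both comments or move them next to whatever now grants that access, otherwise the next reader will look for a rule that is not there.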
diff --git a/modemmanager.te b/modemmanager.te -index cb4c13d..14e8f87 100644 +index cb4c13d..d744144 100644 --- a/modemmanager.te +++ b/modemmanager.te -@@ -31,8 +31,9 @@ files_read_etc_files(modemmanager_t) +@@ -27,12 +27,12 @@ kernel_read_system_state(modemmanager_t) + dev_read_sysfs(modemmanager_t) + dev_rw_modem(modemmanager_t) + +-files_read_etc_files(modemmanager_t) term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) @@ -34253,10 +34657,10 @@ index 6ffaba2..0fa08be 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..cccec7e 100644 +index 6194b80..110cdc6 100644 --- a/mozilla.if +++ b/mozilla.if -@@ -1,146 +1,76 @@ +@@ -1,146 +1,75 @@ -## Policy for Mozilla and related web browsers. +## Policy for Mozilla and related web browsers @@ -34283,19 +34687,16 @@ index 6194b80..cccec7e 100644 type mozilla_t, mozilla_exec_t, mozilla_home_t; - type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; - type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; -- attribute_role mozilla_roles; -+ #attribute_role mozilla_roles; + attribute_role mozilla_roles; ') - ######################################## - # - # Declarations - # -+ #roleattribute $1 mozilla_roles; -+ role $1 types mozilla_t; - -- roleattribute $1 mozilla_roles; - + roleattribute $1 mozilla_roles; + - ######################################## - # - # Policy @@ -34439,7 +34840,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -153,15 +83,15 @@ interface(`mozilla_read_user_home_files',` +@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',` type mozilla_home_t; ') @@ -34457,7 +34858,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -174,14 +104,13 @@ interface(`mozilla_write_user_home_files',` +@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',` type mozilla_home_t; ') 
@@ -34474,7 +34875,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -194,14 +123,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',` +@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',` type mozilla_home_t; ') @@ -34491,7 +34892,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -216,12 +143,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',` +@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',` dontaudit $1 mozilla_home_t:dir manage_dir_perms; dontaudit $1 mozilla_home_t:file manage_file_perms; @@ -34505,7 +34906,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -230,33 +156,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',` +@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',` ## # interface(`mozilla_exec_user_home_files',` @@ -34542,7 +34943,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -265,27 +174,11 @@ interface(`mozilla_exec_user_plugin_home_files',` +@@ -265,27 +173,11 @@ interface(`mozilla_exec_user_plugin_home_files',` ## # interface(`mozilla_execmod_user_home_files',` @@ -34572,7 +34973,7 @@ index 6194b80..cccec7e 100644 ') ######################################## -@@ -303,102 +196,102 @@ interface(`mozilla_domtrans',` +@@ -303,102 +195,98 @@ interface(`mozilla_domtrans',` type mozilla_t, mozilla_exec_t; ') 
@@ -34654,21 +35055,19 @@ index 6194b80..cccec7e 100644 gen_require(` - attribute_role mozilla_plugin_roles; + type mozilla_plugin_t; ++ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles; ') mozilla_domtrans_plugin($1) -- roleattribute $2 mozilla_plugin_roles; -+ role $2 types mozilla_plugin_t; -+ role $2 types mozilla_plugin_config_t; + roleattribute $2 mozilla_plugin_roles; ++ roleattribute $2 mozilla_plugin_config_roles; ') -######################################## -+####################################### - ## +-## -## Execute a domain transition to -## run mozilla plugin config. -+## Execute qemu unconfined programs in the role. - ## +-## -## -## -## Domain allowed to transition. @@ -34685,12 +35084,14 @@ index 6194b80..cccec7e 100644 -') - -######################################## --## ++####################################### + ## -## Execute mozilla plugin config in -## the mozilla plugin config domain, -## and allow the specified role the -## mozilla plugin config domain. --## ++## Execute qemu unconfined programs in the role. + ## -## -## -## Domain allowed to transition. @@ -34712,22 +35113,17 @@ index 6194b80..cccec7e 100644 - ') +interface(`mozilla_role_plugin',` + gen_require(` -+ type mozilla_plugin_t; -+ type mozilla_plugin_config_t; ++ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles; + ') - mozilla_domtrans_plugin_config($1) - roleattribute $2 mozilla_plugin_config_roles; -+ role $1 types mozilla_plugin_t; -+ role $1 types mozilla_plugin_config_t; -+ -+ optional_policy(` -+ lpd_run_lpr(mozilla_plugin_t, $1) -+ ') ++ roleattribute $1 mozilla_plugin_roles; ++ roleattribute $1 mozilla_plugin_config_roles; ') ######################################## -@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +312,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## 
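Review bot: The new side of the mozilla.if hunk documents `mozilla_role_plugin` with `## Execute qemu unconfined programs in the role.`, which describes nothing this interface does and looks copied from another module; replace it with something like `## Allow the specified role the mozilla plugin and plugin config domains.`. In `mozilla_run_plugin` the `gen_require` block still lists `type mozilla_plugin_t;` although the body now consists only of `mozilla_domtrans_plugin($1)` and the two `roleattribute` statements, so that require appears to be a leftover from the `role $2 types` version and can be dropped.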
@@ -34737,7 +35133,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -433,76 +325,90 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +320,90 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -34857,7 +35253,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -510,19 +416,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +411,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -34882,7 +35278,7 @@ index 6194b80..cccec7e 100644 ## ## ## -@@ -530,45 +435,45 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +430,45 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -34953,7 +35349,7 @@ index 6194b80..cccec7e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..8247246 100644 +index 6a306ee..a85da32 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -34962,7 +35358,7 @@ index 6a306ee..8247246 100644 ######################################## # -@@ -6,23 +6,38 @@ policy_module(mozilla, 2.7.4) +@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4) # ## @@ -34976,10 +35372,7 @@ index 6a306ee..8247246 100644 ## -gen_tunable(mozilla_execstack, false) +gen_tunable(mozilla_plugin_can_network_connect, false) - --attribute_role mozilla_roles; --attribute_role mozilla_plugin_roles; --attribute_role mozilla_plugin_config_roles; ++ +## +##

+## Allow confined web browsers to read home directory content @@ -34993,24 +35386,29 @@ index 6a306ee..8247246 100644 +##

+##
+gen_tunable(mozilla_plugin_enable_homedirs, false) -+ -+#attribute_role mozilla_roles; + attribute_role mozilla_roles; + attribute_role mozilla_plugin_roles; + attribute_role mozilla_plugin_config_roles; + ++roleattribute system_r mozilla_roles; ++roleattribute system_r mozilla_plugin_roles; ++roleattribute system_r mozilla_plugin_config_roles; ++ type mozilla_t; type mozilla_exec_t; typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; - typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; +@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) --role mozilla_roles types mozilla_t; -+#role mozilla_roles types mozilla_t; -+role system_r types mozilla_t; -+ + role mozilla_roles types mozilla_t; + +type mozilla_conf_t; +files_config_file(mozilla_conf_t) - ++ type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; -@@ -31,29 +46,26 @@ userdom_user_home_content(mozilla_home_t) + typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; +@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; @@ -35020,8 +35418,7 @@ index 6a306ee..8247246 100644 -type mozilla_plugin_home_t; -userdom_user_home_content(mozilla_plugin_home_t) +application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) -+#role mozilla_roles types mozilla_plugin_t; -+role system_r types mozilla_plugin_t; ++role mozilla_roles types mozilla_plugin_t; type mozilla_plugin_tmp_t; +userdom_user_tmp_content(mozilla_plugin_tmp_t) 
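Review bot: The three `roleattribute system_r …` lines on the new side of the mozilla.te declarations hunk make the system role a member of the browser, plugin and plugin-config role attributes without a comment saying why. The old side reached the same effect with `role system_r types mozilla_t;`, so this is a carry-over rather than a new grant, but the reason (presumably some system_r caller needs to transition into these domains) should be stated above the lines, e.g. `# system_r needs the mozilla domains for <caller>` with the actual caller filled in. Without it a later cleanup is likely either to remove the lines as an over-grant or to keep them without knowing what they cover.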
@@ -35043,12 +35440,11 @@ index 6a306ee..8247246 100644 -userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -role mozilla_plugin_config_roles types mozilla_plugin_config_t; +application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -+#role mozilla_roles types mozilla_plugin_config_t; -+role system_r types mozilla_plugin_config_t; ++role mozilla_roles types mozilla_plugin_config_t; type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) -@@ -63,10 +75,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys +@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) @@ -35059,7 +35455,7 @@ index 6a306ee..8247246 100644 ######################################## # # Local policy -@@ -75,23 +83,26 @@ optional_policy(` +@@ -75,23 +86,26 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; @@ -35098,7 +35494,7 @@ index 6a306ee..8247246 100644 manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -@@ -103,76 +114,70 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) 
@@ -35188,7 +35584,7 @@ index 6a306ee..8247246 100644 domain_dontaudit_read_all_domains_state(mozilla_t) files_read_etc_runtime_files(mozilla_t) - files_read_usr_files(mozilla_t) +-files_read_usr_files(mozilla_t) -files_read_var_files(mozilla_t) +# /var/lib files_read_var_lib_files(mozilla_t) @@ -35206,7 +35602,7 @@ index 6a306ee..8247246 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +186,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -35317,7 +35713,7 @@ index 6a306ee..8247246 100644 ') optional_policy(` -@@ -244,19 +266,12 @@ optional_policy(` +@@ -244,19 +268,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -35339,7 +35735,7 @@ index 6a306ee..8247246 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +280,32 @@ optional_policy(` +@@ -265,33 +282,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) @@ -35387,7 +35783,7 @@ index 6a306ee..8247246 100644 ') optional_policy(` -@@ -300,63 +314,53 @@ optional_policy(` +@@ -300,63 +316,53 @@ optional_policy(` ######################################## # 
@@ -35469,18 +35865,18 @@ index 6a306ee..8247246 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) kernel_read_all_sysctls(mozilla_plugin_t) kernel_read_system_state(mozilla_plugin_t) -@@ -366,155 +370,110 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t) +@@ -366,155 +372,109 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -35595,7 +35991,7 @@ index 6a306ee..8247246 100644 -files_exec_usr_files(mozilla_plugin_t) -files_list_mnt(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) - files_read_usr_files(mozilla_plugin_t) +-files_read_usr_files(mozilla_plugin_t) +files_list_mnt(mozilla_plugin_t) +files_exec_usr_files(mozilla_plugin_t) +fs_rw_inherited_tmpfs_files(mozilla_plugin_t) @@ -35694,7 +36090,7 @@ index 6a306ee..8247246 100644 ') optional_policy(` -@@ -523,36 +482,43 @@ optional_policy(` +@@ -523,36 +483,43 @@ optional_policy(` ') optional_policy(` 
@@ -35729,21 +36125,21 @@ index 6a306ee..8247246 100644 - java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java") ') -+#optional_policy(` -+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles) -+#') -+ optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) -+ mplayer_exec(mozilla_plugin_t) -+ mplayer_manage_generic_home_content(mozilla_plugin_t) -+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ++ lpd_run_lpr(mozilla_plugin_t, mozilla_roles) ') optional_policy(` - mplayer_exec(mozilla_plugin_t) - mplayer_manage_generic_home_content(mozilla_plugin_t) - mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ++ mplayer_exec(mozilla_plugin_t) ++ mplayer_manage_generic_home_content(mozilla_plugin_t) ++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ++') ++ ++optional_policy(` + pulseaudio_exec(mozilla_plugin_t) + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) @@ -35752,7 +36148,7 @@ index 6a306ee..8247246 100644 ') optional_policy(` -@@ -560,7 +526,7 @@ optional_policy(` +@@ -560,7 +527,7 @@ optional_policy(` ') optional_policy(` @@ -35761,7 +36157,7 @@ index 6a306ee..8247246 100644 ') optional_policy(` -@@ -568,108 +534,100 @@ optional_policy(` +@@ -568,108 +535,99 @@ optional_policy(` ') optional_policy(` 
@@ -35792,19 +36188,18 @@ index 6a306ee..8247246 100644 -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -+allow mozilla_plugin_config_t self:fifo_file rw_file_perms; -+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix") -+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) ++allow mozilla_plugin_config_t self:fifo_file rw_file_perms; ++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia") 
@@ -35814,23 +36209,24 @@ index 6a306ee..8247246 100644 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") ++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) + +-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +dev_search_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) --filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +fs_search_auto_mountpoints(mozilla_plugin_config_t) +fs_list_inotifyfs(mozilla_plugin_config_t) --can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) -- -kernel_read_system_state(mozilla_plugin_config_t) -kernel_request_load_module(mozilla_plugin_config_t) +manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) 
@@ -35851,7 +36247,7 @@ index 6a306ee..8247246 100644 domain_use_interactive_fds(mozilla_plugin_config_t) -files_list_tmp(mozilla_plugin_config_t) - files_read_usr_files(mozilla_plugin_config_t) +-files_read_usr_files(mozilla_plugin_config_t) files_dontaudit_search_home(mozilla_plugin_config_t) +files_list_tmp(mozilla_plugin_config_t) @@ -35942,7 +36338,7 @@ index 5fa77c7..a0e8661 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..bf055f0 100644 +index 7c8afcc..670e1bf 100644 --- a/mpd.te +++ b/mpd.te @@ -74,6 +74,9 @@ allow mpd_t self:unix_stream_socket { accept connectto listen }; @@ -35963,7 +36359,15 @@ index 7c8afcc..bf055f0 100644 corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -150,7 +152,9 @@ auth_use_nsswitch(mpd_t) +@@ -139,7 +141,6 @@ dev_read_sound(mpd_t) + dev_write_sound(mpd_t) + dev_read_sysfs(mpd_t) + +-files_read_usr_files(mpd_t) + + fs_getattr_all_fs(mpd_t) + fs_list_inotifyfs(mpd_t) +@@ -150,7 +151,9 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) @@ -35974,7 +36378,7 @@ index 7c8afcc..bf055f0 100644 tunable_policy(`mpd_enable_homedirs',` userdom_search_user_home_dirs(mpd_t) -@@ -199,6 +203,16 @@ optional_policy(` +@@ -199,6 +202,16 @@ optional_policy(` ') optional_policy(` @@ -35992,7 +36396,7 @@ index 7c8afcc..bf055f0 100644 ') diff --git a/mplayer.te b/mplayer.te -index 9aca704..e8e71cb 100644 +index 9aca704..5db9491 100644 --- a/mplayer.te +++ b/mplayer.te @@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4) 
@@ -36004,7 +36408,15 @@ index 9aca704..e8e71cb 100644 attribute_role mencoder_roles; attribute_role mplayer_roles; -@@ -95,15 +95,15 @@ ifndef(`enable_mls',` +@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t) + dev_rwx_zero(mencoder_t) + dev_read_video_dev(mencoder_t) + +-files_read_usr_files(mencoder_t) + + fs_search_auto_mountpoints(mencoder_t) + +@@ -95,15 +94,15 @@ ifndef(`enable_mls',` fs_read_iso9660_files(mencoder_t) ') @@ -36024,7 +36436,15 @@ index 9aca704..e8e71cb 100644 allow mencoder_t self:process { execmem execstack }; ') -@@ -211,15 +211,15 @@ ifndef(`enable_mls',` +@@ -173,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t) + files_read_non_security_files(mplayer_t) + files_list_home(mplayer_t) + files_read_etc_runtime_files(mplayer_t) +-files_read_usr_files(mplayer_t) + + fs_getattr_all_fs(mplayer_t) + fs_search_auto_mountpoints(mplayer_t) +@@ -211,15 +209,15 @@ ifndef(`enable_mls',` fs_read_iso9660_files(mplayer_t) ') @@ -36044,7 +36464,7 @@ index 9aca704..e8e71cb 100644 allow mplayer_t self:process { execmem execstack }; ') -@@ -235,7 +235,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -235,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_symlinks(mplayer_t) ') @@ -36054,7 +36474,7 @@ index 9aca704..e8e71cb 100644 ') diff --git a/mrtg.te b/mrtg.te -index c97c177..273b714 100644 +index c97c177..9e68dfb 100644 --- a/mrtg.te +++ b/mrtg.te @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) @@ -36065,7 +36485,12 @@ index c97c177..273b714 100644 corenet_all_recvfrom_netlabel(mrtg_t) corenet_tcp_sendrecv_generic_if(mrtg_t) corenet_tcp_sendrecv_generic_node(mrtg_t) -@@ -87,6 +86,8 @@ files_search_var(mrtg_t) +@@ -82,11 +81,12 @@ domain_dontaudit_search_all_domains_state(mrtg_t) + + files_getattr_tmp_dirs(mrtg_t) + files_read_etc_runtime_files(mrtg_t) +-files_read_usr_files(mrtg_t) + files_search_var(mrtg_t) files_search_locks(mrtg_t) files_search_var_lib(mrtg_t) files_search_spool(mrtg_t) 
@@ -36074,7 +36499,7 @@ index c97c177..273b714 100644 fs_search_auto_mountpoints(mrtg_t) fs_getattr_all_fs(mrtg_t) -@@ -105,13 +106,12 @@ libs_read_lib_files(mrtg_t) +@@ -105,13 +105,12 @@ libs_read_lib_files(mrtg_t) logging_send_syslog_msg(mrtg_t) @@ -37258,7 +37683,7 @@ index ed81cac..0005ac0 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..ed44eaf 100644 +index afd2fad..b2abfca 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -37288,7 +37713,7 @@ index afd2fad..ed44eaf 100644 type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -43,178 +43,79 @@ role system_r types system_mail_t; +@@ -43,178 +43,78 @@ role system_r types system_mail_t; mta_base_mail_template(user) typealias user_mail_t alias { staff_mail_t sysadm_mail_t }; typealias user_mail_t alias { auditadm_mail_t secadm_mail_t }; @@ -37446,7 +37871,6 @@ index afd2fad..ed44eaf 100644 +dev_read_urand(system_mail_t) -fs_rw_anon_inodefs_files(system_mail_t) -+files_read_usr_files(system_mail_t) -selinux_getattr_fs(system_mail_t) +fs_rw_anon_inodefs_files(system_mail_t) @@ -37504,7 +37928,7 @@ index afd2fad..ed44eaf 100644 ') optional_policy(` -@@ -223,18 +124,18 @@ optional_policy(` +@@ -223,18 +123,18 @@ optional_policy(` ') optional_policy(` @@ -37526,7 +37950,7 @@ index afd2fad..ed44eaf 100644 courier_manage_spool_dirs(system_mail_t) courier_manage_spool_files(system_mail_t) courier_rw_spool_pipes(system_mail_t) -@@ -245,13 +146,8 @@ optional_policy(` +@@ -245,13 +145,8 @@ optional_policy(` ') optional_policy(` @@ -37541,7 +37965,7 @@ index afd2fad..ed44eaf 100644 fail2ban_rw_inherited_tmp_files(system_mail_t) ') -@@ -264,10 +160,15 @@ optional_policy(` +@@ -264,10 +159,15 @@ optional_policy(` ') optional_policy(` 
@@ -37557,7 +37981,7 @@ index afd2fad..ed44eaf 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -278,6 +179,15 @@ optional_policy(` +@@ -278,6 +178,15 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) @@ -37573,7 +37997,7 @@ index afd2fad..ed44eaf 100644 ') optional_policy(` -@@ -293,42 +203,36 @@ optional_policy(` +@@ -293,42 +202,36 @@ optional_policy(` ') optional_policy(` @@ -37626,7 +38050,7 @@ index afd2fad..ed44eaf 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -37675,7 +38099,7 @@ index afd2fad..ed44eaf 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -387,24 +277,168 @@ optional_policy(` +@@ -387,24 +276,166 @@ optional_policy(` ######################################## # @@ -37762,7 +38186,6 @@ index afd2fad..ed44eaf 100644 + +dev_read_urand(user_mail_domain) + -+files_read_usr_files(user_mail_domain) + +# Write to /var/spool/mail and /var/spool/mqueue. +manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t) @@ -37785,7 +38208,6 @@ index afd2fad..ed44eaf 100644 + +corecmd_exec_bin(user_mail_domain) + -+files_read_etc_files(user_mail_domain) +files_search_spool(user_mail_domain) +# It wants to check for nscd +files_dontaudit_search_pids(user_mail_domain) 
@@ -38143,7 +38565,7 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..be752a6 100644 +index 97370e4..27726ee 100644 --- a/munin.te +++ b/munin.te @@ -45,7 +45,7 @@ munin_plugin_template(unconfined) @@ -38233,17 +38655,15 @@ index 97370e4..be752a6 100644 ') optional_policy(` -@@ -252,11 +245,17 @@ dev_read_sysfs(disk_munin_plugin_t) - dev_read_urand(disk_munin_plugin_t) +@@ -253,10 +246,15 @@ dev_read_urand(disk_munin_plugin_t) files_read_etc_runtime_files(disk_munin_plugin_t) -+files_read_usr_files(disk_munin_plugin_t) -+ + +dev_getattr_lvm_control(disk_munin_plugin_t) +dev_read_sysfs(disk_munin_plugin_t) +dev_read_urand(disk_munin_plugin_t) +dev_read_all_blk_files(munin_disk_plugin_t) - ++ fs_getattr_all_fs(disk_munin_plugin_t) fs_getattr_all_dirs(disk_munin_plugin_t) @@ -38252,7 +38672,7 @@ index 97370e4..be752a6 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -275,27 +274,36 @@ optional_policy(` +@@ -275,27 +273,36 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -38293,7 +38713,7 @@ index 97370e4..be752a6 100644 ') optional_policy(` -@@ -353,7 +361,11 @@ optional_policy(` +@@ -353,7 +360,11 @@ optional_policy(` ') optional_policy(` @@ -38306,7 +38726,7 @@ index 97370e4..be752a6 100644 ') optional_policy(` -@@ -413,3 +425,4 @@ optional_policy(` +@@ -413,3 +424,4 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -38902,7 +39322,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..8855ea2 100644 +index 9f6179e..e5300cc 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ 
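Review bot: `dev_read_all_blk_files(munin_disk_plugin_t)` on the new side of the munin.te hunk names a type that every neighbouring line spells `disk_munin_plugin_t`; unless `munin_disk_plugin_t` is declared somewhere outside this diff the policy will not build, and if it is declared it is a different domain from the one this block configures, so the line most likely should read `dev_read_all_blk_files(disk_munin_plugin_t)`. The same hunk re-adds `dev_read_sysfs(disk_munin_plugin_t)` and `dev_read_urand(disk_munin_plugin_t)` even though both already appear in the hunk's leading context, so those two additions are redundant. Read access to every block device node is a broad grant for a disk-usage plugin; a comment naming the device nodes it actually needs would help a later review.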
@@ -38988,7 +39408,7 @@ index 9f6179e..8855ea2 100644 logging_log_filetrans(mysqld_t, mysqld_log_t, file) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -93,50 +90,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -93,50 +90,55 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -39037,7 +39457,7 @@ index 9f6179e..8855ea2 100644 + +files_getattr_var_lib_dirs(mysqld_t) files_read_etc_runtime_files(mysqld_t) - files_read_usr_files(mysqld_t) +-files_read_usr_files(mysqld_t) +files_search_var_lib(mysqld_t) auth_use_nsswitch(mysqld_t) @@ -39061,7 +39481,7 @@ index 9f6179e..8855ea2 100644 ') optional_policy(` -@@ -153,29 +156,22 @@ optional_policy(` +@@ -153,29 +155,22 @@ optional_policy(` ####################################### # @@ -39096,16 +39516,16 @@ index 9f6179e..8855ea2 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +183,22 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +182,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) -files_read_etc_files(mysqld_safe_t) -+files_dontaudit_search_all_mountpoints(mysqld_safe_t) - files_read_usr_files(mysqld_safe_t) +-files_read_usr_files(mysqld_safe_t) -files_search_pids(mysqld_safe_t) - files_dontaudit_getattr_all_dirs(mysqld_safe_t) --files_dontaudit_search_all_mountpoints(mysqld_safe_t) +-files_dontaudit_getattr_all_dirs(mysqld_safe_t) + files_dontaudit_search_all_mountpoints(mysqld_safe_t) ++files_dontaudit_getattr_all_dirs(mysqld_safe_t) +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) 
@@ -39124,7 +39544,7 @@ index 9f6179e..8855ea2 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +206,7 @@ optional_policy(` +@@ -205,7 +204,7 @@ optional_policy(` ######################################## # @@ -39133,7 +39553,7 @@ index 9f6179e..8855ea2 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +215,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +213,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -39151,7 +39571,7 @@ index 9f6179e..8855ea2 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +228,23 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +226,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -39179,7 +39599,7 @@ index 9f6179e..8855ea2 100644 dev_read_urand(mysqlmanagerd_t) -files_read_etc_files(mysqlmanagerd_t) - files_read_usr_files(mysqlmanagerd_t) +-files_read_usr_files(mysqlmanagerd_t) -files_search_pids(mysqlmanagerd_t) -files_search_var_lib(mysqlmanagerd_t) @@ -39575,7 +39995,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..fd0b6d3 100644 +index 44ad3b7..61a6f39 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -39587,7 +40007,7 @@ index 44ad3b7..fd0b6d3 100644 type nagios_var_lib_t; files_type(nagios_var_lib_t) -@@ -63,19 +63,21 @@ files_pid_file(nrpe_var_run_t) +@@ -63,19 +63,20 @@ files_pid_file(nrpe_var_run_t) allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; 
@@ -39604,7 +40024,7 @@ index 44ad3b7..fd0b6d3 100644 dev_read_urand(nagios_plugin_domain) dev_read_rand(nagios_plugin_domain) - files_read_usr_files(nagios_plugin_domain) +-files_read_usr_files(nagios_plugin_domain) -miscfiles_read_localization(nagios_plugin_domain) - @@ -39614,7 +40034,7 @@ index 44ad3b7..fd0b6d3 100644 ######################################## # -@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t) +@@ -123,7 +124,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) @@ -39622,7 +40042,7 @@ index 44ad3b7..fd0b6d3 100644 corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) -@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t) +@@ -143,7 +143,6 @@ domain_read_all_domains_state(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -39630,7 +40050,7 @@ index 44ad3b7..fd0b6d3 100644 files_search_spool(nagios_t) fs_getattr_all_fs(nagios_t) -@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t) +@@ -153,8 +152,6 @@ auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) @@ -39639,7 +40059,7 @@ index 44ad3b7..fd0b6d3 100644 userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) -@@ -178,6 +176,7 @@ optional_policy(` +@@ -178,6 +175,7 @@ optional_policy(` # # CGI local policy # @@ -39647,7 +40067,7 @@ index 44ad3b7..fd0b6d3 100644 optional_policy(` apache_content_template(nagios) typealias httpd_nagios_script_t alias nagios_cgi_t; -@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin +@@ -231,7 +229,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin kernel_read_kernel_sysctls(nrpe_t) kernel_read_software_raid_state(nrpe_t) 
@@ -39655,7 +40075,7 @@ index 44ad3b7..fd0b6d3 100644 corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) -@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t) +@@ -253,7 +250,6 @@ domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) files_read_etc_runtime_files(nrpe_t) @@ -39663,7 +40083,7 @@ index 44ad3b7..fd0b6d3 100644 fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) -@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t) +@@ -262,8 +258,6 @@ auth_use_nsswitch(nrpe_t) logging_send_syslog_msg(nrpe_t) @@ -39672,7 +40092,7 @@ index 44ad3b7..fd0b6d3 100644 userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -310,15 +304,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; @@ -39691,7 +40111,7 @@ index 44ad3b7..fd0b6d3 100644 logging_send_syslog_msg(nagios_mail_plugin_t) sysnet_dns_name_resolve(nagios_mail_plugin_t) -@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; +@@ -345,6 +339,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; kernel_read_software_raid_state(nagios_checkdisk_plugin_t) @@ -39699,7 +40119,7 @@ index 44ad3b7..fd0b6d3 100644 files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) -@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -357,9 +352,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # 
@@ -39713,7 +40133,7 @@ index 44ad3b7..fd0b6d3 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -411,6 +408,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -39721,7 +40141,7 @@ index 44ad3b7..fd0b6d3 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,10 +418,10 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -39734,7 +40154,7 @@ index 44ad3b7..fd0b6d3 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -450,3 +449,26 @@ init_domtrans_script(nagios_eventhandler_plugin_t) +@@ -450,3 +448,26 @@ init_domtrans_script(nagios_eventhandler_plugin_t) optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -39826,10 +40246,10 @@ index 0000000..8d7c751 +') diff --git a/namespace.te b/namespace.te new file mode 100644 -index 0000000..ef7b846 +index 0000000..f6ffaa3 --- /dev/null +++ b/namespace.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,40 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -39861,11 +40281,8 @@ index 0000000..ef7b846 + +files_polyinstantiate_all(namespace_init_t) + -+mcs_file_write_all(namespace_init_t) -+ +auth_use_nsswitch(namespace_init_t) + -+ +term_use_console(namespace_init_t) + +userdom_manage_user_home_content_dirs(namespace_init_t) @@ -39874,57 +40291,26 @@ index 0000000..ef7b846 +userdom_relabelto_user_home_files(namespace_init_t) +userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file }) 
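Review bot: The namespace.te hunk drops `mcs_file_write_all(namespace_init_t)` while keeping `files_polyinstantiate_all(namespace_init_t)`, `userdom_manage_user_home_content_dirs(namespace_init_t)` and `userdom_relabelto_user_home_files(namespace_init_t)`, so this domain still creates and relabels per-user directories that can carry any MCS category. Presumably the override is no longer needed because the MCS constraints now exempt domains that are not mcs_constrained_type (not visible in this hunk); if namespace_init_t is ever made MCS-constrained, polyinstantiation at login would likely start failing with write denials. A one-line comment next to the polyinstantiate rule would keep that dependency from being lost: `# no mcs_file_write_all: relies on namespace_init_t not being mcs_constrained_type`. A login test with a user assigned a non-default MCS range is the cheapest way to confirm the removal is harmless.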
diff --git a/ncftool.if b/ncftool.if -index db9578f..96e5824 100644 +index db9578f..4309e3d 100644 --- a/ncftool.if +++ b/ncftool.if -@@ -38,9 +38,19 @@ interface(`ncftool_domtrans',` +@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',` # interface(`ncftool_run',` gen_require(` -- attribute_role ncftool_roles; -- ') + type ncftool_t; -+ #attribute_role ncftool_roles; -+ ') -+ -+ #ncftool_domtrans($1) -+ #roleattribute $2 ncftool_roles; + attribute_role ncftool_roles; + ') ncftool_domtrans($1) -- roleattribute $2 ncftool_roles; -+ role $2 types ncftool_t; -+ -+ optional_policy(` -+ brctl_run(ncftool_t, $2) -+ ') -+ + roleattribute $2 ncftool_roles; ') + diff --git a/ncftool.te b/ncftool.te -index b13c0b1..1161ce1 100644 +index b13c0b1..c8baed2 100644 --- a/ncftool.te +++ b/ncftool.te -@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.2) - # Declarations - # - --attribute_role ncftool_roles; --roleattribute system_r ncftool_roles; -+#attribute_role ncftool_roles; -+#roleattribute system_r ncftool_roles; - - type ncftool_t; - type ncftool_exec_t; - application_domain(ncftool_t, ncftool_exec_t) - domain_obj_id_change_exemption(ncftool_t) - domain_system_change_exemption(ncftool_t) --role ncftool_roles types ncftool_t; -+#role ncftool_roles types ncftool_t; -+role system_r types ncftool_t; - - ######################################## - # -@@ -22,6 +23,7 @@ role ncftool_roles types ncftool_t; +@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t; allow ncftool_t self:capability net_admin; allow ncftool_t self:process signal; @@ -39932,7 +40318,7 @@ index b13c0b1..1161ce1 100644 allow ncftool_t self:fifo_file manage_fifo_file_perms; allow ncftool_t self:unix_stream_socket create_stream_socket_perms; allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; -@@ -41,27 +43,32 @@ domain_read_all_domains_state(ncftool_t) +@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t) dev_read_sysfs(ncftool_t) 
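Review bot: In the ncftool.if hunk the new `ncftool_run` adds `type ncftool_t;` to its gen_require but never references ncftool_t, since the body goes back to `roleattribute $2 ncftool_roles;` and the `brctl_run(ncftool_t, $2)` block is gone; the require is dead and should be dropped so the interface only declares `attribute_role ncftool_roles;`. Restoring the role attribute is the right direction, as it also brings back the role-aware `sysnet_run_dhcpc(ncftool_t, ncftool_roles)` and `modutils_run_insmod(ncftool_t, ncftool_roles)` forms in ncftool.te, which carry the caller's role across those transitions. This reading assumes the outer hunk header for these ncftool.if lines was lost in the page's collapsed layout; the ncftool.te changes continue in the next hunks.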
@@ -39940,18 +40326,14 @@ index b13c0b1..1161ce1 100644 +files_manage_system_conf_files(ncftool_t) +files_relabelto_system_conf_files(ncftool_t) files_read_etc_runtime_files(ncftool_t) - files_read_usr_files(ncftool_t) +-files_read_usr_files(ncftool_t) -miscfiles_read_localization(ncftool_t) +term_use_all_inherited_terms(ncftool_t) sysnet_delete_dhcpc_pid(ncftool_t) --sysnet_run_dhcpc(ncftool_t, ncftool_roles) --sysnet_run_ifconfig(ncftool_t, ncftool_roles) -+sysnet_domtrans_dhcpc(ncftool_t) -+sysnet_domtrans_ifconfig(ncftool_t) -+#sysnet_run_dhcpc(ncftool_t, ncftool_roles) -+#sysnet_run_ifconfig(ncftool_t, ncftool_roles) + sysnet_run_dhcpc(ncftool_t, ncftool_roles) +@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles) sysnet_etc_filetrans_config(ncftool_t) sysnet_manage_config(ncftool_t) sysnet_read_dhcpc_state(ncftool_t) @@ -39960,19 +40342,7 @@ index b13c0b1..1161ce1 100644 sysnet_read_dhcpc_pid(ncftool_t) sysnet_signal_dhcpc(ncftool_t) - userdom_use_user_terminals(ncftool_t) - userdom_read_user_tmp_files(ncftool_t) - --optional_policy(` -- brctl_run(ncftool_t, ncftool_roles) --') -+#optional_policy(` -+# brctl_run(ncftool_t, ncftool_roles) -+#') - - optional_policy(` - consoletype_exec(ncftool_t) -@@ -73,13 +80,18 @@ optional_policy(` +@@ -73,11 +76,14 @@ optional_policy(` optional_policy(` iptables_initrc_domtrans(ncftool_t) @@ -39982,17 +40352,11 @@ index b13c0b1..1161ce1 100644 optional_policy(` + modutils_list_module_config(ncftool_t) modutils_read_module_config(ncftool_t) -- modutils_run_insmod(ncftool_t, ncftool_roles) -+ modutils_domtrans_insmod(ncftool_t) -+ #modutils_run_insmod(ncftool_t, ncftool_roles) + modutils_run_insmod(ncftool_t, ncftool_roles) + ') optional_policy(` -- netutils_run(ncftool_t, ncftool_roles) -+ netutils_domtrans(ncftool_t) -+ #netutils_run(ncftool_t, ncftool_roles) - ') diff --git a/nessus.te b/nessus.te index 56c0fbd..173a2c0 100644 --- a/nessus.te 
@@ -40429,7 +40793,7 @@ index 0e8508c..96dbf6f 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..c0e8f13 100644 +index 0b48a30..fca40a6 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -40583,7 +40947,7 @@ index 0b48a30..c0e8f13 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +141,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +141,16 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -40595,13 +40959,12 @@ index 0b48a30..c0e8f13 100644 + +files_read_etc_runtime_files(NetworkManager_t) +files_read_system_conf_files(NetworkManager_t) -+files_read_usr_files(NetworkManager_t) +files_read_usr_src_files(NetworkManager_t) + storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +160,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +159,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -40614,7 +40977,7 @@ index 0b48a30..c0e8f13 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +179,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +178,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -40651,7 +41014,7 @@ index 0b48a30..c0e8f13 100644 ') optional_policy(` -@@ -196,10 +220,6 @@ optional_policy(` +@@ -196,10 +219,6 @@ optional_policy(` ') optional_policy(` @@ -40662,7 +41025,7 @@ index 0b48a30..c0e8f13 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +230,11 @@ optional_policy(` +@@ -210,16 +229,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) 
@@ -40681,7 +41044,7 @@ index 0b48a30..c0e8f13 100644 ') ') -@@ -231,18 +246,19 @@ optional_policy(` +@@ -231,18 +245,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -40704,7 +41067,7 @@ index 0b48a30..c0e8f13 100644 ') optional_policy(` -@@ -257,11 +273,7 @@ optional_policy(` +@@ -257,11 +272,7 @@ optional_policy(` ') optional_policy(` @@ -40717,7 +41080,7 @@ index 0b48a30..c0e8f13 100644 ') optional_policy(` -@@ -274,10 +286,17 @@ optional_policy(` +@@ -274,10 +285,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -40735,7 +41098,7 @@ index 0b48a30..c0e8f13 100644 ') optional_policy(` -@@ -289,6 +308,7 @@ optional_policy(` +@@ -289,6 +307,7 @@ optional_policy(` ') optional_policy(` @@ -40743,7 +41106,7 @@ index 0b48a30..c0e8f13 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +316,7 @@ optional_policy(` +@@ -296,7 +315,7 @@ optional_policy(` ') optional_policy(` @@ -40752,7 +41115,7 @@ index 0b48a30..c0e8f13 100644 ') optional_policy(` -@@ -307,6 +327,7 @@ optional_policy(` +@@ -307,6 +326,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -40760,7 +41123,7 @@ index 0b48a30..c0e8f13 100644 ') optional_policy(` -@@ -320,13 +341,14 @@ optional_policy(` +@@ -320,13 +340,14 @@ optional_policy(` ') optional_policy(` @@ -40779,7 +41142,7 @@ index 0b48a30..c0e8f13 100644 ') optional_policy(` -@@ -356,6 +378,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +377,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -41091,7 +41454,7 @@ index 46e55c3..1112fae 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') 
diff --git a/nis.te b/nis.te -index 3e4a31c..f1dd1fa 100644 +index 3e4a31c..0d16edc 100644 --- a/nis.te +++ b/nis.te @@ -1,12 +1,10 @@ @@ -41187,8 +41550,11 @@ index 3e4a31c..f1dd1fa 100644 dev_read_sysfs(ypbind_t) -@@ -112,9 +113,9 @@ domain_use_interactive_fds(ypbind_t) - files_read_etc_files(ypbind_t) +@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t) + + domain_use_interactive_fds(ypbind_t) + +-files_read_etc_files(ypbind_t) files_list_var(ypbind_t) -logging_send_syslog_msg(ypbind_t) @@ -41199,7 +41565,7 @@ index 3e4a31c..f1dd1fa 100644 sysnet_read_config(ypbind_t) -@@ -124,7 +125,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t) +@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t) optional_policy(` dbus_system_bus_client(ypbind_t) dbus_connect_system_bus(ypbind_t) @@ -41207,7 +41573,7 @@ index 3e4a31c..f1dd1fa 100644 init_dbus_chat_script(ypbind_t) optional_policy(` -@@ -149,7 +149,8 @@ allow yppasswdd_t self:capability dac_override; +@@ -149,7 +148,8 @@ allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { getsched setfscreate signal_perms }; @@ -41217,7 +41583,7 @@ index 3e4a31c..f1dd1fa 100644 allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; allow yppasswdd_t self:tcp_socket create_stream_socket_perms; allow yppasswdd_t self:udp_socket create_socket_perms; -@@ -160,14 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) +@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) 
@@ -41233,7 +41599,7 @@ index 3e4a31c..f1dd1fa 100644 corenet_all_recvfrom_netlabel(yppasswdd_t) corenet_tcp_sendrecv_generic_if(yppasswdd_t) corenet_udp_sendrecv_generic_if(yppasswdd_t) -@@ -177,22 +177,11 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) +@@ -177,22 +176,11 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t) corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_generic_node(yppasswdd_t) corenet_udp_bind_generic_node(yppasswdd_t) @@ -41257,7 +41623,7 @@ index 3e4a31c..f1dd1fa 100644 dev_read_sysfs(yppasswdd_t) -@@ -203,11 +192,20 @@ selinux_get_fs_mount(yppasswdd_t) +@@ -203,11 +191,19 @@ selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) @@ -41269,7 +41635,6 @@ index 3e4a31c..f1dd1fa 100644 + +domain_use_interactive_fds(yppasswdd_t) + -+files_read_etc_files(yppasswdd_t) +files_read_etc_runtime_files(yppasswdd_t) +files_relabel_etc_files(yppasswdd_t) + @@ -41279,7 +41644,7 @@ index 3e4a31c..f1dd1fa 100644 sysnet_read_config(yppasswdd_t) -@@ -219,6 +217,10 @@ optional_policy(` +@@ -219,6 +215,10 @@ optional_policy(` ') optional_policy(` @@ -41290,7 +41655,7 @@ index 3e4a31c..f1dd1fa 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -234,7 +236,8 @@ optional_policy(` +@@ -234,7 +234,8 @@ optional_policy(` dontaudit ypserv_t self:capability sys_tty_config; allow ypserv_t self:fifo_file rw_fifo_file_perms; allow ypserv_t self:process signal_perms; @@ -41300,7 +41665,7 @@ index 3e4a31c..f1dd1fa 100644 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; allow ypserv_t self:tcp_socket connected_stream_socket_perms; allow ypserv_t self:udp_socket create_socket_perms; -@@ -254,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t) +@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) 
@@ -41308,7 +41673,7 @@ index 3e4a31c..f1dd1fa 100644 corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -264,31 +266,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) +@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) corenet_udp_sendrecv_all_ports(ypserv_t) corenet_tcp_bind_generic_node(ypserv_t) corenet_udp_bind_generic_node(ypserv_t) @@ -41339,7 +41704,6 @@ index 3e4a31c..f1dd1fa 100644 -fs_getattr_all_fs(ypserv_t) -fs_search_auto_mountpoints(ypserv_t) +files_read_var_files(ypserv_t) -+files_read_etc_files(ypserv_t) logging_send_syslog_msg(ypserv_t) @@ -41347,7 +41711,7 @@ index 3e4a31c..f1dd1fa 100644 nis_domtrans_ypxfr(ypserv_t) -@@ -310,8 +309,8 @@ optional_policy(` +@@ -310,8 +306,8 @@ optional_policy(` # ypxfr local policy # @@ -41358,7 +41722,7 @@ index 3e4a31c..f1dd1fa 100644 allow ypxfr_t self:tcp_socket create_stream_socket_perms; allow ypxfr_t self:udp_socket create_socket_perms; allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; -@@ -326,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) @@ -41366,7 +41730,7 @@ index 3e4a31c..f1dd1fa 100644 corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t) -@@ -336,23 +334,20 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) +@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) corenet_udp_sendrecv_all_ports(ypxfr_t) corenet_tcp_bind_generic_node(ypxfr_t) corenet_udp_bind_generic_node(ypxfr_t) 
@@ -41384,7 +41748,7 @@ index 3e4a31c..f1dd1fa 100644 -corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) - - files_read_etc_files(ypxfr_t) +-files_read_etc_files(ypxfr_t) files_search_usr(ypxfr_t) logging_send_syslog_msg(ypxfr_t) @@ -41474,10 +41838,10 @@ index 0000000..7d11148 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..f0aaecf +index 0000000..28b535e --- /dev/null +++ b/nova.te -@@ -0,0 +1,324 @@ +@@ -0,0 +1,322 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -41541,11 +41905,9 @@ index 0000000..f0aaecf + +fs_getattr_xattr_fs(nova_domain) + -+files_read_usr_files(nova_domain) + +libs_exec_ldconfig(nova_domain) + -+files_read_etc_files(nova_domain) + + +optional_policy(` @@ -42715,7 +43077,7 @@ index 97df768..0398e70 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index a3e56f0..bcc61b5 100644 +index a3e56f0..8903423 100644 --- a/nslcd.te +++ b/nslcd.te @@ -1,4 +1,4 @@ @@ -42741,7 +43103,7 @@ index a3e56f0..bcc61b5 100644 allow nslcd_t nslcd_conf_t:file read_file_perms; -@@ -38,13 +38,10 @@ kernel_read_system_state(nslcd_t) +@@ -38,12 +38,8 @@ kernel_read_system_state(nslcd_t) corenet_all_recvfrom_unlabeled(nslcd_t) corenet_all_recvfrom_netlabel(nslcd_t) @@ -42753,11 +43115,9 @@ index a3e56f0..bcc61b5 100644 -corenet_tcp_sendrecv_ldap_port(nslcd_t) +corenet_sendrecv_ldap_client_packets(nslcd_t) -+files_read_etc_files(nslcd_t) files_read_usr_symlinks(nslcd_t) files_list_tmp(nslcd_t) - -@@ -52,10 +49,14 @@ auth_use_nsswitch(nslcd_t) +@@ -52,10 +48,14 @@ auth_use_nsswitch(nslcd_t) logging_send_syslog_msg(nslcd_t) @@ -43270,10 +43630,10 @@ index 0000000..fce899a +') diff --git a/nsplugin.te b/nsplugin.te new file mode 100644 -index 0000000..caac07d +index 0000000..ff384e0 --- /dev/null 
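Review bot: The nova.te hunk removes `files_read_usr_files(nova_domain)` and `files_read_etc_files(nova_domain)` but leaves the blank lines that surrounded them, so the new file now has three consecutive empty lines after `libs_exec_ldconfig(nova_domain)` and two before it. Drop the orphaned blank lines together with the rules so the module keeps the single-blank-line separation used elsewhere in it. Whether nova_domain still gets etc_t/usr_t read access from the base policy after this removal is not visible in this chunk; if it does not, every nova_* domain loses read access to /etc and /usr.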
+++ b/nsplugin.te -@@ -0,0 +1,324 @@ +@@ -0,0 +1,322 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -43402,7 +43762,6 @@ index 0000000..caac07d + +files_dontaudit_getattr_lost_found_dirs(nsplugin_t) +files_dontaudit_list_home(nsplugin_t) -+files_read_usr_files(nsplugin_t) +files_read_config_files(nsplugin_t) + +fs_getattr_tmpfs(nsplugin_t) @@ -43538,7 +43897,6 @@ index 0000000..caac07d + +domain_use_interactive_fds(nsplugin_config_t) + -+files_read_usr_files(nsplugin_config_t) +files_dontaudit_search_home(nsplugin_config_t) +files_list_tmp(nsplugin_config_t) + @@ -43599,7 +43957,7 @@ index 0000000..caac07d + pulseaudio_setattr_home_dir(nsplugin_t) +') diff --git a/ntop.te b/ntop.te -index 52757d8..6519e8f 100644 +index 52757d8..638c3d2 100644 --- a/ntop.te +++ b/ntop.te @@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t) @@ -43610,6 +43968,14 @@ index 52757d8..6519e8f 100644 corenet_all_recvfrom_netlabel(ntop_t) corenet_tcp_sendrecv_generic_if(ntop_t) corenet_raw_sendrecv_generic_if(ntop_t) +@@ -81,7 +80,6 @@ dev_rw_generic_usb_dev(ntop_t) + + domain_use_interactive_fds(ntop_t) + +-files_read_usr_files(ntop_t) + + fs_getattr_all_fs(ntop_t) + fs_search_auto_mountpoints(ntop_t) diff --git a/ntp.fc b/ntp.fc index af3c91e..6882a3f 100644 --- a/ntp.fc @@ -43799,7 +44165,7 @@ index b59196f..d60b451 100644 + allow $1 ntpd_unit_file_t:service all_service_perms; ') diff --git a/ntp.te b/ntp.te -index b90e343..b969766 100644 +index b90e343..71042cd 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; 
@@ -43836,7 +44202,12 @@ index b90e343..b969766 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -115,8 +113,11 @@ files_list_var_lib(ntpd_t) +@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t) + domain_dontaudit_list_all_domains_state(ntpd_t) + + files_read_etc_runtime_files(ntpd_t) +-files_read_usr_files(ntpd_t) + files_list_var_lib(ntpd_t) fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) @@ -43848,7 +44219,7 @@ index b90e343..b969766 100644 auth_use_nsswitch(ntpd_t) -@@ -124,8 +125,6 @@ init_exec_script_files(ntpd_t) +@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -43970,7 +44341,7 @@ index 0d3c270..709dda1 100644 + ') ') diff --git a/numad.te b/numad.te -index f5d145d..c2d4196 100644 +index f5d145d..9510740 100644 --- a/numad.te +++ b/numad.te @@ -1,4 +1,4 @@ @@ -43979,7 +44350,7 @@ index f5d145d..c2d4196 100644 ######################################## # -@@ -8,37 +8,39 @@ policy_module(numad, 1.0.3) +@@ -8,37 +8,38 @@ policy_module(numad, 1.0.3) type numad_t; type numad_exec_t; init_daemon_domain(numad_t, numad_exec_t) @@ -44024,9 +44395,9 @@ index f5d145d..c2d4196 100644 dev_read_sysfs(numad_t) +-files_read_etc_files(numad_t) +domain_use_interactive_fds(numad_t) + - files_read_etc_files(numad_t) -miscfiles_read_localization(numad_t) +fs_search_cgroup_dirs(numad_t) @@ -44109,10 +44480,10 @@ index 57c0161..56660c5 100644 -') +## nut - Network UPS Tools diff --git a/nut.te b/nut.te -index 0c9deb7..7c6ea74 100644 +index 0c9deb7..87c7eb7 100644 --- a/nut.te +++ b/nut.te -@@ -1,121 +1,106 @@ +@@ -1,121 +1,105 @@ -policy_module(nut, 1.2.4) +policy_module(nut, 1.2.0) @@ -44210,7 +44581,7 @@ index 0c9deb7..7c6ea74 100644 corenet_tcp_bind_generic_port(nut_upsd_t) +corenet_tcp_bind_all_nodes(nut_upsd_t) - files_read_usr_files(nut_upsd_t) +-files_read_usr_files(nut_upsd_t) auth_use_nsswitch(nut_upsd_t) 
@@ -44277,7 +44648,7 @@ index 0c9deb7..7c6ea74 100644 mta_send_mail(nut_upsmon_t) optional_policy(` -@@ -124,14 +109,27 @@ optional_policy(` +@@ -124,14 +108,27 @@ optional_policy(` ######################################## # @@ -44307,7 +44678,7 @@ index 0c9deb7..7c6ea74 100644 corecmd_exec_bin(nut_upsdrvctl_t) dev_read_sysfs(nut_upsdrvctl_t) -@@ -144,17 +142,28 @@ auth_use_nsswitch(nut_upsdrvctl_t) +@@ -144,17 +141,28 @@ auth_use_nsswitch(nut_upsdrvctl_t) init_sigchld(nut_upsdrvctl_t) @@ -44378,7 +44749,7 @@ index 251d681..50ae2a9 100644 + filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh") +') diff --git a/nx.te b/nx.te -index b1832ca..df4fbb8 100644 +index b1832ca..d181d03 100644 --- a/nx.te +++ b/nx.te @@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) @@ -44408,17 +44779,32 @@ index b1832ca..df4fbb8 100644 corenet_all_recvfrom_netlabel(nx_server_t) corenet_tcp_sendrecv_generic_if(nx_server_t) corenet_tcp_sendrecv_generic_node(nx_server_t) -@@ -71,10 +76,6 @@ files_read_etc_files(nx_server_t) - files_read_etc_runtime_files(nx_server_t) - files_read_usr_files(nx_server_t) +@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t) + dev_read_urand(nx_server_t) + +-files_read_etc_files(nx_server_t) + files_read_etc_runtime_files(nx_server_t) +-files_read_usr_files(nx_server_t) +- -miscfiles_read_localization(nx_server_t) - -seutil_dontaudit_search_config(nx_server_t) -- + sysnet_read_config(nx_server_t) - ssh_basic_client_template(nx_server, nx_server_t, nx_server_r) +diff --git a/oav.te b/oav.te +index 75fdf58..1a9e754 100644 +--- a/oav.te ++++ b/oav.te +@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t) + domain_use_interactive_fds(scannerdaemon_t) + + files_exec_etc_files(scannerdaemon_t) +-files_read_etc_files(scannerdaemon_t) + files_read_etc_runtime_files(scannerdaemon_t) + files_search_var_lib(scannerdaemon_t) + diff --git a/obex.fc b/obex.fc index 03fa560..000c5fe 100644 --- a/obex.fc 
@@ -44923,7 +45309,7 @@ index 296a1d3..467700e 100644 +userdom_stream_connect(oddjob_mkhomedir_t) + diff --git a/openct.te b/openct.te -index 8467596..866bd6a 100644 +index 8467596..c73eb86 100644 --- a/openct.te +++ b/openct.te @@ -34,6 +34,8 @@ kernel_read_kernel_sysctls(openct_t) @@ -44935,7 +45321,14 @@ index 8467596..866bd6a 100644 dev_read_sysfs(openct_t) dev_rw_usbfs(openct_t) dev_rw_smartcard(openct_t) -@@ -48,8 +50,6 @@ fs_search_auto_mountpoints(openct_t) +@@ -41,15 +43,12 @@ dev_rw_generic_usb_dev(openct_t) + + domain_use_interactive_fds(openct_t) + +-files_read_etc_files(openct_t) + + fs_getattr_all_fs(openct_t) + fs_search_auto_mountpoints(openct_t) logging_send_syslog_msg(openct_t) @@ -44944,6 +45337,18 @@ index 8467596..866bd6a 100644 userdom_dontaudit_use_unpriv_user_fds(openct_t) userdom_dontaudit_search_user_home_dirs(openct_t) +diff --git a/openhpi.te b/openhpi.te +index 7f398c0..e66751b 100644 +--- a/openhpi.te ++++ b/openhpi.te +@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t) + + dev_read_urand(openhpid_t) + +-files_read_etc_files(openhpid_t) + + logging_send_syslog_msg(openhpid_t) + diff --git a/openhpid.fc b/openhpid.fc new file mode 100644 index 0000000..9441fd7 @@ -45125,10 +45530,10 @@ index 0000000..598789a + diff --git a/openhpid.te b/openhpid.te new file mode 100644 -index 0000000..c4ecca7 +index 0000000..be2a88d --- /dev/null +++ b/openhpid.te -@@ -0,0 +1,51 @@ +@@ -0,0 +1,50 @@ +policy_module(openhpid, 1.0.0) + +######################################## @@ -45177,7 +45582,6 @@ index 0000000..c4ecca7 + +dev_read_urand(openhpid_t) + -+files_read_etc_files(openhpid_t) + +logging_send_syslog_msg(openhpid_t) diff --git a/openshift-origin.fc b/openshift-origin.fc @@ -45895,10 +46299,10 @@ index 0000000..98ce2c3 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..d97b009 +index 0000000..9bd0784 --- /dev/null 
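Review bot: The openshift.te hunks drop `files_read_etc_files(openshift_domain)`, `files_read_usr_files(openshift_domain)` and `files_read_etc_files(openshift_cgroup_read_t)` with no replacement in the visible diff, so unless the base policy now grants etc_t/usr_t read to every domain (presumably the motivation, but not shown in this chunk) the confined gear domains covered by the openshift_domain attribute will start seeing read denials on /etc and /usr, while `files_exec_etc_files(openshift_domain)` and `files_exec_usr_files(openshift_domain)` are kept. For an attribute shared by several confined domains this is worth confirming on the built policy, e.g. `sesearch -A -s openshift_domain -t etc_t -c file -p read`, before shipping. The deletion in the cgroup_read block also leaves two consecutive blank lines after `domain_use_interactive_fds(openshift_cgroup_read_t)`; remove the orphaned blank along with the rule.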
+++ b/openshift.te -@@ -0,0 +1,383 @@ +@@ -0,0 +1,380 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -46116,9 +46520,7 @@ index 0000000..d97b009 +files_dontaudit_search_spool(openshift_domain) +files_dontaudit_search_all_dirs(openshift_domain) +files_dontaudit_list_var(openshift_domain) -+files_read_etc_files(openshift_domain) +files_exec_etc_files(openshift_domain) -+files_read_usr_files(openshift_domain) +files_exec_usr_files(openshift_domain) +files_dontaudit_getattr_non_security_sockets(openshift_domain) +files_dontaudit_setattr_non_security_dirs(openshift_domain) @@ -46265,7 +46667,6 @@ index 0000000..d97b009 + +domain_use_interactive_fds(openshift_cgroup_read_t) + -+files_read_etc_files(openshift_cgroup_read_t) + +fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t) + @@ -46674,7 +47075,7 @@ index 9b15730..14f29e4 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..b8995a2 100644 +index 508fedf..4068f7f 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -46760,10 +47161,11 @@ index 508fedf..b8995a2 100644 corecmd_exec_bin(openvswitch_t) -@@ -74,16 +69,22 @@ dev_read_urand(openvswitch_t) +@@ -73,17 +68,22 @@ dev_read_urand(openvswitch_t) + domain_use_interactive_fds(openvswitch_t) - files_read_etc_files(openvswitch_t) +-files_read_etc_files(openvswitch_t) +files_read_kernel_modules(openvswitch_t) fs_getattr_all_fs(openvswitch_t) @@ -47297,7 +47699,7 @@ index bf59ef7..c050b37 100644 + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) ') diff --git a/passenger.te b/passenger.te -index 4e114ff..ca09bc0 100644 +index 4e114ff..fddaed2 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ 
@@ -47371,12 +47773,11 @@ index 4e114ff..ca09bc0 100644 corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -66,14 +70,12 @@ dev_read_urand(passenger_t) +@@ -66,14 +70,11 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) -files_read_etc_files(passenger_t) -+files_read_usr_files(passenger_t) auth_use_nsswitch(passenger_t) @@ -47387,7 +47788,7 @@ index 4e114ff..ca09bc0 100644 userdom_dontaudit_use_user_terminals(passenger_t) optional_policy(` -@@ -90,14 +92,15 @@ optional_policy(` +@@ -90,14 +91,15 @@ optional_policy(` ') optional_policy(` @@ -48013,10 +48414,10 @@ index 0000000..8d681d1 +') diff --git a/piranha.te b/piranha.te new file mode 100644 -index 0000000..be7f288 +index 0000000..34e591f --- /dev/null +++ b/piranha.te -@@ -0,0 +1,295 @@ +@@ -0,0 +1,293 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -48126,7 +48527,6 @@ index 0000000..be7f288 + +domain_read_all_domains_state(piranha_web_t) + -+files_read_usr_files(piranha_web_t) + +optional_policy(` + consoletype_exec(piranha_web_t) @@ -48306,7 +48706,6 @@ index 0000000..be7f288 +corenet_tcp_bind_generic_node(piranha_domain) +corenet_udp_bind_generic_node(piranha_domain) + -+files_read_etc_files(piranha_domain) + +corecmd_exec_bin(piranha_domain) +corecmd_exec_shell(piranha_domain) @@ -48614,10 +49013,10 @@ index 0000000..848ddc9 +') diff --git a/pkcsslotd.te b/pkcsslotd.te new file mode 100644 -index 0000000..9ab2c4d +index 0000000..d6d79b9 --- /dev/null +++ b/pkcsslotd.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,60 @@ +policy_module(pkcsslotd, 1.0.0) + +######################################## @@ -48676,7 +49075,6 @@ index 0000000..9ab2c4d + +domain_use_interactive_fds(pkcsslotd_t) + -+files_read_etc_files(pkcsslotd_t) + +logging_send_syslog_msg(pkcsslotd_t) diff --git a/pki.fc b/pki.fc @@ -48996,10 +49394,10 @@ index 0000000..83c13cf + diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..dfebbd9 +index 0000000..b4286ce --- /dev/null 
+++ b/pki.te -@@ -0,0 +1,289 @@ +@@ -0,0 +1,288 @@ +policy_module(pki,10.0.11) + +######################################## @@ -49172,7 +49570,6 @@ index 0000000..dfebbd9 +corenet_tcp_connect_pki_tks_port(pki_tps_t) + +files_exec_usr_files(pki_tps_t) -+files_read_usr_files(pki_tps_t) + +# why do I need to add this? +#allow httpd_t httpd_config_t:file execute; @@ -49593,7 +49990,7 @@ index 30e751f..17c097d 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index b1f412b..5772ef0 100644 +index b1f412b..3a3249a 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -1,4 +1,4 @@ @@ -49637,7 +50034,14 @@ index b1f412b..5772ef0 100644 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -@@ -77,12 +75,22 @@ term_getattr_pty_fs(plymouthd_t) +@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t) + + fs_getattr_all_fs(plymouthd_t) + +-files_read_etc_files(plymouthd_t) +-files_read_usr_files(plymouthd_t) + + term_getattr_pty_fs(plymouthd_t) term_use_all_terms(plymouthd_t) term_use_ptmx(plymouthd_t) @@ -49662,7 +50066,7 @@ index b1f412b..5772ef0 100644 ') optional_policy(` -@@ -90,21 +98,19 @@ optional_policy(` +@@ -90,35 +96,33 @@ optional_policy(` ') optional_policy(` @@ -49688,7 +50092,9 @@ index b1f412b..5772ef0 100644 kernel_read_system_state(plymouth_t) kernel_stream_connect(plymouth_t) -@@ -114,11 +120,12 @@ files_read_etc_files(plymouth_t) + domain_use_interactive_fds(plymouth_t) + +-files_read_etc_files(plymouth_t) term_use_ptmx(plymouth_t) @@ -49704,7 +50110,7 @@ index b1f412b..5772ef0 100644 hal_dontaudit_write_log(plymouth_t) hal_dontaudit_rw_pipes(plymouth_t) diff --git a/podsleuth.te b/podsleuth.te -index a14b3bc..caa8e6c 100644 +index a14b3bc..b196183 100644 --- a/podsleuth.te +++ b/podsleuth.te @@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) 
@@ -49717,7 +50123,15 @@ index a14b3bc..caa8e6c 100644 allow podsleuth_t self:fifo_file rw_fifo_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:sem create_sem_perms; -@@ -76,8 +77,6 @@ fs_getattr_tmpfs(podsleuth_t) +@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t) + + dev_read_urand(podsleuth_t) + +-files_read_etc_files(podsleuth_t) + + fs_mount_dos_fs(podsleuth_t) + fs_unmount_dos_fs(podsleuth_t) +@@ -76,8 +76,6 @@ fs_getattr_tmpfs(podsleuth_t) fs_list_tmpfs(podsleuth_t) fs_rw_removable_blk_files(podsleuth_t) @@ -50010,7 +50424,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 49694e8..946bfb5 100644 +index 49694e8..0372dfd 100644 --- a/policykit.te +++ b/policykit.te @@ -1,4 +1,4 @@ @@ -50042,7 +50456,7 @@ index 49694e8..946bfb5 100644 type policykit_resolve_t, policykit_domain; type policykit_resolve_exec_t; -@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t) +@@ -42,48 +37,43 @@ files_pid_file(policykit_var_run_t) ####################################### # @@ -50105,10 +50519,7 @@ index 49694e8..946bfb5 100644 domain_read_all_domains_state(policykit_t) -+files_read_usr_files(policykit_t) - files_dontaudit_search_all_mountpoints(policykit_t) - - fs_list_inotifyfs(policykit_t) +@@ -93,12 +83,17 @@ fs_list_inotifyfs(policykit_t) auth_use_nsswitch(policykit_t) @@ -50126,7 +50537,7 @@ index 49694e8..946bfb5 100644 optional_policy(` consolekit_dbus_chat(policykit_t) ') -@@ -109,29 +105,43 @@ optional_policy(` +@@ -109,29 +104,43 @@ optional_policy(` ') optional_policy(` 
@@ -50178,7 +50589,7 @@ index 49694e8..946bfb5 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,14 +155,12 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,9 +154,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -50188,13 +50599,7 @@ index 49694e8..946bfb5 100644 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) dev_read_video_dev(policykit_auth_t) - - files_read_etc_runtime_files(policykit_auth_t) -+files_read_usr_files(policykit_auth_t) - files_search_home(policykit_auth_t) - - fs_getattr_all_fs(policykit_auth_t) -@@ -162,48 +170,58 @@ auth_rw_var_auth(policykit_auth_t) +@@ -162,48 +168,58 @@ auth_rw_var_auth(policykit_auth_t) auth_use_nsswitch(policykit_auth_t) auth_domtrans_chk_passwd(policykit_auth_t) @@ -50263,7 +50668,7 @@ index 49694e8..946bfb5 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +229,21 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +227,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -50271,7 +50676,6 @@ index 49694e8..946bfb5 100644 - -domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t) -domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t) -+files_read_usr_files(policykit_grant_t) auth_domtrans_chk_passwd(policykit_grant_t) auth_use_nsswitch(policykit_grant_t) 
@@ -50291,7 +50695,7 @@ index 49694e8..946bfb5 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +251,29 @@ optional_policy(` +@@ -235,26 +248,28 @@ optional_policy(` ######################################## # @@ -50318,7 +50722,6 @@ index 49694e8..946bfb5 100644 -domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) - -mcs_ptrace_all(policykit_resolve_t) -+files_read_usr_files(policykit_resolve_t) auth_use_nsswitch(policykit_resolve_t) @@ -50327,7 +50730,7 @@ index 49694e8..946bfb5 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +285,7 @@ optional_policy(` +@@ -266,6 +281,7 @@ optional_policy(` ') optional_policy(` @@ -50608,7 +51011,7 @@ index ae27bb7..d00f6ba 100644 + allow $1 polipo_unit_file_t:service all_service_perms; ') diff --git a/polipo.te b/polipo.te -index 316d53a..a0b37ad 100644 +index 316d53a..79b5c4f 100644 --- a/polipo.te +++ b/polipo.te @@ -1,4 +1,4 @@ @@ -50684,7 +51087,7 @@ index 316d53a..a0b37ad 100644 type polipo_cache_t; files_type(polipo_cache_t) -@@ -56,112 +63,97 @@ files_type(polipo_cache_t) +@@ -56,112 +63,96 @@ files_type(polipo_cache_t) type polipo_log_t; logging_log_file(polipo_log_t) @@ -50737,7 +51140,6 @@ index 316d53a..a0b37ad 100644 -tunable_policy(`polipo_session_send_syslog_msg',` - logging_send_syslog_msg(polipo_session_t) -') -+files_read_usr_files(polipo_daemon) -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(polipo_session_t) 
@@ -50789,24 +51191,24 @@ index 316d53a..a0b37ad 100644 optional_policy(` - cron_system_entry(polipo_system_t, polipo_exec_t) + cron_system_entry(polipo_t, polipo_exec_t) ++') ++ ++tunable_policy(`polipo_connect_all_unreserved',` ++ corenet_tcp_connect_all_unreserved_ports(polipo_t) ') -tunable_policy(`polipo_system_use_cifs',` - fs_manage_cifs_files(polipo_system_t) -',` - fs_dontaudit_read_cifs_files(polipo_system_t) -+tunable_policy(`polipo_connect_all_unreserved',` -+ corenet_tcp_connect_all_unreserved_ports(polipo_t) ++tunable_policy(`polipo_use_cifs',` ++ fs_manage_cifs_files(polipo_t) ') -tunable_policy(`polipo_system_use_nfs',` - fs_manage_nfs_files(polipo_system_t) -',` - fs_dontaudit_read_nfs_files(polipo_system_t) -+tunable_policy(`polipo_use_cifs',` -+ fs_manage_cifs_files(polipo_t) -+') -+ +tunable_policy(`polipo_use_nfs',` + fs_manage_nfs_files(polipo_t) ') @@ -50849,6 +51251,26 @@ index 316d53a..a0b37ad 100644 -miscfiles_read_localization(polipo_daemon) +userdom_home_manager(polipo_session_t) +diff --git a/portage.te b/portage.te +index a95fc4a..b9b5418 100644 +--- a/portage.te ++++ b/portage.te +@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t) + + files_manage_etc_files(gcc_config_t) + files_rw_etc_runtime_files(gcc_config_t) +-files_read_usr_files(gcc_config_t) + files_search_var_lib(gcc_config_t) + files_search_pids(gcc_config_t) + # complains loudly about not being able to list +@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t) + domain_use_interactive_fds(portage_fetch_t) + + files_read_etc_runtime_files(portage_fetch_t) +-files_read_usr_files(portage_fetch_t) + files_dontaudit_search_pids(portage_fetch_t) + + fs_search_auto_mountpoints(portage_fetch_t) diff --git a/portmap.fc b/portmap.fc index cd45831..69406ee 100644 --- a/portmap.fc @@ -50940,7 +51362,7 @@ index 5ad5291..7f1ae2a 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) 
diff --git a/portreserve.te b/portreserve.te -index a38b57a..614785d 100644 +index a38b57a..aa9d604 100644 --- a/portreserve.te +++ b/portreserve.te @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } @@ -50951,6 +51373,13 @@ index a38b57a..614785d 100644 corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_sendrecv_generic_if(portreserve_t) corenet_udp_sendrecv_generic_if(portreserve_t) +@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t) + corenet_tcp_bind_all_ports(portreserve_t) + corenet_udp_bind_all_ports(portreserve_t) + +-files_read_etc_files(portreserve_t) + + userdom_dontaudit_search_user_home_content(portreserve_t) diff --git a/portslave.te b/portslave.te index e85e33d..a7d7c55 100644 --- a/portslave.te @@ -51908,7 +52337,7 @@ index 2e23946..41da729 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..ca44603 100644 +index 191a66f..738b640 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -52117,10 +52546,10 @@ index 191a66f..ca44603 100644 -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; ++ ++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; -+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -+ +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; + +manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) 
@@ -52154,27 +52583,27 @@ index 191a66f..ca44603 100644 -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private") - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t) -manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") -- + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") -- + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") - --can_exec(postfix_master_t, postfix_exec_t) +kernel_read_all_sysctls(postfix_master_t) +-can_exec(postfix_master_t, postfix_exec_t) +- -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) - 
@@ -52182,7 +52611,7 @@ index 191a66f..ca44603 100644 corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) corenet_udp_sendrecv_generic_if(postfix_master_t) -@@ -263,50 +166,47 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -263,50 +166,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -52221,12 +52650,11 @@ index 191a66f..ca44603 100644 domain_use_interactive_fds(postfix_master_t) -+files_read_usr_files(postfix_master_t) +files_search_var_lib(postfix_master_t) files_search_tmp(postfix_master_t) - mcs_file_read_all(postfix_master_t) - +-mcs_file_read_all(postfix_master_t) +- term_dontaudit_search_ptys(postfix_master_t) -miscfiles_read_man_pages(postfix_master_t) @@ -52252,7 +52680,7 @@ index 191a66f..ca44603 100644 optional_policy(` cyrus_stream_connect(postfix_master_t) ') -@@ -316,14 +216,11 @@ optional_policy(` +@@ -316,14 +213,11 @@ optional_policy(` ') optional_policy(` @@ -52268,7 +52696,7 @@ index 191a66f..ca44603 100644 postgrey_search_spool(postfix_master_t) ') -@@ -333,12 +230,14 @@ optional_policy(` +@@ -333,12 +227,14 @@ optional_policy(` ######################################## # @@ -52285,7 +52713,7 @@ index 191a66f..ca44603 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -355,35 +254,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool +@@ -355,35 +251,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool ######################################## # @@ -52330,7 +52758,7 @@ index 191a66f..ca44603 100644 mta_read_aliases(postfix_cleanup_t) -@@ -393,29 +291,45 @@ optional_policy(` +@@ -393,29 +288,45 @@ optional_policy(` ######################################## # 
@@ -52382,7 +52810,7 @@ index 191a66f..ca44603 100644 tunable_policy(`postfix_local_write_mail_spool',` mta_manage_spool(postfix_local_t) ') -@@ -423,6 +337,7 @@ tunable_policy(`postfix_local_write_mail_spool',` +@@ -423,6 +334,7 @@ tunable_policy(`postfix_local_write_mail_spool',` optional_policy(` clamav_search_lib(postfix_local_t) clamav_exec_clamscan(postfix_local_t) @@ -52390,7 +52818,7 @@ index 191a66f..ca44603 100644 ') optional_policy(` -@@ -434,6 +349,7 @@ optional_policy(` +@@ -434,6 +346,7 @@ optional_policy(` ') optional_policy(` @@ -52398,7 +52826,7 @@ index 191a66f..ca44603 100644 mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) mailman_read_log(postfix_local_t) -@@ -444,6 +360,10 @@ optional_policy(` +@@ -444,6 +357,10 @@ optional_policy(` ') optional_policy(` @@ -52409,7 +52837,7 @@ index 191a66f..ca44603 100644 procmail_domtrans(postfix_local_t) ') -@@ -458,15 +378,17 @@ optional_policy(` +@@ -458,15 +375,17 @@ optional_policy(` ######################################## # @@ -52433,7 +52861,7 @@ index 191a66f..ca44603 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +395,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) 
@@ -52453,7 +52881,15 @@ index 191a66f..ca44603 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -500,21 +423,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -492,7 +412,6 @@ corecmd_read_bin_pipes(postfix_map_t) + corecmd_read_bin_sockets(postfix_map_t) + + files_list_home(postfix_map_t) +-files_read_usr_files(postfix_map_t) + files_read_etc_runtime_files(postfix_map_t) + files_dontaudit_search_var(postfix_map_t) + +@@ -500,21 +419,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) @@ -52479,7 +52915,7 @@ index 191a66f..ca44603 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,6 +448,8 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,16 +444,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -52488,8 +52924,10 @@ index 191a66f..ca44603 100644 allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -@@ -533,7 +459,7 @@ mcs_file_write_all(postfix_pickup_t) +-mcs_file_read_all(postfix_pickup_t) +-mcs_file_write_all(postfix_pickup_t) +- ######################################## # -# Pipe local policy @@ -52497,7 +52935,7 @@ index 191a66f..ca44603 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,20 +502,28 @@ optional_policy(` +@@ -576,19 +495,24 @@ optional_policy(` ######################################## # 
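Review bot: The added `-mcs_file_read_all(postfix_pickup_t)` and `-mcs_file_write_all(postfix_pickup_t)` lines make the patch strip the MCS override from postfix_pickup_t while the same hunk keeps `read_files_pattern`/`delete_files_pattern` on postfix_spool_maildrop_t, a spool that users at arbitrary categories drop mail into. That is only safe if the mcs constraints exempt every domain that is not mcs_constrained_type, which this hunk cannot show; if they do not, pickup fails to read or unlink category-labelled maildrop files and mail silently sits in the queue. I would record the dependency next to the removal, e.g. `# no MCS override here: pickup relies on the mcs constraints exempting domains outside mcs_constrained_type`, and confirm the constraint rework lands in the same update. The postfix_pickup_t block continues outside this hunk, and the same removal appears to be repeated for postdrop and showq further down.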
@@ -52520,16 +52958,14 @@ index 191a66f..ca44603 100644 -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; - - mcs_file_read_all(postfix_postdrop_t) - mcs_file_write_all(postfix_postdrop_t) - +-mcs_file_read_all(postfix_postdrop_t) +-mcs_file_write_all(postfix_postdrop_t) +corenet_udp_sendrecv_generic_if(postfix_postdrop_t) +corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -+ + term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) - -@@ -603,10 +537,7 @@ optional_policy(` +@@ -603,10 +527,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -52541,7 +52977,7 @@ index 191a66f..ca44603 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +552,23 @@ optional_policy(` +@@ -621,17 +542,23 @@ optional_policy(` ####################################### # @@ -52568,7 +53004,7 @@ index 191a66f..ca44603 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +584,80 @@ optional_policy(` +@@ -647,67 +574,78 @@ optional_policy(` ######################################## # @@ -52625,8 +53061,8 @@ index 191a66f..ca44603 100644 -allow postfix_showq_t postfix_spool_t:file read_file_perms; - - mcs_file_read_all(postfix_showq_t) - +-mcs_file_read_all(postfix_showq_t) +- +# to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) term_use_all_ttys(postfix_showq_t) @@ -52665,7 +53101,7 @@ index 191a66f..ca44603 100644 ') optional_policy(` -@@ -720,24 +670,28 @@ optional_policy(` +@@ -720,24 +658,27 @@ optional_policy(` ######################################## # 
@@ -52694,13 +53130,12 @@ index 191a66f..ca44603 100644 corecmd_exec_bin(postfix_smtpd_t) +# for OpenSSL certificates -+files_read_usr_files(postfix_smtpd_t) + +# postfix checks the size of all mounted file systems fs_getattr_all_dirs(postfix_smtpd_t) fs_getattr_all_fs(postfix_smtpd_t) -@@ -754,6 +708,7 @@ optional_policy(` +@@ -754,6 +695,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -52708,7 +53143,7 @@ index 191a66f..ca44603 100644 ') optional_policy(` -@@ -764,31 +719,102 @@ optional_policy(` +@@ -764,31 +706,100 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -52734,7 +53169,6 @@ index 191a66f..ca44603 100644 +corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) -+files_read_usr_files(postfix_virtual_t) + mta_read_aliases(postfix_virtual_t) mta_delete_spool(postfix_virtual_t) @@ -52795,7 +53229,6 @@ index 191a66f..ca44603 100644 +corecmd_exec_shell(postfix_domain) + +files_read_etc_runtime_files(postfix_domain) -+files_read_usr_files(postfix_domain) +files_read_usr_symlinks(postfix_domain) +files_search_spool(postfix_domain) +files_list_tmp(postfix_domain) @@ -52839,7 +53272,7 @@ index 5de8173..985b877 100644 init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/postfixpolicyd.te b/postfixpolicyd.te -index 70f0533..3eed489 100644 +index 70f0533..77d4cd9 100644 --- a/postfixpolicyd.te +++ b/postfixpolicyd.te @@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; 
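Review bot: The comment `# for OpenSSL certificates` in the postfix_smtpd_t block now annotates nothing, because the `files_read_usr_files(postfix_smtpd_t)` line it justified was dropped from the patch and only a blank line follows it. Either delete the comment or, if certificate reads under /usr are presumably now granted by base policy, say so explicitly so nobody re-adds the rule: e.g. `# certificate reads under /usr are expected to come from base domain policy; no smtpd-specific rule`. The postfix_smtpd_t block continues outside this hunk.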
@@ -52850,7 +53283,12 @@ index 70f0533..3eed489 100644 corenet_tcp_sendrecv_generic_if(postfix_policyd_t) corenet_tcp_sendrecv_generic_node(postfix_policyd_t) corenet_tcp_bind_generic_node(postfix_policyd_t) -@@ -52,6 +51,4 @@ files_read_usr_files(postfix_policyd_t) +@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t) + corenet_tcp_bind_mysqld_port(postfix_policyd_t) + corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t) + +-files_read_etc_files(postfix_policyd_t) +-files_read_usr_files(postfix_policyd_t) logging_send_syslog_msg(postfix_policyd_t) @@ -52895,7 +53333,7 @@ index b9e71b5..a7502cd 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index 3b11496..8c3efb2 100644 +index 3b11496..04e3809 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; @@ -52915,7 +53353,15 @@ index 3b11496..8c3efb2 100644 corenet_all_recvfrom_netlabel(postgrey_t) corenet_tcp_sendrecv_generic_if(postgrey_t) corenet_tcp_sendrecv_generic_node(postgrey_t) -@@ -80,9 +79,9 @@ files_getattr_tmp_dirs(postgrey_t) +@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t) + + domain_use_interactive_fds(postgrey_t) + +-files_read_etc_files(postgrey_t) + files_read_etc_runtime_files(postgrey_t) +-files_read_usr_files(postgrey_t) + files_getattr_tmp_dirs(postgrey_t) + fs_getattr_all_fs(postgrey_t) fs_search_auto_mountpoints(postgrey_t) @@ -53484,7 +53930,7 @@ index cd8b8b9..cde0d62 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..2a04cb0 100644 +index b2b5dba..25f2610 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ 
@@ -53668,11 +54114,9 @@ index b2b5dba..2a04cb0 100644 corecmd_exec_bin(pppd_t) corecmd_exec_shell(pppd_t) -@@ -146,37 +168,32 @@ domain_use_interactive_fds(pppd_t) - files_exec_etc_files(pppd_t) +@@ -147,36 +169,30 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) -+files_read_usr_files(pppd_t) -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) @@ -53715,7 +54159,7 @@ index b2b5dba..2a04cb0 100644 optional_policy(` ddclient_run(pppd_t, pppd_roles) -@@ -190,7 +207,7 @@ optional_policy(` +@@ -190,7 +206,7 @@ optional_policy(` optional_policy(` tunable_policy(`pppd_can_insmod',` @@ -53724,7 +54168,7 @@ index b2b5dba..2a04cb0 100644 ') ') -@@ -218,16 +235,19 @@ optional_policy(` +@@ -218,16 +234,19 @@ optional_policy(` ######################################## # @@ -53747,7 +54191,7 @@ index b2b5dba..2a04cb0 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +256,44 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +255,44 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -53805,7 +54249,7 @@ index b2b5dba..2a04cb0 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +300,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -53983,7 +54427,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index c0f047a..9f1d1b5 100644 +index c0f047a..e81b5b1 100644 --- a/prelink.te +++ b/prelink.te @@ -1,4 +1,4 @@ 
@@ -54038,7 +54482,7 @@ index c0f047a..9f1d1b5 100644 kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) -@@ -75,25 +75,24 @@ corecmd_mmap_all_executables(prelink_t) +@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) dev_read_urand(prelink_t) @@ -54046,19 +54490,18 @@ index c0f047a..9f1d1b5 100644 -files_getattr_all_files(prelink_t) files_list_all(prelink_t) --files_manage_usr_files(prelink_t) --files_manage_var_files(prelink_t) +files_getattr_all_files(prelink_t) +files_write_non_security_dirs(prelink_t) - files_read_etc_files(prelink_t) - files_read_etc_runtime_files(prelink_t) --files_relabelfrom_usr_files(prelink_t) ++files_read_etc_runtime_files(prelink_t) ++files_dontaudit_read_all_symlinks(prelink_t) + files_manage_usr_files(prelink_t) + files_manage_var_files(prelink_t) +-files_read_etc_files(prelink_t) +-files_read_etc_runtime_files(prelink_t) + files_relabelfrom_usr_files(prelink_t) -files_search_var_lib(prelink_t) -files_write_non_security_dirs(prelink_t) - files_dontaudit_read_all_symlinks(prelink_t) -+files_manage_usr_files(prelink_t) -+files_manage_var_files(prelink_t) -+files_relabelfrom_usr_files(prelink_t) +-files_dontaudit_read_all_symlinks(prelink_t) -fs_getattr_all_fs(prelink_t) -fs_search_auto_mountpoints(prelink_t) @@ -54073,7 +54516,7 @@ index c0f047a..9f1d1b5 100644 libs_exec_ld_so(prelink_t) libs_legacy_use_shared_libs(prelink_t) libs_manage_ld_so(prelink_t) -@@ -102,32 +101,16 @@ libs_manage_shared_libs(prelink_t) +@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t) libs_relabel_shared_libs(prelink_t) libs_delete_lib_symlinks(prelink_t) @@ -54092,7 +54535,8 @@ index c0f047a..9f1d1b5 100644 -ifdef(`hide_broken_symptoms',` - miscfiles_read_man_pages(prelink_t) -- ++systemd_read_unit_files(prelink_t) + - optional_policy(` - dbus_read_config(prelink_t) - ') 
@@ -54102,8 +54546,7 @@ index c0f047a..9f1d1b5 100644 - fs_exec_nfs_files(prelink_t) - fs_manage_nfs_files(prelink_t) -') -+systemd_read_unit_files(prelink_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_exec_cifs_files(prelink_t) - fs_manage_cifs_files(prelink_t) @@ -54112,7 +54555,7 @@ index c0f047a..9f1d1b5 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -138,11 +121,12 @@ optional_policy(` +@@ -138,11 +120,12 @@ optional_policy(` ') optional_policy(` @@ -54126,7 +54569,7 @@ index c0f047a..9f1d1b5 100644 ') optional_policy(` -@@ -155,17 +139,18 @@ optional_policy(` +@@ -155,17 +138,18 @@ optional_policy(` ######################################## # @@ -54148,7 +54591,7 @@ index c0f047a..9f1d1b5 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -174,7 +159,7 @@ optional_policy(` +@@ -174,7 +158,7 @@ optional_policy(` manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) @@ -54157,20 +54600,19 @@ index c0f047a..9f1d1b5 100644 kernel_read_system_state(prelink_cron_system_t) -@@ -184,8 +169,11 @@ optional_policy(` +@@ -184,8 +168,10 @@ optional_policy(` dev_list_sysfs(prelink_cron_system_t) dev_read_sysfs(prelink_cron_system_t) - files_rw_etc_dirs(prelink_cron_system_t) files_dontaudit_search_all_mountpoints(prelink_cron_system_t) -+ files_read_etc_files(prelink_cron_system_t) + files_search_var_lib(prelink_cron_system_t) + + fs_search_cgroup_dirs(prelink_cron_system_t) auth_use_nsswitch(prelink_cron_system_t) -@@ -196,11 +184,20 @@ optional_policy(` +@@ -196,11 +182,20 @@ optional_policy(` logging_search_logs(prelink_cron_system_t) @@ -54354,7 +54796,7 @@ index c83a838..f41a4f7 100644 admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te -index db864df..6cff94f 100644 +index db864df..f7eb5e0 100644 --- a/prelude.te +++ b/prelude.te 
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t; @@ -54374,7 +54816,15 @@ index db864df..6cff94f 100644 corenet_all_recvfrom_netlabel(prelude_t) corenet_tcp_sendrecv_generic_if(prelude_t) corenet_tcp_sendrecv_generic_node(prelude_t) -@@ -108,8 +107,6 @@ auth_use_nsswitch(prelude_t) +@@ -97,7 +96,6 @@ dev_read_rand(prelude_t) + dev_read_urand(prelude_t) + + files_read_etc_runtime_files(prelude_t) +-files_read_usr_files(prelude_t) + files_search_spool(prelude_t) + files_search_tmp(prelude_t) + +@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t) logging_send_audit_msgs(prelude_t) logging_send_syslog_msg(prelude_t) @@ -54383,7 +54833,7 @@ index db864df..6cff94f 100644 optional_policy(` mysql_stream_connect(prelude_t) mysql_tcp_connect(prelude_t) -@@ -141,7 +138,6 @@ kernel_read_system_state(prelude_audisp_t) +@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t) corecmd_search_bin(prelude_audisp_t) @@ -54391,7 +54841,7 @@ index db864df..6cff94f 100644 corenet_all_recvfrom_netlabel(prelude_audisp_t) corenet_tcp_sendrecv_generic_if(prelude_audisp_t) corenet_tcp_sendrecv_generic_node(prelude_audisp_t) -@@ -155,15 +151,12 @@ dev_read_urand(prelude_audisp_t) +@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t) domain_use_interactive_fds(prelude_audisp_t) @@ -54407,7 +54857,7 @@ index db864df..6cff94f 100644 sysnet_dns_name_resolve(prelude_audisp_t) ######################################## -@@ -184,7 +177,6 @@ kernel_read_sysctl(prelude_correlator_t) +@@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t) corecmd_search_bin(prelude_correlator_t) 
@@ -54415,12 +54865,12 @@ index db864df..6cff94f 100644 corenet_all_recvfrom_netlabel(prelude_correlator_t) corenet_tcp_sendrecv_generic_if(prelude_correlator_t) corenet_tcp_sendrecv_generic_node(prelude_correlator_t) -@@ -196,14 +188,11 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t) +@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t) dev_read_rand(prelude_correlator_t) dev_read_urand(prelude_correlator_t) -files_read_etc_files(prelude_correlator_t) - files_read_usr_files(prelude_correlator_t) +-files_read_usr_files(prelude_correlator_t) files_search_spool(prelude_correlator_t) logging_send_syslog_msg(prelude_correlator_t) @@ -54430,7 +54880,7 @@ index db864df..6cff94f 100644 sysnet_dns_name_resolve(prelude_correlator_t) ######################################## -@@ -212,6 +201,8 @@ sysnet_dns_name_resolve(prelude_correlator_t) +@@ -212,6 +199,8 @@ sysnet_dns_name_resolve(prelude_correlator_t) # allow prelude_lml_t self:capability dac_override; @@ -54439,7 +54889,7 @@ index db864df..6cff94f 100644 allow prelude_lml_t self:fifo_file rw_fifo_file_perms; allow prelude_lml_t self:unix_stream_socket connectto; -@@ -262,8 +253,6 @@ libs_read_lib_files(prelude_lml_t) +@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t) logging_send_syslog_msg(prelude_lml_t) logging_read_generic_logs(prelude_lml_t) @@ -54667,7 +55117,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index d447152..170ed82 100644 +index d447152..543fa5c 100644 --- a/procmail.te +++ b/procmail.te @@ -1,4 +1,4 @@ 
@@ -54702,7 +55152,7 @@ index d447152..170ed82 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,56 +44,69 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,56 +44,68 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -54746,9 +55196,9 @@ index d447152..170ed82 100644 +corecmd_exec_shell(procmail_t) + files_read_etc_runtime_files(procmail_t) +-files_read_usr_files(procmail_t) +files_search_pids(procmail_t) +# for spamassasin - files_read_usr_files(procmail_t) -logging_send_syslog_msg(procmail_t) +application_exec_all(procmail_t) @@ -54796,7 +55246,7 @@ index d447152..170ed82 100644 optional_policy(` clamav_domtrans_clamscan(procmail_t) clamav_search_lib(procmail_t) -@@ -100,12 +117,7 @@ optional_policy(` +@@ -100,12 +116,7 @@ optional_policy(` ') optional_policy(` @@ -54810,7 +55260,7 @@ index d447152..170ed82 100644 ') optional_policy(` -@@ -113,16 +125,17 @@ optional_policy(` +@@ -113,16 +124,17 @@ optional_policy(` ') optional_policy(` @@ -54833,7 +55283,7 @@ index d447152..170ed82 100644 ') optional_policy(` -@@ -131,6 +144,8 @@ optional_policy(` +@@ -131,6 +143,8 @@ optional_policy(` ') optional_policy(` @@ -55012,10 +55462,18 @@ index 5427bb6..718c847 100644 optional_policy(` diff --git a/ptchown.te b/ptchown.te -index d67905e..d54cb62 100644 +index d67905e..2da9eca 100644 --- a/ptchown.te 
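Review bot: `# for spamassasin` is left dangling in the procmail_t block: the `files_read_usr_files(procmail_t)` line it explained is no longer in the patch, so the comment now sits directly above `application_exec_all(procmail_t)`, which is a broad grant (exec on every application entrypoint) rather than anything spamassassin-specific. If the intent is that procmail launches spamassassin through that rule, reword it and fix the spelling, e.g. `# procmail execs user filters such as spamassassin`; otherwise drop the comment. A reviewer should also confirm that `application_exec_all` is the intended width, since the old comment suggested a much narrower need. The procmail_t block extends beyond this hunk.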
+++ b/ptchown.te -@@ -31,4 +31,4 @@ term_setattr_all_ptys(ptchown_t) +@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t; + allow ptchown_t self:capability { chown fowner fsetid setuid }; + allow ptchown_t self:process { getcap setcap }; + +-files_read_etc_files(ptchown_t) + + fs_rw_anon_inodefs_files(ptchown_t) + +@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t) term_use_generic_ptys(ptchown_t) term_use_ptmx(ptchown_t) @@ -55431,7 +55889,7 @@ index fa3dc8e..ec47fb6 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index e31bbe1..276636a 100644 +index e31bbe1..822ab6c 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -1,4 +1,4 @@ @@ -55531,7 +55989,7 @@ index e31bbe1..276636a 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -85,24 +70,15 @@ kernel_read_kernel_sysctls(pulseaudio_t) +@@ -85,60 +70,51 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) @@ -55561,9 +56019,10 @@ index e31bbe1..276636a 100644 dev_read_sound(pulseaudio_t) dev_write_sound(pulseaudio_t) -@@ -111,34 +87,35 @@ dev_read_urand(pulseaudio_t) + dev_read_sysfs(pulseaudio_t) + dev_read_urand(pulseaudio_t) - files_read_usr_files(pulseaudio_t) +-files_read_usr_files(pulseaudio_t) +fs_rw_anon_inodefs_files(pulseaudio_t) fs_getattr_tmpfs(pulseaudio_t) @@ -55607,7 +56066,7 @@ index e31bbe1..276636a 100644 ') optional_policy(` -@@ -151,8 +128,9 @@ optional_policy(` +@@ -151,8 +127,9 @@ optional_policy(` optional_policy(` dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) @@ -55619,7 +56078,7 @@ index e31bbe1..276636a 100644 optional_policy(` consolekit_dbus_chat(pulseaudio_t) -@@ -172,16 +150,33 @@ optional_policy(` +@@ -172,16 +149,33 @@ optional_policy(` ') optional_policy(` 
@@ -55653,7 +56112,7 @@ index e31bbe1..276636a 100644 udev_read_state(pulseaudio_t) udev_read_db(pulseaudio_t) ') -@@ -194,7 +189,11 @@ optional_policy(` +@@ -194,7 +188,11 @@ optional_policy(` xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -55666,7 +56125,7 @@ index e31bbe1..276636a 100644 # # Client local policy # -@@ -208,8 +207,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi +@@ -208,8 +206,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi fs_getattr_tmpfs(pulseaudio_client) @@ -55675,7 +56134,7 @@ index e31bbe1..276636a 100644 corenet_tcp_sendrecv_generic_if(pulseaudio_client) corenet_tcp_sendrecv_generic_node(pulseaudio_client) -@@ -218,36 +215,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) +@@ -218,36 +214,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) pulseaudio_stream_connect(pulseaudio_client) @@ -56072,7 +56531,7 @@ index 7cb8b1f..b7b5ee7 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index f2309f4..050d953 100644 +index f2309f4..9282fbb 100644 --- a/puppet.te +++ b/puppet.te @@ -1,4 +1,4 @@ @@ -56163,7 +56622,7 @@ index f2309f4..050d953 100644 logging_log_filetrans(puppet_t, puppet_log_t, { file dir }) manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t) -@@ -91,30 +90,28 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) +@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir }) kernel_dontaudit_search_sysctl(puppet_t) kernel_dontaudit_search_kernel_sysctl(puppet_t) 
@@ -56200,7 +56659,9 @@ index f2309f4..050d953 100644 files_manage_config_files(puppet_t) files_manage_config_dirs(puppet_t) -@@ -124,10 +121,7 @@ files_read_usr_files(puppet_t) + files_manage_etc_dirs(puppet_t) + files_manage_etc_files(puppet_t) +-files_read_usr_files(puppet_t) files_read_usr_symlinks(puppet_t) files_relabel_config_dirs(puppet_t) files_relabel_config_files(puppet_t) @@ -56211,7 +56672,7 @@ index f2309f4..050d953 100644 selinux_set_all_booleans(puppet_t) selinux_set_generic_booleans(puppet_t) selinux_validate_context(puppet_t) -@@ -135,6 +129,8 @@ selinux_validate_context(puppet_t) +@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t) term_dontaudit_getattr_unallocated_ttys(puppet_t) term_dontaudit_getattr_all_ttys(puppet_t) @@ -56220,7 +56681,7 @@ index f2309f4..050d953 100644 init_all_labeled_script_domtrans(puppet_t) init_domtrans_script(puppet_t) init_read_utmp(puppet_t) -@@ -143,18 +139,15 @@ init_signull_script(puppet_t) +@@ -143,18 +138,15 @@ init_signull_script(puppet_t) logging_send_syslog_msg(puppet_t) miscfiles_read_hwdata(puppet_t) @@ -56241,7 +56702,7 @@ index f2309f4..050d953 100644 ') optional_policy(` -@@ -196,21 +189,92 @@ optional_policy(` +@@ -196,21 +188,92 @@ optional_policy(` ') optional_policy(` @@ -56340,7 +56801,7 @@ index f2309f4..050d953 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +285,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +284,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) 
@@ -56348,10 +56809,11 @@ index f2309f4..050d953 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -230,14 +295,12 @@ dev_read_urand(puppetca_t) +@@ -229,15 +293,12 @@ corecmd_exec_shell(puppetca_t) + dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) - files_read_etc_files(puppetca_t) +-files_read_etc_files(puppetca_t) -files_search_pids(puppetca_t) files_search_var_lib(puppetca_t) @@ -56363,7 +56825,7 @@ index f2309f4..050d953 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +309,52 @@ optional_policy(` +@@ -246,38 +307,52 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -56432,7 +56894,7 @@ index f2309f4..050d953 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,21 +366,23 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +364,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -56459,9 +56921,11 @@ index f2309f4..050d953 100644 domain_read_all_domains_state(puppetmaster_t) +domain_obj_id_change_exemption(puppetmaster_t) - files_read_usr_files(puppetmaster_t) +-files_read_usr_files(puppetmaster_t) -@@ -314,26 +393,27 @@ auth_use_nsswitch(puppetmaster_t) + selinux_validate_context(puppetmaster_t) + +@@ -314,26 +390,27 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -56496,7 +56960,7 @@ index f2309f4..050d953 100644 ') optional_policy(` -@@ -342,3 +422,9 @@ optional_policy(` +@@ -342,3 +419,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -56678,10 +57142,17 @@ index 3078e34..8f357cc 100644 - -miscfiles_read_localization(pwauth_t) diff --git a/pxe.te b/pxe.te -index 72db707..270bf8a 100644 +index 72db707..6dae5e5 100644 --- a/pxe.te 
+++ b/pxe.te -@@ -57,8 +57,6 @@ fs_search_auto_mountpoints(pxe_t) +@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t) + + domain_use_interactive_fds(pxe_t) + +-files_read_etc_files(pxe_t) + + fs_getattr_all_fs(pxe_t) + fs_search_auto_mountpoints(pxe_t) logging_send_syslog_msg(pxe_t) @@ -59479,7 +59950,7 @@ index 4460582..60cf556 100644 + ') diff --git a/radius.te b/radius.te -index 1e7927f..ff81482 100644 +index 1e7927f..5874c98 100644 --- a/radius.te +++ b/radius.te @@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) @@ -59505,7 +59976,15 @@ index 1e7927f..ff81482 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -109,7 +112,6 @@ libs_exec_lib_files(radiusd_t) +@@ -97,7 +100,6 @@ domain_use_interactive_fds(radiusd_t) + fs_getattr_all_fs(radiusd_t) + fs_search_auto_mountpoints(radiusd_t) + +-files_read_usr_files(radiusd_t) + files_read_etc_runtime_files(radiusd_t) + files_dontaudit_list_tmp(radiusd_t) + +@@ -109,7 +111,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -59568,6 +60047,18 @@ index b31f2d7..046f5b8 100644 userdom_dontaudit_use_unpriv_user_fds(radvd_t) userdom_dontaudit_search_user_home_dirs(radvd_t) +diff --git a/raid.fc b/raid.fc +index 5806046..01ca7cb 100644 +--- a/raid.fc ++++ b/raid.fc +@@ -16,6 +16,7 @@ + /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) ++/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0) + /usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) + + /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if index 951db7f..db0d815 100644 --- a/raid.if @@ -60274,7 +60765,7 @@ index 5ddedbc..4e15f29 100644 + ') ') diff --git a/rdisc.te b/rdisc.te -index 9196c1d..972b269 100644 +index 9196c1d..3dac4d9 100644 
--- a/rdisc.te +++ b/rdisc.te @@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t) @@ -60285,7 +60776,11 @@ index 9196c1d..972b269 100644 corenet_all_recvfrom_netlabel(rdisc_t) corenet_udp_sendrecv_generic_if(rdisc_t) corenet_raw_sendrecv_generic_if(rdisc_t) -@@ -43,8 +42,6 @@ files_read_etc_files(rdisc_t) +@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t) + + domain_use_interactive_fds(rdisc_t) + +-files_read_etc_files(rdisc_t) logging_send_syslog_msg(rdisc_t) @@ -60344,7 +60839,7 @@ index 661bb88..06f69c4 100644 +') + diff --git a/readahead.te b/readahead.te -index f1512d6..919a138 100644 +index f1512d6..ba3b9b2 100644 --- a/readahead.te +++ b/readahead.te @@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; @@ -60396,7 +60891,7 @@ index f1512d6..919a138 100644 fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -66,6 +80,7 @@ fs_read_cgroup_files(readahead_t) +@@ -66,13 +80,12 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) @@ -60404,15 +60899,14 @@ index f1512d6..919a138 100644 fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) -@@ -74,6 +89,7 @@ fs_dontaudit_use_tmpfs_chr_dev(readahead_t) - mcs_file_read_all(readahead_t) + fs_dontaudit_use_tmpfs_chr_dev(readahead_t) +-mcs_file_read_all(readahead_t) +- mls_file_read_all_levels(readahead_t) -+mcs_file_read_all(readahead_t) storage_raw_read_fixed_disk(readahead_t) - -@@ -84,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t) +@@ -84,13 +97,13 @@ auth_dontaudit_read_shadow(readahead_t) init_use_fds(readahead_t) init_use_script_ptys(readahead_t) init_getattr_initctl(readahead_t) @@ -60452,7 +60946,7 @@ index bff31df..e38693b 100644 ## ## diff --git a/realmd.te b/realmd.te -index 9a8f052..c994751 100644 +index 9a8f052..5372646 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ 
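Review bot: Removing `mcs_file_read_all(readahead_t)` in the readahead.te hunk (and `mcs_killall(rpm_script_t)` in the rpm.te hunk further down) drops the MCS category override these domains relied on, which is only safe if the interfaces or the constraints they feed have been retired elsewhere in the policy; these hunks do not show that. If the override is still consulted, readahead will be denied on files whose categories it does not dominate, which is easy to miss because the failures only appear on an MCS-labelled system. A short justification in the commit message, or a comment at the removal site, would let a later reader verify the reasoning.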
@@ -60476,7 +60970,7 @@ index 9a8f052..c994751 100644 # allow realmd_t self:capability sys_nice; -@@ -22,28 +23,32 @@ kernel_read_system_state(realmd_t) +@@ -22,28 +23,30 @@ kernel_read_system_state(realmd_t) corecmd_exec_bin(realmd_t) corecmd_exec_shell(realmd_t) @@ -60495,12 +60989,10 @@ index 9a8f052..c994751 100644 dev_read_urand(realmd_t) -fs_getattr_all_fs(realmd_t) -- -+files_read_etc_files(realmd_t) - files_read_usr_files(realmd_t) +-files_read_usr_files(realmd_t) +fs_getattr_all_fs(realmd_t) -+ + auth_use_nsswitch(realmd_t) logging_send_syslog_msg(realmd_t) @@ -60518,7 +61010,7 @@ index 9a8f052..c994751 100644 optional_policy(` dbus_system_domain(realmd_t, realmd_exec_t) -@@ -67,17 +72,21 @@ optional_policy(` +@@ -67,17 +70,21 @@ optional_policy(` optional_policy(` nis_exec_ypbind(realmd_t) @@ -60543,7 +61035,7 @@ index 9a8f052..c994751 100644 ') optional_policy(` -@@ -86,5 +95,9 @@ optional_policy(` +@@ -86,5 +93,9 @@ optional_policy(` sssd_manage_lib_files(realmd_t) sssd_manage_public_files(realmd_t) sssd_read_pid_files(realmd_t) @@ -60632,7 +61124,7 @@ index a9ce68e..31be971 100644 - allow $1 remote_login_tmp_t:file relabel_file_perms; -') diff --git a/remotelogin.te b/remotelogin.te -index c51a32c..18f59a7 100644 +index c51a32c..bef8238 100644 --- a/remotelogin.te +++ b/remotelogin.te @@ -1,4 +1,4 @@ @@ -60655,7 +61147,7 @@ index c51a32c..18f59a7 100644 # allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; -@@ -23,32 +20,42 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl +@@ -23,68 +20,79 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl allow remote_login_t self:process { setrlimit setexec }; allow remote_login_t self:fd use; allow remote_login_t self:fifo_file rw_fifo_file_perms; 
@@ -60705,7 +61197,12 @@ index c51a32c..18f59a7 100644 domain_read_all_entry_files(remote_login_t) -@@ -61,30 +68,32 @@ files_read_world_readable_symlinks(remote_login_t) + files_read_etc_runtime_files(remote_login_t) + files_list_home(remote_login_t) +-files_read_usr_files(remote_login_t) + files_list_world_readable(remote_login_t) + files_read_world_readable_files(remote_login_t) + files_read_world_readable_symlinks(remote_login_t) files_read_world_readable_pipes(remote_login_t) files_read_world_readable_sockets(remote_login_t) files_list_mnt(remote_login_t) @@ -60748,10 +61245,18 @@ index c51a32c..18f59a7 100644 ') diff --git a/resmgr.te b/resmgr.te -index 6f219b3..f38e183 100644 +index 6f219b3..6bef328 100644 --- a/resmgr.te +++ b/resmgr.te -@@ -54,8 +54,6 @@ storage_write_scsi_generic(resmgrd_t) +@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t) + + domain_use_interactive_fds(resmgrd_t) + +-files_read_etc_files(resmgrd_t) + + fs_search_auto_mountpoints(resmgrd_t) + +@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t) logging_send_syslog_msg(resmgrd_t) @@ -61682,7 +62187,7 @@ index 56bc01f..aee7ba7 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..4efe231 100644 +index 2c2de9a..337c06d 100644 --- a/rhcs.te +++ b/rhcs.te @@ -50,6 +50,10 @@ rhcs_domain_template(qdiskd) 
@@ -61822,16 +62327,17 @@ index 2c2de9a..4efe231 100644 ####################################### # # foghorn local policy -@@ -225,6 +259,8 @@ dev_read_urand(foghorn_t) +@@ -223,7 +257,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) - files_read_usr_files(foghorn_t) + dev_read_urand(foghorn_t) -+logging_send_syslog_msg(foghorn_t) +-files_read_usr_files(foghorn_t) + ++logging_send_syslog_msg(foghorn_t) + optional_policy(` dbus_connect_system_bus(foghorn_t) - ') -@@ -257,6 +293,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +292,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -61840,7 +62346,7 @@ index 2c2de9a..4efe231 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +313,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +312,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -61853,7 +62359,7 @@ index 2c2de9a..4efe231 100644 ###################################### # # qdiskd local policy -@@ -321,6 +359,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +358,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -61965,10 +62471,10 @@ index 0000000..bf11e25 +') diff --git a/rhev.te b/rhev.te new file mode 100644 -index 0000000..51b00c0 +index 0000000..26f7884 --- /dev/null +++ b/rhev.te -@@ -0,0 +1,117 @@ +@@ -0,0 +1,116 @@ +policy_module(rhev,1.0) + +######################################## @@ -62031,7 +62537,6 @@ index 0000000..51b00c0 + +files_getattr_all_mountpoints(rhev_agentd_t) +files_search_all_mountpoints(rhev_agentd_t) -+files_read_usr_files(rhev_agentd_t) + +auth_use_nsswitch(rhev_agentd_t) + @@ -62191,7 +62696,7 @@ index 1a134a7..793a29f 100644 allow $1 rhgb_tmpfs_t:file rw_file_perms; ') diff --git a/rhgb.te b/rhgb.te -index 3f32e4b..b729212 100644 +index 3f32e4b..f97ea42 100644 --- a/rhgb.te +++ b/rhgb.te @@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t) 
@@ -62202,7 +62707,19 @@ index 3f32e4b..b729212 100644 corenet_all_recvfrom_netlabel(rhgb_t) corenet_tcp_sendrecv_generic_if(rhgb_t) corenet_tcp_sendrecv_generic_node(rhgb_t) -@@ -89,7 +88,6 @@ libs_read_lib_files(rhgb_t) +@@ -57,11 +56,9 @@ dev_read_urand(rhgb_t) + + domain_use_interactive_fds(rhgb_t) + +-files_read_etc_files(rhgb_t) + files_read_var_files(rhgb_t) + files_read_etc_runtime_files(rhgb_t) + files_search_tmp(rhgb_t) +-files_read_usr_files(rhgb_t) + files_mounton_mnt(rhgb_t) + files_dontaudit_rw_root_dir(rhgb_t) + files_dontaudit_read_default_files(rhgb_t) +@@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t) logging_send_syslog_msg(rhgb_t) @@ -62303,10 +62820,10 @@ index 0000000..88087b7 +') diff --git a/rhnsd.te b/rhnsd.te new file mode 100644 -index 0000000..5b2757d +index 0000000..0e965c3 --- /dev/null +++ b/rhnsd.te -@@ -0,0 +1,41 @@ +@@ -0,0 +1,40 @@ +policy_module(rhnsd, 1.0.0) + +######################################## @@ -62340,7 +62857,6 @@ index 0000000..5b2757d + +corecmd_exec_bin(rhnsd_t) + -+files_read_etc_files(rhnsd_t) + +logging_send_syslog_msg(rhnsd_t) + @@ -62568,7 +63084,7 @@ index 6dbc905..92aac94 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..c254f12 100644 +index 1cedd70..a7c75e8 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -31,6 +31,7 @@ files_pid_file(rhsmcertd_var_run_t) @@ -62579,7 +63095,7 @@ index 1cedd70..c254f12 100644 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -52,21 +53,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) 
@@ -62596,8 +63112,8 @@ index 1cedd70..c254f12 100644 +dev_read_raw_memory(rhsmcertd_t) files_list_tmp(rhsmcertd_t) - files_read_etc_files(rhsmcertd_t) - files_read_usr_files(rhsmcertd_t) +-files_read_etc_files(rhsmcertd_t) +-files_read_usr_files(rhsmcertd_t) +files_manage_generic_locks(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) @@ -62855,7 +63371,7 @@ index 2ab3ed1..23d579c 100644 role_transition $2 ricci_initrc_exec_t system_r; allow $2 system_r; diff --git a/ricci.te b/ricci.te -index 9702ed2..6d40389 100644 +index 9702ed2..fa21335 100644 --- a/ricci.te +++ b/ricci.te @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) @@ -62953,8 +63469,11 @@ index 9702ed2..6d40389 100644 allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; kernel_read_kernel_sysctls(ricci_modstorage_t) -@@ -483,13 +472,19 @@ files_read_etc_runtime_files(ricci_modstorage_t) - files_read_usr_files(ricci_modstorage_t) +@@ -480,16 +469,21 @@ domain_read_all_domains_state(ricci_modstorage_t) + + files_manage_etc_files(ricci_modstorage_t) + files_read_etc_runtime_files(ricci_modstorage_t) +-files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) +files_create_default_dir(ricci_modstorage_t) @@ -63740,7 +64259,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..fd96b3c 100644 +index e5212e6..43a888d 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -63905,15 +64424,7 @@ index e5212e6..fd96b3c 100644 kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) -@@ -149,6 +90,7 @@ corecmd_exec_bin(rpcd_t) - - files_manage_mounttab(rpcd_t) - files_getattr_all_dirs(rpcd_t) -+files_read_usr_files(rpcd_t) - - fs_list_rpc(rpcd_t) - fs_read_rpc_files(rpcd_t) -@@ -160,13 +102,14 @@ fs_getattr_all_fs(rpcd_t) +@@ -160,13 +101,14 @@ fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) 
@@ -63931,7 +64442,7 @@ index e5212e6..fd96b3c 100644 optional_policy(` automount_signal(rpcd_t) -@@ -174,19 +117,23 @@ optional_policy(` +@@ -174,19 +116,23 @@ optional_policy(` ') optional_policy(` @@ -63959,7 +64470,7 @@ index e5212e6..fd96b3c 100644 ') ######################################## -@@ -195,41 +142,55 @@ optional_policy(` +@@ -195,41 +141,54 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -63998,7 +64509,6 @@ index e5212e6..fd96b3c 100644 +# cjp: this should really have its own type files_manage_mounttab(nfsd_t) +files_read_etc_runtime_files(nfsd_t) -+files_read_usr_files(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) @@ -64022,7 +64532,7 @@ index e5212e6..fd96b3c 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -64030,7 +64540,7 @@ index e5212e6..fd96b3c 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -64045,7 +64555,7 @@ index e5212e6..fd96b3c 100644 ') ######################################## -@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -64053,7 +64563,7 @@ index e5212e6..fd96b3c 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +240,29 @@ kernel_signal(gssd_t) +@@ -279,25 +238,29 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) 
@@ -64086,7 +64596,7 @@ index e5212e6..fd96b3c 100644 ') optional_policy(` -@@ -306,8 +271,7 @@ optional_policy(` +@@ -306,8 +269,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -64096,7 +64606,7 @@ index e5212e6..fd96b3c 100644 ') optional_policy(` -@@ -315,7 +279,7 @@ optional_policy(` +@@ -315,7 +277,7 @@ optional_policy(` ') optional_policy(` @@ -64260,7 +64770,7 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index c49828c..1f39c7c 100644 +index c49828c..13e491e 100644 --- a/rpcbind.te +++ b/rpcbind.te @@ -42,7 +42,8 @@ kernel_read_system_state(rpcbind_t) @@ -64273,8 +64783,11 @@ index c49828c..1f39c7c 100644 corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) -@@ -65,9 +66,9 @@ domain_use_interactive_fds(rpcbind_t) - files_read_etc_files(rpcbind_t) +@@ -62,12 +63,11 @@ corecmd_exec_shell(rpcbind_t) + + domain_use_interactive_fds(rpcbind_t) + +-files_read_etc_files(rpcbind_t) files_read_etc_runtime_files(rpcbind_t) -logging_send_syslog_msg(rpcbind_t) @@ -64286,10 +64799,10 @@ index c49828c..1f39c7c 100644 sysnet_dns_name_resolve(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..ee55335 100644 +index ebe91fc..3916381 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -1,61 +1,64 @@ +@@ -1,61 +1,65 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) @@ -64373,6 +64886,7 @@ index ebe91fc..ee55335 100644 +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) -/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) 
@@ -64918,7 +65432,7 @@ index 0628d50..bedc8ae 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..b33a77d 100644 +index 5cbe81c..9f7e65d 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,11 @@ @@ -65207,7 +65721,7 @@ index 5cbe81c..b33a77d 100644 kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) -@@ -277,38 +290,22 @@ kernel_read_network_state(rpm_script_t) +@@ -277,45 +290,27 @@ kernel_read_network_state(rpm_script_t) kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) @@ -65250,7 +65764,14 @@ index 5cbe81c..b33a77d 100644 fs_getattr_xattr_fs(rpm_script_t) fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) -@@ -331,30 +328,49 @@ storage_raw_write_fixed_disk(rpm_script_t) + fs_search_auto_mountpoints(rpm_script_t) + +-mcs_killall(rpm_script_t) +- + mls_file_read_all_levels(rpm_script_t) + mls_file_write_all_levels(rpm_script_t) + +@@ -331,30 +326,49 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -65309,7 +65830,7 @@ index 5cbe81c..b33a77d 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,24 +379,24 @@ ifdef(`distro_redhat',` +@@ -363,24 +377,24 @@ ifdef(`distro_redhat',` ') ') @@ -65341,7 +65862,7 @@ index 5cbe81c..b33a77d 100644 ') optional_policy(` -@@ -388,8 +404,17 @@ optional_policy(` +@@ -388,8 +402,17 @@ optional_policy(` ') optional_policy(` @@ -65361,7 +65882,7 @@ index 5cbe81c..b33a77d 100644 ') optional_policy(` -@@ -397,6 +422,7 @@ optional_policy(` +@@ -397,6 +420,7 @@ optional_policy(` ') optional_policy(` @@ -65369,7 +65890,7 @@ index 5cbe81c..b33a77d 100644 unconfined_domtrans(rpm_script_t) optional_policy(` -@@ -409,6 +435,6 @@ optional_policy(` +@@ -409,6 +433,6 @@ optional_policy(` ') optional_policy(` @@ -65409,10 +65930,10 @@ index 7ad29c0..2e87d76 100644 domtrans_pattern($1, rshd_exec_t, rshd_t) ') 
diff --git a/rshd.te b/rshd.te -index f842825..23c58c2 100644 +index f842825..24cf46d 100644 --- a/rshd.te +++ b/rshd.te -@@ -1,62 +1,76 @@ +@@ -1,62 +1,75 @@ -policy_module(rshd, 1.7.1) +policy_module(rshd, 1.7.0) @@ -65473,7 +65994,6 @@ index f842825..23c58c2 100644 corecmd_read_bin_symlinks(rshd_t) files_list_home(rshd_t) -+files_read_etc_files(rshd_t) +files_search_tmp(rshd_t) + +auth_login_pgm_domain(rshd_t) @@ -65509,18 +66029,20 @@ index f842825..23c58c2 100644 optional_policy(` diff --git a/rssh.te b/rssh.te -index d1fd97f..88bd6f7 100644 +index d1fd97f..7ee8502 100644 --- a/rssh.te +++ b/rssh.te -@@ -60,7 +60,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) +@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) kernel_read_system_state(rssh_t) kernel_read_kernel_sysctls(rssh_t) -files_read_etc_files(rssh_t) files_read_etc_runtime_files(rssh_t) files_list_home(rssh_t) - files_read_usr_files(rssh_t) -@@ -70,8 +69,6 @@ fs_search_auto_mountpoints(rssh_t) +-files_read_usr_files(rssh_t) + files_list_var(rssh_t) + + fs_search_auto_mountpoints(rssh_t) logging_send_syslog_msg(rssh_t) @@ -65529,7 +66051,7 @@ index d1fd97f..88bd6f7 100644 rssh_domtrans_chroot_helper(rssh_t) ssh_rw_tcp_sockets(rssh_t) -@@ -95,5 +92,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t) +@@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t) auth_use_nsswitch(rssh_chroot_helper_t) logging_send_syslog_msg(rssh_chroot_helper_t) @@ -66155,7 +66677,7 @@ index 0360ff0..e6cb34f 100644 init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rwho.te b/rwho.te -index 9927d29..9ee5654 100644 +index 9927d29..6746952 100644 --- a/rwho.te +++ b/rwho.te @@ -16,7 +16,7 @@ type rwho_log_t; 
@@ -66175,7 +66697,14 @@ index 9927d29..9ee5654 100644 corenet_all_recvfrom_netlabel(rwho_t) corenet_udp_sendrecv_generic_if(rwho_t) corenet_udp_sendrecv_generic_node(rwho_t) -@@ -57,8 +56,7 @@ init_dontaudit_write_utmp(rwho_t) +@@ -50,15 +49,13 @@ corenet_udp_sendrecv_rwho_port(rwho_t) + + domain_use_interactive_fds(rwho_t) + +-files_read_etc_files(rwho_t) + + init_read_utmp(rwho_t) + init_dontaudit_write_utmp(rwho_t) logging_send_syslog_msg(rwho_t) @@ -67044,7 +67573,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..7e70344 100644 +index 57c034b..bb73e4a 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -67351,14 +67880,14 @@ index 57c034b..7e70344 100644 +allow smbd_t self:udp_socket create_socket_perms; +allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+allow smbd_t nmbd_t:process { signal signull }; -allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }; -+allow smbd_t nmbd_var_run_t:file rw_file_perms; -+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++allow smbd_t nmbd_t:process { signal signull }; -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms }; ++allow smbd_t nmbd_var_run_t:file rw_file_perms; ++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++ +allow smbd_t samba_etc_t:file { rw_file_perms setattr }; manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) @@ -67452,7 +67981,7 @@ index 57c034b..7e70344 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) -@@ -360,44 +348,55 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +348,54 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) 
@@ -67469,7 +67998,6 @@ index 57c034b..7e70344 100644 + +files_list_var_lib(smbd_t) +files_read_etc_runtime_files(smbd_t) -+files_read_usr_files(smbd_t) +files_search_spool(smbd_t) +# smbd seems to getattr all mountpoints +files_dontaudit_getattr_all_dirs(smbd_t) @@ -67519,7 +68047,7 @@ index 57c034b..7e70344 100644 ') tunable_policy(`samba_domain_controller',` -@@ -413,20 +412,10 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +411,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -67542,7 +68070,7 @@ index 57c034b..7e70344 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -435,6 +424,7 @@ tunable_policy(`samba_share_nfs',` +@@ -435,6 +423,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -67550,7 +68078,7 @@ index 57c034b..7e70344 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -442,17 +432,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -442,17 +431,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -67568,7 +68096,7 @@ index 57c034b..7e70344 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -473,6 +452,11 @@ optional_policy(` +@@ -473,6 +451,11 @@ optional_policy(` ') optional_policy(` @@ -67580,7 +68108,7 @@ index 57c034b..7e70344 100644 lpd_exec_lpr(smbd_t) ') -@@ -493,9 +477,32 @@ optional_policy(` +@@ -493,9 +476,32 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -67614,7 +68142,7 @@ index 57c034b..7e70344 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +513,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +512,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
@@ -67629,7 +68157,7 @@ index 57c034b..7e70344 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +529,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +528,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -67652,7 +68180,7 @@ index 57c034b..7e70344 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +546,40 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +545,39 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -67684,7 +68212,7 @@ index 57c034b..7e70344 100644 + domain_use_interactive_fds(nmbd_t) - files_read_usr_files(nmbd_t) +-files_read_usr_files(nmbd_t) files_list_var_lib(nmbd_t) -fs_getattr_all_fs(nmbd_t) @@ -67715,7 +68243,7 @@ index 57c034b..7e70344 100644 ') optional_policy(` -@@ -600,17 +592,24 @@ optional_policy(` +@@ -600,17 +590,24 @@ optional_policy(` ######################################## # 
@@ -67735,22 +68263,21 @@ index 57c034b..7e70344 100644 -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) +allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) - ++ +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) +allow smbcontrol_t winbind_t:process { signal signull }; -+ + +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -620,16 +619,13 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +617,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) -files_read_etc_files(smbcontrol_t) -files_search_var_lib(smbcontrol_t) -+files_read_usr_files(smbcontrol_t) term_use_console(smbcontrol_t) @@ -67763,7 +68290,7 @@ index 57c034b..7e70344 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +633,23 @@ optional_policy(` +@@ -637,22 +630,23 @@ optional_policy(` ######################################## # @@ -67795,7 +68322,7 @@ index 57c034b..7e70344 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +658,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +655,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") 
@@ -67831,19 +68358,19 @@ index 57c034b..7e70344 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +685,78 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +682,78 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) -auth_use_nsswitch(smbmount_t) +corecmd_list_bin(smbmount_t) - --miscfiles_read_localization(smbmount_t) ++ +files_list_mnt(smbmount_t) +files_mounton_mnt(smbmount_t) +files_manage_etc_runtime_files(smbmount_t) +files_etc_filetrans_etc_runtime(smbmount_t, file) -+ + +-miscfiles_read_localization(smbmount_t) +auth_use_nsswitch(smbmount_t) -mount_use_fds(smbmount_t) @@ -67924,7 +68451,7 @@ index 57c034b..7e70344 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +765,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +762,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -67948,7 +68475,7 @@ index 57c034b..7e70344 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,28 +779,19 @@ kernel_read_network_state(swat_t) +@@ -770,36 +776,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -67983,15 +68510,15 @@ index 57c034b..7e70344 100644 dev_read_urand(swat_t) -@@ -799,7 +799,6 @@ files_list_var_lib(swat_t) + files_list_var_lib(swat_t) files_search_home(swat_t) - files_read_usr_files(swat_t) +-files_read_usr_files(swat_t) fs_getattr_xattr_fs(swat_t) -files_list_var_lib(swat_t) auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +810,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +806,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) 
@@ -68005,7 +68532,7 @@ index 57c034b..7e70344 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -837,13 +837,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +@@ -837,13 +833,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; @@ -68025,7 +68552,7 @@ index 57c034b..7e70344 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +855,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +851,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -68036,7 +68563,7 @@ index 57c034b..7e70344 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -863,26 +863,25 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) +@@ -863,26 +859,25 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) files_var_filetrans(winbind_t, samba_var_t, dir, "samba") @@ -68070,7 +68597,7 @@ index 57c034b..7e70344 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +890,18 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +886,18 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) 
@@ -68092,7 +68619,7 @@ index 57c034b..7e70344 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +909,7 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +905,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -68100,11 +68627,10 @@ index 57c034b..7e70344 100644 - -files_read_usr_symlinks(winbind_t) -files_list_var_lib(winbind_t) -+files_read_usr_files(winbind_t) fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,11 +918,17 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,11 +913,17 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -68123,7 +68649,7 @@ index 57c034b..7e70344 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) userdom_manage_user_home_content_files(winbind_t) -@@ -936,6 +943,10 @@ optional_policy(` +@@ -936,6 +938,10 @@ optional_policy(` ') optional_policy(` @@ -68134,7 +68660,7 @@ index 57c034b..7e70344 100644 kerberos_use(winbind_t) ') -@@ -952,31 +963,29 @@ optional_policy(` +@@ -952,31 +958,29 @@ optional_policy(` # Winbind helper local policy # @@ -68172,7 +68698,7 @@ index 57c034b..7e70344 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +999,38 @@ optional_policy(` +@@ -990,25 +994,38 @@ optional_policy(` ######################################## # @@ -68370,10 +68896,10 @@ index 0000000..577dfa7 +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..db440d4 +index 0000000..3fc69d5 --- /dev/null +++ b/sandbox.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,65 @@ +policy_module(sandbox,1.0.0) + +attribute sandbox_domain; 
@@ -68428,7 +68954,6 @@ index 0000000..db440d4 +files_entrypoint_all_files(sandbox_domain) + +files_read_config_files(sandbox_domain) -+files_read_usr_files(sandbox_domain) +files_read_var_files(sandbox_domain) +files_dontaudit_search_all_dirs(sandbox_domain) + @@ -68847,10 +69372,10 @@ index 0000000..1b21b7b +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..7a746a3 +index 0000000..449a87c --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,464 @@ +@@ -0,0 +1,462 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -68938,7 +69463,6 @@ index 0000000..7a746a3 +domain_use_interactive_fds(sandbox_xserver_t) + +files_read_config_files(sandbox_xserver_t) -+files_read_usr_files(sandbox_xserver_t) +files_search_home(sandbox_xserver_t) +fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) +fs_list_inotifyfs(sandbox_xserver_t) @@ -69021,7 +69545,6 @@ index 0000000..7a746a3 +files_dontaudit_list_all_mountpoints(sandbox_x_domain) +files_entrypoint_all_files(sandbox_x_domain) +files_read_config_files(sandbox_x_domain) -+files_read_usr_files(sandbox_x_domain) +files_read_usr_symlinks(sandbox_x_domain) + +fs_getattr_tmpfs(sandbox_x_domain) @@ -69668,7 +70191,7 @@ index b2f388a..3e6a93f 100644 init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/sasl.te b/sasl.te -index a63b875..88a01c0 100644 +index a63b875..64a7c79 100644 --- a/sasl.te +++ b/sasl.te @@ -1,4 +1,4 @@ @@ -69740,13 +70263,12 @@ index a63b875..88a01c0 100644 fs_getattr_all_fs(saslauthd_t) fs_search_auto_mountpoints(saslauthd_t) -@@ -73,33 +64,38 @@ selinux_compute_access_vector(saslauthd_t) +@@ -73,33 +64,37 @@ selinux_compute_access_vector(saslauthd_t) auth_use_pam(saslauthd_t) +domain_use_interactive_fds(saslauthd_t) + -+files_read_etc_files(saslauthd_t) +files_dontaudit_read_etc_runtime_files(saslauthd_t) +files_search_var_lib(saslauthd_t) +files_dontaudit_getattr_home_dir(saslauthd_t) 
@@ -70109,7 +70631,7 @@ index c21ddcc..ee00be2 100644 + can_exec($1, screen_exec_t) +') diff --git a/screen.te b/screen.te -index f095081..86af6f6 100644 +index f095081..c0d7b61 100644 --- a/screen.te +++ b/screen.te @@ -1,13 +1,11 @@ @@ -70186,7 +70708,7 @@ index f095081..86af6f6 100644 kernel_read_kernel_sysctls(screen_domain) corecmd_list_bin(screen_domain) -@@ -65,55 +58,41 @@ corecmd_read_bin_symlinks(screen_domain) +@@ -65,55 +58,39 @@ corecmd_read_bin_symlinks(screen_domain) corecmd_read_bin_pipes(screen_domain) corecmd_read_bin_sockets(screen_domain) @@ -70215,8 +70737,7 @@ index f095081..86af6f6 100644 +files_search_tmp(screen_domain) +files_search_home(screen_domain) files_list_home(screen_domain) - files_read_usr_files(screen_domain) -+files_read_etc_files(screen_domain) +-files_read_usr_files(screen_domain) fs_search_auto_mountpoints(screen_domain) -fs_getattr_all_fs(screen_domain) @@ -70681,7 +71202,7 @@ index 88e753f..ca74cd9 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 5f35d78..a536819 100644 +index 5f35d78..9bef62c 100644 --- a/sendmail.te +++ b/sendmail.te @@ -1,18 +1,10 @@ @@ -70780,7 +71301,7 @@ index 5f35d78..a536819 100644 fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) -@@ -93,35 +71,50 @@ fs_rw_anon_inodefs_files(sendmail_t) +@@ -93,35 +71,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) @@ -70790,7 +71311,6 @@ index 5f35d78..a536819 100644 + +domain_use_interactive_fds(sendmail_t) + -+files_read_usr_files(sendmail_t) +files_search_spool(sendmail_t) +# for piping mail to a command +files_read_etc_runtime_files(sendmail_t) @@ -70837,7 +71357,7 @@ index 5f35d78..a536819 100644 ') optional_policy(` -@@ -166,6 +159,11 @@ optional_policy(` +@@ -166,6 +158,11 @@ optional_policy(` ') optional_policy(` 
@@ -70849,7 +71369,7 @@ index 5f35d78..a536819 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -187,21 +185,13 @@ optional_policy(` +@@ -187,21 +184,13 @@ optional_policy(` ') optional_policy(` @@ -71097,7 +71617,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..ab3ba4d 100644 +index 49b12ae..0a0f095 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -71186,7 +71706,15 @@ index 49b12ae..ab3ba4d 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -108,13 +114,13 @@ init_dontaudit_write_utmp(setroubleshootd_t) +@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t) + domain_dontaudit_search_all_domains_state(setroubleshootd_t) + domain_signull_all_domains(setroubleshootd_t) + +-files_read_usr_files(setroubleshootd_t) + files_list_all(setroubleshootd_t) + files_getattr_all_files(setroubleshootd_t) + files_getattr_all_pipes(setroubleshootd_t) +@@ -108,13 +113,13 @@ init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -71202,7 +71730,7 @@ index 49b12ae..ab3ba4d 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) -@@ -123,11 +129,7 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -123,11 +128,7 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -71215,7 +71743,7 @@ index 49b12ae..ab3ba4d 100644 ') optional_policy(` -@@ -135,10 +137,18 @@ optional_policy(` +@@ -135,10 +136,18 @@ optional_policy(` ') optional_policy(` @@ -71234,7 +71762,7 @@ index 49b12ae..ab3ba4d 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,15 +158,17 @@ optional_policy(` +@@ -148,15 +157,17 @@ optional_policy(` ######################################## # 
@@ -71253,7 +71781,7 @@ index 49b12ae..ab3ba4d 100644 setroubleshoot_stream_connect(setroubleshoot_fixit_t) kernel_read_system_state(setroubleshoot_fixit_t) -@@ -165,7 +177,12 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -165,9 +176,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t) @@ -71264,9 +71792,11 @@ index 49b12ae..ab3ba4d 100644 +seutil_domtrans_setsebool(setroubleshoot_fixit_t) +seutil_read_module_store(setroubleshoot_fixit_t) - files_read_usr_files(setroubleshoot_fixit_t) +-files_read_usr_files(setroubleshoot_fixit_t) files_list_tmp(setroubleshoot_fixit_t) -@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) + + auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +190,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -71344,10 +71874,10 @@ index 0000000..c9d2d9c + diff --git a/sge.te b/sge.te new file mode 100644 -index 0000000..d43336f +index 0000000..9a329a1 --- /dev/null +++ b/sge.te -@@ -0,0 +1,193 @@ +@@ -0,0 +1,191 @@ +policy_module(sge, 1.0.0) + +######################################## @@ -71513,8 +72043,6 @@ index 0000000..d43336f + +domain_read_all_domains_state(sge_domain) + -+files_read_etc_files(sge_domain) -+files_read_usr_files(sge_domain) + +dev_read_urand(sge_domain) + @@ -71725,7 +72253,7 @@ index 1aeef8a..d5ce40a 100644 admin_pattern($1, shorewall_etc_t) diff --git a/shorewall.te b/shorewall.te -index ca03de6..bcf990d 100644 +index ca03de6..f80249c 100644 --- a/shorewall.te +++ b/shorewall.te @@ -57,6 +57,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) 
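Review bot: Dropping the two `+files_read_*(sge_domain)` lines in `@@ -71513,8 +72043,6 @@` leaves two consecutive empty `+` lines in the generated sge.te, because both the blank before and the blank after the removed pair are kept. The same back-to-back blank lines appear in thin.te (`@@ -77276,13 +77890,11 @@`, twice) and speedtouch.te (`@@ -74158,10 +74744,18 @@`). Removing one of the surrounding blank lines in each case keeps the one-blank-line-between-groups layout the rest of these files follow.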
@@ -71738,7 +72266,15 @@ index ca03de6..bcf990d 100644 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; -@@ -86,12 +89,13 @@ init_rw_utmp(shorewall_t) +@@ -74,7 +77,6 @@ dev_read_urand(shorewall_t) + domain_read_all_domains_state(shorewall_t) + + files_getattr_kernel_modules(shorewall_t) +-files_read_usr_files(shorewall_t) + files_search_kernel_modules(shorewall_t) + + fs_getattr_all_fs(shorewall_t) +@@ -86,12 +88,13 @@ init_rw_utmp(shorewall_t) logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) @@ -71766,7 +72302,7 @@ index a91f33b..631dbc1 100644 -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/shutdown.if b/shutdown.if -index d1706bf..aa97fad 100644 +index d1706bf..87ab4a7 100644 --- a/shutdown.if +++ b/shutdown.if @@ -1,30 +1,4 @@ @@ -71869,7 +72405,7 @@ index d1706bf..aa97fad 100644 + shutdown_run($2, $1) + + allow $2 shutdown_t:process { ptrace signal_perms }; -+ ps_process_pattern($2, shutdown_t ++ ps_process_pattern($2, shutdown_t) +') + +######################################## @@ -72055,7 +72591,7 @@ index 66ac42a..f28fadc 100644 -miscfiles_read_localization(slpd_t) +sysnet_dns_name_resolve(slpd_t) diff --git a/slrnpull.te b/slrnpull.te -index 5437237..d46f779 100644 +index 5437237..3dfc982 100644 --- a/slrnpull.te +++ b/slrnpull.te @@ -13,7 +13,7 @@ type slrnpull_var_run_t; @@ -72067,7 +72603,15 @@ index 5437237..d46f779 100644 type slrnpull_log_t; logging_log_file(slrnpull_log_t) -@@ -52,8 +52,6 @@ fs_search_auto_mountpoints(slrnpull_t) +@@ -44,7 +44,6 @@ dev_read_sysfs(slrnpull_t) + + domain_use_interactive_fds(slrnpull_t) + +-files_read_etc_files(slrnpull_t) + files_search_spool(slrnpull_t) + + fs_getattr_all_fs(slrnpull_t) +@@ -52,8 +51,6 @@ fs_search_auto_mountpoints(slrnpull_t) logging_send_syslog_msg(slrnpull_t) 
@@ -72096,10 +72640,10 @@ index e0644b5..ea347cc 100644 domain_system_change_exemption($1) role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te -index 9ade9c5..48444ed 100644 +index 9ade9c5..ff7649e 100644 --- a/smartmon.te +++ b/smartmon.te -@@ -60,6 +60,11 @@ kernel_read_system_state(fsdaemon_t) +@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) corecmd_exec_all_executables(fsdaemon_t) @@ -72111,7 +72655,12 @@ index 9ade9c5..48444ed 100644 dev_read_sysfs(fsdaemon_t) dev_read_urand(fsdaemon_t) -@@ -72,9 +77,12 @@ files_read_usr_files(fsdaemon_t) + domain_use_interactive_fds(fsdaemon_t) + + files_exec_etc_files(fsdaemon_t) +-files_read_etc_files(fsdaemon_t) + files_read_etc_runtime_files(fsdaemon_t) +-files_read_usr_files(fsdaemon_t) fs_getattr_all_fs(fsdaemon_t) fs_search_auto_mountpoints(fsdaemon_t) @@ -72124,7 +72673,7 @@ index 9ade9c5..48444ed 100644 storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) -@@ -85,6 +93,8 @@ term_dontaudit_search_ptys(fsdaemon_t) +@@ -85,6 +91,8 @@ term_dontaudit_search_ptys(fsdaemon_t) application_signull(fsdaemon_t) @@ -72133,7 +72682,7 @@ index 9ade9c5..48444ed 100644 init_read_utmp(fsdaemon_t) libs_exec_ld_so(fsdaemon_t) -@@ -92,7 +102,7 @@ libs_exec_lib_files(fsdaemon_t) +@@ -92,7 +100,7 @@ libs_exec_lib_files(fsdaemon_t) logging_send_syslog_msg(fsdaemon_t) @@ -72142,7 +72691,7 @@ index 9ade9c5..48444ed 100644 sysnet_dns_name_resolve(fsdaemon_t) -@@ -122,3 +132,7 @@ optional_policy(` +@@ -122,3 +130,7 @@ optional_policy(` optional_policy(` udev_read_db(fsdaemon_t) ') @@ -72168,10 +72717,18 @@ index 1fa51c1..82e111c 100644 smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/smokeping.te b/smokeping.te -index a8b1aaf..3769d45 100644 +index a8b1aaf..a09f2fe 100644 --- a/smokeping.te 
+++ b/smokeping.te -@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t) +@@ -39,7 +39,6 @@ corecmd_exec_bin(smokeping_t) + + dev_read_urand(smokeping_t) + +-files_read_usr_files(smokeping_t) + files_search_tmp(smokeping_t) + + auth_use_nsswitch(smokeping_t) +@@ -47,8 +46,6 @@ auth_dontaudit_read_shadow(smokeping_t) logging_send_syslog_msg(smokeping_t) @@ -72180,7 +72737,7 @@ index a8b1aaf..3769d45 100644 mta_send_mail(smokeping_t) netutils_domtrans_ping(smokeping_t) -@@ -70,6 +68,8 @@ optional_policy(` +@@ -70,6 +67,8 @@ optional_policy(` files_search_tmp(httpd_smokeping_cgi_script_t) files_search_var_lib(httpd_smokeping_cgi_script_t) @@ -72686,7 +73243,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 81864ce..cc44e06 100644 +index 81864ce..bcd62b2 100644 --- a/snmp.te +++ b/snmp.te @@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t) @@ -72720,7 +73277,15 @@ index 81864ce..cc44e06 100644 corenet_all_recvfrom_netlabel(snmpd_t) corenet_tcp_sendrecv_generic_if(snmpd_t) corenet_udp_sendrecv_generic_if(snmpd_t) -@@ -103,6 +106,7 @@ fs_getattr_all_fs(snmpd_t) +@@ -94,7 +97,6 @@ domain_signull_all_domains(snmpd_t) + domain_read_all_domains_state(snmpd_t) + domain_exec_all_entry_files(snmpd_t) + +-files_read_usr_files(snmpd_t) + files_read_etc_runtime_files(snmpd_t) + files_search_home(snmpd_t) + +@@ -103,6 +105,7 @@ fs_getattr_all_fs(snmpd_t) files_list_all(snmpd_t) files_search_all_mountpoints(snmpd_t) fs_search_auto_mountpoints(snmpd_t) @@ -72728,7 +73293,7 @@ index 81864ce..cc44e06 100644 storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) -@@ -112,16 +116,25 @@ auth_use_nsswitch(snmpd_t) +@@ -112,16 +115,25 @@ auth_use_nsswitch(snmpd_t) init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) @@ -72832,10 +73397,18 @@ index ccd28bb..b9e856e 100644 userdom_dontaudit_use_unpriv_user_fds(snort_t) 
diff --git a/sosreport.te b/sosreport.te -index 703efa3..ec61db7 100644 +index 703efa3..de313d7 100644 --- a/sosreport.te +++ b/sosreport.te -@@ -84,6 +84,10 @@ fs_list_inotifyfs(sosreport_t) +@@ -70,7 +70,6 @@ files_list_all(sosreport_t) + files_read_config_files(sosreport_t) + files_read_generic_tmp_files(sosreport_t) + files_read_non_auth_files(sosreport_t) +-files_read_usr_files(sosreport_t) + files_read_var_lib_files(sosreport_t) + files_read_var_symlinks(sosreport_t) + files_read_kernel_modules(sosreport_t) +@@ -84,6 +83,10 @@ fs_list_inotifyfs(sosreport_t) storage_dontaudit_read_fixed_disk(sosreport_t) storage_dontaudit_read_removable_device(sosreport_t) @@ -72846,7 +73419,7 @@ index 703efa3..ec61db7 100644 auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) -@@ -93,9 +97,8 @@ libs_domtrans_ldconfig(sosreport_t) +@@ -93,9 +96,8 @@ libs_domtrans_ldconfig(sosreport_t) logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) @@ -72857,7 +73430,7 @@ index 703efa3..ec61db7 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -111,6 +114,11 @@ optional_policy(` +@@ -111,6 +113,11 @@ optional_policy(` ') optional_policy(` @@ -72889,7 +73462,7 @@ index a5abc5a..b9eff74 100644 domain_system_change_exemption($1) role_transition $2 soundd_initrc_exec_t system_r; diff --git a/soundserver.te b/soundserver.te -index db1bc6f..40abb06 100644 +index db1bc6f..b6c0d16 100644 --- a/soundserver.te +++ b/soundserver.te @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t) 
@@ -72900,7 +73473,15 @@ index db1bc6f..40abb06 100644 corenet_all_recvfrom_netlabel(soundd_t) corenet_tcp_sendrecv_generic_if(soundd_t) corenet_tcp_sendrecv_generic_node(soundd_t) -@@ -89,8 +88,6 @@ fs_search_auto_mountpoints(soundd_t) +@@ -81,7 +80,6 @@ dev_write_sound(soundd_t) + + domain_use_interactive_fds(soundd_t) + +-files_read_etc_files(soundd_t) + files_read_etc_runtime_files(soundd_t) + + fs_getattr_all_fs(soundd_t) +@@ -89,8 +87,6 @@ fs_search_auto_mountpoints(soundd_t) logging_send_syslog_msg(soundd_t) @@ -73387,7 +73968,7 @@ index 1499b0b..82fc7f6 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index 4faa7e0..18d0efc 100644 +index 4faa7e0..c7f47b3 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -1,4 +1,4 @@ @@ -73466,7 +74047,7 @@ index 4faa7e0..18d0efc 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,49 +39,154 @@ type spamd_log_t; +@@ -72,87 +39,198 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; @@ -73627,8 +74208,8 @@ index 4faa7e0..18d0efc 100644 -files_read_etc_files(spamassassin_t) files_read_etc_runtime_files(spamassassin_t) files_list_home(spamassassin_t) - files_read_usr_files(spamassassin_t) -@@ -122,37 +194,44 @@ files_dontaudit_search_var(spamassassin_t) +-files_read_usr_files(spamassassin_t) + files_dontaudit_search_var(spamassassin_t) logging_send_syslog_msg(spamassassin_t) @@ -73687,7 +74268,7 @@ index 4faa7e0..18d0efc 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +239,8 @@ optional_policy(` +@@ -160,6 +238,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -73696,7 +74277,7 @@ index 4faa7e0..18d0efc 100644 ') ######################################## -@@ -167,72 +248,88 @@ optional_policy(` +@@ -167,72 +247,87 @@ optional_policy(` # Client local policy # 
@@ -73786,7 +74367,7 @@ index 4faa7e0..18d0efc 100644 +domain_use_interactive_fds(spamc_t) files_read_etc_runtime_files(spamc_t) - files_read_usr_files(spamc_t) +-files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) +# cjp: this may be removable: files_list_home(spamc_t) @@ -73815,7 +74396,7 @@ index 4faa7e0..18d0efc 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +340,7 @@ optional_policy(` +@@ -243,6 +338,7 @@ optional_policy(` ') optional_policy(` @@ -73823,7 +74404,7 @@ index 4faa7e0..18d0efc 100644 evolution_stream_connect(spamc_t) ') -@@ -251,52 +349,55 @@ optional_policy(` +@@ -251,52 +347,55 @@ optional_policy(` ') optional_policy(` @@ -73904,7 +74485,7 @@ index 4faa7e0..18d0efc 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,6 +409,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,6 +407,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -73912,7 +74493,7 @@ index 4faa7e0..18d0efc 100644 allow spamd_t spamd_var_lib_t:dir list_dir_perms; manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +419,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +417,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) 
@@ -73928,7 +74509,7 @@ index 4faa7e0..18d0efc 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +434,62 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +432,61 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -73964,29 +74545,29 @@ index 4faa7e0..18d0efc 100644 dev_read_sysfs(spamd_t) dev_read_urand(spamd_t) -+fs_getattr_all_fs(spamd_t) -+fs_search_auto_mountpoints(spamd_t) -+ -+auth_dontaudit_read_shadow(spamd_t) -+ +-domain_use_interactive_fds(spamd_t) +- +-files_read_usr_files(spamd_t) +-files_read_etc_runtime_files(spamd_t) +- + fs_getattr_all_fs(spamd_t) + fs_search_auto_mountpoints(spamd_t) + +-auth_use_nsswitch(spamd_t) + auth_dontaudit_read_shadow(spamd_t) + +corecmd_exec_bin(spamd_t) + - domain_use_interactive_fds(spamd_t) - - files_read_usr_files(spamd_t) - files_read_etc_runtime_files(spamd_t) ++domain_use_interactive_fds(spamd_t) ++ ++files_read_etc_runtime_files(spamd_t) +# /var/lib/spamassin +files_read_var_lib_files(spamd_t) ++ + init_dontaudit_rw_utmp(spamd_t) --fs_getattr_all_fs(spamd_t) --fs_search_auto_mountpoints(spamd_t) -+init_dontaudit_rw_utmp(spamd_t) - - auth_use_nsswitch(spamd_t) --auth_dontaudit_read_shadow(spamd_t) -- --init_dontaudit_rw_utmp(spamd_t) - ++auth_use_nsswitch(spamd_t) ++ libs_use_ld_so(spamd_t) libs_use_shared_libs(spamd_t) @@ -74032,7 +74613,7 @@ index 4faa7e0..18d0efc 100644 ') optional_policy(` -@@ -421,21 +508,13 @@ optional_policy(` +@@ -421,21 +505,13 @@ optional_policy(` ') optional_policy(` @@ -74056,7 +74637,7 @@ index 4faa7e0..18d0efc 100644 ') optional_policy(` -@@ -443,8 +522,8 @@ optional_policy(` +@@ -443,8 +519,8 @@ optional_policy(` ') optional_policy(` 
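Review bot: The spamd hunk `@@ -73964,29 +74545,29 @@` removes `files_read_usr_files(spamd_t)` but also rewrites the surrounding unchanged rules, so `auth_use_nsswitch(spamd_t)` ends up after `init_dontaudit_rw_utmp(spamd_t)` and apart from `auth_dontaudit_read_shadow(spamd_t)`, and the `fs_*` calls now precede `corecmd_*`/`domain_*`/`files_*`. If the intent is only to drop that one rule, keeping the original order would shrink this hunk to a single removed line and preserve the per-layer grouping the rest of the file follows. Separately, the context comment `# /var/lib/spamassin` misspells the directory; `# /var/lib/spamassassin` would be right.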
@@ -74066,7 +74647,7 @@ index 4faa7e0..18d0efc 100644 ') optional_policy(` -@@ -455,7 +534,12 @@ optional_policy(` +@@ -455,7 +531,12 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -74080,7 +74661,7 @@ index 4faa7e0..18d0efc 100644 ') optional_policy(` -@@ -463,9 +547,9 @@ optional_policy(` +@@ -463,9 +544,9 @@ optional_policy(` ') optional_policy(` @@ -74091,7 +74672,7 @@ index 4faa7e0..18d0efc 100644 ') optional_policy(` -@@ -474,32 +558,29 @@ optional_policy(` +@@ -474,32 +555,29 @@ optional_policy(` ######################################## # @@ -74131,7 +74712,12 @@ index 4faa7e0..18d0efc 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -513,20 +594,16 @@ files_read_usr_files(spamd_update_t) +@@ -508,25 +586,20 @@ dev_read_urand(spamd_update_t) + + domain_use_interactive_fds(spamd_update_t) + +-files_read_usr_files(spamd_update_t) + auth_use_nsswitch(spamd_update_t) auth_dontaudit_read_shadow(spamd_update_t) @@ -74158,10 +74744,18 @@ index 4faa7e0..18d0efc 100644 ') + diff --git a/speedtouch.te b/speedtouch.te -index 9025dbd..7e4c41f 100644 +index 9025dbd..388ce0a 100644 --- a/speedtouch.te +++ b/speedtouch.te -@@ -47,8 +47,6 @@ fs_search_auto_mountpoints(speedmgmt_t) +@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t) + + domain_use_interactive_fds(speedmgmt_t) + +-files_read_etc_files(speedmgmt_t) +-files_read_usr_files(speedmgmt_t) + + fs_getattr_all_fs(speedmgmt_t) + fs_search_auto_mountpoints(speedmgmt_t) logging_send_syslog_msg(speedmgmt_t) @@ -74240,7 +74834,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 221c560..b20a9d9 100644 +index 221c560..d8c9794 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; 
@@ -74298,7 +74892,15 @@ index 221c560..b20a9d9 100644 corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -178,7 +189,6 @@ libs_exec_lib_files(squid_t) +@@ -156,7 +167,6 @@ dev_read_urand(squid_t) + domain_use_interactive_fds(squid_t) + + files_read_etc_runtime_files(squid_t) +-files_read_usr_files(squid_t) + files_search_spool(squid_t) + files_dontaudit_getattr_tmp_dirs(squid_t) + files_getattr_home_dir(squid_t) +@@ -178,7 +188,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) @@ -74306,7 +74908,7 @@ index 221c560..b20a9d9 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -200,6 +210,8 @@ tunable_policy(`squid_use_tproxy',` +@@ -200,6 +209,8 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) @@ -74315,7 +74917,7 @@ index 221c560..b20a9d9 100644 corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) -@@ -209,18 +221,22 @@ optional_policy(` +@@ -209,18 +220,22 @@ optional_policy(` corenet_tcp_connect_http_cache_port(httpd_squid_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) @@ -74342,7 +74944,7 @@ index 221c560..b20a9d9 100644 ') optional_policy(` -@@ -238,3 +254,24 @@ optional_policy(` +@@ -238,3 +253,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -74713,7 +75315,7 @@ index a240455..54c45f6 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..4253541 100644 +index 8b537aa..eaa7a83 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ 
@@ -74774,7 +75376,17 @@ index 8b537aa..4253541 100644 corecmd_exec_bin(sssd_t) -@@ -94,14 +88,15 @@ selinux_validate_context(sssd_t) +@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t) + domain_obj_id_change_exemption(sssd_t) + + files_list_tmp(sssd_t) +-files_read_etc_files(sssd_t) + files_read_etc_runtime_files(sssd_t) +-files_read_usr_files(sssd_t) + files_list_var_lib(sssd_t) + + fs_list_inotifyfs(sssd_t) +@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) # sssd wants to write /etc/selinux//logins/ for SELinux PAM module @@ -74792,7 +75404,7 @@ index 8b537aa..4253541 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +107,30 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +105,30 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -74998,10 +75610,10 @@ index 0000000..80c6480 +') diff --git a/stapserver.te b/stapserver.te new file mode 100644 -index 0000000..b87c79c +index 0000000..79eac2b --- /dev/null +++ b/stapserver.te -@@ -0,0 +1,100 @@ +@@ -0,0 +1,99 @@ +policy_module(stapserver, 1.0.0) + +######################################## @@ -75065,7 +75677,6 @@ index 0000000..b87c79c +dev_read_urand(stapserver_t) + +files_list_tmp(stapserver_t) -+files_read_usr_files(stapserver_t) +files_search_kernel_modules(stapserver_t) + +fs_search_cgroup_dirs(stapserver_t) @@ -75560,7 +76171,7 @@ index 6c06a84..0000000 - rpm_exec(stapserver_t) -') diff --git a/tcpd.te b/tcpd.te -index f388db3..92d5fe0 100644 +index f388db3..3c5c32e 100644 --- a/tcpd.te +++ b/tcpd.te @@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) 
@@ -75571,7 +76182,12 @@ index f388db3..92d5fe0 100644 corenet_all_recvfrom_netlabel(tcpd_t) corenet_tcp_sendrecv_generic_if(tcpd_t) corenet_tcp_sendrecv_generic_node(tcpd_t) -@@ -38,8 +37,6 @@ files_dontaudit_search_var(tcpd_t) +@@ -33,13 +32,10 @@ fs_getattr_xattr_fs(tcpd_t) + + corecmd_search_bin(tcpd_t) + +-files_read_etc_files(tcpd_t) + files_dontaudit_search_var(tcpd_t) logging_send_syslog_msg(tcpd_t) @@ -76061,7 +76677,7 @@ index 42946bc..95a9aa3 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index e9c0964..6cc7ecd 100644 +index e9c0964..6e84ad8 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,29 +1,28 @@ @@ -76104,7 +76720,7 @@ index e9c0964..6cc7ecd 100644 telepathy_domain_template(gabble) -@@ -67,176 +66,146 @@ userdom_user_home_content(telepathy_sunshine_home_t) +@@ -67,176 +66,145 @@ userdom_user_home_content(telepathy_sunshine_home_t) ####################################### # @@ -76158,10 +76774,10 @@ index e9c0964..6cc7ecd 100644 dev_read_rand(telepathy_gabble_t) files_read_config_files(telepathy_gabble_t) - files_read_usr_files(telepathy_gabble_t) - -+fs_getattr_all_fs(telepathy_gabble_t) +-files_read_usr_files(telepathy_gabble_t) + ++fs_getattr_all_fs(telepathy_gabble_t) + miscfiles_read_all_certs(telepathy_gabble_t) tunable_policy(`telepathy_connect_all_ports',` @@ -76330,7 +76946,7 @@ index e9c0964..6cc7ecd 100644 optional_policy(` dbus_system_bus_client(telepathy_mission_control_t) -@@ -245,59 +214,51 @@ optional_policy(` +@@ -245,59 +213,51 @@ optional_policy(` devicekit_dbus_chat_power(telepathy_mission_control_t) ') optional_policy(` @@ -76405,7 +77021,7 @@ index e9c0964..6cc7ecd 100644 init_read_state(telepathy_msn_t) -@@ -307,18 +268,19 @@ logging_send_syslog_msg(telepathy_msn_t) +@@ -307,18 +267,19 @@ logging_send_syslog_msg(telepathy_msn_t) miscfiles_read_all_certs(telepathy_msn_t) 
@@ -76430,7 +77046,7 @@ index e9c0964..6cc7ecd 100644 ') optional_policy(` -@@ -329,43 +291,33 @@ optional_policy(` +@@ -329,43 +290,33 @@ optional_policy(` ') ') @@ -76479,7 +77095,7 @@ index e9c0964..6cc7ecd 100644 ') optional_policy(` -@@ -378,73 +330,53 @@ optional_policy(` +@@ -378,73 +329,53 @@ optional_policy(` ####################################### # @@ -76563,7 +77179,7 @@ index e9c0964..6cc7ecd 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -452,31 +384,41 @@ optional_policy(` +@@ -452,31 +383,39 @@ optional_policy(` ####################################### # @@ -76588,8 +77204,6 @@ index e9c0964..6cc7ecd 100644 dev_read_urand(telepathy_domain) -kernel_read_system_state(telepathy_domain) -+files_read_etc_files(telepathy_domain) -+files_read_usr_files(telepathy_domain) fs_getattr_all_fs(telepathy_domain) fs_search_auto_mountpoints(telepathy_domain) @@ -77222,10 +77836,10 @@ index 0000000..d000122 +') diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..2b878d8 +index 0000000..555b49e --- /dev/null +++ b/thin.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,108 @@ +policy_module(thin, 1.0) + +######################################## @@ -77276,13 +77890,11 @@ index 0000000..2b878d8 +dev_read_rand(thin_domain) +dev_read_urand(thin_domain) + -+files_read_etc_files(thin_domain) + +auth_read_passwd(thin_domain) + +miscfiles_read_certs(thin_domain) + -+files_read_usr_files(thin_domain) + +fs_search_auto_mountpoints(thin_domain) + @@ -77360,10 +77972,10 @@ index 0000000..059e12c +/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 -index 0000000..9127cec +index 0000000..4902155 --- /dev/null +++ b/thumb.if -@@ -0,0 +1,125 @@ +@@ -0,0 +1,128 @@ + +## policy for thumb + 
@@ -77411,7 +78023,10 @@ index 0000000..9127cec + thumb_domtrans($1) + role $2 types thumb_t; + -+ allow $1 thumb_t:process signal; ++ allow $1 thumb_t:process signal_perms; ++ ++ dontaudit thumb_t $1:dir list_dir_perms; ++ dontaudit thumb_t $1:file read_file_perms; +') + +######################################## @@ -77491,10 +78106,10 @@ index 0000000..9127cec +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..0f9dcc7 +index 0000000..e8b5d5e --- /dev/null +++ b/thumb.te -@@ -0,0 +1,130 @@ +@@ -0,0 +1,129 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -77570,7 +78185,6 @@ index 0000000..0f9dcc7 + +domain_use_interactive_fds(thumb_t) + -+files_read_usr_files(thumb_t) +files_read_non_security_files(thumb_t) + +fs_getattr_all_fs(thumb_t) @@ -77626,7 +78240,7 @@ index 0000000..0f9dcc7 + nscd_dontaudit_write_sock_file(thumb_t) +') diff --git a/thunderbird.te b/thunderbird.te -index 4257ede..cddc4c6 100644 +index 4257ede..5b3949a 100644 --- a/thunderbird.te +++ b/thunderbird.te @@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t) @@ -77637,7 +78251,15 @@ index 4257ede..cddc4c6 100644 corenet_all_recvfrom_netlabel(thunderbird_t) corenet_tcp_sendrecv_generic_if(thunderbird_t) corenet_tcp_sendrecv_generic_node(thunderbird_t) -@@ -98,7 +97,6 @@ fs_search_auto_mountpoints(thunderbird_t) +@@ -82,7 +81,6 @@ dev_read_urand(thunderbird_t) + dev_dontaudit_search_sysfs(thunderbird_t) + + files_list_tmp(thunderbird_t) +-files_read_usr_files(thunderbird_t) + files_read_etc_runtime_files(thunderbird_t) + files_read_var_files(thunderbird_t) + files_read_var_symlinks(thunderbird_t) +@@ -98,7 +96,6 @@ fs_search_auto_mountpoints(thunderbird_t) auth_use_nsswitch(thunderbird_t) miscfiles_read_fonts(thunderbird_t) 
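Review bot: The two lines `dontaudit thumb_t $1:dir list_dir_perms;` and `dontaudit thumb_t $1:file read_file_perms;` added to `thumb_run` carry no comment saying which access they hide. With a domain type as the target of the dir and file classes this presumably silences thumb_t reading the caller's /proc/<pid> entries; a comment such as `# thumb_t probes /proc/<pid> of the calling domain; silence rather than allow` would keep a later cleanup from promoting these to allow rules. The widening of `allow $1 thumb_t:process signal;` to `signal_perms` just above is plausible for a run interface but is equally undocumented; the rest of the interface body lies outside the hunk.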
@@ -77645,7 +78267,7 @@ index 4257ede..cddc4c6 100644 userdom_write_user_tmp_sockets(thunderbird_t) -@@ -113,17 +111,8 @@ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) +@@ -113,17 +110,8 @@ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) xserver_read_xdm_tmp_files(thunderbird_t) xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) @@ -77666,7 +78288,7 @@ index 4257ede..cddc4c6 100644 ifndef(`enable_mls',` fs_search_removable(thunderbird_t) diff --git a/timidity.te b/timidity.te -index 67ca5c5..4254563 100644 +index 67ca5c5..a1ef2d2 100644 --- a/timidity.te +++ b/timidity.te @@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f @@ -77677,8 +78299,17 @@ index 67ca5c5..4254563 100644 corenet_all_recvfrom_netlabel(timidity_t) corenet_tcp_sendrecv_generic_if(timidity_t) corenet_udp_sendrecv_generic_if(timidity_t) +@@ -51,8 +50,6 @@ dev_write_sound(timidity_t) + + domain_use_interactive_fds(timidity_t) + +-files_read_etc_files(timidity_t) +-files_read_usr_files(timidity_t) + files_search_tmp(timidity_t) + + fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index a4a949c..43988e5 100644 +index a4a949c..0ab6c4c 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) @@ -77689,7 +78320,7 @@ index a4a949c..43988e5 100644 ######################################## # -@@ -18,17 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; +@@ -18,20 +19,26 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner }; kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) 
@@ -77715,9 +78346,12 @@ index a4a949c..43988e5 100644 +files_getattr_all_dirs(tmpreaper_t) +files_getattr_all_files(tmpreaper_t) - mcs_file_read_all(tmpreaper_t) - mcs_file_write_all(tmpreaper_t) -@@ -39,14 +48,20 @@ auth_use_nsswitch(tmpreaper_t) +-mcs_file_read_all(tmpreaper_t) +-mcs_file_write_all(tmpreaper_t) + mls_file_read_all_levels(tmpreaper_t) + mls_file_write_all_levels(tmpreaper_t) + +@@ -39,14 +46,20 @@ auth_use_nsswitch(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) @@ -77740,7 +78374,7 @@ index a4a949c..43988e5 100644 ') optional_policy(` -@@ -54,6 +69,7 @@ optional_policy(` +@@ -54,6 +67,7 @@ optional_policy(` ') optional_policy(` @@ -77748,7 +78382,7 @@ index a4a949c..43988e5 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -69,7 +85,15 @@ optional_policy(` +@@ -69,7 +83,15 @@ optional_policy(` ') optional_policy(` @@ -78185,10 +78819,10 @@ index 0000000..9abef48 +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..0557ffc +index 0000000..5a263b2 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,71 @@ +@@ -0,0 +1,69 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -78250,8 +78884,6 @@ index 0000000..0557ffc +fs_getattr_all_fs(tomcat_domain) +fs_read_hugetlbfs_files(tomcat_domain) + -+files_read_etc_files(tomcat_domain) -+files_read_usr_files(tomcat_domain) + +auth_read_passwd(tomcat_domain) + @@ -78419,7 +79051,7 @@ index 964a395..2a5bcc4 100644 seutil_sigchld_newrole(tor_t) ') diff --git a/transproxy.te b/transproxy.te -index 20d1a28..e90a7e8 100644 +index 20d1a28..494a46d 100644 --- a/transproxy.te +++ b/transproxy.te @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t) 
@@ -78430,7 +79062,14 @@ index 20d1a28..e90a7e8 100644 corenet_all_recvfrom_netlabel(transproxy_t) corenet_tcp_sendrecv_generic_if(transproxy_t) corenet_tcp_sendrecv_generic_node(transproxy_t) -@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(transproxy_t) +@@ -46,15 +45,12 @@ dev_read_sysfs(transproxy_t) + + domain_use_interactive_fds(transproxy_t) + +-files_read_etc_files(transproxy_t) + + fs_getattr_all_fs(transproxy_t) + fs_search_auto_mountpoints(transproxy_t) logging_send_syslog_msg(transproxy_t) @@ -78502,7 +79141,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..5355bfc 100644 +index 7116181..cf4f528 100644 --- a/tuned.te +++ b/tuned.te @@ -31,8 +31,9 @@ files_pid_file(tuned_var_run_t) @@ -78533,9 +79172,11 @@ index 7116181..5355bfc 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -69,26 +71,39 @@ dev_rw_netcontrol(tuned_t) +@@ -67,28 +69,40 @@ dev_read_urand(tuned_t) + dev_rw_sysfs(tuned_t) + dev_rw_netcontrol(tuned_t) - files_read_usr_files(tuned_t) +-files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) -files_dontaudit_list_tmp(tuned_t) +files_list_tmp(tuned_t) @@ -78577,10 +79218,18 @@ index 7116181..5355bfc 100644 sysnet_domtrans_ifconfig(tuned_t) ') diff --git a/tvtime.te b/tvtime.te -index 3292fcc..fff4b4a 100644 +index 3292fcc..3cc43ed 100644 --- a/tvtime.te +++ b/tvtime.te -@@ -69,21 +69,12 @@ fs_search_auto_mountpoints(tvtime_t) +@@ -61,7 +61,6 @@ dev_read_realtime_clock(tvtime_t) + dev_read_sound(tvtime_t) + dev_read_urand(tvtime_t) + +-files_read_usr_files(tvtime_t) + + fs_getattr_all_fs(tvtime_t) + fs_search_auto_mountpoints(tvtime_t) +@@ -69,21 +68,12 @@ fs_search_auto_mountpoints(tvtime_t) auth_use_nsswitch(tvtime_t) miscfiles_read_fonts(tvtime_t) 
@@ -78623,6 +79272,26 @@ index aa6ae96..9f86987 100644 optional_policy(` postfix_search_spool(tzdata_t) +diff --git a/ucspitcp.te b/ucspitcp.te +index 5e365c2..0fbc46e 100644 +--- a/ucspitcp.te ++++ b/ucspitcp.te +@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t) + corenet_tcp_bind_generic_node(rblsmtpd_t) + corenet_udp_bind_generic_port(rblsmtpd_t) + +-files_read_etc_files(rblsmtpd_t) + files_search_var(rblsmtpd_t) + + optional_policy(` +@@ -82,7 +81,6 @@ corenet_udp_bind_dns_port(ucspitcp_t) + corenet_sendrecv_generic_server_packets(ucspitcp_t) + corenet_udp_bind_generic_port(ucspitcp_t) + +-files_read_etc_files(ucspitcp_t) + files_search_var(ucspitcp_t) + + sysnet_read_config(ucspitcp_t) diff --git a/ulogd.if b/ulogd.if index 9b95c3e..a892845 100644 --- a/ulogd.if @@ -78641,7 +79310,7 @@ index 9b95c3e..a892845 100644 init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te -index c6acbbe..46f1120 100644 +index c6acbbe..bd23e7f 100644 --- a/ulogd.te +++ b/ulogd.te @@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t) @@ -78659,9 +79328,12 @@ index c6acbbe..46f1120 100644 read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) -@@ -45,7 +47,6 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) - files_read_etc_files(ulogd_t) - files_read_usr_files(ulogd_t) +@@ -42,10 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) + setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) + logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) + +-files_read_etc_files(ulogd_t) +-files_read_usr_files(ulogd_t) -miscfiles_read_localization(ulogd_t) @@ -79284,7 +79956,7 @@ index cf118fd..3b93d32 100644 + can_exec($1, consolehelper_exec_t) ') diff --git a/userhelper.te b/userhelper.te -index 274ed9c..1b381f0 100644 +index 274ed9c..23b8929 100644 --- a/userhelper.te +++ b/userhelper.te @@ -1,18 +1,15 @@ 
@@ -79309,7 +79981,7 @@ index 274ed9c..1b381f0 100644 type userhelper_exec_t; application_executable_file(userhelper_exec_t) -@@ -22,141 +19,68 @@ application_executable_file(consolehelper_exec_t) +@@ -22,141 +19,67 @@ application_executable_file(consolehelper_exec_t) ######################################## # @@ -79364,7 +80036,6 @@ index 274ed9c..1b381f0 100644 -term_list_ptys(consolehelper_type) +files_read_config_files(consolehelper_domain) -+files_read_usr_files(consolehelper_domain) -auth_search_pam_console_data(consolehelper_type) -auth_read_pam_pid(consolehelper_type) @@ -79493,61 +80164,44 @@ index 274ed9c..1b381f0 100644 + fs_search_cifs(consolehelper_domain) ') diff --git a/usernetctl.if b/usernetctl.if -index 7deec55..325bb57 100644 +index 7deec55..c542887 100644 --- a/usernetctl.if +++ b/usernetctl.if -@@ -39,9 +39,26 @@ interface(`usernetctl_domtrans',` +@@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',` # interface(`usernetctl_run',` gen_require(` -- attribute_role usernetctl_roles; + type usernetctl_t; -+ #attribute_role usernetctl_roles; + attribute_role usernetctl_roles; ') -- usernetctl_domtrans($1) -- roleattribute $2 usernetctl_roles; -+ #usernetctl_domtrans($1) -+ #roleattribute $2 usernetctl_roles; -+ -+ sysnet_run_ifconfig(usernetctl_t, $2) -+ sysnet_run_dhcpc(usernetctl_t, $2) -+ -+ optional_policy(` -+ iptables_run(usernetctl_t, $2) -+ ') -+ -+ optional_policy(` -+ modutils_run_insmod(usernetctl_t, $2) -+ ') -+ -+ optional_policy(` -+ ppp_run(usernetctl_t, $2) -+ ') -+ - ') diff --git a/usernetctl.te b/usernetctl.te -index dd3f01e..a2229f7 100644 +index dd3f01e..465c661 100644 --- a/usernetctl.te 
+++ b/usernetctl.te -@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.1) - # Declarations +@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.6.1) # --attribute_role usernetctl_roles; -+#attribute_role usernetctl_roles; + attribute_role usernetctl_roles; ++roleattribute system_r usernetctl_roles; type usernetctl_t; type usernetctl_exec_t; application_domain(usernetctl_t, usernetctl_exec_t) domain_interactive_fd(usernetctl_t) -role usernetctl_roles types usernetctl_t; -+#role usernetctl_roles types usernetctl_t; -+role system_r types usernetctl_t; ######################################## # -@@ -48,31 +49,36 @@ auth_use_nsswitch(usernetctl_t) +@@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t) + files_read_etc_runtime_files(usernetctl_t) + files_list_pids(usernetctl_t) + files_list_home(usernetctl_t) +-files_read_usr_files(usernetctl_t) + + fs_search_auto_mountpoints(usernetctl_t) + +@@ -48,18 +47,14 @@ auth_use_nsswitch(usernetctl_t) logging_send_syslog_msg(usernetctl_t) 
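Review bot: The `type usernetctl_t;` added to the `gen_require` of `usernetctl_run` is not referenced by anything visible in the hunk; the interface body below the hunk is presumably still `usernetctl_domtrans($1)` plus `roleattribute $2 usernetctl_roles;`, in which case the require is dead (it served the `sysnet_run_ifconfig(usernetctl_t, $2)` calls this commit removes) and should be dropped. The `roleattribute system_r usernetctl_roles;` added to usernetctl.te has no comment, and since the next hunk's context shows `sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)` and `sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)`, it also makes system_r eligible for the ifconfig and dhcpc domains; a why-comment such as `# init-launched network scripts run usernetctl as system_r — confirm` would record the intent. The same undocumented `roleattribute system_r vpnc_roles;` appears in the vpn.te hunk later in this diff.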
@@ -79555,48 +80209,30 @@ index dd3f01e..a2229f7 100644 - seutil_read_config(usernetctl_t) --sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) --sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) +sysnet_read_config(usernetctl_t) + -+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) -+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) + sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) + sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) -userdom_use_user_terminals(usernetctl_t) +- +-optional_policy(` +- consoletype_run(usernetctl_t, usernetctl_roles) +-') +userdom_use_inherited_user_terminals(usernetctl_t) - optional_policy(` -- consoletype_run(usernetctl_t, usernetctl_roles) -+# consoletype_run(usernetctl_t, usernetctl_roles) -+ consoletype_exec(usernetctl_t) - ') - optional_policy(` hostname_exec(usernetctl_t) +@@ -74,5 +69,9 @@ optional_policy(` ') --optional_policy(` -- iptables_run(usernetctl_t, usernetctl_roles) --') -+#optional_policy(` -+# iptables_run(usernetctl_t, usernetctl_roles) -+#') - --optional_policy(` -- modutils_run_insmod(usernetctl_t, usernetctl_roles) --') -+#optional_policy(` -+# modutils_run_insmod(usernetctl_t, usernetctl_roles) -+#') - optional_policy(` -- ppp_run(usernetctl_t, usernetctl_roles) + nis_use_ypbind(usernetctl_t) - ') ++') + -+#optional_policy(` -+# ppp_run(usernetctl_t, usernetctl_roles) -+#') ++optional_policy(` + ppp_run(usernetctl_t, usernetctl_roles) + ') diff --git a/uucp.if b/uucp.if index af9acc0..0119768 100644 --- a/uucp.if @@ -79698,12 +80334,14 @@ index 6e48653..29e3648 100644 uuidd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/uuidd.te b/uuidd.te -index e670f55..43199ee 100644 +index e670f55..2b332c5 100644 --- a/uuidd.te +++ b/uuidd.te -@@ -44,4 +44,3 @@ domain_use_interactive_fds(uuidd_t) +@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t) - files_read_etc_files(uuidd_t) + domain_use_interactive_fds(uuidd_t) + +-files_read_etc_files(uuidd_t) -miscfiles_read_localization(uuidd_t) 
diff --git a/uwimap.te b/uwimap.te @@ -79774,7 +80412,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..cd79417 100644 +index 9d4d8cb..f50c3ff 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; @@ -79804,7 +80442,15 @@ index 9d4d8cb..cd79417 100644 allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket { accept listen }; -@@ -111,7 +111,7 @@ auth_use_nsswitch(varnishd_t) +@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t) + + dev_read_urand(varnishd_t) + +-files_read_usr_files(varnishd_t) + + fs_getattr_all_fs(varnishd_t) + +@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t) logging_send_syslog_msg(varnishd_t) @@ -79936,7 +80582,7 @@ index 31c752e..e9c041d 100644 init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 77be35a..f9c0665 100644 +index 77be35a..5ba96c7 100644 --- a/vdagent.te +++ b/vdagent.te @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) @@ -79947,7 +80593,11 @@ index 77be35a..f9c0665 100644 allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket { accept listen }; -@@ -47,9 +48,14 @@ files_read_etc_files(vdagent_t) +@@ -43,13 +44,17 @@ dev_rw_input_dev(vdagent_t) + dev_read_sysfs(vdagent_t) + dev_dontaudit_write_mtrr(vdagent_t) + +-files_read_etc_files(vdagent_t) init_read_state(vdagent_t) @@ -81697,7 +82347,7 @@ index 9dec06c..347f807 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..e096fc5 100644 +index 1f22fba..95dd6c8 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,105 @@ 
@@ -82022,7 +82672,9 @@ index 1f22fba..e096fc5 100644 -corenet_tcp_sendrecv_virt_migration_port(virt_domain) - -corenet_rw_tun_tap_dev(virt_domain) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -dev_getattr_fs(virt_domain) -dev_list_sysfs(virt_domain) -dev_read_generic_symlinks(virt_domain) @@ -82064,9 +82716,7 @@ index 1f22fba..e096fc5 100644 - -miscfiles_read_localization(virt_domain) -miscfiles_read_public_files(virt_domain) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -sysnet_read_config(virt_domain) - -userdom_search_user_home_dirs(virt_domain) @@ -82162,7 +82812,9 @@ index 1f22fba..e096fc5 100644 -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -read_files_pattern(svirt_t, virt_content_t, virt_content_t) -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; - @@ -82194,9 +82846,7 @@ index 1f22fba..e096fc5 100644 -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) 
@@ -82326,13 +82976,13 @@ index 1f22fba..e096fc5 100644 - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -82361,7 +83011,7 @@ index 1f22fba..e096fc5 100644 corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) -@@ -548,22 +370,25 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +370,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -82370,8 +83020,7 @@ index 1f22fba..e096fc5 100644 domain_read_all_domains_state(virtd_t) +domain_read_all_domains_state(virtd_t) - files_read_usr_files(virtd_t) -+files_read_usr_files(virtd_t) +-files_read_usr_files(virtd_t) files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) files_read_kernel_modules(virtd_t) @@ -82391,7 +83040,7 @@ index 1f22fba..e096fc5 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +417,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -82411,7 +83060,7 @@ index 1f22fba..e096fc5 100644 selinux_validate_context(virtd_t) -@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +439,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) 
@@ -82446,7 +83095,7 @@ index 1f22fba..e096fc5 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +465,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -82455,7 +83104,7 @@ index 1f22fba..e096fc5 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +480,330 @@ optional_policy(` +@@ -646,107 +478,330 @@ optional_policy(` consoletype_exec(virtd_t) ') @@ -82658,7 +83307,6 @@ index 1f22fba..e096fc5 100644 - avahi_dbus_chat(virtd_t) - ') +files_read_mnt_symlinks(virt_domain) -+files_read_usr_files(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) @@ -82779,6 +83427,7 @@ index 1f22fba..e096fc5 100644 +') + +tunable_policy(`virt_use_sysfs',` ++ allow svirt_t self:capability2 compromise_kernel; + dev_rw_sysfs(virt_domain) +') + @@ -82843,7 +83492,7 @@ index 1f22fba..e096fc5 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +815,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +813,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -82872,7 +83521,7 @@ index 1f22fba..e096fc5 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,15 +833,9 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +831,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
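Review bot: The added `allow svirt_t self:capability2 compromise_kernel;` inside `tunable_policy(`virt_use_sysfs',…)` grants the confined guest domain a capability whose name indicates bypassing kernel integrity protection, while the only other rule in the block, `dev_rw_sysfs(virt_domain)`, targets the wider `virt_domain`, so the two rules do not agree on scope. The commit gives no reason for the capability; presumably some sysfs write is gated on it by the kernel, but that belongs in a comment on the line, e.g. `# writes to <sysfs path — fill in> require compromise_kernel on this kernel; confirm still needed and whether virt_domain needs it too`. Because the boolean name `virt_use_sysfs` does not suggest a capability grant, the tunable's description (declared outside this hunk) should mention that enabling it also extends svirt_t's capability set.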
@@ -82888,15 +83537,18 @@ index 1f22fba..e096fc5 100644 dev_read_rand(virsh_t) dev_read_urand(virsh_t) -@@ -804,6 +846,7 @@ files_read_etc_files(virsh_t) - files_read_usr_files(virsh_t) + dev_read_sysfs(virsh_t) + + files_read_etc_runtime_files(virsh_t) +-files_read_etc_files(virsh_t) +-files_read_usr_files(virsh_t) files_list_mnt(virsh_t) files_list_tmp(virsh_t) +# Some common macros (you might be able to remove some) fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +855,21 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +851,21 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -82927,7 +83579,7 @@ index 1f22fba..e096fc5 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,6 +887,10 @@ optional_policy(` +@@ -847,6 +883,10 @@ optional_policy(` ') optional_policy(` @@ -82938,7 +83590,7 @@ index 1f22fba..e096fc5 100644 rpm_exec(virsh_t) ') -@@ -854,7 +898,7 @@ optional_policy(` +@@ -854,7 +894,7 @@ optional_policy(` xen_manage_image_dirs(virsh_t) xen_append_log(virsh_t) xen_domtrans(virsh_t) @@ -82947,7 +83599,7 @@ index 1f22fba..e096fc5 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +923,39 @@ optional_policy(` +@@ -879,34 +919,39 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -82997,7 +83649,7 @@ index 1f22fba..e096fc5 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +965,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +961,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -83013,15 +83665,18 @@ index 1f22fba..e096fc5 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,7 +985,6 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +981,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) -files_associate_rootfs(svirt_lxc_file_t) files_search_all(virtd_lxc_t) files_getattr_all_files(virtd_lxc_t) - files_read_usr_files(virtd_lxc_t) -@@ -955,15 +1006,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +-files_read_usr_files(virtd_lxc_t) + files_relabel_rootfs(virtd_lxc_t) + files_mounton_non_security(virtd_lxc_t) + files_mount_all_file_type_fs(virtd_lxc_t) +@@ -955,15 +1001,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -83040,7 +83695,7 @@ index 1f22fba..e096fc5 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,20 +1020,39 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,20 +1015,39 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) 
@@ -83086,7 +83741,7 @@ index 1f22fba..e096fc5 100644 allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; -@@ -995,19 +1061,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,19 +1056,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -83106,7 +83761,7 @@ index 1f22fba..e096fc5 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1068,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1063,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -83125,7 +83780,7 @@ index 1f22fba..e096fc5 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1087,21 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1082,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) 
@@ -83135,7 +83790,7 @@ index 1f22fba..e096fc5 100644 files_list_var_lib(svirt_lxc_domain) files_search_all(svirt_lxc_domain) files_read_config_files(svirt_lxc_domain) - files_read_usr_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) files_read_usr_symlinks(svirt_lxc_domain) +files_search_locks(svirt_lxc_domain) @@ -83152,7 +83807,7 @@ index 1f22fba..e096fc5 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,11 +1113,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,11 +1107,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -83169,7 +83824,7 @@ index 1f22fba..e096fc5 100644 optional_policy(` udev_read_pid_files(svirt_lxc_domain) -@@ -1078,81 +1131,63 @@ optional_policy(` +@@ -1078,81 +1125,63 @@ optional_policy(` apache_read_sys_content(svirt_lxc_domain) ') @@ -83274,7 +83929,7 @@ index 1f22fba..e096fc5 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1200,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1194,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -83289,7 +83944,7 @@ index 1f22fba..e096fc5 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1218,8 @@ optional_policy(` +@@ -1183,9 +1212,8 @@ optional_policy(` ######################################## # @@ -83300,7 +83955,7 @@ index 1f22fba..e096fc5 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1232,66 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1226,65 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
@@ -83328,7 +83983,6 @@ index 1f22fba..e096fc5 100644 +corecmd_exec_shell(virt_qemu_ga_t) +corecmd_exec_bin(virt_qemu_ga_t) + -+files_read_etc_files(virt_qemu_ga_t) + +dev_rw_sysfs(virt_qemu_ga_t) + @@ -83384,7 +84038,7 @@ index 9ead775..b5285e7 100644 -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmware.te b/vmware.te -index 3a56513..1fb1463 100644 +index 3a56513..935180a 100644 --- a/vmware.te +++ b/vmware.te @@ -65,7 +65,8 @@ ifdef(`enable_mcs',` @@ -83407,7 +84061,7 @@ index 3a56513..1fb1463 100644 corenet_all_recvfrom_netlabel(vmware_host_t) corenet_tcp_sendrecv_generic_if(vmware_host_t) corenet_udp_sendrecv_generic_if(vmware_host_t) -@@ -115,6 +116,7 @@ dev_getattr_all_blk_files(vmware_host_t) +@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t) dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) @@ -83415,16 +84069,15 @@ index 3a56513..1fb1463 100644 domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) -@@ -122,7 +124,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t) + files_list_tmp(vmware_host_t) - files_read_etc_files(vmware_host_t) +-files_read_etc_files(vmware_host_t) files_read_etc_runtime_files(vmware_host_t) -files_read_usr_files(vmware_host_t) -+files_read_usr_files(vmware_host_t) fs_getattr_all_fs(vmware_host_t) fs_search_auto_mountpoints(vmware_host_t) -@@ -138,8 +140,6 @@ libs_exec_ld_so(vmware_host_t) +@@ -138,8 +138,6 @@ libs_exec_ld_so(vmware_host_t) logging_send_syslog_msg(vmware_host_t) @@ -83433,7 +84086,7 @@ index 3a56513..1fb1463 100644 sysnet_dns_name_resolve(vmware_host_t) sysnet_domtrans_ifconfig(vmware_host_t) -@@ -149,11 +149,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) +@@ -149,11 +147,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t) netutils_domtrans_ping(vmware_host_t) optional_policy(` 
@@ -83462,7 +84115,17 @@ index 3a56513..1fb1463 100644 ') optional_policy(` -@@ -258,9 +274,8 @@ storage_raw_write_removable_device(vmware_t) +@@ -244,9 +258,7 @@ dev_search_sysfs(vmware_t) + + domain_use_interactive_fds(vmware_t) + +-files_read_etc_files(vmware_t) + files_read_etc_runtime_files(vmware_t) +-files_read_usr_files(vmware_t) + files_list_home(vmware_t) + + fs_getattr_all_fs(vmware_t) +@@ -258,9 +270,8 @@ storage_raw_write_removable_device(vmware_t) libs_exec_ld_so(vmware_t) libs_read_lib_files(vmware_t) @@ -83586,7 +84249,7 @@ index 524ac2f..076dcc3 100644 -/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) +/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/vpn.if b/vpn.if -index 7a7f342..a4e2f60 100644 +index 7a7f342..afedcba 100644 --- a/vpn.if +++ b/vpn.if @@ -1,8 +1,8 @@ @@ -83618,23 +84281,15 @@ index 7a7f342..a4e2f60 100644 ## ## ## -@@ -39,16 +37,21 @@ interface(`vpn_domtrans',` - # +@@ -40,6 +38,7 @@ interface(`vpn_domtrans',` interface(`vpn_run',` gen_require(` -- attribute_role vpnc_roles; -+ #attribute_role vpnc_roles; + attribute_role vpnc_roles; + type vpnc_t; ') -+ #vpn_domtrans($1) -+ #roleattribute $2 vpnc_roles; -+ vpn_domtrans($1) -- roleattribute $2 vpnc_roles; -+ role $2 types vpnc_t; -+ sysnet_run_ifconfig(vpnc_t, $2) - ') +@@ -48,7 +47,7 @@ interface(`vpn_run',` ######################################## ## @@ -83643,7 +84298,7 @@ index 7a7f342..a4e2f60 100644 ## ## ## -@@ -66,7 +69,7 @@ interface(`vpn_kill',` +@@ -66,7 +65,7 @@ interface(`vpn_kill',` ######################################## ## @@ -83652,7 +84307,7 @@ index 7a7f342..a4e2f60 100644 ## ## ## -@@ -84,7 +87,7 @@ interface(`vpn_signal',` +@@ -84,7 +83,7 @@ interface(`vpn_signal',` ######################################## ## 
@@ -83661,7 +84316,7 @@ index 7a7f342..a4e2f60 100644 ## ## ## -@@ -103,7 +106,7 @@ interface(`vpn_signull',` +@@ -103,7 +102,7 @@ interface(`vpn_signull',` ######################################## ## ## Send and receive messages from @@ -83671,33 +84326,30 @@ index 7a7f342..a4e2f60 100644 ## ## diff --git a/vpn.te b/vpn.te -index 9329eae..ddf48c0 100644 +index 9329eae..83fa097 100644 --- a/vpn.te +++ b/vpn.te -@@ -1,17 +1,19 @@ +@@ -1,4 +1,4 @@ -policy_module(vpn, 1.15.1) +policy_module(vpn, 1.15.0) ######################################## # - # Declarations +@@ -6,12 +6,12 @@ policy_module(vpn, 1.15.1) # --attribute_role vpnc_roles; -+#attribute_role vpnc_roles; -+#roleattribute system_r vpnc_roles; + attribute_role vpnc_roles; ++roleattribute system_r vpnc_roles; type vpnc_t; type vpnc_exec_t; init_system_domain(vpnc_t, vpnc_exec_t) application_domain(vpnc_t, vpnc_exec_t) -role vpnc_roles types vpnc_t; -+#role vpnc_roles types vpnc_t; -+role system_r types vpnc_t; type vpnc_tmp_t; files_tmp_file(vpnc_tmp_t) -@@ -28,9 +30,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n +@@ -28,9 +28,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; @@ -83712,7 +84364,7 @@ index 9329eae..ddf48c0 100644 allow vpnc_t self:socket create_socket_perms; manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) -@@ -47,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t) +@@ -47,7 +51,6 @@ kernel_read_all_sysctls(vpnc_t) kernel_request_load_module(vpnc_t) kernel_rw_net_sysctls(vpnc_t) 
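Review bot: The new side of the vpn.te hunk keeps `attribute_role vpnc_roles;` and adds `++roleattribute system_r vpnc_roles;`, but the inner patch still deletes `role vpnc_roles types vpnc_t;` (the `-role vpnc_roles types vpnc_t;` line is context for both revisions) and this revision also removes the `+role system_r types vpnc_t;` replacement the previous one carried, so no `role ... types vpnc_t` association is visible on the new side. Unless one is restored outside the hunk, roles added to vpnc_roles (presumably via `roleattribute $2 vpnc_roles;` in vpn_run()) would get the ifconfig transition from `sysnet_run_ifconfig(vpnc_t, vpnc_roles)` but no authorization for vpnc_t itself, and the transition into vpnc_t would be refused for those roles. I would keep the line on the new side: `role vpnc_roles types vpnc_t;` directly after `application_domain(vpnc_t, vpnc_exec_t)`. The inner vpn.te declarations continue beyond this outer hunk.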
@@ -83720,7 +84372,7 @@ index 9329eae..ddf48c0 100644 corenet_all_recvfrom_netlabel(vpnc_t) corenet_tcp_sendrecv_generic_if(vpnc_t) corenet_udp_sendrecv_generic_if(vpnc_t) -@@ -58,38 +63,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t) +@@ -58,38 +61,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t) corenet_tcp_sendrecv_all_ports(vpnc_t) corenet_udp_sendrecv_all_ports(vpnc_t) corenet_udp_bind_generic_node(vpnc_t) @@ -83770,7 +84422,7 @@ index 9329eae..ddf48c0 100644 auth_use_nsswitch(vpnc_t) -@@ -103,16 +102,15 @@ locallogin_use_fds(vpnc_t) +@@ -103,16 +100,15 @@ locallogin_use_fds(vpnc_t) logging_send_syslog_msg(vpnc_t) logging_dontaudit_search_logs(vpnc_t) @@ -83779,8 +84431,7 @@ index 9329eae..ddf48c0 100644 -seutil_dontaudit_search_config(vpnc_t) +seutil_use_newrole_fds(vpnc_t) --sysnet_run_ifconfig(vpnc_t, vpnc_roles) -+#sysnet_run_ifconfig(vpnc_t, vpnc_roles) + sysnet_run_ifconfig(vpnc_t, vpnc_roles) sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) @@ -83791,7 +84442,7 @@ index 9329eae..ddf48c0 100644 optional_policy(` dbus_system_bus_client(vpnc_t) -@@ -125,7 +123,3 @@ optional_policy(` +@@ -125,7 +121,3 @@ optional_policy(` optional_policy(` networkmanager_attach_tun_iface(vpnc_t) ') @@ -84257,7 +84908,7 @@ index b51923c..335c8c2 100644 ') diff --git a/wireshark.te b/wireshark.te -index cf5cab6..f0f5dcb 100644 +index cf5cab6..0418405 100644 --- a/wireshark.te +++ b/wireshark.te @@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) 
@@ -84269,7 +84920,15 @@ index cf5cab6..f0f5dcb 100644 allow wireshark_t self:process { signal getsched }; allow wireshark_t self:fifo_file rw_fifo_file_perms; allow wireshark_t self:shm create_shm_perms; -@@ -90,31 +90,17 @@ fs_search_auto_mountpoints(wireshark_t) +@@ -82,7 +82,6 @@ dev_read_rand(wireshark_t) + dev_read_sysfs(wireshark_t) + dev_read_urand(wireshark_t) + +-files_read_usr_files(wireshark_t) + + fs_getattr_all_fs(wireshark_t) + fs_list_inotifyfs(wireshark_t) +@@ -90,31 +89,17 @@ fs_search_auto_mountpoints(wireshark_t) auth_use_nsswitch(wireshark_t) @@ -84443,10 +85102,10 @@ index 25b702d..177cf16 100644 - allow $1_wm_t $2:dbus send_msg; -') diff --git a/wm.te b/wm.te -index 7c7f7fa..996a3d4 100644 +index 7c7f7fa..dfeac3e 100644 --- a/wm.te +++ b/wm.te -@@ -1,36 +1,42 @@ +@@ -1,36 +1,40 @@ -policy_module(wm, 1.2.5) +policy_module(wm, 1.2.0) + @@ -84476,13 +85135,12 @@ index 7c7f7fa..996a3d4 100644 - dev_read_urand(wm_domain) -+files_read_etc_files(wm_domain) - files_read_usr_files(wm_domain) - +-files_read_usr_files(wm_domain) ++ +fs_getattr_tmpfs(wm_domain) + +application_signull(wm_domain) -+ + miscfiles_read_fonts(wm_domain) -miscfiles_read_localization(wm_domain) @@ -84820,7 +85478,7 @@ index f93558c..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index ed40676..8358a63 100644 +index ed40676..94542a1 100644 --- a/xen.te +++ b/xen.te @@ -1,42 +1,34 @@ @@ -84940,7 +85598,7 @@ index ed40676..8358a63 100644 type xend_var_run_t; files_pid_file(xend_var_run_t) files_mountpoint(xend_var_run_t) -@@ -96,51 +102,51 @@ init_daemon_domain(xenstored_t, xenstored_exec_t) +@@ -96,51 +102,50 @@ init_daemon_domain(xenstored_t, xenstored_exec_t) type xenstored_tmp_t; files_tmp_file(xenstored_tmp_t) @@ -84995,7 +85653,6 @@ index ed40676..8358a63 100644 +dev_rw_xen(blktap_t) - logging_send_syslog_msg(blktap_t) -+files_read_etc_files(blktap_t) - miscfiles_read_localization(blktap_t) +logging_send_syslog_msg(blktap_t) 
@@ -85008,7 +85665,7 @@ index ed40676..8358a63 100644 ####################################### # -@@ -148,9 +154,7 @@ tunable_policy(`xend_run_blktap',` +@@ -148,9 +153,7 @@ tunable_policy(`xend_run_blktap',` # manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) @@ -85019,7 +85676,7 @@ index ed40676..8358a63 100644 logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) -@@ -160,28 +164,70 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) +@@ -160,28 +163,68 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) ######################################## # @@ -85048,8 +85705,6 @@ index ed40676..8358a63 100644 + + dev_rw_xen(qemu_dm_t) + -+ files_read_etc_files(qemu_dm_t) -+ files_read_usr_files(qemu_dm_t) + + fs_manage_xenfs_dirs(qemu_dm_t) + fs_manage_xenfs_files(qemu_dm_t) @@ -85100,7 +85755,7 @@ index ed40676..8358a63 100644 allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(xend_t, xenctl_t, fifo_file) -@@ -190,33 +236,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) +@@ -190,33 +233,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) @@ -85145,7 +85800,7 @@ index ed40676..8358a63 100644 kernel_read_kernel_sysctls(xend_t) kernel_read_system_state(xend_t) -@@ -228,41 +278,31 @@ kernel_read_network_state(xend_t) +@@ -228,57 +275,39 @@ kernel_read_network_state(xend_t) corecmd_exec_bin(xend_t) corecmd_exec_shell(xend_t) 
@@ -85191,11 +85846,12 @@ index ed40676..8358a63 100644 domain_dontaudit_read_all_domains_state(xend_t) -domain_dontaudit_ptrace_all_domains(xend_t) - files_read_etc_files(xend_t) +-files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) -@@ -271,14 +311,8 @@ files_manage_etc_runtime_files(xend_t) + files_read_kernel_img(xend_t) + files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t, file) - files_read_usr_files(xend_t) +-files_read_usr_files(xend_t) files_read_default_symlinks(xend_t) -files_search_mnt(xend_t) @@ -85208,7 +85864,7 @@ index ed40676..8358a63 100644 storage_read_scsi_generic(xend_t) -@@ -295,7 +329,8 @@ locallogin_dontaudit_use_fds(xend_t) +@@ -295,7 +324,8 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -85218,7 +85874,7 @@ index ed40676..8358a63 100644 miscfiles_read_hwdata(xend_t) sysnet_domtrans_dhcpc(xend_t) -@@ -308,23 +343,7 @@ sysnet_rw_dhcp_config(xend_t) +@@ -308,23 +338,7 @@ sysnet_rw_dhcp_config(xend_t) userdom_dontaudit_search_user_home_dirs(xend_t) @@ -85243,7 +85899,7 @@ index ed40676..8358a63 100644 optional_policy(` brctl_domtrans(xend_t) -@@ -342,7 +361,7 @@ optional_policy(` +@@ -342,7 +356,7 @@ optional_policy(` mount_domtrans(xend_t) ') @@ -85252,7 +85908,7 @@ index ed40676..8358a63 100644 netutils_domtrans(xend_t) ') -@@ -351,6 +370,7 @@ optional_policy(` +@@ -351,6 +365,7 @@ optional_policy(` ') optional_policy(` @@ -85260,7 +85916,7 @@ index ed40676..8358a63 100644 virt_search_images(xend_t) virt_read_config(xend_t) ') -@@ -365,13 +385,9 @@ allow xenconsoled_t self:process setrlimit; +@@ -365,13 +380,9 @@ allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; 
@@ -85276,16 +85932,18 @@ index ed40676..8358a63 100644 manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) -@@ -384,8 +400,6 @@ dev_rw_xen(xenconsoled_t) +@@ -384,10 +395,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) -domain_dontaudit_ptrace_all_domains(xenconsoled_t) - - files_read_etc_files(xenconsoled_t) - files_read_usr_files(xenconsoled_t) +-files_read_etc_files(xenconsoled_t) +-files_read_usr_files(xenconsoled_t) -@@ -400,10 +414,9 @@ term_use_console(xenconsoled_t) + fs_list_tmpfs(xenconsoled_t) + fs_manage_xenfs_dirs(xenconsoled_t) +@@ -400,10 +407,9 @@ term_use_console(xenconsoled_t) init_use_fds(xenconsoled_t) init_use_script_ptys(xenconsoled_t) @@ -85298,7 +85956,7 @@ index ed40676..8358a63 100644 xen_stream_connect_xenstore(xenconsoled_t) optional_policy(` -@@ -416,24 +429,26 @@ optional_policy(` +@@ -416,24 +422,26 @@ optional_policy(` # allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; @@ -85329,12 +85987,13 @@ index ed40676..8358a63 100644 manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -@@ -449,156 +464,37 @@ dev_rw_xen(xenstored_t) +@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t) + dev_rw_xen(xenstored_t) dev_read_sysfs(xenstored_t) - files_read_etc_files(xenstored_t) +-files_read_etc_files(xenstored_t) +-files_read_usr_files(xenstored_t) + - files_read_usr_files(xenstored_t) fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) @@ -85501,7 +86160,7 @@ index ed40676..8358a63 100644 - fs_manage_xenfs_files(xm_ssh_t) -') 
diff --git a/xfs.te b/xfs.te -index 0cea2cd..d9518f8 100644 +index 0cea2cd..7668014 100644 --- a/xfs.te +++ b/xfs.te @@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t) @@ -85512,7 +86171,15 @@ index 0cea2cd..d9518f8 100644 corenet_all_recvfrom_netlabel(xfs_t) corenet_tcp_sendrecv_generic_if(xfs_t) corenet_tcp_sendrecv_generic_node(xfs_t) -@@ -71,7 +70,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100") +@@ -63,7 +62,6 @@ fs_search_auto_mountpoints(xfs_t) + domain_use_interactive_fds(xfs_t) + + files_read_etc_runtime_files(xfs_t) +-files_read_usr_files(xfs_t) + + auth_use_nsswitch(xfs_t) + +@@ -71,7 +69,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100") logging_send_syslog_msg(xfs_t) @@ -85769,7 +86436,7 @@ index 2882821..cc48c69 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/xprint.te b/xprint.te -index 3c44d84..14b42e5 100644 +index 3c44d84..ce5e69d 100644 --- a/xprint.te +++ b/xprint.te @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t) @@ -85780,7 +86447,17 @@ index 3c44d84..14b42e5 100644 corenet_all_recvfrom_netlabel(xprint_t) corenet_tcp_sendrecv_generic_if(xprint_t) corenet_udp_sendrecv_generic_if(xprint_t) -@@ -58,7 +57,6 @@ fs_search_auto_mountpoints(xprint_t) +@@ -46,9 +45,7 @@ dev_read_urand(xprint_t) + + domain_use_interactive_fds(xprint_t) + +-files_read_etc_files(xprint_t) + files_read_etc_runtime_files(xprint_t) +-files_read_usr_files(xprint_t) + files_search_var_lib(xprint_t) + files_search_tmp(xprint_t) + +@@ -58,7 +55,6 @@ fs_search_auto_mountpoints(xprint_t) logging_send_syslog_msg(xprint_t) miscfiles_read_fonts(xprint_t) @@ -85789,10 +86466,18 @@ index 3c44d84..14b42e5 100644 sysnet_read_config(xprint_t) diff --git a/xscreensaver.te b/xscreensaver.te -index c9c9650..4a24446 100644 +index c9c9650..485e77d 100644 --- a/xscreensaver.te 
+++ b/xscreensaver.te -@@ -35,9 +35,8 @@ init_read_utmp(xscreensaver_t) +@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms; + + kernel_read_system_state(xscreensaver_t) + +-files_read_usr_files(xscreensaver_t) + + auth_use_nsswitch(xscreensaver_t) + auth_domtrans_chk_passwd(xscreensaver_t) +@@ -35,9 +34,8 @@ init_read_utmp(xscreensaver_t) logging_send_audit_msgs(xscreensaver_t) logging_send_syslog_msg(xscreensaver_t) @@ -85986,7 +86671,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..af38ff2 100644 +index 46e4cd3..68a6624 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3) @@ -85998,7 +86683,7 @@ index 46e4cd3..af38ff2 100644 ## Determine whether zabbix can ## connect to all TCP ports ##

-@@ -90,6 +90,12 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) +@@ -90,16 +90,20 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) corenet_tcp_sendrecv_zabbix_port(zabbix_t) @@ -86011,7 +86696,9 @@ index 46e4cd3..af38ff2 100644 corecmd_exec_bin(zabbix_t) corecmd_exec_shell(zabbix_t) -@@ -99,7 +105,6 @@ files_read_usr_files(zabbix_t) + dev_read_urand(zabbix_t) + +-files_read_usr_files(zabbix_t) auth_use_nsswitch(zabbix_t) @@ -86019,7 +86706,7 @@ index 46e4cd3..af38ff2 100644 zabbix_agent_tcp_connect(zabbix_t) -@@ -115,7 +120,10 @@ optional_policy(` +@@ -115,7 +119,10 @@ optional_policy(` optional_policy(` mysql_stream_connect(zabbix_t) @@ -86031,7 +86718,7 @@ index 46e4cd3..af38ff2 100644 ') optional_policy(` -@@ -125,6 +133,7 @@ optional_policy(` +@@ -125,6 +132,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -86039,7 +86726,7 @@ index 46e4cd3..af38ff2 100644 ') ######################################## -@@ -182,7 +191,6 @@ domain_search_all_domains_state(zabbix_agent_t) +@@ -182,7 +190,6 @@ domain_search_all_domains_state(zabbix_agent_t) files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) files_read_all_symlinks(zabbix_agent_t) @@ -86047,7 +86734,7 @@ index 46e4cd3..af38ff2 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,7 +198,6 @@ init_read_utmp(zabbix_agent_t) +@@ -190,7 +197,6 @@ init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) @@ -86294,7 +86981,7 @@ index 36e32df..3d08962 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index a4479b1..0aa9870 100644 +index a4479b1..15774aa 100644 --- a/zarafa.te +++ b/zarafa.te @@ -1,4 +1,4 @@ 
@@ -86419,7 +87106,7 @@ index a4479b1..0aa9870 100644 manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) -@@ -109,70 +120,89 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } +@@ -109,70 +120,84 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) @@ -86434,7 +87121,7 @@ index a4479b1..0aa9870 100644 corenet_tcp_bind_zarafa_port(zarafa_server_t) -corenet_tcp_sendrecv_zarafa_port(zarafa_server_t) - files_read_usr_files(zarafa_server_t) +-files_read_usr_files(zarafa_server_t) +auth_use_nsswitch(zarafa_server_t) + @@ -86478,9 +87165,10 @@ index a4479b1..0aa9870 100644 -corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) + +auth_use_nsswitch(zarafa_spooler_t) -+ -+######################################## -+# + + ######################################## + # +-# Zarafa domain local policy +# zarafa_gateway local policy +# + @@ -86492,9 +87180,10 @@ index a4479b1..0aa9870 100644 +####################################### +# +# zarafa-ical local policy -+# -+ -+ + # + +-allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; +-allow zarafa_domain self:process { setrlimit signal }; +corenet_tcp_bind_http_cache_port(zarafa_ical_t) + +###################################### 
@@ -86502,15 +87191,12 @@ index a4479b1..0aa9870 100644 +# zarafa-monitor local policy +# + - - ######################################## - # --# Zarafa domain local policy ++ ++######################################## ++# +# zarafa domains local policy - # - --allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; --allow zarafa_domain self:process { setrlimit signal }; ++# ++ +# bad permission on /etc/zarafa +allow zarafa_domain self:capability { dac_override chown setgid setuid }; +allow zarafa_domain self:process signal; @@ -86528,10 +87214,9 @@ index a4479b1..0aa9870 100644 - dev_read_rand(zarafa_domain) dev_read_urand(zarafa_domain) - +- -logging_send_syslog_msg(zarafa_domain) -+files_read_etc_files(zarafa_domain) - +- -miscfiles_read_localization(zarafa_domain) diff --git a/zebra.fc b/zebra.fc index 28ee4ca..e1b30b2 100644 @@ -86645,7 +87330,7 @@ index 3416401..ef64e73 100644 init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) diff --git a/zebra.te b/zebra.te -index b0803c2..ac46eb2 100644 +index b0803c2..13da3cf 100644 --- a/zebra.te +++ b/zebra.te @@ -1,4 +1,4 @@ @@ -86720,7 +87405,7 @@ index b0803c2..ac46eb2 100644 corenet_all_recvfrom_netlabel(zebra_t) corenet_tcp_sendrecv_generic_if(zebra_t) corenet_udp_sendrecv_generic_if(zebra_t) -@@ -79,48 +78,43 @@ corenet_raw_sendrecv_generic_if(zebra_t) +@@ -79,48 +78,42 @@ corenet_raw_sendrecv_generic_if(zebra_t) corenet_tcp_sendrecv_generic_node(zebra_t) corenet_udp_sendrecv_generic_node(zebra_t) corenet_raw_sendrecv_generic_node(zebra_t) 
@@ -86750,27 +87435,27 @@ index b0803c2..ac46eb2 100644 dev_read_sysfs(zebra_t) dev_rw_zero(zebra_t) -+fs_getattr_all_fs(zebra_t) -+fs_search_auto_mountpoints(zebra_t) -+ -+term_list_ptys(zebra_t) -+ - domain_use_interactive_fds(zebra_t) - -+files_search_etc(zebra_t) - files_read_etc_files(zebra_t) - files_read_etc_runtime_files(zebra_t) - --fs_getattr_all_fs(zebra_t) --fs_search_auto_mountpoints(zebra_t) +-domain_use_interactive_fds(zebra_t) - --term_list_ptys(zebra_t) -+auth_read_passwd(zebra_t) +-files_read_etc_files(zebra_t) +-files_read_etc_runtime_files(zebra_t) +- + fs_getattr_all_fs(zebra_t) + fs_search_auto_mountpoints(zebra_t) - logging_send_syslog_msg(zebra_t) + term_list_ptys(zebra_t) + +-logging_send_syslog_msg(zebra_t) ++domain_use_interactive_fds(zebra_t) ++ ++files_search_etc(zebra_t) ++files_read_etc_runtime_files(zebra_t) -miscfiles_read_localization(zebra_t) -- ++auth_read_passwd(zebra_t) ++ ++logging_send_syslog_msg(zebra_t) + sysnet_read_config(zebra_t) userdom_dontaudit_use_unpriv_user_fds(zebra_t) @@ -86781,7 +87466,7 @@ index b0803c2..ac46eb2 100644 manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) ') -@@ -139,3 +133,7 @@ optional_policy(` +@@ -139,3 +132,7 @@ optional_policy(` optional_policy(` udev_read_db(zebra_t) ') @@ -87164,10 +87849,10 @@ index 0000000..c72a70d + diff --git a/zoneminder.te b/zoneminder.te new file mode 100644 -index 0000000..a98b795 +index 0000000..67b461b --- /dev/null +++ b/zoneminder.te -@@ -0,0 +1,122 @@ +@@ -0,0 +1,121 @@ +policy_module(zoneminder, 1.0.0) + +######################################## @@ -87253,7 +87938,6 @@ index 0000000..a98b795 +dev_read_video_dev(zoneminder_t) +dev_write_video_dev(zoneminder_t) + -+files_read_usr_files(zoneminder_t) + +auth_use_nsswitch(zoneminder_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 01824b36..271189ff 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -14,12 +14,12 @@ %define BUILD_MLS 1 %endif %define POLICYVER 29 -%define POLICYCOREUTILSVER 2.1.13-53 +%define POLICYCOREUTILSVER 2.1.13-54 %define CHECKPOLICYVER 2.1.11-3 Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -524,6 +524,21 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jan 10 2013 Miroslav Grepl 3.12.1-2 +- Remove all mcs overrides and replace with t1 != mcs_constrained_types +- Add attribute_role for iptables +- mcs_process_set_categories needs to be called for type +- Implement additional role_attribute statements +- Sodo domain is attempting to get the additributes of proc_kcore_t +- Unbound uses port 8953 +- Allow svirt_t images to compromise_kernel when using pci-passthrough +- Add label for dns lib files +- Bluetooth aquires a dbus name +- Remove redundant files_read_usr_file calling +- Remove redundant files_read_etc_file calling +- Fix mozilla_run_plugin() +- Add role_attribute support for more domains + * Wed Jan 9 2013 Miroslav Grepl 3.12.1-1 - Mass merge with upstream