diff --git a/docker-selinux.tgz b/docker-selinux.tgz index fd92246e..ae91b927 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 26f2fe8c..6af8a03a 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6428,7 +6428,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..891ace5 100644 +index b31c054..1ed65a0 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6498,7 +6498,7 @@ index b31c054..891ace5 100644 /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -90,6 +106,7 @@ +@@ -90,9 +106,11 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) @@ -6506,7 +6506,11 @@ index b31c054..891ace5 100644 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -106,6 +123,7 @@ ++/dev/kfd -c gen_context(system_u:object_r:hsa_device_t,s0) + /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/random -c gen_context(system_u:object_r:random_device_t,s0) + /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0) +@@ -106,6 +124,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) 
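Review bot: The new `/dev/kfd -c gen_context(system_u:object_r:hsa_device_t,s0)` entry is inserted after `/dev/radeon` and ahead of `/dev/radio.*`, which breaks the alphabetical order the surrounding devices.fc entries keep (radeon, radio, random, raw1394). Moving it up among the other `/dev/k…` entries keeps the file scannable and makes a duplicate or conflicting pattern for the same node easy to spot on later review. A short comment next to it, `# /dev/kfd: HSA kernel fusion driver node, see hsa_device_t in devices.te`, would also tie the node name to the type name, since the two share no letters.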
@@ -6514,7 +6518,7 @@ index b31c054..891ace5 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +136,12 @@ +@@ -118,6 +137,12 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6527,7 +6531,7 @@ index b31c054..891ace5 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +153,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +154,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6542,7 +6546,7 @@ index b31c054..891ace5 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,15 +198,21 @@ ifdef(`distro_suse', ` +@@ -172,15 +199,21 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6564,7 +6568,7 @@ index b31c054..891ace5 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +230,27 @@ ifdef(`distro_debian',` +@@ -198,12 +231,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6595,7 +6599,7 @@ index b31c054..891ace5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..4e020f3 100644 +index 76f285e..6843613 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8662,7 +8666,7 @@ index 76f285e..4e020f3 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5996,1020 @@ interface(`dev_unconfined',` +@@ -4851,3 +5996,1022 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8885,6 +8889,7 @@ index 76f285e..4e020f3 100644 + type null_device_t; + type random_device_t; + type dri_device_t; ++ type hsa_device_t; + type ipmi_device_t; + type memory_device_t; + type kmsg_device_t; @@ -9151,6 +9156,7 @@ index 76f285e..4e020f3 100644 + filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random") + filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng") + filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915") ++ filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0") + filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1") @@ -9684,7 +9690,7 @@ index 76f285e..4e020f3 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..9f3512c 100644 +index 0b1a871..29965c3 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; 
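Review bot: These two hunks add `type hsa_device_t;` to the `gen_require` and `filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd")` to the named-transition interface whose header lies outside the hunk, but nothing in the visible changes adds an interface that lets a domain read or write `hsa_device_t`. If no `dev_*` accessor for the type exists elsewhere in the patch, the node gets its new label and then every confined consumer of `/dev/kfd` is denied with no policy interface available to fix it; confirm one is present or add a `dev_rw_hsa`-style interface alongside these lines. The filetrans line follows the `i915` entry rather than the alphabetical order of the neighbouring `ipmi`/`inportbm` entries, which is worth aligning while the hunk is open.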
@@ -9721,7 +9727,17 @@ index 0b1a871..9f3512c 100644 # for the IBM zSeries z90crypt hardware ssl accelorator type crypt_device_t; dev_node(crypt_device_t) -@@ -88,12 +89,33 @@ type framebuf_device_t; +@@ -78,6 +79,9 @@ dev_node(dlm_control_device_t) + type dri_device_t; + dev_node(dri_device_t) + ++type hsa_device_t; ++dev_node(hsa_device_t) ++ + type event_device_t; + dev_node(event_device_t) + +@@ -88,12 +92,33 @@ type framebuf_device_t; dev_node(framebuf_device_t) # @@ -9755,7 +9771,7 @@ index 0b1a871..9f3512c 100644 # Type for /dev/kmsg # type kmsg_device_t; -@@ -111,6 +133,7 @@ dev_node(ksm_device_t) +@@ -111,6 +136,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -9763,7 +9779,7 @@ index 0b1a871..9f3512c 100644 # # Type for /dev/lirc -@@ -118,6 +141,9 @@ dev_node(kvm_device_t) +@@ -118,6 +144,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) @@ -9773,7 +9789,7 @@ index 0b1a871..9f3512c 100644 type loop_control_device_t; dev_node(loop_control_device_t) -@@ -150,12 +176,24 @@ type modem_device_t; +@@ -150,12 +179,24 @@ type modem_device_t; dev_node(modem_device_t) # @@ -9798,7 +9814,7 @@ index 0b1a871..9f3512c 100644 # Type for /dev/cpu/mtrr and /proc/mtrr # type mtrr_device_t; -@@ -183,6 +221,12 @@ type nvram_device_t; +@@ -183,6 +224,12 @@ type nvram_device_t; dev_node(nvram_device_t) # @@ -9811,7 +9827,7 @@ index 0b1a871..9f3512c 100644 # Type for /dev/pmu # type power_device_t; -@@ -227,6 +271,10 @@ files_mountpoint(sysfs_t) +@@ -227,6 +274,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -9822,7 +9838,7 @@ index 0b1a871..9f3512c 100644 # # Type for /dev/tpm # -@@ -266,6 +314,15 @@ dev_node(usbmon_device_t) +@@ -266,6 +317,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) 
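Review bot: The new `type hsa_device_t;` / `dev_node(hsa_device_t)` block lacks the `# Type for /dev/…` header comment that the neighbouring declarations in devices.te carry (the `# Type for /dev/kmsg` block a few lines down is the pattern), so a reader cannot tell which node this type labels without grepping the .fc file. Add `# Type for /dev/kfd (HSA kernel fusion driver)` above it. It is also placed between `dri_device_t` and `event_device_t`, out of the alphabetical order the file otherwise keeps (dri, event, framebuf, …), so it should move down to its sorted position.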
@@ -9838,7 +9854,7 @@ index 0b1a871..9f3512c 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +331,7 @@ dev_node(v4l_device_t) +@@ -274,6 +334,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -9846,7 +9862,7 @@ index 0b1a871..9f3512c 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +377,8 @@ files_associate_tmp(device_node) +@@ -319,5 +380,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -10169,7 +10185,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..0715228 100644 +index cf04cb5..9e9400f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10325,7 +10341,7 @@ index cf04cb5..0715228 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -160,11 +237,379 @@ allow unconfined_domain_type domain:msg { send receive }; +@@ -160,11 +237,380 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -10657,6 +10673,7 @@ index cf04cb5..0715228 100644 + +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; ++dontaudit domain self:file create; + +ifdef(`distro_redhat',` + optional_policy(` @@ -17903,7 +17920,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..f7a29fe 100644 +index 8416beb..b204e90 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
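Review bot: `dontaudit domain self:file create;` silences this denial for every domain in the policy, and the only rationale near it is the `# broken kernel` comment that belongs to the `key link` line above. A policy-wide dontaudit removes the audit record that would otherwise show which process tripped the check, so the rule needs its own comment naming the kernel behaviour it works around and the condition for removing it, e.g. `# kernel <VERSION-placeholder> checks self:file create on process-labelled inodes; drop once fixed (bug <ID-placeholder>)`. Without that, the rule will outlive the kernel it was written for and keep hiding a denial that may later be meaningful.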
@@ -18976,7 +18993,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +2588,701 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -18985,32 +19002,26 @@ index 8416beb..f7a29fe 100644 gen_require(` - type iso9660_t; + type hugetlbfs_t; - ') - -- allow $1 iso9660_t:filesystem remount; ++ ') ++ + allow $1 hugetlbfs_t:filesystem getattr; - ') - - ######################################## - ## --## Unmount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## List hugetlbfs. - ## - ## - ## -@@ -2253,38 +2606,686 @@ interface(`fs_remount_iso9660_fs',` - ## - ## - # --interface(`fs_unmount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_list_hugetlbfs',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type hugetlbfs_t; - ') - -- allow $1 iso9660_t:filesystem unmount; ++ ') ++ + allow $1 hugetlbfs_t:dir list_dir_perms; +') + @@ -19152,6 +19163,25 @@ index 8416beb..f7a29fe 100644 +## +## +# ++interface(`fs_getattr_oracleasmfs_fs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:filesystem getattr; ++') ++ ++######################################## ++## ++## Get the attributes of an oracleasmfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_oracleasmfs',` + gen_require(` + type oracleasmfs_t; 
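Review bot: The summary added for `fs_getattr_oracleasmfs` reads "Get the attributes of an oracleasmfs filesystem", which is exactly what the new `fs_getattr_oracleasmfs_fs` immediately above it does with `allow $1 oracleasmfs_t:filesystem getattr;`, so the two interfaces are now indistinguishable from their documentation. The body of `fs_getattr_oracleasmfs` continues outside the hunk; if it grants getattr on directories or block nodes rather than on the filesystem object, its summary should say so, e.g. `## Get the attributes of oracleasmfs directories and block device nodes.`, and if it really duplicates the `_fs` variant one of the two should be removed.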
@@ -19200,6 +19230,26 @@ index 8416beb..f7a29fe 100644 + +######################################## +## ++## Read and write the oracleasm device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_oracleasm',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t) ++ manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t) ++ dev_filetrans($1, oracleasmfs_t, dir, "oracleasm") ++') ++ ++######################################## ++## +## Search inotifyfs filesystem. +## +## @@ -19634,29 +19684,35 @@ index 8416beb..f7a29fe 100644 +interface(`fs_write_kdbus_files', ` + gen_require(` + type kdbusfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem remount; + write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unmount an iso9660 filesystem, which +-## is usually used on CDs. +## Read and write kdbusfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2253,38 +3290,41 @@ interface(`fs_remount_iso9660_fs',` + ## + ## + # +-interface(`fs_unmount_iso9660_fs',` +interface(`fs_rw_kdbus_files',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type kdbusfs_t; + -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem unmount; + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) @@ -19698,7 +19754,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -2292,19 +3293,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3332,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -19726,7 +19782,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -2312,16 +3315,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3354,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # 
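Review bot: The summary of the new `fs_manage_oracleasm` interface, "Read and write the oracleasm device", understates what it grants: `manage_dirs_pattern` and `manage_blk_files_pattern` include create, unlink and rename, and `dev_filetrans($1, oracleasmfs_t, dir, "oracleasm")` additionally lets the caller create the labelled directory under /dev. Policy authors choose interfaces by their summaries, so the text should match the rules, e.g. `## Create, read, write, and delete oracleasm directories and block device nodes, and create the oracleasm directory under /dev.` The rest of this hunk only re-sequences existing kdbusfs and iso9660 interfaces.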
@@ -19747,7 +19803,7 @@ index 8416beb..f7a29fe 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3400,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3439,24 @@ interface(`fs_getattr_nfs',` ######################################## ## @@ -19772,7 +19828,7 @@ index 8416beb..f7a29fe 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3505,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3544,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -19780,7 +19836,7 @@ index 8416beb..f7a29fe 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3544,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3583,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -19788,7 +19844,7 @@ index 8416beb..f7a29fe 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3571,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3610,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -19833,7 +19889,7 @@ index 8416beb..f7a29fe 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3629,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3668,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -19842,7 +19898,7 @@ index 8416beb..f7a29fe 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3649,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3688,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -19885,7 +19941,7 @@ index 8416beb..f7a29fe 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3699,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3738,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') 
@@ -19894,7 +19950,7 @@ index 8416beb..f7a29fe 100644 ') ######################################## -@@ -2627,7 +3723,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3762,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -19903,7 +19959,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -2719,6 +3815,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3854,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -19969,7 +20025,7 @@ index 8416beb..f7a29fe 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3896,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3935,7 @@ interface(`fs_search_removable',` ## ## ## @@ -19978,7 +20034,7 @@ index 8416beb..f7a29fe 100644 ## ## # -@@ -2777,7 +3932,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3971,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -19987,7 +20043,7 @@ index 8416beb..f7a29fe 100644 ## ## # -@@ -2970,6 +4125,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4164,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -19995,7 +20051,7 @@ index 8416beb..f7a29fe 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4166,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4205,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -20003,7 +20059,7 @@ index 8416beb..f7a29fe 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4207,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4246,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -20011,7 +20067,7 @@ index 8416beb..f7a29fe 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4295,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4334,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## 
@@ -20036,56 +20092,11 @@ index 8416beb..f7a29fe 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3182,18 +4358,108 @@ interface(`fs_remount_nfsd_fs',` - ## - ## - # --interface(`fs_unmount_nfsd_fs',` -- gen_require(` -- type nfsd_fs_t; -- ') -+interface(`fs_unmount_nfsd_fs',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') -+ -+ allow $1 nfsd_fs_t:filesystem unmount; -+') -+ -+######################################## -+## -+## Get the attributes of a NFS server -+## pseudo filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_getattr_nfsd_fs',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') -+ -+ allow $1 nfsd_fs_t:filesystem getattr; -+') -+ -+######################################## -+## -+## Search NFS server directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_search_nfsd_fs',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') -+ +@@ -3224,30 +4439,120 @@ interface(`fs_search_nfsd_fs',` + type nfsd_fs_t; + ') + +- allow $1 nfsd_fs_t:dir search_dir_perms; + allow $1 nfsd_fs_t:dir search_dir_perms; +') + 
@@ -20139,53 +20150,43 @@ index 8416beb..f7a29fe 100644 + gen_require(` + type nfsd_fs_t; + ') - -- allow $1 nfsd_fs_t:filesystem unmount; ++ + read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - ') - --######################################## ++') ++ +####################################### - ## --## Get the attributes of a NFS server --## pseudo filesystem. ++## +## Read and write NFS server files. - ## - ## - ## -@@ -3201,17 +4467,17 @@ interface(`fs_unmount_nfsd_fs',` - ## - ## - # --interface(`fs_getattr_nfsd_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_rw_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - -- allow $1 nfsd_fs_t:filesystem getattr; ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ + rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - ') - - ######################################## - ## --## Search NFS server directories. ++') ++ ++######################################## ++## +## Getattr files on an nsfs filesystem - ## - ## - ## -@@ -3219,35 +4485,35 @@ interface(`fs_getattr_nfsd_fs',` - ## - ## - # --interface(`fs_search_nfsd_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_nsfs_files',` - gen_require(` -- type nfsd_fs_t; ++ gen_require(` + type nsfs_t; - ') - -- allow $1 nfsd_fs_t:dir search_dir_perms; ++ ') ++ + getattr_files_pattern($1, nsfs_t, nsfs_t) ') @@ -20224,7 +20225,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3255,17 +4521,17 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +4560,17 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -20246,7 +20247,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3273,12 +4539,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4578,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -20261,7 +20262,7 @@ index 8416beb..f7a29fe 100644 ') ######################################## -@@ -3392,7 +4658,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4697,7 @@ interface(`fs_search_ramfs',` ######################################## ## 
@@ -20270,7 +20271,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3429,7 +4695,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4734,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20279,7 +20280,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3447,7 +4713,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4752,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20288,7 +20289,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3779,6 +5045,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5084,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20313,7 +20314,7 @@ index 8416beb..f7a29fe 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5099,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5138,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20338,7 +20339,7 @@ index 8416beb..f7a29fe 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5210,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5249,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20347,7 +20348,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3916,17 +5218,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5257,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20368,7 +20369,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3934,17 +5236,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5275,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20389,7 +20390,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3952,17 +5254,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5293,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20429,7 +20430,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -3970,31 +5291,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5330,48 @@ interface(`fs_search_tmpfs',` ## ## # 
@@ -20485,12 +20486,20 @@ index 8416beb..f7a29fe 100644 ') ######################################## -@@ -4066,33 +5404,161 @@ interface(`fs_tmpfs_filetrans',` - type tmpfs_t; - ') - -- allow $2 tmpfs_t:filesystem associate; -- filetrans_pattern($1, tmpfs_t, $2, $3, $4) +@@ -4057,23 +5434,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` + ## + ## + ## +-## The name of the object being created. ++## The name of the object being created. ++## ++## ++# ++interface(`fs_tmpfs_filetrans',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + allow $2 tmpfs_t:filesystem associate; + filetrans_pattern($1, tmpfs_t, $2, $3, $4) +') 
@@ -20622,82 +20631,79 @@ index 8416beb..f7a29fe 100644 + ') + + read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) - ') - - ######################################## - ## --## Do not audit attempts to getattr --## generic tmpfs files. ++') ++ ++######################################## ++## +## Read and write character nodes on tmpfs filesystems. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. ## ## # --interface(`fs_dontaudit_getattr_tmpfs_files',` +-interface(`fs_tmpfs_filetrans',` +interface(`fs_rw_tmpfs_chr_files',` gen_require(` type tmpfs_t; ') -- dontaudit $1 tmpfs_t:file getattr; +- allow $2 tmpfs_t:filesystem associate; +- filetrans_pattern($1, tmpfs_t, $2, $3, $4) + allow $1 tmpfs_t:dir list_dir_perms; + rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## --## Do not audit attempts to read or write +-## Do not audit attempts to getattr -## generic tmpfs files. +## Do not audit attempts to read and write character nodes on tmpfs filesystems. ## ## ## -@@ -4100,72 +5566,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4081,18 +5605,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # --interface(`fs_dontaudit_rw_tmpfs_files',` +-interface(`fs_dontaudit_getattr_tmpfs_files',` +interface(`fs_dontaudit_use_tmpfs_chr_dev',` gen_require(` type tmpfs_t; ') -- dontaudit $1 tmpfs_t:file rw_file_perms; +- dontaudit $1 tmpfs_t:file getattr; + dontaudit $1 tmpfs_t:dir list_dir_perms; + dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; ') ######################################## ## --## Create, read, write, and delete --## auto moutpoints. +-## Do not audit attempts to read or write +-## generic tmpfs files. +## Do not audit attempts to create character nodes on tmpfs filesystems. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -4100,54 +5624,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # --interface(`fs_manage_auto_mountpoints',` +-interface(`fs_dontaudit_rw_tmpfs_files',` +interface(`fs_dontaudit_create_tmpfs_chr_dev',` gen_require(` -- type autofs_t; -+ type tmpfs_t; + type tmpfs_t; ') -- allow $1 autofs_t:dir manage_dir_perms; +- dontaudit $1 tmpfs_t:file rw_file_perms; + dontaudit $1 tmpfs_t:chr_file create; ') ######################################## ## --## Read generic tmpfs files. +-## Create, read, write, and delete +-## auto moutpoints. +## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems. ## ## @@ -20707,19 +20713,20 @@ index 8416beb..f7a29fe 100644 ## ## # --interface(`fs_read_tmpfs_files',` +-interface(`fs_manage_auto_mountpoints',` +interface(`fs_dontaudit_read_tmpfs_blk_dev',` gen_require(` - type tmpfs_t; +- type autofs_t; ++ type tmpfs_t; ') -- read_files_pattern($1, tmpfs_t, tmpfs_t) +- allow $1 autofs_t:dir manage_dir_perms; + dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; ') ######################################## ## --## Read and write generic tmpfs files. +-## Read generic tmpfs files. +## Do not audit attempts to read files on tmpfs filesystems. ## ## 
@@ -20729,60 +20736,82 @@ index 8416beb..f7a29fe 100644 ## ## # --interface(`fs_rw_tmpfs_files',` +-interface(`fs_read_tmpfs_files',` +interface(`fs_dontaudit_read_tmpfs_files',` gen_require(` type tmpfs_t; ') -- rw_files_pattern($1, tmpfs_t, tmpfs_t) +- read_files_pattern($1, tmpfs_t, tmpfs_t) + dontaudit $1 tmpfs_t:blk_file read; ') ######################################## ## --## Read tmpfs link files. +-## Read and write generic tmpfs files. +## Relabel character nodes on tmpfs filesystems. ## ## ## -@@ -4173,17 +5639,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4155,17 +5678,18 @@ interface(`fs_read_tmpfs_files',` ## ## # --interface(`fs_read_tmpfs_symlinks',` +-interface(`fs_rw_tmpfs_files',` +interface(`fs_relabel_tmpfs_chr_file',` gen_require(` type tmpfs_t; ') -- read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) +- rw_files_pattern($1, tmpfs_t, tmpfs_t) + allow $1 tmpfs_t:dir list_dir_perms; + relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## --## Read and write character nodes on tmpfs filesystems. +-## Read tmpfs link files. +## Read and write block nodes on tmpfs filesystems. ## ## ## -@@ -4191,37 +5658,37 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4173,17 +5697,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # --interface(`fs_rw_tmpfs_chr_files',` +-interface(`fs_read_tmpfs_symlinks',` +interface(`fs_rw_tmpfs_blk_files',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir list_dir_perms; -- rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) +- read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) ++ allow $1 tmpfs_t:dir list_dir_perms; + rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') + ######################################## + ## +-## Read and write character nodes on tmpfs filesystems. ++## Relabel block nodes on tmpfs filesystems. 
+ ## + ## + ## +@@ -4191,37 +5716,36 @@ interface(`fs_read_tmpfs_symlinks',` + ## + ## + # +-interface(`fs_rw_tmpfs_chr_files',` ++interface(`fs_getattr_tmpfs_blk_file',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir list_dir_perms; +- rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) ++ allow $1 tmpfs_t:blk_file getattr; + ') + ######################################## ## -## dontaudit Read and write character nodes on tmpfs filesystems. @@ -20814,7 +20843,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -4229,18 +5696,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5753,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -20836,7 +20865,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -4248,18 +5715,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5772,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -20860,7 +20889,7 @@ index 8416beb..f7a29fe 100644 ## ## ## -@@ -4267,32 +5735,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5792,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -20899,7 +20928,7 @@ index 8416beb..f7a29fe 100644 ') ######################################## -@@ -4407,6 +5874,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5931,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20925,7 +20954,7 @@ index 8416beb..f7a29fe 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5989,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6046,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20934,7 +20963,7 @@ index 8416beb..f7a29fe 100644 ') ######################################## -@@ -4549,7 +6037,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6094,7 @@ interface(`fs_unmount_all_fs',` ## ##
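Review bot: The interface added in the hunk that starts on the previous line is named `fs_getattr_tmpfs_blk_file` and its body is `allow $1 tmpfs_t:blk_file getattr;`, yet the summary written directly above it says "Relabel block nodes on tmpfs filesystems.", so either the name and body or the documentation is wrong. The init.te hunk later in this commit calls `fs_relabel_tmpfs_blk_file(init_t)`, and no interface of that name is defined in any hunk shown, which suggests this block was meant to be `interface(`fs_relabel_tmpfs_blk_file',` with `relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)` mirroring `fs_relabel_tmpfs_chr_file`; if a separate `fs_relabel_tmpfs_blk_file` lives outside these hunks, the summary here should instead read `## Get the attributes of block nodes on tmpfs filesystems.` Visible in the same hunk though not changed by this commit: `fs_dontaudit_read_tmpfs_files` contains `dontaudit $1 tmpfs_t:blk_file read;`, a block-device rule under a name that promises files, which looks like a copy of `fs_dontaudit_read_tmpfs_blk_dev` and should probably be `dontaudit $1 tmpfs_t:file read_file_perms;`.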

## Allow the specified domain to @@ -20943,7 +20972,7 @@ index 8416beb..f7a29fe 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6084,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6141,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -20970,7 +20999,7 @@ index 8416beb..f7a29fe 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6179,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6236,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -20996,7 +21025,7 @@ index 8416beb..f7a29fe 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6439,173 @@ interface(`fs_unconfined',` +@@ -4912,3 +6496,173 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -37425,7 +37454,7 @@ index 79a45f6..d092e6e 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..022bbb7 100644 +index 17eda24..b37411d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37550,7 +37579,7 @@ index 17eda24..022bbb7 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +161,47 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +161,48 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; @@ -37594,8 +37623,9 @@ index 17eda24..022bbb7 100644 +files_pid_filetrans(init_t, init_var_run_t, { dir file blk_file chr_file fifo_file}) +allow init_t init_var_run_t:dir mounton; +allow init_t init_var_run_t:sock_file relabelto; -+allow init_t init_var_run_t:blk_file getattr; -+allow init_t init_var_run_t:chr_file getattr; ++allow init_t init_var_run_t:blk_file { getattr relabelto }; ++allow init_t init_var_run_t:chr_file { getattr relabelto }; ++allow init_t init_var_run_t:fifo_file { getattr relabelto }; + +allow init_t machineid_t:file manage_file_perms; +files_pid_filetrans(init_t, machineid_t, file, "machine-id") 
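Review bot: The three new rules granting `{ getattr relabelto }` on `init_var_run_t` for `blk_file`, `chr_file` and `fifo_file` differ only in the object class and read more easily as one rule with a class set, `allow init_t init_var_run_t:{ blk_file chr_file fifo_file } { getattr relabelto };`, which is also how the neighbouring `files_pid_filetrans` line in this hunk already groups those classes. Allowing init to relabel device nodes under /run is a deliberate widening, so a one-line why-comment naming which objects init relabels there would let a later reviewer judge whether the permission is still needed rather than having to reconstruct it from denials.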
@@ -37604,7 +37634,7 @@ index 17eda24..022bbb7 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +211,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +212,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -37629,7 +37659,7 @@ index 17eda24..022bbb7 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +235,24 @@ domain_signal_all_domains(init_t) +@@ -139,14 +236,24 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -37655,7 +37685,7 @@ index 17eda24..022bbb7 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +261,72 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +262,72 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -37733,7 +37763,7 @@ index 17eda24..022bbb7 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +335,264 @@ ifdef(`distro_gentoo',` +@@ -186,29 +336,266 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37882,6 +37912,8 @@ index 17eda24..022bbb7 100644 +fs_manage_cgroup_files(init_t) +fs_manage_hugetlbfs_dirs(init_t) +fs_manage_tmpfs_dirs(init_t) ++fs_relabel_tmpfs_blk_file(init_t) ++fs_relabel_tmpfs_chr_file(init_t) +fs_relabel_pstore_dirs(init_t) +fs_relabel_tmpfs_dirs(init_t) +fs_relabel_tmpfs_files(init_t) @@ -38007,7 +38039,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -216,7 +600,30 @@ optional_policy(` +@@ -216,7 +603,30 @@ optional_policy(` ') optional_policy(` 
@@ -38039,7 +38071,7 @@ index 17eda24..022bbb7 100644 ') ######################################## -@@ -225,9 +632,9 @@ optional_policy(` +@@ -225,9 +635,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38051,7 +38083,7 @@ index 17eda24..022bbb7 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +665,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +668,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38068,7 +38100,7 @@ index 17eda24..022bbb7 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +690,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +693,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38111,7 +38143,7 @@ index 17eda24..022bbb7 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +727,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +730,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38123,7 +38155,7 @@ index 17eda24..022bbb7 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +739,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +742,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -38134,7 +38166,7 @@ index 17eda24..022bbb7 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +750,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +753,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38144,7 +38176,7 @@ index 17eda24..022bbb7 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +759,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +762,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38152,7 +38184,7 @@ index 17eda24..022bbb7 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +766,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +769,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38160,7 +38192,7 @@ index 17eda24..022bbb7 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +774,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +777,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38178,7 +38210,7 @@ index 17eda24..022bbb7 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +792,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +795,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -38192,7 +38224,7 @@ index 17eda24..022bbb7 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +807,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +810,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38206,7 +38238,7 @@ index 17eda24..022bbb7 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +820,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +823,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38217,7 +38249,7 @@ index 17eda24..022bbb7 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +833,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +836,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38225,7 +38257,7 @@ index 17eda24..022bbb7 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +852,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +855,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38249,7 +38281,7 @@ index 17eda24..022bbb7 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +885,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +888,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38257,7 +38289,7 @@ index 17eda24..022bbb7 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +919,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +922,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -38268,7 +38300,7 @@ index 17eda24..022bbb7 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +943,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +946,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38277,7 +38309,7 @@ index 17eda24..022bbb7 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +958,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +961,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38285,7 +38317,7 @@ index 17eda24..022bbb7 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +979,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +982,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38293,7 +38325,7 @@ index 17eda24..022bbb7 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +989,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +992,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38338,7 +38370,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -559,14 +1034,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1037,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38370,7 +38402,7 @@ index 17eda24..022bbb7 100644 ') ') -@@ -577,6 +1069,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1072,39 @@ ifdef(`distro_suse',` ') ') @@ -38410,7 +38442,7 @@ index 17eda24..022bbb7 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1114,8 @@ optional_policy(` +@@ -589,6 +1117,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -38419,7 +38451,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -610,6 +1137,7 @@ optional_policy(` +@@ -610,6 +1140,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38427,7 +38459,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -626,6 +1154,17 @@ optional_policy(` +@@ -626,6 +1157,17 @@ optional_policy(` ') optional_policy(` @@ -38445,7 +38477,7 @@ index 17eda24..022bbb7 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1181,13 @@ optional_policy(` +@@ -642,9 +1184,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38459,7 +38491,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -657,15 +1200,11 @@ optional_policy(` +@@ -657,15 +1203,11 @@ optional_policy(` ') optional_policy(` @@ -38477,7 +38509,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -686,6 +1225,15 @@ optional_policy(` +@@ -686,6 +1228,15 @@ optional_policy(` ') optional_policy(` @@ -38493,7 +38525,7 @@ index 17eda24..022bbb7 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1274,7 @@ optional_policy(` +@@ -726,6 +1277,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38501,7 +38533,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -743,7 +1292,13 @@ optional_policy(` +@@ -743,7 +1295,13 @@ optional_policy(` ') optional_policy(` @@ -38516,7 +38548,7 @@ index 17eda24..022bbb7 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1321,10 @@ optional_policy(` +@@ -766,6 +1324,10 @@ optional_policy(` ') optional_policy(` @@ -38527,7 +38559,7 @@ index 17eda24..022bbb7 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1334,20 @@ optional_policy(` +@@ -775,10 +1337,20 @@ optional_policy(` ') optional_policy(` 
@@ -38548,7 +38580,7 @@ index 17eda24..022bbb7 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1356,10 @@ optional_policy(` +@@ -787,6 +1359,10 @@ optional_policy(` ') optional_policy(` @@ -38559,7 +38591,7 @@ index 17eda24..022bbb7 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1381,6 @@ optional_policy(` +@@ -808,8 +1384,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38568,7 +38600,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -818,6 +1389,10 @@ optional_policy(` +@@ -818,6 +1392,10 @@ optional_policy(` ') optional_policy(` @@ -38579,7 +38611,7 @@ index 17eda24..022bbb7 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1402,12 @@ optional_policy(` +@@ -827,10 +1405,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38592,7 +38624,7 @@ index 17eda24..022bbb7 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1434,62 @@ optional_policy(` +@@ -857,21 +1437,62 @@ optional_policy(` ') optional_policy(` @@ -38656,7 +38688,7 @@ index 17eda24..022bbb7 100644 ') optional_policy(` -@@ -887,6 +1505,10 @@ optional_policy(` +@@ -887,6 +1508,10 @@ optional_policy(` ') optional_policy(` @@ -38667,7 +38699,7 @@ index 17eda24..022bbb7 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1519,218 @@ optional_policy(` +@@ -897,3 +1522,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -44461,7 +44493,7 @@ index d43f3b1..c5053db 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..593c90d 100644 +index 3822072..d358162 100644 --- a/policy/modules/system/selinuxutil.if 
+++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -44952,7 +44984,15 @@ index 3822072..593c90d 100644 ') ######################################## -@@ -999,6 +1363,26 @@ interface(`seutil_domtrans_semanage',` +@@ -846,6 +1210,7 @@ interface(`seutil_manage_file_contexts',` + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + manage_files_pattern($1, file_context_t, file_context_t) ++ manage_dirs_pattern($1, file_context_t, file_context_t) + ') + + ######################################## +@@ -999,6 +1364,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -44979,7 +45019,7 @@ index 3822072..593c90d 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1401,105 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1402,105 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -45087,7 +45127,7 @@ index 3822072..593c90d 100644 ') ######################################## -@@ -1041,9 +1519,15 @@ interface(`seutil_manage_module_store',` +@@ -1041,9 +1520,15 @@ interface(`seutil_manage_module_store',` ') files_search_etc($1) @@ -45103,7 +45143,7 @@ index 3822072..593c90d 100644 ') ####################################### -@@ -1067,6 +1551,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1552,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## @@ -45128,7 +45168,7 @@ index 3822072..593c90d 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1639,121 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1640,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') 
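Review bot: Adding `manage_dirs_pattern($1, file_context_t, file_context_t)` to `seutil_manage_file_contexts` silently widens every existing caller from managing file-context files to creating and removing directories in the tree that drives relabelling, while the interface's summary (outside this hunk) still describes only files. If a specific caller needs this, name it in a comment above the new line, e.g. `# semanage/setfiles create and remove per-store subdirectories here`, or expose it as a separate `seutil_manage_file_context_dirs` interface so callers opt in rather than inherit the extra rights. The interface's documentation block begins before this hunk.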
@@ -46213,7 +46253,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..8edb742 100644 +index 2cea692..1c74c66 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -46630,7 +46670,7 @@ index 2cea692..8edb742 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1053,143 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1053,144 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -46704,6 +46744,7 @@ index 2cea692..8edb742 100644 + files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger") + files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf") ++ files_etc_filetrans($1, net_conf_t, lnk_file, "resolv.conf") + files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager") + files_etc_filetrans($1, net_conf_t, file, "denyhosts") + files_etc_filetrans($1, net_conf_t, file, "hosts") @@ -46775,7 +46816,7 @@ index 2cea692..8edb742 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..162b975 100644 +index a392fc4..518cf50 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) 
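Review bot: The new `files_etc_filetrans($1, net_conf_t, lnk_file, "resolv.conf")` labels an `/etc/resolv.conf` symlink `net_conf_t`, so every domain using this interface that can create that symlink decides where resolver configuration is read from; that is the expected systemd-resolved/NetworkManager layout, but it deserves a why-comment so the entry is not mistaken for a duplicate of the hidden-dotfile rule above it: `# /etc/resolv.conf is itself a symlink on resolved-managed hosts`. The inner hunk header grows by exactly one line, so no matching `file` transition for the bare name is added here; confirm one already exists earlier in the interface. The enclosing interface begins before this hunk, so its name is not visible.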
@@ -46817,7 +46858,7 @@ index a392fc4..162b975 100644 ifdef(`distro_debian',` init_daemon_run_dir(net_conf_t, "network") -@@ -48,10 +61,10 @@ ifdef(`distro_debian',` +@@ -48,10 +61,11 @@ ifdef(`distro_debian',` # DHCP client local policy # allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; @@ -46827,10 +46868,11 @@ index a392fc4..162b975 100644 dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; +allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms }; ++allow dhcpc_t self:cap_userns { net_bind_service }; allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; -@@ -64,8 +77,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +@@ -64,8 +78,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -46842,7 +46884,7 @@ index a392fc4..162b975 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -74,6 +90,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) +@@ -74,6 +91,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -46851,7 +46893,7 @@ index a392fc4..162b975 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -95,14 +113,13 @@ kernel_rw_net_sysctls(dhcpc_t) +@@ -95,14 +114,13 @@ kernel_rw_net_sysctls(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_shell(dhcpc_t) 
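Review bot: `allow dhcpc_t self:cap_userns { net_bind_service };` is added beside the existing `capability` rule without recording which client exercises a capability inside a user namespace; `cap_userns` is only consulted once a `dhcpc_t` process sits in a non-initial user namespace, so the grant is narrow, but the trigger (a sandboxed dhclient/dhcpcd or a helper, presumably) should be written down. Add a line such as `# dhcp client binding its port from inside a user namespace` above the rule, or the bug reference that prompted it. The dhcpc_t block continues outside this hunk.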
@@ -46872,7 +46914,7 @@ index a392fc4..162b975 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -112,22 +129,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) +@@ -112,22 +130,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_udp_bind_all_unreserved_ports(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) @@ -46900,7 +46942,7 @@ index a392fc4..162b975 100644 fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -137,11 +157,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -137,11 +158,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -46919,7 +46961,7 @@ index a392fc4..162b975 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -161,7 +187,21 @@ ifdef(`distro_ubuntu',` +@@ -161,7 +188,21 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -46942,7 +46984,7 @@ index a392fc4..162b975 100644 ') optional_policy(` -@@ -179,10 +219,6 @@ optional_policy(` +@@ -179,10 +220,6 @@ optional_policy(` ') optional_policy(` @@ -46953,7 +46995,7 @@ index a392fc4..162b975 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -195,23 +231,31 @@ optional_policy(` +@@ -195,23 +232,31 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -46988,7 +47030,7 @@ index a392fc4..162b975 100644 ') optional_policy(` -@@ -221,7 +265,16 @@ optional_policy(` +@@ -221,7 +266,16 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -47006,7 +47048,7 @@ index a392fc4..162b975 100644 ') optional_policy(` -@@ -233,6 +286,10 @@ optional_policy(` +@@ -233,6 +287,10 @@ optional_policy(` ') optional_policy(` 
@@ -47017,7 +47059,7 @@ index a392fc4..162b975 100644 vmware_append_log(dhcpc_t) ') -@@ -264,29 +321,66 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,29 +322,66 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -47084,7 +47126,7 @@ index a392fc4..162b975 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +393,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +394,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -47142,7 +47184,7 @@ index a392fc4..162b975 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +448,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +449,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -47155,7 +47197,7 @@ index a392fc4..162b975 100644 ') optional_policy(` -@@ -350,7 +466,16 @@ optional_policy(` +@@ -350,7 +467,16 @@ optional_policy(` ') optional_policy(` @@ -47173,7 +47215,7 @@ index a392fc4..162b975 100644 ') optional_policy(` -@@ -371,3 +496,13 @@ optional_policy(` +@@ -371,3 +497,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -47189,7 +47231,7 @@ index a392fc4..162b975 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..8b77d7a +index 0000000..fc4c791 --- /dev/null +++ b/policy/modules/system/systemd.fc @@ -0,0 +1,71 @@ 
@@ -47224,13 +47266,13 @@ index 0000000..8b77d7a +/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0) +/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0) +/usr/lib/systemd/system/systemd-hwdb.*\.service -- gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0) -+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*reboot.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*sleep.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*shutdown.* -- gen_context(system_u:object_r:power_unit_file_t,s0) -+/usr/lib/systemd/system/.*suspend.* -- gen_context(system_u:object_r:power_unit_file_t,s0) ++/usr/lib/systemd/system/.*halt.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) ++/usr/lib/systemd/system/.*hibernate.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) ++/usr/lib/systemd/system/.*power.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) ++/usr/lib/systemd/system/.*reboot.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) ++/usr/lib/systemd/system/.*sleep.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) ++/usr/lib/systemd/system/.*shutdown.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) ++/usr/lib/systemd/system/.*suspend.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) +/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) 
+/usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0) @@ -49035,10 +49077,10 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..d141c81 +index 0000000..f2c6d14 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,969 @@ +@@ -0,0 +1,971 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49347,7 +49389,7 @@ index 0000000..d141c81 +# systemd_machined local policy +# + -+allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace }; ++allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace kill }; +allow systemd_machined_t systemd_unit_file_t:service { status start }; +allow systemd_machined_t self:unix_dgram_socket create_socket_perms; + @@ -49361,6 +49403,8 @@ index 0000000..d141c81 +manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) +init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines") + ++fs_read_nsfs_files(systemd_machined_t) ++ +kernel_dgram_send(systemd_machined_t) +# This is a bug, but need for now. +kernel_read_unlabeled_state(systemd_machined_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index ff08db52..ecd1d07d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -589,7 +589,7 @@ index 058d908..ee0c559 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..22f5977 100644 +index eb50f07..22e6c69 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -902,7 +902,7 @@ index eb50f07..22f5977 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +292,11 @@ optional_policy(` +@@ -234,15 +292,22 @@ optional_policy(` ') optional_policy(` 
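Review bot: The tightened unit-file regexes are inconsistent with each other: `.*halt.(service|target)` uses an unescaped `.` (any single character, not a literal dot) and drops the `.*` the other six keep, while the rest use `.*\.(service|target)`; the first line should read `/usr/lib/systemd/system/.*halt.*\.(service|target) -- gen_context(system_u:object_r:power_unit_file_t,s0)`. Beyond that, `.*power.*\.(service|target)` and `.*sleep.*\.(service|target)` still match any unit whose name merely contains those substrings (a `upower.service`, if present, would be labelled `power_unit_file_t` and inherit whatever rights other modules grant on that type), so anchoring on the actual unit names would be the safer labelling. The file is new in the inner patch, so there is no upstream labelling to compare against.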
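Review bot: Adding `kill` to the `systemd_machined_t` self capability set satisfies only the CAP_KILL check; whether machined may actually signal processes in container domains is decided by `process { signal sigkill ... }` rules toward those domains, none of which appear in this hunk. If the denial being fixed was on the `capability` class alone this is complete, but it is worth confirming the matching `process` permission (or the interface that grants it) is already in place rather than growing the capability set one denial at a time. A comment stating the purpose would help the next reader: `# kill: terminate container leader processes (machinectl terminate)`. The machined block of systemd.te continues outside this hunk.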
@@ -914,7 +914,10 @@ index eb50f07..22f5977 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +306,7 @@ optional_policy(` + rpm_manage_log(abrt_t) + rpm_manage_pid_files(abrt_t) ++ rpm_read_tmp_files(abrt_t) + rpm_read_db(abrt_t) rpm_signull(abrt_t) ') @@ -922,7 +925,7 @@ index eb50f07..22f5977 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +317,21 @@ optional_policy(` +@@ -253,9 +318,21 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -945,7 +948,7 @@ index eb50f07..22f5977 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +342,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +343,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -960,7 +963,7 @@ index eb50f07..22f5977 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +361,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +362,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -968,7 +971,7 @@ index eb50f07..22f5977 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +370,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +371,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -989,7 +992,7 @@ index eb50f07..22f5977 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +391,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +392,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1016,7 +1019,7 @@ index eb50f07..22f5977 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +427,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +428,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -1030,7 +1033,7 @@ index eb50f07..22f5977 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +445,11 @@ optional_policy(` +@@ -343,10 +446,11 @@ optional_policy(` ####################################### # @@ -1044,7 +1047,7 @@ index eb50f07..22f5977 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +468,78 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +469,78 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1127,7 +1130,7 @@ index eb50f07..22f5977 100644 ####################################### # -@@ -404,25 +547,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +548,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1190,7 +1193,7 @@ index eb50f07..22f5977 100644 ') ####################################### -@@ -430,10 +608,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +609,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # 
@@ -22115,7 +22118,7 @@ index dda905b..5587295 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..a5ea200 100644 +index 62d22cb..90fc04d 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -22264,9 +22267,9 @@ index 62d22cb..a5ea200 100644 - files_search_var_lib($1) read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) - -+ dev_read_urand($1) + ++ dev_read_urand($1) + + # For connecting to the bus files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) @@ -22645,7 +22648,7 @@ index 62d22cb..a5ea200 100644 ## ## ## Type to be used as a domain. -@@ -397,81 +410,67 @@ interface(`dbus_manage_lib_files',` +@@ -397,199 +410,228 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -22685,10 +22688,25 @@ index 62d22cb..a5ea200 100644 ## ## -## Type to be used as a domain. --## --## ++## Domain allowed access. + ## + ## -## --## ++# ++interface(`dbus_use_system_bus_fds',` ++ gen_require(` ++ type system_dbusd_t; ++ ') ++ ++ allow $1 system_dbusd_t:fd use; ++') ++ ++######################################## ++## ++## Allow unconfined access to the system DBUS. ++## ++## + ## -## Type of the program to be used as an -## entry point to this domain. +## Domain allowed access. 
@@ -22696,174 +22714,195 @@ index 62d22cb..a5ea200 100644 ## # -interface(`dbus_all_session_domain',` -+interface(`dbus_use_system_bus_fds',` ++interface(`dbus_unconfined',` gen_require(` - type session_bus_type; -+ type system_dbusd_t; ++ attribute dbusd_unconfined; ') - domtrans_pattern(session_bus_type, $2, $1) - - dbus_all_session_bus_client($1) - dbus_connect_all_session_bus($1) -+ allow $1 system_dbusd_t:fd use; ++ typeattribute $1 dbusd_unconfined; ') ######################################## ## -## Allow a application domain to be -## started by the specified session bus. -+## Allow unconfined access to the system DBUS. ++## Delete all dbus pid files ## -## --## ++## + ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). --## --## ++## Domain allowed access. + ## + ## ++# ++interface(`dbus_delete_pid_files',` ++ gen_require(` ++ type system_dbusd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++') ++ ++######################################## ++## ++## Read all dbus pid files ++## ## ## -## Type to be used as a domain. --## --## ++## Domain allowed access. + ## + ## -## --## ++# ++interface(`dbus_read_pid_files',` ++ gen_require(` ++ type system_dbusd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ++## ++## + ## -## Type of the program to be used as an -## entry point to this domain. -+## Domain allowed access. ++## Domain to not audit. 
## ## # -interface(`dbus_spec_session_domain',` -+interface(`dbus_unconfined',` ++interface(`dbus_dontaudit_stream_connect_session_bus',` gen_require(` - type $1_dbusd_t; -+ attribute dbusd_unconfined; ++ attribute session_bus_type; ') - domtrans_pattern($1_dbusd_t, $2, $3) - - dbus_spec_session_bus_client($1, $2) - dbus_connect_spec_session_bus($1, $2) -+ typeattribute $1 dbusd_unconfined; ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; ') ######################################## ## -## Acquire service on the DBUS system bus. -+## Delete all dbus pid files - ## - ## - ## -@@ -479,18 +478,18 @@ interface(`dbus_spec_session_domain',` - ## - ## - # --interface(`dbus_connect_system_bus',` -+interface(`dbus_delete_pid_files',` - gen_require(` -- type system_dbusd_t; -- class dbus acquire_svc; -+ type system_dbusd_var_run_t; - ') - -- allow $1 system_dbusd_t:dbus acquire_svc; -+ files_search_pids($1) -+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) - ') - - ######################################## - ## --## Send messages to the DBUS system bus. -+## Read all dbus pid files - ## - ## - ## -@@ -498,98 +497,121 @@ interface(`dbus_connect_system_bus',` - ## - ## - # --interface(`dbus_send_system_bus',` -+interface(`dbus_read_pid_files',` - gen_require(` -- type system_dbusd_t; -- class dbus send_msg; -+ type system_dbusd_var_run_t; - ') - -- allow $1 system_dbusd_t:dbus send_msg; -+ files_search_pids($1) -+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) - ') - - ######################################## - ## --## Unconfined access to DBUS system bus. -+## Do not audit attempts to connect to ++## Allow attempts to connect to +## session bus types with a unix +## stream socket. ## ## ## -## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`dbus_connect_system_bus',` ++interface(`dbus_stream_connect_session_bus',` + gen_require(` +- type system_dbusd_t; +- class dbus acquire_svc; ++ attribute session_bus_type; + ') + +- allow $1 system_dbusd_t:dbus acquire_svc; ++ allow $1 session_bus_type:unix_stream_socket connectto; + ') + + ######################################## + ## +-## Send messages to the DBUS system bus. ++## Do not audit attempts to send dbus ++## messages to session bus types. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dbus_send_system_bus',` ++interface(`dbus_chat_session_bus',` + gen_require(` +- type system_dbusd_t; ++ attribute session_bus_type; + class dbus send_msg; + ') + +- allow $1 system_dbusd_t:dbus send_msg; ++ allow $1 session_bus_type:dbus send_msg; ++ allow session_bus_type $1:dbus send_msg; + ') + + ######################################## + ## +-## Unconfined access to DBUS system bus. ++## Do not audit attempts to send dbus ++## messages to session bus types. + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. ## ## # -interface(`dbus_system_bus_unconfined',` -+interface(`dbus_dontaudit_stream_connect_session_bus',` ++interface(`dbus_dontaudit_chat_session_bus',` gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; + attribute session_bus_type; ++ class dbus send_msg; ') - allow $1 system_dbusd_t:dbus *; -+ dontaudit $1 session_bus_type:unix_stream_socket connectto; ++ dontaudit $1 session_bus_type:dbus send_msg; ') ######################################## ## -## Create a domain for processes which -## can be started by the DBUS system bus. -+## Allow attempts to connect to -+## session bus types with a unix -+## stream socket. ++## Do not audit attempts to send dbus ++## messages to system bus types. ## ## ## -## Type to be used as a domain. -+## Domain to not audit. 
- ## - ## +-## +-## -## -+# -+interface(`dbus_stream_connect_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ ') -+ -+ allow $1 session_bus_type:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to session bus types. -+## -+## - ## +-## -## Type of the program to be used as an entry point to this domain. +## Domain to not audit. ## ## # -interface(`dbus_system_domain',` -+interface(`dbus_chat_session_bus',` ++interface(`dbus_dontaudit_chat_system_bus',` gen_require(` - type system_dbusd_t; - role system_r; -+ attribute session_bus_type; ++ attribute system_bus_type; + class dbus send_msg; ') @@ -22880,38 +22919,21 @@ index 62d22cb..a5ea200 100644 - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) -+ allow $1 session_bus_type:dbus send_msg; -+ allow session_bus_type $1:dbus send_msg; -+') - +- - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to session bus types. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_chat_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ class dbus send_msg; - ') -+ -+ dontaudit $1 session_bus_type:dbus send_msg; +- ') ++ dontaudit $1 system_bus_type:dbus send_msg; ++ dontaudit system_bus_type $1:dbus send_msg; ') ######################################## ## -## Use and inherit DBUS system bus -## file descriptors. -+## Do not audit attempts to send dbus -+## messages to system bus types. ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## 
@@ -22921,16 +22943,14 @@ index 62d22cb..a5ea200 100644 ## # -interface(`dbus_use_system_bus_fds',` -+interface(`dbus_dontaudit_chat_system_bus',` ++interface(`dbus_dontaudit_stream_connect_system_dbusd',` gen_require(` - type system_dbusd_t; -+ attribute system_bus_type; -+ class dbus send_msg; ++ attribute system_dbusd_t; ') - allow $1 system_dbusd_t:fd use; -+ dontaudit $1 system_bus_type:dbus send_msg; -+ dontaudit system_bus_type $1:dbus send_msg; ++ dontaudit $1 system_dbusd_t:unix_stream_socket connectto; ') ######################################## @@ -22942,7 +22962,7 @@ index 62d22cb..a5ea200 100644 ## ## ## -@@ -597,28 +619,50 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +639,50 @@ interface(`dbus_use_system_bus_fds',` ## ## # @@ -26184,10 +26204,10 @@ index 0000000..d22ed69 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..e44017c +index 0000000..2387876 --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,91 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -26248,6 +26268,8 @@ index 0000000..e44017c +files_read_etc_runtime_files(dnssec_trigger_t) +files_dontaudit_list_tmp(dnssec_trigger_t) + ++libs_exec_ldconfig(dnssec_trigger_t) ++ +logging_send_syslog_msg(dnssec_trigger_t) + +auth_use_nsswitch(dnssec_trigger_t) @@ -31331,10 +31353,10 @@ index 0000000..cf9f7bf +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..2d357a2 +index 0000000..efd838f --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,71 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -31379,6 +31401,8 @@ index 0000000..2d357a2 + +dev_read_urand(geoclue_t) + ++logging_send_syslog_msg(geoclue_t) ++ +miscfiles_read_certs(geoclue_t) + +sysnet_dns_name_resolve(geoclue_t) @@ -34941,7 +34965,7 @@ index ab09d61..1a07290 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') 
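Review bot: The `gen_require` of the new `dbus_dontaudit_stream_connect_system_dbusd` declares `attribute system_dbusd_t;`, but `system_dbusd_t` is a type everywhere else in this file (the removed `dbus_use_system_bus_fds` body just above required `type system_dbusd_t;`), so this require block will not resolve when the module is built; it should read `type system_dbusd_t;`. The doc block for this interface, which begins in the previous hunk (`@@ -22880`), still says "Do not audit attempts to connect to session bus types" although the rule targets `system_dbusd_t`; change it to `## Do not audit attempts to connect to the system bus with a unix stream socket.`. The new call in gnome.te (hunk at `@@ -35235`) depends on this interface compiling.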
diff --git a/gnome.te b/gnome.te -index 63893eb..d759604 100644 +index 63893eb..3508b98 100644 --- a/gnome.te +++ b/gnome.te @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) @@ -34980,7 +35004,7 @@ index 63893eb..d759604 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; +@@ -31,105 +50,229 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; 
@@ -35032,41 +35056,41 @@ index 63893eb..d759604 100644 +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - --domain_use_interactive_fds(gnomedomain) ++ +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) - --files_read_etc_files(gnomedomain) ++ +allow gconfd_t gconf_etc_t:dir list_dir_perms; +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) + +dev_read_urand(gconfd_t) +-domain_use_interactive_fds(gnomedomain) + +-files_read_etc_files(gnomedomain) + -miscfiles_read_localization(gnomedomain) ++logging_send_syslog_msg(gconfd_t) -logging_send_syslog_msg(gnomedomain) - --userdom_use_user_terminals(gnomedomain) -+logging_send_syslog_msg(gconfd_t) -+ +userdom_manage_user_tmp_sockets(gconfd_t) +userdom_manage_user_tmp_dirs(gconfd_t) +userdom_tmp_filetrans_user_tmp(gconfd_t, dir) +-userdom_use_user_terminals(gnomedomain) ++optional_policy(` ++ nscd_dontaudit_search_pid(gconfd_t) ++') + optional_policy(` - xserver_rw_xdm_pipes(gnomedomain) - xserver_use_xdm_fds(gnomedomain) -+ nscd_dontaudit_search_pid(gconfd_t) ++ xserver_use_xdm_fds(gconfd_t) ++ xserver_rw_xdm_pipes(gconfd_t) ') -############################## -+optional_policy(` -+ xserver_use_xdm_fds(gconfd_t) -+ xserver_rw_xdm_pipes(gconfd_t) -+') -+ +####################################### # -# Conf daemon local Policy @@ -35235,6 +35259,10 @@ index 63893eb..d759604 100644 + xserver_append_xdm_home_files(gkeyringd_domain) + xserver_read_xdm_home_files(gkeyringd_domain) + xserver_use_xdm_fds(gkeyringd_domain) ++') ++ ++optional_policy(` ++ dbus_dontaudit_stream_connect_system_dbusd(gkeyringd_domain) ') optional_policy(` @@ -41625,7 +41653,7 @@ index 3a00b3a..92f125f 100644 +') + 
diff --git a/kdump.te b/kdump.te -index 715fc21..9852a07 100644 +index 715fc21..14a5a0f 100644 --- a/kdump.te +++ b/kdump.te @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) @@ -41659,7 +41687,8 @@ index 715fc21..9852a07 100644 +# kdump local policy # - allow kdump_t self:capability { sys_boot dac_override }; +-allow kdump_t self:capability { sys_boot dac_override }; ++allow kdump_t self:capability { sys_admin sys_boot dac_override }; +#allow kdump_t self:capability2 compromise_kernel; + +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) @@ -42249,7 +42278,7 @@ index 4fe75fd..3504a9b 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f6c00d8..e3cb4f1 100644 +index f6c00d8..192df56 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ @@ -42326,7 +42355,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',` +@@ -69,45 +69,45 @@ interface(`kerberos_domtrans_kpropd',` # interface(`kerberos_use',` gen_require(` @@ -42340,6 +42369,7 @@ index f6c00d8..e3cb4f1 100644 - dontaudit $1 krb5_conf_t:file write_file_perms; + files_search_etc($1) + read_files_pattern($1, krb5_conf_t, krb5_conf_t) ++ list_dirs_pattern($1, krb5_conf_t, krb5_conf_t) + dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; @@ -42387,7 +42417,7 @@ index f6c00d8..e3cb4f1 100644 pcscd_stream_connect($1) ') ') -@@ -119,7 +118,7 @@ interface(`kerberos_use',` +@@ -119,7 +119,7 @@ interface(`kerberos_use',` ######################################## ## @@ -42396,7 +42426,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -135,15 +134,13 @@ interface(`kerberos_read_config',` +@@ -135,15 +135,13 @@ interface(`kerberos_read_config',` files_search_etc($1) allow $1 krb5_conf_t:file read_file_perms; 
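Review bot: `allow kdump_t self:capability { sys_admin sys_boot dac_override };` grants CAP_SYS_ADMIN to kdump_t with no comment saying which operation needs it; sys_admin is the broadest capability and the rule cannot be revisited later without that context. Put the reason above the rule, e.g. `# sys_admin: <operation from the AVC denial that motivated this>`, and if a single syscall is behind it, check whether a narrower permission covers it. The rest of the kdump_t block continues outside this hunk.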
@@ -42414,7 +42444,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',` +@@ -156,13 +154,12 @@ interface(`kerberos_dontaudit_write_config',` type krb5_conf_t; ') @@ -42430,7 +42460,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',` +@@ -182,27 +179,27 @@ interface(`kerberos_rw_config',` ######################################## ## @@ -42465,7 +42495,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -210,47 +206,63 @@ interface(`kerberos_manage_krb5_home_files',` +@@ -210,47 +207,63 @@ interface(`kerberos_manage_krb5_home_files',` ## ## # @@ -42544,7 +42574,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -259,18 +271,18 @@ interface(`kerberos_home_filetrans_krb5_home',` +@@ -259,18 +272,18 @@ interface(`kerberos_home_filetrans_krb5_home',` ## ## # @@ -42567,7 +42597,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -278,49 +290,122 @@ interface(`kerberos_read_keytab',` +@@ -278,49 +291,122 @@ interface(`kerberos_read_keytab',` ## ## # @@ -42706,7 +42736,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -329,60 +414,63 @@ interface(`kerberos_manage_keytab_files',` +@@ -329,60 +415,63 @@ interface(`kerberos_manage_keytab_files',` ## ## # @@ -42791,7 +42821,7 @@ index f6c00d8..e3cb4f1 100644 ## ## ## -@@ -391,141 +479,88 @@ interface(`kerberos_read_kdc_config',` +@@ -391,141 +480,88 @@ interface(`kerberos_read_kdc_config',` ## ## # @@ -44261,10 +44291,10 @@ index c5548c5..1356fcb 100644 +userdom_use_user_ttys(ktalkd_t) diff --git a/kubernetes.fc b/kubernetes.fc new file mode 100644 -index 0000000..6ab641c +index 0000000..deda99e --- /dev/null 
+++ b/kubernetes.fc -@@ -0,0 +1,13 @@ +@@ -0,0 +1,11 @@ +/usr/lib/systemd/system/kubelet.* -- gen_context(system_u:object_r:kubelet_unit_file_t,s0) +/usr/lib/systemd/system/kube-apiserver.* -- gen_context(system_u:object_r:kube_apiserver_unit_file_t,s0) +/usr/lib/systemd/system/kube-controller-manager.* -- gen_context(system_u:object_r:kube_controller_manager_unit_file_t,s0) @@ -44275,8 +44305,6 @@ index 0000000..6ab641c +/usr/bin/kube-controller-manager -- gen_context(system_u:object_r:kube_controller_manager_exec_t,s0) +/usr/bin/kube-proxy -- gen_context(system_u:object_r:kube_proxy_exec_t,s0) + -+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:kubelet_var_lib_t,s0) -+ + diff --git a/kubernetes.if b/kubernetes.if new file mode 100644 @@ -52185,7 +52213,7 @@ index 6194b80..e27c53d 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..b341bb0 100644 +index 11ac8e4..653ba10 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -52638,7 +52666,7 @@ index 11ac8e4..b341bb0 100644 ') optional_policy(` -@@ -300,259 +339,253 @@ optional_policy(` +@@ -300,259 +339,254 @@ optional_policy(` ######################################## # @@ -52651,6 +52679,7 @@ index 11ac8e4..b341bb0 100644 -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; +dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; ++dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace }; + +allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; @@ -53037,7 +53066,7 @@ index 11ac8e4..b341bb0 100644 ') optional_policy(` -@@ -560,7 +593,11 @@ optional_policy(` +@@ -560,7 +594,11 @@ optional_policy(` ') optional_policy(` 
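Review bot: With this hunk dropping `/var/lib/kubelet(/.*)?` from kubernetes.fc and the virt.fc hunk at `@@ -111625` dropping the same path (plus the docker vfs entries), nothing visible in this patch labels the kubelet state directory any more; the `Conflicts: docker-selinux < 2:1.12.1-22` bump in the spec suggests the labeling moved into docker-selinux, but the patch does not say so. Record that dependency in the commit message or in a comment in kubernetes.fc, since an unlabeled tree would simply inherit the generic /var/lib label. If `kubelet_var_lib_t` is still declared in kubernetes.te (not in this chunk), it is now unused.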
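Review bot: `dontaudit mozilla_plugin_t self:cap_userns {sys_ptrace };` is the only permission set in this mozilla_plugin_t block written without the space after the opening brace; the neighbouring rules use `{ sys_ptrace sys_admin ... }`. Write it as `dontaudit mozilla_plugin_t self:cap_userns { sys_ptrace };`.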
@@ -53050,7 +53079,7 @@ index 11ac8e4..b341bb0 100644 ') optional_policy(` -@@ -568,108 +605,144 @@ optional_policy(` +@@ -568,108 +606,144 @@ optional_policy(` ') optional_policy(` @@ -63310,10 +63339,10 @@ index 57c0161..c554eb6 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..1ac5cf5 100644 +index 5b2cb0d..ccaa0d4 100644 --- a/nut.te +++ b/nut.te -@@ -7,154 +7,153 @@ policy_module(nut, 1.3.0) +@@ -7,154 +7,155 @@ policy_module(nut, 1.3.0) attribute nut_domain; @@ -63427,9 +63456,9 @@ index 5b2cb0d..1ac5cf5 100644 +allow nut_upsmon_t self:tcp_socket create_socket_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; - -+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) @@ -63491,13 +63520,13 @@ index 5b2cb0d..1ac5cf5 100644 +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; + +can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) ++ ++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) -manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) -+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) - +kernel_read_kernel_sysctls(nut_upsdrvctl_t) -+ + +# /sbin/upsdrvctl executes other drivers corecmd_exec_bin(nut_upsdrvctl_t) @@ -63513,6 +63542,8 @@ index 5b2cb0d..1ac5cf5 100644 init_sigchld(nut_upsdrvctl_t) ++udev_read_db(nut_upsdrvctl_t) ++ ####################################### # -# Cgi local policy @@ -67668,13 +67699,15 @@ index 0000000..3bcd32c + diff --git a/oracleasm.fc b/oracleasm.fc new file mode 100644 -index 0000000..80fb8c3 +index 0000000..c416596 --- /dev/null 
+++ b/oracleasm.fc -@@ -0,0 +1,4 @@ +@@ -0,0 +1,6 @@ + +/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0) + ++/etc/sysconfig/oracleasm-_dev_oracleasm -- gen_context(system_u:object_r:oracleasm_conf_t,s0) ++ +/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0) diff --git a/oracleasm.if b/oracleasm.if new file mode 100644 @@ -67759,10 +67792,10 @@ index 0000000..6ae382c + diff --git a/oracleasm.te b/oracleasm.te new file mode 100644 -index 0000000..14d642b +index 0000000..48fdbd5 --- /dev/null +++ b/oracleasm.te -@@ -0,0 +1,57 @@ +@@ -0,0 +1,64 @@ +policy_module(oracleasm, 1.0.0) + +######################################## @@ -67780,15 +67813,20 @@ index 0000000..14d642b +type oracleasm_tmp_t; +files_tmp_file(oracleasm_tmp_t) + ++type oracleasm_conf_t; ++files_config_file(oracleasm_conf_t) ++ +######################################## +# +# oracleasm local policy +# + -+allow oracleasm_t self:capability { fsetid fowner chown }; ++allow oracleasm_t self:capability { dac_override fsetid fowner chown }; +allow oracleasm_t self:fifo_file rw_fifo_file_perms; +allow oracleasm_t self:unix_stream_socket create_stream_socket_perms; + ++allow oracleasm_t oracleasm_conf_t:file manage_file_perms; ++ +manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t) +manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t) +files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir }) @@ -67807,8 +67845,10 @@ index 0000000..14d642b +fs_getattr_xattr_fs(oracleasm_t) +fs_list_oracleasmfs(oracleasm_t) +fs_getattr_oracleasmfs(oracleasm_t) ++fs_getattr_oracleasmfs_fs(oracleasm_t) +fs_setattr_oracleasmfs(oracleasm_t) +fs_setattr_oracleasmfs_dirs(oracleasm_t) ++fs_manage_oracleasm(oracleasm_t) + +storage_raw_read_fixed_disk(oracleasm_t) +storage_raw_read_removable_device(oracleasm_t) @@ -68803,10 +68843,10 @@ index 8176e4a..2df1789 100644 
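Review bot: `allow oracleasm_t self:capability { dac_override fsetid fowner chown };` adds dac_override, and `allow oracleasm_t oracleasm_conf_t:file manage_file_perms;` in the same hunk lets the domain rewrite its own configuration, with neither change explained. dac_override bypasses every DAC file-permission check for the domain, so it deserves a why-comment naming the access that failed without it, e.g. `# dac_override: <file/operation from the denial>`; if the failure was only on the new `oracleasm_conf_t` file, fixing that file's ownership would be the narrower remedy. `fs_manage_oracleasm` and `fs_getattr_oracleasmfs_fs` are not defined anywhere in this chunk, so the contrib build presumably relies on them being added to the base policy's filesystem.if.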
diff --git a/pcp.fc b/pcp.fc new file mode 100644 -index 0000000..26a45e3 +index 0000000..de7c78c --- /dev/null +++ b/pcp.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,33 @@ +/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0) +/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0) @@ -68829,6 +68869,10 @@ index 0000000..26a45e3 +/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) +/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0) + ++/usr/share/pcp/lib/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++ ++/usr/share/pcp/lib/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) ++ +/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0) + +/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0) @@ -68986,12 +69030,16 @@ index 0000000..80246e6 + can_exec($1, pcp_pmlogger_exec_t) +') + +diff --git a/pcp.pp b/pcp.pp +new file mode 100644 +index 0000000..fa4cfaa +Binary files /dev/null and b/pcp.pp differ diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..e81f463 +index 0000000..f302fd8 --- /dev/null +++ b/pcp.te -@@ -0,0 +1,287 @@ +@@ -0,0 +1,297 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -69262,6 +69310,7 @@ index 0000000..e81f463 +# pcp_pmlogger local policy +# + ++allow pcp_pmlogger_t self:capability chown; +allow pcp_pmlogger_t self:process setpgid; +allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read }; + @@ -69279,6 +69328,15 @@ index 0000000..e81f463 + +domain_read_all_domains_state(pcp_pmlogger_t) + ++init_read_utmp(pcp_pmlogger_t) ++ ++systemd_exec_systemctl(pcp_pmlogger_t) ++systemd_getattr_unit_files(pcp_pmlogger_t) ++ ++optional_policy(` ++ hostname_exec(pcp_pmlogger_t) ++') ++ diff --git a/pcscd.if b/pcscd.if index 43d50f9..6b1544f 100644 
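Review bot: The patch now carries `diff --git a/pcp.pp b/pcp.pp` followed by `Binary files /dev/null and b/pcp.pp differ`, i.e. a compiled policy package checked into the contrib tree as a binary stub with no payload, which `git apply` is likely to reject and `patch` will skip, and which cannot be reviewed against pcp.te in any case. Drop pcp.pp (it is a build output of this very module) and regenerate the patch. Separately, `systemd_exec_systemctl(pcp_pmlogger_t)` gives a log-collection daemon the ability to run systemctl; a one-line comment naming the pmlogger script that needs it would make that grant reviewable.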
--- a/pcscd.if @@ -84056,7 +84114,7 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..31ff402 100644 +index c99753f..0255b7e 100644 --- a/raid.te +++ b/raid.te @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; @@ -84140,7 +84198,7 @@ index c99753f..31ff402 100644 -dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_read_all_blk_files(mdadm_t) +dev_dontaudit_read_all_chr_files(mdadm_t) -+dev_getattr_generic_chr_files(mdadm_t) ++dev_getattr_all(mdadm_t) +dev_read_crash(mdadm_t) +dev_read_framebuffer(mdadm_t) dev_read_realtime_clock(mdadm_t) @@ -91443,7 +91501,7 @@ index ebe91fc..6ba4338 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..415a50b 100644 +index ef3b225..b15d901 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -91784,7 +91842,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -374,12 +479,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +479,34 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -91796,11 +91854,31 @@ index ef3b225..415a50b 100644 ######################################## ## -## Read rpm script temporary files. ++## Read rpm temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_read_tmp_files',` ++ gen_require(` ++ type rpm_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ list_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t) ++ read_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ++') ++ ++######################################## ++## +## Read RPM script temporary files. ## ## ## -@@ -399,7 +506,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +526,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## 
@@ -91809,7 +91887,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -420,8 +527,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +547,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -91819,7 +91897,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -442,7 +548,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +568,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -91828,7 +91906,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -459,11 +565,12 @@ interface(`rpm_read_db',` +@@ -459,11 +585,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -91842,7 +91920,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -482,8 +589,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +609,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -91852,7 +91930,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -503,8 +609,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +629,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -91882,7 +91960,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -517,7 +643,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +663,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -91891,7 +91969,7 @@ index ef3b225..415a50b 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +669,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +689,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -91901,7 +91979,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -563,8 +688,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +708,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## 
@@ -91911,7 +91989,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -573,43 +697,54 @@ interface(`rpm_manage_pid_files',` +@@ -573,43 +717,54 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -91983,7 +92061,7 @@ index ef3b225..415a50b 100644 ## ## ## -@@ -617,22 +752,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` +@@ -617,22 +772,57 @@ interface(`rpm_pid_filetrans_rpm_pid',` ## ## ## @@ -92052,7 +92130,7 @@ index ef3b225..415a50b 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) -@@ -641,9 +811,6 @@ interface(`rpm_admin',` +@@ -641,9 +831,6 @@ interface(`rpm_admin',` admin_pattern($1, rpm_file_t) @@ -111625,10 +111703,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..17edb35 100644 +index a4f20bc..d8b1fd1 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,114 @@ +@@ -1,51 +1,109 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -111771,11 +111849,6 @@ index a4f20bc..17edb35 100644 + +/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) + -+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) -+ -+/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) -+/var/lib/docker-latest/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) -+ +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) + @@ -113882,7 +113955,7 @@ index facdee8..12e74f1 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..75d9fa0 100644 +index f03dcf5..36bc283 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ 
@@ -114894,7 +114967,7 @@ index f03dcf5..75d9fa0 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +707,335 @@ optional_policy(` +@@ -746,44 +707,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -115071,7 +115144,7 @@ index f03dcf5..75d9fa0 100644 +dev_rw_dri(virt_domain) + +domain_use_interactive_fds(virt_domain) - ++ +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) @@ -115175,6 +115248,7 @@ index f03dcf5..75d9fa0 100644 + fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) ++ udev_read_db(virt_domain) +') + +optional_policy(` @@ -115208,7 +115282,7 @@ index f03dcf5..75d9fa0 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -115252,7 +115326,7 @@ index f03dcf5..75d9fa0 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1046,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1047,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -115279,7 +115353,7 @@ index f03dcf5..75d9fa0 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1066,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1067,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -115296,10 +115370,10 @@ index f03dcf5..75d9fa0 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) 
@@ -115313,7 +115387,7 @@ index f03dcf5..75d9fa0 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1103,20 @@ optional_policy(` +@@ -856,14 +1104,20 @@ optional_policy(` ') optional_policy(` @@ -115335,7 +115409,7 @@ index f03dcf5..75d9fa0 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1141,66 @@ optional_policy(` +@@ -888,49 +1142,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -115420,7 +115494,7 @@ index f03dcf5..75d9fa0 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1212,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1213,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -115440,7 +115514,7 @@ index f03dcf5..75d9fa0 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1233,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1234,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -115464,7 +115538,7 @@ index f03dcf5..75d9fa0 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1258,359 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1259,359 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115491,12 +115565,12 @@ index f03dcf5..75d9fa0 100644 + hal_dbus_chat(virtd_lxc_t) + ') +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') 
@@ -115717,8 +115791,9 @@ index f03dcf5..75d9fa0 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') @@ -115726,9 +115801,8 @@ index f03dcf5..75d9fa0 100644 +optional_policy(` + gear_read_pid_files(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + @@ -115909,11 +115983,11 @@ index f03dcf5..75d9fa0 100644 +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) @@ -115965,7 +116039,7 @@ index f03dcf5..75d9fa0 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1624,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115980,7 +116054,7 @@ index f03dcf5..75d9fa0 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1641,7 @@ optional_policy(` +@@ -1192,7 +1642,7 @@ optional_policy(` ######################################## # 
@@ -115989,7 +116063,7 @@ index f03dcf5..75d9fa0 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1650,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1651,257 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -116017,6 +116091,8 @@ index f03dcf5..75d9fa0 100644 + +allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config }; + ++allow virt_qemu_ga_t self:passwd passwd; ++ +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; + diff --git a/selinux-policy.spec b/selinux-policy.spec index fc314b18..a3f1f6b6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 213%{?dist} +Release: 214%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -492,7 +492,7 @@ Obsoletes: mod_fcgid-selinux <= %{version}-%{release} Obsoletes: cachefilesd-selinux <= 0.10-1 Conflicts: seedit Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 -Conflicts: docker-selinux < 2:1.12.1-21 +Conflicts: docker-selinux < 2:1.12.1-22 %description targeted SELinux Reference policy targeted base module. 
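Review bot: `++allow virt_qemu_ga_t self:passwd passwd;` in hunk `@@ -116017,6 +116091,8 @@` grants the guest agent the userspace `passwd` class permission that the password utilities check against the caller's own domain before changing any account's password, and the commit adds it unconditionally with no comment and no boolean. The only rationale is the spec changelog line "Allow guest-set-user-passwd to set users password", i.e. a request that arrives from the host side over the agent channel, so the rule effectively lets whoever controls the hypervisor reset guest account passwords; that is by design for the feature but should be visible in the policy itself. A comment directly above the rule, e.g. `# guest-set-user-password: the password tools check passwd:passwd on the agent's own domain`, would make that provenance explicit, and gating the rule behind a tunable would let deployments that do not use that command keep it denied. The surrounding virt_qemu_ga_t block begins outside the hunk.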
@@ -672,6 +672,36 @@ exit 0 %endif %changelog +* Thu Sep 15 2016 Lukas Vrabec 3.13.1-214 +- Allow attach usb device to virtual machine BZ(1276873) +- Dontaudit mozilla_plugin to sys_ptrace +- Allow nut_upsdrvctl_t domain to read udev db BZ(1375636) +- Fix typo +- Allow geoclue to send msgs to syslog. BZ(1371818) +- Allow abrt to read rpm_tmp_t dirs +- Add interface rpm_read_tmp_files() +- Remove labels for somr docker sandbox files for now. This needs to be reverted after fixes in docker-selinux +- Update oracleasm SELinux module that can manage oracleasmfs_t blk files. Add dac_override cap to oracleasm_t domain. +- Add few rules to pcp SELinux module to make ti able to start pcp_pmlogger service +- Revert "label /var/lib/kubelet as svirt_sandbox_file_t" +- Remove file context for /var/lib/kubelet. This filecontext is part of docker now +- Add oracleasm_conf_t type and allow oracleasm_t to create /dev/oracleasm +- Label /usr/share/pcp/lib/pmie as pmie_exec_t and /usr/share/pcp/lib/pmlogger as pmlogger_exec_t +- Allow mdadm_t to getattr all device nodes +- Dontaudit gkeyringd_domain to connect to system_dbusd_t +- Add interface dbus_dontaudit_stream_connect_system_dbusd() +- Allow guest-set-user-passwd to set users password. +- Allow domains using kerberos to read also kerberos config dirs +- Allow add new interface to new namespace BZ(1375124) +- Allow systemd to relalbel files stored in /run/systemd/inaccessible/ +- Add interface fs_getattr_tmpfs_blk_file() +- Dontaudit domain to create any file in /proc. This is kernel bug. +- Improve regexp for power_unit_file_t files. To catch just systemd power unit files. 
+- Add new interface fs_getattr_oracleasmfs_fs() +- Add interface fs_manage_oracleasm() +- Label /dev/kfd as hsa_device_t +- Update seutil_manage_file_contexts() interface that caller domain can also manage file_context_t dirs + * Fri Sep 02 2016 Lukas Vrabec 3.13.1-213 - Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module - Label /usr/bin/pappet as puppetagent_exec_t