From ff3605a07823d4ca17f200a75ec0411b9018e724 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Thu, 10 Aug 2017 11:25:41 +0200 Subject: [PATCH] * Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269 - Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524) - After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy - refpolicy: Define and allow map permission - init: Add NoNewPerms support for systemd. - Add nnp_nosuid_transition policycap and related class/perm definitions. --- container-selinux.tgz | Bin 6903 -> 6904 bytes policy-rawhide-base.patch | 524 ++++++++++++++++++++++++----------- policy-rawhide-contrib.patch | 4 +- selinux-policy.spec | 9 +- 4 files changed, 370 insertions(+), 167 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 6d087c8d6b40c937b3f99b6a28c85a641db5d0d0..b3dd705f507d4cd6b91127c8107a15126141629b 100644 GIT binary patch delta 6893 zcmVyO+vlF!%aze2DBcqXvt<;0O5Nq_L+d;ER% zhaWE0-|+MP!~3hNZ?4{7egFRQ`u*kAhi@+7k3anIO>p^K6;gi=O&iuh@J)7Chnpm_ z(v7|UC;eHyejWVS9P&J@AOG~XeG-&aQoL)*LmeeSSXEgXg>70EK_muBkQ6)keg5Nx zU|Ru*-%qbJ_~YbXAClSUJ`>pJ=Ukk&xEIyq?{E2RaJr+sU9n1BS)N(#LXMbB17DVZsWk*h^za(Ky@~!F;2VVdy6^Osw4yV{cGst6*TZ9c& zT~qaDjp_=t7Hi{(_BvLif2D3zzJAcks2ZCR&DGhy&Pk0ALtgKGH*@-D2Av=bzi zAAEadqWK8z3^+dgb6q8M-T>n^&5}kG%&BRRFT5JOG*QzW{ePT-w&)DWw}iUri<`Rk ziwl~R1GbQ=GfUjoF?vGa?6p~SNUYBw^JX8`$xD(tRmflNjNC)&S=zKXwrxV^K!!&? zT{h006}Phy{5yQm-G8Q8k4th>B~iLfp@UdQqPda`R34QXvjKtpN7_rzs0WW5C>G5& zL*xdb|3_GaJAZv4c^Pvor>Z@hZsYLBXg7f|HesGsOAdPQMfIL{&oTMQe)H%Z&S7}u z-!m?ZWqai%8E0HLxWvrw8pi_l`K0>N%w9!j`AT=X%5q5lSvAd1U>)EVdGmLWcZ2?k zQ0WRNrPm#g$a0^y`yd3uLkkja(sv+}Qtg#jb ze01hgQ_3w_9ZV=_s6-^CDMc~fb(DooV=0Q>4a?djytsHudHDZVL0O^v!|ac*+WKH? zB9dywZj!Xvc@=A(B4R!FcJLY}h|3$ROoDH(;lKCr-}lSzMSl7BpI^v2OBQ>T#?x%1 z`cPOD4u3#36E=SYWPG@|i=#>EyG4#L7V>jjd`yo`o8(cOP4(63?+!)UlK8uhV%Ra? 
zREUCDZ>30HCs~ObQ;<{&yX|4({vJw3*D499FI`KYyw3K}Pv3Z?B;zBn|XK9x!Yn`w7z2 zg&72zH2c%CY9FUA;em#46=yKjU~3;qJ>p#G3suYzO|)@xSG8pK;!6}1{x-;0 z5PppI%+N&{LoJpOGX5~vNaqY;tFIz#{8v)6Q$&qF!;%~#Cx%I4?-pt-KVI`%VlVi2 zgMYI8TPUQz1mEcsBrA6gR%I=;Q0&V*(Z>K^6#1en4hk(xBa*xgUdeao!1wBGHcnhd zxAQ?7;9d`Egiq(7fvKHU@y}!w4u-t z6$sfw)GJ;Le^(W_v1_TqOq_urCL@ z&;ek$)Uax=!#Gb1wie-`r)~PM#Y!NZ%NKxlr0b_F3gO?7Mh7-N2m>(mAA+U@lYbLZUv5F5uN_ z%OiUS_9enQSRbHP0dF6ORby?(-HZ9N7T~yCwy){P#SA-dxu)(LBX$~1Ej8-Qzp{SVqWW$A^ z9A8-H#27#KNNW5jWe)(>8OSZHdC9-?V&}~_I0?tOm2ooeofCdGR0{(qn}2Zlud6ak zqemLy!YRnTfFaC)Rs%`F07D|(k z3`bXx29J-6(J^<_v7yS(q}PQMyu0J5=wt=q*mG8cvCZWCa%~=J{dBW?I18%m04mno z81gcLbxhxP(Gbs1g84umEA5n=sZ6=$76s4W~)!SZ#y z*$Jy)SUeiw`I^CG0VXFbX!T=NLUWm=nl{Vci&^;UN>|;v*D745AERT3cwI@XH7ur1NZ*@R6R^%qbfU%%zDs*`Q{ zV36l8^n!}PUhB~8@_&SZU*Q>qDo)0?7O#x*>~0O}eCk>W%DQiOND@&75S=2?nS6wv zVN`!P?dsNTSnrZn(BxUO2EDQ4&S>pr)Zo}h#|#t}i^sS`@gR|P&HDsj(dzJ}FH--L z{>UCZZY%NP{fsec>|Z-eXe>#Ot2vz4YV zSePgCt^{>iw&m?qQ+f3|_&EWbni31ZnzJHR7AH-_Lu@J@T$5mk3REY!-zT64Yc-rC zB=cDKiOHLrWx?Nm`X#8!x|K0F71xst9UIdgig2U0Rc_6|Tz?yE!>mcpv?}o$F{_>* zBdVT$C_U$a-+#NhJXFCccT1gdE$vYYZj>>At{%3X3^X?laiJlr0(79$@a|I!W1J%L z;xNfUJu{_!YADHd!I`W2=CJwu8Vt8+k1D-W`X)HZgzDUrLpn4})w9>mwYIHPLqc7| zxZPk{Y&f+pYPJdQicfe!C2@dE<^nxLKG^%6>ik1o;kxf5cP9<3p8RiWy3y@#Jlg1EisKH3 zn28{zQ=Q9%HmD#!BGDsnPBkXS?9Z!#2Ea$MXW$PFvB&B}#skv|bXb&fjL|QpcTgtIBjm$VBf=0~#Ax=hyAV$n zuGv1G4q1j^JYu7dC8H3T5b_ebjNB`y14e_OVO1T7m!93M&<|ZCE&Y9}v*22qZsTNo z`ddP4-Wtq%+={&B5#hK1#K$Z{u-Cf`-UYa8V1Lrzr@K9@ytD!Dmz=SE|6&E>HbyOT zvL)16G@w7iEMWE+ykb5w)56~*+4f@;R^cYi()KZU3Zi{^Uj(-)7(iS27v8XJk~WQl z{I)3L0K0|`@aSKgw2<-l^q>yGrb*f@K;nY8#^5VT|Mcl*tQKI!hy(jN$-q9&@W6hA zNq_8-{{e+YhZ=@XJI>QLI7g_rF@`0LlcAH5WE>2xns!c%`5lvRFaevH|Pyo}Uj8dq)$Bd%J9ns<=SV85aOY|A2 zuPiNY*SGwF;vu=i@PH#~CJ><`;xyc8P~z<@NLQ`o5{d(WG&F1ylRAyopuml0)|q6% zfjf}};FG*-Gq15b!-Kg^bz)7PS~fiMRU|(!MQ}3M z`;(uhBZQA)3bQN+ux_=0X;yrn*cQ4U;5JfCWB4tvyMEp6-QSzCIER<7Tn%_Ky6lEN zfKS6{ir2xPyH+_x;k<-R;*F)tkd&S7~5a|!l?2>>|5 
zbGZAI{Q|-pPlnFlAv_?RNXQg0Iz%)R0>kYzHkS7b{R=ibV#f6Cx$CSi=1u2`*psKX zFMi)w={4CkXv?HOQs5)kP=AgVx-b4Qg7!8gbCxmL;GR;3&nluZk>RW? zA2;qpELZ7U)#W~Qny|L1X2rbb$jkwq!)(SZb0ub+J6Jq0Cl3w}%%$-r&vqB4PY-kA ziH48wD3(=O#!@n0yL}ey?hfvA!e1|sZ@M@BJVhvXzMroEyr#W+-G9+^CG~Q3EN63# zrKX!R@jWpoD?Lx#$%@Ytce*pm6L_)~9K-d|guT?=6E}gTj1m4-UeJIY%XKz)^m<`V zH6lHM=M6It;90}Wh1-uS@E!&n(liWY+i5`f4C7&zCvEKBOFhFc(!%)07%BbnCmwCU zk1F~>2gbH^kqE?y(SP)~HEuDY-mIT*LFh@wqrF*}6$O2p$yMqiY0*95OHMaUADgJn zEL9Q2_lWF83Sw)beG>Z>j_2JLA#{<_Yl?>tqc**R`4n5q=kzhYJH(Vuj~Bw;G%lft zSiN)??Xw=2lYVODW>jg%hv8_I^k~#Bz)ytry>ZSJMm75=Uw^Rk@Pf`Egbt>SIeO%* zPu1*`Ec2lAb1WTkYS=r^6Kv^r2Gh*4v|yoykM{O$TX_~CSfVn|t1Nj~)0iCR?VWD= zO3=vUcg8#WBz4A7^4Q5JTkdG8b9Kie$Sw2=dDI1CI*B_S*V7JoU2QVgXkq*$(~p?n z@C|MASZVB`!GB9>IUfJ}K(cHPUd=lcJZ6akFP-tWNzo9+AzhmgSfZZZo(}C1FN^I>nu?o9(3r_$c1Pq7j z&}vIeUX=U$IBY}5JR;j$Ogei7UI#;JN6$I-0*qHCK~}uaE2b~xX9F#hD><|&w_W38 z8y>Qj`F~j+Y$8!P*zmJKKQ_3;#N2KIT zw>me^*lQ-5jf27tU@3JAlfTTGk-o7orxmjh=W*lLUhkM%^a^jH_+}Wd*+ayx!s6{M z|4`+BJW+%(vlTqzi`Ae?;LXEmjqcMrjT8EVMSnGW;ZQ71(afpBwZdz!f^XRKQvhoV z#ahc>IAZX3wM*kbY%T{WuYBVSK?TV8!hr2+he38Kih5&>)Fq{zy$@`Ca! z5-SHLMeTF}2$`i#8dEgZ=oX!CRgPd7-JuUSeD>f2CV3_|iA$cijrkiG&v*e`cOkV8 zT><}599?Sm+M96u?X~qc=Na3_tDXthc0chT^OZo;zdi37Qab5~D+E+_!y|88ZGVv) zt@Q)jc={2OlVuS<3@usv15C$k|Z%*{kjlOFFBqJ4s1ewfTdCL`WWxtdb`};RhHc6!YRxpaB_$)Cu+jH?+WDr`~N8 zq3;@aXy2~WJ!a;)q5&hXFWX!J9e+#RuH|3iQ%_EwcymDOBSdp?m)aIhc|XEuuPSNT z*zmkdA-JSvhYy^GSRDuJxUL|Ftc*+|6m}|)UEL|k6_lyU7%8_(XfrNXJVS|e7Tl%K zspLo9vP;yRDupMGI%tHB25OWn%*W{s);QdH;zTZCg>7P;C<~aAh*t2i=6`g?Jk`x% z%D-_5yb1G7sEIsEy+ui+Ufn~K)1*!;<6T! 
z9knsiyIU$)X!tM=C!rW=9;76|@k*QBe2Aft>$xqPo{-rg_nF2tNMmVdV(tvndqeOk zyPCp|-)^)r`$1JEKqdDNoqyoB%J-x67D$J%Pjd}P80~D^rWcXH`jnX>b|&0nbzEXC zXPZ1Tm&Jt}R&=~U9ppTO6_g_6#=Q<&O50VPDFgquIv6bMw9NBxA6oJ0dt8?KvNTA- zFmMqui=#XCLQBQ6tT~g+`&l6-`W!@?7B=@8OQdKjd7IYBJ=@EC=``jbsuvvqAPo333(iq9i zU%7drZ=H^wEtm|WuC%C2UntC?8OaV*wtl2h=&%I!!hBoA(4>FSFjHl9^k#I}poS0rpn&B2W zC4fPuQoB*J!+%)q3h{Z4k^3Cu-xzVd8@<}G5WMp;#zJMd?qwWXg!_ty5Bm5u4a>(~ zM%4bXUwm3$Hs#b8cL?_7{r*jpm3PHbUI{FfACoD1E_Ti8#$` zjG5&+=;sd%Zu(Oyt$#O6Dd8mQdHl)GuN_@U!Vz1e_lzcrzR_>>7-C~sFh4pjN_H@+ z<&0)tJAWPlE0Y)Uv)P_YR8SfRF%NrX*MFo_Lywqn1U5M0I$ZG_ntHNcg=h`8l30WK zA-lsYj)ttiLK35{a`f?apAOZ_9~w83{>DWuf*}=Z)1@m@)FU^s$=}<+M*o(1ev{l3 zoi{8oR$?!2_yCqc%Ay&mE_lP#HhH32HTJ4T_kZtTjrgOXTTR)tJcFO}V?lRNw*N2llJN_;7p9Zal)-V@hnE z=YLxXkdz6%mE@eR9231AfH+DUE;$}qB|MRa;?il<1@VamI|ux5jap^A_tC`m&A8p| z;&J?AIiBtadQoNiVZAXbO*=@pD*0zP7WX|4pKuI5di?Ei?Cp2l?JE*KPhG~3Pip2d z-YJ=)$FL^otv7Fj-@4Czt8vw~+kC!qBY$R++V~AYZ%kNeK^--omgwM;&N$D=1tAZE zc1odsSAx7mL%Q2jE=23q7*6?Sm@|QPO!C$k+cPOPa{n8g9o^S2?ESy|kv)IDeYS7g zxxfE+b@~1E5Bm52u0DMI{@-W$xj_5z;@5NbMIZV)C=Q9_q2-^jTOU61MXCPSsecKc z!o0Zz{c>?=>WeJh;F^8Ga4ycjJ9+oc8%=D?`B!xi)db3ZEdvb}b%(bUVD=EbL%1c| z4wx4URuSGs%Ty52B-MZY&&7X#$4(BG?VWe%^KRP3YRpmjcZZgSEy}wxJLJi`>7r0R z;@3epB;-0Rml{>ifmcRpycAxe0)H+ui~8DQ@h(zISZ)$@(0pskf6r4{%4g>|deRD| zdJ4+r>|aj2u_EzJ1`gY7qVWyI=7O0{%i|-y#?X7P(*jk^L)8Xk_o4LielBxY= z?*5~cuv1fU%x6$o0@ n2B1%8sX)7VI6{+rX{XHBpRYe(f4=^FhM)ff?7a6)0LTCU)N+PN delta 6892 zcmVyO+vlF!%aze2DBcqXvthU7srNJL3|N4+bhkrIv(9qF6|d9sG`2t1P)!FJqRA^m=Ez}#I+KV&2Y0p+zz=B=Lk(DmpX>VAs`FHKfq^>=&b*)xF zU1o^^{x9%Yf`?I*G|d<)B1K_!F*I+Cn^s3DWaD1(SJGHqOc%J=PWyNLj5HPW0G%GmpJ$WSgAn#<#ss57MejGgWMu) zsOp-kH)~W^ptV>VN3_?mBK<3Mqawd7-2^dIGiu8^O_~XV_jv@##~D=1N04`6jij9* zsr=yED-+E}XlKCj;h*a&sq+RHw`rC%qF_!%$N-bn08B7fZJ3(3ovV>wmr*>oF+KSsL=jIjyxtXgu=gD`)Dv*J6#e zFyNyzmzq*;$?9N2K|>`XDNQMg@vfsRY#K{Z^ln(zCgH`!Q_92tzY59<*RHt2CZw zBh`n(qJMAzs+q9)BOv3$#a$dtQr|6dgt3sH+u~z-Y}zD`+H9(?PJeeO(w4;Ebri#n z`KCe?#Cj`5@;b>%+?ax-QW#J4Cg4AUnRn~9WZ)GjmiriM!f*_}7o{d2@mC;6hV;IS 
zaPbNSd;#Ns3hvM7qNHgY7IAQ2r>4zhp5(A{eSi5$eGf9qXL)-KJt1kJAM$`<3)xSQ zrY_7N(4^U)mR0*WbqNnNe5*KviN_U(1_oRENa_*iLSLw2hG?RVle?-VyBA-gpzyar zzJl;$v}cAc${1>~jF9n%xkfr?2wQy>VdKA&qMagY{27+y5IHeS5_`8$WBKu#*Ajcd zzkeH)<=;Xf{U!KLpCDPebFeCFp@m{!=7~NA_@c-cU2#xoSsIb#ZSYFII|sg3XR~qQ zGP<1)(g62*P$PUg2MtVp73W=)rO>_ekyzUnsL3qZFpM&qCt0lq4ab1tw*z~bhM^6G zhNwWu9-?0HV)(nNz>Qr?6=vcL1Th)G(0`pXG2UgM?izJudD{O5r*${_x9RRYDejg; z-Iq<kD>0G`5v?E+joOCEhy)bhPsl0!dl*FTX+Khh!PU@VRQkn zR$Cs~JFqVi-og3+wF-Fq$c;ieD}RN8VeKX#Z$HfSF0IQVpR{Rtp6;T09_y{KI^IQ( zy4^d&T?^Rh<`+BTb7szXx&cJU+Y@ZkYmi3Jq`M-_*n|x}-Ar@HKw-2xnF&S3+$S3@ z1m*a`Iw!{XxkpmtM=5&%u+BhkVa-eaofkWAzQIX2&aI4-aqpb)v!PlTIDgrM!+%|s zSsFdk2p3L4?gb2C2DBpB;7oZx;xv4-w6k{|9@;$*^c;A6>E#Oxh^6{Y30o(Ip0-e$ zd}KJff;4!1T#SynqmB(#ekQ#xq~P5hM@1(q2*;kY8jNiw=a*~qQ0u3g-NRW>Wd~5P z-o}uZ5v*hSzMDQ_485rzRDY3!aZ?_OxSV>6GIk&=;g1OG@2WWK3_@+;kP4Qs zaEY-AG_Fl}wS68~~&b?OQGW{4GJH+csV!feM zi#gr;G29)Pcr3%%hn&XnSfx7JYX_1sep0K8ACfVgutU;cOC&dxjDPYmBH>#{m4=}Z ziq$yqlIpPx7P0qZ0W_h@myTNXPq1x9tC?3lXj53lV^^uewZrDmaiN&E-mbm*@wYMT zSBaoB#bxoO*Jy0J&s`#N8;sl@BAP|w$r@U*8ahX2PK0fVM$RT|(x|_H3iJ8)!$XpYGJxn5iO%FB z^bDi=%V}4)Zo_()w1OtjnlK00Qguvk3CC5i`$tZUvU_=;ACFMW~v zpY%ue=y{twR~hd6|3Cb2`QiQG{{Q>0_y0f35A(FF^D+j-c7G~I!`tBc{QBzr@@%E) z3l`?dyemOnmTh@E)l^=+4t`Dmr>4XLu;#2tmBmRD@erGe2iGJRq5{kL&wInha%jlZIxRyFxTG(+c0aAGp$OzM$D?` z$B3$@A4<=8;D7h7E)P|3%H2|DTuXb@f*WNFpsR;%Cj-q*LtJRcssJ76G`#!N!WgHB zyf{p9P|r+hpBhSXU2x{AzBz3Ez6QfB+M`PEl)ed0GNC&6W`Q78_2ji<)i1`yyt~2EC#>4Ttnz{o-`Xohj{79Dfx3IFZxd+u<0K?(BXQl`toM zR|3Ul_JSKjl=^TYY)Kp-les_-kq`EMr#k--SGex`$lXZ;t0(`Pnr?La8;>^nnBusD zA!Z^-=~U-3p$#g?k4W^$n^TR+G5hmspaJla>>2n&L+r6Sk@3KEfXxn)B|7|R$KN)# zQAGo8IDe|lqttvpqM_=}u|D|FRc9?jCmj~09AorL=^d1b^9cFy)QB*I7crWB>@LKU zg=@Btr$d$@7?0TKW63B)CWO3%E+hBK>44E7XjoMT;-zOdEA&GbNlSm9>MXdHrrS8# zp8l55nzsh?9=9T|c|=-@jPFxQ$WE zoNNho77gf+FbkMH2CtZp%(U<~Nw)nMg;lsov$TB-o`Ps!-WS1b3I@;?{)IOzo1{(S zAipijIKZx<13dcICM{(AJw2#HuxXNZ3y`?rtugqD(m#E=8LI_YG2+0!PBO5MGd!># zVSf^PQ+(~k4>4bBnjZH!?_<7DV$q*+j+K`=_q&lWLuS~+NBhnL>W%C%8X 
z-n`k-aVh-vMKi&+x0EKpm<2`Fg)Ohnh8Ych&T;*8kBfD3({39xrE{XAPo(h#H3E6H7IbSnRO;v zaNtg40r^j5p^*v0xlW=x7Sx5??D3k-;i0N|(o2C&pqCqdH_J-fVrgD^GY{AAn}1Bd z)<0rdFtc#@yue57VY#4M?1SYn>=190X{pm(zP+;--%c%p@?v1>f z*JQRsH^t4(X|5ej^AUKpRiHg#TYo7^Klmi?+RSV0&hTJvQ=M3or#kpSd-wOIEY9KOD^~-aj4r#O z58%@{ReDW!4cap4j}-XGHGh<&h3<=gjNtv-z#S9MS%|oG{+wk@Hn^vh;j@ZpOk_AK z%g2rT5X)8iR&}{gohGbps#!6wIWluV=P;Ww%Up>W=MEMR%*lhp19NG-$+O*s>C?lU zc%tFsJBnphma&w~*KVH$ySsz?obcDn0IzAUUVnEqT}i!M9n0BV zW2x!pOngtw$x6=?ce3L1#GUSp@&ul&1;=oGG+{4w_ry)0DPx3xl@~N%$8w#`9lc(d zQ;kSZ;CaK$19;XjbK&;m3cQB_hcpcX*>)NbKErsJ$92)5j)i zGfPzj@jW7Yk%HKoXrIJ>h2wd*MF?G_^qS(~!>CQ~U_Ql`@;QBs?+!7g)8mD(H;qdu zB33WmMf%V~!p< z>r*xRB+ESL{2WV1oErAd^8{PEoxwD-EG<}Q;iJ8M+g6@M2$rbK^D0Xo)-)!^d3&du zz7jMt`JM63K1rQ%lstAa%9cBt>RjEi2yzR(LLPO&m`>tO$Mv)WURRsUHCh-y$@C-U zH+)0eJXRWeXn*ihT8_v6K9DTigIDto1^Hn#zqPHq(1paLPtoPhHgZbl_Zg|YhcKFc zPdG}wUzY_-4$D);nA_5{WsN2r#xRije!w8Uw7Ip=)6qRHVnx&3r){)1)A95O`tX5` zXrhk+t0wZA@9lh#Oh2VszR_D#m zLfs<<8wpRYfZDeCPMb)X1{B(u{%>dx@b4J9E?~C^*K{DYjuKn@O{~JM-NF+<2m!;P zI<(pnlNaUwJ`UT^F^|ah7L(3if!D#1+R<~4y#V8tNstxq^NQ&U`Po3rQ#5m`aINs#tKb{<{1m|2 zLb2BJ7mgVGUG3615Sz{ z6(@J<9>n5_Qiwosc-U@pa{(oFJ1n-A*?%HQ4jwew9j&=-T{^0UpG3e~IVrNTth}K7 zip0u+Nl`mp077PIlg1Q{HM<Ta_aiMtA4~4xc^vfJvUoP2!R#Ze#ui#xq_3*Ih{M zLs!6m6i1huz4j*DetT{G&3VT5@v3LSwcSrV$b2Qx^l#6*hLlb^;tBzk-SEg8SASdN zMr-}RHlBXOrPUVR&D;^AQ6%WB&+0!Q1}5x3B|lP6lg$3A$5ZNzzr=h*r|6L zMd-T*9@@9-bdQ;Nu4ur>>&rG*K!3+lw`=*A_|%h=C*B;;`Uufn+@-cfQ{Ip8*{e!g zHa0x(QV1?-+2I4{Ay&u1I<70oAuA)32!)->V^?=das_3oGDga+655Q*70*y2odtI( zbSn8#x9k#ir%K_8qYfIOqk$SF3-fV$gEbDfo;Z<9SYex3C&~imB%&33tbaM3F;8`K znDTF20&l{66KW!lQg2ZbsaN+9gs-C?9*IB5=J}Qw&_J=us&s`h@AriIOY#u6!-O5Ub*at|{m9)E4<8>>)pJ3q_& ze~|lp+ku9Sv54?UrofX|Yu=Qz)oYcoyP`FzD4GhRr%Q~?adg9Gl!w)5q7+kctZX@D zT?;c&i}*%gdSUYQ7-$e$xL#B8(Ci`N0Ntkp);;ZF_8E)3XEImwh&Gq3GB%1gQ>Zni z+P0xW44_v+Jc{Da^*6K#? 
zG)rH9k={HTQ|01IU7hl_=`~SLT}e9P)@P;DRui1D?}LnFIpe7`XC&NGIVYxACE_qq%##> zt82U0!A~sTVfM(fUZm^;JFsYjIgQHr96v-D7;IOW#DBl5-x<$)!BTRn#j+=CaX{OX ztg{>a@`RS)lcmuoKttN(-aR9J*TU;g(wrL?uKmSgK%+S#hm8>TK1>S+FG^o9SRzjI z8e?X;4*K~6gPZ=8O6%VZQ%X3AdLDoB^J_;}l5oV<=slx}qHpwDJ%-pA7R-;1i;^9T zYB{5s*ME*jz{=!>{A{-85*3ujLCnKm+4Udk)X*a)9DxmvxDHo5ho+vaS0P%%tt8f< ze#q`Hi=!dyuaLy3s~mlN-KRtK@`uKaq`z@di(p8F+H~p46!pkWZ1VRuu+hI|p5G)l zMduAmjFs5S8$N(#kg{k-stevQwN0L=R*k)?(SQ9rm}BjDBv;#y3^RnXwSJcw`LuCe z+Mtta-y2}9|Gl8rKTl*kAwOh0;Wm@0wj*@T%VMp6{zubPotYu_xb(Ec6w6ZzH3kDu z3b&n~Cw4}D*kkj;E|(8>sqp8a`Vx7%RW&B^byMzcFco+J_<{YZFh1O#vm1|a_Lvfz z=YRQD0wiTZZzVaWE5}4{2Oy5phD(k|RtZm}p}2G!bwPY$!Oj6cT%%SQ?|n3}eKT%% zyLcS`SdOPVf?iaaepqjeO4AO~txEnGj>UbC!zUbrj~;(}9DDm6cl(Nj&r_H2It0T2M!grzJYLq%+PlazV($ zpq)~v-<2RQ(U9);lnc>%HHK5Z8Rkr&9h1B@#`a8#jokkRXGiz-3w!@Be`L>}Z=dbk zcJA;0U0r^E{bBI^zss-R|NAUI7id3T{Cdv5=tExz#UYVAwEPox>%&LBDAgZ3HGjcV zm^YW8UoH+!eUYUbT(d72&c*q6C-2^Qqlt|<|Edn6nn2mFWuU>L?(miZ%pRh52)AV0 z0rO(PD#E*HnF=DBr24P_x%ltz*vY}Nz4H!z-c7q$jX5g+?$FY(MR`|dhdg;VT@=bk z{5t4{gj}cPQlsiQ@X9ESm%?jQz<*_CQD1v3-bG3Y%T0m~nr}_{?|CXq`Rp7=Pg)ur2d+>P#{=Tmj`-oR$=;9sL*)OL$zBmXR$YU2qpbGPS?V z-G7u4c4{h)`3wq6Ae;5p(Q3;Kzo_=I7qN^I6Zi}3G6B1|O4ERk*KA-K&9qax&?Z?= z1d{}Frm_K#RqogGDvc+ZWJM!z=;{T$W*NM9{Fco!BIK(VvvZrNpo7RWMUMfnVzW)q m0QBiB6=*jPM`)5S?UecY^Y!QJ&)1*N@biC*X8l$G$N&H&imN*S diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ce8d03c1..dcd7c995 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -896,10 +896,26 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..7c61322 100644 +index a94b169..536babe 100644 --- a/policy/flask/access_vectors 
+++ b/policy/flask/access_vectors -@@ -121,6 +121,60 @@ common x_device +@@ -20,6 +20,7 @@ common file + relabelfrom + relabelto + append ++ map + unlink + link + rename +@@ -47,6 +48,7 @@ common socket + relabelfrom + relabelto + append ++ map + # socket-specific + bind + connect +@@ -121,6 +123,60 @@ common x_device } # @@ -960,7 +976,19 @@ index a94b169..7c61322 100644 # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } -@@ -379,6 +433,7 @@ class security +@@ -331,6 +387,11 @@ class process + setsockcreate + } + ++class process2 ++{ ++ nnp_transition ++ nosuid_transition ++} + + # + # Define the access vector interpretation for ipc-related objects +@@ -379,6 +440,7 @@ class security setsecparam setcheckreqprot read_policy @@ -968,7 +996,7 @@ index a94b169..7c61322 100644 } -@@ -393,62 +448,32 @@ class system +@@ -393,62 +455,32 @@ class system syslog_mod syslog_console module_request @@ -1048,7 +1076,7 @@ index a94b169..7c61322 100644 # # Define the access vector interpretation for controlling # changes to passwd information. -@@ -690,6 +715,8 @@ class nscd +@@ -690,6 +722,8 @@ class nscd shmemhost getserv shmemserv @@ -1057,7 +1085,7 @@ index a94b169..7c61322 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +858,38 @@ inherits socket +@@ -831,6 +865,38 @@ inherits socket attach_queue } @@ -1096,7 +1124,7 @@ index a94b169..7c61322 100644 class x_pointer inherits x_device -@@ -865,3 +924,28 @@ inherits database +@@ -865,3 +931,28 @@ inherits database implement execute } @@ -1126,7 +1154,7 @@ index a94b169..7c61322 100644 +class cap2_userns +inherits cap2 diff --git a/policy/flask/security_classes b/policy/flask/security_classes -index 14a4799..6e16f5e 100644 +index 14a4799..3bd5d69 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -121,6 +121,18 @@ class kernel_service 
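Review bot: Adding `map` to `common file` and `common socket` switches on a check that, as far as I recall the kernel side, is only enforced once the policy defines the permission, so every domain that mmaps a file or device without a matching `map` rule starts getting denials the moment this policy is loaded. The later hunks add `map` to only a handful of interfaces (`dev_rw_dri`, `dev_read_sound_mixer`, `dev_rx_raw_memory`/`dev_wx_raw_memory`, `dev_rwx_vmware`, `dev_rwx_zero`, `libs_use_ld_so`); `dev_read_raw_memory` and `dev_write_raw_memory`, which the rx/wx variants call, are not visibly updated, and the perm sets that `mmap_files_pattern` expands to are not in this chunk, so I cannot tell whether ordinary library mapping is covered. I would add a comment next to the new entry, `# map is enforced by the kernel only once it is defined here; grant it wherever a domain mmaps a file`, and confirm the mmap perm sets were extended before this ships.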
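Review bot: The new `process2` class with `nnp_transition` and `nosuid_transition` is, as I understand the kernel semantics, only consulted when the `nnp_nosuid_transition` policy capability is enabled, and that capability declaration is not visible in this chunk even though the commit message lists it; without it the `process2` rules granted later in init.if are dead and NoNewPrivileges services keep failing to transition. A comment on the class, `# checked by the kernel only when policycap nnp_nosuid_transition is enabled`, would make that dependency explicit for the next reader. The matching `class process2` entry in security_classes later in this file is consistent with the definition here.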
@@ -1148,7 +1176,7 @@ index 14a4799..6e16f5e 100644 # Still More SE-X Windows stuff class x_pointer # userspace class x_keyboard # userspace -@@ -131,4 +143,15 @@ class db_view # userspace +@@ -131,4 +143,17 @@ class db_view # userspace class db_sequence # userspace class db_language # userspace @@ -1162,6 +1190,8 @@ index 14a4799..6e16f5e 100644 +# Capability checks when on a non-init user namespace +class cap_userns +class cap2_userns ++ ++class process2 + # FLASK diff --git a/policy/global_booleans b/policy/global_booleans @@ -6700,7 +6730,7 @@ index b31c054..3ad1127 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..519431d 100644 +index 76f285e..732931f 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7143,10 +7173,15 @@ index 76f285e..519431d 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -1883,6 +2105,25 @@ interface(`dev_rw_dri',` +@@ -1879,6 +2101,26 @@ interface(`dev_rw_dri',` + ') - ######################################## - ## + rw_chr_files_pattern($1, device_t, dri_device_t) ++ allow $1 dri_device_t:chr_file map; ++') ++ ++######################################## ++## +## Read and write the dri devices. +## +## @@ -7162,14 +7197,10 @@ index 76f285e..519431d 100644 + + allow $1 device_t:dir search_dir_perms; + allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## - ## Dontaudit read and write on the dri devices. - ## - ## -@@ -2017,7 +2258,7 @@ interface(`dev_rw_input_dev',` + ') + + ######################################## +@@ -2017,7 +2259,7 @@ interface(`dev_rw_input_dev',` ######################################## ## 
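Review bot: The summary of `dev_rw_inherited_dri` in this hunk reads `Read and write the dri devices.`, which is the same wording as `dev_rw_dri` directly above it, although the body only grants `rw_inherited_chr_file_perms` on `dri_device_t` (no open) plus directory search. I would change the summary line to `## Read and write inherited dri device file descriptors.` so callers do not pick this interface expecting to open the device themselves. `dev_rw_dri` gains `map` in the same hunk, which matches the other `map` additions in this commit.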
@@ -7178,7 +7209,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -2025,17 +2266,18 @@ interface(`dev_rw_input_dev',` +@@ -2025,17 +2267,18 @@ interface(`dev_rw_input_dev',` ## ## # @@ -7201,7 +7232,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -2043,7 +2285,180 @@ interface(`dev_getattr_framebuffer_dev',` +@@ -2043,7 +2286,180 @@ interface(`dev_getattr_framebuffer_dev',` ## ## # @@ -7383,7 +7414,7 @@ index 76f285e..519431d 100644 gen_require(` type device_t, framebuf_device_t; ') -@@ -2402,7 +2817,97 @@ interface(`dev_filetrans_lirc',` +@@ -2402,7 +2818,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -7482,7 +7513,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -2532,6 +3037,24 @@ interface(`dev_read_raw_memory',` +@@ -2532,6 +3038,24 @@ interface(`dev_read_raw_memory',` ######################################## ## @@ -7507,7 +7538,7 @@ index 76f285e..519431d 100644 ## Do not audit attempts to read raw memory devices ## (e.g. /dev/mem). ## -@@ -2573,6 +3096,24 @@ interface(`dev_write_raw_memory',` +@@ -2573,6 +3097,24 @@ interface(`dev_write_raw_memory',` ######################################## ## @@ -7532,7 +7563,25 @@ index 76f285e..519431d 100644 ## Read and execute raw memory devices (e.g. /dev/mem). ## ## -@@ -2725,7 +3266,7 @@ interface(`dev_write_misc',` +@@ -2587,7 +3129,7 @@ interface(`dev_rx_raw_memory',` + ') + + dev_read_raw_memory($1) +- allow $1 memory_device_t:chr_file execute; ++ allow $1 memory_device_t:chr_file { map execute }; + ') + + ######################################## +@@ -2606,7 +3148,7 @@ interface(`dev_wx_raw_memory',` + ') + + dev_write_raw_memory($1) +- allow $1 memory_device_t:chr_file execute; ++ allow $1 memory_device_t:chr_file { map execute }; + ') + + ######################################## +@@ -2725,7 +3267,7 @@ interface(`dev_write_misc',` ## ## ## 
@@ -7541,7 +7590,7 @@ index 76f285e..519431d 100644 ## ## # -@@ -2811,7 +3352,7 @@ interface(`dev_rw_modem',` +@@ -2811,7 +3353,7 @@ interface(`dev_rw_modem',` ######################################## ## @@ -7550,7 +7599,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -2819,17 +3360,17 @@ interface(`dev_rw_modem',` +@@ -2819,17 +3361,17 @@ interface(`dev_rw_modem',` ## ## # @@ -7572,7 +7621,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -2837,17 +3378,17 @@ interface(`dev_getattr_mouse_dev',` +@@ -2837,17 +3379,17 @@ interface(`dev_getattr_mouse_dev',` ## ## # @@ -7594,7 +7643,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -2855,12 +3396,84 @@ interface(`dev_setattr_mouse_dev',` +@@ -2855,12 +3397,84 @@ interface(`dev_setattr_mouse_dev',` ## ## # @@ -7682,7 +7731,7 @@ index 76f285e..519431d 100644 ') ######################################## -@@ -2903,20 +3516,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3517,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -7707,7 +7756,7 @@ index 76f285e..519431d 100644 ##

## ## -@@ -2925,43 +3538,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3539,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -7763,7 +7812,7 @@ index 76f285e..519431d 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3574,32 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3575,32 @@ interface(`dev_write_mtrr',` ## ## # @@ -7799,7 +7848,7 @@ index 76f285e..519431d 100644 ') ######################################## -@@ -3144,6 +3767,80 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3768,80 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -7880,7 +7929,7 @@ index 76f285e..519431d 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3860,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3861,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7905,7 +7954,7 @@ index 76f285e..519431d 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3969,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3970,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7932,7 +7981,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -3262,12 +3995,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3996,13 @@ interface(`dev_rw_printer',` ## ## # @@ -7949,7 +7998,7 @@ index 76f285e..519431d 100644 ') ######################################## -@@ -3399,7 +4133,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4134,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7958,7 +8007,7 @@ index 76f285e..519431d 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4147,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4148,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') 
@@ -7967,7 +8016,15 @@ index 76f285e..519431d 100644 ') ######################################## -@@ -3855,7 +4589,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3669,6 +4404,7 @@ interface(`dev_read_sound_mixer',` + ') + + read_chr_files_pattern($1, device_t, sound_device_t) ++ allow $1 sound_device_t:chr_file map; + ') + + ######################################## +@@ -3855,7 +4591,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -7976,7 +8033,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -3863,91 +4597,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4599,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -8087,7 +8144,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -3955,60 +4687,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,60 +4689,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -8324,7 +8381,7 @@ index 76f285e..519431d 100644 read_lnk_files_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t) -@@ -4016,6 +4903,81 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4905,81 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -8406,7 +8463,7 @@ index 76f285e..519431d 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +5075,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +5077,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -8432,7 +8489,7 @@ index 76f285e..519431d 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5104,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5106,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` @@ -8441,7 +8498,7 @@ index 76f285e..519431d 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5390,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5392,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') 
@@ -8453,7 +8510,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -4419,17 +5400,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5402,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -8476,7 +8533,7 @@ index 76f285e..519431d 100644 ## ## ## -@@ -4437,12 +5418,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5420,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -8492,7 +8549,7 @@ index 76f285e..519431d 100644 ') ######################################## -@@ -4539,6 +5520,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5522,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -8627,7 +8684,7 @@ index 76f285e..519431d 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5666,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5668,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -8652,7 +8709,16 @@ index 76f285e..519431d 100644 ## Read and write VMWare devices. ## ## -@@ -4630,6 +5757,24 @@ interface(`dev_write_watchdog',` +@@ -4589,7 +5718,7 @@ interface(`dev_rwx_vmware',` + ') + + dev_rw_vmware($1) +- allow $1 vmware_device_t:chr_file execute; ++ allow $1 vmware_device_t:chr_file { map execute }; + ') + + ######################################## +@@ -4630,6 +5759,24 @@ interface(`dev_write_watchdog',` ######################################## ## @@ -8677,7 +8743,7 @@ index 76f285e..519431d 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5907,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5909,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## 
@@ -8722,7 +8788,16 @@ index 76f285e..519431d 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +6034,1042 @@ interface(`dev_unconfined',` +@@ -4794,7 +5979,7 @@ interface(`dev_rwx_zero',` + ') + + dev_rw_zero($1) +- allow $1 zero_device_t:chr_file execute; ++ allow $1 zero_device_t:chr_file { map execute }; + ') + + ######################################## +@@ -4851,3 +6036,1042 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -34399,7 +34474,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..054b9f7 100644 +index 79a45f6..6ed0c39 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -34424,16 +34499,19 @@ index 79a45f6..054b9f7 100644 ######################################## ## ## Create a file type used for init scripts. -@@ -106,6 +122,8 @@ interface(`init_domain',` +@@ -106,7 +122,11 @@ interface(`init_domain',` role system_r types $1; domtrans_pattern(init_t, $2, $1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; ++ allow init_t $1:process2 { nnp_transition nosuid_transition }; ++ ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -192,50 +210,43 @@ interface(`init_ranged_domain',` + # fds open from the initrd +@@ -192,50 +212,43 @@ interface(`init_ranged_domain',` interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -34506,7 +34584,7 @@ index 79a45f6..054b9f7 100644 ') ######################################## -@@ -283,17 +294,20 @@ interface(`init_daemon_domain',` +@@ -283,17 +296,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; 
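Review bot: `allow init_t $1:process2 { nnp_transition nosuid_transition };` in `init_domain` grants both permissions to every domain registered through this interface, while the commit message only motivates `nnp_transition` (systemd NoNewPrivileges); `nosuid_transition` separately permits transitions from executables on nosuid mounts, a wider relaxation that nothing in the hunk explains. Unless a concrete nosuid case exists, I would keep the rule to `allow init_t $1:process2 nnp_transition;` and move nosuid into an opt-in interface, or at least add `# nosuid_transition needed because: <reason>` above it. The rule also depends on the `nnp_nosuid_transition` policycap being declared elsewhere in the patch, which this chunk does not show; `init_domain` continues past the hunk.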
@@ -34528,7 +34606,7 @@ index 79a45f6..054b9f7 100644 ') ') -@@ -336,23 +350,19 @@ interface(`init_ranged_daemon_domain',` +@@ -336,23 +352,19 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -34559,7 +34637,7 @@ index 79a45f6..054b9f7 100644 ') ######################################## -@@ -401,20 +411,41 @@ interface(`init_system_domain',` +@@ -401,20 +413,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -34601,7 +34679,7 @@ index 79a45f6..054b9f7 100644 ######################################## ## ## Mark the file type as a daemon run dir, allowing initrc_t -@@ -460,6 +491,25 @@ interface(`init_domtrans',` +@@ -460,6 +493,25 @@ interface(`init_domtrans',` domtrans_pattern($1, init_exec_t, init_t) ') @@ -34627,7 +34705,7 @@ index 79a45f6..054b9f7 100644 ######################################## ## ## Execute the init program in the caller domain. -@@ -469,7 +519,6 @@ interface(`init_domtrans',` +@@ -469,7 +521,6 @@ interface(`init_domtrans',` ## Domain allowed access. ## ## @@ -34635,7 +34713,7 @@ index 79a45f6..054b9f7 100644 # interface(`init_exec',` gen_require(` -@@ -478,6 +527,48 @@ interface(`init_exec',` +@@ -478,6 +529,48 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -34684,7 +34762,7 @@ index 79a45f6..054b9f7 100644 ') ######################################## -@@ -566,6 +657,58 @@ interface(`init_sigchld',` +@@ -566,6 +659,58 @@ interface(`init_sigchld',` ######################################## ## @@ -34743,7 +34821,7 @@ index 79a45f6..054b9f7 100644 ## Connect to init with a unix socket. ## ## -@@ -576,12 +719,87 @@ interface(`init_sigchld',` +@@ -576,12 +721,87 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` 
@@ -34831,7 +34909,7 @@ index 79a45f6..054b9f7 100644 ######################################## ## ## Inherit and use file descriptors from init. -@@ -743,22 +961,24 @@ interface(`init_write_initctl',` +@@ -743,22 +963,24 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; @@ -34865,7 +34943,7 @@ index 79a45f6..054b9f7 100644 ') ######################################## -@@ -787,7 +1007,7 @@ interface(`init_rw_initctl',` +@@ -787,7 +1009,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -34874,7 +34952,7 @@ index 79a45f6..054b9f7 100644 ## ## # -@@ -830,11 +1050,12 @@ interface(`init_script_file_entry_type',` +@@ -830,11 +1052,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -34889,7 +34967,7 @@ index 79a45f6..054b9f7 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -845,11 +1066,11 @@ interface(`init_spec_domtrans_script',` +@@ -845,11 +1068,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -34903,7 +34981,7 @@ index 79a45f6..054b9f7 100644 ') ') -@@ -865,19 +1086,41 @@ interface(`init_spec_domtrans_script',` +@@ -865,19 +1088,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -34949,7 +35027,7 @@ index 79a45f6..054b9f7 100644 ') ######################################## -@@ -933,9 +1176,14 @@ interface(`init_script_file_domtrans',` +@@ -933,9 +1178,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -34964,7 +35042,7 @@ index 79a45f6..054b9f7 100644 files_search_etc($1) ') -@@ -992,7 +1240,7 @@ interface(`init_run_daemon',` +@@ -992,7 +1242,7 @@ interface(`init_run_daemon',` ######################################## ## @@ -34973,7 +35051,7 @@ index 79a45f6..054b9f7 100644 ## ## ## -@@ -1000,38 +1248,37 @@ interface(`init_run_daemon',` +@@ -1000,38 +1250,37 @@ interface(`init_run_daemon',` ## ## # 
@@ -35021,7 +35099,7 @@ index 79a45f6..054b9f7 100644 ## ## ## -@@ -1039,17 +1286,19 @@ interface(`init_ptrace',` +@@ -1039,17 +1288,19 @@ interface(`init_ptrace',` ## ## # @@ -35045,7 +35123,7 @@ index 79a45f6..054b9f7 100644 ## ## ## -@@ -1057,18 +1306,17 @@ interface(`init_write_script_pipes',` +@@ -1057,18 +1308,17 @@ interface(`init_write_script_pipes',` ## ## # @@ -35068,7 +35146,7 @@ index 79a45f6..054b9f7 100644 ## ## ## -@@ -1076,37 +1324,38 @@ interface(`init_getattr_script_files',` +@@ -1076,37 +1326,38 @@ interface(`init_getattr_script_files',` ## ## # @@ -35117,7 +35195,7 @@ index 79a45f6..054b9f7 100644 ## ## ## -@@ -1114,7 +1363,82 @@ interface(`init_exec_script_files',` +@@ -1114,7 +1365,82 @@ interface(`init_exec_script_files',` ## ## # @@ -35201,7 +35279,7 @@ index 79a45f6..054b9f7 100644 gen_require(` attribute init_script_file_type; ') -@@ -1125,6 +1449,63 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1451,63 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -35265,7 +35343,7 @@ index 79a45f6..054b9f7 100644 ## Read all init script files. ## ## -@@ -1144,6 +1525,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1527,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -35290,7 +35368,7 @@ index 79a45f6..054b9f7 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1594,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1596,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -35304,7 +35382,7 @@ index 79a45f6..054b9f7 100644 ') ######################################## -@@ -1314,6 +1708,24 @@ interface(`init_signal_script',` +@@ -1314,6 +1710,24 @@ interface(`init_signal_script',` ######################################## ## 
@@ -35329,7 +35407,7 @@ index 79a45f6..054b9f7 100644 ## Send null signals to init scripts. ## ## -@@ -1440,6 +1852,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1854,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -35357,7 +35435,7 @@ index 79a45f6..054b9f7 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1980,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1982,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -35383,7 +35461,7 @@ index 79a45f6..054b9f7 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2057,42 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2059,42 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -35426,7 +35504,7 @@ index 79a45f6..054b9f7 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2165,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2167,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -35470,7 +35548,7 @@ index 79a45f6..054b9f7 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2290,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2292,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -35479,7 +35557,7 @@ index 79a45f6..054b9f7 100644 ') ######################################## -@@ -1806,27 +2331,154 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,27 +2333,154 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -35646,7 +35724,7 @@ index 79a45f6..054b9f7 100644 ## ## ## -@@ -1840,3 +2492,583 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2494,583 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -39065,7 +39143,7 @@ index 73bb3c0..a70bee5 100644 + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..baca326 100644 +index 808ba93..b717d97 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` @@ -39094,6 +39172,15 @@ index 808ba93..baca326 100644 ## Use the dynamic link/loader for automatic loading ## of shared libraries. ## +@@ -86,7 +105,7 @@ interface(`libs_use_ld_so',` + read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) + mmap_files_pattern($1, lib_t, ld_so_t) + +- allow $1 ld_so_cache_t:file read_file_perms; ++ allow $1 ld_so_cache_t:file { map read_file_perms }; + ') + + ######################################## @@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',` type lib_t, ld_so_t; ') @@ -39787,7 +39874,7 @@ index b50c5fe..9eacd9b 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..0690edf 100644 +index 4e94884..e82be7a 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -39883,11 +39970,18 @@ index 4e94884..0690edf 100644 gen_require(` - type syslogd_t, devlog_t; + attribute syslog_client_type; -+ ') -+ + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; + typeattribute $1 syslog_client_type; +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Connect to the syslog control unix stream socket. 
@@ -39902,7 +39996,11 @@ index 4e94884..0690edf 100644 + gen_require(` + type devlog_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + allow $1 devlog_t:lnk_file manage_lnk_file_perms; + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, lnk_file, "log") @@ -39923,19 +40021,12 @@ index 4e94884..0690edf 100644 +interface(`logging_relabel_devlog_dev',` + gen_require(` + type devlog_t; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; ++ ') ++ + allow $1 devlog_t:sock_file relabel_sock_file_perms; + allow $1 devlog_t:lnk_file relabelto_lnk_file_perms; +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Allow domain to read the syslog pid files. @@ -39950,11 +40041,7 @@ index 4e94884..0690edf 100644 + gen_require(` + type syslogd_var_run_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') @@ -40111,7 +40198,7 @@ index 4e94884..0690edf 100644 ') ######################################## -@@ -885,6 +1107,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1107,63 @@ interface(`logging_read_generic_logs',` ######################################## ## 
@@ -40152,11 +40239,30 @@ index 4e94884..0690edf 100644 +') + +######################################## ++## ++## Map generic log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_mmap_generic_logs',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ allow $1 var_log_t:file map; ++') ++ ++######################################## +## ## Write generic log files. ## ## -@@ -905,6 +1165,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1184,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -40181,7 +40287,7 @@ index 4e94884..0690edf 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1262,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1281,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -40199,7 +40305,7 @@ index 4e94884..0690edf 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1287,55 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1306,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -40255,7 +40361,7 @@ index 4e94884..0690edf 100644 ') ######################################## -@@ -1032,10 +1364,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1383,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -40273,7 +40379,7 @@ index 4e94884..0690edf 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1394,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1413,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
@@ -40282,7 +40388,7 @@ index 4e94884..0690edf 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1424,90 @@ interface(`logging_admin',` +@@ -1085,3 +1443,107 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -40373,8 +40479,26 @@ index 4e94884..0690edf 100644 + files_search_pids($1) + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') ++ ++####################################### ++## ++## Map files in /run/log/journal/ directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_mmap_journal',` ++ gen_require(` ++ type syslogd_var_run_t; ++ ') ++ ++ allow $1 syslogd_var_run_t:file map; +\ No newline at end of file diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..0114ad2 100644 +index 59b04c1..2ad89c5 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -40636,7 +40760,7 @@ index 59b04c1..0114ad2 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +431,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,15 +431,20 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; 
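Review bot: The new `logging_mmap_journal` interface in the `@@ -1085,3 +1443,107 @@` hunk of logging.if is never closed: its last added line is `+	allow $1 syslogd_var_run_t:file map;` immediately followed by `\ No newline at end of file`, and the 17 added lines that make up the +90 to +107 growth contain no trailing `')`. m4 will hit end of file inside the `interface(` argument, so the module is unlikely to build; append `+')` plus a final newline. The separator above the interface is also one `#` short of the 40-column rule its neighbours follow.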
@@ -40653,7 +40777,12 @@ index 59b04c1..0114ad2 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +455,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) + manage_files_pattern(syslogd_t, var_log_t, var_log_t) ++allow syslogd_t var_log_t:file map; + rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) + files_search_spool(syslogd_t) + +@@ -389,30 +456,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -40704,7 +40833,7 @@ index 59b04c1..0114ad2 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +505,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +506,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -40713,7 +40842,7 @@ index 59b04c1..0114ad2 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +517,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +518,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -40747,7 +40876,7 @@ index 59b04c1..0114ad2 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +556,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +557,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) 
@@ -40765,7 +40894,7 @@ index 59b04c1..0114ad2 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +578,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +579,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -40781,7 +40910,7 @@ index 59b04c1..0114ad2 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +610,7 @@ optional_policy(` +@@ -497,6 +611,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -40789,7 +40918,7 @@ index 59b04c1..0114ad2 100644 ') optional_policy(` -@@ -507,15 +621,44 @@ optional_policy(` +@@ -507,15 +622,44 @@ optional_policy(` ') optional_policy(` @@ -40834,7 +40963,7 @@ index 59b04c1..0114ad2 100644 ') optional_policy(` -@@ -526,3 +669,29 @@ optional_policy(` +@@ -526,3 +670,29 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -41670,7 +41799,7 @@ index 9fe8e01..c62c761 100644 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fc28bc3..3be6892 100644 +index fc28bc3..e4b9a3b 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -67,6 +67,27 @@ interface(`miscfiles_read_all_certs',` 
@@ -41762,7 +41891,23 @@ index fc28bc3..3be6892 100644 ## Manage SSL certificates. ## ## -@@ -434,6 +493,7 @@ interface(`miscfiles_rw_localization',` +@@ -191,6 +250,7 @@ interface(`miscfiles_read_fonts',` + + allow $1 fonts_t:dir list_dir_perms; + read_files_pattern($1, fonts_t, fonts_t) ++ allow $1 fonts_t:file map; + read_lnk_files_pattern($1, fonts_t, fonts_t) + + allow $1 fonts_cache_t:dir list_dir_perms; +@@ -414,6 +474,7 @@ interface(`miscfiles_read_localization',` + allow $1 locale_t:dir list_dir_perms; + read_files_pattern($1, locale_t, locale_t) + read_lnk_files_pattern($1, locale_t, locale_t) ++ allow $1 locale_t:file map; + ') + + ######################################## +@@ -434,6 +495,7 @@ interface(`miscfiles_rw_localization',` files_search_usr($1) allow $1 locale_t:dir list_dir_perms; rw_files_pattern($1, locale_t, locale_t) @@ -41770,7 +41915,7 @@ index fc28bc3..3be6892 100644 ') ######################################## -@@ -453,6 +513,7 @@ interface(`miscfiles_relabel_localization',` +@@ -453,6 +515,7 @@ interface(`miscfiles_relabel_localization',` files_search_usr($1) relabel_files_pattern($1, locale_t, locale_t) @@ -41778,7 +41923,7 @@ index fc28bc3..3be6892 100644 ') ######################################## -@@ -470,7 +531,6 @@ interface(`miscfiles_legacy_read_localization',` +@@ -470,7 +533,6 @@ interface(`miscfiles_legacy_read_localization',` type locale_t; ') @@ -41786,7 +41931,7 @@ index fc28bc3..3be6892 100644 allow $1 locale_t:file execute; ') -@@ -531,6 +591,10 @@ interface(`miscfiles_read_man_pages',` +@@ -531,6 +593,10 @@ interface(`miscfiles_read_man_pages',` allow $1 { man_cache_t man_t }:dir list_dir_perms; read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) 
@@ -41797,7 +41942,7 @@ index fc28bc3..3be6892 100644 ') ######################################## -@@ -554,6 +618,29 @@ interface(`miscfiles_delete_man_pages',` +@@ -554,6 +620,29 @@ interface(`miscfiles_delete_man_pages',` delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) @@ -41827,7 +41972,7 @@ index fc28bc3..3be6892 100644 ') ######################################## -@@ -622,6 +709,30 @@ interface(`miscfiles_manage_man_cache',` +@@ -622,6 +711,30 @@ interface(`miscfiles_manage_man_cache',` ######################################## ## @@ -41858,7 +42003,7 @@ index fc28bc3..3be6892 100644 ## Read public files used for file ## transfer services. ## -@@ -784,8 +895,11 @@ interface(`miscfiles_etc_filetrans_localization',` +@@ -784,8 +897,11 @@ interface(`miscfiles_etc_filetrans_localization',` type locale_t; ') @@ -41872,7 +42017,7 @@ index fc28bc3..3be6892 100644 ') ######################################## -@@ -809,3 +923,61 @@ interface(`miscfiles_manage_localization',` +@@ -809,3 +925,61 @@ interface(`miscfiles_manage_localization',` manage_lnk_files_pattern($1, locale_t, locale_t) ') @@ -43422,7 +43567,7 @@ index d43f3b1..c5053db 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..d358162 100644 +index 3822072..0395f48 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` 
@@ -43903,25 +44048,51 @@ index 3822072..d358162 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -784,7 +1146,9 @@ interface(`seutil_read_file_contexts',` +@@ -784,7 +1146,10 @@ interface(`seutil_read_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + list_dirs_pattern($1, file_context_t, file_context_t) read_files_pattern($1, file_context_t, file_context_t) + read_lnk_files_pattern($1, file_context_t, file_context_t) ++ allow $1 file_context_t:file map; ') ######################################## -@@ -846,6 +1210,7 @@ interface(`seutil_manage_file_contexts',` +@@ -805,6 +1170,7 @@ interface(`seutil_dontaudit_read_file_contexts',` + + dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; + dontaudit $1 file_context_t:file read_file_perms; ++ dontaudit $1 file_context_t:file map; + ') + + ######################################## +@@ -825,6 +1191,7 @@ interface(`seutil_rw_file_contexts',` + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + rw_files_pattern($1, file_context_t, file_context_t) ++ allow $1 file_context_t:file map; + ') + + ######################################## +@@ -846,6 +1213,8 @@ interface(`seutil_manage_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; manage_files_pattern($1, file_context_t, file_context_t) + manage_dirs_pattern($1, file_context_t, file_context_t) ++ allow $1 file_context_t:file map; ') ######################################## -@@ -999,6 +1364,26 @@ interface(`seutil_domtrans_semanage',` +@@ -866,6 +1235,7 @@ interface(`seutil_read_bin_policy',` + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + read_files_pattern($1, policy_config_t, policy_config_t) ++ allow $1 policy_config_t:file map; + ') + + ######################################## +@@ 
-999,6 +1369,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -43948,7 +44119,7 @@ index 3822072..d358162 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1402,105 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1407,105 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -44056,7 +44227,7 @@ index 3822072..d358162 100644 ') ######################################## -@@ -1041,9 +1520,15 @@ interface(`seutil_manage_module_store',` +@@ -1041,9 +1525,15 @@ interface(`seutil_manage_module_store',` ') files_search_etc($1) @@ -44072,7 +44243,7 @@ index 3822072..d358162 100644 ') ####################################### -@@ -1067,6 +1552,24 @@ interface(`seutil_get_semanage_read_lock',` +@@ -1067,6 +1557,24 @@ interface(`seutil_get_semanage_read_lock',` ####################################### ## @@ -44097,7 +44268,7 @@ index 3822072..d358162 100644 ## Get trans lock on module store ## ## -@@ -1137,3 +1640,121 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1137,3 +1645,121 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -44220,7 +44391,7 @@ index 3822072..d358162 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..1a0d4fb 100644 +index dc46420..27d8d49 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -44386,7 +44557,7 @@ index dc46420..1a0d4fb 100644 userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` -@@ -165,7 +188,7 @@ ifdef(`distro_ubuntu',` +@@ -165,10 +188,11 @@ ifdef(`distro_ubuntu',` # Load_policy local policy # 
@@ -44395,7 +44566,11 @@ index dc46420..1a0d4fb 100644 # only allow read of policy config files read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) -@@ -188,13 +211,13 @@ term_list_ptys(load_policy_t) ++allow load_policy_t policy_config_t:file map; + + domain_use_interactive_fds(load_policy_t) + +@@ -188,13 +212,13 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) @@ -44412,7 +44587,7 @@ index dc46420..1a0d4fb 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -205,6 +228,7 @@ ifdef(`distro_ubuntu',` +@@ -205,6 +229,7 @@ ifdef(`distro_ubuntu',` ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. dontaudit load_policy_t selinux_config_t:file write; @@ -44420,7 +44595,7 @@ index dc46420..1a0d4fb 100644 optional_policy(` unconfined_dontaudit_read_pipes(load_policy_t) -@@ -215,12 +239,21 @@ optional_policy(` +@@ -215,12 +240,21 @@ optional_policy(` portage_dontaudit_use_fds(load_policy_t) ') @@ -44443,7 +44618,7 @@ index dc46420..1a0d4fb 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -232,7 +266,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -44452,7 +44627,7 @@ index dc46420..1a0d4fb 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t) +@@ -249,6 +283,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) 
@@ -44460,7 +44635,7 @@ index dc46420..1a0d4fb 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t) +@@ -276,25 +311,34 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -44502,7 +44677,7 @@ index dc46420..1a0d4fb 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -309,7 +352,7 @@ if(secure_mode) { +@@ -309,7 +353,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } @@ -44511,7 +44686,7 @@ index dc46420..1a0d4fb 100644 files_polyinstantiate_all(newrole_t) ') -@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t) +@@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -44526,7 +44701,7 @@ index dc46420..1a0d4fb 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,16 +389,17 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -44546,7 +44721,7 @@ index dc46420..1a0d4fb 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -366,21 +414,24 @@ optional_policy(` +@@ -366,21 +415,24 @@ optional_policy(` # Run_init local policy # @@ -44573,7 +44748,7 @@ index dc46420..1a0d4fb 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t) +@@ -398,23 +450,30 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) 
@@ -44609,7 +44784,7 @@ index dc46420..1a0d4fb 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +484,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -44629,7 +44804,7 @@ index dc46420..1a0d4fb 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +511,85 @@ optional_policy(` +@@ -440,81 +512,85 @@ optional_policy(` # semodule local policy # @@ -44771,7 +44946,7 @@ index dc46420..1a0d4fb 100644 ') ######################################## -@@ -522,111 +597,203 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +598,204 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -44842,6 +45017,7 @@ index dc46420..1a0d4fb 100644 + +# needs to be able to read symlinks to make restorecon on symlink working +files_read_all_symlinks(setfiles_t) ++allow setfiles_t file_context_t:file map; logging_send_audit_msgs(setfiles_t) logging_send_syslog_msg(setfiles_t) @@ -56191,6 +56367,24 @@ index f4ac38d..1589d60 100644 + ssh_delete_tmp(confined_admindomain) + ssh_signal(confined_admindomain) +') +diff --git a/policy/policy_capabilities b/policy/policy_capabilities +index db3cbca..e677b81 100644 +--- a/policy/policy_capabilities ++++ b/policy/policy_capabilities +@@ -31,3 +31,12 @@ policycap network_peer_controls; + # blk_file: open + # + policycap open_perms; ++ ++ ++# Enable NoNewPrivileges support. Requires libsepol 2.7+ ++# and kernel 4.14 (estimated). ++# ++# Checks enabled; ++# process2: nnp_transition, nosuid_transition ++# ++#policycap nnp_nosuid_transition; +\ No newline at end of file diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index e79d545..101086d 100644 --- a/policy/support/misc_patterns.spt @@ -56223,7 +56417,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..b80ffcb 100644 +index 6e91317..dc1c884 100644 --- a/policy/support/obj_perm_sets.spt 
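Review bot: The policycap the changelog announces is added commented out in the policy_capabilities hunk (`+#policycap nnp_nosuid_transition;`), so nothing in this commit enables nnp_nosuid_transition, and the file is left without a trailing newline (`\ No newline at end of file`). If leaving it disabled is intentional, the comment block above it should say so rather than only listing requirements, e.g. `# Intentionally disabled until the libsepol and kernel versions above are the baseline; uncomment to enable.`; otherwise the changelog entry `Add nnp_nosuid_transition policycap ...` overstates what ships. The spec changelog wording cannot be corrected here, so the comment is the place to make the status unambiguous.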
+++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -56250,13 +56444,15 @@ index 6e91317..b80ffcb 100644 define(`getattr_file_perms',`{ getattr }') define(`setattr_file_perms',`{ setattr }') -define(`read_file_perms',`{ getattr open read lock ioctl }') -+define(`read_inherited_file_perms',`{ getattr read ioctl lock }') -+define(`read_file_perms',`{ open read_inherited_file_perms }') - define(`mmap_file_perms',`{ getattr open read execute ioctl }') - define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') +-define(`mmap_file_perms',`{ getattr open read execute ioctl }') +-define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }') -define(`append_file_perms',`{ getattr open append lock ioctl }') -define(`write_file_perms',`{ getattr open write append lock ioctl }') -define(`rw_file_perms',`{ getattr open read write append ioctl lock }') ++define(`read_inherited_file_perms',`{ getattr read ioctl lock }') ++define(`read_file_perms',`{ open read_inherited_file_perms }') ++define(`mmap_file_perms',`{ getattr open map read execute ioctl }') ++define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }') +define(`append_inherited_file_perms',`{ getattr append }') +define(`append_file_perms',`{ open lock ioctl append_inherited_file_perms }') +define(`write_inherited_file_perms',`{ getattr write append lock ioctl }') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9b20fd09..c14c291d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -69486,7 +69486,7 @@ index 0000000..05648bd +') diff --git a/osad.te b/osad.te new file mode 100644 -index 0000000..6c2f264 +index 0000000..b372f68 --- /dev/null +++ b/osad.te @@ -0,0 +1,56 @@ 
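Review bot: In the obj_perm_sets.spt hunk (`@@ -56250,13 +56444,15 @@`) `map` is added to `mmap_file_perms` and `exec_file_perms` but deliberately not to `read_file_perms`, `rw_file_perms` or the new `*_inherited_file_perms` sets, which is why the interface hunks elsewhere in this patch (libraries.if, logging.if, miscfiles.if, selinuxutil.if) each add a separate `allow $1 <type>:file map;`. That design choice is not recorded in the file, so a later change could "fix" `read_file_perms` and silently widen every read interface to mmap. A one-line comment above the definitions, `# map is intentionally excluded from the read/write sets: mmap access must be granted explicitly per type`, would preserve the intent.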
@@ -69515,7 +69515,7 @@ index 0000000..6c2f264 +# osad local policy +# + -+allow osad_t self:process setpgid; ++allow osad_t self:process { execmem setpgid }; + +manage_files_pattern(osad_t, osad_log_t, osad_log_t) +logging_log_filetrans(osad_t, osad_log_t, file) diff --git a/selinux-policy.spec b/selinux-policy.spec index 91ad49e1..0410f4b2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 268%{?dist} +Release: 269%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -683,6 +683,13 @@ exit 0 %endif %changelog +* Thu Aug 10 2017 Lukas Vrabec - 3.13.1-269 +- Allow osad make executable an anonymous mapping or private file mapping that is writable BZ(1425524) +- After fix in kernel where LSM hooks for dac_override and dac_search_read capability was swaped we need to fix it also in policy +- refpolicy: Define and allow map permission +- init: Add NoNewPerms support for systemd. +- Add nnp_nosuid_transition policycap and related class/perm definitions. + * Mon Aug 07 2017 Petr Lautrbach - 3.13.1-268 - Update for SELinux userspace release 20170804 / 2.7 - Omit precompiled regular expressions from file_contexts.bin files
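Review bot: `+allow osad_t self:process { execmem setpgid };` in the osad.te hunk grants the daemon writable-and-executable anonymous mappings, removing the W^X guarantee for that domain, and the hunk carries no comment explaining why. Record the justification next to the rule, e.g. `# execmem: osad needs writable executable mappings, see BZ 1425524`, naming the component that requires it if that is known, so the grant can be revisited when that component changes or could later be moved behind a tunable. The osad_t declaration and the rest of the domain's rules are outside this hunk.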