From aad537eb284584094fd76b879f03dda2250d2e09 Mon Sep 17 00:00:00 2001
From: basebuilder_pel7ppc64bebuilder0
Date: Sun, 16 Dec 2018 15:17:02 +0100
Subject: [PATCH] selinux-policy package update

Signed-off-by: basebuilder_pel7ppc64bebuilder0
---
 SOURCES/modules-targeted-contrib.conf | 7 +
 SOURCES/policy-rhel-7.6-base.patch | 13582 +++++-----
 SOURCES/policy-rhel-7.6-contrib.patch | 28700 +++++++++++-----------
 SOURCES/policy-rhel-7.6.z-base.patch | 36 +
 SOURCES/policy-rhel-7.6.z-contrib.patch | 525 +
 SPECS/selinux-policy.spec | 43 +-
 6 files changed, 21744 insertions(+), 21149 deletions(-)
 create mode 100644 SOURCES/policy-rhel-7.6.z-base.patch
 create mode 100644 SOURCES/policy-rhel-7.6.z-contrib.patch

diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 16faf1d3..32c88ba9 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2545,6 +2545,13 @@ sbd = module
 #
 opendnssec = module
 
+# Layer: contrib
+# Module: ganesha
+#
+# ganesha
+#
+ganesha = module
+
 # Layer: contrib
 # Module: tlp
 #
diff --git a/SOURCES/policy-rhel-7.6-base.patch b/SOURCES/policy-rhel-7.6-base.patch
index 3e2065e4..ab2691c1 100644
--- a/SOURCES/policy-rhel-7.6-base.patch
+++ b/SOURCES/policy-rhel-7.6-base.patch
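Review bot: The description line of the new entry, `# ganesha`, only repeats the module name; the `# Layer / # Module / #` header pattern visible for the neighbouring tlp entry suggests the line between the `#` separators is meant for a short description of what the module confines, so `# NFS-Ganesha user-space NFS file server` would tell a reader of the store what is being enabled. Enabling `ganesha = module` here affects only the targeted store, and the diffstat lists no other module-list file, so the module is presumably absent from the other policy stores built from this package; confirm that is intended. The policy sources this entry needs (the ganesha .te/.fc/.if) would have to come from the contrib patch touched in the same commit, which is not visible in this chunk, so the build-time module list and the patch contents should be checked against each other.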
@@ -17,17 +17,17 @@ index ec7b5cba8..2431fcd29 100644 -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names) +appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts systemd_contexts snapperd_contexts) $(contextpath)/files/media $(user_default_contexts_names) net_contexts := $(builddir)net_contexts - + all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) @@ -365,7 +366,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke - @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ - @echo "#" >> $@ - $(verbose) cat $@.in >> $@ + @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ + @echo "#" >> $@ + $(verbose) cat $@.in >> $@ - $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \ + $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \ - | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \ - | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ - + | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \ + | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ + @@ -609,15 +610,17 @@ resetlabels: # Clean everything # @@ -54,7 +54,7 @@ index ec7b5cba8..2431fcd29 100644 + #rm -f $(tags) # don't remove these files if we're given a local root ifndef LOCAL_ROOT - rm -f $(fcsort) + rm -f $(fcsort) 
diff --git a/Rules.modular b/Rules.modular index 313d8375b..1e92c7d5d 100644 --- a/Rules.modular @@ -65,37 +65,37 @@ index 313d8375b..1e92c7d5d 100644 $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te - @echo "Compliling $(NAME) $(@F) module" + @echo "Compiling $(NAME) $(@F) module" - @test -d $(tmpdir) || mkdir -p $(tmpdir) - $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) + $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ @@ -168,6 +168,8 @@ $(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.c - $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true - $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true - $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf + $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true - + ######################################## # 
@@ -201,6 +203,7 @@ validate: $(base_pkg) $(mod_pkgs) - @echo "Validating policy linking." - $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ - $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin + @echo "Validating policy linking." + $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ + $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin + $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output - @echo "Success." - + @echo "Success." + ######################################## diff --git a/Rules.monolithic b/Rules.monolithic index 808a5398a..77f71cd95 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -155,6 +155,8 @@ $(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.c - $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true - $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true - $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf + $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true + $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true - + ######################################## # diff --git a/config/appconfig-mcs/staff_u_default_contexts b/config/appconfig-mcs/staff_u_default_contexts @@ -126,7 +126,7 @@ index 000000000..b8fda9543 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 +system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0 -+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + 
diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts @@ -217,7 +217,7 @@ index 000000000..b8fda9543 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 +system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0 -+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 +sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 + diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts @@ -311,7 +311,7 @@ index 5bebd82d4..000000000 -setsebool -P allow_ftpd_use_nfs on -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR +-.SH AUTHOR -.PP -This manual page was written by Dan Walsh . - 
@@ -340,23 +340,23 @@ index e9c43b190..000000000 -Security-Enhanced Linux secures the Git server via flexible mandatory access -control. -.SH FILE_CONTEXTS --SELinux requires files to have an extended attribute to define the file type. --Policy governs the access daemons have to these files. +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. -SELinux Git policy is very flexible allowing users to setup their web services in as secure a method as possible. --.PP +-.PP -The following file contexts types are by default defined for Git: -.EX --git_system_content_t --.EE +-git_system_content_t +-.EE -- Set files with git_system_content_t if you want the Git system daemon to read the file, and if you want the file to be modifiable and executable by all "Git shell" users. -.EX --git_session_content_t --.EE +-git_session_content_t +-.EE -- Set files with git_session_content_t if you want the Git session and system daemon to read the file, and if you want the file to be modifiable and executable by all users. Note that "Git shell" users may not interact with this type. -.SH BOOLEANS -SELinux policy is customizable based on least access required. Git policy is extremely flexible and has several booleans that allow you to manipulate the policy and run Git with the tightest access possible. -.PP --Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. +-Allow the Git system daemon to search user home directories so that it can find git session content. This is useful if you want the Git system daemon to host users personal repositories. -.EX -sudo setsebool -P git_system_enable_homedirs 1 -.EE 
@@ -417,7 +417,7 @@ index e9c43b190..000000000 -.EE -To create a "Git shell" domain that can interact with this repository create a file named project1user.te in the same directory as where the source policy for the Git systemm content type is and add the following: -.EX --policy_module(project1user, 1.0.0) +-policy_module(project1user, 1.0.0) -git_role_template(project1user) -git_content_delegation(project1user_t, git_project1_content_t) -gen_user(project1user_u, user, project1user_r, s0, s0) @@ -430,7 +430,7 @@ index e9c43b190..000000000 -.EE -.PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR +-.SH AUTHOR -This manual page was written by Dominick Grift . -.SH "SEE ALSO" -selinux(8), git(8), chcon(1), semodule(8), setsebool(8) 
@@ -454,32 +454,32 @@ index 16e8b1323..000000000 -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the httpd server via flexible mandatory access --control. +-control. -.SH FILE_CONTEXTS --SELinux requires files to have an extended attribute to define the file type. --Policy governs the access daemons have to these files. +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. -SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. --.PP +-.PP -The following file contexts types are defined for httpd: -.EX --httpd_sys_content_t --.EE +-httpd_sys_content_t +-.EE -- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. -.EX --httpd_sys_script_exec_t --.EE +-httpd_sys_script_exec_t +-.EE -- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. -.EX --httpd_sys_content_rw_t +-httpd_sys_content_rw_t -.EE -- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. -.EX --httpd_sys_content_ra_t +-httpd_sys_content_ra_t -.EE -- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. -.EX --httpd_unconfined_script_exec_t --.EE +-httpd_unconfined_script_exec_t +-.EE -- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. - -.SH NOTE 
@@ -492,7 +492,7 @@ index 16e8b1323..000000000 -setsebool -P allow_httpd_anon_write=1 -.EE - --or +-or - -.EX -setsebool -P allow_httpd_sys_script_anon_write=1 @@ -544,7 +544,7 @@ index 16e8b1323..000000000 - -.PP -SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. --This would prevent a hacker from breaking into you httpd server and attacking +-This would prevent a hacker from breaking into you httpd server and attacking -other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. - -.EX @@ -553,7 +553,7 @@ index 16e8b1323..000000000 - -.PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR +-.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" @@ -580,7 +580,7 @@ index a8f81c8e7..000000000 -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the system via flexible mandatory access --control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. +-control. SELinux policy can be configured to deny Kerberos access to confined applications, since it requires daemons to be allowed greater access to certain secure files and additional access to the network. -.SH BOOLEANS -.PP -You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. @@ -589,7 +589,7 @@ index a8f81c8e7..000000000 -.EE -.PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR +-.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" 
@@ -614,16 +614,16 @@ index fce0b4815..000000000 -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the named server via flexible mandatory access --control. +-control. -.SH BOOLEANS --SELinux policy is customizable based on least access required. So by +-SELinux policy is customizable based on least access required. So by -default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. -.EX -setsebool -P named_write_master_zones 1 -.EE -.PP -system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR +-.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" @@ -642,7 +642,7 @@ index 8e30c4c65..000000000 -.SH "DESCRIPTION" - -Security Enhanced Linux secures the NFS server via flexible mandatory access --control. +-control. -.SH BOOLEANS -SELinux policy is customizable based on the least level of access required. SELinux can be configured to not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: - @@ -662,7 +662,7 @@ index 8e30c4c65..000000000 -setsebool -P use_nfs_home_dirs 1 -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR +-.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" 
@@ -694,11 +694,11 @@ index ad9ccf5cd..000000000 -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the rsync server via flexible mandatory access --control. +-control. -.SH FILE_CONTEXTS --SELinux requires files to have an extended attribute to define the file type. --Policy governs the access daemons have to these files. --If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. +-If you want to share files using the rsync daemon, you must label the files and directories public_content_t. So if you created a special directory /var/rsync, you -would need to label the directory with the chcon tool. -.TP -chcon -t public_content_t /var/rsync @@ -727,7 +727,7 @@ index ad9ccf5cd..000000000 -.SH BOOLEANS -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR +-.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" 
@@ -744,12 +744,12 @@ index ca702c799..000000000 -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the Samba server via flexible mandatory access --control. +-control. -.SH FILE_CONTEXTS --SELinux requires files to have an extended attribute to define the file type. --Policy governs the access daemons have to these files. --If you want to share files other than home directories, those files must be --labeled samba_share_t. So if you created a special directory /var/eng, you +-SELinux requires files to have an extended attribute to define the file type. +-Policy governs the access daemons have to these files. +-If you want to share files other than home directories, those files must be +-labeled samba_share_t. So if you created a special directory /var/eng, you -would need to label the directory with the chcon tool. -.TP -chcon -t samba_share_t /var/eng 
@@ -772,24 +772,24 @@ index ca702c799..000000000 -setsebool -P allow_smbd_anon_write=1 - -.SH BOOLEANS --.br --SELinux policy is customizable based on least access required. So by --default SELinux policy turns off SELinux sharing of home directories and +-.br +-SELinux policy is customizable based on least access required. So by +-default SELinux policy turns off SELinux sharing of home directories and -the use of Samba shares from a remote machine as a home directory. -.TP --If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. +-If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. -.br - -setsebool -P samba_enable_home_dirs 1 -.TP -If you want to use a remote Samba server for the home directories on this machine, you must set the use_samba_home_dirs boolean. --.br +-.br - -setsebool -P use_samba_home_dirs 1 -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. - --.SH AUTHOR +-.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" @@ -806,7 +806,7 @@ index 5061a5f04..000000000 -.SH "DESCRIPTION" - -Security-Enhanced Linux secures the system via flexible mandatory access --control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. +-control. SELinux can be setup deny NIS from working, since it requires daemons to be allowed greater access to the network. -.SH BOOLEANS -.TP -You must set the allow_ypbind boolean to allow your system to work properly in a NIS environment. @@ -814,7 +814,7 @@ index 5061a5f04..000000000 -setsebool -P allow_ypbind 1 -.TP -system-config-selinux is a GUI tool available to customize SELinux policy settings. --.SH AUTHOR +-.SH AUTHOR -This manual page was written by Dan Walsh . - -.SH "SEE ALSO" 
@@ -824,9 +824,9 @@ index 3a45f236b..225034c75 100644 --- a/policy/constraints +++ b/policy/constraints @@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh } - or ( t1 == process_uncond_exempt ) + or ( t1 == process_uncond_exempt ) ); - + +constrain process dyntransition +( + u1 == u2 @@ -843,7 +843,7 @@ index 3a45f236b..225034c75 100644 # fork # setexec @@ -130,6 +142,7 @@ exempted_ubac_constraint(fd, ubacfd) - + exempted_ubac_constraint(socket, ubacsock) exempted_ubac_constraint(tcp_socket, ubacsock) +exempted_ubac_constraint(sctp_socket, ubacsock) @@ -862,33 +862,33 @@ index 3a45f236b..225034c75 100644 +exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock) +exempted_ubac_constraint(netlink_rdma_socket, ubacsock) +exempted_ubac_constraint(netlink_crypto_socket, ubacsock) - - constrain socket_class_set { create relabelto relabelfrom } + + constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index a94b16980..e16707c3f 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -20,6 +20,7 @@ common file - relabelfrom - relabelto - append + relabelfrom + relabelto + append + map - unlink - link - rename + unlink + link + rename @@ -47,6 +48,7 @@ common socket - relabelfrom - relabelto - append + relabelfrom + relabelto + append + map # socket-specific - bind - connect + bind + connect @@ -120,6 +122,60 @@ common x_device - destroy + destroy } - + +# +# Define a common for capability access vectors. +# @@ -947,32 +947,32 @@ index a94b16980..e16707c3f 100644 # Define the access vectors. # @@ -329,8 +385,14 @@ class process - execheap - setkeycreate - setsockcreate + execheap + setkeycreate + setsockcreate + ptrace_child } - + +class process2 +{ + nnp_transition + nosuid_transition +} - + # # Define the access vector interpretation for ipc-related objects 
@@ -379,6 +441,7 @@ class security - setsecparam - setcheckreqprot - read_policy + setsecparam + setcheckreqprot + read_policy + validate_trans } - - + + @@ -393,62 +456,30 @@ class system - syslog_mod - syslog_console - module_request + syslog_mod + syslog_console + module_request + module_load + halt + reboot @@ -983,12 +983,12 @@ index a94b16980..e16707c3f 100644 + reload + kill } - + # -# Define the access vector interpretation for controling capabilies +# Define the access vector interpretation for controlling capabilities # - + class capability -{ - # The capabilities are defined in include/linux/capability.h @@ -996,33 +996,33 @@ index a94b16980..e16707c3f 100644 - # Care should be taken to ensure that these are consistent with - # those definitions. (Order matters) - -- chown -- dac_override -- dac_read_search -- fowner -- fsetid -- kill -- setgid -- setuid -- setpcap -- linux_immutable -- net_bind_service -- net_broadcast -- net_admin -- net_raw -- ipc_lock -- ipc_owner -- sys_module -- sys_rawio -- sys_chroot -- sys_ptrace -- sys_pacct -- sys_admin -- sys_boot -- sys_nice -- sys_resource -- sys_time -- sys_tty_config +- chown +- dac_override +- dac_read_search +- fowner +- fsetid +- kill +- setgid +- setuid +- setpcap +- linux_immutable +- net_bind_service +- net_broadcast +- net_admin +- net_raw +- ipc_lock +- ipc_owner +- sys_module +- sys_rawio +- sys_chroot +- sys_ptrace +- sys_pacct +- sys_admin +- sys_boot +- sys_nice +- sys_resource +- sys_time +- sys_tty_config - mknod - lease - audit_write @@ -1030,8 +1030,8 @@ index a94b16980..e16707c3f 100644 - setfcap -} +inherits cap - --class capability2 + +-class capability2 +class capability2 +inherits cap2 { @@ -1048,18 +1048,18 @@ index a94b16980..e16707c3f 100644 # Define the access vector interpretation for controlling # changes to passwd information. 
@@ -690,6 +721,8 @@ class nscd - shmemhost - getserv - shmemserv + shmemhost + getserv + shmemserv + getnetgrp + shmemnetgrp } - + # Define the access vector interpretation for controlling @@ -831,6 +864,38 @@ inherits socket - attach_queue + attach_queue } - + +class binder +{ + impersonate @@ -1094,11 +1094,11 @@ index a94b16980..e16707c3f 100644 + class x_pointer inherits x_device - + @@ -859,9 +924,166 @@ inherits database - set_value + set_value } - + +class infiniband_pkey +{ + access @@ -1112,8 +1112,8 @@ index a94b16980..e16707c3f 100644 class db_language inherits database { - implement - execute + implement + execute } + +class service @@ -1267,9 +1267,9 @@ index 14a479911..0e057ded1 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -121,14 +121,79 @@ class kernel_service - + class tun_socket - + +class binder + +# Updated netlink classes for more recent netlink protocols. @@ -1285,7 +1285,7 @@ index 14a479911..0e057ded1 100644 # Still More SE-X Windows stuff class x_pointer # userspace class x_keyboard # userspace - + +# Infiniband +class infiniband_pkey +class infiniband_endport @@ -1295,11 +1295,11 @@ index 14a479911..0e057ded1 100644 class db_view # userspace class db_sequence # userspace class db_language # userspace - -+# systemd services -+class service + ++# systemd services ++class service + -+# gssd services ++# gssd services +class proxy + + @@ -1351,7 +1351,7 @@ index 66e85ea54..d02654d7f 100644 --- a/policy/global_booleans +++ b/policy/global_booleans @@ -6,7 +6,7 @@ - + ## ##

-## Enabling secure mode disallows programs, such as @@ -1366,7 +1366,7 @@ index 4705ab618..b82865c43 100644 @@ -4,54 +4,61 @@ # file should be used. # - + +## +##

+## Deny any process from ptracing or debugging any other processes. @@ -1381,7 +1381,7 @@ index 4705ab618..b82865c43 100644 ## -gen_tunable(allow_execheap,false) +gen_tunable(selinuxuser_execheap,false) - + ## ##

-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") @@ -1390,7 +1390,7 @@ index 4705ab618..b82865c43 100644 ## -gen_tunable(allow_execmem,false) +gen_tunable(deny_execmem,false) - + ## ##

-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") @@ -1399,7 +1399,7 @@ index 4705ab618..b82865c43 100644 ## -gen_tunable(allow_execmod,false) +gen_tunable(selinuxuser_execmod,false) - + ## ##

-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") @@ -1408,7 +1408,7 @@ index 4705ab618..b82865c43 100644 ## -gen_tunable(allow_execstack,false) +gen_tunable(selinuxuser_execstack,false) - + ## ##

## Enable polyinstantiated directory support. @@ -1416,7 +1416,7 @@ index 4705ab618..b82865c43 100644 ## -gen_tunable(allow_polyinstantiation,false) +gen_tunable(polyinstantiation_enabled,false) - + ## ##

## Allow system to run with NIS @@ -1424,7 +1424,7 @@ index 4705ab618..b82865c43 100644 ## -gen_tunable(allow_ypbind,false) +gen_tunable(nis_enabled,false) - + ## ##

## Allow logging in and using the system from /dev/console. @@ -1432,13 +1432,13 @@ index 4705ab618..b82865c43 100644 ## -gen_tunable(console_login,true) +gen_tunable(login_console_enabled,true) - + ## ##

@@ -66,15 +73,6 @@ gen_tunable(console_login,true) ## gen_tunable(global_ssp,false) - + -## -##

-## Allow email client to various content. @@ -1454,7 +1454,7 @@ index 4705ab618..b82865c43 100644 @@ -103,6 +101,20 @@ gen_tunable(use_nfs_home_dirs,false) ## gen_tunable(use_samba_home_dirs,false) - + +## +##

+## Support ecryptfs home directories @@ -1482,7 +1482,7 @@ index 4705ab618..b82865c43 100644 +## +##

+## Allow users to run UDP servers (bind to ports and accept connection from -+## the same domain and outside users) disabling this may break avahi ++## the same domain and outside users) disabling this may break avahi +## discovering services on the network and other udp related services. +##

+##
@@ -1503,41 +1503,41 @@ index 216b3d125..ba9e2ee16 100644 +default_range dir_file_class_set target low; + # - # Define sensitivities + # Define sensitivities # @@ -69,58 +71,61 @@ gen_levels(1,mcs_num_cats) # - /proc/pid operations are not constrained. - + mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain file { write setattr append unlink link rename } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain dir { write setattr append unlink link rename add_name remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain fifo_file { open } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and ( t2 == domain ))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); 
@@ -1548,14 +1548,14 @@ index 216b3d125..ba9e2ee16 100644 + +mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + ((( h1 dom h2 ) and ( l2 eq h2 )) or + ( t1 != mcs_constrained_type )); - + # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } - ( h1 dom h2 ); @@ -1563,45 +1563,45 @@ index 216b3d125..ba9e2ee16 100644 + +mlsconstrain { file lnk_file fifo_file } { create relabelto } + (( l2 eq h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain process { ptrace } - (( h1 dom h2) or ( t1 == mcsptraceall )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain process { sigkill sigstop } - (( h1 dom h2 ) or ( t1 == mcskillall )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + mlsconstrain process { signal } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + -mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + # 
@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d mlsconstrain { db_tuple } { insert relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - + (( h1 dom h2 ) and ( l2 eq h2 )); + +mlsconstrain context contains + (( h1 dom h2 ) and ( l1 domby l2)); + # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } - ( h1 dom h2 ); + ( h1 dom h2 ); @@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } - ( h1 dom h2 ); - + ( h1 dom h2 ); + +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + @@ -1627,71 +1627,71 @@ index f11e5e2b7..c862bbe89 100644 --- a/policy/mls +++ b/policy/mls @@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } - + # new file labels must be dominated by the relabeling subjects clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto - ( h1 dom h2 ); + (( h1 dom h2 ) or + (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or + ( t1 == mlsfilewrite )); - + # the file "read" ops (note the check is dominance of the low level) mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } 
@@ -156,21 +158,18 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # these access vectors have no MLS restrictions # filesystem { transition associate } - + - - - # # MLS policy for the socket classes # - + # new socket labels must be dominated by the relabeling subjects clearance -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto - ( h1 dom h2 ); - + ( h1 dom h2 ); + # the socket "read+write" ops # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR), # require equal levels for unprivileged subjects, or read *and* write overrides) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket 
netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect } - (( l1 eq l2 ) or - (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )) and + (( l1 eq l2 ) or + (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )) and @@ -180,7 +179,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s - - + + # the socket "read" ops (note the check is dominance of the low level) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg } - (( l1 dom l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); + (( l1 dom l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); 
@@ -191,14 +190,15 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock - ( t1 == mlsnetread )); - + ( t1 == mlsnetread )); + # the socket "write" ops -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown } - (( l1 eq l2 ) or - (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or - (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( l1 eq l2 ) or + (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or + (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or - ( t1 == mlsnetwrite )); + ( t1 == mlsnetwrite ) or + ( t2 == mlstrustedobject )); - + # used by netlabel to restrict normal domains to same level connections -mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom - (( l1 eq l2 ) or - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); + (( l1 eq l2 ) or + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); 
@@ -219,13 +219,13 @@ mlsconstrain unix_dgram_socket sendto - ( t2 == mlstrustedobject )); - + ( t2 == mlstrustedobject )); + # these access vectors have no MLS restrictions -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind } @@ -1708,9 +1708,9 @@ index f11e5e2b7..c862bbe89 100644 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write # @@ -252,6 +252,11 @@ mlsconstrain msg receive - (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsipcread )); - + (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsipcread )); + +mlsconstrain key { create link read search setattr view write } + (( l1 eq l2 ) or + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or @@ -1718,11 +1718,11 @@ index f11e5e2b7..c862bbe89 100644 + # the ipc "write" ops (implicit single level) mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } - (( l1 eq l2 ) or + (( l1 eq l2 ) or @@ -361,9 +366,6 @@ mlsconstrain { peer packet } { recv } - (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsnetread )); - + (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsnetread )); + - - - 
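Review bot: In the policy/mls socket section the `{ accept connect }` constraint gains only `sctp_socket`, whereas the neighbouring `relabelto`, `{ read getattr listen accept getopt recv_msg }` and `{ write setattr relabelfrom connect setopt shutdown }` constraints also list `netlink_iscsi_socket` through `netlink_crypto_socket`. Unless the omission is deliberate, `connect` on those newer netlink classes is left without the level check the other operations get, so that class list should be aligned with the read/write ones. The trailing comment `# { socket tcp_socket … sctp_socket } { ioctl create lock append bind sendto send_msg name_bind }`, which documents the operations that carry no MLS restriction, has the same shorter list and should be updated alongside. Whether the longer list was introduced by this commit or was already in the previous revision of the patch cannot be told from the collapsed hunk.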
@@ -1731,30 +1731,30 @@ index f11e5e2b7..c862bbe89 100644 # @@ -763,13 +765,14 @@ mlsconstrain context contains # - + # make sure these database classes are "single level" -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } +mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto } - ( l2 eq h2 ); + ( l2 eq h2 ); + mlsconstrain { db_tuple } { insert relabelto } - ( l2 eq h2 ); - + ( l2 eq h2 ); + # new database labels must be dominated by the relabeling subjects clearance -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } +mlsconstrain { db_database db_schema db_table db_column } { relabelto } - ( h1 dom h2 ); - + ( h1 dom h2 ); + # the database "read" ops (note the check is dominance of the low level) @@ -833,7 +836,7 @@ mlsconstrain { db_tuple } { use select } - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + -# the "single level" file "write" ops +# the "single level" database "write" ops mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index 2626ebf95..5745bb240 100644 --- a/policy/modules/admin/bootloader.fc 
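Review bot: The database constraints in policy/mls are split without a comment explaining the split: the `( l2 eq h2 )` single-level check now applies only to `{ db_sequence db_view db_procedure db_language db_blob }`, and the `( h1 dom h2 )` relabelto clearance check only to `{ db_database db_schema db_table db_column }`, so db_tuple and the blob/procedure classes lose the clearance check while the container classes lose the single-level check. The mcs side in the earlier hunk still keeps `mlsconstrain { db_tuple } { insert relabelto } (( h1 dom h2 ) and ( l2 eq h2 ))`, so the asymmetry looks intentional but is not self-explanatory. A one-line comment above each rule, e.g. `# ranged database classes: only the relabeling subject's clearance is checked` and `# single-level database classes`, would spare the next reader from re-deriving the rationale. The `db_database` write rule at the end of the hunk is cut by the outer hunk boundary.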
@@ -1764,7 +1764,7 @@ index 2626ebf95..5745bb240 100644 +/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/zipl\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) - + -/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) - @@ -1778,7 +1778,7 @@ index 2626ebf95..5745bb240 100644 +/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) - + -/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0) -/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) @@ -1788,9 +1788,9 @@ index cc8df9d7d..90467f3af 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` - domtrans_pattern($1, bootloader_exec_t, bootloader_t) + domtrans_pattern($1, bootloader_exec_t, bootloader_t) ') - + +###################################### +## +## Execute bootloader in the caller domain. @@ -1815,16 +1815,16 @@ index cc8df9d7d..90467f3af 100644 @@ -38,16 +56,18 @@ interface(`bootloader_domtrans',` # interface(`bootloader_run',` - gen_require(` + gen_require(` + type bootloader_t; - attribute_role bootloader_roles; - ') - - bootloader_domtrans($1) - roleattribute $2 bootloader_roles; + attribute_role bootloader_roles; + ') + + bootloader_domtrans($1) + roleattribute $2 bootloader_roles; + ') - + ######################################## ## -## Execute bootloader in the caller domain. 
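Review bot: The replacement fc entries `/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)`, `/etc/yaboot\.conf.*` and `/etc/zipl\.conf.*` drop the `--` file-type field that the removed lines had, so the regex now also labels directories, symlinks and device nodes whose names start with that prefix, while the executables later in the same hunk keep `--`. If the intent is only to cover plain-file copies (a backup such as a `.bak` file, for example), keeping `--` is the narrower spec. Only these lines of the .fc file are visible in the outer hunk.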
@@ -1838,16 +1838,16 @@ index cc8df9d7d..90467f3af 100644 # -interface(`bootloader_exec',` +interface(`bootloader_read_config',` - gen_require(` + gen_require(` - type bootloader_exec_t; + type bootloader_etc_t; - ') - + ') + - corecmd_search_bin($1) - can_exec($1, bootloader_exec_t) + allow $1 bootloader_etc_t:file read_file_perms; ') - + ######################################## ## -## Read the bootloader configuration file. @@ -1863,14 +1863,14 @@ index cc8df9d7d..90467f3af 100644 # -interface(`bootloader_read_config',` +interface(`bootloader_rw_config',` - gen_require(` - type bootloader_etc_t; - ') - + gen_require(` + type bootloader_etc_t; + ') + - allow $1 bootloader_etc_t:file read_file_perms; + allow $1 bootloader_etc_t:file rw_file_perms; ') - + ######################################## ## -## Read and write the bootloader @@ -1884,27 +1884,27 @@ index cc8df9d7d..90467f3af 100644 # -interface(`bootloader_rw_config',` +interface(`bootloader_manage_config',` - gen_require(` - type bootloader_etc_t; - ') - + gen_require(` + type bootloader_etc_t; + ') + - allow $1 bootloader_etc_t:file rw_file_perms; + manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t) ') - + ######################################## @@ -119,7 +140,7 @@ interface(`bootloader_rw_tmp_files',` - ') - - files_search_tmp($1) + ') + + files_search_tmp($1) - allow $1 bootloader_tmp_t:file rw_file_perms; + allow $1 bootloader_tmp_t:file rw_inherited_file_perms; ') - + ######################################## @@ -141,3 +162,24 @@ interface(`bootloader_create_runtime_file',` - allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; - files_boot_filetrans($1, boot_runtime_t, file) + allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; + files_boot_filetrans($1, boot_runtime_t, file) ') + +######################################## 
@@ -1942,7 +1942,7 @@ index 0fd5c5f2e..a14addb41 100644 + +type bootloader_var_lib_t; +files_type(bootloader_var_lib_t) - + # # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. @@ -1950,22 +1950,22 @@ index 0fd5c5f2e..a14addb41 100644 type bootloader_etc_t alias etc_bootloader_t; -files_type(bootloader_etc_t) +files_config_file(bootloader_etc_t) - + # # The temp file is used for initrd creation; @@ -41,7 +48,7 @@ dev_node(bootloader_tmp_t) # bootloader local policy # - + -allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; +allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown }; allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; - + @@ -59,6 +66,15 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file # for tune2fs (cjp: ?) files_root_filetrans(bootloader_t, bootloader_tmp_t, file) - + +manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) +manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t) +files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file }) @@ -1979,7 +1979,7 @@ index 0fd5c5f2e..a14addb41 100644 kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) @@ -81,6 +97,8 @@ dev_rw_nvram(bootloader_t) - + fs_getattr_xattr_fs(bootloader_t) fs_getattr_tmpfs(bootloader_t) +fs_list_hugetlbfs(bootloader_t) @@ -1989,15 +1989,15 @@ index 0fd5c5f2e..a14addb41 100644 fs_manage_dos_files(bootloader_t) @@ -89,7 +107,10 @@ mls_file_read_all_levels(bootloader_t) mls_file_write_all_levels(bootloader_t) - + term_getattr_all_ttys(bootloader_t) +term_getattr_all_ptys(bootloader_t) term_dontaudit_manage_pty_dirs(bootloader_t) +term_dontaudit_getattr_generic_ptys(bootloader_t) +term_use_unallocated_ttys(bootloader_t) - + corecmd_exec_all_executables(bootloader_t) - + 
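Review bot: `files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })` is the only class set in this file written without the usual inner spacing; the surrounding rules use `{ dir file lnk_file chr_file … }`, so it should read `files_pid_filetrans(bootloader_t, bootloader_var_run_t, { dir file })`. The same hunk adds `sys_chroot` to bootloader_t's self capability set with no comment saying which program needs it; since this widens what a misbehaving bootloader helper can do, a one-line why-comment naming that program would keep the grant auditable. The enclosing hunk continues past the visible lines.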
@@ -98,12 +119,14 @@ domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) files_manage_boot_files(bootloader_t) @@ -2016,53 +2016,53 @@ index 0fd5c5f2e..a14addb41 100644 @@ -111,6 +134,8 @@ files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) - + + +init_read_state(bootloader_t) init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) @@ -118,19 +143,20 @@ init_rw_script_pipes(bootloader_t) - + libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) +libs_exec_ld_so(bootloader_t) - + -logging_send_syslog_msg(bootloader_t) -logging_rw_generic_logs(bootloader_t) +auth_use_nsswitch(bootloader_t) - + -miscfiles_read_localization(bootloader_t) +logging_send_syslog_msg(bootloader_t) +logging_manage_generic_logs(bootloader_t) - + modutils_domtrans_insmod(bootloader_t) - + seutil_read_bin_policy(bootloader_t) seutil_read_loadpolicy(bootloader_t) -seutil_dontaudit_search_config(bootloader_t) - + -userdom_use_user_terminals(bootloader_t) +userdom_getattr_user_tmp_files(bootloader_t) +userdom_use_inherited_user_terminals(bootloader_t) userdom_dontaudit_search_user_home_dirs(bootloader_t) - + ifdef(`distro_debian',` @@ -173,6 +199,10 @@ ifdef(`distro_redhat',` - ') + ') ') - + +optional_policy(` + devicekit_dontaudit_read_pid_files(bootloader_t) +') + optional_policy(` - fstools_exec(bootloader_t) + fstools_exec(bootloader_t) ') @@ -182,6 +212,14 @@ optional_policy(` - hal_write_log(bootloader_t) + hal_write_log(bootloader_t) ') - + +optional_policy(` + gpm_getattr_gpmctl(bootloader_t) +') @@ -2072,29 +2072,29 @@ index 0fd5c5f2e..a14addb41 100644 +') + optional_policy(` - kudzu_domtrans(bootloader_t) + kudzu_domtrans(bootloader_t) ') 
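Review bot: `logging_rw_generic_logs(bootloader_t)` is replaced by `logging_manage_generic_logs(bootloader_t)`, which adds create, rename and unlink on every generic log file to a domain that previously only needed read/write. If the bootloader only appends to an existing log, `logging_rw_generic_logs(bootloader_t)` remains the narrower grant; if manage really is required, a comment stating which log it creates or rotates would justify the wider rule. The hunk runs past the visible lines into the next one.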
@@ -194,18 +232,19 @@ optional_policy(` ') - + optional_policy(` - modutils_exec_insmod(bootloader_t) - modutils_read_module_deps(bootloader_t) - modutils_read_module_config(bootloader_t) - modutils_exec_insmod(bootloader_t) - modutils_exec_depmod(bootloader_t) - modutils_exec_update_mods(bootloader_t) + modutils_exec_insmod(bootloader_t) + modutils_exec_depmod(bootloader_t) + modutils_exec_update_mods(bootloader_t) + modutils_domtrans_insmod_uncond(bootloader_t) + modutils_list_module_config(bootloader_t) + modutils_read_module_deps(bootloader_t) + modutils_read_module_config(bootloader_t) ') - + optional_policy(` - nscd_use(bootloader_t) + rpm_rw_pipes(bootloader_t) ') - + optional_policy(` - rpm_rw_pipes(bootloader_t) + udev_read_pid_files(bootloader_t) @@ -2104,7 +2104,7 @@ index b7f053bf6..5d4fc3188 100644 --- a/policy/modules/admin/consoletype.fc +++ b/policy/modules/admin/consoletype.fc @@ -1,2 +1,4 @@ - + /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) + +/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0) @@ -2113,53 +2113,53 @@ index 0f57d3bc0..655d07f01 100644 --- a/policy/modules/admin/consoletype.if +++ b/policy/modules/admin/consoletype.if @@ -19,10 +19,6 @@ interface(`consoletype_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, consoletype_exec_t, consoletype_t) + + corecmd_search_bin($1) + domtrans_pattern($1, consoletype_exec_t, consoletype_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit consoletype_t $1:socket_class_set { read write }; - ') ') - + ######################################## diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index cd5e005ce..247259ac4 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te 
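Review bot: The modutils block now contains `modutils_domtrans_insmod_uncond(bootloader_t)` while the unconditional context earlier in the file still calls `modutils_domtrans_insmod(bootloader_t)`, so one of the two transitions is redundant. If the `_uncond` variant bypasses the tunable that gates the plain transition, as its name suggests, that is a deliberate policy decision for this domain and deserves a comment such as `# bootloader must load modules regardless of secure_mode_insmod` next to it; if not, the plain call is enough and the `_uncond` line can go. The consolidation that removes the duplicated `modutils_exec_insmod(bootloader_t)` on the old side is fine.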
@@ -7,8 +7,8 @@ policy_module(consoletype, 1.10.0) - + type consoletype_t; type consoletype_exec_t; -init_domain(consoletype_t, consoletype_exec_t) -init_system_domain(consoletype_t, consoletype_exec_t) +application_domain(consoletype_t, consoletype_exec_t) +role system_r types consoletype_t; - + ######################################## # @@ -47,14 +47,16 @@ fs_list_inotifyfs(consoletype_t) mls_file_read_all_levels(consoletype_t) mls_file_write_all_levels(consoletype_t) - + -term_use_all_terms(consoletype_t) +term_use_all_inherited_terms(consoletype_t) +term_use_ptmx(consoletype_t) - + init_use_fds(consoletype_t) init_use_script_ptys(consoletype_t) init_use_script_fds(consoletype_t) init_rw_script_pipes(consoletype_t) +init_rw_inherited_script_tmp_files(consoletype_t) - + -userdom_use_user_terminals(consoletype_t) +userdom_use_inherited_user_terminals(consoletype_t) - + ifdef(`distro_redhat',` - fs_rw_tmpfs_chr_files(consoletype_t) + fs_rw_tmpfs_chr_files(consoletype_t) @@ -79,16 +81,14 @@ optional_policy(` ') - + optional_policy(` - files_read_etc_files(consoletype_t) - firstboot_use_fds(consoletype_t) @@ -2167,7 +2167,7 @@ index cd5e005ce..247259ac4 100644 + devicekit_dontaudit_read_pid_files(consoletype_t) + devicekit_dontaudit_rw_log(consoletype_t) ') - + optional_policy(` - hal_dontaudit_use_fds(consoletype_t) - hal_dontaudit_rw_pipes(consoletype_t) @@ -2177,22 +2177,22 @@ index cd5e005ce..247259ac4 100644 + firstboot_use_fds(consoletype_t) + firstboot_rw_pipes(consoletype_t) ') - + optional_policy(` @@ -114,6 +114,7 @@ optional_policy(` - + optional_policy(` - userdom_use_unpriv_users_fds(consoletype_t) + userdom_use_unpriv_users_fds(consoletype_t) + userdom_dontaudit_rw_dgram_socket(consoletype_t) ') - + optional_policy(` diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc index d6cc2d970..0685b190d 100644 --- a/policy/modules/admin/dmesg.fc +++ b/policy/modules/admin/dmesg.fc 
@@ -1,2 +1,4 @@ - + /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) + +/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) @@ -2203,7 +2203,7 @@ index 72bc6d815..bb4a6f0d7 100644 @@ -9,6 +9,10 @@ type dmesg_t; type dmesg_exec_t; init_system_domain(dmesg_t, dmesg_exec_t) - + +ifdef(`enable_mls',` + init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh) +') @@ -2212,9 +2212,9 @@ index 72bc6d815..bb4a6f0d7 100644 # # Local policy @@ -19,14 +23,18 @@ dontaudit dmesg_t self:capability sys_tty_config; - + allow dmesg_t self:process signal_perms; - + +kernel_read_system_state(dmesg_t) kernel_read_kernel_sysctls(dmesg_t) kernel_read_ring_buffer(dmesg_t) @@ -2223,20 +2223,20 @@ index 72bc6d815..bb4a6f0d7 100644 kernel_list_proc(dmesg_t) kernel_read_proc_symlinks(dmesg_t) +kernel_dontaudit_write_kernel_sysctl(dmesg_t) - + dev_read_sysfs(dmesg_t) +dev_read_kmsg(dmesg_t) +dev_read_raw_memory(dmesg_t) - + fs_search_auto_mountpoints(dmesg_t) - + @@ -44,10 +52,14 @@ init_use_script_ptys(dmesg_t) logging_send_syslog_msg(dmesg_t) logging_write_generic_logs(dmesg_t) - + -miscfiles_read_localization(dmesg_t) +miscfiles_read_hwdata(dmesg_t) - + userdom_dontaudit_use_unpriv_user_fds(dmesg_t) -userdom_use_user_terminals(dmesg_t) +userdom_use_inherited_user_terminals(dmesg_t) @@ -2244,9 +2244,9 @@ index 72bc6d815..bb4a6f0d7 100644 +optional_policy(` + abrt_rw_inherited_cache(dmesg_t) +') - + optional_policy(` - seutil_sigchld_newrole(dmesg_t) + seutil_sigchld_newrole(dmesg_t) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 407078f4b..1a09bead7 100644 --- a/policy/modules/admin/netutils.fc 
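Review bot: `dev_read_raw_memory(dmesg_t)` grants dmesg_t read access to the raw memory device nodes, which is far wider than a ring-buffer reader needs and is separate from the `dev_read_kmsg(dmesg_t)` added on the line before it. If the rule was added for a denial on /dev/kmsg, `dev_read_kmsg` already covers it and the raw-memory line can be dropped; if some caller genuinely reads /dev/mem, a comment naming it would keep the grant reviewable. This matters more here because the same file section adds `init_ranged_daemon_domain(dmesg_t, dmesg_exec_t, mls_systemhigh)` under `enable_mls`, so the domain doing the reading runs at system high.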
@@ -2256,16 +2256,16 @@ index 407078f4b..1a09bead7 100644 -/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - + /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) - + /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) - + -/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) +/usr/lib/heartbeat/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) + @@ -2281,77 +2281,77 @@ index c6ca761c9..6edd67420 100644 --- a/policy/modules/admin/netutils.if +++ b/policy/modules/admin/netutils.if @@ -42,6 +42,7 @@ interface(`netutils_run',` - ') - - netutils_domtrans($1) + ') + + netutils_domtrans($1) + allow $1 netutils_t:process { signal sigkill }; - role $2 types netutils_t; + role $2 types netutils_t; ') - + @@ -99,6 +100,7 @@ interface(`netutils_domtrans_ping',` - - corecmd_search_bin($1) - domtrans_pattern($1, ping_exec_t, ping_t) + + corecmd_search_bin($1) + domtrans_pattern($1, ping_exec_t, ping_t) + allow $1 ping_exec_t:file map; ') - + ######################################## @@ -161,6 +163,7 @@ interface(`netutils_run_ping',` - - netutils_domtrans_ping($1) - role $2 types ping_t; + + netutils_domtrans_ping($1) + role $2 types ping_t; + allow $1 ping_t:process { signal sigkill }; ') - + ######################################## 
@@ -183,13 +186,14 @@ interface(`netutils_run_ping',` interface(`netutils_run_ping_cond',` - gen_require(` - type ping_t; + gen_require(` + type ping_t; - bool user_ping; + bool selinuxuser_ping; - ') - - role $2 types ping_t; - + ') + + role $2 types ping_t; + - if ( user_ping ) { + if ( selinuxuser_ping ) { - netutils_domtrans_ping($1) + netutils_domtrans_ping($1) + allow $1 ping_t:process { signal sigkill }; - } + } ') - + @@ -254,6 +258,7 @@ interface(`netutils_run_traceroute',` - ') - - netutils_domtrans_traceroute($1) + ') + + netutils_domtrans_traceroute($1) + allow $1 traceroute_t:process { signal sigkill }; - role $2 types traceroute_t; + role $2 types traceroute_t; ') - + @@ -277,13 +282,14 @@ interface(`netutils_run_traceroute',` interface(`netutils_run_traceroute_cond',` - gen_require(` - type traceroute_t; + gen_require(` + type traceroute_t; - bool user_ping; + bool selinuxuser_ping; - ') - - role $2 types traceroute_t; - + ') + + role $2 types traceroute_t; + - if( user_ping ) { + if( selinuxuser_ping ) { - netutils_domtrans_traceroute($1) + netutils_domtrans_traceroute($1) + allow $1 traceroute_t:process { signal sigkill }; - } + } ') - + diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index c44c3592a..982e33e1c 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) - + ## ##

-## Control users use of ping and traceroute @@ -2360,12 +2360,12 @@ index c44c3592a..982e33e1c 100644 ## -gen_tunable(user_ping, false) +gen_tunable(selinuxuser_ping, false) - + type netutils_t; type netutils_exec_t; @@ -33,25 +33,29 @@ init_system_domain(traceroute_t, traceroute_exec_t) # - + # Perform network administration operations and have raw access to the network. -allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; +allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap }; @@ -2382,47 +2382,47 @@ index c44c3592a..982e33e1c 100644 +allow netutils_t self:bluetooth_socket create_stream_socket_perms; allow netutils_t self:socket create_socket_perms; +allow netutils_t self:netlink_socket create_socket_perms; - + manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) - + kernel_search_proc(netutils_t) -kernel_read_network_state(netutils_t) kernel_read_all_sysctls(netutils_t) +kernel_read_network_state(netutils_t) +kernel_request_load_module(netutils_t) - + -corenet_all_recvfrom_unlabeled(netutils_t) corenet_all_recvfrom_netlabel(netutils_t) corenet_tcp_sendrecv_generic_if(netutils_t) corenet_raw_sendrecv_generic_if(netutils_t) @@ -66,6 +70,10 @@ corenet_sendrecv_all_client_packets(netutils_t) corenet_udp_bind_generic_node(netutils_t) - + dev_read_sysfs(netutils_t) +dev_read_usbmon_dev(netutils_t) +dev_write_usbmon_dev(netutils_t) +dev_map_usbmon_dev(netutils_t) +dev_rw_generic_usb_dev(netutils_t) - + fs_getattr_xattr_fs(netutils_t) - + 
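Review bot: netutils_t's self capability set grows from `{ dac_read_search net_admin net_raw setuid setgid sys_chroot }` to `{ chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap }` with no comment saying which utility needs `chown` or `setpcap`; `setpcap` lets the domain change its own capability sets, so it deserves a one-line justification. The following hunk (@@ -2382) adds `kernel_request_load_module(netutils_t)`, and the same call is added for ping_t in @@ -2434 and traceroute_t in @@ -2523; this lets each of these user-reachable domains trigger kernel module autoloading, which is a wider kernel surface than a dontaudit exposes. Unless a concrete denial required the load, `kernel_dontaudit_request_load_module` is the conservative form for ping_t and traceroute_t. The netutils_t rules continue beyond the visible lines.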
@@ -80,12 +88,12 @@ init_use_script_ptys(netutils_t) - + auth_use_nsswitch(netutils_t) - + -logging_send_syslog_msg(netutils_t) +libs_use_ld_so(netutils_t) - + -miscfiles_read_localization(netutils_t) +logging_send_syslog_msg(netutils_t) - + term_dontaudit_use_console(netutils_t) -userdom_use_user_terminals(netutils_t) +userdom_use_inherited_user_terminals(netutils_t) userdom_use_all_users_fds(netutils_t) - + optional_policy(` @@ -110,11 +118,11 @@ allow ping_t self:capability { setuid net_raw }; allow ping_t self:process { getcap setcap }; @@ -2434,48 +2434,48 @@ index c44c3592a..982e33e1c 100644 +allow ping_t self:packet_socket create_socket_perms; allow ping_t self:netlink_route_socket create_netlink_socket_perms; +allow ping_t self:icmp_socket create_socket_perms; - + -corenet_all_recvfrom_unlabeled(ping_t) corenet_all_recvfrom_netlabel(ping_t) corenet_tcp_sendrecv_generic_if(ping_t) corenet_raw_sendrecv_generic_if(ping_t) @@ -124,6 +132,9 @@ corenet_raw_bind_generic_node(ping_t) corenet_tcp_sendrecv_all_ports(ping_t) - + fs_dontaudit_getattr_xattr_fs(ping_t) +fs_dontaudit_rw_anon_inodefs_files(ping_t) + +dev_read_urand(ping_t) - + domain_use_interactive_fds(ping_t) - + @@ -131,14 +142,14 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) - + kernel_read_system_state(ping_t) +kernel_read_network_state(ping_t) +kernel_request_load_module(ping_t) - + auth_use_nsswitch(ping_t) - + -logging_send_syslog_msg(ping_t) - -miscfiles_read_localization(ping_t) +init_rw_inherited_script_tmp_files(ping_t) - + -userdom_use_user_terminals(ping_t) +logging_send_syslog_msg(ping_t) - + ifdef(`hide_broken_symptoms',` - init_dontaudit_use_fds(ping_t) + init_dontaudit_use_fds(ping_t) 
@@ -146,13 +157,28 @@ ifdef(`hide_broken_symptoms',` - optional_policy(` - nagios_dontaudit_rw_log(ping_t) - nagios_dontaudit_rw_pipes(ping_t) + optional_policy(` + nagios_dontaudit_rw_log(ping_t) + nagios_dontaudit_rw_pipes(ping_t) + nagios_dontaudit_write_pipes_nrpe(ping_t) - ') + ') ') - + +term_use_all_inherited_terms(ping_t) + +tunable_policy(`selinuxuser_ping',` @@ -2487,20 +2487,20 @@ index c44c3592a..982e33e1c 100644 +') + optional_policy(` - munin_append_log(ping_t) + munin_append_log(ping_t) ') - + +optional_policy(` + nagios_rw_inerited_tmp_files(ping_t) +') + optional_policy(` - pcmcia_use_cardmgr_fds(ping_t) + pcmcia_use_cardmgr_fds(ping_t) ') @@ -161,6 +187,15 @@ optional_policy(` - hotplug_use_fds(ping_t) + hotplug_use_fds(ping_t) ') - + +optional_policy(` + openshift_rw_inherited_content(ping_t) + openshift_dontaudit_rw_inherited_fifo_files(ping_t) @@ -2514,7 +2514,7 @@ index c44c3592a..982e33e1c 100644 # # Traceroute local policy @@ -168,13 +203,18 @@ optional_policy(` - + allow traceroute_t self:capability { net_admin net_raw setuid setgid }; allow traceroute_t self:rawip_socket create_socket_perms; -allow traceroute_t self:packet_socket create_socket_perms; @@ -2523,33 +2523,33 @@ index c44c3592a..982e33e1c 100644 +allow traceroute_t self:sctp_socket create_socket_perms; +allow traceroute_t self:icmp_socket create_socket_perms; +allow traceroute_t self:dccp_socket create_socket_perms; - + kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) +kernel_read_net_sysctls(traceroute_t) +kernel_request_load_module(traceroute_t) +kernel_search_network_sysctl(traceroute_t) - + -corenet_all_recvfrom_unlabeled(traceroute_t) corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) 
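Review bot: `nagios_rw_inerited_tmp_files(ping_t)` looks misspelled (`inerited` for `inherited`); if the contrib nagios.if defines the interface under exactly that spelling the call resolves, otherwise the `optional_policy` block would most likely break the build rather than fail silently. It is worth checking the interface name in the contrib patch and, if the typo lives there, fixing both ends in one change. The traceroute socket-class rules at the end of the hunk (`sctp_socket`, `icmp_socket`, `dccp_socket`) continue into the next hunk.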
@@ -198,6 +238,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) - + files_read_etc_files(traceroute_t) +files_read_usr_files(traceroute_t) files_dontaudit_search_var(traceroute_t) - + init_use_fds(traceroute_t) @@ -206,11 +247,17 @@ auth_use_nsswitch(traceroute_t) - + logging_send_syslog_msg(traceroute_t) - + -miscfiles_read_localization(traceroute_t) - -userdom_use_user_terminals(traceroute_t) - + #rules needed for nmap dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) @@ -2569,7 +2569,7 @@ index 688abc2ae..3d89250a6 100644 --- a/policy/modules/admin/su.fc +++ b/policy/modules/admin/su.fc @@ -3,3 +3,4 @@ - + /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0) /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) @@ -2578,57 +2578,57 @@ index 03ec5cafe..06bcbf4a5 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if 
@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', ` - - allow $2 $1_su_t:process signal; - + + allow $2 $1_su_t:process signal; + - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; - allow $1_su_t self:key { search write }; - allow $1_su_t self:process { setexec setsched setrlimit }; - allow $1_su_t self:fifo_file rw_fifo_file_perms; - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:unix_stream_socket create_stream_socket_perms; + dontaudit $1_su_t self:capability sys_tty_config; + allow $1_su_t self:key { search write }; + allow $1_su_t self:process { setexec setsched setrlimit }; + allow $1_su_t self:fifo_file rw_fifo_file_perms; + allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + allow $1_su_t self:unix_stream_socket create_stream_socket_perms; + allow $1_su_t self:netlink_selinux_socket create_socket_perms; - - # Transition from the user domain to this domain. - domtrans_pattern($2, su_exec_t, $1_su_t) + + # Transition from the user domain to this domain. + domtrans_pattern($2, su_exec_t, $1_su_t) @@ -58,6 +59,7 @@ template(`su_restricted_domain_template', ` - allow $2 $1_su_t:fifo_file rw_file_perms; - allow $2 $1_su_t:process sigchld; - + allow $2 $1_su_t:fifo_file rw_file_perms; + allow $2 $1_su_t:process sigchld; + + kernel_getattr_core_if($1_su_t) - kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctls($1_su_t) - kernel_search_key($1_su_t) + kernel_read_system_state($1_su_t) + kernel_read_kernel_sysctls($1_su_t) + kernel_search_key($1_su_t) 
@@ -86,10 +88,10 @@ template(`su_restricted_domain_template', ` - # Write to utmp. - init_rw_utmp($1_su_t) - init_search_script_keys($1_su_t) + # Write to utmp. + init_rw_utmp($1_su_t) + init_search_script_keys($1_su_t) + init_getattr_initctl($1_su_t) - - logging_send_syslog_msg($1_su_t) - + + logging_send_syslog_msg($1_su_t) + - miscfiles_read_localization($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora + + ifdef(`distro_redhat',` + # RHEL5 and possibly newer releases incl. Fedora @@ -119,11 +121,6 @@ template(`su_restricted_domain_template', ` - userdom_spec_domtrans_unpriv_users($1_su_t) - ') - + userdom_spec_domtrans_unpriv_users($1_su_t) + ') + - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $2:socket_class_set { read write }; - ') - - optional_policy(` - cron_read_pipes($1_su_t) - ') + optional_policy(` + cron_read_pipes($1_su_t) + ') @@ -171,15 +168,9 @@ template(`su_role_template',` - domain_interactive_fd($1_su_t) - role $2 types $1_su_t; - + domain_interactive_fd($1_su_t) + role $2 types $1_su_t; + - allow $3 $1_su_t:process signal; - - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; @@ -2638,15 +2638,15 @@ index 03ec5cafe..06bcbf4a5 100644 - allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - allow $1_su_t self:key { search write }; + allow $1_su_t self:netlink_selinux_socket create_socket_perms; - + + allow $3 $1_su_t:process signal; - allow $1_su_t $3:key search; - - # Transition from the user domain to this domain. + allow $1_su_t $3:key search; + + # Transition from the user domain to this domain. 
@@ -194,125 +185,16 @@ template(`su_role_template',` - allow $3 $1_su_t:process sigchld; - - kernel_read_system_state($1_su_t) + allow $3 $1_su_t:process sigchld; + + kernel_read_system_state($1_su_t) - kernel_read_kernel_sysctls($1_su_t) - kernel_search_key($1_su_t) - kernel_link_key($1_su_t) @@ -2666,10 +2666,10 @@ index 03ec5cafe..06bcbf4a5 100644 - - corecmd_search_bin($1_su_t) + kernel_dontaudit_getattr_core_if($1_su_t) - + - domain_use_interactive_fds($1_su_t) + auth_use_pam($1_su_t) - + - files_read_etc_files($1_su_t) - files_read_etc_runtime_files($1_su_t) - files_search_var_lib($1_su_t) @@ -2679,11 +2679,11 @@ index 03ec5cafe..06bcbf4a5 100644 - # Write to utmp. - init_rw_utmp($1_su_t) + init_dontaudit_getattr_initctl($1_su_t) - - mls_file_write_all_levels($1_su_t) - - logging_send_syslog_msg($1_su_t) - + + mls_file_write_all_levels($1_su_t) + + logging_send_syslog_msg($1_su_t) + - miscfiles_read_localization($1_su_t) - - userdom_use_user_terminals($1_su_t) @@ -2770,14 +2770,14 @@ index 03ec5cafe..06bcbf4a5 100644 - xserver_domtrans_xauth($1_su_t) - ') ') - + ####################################### diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index 85bb77e05..a4302332a 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -9,3 +9,82 @@ attribute su_domain_type; - + type su_exec_t; corecmd_executable_file(su_exec_t) + @@ -2864,7 +2864,7 @@ index 7bddc02a4..6083c590e 100644 --- a/policy/modules/admin/sudo.fc +++ b/policy/modules/admin/sudo.fc @@ -1,2 +1,6 @@ - + /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) @@ -2875,26 +2875,26 @@ index 096019932..b6debf340 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if 
@@ -32,6 +32,7 @@ template(`sudo_role_template',` - - gen_require(` - type sudo_exec_t; + + gen_require(` + type sudo_exec_t; + type sudo_db_t; - attribute sudodomain; - ') - + attribute sudodomain; + ') + @@ -45,28 +46,15 @@ template(`sudo_role_template',` - domain_interactive_fd($1_sudo_t) - domain_role_change_exemption($1_sudo_t) - role $2 types $1_sudo_t; + domain_interactive_fd($1_sudo_t) + domain_role_change_exemption($1_sudo_t) + role $2 types $1_sudo_t; + userdom_home_manager($1_sudo_t) - + - ############################## - # - # Local Policy - # + type $1_sudo_tmp_t; + files_tmp_file($1_sudo_tmp_t) - + - # Use capabilities. - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; - allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -2912,26 +2912,26 @@ index 096019932..b6debf340 100644 - allow $1_sudo_t self:key manage_key_perms; + allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file) - + + allow $1_sudo_t $3:dir search_dir_perms;; - allow $1_sudo_t $3:key search; - - # Enter this derived domain from the user domain + allow $1_sudo_t $3:key search; + + # Enter this derived domain from the user domain 
@@ -75,88 +63,33 @@ template(`sudo_role_template',` - # By default, revert to the calling domain when a shell is executed. - corecmd_shell_domtrans($1_sudo_t, $3) - corecmd_bin_domtrans($1_sudo_t, $3) + # By default, revert to the calling domain when a shell is executed. + corecmd_shell_domtrans($1_sudo_t, $3) + corecmd_bin_domtrans($1_sudo_t, $3) + userdom_domtrans_user_home($1_sudo_t, $3) + userdom_domtrans_user_tmp($1_sudo_t, $3) + domain_entry_file($3, sudo_exec_t) + domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3) + - allow $3 $1_sudo_t:fd use; - allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; - allow $3 $1_sudo_t:process signal_perms; - + allow $3 $1_sudo_t:fd use; + allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; + allow $3 $1_sudo_t:process signal_perms; + - kernel_read_kernel_sysctls($1_sudo_t) - kernel_read_system_state($1_sudo_t) + kernel_read_system_state($1_sudo_t) - kernel_link_key($1_sudo_t) - - corecmd_read_bin_symlinks($1_sudo_t) @@ -2964,17 +2964,17 @@ index 096019932..b6debf340 100644 - term_relabel_all_ttys($1_sudo_t) - term_relabel_all_ptys($1_sudo_t) + seutil_libselinux_linked($1_sudo_t) - - auth_run_chk_passwd($1_sudo_t, $2) + + auth_run_chk_passwd($1_sudo_t, $2) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) - auth_use_nsswitch($1_sudo_t) - + auth_use_nsswitch($1_sudo_t) + - init_rw_utmp($1_sudo_t) - - logging_send_audit_msgs($1_sudo_t) - logging_send_syslog_msg($1_sudo_t) - + logging_send_syslog_msg($1_sudo_t) + - miscfiles_read_localization($1_sudo_t) - - seutil_search_default_contexts($1_sudo_t) 
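Review bot: `allow $1_sudo_t $3:dir search_dir_perms;;` in the sudo_role_template part of this hunk carries a doubled semicolon; it should read `allow $1_sudo_t $3:dir search_dir_perms;`. The packaged policy presumably builds, so checkpolicy may tolerate the empty statement, but it reads as a typo and will trip anyone grepping or re-diffing the template. Most of this hunk appears to be a whitespace regeneration of the inner patch, so the line may be carried-over context rather than new; it is worth fixing either way. sudo_role_template begins before this hunk and its body continues past it.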
@@ -3004,22 +3004,22 @@ index 096019932..b6debf340 100644 - ') + term_use_generic_ptys($1_sudo_t) + term_setattr_generic_ptys($1_sudo_t) - - optional_policy(` + + optional_policy(` - dbus_system_bus_client($1_sudo_t) + mta_role($2, $1_sudo_t) - ') - - optional_policy(` + ') + + optional_policy(` - fprintd_dbus_chat($1_sudo_t) + kerberos_manage_host_rcache($1_sudo_t) + kerberos_read_config($1_sudo_t) - ') - + ') + ') @@ -178,3 +111,41 @@ interface(`sudo_sigchld',` - - allow $1 sudodomain:process sigchld; + + allow $1 sudodomain:process sigchld; ') + +####################################### @@ -3055,7 +3055,7 @@ index 096019932..b6debf340 100644 + gen_require(` + type sudo_db_t; + ') -+ ++ + manage_dirs_pattern($1, sudo_db_t, sudo_db_t) + manage_files_pattern($1, sudo_db_t, sudo_db_t) +') @@ -3064,7 +3064,7 @@ index d9fce57ab..5c11b48e1 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,118 @@ attribute sudodomain; - + type sudo_exec_t; application_executable_file(sudo_exec_t) + @@ -3199,38 +3199,38 @@ index f82f0ce0a..7b8915d47 100644 /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) +/usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) - + /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) - + diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 99e3903ea..5c5627830 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` - - corecmd_search_bin($1) - domtrans_pattern($1, chfn_exec_t, chfn_t) + + corecmd_search_bin($1) + domtrans_pattern($1, chfn_exec_t, chfn_t) - - ifdef(`hide_broken_symptoms',` - dontaudit chfn_t $1:socket_class_set { read write }; - ') ') - + ######################################## 
@@ -42,6 +38,7 @@ interface(`usermanage_domtrans_chfn',` interface(`usermanage_run_chfn',` - gen_require(` - attribute_role chfn_roles; + gen_require(` + attribute_role chfn_roles; + type chfn_t; - ') - - usermanage_domtrans_chfn($1) + ') + + usermanage_domtrans_chfn($1) @@ -65,10 +62,25 @@ interface(`usermanage_domtrans_groupadd',` - - corecmd_search_bin($1) - domtrans_pattern($1, groupadd_exec_t, groupadd_t) + + corecmd_search_bin($1) + domtrans_pattern($1, groupadd_exec_t, groupadd_t) +') - + - ifdef(`hide_broken_symptoms',` - dontaudit groupadd_t $1:socket_class_set { read write }; +######################################## @@ -3246,44 +3246,44 @@ index 99e3903ea..5c5627830 100644 +interface(`usermanage_access_check_groupadd',` + gen_require(` + type groupadd_exec_t; - ') + ') + + corecmd_search_bin($1) + allow $1 groupadd_exec_t:file { getattr_file_perms execute }; ') - + ######################################## @@ -90,6 +102,7 @@ interface(`usermanage_domtrans_groupadd',` # interface(`usermanage_run_groupadd',` - gen_require(` + gen_require(` + type groupadd_t; - attribute_role groupadd_roles; - ') - + attribute_role groupadd_roles; + ') + @@ -114,10 +127,6 @@ interface(`usermanage_domtrans_passwd',` - - corecmd_search_bin($1) - domtrans_pattern($1, passwd_exec_t, passwd_t) + + corecmd_search_bin($1) + domtrans_pattern($1, passwd_exec_t, passwd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit passwd_t $1:socket_class_set { read write }; - ') ') - + ######################################## @@ -174,6 +183,7 @@ interface(`usermanage_check_exec_passwd',` # interface(`usermanage_run_passwd',` - gen_require(` + gen_require(` + type passwd_t; - attribute_role passwd_roles; - ') - + attribute_role passwd_roles; + ') + @@ -181,6 +191,25 @@ interface(`usermanage_run_passwd',` - roleattribute $2 passwd_roles; + roleattribute $2 passwd_roles; ') - + +######################################## +##

+## Check access to the passwd executable @@ -3309,34 +3309,34 @@ index 99e3903ea..5c5627830 100644 @@ -221,6 +250,7 @@ interface(`usermanage_domtrans_admin_passwd',` # interface(`usermanage_run_admin_passwd',` - gen_require(` + gen_require(` + type sysadm_passwd_t; - attribute_role sysadm_passwd_roles; - ') - + attribute_role sysadm_passwd_roles; + ') + @@ -263,10 +293,7 @@ interface(`usermanage_domtrans_useradd',` - - corecmd_search_bin($1) - domtrans_pattern($1, useradd_exec_t, useradd_t) + + corecmd_search_bin($1) + domtrans_pattern($1, useradd_exec_t, useradd_t) - - ifdef(`hide_broken_symptoms',` - dontaudit useradd_t $1:socket_class_set { read write }; - ') + allow $1 useradd_exec_t:file map; ') - + ######################################## @@ -307,12 +334,32 @@ interface(`usermanage_check_exec_useradd',` interface(`usermanage_run_useradd',` - gen_require(` - attribute_role useradd_roles; + gen_require(` + attribute_role useradd_roles; + type useradd_t; - ') - - usermanage_domtrans_useradd($1) - roleattribute $2 useradd_roles; + ') + + usermanage_domtrans_useradd($1) + roleattribute $2 useradd_roles; ') - + +######################################## +## +## Check access to the useradd executable. @@ -3368,13 +3368,13 @@ index 1d732f1e7..44e694926 100644 application_domain(chfn_t, chfn_exec_t) role chfn_roles types chfn_t; +role system_r types chfn_t; - + type crack_t; type crack_exec_t; @@ -44,9 +45,11 @@ domain_obj_id_change_exemption(groupadd_t) init_system_domain(groupadd_t, groupadd_exec_t) role groupadd_roles types groupadd_t; - + + type passwd_t; type passwd_exec_t; @@ -3382,7 +3382,7 @@ index 1d732f1e7..44e694926 100644 +domain_system_change_exemption(passwd_t) application_domain(passwd_t, passwd_exec_t) role passwd_roles types passwd_t; - + @@ -61,15 +64,19 @@ files_tmp_file(sysadm_passwd_tmp_t) type useradd_t; type useradd_exec_t; 
@@ -3390,7 +3390,7 @@ index 1d732f1e7..44e694926 100644 +domain_system_change_exemption(useradd_t) init_system_domain(useradd_t, useradd_exec_t) role useradd_roles types useradd_t; - + +type useradd_var_run_t; +files_pid_file(useradd_var_run_t) + @@ -3398,37 +3398,37 @@ index 1d732f1e7..44e694926 100644 # # Chfn local policy # - + -allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow chfn_t self:process { setrlimit setfscreate }; allow chfn_t self:fd use; @@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto; - + kernel_read_system_state(chfn_t) kernel_read_kernel_sysctls(chfn_t) +kernel_dontaudit_getattr_core_if(chfn_t) - + selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) @@ -94,25 +102,29 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) - + -term_use_all_ttys(chfn_t) -term_use_all_ptys(chfn_t) +term_use_all_inherited_ttys(chfn_t) +term_use_all_inherited_ptys(chfn_t) +term_getattr_all_ptys(chfn_t) - + fs_getattr_xattr_fs(chfn_t) fs_search_auto_mountpoints(chfn_t) - + # for SSP dev_read_urand(chfn_t) +dev_dontaudit_getattr_all(chfn_t) - + +auth_manage_passwd(chfn_t) +auth_use_pam(chfn_t) auth_run_chk_passwd(chfn_t, chfn_roles) @@ -3436,13 +3436,13 @@ index 1d732f1e7..44e694926 100644 -auth_use_nsswitch(chfn_t) +#auth_dontaudit_read_shadow(chfn_t) +#auth_use_nsswitch(chfn_t) - + # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) +corecmd_exec_bin(chfn_t) - + domain_use_interactive_fds(chfn_t) - + -files_manage_etc_files(chfn_t) files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) 
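Review bot: The chfn hunk at `@@ -3436,13 +3436,13 @@` replaces `auth_use_nsswitch(chfn_t)` with two commented-out rules, `#auth_dontaudit_read_shadow(chfn_t)` and `#auth_use_nsswitch(chfn_t)`, with no explanation. Commented-out policy lines are dead code that later maintainers tend to re-enable or misread; either drop them or leave a one-line reason, e.g. `# nsswitch and shadow access are presumably covered by auth_use_pam(chfn_t) above -- confirm before removing`. The `auth_use_pam(chfn_t)` line is added in the preceding hunk of the same file section, which is the only visible hint at the intent.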
@@ -3454,11 +3454,11 @@ index 1d732f1e7..44e694926 100644 - -miscfiles_read_localization(chfn_t) +init_dontaudit_getattr_initctl(chfn_t) - + logging_send_syslog_msg(chfn_t) - + seutil_read_file_contexts(chfn_t) - + +userdom_manage_user_tmp_files(chfn_t) +userdom_tmp_filetrans_user_tmp(chfn_t, { file }) + @@ -3466,9 +3466,9 @@ index 1d732f1e7..44e694926 100644 # user generally runs this from their home directory, so do not audit a search # on user home dir @@ -136,6 +150,16 @@ optional_policy(` - nscd_run(chfn_t, chfn_roles) + nscd_run(chfn_t, chfn_roles) ') - + +optional_policy(` + rssh_exec(chfn_t) +') @@ -3485,7 +3485,7 @@ index 1d732f1e7..44e694926 100644 @@ -186,7 +210,7 @@ optional_policy(` # Groupadd local policy # - + -allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; +allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write }; dontaudit groupadd_t self:capability { fsetid sys_tty_config }; @@ -3494,30 +3494,30 @@ index 1d732f1e7..44e694926 100644 @@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) - + -term_use_all_ttys(groupadd_t) -term_use_all_ptys(groupadd_t) +term_use_all_inherited_terms(groupadd_t) +term_getattr_all_ptys(groupadd_t) - + init_use_fds(groupadd_t) init_read_utmp(groupadd_t) @@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t) - + domain_use_interactive_fds(groupadd_t) - + -files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) +files_read_etc_files(groupadd_t) files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) - + @@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t) logging_send_audit_msgs(groupadd_t) logging_send_syslog_msg(groupadd_t) - + -miscfiles_read_localization(groupadd_t) - + auth_run_chk_passwd(groupadd_t, groupadd_roles) auth_rw_lastlog(groupadd_t) auth_use_nsswitch(groupadd_t) 
@@ -3528,11 +3528,11 @@ index 1d732f1e7..44e694926 100644 -auth_manage_shadow(groupadd_t) auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) - + @@ -273,7 +297,7 @@ optional_policy(` # Passwd local policy # - + -allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; +allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin }; dontaudit passwd_t self:capability sys_tty_config; @@ -3543,26 +3543,26 @@ index 1d732f1e7..44e694926 100644 allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; +allow passwd_t self:netlink_selinux_socket create_socket_perms; - + allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) @@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) - + # for SSP dev_read_urand(passwd_t) +dev_dontaudit_getattr_all(passwd_t) - + fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) @@ -310,26 +336,34 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) - + -term_use_all_ttys(passwd_t) -term_use_all_ptys(passwd_t) +term_use_all_inherited_terms(passwd_t) +term_getattr_all_ptys(passwd_t) - + auth_run_chk_passwd(passwd_t, passwd_roles) +auth_manage_passwd(passwd_t) +auth_map_passwd(passwd_t) 
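Review bot: The passwd_t capability line `allow passwd_t self:capability { chown dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };` adds `ipc_lock` and, more notably, `sys_admin`, which is the broadest capability in the set, and nothing in the hunk says which operation of /usr/bin/passwd needs it. A short comment on the line would make the grant auditable, e.g. `# ipc_lock: keep password buffers out of swap; sys_admin: TODO name the operation that needs it`. If the underlying denial is only a capability probe rather than a required operation, `dontaudit passwd_t self:capability sys_admin;` would be the narrower fix. Given the equal line counts in this hunk header, the line may be unchanged context from the earlier patch, but it is the new-side policy and deserves the justification.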
@@ -3572,22 +3572,22 @@ index 1d732f1e7..44e694926 100644 auth_etc_filetrans_shadow(passwd_t) -auth_use_nsswitch(passwd_t) +auth_use_pam(passwd_t) - + # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) +corecmd_exec_bin(passwd_t) + +corenet_tcp_connect_kerberos_password_port(passwd_t) - + domain_use_interactive_fds(passwd_t) - + files_read_etc_runtime_files(passwd_t) -files_manage_etc_files(passwd_t) +files_read_usr_files(passwd_t) files_search_var(passwd_t) files_dontaudit_search_pids(passwd_t) files_relabel_etc_files(passwd_t) - + +term_search_ptys(passwd_t) + # /usr/bin/passwd asks for w access to utmp, but it will operate @@ -3596,12 +3596,12 @@ index 1d732f1e7..44e694926 100644 @@ -338,12 +372,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) - + -miscfiles_read_localization(passwd_t) - + seutil_read_config(passwd_t) seutil_read_file_contexts(passwd_t) - + -userdom_use_user_terminals(passwd_t) +userdom_use_inherited_user_terminals(passwd_t) userdom_use_unpriv_users_fds(passwd_t) @@ -3625,13 +3625,13 @@ index 1d732f1e7..44e694926 100644 + gnome_manage_generic_cache_sockets(passwd_t) + gnome_stream_connect_gkeyringd(passwd_t) +') - + optional_policy(` - nscd_run(passwd_t, passwd_roles) + nscd_run(passwd_t, passwd_roles) @@ -362,7 +409,7 @@ optional_policy(` # Password admin local policy # - + -allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource }; +allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource }; allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -3640,20 +3640,20 @@ index 1d732f1e7..44e694926 100644 
@@ -401,9 +448,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) - + -term_use_all_ttys(sysadm_passwd_t) -term_use_all_ptys(sysadm_passwd_t) +term_use_all_inherited_terms(sysadm_passwd_t) +term_getattr_all_ptys(sysadm_passwd_t) - + +auth_manage_passwd(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) @@ -416,7 +464,6 @@ files_read_usr_files(sysadm_passwd_t) - + domain_use_interactive_fds(sysadm_passwd_t) - + -files_manage_etc_files(sysadm_passwd_t) files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) @@ -3661,11 +3661,11 @@ index 1d732f1e7..44e694926 100644 @@ -426,12 +473,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) - + -miscfiles_read_localization(sysadm_passwd_t) - + logging_send_syslog_msg(sysadm_passwd_t) - + -seutil_dontaudit_search_config(sysadm_passwd_t) - userdom_use_unpriv_users_fds(sysadm_passwd_t) @@ -3674,7 +3674,7 @@ index 1d732f1e7..44e694926 100644 @@ -446,7 +490,8 @@ optional_policy(` # Useradd local policy # - + -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; +allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + @@ -3684,25 +3684,25 @@ index 1d732f1e7..44e694926 100644 @@ -461,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; - + +manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) +manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) +files_pid_filetrans(useradd_t, useradd_var_run_t, dir) + # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) - + 
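Review bot: In the useradd hunk at `@@ -3674,7 +3674,7 @@`, `allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };` widens useradd_t with `sys_ptrace` and `sys_chroot` and carries no comment. Both are plausible (`sys_chroot` for the `--root` option, `sys_ptrace` for reading other domains' process state, which `domain_read_all_domains_state(useradd_t)` in the next hunk suggests), but the reason should be stated on the line so a later audit can verify it, e.g. `# sys_chroot: useradd/userdel -R; sys_ptrace: reading other users' /proc state -- confirm`. The hunk header's equal counts suggest this may be a whitespace regeneration, so the line may predate this commit.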
@@ -468,29 +517,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) - + +kernel_getattr_core_if(useradd_t) +dev_dontaudit_getattr_all(useradd_t) + domain_use_interactive_fds(useradd_t) domain_read_all_domains_state(useradd_t) +domain_dontaudit_read_all_domains_state(useradd_t) - + -files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) files_relabel_etc_files(useradd_t) @@ -3710,13 +3710,13 @@ index 1d732f1e7..44e694926 100644 +files_manage_etc_files(useradd_t) +files_create_var_lib_dirs(useradd_t) +files_rw_var_lib_dirs(useradd_t) - + fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) - + mls_file_upgrade(useradd_t) +mls_process_read_to_clearance(useradd_t) - + -# Allow access to context for shadow file -selinux_get_fs_mount(useradd_t) -selinux_validate_context(useradd_t) @@ -3729,7 +3729,7 @@ index 1d732f1e7..44e694926 100644 -term_use_all_ptys(useradd_t) +term_use_all_inherited_terms(useradd_t) +term_getattr_all_ptys(useradd_t) - + auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) @@ -498,6 +546,7 @@ auth_rw_faillog(useradd_t) @@ -3743,7 +3743,7 @@ index 1d732f1e7..44e694926 100644 @@ -508,33 +557,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) - + -miscfiles_read_localization(useradd_t) + +seutil_semanage_policy(useradd_t) @@ -3751,7 +3751,7 @@ index 1d732f1e7..44e694926 100644 +seutil_manage_config(useradd_t) +seutil_manage_login_config(useradd_t) +seutil_manage_default_contexts(useradd_t) - + seutil_read_config(useradd_t) seutil_read_file_contexts(useradd_t) seutil_read_default_contexts(useradd_t) 
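Review bot: The hunk at `@@ -3743,7 +3743,7 @@` gives useradd_t `seutil_semanage_policy`, `seutil_manage_config`, `seutil_manage_login_config` and `seutil_manage_default_contexts`, and the following hunk adds `seutil_run_loadpolicy(useradd_t, useradd_roles)`; together these let the account-management domain rewrite SELinux configuration and load policy, which is a large step beyond the read-only `seutil_read_*` rules that remain. A comment naming the use case (presumably the SELinux user mapping done for `useradd -Z` through semanage, though that is not visible here) would let a future reviewer confirm each of the five interfaces is actually exercised rather than tightening or widening it blindly, e.g. `# useradd -Z / userdel: update login mappings via semanage and reload policy`. The removal of `unconfined_domain(useradd_t)` under `distro_redhat` in the next hunk is the matching tightening and is worth mentioning in the same comment.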
@@ -3760,7 +3760,7 @@ index 1d732f1e7..44e694926 100644 seutil_run_semanage(useradd_t, useradd_roles) seutil_run_setfiles(useradd_t, useradd_roles) +seutil_run_loadpolicy(useradd_t, useradd_roles) - + userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) @@ -3771,11 +3771,11 @@ index 1d732f1e7..44e694926 100644 -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) +userdom_delete_all_user_home_content(useradd_t) - + optional_policy(` - mta_manage_spool(useradd_t) + mta_manage_spool(useradd_t) ') - + -ifdef(`distro_redhat',` - optional_policy(` - unconfined_domain(useradd_t) @@ -3783,39 +3783,39 @@ index 1d732f1e7..44e694926 100644 -') - optional_policy(` - apache_manage_all_user_content(useradd_t) + apache_manage_all_user_content(useradd_t) ') @@ -544,14 +592,27 @@ optional_policy(` - dpkg_rw_pipes(useradd_t) + dpkg_rw_pipes(useradd_t) ') - + +optional_policy(` + kerberos_manage_kdc_var_lib(useradd_t) +') + optional_policy(` - nscd_run(useradd_t, useradd_roles) + nscd_run(useradd_t, useradd_roles) ') - + +optional_policy(` + openshift_manage_content(useradd_t) +') + optional_policy(` - puppet_rw_tmp(useradd_t) + puppet_rw_tmp(useradd_t) ') - + +optional_policy(` + rpc_list_nfs_state_data(useradd_t) + rpc_read_nfs_state_data(useradd_t) +') + optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(useradd_t) + tunable_policy(`samba_domain_controller',` + samba_append_log(useradd_t) @@ -562,3 +623,12 @@ optional_policy(` - rpm_use_fds(useradd_t) - rpm_rw_pipes(useradd_t) + rpm_use_fds(useradd_t) + rpm_rw_pipes(useradd_t) ') + +optional_policy(` @@ -3831,9 +3831,9 @@ index 1dc7a85d3..1a2084fdc 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if 
@@ -43,18 +43,18 @@ interface(`seunshare_run',` - role $2 types seunshare_t; - - allow $1 seunshare_t:process signal_perms; + role $2 types seunshare_t; + + allow $1 seunshare_t:process signal_perms; - - ifdef(`hide_broken_symptoms', ` - dontaudit seunshare_t $1:tcp_socket rw_socket_perms; @@ -3841,7 +3841,7 @@ index 1dc7a85d3..1a2084fdc 100644 - dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms; - ') ') - + ######################################## ## -## Role access for seunshare @@ -3862,17 +3862,17 @@ index 1dc7a85d3..1a2084fdc 100644 # -interface(`seunshare_role',` +interface(`seunshare_role_template',` - gen_require(` + gen_require(` - type seunshare_t; + attribute seunshare_domain; + type seunshare_exec_t; - ') - + ') + - role $2 types seunshare_t; + type $1_seunshare_t, seunshare_domain; + application_domain($1_seunshare_t, seunshare_exec_t) + role $2 types $1_seunshare_t; - + - seunshare_domtrans($1) + kernel_read_system_state($1_seunshare_t) + @@ -3902,7 +3902,7 @@ index 1dc7a85d3..1a2084fdc 100644 + + allow $1_seunshare_t $3:process transition; + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; - + - ps_process_pattern($2, seunshare_t) - allow $2 seunshare_t:process signal; + corecmd_bin_domtrans($1_seunshare_t, $1_t) @@ -3915,36 +3915,36 @@ index 759016583..f50f79935 100644 
@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) # Declarations # - + -type seunshare_t; +attribute seunshare_domain; type seunshare_exec_t; -application_domain(seunshare_t, seunshare_exec_t) -role system_r types seunshare_t; - + ######################################## # # seunshare local policy # +allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice }; +allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched }; - + -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -allow seunshare_t self:process { setexec signal getcap setcap }; +allow seunshare_domain self:fifo_file rw_file_perms; +allow seunshare_domain self:unix_stream_socket create_stream_socket_perms; - + -allow seunshare_t self:fifo_file rw_file_perms; -allow seunshare_t self:unix_stream_socket create_stream_socket_perms; +corecmd_exec_shell(seunshare_domain) +corecmd_exec_bin(seunshare_domain) +corecmd_getattr_all_executables(seunshare_domain) - + -corecmd_exec_shell(seunshare_t) -corecmd_exec_bin(seunshare_t) +dev_read_urand(seunshare_domain) +dev_dontaudit_rw_dri(seunshare_domain) - + -files_read_etc_files(seunshare_t) -files_mounton_all_poly_members(seunshare_t) +files_search_all(seunshare_domain) @@ -3953,7 +3953,7 @@ index 759016583..f50f79935 100644 +files_mounton_rootfs(seunshare_domain) +files_manage_generic_tmp_dirs(seunshare_domain) +files_relabelfrom_tmp_dirs(seunshare_domain) - + -auth_use_nsswitch(seunshare_t) - -logging_send_syslog_msg(seunshare_t) @@ -3964,7 +3964,7 @@ index 759016583..f50f79935 100644 +fs_manage_cgroup_dirs(seunshare_domain) +fs_manage_cgroup_files(seunshare_domain) +fs_unmount_all_fs(seunshare_domain) - + +userdom_dontaudit_rw_user_tmp_pipes(seunshare_domain) +userdom_use_inherited_user_terminals(seunshare_domain) +userdom_list_user_home_content(seunshare_domain) 
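Review bot: `allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice };` now applies to every `$1_seunshare_t` derived domain created by the new `seunshare_role_template`, rather than to the single seunshare_t type, and it is joined by `fs_unmount_all_fs`, `files_mounton_rootfs` and `files_relabelfrom_tmp_dirs`. Moving from one type to an attribute means each role's sandbox helper inherits the whole set, so the rationale should be recorded at the top of the local-policy section, e.g. `# seunshare sets up a private mount namespace for the sandbox: sys_admin/mounton/unmount for the mounts, setuid/setgid to drop to the caller -- confirm each capability is still needed`. The declaration block of seunshare.te continues outside this hunk.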
@@ -3972,11 +3972,11 @@ index 759016583..f50f79935 100644 - fs_dontaudit_rw_anon_inodefs_files(seunshare_t) + fs_dontaudit_rw_anon_inodefs_files(seunshare_domain) + fs_dontaudit_list_inotifyfs(seunshare_domain) - - optional_policy(` + + optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_t) + gnome_dontaudit_rw_inherited_config(seunshare_domain) - ') + ') + + optional_policy(` + mozilla_dontaudit_manage_user_home_files(seunshare_domain) @@ -4017,18 +4017,18 @@ index 33e0f8dad..3806eab60 100644 @@ -46,6 +47,7 @@ ifdef(`distro_redhat',` /etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0) - + +/etc/auto\.[^/]* -- gen_context(system_u:object_r:bin_t,s0) /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) - + /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) @@ -67,18 +69,28 @@ ifdef(`distro_redhat',` /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) - + /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/kde/kdm(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) - + +/etc/redhat-lsb(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0) 
@@ -4037,24 +4037,24 @@ index 33e0f8dad..3806eab60 100644 +/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0) + /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) - + /etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) +/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0) - + ifdef(`distro_redhat',` /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) ') - + /etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0) +/etc/munin/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) - + /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - + @@ -101,11 +113,8 @@ ifdef(`distro_redhat',` - + /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) - + -/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) @@ -4062,20 +4062,20 @@ index 33e0f8dad..3806eab60 100644 -/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) - + @@ -114,7 +123,7 @@ ifdef(`distro_redhat',` /etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0) - + -/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/wdmd\.d/checkquorum\.wdmd gen_context(system_u:object_r:bin_t,s0) - + /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) @@ -128,6 +137,8 @@ ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') - + +/etc/dhcp/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + # 
@@ -4092,13 +4092,13 @@ index 33e0f8dad..3806eab60 100644 /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) +/lib/security/pam_krb5(/.*)? gen_context(system_u:object_r:bin_t,s0) - + ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) @@ -149,10 +162,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') - + +/usr/lib/erlang/erts.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + # @@ -4111,16 +4111,16 @@ index 33e0f8dad..3806eab60 100644 /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) @@ -168,6 +183,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - + /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0) - + /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) - + @@ -179,34 +195,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') - + +/root/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + # 
@@ -4144,14 +4144,14 @@ index 33e0f8dad..3806eab60 100644 /usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) - + -/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) - + /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) - + /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0) +/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -4222,7 +4222,7 @@ index 33e0f8dad..3806eab60 100644 /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/debug/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) - + /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) @@ -4233,7 +4233,7 @@ index 33e0f8dad..3806eab60 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) - + /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) 
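Review bot: `/usr/lib/jvm/java(.*/)bin(/.*)` is wholly covered by the generic `/usr/lib(.*/)?bin(/.*)?` entry re-added on the very next line — both assign bin_t and the generic pattern matches every path the jvm one does — so the jvm line adds nothing but a second regex for setfiles to evaluate. If it is kept deliberately, for instance to survive a later tightening of the generic rule, a comment above it saying so would stop the next reader from deleting it; otherwise drop it. Both lines show as unchanged context here, so this looks carried over rather than new to this commit.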
@@ -4244,9 +4244,9 @@ index 33e0f8dad..3806eab60 100644 +/usr/bin/cockpit-bridge -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/libexec/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) - + /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) - + -/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -4257,7 +4257,7 @@ index 33e0f8dad..3806eab60 100644 +/usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) +/usr/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) +/usr/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) - + +/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -4298,16 +4298,16 @@ index 33e0f8dad..3806eab60 100644 /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/virtualbox/.*\.sh gen_context(system_u:object_r:bin_t,s0) +/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) - + -/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) +/usr/X11R6/lib/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) - + ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -325,20 +395,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) - + +/usr/lib/.*/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
@@ -4324,7 +4324,7 @@ index 33e0f8dad..3806eab60 100644 /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0) /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) @@ -4347,9 +4347,9 @@ index 33e0f8dad..3806eab60 100644 # -/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/var/mailman.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - + /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - + /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) @@ -4357,11 +4357,11 @@ index 33e0f8dad..3806eab60 100644 +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) - + /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) - + +/var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0) + @@ -4384,7 +4384,7 @@ index 9e9263a68..5175abbf5 100644 @@ -8,6 +8,22 @@ ## run init. ## - + +##################################### +## +## corecmd stub bin_t interface. No access allowed. @@ -4406,32 +4406,32 @@ index 9e9263a68..5175abbf5 100644 ## Make the specified type usable for files 
@@ -68,9 +84,11 @@ interface(`corecmd_bin_alias',` interface(`corecmd_bin_entry_type',` - gen_require(` - type bin_t; + gen_require(` + type bin_t; + type usr_t; - ') - - domain_entry_file($1, bin_t) + ') + + domain_entry_file($1, bin_t) + domain_entry_file($1, usr_t) ') - + ######################################## @@ -122,6 +140,7 @@ interface(`corecmd_search_bin',` - type bin_t; - ') - + type bin_t; + ') + + corecmd_read_bin_symlinks($1) - search_dirs_pattern($1, bin_t, bin_t) + search_dirs_pattern($1, bin_t, bin_t) ') - + @@ -158,6 +177,7 @@ interface(`corecmd_list_bin',` - type bin_t; - ') - + type bin_t; + ') + + corecmd_read_bin_symlinks($1) - list_dirs_pattern($1, bin_t, bin_t) + list_dirs_pattern($1, bin_t, bin_t) ') - + @@ -203,7 +223,7 @@ interface(`corecmd_getattr_bin_files',` ## ## @@ -4442,17 +4442,17 @@ index 9e9263a68..5175abbf5 100644 ## # @@ -231,6 +251,7 @@ interface(`corecmd_read_bin_files',` - type bin_t; - ') - + type bin_t; + ') + + corecmd_read_bin_symlinks($1) - read_files_pattern($1, bin_t, bin_t) + read_files_pattern($1, bin_t, bin_t) ') - + @@ -252,6 +273,24 @@ interface(`corecmd_dontaudit_write_bin_files',` - dontaudit $1 bin_t:file write; + dontaudit $1 bin_t:file write; ') - + +######################################## +## +## Do not audit attempts to access check bin files. @@ -4475,90 +4475,90 @@ index 9e9263a68..5175abbf5 100644 ## ## Read symbolic links in bin directories. @@ -285,6 +324,7 @@ interface(`corecmd_read_bin_pipes',` - type bin_t; - ') - + type bin_t; + ') + + corecmd_read_bin_symlinks(bin_t) - read_fifo_files_pattern($1, bin_t, bin_t) + read_fifo_files_pattern($1, bin_t, bin_t) ') - + @@ -303,6 +343,7 @@ interface(`corecmd_read_bin_sockets',` - type bin_t; - ') - + type bin_t; + ') + + corecmd_read_bin_symlinks($1) - read_sock_files_pattern($1, bin_t, bin_t) + read_sock_files_pattern($1, bin_t, bin_t) ') - + 
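Review bot: `corecmd_bin_entry_type` now also calls `domain_entry_file($1, usr_t)`, next to the added `type usr_t;` require at the top of this hunk, which makes every file carrying the generic usr_t label a valid entry point for every domain that uses this interface, not only bin_t executables. If usr_t is the default label for unlisted content under /usr, as in refpolicy, then any data file or unpackaged script there becomes something those domains can be entered through, widening exactly the set this interface exists to constrain; the line shows as unchanged context, so it appears carried over from the previous patch revision rather than introduced here. I would either drop the usr_t line and give the affected executables bin_t entries in the .fc, or at least state the trade-off above it: `# usr_t is also an entrypoint so /usr executables without an fc entry still work; prefer adding bin_t labels`.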
@@ -345,6 +386,10 @@ interface(`corecmd_exec_bin',` - read_lnk_files_pattern($1, bin_t, bin_t) - list_dirs_pattern($1, bin_t, bin_t) - can_exec($1, bin_t) + read_lnk_files_pattern($1, bin_t, bin_t) + list_dirs_pattern($1, bin_t, bin_t) + can_exec($1, bin_t) + + ifdef(`enable_mls',`',` + files_exec_all_base_ro_files($1) + ') ') - + ######################################## @@ -362,6 +407,7 @@ interface(`corecmd_manage_bin_files',` - type bin_t; - ') - + type bin_t; + ') + + corecmd_read_bin_symlinks($1) - manage_files_pattern($1, bin_t, bin_t) + manage_files_pattern($1, bin_t, bin_t) ') - + @@ -398,7 +444,8 @@ interface(`corecmd_mmap_bin_files',` - type bin_t; - ') - + type bin_t; + ') + - mmap_files_pattern($1, bin_t, bin_t) + corecmd_read_bin_symlinks($1) + mmap_exec_files_pattern($1, bin_t, bin_t) ') - + ######################################## @@ -440,10 +487,14 @@ interface(`corecmd_mmap_bin_files',` interface(`corecmd_bin_spec_domtrans',` - gen_require(` - type bin_t; + gen_require(` + type bin_t; + type usr_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) - domain_transition_pattern($1, bin_t, $2) + ') + + read_lnk_files_pattern($1, bin_t, bin_t) + domain_transition_pattern($1, bin_t, $2) + + read_lnk_files_pattern($1, usr_t, usr_t) + domain_transition_pattern($1, usr_t, $2) ') - + ######################################## @@ -483,10 +534,12 @@ interface(`corecmd_bin_spec_domtrans',` interface(`corecmd_bin_domtrans',` - gen_require(` - type bin_t; + gen_require(` + type bin_t; + type usr_t; - ') - - corecmd_bin_spec_domtrans($1, $2) - type_transition $1 bin_t:process $2; + ') + + corecmd_bin_spec_domtrans($1, $2) + type_transition $1 bin_t:process $2; + type_transition $1 usr_t:process $2; ') - + ######################################## 
@@ -945,6 +998,7 @@ interface(`corecmd_shell_domtrans',` interface(`corecmd_exec_chroot',` - gen_require(` - type chroot_exec_t; + gen_require(` + type chroot_exec_t; + type bin_t; - ') - - read_lnk_files_pattern($1, bin_t, bin_t) + ') + + read_lnk_files_pattern($1, bin_t, bin_t) @@ -952,6 +1006,24 @@ interface(`corecmd_exec_chroot',` - allow $1 self:capability sys_chroot; + allow $1 self:capability sys_chroot; ') - + +######################################## +## +## Do not audit attempts to access check executable files. @@ -4581,28 +4581,28 @@ index 9e9263a68..5175abbf5 100644 ## ## Get the attributes of all executable files. @@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',` - can_exec($1, exec_type) - list_dirs_pattern($1, bin_t, bin_t) - read_lnk_files_pattern($1, bin_t, exec_type) + can_exec($1, exec_type) + list_dirs_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, exec_type) + + ifdef(`enable_mls',`',` + files_exec_all_base_ro_files($1) + ') ') - + ######################################## @@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',` - type bin_t; - ') - + type bin_t; + ') + + manage_dirs_pattern($1, bin_t, exec_type) - manage_files_pattern($1, bin_t, exec_type) - manage_lnk_files_pattern($1, bin_t, bin_t) + manage_files_pattern($1, bin_t, exec_type) + manage_lnk_files_pattern($1, bin_t, bin_t) ') @@ -1089,5 +1166,38 @@ interface(`corecmd_mmap_all_executables',` - type bin_t; - ') - + type bin_t; + ') + - mmap_files_pattern($1, bin_t, exec_type) + mmap_exec_files_pattern($1, bin_t, exec_type) +') @@ -4652,21 +4652,21 @@ index 20c76cff9..cc63dcc9c 100644 +files_ro_base_file(bin_t) corecmd_executable_file(bin_t) dev_associate(bin_t) #For /dev/MAKEDEV - + @@ -21,6 +22,7 @@ dev_associate(bin_t) #For /dev/MAKEDEV # shell_exec_t is the type of user shells such as /bin/bash. # type shell_exec_t; +files_ro_base_file(shell_exec_t) corecmd_executable_file(shell_exec_t) - + type chroot_exec_t; 
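Review bot: `corecmd_read_bin_pipes` calls `corecmd_read_bin_symlinks(bin_t)` (inner hunk `@@ -285,6 +324,7 @@`) where every sibling in this hunk, e.g. `corecmd_read_bin_sockets` right below, passes `$1`; as written it grants the bin_t file type rather than the calling domain the symlink read, so callers still cannot follow links in bin directories and the policy carries a meaningless rule. The fix is the one-token change `corecmd_read_bin_symlinks($1)`. Further down, `corecmd_exec_bin` adds `files_exec_all_base_ro_files($1)` whenever `enable_mls` is off, and a later hunk of this patch attaches `files_ro_base_file` to both bin_t and shell_exec_t, so a domain that asked only to run bin_t programs also gets shell_exec_t (and whatever else carries that attribute, which is not visible here), eroding the upstream split between `corecmd_exec_bin` and `corecmd_exec_shell`. `corecmd_bin_spec_domtrans` and `corecmd_bin_domtrans` in the same hunk add `type_transition $1 usr_t:process $2`, so automatic transitions fire on generic usr_t files too. These lines show as unchanged context and so look inherited from the previous revision, but the interface descriptions should state the wider scope, e.g. `## In non-MLS builds this also permits executing every files_ro_base_file type, including shell_exec_t.`; `corecmd_exec_bin`'s header lies outside the hunk.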
diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc index f9b25c12f..9af1f7a61 100644 --- a/policy/modules/kernel/corenetwork.fc +++ b/policy/modules/kernel/corenetwork.fc @@ -8,3 +8,6 @@ - + /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) + @@ -4677,25 +4677,25 @@ index 07126bdcc..7ff70b2d8 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -55,6 +55,7 @@ interface(`corenet_reserved_port',` - ') - - typeattribute $1 reserved_port_type; + ') + + typeattribute $1 reserved_port_type; + corenet_port($1) ') - + ######################################## @@ -82,6 +83,7 @@ interface(`corenet_rpc_port',` - ') - - typeattribute $1 rpc_port_type; + ') + + typeattribute $1 rpc_port_type; + corenet_port($1) ') - + ######################################## @@ -580,6 +582,24 @@ interface(`corenet_raw_send_all_if',` - allow $1 netif_type:netif { rawip_send egress }; + allow $1 netif_type:netif { rawip_send egress }; ') - + +######################################## +## +## Send and receive SCTP network traffic on generic nodes. @@ -4718,9 +4718,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Receive raw IP packets on all interfaces. @@ -613,6 +633,24 @@ interface(`corenet_raw_sendrecv_all_if',` - corenet_raw_receive_all_if($1) + corenet_raw_receive_all_if($1) ') - + +######################################## +## +## Send and receive DCCP network traffic on generic nodes. @@ -4743,9 +4743,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Send and receive TCP network traffic on generic nodes. @@ -787,6 +825,24 @@ interface(`corenet_raw_sendrecv_generic_node',` - corenet_raw_receive_generic_node($1) + corenet_raw_receive_generic_node($1) ') - + +######################################## +## +## Bind DCCP sockets to generic nodes. 
@@ -4768,9 +4768,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Bind TCP sockets to generic nodes. @@ -853,6 +909,44 @@ interface(`corenet_udp_bind_generic_node',` - allow $1 node_t:udp_socket node_bind; + allow $1 node_t:udp_socket node_bind; ') - + +######################################## +## +## Dontaudit attempts to bind TCP sockets to generic nodes. @@ -4813,9 +4813,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Bind raw sockets to genric nodes. @@ -926,6 +1020,24 @@ interface(`corenet_inout_generic_node',` - corenet_out_generic_node($1) + corenet_out_generic_node($1) ') - + +######################################## +## +## Send and receive DCCP network traffic on all nodes. @@ -4838,9 +4838,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Send and receive TCP network traffic on all nodes. @@ -981,6 +1093,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',` - dontaudit $1 node_type:node { udp_send sendto }; + dontaudit $1 node_type:node { udp_send sendto }; ') - + +######################################## +## +## Send and receive SCTP network traffic on all nodes. @@ -4863,9 +4863,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Receive UDP network traffic on all nodes. @@ -1100,6 +1230,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` - corenet_raw_receive_all_nodes($1) + corenet_raw_receive_all_nodes($1) ') - + +######################################## +## +## Bind DCCP sockets to all nodes. @@ -4888,9 +4888,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Bind TCP sockets to all nodes. @@ -1155,6 +1303,24 @@ interface(`corenet_raw_bind_all_nodes',` - allow $1 node_type:rawip_socket node_bind; + allow $1 node_type:rawip_socket node_bind; ') - + +######################################## +## +## Send and receive DCCP network traffic on generic ports. @@ -4915,7 +4915,7 @@ index 07126bdcc..7ff70b2d8 100644 
@@ -1167,12 +1333,51 @@ interface(`corenet_raw_bind_all_nodes',` # interface(`corenet_tcp_sendrecv_generic_port',` - gen_require(` + gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; + ') @@ -4956,12 +4956,12 @@ index 07126bdcc..7ff70b2d8 100644 +interface(`corenet_sctp_bind_all_nodes',` + gen_require(` + attribute node_type; - ') - + ') + - allow $1 port_t:tcp_socket { send_msg recv_msg }; + allow $1 node_type:sctp_socket node_bind; ') - + + ######################################## ## @@ -4969,46 +4969,46 @@ index 07126bdcc..7ff70b2d8 100644 @@ -1185,10 +1390,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` # interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` - gen_require(` + gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; - ') - + ') + - dontaudit $1 port_t:tcp_socket { send_msg recv_msg }; + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg }; ') - + ######################################## @@ -1203,10 +1408,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` # interface(`corenet_udp_send_generic_port',` - gen_require(` + gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; - ') - + ') + - allow $1 port_t:udp_socket send_msg; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg; ') - + ######################################## @@ -1221,10 +1426,10 @@ interface(`corenet_udp_send_generic_port',` # interface(`corenet_udp_receive_generic_port',` - gen_require(` + gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; - ') - + ') + - allow $1 port_t:udp_socket recv_msg; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg; ') - + ######################################## 
@@ -1242,6 +1447,26 @@ interface(`corenet_udp_sendrecv_generic_port',` - corenet_udp_receive_generic_port($1) + corenet_udp_receive_generic_port($1) ') - + +######################################## +## +## Bind DCCP sockets to generic ports. @@ -5035,17 +5035,17 @@ index 07126bdcc..7ff70b2d8 100644 @@ -1254,14 +1479,33 @@ interface(`corenet_udp_sendrecv_generic_port',` # interface(`corenet_tcp_bind_generic_port',` - gen_require(` + gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; - attribute defined_port_type; - ') - + attribute defined_port_type; + ') + - allow $1 port_t:tcp_socket name_bind; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind; - dontaudit $1 defined_port_type:tcp_socket name_bind; + dontaudit $1 defined_port_type:tcp_socket name_bind; ') - + +######################################## +## +## Do not audit attempts to bind DCCP @@ -5071,30 +5071,30 @@ index 07126bdcc..7ff70b2d8 100644 @@ -1274,10 +1518,10 @@ interface(`corenet_tcp_bind_generic_port',` # interface(`corenet_dontaudit_tcp_bind_generic_port',` - gen_require(` + gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; - ') - + ') + - dontaudit $1 port_t:tcp_socket name_bind; + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind; ') - + ######################################## 
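Review bot: `corenet_tcp_bind_generic_port` now allows `name_bind` on `{ port_t unreserved_port_t ephemeral_port_t }` instead of port_t alone (inner hunk `@@ -1254,14 +1479,33 @@`), so any domain handed the generic-port bind can listen on every undefined port above 1024 and on the ephemeral range, which upstream grants separately through `corenet_tcp_bind_all_unreserved_ports`. Callers that were given this interface for a single unregistered port therefore gain a much larger bind surface, and the `dontaudit $1 defined_port_type:tcp_socket name_bind` that follows also hides attempts to bind defined ports, so the widening will not show up in audit. The replacement line shows as unchanged context, so it seems inherited from the earlier patch revision, but the interface's description block above this hunk should state the new scope, e.g. `## Bind TCP sockets to generic, unreserved and ephemeral ports.`, and the same applies to the udp, sctp and dccp variants in the neighbouring hunks.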
@@ -1292,14 +1536,32 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` # interface(`corenet_udp_bind_generic_port',` - gen_require(` + gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; - attribute defined_port_type; - ') - + attribute defined_port_type; + ') + - allow $1 port_t:udp_socket name_bind; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind; - dontaudit $1 defined_port_type:udp_socket name_bind; + dontaudit $1 defined_port_type:udp_socket name_bind; ') - + +######################################## +## +## Connect DCCP sockets to generic ports. @@ -5119,7 +5119,7 @@ index 07126bdcc..7ff70b2d8 100644 @@ -1312,10 +1574,28 @@ interface(`corenet_udp_bind_generic_port',` # interface(`corenet_tcp_connect_generic_port',` - gen_require(` + gen_require(` - type port_t; + type port_t, unreserved_port_t, ephemeral_port_t; + ') @@ -5140,15 +5140,15 @@ index 07126bdcc..7ff70b2d8 100644 +interface(`corenet_dccp_sendrecv_all_ports',` + gen_require(` + attribute port_type; - ') - + ') + - allow $1 port_t:tcp_socket name_connect; + allow $1 port_type:dccp_socket { send_msg recv_msg }; ') - + ######################################## @@ -1382,7 +1662,7 @@ interface(`corenet_udp_send_all_ports',` - + ######################################## ## -## Receive UDP network traffic on all ports. @@ -5162,17 +5162,17 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_udp_receive_all_ports',` +interface(`corenet_sctp_bind_generic_port',` - gen_require(` + gen_require(` - attribute port_type; + type port_t, unreserved_port_t, ephemeral_port_t; + attribute defined_port_type; - ') - + ') + - allow $1 port_type:udp_socket recv_msg; + allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; + dontaudit $1 defined_port_type:sctp_socket name_bind; ') - + ######################################## ## -## Send and receive UDP network traffic on all ports. 
@@ -5364,9 +5364,9 @@ index 07126bdcc..7ff70b2d8 100644 ## # @@ -1437,6 +1848,25 @@ interface(`corenet_udp_sendrecv_all_ports',` - corenet_udp_receive_all_ports($1) + corenet_udp_receive_all_ports($1) ') - + +######################################## +## +## Bind DCCP sockets to all ports. @@ -5390,9 +5390,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Bind TCP sockets to all ports. @@ -1456,6 +1886,24 @@ interface(`corenet_tcp_bind_all_ports',` - allow $1 self:capability net_bind_service; + allow $1 self:capability net_bind_service; ') - + +######################################## +## +## Do not audit attepts to bind DCCP sockets to any ports. @@ -5415,9 +5415,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attepts to bind TCP sockets to any ports. @@ -1493,6 +1941,24 @@ interface(`corenet_udp_bind_all_ports',` - allow $1 self:capability net_bind_service; + allow $1 self:capability net_bind_service; ') - + +######################################## +## +## Connect SCTP sockets to generic ports. @@ -5440,9 +5440,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attepts to bind UDP sockets to any ports. @@ -1511,6 +1977,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` - dontaudit $1 port_type:udp_socket name_bind; + dontaudit $1 port_type:udp_socket name_bind; ') - + +######################################## +## +## Connect DCCP sockets to all ports. @@ -5465,9 +5465,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Connect TCP sockets to all ports. @@ -1557,6 +2041,25 @@ interface(`corenet_tcp_connect_all_ports',` - allow $1 port_type:tcp_socket name_connect; + allow $1 port_type:tcp_socket name_connect; ') - + +######################################## +## +## Do not audit attempts to connect DCCP sockets @@ -5491,9 +5491,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attempts to connect TCP sockets 
@@ -1576,6 +2079,24 @@ interface(`corenet_dontaudit_tcp_connect_all_ports',` - dontaudit $1 port_type:tcp_socket name_connect; + dontaudit $1 port_type:tcp_socket name_connect; ') - + +######################################## +## +## Send and receive DCCP network traffic on generic reserved ports. @@ -5516,9 +5516,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Send and receive TCP network traffic on generic reserved ports. @@ -1645,6 +2166,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` - corenet_udp_receive_reserved_port($1) + corenet_udp_receive_reserved_port($1) ') - + +######################################## +## +## Bind DCCP sockets to generic reserved ports. @@ -5542,9 +5542,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Bind TCP sockets to generic reserved ports. @@ -1664,6 +2204,25 @@ interface(`corenet_tcp_bind_reserved_port',` - allow $1 self:capability net_bind_service; + allow $1 self:capability net_bind_service; ') - + +######################################## +## +## Bind SCTP sockets to all ports. @@ -5568,9 +5568,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Bind UDP sockets to generic reserved ports. @@ -1683,6 +2242,24 @@ interface(`corenet_udp_bind_reserved_port',` - allow $1 self:capability net_bind_service; + allow $1 self:capability net_bind_service; ') - + +######################################## +## +## Connect DCCP sockets to generic reserved ports. @@ -5593,9 +5593,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Connect TCP sockets to generic reserved ports. @@ -1701,6 +2278,24 @@ interface(`corenet_tcp_connect_reserved_port',` - allow $1 reserved_port_t:tcp_socket name_connect; + allow $1 reserved_port_t:tcp_socket name_connect; ') - + +######################################## +## +## Send and receive DCCP network traffic on all reserved ports. @@ -5618,9 +5618,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Send and receive TCP network traffic on all reserved ports. 
@@ -1716,12 +2311,300 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` - attribute reserved_port_type; - ') - + attribute reserved_port_type; + ') + - allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; + allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; +') @@ -5912,7 +5912,7 @@ index 07126bdcc..7ff70b2d8 100644 + + allow $1 reserved_port_type:dccp_socket name_connect; ') - + ######################################## ## -## Send UDP network traffic on all reserved ports. @@ -5926,14 +5926,14 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_udp_send_all_reserved_ports',` +interface(`corenet_tcp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - + gen_require(` + attribute reserved_port_type; + ') + - allow $1 reserved_port_type:udp_socket send_msg; + allow $1 reserved_port_type:tcp_socket name_connect; ') - + ######################################## ## -## Receive UDP network traffic on all reserved ports. @@ -5947,11 +5947,11 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_udp_receive_all_reserved_ports',` +interface(`corenet_dccp_connect_all_unreserved_ports',` - gen_require(` + gen_require(` - attribute reserved_port_type; + attribute unreserved_port_type; - ') - + ') + - allow $1 reserved_port_type:udp_socket recv_msg; + allow $1 unreserved_port_type:dccp_socket name_connect; +') @@ -5973,7 +5973,7 @@ index 07126bdcc..7ff70b2d8 100644 + + allow $1 unreserved_port_t:tcp_socket name_connect; ') - + ######################################## ## -## Send and receive UDP network traffic on all reserved ports. @@ -5995,7 +5995,7 @@ index 07126bdcc..7ff70b2d8 100644 + + allow $1 unreserved_port_type:tcp_socket name_connect; ') - + ######################################## ## -## Bind TCP sockets to all reserved ports. 
@@ -6009,16 +6009,16 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_tcp_bind_all_reserved_ports',` +interface(`corenet_tcp_connect_all_ephemeral_ports',` - gen_require(` + gen_require(` - attribute reserved_port_type; + attribute ephemeral_port_type; - ') - + ') + - allow $1 reserved_port_type:tcp_socket name_bind; - allow $1 self:capability net_bind_service; + allow $1 ephemeral_port_type:tcp_socket name_connect; ') - + ######################################## ## -## Do not audit attempts to bind TCP sockets to all reserved ports. @@ -6033,14 +6033,14 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` +interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - + gen_require(` + attribute reserved_port_type; + ') + - dontaudit $1 reserved_port_type:tcp_socket name_bind; + dontaudit $1 reserved_port_type:dccp_socket name_connect; ') - + ######################################## ## -## Bind UDP sockets to all reserved ports. @@ -6056,15 +6056,15 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_udp_bind_all_reserved_ports',` +interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - + gen_require(` + attribute reserved_port_type; + ') + - allow $1 reserved_port_type:udp_socket name_bind; - allow $1 self:capability net_bind_service; + dontaudit $1 reserved_port_type:tcp_socket name_connect; ') - + ######################################## ## -## Do not audit attempts to bind UDP sockets to all reserved ports. 
@@ -6079,15 +6079,15 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` +interface(`corenet_dccp_connect_all_rpc_ports',` - gen_require(` + gen_require(` - attribute reserved_port_type; + attribute rpc_port_type; - ') - + ') + - dontaudit $1 reserved_port_type:udp_socket name_bind; + allow $1 rpc_port_type:dccp_socket name_connect; ') - + ######################################## ## -## Bind TCP sockets to all ports > 1024. @@ -6101,15 +6101,15 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_tcp_bind_all_unreserved_ports',` +interface(`corenet_tcp_connect_all_rpc_ports',` - gen_require(` + gen_require(` - attribute unreserved_port_type; + attribute rpc_port_type; - ') - + ') + - allow $1 unreserved_port_type:tcp_socket name_bind; + allow $1 rpc_port_type:tcp_socket name_connect; ') - + ######################################## ## -## Bind UDP sockets to all ports > 1024. @@ -6125,15 +6125,15 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_udp_bind_all_unreserved_ports',` +interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` - gen_require(` + gen_require(` - attribute unreserved_port_type; + attribute rpc_port_type; - ') - + ') + - allow $1 unreserved_port_type:udp_socket name_bind; + dontaudit $1 rpc_port_type:dccp_socket name_connect; ') - + ######################################## ## -## Connect TCP sockets to reserved ports. @@ -6149,15 +6149,15 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_tcp_connect_all_reserved_ports',` +interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` - gen_require(` + gen_require(` - attribute reserved_port_type; + attribute rpc_port_type; - ') - + ') + - allow $1 reserved_port_type:tcp_socket name_connect; + dontaudit $1 rpc_port_type:tcp_socket name_connect; ') - + ######################################## ## -## Connect TCP sockets to all ports > 1024. 
@@ -6171,16 +6171,16 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_tcp_connect_all_unreserved_ports',` +interface(`corenet_sctp_bind_reserved_port',` - gen_require(` + gen_require(` - attribute unreserved_port_type; + type reserved_port_t; - ') - + ') + - allow $1 unreserved_port_type:tcp_socket name_connect; + allow $1 reserved_port_t:sctp_socket name_bind; + allow $1 self:capability net_bind_service; ') - + ######################################## ## -## Do not audit attempts to connect TCP sockets @@ -6195,16 +6195,16 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` +interface(`corenet_rw_tun_tap_dev',` - gen_require(` + gen_require(` - attribute reserved_port_type; + type tun_tap_device_t; - ') - + ') + - dontaudit $1 reserved_port_type:tcp_socket name_connect; + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ') - + ######################################## ## -## Connect TCP sockets to rpc ports. @@ -6219,15 +6219,15 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_tcp_connect_all_rpc_ports',` +interface(`corenet_relabel_tun_tap_dev',` - gen_require(` + gen_require(` - attribute rpc_port_type; + type tun_tap_device_t; - ') - + ') + - allow $1 rpc_port_type:tcp_socket name_connect; + relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t) ') - + ######################################## ## -## Do not audit attempts to connect TCP sockets @@ -6243,15 +6243,15 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` +interface(`corenet_rw_inherited_tun_tap_dev',` - gen_require(` + gen_require(` - attribute rpc_port_type; + type tun_tap_device_t; - ') - + ') + - dontaudit $1 rpc_port_type:tcp_socket name_connect; + allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms; ') - + ######################################## ## -## Read and write the TUN/TAP virtual network device. 
@@ -6266,21 +6266,21 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_rw_tun_tap_dev',` +interface(`corenet_sctp_connect_reserved_port',` - gen_require(` + gen_require(` - type tun_tap_device_t; + type reserved_port_t; - ') - + ') + - dev_list_all_dev_nodes($1) - allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; + allow $1 reserved_port_t:sctp_socket name_connect; ') - + ######################################## @@ -2047,6 +2951,25 @@ interface(`corenet_rw_ppp_dev',` - allow $1 ppp_device_t:chr_file rw_chr_file_perms; + allow $1 ppp_device_t:chr_file rw_chr_file_perms; ') - + +######################################## +## +## Bind DCCP sockets to all RPC ports. @@ -6304,9 +6304,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Bind TCP sockets to all RPC ports. @@ -2066,6 +2989,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` - allow $1 self:capability net_bind_service; + allow $1 self:capability net_bind_service; ') - + +######################################## +## +## Do not audit attempts to bind DCCP sockets to all RPC ports. @@ -6329,9 +6329,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attempts to bind TCP sockets to all RPC ports. @@ -2192,6 +3133,25 @@ interface(`corenet_tcp_recv_netlabel',` - corenet_tcp_recvfrom_netlabel($1) + corenet_tcp_recvfrom_netlabel($1) ') - + +######################################## +## +## Receive DCCP packets from a NetLabel connection. @@ -6355,7 +6355,7 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Receive TCP packets from a NetLabel connection. @@ -2213,7 +3173,7 @@ interface(`corenet_tcp_recvfrom_netlabel',` - + ######################################## ## -## Receive TCP packets from an unlabled connection. 
@@ -6375,15 +6375,15 @@ index 07126bdcc..7ff70b2d8 100644 + ') + + kernel_dccp_recvfrom_unlabeled($1) - kernel_recvfrom_unlabeled_peer($1) - + kernel_recvfrom_unlabeled_peer($1) + + typeattribute $1 corenet_unlabeled_type; - # XXX - at some point the oubound/send access check will be removed - # but for right now we need to keep this in place so as not to break - # older systems - kernel_sendrecv_unlabeled_association($1) + # XXX - at some point the oubound/send access check will be removed + # but for right now we need to keep this in place so as not to break + # older systems + kernel_sendrecv_unlabeled_association($1) ') - + +######################################## +## +## Do not audit attempts to bind SCTP sockets to all reserved ports. @@ -6406,9 +6406,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attempts to receive TCP packets from a NetLabel @@ -2247,6 +3230,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` - corenet_dontaudit_tcp_recvfrom_netlabel($1) + corenet_dontaudit_tcp_recvfrom_netlabel($1) ') - + +######################################## +## +## Do not audit attempts to receive DCCP packets from a NetLabel @@ -6433,9 +6433,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attempts to receive TCP packets from a NetLabel @@ -2267,6 +3270,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` - dontaudit $1 netlabel_peer_t:tcp_socket recvfrom; + dontaudit $1 netlabel_peer_t:tcp_socket recvfrom; ') - + +######################################## +## +## Do not audit attempts to receive DCCP packets from an unlabeled @@ -6461,9 +6461,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attempts to receive TCP packets from an unlabeled @@ -2342,6 +3366,24 @@ interface(`corenet_udp_recvfrom_unlabeled',` - kernel_sendrecv_unlabeled_association($1) + kernel_sendrecv_unlabeled_association($1) ') - + +######################################## +## +## Bind SCTP sockets to all ports > 1024. 
@@ -6486,7 +6486,7 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attempts to receive UDP packets from a NetLabel @@ -2471,22 +3513,40 @@ interface(`corenet_dontaudit_raw_recv_netlabel',` - + ######################################## ## -## Do not audit attempts to receive Raw IP packets from a NetLabel @@ -6522,16 +6522,16 @@ index 07126bdcc..7ff70b2d8 100644 # -interface(`corenet_dontaudit_raw_recvfrom_netlabel',` +interface(`corenet_sctp_connect_all_reserved_ports',` - gen_require(` + gen_require(` - type netlabel_peer_t; + attribute reserved_port_type; - ') - + ') + - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; + allow $1 reserved_port_type:sctp_socket name_connect; ') - + ######################################## @@ -2533,15 +3593,10 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## @@ -6551,16 +6551,16 @@ index 07126bdcc..7ff70b2d8 100644 + ') + typeattribute $1 corenet_unlabeled_type; ') - + ######################################## @@ -2567,11 +3622,34 @@ interface(`corenet_all_recvfrom_unlabeled',` # interface(`corenet_all_recvfrom_netlabel',` - gen_require(` + gen_require(` - type netlabel_peer_t; + attribute netlabel_peer_type; - ') - + ') + - allow $1 netlabel_peer_t:peer recv; - allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; + typeattribute $1 netlabel_peer_type; @@ -6589,20 +6589,20 @@ index 07126bdcc..7ff70b2d8 100644 + + kernel_sendrecv_unlabeled_association(corenet_unlabeled_type) ') - + ######################################## 
@@ -2585,6 +3663,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` + kernel_dontaudit_dccp_recvfrom_unlabeled($1) - kernel_dontaudit_tcp_recvfrom_unlabeled($1) - kernel_dontaudit_udp_recvfrom_unlabeled($1) - kernel_dontaudit_raw_recvfrom_unlabeled($1) + kernel_dontaudit_tcp_recvfrom_unlabeled($1) + kernel_dontaudit_udp_recvfrom_unlabeled($1) + kernel_dontaudit_raw_recvfrom_unlabeled($1) @@ -2596,6 +3675,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',` - kernel_dontaudit_sendrecv_unlabeled_association($1) + kernel_dontaudit_sendrecv_unlabeled_association($1) ') - + +######################################## +## +## Do not audit attempts to connect SCTP sockets @@ -6626,9 +6626,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Do not audit attempts to receive packets from a NetLabel @@ -2613,7 +3711,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` - ') - - dontaudit $1 netlabel_peer_t:peer recv; + ') + + dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; + dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; +') @@ -6660,20 +6660,20 @@ index 07126bdcc..7ff70b2d8 100644 + corenet_dccp_recvfrom_netlabel($1) + corenet_dccp_recvfrom_netlabel($2) ') - + ######################################## @@ -2727,6 +3853,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` + corenet_sctp_recvfrom_labeled($1, $2) - corenet_tcp_recvfrom_labeled($1, $2) - corenet_udp_recvfrom_labeled($1, $2) - corenet_raw_recvfrom_labeled($1, $2) + corenet_tcp_recvfrom_labeled($1, $2) + corenet_udp_recvfrom_labeled($1, $2) + corenet_raw_recvfrom_labeled($1, $2) 
@@ -2997,6 +4124,24 @@ interface(`corenet_send_all_server_packets',` - allow $1 server_packet_type:packet send; + allow $1 server_packet_type:packet send; ') - + +######################################## +## +## Receive SCTP packets from a NetLabel connection. @@ -6696,9 +6696,9 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Receive all server packets. @@ -3048,6 +4193,27 @@ interface(`corenet_relabelto_all_server_packets',` - allow $1 server_packet_type:packet relabelto; + allow $1 server_packet_type:packet relabelto; ') - + +######################################## +## +## Receive SCTP packets from an unlabled connection. @@ -6724,8 +6724,8 @@ index 07126bdcc..7ff70b2d8 100644 ## ## Send all packets. @@ -3134,3 +4300,216 @@ interface(`corenet_unconfined',` - - typeattribute $1 corenet_unconfined_type; + + typeattribute $1 corenet_unconfined_type; ') + +######################################## @@ -6945,9 +6945,9 @@ index 8e0f9cd14..2fe34db47 100644 --- a/policy/modules/kernel/corenetwork.if.m4 +++ b/policy/modules/kernel/corenetwork.if.m4 @@ -629,6 +629,26 @@ interface(`corenet_udp_bind_$1_port',` - $4 + $4 ') - + +######################################## +## +## Do not audit attempts to sbind to $1 port. @@ -6972,8 +6972,8 @@ index 8e0f9cd14..2fe34db47 100644 ## ## Make a TCP connection to the $1 port. @@ -646,6 +666,23 @@ interface(`corenet_tcp_connect_$1_port',` - - allow dollarsone $1_$2:tcp_socket name_connect; + + allow dollarsone $1_$2:tcp_socket name_connect; ') +######################################## +## @@ -6993,12 +6993,12 @@ index 8e0f9cd14..2fe34db47 100644 + dontaudit dollarsone $1_$2:tcp_socket name_connect; +') '') dnl end create_port_interfaces - + define(`create_packet_interfaces',`` @@ -776,6 +813,48 @@ interface(`corenet_relabelto_$1_packets',` ') '') dnl end create_port_interfaces - + +define(`create_ibpkey_interfaces',`` +######################################## +## @@ -7077,7 +7077,7 @@ index b191055f9..c89e45e64 100644 
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) # Declarations # - + +attribute netlabel_peer_type; attribute client_packet_type; # This is an optimization for { port_type -port_t } @@ -7093,10 +7093,10 @@ index b191055f9..c89e45e64 100644 +attribute ibendport_type; # This is an optimization for { port_type -reserved_port_type } attribute unreserved_port_type; - + attribute corenet_unconfined_type; +attribute corenet_unlabeled_type; - + type ppp_device_t; dev_node(ppp_device_t) @@ -29,12 +34,25 @@ dev_node(ppp_device_t) @@ -7104,12 +7104,12 @@ index b191055f9..c89e45e64 100644 type tun_tap_device_t; dev_node(tun_tap_device_t) +mls_trusted_object(tun_tap_device_t) - + ######################################## # # Ports and packets # - + +# +# client_packet_t is the default type of IPv4 and IPv6 client packets. +# @@ -7130,16 +7130,16 @@ index b191055f9..c89e45e64 100644 type netlabel_peer_t; sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) +mcs_constrained(netlabel_peer_t) - + # # port_t is the default type of INET port numbers. @@ -58,6 +77,12 @@ sid port gen_context(system_u:object_r:port_t,s0) # type unreserved_port_t, port_type, unreserved_port_type; - + +# +# ephemeral_port_t is the default type of ephemeral port numbers. -+# cat /proc/sys/net/ipv4/ip_local_port_range ++# cat /proc/sys/net/ipv4/ip_local_port_range +# +type ephemeral_port_t, port_type, ephemeral_port_type; + @@ -7161,7 +7161,7 @@ index b191055f9..c89e45e64 100644 -network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) -network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) +network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0) -+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) ++network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) +network_port(apc, tcp,3052,s0, udp,3052,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) network_port(apertus_ldp, tcp,539,s0, udp,539,s0) 
@@ -7474,10 +7474,10 @@ index b191055f9..c89e45e64 100644 +network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0) network_port(zented, tcp,1229,s0, udp,1229,s0) network_port(zope, tcp,8021,s0) - + # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. - + -portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) -portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) @@ -7493,11 +7493,11 @@ index b191055f9..c89e45e64 100644 +portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) +portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) +portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) - + ######################################## # @@ -333,6 +427,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) - + build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) +allow netlabel_peer_t lo_netif_t:netif ingress; @@ -7513,7 +7513,7 @@ index b191055f9..c89e45e64 100644 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; +allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect }; allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; - + # Bind to any network address. -allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; 
@@ -7528,7 +7528,7 @@ index b191055f9..c89e45e64 100644 + +# +# Rules coverning the use of unlabeled types -+# ++# +kernel_dccp_recvfrom_unlabeled(corenet_unlabeled_type) +kernel_tcp_recvfrom_unlabeled(corenet_unlabeled_type) +kernel_udp_recvfrom_unlabeled(corenet_unlabeled_type) @@ -7550,7 +7550,7 @@ index 3f6e16889..abd046c56 100644 @@ -86,6 +86,11 @@ define(`add_port_attribute',`dnl ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;') ') - + +define(`add_ephemeral_attribute',`dnl +ifelse(eval(range_start($3) >= 50000 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type; +',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl @@ -7566,7 +7566,7 @@ index 3f6e16889..abd046c56 100644 +ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl ') - + @@ -111,3 +117,29 @@ define(`network_packet',` type $1_client_packet_t, packet_type, client_packet_type; type $1_server_packet_t, packet_type, server_packet_type; @@ -7725,29 +7725,29 @@ index b31c05491..9bf0f8504 100644 /dev/winradio.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) - + /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) - + +/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) - + 
@@ -169,14 +205,21 @@ ifdef(`distro_suse', ` - + /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) - + +/dev/ss[0-9]+ -c gen_context(system_u:object_r:gpfs_device_t,s0) + /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) - + +/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0) + /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) - + +/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hypervvssd_device_t,s0) +/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hypervkvp_device_t,s0) + @@ -7757,7 +7757,7 @@ index b31c05491..9bf0f8504 100644 @@ -198,12 +241,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) - + -/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) - ifdef(`distro_redhat',` @@ -7789,9 +7789,9 @@ index 76f285ea6..39c574228 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` - type device_t; - ') - + type device_t; + ') + - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) - relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) @@ -7826,12 +7826,12 @@ index 76f285ea6..39c574228 100644 + + relabel_files_pattern($1, device_t, device_t) ') - + ######################################## 
@@ -207,6 +226,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',` - dontaudit $1 device_t:dir list_dir_perms; + dontaudit $1 device_t:dir list_dir_perms; ') - + +######################################## +## +## Dontaudit attempts to list all device nodes. @@ -7854,9 +7854,9 @@ index 76f285ea6..39c574228 100644 ## ## Add entries to directories in /dev. @@ -352,6 +389,24 @@ interface(`dev_read_generic_files',` - read_files_pattern($1, device_t, device_t) + read_files_pattern($1, device_t, device_t) ') - + +####################################### +## +## Read generic files in /dev. @@ -7879,9 +7879,9 @@ index 76f285ea6..39c574228 100644 ## ## Read and write generic files in /dev. @@ -460,6 +515,42 @@ interface(`dev_getattr_generic_blk_files',` - getattr_blk_files_pattern($1, device_t, device_t) + getattr_blk_files_pattern($1, device_t, device_t) ') - + +######################################## +## +## Rename generic block device nodes. @@ -7922,9 +7922,9 @@ index 76f285ea6..39c574228 100644 ## ## Dontaudit getattr on generic block devices. @@ -568,6 +659,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` - dontaudit $1 device_t:chr_file getattr; + dontaudit $1 device_t:chr_file getattr; ') - + +######################################## +## +## Rename generic character device nodes. @@ -7956,7 +7956,7 @@ index 76f285ea6..39c574228 100644 ## # @@ -733,7 +842,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` - + ######################################## ## -## Read symbolic links in device directories. @@ -7970,14 +7970,14 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_generic_symlinks',` +interface(`dev_create_generic_symlinks',` - gen_require(` - type device_t; - ') - + gen_require(` + type device_t; + ') + - allow $1 device_t:lnk_file read_lnk_file_perms; + create_lnk_files_pattern($1, device_t, device_t) ') - + ######################################## ## -## Create symbolic links in device directories. 
@@ -7991,14 +7991,14 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_create_generic_symlinks',` +interface(`dev_delete_generic_symlinks',` - gen_require(` - type device_t; - ') - + gen_require(` + type device_t; + ') + - create_lnk_files_pattern($1, device_t, device_t) + delete_lnk_files_pattern($1, device_t, device_t) ') - + ######################################## ## -## Delete symbolic links in device directories. @@ -8012,19 +8012,19 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_delete_generic_symlinks',` +interface(`dev_read_generic_symlinks',` - gen_require(` - type device_t; - ') - + gen_require(` + type device_t; + ') + - delete_lnk_files_pattern($1, device_t, device_t) + allow $1 device_t:lnk_file read_lnk_file_perms; ') - + ######################################## @@ -875,6 +984,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',` - dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; + dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl }; ') - + +######################################## +## +## Read block device files. @@ -8047,9 +8047,9 @@ index 76f285ea6..39c574228 100644 ## ## Create, delete, read, and write block device files. @@ -981,6 +1108,25 @@ interface(`dev_tmpfs_filetrans_dev',` - fs_tmpfs_filetrans($1, device_t, $2, $3) + fs_tmpfs_filetrans($1, device_t, $2, $3) ') - + +######################################## +## +## Allow getattr on all device nodes. @@ -8073,9 +8073,9 @@ index 76f285ea6..39c574228 100644 ## ## Getattr on all block file device nodes. @@ -1001,6 +1147,26 @@ interface(`dev_getattr_all_blk_files',` - getattr_blk_files_pattern($1, device_t, device_node) + getattr_blk_files_pattern($1, device_t, device_node) ') - + +######################################## +## +## Read on all block file device nodes. @@ -8101,16 +8101,16 @@ index 76f285ea6..39c574228 100644 ## Dontaudit getattr on all block file device nodes. 
@@ -1034,6 +1200,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` interface(`dev_getattr_all_chr_files',` - gen_require(` - attribute device_node; + gen_require(` + attribute device_node; + type device_t; - ') - - getattr_chr_files_pattern($1, device_t, device_node) + ') + + getattr_chr_files_pattern($1, device_t, device_node) @@ -1204,6 +1371,42 @@ interface(`dev_create_all_chr_files',` - create_chr_files_pattern($1, device_t, device_node) + create_chr_files_pattern($1, device_t, device_node) ') - + +######################################## +## +## rw all inherited character device files. @@ -8151,9 +8151,9 @@ index 76f285ea6..39c574228 100644 ## ## Delete all block device files. @@ -1558,25 +1761,6 @@ interface(`dev_relabel_autofs_dev',` - allow $1 autofs_device_t:chr_file relabel_chr_file_perms; + allow $1 autofs_device_t:chr_file relabel_chr_file_perms; ') - + -######################################## -## -## Read and write cachefiles character @@ -8177,9 +8177,9 @@ index 76f285ea6..39c574228 100644 ## ## Read and write the PCMCIA card manager device. @@ -1680,6 +1864,26 @@ interface(`dev_filetrans_cardmgr',` - filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2) + filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2) ') - + +######################################## +## +## Automatic type transition to the type @@ -8204,9 +8204,9 @@ index 76f285ea6..39c574228 100644 ## ## Get the attributes of the CPU @@ -1791,6 +1995,24 @@ interface(`dev_rw_crypto',` - rw_chr_files_pattern($1, device_t, crypt_device_t) + rw_chr_files_pattern($1, device_t, crypt_device_t) ') - + +######################################## +## +## Read and write the the ecrypt filesystem device. @@ -8229,7 +8229,7 @@ index 76f285ea6..39c574228 100644 ## ## Set the attributes of the dlm control devices. @@ -1865,7 +2087,7 @@ interface(`dev_setattr_dri_dev',` - + ######################################## ## -## Read and write the dri devices. 
@@ -8243,14 +8243,14 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_dri',` +interface(`dev_map_dri',` - gen_require(` - type device_t, dri_device_t; - ') - + gen_require(` + type device_t, dri_device_t; + ') + - rw_chr_files_pattern($1, device_t, dri_device_t) + allow $1 dri_device_t:chr_file map; ') - + ######################################## ## -## Dontaudit read and write on the dri devices. @@ -8265,16 +8265,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_rw_dri',` +interface(`dev_rw_dri',` - gen_require(` + gen_require(` - type dri_device_t; + type device_t, dri_device_t; - ') - + ') + - dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; + rw_chr_files_pattern($1, device_t, dri_device_t) + allow $1 dri_device_t:chr_file map; ') - + ######################################## ## -## Create, read, write, and delete the dri devices. @@ -8288,15 +8288,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_manage_dri_dev',` +interface(`dev_rw_inherited_dri',` - gen_require(` - type device_t, dri_device_t; - ') - + gen_require(` + type device_t, dri_device_t; + ') + - manage_chr_files_pattern($1, device_t, dri_device_t) + allow $1 device_t:dir search_dir_perms; + allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; ') - + ######################################## ## -## Automatic type transition to the type @@ -8354,9 +8354,9 @@ index 76f285ea6..39c574228 100644 ## ## @@ -2015,6 +2275,181 @@ interface(`dev_rw_input_dev',` - rw_chr_files_pattern($1, device_t, event_device_t) + rw_chr_files_pattern($1, device_t, event_device_t) ') - + +######################################## +## +## Read input event devices (/dev/input). @@ -8536,9 +8536,9 @@ index 76f285ea6..39c574228 100644 ## ## Get the attributes of the framebuffer device node. 
@@ -2124,6 +2559,24 @@ interface(`dev_write_framebuffer',` - write_chr_files_pattern($1, device_t, framebuf_device_t) + write_chr_files_pattern($1, device_t, framebuf_device_t) ') - + +######################################## +## +## Mmap the framebuffer. @@ -8561,7 +8561,7 @@ index 76f285ea6..39c574228 100644 ## ## Read and write the framebuffer. @@ -2402,7 +2855,7 @@ interface(`dev_filetrans_lirc',` - + ######################################## ## -## Get the attributes of the lvm comtrol device. @@ -8575,15 +8575,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_getattr_lvm_control',` +interface(`dev_getattr_loop_control',` - gen_require(` + gen_require(` - type device_t, lvm_control_t; + type device_t, loop_control_device_t; - ') - + ') + - getattr_chr_files_pattern($1, device_t, lvm_control_t) + getattr_chr_files_pattern($1, device_t, loop_control_device_t) ') - + ######################################## ## -## Read the lvm comtrol device. @@ -8597,15 +8597,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_lvm_control',` +interface(`dev_read_loop_control',` - gen_require(` + gen_require(` - type device_t, lvm_control_t; + type device_t, loop_control_device_t; - ') - + ') + - read_chr_files_pattern($1, device_t, lvm_control_t) + read_chr_files_pattern($1, device_t, loop_control_device_t) ') - + ######################################## ## -## Read and write the lvm control device. @@ -8619,15 +8619,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_lvm_control',` +interface(`dev_rw_loop_control',` - gen_require(` + gen_require(` - type device_t, lvm_control_t; + type device_t, loop_control_device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, lvm_control_t) + rw_chr_files_pattern($1, device_t, loop_control_device_t) ') - + ######################################## ## -## Do not audit attempts to read and write lvm control device. 
@@ -8641,15 +8641,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_rw_lvm_control',` +interface(`dev_dontaudit_rw_loop_control',` - gen_require(` + gen_require(` - type lvm_control_t; + type loop_control_device_t; - ') - + ') + - dontaudit $1 lvm_control_t:chr_file rw_file_perms; + dontaudit $1 loop_control_device_t:chr_file rw_file_perms; ') - + ######################################## ## -## Delete the lvm control device. @@ -8663,15 +8663,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_delete_lvm_control_dev',` +interface(`dev_delete_loop_control_dev',` - gen_require(` + gen_require(` - type device_t, lvm_control_t; + type device_t, loop_control_device_t; - ') - + ') + - delete_chr_files_pattern($1, device_t, lvm_control_t) + delete_chr_files_pattern($1, device_t, loop_control_device_t) ') - + ######################################## ## -## dontaudit getattr raw memory devices (e.g. /dev/mem). @@ -8686,15 +8686,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_getattr_memory_dev',` +interface(`dev_getattr_lvm_control',` - gen_require(` + gen_require(` - type memory_device_t; + type device_t, lvm_control_t; - ') - + ') + - dontaudit $1 memory_device_t:chr_file getattr; + getattr_chr_files_pattern($1, device_t, lvm_control_t) ') - + ######################################## ## -## Read raw memory devices (e.g. /dev/mem). @@ -8708,19 +8708,19 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_raw_memory',` +interface(`dev_read_lvm_control',` - gen_require(` + gen_require(` - type device_t, memory_device_t; - attribute memory_raw_read; + type device_t, lvm_control_t; - ') - + ') + - read_chr_files_pattern($1, device_t, memory_device_t) - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_read; + read_chr_files_pattern($1, device_t, lvm_control_t) ') - + ######################################## ## -## Do not audit attempts to read raw memory devices 
@@ -8736,15 +8736,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_read_raw_memory',` +interface(`dev_rw_lvm_control',` - gen_require(` + gen_require(` - type memory_device_t; + type device_t, lvm_control_t; - ') - + ') + - dontaudit $1 memory_device_t:chr_file read_chr_file_perms; + rw_chr_files_pattern($1, device_t, lvm_control_t) ') - + ######################################## ## -## Write raw memory devices (e.g. /dev/mem). @@ -8759,19 +8759,19 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_write_raw_memory',` +interface(`dev_dontaudit_rw_lvm_control',` - gen_require(` + gen_require(` - type device_t, memory_device_t; - attribute memory_raw_write; + type lvm_control_t; - ') - + ') + - write_chr_files_pattern($1, device_t, memory_device_t) - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_write; + dontaudit $1 lvm_control_t:chr_file rw_file_perms; ') - + ######################################## ## -## Read and execute raw memory devices (e.g. /dev/mem). @@ -8880,22 +8880,22 @@ index 76f285ea6..39c574228 100644 ## ## @@ -2587,7 +3131,7 @@ interface(`dev_rx_raw_memory',` - ') - - dev_read_raw_memory($1) + ') + + dev_read_raw_memory($1) - allow $1 memory_device_t:chr_file execute; + allow $1 memory_device_t:chr_file { map execute }; ') - + ######################################## @@ -2606,7 +3150,7 @@ interface(`dev_wx_raw_memory',` - ') - - dev_write_raw_memory($1) + ') + + dev_write_raw_memory($1) - allow $1 memory_device_t:chr_file execute; + allow $1 memory_device_t:chr_file { map execute }; ') - + ######################################## @@ -2725,7 +3269,7 @@ interface(`dev_write_misc',` ## @@ -8907,9 +8907,9 @@ index 76f285ea6..39c574228 100644 ## # @@ -2809,6 +3353,78 @@ interface(`dev_rw_modem',` - rw_chr_files_pattern($1, device_t, modem_device_t) + rw_chr_files_pattern($1, device_t, modem_device_t) ') - + +######################################## +## +## Get the attributes of the monitor devices. 
@@ -8986,7 +8986,7 @@ index 76f285ea6..39c574228 100644 ## ## Get the attributes of the mouse devices. @@ -2903,20 +3519,20 @@ interface(`dev_getattr_mtrr_dev',` - + ######################################## ## -## Read the memory type range @@ -9016,10 +9016,10 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_mtrr',` +interface(`dev_write_mtrr',` - refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') - dev_rw_mtrr($1) + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) ') - + ######################################## ## -## Write the memory type range @@ -9058,7 +9058,7 @@ index 76f285ea6..39c574228 100644 + dontaudit $1 mtrr_device_t:file write_file_perms; + dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ') - + ######################################## ## -## Do not audit attempts to write the memory type @@ -9072,10 +9072,10 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_write_mtrr',` +interface(`dev_dontaudit_read_mtrr',` - gen_require(` - type mtrr_device_t; - ') - + gen_require(` + type mtrr_device_t; + ') + - dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; + dontaudit $1 mtrr_device_t:file { open read }; @@ -9100,10 +9100,10 @@ index 76f285ea6..39c574228 100644 + read_files_pattern($1, device_t, mtrr_device_t) + read_chr_files_pattern($1, device_t, mtrr_device_t) ') - + ######################################## @@ -3144,44 +3770,43 @@ interface(`dev_create_null_dev',` - + ######################################## ## -## Do not audit attempts to get the attributes 
@@ -9119,15 +9119,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_getattr_nvram_dev',` +interface(`dev_service_status_null_dev',` - gen_require(` + gen_require(` - type nvram_device_t; + type null_device_t; - ') - + ') + - dontaudit $1 nvram_device_t:chr_file getattr; + allow $1 null_device_t:service status; ') - + ######################################## ## -## Read and write BIOS non-volatile RAM. @@ -9142,15 +9142,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_nvram',` +interface(`dev_config_null_dev_service',` - gen_require(` + gen_require(` - type nvram_device_t; + type null_device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, nvram_device_t) + allow $1 null_device_t:service manage_service_perms; ') - + ######################################## ## -## Get the attributes of the printer device nodes. @@ -9164,16 +9164,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_getattr_printer_dev',` +interface(`dev_read_nvme',` - gen_require(` + gen_require(` - type device_t, printer_device_t; + type nvme_device_t; - ') - + ') + - getattr_chr_files_pattern($1, device_t, printer_device_t) + read_chr_files_pattern($1, device_t, nvme_device_t) + read_blk_files_pattern($1, device_t, nvme_device_t) ') - + ######################################## ## -## Set the attributes of the printer device nodes. @@ -9187,16 +9187,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_setattr_printer_dev',` +interface(`dev_rw_nvme',` - gen_require(` + gen_require(` - type device_t, printer_device_t; + type nvme_device_t; - ') - + ') + - setattr_chr_files_pattern($1, device_t, printer_device_t) + rw_chr_files_pattern($1, device_t, nvme_device_t) + rw_blk_files_pattern($1, device_t, nvme_device_t) ') - + ######################################## ## -## Append the printer device. 
@@ -9213,15 +9213,15 @@ index 76f285ea6..39c574228 100644 -# cjp: added for lpd/checkpc_t -interface(`dev_append_printer',` +interface(`dev_dontaudit_getattr_nvram_dev',` - gen_require(` + gen_require(` - type device_t, printer_device_t; + type nvram_device_t; - ') - + ') + - append_chr_files_pattern($1, device_t, printer_device_t) + dontaudit $1 nvram_device_t:chr_file getattr; ') - + ######################################## ## -## Read and write the printer device. @@ -9235,15 +9235,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_printer',` +interface(`dev_read_nvram',` - gen_require(` + gen_require(` - type device_t, printer_device_t; + type nvram_device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, printer_device_t) + read_chr_files_pattern($1, device_t, nvram_device_t) ') - + ######################################## ## -## Read printk devices (e.g., /dev/kmsg /dev/mcelog) @@ -9257,15 +9257,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_printk',` +interface(`dev_rw_nvram',` - gen_require(` + gen_require(` - type device_t, printk_device_t; + type nvram_device_t; - ') - + ') + - read_chr_files_pattern($1, device_t, printk_device_t) + rw_chr_files_pattern($1, device_t, nvram_device_t) ') - + ######################################## ## -## Get the attributes of the QEMU @@ -9280,7 +9280,7 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_getattr_qemu_dev',` +interface(`dev_getattr_printer_dev',` - gen_require(` + gen_require(` - type device_t, qemu_device_t; + type device_t, printer_device_t; + ') @@ -9394,11 +9394,11 @@ index 76f285ea6..39c574228 100644 +interface(`dev_getattr_qemu_dev',` + gen_require(` + type device_t, qemu_device_t; - ') - - getattr_chr_files_pattern($1, device_t, qemu_device_t) + ') + + getattr_chr_files_pattern($1, device_t, qemu_device_t) @@ -3399,7 +4136,7 @@ interface(`dev_dontaudit_read_rand',` - + ######################################## ## -## Do not audit attempts to append to random 
@@ -9407,32 +9407,32 @@ index 76f285ea6..39c574228 100644 ## ## @@ -3413,7 +4150,7 @@ interface(`dev_dontaudit_append_rand',` - type random_device_t; - ') - + type random_device_t; + ') + - dontaudit $1 random_device_t:chr_file append_chr_file_perms; + dontaudit $1 random_device_t:chr_file { append }; ') - + ######################################## @@ -3633,6 +4370,7 @@ interface(`dev_read_sound',` - ') - - read_chr_files_pattern($1, device_t, sound_device_t) + ') + + read_chr_files_pattern($1, device_t, sound_device_t) + allow $1 sound_device_t:chr_file map; ') - + ######################################## @@ -3669,6 +4407,7 @@ interface(`dev_read_sound_mixer',` - ') - - read_chr_files_pattern($1, device_t, sound_device_t) + ') + + read_chr_files_pattern($1, device_t, sound_device_t) + allow $1 sound_device_t:chr_file map; ') - + ######################################## @@ -3855,7 +4594,7 @@ interface(`dev_getattr_sysfs_dirs',` - + ######################################## ## -## Search the sysfs directories. @@ -9446,14 +9446,14 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_search_sysfs',` +interface(`dev_setattr_sysfs_dirs',` - gen_require(` - type sysfs_t; - ') - + gen_require(` + type sysfs_t; + ') + - search_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:dir setattr_dir_perms; ') - + ######################################## ## -## Do not audit attempts to search sysfs. @@ -9468,14 +9468,14 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_search_sysfs',` +interface(`dev_getattr_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - + gen_require(` + type sysfs_t; + ') + - dontaudit $1 sysfs_t:dir search_dir_perms; + allow $1 sysfs_t:filesystem getattr; ') - + ######################################## ## -## List the contents of the sysfs directories. 
@@ -9490,14 +9490,14 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_list_sysfs',` +interface(`dev_mounton_sysfs',` - gen_require(` - type sysfs_t; - ') - + gen_require(` + type sysfs_t; + ') + - list_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:dir mounton; ') - + ######################################## ## -## Write in a sysfs directories. @@ -9513,14 +9513,14 @@ index 76f285ea6..39c574228 100644 -# cjp: added for cpuspeed -interface(`dev_write_sysfs_dirs',` +interface(`dev_dontaudit_mounton_sysfs',` - gen_require(` - type sysfs_t; - ') - + gen_require(` + type sysfs_t; + ') + - allow $1 sysfs_t:dir write; + dontaudit $1 sysfs_t:dir mounton; ') - + ######################################## ## -## Do not audit attempts to write in a sysfs directory. @@ -9535,14 +9535,14 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_write_sysfs_dirs',` +interface(`dev_mount_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - + gen_require(` + type sysfs_t; + ') + - dontaudit $1 sysfs_t:dir write; + allow $1 sysfs_t:filesystem mount; ') - + ######################################## ## -## Create, read, write, and delete sysfs @@ -9557,14 +9557,14 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_unmount_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - + gen_require(` + type sysfs_t; + ') + - manage_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:filesystem unmount; ') - + ######################################## ## -## Read hardware state information. 
@@ -9587,17 +9587,17 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_sysfs',` +interface(`dev_search_sysfs',` - gen_require(` - type sysfs_t; - ') - + gen_require(` + type sysfs_t; + ') + - read_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) + search_dirs_pattern($1, sysfs_t, sysfs_t) ') - + ######################################## ## -## Allow caller to modify hardware state information. @@ -9612,17 +9612,17 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_sysfs',` +interface(`dev_dontaudit_search_sysfs',` - gen_require(` - type sysfs_t; - ') - + gen_require(` + type sysfs_t; + ') + - rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) + dontaudit $1 sysfs_t:dir search_dir_perms; ') - + ######################################## ## -## Read and write the TPM device. @@ -9636,16 +9636,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_tpm',` +interface(`dev_list_sysfs',` - gen_require(` + gen_require(` - type device_t, tpm_device_t; + type sysfs_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, tpm_device_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + list_dirs_pattern($1, sysfs_t, sysfs_t) ') - + ######################################## ## -## Read from pseudo random number generator devices (e.g., /dev/urandom). @@ -9683,15 +9683,15 @@ index 76f285ea6..39c574228 100644 -interface(`dev_read_urand',` +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` - gen_require(` + gen_require(` - type device_t, urandom_device_t; + type sysfs_t; - ') - + ') + - read_chr_files_pattern($1, device_t, urandom_device_t) + allow $1 sysfs_t:dir write; ') - + ######################################## ## -## Do not audit attempts to read from pseudo 
@@ -9707,15 +9707,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_read_urand',` +interface(`dev_access_check_sysfs',` - gen_require(` + gen_require(` - type urandom_device_t; + type sysfs_t; - ') - + ') + - dontaudit $1 urandom_device_t:chr_file { getattr read }; + allow $1 sysfs_t:dir audit_access; ') - + ######################################## ## -## Write to the pseudo random device (e.g., /dev/urandom). This @@ -9731,15 +9731,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_write_urand',` +interface(`dev_dontaudit_write_sysfs_dirs',` - gen_require(` + gen_require(` - type device_t, urandom_device_t; + type sysfs_t; - ') - + ') + - write_chr_files_pattern($1, device_t, urandom_device_t) + dontaudit $1 sysfs_t:dir write; ') - + ######################################## ## -## Getattr generic the USB devices. @@ -9753,15 +9753,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_getattr_generic_usb_dev',` +interface(`dev_map_sysfs',` - gen_require(` + gen_require(` - type usb_device_t; + type sysfs_t; - ') - + ') + - getattr_chr_files_pattern($1, device_t, usb_device_t) + allow $1 sysfs_t:file map; ') - + + ######################################## ## @@ -9781,16 +9781,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_setattr_generic_usb_dev',` +interface(`dev_read_cpu_online',` - gen_require(` + gen_require(` - type usb_device_t; + type cpu_online_t; - ') - + ') + - setattr_chr_files_pattern($1, device_t, usb_device_t) + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) ') - + ######################################## ## -## Read generic the USB devices. 
@@ -9804,17 +9804,17 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_generic_usb_dev',` +interface(`dev_relabel_cpu_online',` - gen_require(` + gen_require(` - type usb_device_t; + type cpu_online_t; + type sysfs_t; - ') - + ') + - read_chr_files_pattern($1, device_t, usb_device_t) + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; ') - + + ######################################## ## @@ -9838,18 +9838,18 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_generic_usb_dev',` +interface(`dev_read_sysfs',` - gen_require(` + gen_require(` - type device_t, usb_device_t; + type sysfs_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, usb_device_t) + read_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) + + list_dirs_pattern($1, sysfs_t, sysfs_t) ') - + ######################################## ## -## Relabel generic the USB devices. @@ -10093,14 +10093,14 @@ index 76f285ea6..39c574228 100644 +## +# +interface(`dev_setattr_generic_usb_dev',` - gen_require(` - type usb_device_t; - ') - + gen_require(` + type usb_device_t; + ') + - relabel_chr_files_pattern($1, device_t, usb_device_t) + setattr_chr_files_pattern($1, device_t, usb_device_t) ') - + ######################################## ## -## Read USB monitor devices. @@ -10114,15 +10114,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_usbmon_dev',` +interface(`dev_read_generic_usb_dev',` - gen_require(` + gen_require(` - type device_t, usbmon_device_t; + type usb_device_t; - ') - + ') + - read_chr_files_pattern($1, device_t, usbmon_device_t) + read_chr_files_pattern($1, device_t, usb_device_t) ') - + ######################################## ## -## Write USB monitor devices. 
@@ -10136,15 +10136,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_write_usbmon_dev',` +interface(`dev_rw_generic_usb_dev',` - gen_require(` + gen_require(` - type device_t, usbmon_device_t; + type device_t, usb_device_t; - ') - + ') + - write_chr_files_pattern($1, device_t, usbmon_device_t) + rw_chr_files_pattern($1, device_t, usb_device_t) ') - + ######################################## ## -## Mount a usbfs filesystem. @@ -10677,15 +10677,15 @@ index 76f285ea6..39c574228 100644 +## +# +interface(`dev_rw_vfio_dev',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, vfio_device_t; - ') - + ') + - allow $1 usbfs_t:filesystem mount; + rw_chr_files_pattern($1, device_t, vfio_device_t) ') - + ######################################## ## -## Associate a file to a usbfs filesystem. @@ -10701,15 +10701,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_associate_usbfs',` +interface(`dev_rw_vhost',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, vhost_device_t; - ') - + ') + - allow $1 usbfs_t:filesystem associate; + rw_chr_files_pattern($1, device_t, vhost_device_t) ') - + ######################################## ## -## Get the attributes of a directory in the usb filesystem. @@ -10723,15 +10723,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_getattr_usbfs_dirs',` +interface(`dev_rw_inherited_vhost',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, vhost_device_t; - ') - + ') + - allow $1 usbfs_t:dir getattr_dir_perms; + allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; ') - + ######################################## ## -## Do not audit attempts to get the attributes 
@@ -10747,15 +10747,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_getattr_usbfs_dirs',` +interface(`dev_rw_vmware',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, vmware_device_t; - ') - + ') + - dontaudit $1 usbfs_t:dir getattr_dir_perms; + rw_chr_files_pattern($1, device_t, vmware_device_t) ') - + ######################################## ## -## Search the directory containing USB hardware information. @@ -10769,16 +10769,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_search_usbfs',` +interface(`dev_rwx_vmware',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, vmware_device_t; - ') - + ') + - search_dirs_pattern($1, usbfs_t, usbfs_t) + dev_rw_vmware($1) + allow $1 vmware_device_t:chr_file { map execute }; ') - + ######################################## ## -## Allow caller to get a list of usb hardware. @@ -10792,18 +10792,18 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_list_usbfs',` +interface(`dev_read_watchdog',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, watchdog_device_t; - ') - + ') + - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - getattr_files_pattern($1, usbfs_t, usbfs_t) - - list_dirs_pattern($1, usbfs_t, usbfs_t) + read_chr_files_pattern($1, device_t, watchdog_device_t) ') - + ######################################## ## -## Set the attributes of usbfs filesystem. @@ -10817,16 +10817,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_setattr_usbfs_files',` +interface(`dev_write_watchdog',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, watchdog_device_t; - ') - + ') + - setattr_files_pattern($1, usbfs_t, usbfs_t) - list_dirs_pattern($1, usbfs_t, usbfs_t) + write_chr_files_pattern($1, device_t, watchdog_device_t) ') - + ######################################## ## -## Read USB hardware information using 
@@ -10841,17 +10841,17 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_usbfs',` +interface(`dev_rw_watchdog',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, watchdog_device_t; - ') - + ') + - read_files_pattern($1, usbfs_t, usbfs_t) - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - list_dirs_pattern($1, usbfs_t, usbfs_t) + rw_chr_files_pattern($1, device_t, watchdog_device_t) ') - + ######################################## ## -## Allow caller to modify usb hardware configuration files. @@ -10865,17 +10865,17 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_usbfs',` +interface(`dev_rw_wireless',` - gen_require(` + gen_require(` - type usbfs_t; + type device_t, wireless_device_t; - ') - + ') + - list_dirs_pattern($1, usbfs_t, usbfs_t) - rw_files_pattern($1, usbfs_t, usbfs_t) - read_lnk_files_pattern($1, usbfs_t, usbfs_t) + rw_chr_files_pattern($1, device_t, wireless_device_t) ') - + ######################################## ## -## Get the attributes of video4linux devices. @@ -10889,15 +10889,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_getattr_video_dev',` +interface(`dev_rw_xen',` - gen_require(` + gen_require(` - type device_t, v4l_device_t; + type device_t, xen_device_t; - ') - + ') + - getattr_chr_files_pattern($1, device_t, v4l_device_t) + rw_chr_files_pattern($1, device_t, xen_device_t) ') - + -###################################### +######################################## ## @@ -10912,15 +10912,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_userio_dev',` +interface(`dev_manage_xen',` - gen_require(` + gen_require(` - type device_t, userio_device_t; + type device_t, xen_device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, userio_device_t) + manage_chr_files_pattern($1, device_t, xen_device_t) ') - + ######################################## ## -## Do not audit attempts to get the attributes 
@@ -10942,15 +10942,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_getattr_video_dev',` +interface(`dev_filetrans_xen',` - gen_require(` + gen_require(` - type v4l_device_t; + type device_t, xen_device_t; - ') - + ') + - dontaudit $1 v4l_device_t:chr_file getattr; + filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) ') - + ######################################## ## -## Set the attributes of video4linux device nodes. @@ -10964,15 +10964,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_setattr_video_dev',` +interface(`dev_getattr_xserver_misc_dev',` - gen_require(` + gen_require(` - type device_t, v4l_device_t; + type device_t, xserver_misc_device_t; - ') - + ') + - setattr_chr_files_pattern($1, device_t, v4l_device_t) + getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) ') - + ######################################## ## -## Do not audit attempts to set the attributes @@ -10988,15 +10988,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_dontaudit_setattr_video_dev',` +interface(`dev_setattr_xserver_misc_dev',` - gen_require(` + gen_require(` - type v4l_device_t; + type device_t, xserver_misc_device_t; - ') - + ') + - dontaudit $1 v4l_device_t:chr_file setattr; + setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) ') - + ######################################## ## -## Read the video4linux devices. @@ -11010,16 +11010,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_video_dev',` +interface(`dev_rw_xserver_misc',` - gen_require(` + gen_require(` - type device_t, v4l_device_t; + type device_t, xserver_misc_device_t; - ') - + ') + - read_chr_files_pattern($1, device_t, v4l_device_t) + rw_chr_files_pattern($1, device_t, xserver_misc_device_t) + allow $1 xserver_misc_device_t:chr_file map; ') - + ######################################## ## -## Write the video4linux devices. 
@@ -11034,15 +11034,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_write_video_dev',` +interface(`dev_dontaudit_leaked_xserver_misc',` - gen_require(` + gen_require(` - type device_t, v4l_device_t; + type xserver_misc_device_t; - ') - + ') + - write_chr_files_pattern($1, device_t, v4l_device_t) + dontaudit $1 xserver_misc_device_t:chr_file { read write }; ') - + ######################################## ## -## Allow read/write the vhost net device @@ -11056,17 +11056,17 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_vhost',` +interface(`dev_manage_xserver_misc',` - gen_require(` + gen_require(` - type device_t, vhost_device_t; + type device_t, xserver_misc_device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, vhost_device_t) + manage_chr_files_pattern($1, device_t, xserver_misc_device_t) + + dev_filetrans_xserver_named_dev($1) ') - + ######################################## ## -## Read and write VMWare devices. @@ -11080,15 +11080,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_vmware',` +interface(`dev_rw_zero',` - gen_require(` + gen_require(` - type device_t, vmware_device_t; + type device_t, zero_device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, vmware_device_t) + rw_chr_files_pattern($1, device_t, zero_device_t) ') - + ######################################## ## -## Read, write, and mmap VMWare devices. @@ -11102,17 +11102,17 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rwx_vmware',` +interface(`dev_rwx_zero',` - gen_require(` + gen_require(` - type device_t, vmware_device_t; + type zero_device_t; - ') - + ') + - dev_rw_vmware($1) - allow $1 vmware_device_t:chr_file execute; + dev_rw_zero($1) + allow $1 zero_device_t:chr_file { map execute }; ') - + ######################################## ## -## Read from watchdog devices. 
@@ -11126,16 +11126,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_read_watchdog',` +interface(`dev_execmod_zero',` - gen_require(` + gen_require(` - type device_t, watchdog_device_t; + type zero_device_t; - ') - + ') + - read_chr_files_pattern($1, device_t, watchdog_device_t) + dev_rw_zero($1) + allow $1 zero_device_t:chr_file execmod; ') - + ######################################## ## -## Write to watchdog devices. @@ -11149,15 +11149,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_write_watchdog',` +interface(`dev_create_zero_dev',` - gen_require(` + gen_require(` - type device_t, watchdog_device_t; + type device_t, zero_device_t; - ') - + ') + - write_chr_files_pattern($1, device_t, watchdog_device_t) + create_chr_files_pattern($1, device_t, zero_device_t) ') - + ######################################## ## -## Read and write the the wireless device. @@ -11171,15 +11171,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_wireless',` +interface(`dev_unconfined',` - gen_require(` + gen_require(` - type device_t, wireless_device_t; + attribute devices_unconfined_type; - ') - + ') + - rw_chr_files_pattern($1, device_t, wireless_device_t) + typeattribute $1 devices_unconfined_type; ') - + ######################################## ## -## Read and write Xen devices. @@ -11194,16 +11194,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_xen',` +interface(`dev_dontaudit_getattr_all',` - gen_require(` + gen_require(` - type device_t, xen_device_t; + attribute device_node; + type device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, xen_device_t) + dontaudit $1 { device_t device_node }:dir_file_class_set getattr; ') - + ######################################## ## -## Create, read, write, and delete Xen devices. 
@@ -11217,15 +11217,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_manage_xen',` +interface(`dev_getattr_mei',` - gen_require(` + gen_require(` - type device_t, xen_device_t; + type device_t, mei_device_t; - ') - + ') + - manage_chr_files_pattern($1, device_t, xen_device_t) + getattr_chr_files_pattern($1, device_t, mei_device_t) ') - + ######################################## ## -## Automatic type transition to the type @@ -11245,15 +11245,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_filetrans_xen',` +interface(`dev_read_mei',` - gen_require(` + gen_require(` - type device_t, xen_device_t; + type device_t, mei_device_t; - ') - + ') + - filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) + read_chr_files_pattern($1, device_t, mei_device_t) ') - + ######################################## ## -## Get the attributes of X server miscellaneous devices. @@ -11267,15 +11267,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_getattr_xserver_misc_dev',` +interface(`dev_rw_mei',` - gen_require(` + gen_require(` - type device_t, xserver_misc_device_t; + type device_t, mei_device_t; - ') - + ') + - getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, mei_device_t) ') - + ######################################## ## -## Set the attributes of X server miscellaneous devices. @@ -11289,15 +11289,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_setattr_xserver_misc_dev',` +interface(`dev_rw_uhid_dev',` - gen_require(` + gen_require(` - type device_t, xserver_misc_device_t; + type device_t, uhid_device_t; - ') - + ') + - setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, uhid_device_t) ') - + + ######################################## ## 
@@ -11312,15 +11312,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_xserver_misc',` +interface(`dev_rw_hypervkvp',` - gen_require(` + gen_require(` - type device_t, xserver_misc_device_t; + type device_t, hypervkvp_device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, hypervkvp_device_t) ') - + ######################################## ## -## Read and write to the zero device (/dev/zero). @@ -11334,15 +11334,15 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rw_zero',` +interface(`dev_read_gpfs',` - gen_require(` + gen_require(` - type device_t, zero_device_t; + type device_t, gpfs_device_t; - ') - + ') + - rw_chr_files_pattern($1, device_t, zero_device_t) + read_chr_files_pattern($1, device_t, gpfs_device_t) ') - + ######################################## ## -## Read, write, and execute the zero device (/dev/zero). @@ -11356,16 +11356,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_rwx_zero',` +interface(`dev_read_gpio',` - gen_require(` + gen_require(` - type zero_device_t; + type device_t, gpio_device_t; - ') - + ') + - dev_rw_zero($1) - allow $1 zero_device_t:chr_file execute; + read_chr_files_pattern($1, device_t, gpio_device_t) ') - + ######################################## ## -## Execmod the zero device (/dev/zero). @@ -11379,16 +11379,16 @@ index 76f285ea6..39c574228 100644 # -interface(`dev_execmod_zero',` +interface(`dev_rw_hypervvssd',` - gen_require(` + gen_require(` - type zero_device_t; + type device_t, hypervvssd_device_t; - ') - + ') + - dev_rw_zero($1) - allow $1 zero_device_t:chr_file execmod; + rw_chr_files_pattern($1, device_t, hypervvssd_device_t) ') - + ######################################## ## -## Create the zero device (/dev/zero). 
@@ -11404,11 +11404,11 @@ index 76f285ea6..39c574228 100644 -interface(`dev_create_zero_dev',` +interface(`dev_filetrans_printer_named_dev',` + - gen_require(` + gen_require(` - type device_t, zero_device_t; - ') + type printer_device_t; - + - create_chr_files_pattern($1, device_t, zero_device_t) + ') + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") @@ -11452,7 +11452,7 @@ index 76f285ea6..39c574228 100644 + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") ') - + ######################################## ## -## Unconfined access to devices. @@ -12340,13 +12340,13 @@ index 0b1a8715a..331978df5 100644 fs_type(device_t) fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); +dev_node(device_t) - + # # Type for /dev/agpgart @@ -43,9 +44,6 @@ type cardmgr_dev_t; dev_node(cardmgr_dev_t) files_tmp_file(cardmgr_dev_t) - + -type cachefiles_device_t; -dev_node(cachefiles_device_t) - @@ -12356,7 +12356,7 @@ index 0b1a8715a..331978df5 100644 @@ -65,6 +63,9 @@ dev_node(cpu_device_t) type crash_device_t; dev_node(crash_device_t) - + +type ecryptfs_device_t; +dev_node(ecryptfs_device_t) + @@ -12366,17 +12366,17 @@ index 0b1a8715a..331978df5 100644 @@ -78,6 +79,9 @@ dev_node(dlm_control_device_t) type dri_device_t; dev_node(dri_device_t) - + +type hsa_device_t; +dev_node(hsa_device_t) + type event_device_t; dev_node(event_device_t) - + @@ -87,12 +91,45 @@ dev_node(event_device_t) type framebuf_device_t; dev_node(framebuf_device_t) - + +# +# Type for hyperv devices +# @@ -12403,7 +12403,7 @@ index 0b1a8715a..331978df5 100644 # type ipmi_device_t; dev_node(ipmi_device_t) - + +# +# Type for /dev/infiniband +# @@ -12424,23 +12424,23 @@ index 0b1a8715a..331978df5 100644 type kvm_device_t; dev_node(kvm_device_t) +mls_trusted_object(kvm_device_t) - + # # Type for /dev/lirc 
@@ -118,6 +156,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) - + +# +# Type for /dev/mapper/control +# type loop_control_device_t; dev_node(loop_control_device_t) - + @@ -149,12 +190,24 @@ dev_node(misc_device_t) type modem_device_t; dev_node(modem_device_t) - + +# +# A general type for monitor devices. +# @@ -12452,7 +12452,7 @@ index 0b1a8715a..331978df5 100644 # type mouse_device_t; dev_node(mouse_device_t) - + +# +# Type for /dev/mptctl used to check RAID status. +# @@ -12465,7 +12465,7 @@ index 0b1a8715a..331978df5 100644 @@ -182,6 +235,19 @@ sid devnull gen_context(system_u:object_r:null_device_t,s0) type nvram_device_t; dev_node(nvram_device_t) - + +# +# Type for controller device nodes +# @@ -12485,7 +12485,7 @@ index 0b1a8715a..331978df5 100644 @@ -227,6 +293,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) - + +type cpu_online_t; +files_type(cpu_online_t) +dev_associate_sysfs(cpu_online_t) @@ -12496,7 +12496,7 @@ index 0b1a8715a..331978df5 100644 @@ -266,14 +336,30 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) - + +# +# uhid_device_t is the type for /dev/uhid +# @@ -12508,7 +12508,7 @@ index 0b1a8715a..331978df5 100644 + type v4l_device_t; dev_node(v4l_device_t) - + +type vsock_device_t; +dev_node(vsock_device_t) + @@ -12521,12 +12521,12 @@ index 0b1a8715a..331978df5 100644 type vhost_device_t; dev_node(vhost_device_t) +mls_trusted_object(vhost_device_t) - + # Type for vmware devices. type vmware_device_t; @@ -319,5 +405,6 @@ files_associate_tmp(device_node) # - + allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:{ blk_file chr_file } *; -allow devices_unconfined_type mtrr_device_t:file *; @@ -12538,9 +12538,9 @@ index 6a1e4d156..5fa83a2fb 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if 
@@ -76,33 +76,8 @@ interface(`domain_type',` - # start with basic domain - domain_base_type($1) - + # start with basic domain + domain_base_type($1) + - ifdef(`distro_redhat',` - optional_policy(` - unconfined_use_fds($1) @@ -12571,24 +12571,24 @@ index 6a1e4d156..5fa83a2fb 100644 + # Only way to get corenet_unlabeled packets disabled to work + corenet_all_recvfrom_unlabeled($1) ') - + ######################################## @@ -128,7 +103,7 @@ interface(`domain_entry_file',` - ') - - allow $1 $2:file entrypoint; + ') + + allow $1 $2:file entrypoint; - allow $1 $2:file { mmap_file_perms ioctl lock }; + allow $1 $2:file { mmap_exec_file_perms ioctl lock }; - - typeattribute $2 entry_type; - + + typeattribute $2 entry_type; + @@ -511,6 +486,26 @@ interface(`domain_signull_all_domains',` - allow $1 domain:process signull; + allow $1 domain:process signull; ') - + +######################################## +## -+## Do not audit attempts to send ++## Do not audit attempts to send +## signulls to all domains. +## +## @@ -12610,9 +12610,9 @@ index 6a1e4d156..5fa83a2fb 100644 ## ## Send a stop signal to all domains. @@ -569,6 +564,25 @@ interface(`domain_kill_all_domains',` - allow $1 self:capability kill; + allow $1 self:capability kill; ') - + +######################################## +## +## Destroy all domains semaphores @@ -12636,7 +12636,7 @@ index 6a1e4d156..5fa83a2fb 100644 ## ## Search the process state directory (/proc/pid) of all domains. @@ -631,7 +645,7 @@ interface(`domain_read_all_domains_state',` - + ######################################## ## -## Get the attributes of all domains of all domains. @@ -12654,9 +12654,9 @@ index 6a1e4d156..5fa83a2fb 100644 ## # @@ -1114,6 +1128,25 @@ interface(`domain_dontaudit_rw_all_key_sockets',` - dontaudit $1 domain:key_socket { read write }; + dontaudit $1 domain:key_socket { read write }; ') - + +######################################## +## +## Do not audit attempts to link 
@@ -12680,9 +12680,9 @@ index 6a1e4d156..5fa83a2fb 100644 ## ## Do not audit attempts to get the attributes @@ -1354,6 +1387,24 @@ interface(`domain_manage_all_entry_files',` - allow $1 entry_type:file manage_file_perms; + allow $1 entry_type:file manage_file_perms; ') - + +######################################## +## +## Relabel from domain types on files if a user managed to mislable @@ -12705,13 +12705,13 @@ index 6a1e4d156..5fa83a2fb 100644 ## ## Relabel to and from all entry point @@ -1390,7 +1441,7 @@ interface(`domain_mmap_all_entry_files',` - attribute entry_type; - ') - + attribute entry_type; + ') + - allow $1 entry_type:file mmap_file_perms; + allow $1 entry_type:file mmap_exec_file_perms; ') - + ######################################## @@ -1421,7 +1472,7 @@ interface(`domain_entry_file_spec_domtrans',` ## @@ -12732,9 +12732,9 @@ index 6a1e4d156..5fa83a2fb 100644 ## exploiting null deref bugs in the kernel. ## @@ -1506,6 +1557,24 @@ interface(`domain_unconfined_signal',` - allow $1 unconfined_domain_type:process signal; + allow $1 unconfined_domain_type:process signal; ') - + +######################################## +## +## Named Filetrans Domain. @@ -12757,9 +12757,9 @@ index 6a1e4d156..5fa83a2fb 100644 ## ## Unconfined access to domains. @@ -1530,4 +1599,63 @@ interface(`domain_unconfined',` - typeattribute $1 can_change_object_identity; - typeattribute $1 set_curr_context; - typeattribute $1 process_uncond_exempt; + typeattribute $1 can_change_object_identity; + typeattribute $1 set_curr_context; + typeattribute $1 process_uncond_exempt; + + mcs_process_set_categories($1) + @@ -12851,7 +12851,7 @@ index cf04cb509..d49f2f6da 100644 +## +# +gen_tunable(domain_kernel_load_modules, false) - + ## ##

## Control the ability to mmap a low area of the address space, @@ -12860,7 +12860,7 @@ index cf04cb509..d49f2f6da 100644 ##

##
gen_tunable(mmap_low_allowed, false) - + +## +##

+## Allow all domains write to kmsg_device, @@ -12879,7 +12879,7 @@ index cf04cb509..d49f2f6da 100644 # Mark process types as domains attribute domain; +attribute named_filetrans_domain; - + # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; @@ -86,23 +125,65 @@ neverallow ~{ domain unlabeled_t } *:process *; @@ -12900,24 +12900,24 @@ index cf04cb509..d49f2f6da 100644 kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) +kernel_dontaudit_search_debugfs(domain) - + # create child processes in the domain -allow domain self:process { fork sigchld }; +allow domain self:process { getcap fork getsched signal_perms }; - + # Use trusted objects in /dev +dev_read_cpu_online(domain) dev_rw_null(domain) dev_rw_zero(domain) term_use_controlling_term(domain) - + +# Allow all domains to read /dev/urandom. It is needed by all apps/services +# linked to libgcrypt. There is no harm to allow it by default. +dev_read_urand(domain) + # list the root directory files_list_root(domain) -+# allow all domains to search through base_file_type directory, since users ++# allow all domains to search through base_file_type directory, since users +# sometimes place labels within these directories. (samba_share_t) for example. +files_search_base_file_types(domain) + @@ -12946,20 +12946,20 @@ index cf04cb509..d49f2f6da 100644 + allow domain file_type:blk_file map; + allow domain file_type:chr_file map; +') - + ifdef(`hide_broken_symptoms',` - # This check is in the general socket + # This check is in the general socket @@ -120,9 +201,20 @@ tunable_policy(`global_ssp',` - dev_read_urand(domain) + dev_read_urand(domain) ') - + +optional_policy(` + afs_rw_cache(domain) +') + optional_policy(` - libs_use_ld_so(domain) - libs_use_shared_libs(domain) + libs_use_ld_so(domain) + libs_use_shared_libs(domain) + libs_read_lib_files(domain) +') + 
@@ -12968,27 +12968,27 @@ index cf04cb509..d49f2f6da 100644 + miscfiles_read_man_pages(domain) + miscfiles_read_fonts(domain) ') - + optional_policy(` @@ -133,6 +225,9 @@ optional_policy(` optional_policy(` - xserver_dontaudit_use_xdm_fds(domain) - xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_use_xdm_fds(domain) + xserver_dontaudit_rw_xdm_pipes(domain) + xserver_dontaudit_append_xdm_home_files(domain) + xserver_dontaudit_write_log(domain) + xserver_dontaudit_xdm_rw_stream_sockets(domain) ') - + ######################################## @@ -147,12 +242,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; - + +allow unconfined_domain_type domain:system all_system_perms; # Use descriptors and pipes created by any domain. allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; - + +allow unconfined_domain_type unconfined_domain_type:dbus send_msg; + # Act upon any other process. @@ -12997,13 +12997,13 @@ index cf04cb509..d49f2f6da 100644 +tunable_policy(`deny_ptrace',`',` + allow unconfined_domain_type domain:process ptrace; +') - + # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; @@ -166,5 +267,385 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; - + +corenet_filetrans_all_named_dev(named_filetrans_domain) + +dev_filetrans_all_named_dev(named_filetrans_domain) @@ -13396,7 +13396,7 @@ index b876c48ad..df5b188be 100644 /poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0) +/[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ') - + ifdef(`distro_suse',` @@ -27,7 +28,7 @@ ifdef(`distro_suse',` # 
@@ -13414,7 +13414,7 @@ index b876c48ad..df5b188be 100644 -/emul -d gen_context(system_u:object_r:usr_t,s0) +/emul gen_context(system_u:object_r:usr_t,s0) /emul/.* gen_context(system_u:object_r:usr_t,s0) - + # # /etc # @@ -13448,11 +13448,11 @@ index b876c48ad..df5b188be 100644 + +/ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0) +/ostree/deploy/rhel-atomic-host/deploy(/.*)? gen_context(system_u:object_r:system_conf_t,s0) - + /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) - + @@ -70,7 +80,10 @@ ifdef(`distro_suse',` - + /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -13460,13 +13460,13 @@ index b876c48ad..df5b188be 100644 +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) +/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0) + - + ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -78,10 +91,6 @@ ifdef(`distro_gentoo', ` /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') - + -ifdef(`distro_redhat',` -/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0) -') @@ -13485,13 +13485,13 @@ index b876c48ad..df5b188be 100644 HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) @@ -104,7 +115,7 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) - + # -# /lib(64)? +# /lib # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) - + @@ -125,10 +136,13 @@ ifdef(`distro_debian',` # # Mount points; do not relabel subdirectories, since 
@@ -13504,7 +13504,7 @@ index b876c48ad..df5b188be 100644 +/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) +/var/run/media/.* <> +/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0) - + # # /misc @@ -138,7 +152,7 @@ ifdef(`distro_debian',` @@ -13515,7 +13515,7 @@ index b876c48ad..df5b188be 100644 +/mnt(/[^/]*)? -l gen_context(system_u:object_r:mnt_t,s0) /mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) /mnt/[^/]*/.* <> - + @@ -150,10 +164,10 @@ ifdef(`distro_debian',` # # /opt @@ -13523,16 +13523,16 @@ index b876c48ad..df5b188be 100644 -/opt -d gen_context(system_u:object_r:usr_t,s0) +/opt gen_context(system_u:object_r:usr_t,s0) /opt/.* gen_context(system_u:object_r:usr_t,s0) - + -/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0) +/opt/(.*/)?var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) - + # # /proc @@ -161,6 +175,12 @@ ifdef(`distro_debian',` /proc -d <> /proc/.* <> - + +ifdef(`distro_redhat',` +/rhev -d gen_context(system_u:object_r:mnt_t,s0) +/rhev(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) @@ -13545,7 +13545,7 @@ index b876c48ad..df5b188be 100644 @@ -169,6 +189,7 @@ ifdef(`distro_debian',` /run/.*\.*pid <> /run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) - + +/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0) # # /selinux @@ -13557,7 +13557,7 @@ index b876c48ad..df5b188be 100644 -/srv -d gen_context(system_u:object_r:var_t,s0) +/srv gen_context(system_u:object_r:var_t,s0) /srv/.* gen_context(system_u:object_r:var_t,s0) - + # # /tmp # @@ -13566,7 +13566,7 @@ index b876c48ad..df5b188be 100644 +/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /tmp/.* <> /tmp/\.journal <> - + @@ -194,9 +216,11 @@ ifdef(`distro_debian',` # # /usr 
@@ -13577,13 +13577,13 @@ index b876c48ad..df5b188be 100644 /usr/\.journal <> +/export(/.*)? gen_context(system_u:object_r:usr_t,s0) +/ostree(/.*)? gen_context(system_u:object_r:usr_t,s0) - + /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) - + @@ -204,15 +228,9 @@ ifdef(`distro_debian',` - + /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) - + -/usr/local/\.journal <> - -/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -13594,12 +13594,12 @@ index b876c48ad..df5b188be 100644 /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/lost\+found/.* <> +/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) - + /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) - + @@ -220,8 +238,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> - + ifndef(`distro_redhat',` -/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) - @@ -13614,18 +13614,18 @@ index b876c48ad..df5b188be 100644 +/var gen_context(system_u:object_r:var_t,s0) /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> - + -/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) +/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0) - + /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - + +/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) + /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) - + /var/lib/nfs/rpc_pipefs(/.*)? <> - + -/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) +/var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/stickshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -13640,7 +13640,7 @@ index b876c48ad..df5b188be 100644 +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) +/var/lock/.* <> - + /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> 
@@ -256,12 +286,14 @@ ifndef(`distro_redhat',` @@ -13648,10 +13648,10 @@ index b876c48ad..df5b188be 100644 /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> +/var/run/lock/.* <> - + /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) - + /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) +/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) @@ -13673,7 +13673,7 @@ index f962f76ad..4a8ce9c4b 100644 @@ -19,6 +19,136 @@ ## Comains the file initial SID. ## - + +##################################### +##

+## files stub etc_t interface. No access allowed. @@ -13816,9 +13816,9 @@ index f962f76ad..4a8ce9c4b 100644 ##
  • files_tmpfs_file()
  • ##
  • logging_log_file()
  • @@ -125,44 +256,59 @@ interface(`files_security_file',` - typeattribute $1 file_type, security_file_type, non_auth_file_type; + typeattribute $1 file_type, security_file_type, non_auth_file_type; ') - + + ######################################## ## @@ -13835,16 +13835,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_lock_file',` +interface(`files_mountpoint',` - gen_require(` + gen_require(` - attribute lockfile; + attribute mountpoint; - ') - - files_type($1) + ') + + files_type($1) - typeattribute $1 lockfile; + typeattribute $1 mountpoint; ') - + ######################################## ## -## Make the specified type usable for @@ -13877,20 +13877,20 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_mountpoint',` +interface(`files_mountpoint_filetrans',` - gen_require(` - attribute mountpoint; - ') - + gen_require(` + attribute mountpoint; + ') + - files_type($1) - typeattribute $1 mountpoint; + filetrans_pattern($1, mountpoint, $2, $3, $4) ') - + ######################################## @@ -185,6 +331,26 @@ interface(`files_security_mountpoint',` - typeattribute $1 mountpoint; + typeattribute $1 mountpoint; ') - + +######################################## +## +## Make the specified type usable for @@ -13915,18 +13915,18 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Make the specified type usable for @@ -521,7 +687,7 @@ interface(`files_mounton_non_security',` - attribute non_security_file_type; - ') - + attribute non_security_file_type; + ') + - allow $1 non_security_file_type:dir mounton; + allow $1 non_security_file_type:dir { write setattr mounton }; - allow $1 non_security_file_type:file mounton; + allow $1 non_security_file_type:file mounton; ') - + @@ -543,6 +709,24 @@ interface(`files_write_non_security_dirs',` - allow $1 non_security_file_type:dir write; + allow $1 non_security_file_type:dir write; ') - + +######################################## +## +## Allow attempts to setattr any directory 
@@ -13949,9 +13949,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Allow attempts to manage non-security directories @@ -580,6 +764,42 @@ interface(`files_getattr_all_files',` - getattr_lnk_files_pattern($1, file_type, file_type) + getattr_lnk_files_pattern($1, file_type, file_type) ') - + +######################################## +## +## Get the attributes of all chr files. @@ -13992,9 +13992,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Do not audit attempts to get the attributes @@ -618,6 +838,63 @@ interface(`files_dontaudit_getattr_non_security_files',` - dontaudit $1 non_security_file_type:file getattr; + dontaudit $1 non_security_file_type:file getattr; ') - + +######################################## +## +## Do not audit attempts to search @@ -14056,14 +14056,14 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Read all files. @@ -683,129 +960,261 @@ interface(`files_read_non_security_files',` - attribute non_security_file_type; - ') - + attribute non_security_file_type; + ') + + list_dirs_pattern($1, non_security_file_type, non_security_file_type) - read_files_pattern($1, non_security_file_type, non_security_file_type) - read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) + read_files_pattern($1, non_security_file_type, non_security_file_type) + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') - + ######################################## ## -## Read all directories on the filesystem, except @@ -14085,15 +14085,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_all_dirs_except',` +interface(`files_map_non_security_files',` - gen_require(` + gen_require(` - attribute file_type; + attribute non_security_file_type; - ') - + ') + - allow $1 { file_type $2 }:dir list_dir_perms; + allow $1 non_security_file_type:file map; ') - + ######################################## ## -## Read all files on the filesystem, except 
@@ -14115,15 +14115,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_all_files_except',` +interface(`files_rw_inherited_non_security_files',` - gen_require(` + gen_require(` - attribute file_type; + attribute non_security_file_type; - ') - + ') + - read_files_pattern($1, { file_type $2 }, { file_type $2 }) + allow $1 non_security_file_type:file { read write }; ') - + ######################################## ## -## Read all symbolic links on the filesystem, except @@ -14145,16 +14145,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_all_symlinks_except',` +interface(`files_manage_non_security_files',` - gen_require(` + gen_require(` - attribute file_type; + attribute non_security_file_type; - ') - + ') + - read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + manage_files_pattern($1, non_security_file_type, non_security_file_type) + manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type) ') - + ######################################## ## -## Get the attributes of all symbolic links. @@ -14169,11 +14169,11 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_getattr_all_symlinks',` +interface(`files_relabel_non_security_files',` - gen_require(` + gen_require(` - attribute file_type; + attribute non_security_file_type; - ') - + ') + - getattr_lnk_files_pattern($1, file_type, file_type) + relabel_files_pattern($1, non_security_file_type, non_security_file_type) + allow $1 { non_security_file_type }:dir list_dir_perms; @@ -14188,7 +14188,7 @@ index f962f76ad..4a8ce9c4b 100644 + # satisfy the assertions: + seutil_relabelto_bin_policy($1) ') - + ######################################## ## -## Do not audit attempts to get the attributes 
@@ -14204,15 +14204,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_getattr_all_symlinks',` +interface(`files_search_base_file_types',` - gen_require(` + gen_require(` - attribute file_type; + attribute base_file_type; - ') - + ') + - dontaudit $1 file_type:lnk_file getattr; + allow $1 base_file_type:dir search_dir_perms; ') - + ######################################## ## -## Do not audit attempts to read all symbolic links. @@ -14363,9 +14363,9 @@ index f962f76ad..4a8ce9c4b 100644 ## # @@ -951,6 +1360,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` - dontaudit $1 non_security_file_type:fifo_file getattr; + dontaudit $1 non_security_file_type:fifo_file getattr; ') - + +######################################## +## +## Do not audit attempts to read/write @@ -14389,9 +14389,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Get the attributes of all named sockets. @@ -989,6 +1417,44 @@ interface(`files_dontaudit_getattr_all_sockets',` - dontaudit $1 file_type:sock_file getattr; + dontaudit $1 file_type:sock_file getattr; ') - + +######################################## +## +## Do not audit attempts to read @@ -14434,22 +14434,22 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Do not audit attempts to get the attributes 
@@ -1073,10 +1539,8 @@ interface(`files_relabel_all_files',` - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - # this is only relabelfrom since there should be no - # device nodes with file types. - relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) + + # satisfy the assertions: + seutil_relabelto_bin_policy($1) @@ -1180,24 +1644,6 @@ interface(`files_list_all',` - allow $1 file_type:dir list_dir_perms; + allow $1 file_type:dir list_dir_perms; ') - + -######################################## -## -## Create all files as is. @@ -14472,19 +14472,19 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Do not audit attempts to search the @@ -1443,9 +1889,6 @@ interface(`files_relabel_non_auth_files',` - # device nodes with file types. - relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) - relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) + # device nodes with file types. + relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) + relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) ') - + ############################################# 
@@ -1599,6 +2042,24 @@ interface(`files_setattr_all_mountpoints',` - allow $1 mountpoint:dir setattr; + allow $1 mountpoint:dir setattr; ') - + +######################################## +## +## Set the attributes of all mount points. @@ -14507,9 +14507,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Do not audit attempts to set the attributes on all mount points. @@ -1689,6 +2150,24 @@ interface(`files_dontaudit_list_all_mountpoints',` - dontaudit $1 mountpoint:dir list_dir_perms; + dontaudit $1 mountpoint:dir list_dir_perms; ') - + +######################################## +## +## Write all mount points. @@ -14532,14 +14532,14 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Do not audit attempts to write to mount points. @@ -1703,80 +2182,172 @@ interface(`files_dontaudit_write_all_mountpoints',` - gen_require(` - attribute mountpoint; - ') + gen_require(` + attribute mountpoint; + ') + dontaudit $1 self:capability { dac_read_search dac_override }; - - dontaudit $1 mountpoint:dir write; + + dontaudit $1 mountpoint:dir write; ') - + ######################################## ## -## List the contents of the root directory. @@ -14554,16 +14554,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_list_root',` +interface(`files_dontaudit_unmount_all_mountpoints',` - gen_require(` + gen_require(` - type root_t; + attribute mountpoint; - ') - + ') + - allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; + dontaudit $1 mountpoint:filesystem unmount; ') - + ######################################## ## -## Do not audit attempts to write to / dirs. 
@@ -14578,15 +14578,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_write_root_dirs',` +interface(`files_read_all_mountpoint_symlinks',` - gen_require(` + gen_require(` - type root_t; + attribute mountpoint; - ') - + ') + - dontaudit $1 root_t:dir write; + allow $1 mountpoint:lnk_file read_lnk_file_perms; ') - + -################### +######################################## ## @@ -14603,15 +14603,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_rw_root_dir',` +interface(`files_write_all_dirs',` - gen_require(` + gen_require(` - type root_t; + attribute file_type; - ') - + ') + - dontaudit $1 root_t:dir rw_dir_perms; + allow $1 file_type:dir write; ') - + ######################################## ## -## Create an object in the root directory, with a private @@ -14693,7 +14693,7 @@ index f962f76ad..4a8ce9c4b 100644 + +######################################## +## -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## access on root directory. +## +## @@ -14729,7 +14729,7 @@ index f962f76ad..4a8ce9c4b 100644 ## ## @@ -1892,25 +2463,25 @@ interface(`files_delete_root_dir_entry',` - + ######################################## ## -## Associate to root file system. @@ -14745,14 +14745,14 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_associate_rootfs',` +interface(`files_setattr_root_dirs',` - gen_require(` - type root_t; - ') - + gen_require(` + type root_t; + ') + - allow $1 root_t:filesystem associate; + allow $1 root_t:dir setattr_dir_perms; ') - + ######################################## ## -## Relabel to and from rootfs file system. @@ -14761,18 +14761,18 @@ index f962f76ad..4a8ce9c4b 100644 ## ## @@ -1923,7 +2494,7 @@ interface(`files_relabel_rootfs',` - type root_t; - ') - + type root_t; + ') + - allow $1 root_t:filesystem { relabelto relabelfrom }; + allow $1 root_t:filesystem relabel_file_perms; ') - + ######################################## 
@@ -1944,6 +2515,42 @@ interface(`files_unmount_rootfs',` - allow $1 root_t:filesystem unmount; + allow $1 root_t:filesystem unmount; ') - + +######################################## +## +## Mount a filesystem on the root file system @@ -14813,9 +14813,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Get attributes of the /boot directory. @@ -2143,6 +2750,23 @@ interface(`files_read_boot_files',` - read_files_pattern($1, boot_t, boot_t) + read_files_pattern($1, boot_t, boot_t) ') - + +###################################### +## +## Map files in the /boot. @@ -14837,9 +14837,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Create, read, write, and delete files @@ -2181,6 +2805,24 @@ interface(`files_relabelfrom_boot_files',` - relabelfrom_files_pattern($1, boot_t, boot_t) + relabelfrom_files_pattern($1, boot_t, boot_t) ') - + +######################################## +## +## Relabel to files in the /boot directory. @@ -14862,9 +14862,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Read symbolic links in the /boot directory. @@ -2555,6 +3197,24 @@ interface(`files_read_default_pipes',` - allow $1 default_t:fifo_file read_fifo_file_perms; + allow $1 default_t:fifo_file read_fifo_file_perms; ') - + +######################################## +## +## Mounton directories on filesystem /etc. @@ -14887,9 +14887,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Search the contents of /etc directories. @@ -2645,6 +3305,24 @@ interface(`files_rw_etc_dirs',` - allow $1 etc_t:dir rw_dir_perms; + allow $1 etc_t:dir rw_dir_perms; ') - + +####################################### +## +## Dontaudit remove dir /etc directories. @@ -14912,12 +14912,12 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Manage generic directories in /etc 
@@ -2716,6 +3394,7 @@ interface(`files_read_etc_files',` - allow $1 etc_t:dir list_dir_perms; - read_files_pattern($1, etc_t, etc_t) - read_lnk_files_pattern($1, etc_t, etc_t) + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) + files_read_etc_runtime_files($1) ') - + ######################################## @@ -2724,7 +3403,7 @@ interface(`files_read_etc_files',` ## @@ -14929,12 +14929,12 @@ index f962f76ad..4a8ce9c4b 100644 ## # @@ -2778,6 +3457,25 @@ interface(`files_manage_etc_files',` - read_lnk_files_pattern($1, etc_t, etc_t) + read_lnk_files_pattern($1, etc_t, etc_t) ') - + +######################################## +## -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## access on etc files +## +## @@ -14955,9 +14955,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Delete system configuration files in /etc. @@ -2796,6 +3494,24 @@ interface(`files_delete_etc_files',` - delete_files_pattern($1, etc_t, etc_t) + delete_files_pattern($1, etc_t, etc_t) ') - + +######################################## +## +## Remove entries from the etc directory. @@ -14980,9 +14980,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Execute generic files in /etc. @@ -2961,24 +3677,6 @@ interface(`files_delete_boot_flag',` - delete_files_pattern($1, root_t, etc_runtime_t) + delete_files_pattern($1, root_t, etc_runtime_t) ') - + -######################################## -## -## Do not audit attempts to set the attributes of the etc_runtime files @@ -15005,7 +15005,7 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Read files in /etc that are dynamically @@ -3021,9 +3719,7 @@ interface(`files_read_etc_runtime_files',` - + ######################################## ## -## Do not audit attempts to read files 
@@ -15021,14 +15021,14 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_read_etc_runtime_files',` +interface(`files_dontaudit_setattr_etc_runtime_files',` - gen_require(` - type etc_runtime_t; - ') - + gen_require(` + type etc_runtime_t; + ') + - dontaudit $1 etc_runtime_t:file { getattr read }; + dontaudit $1 etc_runtime_t:file setattr; ') - + ######################################## ## -## Do not audit attempts to write @@ -15038,9 +15038,9 @@ index f962f76ad..4a8ce9c4b 100644 ## ## @@ -3058,6 +3753,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` - dontaudit $1 etc_runtime_t:file write; + dontaudit $1 etc_runtime_t:file write; ') - + +######################################## +## +## Do not audit attempts to read files @@ -15065,25 +15065,25 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Read and write files in /etc that are dynamically @@ -3077,6 +3792,7 @@ interface(`files_rw_etc_runtime_files',` - - allow $1 etc_t:dir list_dir_perms; - rw_files_pattern($1, etc_t, etc_runtime_t) + + allow $1 etc_t:dir list_dir_perms; + rw_files_pattern($1, etc_t, etc_runtime_t) + read_lnk_files_pattern($1, etc_t, etc_t) ') - + ######################################## @@ -3098,6 +3814,7 @@ interface(`files_manage_etc_runtime_files',` - ') - - manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) + ') + + manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) + read_lnk_files_pattern($1, etc_t, etc_runtime_t) ') - + ######################################## @@ -3142,10 +3859,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; + ') @@ -15105,8 +15105,8 @@ index f962f76ad..4a8ce9c4b 100644 +interface(`files_getattr_isid_type',` + gen_require(` + type unlabeled_t; - ') - + ') + - allow $1 file_t:dir getattr; + allow $1 unlabeled_t:dir_file_class_set getattr; +') 
@@ -15129,51 +15129,51 @@ index f962f76ad..4a8ce9c4b 100644 + + allow $1 unlabeled_t:dir setattr; ') - + ######################################## @@ -3161,10 +3916,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - dontaudit $1 file_t:dir search_dir_perms; + dontaudit $1 unlabeled_t:dir search_dir_perms; ') - + ######################################## @@ -3180,10 +3935,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - allow $1 file_t:dir list_dir_perms; + allow $1 unlabeled_t:dir list_dir_perms; ') - + ######################################## @@ -3199,10 +3954,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - allow $1 file_t:dir rw_dir_perms; + allow $1 unlabeled_t:dir rw_dir_perms; ') - + ######################################## @@ -3218,10 +3973,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; + ') @@ -15232,30 +15232,30 @@ index f962f76ad..4a8ce9c4b 100644 +interface(`files_relabelfrom_isid_type',` + gen_require(` + type unlabeled_t; - ') - + ') + - delete_dirs_pattern($1, file_t, file_t) + dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom; ') - + ######################################## @@ -3237,10 +4048,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - allow $1 file_t:dir manage_dir_perms; + allow $1 unlabeled_t:dir manage_dir_perms; ') - + ######################################## 
@@ -3256,10 +4067,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; + ') @@ -15265,7 +15265,7 @@ index f962f76ad..4a8ce9c4b 100644 + +######################################## +## -+## Mount a filesystem on a new chr_file ++## Mount a filesystem on a new chr_file +## that has not yet been labeled. +## +## @@ -15277,147 +15277,147 @@ index f962f76ad..4a8ce9c4b 100644 +interface(`files_mounton_isid_type_chr_file',` + gen_require(` + type unlabeled_t; - ') - + ') + - allow $1 file_t:dir { search_dir_perms mounton }; + allow $1 unlabeled_t:chr_file mounton; ') - + ######################################## @@ -3275,10 +4105,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - allow $1 file_t:file read_file_perms; + allow $1 unlabeled_t:file read_file_perms; ') - + ######################################## @@ -3294,10 +4124,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - delete_files_pattern($1, file_t, file_t) + delete_files_pattern($1, unlabeled_t, unlabeled_t) ') - + ######################################## @@ -3313,10 +4143,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - delete_lnk_files_pattern($1, file_t, file_t) + delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ') - + ######################################## 
@@ -3332,10 +4162,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - delete_fifo_files_pattern($1, file_t, file_t) + delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t) ') - + ######################################## @@ -3351,10 +4181,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - delete_sock_files_pattern($1, file_t, file_t) + delete_sock_files_pattern($1, unlabeled_t, unlabeled_t) ') - + ######################################## @@ -3370,10 +4200,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - delete_blk_files_pattern($1, file_t, file_t) + delete_blk_files_pattern($1, unlabeled_t, unlabeled_t) ') - + ######################################## @@ -3389,10 +4219,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - dontaudit $1 file_t:chr_file write; + dontaudit $1 unlabeled_t:chr_file write; ') - + ######################################## @@ -3408,10 +4238,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - delete_chr_files_pattern($1, file_t, file_t) + delete_chr_files_pattern($1, unlabeled_t, unlabeled_t) ') - + ######################################## 
@@ -3427,10 +4257,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - allow $1 file_t:file manage_file_perms; + allow $1 unlabeled_t:file manage_file_perms; ') - + ######################################## @@ -3446,10 +4276,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - allow $1 file_t:lnk_file manage_lnk_file_perms; + allow $1 unlabeled_t:lnk_file manage_lnk_file_perms; ') - + ######################################## @@ -3465,10 +4295,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; + ') @@ -15439,46 +15439,46 @@ index f962f76ad..4a8ce9c4b 100644 +interface(`files_rw_inherited_isid_type_files',` + gen_require(` + type unlabeled_t; - ') - + ') + - allow $1 file_t:blk_file rw_blk_file_perms; + allow $1 unlabeled_t:file rw_inherited_file_perms; ') - + ######################################## @@ -3484,10 +4333,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - allow $1 file_t:blk_file manage_blk_file_perms; + allow $1 unlabeled_t:blk_file manage_blk_file_perms; ') - + ######################################## @@ -3503,10 +4352,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` - gen_require(` + gen_require(` - type file_t; + type unlabeled_t; - ') - + ') + - allow $1 file_t:chr_file manage_chr_file_perms; + allow $1 unlabeled_t:chr_file manage_chr_file_perms; ') - + ######################################## 
@@ -3550,6 +4399,43 @@ interface(`files_dontaudit_getattr_home_dir',` - dontaudit $1 home_root_t:lnk_file getattr; + dontaudit $1 home_root_t:lnk_file getattr; ') - + +######################################## +## -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## access on home root directory. +## +## @@ -15517,7 +15517,7 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Search home directories root (/home). @@ -3814,20 +4700,38 @@ interface(`files_list_mnt',` - + ###################################### ## -## Do not audit attempts to list the contents of /mnt. @@ -15539,7 +15539,7 @@ index f962f76ad..4a8ce9c4b 100644 + +######################################## +## -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## write access on mnt files ## ## @@ -15551,19 +15551,19 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_list_mnt',` +interface(`files_dontaudit_access_check_mnt',` - gen_require(` - type mnt_t; - ') + gen_require(` + type mnt_t; + ') - - dontaudit $1 mnt_t:dir list_dir_perms; + dontaudit $1 mnt_t:dir_file_class_set audit_access; ') - + ######################################## @@ -3921,6 +4825,45 @@ interface(`files_read_mnt_symlinks',` - read_lnk_files_pattern($1, mnt_t, mnt_t) + read_lnk_files_pattern($1, mnt_t, mnt_t) ') - + + +######################################## +## @@ -15607,17 +15607,17 @@ index f962f76ad..4a8ce9c4b 100644 ## ## Create, read, write, and delete symbolic links in /mnt. @@ -4012,6 +4955,7 @@ interface(`files_read_kernel_modules',` - allow $1 modules_object_t:dir list_dir_perms; - read_files_pattern($1, modules_object_t, modules_object_t) - read_lnk_files_pattern($1, modules_object_t, modules_object_t) + allow $1 modules_object_t:dir list_dir_perms; + read_files_pattern($1, modules_object_t, modules_object_t) + read_lnk_files_pattern($1, modules_object_t, modules_object_t) + ') - + ######################################## 
@@ -4217,174 +5161,235 @@ interface(`files_read_world_readable_sockets',` - allow $1 readable_t:sock_file read_sock_file_perms; + allow $1 readable_t:sock_file read_sock_file_perms; ') - + -######################################## +####################################### ## @@ -15644,13 +15644,13 @@ index f962f76ad..4a8ce9c4b 100644 + gen_require(` + type etc_t, system_conf_t; + ') - + - allow $1 tmp_t:filesystem associate; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) ') - + -######################################## +###################################### ## @@ -15674,12 +15674,12 @@ index f962f76ad..4a8ce9c4b 100644 + gen_require(` + type etc_t, system_conf_t; + ') - + - allow $1 tmp_t:dir getattr; + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + files_filetrans_system_conf_named_files($1) ') - + -######################################## +##################################### ## @@ -15704,7 +15704,7 @@ index f962f76ad..4a8ce9c4b 100644 + gen_require(` + type etc_t, system_conf_t, usr_t; + ') - + - dontaudit $1 tmp_t:dir getattr; + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") @@ -15727,7 +15727,7 @@ index f962f76ad..4a8ce9c4b 100644 + filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d") + filetrans_pattern($1, usr_t, system_conf_t, dir, "repo") ') - + -######################################## +###################################### ## @@ -15751,11 +15751,11 @@ index f962f76ad..4a8ce9c4b 100644 + gen_require(` + type usr_t; + ') - + - allow $1 tmp_t:dir search_dir_perms; + relabelto_files_pattern($1, system_conf_t, system_conf_t) ') - + -######################################## +###################################### ## 
@@ -15779,11 +15779,11 @@ index f962f76ad..4a8ce9c4b 100644 + gen_require(` + type usr_t; + ') - + - dontaudit $1 tmp_t:dir search_dir_perms; + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) ') - + -######################################## +################################### ## @@ -15808,11 +15808,11 @@ index f962f76ad..4a8ce9c4b 100644 + gen_require(` + type etc_t, system_conf_t; + ') - + - allow $1 tmp_t:dir list_dir_perms; + filetrans_pattern($1, etc_t, system_conf_t, file) ') - + -######################################## +###################################### ## @@ -15836,12 +15836,12 @@ index f962f76ad..4a8ce9c4b 100644 + gen_require(` + type var_lib_t, system_db_t; + ') - + - dontaudit $1 tmp_t:dir list_dir_perms; + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) ') - + -######################################## +###################################### ## @@ -15895,14 +15895,14 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_delete_tmp_dir_entry',` +interface(`files_associate_tmp',` - gen_require(` - type tmp_t; - ') - + gen_require(` + type tmp_t; + ') + - allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:filesystem associate; ') - + ######################################## ## -## Read files in the tmp directory (/tmp). @@ -15920,15 +15920,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_generic_tmp_files',` +interface(`files_associate_rootfs',` - gen_require(` + gen_require(` - type tmp_t; + type root_t; - ') - + ') + - read_files_pattern($1, tmp_t, tmp_t) + allow $1 root_t:filesystem associate; ') - + ######################################## ## -## Manage temporary directories in /tmp. 
@@ -15942,19 +15942,19 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_generic_tmp_dirs',` +interface(`files_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - + gen_require(` + type tmp_t; + ') + - manage_dirs_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') - + ######################################## ## -## Manage temporary files and directories in /tmp. -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## access on tmp files ## ## @@ -15966,15 +15966,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_generic_tmp_files',` +interface(`files_dontaudit_access_check_tmp',` - gen_require(` + gen_require(` - type tmp_t; + type etc_t; - ') - + ') + - manage_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; ') - + ######################################## ## -## Read symbolic links in the tmp directory (/tmp). @@ -15990,14 +15990,14 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - + gen_require(` + type tmp_t; + ') + - read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir getattr; ') - + ######################################## ## -## Read and write generic named sockets in the tmp directory (/tmp). @@ -16011,16 +16011,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_rw_generic_tmp_sockets',` +interface(`files_search_tmp',` - gen_require(` - type tmp_t; - ') - + gen_require(` + type tmp_t; + ') + - rw_sock_files_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; ') - + ######################################## ## -## Set the attributes of all tmp directories. 
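Review bot: In `files_dontaudit_access_check_tmp` inside the `@@ -15966,15 +15966,15 @@` hunk, the inner patch's `gen_require` declares `type etc_t;` while the only rule in the body is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the type the rule actually uses is never required and `etc_t` is required for nothing. This commit only re-indents those lines, so the mismatch is carried over unchanged into the new side of the patch. A module that calls this interface without already requiring `tmp_t` would presumably either fail to build or lose the dontaudit, depending on how undeclared types are resolved at link time; worth confirming against the policy build. The fix is a single line on the inner `+` side: `type tmp_t;` in place of `type etc_t;`.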
@@ -16035,15 +16035,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_setattr_all_tmp_dirs',` +interface(`files_dontaudit_search_tmp',` - gen_require(` + gen_require(` - attribute tmpfile; + type tmp_t; - ') - + ') + - allow $1 tmpfile:dir { search_dir_perms setattr }; + dontaudit $1 tmp_t:dir search_dir_perms; ') - + ######################################## ## -## List all tmp directories. @@ -16057,16 +16057,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_list_all_tmp',` +interface(`files_list_tmp',` - gen_require(` + gen_require(` - attribute tmpfile; + type tmp_t; - ') - + ') + - allow $1 tmpfile:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; ') - + ######################################## ## -## Relabel to and from all temporary @@ -16083,17 +16083,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_relabel_all_tmp_dirs',` +interface(`files_dontaudit_list_tmp',` - gen_require(` + gen_require(` - attribute tmpfile; - type var_t; + type tmp_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - relabel_dirs_pattern($1, tmpfile, tmpfile) + dontaudit $1 tmp_t:dir list_dir_perms; ') - + -######################################## +####################################### ## @@ -16118,12 +16118,12 @@ index f962f76ad..4a8ce9c4b 100644 + gen_require(` + type tmp_t; + ') - + - dontaudit $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; ') - + ######################################## ## -## Allow attempts to get the attributes @@ -16138,16 +16138,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_getattr_all_tmp_files',` +interface(`files_delete_tmp_dir_entry',` - gen_require(` + gen_require(` - attribute tmpfile; + type tmp_t; - ') - + ') + - allow $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir del_entry_dir_perms; ') - + ######################################## ## -## Relabel to and from all temporary 
@@ -16163,17 +16163,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_relabel_all_tmp_files',` +interface(`files_read_generic_tmp_files',` - gen_require(` + gen_require(` - attribute tmpfile; - type var_t; + type tmp_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - relabel_files_pattern($1, tmpfile, tmpfile) + read_files_pattern($1, tmp_t, tmp_t) ') - + ######################################## ## -## Do not audit attempts to get the attributes @@ -16189,15 +16189,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_getattr_all_tmp_sockets',` +interface(`files_manage_generic_tmp_dirs',` - gen_require(` + gen_require(` - attribute tmpfile; + type tmp_t; - ') - + ') + - dontaudit $1 tmpfile:sock_file getattr; + manage_dirs_pattern($1, tmp_t, tmp_t) ') - + ######################################## ## -## Read all tmp files. @@ -16219,14 +16219,14 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_all_tmp_files',` +interface(`files_execmod_tmp',` - gen_require(` - attribute tmpfile; - ') - + gen_require(` + attribute tmpfile; + ') + - read_files_pattern($1, tmpfile, tmpfile) + allow $1 tmpfile:file execmod; ') - + ######################################## ## -## Create an object in the tmp directories, with a private @@ -16256,14 +16256,14 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_tmp_filetrans',` +interface(`files_manage_generic_tmp_files',` - gen_require(` - type tmp_t; - ') - + gen_require(` + type tmp_t; + ') + - filetrans_pattern($1, tmp_t, $2, $3, $4) + manage_files_pattern($1, tmp_t, tmp_t) ') - + ######################################## ## -## Delete the contents of /tmp. 
@@ -16277,11 +16277,11 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_purge_tmp',` +interface(`files_read_generic_tmp_symlinks',` - gen_require(` + gen_require(` - attribute tmpfile; + type tmp_t; - ') - + ') + - allow $1 tmpfile:dir list_dir_perms; - delete_dirs_pattern($1, tmpfile, tmpfile) - delete_files_pattern($1, tmpfile, tmpfile) @@ -16290,7 +16290,7 @@ index f962f76ad..4a8ce9c4b 100644 - delete_sock_files_pattern($1, tmpfile, tmpfile) + read_lnk_files_pattern($1, tmp_t, tmp_t) ') - + ######################################## ## -## Set the attributes of the /usr directory. @@ -16304,15 +16304,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_setattr_usr_dirs',` +interface(`files_rw_generic_tmp_sockets',` - gen_require(` + gen_require(` - type usr_t; + type tmp_t; - ') - + ') + - allow $1 usr_t:dir setattr; + rw_sock_files_pattern($1, tmp_t, tmp_t) ') - + ######################################## ## -## Search the content of /usr. @@ -16326,15 +16326,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_search_usr',` +interface(`files_relabelfrom_tmp_dirs',` - gen_require(` + gen_require(` - type usr_t; + type tmp_t; - ') - + ') + - allow $1 usr_t:dir search_dir_perms; + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') - + ######################################## ## -## List the contents of generic @@ -16349,15 +16349,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_list_usr',` +interface(`files_relabelfrom_tmp_files',` - gen_require(` + gen_require(` - type usr_t; + type tmp_t; - ') - + ') + - allow $1 usr_t:dir list_dir_perms; + relabelfrom_files_pattern($1, tmp_t, tmp_t) ') - + ######################################## ## -## Do not audit write of /usr dirs 
@@ -16372,15 +16372,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_write_usr_dirs',` +interface(`files_setattr_all_tmp_dirs',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - dontaudit $1 usr_t:dir write; + allow $1 tmpfile:dir { search_dir_perms setattr }; ') - + ######################################## ## -## Add and remove entries from /usr directories. @@ -16394,15 +16394,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_rw_usr_dirs',` +interface(`files_read_inherited_tmp_files',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - allow $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file { append open read_inherited_file_perms }; ') - + ######################################## ## -## Do not audit attempts to add and remove @@ -16418,15 +16418,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_rw_usr_dirs',` +interface(`files_append_inherited_tmp_files',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - dontaudit $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file append_inherited_file_perms; ') - + ######################################## ## -## Delete generic directories in /usr in the caller domain. @@ -16440,15 +16440,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_delete_usr_dirs',` +interface(`files_rw_inherited_tmp_file',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - delete_dirs_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; ') - + ######################################## ## -## Delete generic files in /usr in the caller domain. 
@@ -16462,15 +16462,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_delete_usr_files',` +interface(`files_list_all_tmp',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - delete_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:dir list_dir_perms; ') - + ######################################## ## -## Get the attributes of files in /usr. @@ -16486,17 +16486,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_getattr_usr_files',` +interface(`files_relabel_all_tmp_dirs',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; + type var_t; - ') - + ') + - getattr_files_pattern($1, usr_t, usr_t) + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) ') - + ######################################## ## -## Read generic files in /usr. @@ -16530,17 +16530,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_usr_files',` +interface(`files_dontaudit_getattr_all_tmp_files',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:file getattr; ') - + ######################################## ## -## Execute generic programs in /usr in the caller domain. @@ -16555,17 +16555,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_exec_usr_files',` +interface(`files_getattr_all_tmp_files',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - allow $1 usr_t:dir list_dir_perms; - exec_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file getattr; ') - + ######################################## ## -## dontaudit write of /usr files 
@@ -16582,17 +16582,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_write_usr_files',` +interface(`files_relabel_all_tmp_files',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; + type var_t; - ') - + ') + - dontaudit $1 usr_t:file write; + allow $1 var_t:dir search_dir_perms; + relabel_files_pattern($1, tmpfile, tmpfile) ') - + ######################################## ## -## Create, read, write, and delete files in the /usr directory. @@ -16608,15 +16608,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_usr_files',` +interface(`files_dontaudit_getattr_all_tmp_sockets',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - manage_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:sock_file getattr; ') - + ######################################## ## -## Relabel a file to the type used in /usr. @@ -16630,15 +16630,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_relabelto_usr_files',` +interface(`files_read_all_tmp_files',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - relabelto_files_pattern($1, usr_t, usr_t) + read_files_pattern($1, tmpfile, tmpfile) ') - + ######################################## ## -## Relabel a file from the type used in /usr. @@ -16654,15 +16654,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_relabelfrom_usr_files',` +interface(`files_dontaudit_tmp_file_leaks',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - relabelfrom_files_pattern($1, usr_t, usr_t) + dontaudit $1 tmpfile:file rw_inherited_file_perms; ') - + ######################################## ## -## Read symbolic links in /usr. 
@@ -16678,15 +16678,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_usr_symlinks',` +interface(`files_rw_tmp_file_leaks',` - gen_require(` + gen_require(` - type usr_t; + attribute tmpfile; - ') - + ') + - read_lnk_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; ') - + ######################################## ## -## Create objects in the /usr directory @@ -16719,15 +16719,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_usr_filetrans',` +interface(`files_tmp_filetrans',` - gen_require(` + gen_require(` - type usr_t; + type tmp_t; - ') - + ') + - filetrans_pattern($1, usr_t, $2, $3, $4) + filetrans_pattern($1, tmp_t, $2, $3, $4) ') - + ######################################## ## -## Do not audit attempts to search /usr/src. @@ -16742,11 +16742,11 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_search_src',` +interface(`files_purge_tmp',` - gen_require(` + gen_require(` - type src_t; + attribute tmpfile; - ') - + ') + - dontaudit $1 src_t:dir search_dir_perms; + allow $1 tmpfile:dir list_dir_perms; + delete_dirs_pattern($1, tmpfile, tmpfile) @@ -16765,7 +16765,7 @@ index f962f76ad..4a8ce9c4b 100644 + files_delete_isid_type_blk_files($1) + files_delete_isid_type_chr_files($1) ') - + ######################################## ## -## Get the attributes of files in /usr/src. @@ -16779,18 +16779,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_getattr_usr_src_files',` +interface(`files_setattr_usr_dirs',` - gen_require(` + gen_require(` - type usr_t, src_t; + type usr_t; - ') - + ') + - getattr_files_pattern($1, src_t, src_t) - - # /usr/src/linux symlink: - read_lnk_files_pattern($1, usr_t, src_t) + allow $1 usr_t:dir setattr; ') - + ######################################## ## -## Read files in /usr/src. 
@@ -16804,17 +16804,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_usr_src_files',` +interface(`files_search_usr',` - gen_require(` + gen_require(` - type usr_t, src_t; + type usr_t; - ') - - allow $1 usr_t:dir search_dir_perms; + ') + + allow $1 usr_t:dir search_dir_perms; - read_files_pattern($1, { usr_t src_t }, src_t) - read_lnk_files_pattern($1, { usr_t src_t }, src_t) - allow $1 src_t:dir list_dir_perms; ') - + ######################################## ## -## Execute programs in /usr/src in the caller domain. @@ -16829,17 +16829,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_exec_usr_src_files',` +interface(`files_list_usr',` - gen_require(` + gen_require(` - type usr_t, src_t; + type usr_t; - ') - + ') + - list_dirs_pattern($1, usr_t, src_t) - exec_files_pattern($1, src_t, src_t) - read_lnk_files_pattern($1, src_t, src_t) + allow $1 usr_t:dir list_dir_perms; ') - + ######################################## ## -## Install a system.map into the /boot directory. @@ -16854,16 +16854,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_create_kernel_symbol_table',` +interface(`files_dontaudit_write_usr_dirs',` - gen_require(` + gen_require(` - type boot_t, system_map_t; + type usr_t; - ') - + ') + - allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; - allow $1 system_map_t:file { create_file_perms rw_file_perms }; + dontaudit $1 usr_t:dir write; ') - + ######################################## ## -## Read system.map in the /boot directory. @@ -16877,16 +16877,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_kernel_symbol_table',` +interface(`files_rw_usr_dirs',` - gen_require(` + gen_require(` - type boot_t, system_map_t; + type usr_t; - ') - + ') + - allow $1 boot_t:dir list_dir_perms; - read_files_pattern($1, boot_t, system_map_t) + allow $1 usr_t:dir rw_dir_perms; ') - + ######################################## ## -## Delete a system.map in the /boot directory. 
@@ -16902,16 +16902,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_delete_kernel_symbol_table',` +interface(`files_dontaudit_rw_usr_dirs',` - gen_require(` + gen_require(` - type boot_t, system_map_t; + type usr_t; - ') - + ') + - allow $1 boot_t:dir list_dir_perms; - delete_files_pattern($1, boot_t, system_map_t) + dontaudit $1 usr_t:dir rw_dir_perms; ') - + ######################################## ## -## Search the contents of /var. @@ -16925,15 +16925,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_search_var',` +interface(`files_delete_usr_dirs',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## Do not audit attempts to write to /var. @@ -16948,15 +16948,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_write_var_dirs',` +interface(`files_delete_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - dontaudit $1 var_t:dir write; + delete_files_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## Allow attempts to write to /var.dirs @@ -16970,15 +16970,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_write_var_dirs',` +interface(`files_mmap_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - allow $1 var_t:dir write; + allow $1 usr_t:file map; ') - + ######################################## ## -## Do not audit attempts to search @@ -16994,15 +16994,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_search_var',` +interface(`files_getattr_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - dontaudit $1 var_t:dir search_dir_perms; + getattr_files_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## List the contents of /var. 
@@ -17034,17 +17034,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_list_var',` +interface(`files_read_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - allow $1 var_t:dir list_dir_perms; + allow $1 usr_t:dir list_dir_perms; + read_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## Create, read, write, and delete directories @@ -17077,17 +17077,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_var_files',` +interface(`files_exec_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - read_files_pattern($1, var_t, var_t) + allow $1 usr_t:dir list_dir_perms; + exec_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## Append files in the /var directory. @@ -17102,15 +17102,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_append_var_files',` +interface(`files_dontaudit_write_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - append_files_pattern($1, var_t, var_t) + dontaudit $1 usr_t:file write; ') - + ######################################## ## -## Read and write files in the /var directory. @@ -17143,15 +17143,15 @@ index f962f76ad..4a8ce9c4b 100644 -# -interface(`files_dontaudit_rw_var_files',` +interface(`files_manage_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - dontaudit $1 var_t:file rw_file_perms; + manage_files_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## Create, read, write, and delete files in the /var directory. 
@@ -17165,15 +17165,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_var_files',` +interface(`files_relabelto_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - manage_files_pattern($1, var_t, var_t) + relabelto_files_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## Read symbolic links in the /var directory. @@ -17187,15 +17187,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_var_symlinks',` +interface(`files_relabelfrom_usr_files',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - read_lnk_files_pattern($1, var_t, var_t) + relabelfrom_files_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## Create, read, write, and delete symbolic @@ -17210,15 +17210,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_var_symlinks',` +interface(`files_read_usr_symlinks',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - manage_lnk_files_pattern($1, var_t, var_t) + read_lnk_files_pattern($1, usr_t, usr_t) ') - + ######################################## ## -## Create objects in the /var directory @@ -17232,15 +17232,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_var_filetrans',` +interface(`files_usr_filetrans',` - gen_require(` + gen_require(` - type var_t; + type usr_t; - ') - + ') + - filetrans_pattern($1, var_t, $2, $3, $4) + filetrans_pattern($1, usr_t, $2, $3, $4) ') - + ######################################## ## -## Get the attributes of the /var/lib directory. @@ -17255,15 +17255,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_getattr_var_lib_dirs',` +interface(`files_dontaudit_search_src',` - gen_require(` + gen_require(` - type var_t, var_lib_t; + type src_t; - ') - + ') + - getattr_dirs_pattern($1, var_t, var_lib_t) + dontaudit $1 src_t:dir search_dir_perms; ') - + ######################################## ## -## Search the /var/lib directory. 
@@ -17291,18 +17291,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_search_var_lib',` +interface(`files_getattr_usr_src_files',` - gen_require(` + gen_require(` - type var_t, var_lib_t; + type usr_t, src_t; - ') - + ') + - search_dirs_pattern($1, var_t, var_lib_t) + getattr_files_pattern($1, src_t, src_t) + + # /usr/src/linux symlink: + read_lnk_files_pattern($1, usr_t, src_t) ') - + ######################################## ## -## Do not audit attempts to search the @@ -17319,18 +17319,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_search_var_lib',` +interface(`files_read_usr_src_files',` - gen_require(` + gen_require(` - type var_lib_t; + type usr_t, src_t; - ') - + ') + - dontaudit $1 var_lib_t:dir search_dir_perms; + allow $1 usr_t:dir search_dir_perms; + read_files_pattern($1, { usr_t src_t }, src_t) + read_lnk_files_pattern($1, { usr_t src_t }, src_t) + allow $1 src_t:dir list_dir_perms; ') - + ######################################## ## -## List the contents of the /var/lib directory. @@ -17344,17 +17344,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_list_var_lib',` +interface(`files_exec_usr_src_files',` - gen_require(` + gen_require(` - type var_t, var_lib_t; + type usr_t, src_t; - ') - + ') + - list_dirs_pattern($1, var_t, var_lib_t) + list_dirs_pattern($1, usr_t, src_t) + exec_files_pattern($1, src_t, src_t) + read_lnk_files_pattern($1, src_t, src_t) ') - + -########################################### +######################################## ## 
@@ -17369,16 +17369,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_rw_var_lib_dirs',` +interface(`files_create_kernel_symbol_table',` - gen_require(` + gen_require(` - type var_lib_t; + type boot_t, system_map_t; - ') - + ') + - rw_dirs_pattern($1, var_lib_t, var_lib_t) + allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; + allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') - + ######################################## ## -## Create objects in the /var/lib directory @@ -17408,16 +17408,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_var_lib_filetrans',` +interface(`files_dontaduit_getattr_kernel_symbol_table',` - gen_require(` + gen_require(` - type var_t, var_lib_t; + type system_map_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_lib_t, $2, $3, $4) + dontaudit $1 system_map_t:file getattr; ') - + ######################################## ## -## Read generic files in /var/lib. @@ -17431,17 +17431,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_var_lib_files',` +interface(`files_read_kernel_symbol_table',` - gen_require(` + gen_require(` - type var_t, var_lib_t; + type boot_t, system_map_t; - ') - + ') + - allow $1 var_lib_t:dir list_dir_perms; - read_files_pattern($1, { var_t var_lib_t }, var_lib_t) + allow $1 boot_t:dir list_dir_perms; + read_files_pattern($1, boot_t, system_map_t) ') - + ######################################## ## -## Read generic symbolic links in /var/lib 
@@ -17455,16 +17455,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_var_lib_symlinks',` +interface(`files_delete_kernel_symbol_table',` - gen_require(` + gen_require(` - type var_t, var_lib_t; + type boot_t, system_map_t; - ') - + ') + - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + allow $1 boot_t:dir list_dir_perms; + delete_files_pattern($1, boot_t, system_map_t) ') - + -# cjp: the next two interfaces really need to be fixed -# in some way. They really neeed their own types. - @@ -17482,15 +17482,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_urandom_seed',` +interface(`files_search_var',` - gen_require(` + gen_require(` - type var_t, var_lib_t; + type var_t; - ') - - allow $1 var_t:dir search_dir_perms; + ') + + allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) ') - + ######################################## ## -## Allow domain to manage mount tables @@ -17506,16 +17506,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_mounttab',` +interface(`files_dontaudit_write_var_dirs',` - gen_require(` + gen_require(` - type var_t, var_lib_t; + type var_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) + dontaudit $1 var_t:dir write; ') - + ######################################## ## -## Set the attributes of the generic lock directories. @@ -17529,15 +17529,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_setattr_lock_dirs',` +interface(`files_write_var_dirs',` - gen_require(` + gen_require(` - type var_t, var_lock_t; + type var_t; - ') - + ') + - setattr_dirs_pattern($1, var_t, var_lock_t) + allow $1 var_t:dir write; ') - + ######################################## ## -## Search the locks directory (/var/lock). 
@@ -17553,16 +17553,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_search_locks',` +interface(`files_dontaudit_search_var',` - gen_require(` + gen_require(` - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) + dontaudit $1 var_t:dir search_dir_perms; ') - + ######################################## ## -## Do not audit attempts to search the @@ -17578,16 +17578,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_search_locks',` +interface(`files_list_var',` - gen_require(` + gen_require(` - type var_lock_t; + type var_t; - ') - + ') + - dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_lock_t:dir search_dir_perms; + allow $1 var_t:dir list_dir_perms; ') - + ######################################## ## -## List generic lock directories. @@ -17602,16 +17602,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_list_locks',` +interface(`files_dontaudit_list_var',` - gen_require(` + gen_require(` - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_lock_t) + dontaudit $1 var_t:dir list_dir_perms; ') - + ######################################## ## -## Add and remove entries in the /var/lock @@ -17646,17 +17646,17 @@ index f962f76ad..4a8ce9c4b 100644 -# -interface(`files_create_lock_dirs',` +interface(`files_manage_var_dirs',` - gen_require(` + gen_require(` - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_lock_t, var_lock_t) + allow $1 var_t:dir manage_dir_perms; ') - + ######################################## ## -## Relabel to and from all lock directory types. 
@@ -17671,18 +17671,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_relabel_all_lock_dirs',` +interface(`files_read_var_files',` - gen_require(` + gen_require(` - attribute lockfile; - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($1, lockfile, lockfile) + read_files_pattern($1, var_t, var_t) ') - + ######################################## ## -## Get the attributes of generic lock files. @@ -17696,18 +17696,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_getattr_generic_locks',` +interface(`files_append_var_files',` - gen_require(` + gen_require(` - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) + append_files_pattern($1, var_t, var_t) ') - + ######################################## ## -## Delete generic lock files. @@ -17721,17 +17721,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_delete_generic_locks',` +interface(`files_rw_var_files',` - gen_require(` + gen_require(` - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - delete_files_pattern($1, var_lock_t, var_lock_t) + rw_files_pattern($1, var_t, var_t) ') - + ######################################## ## -## Create, read, write, and delete generic 
@@ -17748,18 +17748,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_generic_locks',` +interface(`files_dontaudit_rw_var_files',` - gen_require(` + gen_require(` - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - manage_dirs_pattern($1, var_lock_t, var_lock_t) - manage_files_pattern($1, var_lock_t, var_lock_t) + dontaudit $1 var_t:file rw_inherited_file_perms; ') - + ######################################## ## -## Delete all lock files. @@ -17774,18 +17774,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_delete_all_locks',` +interface(`files_manage_var_files',` - gen_require(` + gen_require(` - attribute lockfile; - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - delete_files_pattern($1, lockfile, lockfile) + manage_files_pattern($1, var_t, var_t) ') - + ######################################## ## -## Read all lock files. @@ -17799,12 +17799,12 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_all_locks',` +interface(`files_read_var_symlinks',` - gen_require(` + gen_require(` - attribute lockfile; - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 { var_t var_lock_t }:dir search_dir_perms; - allow $1 lockfile:dir list_dir_perms; @@ -17812,7 +17812,7 @@ index f962f76ad..4a8ce9c4b 100644 - read_lnk_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, var_t, var_t) ') - + ######################################## ## -## manage all lock files. 
@@ -17827,12 +17827,12 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_all_locks',` +interface(`files_manage_var_symlinks',` - gen_require(` + gen_require(` - attribute lockfile; - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - allow $1 { var_t var_lock_t }:dir search_dir_perms; - manage_dirs_pattern($1, lockfile, lockfile) @@ -17840,7 +17840,7 @@ index f962f76ad..4a8ce9c4b 100644 - manage_lnk_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, var_t, var_t) ') - + ######################################## ## -## Create an object in the locks directory, with a private @@ -17873,17 +17873,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_lock_filetrans',` +interface(`files_var_filetrans',` - gen_require(` + gen_require(` - type var_t, var_lock_t; + type var_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_lock_t, $2, $3, $4) + filetrans_pattern($1, var_t, $2, $3, $4) ') - + + ######################################## ## @@ -17900,16 +17900,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_getattr_pid_dirs',` +interface(`files_relabel_var_dirs',` - gen_require(` + gen_require(` - type var_run_t; + type var_t; - ') + ') - - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir getattr; + allow $1 var_t:dir relabel_dir_perms; ') - + ######################################## ## -## Set the attributes of the /var/run directory. 
@@ -17923,16 +17923,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_setattr_pid_dirs',` +interface(`files_getattr_var_lib_dirs',` - gen_require(` + gen_require(` - type var_run_t; + type var_t, var_lib_t; - ') - + ') + - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir setattr; + getattr_dirs_pattern($1, var_t, var_lib_t) ') - + ######################################## ## -## Search the contents of runtime process @@ -17961,16 +17961,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_search_pids',` +interface(`files_search_var_lib',` - gen_require(` + gen_require(` - type var_t, var_run_t; + type var_t, var_lib_t; - ') - + ') + - allow $1 var_run_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_run_t) + search_dirs_pattern($1, var_t, var_lib_t) ') - + ######################################## ## -## Do not audit attempts to search @@ -17987,16 +17987,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_search_pids',` +interface(`files_dontaudit_search_var_lib',` - gen_require(` + gen_require(` - type var_run_t; + type var_lib_t; - ') - + ') + - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_run_t:dir search_dir_perms; + dontaudit $1 var_lib_t:dir search_dir_perms; ') - + ######################################## ## -## List the contents of the runtime process @@ -18011,16 +18011,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_list_pids',` +interface(`files_list_var_lib',` - gen_require(` + gen_require(` - type var_t, var_run_t; + type var_t, var_lib_t; - ') - + ') + - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) + list_dirs_pattern($1, var_t, var_lib_t) ') - + -######################################## +########################################### ## 
@@ -18035,17 +18035,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_generic_pids',` +interface(`files_rw_var_lib_dirs',` - gen_require(` + gen_require(` - type var_t, var_run_t; + type var_lib_t; - ') - + ') + - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) + rw_dirs_pattern($1, var_lib_t, var_lib_t) ') - + ######################################## ## -## Write named generic process ID pipes @@ -18059,16 +18059,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_write_generic_pid_pipes',` +interface(`files_create_var_lib_dirs',` - gen_require(` + gen_require(` - type var_run_t; + type var_lib_t; - ') - + ') + - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:fifo_file write; + allow $1 var_lib_t:dir { create rw_dir_perms }; ') - + + ######################################## ## @@ -19186,7 +19186,7 @@ index f962f76ad..4a8ce9c4b 100644 + +######################################## +## -+## manage all pidfiles ++## manage all pidfiles +## in the /var/run directory. +## +## @@ -19723,17 +19723,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_pid_filetrans',` +interface(`files_manage_generic_pids_symlinks',` - gen_require(` + gen_require(` - type var_t, var_run_t; + type var_run_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) + manage_lnk_files_pattern($1,var_run_t,var_run_t) ') - + ######################################## ## -## Create a generic lock directory within the run directories 
@@ -19754,15 +19754,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_pid_filetrans_lock_dir',` +interface(`files_dontaudit_getattr_tmpfs_files',` - gen_require(` + gen_require(` - type var_lock_t; + attribute tmpfsfile; - ') - + ') + - files_pid_filetrans($1, var_lock_t, dir, $2) + allow $1 tmpfsfile:file getattr; ') - + ######################################## ## -## Read and write generic process ID files. @@ -19777,17 +19777,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_rw_generic_pids',` +interface(`files_delete_tmpfs_files',` - gen_require(` + gen_require(` - type var_t, var_run_t; + attribute tmpfsfile; - ') - + ') + - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - rw_files_pattern($1, var_run_t, var_run_t) + allow $1 tmpfsfile:file delete_file_perms; ') - + ######################################## ## -## Do not audit attempts to get the attributes of @@ -19802,21 +19802,21 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_getattr_all_pids',` +interface(`files_rw_tmpfs_files',` - gen_require(` + gen_require(` - attribute pidfile; - type var_run_t; + attribute tmpfsfile; - ') - + ') + - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file getattr; + allow $1 tmpfsfile:file { read write }; ') - + ######################################## ## -## Do not audit attempts to write to daemon runtime data files. -+## Do not audit attempts to read security files ++## Do not audit attempts to read security files ## ## ## 
@@ -19826,20 +19826,20 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_write_all_pids',` +interface(`files_dontaudit_read_security_files',` - gen_require(` + gen_require(` - attribute pidfile; + attribute security_file_type; - ') - + ') + - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file write; + dontaudit $1 security_file_type:file read_file_perms; ') - + ######################################## ## -## Do not audit attempts to ioctl daemon runtime data files. -+## Do not audit attempts to search security files ++## Do not audit attempts to search security files ## ## ## @@ -19849,21 +19849,21 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_ioctl_all_pids',` +interface(`files_dontaudit_search_security_files',` - gen_require(` + gen_require(` - attribute pidfile; - type var_run_t; + attribute security_file_type; - ') - + ') + - dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; - dontaudit $1 pidfile:file ioctl; + dontaudit $1 security_file_type:dir search_dir_perms; ') - + ######################################## ## -## Read all process ID files. -+## Do not audit attempts to read security dirs ++## Do not audit attempts to read security dirs ## ## ## @@ -19875,18 +19875,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_all_pids',` +interface(`files_dontaudit_list_security_dirs',` - gen_require(` + gen_require(` - attribute pidfile; - type var_t, var_run_t; + attribute security_file_type; - ') - + ') + - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) + dontaudit $1 security_file_type:dir list_dir_perms; ') - + ######################################## ## -## Delete all process IDs. 
@@ -19906,12 +19906,12 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_delete_all_pids',` +interface(`files_rw_all_inherited_files',` - gen_require(` + gen_require(` - attribute pidfile; - type var_t, var_run_t; + attribute file_type; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; @@ -19924,7 +19924,7 @@ index f962f76ad..4a8ce9c4b 100644 + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; ') - + ######################################## ## -## Delete all process ID directories. @@ -19939,18 +19939,18 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_delete_all_pid_dirs',` +interface(`files_entrypoint_all_files',` - gen_require(` + gen_require(` - attribute pidfile; - type var_t, var_run_t; + attribute file_type; - ') + ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) + allow $1 file_type:file entrypoint; ') - + ######################################## ## -## Create, read, write and delete all @@ -19967,17 +19967,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_all_pids',` +interface(`files_dontaudit_all_non_security_leaks',` - gen_require(` + gen_require(` - attribute pidfile; + attribute non_security_file_type; - ') - + ') + - manage_dirs_pattern($1, pidfile, pidfile) - manage_files_pattern($1, pidfile, pidfile) - manage_lnk_files_pattern($1, pidfile, pidfile) + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ') - + ######################################## ## -## Mount filesystems on all polyinstantiation 
@@ -19994,16 +19994,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_mounton_all_poly_members',` +interface(`files_dontaudit_leaks',` - gen_require(` + gen_require(` - attribute polymember; + attribute file_type; - ') - + ') + - allow $1 polymember:dir mounton; + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; ') - + ######################################## ## -## Search the contents of generic spool @@ -20018,21 +20018,21 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_search_spool',` +interface(`files_create_as_is_all_files',` - gen_require(` + gen_require(` - type var_t, var_spool_t; + attribute file_type; + class kernel_service create_files_as; - ') - + ') + - search_dirs_pattern($1, var_t, var_spool_t) + allow $1 file_type:kernel_service create_files_as; ') - + ######################################## ## -## Do not audit attempts to search generic -## spool directories. -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## access on all files ## ## @@ -20043,15 +20043,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_dontaudit_search_spool',` +interface(`files_dontaudit_all_access_check',` - gen_require(` + gen_require(` - type var_spool_t; + attribute file_type; - ') - + ') + - dontaudit $1 var_spool_t:dir search_dir_perms; + dontaudit $1 file_type:dir_file_class_set audit_access; ') - + ######################################## ## -## List the contents of generic spool @@ -20067,15 +20067,15 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_list_spool',` +interface(`files_dontaudit_write_all_files',` - gen_require(` + gen_require(` - type var_t, var_spool_t; + attribute file_type; - ') - + ') + - list_dirs_pattern($1, var_t, var_spool_t) + dontaudit $1 file_type:dir_file_class_set write; ') - + ######################################## ## -## Create, read, write, and delete generic 
@@ -20091,17 +20091,17 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_generic_spool_dirs',` +interface(`files_delete_all_non_security_files',` - gen_require(` + gen_require(` - type var_t, var_spool_t; + attribute non_security_file_type; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - manage_dirs_pattern($1, var_spool_t, var_spool_t) + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; ') - + ######################################## ## -## Read generic spool files. @@ -20116,16 +20116,16 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_read_generic_spool',` +interface(`files_delete_all_non_security_dirs',` - gen_require(` + gen_require(` - type var_t, var_spool_t; + attribute non_security_file_type; - ') - + ') + - list_dirs_pattern($1, var_t, var_spool_t) - read_files_pattern($1, var_spool_t, var_spool_t) + allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; ') - + ######################################## ## -## Create, read, write, and delete generic @@ -20141,7 +20141,7 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_manage_generic_spool',` +interface(`files_filetrans_named_content',` - gen_require(` + gen_require(` - type var_t, var_spool_t; + type etc_t; + type mnt_t; @@ -20151,8 +20151,8 @@ index f962f76ad..4a8ce9c4b 100644 + type var_run_t; + type var_lock_t; + type tmp_t; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_spool_t, var_spool_t) + files_pid_filetrans($1, mnt_t, dir, "media") @@ -20195,7 +20195,7 @@ index f962f76ad..4a8ce9c4b 100644 + files_var_filetrans($1, var_run_t, dir, "run") + files_var_filetrans($1, etc_runtime_t, file, ".updated") ') - + ######################################## ## -## Create objects in the spool directory 
@@ -20292,21 +20292,21 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_spool_filetrans',` +interface(`files_exec_all_base_ro_files',` - gen_require(` + gen_require(` - type var_t, var_spool_t; + attribute base_ro_file_type; - ') - + ') + - allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_spool_t, $2, $3, $4) + can_exec($1, base_ro_file_type) ') - + ######################################## ## -## Allow access to manage all polyinstantiated -## directories on the system. -+## Allow the specified domain to modify the systemd configuration of ++## Allow the specified domain to modify the systemd configuration of +## any file. ## ## @@ -20317,12 +20317,12 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_polyinstantiate_all',` +interface(`files_config_all_files',` - gen_require(` + gen_require(` - attribute polydir, polymember, polyparent; - type poly_t; + attribute file_type; - ') - + ') + - # Need to give access to /selinux/member - selinux_compute_member($1) - @@ -20361,7 +20361,7 @@ index f962f76ad..4a8ce9c4b 100644 - ') + allow $1 file_type:service all_service_perms; ') - + ######################################## ## -## Unconfined access to files. @@ -20375,11 +20375,11 @@ index f962f76ad..4a8ce9c4b 100644 # -interface(`files_unconfined',` +interface(`files_status_etc',` - gen_require(` + gen_require(` - attribute files_unconfined_type; + type etc_t; - ') - + ') + - typeattribute $1 files_unconfined_type; + allow $1 etc_t:service status; ') @@ -20390,7 +20390,7 @@ index 1a03abdd7..3221f8018 100644 @@ -5,12 +5,16 @@ policy_module(files, 1.18.1) # Declarations # - + +attribute base_file_type; +attribute base_ro_file_type; attribute file_type; @@ -20401,7 +20401,7 @@ index 1a03abdd7..3221f8018 100644 +attribute spoolfile; attribute configfile; +attribute etcfile; - + # For labeling types that are to be polyinstantiated attribute polydir; @@ -48,47 +52,53 @@ attribute usercanread; 
@@ -20409,14 +20409,14 @@ index 1a03abdd7..3221f8018 100644 type boot_t; files_mountpoint(boot_t) +files_ro_base_file(boot_t) - + # default_t is the default type for files that do not # match any specification in the file_contexts configuration # other than the generic /.* specification. type default_t; files_mountpoint(default_t) +files_base_file(default_t) - + # # etc_t is the type of the system etc directories. # @@ -20427,11 +20427,11 @@ index 1a03abdd7..3221f8018 100644 # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; - + +# system_conf_t is a new type of various +# files in /etc/ that can be managed and +# created by several domains. -+# ++# +type system_conf_t, configfile; +files_ro_base_file(system_conf_t) +# compatibility aliases for removed type: @@ -20463,7 +20463,7 @@ index 1a03abdd7..3221f8018 100644 -sid file gen_context(system_u:object_r:file_t,s0) +type etc_runtime_t, configfile; +files_ro_base_file(etc_runtime_t) - + # # home_root_t is the type for the directory where user home directories # are created @@ -20472,21 +20472,21 @@ index 1a03abdd7..3221f8018 100644 +files_base_file(home_root_t) files_mountpoint(home_root_t) files_poly_parent(home_root_t) - + @@ -96,12 +106,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; -files_type(lost_found_t) +files_base_file(lost_found_t) - + # # mnt_t is the type for mount points such as /mnt/cdrom # type mnt_t; +files_base_file(mnt_t) files_mountpoint(mnt_t) - + # @@ -123,6 +134,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. @@ -20501,7 +20501,7 @@ index 1a03abdd7..3221f8018 100644 type src_t; files_mountpoint(src_t) +files_ro_base_file(src_t) - + # # system_map_t is for the system.map files in /boot # 
@@ -20509,7 +20509,7 @@ index 1a03abdd7..3221f8018 100644 files_type(system_map_t) +kernel_proc_type(system_map_t) genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) - + # # tmp_t is the type of the temporary directories # @@ -20520,21 +20520,21 @@ index 1a03abdd7..3221f8018 100644 files_poly(tmp_t) files_poly_parent(tmp_t) +typealias tmp_t alias firstboot_tmp_t; - + # # usr_t is the type for /usr. # type usr_t; +files_ro_base_file(usr_t) files_mountpoint(usr_t) - + # # var_t is the type of /var # type var_t; +files_base_file(var_t) files_mountpoint(var_t) - + # # var_lib_t is the type of /var/lib # @@ -20542,7 +20542,7 @@ index 1a03abdd7..3221f8018 100644 +files_base_file(var_lib_t) files_mountpoint(var_lib_t) +files_poly(var_lib_t) - + # # var_lock_t is tye type of /var/lock # @@ -20550,7 +20550,7 @@ index 1a03abdd7..3221f8018 100644 +files_base_file(var_lock_t) files_lock_file(var_lock_t) files_mountpoint(var_lock_t) - + @@ -180,6 +201,7 @@ files_mountpoint(var_lock_t) # used for pid and other runtime files. # @@ -20558,7 +20558,7 @@ index 1a03abdd7..3221f8018 100644 +files_base_file(var_run_t) files_pid_file(var_run_t) files_mountpoint(var_run_t) - + @@ -187,7 +209,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # @@ -20566,25 +20566,25 @@ index 1a03abdd7..3221f8018 100644 +files_base_file(var_spool_t) files_tmp_file(var_spool_t) +files_spool_file(var_spool_t) - + ######################################## # 
@@ -224,12 +248,13 @@ fs_associate_tmpfs(tmpfsfile) # - + # Create/access any file in a labeled filesystem; -allow files_unconfined_type file_type:{ file chr_file } ~execmod; +allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint }; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; +allow files_unconfined_type file_type:service *; - + # Mount/unmount any filesystem with the context= option. -allow files_unconfined_type file_type:filesystem *; +allow files_unconfined_type file_type:filesystem all_filesystem_perms; - + -tunable_policy(`allow_execmod',` +tunable_policy(`selinuxuser_execmod',` - allow files_unconfined_type file_type:file execmod; + allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index d7c11a0b3..f521a50f8 100644 @@ -20596,19 +20596,19 @@ index d7c11a0b3..f521a50f8 100644 +# ecryptfs does not support xattr +HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) +HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0) - + /dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) /dev/hugepages(/.*)? <> -/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -/dev/shm/.* <> - + -/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) -/lib/udev/devices/hugepages/.* <> -/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) -/lib/udev/devices/shm/.* <> +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) +/dev/shm/.* <> - + +/dev/oracleasm(/.*)? gen_context(system_u:object_r:oracleasmfs_t,s0) + +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) 
@@ -20621,10 +20621,10 @@ index d7c11a0b3..f521a50f8 100644 +# for systemd systems: /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.* <> - + /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0) /sys/fs/pstore/.* <> - + -ifdef(`distro_debian',` /var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0) /var/run/shm/.* <> @@ -20634,9 +20634,9 @@ index 8416beb43..b0d8399f9 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -21,6 +21,25 @@ interface(`fs_type',` - typeattribute $1 filesystem_type; + typeattribute $1 filesystem_type; ') - + + +######################################## +## @@ -20660,9 +20660,9 @@ index 8416beb43..b0d8399f9 100644 ## ## Transform specified type into a filesystem @@ -629,6 +648,27 @@ interface(`fs_getattr_cgroup',` - allow $1 cgroup_t:filesystem getattr; + allow $1 cgroup_t:filesystem getattr; ') - + +######################################## +## +## Get attributes of cgroup files. @@ -20688,13 +20688,13 @@ index 8416beb43..b0d8399f9 100644 ## ## Search cgroup directories. @@ -646,9 +686,29 @@ interface(`fs_search_cgroup_dirs',` - ') - - search_dirs_pattern($1, cgroup_t, cgroup_t) + ') + + search_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) ') - + +######################################## +## +## Relabel cgroup directories. @@ -20723,15 +20723,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_list_cgroup_dirs', ` +interface(`fs_list_cgroup_dirs',` - gen_require(` - type cgroup_t; - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) + gen_require(` + type cgroup_t; + ') + + list_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) ') - + +####################################### +## +## Do not audit attempts to search cgroup directories. @@ -20755,61 +20755,61 @@ index 8416beb43..b0d8399f9 100644 ## ## Delete cgroup directories. 
@@ -684,6 +764,7 @@ interface(`fs_delete_cgroup_dirs', ` - ') - - delete_dirs_pattern($1, cgroup_t, cgroup_t) + ') + + delete_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) ') - + @@ -704,6 +785,7 @@ interface(`fs_manage_cgroup_dirs',` - ') - - manage_dirs_pattern($1, cgroup_t, cgroup_t) + ') + + manage_dirs_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) ') - + @@ -724,6 +806,8 @@ interface(`fs_read_cgroup_files',` - ') - - read_files_pattern($1, cgroup_t, cgroup_t) + ') + + read_files_pattern($1, cgroup_t, cgroup_t) + read_lnk_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) ') - + @@ -743,6 +827,7 @@ interface(`fs_write_cgroup_files', ` - ') - - write_files_pattern($1, cgroup_t, cgroup_t) + ') + + write_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) ') - + @@ -762,7 +847,9 @@ interface(`fs_rw_cgroup_files',` - - ') - + + ') + + read_lnk_files_pattern($1, cgroup_t, cgroup_t) - rw_files_pattern($1, cgroup_t, cgroup_t) + rw_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) ') - + @@ -803,6 +890,8 @@ interface(`fs_manage_cgroup_files',` - ') - - manage_files_pattern($1, cgroup_t, cgroup_t) + ') + + manage_files_pattern($1, cgroup_t, cgroup_t) + manage_lnk_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) ') - + @@ -824,6 +913,25 @@ interface(`fs_mounton_cgroup', ` - allow $1 cgroup_t:dir mounton; + allow $1 cgroup_t:dir mounton; ') - + +######################################## +## +## Read and write ceph files. @@ -20833,9 +20833,9 @@ index 8416beb43..b0d8399f9 100644 ## ## Do not audit attempts to read 
@@ -918,6 +1026,24 @@ interface(`fs_getattr_cifs',` - allow $1 cifs_t:filesystem getattr; + allow $1 cifs_t:filesystem getattr; ') - + +######################################## +## +## Set the attributes of cifs directories. @@ -20858,9 +20858,9 @@ index 8416beb43..b0d8399f9 100644 ## ## Search directories on a CIFS or SMB filesystem. @@ -1105,6 +1231,24 @@ interface(`fs_read_noxattr_fs_files',` - read_files_pattern($1, noxattrfs, noxattrfs) + read_files_pattern($1, noxattrfs, noxattrfs) ') - + +######################################## +## +## Read/Write all inherited noxattrfs files. @@ -20883,7 +20883,7 @@ index 8416beb43..b0d8399f9 100644 ## ## Do not audit attempts to read all @@ -1245,7 +1389,7 @@ interface(`fs_append_cifs_files',` - + ######################################## ## -## dontaudit Append files @@ -20892,9 +20892,9 @@ index 8416beb43..b0d8399f9 100644 ## ## @@ -1263,6 +1407,42 @@ interface(`fs_dontaudit_append_cifs_files',` - dontaudit $1 cifs_t:file append_file_perms; + dontaudit $1 cifs_t:file append_file_perms; ') - + +######################################## +## +## Read inherited files on a CIFS or SMB filesystem. @@ -20935,18 +20935,18 @@ index 8416beb43..b0d8399f9 100644 ## ## Do not audit attempts to read or @@ -1279,7 +1459,7 @@ interface(`fs_dontaudit_rw_cifs_files',` - type cifs_t; - ') - + type cifs_t; + ') + - dontaudit $1 cifs_t:file rw_file_perms; + dontaudit $1 cifs_t:file rw_inherited_file_perms; ') - + ######################################## @@ -1361,6 +1541,27 @@ interface(`fs_exec_cifs_files',` - exec_files_pattern($1, cifs_t, cifs_t) + exec_files_pattern($1, cifs_t, cifs_t) ') - + +######################################## +## +## Mmap files on a CIFS or SMB @@ -20972,9 +20972,9 @@ index 8416beb43..b0d8399f9 100644 ## ## Create, read, write, and delete directories 
@@ -1542,48 +1743,48 @@ interface(`fs_cifs_domtrans',` - domain_auto_transition_pattern($1, cifs_t, $2) + domain_auto_transition_pattern($1, cifs_t, $2) ') - + -####################################### +######################################## ## @@ -20992,15 +20992,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_manage_configfs_dirs',` +interface(`fs_cifs_entry_type',` - gen_require(` + gen_require(` - type configfs_t; + type cifs_t; - ') - + ') + - manage_dirs_pattern($1, configfs_t, configfs_t) + domain_entry_file($1, cifs_t) ') - + -####################################### +######################################## ## @@ -21018,15 +21018,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_manage_configfs_files',` +interface(`fs_cifs_entrypoint',` - gen_require(` + gen_require(` - type configfs_t; + type cifs_t; - ') - + ') + - manage_files_pattern($1, configfs_t, configfs_t) + allow $1 cifs_t:file entrypoint; ') - + -######################################## +####################################### ## @@ -21043,15 +21043,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_mount_dos_fs',` +interface(`fs_dontaudit_write_configfs_dirs',` - gen_require(` + gen_require(` - type dosfs_t; + type configfs_t; - ') - + ') + - allow $1 dosfs_t:filesystem mount; + dontaudit $1 configfs_t:dir write; ') - + -######################################## +####################################### ## @@ -21069,15 +21069,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_remount_dos_fs',` +interface(`fs_read_configfs_dirs',` - gen_require(` + gen_require(` - type dosfs_t; + type configfs_t; - ') - + ') + - allow $1 dosfs_t:filesystem remount; + list_dirs_pattern($1, configfs_t, configfs_t) ') - + -######################################## +####################################### ## 
@@ -21094,15 +21094,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_unmount_dos_fs',` +interface(`fs_manage_configfs_dirs',` - gen_require(` + gen_require(` - type dosfs_t; + type configfs_t; - ') - + ') + - allow $1 dosfs_t:filesystem unmount; + manage_dirs_pattern($1, configfs_t, configfs_t) ') - + -######################################## +####################################### ## @@ -21120,15 +21120,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_getattr_dos_fs',` +interface(`fs_read_configfs_files',` - gen_require(` + gen_require(` - type dosfs_t; + type configfs_t; - ') - + ') + - allow $1 dosfs_t:filesystem getattr; + read_files_pattern($1, configfs_t, configfs_t) ') - + -######################################## +####################################### ## @@ -21145,15 +21145,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_relabelfrom_dos_fs',` +interface(`fs_manage_configfs_files',` - gen_require(` + gen_require(` - type dosfs_t; + type configfs_t; - ') - + ') + - allow $1 dosfs_t:filesystem relabelfrom; + manage_files_pattern($1, configfs_t, configfs_t) ') - + -######################################## +####################################### ## @@ -21169,15 +21169,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_search_dos',` +interface(`fs_manage_configfs_lnk_files',` - gen_require(` + gen_require(` - type dosfs_t; + type configfs_t; - ') - + ') + - allow $1 dosfs_t:dir search_dir_perms; + manage_lnk_files_pattern($1, configfs_t, configfs_t) ') - + ######################################## ## -## List dirs DOS filesystem. @@ -21191,15 +21191,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_list_dos',` +interface(`fs_unmount_configfs',` - gen_require(` + gen_require(` - type dosfs_t; + type configfs_t; - ') - + ') + - list_dirs_pattern($1, dosfs_t, dosfs_t) + allow $1 configfs_t:filesystem unmount; ') - + ######################################## ## -## Create, read, write, and delete dirs 
@@ -21215,14 +21215,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_manage_dos_dirs',` +interface(`fs_mount_dos_fs',` - gen_require(` - type dosfs_t; - ') - + gen_require(` + type dosfs_t; + ') + - manage_dirs_pattern($1, dosfs_t, dosfs_t) + allow $1 dosfs_t:filesystem mount; ') - + ######################################## ## -## Read files on a DOS filesystem. @@ -21238,14 +21238,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_read_dos_files',` +interface(`fs_remount_dos_fs',` - gen_require(` - type dosfs_t; - ') - + gen_require(` + type dosfs_t; + ') + - read_files_pattern($1, dosfs_t, dosfs_t) + allow $1 dosfs_t:filesystem remount; ') - + ######################################## ## -## Create, read, write, and delete files @@ -21405,7 +21405,7 @@ index 8416beb43..b0d8399f9 100644 ## ## @@ -1771,31 +2122,517 @@ interface(`fs_manage_dos_files',` - + ######################################## ## -## Read eventpollfs files. @@ -21928,7 +21928,7 @@ index 8416beb43..b0d8399f9 100644 + allow $1 fusefs_t:dir list_dir_perms; + read_lnk_files_pattern($1, fusefs_t, fusefs_t) ') - + ######################################## ## -## Mount a FUSE filesystem. @@ -21942,14 +21942,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_mount_fusefs',` +interface(`fs_manage_fusefs_symlinks',` - gen_require(` - type fusefs_t; - ') - + gen_require(` + type fusefs_t; + ') + - allow $1 fusefs_t:filesystem mount; + manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ') - + ######################################## ## -## Unmount a FUSE filesystem. @@ -21989,15 +21989,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_unmount_fusefs',` +interface(`fs_fusefs_domtrans',` - gen_require(` - type fusefs_t; - ') - + gen_require(` + type fusefs_t; + ') + - allow $1 fusefs_t:filesystem unmount; + allow $1 fusefs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, fusefs_t, $2) ') - + ######################################## ## -## Mounton a FUSEFS filesystem. 
@@ -22012,14 +22012,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_mounton_fusefs',` +interface(`fs_getattr_fusefs',` - gen_require(` - type fusefs_t; - ') - + gen_require(` + type fusefs_t; + ') + - allow $1 fusefs_t:dir mounton; + allow $1 fusefs_t:filesystem getattr; ') - + ######################################## ## -## Search directories @@ -22036,15 +22036,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_search_fusefs',` +interface(`fs_getattr_hugetlbfs',` - gen_require(` + gen_require(` - type fusefs_t; + type hugetlbfs_t; - ') - + ') + - allow $1 fusefs_t:dir search_dir_perms; + allow $1 hugetlbfs_t:filesystem getattr; ') - + ######################################## ## -## Do not audit attempts to list the contents @@ -22060,15 +22060,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_list_fusefs',` +interface(`fs_list_hugetlbfs',` - gen_require(` + gen_require(` - type fusefs_t; + type hugetlbfs_t; - ') - + ') + - dontaudit $1 fusefs_t:dir list_dir_perms; + allow $1 hugetlbfs_t:dir list_dir_perms; ') - + ######################################## ## -## Create, read, write, and delete directories @@ -22084,15 +22084,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_manage_fusefs_dirs',` +interface(`fs_manage_hugetlbfs_dirs',` - gen_require(` + gen_require(` - type fusefs_t; + type hugetlbfs_t; - ') - + ') + - allow $1 fusefs_t:dir manage_dir_perms; + manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ') - + ######################################## ## -## Do not audit attempts to create, read, @@ -22109,15 +22109,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_manage_fusefs_dirs',` +interface(`fs_read_hugetlbfs_files',` - gen_require(` + gen_require(` - type fusefs_t; + type hugetlbfs_t; - ') - + ') + - dontaudit $1 fusefs_t:dir manage_dir_perms; + read_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') - + ######################################## ## -## Read, a FUSEFS filesystem. 
@@ -22132,16 +22132,16 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_read_fusefs_files',` +interface(`fs_rw_hugetlbfs_files',` - gen_require(` + gen_require(` - type fusefs_t; + type hugetlbfs_t; - ') - + ') + - read_files_pattern($1, fusefs_t, fusefs_t) + allow $1 hugetlbfs_t:file map; + rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') - + ######################################## ## -## Execute files on a FUSEFS filesystem. @@ -22156,15 +22156,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_exec_fusefs_files',` +interface(`fs_manage_hugetlbfs_files',` - gen_require(` + gen_require(` - type fusefs_t; + type hugetlbfs_t; - ') - + ') + - exec_files_pattern($1, fusefs_t, fusefs_t) + manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') - + ######################################## ## -## Create, read, write, and delete files @@ -22180,16 +22180,16 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_manage_fusefs_files',` +interface(`fs_exec_hugetlbfs_files',` - gen_require(` + gen_require(` - type fusefs_t; + type hugetlbfs_t; - ') - + ') + - manage_files_pattern($1, fusefs_t, fusefs_t) + allow $1 hugetlbfs_t:dir list_dir_perms; + exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') - + ######################################## ## -## Do not audit attempts to create, @@ -22207,15 +22207,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_manage_fusefs_files',` +interface(`fs_associate_hugetlbfs',` - gen_require(` + gen_require(` - type fusefs_t; + type hugetlbfs_t; - ') - + ') + - dontaudit $1 fusefs_t:file manage_file_perms; + allow $1 hugetlbfs_t:filesystem associate; ') - + ######################################## ## -## Read symbolic links on a FUSEFS filesystem. 
@@ -22229,16 +22229,16 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_read_fusefs_symlinks',` +interface(`fs_list_oracleasmfs',` - gen_require(` + gen_require(` - type fusefs_t; + type oracleasmfs_t; - ') - + ') + - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 oracleasmfs_t:dir list_dir_perms; ') - + ######################################## ## -## Get the attributes of an hugetlbfs @@ -22252,15 +22252,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_getattr_hugetlbfs',` +interface(`fs_getattr_oracleasmfs_fs',` - gen_require(` + gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; - ') - + ') + - allow $1 hugetlbfs_t:filesystem getattr; + allow $1 oracleasmfs_t:filesystem getattr; ') - + ######################################## ## -## List hugetlbfs. @@ -22275,15 +22275,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_list_hugetlbfs',` +interface(`fs_getattr_oracleasmfs',` - gen_require(` + gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; - ') - + ') + - allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 oracleasmfs_t:file getattr; ') - + ######################################## ## -## Manage hugetlbfs dirs. @@ -22298,15 +22298,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_setattr_oracleasmfs',` - gen_require(` + gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; - ') - + ') + - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 oracleasmfs_t:file setattr; ') - + ######################################## ## -## Read and write hugetlbfs files. 
@@ -22321,15 +22321,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_rw_hugetlbfs_files',` +interface(`fs_setattr_oracleasmfs_dirs',` - gen_require(` + gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; - ') - + ') + - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 oracleasmfs_t:dir setattr; ') - + ######################################## ## -## Allow the type to associate to hugetlbfs filesystems. @@ -22345,25 +22345,25 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_associate_hugetlbfs',` +interface(`fs_manage_oracleasm',` - gen_require(` + gen_require(` - type hugetlbfs_t; + type oracleasmfs_t; - ') - + ') + - allow $1 hugetlbfs_t:filesystem associate; + manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t) + manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t) + dev_filetrans($1, oracleasmfs_t, dir, "oracleasm") ') - + ######################################## @@ -2148,11 +3006,12 @@ interface(`fs_list_inotifyfs',` - ') - - allow $1 inotifyfs_t:dir list_dir_perms; + ') + + allow $1 inotifyfs_t:dir list_dir_perms; + fs_read_anon_inodefs_files($1) ') - + ######################################## ## -## Dontaudit List inotifyfs filesystem. @@ -22372,9 +22372,9 @@ index 8416beb43..b0d8399f9 100644 ## ## @@ -2396,6 +3255,24 @@ interface(`fs_getattr_nfs',` - allow $1 nfs_t:filesystem getattr; + allow $1 nfs_t:filesystem getattr; ') - + +######################################## +## +## Set the attributes of nfs directories. @@ -22397,7 +22397,7 @@ index 8416beb43..b0d8399f9 100644 ## ## Search directories on a NFS filesystem. @@ -2453,138 +3330,214 @@ interface(`fs_dontaudit_list_nfs',` - + ######################################## ## -## Mounton a NFS filesystem. 
@@ -22490,15 +22490,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_mounton_nfs',` +interface(`fs_exec_nfs_files',` - gen_require(` - type nfs_t; - ') - + gen_require(` + type nfs_t; + ') + - allow $1 nfs_t:dir mounton; + allow $1 nfs_t:dir list_dir_perms; + exec_files_pattern($1, nfs_t, nfs_t) ') - + ######################################## ## -## Read files on a NFS filesystem. @@ -22515,15 +22515,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_read_nfs_files',` +interface(`fs_nfs_entry_type',` - gen_require(` - type nfs_t; - ') - + gen_require(` + type nfs_t; + ') + - allow $1 nfs_t:dir list_dir_perms; - read_files_pattern($1, nfs_t, nfs_t) + domain_entry_file($1, nfs_t) ') - + ######################################## ## -## Do not audit attempts to read @@ -22540,14 +22540,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_read_nfs_files',` +interface(`fs_nfs_entrypoint',` - gen_require(` - type nfs_t; - ') - + gen_require(` + type nfs_t; + ') + - dontaudit $1 nfs_t:file read_file_perms; + allow $1 nfs_t:file entrypoint; ') - + ######################################## ## -## Read files on a NFS filesystem. @@ -22563,15 +22563,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_write_nfs_files',` +interface(`fs_append_nfs_files',` - gen_require(` - type nfs_t; - ') - + gen_require(` + type nfs_t; + ') + - allow $1 nfs_t:dir list_dir_perms; - write_files_pattern($1, nfs_t, nfs_t) + append_files_pattern($1, nfs_t, nfs_t) ') - + ######################################## ## -## Execute files on a NFS filesystem. @@ -22588,15 +22588,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_exec_nfs_files',` +interface(`fs_dontaudit_append_nfs_files',` - gen_require(` - type nfs_t; - ') - + gen_require(` + type nfs_t; + ') + - allow $1 nfs_t:dir list_dir_perms; - exec_files_pattern($1, nfs_t, nfs_t) + dontaudit $1 nfs_t:file append_file_perms; ') - + ######################################## ## -## Append files 
@@ -22612,14 +22612,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_append_nfs_files',` +interface(`fs_read_inherited_nfs_files',` - gen_require(` - type nfs_t; - ') - + gen_require(` + type nfs_t; + ') + - append_files_pattern($1, nfs_t, nfs_t) + allow $1 nfs_t:file read_inherited_file_perms; ') - + ######################################## ## -## dontaudit Append files @@ -22636,26 +22636,26 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_append_nfs_files',` +interface(`fs_rw_inherited_nfs_files',` - gen_require(` - type nfs_t; - ') - + gen_require(` + type nfs_t; + ') + - dontaudit $1 nfs_t:file append_file_perms; + allow $1 nfs_t:file rw_inherited_file_perms; ') - + ######################################## @@ -2603,7 +3556,7 @@ interface(`fs_dontaudit_rw_nfs_files',` - type nfs_t; - ') - + type nfs_t; + ') + - dontaudit $1 nfs_t:file rw_file_perms; + dontaudit $1 nfs_t:file rw_inherited_file_perms; ') - + ######################################## @@ -2627,7 +3580,7 @@ interface(`fs_read_nfs_symlinks',` - + ######################################## ## -## Dontaudit read symbolic links on a NFS filesystem. @@ -22664,9 +22664,9 @@ index 8416beb43..b0d8399f9 100644 ## ## @@ -2717,6 +3670,47 @@ interface(`fs_search_rpc',` - allow $1 rpc_pipefs_t:dir search_dir_perms; + allow $1 rpc_pipefs_t:dir search_dir_perms; ') - + +######################################## +## +## Do not audit attempts to list removable storage directories. @@ -22721,9 +22721,9 @@ index 8416beb43..b0d8399f9 100644 ## # @@ -2771,13 +3765,33 @@ interface(`fs_read_removable_files',` - read_files_pattern($1, removable_t, removable_t) + read_files_pattern($1, removable_t, removable_t) ') - + + +######################################## +## @@ -22756,21 +22756,21 @@ index 8416beb43..b0d8399f9 100644 ## # 
@@ -2970,6 +3984,7 @@ interface(`fs_manage_nfs_dirs',` - type nfs_t; - ') - + type nfs_t; + ') + + fs_search_auto_mountpoints($1) - allow $1 nfs_t:dir manage_dir_perms; + allow $1 nfs_t:dir manage_dir_perms; ') - + @@ -3010,9 +4025,29 @@ interface(`fs_manage_nfs_files',` - type nfs_t; - ') - + type nfs_t; + ') + + fs_search_auto_mountpoints($1) - manage_files_pattern($1, nfs_t, nfs_t) + manage_files_pattern($1, nfs_t, nfs_t) ') - + +######################################## +## +## mmap files on a NFS filesystem. @@ -22794,17 +22794,17 @@ index 8416beb43..b0d8399f9 100644 ## ## Do not audit attempts to create, @@ -3050,6 +4085,7 @@ interface(`fs_manage_nfs_symlinks',` - type nfs_t; - ') - + type nfs_t; + ') + + fs_search_auto_mountpoints($1) - manage_lnk_files_pattern($1, nfs_t, nfs_t) + manage_lnk_files_pattern($1, nfs_t, nfs_t) ') - + @@ -3135,6 +4171,24 @@ interface(`fs_nfs_domtrans',` - domain_auto_transition_pattern($1, nfs_t, $2) + domain_auto_transition_pattern($1, nfs_t, $2) ') - + +######################################## +## +## Mount on nfsd_fs directories. @@ -22827,9 +22827,9 @@ index 8416beb43..b0d8399f9 100644 ## ## Mount a NFS server pseudo filesystem. @@ -3172,28 +4226,155 @@ interface(`fs_remount_nfsd_fs',` - allow $1 nfsd_fs_t:filesystem remount; + allow $1 nfsd_fs_t:filesystem remount; ') - + -######################################## +######################################## +## @@ -22975,16 +22975,16 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_unmount_nfsd_fs',` +interface(`fs_read_nsfs_files',` - gen_require(` + gen_require(` - type nfsd_fs_t; - ') + type nsfs_t; + ') - + - allow $1 nfsd_fs_t:filesystem unmount; + allow $1 nsfs_t:file read_file_perms; ') - + -######################################## +####################################### ## 
@@ -23000,15 +23000,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_getattr_nfsd_fs',` +interface(`fs_rw_nsfs_files',` - gen_require(` + gen_require(` - type nfsd_fs_t; + type nsfs_t; - ') - + ') + - allow $1 nfsd_fs_t:filesystem getattr; + rw_files_pattern($1, nsfs_t, nsfs_t) ') - + + ######################################## ## @@ -23023,15 +23023,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_search_nfsd_fs',` +interface(`fs_mount_nsfs',` - gen_require(` + gen_require(` - type nfsd_fs_t; + type nsfs_t; - ') - + ') + - allow $1 nfsd_fs_t:dir search_dir_perms; + allow $1 nsfs_t:filesystem mount; ') - + + ######################################## ## @@ -23046,15 +23046,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_list_nfsd_fs',` +interface(`fs_remount_nsfs',` - gen_require(` + gen_require(` - type nfsd_fs_t; + type nsfs_t; - ') - + ') + - allow $1 nfsd_fs_t:dir list_dir_perms; + allow $1 nsfs_t:filesystem remount; ') - + ######################################## ## -## Getattr files on an nfsd filesystem @@ -23068,15 +23068,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_getattr_nfsd_files',` +interface(`fs_unmount_nsfs',` - gen_require(` + gen_require(` - type nfsd_fs_t; + type nsfs_t; - ') - + ') + - getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + allow $1 nsfs_t:filesystem unmount; ') - + ######################################## ## -## Read and write NFS server files. @@ -23090,17 +23090,17 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_rw_nfsd_fs',` +interface(`fs_manage_nfsd_fs',` - gen_require(` - type nfsd_fs_t; - ') - + gen_require(` + type nfsd_fs_t; + ') + - rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') - + ######################################## @@ -3392,7 +4575,7 @@ interface(`fs_search_ramfs',` - + ######################################## ## -## Dontaudit Search directories on a ramfs @@ -23109,7 +23109,7 @@ index 8416beb43..b0d8399f9 100644 ## ## 
@@ -3429,7 +4612,7 @@ interface(`fs_manage_ramfs_dirs',` - + ######################################## ## -## Dontaudit read on a ramfs files. @@ -23118,7 +23118,7 @@ index 8416beb43..b0d8399f9 100644 ## ## @@ -3447,7 +4630,7 @@ interface(`fs_dontaudit_read_ramfs_files',` - + ######################################## ## -## Dontaudit read on a ramfs fifo_files. @@ -23127,9 +23127,9 @@ index 8416beb43..b0d8399f9 100644 ## ## @@ -3777,6 +4960,24 @@ interface(`fs_mount_tmpfs',` - allow $1 tmpfs_t:filesystem mount; + allow $1 tmpfs_t:filesystem mount; ') - + +######################################## +## +## Dontaudit remount a tmpfs filesystem. @@ -23152,9 +23152,9 @@ index 8416beb43..b0d8399f9 100644 ## ## Remount a tmpfs filesystem. @@ -3813,6 +5014,24 @@ interface(`fs_unmount_tmpfs',` - allow $1 tmpfs_t:filesystem unmount; + allow $1 tmpfs_t:filesystem unmount; ') - + +######################################## +## +## Mount on tmpfs directories. @@ -23177,7 +23177,7 @@ index 8416beb43..b0d8399f9 100644 ## ## Get the attributes of a tmpfs @@ -3908,7 +5127,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` - + ######################################## ## -## Mount on tmpfs directories. @@ -23191,14 +23191,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_mounton_tmpfs',` +interface(`fs_setattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - allow $1 tmpfs_t:dir mounton; + allow $1 tmpfs_t:dir setattr; ') - + ######################################## ## -## Set the attributes of tmpfs directories. @@ -23212,14 +23212,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_setattr_tmpfs_dirs',` +interface(`fs_search_tmpfs',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - allow $1 tmpfs_t:dir setattr; + allow $1 tmpfs_t:dir search_dir_perms; ') - + ######################################## ## -## Search tmpfs directories. 
@@ -23233,14 +23233,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_search_tmpfs',` +interface(`fs_list_tmpfs',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - allow $1 tmpfs_t:dir search_dir_perms; + allow $1 tmpfs_t:dir list_dir_perms; ') - + ######################################## ## -## List the contents of generic tmpfs directories. @@ -23273,14 +23273,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_list_tmpfs',` +interface(`fs_relabel_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - allow $1 tmpfs_t:dir list_dir_perms; + relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## ## -## Do not audit attempts to list the @@ -23296,10 +23296,10 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_list_tmpfs',` +interface(`fs_relabel_tmpfs_fifo_files',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - dontaudit $1 tmpfs_t:dir list_dir_perms; + relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) +') @@ -23321,7 +23321,7 @@ index 8416beb43..b0d8399f9 100644 + + relabel_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## @@ -4061,38 +5316,166 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## @@ -23459,15 +23459,15 @@ index 8416beb43..b0d8399f9 100644 +## +# +interface(`fs_read_tmpfs_symlinks',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - allow $2 tmpfs_t:filesystem associate; - filetrans_pattern($1, tmpfs_t, $2, $3, $4) + read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## ## -## Do not audit attempts to getattr 
@@ -23483,15 +23483,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_getattr_tmpfs_files',` +interface(`fs_rw_tmpfs_chr_files',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - dontaudit $1 tmpfs_t:file getattr; + allow $1 tmpfs_t:dir list_dir_perms; + rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## ## -## Do not audit attempts to read or write @@ -23506,15 +23506,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_rw_tmpfs_files',` +interface(`fs_dontaudit_use_tmpfs_chr_dev',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - dontaudit $1 tmpfs_t:file rw_file_perms; + dontaudit $1 tmpfs_t:dir list_dir_perms; + dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -23530,15 +23530,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_manage_auto_mountpoints',` +interface(`fs_dontaudit_create_tmpfs_chr_dev',` - gen_require(` + gen_require(` - type autofs_t; + type tmpfs_t; - ') - + ') + - allow $1 autofs_t:dir manage_dir_perms; + dontaudit $1 tmpfs_t:chr_file create; ') - + ######################################## ## -## Read generic tmpfs files. @@ -23553,14 +23553,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_read_tmpfs_files',` +interface(`fs_dontaudit_read_tmpfs_blk_dev',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - read_files_pattern($1, tmpfs_t, tmpfs_t) + dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; ') - + ######################################## ## -## Read and write generic tmpfs files. 
@@ -23575,14 +23575,14 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_rw_tmpfs_files',` +interface(`fs_dontaudit_read_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - rw_files_pattern($1, tmpfs_t, tmpfs_t) + dontaudit $1 tmpfs_t:blk_file read; ') - + ######################################## ## -## Read tmpfs link files. @@ -23596,15 +23596,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_read_tmpfs_symlinks',` +interface(`fs_relabel_tmpfs_chr_file',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) + allow $1 tmpfs_t:dir list_dir_perms; + relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## ## -## Read and write character nodes on tmpfs filesystems. @@ -23618,15 +23618,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_rw_tmpfs_chr_files',` +interface(`fs_rw_tmpfs_blk_files',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; - rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) + rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## ## -## dontaudit Read and write character nodes on tmpfs filesystems. @@ -23641,16 +23641,16 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_dontaudit_use_tmpfs_chr_dev',` +interface(`fs_relabel_tmpfs_blk_file',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - dontaudit $1 tmpfs_t:dir list_dir_perms; - dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; + allow $1 tmpfs_t:dir list_dir_perms; + relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## ## -## Relabel character nodes on tmpfs filesystems. 
@@ -23664,15 +23664,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_relabel_tmpfs_chr_file',` +interface(`fs_relabel_tmpfs_sock_file',` - gen_require(` - type tmpfs_t; - ') - - allow $1 tmpfs_t:dir list_dir_perms; + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; - relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) + relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## ## -## Read and write block nodes on tmpfs filesystems. @@ -23686,16 +23686,16 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_rw_tmpfs_blk_files',` +interface(`fs_delete_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - allow $1 tmpfs_t:dir list_dir_perms; - rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) + allow $1 tmpfs_t:dir del_entry_dir_perms; + allow $1 tmpfs_t:file_class_set delete_file_perms; ') - + ######################################## ## -## Relabel block nodes on tmpfs filesystems. @@ -23710,15 +23710,15 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_relabel_tmpfs_blk_file',` +interface(`fs_manage_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - allow $1 tmpfs_t:dir list_dir_perms; - relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) + manage_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## ## -## Read and write, create and delete generic @@ -23734,19 +23734,19 @@ index 8416beb43..b0d8399f9 100644 # -interface(`fs_manage_tmpfs_files',` +interface(`fs_exec_tmpfs_files',` - gen_require(` - type tmpfs_t; - ') - + gen_require(` + type tmpfs_t; + ') + - manage_files_pattern($1, tmpfs_t, tmpfs_t) + exec_files_pattern($1, tmpfs_t, tmpfs_t) ') - + ######################################## @@ -4407,6 +5791,25 @@ interface(`fs_search_xenfs',` - allow $1 xenfs_t:dir search_dir_perms; + allow $1 xenfs_t:dir search_dir_perms; ') - + + +######################################## +## 
@@ -23770,13 +23770,13 @@ index 8416beb43..b0d8399f9 100644 ## ## Create, read, write, and delete directories @@ -4503,6 +5906,8 @@ interface(`fs_mount_all_fs',` - ') - - allow $1 filesystem_type:filesystem mount; + ') + + allow $1 filesystem_type:filesystem mount; +# Mount checks write access on the dir + allow $1 filesystem_type:dir write; ') - + ######################################## @@ -4549,7 +5954,7 @@ interface(`fs_unmount_all_fs',` ## @@ -23788,12 +23788,12 @@ index 8416beb43..b0d8399f9 100644 ##

    ##
      @@ -4594,6 +5999,26 @@ interface(`fs_dontaudit_getattr_all_fs',` - dontaudit $1 filesystem_type:filesystem getattr; + dontaudit $1 filesystem_type:filesystem getattr; ') - + +######################################## +## -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## access on all filesystems. +## +## @@ -23815,9 +23815,9 @@ index 8416beb43..b0d8399f9 100644 ## ## Get the quotas of all filesystems. @@ -4669,6 +6094,25 @@ interface(`fs_getattr_all_dirs',` - allow $1 filesystem_type:dir getattr; + allow $1 filesystem_type:dir getattr; ') - + +######################################## +## +## Dontaudit Get the attributes of all directories @@ -23841,8 +23841,8 @@ index 8416beb43..b0d8399f9 100644 ## ## Search all directories with a filesystem type. @@ -4912,3 +6356,174 @@ interface(`fs_unconfined',` - - typeattribute $1 filesystem_unconfined_type; + + typeattribute $1 filesystem_unconfined_type; ') + +######################################## @@ -24024,7 +24024,7 @@ index e7d173844..622029da6 100644 fs_type(fs_t) sid fs gen_context(system_u:object_r:fs_t,s0) +typealias fs_t alias vxfs_t; - + # Use xattrs for the following filesystem types. # Requires that a security xattr handler exist for the filesystem. @@ -26,14 +27,22 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -24047,7 +24047,7 @@ index e7d173844..622029da6 100644 +fs_use_xattr vxfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr odms gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr vxclonefs gen_context(system_u:object_r:fs_t,s0); - + # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. @@ -43,6 +52,7 @@ fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); 
@@ -24055,7 +24055,7 @@ index e7d173844..622029da6 100644 fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); +fs_use_task nsfs gen_context(system_u:object_r:fs_t,s0); - + ############################## # @@ -53,6 +63,7 @@ type anon_inodefs_t; @@ -24063,13 +24063,13 @@ index e7d173844..622029da6 100644 files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) +mls_trusted_object(anon_inodefs_t) - + type bdev_t; fs_type(bdev_t) @@ -63,12 +74,23 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) - + +type oracleasmfs_t; +fs_type(oracleasmfs_t) +dev_node(oracleasmfs_t) @@ -24080,7 +24080,7 @@ index e7d173844..622029da6 100644 fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) - + -type cgroup_t; +type cephfs_t; +fs_type(cephfs_t) @@ -24094,7 +24094,7 @@ index e7d173844..622029da6 100644 @@ -88,6 +110,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) - + +type efivarfs_t; +fs_noxattr_type(efivarfs_t) +files_mountpoint(efivarfs_t) @@ -24108,16 +24108,16 @@ index e7d173844..622029da6 100644 files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); +dev_associate(hugetlbfs_t) - + type ibmasmfs_t; fs_type(ibmasmfs_t) @@ -118,13 +146,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) - + type nfsd_fs_t; fs_type(nfsd_fs_t) +files_mountpoint(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) - + +type nsfs_t; +fs_type(nsfs_t) +genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) 
@@ -24130,7 +24130,7 @@ index e7d173844..622029da6 100644 type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) - + -type pstore_t; +type pstore_t alias pstorefs_t; fs_type(pstore_t) @@ -24139,7 +24139,7 @@ index e7d173844..622029da6 100644 @@ -150,17 +188,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) - + -type squash_t; -fs_type(squash_t) -genfscon squash / gen_context(system_u:object_r:squash_t,s0) @@ -24150,7 +24150,7 @@ index e7d173844..622029da6 100644 files_mountpoint(sysv_t) genfscon sysv / gen_context(system_u:object_r:sysv_t,s0) genfscon v7 / gen_context(system_u:object_r:sysv_t,s0) - + +type tracefs_t; +fs_type(tracefs_t) +genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0) @@ -24161,7 +24161,7 @@ index e7d173844..622029da6 100644 @@ -168,11 +205,6 @@ genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) - + -type vxfs_t; -fs_noxattr_type(vxfs_t) -files_mountpoint(vxfs_t) @@ -24176,7 +24176,7 @@ index e7d173844..622029da6 100644 files_poly_parent(tmpfs_t) +dev_associate(tmpfs_t) +mls_trusted_object(tmpfs_t) - + # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, @@ -261,6 +295,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) @@ -24186,23 +24186,23 @@ index e7d173844..622029da6 100644 +files_type(removable_t) +dev_node(removable_t) files_mountpoint(removable_t) - + # 
@@ -280,6 +316,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) +genfscon 9p / gen_context(system_u:object_r:nfs_t,s0) - + ######################################## # @@ -301,9 +338,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # - + -allow filesystem_unconfined_type filesystem_type:filesystem *; +allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms; - + # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. @@ -24225,9 +24225,9 @@ index e100d886b..d16dc1f1b 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -124,6 +124,24 @@ interface(`kernel_setsched',` - allow $1 kernel_t:process setsched; + allow $1 kernel_t:process setsched; ') - + +######################################## +## +## Dontaudit attempts to set the priority of kernel threads. @@ -24250,9 +24250,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Send a SIGCHLD signal to kernel threads. @@ -178,6 +196,24 @@ interface(`kernel_signal',` - allow $1 kernel_t:process signal; + allow $1 kernel_t:process signal; ') - + +######################################## +## +## Send signull to kernel threads. @@ -24275,28 +24275,28 @@ index e100d886b..d16dc1f1b 100644 ## ## Allows the kernel to share state information with @@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',` - type kernel_t; - ') - + type kernel_t; + ') + - allow $1 kernel_t:unix_dgram_socket { read write ioctl }; + allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl }; ') - + ######################################## 
@@ -762,8 +798,8 @@ interface(`kernel_manage_debugfs',` - ') - - manage_files_pattern($1, debugfs_t, debugfs_t) + ') + + manage_files_pattern($1, debugfs_t, debugfs_t) + manage_dirs_pattern($1,debugfs_t, debugfs_t) - read_lnk_files_pattern($1, debugfs_t, debugfs_t) + read_lnk_files_pattern($1, debugfs_t, debugfs_t) - list_dirs_pattern($1, debugfs_t, debugfs_t) ') - + ######################################## @@ -784,6 +820,24 @@ interface(`kernel_mount_kvmfs',` - allow $1 kvmfs_t:filesystem mount; + allow $1 kvmfs_t:filesystem mount; ') - + +######################################## +## +## Mount the proc filesystem. @@ -24319,9 +24319,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Unmount the proc filesystem. @@ -802,6 +856,24 @@ interface(`kernel_unmount_proc',` - allow $1 proc_t:filesystem unmount; + allow $1 proc_t:filesystem unmount; ') - + +######################################## +## +## Mounton a proc filesystem. @@ -24344,9 +24344,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Get the attributes of the proc filesystem. @@ -839,6 +911,25 @@ interface(`kernel_dontaudit_setattr_proc_dirs',` - dontaudit $1 proc_t:dir setattr; + dontaudit $1 proc_t:dir setattr; ') - + +######################################## +## +## Do not audit attempts to set the @@ -24372,23 +24372,23 @@ index e100d886b..d16dc1f1b 100644 @@ -991,13 +1082,10 @@ interface(`kernel_read_proc_symlinks',` # interface(`kernel_read_system_state',` - gen_require(` + gen_require(` - type proc_t; + attribute kernel_system_state_reader; - ') - + ') + - read_files_pattern($1, proc_t, proc_t) - read_lnk_files_pattern($1, proc_t, proc_t) - - list_dirs_pattern($1, proc_t, proc_t) + typeattribute $1 kernel_system_state_reader; ') - + ######################################## @@ -1023,6 +1111,44 @@ interface(`kernel_write_proc_files',` - write_files_pattern($1, proc_t, proc_t) + write_files_pattern($1, proc_t, proc_t) ') - + +######################################## +## +## Do not audit attempts to write the 
@@ -24410,7 +24410,7 @@ index e100d886b..d16dc1f1b 100644 + +######################################## +## -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## access on generic proc entries. +## +## @@ -24431,9 +24431,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Do not audit attempts by caller to @@ -1061,6 +1187,26 @@ interface(`kernel_dontaudit_read_proc_symlinks',` - dontaudit $1 proc_t:lnk_file read; + dontaudit $1 proc_t:lnk_file read; ') - + +####################################### +## +## Allow caller to read state information for AFS. @@ -24458,9 +24458,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Allow caller to read and write state information for AFS. @@ -1206,6 +1352,24 @@ interface(`kernel_read_messages',` - typeattribute $1 can_receive_kernel_messages; + typeattribute $1 can_receive_kernel_messages; ') - + +######################################## +## +## Allow caller to mounton the kernel messages file @@ -24483,9 +24483,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Allow caller to get the attributes of kernel message @@ -1456,6 +1620,25 @@ interface(`kernel_list_all_proc',` - allow $1 proc_type:file getattr; + allow $1 proc_type:file getattr; ') - + +######################################## +## +## Allow attempts to mounton all proc directories. @@ -24509,9 +24509,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Do not audit attempts to list all proc directories. @@ -1475,6 +1658,24 @@ interface(`kernel_dontaudit_list_all_proc',` - dontaudit $1 proc_type:file getattr; + dontaudit $1 proc_type:file getattr; ') - + +######################################## +## +## Allow attempts to read all proc types. @@ -24534,31 +24534,31 @@ index e100d886b..d16dc1f1b 100644 ## ## Do not audit attempts by caller to search 
@@ -1672,7 +1873,7 @@ interface(`kernel_read_net_sysctls',` - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - + read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') - + @@ -1693,7 +1894,7 @@ interface(`kernel_rw_net_sysctls',` - ') - - rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + ') + + rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - + read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') - + @@ -1715,7 +1916,6 @@ interface(`kernel_read_unix_sysctls',` - ') - - read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) + ') + + read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) - - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') - + @@ -1750,16 +1950,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## @@ -24575,7 +24575,7 @@ index e100d886b..d16dc1f1b 100644 - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + refpolicywarn(`$0($*) has been deprecated.') ') - + ######################################## @@ -1771,16 +1964,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. @@ -24593,7 +24593,7 @@ index e100d886b..d16dc1f1b 100644 - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + refpolicywarn(`$0($*) has been deprecated.') ') - + ######################################## @@ -1792,16 +1978,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. 
@@ -24611,7 +24611,7 @@ index e100d886b..d16dc1f1b 100644 - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + refpolicywarn(`$0($*) has been deprecated.') ') - + ######################################## @@ -1813,16 +1992,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. @@ -24629,12 +24629,12 @@ index e100d886b..d16dc1f1b 100644 - list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + refpolicywarn(`$0($*) has been deprecated.') ') - + ######################################## @@ -2048,6 +2220,26 @@ interface(`kernel_read_rpc_sysctls',` - list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') - + + +######################################## +## @@ -24659,9 +24659,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Read and write RPC sysctls. @@ -2069,6 +2261,26 @@ interface(`kernel_rw_rpc_sysctls',` - list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) ') - + +######################################## +## +## Read and write RPC sysctls. @@ -24686,9 +24686,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Do not audit attempts to list all sysctl directories. @@ -2085,9 +2297,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` - ') - - dontaudit $1 sysctl_type:dir list_dir_perms; + ') + + dontaudit $1 sysctl_type:dir list_dir_perms; - dontaudit $1 sysctl_type:file getattr; + dontaudit $1 sysctl_type:file read_file_perms; +') @@ -24710,13 +24710,13 @@ index e100d886b..d16dc1f1b 100644 + + allow $1 sysctl_type:dir mounton; ') - + + ######################################## ## ## Allow caller to read all sysctls. @@ -2282,7 +2513,7 @@ interface(`kernel_list_unlabeled',` - + ######################################## ## -## Read the process state (/proc/pid) of all unlabeled_t. 
@@ -24730,10 +24730,10 @@ index e100d886b..d16dc1f1b 100644 # -interface(`kernel_read_unlabeled_state',` +interface(`kernel_delete_unlabeled',` - gen_require(` - type unlabeled_t; - ') - + gen_require(` + type unlabeled_t; + ') + - allow $1 unlabeled_t:dir list_dir_perms; + allow $1 unlabeled_t:dir delete_dir_perms; + allow $1 unlabeled_t:dir_file_class_set delete_file_perms; @@ -24755,8 +24755,8 @@ index e100d886b..d16dc1f1b 100644 + ') + + allow $1 unlabeled_t:dir list_dir_perms; - read_files_pattern($1, unlabeled_t, unlabeled_t) - read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) + read_files_pattern($1, unlabeled_t, unlabeled_t) + read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ') @@ -2306,7 +2556,7 @@ interface(`kernel_read_unlabeled_state',` ## @@ -24768,9 +24768,9 @@ index e100d886b..d16dc1f1b 100644 ## # @@ -2486,6 +2736,24 @@ interface(`kernel_rw_unlabeled_blk_files',` - allow $1 unlabeled_t:blk_file getattr; + allow $1 unlabeled_t:blk_file getattr; ') - + +######################################## +## +## Read and write unlabeled sockets. @@ -24793,9 +24793,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Do not audit attempts by caller to get attributes for @@ -2523,6 +2791,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` - allow $1 unlabeled_t:dir { list_dir_perms relabelfrom }; + allow $1 unlabeled_t:dir { list_dir_perms relabelfrom }; ') - + +######################################## +## +## Allow caller to relabel unlabeled filesystems. @@ -24818,9 +24818,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Allow caller to relabel unlabeled files. @@ -2665,6 +2951,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` - dontaudit $1 unlabeled_t:association { sendto recvfrom }; + dontaudit $1 unlabeled_t:association { sendto recvfrom }; ') - + +######################################## +## +## Receive DCCP packets from an unlabeled connection. 
@@ -24843,9 +24843,9 @@ index e100d886b..d16dc1f1b 100644 ## ## Receive TCP packets from an unlabeled connection. @@ -2692,6 +2996,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` - allow $1 unlabeled_t:tcp_socket recvfrom; + allow $1 unlabeled_t:tcp_socket recvfrom; ') - + +######################################## +## +## Do not audit attempts to receive DCCP packets from an unlabeled @@ -24869,8 +24869,8 @@ index e100d886b..d16dc1f1b 100644 ## ## Do not audit attempts to receive TCP packets from an unlabeled @@ -2803,6 +3126,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` - - allow $1 unlabeled_t:rawip_socket recvfrom; + + allow $1 unlabeled_t:rawip_socket recvfrom; ') +######################################## +## @@ -24899,13 +24899,13 @@ index e100d886b..d16dc1f1b 100644 + allow $1 unlabeled_t:rawip_socket rw_socket_perms; +') + - + ######################################## ## @@ -2956,6 +3306,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` - allow $1 unlabeled_t:db_blob { setattr relabelfrom }; + allow $1 unlabeled_t:db_blob { setattr relabelfrom }; ') - + +######################################## +## +## Relabel to unlabeled context . @@ -24928,16 +24928,16 @@ index e100d886b..d16dc1f1b 100644 ## ## Unconfined access to kernel module resources. @@ -2972,5 +3340,683 @@ interface(`kernel_unconfined',` - ') - - typeattribute $1 kern_unconfined; + ') + + typeattribute $1 kern_unconfined; - kernel_load_module($1) -+ kernel_load_module($1) ++ kernel_load_module($1) +') + +######################################## +## -+## Allow the specified domain to getattr on ++## Allow the specified domain to getattr on +## the kernel with a unix socket. +## +## @@ -24956,7 +24956,7 @@ index e100d886b..d16dc1f1b 100644 + +####################################### +## -+## Allow the specified domain to write on ++## Allow the specified domain to write on +## the kernel with a unix socket. +## +## 
@@ -24975,7 +24975,7 @@ index e100d886b..d16dc1f1b 100644 + +####################################### +## -+## Allow the specified domain to read/write on ++## Allow the specified domain to read/write on +## the kernel with a unix socket. +## +## @@ -25276,7 +25276,7 @@ index e100d886b..d16dc1f1b 100644 +## +##

      +## Allow the specified domain to read the security -+## state information. ++## state information. +##

      +##
      +## @@ -25307,7 +25307,7 @@ index e100d886b..d16dc1f1b 100644 +## +##

      +## Allow the specified domain to write the security -+## state information. ++## state information. +##

      +##
      +## @@ -25619,13 +25619,13 @@ index 8dbab4c5e..36a42c060 100644 @@ -25,6 +25,9 @@ attribute kern_unconfined; # regular entries in proc attribute proc_type; - + +# attribute for domains which read proc_t +attribute kernel_system_state_reader; + # sysctls attribute sysctl_type; - + @@ -48,6 +51,7 @@ ifdef(`enable_mls',` type kernel_t, can_load_kernmodule; domain_base_type(kernel_t) @@ -25633,7 +25633,7 @@ index 8dbab4c5e..36a42c060 100644 +mls_trusted_object(kernel_t) role system_r types kernel_t; sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) - + @@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) type debugfs_t; files_mountpoint(debugfs_t) @@ -25642,18 +25642,18 @@ index 8dbab4c5e..36a42c060 100644 + allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) - + @@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) - + +type proc_numa_t, proc_type; +genfscon proc /numatools gen_context(system_u:object_r:proc_numa_t,s0) +mls_trusted_object(proc_numa_t) + type proc_net_t, proc_type; genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) - + +type proc_security_t, proc_type; +genfscon proc /sys/fs/protected_hardlinks gen_context(system_u:object_r:proc_security_t,s0) +genfscon proc /sys/fs/protected_symlinks gen_context(system_u:object_r:proc_security_t,s0) @@ -25677,25 +25677,25 @@ index 8dbab4c5e..36a42c060 100644 files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) 
@@ -114,10 +143,12 @@ genfscon proc /sys gen_context(system_u:object_r:sysctl_t,s0) - + # /proc/irq directory and files type sysctl_irq_t, sysctl_type; +fs_associate_proc(sysctl_irq_t) genfscon proc /irq gen_context(system_u:object_r:sysctl_irq_t,s0) - + # /proc/net/rpc directory and files type sysctl_rpc_t, sysctl_type; +fs_associate_proc(sysctl_rpc_t) genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) - + # /proc/sys/crypto directory and files @@ -131,16 +162,9 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) - + # /proc/sys/kernel directory and files type sysctl_kernel_t, sysctl_type; +fs_associate(sysctl_kernel_t) genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) - + -# /proc/sys/kernel/modprobe file -type sysctl_modprobe_t, sysctl_type; -genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:sysctl_modprobe_t,s0) @@ -25710,7 +25710,7 @@ index 8dbab4c5e..36a42c060 100644 @@ -153,6 +177,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) - + +# /proc/sys/vm/overcommit_memory +type sysctl_vm_overcommit_t, sysctl_type; +genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0) @@ -25730,13 +25730,13 @@ index 8dbab4c5e..36a42c060 100644 +kernel_rootfs_mountpoint(unlabeled_t) +sid file gen_context(system_u:object_r:unlabeled_t,s0) +typealias unlabeled_t alias file_t; - + # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -189,6 +225,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # - + +allow kernel_t self:capability2 mac_admin; allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 
@@ -25744,7 +25744,7 @@ index 8dbab4c5e..36a42c060 100644 @@ -233,7 +270,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) - + -corenet_all_recvfrom_unlabeled(kernel_t) corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: @@ -25759,7 +25759,7 @@ index 8dbab4c5e..36a42c060 100644 +corenet_ib_access_unlabeled_pkeys(kernel_t) +corenet_ib_manage_subnet_all_endports(kernel_t) +corenet_ib_manage_subnet_unlabeled_endports(kernel_t) - + dev_read_sysfs(kernel_t) dev_search_usbfs(kernel_t) # devtmpfs handling: @@ -25777,17 +25777,17 @@ index 8dbab4c5e..36a42c060 100644 +dev_filetrans_all_named_dev(kernel_t) +storage_filetrans_all_named_dev(kernel_t) +term_filetrans_all_named_dev(kernel_t) - + # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem @@ -263,7 +308,8 @@ fs_unmount_all_fs(kernel_t) - + selinux_load_policy(kernel_t) - + -term_use_console(kernel_t) +term_use_all_terms(kernel_t) +term_use_ptmx(kernel_t) - + corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) @@ -277,25 +323,54 @@ files_list_root(kernel_t) 
@@ -25796,27 +25796,27 @@ index 8dbab4c5e..36a42c060 100644 files_read_usr_files(kernel_t) +files_manage_mounttab(kernel_t) +files_manage_generic_spool_dirs(kernel_t) - + mcs_process_set_categories(kernel_t) +mcs_file_read_all(kernel_t) +mcs_file_write_all(kernel_t) +mcs_socket_write_all_levels(kernel_t) - + mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) +mls_file_downgrade(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) -+mls_socket_write_all_levels(kernel_t) -+mls_fd_share_all_levels(kernel_t) ++mls_socket_write_all_levels(kernel_t) ++mls_fd_share_all_levels(kernel_t) +mls_fd_use_all_levels(kernel_t) +mls_process_set_level(kernel_t) - + ifdef(`distro_redhat',` - # Bugzilla 222337 - fs_rw_tmpfs_chr_files(kernel_t) + # Bugzilla 222337 + fs_rw_tmpfs_chr_files(kernel_t) ') - + + +optional_policy(` + abrt_filetrans_named_content(kernel_t) @@ -25836,19 +25836,19 @@ index 8dbab4c5e..36a42c060 100644 +') + optional_policy(` - hotplug_search_config(kernel_t) + hotplug_search_config(kernel_t) ') - + optional_policy(` - init_sigchld(kernel_t) + init_sigchld(kernel_t) + init_dyntrans(kernel_t) ') - + optional_policy(` @@ -305,12 +380,30 @@ optional_policy(` - + optional_policy(` - logging_send_syslog_msg(kernel_t) + logging_send_syslog_msg(kernel_t) + logging_manage_generic_logs(kernel_t) +') + @@ -25863,53 +25863,53 @@ index 8dbab4c5e..36a42c060 100644 +optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) ') - + optional_policy(` - nis_use_ypbind(kernel_t) + nis_use_ypbind(kernel_t) ') - + +optional_policy(` + plymouthd_create_log(kernel_t) + plymouthd_filetrans_named_content(kernel_t) +') + optional_policy(` - # nfs kernel server needs kernel UDP access. It is less risky and painful - # to just give it everything. + # nfs kernel server needs kernel UDP access. It is less risky and painful + # to just give it everything. 
@@ -332,9 +425,6 @@ optional_policy(` - - sysnet_read_config(kernel_t) - + + sysnet_read_config(kernel_t) + - rpc_manage_nfs_ro_content(kernel_t) - rpc_manage_nfs_rw_content(kernel_t) - rpc_tcp_rw_nfs_sockets(kernel_t) - rpc_udp_rw_nfs_sockets(kernel_t) - - tunable_policy(`nfs_export_all_ro',` + rpc_udp_rw_nfs_sockets(kernel_t) + + tunable_policy(`nfs_export_all_ro',` @@ -343,9 +433,7 @@ optional_policy(` - fs_read_noxattr_fs_files(kernel_t) - fs_read_noxattr_fs_symlinks(kernel_t) - + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + - files_list_non_auth_dirs(kernel_t) - files_read_non_auth_files(kernel_t) - files_read_non_auth_symlinks(kernel_t) + files_read_non_security_files(kernel_t) - ') - - tunable_policy(`nfs_export_all_rw',` + ') + + tunable_policy(`nfs_export_all_rw',` @@ -354,7 +442,7 @@ optional_policy(` - fs_read_noxattr_fs_files(kernel_t) - fs_read_noxattr_fs_symlinks(kernel_t) - + fs_read_noxattr_fs_files(kernel_t) + fs_read_noxattr_fs_symlinks(kernel_t) + - files_manage_non_auth_files(kernel_t) + files_manage_non_security_files(kernel_t) - ') + ') ') - + @@ -367,6 +455,15 @@ optional_policy(` - unconfined_domain_noaudit(kernel_t) + unconfined_domain_noaudit(kernel_t) ') - + +optional_policy(` + virt_filetrans_home_content(kernel_t) +') @@ -25924,27 +25924,27 @@ index 8dbab4c5e..36a42c060 100644 # Unlabeled process local policy @@ -388,6 +485,8 @@ optional_policy(` if( ! secure_mode_insmod ) { - allow can_load_kernmodule self:capability sys_module; - + allow can_load_kernmodule self:capability sys_module; + + files_load_kernel_modules(can_load_kernmodule) + - # load_module() calls stop_machine() which - # calls sched_setscheduler() - allow can_load_kernmodule self:capability sys_nice; + # load_module() calls stop_machine() which + # calls sched_setscheduler() + allow can_load_kernmodule self:capability sys_nice; 
@@ -399,14 +498,39 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # - + -allow kern_unconfined proc_type:{ dir file lnk_file } *; +allow kern_unconfined proc_type:{ file } ~entrypoint; +allow kern_unconfined proc_type:{ dir lnk_file } *; - + -allow kern_unconfined sysctl_type:{ dir file } *; +allow kern_unconfined sysctl_type:{ file } ~entrypoint; +allow kern_unconfined sysctl_type:{ dir } *; - + allow kern_unconfined kernel_t:system *; - + -allow kern_unconfined unlabeled_t:dir_file_class_set *; +allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *; +allow kern_unconfined unlabeled_t:file ~entrypoint; @@ -25990,7 +25990,7 @@ index b08a6e849..43d504b88 100644 - typeattribute $1 mcsreadall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') - + ######################################## @@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` ## @@ -26003,7 +26003,7 @@ index b08a6e849..43d504b88 100644 - typeattribute $1 mcswriteall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') - + ######################################## @@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` ## @@ -26016,7 +26016,7 @@ index b08a6e849..43d504b88 100644 - typeattribute $1 mcskillall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') - + ######################################## @@ -104,11 +92,7 @@ interface(`mcs_killall',` ## @@ -26029,11 +26029,11 @@ index b08a6e849..43d504b88 100644 - typeattribute $1 mcsptraceall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') - + ######################################## @@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',` - - typeattribute $1 mcssetcats; + + typeattribute $1 mcssetcats; ') + +######################################## @@ -26065,9 +26065,9 @@ index d178478da..42bf05bcd 100644 
--- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -97,6 +97,26 @@ interface(`mls_file_write_to_clearance',` - typeattribute $1 mlsfilewritetoclr; + typeattribute $1 mlsfilewritetoclr; ') - + +######################################## +## +## Make specified domain MLS trusted @@ -26100,7 +26100,7 @@ index 8c7bd90d2..66ee5b9a1 100644 attribute mlsfileupgrade; attribute mlsfiledowngrade; +attribute mlsfilerelabeltoclr; - + attribute mlsnetread; attribute mlsnetreadtoclr; diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc @@ -26115,87 +26115,87 @@ index 6d0811da3..c10081b23 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` - - # because of this statement, any module which - # calls this interface must be in the base module: + + # because of this statement, any module which + # calls this interface must be in the base module: - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) +# genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) ') - + ######################################## @@ -58,6 +58,9 @@ interface(`selinux_get_fs_mount',` - type security_t; - ') - + type security_t; + ') + + allow $1 security_t:lnk_file read_lnk_file_perms; + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs 
@@ -87,6 +90,7 @@ interface(`selinux_dontaudit_get_fs_mount',` - # starting in libselinux 2.0.5, init_selinuxmnt() will - # attempt to short circuit by checking if SELINUXMNT - # (/selinux) is already a selinuxfs + # starting in libselinux 2.0.5, init_selinuxmnt() will + # attempt to short circuit by checking if SELINUXMNT + # (/selinux) is already a selinuxfs + dev_dontaudit_search_sysfs($1) - dontaudit $1 security_t:filesystem getattr; - - # read /proc/filesystems to see if selinuxfs is supported + dontaudit $1 security_t:filesystem getattr; + + # read /proc/filesystems to see if selinuxfs is supported @@ -109,6 +113,9 @@ interface(`selinux_mount_fs',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:filesystem mount; + allow $1 security_t:filesystem mount; ') - + @@ -128,6 +135,9 @@ interface(`selinux_remount_fs',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:filesystem remount; + allow $1 security_t:filesystem remount; ') - + @@ -146,6 +156,9 @@ interface(`selinux_unmount_fs',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:filesystem unmount; + allow $1 security_t:filesystem unmount; ') - + @@ -164,6 +177,7 @@ interface(`selinux_getattr_fs',` - type security_t; - ') - + type security_t; + ') + + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:filesystem getattr; + allow $1 security_t:filesystem getattr; ') - + 
@@ -221,7 +235,12 @@ interface(`selinux_search_fs',` - ') - - dev_search_sysfs($1) + ') + + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir search_dir_perms; + allow $1 security_t:dir search_dir_perms; + + optional_policy(` + seutil_search_config($1) + ') ') - + ######################################## @@ -242,6 +261,28 @@ interface(`selinux_dontaudit_search_fs',` - dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:dir search_dir_perms; ') - + +######################################## +## +## Mount on selinuxfs directories. @@ -26222,35 +26222,35 @@ index 6d0811da3..c10081b23 100644 ## ## Do not audit attempts to read @@ -258,6 +299,7 @@ interface(`selinux_dontaudit_read_fs',` - type security_t; - ') - + type security_t; + ') + + selinux_dontaudit_getattr_fs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file read_file_perms; + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file read_file_perms; ') @@ -280,8 +322,10 @@ interface(`selinux_get_enforce_mode',` - ') - - dev_search_sysfs($1) + ') + + dev_search_sysfs($1) + selinux_get_fs_mount($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; + allow $1 security_t:lnk_file read_lnk_file_perms; ') - + ######################################## 
@@ -310,22 +354,12 @@ interface(`selinux_set_enforce_mode',` - gen_require(` - type security_t; - attribute can_setenforce; + gen_require(` + type security_t; + attribute can_setenforce; - bool secure_mode_policyload; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - typeattribute $1 can_setenforce; + ') + + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + typeattribute $1 can_setenforce; - - if(!secure_mode_policyload) { - allow $1 security_t:security setenforce; @@ -26261,20 +26261,20 @@ index 6d0811da3..c10081b23 100644 - ') - } ') - + ######################################## @@ -342,22 +376,13 @@ interface(`selinux_load_policy',` - gen_require(` - type security_t; - attribute can_load_policy; + gen_require(` + type security_t; + attribute can_load_policy; - bool secure_mode_policyload; - ') - - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + ') + + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:lnk_file read_lnk_file_perms; - typeattribute $1 can_load_policy; + typeattribute $1 can_load_policy; - - if(!secure_mode_policyload) { - allow $1 security_t:security load_policy; @@ -26285,30 +26285,30 @@ index 6d0811da3..c10081b23 100644 - ') - } ') - + ######################################## @@ -378,6 +403,7 @@ interface(`selinux_read_policy',` - dev_search_sysfs($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; + dev_search_sysfs($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file read_file_perms; + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:security read_policy; + allow $1 security_t:security read_policy; ') - + 
@@ -438,19 +464,15 @@ interface(`selinux_set_boolean',` interface(`selinux_set_generic_booleans',` - gen_require(` - type security_t; + gen_require(` + type security_t; + attribute can_setbool; - ') - + ') + + typeattribute $1 can_setbool; - dev_search_sysfs($1) + dev_search_sysfs($1) - + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + - allow $1 security_t:security setbool; - - ifdef(`distro_rhel4',` @@ -26316,22 +26316,22 @@ index 6d0811da3..c10081b23 100644 - auditallow $1 security_t:security setbool; - ') ') - + ######################################## @@ -479,25 +501,16 @@ interface(`selinux_set_all_booleans',` - gen_require(` - type security_t, secure_mode_policyload_t; - attribute boolean_type; + gen_require(` + type security_t, secure_mode_policyload_t; + attribute boolean_type; - bool secure_mode_policyload; + attribute can_setbool; - ') - + ') + + typeattribute $1 can_setbool; + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) - + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; + allow $1 security_t:dir list_dir_perms; - allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; - allow $1 secure_mode_policyload_t:file read_file_perms; - @@ -26348,73 +26348,73 @@ index 6d0811da3..c10081b23 100644 + allow $1 boolean_type:dir list_dir_perms; + allow $1 boolean_type:file rw_file_perms; ') - + ######################################## 
@@ -528,7 +541,9 @@ interface(`selinux_set_parameters',` - attribute can_setsecparam; - ') - + attribute can_setsecparam; + ') + + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security setsecparam; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security setsecparam; @@ -552,9 +567,11 @@ interface(`selinux_validate_context',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; + allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file { map rw_file_perms }; - allow $1 security_t:security check_context; + allow $1 security_t:security check_context; ') - + @@ -595,7 +612,9 @@ interface(`selinux_compute_access_vector',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_av; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_av; 
@@ -617,7 +636,9 @@ interface(`selinux_compute_create_context',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_create; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_create; @@ -639,7 +660,9 @@ interface(`selinux_compute_member',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_member; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_member; @@ -669,12 +692,37 @@ interface(`selinux_compute_relabel_context',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_relabel; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_relabel; ') - + +######################################## +## +## Allows caller to setcheckreqprot @@ -26442,19 +26442,19 @@ index 6d0811da3..c10081b23 100644 ## ## Allows caller to compute possible contexts for a user. 
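Review bot: The new `allow $1 boolean_type:file rw_file_perms;` in `selinux_set_all_booleans` grants write access to the secure_mode_policyload boolean file, which the rule it replaces excluded with `-secure_mode_policyload_t`, while selinux.te still keeps that exclusion for unconfined domains (`allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;` survives as context below). Since `selinux_unconfined` now calls `selinux_set_all_booleans($1)`, the exclusion in selinux.te is effectively cancelled for unconfined callers as well. Unless the selinux.te conditional withholds `setbool` entirely while the boolean is on (not visible here), the interface should keep the split: `allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;` and `allow $1 secure_mode_policyload_t:file read_file_perms;`. The interface's gen_require is in the previous hunk.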
@@ -690,7 +738,9 @@ interface(`selinux_compute_user_contexts',` - type security_t; - ') - + type security_t; + ') + + dev_getattr_sysfs_fs($1) - dev_search_sysfs($1) + dev_search_sysfs($1) + allow $1 security_t:lnk_file read_lnk_file_perms; - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; - allow $1 security_t:security compute_user; + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file rw_file_perms; + allow $1 security_t:security compute_user; @@ -712,4 +762,28 @@ interface(`selinux_unconfined',` - ') - - typeattribute $1 selinux_unconfined_type; + ') + + typeattribute $1 selinux_unconfined_type; + selinux_set_all_booleans($1) + selinux_load_policy($1) + selinux_set_parameters($1) @@ -26491,32 +26491,32 @@ index e0a973ba1..7d3e431ee 100644 +attribute can_setbool; attribute can_setsecparam; attribute selinux_unconfined_type; - + @@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon securityfs / gen_context(system_u:object_r:security_t,s0) - + -neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; -neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; -neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; +neverallow ~{ can_load_policy } security_t:security load_policy; +neverallow ~{ can_setenforce } security_t:security setenforce; +neverallow ~{ can_setsecparam } security_t:security setsecparam; - + ######################################## # 
@@ -52,7 +53,7 @@ allow selinux_unconfined_type boolean_type:file read_file_perms; allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; - + # Access the security API. -allow selinux_unconfined_type security_t:security ~{ load_policy setenforce }; +allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; - + ifdef(`distro_rhel4',` - # needed for systems without audit support + # needed for systems without audit support @@ -60,11 +61,28 @@ ifdef(`distro_rhel4',` ') - + if(!secure_mode_policyload) { - allow selinux_unconfined_type security_t:security { load_policy setenforce }; - allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms; @@ -26525,9 +26525,9 @@ index e0a973ba1..7d3e431ee 100644 + dev_search_sysfs(can_setenforce) + allow can_setenforce security_t:dir list_dir_perms; + allow can_setenforce security_t:file rw_file_perms; - - ifdef(`distro_rhel4',` - # needed for systems without audit support + + ifdef(`distro_rhel4',` + # needed for systems without audit support - auditallow selinux_unconfined_type security_t:security { load_policy setenforce }; + auditallow can_setenforce security_t:security setenforce; + ') @@ -26544,7 +26544,7 @@ index e0a973ba1..7d3e431ee 100644 + ifdef(`distro_rhel4',` + # needed for systems without audit support + auditallow can_setbool boolean_type:security setbool; - ') + ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 54f182702..a45a1f8df 100644 @@ -26591,7 +26591,7 @@ index 54f182702..a45a1f8df 100644 /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -81,3 +86,6 @@ ifdef(`distro_redhat', ` - + /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) + 
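Review bot: The three lines added inside `if(!secure_mode_policyload) {` — `dev_search_sysfs(can_setenforce)`, `allow can_setenforce security_t:dir list_dir_perms;` and `allow can_setenforce security_t:file rw_file_perms;` — duplicate what `selinux_set_enforce_mode` already grants unconditionally to every type it puts in `can_setenforce` (visible in the first hunk of this chunk). Only the `setenforce` permission needs to sit under the boolean; the search/list/rw grants can be dropped from the conditional to keep it readable. The opening of the conditional, including any `allow can_setenforce security_t:security setenforce;`, is outside this hunk, so I am inferring its presence.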
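Review bot: `auditallow can_setbool boolean_type:security setbool;` names `boolean_type` as the target of a `security`-class check, but the kernel performs the setbool check against the selinuxfs SID, so this rule can never match an actual access and will never produce an audit record. The matching rule in the previous hunk uses the right target, `auditallow can_setenforce security_t:security setenforce;`, so for consistency this should read `auditallow can_setbool security_t:security setbool;`. It is wrapped in `ifdef(\`distro_rhel4',\`` and is therefore inert on this platform, but a dead rule is still misleading to the next reader.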
@@ -26602,9 +26602,9 @@ index 64c4cd01c..962b6858f 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -20,6 +20,26 @@ interface(`storage_getattr_fixed_disk_dev',` - allow $1 fixed_disk_device_t:blk_file getattr; + allow $1 fixed_disk_device_t:blk_file getattr; ') - + +######################################## +## +## Allow the caller to read/write inherited fixed disk @@ -26629,34 +26629,34 @@ index 64c4cd01c..962b6858f 100644 ## ## Do not audit attempts made by the caller to get @@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',` - dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; + #577012 + allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms; - typeattribute $1 fixed_disk_raw_read; + typeattribute $1 fixed_disk_raw_read; ') - + @@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',` interface(`storage_raw_rw_fixed_disk',` - storage_raw_read_fixed_disk($1) - storage_raw_write_fixed_disk($1) + storage_raw_read_fixed_disk($1) + storage_raw_write_fixed_disk($1) + dev_rw_generic_blk_files($1) ') - + ######################################## @@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',` - - allow $1 self:capability mknod; - allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; + + allow $1 self:capability mknod; + allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; + allow $1 fixed_disk_device_t:chr_file create_chr_file_perms; - dev_add_entry_generic_dirs($1) + dev_add_entry_generic_dirs($1) ') - + 
@@ -274,6 +298,48 @@ interface(`storage_dev_filetrans_fixed_disk',` - dev_filetrans($1, fixed_disk_device_t, blk_file, $2) + dev_filetrans($1, fixed_disk_device_t, blk_file, $2) ') - + +####################################### +## +## Create block devices in /dev with the fixed disk type @@ -26703,9 +26703,9 @@ index 64c4cd01c..962b6858f 100644 ## ## Create block devices in on a tmpfs filesystem with the @@ -293,6 +359,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` - fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file) + fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file) ') - + +######################################## +## +## Create block devices in on a tmp filesystem with the @@ -26729,9 +26729,9 @@ index 64c4cd01c..962b6858f 100644 ## ## Relabel fixed disk device nodes. @@ -716,6 +801,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; + dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') - + +####################################### +## +## Alow read and write inherited removable devices. @@ -26754,8 +26754,8 @@ index 64c4cd01c..962b6858f 100644 ## ## Allow the caller to directly read @@ -813,3 +916,462 @@ interface(`storage_unconfined',` - - typeattribute $1 storage_unconfined_type; + + typeattribute $1 storage_unconfined_type; ') + +######################################## @@ -27221,7 +27221,7 @@ index 156c33310..02f5a3c91 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -57,3 +57,9 @@ dev_node(tape_device_t) - + allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *; allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *; + 
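Review bot: `storage_raw_rw_fixed_disk` now also calls `dev_rw_generic_blk_files($1)`, which gives every caller read/write on generic `device_t` block nodes in addition to `fixed_disk_device_t`; that is a widening beyond what the interface name promises and lets a domain that only needed disks touch any block device that lacks a specific label. If a particular caller needs it, the call belongs in that caller's .te, or at minimum the interface description should say the generic grant is included. The comment `#577012` in `storage_raw_read_fixed_disk` is a bare bug number; it should say what the `lnk_file read_lnk_file_perms` is for, keeping the reference, e.g. `# BZ#577012: <which symlinks resolve to fixed disk nodes>`.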
@@ -27248,7 +27248,7 @@ index 0ea25b653..37069ae93 100644 +/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0) +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) - + /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) @@ -42,3 +43,7 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev @@ -27263,17 +27263,17 @@ index cbb729b66..f118b2a3b 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,13 +124,32 @@ interface(`term_user_tty',` - type_change $1 ttynode:chr_file $2; - ') - + type_change $1 ttynode:chr_file $2; + ') + - tunable_policy(`console_login',` + tunable_policy(`login_console_enabled',` - # When user logs in from /dev/console, relabel it - # to user tty type as well. - type_change $1 console_device_t:chr_file $2; - ') + # When user logs in from /dev/console, relabel it + # to user tty type as well. + type_change $1 console_device_t:chr_file $2; + ') ') - + +######################################## +## +## Create the /dev/pts directory. @@ -27297,12 +27297,12 @@ index cbb729b66..f118b2a3b 100644 ## ## Create a pty in the /dev/pts directory. @@ -206,6 +225,27 @@ interface(`term_use_all_terms',` - allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; + allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms; ') - + +######################################## +## -+## Read and write the inherited console, all inherited ++## Read and write the inherited console, all inherited +## ttys and ptys. +## +## @@ -27331,25 +27331,25 @@ index cbb729b66..f118b2a3b 100644 -## # interface(`term_use_console',` - gen_require(` + gen_require(` 
@@ -299,9 +338,12 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; + gen_require(` + type console_device_t; + type tty_device_t; - ') - + ') + - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; + init_dontaudit_use_fds($1) + dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; ') - + ######################################## @@ -382,6 +424,42 @@ interface(`term_getattr_pty_fs',` - allow $1 devpts_t:filesystem getattr; + allow $1 devpts_t:filesystem getattr; ') - + +######################################## +## +## Mount a pty filesystem @@ -27390,9 +27390,9 @@ index cbb729b66..f118b2a3b 100644 ## ## Relabel from and to pty filesystem. @@ -479,6 +557,24 @@ interface(`term_list_ptys',` - allow $1 devpts_t:dir list_dir_perms; + allow $1 devpts_t:dir list_dir_perms; ') - + +######################################## +## +## Relabel the /dev/pts directory @@ -27415,7 +27415,7 @@ index cbb729b66..f118b2a3b 100644 ## ## Do not audit attempts to read the @@ -620,7 +716,7 @@ interface(`term_use_generic_ptys',` - + ######################################## ## -## Dot not audit attempts to read and @@ -27424,17 +27424,17 @@ index cbb729b66..f118b2a3b 100644 ## generally only used in the targeted policy. ## @@ -635,6 +731,7 @@ interface(`term_dontaudit_use_generic_ptys',` - type devpts_t; - ') - + type devpts_t; + ') + + init_dontaudit_use_fds($1) - dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; + dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') - + @@ -877,6 +974,26 @@ interface(`term_use_all_ptys',` - allow $1 ptynode:chr_file { rw_term_perms lock append }; + allow $1 ptynode:chr_file { rw_term_perms lock append }; ') - + +######################################## +## +## Read and write all inherited ptys. 
@@ -27459,22 +27459,22 @@ index cbb729b66..f118b2a3b 100644 ## ## Do not audit attempts to read or write any ptys. @@ -892,7 +1009,7 @@ interface(`term_dontaudit_use_all_ptys',` - attribute ptynode; - ') - + attribute ptynode; + ') + - dontaudit $1 ptynode:chr_file { rw_term_perms lock append }; + dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append }; ') - + ######################################## @@ -912,7 +1029,7 @@ interface(`term_relabel_all_ptys',` - ') - - dev_list_all_dev_nodes($1) + ') + + dev_list_all_dev_nodes($1) - relabel_chr_files_pattern($1, devpts_t, ptynode) + relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } ) ') - + ######################################## @@ -940,7 +1057,7 @@ interface(`term_getattr_all_user_ptys',` ## @@ -27486,9 +27486,9 @@ index cbb729b66..f118b2a3b 100644 ## # @@ -1065,6 +1182,28 @@ interface(`term_getattr_unallocated_ttys',` - allow $1 tty_device_t:chr_file getattr; + allow $1 tty_device_t:chr_file getattr; ') - + +######################################## +## +## Allow open access for all unallocated @@ -27515,9 +27515,9 @@ index cbb729b66..f118b2a3b 100644 ## ## Do not audit attempts to get the attributes @@ -1163,6 +1302,25 @@ interface(`term_relabel_unallocated_ttys',` - allow $1 tty_device_t:chr_file relabel_chr_file_perms; + allow $1 tty_device_t:chr_file relabel_chr_file_perms; ') - + +######################################## +## +## Mounton unallocated tty device nodes. @@ -27541,9 +27541,9 @@ index cbb729b66..f118b2a3b 100644 ## ## Relabel from all user tty types to @@ -1259,7 +1417,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` - type tty_device_t; - ') - + type tty_device_t; + ') + - dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; + init_dontaudit_use_fds($1) + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; 
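Review bot: `relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )` in `term_relabel_all_ptys` now also permits relabelfrom/relabelto on `devpts_t:chr_file`, so a caller can strip a user pty back to the generic devpts_t type, not only move it between pty types. That is reasonable for login daemons that recycle ptys but it is a widening for every other caller of this interface, and the description (outside the hunk) does not mention it; a line such as `## Also allows relabelling to and from the generic devpts_t type.` would make the grant explicit. The change from `rw_term_perms` to `rw_inherited_term_perms` in `term_dontaudit_use_all_ptys` just above is consistent with the rest of the series.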
@@ -27587,39 +27587,39 @@ index cbb729b66..f118b2a3b 100644 + + allow $1 usbtty_device_t:chr_file setattr; ') - + ######################################## @@ -1275,11 +1473,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` - gen_require(` + gen_require(` + type tty_device_t; - attribute ttynode; - ') - - dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file getattr; + attribute ttynode; + ') + + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file getattr; + allow $1 tty_device_t:chr_file getattr; ') - + ######################################## @@ -1296,10 +1496,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` - gen_require(` - attribute ttynode; + gen_require(` + attribute ttynode; + type tty_device_t; - ') - - dev_list_all_dev_nodes($1) - dontaudit $1 ttynode:chr_file getattr; + ') + + dev_list_all_dev_nodes($1) + dontaudit $1 ttynode:chr_file getattr; + dontaudit $1 tty_device_t:chr_file getattr; ') - + ######################################## @@ -1377,7 +1579,27 @@ interface(`term_use_all_ttys',` - ') - - dev_list_all_dev_nodes($1) + ') + + dev_list_all_dev_nodes($1) - allow $1 ttynode:chr_file rw_chr_file_perms; + allow $1 ttynode:chr_file rw_term_perms; +') @@ -27643,16 +27643,16 @@ index cbb729b66..f118b2a3b 100644 + dev_list_all_dev_nodes($1) + allow $1 ttynode:chr_file rw_inherited_term_perms; ') - + ######################################## @@ -1396,7 +1618,7 @@ interface(`term_dontaudit_use_all_ttys',` - attribute ttynode; - ') - + attribute ttynode; + ') + - dontaudit $1 ttynode:chr_file rw_chr_file_perms; + dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms; ') - + ######################################## @@ -1504,7 +1726,7 @@ interface(`term_use_all_user_ttys',` ## @@ -27664,9 +27664,9 @@ index cbb729b66..f118b2a3b 100644 ## # 
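Review bot: `term_use_all_ttys` changes its grant from `rw_chr_file_perms` to `rw_term_perms`; in refpolicy's permission sets the latter does not include `lock`, so callers that flock a tty (serial and dial-up tools commonly do) will start getting denials. The sibling interface `term_use_all_ptys` visible earlier in this chunk grants `{ rw_term_perms lock append }` for exactly that reason, so either match it with `allow $1 ttynode:chr_file { rw_term_perms lock };` or, if dropping lock is deliberate, say so in the interface description. The gen_require of `term_use_all_ttys` is outside the hunk.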
@@ -1513,21 +1735,435 @@ interface(`term_dontaudit_use_all_user_ttys',` - term_dontaudit_use_all_ttys($1) + term_dontaudit_use_all_ttys($1) ') - + +#################################### +## +## Getattr on the virtio console. @@ -28118,13 +28118,13 @@ index 66e116a3f..a0a5d90fe 100644 fs_type(devpts_t) fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); +dev_associate(devpts_t) - + # # devtty_t is the type of /dev/tty. @@ -57,5 +58,8 @@ dev_node(tty_device_t) type usbtty_device_t, serial_device; dev_node(usbtty_device_t) - + +# +# virtio_device_t is the type of /dev/vport[0-9]p[0-9] +# @@ -28167,18 +28167,18 @@ index 834a065de..ff9369756 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te @@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) - + role auditadm_r; role system_r; -userdom_unpriv_user_template(auditadm) +userdom_confined_admin_template(auditadm) - + ######################################## # @@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t) - + domain_kill_all_domains(auditadm_t) - + +mls_file_read_all_levels(auditadm_t) + +selinux_read_policy(auditadm_t) @@ -28190,31 +28190,31 @@ index 834a065de..ff9369756 100644 logging_run_auditctl(auditadm_t, auditadm_r) logging_run_auditd(auditadm_t, auditadm_r) +logging_stream_connect_syslog(auditadm_t) - + seutil_run_runinit(auditadm_t, auditadm_r) seutil_read_bin_policy(auditadm_t) - + +userdom_dontaudit_search_admin_dir(auditadm_t) + optional_policy(` - consoletype_exec(auditadm_t) + consoletype_exec(auditadm_t) ') diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te index 3a45a3ef0..7499f24b5 100644 --- a/policy/modules/roles/logadm.te +++ b/policy/modules/roles/logadm.te 
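Review bot: `mls_file_read_all_levels(auditadm_t)` lifts the MLS read restriction for the whole auditadm domain and is added without a comment, which is the kind of grant a later reviewer will question first. If the reason is that audit logs carry labels above the admin's login level, say so on the line, e.g. `# audit logs may be labelled above the login level; auditadm must still read them` — I am inferring the motive, so confirm it. The switch to `userdom_confined_admin_template(auditadm)` and the added `selinux_read_policy(auditadm_t)` read as intended scope for an audit admin.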
@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0) - + role logadm_r; - + -userdom_base_user_template(logadm) +userdom_confined_admin_template(logadm) - + ######################################## # # logadmin local policy # - + -allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; - +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; @@ -28224,9 +28224,9 @@ index da111206f..21ab89b20 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) - + role secadm_r; - + -userdom_unpriv_user_template(secadm) -userdom_security_admin_template(secadm_t, secadm_r) +userdom_confined_admin_template(secadm) @@ -28234,40 +28234,40 @@ index da111206f..21ab89b20 100644 +userdom_inherit_append_admin_home_files(secadm_t) +userdom_read_admin_home_files(secadm_t) +userdom_manage_tmp_role(secadm_r, secadm_t) - + ######################################## # @@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r) - + allow secadm_t self:capability { dac_read_search dac_override }; - + +kernel_read_system_state(secadm_t) + corecmd_exec_shell(secadm_t) - + dev_relabel_all_dev_nodes(secadm_t) +dev_read_urand(secadm_t) - + domain_obj_id_change_exemption(secadm_t) - + @@ -30,14 +36,15 @@ mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) - + auth_role(secadm_r, secadm_t) -files_relabel_non_auth_files(secadm_t) -auth_relabel_shadow(secadm_t) +files_relabel_all_files(secadm_t) - + init_exec(secadm_t) - + logging_read_audit_log(secadm_t) logging_read_generic_logs(secadm_t) logging_read_audit_config(secadm_t) +logging_map_audit_config(secadm_t) +logging_map_audit_log(secadm_t) - + optional_policy(` - aide_run(secadm_t, secadm_r) + aide_run(secadm_t, secadm_r) diff --git a/policy/modules/roles/staff.if b/policy/modules/roles/staff.if index 234a940f9..d340f20b9 100644 --- a/policy/modules/roles/staff.if 
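Review bot: `files_relabel_all_files(secadm_t)` replaces the narrower pair `files_relabel_non_auth_files` plus `auth_relabel_shadow`, so secadm can now relabel whatever auth-related file types the old pair left out, not just shadow. That may be the intent for a security admin, but the widening is silent; a one-line comment such as `# secadm must be able to fix labels on any file, including auth data` would record it, or the old pair could be kept if only shadow was needed. The secadm.te declarations the hunk edits begin in the previous hunk.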
@@ -28275,7 +28275,7 @@ index 234a940f9..d340f20b9 100644 @@ -1,4 +1,4 @@ -## Administrator's unprivileged user role +## Administrator's unprivileged user - + ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te @@ -28284,7 +28284,7 @@ index 0fef1fca2..c03a52c04 100644 +++ b/policy/modules/roles/staff.te @@ -8,11 +8,74 @@ policy_module(staff, 2.4.0) role staff_r; - + userdom_unpriv_user_template(staff) +fs_exec_noxattr(staff_t) + @@ -28294,7 +28294,7 @@ index 0fef1fca2..c03a52c04 100644 +##

      +## +gen_tunable(staff_use_svirt, false) - + ######################################## # # Local policy @@ -28354,13 +28354,13 @@ index 0fef1fca2..c03a52c04 100644 +optional_policy(` + accountsd_read_lib_files(staff_t) +') - + optional_policy(` - apache_role(staff_r, staff_t) + apache_role(staff_r, staff_t) @@ -22,33 +85,205 @@ optional_policy(` - auditadm_role_change(staff_r) + auditadm_role_change(staff_r) ') - + +optional_policy(` + blueman_dbus_chat(staff_t) +') @@ -28382,9 +28382,9 @@ index 0fef1fca2..c03a52c04 100644 +') + optional_policy(` - dbadm_role_change(staff_r) + dbadm_role_change(staff_r) ') - + optional_policy(` - git_role(staff_r, staff_t) + dnsmasq_read_pid_files(staff_t) @@ -28487,11 +28487,11 @@ index 0fef1fca2..c03a52c04 100644 +optional_policy(` + openvpn_exec(staff_t) ') - + optional_policy(` - postgresql_role(staff_r, staff_t) + postgresql_role(staff_r, staff_t) ') - + +optional_policy(` + rtkit_scheduled(staff_t) +') @@ -28505,14 +28505,14 @@ index 0fef1fca2..c03a52c04 100644 +') + optional_policy(` - secadm_role_change(staff_r) + secadm_role_change(staff_r) ') - + optional_policy(` - ssh_role_template(staff, staff_r, staff_t) + sandbox_transition(staff_t, staff_r) ') - + optional_policy(` - sudo_role_template(staff, staff_r, staff_t) + sandbox_x_transition(staff_t, staff_r) @@ -28521,10 +28521,10 @@ index 0fef1fca2..c03a52c04 100644 +optional_policy(` + screen_role_template(staff, staff_r, staff_t) ') - + optional_policy(` - sysadm_role_change(staff_r) - userdom_dontaudit_use_user_terminals(staff_t) + sysadm_role_change(staff_r) + userdom_dontaudit_use_user_terminals(staff_t) + userdom_dontaudit_read_admin_home_files(staff_t) +') + @@ -28564,11 +28564,11 @@ index 0fef1fca2..c03a52c04 100644 + virt_search_images(staff_t) + virt_stream_connect(staff_t) ') - + optional_policy(` @@ -56,7 +291,24 @@ optional_policy(` ') - + optional_policy(` - xserver_role(staff_r, staff_t) + vmtools_run_helper(staff_t, staff_r) 
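Review bot: `fs_exec_noxattr(staff_t)` is added unconditionally right after the template call, before the Declarations/Local policy split, which lets staff execute binaries from filesystems without xattr labels; elsewhere in this file comparable user-facing widenings are behind tunables (`staff_use_svirt` declared here, `selinuxuser_execmod` further down). Consider gating it the same way or at least moving it under `# Local policy` with a comment stating which filesystems it is meant for. The visible `##` description for `staff_use_svirt` appears to have lost its text in this rendering, so double-check the tunable has a real description in the patch.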
@@ -28590,66 +28590,66 @@ index 0fef1fca2..c03a52c04 100644 + xserver_read_log(staff_t) + xserver_run(staff_t, staff_r) ') - + ifndef(`distro_redhat',` @@ -64,10 +316,6 @@ ifndef(`distro_redhat',` - auth_role(staff_r, staff_t) - ') - + auth_role(staff_r, staff_t) + ') + - optional_policy(` - bluetooth_role(staff_r, staff_t) - ') - - optional_policy(` - cdrecord_role(staff_r, staff_t) - ') + optional_policy(` + cdrecord_role(staff_r, staff_t) + ') @@ -78,10 +326,6 @@ ifndef(`distro_redhat',` - - optional_policy(` - dbus_role_template(staff, staff_r, staff_t) + + optional_policy(` + dbus_role_template(staff, staff_r, staff_t) - - optional_policy(` - gnome_role_template(staff, staff_r, staff_t) - ') - ') - - optional_policy(` + ') + + optional_policy(` @@ -100,10 +344,6 @@ ifndef(`distro_redhat',` - gpg_role(staff_r, staff_t) - ') - + gpg_role(staff_r, staff_t) + ') + - optional_policy(` - irc_role(staff_r, staff_t) - ') - - optional_policy(` - java_role(staff_r, staff_t) - ') + optional_policy(` + java_role(staff_r, staff_t) + ') @@ -124,10 +364,6 @@ ifndef(`distro_redhat',` - mplayer_role(staff_r, staff_t) - ') - + mplayer_role(staff_r, staff_t) + ') + - optional_policy(` - mta_role(staff_r, staff_t) - ') - - optional_policy(` - pyzor_role(staff_r, staff_t) - ') + optional_policy(` + pyzor_role(staff_r, staff_t) + ') @@ -140,10 +376,6 @@ ifndef(`distro_redhat',` - rssh_role(staff_r, staff_t) - ') - + rssh_role(staff_r, staff_t) + ') + - optional_policy(` - screen_role_template(staff, staff_r, staff_t) - ') - - optional_policy(` - spamassassin_role(staff_r, staff_t) - ') + optional_policy(` + spamassassin_role(staff_r, staff_t) + ') @@ -176,3 +408,24 @@ ifndef(`distro_redhat',` - wireshark_role(staff_r, staff_t) - ') + wireshark_role(staff_r, staff_t) + ') ') + +tunable_policy(`selinuxuser_execmod',` @@ -28677,9 +28677,9 @@ index ff9243078..36740eab3 100644 --- a/policy/modules/roles/sysadm.if +++ b/policy/modules/roles/sysadm.if 
@@ -70,6 +70,23 @@ interface(`sysadm_shell_domtrans',` - allow sysadm_t $1:process sigchld; + allow sysadm_t $1:process sigchld; ') - + +####################################### +## +## sysadm stub interface. No access allowed. @@ -28707,7 +28707,7 @@ index 2522ca6c0..aaa5a272d 100644 @@ -5,39 +5,112 @@ policy_module(sysadm, 2.6.1) # Declarations # - + -## -##

      -## Allow sysadm to debug or ptrace all processes. @@ -28716,7 +28716,7 @@ index 2522ca6c0..aaa5a272d 100644 -gen_tunable(allow_ptrace, false) - role sysadm_r; - + userdom_admin_user_template(sysadm) +allow sysadm_t self:socket { accept listen }; +allow sysadm_t self:netlink_tcpdiag_socket create_netlink_socket_perms; @@ -28724,20 +28724,20 @@ index 2522ca6c0..aaa5a272d 100644 +allow sysadm_t self:netlink_generic_socket create_socket_perms; +allow sysadm_t self:sctp_socket create_socket_perms; +allow sysadm_t self:rawip_socket create_socket_perms; - + -ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r) -') - + ######################################## # # Local policy # +kernel_read_fs_sysctls(sysadm_t) +kernel_read_all_proc(sysadm_t) - + corecmd_exec_shell(sysadm_t) - + +dev_filetrans_all_named_dev(sysadm_t) + +domain_dontaudit_read_all_domains_state(sysadm_t) @@ -28759,11 +28759,11 @@ index 2522ca6c0..aaa5a272d 100644 +mls_process_write_to_clearance(sysadm_t) + +storage_setattr_fixed_disk_dev(sysadm_t) - + ubac_process_exempt(sysadm_t) ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) - + +application_exec(sysadm_t) + +init_filetrans_named_content(sysadm_t) @@ -28789,7 +28789,7 @@ index 2522ca6c0..aaa5a272d 100644 +miscfiles_map_generic_certs(sysadm_t) + +sysnet_filetrans_named_content(sysadm_t) - + # Add/remove user home directories +userdom_manage_user_tmp_chr_files(sysadm_t) userdom_manage_user_home_dirs(sysadm_t) @@ -28824,13 +28824,13 @@ index 2522ca6c0..aaa5a272d 100644 + ssh_filetrans_admin_home_content(sysadm_t) + ssh_filetrans_keys(sysadm_t) +') - + ifdef(`direct_sysadm_daemon',` - optional_policy(` + optional_policy(` @@ -55,13 +128,7 @@ ifdef(`distro_gentoo',` - init_exec_rc(sysadm_t) + init_exec_rc(sysadm_t) ') - + -ifndef(`enable_mls',` - logging_manage_audit_log(sysadm_t) - logging_manage_audit_config(sysadm_t) 
@@ -28839,50 +28839,50 @@ index 2522ca6c0..aaa5a272d 100644 - -tunable_policy(`allow_ptrace',` +tunable_policy(`deny_ptrace',`',` - domain_ptrace_all_domains(sysadm_t) + domain_ptrace_all_domains(sysadm_t) ') - + @@ -71,9 +138,9 @@ optional_policy(` - + optional_policy(` - apache_run_helper(sysadm_t, sysadm_r) + apache_run_helper(sysadm_t, sysadm_r) + apache_filetrans_named_content(sysadm_t) - #apache_run_all_scripts(sysadm_t, sysadm_r) - #apache_domtrans_sys_script(sysadm_t) + #apache_run_all_scripts(sysadm_t, sysadm_r) + #apache_domtrans_sys_script(sysadm_t) - apache_role(sysadm_r, sysadm_t) ') - + optional_policy(` @@ -87,6 +154,7 @@ optional_policy(` - + optional_policy(` - asterisk_stream_connect(sysadm_t) + asterisk_stream_connect(sysadm_t) + asterisk_exec(sysadm_t) ') - + optional_policy(` @@ -109,12 +177,18 @@ optional_policy(` - bootloader_run(sysadm_t, sysadm_r) + bootloader_run(sysadm_t, sysadm_r) ') - + +optional_policy(` + certmonger_dbus_chat(sysadm_t) +') + optional_policy(` - certwatch_run(sysadm_t, sysadm_r) + certwatch_run(sysadm_t, sysadm_r) ') - + optional_policy(` - clock_run(sysadm_t, sysadm_r) + clock_run(sysadm_t, sysadm_r) + clock_manage_adjtime(sysadm_t) + clock_filetrans_named_content(sysadm_t) ') - + optional_policy(` @@ -122,11 +196,31 @@ optional_policy(` ') - + optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) @@ -28904,7 +28904,7 @@ index 2522ca6c0..aaa5a272d 100644 + dontaudit sysadm_dbusd_t self:capability net_admin; + ') - + optional_policy(` - cvs_exec(sysadm_t) + systemd_dbus_chat_timedated(sysadm_t) @@ -28912,46 +28912,46 @@ index 2522ca6c0..aaa5a272d 100644 + systemd_dbus_chat_localed(sysadm_t) + systemd_hwdb_mmap_config(sysadm_t) ') - + optional_policy(` 
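Review bot: `tunable_policy(\`deny_ptrace',\`',\`` followed by `domain_ptrace_all_domains(sysadm_t)` in the else-branch inverts the previous default: the old `allow_ptrace` tunable had to be switched on, whereas now sysadm gets ptrace over all domains unless `deny_ptrace` is set. If `deny_ptrace` defaults to false (its declaration is not in this hunk, so I am inferring), that is a behaviour change worth a comment here, e.g. `# sysadm can ptrace everything unless deny_ptrace is enabled`, and a mention in the package changelog. The removed `allow_ptrace` description in the earlier hunk should have its replacement documented wherever `deny_ptrace` is declared.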
@@ -139,6 +233,10 @@ optional_policy(` - ddcprobe_run(sysadm_t, sysadm_r) + ddcprobe_run(sysadm_t, sysadm_r) ') - + +optional_policy(` + devicekit_filetrans_named_content(sysadm_t) +') + optional_policy(` - dmesg_exec(sysadm_t) + dmesg_exec(sysadm_t) ') @@ -155,6 +253,10 @@ optional_policy(` - firstboot_run(sysadm_t, sysadm_r) + firstboot_run(sysadm_t, sysadm_r) ') - + +optional_policy(` + firewalld_dbus_chat(sysadm_t) +') + optional_policy(` - fstools_run(sysadm_t, sysadm_r) + fstools_run(sysadm_t, sysadm_r) ') @@ -163,6 +265,11 @@ optional_policy(` - hostname_run(sysadm_t, sysadm_r) + hostname_run(sysadm_t, sysadm_r) ') - + +optional_policy(` + hwloc_admin(sysadm_t) + hwloc_run_dhwd(sysadm_t, sysadm_r) +') + optional_policy(` - hadoop_role(sysadm_r, sysadm_t) + hadoop_role(sysadm_r, sysadm_t) ') @@ -175,10 +282,27 @@ optional_policy(` - ipsec_stream_connect(sysadm_t) - # for lsof - ipsec_getattr_key_sockets(sysadm_t) + ipsec_stream_connect(sysadm_t) + # for lsof + ipsec_getattr_key_sockets(sysadm_t) + ipsec_run_setkey(sysadm_t, sysadm_r) + ipsec_run_racoon(sysadm_t, sysadm_r) + ipsec_stream_connect_racoon(sysadm_t) @@ -28960,9 +28960,9 @@ index 2522ca6c0..aaa5a272d 100644 + ipsec_mgmt_dbus_chat(sysadm_t) + ') ') - + optional_policy(` - iptables_run(sysadm_t, sysadm_r) + iptables_run(sysadm_t, sysadm_r) + iptables_filetrans_named_content(sysadm_t) +') + @@ -28974,33 +28974,33 @@ index 2522ca6c0..aaa5a272d 100644 + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ') - + optional_policy(` @@ -190,11 +314,12 @@ optional_policy(` ') - + optional_policy(` - lockdev_role(sysadm_r, sysadm_t) + logrotate_run(sysadm_t, sysadm_r) ') - + optional_policy(` - logrotate_run(sysadm_t, sysadm_r) + corenet_tcp_bind_ldap_port(sysadm_t) + ldap_admin(sysadm_t, sysadm_r) ') - + optional_policy(` 
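Review bot: `corenet_tcp_bind_ldap_port(sysadm_t)` lets the interactive sysadm shell bind the directory port, which is unusual for an admin role and lets any process running as sysadm_t squat on 389/636 ahead of the real server. If it exists so an admin can run slapd in the foreground for debugging, a comment saying so (`# allow running the directory server in the foreground from the admin shell`) would justify it; otherwise `ldap_admin(sysadm_t, sysadm_r)` alone is probably what was meant. The enclosing `optional_policy` block begins in this hunk, so the pairing is visible.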
@@ -210,22 +335,21 @@ optional_policy(` - modutils_run_depmod(sysadm_t, sysadm_r) - modutils_run_insmod(sysadm_t, sysadm_r) - modutils_run_update_mods(sysadm_t, sysadm_r) + modutils_run_depmod(sysadm_t, sysadm_r) + modutils_run_insmod(sysadm_t, sysadm_r) + modutils_run_update_mods(sysadm_t, sysadm_r) + modutils_read_module_deps(sysadm_t) + modules_filetrans_named_content(sysadm_t) ') - + optional_policy(` - mount_run(sysadm_t, sysadm_r) + mount_run(sysadm_t, sysadm_r) -') - -optional_policy(` @@ -29011,38 +29011,38 @@ index 2522ca6c0..aaa5a272d 100644 - mplayer_role(sysadm_r, sysadm_t) + mount_run_showmount(sysadm_t, sysadm_r) ') - + optional_policy(` - mta_role(sysadm_r, sysadm_t) + mta_role(sysadm_r, sysadm_t) + # this is defined in userdom_common_user_template + #mta_filetrans_home_content(sysadm_t) + mta_filetrans_admin_home_content(sysadm_t) + mta_rw_aliases(sysadm_t) ') - + optional_policy(` @@ -236,25 +360,53 @@ optional_policy(` - mysql_stream_connect(sysadm_t) + mysql_stream_connect(sysadm_t) ') - + +optional_policy(` + ncftool_run(sysadm_t, sysadm_r) +') + optional_policy(` - netutils_run(sysadm_t, sysadm_r) - netutils_run_ping(sysadm_t, sysadm_r) - netutils_run_traceroute(sysadm_t, sysadm_r) + netutils_run(sysadm_t, sysadm_r) + netutils_run_ping(sysadm_t, sysadm_r) + netutils_run_traceroute(sysadm_t, sysadm_r) ') - + +optional_policy(` + networkmanager_filetrans_named_content(sysadm_t) + networkmanager_stream_connect(sysadm_t) +') + optional_policy(` - ntp_stub() - corenet_udp_bind_ntp_port(sysadm_t) + ntp_stub() + corenet_udp_bind_ntp_port(sysadm_t) + ntp_admin(sysadm_t, sysadm_r) +') + 
@@ -29053,19 +29053,19 @@ index 2522ca6c0..aaa5a272d 100644 +optional_policy(` + oddjob_dbus_chat(sysadm_t) ') - + optional_policy(` - oav_run_update(sysadm_t, sysadm_r) + oav_run_update(sysadm_t, sysadm_r) ') - + +optional_policy(` + openvpn_run(sysadm_t, sysadm_r) +') + optional_policy(` - pcmcia_run_cardctl(sysadm_t, sysadm_r) + pcmcia_run_cardctl(sysadm_t, sysadm_r) ') - + +optional_policy(` + polipo_role(sysadm_r, sysadm_t) + polipo_named_filetrans_admin_cache_home_dirs(sysadm_t) @@ -29073,43 +29073,43 @@ index 2522ca6c0..aaa5a272d 100644 +') + optional_policy(` - portage_run(sysadm_t, sysadm_r) - portage_run_fetch(sysadm_t, sysadm_r) + portage_run(sysadm_t, sysadm_r) + portage_run_fetch(sysadm_t, sysadm_r) @@ -266,35 +418,47 @@ optional_policy(` ') - + optional_policy(` - pyzor_role(sysadm_r, sysadm_t) + postfix_admin(sysadm_t, sysadm_r) ') - + optional_policy(` - quota_run(sysadm_t, sysadm_r) + postgresql_admin(sysadm_t, sysadm_r) + postgresql_run(sysadm_t, sysadm_r) ') - + optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) + journalctl_role(sysadm_r, sysadm_t) ') - + optional_policy(` - razor_role(sysadm_r, sysadm_t) + prelink_run(sysadm_t, sysadm_r) ') - + optional_policy(` - rpc_domtrans_nfsd(sysadm_t) + puppet_run_puppetca(sysadm_t, sysadm_r) + puppet_run(sysadm_t, sysadm_r) ') - + optional_policy(` - rpm_run(sysadm_t, sysadm_r) + quota_filetrans_named_content(sysadm_t) ') - + optional_policy(` - rssh_role(sysadm_r, sysadm_t) + raid_run_mdadm(sysadm_r,sysadm_t) @@ -29123,24 +29123,24 @@ index 2522ca6c0..aaa5a272d 100644 + rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') - + optional_policy(` - rsync_exec(sysadm_t) + rsync_exec(sysadm_t) + rsync_filetrans_named_content(sysadm_t) ') - + optional_policy(` 
@@ -308,19 +472,28 @@ optional_policy(` - + optional_policy(` - screen_role_template(sysadm, sysadm_r, sysadm_t) + screen_role_template(sysadm, sysadm_r, sysadm_t) + allow sysadm_screen_t self:capability { dac_read_search dac_override }; ') - + optional_policy(` - secadm_role_change(sysadm_r) + secadm_role_change(sysadm_r) ') - + +optional_policy(` + setroubleshoot_stream_connect(sysadm_t) + setroubleshoot_dbus_chat(sysadm_t) @@ -29148,21 +29148,21 @@ index 2522ca6c0..aaa5a272d 100644 +') + optional_policy(` - seutil_run_setfiles(sysadm_t, sysadm_r) - seutil_run_runinit(sysadm_t, sysadm_r) + seutil_run_setfiles(sysadm_t, sysadm_r) + seutil_run_runinit(sysadm_t, sysadm_r) + seutil_dbus_chat_semanage(sysadm_t) + seutil_read_login_config(sysadm_t) ') - + optional_policy(` - spamassassin_role(sysadm_r, sysadm_t) + shutdown_run(sysadm_t, sysadm_r) ') - + optional_policy(` @@ -345,30 +518,38 @@ optional_policy(` ') - + optional_policy(` - thunderbird_role(sysadm_r, sysadm_t) + systemd_passwd_agent_run(sysadm_t, sysadm_r) @@ -29175,7 +29175,7 @@ index 2522ca6c0..aaa5a272d 100644 + systemd_login_undefined(sysadm_t) + systemd_tmpfiles_run(sysadm_t, sysadm_r) ') - + optional_policy(` - tripwire_run_siggen(sysadm_t, sysadm_r) - tripwire_run_tripwire(sysadm_t, sysadm_r) @@ -29183,12 +29183,12 @@ index 2522ca6c0..aaa5a272d 100644 - tripwire_run_twprint(sysadm_t, sysadm_r) + systemd_exec_sysctl(sysadm_t) ') - + optional_policy(` - tvtime_role(sysadm_r, sysadm_t) + tftp_filetrans_named_content(sysadm_t) ') - + optional_policy(` - tzdata_domtrans(sysadm_t) + tripwire_run_siggen(sysadm_t, sysadm_r) @@ -29196,67 +29196,67 @@ index 2522ca6c0..aaa5a272d 100644 + tripwire_run_twadmin(sysadm_t, sysadm_r) + tripwire_run_twprint(sysadm_t, sysadm_r) ') - + optional_policy(` - uml_role(sysadm_r, sysadm_t) + tzdata_domtrans(sysadm_t) ') - + optional_policy(` - unconfined_domtrans(sysadm_t) + udev_run(sysadm_t, sysadm_r) ') - + optional_policy(` 
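Review bot: `+ allow sysadm_screen_t self:capability { dac_read_search dac_override };` is a raw allow rule placed in the role file right after `screen_role_template(sysadm, sysadm_r, sysadm_t)`, with no comment on why the admin's screen domain must bypass discretionary file permission checks; `dac_override` is a broad capability and a bare rule here will be hard to justify when the policy is audited later. I would precede it with a why-comment such as `# screen needs to open ttys/sockets owned by other users — TODO confirm`, or move the grant into the screen module behind the template so the rationale lives with the domain it affects. The outer hunk itself appears to only re-indent the inner patch; the point concerns the inner `+` line it carries.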
@@ -379,10 +560,6 @@ optional_policy(` - usbmodules_run(sysadm_t, sysadm_r) + usbmodules_run(sysadm_t, sysadm_r) ') - + -optional_policy(` - userhelper_role_template(sysadm, sysadm_r, sysadm_t) -') - optional_policy(` - usermanage_run_admin_passwd(sysadm_t, sysadm_r) - usermanage_run_groupadd(sysadm_t, sysadm_r) + usermanage_run_admin_passwd(sysadm_t, sysadm_r) + usermanage_run_groupadd(sysadm_t, sysadm_r) @@ -391,6 +568,9 @@ optional_policy(` - + optional_policy(` - virt_stream_connect(sysadm_t) + virt_stream_connect(sysadm_t) + virt_filetrans_home_content(sysadm_t) + virt_manage_pid_dirs(sysadm_t) + virt_transition_svirt_sandbox(sysadm_t, sysadm_r) ') - + optional_policy(` @@ -398,19 +578,19 @@ optional_policy(` ') - + optional_policy(` - vpn_run(sysadm_t, sysadm_r) + vlock_run(sysadm_t, sysadm_r) ') - + optional_policy(` - webalizer_run(sysadm_t, sysadm_r) + vpn_run(sysadm_t, sysadm_r) ') - + optional_policy(` - wireshark_role(sysadm_r, sysadm_t) + webalizer_run(sysadm_t, sysadm_r) ') - + optional_policy(` - vlock_run(sysadm_t, sysadm_r) + wireshark_role(sysadm_r, sysadm_t) ') - + optional_policy(` @@ -421,53 +601,11 @@ optional_policy(` - yam_run(sysadm_t, sysadm_r) + yam_run(sysadm_t, sysadm_r) ') - + -ifndef(`distro_redhat',` - optional_policy(` - auth_role(sysadm_r, sysadm_t) @@ -29308,7 +29308,7 @@ index 2522ca6c0..aaa5a272d 100644 +optional_policy(` + zebra_stream_connect(sysadm_t) ') - + +optional_policy(` + gnome_role_template(sysadm, sysadm_r, sysadm_t) + gnome_filetrans_admin_home_content(sysadm_t) @@ -30262,7 +30262,7 @@ index 000000000..d280802ba + gen_require(` + type user_tmpfs_t; + ') -+ ++ + xserver_rw_session(unconfined_t, user_tmpfs_t) + xserver_dbus_chat_xdm(unconfined_t) + ') @@ -30460,7 +30460,7 @@ index 383559646..fbca2be81 100644 @@ -1,4 +1,4 @@ -##

      Generic unprivileged user role +## Generic unprivileged user - + ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te @@ -30469,7 +30469,7 @@ index 6d77e81c5..5fc3b0b4e 100644 +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ policy_module(unprivuser, 2.4.0) - + +## +##

      +## Allow unprivileged user to create and transition to svirt domains. @@ -30479,11 +30479,11 @@ index 6d77e81c5..5fc3b0b4e 100644 + # this module should be named user, but that is # a compile error since user is a keyword. - + @@ -12,12 +19,102 @@ role user_r; - + userdom_unpriv_user_template(user) - + +kernel_read_numa_state(user_t) +kernel_write_numa_state(user_t) + @@ -30507,9 +30507,9 @@ index 6d77e81c5..5fc3b0b4e 100644 +') + optional_policy(` - apache_role(user_r, user_t) + apache_role(user_r, user_t) ') - + optional_policy(` - git_role(user_r, user_t) + blueman_dbus_chat(user_t) @@ -30582,16 +30582,16 @@ index 6d77e81c5..5fc3b0b4e 100644 +optional_policy(` + ssh_role_template(user, user_r, user_t) ') - + optional_policy(` @@ -25,11 +122,19 @@ optional_policy(` ') - + optional_policy(` - vlock_run(user_t, user_r) + setroubleshoot_dontaudit_stream_connect(user_t) ') - + +#optional_policy(` +# telepathy_dbus_session_role(user_r, user_t) +#') @@ -30604,31 +30604,31 @@ index 6d77e81c5..5fc3b0b4e 100644 +optional_policy(` + vlock_run(user_t, user_r) ') - + ifndef(`distro_redhat',` @@ -101,10 +206,6 @@ ifndef(`distro_redhat',` - mplayer_role(user_r, user_t) - ') - + mplayer_role(user_r, user_t) + ') + - optional_policy(` - mta_role(user_r, user_t) - ') - - optional_policy(` - postgresql_role(user_r, user_t) - ') + optional_policy(` + postgresql_role(user_r, user_t) + ') @@ -128,7 +229,6 @@ ifndef(`distro_redhat',` - optional_policy(` - ssh_role_template(user, user_r, user_t) - ') + optional_policy(` + ssh_role_template(user, user_r, user_t) + ') - - optional_policy(` - su_role_template(user, user_r, user_t) - ') + optional_policy(` + su_role_template(user, user_r, user_t) + ') @@ -160,4 +260,24 @@ ifndef(`distro_redhat',` - optional_policy(` - wireshark_role(user_r, user_t) - ') + optional_policy(` + wireshark_role(user_r, user_t) + ') + + optional_policy(` + xserver_run(user_t, user_r) 
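Review bot: `+#optional_policy(\`` / `+# telepathy_dbus_session_role(user_r, user_t)` / `+#')` adds a commented-out policy block to unprivuser.te without saying why it is disabled; commented-out policy reads as if it still applies and tends to be re-enabled by accident. Either drop the three lines or keep them with a one-line reason, e.g. `# telepathy role disabled: <reason — TODO confirm>`. The same pattern recurs on the new side of later hunks: `#mta_filetrans_home_content(sysadm_t)` in sysadm.te (the preceding `@@ -29011` hunk), `#/var/run/postmaster.*` in postgresql.fc (`@@ -30662`), and `#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)`, `#fs_tmpfs_filetrans(...)` and `#kerberos_manage_host_rcache($1_t)` in ssh.if (`@@ -31454` and `@@ -31546`). This outer hunk appears to be whitespace normalization; the point concerns the inner patch lines it carries.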
@@ -30662,26 +30662,26 @@ index a26f84f40..d52bc2e3c 100644 +/usr/bin/postgresql-check-db-dir -- gen_context(system_u:object_r:postgresql_exec_t,s0) + +/usr/libexec/postgresql-ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) - + /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) @@ -28,9 +32,10 @@ ifdef(`distro_redhat', ` # /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) - + -/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) +/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) -/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/.*\.log gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/data/pg_log(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) - + /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) @@ -45,4 +50,4 @@ ifdef(`distro_redhat', ` - + /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) - + -/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) +#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if @@ -30699,7 +30699,7 @@ index 9d2f31168..df0970c02 100644 ## # interface(`postgresql_role',` - gen_require(` + gen_require(` - class db_database all_db_database_perms; - class db_schema all_db_schema_perms; - class db_table all_db_table_perms; 
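Review bot: `+/var/lib/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)` replaces the narrower `/var/lib/pgsql/data(/.*)?` entry, so everything under /var/lib/pgsql that is not caught by the more specific `/var/lib/pgsql/.*\.log` and `/var/lib/pgsql/data/pg_log(/.*)?` entries is now database content the server domain may manage; the hunk does not say what else lives there that needed the wider label. A short comment above the line, `# whole /var/lib/pgsql tree is database content except the log entries below`, would record the intent. The removed `-/var/lib/pgsql/pgstartup\.log` entry is subsumed by the new `.*\.log` pattern, which looks right. The outer hunk itself appears to be whitespace normalization of the inner file-context lines.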
@@ -30724,18 +30724,18 @@ index 9d2f31168..df0970c02 100644 + attribute sepgsql_client_type; + type sepgsql_trusted_proc_t; + type sepgsql_ranged_proc_t; - ') - + ') + - ######################################## - # - # Declarations - # - - typeattribute $2 sepgsql_client_type; - role $1 types sepgsql_trusted_proc_t; - role $1 types sepgsql_ranged_proc_t; + typeattribute $2 sepgsql_client_type; + role $1 types sepgsql_trusted_proc_t; + role $1 types sepgsql_ranged_proc_t; +') - + - ############################## - # - # Client local policy @@ -30768,8 +30768,8 @@ index 9d2f31168..df0970c02 100644 +interface(`postgresql_run',` + gen_require(` + type postgresql_t; - ') - + ') + - allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; - type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; - type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; @@ -30803,16 +30803,16 @@ index 9d2f31168..df0970c02 100644 + postgresql_domtrans($1) + role $2 types postgresql_t; ') - + ######################################## @@ -312,7 +268,7 @@ interface(`postgresql_search_db',` - type postgresql_db_t; - ') - + type postgresql_db_t; + ') + - allow $1 postgresql_db_t:dir search; + allow $1 postgresql_db_t:dir search_dir_perms; ') - + ######################################## @@ -324,14 +280,16 @@ interface(`postgresql_search_db',` ## Domain allowed access. @@ -30820,10 +30820,10 @@ index 9d2f31168..df0970c02 100644 ## +# interface(`postgresql_manage_db',` - gen_require(` - type postgresql_db_t; - ') - + gen_require(` + type postgresql_db_t; + ') + - allow $1 postgresql_db_t:dir rw_dir_perms; - allow $1 postgresql_db_t:file rw_file_perms; - allow $1 postgresql_db_t:lnk_file { getattr read }; 
@@ -30832,12 +30832,12 @@ index 9d2f31168..df0970c02 100644 + manage_files_pattern($1, postgresql_db_t, postgresql_db_t) + manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t) ') - + ######################################## @@ -352,6 +310,24 @@ interface(`postgresql_domtrans',` - domtrans_pattern($1, postgresql_exec_t, postgresql_t) + domtrans_pattern($1, postgresql_exec_t, postgresql_t) ') - + +###################################### +##

      +## Execute Postgresql in the caller domain. @@ -30860,9 +30860,9 @@ index 9d2f31168..df0970c02 100644 ## ## Allow domain to signal postgresql @@ -369,6 +345,23 @@ interface(`postgresql_signal',` - allow $1 postgresql_t:process signal; + allow $1 postgresql_t:process signal; ') - + +###################################### +## +## Allow domain to signull postgresql @@ -30890,19 +30890,19 @@ index 9d2f31168..df0970c02 100644 -## # interface(`postgresql_stream_connect',` - gen_require(` + gen_require(` @@ -432,6 +424,7 @@ interface(`postgresql_stream_connect',` - - files_search_pids($1) - files_search_tmp($1) + + files_search_pids($1) + files_search_tmp($1) + stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t) ') - + ######################################## @@ -447,83 +440,10 @@ interface(`postgresql_stream_connect',` # interface(`postgresql_unpriv_client',` - gen_require(` + gen_require(` - class db_database all_db_database_perms; - class db_schema all_db_schema_perms; - class db_table all_db_table_perms; @@ -30914,7 +30914,7 @@ index 9d2f31168..df0970c02 100644 - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type; + attribute sepgsql_client_type; - attribute sepgsql_database_type, sepgsql_schema_type; - attribute sepgsql_sysobj_table_type; - @@ -30925,14 +30925,14 @@ index 9d2f31168..df0970c02 100644 - type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; - type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; - type unpriv_sepgsql_view_t; - ') - + ') + - ######################################## - # - # Declarations - # - - typeattribute $1 sepgsql_client_type; + typeattribute $1 sepgsql_client_type; - - ######################################## - # @@ -30981,12 +30981,12 @@ index 9d2f31168..df0970c02 100644 - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') ') - + ######################################## 
@@ -545,6 +465,29 @@ interface(`postgresql_unconfined',` - typeattribute $1 sepgsql_unconfined_type; + typeattribute $1 sepgsql_unconfined_type; ') - + +######################################## +## +## Transition to postgresql named content @@ -31016,7 +31016,7 @@ index 9d2f31168..df0970c02 100644 @@ -563,35 +506,41 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` - gen_require(` + gen_require(` - attribute sepgsql_admin_type; - attribute sepgsql_client_type; - 
@@ -31028,39 +31028,39 @@ index 9d2f31168..df0970c02 100644 + type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t; + type postgresql_tmp_t, postgresql_db_t, postgresql_log_t; + type postgresql_etc_t; - ') - - typeattribute $1 sepgsql_admin_type; - + ') + + typeattribute $1 sepgsql_admin_type; + - allow $1 postgresql_t:process { ptrace signal_perms }; + allow $1 postgresql_t:process signal_perms; - ps_process_pattern($1, postgresql_t) + ps_process_pattern($1, postgresql_t) + tunable_policy(`deny_ptrace',`',` + allow $1 postgresql_t:process ptrace; + ') - - init_labeled_script_domtrans($1, postgresql_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postgresql_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, postgresql_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postgresql_initrc_exec_t system_r; + allow $2 system_r; + + files_list_pids($1) - admin_pattern($1, postgresql_var_run_t) - + admin_pattern($1, postgresql_var_run_t) + + files_list_var_lib($1) - admin_pattern($1, postgresql_db_t) - + admin_pattern($1, postgresql_db_t) + + files_list_etc($1) - admin_pattern($1, postgresql_etc_t) - + admin_pattern($1, postgresql_etc_t) + + logging_list_logs($1) - admin_pattern($1, postgresql_log_t) - + admin_pattern($1, postgresql_log_t) + + files_list_tmp($1) - admin_pattern($1, postgresql_tmp_t) - - postgresql_tcp_connect($1) - postgresql_stream_connect($1) + admin_pattern($1, postgresql_tmp_t) + + postgresql_tcp_connect($1) + postgresql_stream_connect($1) + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te @@ -31069,7 +31069,7 @@ index 03061349c..9997e093c 100644 +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` # - + ## -##

      -## Allow unprived users to execute DDL statement @@ -31087,7 +31087,7 @@ index 03061349c..9997e093c 100644 ## -gen_tunable(sepgsql_enable_users_ddl, false) +gen_tunable(postgresql_selinux_users_ddl, true) - + ## ##

      ## Allow transmit client label to foreign database @@ -31095,7 +31095,7 @@ index 03061349c..9997e093c 100644 ## -gen_tunable(sepgsql_transmit_client_label, false) +gen_tunable(postgresql_selinux_transmit_client_label, false) - + ## ##

      ## Allow database admins to execute DML statement @@ -31103,7 +31103,7 @@ index 03061349c..9997e093c 100644 ## -gen_tunable(sepgsql_unconfined_dbadm, false) +gen_tunable(postgresql_selinux_unconfined_dbadm, true) - + type postgresql_t; type postgresql_exec_t; @@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; @@ -31113,99 +31113,99 @@ index 03061349c..9997e093c 100644 -tunable_policy(`sepgsql_transmit_client_label',` + +tunable_policy(`postgresql_selinux_transmit_client_label',` - allow postgresql_t self:process { setsockcreate }; + allow postgresql_t self:process { setsockcreate }; ') - + @@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) -files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) +postgresql_filetrans_named_content(postgresql_t) - + allow postgresql_t postgresql_etc_t:dir list_dir_perms; read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) - + -allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; +allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms; can_exec(postgresql_t, postgresql_exec_t ) - + allow postgresql_t postgresql_lock_t:file manage_file_perms; files_lock_filetrans(postgresql_t, postgresql_lock_t, file) - + +manage_dirs_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) - + 
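Review bot: `+gen_tunable(postgresql_selinux_unconfined_dbadm, true)` on the new side renames the boolean and at the same time changes its default from false to true, so the `allow sepgsql_admin_type sepgsql_database_type:db_database *;` rules it gates further down (the `@@ -536,7 +595,7 @@` part of postgresql.te) are active on a default install, while the description block directly above ("Allow database admins to execute DML statement") says nothing about the default. The same flip applies to `postgresql_selinux_users_ddl` in the preceding `@@ -31087` hunk. I would add `## Enabled by default.` inside each description so the shipped default is visible where administrators look for it. This outer hunk itself appears to only re-indent; the point concerns the inner patch content it carries.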
@@ -291,6 +300,7 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) +allow postgresql_t postgresql_tmp_t:file map; fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) - + manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) @@ -299,12 +309,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) - + kernel_read_kernel_sysctls(postgresql_t) +kernel_read_network_state(postgresql_t) kernel_read_system_state(postgresql_t) kernel_list_proc(postgresql_t) kernel_read_all_sysctls(postgresql_t) kernel_read_proc_symlinks(postgresql_t) - + -corenet_all_recvfrom_unlabeled(postgresql_t) corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) @@ -342,8 +352,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) - + files_dontaudit_search_home(postgresql_t) -files_manage_etc_files(postgresql_t) -files_search_etc(postgresql_t) +files_read_etc_files(postgresql_t) files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) - + 
@@ -354,20 +363,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) - + -miscfiles_read_localization(postgresql_t) - seutil_libselinux_linked(postgresql_t) seutil_read_default_contexts(postgresql_t) - + +sysnet_use_ldap(postgresql_t) + userdom_dontaudit_use_unpriv_user_fds(postgresql_t) userdom_dontaudit_search_user_home_dirs(postgresql_t) userdom_dontaudit_use_user_terminals(postgresql_t) - + +optional_policy(` + ccs_read_config(postgresql_t) +') + optional_policy(` - mta_getattr_spool(postgresql_t) + mta_getattr_spool(postgresql_t) ') - + -tunable_policy(`allow_execmem',` +optional_policy(` + rhcs_manage_cluster_pid_files(postgresql_t) +') + +tunable_policy(`deny_execmem',`',` - allow postgresql_t self:process execmem; + allow postgresql_t self:process execmem; ') - + @@ -485,10 +502,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; - + -# Note that permission of creation/deletion are eventually controlled by -# create or drop permission of individual objects within shared schemas. -# So, it just allows to create/drop user specific types. @@ -31256,21 +31256,21 @@ index 03061349c..9997e093c 100644 + # Note that permission of creation/deletion are eventually controlled by + # create or drop permission of individual objects within shared schemas. + # So, it just allows to create/drop user specific types. - allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; + allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') - + 
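Review bot: `+tunable_policy(\`deny_execmem\`,\`\`,\`` around `allow postgresql_t self:process execmem;` grants executable anonymous memory to the database server whenever the deny_execmem boolean is off, i.e. the permission is present unless an administrator opts out, and the hunk gives no reason the server needs it. A why-comment above the block, `# execmem needed by <component — TODO confirm>; withdrawn when deny_execmem is on`, would let a reviewer judge whether the grant belongs here. `+allow postgresql_t postgresql_tmp_t:file map;` likewise lacks a note on what maps the temp files. The replacement of `files_manage_etc_files(postgresql_t)` by `files_read_etc_files(postgresql_t)` and the dropped `corenet_all_recvfrom_unlabeled(postgresql_t)` are tightenings and look right; the outer hunk itself appears to be whitespace normalization of the inner patch.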
@@ -536,7 +595,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; - + kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) - + -tunable_policy(`sepgsql_unconfined_dbadm',` +tunable_policy(`postgresql_selinux_unconfined_dbadm',` - allow sepgsql_admin_type sepgsql_database_type:db_database *; - - allow sepgsql_admin_type sepgsql_schema_type:db_schema *; + allow sepgsql_admin_type sepgsql_database_type:db_database *; + + allow sepgsql_admin_type sepgsql_schema_type:db_schema *; @@ -589,3 +648,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; - + kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) + +optional_policy(` @@ -31294,7 +31294,7 @@ index 76d9f66ec..5c271ce01 100644 HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) - + -/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) -/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) +/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) 
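Review bot: `+/var/lib/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)` labels the `.ssh` tree of any account under /var/lib with the same type users' `HOME_DIR/\.ssh(/.*)?` carries in the line above, and the client template later in this patch grants `manage_files_pattern($2, ssh_home_t, ssh_home_t)` to every role's user domain (the `@@ -89,33 +86,38 @@` part of ssh.if), so type enforcement will no longer distinguish a service account's key material under /var/lib from an interactive user's keys. If that is intended, the line should carry a comment such as `# service-account key dirs share ssh_home_t with user home keys`; if not, a dedicated type would keep the separation. The outer hunk itself appears to be whitespace normalization of the inner file-context lines.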
@@ -31313,22 +31313,22 @@ index 76d9f66ec..5c271ce01 100644 +/etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) +/etc/ssh/ssh_host.*_key\.pub -- gen_context(system_u:object_r:sshd_key_t,s0) - + /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) - + /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) +/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_file_t,s0) - + +/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) - + /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) +/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) +/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0) - + /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) +/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) + @@ -31343,85 +31343,85 @@ index fe0c68272..68d48b722 100644 # template(`ssh_basic_client_template',` - - gen_require(` - attribute ssh_server; - type ssh_exec_t, sshd_key_t, sshd_tmp_t; + gen_require(` + attribute ssh_server; + type ssh_exec_t, sshd_key_t, sshd_tmp_t; + type ssh_keysign_exec_t, ssh_keysign_t; + type ssh_home_t; - ') - - ############################## + ') + + ############################## 
@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',` - application_domain($1_ssh_t, ssh_exec_t) - role $3 types $1_ssh_t; - + application_domain($1_ssh_t, ssh_exec_t) + role $3 types $1_ssh_t; + - type $1_ssh_home_t; - files_type($1_ssh_home_t) - typealias $1_ssh_home_t alias $1_home_ssh_t; - - ############################## - # - # Client local policy + ############################## + # + # Client local policy 
@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',` - # or "regular" (not special like sshd_extern_t) servers - allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; - + # or "regular" (not special like sshd_extern_t) servers + allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms; + + # derived domain can execute ssh-keysign + domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t) + role $3 types ssh_keysign_t; + - # allow ps to show ssh - ps_process_pattern($2, $1_ssh_t) - - # user can manage the keys and config + # allow ps to show ssh + ps_process_pattern($2, $1_ssh_t) + + # user can manage the keys and config - manage_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_lnk_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) - manage_sock_files_pattern($2, $1_ssh_home_t, $1_ssh_home_t) + manage_files_pattern($2, ssh_home_t, ssh_home_t) + manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t) + manage_sock_files_pattern($2, ssh_home_t, ssh_home_t) - - # ssh client can manage the keys and config + + # ssh client can manage the keys and config - manage_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) - read_lnk_files_pattern($1_ssh_t, $1_ssh_home_t, $1_ssh_home_t) + manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) + read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t) - - # ssh servers can read the user keys and config + + # ssh servers can read the user keys and config - allow ssh_server $1_ssh_home_t:dir list_dir_perms; - read_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) - read_lnk_files_pattern(ssh_server, $1_ssh_home_t, $1_ssh_home_t) + allow ssh_server ssh_home_t:dir list_dir_perms; + read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) + read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) - - kernel_read_kernel_sysctls($1_ssh_t) - kernel_read_system_state($1_ssh_t) - + + kernel_read_kernel_sysctls($1_ssh_t) + kernel_read_system_state($1_ssh_t) + - corenet_all_recvfrom_unlabeled($1_ssh_t) - 
corenet_all_recvfrom_netlabel($1_ssh_t) - corenet_tcp_sendrecv_generic_if($1_ssh_t) - corenet_tcp_sendrecv_generic_node($1_ssh_t) - corenet_tcp_sendrecv_all_ports($1_ssh_t) - corenet_tcp_connect_ssh_port($1_ssh_t) - corenet_sendrecv_ssh_client_packets($1_ssh_t) + corenet_all_recvfrom_netlabel($1_ssh_t) + corenet_tcp_sendrecv_generic_if($1_ssh_t) + corenet_tcp_sendrecv_generic_node($1_ssh_t) + corenet_tcp_sendrecv_all_ports($1_ssh_t) + corenet_tcp_connect_ssh_port($1_ssh_t) + corenet_sendrecv_ssh_client_packets($1_ssh_t) + corenet_tcp_bind_generic_node($1_ssh_t) + corenet_tcp_bind_all_unreserved_ports($1_ssh_t) - - dev_read_urand($1_ssh_t) - + + dev_read_urand($1_ssh_t) + @@ -139,7 +141,6 @@ template(`ssh_basic_client_template',` - logging_send_syslog_msg($1_ssh_t) - logging_read_generic_logs($1_ssh_t) - + logging_send_syslog_msg($1_ssh_t) + logging_read_generic_logs($1_ssh_t) + - miscfiles_read_localization($1_ssh_t) - - seutil_read_config($1_ssh_t) - + + seutil_read_config($1_ssh_t) + @@ -148,6 +149,29 @@ template(`ssh_basic_client_template',` - ') + ') ') - + +###################################### +##

      +## The template to define a domain to which sshd dyntransition. @@ -31440,7 +31440,7 @@ index fe0c68272..68d48b722 100644 + type $1, ssh_dyntransition_domain; + domain_type($1) + role system_r types $1; -+ ++ + optional_policy(` + ssh_dyntransition_to($1) + ') @@ -31454,89 +31454,89 @@ index fe0c68272..68d48b722 100644 # -template(`ssh_server_template', ` +template(`ssh_server_template',` - type $1_t, ssh_server; - auth_login_pgm_domain($1_t) - + type $1_t, ssh_server; + auth_login_pgm_domain($1_t) + 
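Review bot: The new side of `ssh_basic_client_template` drops the per-role `$1_ssh_home_t` type (its `type`, `files_type` and `typealias` lines are removed in the `@@ -47,10 +48,6 @@` part) and makes every instantiation manage the single shared `ssh_home_t` (`manage_files_pattern($2, ssh_home_t, ssh_home_t)` and the `$1_ssh_t` and `ssh_server` rules that follow), so types no longer separate one role's keys and config from another's; the template header, which is outside this hunk, should state that. I would add above the declarations: `# All roles derived from this template share ssh_home_t; per-role separation of ~/.ssh content is no longer expressed by type.` The added `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` also has no comment; presumably it backs port forwarding, but the reason should be written down. The outer hunk itself appears to be whitespace normalization of the inner patch.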
@@ -181,20 +205,23 @@ template(`ssh_server_template', ` - type $1_var_run_t; - files_pid_file($1_var_run_t) - + type $1_var_run_t; + files_pid_file($1_var_run_t) + - allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config }; + allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config }; - allow $1_t self:fifo_file rw_fifo_file_perms; + allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate }; + allow $1_t self:process { getcap signal getsched setsched setrlimit setexec }; + allow $1_t self:process { signal getcap getsched setsched setrlimit setexec }; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto }; - # ssh agent connections: - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:shm create_shm_perms; - + # ssh agent connections: + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:shm create_shm_perms; + - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom }; - term_create_pty($1_t, $1_devpts_t) - + term_create_pty($1_t, $1_devpts_t) + - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) + #manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + #fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file) + userdom_manage_tmp_role(system_r, sshd_t) - - allow $1_t $1_var_run_t:file manage_file_perms; - files_pid_filetrans($1_t, $1_var_run_t, file) + + 
allow $1_t $1_var_run_t:file manage_file_perms; + files_pid_filetrans($1_t, $1_var_run_t, file) @@ -206,6 +233,7 @@ template(`ssh_server_template', ` - - kernel_read_kernel_sysctls($1_t) - kernel_read_network_state($1_t) + + kernel_read_kernel_sysctls($1_t) + kernel_read_network_state($1_t) + kernel_request_load_module($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) @@ -220,10 +248,13 @@ template(`ssh_server_template', ` - corenet_tcp_bind_generic_node($1_t) - corenet_udp_bind_generic_node($1_t) - corenet_tcp_bind_ssh_port($1_t) + corenet_tcp_bind_generic_node($1_t) + corenet_udp_bind_generic_node($1_t) + corenet_tcp_bind_ssh_port($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_ssh_server_packets($1_t) + corenet_sendrecv_ssh_server_packets($1_t) + # -R qualifier + corenet_sendrecv_ssh_server_packets($1_t) + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) - + - fs_dontaudit_getattr_all_fs($1_t) + fs_getattr_all_fs($1_t) - - auth_rw_login_records($1_t) - auth_rw_faillog($1_t) + + auth_rw_login_records($1_t) + auth_rw_faillog($1_t) @@ -233,7 +264,10 @@ template(`ssh_server_template', ` - # for sshd subsystems, such as sftp-server. - corecmd_getattr_bin_files($1_t) - + # for sshd subsystems, such as sftp-server. + corecmd_getattr_bin_files($1_t) + + dev_rw_crypto($1_t) + - domain_interactive_fd($1_t) + domain_interactive_fd($1_t) + domain_dyntrans_type($1_t) - - files_read_etc_files($1_t) - files_read_etc_runtime_files($1_t) + + files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) 
@@ -241,35 +275,33 @@ template(`ssh_server_template', ` - - logging_search_logs($1_t) - + + logging_search_logs($1_t) + - miscfiles_read_localization($1_t) - - userdom_create_all_users_keys($1_t) - userdom_dontaudit_relabelfrom_user_ptys($1_t) + userdom_dontaudit_relabelfrom_user_ptys($1_t) - userdom_search_user_home_dirs($1_t) + userdom_read_user_home_content_files($1_t) - - # Allow checking users mail at login - optional_policy(` - mta_getattr_spool($1_t) - ') - + + # Allow checking users mail at login + optional_policy(` + mta_getattr_spool($1_t) + ') + - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files($1_t) - fs_read_nfs_symlinks($1_t) @@ -31546,17 +31546,17 @@ index fe0c68272..68d48b722 100644 - fs_read_cifs_files($1_t) - ') + userdom_home_manager($1_t) - - optional_policy(` - kerberos_use($1_t) + + optional_policy(` + kerberos_use($1_t) - kerberos_manage_host_rcache($1_t) + #kerberos_manage_host_rcache($1_t) - ') - - optional_policy(` - files_read_var_lib_symlinks($1_t) - nx_spec_domtrans_server($1_t) - ') + ') + + optional_policy(` + files_read_var_lib_symlinks($1_t) + nx_spec_domtrans_server($1_t) + ') + + optional_policy(` + rlogin_read_home_content($1_t) @@ -31566,7 +31566,7 @@ index fe0c68272..68d48b722 100644 + shutdown_getattr_exec_files($1_t) + ') ') - + ######################################## @@ -292,14 +324,15 @@ template(`ssh_server_template', ` ## User domain for the role @@ -31575,65 +31575,65 @@ index fe0c68272..68d48b722 100644 +## # template(`ssh_role_template',` - gen_require(` - attribute ssh_server, ssh_agent_type; + gen_require(` + attribute ssh_server, ssh_agent_type; - - type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; - type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; - type ssh_agent_tmp_t; + type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; + type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; + type ssh_agent_tmp_t; + type cache_home_t; - ') - - ############################## + ') + + ############################## 
@@ -328,103 +361,56 @@ template(`ssh_role_template',` - - # allow ps to show ssh - ps_process_pattern($3, ssh_t) + + # allow ps to show ssh + ps_process_pattern($3, ssh_t) - allow $3 ssh_t:process signal; + allow $3 ssh_t:process signal_perms; - - # for rsync - allow ssh_t $3:unix_stream_socket rw_socket_perms; - allow ssh_t $3:unix_stream_socket connectto; + + # for rsync + allow ssh_t $3:unix_stream_socket rw_socket_perms; + allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; + allow $3 ssh_t:key { write search read view }; - - # user can manage the keys and config - manage_files_pattern($3, ssh_home_t, ssh_home_t) - manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) - manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) - userdom_search_user_home_dirs($1_t) + + # user can manage the keys and config + manage_files_pattern($3, ssh_home_t, ssh_home_t) + manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) + manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1_t) + userdom_manage_tmp_role($2, ssh_t) - - ############################## - # - # SSH agent local policy - # - + + ############################## + # + # SSH agent local policy + # + - allow $1_ssh_agent_t self:process setrlimit; - allow $1_ssh_agent_t self:capability setgid; - - allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; - - allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; - + allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; + + allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; + - manage_dirs_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) - manage_sock_files_pattern($1_ssh_agent_t, ssh_agent_tmp_t, ssh_agent_tmp_t) - files_tmp_filetrans($1_ssh_agent_t, ssh_agent_tmp_t, { dir sock_file }) - - # for ssh-add - stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) + # for ssh-add + 
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) + stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t) - - # Allow the user shell to signal the ssh program. + + # Allow the user shell to signal the ssh program. - allow $3 $1_ssh_agent_t:process signal; + allow $3 $1_ssh_agent_t:process signal_perms; - - # allow ps to show ssh - ps_process_pattern($3, $1_ssh_agent_t) - - domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) - + + # allow ps to show ssh + ps_process_pattern($3, $1_ssh_agent_t) + + domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) + - kernel_read_kernel_sysctls($1_ssh_agent_t) - - dev_read_urand($1_ssh_agent_t) @@ -31641,11 +31641,11 @@ index fe0c68272..68d48b722 100644 - - fs_search_auto_mountpoints($1_ssh_agent_t) + kernel_read_system_state($1_ssh_agent_t) - - # transition back to normal privs upon exec - corecmd_shell_domtrans($1_ssh_agent_t, $3) - corecmd_bin_domtrans($1_ssh_agent_t, $3) - + + # transition back to normal privs upon exec + corecmd_shell_domtrans($1_ssh_agent_t, $3) + corecmd_bin_domtrans($1_ssh_agent_t, $3) + - domain_use_interactive_fds($1_ssh_agent_t) - - files_read_etc_files($1_ssh_agent_t) @@ -31654,9 +31654,9 @@ index fe0c68272..68d48b722 100644 - - libs_read_lib_files($1_ssh_agent_t) + auth_use_nsswitch($1_ssh_agent_t) - - logging_send_syslog_msg($1_ssh_agent_t) - + + logging_send_syslog_msg($1_ssh_agent_t) + - miscfiles_read_localization($1_ssh_agent_t) - miscfiles_read_generic_certs($1_ssh_agent_t) - @@ -31667,7 +31667,7 @@ index fe0c68272..68d48b722 100644 - - # for the transition back to normal privs upon exec - userdom_search_user_home_content($1_ssh_agent_t) - userdom_user_home_domtrans($1_ssh_agent_t, $3) + userdom_user_home_domtrans($1_ssh_agent_t, $3) - allow $3 $1_ssh_agent_t:fd use; - allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; - allow $3 $1_ssh_agent_t:process sigchld; 
@@ -31690,19 +31690,19 @@ index fe0c68272..68d48b722 100644 - nis_use_ypbind($1_ssh_agent_t) - ') + userdom_home_manager($1_ssh_agent_t) - + - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) - ') + ssh_exec_keygen($3) ') - + ######################################## @@ -496,8 +482,27 @@ interface(`ssh_read_pipes',` - type sshd_t; - ') - + type sshd_t; + ') + - allow $1 sshd_t:fifo_file { getattr read }; + allow $1 sshd_t:fifo_file read_fifo_file_perms; +') @@ -31729,18 +31729,18 @@ index fe0c68272..68d48b722 100644 ## ## Read and write a ssh server unnamed pipe. @@ -513,7 +518,7 @@ interface(`ssh_rw_pipes',` - type sshd_t; - ') - + type sshd_t; + ') + - allow $1 sshd_t:fifo_file { write read getattr ioctl }; + allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## @@ -603,6 +608,24 @@ interface(`ssh_domtrans',` - domtrans_pattern($1, sshd_exec_t, sshd_t) + domtrans_pattern($1, sshd_exec_t, sshd_t) ') - + +######################################## +## +## Execute sshd server in the sshd domain. @@ -31763,18 +31763,18 @@ index fe0c68272..68d48b722 100644 ## ## Execute the ssh client in the caller domain. @@ -637,7 +660,7 @@ interface(`ssh_setattr_key_files',` - type sshd_key_t; - ') - + type sshd_key_t; + ') + - allow $1 sshd_key_t:file setattr; + allow $1 sshd_key_t:file setattr_file_perms; - files_search_pids($1) + files_search_pids($1) ') - + @@ -660,6 +683,42 @@ interface(`ssh_agent_exec',` - can_exec($1, ssh_agent_exec_t) + can_exec($1, ssh_agent_exec_t) ') - + +######################################## +## +## Getattr ssh home directory @@ -31815,9 +31815,9 @@ index fe0c68272..68d48b722 100644 ## ## Read ssh home directory content @@ -697,6 +756,69 @@ interface(`ssh_domtrans_keygen',` - ') - - domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) + ') + + domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) + allow $1 ssh_keygen_exec_t:file map; +') + 
@@ -31882,12 +31882,12 @@ index fe0c68272..68d48b722 100644 + + allow $1 sshd_key_t:file getattr_file_perms; ') - + ######################################## @@ -714,7 +836,26 @@ interface(`ssh_dontaudit_read_server_keys',` - type sshd_key_t; - ') - + type sshd_key_t; + ') + - dontaudit $1 sshd_key_t:file { getattr read }; + dontaudit $1 sshd_key_t:file read_file_perms; +') @@ -31910,11 +31910,11 @@ index fe0c68272..68d48b722 100644 + append_files_pattern($1, ssh_home_t, ssh_home_t) + userdom_search_user_home_dirs($1) ') - + ###################################### @@ -754,3 +895,151 @@ interface(`ssh_delete_tmp',` - files_search_tmp($1) - delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) + files_search_tmp($1) + delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') + +##################################### @@ -31969,7 +31969,7 @@ index fe0c68272..68d48b722 100644 +## +# +interface(`ssh_filetrans_home_content',` -+ ++ + gen_require(` + type ssh_home_t; + ') @@ -31991,7 +31991,7 @@ index fe0c68272..68d48b722 100644 +## +# +interface(`ssh_filetrans_keys',` -+ ++ + gen_require(` + type sshd_key_t; + ') @@ -32007,7 +32007,7 @@ index fe0c68272..68d48b722 100644 +######################################## +## +## Do not audit attempts to read and -+## write the sshd pty type. ++## write the sshd pty type. +## +## +## @@ -32025,7 +32025,7 @@ index fe0c68272..68d48b722 100644 + +######################################## +## -+## Read and write inherited sshd pty type. ++## Read and write inherited sshd pty type. +## +## +## @@ -32070,7 +32070,7 @@ index cc877c7b0..f2da060bf 100644 +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) # - + ## -##

      -## allow host key based authentication @@ -32088,21 +32088,21 @@ index cc877c7b0..f2da060bf 100644 ## -gen_tunable(allow_ssh_keysign, false) +gen_tunable(ssh_sysadm_login, false) - + ## ##

      -## Allow ssh logins as sysadm_r:sysadm_t -+## Allow ssh with chroot env to read and write files ++## Allow ssh with chroot env to read and write files +## in the user home directories ##

      ##
      -gen_tunable(ssh_sysadm_login, false) +gen_tunable(ssh_chroot_rw_homedirs, false) - + +attribute ssh_dyntransition_domain; attribute ssh_server; attribute ssh_agent_type; - + +ssh_dyntransition_domain_template(chroot_user_t) +ssh_dyntransition_domain_template(sshd_sandbox_t) +ssh_dyntransition_domain_template(sshd_net_t) @@ -32121,10 +32121,10 @@ index cc877c7b0..f2da060bf 100644 + +type sshd_keygen_unit_file_t; +systemd_unit_file(sshd_keygen_unit_file_t) - + type sshd_exec_t; corecmd_executable_file(sshd_exec_t) - + ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) +mls_trusted_object(sshd_t) @@ -32136,10 +32136,10 @@ index cc877c7b0..f2da060bf 100644 + +type sshd_unit_file_t; +systemd_unit_file(sshd_unit_file_t) - + type sshd_key_t; files_type(sshd_key_t) - + -type sshd_tmp_t; -files_tmp_file(sshd_tmp_t) -files_poly_parent(sshd_tmp_t) @@ -32149,7 +32149,7 @@ index cc877c7b0..f2da060bf 100644 -') +type sshd_keytab_t; +files_type(sshd_keytab_t) - + type ssh_t; type ssh_exec_t; @@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) @@ -32158,19 +32158,19 @@ index cc877c7b0..f2da060bf 100644 typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; -userdom_user_tmpfs_file(ssh_tmpfs_t) +userdom_user_tmp_file(ssh_tmpfs_t) - + type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) +files_poly_parent(ssh_home_t) - + -type sshd_keytab_t; -files_type(sshd_keytab_t) +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) +') - + ############################## # @@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; 
@@ -32186,10 +32186,10 @@ index cc877c7b0..f2da060bf 100644 allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; +can_exec(ssh_t, ssh_exec_t) - + # Read the ssh key file. allow ssh_t sshd_key_t:file read_file_perms; - + -# Access the ssh temporary files. -allow ssh_t sshd_tmp_t:dir manage_dir_perms; -allow ssh_t sshd_tmp_t:file manage_file_perms; @@ -32201,7 +32201,7 @@ index cc877c7b0..f2da060bf 100644 manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - + manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) -userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -32211,27 +32211,27 @@ index cc877c7b0..f2da060bf 100644 +userdom_read_all_users_keys(ssh_t) +userdom_stream_connect(ssh_t) +userdom_search_admin_dir(sshd_t) - + # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) - + allow ssh_t sshd_t:unix_stream_socket connectto; +allow ssh_t sshd_t:peer recv; - + # ssh client can manage the keys and config manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) - + # ssh servers can read the user keys and config -allow ssh_server ssh_home_t:dir list_dir_perms; -read_files_pattern(ssh_server, ssh_home_t, ssh_home_t) -read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t) +manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) - + kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) - + -corenet_all_recvfrom_unlabeled(ssh_t) corenet_all_recvfrom_netlabel(ssh_t) corenet_tcp_sendrecv_generic_if(ssh_t) 
@@ -32243,24 +32243,24 @@ index cc877c7b0..f2da060bf 100644 +corenet_tcp_bind_generic_node(ssh_t) +#corenet_tcp_bind_all_unreserved_ports(ssh_t) +corenet_rw_tun_tap_dev(ssh_t) - + +dev_read_rand(ssh_t) dev_read_urand(ssh_t) - + fs_getattr_all_fs(ssh_t) @@ -157,40 +191,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) - + +term_use_ptmx(ssh_t) + auth_use_nsswitch(ssh_t) - + -miscfiles_read_localization(ssh_t) +miscfiles_read_generic_certs(ssh_t) - + seutil_read_config(ssh_t) - + userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) +userdom_search_admin_dir(ssh_t) @@ -32285,7 +32285,7 @@ index cc877c7b0..f2da060bf 100644 +tunable_policy(`ssh_keysign',` + domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(ssh_t) - fs_manage_nfs_files(ssh_t) @@ -32295,7 +32295,7 @@ index cc877c7b0..f2da060bf 100644 + corenet_tcp_bind_generic_node(ssh_t) + corenet_tcp_bind_all_unreserved_ports(ssh_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(ssh_t) - fs_manage_cifs_files(ssh_t) @@ -32304,7 +32304,7 @@ index cc877c7b0..f2da060bf 100644 + condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh) + ') ') - + -# for port forwarding -tunable_policy(`user_tcp_server',` - corenet_tcp_bind_ssh_port(ssh_t) @@ -32312,18 +32312,18 @@ index cc877c7b0..f2da060bf 100644 +optional_policy(` + gnome_stream_connect_gkeyringd(ssh_t) ') - + optional_policy(` @@ -198,6 +238,7 @@ optional_policy(` - xserver_domtrans_xauth(ssh_t) + xserver_domtrans_xauth(ssh_t) ') - + + ############################## # # ssh_keysign_t local policy @@ -205,10 +246,16 @@ optional_policy(` - + allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +allow ssh_keysign_t self:udp_socket create_socket_perms; 
@@ -32331,19 +32331,19 @@ index cc877c7b0..f2da060bf 100644 +allow ssh_keysign_t sshd_key_t:file { getattr open read }; + +kernel_read_network_state(ssh_keysign_t) - + -allow ssh_keysign_t sshd_key_t:file { getattr read }; +auth_read_passwd(ssh_keysign_t) - + dev_read_urand(ssh_keysign_t) +dev_read_rand(ssh_keysign_t) - + files_read_etc_files(ssh_keysign_t) - + @@ -216,6 +263,14 @@ optional_policy(` - nscd_use(ssh_keysign_t) + nscd_use(ssh_keysign_t) ') - + +optional_policy(` + sssd_read_public_files(ssh_keysign_t) +') @@ -32360,9 +32360,9 @@ index cc877c7b0..f2da060bf 100644 allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; +allow sshd_t self:process setcurrent; - + allow sshd_t sshd_keytab_t:file read_file_perms; - + -manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) @@ -32377,18 +32377,18 @@ index cc877c7b0..f2da060bf 100644 + +fs_search_cgroup_dirs(sshd_t) +fs_rw_cgroup_files(sshd_t) - + term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) +term_setattr_all_ttys(sshd_t) term_relabelto_all_ptys(sshd_t) +term_use_ptmx(sshd_t) - + # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) +corenet_tcp_bind_vnc_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) - + -ifdef(`distro_debian',` - allow sshd_t self:process { getcap setcap }; -') 
@@ -32402,14 +32402,14 @@ index cc877c7b0..f2da060bf 100644 +userdom_signal_unpriv_users(sshd_t) +userdom_dyntransition_unpriv_users(sshd_t) +userdom_map_tmp_files(sshd_t) - + tunable_policy(`ssh_sysadm_login',` - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. - # some versions of sshd on the new SE Linux require setattr + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to + # display the tty. + # some versions of sshd on the new SE Linux require setattr - userdom_spec_domtrans_all_users(sshd_t) - userdom_signal_all_users(sshd_t) + userdom_signal_all_users(sshd_t) -',` - userdom_spec_domtrans_unpriv_users(sshd_t) - userdom_signal_unpriv_users(sshd_t) @@ -32426,11 +32426,11 @@ index cc877c7b0..f2da060bf 100644 + condor_rw_tcp_sockets_startd(sshd_t) + condor_rw_tcp_sockets_schedd(sshd_t) ') - + optional_policy(` - daemontools_service_domain(sshd_t, sshd_exec_t) + daemontools_service_domain(sshd_t, sshd_exec_t) ') - + +optional_policy(` + ftp_dyntrans_sftpd(sshd_t) + ftp_dyntrans_anon_sftpd(sshd_t) @@ -32445,12 +32445,12 @@ index cc877c7b0..f2da060bf 100644 +') + optional_policy(` - inetd_tcp_service_domain(sshd_t, sshd_exec_t) + inetd_tcp_service_domain(sshd_t, sshd_exec_t) ') @@ -274,10 +363,26 @@ optional_policy(` - kerberos_use(sshd_t) + kerberos_use(sshd_t) ') - + +optional_policy(` + lvm_domtrans(sshd_t) +') @@ -32464,20 +32464,20 @@ index cc877c7b0..f2da060bf 100644 +') + optional_policy(` - oddjob_domtrans_mkhomedir(sshd_t) + oddjob_domtrans_mkhomedir(sshd_t) ') - + +optional_policy(` + rpc_rw_gssd_keys(sshd_t) +') + optional_policy(` - rpm_use_script_fds(sshd_t) + rpm_use_script_fds(sshd_t) ') @@ -288,12 +393,101 @@ optional_policy(` - rssh_read_ro_content(sshd_t) + rssh_read_ro_content(sshd_t) ') - + +optional_policy(` + rsync_read_data(sshd_t) +') 
@@ -32505,9 +32505,9 @@ index cc877c7b0..f2da060bf 100644 +') + optional_policy(` - unconfined_shell_domtrans(sshd_t) + unconfined_shell_domtrans(sshd_t) ') - + +optional_policy(` + sge_rw_tcp_sockets(sshd_t) +') @@ -32520,7 +32520,7 @@ index cc877c7b0..f2da060bf 100644 +') + optional_policy(` - xserver_domtrans_xauth(sshd_t) + xserver_domtrans_xauth(sshd_t) + xserver_xdm_signull(sshd_t) +') + @@ -32574,21 +32574,21 @@ index cc877c7b0..f2da060bf 100644 +optional_policy(` + plymouthd_exec_plymouth(sshd_keygen_t) ') - + ######################################## @@ -304,19 +498,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t - + +allow ssh_keygen_t self:capability { dac_read_search dac_override }; dontaudit ssh_keygen_t self:capability sys_tty_config; allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; - + allow ssh_keygen_t sshd_key_t:file manage_file_perms; files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) - + +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) @@ -32600,21 +32600,21 @@ index cc877c7b0..f2da060bf 100644 + +kernel_read_system_state(ssh_keygen_t) kernel_read_kernel_sysctls(ssh_keygen_t) - + +corecmd_exec_shell(ssh_keygen_t) +corecmd_exec_bin(ssh_keygen_t) + fs_search_auto_mountpoints(ssh_keygen_t) - + dev_read_sysfs(ssh_keygen_t) +dev_read_rand(ssh_keygen_t) dev_read_urand(ssh_keygen_t) - + term_dontaudit_use_console(ssh_keygen_t) @@ -332,7 +540,13 @@ auth_use_nsswitch(ssh_keygen_t) - + logging_send_syslog_msg(ssh_keygen_t) - + +userdom_home_manager(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_use_user_terminals(ssh_keygen_t) 
@@ -32622,12 +32622,12 @@ index cc877c7b0..f2da060bf 100644 +optional_policy(` + glusterd_manage_lib_files(ssh_keygen_t) +') - + optional_policy(` - seutil_sigchld_newrole(ssh_keygen_t) + seutil_sigchld_newrole(ssh_keygen_t) @@ -341,3 +555,150 @@ optional_policy(` optional_policy(` - udev_read_db(ssh_keygen_t) + udev_read_db(ssh_keygen_t) ') + +#################################### @@ -32814,13 +32814,13 @@ index 8274418c6..29bbc5976 100644 +/root/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0) - + # # /dev @@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) /etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) - + +/etc/X11/xorg\.conf\.d(/.*)? gen_context(system_u:object_r:xserver_etc_t,s0) +/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) +/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) @@ -32832,10 +32832,10 @@ index 8274418c6..29bbc5976 100644 /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0) - + -/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) +/etc/opt/VirtualGL(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) - + +/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0) /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -32843,18 +32843,18 @@ index 8274418c6..29bbc5976 100644 
@@ -46,26 +77,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # - + -/tmp/\.ICE-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.ICE-unix/.* -s <> -/tmp/\.X0-lock -- gen_context(system_u:object_r:xserver_tmp_t,s0) -/tmp/\.X11-unix -d gen_context(system_u:object_r:xdm_tmp_t,s0) -/tmp/\.X11-unix/.* -s <> +/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0) - + # # /usr # - + +/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) @@ -32877,14 +32877,14 @@ index 8274418c6..29bbc5976 100644 +/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0) + -+/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) - + /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - + @@ -91,19 +131,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) - + /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -32897,7 +32897,7 @@ index 8274418c6..29bbc5976 100644 + +/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - + -/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -32912,7 +32912,7 @@ index 8274418c6..29bbc5976 100644 +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + +/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) - + /var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -32930,7 +32930,7 @@ index 8274418c6..29bbc5976 100644 +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - + ifdef(`distro_suse',` /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') @@ -32947,15 +32947,15 @@ index 6bf0ecc2d..28048bf64 100644 @@ -18,100 +18,36 @@ # interface(`xserver_restricted_role',` - gen_require(` + gen_require(` - type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; - type iceauth_t, iceauth_exec_t, iceauth_home_t; - type xauth_t, xauth_exec_t, xauth_home_t; + type xauth_t, iceauth_t; + attribute dridomain, x_userdomain; - ') - + ') + - role $1 types { xserver_t xauth_t iceauth_t }; - - # Xserver read/write client shm @@ -33027,14 +33027,14 @@ index 6bf0ecc2d..28048bf64 100644 - miscfiles_read_fonts($2) + role $1 types { xauth_t iceauth_t }; + typeattribute $2 x_userdomain, dridomain; - + - xserver_common_x_domain_template(user, $2) - xserver_domtrans($2) - xserver_unconfined($2) - xserver_xsession_entry_type($2) - xserver_dontaudit_write_log($2) + xserver_common_x_domain_template(user,$2) - xserver_stream_connect_xdm($2) + xserver_stream_connect_xdm($2) - # certain apps want to read xdm.pid file - xserver_read_xdm_pid($2) - # gnome-session creates socket under /tmp/.ICE-unix/ 
@@ -33042,7 +33042,7 @@ index 6bf0ecc2d..28048bf64 100644 - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($2) + xserver_xdm_append_log($2) - + - # Client write xserver shm - tunable_policy(`allow_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; @@ -33063,138 +33063,138 @@ index 6bf0ecc2d..28048bf64 100644 +interface(`xserver_dri_domain',` + gen_require(` + attribute dridomain; - ') + ') + + typeattribute $1 dridomain; ') - + ######################################## @@ -143,13 +79,15 @@ interface(`xserver_role',` - allow $2 xserver_tmpfs_t:file rw_file_perms; - - allow $2 iceauth_home_t:file manage_file_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + + allow $2 iceauth_home_t:file manage_file_perms; - allow $2 iceauth_home_t:file { relabelfrom relabelto }; + allow $2 iceauth_home_t:file relabel_file_perms; - - allow $2 xauth_home_t:file manage_file_perms; + + allow $2 xauth_home_t:file manage_file_perms; - allow $2 xauth_home_t:file { relabelfrom relabelto }; + allow $2 xauth_home_t:file relabel_file_perms; - + + mls_xwin_read_to_clearance($2) - manage_dirs_pattern($2, user_fonts_t, user_fonts_t) - manage_files_pattern($2, user_fonts_t, user_fonts_t) + manage_dirs_pattern($2, user_fonts_t, user_fonts_t) + manage_files_pattern($2, user_fonts_t, user_fonts_t) + allow $2 user_fonts_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) - relabel_files_pattern($2, user_fonts_t, user_fonts_t) - + relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) + relabel_files_pattern($2, user_fonts_t, user_fonts_t) + 
@@ -162,7 +100,6 @@ interface(`xserver_role',` - manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) - relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) + manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) + relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - ') - + ####################################### @@ -197,7 +134,7 @@ interface(`xserver_ro_session',` - allow $1 xserver_t:process signal; - - # Read /tmp/.X0-lock + allow $1 xserver_t:process signal; + + # Read /tmp/.X0-lock - allow $1 xserver_tmp_t:file { getattr read }; + allow $1 xserver_tmp_t:file read_file_perms; - - # Client read xserver shm - allow $1 xserver_t:fd use; + + # Client read xserver shm + allow $1 xserver_t:fd use; @@ -227,7 +164,7 @@ interface(`xserver_rw_session',` - type xserver_t, xserver_tmpfs_t; - ') - + type xserver_t, xserver_tmpfs_t; + ') + - xserver_ro_session($1,$2) + xserver_ro_session($1, $2) - allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; ') @@ -255,7 +192,7 @@ interface(`xserver_non_drawing_client',` - - allow $1 self:x_gc { create setattr }; - + + allow $1 self:x_gc { create setattr }; + - allow $1 xdm_var_run_t:dir search; + allow $1 xdm_var_run_t:dir search_dir_perms; - allow $1 xserver_t:unix_stream_socket connectto; - - allow $1 xextension_t:x_extension { query use }; + allow $1 xserver_t:unix_stream_socket connectto; + + allow $1 xextension_t:x_extension { query use }; 
@@ -282,7 +219,7 @@ interface(`xserver_non_drawing_client',` interface(`xserver_user_client',` - refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') - gen_require(` + refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.') + gen_require(` - type xdm_t, xdm_tmp_t; + type xdm_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; - ') - + type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + ') + @@ -291,14 +228,14 @@ interface(`xserver_user_client',` - allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; - - # Read .Xauthority file + allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; + + # Read .Xauthority file - allow $1 xauth_home_t:file { getattr read }; - allow $1 iceauth_home_t:file { getattr read }; + allow $1 xauth_home_t:file read_file_perms; + allow $1 iceauth_home_t:file read_file_perms; - - # for when /tmp/.X11-unix is created by the system - allow $1 xdm_t:fd use; + + # for when /tmp/.X11-unix is created by the system + allow $1 xdm_t:fd use; - allow $1 xdm_t:fifo_file { getattr read write ioctl }; - allow $1 xdm_tmp_t:dir search; - allow $1 xdm_tmp_t:sock_file { read write }; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; + userdom_search_user_tmp_dirs($1) + userdom_rw_user_tmp_sock_files($1) - dontaudit $1 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. + dontaudit $1 xdm_t:tcp_socket { read write }; + + # Allow connections to X server. 
@@ -316,7 +253,7 @@ interface(`xserver_user_client',` - xserver_read_xdm_tmp_files($1) - - # Client write xserver shm + xserver_read_xdm_tmp_files($1) + + # Client write xserver shm - tunable_policy(`allow_write_xshm',` + tunable_policy(`xserver_clients_write_xshm',` - allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; - ') + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; + ') @@ -342,19 +279,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` - gen_require(` + gen_require(` - type root_xdrawable_t; + type root_xdrawable_t, xdm_t, xserver_t; - type xproperty_t, $1_xproperty_t; - type xevent_t, client_xevent_t; - type input_xevent_t, $1_input_xevent_t; - + type xproperty_t, $1_xproperty_t; + type xevent_t, client_xevent_t; + type input_xevent_t, $1_input_xevent_t; + - attribute x_domain; + attribute x_domain, input_xevent_type; - attribute xdrawable_type, xcolormap_type; + attribute xdrawable_type, xcolormap_type; - attribute input_xevent_type; - - class x_drawable all_x_drawable_perms; - class x_property all_x_property_perms; - class x_event all_x_event_perms; - class x_synthetic_event all_x_synthetic_event_perms; + + class x_drawable all_x_drawable_perms; + class x_property all_x_property_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; + class x_client destroy; + class x_server manage; + class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor }; + class x_pointer { get_property set_property manage }; + class x_keyboard { read manage freeze }; - ') - - ############################## + ') + + ############################## 
@@ -383,9 +324,18 @@ template(`xserver_common_x_domain_template',` - allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; - # can receive default events - allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; + # can receive default events + allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; - allow $2 xevent_t:{ x_event x_synthetic_event } receive; + allow $2 xevent_t:{ x_event x_synthetic_event } { send receive }; - # dont audit send failures - dontaudit $2 input_xevent_type:x_event send; + # dont audit send failures + dontaudit $2 input_xevent_type:x_event send; + + allow $2 xdm_t:x_drawable { hide read add_child manage }; + allow $2 xdm_t:x_client destroy; @@ -33205,80 +33205,80 @@ index 6bf0ecc2d..28048bf64 100644 + allow $2 xserver_t:x_pointer { get_property set_property manage }; + allow $2 xserver_t:x_keyboard { read manage freeze }; ') - + ####################################### @@ -444,8 +394,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` - gen_require(` + gen_require(` - type xdm_t, xdm_tmp_t; - type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t; + type xdm_t, xserver_tmpfs_t; + type xdm_home_t; + type xauth_home_t, iceauth_home_t, xserver_t; - ') - - allow $2 self:shm create_shm_perms; + ') + + allow $2 self:shm create_shm_perms; 
@@ -456,11 +407,13 @@ template(`xserver_user_x_domain_template',` - allow $2 xauth_home_t:file read_file_perms; - allow $2 iceauth_home_t:file read_file_perms; - + allow $2 xauth_home_t:file read_file_perms; + allow $2 iceauth_home_t:file read_file_perms; + + xserver_filetrans_home_content($2) + - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; + # for when /tmp/.X11-unix is created by the system + allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search_dir_perms; - allow $2 xdm_tmp_t:sock_file { read write }; + allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; + userdom_search_user_tmp_dirs($2) + userdom_rw_user_tmp_sock_files($2) - dontaudit $2 xdm_t:tcp_socket { read write }; - - # Allow connections to X server. + dontaudit $2 xdm_t:tcp_socket { read write }; + + # Allow connections to X server. 
@@ -472,20 +425,26 @@ template(`xserver_user_x_domain_template',` - # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($2) - + # for .xsession-errors + userdom_dontaudit_write_user_home_content_files($2) + - xserver_ro_session($2,$3) + xserver_ro_session($2, $3) - xserver_use_user_fonts($2) - + xserver_use_user_fonts($2) + - xserver_read_xdm_tmp_files($2) + userdom_read_user_tmp_files($2) + xserver_read_xdm_pid($2) + xserver_xdm_append_log($2) - - # X object manager - xserver_object_types_template($1) + + # X object manager + xserver_object_types_template($1) - xserver_common_x_domain_template($1,$2) + xserver_common_x_domain_template($1, $2) - - # Client write xserver shm + + # Client write xserver shm - tunable_policy(`allow_write_xshm',` + tunable_policy(`xserver_clients_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; - ') + allow $2 xserver_t:shm rw_shm_perms; + allow $2 xserver_tmpfs_t:file rw_file_perms; + ') + + tunable_policy(`selinuxuser_direct_dri_enabled',` + dev_rw_dri($2) + ') ') - + ######################################## @@ -517,6 +476,7 @@ interface(`xserver_use_user_fonts',` - # Read per user fonts - allow $1 user_fonts_t:dir list_dir_perms; - allow $1 user_fonts_t:file read_file_perms; + # Read per user fonts + allow $1 user_fonts_t:dir list_dir_perms; + allow $1 user_fonts_t:file read_file_perms; + allow $1 user_fonts_t:lnk_file read_lnk_file_perms; - - # Manipulate the global font cache - manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) + + # Manipulate the global font cache + manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) @@ -547,6 +507,42 @@ interface(`xserver_domtrans_xauth',` - domtrans_pattern($1, xauth_exec_t, xauth_t) + domtrans_pattern($1, xauth_exec_t, xauth_t) ') - + +###################################### +## +## Allow exec of Xauthority program.. 
@@ -33319,9 +33319,9 @@ index 6bf0ecc2d..28048bf64 100644 ## ## Create a Xauthority file in the user home directory. @@ -565,6 +561,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` - userdom_user_home_dir_filetrans($1, xauth_home_t, file) + userdom_user_home_dir_filetrans($1, xauth_home_t, file) ') - + +######################################## +## +## Create a Xauthority file in the admin home directory. @@ -33344,9 +33344,9 @@ index 6bf0ecc2d..28048bf64 100644 ## ## Read all users fonts, user font configurations, @@ -598,6 +612,25 @@ interface(`xserver_read_user_xauth',` - - allow $1 xauth_home_t:file read_file_perms; - userdom_search_user_home_dirs($1) + + allow $1 xauth_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) + xserver_read_xdm_pid($1) +') + @@ -33367,21 +33367,21 @@ index 6bf0ecc2d..28048bf64 100644 + + allow $1 xauth_home_t:file manage_file_perms; ') - + ######################################## @@ -615,7 +648,7 @@ interface(`xserver_setattr_console_pipes',` - type xconsole_device_t; - ') - + type xconsole_device_t; + ') + - allow $1 xconsole_device_t:fifo_file setattr; + allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; ') - + ######################################## @@ -636,6 +669,25 @@ interface(`xserver_rw_console',` - allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; + allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; ') - + +######################################## +## +## Read XDM state files. @@ -33405,61 +33405,61 @@ index 6bf0ecc2d..28048bf64 100644 ## ## Use file descriptors for xdm. @@ -651,7 +703,7 @@ interface(`xserver_use_xdm_fds',` - type xdm_t; - ') - -- allow $1 xdm_t:fd use; + type xdm_t; + ') + +- allow $1 xdm_t:fd use; + allow $1 xdm_t:fd use; ') - + ######################################## 
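Review bot: The changed lines in this hunk (starting at `@@ -33205,80 +33205,80 @@`, and likewise in every later hunk through `@@ -35753,7`) alter only the leading whitespace of lines inside the carried `xserver.if`/`xserver.te` patch, including that patch's context and removed lines (`- allow $2 self:shm create_shm_perms;` becomes `+ allow $2 self:shm create_shm_perms;` with the rule text unchanged), so no policy rule is added or dropped here. Context and removed lines of a patch must match the upstream source byte for byte, so this re-indentation is only safe if it restores the exact upstream tabs; if it does not, the refreshed patch will be rejected at package build time unless `patch` is invoked with `-l`/`--ignore-whitespace`, which would silently weaken the match. The collapsed rendering hides tab-versus-space differences, so this cannot be confirmed from the page; a dry-run application of the refreshed patch against the unpacked upstream tree should be part of the review before merging. The inner hunk `@@ -444,8 +394,9 @@ template(`xserver_user_x_domain_template'` continues past the end of this outer hunk.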
@@ -670,7 +722,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` - type xdm_t; - ') - -- dontaudit $1 xdm_t:fd use; + type xdm_t; + ') + +- dontaudit $1 xdm_t:fd use; + dontaudit $1 xdm_t:fd use; ') - + ######################################## @@ -688,7 +740,7 @@ interface(`xserver_rw_xdm_pipes',` - type xdm_t; - ') - -- allow $1 xdm_t:fifo_file { getattr read write }; + type xdm_t; + ') + +- allow $1 xdm_t:fifo_file { getattr read write }; + allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## @@ -703,12 +755,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` - - gen_require(` - type xdm_t; - ') - -- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; + gen_require(` + type xdm_t; + ') + +- dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; + dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; ') - + ######################################## @@ -765,16 +816,19 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` - gen_require(` + gen_require(` - type xdm_t, xdm_tmp_t; + type xdm_t, xdm_var_run_t; - ') - - files_search_tmp($1) + ') + + files_search_tmp($1) - stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t) + files_search_pids($1) + stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t) + userdom_stream_connect($1) ') - + ######################################## ## -## Read xdm-writable configuration files. 
@@ -33475,20 +33475,20 @@ index 6bf0ecc2d..28048bf64 100644 -interface(`xserver_read_xdm_rw_config',` + +interface(`xserver_append_xdm_stream_socket',` - gen_require(` + gen_require(` - type xdm_rw_etc_t; + type xdm_t; - ') - + ') + - files_search_etc($1) - allow $1 xdm_rw_etc_t:file read_file_perms; + allow $1 xdm_t:unix_stream_socket append; ') - + ######################################## ## -## Set the attributes of XDM temporary directories. -+## Read XDM files in user home directories. ++## Read XDM files in user home directories. ## ## ## @@ -33498,16 +33498,16 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_setattr_xdm_tmp_dirs',` +interface(`xserver_read_xdm_home_files',` - gen_require(` + gen_require(` - type xdm_tmp_t; + type xdm_home_t; - ') - + ') + - allow $1 xdm_tmp_t:dir setattr; + userdom_search_user_home_dirs($1) + allow $1 xdm_home_t:file read_file_perms; ') - + ######################################## ## -## Create a named socket in a XDM @@ -33522,11 +33522,11 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_create_xdm_tmp_sockets',` +interface(`xserver_read_config',` - gen_require(` + gen_require(` - type xdm_tmp_t; + type xserver_etc_t; - ') - + ') + - files_search_tmp($1) - allow $1 xdm_tmp_t:dir list_dir_perms; - create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) @@ -33534,7 +33534,7 @@ index 6bf0ecc2d..28048bf64 100644 + read_files_pattern($1, xserver_etc_t, xserver_etc_t) + read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) ') - + ######################################## ## -## Read XDM pid files. 
@@ -33548,18 +33548,18 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_read_xdm_pid',` +interface(`xserver_manage_config',` - gen_require(` + gen_require(` - type xdm_var_run_t; + type xserver_etc_t; - ') - + ') + - files_search_pids($1) - allow $1 xdm_var_run_t:file read_file_perms; + files_search_etc($1) + manage_files_pattern($1, xserver_etc_t, xserver_etc_t) + manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) ') - + ######################################## ## -## Read XDM var lib files. @@ -33573,16 +33573,16 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_read_xdm_lib_files',` +interface(`xserver_read_xdm_rw_config',` - gen_require(` + gen_require(` - type xdm_var_lib_t; + type xdm_rw_etc_t; - ') - + ') + - allow $1 xdm_var_lib_t:file read_file_perms; + files_search_etc($1) + allow $1 xdm_rw_etc_t:file read_file_perms; ') - + ######################################## ## -## Make an X session script an entrypoint for the specified domain. @@ -33605,7 +33605,7 @@ index 6bf0ecc2d..28048bf64 100644 + refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.') + userdom_search_user_tmp_dirs($1) ') - + ######################################## ## -## Execute an X session in the target domain. This @@ -33647,7 +33647,7 @@ index 6bf0ecc2d..28048bf64 100644 + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') + userdom_dontaudit_setattr_user_tmp($1) ') - + ######################################## ## -## Get the attributes of X server logs. @@ -33671,7 +33671,7 @@ index 6bf0ecc2d..28048bf64 100644 + refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') + userdom_dontaudit_setattr_user_tmp($1) ') - + ######################################## ## -## Do not audit attempts to write the X server 
@@ -33696,7 +33696,7 @@ index 6bf0ecc2d..28048bf64 100644 + refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.') + userdom_create_user_tmp_sockets($1) ') - + ######################################## ## -## Delete X server log files. @@ -33710,11 +33710,11 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_delete_log',` +interface(`xserver_read_xdm_pid',` - gen_require(` + gen_require(` - type xserver_log_t; + type xdm_var_run_t; - ') - + ') + - logging_search_logs($1) - allow $1 xserver_log_t:dir list_dir_perms; - delete_files_pattern($1, xserver_log_t, xserver_log_t) @@ -33722,7 +33722,7 @@ index 6bf0ecc2d..28048bf64 100644 + files_search_pids($1) + read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) ') - + ######################################## ## -## Read X keyboard extension libraries. @@ -33736,18 +33736,18 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_read_xkb_libs',` +interface(`xserver_map_xdm_pid',` - gen_require(` + gen_require(` - type xkb_var_lib_t; + type xdm_var_run_t; - ') - + ') + - files_search_var_lib($1) - allow $1 xkb_var_lib_t:dir list_dir_perms; - read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) - read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) + allow $1 xdm_var_run_t:file map; ') - + -######################################## +###################################### ## @@ -33771,13 +33771,13 @@ index 6bf0ecc2d..28048bf64 100644 + gen_require(` + type xdm_var_run_t; + ') - + - files_search_tmp($1) - read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + dontaudit $1 xdm_var_run_t:dir search_dir_perms; + dontaudit $1 xdm_var_run_t:file read_file_perms; ') - + ######################################## ## -## Do not audit attempts to read xdm temporary files. 
@@ -34394,7 +34394,7 @@ index 6bf0ecc2d..28048bf64 100644 + + allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + allow $1 xserver_t:{ x_screen } setattr; -+ ++ + allow $1 x_domain:x_cursor all_x_cursor_perms; + allow $1 x_domain:x_drawable all_x_drawable_perms; + allow $1 x_domain:x_resource all_x_resource_perms; @@ -34525,17 +34525,17 @@ index 6bf0ecc2d..28048bf64 100644 +## +# +interface(`xserver_xdm_manage_spool',` - gen_require(` + gen_require(` - type xdm_tmp_t; + type xdm_spool_t; - ') - + ') + - dontaudit $1 xdm_tmp_t:dir search_dir_perms; - dontaudit $1 xdm_tmp_t:file read_file_perms; + files_search_spool($1) + manage_files_pattern($1, xdm_spool_t, xdm_spool_t) ') - + ######################################## ## -## Read write xdm temporary files. @@ -34550,18 +34550,18 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_rw_xdm_tmp_files',` +interface(`xserver_dbus_chat_xdm',` - gen_require(` + gen_require(` - type xdm_tmp_t; + type xdm_t; + class dbus send_msg; - ') - + ') + - allow $1 xdm_tmp_t:dir search_dir_perms; - allow $1 xdm_tmp_t:file rw_file_perms; + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; ') - + ######################################## ## -## Create, read, write, and delete xdm temporary files. @@ -34576,17 +34576,17 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_manage_xdm_tmp_files',` +interface(`xserver_dbus_chat',` - gen_require(` + gen_require(` - type xdm_tmp_t; + type xserver_t; + class dbus send_msg; - ') - + ') + - manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + allow $1 xserver_t:dbus send_msg; + allow xserver_t $1:dbus send_msg; ') - + ######################################## ## -## Do not audit attempts to get the attributes of 
@@ -34602,16 +34602,16 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +interface(`xserver_read_pid',` - gen_require(` + gen_require(` - type xdm_tmp_t; + type xserver_var_run_t; - ') - + ') + - dontaudit $1 xdm_tmp_t:sock_file getattr; + files_search_pids($1) + read_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') - + ######################################## ## -## Execute the X server in the X server domain. @@ -34626,17 +34626,17 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_domtrans',` +interface(`xserver_exec_pid',` - gen_require(` + gen_require(` - type xserver_t, xserver_exec_t; + type xserver_var_run_t; - ') - + ') + - allow $1 xserver_t:process siginh; - domtrans_pattern($1, xserver_exec_t, xserver_t) + files_search_pids($1) + exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') - + ######################################## ## -## Signal X servers @@ -34650,16 +34650,16 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_signal',` +interface(`xserver_write_pid',` - gen_require(` + gen_require(` - type xserver_t; + type xserver_var_run_t; - ') - + ') + - allow $1 xserver_t:process signal; + files_search_pids($1) + write_files_pattern($1, xserver_var_run_t, xserver_var_run_t) ') - + ######################################## ## -## Kill X servers @@ -34728,16 +34728,16 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_kill',` +interface(`xserver_read_user_iceauth',` - gen_require(` + gen_require(` - type xserver_t; + type iceauth_home_t; - ') - + ') + - allow $1 xserver_t:process sigkill; + # Read .Iceauthority file + allow $1 iceauth_home_t:file read_file_perms; ') - + ######################################## ## -## Read and write X server Sys V Shared 
@@ -34752,18 +34752,18 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_rw_shm',` +interface(`xserver_rw_inherited_user_fonts',` - gen_require(` + gen_require(` - type xserver_t; + type user_fonts_t, user_fonts_config_t; - ') - + ') + - allow $1 xserver_t:shm rw_shm_perms; + allow $1 user_fonts_t:file rw_inherited_file_perms; + allow $1 user_fonts_t:file read_lnk_file_perms; + + allow $1 user_fonts_config_t:file rw_inherited_file_perms; ') - + ######################################## ## -## Do not audit attempts to read and write to @@ -34779,15 +34779,15 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_dontaudit_rw_tcp_sockets',` +interface(`xserver_search_xdm_lib',` - gen_require(` + gen_require(` - type xserver_t; + type xdm_var_lib_t; - ') - + ') + - dontaudit $1 xserver_t:tcp_socket { read write }; + allow $1 xdm_var_lib_t:dir search_dir_perms; ') - + ######################################## ## -## Do not audit attempts to read and write X server @@ -34828,15 +34828,15 @@ index 6bf0ecc2d..28048bf64 100644 +## +# +interface(`xserver_run',` - gen_require(` - type xserver_t; - ') - + gen_require(` + type xserver_t; + ') + - dontaudit $1 xserver_t:unix_stream_socket { read write }; + xserver_domtrans($1) + role $2 types xserver_t; ') - + ######################################## ## -## Connect to the X server over a unix domain @@ -34858,17 +34858,17 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_stream_connect',` +interface(`xserver_run_xauth',` - gen_require(` + gen_require(` - type xserver_t, xserver_tmp_t; + type xauth_t; - ') - + ') + - files_search_tmp($1) - stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) + xserver_domtrans_xauth($1) + role $2 types xauth_t; ') - + ######################################## ## -## Read X server temporary files. 
@@ -34883,11 +34883,11 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_read_tmp_files',` +interface(`xserver_read_home_fonts',` - gen_require(` + gen_require(` - type xserver_tmp_t; + type user_fonts_t, user_fonts_config_t; - ') - + ') + - allow $1 xserver_tmp_t:file read_file_perms; - files_search_tmp($1) + list_dirs_pattern($1, user_fonts_t, user_fonts_t) @@ -34896,7 +34896,7 @@ index 6bf0ecc2d..28048bf64 100644 + + read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ') - + ######################################## ## -## Interface to provide X object permissions on a given X server to @@ -34913,19 +34913,19 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_manage_core_devices',` +interface(`xserver_manage_user_fonts_dir',` - gen_require(` + gen_require(` - type xserver_t; - class x_device all_x_device_perms; - class x_pointer all_x_pointer_perms; - class x_keyboard all_x_keyboard_perms; + type user_fonts_t; - ') - + ') + - allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) + files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix") ') - + ######################################## ## -## Interface to provide X object permissions on a given X server to @@ -34942,12 +34942,12 @@ index 6bf0ecc2d..28048bf64 100644 # -interface(`xserver_unconfined',` +interface(`xserver_manage_home_fonts',` - gen_require(` + gen_require(` - attribute x_domain; - attribute xserver_unconfined_type; + type user_fonts_t, user_fonts_config_t, user_fonts_cache_t; - ') - + ') + - typeattribute $1 x_domain; - typeattribute $1 xserver_unconfined_type; + manage_dirs_pattern($1, user_fonts_t, user_fonts_t) @@ -35155,7 +35155,7 @@ index 8b403774f..87dcb5ec7 100644 +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` # - + ## -##

      -## Allows clients to write to the X server shared @@ -35175,7 +35175,7 @@ index 8b403774f..87dcb5ec7 100644 ## -gen_tunable(allow_write_xshm, false) +gen_tunable(xserver_execmem, false) - + ## ##

      -## Allow xdm logins as sysadm @@ -35190,7 +35190,7 @@ index 8b403774f..87dcb5ec7 100644 +##

      +##
      gen_tunable(xdm_sysadm_login, false) - + ## -##

      -## Support X userspace object manager @@ -35214,7 +35214,7 @@ index 8b403774f..87dcb5ec7 100644 +##

      ##
      gen_tunable(xserver_object_manager, false) - + +## +##

      +## Allow regular users direct dri device access @@ -35226,12 +35226,12 @@ index 8b403774f..87dcb5ec7 100644 +attribute x_userdomain; attribute x_domain; +attribute dridomain; - + # X Events attribute xevent_type; @@ -107,44 +145,54 @@ xserver_object_types_template(remote) xserver_common_x_domain_template(remote, remote_t) - + type user_fonts_t; -typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t }; +typealias user_fonts_t alias { staff_fonts_t sysadm_fonts_t xfs_fonts_t }; 
@@ -35240,55 +35240,55 @@ index 8b403774f..87dcb5ec7 100644 +typealias user_fonts_t alias xfs_tmp_t; userdom_user_home_content(user_fonts_t) +files_tmp_file(user_fonts_t) - + type user_fonts_cache_t; typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t }; typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t }; +typealias user_fonts_cache_t alias { xguest_fonts_cache_t unconfined_fonts_cache_t }; userdom_user_home_content(user_fonts_cache_t) - + type user_fonts_config_t; typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t }; typealias user_fonts_config_t alias { auditadm_fonts_config_t secadm_fonts_config_t }; +typealias user_fonts_config_t alias { fonts_config_home_t xguest_fonts_config_t unconfined_fonts_config_t }; userdom_user_home_content(user_fonts_config_t) - + type iceauth_t; type iceauth_exec_t; typealias iceauth_t alias { user_iceauth_t staff_iceauth_t sysadm_iceauth_t }; +typealias iceauth_t alias { xguest_iceauth_t }; typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; userdom_user_application_domain(iceauth_t, iceauth_exec_t) - + type iceauth_home_t; typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t }; +typealias iceauth_home_t alias { xguest_iceauth_home_t }; userdom_user_home_content(iceauth_home_t) - + type xauth_t; type xauth_exec_t; typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t }; typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t }; +typealias xauth_t alias { xguest_xauth_t unconfined_xauth_t }; userdom_user_application_domain(xauth_t, xauth_exec_t) - + type xauth_home_t; typealias xauth_home_t alias { user_xauth_home_t staff_xauth_home_t sysadm_xauth_home_t }; typealias xauth_home_t alias { auditadm_xauth_home_t secadm_xauth_home_t }; +typealias xauth_home_t alias { xguest_xauth_home_t 
unconfined_xauth_home_t }; userdom_user_home_content(xauth_home_t) - + type xauth_tmp_t; typealias xauth_tmp_t alias { user_xauth_tmp_t staff_xauth_tmp_t sysadm_xauth_tmp_t }; +typealias xauth_tmp_t alias { xguest_xauth_tmp_t unconfined_xauth_tmp_t }; typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; userdom_user_tmp_file(xauth_tmp_t) - + @@ -155,19 +203,28 @@ dev_associate(xconsole_device_t) fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) - + -type xdm_t; +type xdm_unconfined_exec_t; +application_executable_file(xdm_unconfined_exec_t) @@ -35301,10 +35301,10 @@ index 8b403774f..87dcb5ec7 100644 +init_system_domain(xdm_t, xdm_exec_t) xserver_object_types_template(xdm) xserver_common_x_domain_template(xdm, xdm_t) - + type xdm_lock_t; files_lock_file(xdm_lock_t) - + +type xdm_etc_t; +files_config_file(xdm_etc_t) + @@ -35314,13 +35314,13 @@ index 8b403774f..87dcb5ec7 100644 + +type xdm_spool_t; +files_spool_file(xdm_spool_t) - + type xdm_var_lib_t; files_type(xdm_var_lib_t) @@ -175,13 +232,21 @@ files_type(xdm_var_lib_t) type xdm_var_run_t; files_pid_file(xdm_var_run_t) - + -type xdm_tmp_t; -files_tmp_file(xdm_tmp_t) -typealias xdm_tmp_t alias ice_tmp_t; @@ -35329,10 +35329,10 @@ index 8b403774f..87dcb5ec7 100644 + +type xserver_var_run_t; +files_pid_file(xserver_var_run_t) - + type xdm_tmpfs_t; files_tmpfs_file(xdm_tmpfs_t) - + +type xdm_home_t; +userdom_user_home_content(xdm_home_t) + @@ -35345,14 +35345,14 @@ index 8b403774f..87dcb5ec7 100644 
@@ -194,15 +259,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) - + -type xserver_tmp_t; -typealias xserver_tmp_t alias { user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t }; -typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -userdom_user_tmp_file(xserver_tmp_t) +type xserver_etc_t; +files_config_file(xserver_etc_t) - + type xserver_tmpfs_t; -typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; -typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t }; @@ -35360,32 +35360,32 @@ index 8b403774f..87dcb5ec7 100644 +typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t }; +typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t }; +userdom_user_tmp_file(xserver_tmpfs_t) - + type xsession_exec_t; corecmd_executable_file(xsession_exec_t) @@ -226,21 +289,35 @@ optional_policy(` # - + allow iceauth_t iceauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) - + allow xdm_t iceauth_home_t:file read_file_perms; - + +dev_read_rand(iceauth_t) + fs_search_auto_mountpoints(iceauth_t) - + -userdom_use_user_terminals(iceauth_t) +userdom_use_inherited_user_terminals(iceauth_t) userdom_read_user_tmp_files(iceauth_t) +userdom_read_all_users_state(iceauth_t) +userdom_home_manager(iceauth_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(iceauth_t) -') +xserver_filetrans_home_content(iceauth_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(iceauth_t) +ifdef(`hide_broken_symptoms',` 
@@ -35404,12 +35404,12 @@ index 8b403774f..87dcb5ec7 100644 + mozilla_dontaudit_rw_user_home_files(iceauth_t) + ') ') - + ######################################## @@ -248,48 +325,91 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # - + +allow xauth_t self:capability { dac_read_search dac_override }; allow xauth_t self:process signal; +allow xauth_t self:shm create_shm_perms; 
@@ -35420,51 +35420,51 @@ index 8b403774f..87dcb5ec7 100644 +allow xauth_t xserver_t:unix_stream_socket connectto; + +corenet_tcp_connect_xserver_port(xauth_t) - + allow xauth_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) + +manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) +manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t) - + manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) - + -allow xdm_t xauth_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) - + +kernel_read_network_state(xauth_t) +kernel_read_system_state(xauth_t) kernel_request_load_module(xauth_t) - + +dev_read_rand(xauth_t) +dev_read_urand(xauth_t) + domain_use_interactive_fds(xauth_t) +domain_dontaudit_leaks(xauth_t) - + files_read_etc_files(xauth_t) +files_read_usr_files(xauth_t) files_search_pids(xauth_t) +files_dontaudit_getattr_all_dirs(xauth_t) +files_dontaudit_leaks(xauth_t) +files_var_lib_filetrans(xauth_t, xauth_home_t, file) - + -fs_getattr_xattr_fs(xauth_t) +fs_dontaudit_leaks(xauth_t) +fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) - + -# cjp: why? -term_use_ptmx(xauth_t) +# Probably a leak +term_dontaudit_use_ptmx(xauth_t) +term_dontaudit_use_console(xauth_t) - + auth_use_nsswitch(xauth_t) - + -userdom_use_user_terminals(xauth_t) +userdom_use_inherited_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) 
@@ -35477,9 +35477,9 @@ index 8b403774f..87dcb5ec7 100644 +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") - + xserver_rw_xdm_tmp_files(xauth_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files(xauth_t) +ifdef(`hide_broken_symptoms',` @@ -35490,7 +35490,7 @@ index 8b403774f..87dcb5ec7 100644 + dev_dontaudit_rw_generic_dev_nodes(xauth_t) + miscfiles_read_fonts(xauth_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(xauth_t) +userdom_home_manager(xauth_t) @@ -35503,16 +35503,16 @@ index 8b403774f..87dcb5ec7 100644 +optional_policy(` + nx_var_lib_filetrans(xauth_t, xauth_home_t, file) ') - + optional_policy(` + ssh_use_ptys(xauth_t) - ssh_sigchld(xauth_t) - ssh_read_pipes(xauth_t) - ssh_dontaudit_rw_tcp_sockets(xauth_t) + ssh_sigchld(xauth_t) + ssh_read_pipes(xauth_t) + ssh_dontaudit_rw_tcp_sockets(xauth_t) @@ -300,64 +420,105 @@ optional_policy(` # XDM Local policy # - + -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; @@ -35539,7 +35539,7 @@ index 8b403774f..87dcb5ec7 100644 +allow xdm_t self:dbus { send_msg acquire_svc }; + +allow xdm_t xauth_home_t:file manage_file_perms; - + -allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) 
@@ -35554,27 +35554,27 @@ index 8b403774f..87dcb5ec7 100644 +userdom_delete_user_home_content_files(xdm_t) +userdom_signull_unpriv_users(xdm_t) +userdom_dontaudit_read_admin_home_lnk_files(xdm_t) - + # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) +can_exec(xdm_t, xsession_exec_t) - + allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) - + +read_lnk_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) +read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t) # wdm has its own config dir /etc/X11/wdm # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) - + -manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) -files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) +userdom_manage_all_user_tmp_content(xdm_t) +userdom_exec_user_tmp_files(xdm_t) - + manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) @@ -35588,7 +35588,7 @@ index 8b403774f..87dcb5ec7 100644 +manage_dirs_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +manage_files_pattern(xdm_t, xdm_spool_t, xdm_spool_t) +files_spool_filetrans(xdm_t, xdm_spool_t, { file dir }) - + manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) @@ -35598,7 +35598,7 @@ index 8b403774f..87dcb5ec7 100644 +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) +# Read machine-id +files_read_var_lib_files(xdm_t) - + manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +exec_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) 
@@ -35607,31 +35607,31 @@ index 8b403774f..87dcb5ec7 100644 -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) - + -allow xdm_t xserver_t:process signal; +allow xdm_t xserver_t:process { signal signull }; allow xdm_t xserver_t:unix_stream_socket connectto; - + allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms }; +allow xdm_t xserver_tmp_t:dir { setattr_dir_perms list_dir_perms }; - + # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) + +ps_process_pattern(xserver_t, xdm_t) allow xserver_t xdm_t:process signal; allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; - + allow xdm_t xserver_t:shm rw_shm_perms; +read_files_pattern(xdm_t, xserver_t, xserver_t) - + # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -366,20 +527,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) - + +manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t) +manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t) @@ -35644,7 +35644,7 @@ index 8b403774f..87dcb5ec7 100644 manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xdm_t, xserver_log_t, file) +files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm") - + kernel_read_system_state(xdm_t) +kernel_read_device_sysctls(xdm_t) kernel_read_kernel_sysctls(xdm_t) 
@@ -35653,11 +35653,11 @@ index 8b403774f..87dcb5ec7 100644 +kernel_request_load_module(xdm_t) +kernel_stream_connect(xdm_t) +kernel_view_key(xdm_t) - + corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) +corecmd_dontaudit_access_all_executables(xdm_t) - + -corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) @@ -35672,7 +35672,7 @@ index 8b403774f..87dcb5ec7 100644 corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t corenet_dontaudit_tcp_bind_all_ports(xdm_t) - + +dev_rwx_zero(xdm_t) dev_read_rand(xdm_t) -dev_read_sysfs(xdm_t) @@ -35708,13 +35708,13 @@ index 8b403774f..87dcb5ec7 100644 +dev_getattr_null_dev(xdm_t) +dev_setattr_null_dev(xdm_t) +dev_getattr_loop_control(xdm_t) - + domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) +domain_dontaudit_signal_all_domains(xdm_t) +domain_dontaudit_getattr_all_entry_files(xdm_t) - + files_read_etc_files(xdm_t) files_read_var_files(xdm_t) @@ -431,9 +615,30 @@ files_list_mnt(xdm_t) @@ -35729,7 +35729,7 @@ index 8b403774f..87dcb5ec7 100644 +files_dontaudit_getattr_all_tmp_sockets(xdm_t) +files_dontaudit_all_access_check(xdm_t) +files_dontaudit_list_non_security(xdm_t) - + fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) +fs_search_all(xdm_t) @@ -35745,7 +35745,7 @@ index 8b403774f..87dcb5ec7 100644 + +mls_socket_write_to_clearance(xdm_t) +mls_trusted_object(xdm_t) - + storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) @@ -442,28 +647,50 @@ storage_dontaudit_raw_read_removable_device(xdm_t) @@ -35753,7 +35753,7 @@ index 8b403774f..87dcb5ec7 100644 storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) +storage_dontaudit_rw_fuse(xdm_t) - + term_setattr_console(xdm_t) -term_use_unallocated_ttys(xdm_t) term_setattr_unallocated_ttys(xdm_t) 
@@ -35761,7 +35761,7 @@ index 8b403774f..87dcb5ec7 100644 +term_relabel_all_ttys(xdm_t) +term_relabel_unallocated_ttys(xdm_t) +term_getattr_virtio_console(xdm_t) - + auth_domtrans_pam_console(xdm_t) -auth_manage_pam_pid(xdm_t) +#auth_manage_pam_pid(xdm_t) @@ -35769,7 +35769,7 @@ index 8b403774f..87dcb5ec7 100644 +auth_signal_pam(xdm_t) auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) - + # Run telinit->init to shutdown. init_telinit(xdm_t) +init_dbus_chat(xdm_t) @@ -35777,12 +35777,12 @@ index 8b403774f..87dcb5ec7 100644 +init_status(xdm_t) + +application_exec(xdm_t) - + libs_exec_lib_files(xdm_t) +libs_exec_ldconfig(xdm_t) - + logging_read_generic_logs(xdm_t) - + -miscfiles_read_localization(xdm_t) +miscfiles_search_man_pages(xdm_t) miscfiles_read_fonts(xdm_t) @@ -35801,7 +35801,7 @@ index 8b403774f..87dcb5ec7 100644 +systemd_status_power_services(xdm_t) +systemd_hwdb_mmap_config(xdm_t) +systemd_hwdb_read_config(xdm_t) - + userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) @@ -472,24 +699,167 @@ userdom_read_user_home_content_files(xdm_t) @@ -35940,7 +35940,7 @@ index 8b403774f..87dcb5ec7 100644 +### end of filename transitions ### + +application_signal(xdm_t) - + xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) +xserver_domtrans_xauth(xdm_t) @@ -35952,21 +35952,21 @@ index 8b403774f..87dcb5ec7 100644 +ifdef(`distro_rhel4',` + allow xdm_t self:process { execheap execmem }; +') - + tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xdm_t) - fs_manage_nfs_files(xdm_t) - fs_manage_nfs_symlinks(xdm_t) - fs_exec_nfs_files(xdm_t) + fs_exec_nfs_files(xdm_t) ') - + tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(xdm_t) - fs_manage_cifs_files(xdm_t) - fs_manage_cifs_symlinks(xdm_t) - fs_exec_cifs_files(xdm_t) + fs_exec_cifs_files(xdm_t) ') - + +optional_policy(` + tunable_policy(`xdm_exec_bootloader',` + bootloader_exec(xdm_t) 
@@ -35976,12 +35976,12 @@ index 8b403774f..87dcb5ec7 100644 +') + tunable_policy(`xdm_sysadm_login',` - userdom_xsession_spec_domtrans_all_users(xdm_t) - # FIXME: + userdom_xsession_spec_domtrans_all_users(xdm_t) + # FIXME: @@ -502,12 +872,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') - + +tunable_policy(`xdm_bind_vnc_tcp_port',` + corenet_tcp_bind_vnc_port(xdm_t) +') @@ -36000,21 +36000,21 @@ index 8b403774f..87dcb5ec7 100644 +') + optional_policy(` - alsa_domtrans(xdm_t) + alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) ') - + optional_policy(` - consolekit_dbus_chat(xdm_t) + consolekit_dbus_chat(xdm_t) + consolekit_read_log(xdm_t) ') - + optional_policy(` @@ -517,9 +906,34 @@ optional_policy(` optional_policy(` - dbus_system_bus_client(xdm_t) - dbus_connect_system_bus(xdm_t) -+ + dbus_system_bus_client(xdm_t) + dbus_connect_system_bus(xdm_t) ++ + optional_policy(` + accountsd_dbus_chat(xdm_t) + ') @@ -36031,8 +36031,8 @@ index 8b403774f..87dcb5ec7 100644 + devicekit_dbus_chat_disk(xdm_t) + devicekit_dbus_chat_power(xdm_t) + ') - - optional_policy(` + + optional_policy(` - accountsd_dbus_chat(xdm_t) + hal_dbus_chat(xdm_t) + ') @@ -36043,13 +36043,13 @@ index 8b403774f..87dcb5ec7 100644 + + optional_policy(` + networkmanager_dbus_chat(xdm_t) - ') + ') ') - + @@ -529,6 +943,20 @@ optional_policy(` - gpm_setattr_gpmctl(xdm_t) + gpm_setattr_gpmctl(xdm_t) ') - + +optional_policy(` + gnome_stream_connect_gkeyringd(xdm_t) + gnome_exec_gstreamer_home_files(xdm_t) @@ -36065,12 +36065,12 @@ index 8b403774f..87dcb5ec7 100644 +') + optional_policy(` - hostname_exec(xdm_t) + hostname_exec(xdm_t) ') @@ -546,29 +974,79 @@ optional_policy(` - mta_dontaudit_getattr_spool_files(xdm_t) + mta_dontaudit_getattr_spool_files(xdm_t) ') - + +optional_policy(` + policykit_dbus_chat(xdm_t) + policykit_domtrans_auth(xdm_t) 
@@ -36098,9 +36098,9 @@ index 8b403774f..87dcb5ec7 100644 +') + optional_policy(` - resmgr_stream_connect(xdm_t) + resmgr_stream_connect(xdm_t) ') - + +optional_policy(` + rhev_stream_connect_agentd(xdm_t) + rhev_read_pid_files_agentd(xdm_t) @@ -36119,27 +36119,27 @@ index 8b403774f..87dcb5ec7 100644 +') + optional_policy(` - seutil_sigchld_newrole(xdm_t) + seutil_sigchld_newrole(xdm_t) ') - + optional_policy(` - udev_read_db(xdm_t) + ssh_signull(xdm_t) ') - + optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) + shutdown_domtrans(xdm_t) +') - + - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; - ') +optional_policy(` + telepathy_exec(xdm_t) +') - + - ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; - ') @@ -36154,12 +36154,12 @@ index 8b403774f..87dcb5ec7 100644 +optional_policy(` + usbmuxd_stream_connect(xdm_t) ') - + optional_policy(` @@ -579,6 +1057,14 @@ optional_policy(` - usermanage_read_crack_db(xdm_t) + usermanage_read_crack_db(xdm_t) ') - + +optional_policy(` + vdagent_stream_connect(xdm_t) +') @@ -36169,21 +36169,21 @@ index 8b403774f..87dcb5ec7 100644 +') + optional_policy(` - xfs_stream_connect(xdm_t) + xfs_stream_connect(xdm_t) ') @@ -594,7 +1080,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; - + allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; -allow xserver_t input_xevent_t:x_event send; +allow xserver_t xevent_type:x_event send; - + # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer 
@@ -604,8 +1090,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack - + -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + @@ -36199,7 +36199,7 @@ index 8b403774f..87dcb5ec7 100644 allow xserver_t self:udp_socket create_socket_perms; +allow xserver_t self:netlink_selinux_socket create_socket_perms; allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms; - + +allow xserver_t { input_xevent_t input_xevent_type }:x_event send; + +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) @@ -36210,9 +36210,9 @@ index 8b403774f..87dcb5ec7 100644 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) @@ -627,36 +1123,48 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) - + filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) - + +allow xserver_t xserver_etc_t:dir list_dir_perms; +read_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t) +read_lnk_files_pattern(xserver_t, xserver_etc_t, xserver_etc_t) 
@@ -36224,11 +36224,11 @@ index 8b403774f..87dcb5ec7 100644 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +allow xserver_t xserver_tmpfs_t:file map; - + manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) - + -domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) -allow xserver_t xauth_home_t:file read_file_perms; +manage_dirs_pattern(xserver_t, xserver_var_lib_t, xserver_var_lib_t) @@ -36239,12 +36239,12 @@ index 8b403774f..87dcb5ec7 100644 +manage_files_pattern(xserver_t, xserver_var_run_t, xserver_var_run_t) +manage_sock_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) +files_pid_filetrans(xserver_t, xserver_var_run_t, { file dir }) - + # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t, file) +manage_files_pattern(xserver_t, xdm_log_t, xdm_log_t) - + kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -kernel_read_modprobe_sysctls(xserver_t) @@ -36253,11 +36253,11 @@ index 8b403774f..87dcb5ec7 100644 kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) +kernel_request_load_module(xserver_t) - + # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) corecmd_exec_shell(xserver_t) - + -corenet_all_recvfrom_unlabeled(xserver_t) corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) 
@@ -36283,22 +36283,22 @@ index 8b403774f..87dcb5ec7 100644 dev_rw_input_dev(xserver_t) +dev_write_raw_memory(xserver_t) dev_rwx_zero(xserver_t) - + -domain_dontaudit_search_all_domains_state(xserver_t) +domain_dontaudit_read_all_domains_state(xserver_t) +domain_signal_all_domains(xserver_t) - + files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) files_read_usr_files(xserver_t) +files_rw_tmpfs_files(xserver_t) - + # brought on by rhgb files_search_mnt(xserver_t) @@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) - + +mls_file_read_to_clearance(xserver_t) +mls_file_write_all_levels(xserver_t) +mls_file_upgrade(xserver_t) @@ -36308,30 +36308,30 @@ index 8b403774f..87dcb5ec7 100644 +mls_sysvipc_write_to_clearance(xserver_t) +mls_trusted_object(xserver_t) mls_xwin_read_to_clearance(xserver_t) - + selinux_validate_context(xserver_t) @@ -718,28 +1240,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) - + -getty_use_fds(xserver_t) - locallogin_use_fds(xserver_t) - + logging_send_syslog_msg(xserver_t) logging_send_audit_msgs(xserver_t) - + -miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) - -modutils_domtrans_insmod(xserver_t) +miscfiles_read_hwdata(xserver_t) - + # read x_contexts seutil_read_default_contexts(xserver_t) +seutil_read_config(xserver_t) +seutil_read_file_contexts(xserver_t) - + userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) userdom_setattr_user_ttys(xserver_t) @@ -36340,13 +36340,13 @@ index 8b403774f..87dcb5ec7 100644 - -xserver_use_user_fonts(xserver_t) +userdom_map_tmp_files(xserver_t) - + ifndef(`distro_redhat',` - allow xserver_t self:process { execmem execheap execstack }; + allow xserver_t self:process { execmem execheap execstack }; 
@@ -784,24 +1303,65 @@ optional_policy(` - auth_search_pam_console_data(xserver_t) + auth_search_pam_console_data(xserver_t) ') - + +optional_policy(` + consolekit_read_state(xserver_t) +') @@ -36364,10 +36364,10 @@ index 8b403774f..87dcb5ec7 100644 +') + optional_policy(` - rhgb_getpgid(xserver_t) - rhgb_signal(xserver_t) + rhgb_getpgid(xserver_t) + rhgb_signal(xserver_t) ') - + +optional_policy(` + setrans_translate_context(xserver_t) +') @@ -36391,50 +36391,50 @@ index 8b403774f..87dcb5ec7 100644 +') + optional_policy(` - udev_read_db(xserver_t) + udev_read_db(xserver_t) ') - + optional_policy(` - unconfined_domain_noaudit(xserver_t) - unconfined_domtrans(xserver_t) + unconfined_domain(xserver_t) ') - + optional_policy(` - userhelper_search_config(xserver_t) + userhelper_search_config(xserver_t) ') - + +optional_policy(` + wine_rw_shm(xserver_t) +') + optional_policy(` - xfs_stream_connect(xserver_t) + xfs_stream_connect(xserver_t) ') @@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; - + # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! -allow xserver_t xdm_var_lib_t:file { getattr read }; -dontaudit xserver_t xdm_var_lib_t:dir search; +allow xserver_t xdm_var_lib_t:file read_file_perms; +dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms; - + -allow xserver_t xdm_var_run_t:file read_file_perms; +read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) - + # Label pid and temporary files with derived types. -manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +userdom_manage_user_tmp_files(xserver_t) +userdom_manage_user_tmp_sockets(xserver_t) - + # Run xkbcomp. -allow xserver_t xkb_var_lib_t:lnk_file read; +allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms; can_exec(xserver_t, xkb_var_lib_t) - + # VNC v4 module in X server 
@@ -842,26 +1401,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail @@ -36442,7 +36442,7 @@ index 8b403774f..87dcb5ec7 100644 userdom_read_user_home_content_files(xserver_t) +userdom_read_all_users_state(xserver_t) +userdom_home_manager(xserver_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xserver_t) - fs_manage_nfs_files(xserver_t) @@ -36455,21 +36455,21 @@ index 8b403774f..87dcb5ec7 100644 - fs_manage_cifs_symlinks(xserver_t) -') +xserver_use_user_fonts(xserver_t) - + optional_policy(` - dbus_system_bus_client(xserver_t) + dbus_system_bus_client(xserver_t) - hal_dbus_chat(xserver_t) + + optional_policy(` + hal_dbus_chat(xserver_t) + ') ') - + optional_policy(` - resmgr_stream_connect(xdm_t) + mono_rw_shm(xserver_t) ') - + optional_policy(` @@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; @@ -36479,11 +36479,11 @@ index 8b403774f..87dcb5ec7 100644 +allow x_domain self:x_drawable blend; # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; - + @@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; - + +# Device rules +allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell }; +allow x_domain xserver_t:x_screen getattr; @@ -36492,7 +36492,7 @@ index 8b403774f..87dcb5ec7 100644 # # Rules for unconfined access to this module # - + +allow xserver_unconfined_type xserver_t:x_server *; +allow xserver_unconfined_type xdrawable_type:x_drawable *; +allow xserver_unconfined_type xserver_t:x_screen *; 
@@ -36510,12 +36510,12 @@ index 8b403774f..87dcb5ec7 100644 +allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; + tunable_policy(`! xserver_object_manager',` - # should be xserver_unconfined(x_domain), - # but typeattribute doesnt work in conditionals + # should be xserver_unconfined(x_domain), + # but typeattribute doesnt work in conditionals @@ -992,18 +1566,149 @@ tunable_policy(`! xserver_object_manager',` - allow x_domain xevent_type:{ x_event x_synthetic_event } *; + allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') - + -allow xserver_unconfined_type xserver_t:x_server *; -allow xserver_unconfined_type xdrawable_type:x_drawable *; -allow xserver_unconfined_type xserver_t:x_screen *; @@ -36556,7 +36556,7 @@ index 8b403774f..87dcb5ec7 100644 + unconfined_getpgid(xserver_t) +') + -+allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms; ++allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms; +can_exec(xdm_t, xdm_unconfined_exec_t) + +optional_policy(` @@ -36682,9 +36682,9 @@ index 1b6619e64..be02b9618 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if @@ -43,6 +43,27 @@ interface(`application_executable_file',` - corecmd_executable_file($1) + corecmd_executable_file($1) ') - + +####################################### +##

      +## Make the specified type usable for files @@ -36710,14 +36710,14 @@ index 1b6619e64..be02b9618 100644 ## ## Execute application executables in the caller domain. @@ -76,11 +97,28 @@ interface(`application_exec_all',` - corecmd_dontaudit_exec_all_executables($1) - corecmd_exec_bin($1) - corecmd_exec_shell($1) + corecmd_dontaudit_exec_all_executables($1) + corecmd_exec_bin($1) + corecmd_exec_shell($1) - corecmd_exec_chroot($1) - - application_exec($1) + + application_exec($1) ') - + +######################################## +## +## Dontaudit execute all executable files. @@ -36740,9 +36740,9 @@ index 1b6619e64..be02b9618 100644 ## ## Create a domain for applications. @@ -187,6 +225,24 @@ interface(`application_dontaudit_signal',` - dontaudit $1 application_domain_type:process signal; + dontaudit $1 application_domain_type:process signal; ') - + +######################################## +## +## Send kill signals to all application domains. @@ -36765,8 +36765,8 @@ index 1b6619e64..be02b9618 100644 ## ## Do not audit attempts to send kill signals @@ -205,3 +261,21 @@ interface(`application_dontaudit_sigkill',` - - dontaudit $1 application_domain_type:process sigkill; + + dontaudit $1 application_domain_type:process sigkill; ') + +####################################### @@ -36793,7 +36793,7 @@ index c6fdab72d..82aea98a1 100644 @@ -6,15 +6,41 @@ attribute application_domain_type; # Executables to be run by user attribute application_exec_type; - + +domain_use_interactive_fds(application_domain_type) + +userdom_inherit_append_user_home_content_files(application_domain_type) 
@@ -36818,20 +36818,20 @@ index c6fdab72d..82aea98a1 100644 + +optional_policy(` + cron_rw_inherited_user_spool_files(application_domain_type) - cron_sigchld(application_domain_type) + cron_sigchld(application_domain_type) ') - + optional_policy(` - ssh_sigchld(application_domain_type) - ssh_rw_stream_sockets(application_domain_type) + ssh_rw_stream_sockets(application_domain_type) ') - + +optional_policy(` + screen_sigchld(application_domain_type) +') + optional_policy(` - sudo_sigchld(application_domain_type) + sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 247958765..890e1e293 100644 @@ -36844,9 +36844,9 @@ index 247958765..890e1e293 100644 +/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) +/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) - + /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) - + -/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) -/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0) @@ -36863,7 +36863,7 @@ index 247958765..890e1e293 100644 +/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0) - + /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) -/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) +/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) @@ -36873,11 +36873,11 @@ index 247958765..890e1e293 100644 
@@ -16,13 +30,25 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') - + +/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) + /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0) - + -/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) -/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) @@ -36895,16 +36895,16 @@ index 247958765..890e1e293 100644 +/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + +/var/opt/quest/vas/vasd(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - + /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) - + @@ -30,21 +56,25 @@ ifdef(`distro_gentoo', ` - + /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - + /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) @@ -36915,7 +36915,7 @@ index 247958765..890e1e293 100644 -/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) +/var/log/tallylog.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) - + +/var/lib/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/rsa(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + @@ -36933,15 +36933,15 @@ index 3efd5b669..1bfc72041 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
@@ -23,11 +23,17 @@ interface(`auth_role',` - role $1 types chkpwd_t; - - # Transition from the user domain to this domain. + role $1 types chkpwd_t; + + # Transition from the user domain to this domain. - domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) + auth_domtrans_chkpwd($2) - - ps_process_pattern($2, chkpwd_t) - - dontaudit $2 shadow_t:file read_file_perms; + + ps_process_pattern($2, chkpwd_t) + + dontaudit $2 shadow_t:file read_file_perms; + + logging_send_syslog_msg($2) + logging_send_audit_msgs($2) @@ -36949,39 +36949,39 @@ index 3efd5b669..1bfc72041 100644 + usermanage_read_crack_db($2) + ') - + ######################################## @@ -53,13 +59,18 @@ interface(`auth_use_pam',` - auth_read_login_records($1) - auth_append_login_records($1) - auth_rw_lastlog($1) + auth_read_login_records($1) + auth_append_login_records($1) + auth_rw_lastlog($1) - auth_rw_faillog($1) + auth_create_lastlog($1) + auth_manage_faillog($1) - auth_exec_pam($1) - auth_use_nsswitch($1) - + auth_exec_pam($1) + auth_use_nsswitch($1) + + init_rw_stream_sockets($1) + - logging_send_audit_msgs($1) - logging_send_syslog_msg($1) - + logging_send_audit_msgs($1) + logging_send_syslog_msg($1) + + userdom_search_user_tmp_dirs($1) + - optional_policy(` - dbus_system_bus_client($1) - + optional_policy(` + dbus_system_bus_client($1) + @@ -77,9 +88,20 @@ interface(`auth_use_pam',` - kerberos_read_config($1) - ') - + kerberos_read_config($1) + ') + + optional_policy(` + locallogin_getattr_home_content($1) + ') + - optional_policy(` - nis_authenticate($1) - ') + optional_policy(` + nis_authenticate($1) + ') + + optional_policy(` + systemd_dbus_chat_logind($1) @@ -36990,25 +36990,25 @@ index 3efd5b669..1bfc72041 100644 + systemd_read_logind_sessions_files($1) + ') ') - + ######################################## 
@@ -95,69 +117,67 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` - gen_require(` - type var_auth_t, auth_cache_t; + gen_require(` + type var_auth_t, auth_cache_t; + attribute polydomain; + attribute login_pgm; - ') - - domain_type($1) + ') + + domain_type($1) + typeattribute $1 polydomain; + typeattribute $1 login_pgm; + - domain_subj_id_change_exemption($1) - domain_role_change_exemption($1) - domain_obj_id_change_exemption($1) - role system_r types $1; - + domain_subj_id_change_exemption($1) + domain_role_change_exemption($1) + domain_obj_id_change_exemption($1) + role system_r types $1; + - # Needed for pam_selinux_permit to cleanup properly - domain_read_all_domains_state($1) - domain_kill_all_domains($1) @@ -37037,24 +37037,24 @@ index 3efd5b669..1bfc72041 100644 - - fs_list_auto_mountpoints($1) - - selinux_get_fs_mount($1) + selinux_get_fs_mount($1) - selinux_validate_context($1) - selinux_compute_access_vector($1) - selinux_compute_create_context($1) - selinux_compute_relabel_context($1) - selinux_compute_user_contexts($1) - - mls_file_read_all_levels($1) - mls_file_write_all_levels($1) - mls_file_upgrade($1) - mls_file_downgrade($1) - mls_process_set_level($1) + + mls_file_read_all_levels($1) + mls_file_write_all_levels($1) + mls_file_upgrade($1) + mls_file_downgrade($1) + mls_process_set_level($1) + mls_process_write_to_clearance($1) - mls_fd_share_all_levels($1) - - auth_use_pam($1) + mls_fd_share_all_levels($1) + + auth_use_pam($1) +') - + - init_rw_utmp($1) - - logging_set_loginuid($1) @@ -37073,13 +37073,13 @@ index 3efd5b669..1bfc72041 100644 + gen_require(` + attribute polydomain; + ') - + - seutil_read_config($1) - seutil_read_default_contexts($1) + kernel_search_proc($1) + ps_process_pattern($1, polydomain) +') - + - tunable_policy(`allow_polyinstantiation',` - files_polyinstantiate_all($1) +######################################## 
@@ -37095,16 +37095,16 @@ index 3efd5b669..1bfc72041 100644 +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; - ') + ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## @@ -227,6 +247,26 @@ interface(`auth_domtrans_login_program',` - - corecmd_search_bin($1) - domtrans_pattern($1, login_exec_t, $2) + + corecmd_search_bin($1) + domtrans_pattern($1, login_exec_t, $2) + allow $1 login_exec_t:file map; +') + @@ -37126,12 +37126,12 @@ index 3efd5b669..1bfc72041 100644 + corecmd_search_bin($1) + can_exec($1, login_exec_t) ') - + ######################################## @@ -320,6 +360,24 @@ interface(`auth_rw_cache',` - rw_files_pattern($1, auth_cache_t, auth_cache_t) + rw_files_pattern($1, auth_cache_t, auth_cache_t) ') - + +######################################## +## +## Create authentication cache @@ -37154,34 +37154,34 @@ index 3efd5b669..1bfc72041 100644 ## ## Manage authentication cache @@ -337,6 +395,7 @@ interface(`auth_manage_cache',` - - manage_dirs_pattern($1, auth_cache_t, auth_cache_t) - manage_files_pattern($1, auth_cache_t, auth_cache_t) + + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) + allow $1 auth_cache_t:file map; ') - + ####################################### @@ -377,6 +436,7 @@ interface(`auth_domtrans_chk_passwd',` - - corecmd_search_bin($1) - domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + + corecmd_search_bin($1) + domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) + allow $1 chkpwd_exec_t:file map; - - dontaudit $1 shadow_t:file read_file_perms; - + + dontaudit $1 shadow_t:file read_file_perms; + @@ -402,6 +462,8 @@ interface(`auth_domtrans_chk_passwd',` - optional_policy(` - samba_stream_connect_winbind($1) - ') + optional_policy(` + samba_stream_connect_winbind($1) + ') + + auth_domtrans_upd_passwd($1) ') - + ######################################## 
@@ -426,6 +488,24 @@ interface(`auth_domtrans_chkpwd',` - auth_domtrans_upd_passwd($1) + auth_domtrans_upd_passwd($1) ') - + +######################################## +## +## Execute chkpwd in the caller domain. @@ -37204,9 +37204,9 @@ index 3efd5b669..1bfc72041 100644 ## ## Execute chkpwd programs in the chkpwd domain. @@ -448,6 +528,25 @@ interface(`auth_run_chk_passwd',` - - auth_domtrans_chk_passwd($1) - role $2 types chkpwd_t; + + auth_domtrans_chk_passwd($1) + role $2 types chkpwd_t; + auth_run_upd_passwd($1, $2) +') + @@ -37227,20 +37227,20 @@ index 3efd5b669..1bfc72041 100644 + + allow $1 chkpwd_t:process signal; ') - + ######################################## @@ -467,7 +566,6 @@ interface(`auth_domtrans_upd_passwd',` - - domtrans_pattern($1, updpwd_exec_t, updpwd_t) - auth_dontaudit_read_shadow($1) + + domtrans_pattern($1, updpwd_exec_t, updpwd_t) + auth_dontaudit_read_shadow($1) - ') - + ######################################## @@ -532,6 +630,24 @@ interface(`auth_dontaudit_getattr_shadow',` - dontaudit $1 shadow_t:file getattr; + dontaudit $1 shadow_t:file getattr; ') - + +######################################## +## +## Mmap the shadow passwords file. @@ -37263,21 +37263,21 @@ index 3efd5b669..1bfc72041 100644 ## ## Read the shadow passwords file (/etc/shadow) @@ -664,6 +780,11 @@ interface(`auth_manage_shadow',` - - allow $1 shadow_t:file manage_file_perms; - typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; + + allow $1 shadow_t:file manage_file_perms; + typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; + files_var_filetrans($1, shadow_t, file, "shadow") + files_var_filetrans($1, shadow_t, file, "shadow-") + files_etc_filetrans($1, shadow_t, file, "gshadow") + files_etc_filetrans($1, shadow_t, file, "nshadow") + files_etc_filetrans($1, shadow_t, file, "opasswd") ') - + ####################################### 
@@ -763,7 +884,50 @@ interface(`auth_rw_faillog',` - ') - - logging_search_logs($1) + ') + + logging_search_logs($1) - allow $1 faillog_t:file rw_file_perms; + rw_files_pattern($1, faillog_t, faillog_t) +') @@ -37324,12 +37324,12 @@ index 3efd5b669..1bfc72041 100644 + logging_log_named_filetrans($1, faillog_t, file, "faillog") + logging_log_named_filetrans($1, faillog_t, file, "btmp") ') - + ####################################### @@ -824,9 +988,29 @@ interface(`auth_rw_lastlog',` - allow $1 lastlog_t:file { rw_file_perms lock setattr }; + allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') - + +####################################### +## +## Manage create logins log. @@ -37363,11 +37363,11 @@ index 3efd5b669..1bfc72041 100644 # -interface(`auth_domtrans_pam',` +interface(`auth_domtrans_pam_timestamp',` - gen_require(` + gen_require(` - type pam_t, pam_exec_t; + type pam_timestamp_t, pam_timestamp_exec_t; - ') - + ') + - domtrans_pattern($1, pam_exec_t, pam_t) + domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t) +') @@ -37386,20 +37386,20 @@ index 3efd5b669..1bfc72041 100644 + auth_domtrans_pam_timestamp($1) + refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.') ') - + ######################################## @@ -854,15 +1053,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` - gen_require(` + gen_require(` - type pam_t; + type pam_timestamp_t; - ') - + ') + - allow $1 pam_t:process signal; + allow $1 pam_timestamp_t:process signal; ') - + ######################################## ## -## Execute pam programs in the PAM domain. @@ -37413,11 +37413,11 @@ index 3efd5b669..1bfc72041 100644 # -interface(`auth_run_pam',` +interface(`auth_run_pam_timestamp',` - gen_require(` + gen_require(` - type pam_t; + type pam_timestamp_t; - ') - + ') + - auth_domtrans_pam($1) - role $2 types pam_t; + auth_domtrans_pam_timestamp($1) 
@@ -37443,12 +37443,12 @@ index 3efd5b669..1bfc72041 100644 + auth_run_pam_timestamp($1, $2) + refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.') ') - + ######################################## @@ -959,9 +1178,30 @@ interface(`auth_manage_var_auth',` - ') - - files_search_var($1) + ') + + files_search_var($1) - allow $1 var_auth_t:dir manage_dir_perms; - allow $1 var_auth_t:file rw_file_perms; - allow $1 var_auth_t:lnk_file rw_lnk_file_perms; @@ -37477,31 +37477,31 @@ index 3efd5b669..1bfc72041 100644 + files_search_var($1) + relabel_dirs_pattern($1, var_auth_t, var_auth_t) ') - + ######################################## @@ -1040,6 +1280,10 @@ interface(`auth_manage_pam_pid',` - files_search_pids($1) - allow $1 pam_var_run_t:dir manage_dir_perms; - allow $1 pam_var_run_t:file manage_file_perms; + files_search_pids($1) + allow $1 pam_var_run_t:dir manage_dir_perms; + allow $1 pam_var_run_t:file manage_file_perms; + files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount") + files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh") + files_pid_filetrans($1, pam_var_run_t, dir, "sepermit") + files_pid_filetrans($1, pam_var_run_t, dir, "sudo") ') - + ######################################## @@ -1176,6 +1420,7 @@ interface(`auth_manage_pam_console_data',` - files_search_pids($1) - manage_files_pattern($1, pam_var_console_t, pam_var_console_t) - manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) + files_search_pids($1) + manage_files_pattern($1, pam_var_console_t, pam_var_console_t) + manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) + files_pid_filetrans($1, pam_var_console_t, dir, "console") ') - + ####################################### @@ -1574,6 +1819,25 @@ interface(`auth_setattr_login_records',` - logging_search_logs($1) + logging_search_logs($1) ') - + +######################################## +## +## Relabel login record files. 
@@ -37525,9 +37525,9 @@ index 3efd5b669..1bfc72041 100644 ## ## Read login records files (/var/log/wtmp). @@ -1726,24 +1990,7 @@ interface(`auth_manage_login_records',` - - logging_rw_generic_log_dirs($1) - allow $1 wtmp_t:file manage_file_perms; + + logging_rw_generic_log_dirs($1) + allow $1 wtmp_t:file manage_file_perms; -') - -######################################## @@ -37548,7 +37548,7 @@ index 3efd5b669..1bfc72041 100644 - allow $1 wtmp_t:file relabel_file_perms; + logging_log_named_filetrans($1, wtmp_t, file, "wtmp") ') - + ######################################## @@ -1767,11 +2014,13 @@ interface(`auth_relabel_login_records',` ## @@ -37560,16 +37560,16 @@ index 3efd5b669..1bfc72041 100644 + gen_require(` + attribute nsswitch_domain; + ') - - typeattribute $1 nsswitch_domain; + + typeattribute $1 nsswitch_domain; + + corenet_all_recvfrom_netlabel($1) ') - + ######################################## @@ -1805,3 +2054,298 @@ interface(`auth_unconfined',` - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; ') + +######################################## @@ -37779,7 +37779,7 @@ index 3efd5b669..1bfc72041 100644 +## +# +interface(`auth_read_home_content',` -+ ++ + gen_require(` + type auth_home_t; + ') @@ -37799,7 +37799,7 @@ index 3efd5b669..1bfc72041 100644 +## +# +interface(`auth_manage_home_content',` -+ ++ + gen_require(` + type auth_home_t; + ') @@ -37821,7 +37821,7 @@ index 3efd5b669..1bfc72041 100644 +## +# +interface(`auth_filetrans_home_content',` -+ ++ + gen_require(` + type auth_home_t; + ') @@ -37873,7 +37873,7 @@ index 09b791dcc..073241e05 100644 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) # Declarations # - + +## +##

      +## Allow users to login using a radius server @@ -37887,7 +37887,7 @@ index 09b791dcc..073241e05 100644 +##

      +##
      +gen_tunable(authlogin_yubikey, false) - + ## ##

      @@ -16,20 +29,26 @@ gen_tunable(authlogin_nsswitch_use_ldap, false) @@ -37897,10 +37897,10 @@ index 09b791dcc..073241e05 100644 +attribute polydomain; attribute nsswitch_domain; +attribute login_pgm; - + type auth_cache_t; logging_log_file(auth_cache_t) - + +type auth_home_t; +userdom_user_home_content(auth_home_t) + @@ -37911,40 +37911,40 @@ index 09b791dcc..073241e05 100644 +typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t }; application_domain(chkpwd_t, chkpwd_exec_t) role system_r types chkpwd_t; - + type faillog_t; logging_log_file(faillog_t) +mls_trusted_object(faillog_t) - + type lastlog_t; logging_log_file(lastlog_t) @@ -42,15 +61,15 @@ type pam_console_exec_t; init_system_domain(pam_console_t, pam_console_exec_t) role system_r types pam_console_t; - + -type pam_t; -domain_type(pam_t) -role system_r types pam_t; +type pam_timestamp_t alias pam_t; +domain_type(pam_timestamp_t) +role system_r types pam_timestamp_t; - + -type pam_exec_t; -domain_entry_file(pam_t, pam_exec_t) +type pam_timestamp_exec_t alias pam_exec_t; +domain_entry_file(pam_timestamp_t, pam_timestamp_exec_t) - + -type pam_tmp_t; -files_tmp_file(pam_tmp_t) +type pam_timestamp_tmp_t; +files_tmp_file(pam_timestamp_tmp_t) - + type pam_var_console_t; files_pid_file(pam_var_console_t) @@ -64,6 +83,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; - + +type passwd_file_t; +files_type(passwd_file_t) + @@ -37954,16 +37954,16 @@ index 09b791dcc..073241e05 100644 
@@ -90,11 +112,11 @@ logging_log_file(wtmp_t) # Check password local policy # - + -allow chkpwd_t self:capability { dac_override setuid }; +allow chkpwd_t self:capability { dac_read_search dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; allow chkpwd_t self:process { getattr signal }; - + -allow chkpwd_t shadow_t:file read_file_perms; +allow chkpwd_t shadow_t:file { read_file_perms map }; files_list_etc(chkpwd_t) - + kernel_read_crypto_sysctls(chkpwd_t) @@ -109,6 +131,9 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) @@ -37972,43 +37972,43 @@ index 09b791dcc..073241e05 100644 +files_read_usr_symlinks(chkpwd_t) +files_list_tmp(chkpwd_t) +files_map_system_db_files(chkpwd_t) - + fs_dontaudit_getattr_xattr_fs(chkpwd_t) - + @@ -122,12 +147,11 @@ auth_use_nsswitch(chkpwd_t) logging_send_audit_msgs(chkpwd_t) logging_send_syslog_msg(chkpwd_t) - + -miscfiles_read_localization(chkpwd_t) - + seutil_read_config(chkpwd_t) seutil_dontaudit_use_newrole_fds(chkpwd_t) - + -userdom_use_user_terminals(chkpwd_t) +userdom_dontaudit_use_user_ttys(chkpwd_t) - + ifdef(`distro_ubuntu',` - optional_policy(` + optional_policy(` @@ -140,6 +164,10 @@ optional_policy(` - apache_dontaudit_rw_tcp_sockets(chkpwd_t) + apache_dontaudit_rw_tcp_sockets(chkpwd_t) ') - + +optional_policy(` + dbus_system_bus_client(chkpwd_t) +') + optional_policy(` - kerberos_use(chkpwd_t) + kerberos_use(chkpwd_t) ') @@ -153,53 +181,52 @@ optional_policy(` # PAM local policy # - + -allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -dontaudit pam_t self:capability sys_tty_config; +allow pam_timestamp_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +dontaudit pam_timestamp_t self:capability sys_tty_config; - + -allow pam_t self:fd use; -allow pam_t self:fifo_file rw_file_perms; -allow pam_t self:unix_dgram_socket create_socket_perms; 
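Review bot: `allow chkpwd_t shadow_t:file { read_file_perms map };` hands out `map` on shadow_t, while the guard shown in the previous hunk (`neverallow ~can_read_shadow_passwords shadow_t:file read;`) fences only `read`. A readable mapping still requires `read`, so the invariant is not bypassed here, but with `map` now granted both in this rule and through the new mmap interface for shadow_t in authlogin.if, widening the guard to `neverallow ~can_read_shadow_passwords shadow_t:file { read map };` keeps the restriction explicit and makes the policy compiler reject a future `map` grant to a domain outside the attribute. The `dac_read_search` added next to `dac_override` on the same line is harmless on its own, but a one-line comment giving the reason (presumably that the kernel consults dac_read_search before dac_override for read/search, so listing both avoids spurious denials — confirm) would stop a later cleanup from dropping it.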
@@ -38029,71 +38029,71 @@ index 09b791dcc..073241e05 100644 +allow pam_timestamp_t self:sem create_sem_perms; +allow pam_timestamp_t self:msgq create_msgq_perms; +allow pam_timestamp_t self:msg { send receive }; - + -delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) -read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t) -files_list_pids(pam_t) +delete_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t) +read_files_pattern(pam_timestamp_t, pam_var_run_t, pam_var_run_t) +files_list_pids(pam_timestamp_t) - + -allow pam_t pam_tmp_t:dir manage_dir_perms; -allow pam_t pam_tmp_t:file manage_file_perms; -files_tmp_filetrans(pam_t, pam_tmp_t, { file dir }) +allow pam_timestamp_t pam_timestamp_tmp_t:dir manage_dir_perms; +allow pam_timestamp_t pam_timestamp_tmp_t:file manage_file_perms; +files_tmp_filetrans(pam_timestamp_t, pam_timestamp_tmp_t, { file dir }) - + -auth_use_nsswitch(pam_t) +auth_use_nsswitch(pam_timestamp_t) - + -kernel_read_system_state(pam_t) +kernel_read_system_state(pam_timestamp_t) - + -files_read_etc_files(pam_t) +files_read_etc_files(pam_timestamp_t) - + -fs_search_auto_mountpoints(pam_t) +fs_search_auto_mountpoints(pam_timestamp_t) - + -miscfiles_read_localization(pam_t) - + -term_use_all_ttys(pam_t) -term_use_all_ptys(pam_t) +term_use_all_ttys(pam_timestamp_t) +term_use_all_ptys(pam_timestamp_t) - + -init_dontaudit_rw_utmp(pam_t) +init_dontaudit_rw_utmp(pam_timestamp_t) - + -logging_send_syslog_msg(pam_t) +logging_send_syslog_msg(pam_timestamp_t) - + ifdef(`distro_ubuntu',` - optional_policy(` + optional_policy(` - unconfined_domain(pam_t) + unconfined_domain(pam_timestamp_t) - ') + ') ') - + optional_policy(` - locallogin_use_fds(pam_t) + locallogin_use_fds(pam_timestamp_t) ') - + ######################################## 
@@ -289,7 +316,6 @@ init_use_script_ptys(pam_console_t) - + logging_send_syslog_msg(pam_console_t) - + -miscfiles_read_localization(pam_console_t) miscfiles_read_generic_certs(pam_console_t) - + seutil_read_file_contexts(pam_console_t) @@ -330,7 +356,7 @@ optional_policy(` # updpwd local policy # - + -allow updpwd_t self:capability { chown dac_override }; +allow updpwd_t self:capability { chown dac_read_search dac_override }; allow updpwd_t self:process setfscreate; @@ -38101,50 +38101,50 @@ index 09b791dcc..073241e05 100644 allow updpwd_t self:unix_stream_socket create_stream_socket_perms; @@ -341,18 +367,22 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) - + files_manage_etc_files(updpwd_t) +auth_manage_passwd(updpwd_t) + +mls_file_read_all_levels(updpwd_t) +mls_file_write_all_levels(updpwd_t) +mls_file_downgrade(updpwd_t) - + term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) - + auth_manage_shadow(updpwd_t) +auth_etc_filetrans_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) - + logging_send_syslog_msg(updpwd_t) - + -miscfiles_read_localization(updpwd_t) - -userdom_use_user_terminals(updpwd_t) +userdom_use_inherited_user_terminals(updpwd_t) - + ifdef(`distro_ubuntu',` - optional_policy(` + optional_policy(` @@ -380,13 +410,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) - + +auth_use_nsswitch(utempter_t) + init_rw_utmp(utempter_t) - + domain_use_interactive_fds(utempter_t) - + logging_search_logs(utempter_t) - + -userdom_use_user_terminals(utempter_t) +userdom_use_inherited_user_terminals(utempter_t) # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) - + @@ -397,19 +429,30 @@ ifdef(`distro_ubuntu',` ') - + optional_policy(` - nscd_use(utempter_t) + xserver_use_xdm_fds(utempter_t) 
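Review bot: `mls_file_read_all_levels(updpwd_t)`, `mls_file_write_all_levels(updpwd_t)` and `mls_file_downgrade(updpwd_t)` grant updpwd_t a complete MLS file bypass without a comment stating why. These three calls are the strongest privilege in the hunk, so a one-line rationale above them, e.g. `# updpwd rewrites the single-level passwd/shadow files on behalf of users at any level`, would let MLS reviewers verify the intent; confirm the reason against the actual use before committing the wording. `auth_etc_filetrans_shadow(updpwd_t)` in the same hunk sits next to the filetrans rules that auth_manage_shadow now carries; it is worth checking that one is not simply duplicating the other.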
@@ -38154,7 +38154,7 @@ index 09b791dcc..073241e05 100644 +tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(polydomain) ') - + optional_policy(` - xserver_use_xdm_fds(utempter_t) - xserver_rw_xdm_pipes(utempter_t) @@ -38162,25 +38162,25 @@ index 09b791dcc..073241e05 100644 + namespace_init_domtrans(polydomain) + ') ') - + -####################################### +###################################### # # nsswitch_domain local policy # - + +allow nsswitch_domain self:key manage_key_perms; + +auth_read_passwd(nsswitch_domain) +auth_map_passwd(nsswitch_domain) + files_list_var_lib(nsswitch_domain) - + # read /etc/nsswitch.conf @@ -417,15 +460,42 @@ files_read_etc_files(nsswitch_domain) - + sysnet_dns_name_resolve(nsswitch_domain) - + +systemd_hostnamed_read_config(nsswitch_domain) + + @@ -38204,14 +38204,14 @@ index 09b791dcc..073241e05 100644 + dev_read_urand(nsswitch_domain) + sysnet_read_config(nsswitch_domain) +') - + +tunable_policy(`authlogin_nsswitch_use_ldap',` - miscfiles_read_generic_certs(nsswitch_domain) + miscfiles_read_generic_certs(nsswitch_domain) - sysnet_use_ldap(nsswitch_domain) ') - + optional_policy(` - tunable_policy(`authlogin_nsswitch_use_ldap',` + tunable_policy(`authlogin_nsswitch_use_ldap',` + dirsrv_stream_connect(nsswitch_domain) + ') +') @@ -38219,21 +38219,21 @@ index 09b791dcc..073241e05 100644 +optional_policy(` + tunable_policy(`authlogin_nsswitch_use_ldap',` + ldap_read_certs(nsswitch_domain) - ldap_stream_connect(nsswitch_domain) - ') + ldap_stream_connect(nsswitch_domain) + ') ') @@ -438,6 +508,7 @@ optional_policy(` - likewise_stream_connect_lsassd(nsswitch_domain) + likewise_stream_connect_lsassd(nsswitch_domain) ') - + +# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off. optional_policy(` - kerberos_use(nsswitch_domain) + kerberos_use(nsswitch_domain) ') 
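Review bot: `allow nsswitch_domain self:key manage_key_perms;` together with `auth_read_passwd(nsswitch_domain)` and `auth_map_passwd(nsswitch_domain)` is attached to an attribute, and this same patch adds `auth_use_nsswitch()` to hwclock_t, getty_t, hotplug_t and utempter_t, so each of those domains inherits keyring management and passwd mapping without any of them asking for it. A comment naming the consumer that actually needs `key` access (presumably the sssd/kerberos credential handling wired up in the following hunks — confirm) would make the grant reviewable. If only a subset of nsswitch users needs keyring permissions, a narrower attribute or a tunable would keep it off single-purpose utilities such as hwclock.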
@@ -456,10 +527,161 @@ optional_policy(` - + optional_policy(` - sssd_stream_connect(nsswitch_domain) + sssd_stream_connect(nsswitch_domain) + sssd_read_public_files(nsswitch_domain) + sssd_read_lib_files(nsswitch_domain) +') @@ -38247,12 +38247,12 @@ index 09b791dcc..073241e05 100644 +optional_policy(` + rolekit_manage_keys(nsswitch_domain) ') - + optional_policy(` - samba_stream_connect_winbind(nsswitch_domain) + samba_stream_connect_winbind(nsswitch_domain) + samba_stream_connect_nmbd(nsswitch_domain) - samba_read_var_files(nsswitch_domain) - samba_dontaudit_write_var_files(nsswitch_domain) + samba_read_var_files(nsswitch_domain) + samba_dontaudit_write_var_files(nsswitch_domain) ') + +optional_policy(` @@ -38397,9 +38397,9 @@ index c5e05ca70..c9ddbeeca 100644 --- a/policy/modules/system/clock.fc +++ b/policy/modules/system/clock.fc @@ -3,3 +3,5 @@ - + /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) - + +/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if @@ -38407,8 +38407,8 @@ index d475c2deb..55305d5f3 100644 --- a/policy/modules/system/clock.if +++ b/policy/modules/system/clock.if @@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',` - allow $1 adjtime_t:file rw_file_perms; - files_list_etc($1) + allow $1 adjtime_t:file rw_file_perms; + files_list_etc($1) ') + +######################################## @@ -38452,7 +38452,7 @@ index edece47dc..2e7b81176 100644 --- a/policy/modules/system/clock.te +++ b/policy/modules/system/clock.te @@ -20,7 +20,7 @@ role system_r types hwclock_t; - + # Give hwclock the capabilities it requires. dac_override is a surprise, # but hwclock does require it. -allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config }; @@ -38461,37 +38461,37 @@ index edece47dc..2e7b81176 100644 allow hwclock_t self:process signal_perms; allow hwclock_t self:fifo_file rw_fifo_file_perms; 
@@ -46,28 +46,25 @@ fs_search_auto_mountpoints(hwclock_t) - + term_dontaudit_use_console(hwclock_t) term_use_unallocated_ttys(hwclock_t) -term_use_all_ttys(hwclock_t) -term_use_all_ptys(hwclock_t) +term_use_all_inherited_ttys(hwclock_t) +term_use_all_inherited_ptys(hwclock_t) - + domain_use_interactive_fds(hwclock_t) - + +auth_use_nsswitch(hwclock_t) + init_use_fds(hwclock_t) init_use_script_ptys(hwclock_t) - + logging_send_audit_msgs(hwclock_t) logging_send_syslog_msg(hwclock_t) - + -miscfiles_read_localization(hwclock_t) - + optional_policy(` - apm_append_log(hwclock_t) - apm_rw_stream_sockets(hwclock_t) + apm_append_log(hwclock_t) + apm_rw_stream_sockets(hwclock_t) ') - + -optional_policy(` - nscd_use(hwclock_t) -') - optional_policy(` - seutil_sigchld_newrole(hwclock_t) + seutil_sigchld_newrole(hwclock_t) ') diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index 948ce2a32..8cab8aef2 100644 @@ -38515,12 +38515,12 @@ index 948ce2a32..8cab8aef2 100644 /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - + /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0) - + +/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0) + +/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
@@ -38562,7 +38562,7 @@ index 948ce2a32..8cab8aef2 100644 +/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) - + /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) + +/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_var_run_t,s0) @@ -38571,8 +38571,8 @@ index 016a770b9..3fce820a5 100644 --- a/policy/modules/system/fstools.if +++ b/policy/modules/system/fstools.if @@ -154,3 +154,42 @@ interface(`fstools_getattr_swap_files',` - - allow $1 swapfile_t:file getattr; + + allow $1 swapfile_t:file getattr; ') + +######################################## @@ -38620,21 +38620,21 @@ index 3f48d300a..2169fc1e0 100644 @@ -13,9 +13,15 @@ role system_r types fsadm_t; type fsadm_log_t; logging_log_file(fsadm_log_t) - + +type fsadm_var_run_t; +files_pid_file(fsadm_var_run_t) + type fsadm_tmp_t; files_tmp_file(fsadm_tmp_t) - + +type fsadm_tmpfs_t; +files_tmpfs_file(fsadm_tmpfs_t) + type swapfile_t; # customizable files_type(swapfile_t) - + @@ -26,6 +32,7 @@ files_type(swapfile_t) - + # ipc_lock is for losetup allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; +dontaudit fsadm_t self:capability net_admin; @@ -38642,9 +38642,9 @@ index 3f48d300a..2169fc1e0 100644 allow fsadm_t self:fd use; allow fsadm_t self:fifo_file rw_fifo_file_perms; @@ -41,10 +48,21 @@ allow fsadm_t self:msg { send receive }; - + can_exec(fsadm_t, fsadm_exec_t) - + -allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; -allow fsadm_t fsadm_tmp_t:file manage_file_perms; +manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t) 
@@ -38654,7 +38654,7 @@ index 3f48d300a..2169fc1e0 100644 +manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t) +manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t) files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) - + +manage_dirs_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t) +manage_files_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t) +fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir }) @@ -38668,7 +38668,7 @@ index 3f48d300a..2169fc1e0 100644 @@ -53,6 +71,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) # Enable swapping to files allow fsadm_t swapfile_t:file { rw_file_perms swapon }; - + +kernel_get_sysvipc_info(fsadm_t) kernel_read_system_state(fsadm_t) kernel_read_kernel_sysctls(fsadm_t) @@ -38706,9 +38706,9 @@ index 3f48d300a..2169fc1e0 100644 storage_read_scsi_generic(fsadm_t) +storage_rw_fuse(fsadm_t) storage_swapon_fixed_disk(fsadm_t) - + term_use_console(fsadm_t) - + +auth_read_passwd(fsadm_t) + +init_read_state(fsadm_t) @@ -38716,72 +38716,72 @@ index 3f48d300a..2169fc1e0 100644 init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) +init_stream_connect(fsadm_t) - + logging_send_syslog_msg(fsadm_t) - -miscfiles_read_localization(fsadm_t) +logging_send_audit_msgs(fsadm_t) +logging_stream_connect_syslog(fsadm_t) - + seutil_read_config(fsadm_t) - + -userdom_use_user_terminals(fsadm_t) +term_use_all_inherited_terms(fsadm_t) + +userdom_rw_inherited_user_tmp_pipes(fsadm_t) - + ifdef(`distro_redhat',` - optional_policy(` + optional_policy(` 
@@ -165,10 +195,19 @@ optional_policy(` - cron_system_entry(fsadm_t, fsadm_exec_t) + cron_system_entry(fsadm_t, fsadm_exec_t) ') - + +optional_policy(` + devicekit_dontaudit_read_pid_files(fsadm_t) + devicekit_dontaudit_rw_log(fsadm_t) +') + optional_policy(` - hal_dontaudit_write_log(fsadm_t) + hal_dontaudit_write_log(fsadm_t) ') - + +optional_policy(` + kdump_rw_inherited_kdumpctl_tmp_pipes(fsadm_t) +') + optional_policy(` - livecd_rw_tmp_files(fsadm_t) + livecd_rw_tmp_files(fsadm_t) ') @@ -178,6 +217,10 @@ optional_policy(` - modutils_read_module_deps(fsadm_t) + modutils_read_module_deps(fsadm_t) ') - + +optional_policy(` + mount_read_pid_files(fsadm_t) +') + optional_policy(` - nis_use_ypbind(fsadm_t) + nis_use_ypbind(fsadm_t) ') @@ -191,6 +234,10 @@ optional_policy(` - udev_read_db(fsadm_t) + udev_read_db(fsadm_t) ') - + +optional_policy(` + virt_read_blk_images(fsadm_t) +') + optional_policy(` - xen_append_log(fsadm_t) - xen_rw_image_files(fsadm_t) + xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc index e1a1848a2..492763873 100644 --- a/policy/modules/system/getty.fc +++ b/policy/modules/system/getty.fc @@ -3,8 +3,12 @@ - + /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0) - + -/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) -/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) +/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0) @@ -38790,16 +38790,16 @@ index e1a1848a2..492763873 100644 + +/var/log/mgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) +/var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0) - + /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0) - + diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if index e4376aa98..2c98c5647 100644 --- a/policy/modules/system/getty.if 
+++ b/policy/modules/system/getty.if @@ -96,3 +96,45 @@ interface(`getty_rw_config',` - files_search_etc($1) - allow $1 getty_etc_t:file rw_file_perms; + files_search_etc($1) + allow $1 getty_etc_t:file rw_file_perms; ') + +######################################## @@ -38850,7 +38850,7 @@ index f6743ea19..d99a10c07 100644 @@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t) type getty_var_run_t; files_pid_file(getty_var_run_t) - + +type getty_unit_file_t; +systemd_unit_file(getty_unit_file_t) + @@ -38866,7 +38866,7 @@ index f6743ea19..d99a10c07 100644 # # Getty local policy # - + # Use capabilities. -allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; +allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; @@ -38879,32 +38879,32 @@ index f6743ea19..d99a10c07 100644 term_setattr_console(getty_t) +term_use_console(getty_t) +term_use_usb_ttys(getty_t) - + auth_rw_login_records(getty_t) +auth_use_nsswitch(getty_t) - + init_rw_utmp(getty_t) init_use_script_ptys(getty_t) @@ -94,7 +108,6 @@ locallogin_domtrans(getty_t) - + logging_send_syslog_msg(getty_t) - + -miscfiles_read_localization(getty_t) - + ifdef(`distro_gentoo',` - # Gentoo default /etc/issue makes agetty + # Gentoo default /etc/issue makes agetty @@ -113,19 +126,27 @@ ifdef(`distro_ubuntu',` - ') + ') ') - + -tunable_policy(`console_login',` +tunable_policy(`login_console_enabled',` - # Support logging in from /dev/console - term_use_console(getty_t) + # Support logging in from /dev/console + term_use_console(getty_t) ',` - term_dontaudit_use_console(getty_t) + term_dontaudit_use_console(getty_t) ') - + +optional_policy(` + hostname_exec(getty_t) +') @@ -38914,21 +38914,21 @@ index f6743ea19..d99a10c07 100644 +') + optional_policy(` - mta_send_mail(getty_t) + mta_send_mail(getty_t) ') - + optional_policy(` - nscd_use(getty_t) + plymouthd_exec_plymouth(getty_t) ') - + optional_policy(` 
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc index 9dfecf77c..6d00f5c13 100644 --- a/policy/modules/system/hostname.fc +++ b/policy/modules/system/hostname.fc @@ -1,2 +1,4 @@ - + /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) + +/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) @@ -38943,54 +38943,54 @@ index 187f04f83..cf0af0991 100644 -## # interface(`hostname_exec',` - gen_require(` + gen_require(` diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index 24a78897a..a3d8f1af3 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te 
@@ -23,39 +23,50 @@ dontaudit hostname_t self:capability sys_tty_config; - + kernel_list_proc(hostname_t) kernel_read_proc_symlinks(hostname_t) +kernel_read_network_state(hostname_t) - + dev_read_sysfs(hostname_t) # Early devtmpfs, before udev relabel dev_dontaudit_rw_generic_chr_files(hostname_t) - + +domain_dontaudit_leaks(hostname_t) domain_use_interactive_fds(hostname_t) - + files_read_etc_files(hostname_t) +files_dontaudit_leaks(hostname_t) files_dontaudit_search_var(hostname_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(hostname_t) - + fs_getattr_xattr_fs(hostname_t) fs_search_auto_mountpoints(hostname_t) +fs_dontaudit_leaks(hostname_t) fs_dontaudit_use_tmpfs_chr_dev(hostname_t) - + term_dontaudit_use_console(hostname_t) -term_use_all_ttys(hostname_t) -term_use_all_ptys(hostname_t) +term_use_all_inherited_terms(hostname_t) - + init_use_fds(hostname_t) init_use_script_fds(hostname_t) init_use_script_ptys(hostname_t) +init_rw_inherited_script_tmp_files(hostname_t) - + logging_send_syslog_msg(hostname_t) - + -miscfiles_read_localization(hostname_t) - + sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t) sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t) sysnet_read_config(hostname_t) sysnet_dns_name_resolve(hostname_t) - + +optional_policy(` + kdump_dontaudit_inherited_kdumpctl_tmp_pipes(hostname_t) +') @@ -39000,7 +39000,7 @@ index 24a78897a..a3d8f1af3 100644 +') + optional_policy(` - nis_use_ypbind(hostname_t) + nis_use_ypbind(hostname_t) ') diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc index caf736b3b..91c4c6f23 100644 @@ -39009,7 +39009,7 @@ index caf736b3b..91c4c6f23 100644 @@ -7,5 +7,8 @@ /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) - + +/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0) +/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0) + 
@@ -39022,19 +39022,19 @@ index 40eb10c60..2a0a32c2d 100644 @@ -34,7 +34,7 @@ interface(`hotplug_domtrans',` # interface(`hotplug_exec',` - gen_require(` + gen_require(` - type hotplug_t; + type hotplug_exec_t; - ') - - corecmd_search_bin($1) + ') + + corecmd_search_bin($1) diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te index b2097e743..0a49e14ba 100644 --- a/policy/modules/system/hotplug.te +++ b/policy/modules/system/hotplug.te @@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) # - + allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; -dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; +dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; @@ -39042,9 +39042,9 @@ index b2097e743..0a49e14ba 100644 dontaudit hotplug_t self:capability { dac_override dac_read_search }; allow hotplug_t self:process { setpgid getsession getattr signal_perms }; @@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t) - + files_read_kernel_modules(hotplug_t) - + -corenet_all_recvfrom_unlabeled(hotplug_t) corenet_all_recvfrom_netlabel(hotplug_t) corenet_tcp_sendrecv_generic_if(hotplug_t) @@ -39052,26 +39052,26 @@ index b2097e743..0a49e14ba 100644 @@ -96,6 +95,8 @@ init_domtrans_script(hotplug_t) # kernel threads inherit from shared descriptor table used by init init_dontaudit_rw_initctl(hotplug_t) - + +auth_use_nsswitch(hotplug_t) + logging_send_syslog_msg(hotplug_t) logging_search_logs(hotplug_t) - + @@ -103,9 +104,6 @@ logging_search_logs(hotplug_t) libs_read_lib_files(hotplug_t) - + miscfiles_read_hwdata(hotplug_t) -miscfiles_read_localization(hotplug_t) - -seutil_dontaudit_search_config(hotplug_t) - + sysnet_read_config(hotplug_t) - + @@ -163,14 +161,6 @@ optional_policy(` - mta_send_mail(hotplug_t) + mta_send_mail(hotplug_t) ') - + -optional_policy(` - nis_use_ypbind(hotplug_t) -') 
@@ -39081,7 +39081,7 @@ index b2097e743..0a49e14ba 100644 -') - optional_policy(` - seutil_sigchld_newrole(hotplug_t) + seutil_sigchld_newrole(hotplug_t) ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc index bc0ffc84e..605c85da2 100644 @@ -39096,11 +39096,11 @@ index bc0ffc84e..605c85da2 100644 + /etc/rc\.d/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) /etc/rc\.d/rc\.[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0) - + @@ -26,6 +29,11 @@ ifdef(`distro_gentoo', ` /lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0) ') - + +# +# /sbin +# @@ -39112,7 +39112,7 @@ index bc0ffc84e..605c85da2 100644 @@ -42,20 +50,36 @@ ifdef(`distro_gentoo', ` # /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0) - + +/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +# because nowadays, /sbin/init is often a symlink to /sbin/upstart +/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) @@ -39123,14 +39123,14 @@ index bc0ffc84e..605c85da2 100644 + /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0) - + /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0) + +/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0) - + # # /var # 
@@ -39143,7 +39143,7 @@ index bc0ffc84e..605c85da2 100644 /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0) +/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0) +/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,s0) - + ifdef(`distro_debian',` /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0) @@ -74,3 +98,4 @@ ifdef(`distro_suse', ` @@ -39157,7 +39157,7 @@ index 79a45f62e..95bdd43e6 100644 +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ ##

      System initialization programs (init and init scripts). - + +###################################### +## +## initrc stub interface. No access allowed. @@ -39178,25 +39178,25 @@ index 79a45f62e..95bdd43e6 100644 ## ## Create a file type used for init scripts. @@ -106,7 +122,11 @@ interface(`init_domain',` - role system_r types $1; - - domtrans_pattern(init_t, $2, $1) + role system_r types $1; + + domtrans_pattern(init_t, $2, $1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; - + + allow init_t $1:process2 { nnp_transition nosuid_transition }; -+ - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd ++ + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd @@ -115,6 +135,25 @@ interface(`init_domain',` - ') - ') + ') + ') ') +######################################## +## +## Allow SELinux Domain trasition from sytemd -+## into confined domain with NoNewPrivileges ++## into confined domain with NoNewPrivileges +## Systemd Security feature. +## +## @@ -39212,27 +39212,27 @@ index 79a45f62e..95bdd43e6 100644 + + allow init_t $1:process2 { nnp_transition nosuid_transition }; +') - + ######################################## ## @@ -192,50 +231,43 @@ interface(`init_ranged_domain',` interface(`init_daemon_domain',` - gen_require(` - attribute direct_run_init, direct_init, direct_init_entry; + gen_require(` + attribute direct_run_init, direct_init, direct_init_entry; - type initrc_t; + type init_t; - role system_r; - attribute daemon; + role system_r; + attribute daemon; + attribute initrc_transition_domain; + attribute initrc_domain; - ') - - typeattribute $1 daemon; + ') + + typeattribute $1 daemon; + typeattribute $2 direct_init_entry; - - domain_type($1) - domain_entry_file($1, $2) - + + domain_type($1) + domain_entry_file($1, $2) + - role system_r types $1; - - domtrans_pattern(initrc_t, $2, $1) 
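Review bot: The description of the new interface inserted after init_domain misspells two words: `## Allow SELinux Domain trasition from sytemd` should read `## Allow SELinux domain transition from systemd`. Because the interface's name and gen_require block fall between this hunk and the next, the summary text is all a reader of the patch sees for it, so it is worth getting right. `allow init_t $1:process2 { nnp_transition nosuid_transition };` now appears both inside init_domain and in the new interface; a short comment in init_domain stating that this is intentional (init_domain callers get it implicitly, other domains opt in through the new interface) would keep a later cleanup from removing one of them.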
@@ -39246,19 +39246,19 @@ index 79a45f62e..95bdd43e6 100644 - # when using run_init - init_use_script_ptys($1) + type_transition initrc_domain $2:process $1; - - ifdef(`direct_sysadm_daemon',` + + ifdef(`direct_sysadm_daemon',` - domtrans_pattern(direct_run_init, $2, $1) - allow direct_run_init $1:process { noatsecure siginh rlimitinh }; - + type_transition direct_run_init $2:process $1; - typeattribute $1 direct_init; + typeattribute $1 direct_init; - typeattribute $2 direct_init_entry; - - userdom_dontaudit_use_user_terminals($1) - ') + ') +') - + - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd @@ -39280,54 +39280,54 @@ index 79a45f62e..95bdd43e6 100644 + gen_require(` + attribute initrc_domain; + ') - + - optional_policy(` - nscd_use($1) - ') + typeattribute $1 initrc_domain; ') - + ######################################## @@ -283,17 +315,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` - gen_require(` - type initrc_t; + gen_require(` + type initrc_t; + type init_t; - ') - + ') + - init_daemon_domain($1, $2) +# init_daemon_domain($1, $2) - - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; - mls_rangetrans_target($1) + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) + range_transition init_t $2:process $3; - ') + ') ') - + 
@@ -336,23 +371,19 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` - gen_require(` + gen_require(` - type initrc_t; + type init_t; - role system_r; + role system_r; + attribute initrc_transition_domain; + attribute systemprocess, systemprocess_entry; + attribute initrc_domain; - ') - + ') + + typeattribute $1 systemprocess; - application_domain($1, $2) + application_domain($1, $2) - - role system_r types $1; + role system_r types $1; + typeattribute $2 systemprocess_entry; - + - domtrans_pattern(initrc_t, $2, $1) - - ifdef(`hide_broken_symptoms',` @@ -39339,29 +39339,29 @@ index 79a45f62e..95bdd43e6 100644 - ') + type_transition initrc_domain $2:process $1; ') - + ######################################## @@ -401,20 +432,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` - gen_require(` - type initrc_t; + gen_require(` + type initrc_t; + type init_t; - ') - - init_system_domain($1, $2) - - ifdef(`enable_mcs',` - range_transition initrc_t $2:process $3; + ') + + init_system_domain($1, $2) + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; - ') - - ifdef(`enable_mls',` - range_transition initrc_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + range_transition init_t $2:process $3; - mls_rangetrans_target($1) - ') + mls_rangetrans_target($1) + ') ') - + +###################################### +## +## Allow domain dyntransition to init_t domain. @@ -39384,12 +39384,12 @@ index 79a45f62e..95bdd43e6 100644 ## ## Mark the file type as a daemon run dir, allowing initrc_t @@ -458,6 +510,7 @@ interface(`init_domtrans',` - ') - - domtrans_pattern($1, init_exec_t, init_t) + ') + + domtrans_pattern($1, init_exec_t, init_t) + allow $1 init_exec_t:file map; ') - + ######################################## @@ -469,7 +522,6 @@ interface(`init_domtrans',` ## Domain allowed access. 
@@ -39398,11 +39398,11 @@ index 79a45f62e..95bdd43e6 100644 -## # interface(`init_exec',` - gen_require(` + gen_require(` @@ -478,6 +530,48 @@ interface(`init_exec',` - - corecmd_search_bin($1) - can_exec($1, init_exec_t) + + corecmd_search_bin($1) + can_exec($1, init_exec_t) + + optional_policy(` + systemd_exec_systemctl($1) @@ -39446,12 +39446,12 @@ index 79a45f62e..95bdd43e6 100644 + + dontaudit $1 init_exec_t:file getattr; ') - + ######################################## @@ -564,6 +658,58 @@ interface(`init_sigchld',` - allow $1 init_t:process sigchld; + allow $1 init_t:process sigchld; ') - + +######################################## +## +## Send generic signals to init. @@ -39510,14 +39510,14 @@ index 79a45f62e..95bdd43e6 100644 @@ -576,10 +722,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` - gen_require(` + gen_require(` - type init_t; + type init_t, init_var_run_t; - ') - + ') + - allow $1 init_t:unix_stream_socket connectto; + files_search_pids($1) -+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) ++ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) + allow $1 init_t:unix_stream_socket getattr; +') + @@ -39574,22 +39574,22 @@ index 79a45f62e..95bdd43e6 100644 + + dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl }; ') - + ######################################## @@ -743,22 +945,24 @@ interface(`init_write_initctl',` interface(`init_telinit',` - gen_require(` - type initctl_t; + gen_require(` + type initctl_t; + type init_t; - ') - + ') + + corecmd_exec_bin($1) + - dev_list_all_dev_nodes($1) - allow $1 initctl_t:fifo_file rw_fifo_file_perms; - - init_exec($1) - + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file rw_fifo_file_perms; + + init_exec($1) + - tunable_policy(`init_upstart',` - gen_require(` - type init_t; @@ -39608,7 +39608,7 @@ index 79a45f62e..95bdd43e6 100644 + #576913 + allow $1 init_t:unix_stream_socket connectto; ') - + ######################################## 
@@ -787,7 +991,7 @@ interface(`init_rw_initctl',` ## @@ -39622,53 +39622,53 @@ index 79a45f62e..95bdd43e6 100644 @@ -830,11 +1034,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` - gen_require(` + gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; - ') - - files_list_etc($1) + ') + + files_list_etc($1) - spec_domtrans_pattern($1, initrc_exec_t, initrc_t) + spec_domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`distro_gentoo',` - gen_require(` + + ifdef(`distro_gentoo',` + gen_require(` @@ -845,11 +1050,11 @@ interface(`init_spec_domtrans_script',` - ') - - ifdef(`enable_mcs',` + ') + + ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` + ') + + ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') + ') ') - + @@ -865,19 +1070,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` - gen_require(` + gen_require(` - type initrc_t, initrc_exec_t; + type initrc_t; + attribute init_script_file_type; + attribute initrc_transition_domain; - ') + ') + typeattribute $1 initrc_transition_domain; - - files_list_etc($1) + + files_list_etc($1) - domtrans_pattern($1, initrc_exec_t, initrc_t) + domtrans_pattern($1, init_script_file_type, initrc_t) - - ifdef(`enable_mcs',` + + ifdef(`enable_mcs',` - range_transition $1 initrc_exec_t:process s0; + range_transition $1 init_script_file_type:process s0; - ') - - ifdef(`enable_mls',` + ') + + ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; + ') 
@@ -39677,7 +39677,7 @@ index 79a45f62e..95bdd43e6 100644 +######################################## +## +## Execute a file in a bin directory -+## in the initrc_t domain ++## in the initrc_t domain +## +## +## @@ -39688,31 +39688,31 @@ index 79a45f62e..95bdd43e6 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') + ') + + corecmd_bin_domtrans($1, initrc_t) ') - + ######################################## @@ -933,9 +1160,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` - gen_require(` - type initrc_t; + gen_require(` + type initrc_t; + attribute initrc_transition_domain; - ') - + ') + + typeattribute $1 initrc_transition_domain; + # service script searches all filesystems via mountpoint + fs_search_all($1) - domtrans_pattern($1, $2, initrc_t) + domtrans_pattern($1, $2, initrc_t) + allow $1 $2:file ioctl; - files_search_etc($1) + files_search_etc($1) ') - + @@ -1010,6 +1242,62 @@ interface(`init_read_state',` - allow $1 init_t:lnk_file read_lnk_file_perms; + allow $1 init_t:lnk_file read_lnk_file_perms; ') - + +######################################## +## +## Dontaudit read the process state (/proc/pid) of init. @@ -39773,23 +39773,23 @@ index 79a45f62e..95bdd43e6 100644 ## ## Ptrace init @@ -1026,7 +1314,9 @@ interface(`init_ptrace',` - type init_t; - ') - + type init_t; + ') + - allow $1 init_t:process ptrace; + tunable_policy(`deny_ptrace',`',` + allow $1 init_t:process ptrace; + ') ') - + ######################################## @@ -1123,6 +1413,25 @@ interface(`init_getattr_all_script_files',` - allow $1 init_script_file_type:file getattr; + allow $1 init_script_file_type:file getattr; ') - + +######################################## +## -+## Allow the specified domain to modify the systemd configuration of ++## Allow the specified domain to modify the systemd configuration of +## all init scripts. +## +## 
@@ -39810,7 +39810,7 @@ index 79a45f62e..95bdd43e6 100644 ## ## Read all init script files. @@ -1144,7 +1453,7 @@ interface(`init_read_all_script_files',` - + ####################################### ## -## Dontaudit read all init script files. @@ -39842,13 +39842,13 @@ index 79a45f62e..95bdd43e6 100644 +## +# +interface(`init_dontaudit_read_all_script_files',` - gen_require(` - attribute init_script_file_type; - ') + gen_require(` + attribute init_script_file_type; + ') @@ -1195,12 +1522,7 @@ interface(`init_read_script_state',` - ') - - kernel_search_proc($1) + ') + + kernel_search_proc($1) - read_files_pattern($1, initrc_t, initrc_t) - read_lnk_files_pattern($1, initrc_t, initrc_t) - list_dirs_pattern($1, initrc_t, initrc_t) @@ -39857,12 +39857,12 @@ index 79a45f62e..95bdd43e6 100644 - allow $1 initrc_t:process getattr; + ps_process_pattern($1, initrc_t) ') - + ######################################## @@ -1312,6 +1634,24 @@ interface(`init_signal_script',` - allow $1 initrc_t:process signal; + allow $1 initrc_t:process signal; ') - + +######################################## +## +## Send kill signals to init scripts. @@ -39885,9 +39885,9 @@ index 79a45f62e..95bdd43e6 100644 ## ## Send null signals to init scripts. @@ -1437,6 +1777,27 @@ interface(`init_dbus_send_script',` - allow $1 initrc_t:dbus send_msg; + allow $1 initrc_t:dbus send_msg; ') - + +######################################## +## +## Send and receive messages from @@ -39913,9 +39913,9 @@ index 79a45f62e..95bdd43e6 100644 ## ## Send and receive messages from @@ -1545,6 +1906,25 @@ interface(`init_getattr_script_status_files',` - getattr_files_pattern($1, initrc_state_t, initrc_state_t) + getattr_files_pattern($1, initrc_state_t, initrc_state_t) ') - + +######################################## +## +## Manage init script @@ -39939,9 +39939,9 @@ index 79a45f62e..95bdd43e6 100644 ## ## Do not audit attempts to read init script 
@@ -1603,6 +1983,24 @@ interface(`init_rw_script_tmp_files',` - rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) + rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t) ') - + +######################################## +## +## Read and write init script inherited temporary data. @@ -39964,9 +39964,9 @@ index 79a45f62e..95bdd43e6 100644 ## ## Create files in a init script @@ -1675,6 +2073,43 @@ interface(`init_read_utmp',` - allow $1 initrc_var_run_t:file read_file_perms; + allow $1 initrc_var_run_t:file read_file_perms; ') - + +######################################## +## +## Read utmp. @@ -40008,18 +40008,18 @@ index 79a45f62e..95bdd43e6 100644 ## ## Do not audit attempts to write utmp. @@ -1765,7 +2200,7 @@ interface(`init_dontaudit_rw_utmp',` - type initrc_var_run_t; - ') - + type initrc_var_run_t; + ') + - dontaudit $1 initrc_var_run_t:file { getattr read write append lock }; + dontaudit $1 initrc_var_run_t:file rw_file_perms; ') - + ######################################## @@ -1806,6 +2241,133 @@ interface(`init_pid_filetrans_utmp',` - files_pid_filetrans($1, initrc_var_run_t, file, "utmp") + files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') - + +###################################### +## +## Allow search directory in the /run/systemd directory. @@ -40151,8 +40151,8 @@ index 79a45f62e..95bdd43e6 100644 ## ## Allow the specified domain to connect to daemon with a tcp socket @@ -1840,3 +2402,548 @@ interface(`init_udp_recvfrom_all_daemons',` - ') - corenet_udp_recvfrom_labeled($1, daemon) + ') + corenet_udp_recvfrom_labeled($1, daemon) ') + +######################################## @@ -40305,7 +40305,7 @@ index 79a45f62e..95bdd43e6 100644 +## +## +##

      -+## This defines a type that init can create sock_file within for ++## This defines a type that init can create sock_file within for +## impersonation purposes +##

      +##
      @@ -40704,7 +40704,7 @@ index 17eda2480..2514c372a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` - + ## ##

      -## Enable support for upstart as the init program. @@ -40734,7 +40734,7 @@ index 17eda2480..2514c372a 100644 +##

      +##
      +gen_tunable(daemons_enable_cluster_mode, false) - + # used for direct running of init scripts # by admin domains @@ -25,9 +46,17 @@ attribute direct_init_entry; @@ -40744,7 +40744,7 @@ index 17eda2480..2514c372a 100644 +attribute initrc_transition_domain; +# Attribute used for systemd so domains can allow systemd to create sock_files +attribute init_sock_file_type; - + # Mark process types as daemons attribute daemon; +attribute systemprocess; @@ -40752,7 +40752,7 @@ index 17eda2480..2514c372a 100644 + +# Mark process types as initrc domain +attribute initrc_domain; - + # Mark file type as a daemon run directory attribute daemonrundir; @@ -35,12 +64,20 @@ attribute daemonrundir; @@ -40774,13 +40774,13 @@ index 17eda2480..2514c372a 100644 +# +type init_tmp_t; +files_tmp_file(init_tmp_t) - + # # init_var_run_t is the type for /var/run/shutdown.pid. @@ -48,6 +85,15 @@ role system_r types init_t; type init_var_run_t; files_pid_file(init_var_run_t) - + +# +# init_var_lib_t is the type for /var/lib/systemd +# @@ -40796,7 +40796,7 @@ index 17eda2480..2514c372a 100644 @@ -57,7 +103,7 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) - + -type initrc_t, init_script_domain_type, init_run_all_scripts_domain; +type initrc_t, initrc_domain, init_script_domain_type, init_run_all_scripts_domain; type initrc_exec_t, init_script_file_type; @@ -40807,12 +40807,12 @@ index 17eda2480..2514c372a 100644 # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) +corecmd_bin_entry_type(initrc_t) - + type initrc_devpts_t; term_pty(initrc_devpts_t) @@ -98,7 +145,11 @@ ifdef(`enable_mls',` # - + # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ audit_control audit_write sys_module }; @@ -40824,9 +40824,9 @@ index 17eda2480..2514c372a 100644 # sys_boot # sys_tty_config 
@@ -108,14 +159,43 @@ allow init_t self:capability ~sys_module; - + allow init_t self:fifo_file rw_fifo_file_perms; - + +allow init_t self:service manage_service_perms; + # Re-exec itself @@ -40870,18 +40870,18 @@ index 17eda2480..2514c372a 100644 +files_pid_filetrans(init_t, machineid_t, file, "machine-id") +files_etc_filetrans(init_t, machineid_t, file, "machine-id") +allow init_t machineid_t:file mounton; - + allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) @@ -125,13 +205,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; - + kernel_read_system_state(init_t) kernel_share_state(init_t) +kernel_stream_connect(init_t) - + corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) - + -dev_read_sysfs(init_t) +corenet_all_recvfrom_netlabel(init_t) +corenet_tcp_bind_all_ports(init_t) @@ -40895,7 +40895,7 @@ index 17eda2480..2514c372a 100644 dev_rw_generic_chr_files(init_t) +dev_filetrans_all_named_dev(init_t) +dev_write_watchdog(init_t) - + domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) @@ -139,14 +229,24 @@ domain_signal_all_domains(init_t) @@ -40904,7 +40904,7 @@ index 17eda2480..2514c372a 100644 domain_sigchld_all_domains(init_t) +domain_read_all_domains_state(init_t) +domain_getattr_all_domains(init_t) - + -files_read_etc_files(init_t) +files_read_config_files(init_t) +files_read_all_pids(init_t) @@ -40926,10 +40926,10 @@ index 17eda2480..2514c372a 100644 files_dontaudit_rw_root_chr_files(init_t) @@ -156,28 +256,54 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) - + mcs_process_set_categories(init_t) -mcs_killall(init_t) - + mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) -mls_process_write_down(init_t) 
@@ -40942,12 +40942,12 @@ index 17eda2480..2514c372a 100644 +mls_socket_read_all_levels(init_t) +mls_socket_write_all_levels(init_t) +mls_rangetrans_source(init_t) - + selinux_set_all_booleans(init_t) +selinux_load_policy(init_t) +selinux_mounton_fs(init_t) +allow init_t security_t:security load_policy; - + -term_use_all_terms(init_t) +term_create_pty_dir(init_t) +term_use_unallocated_ttys(init_t) @@ -40955,19 +40955,19 @@ index 17eda2480..2514c372a 100644 +term_use_all_inherited_terms(init_t) +term_use_generic_ptys(init_t) +term_use_virtio_console(init_t) - + # Run init scripts. init_domtrans_script(init_t) - + libs_rw_ld_so_cache(init_t) - + +logging_create_devlog_dev(init_t) logging_send_syslog_msg(init_t) +logging_send_audit_msgs(init_t) logging_rw_generic_logs(init_t) +logging_relabel_devlog_dev(init_t) +logging_manage_audit_config(init_t) - + seutil_read_config(init_t) +seutil_read_module_store(init_t) + @@ -40977,30 +40977,30 @@ index 17eda2480..2514c372a 100644 +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) - + -miscfiles_read_localization(init_t) +allow init_t self:process setsched; - + ifdef(`distro_gentoo',` - allow init_t self:process { getcap setcap }; + allow init_t self:process { getcap setcap }; @@ -186,37 +312,301 @@ ifdef(`distro_gentoo',` ') - + ifdef(`distro_redhat',` + fs_manage_tmpfs_files(init_t) + fs_manage_tmpfs_symlinks(init_t) + fs_manage_tmpfs_sockets(init_t) + fs_manage_tmpfs_chr_files(init_t) + fs_exec_tmpfs_files(init_t) - fs_read_tmpfs_symlinks(init_t) + fs_read_tmpfs_symlinks(init_t) - fs_rw_tmpfs_chr_files(init_t) - fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) + fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) + fs_tmpfs_filetrans_named_content(init_t) + + logging_stream_connect_syslog(init_t) + logging_relabel_syslog_pid_socket(init_t) ') - + -tunable_policy(`init_upstart',` - corecmd_shell_domtrans(init_t, initrc_t) -',` 
@@ -41066,7 +41066,7 @@ index 17eda2480..2514c372a 100644 +allow init_t self:process { setsockcreate setfscreate setrlimit setexec }; +allow init_t self:process { getcap setcap }; +allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+allow init_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow init_t self:netlink_kobject_uevent_socket create_socket_perms; +allow init_t self:netlink_selinux_socket create_socket_perms; +allow init_t self:unix_dgram_socket lock; +# Until systemd is fixed @@ -41141,7 +41141,7 @@ index 17eda2480..2514c372a 100644 +fs_list_auto_mountpoints(init_t) +fs_register_binary_executable_type(init_t) +fs_relabel_tmpfs_sock_file(init_t) -+fs_rw_tmpfs_files(init_t) ++fs_rw_tmpfs_files(init_t) +fs_relabel_cgroup_dirs(init_t) +fs_search_cgroup_dirs(init_t) +# for network namespaces @@ -41221,22 +41221,22 @@ index 17eda2480..2514c372a 100644 + lvm_read_config(init_t) + lvm_map_config(init_t) ') - + optional_policy(` - auth_rw_login_records(init_t) + consolekit_manage_log(init_t) ') - + optional_policy(` + dbus_connect_system_bus(init_t) - dbus_system_bus_client(init_t) + dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) + + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') ') - + optional_policy(` - nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to @@ -41260,11 +41260,11 @@ index 17eda2480..2514c372a 100644 +optional_policy(` + ssh_getattr_server_keys(init_t) ') - + optional_policy(` - sssd_stream_connect(init_t) + sssd_stream_connect(init_t) ') - + +optional_policy(` + rpcbind_filetrans_named_content(init_t) + rpcbind_relabel_sock_file(init_t) @@ -41288,15 +41288,15 @@ index 17eda2480..2514c372a 100644 +') + optional_policy(` - unconfined_domain(init_t) + unconfined_domain(init_t) + domain_named_filetrans(init_t) + unconfined_server_domtrans(init_t) ') - + ######################################## 
@@ -225,9 +615,9 @@ optional_policy(` # - + allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; +allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; @@ -41305,22 +41305,22 @@ index 17eda2480..2514c372a 100644 +dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; - + @@ -258,12 +648,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) - + allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_manage_generic_pids_symlinks(initrc_t) +files_create_var_run_dirs(initrc_t) +files_relabelfrom_isid_type(initrc_t) - + can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) +allow initrc_t initrc_tmp_t:dir relabelfrom; - + manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) @@ -279,23 +673,36 @@ kernel_change_ring_buffer_level(initrc_t) @@ -41336,7 +41336,7 @@ index 17eda2480..2514c372a 100644 +files_read_config_files(initrc_t) +files_read_var_lib_symlinks(initrc_t) +files_setattr_pid_dirs(initrc_t) - + files_create_lock_dirs(initrc_t) files_pid_filetrans_lock_dir(initrc_t, "lock") files_read_kernel_symbol_table(initrc_t) @@ -41350,9 +41350,9 @@ index 17eda2480..2514c372a 100644 +fs_delete_tmpfs_files(initrc_t) +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file) +fs_read_nfsd_files(initrc_t) - + corecmd_exec_all_executables(initrc_t) - + -corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -corenet_tcp_sendrecv_all_if(initrc_t) 
@@ -41367,7 +41367,7 @@ index 17eda2480..2514c372a 100644 corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) @@ -303,9 +710,11 @@ corenet_sendrecv_all_client_packets(initrc_t) - + dev_read_rand(initrc_t) dev_read_urand(initrc_t) +dev_dontaudit_read_kmsg(initrc_t) @@ -41396,7 +41396,7 @@ index 17eda2480..2514c372a 100644 -# Early devtmpfs -dev_rw_generic_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) - + domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) @@ -332,7 +742,6 @@ domain_sigstop_all_domains(initrc_t) @@ -41412,7 +41412,7 @@ index 17eda2480..2514c372a 100644 domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) +domain_obj_id_change_exemption(initrc_t) - + files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) @@ -347,14 +757,15 @@ files_getattr_all_symlinks(initrc_t) @@ -41439,7 +41439,7 @@ index 17eda2480..2514c372a 100644 files_mounton_default(initrc_t) +files_manage_mnt_dirs(initrc_t) +files_manage_mnt_files(initrc_t) - + -fs_write_cgroup_files(initrc_t) +fs_delete_cgroup_dirs(initrc_t) +fs_list_cgroup_dirs(initrc_t) @@ -41454,28 +41454,28 @@ index 17eda2480..2514c372a 100644 +fs_search_all(initrc_t) +fs_getattr_nfsd_files(initrc_t) +fs_dontaudit_create_tmpfs_chr_dev(initrc_t) - + # initrc_t needs to do a pidof which requires ptrace -mcs_ptrace_all(initrc_t) -mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) - + mls_file_read_all_levels(initrc_t) @@ -387,8 +803,11 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) +mls_socket_write_to_clearance(initrc_t) - + selinux_get_enforce_mode(initrc_t) +selinux_set_enforce_mode(initrc_t) +selinux_setcheckreqprot(initrc_t) - + storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) 
@@ -398,6 +817,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) - + auth_rw_login_records(initrc_t) +auth_manage_faillog(initrc_t) auth_setattr_login_records(initrc_t) @@ -41484,17 +41484,17 @@ index 17eda2480..2514c372a 100644 @@ -416,20 +836,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) - + -miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript -miscfiles_read_generic_certs(initrc_t) +miscfiles_manage_generic_cert_files(initrc_t) - + -modutils_read_module_config(initrc_t) -modutils_domtrans_insmod(initrc_t) - + seutil_read_config(initrc_t) - + +userdom_read_admin_home_files(initrc_t) userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the @@ -41502,65 +41502,65 @@ index 17eda2480..2514c372a 100644 # started from init should be placed in their own domain. -userdom_use_user_terminals(initrc_t) +userdom_use_inherited_user_terminals(initrc_t) - + ifdef(`distro_debian',` - dev_setattr_generic_dirs(initrc_t) + dev_setattr_generic_dirs(initrc_t) @@ -451,7 +869,6 @@ ifdef(`distro_gentoo',` - allow initrc_t self:process setfscreate; - dev_create_null_dev(initrc_t) - dev_create_zero_dev(initrc_t) + allow initrc_t self:process setfscreate; + dev_create_null_dev(initrc_t) + dev_create_zero_dev(initrc_t) - dev_create_generic_dirs(initrc_t) - term_create_console_dev(initrc_t) - - # unfortunately /sbin/rc does stupid tricks + term_create_console_dev(initrc_t) + + # unfortunately /sbin/rc does stupid tricks @@ -485,6 +902,10 @@ ifdef(`distro_gentoo',` - sysnet_write_config(initrc_t) - sysnet_setattr_config(initrc_t) - + sysnet_write_config(initrc_t) + sysnet_setattr_config(initrc_t) + + optional_policy(` + abrt_manage_pid_files(initrc_t) + ') + - optional_policy(` - alsa_read_lib(initrc_t) - ') + optional_policy(` + alsa_read_lib(initrc_t) + ') 
@@ -506,7 +927,7 @@ ifdef(`distro_redhat',` - - # Red Hat systems seem to have a stray - # fd open from the initrd + + # Red Hat systems seem to have a stray + # fd open from the initrd - kernel_dontaudit_use_fds(initrc_t) + kernel_use_fds(initrc_t) - files_dontaudit_read_root_files(initrc_t) - - # These seem to be from the initrd + files_dontaudit_read_root_files(initrc_t) + + # These seem to be from the initrd @@ -521,6 +942,7 @@ ifdef(`distro_redhat',` - files_create_boot_dirs(initrc_t) - files_create_boot_flag(initrc_t) - files_rw_boot_symlinks(initrc_t) + files_create_boot_dirs(initrc_t) + files_create_boot_flag(initrc_t) + files_rw_boot_symlinks(initrc_t) + - # wants to read /.fonts directory - files_read_default_files(initrc_t) - files_mountpoint(initrc_tmp_t) + # wants to read /.fonts directory + files_read_default_files(initrc_t) + files_mountpoint(initrc_tmp_t) @@ -541,6 +963,7 @@ ifdef(`distro_redhat',` - miscfiles_rw_localization(initrc_t) - miscfiles_setattr_localization(initrc_t) - miscfiles_relabel_localization(initrc_t) + miscfiles_rw_localization(initrc_t) + miscfiles_setattr_localization(initrc_t) + miscfiles_relabel_localization(initrc_t) + miscfiles_filetrans_named_content(initrc_t) - - miscfiles_read_fonts(initrc_t) - miscfiles_read_hwdata(initrc_t) + + miscfiles_read_fonts(initrc_t) + miscfiles_read_hwdata(initrc_t) @@ -549,9 +972,45 @@ ifdef(`distro_redhat',` - alsa_manage_rw_config(initrc_t) - ') - + alsa_manage_rw_config(initrc_t) + ') + + optional_policy(` + abrt_manage_pid_files(initrc_t) + ') + - optional_policy(` - bind_manage_config_dirs(initrc_t) + optional_policy(` + bind_manage_config_dirs(initrc_t) + bind_manage_config(initrc_t) - bind_write_config(initrc_t) + bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) + ') + @@ -41592,20 +41592,20 @@ index 17eda2480..2514c372a 100644 + + optional_policy(` + pulseaudio_stream_connect(initrc_t) - ') - - optional_policy(` + ') + + optional_policy(` 
@@ -559,14 +1018,31 @@ ifdef(`distro_redhat',` - rpc_write_exports(initrc_t) - rpc_manage_nfs_state_data(initrc_t) - ') + rpc_write_exports(initrc_t) + rpc_manage_nfs_state_data(initrc_t) + ') + optional_policy(` + rpcbind_stream_connect(initrc_t) + ') - - optional_policy(` - sysnet_rw_dhcp_config(initrc_t) - sysnet_manage_config(initrc_t) + + optional_policy(` + sysnet_rw_dhcp_config(initrc_t) + sysnet_manage_config(initrc_t) + sysnet_manage_dhcpc_state(initrc_t) + sysnet_relabelfrom_dhcpc_state(initrc_t) + sysnet_relabelfrom_net_conf(initrc_t) @@ -41619,18 +41619,18 @@ index 17eda2480..2514c372a 100644 + + optional_policy(` + wdmd_manage_pid_files(initrc_t) - ') - - optional_policy(` - xserver_delete_log(initrc_t) + ') + + optional_policy(` + xserver_delete_log(initrc_t) + xserver_manage_user_fonts_dir(initrc_t) - ') + ') ') - + @@ -577,6 +1053,39 @@ ifdef(`distro_suse',` - ') + ') ') - + +domain_dontaudit_use_interactive_fds(daemon) + +userdom_dontaudit_list_admin_dir(daemon) @@ -41651,7 +41651,7 @@ index 17eda2480..2514c372a 100644 + term_dontaudit_use_all_ttys(daemon) + term_dontaudit_use_all_ptys(daemon) + ') -+ ++ +# system-config-services causes avc messages that should be dontaudited +tunable_policy(`daemons_dump_core',` + files_manage_root_files(daemon) @@ -41663,31 +41663,31 @@ index 17eda2480..2514c372a 100644 + userdom_dontaudit_read_user_tmp_files(daemon) + userdom_dontaudit_write_user_tmp_files(daemon) +') -+ ++ optional_policy(` - amavis_search_lib(initrc_t) - amavis_setattr_pid_files(initrc_t) + amavis_search_lib(initrc_t) + amavis_setattr_pid_files(initrc_t) @@ -589,6 +1098,8 @@ optional_policy(` optional_policy(` - apache_read_config(initrc_t) - apache_list_modules(initrc_t) + apache_read_config(initrc_t) + apache_list_modules(initrc_t) + # webmin seems to cause this. + apache_search_sys_content(daemon) ') - + optional_policy(` 
@@ -610,6 +1121,7 @@ optional_policy(` - + optional_policy(` - cgroup_stream_connect_cgred(initrc_t) + cgroup_stream_connect_cgred(initrc_t) + domain_setpriority_all_domains(initrc_t) ') - + optional_policy(` @@ -625,6 +1137,17 @@ optional_policy(` - dev_getattr_cpu_dev(initrc_t) + dev_getattr_cpu_dev(initrc_t) ') - + +optional_policy(` + chronyd_append_keys(initrc_t) + chronyd_read_keys(initrc_t) @@ -41700,25 +41700,25 @@ index 17eda2480..2514c372a 100644 +') + optional_policy(` - dev_getattr_printer_dev(initrc_t) - + dev_getattr_printer_dev(initrc_t) + @@ -642,9 +1165,13 @@ optional_policy(` - dbus_connect_system_bus(initrc_t) - dbus_system_bus_client(initrc_t) - dbus_read_config(initrc_t) + dbus_connect_system_bus(initrc_t) + dbus_system_bus_client(initrc_t) + dbus_read_config(initrc_t) + dbus_manage_lib_files(initrc_t) + + init_dbus_chat(initrc_t) - - optional_policy(` - consolekit_dbus_chat(initrc_t) + + optional_policy(` + consolekit_dbus_chat(initrc_t) + consolekit_manage_log(initrc_t) - ') - - optional_policy(` + ') + + optional_policy(` @@ -657,15 +1184,11 @@ optional_policy(` ') - + optional_policy(` - # /var/run/dovecot/login/ssl-parameters.dat is a hard link to - # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up @@ -41727,17 +41727,17 @@ index 17eda2480..2514c372a 100644 - dovecot_dontaudit_unlink_lib_files(initrc_t) + ftp_read_config(initrc_t) ') - + optional_policy(` - ftp_read_config(initrc_t) + glance_manage_pid_files(initrc_t) ') - + optional_policy(` @@ -685,6 +1208,15 @@ optional_policy(` - modutils_read_module_deps(initrc_t) + modutils_read_module_deps(initrc_t) ') - + +optional_policy(` + firewalld_dbus_chat(initrc_t) +') @@ -41748,19 +41748,19 @@ index 17eda2480..2514c372a 100644 +') + optional_policy(` - inn_exec_config(initrc_t) + inn_exec_config(initrc_t) ') 
@@ -726,6 +1258,7 @@ optional_policy(` - lpd_list_spool(initrc_t) - - lpd_read_config(initrc_t) + lpd_list_spool(initrc_t) + + lpd_read_config(initrc_t) + lpd_manage_spool(init_t) ') - + optional_policy(`
@@ -743,7 +1276,13 @@ optional_policy(` ') - + optional_policy(` - mta_read_config(initrc_t) + milter_delete_dkim_pid_files(initrc_t)
@@ -41770,24 +41770,24 @@ index 17eda2480..2514c372a 100644 +optional_policy(` + mta_manage_aliases(initrc_t) + mta_manage_config(initrc_t) - mta_dontaudit_read_spool_symlinks(initrc_t) + mta_dontaudit_read_spool_symlinks(initrc_t) ') - +
@@ -765,6 +1304,10 @@ optional_policy(` - openvpn_read_config(initrc_t) + openvpn_read_config(initrc_t) ') - + +optional_policy(` + plymouthd_stream_connect(initrc_t) +') + optional_policy(` - postgresql_manage_db(initrc_t) - postgresql_read_config(initrc_t) + postgresql_manage_db(initrc_t) + postgresql_read_config(initrc_t)
@@ -774,10 +1317,20 @@ optional_policy(` - postfix_list_spool(initrc_t) + postfix_list_spool(initrc_t) ') - + +optional_policy(` + psad_setattr_fifo_file(initrc_t) + psad_setattr_log(initrc_t)
@@ -41795,63 +41795,63 @@ index 17eda2480..2514c372a 100644 +') + optional_policy(` - puppet_rw_tmp(initrc_t) + puppet_rw_tmp(initrc_t) ') - + +optional_policy(` + qpidd_manage_var_run(initrc_t) +') + optional_policy(` - quota_manage_flags(initrc_t) + quota_manage_flags(initrc_t) ')
@@ -786,6 +1339,10 @@ optional_policy(` - raid_manage_mdadm_pid(initrc_t) + raid_manage_mdadm_pid(initrc_t) ') - + +optional_policy(` + ricci_manage_lib_files(initrc_t) +') + optional_policy(` - fs_write_ramfs_sockets(initrc_t) - fs_search_ramfs(initrc_t) + fs_write_ramfs_sockets(initrc_t) + fs_search_ramfs(initrc_t)
@@ -808,8 +1365,6 @@ optional_policy(` - # bash tries ioctl for some reason - files_dontaudit_ioctl_all_pids(initrc_t) - + # bash tries ioctl for some reason + files_dontaudit_ioctl_all_pids(initrc_t) + - # why is this needed: - rpm_manage_db(initrc_t) ') - + optional_policy(` 
@@ -817,6 +1372,10 @@ optional_policy(` - samba_read_winbind_pid(initrc_t) + samba_read_winbind_pid(initrc_t) ') - + +optional_policy(` + sendmail_setattr_pid_files(initrc_t) +') + optional_policy(` - # shorewall-init script run /var/lib/shorewall/firewall - shorewall_lib_domtrans(initrc_t) + # shorewall-init script run /var/lib/shorewall/firewall + shorewall_lib_domtrans(initrc_t)
@@ -827,10 +1386,12 @@ optional_policy(` - squid_manage_logs(initrc_t) + squid_manage_logs(initrc_t) ') - + +ifdef(`enabled_mls',` optional_policy(` - # allow init scripts to su - su_restricted_domain_template(initrc, initrc_t, system_r) + # allow init scripts to su + su_restricted_domain_template(initrc, initrc_t, system_r) ') +') - + optional_policy(` - ssh_dontaudit_read_server_keys(initrc_t) + ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1418,60 @@ optional_policy(` ') - + optional_policy(` + virt_read_config(init_t) + virt_stream_connect(init_t)
@@ -41863,7 +41863,7 @@ index 17eda2480..2514c372a 100644 + virt_manage_pid_dirs(initrc_t) + virt_manage_cache(initrc_t) + virt_manage_lib_files(initrc_t) - virt_stream_connect(initrc_t) + virt_stream_connect(initrc_t) - virt_manage_virt_cache(initrc_t) +') + 
@@ -41876,30 +41876,30 @@ index 17eda2480..2514c372a 100644 +optional_policy(` + cfengine_append_inherited_log(daemon) ') - + optional_policy(` - unconfined_domain(initrc_t) + unconfined_domain(initrc_t) + domain_named_filetrans(initrc_t) + domain_role_change_exemption(initrc_t) + + files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set }) - - ifdef(`distro_redhat',` - # system-config-services causes avc messages that should be dontaudited - unconfined_dontaudit_rw_pipes(daemon) - ') - + + ifdef(`distro_redhat',` + # system-config-services causes avc messages that should be dontaudited + unconfined_dontaudit_rw_pipes(daemon) + ') + + optional_policy(` + authconfig_domtrans(initrc_t) + ') + - optional_policy(` - mono_domtrans(initrc_t) - ') + optional_policy(` + mono_domtrans(initrc_t) + ') + + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t, system_r) -+ ++ + optional_policy(` + rtkit_scheduled(initrc_t) + ')
@@ -41909,22 +41909,22 @@ index 17eda2480..2514c372a 100644 + rpm_read_db(initrc_t) + rpm_delete_db(initrc_t) ') - + optional_policy(`
@@ -886,6 +1486,10 @@ optional_policy(` - xfs_read_sockets(initrc_t) + xfs_read_sockets(initrc_t) ') - + +optional_policy(` + sanlock_manage_pid_files(initrc_t) +') + optional_policy(` - # Set device ownerships/modes. - xserver_setattr_console_pipes(initrc_t) + # Set device ownerships/modes. + xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1501,218 @@ optional_policy(` optional_policy(` - zebra_read_config(initrc_t) + zebra_read_config(initrc_t) ') + +userdom_inherit_append_user_home_content_files(daemon)
@@ -41934,7 +41934,7 @@ index 17eda2480..2514c372a 100644 +logging_inherit_append_all_logs(daemon) + +optional_policy(` -+ # sudo service restart causes this ++ # sudo service restart causes this + unconfined_signull(daemon) +') + 
@@ -42130,7 +42130,7 @@ index 17eda2480..2514c372a 100644 + rhcs_read_cluster_lib_files(daemon) + rhcs_read_cluster_pid_files(daemon) + ') -+ ++ + ') + +optional_policy(`
@@ -42149,7 +42149,7 @@ index 662e79be8..c34c4aebc 100644 /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) - + -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
@@ -42161,18 +42161,18 @@ index 662e79be8..c34c4aebc 100644 +/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) - + /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) - + +/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/strongimcv(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) - + /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) - +
@@ -25,17 +37,30 @@ /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) 
@@ -42182,22 +42182,22 @@ index 662e79be8..c34c4aebc 100644 +/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) +/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) - + /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) - + /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) +/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) - + -/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) +/var/log/pluto\.log.* -- gen_context(system_u:object_r:ipsec_log_t,s0) - + /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) - + +/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon\.vici -s gen_context(system_u:object_r:ipsec_var_run_t,s0) +/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -42210,9 +42210,9 @@ index 0d4c8d35e..0cd667eb3 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -18,6 +18,24 @@ interface(`ipsec_domtrans',` - domtrans_pattern($1, ipsec_exec_t, ipsec_t) + domtrans_pattern($1, ipsec_exec_t, ipsec_t) ') - + +####################################### +## +## Allow read/write ipsec pipes
@@ -42235,9 +42235,9 @@ index 0d4c8d35e..0cd667eb3 100644 ## ## Connect to IPSEC using a unix domain stream socket. 
@@ -55,6 +73,64 @@ interface(`ipsec_domtrans_mgmt',` - domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) + domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) ') - + +####################################### +## +## Allow to create OBJECT in /etc with ipsec_key_file_t.
@@ -42305,28 +42305,28 @@ index 0d4c8d35e..0cd667eb3 100644 # -# interface(`ipsec_signal_mgmt',` - gen_require(` - type ipsec_mgmt_t; + gen_require(` + type ipsec_mgmt_t;
@@ -139,7 +214,6 @@ interface(`ipsec_signal_mgmt',` ## ## # -# interface(`ipsec_signull_mgmt',` - gen_require(` - type ipsec_mgmt_t; + gen_require(` + type ipsec_mgmt_t;
@@ -158,7 +232,6 @@ interface(`ipsec_signull_mgmt',` ## ## # -# interface(`ipsec_kill_mgmt',` - gen_require(` - type ipsec_mgmt_t; + gen_require(` + type ipsec_mgmt_t;
@@ -167,6 +240,60 @@ interface(`ipsec_kill_mgmt',` - allow $1 ipsec_mgmt_t:process sigkill; + allow $1 ipsec_mgmt_t:process sigkill; ') - + +######################################## +## +## Send ipsec a general signal.
@@ -42385,16 +42385,16 @@ index 0d4c8d35e..0cd667eb3 100644 ## ## Send and receive messages from
@@ -225,6 +352,7 @@ interface(`ipsec_match_default_spd',` - - allow $1 ipsec_spd_t:association polmatch; - allow $1 self:association sendto; + + allow $1 ipsec_spd_t:association polmatch; + allow $1 self:association sendto; + allow $1 self:peer recv; ') - + ########################################
@@ -245,6 +373,25 @@ interface(`ipsec_setcontext_default_spd',` - - allow $1 ipsec_spd_t:association setcontext; + + allow $1 ipsec_spd_t:association setcontext; ') +######################################## +##
@@ -42415,20 +42415,20 @@ index 0d4c8d35e..0cd667eb3 100644 + read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) +') - + ######################################## ## 
@@ -282,6 +429,7 @@ interface(`ipsec_manage_pid',` - - files_search_pids($1) - manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + + files_search_pids($1) + manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) ') - + ########################################
@@ -369,3 +517,46 @@ interface(`ipsec_run_setkey',` - ipsec_domtrans_setkey($1) - role $2 types setkey_t; + ipsec_domtrans_setkey($1) + role $2 types setkey_t; ') + +#######################################
@@ -42480,17 +42480,17 @@ index 312cd0417..a3336c6a4 100644
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) corecmd_shell_entry_type(ipsec_mgmt_t) role system_r types ipsec_mgmt_t; - + +type ipsec_mgmt_unit_file_t; +systemd_unit_file(ipsec_mgmt_unit_file_t) + type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) - +
@@ -67,29 +70,43 @@ type setkey_exec_t; init_system_domain(setkey_t, setkey_exec_t) role system_r types setkey_t; - + +# The NetworkManager helper communicates the password via PTY +type ipsec_mgmt_devpts_t; +term_pty(ipsec_mgmt_devpts_t)
@@ -42500,7 +42500,7 @@ index 312cd0417..a3336c6a4 100644 # # ipsec Local policy # - + -allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_t self:process { getcap setcap getsched signal setsched }; 
@@ -42516,15 +42516,15 @@ index 312cd0417..a3336c6a4 100644 +allow ipsec_t self:netlink_selinux_socket create_socket_perms; +allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write }; - + allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; - + allow ipsec_t ipsec_conf_file_t:dir list_dir_perms; -read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) +manage_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t) +filetrans_pattern(ipsec_t, ipsec_conf_file_t, ipsec_key_file_t, file, "ipsec.secrets") - + allow ipsec_t ipsec_key_file_t:dir list_dir_perms; -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -42533,15 +42533,15 @@ index 312cd0417..a3336c6a4 100644 + +manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t) +logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log") - + manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t) manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
@@ -101,19 +118,22 @@ manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file }) - + can_exec(ipsec_t, ipsec_mgmt_exec_t) +can_exec(ipsec_t, ipsec_exec_t) - + # pluto runs an updown script (by calling popen()!) as this is by default # a shell script, we need to find a way to make things work without # letting all sorts of stuff possibly be run...
@@ -42554,7 +42554,7 @@ index 312cd0417..a3336c6a4 100644 allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; -allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; +allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld signull }; - + kernel_read_kernel_sysctls(ipsec_t) -kernel_read_net_sysctls(ipsec_t) +kernel_rw_net_sysctls(ipsec_t) 
@@ -42563,7 +42563,7 @@ index 312cd0417..a3336c6a4 100644 # allow pluto to access /proc/net/ipsec_eroute;
@@ -128,20 +148,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) - + # Pluto needs network access -corenet_all_recvfrom_unlabeled(ipsec_t) -corenet_tcp_sendrecv_all_if(ipsec_t)
@@ -42588,40 +42588,40 @@ index 312cd0417..a3336c6a4 100644 corenet_sendrecv_isakmp_server_packets(ipsec_t) +corenet_tcp_connect_http_port(ipsec_t) +corenet_tcp_connect_ldap_port(ipsec_t) - + dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t)
@@ -157,23 +179,40 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) - + +selinux_compute_access_vector(ipsec_t) + term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) - + +auth_use_pam(ipsec_t) auth_use_nsswitch(ipsec_t) +auth_read_home_content(ipsec_t) - + init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) - + +logging_send_audit_msgs(ipsec_t) logging_send_syslog_msg(ipsec_t) - + -miscfiles_read_localization(ipsec_t) +miscfiles_map_generic_certs(ipsec_t) - + sysnet_domtrans_ifconfig(ipsec_t) +sysnet_exec_ifconfig(ipsec_t) +sysnet_nnp_domtrans_ifconfig(ipsec_t) +sysnet_manage_config(ipsec_t) +sysnet_etc_filetrans_config(ipsec_t) - + userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) - + +optional_policy(` + iptables_domtrans(ipsec_t) +')
@@ -42631,12 +42631,12 @@ index 312cd0417..a3336c6a4 100644 +') + optional_policy(` - seutil_sigchld_newrole(ipsec_t) + seutil_sigchld_newrole(ipsec_t) ')
@@ -187,14 +226,15 @@ optional_policy(` # ipsec_mgmt Local policy # - + -allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; -dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; 
@@ -42650,37 +42650,37 @@ index 312cd0417..a3336c6a4 100644 allow ipsec_mgmt_t self:key_socket create_socket_perms; allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; +allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; - + allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) - + allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) +filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file) - + manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) +manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) - + allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) +files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) - + # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file
@@ -236,6 +278,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t) allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read; - + domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t) +allow ipsec_mgmt_t ipsec_exec_t:file map; - + kernel_rw_net_sysctls(ipsec_mgmt_t) # allow pluto to access /proc/net/ipsec_eroute;
@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) - + +domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) +domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) +
@@ -42693,16 +42693,16 @@ index 312cd0417..a3336c6a4 100644 +files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) - + 
@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) - + +corenet_tcp_connect_rndc_port(ipsec_mgmt_t) + dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) - +
@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t)
@@ -42713,35 +42713,35 @@ index 312cd0417..a3336c6a4 100644 files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) - + term_use_console(ipsec_mgmt_t) -term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) +term_use_all_inherited_terms(ipsec_mgmt_t) - + auth_dontaudit_read_login_records(ipsec_mgmt_t) +auth_use_nsswitch(ipsec_mgmt_t) - + init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t)
@@ -288,17 +345,30 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) - + -logging_send_syslog_msg(ipsec_mgmt_t) - -miscfiles_read_localization(ipsec_mgmt_t) +ipsec_mgmt_systemctl(ipsec_mgmt_t) - + -seutil_dontaudit_search_config(ipsec_mgmt_t) +logging_read_all_logs(ipsec_mgmt_t) +logging_send_syslog_msg(ipsec_mgmt_t) - + sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) +sysnet_exec_ifconfig(ipsec_mgmt_t) +sysnet_nnp_domtrans_ifconfig(ipsec_mgmt_t) - + -userdom_use_user_terminals(ipsec_mgmt_t) +systemd_exec_systemctl(ipsec_mgmt_t) +
@@ -42756,23 +42756,23 @@ index 312cd0417..a3336c6a4 100644 + bind_read_config(ipsec_mgmt_t) + bind_read_state(ipsec_mgmt_t) +') - + optional_policy(` - consoletype_exec(ipsec_mgmt_t) + consoletype_exec(ipsec_mgmt_t) 
@@ -321,6 +391,10 @@ optional_policy(` - iptables_domtrans(ipsec_mgmt_t) + iptables_domtrans(ipsec_mgmt_t) ') - + +optional_policy(` + l2tpd_read_pid_files(ipsec_mgmt_t) +') + optional_policy(` - modutils_domtrans_insmod(ipsec_mgmt_t) + modutils_domtrans_insmod(ipsec_mgmt_t) ')
@@ -335,7 +409,7 @@ optional_policy(` # - + allow racoon_t self:capability { net_admin net_bind_service }; -allow racoon_t self:netlink_route_socket create_netlink_socket_perms; +allow racoon_t self:netlink_route_socket { create_netlink_socket_perms };
@@ -42782,7 +42782,7 @@ index 312cd0417..a3336c6a4 100644
@@ -370,13 +444,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) - + -corenet_all_recvfrom_unlabeled(racoon_t) -corenet_tcp_sendrecv_all_if(racoon_t) -corenet_udp_sendrecv_all_if(racoon_t)
@@ -42798,28 +42798,28 @@ index 312cd0417..a3336c6a4 100644 +corenet_udp_bind_generic_node(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) - +
@@ -401,10 +474,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) - + -miscfiles_read_localization(racoon_t) - sysnet_exec_ifconfig(racoon_t) - + +auth_use_pam(racoon_t) + auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` - auth_tunable_read_shadow(racoon_t) + auth_tunable_read_shadow(racoon_t)
@@ -438,9 +511,8 @@ corenet_setcontext_all_spds(setkey_t) - + locallogin_use_fds(setkey_t) - + -miscfiles_read_localization(setkey_t) - + seutil_read_config(setkey_t) - + -userdom_use_user_terminals(setkey_t) - +userdom_use_inherited_user_terminals(setkey_t) 
@@ -42834,7 +42834,7 @@ index 73a1c4e1e..193006ef6 100644 -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) - + -/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
@@ -42868,7 +42868,7 @@ index 73a1c4e1e..193006ef6 100644 -/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) - + -/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -42900,21 +42900,21 @@ index c42fbc329..5e1a4a51c 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -17,10 +17,7 @@ interface(`iptables_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, iptables_exec_t, iptables_t) + + corecmd_search_bin($1) + domtrans_pattern($1, iptables_exec_t, iptables_t) - - ifdef(`hide_broken_symptoms', ` - dontaudit iptables_t $1:socket_class_set { read write }; - ') + allow $1 iptables_exec_t:file map; ') - + ########################################
@@ -86,6 +83,30 @@ interface(`iptables_initrc_domtrans',` - init_labeled_script_domtrans($1, iptables_initrc_exec_t) + init_labeled_script_domtrans($1, iptables_initrc_exec_t) ') - + +######################################## +## +## Execute iptables server in the iptables domain. 
@@ -42943,8 +42943,8 @@ index c42fbc329..5e1a4a51c 100644 ## ## Set the attributes of iptables config files.
@@ -163,3 +184,40 @@ interface(`iptables_manage_config',` - files_search_etc($1) - manage_files_pattern($1, iptables_conf_t, iptables_conf_t) + files_search_etc($1) + manage_files_pattern($1, iptables_conf_t, iptables_conf_t) ') + +########################################
@@ -42990,16 +42990,16 @@ index be8ed1e6c..a9e54e32e 100644
@@ -16,15 +16,21 @@ role iptables_roles types iptables_t; type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) - + -type iptables_conf_t; -files_config_file(iptables_conf_t) - type iptables_tmp_t; files_tmp_file(iptables_tmp_t) - + type iptables_var_run_t; files_pid_file(iptables_var_run_t) - + +type iptables_var_lib_t; +files_pid_file(iptables_var_lib_t) +
@@ -43013,7 +43013,7 @@ index be8ed1e6c..a9e54e32e 100644 # # Iptables local policy
@@ -32,29 +38,45 @@ files_pid_file(iptables_var_run_t) - + allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; +dontaudit iptables_t self:capability2 block_suspend; 
@@ -43023,30 +43023,30 @@ index be8ed1e6c..a9e54e32e 100644 +allow iptables_t self:netlink_generic_socket create_socket_perms; +allow iptables_t self:netlink_netfilter_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; - + -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) -files_etc_filetrans(iptables_t, iptables_conf_t, file) +files_manage_system_conf_files(iptables_t) +files_etc_filetrans_system_conf(iptables_t) +files_etc_filetrans(iptables_t, system_conf_t, dir) - + manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) - + +manage_dirs_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t) +manage_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t) +manage_lnk_files_pattern(iptables_t, iptables_var_lib_t, iptables_var_lib_t) +files_var_lib_filetrans(iptables_t, iptables_var_lib_t, { file dir lnk_file }) + can_exec(iptables_t, iptables_exec_t) - + +manage_files_pattern(iptables_t, iptables_lock_t, iptables_lock_t) +files_lock_filetrans(iptables_t, iptables_lock_t, file) + allow iptables_t iptables_tmp_t:dir manage_dir_perms; allow iptables_t iptables_tmp_t:file manage_file_perms; files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) - + +kernel_getattr_proc(iptables_t) kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t)
@@ -43058,68 +43058,68 @@ index be8ed1e6c..a9e54e32e 100644 +kernel_rw_net_sysctls(iptables_t) +kernel_search_network_sysctl(iptables_t) + - + # needed by ipvsadm corecmd_exec_bin(iptables_t) 
@@ -64,19 +86,24 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) - + dev_read_sysfs(iptables_t) +dev_read_urand(iptables_t) +dev_read_rand(iptables_t) - + fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) fs_list_inotifyfs(iptables_t) +fs_read_nsfs_files(iptables_t) - + mls_file_read_all_levels(iptables_t) - + term_dontaudit_use_console(iptables_t) +term_use_all_inherited_terms(iptables_t) - + domain_use_interactive_fds(iptables_t) - + -files_read_etc_files(iptables_t) -files_read_etc_runtime_files(iptables_t) +files_rw_etc_runtime_files(iptables_t) +files_rw_inherited_tmp_file(iptables_t) +files_read_kernel_modules(iptables_t) - + auth_use_nsswitch(iptables_t) - +
@@ -85,15 +112,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) +init_dontaudit_script_leaks(iptables_t) - + logging_send_syslog_msg(iptables_t) - + -miscfiles_read_localization(iptables_t) - sysnet_run_ifconfig(iptables_t, iptables_roles) sysnet_dns_name_resolve(iptables_t) - + -userdom_use_user_terminals(iptables_t) +userdom_use_inherited_user_terminals(iptables_t) userdom_use_all_users_fds(iptables_t) - + ifdef(`hide_broken_symptoms',`
@@ -102,6 +128,9 @@ ifdef(`hide_broken_symptoms',` - + optional_policy(` - fail2ban_append_log(iptables_t) + fail2ban_append_log(iptables_t) + fail2ban_read_log(iptables_t) + fail2ban_dontaudit_leaks(iptables_t) + fail2ban_rw_inherited_tmp_files(iptables_t) ') - + optional_policy(`
@@ -109,8 +138,16 @@ optional_policy(` - firstboot_rw_pipes(iptables_t) + firstboot_rw_pipes(iptables_t) ') - + +optional_policy(` + firewalld_read_config(iptables_t) + firewalld_read_pid_files(iptables_t) 
@@ -43127,26 +43127,26 @@ index be8ed1e6c..a9e54e32e 100644 +') + optional_policy(` - modutils_run_insmod(iptables_t, iptables_roles) + modutils_run_insmod(iptables_t, iptables_roles) + modutils_list_module_config(iptables_t) + modutils_read_module_config(iptables_t) ') - + optional_policy(`
@@ -118,12 +155,26 @@ optional_policy(` - nis_use_ypbind(iptables_t) + nis_use_ypbind(iptables_t) ') - + +optional_policy(` + plymouthd_exec_plymouth(iptables_t) +') + optional_policy(` - ppp_dontaudit_use_fds(iptables_t) + ppp_dontaudit_use_fds(iptables_t) ') - + optional_policy(` - psad_rw_tmp_files(iptables_t) + psad_rw_tmp_files(iptables_t) + psad_write_log(iptables_t) +') +
@@ -43158,22 +43158,22 @@ index be8ed1e6c..a9e54e32e 100644 + neutron_rw_inherited_pipes(iptables_t) + neutron_sigchld(iptables_t) ') - + optional_policy(`
@@ -132,12 +183,13 @@ optional_policy(` - + optional_policy(` - seutil_sigchld_newrole(iptables_t) + seutil_sigchld_newrole(iptables_t) + seutil_run_setfiles(iptables_t, iptables_roles) ') - + optional_policy(` + shorewall_read_config(iptables_t) - shorewall_read_tmp_files(iptables_t) - shorewall_rw_lib_files(iptables_t) + shorewall_read_tmp_files(iptables_t) + shorewall_rw_lib_files(iptables_t) - shorewall_read_config(iptables_t) ') - + optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c00c..10006d658 100644
@@ -43191,9 +43191,9 @@ index 73bb3c00c..10006d658 100644 +/etc/ld\.so\.cache~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) /etc/ld\.so\.preload -- gen_context(system_u:object_r:ld_so_cache_t,s0) +/etc/ld\.so\.preload~ -- gen_context(system_u:object_r:ld_so_cache_t,s0) - + /etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0) - + # # /lib(64)? # 
@@ -43202,7 +43202,7 @@ index 73bb3c00c..10006d658 100644 +/lib64 gen_context(system_u:object_r:lib_t,s0) /lib/.* gen_context(system_u:object_r:lib_t,s0) /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) - +
@@ -52,9 +56,8 @@ ifdef(`distro_gentoo',` # # /opt
@@ -43226,18 +43226,18 @@ index 73bb3c00c..10006d658 100644 + /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - +
@@ -111,12 +120,12 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) - + /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) -/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) - + -/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) +/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) - + /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - + +/usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -43273,7 +43273,7 @@ index 73bb3c00c..10006d658 100644 -/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/nvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - + -/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -43281,7 +43281,7 @@ index 73bb3c00c..10006d658 100644 +/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - +
@@ -182,11 +195,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
@@ -43297,33 +43297,33 @@ index 73bb3c00c..10006d658 100644 /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -241,13 +256,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ - + # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - + -HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - + # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -269,20 +282,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te - + # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - + -/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - + -/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -43340,22 +43340,22 @@ index 73bb3c00c..10006d658 100644 +/usr/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) - + /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) - + 
@@ -299,17 +311,157 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) - + -/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) -/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) - -/var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) +/var/ftp/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/var/ftp/lib/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) - + /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) - + +/var/named/chroot/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +/var/named/chroot/usr/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) + @@ -43367,7 +43367,7 @@ index 73bb3c00c..10006d658 100644 ifdef(`distro_suse',` /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') - + -/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) +/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) +/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -43492,7 +43492,7 @@ index 73bb3c00c..10006d658 100644 + +/opt/real/RealPlayer/codecs(/.*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + -+/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + @@ -43512,9 +43512,9 @@ index 808ba93eb..cc985cfbe 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -64,6 +64,25 @@ interface(`libs_exec_ldconfig',` - can_exec($1, ldconfig_exec_t) + can_exec($1, ldconfig_exec_t) ') - + +######################################## +## +## Make ldconfig_exec_t entrypoint for 
@@ -43538,31 +43538,31 @@ index 808ba93eb..cc985cfbe 100644 ## ## Use the dynamic link/loader for automatic loading @@ -84,9 +103,9 @@ interface(`libs_use_ld_so',` - allow $1 lib_t:dir list_dir_perms; - - read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) + allow $1 lib_t:dir list_dir_perms; + + read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t }) - mmap_files_pattern($1, lib_t, ld_so_t) + mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t }) - + - allow $1 ld_so_cache_t:file read_file_perms; + allow $1 ld_so_cache_t:file { map read_file_perms }; ') - + ######################################## @@ -147,6 +166,7 @@ interface(`libs_manage_ld_so',` - type lib_t, ld_so_t; - ') - + type lib_t, ld_so_t; + ') + + read_lnk_files_pattern($1, lib_t, lib_t) - manage_files_pattern($1, lib_t, ld_so_t) + manage_files_pattern($1, lib_t, ld_so_t) ') - + @@ -205,8 +225,26 @@ interface(`libs_search_lib',` - type lib_t; - ') - + type lib_t; + ') + + read_lnk_files_pattern($1, lib_t, lib_t) - allow $1 lib_t:dir search_dir_perms; + allow $1 lib_t:dir search_dir_perms; ') +######################################## +## @@ -43581,17 +43581,17 @@ index 808ba93eb..cc985cfbe 100644 + + dontaudit $1 lib_t:file setattr; +') - + ######################################## ## @@ -248,27 +286,10 @@ interface(`libs_manage_lib_dirs',` - type lib_t; - ') - + type lib_t; + ') + + read_lnk_files_pattern($1, lib_t, lib_t) - allow $1 lib_t:dir manage_dir_perms; + allow $1 lib_t:dir manage_dir_perms; ') - + -######################################## -## -## dontaudit attempts to setattr on library files @@ -43614,27 +43614,27 @@ index 808ba93eb..cc985cfbe 100644 ## ## Read files in the library directories, such @@ -345,6 +366,7 @@ interface(`libs_manage_lib_files',` - type lib_t; - ') - + type lib_t; + ') + + read_lnk_files_pattern($1, lib_t, lib_t) - manage_files_pattern($1, lib_t, lib_t) + manage_files_pattern($1, lib_t, lib_t) ') - + 
@@ -421,7 +443,8 @@ interface(`libs_manage_shared_libs',` - type lib_t, textrel_shlib_t; - ') - + type lib_t, textrel_shlib_t; + ') + - manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + read_lnk_files_pattern($1, lib_t, lib_t) + manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ') - + ######################################## @@ -440,9 +463,10 @@ interface(`libs_use_shared_libs',` - ') - - files_search_usr($1) + ') + + files_search_usr($1) - allow $1 lib_t:dir list_dir_perms; - read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) - mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) @@ -43642,21 +43642,21 @@ index 808ba93eb..cc985cfbe 100644 + read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) + mmap_exec_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) +# allow $1 lib_t:file execmod; - allow $1 textrel_shlib_t:file execmod; + allow $1 textrel_shlib_t:file execmod; ') - + @@ -483,7 +507,7 @@ interface(`libs_relabel_shared_libs',` - type lib_t, textrel_shlib_t; - ') - + type lib_t, textrel_shlib_t; + ') + - relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) + relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t }) ') - + ######################################## @@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicywarn(`$0($*) has been deprecated.') ') + +######################################## @@ -43693,7 +43693,7 @@ index 54f8fa5c8..e14ec857c 100644 type lib_t alias shlib_t; -files_type(lib_t) +files_ro_base_file(lib_t) - + # # textrel_shlib_t is the type of shared objects in the system lib # directories, which require text relocation. 
@@ -43701,42 +43701,42 @@ index 54f8fa5c8..e14ec857c 100644 type textrel_shlib_t alias texrel_shlib_t; -files_type(textrel_shlib_t) +files_ro_base_file(textrel_shlib_t) - + ifdef(`distro_gentoo',` - # openrc unfortunately mounts a tmpfs + # openrc unfortunately mounts a tmpfs @@ -57,11 +57,14 @@ optional_policy(` # ldconfig local policy # - + -allow ldconfig_t self:capability { dac_override sys_chroot }; +allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot }; - + +manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) +files_var_filetrans(ldconfig_t, ldconfig_cache_t, dir, "ldconfig") +allow ldconfig_t ldconfig_cache_t:file map; - + -allow ldconfig_t ld_so_cache_t:file manage_file_perms; +manage_files_pattern(ldconfig_t, ld_so_cache_t, ld_so_cache_t) files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) - + manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) @@ -72,14 +75,19 @@ files_tmp_filetrans(ldconfig_t, ldconfig_tmp_t, { file dir lnk_file }) manage_lnk_files_pattern(ldconfig_t, lib_t, lib_t) - + kernel_read_system_state(ldconfig_t) +kernel_read_network_state(ldconfig_t) - + fs_getattr_xattr_fs(ldconfig_t) - + +files_list_var_lib(ldconfig_t) +files_dontaudit_leaks(ldconfig_t) +files_manage_var_lib_symlinks(ldconfig_t) + corecmd_search_bin(ldconfig_t) - + domain_use_interactive_fds(ldconfig_t) - + -files_search_var_lib(ldconfig_t) +files_search_home(ldconfig_t) files_read_etc_files(ldconfig_t) @@ -43745,21 +43745,21 @@ index 54f8fa5c8..e14ec857c 100644 @@ -90,11 +98,11 @@ files_delete_etc_files(ldconfig_t) init_use_script_ptys(ldconfig_t) init_read_script_tmp_files(ldconfig_t) - + -miscfiles_read_localization(ldconfig_t) - + logging_send_syslog_msg(ldconfig_t) - + -userdom_use_user_terminals(ldconfig_t) +term_use_console(ldconfig_t) +userdom_use_inherited_user_terminals(ldconfig_t) userdom_use_all_users_fds(ldconfig_t) - + ifdef(`distro_ubuntu',` 
@@ -103,6 +111,13 @@ ifdef(`distro_ubuntu',` - ') + ') ') - + +userdom_dontaudit_list_admin_dir(ldconfig_t) +userdom_list_user_home_dirs(ldconfig_t) +userdom_manage_user_home_content_files(ldconfig_t) @@ -43768,24 +43768,24 @@ index 54f8fa5c8..e14ec857c 100644 +userdom_rw_inherited_user_tmp_pipes(ldconfig_t) + ifdef(`hide_broken_symptoms',` - ifdef(`distro_gentoo',` - # leaked fds from portage + ifdef(`distro_gentoo',` + # leaked fds from portage @@ -114,6 +129,11 @@ ifdef(`hide_broken_symptoms',` - ') - ') - + ') + ') + + dev_dontaudit_rw_lvm_control(ldconfig_t) + dev_dontaudit_read_all_chr_files(ldconfig_t) + dev_dontaudit_read_all_blk_files(ldconfig_t) + term_dontaudit_use_unallocated_ttys(ldconfig_t) + - optional_policy(` - unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) - ') + optional_policy(` + unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) + ') @@ -130,6 +150,18 @@ optional_policy(` - apt_use_ptys(ldconfig_t) + apt_use_ptys(ldconfig_t) ') - + +optional_policy(` + glusterd_dontaudit_read_lib_dirs(ldconfig_t) +') @@ -43799,12 +43799,12 @@ index 54f8fa5c8..e14ec857c 100644 +') + optional_policy(` - puppet_rw_tmp(ldconfig_t) + puppet_rw_tmp(ldconfig_t) ') @@ -141,6 +173,3 @@ optional_policy(` - rpm_manage_script_tmp_files(ldconfig_t) + rpm_manage_script_tmp_files(ldconfig_t) ') - + -optional_policy(` - unconfined_domain(ldconfig_t) -') @@ -43815,7 +43815,7 @@ index be6a81b80..a5303e920 100644 @@ -1,3 +1,8 @@ +HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) +/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0) - + /sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0) /sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) + @@ -43826,8 +43826,8 @@ index 0e3c2a977..ea9bd57dc 100644 --- a/policy/modules/system/locallogin.if +++ b/policy/modules/system/locallogin.if 
@@ -129,3 +129,59 @@ interface(`locallogin_domtrans_sulogin',` - - domtrans_pattern($1, sulogin_exec_t, sulogin_t) + + domtrans_pattern($1, sulogin_exec_t, sulogin_t) ') + +####################################### @@ -43892,19 +43892,19 @@ index 446fa9908..6e1a05a68 100644 @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) type local_login_lock_t; files_lock_file(local_login_lock_t) - + -type local_login_tmp_t; -files_tmp_file(local_login_tmp_t) -files_poly_parent(local_login_tmp_t) +type local_login_home_t; +userdom_user_home_content(local_login_home_t) - + type sulogin_t; type sulogin_exec_t; @@ -27,14 +26,21 @@ init_domain(sulogin_t, sulogin_exec_t) init_system_domain(sulogin_t, sulogin_exec_t) role system_r types sulogin_t; - + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mcs_systemhigh) +') @@ -43917,7 +43917,7 @@ index 446fa9908..6e1a05a68 100644 # # Local login local policy # - + -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; -allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -allow local_login_t self:process { setrlimit setexec }; @@ -43929,12 +43929,12 @@ index 446fa9908..6e1a05a68 100644 @@ -51,9 +57,7 @@ allow local_login_t self:key { search write link }; allow local_login_t local_login_lock_t:file manage_file_perms; files_lock_filetrans(local_login_t, local_login_lock_t, file) - + -allow local_login_t local_login_tmp_t:dir manage_dir_perms; -allow local_login_t local_login_tmp_t:file manage_file_perms; -files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir }) +allow local_login_t local_login_home_t:file read_file_perms; - + kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) @@ -73,6 +77,8 @@ dev_getattr_power_mgmt_dev(local_login_t) 
@@ -43951,34 +43951,34 @@ index 446fa9908..6e1a05a68 100644 # for when /var/mail is a symlink files_read_var_symlinks(local_login_t) +files_create_home_dir(local_login_t) - + fs_search_auto_mountpoints(local_login_t) - + @@ -117,16 +124,18 @@ term_relabel_unallocated_ttys(local_login_t) term_relabel_all_ttys(local_login_t) term_setattr_all_ttys(local_login_t) term_setattr_unallocated_ttys(local_login_t) +term_relabel_all_ptys(local_login_t) +term_setattr_generic_ptys(local_login_t) - + auth_rw_login_records(local_login_t) auth_rw_faillog(local_login_t) -auth_manage_pam_pid(local_login_t) auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) +auth_use_nsswitch(local_login_t) - + init_dontaudit_use_fds(local_login_t) +init_stream_connect(local_login_t) - + -miscfiles_read_localization(local_login_t) - + userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) @@ -141,19 +150,15 @@ ifdef(`distro_ubuntu',` - ') + ') ') - + -tunable_policy(`console_login',` - # Able to relabel /dev/console to user tty types. - term_relabel_console(local_login_t) @@ -43986,7 +43986,7 @@ index 446fa9908..6e1a05a68 100644 +userdom_home_reader(local_login_t) +userdom_manage_tmp_files(local_login_t) +userdom_tmp_filetrans_user_tmp(local_login_t, file) - + -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(local_login_t) - fs_read_nfs_symlinks(local_login_t) @@ -44001,12 +44001,12 @@ index 446fa9908..6e1a05a68 100644 + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) ') - + optional_policy(` @@ -176,14 +181,6 @@ optional_policy(` - mta_getattr_spool(local_login_t) + mta_getattr_spool(local_login_t) ') - + -optional_policy(` - nis_use_ypbind(local_login_t) -') @@ -44016,20 +44016,20 @@ index 446fa9908..6e1a05a68 100644 -') - optional_policy(` - unconfined_shell_domtrans(local_login_t) + unconfined_shell_domtrans(local_login_t) ') 
@@ -195,6 +192,7 @@ optional_policy(` optional_policy(` - xserver_read_xdm_tmp_files(local_login_t) - xserver_rw_xdm_tmp_files(local_login_t) + xserver_read_xdm_tmp_files(local_login_t) + xserver_rw_xdm_tmp_files(local_login_t) + xserver_rw_xdm_keys(local_login_t) ') - + ################################# @@ -202,7 +200,7 @@ optional_policy(` # Sulogin local policy # - + -allow sulogin_t self:capability dac_override; +allow sulogin_t self:capability { dac_read_search dac_override sys_admin }; allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -44038,11 +44038,11 @@ index 446fa9908..6e1a05a68 100644 @@ -215,18 +213,30 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; - + +kernel_getattr_core_if(sulogin_t) +kernel_read_crypto_sysctls(sulogin_t) kernel_read_system_state(sulogin_t) - + +dev_getattr_all_chr_files(sulogin_t) +dev_getattr_all_blk_files(sulogin_t) + @@ -44051,29 +44051,29 @@ index 446fa9908..6e1a05a68 100644 + fs_search_auto_mountpoints(sulogin_t) fs_rw_tmpfs_chr_files(sulogin_t) - + files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) +files_search_pids(sulogin_t) - + auth_read_shadow(sulogin_t) +auth_use_nsswitch(sulogin_t) - + init_getpgid_script(sulogin_t) +init_getpgid(sulogin_t) +init_getattr_initctl(sulogin_t) - + logging_send_syslog_msg(sulogin_t) - + @@ -235,17 +245,28 @@ seutil_read_default_contexts(sulogin_t) - + userdom_use_unpriv_users_fds(sulogin_t) - + +userdom_search_admin_dir(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) - + -sysadm_shell_domtrans(sulogin_t) +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) 
@@ -44086,20 +44086,20 @@ index 446fa9908..6e1a05a68 100644 + unconfined_shell_domtrans(sulogin_t) + ') +') - + # suse and debian do not use pam with sulogin... ifdef(`distro_suse', `define(`sulogin_no_pam')') ifdef(`distro_debian', `define(`sulogin_no_pam')') - + +allow sulogin_t self:capability sys_tty_config; ifdef(`sulogin_no_pam', ` - allow sulogin_t self:capability sys_tty_config; - init_getpgid(sulogin_t) + init_getpgid(sulogin_t) ', ` - allow sulogin_t self:process setexec; + allow sulogin_t self:process setexec; @@ -258,9 +279,5 @@ ifdef(`sulogin_no_pam', ` ') - + optional_policy(` - nis_use_ypbind(sulogin_t) -') @@ -44113,14 +44113,14 @@ index b50c5fe81..e55a55641 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -2,10 +2,13 @@ - + /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) - + +/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_file_t,s0) + /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) @@ -44129,7 +44129,7 @@ index b50c5fe81..e55a55641 100644 @@ -17,12 +20,25 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - + +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0) + 
@@ -44150,11 +44150,11 @@ index b50c5fe81..e55a55641 100644 -/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) - + /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) @@ -38,21 +54,22 @@ ifdef(`distro_suse', ` - + /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) -/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) @@ -44166,31 +44166,31 @@ index b50c5fe81..e55a55641 100644 -/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) - + ifndef(`distro_gentoo',` -/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) +/var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) ') - + ifdef(`distro_redhat',` /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') - + /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) 
@@ -65,11 +82,16 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) - + /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) - + +/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0) + /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -44202,9 +44202,9 @@ index 4e9488463..09c79d688 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -144,6 +144,24 @@ interface(`logging_read_audit_log',` - allow $1 auditd_log_t:dir list_dir_perms; + allow $1 auditd_log_t:dir list_dir_perms; ') - + +######################################## +## +## Map the audit log. @@ -44227,7 +44227,7 @@ index 4e9488463..09c79d688 100644 ## ## Execute auditctl in the auditctl domain. @@ -233,7 +251,7 @@ interface(`logging_run_auditd',` - + ######################################## ## -## Connect to auditdstored over an unix stream socket. @@ -44236,15 +44236,15 @@ index 4e9488463..09c79d688 100644 ## ## @@ -262,6 +280,7 @@ interface(`logging_domtrans_dispatcher',` - ') - - domtrans_pattern($1, audisp_exec_t, audisp_t) + ') + + domtrans_pattern($1, audisp_exec_t, audisp_t) + allow $1 audisp_exec_t:file map; ') - + ######################################## 
@@ -318,7 +337,7 @@ interface(`logging_dispatcher_domain',` - + ######################################## ## -## Connect to the audit dispatcher over an unix stream socket. @@ -44253,9 +44253,9 @@ index 4e9488463..09c79d688 100644 ## ## @@ -496,6 +515,68 @@ interface(`logging_log_filetrans',` - filetrans_pattern($1, var_log_t, $2, $3, $4) + filetrans_pattern($1, var_log_t, $2, $3, $4) ') - + +####################################### +## +## Create an object in the log directory, with a private type. @@ -44324,7 +44324,7 @@ index 4e9488463..09c79d688 100644 @@ -530,22 +611,105 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` - gen_require(` + gen_require(` - type syslogd_t, devlog_t; + attribute syslog_client_type; + ') @@ -44403,13 +44403,13 @@ index 4e9488463..09c79d688 100644 +interface(`logging_relabel_syslog_pid_socket',` + gen_require(` + type syslogd_var_run_t; - ') - + ') + - allow $1 devlog_t:lnk_file read_lnk_file_perms; - allow $1 devlog_t:sock_file write_sock_file_perms; + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') - + - # the type of socket depends on the syslog daemon - allow $1 syslogd_t:unix_dgram_socket sendto; - allow $1 syslogd_t:unix_stream_socket connectto; @@ -44429,7 +44429,7 @@ index 4e9488463..09c79d688 100644 + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') - + - # If syslog is down, the glibc syslog() function - # will write to the console. - term_write_console($1) @@ -44437,12 +44437,12 @@ index 4e9488463..09c79d688 100644 + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') - + ######################################## @@ -569,6 +733,44 @@ interface(`logging_read_audit_config',` - allow $1 auditd_etc_t:dir list_dir_perms; + allow $1 auditd_etc_t:dir list_dir_perms; ') - + +######################################## +## +## Map the auditd configuration files. 
@@ -44485,9 +44485,9 @@ index 4e9488463..09c79d688 100644 ## ## dontaudit search of auditd configuration files. @@ -607,6 +809,25 @@ interface(`logging_read_syslog_config',` - allow $1 syslog_conf_t:file read_file_perms; + allow $1 syslog_conf_t:file read_file_perms; ') - + +######################################## +## +## Manage syslog configuration files. @@ -44511,9 +44511,9 @@ index 4e9488463..09c79d688 100644 ## ## Allows the domain to open a file in the @@ -722,6 +943,25 @@ interface(`logging_setattr_all_log_dirs',` - allow $1 logfile:dir setattr; + allow $1 logfile:dir setattr; ') - + +####################################### +## +## Relabel on all log dirs. @@ -44537,9 +44537,9 @@ index 4e9488463..09c79d688 100644 ## ## Do not audit attempts to get the attributes @@ -776,7 +1016,25 @@ interface(`logging_append_all_logs',` - ') - - files_search_var($1) + ') + + files_search_var($1) - append_files_pattern($1, var_log_t, logfile) + append_files_pattern($1, logfile, logfile) +') @@ -44561,36 +44561,36 @@ index 4e9488463..09c79d688 100644 + + allow $1 logfile:file { getattr append ioctl lock }; ') - + ######################################## @@ -797,6 +1055,7 @@ interface(`logging_read_all_logs',` - - files_search_var($1) - allow $1 logfile:dir list_dir_perms; + + files_search_var($1) + allow $1 logfile:dir list_dir_perms; + allow $1 logfile:file map; - read_files_pattern($1, logfile, logfile) + read_files_pattern($1, logfile, logfile) ') - + @@ -858,8 +1117,10 @@ interface(`logging_manage_all_logs',` - ') - - files_search_var($1) + ') + + files_search_var($1) + manage_dirs_pattern($1, logfile, logfile) - manage_files_pattern($1, logfile, logfile) + manage_files_pattern($1, logfile, logfile) - read_lnk_files_pattern($1, logfile, logfile) + manage_lnk_files_pattern($1, logfile, logfile) + allow $1 logfile:file map; ') - + ######################################## 
@@ -880,9 +1141,67 @@ interface(`logging_read_generic_logs',` - - files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; + + files_search_var($1) + allow $1 var_log_t:dir list_dir_perms; + allow $1 var_log_t:file map; - read_files_pattern($1, var_log_t, var_log_t) + read_files_pattern($1, var_log_t, var_log_t) ') - + +######################################## +## +## Link generic log files. @@ -44652,9 +44652,9 @@ index 4e9488463..09c79d688 100644 ## ## Write generic log files. @@ -903,6 +1222,24 @@ interface(`logging_write_generic_logs',` - write_files_pattern($1, var_log_t, var_log_t) + write_files_pattern($1, var_log_t, var_log_t) ') - + +######################################## +## +## Dontaudit read/Write inherited generic log files. @@ -44677,27 +44677,27 @@ index 4e9488463..09c79d688 100644 ## ## Dontaudit Write generic log files. @@ -984,11 +1321,16 @@ interface(`logging_admin_audit',` - type auditd_t, auditd_etc_t, auditd_log_t; - type auditd_var_run_t; - type auditd_initrc_exec_t; + type auditd_t, auditd_etc_t, auditd_log_t; + type auditd_var_run_t; + type auditd_initrc_exec_t; + type auditd_unit_file_t; - ') - + ') + - allow $1 auditd_t:process { ptrace signal_perms }; + allow $1 auditd_t:process signal_perms; - ps_process_pattern($1, auditd_t) - + ps_process_pattern($1, auditd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 auditd_t:process ptrace; + ') + - manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) - + manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) + manage_files_pattern($1, auditd_etc_t, auditd_etc_t) + @@ -1004,6 +1346,33 @@ interface(`logging_admin_audit',` - domain_system_change_exemption($1) - role_transition $2 auditd_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 auditd_initrc_exec_t system_r; + allow $2 system_r; + + logging_systemctl_audit($1) + admin_pattern($1, auditd_unit_file_t) 
@@ -44726,38 +44726,38 @@ index 4e9488463..09c79d688 100644 + + ps_process_pattern($1, auditd_t) ') - + ######################################## @@ -1032,10 +1401,15 @@ interface(`logging_admin_syslog',` - type syslogd_initrc_exec_t; - ') - + type syslogd_initrc_exec_t; + ') + - allow $1 syslogd_t:process { ptrace signal_perms }; - allow $1 klogd_t:process { ptrace signal_perms }; + allow $1 self:capability2 syslog; + allow $1 syslogd_t:process signal_perms; + allow $1 klogd_t:process signal_perms; - ps_process_pattern($1, syslogd_t) - ps_process_pattern($1, klogd_t) + ps_process_pattern($1, syslogd_t) + ps_process_pattern($1, klogd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 syslogd_t:process ptrace; + allow $1 klogd_t:process ptrace; + ') - - manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) - manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) + + manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) + manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) @@ -1057,6 +1431,8 @@ interface(`logging_admin_syslog',` - manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) - - logging_manage_all_logs($1) + manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + + logging_manage_all_logs($1) + allow $1 logfile:dir relabel_dir_perms; + allow $1 logfile:file relabel_file_perms; - - init_labeled_script_domtrans($1, syslogd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, syslogd_initrc_exec_t) + domain_system_change_exemption($1) @@ -1085,3 +1461,108 @@ interface(`logging_admin',` - logging_admin_audit($1, $2) - logging_admin_syslog($1, $2) + logging_admin_audit($1, $2) + logging_admin_syslog($1, $2) ') + +######################################## @@ -44895,21 +44895,21 @@ index 59b04c1a2..2b875dbbc 100644 +##

      +## +gen_tunable(logging_syslogd_run_nagios_plugins, false) - + attribute logfile; - + @@ -20,6 +43,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) - + type audit_spool_t; +files_spool_file(audit_spool_t) files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) - + @@ -33,6 +57,9 @@ init_script_file(auditd_initrc_exec_t) type auditd_var_run_t; files_pid_file(auditd_var_run_t) - + +type auditd_unit_file_t; +systemd_unit_file(auditd_unit_file_t) + @@ -44921,61 +44921,61 @@ index 59b04c1a2..2b875dbbc 100644 type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) +mls_trusted_object(syslogd_t) - + type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) @@ -71,11 +99,15 @@ init_script_file(syslogd_initrc_exec_t) type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) - + +type syslogd_tmpfs_t; +files_tmpfs_file(syslogd_tmpfs_t) + type syslogd_var_lib_t; files_type(syslogd_var_lib_t) - + type syslogd_var_run_t; files_pid_file(syslogd_var_run_t) +mls_trusted_object(syslogd_var_run_t) - + type var_log_t; logging_log_file(var_log_t) @@ -94,8 +126,11 @@ ifdef(`enable_mls',` allow auditctl_t self:capability { fsetid dac_read_search dac_override }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; - + +allow auditctl_t self:process getcap; + read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; +allow auditctl_t auditd_etc_t:file map; - + # Needed for adding watches files_getattr_all_dirs(auditctl_t) @@ -111,7 +146,9 @@ domain_use_interactive_fds(auditctl_t) - + mls_file_read_all_levels(auditctl_t) - + -term_use_all_terms(auditctl_t) +storage_getattr_removable_dev(auditctl_t) + +term_use_all_inherited_terms(auditctl_t) - + init_dontaudit_use_fds(auditctl_t) - + 
@@ -134,11 +171,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms; allow auditd_t self:tcp_socket create_stream_socket_perms; - + allow auditd_t auditd_etc_t:dir list_dir_perms; -allow auditd_t auditd_etc_t:file read_file_perms; +allow auditd_t auditd_etc_t:file { read_file_perms map }; - + +manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t) manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) -allow auditd_t var_log_t:dir search_dir_perms; +logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit") - + manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) @@ -148,6 +186,7 @@ kernel_read_kernel_sysctls(auditd_t) @@ -44983,13 +44983,13 @@ index 59b04c1a2..2b875dbbc 100644 # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) +kernel_read_network_state(auditd_t) - + dev_read_sysfs(auditd_t) - + @@ -155,9 +194,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) - + -selinux_search_fs(auditctl_t) - -corenet_all_recvfrom_unlabeled(auditd_t) @@ -44999,96 +44999,96 @@ index 59b04c1a2..2b875dbbc 100644 @@ -183,16 +219,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) - + -miscfiles_read_localization(auditd_t) +auth_use_nsswitch(auditd_t) - + mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory - -seutil_dontaudit_read_config(auditd_t) +mls_socket_write_all_levels(auditd_t) - + sysnet_dns_name_resolve(auditd_t) - + -userdom_use_user_terminals(auditd_t) +systemd_start_systemd_services(auditd_t) + +userdom_use_inherited_user_terminals(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) - + 
@@ -219,7 +256,7 @@ optional_policy(` # audit dispatcher local policy # - + -allow audisp_t self:capability { dac_override setpcap sys_nice }; +allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice }; allow audisp_t self:process { getcap signal_perms setcap setsched }; allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; @@ -227,6 +264,8 @@ allow audisp_t self:unix_dgram_socket create_socket_perms; - + allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; - + +allow audisp_t audisp_exec_t:file map; + manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) - + @@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t) - + domain_use_interactive_fds(audisp_t) - + +fs_getattr_all_fs(audisp_t) + files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) - + +mls_file_read_all_levels(audisp_t) mls_file_write_all_levels(audisp_t) +mls_socket_write_all_levels(audisp_t) +mls_dbus_send_all_levels(audisp_t) - + -logging_send_syslog_msg(audisp_t) +auth_use_nsswitch(audisp_t) - + -miscfiles_read_localization(audisp_t) +logging_send_syslog_msg(audisp_t) - + sysnet_dns_name_resolve(audisp_t) - + optional_policy(` - dbus_system_bus_client(audisp_t) + dbus_system_bus_client(audisp_t) + dbus_connect_system_bus(audisp_t) + + optional_policy(` + setroubleshoot_dbus_chat(audisp_t) + ') ') - + ######################################## 
@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) - + +kernel_read_system_state(audisp_remote_t) + corecmd_exec_bin(audisp_remote_t) - + -corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) @@ -280,13 +330,28 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) - + files_read_etc_files(audisp_remote_t) - + +mls_socket_write_all_levels(audisp_remote_t) + logging_send_syslog_msg(audisp_remote_t) logging_send_audit_msgs(audisp_remote_t) - + -miscfiles_read_localization(audisp_remote_t) +auth_use_nsswitch(audisp_remote_t) +auth_append_login_records(audisp_remote_t) @@ -45098,9 +45098,9 @@ index 59b04c1a2..2b875dbbc 100644 +init_telinit(audisp_remote_t) +init_read_utmp(audisp_remote_t) +init_dontaudit_write_utmp(audisp_remote_t) - + sysnet_dns_name_resolve(audisp_remote_t) - + +systemd_start_power_services(audisp_remote_t) + +term_search_ptys(audisp_remote_t) @@ -45111,13 +45111,13 @@ index 59b04c1a2..2b875dbbc 100644 # # klogd local policy @@ -326,7 +391,6 @@ files_read_etc_files(klogd_t) - + logging_send_syslog_msg(klogd_t) - + -miscfiles_read_localization(klogd_t) - + mls_file_read_all_levels(klogd_t) - + @@ -355,13 +419,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog 
@@ -45144,23 +45144,23 @@ index 59b04c1a2..2b875dbbc 100644 +allow syslogd_t self:netlink_audit_socket { r_netlink_socket_perms nlmsg_write }; allow syslogd_t syslog_conf_t:file read_file_perms; +allow syslogd_t syslog_conf_t:dir list_dir_perms; - + # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; +# now is /dev/log lnk_file +allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms; files_pid_filetrans(syslogd_t, devlog_t, sock_file) - + # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) +allow syslogd_t var_log_t:file map; rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) - + @@ -389,30 +457,49 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) - + +manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t) +manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t) +fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file }) @@ -45169,7 +45169,7 @@ index 59b04c1a2..2b875dbbc 100644 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) +allow syslogd_t syslogd_var_lib_t:file map; files_search_var_lib(syslogd_t) - + -# manage pid file +manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) @@ -45177,7 +45177,7 @@ index 59b04c1a2..2b875dbbc 100644 +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) - + +kernel_rw_stream_socket_perms(syslogd_t) kernel_read_system_state(syslogd_t) kernel_read_network_state(syslogd_t) 
@@ -45198,7 +45198,7 @@ index 59b04c1a2..2b875dbbc 100644 + +corecmd_exec_bin(syslogd_t) +corecmd_exec_shell(syslogd_t) - + -corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) @@ -45221,13 +45221,13 @@ index 59b04c1a2..2b875dbbc 100644 corenet_tcp_connect_mysqld_port(syslogd_t) +corenet_tcp_connect_http_port(syslogd_t) +corenet_tcp_connect_wap_wsp_port(syslogd_t) - + # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) @@ -432,9 +523,33 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) - + +tunable_policy(`logging_syslogd_use_tty',` + term_use_all_ttys(syslogd_t) + term_use_all_ptys(syslogd_t) @@ -45257,7 +45257,7 @@ index 59b04c1a2..2b875dbbc 100644 +domain_read_all_domains_state(syslogd_t) +domain_getattr_all_domains(syslogd_t) domain_use_interactive_fds(syslogd_t) - + files_read_etc_files(syslogd_t) @@ -443,18 +558,25 @@ files_read_var_files(syslogd_t) files_read_etc_runtime_files(syslogd_t) @@ -45266,59 +45266,59 @@ index 59b04c1a2..2b875dbbc 100644 +files_dontaudit_list_var(syslogd_t) files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) - + fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) +fs_search_cgroup_dirs(syslogd_t) + +miscfiles_manage_generic_cert_files(syslogd_t) - + mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories +mls_socket_write_all_levels(syslogd_t) # Neet to be able to sendto dgram - + term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) +term_use_generic_ptys(syslogd_t) - + +init_stream_connect(syslogd_t) # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) 
@@ -466,11 +588,12 @@ init_use_fds(syslogd_t) - + # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) - -miscfiles_read_localization(syslogd_t) +logging_manage_all_logs(syslogd_t) +logging_set_loginuid(syslogd_t) - + userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -userdom_dontaudit_search_user_home_dirs(syslogd_t) +userdom_search_user_home_dirs(syslogd_t) +userdom_rw_inherited_user_tmp_files(syslogd_t) - + ifdef(`distro_gentoo',` - # default gentoo syslog-ng config appends kernel + # default gentoo syslog-ng config appends kernel @@ -494,9 +617,14 @@ optional_policy(` - bind_search_cache(syslogd_t) + bind_search_cache(syslogd_t) ') - + +optional_policy(` + container_read_lib_files(syslogd_t) +') + optional_policy(` - cron_manage_log_files(syslogd_t) - cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") + cron_manage_log_files(syslogd_t) + cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") + cron_generic_log_filetrans_log(syslogd_t, file, "cron") ') - + optional_policy(` @@ -507,15 +635,40 @@ optional_policy(` ') - + optional_policy(` + kerberos_keytab_template(syslogd, syslogd_t) + kerberos_manage_host_rcache(syslogd_t) @@ -45327,9 +45327,9 @@ index 59b04c1a2..2b875dbbc 100644 + +optional_policy(` + mysql_read_config(syslogd_t) - mysql_stream_connect(syslogd_t) + mysql_stream_connect(syslogd_t) ') - + +optional_policy(` + plymouthd_manage_log(syslogd_t) +') @@ -45339,15 +45339,15 @@ index 59b04c1a2..2b875dbbc 100644 +') + optional_policy(` - postgresql_stream_connect(syslogd_t) + postgresql_stream_connect(syslogd_t) ') - + +optional_policy(` + psad_search_lib_files(syslogd_t) +') + optional_policy(` - seutil_sigchld_newrole(syslogd_t) + seutil_sigchld_newrole(syslogd_t) + snmp_read_snmp_var_lib_files(syslogd_t) + snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) +') @@ -45355,11 +45355,11 @@ index 59b04c1a2..2b875dbbc 100644 +optional_policy(` + daemontools_search_svc_dir(syslogd_t) ') - + optional_policy(` 
@@ -526,3 +679,26 @@ optional_policy(` - # log to the xconsole - xserver_rw_console(syslogd_t) + # log to the xconsole + xserver_rw_console(syslogd_t) ') + +##################################################### @@ -45391,7 +45391,7 @@ index 6b917403e..772411608 100644 @@ -23,6 +23,8 @@ ifdef(`distro_gentoo',` /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) - + +/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + # @@ -45503,7 +45503,7 @@ index 6b917403e..772411608 100644 +/usr/libexec/storaged/storaged -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/storaged/storaged-lvm-helper -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0) - + # # /var @@ -98,5 +174,11 @@ ifdef(`distro_gentoo',` @@ -45524,7 +45524,7 @@ index 58bc27f22..d12c44ecd 100644 +++ b/policy/modules/system/lvm.if @@ -1,5 +1,24 @@ ## Policy for logical volume management programs. - + +######################################## +## +## Get the attribute of lvm entrypoint files. @@ -45548,9 +45548,9 @@ index 58bc27f22..d12c44ecd 100644 ## ## Execute lvm programs in the lvm domain. @@ -84,6 +103,90 @@ interface(`lvm_read_config',` - read_files_pattern($1, lvm_etc_t, lvm_etc_t) + read_files_pattern($1, lvm_etc_t, lvm_etc_t) ') - + +######################################## +## +## Mmap LVM configuration files. @@ -45639,9 +45639,9 @@ index 58bc27f22..d12c44ecd 100644 ## ## Manage LVM configuration files. @@ -105,6 +208,25 @@ interface(`lvm_manage_config',` - manage_files_pattern($1, lvm_etc_t, lvm_etc_t) + manage_files_pattern($1, lvm_etc_t, lvm_etc_t) ') - + +######################################## +## +## Connect to lvm using a unix domain stream socket. @@ -45665,8 +45665,8 @@ index 58bc27f22..d12c44ecd 100644 ## ## Execute a domain transition to run clvmd. 
@@ -123,3 +245,154 @@ interface(`lvm_domtrans_clvmd',` - corecmd_search_bin($1) - domtrans_pattern($1, clvmd_exec_t, clvmd_t) + corecmd_search_bin($1) + domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') + +######################################## @@ -45725,7 +45725,7 @@ index 58bc27f22..d12c44ecd 100644 + +######################################## +## -+## Send a message to lvm over the ++## Send a message to lvm over the +## datagram socket. +## +## @@ -45826,26 +45826,26 @@ index 79048c410..26e560e79 100644 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) - + +type clvmd_tmpfs_t alias clmvd_tmpfs_t; +files_tmpfs_file(clvmd_tmpfs_t) + type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) - + @@ -24,7 +27,7 @@ domain_obj_id_change_exemption(lvm_t) role system_r types lvm_t; - + type lvm_etc_t; -files_type(lvm_etc_t) +files_config_file(lvm_etc_t) - + type lvm_lock_t; files_lock_file(lvm_lock_t) @@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t) type lvm_tmp_t; files_tmp_file(lvm_tmp_t) - + +type lvm_unit_file_t; +systemd_unit_file(lvm_unit_file_t) + @@ -45862,7 +45862,7 @@ index 79048c410..26e560e79 100644 allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; - + +manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t) +manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) +fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) @@ -45871,21 +45871,21 @@ index 79048c410..26e560e79 100644 manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) -files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) +files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir }) - + read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t) - + 
@@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) corecmd_exec_shell(clvmd_t) corecmd_getattr_bin_files(clvmd_t) - + -corenet_all_recvfrom_unlabeled(clvmd_t) corenet_all_recvfrom_netlabel(clvmd_t) corenet_tcp_sendrecv_generic_if(clvmd_t) corenet_udp_sendrecv_generic_if(clvmd_t) @@ -120,9 +129,6 @@ init_dontaudit_getattr_initctl(clvmd_t) - + logging_send_syslog_msg(clvmd_t) - + -miscfiles_read_localization(clvmd_t) - -seutil_dontaudit_search_config(clvmd_t) @@ -45893,16 +45893,16 @@ index 79048c410..26e560e79 100644 seutil_read_config(clvmd_t) seutil_read_file_contexts(clvmd_t) @@ -140,6 +146,11 @@ ifdef(`distro_redhat',` - ') + ') ') - + +optional_policy(` + aisexec_stream_connect(clvmd_t) + corosync_stream_connect(clvmd_t) +') + optional_policy(` - ccs_stream_connect(clvmd_t) + ccs_stream_connect(clvmd_t) ') @@ -165,20 +176,27 @@ optional_policy(` # DAC overrides and mknod for modifying /dev entries (vgmknodes) @@ -45921,10 +45921,10 @@ index 79048c410..26e560e79 100644 +allow lvm_t self:socket create_stream_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; allow lvm_t self:sem create_sem_perms; - + allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms }; - + +allow lvm_t lvm_unit_file_t:file manage_file_perms; +systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file) +systemd_create_unit_file_dirs(lvm_t) @@ -45935,7 +45935,7 @@ index 79048c410..26e560e79 100644 files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir }) @@ -191,10 +209,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) - + # Creating lock files +manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) 
@@ -45943,11 +45943,11 @@ index 79048c410..26e560e79 100644 files_lock_filetrans(lvm_t, lvm_lock_t, file) files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm") +files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid") - + manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) @@ -202,10 +222,13 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) - + manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) +manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -45955,7 +45955,7 @@ index 79048c410..26e560e79 100644 -files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) +files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) +init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) - + read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) +allow lvm_t lvm_etc_t:file map; read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) @@ -45967,7 +45967,7 @@ index 79048c410..26e560e79 100644 kernel_use_fds(lvm_t) +kernel_request_load_module(lvm_t) kernel_search_debugfs(lvm_t) - + corecmd_exec_bin(lvm_t) @@ -230,11 +254,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) @@ -45989,7 +45989,7 @@ index 79048c410..26e560e79 100644 dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) +dev_rw_generic_files(lvm_t) - + domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) @@ -255,17 +282,21 @@ files_read_etc_files(lvm_t) @@ -45997,7 +45997,7 @@ index 79048c410..26e560e79 100644 # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) +fs_rw_inherited_tmpfs_files(lvm_t) - + -fs_getattr_xattr_fs(lvm_t) +fs_getattr_all_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) 
@@ -46008,37 +46008,37 @@ index 79048c410..26e560e79 100644 fs_rw_anon_inodefs_files(lvm_t) +fs_list_auto_mountpoints(lvm_t) +fs_list_hugetlbfs(lvm_t) - + mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) +mls_file_upgrade(lvm_t) - + selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) @@ -285,7 +316,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) - + -term_use_all_terms(lvm_t) +term_use_all_inherited_terms(lvm_t) - + init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) @@ -293,15 +324,23 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) - + logging_send_syslog_msg(lvm_t) +logging_stream_connect_syslog(lvm_t) - + -miscfiles_read_localization(lvm_t) +authlogin_rw_pipes(lvm_t) +auth_use_nsswitch(lvm_t) - + seutil_read_config(lvm_t) seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) - + +userdom_use_inherited_user_terminals(lvm_t) userdom_use_user_terminals(lvm_t) +userdom_rw_inherited_user_tmp_pipes(lvm_t) @@ -46046,25 +46046,25 @@ index 79048c410..26e560e79 100644 +userdom_search_user_home_dirs(lvm_t) + +usermanage_read_crack_db(lvm_t) - + ifdef(`distro_redhat',` - # this is from the initrd: + # this is from the initrd: @@ -312,6 +351,11 @@ ifdef(`distro_redhat',` - ') + ') ') - + +optional_policy(` + aisexec_stream_connect(lvm_t) + corosync_stream_connect(lvm_t) +') + optional_policy(` - bootloader_rw_tmp_files(lvm_t) + bootloader_rw_tmp_files(lvm_t) ') @@ -332,14 +376,38 @@ optional_policy(` - ') + ') ') - + +optional_policy(` + container_rw_sem(lvm_t) +') 
@@ -46078,17 +46078,17 @@ index 79048c410..26e560e79 100644 +') + optional_policy(` - modutils_domtrans_insmod(lvm_t) + modutils_domtrans_insmod(lvm_t) ') - + +optional_policy(` + raid_read_mdadm_pid(lvm_t) +') + optional_policy(` - rpm_manage_script_tmp_files(lvm_t) + rpm_manage_script_tmp_files(lvm_t) ') - + +optional_policy(` + policykit_dbus_chat(lvm_t) +') @@ -46098,8 +46098,8 @@ index 79048c410..26e560e79 100644 +') + optional_policy(` - udev_read_db(lvm_t) - udev_read_pid_files(lvm_t) + udev_read_db(lvm_t) + udev_read_pid_files(lvm_t) diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 9fe8e01e3..5cee43ebb 100644 --- a/policy/modules/system/miscfiles.fc @@ -46119,20 +46119,20 @@ index 9fe8e01e3..5cee43ebb 100644 +/etc/ipa/nssdb(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) +/etc/vconsole.conf -- gen_context(system_u:object_r:locale_t,s0) - + ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) @@ -37,24 +41,20 @@ ifdef(`distro_redhat',` - + /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) - + -/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0) - -/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) - + /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) @@ -46149,22 +46149,22 @@ index 9fe8e01e3..5cee43ebb 100644 +/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) - + /usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) - + 
@@ -77,7 +77,7 @@ ifdef(`distro_redhat',` - + /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -/var/cache/man(/.*)? gen_context(system_u:object_r:man_cache_t,s0) + - + /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) - + @@ -89,7 +89,10 @@ ifdef(`distro_debian',` /var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0) ') - + +/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:cert_t,s0) + ifdef(`distro_redhat',` @@ -46177,9 +46177,9 @@ index fc28bc31b..e229517af 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -65,6 +65,27 @@ interface(`miscfiles_read_all_certs',` - read_lnk_files_pattern($1, cert_type, cert_type) + read_lnk_files_pattern($1, cert_type, cert_type) ') - + +######################################## +## +## Read all SSL certificates. @@ -46205,9 +46205,9 @@ index fc28bc31b..e229517af 100644 ## ## Read generic SSL certificates. @@ -86,6 +107,25 @@ interface(`miscfiles_read_generic_certs',` - read_lnk_files_pattern($1, cert_t, cert_t) + read_lnk_files_pattern($1, cert_t, cert_t) ') - + +######################################## +## +## mmap generic SSL certificates. @@ -46231,9 +46231,9 @@ index fc28bc31b..e229517af 100644 ## ## Manage generic SSL certificates. @@ -104,6 +144,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` - manage_dirs_pattern($1, cert_t, cert_t) + manage_dirs_pattern($1, cert_t, cert_t) ') - + +######################################## +## +## Dontaudit attempts to write generic SSL certificates. @@ -46256,18 +46256,18 @@ index fc28bc31b..e229517af 100644 ## ## Manage generic SSL certificates. 
@@ -121,7 +179,7 @@ interface(`miscfiles_manage_generic_cert_files',` - ') - - manage_files_pattern($1, cert_t, cert_t) + ') + + manage_files_pattern($1, cert_t, cert_t) - read_lnk_files_pattern($1, cert_t, cert_t) + manage_lnk_files_pattern($1, cert_t, cert_t) ') - + ######################################## @@ -154,6 +212,26 @@ interface(`miscfiles_manage_cert_dirs',` - refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') ') - + +######################################## +## +## Do not audit attempts to access check cert dirs/files. @@ -46292,66 +46292,66 @@ index fc28bc31b..e229517af 100644 ## ## Manage SSL certificates. @@ -191,11 +269,13 @@ interface(`miscfiles_read_fonts',` - - allow $1 fonts_t:dir list_dir_perms; - read_files_pattern($1, fonts_t, fonts_t) + + allow $1 fonts_t:dir list_dir_perms; + read_files_pattern($1, fonts_t, fonts_t) + allow $1 fonts_t:file map; - read_lnk_files_pattern($1, fonts_t, fonts_t) - - allow $1 fonts_cache_t:dir list_dir_perms; - read_files_pattern($1, fonts_cache_t, fonts_cache_t) - read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) + read_lnk_files_pattern($1, fonts_t, fonts_t) + + allow $1 fonts_cache_t:dir list_dir_perms; + read_files_pattern($1, fonts_cache_t, fonts_cache_t) + read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) + allow $1 fonts_cache_t:file map; ') - + ######################################## @@ -414,6 +494,7 @@ interface(`miscfiles_read_localization',` - allow $1 locale_t:dir list_dir_perms; - read_files_pattern($1, locale_t, locale_t) - read_lnk_files_pattern($1, locale_t, locale_t) + allow $1 locale_t:dir list_dir_perms; + read_files_pattern($1, locale_t, locale_t) + read_lnk_files_pattern($1, locale_t, locale_t) + allow $1 locale_t:file map; ') - + ######################################## 
@@ -434,6 +515,7 @@ interface(`miscfiles_rw_localization',` - files_search_usr($1) - allow $1 locale_t:dir list_dir_perms; - rw_files_pattern($1, locale_t, locale_t) + files_search_usr($1) + allow $1 locale_t:dir list_dir_perms; + rw_files_pattern($1, locale_t, locale_t) + manage_lnk_files_pattern($1, locale_t, locale_t) ') - + ######################################## @@ -453,6 +535,7 @@ interface(`miscfiles_relabel_localization',` - - files_search_usr($1) - relabel_files_pattern($1, locale_t, locale_t) + + files_search_usr($1) + relabel_files_pattern($1, locale_t, locale_t) + relabel_lnk_files_pattern($1, locale_t, locale_t) ') - + ######################################## @@ -470,7 +553,6 @@ interface(`miscfiles_legacy_read_localization',` - type locale_t; - ') - + type locale_t; + ') + - miscfiles_read_localization($1) - allow $1 locale_t:file execute; + allow $1 locale_t:file execute; ') - + @@ -531,6 +613,10 @@ interface(`miscfiles_read_man_pages',` - allow $1 { man_cache_t man_t }:dir list_dir_perms; - read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + allow $1 { man_cache_t man_t }:dir list_dir_perms; + read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + + optional_policy(` + mandb_read_cache_files($1) + ') ') - + ######################################## 
@@ -554,6 +640,29 @@ interface(`miscfiles_delete_man_pages',` - delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) - delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) + optional_policy(` + mandb_setattr_cache_dirs($1) + mandb_delete_cache($1) @@ -46376,12 +46376,12 @@ index fc28bc31b..e229517af 100644 + + allow $1 man_t:dir setattr; ') - + ######################################## @@ -620,6 +729,30 @@ interface(`miscfiles_manage_man_cache',` - allow $1 man_cache_t:lnk_file manage_lnk_file_perms; + allow $1 man_cache_t:lnk_file manage_lnk_file_perms; ') - + +######################################## +## +## Allow process to relabel man_pages info @@ -46410,9 +46410,9 @@ index fc28bc31b..e229517af 100644 ## ## Read public files used for file @@ -784,8 +917,11 @@ interface(`miscfiles_etc_filetrans_localization',` - type locale_t; - ') - + type locale_t; + ') + - files_etc_filetrans($1, locale_t, file) - + files_etc_filetrans($1, locale_t, lnk_file) @@ -46421,12 +46421,12 @@ index fc28bc31b..e229517af 100644 + files_etc_filetrans($1, locale_t, file, "timezone" ) + files_etc_filetrans($1, locale_t, file, "vconsole.conf" ) ') - + ######################################## @@ -809,3 +945,81 @@ interface(`miscfiles_manage_localization',` - manage_lnk_files_pattern($1, locale_t, locale_t) + manage_lnk_files_pattern($1, locale_t, locale_t) ') - + +######################################## +## +## Transition to miscfiles locale named content @@ -46515,7 +46515,7 @@ index 1361961d0..be6b7fc80 100644 # - attribute cert_type; - + # @@ -48,10 +47,10 @@ files_type(man_cache_t) # Types for public content 
@@ -46523,11 +46523,11 @@ index 1361961d0..be6b7fc80 100644 type public_content_t; #, customizable; -files_type(public_content_t) +files_mountpoint(public_content_t) - + type public_content_rw_t; #, customizable; -files_type(public_content_rw_t) +files_mountpoint(public_content_rw_t) - + # # Base type for the tests directory. diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc @@ -46537,15 +46537,15 @@ index 993367709..7875b79fa 100644 @@ -10,8 +10,6 @@ ifdef(`distro_gentoo',` /etc/modprobe.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0) ') - + -/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0) - /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) - + /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) @@ -23,3 +21,15 @@ ifdef(`distro_gentoo',` /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) - + /usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) + +/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) @@ -46566,12 +46566,12 @@ index 7449974f6..c19559d3b 100644 @@ -12,11 +12,28 @@ # interface(`modutils_getattr_module_deps',` - gen_require(` + gen_require(` - type modules_dep_t; + type modules_dep_t, modules_object_t; - ') - - getattr_files_pattern($1, modules_object_t, modules_dep_t) + ') + + getattr_files_pattern($1, modules_object_t, modules_dep_t) ') +######################################## +## @@ -46590,17 +46590,17 @@ index 7449974f6..c19559d3b 100644 + + allow $1 modules_dep_t:file read_file_perms; +') - + ######################################## ## 
@@ -34,9 +51,48 @@ interface(`modutils_read_module_deps',` - ') - - files_list_kernel_modules($1) + ') + + files_list_kernel_modules($1) + files_read_kernel_modules($1) - allow $1 modules_dep_t:file read_file_perms; + allow $1 modules_dep_t:file read_file_perms; ') - + +######################################## +## +## Read the dependencies of kernel modules. @@ -46643,9 +46643,9 @@ index 7449974f6..c19559d3b 100644 ## ## Read the configuration options used when @@ -159,6 +215,26 @@ interface(`modutils_domtrans_insmod',` - - corecmd_search_bin($1) - domtrans_pattern($1, insmod_exec_t, insmod_t) + + corecmd_search_bin($1) + domtrans_pattern($1, insmod_exec_t, insmod_t) + + allow $1 insmod_exec_t:file map; +') @@ -46667,12 +46667,12 @@ index 7449974f6..c19559d3b 100644 + + allow $1 insmod_t:process signal; ') - + ######################################## @@ -208,6 +284,24 @@ interface(`modutils_exec_insmod',` - can_exec($1, insmod_exec_t) + can_exec($1, insmod_exec_t) ') - + +####################################### +## +## Don't audit execute insmod in the caller domain. @@ -46697,27 +46697,27 @@ index 7449974f6..c19559d3b 100644 @@ -308,11 +402,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` - gen_require(` + gen_require(` - attribute_role update_modules_roles; + #attribute_role update_modules_roles; + type update_modules_t; - ') - + ') + + #modutils_domtrans_update_mods($1) + #roleattribute $2 update_modules_roles; + - modutils_domtrans_update_mods($1) + modutils_domtrans_update_mods($1) - roleattribute $2 update_modules_roles; + role $2 types update_modules_t; + + modutils_run_insmod(update_modules_t, $2) + ') - + ######################################## @@ -333,3 +434,39 @@ interface(`modutils_exec_update_mods',` - corecmd_search_bin($1) - can_exec($1, update_modules_exec_t) + corecmd_search_bin($1) + can_exec($1, update_modules_exec_t) ') + +######################################## 
@@ -46762,10 +46762,10 @@ index 7a363b8b2..4724b5550 100644 @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) # Declarations # - + -attribute_role update_modules_roles; +#attribute_role update_modules_roles; - + type depmod_t; type depmod_exec_t; @@ -16,11 +16,15 @@ type insmod_t; @@ -46774,7 +46774,7 @@ index 7a363b8b2..4724b5550 100644 mls_file_write_all_levels(insmod_t) +mls_process_write_down(insmod_t) role system_r types insmod_t; - + +type insmod_var_run_t; +files_pid_file(insmod_var_run_t) + @@ -46782,7 +46782,7 @@ index 7a363b8b2..4724b5550 100644 type modules_conf_t; -files_type(modules_conf_t) +files_config_file(modules_conf_t) - + # module dependencies type modules_dep_t; @@ -29,12 +33,16 @@ files_type(modules_dep_t) @@ -46794,10 +46794,10 @@ index 7a363b8b2..4724b5550 100644 +#roleattribute system_r update_modules_roles; +#role update_modules_roles types update_modules_t; +role system_r types update_modules_t; - + type update_modules_tmp_t; files_tmp_file(update_modules_tmp_t) - + +type insmod_tmpfs_t; +files_tmpfs_file(insmod_tmpfs_t) + @@ -46805,9 +46805,9 @@ index 7a363b8b2..4724b5550 100644 # # depmod local policy @@ -54,12 +62,15 @@ corecmd_search_bin(depmod_t) - + domain_use_interactive_fds(depmod_t) - + +files_delete_kernel_modules(depmod_t) files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) @@ -46817,13 +46817,13 @@ index 7a363b8b2..4724b5550 100644 files_list_usr(depmod_t) +files_append_var_files(depmod_t) +files_read_boot_files(depmod_t) - + fs_getattr_xattr_fs(depmod_t) - + @@ -69,10 +80,12 @@ init_use_fds(depmod_t) init_use_script_fds(depmod_t) init_use_script_ptys(depmod_t) - + -userdom_use_user_terminals(depmod_t) +userdom_use_inherited_user_terminals(depmod_t) # Read System.map from home directories. 
@@ -46831,13 +46831,13 @@ index 7a363b8b2..4724b5550 100644 userdom_read_user_home_content_files(depmod_t) +userdom_manage_user_tmp_files(depmod_t) +userdom_home_reader(depmod_t) - + ifdef(`distro_ubuntu',` - optional_policy(` + optional_policy(` @@ -80,12 +93,8 @@ ifdef(`distro_ubuntu',` - ') + ') ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(depmod_t) -') @@ -46847,40 +46847,40 @@ index 7a363b8b2..4724b5550 100644 +optional_policy(` + bootloader_rw_tmp_files(insmod_t) ') - + optional_policy(` @@ -94,7 +103,6 @@ optional_policy(` ') - + optional_policy(` - # Read System.map from home directories. - unconfined_domain(depmod_t) + unconfined_domain(depmod_t) ') - + @@ -103,11 +111,12 @@ optional_policy(` # insmod local policy # - + -allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; +allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; - + allow insmod_t self:udp_socket create_socket_perms; allow insmod_t self:rawip_socket create_socket_perms; +allow insmod_t self:shm create_shm_perms; - + # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) @@ -115,20 +124,29 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) - + +manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) +manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t) +files_pid_filetrans(insmod_t, insmod_var_run_t, {dir file }) + can_exec(insmod_t, insmod_exec_t) - + +manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t) +fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file) + 
@@ -46901,17 +46901,17 @@ index 7a363b8b2..4724b5550 100644 -kernel_read_hotplug_sysctls(insmod_t) +kernel_read_usermodehelper_state(insmod_t) kernel_setsched(insmod_t) - + corecmd_exec_bin(insmod_t) @@ -142,40 +160,55 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) +dev_create_generic_chr_files(insmod_t) - + domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) - + files_read_kernel_modules(insmod_t) +files_load_kernel_modules(insmod_t) files_read_etc_runtime_files(insmod_t) @@ -46928,14 +46928,14 @@ index 7a363b8b2..4724b5550 100644 # for locking: (cjp: ????) files_write_kernel_modules(insmod_t) +allow insmod_t modules_dep_t:file manage_file_perms; - + fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) +fs_mount_rpc_pipefs(insmod_t) +fs_search_rpc(insmod_t) + +auth_use_nsswitch(insmod_t) - + init_rw_initctl(insmod_t) init_use_fds(insmod_t) init_use_script_fds(insmod_t) @@ -46943,14 +46943,14 @@ index 7a363b8b2..4724b5550 100644 +init_spec_domtrans_script(insmod_t) +init_rw_script_tmp_files(insmod_t) +init_dontaudit_getattr_stream_socket(insmod_t) - + logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) - + -miscfiles_read_localization(insmod_t) - seutil_read_file_contexts(insmod_t) - + -userdom_use_user_terminals(insmod_t) - +term_use_all_inherited_terms(insmod_t) @@ -46960,40 +46960,40 @@ index 7a363b8b2..4724b5550 100644 +userdom_manage_user_tmp_pipes(insmod_t) +userdom_manage_user_tmp_symlinks(insmod_t) +userdom_manage_user_tmp_dirs(insmod_t) - + kernel_domtrans_to(insmod_t, insmod_exec_t) - + 
@@ -184,28 +217,37 @@ optional_policy(` ') - + optional_policy(` - firstboot_dontaudit_rw_pipes(insmod_t) - firstboot_dontaudit_rw_stream_sockets(insmod_t) + devicekit_use_fds_disk(insmod_t) + devicekit_dontaudit_read_pid_files(insmod_t) ') - + optional_policy(` - hal_write_log(insmod_t) + firstboot_dontaudit_leaks(insmod_t) ') - + optional_policy(` - hotplug_search_config(insmod_t) + firewalld_dontaudit_write_tmp_files(insmod_t) + firewallgui_dontaudit_rw_pipes(insmod_t) ') - + optional_policy(` - mount_domtrans(insmod_t) + iptables_read_var_run(insmod_t) ') - + optional_policy(` - nis_use_ypbind(insmod_t) + hal_write_log(insmod_t) ') - + optional_policy(` - nscd_use(insmod_t) + hotplug_search_config(insmod_t) @@ -47006,40 +47006,40 @@ index 7a363b8b2..4724b5550 100644 +optional_policy(` + mount_domtrans(insmod_t) ') - + optional_policy(` @@ -225,6 +267,7 @@ optional_policy(` - + optional_policy(` - rpm_rw_pipes(insmod_t) + rpm_rw_pipes(insmod_t) + rpm_manage_script_tmp_files(insmod_t) ') - + optional_policy(` @@ -232,6 +275,10 @@ optional_policy(` - unconfined_dontaudit_rw_pipes(insmod_t) + unconfined_dontaudit_rw_pipes(insmod_t) ') - + +optional_policy(` + virt_dontaudit_write_pipes(insmod_t) +') + optional_policy(` - # cjp: why is this needed: - dev_rw_xserver_misc(insmod_t) + # cjp: why is this needed: + dev_rw_xserver_misc(insmod_t) @@ -291,11 +338,10 @@ init_use_script_ptys(update_modules_t) - + logging_send_syslog_msg(update_modules_t) - + -miscfiles_read_localization(update_modules_t) - + -modutils_run_insmod(update_modules_t, update_modules_roles) +#modutils_run_insmod(update_modules_t, update_modules_roles) - + -userdom_use_user_terminals(update_modules_t) +userdom_use_inherited_user_terminals(update_modules_t) userdom_dontaudit_search_user_home_dirs(update_modules_t) - + ifdef(`distro_gentoo',` diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc index a38605e50..f035d9fbb 100644 
@@ -47049,11 +47049,11 @@ index a38605e50..f035d9fbb 100644 +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - + -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) - + -/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -47079,9 +47079,9 @@ index 4584457b1..9a4014c9a 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,14 @@ interface(`mount_domtrans',` - ') - - domtrans_pattern($1, mount_exec_t, mount_t) + ') + + domtrans_pattern($1, mount_exec_t, mount_t) + mount_domtrans_fusermount($1) + allow $1 mount_exec_t:file map; + @@ -47091,19 +47091,19 @@ index 4584457b1..9a4014c9a 100644 + allow mount_t $1:key write; + allow mount_t $1:unix_stream_socket { read write }; ') - + ######################################## @@ -39,12 +47,117 @@ interface(`mount_domtrans',` interface(`mount_run',` - gen_require(` - attribute_role mount_roles; + gen_require(` + attribute_role mount_roles; + type mount_t; - ') - - mount_domtrans($1) - roleattribute $2 mount_roles; + ') + + mount_domtrans($1) + roleattribute $2 mount_roles; ') - + +######################################## +## +## Execute fusermount in the mount domain, and @@ -47221,11 +47221,11 @@ index 4584457b1..9a4014c9a 100644 ## # @@ -131,45 +244,205 @@ interface(`mount_send_nfs_client_request',` - + ######################################## ## -## Execute mount in the unconfined mount domain. -+## Read the mount tmp directory ++## Read the mount tmp directory ## ## ## 
@@ -47236,15 +47236,15 @@ index 4584457b1..9a4014c9a 100644 # -interface(`mount_domtrans_unconfined',` +interface(`mount_list_tmp',` - gen_require(` + gen_require(` - type unconfined_mount_t, mount_exec_t; + type mount_tmp_t; - ') - + ') + - domtrans_pattern($1, mount_exec_t, unconfined_mount_t) + allow $1 mount_tmp_t:dir list_dir_perms; ') - + ######################################## ## -## Execute mount in the unconfined mount domain, and @@ -47428,12 +47428,12 @@ index 4584457b1..9a4014c9a 100644 +## +# +interface(`mount_entry_type',` - gen_require(` + gen_require(` - type unconfined_mount_t; + type mount_ecryptfs_exec_t; + type mount_exec_t; - ') - + ') + - mount_domtrans_unconfined($1) - role $2 types unconfined_mount_t; + domain_entry_file($1, mount_ecryptfs_exec_t) @@ -47447,7 +47447,7 @@ index 459a0efbc..ed4756edc 100644 @@ -5,13 +5,6 @@ policy_module(mount, 1.16.1) # Declarations # - + -## -##

      -## Allow the mount command to mount any directory or file. @@ -47457,11 +47457,11 @@ index 459a0efbc..ed4756edc 100644 - attribute_role mount_roles; roleattribute system_r mount_roles; - + @@ -20,14 +13,37 @@ type mount_exec_t; init_system_domain(mount_t, mount_exec_t) role mount_roles types mount_t; - + +type fusermount_exec_t; +domain_entry_file(mount_t, fusermount_exec_t) + @@ -47471,10 +47471,10 @@ index 459a0efbc..ed4756edc 100644 type mount_loopback_t; # customizable files_type(mount_loopback_t) +typealias mount_loopback_t alias mount_loop_t; - + type mount_tmp_t; files_tmp_file(mount_tmp_t) - + type mount_var_run_t; files_pid_file(mount_var_run_t) +dev_associate(mount_var_run_t) @@ -47493,28 +47493,28 @@ index 459a0efbc..ed4756edc 100644 + +type mount_ecryptfs_tmpfs_t; +files_tmpfs_file(mount_ecryptfs_tmpfs_t) - + # causes problems with interfaces when # this is optionally declared in monolithic @@ -40,8 +56,12 @@ application_domain(unconfined_mount_t, mount_exec_t) # mount local policy # - + -# setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -+# setuid/setgid needed to mount cifs ++# setuid/setgid needed to mount cifs +allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice }; +allow mount_t self:process { getcap getsched setsched setcap setrlimit signal }; +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; -+allow mount_t self:unix_dgram_socket create_socket_perms; - ++allow mount_t self:unix_dgram_socket create_socket_perms; + allow mount_t mount_loopback_t:file read_file_perms; - + 
@@ -52,13 +72,20 @@ can_exec(mount_t, mount_exec_t) - + files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) - + -create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t) -create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) -rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) @@ -47522,7 +47522,7 @@ index 459a0efbc..ed4756edc 100644 +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount") +dev_filetrans(mount_t, mount_var_run_t, dir) - + kernel_read_system_state(mount_t) +kernel_read_network_state(mount_t) kernel_read_kernel_sysctls(mount_t) @@ -47538,7 +47538,7 @@ index 459a0efbc..ed4756edc 100644 @@ -69,31 +96,47 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) - + +dev_getattr_generic_blk_files(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) @@ -47559,10 +47559,10 @@ index 459a0efbc..ed4756edc 100644 + # Early devtmpfs, before udev relabel dev_dontaudit_rw_generic_chr_files(mount_t) - + domain_use_interactive_fds(mount_t) +domain_read_all_domains_state(mount_t) - + files_search_all(mount_t) files_read_etc_files(mount_t) +files_read_etc_runtime_files(mount_t) @@ -47589,7 +47589,7 @@ index 459a0efbc..ed4756edc 100644 @@ -101,28 +144,39 @@ files_list_all_mountpoints(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) - + -fs_getattr_xattr_fs(mount_t) -fs_getattr_cifs(mount_t) +fs_list_all(mount_t) 
@@ -47611,26 +47611,26 @@ index 459a0efbc..ed4756edc 100644 +fs_manage_cgroup_dirs(mount_t) +fs_manage_cgroup_files(mount_t) fs_dontaudit_write_tmpfs_dirs(mount_t) - + -mls_file_read_all_levels(mount_t) -mls_file_write_all_levels(mount_t) +mls_file_read_to_clearance(mount_t) +mls_file_write_to_clearance(mount_t) +mls_process_write_to_clearance(mount_t) - + selinux_get_enforce_mode(mount_t) +selinux_mounton_fs(mount_t) - + storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) +storage_rw_fuse(mount_t) - + -term_use_all_terms(mount_t) +term_use_all_inherited_terms(mount_t) term_dontaudit_manage_pty_dirs(mount_t) - + auth_use_nsswitch(mount_t) @@ -130,16 +184,21 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) @@ -47638,28 +47638,28 @@ index 459a0efbc..ed4756edc 100644 init_dontaudit_getattr_initctl(mount_t) +init_stream_connect_script(mount_t) +init_rw_script_stream_sockets(mount_t) - + logging_send_syslog_msg(mount_t) - + -miscfiles_read_localization(mount_t) - sysnet_use_portmap(mount_t) - + seutil_read_config(mount_t) - + +systemd_passwd_agent_domtrans(mount_t) + userdom_use_all_users_fds(mount_t) +userdom_manage_user_home_content_dirs(mount_t) +userdom_read_user_home_content_symlinks(mount_t) +userdom_list_user_tmp(mount_t) - + ifdef(`distro_redhat',` - optional_policy(` + optional_policy(` @@ -155,26 +214,27 @@ ifdef(`distro_ubuntu',` - ') + ') ') - + -tunable_policy(`allow_mount_anyfile',` - files_list_non_auth_dirs(mount_t) - files_read_non_auth_files(mount_t) 
@@ -47667,14 +47667,14 @@ index 459a0efbc..ed4756edc 100644 + +tunable_policy(`mount_anyfile',` + files_read_non_security_files(mount_t) - files_mounton_non_security(mount_t) + files_mounton_non_security(mount_t) + files_rw_inherited_non_security_files(mount_t) ') - + optional_policy(` - # for nfs + # for nfs - corenet_all_recvfrom_unlabeled(mount_t) - corenet_all_recvfrom_netlabel(mount_t) + corenet_all_recvfrom_netlabel(mount_t) - corenet_tcp_sendrecv_all_if(mount_t) - corenet_raw_sendrecv_all_if(mount_t) - corenet_udp_sendrecv_all_if(mount_t) @@ -47687,28 +47687,28 @@ index 459a0efbc..ed4756edc 100644 + corenet_tcp_sendrecv_generic_node(mount_t) + corenet_raw_sendrecv_generic_node(mount_t) + corenet_udp_sendrecv_generic_node(mount_t) - corenet_tcp_sendrecv_all_ports(mount_t) - corenet_udp_sendrecv_all_ports(mount_t) + corenet_tcp_sendrecv_all_ports(mount_t) + corenet_udp_sendrecv_all_ports(mount_t) - corenet_tcp_bind_all_nodes(mount_t) - corenet_udp_bind_all_nodes(mount_t) + corenet_tcp_bind_generic_node(mount_t) + corenet_udp_bind_generic_node(mount_t) - corenet_tcp_bind_generic_port(mount_t) - corenet_udp_bind_generic_port(mount_t) - corenet_tcp_bind_reserved_port(mount_t) + corenet_tcp_bind_generic_port(mount_t) + corenet_udp_bind_generic_port(mount_t) + corenet_tcp_bind_reserved_port(mount_t) @@ -188,12 +248,49 @@ optional_policy(` - fs_search_rpc(mount_t) - - rpc_stub(mount_t) + fs_search_rpc(mount_t) + + rpc_stub(mount_t) + + rpc_domtrans_rpcd(mount_t) + rpcbind_stream_connect(mount_t) ') - + optional_policy(` - apm_use_fds(mount_t) + apm_use_fds(mount_t) ') - + +optional_policy(` + cron_system_entry(mount_t, mount_exec_t) +') @@ -47744,11 +47744,11 @@ index 459a0efbc..ed4756edc 100644 +') + optional_policy(` - ifdef(`hide_broken_symptoms',` - # for a bug in the X server + ifdef(`hide_broken_symptoms',` + # for a bug in the X server @@ -203,9 +300,31 @@ optional_policy(` ') - + optional_policy(` + livecd_rw_tmp_files(mount_t) +') 
@@ -47760,9 +47760,9 @@ index 459a0efbc..ed4756edc 100644 + +optional_policy(` + modutils_run_insmod(mount_t, mount_roles) - modutils_read_module_deps(mount_t) + modutils_read_module_deps(mount_t) ') - + +optional_policy(` + fstools_run(mount_t, mount_roles) +') @@ -47776,20 +47776,20 @@ index 459a0efbc..ed4756edc 100644 +') + optional_policy(` - puppet_rw_tmp(mount_t) + puppet_rw_tmp(mount_t) ') @@ -213,18 +332,105 @@ optional_policy(` # for kernel package installation optional_policy(` - rpm_rw_pipes(mount_t) + rpm_rw_pipes(mount_t) + rpm_dontaudit_leaks(mount_t) ') - + optional_policy(` + samba_read_config(mount_t) - samba_run_smbmount(mount_t, mount_roles) + samba_run_smbmount(mount_t, mount_roles) ') - + +optional_policy(` + ssh_exec(mount_t) + ssh_append_home_files(mount_t) @@ -47879,7 +47879,7 @@ index 459a0efbc..ed4756edc 100644 # # Unconfined mount local policy # - + optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) @@ -47902,13 +47902,13 @@ index cbbda4a3e..2f59c4b98 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te @@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0) - + type netlabel_mgmt_t; type netlabel_mgmt_exec_t; +init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t) role system_r types netlabel_mgmt_t; - + +type netlabel_mgmt_unit_file_t; +systemd_unit_file(netlabel_mgmt_unit_file_t) + 
@@ -47922,19 +47922,19 @@ index cbbda4a3e..2f59c4b98 100644 +allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms; + +can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t) - + kernel_read_network_state(netlabel_mgmt_t) +kernel_read_system_state(netlabel_mgmt_t) + +corecmd_exec_bin(netlabel_mgmt_t) +corecmd_exec_shell(netlabel_mgmt_t) - + files_read_etc_files(netlabel_mgmt_t) - -+term_use_all_inherited_terms(netlabel_mgmt_t) + ++term_use_all_inherited_terms(netlabel_mgmt_t) + seutil_use_newrole_fds(netlabel_mgmt_t) - + -userdom_use_user_terminals(netlabel_mgmt_t) +auth_read_passwd(netlabel_mgmt_t) + @@ -47965,12 +47965,12 @@ index d43f3b194..c5053dbbd 100644 /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) -/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh) +/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s0) - + # # /root @@ -35,19 +37,30 @@ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) - + /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) +/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) @@ -47983,7 +47983,7 @@ index d43f3b194..c5053dbbd 100644 +/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0) - + # # /var/lib # 
@@ -47992,7 +47992,7 @@ index d43f3b194..c5053dbbd 100644 +/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) +/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) +/var/lib/sepolgen(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) - + # # /var/run # @@ -48006,17 +48006,17 @@ index 38220721d..a67ee36d2 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -85,6 +85,7 @@ interface(`seutil_domtrans_loadpolicy',` - - corecmd_search_bin($1) - domtrans_pattern($1, load_policy_exec_t, load_policy_t) + + corecmd_search_bin($1) + domtrans_pattern($1, load_policy_exec_t, load_policy_t) + allow $1 load_policy_exec_t:file map; ') - + ######################################## @@ -131,6 +132,43 @@ interface(`seutil_exec_loadpolicy',` - - corecmd_search_bin($1) - can_exec($1, load_policy_exec_t) + + corecmd_search_bin($1) + can_exec($1, load_policy_exec_t) + allow $1 load_policy_exec_t:file map; +') + @@ -48055,21 +48055,21 @@ index 38220721d..a67ee36d2 100644 + + dontaudit $1 load_policy_exec_t:file audit_access; ') - + ######################################## @@ -192,11 +230,22 @@ interface(`seutil_domtrans_newrole',` # interface(`seutil_run_newrole',` - gen_require(` + gen_require(` - attribute_role newrole_roles; + type newrole_t; + #attribute_role newrole_roles; - ') - + ') + + #seutil_domtrans_newrole($1) + #roleattribute $2 newrole_roles; + - seutil_domtrans_newrole($1) + seutil_domtrans_newrole($1) - roleattribute $2 newrole_roles; + role $2 types newrole_t; + @@ -48080,15 +48080,15 @@ index 38220721d..a67ee36d2 100644 + ') + ') - + ######################################## @@ -357,6 +406,27 @@ interface(`seutil_exec_restorecon',` - seutil_exec_setfiles($1) + seutil_exec_setfiles($1) ') - + +######################################## +##

      -+## Execute restorecond in the caller domain. ++## Execute restorecond in the caller domain. +## +## +## @@ -48113,13 +48113,13 @@ index 38220721d..a67ee36d2 100644 @@ -425,11 +495,20 @@ interface(`seutil_init_script_domtrans_runinit',` # interface(`seutil_run_runinit',` - gen_require(` + gen_require(` - attribute_role run_init_roles; + #attribute_role run_init_roles; + type run_init_t; + role system_r; - ') - + ') + - seutil_domtrans_runinit($1) - roleattribute $2 run_init_roles; + #seutil_domtrans_runinit($1) @@ -48132,18 +48132,18 @@ index 38220721d..a67ee36d2 100644 + allow $2 system_r; + ') - + ######################################## @@ -461,11 +540,19 @@ interface(`seutil_run_runinit',` # interface(`seutil_init_script_run_runinit',` - gen_require(` + gen_require(` - attribute_role run_init_roles; + #attribute_role run_init_roles; + type run_init_t; + role system_r; - ') - + ') + - seutil_init_script_domtrans_runinit($1) - roleattribute $2 run_init_roles; + #seutil_init_script_domtrans_runinit($1) @@ -48155,20 +48155,20 @@ index 38220721d..a67ee36d2 100644 + allow $2 system_r; + ') - + ######################################## @@ -504,6 +591,7 @@ interface(`seutil_domtrans_setfiles',` - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, setfiles_exec_t, setfiles_t) + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setfiles_exec_t, setfiles_t) + allow $1 setfiles_exec_t:file map; ') - + ######################################## @@ -533,6 +621,53 @@ interface(`seutil_run_setfiles',` - role $2 types setfiles_t; + role $2 types setfiles_t; ') - + +######################################## +## +## Execute setfiles in the setfiles domain. @@ -48220,9 +48220,9 @@ index 38220721d..a67ee36d2 100644 ## ## Execute setfiles in the caller domain. 
@@ -553,6 +688,42 @@ interface(`seutil_exec_setfiles',` - can_exec($1, setfiles_exec_t) + can_exec($1, setfiles_exec_t) ') - + +######################################## +## +## Allow access check on setfiles. @@ -48263,9 +48263,9 @@ index 38220721d..a67ee36d2 100644 ## ## Do not audit attempts to search the SELinux @@ -572,6 +743,25 @@ interface(`seutil_dontaudit_search_config',` - dontaudit $1 selinux_config_t:dir search_dir_perms; + dontaudit $1 selinux_config_t:dir search_dir_perms; ') - + +######################################## +## +## Allow attempts to search the SELinux @@ -48289,11 +48289,11 @@ index 38220721d..a67ee36d2 100644 ## ## Do not audit attempts to read the SELinux @@ -680,8 +870,113 @@ interface(`seutil_manage_config',` - ') - - files_search_etc($1) + ') + + files_search_etc($1) + manage_dirs_pattern($1, selinux_config_t, selinux_config_t) - manage_files_pattern($1, selinux_config_t, selinux_config_t) + manage_files_pattern($1, selinux_config_t, selinux_config_t) - read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) + manage_lnk_files_pattern($1, selinux_config_t, selinux_config_t) +') @@ -48401,7 +48401,7 @@ index 38220721d..a67ee36d2 100644 + allow $1 selinux_login_config_t:dir list_dir_perms; + rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ') - + ####################################### @@ -694,15 +989,62 @@ interface(`seutil_manage_config',` ## Domain allowed access. @@ -48411,12 +48411,12 @@ index 38220721d..a67ee36d2 100644 # -interface(`seutil_manage_config_dirs',` +interface(`seutil_rw_login_config_dirs',` - gen_require(` - type selinux_config_t; + gen_require(` + type selinux_config_t; + type selinux_login_config_t; - ') - - files_search_etc($1) + ') + + files_search_etc($1) - allow $1 selinux_config_t:dir manage_dir_perms; + allow $1 selinux_config_t:dir search_dir_perms; + allow $1 selinux_login_config_t:dir rw_dir_perms; 
@@ -48467,12 +48467,12 @@ index 38220721d..a67ee36d2 100644 + manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) + read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) ') - + ######################################## @@ -746,6 +1088,29 @@ interface(`seutil_read_default_contexts',` - read_files_pattern($1, default_context_t, default_context_t) + read_files_pattern($1, default_context_t, default_context_t) ') - + +####################################### +## +## Read and write the default_contexts files. @@ -48500,9 +48500,9 @@ index 38220721d..a67ee36d2 100644 ## ## Create, read, write, and delete the default_contexts files. @@ -766,6 +1131,25 @@ interface(`seutil_manage_default_contexts',` - manage_files_pattern($1, default_context_t, default_context_t) + manage_files_pattern($1, default_context_t, default_context_t) ') - + +######################################## +## +## Create, read, write, and delete the default_contexts dirs. @@ -48526,53 +48526,53 @@ index 38220721d..a67ee36d2 100644 ## ## Read the file_contexts files. @@ -784,7 +1168,10 @@ interface(`seutil_read_file_contexts',` - - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + list_dirs_pattern($1, file_context_t, file_context_t) - read_files_pattern($1, file_context_t, file_context_t) + read_files_pattern($1, file_context_t, file_context_t) + read_lnk_files_pattern($1, file_context_t, file_context_t) + allow $1 file_context_t:file map; ') - + ######################################## 
@@ -805,6 +1192,7 @@ interface(`seutil_dontaudit_read_file_contexts',` - - dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; - dontaudit $1 file_context_t:file read_file_perms; + + dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; + dontaudit $1 file_context_t:file read_file_perms; + dontaudit $1 file_context_t:file map; ') - + ######################################## @@ -825,6 +1213,7 @@ interface(`seutil_rw_file_contexts',` - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - rw_files_pattern($1, file_context_t, file_context_t) + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + rw_files_pattern($1, file_context_t, file_context_t) + allow $1 file_context_t:file map; ') - + ######################################## @@ -846,6 +1235,8 @@ interface(`seutil_manage_file_contexts',` - files_search_etc($1) - allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; - manage_files_pattern($1, file_context_t, file_context_t) + files_search_etc($1) + allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; + manage_files_pattern($1, file_context_t, file_context_t) + manage_dirs_pattern($1, file_context_t, file_context_t) + allow $1 file_context_t:file map; ') - + ######################################## @@ -866,6 +1257,7 @@ interface(`seutil_read_bin_policy',` - files_search_etc($1) - allow $1 selinux_config_t:dir search_dir_perms; - read_files_pattern($1, policy_config_t, policy_config_t) + files_search_etc($1) + allow $1 selinux_config_t:dir search_dir_perms; + read_files_pattern($1, policy_config_t, policy_config_t) + allow $1 policy_config_t:file map; ') - + ######################################## 
@@ -997,6 +1389,26 @@ interface(`seutil_domtrans_semanage',` - domtrans_pattern($1, semanage_exec_t, semanage_t) + domtrans_pattern($1, semanage_exec_t, semanage_t) ') - + +######################################## +## +## Execute a domain transition to run setsebool. @@ -48599,16 +48599,16 @@ index 38220721d..a67ee36d2 100644 @@ -1017,11 +1429,125 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` - gen_require(` + gen_require(` - attribute_role semanage_roles; + #attribute_role semanage_roles; + type semanage_t; - ') - + ') + + #seutil_domtrans_semanage($1) + #roleattribute $2 semanage_roles; + - seutil_domtrans_semanage($1) + seutil_domtrans_semanage($1) - roleattribute $2 semanage_roles; + seutil_run_setfiles(semanage_t, $2) + seutil_run_loadpolicy(semanage_t, $2) @@ -48722,28 +48722,28 @@ index 38220721d..a67ee36d2 100644 + + dontaudit $1 semanage_store_t:dir_file_class_set audit_access; ') - + ######################################## @@ -1041,9 +1567,15 @@ interface(`seutil_manage_module_store',` - ') - - files_search_etc($1) + ') + + files_search_etc($1) + files_search_var($1) - manage_dirs_pattern($1, selinux_config_t, semanage_store_t) + manage_dirs_pattern($1, selinux_config_t, semanage_store_t) + manage_dirs_pattern($1, semanage_store_t, semanage_store_t) - manage_files_pattern($1, semanage_store_t, semanage_store_t) + manage_files_pattern($1, semanage_store_t, semanage_store_t) + manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t) - filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous") + filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp") ') - + ####################################### 
@@ -1065,6 +1597,24 @@ interface(`seutil_get_semanage_read_lock',` - rw_files_pattern($1, selinux_config_t, semanage_read_lock_t) + rw_files_pattern($1, selinux_config_t, semanage_read_lock_t) ') - + +####################################### +## +## Dontaudit access check on module store @@ -48766,8 +48766,8 @@ index 38220721d..a67ee36d2 100644 ## ## Get trans lock on module store @@ -1137,3 +1687,121 @@ interface(`seutil_dontaudit_libselinux_linked',` - selinux_dontaudit_get_fs_mount($1) - seutil_dontaudit_read_config($1) + selinux_dontaudit_get_fs_mount($1) + seutil_dontaudit_read_config($1) ') + +####################################### @@ -48817,7 +48817,7 @@ index 38220721d..a67ee36d2 100644 + + gen_require(` + attribute setfiles_domain; -+ ') ++ ') + typeattribute $1 setfiles_domain; + + kernel_read_system_state($1) @@ -48892,25 +48892,25 @@ index dc4642022..87680f157 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` - + attribute can_write_binary_policy; attribute can_relabelto_binary_policy; +attribute setfiles_domain; +attribute policy_manager_domain; - + -attribute_role newrole_roles; +#attribute_role newrole_roles; - + -attribute_role run_init_roles; -role system_r types run_init_t; +#attribute_role run_init_roles; +#role system_r types run_init_t; - + -attribute_role semanage_roles; -roleattribute system_r semanage_roles; +#attribute_role semanage_roles; +#roleattribute system_r semanage_roles; - + # # selinux_config_t is the type applied to @@ -28,7 +30,13 @@ roleattribute system_r semanage_roles; @@ -48925,7 +48925,7 @@ index dc4642022..87680f157 100644 + +type selinux_var_lib_t; +files_type(selinux_var_lib_t) - + type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; @@ -40,14 +48,14 @@ role system_r types checkpolicy_t; 
@@ -48934,7 +48934,7 @@ index dc4642022..87680f157 100644 type default_context_t; -files_type(default_context_t) +files_security_file(default_context_t) - + # # file_context_t is the type applied to # /etc/selinux/*/contexts/files @@ -48942,7 +48942,7 @@ index dc4642022..87680f157 100644 type file_context_t; -files_type(file_context_t) +files_security_file(file_context_t) - + type load_policy_t; type load_policy_exec_t; @@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t) @@ -48952,7 +48952,7 @@ index dc4642022..87680f157 100644 -role newrole_roles types newrole_t; +#role newrole_roles types newrole_t; +role system_r types newrole_t; - + # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. @@ -48966,7 +48966,7 @@ index dc4642022..87680f157 100644 +') + +typealias semanage_store_t alias { policy_config_t semanage_var_lib_t }; - + neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; @@ -83,7 +97,6 @@ type restorecond_t; @@ -48974,7 +48974,7 @@ index dc4642022..87680f157 100644 init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) -role system_r types restorecond_t; - + type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) @@ -92,40 +105,49 @@ type run_init_t; @@ -48984,7 +48984,7 @@ index dc4642022..87680f157 100644 -role run_init_roles types run_init_t; +#role run_init_roles types run_init_t; +role system_r types run_init_t; - + type semanage_t; type semanage_exec_t; application_domain(semanage_t, semanage_exec_t) 
@@ -48997,31 +48997,31 @@ index dc4642022..87680f157 100644 +type setsebool_t; +type setsebool_exec_t; +init_system_domain(setsebool_t, setsebool_exec_t) - + type semanage_store_t; -files_type(semanage_store_t) +files_security_file(semanage_store_t) - + type semanage_read_lock_t; -files_type(semanage_read_lock_t) +files_lock_file(semanage_read_lock_t) - + type semanage_tmp_t; files_tmp_file(semanage_tmp_t) - + -type semanage_trans_lock_t; -files_type(semanage_trans_lock_t) - -type semanage_var_lib_t; -files_type(semanage_var_lib_t) -+type semanage_trans_lock_t; ++type semanage_trans_lock_t; +files_lock_file(semanage_trans_lock_t) - + type setfiles_t alias restorecon_t, can_relabelto_binary_policy; type setfiles_exec_t alias restorecon_exec_t; init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) - + +type setfiles_mac_t; +domain_type(setfiles_mac_t) +domain_entry_file(setfiles_mac_t, setfiles_exec_t) @@ -49031,10 +49031,10 @@ index dc4642022..87680f157 100644 # # Checkpolicy local policy # - + -allow checkpolicy_t self:capability dac_override; +allow checkpolicy_t self:capability { dac_read_search dac_override }; - + # able to create and modify binary policy files manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t) @@ -137,6 +159,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file) @@ -49042,60 +49042,60 @@ index dc4642022..87680f157 100644 read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t) allow checkpolicy_t selinux_config_t:dir search_dir_perms; +allow checkpolicy_t selinux_login_config_t:dir search_dir_perms; - + domain_use_interactive_fds(checkpolicy_t) - + @@ -151,7 +174,7 @@ term_use_console(checkpolicy_t) init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) - + -userdom_use_user_terminals(checkpolicy_t) +userdom_use_inherited_user_terminals(checkpolicy_t) userdom_use_all_users_fds(checkpolicy_t) - + ifdef(`distro_ubuntu',` 
@@ -165,10 +188,11 @@ ifdef(`distro_ubuntu',` # Load_policy local policy # - + -allow load_policy_t self:capability dac_override; +allow load_policy_t self:capability { dac_read_search dac_override }; - + # only allow read of policy config files read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t) +allow load_policy_t policy_config_t:file map; - + domain_use_interactive_fds(load_policy_t) - + @@ -188,13 +212,13 @@ term_list_ptys(load_policy_t) - + init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) - -miscfiles_read_localization(load_policy_t) +init_write_script_pipes(load_policy_t) - + seutil_libselinux_linked(load_policy_t) - + -userdom_use_user_terminals(load_policy_t) +userdom_use_inherited_user_terminals(load_policy_t) userdom_use_all_users_fds(load_policy_t) +userdom_dontaudit_read_user_tmp_files(load_policy_t) - + ifdef(`distro_ubuntu',` - optional_policy(` + optional_policy(` @@ -205,6 +229,7 @@ ifdef(`distro_ubuntu',` ifdef(`hide_broken_symptoms',` - # cjp: cover up stray file descriptors. - dontaudit load_policy_t selinux_config_t:file write; + # cjp: cover up stray file descriptors. + dontaudit load_policy_t selinux_config_t:file write; + dontaudit load_policy_t selinux_login_config_t:file write; - - optional_policy(` - unconfined_dontaudit_read_pipes(load_policy_t) + + optional_policy(` + unconfined_dontaudit_read_pipes(load_policy_t) @@ -215,12 +240,21 @@ optional_policy(` - portage_dontaudit_use_fds(load_policy_t) + portage_dontaudit_use_fds(load_policy_t) ') - + +optional_policy(` + sssd_rw_inherited_pipes(load_policy_t) +') @@ -49109,7 +49109,7 @@ index dc4642022..87680f157 100644 # # Newrole local policy # - + -allow newrole_t self:capability { fowner setuid setgid dac_override }; +allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override }; allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; 
@@ -49121,13 +49121,13 @@ index dc4642022..87680f157 100644 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(newrole_t) - + read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) @@ -249,6 +283,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) - + +files_list_var(newrole_t) files_read_etc_files(newrole_t) files_read_var_files(newrole_t) @@ -49135,28 +49135,28 @@ index dc4642022..87680f157 100644 @@ -276,25 +311,34 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) - + -auth_use_nsswitch(newrole_t) -auth_run_chk_passwd(newrole_t, newrole_roles) -auth_run_upd_passwd(newrole_t, newrole_roles) -auth_rw_faillog(newrole_t) +auth_use_pam(newrole_t) - + # Write to utmp. init_rw_utmp(newrole_t) init_use_fds(newrole_t) - + -logging_send_syslog_msg(newrole_t) - -miscfiles_read_localization(newrole_t) - + seutil_libselinux_linked(newrole_t) - + +userdom_use_unpriv_users_fds(newrole_t) # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content(newrole_t) userdom_search_user_home_dirs(newrole_t) - + +# need to talk with dbus +optional_policy(` + dbus_system_bus_client(newrole_t) @@ -49172,21 +49172,21 @@ index dc4642022..87680f157 100644 +') + ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(newrole_t) + optional_policy(` + unconfined_domain(newrole_t) 
@@ -309,7 +353,7 @@ if(secure_mode) { - userdom_spec_domtrans_all_users(newrole_t) + userdom_spec_domtrans_all_users(newrole_t) } - + -tunable_policy(`allow_polyinstantiation',` +tunable_policy(`polyinstantiation_enabled',` - files_polyinstantiate_all(newrole_t) + files_polyinstantiate_all(newrole_t) ') - + @@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) - + +dev_relabel_all_dev_nodes(restorecond_t) + +files_dontaudit_read_all_symlinks(restorecond_t) @@ -49196,59 +49196,59 @@ index dc4642022..87680f157 100644 -fs_getattr_xattr_fs(restorecond_t) +fs_getattr_all_fs(restorecond_t) fs_list_inotifyfs(restorecond_t) - + selinux_validate_context(restorecond_t) @@ -341,16 +389,17 @@ selinux_compute_user_contexts(restorecond_t) - + files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) + auth_use_nsswitch(restorecond_t) - + locallogin_dontaudit_use_fds(restorecond_t) - + logging_send_syslog_msg(restorecond_t) - + -miscfiles_read_localization(restorecond_t) - seutil_libselinux_linked(restorecond_t) - + +userdom_read_user_home_content_symlinks(restorecond_t) + ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(restorecond_t) + optional_policy(` + unconfined_domain(restorecond_t) 
@@ -366,21 +415,24 @@ optional_policy(` # Run_init local policy # - + -allow run_init_roles system_r; +#allow run_init_roles system_r; - + allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; -allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +logging_send_audit_msgs(run_init_t) - + # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit # the failed access to the current directory dontaudit run_init_t self:capability { dac_override dac_read_search }; - + +kernel_dontaudit_getattr_core_if(run_init_t) + corecmd_exec_bin(run_init_t) corecmd_exec_shell(run_init_t) - + +dev_dontaudit_getattr_all(run_init_t) dev_dontaudit_list_all_dev_nodes(run_init_t) - + domain_use_interactive_fds(run_init_t) @@ -398,23 +450,30 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) - + +term_use_console(run_init_t) + +#auth_use_nsswitch(run_init_t) @@ -49262,29 +49262,29 @@ index dc4642022..87680f157 100644 +auth_domtrans_chk_passwd(run_init_t) +auth_domtrans_upd_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) - + + init_spec_domtrans_script(run_init_t) # for utmp init_rw_utmp(run_init_t) +init_dontaudit_getattr_initctl(run_init_t) - + logging_send_syslog_msg(run_init_t) - + -miscfiles_read_localization(run_init_t) - seutil_libselinux_linked(run_init_t) seutil_read_default_contexts(run_init_t) - + -userdom_use_user_terminals(run_init_t) +userdom_use_inherited_user_terminals(run_init_t) - + ifndef(`direct_sysadm_daemon',` - ifdef(`distro_gentoo',` + ifdef(`distro_gentoo',` @@ -425,6 +484,19 @@ ifndef(`direct_sysadm_daemon',` - ') + ') ') - + +# need to talk with dbus +optional_policy(` + dbus_system_bus_client(run_init_t) 
@@ -49299,12 +49299,12 @@ index dc4642022..87680f157 100644 +') + ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(run_init_t) + optional_policy(` + unconfined_domain(run_init_t) @@ -440,81 +512,86 @@ optional_policy(` # semodule local policy # - + -allow semanage_t self:capability { dac_override audit_write }; -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; @@ -49326,7 +49326,7 @@ index dc4642022..87680f157 100644 -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) - + -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) @@ -49344,7 +49344,7 @@ index dc4642022..87680f157 100644 +selinux_set_enforce_mode(semanage_t) selinux_set_all_booleans(semanage_t) +can_exec(semanage_t, semanage_exec_t) - + -term_use_all_terms(semanage_t) - -# Running genhomedircon requires this for finding all users @@ -49353,7 +49353,7 @@ index dc4642022..87680f157 100644 -locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) - + -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) @@ -49380,18 +49380,18 @@ index dc4642022..87680f157 100644 +#seutil_get_semanage_read_lock(semanage_t) # netfilter_contexts: seutil_manage_default_contexts(semanage_t) - + # Handle pp files created in homedir and /tmp userdom_read_user_home_content_files(semanage_t) userdom_read_user_tmp_files(semanage_t) +userdom_home_reader(semanage_t) +userdom_map_tmp_files(semanage_t) - + ifdef(`distro_debian',` - files_read_var_lib_files(semanage_t) - files_read_var_lib_symlinks(semanage_t) + files_read_var_lib_files(semanage_t) + files_read_var_lib_symlinks(semanage_t) ') - + -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(semanage_t) 
@@ -49442,12 +49442,12 @@ index dc4642022..87680f157 100644 +optional_policy(` + unconfined_domain(setfiles_mac_t) ') - + ######################################## @@ -522,111 +599,201 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # - + -allow setfiles_t self:capability { dac_override dac_read_search fowner }; -dontaudit setfiles_t self:capability sys_tty_config; -allow setfiles_t self:fifo_file rw_file_perms; @@ -49518,10 +49518,10 @@ index dc4642022..87680f157 100644 +allow setfiles_t file_context_t:file map; + +fs_mount_tracefs(setfiles_t) - + logging_send_audit_msgs(setfiles_t) logging_send_syslog_msg(setfiles_t) - + -miscfiles_read_localization(setfiles_t) +optional_policy(` + cloudform_dontaudit_write_cloud_log(setfiles_t) @@ -49531,7 +49531,7 @@ index dc4642022..87680f157 100644 + devicekit_dontaudit_read_pid_files(setfiles_t) + devicekit_dontaudit_rw_log(setfiles_t) +') - + -seutil_libselinux_linked(setfiles_t) +optional_policy(` + # pki is leaking @@ -49555,7 +49555,7 @@ index dc4642022..87680f157 100644 + unconfined_domain(setfiles_t) + ') +') - + -userdom_use_all_users_fds(setfiles_t) +######################################## +# @@ -49595,7 +49595,7 @@ index dc4642022..87680f157 100644 + +domain_use_interactive_fds(setfiles_domain) +domain_read_all_domains_state(setfiles_domain) -+ ++ +files_read_etc_runtime_files(setfiles_domain) +files_read_etc_files(setfiles_domain) +files_list_all(setfiles_domain) 
@@ -49628,15 +49628,15 @@ index dc4642022..87680f157 100644 +userdom_read_user_home_content_files(setfiles_domain) +userdom_read_admin_home_files(setfiles_domain) +userdom_rw_inherited_user_home_content_files(setfiles_domain) - + ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes - # and then relabeled afterwards; thus - # /dev/console has the tmpfs type + # udev tmpfs is populated with static device nodes + # and then relabeled afterwards; thus + # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) + fs_rw_tmpfs_chr_files(setfiles_domain) ') - + -ifdef(`distro_redhat', ` - fs_rw_tmpfs_chr_files(setfiles_t) - fs_rw_tmpfs_blk_files(setfiles_t) @@ -49648,7 +49648,7 @@ index dc4642022..87680f157 100644 + fs_relabel_tmpfs_blk_file(setfiles_domain) + fs_relabel_tmpfs_chr_file(setfiles_domain) ') - + -ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(setfiles_t) @@ -49656,7 +49656,7 @@ index dc4642022..87680f157 100644 +optional_policy(` + hotplug_use_fds(setfiles_domain) ') - + -ifdef(`hide_broken_symptoms',` - optional_policy(` - udev_dontaudit_rw_dgram_sockets(setfiles_t) @@ -49670,7 +49670,7 @@ index dc4642022..87680f157 100644 +optional_policy(` + dbus_read_pid_files(setfiles_domain) ') - + +allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource }; +dontaudit policy_manager_domain self:capability sys_tty_config; +allow policy_manager_domain self:process { signal setsched }; @@ -49683,7 +49683,7 @@ index dc4642022..87680f157 100644 + +logging_send_audit_msgs(policy_manager_domain) + -+# Domains that will manage policy ++# Domains that will manage policy +allow policy_manager_domain policy_config_t:file rw_file_perms; + +allow policy_manager_domain semanage_tmp_t:dir manage_dir_perms; @@ -49737,9 +49737,9 @@ index bea462999..06e2834f7 100644 --- a/policy/modules/system/setrans.fc +++ b/policy/modules/system/setrans.fc 
@@ -2,4 +2,7 @@ - + /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) - + +/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) + /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) @@ -49749,8 +49749,8 @@ index efa9c27f6..536a514fc 100644 --- a/policy/modules/system/setrans.if +++ b/policy/modules/system/setrans.if @@ -40,3 +40,21 @@ interface(`setrans_translate_context',` - stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) - files_list_pids($1) + stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) + files_list_pids($1) ') +####################################### +## @@ -49779,25 +49779,25 @@ index 1447687d5..0b1da4d3e 100644 type setrans_exec_t; init_daemon_domain(setrans_t, setrans_exec_t) +mls_trusted_object(setrans_t) - + type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) @@ -49,6 +50,7 @@ manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir }) - + +kernel_read_system_state(setrans_t) kernel_read_kernel_sysctls(setrans_t) kernel_read_proc_symlinks(setrans_t) - + @@ -78,7 +80,6 @@ locallogin_dontaudit_use_fds(setrans_t) - + logging_send_syslog_msg(setrans_t) - + -miscfiles_read_localization(setrans_t) - + seutil_read_config(setrans_t) - + diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index 40edc18ab..95f4458d2 100644 --- a/policy/modules/system/sysnetwork.fc 
@@ -49821,11 +49821,11 @@ index 40edc18ab..95f4458d2 100644 +/etc/\.resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0) - + -/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) +/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) - + ifdef(`distro_redhat',` /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0) @@ -49834,7 +49834,7 @@ index 40edc18ab..95f4458d2 100644 +/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ') +/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) - + # # /sbin @@ -44,6 +50,7 @@ ifdef(`distro_redhat',` @@ -49865,12 +49865,12 @@ index 40edc18ab..95f4458d2 100644 +/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0) +/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0) /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) - + # @@ -77,3 +99,6 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') - + +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + @@ -49879,23 +49879,23 @@ index 2cea692c0..1fb3ada18 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -17,6 +17,7 @@ interface(`sysnet_domtrans_dhcpc',` - - corecmd_search_bin($1) - domtrans_pattern($1, dhcpc_exec_t, dhcpc_t) + + corecmd_search_bin($1) + domtrans_pattern($1, dhcpc_exec_t, dhcpc_t) + allow $1 dhcpc_exec_t:file map; ') - + ######################################## 
@@ -38,11 +39,30 @@ interface(`sysnet_domtrans_dhcpc',` # interface(`sysnet_run_dhcpc',` - gen_require(` + gen_require(` + type dhcpc_t; - attribute_role dhcpc_roles; - ') - - sysnet_domtrans_dhcpc($1) - roleattribute $2 dhcpc_roles; + attribute_role dhcpc_roles; + ') + + sysnet_domtrans_dhcpc($1) + roleattribute $2 dhcpc_roles; + + optional_policy(` + networkmanager_run(dhcpc_t, $2) @@ -49915,29 +49915,29 @@ index 2cea692c0..1fb3ada18 100644 + + seutil_run_setfiles(dhcpc_t, $2) ') - + ######################################## @@ -231,7 +251,7 @@ interface(`sysnet_rw_dhcp_config',` - ') - - files_search_etc($1) + ') + + files_search_etc($1) - allow $1 dhcp_etc_t:file rw_file_perms; + rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t) ') - + ######################################## @@ -269,6 +289,7 @@ interface(`sysnet_read_dhcpc_state',` - type dhcpc_state_t; - ') - + type dhcpc_state_t; + ') + + list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t) - read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) + read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') - + @@ -290,6 +311,43 @@ interface(`sysnet_delete_dhcpc_state',` - delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) + delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') - + +######################################## +## +## Allow caller to relabel dhcpc_state files @@ -49979,9 +49979,9 @@ index 2cea692c0..1fb3ada18 100644 ## ## Set the attributes of network config files. @@ -309,6 +367,44 @@ interface(`sysnet_setattr_config',` - allow $1 net_conf_t:file setattr_file_perms; + allow $1 net_conf_t:file setattr_file_perms; ') - + +####################################### +## +## Allow caller to relabel net_conf files @@ -50024,20 +50024,20 @@ index 2cea692c0..1fb3ada18 100644 ## ## Read network config files. 
@@ -355,7 +451,10 @@ interface(`sysnet_read_config',` - ') - - ifdef(`distro_redhat',` + ') + + ifdef(`distro_redhat',` + files_search_all_pids($1) + init_search_pid_dirs($1) - allow $1 net_conf_t:dir list_dir_perms; + allow $1 net_conf_t:dir list_dir_perms; + allow $1 net_conf_t:lnk_file read_lnk_file_perms; - read_files_pattern($1, net_conf_t, net_conf_t) - ') + read_files_pattern($1, net_conf_t, net_conf_t) + ') ') @@ -438,6 +537,42 @@ interface(`sysnet_etc_filetrans_config',` - ') - - files_etc_filetrans($1, net_conf_t, file, $2) + ') + + files_etc_filetrans($1, net_conf_t, file, $2) + files_etc_filetrans($1, net_conf_t, lnk_file, $2) + +') @@ -50075,25 +50075,25 @@ index 2cea692c0..1fb3ada18 100644 + + filetrans_pattern($1, $2, net_conf_t, $3, $4) ') - + ####################################### @@ -453,7 +588,7 @@ interface(`sysnet_etc_filetrans_config',` interface(`sysnet_manage_config',` - gen_require(` - type net_conf_t; + gen_require(` + type net_conf_t; - ') + ') - - allow $1 net_conf_t:file manage_file_perms; - + + allow $1 net_conf_t:file manage_file_perms; + @@ -463,7 +598,41 @@ interface(`sysnet_manage_config',` - ') - - ifdef(`distro_redhat',` + ') + + ifdef(`distro_redhat',` + files_search_all_pids($1) + init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; - manage_files_pattern($1, net_conf_t, net_conf_t) + manage_files_pattern($1, net_conf_t, net_conf_t) + manage_lnk_files_pattern($1, net_conf_t, net_conf_t) + ') +') @@ -50125,24 +50125,24 @@ index 2cea692c0..1fb3ada18 100644 + init_search_pid_dirs($1) + allow $1 net_conf_t:dir list_dir_perms; + manage_dirs_pattern($1, net_conf_t, net_conf_t) - ') + ') ') - + 
@@ -501,9 +670,29 @@ interface(`sysnet_delete_dhcpc_pid',` - type dhcpc_var_run_t; - ') - + type dhcpc_var_run_t; + ') + + files_rw_pid_dirs($1) - allow $1 dhcpc_var_run_t:file unlink; + allow $1 dhcpc_var_run_t:file unlink; ') - + +####################################### +## +## Manage the dhcp client pid file. +## +## +## -+## Domain allowed access. ++## Domain allowed access. +## +## +# @@ -50159,9 +50159,9 @@ index 2cea692c0..1fb3ada18 100644 ## ## Execute ifconfig in the ifconfig domain. @@ -523,6 +712,24 @@ interface(`sysnet_domtrans_ifconfig',` - domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) + domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) ') - + +######################################## +## +## NNP Transition to ifconfig_t. @@ -50184,9 +50184,9 @@ index 2cea692c0..1fb3ada18 100644 ## ## Execute ifconfig in the ifconfig domain, and @@ -608,6 +815,25 @@ interface(`sysnet_signull_ifconfig',` - allow $1 ifconfig_t:process signull; + allow $1 ifconfig_t:process signull; ') - + +######################################## +## +## Send a kill signal to iconfig. @@ -50210,17 +50210,17 @@ index 2cea692c0..1fb3ada18 100644 ## ## Read the DHCP configuration files. @@ -626,6 +852,7 @@ interface(`sysnet_read_dhcp_config',` - files_search_etc($1) - allow $1 dhcp_etc_t:dir list_dir_perms; - read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) + files_search_etc($1) + allow $1 dhcp_etc_t:dir list_dir_perms; + read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) + allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms; ') - + ######################################## @@ -647,6 +874,26 @@ interface(`sysnet_search_dhcp_state',` - allow $1 dhcp_state_t:dir search_dir_perms; + allow $1 dhcp_state_t:dir search_dir_perms; ') - + +####################################### +## +## Set the attributes of network config files. @@ -50245,63 +50245,63 @@ index 2cea692c0..1fb3ada18 100644 ## ## Create DHCP state data. 
@@ -711,8 +958,6 @@ interface(`sysnet_dns_name_resolve',` - allow $1 self:udp_socket create_socket_perms; - allow $1 self:netlink_route_socket r_netlink_socket_perms; - + allow $1 self:udp_socket create_socket_perms; + allow $1 self:netlink_route_socket r_netlink_socket_perms; + - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) @@ -720,8 +965,13 @@ interface(`sysnet_dns_name_resolve',` - corenet_tcp_sendrecv_dns_port($1) - corenet_udp_sendrecv_dns_port($1) - corenet_tcp_connect_dns_port($1) + corenet_tcp_sendrecv_dns_port($1) + corenet_udp_sendrecv_dns_port($1) + corenet_tcp_connect_dns_port($1) + corenet_tcp_connect_dnssec_port($1) - corenet_sendrecv_dns_client_packets($1) - + corenet_sendrecv_dns_client_packets($1) + + files_search_all_pids($1) + + miscfiles_read_generic_certs($1) + - sysnet_read_config($1) - - optional_policy(` + sysnet_read_config($1) + + optional_policy(` @@ -750,8 +1000,6 @@ interface(`sysnet_use_ldap',` - - allow $1 self:tcp_socket create_socket_perms; - + + allow $1 self:tcp_socket create_socket_perms; + - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_tcp_sendrecv_ldap_port($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_ldap_port($1) @@ -760,9 +1008,14 @@ interface(`sysnet_use_ldap',` - - # Support for LDAPS - dev_read_rand($1) + + # Support for LDAPS + dev_read_rand($1) + # LDAP Configuration using encrypted requires - dev_read_urand($1) - - sysnet_read_config($1) + dev_read_urand($1) + + sysnet_read_config($1) + + optional_policy(` + ldap_read_certs($1) + ') ') - + ######################################## 
@@ -784,7 +1037,6 @@ interface(`sysnet_use_portmap',` - allow $1 self:udp_socket create_socket_perms; - - corenet_all_recvfrom_unlabeled($1) + allow $1 self:udp_socket create_socket_perms; + + corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) @@ -796,3 +1048,143 @@ interface(`sysnet_use_portmap',` - - sysnet_read_config($1) + + sysnet_read_config($1) ') + +######################################## @@ -50450,7 +50450,7 @@ index a392fc4bc..4b8dc5630 100644 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) # Declarations # - + +## +##

      +## Allow dhcpc client applications to execute iptables commands @@ -50460,7 +50460,7 @@ index a392fc4bc..4b8dc5630 100644 + attribute_role dhcpc_roles; roleattribute system_r dhcpc_roles; - + @@ -20,7 +27,9 @@ files_type(dhcp_state_t) type dhcpc_t; type dhcpc_exec_t; @@ -50469,13 +50469,13 @@ index a392fc4bc..4b8dc5630 100644 + +type dhcpc_helper_exec_t; +init_script_file(dhcpc_helper_exec_t) - + type dhcpc_state_t; files_type(dhcpc_state_t) @@ -36,8 +45,12 @@ type ifconfig_exec_t; init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; - + +type ifconfig_var_run_t; +files_pid_file(ifconfig_var_run_t) +files_mountpoint(ifconfig_var_run_t) @@ -50483,9 +50483,9 @@ index a392fc4bc..4b8dc5630 100644 type net_conf_t alias resolv_conf_t; -files_type(net_conf_t) +files_config_file(net_conf_t) - + ifdef(`distro_debian',` - init_daemon_run_dir(net_conf_t, "network") + init_daemon_run_dir(net_conf_t, "network") @@ -47,11 +60,11 @@ ifdef(`distro_debian',` # # DHCP client local policy @@ -50498,34 +50498,34 @@ index a392fc4bc..4b8dc5630 100644 dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; +allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms }; - + allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; @@ -64,8 +77,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) - + allow dhcpc_t dhcp_state_t:file read_file_perms; +allow dhcpc_t dhcp_state_t:file relabel_file_perms; + manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) +allow dhcpc_t dhcpc_state_t:file { map relabel_file_perms }; - + # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) 
@@ -74,6 +90,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) - + # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. +allow dhcpc_t net_conf_t:file manage_file_perms; +allow dhcpc_t net_conf_t:file relabel_file_perms; sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) - + @@ -95,14 +113,13 @@ kernel_rw_net_sysctls(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_shell(dhcpc_t) - + -corenet_all_recvfrom_unlabeled(dhcpc_t) corenet_all_recvfrom_netlabel(dhcpc_t) -corenet_tcp_sendrecv_all_if(dhcpc_t) @@ -50550,15 +50550,15 @@ index a392fc4bc..4b8dc5630 100644 +corenet_sendrecv_dhcpc_server_packets(dhcpc_t) corenet_sendrecv_all_server_packets(dhcpc_t) +corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t) - + dev_read_sysfs(dhcpc_t) # for SSP: dev_read_urand(dhcpc_t) - + +domain_obj_id_change_exemption(dhcpc_t) domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) - + -files_read_etc_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t) -files_read_usr_files(dhcpc_t) @@ -50568,13 +50568,13 @@ index a392fc4bc..4b8dc5630 100644 files_getattr_generic_locks(dhcpc_t) +files_rw_inherited_tmp_file(dhcpc_t) +files_dontaudit_rw_inherited_locks(dhcpc_t) - + fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) @@ -137,15 +157,22 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) - + +auth_use_nsswitch(dhcpc_t) + init_rw_utmp(dhcpc_t) 
@@ -50582,22 +50582,22 @@ index a392fc4bc..4b8dc5630 100644 +init_stream_send(dhcpc_t) + +libs_exec_ldconfig(dhcpc_t) - + logging_send_syslog_msg(dhcpc_t) - + -miscfiles_read_localization(dhcpc_t) +miscfiles_read_generic_certs(dhcpc_t) - + modutils_run_insmod(dhcpc_t, dhcpc_roles) - + sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) +allow dhcpc_t ifconfig_exec_t:file map; - + userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) @@ -161,7 +188,21 @@ ifdef(`distro_ubuntu',` ') - + optional_policy(` - consoletype_run(dhcpc_t, dhcpc_roles) + chronyd_initrc_domtrans(dhcpc_t) @@ -50616,30 +50616,30 @@ index a392fc4bc..4b8dc5630 100644 + devicekit_dontaudit_rw_log(dhcpc_t) + devicekit_dontaudit_read_pid_files(dhcpc_t) ') - + optional_policy(` @@ -176,10 +217,7 @@ optional_policy(` - + optional_policy(` - hostname_run(dhcpc_t, dhcpc_roles) + hostname_run(dhcpc_t, dhcpc_roles) -') - -optional_policy(` - hal_dontaudit_rw_dgram_sockets(dhcpc_t) + allow dhcpc_t hostname_exec_t:file map; ') - + optional_policy(` @@ -195,23 +233,32 @@ optional_policy(` optional_policy(` - netutils_run_ping(dhcpc_t, dhcpc_roles) - netutils_run(dhcpc_t, dhcpc_roles) + netutils_run_ping(dhcpc_t, dhcpc_roles) + netutils_run(dhcpc_t, dhcpc_roles) -',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; + allow dhcpc_t netutils_exec_t:file map; ') - + optional_policy(` + networkmanager_domtrans(dhcpc_t) + networkmanager_read_pid_files(dhcpc_t) 
@@ -50649,27 +50649,27 @@ index a392fc4bc..4b8dc5630 100644 + +optional_policy(` + nis_initrc_domtrans_ypbind(dhcpc_t) - nis_read_ypbind_pid(dhcpc_t) + nis_read_ypbind_pid(dhcpc_t) + nis_systemctl_ypbind(dhcpc_t) ') - + optional_policy(` - nscd_initrc_domtrans(dhcpc_t) + nscd_initrc_domtrans(dhcpc_t) + nscd_systemctl(dhcpc_t) - nscd_domtrans(dhcpc_t) - nscd_read_pid(dhcpc_t) + nscd_domtrans(dhcpc_t) + nscd_read_pid(dhcpc_t) ') - + optional_policy(` - ntp_initrc_domtrans(dhcpc_t) + ntp_initrc_domtrans(dhcpc_t) + ntp_systemctl(dhcpc_t) ') - + optional_policy(` @@ -221,7 +268,11 @@ optional_policy(` - + optional_policy(` - seutil_sigchld_newrole(dhcpc_t) + seutil_sigchld_newrole(dhcpc_t) - seutil_dontaudit_search_config(dhcpc_t) + seutil_domtrans_setfiles(dhcpc_t) +') @@ -50677,18 +50677,18 @@ index a392fc4bc..4b8dc5630 100644 + systemd_passwd_agent_domtrans(dhcpc_t) + systemd_signal_passwd_agent(dhcpc_t) ') - + optional_policy(` @@ -232,6 +283,10 @@ optional_policy(` - userdom_use_all_users_fds(dhcpc_t) + userdom_use_all_users_fds(dhcpc_t) ') - + +optional_policy(` + virt_manage_pid_files(dhcpc_t) +') + optional_policy(` - vmware_append_log(dhcpc_t) + vmware_append_log(dhcpc_t) ') @@ -264,32 +319,73 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -50704,7 +50704,7 @@ index a392fc4bc..4b8dc5630 100644 +allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }; + allow ifconfig_t self:tcp_socket { create ioctl }; - + +can_exec(ifconfig_t, ifconfig_exec_t) + +manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) @@ -50722,9 +50722,9 @@ index a392fc4bc..4b8dc5630 100644 kernel_rw_net_sysctls(ifconfig_t) +kernel_getattr_proc(ifconfig_t) +kernel_unmount_proc(ifconfig_t) - + corenet_rw_tun_tap_dev(ifconfig_t) - + +corecmd_exec_bin(ifconfig_t) +corecmd_exec_shell(ifconfig_t) + 
@@ -50737,7 +50737,7 @@ index a392fc4bc..4b8dc5630 100644 +dev_mount_sysfs_fs(ifconfig_t) +dev_unmount_sysfs_fs(ifconfig_t) +dev_getattr_sysfs_fs(ifconfig_t) - + domain_use_interactive_fds(ifconfig_t) +domain_read_all_domains_state(ifconfig_t) + @@ -50750,59 +50750,59 @@ index a392fc4bc..4b8dc5630 100644 +files_dontaudit_rw_var_files(ifconfig_t) + +files_mounton_rootfs(ifconfig_t) - + files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) +files_read_usr_files(ifconfig_t) - + fs_getattr_xattr_fs(ifconfig_t) +fs_unmount_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +fs_read_nsfs_files(ifconfig_t) +fs_mount_nsfs(ifconfig_t) +fs_unmount_nsfs(ifconfig_t) - + selinux_dontaudit_getattr_fs(ifconfig_t) - + @@ -299,33 +395,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) - + -files_dontaudit_read_root_files(ifconfig_t) +auth_use_nsswitch(ifconfig_t) - + init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) +init_rw_inherited_script_tmp_files(ifconfig_t) - + libs_read_lib_files(ifconfig_t) - + logging_send_syslog_msg(ifconfig_t) - + -miscfiles_read_localization(ifconfig_t) - -modutils_domtrans_insmod(ifconfig_t) - seutil_use_runinit_fds(ifconfig_t) - + +sysnet_dns_name_resolve(ifconfig_t) sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t) +sysnet_filetrans_named_content_ifconfig(ifconfig_t) - + -userdom_use_user_terminals(ifconfig_t) +userdom_use_inherited_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) - + +optional_policy(` + hostname_exec(ifconfig_t) +') + ifdef(`distro_ubuntu',` - optional_policy(` - unconfined_domain(ifconfig_t) - ') + optional_policy(` + unconfined_domain(ifconfig_t) + ') ') - + +optional_policy(` + brctl_domtrans(ifconfig_t) +') 
@@ -50819,12 +50819,12 @@ index a392fc4bc..4b8dc5630 100644 + # caused by some bogus kernel code + dontaudit ifconfig_t self:capability sys_module; + - optional_policy(` - dev_dontaudit_rw_cardmgr(ifconfig_t) - ') + optional_policy(` + dev_dontaudit_rw_cardmgr(ifconfig_t) + ') @@ -336,7 +450,11 @@ ifdef(`hide_broken_symptoms',` ') - + optional_policy(` - devicekit_read_pid_files(ifconfig_t) + dnsmasq_domtrans(ifconfig_t) @@ -50833,15 +50833,15 @@ index a392fc4bc..4b8dc5630 100644 +optional_policy(` + devicekit_dontaudit_read_pid_files(ifconfig_t) ') - + optional_policy(` @@ -347,10 +465,20 @@ optional_policy(` optional_policy(` - ipsec_write_pid(ifconfig_t) - ipsec_setcontext_default_spd(ifconfig_t) + ipsec_write_pid(ifconfig_t) + ipsec_setcontext_default_spd(ifconfig_t) + ipsec_dontaudit_write_log(ifconfig_t) ') - + optional_policy(` - nis_use_ypbind(ifconfig_t) + kdump_dontaudit_read_config(ifconfig_t) @@ -50855,11 +50855,11 @@ index a392fc4bc..4b8dc5630 100644 +optional_policy(` + modutils_domtrans_insmod(ifconfig_t) ') - + optional_policy(` @@ -371,3 +499,17 @@ optional_policy(` - xen_append_log(ifconfig_t) - xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) + xen_append_log(ifconfig_t) + xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') + +optional_policy(` @@ -50987,7 +50987,7 @@ index 000000000..8f75416ce + +###################################### +##

      -+## Create a domain for processes which are started ++## Create a domain for processes which are started +## exuting systemctl. +## +## @@ -51004,7 +51004,7 @@ index 000000000..8f75416ce + +####################################### +## -+## Create a domain for processes which are started ++## Create a domain for processes which are started +## exuting systemctl. +## +## @@ -51022,7 +51022,7 @@ index 000000000..8f75416ce + + type $1_systemctl_t, systemctl_domain; + domain_type($1_systemctl_t) -+ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) ++ domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) + + role system_r types $1_systemctl_t; + @@ -51095,7 +51095,7 @@ index 000000000..8f75416ce + gen_require(` + attribute systemd_unit_file_type; + ') -+ ++ + files_search_var_lib($1) + allow $1 systemd_unit_file_type:dir search_dir_perms; +') @@ -51114,7 +51114,7 @@ index 000000000..8f75416ce + gen_require(` + attribute systemd_unit_file_type; + ') -+ ++ + files_search_var_lib($1) + allow $1 systemd_unit_file_type:dir list_dir_perms; +') @@ -51133,7 +51133,7 @@ index 000000000..8f75416ce + gen_require(` + attribute systemd_unit_file_type; + ') -+ ++ + files_search_var_lib($1) + allow $1 systemd_unit_file_type:dir create; +') @@ -51189,7 +51189,7 @@ index 000000000..8f75416ce + gen_require(` + attribute systemd_unit_file_type; + ') -+ ++ + files_search_var_lib($1) + allow $1 systemd_unit_file_type:file read_file_perms; + allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms; @@ -51738,7 +51738,7 @@ index 000000000..8f75416ce +# +interface(`systemd_manage_passwd_run',` + gen_require(` -+ type systemd_passwd_agent_t; ++ type systemd_passwd_agent_t; + type systemd_passwd_var_run_t; + ') + 
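Review bot: The interface description carried on the new side reads `## exuting systemctl.` in both this hunk and the next one (the two systemd.if `## Create a domain for processes which are started` blocks); it should read `## executing systemctl.` so the generated interface documentation is correct. The outer change on these lines is only trailing whitespace on the preceding description line, so the typo is preserved unchanged; both interface definitions continue past the hunk.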
@@ -51913,7 +51913,7 @@ index 000000000..8f75416ce + +######################################## +## -+## Allow the specified domain to modify the systemd configuration of ++## Allow the specified domain to modify the systemd configuration of +## all systemd services +## +## @@ -51969,7 +51969,7 @@ index 000000000..8f75416ce + +######################################## +## -+## Allow the specified domain to modify the systemd configuration of ++## Allow the specified domain to modify the systemd configuration of +## all systemd services +## +## @@ -53278,7 +53278,7 @@ index 000000000..3cf2e1230 +') + +optional_policy(` -+ # we have /run/user/$USER/dconf ++ # we have /run/user/$USER/dconf + gnome_delete_home_config(systemd_tmpfiles_t) + gnome_delete_home_config_dirs(systemd_tmpfiles_t) + gnome_setattr_home_config_dirs(systemd_tmpfiles_t) @@ -53680,20 +53680,20 @@ index f41857e09..49fd32e17 100644 +/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0) +/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0) +/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0) - + /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - + @@ -10,6 +12,7 @@ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) - + /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) +/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) - + ifdef(`distro_debian',` /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0) @@ -27,11 +30,23 @@ ifdef(`distro_redhat',` ') - + /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) - -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) 
@@ -53715,9 +53715,9 @@ index f41857e09..49fd32e17 100644 +/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) + +/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) -+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) ++/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) - + ifdef(`distro_debian',` /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if @@ -53725,35 +53725,35 @@ index 9a1650d37..d7e8a0193 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` - ') - - domtrans_pattern($1, udev_exec_t, udev_t) + ') + + domtrans_pattern($1, udev_exec_t, udev_t) + allow $1 udev_t:process noatsecure; ') - + ######################################## @@ -88,8 +89,7 @@ interface(`udev_read_state',` - ') - - kernel_search_proc($1) + ') + + kernel_search_proc($1) - allow $1 udev_t:file read_file_perms; - allow $1 udev_t:lnk_file read_lnk_file_perms; + ps_process_pattern($1, udev_t) ') - + ######################################## @@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',` # interface(`udev_dontaudit_search_db',` - gen_require(` + gen_require(` - type udev_tbl_t; + type udev_var_run_t; - ') - + ') + - dontaudit $1 udev_tbl_t:dir search_dir_perms; + dontaudit $1 udev_var_run_t:dir search_dir_perms; ') - + ######################################## @@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',` ## 
@@ -53773,17 +53773,17 @@ index 9a1650d37..d7e8a0193 100644 +## +# +interface(`udev_rw_db',` - gen_require(` + gen_require(` - type udev_tbl_t; + type udev_var_run_t; - ') - + ') + - allow $1 udev_tbl_t:dir list_dir_perms; + files_search_pids($1) + dev_list_all_dev_nodes($1) + rw_files_pattern($1, udev_var_run_t, udev_var_run_t) +') - + - read_files_pattern($1, udev_tbl_t, udev_tbl_t) - read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) +######################################## @@ -53800,12 +53800,12 @@ index 9a1650d37..d7e8a0193 100644 + gen_require(` + type udev_var_run_t; + ') - + - dev_list_all_dev_nodes($1) + files_search_pids($1) + allow $1 udev_var_run_t:file relabelto_file_perms; +') - + - files_search_etc($1) +######################################## +## @@ -53821,11 +53821,11 @@ index 9a1650d37..d7e8a0193 100644 + gen_require(` + type udev_var_run_t; + ') - + - udev_search_pids($1) + allow $1 udev_var_run_t:sock_file relabel_sock_file_perms; ') - + ######################################## ## -## Allow process to modify list of devices. @@ -53840,22 +53840,22 @@ index 9a1650d37..d7e8a0193 100644 # -interface(`udev_rw_db',` +interface(`udev_read_pid_files',` - gen_require(` + gen_require(` - type udev_tbl_t; + type udev_var_run_t; - ') - - dev_list_all_dev_nodes($1) + ') + + dev_list_all_dev_nodes($1) - allow $1 udev_tbl_t:file rw_file_perms; + files_search_pids($1) + allow $1 udev_var_run_t:dir list_dir_perms; + read_files_pattern($1, udev_var_run_t, udev_var_run_t) + read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t) ') - + ######################################## @@ -263,7 +311,8 @@ interface(`udev_manage_pid_dirs',` - + ######################################## ## -## Read udev pid files. 
@@ -53870,15 +53870,15 @@ index 9a1650d37..d7e8a0193 100644 # -interface(`udev_read_pid_files',` +interface(`udev_manage_pid_files',` - gen_require(` - type udev_var_run_t; - ') - - files_search_pids($1) + gen_require(` + type udev_var_run_t; + ') + + files_search_pids($1) - read_files_pattern($1, udev_var_run_t, udev_var_run_t) + manage_files_pattern($1, udev_var_run_t, udev_var_run_t) ') - + -######################################## +####################################### ## @@ -53920,12 +53920,12 @@ index 9a1650d37..d7e8a0193 100644 # -interface(`udev_manage_pid_files',` +interface(`udev_create_kobject_uevent_socket',` - gen_require(` + gen_require(` - type udev_var_run_t; + type udev_t; + role system_r; - ') - + ') + - files_search_pids($1) - manage_files_pattern($1, udev_var_run_t, udev_var_run_t) + allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms; @@ -53962,7 +53962,7 @@ index 9a1650d37..d7e8a0193 100644 + + dontaudit $1 udev_t:unix_dgram_socket { read write }; ') - + ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 39f185f68..fb61dca9a 100644 @@ -53971,28 +53971,28 @@ index 39f185f68..fb61dca9a 100644 @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) - + -type udev_tbl_t alias udev_tdb_t; -files_type(udev_tbl_t) - type udev_rules_t; files_type(udev_rules_t) - + type udev_var_run_t; files_pid_file(udev_var_run_t) +typealias udev_var_run_t alias udev_tbl_t; init_daemon_run_dir(udev_var_run_t, "udev") - + +type udev_tmp_t; +files_tmp_file(udev_tmp_t) + ifdef(`enable_mcs',` - kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) - init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh) + kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh) 
@@ -37,10 +38,10 @@ ifdef(`enable_mcs',` # Local policy # - + -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; +allow udev_t self:capability2 { block_suspend compromise_kernel }; @@ -54011,25 +54011,25 @@ index 39f185f68..fb61dca9a 100644 allow udev_t self:rawip_socket create_socket_perms; +allow udev_t self:netlink_socket create_socket_perms; +allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; - + allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) @@ -64,31 +68,40 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; - + -allow udev_t udev_tbl_t:file manage_file_perms; -dev_filetrans(udev_t, udev_tbl_t, file) +allow udev_t udev_tmp_t:dir manage_dir_perms; +allow udev_t udev_tmp_t:file manage_file_perms; +files_tmp_filetrans(udev_t, udev_tmp_t, { file dir }) - + list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) -read_files_pattern(udev_t, udev_rules_t, udev_rules_t) +manage_files_pattern(udev_t, udev_rules_t, udev_rules_t) +manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t) +manage_chr_files_pattern(udev_t, udev_rules_t, udev_rules_t) - + manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) @@ -54039,7 +54039,7 @@ index 39f185f68..fb61dca9a 100644 +allow udev_t udev_var_run_t:dir mounton; +allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms; +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } ) - + +kernel_load_module(udev_t) kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) 
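Review bot: The udev_t capability set on the new side of the udev.te hunk, `allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };`, lists `sys_nice` twice; the second occurrence should be dropped (the set still grants it once). The next rule, `allow udev_t self:capability2 { block_suspend compromise_kernel };`, grants `compromise_kernel` with no comment, and as far as I know the matching kernel capability was reverted upstream before it shipped in a release, so a one-line comment stating why it is listed (or removing it) would stop the next reader from assuming udev needs it. Both rules appear to be inner context here, so the commit does not touch them, and the udev.te local-policy section continues past the hunk.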
@@ -54059,11 +54059,11 @@ index 39f185f68..fb61dca9a 100644 +kernel_setsched(udev_t) +kernel_stream_connect(udev_t) +kernel_signal(udev_t) - + #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) @@ -99,6 +112,7 @@ corecmd_exec_all_executables(udev_t) - + dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) +dev_rw_generic_usb_dev(udev_t) @@ -54075,10 +54075,10 @@ index 39f185f68..fb61dca9a 100644 dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) +dev_filetrans_all_named_dev(udev_t) - + domain_read_all_domains_state(udev_t) -domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these - + files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) -files_read_etc_files(udev_t) @@ -54094,7 +54094,7 @@ index 39f185f68..fb61dca9a 100644 files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) +files_list_tmp(udev_t) - + fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) fs_rw_anon_inodefs_files(udev_t) @@ -54103,7 +54103,7 @@ index 39f185f68..fb61dca9a 100644 +fs_list_auto_mountpoints(udev_t) +fs_list_hugetlbfs(udev_t) +fs_read_cgroup_files(udev_t) - + mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) @@ -145,17 +167,20 @@ auth_use_nsswitch(udev_t) @@ -54111,21 +54111,21 @@ index 39f185f68..fb61dca9a 100644 init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) +init_stream_connect(udev_t) - + logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) logging_send_audit_msgs(udev_t) +logging_stream_connect_syslog(udev_t) - + -miscfiles_read_localization(udev_t) miscfiles_read_hwdata(udev_t) - + modutils_domtrans_insmod(udev_t) # read modules.inputmap: modutils_read_module_deps(udev_t) +modutils_list_module_config(udev_t) +modutils_read_module_config(udev_t) - + seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) @@ -169,9 +194,14 @@ sysnet_read_dhcpc_pid(udev_t) 
@@ -54138,15 +54138,15 @@ index 39f185f68..fb61dca9a 100644 +systemd_login_read_pid_files(udev_t) +systemd_getattr_unit_files(udev_t) +systemd_hwdb_manage_config(udev_t) - + userdom_dontaudit_search_user_home_content(udev_t) +userdom_rw_inherited_user_tmp_pipes(udev_t) - + ifdef(`distro_debian',` - files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug") + files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug") @@ -195,16 +225,9 @@ ifdef(`distro_gentoo',` ') - + ifdef(`distro_redhat',` - fs_manage_tmpfs_dirs(udev_t) - fs_manage_tmpfs_files(udev_t) @@ -54157,33 +54157,33 @@ index 39f185f68..fb61dca9a 100644 - fs_relabel_tmpfs_blk_file(udev_t) - fs_relabel_tmpfs_chr_file(udev_t) + fs_manage_hugetlbfs_dirs(udev_t) - + - term_search_ptys(udev_t) + term_use_generic_ptys(udev_t) - - # for arping used for static IP addresses on PCMCIA ethernet - netutils_domtrans(udev_t) + + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(udev_t) @@ -242,6 +265,7 @@ optional_policy(` - + optional_policy(` - cups_domtrans_config(udev_t) + cups_domtrans_config(udev_t) + cups_read_config(udev_t) ') - + optional_policy(` @@ -249,17 +273,31 @@ optional_policy(` - dbus_use_system_bus_fds(udev_t) - - optional_policy(` + dbus_use_system_bus_fds(udev_t) + + optional_policy(` - consolekit_dbus_chat(udev_t) - ') + systemd_dbus_chat_logind(udev_t) + ') ') - + optional_policy(` - devicekit_read_pid_files(udev_t) - devicekit_dgram_send(udev_t) + devicekit_read_pid_files(udev_t) + devicekit_dgram_send(udev_t) + devicekit_domtrans_disk(udev_t) +') + @@ -54198,39 +54198,39 @@ index 39f185f68..fb61dca9a 100644 +optional_policy(` + kdump_systemctl(udev_t) ') - + optional_policy(` - lvm_domtrans(udev_t) + lvm_domtrans(udev_t) + lvm_dgram_send(udev_t) ') - + optional_policy(` 
@@ -280,6 +318,10 @@ optional_policy(` - hotplug_search_pids(udev_t) + hotplug_search_pids(udev_t) ') - + +optional_policy(` + kdump_rw_inherited_kdumpctl_tmp_pipes(udev_t) +') + optional_policy(` - lvm_domtrans(udev_t) + lvm_domtrans(udev_t) ') @@ -288,6 +330,10 @@ optional_policy(` - mount_domtrans(udev_t) + mount_domtrans(udev_t) ') - + +optional_policy(` + networkmanager_dbus_chat(udev_t) +') + optional_policy(` - openct_read_pid_files(udev_t) - openct_domtrans(udev_t) + openct_read_pid_files(udev_t) + openct_domtrans(udev_t) @@ -302,6 +348,15 @@ optional_policy(` - raid_domtrans_mdadm(udev_t) + raid_domtrans_mdadm(udev_t) ') - + +optional_policy(` + radvd_read_pid_files(udev_t) +') @@ -54241,15 +54241,15 @@ index 39f185f68..fb61dca9a 100644 +') + optional_policy(` - unconfined_signal(udev_t) + unconfined_signal(udev_t) ') @@ -315,6 +370,7 @@ optional_policy(` - kernel_read_xen_state(udev_t) - xen_manage_log(udev_t) - xen_read_image_files(udev_t) + kernel_read_xen_state(udev_t) + xen_manage_log(udev_t) + xen_read_image_files(udev_t) + xen_stream_connect_xenstore(udev_t) ') - + optional_policy(` diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc index 0abaf8432..8b34dbc09 100644 @@ -54284,13 +54284,13 @@ index 5ca20a97d..99a38b017 100644 @@ -12,53 +12,57 @@ # interface(`unconfined_domain_noaudit',` - gen_require(` + gen_require(` - type unconfined_t; - class dbus all_dbus_perms; - class nscd all_nscd_perms; - class passwd all_passwd_perms; - ') - + class dbus all_dbus_perms; + class nscd all_nscd_perms; + class passwd all_passwd_perms; + ') + - # Use most Linux capabilities - allow $1 self:capability ~sys_module; - allow $1 self:fifo_file manage_fifo_file_perms; 
@@ -54299,16 +54299,16 @@ index 5ca20a97d..99a38b017 100644 + allow $1 self:capability ~{ sys_module }; + allow $1 self:capability2 ~{ mac_admin mac_override }; + allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; - - # Transition to myself, to make get_ordered_context_list happy. + + # Transition to myself, to make get_ordered_context_list happy. - allow $1 self:process transition; + allow $1 self:process { dyntransition transition }; - - # Write access is for setting attributes under /proc/self/attr. - allow $1 self:file rw_file_perms; + + # Write access is for setting attributes under /proc/self/attr. + allow $1 self:file rw_file_perms; + allow $1 self:dir rw_dir_perms; - - # Userland object managers + + # Userland object managers - allow $1 self:nscd *; - allow $1 self:dbus *; - allow $1 self:passwd *; 
@@ -54318,35 +54318,35 @@ index 5ca20a97d..99a38b017 100644 + allow $1 self:passwd all_passwd_perms; + allow $1 self:association all_association_perms; + allow $1 self:socket_class_set create_socket_perms; - - kernel_unconfined($1) - corenet_unconfined($1) - dev_unconfined($1) - domain_unconfined($1) + + kernel_unconfined($1) + corenet_unconfined($1) + dev_unconfined($1) + domain_unconfined($1) - domain_dontaudit_read_all_domains_state($1) - domain_dontaudit_ptrace_all_domains($1) - files_unconfined($1) - fs_unconfined($1) - selinux_unconfined($1) + files_unconfined($1) + fs_unconfined($1) + selinux_unconfined($1) + systemd_config_all_services($1) + + domain_mmap_low($1) - + - tunable_policy(`allow_execheap',` + ubac_process_exempt($1) + + tunable_policy(`selinuxuser_execheap',` - # Allow making the stack executable via mprotect. - allow $1 self:process execheap; - ') - + # Allow making the stack executable via mprotect. + allow $1 self:process execheap; + ') + - tunable_policy(`allow_execmem',` + tunable_policy(`deny_execmem',`',` - # Allow making anonymous memory executable, e.g. - # for runtime-code generation or executable stack. - allow $1 self:process execmem; - ') - + # Allow making anonymous memory executable, e.g. + # for runtime-code generation or executable stack. + allow $1 self:process execmem; + ') + - tunable_policy(`allow_execstack',` - # Allow making the stack executable via mprotect; - # execstack implies execmem; @@ -54354,31 +54354,31 @@ index 5ca20a97d..99a38b017 100644 + tunable_policy(`selinuxuser_execstack',` + allow $1 self:process execstack; # auditallow $1 self:process execstack; - ') - + ') + @@ -67,6 +71,8 @@ interface(`unconfined_domain_noaudit',` - ') - - optional_policy(` + ') + + optional_policy(` + # Communicate via dbusd. + dbus_system_bus_unconfined($1) - dbus_unconfined($1) - ') - + dbus_unconfined($1) + ') + 
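Review bot: `domain_mmap_low($1)` is granted unconditionally in `unconfined_domain_noaudit`, while the neighbouring execheap/execmem/execstack grants are each gated by a tunable; mapping pages below `mmap_min_addr` is the classic enabler for NULL-dereference kernel bugs, so it should either be gated, e.g. `tunable_policy(`mmap_low_allowed',` domain_mmap_low($1) ')` if that boolean is defined in this tree, or carry a comment explaining why every unconfined domain gets it. Separately, `tunable_policy(`deny_execmem',`',`` has an empty true branch so the `allow $1 self:process execmem;` rule lives in the else branch; a comment such as `# execmem is granted unless the deny_execmem boolean is on` above it would keep readers from mis-parsing the inverted tunable. Whether these lines are changed by the commit or are context cannot be told from the collapsed markers, and the interface continues into the next hunk.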
@@ -121,9 +127,13 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` + gen_require(` + attribute unconfined_services; -+ ') ++ ') + - unconfined_domain_noaudit($1) - + unconfined_domain_noaudit($1) + - tunable_policy(`allow_execheap',` + tunable_policy(`selinuxuser_execheap',` - auditallow $1 self:process execheap; - ') + auditallow $1 self:process execheap; + ') ') @@ -149,7 +159,7 @@ interface(`unconfined_domain',` ## @@ -54387,7 +54387,7 @@ index 5ca20a97d..99a38b017 100644 - refpolicywarn(`$0($1) has been deprecated.') + refpolicywarn(`$0() has been deprecated.') ') - + ######################################## @@ -175,343 +185,12 @@ interface(`unconfined_alias_domain',` ## @@ -54727,7 +54727,7 @@ index 5ca20a97d..99a38b017 100644 - dontaudit $1 unconfined_t:tcp_socket { read write }; + refpolicywarn(`$0() has been deprecated.') ') - + ######################################## ## -## Create keys for the unconfined domain. @@ -54741,17 +54741,17 @@ index 5ca20a97d..99a38b017 100644 # -interface(`unconfined_create_keys',` +interface(`unconfined_server_stream_connect',` - gen_require(` + gen_require(` - type unconfined_t; + type unconfined_service_t; - ') - + ') + - allow $1 unconfined_t:key create; + files_search_pids($1) + files_write_generic_pid_pipes($1) + allow $1 unconfined_service_t:unix_stream_socket { getattr connectto }; ') - + ######################################## ## -## Send messages to the unconfined domain over dbus. @@ -54765,16 +54765,16 @@ index 5ca20a97d..99a38b017 100644 # -interface(`unconfined_dbus_send',` +interface(`unconfined_server_domtrans',` - gen_require(` + gen_require(` - type unconfined_t; - class dbus send_msg; + type unconfined_service_t; - ') - + ') + - allow $1 unconfined_t:dbus send_msg; + corecmd_bin_domtrans($1, unconfined_service_t) ') - + ######################################## ## -## Send and receive messages from 
@@ -54789,19 +54789,19 @@ index 5ca20a97d..99a38b017 100644 # -interface(`unconfined_dbus_chat',` +interface(`unconfined_server_dbus_chat',` - gen_require(` + gen_require(` - type unconfined_t; - class dbus send_msg; + type unconfined_service_t; + class dbus send_msg; - ') - + ') + - allow $1 unconfined_t:dbus send_msg; - allow unconfined_t $1:dbus send_msg; + allow $1 unconfined_service_t:dbus send_msg; + allow unconfined_service_t $1:dbus send_msg; ') - + ######################################## ## -## Connect to the the unconfined DBUS @@ -54816,12 +54816,12 @@ index 5ca20a97d..99a38b017 100644 # -interface(`unconfined_dbus_connect',` +interface(`unconfined_server_signull',` - gen_require(` + gen_require(` - type unconfined_t; - class dbus acquire_svc; + type unconfined_service_t; - ') - + ') + - allow $1 unconfined_t:dbus acquire_svc; + allow $1 unconfined_service_t:process signull; ') @@ -54832,13 +54832,13 @@ index 5fe902db3..fe649d908 100644 @@ -1,207 +1,33 @@ -policy_module(unconfined, 3.5.1) +policy_module(unconfined, 3.5.0) - + ######################################## # # Declarations # +attribute unconfined_services; - + -# usage in this module of types created by these -# calls is not correct, however we dont currently -# have another method to add access to these types @@ -54850,17 +54850,17 @@ index 5fe902db3..fe649d908 100644 +domain_type(unconfined_service_t) +role system_r types unconfined_service_t; +init_nnp_daemon_domain(unconfined_service_t) - + -type unconfined_exec_t; -init_system_domain(unconfined_t, unconfined_exec_t) +unconfined_domain(unconfined_service_t) - + -type unconfined_execmem_t; -type unconfined_execmem_exec_t; -init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) -role unconfined_r types unconfined_execmem_t; +unconfined_stub_role() - + -######################################## -# -# Local policy 
@@ -54992,7 +54992,7 @@ index 5fe902db3..fe649d908 100644 - rpm_run(unconfined_t, unconfined_r) -') +role unconfined_r types unconfined_service_t; - + -optional_policy(` - samba_run_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) @@ -55016,17 +55016,17 @@ index 5fe902db3..fe649d908 100644 -') +corecmd_bin_entry_type(unconfined_service_t) +corecmd_shell_entry_type(unconfined_service_t) - + optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) + rpm_transition_script(unconfined_service_t, system_r) ') - + optional_policy(` - vpn_run(unconfined_t, unconfined_r) + chronyd_run_chronyc(unconfined_service_t, system_r) ') - + optional_policy(` - webalizer_run(unconfined_t, unconfined_r) -') @@ -55099,22 +55099,22 @@ index 9dc60c6c0..c8efa15c9 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` - ') - - attribute $1_file_type; + ') + + attribute $1_file_type; + attribute $1_usertype; - + - type $1_t, userdomain; + type $1_t, userdomain, $1_usertype; - domain_type($1_t) + domain_type($1_t) + role $1_r; - corecmd_shell_entry_type($1_t) - corecmd_bin_entry_type($1_t) - domain_user_exemption_target($1_t) + corecmd_shell_entry_type($1_t) + corecmd_bin_entry_type($1_t) + domain_user_exemption_target($1_t) @@ -44,79 +46,133 @@ template(`userdom_base_user_template',` - term_user_pty($1_t, user_devpts_t) - - term_user_tty($1_t, user_tty_device_t) + term_user_pty($1_t, user_devpts_t) + + term_user_tty($1_t, user_tty_device_t) - - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; 
@@ -55151,13 +55151,13 @@ index 9dc60c6c0..c8efa15c9 100644 + + allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms }; + term_create_pty($1_usertype, user_devpts_t) - # avoid annoying messages on terminal hangup on role change + # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_devpts_t:chr_file ioctl; + dontaudit $1_usertype user_devpts_t:chr_file ioctl; - + - allow $1_t user_tty_device_t:chr_file { setattr rw_chr_file_perms }; + allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms }; - # avoid annoying messages on terminal hangup on role change + # avoid annoying messages on terminal hangup on role change - dontaudit $1_t user_tty_device_t:chr_file ioctl; - - kernel_read_kernel_sysctls($1_t) @@ -55189,9 +55189,9 @@ index 9dc60c6c0..c8efa15c9 100644 + dev_dontaudit_getattr_all_blk_files($1_usertype) + dev_dontaudit_getattr_all_chr_files($1_usertype) + dev_getattr_mtrr_dev($1_t) - - # When the user domain runs ps, there will be a number of access - # denials when ps tries to search /proc. Do not audit these denials. + + # When the user domain runs ps, there will be a number of access + # denials when ps tries to search /proc. Do not audit these denials. - domain_dontaudit_read_all_domains_state($1_t) - domain_dontaudit_getattr_all_domains($1_t) - domain_dontaudit_getsession_all_domains($1_t) @@ -55212,8 +55212,8 @@ index 9dc60c6c0..c8efa15c9 100644 + files_read_etc_runtime_files($1_usertype) + files_read_usr_files($1_usertype) + files_read_usr_src_files($1_usertype) - # Read directories and files with the readable_t type. - # This type is a general type for "world"-readable files. + # Read directories and files with the readable_t type. + # This type is a general type for "world"-readable files. - files_list_world_readable($1_t) - files_read_world_readable_files($1_t) - files_read_world_readable_symlinks($1_t) 
@@ -55224,7 +55224,7 @@ index 9dc60c6c0..c8efa15c9 100644 + files_read_world_readable_symlinks($1_usertype) + files_read_world_readable_pipes($1_usertype) + files_read_world_readable_sockets($1_usertype) - # old broswer_domain(): + # old broswer_domain(): - files_dontaudit_list_non_security($1_t) - files_dontaudit_getattr_non_security_files($1_t) - files_dontaudit_getattr_non_security_symlinks($1_t) @@ -55249,19 +55249,19 @@ index 9dc60c6c0..c8efa15c9 100644 + + init_stream_connect($1_usertype) + # The library functions always try to open read-write first, -+ # then fall back to read-only if it fails. ++ # then fall back to read-only if it fails. + init_dontaudit_rw_utmp($1_usertype) - + - libs_exec_ld_so($1_t) + libs_exec_ld_so($1_usertype) - + - miscfiles_read_localization($1_t) - miscfiles_read_generic_certs($1_t) - + miscfiles_read_generic_certs($1_t) + - sysnet_read_config($1_t) + miscfiles_read_all_certs($1_usertype) + miscfiles_read_public_files($1_usertype) - + - tunable_policy(`allow_execmem',` + systemd_dbus_chat_logind($1_usertype) + systemd_read_logind_sessions_files($1_usertype) @@ -55270,15 +55270,15 @@ index 9dc60c6c0..c8efa15c9 100644 + systemd_login_read_pid_files($1_usertype) + + tunable_policy(`deny_execmem',`', ` - # Allow loading DSOs that require executable stack. - allow $1_t self:process execmem; - ') - + # Allow loading DSOs that require executable stack. + allow $1_t self:process execmem; + ') + - tunable_policy(`allow_execmem && allow_execstack',` + tunable_policy(`selinuxuser_execstack',` - # Allow making the stack executable via mprotect. - allow $1_t self:process execstack; - ') + # Allow making the stack executable via mprotect. + allow $1_t self:process execstack; + ') + + optional_policy(` + abrt_stream_connect($1_usertype) 
@@ -55287,7 +55287,7 @@ index 9dc60c6c0..c8efa15c9 100644 + optional_policy(` + fs_list_cgroup_dirs($1_usertype) + ') -+ ++ + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_rw_dgram_sockets($1_usertype) @@ -55295,21 +55295,21 @@ index 9dc60c6c0..c8efa15c9 100644 + ssh_signal($1_t) + ') ') - + ####################################### @@ -150,6 +206,8 @@ interface(`userdom_ro_home_role',` - type user_home_t, user_home_dir_t; - ') - + type user_home_t, user_home_dir_t; + ') + + role $1 types { user_home_t user_home_dir_t }; + - ############################## - # - # Domain access to home dir + ############################## + # + # Domain access to home dir @@ -167,27 +225,6 @@ interface(`userdom_ro_home_role',` - read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) - files_list_home($2) - + read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) + files_list_home($2) + - tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs($2) - fs_read_nfs_files($2) @@ -55332,26 +55332,26 @@ index 9dc60c6c0..c8efa15c9 100644 - fs_dontaudit_read_cifs_files($2) - ') ') - + ####################################### @@ -219,8 +256,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` - gen_require(` - type user_home_t, user_home_dir_t; + gen_require(` + type user_home_t, user_home_dir_t; + attribute user_home_type; - ') - + ') + + role $1 types { user_home_type user_home_dir_t }; + - ############################## - # - # Domain access to home dir + ############################## + # + # Domain access to home dir 
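Review bot: In `userdom_base_user_template` the comment `# Allow loading DSOs that require executable stack.` sits inside the else branch of `tunable_policy(`deny_execmem',`', `` whose rule is `allow $1_t self:process execmem;`, while executable stack is governed by the separate `selinuxuser_execstack` tunable immediately below it, so the comment describes the wrong permission; `# Anonymous executable memory (execmem) unless the deny_execmem boolean is on.` would match the rule. The template starts earlier in the file, outside this hunk, and the outer change here appears to be whitespace only.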
@@ -229,46 +269,144 @@ interface(`userdom_manage_home_role',` - type_member $2 user_home_dir_t:dir user_home_dir_t; - - # full control of the home directory + type_member $2 user_home_dir_t:dir user_home_dir_t; + + # full control of the home directory + allow $2 user_home_t:dir mounton; - allow $2 user_home_t:file entrypoint; + allow $2 user_home_t:file entrypoint; - manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) - manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t) 
@@ -55378,38 +55378,38 @@ index 9dc60c6c0..c8efa15c9 100644 + relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type) + userdom_filetrans_home_content($2) + - files_list_home($2) - - # cjp: this should probably be removed: - allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; - - tunable_policy(`use_nfs_home_dirs',` + files_list_home($2) + + # cjp: this should probably be removed: + allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + + tunable_policy(`use_nfs_home_dirs',` + fs_mount_nfs($2) + fs_mounton_nfs($2) - fs_manage_nfs_dirs($2) - fs_manage_nfs_files($2) - fs_manage_nfs_symlinks($2) - fs_manage_nfs_named_sockets($2) - fs_manage_nfs_named_pipes($2) + fs_manage_nfs_dirs($2) + fs_manage_nfs_files($2) + fs_manage_nfs_symlinks($2) + fs_manage_nfs_named_sockets($2) + fs_manage_nfs_named_pipes($2) - ',` - fs_dontaudit_manage_nfs_dirs($2) - fs_dontaudit_manage_nfs_files($2) - ') - - tunable_policy(`use_samba_home_dirs',` + ') + + tunable_policy(`use_samba_home_dirs',` + fs_mount_cifs($2) + fs_mounton_cifs($2) - fs_manage_cifs_dirs($2) - fs_manage_cifs_files($2) - fs_manage_cifs_symlinks($2) - fs_manage_cifs_named_sockets($2) - fs_manage_cifs_named_pipes($2) + fs_manage_cifs_dirs($2) + fs_manage_cifs_files($2) + fs_manage_cifs_symlinks($2) + fs_manage_cifs_named_sockets($2) + fs_manage_cifs_named_pipes($2) - ',` - fs_dontaudit_manage_cifs_dirs($2) - fs_dontaudit_manage_cifs_files($2) - ') + ') ') - + +####################################### +## +## Manage user temporary files @@ -55511,15 +55511,15 @@ index 9dc60c6c0..c8efa15c9 100644 
@@ -287,17 +425,65 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` - gen_require(` + gen_require(` + attribute user_tmp_type; - type user_tmp_t; - ') - + type user_tmp_t; + ') + + role $1 types user_tmp_t; + - files_poly_member_tmp($2, user_tmp_t) - + files_poly_member_tmp($2, user_tmp_t) + - manage_dirs_pattern($2, user_tmp_t, user_tmp_t) - manage_files_pattern($2, user_tmp_t, user_tmp_t) - manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t) @@ -55531,7 +55531,7 @@ index 9dc60c6c0..c8efa15c9 100644 + manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) + manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) + manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) - files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) + relabel_files_pattern($2, user_tmp_type, user_tmp_type) @@ -55577,16 +55577,16 @@ index 9dc60c6c0..c8efa15c9 100644 + exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) + files_search_home($1) ') - + ####################################### @@ -317,9 +503,29 @@ interface(`userdom_exec_user_tmp_files',` - ') - - exec_files_pattern($1, user_tmp_t, user_tmp_t) + ') + + exec_files_pattern($1, user_tmp_t, user_tmp_t) + dontaudit $1 user_tmp_t:sock_file execute; - files_search_tmp($1) + files_search_tmp($1) ') - + +####################################### +## +## Manage user temporary file system files @@ -55626,7 +55626,7 @@ index 9dc60c6c0..c8efa15c9 100644 + refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.') + userdom_manage_tmp_role($1,$2) ') - + ####################################### ## -## The template allowing the user basic 
@@ -55638,7 +55638,7 @@ index 9dc60c6c0..c8efa15c9 100644 ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -+## The user domain ++## The user domain ## ## ## @@ -55648,12 +55648,12 @@ index 9dc60c6c0..c8efa15c9 100644 - type $1_t; - ') +interface(`userdom_basic_networking',` - + - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; - + - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) @@ -55674,86 +55674,86 @@ index 9dc60c6c0..c8efa15c9 100644 + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_connect_all_ports($1) + corenet_sendrecv_all_client_packets($1) - - optional_policy(` + + optional_policy(` - init_tcp_recvfrom_all_daemons($1_t) - init_udp_recvfrom_all_daemons($1_t) + init_tcp_recvfrom_all_daemons($1) + init_udp_recvfrom_all_daemons($1) - ') - - optional_policy(` + ') + + optional_policy(` - ipsec_match_default_spd($1_t) + ipsec_match_default_spd($1) - ') + ') + ') - + ####################################### @@ -431,6 +622,7 @@ template(`userdom_xwindows_client_template',` - dev_dontaudit_rw_dri($1_t) - # GNOME checks for usb and other devices: - dev_rw_usbfs($1_t) + dev_dontaudit_rw_dri($1_t) + # GNOME checks for usb and other devices: + dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_t) - - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) - xserver_xsession_entry_type($1_t) + + xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) + xserver_xsession_entry_type($1_t) @@ -463,8 +655,8 @@ template(`userdom_change_password_template',` - ') - - optional_policy(` + ') + + optional_policy(` - usermanage_run_chfn($1_t, $1_r) - usermanage_run_passwd($1_t, $1_r) + usermanage_run_chfn($1_t,$1_r) + usermanage_run_passwd($1_t,$1_r) - ') + ') ') - + 
@@ -491,51 +683,69 @@ template(`userdom_common_user_template',` - attribute unpriv_userdomain; - ') - + attribute unpriv_userdomain; + ') + - userdom_basic_networking_template($1) + userdom_basic_networking($1_usertype) + corenet_all_recvfrom_netlabel($1_t) - - ############################## - # - # User domain Local policy - # + + ############################## + # + # User domain Local policy + # + allow $1_t self:packet_socket create_socket_perms; - - # evolution and gnome-session try to create a netlink socket - dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + + # evolution and gnome-session try to create a netlink socket + dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:socket create_socket_perms; - + - allow $1_t unpriv_userdomain:fd use; + allow $1_usertype unpriv_userdomain:fd use; - - kernel_read_system_state($1_t) + + kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_net_sysctls($1_t) + kernel_read_network_state($1_usertype) + kernel_read_software_raid_state($1_usertype) + kernel_read_net_sysctls($1_usertype) + kernel_read_afs_state($1_usertype) - # Very permissive allowing every domain to see every type: + # Very permissive allowing every domain to see every type: - kernel_get_sysvipc_info($1_t) + kernel_get_sysvipc_info($1_usertype) - # Find CDROM devices: + # Find CDROM devices: - kernel_read_device_sysctls($1_t) - - corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + 
kernel_request_load_module($1_usertype) - + - corenet_udp_bind_generic_node($1_t) - corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) - + - dev_read_rand($1_t) - dev_write_sound($1_t) - dev_read_sound($1_t) @@ -55764,15 +55764,15 @@ index 9dc60c6c0..c8efa15c9 100644 + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) - + - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) + files_search_locks($1_usertype) - # Check to see if cdrom is mounted + # Check to see if cdrom is mounted - files_search_mnt($1_t) + files_search_mnt($1_usertype) - # cjp: perhaps should cut back on file reads: + # cjp: perhaps should cut back on file reads: - files_read_var_files($1_t) - files_read_var_symlinks($1_t) - files_read_generic_spool($1_t) @@ -55781,7 +55781,7 @@ index 9dc60c6c0..c8efa15c9 100644 + files_read_var_symlinks($1_usertype) + files_read_generic_spool($1_usertype) + files_read_var_lib_files($1_usertype) - # Stat lost+found. + # Stat lost+found. - files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) + files_read_config_files($1_usertype) @@ -55791,7 +55791,7 @@ index 9dc60c6c0..c8efa15c9 100644 + + application_getattr_socket($1_usertype) + - + - fs_rw_cgroup_files($1_t) + ifdef(`enable_mls',` + init_rw_tcp_sockets($1_t) @@ -55800,16 +55800,16 @@ index 9dc60c6c0..c8efa15c9 100644 + logging_send_syslog_msg($1_t) + + selinux_get_enforce_mode($1_t) - - # cjp: some of this probably can be removed - selinux_get_fs_mount($1_t) + + # cjp: some of this probably can be removed + selinux_get_fs_mount($1_t) 
@@ -546,93 +756,141 @@ template(`userdom_common_user_template',` - selinux_compute_user_contexts($1_t) - - # for eject + selinux_compute_user_contexts($1_t) + + # for eject - storage_getattr_fixed_disk_dev($1_t) + storage_getattr_fixed_disk_dev($1_usertype) - + - auth_use_nsswitch($1_t) - auth_read_login_records($1_t) - auth_search_pam_console_data($1_t) @@ -55819,24 +55819,24 @@ index 9dc60c6c0..c8efa15c9 100644 + auth_run_pam_timestamp($1_t,$1_r) + auth_run_utempter($1_t,$1_r) + auth_filetrans_admin_home_content($1_t) - + - init_read_utmp($1_t) + init_read_utmp($1_usertype) - + - seutil_read_file_contexts($1_t) - seutil_read_default_contexts($1_t) - seutil_run_newrole($1_t, $1_r) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_run_newrole($1_t,$1_r) - seutil_exec_checkpolicy($1_t) + seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) + seutil_exec_setfiles($1_usertype) - # for when the network connection is killed - # this is needed when a login role can change - # to this one. - seutil_dontaudit_signal_newrole($1_t) - + # for when the network connection is killed + # this is needed when a login role can change + # to this one. + seutil_dontaudit_signal_newrole($1_t) + - tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) - ') 
@@ -55845,34 +55845,34 @@ index 9dc60c6c0..c8efa15c9 100644 + optional_policy(` + afs_read_config($1_t) + ') - + - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_ttys($1_t) + optional_policy(` + # Allow graphical boot to check battery lifespan + apm_stream_connect($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") - alsa_manage_home_files($1_t) - alsa_read_rw_config($1_t) - alsa_relabel_home_files($1_t) + chrome_role($1_r, $1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + canna_stream_connect($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - canna_stream_connect($1_t) + colord_read_lib_files($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - dbus_system_bus_client($1_t) + dbus_system_bus_client($1_usertype) + @@ -55913,13 +55913,13 @@ index 9dc60c6c0..c8efa15c9 100644 + optional_policy(` + gnome_dbus_chat_gconfdefault($1_usertype) + ') - - optional_policy(` + + optional_policy(` - bluetooth_dbus_chat($1_t) + hal_dbus_chat($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - consolekit_dbus_chat($1_t) + hwloc_exec_dhwd($1_t) + hwloc_read_runtime_files($1_t) 
@@ -55927,49 +55927,49 @@ index 9dc60c6c0..c8efa15c9 100644 + + optional_policy(` + kde_dbus_chat_backlighthelper($1_usertype) - ') - + ') + + optional_policy(` + memcached_stream_connect($1_usertype) + ') + - optional_policy(` + optional_policy(` - cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - hal_dbus_chat($1_t) + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - networkmanager_dbus_chat($1_t) + policykit_dbus_chat($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - policykit_dbus_chat($1_t) + vpn_dbus_chat($1_usertype) - ') - ') - - optional_policy(` + ') + ') + + optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_role($1_r, $1_t) - ') - - optional_policy(` + ') + + optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") @@ -55980,95 +55980,95 @@ index 9dc60c6c0..c8efa15c9 100644 + + optional_policy(` + lircd_stream_connect($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` 
@@ -642,23 +900,21 @@ template(`userdom_common_user_template',` - optional_policy(` - mpd_manage_user_data_content($1_t) - mpd_relabel_user_data_content($1_t) + optional_policy(` + mpd_manage_user_data_content($1_t) + mpd_relabel_user_data_content($1_t) + mpd_stream_connect($1_t) - ') - - # for running depmod as part of the kernel packaging process - optional_policy(` + ') + + # for running depmod as part of the kernel packaging process + optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - mta_rw_spool($1_t) + mta_rw_spool($1_usertype) + mta_manage_queue($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - mysql_manage_mysqld_home_files($1_t) - mysql_relabel_mysqld_home_files($1_t) - mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf") - - tunable_policy(`allow_user_mysql_connect',` + tunable_policy(`selinuxuser_mysql_connect_enabled',` - mysql_stream_connect($1_t) - ') - ') + mysql_stream_connect($1_t) + ') + ') @@ -671,7 +927,7 @@ template(`userdom_common_user_template',` - - optional_policy(` - # to allow monitoring of pcmcia status + + optional_policy(` + # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) + pcmcia_read_pid($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` @@ -680,9 +936,9 @@ template(`userdom_common_user_template',` - ') - - optional_policy(` + ') + + optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) + tunable_policy(`selinuxuser_postgresql_connect_enabled',` + postgresql_stream_connect($1_usertype) + postgresql_tcp_connect($1_usertype) - ') - ') - + ') + ') + 
@@ -693,32 +949,35 @@ template(`userdom_common_user_template',` - ') - - optional_policy(` + ') + + optional_policy(` - resmgr_stream_connect($1_t) + resmgr_stream_connect($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) + rpc_dontaudit_getattr_exports($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - samba_stream_connect_winbind($1_t) + rpcbind_stream_connect($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - slrnpull_search_spool($1_t) + samba_stream_connect_winbind($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - usernetctl_run($1_t, $1_r) + sandbox_transition($1_usertype, $1_r) - ') - - optional_policy(` + ') + + optional_policy(` - virt_home_filetrans_virt_home($1_t, dir, ".libvirt") - virt_home_filetrans_virt_home($1_t, dir, ".virtinst") - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") -- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") +- virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") + seunshare_role_template($1, $1_r, $1_t) + ') + @@ -56078,29 +56078,29 @@ index 9dc60c6c0..c8efa15c9 100644 + + optional_policy(` + thumb_role($1_r, $1_usertype) - ') + ') ') - + 
@@ -743,17 +1002,32 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` - gen_require(` - class context contains; + gen_require(` + class context contains; + attribute login_userdomain; - ') - - userdom_base_user_template($1) - + ') + + userdom_base_user_template($1) + + typeattribute $1_t login_userdomain; + - userdom_manage_home_role($1_r, $1_t) - + userdom_manage_home_role($1_r, $1_t) + - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) - + - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content',` @@ -56115,53 +56115,53 @@ index 9dc60c6c0..c8efa15c9 100644 + fs_exec_cifs_files($1_usertype) + ') + ') - - userdom_change_password_template($1) - + + userdom_change_password_template($1) + 
@@ -761,86 +1035,118 @@ template(`userdom_login_user_template', ` - # - # User domain Local policy - # + # + # User domain Local policy + # - - allow $1_t self:capability { setgid chown fowner }; - dontaudit $1_t self:capability { sys_nice fsetid }; + dontaudit $1_t self:capability { sys_nice fsetid }; + allow $1_t self:process ~{ ptrace execmem execstack execheap }; + + tunable_policy(`selinuxuser_use_ssh_chroot',` + allow $1_t self:capability { setuid setgid sys_chroot }; + ') - + - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; - dontaudit $1_t self:process setrlimit; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + dontaudit $1_t self:process setrlimit; + dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; + domain_dyntrans_type($1_t) - - allow $1_t self:context contains; - + + allow $1_t self:context contains; + - kernel_dontaudit_read_system_state($1_t) + kernel_dontaudit_read_system_state($1_usertype) + kernel_dontaudit_list_all_proc($1_usertype) - + - dev_read_sysfs($1_t) - dev_read_urand($1_t) + dev_read_sysfs($1_usertype) + dev_read_rand($1_usertype) + dev_read_urand($1_usertype) - + - domain_use_interactive_fds($1_t) + domain_use_interactive_fds($1_usertype) - # Command completion can fire hundreds of denials + # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_t) + domain_dontaudit_exec_all_entry_files($1_usertype) - + - files_dontaudit_list_default($1_t) - files_dontaudit_read_default_files($1_t) + files_dontaudit_list_default($1_usertype) + files_dontaudit_read_default_files($1_usertype) - # Stat lost+found. + # Stat lost+found. 
- files_getattr_lost_found_dirs($1_t) + files_getattr_lost_found_dirs($1_usertype) - + - fs_get_all_fs_quotas($1_t) - fs_getattr_all_fs($1_t) - fs_getattr_all_dirs($1_t) 
@@ -56175,77 +56175,77 @@ index 9dc60c6c0..c8efa15c9 100644 + fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) - + + auth_role($1_r, $1_t) + auth_create_cache($1_t) + auth_rw_cache($1_t) + auth_search_pam_console_data($1_t) + auth_dontaudit_read_login_records($1_t) - auth_dontaudit_write_login_records($1_t) - - application_exec_all($1_t) + auth_dontaudit_write_login_records($1_t) + + application_exec_all($1_t) - - # The library functions always try to open read-write first, - # then fall back to read-only if it fails. - init_dontaudit_rw_utmp($1_t) + # The library functions always try to open read-write first, + # then fall back to read-only if it fails. + init_dontaudit_rw_utmp($1_t) + - # Stop warnings about access to /dev/console + # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) + init_dontaudit_use_fds($1_usertype) + init_dontaudit_use_script_fds($1_usertype) - + - libs_exec_lib_files($1_t) + libs_exec_lib_files($1_usertype) - + - logging_dontaudit_getattr_all_logs($1_t) + logging_dontaudit_getattr_all_logs($1_usertype) - + - miscfiles_read_man_pages($1_t) - # for running TeX programs + # for running TeX programs - miscfiles_read_tetex_data($1_t) - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) - + - seutil_read_config($1_t) + seutil_read_config($1_usertype) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) - - optional_policy(` + + optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - kerberos_use($1_t) + kerberos_use($1_usertype) + init_write_key($1_usertype) - ') - - optional_policy(` + ') + + 
optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) + mysql_filetrans_named_content($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - quota_dontaudit_getattr_db($1_t) + mta_dontaudit_read_spool_symlinks($1_usertype) - ') - - optional_policy(` + ') + + optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) + quota_dontaudit_getattr_db($1_usertype) - ') + ') -') - + -####################################### + optional_policy(` + rpm_read_db($1_usertype) @@ -56276,24 +56276,24 @@ index 9dc60c6c0..c8efa15c9 100644 ## The template for creating a unprivileged login user. ## @@ -868,6 +1174,12 @@ template(`userdom_restricted_user_template',` - typeattribute $1_t unpriv_userdomain; - domain_interactive_fd($1_t) - + typeattribute $1_t unpriv_userdomain; + domain_interactive_fd($1_t) + + allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; + + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) + - ############################## - # - # Local policy + ############################## + # + # Local policy @@ -907,53 +1219,137 @@ template(`userdom_restricted_xwindows_user_template',` - # - # Local policy - # + # + # Local policy + # + kernel_stream_connect($1_usertype) - + - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) - @@ -56301,7 +56301,7 @@ index 9dc60c6c0..c8efa15c9 100644 - dev_write_sound($1_t) + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) - # gnome keyring wants to read this. + # gnome keyring wants to read this. - dev_dontaudit_read_rand($1_t) + dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this 
@@ -56326,20 +56326,20 @@ index 9dc60c6c0..c8efa15c9 100644 + storage_raw_read_removable_device($1_usertype) + storage_raw_write_removable_device($1_usertype) + ') - - logging_send_syslog_msg($1_t) - logging_dontaudit_send_audit_msgs($1_t) - - # Need to to this just so screensaver will work. Should be moved to screensaver domain + + logging_send_syslog_msg($1_t) + logging_dontaudit_send_audit_msgs($1_t) + + # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) - selinux_get_enforce_mode($1_t) + selinux_get_enforce_mode($1_t) + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) - - xserver_restricted_role($1_r, $1_t) - - optional_policy(` + + xserver_restricted_role($1_r, $1_t) + + optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) + ') @@ -56354,9 +56354,9 @@ index 9dc60c6c0..c8efa15c9 100644 + + optional_policy(` + obex_role($1_r, $1_t, $1) - ') - - optional_policy(` + ') + + optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) + dbus_role_template($1, $1_r, $1_usertype) @@ -56387,27 +56387,27 @@ index 9dc60c6c0..c8efa15c9 100644 + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) + ') - - optional_policy(` + + optional_policy(` - consolekit_dbus_chat($1_t) + fprintd_dbus_chat($1_t) - ') - - optional_policy(` + ') + + optional_policy(` - cups_dbus_chat($1_t) + realmd_dbus_chat($1_t) - ') - - optional_policy(` - gnome_role_template($1, $1_r, $1_t) + ') + + optional_policy(` + gnome_role_template($1, $1_r, $1_t) + ') + + optional_policy(` - wm_role_template($1, $1_r, $1_t) - ') - ') - - optional_policy(` + wm_role_template($1, $1_r, $1_t) + ') + ') + + optional_policy(` - java_role($1_r, $1_t) + policykit_role($1_r, $1_usertype) + ') 
@@ -56423,11 +56423,11 @@ index 9dc60c6c0..c8efa15c9 100644 + + optional_policy(` + systemd_filetrans_home_content($1_usertype) - ') - - optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') + ') + + optional_policy(` + setroubleshoot_dontaudit_stream_connect($1_t) + ') + + optional_policy(` + udev_read_db($1_usertype) @@ -56437,20 +56437,20 @@ index 9dc60c6c0..c8efa15c9 100644 + xserver_xdm_ioctl_log($1_t) + ') ') - + ####################################### @@ -987,27 +1383,39 @@ template(`userdom_unpriv_user_template', ` - # - - # Inherit rules for ordinary users. + # + + # Inherit rules for ordinary users. - userdom_restricted_user_template($1) + userdom_restricted_xwindows_user_template($1) - userdom_common_user_template($1) - - ############################## - # - # Local policy - # + userdom_common_user_template($1) + + ############################## + # + # Local policy + # + allow $1_t self:capability { setgid chown fowner }; + allow $1_t self:bluetooth_socket create_socket_perms; + allow $1_t self:alg_socket create_socket_perms; 
@@ -56460,33 +56460,33 @@ index 9dc60c6c0..c8efa15c9 100644 + dontaudit $1_t self:netlink_selinux_socket create_socket_perms; + + corecmd_exec_chroot($1_t) - - # port access is audited even if dac would not have allowed it, so dontaudit it here + + # port access is audited even if dac would not have allowed it, so dontaudit it here - corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) +# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) - # Need the following rule to allow users to run vpnc - corenet_tcp_bind_xserver_port($1_t) + # Need the following rule to allow users to run vpnc + corenet_tcp_bind_xserver_port($1_t) + corenet_tcp_bind_generic_node($1_usertype) + + storage_rw_fuse($1_t) - - files_exec_usr_files($1_t) + + files_exec_usr_files($1_t) - # cjp: why? + # cjp: why? - files_read_kernel_symbol_table($1_t) - - ifndef(`enable_mls',` - fs_exec_noxattr($1_t) - + files_read_kernel_symbol_table($1_t) + + ifndef(`enable_mls',` + fs_exec_noxattr($1_t) + - tunable_policy(`user_rw_noexattrfile',` + tunable_policy(`selinuxuser_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - # Write floppies + fs_manage_noxattr_fs_files($1_t) + fs_manage_noxattr_fs_dirs($1_t) + # Write floppies @@ -1018,23 +1426,63 @@ template(`userdom_unpriv_user_template', ` - ') - ') - + ') + ') + - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` 
@@ -56495,10 +56495,10 @@ index 9dc60c6c0..c8efa15c9 100644 + miscfiles_read_hwdata($1_usertype) + + fs_mounton_fusefs($1_usertype) - - # Allow users to run TCP servers (bind to ports and accept connection from - # the same domain and outside users) disabling this forces FTP passive mode - # and may change other protocols + + # Allow users to run TCP servers (bind to ports and accept connection from + # the same domain and outside users) disabling this forces FTP passive mode + # and may change other protocols - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) @@ -56543,9 +56543,9 @@ index 9dc60c6c0..c8efa15c9 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) - ') - - optional_policy(` + ') + + optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) + wine_role_template($1, $1_r, $1_t) @@ -56554,43 +56554,43 @@ index 9dc60c6c0..c8efa15c9 100644 + optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) - ') - - # Run pppd in pppd_t by default for user + ') + + # Run pppd in pppd_t by default for user @@ -1043,7 +1491,9 @@ template(`userdom_unpriv_user_template', ` - ') - - optional_policy(` + ') + + optional_policy(` - setroubleshoot_stream_connect($1_t) + vdagent_getattr_log($1_t) + vdagent_getattr_exec_files($1_t) + vdagent_stream_connect($1_t) - ') + ') ') - + @@ -1079,7 +1529,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` - gen_require(` - attribute admindomain; + gen_require(` + attribute admindomain; - class passwd { passwd chfn chsh rootok }; + attribute confined_admindomain; + + class passwd { passwd chfn chsh rootok crontab }; - ') - - ############################## + ') + + ############################## 
@@ -1095,6 +1547,7 @@ template(`userdom_admin_user_template',` - role system_r types $1_t; - - typeattribute $1_t admindomain; + role system_r types $1_t; + + typeattribute $1_t admindomain; + typeattribute $1_t confined_admindomain; - - ifdef(`direct_sysadm_daemon',` - domain_system_change_exemption($1_t) + + ifdef(`direct_sysadm_daemon',` + domain_system_change_exemption($1_t) @@ -1105,14 +1558,18 @@ template(`userdom_admin_user_template',` - # $1_t local policy - # - + # $1_t local policy + # + - allow $1_t self:capability ~{ sys_module audit_control audit_write }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; @@ -56611,112 +56611,112 @@ index 9dc60c6c0..c8efa15c9 100644 + allow $1_t self:bluetooth_socket create_socket_perms; + allow $1_t self:alg_socket create_socket_perms; + allow $1_t self:dccp_socket create_socket_perms; - - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) + + kernel_read_software_raid_state($1_t) + kernel_getattr_core_if($1_t) @@ -1120,6 +1577,7 @@ template(`userdom_admin_user_template',` - kernel_change_ring_buffer_level($1_t) - kernel_clear_ring_buffer($1_t) - kernel_read_ring_buffer($1_t) + kernel_change_ring_buffer_level($1_t) + kernel_clear_ring_buffer($1_t) + kernel_read_ring_buffer($1_t) + kernel_read_afs_state($1_t) - kernel_get_sysvipc_info($1_t) - kernel_rw_all_sysctls($1_t) - # signal unlabeled processes: + kernel_get_sysvipc_info($1_t) + kernel_rw_all_sysctls($1_t) + # signal unlabeled processes: @@ -1128,6 +1586,8 @@ template(`userdom_admin_user_template',` - kernel_sigstop_unlabeled($1_t) - kernel_signull_unlabeled($1_t) - kernel_sigchld_unlabeled($1_t) + kernel_sigstop_unlabeled($1_t) + kernel_signull_unlabeled($1_t) + kernel_sigchld_unlabeled($1_t) + kernel_signal($1_t) + kernel_stream_connect($1_t) - - corenet_tcp_bind_generic_port($1_t) - # allow setting up tunnels + + corenet_tcp_bind_generic_port($1_t) + # allow setting up tunnels 
@@ -1145,10 +1605,15 @@ template(`userdom_admin_user_template',` - dev_rename_all_blk_files($1_t) - dev_rename_all_chr_files($1_t) - dev_create_generic_symlinks($1_t) + dev_rename_all_blk_files($1_t) + dev_rename_all_chr_files($1_t) + dev_create_generic_symlinks($1_t) + dev_rw_generic_usb_dev($1_t) + dev_rw_usbfs($1_t) + dev_read_kmsg($1_t) + dev_read_cpuid($1_t) - - domain_setpriority_all_domains($1_t) - domain_read_all_domains_state($1_t) - domain_getattr_all_domains($1_t) + + domain_setpriority_all_domains($1_t) + domain_read_all_domains_state($1_t) + domain_getattr_all_domains($1_t) + domain_getcap_all_domains($1_t) - domain_dontaudit_ptrace_all_domains($1_t) - # signal all domains: - domain_kill_all_domains($1_t) + domain_dontaudit_ptrace_all_domains($1_t) + # signal all domains: + domain_kill_all_domains($1_t) 
@@ -1159,29 +1624,40 @@ template(`userdom_admin_user_template',` - domain_sigchld_all_domains($1_t) - # for lsof - domain_getattr_all_sockets($1_t) + domain_sigchld_all_domains($1_t) + # for lsof + domain_getattr_all_sockets($1_t) + domain_dontaudit_getattr_all_sockets($1_t) - - files_exec_usr_src_files($1_t) - - fs_getattr_all_fs($1_t) + + files_exec_usr_src_files($1_t) + + fs_getattr_all_fs($1_t) + fs_getattr_all_files($1_t) + fs_list_all($1_t) - fs_set_all_quotas($1_t) - fs_exec_noxattr($1_t) - - storage_raw_read_removable_device($1_t) - storage_raw_write_removable_device($1_t) + fs_set_all_quotas($1_t) + fs_exec_noxattr($1_t) + + storage_raw_read_removable_device($1_t) + storage_raw_write_removable_device($1_t) + storage_dontaudit_read_fixed_disk($1_t) - + - term_use_all_terms($1_t) + term_use_all_inherited_terms($1_t) + term_use_unallocated_ttys($1_t) - - auth_getattr_shadow($1_t) - # Manage almost all files + + auth_getattr_shadow($1_t) + # Manage almost all files - files_manage_non_auth_files($1_t) + files_manage_non_security_dirs($1_t) + files_manage_non_security_files($1_t) - # Relabel almost all files + # Relabel almost all files - files_relabel_non_auth_files($1_t) + files_relabel_non_security_files($1_t) + + files_mounton_rootfs($1_t) - - init_telinit($1_t) - - logging_send_syslog_msg($1_t) - + + init_telinit($1_t) + + logging_send_syslog_msg($1_t) + - modutils_domtrans_insmod($1_t) + optional_policy(` + modutils_domtrans_insmod($1_t) + modutils_domtrans_depmod($1_t) + ') - - # The following rule is temporary until such time that a complete - # policy management infrastructure is in place so that an administrator + + # The following rule is temporary until such time that a complete + # policy management infrastructure is in place so that an administrator 
@@ -1191,6 +1667,8 @@ template(`userdom_admin_user_template',` - # But presently necessary for installing the file_contexts file. - seutil_manage_bin_policy($1_t) - + # But presently necessary for installing the file_contexts file. + seutil_manage_bin_policy($1_t) + + systemd_config_all_services($1_t) + - userdom_manage_user_home_content_dirs($1_t) - userdom_manage_user_home_content_files($1_t) - userdom_manage_user_home_content_symlinks($1_t) + userdom_manage_user_home_content_dirs($1_t) + userdom_manage_user_home_content_files($1_t) + userdom_manage_user_home_content_symlinks($1_t) @@ -1198,13 +1676,30 @@ template(`userdom_admin_user_template',` - userdom_manage_user_home_content_sockets($1_t) - userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) - + userdom_manage_user_home_content_sockets($1_t) + userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) + - tunable_policy(`user_rw_noexattrfile',` + tunable_policy(`selinuxuser_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) - fs_manage_noxattr_fs_dirs($1_t) - ',` - fs_read_noxattr_fs_files($1_t) - ') - + fs_manage_noxattr_fs_files($1_t) + fs_manage_noxattr_fs_dirs($1_t) + ',` + fs_read_noxattr_fs_files($1_t) + ') + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_t) + ') -+ ++ + tunable_policy(`selinuxuser_udp_server',` + corenet_udp_bind_all_unreserved_ports($1_t) + ') @@ -56730,13 +56730,13 @@ index 9dc60c6c0..c8efa15c9 100644 + abrt_run_helper($1_t, $1_r) + ') + - optional_policy(` - postgresql_unconfined($1_t) - ') + optional_policy(` + postgresql_unconfined($1_t) + ') @@ -1212,6 +1707,12 @@ template(`userdom_admin_user_template',` - optional_policy(` - userhelper_exec($1_t) - ') + optional_policy(` + userhelper_exec($1_t) + ') + + optional_policy(` + vdagent_getattr_log($1_t) 
@@ -56744,7 +56744,7 @@ index 9dc60c6c0..c8efa15c9 100644 + vdagent_stream_connect($1_t) + ') ') - + ######################################## @@ -1240,8 +1741,10 @@ template(`userdom_admin_user_template',` ## @@ -56756,34 +56756,34 @@ index 9dc60c6c0..c8efa15c9 100644 + allow $1 self:capability { audit_control dac_read_search dac_override }; + + allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms }; - - corecmd_exec_shell($1) - + + corecmd_exec_shell($1) + @@ -1250,6 +1753,8 @@ template(`userdom_security_admin_template',` - dev_relabel_all_dev_nodes($1) - - files_create_boot_flag($1) + dev_relabel_all_dev_nodes($1) + + files_create_boot_flag($1) + files_create_default_dir($1) + files_root_filetrans_default($1, dir) - - # Necessary for managing /boot/efi - fs_manage_dos_files($1) + + # Necessary for managing /boot/efi + fs_manage_dos_files($1) @@ -1262,8 +1767,10 @@ template(`userdom_security_admin_template',` - selinux_set_enforce_mode($1) - selinux_set_all_booleans($1) - selinux_set_parameters($1) + selinux_set_enforce_mode($1) + selinux_set_all_booleans($1) + selinux_set_parameters($1) + selinux_read_policy($1) + + files_relabel_all_files($1) - + - files_relabel_non_auth_files($1) - auth_relabel_shadow($1) - - init_exec($1) + auth_relabel_shadow($1) + + init_exec($1) @@ -1274,29 +1781,31 @@ template(`userdom_security_admin_template',` - logging_read_audit_config($1) - - seutil_manage_bin_policy($1) + logging_read_audit_config($1) + + seutil_manage_bin_policy($1) - seutil_run_checkpolicy($1, $2) - seutil_run_loadpolicy($1, $2) - seutil_run_semanage($1, $2) 
@@ -56796,51 +56796,51 @@ index 9dc60c6c0..c8efa15c9 100644 + seutil_run_loadpolicy($1,$2) + seutil_run_semanage($1,$2) + seutil_run_setsebool($1,$2) - seutil_run_setfiles($1, $2) - - optional_policy(` + seutil_run_setfiles($1, $2) + + optional_policy(` - aide_run($1, $2) + aide_run($1,$2) - ') - - optional_policy(` - consoletype_exec($1) - ') - + ') + + optional_policy(` + consoletype_exec($1) + ') + - optional_policy(` - dmesg_exec($1) - ') - - optional_policy(` - ipsec_run_setkey($1, $2) -+ optional_policy(` ++ optional_policy(` + ipsec_run_setkey($1,$2) - ') - - optional_policy(` + ') + + optional_policy(` - netlabel_run_mgmt($1, $2) + netlabel_run_mgmt($1,$2) - ') - - optional_policy(` + ') + + optional_policy(` @@ -1357,14 +1866,17 @@ interface(`userdom_user_home_content',` - gen_require(` - attribute user_home_content_type; - type user_home_t; + gen_require(` + attribute user_home_content_type; + type user_home_t; + attribute user_home_type; - ') - - typeattribute $1 user_home_content_type; - - allow $1 user_home_t:filesystem associate; - files_type($1) + ') + + typeattribute $1 user_home_content_type; + + allow $1 user_home_t:filesystem associate; + files_type($1) - files_poly_member($1) - ubac_constrained($1) + ubac_constrained($1) + + files_poly_member($1) + typeattribute $1 user_home_type; ') - + ######################################## @@ -1397,10 +1909,49 @@ interface(`userdom_user_tmp_file',` ## @@ -56870,9 +56870,9 @@ index 9dc60c6c0..c8efa15c9 100644 + typeattribute $1 user_tmp_type; + + files_tmp_file($1) - ubac_constrained($1) + ubac_constrained($1) ') - + +######################################## +## +## Make the specified type usable in a @@ -56894,13 +56894,13 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Allow domain to attach to TUN devices created by administrative users. 
@@ -1509,9 +2060,29 @@ interface(`userdom_search_user_home_dirs',` - ') - - allow $1 user_home_dir_t:dir search_dir_perms; + ') + + allow $1 user_home_dir_t:dir search_dir_perms; + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; - files_search_home($1) + files_search_home($1) ') - + +######################################## +## +## Search user tmp directories. @@ -56924,9 +56924,9 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Do not audit attempts to search user home directories. @@ -1555,6 +2126,14 @@ interface(`userdom_list_user_home_dirs',` - - allow $1 user_home_dir_t:dir list_dir_perms; - files_search_home($1) + + allow $1 user_home_dir_t:dir list_dir_perms; + files_search_home($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) @@ -56936,24 +56936,24 @@ index 9dc60c6c0..c8efa15c9 100644 + fs_list_cifs($1) + ') ') - + ######################################## @@ -1570,9 +2149,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` - gen_require(` - type user_home_dir_t; + gen_require(` + type user_home_dir_t; + type user_home_t; - ') - - dontaudit $1 user_home_dir_t:dir list_dir_perms; + ') + + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_t:dir list_dir_perms; ') - + ######################################## @@ -1611,6 +2192,24 @@ interface(`userdom_manage_user_home_dirs',` - allow $1 user_home_dir_t:dir manage_dir_perms; + allow $1 user_home_dir_t:dir manage_dir_perms; ') - + +######################################## +## +## Create user home directories. @@ -56976,9 +56976,9 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Relabel to user home directories. @@ -1629,6 +2228,59 @@ interface(`userdom_relabelto_user_home_dirs',` - allow $1 user_home_dir_t:dir relabelto; + allow $1 user_home_dir_t:dir relabelto; ') - + +######################################## +## +## Relabel to user home files. @@ -57038,35 +57038,35 @@ index 9dc60c6c0..c8efa15c9 100644 
@@ -1704,10 +2356,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` - gen_require(` + gen_require(` - type user_home_t; + attribute user_home_type; - ') - + ') + - dontaudit $1 user_home_t:dir search_dir_perms; + dontaudit $1 user_home_type:dir search_dir_perms; + fs_dontaudit_list_nfs($1) + fs_dontaudit_list_cifs($1) ') - + ######################################## @@ -1741,10 +2395,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` - gen_require(` + gen_require(` - type user_home_t; + type user_home_dir_t; + attribute user_home_type; - ') - + ') + - allow $1 user_home_t:dir list_dir_perms; + files_list_home($1) + allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ') - + ######################################## @@ -1769,7 +2425,7 @@ interface(`userdom_manage_user_home_content_dirs',` - + ######################################## ## -## Delete all user home content directories. @@ -57080,17 +57080,17 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_delete_all_user_home_content_dirs',` +interface(`userdom_delete_user_home_content_dirs',` - gen_require(` + gen_require(` - attribute user_home_content_type; - type user_home_dir_t; + type user_home_t; - ') - + ') + - userdom_search_user_home_dirs($1) - delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) + allow $1 user_home_t:dir delete_dir_perms; ') - + ######################################## ## -## Delete directories in a user home subdirectory. 
@@ -57104,15 +57104,15 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_delete_user_home_content_dirs',` +interface(`userdom_delete_all_user_home_content_dirs',` - gen_require(` + gen_require(` - type user_home_t; + attribute user_home_type; - ') - + ') + - allow $1 user_home_t:dir delete_dir_perms; + allow $1 user_home_type:dir delete_dir_perms; ') - + ######################################## ## -## Set attributes of all user home content directories. @@ -57127,11 +57127,11 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_setattr_all_user_home_content_dirs',` +interface(`userdom_setattr_user_home_content_files',` - gen_require(` + gen_require(` - attribute user_home_content_type; + type user_home_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 user_home_content_type:dir setattr_dir_perms; + allow $1 user_home_t:file setattr; @@ -57230,12 +57230,12 @@ index 9dc60c6c0..c8efa15c9 100644 + + allow $1 user_tmp_t:dir relabel_dir_perms; ') - + ######################################## @@ -1843,6 +2591,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` - dontaudit $1 user_home_t:file setattr_file_perms; + dontaudit $1 user_home_t:file setattr_file_perms; ') - + +######################################## +## +## Set the attributes of all user home directories. @@ -57259,14 +57259,14 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Mmap user home files. @@ -1858,10 +2625,28 @@ interface(`userdom_mmap_user_home_content_files',` - type user_home_dir_t, user_home_t; - ') - + type user_home_dir_t, user_home_t; + ') + - mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + mmap_exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) + files_search_home($1) ') - + +######################################## +## +## map user home files. @@ -57290,18 +57290,18 @@ index 9dc60c6c0..c8efa15c9 100644 ## Read user home files. 
@@ -1875,12 +2660,34 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` - gen_require(` - type user_home_dir_t, user_home_t; + gen_require(` + type user_home_dir_t, user_home_t; + attribute user_home_type; - ') - + ') + - read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type }) + read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - files_search_home($1) + files_search_home($1) ') - + +######################################## +## +## Do not audit attempts to getattr user home files. @@ -57327,12 +57327,12 @@ index 9dc60c6c0..c8efa15c9 100644 @@ -1893,11 +2700,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` - gen_require(` + gen_require(` - type user_home_t; + attribute user_home_type; + type user_home_dir_t; - ') - + ') + - dontaudit $1 user_home_t:dir list_dir_perms; - dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_dir_t:dir list_dir_perms; @@ -57340,10 +57340,10 @@ index 9dc60c6c0..c8efa15c9 100644 + dontaudit $1 user_home_type:file read_file_perms; + dontaudit $1 user_home_type:lnk_file read_lnk_file_perms; ') - + ######################################## @@ -1938,7 +2748,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` - + ######################################## ## -## Delete all user home content files. @@ -57357,15 +57357,15 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_delete_all_user_home_content_files',` +interface(`userdom_delete_user_home_content_files',` - gen_require(` + gen_require(` - attribute user_home_content_type; - type user_home_dir_t; + type user_home_t; - ') - - userdom_search_user_home_content($1) + ') + + userdom_search_user_home_content($1) 
@@ -1958,7 +2767,7 @@ interface(`userdom_delete_all_user_home_content_files',` - + ######################################## ## -## Delete files in a user home subdirectory. @@ -57397,10 +57397,10 @@ index 9dc60c6c0..c8efa15c9 100644 +## +# +interface(`userdom_delete_user_home_content_sock_files',` - gen_require(` - type user_home_t; - ') - + gen_require(` + type user_home_t; + ') + - allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; +') @@ -57440,28 +57440,28 @@ index 9dc60c6c0..c8efa15c9 100644 + + allow $1 user_home_type:dir_file_class_set delete_file_perms; ') - + ######################################## @@ -2007,8 +2870,7 @@ interface(`userdom_read_user_home_content_symlinks',` - type user_home_dir_t, user_home_t; - ') - + type user_home_dir_t, user_home_t; + ') + - read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) + allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ') - + ######################################## @@ -2024,20 +2886,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` - gen_require(` + gen_require(` - type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; - ') - - files_search_home($1) + ') + + files_search_home($1) - exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - - tunable_policy(`use_nfs_home_dirs',` @@ -57472,21 +57472,21 @@ index 9dc60c6c0..c8efa15c9 100644 - fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; - ') + ') -') - + ######################################## ## 
@@ -2075,6 +2931,7 @@ interface(`userdom_manage_user_home_content_files',` - - manage_files_pattern($1, user_home_t, user_home_t) - allow $1 user_home_dir_t:dir search_dir_perms; + + manage_files_pattern($1, user_home_t, user_home_t) + allow $1 user_home_dir_t:dir search_dir_perms; + allow $1 user_home_t:file map; - files_search_home($1) + files_search_home($1) ') - + @@ -2120,7 +2977,7 @@ interface(`userdom_manage_user_home_content_symlinks',` - + ######################################## ## -## Delete all user home content symbolic links. @@ -57500,17 +57500,17 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_delete_all_user_home_content_symlinks',` +interface(`userdom_delete_user_home_content_symlinks',` - gen_require(` + gen_require(` - attribute user_home_content_type; - type user_home_dir_t; + type user_home_t; - ') - + ') + - userdom_search_user_home_dirs($1) - delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) + allow $1 user_home_t:lnk_file delete_lnk_file_perms; ') - + ######################################## ## -## Delete symbolic links in a user home directory. @@ -57524,20 +57524,20 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_delete_user_home_content_symlinks',` +interface(`userdom_delete_all_user_home_content_symlinks',` - gen_require(` + gen_require(` - type user_home_t; + attribute user_home_type; - ') - + ') + - allow $1 user_home_t:lnk_file delete_lnk_file_perms; + allow $1 user_home_type:lnk_file delete_lnk_file_perms; ') - + ######################################## @@ -2378,6 +3233,25 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` - dontaudit $1 user_tmp_t:dir manage_dir_perms; + dontaudit $1 user_tmp_t:dir manage_dir_perms; ') - + +######################################## +## +## Read user temporary files. @@ -57563,18 +57563,18 @@ index 9dc60c6c0..c8efa15c9 100644 
@@ -2390,14 +3264,31 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` - gen_require(` + gen_require(` - type user_tmp_t; + attribute user_tmp_type; - ') - + ') + - read_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; + read_files_pattern($1, user_tmp_type, user_tmp_type) + allow $1 user_tmp_type:dir list_dir_perms; - files_search_tmp($1) + files_search_tmp($1) ') - + +######################################## +## +## Read user temporary files. @@ -57596,17 +57596,17 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Do not audit attempts to read users @@ -2414,7 +3305,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` - type user_tmp_t; - ') - + type user_tmp_t; + ') + - dontaudit $1 user_tmp_t:file read_file_perms; + dontaudit $1 user_tmp_t:file read_inherited_file_perms; ') - + ######################################## @@ -2455,6 +3346,25 @@ interface(`userdom_rw_user_tmp_files',` - rw_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) + rw_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) ') +######################################## +## @@ -57627,7 +57627,7 @@ index 9dc60c6c0..c8efa15c9 100644 + allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms; + files_search_tmp($1) +') - + ######################################## ## @@ -2538,7 +3448,7 @@ interface(`userdom_manage_user_tmp_files',` @@ -57645,15 +57645,15 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_manage_user_tmp_symlinks',` +interface(`userdom_filetrans_named_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - + gen_require(` + type user_tmp_t; + ') + - manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") - files_search_tmp($1) + files_search_tmp($1) ') - + ######################################## ## ## Create, read, write, and delete user 
@@ -57668,15 +57668,15 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_manage_user_tmp_pipes',` +interface(`userdom_manage_user_tmp_symlinks',` - gen_require(` - type user_tmp_t; - ') - + gen_require(` + type user_tmp_t; + ') + - manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) + manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - files_search_tmp($1) + files_search_tmp($1) ') - + ######################################## ## ## Create, read, write, and delete user @@ -57727,9 +57727,9 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## @@ -2661,6 +3612,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` - files_tmp_filetrans($1, user_tmp_t, $2, $3) + files_tmp_filetrans($1, user_tmp_t, $2, $3) ') - + +####################################### +## +## Getattr user tmpfs files. @@ -57762,7 +57762,7 @@ index 9dc60c6c0..c8efa15c9 100644 + refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.') + userdom_read_user_tmp_files($1) ') - + ######################################## ## -## Read user tmpfs files. @@ -57785,7 +57785,7 @@ index 9dc60c6c0..c8efa15c9 100644 + refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.') + userdom_rw_user_tmp_files($1) ') - + ######################################## ## -## Create, read, write, and delete user tmpfs files. @@ -57842,22 +57842,22 @@ index 9dc60c6c0..c8efa15c9 100644 +## +# +interface(`userdom_execute_user_tmp_files',` - gen_require(` + gen_require(` - type user_tmpfs_t; + type user_tmp_t; - ') - + ') + - manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + allow $1 user_tmp_t:file execute; ') - + ######################################## 
@@ -2812,6 +3810,24 @@ interface(`userdom_use_user_ttys',` - allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_tty_device_t:chr_file rw_term_perms; ') - + +######################################## +## +## Read and write a inherited user domain tty. @@ -57880,7 +57880,7 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Read and write a user domain pty. @@ -2832,22 +3848,34 @@ interface(`userdom_use_user_ptys',` - + ######################################## ## -## Read and write a user TTYs and PTYs. @@ -57928,10 +57928,10 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_use_user_terminals',` +interface(`userdom_use_inherited_user_terminals',` - gen_require(` - type user_tty_device_t, user_devpts_t; - ') - + gen_require(` + type user_tty_device_t, user_devpts_t; + ') + - allow $1 user_tty_device_t:chr_file rw_term_perms; - allow $1 user_devpts_t:chr_file rw_term_perms; - term_list_ptys($1) @@ -57958,12 +57958,12 @@ index 9dc60c6c0..c8efa15c9 100644 + allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; ') - + ######################################## @@ -2882,8 +3929,27 @@ interface(`userdom_dontaudit_use_user_terminals',` - type user_tty_device_t, user_devpts_t; - ') - + type user_tty_device_t, user_devpts_t; + ') + - dontaudit $1 user_tty_device_t:chr_file rw_term_perms; - dontaudit $1 user_devpts_t:chr_file rw_term_perms; + dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms; @@ -57988,12 +57988,12 @@ index 9dc60c6c0..c8efa15c9 100644 + + allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; ') - + ######################################## @@ -2955,6 +4021,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` - allow unpriv_userdomain $1:process sigchld; + allow unpriv_userdomain $1:process sigchld; ') - + +##################################### +## +## Allow domain dyntrans to unpriv userdomain. 
@@ -58034,9 +58034,9 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Execute an Xserver session in all unprivileged user domains. This @@ -2978,24 +4080,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` - allow unpriv_userdomain $1:process sigchld; + allow unpriv_userdomain $1:process sigchld; ') - + -####################################### -## -## Read and write unpriviledged user SysV sempaphores. @@ -58059,9 +58059,9 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Manage unpriviledged user SysV sempaphores. @@ -3014,9 +4098,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` - allow $1 unpriv_userdomain:sem create_sem_perms; + allow $1 unpriv_userdomain:sem create_sem_perms; ') - + -####################################### +######################################## ## @@ -58076,14 +58076,14 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_rw_unpriv_user_shared_mem',` +interface(`userdom_manage_unpriv_user_shared_mem',` - gen_require(` - attribute unpriv_userdomain; - ') - + gen_require(` + attribute unpriv_userdomain; + ') + - allow $1 unpriv_userdomain:shm rw_shm_perms; + allow $1 unpriv_userdomain:shm create_shm_perms; ') - + ######################################## ## -## Manage unpriviledged user SysV shared @@ -58097,34 +58097,34 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_manage_unpriv_user_shared_mem',` +interface(`userdom_destroy_unpriv_user_shared_mem',` - gen_require(` - attribute unpriv_userdomain; - ') - + gen_require(` + attribute unpriv_userdomain; + ') + - allow $1 unpriv_userdomain:shm create_shm_perms; + allow $1 unpriv_userdomain:shm destroy; ') - + ######################################## 
@@ -3094,7 +4178,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` - - domain_entry_file_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; + + domain_entry_file_spec_domtrans($1, unpriv_userdomain) + allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms; - allow unpriv_userdomain $1:process sigchld; + allow unpriv_userdomain $1:process sigchld; ') - + @@ -3110,29 +4194,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` - gen_require(` + gen_require(` - type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; - ') - - files_list_home($1) + ') + + files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; -') - @@ -58147,12 +58147,12 @@ index 9dc60c6c0..c8efa15c9 100644 + allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; + allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms; ') - + ######################################## @@ -3214,7 +4282,25 @@ interface(`userdom_dontaudit_use_user_ptys',` - type user_devpts_t; - ') - + type user_devpts_t; + ') + - dontaudit $1 user_devpts_t:chr_file rw_file_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; +') @@ -58174,16 +58174,16 @@ index 9dc60c6c0..c8efa15c9 100644 + + dontaudit $1 user_devpts_t:chr_file open; ') - + ######################################## @@ -3269,12 +4355,13 @@ interface(`userdom_write_user_tmp_files',` - type user_tmp_t; - ') - + type user_tmp_t; + ') + - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) ') - + ######################################## ## -## Do not audit attempts to use user ttys. 
@@ -58198,15 +58198,15 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_dontaudit_use_user_ttys',` +interface(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` + gen_require(` - type user_tty_device_t; + type user_tmp_t; - ') - + ') + - dontaudit $1 user_tty_device_t:chr_file rw_file_perms; + dontaudit $1 user_tmp_t:file write; ') - + ######################################## ## -## Read the process state of all user domains. @@ -58222,16 +58222,16 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_read_all_users_state',` +interface(`userdom_dontaudit_delete_user_tmp_files',` - gen_require(` + gen_require(` - attribute userdomain; + type user_tmp_t; - ') - + ') + - read_files_pattern($1, userdomain, userdomain) - kernel_search_proc($1) + dontaudit $1 user_tmp_t:file delete_file_perms; ') - + ######################################## ## -## Get the attributes of all user domains. @@ -58247,15 +58247,15 @@ index 9dc60c6c0..c8efa15c9 100644 # -interface(`userdom_getattr_all_users',` +interface(`userdom_dontaudit_rw_user_tmp_pipes',` - gen_require(` + gen_require(` - attribute userdomain; + type user_tmp_t; - ') - + ') + - allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## ## -## Inherit the file descriptors from all user domains @@ -58344,13 +58344,13 @@ index 9dc60c6c0..c8efa15c9 100644 +## +# +interface(`userdom_use_all_users_fds',` - gen_require(` - attribute userdomain; - ') + gen_require(` + attribute userdomain; + ') @@ -3382,6 +4545,42 @@ interface(`userdom_signal_all_users',` - allow $1 userdomain:process signal; + allow $1 userdomain:process signal; ') - + +####################################### +## +## Send signull to all user domains. @@ -58391,9 +58391,9 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Send a SIGCHLD signal to all user domains. 
@@ -3400,6 +4599,60 @@ interface(`userdom_sigchld_all_users',` - allow $1 userdomain:process sigchld; + allow $1 userdomain:process sigchld; ') - + +######################################## +## +## Read keys for all user domains. @@ -58452,9 +58452,9 @@ index 9dc60c6c0..c8efa15c9 100644 ## ## Create keys for all user domains. @@ -3435,4 +4688,1820 @@ interface(`userdom_dbus_send_all_users',` - ') - - allow $1 userdomain:dbus send_msg; + ') + + allow $1 userdomain:dbus send_msg; + ps_process_pattern($1, userdomain) +') + @@ -58500,7 +58500,7 @@ index 9dc60c6c0..c8efa15c9 100644 + typeattribute $2 $1_usertype; + typeattribute $2 unpriv_userdomain; + typeattribute $2 userdomain; -+ ++ + auth_use_nsswitch($2) + ubac_constrained($2) +') @@ -58790,7 +58790,7 @@ index 9dc60c6c0..c8efa15c9 100644 + +####################################### +## -+## Allow execmod on files in homedirectory ++## Allow execmod on files in homedirectory +## +## +## @@ -59402,7 +59402,7 @@ index 9dc60c6c0..c8efa15c9 100644 +## +# +interface(`userdom_manage_all_user_tmpfs_content',` -+ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.') ++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.') + userdom_manage_all_user_tmp_content($1) +') + @@ -60102,7 +60102,7 @@ index 9dc60c6c0..c8efa15c9 100644 + +######################################## +## -+## Do not audit attempts to check the ++## Do not audit attempts to check the +## access on user content files +## +## @@ -60260,7 +60260,7 @@ index 9dc60c6c0..c8efa15c9 100644 + consoletype_exec($1) + ') + -+ optional_policy(` ++ optional_policy(` + ipsec_run_setkey($1,$2) + ') + @@ -60277,7 +60277,7 @@ index f4ac38dc7..cceb511fc 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) - + ## ##

      -## Allow users to connect to mysql @@ -60286,7 +60286,7 @@ index f4ac38dc7..cceb511fc 100644 ## -gen_tunable(allow_user_mysql_connect, false) +gen_tunable(selinuxuser_mysql_connect_enabled, false) - + ## ##

      ## Allow users to connect to PostgreSQL @@ -60294,7 +60294,7 @@ index f4ac38dc7..cceb511fc 100644 ## -gen_tunable(allow_user_postgresql_connect, false) +gen_tunable(selinuxuser_postgresql_connect_enabled, false) - + ## ##

      -## Allow regular users direct mouse access @@ -60311,7 +60311,7 @@ index f4ac38dc7..cceb511fc 100644 ## -gen_tunable(user_dmesg, false) +gen_tunable(selinuxuser_rw_noexattrfile, false) - + ## ##

      -## Allow user to r/w files on filesystems @@ -60321,7 +60321,7 @@ index f4ac38dc7..cceb511fc 100644 ## -gen_tunable(user_rw_noexattrfile, false) +gen_tunable(selinuxuser_share_music, false) - + ## ##

      -## Allow w to display everyone @@ -60330,17 +60330,17 @@ index f4ac38dc7..cceb511fc 100644 ## -gen_tunable(user_ttyfile_stat, false) +gen_tunable(selinuxuser_use_ssh_chroot, false) - + attribute admindomain; +attribute login_userdomain; +attribute confined_admindomain; - + # all user domains attribute userdomain; @@ -58,6 +53,24 @@ attribute unpriv_userdomain; - + attribute user_home_content_type; - + +attribute userdom_home_reader_certs_type; +attribute userdom_home_reader_type; +attribute userdom_home_manager_type; @@ -60363,7 +60363,7 @@ index f4ac38dc7..cceb511fc 100644 fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) @@ -70,26 +83,399 @@ ubac_constrained(user_home_dir_t) - + type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; +typeattribute user_home_t user_home_type; @@ -60374,12 +60374,12 @@ index f4ac38dc7..cceb511fc 100644 files_poly_parent(user_home_t) files_mountpoint(user_home_t) +ubac_constrained(user_home_t) - + type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; dev_node(user_devpts_t) files_type(user_devpts_t) ubac_constrained(user_devpts_t) - + -type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; +type user_tmp_t, user_tmp_type, user_tmpfs_type; +typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t }; 
@@ -60396,7 +60396,7 @@ index f4ac38dc7..cceb511fc 100644 -userdom_user_home_content(user_tmpfs_t) +files_poly_parent(user_tmp_t) +files_mountpoint(user_tmp_t) - + type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) @@ -60527,7 +60527,7 @@ index f4ac38dc7..cceb511fc 100644 + fs_manage_ecryptfs_symlinks(userdom_home_manager_type) +') + -+# vi /etc/mtab can cause an avc trying to relabel to self. ++# vi /etc/mtab can cause an avc trying to relabel to self. +dontaudit userdomain self:file relabelto; + +userdom_user_home_dir_filetrans_user_home_content(userdom_filetrans_type, { dir file lnk_file fifo_file sock_file }) @@ -60733,7 +60733,7 @@ index f4ac38dc7..cceb511fc 100644 + +init_stream_connect(confined_admindomain) +# The library functions always try to open read-write first, -+# then fall back to read-only if it fails. ++# then fall back to read-only if it fails. +init_dontaudit_rw_utmp(confined_admindomain) + +libs_exec_ld_so(confined_admindomain) @@ -60761,7 +60761,7 @@ index f4ac38dc7..cceb511fc 100644 +optional_policy(` + fs_list_cgroup_dirs(confined_admindomain) +') -+ ++ +optional_policy(` + ssh_rw_stream_sockets(confined_admindomain) + ssh_delete_tmp(confined_admindomain) @@ -60842,9 +60842,9 @@ index 8b785c9a3..8aa8c3610 100644 --- a/policy/support/file_patterns.spt +++ b/policy/support/file_patterns.spt @@ -99,9 +99,21 @@ define(`read_files_pattern',` - allow $1 $3:file read_file_perms; + allow $1 $3:file read_file_perms; ') - + +define(`mmap_read_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_read_file_perms; 
@@ -60853,7 +60853,7 @@ index 8b785c9a3..8aa8c3610 100644 define(`mmap_files_pattern',` + # deprecated 20171213 + refpolicywarn(`mmap_files_pattern() is deprecated, please use mmap_exec_files_pattern() instead') - allow $1 $2:dir search_dir_perms; + allow $1 $2:dir search_dir_perms; - allow $1 $3:file mmap_file_perms; + allow $1 $3:file mmap_exec_file_perms; +') @@ -60862,20 +60862,20 @@ index 8b785c9a3..8aa8c3610 100644 + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_exec_file_perms; ') - + define(`exec_files_pattern',` @@ -124,6 +136,11 @@ define(`rw_files_pattern',` - allow $1 $3:file rw_file_perms; + allow $1 $3:file rw_file_perms; ') - + +define(`mmap_rw_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:file mmap_rw_file_perms; +') + define(`create_files_pattern',` - allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:file create_file_perms; + allow $1 $2:dir add_entry_dir_perms; + allow $1 $3:file create_file_perms; diff --git a/policy/support/misc_macros.spt b/policy/support/misc_macros.spt index 4ca5688c3..355ff953c 100644 --- a/policy/support/misc_macros.spt @@ -60886,7 +60886,7 @@ index 4ca5688c3..355ff953c 100644 # -define(`can_exec',`allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };') +define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };') - + ######################################## # diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt @@ -60899,30 +60899,30 @@ index e79d54501..d2369e17f 100644 define(`domain_transition_pattern',` - allow $1 $2:file { getattr open read execute }; + allow $1 $2:file mmap_exec_file_perms; - allow $1 $3:process transition; + allow $1 $3:process transition; - dontaudit $1 $3:process { noatsecure siginh rlimitinh }; +# dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ') - + # compatibility: 
@@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',` - domain_transition_pattern($1,$2,$3) - - allow $3 $1:fd use; + domain_transition_pattern($1,$2,$3) + + allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; - allow $3 $1:process sigchld; + allow $3 $1:process sigchld; ') - + @@ -34,7 +34,7 @@ define(`domtrans_pattern',` - domain_auto_transition_pattern($1,$2,$3) - - allow $3 $1:fd use; + domain_auto_transition_pattern($1,$2,$3) + + allow $3 $1:fd use; - allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:fifo_file rw_inherited_fifo_file_perms; - allow $3 $1:process sigchld; + allow $3 $1:process sigchld; ') - + diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index 6e9131723..4b5b81f40 100644 --- a/policy/support/obj_perm_sets.spt 
@@ -60934,7 +60934,7 @@ index 6e9131723..4b5b81f40 100644 -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') - +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket bridge_socket dccp_socket ib_socket mpls_socket }') - + # # Datagram socket classes. @@ -39,12 +38,12 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') 
@@ -60943,22 +60943,22 @@ index 6e9131723..4b5b81f40 100644 # -define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }') - + # # Unprivileged socket classes (exclude rawip, netlink, packet). # -define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }') - + ######################################## - # + # @@ -59,7 +58,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }') # # Permissions for using sockets. - # + # -define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }') +define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }') - + # # Permissions for creating and using sockets. @@ -153,12 +152,22 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') @@ -61048,7 +61048,7 @@ index 6e9131723..4b5b81f40 100644 -define(`rw_term_perms', `{ getattr open read write append ioctl }') +define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }') +define(`rw_term_perms', `{ rw_inherited_term_perms open }') - + # # Sockets @@ -271,3 +285,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept @@ -61070,7 +61070,7 @@ index c4ebc7e43..30d6d7a71 100644 # -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) - + # # user_u is a generic user identity for Linux users who have no @@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) 
@@ -61086,7 +61086,7 @@ index c4ebc7e43..30d6d7a71 100644 +gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - + # # The following users correspond to Unix identities. @@ -38,8 +35,4 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al @@ -61109,7 +61109,7 @@ index b96e9b3d1..ff7340fdb 100644 DIRECT_INITRC ?= n -POLY ?= n QUIET ?= y - + genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed index 00b94b6ad..90813480d 100644 @@ -61117,7 +61117,7 @@ index 00b94b6ad..90813480d 100644 +++ b/support/comment_move_decl.sed @@ -6,7 +6,7 @@ /optional \{/,/} # end optional/b nextline - + /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/ -/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/ +/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/ diff --git a/SOURCES/policy-rhel-7.6-contrib.patch b/SOURCES/policy-rhel-7.6-contrib.patch index 809ebcbb..77e4800e 100644 --- a/SOURCES/policy-rhel-7.6-contrib.patch +++ b/SOURCES/policy-rhel-7.6-contrib.patch @@ -14,7 +14,7 @@ index 1a93dc578..e948aef59 100644 -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) +/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) - + -/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) -/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) 
@@ -34,7 +34,7 @@ index 1a93dc578..e948aef59 100644 +/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) - + -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) -/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) @@ -53,7 +53,7 @@ index 1a93dc578..e948aef59 100644 +/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) - + -/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) -/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) -/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) 
@@ -63,20 +63,20 @@ index 1a93dc578..e948aef59 100644 +/var/spool/faf(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) +/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) - + -/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) -/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) - + -/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) - + -/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) - + -/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) @@ -109,13 +109,13 @@ index 058d908e4..1b643bfb5 100644 + + kernel_read_system_state($1_t) +') - + ###################################### ##

      @@ -17,6 +39,26 @@ interface(`abrt_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, abrt_exec_t, abrt_t) + + corecmd_search_bin($1) + domtrans_pattern($1, abrt_exec_t, abrt_t) + allow $1 abrt_exec_t:file map; +') + @@ -137,15 +137,15 @@ index 058d908e4..1b643bfb5 100644 + corecmd_search_bin($1) + domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t) ') - + ###################################### @@ -36,11 +78,12 @@ interface(`abrt_exec',` - - corecmd_search_bin($1) - can_exec($1, abrt_exec_t) + + corecmd_search_bin($1) + can_exec($1, abrt_exec_t) + allow $1 abrt_exec_t:file map; ') - + ######################################## ## -## Send null signals to abrt. @@ -154,7 +154,7 @@ index 058d908e4..1b643bfb5 100644 ## ## @@ -58,7 +101,7 @@ interface(`abrt_signull',` - + ######################################## ## -## Read process state of abrt. @@ -163,13 +163,13 @@ index 058d908e4..1b643bfb5 100644 ## ## @@ -71,12 +114,13 @@ interface(`abrt_read_state',` - type abrt_t; - ') - + type abrt_t; + ') + + kernel_search_proc($1) - ps_process_pattern($1, abrt_t) + ps_process_pattern($1, abrt_t) ') - + ######################################## ## -## Connect to abrt over an unix stream socket. @@ -178,7 +178,7 @@ index 058d908e4..1b643bfb5 100644 ## ## @@ -116,8 +160,7 @@ interface(`abrt_dbus_chat',` - + ##################################### ## -## Execute abrt-helper in the abrt @@ -188,13 +188,13 @@ index 058d908e4..1b643bfb5 100644 ## ## @@ -130,15 +173,13 @@ interface(`abrt_domtrans_helper',` - type abrt_helper_t, abrt_helper_exec_t; - ') - + type abrt_helper_t, abrt_helper_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) + domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t) ') - + ######################################## ## -## Execute abrt helper in the abrt @@ -206,7 +206,7 @@ index 058d908e4..1b643bfb5 100644 ## ## 
@@ -163,8 +204,45 @@ interface(`abrt_run_helper',` - + ######################################## ## -## Create, read, write, and delete @@ -243,7 +243,7 @@ index 058d908e4..1b643bfb5 100644 + type abrt_var_cache_t; + ') + -+ ++ + allow $1 abrt_var_cache_t:file append_inherited_file_perms; +') + @@ -265,10 +265,10 @@ index 058d908e4..1b643bfb5 100644 + type abrt_var_cache_t; + ') + -+ ++ + allow $1 abrt_var_cache_t:file rw_inherited_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -278,15 +278,15 @@ index 058d908e4..1b643bfb5 100644 ## ## @@ -193,7 +274,6 @@ interface(`abrt_manage_cache',` - type abrt_var_cache_t; - ') - + type abrt_var_cache_t; + ') + - files_search_var($1) - manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) - manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) - manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) @@ -201,7 +281,7 @@ interface(`abrt_manage_cache',` - + #################################### ## -## Read abrt configuration files. @@ -295,9 +295,9 @@ index 058d908e4..1b643bfb5 100644 ## ## @@ -218,9 +298,29 @@ interface(`abrt_read_config',` - read_files_pattern($1, abrt_etc_t, abrt_etc_t) + read_files_pattern($1, abrt_etc_t, abrt_etc_t) ') - + +#################################### +## +## Dontaudit read abrt configuration file. @@ -326,7 +326,7 @@ index 058d908e4..1b643bfb5 100644 ## ## @@ -258,8 +358,7 @@ interface(`abrt_read_pid_files',` - + ###################################### ## -## Create, read, write, and delete @@ -336,9 +336,9 @@ index 058d908e4..1b643bfb5 100644 ## ## 
@@ -276,10 +375,52 @@ interface(`abrt_manage_pid_files',` - manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) + manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') - + +######################################## +## +## Read and write abrt fifo files. @@ -401,7 +401,7 @@ index 058d908e4..1b643bfb5 100644 ## # interface(`abrt_admin',` - gen_require(` + gen_require(` - attribute abrt_domain; - type abrt_t, abrt_etc_t, abrt_initrc_exec_t; - type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t; @@ -411,8 +411,8 @@ index 058d908e4..1b643bfb5 100644 + type abrt_var_run_t, abrt_tmp_t; + type abrt_initrc_exec_t; + type abrt_unit_file_t; - ') - + ') + - allow $1 abrt_domain:process { ptrace signal_perms }; - ps_process_pattern($1, abrt_domain) + allow $1 abrt_t:process { signal_perms }; @@ -421,32 +421,32 @@ index 058d908e4..1b643bfb5 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 abrt_t:process ptrace; + ') - - init_labeled_script_domtrans($1, abrt_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 abrt_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, abrt_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 abrt_initrc_exec_t system_r; + allow $2 system_r; + - files_search_etc($1) + files_list_etc($1) - admin_pattern($1, abrt_etc_t) - + admin_pattern($1, abrt_etc_t) + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, abrt_var_log_t) - + admin_pattern($1, abrt_var_log_t) + - files_search_var($1) - admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t }) + files_list_var($1) + admin_pattern($1, abrt_var_cache_t) - + - files_search_pids($1) + files_list_pids($1) - admin_pattern($1, abrt_var_run_t) - + admin_pattern($1, abrt_var_run_t) + - files_search_tmp($1) + files_list_tmp($1) - admin_pattern($1, abrt_tmp_t) + admin_pattern($1, abrt_tmp_t) + + abrt_systemctl($1) + admin_pattern($1, abrt_unit_file_t) 
@@ -584,7 +584,7 @@ index eb50f070f..a00644903 100644 +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) # - + ## -##

      -## Determine whether ABRT can modify @@ -597,48 +597,48 @@ index eb50f070f..a00644903 100644 +##

      ##
      gen_tunable(abrt_anon_write, false) - + @@ -37,87 +36,99 @@ attribute abrt_domain; attribute_role abrt_helper_roles; roleattribute system_r abrt_helper_roles; - + -type abrt_t, abrt_domain; -type abrt_exec_t; +abrt_basic_types_template(abrt) init_daemon_domain(abrt_t, abrt_exec_t) - + type abrt_initrc_exec_t; init_script_file(abrt_initrc_exec_t) - + +type abrt_unit_file_t; +systemd_unit_file(abrt_unit_file_t) + type abrt_etc_t; files_config_file(abrt_etc_t) - + type abrt_var_log_t; logging_log_file(abrt_var_log_t) - + +type abrt_var_lib_t; +files_type(abrt_var_lib_t) + type abrt_tmp_t; files_tmp_file(abrt_tmp_t) - + type abrt_var_cache_t; files_type(abrt_var_cache_t) +files_tmp_file(abrt_var_cache_t) +userdom_user_tmp_content(abrt_var_cache_t) - + type abrt_var_run_t; files_pid_file(abrt_var_run_t) - + -type abrt_dump_oops_t, abrt_domain; -type abrt_dump_oops_exec_t; +abrt_basic_types_template(abrt_dump_oops) init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) +domain_obj_id_change_exemption(abrt_dump_oops_t) - + -type abrt_handle_event_t, abrt_domain; -type abrt_handle_event_exec_t; -domain_type(abrt_handle_event_t) @@ -646,7 +646,7 @@ index eb50f070f..a00644903 100644 +abrt_basic_types_template(abrt_handle_event) +application_domain(abrt_handle_event_t, abrt_handle_event_exec_t) role system_r types abrt_handle_event_t; - + -type abrt_helper_t, abrt_domain; -type abrt_helper_exec_t; +# type needed to allow all domains @@ -656,7 +656,7 @@ index eb50f070f..a00644903 100644 +abrt_basic_types_template(abrt_helper) application_domain(abrt_helper_t, abrt_helper_exec_t) role abrt_helper_roles types abrt_helper_t; - + -type abrt_retrace_coredump_t, abrt_domain; -type abrt_retrace_coredump_exec_t; -domain_type(abrt_retrace_coredump_t) 
@@ -670,42 +670,42 @@ index eb50f070f..a00644903 100644 +abrt_basic_types_template(abrt_retrace_worker) +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) role system_r types abrt_retrace_worker_t; - + +abrt_basic_types_template(abrt_retrace_coredump) +application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) +role system_r types abrt_retrace_coredump_t; + type abrt_retrace_cache_t; files_type(abrt_retrace_cache_t) - + type abrt_retrace_spool_t; -files_type(abrt_retrace_spool_t) +files_spool_file(abrt_retrace_spool_t) - + -type abrt_watch_log_t, abrt_domain; -type abrt_watch_log_exec_t; +abrt_basic_types_template(abrt_watch_log) init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) - + -type abrt_upload_watch_t, abrt_domain; -type abrt_upload_watch_exec_t; +abrt_basic_types_template(abrt_upload_watch) init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) - + +type abrt_upload_watch_tmp_t; +files_tmp_file(abrt_upload_watch_tmp_t) + + ifdef(`enable_mcs',` - init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') - + ######################################## # -# Local policy +# abrt local policy # - + -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; +allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; 
@@ -718,22 +718,22 @@ index eb50f070f..a00644903 100644 +allow abrt_t self:udp_socket create_socket_perms; +allow abrt_t self:unix_dgram_socket create_socket_perms; +allow abrt_t self:netlink_route_socket r_netlink_socket_perms; - + -allow abrt_t abrt_etc_t:dir list_dir_perms; +# abrt etc files +list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t) rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) - + +# log file manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) - + @@ -125,48 +136,60 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) +can_exec(abrt_t, abrt_tmp_t) - + +# abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) @@ -742,19 +742,19 @@ index eb50f070f..a00644903 100644 files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) +files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt") +allow abrt_t abrt_var_cache_t:file map; - + +# abrt pid files manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) - + -can_exec(abrt_t, abrt_tmp_t) +manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) +manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) - + +kernel_read_all_proc(abrt_t) kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) 
@@ -766,11 +766,11 @@ index eb50f070f..a00644903 100644 +# needed by docker BZ #1194280 +kernel_read_net_sysctls(abrt_t) +kernel_rw_usermodehelper_state(abrt_t) - + corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) - + corenet_all_recvfrom_netlabel(abrt_t) -corenet_all_recvfrom_unlabeled(abrt_t) corenet_tcp_sendrecv_generic_if(abrt_t) @@ -784,7 +784,7 @@ index eb50f070f..a00644903 100644 corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) +corenet_sendrecv_http_client_packets(abrt_t) - + dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) dev_read_rand(abrt_t) @@ -793,7 +793,7 @@ index eb50f070f..a00644903 100644 -dev_dontaudit_read_raw_memory(abrt_t) +dev_read_raw_memory(abrt_t) +dev_write_kmsg(abrt_t) - + domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) @@ -176,29 +199,45 @@ files_getattr_all_files(abrt_t) @@ -810,7 +810,7 @@ index eb50f070f..a00644903 100644 files_dontaudit_getattr_all_sockets(abrt_t) files_list_mnt(abrt_t) +fs_list_all(abrt_t) - + +fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) fs_getattr_all_dirs(abrt_t) @@ -820,16 +820,16 @@ index eb50f070f..a00644903 100644 fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) - + -auth_use_nsswitch(abrt_t) +storage_dontaudit_read_fixed_disk(abrt_t) - + logging_read_generic_logs(abrt_t) +logging_mmap_journal(abrt_t) +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) +logging_read_syslog_pid(abrt_t) - + +auth_use_nsswitch(abrt_t) +auth_map_passwd(abrt_t) + 
@@ -839,32 +839,32 @@ index eb50f070f..a00644903 100644 miscfiles_read_public_files(abrt_t) +miscfiles_dontaudit_access_check_cert(abrt_t) +miscfiles_dontaudit_write_generic_cert_files(abrt_t) - + userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) - + tunable_policy(`abrt_anon_write',` - miscfiles_manage_public_files(abrt_t) + miscfiles_manage_public_files(abrt_t) @@ -206,15 +245,11 @@ tunable_policy(`abrt_anon_write',` - + optional_policy(` - apache_list_modules(abrt_t) + apache_list_modules(abrt_t) - apache_read_module_files(abrt_t) + apache_read_modules(abrt_t) ') - + optional_policy(` - dbus_system_domain(abrt_t, abrt_exec_t) + dbus_system_domain(abrt_t, abrt_exec_t) - - optional_policy(` - policykit_dbus_chat(abrt_t) - ') ') - + optional_policy(` @@ -222,6 +257,28 @@ optional_policy(` ') - + optional_policy(` + container_stream_connect(abrt_t) +') @@ -888,25 +888,25 @@ index eb50f070f..a00644903 100644 + +optional_policy(` + policykit_dbus_chat(abrt_t) - policykit_domtrans_auth(abrt_t) - policykit_read_lib(abrt_t) - policykit_read_reload(abrt_t) + policykit_domtrans_auth(abrt_t) + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) @@ -233,6 +290,11 @@ optional_policy(` - corecmd_exec_all_executables(abrt_t) + corecmd_exec_all_executables(abrt_t) ') - + +optional_policy(` + puppet_read_lib(abrt_t) +') + +# to install debuginfo packages optional_policy(` - rpm_exec(abrt_t) - rpm_dontaudit_manage_db(abrt_t) + rpm_exec(abrt_t) + rpm_dontaudit_manage_db(abrt_t) @@ -243,6 +305,14 @@ optional_policy(` - rpm_signull(abrt_t) + rpm_signull(abrt_t) ') - + +optional_policy(` + rhsmcertd_manage_pid_files(abrt_t) + rhsmcertd_read_log(abrt_t) @@ -916,12 +916,12 @@ index eb50f070f..a00644903 100644 + +# to run mailx plugin optional_policy(` - sendmail_domtrans(abrt_t) + sendmail_domtrans(abrt_t) ') 
@@ -253,9 +323,21 @@ optional_policy(` - sosreport_delete_tmp_files(abrt_t) + sosreport_delete_tmp_files(abrt_t) ') - + +optional_policy(` + sssd_stream_connect(abrt_t) +') @@ -939,12 +939,12 @@ index eb50f070f..a00644903 100644 -# Handle-event local policy +# abrt-handle-event local policy # - + allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; @@ -266,9 +348,13 @@ tunable_policy(`abrt_handle_event',` - can_exec(abrt_t, abrt_handle_event_exec_t) + can_exec(abrt_t, abrt_handle_event_exec_t) ') - + +optional_policy(` + unconfined_domain(abrt_handle_event_t) +') @@ -954,41 +954,41 @@ index eb50f070f..a00644903 100644 -# Helper local policy +# abrt--helper local policy # - + allow abrt_helper_t self:capability { chown setgid sys_nice }; @@ -281,6 +367,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt") - + read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) 
@@ -289,15 +376,20 @@ corecmd_read_all_executables(abrt_helper_t) - + domain_read_all_domains_state(abrt_helper_t) - + +files_dontaudit_all_non_security_leaks(abrt_helper_t) + fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) - + auth_use_nsswitch(abrt_helper_t) - + +logging_send_syslog_msg(abrt_helper_t) + term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) - + ifdef(`hide_broken_symptoms',` + domain_dontaudit_leaks(abrt_helper_t) - userdom_dontaudit_read_user_home_content_files(abrt_helper_t) - userdom_dontaudit_read_user_tmp_files(abrt_helper_t) - dev_dontaudit_read_all_blk_files(abrt_helper_t) + userdom_dontaudit_read_user_home_content_files(abrt_helper_t) + userdom_dontaudit_read_user_tmp_files(abrt_helper_t) + dev_dontaudit_read_all_blk_files(abrt_helper_t) @@ -305,11 +397,25 @@ ifdef(`hide_broken_symptoms',` - dev_dontaudit_write_all_chr_files(abrt_helper_t) - dev_dontaudit_write_all_blk_files(abrt_helper_t) - fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) + dev_dontaudit_write_all_chr_files(abrt_helper_t) + dev_dontaudit_write_all_blk_files(abrt_helper_t) + fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) + + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) @@ -1004,52 +1004,52 @@ index eb50f070f..a00644903 100644 + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; ') - + ####################################### # -# Retrace coredump policy +# abrt retrace coredump policy # - + allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; 
@@ -327,10 +433,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) - + dev_read_urand(abrt_retrace_coredump_t) - + -files_read_usr_files(abrt_retrace_coredump_t) + +logging_send_syslog_msg(abrt_retrace_coredump_t) - + sysnet_dns_name_resolve(abrt_retrace_coredump_t) - + +# to install debuginfo packages optional_policy(` - rpm_exec(abrt_retrace_coredump_t) - rpm_dontaudit_manage_db(abrt_retrace_coredump_t) + rpm_exec(abrt_retrace_coredump_t) + rpm_dontaudit_manage_db(abrt_retrace_coredump_t) @@ -343,10 +451,11 @@ optional_policy(` - + ####################################### # -# Retrace worker policy +# abrt retrace worker policy # - + -allow abrt_retrace_worker_t self:capability setuid; +allow abrt_retrace_worker_t self:capability { setuid }; + allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; - + domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) @@ -365,38 +474,83 @@ corecmd_exec_shell(abrt_retrace_worker_t) - + dev_read_urand(abrt_retrace_worker_t) - + -files_read_usr_files(abrt_retrace_worker_t) + +logging_send_syslog_msg(abrt_retrace_worker_t) - + sysnet_dns_name_resolve(abrt_retrace_worker_t) - + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) + mock_manage_lib_files(abrt_t) 
@@ -1060,14 +1060,14 @@ index eb50f070f..a00644903 100644 -# Dump oops local policy +# abrt_dump_oops local policy # - + -allow abrt_dump_oops_t self:capability dac_override; +allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search dac_override setuid setgid }; +allow abrt_dump_oops_t self:process setfscreate; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; - + files_search_spool(abrt_dump_oops_t) manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) @@ -1077,12 +1077,12 @@ index eb50f070f..a00644903 100644 + +manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t) +manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t) - + read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) - + read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t) - + +kernel_read_debugfs(abrt_dump_oops_t) kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) @@ -1094,7 +1094,7 @@ index eb50f070f..a00644903 100644 + +dev_read_urand(abrt_dump_oops_t) +dev_read_rand(abrt_dump_oops_t) - + domain_use_interactive_fds(abrt_dump_oops_t) +domain_signull_all_domains(abrt_dump_oops_t) +domain_read_all_domains_state(abrt_dump_oops_t) 
@@ -1107,13 +1107,13 @@ index eb50f070f..a00644903 100644 +files_manage_non_security_dirs(abrt_dump_oops_t) +files_manage_non_security_files(abrt_dump_oops_t) +files_map_non_security_files(abrt_dump_oops_t) - + +fs_getattr_all_fs(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) +fs_list_pstorefs(abrt_dump_oops_t) + +selinux_compute_create_context(abrt_dump_oops_t) - + logging_read_generic_logs(abrt_dump_oops_t) +logging_read_syslog_pid(abrt_dump_oops_t) +logging_send_syslog_msg(abrt_dump_oops_t) @@ -1125,26 +1125,26 @@ index eb50f070f..a00644903 100644 +optional_policy(` + nscd_dontaudit_write_sock_file(abrt_dump_oops_t) +') - + ####################################### # @@ -404,25 +558,63 @@ logging_read_generic_logs(abrt_dump_oops_t) # - + allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; -allow abrt_watch_log_t self:unix_stream_socket { accept listen }; +allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms; - + read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) - + +auth_read_passwd(abrt_watch_log_t) +auth_use_nsswitch(abrt_watch_log_t) + domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +allow abrt_watch_log_t abrt_dump_oops_exec_t:file map; - + corecmd_exec_bin(abrt_watch_log_t) - + logging_read_all_logs(abrt_watch_log_t) +logging_send_syslog_msg(abrt_watch_log_t) + @@ -1155,12 +1155,12 @@ index eb50f070f..a00644903 100644 +tunable_policy(`abrt_upload_watch_anon_write',` + miscfiles_manage_public_files(abrt_upload_watch_t) +') - + ####################################### # # Upload watch local policy # - + +allow abrt_upload_watch_t self:capability { dac_read_search dac_override chown fsetid }; + +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) 
@@ -1175,7 +1175,7 @@ index eb50f070f..a00644903 100644 +abrt_dbus_chat(abrt_upload_watch_t) + corecmd_exec_bin(abrt_upload_watch_t) - + +dev_read_urand(abrt_upload_watch_t) + +files_search_spool(abrt_upload_watch_t) @@ -1192,16 +1192,16 @@ index eb50f070f..a00644903 100644 +optional_policy(` + dbus_system_bus_client(abrt_upload_watch_t) ') - + ####################################### @@ -430,10 +622,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # - + -kernel_read_system_state(abrt_domain) +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; - + files_read_etc_files(abrt_domain) - -logging_send_syslog_msg(abrt_domain) @@ -1215,7 +1215,7 @@ index f9d8d7a92..068271030 100644 +/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0) + /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - + /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) diff --git a/accountsd.if b/accountsd.if index bd5ec9ab0..554177cd2 100644 @@ -1259,20 +1259,20 @@ index bd5ec9ab0..554177cd2 100644 -## # interface(`accountsd_admin',` - gen_require(` - type accountsd_t; + gen_require(` + type accountsd_t; + type accountsd_unit_file_t; - ') - + ') + - allow $1 accountsd_t:process { ptrace signal_perms }; + allow $1 accountsd_t:process signal_perms; - ps_process_pattern($1, accountsd_t) - + ps_process_pattern($1, accountsd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 accountsd_t:process ptrace; + ') + - accountsd_manage_lib_files($1) + accountsd_manage_lib_files($1) + + accountsd_systemctl($1) + admin_pattern($1, accountsd_unit_file_t) @@ -1283,9 +1283,9 @@ index 3593510d8..7c13845fd 100644 --- a/accountsd.te +++ b/accountsd.te 
@@ -4,6 +4,10 @@ gen_require(` - class passwd all_passwd_perms; + class passwd all_passwd_perms; ') - + +gen_require(` + class passwd { passwd chfn chsh rootok crontab }; +') @@ -1294,16 +1294,16 @@ index 3593510d8..7c13845fd 100644 # # Declarations @@ -11,17 +15,21 @@ gen_require(` - + type accountsd_t; type accountsd_exec_t; -dbus_system_domain(accountsd_t, accountsd_exec_t) +init_daemon_domain(accountsd_t, accountsd_exec_t) +role system_r types accountsd_t; - + type accountsd_var_lib_t; files_type(accountsd_var_lib_t) - + +type accountsd_unit_file_t; +systemd_unit_file(accountsd_unit_file_t) + @@ -1311,7 +1311,7 @@ index 3593510d8..7c13845fd 100644 # # Local policy # - + -allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace }; +allow accountsd_t self:capability { chown dac_read_search dac_override setuid setgid sys_ptrace }; allow accountsd_t self:process signal; @@ -1319,43 +1319,43 @@ index 3593510d8..7c13845fd 100644 allow accountsd_t self:passwd { rootok passwd chfn chsh }; @@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t) dev_read_sysfs(accountsd_t) - + files_read_mnt_files(accountsd_t) -files_read_usr_files(accountsd_t) - + fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) @@ -48,12 +55,15 @@ auth_use_nsswitch(accountsd_t) auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) - + -miscfiles_read_localization(accountsd_t) +init_dbus_chat(accountsd_t) - + logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) - + +userdom_dontaudit_create_admin_dir(accountsd_t) +userdom_dontaudit_manage_admin_dir(accountsd_t) + userdom_read_user_tmp_files(accountsd_t) userdom_read_user_home_content_files(accountsd_t) - + 
@@ -65,10 +75,17 @@ optional_policy(` - consolekit_read_log(accountsd_t) + consolekit_read_log(accountsd_t) ') - + +optional_policy(` + dbus_system_domain(accountsd_t, accountsd_exec_t) +') + optional_policy(` - policykit_dbus_chat(accountsd_t) + policykit_dbus_chat(accountsd_t) ') - + optional_policy(` - xserver_read_xdm_tmp_files(accountsd_t) + xserver_read_xdm_tmp_files(accountsd_t) + xserver_read_state_xdm(accountsd_t) + xserver_dbus_chat_xdm(accountsd_t) + xserver_manage_xdm_etc_files(accountsd_t) @@ -1365,7 +1365,7 @@ index 81280d008..bc4038b45 100644 --- a/acct.if +++ b/acct.if @@ -83,6 +83,24 @@ interface(`acct_manage_data',` - + ######################################## ## +## Dontaudit Attempts to list acct_data directory @@ -1381,7 +1381,7 @@ index 81280d008..bc4038b45 100644 + type acct_data_t; + ') + -+ dontaudit $1 acct_data_t:dir list_dir_perms; ++ dontaudit $1 acct_data_t:dir list_dir_perms; +') + +####################################### @@ -1390,20 +1390,20 @@ index 81280d008..bc4038b45 100644 ## administrate an acct environment. ## @@ -103,9 +121,13 @@ interface(`acct_admin',` - type acct_t, acct_initrc_exec_t, acct_data_t; - ') - + type acct_t, acct_initrc_exec_t, acct_data_t; + ') + - allow $1 acct_t:process { ptrace signal_perms }; + allow $1 acct_t:process { signal_perms }; - ps_process_pattern($1, acct_t) - + ps_process_pattern($1, acct_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 acct_t:process ptrace; + ') + - init_labeled_script_domtrans($1, acct_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 acct_initrc_exec_t system_r; + init_labeled_script_domtrans($1, acct_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 acct_initrc_exec_t system_r; diff --git a/acct.te b/acct.te index 8b9ad83c5..f4f24864b 100644 --- a/acct.te @@ -1411,42 +1411,42 @@ index 8b9ad83c5..f4f24864b 100644 
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t) dev_read_sysfs(acct_t) dev_read_urand(acct_t) - + -domain_use_interactive_fds(acct_t) - fs_search_auto_mountpoints(acct_t) fs_getattr_xattr_fs(acct_t) - + @@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t) term_dontaudit_use_generic_ptys(acct_t) - + files_read_etc_runtime_files(acct_t) -files_list_usr(acct_t) - + auth_use_nsswitch(acct_t) - + @@ -59,8 +56,6 @@ init_exec_script_files(acct_t) - + logging_send_syslog_msg(acct_t) - + -miscfiles_read_localization(acct_t) - userdom_dontaudit_search_user_home_dirs(acct_t) userdom_dontaudit_use_unpriv_user_fds(acct_t) - + diff --git a/ada.te b/ada.te index 8d42c97ae..2377f8f82 100644 --- a/ada.te +++ b/ada.te @@ -20,7 +20,7 @@ role ada_roles types ada_t; - + allow ada_t self:process { execstack execmem }; - + -userdom_use_user_terminals(ada_t) +userdom_use_inherited_user_terminals(ada_t) - + optional_policy(` - unconfined_domain(ada_t) + unconfined_domain(ada_t) diff --git a/afs.fc b/afs.fc index 8926c1696..206ea16fd 100644 --- a/afs.fc @@ -1454,7 +1454,7 @@ index 8926c1696..206ea16fd 100644 @@ -3,6 +3,8 @@ /etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) /etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0) - + +/usr/afs(/.*)? gen_context(system_u:object_r:afs_files_t,s0) + /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0) @@ -1468,7 +1468,7 @@ index 8926c1696..206ea16fd 100644 +/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) +/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0) - + /usr/afs/db -d gen_context(system_u:object_r:afs_dbdir_t,s0) /usr/afs/db/pr.* -- gen_context(system_u:object_r:afs_pt_db_t,s0) diff --git a/afs.if b/afs.if @@ -1476,9 +1476,9 @@ index 3b41be699..97d99f979 100644 --- a/afs.if +++ b/afs.if 
@@ -38,6 +38,24 @@ interface(`afs_rw_udp_sockets',` - allow $1 afs_t:udp_socket { read write }; + allow $1 afs_t:udp_socket { read write }; ') - + +######################################## +## +## Read AFS config data @@ -1502,14 +1502,14 @@ index 3b41be699..97d99f979 100644 ## Read and write afs cache files. @@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',` interface(`afs_admin',` - gen_require(` - attribute afs_domain; + gen_require(` + attribute afs_domain; - type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t; + type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t; - type afs_ka_db_t, afs_vl_db_t, afs_config_t; - type afs_logfile_t, afs_cache_t, afs_files_t; - ') - + type afs_ka_db_t, afs_vl_db_t, afs_config_t; + type afs_logfile_t, afs_cache_t, afs_files_t; + ') + - allow $1 afs_domain:process { ptrace signal_perms }; - ps_process_pattern($1, afs_domain) + allow $1 afs_t:process signal_perms; @@ -1518,9 +1518,9 @@ index 3b41be699..97d99f979 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 afs_t:process ptrace; + ') - - afs_initrc_domtrans($1) - domain_system_change_exemption($1) + + afs_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/afs.te b/afs.te index 90ce63748..8cf712d15 100644 --- a/afs.te @@ -1528,16 +1528,16 @@ index 90ce63748..8cf712d15 100644 @@ -72,7 +72,7 @@ role system_r types afs_vlserver_t; # afs client local policy # - + -allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config }; +allow afs_t self:capability { dac_read_search dac_override sys_admin sys_nice sys_tty_config }; allow afs_t self:process { setsched signal }; allow afs_t self:fifo_file rw_file_perms; allow afs_t self:unix_stream_socket { accept listen }; @@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir }) - + kernel_rw_afs_state(afs_t) - + +corenet_all_recvfrom_netlabel(afs_t) +corenet_tcp_sendrecv_generic_if(afs_t) +corenet_udp_sendrecv_generic_if(afs_t) 
@@ -1550,12 +1550,12 @@ index 90ce63748..8cf712d15 100644 files_mounton_mnt(afs_t) -files_read_usr_files(afs_t) files_rw_etc_runtime_files(afs_t) - + fs_getattr_xattr_fs(afs_t) @@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t) - + logging_send_syslog_msg(afs_t) - + +sysnet_dns_name_resolve(afs_t) + +ifdef(`hide_broken_symptoms',` @@ -1566,34 +1566,34 @@ index 90ce63748..8cf712d15 100644 # # AFS bossserver local policy @@ -105,8 +119,11 @@ can_exec(afs_bosserver_t, afs_bosserver_exec_t) - + manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t) manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t) +filetrans_pattern(afs_bosserver_t, afs_files_t, afs_config_t, dir, "local") - + -allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms; +manage_files_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t) +manage_dirs_pattern(afs_bosserver_t, afs_dbdir_t, afs_dbdir_t) +filetrans_pattern(afs_bosserver_t, afs_files_t, afs_dbdir_t, dir, "db") - + allow afs_bosserver_t afs_fsserver_t:process signal_perms; domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t) @@ -125,7 +142,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t) - + kernel_read_kernel_sysctls(afs_bosserver_t) - + -corenet_all_recvfrom_unlabeled(afs_bosserver_t) corenet_all_recvfrom_netlabel(afs_bosserver_t) corenet_udp_sendrecv_generic_if(afs_bosserver_t) corenet_udp_sendrecv_generic_node(afs_bosserver_t) @@ -136,24 +152,24 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t) corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t) - + files_list_home(afs_bosserver_t) -files_read_usr_files(afs_bosserver_t) - + seutil_read_config(afs_bosserver_t) - + +optional_policy(` + kerberos_read_config(afs_bosserver_t) +') 
@@ -1602,22 +1602,22 @@ index 90ce63748..8cf712d15 100644 # # fileserver local policy # - + -allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice }; +allow afs_fsserver_t self:capability { kill dac_read_search dac_override chown fowner sys_nice }; dontaudit afs_fsserver_t self:capability fsetid; allow afs_fsserver_t self:process { setsched signal_perms }; allow afs_fsserver_t self:fifo_file rw_fifo_file_perms; allow afs_fsserver_t self:tcp_socket create_stream_socket_perms; - + -read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) -allow afs_fsserver_t afs_config_t:dir list_dir_perms; - manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t) manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t) - + @@ -175,12 +191,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t) - + corenet_all_recvfrom_unlabeled(afs_fsserver_t) corenet_all_recvfrom_netlabel(afs_fsserver_t) +corenet_tcp_bind_generic_node(afs_fsserver_t) @@ -1630,46 +1630,46 @@ index 90ce63748..8cf712d15 100644 -corenet_udp_bind_generic_node(afs_fsserver_t) +corenet_tcp_sendrecv_all_ports(afs_fsserver_t) +corenet_udp_sendrecv_all_ports(afs_fsserver_t) - + corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t) corenet_tcp_bind_afs_fs_port(afs_fsserver_t) @@ -190,7 +208,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t) - + files_read_etc_runtime_files(afs_fsserver_t) files_list_home(afs_fsserver_t) -files_read_usr_files(afs_fsserver_t) files_list_pids(afs_fsserver_t) files_dontaudit_search_mnt(afs_fsserver_t) - + @@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t) - + kernel_read_kernel_sysctls(afs_kaserver_t) - + -corenet_all_recvfrom_unlabeled(afs_kaserver_t) corenet_all_recvfrom_netlabel(afs_kaserver_t) corenet_udp_sendrecv_generic_if(afs_kaserver_t) corenet_udp_sendrecv_generic_node(afs_kaserver_t) 
@@ -239,7 +255,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t) corenet_udp_sendrecv_kerberos_port(afs_kaserver_t) - + files_list_home(afs_kaserver_t) -files_read_usr_files(afs_kaserver_t) - + seutil_read_config(afs_kaserver_t) - + @@ -253,16 +268,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t) allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_ptserver_t self:tcp_socket create_stream_socket_perms; - + -read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t) -allow afs_ptserver_t afs_config_t:dir list_dir_perms; - manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t) - + manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t) filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file) - + -corenet_all_recvfrom_unlabeled(afs_ptserver_t) corenet_all_recvfrom_netlabel(afs_ptserver_t) corenet_tcp_sendrecv_generic_if(afs_ptserver_t) @@ -1677,39 +1677,39 @@ index 90ce63748..8cf712d15 100644 @@ -274,6 +285,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t) corenet_udp_bind_afs_pt_port(afs_ptserver_t) corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t) - + +sysnet_read_config(afs_ptserver_t) + userdom_dontaudit_use_user_terminals(afs_ptserver_t) - + ######################################## 
@@ -284,16 +297,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t) allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms; allow afs_vlserver_t self:tcp_socket create_stream_socket_perms; - + -read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t) -allow afs_vlserver_t afs_config_t:dir list_dir_perms; - manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t) - + manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t) filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file) - + -corenet_all_recvfrom_unlabeled(afs_vlserver_t) corenet_all_recvfrom_netlabel(afs_vlserver_t) corenet_tcp_sendrecv_generic_if(afs_vlserver_t) corenet_udp_sendrecv_generic_if(afs_vlserver_t) @@ -314,8 +323,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t) - + allow afs_domain self:udp_socket create_socket_perms; - + -files_read_etc_files(afs_domain) - -miscfiles_read_localization(afs_domain) +read_files_pattern(afs_domain, afs_config_t, afs_config_t) +allow afs_domain afs_config_t:dir list_dir_perms; - + sysnet_read_config(afs_domain) + diff --git a/aiccu.if b/aiccu.if @@ -1717,20 +1717,20 @@ index 3b5dcb947..fbe187fe1 100644 --- a/aiccu.if +++ b/aiccu.if @@ -79,9 +79,13 @@ interface(`aiccu_admin',` - type aiccu_var_run_t; - ') - + type aiccu_var_run_t; + ') + - allow $1 aiccu_t:process { ptrace signal_perms }; + allow $1 aiccu_t:process signal_perms; - ps_process_pattern($1, aiccu_t) - + ps_process_pattern($1, aiccu_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 aiccu_t:process ptrace; + ') + - aiccu_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 aiccu_initrc_exec_t system_r; + aiccu_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te index 5d2b90e04..7374df0b9 100644 --- a/aiccu.te 
@@ -1746,48 +1746,48 @@ index 5d2b90e04..7374df0b9 100644 @@ -60,16 +59,23 @@ domain_use_interactive_fds(aiccu_t) dev_read_rand(aiccu_t) dev_read_urand(aiccu_t) - + -files_read_etc_files(aiccu_t) + +auth_read_passwd(aiccu_t) - + logging_send_syslog_msg(aiccu_t) - + -miscfiles_read_localization(aiccu_t) +optional_policy(` + gnome_dontaudit_search_config(aiccu_t) +') - + optional_policy(` - modutils_domtrans_insmod(aiccu_t) + modutils_domtrans_insmod(aiccu_t) ') - + +optional_policy(` + pcscd_stream_connect(aiccu_t) +') + optional_policy(` - sysnet_dns_name_resolve(aiccu_t) - sysnet_domtrans_ifconfig(aiccu_t) + sysnet_dns_name_resolve(aiccu_t) + sysnet_domtrans_ifconfig(aiccu_t) diff --git a/aide.if b/aide.if index 01cbb67df..94a4a2406 100644 --- a/aide.if +++ b/aide.if @@ -67,9 +67,13 @@ interface(`aide_admin',` - type aide_t, aide_db_t, aide_log_t; - ') - + type aide_t, aide_db_t, aide_log_t; + ') + - allow $1 aide_t:process { ptrace signal_perms }; + allow $1 aide_t:process signal_perms; - ps_process_pattern($1, aide_t) - + ps_process_pattern($1, aide_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 aide_t:process ptrace; + ') + - aide_run($1, $2) - - files_list_etc($1) + aide_run($1, $2) + + files_list_etc($1) diff --git a/aide.te b/aide.te index 03831e6e5..e7d9dd97e 100644 --- a/aide.te @@ -1798,25 +1798,25 @@ index 03831e6e5..e7d9dd97e 100644 application_domain(aide_t, aide_exec_t) +cron_system_entry(aide_t, aide_exec_t) role aide_roles types aide_t; - + type aide_log_t; 
@@ -23,22 +24,35 @@ files_type(aide_db_t) # Local policy # - + -allow aide_t self:capability { dac_override fowner }; +allow aide_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin }; +allow aide_t self:process signal; - + manage_files_pattern(aide_t, aide_db_t, aide_db_t) +files_var_lib_filetrans(aide_t, aide_db_t, { dir file }) - + -create_files_pattern(aide_t, aide_log_t, aide_log_t) -append_files_pattern(aide_t, aide_log_t, aide_log_t) -setattr_files_pattern(aide_t, aide_log_t, aide_log_t) +manage_files_pattern(aide_t, aide_log_t, aide_log_t) logging_log_filetrans(aide_t, aide_log_t, file) - + +dev_read_rand(aide_t) +dev_read_urand(aide_t) + @@ -1828,71 +1828,71 @@ index 03831e6e5..e7d9dd97e 100644 + +mls_file_read_to_clearance(aide_t) +mls_file_write_to_clearance(aide_t) - + logging_send_audit_msgs(aide_t) logging_send_syslog_msg(aide_t) - + -userdom_use_user_terminals(aide_t) +userdom_use_inherited_user_terminals(aide_t) + +optional_policy(` + prelink_domtrans(aide_t) +') - + optional_policy(` - seutil_use_newrole_fds(aide_t) + seutil_use_newrole_fds(aide_t) diff --git a/aisexec.if b/aisexec.if index a2997fa57..861cebdf9 100644 --- a/aisexec.if +++ b/aisexec.if @@ -83,9 +83,13 @@ interface(`aisexecd_admin',` - type aisexec_initrc_exec_t; - ') - + type aisexec_initrc_exec_t; + ') + - allow $1 aisexec_t:process { ptrace signal_perms }; + allow $1 aisexec_t:process signal_perms; - ps_process_pattern($1, aisexec_t) - + ps_process_pattern($1, aisexec_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 aisexec_t:process ptrace; + ') + - init_labeled_script_domtrans($1, aisexec_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 aisexec_initrc_exec_t system_r; + init_labeled_script_domtrans($1, aisexec_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 aisexec_initrc_exec_t system_r; diff --git a/aisexec.te b/aisexec.te index 4e4f06364..808e067e8 100644 --- a/aisexec.te +++ b/aisexec.te 
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) kernel_read_system_state(aisexec_t) - + corecmd_exec_bin(aisexec_t) +corecmd_exec_shell(aisexec_t) - + corenet_all_recvfrom_unlabeled(aisexec_t) corenet_all_recvfrom_netlabel(aisexec_t) @@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t) - + logging_send_syslog_msg(aisexec_t) - + -miscfiles_read_localization(aisexec_t) - userdom_rw_unpriv_user_semaphores(aisexec_t) userdom_rw_unpriv_user_shared_mem(aisexec_t) - + @@ -105,6 +104,11 @@ optional_policy(` ') - + optional_policy(` + corosync_domtrans(aisexec_t) +') + +optional_policy(` + # to communication with RHCS - rhcs_rw_dlm_controld_semaphores(aisexec_t) - - rhcs_rw_fenced_semaphores(aisexec_t) + rhcs_rw_dlm_controld_semaphores(aisexec_t) + + rhcs_rw_fenced_semaphores(aisexec_t) diff --git a/ajaxterm.fc b/ajaxterm.fc new file mode 100644 index 000000000..aeb1888a7 @@ -2074,7 +2074,7 @@ index 33d9d3111..58bf1829a 100644 @@ -23,4 +23,10 @@ ifdef(`distro_debian',` /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) - + -/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) + @@ -2088,15 +2088,15 @@ index ca8d8cf3b..053a30ad4 100644 --- a/alsa.if +++ b/alsa.if @@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',` - - userdom_search_user_home_dirs($1) - allow $1 alsa_home_t:file manage_file_perms; + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file manage_file_perms; + alsa_filetrans_home_content($1) ') - + ######################################## @@ -210,51 +211,88 @@ interface(`alsa_relabel_home_files',` - + ######################################## ## -## Create objects in user home 
@@ -2153,12 +2153,12 @@ index ca8d8cf3b..053a30ad4 100644 # -interface(`alsa_home_filetrans_alsa_home',` +interface(`alsa_filetrans_named_content',` - gen_require(` - type alsa_home_t; + gen_require(` + type alsa_home_t; + type alsa_etc_rw_t; + type alsa_var_lib_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3) + files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state") + files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm") @@ -2167,7 +2167,7 @@ index ca8d8cf3b..053a30ad4 100644 + files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm") + files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa") ') - + ######################################## ## -## Read Alsa lib files. @@ -2182,12 +2182,12 @@ index ca8d8cf3b..053a30ad4 100644 # -interface(`alsa_read_lib',` +interface(`alsa_systemctl',` - gen_require(` + gen_require(` - type alsa_var_lib_t; + type alsa_t; + type alsa_unit_file_t; - ') - + ') + - files_search_var_lib($1) - read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) + systemd_exec_systemctl($1) @@ -2197,7 +2197,7 @@ index ca8d8cf3b..053a30ad4 100644 + + ps_process_pattern($1, alsa_t) ') - + ######################################### diff --git a/alsa.te b/alsa.te index 4b153f179..a799cd394 100644 @@ -2206,23 +2206,23 @@ index 4b153f179..a799cd394 100644 @@ -15,6 +15,9 @@ role alsa_roles types alsa_t; type alsa_etc_rw_t; files_config_file(alsa_etc_rw_t) - + +type alsa_lock_t; +files_lock_file(alsa_lock_t) + type alsa_tmp_t; files_tmp_file(alsa_tmp_t) - + @@ -24,16 +27,23 @@ files_tmpfs_file(alsa_tmpfs_t) type alsa_var_lib_t; files_type(alsa_var_lib_t) - + +type alsa_var_run_t; +files_pid_file(alsa_var_run_t) + type alsa_home_t; userdom_user_home_content(alsa_home_t) - + +type alsa_unit_file_t; +systemd_unit_file(alsa_unit_file_t) + 
@@ -2230,7 +2230,7 @@ index 4b153f179..a799cd394 100644 # # Local policy # - + -allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }; -dontaudit alsa_t self:capability sys_admin; +allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice }; @@ -2240,9 +2240,9 @@ index 4b153f179..a799cd394 100644 allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; @@ -46,6 +56,9 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) - + can_exec(alsa_t, alsa_exec_t) - + +manage_files_pattern(alsa_t, alsa_lock_t, alsa_lock_t) +files_lock_filetrans(alsa_t, alsa_lock_t, file) + @@ -2252,7 +2252,7 @@ index 4b153f179..a799cd394 100644 @@ -57,7 +70,13 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file) manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) - + +manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) +manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) +manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t) @@ -2260,21 +2260,21 @@ index 4b153f179..a799cd394 100644 + kernel_read_system_state(alsa_t) +kernel_signal(alsa_t) - + corecmd_exec_bin(alsa_t) - + @@ -67,7 +86,6 @@ dev_read_sysfs(alsa_t) dev_read_urand(alsa_t) dev_write_sound(alsa_t) - + -files_read_usr_files(alsa_t) files_search_var_lib(alsa_t) - + term_dontaudit_use_console(alsa_t) @@ -80,8 +98,6 @@ init_use_fds(alsa_t) - + logging_send_syslog_msg(alsa_t) - + -miscfiles_read_localization(alsa_t) - userdom_manage_unpriv_user_semaphores(alsa_t) @@ -2294,19 +2294,19 @@ index 7f4dfbca3..e5c9f45b8 100644 
@@ -13,6 +14,8 @@ /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) - + +/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0) + /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) - + diff --git a/amanda.te b/amanda.te index 519051c7d..5f838c4dd 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; roleattribute system_r amanda_recover_roles; - + type amanda_t; +type amanda_exec_t; type amanda_inetd_exec_t; @@ -2314,28 +2314,28 @@ index 519051c7d..5f838c4dd 100644 +application_executable_file(amanda_exec_t) +init_daemon_domain(amanda_t, amanda_inetd_exec_t) +role system_r types amanda_t; - + -type amanda_exec_t; -domain_entry_file(amanda_t, amanda_exec_t) +type amanda_unit_file_t; +systemd_unit_file(amanda_unit_file_t) - + type amanda_log_t; logging_log_file(amanda_log_t) @@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t) type amanda_tmp_t; files_tmp_file(amanda_tmp_t) - + +type amanda_tmpfs_t; +files_tmpfs_file(amanda_tmpfs_t) + type amanda_amandates_t; files_type(amanda_amandates_t) - + @@ -59,8 +65,8 @@ optional_policy(` # Local policy # - + -allow amanda_t self:capability { chown dac_override setuid kill }; -allow amanda_t self:process { setpgid signal }; +allow amanda_t self:capability { chown dac_read_search dac_override setuid setgid kill sys_admin }; @@ -2344,47 +2344,47 @@ index 519051c7d..5f838c4dd 100644 allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen }; 
@@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms; - + manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) +manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t) filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) - + allow amanda_t amanda_dumpdates_t:file rw_file_perms; @@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; - + manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) +files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir) - + manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) @@ -90,23 +98,30 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir }) - + +manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t) +manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t) +fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir file }) + can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t }) - + kernel_read_kernel_sysctls(amanda_t) kernel_read_system_state(amanda_t) +kernel_read_network_state(amanda_t) kernel_dontaudit_getattr_unlabeled_files(amanda_t) kernel_dontaudit_read_proc_symlinks(amanda_t) - + corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) - + -corenet_all_recvfrom_unlabeled(amanda_t) corenet_all_recvfrom_netlabel(amanda_t) corenet_tcp_sendrecv_generic_if(amanda_t) corenet_tcp_sendrecv_generic_node(amanda_t) corenet_tcp_sendrecv_all_ports(amanda_t) corenet_tcp_bind_generic_node(amanda_t) - + +corenet_tcp_bind_amanda_port(amanda_t) +corenet_udp_bind_amanda_port(amanda_t) + @@ -2392,25 +2392,25 @@ index 519051c7d..5f838c4dd 100644 corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) 
@@ -114,6 +129,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) - + dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) +dev_read_urand(amanda_t) - + files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) @@ -126,6 +142,7 @@ files_getattr_all_sockets(amanda_t) - + fs_getattr_xattr_fs(amanda_t) fs_list_all(amanda_t) +fs_getattr_tmpfs(amanda_t) - + storage_raw_read_fixed_disk(amanda_t) storage_read_tape(amanda_t) @@ -141,7 +158,7 @@ logging_send_syslog_msg(amanda_t) # Recover local policy # - + -allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override }; +allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search dac_override }; allow amanda_recover_t self:process { sigkill sigstop signal }; @@ -2419,20 +2419,20 @@ index 519051c7d..5f838c4dd 100644 @@ -170,7 +187,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) - + -corenet_all_recvfrom_unlabeled(amanda_recover_t) corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) @@ -195,12 +211,16 @@ files_search_tmp(amanda_recover_t) - + auth_use_nsswitch(amanda_recover_t) - + -fstools_domtrans(amanda_t) -fstools_signal(amanda_t) - logging_search_logs(amanda_recover_t) - + -miscfiles_read_localization(amanda_recover_t) - -userdom_use_user_terminals(amanda_recover_t) @@ -2454,28 +2454,28 @@ index 17689a707..8aa684917 100644 @@ -12,8 +12,6 @@ ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) ') - + -/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) - /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) - + /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0) diff --git a/amavis.if b/amavis.if index 60d4f8c90..18ef0772c 100644 --- a/amavis.if 
+++ b/amavis.if @@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',` - - files_search_spool($1) - read_files_pattern($1, amavis_spool_t, amavis_spool_t) + + files_search_spool($1) + read_files_pattern($1, amavis_spool_t, amavis_spool_t) + allow $1 amavis_spool_t:dir list_dir_perms; ') - + ######################################## @@ -151,6 +152,26 @@ interface(`amavis_read_lib_files',` - files_search_var_lib($1) + files_search_var_lib($1) ') - + +######################################## +## +## Read and write amavis lib files. @@ -2500,20 +2500,20 @@ index 60d4f8c90..18ef0772c 100644 ## ## Create, read, write, and delete @@ -234,9 +255,13 @@ interface(`amavis_admin',` - type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t; - ') - + type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t; + ') + - allow $1 amavis_t:process { ptrace signal_perms }; + allow $1 amavis_t:process signal_perms; - ps_process_pattern($1, amavis_t) - + ps_process_pattern($1, amavis_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 amavis_t:process ptrace; + ') + - amavis_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 amavis_initrc_exec_t system_r; + amavis_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te index 91fa72ae1..be1f9677d 100644 --- a/amavis.te @@ -2523,21 +2523,21 @@ index 91fa72ae1..be1f9677d 100644 type amavis_exec_t; init_daemon_domain(amavis_t, amavis_exec_t) +init_nnp_daemon_domain(amavis_t) - + type amavis_etc_t; files_config_file(amavis_etc_t) 
@@ -39,14 +40,14 @@ type amavis_quarantine_t; files_type(amavis_quarantine_t) - + type amavis_spool_t; -files_type(amavis_spool_t) +files_spool_file(amavis_spool_t) - + ######################################## # # Local policy # - + -allow amavis_t self:capability { kill chown dac_override setgid setuid }; +allow amavis_t self:capability { kill chown dac_read_search dac_override setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; @@ -2546,7 +2546,7 @@ index 91fa72ae1..be1f9677d 100644 @@ -67,9 +68,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t) filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file) - + +# tmp files +manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t) @@ -2554,44 +2554,44 @@ index 91fa72ae1..be1f9677d 100644 allow amavis_t amavis_tmp_t:dir setattr_dir_perms; -files_tmp_filetrans(amavis_t, amavis_tmp_t, file) +files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } ) - + manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) @@ -95,7 +99,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t) corecmd_exec_bin(amavis_t) corecmd_exec_shell(amavis_t) - + -corenet_all_recvfrom_unlabeled(amavis_t) corenet_all_recvfrom_netlabel(amavis_t) corenet_tcp_sendrecv_generic_if(amavis_t) corenet_udp_sendrecv_generic_if(amavis_t) @@ -118,6 +121,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t) - + corenet_sendrecv_razor_client_packets(amavis_t) corenet_tcp_connect_razor_port(amavis_t) +corenet_tcp_connect_agentx_port(amavis_t) - + dev_read_rand(amavis_t) dev_read_sysfs(amavis_t) 
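Review bot: The new transition line `files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )` has a stray space before the closing parenthesis, unlike every other filetrans call in these hunks (`{ file dir })`); suggest `files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file })`. The widened class set is consistent with the `manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)` added in the preceding hunk, so no functional concern there.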
@@ -127,7 +131,6 @@ domain_use_interactive_fds(amavis_t) domain_dontaudit_read_all_domains_state(amavis_t) - + files_read_etc_runtime_files(amavis_t) -files_read_usr_files(amavis_t) files_search_spool(amavis_t) - + fs_getattr_xattr_fs(amavis_t) @@ -141,14 +144,20 @@ init_stream_connect_script(amavis_t) - + logging_send_syslog_msg(amavis_t) - + -miscfiles_read_localization(amavis_t) +miscfiles_read_generic_certs(amavis_t) + +sysnet_use_ldap(amavis_t) - + userdom_dontaudit_search_user_home_dirs(amavis_t) - + tunable_policy(`amavis_use_jit',` - allow amavis_t self:process execmem; + allow amavis_t self:process execmem; @@ -2603,36 +2603,36 @@ index 91fa72ae1..be1f9677d 100644 +optional_policy(` + antivirus_domain_template(amavis_t) ') - + optional_policy(` @@ -172,6 +181,10 @@ optional_policy(` - mta_read_config(amavis_t) + mta_read_config(amavis_t) ') - + +optional_policy(` + nslcd_stream_connect(amavis_t) +') + optional_policy(` - postfix_read_config(amavis_t) - postfix_list_spool(amavis_t) + postfix_read_config(amavis_t) + postfix_list_spool(amavis_t) diff --git a/amtu.te b/amtu.te index 16d0d66eb..60abfd080 100644 --- a/amtu.te +++ b/amtu.te @@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t) - + files_manage_boot_files(amtu_t) files_read_etc_runtime_files(amtu_t) -files_read_etc_files(amtu_t) - + logging_send_audit_msgs(amtu_t) - + -userdom_use_user_terminals(amtu_t) +userdom_use_inherited_user_terminals(amtu_t) - + optional_policy(` - nscd_dontaudit_search_pid(amtu_t) + nscd_dontaudit_search_pid(amtu_t) diff --git a/anaconda.fc b/anaconda.fc index b098089d0..fe35bebfd 100644 --- a/anaconda.fc @@ -2793,9 +2793,9 @@ index aa44abfe4..9efa1f20b 100644 --- a/anaconda.te +++ b/anaconda.te @@ -4,6 +4,10 @@ gen_require(` - class passwd all_passwd_perms; + class passwd all_passwd_perms; ') - + +gen_require(` + class passwd { passwd chfn chsh rootok crontab }; +') @@ -2806,7 +2806,7 @@ index aa44abfe4..9efa1f20b 100644 
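Review bot: The new `gen_require(` block in anaconda.te declares `class passwd { passwd chfn chsh rootok crontab };` immediately after the existing require `class passwd all_passwd_perms;`; if all_passwd_perms expands to the full permission set, as its name suggests, the second require is redundant, and two requires for the same class in one module is unusual enough to confuse the next maintainer. Either fold the explicit list into the existing block or add a one-line comment explaining why both are needed, e.g. `# explicit passwd perms kept for builds where all_passwd_perms is not defined — TODO confirm`. The rest of the anaconda.te declarations are outside this hunk.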
@@ -16,6 +20,22 @@ domain_entry_file(anaconda_t, anaconda_exec_t) domain_obj_id_change_exemption(anaconda_t) role system_r types anaconda_t; - + +attribute_role install_roles; +roleattribute system_r install_roles; + @@ -2828,18 +2828,18 @@ index aa44abfe4..9efa1f20b 100644 # Local policy @@ -34,8 +54,9 @@ modutils_domtrans_insmod(anaconda_t) modutils_domtrans_depmod(anaconda_t) - + seutil_domtrans_semanage(anaconda_t) +seutil_domtrans_setsebool(anaconda_t) - + -userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file }) +userdom_filetrans_home_content(anaconda_t) - + optional_policy(` - rpm_domtrans(anaconda_t) + rpm_domtrans(anaconda_t) @@ -53,3 +74,54 @@ optional_policy(` optional_policy(` - unconfined_domain_noaudit(anaconda_t) + unconfined_domain_noaudit(anaconda_t) ') + +######################################## @@ -3562,7 +3562,7 @@ index 7caefc353..1edf14e25 100644 +HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0) HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0) - + -/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) 
@@ -3598,7 +3598,7 @@ index 7caefc353..1edf14e25 100644 +/etc/opt/rh/rh-nginx18/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) - + -/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -3607,7 +3607,7 @@ index 7caefc353..1edf14e25 100644 +/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - + -/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) -/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -3617,22 +3617,22 @@ index 7caefc353..1edf14e25 100644 +/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) +/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0) - + -/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) - + -/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - + -/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) -/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0) +/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) - + -/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) -/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) 
@@ -3645,7 +3645,7 @@ index 7caefc353..1edf14e25 100644 -/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) - + -/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) +/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -3656,7 +3656,7 @@ index 7caefc353..1edf14e25 100644 +/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) - + -/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -3682,7 +3682,7 @@ index 7caefc353..1edf14e25 100644 +ifdef(`distro_suse', ` +/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') - + -/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -3833,7 +3833,7 @@ index 7caefc353..1edf14e25 100644 +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +') - + -/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) -/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -3921,7 +3921,7 @@ index f6eb4851f..94c92bab0 100644 
@@ -1,9 +1,9 @@ -## Various web servers. +## Apache web server - + ######################################## ## -## Create a set of derived types for @@ -3937,14 +3937,14 @@ index f6eb4851f..94c92bab0 100644 # -template(`apache_content_template',` +template(`apache_user_content_template',` - gen_require(` + gen_require(` - attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; + attribute httpd_exec_scripts, httpd_script_exec_type; - type httpd_t, httpd_suexec_t; + type httpd_t, httpd_suexec_t; + attribute httpd_script_type, httpd_user_content_type; - ') - + ') + - ######################################## - # - # Declarations @@ -4043,7 +4043,7 @@ index f6eb4851f..94c92bab0 100644 + manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) + manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) + rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) - + - type httpd_$1_ra_content_t, httpdcontent; # customizable - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) 
@@ -4052,28 +4052,28 @@ index f6eb4851f..94c92bab0 100644 + append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) + create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) + read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) - + - ######################################## - # - # Policy - # + ') - + - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) + tunable_policy(`httpd_enable_cgi',` + allow $1_script_t $1_script_exec_t:file entrypoint; - + - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; + domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t) - + - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) - + - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) 
@@ -4081,7 +4081,7 @@ index f6eb4851f..94c92bab0 100644 - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) + allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; - + - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms; - allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; @@ -4090,7 +4090,7 @@ index f6eb4851f..94c92bab0 100644 + allow httpd_t $1_script_t:unix_dgram_socket sendto; + ') +') - + - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) +######################################## @@ -4109,8 +4109,8 @@ index f6eb4851f..94c92bab0 100644 + attribute httpd_exec_scripts, httpd_script_exec_type; + type httpd_t, httpd_suexec_t; + attribute httpd_script_type, httpd_content_type; - ') - + ') + + #This type is for webpages + type $1_content_t; # customizable; + typeattribute $1_content_t httpd_content_type; @@ -4169,7 +4169,7 @@ index f6eb4851f..94c92bab0 100644 + allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write }; + + # Allow the web server to run scripts and serve pages - tunable_policy(`httpd_builtin_scripting',` + tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) 
@@ -4179,7 +4179,7 @@ index f6eb4851f..94c92bab0 100644 + manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) + manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) + rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) - + - allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; @@ -4189,22 +4189,22 @@ index f6eb4851f..94c92bab0 100644 + append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) + create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) + read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) - + - tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',` - can_exec(httpd_t, httpd_$1_rw_content_t) - ') - - tunable_policy(`httpd_enable_cgi',` + ') + + tunable_policy(`httpd_enable_cgi',` - allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint; - domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t) - ') + allow $1_script_t $1_script_exec_t:file entrypoint; - + - tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',` - can_exec(httpd_$1_script_t, httpd_$1_rw_content_t) - ') + domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t) - + - tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms; 
@@ -4212,7 +4212,7 @@ index f6eb4851f..94c92bab0 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) - + - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) + allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; @@ -4220,9 +4220,9 @@ index f6eb4851f..94c92bab0 100644 + # apache runs the script: + domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) + allow httpd_t $1_script_t:unix_dgram_socket sendto; - ') + ') ') - + ######################################## ## -## Role access for apache. @@ -4265,17 +4265,17 @@ index f6eb4851f..94c92bab0 100644 ## # interface(`apache_role',` - gen_require(` - attribute httpdcontent; + gen_require(` + attribute httpdcontent; - type httpd_user_content_t, httpd_user_htaccess_t; - type httpd_user_script_t, httpd_user_script_exec_t; - type httpd_user_ra_content_t, httpd_user_rw_content_t; + type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t; + type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t; - ') - - role $1 types httpd_user_script_t; - + ') + + role $1 types httpd_user_script_t; + - allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms }; - - allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms }; @@ -4340,14 +4340,14 @@ index f6eb4851f..94c92bab0 100644 + + apache_exec_modules($2) + apache_filetrans_home_content($2) - - tunable_policy(`httpd_enable_cgi',` + + tunable_policy(`httpd_enable_cgi',` + # If a user starts a script by hand it gets the proper context - domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) - ') - + domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) + ') + 
@@ -184,7 +315,7 @@ interface(`apache_role',` - + ######################################## ## -## Read user httpd script executable files. @@ -4356,7 +4356,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -204,7 +335,7 @@ interface(`apache_read_user_scripts',` - + ######################################## ## -## Read user httpd content. @@ -4365,7 +4365,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -224,7 +355,27 @@ interface(`apache_read_user_content',` - + ######################################## ## -## Execute httpd with a domain transition. @@ -4394,9 +4394,9 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -241,27 +392,47 @@ interface(`apache_domtrans',` - domtrans_pattern($1, httpd_exec_t, httpd_t) + domtrans_pattern($1, httpd_exec_t, httpd_t) ') - + -######################################## +###################################### ## @@ -4413,11 +4413,11 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_initrc_domtrans',` +interface(`apache_exec',` - gen_require(` + gen_require(` - type httpd_initrc_exec_t; + type httpd_exec_t; - ') - + ') + - init_labeled_script_domtrans($1, httpd_initrc_exec_t) + can_exec($1, httpd_exec_t) +') @@ -4440,7 +4440,7 @@ index f6eb4851f..94c92bab0 100644 + + can_exec($1, httpd_suexec_exec_t) ') - + ####################################### ## -## Send generic signals to httpd. @@ -4449,7 +4449,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -279,7 +450,7 @@ interface(`apache_signal',` - + ######################################## ## -## Send null signals to httpd. @@ -4458,7 +4458,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -297,7 +468,7 @@ interface(`apache_signull',` - + ######################################## ## -## Send child terminated signals to httpd. @@ -4467,7 +4467,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -315,8 +486,7 @@ interface(`apache_sigchld',` - + ######################################## ## -## Inherit and use file descriptors @@ -4477,7 +4477,7 @@ index f6eb4851f..94c92bab0 100644 ## ## 
@@ -334,8 +504,8 @@ interface(`apache_use_fds',` - + ######################################## ## -## Do not audit attempts to read and @@ -4488,9 +4488,9 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -348,13 +518,32 @@ interface(`apache_dontaudit_rw_fifo_file',` - type httpd_t; - ') - + type httpd_t; + ') + - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; +') @@ -4513,7 +4513,7 @@ index f6eb4851f..94c92bab0 100644 + + allow $1 httpd_t:unix_stream_socket { getattr read write }; ') - + ######################################## ## -## Do not audit attempts to read and @@ -4524,13 +4524,13 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -367,13 +556,13 @@ interface(`apache_dontaudit_rw_stream_sockets',` - type httpd_t; - ') - + type httpd_t; + ') + - dontaudit $1 httpd_t:unix_stream_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { getattr read write }; ') - + ######################################## ## -## Do not audit attempts to read and @@ -4541,7 +4541,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -391,8 +580,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` - + ######################################## ## -## Create, read, write, and delete @@ -4551,7 +4551,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -417,7 +605,8 @@ interface(`apache_manage_all_content',` - + ######################################## ## -## Set attributes httpd cache directories. @@ -4561,7 +4561,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -435,7 +624,8 @@ interface(`apache_setattr_cache_dirs',` - + ######################################## ## -## List httpd cache directories. @@ -4571,7 +4571,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -453,7 +643,8 @@ interface(`apache_list_cache',` - + ######################################## ## -## Read and write httpd cache files. @@ -4581,7 +4581,7 @@ index f6eb4851f..94c92bab0 100644 ## ## 
@@ -471,7 +662,8 @@ interface(`apache_rw_cache_files',` - + ######################################## ## -## Delete httpd cache directories. @@ -4591,7 +4591,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -489,7 +681,8 @@ interface(`apache_delete_cache_dirs',` - + ######################################## ## -## Delete httpd cache files. @@ -4601,7 +4601,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -507,49 +700,51 @@ interface(`apache_delete_cache_files',` - + ######################################## ## -## Read httpd configuration files. @@ -4617,17 +4617,17 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_read_config',` +interface(`apache_search_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) - allow $1 httpd_config_t:dir list_dir_perms; - read_files_pattern($1, httpd_config_t, httpd_config_t) - read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) + allow $1 httpd_config_t:dir search_dir_perms; ') - + ######################################## ## -## Search httpd configuration directories. @@ -4643,17 +4643,17 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_search_config',` +interface(`apache_read_config',` - gen_require(` - type httpd_config_t; - ') - - files_search_etc($1) + gen_require(` + type httpd_config_t; + ') + + files_search_etc($1) - allow $1 httpd_config_t:dir search_dir_perms; + allow $1 httpd_config_t:dir list_dir_perms; + read_files_pattern($1, httpd_config_t, httpd_config_t) + read_lnk_files_pattern($1, httpd_config_t, httpd_config_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -4664,7 +4664,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -570,8 +765,8 @@ interface(`apache_manage_config',` - + ######################################## ## -## Execute the Apache helper program @@ -4677,12 +4677,12 @@ index f6eb4851f..94c92bab0 100644 
@@ -608,16 +803,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` - gen_require(` + gen_require(` - attribute_role httpd_helper_roles; + type httpd_helper_t; - ') - - apache_domtrans_helper($1) + ') + + apache_domtrans_helper($1) - roleattribute $2 httpd_helper_roles; + role $2 types httpd_helper_t; +') @@ -4707,7 +4707,7 @@ index f6eb4851f..94c92bab0 100644 + dontaudit $1 httpd_log_t:file read_file_perms; + dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms; ') - + ######################################## ## -## Read httpd log files. @@ -4717,7 +4717,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -639,7 +856,8 @@ interface(`apache_read_log',` - + ######################################## ## -## Append httpd log files. @@ -4727,9 +4727,9 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -657,10 +875,29 @@ interface(`apache_append_log',` - append_files_pattern($1, httpd_log_t, httpd_log_t) + append_files_pattern($1, httpd_log_t, httpd_log_t) ') - + +####################################### +## +## Allow the specified domain to write @@ -4759,7 +4759,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -678,8 +915,8 @@ interface(`apache_dontaudit_append_log',` - + ######################################## ## -## Create, read, write, and delete @@ -4775,11 +4775,11 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_manage_log',` +interface(`apache_manage_lib',` - gen_require(` + gen_require(` - type httpd_log_t; + type httpd_var_lib_t; - ') - + ') + - logging_search_logs($1) - manage_dirs_pattern($1, httpd_log_t, httpd_log_t) - manage_files_pattern($1, httpd_log_t, httpd_log_t) @@ -4789,7 +4789,7 @@ index f6eb4851f..94c92bab0 100644 + manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) + read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ') - + -####################################### +######################################## ## 
@@ -4805,17 +4805,17 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_write_log',` +interface(`apache_manage_log',` - gen_require(` - type httpd_log_t; - ') - - logging_search_logs($1) + gen_require(` + type httpd_log_t; + ') + + logging_search_logs($1) - write_files_pattern($1, httpd_log_t, httpd_log_t) + manage_dirs_pattern($1, httpd_log_t, httpd_log_t) + manage_files_pattern($1, httpd_log_t, httpd_log_t) + read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') - + ######################################## ## -## Do not audit attempts to search @@ -4826,7 +4826,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -738,7 +978,8 @@ interface(`apache_dontaudit_search_modules',` - + ######################################## ## -## List httpd module directories. @@ -4841,14 +4841,14 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_list_modules',` +interface(`apache_read_modules',` - gen_require(` - type httpd_modules_t; - ') - + gen_require(` + type httpd_modules_t; + ') + - allow $1 httpd_modules_t:dir list_dir_perms; + read_files_pattern($1, httpd_modules_t, httpd_modules_t) ') - + ######################################## ## -## Execute httpd module files. @@ -4864,16 +4864,16 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_exec_modules',` +interface(`apache_list_modules',` - gen_require(` - type httpd_modules_t; - ') - - allow $1 httpd_modules_t:dir list_dir_perms; + gen_require(` + type httpd_modules_t; + ') + + allow $1 httpd_modules_t:dir list_dir_perms; - allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; - can_exec($1, httpd_modules_t) + read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') - + ######################################## ## -## Read httpd module files. 
@@ -4888,17 +4888,17 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_read_module_files',` +interface(`apache_exec_modules',` - gen_require(` - type httpd_modules_t; - ') - + gen_require(` + type httpd_modules_t; + ') + - libs_search_lib($1) - read_files_pattern($1, httpd_modules_t, httpd_modules_t) + allow $1 httpd_modules_t:dir list_dir_perms; + allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; + can_exec($1, httpd_modules_t) ') - + ######################################## ## -## Execute a domain transition to @@ -4908,13 +4908,13 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -809,13 +1052,50 @@ interface(`apache_domtrans_rotatelogs',` - type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; - ') - + type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') - + +####################################### +## +## Execute httpd_rotatelogs in the caller domain. @@ -4961,13 +4961,13 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -829,13 +1109,14 @@ interface(`apache_list_sys_content',` - ') - - list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + ') + + list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) - files_search_var($1) + files_search_var($1) ') - + ######################################## ## -## Create, read, write, and delete @@ -4983,12 +4983,12 @@ index f6eb4851f..94c92bab0 100644 # +# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr interface(`apache_manage_sys_content',` - gen_require(` - type httpd_sys_content_t; + gen_require(` + type httpd_sys_content_t; 
@@ -855,32 +1137,98 @@ interface(`apache_manage_sys_content',` - manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') - + -######################################## +###################################### +## @@ -5046,18 +5046,18 @@ index f6eb4851f..94c92bab0 100644 # -interface(`apache_manage_sys_rw_content',` +interface(`apache_manage_sys_content_rw',` - gen_require(` - type httpd_sys_rw_content_t; - ') - + gen_require(` + type httpd_sys_rw_content_t; + ') + - apache_search_sys_content($1) + files_search_var($1) - manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) + manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ') - + ######################################## ## -## Execute all httpd scripts in the @@ -5099,8 +5099,8 @@ index f6eb4851f..94c92bab0 100644 +# cjp: this interface specifically added to allow +# sysadm_t to run scripts interface(`apache_domtrans_sys_script',` - gen_require(` - attribute httpdcontent; + gen_require(` + attribute httpdcontent; - type httpd_sys_script_t; + type httpd_sys_script_exec_t; + type httpd_sys_script_t, httpd_sys_content_t; @@ -5108,11 +5108,11 @@ index f6eb4851f..94c92bab0 100644 + + tunable_policy(`httpd_enable_cgi',` + domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) - ') - - tunable_policy(`httpd_enable_cgi && httpd_unified',` + ') + + tunable_policy(`httpd_enable_cgi && httpd_unified',` @@ -901,9 +1256,8 @@ interface(`apache_domtrans_sys_script',` - + ######################################## ## -## Do not audit attempts to read and 
@@ -5124,13 +5124,13 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -916,7 +1270,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',` - type httpd_sys_script_t; - ') - + type httpd_sys_script_t; + ') + - dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write }; + dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write }; ') - + ######################################## @@ -941,7 +1295,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## @@ -5148,9 +5148,9 @@ index f6eb4851f..94c92bab0 100644 +## # interface(`apache_run_all_scripts',` - gen_require(` + gen_require(` @@ -966,7 +1321,8 @@ interface(`apache_run_all_scripts',` - + ######################################## ## -## Read httpd squirrelmail data files. @@ -5160,13 +5160,13 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -979,12 +1335,13 @@ interface(`apache_read_squirrelmail_data',` - type httpd_squirrelmail_t; - ') - + type httpd_squirrelmail_t; + ') + - allow $1 httpd_squirrelmail_t:file read_file_perms; + read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t) ') - + ######################################## ## -## Append httpd squirrelmail data files. @@ -5176,7 +5176,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -1002,7 +1359,7 @@ interface(`apache_append_squirrelmail_data',` - + ######################################## ## -## Search httpd system content. @@ -5185,13 +5185,13 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -1015,13 +1372,12 @@ interface(`apache_search_sys_content',` - type httpd_sys_content_t; - ') - + type httpd_sys_content_t; + ') + - files_search_var($1) - allow $1 httpd_sys_content_t:dir search_dir_perms; + allow $1 httpd_sys_content_t:dir search_dir_perms; ') - + ######################################## ## -## Read httpd system content. @@ -5200,7 +5200,7 @@ index f6eb4851f..94c92bab0 100644 ## ## 
@@ -1041,7 +1397,7 @@ interface(`apache_read_sys_content',` - + ######################################## ## -## Search httpd system CGI directories. @@ -5209,7 +5209,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -1059,8 +1415,7 @@ interface(`apache_search_sys_scripts',` - + ######################################## ## -## Create, read, write, and delete all @@ -5221,12 +5221,12 @@ index f6eb4851f..94c92bab0 100644 @@ -1071,18 +1426,21 @@ interface(`apache_search_sys_scripts',` # interface(`apache_manage_all_user_content',` - gen_require(` + gen_require(` - type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t; - type httpd_user_htaccess_t, httpd_user_script_exec_t; + attribute httpd_user_content_type, httpd_user_script_exec_type; - ') - + ') + - manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }) - manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }) - manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }) @@ -5238,7 +5238,7 @@ index f6eb4851f..94c92bab0 100644 + manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) + manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type) ') - + ######################################## ## -## Search system script state directories. @@ -5247,7 +5247,7 @@ index f6eb4851f..94c92bab0 100644 ## ## 
@@ -1100,7 +1458,48 @@ interface(`apache_search_sys_script_state',` - + ######################################## ## -## Read httpd tmp files. @@ -5297,7 +5297,7 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -1119,8 +1518,47 @@ interface(`apache_read_tmp_files',` - + ######################################## ## -## Do not audit attempts to write @@ -5347,13 +5347,13 @@ index f6eb4851f..94c92bab0 100644 ## ## @@ -1133,7 +1571,7 @@ interface(`apache_dontaudit_write_tmp_files',` - type httpd_tmp_t; - ') - + type httpd_tmp_t; + ') + - dontaudit $1 httpd_tmp_t:file write_file_perms; + dontaudit $1 httpd_tmp_t:file write; ') - + ######################################## @@ -1142,6 +1580,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## @@ -5366,7 +5366,7 @@ index f6eb4851f..94c92bab0 100644 ## and its use is not allowed in upstream reference ## policy. @@ -1171,8 +1612,31 @@ interface(`apache_cgi_domain',` - + ######################################## ## -## All of the rules required to @@ -5401,10 +5401,10 @@ index f6eb4851f..94c92bab0 100644 ## @@ -1189,18 +1653,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` - gen_require(` - attribute httpdcontent, httpd_script_exec_type; + gen_require(` + attribute httpdcontent, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; - type httpd_t, httpd_config_t, httpd_log_t; + type httpd_t, httpd_config_t, httpd_log_t; - type httpd_modules_t, httpd_lock_t, httpd_helper_t; - type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t; - type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t; 
@@ -5413,8 +5413,8 @@ index f6eb4851f..94c92bab0 100644 + type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t; + type httpd_suexec_tmp_t, httpd_tmp_t; + type httpd_unit_file_t; - ') - + ') + - allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms }; - allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t }) @@ -5425,27 +5425,27 @@ index f6eb4851f..94c92bab0 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 httpd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, httpd_initrc_exec_t) + domain_system_change_exemption($1) @@ -1210,10 +1675,10 @@ interface(`apache_admin',` - apache_manage_all_content($1) - miscfiles_manage_public_files($1) - + apache_manage_all_content($1) + miscfiles_manage_public_files($1) + - files_search_etc($1) - admin_pattern($1, { httpd_keytab_t httpd_config_t }) + files_list_etc($1) + admin_pattern($1, httpd_config_t) - + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, httpd_log_t) - - admin_pattern($1, httpd_modules_t) + admin_pattern($1, httpd_log_t) + + admin_pattern($1, httpd_modules_t) @@ -1224,9 +1689,165 @@ interface(`apache_admin',` - admin_pattern($1, httpd_var_run_t) - files_pid_filetrans($1, httpd_var_run_t, file) - + admin_pattern($1, httpd_var_run_t) + files_pid_filetrans($1, httpd_var_run_t, file) + - admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type }) - admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t }) + admin_pattern($1, httpdcontent) @@ -5588,7 +5588,7 @@ index f6eb4851f..94c92bab0 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") +') + - + - apache_run_all_scripts($1, $2) - apache_run_helper($1, $2) +######################################## 
@@ -5619,7 +5619,7 @@ index 6649962b6..e51965af4 100644 @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) # Declarations # - + +selinux_genbool(httpd_bool_t) + ## @@ -5637,7 +5637,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(allow_httpd_anon_write, false) +gen_tunable(httpd_anon_write, false) - + ## -##

      -## Determine whether httpd can use mod_auth_pam. @@ -5648,7 +5648,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(allow_httpd_mod_auth_pam, false) +gen_tunable(httpd_dontaudit_search_dirs, false) - + ## -##

      -## Determine whether httpd can use built in scripting. @@ -5659,7 +5659,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_builtin_scripting, false) +gen_tunable(httpd_mod_auth_pam, false) - + ## -##

      -## Determine whether httpd can check spam. @@ -5670,7 +5670,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_can_check_spam, false) +gen_tunable(httpd_mod_auth_ntlm_winbind, false) - + ## -##

      -## Determine whether httpd scripts and modules @@ -5709,7 +5709,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_can_network_connect, false) - + ## -##

      -## Determine whether httpd scripts and modules @@ -5720,7 +5720,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_can_network_connect_cobbler, false) - + ## -##

      -## Determine whether scripts and modules can @@ -5732,7 +5732,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_can_network_connect_db, false) +gen_tunable(httpd_serve_cobbler_files, false) - + ## -##

      -## Determine whether httpd can connect to @@ -5744,7 +5744,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_can_network_connect_ldap, false) +gen_tunable(httpd_graceful_shutdown, false) - + ## -##

      -## Determine whether httpd can connect @@ -5763,7 +5763,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_can_network_connect_memcache, false) +gen_tunable(httpd_can_network_memcache, false) - + ## -##

      -## Determine whether httpd can act as a relay. @@ -5773,7 +5773,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_can_network_relay, false) - + ## -##

      -## Determine whether httpd daemon can @@ -5785,7 +5785,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_can_network_connect_zabbix, false) +gen_tunable(httpd_can_connect_zabbix, false) - + ## -##

      -## Determine whether httpd can send mail. @@ -5809,7 +5809,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_can_sendmail, false) - + ## -##

      -## Determine whether httpd can communicate @@ -5820,7 +5820,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_dbus_avahi, false) - + ## -##

      -## Determine wether httpd can use support. @@ -5831,7 +5831,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_enable_cgi, false) +gen_tunable(httpd_dbus_sssd, false) - + ## -##

      -## Determine whether httpd can act as a @@ -5843,7 +5843,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_enable_ftp_server, false) +gen_tunable(httpd_enable_cgi, false) - + ## -##

      -## Determine whether httpd can traverse @@ -5856,7 +5856,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_enable_homedirs, false) +gen_tunable(httpd_enable_ftp_server, false) - + ## -##

      -## Determine whether httpd gpg can modify @@ -5871,19 +5871,19 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_gpg_anon_write, false) +gen_tunable(httpd_can_connect_ftp, false) - + ## -##

      -## Determine whether httpd can execute -## its temporary content. -##

      +##

      -+## Allow httpd to connect to the ldap port ++## Allow httpd to connect to the ldap port +##

      ##
      -gen_tunable(httpd_tmp_exec, false) +gen_tunable(httpd_can_connect_ldap, false) - + ## -##

      -## Determine whether httpd scripts and @@ -5895,19 +5895,19 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_execmem, false) +gen_tunable(httpd_enable_homedirs, false) - + ## -##

      -## Determine whether httpd can connect -## to port 80 for graceful shutdown. -##

      +##

      -+## Allow httpd to read user content ++## Allow httpd to read user content +##

      ##
      -gen_tunable(httpd_graceful_shutdown, false) +gen_tunable(httpd_read_user_content, false) - + ## -##

      -## Determine whether httpd can @@ -5920,7 +5920,7 @@ index 6649962b6..e51965af4 100644 -gen_tunable(httpd_manage_ipa, false) +gen_tunable(httpd_run_stickshift, false) + - + ## -##

      -## Determine whether httpd can use mod_auth_ntlm_winbind. @@ -5931,7 +5931,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_mod_auth_ntlm_winbind, false) +gen_tunable(httpd_run_preupgrade, false) - + ## -##

      -## Determine whether httpd can read @@ -5943,7 +5943,7 @@ index 6649962b6..e51965af4 100644 ## -gen_tunable(httpd_read_user_content, false) +gen_tunable(httpd_verify_dns, false) - + ## -##

      -## Determine whether httpd can change @@ -5954,7 +5954,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_setrlimit, false) - + ## -##

      -## Determine whether httpd can run @@ -5966,7 +5966,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_ssi_exec, false) - + ## -##

      -## Determine whether httpd can communicate @@ -5987,7 +5987,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_tty_comm, false) - + ## -##

      -## Determine whether httpd can have full access @@ -5998,7 +5998,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_unified, false) - + ## -##

      -## Determine whether httpd can use @@ -6016,7 +6016,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_use_cifs, false) - + ## ##

      -## Determine whether httpd can @@ -6025,7 +6025,7 @@ index 6649962b6..e51965af4 100644 ##

      ##
      gen_tunable(httpd_use_fusefs, false) - + ## -##

      -## Determine whether httpd can use gpg. @@ -6035,7 +6035,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_use_gpg, false) - + ## -##

      -## Determine whether httpd can use @@ -6053,7 +6053,7 @@ index 6649962b6..e51965af4 100644 +##

      ##
      gen_tunable(httpd_use_nfs, false) - + +## +##

      +## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t. @@ -6065,19 +6065,19 @@ index 6649962b6..e51965af4 100644 -attribute httpd_htaccess_type; +attribute httpd_user_content_type; +attribute httpd_content_type; - + -# domains that can exec all scripts +# domains that can exec all users scripts attribute httpd_exec_scripts; - + +attribute httpd_script_type; attribute httpd_script_exec_type; +attribute httpd_user_script_exec_type; - + -# all script domains +# user script domains attribute httpd_script_domains; - + -attribute_role httpd_helper_roles; -roleattribute system_r httpd_helper_roles; - @@ -6089,16 +6089,16 @@ index 6649962b6..e51965af4 100644 +') init_daemon_domain(httpd_t, httpd_exec_t) +role system_r types httpd_t; - + +# httpd_cache_t is the type given to the /var/cache/httpd +# directory and the files under that directory type httpd_cache_t; files_type(httpd_cache_t) - + +# httpd_config_t is the type given to the configuration files type httpd_config_t; files_config_file(httpd_config_t) - + type httpd_helper_t; type httpd_helper_exec_t; -application_domain(httpd_helper_t, httpd_helper_exec_t) @@ -6106,13 +6106,13 @@ index 6649962b6..e51965af4 100644 +domain_type(httpd_helper_t) +domain_entry_file(httpd_helper_t, httpd_helper_exec_t) +role system_r types httpd_helper_t; - + type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -286,15 +352,35 @@ init_script_file(httpd_initrc_exec_t) type httpd_keytab_t; files_type(httpd_keytab_t) - + +type httpd_unit_file_t; +ifdef(`distro_redhat',` + typealias httpd_unit_file_t alias phpfpm_unit_file_t; 
@@ -6121,18 +6121,18 @@ index 6649962b6..e51965af4 100644 + type httpd_lock_t; files_lock_file(httpd_lock_t) - + type httpd_log_t; +ifdef(`distro_redhat',` + typealias httpd_log_t alias phpfpm_log_t; +') logging_log_file(httpd_log_t) - + +# httpd_modules_t is the type given to module files (libraries) +# that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; files_type(httpd_modules_t) - + +type httpd_php_t; +type httpd_php_exec_t; +domain_type(httpd_php_t) @@ -6148,7 +6148,7 @@ index 6649962b6..e51965af4 100644 @@ -302,10 +388,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) - + -type squirrelmail_spool_t; -files_tmp_file(squirrelmail_spool_t) - @@ -6161,7 +6161,7 @@ index 6649962b6..e51965af4 100644 @@ -314,9 +398,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) - + -apache_content_template(sys) -corecmd_shell_entry_type(httpd_sys_script_t) -typealias httpd_sys_content_t alias ntop_http_content_t; @@ -6178,13 +6178,13 @@ index 6649962b6..e51965af4 100644 +typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t }; +typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_t alias httpd_fastcgi_script_t; - + type httpd_tmp_t; files_tmp_file(httpd_tmp_t) @@ -324,14 +418,16 @@ files_tmp_file(httpd_tmp_t) type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) - + -apache_content_template(user) +apache_user_content_template(httpd_user) ubac_constrained(httpd_user_script_t) @@ -6207,17 +6207,17 @@ index 6649962b6..e51965af4 100644 
@@ -346,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; - + +# for apache2 memory mapped files type httpd_var_lib_t; files_type(httpd_var_lib_t) - + type httpd_var_run_t; +ifdef(`distro_redhat',` + typealias httpd_var_run_t alias phpfpm_var_run_t; +') files_pid_file(httpd_var_run_t) - + -type httpd_passwd_t; -type httpd_passwd_exec_t; -domain_type(httpd_passwd_t) @@ -6225,7 +6225,7 @@ index 6649962b6..e51965af4 100644 -role system_r types httpd_passwd_t; +# Removal of fastcgi, will cause problems without the following +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t; - + -type httpd_gpg_t; -domain_type(httpd_gpg_t) -role system_r types httpd_gpg_t; @@ -6233,11 +6233,11 @@ index 6649962b6..e51965af4 100644 +type squirrelmail_spool_t; +files_tmp_file(squirrelmail_spool_t) +files_spool_file(squirrelmail_spool_t) - + optional_policy(` - prelink_object_file(httpd_modules_t) + prelink_object_file(httpd_modules_t) ') - + +type httpd_passwd_t; +type httpd_passwd_exec_t; +application_domain(httpd_passwd_t, httpd_passwd_exec_t) @@ -6248,7 +6248,7 @@ index 6649962b6..e51965af4 100644 -# Local policy +# Apache server local policy # - + -allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config }; -dontaudit httpd_t self:capability net_admin; +allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot }; 
@@ -6268,7 +6268,7 @@ index 6649962b6..e51965af4 100644 +allow httpd_t self:tcp_socket create_stream_socket_perms; +allow httpd_t self:udp_socket create_socket_perms; +dontaudit httpd_t self:netlink_audit_socket create_socket_perms; - + +# Allow httpd_t to put files in /var/cache/httpd etc manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) @@ -6276,7 +6276,7 @@ index 6649962b6..e51965af4 100644 -files_var_filetrans(httpd_t, httpd_cache_t, dir) +files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) +allow httpd_t httpd_cache_t:file map; - + +# Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) @@ -6284,12 +6284,12 @@ index 6649962b6..e51965af4 100644 +allow httpd_t httpd_config_t:file map; + +can_exec(httpd_t, httpd_exec_t) - + allow httpd_t httpd_keytab_t:file read_file_perms; - + allow httpd_t httpd_lock_t:file manage_file_perms; files_lock_filetrans(httpd_t, httpd_lock_t, file) - + -allow httpd_t httpd_log_t:dir setattr_dir_perms; +allow httpd_t httpd_log_t:dir setattr; create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t) @@ -6301,16 +6301,16 @@ index 6649962b6..e51965af4 100644 +# cjp: need to refine create interfaces to +# cut this back to add_name only logging_log_filetrans(httpd_t, httpd_log_t, file) - + allow httpd_t httpd_modules_t:dir list_dir_perms; 
@@ -412,13 +526,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) - + +apache_domtrans_rotatelogs(httpd_t) +# Apache-httpd needs to be able to send signals to the log rotate procs. allow httpd_t httpd_rotatelogs_t:process signal_perms; - + manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) @@ -6318,21 +6318,21 @@ index 6649962b6..e51965af4 100644 + +allow httpd_t httpd_suexec_t:process { signal signull }; +allow httpd_t httpd_suexec_t:file read_file_perms; - + -allow httpd_t httpd_suexec_exec_t:file read_file_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +allow httpd_t httpd_sys_content_t:file map; - + allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; - + @@ -428,6 +551,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) +allow httpd_t httpd_tmp_t:file map; - + manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) @@ -435,9 +559,11 @@ manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) 
@@ -6340,17 +6340,17 @@ index 6649962b6..e51965af4 100644 manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +allow httpd_t httpd_tmpfs_t:file map; - + manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) +manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) - + setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) @@ -450,140 +576,178 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) - + -can_exec(httpd_t, httpd_exec_t) - -domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) @@ -6364,7 +6364,7 @@ index 6649962b6..e51965af4 100644 kernel_read_system_state(httpd_t) +kernel_read_network_state(httpd_t) kernel_search_network_sysctl(httpd_t) - + -corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) corenet_tcp_sendrecv_generic_if(httpd_t) @@ -6396,12 +6396,12 @@ index 6649962b6..e51965af4 100644 +tunable_policy(`httpd_graceful_shutdown',` + corenet_tcp_connect_http_port(httpd_t) +') - + dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) dev_read_urand(httpd_t) dev_rw_crypto(httpd_t) - + -domain_use_interactive_fds(httpd_t) - fs_getattr_all_fs(httpd_t) @@ -6425,7 +6425,7 @@ index 6649962b6..e51965af4 100644 + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) - + +files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) 
@@ -6443,7 +6443,7 @@ index 6649962b6..e51965af4 100644 +# Allow httpd_t to have access to files such as nisswitch.conf +# for tomcat files_read_var_lib_symlinks(httpd_t) - + -auth_use_nsswitch(httpd_t) +fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them @@ -6453,15 +6453,15 @@ index 6649962b6..e51965af4 100644 +manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) - + libs_read_lib_files(httpd_t) - + +ifdef(`hide_broken_symptoms',` + libs_exec_lib_files(httpd_t) +') + logging_send_syslog_msg(httpd_t) - + -miscfiles_read_localization(httpd_t) +init_dontaudit_read_utmp(httpd_t) + @@ -6473,11 +6473,11 @@ index 6649962b6..e51965af4 100644 - -seutil_dontaudit_search_config(httpd_t) +miscfiles_dontaudit_access_check_cert(httpd_t) - + userdom_use_unpriv_users_fds(httpd_t) +userdom_rw_inherited_user_tmp_files(httpd_t) +userdom_map_tmp_files(httpd_t) - + -ifdef(`TODO',` - tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) @@ -6485,19 +6485,19 @@ index 6649962b6..e51965af4 100644 + allow httpd_t self:process setrlimit; + allow httpd_t self:capability sys_resource; +') - + - logging_send_audit_msgs(httpd_t) - ') +tunable_policy(`httpd_anon_write',` + miscfiles_manage_public_files(httpd_t) ') - + -ifdef(`hide_broken_symptoms',` - libs_exec_lib_files(httpd_t) +tunable_policy(`httpd_dontaudit_search_dirs',` + files_dontaudit_search_non_security_dirs(httpd_t) ') - + -tunable_policy(`allow_httpd_anon_write',` - miscfiles_manage_public_files(httpd_t) +# 
@@ -6513,19 +6513,19 @@ index 6649962b6..e51965af4 100644 + samba_domtrans_winbind_helper(httpd_t) + ') ') - + tunable_policy(`httpd_can_network_connect',` - corenet_sendrecv_all_client_packets(httpd_t) - corenet_tcp_connect_all_ports(httpd_t) + corenet_tcp_connect_all_ports(httpd_t) - corenet_tcp_sendrecv_all_ports(httpd_t) ') - + tunable_policy(`httpd_can_network_connect_db',` - corenet_sendrecv_gds_db_client_packets(httpd_t) - corenet_tcp_connect_gds_db_port(httpd_t) + corenet_tcp_connect_gds_db_port(httpd_t) - corenet_tcp_sendrecv_gds_db_port(httpd_t) - corenet_sendrecv_mssql_client_packets(httpd_t) - corenet_tcp_connect_mssql_port(httpd_t) + corenet_tcp_connect_mssql_port(httpd_t) - corenet_tcp_sendrecv_mssql_port(httpd_t) - corenet_sendrecv_oracledb_client_packets(httpd_t) - corenet_tcp_connect_oracledb_port(httpd_t) 
@@ -6539,23 +6539,23 @@ index 6649962b6..e51965af4 100644 +tunable_policy(`httpd_can_network_memcache',` + corenet_tcp_connect_memcache_port(httpd_t) ') - + tunable_policy(`httpd_can_network_relay',` - corenet_sendrecv_gopher_client_packets(httpd_t) + # allow httpd to work as a relay - corenet_tcp_connect_gopher_port(httpd_t) + corenet_tcp_connect_gopher_port(httpd_t) - corenet_tcp_sendrecv_gopher_port(httpd_t) - corenet_sendrecv_ftp_client_packets(httpd_t) - corenet_tcp_connect_ftp_port(httpd_t) + corenet_tcp_connect_ftp_port(httpd_t) - corenet_tcp_sendrecv_ftp_port(httpd_t) - corenet_sendrecv_http_client_packets(httpd_t) - corenet_tcp_connect_http_port(httpd_t) + corenet_tcp_connect_http_port(httpd_t) - corenet_tcp_sendrecv_http_port(httpd_t) - corenet_sendrecv_http_cache_client_packets(httpd_t) - corenet_tcp_connect_http_cache_port(httpd_t) + corenet_tcp_connect_http_cache_port(httpd_t) - corenet_tcp_sendrecv_http_cache_port(httpd_t) - corenet_sendrecv_squid_client_packets(httpd_t) - corenet_tcp_connect_squid_port(httpd_t) + corenet_tcp_connect_squid_port(httpd_t) - corenet_tcp_sendrecv_squid_port(httpd_t) + corenet_tcp_connect_memcache_port(httpd_t) + corenet_sendrecv_gopher_client_packets(httpd_t) @@ -6565,7 +6565,7 @@ index 6649962b6..e51965af4 100644 + corenet_sendrecv_squid_client_packets(httpd_t) + corenet_tcp_connect_all_ephemeral_ports(httpd_t) ') - + -tunable_policy(`httpd_builtin_scripting',` - exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type) +tunable_policy(`httpd_execmem',` @@ -6573,7 +6573,7 @@ index 6649962b6..e51965af4 100644 + allow httpd_sys_script_t self:process { execmem execstack }; + allow httpd_suexec_t self:process { execmem execstack }; +') - + - allow httpd_t httpdcontent:dir list_dir_perms; - allow httpd_t httpdcontent:file read_file_perms; - allow httpd_t httpdcontent:lnk_file read_lnk_file_perms; 
@@ -6582,37 +6582,37 @@ index 6649962b6..e51965af4 100644 + filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + can_exec(httpd_sys_script_t, httpd_sys_content_t) ') - + -tunable_policy(`httpd_enable_cgi',` - allow httpd_t httpd_script_domains:process { signal sigkill sigstop }; - allow httpd_t httpd_script_exec_type:dir list_dir_perms; +tunable_policy(`httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) ') - + tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` @@ -594,28 +758,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` - fs_cifs_domtrans(httpd_t, httpd_sys_script_t) + fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') - + -# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` -# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) -# ') +tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',` + fs_fusefs_domtrans(httpd_t, httpd_sys_script_t) +') - + tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) + filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) + manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) + manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t) - - manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) - manage_files_pattern(httpd_t, httpdcontent, httpdcontent) + + manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) - manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent) +') + 
@@ -6632,14 +6632,14 @@ index 6649962b6..e51965af4 100644 +tunable_policy(`httpd_can_connect_zabbix',` + corenet_tcp_connect_zabbix_port(httpd_t) ') - + tunable_policy(`httpd_enable_ftp_server',` - corenet_sendrecv_ftp_server_packets(httpd_t) - corenet_tcp_bind_ftp_port(httpd_t) + corenet_tcp_bind_ftp_port(httpd_t) - corenet_tcp_sendrecv_ftp_port(httpd_t) + corenet_tcp_bind_all_ephemeral_ports(httpd_t) ') - + -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_t) +tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` @@ -6649,12 +6649,12 @@ index 6649962b6..e51965af4 100644 +tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',` + can_exec(httpd_sys_script_t, httpd_tmp_t) ') - + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` @@ -624,68 +810,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_symlinks(httpd_t) + fs_read_nfs_symlinks(httpd_t) ') - + -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_t) +tunable_policy(`httpd_use_nfs',` @@ -6670,13 +6670,13 @@ index 6649962b6..e51965af4 100644 + automount_search_tmp_dirs(httpd_t) + ') ') - + tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_t) - fs_read_cifs_files(httpd_t) - fs_read_cifs_symlinks(httpd_t) + fs_read_cifs_files(httpd_t) + fs_read_cifs_symlinks(httpd_t) ') - + -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) +tunable_policy(`httpd_can_sendmail',` @@ -6686,7 +6686,7 @@ index 6649962b6..e51965af4 100644 + corenet_tcp_connect_pop_port(httpd_t) + corenet_sendrecv_pop_client_packets(httpd_t) ') - + -tunable_policy(`httpd_execmem',` - allow httpd_t self:process { execmem execstack }; -') 
@@ -6707,7 +6707,7 @@ index 6649962b6..e51965af4 100644 + mta_signal_system_mail(httpd_t) + ') ') - + optional_policy(` - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) @@ -6716,7 +6716,7 @@ index 6649962b6..e51965af4 100644 + postfix_rw_spool_maildrop_files(httpd_t) + ') ') - + -optional_policy(` - tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` - spamassassin_domtrans_client(httpd_t) @@ -6744,7 +6744,7 @@ index 6649962b6..e51965af4 100644 + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) ') - + -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_t) +tunable_policy(`httpd_use_fusefs',` @@ -6752,17 +6752,17 @@ index 6649962b6..e51965af4 100644 + fs_manage_fusefs_files(httpd_t) + fs_manage_fusefs_symlinks(httpd_t) ') - + tunable_policy(`httpd_setrlimit',` @@ -695,49 +869,48 @@ tunable_policy(`httpd_setrlimit',` - + tunable_policy(`httpd_ssi_exec',` - corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) + corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) + allow httpd_sys_script_t httpd_t:fd use; + allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms; + allow httpd_sys_script_t httpd_t:process sigchld; ') - + -tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',` - can_exec(httpd_t, httpd_tmp_t) -') @@ -6778,7 +6778,7 @@ index 6649962b6..e51965af4 100644 + userdom_use_inherited_user_terminals(httpd_t) + userdom_use_inherited_user_terminals(httpd_suexec_t) ') - + -tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_cifs_dirs(httpd_t) @@ -6792,7 +6792,7 @@ index 6649962b6..e51965af4 100644 +optional_policy(` + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) - + -tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_fusefs_dirs(httpd_t) 
@@ -6805,14 +6805,14 @@ index 6649962b6..e51965af4 100644 + cobbler_read_lib_files(httpd_t) + cobbler_search_lib(httpd_t) + ') - + -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` - fs_exec_fusefs_files(httpd_t) + tunable_policy(`httpd_can_network_connect_cobbler',` + corenet_tcp_connect_cobbler_port(httpd_t) + ') ') - + -tunable_policy(`httpd_use_nfs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_nfs_dirs(httpd_t) @@ -6823,7 +6823,7 @@ index 6649962b6..e51965af4 100644 + sasl_connect(httpd_t) + ') ') - + -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_t) +optional_policy(` @@ -6833,33 +6833,33 @@ index 6649962b6..e51965af4 100644 + abrt_domtrans_retrace_worker(httpd_t) + abrt_read_config(httpd_t) ') - + optional_policy(` @@ -749,24 +922,32 @@ optional_policy(` ') - + optional_policy(` - clamav_domtrans_clamscan(httpd_t) + cron_system_entry(httpd_t, httpd_exec_t) ') - + optional_policy(` - cobbler_read_config(httpd_t) - cobbler_read_lib_files(httpd_t) + cvs_read_data(httpd_t) ') - + optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) + daemontools_service_domain(httpd_t, httpd_exec_t) ') - + optional_policy(` - cvs_read_data(httpd_t) -+ #needed by FreeIPA ++ #needed by FreeIPA + dirsrv_stream_connect(httpd_t) ') - + optional_policy(` - daemontools_service_domain(httpd_t, httpd_exec_t) + dirsrv_manage_config(httpd_t) @@ -6872,22 +6872,22 @@ index 6649962b6..e51965af4 100644 + dirsrvadmin_manage_tmp(httpd_t) + dirsrvadmin_domtrans_unconfined_script_t(httpd_t) ') - + optional_policy(` @@ -775,6 +956,10 @@ optional_policy(` - tunable_policy(`httpd_dbus_avahi',` - avahi_dbus_chat(httpd_t) - ') + tunable_policy(`httpd_dbus_avahi',` + avahi_dbus_chat(httpd_t) + ') + + tunable_policy(`httpd_dbus_sssd',` + sssd_dbus_chat(httpd_t) + ') ') - + optional_policy(` @@ -786,35 +971,62 @@ optional_policy(` ') - + optional_policy(` - kerberos_manage_host_rcache(httpd_t) - kerberos_read_keytab(httpd_t) 
@@ -6898,12 +6898,12 @@ index 6649962b6..e51965af4 100644 + gpg_domtrans_web(httpd_t) + ') ') - + optional_policy(` - ldap_stream_connect(httpd_t) + gssproxy_stream_connect(httpd_t) +') - + - tunable_policy(`httpd_can_network_connect_ldap',` - ldap_tcp_connect(httpd_t) - ') @@ -6937,33 +6937,33 @@ index 6649962b6..e51965af4 100644 + ldap_stream_connect(httpd_t) + ldap_read_certs(httpd_t) ') - + optional_policy(` - mailman_signal_cgi(httpd_t) - mailman_domtrans_cgi(httpd_t) - mailman_read_data_files(httpd_t) + mailman_signal_cgi(httpd_t) + mailman_domtrans_cgi(httpd_t) + mailman_read_data_files(httpd_t) + # should have separate types for public and private archives - mailman_search_data(httpd_t) - mailman_read_archive(httpd_t) + mailman_search_data(httpd_t) + mailman_read_archive(httpd_t) ') - + optional_policy(` - memcached_stream_connect(httpd_t) + mediawiki_read_tmp_files(httpd_t) + mediawiki_delete_tmp_files(httpd_t) +') - + - tunable_policy(`httpd_can_network_connect_memcache',` - memcached_tcp_connect(httpd_t) - ') +optional_policy(` + memcached_stream_connect(httpd_t) - - tunable_policy(`httpd_manage_ipa',` - memcached_manage_pid_files(httpd_t) + + tunable_policy(`httpd_manage_ipa',` + memcached_manage_pid_files(httpd_t) @@ -822,8 +1034,31 @@ optional_policy(` ') - + optional_policy(` + tunable_policy(`httpd_run_ipa',` + oddjob_dbus_chat(httpd_t) @@ -6983,29 +6983,29 @@ index 6649962b6..e51965af4 100644 + +optional_policy(` + # Allow httpd to work with mysql - mysql_read_config(httpd_t) - mysql_stream_connect(httpd_t) + mysql_read_config(httpd_t) + mysql_stream_connect(httpd_t) + mysql_rw_db_sockets(httpd_t) + + optional_policy(` + postgresql_stream_connect(httpd_t) + ') - - tunable_policy(`httpd_can_network_connect_db',` - mysql_tcp_connect(httpd_t) + + tunable_policy(`httpd_can_network_connect_db',` + mysql_tcp_connect(httpd_t) 
@@ -832,6 +1067,8 @@ optional_policy(` - + optional_policy(` - nagios_read_config(httpd_t) + nagios_read_config(httpd_t) + nagios_read_lib(httpd_t) + nagios_read_log(httpd_t) ') - + optional_policy(` @@ -841,38 +1078,77 @@ optional_policy(` - openca_kill(httpd_t) + openca_kill(httpd_t) ') - + +optional_policy(` + openshift_search_lib(httpd_t) + openshift_initrc_signull(httpd_t) @@ -7019,9 +7019,9 @@ index 6649962b6..e51965af4 100644 +') + optional_policy(` - pcscd_read_pid_files(httpd_t) + pcscd_read_pid_files(httpd_t) ') - + optional_policy(` - postgresql_stream_connect(httpd_t) - postgresql_unpriv_client(httpd_t) @@ -7032,14 +7032,14 @@ index 6649962b6..e51965af4 100644 + pki_manage_apache_run(httpd_t) + pki_read_tomcat_cert(httpd_t) +') - + - tunable_policy(`httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_t) - ') +optional_policy(` + puppet_read_lib(httpd_t) ') - + optional_policy(` - puppet_read_lib_files(httpd_t) + pwauth_domtrans(httpd_t) @@ -7052,11 +7052,11 @@ index 6649962b6..e51965af4 100644 +optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') - + optional_policy(` - rpc_search_nfs_state_data(httpd_t) + rpc_search_nfs_state_data(httpd_t) ') - + +optional_policy(` + # Allow httpd to work with postgresql + postgresql_stream_connect(httpd_t) @@ -7068,11 +7068,11 @@ index 6649962b6..e51965af4 100644 +') + optional_policy(` - seutil_sigchld_newrole(httpd_t) + seutil_sigchld_newrole(httpd_t) ') - + optional_policy(` - smokeping_read_lib_files(httpd_t) + smokeping_read_lib_files(httpd_t) + smokeping_read_pid_files(httpd_t) +') + @@ -7080,18 +7080,18 @@ index 6649962b6..e51965af4 100644 + files_dontaudit_rw_usr_dirs(httpd_t) + snmp_dontaudit_manage_snmp_var_lib_files(httpd_t) ') - + optional_policy(` - snmp_dontaudit_read_snmp_var_lib_files(httpd_t) - snmp_dontaudit_write_snmp_var_lib_files(httpd_t) + thin_stream_connect(httpd_t) ') - + optional_policy(` 
@@ -883,65 +1159,189 @@ optional_policy(` - yam_read_content(httpd_t) + yam_read_content(httpd_t) ') - + +optional_policy(` + zarafa_manage_lib_files(httpd_t) + zarafa_stream_connect_server(httpd_t) @@ -7111,20 +7111,20 @@ index 6649962b6..e51965af4 100644 -# Helper local policy +# Apache helper local policy # - + -read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t) +domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t) - + -append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) +allow httpd_helper_t httpd_config_t:file read_file_perms; - + -files_search_etc(httpd_helper_t) +allow httpd_helper_t httpd_log_t:file append_file_perms; - + -logging_search_logs(httpd_helper_t) logging_send_syslog_msg(httpd_helper_t) - + +tunable_policy(`httpd_verify_dns',` + corenet_udp_bind_all_ephemeral_ports(httpd_t) +') @@ -7170,7 +7170,7 @@ index 6649962b6..e51965af4 100644 + tunable_policy(`httpd_run_preupgrade', ` + corenet_tcp_bind_preupgrade_port(httpd_t) + ') -+') ++') + tunable_policy(`httpd_tty_comm',` - userdom_use_user_terminals(httpd_helper_t) @@ -7178,7 +7178,7 @@ index 6649962b6..e51965af4 100644 - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) ') - + ######################################## # -# Suexec local policy @@ -7246,7 +7246,7 @@ index 6649962b6..e51965af4 100644 +# +# Apache suexec local policy # - + allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; 
@@ -7255,18 +7255,18 @@ index 6649962b6..e51965af4 100644 +allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + +domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) - + create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) + +allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms; - + manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) - + +can_exec(httpd_suexec_t, httpd_sys_script_exec_t) + +read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t) @@ -7276,7 +7276,7 @@ index 6649962b6..e51965af4 100644 kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) - + -corenet_all_recvfrom_unlabeled(httpd_suexec_t) -corenet_all_recvfrom_netlabel(httpd_suexec_t) -corenet_tcp_sendrecv_generic_if(httpd_suexec_t) @@ -7286,10 +7286,10 @@ index 6649962b6..e51965af4 100644 -corecmd_exec_shell(httpd_suexec_t) - dev_read_urand(httpd_suexec_t) - + fs_read_iso9660_files(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) - + -files_read_usr_files(httpd_suexec_t) +application_exec_all(httpd_suexec_t) + @@ -7299,14 +7299,14 @@ index 6649962b6..e51965af4 100644 + files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) - + 
@@ -950,123 +1350,78 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) - + -miscfiles_read_localization(httpd_suexec_t) miscfiles_read_public_files(httpd_suexec_t) - + -tunable_policy(`httpd_builtin_scripting',` - exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type) - @@ -7315,7 +7315,7 @@ index 6649962b6..e51965af4 100644 - allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms; -') +corenet_all_recvfrom_netlabel(httpd_suexec_t) - + tunable_policy(`httpd_can_network_connect',` + allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; + allow httpd_suexec_t self:udp_socket create_socket_perms; @@ -7326,17 +7326,17 @@ index 6649962b6..e51965af4 100644 + corenet_udp_sendrecv_generic_node(httpd_suexec_t) + corenet_tcp_sendrecv_all_ports(httpd_suexec_t) + corenet_udp_sendrecv_all_ports(httpd_suexec_t) - corenet_tcp_connect_all_ports(httpd_suexec_t) - corenet_sendrecv_all_client_packets(httpd_suexec_t) + corenet_tcp_connect_all_ports(httpd_suexec_t) + corenet_sendrecv_all_client_packets(httpd_suexec_t) - corenet_tcp_sendrecv_all_ports(httpd_suexec_t) ') - + tunable_policy(`httpd_can_network_connect_db',` - corenet_sendrecv_gds_db_client_packets(httpd_suexec_t) - corenet_tcp_connect_gds_db_port(httpd_suexec_t) + corenet_tcp_connect_gds_db_port(httpd_suexec_t) - corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t) - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) - corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) - corenet_tcp_sendrecv_mssql_port(httpd_suexec_t) - corenet_sendrecv_oracledb_client_packets(httpd_suexec_t) - corenet_tcp_connect_oracledb_port(httpd_suexec_t) 
@@ -7345,7 +7345,7 @@ index 6649962b6..e51965af4 100644 + corenet_tcp_connect_oracle_port(httpd_suexec_t) + corenet_sendrecv_oracle_client_packets(httpd_suexec_t) ') - + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) + tunable_policy(`httpd_can_sendmail',` @@ -7355,13 +7355,13 @@ index 6649962b6..e51965af4 100644 - corenet_sendrecv_pop_client_packets(httpd_suexec_t) - corenet_tcp_connect_pop_port(httpd_suexec_t) - corenet_tcp_sendrecv_pop_port(httpd_suexec_t) - mta_send_mail(httpd_suexec_t) + mta_send_mail(httpd_suexec_t) - mta_signal_system_mail(httpd_suexec_t) ') - + tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_sys_script_t httpdcontent:file entrypoint; - domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) + domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) -') - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` @@ -7377,18 +7377,18 @@ index 6649962b6..e51965af4 100644 + manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) ') - + tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_list_auto_mountpoints(httpd_suexec_t) + fs_list_auto_mountpoints(httpd_suexec_t) - fs_read_nfs_files(httpd_suexec_t) - fs_read_nfs_symlinks(httpd_suexec_t) + fs_read_nfs_files(httpd_suexec_t) + fs_read_nfs_symlinks(httpd_suexec_t) -') - -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) ') - + -tunable_policy(`httpd_execmem',` - allow httpd_suexec_t self:process { execmem execstack }; -') 
@@ -7414,9 +7414,9 @@ index 6649962b6..e51965af4 100644 +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_suexec_t) + fs_read_cifs_symlinks(httpd_suexec_t) - fs_exec_cifs_files(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) ') - + -tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_suexec_t) - fs_manage_fusefs_dirs(httpd_suexec_t) @@ -7436,13 +7436,13 @@ index 6649962b6..e51965af4 100644 +optional_policy(` + apache_rw_stream_sockets(httpd_suexec_t) ') - + -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_suexec_t) +optional_policy(` + mailman_domtrans_cgi(httpd_suexec_t) ') - + optional_policy(` - mailman_domtrans_cgi(httpd_suexec_t) + mta_stub(httpd_suexec_t) @@ -7450,17 +7450,17 @@ index 6649962b6..e51965af4 100644 + # apache should set close-on-exec + # dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') - + optional_policy(` - mysql_stream_connect(httpd_suexec_t) + mysql_stream_connect(httpd_suexec_t) + mysql_rw_db_sockets(httpd_suexec_t) - mysql_read_config(httpd_suexec_t) - - tunable_policy(`httpd_can_network_connect_db',` + mysql_read_config(httpd_suexec_t) + + tunable_policy(`httpd_can_network_connect_db',` @@ -1083,172 +1438,108 @@ optional_policy(` - ') + ') ') - + -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_suexec_t) -') @@ -7474,7 +7474,7 @@ index 6649962b6..e51965af4 100644 -# Common script local policy +# Apache system script local policy # - + -allow httpd_script_domains self:fifo_file rw_file_perms; -allow httpd_script_domains self:unix_stream_socket connectto; - 
@@ -7486,60 +7486,60 @@ index 6649962b6..e51965af4 100644 -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) +allow httpd_sys_script_t self:process getsched; - + -corenet_all_recvfrom_unlabeled(httpd_script_domains) -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) -corenet_tcp_sendrecv_generic_node(httpd_script_domains) +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - + -corecmd_exec_all_executables(httpd_script_domains) +dontaudit httpd_sys_script_t httpd_config_t:dir search; - + -dev_read_rand(httpd_script_domains) -dev_read_urand(httpd_script_domains) +allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - + -files_exec_etc_files(httpd_script_domains) -files_read_etc_files(httpd_script_domains) -files_search_home(httpd_script_domains) +allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; +read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) +read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) - + -libs_exec_ld_so(httpd_script_domains) -libs_exec_lib_files(httpd_script_domains) +kernel_read_kernel_sysctls(httpd_sys_script_t) - + -logging_search_logs(httpd_script_domains) +dev_list_sysfs(httpd_sys_script_t) - + -miscfiles_read_fonts(httpd_script_domains) -miscfiles_read_public_files(httpd_script_domains) +files_read_var_symlinks(httpd_sys_script_t) +files_search_var_lib(httpd_sys_script_t) +files_search_spool(httpd_sys_script_t) - + -seutil_dontaudit_search_config(httpd_script_domains) +logging_send_syslog_msg(httpd_sys_script_t) +logging_inherit_append_all_logs(httpd_sys_script_t) - + -tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_script_domains httpdcontent:file entrypoint; +# Should we add a boolean? 
+apache_domtrans_rotatelogs(httpd_sys_script_t) - + - manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent) - manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) - manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent) +auth_use_nsswitch(httpd_sys_script_t) - + - can_exec(httpd_script_domains, httpdcontent) +ifdef(`distro_redhat',` + allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') - + -tunable_policy(`httpd_enable_cgi',` - allow httpd_script_domains self:process { setsched signal_perms }; - allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms; @@ -7557,15 +7557,15 @@ index 6649962b6..e51965af4 100644 +tunable_policy(`httpd_can_sendmail',` + mta_send_mail(httpd_sys_script_t) ') - + optional_policy(` - tunable_policy(`httpd_enable_cgi && allow_ypbind',` - nis_use_ypbind_uncond(httpd_script_domains) + tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` + spamassassin_domtrans_client(httpd_t) - ') + ') ') - + -tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - corenet_sendrecv_gds_db_client_packets(httpd_script_domains) - corenet_tcp_connect_gds_db_port(httpd_script_domains) @@ -7593,14 +7593,14 @@ index 6649962b6..e51965af4 100644 + corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mongod_port(httpd_sys_script_t) ') - + -optional_policy(` - postgresql_stream_connect(httpd_script_domains) +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) +fs_rw_anon_inodefs_files(httpd_sys_script_t) - + - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_script_domains) - ') 
@@ -7611,7 +7611,7 @@ index 6649962b6..e51965af4 100644 + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) + fs_exec_nfs_files(httpd_sys_script_t) - + -optional_policy(` - nscd_use(httpd_script_domains) + fs_list_auto_mountpoints(httpd_suexec_t) @@ -7620,7 +7620,7 @@ index 6649962b6..e51965af4 100644 + fs_manage_nfs_symlinks(httpd_suexec_t) + fs_exec_nfs_files(httpd_suexec_t) ') - + -######################################## -# -# System script local policy @@ -7628,7 +7628,7 @@ index 6649962b6..e51965af4 100644 - -allow httpd_sys_script_t self:tcp_socket { accept listen }; +corenet_all_recvfrom_netlabel(httpd_sys_script_t) - + -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -7676,11 +7676,11 @@ index 6649962b6..e51965af4 100644 + corenet_tcp_connect_all_ports(httpd_sys_script_t) + corenet_sendrecv_all_client_packets(httpd_sys_script_t) ') - + tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_sys_script_t) + userdom_search_user_home_dirs(httpd_sys_script_t) ') - + -tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` - corenet_tcp_connect_all_ports(httpd_sys_script_t) - corenet_sendrecv_all_client_packets(httpd_sys_script_t) @@ -7694,16 +7694,16 @@ index 6649962b6..e51965af4 100644 + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) ') - + tunable_policy(`httpd_read_user_content',` @@ -1256,64 +1547,74 @@ tunable_policy(`httpd_read_user_content',` ') - + tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_cifs_dirs(httpd_sys_script_t) - fs_manage_cifs_files(httpd_sys_script_t) - fs_manage_cifs_symlinks(httpd_sys_script_t) + fs_manage_cifs_dirs(httpd_sys_script_t) + fs_manage_cifs_files(httpd_sys_script_t) + fs_manage_cifs_symlinks(httpd_sys_script_t) -') - -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` 
@@ -7713,11 +7713,11 @@ index 6649962b6..e51965af4 100644 + fs_manage_cifs_symlinks(httpd_suexec_t) + fs_exec_cifs_files(httpd_suexec_t) ') - + tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_fusefs_dirs(httpd_sys_script_t) - fs_manage_fusefs_files(httpd_sys_script_t) + fs_manage_fusefs_dirs(httpd_sys_script_t) + fs_manage_fusefs_files(httpd_sys_script_t) - fs_read_fusefs_symlinks(httpd_sys_script_t) + fs_manage_fusefs_symlinks(httpd_sys_script_t) + fs_manage_fusefs_dirs(httpd_suexec_t) @@ -7725,14 +7725,14 @@ index 6649962b6..e51965af4 100644 + fs_manage_fusefs_symlinks(httpd_suexec_t) + fs_exec_fusefs_files(httpd_suexec_t) ') - + -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` - fs_exec_fusefs_files(httpd_sys_script_t) +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) ') - + -tunable_policy(`httpd_use_nfs',` - fs_list_auto_mountpoints(httpd_sys_script_t) - fs_manage_nfs_dirs(httpd_sys_script_t) @@ -7742,7 +7742,7 @@ index 6649962b6..e51965af4 100644 + clamav_domtrans_clamscan(httpd_sys_script_t) + clamav_domtrans_clamscan(httpd_t) ') - + -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_sys_script_t) +optional_policy(` @@ -7754,7 +7754,7 @@ index 6649962b6..e51965af4 100644 + mysql_tcp_connect(httpd_sys_script_t) + ') ') - + optional_policy(` - clamav_domtrans_clamscan(httpd_sys_script_t) + postgresql_stream_connect(httpd_sys_script_t) 
@@ -7764,39 +7764,39 @@ index 6649962b6..e51965af4 100644 + postgresql_tcp_connect(httpd_sys_script_t) + ') ') - + optional_policy(` - postgresql_unpriv_client(httpd_sys_script_t) + snmp_read_snmp_var_lib_files(httpd_sys_script_t) ') - + ######################################## # -# Rotatelogs local policy +# httpd_rotatelogs local policy # - + -allow httpd_rotatelogs_t self:capability dac_override; +allow httpd_rotatelogs_t self:capability { dac_read_search dac_override }; - + manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) - + kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) +kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) - + -files_read_etc_files(httpd_rotatelogs_t) - + logging_search_logs(httpd_rotatelogs_t) - + -miscfiles_read_localization(httpd_rotatelogs_t) - + ######################################## # @@ -1321,8 +1622,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # - + optional_policy(` - apache_content_template(unconfined) + type httpd_unconfined_script_t; @@ -7804,17 +7804,17 @@ index 6649962b6..e51965af4 100644 + domain_type(httpd_unconfined_script_t) + domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t) + domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t) - unconfined_domain(httpd_unconfined_script_t) + unconfined_domain(httpd_unconfined_script_t) + + role system_r types httpd_unconfined_script_t; + allow httpd_t httpd_unconfined_script_t:process signal_perms; ') - + ######################################## @@ -1330,49 +1638,43 @@ optional_policy(` # User content local policy # - + -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_user_script_t) -') 
@@ -7825,7 +7825,7 @@ index 6649962b6..e51965af4 100644 - fs_read_cifs_symlinks(httpd_user_script_t) -') +auth_use_nsswitch(httpd_user_script_t) - + -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_user_script_t) +tunable_policy(`httpd_enable_cgi && httpd_unified',` @@ -7835,7 +7835,7 @@ index 6649962b6..e51965af4 100644 + manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ') - + -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_nfs_files(httpd_user_script_t) @@ -7846,7 +7846,7 @@ index 6649962b6..e51965af4 100644 + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) - + -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_user_script_t) + read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) @@ -7854,13 +7854,13 @@ index 6649962b6..e51965af4 100644 + list_dirs_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) + allow httpd_t httpd_user_content_type:file map; ') - + tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_t) + userdom_read_user_home_content_files(httpd_suexec_t) - userdom_read_user_home_content_files(httpd_user_script_t) + userdom_read_user_home_content_files(httpd_user_script_t) ') - + -optional_policy(` - postgresql_unpriv_client(httpd_user_script_t) -') 
@@ -7870,27 +7870,27 @@ index 6649962b6..e51965af4 100644 -# Passwd local policy +# httpd_passwd local policy # - + allow httpd_passwd_t self:fifo_file manage_fifo_file_perms; allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms; allow httpd_passwd_t self:unix_dgram_socket create_socket_perms; - + -dontaudit httpd_passwd_t httpd_config_t:file read_file_perms; - kernel_read_system_state(httpd_passwd_t) - + corecmd_exec_bin(httpd_passwd_t) @@ -1382,38 +1684,109 @@ dev_read_urand(httpd_passwd_t) - + domain_use_interactive_fds(httpd_passwd_t) - + + auth_use_nsswitch(httpd_passwd_t) - + -miscfiles_read_generic_certs(httpd_passwd_t) -miscfiles_read_localization(httpd_passwd_t) +miscfiles_read_certs(httpd_passwd_t) - + -######################################## -# -# GPG local policy @@ -7932,10 +7932,10 @@ index 6649962b6..e51965af4 100644 + +miscfiles_read_fonts(httpd_script_type) +miscfiles_read_public_files(httpd_script_type) - + -allow httpd_gpg_t self:process setrlimit; +allow httpd_t httpd_script_type:unix_stream_socket connectto; - + -allow httpd_gpg_t httpd_t:fd use; -allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms; -allow httpd_gpg_t httpd_t:process sigchld; 
@@ -7943,22 +7943,22 @@ index 6649962b6..e51965af4 100644 +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms; +allow httpd_t httpd_script_type:process { signal sigkill sigstop signull }; +allow httpd_t httpd_script_exec_type:dir list_dir_perms; - + -dev_read_rand(httpd_gpg_t) -dev_read_urand(httpd_gpg_t) +allow httpd_script_type self:process { setsched signal_perms }; +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms; +allow httpd_script_type self:unix_dgram_socket create_socket_perms; +allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms; - + -files_read_usr_files(httpd_gpg_t) +allow httpd_script_type httpd_t:fd use; +allow httpd_script_type httpd_t:process sigchld; - + -miscfiles_read_localization(httpd_gpg_t) +dontaudit httpd_script_type httpd_t:tcp_socket { read write }; +dontaudit httpd_script_type httpd_t:unix_stream_socket { read write }; - + -tunable_policy(`httpd_gpg_anon_write',` - miscfiles_manage_public_files(httpd_gpg_t) +fs_getattr_xattr_fs(httpd_script_type) @@ -7972,7 +7972,7 @@ index 6649962b6..e51965af4 100644 +tunable_policy(`httpd_enable_cgi && nis_enabled',` + nis_use_ypbind_uncond(httpd_script_type) ') - + optional_policy(` - apache_manage_sys_rw_content(httpd_gpg_t) + nscd_socket_use(httpd_script_type) @@ -8001,7 +8001,7 @@ index 6649962b6..e51965af4 100644 + corenet_tcp_connect_osapi_compute_port(httpd_t) + corenet_tcp_bind_commplex_main_port(httpd_t) ') - + optional_policy(` - gpg_entry_type(httpd_gpg_t) - gpg_exec(httpd_gpg_t) 
@@ -8017,21 +8017,21 @@ index 5ec0e13c8..97c204fe5 100644 +/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0) + /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) - + +/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) + /sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - + /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) - + /var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0) +/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0) - + /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) - + /var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0) - + -/var/www/apcupsd/multimon\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) -/var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) @@ -8058,20 +8058,20 @@ index f3c0abac6..f6e25eda4 100644 @@ -112,17 +112,61 @@ interface(`apcupsd_append_log',` # interface(`apcupsd_cgi_script_domtrans',` - gen_require(` + gen_require(` - type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t; + type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t; - ') - - files_search_var($1) + ') + + files_search_var($1) - domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t) + domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t) - - optional_policy(` - apache_search_sys_content($1) - ') + + optional_policy(` + apache_search_sys_content($1) + ') ') - + +######################################## +##

      +## Execute apcupsd server in the apcupsd domain. @@ -8098,7 +8098,7 @@ index f3c0abac6..f6e25eda4 100644 + +######################################## +## -+## Create configuration files in /var/lock ++## Create configuration files in /var/lock +## with a named file type transition. +## +## @@ -8120,28 +8120,28 @@ index f3c0abac6..f6e25eda4 100644 ## ## All of the rules required to @@ -144,11 +188,17 @@ interface(`apcupsd_admin',` - gen_require(` - type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; - type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t; + gen_require(` + type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; + type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t; + type apcupsd_unit_file_t; + type apcupsd_power_t; - ') - + ') + - allow $1 apcupsd_t:process { ptrace signal_perms }; + allow $1 apcupsd_t:process signal_perms; - ps_process_pattern($1, apcupsd_t) - + ps_process_pattern($1, apcupsd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 apcupsd_t:process ptrace; + ') + - apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 apcupsd_initrc_exec_t system_r; @@ -165,4 +215,11 @@ interface(`apcupsd_admin',` - - files_list_pids($1) - admin_pattern($1, apcupsd_var_run_t) + + files_list_pids($1) + admin_pattern($1, apcupsd_var_run_t) + + apcupsd_systemctl($1) + admin_pattern($1, apcupsd_unit_file_t) @@ -8157,7 +8157,7 @@ index 080bc4ddb..b295381b8 100644 @@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t) type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) - + +type apcupsd_power_t; +files_type(apcupsd_power_t) + 
@@ -8168,7 +8168,7 @@ index 080bc4ddb..b295381b8 100644 # # Local policy # - + -allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; +allow apcupsd_t self:capability { dac_read_search dac_override setgid sys_tty_config }; allow apcupsd_t self:process signal; @@ -8177,7 +8177,7 @@ index 080bc4ddb..b295381b8 100644 @@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; allow apcupsd_t apcupsd_lock_t:file manage_file_perms; files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) - + -append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) @@ -8186,12 +8186,12 @@ index 080bc4ddb..b295381b8 100644 + +manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) - + manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) @@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t) corecmd_exec_bin(apcupsd_t) corecmd_exec_shell(apcupsd_t) - + -corenet_all_recvfrom_unlabeled(apcupsd_t) corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) 
@@ -8202,48 +8202,48 @@ index 080bc4ddb..b295381b8 100644 corenet_tcp_connect_apcupsd_port(apcupsd_t) +corenet_udp_bind_apc_port(apcupsd_t) +corenet_udp_bind_snmp_port(apcupsd_t) - + corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) corenet_udp_sendrecv_snmp_port(apcupsd_t) - + +fs_getattr_xattr_fs(apcupsd_t) + +dev_read_sysfs(apcupsd_t) + dev_rw_generic_usb_dev(apcupsd_t) - + -files_read_etc_files(apcupsd_t) +domain_signull_all_domains(apcupsd_t) + files_manage_etc_runtime_files(apcupsd_t) files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") - + -term_use_unallocated_ttys(apcupsd_t) +term_use_all_terms(apcupsd_t) +term_use_usb_ttys(apcupsd_t) - + -logging_send_syslog_msg(apcupsd_t) +#apcupsd runs shutdown, probably need a shutdown domain +init_rw_utmp(apcupsd_t) +init_telinit(apcupsd_t) + +auth_use_nsswitch(apcupsd_t) - + -miscfiles_read_localization(apcupsd_t) +logging_send_syslog_msg(apcupsd_t) - + sysnet_dns_name_resolve(apcupsd_t) - + -userdom_use_user_ttys(apcupsd_t) +userdom_use_inherited_user_ttys(apcupsd_t) - + optional_policy(` - hostname_exec(apcupsd_t) + hostname_exec(apcupsd_t) @@ -101,6 +119,11 @@ optional_policy(` - shutdown_domtrans(apcupsd_t) + shutdown_domtrans(apcupsd_t) ') - + +optional_policy(` + systemd_start_power_services(apcupsd_t) + systemd_status_power_services(apcupsd_t) @@ -8253,9 +8253,9 @@ index 080bc4ddb..b295381b8 100644 # # CGI local policy @@ -108,20 +131,20 @@ optional_policy(` - + optional_policy(` - apache_content_template(apcupsd_cgi) + apache_content_template(apcupsd_cgi) - - allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; - allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -8296,25 +8296,25 @@ index ce27d2fb3..b2ba16a04 100644 
@@ -1,3 +1,4 @@ +/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0) /etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0) - + /usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0) @@ -7,6 +8,8 @@ /usr/sbin/powersaved -- gen_context(system_u:object_r:apmd_exec_t,s0) - + /var/lock/subsys/acpid -- gen_context(system_u:object_r:apmd_lock_t,s0) +/var/lock/subsys/lmt-req\.lock -- gen_context(system_u:object_r:apmd_lock_t,s0) +/var/lock/lmt-req\.lock -- gen_context(system_u:object_r:apmd_lock_t,s0) - + /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0) - + diff --git a/apm.if b/apm.if index 1a7a97e5c..2c7252a39 100644 --- a/apm.if +++ b/apm.if @@ -139,6 +139,30 @@ interface(`apm_stream_connect',` - stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') - + +######################################## +## +## Execute apmd server in the apmd domain. @@ -8343,20 +8343,20 @@ index 1a7a97e5c..2c7252a39 100644 ## ## All of the rules required to @@ -163,9 +187,13 @@ interface(`apm_admin',` - type apmd_tmp_t; - ') - + type apmd_tmp_t; + ') + - allow $1 apmd_t:process { ptrace signal_perms }; + allow $1 apmd_t:process { signal_perms }; - ps_process_pattern($1, apmd_t) - + ps_process_pattern($1, apmd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 apmd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, apmd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apmd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, apmd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te index 7fd431bcd..f944eccf1 100644 --- a/apm.te @@ -8364,7 +8364,7 @@ index 7fd431bcd..f944eccf1 100644 
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) type apmd_var_run_t; files_pid_file(apmd_var_run_t) - + +type apmd_unit_file_t; +systemd_unit_file(apmd_unit_file_t) + @@ -8372,25 +8372,25 @@ index 7fd431bcd..f944eccf1 100644 # # Client local policy # - + -allow apm_t self:capability { dac_override sys_admin }; +allow apm_t self:capability { dac_read_search dac_override sys_admin sys_resource }; - + kernel_read_system_state(apm_t) - + @@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t) - + fs_getattr_xattr_fs(apm_t) - + -term_use_all_terms(apm_t) +term_use_all_inherited_terms(apm_t) - + domain_use_interactive_fds(apm_t) - + @@ -59,11 +62,12 @@ logging_send_syslog_msg(apm_t) # Server local policy # - + -allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; +allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource }; @@ -8400,14 +8400,14 @@ index 7fd431bcd..f944eccf1 100644 allow apmd_t self:netlink_socket create_socket_perms; +allow apmd_t self:netlink_generic_socket create_socket_perms; allow apmd_t self:unix_stream_socket { accept listen }; - + allow apmd_t apmd_lock_t:file manage_file_perms; @@ -90,6 +94,7 @@ kernel_read_kernel_sysctls(apmd_t) kernel_rw_all_sysctls(apmd_t) kernel_read_system_state(apmd_t) kernel_write_proc_files(apmd_t) +kernel_request_load_module(apmd_t) - + dev_read_input(apmd_t) dev_read_mouse(apmd_t) @@ -114,8 +119,7 @@ fs_dontaudit_getattr_all_files(apmd_t) @@ -8417,47 +8417,47 @@ index 7fd431bcd..f944eccf1 100644 - -selinux_search_fs(apmd_t) +fs_read_cgroup_files(apmd_t) - + corecmd_exec_all_executables(apmd_t) - + @@ -129,6 +133,9 @@ domain_dontaudit_list_all_domains_state(apmd_t) auth_use_nsswitch(apmd_t) - + init_domtrans_script(apmd_t) +init_read_utmp(apmd_t) +init_telinit(apmd_t) +init_dbus_chat(apmd_t) - + libs_exec_ld_so(apmd_t) libs_exec_lib_files(apmd_t) 
@@ -136,17 +143,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) - + -miscfiles_read_localization(apmd_t) miscfiles_read_hwdata(apmd_t) - + modutils_domtrans_insmod(apmd_t) modutils_read_module_config(apmd_t) - + -seutil_dontaudit_read_config(apmd_t) +seutil_sigchld_newrole(apmd_t) - + userdom_dontaudit_use_unpriv_user_fds(apmd_t) userdom_dontaudit_search_user_home_dirs(apmd_t) -userdom_dontaudit_search_user_home_content(apmd_t) +userdom_dontaudit_search_user_home_content(apmd_t) # Excessive? - + optional_policy(` - automount_domtrans(apmd_t) + automount_domtrans(apmd_t) @@ -206,11 +212,20 @@ optional_policy(` ') - + optional_policy(` - seutil_sigchld_newrole(apmd_t) + shutdown_domtrans(apmd_t) ') - + optional_policy(` - shutdown_domtrans(apmd_t) + sssd_search_lib(apmd_t) @@ -8471,21 +8471,21 @@ index 7fd431bcd..f944eccf1 100644 + systemd_start_power_services(apmd_t) + systemd_status_power_services(apmd_t) ') - + optional_policy(` diff --git a/apt.if b/apt.if index cde81d248..2fe02018a 100644 --- a/apt.if +++ b/apt.if @@ -171,7 +171,7 @@ interface(`apt_read_cache',` - - files_search_var($1) - allow $1 apt_var_cache_t:dir list_dir_perms; + + files_search_var($1) + allow $1 apt_var_cache_t:dir list_dir_perms; - dontaudit $1 apt_var_cache_t:dir write_dir_perms; + dontaudit $1 apt_var_cache_t:dir rw_dir_perms; - allow $1 apt_var_cache_t:file read_file_perms; + allow $1 apt_var_cache_t:file read_file_perms; ') - + diff --git a/apt.te b/apt.te index efa853059..ae5d0c9f2 100644 --- a/apt.te @@ -8493,7 +8493,7 @@ index efa853059..ae5d0c9f2 100644 @@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t) # Local policy # - + -allow apt_t self:capability { chown dac_override fowner fsetid }; +allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid }; allow apt_t self:process { signal setpgid fork }; @@ -8502,61 +8502,61 @@ index efa853059..ae5d0c9f2 100644 
@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t) corecmd_exec_bin(apt_t) corecmd_exec_shell(apt_t) - + -corenet_all_recvfrom_unlabeled(apt_t) corenet_all_recvfrom_netlabel(apt_t) corenet_tcp_sendrecv_generic_if(apt_t) corenet_tcp_sendrecv_generic_node(apt_t) @@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t) domain_use_interactive_fds(apt_t) - + files_exec_usr_files(apt_t) -files_read_etc_files(apt_t) files_read_etc_runtime_files(apt_t) - + fs_getattr_all_fs(apt_t) - + term_create_pty(apt_t, apt_devpts_t) term_list_ptys(apt_t) -term_use_all_terms(apt_t) +term_use_all_inherited_terms(apt_t) - + libs_exec_ld_so(apt_t) libs_exec_lib_files(apt_t) - + logging_send_syslog_msg(apt_t) - + -miscfiles_read_localization(apt_t) - seutil_use_newrole_fds(apt_t) - + sysnet_read_config(apt_t) - + -userdom_use_user_terminals(apt_t) +userdom_use_inherited_user_terminals(apt_t) - + optional_policy(` - backup_manage_store_files(apt_t) + backup_manage_store_files(apt_t) diff --git a/arpwatch.fc b/arpwatch.fc index 9ca0d0fb8..9a1a61f82 100644 --- a/arpwatch.fc +++ b/arpwatch.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0) - + +/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0) + /usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0) - + /var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0) diff --git a/arpwatch.if b/arpwatch.if index 50c9b9c87..533a555a2 100644 --- a/arpwatch.if +++ b/arpwatch.if @@ -117,6 +117,30 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',` - dontaudit $1 arpwatch_t:packet_socket { read write }; + dontaudit $1 arpwatch_t:packet_socket { read write }; ') - + +######################################## +## +## Execute arpwatch server in the arpwatch domain. @@ -8585,27 +8585,27 @@ index 50c9b9c87..533a555a2 100644 ## ## All of the rules required to 
@@ -138,11 +162,16 @@ interface(`arpwatch_admin',` - gen_require(` - type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t; - type arpwatch_data_t, arpwatch_var_run_t; + gen_require(` + type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t; + type arpwatch_data_t, arpwatch_var_run_t; + type arpwatch_unit_file_t; - ') - + ') + - allow $1 arpwatch_t:process { ptrace signal_perms }; + allow $1 arpwatch_t:process signal_perms; - ps_process_pattern($1, arpwatch_t) - + ps_process_pattern($1, arpwatch_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 arpwatch_t:process ptrace; + ') + - arpwatch_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; + arpwatch_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 arpwatch_initrc_exec_t system_r; @@ -156,4 +185,8 @@ interface(`arpwatch_admin',` - - files_list_pids($1) - admin_pattern($1, arpwatch_var_run_t) + + files_list_pids($1) + admin_pattern($1, arpwatch_var_run_t) + + arpwatch_systemctl($1) + admin_pattern($1, arpwatch_unit_file_t) @@ -8618,7 +8618,7 @@ index 2d7bf345b..04d3ea1c8 100644 @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) type arpwatch_var_run_t; files_pid_file(arpwatch_var_run_t) - + +type arpwatch_unit_file_t; +systemd_unit_file(arpwatch_unit_file_t) + @@ -8635,13 +8635,13 @@ index 2d7bf345b..04d3ea1c8 100644 +allow arpwatch_t self:netlink_socket create_socket_perms; +allow arpwatch_t self:netlink_netfilter_socket create_socket_perms; +allow arpwatch_t self:bluetooth_socket create_socket_perms; - + manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) 
@@ -45,13 +51,26 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir }) manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t) files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file) - + -kernel_read_kernel_sysctls(arpwatch_t) kernel_read_network_state(arpwatch_t) +# meminfo @@ -8649,7 +8649,7 @@ index 2d7bf345b..04d3ea1c8 100644 +kernel_read_kernel_sysctls(arpwatch_t) +kernel_read_proc_symlinks(arpwatch_t) kernel_request_load_module(arpwatch_t) - + +corenet_all_recvfrom_netlabel(arpwatch_t) +corenet_tcp_sendrecv_generic_if(arpwatch_t) +corenet_udp_sendrecv_generic_if(arpwatch_t) @@ -8664,69 +8664,69 @@ index 2d7bf345b..04d3ea1c8 100644 dev_read_usbmon_dev(arpwatch_t) +dev_map_usbmon_dev(arpwatch_t) dev_rw_generic_usb_dev(arpwatch_t) - + fs_getattr_all_fs(arpwatch_t) @@ -59,15 +78,12 @@ fs_search_auto_mountpoints(arpwatch_t) - + domain_use_interactive_fds(arpwatch_t) - + -files_read_usr_files(arpwatch_t) files_search_var_lib(arpwatch_t) - + auth_use_nsswitch(arpwatch_t) - + logging_send_syslog_msg(arpwatch_t) - + -miscfiles_read_localization(arpwatch_t) - userdom_dontaudit_search_user_home_dirs(arpwatch_t) userdom_dontaudit_use_unpriv_user_fds(arpwatch_t) - + diff --git a/asterisk.if b/asterisk.if index 2077053ea..198a02ab4 100644 --- a/asterisk.if +++ b/asterisk.if 
@@ -124,9 +124,13 @@ interface(`asterisk_admin',` - type asterisk_var_lib_t, asterisk_initrc_exec_t; - ') - + type asterisk_var_lib_t, asterisk_initrc_exec_t; + ') + - allow $1 asterisk_t:process { ptrace signal_perms }; + allow $1 asterisk_t:process signal_perms; - ps_process_pattern($1, asterisk_t) - + ps_process_pattern($1, asterisk_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 asterisk_t:process ptrace; + ') + - init_labeled_script_domtrans($1, asterisk_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 asterisk_initrc_exec_t system_r; + init_labeled_script_domtrans($1, asterisk_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te index 7e4135022..1e0f4c49b 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; logging_log_file(asterisk_log_t) - + type asterisk_spool_t; -files_type(asterisk_spool_t) +files_spool_file(asterisk_spool_t) - + type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) @@ -39,7 +39,7 @@ init_daemon_run_dir(asterisk_var_run_t, "asterisk") # Local policy # - + -allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; +allow asterisk_t self:capability { dac_read_search dac_override chown setgid setuid sys_nice net_admin }; dontaudit asterisk_t self:capability { sys_module sys_tty_config }; allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; allow asterisk_t self:fifo_file rw_fifo_file_perms; @@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f - + manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) - + +manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) 
@@ -8735,41 +8735,41 @@ index 7e4135022..1e0f4c49b 100644 - +files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file }) can_exec(asterisk_t, asterisk_exec_t) - + kernel_read_kernel_sysctls(asterisk_t) @@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t) corecmd_exec_bin(asterisk_t) corecmd_exec_shell(asterisk_t) - + -corenet_all_recvfrom_unlabeled(asterisk_t) corenet_all_recvfrom_netlabel(asterisk_t) corenet_tcp_sendrecv_generic_if(asterisk_t) corenet_udp_sendrecv_generic_if(asterisk_t) @@ -126,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t) - + corenet_sendrecv_sip_client_packets(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) +corenet_tcp_connect_http_port(asterisk_t) - + dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) @@ -136,7 +136,6 @@ dev_read_urand(asterisk_t) - + domain_use_interactive_fds(asterisk_t) - + -files_read_usr_files(asterisk_t) files_search_spool(asterisk_t) files_dontaudit_search_home(asterisk_t) - + @@ -150,8 +149,6 @@ auth_use_nsswitch(asterisk_t) logging_search_logs(asterisk_t) logging_send_syslog_msg(asterisk_t) - + -miscfiles_read_localization(asterisk_t) - userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) - + diff --git a/authconfig.fc b/authconfig.fc new file mode 100644 index 000000000..4579cfe17 @@ -8962,11 +8962,11 @@ index 92adb37e1..0a2ffc62d 100644 @@ -1,6 +1,8 @@ /etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0) /etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0) - + +/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0) + /usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0) - + /var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0) diff --git a/automount.if b/automount.if index f24e36960..4484a98da 100644 
@@ -8978,12 +8978,12 @@ index f24e36960..4484a98da 100644 # -# interface(`automount_signal',` - gen_require(` - type automount_t; + gen_require(` + type automount_t; @@ -112,6 +111,25 @@ interface(`automount_dontaudit_write_pipes',` - dontaudit $1 automount_t:fifo_file write; + dontaudit $1 automount_t:fifo_file write; ') - + +######################################## +## +## Allow domain to search of automount temporary @@ -8999,7 +8999,7 @@ index f24e36960..4484a98da 100644 + gen_require(` + type automount_tmp_t; + ') -+ ++ + search_dirs_pattern($1, automount_tmp_t, automount_tmp_t) +') + @@ -9007,9 +9007,9 @@ index f24e36960..4484a98da 100644 ## ## Do not audit attempts to get @@ -132,6 +150,30 @@ interface(`automount_dontaudit_getattr_tmp_dirs',` - dontaudit $1 automount_tmp_t:dir getattr_dir_perms; + dontaudit $1 automount_tmp_t:dir getattr_dir_perms; ') - + +######################################## +## +## Execute automount server in the automount domain. @@ -9038,28 +9038,28 @@ index f24e36960..4484a98da 100644 ## ## All of the rules required to 
@@ -153,12 +195,16 @@ interface(`automount_admin',` - gen_require(` - type automount_t, automount_lock_t, automount_tmp_t; - type automount_var_run_t, automount_initrc_exec_t; + gen_require(` + type automount_t, automount_lock_t, automount_tmp_t; + type automount_var_run_t, automount_initrc_exec_t; - type automount_keytab_t; + type automount_unit_file_t, automount_keytab_t; - ') - + ') + - allow $1 automount_t:process { ptrace signal_perms }; + allow $1 automount_t:process signal_perms; - ps_process_pattern($1, automount_t) - + ps_process_pattern($1, automount_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 automount_t:process ptrace; + ') + - init_labeled_script_domtrans($1, automount_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 automount_initrc_exec_t system_r; + init_labeled_script_domtrans($1, automount_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 automount_initrc_exec_t system_r; @@ -175,4 +221,8 @@ interface(`automount_admin',` - - files_list_pids($1) - admin_pattern($1, automount_var_run_t) + + files_list_pids($1) + admin_pattern($1, automount_var_run_t) + + automount_systemctl($1) + admin_pattern($1, automount_unit_file_t) @@ -9072,17 +9072,17 @@ index 27d2f400b..f74f75f1b 100644 @@ -22,6 +22,9 @@ type automount_tmp_t; files_tmp_file(automount_tmp_t) files_mountpoint(automount_tmp_t) - + +type automount_unit_file_t; +systemd_unit_file(automount_unit_file_t) + type automount_var_run_t; files_pid_file(automount_var_run_t) - + @@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t) # Local policy # - + -allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin }; +allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search dac_override sys_admin }; +allow automount_t self:capability2 block_suspend; @@ -9092,13 +9092,13 @@ index 27d2f400b..f74f75f1b 100644 
@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t) corecmd_exec_bin(automount_t) corecmd_exec_shell(automount_t) - + -corenet_all_recvfrom_unlabeled(automount_t) corenet_all_recvfrom_netlabel(automount_t) corenet_tcp_sendrecv_generic_if(automount_t) corenet_udp_sendrecv_generic_if(automount_t) @@ -91,6 +94,7 @@ corenet_udp_bind_all_rpc_ports(automount_t) - + files_dontaudit_write_var_dirs(automount_t) files_getattr_all_dirs(automount_t) +files_getattr_all_files(automount_t) @@ -9124,15 +9124,15 @@ index 27d2f400b..f74f75f1b 100644 @@ -135,14 +139,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) - + -miscfiles_read_localization(automount_t) miscfiles_read_generic_certs(automount_t) - + -mount_domtrans(automount_t) -mount_signal(automount_t) - userdom_dontaudit_use_unpriv_user_fds(automount_t) - + +optional_policy(` + # Run mount in the mount_t domain. + mount_domtrans(automount_t) @@ -9142,11 +9142,11 @@ index 27d2f400b..f74f75f1b 100644 +') + optional_policy(` - fstools_domtrans(automount_t) + fstools_domtrans(automount_t) ') @@ -166,3 +174,8 @@ optional_policy(` optional_policy(` - udev_read_db(automount_t) + udev_read_db(automount_t) ') + +tunable_policy(`mount_anyfile',` @@ -9159,7 +9159,7 @@ index e9fe2cac1..4c2d0769e 100644 +++ b/avahi.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0) - + +/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0) + /usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0) @@ -9170,9 +9170,9 @@ index 9078c3d85..2f6b2503e 100644 --- a/avahi.if +++ b/avahi.if @@ -209,6 +209,30 @@ interface(`avahi_dontaudit_search_pid',` - dontaudit $1 avahi_var_run_t:dir search_dir_perms; + dontaudit $1 avahi_var_run_t:dir search_dir_perms; ') - + +######################################## +## +## Execute avahi server in the avahi domain. 
@@ -9202,27 +9202,27 @@ index 9078c3d85..2f6b2503e 100644 ## Create specified objects in generic @@ -258,12 +282,17 @@ interface(`avahi_filetrans_pid',` interface(`avahi_admin',` - gen_require(` - type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; + gen_require(` + type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; + type avahi_unit_file_t; - type avahi_var_lib_t; - ') - + type avahi_var_lib_t; + ') + - allow $1 avahi_t:process { ptrace signal_perms }; + allow $1 avahi_t:process signal_perms; - ps_process_pattern($1, avahi_t) - + ps_process_pattern($1, avahi_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 avahi_t:process ptrace; + ') + - avahi_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 avahi_initrc_exec_t system_r; + avahi_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 avahi_initrc_exec_t system_r; @@ -274,4 +303,8 @@ interface(`avahi_admin',` - - files_search_var_lib($1) - admin_pattern($1, avahi_var_lib_t) + + files_search_var_lib($1) + admin_pattern($1, avahi_var_lib_t) + + avahi_systemctl($1) + admin_pattern($1, avahi_unit_file_t) @@ -9234,23 +9234,23 @@ index b8355b32f..51ce1b60f 100644 +++ b/avahi.te @@ -13,17 +13,21 @@ type avahi_initrc_exec_t; init_script_file(avahi_initrc_exec_t) - + type avahi_var_lib_t; -files_pid_file(avahi_var_lib_t) +files_type(avahi_var_lib_t) - + type avahi_var_run_t; files_pid_file(avahi_var_run_t) +init_sock_file(avahi_var_run_t) + +type avahi_unit_file_t; +systemd_unit_file(avahi_unit_file_t) - + ######################################## # # Local policy # - + -allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; +allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot }; dontaudit avahi_t self:capability sys_tty_config; @@ -9259,38 +9259,38 @@ index b8355b32f..51ce1b60f 100644 
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t) corecmd_exec_bin(avahi_t) corecmd_exec_shell(avahi_t) - + -corenet_all_recvfrom_unlabeled(avahi_t) corenet_all_recvfrom_netlabel(avahi_t) corenet_tcp_sendrecv_generic_if(avahi_t) corenet_udp_sendrecv_generic_if(avahi_t) @@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t) fs_list_inotifyfs(avahi_t) - + domain_use_interactive_fds(avahi_t) +domain_dontaudit_signull_all_domains(avahi_t) - + files_read_etc_runtime_files(avahi_t) -files_read_usr_files(avahi_t) - + auth_use_nsswitch(avahi_t) - + @@ -83,13 +86,14 @@ init_signull_script(avahi_t) - + logging_send_syslog_msg(avahi_t) - + -miscfiles_read_localization(avahi_t) miscfiles_read_generic_certs(avahi_t) - + sysnet_domtrans_ifconfig(avahi_t) sysnet_manage_config(avahi_t) sysnet_etc_filetrans_config(avahi_t) - + +systemd_login_signull(avahi_t) + userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) - + diff --git a/awstats.fc b/awstats.fc index 11e6d5ffe..73b4ea47c 100644 --- a/awstats.fc @@ -9301,7 +9301,7 @@ index 11e6d5ffe..73b4ea47c 100644 -/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0) +/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:awstats_content_t,s0) +/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:awstats_script_exec_t,s0) - + /var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) diff --git a/awstats.te b/awstats.te index c1b16c392..ffbf2cb8f 100644 @@ -9309,57 +9309,57 @@ index c1b16c392..ffbf2cb8f 100644 +++ b/awstats.te @@ -26,6 +26,7 @@ type awstats_var_lib_t; files_type(awstats_var_lib_t) - + apache_content_template(awstats) +apache_content_alias_template(awstats, awstats) - + ######################################## # 
@@ -40,9 +41,9 @@ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file }) - + manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) - + -allow awstats_t { httpd_awstats_content_t httpd_awstats_script_exec_t }:dir search_dir_perms; +allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms; - + -can_exec(awstats_t, { awstats_exec_t httpd_awstats_script_exec_t }) +can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t }) - + kernel_dontaudit_read_system_state(awstats_t) - + @@ -52,8 +53,6 @@ corecmd_exec_shell(awstats_t) dev_read_urand(awstats_t) - + files_dontaudit_search_all_mountpoints(awstats_t) -files_read_etc_files(awstats_t) -files_read_usr_files(awstats_t) - + fs_list_inotifyfs(awstats_t) - + @@ -61,8 +60,6 @@ libs_read_lib_files(awstats_t) - + logging_read_generic_logs(awstats_t) - + -miscfiles_read_localization(awstats_t) - sysnet_dns_name_resolve(awstats_t) - + tunable_policy(`awstats_purge_apache_log_files',` @@ -90,9 +87,13 @@ optional_policy(` # CGI local policy # - + -allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms; +apache_read_log(awstats_script_t) + +manage_dirs_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t) +manage_files_pattern(awstats_script_t, awstats_tmp_t, awstats_tmp_t) +files_tmp_filetrans(awstats_script_t, awstats_tmp_t, { dir file }) - + -read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) -files_search_var_lib(httpd_awstats_script_t) +allow awstats_script_t awstats_var_lib_t:dir list_dir_perms; - + -apache_read_log(httpd_awstats_script_t) +read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) +files_search_var_lib(awstats_script_t) @@ -9370,7 +9370,7 @@ index 7811450b6..e78703340 100644 @@ -21,7 +21,7 @@ files_type(backup_store_t) # Local policy # - + -allow backup_t self:capability dac_override; +allow backup_t self:capability { dac_read_search dac_override }; allow backup_t self:process signal; 
@@ -9379,20 +9379,20 @@ index 7811450b6..e78703340 100644 @@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t) corecmd_exec_bin(backup_t) corecmd_exec_shell(backup_t) - + -corenet_all_recvfrom_unlabeled(backup_t) corenet_all_recvfrom_netlabel(backup_t) corenet_tcp_sendrecv_generic_if(backup_t) corenet_tcp_sendrecv_generic_node(backup_t) @@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t) - + sysnet_read_config(backup_t) - + -userdom_use_user_terminals(backup_t) +userdom_use_inherited_user_terminals(backup_t) - + optional_policy(` - cron_system_entry(backup_t, backup_exec_t) + cron_system_entry(backup_t, backup_exec_t) diff --git a/bacula.fc b/bacula.fc index 27ec3d519..65aa71bf6 100644 --- a/bacula.fc @@ -9400,24 +9400,24 @@ index 27ec3d519..65aa71bf6 100644 @@ -8,6 +8,8 @@ /usr/sbin/bat -- gen_context(system_u:object_r:bacula_admin_exec_t,s0) /usr/sbin/bconsole -- gen_context(system_u:object_r:bacula_admin_exec_t,s0) - + +/var/bacula(/.*)? gen_context(system_u:object_r:bacula_store_t,s0) + /var/lib/bacula.* gen_context(system_u:object_r:bacula_var_lib_t,s0) - + /var/log/bacula.* gen_context(system_u:object_r:bacula_log_t,s0) diff --git a/bacula.if b/bacula.if index dcd774ee4..c240ffaf6 100644 --- a/bacula.if +++ b/bacula.if @@ -69,6 +69,7 @@ interface(`bacula_admin',` - type bacula_t, bacula_etc_t, bacula_log_t; - type bacula_spool_t, bacula_var_lib_t; - type bacula_var_run_t, bacula_initrc_exec_t; + type bacula_t, bacula_etc_t, bacula_log_t; + type bacula_spool_t, bacula_var_lib_t; + type bacula_var_run_t, bacula_initrc_exec_t; + attribute_role bacula_admin_roles; - ') - - allow $1 bacula_t:process { ptrace signal_perms }; + ') + + allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te index f16b00008..1a7c80f01 100644 --- a/bacula.te @@ -9425,17 +9425,17 @@ index f16b00008..1a7c80f01 100644 
@@ -27,6 +27,9 @@ type bacula_store_t; files_type(bacula_store_t) files_mountpoint(bacula_store_t) - + +type bacula_tmp_t; +files_tmp_file(bacula_tmp_t) + type bacula_var_lib_t; files_type(bacula_var_lib_t) - + @@ -38,21 +41,30 @@ type bacula_admin_exec_t; application_domain(bacula_admin_t, bacula_admin_exec_t) role bacula_admin_roles types bacula_admin_t; - + +type bacula_unconfined_script_exec_t; +application_executable_file(bacula_unconfined_script_exec_t) + @@ -9443,15 +9443,15 @@ index f16b00008..1a7c80f01 100644 # # Local policy # - + -allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; +allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid}; allow bacula_t self:process signal; allow bacula_t self:fifo_file rw_fifo_file_perms; allow bacula_t self:tcp_socket { accept listen }; - + read_files_pattern(bacula_t, bacula_etc_t, bacula_etc_t) - + +manage_files_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t) +manage_dirs_pattern(bacula_t, bacula_tmp_t, bacula_tmp_t) +files_tmp_filetrans(bacula_t, bacula_tmp_t, { dir file }) @@ -9461,13 +9461,13 @@ index f16b00008..1a7c80f01 100644 create_files_pattern(bacula_t, bacula_log_t, bacula_log_t) setattr_files_pattern(bacula_t, bacula_log_t, bacula_log_t) +logging_log_filetrans(bacula_t, bacula_log_t, { file dir }) - + manage_dirs_pattern(bacula_t, bacula_spool_t, bacula_spool_t) manage_files_pattern(bacula_t, bacula_spool_t, bacula_spool_t) @@ -88,6 +100,10 @@ corenet_udp_bind_generic_node(bacula_t) corenet_sendrecv_generic_server_packets(bacula_t) corenet_udp_bind_generic_port(bacula_t) - + + +#TODO: check port labels for hplip a bacula +corenet_tcp_bind_bacula_port(bacula_t) @@ -9478,7 +9478,7 @@ index f16b00008..1a7c80f01 100644 @@ -98,19 +114,30 @@ corenet_tcp_connect_all_ports(bacula_t) dev_getattr_all_blk_files(bacula_t) dev_getattr_all_chr_files(bacula_t) - + +files_getattr_all_pipes(bacula_t) +files_getattr_all_sockets(bacula_t) + 
@@ -9486,30 +9486,30 @@ index f16b00008..1a7c80f01 100644 +files_dontaudit_getattr_all_pipes(bacula_t) files_read_all_files(bacula_t) files_read_all_symlinks(bacula_t) - + fs_getattr_xattr_fs(bacula_t) fs_list_all(bacula_t) - + +storage_raw_read_fixed_disk(bacula_t) +storage_read_tape(bacula_t) +storage_write_tape(bacula_t) + +auth_use_nsswitch(bacula_t) auth_read_shadow(bacula_t) - + logging_send_syslog_msg(bacula_t) - + sysnet_dns_name_resolve(bacula_t) - + +userdom_home_manager(bacula_t) + optional_policy(` - mysql_stream_connect(bacula_t) - mysql_tcp_connect(bacula_t) + mysql_stream_connect(bacula_t) + mysql_tcp_connect(bacula_t) @@ -125,6 +152,12 @@ optional_policy(` - ldap_stream_connect(bacula_t) + ldap_stream_connect(bacula_t) ') - + +optional_policy(` + postgresql_tcp_connect(bacula_t) + postgresql_stream_connect(bacula_t) @@ -9520,15 +9520,15 @@ index f16b00008..1a7c80f01 100644 # # Client local policy @@ -148,11 +181,32 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) - + domain_use_interactive_fds(bacula_admin_t) - + -files_read_etc_files(bacula_admin_t) - -miscfiles_read_localization(bacula_admin_t) - sysnet_dns_name_resolve(bacula_admin_t) - + userdom_dontaudit_search_user_home_dirs(bacula_admin_t) userdom_use_user_ptys(bacula_admin_t) + @@ -9543,7 +9543,7 @@ index f16b00008..1a7c80f01 100644 + + domain_entry_file(bacula_unconfined_script_t, bacula_unconfined_script_exec_t) + role system_r types bacula_unconfined_script_t; -+ ++ + allow bacula_t bacula_unconfined_script_t:process signal_perms; + + domtrans_pattern(bacula_t, bacula_unconfined_script_exec_t, bacula_unconfined_script_t) @@ -9562,20 +9562,20 @@ index fb42e352b..8af0e14ce 100644 +++ b/bcfg2.fc 
@@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0) - + +/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0) + /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0) - + /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) diff --git a/bcfg2.if b/bcfg2.if index ec95d361e..186271b74 100644 --- a/bcfg2.if +++ b/bcfg2.if @@ -115,6 +115,32 @@ interface(`bcfg2_manage_lib_dirs',` - manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) + manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) ') - + +######################################## +## +## Execute bcfg2 server in the bcfg2 domain. @@ -9606,27 +9606,27 @@ index ec95d361e..186271b74 100644 ## ## All of the rules required to @@ -136,11 +162,16 @@ interface(`bcfg2_admin',` - gen_require(` - type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t; - type bcfg2_var_run_t; + gen_require(` + type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t; + type bcfg2_var_run_t; + type bcfg2_unit_file_t; - ') - + ') + - allow $1 bcfg2_t:process { ptrace signal_perms }; + allow $1 bcfg2_t:process { signal_perms }; - ps_process_pattern($1, bcfg2_t) - + ps_process_pattern($1, bcfg2_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 bcfg2_t:process ptrace; + ') + - bcfg2_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 bcfg2_initrc_exec_t system_r; + bcfg2_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 bcfg2_initrc_exec_t system_r; @@ -151,4 +182,13 @@ interface(`bcfg2_admin',` - - files_search_var_lib($1) - admin_pattern($1, bcfg2_var_lib_t) + + files_search_var_lib($1) + admin_pattern($1, bcfg2_var_lib_t) + + bcfg2_systemctl($1) + admin_pattern($1, bcfg2_unit_file_t) @@ -9644,21 +9644,21 @@ index c3fd7b148..e18959384 100644 
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t) type bcfg2_var_lib_t; files_type(bcfg2_var_lib_t) - + +type bcfg2_unit_file_t; +systemd_unit_file(bcfg2_unit_file_t) + type bcfg2_var_run_t; files_pid_file(bcfg2_var_run_t) - + @@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t) - + domain_use_interactive_fds(bcfg2_t) - + -files_read_usr_files(bcfg2_t) - + auth_use_nsswitch(bcfg2_t) - + logging_send_syslog_msg(bcfg2_t) - -miscfiles_read_localization(bcfg2_t) @@ -9672,7 +9672,7 @@ index 2b9a3a10d..982ce9b71 100644 +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) - + -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0) -/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) @@ -9694,7 +9694,7 @@ index 2b9a3a10d..982ce9b71 100644 +/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0) +/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0) +/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0) - + /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) 
@@ -9708,17 +9708,17 @@ index 2b9a3a10d..982ce9b71 100644 +/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/unbound-control -- gen_context(system_u:object_r:named_exec_t,s0) - + -/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) - + -/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0) +/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) +/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0) - + -/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0) +ifdef(`distro_debian',` +/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) @@ -9736,7 +9736,7 @@ index 2b9a3a10d..982ce9b71 100644 +/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +') - + -/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) -/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) @@ -9792,9 +9792,9 @@ index 531a8f244..3fcf18722 100644 --- a/bind.if +++ b/bind.if @@ -18,6 +18,30 @@ interface(`bind_initrc_domtrans',` - init_labeled_script_domtrans($1, named_initrc_exec_t) + init_labeled_script_domtrans($1, named_initrc_exec_t) ') - + +######################################## +## +## Execute bind server in the bind domain. @@ -9823,17 +9823,17 @@ index 531a8f244..3fcf18722 100644 ## ## Execute ndc in the ndc domain. 
@@ -169,6 +193,7 @@ interface(`bind_read_config',` - type named_conf_t; - ') - + type named_conf_t; + ') + + allow $1 named_conf_t:dir list_dir_perms; - read_files_pattern($1, named_conf_t, named_conf_t) + read_files_pattern($1, named_conf_t, named_conf_t) ') - + @@ -210,6 +235,25 @@ interface(`bind_manage_config_dirs',` - manage_dirs_pattern($1, named_conf_t, named_conf_t) + manage_dirs_pattern($1, named_conf_t, named_conf_t) ') - + +######################################## +## +## Create, read, write, and delete @@ -9857,9 +9857,9 @@ index 531a8f244..3fcf18722 100644 ## ## Search bind cache directories. @@ -308,6 +352,47 @@ interface(`bind_read_zone',` - read_files_pattern($1, named_zone_t, named_zone_t) + read_files_pattern($1, named_zone_t, named_zone_t) ') - + +######################################## +## +## Read BIND zone files. @@ -9905,9 +9905,9 @@ index 531a8f244..3fcf18722 100644 ## ## Create, read, write, and delete @@ -342,6 +427,25 @@ interface(`bind_udp_chat_named',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicywarn(`$0($*) has been deprecated.') ') - + +######################################## +## +## Allow the domain to read bind state files in /proc. @@ -9931,13 +9931,13 @@ index 531a8f244..3fcf18722 100644 ## ## All of the rules required to @@ -364,11 +468,17 @@ interface(`bind_admin',` - type named_t, named_tmp_t, named_log_t; - type named_cache_t, named_zone_t, named_initrc_exec_t; - type dnssec_t, ndc_t, named_conf_t, named_var_run_t; + type named_t, named_tmp_t, named_log_t; + type named_cache_t, named_zone_t, named_initrc_exec_t; + type dnssec_t, ndc_t, named_conf_t, named_var_run_t; - type named_keytab_t; + type named_keytab_t, named_unit_file_t; - ') - + ') + - allow $1 { named_t ndc_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { named_t ndc_t }) + allow $1 named_t:process signal_perms; 
@@ -9948,21 +9948,21 @@ index 531a8f244..3fcf18722 100644 + ') + + bind_run_ndc($1, $2) - - init_labeled_script_domtrans($1, named_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, named_initrc_exec_t) + domain_system_change_exemption($1) @@ -384,11 +494,15 @@ interface(`bind_admin',` - files_list_etc($1) - admin_pattern($1, { named_keytab_t named_conf_t }) - + files_list_etc($1) + admin_pattern($1, { named_keytab_t named_conf_t }) + + admin_pattern($1, named_keytab_t) + - files_list_var($1) - admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) - - files_list_pids($1) - admin_pattern($1, named_var_run_t) - + files_list_var($1) + admin_pattern($1, { dnssec_t named_cache_t named_zone_t }) + + files_list_pids($1) + admin_pattern($1, named_var_run_t) + - bind_run_ndc($1, $2) + admin_pattern($1, named_unit_file_t) + bind_systemctl($1) @@ -9974,27 +9974,27 @@ index 124112346..71ecaba28 100644 +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; init_system_domain(named_t, named_checkconf_exec_t) - + type named_conf_t; -files_type(named_conf_t) +files_config_file(named_conf_t) files_mountpoint(named_conf_t) - + # for secondary zone files @@ -44,6 +44,9 @@ files_type(named_cache_t) type named_initrc_exec_t; init_script_file(named_initrc_exec_t) - + +type named_unit_file_t; +systemd_unit_file(named_unit_file_t) + type named_keytab_t; files_type(named_keytab_t) - + @@ -71,8 +74,9 @@ role ndc_roles types ndc_t; # Local policy # - + -allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; +allow named_t self:capability { chown dac_read_search dac_override fowner net_raw net_admin setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; @@ -10005,24 +10005,24 @@ index 124112346..71ecaba28 100644 
@@ -84,14 +88,13 @@ allow named_t named_conf_t:dir list_dir_perms; read_files_pattern(named_t, named_conf_t, named_conf_t) read_lnk_files_pattern(named_t, named_conf_t, named_conf_t) - + +manage_dirs_pattern(named_t, named_cache_t, named_cache_t) manage_files_pattern(named_t, named_cache_t, named_cache_t) manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) - + allow named_t named_keytab_t:file read_file_perms; - + -append_files_pattern(named_t, named_log_t, named_log_t) -create_files_pattern(named_t, named_log_t, named_log_t) -setattr_files_pattern(named_t, named_log_t, named_log_t) +manage_files_pattern(named_t, named_log_t, named_log_t) logging_log_filetrans(named_t, named_log_t, file) - + manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) @@ -115,7 +118,6 @@ kernel_read_network_state(named_t) - + corecmd_search_bin(named_t) - + -corenet_all_recvfrom_unlabeled(named_t) corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) @@ -10043,30 +10043,30 @@ index 124112346..71ecaba28 100644 +corenet_udp_bind_whois_port(named_t) corenet_tcp_bind_rndc_port(named_t) corenet_tcp_sendrecv_rndc_port(named_t) - + @@ -140,14 +148,18 @@ corenet_udp_sendrecv_all_ports(named_t) corenet_sendrecv_all_client_packets(named_t) corenet_tcp_connect_all_ports(named_t) corenet_tcp_sendrecv_all_ports(named_t) +corenet_udp_bind_all_ephemeral_ports(named_t) +corenet_tcp_bind_all_ephemeral_ports(named_t) - + dev_read_sysfs(named_t) dev_read_rand(named_t) dev_read_urand(named_t) +dev_dontaudit_write_urand(named_t) - + domain_use_interactive_fds(named_t) - + files_read_etc_runtime_files(named_t) +files_mmap_usr_files(named_t) - + fs_getattr_all_fs(named_t) fs_search_auto_mountpoints(named_t) @@ -174,6 +186,19 @@ tunable_policy(`named_write_master_zones',` - manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t) + manage_lnk_files_pattern(named_t, named_zone_t, named_zone_t) ') - + +optional_policy(` + cron_system_entry(named_t, named_exec_t) +') 
@@ -10081,11 +10081,11 @@ index 124112346..71ecaba28 100644 +') + optional_policy(` - dbus_system_domain(named_t, named_exec_t) - + dbus_system_domain(named_t, named_exec_t) + @@ -187,7 +212,17 @@ optional_policy(` ') - + optional_policy(` + ipa_manage_lib(named_t) +') @@ -10096,15 +10096,15 @@ index 124112346..71ecaba28 100644 + +optional_policy(` + kerberos_filetrans_named_content(named_t) - kerberos_read_keytab(named_t) + kerberos_read_keytab(named_t) + kerberos_read_host_rcache(named_t) - kerberos_use(named_t) + kerberos_use(named_t) ') - + @@ -214,8 +249,9 @@ optional_policy(` # NDC local policy # - + -allow ndc_t self:capability { dac_override net_admin }; -allow ndc_t self:process signal_perms; +allow ndc_t self:capability { dac_read_search dac_override net_admin }; @@ -10112,15 +10112,15 @@ index 124112346..71ecaba28 100644 +allow ndc_t self:process { fork signal_perms }; allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; - + @@ -229,10 +265,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; - + allow ndc_t named_zone_t:dir search_dir_perms; - + -kernel_read_kernel_sysctls(ndc_t) kernel_read_system_state(ndc_t) +kernel_read_kernel_sysctls(ndc_t) - + -corenet_all_recvfrom_unlabeled(ndc_t) corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) @@ -10128,45 +10128,45 @@ index 124112346..71ecaba28 100644 @@ -242,6 +277,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) - + +dev_read_rand(ndc_t) +dev_read_urand(ndc_t) + domain_use_interactive_fds(ndc_t) - + files_search_pids(ndc_t) @@ -257,7 +295,7 @@ init_use_script_ptys(ndc_t) - + logging_send_syslog_msg(ndc_t) - + -miscfiles_read_localization(ndc_t) +userdom_use_inherited_user_terminals(ndc_t) - + userdom_use_user_terminals(ndc_t) - + diff --git a/bird.te b/bird.te index 1d60c2730..f8bb70055 100644 --- a/bird.te +++ b/bird.te 
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t) corenet_tcp_sendrecv_bgp_port(bird_t) - + # /etc/iproute2/rt_realms -files_read_etc_files(bird_t) - + logging_send_syslog_msg(bird_t) - + diff --git a/bitlbee.fc b/bitlbee.fc index e9708d6cc..61362d088 100644 --- a/bitlbee.fc +++ b/bitlbee.fc @@ -7,7 +7,7 @@ - + /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) - + -/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0) +/var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0) - + /var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) /var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/bitlbee.if b/bitlbee.if @@ -10174,20 +10174,20 @@ index e73fb799e..2badfc0d9 100644 --- a/bitlbee.if +++ b/bitlbee.if @@ -44,9 +44,13 @@ interface(`bitlbee_admin',` - type bitlbee_log_t, bitlbee_tmp_t; - ') - + type bitlbee_log_t, bitlbee_tmp_t; + ') + - allow $1 bitlbee_t:process { ptrace signal_perms }; + allow $1 bitlbee_t:process signal_perms; - ps_process_pattern($1, bitlbee_t) - + ps_process_pattern($1, bitlbee_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 bitlbee_t:process ptrace; + ') + - init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitlbee_initrc_exec_t system_r; + init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te index f5c1a48b6..102fa8eae 100644 --- a/bitlbee.te @@ -10195,7 +10195,7 @@ index f5c1a48b6..102fa8eae 100644 @@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t) # Local policy # - + -allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; +allow bitlbee_t self:capability { dac_read_search dac_override kill setgid setuid sys_nice }; allow bitlbee_t self:process { setsched signal }; 
@@ -10207,7 +10207,7 @@ index f5c1a48b6..102fa8eae 100644 +allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; +allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; +allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms; - + allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; allow bitlbee_t bitlbee_conf_t:file read_file_perms; @@ -45,22 +48,25 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms; @@ -10217,29 +10217,29 @@ index f5c1a48b6..102fa8eae 100644 +read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) +logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file }) - + manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) - + manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) -files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) +manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) +files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file}) - + manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) - + -kernel_read_kernel_sysctls(bitlbee_t) kernel_read_system_state(bitlbee_t) +kernel_read_kernel_sysctls(bitlbee_t) - + corenet_all_recvfrom_unlabeled(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) @@ -98,7 +104,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t) - + corenet_sendrecv_ircd_server_packets(bitlbee_t) corenet_tcp_bind_ircd_port(bitlbee_t) +corenet_tcp_bind_interwise_port(bitlbee_t) 
@@ -10247,26 +10247,26 @@ index f5c1a48b6..102fa8eae 100644 +corenet_tcp_connect_interwise_port(bitlbee_t) corenet_tcp_connect_ircd_port(bitlbee_t) corenet_tcp_sendrecv_ircd_port(bitlbee_t) - + @@ -109,16 +117,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) - + -files_read_usr_files(bitlbee_t) - libs_legacy_use_shared_libs(bitlbee_t) - + auth_use_nsswitch(bitlbee_t) - + logging_send_syslog_msg(bitlbee_t) - + -miscfiles_read_localization(bitlbee_t) +optional_policy(` + dbus_system_bus_client(bitlbee_t) +') - + optional_policy(` - tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) + tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) ') + diff --git a/blkmapd.fc b/blkmapd.fc @@ -10465,77 +10465,77 @@ index c295d2e01..4f84e9c14 100644 @@ -1,3 +1,4 @@ + /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0) - + /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0) diff --git a/blueman.if b/blueman.if index 16ec52526..1dd40595c 100644 --- a/blueman.if +++ b/blueman.if @@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',` - - allow $1 blueman_t:dbus send_msg; - allow blueman_t $1:dbus send_msg; + + allow $1 blueman_t:dbus send_msg; + allow blueman_t $1:dbus send_msg; + ps_process_pattern(blueman_t, $1) ') - + ######################################## diff --git a/blueman.te b/blueman.te index 3a5032e06..7987a21b1 100644 --- a/blueman.te +++ b/blueman.te @@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0) - + type blueman_t; type blueman_exec_t; -dbus_system_domain(blueman_t, blueman_exec_t) +init_daemon_domain(blueman_t, blueman_exec_t) - + type blueman_var_lib_t; files_type(blueman_var_lib_t) 
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t) # - + allow blueman_t self:capability { net_admin sys_nice }; -allow blueman_t self:process { signal_perms setsched }; +allow blueman_t self:process { execmem signal_perms setsched }; + allow blueman_t self:fifo_file rw_fifo_file_perms; - + manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) @@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) - + -kernel_read_net_sysctls(blueman_t) +kernel_rw_net_sysctls(blueman_t) kernel_read_system_state(blueman_t) kernel_request_load_module(blueman_t) - + @@ -41,29 +42,45 @@ corecmd_exec_bin(blueman_t) dev_read_rand(blueman_t) dev_read_urand(blueman_t) dev_rw_wireless(blueman_t) +dev_rwx_zero(blueman_t) - + domain_use_interactive_fds(blueman_t) - + files_list_tmp(blueman_t) -files_read_usr_files(blueman_t) +files_dontaudit_write_all_mountpoints(blueman_t) - + auth_use_nsswitch(blueman_t) - + logging_send_syslog_msg(blueman_t) - + -miscfiles_read_localization(blueman_t) - sysnet_domtrans_ifconfig(blueman_t) +sysnet_dns_name_resolve(blueman_t) - + optional_policy(` - avahi_domtrans(blueman_t) + avahi_domtrans(blueman_t) ') - + +optional_policy(` + bluetooth_read_config(blueman_t) +') @@ -10545,16 +10545,16 @@ index 3a5032e06..7987a21b1 100644 +') + optional_policy(` - dnsmasq_domtrans(blueman_t) - dnsmasq_read_pid_files(blueman_t) + dnsmasq_domtrans(blueman_t) + dnsmasq_read_pid_files(blueman_t) ') - + +optional_policy(` + gnome_search_gconf(blueman_t) +') + optional_policy(` - iptables_domtrans(blueman_t) + iptables_domtrans(blueman_t) ') + +optional_policy(` @@ -10567,7 +10567,7 @@ index 2b9c7f329..0086b95d1 100644 
@@ -5,10 +5,14 @@ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) - + +/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0) + /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0) @@ -10576,7 +10576,7 @@ index 2b9c7f329..0086b95d1 100644 /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) - + /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) diff --git a/bluetooth.if b/bluetooth.if @@ -10584,9 +10584,9 @@ index c723a0ae0..d3611b658 100644 --- a/bluetooth.if +++ b/bluetooth.if @@ -37,7 +37,12 @@ interface(`bluetooth_role',` - domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) - - ps_process_pattern($2, bluetooth_helper_t) + domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) + + ps_process_pattern($2, bluetooth_helper_t) - allow $2 bluetooth_helper_t:process { ptrace signal_perms }; + + allow $2 bluetooth_helper_t:process signal_perms; @@ -10594,40 +10594,40 @@ index c723a0ae0..d3611b658 100644 + tunable_policy(`deny_ptrace',`',` + allow $2 bluetooth_helper_t:process ptrace; + ') - - allow $2 bluetooth_t:socket rw_socket_perms; - + + allow $2 bluetooth_t:socket rw_socket_perms; + 
@@ -45,8 +50,10 @@ interface(`bluetooth_role',` - allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - + allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; + allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + + manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) + manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) + bluetooth_stream_connect($2) - stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) + stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) - files_search_pids($2) ') - + ##################################### @@ -63,11 +70,14 @@ interface(`bluetooth_role',` interface(`bluetooth_stream_connect',` - gen_require(` - type bluetooth_t, bluetooth_var_run_t; + gen_require(` + type bluetooth_t, bluetooth_var_run_t; + type bluetooth_tmp_t; - ') - - files_search_pids($1) - allow $1 bluetooth_t:socket rw_socket_perms; + ') + + files_search_pids($1) + allow $1 bluetooth_t:socket rw_socket_perms; + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms; - stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) + stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) + stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t) ') - + ######################################## @@ -128,6 +138,27 @@ interface(`bluetooth_dbus_chat',` - allow bluetooth_t $1:dbus send_msg; + allow bluetooth_t $1:dbus send_msg; ') - + +######################################## +## +## dontaudit Send and receive messages from @@ -10653,9 +10653,9 @@ index c723a0ae0..d3611b658 100644 ## ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) 
@@ -188,6 +219,30 @@ interface(`bluetooth_dontaudit_read_helper_state',` - dontaudit $1 bluetooth_helper_t:file read_file_perms; + dontaudit $1 bluetooth_helper_t:file read_file_perms; ') - + +######################################## +## +## Execute bluetooth server in the bluetooth domain. @@ -10684,28 +10684,28 @@ index c723a0ae0..d3611b658 100644 ## ## All of the rules required to @@ -210,12 +265,16 @@ interface(`bluetooth_admin',` - type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; - type bluetooth_var_lib_t, bluetooth_var_run_t; - type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; + type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; + type bluetooth_var_lib_t, bluetooth_var_run_t; + type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; - type bluetooth_initrc_exec_t; + type bluetooth_unit_file_t, bluetooth_initrc_exec_t; - ') - + ') + - allow $1 bluetooth_t:process { ptrace signal_perms }; + allow $1 bluetooth_t:process signal_perms; - ps_process_pattern($1, bluetooth_t) - + ps_process_pattern($1, bluetooth_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 bluetooth_t:process ptrace; + ') + - init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bluetooth_initrc_exec_t system_r; + init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bluetooth_initrc_exec_t system_r; @@ -235,4 +294,8 @@ interface(`bluetooth_admin',` - - files_list_pids($1) - admin_pattern($1, bluetooth_var_run_t) + + files_list_pids($1) + admin_pattern($1, bluetooth_var_run_t) + + bluetooth_systemctl($1) + admin_pattern($1, bluetooth_unit_file_t) @@ -10720,13 +10720,13 @@ index 851769e55..903bc0f9e 100644 type bluetooth_exec_t; init_daemon_domain(bluetooth_t, bluetooth_exec_t) +init_nnp_daemon_domain(bluetooth_t) - + type bluetooth_conf_t; files_config_file(bluetooth_conf_t) 
@@ -49,12 +50,15 @@ files_type(bluetooth_var_lib_t) type bluetooth_var_run_t; files_pid_file(bluetooth_var_run_t) - + +type bluetooth_unit_file_t; +systemd_unit_file(bluetooth_unit_file_t) + @@ -10734,7 +10734,7 @@ index 851769e55..903bc0f9e 100644 # # Local policy # - + -allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; +allow bluetooth_t self:capability { dac_read_search dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock }; dontaudit bluetooth_t self:capability sys_tty_config; @@ -10747,26 +10747,26 @@ index 851769e55..903bc0f9e 100644 +allow bluetooth_t self:alg_socket create_stream_socket_perms; +allow bluetooth_t self:bluetooth_socket create_stream_socket_perms; allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms; - + read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t) @@ -78,10 +84,12 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) - + manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) -files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file }) +manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) +files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file }) - + manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) +allow bluetooth_t bluetooth_var_lib_t:file map; files_var_lib_filetrans(bluetooth_t, bluetooth_var_lib_t, { dir file } ) - + manage_files_pattern(bluetooth_t, bluetooth_var_run_t, bluetooth_var_run_t) @@ -90,27 +98,37 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) - + can_exec(bluetooth_t, bluetooth_helper_exec_t) - + +corecmd_exec_bin(bluetooth_t) +corecmd_exec_shell(bluetooth_t) + 
@@ -10775,7 +10775,7 @@ index 851769e55..903bc0f9e 100644 kernel_read_network_state(bluetooth_t) kernel_request_load_module(bluetooth_t) kernel_search_debugfs(bluetooth_t) - + -corecmd_exec_bin(bluetooth_t) -corecmd_exec_shell(bluetooth_t) - @@ -10797,41 +10797,41 @@ index 851769e55..903bc0f9e 100644 dev_rw_input_dev(bluetooth_t) dev_rw_wireless(bluetooth_t) +dev_rw_uhid_dev(bluetooth_t) - + domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) - + files_read_etc_runtime_files(bluetooth_t) -files_read_usr_files(bluetooth_t) - + fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) @@ -122,7 +140,6 @@ auth_use_nsswitch(bluetooth_t) - + logging_send_syslog_msg(bluetooth_t) - + -miscfiles_read_localization(bluetooth_t) miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) - + @@ -130,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) - + +# machine-info +systemd_hostnamed_read_config(bluetooth_t) +systemd_dbus_chat_hostnamed(bluetooth_t) + optional_policy(` - dbus_system_bus_client(bluetooth_t) - dbus_connect_system_bus(bluetooth_t) + dbus_system_bus_client(bluetooth_t) + dbus_connect_system_bus(bluetooth_t) @@ -200,7 +221,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) - + files_read_etc_runtime_files(bluetooth_helper_t) -files_read_usr_files(bluetooth_helper_t) files_dontaudit_list_default(bluetooth_helper_t) - + term_dontaudit_use_all_ttys(bluetooth_helper_t) diff --git a/boinc.fc b/boinc.fc index 6d3ccad60..bda740a71 100644 @@ -10839,15 +10839,15 @@ index 6d3ccad60..bda740a71 100644 +++ b/boinc.fc 
@@ -1,9 +1,12 @@ -/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) - + -/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) +/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0) - + -/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0) -/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) -/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0) +/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0) - + -/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0) +/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0) + @@ -10863,7 +10863,7 @@ index 02fefaaf7..308616e8d 100644 @@ -1,9 +1,166 @@ -## Platform for computing using volunteered resources. +## policy for boinc - + ######################################## ## -## All of the rules required to @@ -11033,40 +11033,40 @@ index 02fefaaf7..308616e8d 100644 
@@ -19,26 +176,32 @@ # interface(`boinc_admin',` - gen_require(` + gen_require(` - - type boinc_t, boinc_project_t, boinc_log_t; - type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t; - type boinc_project_var_lib_t, boinc_project_tmp_t; + type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; + type boinc_unit_file_t; - ') - + ') + - allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { boinc_t boinc_project_t }) + allow $1 boinc_t:process signal_perms; + ps_process_pattern($1, boinc_t) - + - init_labeled_script_domtrans($1, boinc_initrc_exec_t) + tunable_policy(`deny_ptrace',`',` + allow $1 boinc_t:process ptrace; + ') + + boinc_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 boinc_initrc_exec_t system_r; - allow $2 system_r; - + domain_system_change_exemption($1) + role_transition $2 boinc_initrc_exec_t system_r; + allow $2 system_r; + - logging_search_logs($1) - admin_pattern($1, boinc_log_t) + files_list_var_lib($1) + admin_pattern($1, boinc_var_lib_t) - + - files_search_tmp($1) - admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t }) + boinc_systemctl($1) + admin_pattern($1, boinc_unit_file_t) - + - files_search_var_lib($1) - admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t }) + allow $1 boinc_unit_file_t:service all_service_perms; @@ -11083,24 +11083,24 @@ index 687d4c48d..8ba0f8bdb 100644 @@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1) ## gen_tunable(boinc_execmem, true) - + -type boinc_t; +attribute boinc_domain; + +type boinc_t, boinc_domain; type boinc_exec_t; init_daemon_domain(boinc_t, boinc_exec_t) - + @@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t) type boinc_var_lib_t; files_type(boinc_var_lib_t) - + -type boinc_project_var_lib_t; -files_type(boinc_project_var_lib_t) - type boinc_log_t; logging_log_file(boinc_log_t) - + +type boinc_unit_file_t; +systemd_unit_file(boinc_unit_file_t) + 
@@ -11108,10 +11108,10 @@ index 687d4c48d..8ba0f8bdb 100644 domain_type(boinc_project_t) -domain_entry_file(boinc_project_t, boinc_project_var_lib_t) role system_r types boinc_project_t; - + type boinc_project_tmp_t; files_tmp_file(boinc_project_tmp_t) - + +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + @@ -11157,7 +11157,7 @@ index 687d4c48d..8ba0f8bdb 100644 -# Local policy +# boinc local policy # - + allow boinc_t self:process { setsched setpgid signull sigkill }; -allow boinc_t self:unix_stream_socket { accept listen }; -allow boinc_t self:tcp_socket { accept listen }; @@ -11167,15 +11167,15 @@ index 687d4c48d..8ba0f8bdb 100644 allow boinc_t self:shm create_shm_perms; -allow boinc_t self:fifo_file rw_fifo_file_perms; -allow boinc_t self:sem create_sem_perms; - + manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) @@ -60,75 +100,51 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) - + manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) +allow boinc_t boinc_tmpfs_t:file map; - + -manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) @@ -11189,7 +11189,7 @@ index 687d4c48d..8ba0f8bdb 100644 +# other boinc lib files will end up with boinc_var_lib_t filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots") filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects") - + -append_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -create_files_pattern(boinc_t, boinc_log_t, boinc_log_t) -setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t) 
@@ -11199,16 +11199,16 @@ index 687d4c48d..8ba0f8bdb 100644 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +allow boinc_t boinc_project_var_lib_t:file map; - + -domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t) +logging_log_filetrans(boinc_t, boinc_log_t, { file }) - + +# needs read /proc/interrupts kernel_read_system_state(boinc_t) +kernel_read_network_state(boinc_t) kernel_search_vm_sysctl(boinc_t) - + -corenet_all_recvfrom_unlabeled(boinc_t) +dev_getattr_mouse_dev(boinc_t) + @@ -11257,35 +11257,35 @@ index 687d4c48d..8ba0f8bdb 100644 -dev_rw_xserver_misc(boinc_t) - -domain_read_all_domains_state(boinc_t) - + files_dontaudit_getattr_boot_dirs(boinc_t) -files_getattr_all_dirs(boinc_t) -files_getattr_all_files(boinc_t) -files_read_etc_files(boinc_t) -files_read_etc_runtime_files(boinc_t) -files_read_usr_files(boinc_t) - + -fs_getattr_all_fs(boinc_t) +auth_read_passwd(boinc_t) - + term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) @@ -137,8 +153,9 @@ init_read_utmp(boinc_t) - + logging_send_syslog_msg(boinc_t) - + -miscfiles_read_fonts(boinc_t) -miscfiles_read_localization(boinc_t) +modutils_dontaudit_exec_insmod(boinc_t) + +xserver_stream_connect(boinc_t) - + tunable_policy(`boinc_execmem',` - allow boinc_t self:process { execstack execmem }; + allow boinc_t self:process { execstack execmem }; @@ -148,48 +165,61 @@ optional_policy(` - mta_send_mail(boinc_t) + mta_send_mail(boinc_t) ') - + -optional_policy(` - sysnet_dns_name_resolve(boinc_t) -') @@ -11295,7 +11295,7 @@ index 687d4c48d..8ba0f8bdb 100644 -# Project local policy +# boinc-projects local policy # - + allow boinc_project_t self:capability { setuid setgid }; -allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms }; + 
@@ -11309,31 +11309,31 @@ index 687d4c48d..8ba0f8bdb 100644 +') + +allow boinc_project_t self:process { execstack }; - + manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file}) - + +allow boinc_project_t boinc_project_var_lib_t:file entrypoint; +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects") +files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" ) - + allow boinc_project_t boinc_project_var_lib_t:file execmod; -can_exec(boinc_project_t, boinc_project_var_lib_t) - + allow boinc_project_t boinc_t:shm rw_shm_perms; -allow boinc_project_t boinc_tmpfs_t:file { read write }; +allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms; - + kernel_read_kernel_sysctls(boinc_project_t) -kernel_read_network_state(boinc_project_t) kernel_search_vm_sysctl(boinc_project_t) +kernel_read_network_state(boinc_project_t) - + -corenet_all_recvfrom_unlabeled(boinc_project_t) -corenet_all_recvfrom_netlabel(boinc_project_t) -corenet_tcp_sendrecv_generic_if(boinc_project_t) 
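Review bot: boinc_project_t now holds manage_files_pattern, exec_files_pattern, `file entrypoint` and `file execmod` on the same type, boinc_project_var_lib_t, so a project process can rewrite the very binaries it is entered from and the usual write/execute split is gone for that type; if that is the intended model for downloaded work units, a comment above the entrypoint rule should say so, e.g. `# project binaries are downloaded into and run from boinc_project_var_lib_t; write+exec on one type is deliberate`, since the rest of this section is then the only containment for the domain. The second named filetrans also carries a stray space, `dir, "slots" )`, that the `"projects"` line directly above does not. The boinc-projects section continues past the end of the hunk.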
@@ -11343,18 +11343,18 @@ index 687d4c48d..8ba0f8bdb 100644 -corenet_sendrecv_boinc_client_packets(boinc_project_t) corenet_tcp_connect_boinc_port(boinc_project_t) -corenet_tcp_sendrecv_boinc_port(boinc_project_t) - + files_dontaudit_search_home(boinc_project_t) - + +# needed by java +fs_read_hugetlbfs_files(boinc_project_t) + +optional_policy(` -+ gnome_read_gconf_config(boinc_project_t) ++ gnome_read_gconf_config(boinc_project_t) +') + optional_policy(` - java_exec(boinc_project_t) + java_exec(boinc_project_t) ') + +# until solution for VirtualBox, java .. @@ -11367,25 +11367,25 @@ index c5a91138c..1919abdd8 100644 +++ b/brctl.te @@ -24,6 +24,7 @@ allow brctl_t self:unix_dgram_socket create_socket_perms; allow brctl_t self:tcp_socket create_socket_perms; - + kernel_request_load_module(brctl_t) +kernel_read_system_state(brctl_t) kernel_read_network_state(brctl_t) kernel_read_sysctl(brctl_t) - + @@ -34,12 +35,8 @@ dev_write_sysfs_dirs(brctl_t) - + domain_use_interactive_fds(brctl_t) - + -files_read_etc_files(brctl_t) - term_dontaudit_use_console(brctl_t) - + -miscfiles_read_localization(brctl_t) - optional_policy(` - xen_append_log(brctl_t) - xen_dontaudit_rw_unix_stream_sockets(brctl_t) + xen_append_log(brctl_t) + xen_dontaudit_rw_unix_stream_sockets(brctl_t) diff --git a/brltty.fc b/brltty.fc new file mode 100644 index 000000000..05e352897 @@ -11575,7 +11575,7 @@ index fce0b6ebf..9efceac4e 100644 -/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) +/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_content_t,s0) +/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:bugzilla_script_exec_t,s0) - + -/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:bugzilla_rw_content_t,s0) diff --git a/bugzilla.if b/bugzilla.if @@ -11585,28 +11585,28 @@ index 1b22262d5..d9ea246a1 100644 
@@ -12,10 +12,10 @@ # interface(`bugzilla_search_content',` - gen_require(` + gen_require(` - type httpd_bugzilla_content_t; + type bugzilla_content_t; - ') - + ') + - allow $1 httpd_bugzilla_content_t:dir search_dir_perms; + allow $1 bugzilla_content_t:dir search_dir_perms; ') - + ######################################## @@ -32,10 +32,10 @@ interface(`bugzilla_search_content',` # interface(`bugzilla_dontaudit_rw_stream_sockets',` - gen_require(` + gen_require(` - type httpd_bugzilla_script_t; + type bugzilla_script_t; - ') - + ') + - dontaudit $1 httpd_bugzilla_script_t:unix_stream_socket { read write }; + dontaudit $1 bugzilla_script_t:unix_stream_socket { read write }; ') - + ######################################## @@ -48,33 +48,37 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',` ## Domain allowed access. @@ -11620,7 +11620,7 @@ index 1b22262d5..d9ea246a1 100644 -## # interface(`bugzilla_admin',` - gen_require(` + gen_require(` - type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t; - type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t; - type httpd_bugzilla_htaccess_t; @@ -11634,13 +11634,13 @@ index 1b22262d5..d9ea246a1 100644 + + tunable_policy(`deny_ptrace',`',` + allow $1 bugzilla_script_t:process ptrace; - ') - + ') + - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; - ps_process_pattern($1, httpd_bugzilla_script_t) + files_list_tmp($1) + admin_pattern($1, bugzilla_tmp_t) - + - files_search_usr($1) - admin_pattern($1, httpd_bugzilla_script_exec_t) - admin_pattern($1, httpd_bugzilla_script_t) 
@@ -11654,12 +11654,12 @@ index 1b22262d5..d9ea246a1 100644 + admin_pattern($1, bugzilla_content_t) + admin_pattern($1, bugzilla_htaccess_t) + admin_pattern($1, bugzilla_ra_content_t) - - files_search_tmp($1) - files_search_var_lib($1) + + files_search_tmp($1) + files_search_var_lib($1) - admin_pattern($1, httpd_bugzilla_rw_content_t) + admin_pattern($1, bugzilla_rw_content_t) - + - apache_list_sys_content($1) + optional_policy(` + apache_list_sys_content($1) @@ -11671,18 +11671,18 @@ index 18623e39e..c62f617e1 100644 +++ b/bugzilla.te @@ -6,42 +6,55 @@ policy_module(bugzilla, 1.1.0) # - + apache_content_template(bugzilla) +apache_content_alias_template(bugzilla, bugzilla) + +type bugzilla_tmp_t alias httpd_bugzilla_tmp_t; +files_tmp_file(bugzilla_tmp_t) - + ######################################## # # Local policy # - + -allow httpd_bugzilla_script_t self:tcp_socket { accept listen }; +allow bugzilla_script_t self:tcp_socket { accept listen }; + 
@@ -11701,43 +11701,43 @@ index 18623e39e..c62f617e1 100644 +manage_dirs_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t) +manage_files_pattern(bugzilla_script_t, bugzilla_tmp_t, bugzilla_tmp_t) +files_tmp_filetrans(bugzilla_script_t, bugzilla_tmp_t, { file dir }) - + -corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t) -corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t) +files_search_var_lib(bugzilla_script_t) - + -corenet_sendrecv_http_client_packets(httpd_bugzilla_script_t) -corenet_tcp_connect_http_port(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_http_port(httpd_bugzilla_script_t) +auth_read_passwd(bugzilla_script_t) - + -corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t) -corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t) -corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t) +dev_read_sysfs(bugzilla_script_t) - + -files_search_var_lib(httpd_bugzilla_script_t) +sysnet_read_config(bugzilla_script_t) +sysnet_use_ldap(bugzilla_script_t) - + -sysnet_dns_name_resolve(httpd_bugzilla_script_t) -sysnet_use_ldap(httpd_bugzilla_script_t) +miscfiles_read_certs(bugzilla_script_t) - + optional_policy(` - mta_send_mail(httpd_bugzilla_script_t) + mta_send_mail(bugzilla_script_t) ') - + optional_policy(` - mysql_stream_connect(httpd_bugzilla_script_t) - mysql_tcp_connect(httpd_bugzilla_script_t) + mysql_stream_connect(bugzilla_script_t) + mysql_tcp_connect(bugzilla_script_t) ') - + optional_policy(` - postgresql_stream_connect(httpd_bugzilla_script_t) - postgresql_tcp_connect(httpd_bugzilla_script_t) 
@@ -11983,16 +11983,16 @@ index 648c7902b..aa03fc8ae 100644 +# MCS categories: + +/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0) - + /sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) - + /usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0) - + -/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0) +/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) + +/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0) - + -/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0) +/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0) diff --git a/cachefilesd.if b/cachefilesd.if @@ -12018,7 +12018,7 @@ index 8de2ab9c5..3b419455f 100644 +# Define the policy interface for the CacheFiles userspace management daemon. +# +## policy for cachefilesd - + ######################################## ## -## All of the rules required to @@ -12040,12 +12040,12 @@ index 8de2ab9c5..3b419455f 100644 # -interface(`cachefilesd_admin',` +interface(`cachefilesd_domtrans',` - gen_require(` + gen_require(` - type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t; - type cachefilesd_var_run_t; + type cachefilesd_t, cachefilesd_exec_t; - ') - + ') + - allow $1 cachefilesd_t:process { ptrace signal_perms }; - ps_process_pattern($1, cachefilesd_t) - @@ -12067,13 +12067,13 @@ index a3760bc92..22ed920b7 100644 +++ b/cachefilesd.te @@ -1,52 +1,125 @@ policy_module(cachefilesd, 1.1.0) - + -######################################## +############################################################################### # # Declarations # - + +# +# Files in the cache are created by the cachefiles module with security ID +# cachefiles_var_t 
@@ -12093,7 +12093,7 @@ index a3760bc92..22ed920b7 100644 type cachefilesd_t; type cachefilesd_exec_t; init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) - + -type cachefilesd_initrc_exec_t; -init_script_file(cachefilesd_initrc_exec_t) - @@ -12105,7 +12105,7 @@ index a3760bc92..22ed920b7 100644 +# type cachefilesd_var_run_t; files_pid_file(cachefilesd_var_run_t) - + -######################################## # -# Local policy @@ -12124,7 +12124,7 @@ index a3760bc92..22ed920b7 100644 +optional_policy(` + rpm_use_script_fds(cachefilesd_t) +') - + -allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; +############################################################################### +# 
@@ -12140,36 +12140,36 @@ index a3760bc92..22ed920b7 100644 +# +allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search dac_override }; +allow cachefilesd_t self:process signal_perms; - + +# Allow manipulation of pid file +allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) +manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) +files_create_as_is_all_files(cachefilesd_t) - + -manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) -manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t) - -dev_rw_cachefiles(cachefilesd_t) +# Allow access to cachefiles device file +allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; - + -files_create_all_files_as(cachefilesd_t) -files_read_etc_files(cachefilesd_t) +# Allow access to cache superstructure +manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t) +manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t) - + +# Permit statfs on the backing filesystem fs_getattr_xattr_fs(cachefilesd_t) - + +# Basic access +logging_send_syslog_msg(cachefilesd_t) +init_dontaudit_use_script_ptys(cachefilesd_t) term_dontaudit_use_generic_ptys(cachefilesd_t) term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) - + -logging_send_syslog_msg(cachefilesd_t) +############################################################################### +# @@ -12183,7 +12183,7 @@ index a3760bc92..22ed920b7 100644 +# as set by the 'secctx' command in /etc/cachefilesd.conf, and +# +allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override }; - + -miscfiles_read_localization(cachefilesd_t) +# +# (2) the label that will be assigned to new files and directories created in 
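Review bot: `allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;` is subsumed by the `manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)` kept on the next line and can be dropped. The broader concern is `files_create_as_is_all_files(cachefilesd_t)`, which grants create_files_as against every file type, while the new declarations comment earlier in this file says cache objects are created as cachefiles_var_t and hunk 12191 adds the narrow `allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };`; if the narrow rule is what the module needs, the all-files grant should go, and if it is not, a comment should name which other labels the kernel side has to create. The rationale block that follows in hunk 12183 and 12191 is a good place for that sentence.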
@@ -12191,7 +12191,7 @@ index a3760bc92..22ed920b7 100644 +# directory pointed to by the 'dir' command. +# +allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as }; - + -init_dontaudit_use_script_ptys(cachefilesd_t) +############################################################################### +# @@ -12201,7 +12201,7 @@ index a3760bc92..22ed920b7 100644 +# cache. +# +allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; - + -optional_policy(` - rpm_use_script_fds(cachefilesd_t) -') @@ -12218,14 +12218,14 @@ index cd9c52871..ba793b748 100644 --- a/calamaris.if +++ b/calamaris.if @@ -42,7 +42,7 @@ interface(`calamaris_run',` - attribute_role calamaris_roles; - ') - + attribute_role calamaris_roles; + ') + - lightsquid_domtrans($1) + calamaris_domtrans($1) - roleattribute $2 calamaris_roles; + roleattribute $2 calamaris_roles; ') - + diff --git a/calamaris.te b/calamaris.te index 7e574604b..8d8cd78e5 100644 --- a/calamaris.te @@ -12233,16 +12233,16 @@ index 7e574604b..8d8cd78e5 100644 @@ -23,7 +23,7 @@ files_type(calamaris_www_t) # Local policy # - + -allow calamaris_t self:capability dac_override; +allow calamaris_t self:capability { dac_read_search dac_override }; allow calamaris_t self:process { signal_perms setsched }; allow calamaris_t self:fifo_file rw_fifo_file_perms; allow calamaris_t self:unix_stream_socket { accept listen }; @@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t) - + corecmd_exec_bin(calamaris_t) - + +corenet_all_recvfrom_netlabel(calamaris_t) +corenet_tcp_sendrecv_generic_if(calamaris_t) +corenet_udp_sendrecv_generic_if(calamaris_t) 
@@ -12252,50 +12252,50 @@ index 7e574604b..8d8cd78e5 100644 +corenet_udp_sendrecv_all_ports(calamaris_t) + dev_read_urand(calamaris_t) - + -files_read_usr_files(calamaris_t) +files_search_pids(calamaris_t) files_read_etc_runtime_files(calamaris_t) - + -libs_read_lib_files(calamaris_t) - auth_use_nsswitch(calamaris_t) - + logging_send_syslog_msg(calamaris_t) - + -miscfiles_read_localization(calamaris_t) - userdom_dontaudit_list_user_home_dirs(calamaris_t) - + optional_policy(` diff --git a/callweaver.te b/callweaver.te index 0e5be4cdf..b9a407f90 100644 --- a/callweaver.te +++ b/callweaver.te @@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t) - + auth_use_nsswitch(callweaver_t) - + -miscfiles_read_localization(callweaver_t) diff --git a/canna.if b/canna.if index 400db07a2..f416e22a7 100644 --- a/canna.if +++ b/canna.if @@ -43,9 +43,13 @@ interface(`canna_admin',` - type canna_var_run_t, canna_initrc_exec_t; - ') - + type canna_var_run_t, canna_initrc_exec_t; + ') + - allow $1 canna_t:process { ptrace signal_perms }; + allow $1 canna_t:process signal_perms; - ps_process_pattern($1, canna_t) - + ps_process_pattern($1, canna_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 canna_t:process ptrace; + ') + - init_labeled_script_domtrans($1, canna_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 canna_initrc_exec_t system_r; + init_labeled_script_domtrans($1, canna_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 canna_initrc_exec_t system_r; diff --git a/canna.te b/canna.te index 9fe61621f..5c505e7de 100644 --- a/canna.te @@ -12303,67 +12303,67 @@ index 9fe61621f..5c505e7de 100644 @@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file }) kernel_read_kernel_sysctls(canna_t) kernel_read_system_state(canna_t) - + -corenet_all_recvfrom_unlabeled(canna_t) corenet_all_recvfrom_netlabel(canna_t) corenet_tcp_sendrecv_generic_if(canna_t) corenet_tcp_sendrecv_generic_node(canna_t) 
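Review bot: `corenet_udp_sendrecv_all_ports(calamaris_t)` (together with the generic_if interfaces added at the end of hunk 12233) opens every UDP port for a log analyser whose other rules in this section suggest it only needs name lookups; `auth_use_nsswitch(calamaris_t)` is already among the context lines and, in refpolicy, pulls in the resolver ports. If a specific service port is really required, the per-port `corenet_udp_sendrecv_*_port` form would be the narrower choice, and either way a one-line comment naming the use case above the corenet block would make the grant reviewable.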
@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t) - + domain_use_interactive_fds(canna_t) - + -files_read_etc_files(canna_t) files_read_etc_runtime_files(canna_t) -files_read_usr_files(canna_t) files_search_tmp(canna_t) files_dontaudit_read_root_files(canna_t) - + -logging_send_syslog_msg(canna_t) +auth_use_nsswitch(canna_t) - + -miscfiles_read_localization(canna_t) +logging_send_syslog_msg(canna_t) - + sysnet_read_config(canna_t) - + diff --git a/ccs.if b/ccs.if index 5ded72d37..cb94e5ea7 100644 --- a/ccs.if +++ b/ccs.if @@ -98,20 +98,24 @@ interface(`ccs_manage_config',` interface(`ccs_admin',` - gen_require(` - type ccs_t, ccs_initrc_exec_t, cluster_conf_t; + gen_require(` + type ccs_t, ccs_initrc_exec_t, cluster_conf_t; - type ccs_var_lib_t_t, ccs_var_log_t; + type ccs_var_lib_t, ccs_var_log_t; - type ccs_var_run_t, ccs_tmp_t; - ') - + type ccs_var_run_t, ccs_tmp_t; + ') + - allow $1 ccs_t:process { ptrace signal_perms }; + allow $1 ccs_t:process { signal_perms }; - ps_process_pattern($1, ccs_t) - + ps_process_pattern($1, ccs_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 ccs_t:process ptrace; + ') + - init_labeled_script_domtrans($1, ccs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ccs_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) + init_labeled_script_domtrans($1, ccs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ccs_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) - admin_pattern($1, ccs_conf_t) + admin_pattern($1, cluster_conf_t) - - files_search_var_lib($1) - admin_pattern($1, ccs_var_lib_t) + + files_search_var_lib($1) + admin_pattern($1, ccs_var_lib_t) diff --git a/ccs.te b/ccs.te index 658134d8a..58deeceaa 100644 --- a/ccs.te +++ b/ccs.te 
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t) - + allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; allow ccs_t self:process { signal setrlimit setsched }; -dontaudit ccs_t self:process ptrace; @@ -12374,52 +12374,52 @@ index 658134d8a..58deeceaa 100644 @@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t) corecmd_list_bin(ccs_t) corecmd_exec_bin(ccs_t) - + -corenet_all_recvfrom_unlabeled(ccs_t) corenet_all_recvfrom_netlabel(ccs_t) corenet_tcp_sendrecv_generic_if(ccs_t) corenet_udp_sendrecv_generic_if(ccs_t) @@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t) - + dev_read_urand(ccs_t) - + -files_read_etc_files(ccs_t) files_read_etc_runtime_files(ccs_t) - + init_rw_script_tmp_files(ccs_t) +init_signal(ccs_t) - + logging_send_syslog_msg(ccs_t) - + -miscfiles_read_localization(ccs_t) - sysnet_dns_name_resolve(ccs_t) - + userdom_manage_unpriv_user_shared_mem(ccs_t) @@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',` ') - + optional_policy(` - aisexec_stream_connect(ccs_t) - corosync_stream_connect(ccs_t) + rhcs_stream_connect_cluster(ccs_t) ') - + optional_policy(` diff --git a/cdrecord.if b/cdrecord.if index fbc20f694..4de4a005c 100644 --- a/cdrecord.if +++ b/cdrecord.if @@ -27,6 +27,9 @@ interface(`cdrecord_role',` - - allow cdrecord_t $2:unix_stream_socket rw_socket_perms; - + + allow cdrecord_t $2:unix_stream_socket rw_socket_perms; + - allow $2 cdrecord_t:process { ptrace signal_perms }; + allow $2 cdrecord_t:process signal_perms; + tunable_policy(`deny_ptrace',`',` + allow $2 cdrecord_t:process ptrace; + ') - ps_process_pattern($2, cdrecord_t) + ps_process_pattern($2, cdrecord_t) ') diff --git a/cdrecord.te b/cdrecord.te index 16883c9c3..97e9a429e 100644 @@ -12428,83 +12428,83 @@ index 16883c9c3..97e9a429e 100644 
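Review bot: `allow $1 ccs_t:process { signal_perms };` wraps a single macro in braces, whereas the parallel lines this same patch writes in canna.if and certmaster.if use bare `signal_perms`; keep one form across the admin interfaces. The renames in the same hunk, `ccs_var_lib_t_t` to `ccs_var_lib_t` and `ccs_conf_t` to `cluster_conf_t`, fix names that would not have resolved, which is the more important part of the change.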
@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t; # Local policy # - + -allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; +allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search dac_override sys_rawio }; allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill }; allow cdrecord_t self:unix_stream_socket { accept listen }; - + @@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t) domain_interactive_fd(cdrecord_t) domain_use_interactive_fds(cdrecord_t) - + -files_read_etc_files(cdrecord_t) - term_use_controlling_term(cdrecord_t) term_list_ptys(cdrecord_t) - + @@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t) - + logging_send_syslog_msg(cdrecord_t) - + -miscfiles_read_localization(cdrecord_t) - -userdom_use_user_terminals(cdrecord_t) -userdom_read_user_home_content_files(cdrecord_t) +userdom_use_inherited_user_terminals(cdrecord_t) - + tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` - fs_list_auto_mountpoints(cdrecord_t) + fs_list_auto_mountpoints(cdrecord_t) @@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',` - userdom_dontaudit_read_user_home_content_files(cdrecord_t) + userdom_dontaudit_read_user_home_content_files(cdrecord_t) ') - + -tunable_policy(`use_nfs_home_dirs',` - files_search_mnt(cdrecord_t) - fs_read_nfs_files(cdrecord_t) - fs_read_nfs_symlinks(cdrecord_t) -') +userdom_home_manager(cdrecord_t) - + optional_policy(` - resmgr_stream_connect(cdrecord_t) + resmgr_stream_connect(cdrecord_t) diff --git a/certmaster.if b/certmaster.if index 0c53b189b..ef29f6e6c 100644 --- a/certmaster.if +++ b/certmaster.if 
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',` interface(`certmaster_admin',` - gen_require(` - type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; + gen_require(` + type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; - type certmaster_etc_rw_t, certmaster_var_log_t; - type certmaster_initrc_exec_t; + type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; - ') - + ') + - allow $1 certmaster_t:process { ptrace signal_perms }; + allow $1 certmaster_t:process signal_perms; - ps_process_pattern($1, certmaster_t) - + ps_process_pattern($1, certmaster_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 certmaster_t:process ptrace; + ') + - init_labeled_script_domtrans($1, certmaster_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 certmaster_initrc_exec_t system_r; + init_labeled_script_domtrans($1, certmaster_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 certmaster_initrc_exec_t system_r; diff --git a/certmaster.te b/certmaster.te index 4a878730b..113f3b32f 100644 --- a/certmaster.te +++ b/certmaster.te @@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t) dev_read_urand(certmaster_t) - + files_list_var(certmaster_t) -files_search_etc(certmaster_t) -files_read_usr_files(certmaster_t) - + auth_use_nsswitch(certmaster_t) - + -miscfiles_read_localization(certmaster_t) miscfiles_manage_generic_cert_dirs(certmaster_t) miscfiles_manage_generic_cert_files(certmaster_t) 
@@ -12519,41 +12519,41 @@ index ed298d8b6..c88764838 100644 +/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0) + /etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) - + /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) - + +/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0) + /var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0) - + /var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0) diff --git a/certmonger.if b/certmonger.if index 008f8ef26..144c0740a 100644 --- a/certmonger.if +++ b/certmonger.if @@ -160,16 +160,20 @@ interface(`certmonger_admin',` - ') - - ps_process_pattern($1, certmonger_t) + ') + + ps_process_pattern($1, certmonger_t) - allow $1 certmonger_t:process { ptrace signal_perms }; + allow $1 certmonger_t:process signal_perms; + + tunable_policy(`deny_ptrace',`',` + allow $1 certmonger_t:process ptrace; + ') - - certmonger_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 certmonger_initrc_exec_t system_r; - allow $2 system_r; - + + certmonger_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 certmonger_initrc_exec_t system_r; + allow $2 system_r; + - files_search_var_lib($1) + files_list_var_lib($1) - admin_pattern($1, certmonger_var_lib_t) - + admin_pattern($1, certmonger_var_lib_t) + - files_search_pids($1) + files_list_pids($1) - admin_pattern($1, certmonger_var_run_t) + admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te index 550b287ce..5c59aedd6 100644 @@ -12562,7 +12562,7 @@ index 550b287ce..5c59aedd6 100644 @@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) type certmonger_var_run_t; files_pid_file(certmonger_var_run_t) - + +type certmonger_unconfined_exec_t; +application_executable_file(certmonger_unconfined_exec_t) + 
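Review bot: `/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)` has no file-class field, so the directory itself and any non-executable file later dropped under it also receive the unconfined exec type, unlike `/usr/sbin/certmonger --` in the same file, which is restricted to regular files. Consider `/usr/lib/ipa/certmonger/.* -- gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)` for the helpers and leaving the directory with the default label, unless the directory must carry the type. Hunk 12562 only declares the type via application_executable_file; whatever transition consumes it is outside these hunks.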
@@ -12573,7 +12573,7 @@ index 550b287ce..5c59aedd6 100644 # # Local policy # - + -allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; +allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice }; dontaudit certmonger_t self:capability sys_tty_config; @@ -12587,19 +12587,19 @@ index 550b287ce..5c59aedd6 100644 +allow certmonger_t self:unix_stream_socket create_stream_socket_perms; +allow certmonger_t self:tcp_socket create_stream_socket_perms; +allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; - + manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) @@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) - + kernel_read_kernel_sysctls(certmonger_t) kernel_read_system_state(certmonger_t) +kernel_read_network_state(certmonger_t) - + corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) @@ -49,17 +58,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) - + corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) + @@ -12610,29 +12610,29 @@ index 550b287ce..5c59aedd6 100644 + +corenet_tcp_connect_pki_ca_port(certmonger_t) corenet_tcp_sendrecv_certmaster_port(certmonger_t) - + corecmd_exec_bin(certmonger_t) corecmd_exec_shell(certmonger_t) - + +dev_read_rand(certmonger_t) dev_read_urand(certmonger_t) - + domain_use_interactive_fds(certmonger_t) - + -files_read_usr_files(certmonger_t) files_list_tmp(certmonger_t) +files_list_home(certmonger_t) - + fs_search_cgroup_dirs(certmonger_t) - + 
@@ -68,18 +85,26 @@ auth_rw_cache(certmonger_t) - + init_getattr_all_script_files(certmonger_t) - + +libs_exec_ldconfig(certmonger_t) + logging_send_syslog_msg(certmonger_t) - + -miscfiles_read_localization(certmonger_t) -miscfiles_manage_generic_cert_files(certmonger_t) +miscfiles_manage_all_certs(certmonger_t) @@ -12642,23 +12642,23 @@ index 550b287ce..5c59aedd6 100644 +systemd_start_systemd_services(certmonger_t) +systemd_status_all_unit_files(certmonger_t) + - + userdom_search_user_home_content(certmonger_t) +userdom_write_user_tmp_dirs(certmonger_t) - + optional_policy(` - apache_initrc_domtrans(certmonger_t) - apache_search_config(certmonger_t) + apache_read_config(certmonger_t) - apache_signal(certmonger_t) - apache_signull(certmonger_t) + apache_signal(certmonger_t) + apache_signull(certmonger_t) + apache_systemctl(certmonger_t) ') - + optional_policy(` @@ -92,11 +117,77 @@ optional_policy(` ') - + optional_policy(` - kerberos_read_keytab(certmonger_t) + dirsrv_manage_config(certmonger_t) @@ -12675,7 +12675,7 @@ index 550b287ce..5c59aedd6 100644 +') + +optional_policy(` - kerberos_use(certmonger_t) + kerberos_use(certmonger_t) + kerberos_read_keytab(certmonger_t) + kerberos_manage_kdc_config(certmonger_t) + kerberos_filetrans_named_content(certmonger_t) @@ -12684,10 +12684,10 @@ index 550b287ce..5c59aedd6 100644 +optional_policy(` + mta_send_mail(certmonger_t) ') - + optional_policy(` - pcscd_read_pid_files(certmonger_t) - pcscd_stream_connect(certmonger_t) + pcscd_read_pid_files(certmonger_t) + pcscd_stream_connect(certmonger_t) ') + +optional_policy(` @@ -12742,56 +12742,56 @@ index 171fafb99..69d01f6fa 100644 
@@ -18,34 +18,47 @@ role certwatch_roles types certwatch_t; # Local policy # - + -allow certwatch_t self:capability sys_nice; +allow certwatch_t self:capability { dac_read_search dac_override sys_nice }; allow certwatch_t self:process { setsched getsched }; +allow certwatch_t self:tcp_socket create_stream_socket_perms; - + +kernel_read_system_state(certwatch_t) + +corecmd_exec_bin(certwatch_t) + +dev_read_rand(certwatch_t) dev_read_urand(certwatch_t) - + -files_read_etc_files(certwatch_t) -files_read_usr_files(certwatch_t) files_read_usr_symlinks(certwatch_t) files_list_tmp(certwatch_t) - + fs_list_inotifyfs(certwatch_t) - + auth_manage_cache(certwatch_t) +auth_read_passwd(certwatch_t) auth_var_filetrans_cache(certwatch_t) - + logging_send_syslog_msg(certwatch_t) - + miscfiles_read_all_certs(certwatch_t) -miscfiles_read_localization(certwatch_t) +miscfiles_manage_generic_cert_dirs(certwatch_t) +miscfiles_map_generic_certs(certwatch_t) + +sysnet_read_config(certwatch_t) - + -userdom_use_user_terminals(certwatch_t) -userdom_dontaudit_list_user_home_dirs(certwatch_t) +userdom_use_inherited_user_terminals(certwatch_t) +userdom_dontaudit_list_admin_dir(certwatch_t) - + optional_policy(` + apache_domtrans(certwatch_t) - apache_exec_modules(certwatch_t) - apache_read_config(certwatch_t) + apache_exec_modules(certwatch_t) + apache_read_config(certwatch_t) ') - + +optional_policy(` + mta_send_mail(certwatch_t) +') + optional_policy(` - cron_system_entry(certwatch_t, certwatch_exec_t) + cron_system_entry(certwatch_t, certwatch_exec_t) ') diff --git a/cfengine.if b/cfengine.if index a7311229f..5279d4e3a 100644 @@ -12799,19 +12799,19 @@ index a7311229f..5279d4e3a 100644 +++ b/cfengine.if @@ -13,7 +13,6 @@ template(`cfengine_domain_template',` - gen_require(` - attribute cfengine_domain; + gen_require(` + attribute cfengine_domain; - type cfengine_log_t, cfengine_var_lib_t; - ') - - ######################################## + ') + + ######################################## 
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',` - # Policy - # - + # Policy + # + + kernel_read_system_state(cfengine_$1_t) + - auth_use_nsswitch(cfengine_$1_t) + auth_use_nsswitch(cfengine_$1_t) + + logging_send_syslog_msg(cfengine_$1_t) +') @@ -12833,12 +12833,12 @@ index a7311229f..5279d4e3a 100644 + + allow $1 cfengine_var_lib_t:dir search_dir_perms; ') - + ######################################## @@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',` - dontaudit $1 cfengine_var_log_t:file write_file_perms; + dontaudit $1 cfengine_var_log_t:file write_file_perms; ') - + +##################################### +## +## Allow the specified domain to append cfengine's log files. @@ -12880,17 +12880,17 @@ index a7311229f..5279d4e3a 100644 ## ## All of the rules required to @@ -94,7 +152,7 @@ interface(`cfengine_admin',` - type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t; - ') - + type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t; + ') + - allow $1 cfengine_domain:process { ptrace signal_perms }; + allow $1 cfengine_domain:process { signal_perms }; - ps_process_pattern($1, cfengine_domain) - - init_labeled_script_domtrans($1, cfengine_initrc_exec_t) + ps_process_pattern($1, cfengine_domain) + + init_labeled_script_domtrans($1, cfengine_initrc_exec_t) @@ -105,3 +163,4 @@ interface(`cfengine_admin',` - files_search_var_lib($1) - admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) + files_search_var_lib($1) + admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) ') + diff --git a/cfengine.te b/cfengine.te @@ -12900,31 +12900,31 @@ index fbe3ad955..21ab8e176 100644 
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t) logging_log_filetrans(cfengine_domain, cfengine_log_t, dir) - + -kernel_read_system_state(cfengine_domain) - corecmd_exec_bin(cfengine_domain) corecmd_exec_shell(cfengine_domain) - + dev_read_urand(cfengine_domain) dev_read_sysfs(cfengine_domain) - + -logging_send_syslog_msg(cfengine_domain) - -miscfiles_read_localization(cfengine_domain) - +sysnet_dns_name_resolve(cfengine_domain) sysnet_domtrans_ifconfig(cfengine_domain) - + ######################################## @@ -69,7 +64,7 @@ domain_read_all_domains_state(cfengine_execd_t) # Monitord local policy # - + -kernel_read_hotplug_sysctls(cfengine_monitord_t) +kernel_read_usermodehelper_state(cfengine_monitord_t) kernel_read_network_state(cfengine_monitord_t) - + domain_read_all_domains_state(cfengine_monitord_t) diff --git a/cgdcbxd.fc b/cgdcbxd.fc new file mode 100644 @@ -13093,9 +13093,9 @@ index 85ca63f9a..1d1c99c8f 100644 --- a/cgroup.if +++ b/cgroup.if @@ -171,8 +171,26 @@ interface(`cgroup_admin',` - type cgrules_etc_t, cgclear_t; - ') - + type cgrules_etc_t, cgclear_t; + ') + - allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t }) + allow $1 cgclear_t:process signal_perms; @@ -13118,9 +13118,9 @@ index 85ca63f9a..1d1c99c8f 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 cgred_t:process ptrace; + ') - - admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) - files_list_etc($1) + + admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) + files_list_etc($1) diff --git a/cgroup.te b/cgroup.te index 80a88a27a..514eb47f2 100644 --- a/cgroup.te @@ -13128,40 +13128,40 @@ index 80a88a27a..514eb47f2 100644 
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) type cgrules_etc_t; files_config_file(cgrules_etc_t) - + -type cgconfig_t; -type cgconfig_exec_t; +type cgconfig_t alias cgconfigparser_t; +type cgconfig_exec_t alias cgconfigparser_exec_t; init_daemon_domain(cgconfig_t, cgconfig_exec_t) - + type cgconfig_initrc_exec_t; @@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t) - + allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; - + -allow cgclear_t cgconfig_etc_t:file read_file_perms; +read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t) - + kernel_read_system_state(cgclear_t) - + +auth_use_nsswitch(cgclear_t) + domain_setpriority_all_domains(cgclear_t) - + fs_manage_cgroup_dirs(cgclear_t) @@ -57,30 +59,33 @@ fs_unmount_cgroup(cgclear_t) # cgconfig local policy # - + -allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config }; +allow cgconfig_t self:capability { dac_read_search dac_override fowner fsetid chown sys_admin sys_tty_config }; - + allow cgconfig_t cgconfig_etc_t:file read_file_perms; - + kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) - + -files_read_etc_files(cgconfig_t) - fs_manage_cgroup_dirs(cgconfig_t) @@ -13169,7 +13169,7 @@ index 80a88a27a..514eb47f2 100644 fs_mount_cgroup(cgconfig_t) fs_mounton_cgroup(cgconfig_t) fs_unmount_cgroup(cgconfig_t) - + +auth_use_nsswitch(cgconfig_t) + ######################################## 
@@ -13178,30 +13178,30 @@ index 80a88a27a..514eb47f2 100644 # +allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search dac_override sys_ptrace }; +allow cgred_t self:process signal_perms; - + -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; +allow cgred_t self:netlink_connector_socket create_socket_perms; - + +allow cgred_t cgconfig_etc_t:file read_file_perms; allow cgred_t cgrules_etc_t:file read_file_perms; - + allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; @@ -99,10 +104,11 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) -files_read_etc_files(cgred_t) - + -fs_write_cgroup_files(cgred_t) +fs_manage_cgroup_dirs(cgred_t) +fs_manage_cgroup_files(cgred_t) +fs_list_inotifyfs(cgred_t) - + -logging_send_syslog_msg(cgred_t) +auth_use_nsswitch(cgred_t) - + -miscfiles_read_localization(cgred_t) +logging_send_syslog_msg(cgred_t) diff --git a/chrome.fc b/chrome.fc @@ -13634,20 +13634,20 @@ index 4e4143ed8..940434abe 100644 
@@ -1,13 +1,20 @@ -/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0) +/etc/chrony\.keys.* -- gen_context(system_u:object_r:chronyd_keys_t,s0) - + /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) - + +/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0) + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) +/usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) + +/usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) - + /var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0) - + /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) - + -/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chronyd(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0) @@ -13659,9 +13659,9 @@ index 32e8265c2..ffebaf512 100644 --- a/chronyd.if +++ b/chronyd.if @@ -57,6 +57,24 @@ interface(`chronyd_exec',` - can_exec($1, chronyd_exec_t) + can_exec($1, chronyd_exec_t) ') - + +######################################## +## +## Send generic signals to chronyd. @@ -13684,7 +13684,7 @@ index 32e8265c2..ffebaf512 100644 ## ## Read chronyd log files. @@ -100,8 +118,7 @@ interface(`chronyd_rw_shm',` - + ######################################## ## -## Connect to chronyd using a unix @@ -13699,16 +13699,16 @@ index 32e8265c2..ffebaf512 100644 # -interface(`chronyd_stream_connect',` +interface(`chronyd_read_keys',` - gen_require(` + gen_require(` - type chronyd_t, chronyd_var_run_t; + type chronyd_keys_t; - ') - + ') + - files_search_pids($1) - stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) + read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) ') - + ######################################## ## -## Send to chronyd using a unix domain 
@@ -13766,15 +13766,15 @@ index 32e8265c2..ffebaf512 100644 +## +# +interface(`chronyd_stream_connect',` - gen_require(` - type chronyd_t, chronyd_var_run_t; - ') - - files_search_pids($1) + gen_require(` + type chronyd_t, chronyd_var_run_t; + ') + + files_search_pids($1) - dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) + stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ') - + ######################################## ## -## Read chronyd key files. @@ -13789,59 +13789,59 @@ index 32e8265c2..ffebaf512 100644 # -interface(`chronyd_read_key_files',` +interface(`chronyd_dgram_send',` - gen_require(` + gen_require(` - type chronyd_keys_t; + type chronyd_t, chronyd_var_run_t; - ') - + ') + - files_search_etc($1) - read_files_pattern($1, chronyd_keys_t, chronyd_keys_t) + files_search_pids($1) + dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) ') - + #################################### 
@@ -176,28 +235,81 @@ interface(`chronyd_read_key_files',` # interface(`chronyd_admin',` - gen_require(` + gen_require(` - type chronyd_t, chronyd_var_log_t; - type chronyd_var_run_t, chronyd_var_lib_t; - type chronyd_initrc_exec_t, chronyd_keys_t; + type chronyd_t, chronyd_var_log_t, chronyd_var_run_t; + type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t; + type chronyd_keys_t, chronyd_unit_file_t; - ') - + ') + - allow $1 chronyd_t:process { ptrace signal_perms }; + allow $1 chronyd_t:process signal_perms; - ps_process_pattern($1, chronyd_t) - + ps_process_pattern($1, chronyd_t) + - chronyd_initrc_domtrans($1) + tunable_policy(`deny_ptrace',`',` + allow $1 chronyd_t:process ptrace; + ') + + init_labeled_script_domtrans($1, chronyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 chronyd_initrc_exec_t system_r; - allow $2 system_r; - + domain_system_change_exemption($1) + role_transition $2 chronyd_initrc_exec_t system_r; + allow $2 system_r; + - files_search_etc($1) + files_list_etc($1) - admin_pattern($1, chronyd_keys_t) - + admin_pattern($1, chronyd_keys_t) + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, chronyd_var_log_t) - + admin_pattern($1, chronyd_var_log_t) + - files_search_var_lib($1) + files_list_var_lib($1) - admin_pattern($1, chronyd_var_lib_t) - + admin_pattern($1, chronyd_var_lib_t) + - files_search_pids($1) + files_list_pids($1) - admin_pattern($1, chronyd_var_run_t) + admin_pattern($1, chronyd_var_run_t) + + admin_pattern($1, chronyd_tmpfs_t) + @@ -13899,7 +13899,7 @@ index e5b621c29..6ba55b0a4 100644 @@ -5,6 +5,9 @@ policy_module(chronyd, 1.2.0) # Declarations # - + +attribute_role chronyc_roles; +roleattribute system_r chronyc_roles; + @@ -13909,17 +13909,17 @@ index e5b621c29..6ba55b0a4 100644 
@@ -18,6 +21,9 @@ files_type(chronyd_keys_t) type chronyd_tmpfs_t; files_tmpfs_file(chronyd_tmpfs_t) - + +type chronyd_unit_file_t; +systemd_unit_file(chronyd_unit_file_t) + type chronyd_var_lib_t; files_type(chronyd_var_lib_t) - + @@ -27,21 +33,40 @@ logging_log_file(chronyd_var_log_t) type chronyd_var_run_t; files_pid_file(chronyd_var_run_t) - + +type chronyd_tmp_t; +files_tmp_file(chronyd_tmp_t) + @@ -13933,7 +13933,7 @@ index e5b621c29..6ba55b0a4 100644 # # Local policy # - + -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -allow chronyd_t self:process { getcap setcap setrlimit signal }; +allow chronyd_t self:capability { dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown net_admin }; @@ -13943,11 +13943,11 @@ index e5b621c29..6ba55b0a4 100644 +allow chronyd_t self:udp_socket create_socket_perms; +allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto }; allow chronyd_t self:fifo_file rw_fifo_file_perms; - + +allow chronyd_t chronyd_keys_t:file append_file_perms; +allow chronyd_t chronyd_keys_t:file setattr_file_perms; allow chronyd_t chronyd_keys_t:file read_file_perms; - + +allow chronyd_t chronyc_t:unix_dgram_socket sendto; + +allow chronyd_t chronyc_exec_t:file mmap_file_perms; @@ -13956,11 +13956,11 @@ index e5b621c29..6ba55b0a4 100644 manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) +allow chronyd_t chronyd_tmpfs_t:file map; - + manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) @@ -61,6 +86,11 @@ files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file }) - + kernel_read_system_state(chronyd_t) kernel_read_network_state(chronyd_t) +kernel_request_load_module(chronyd_t) 
@@ -13968,13 +13968,13 @@ index e5b621c29..6ba55b0a4 100644 +can_exec(chronyd_t,chronyc_exec_t) + +clock_read_adjtime(chronyd_t) - + corenet_all_recvfrom_unlabeled(chronyd_t) corenet_all_recvfrom_netlabel(chronyd_t) @@ -76,18 +106,85 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) - + +domain_dontaudit_getsession_all_domains(chronyd_t) + +dev_read_rand(chronyd_t) @@ -13982,13 +13982,13 @@ index e5b621c29..6ba55b0a4 100644 +dev_read_sysfs(chronyd_t) + dev_rw_realtime_clock(chronyd_t) - + auth_use_nsswitch(chronyd_t) - + +corecmd_exec_bin(chronyd_t) + logging_send_syslog_msg(chronyd_t) - + -miscfiles_read_localization(chronyd_t) +mta_send_mail(chronyd_t) + @@ -13997,11 +13997,11 @@ index e5b621c29..6ba55b0a4 100644 +systemd_exec_systemctl(chronyd_t) + +userdom_dgram_send(chronyd_t) - + optional_policy(` - gpsd_rw_shm(chronyd_t) + gpsd_rw_shm(chronyd_t) ') - + optional_policy(` - mta_send_mail(chronyd_t) + virt_read_lib_files(chronyd_t) @@ -14067,7 +14067,7 @@ index 000000000..4b318b783 @@ -0,0 +1,16 @@ + +/usr/bin/cinder-api -- gen_context(system_u:object_r:cinder_api_exec_t,s0) -+/usr/bin/cinder-backup -- gen_context(system_u:object_r:cinder_backup_exec_t,s0) ++/usr/bin/cinder-backup -- gen_context(system_u:object_r:cinder_backup_exec_t,s0) +/usr/bin/cinder-scheduler -- gen_context(system_u:object_r:cinder_scheduler_exec_t,s0) +/usr/bin/cinder-volume -- gen_context(system_u:object_r:cinder_volume_exec_t,s0) + @@ -14326,27 +14326,27 @@ index a0aa693d1..af571edbb 100644 @@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t) corecmd_exec_shell(ciped_t) corecmd_exec_bin(ciped_t) - + -corenet_all_recvfrom_unlabeled(ciped_t) corenet_all_recvfrom_netlabel(ciped_t) corenet_udp_sendrecv_generic_if(ciped_t) corenet_udp_sendrecv_generic_node(ciped_t) 
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t) - + domain_use_interactive_fds(ciped_t) - + -files_read_etc_files(ciped_t) files_read_etc_runtime_files(ciped_t) files_dontaudit_search_var(ciped_t) - + @@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t) - + logging_send_syslog_msg(ciped_t) - + -miscfiles_read_localization(ciped_t) - sysnet_read_config(ciped_t) - + userdom_dontaudit_use_unpriv_user_fds(ciped_t) diff --git a/clamav.fc b/clamav.fc index d72afcc31..c53b80dcd 100644 @@ -14355,12 +14355,12 @@ index d72afcc31..c53b80dcd 100644 @@ -6,6 +6,8 @@ /usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0) /usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0) - + +/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0) + /usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0) /usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0) - + diff --git a/clamav.if b/clamav.if index 4cc4a5cd0..a6c632290 100644 --- a/clamav.if @@ -14368,17 +14368,17 @@ index 4cc4a5cd0..a6c632290 100644 @@ -1,4 +1,4 @@ -## ClamAV Virus Scanner. +## ClamAV Virus Scanner - + ######################################## ## @@ -15,14 +15,12 @@ interface(`clamav_domtrans',` - type clamd_t, clamd_exec_t; - ') - + type clamd_t, clamd_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, clamd_exec_t, clamd_t) + domtrans_pattern($1, clamd_exec_t, clamd_t) ') - + ######################################## ## -## Connect to clamd using a unix @@ -14388,7 +14388,7 @@ index 4cc4a5cd0..a6c632290 100644 ## ## @@ -41,7 +39,8 @@ interface(`clamav_stream_connect',` - + ######################################## ## -## Append clamav log files. @@ -14398,9 +14398,9 @@ index 4cc4a5cd0..a6c632290 100644 ## ## 
@@ -59,27 +58,6 @@ interface(`clamav_append_log',` - append_files_pattern($1, clamd_var_log_t, clamd_var_log_t) + append_files_pattern($1, clamd_var_log_t, clamd_var_log_t) ') - + -######################################## -## -## Create, read, write, and delete @@ -14426,7 +14426,7 @@ index 4cc4a5cd0..a6c632290 100644 ## ## Read clamav configuration files. @@ -101,7 +79,7 @@ interface(`clamav_read_config',` - + ######################################## ## -## Search clamav library directories. @@ -14435,13 +14435,13 @@ index 4cc4a5cd0..a6c632290 100644 ## ## @@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',` - type clamscan_t, clamscan_exec_t; - ') - + type clamscan_t, clamscan_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, clamscan_exec_t, clamscan_t) + domtrans_pattern($1, clamscan_exec_t, clamscan_t) ') - + ######################################## ## -## Execute clamscan in the caller domain. @@ -14450,13 +14450,13 @@ index 4cc4a5cd0..a6c632290 100644 ## ## @@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',` - type clamscan_exec_t; - ') - + type clamscan_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, clamscan_exec_t) + can_exec($1, clamscan_exec_t) ') - + -####################################### +######################################## ## @@ -14471,11 +14471,11 @@ index 4cc4a5cd0..a6c632290 100644 # -interface(`clamav_read_state_clamd',` +interface(`clamav_manage_clamd_pid',` - gen_require(` + gen_require(` - type clamd_t; + type clamd_var_run_t; - ') - + ') + - kernel_search_proc($1) - allow $1 clamd_t:dir list_dir_perms; - read_files_pattern($1, clamd_t, clamd_t) @@ -14527,7 +14527,7 @@ index 4cc4a5cd0..a6c632290 100644 + + ps_process_pattern($1, clamd_t) ') - + ######################################## ## -## All of the rules required to @@ -14548,16 +14548,16 @@ index 4cc4a5cd0..a6c632290 100644 ## 
@@ -197,19 +215,36 @@ interface(`clamav_read_state_clamd',` interface(`clamav_admin',` - gen_require(` - type clamd_t, clamd_etc_t, clamd_tmp_t; + gen_require(` + type clamd_t, clamd_etc_t, clamd_tmp_t; - type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t; - type clamd_var_run_t, clamscan_t, clamscan_tmp_t; + type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t; + type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t; - type freshclam_t, freshclam_var_log_t; + type freshclam_t, freshclam_var_log_t; + type clamd_unit_file_t; - ') - + ') + - allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { clamd_t clamscan_t freshclam_t }) + allow $1 clamd_t:process signal_perms; @@ -14574,30 +14574,30 @@ index 4cc4a5cd0..a6c632290 100644 + + allow $1 freshclam_t:process signal_perms; + ps_process_pattern($1, freshclam_t) - - init_labeled_script_domtrans($1, clamd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 clamd_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, clamd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 clamd_initrc_exec_t system_r; + allow $2 system_r; + + clamd_systemctl($1) + admin_pattern($1, clamd_unit_file_t) + allow $1 clamd_unit_file_t:service all_service_perms; + - files_list_etc($1) - admin_pattern($1, clamd_etc_t) - + files_list_etc($1) + admin_pattern($1, clamd_etc_t) + @@ -217,11 +252,21 @@ interface(`clamav_admin',` - admin_pattern($1, clamd_var_lib_t) - - logging_list_logs($1) + admin_pattern($1, clamd_var_lib_t) + + logging_list_logs($1) - admin_pattern($1, { clamd_var_log_t freshclam_var_log_t }) + admin_pattern($1, clamd_var_log_t) - - files_list_pids($1) - admin_pattern($1, clamd_var_run_t) - - files_list_tmp($1) + + files_list_pids($1) + admin_pattern($1, clamd_var_run_t) + + files_list_tmp($1) - admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) + admin_pattern($1, clamd_tmp_t) + 
@@ -14618,17 +14618,17 @@ index ce3836acd..0263671f7 100644 @@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) type clamd_initrc_exec_t; init_script_file(clamd_initrc_exec_t) - + +type clamd_unit_file_t; +systemd_unit_file(clamd_unit_file_t) + type clamd_tmp_t; files_tmp_file(clamd_tmp_t) - + @@ -70,9 +73,10 @@ logging_log_file(freshclam_var_log_t) # Clamd local policy # - + -allow clamd_t self:capability { kill setgid setuid dac_override }; +allow clamd_t self:capability { kill setgid setuid dac_read_search dac_override }; dontaudit clamd_t self:capability sys_tty_config; @@ -14638,25 +14638,25 @@ index ce3836acd..0263671f7 100644 allow clamd_t self:unix_stream_socket { accept connectto listen }; allow clamd_t self:tcp_socket { listen accept }; @@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t) - + corecmd_exec_shell(clamd_t) - + -corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) corenet_tcp_sendrecv_generic_if(clamd_t) corenet_tcp_sendrecv_generic_node(clamd_t) @@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t) - + corenet_sendrecv_generic_client_packets(clamd_t) corenet_tcp_connect_generic_port(clamd_t) +corenet_tcp_connect_clamd_port(clamd_t) - + corenet_sendrecv_clamd_server_packets(clamd_t) corenet_tcp_bind_clamd_port(clamd_t) @@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t) - + logging_send_syslog_msg(clamd_t) - + -miscfiles_read_localization(clamd_t) - -tunable_policy(`clamd_use_jit',` @@ -14666,17 +14666,17 @@ index ce3836acd..0263671f7 100644 -') - optional_policy(` - amavis_read_lib_files(clamd_t) - amavis_read_spool_files(clamd_t) + amavis_read_lib_files(clamd_t) + amavis_read_spool_files(clamd_t) - amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file) + amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file }) - amavis_create_pid_files(clamd_t) + amavis_create_pid_files(clamd_t) ') - + 
@@ -165,12 +161,37 @@ optional_policy(` - mta_send_mail(clamd_t) + mta_send_mail(clamd_t) ') - + +optional_policy(` + spamd_stream_connect(clamd_t) + spamassassin_read_pid_files(clamd_t) @@ -14706,35 +14706,35 @@ index ce3836acd..0263671f7 100644 # # Freshclam local policy # - + -allow freshclam_t self:capability { setgid setuid dac_override }; +allow freshclam_t self:capability { setgid setuid dac_read_search dac_override }; allow freshclam_t self:fifo_file rw_fifo_file_perms; allow freshclam_t self:unix_stream_socket { accept listen }; allow freshclam_t self:tcp_socket { accept listen }; @@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t) - + logging_send_syslog_msg(freshclam_t) - + -miscfiles_read_localization(freshclam_t) - + tunable_policy(`clamd_use_jit',` - allow freshclam_t self:process execmem; + allow freshclam_t self:process execmem; @@ -240,6 +260,10 @@ optional_policy(` - amavis_manage_spool_files(freshclam_t) + amavis_manage_spool_files(freshclam_t) ') - + +optional_policy(` + clamd_systemctl(freshclam_t) +') + optional_policy(` - cron_system_entry(freshclam_t, freshclam_exec_t) + cron_system_entry(freshclam_t, freshclam_exec_t) ') @@ -249,7 +273,7 @@ optional_policy(` # Clamscam local policy # - + -allow clamscan_t self:capability { setgid setuid dac_override }; +allow clamscan_t self:capability { setgid setuid dac_read_search dac_override }; allow clamscan_t self:fifo_file rw_fifo_file_perms; @@ -14743,88 +14743,88 @@ index ce3836acd..0263671f7 100644 @@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) kernel_read_system_state(clamscan_t) - + -corenet_all_recvfrom_unlabeled(clamscan_t) corenet_all_recvfrom_netlabel(clamscan_t) corenet_tcp_sendrecv_generic_if(clamscan_t) corenet_tcp_sendrecv_generic_node(clamscan_t) 
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) - + corecmd_read_all_executables(clamscan_t) - + -files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) files_search_var_lib(clamscan_t) - + init_read_utmp(clamscan_t) init_dontaudit_write_utmp(clamscan_t) - + -miscfiles_read_localization(clamscan_t) miscfiles_read_public_files(clamscan_t) - + sysnet_dns_name_resolve(clamscan_t) @@ -309,10 +330,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',` - files_getattr_all_sockets(clamscan_t) + files_getattr_all_sockets(clamscan_t) ') - + -optional_policy(` - amavis_read_spool_files(clamscan_t) -') - optional_policy(` - apache_read_sys_content(clamscan_t) + apache_read_sys_content(clamscan_t) ') diff --git a/clockspeed.te b/clockspeed.te index d3e2a67e5..f5b330c08 100644 --- a/clockspeed.te +++ b/clockspeed.te @@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms; - + read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - + -corenet_all_recvfrom_unlabeled(clockspeed_cli_t) corenet_all_recvfrom_netlabel(clockspeed_cli_t) corenet_udp_sendrecv_generic_if(clockspeed_cli_t) corenet_udp_sendrecv_generic_node(clockspeed_cli_t) @@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t) corenet_udp_sendrecv_ntp_port(clockspeed_cli_t) - + files_list_var_lib(clockspeed_cli_t) -files_read_etc_files(clockspeed_cli_t) - + -miscfiles_read_localization(clockspeed_cli_t) - + -userdom_use_user_terminals(clockspeed_cli_t) +userdom_use_inherited_user_terminals(clockspeed_cli_t) - + ######################################## # 
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms; manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t) - + -corenet_all_recvfrom_unlabeled(clockspeed_srv_t) corenet_all_recvfrom_netlabel(clockspeed_srv_t) corenet_udp_sendrecv_generic_if(clockspeed_srv_t) corenet_udp_sendrecv_generic_node(clockspeed_srv_t) @@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t) corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t) - + files_list_var_lib(clockspeed_srv_t) -files_read_etc_files(clockspeed_srv_t) - + -miscfiles_read_localization(clockspeed_srv_t) - + optional_policy(` - daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) + daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t) diff --git a/clogd.te b/clogd.te index 4a5b3d1a5..cd146bd5a 100644 --- a/clogd.te +++ b/clogd.te @@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t) - + logging_send_syslog_msg(clogd_t) - + -miscfiles_read_localization(clogd_t) - optional_policy(` @@ -15241,33 +15241,33 @@ index cc4e7cb96..f348d2746 100644 --- a/cmirrord.if +++ b/cmirrord.if @@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',` - type cmirrord_t, cmirrord_tmpfs_t; - ') - + type cmirrord_t, cmirrord_tmpfs_t; + ') + - allow $1 cmirrord_t:shm rw_shm_perms; + allow $1 cmirrord_t:shm { rw_shm_perms destroy }; - - allow $1 cmirrord_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + + allow $1 cmirrord_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) - fs_search_tmpfs($1) + read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t) + fs_search_tmpfs($1) ') 
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; - ') - + type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; + ') + - allow $1 cmirrord_t:process { ptrace signal_perms }; + allow $1 cmirrord_t:process signal_perms; - ps_process_pattern($1, cmirrord_t) - + ps_process_pattern($1, cmirrord_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 cmirrord_t:process ptrace; + ') + - cmirrord_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cmirrord_initrc_exec_t system_r; + cmirrord_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/cmirrord.te b/cmirrord.te index bbdd3960e..28b176182 100644 --- a/cmirrord.te @@ -15275,7 +15275,7 @@ index bbdd3960e..28b176182 100644 @@ -23,13 +23,14 @@ files_pid_file(cmirrord_var_run_t) # Local policy # - + -allow cmirrord_t self:capability { net_admin kill }; +allow cmirrord_t self:capability { sys_admin net_admin kill }; dontaudit cmirrord_t self:capability sys_tty_config; @@ -15286,26 +15286,26 @@ index bbdd3960e..28b176182 100644 allow cmirrord_t self:netlink_socket create_socket_perms; +allow cmirrord_t self:netlink_connector_socket create_socket_perms; allow cmirrord_t self:unix_stream_socket { accept listen }; - + manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) @@ -42,16 +43,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) domain_use_interactive_fds(cmirrord_t) domain_obj_id_change_exemption(cmirrord_t) - + -files_read_etc_files(cmirrord_t) - storage_create_fixed_disk_dev(cmirrord_t) +storage_raw_read_fixed_disk(cmirrord_t) +storage_rw_inherited_fixed_disk_dev(cmirrord_t) - + seutil_read_file_contexts(cmirrord_t) - + logging_send_syslog_msg(cmirrord_t) - + -miscfiles_read_localization(cmirrord_t) - optional_policy(` - corosync_stream_connect(cmirrord_t) + corosync_stream_connect(cmirrord_t) ') + +optional_policy(` 
@@ -15316,12 +15316,12 @@ index 973d208ff..6ce88039f 100644 --- a/cobbler.fc +++ b/cobbler.fc @@ -4,11 +4,15 @@ - + /usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0) - + +/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) - + +/var/lib/tftpboot/aarch64(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) +/var/lib/tftpboot/boot(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) /var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) @@ -15336,9 +15336,9 @@ index c223f8132..8b567c191 100644 --- a/cobbler.if +++ b/cobbler.if @@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',` - init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) ') - + + + +######################################## @@ -15365,37 +15365,37 @@ index c223f8132..8b567c191 100644 ## ## Read cobbler configuration files. @@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',` - - files_search_var_lib($1) - read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + + files_search_var_lib($1) + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ') - + ######################################## @@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',` - - files_search_var_lib($1) - manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + + files_search_var_lib($1) + manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ') - + ######################################## 
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',` interface(`cobbler_admin',` - gen_require(` - type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; + gen_require(` + type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; - type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t; - type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t; + type cobbler_etc_t, cobblerd_initrc_exec_t; + type cobbler_tmp_t; - ') - - allow $1 cobblerd_t:process { ptrace signal_perms }; + ') + + allow $1 cobblerd_t:process { ptrace signal_perms }; @@ -199,7 +224,4 @@ interface(`cobbler_admin',` - - logging_search_logs($1) - admin_pattern($1, cobbler_var_log_t) + + logging_search_logs($1) + admin_pattern($1, cobbler_var_log_t) - - apache_search_sys_content($1) - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) @@ -15407,7 +15407,7 @@ index 5f306dd44..b6d1c0f70 100644 @@ -62,7 +62,7 @@ files_tmp_file(cobbler_tmp_t) # Local policy # - + -allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; +allow cobblerd_t self:capability { chown dac_read_search dac_override fowner fsetid sys_nice }; dontaudit cobblerd_t self:capability sys_tty_config; @@ -15418,70 +15418,70 @@ index 5f306dd44..b6d1c0f70 100644 manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir) +files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler") - + append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) @@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) - + kernel_read_system_state(cobblerd_t) -kernel_dontaudit_search_network_state(cobblerd_t) +kernel_read_network_state(cobblerd_t) - + corecmd_exec_bin(cobblerd_t) corecmd_exec_shell(cobblerd_t) 
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t) corenet_tcp_connect_http_port(cobblerd_t) corenet_sendrecv_http_client_packets(cobblerd_t) - + +dev_read_sysfs(cobblerd_t) dev_read_urand(cobblerd_t) - + files_list_boot(cobblerd_t) files_list_tmp(cobblerd_t) files_read_boot_files(cobblerd_t) -files_read_etc_files(cobblerd_t) files_read_etc_runtime_files(cobblerd_t) -files_read_usr_files(cobblerd_t) - + fs_getattr_all_fs(cobblerd_t) fs_read_iso9660_files(cobblerd_t) @@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t) - + term_use_console(cobblerd_t) - + +auth_use_nsswitch(cobblerd_t) + logging_send_syslog_msg(cobblerd_t) - + miscfiles_read_localization(cobblerd_t) @@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',` ') - + optional_policy(` + apache_domtrans(cobblerd_t) - apache_search_sys_content(cobblerd_t) + apache_search_sys_content(cobblerd_t) ') - + @@ -170,6 +173,7 @@ optional_policy(` - bind_domtrans(cobblerd_t) - bind_initrc_domtrans(cobblerd_t) - bind_manage_zone(cobblerd_t) + bind_domtrans(cobblerd_t) + bind_initrc_domtrans(cobblerd_t) + bind_manage_zone(cobblerd_t) + bind_systemctl(cobblerd_t) ') - + optional_policy(` @@ -179,12 +183,22 @@ optional_policy(` optional_policy(` - dhcpd_domtrans(cobblerd_t) - dhcpd_initrc_domtrans(cobblerd_t) + dhcpd_domtrans(cobblerd_t) + dhcpd_initrc_domtrans(cobblerd_t) + dhcpd_systemctl(cobblerd_t) ') - + optional_policy(` - dnsmasq_domtrans(cobblerd_t) - dnsmasq_initrc_domtrans(cobblerd_t) - dnsmasq_write_config(cobblerd_t) + dnsmasq_domtrans(cobblerd_t) + dnsmasq_initrc_domtrans(cobblerd_t) + dnsmasq_write_config(cobblerd_t) + dnsmasq_systemctl(cobblerd_t) +') + @@ -15492,24 +15492,24 @@ index 5f306dd44..b6d1c0f70 100644 +optional_policy(` + mysql_stream_connect(cobblerd_t) ') - + optional_policy(` 
@@ -192,13 +206,13 @@ optional_policy(` ') - + optional_policy(` + rsync_exec(cobblerd_t) - rsync_read_config(cobblerd_t) + rsync_read_config(cobblerd_t) - rsync_manage_config_files(cobblerd_t) + rsync_manage_config(cobblerd_t) - rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf") + rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf") ') - + optional_policy(` - tftp_manage_config_files(cobblerd_t) - tftp_etc_filetrans_config(cobblerd_t, file, "tftp") + tftp_manage_config(cobblerd_t) - tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) + tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) ') diff --git a/cockpit.fc b/cockpit.fc new file mode 100644 @@ -15859,16 +15859,16 @@ index 79a3abe3a..3237fb088 100644 +++ b/collectd.fc @@ -1,9 +1,12 @@ /etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0) - + +/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0) + /usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0) - + /var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0) - + /var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0) +/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0) - + -/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0) +/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0) diff --git a/collectd.if b/collectd.if @@ -15876,7 +15876,7 @@ index 954309e64..67801421b 100644 --- a/collectd.if +++ b/collectd.if @@ -2,8 +2,145 @@ - + ######################################## ## -## All of the rules required to @@ -16025,29 +16025,29 @@ index 954309e64..67801421b 100644 ## 
@@ -20,13 +157,17 @@ interface(`collectd_admin',` - gen_require(` - type collectd_t, collectd_initrc_exec_t, collectd_var_run_t; + gen_require(` + type collectd_t, collectd_initrc_exec_t, collectd_var_run_t; - type collectd_var_lib_t; + type collectd_var_lib_t, collectd_unit_file_t; - ') - + ') + - allow $1 collectd_t:process { ptrace signal_perms }; + allow $1 collectd_t:process signal_perms; - ps_process_pattern($1, collectd_t) - + ps_process_pattern($1, collectd_t) + - init_labeled_script_domtrans($1, collectd_initrc_exec_t) + tunable_policy(`deny_ptrace',`',` + allow $1 collectd_t:process ptrace; + ') + + collectd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 collectd_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 collectd_initrc_exec_t system_r; + allow $2 system_r; @@ -36,4 +177,9 @@ interface(`collectd_admin',` - - files_search_var_lib($1) - admin_pattern($1, collectd_var_lib_t) + + files_search_var_lib($1) + admin_pattern($1, collectd_var_lib_t) + + collectd_systemctl($1) + admin_pattern($1, collectd_unit_file_t) @@ -16061,7 +16061,7 @@ index 6471fa8c4..4abd55f87 100644 @@ -26,43 +26,59 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) - + +type collectd_unit_file_t; +systemd_unit_file(collectd_unit_file_t) + @@ -16070,12 +16070,12 @@ index 6471fa8c4..4abd55f87 100644 + +type collectd_script_tmp_t alias httpd_collectd_script_tmp_t; +files_tmp_file(collectd_script_tmp_t) - + ######################################## # # Local policy # - + -allow collectd_t self:capability { ipc_lock sys_nice }; +allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search dac_override setuid setgid }; allow collectd_t self:process { getsched setsched signal }; 
@@ -16086,21 +16086,21 @@ index 6471fa8c4..4abd55f87 100644 +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow collectd_t self:udp_socket create_socket_perms; +allow collectd_t self:rawip_socket create_socket_perms; - + manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) - + manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) -files_pid_filetrans(collectd_t, collectd_var_run_t, file) +manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) +files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file }) - + -domain_use_interactive_fds(collectd_t) +kernel_read_all_sysctls(collectd_t) +kernel_read_all_proc(collectd_t) +kernel_list_all_proc(collectd_t) - + -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) @@ -16108,30 +16108,30 @@ index 6471fa8c4..4abd55f87 100644 + +corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_collectd_port(collectd_t) - + dev_read_rand(collectd_t) dev_read_sysfs(collectd_t) dev_read_urand(collectd_t) - + +domain_use_interactive_fds(collectd_t) +domain_read_all_domains_state(collectd_t) + files_getattr_all_dirs(collectd_t) -files_read_etc_files(collectd_t) -files_read_usr_files(collectd_t) - + fs_getattr_all_fs(collectd_t) +fs_getattr_all_dirs(collectd_t) - + -miscfiles_read_localization(collectd_t) +init_read_utmp(collectd_t) - + logging_send_syslog_msg(collectd_t) - + @@ -74,17 +90,40 @@ tunable_policy(`collectd_tcp_network_connect',` - corenet_tcp_sendrecv_all_ports(collectd_t) + corenet_tcp_sendrecv_all_ports(collectd_t) ') - + +optional_policy(` + mysql_stream_connect(collectd_t) +') 
@@ -16149,30 +16149,30 @@ index 6471fa8c4..4abd55f87 100644 +') + optional_policy(` - virt_read_config(collectd_t) + virt_read_config(collectd_t) + virt_stream_connect(collectd_t) ') - + ######################################## # -# Web local policy +# Web collectd local policy # - + -optional_policy(` - read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) - list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) - miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) -') + -+files_search_var_lib(collectd_script_t) ++files_search_var_lib(collectd_script_t) +read_files_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) +list_dirs_pattern(collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) +miscfiles_setattr_fonts_cache_dirs(collectd_script_t) + +manage_dirs_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t) +manage_files_pattern(collectd_script_t, collectd_script_tmp_t, collectd_script_tmp_t) -+files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir }) ++files_tmp_filetrans(collectd_script_t, collectd_script_tmp_t, { file dir }) + +auth_read_passwd(collectd_script_t) diff --git a/colord.fc b/colord.fc @@ -16182,7 +16182,7 @@ index 71639eb54..08ab89171 100644 @@ -7,5 +7,7 @@ /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) - + +/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) + /var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0) @@ -16194,28 +16194,28 @@ index 8e27a37c1..c69be28b9 100644 @@ -1,4 +1,4 @@ -## GNOME color manager. +## GNOME color manager - + ######################################## ## 
@@ -15,7 +15,6 @@ interface(`colord_domtrans',` - type colord_t, colord_exec_t; - ') - + type colord_t, colord_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, colord_exec_t, colord_t) + domtrans_pattern($1, colord_exec_t, colord_t) ') - + @@ -38,6 +37,7 @@ interface(`colord_dbus_chat',` - - allow $1 colord_t:dbus send_msg; - allow colord_t $1:dbus send_msg; + + allow $1 colord_t:dbus send_msg; + allow colord_t $1:dbus send_msg; + ps_process_pattern(colord_t, $1) ') - + ###################################### @@ -58,3 +58,27 @@ interface(`colord_read_lib_files',` - files_search_var_lib($1) - read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) + files_search_var_lib($1) + read_files_pattern($1, colord_var_lib_t, colord_var_lib_t) ') + +######################################## @@ -16250,13 +16250,13 @@ index 9f2dfb233..ad8ae4228 100644 type colord_exec_t; dbus_system_domain(colord_t, colord_exec_t) +init_daemon_domain(colord_t, colord_exec_t) - + type colord_tmp_t; files_tmp_file(colord_tmp_t) @@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t) type colord_var_lib_t; files_type(colord_var_lib_t) - + +type colord_unit_file_t; +systemd_unit_file(colord_unit_file_t) + @@ -16275,7 +16275,7 @@ index 9f2dfb233..ad8ae4228 100644 allow colord_t self:shm create_shm_perms; +allow colord_t self:udp_socket create_socket_perms; +allow colord_t self:unix_dgram_socket create_socket_perms; - + manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) @@ -74,22 +81,21 @@ dev_read_video_dev(colord_t) @@ -16287,12 +16287,12 @@ index 9f2dfb233..ad8ae4228 100644 -dev_list_sysfs(colord_t) +dev_read_sysfs(colord_t) dev_rw_generic_usb_dev(colord_t) - + domain_use_interactive_fds(colord_t) - + files_list_mnt(colord_t) -files_read_usr_files(colord_t) - + -fs_getattr_noxattr_fs(colord_t) -fs_getattr_tmpfs(colord_t) +fs_getattr_all_fs(colord_t) 
@@ -16302,21 +16302,21 @@ index 9f2dfb233..ad8ae4228 100644 fs_dontaudit_getattr_all_fs(colord_t) +fs_getattr_tmpfs(colord_t) +fs_read_cgroup_files(colord_t) - + storage_getattr_fixed_disk_dev(colord_t) storage_getattr_removable_dev(colord_t) @@ -100,19 +106,17 @@ init_read_state(colord_t) - + auth_use_nsswitch(colord_t) - + +init_read_state(colord_t) + logging_send_syslog_msg(colord_t) - + -miscfiles_read_localization(colord_t) +systemd_read_logind_sessions_files(colord_t) +systemd_hwdb_manage_config(colord_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(colord_t) - fs_read_nfs_files(colord_t) @@ -16330,13 +16330,13 @@ index 9f2dfb233..ad8ae4228 100644 +userdom_home_reader(colord_t) +userdom_list_user_home_content(colord_t) +userdom_read_inherited_user_home_content_files(colord_t) - + optional_policy(` - cups_read_config(colord_t) + cups_read_config(colord_t) @@ -120,6 +124,13 @@ optional_policy(` - cups_read_state(colord_t) - cups_stream_connect(colord_t) - cups_dbus_chat(colord_t) + cups_read_state(colord_t) + cups_stream_connect(colord_t) + cups_dbus_chat(colord_t) + cups_read_state(colord_t) +') + @@ -16345,11 +16345,11 @@ index 9f2dfb233..ad8ae4228 100644 + # Fixes lots of breakage in F16 on upgrade + gnome_read_generic_data_home_files(colord_t) ') - + optional_policy(` @@ -137,3 +148,17 @@ optional_policy(` - udev_read_db(colord_t) - udev_read_pid_files(colord_t) + udev_read_db(colord_t) + udev_read_pid_files(colord_t) ') + +optional_policy(` @@ -16372,7 +16372,7 @@ index c63cf8556..dc6998b60 100644 @@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t) kernel_read_network_state(comsat_t) kernel_read_system_state(comsat_t) - + +corenet_all_recvfrom_netlabel(comsat_t) +corenet_tcp_sendrecv_generic_if(comsat_t) +corenet_udp_sendrecv_generic_if(comsat_t) @@ -16381,16 +16381,16 @@ index c63cf8556..dc6998b60 100644 +corenet_udp_sendrecv_all_ports(comsat_t) + dev_read_urand(comsat_t) - + fs_getattr_xattr_fs(comsat_t) 
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t) - + logging_send_syslog_msg(comsat_t) - + -miscfiles_read_localization(comsat_t) - userdom_dontaudit_getattr_user_ttys(comsat_t) - + mta_getattr_spool(comsat_t) diff --git a/condor.fc b/condor.fc index ad2b69606..28d1af020 100644 @@ -16398,10 +16398,10 @@ index ad2b69606..28d1af020 100644 +++ b/condor.fc @@ -1,6 +1,7 @@ /etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0) - + /etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0) +/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0) - + /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) diff --git a/condor.if b/condor.if @@ -16506,7 +16506,7 @@ index 881d92f35..a2d588a51 100644 + ') + +') - + ####################################### ## -## The template to define a condor domain. @@ -16547,12 +16547,12 @@ index 881d92f35..a2d588a51 100644 # -template(`condor_domain_template',` +interface(`condor_read_log',` - gen_require(` + gen_require(` - attribute condor_domain; - type condor_master_t; + type condor_log_t; - ') - + ') + - ############################# - # - # Declarations @@ -16560,7 +16560,7 @@ index 881d92f35..a2d588a51 100644 + logging_search_logs($1) + read_files_pattern($1, condor_log_t, condor_log_t) +') - + - type condor_$1_t, condor_domain; - type condor_$1_exec_t; - domain_type(condor_$1_t) @@ -16580,7 +16580,7 @@ index 881d92f35..a2d588a51 100644 + gen_require(` + type condor_log_t; + ') - + - ############################# - # - # Policy @@ -16588,7 +16588,7 @@ index 881d92f35..a2d588a51 100644 + logging_search_logs($1) + append_files_pattern($1, condor_log_t, condor_log_t) +') - + - domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t) - allow condor_master_t condor_$1_exec_t:file ioctl; +######################################## 
@@ -16605,14 +16605,14 @@ index 881d92f35..a2d588a51 100644 + gen_require(` + type condor_log_t; + ') - + - auth_use_nsswitch(condor_$1_t) + logging_search_logs($1) + manage_dirs_pattern($1, condor_log_t, condor_log_t) + manage_files_pattern($1, condor_log_t, condor_log_t) + manage_lnk_files_pattern($1, condor_log_t, condor_log_t) ') - + ######################################## ## -## All of the rules required to @@ -16725,14 +16725,14 @@ index 881d92f35..a2d588a51 100644 +## +# +interface(`condor_read_pid_files',` - gen_require(` + gen_require(` - attribute condor_domain; - type condor_initrc_exec_config_t, condor_log_t; - type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t; - type condor_var_run_t, condor_startd_tmp_t, condor_conf_t; + type condor_var_run_t; - ') - + ') + - allow $1 condor_domain:process { ptrace signal_perms }; + files_search_pids($1) + allow $1 condor_var_run_t:file read_file_perms; @@ -16760,7 +16760,7 @@ index 881d92f35..a2d588a51 100644 + allow $1 condor_unit_file_t:file read_file_perms; + allow $1 condor_unit_file_t:service manage_service_perms; + - ps_process_pattern($1, condor_domain) + ps_process_pattern($1, condor_domain) +') + +####################################### @@ -16777,7 +16777,7 @@ index 881d92f35..a2d588a51 100644 + gen_require(` + type condor_startd_t; + ') - + - init_labeled_script_domtrans($1, condor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 condor_initrc_exec_t system_r; @@ -16835,24 +16835,24 @@ index 881d92f35..a2d588a51 100644 + domain_system_change_exemption($1) + role_transition $2 condor_initrc_exec_t system_r; + allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, condor_conf_t) + + files_search_etc($1) + admin_pattern($1, condor_conf_t) 
@@ -77,8 +393,8 @@ interface(`condor_admin',` - logging_search_logs($1) - admin_pattern($1, condor_log_t) - + logging_search_logs($1) + admin_pattern($1, condor_log_t) + - files_search_locks($1) - admin_pattern($1, condor_var_lock_t) + files_search_locks($1) + admin_pattern($1, condor_var_lock_t) - - files_search_var_lib($1) - admin_pattern($1, condor_var_lib_t) + + files_search_var_lib($1) + admin_pattern($1, condor_var_lib_t) @@ -88,4 +404,13 @@ interface(`condor_admin',` - - files_search_tmp($1) - admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) + + files_search_tmp($1) + admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) + + condor_systemctl($1) + admin_pattern($1, condor_unit_file_t) @@ -16870,16 +16870,16 @@ index ce9f040e2..990ada3ad 100644 @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) type condor_startd_tmpfs_t; files_tmpfs_file(condor_startd_tmpfs_t) - + -type condor_conf_t; +type condor_conf_t alias condor_etc_rw_t; files_config_file(condor_conf_t) - + type condor_log_t; @@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t) type condor_var_run_t; files_pid_file(condor_var_run_t) - + +type condor_unit_file_t; +systemd_unit_file(condor_unit_file_t) + @@ -16889,7 +16889,7 @@ index ce9f040e2..990ada3ad 100644 @@ -60,10 +63,18 @@ condor_domain_template(startd) # Global local policy # - + +allow condor_domain self:capability { dac_read_search dac_override }; +allow condor_domain self:capability2 block_suspend; + @@ -16904,54 +16904,54 @@ index ce9f040e2..990ada3ad 100644 + +allow condor_domain condor_etc_rw_t:dir list_dir_perms; +rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) - + rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t) - + 
@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) - + allow condor_domain condor_master_t:process signull; allow condor_domain condor_master_t:tcp_socket getattr; +allow condor_domain condor_master_t:udp_socket { read write }; - + -kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) -kernel_read_system_state(condor_domain) +kernel_rw_kernel_sysctl(condor_domain) +kernel_search_network_sysctl(condor_domain) - + corecmd_exec_bin(condor_domain) corecmd_exec_shell(condor_domain) - + -corenet_all_recvfrom_netlabel(condor_domain) -corenet_all_recvfrom_unlabeled(condor_domain) corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) - + @@ -109,9 +119,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) - + -logging_send_syslog_msg(condor_domain) +auth_read_passwd(condor_domain) - + -miscfiles_read_localization(condor_domain) +sysnet_dns_name_resolve(condor_domain) - + sysnet_dns_name_resolve(condor_domain) - + @@ -130,7 +140,7 @@ optional_policy(` # Master local policy # - + -allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; +allow condor_master_t self:capability { chown setuid setgid sys_ptrace net_admin }; - + allow condor_master_t condor_domain:process { sigkill signal }; - + @@ -138,6 +148,12 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) - + +can_exec(condor_master_t, condor_master_exec_t) + +kernel_read_system_state(condor_master_t) @@ -16962,18 +16962,18 @@ index ce9f040e2..990ada3ad 100644 corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) 
@@ -157,6 +173,8 @@ domain_read_all_domains_state(condor_master_t) - + auth_use_nsswitch(condor_master_t) - + +logging_send_syslog_msg(condor_master_t) + optional_policy(` - mta_send_mail(condor_master_t) - mta_read_config(condor_master_t) + mta_send_mail(condor_master_t) + mta_read_config(condor_master_t) @@ -174,6 +192,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; - + kernel_read_network_state(condor_collector_t) - + +corenet_tcp_bind_http_port(condor_collector_t) + ##################################### @@ -16982,40 +16982,40 @@ index ce9f040e2..990ada3ad 100644 @@ -183,12 +203,14 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; - + +corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t) + ###################################### # # Procd local policy # - + -allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; +allow condor_procd_t self:capability { fowner chown kill dac_read_search dac_override sys_ptrace }; - + allow condor_procd_t condor_domain:process sigkill; - + @@ -199,13 +221,15 @@ domain_read_all_domains_state(condor_procd_t) # Schedd local policy # - + -allow condor_schedd_t self:capability { setuid chown setgid dac_override }; +allow condor_schedd_t self:capability { setuid chown setgid dac_read_search dac_override }; - + allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_schedd_t condor_master_t:udp_socket getattr; - + allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; - -+allow condor_schedd_t condor_master_tmp_t:dir getattr; + ++allow condor_schedd_t condor_master_tmp_t:dir getattr; + domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) - + 
@@ -214,12 +238,19 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) - + +corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t) + +optional_policy(` @@ -17027,28 +17027,28 @@ index ce9f040e2..990ada3ad 100644 # # Startd local policy # - + -allow condor_startd_t self:capability { setuid net_admin setgid dac_override }; +allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search dac_override }; allow condor_startd_t self:process execmem; - + manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t) @@ -238,11 +269,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) - + init_domtrans_script(condor_startd_t) +init_initrc_domain(condor_startd_t) - + libs_exec_lib_files(condor_startd_t) - + -files_read_usr_files(condor_startd_t) - optional_policy(` - ssh_basic_client_template(condor_startd, condor_startd_t, system_r) - ssh_domtrans(condor_startd_t) + ssh_basic_client_template(condor_startd, condor_startd_t, system_r) + ssh_domtrans(condor_startd_t) @@ -254,3 +284,7 @@ optional_policy(` - kerberos_use(condor_startd_ssh_t) - ') + kerberos_use(condor_startd_ssh_t) + ') ') + +optional_policy(` @@ -17351,16 +17351,16 @@ index 23c95582f..29e5fd38d 100644 +/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0) + /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0) - + /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0) diff --git a/consolekit.if b/consolekit.if index 5b830ec9c..78025c5e7 100644 --- a/consolekit.if +++ b/consolekit.if 
@@ -19,6 +19,27 @@ interface(`consolekit_domtrans',` - domtrans_pattern($1, consolekit_exec_t, consolekit_t) + domtrans_pattern($1, consolekit_exec_t, consolekit_t) ') - + +######################################## +## +## dontaudit Send and receive messages from @@ -17386,9 +17386,9 @@ index 5b830ec9c..78025c5e7 100644 ## ## Send and receive messages from @@ -40,6 +61,24 @@ interface(`consolekit_dbus_chat',` - allow consolekit_t $1:dbus send_msg; + allow consolekit_t $1:dbus send_msg; ') - + +######################################## +## +## Dontaudit attempts to read consolekit log files. @@ -17411,8 +17411,8 @@ index 5b830ec9c..78025c5e7 100644 ## ## Read consolekit log files. @@ -98,3 +137,65 @@ interface(`consolekit_read_pid_files',` - allow $1 consolekit_var_run_t:dir list_dir_perms; - read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) + allow $1 consolekit_var_run_t:dir list_dir_perms; + read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) ') + +######################################## @@ -17483,7 +17483,7 @@ index bd18063f6..94407f854 100644 @@ -19,21 +19,23 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") - + +type consolekit_unit_file_t; +systemd_unit_file(consolekit_unit_file_t) + 
@@ -17491,14 +17491,14 @@ index bd18063f6..94407f854 100644 # # Local policy # - + -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search dac_override sys_nice sys_ptrace }; + allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket { accept listen }; - + -create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) -read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) @@ -17507,26 +17507,26 @@ index bd18063f6..94407f854 100644 +manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file }) - + manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) @@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t) - + domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) -domain_dontaudit_ptrace_all_domains(consolekit_t) - + -files_read_usr_files(consolekit_t) +# needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) files_search_all_mountpoints(consolekit_t) - + fs_list_inotifyfs(consolekit_t) - + -mcs_ptrace_all(consolekit_t) - term_use_all_terms(consolekit_t) - + auth_use_nsswitch(consolekit_t) auth_manage_pam_console_data(consolekit_t) auth_write_login_records(consolekit_t) 
@@ -17534,35 +17534,35 @@ index bd18063f6..94407f854 100644 -auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console") + +init_read_utmp(consolekit_t) - + logging_send_syslog_msg(consolekit_t) logging_send_audit_msgs(consolekit_t) - + -miscfiles_read_localization(consolekit_t) +systemd_exec_systemctl(consolekit_t) +systemd_start_power_services(consolekit_t) - + +userdom_read_all_users_state(consolekit_t) userdom_dontaudit_read_user_home_content_files(consolekit_t) +userdom_dontaudit_getattr_admin_home_files(consolekit_t) userdom_read_user_tmp_files(consolekit_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(consolekit_t) -') +userdom_home_reader(consolekit_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(consolekit_t) +optional_policy(` + cron_read_system_job_lib_files(consolekit_t) ') - + optional_policy(` @@ -109,13 +110,6 @@ optional_policy(` - ') + ') ') - + -optional_policy(` - hal_ptrace(consolekit_t) -') @@ -17570,9 +17570,9 @@ index bd18063f6..94407f854 100644 -optional_policy(` - networkmanager_append_log_files(consolekit_t) -') - + optional_policy(` - policykit_domtrans_auth(consolekit_t) + policykit_domtrans_auth(consolekit_t) diff --git a/container.fc b/container.fc new file mode 100644 index 000000000..bad12f421 @@ -18561,12 +18561,12 @@ index da39f0fcc..b26d3e0a4 100644 +++ b/corosync.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) - + +/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0) + /usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) /usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) - + @@ -10,3 +12,5 @@ /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) @@ -18578,9 +18578,9 @@ index 694a037da..d8596812d 100644 --- a/corosync.if +++ b/corosync.if 
@@ -77,6 +77,25 @@ interface(`corosync_read_log',` - read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) + read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) ') - + +####################################### +## +## Setattr corosync log files. @@ -18605,16 +18605,16 @@ index 694a037da..d8596812d 100644 ## Connect to corosync over a unix @@ -91,29 +110,55 @@ interface(`corosync_read_log',` interface(`corosync_stream_connect',` - gen_require(` - type corosync_t, corosync_var_run_t; + gen_require(` + type corosync_t, corosync_var_run_t; + type corosync_var_lib_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) + stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t) - stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) + stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) ') - + ###################################### ## -## Read and write corosync tmpfs files. @@ -18648,12 +18648,12 @@ index 694a037da..d8596812d 100644 # -interface(`corosync_rw_tmpfs',` +interface(`corosync_systemctl',` - gen_require(` + gen_require(` - type corosync_tmpfs_t; + type corosync_t; + type corosync_unit_file_t; - ') - + ') + - fs_search_tmpfs($1) - rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) + systemd_exec_systemctl($1) @@ -18663,32 +18663,32 @@ index 694a037da..d8596812d 100644 + + ps_process_pattern($1, corosync_t) ') - + ###################################### 
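Review bot: `corosync_stream_connect` on the new side also connects to sockets labelled corosync_var_lib_t, but the interface only grants `files_search_pids($1)`; a caller that has nothing else will be denied search on /var/lib before it reaches the socket directory. Add `files_search_var_lib($1)` next to `files_search_pids($1)` so the interface is self-contained. Whether the var_lib connect is new in this commit or pre-existing context of the embedded patch cannot be told from the collapsed lines, but it is what the new side of the file contains.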
@@ -160,12 +205,17 @@ interface(`corosync_admin',` - type corosync_t, corosync_var_lib_t, corosync_var_log_t; - type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; - type corosync_initrc_exec_t; + type corosync_t, corosync_var_lib_t, corosync_var_log_t; + type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; + type corosync_initrc_exec_t; + type corosync_unit_file_t; - ') - + ') + - allow $1 corosync_t:process { ptrace signal_perms }; + allow $1 corosync_t:process signal_perms; - ps_process_pattern($1, corosync_t) - + ps_process_pattern($1, corosync_t) + - corosync_initrc_domtrans($1) + tunable_policy(`deny_ptrace',`',` + allow $1 corosync_t:process ptrace; + ') + + init_labeled_script_domtrans($1, corosync_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 corosync_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 corosync_initrc_exec_t system_r; + allow $2 system_r; @@ -183,4 +233,8 @@ interface(`corosync_admin',` - - files_list_pids($1) - admin_pattern($1, corosync_var_run_t) + + files_list_pids($1) + admin_pattern($1, corosync_var_run_t) + + corosync_systemctl($1) + admin_pattern($1, corosync_unit_file_t) @@ -18701,7 +18701,7 @@ index d5aa1e446..9a2570145 100644 @@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t) type corosync_var_run_t; files_pid_file(corosync_var_run_t) - + +type corosync_unit_file_t; +systemd_unit_file(corosync_unit_file_t) + @@ -18709,7 +18709,7 @@ index d5aa1e446..9a2570145 100644 # # Local policy # - + -allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; +allow corosync_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock }; # for hearbeat @@ -18717,15 +18717,15 @@ index d5aa1e446..9a2570145 100644 allow corosync_t self:process { setpgid setrlimit setsched signal signull }; 
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) - + files_manage_mounttab(corosync_t) -files_read_usr_files(corosync_t) - + auth_use_nsswitch(corosync_t) - + @@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) - + userdom_read_user_tmp_files(corosync_t) -userdom_manage_user_tmpfs_files(corosync_t) +userdom_delete_user_tmp_files(corosync_t) @@ -18735,39 +18735,39 @@ index d5aa1e446..9a2570145 100644 + fs_manage_tmpfs_files(corosync_t) + init_manage_script_status_files(corosync_t) +') - + optional_policy(` - ccs_read_config(corosync_t) + ccs_read_config(corosync_t) @@ -128,21 +136,30 @@ optional_policy(` - drbd_domtrans(corosync_t) + drbd_domtrans(corosync_t) ') - + +optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) + lvm_delete_clvmd_tmpfs_files(corosync_t) +') + optional_policy(` - qpidd_rw_shm(corosync_t) + qpidd_rw_shm(corosync_t) ') - + optional_policy(` - rhcs_getattr_fenced_exec_files(corosync_t) + rhcs_getattr_fenced(corosync_t) + # to communication with RHCS - rhcs_rw_cluster_shm(corosync_t) - rhcs_rw_cluster_semaphores(corosync_t) - rhcs_stream_connect_cluster(corosync_t) + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) + rhcs_read_cluster_lib_files(corosync_t) + rhcs_manage_cluster_lib_files(corosync_t) + rhcs_relabel_cluster_lib_files(corosync_t) ') - + optional_policy(` - rgmanager_manage_tmpfs_files(corosync_t) + rpc_search_nfs_state_data(corosync_t) ') - + optional_policy(` - rpc_search_nfs_state_data(corosync_t) -') 
@@ -18782,22 +18782,22 @@ index c0863022d..5380ab641 100644 -/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0) - /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) - + -/usr/bin/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0) +/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0) + +/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0) + +/usr/libexec/couchdb -- gen_context(system_u:object_r:couchdb_exec_t,s0) - + /var/lib/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_lib_t,s0) - + diff --git a/couchdb.if b/couchdb.if index 715a826f1..a1cbdb29e 100644 --- a/couchdb.if +++ b/couchdb.if @@ -2,7 +2,7 @@ - + ######################################## ## -## Read couchdb log files. @@ -18806,14 +18806,14 @@ index 715a826f1..a1cbdb29e 100644 ## ## @@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',` - type couchdb_log_t; - ') - + type couchdb_log_t; + ') + - logging_search_logs($1) + files_search_var_lib($1) - read_files_pattern($1, couchdb_log_t, couchdb_log_t) + read_files_pattern($1, couchdb_log_t, couchdb_log_t) ') - + ######################################## ## -## Read, write, and create couchdb lib files. @@ -18827,11 +18827,11 @@ index 715a826f1..a1cbdb29e 100644 # -interface(`couchdb_manage_lib_files',` +interface(`couchdb_read_lib_files',` - gen_require(` - type couchdb_var_lib_t; - ') + gen_require(` + type couchdb_var_lib_t; + ') @@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',` - + ######################################## ## -## Read couchdb config files. @@ -18879,14 +18879,14 @@ index 715a826f1..a1cbdb29e 100644 ## ## 
@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',` - type couchdb_conf_t; - ') - + type couchdb_conf_t; + ') + - files_search_etc($1) + files_search_var_lib($1) - read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) + read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) ') - + ######################################## ## -## Read couchdb pid files. @@ -18895,9 +18895,9 @@ index 715a826f1..a1cbdb29e 100644 ## ## @@ -73,19 +112,88 @@ interface(`couchdb_read_pid_files',` - ') - - files_search_pids($1) + ') + + files_search_pids($1) - read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) + allow $1 couchdb_var_run_t:file read_file_perms; +') @@ -18944,7 +18944,7 @@ index 715a826f1..a1cbdb29e 100644 + manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) + manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t) ') - + ######################################## ## -## All of the rules required to @@ -18990,28 +18990,28 @@ index 715a826f1..a1cbdb29e 100644 @@ -95,14 +203,19 @@ interface(`couchdb_read_pid_files',` # interface(`couchdb_admin',` - gen_require(` + gen_require(` + type couchdb_unit_file_t; - type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; - type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t; - type couchdb_tmp_t; - ') - + type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; + type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t; + type couchdb_tmp_t; + ') + - allow $1 couchdb_t:process { ptrace signal_perms }; + allow $1 couchdb_t:process { signal_perms }; - ps_process_pattern($1, couchdb_t) - + ps_process_pattern($1, couchdb_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 couchdb_t:process ptrace; + ') + - init_labeled_script_domtrans($1, couchdb_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 couchdb_initrc_exec_t system_r; + init_labeled_script_domtrans($1, couchdb_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 couchdb_initrc_exec_t system_r; 
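Review bot: `couchdb_read_conf_files` on the new side replaces `files_search_etc($1)` with `files_search_var_lib($1)`, yet the couchdb.fc hunk earlier in this chunk labels `/etc/couchdb(/.*)?` as couchdb_conf_t, so a caller relying on this interface alone loses the search permission on /etc it needs to reach those files. Unless the configuration has genuinely moved under /var/lib (nothing in this chunk labels a var_lib path as couchdb_conf_t), keep `files_search_etc($1)` here, instead of or alongside the var_lib search. The interface's opening lines sit outside the inner hunk, so its full gen_require block is not visible here.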
@@ -122,4 +235,13 @@ interface(`couchdb_admin',` - - files_search_pids($1) - admin_pattern($1, couchdb_var_run_t) + + files_search_pids($1) + admin_pattern($1, couchdb_var_run_t) + + admin_pattern($1, couchdb_unit_file_t) + couchdb_systemctl($1) @@ -19029,7 +19029,7 @@ index ae1c1b12a..9b3a328c2 100644 @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t) type couchdb_var_run_t; files_pid_file(couchdb_var_run_t) - + +type couchdb_unit_file_t; +systemd_unit_file(couchdb_unit_file_t) + @@ -19037,40 +19037,40 @@ index ae1c1b12a..9b3a328c2 100644 # # Local policy # - + -allow couchdb_t self:process { setsched signal signull sigkill }; +allow couchdb_t self:process { execmem setsched signal signull sigkill }; allow couchdb_t self:fifo_file rw_fifo_file_perms; allow couchdb_t self:unix_stream_socket create_stream_socket_perms; +allow couchdb_t self:unix_dgram_socket create_socket_perms; allow couchdb_t self:tcp_socket { accept listen }; - + -allow couchdb_t couchdb_conf_t:dir list_dir_perms; -allow couchdb_t couchdb_conf_t:file read_file_perms; +manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t) - + manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) @@ -56,11 +59,14 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) - + manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) -files_pid_filetrans(couchdb_t, couchdb_var_run_t, dir) +files_pid_filetrans(couchdb_t, couchdb_var_run_t, {file dir }) - + can_exec(couchdb_t, couchdb_exec_t) - + +kernel_read_network_state(couchdb_t) kernel_read_system_state(couchdb_t) +kernel_read_fs_sysctls(couchdb_t) +kernel_dgram_send(couchdb_t) - + corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) 
@@ -75,14 +81,27 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) - + +# disksup tries to monitor the local disks +fs_getattr_all_files(couchdb_t) +fs_getattr_all_dirs(couchdb_t) @@ -19083,10 +19083,10 @@ index ae1c1b12a..9b3a328c2 100644 dev_list_sysfs(couchdb_t) dev_read_sysfs(couchdb_t) dev_read_urand(couchdb_t) - + -files_read_usr_files(couchdb_t) +auth_use_nsswitch(couchdb_t) - + -fs_getattr_xattr_fs(couchdb_t) +optional_policy(` + gnome_dontaudit_search_config(couchdb_t) @@ -19095,9 +19095,9 @@ index ae1c1b12a..9b3a328c2 100644 +optional_policy(` + rpc_read_nfs_state_data(couchdb_t) +') - + -auth_use_nsswitch(couchdb_t) - + -miscfiles_read_localization(couchdb_t) diff --git a/courier.fc b/courier.fc index 2f017a076..defdc871e 100644 @@ -19105,7 +19105,7 @@ index 2f017a076..defdc871e 100644 +++ b/courier.fc @@ -11,17 +11,18 @@ /usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) - + /usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) -/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) /usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) @@ -19123,11 +19123,11 @@ index 2f017a076..defdc871e 100644 +/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0) - + +ifdef(`distro_gentoo',` +/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) +') - + /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) diff --git a/courier.if b/courier.if @@ -19137,7 +19137,7 @@ index 10f820fc7..acdb179e8 100644 
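Review bot: Two widenings of couchdb_t in this hunk carry no justification on the line, while the neighbouring `fs_getattr_all_files(couchdb_t)` does (`# disksup tries to monitor the local disks`): `execmem` is added to `allow couchdb_t self:process { ... }`, and `manage_files_pattern(couchdb_t, couchdb_conf_t, couchdb_conf_t)` replaces the former read-only `list_dir_perms`/`read_file_perms` access to the daemon's own configuration. `execmem` lets the process map memory that is both writable and executable, and write access to its own config lets a compromised daemon persist changes across restarts, so both deserve a one-line reason, e.g. `# execmem: required by <COMPONENT — fill in from the AVC that motivated it>` and `# couchdb rewrites <CONFIG FILE — fill in> at runtime`. If only specific files are written, a rule narrower than manage_files_pattern would be preferable.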
@@ -1,12 +1,12 @@ -## Courier IMAP and POP3 email servers. +## Courier IMAP and POP3 email servers - + -####################################### +######################################## ## @@ -19153,26 +19153,26 @@ index 10f820fc7..acdb179e8 100644 ## # @@ -15,7 +15,7 @@ template(`courier_domain_template',` - attribute courier_domain; - ') - + attribute courier_domain; + ') + - ######################################## + ############################## - # - # Declarations - # + # + # Declarations + # @@ -24,18 +24,30 @@ template(`courier_domain_template',` - type courier_$1_exec_t; - init_daemon_domain(courier_$1_t, courier_$1_exec_t) - + type courier_$1_exec_t; + init_daemon_domain(courier_$1_t, courier_$1_exec_t) + - ######################################## + ############################## - # + # - # Policy + # Declarations - # - - can_exec(courier_$1_t, courier_$1_exec_t) + # + + can_exec(courier_$1_t, courier_$1_exec_t) + + kernel_read_system_state(courier_$1_t) + @@ -19186,7 +19186,7 @@ index 10f820fc7..acdb179e8 100644 + + logging_send_syslog_msg(courier_$1_t) ') - + ######################################## ## -## Execute the courier authentication @@ -19197,13 +19197,13 @@ index 10f820fc7..acdb179e8 100644 ## ## @@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',` - type courier_authdaemon_t, courier_authdaemon_exec_t; - ') - + type courier_authdaemon_t, courier_authdaemon_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) + domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) ') - + ####################################### ## -## Connect to courier-authdaemon over 
@@ -19226,12 +19226,12 @@ index 10f820fc7..acdb179e8 100644 + gen_require(` + type courier_authdaemon_t, courier_spool_t; + ') - - files_search_spool($1) + + files_search_spool($1) - stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) + stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) ') - + ######################################## ## -## Execute the courier POP3 and IMAP @@ -19242,13 +19242,13 @@ index 10f820fc7..acdb179e8 100644 ## ## @@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',` - type courier_pop_t, courier_pop_exec_t; - ') - + type courier_pop_t, courier_pop_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) + domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) ') - + ######################################## ## -## Read courier config files. @@ -19257,14 +19257,14 @@ index 10f820fc7..acdb179e8 100644 ## ## @@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',` - type courier_spool_t; - ') - + type courier_spool_t; + ') + - files_search_var($1) + files_search_spool($1) - manage_dirs_pattern($1, courier_spool_t, courier_spool_t) + manage_dirs_pattern($1, courier_spool_t, courier_spool_t) ') - + @@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',` ## Create, read, write, and delete courier ## spool files. @@ -19275,23 +19275,23 @@ index 10f820fc7..acdb179e8 100644 ## Domain allowed access. ## @@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',` - type courier_spool_t; - ') - + type courier_spool_t; + ') + - files_search_var($1) + files_search_spool($1) - manage_files_pattern($1, courier_spool_t, courier_spool_t) + manage_files_pattern($1, courier_spool_t, courier_spool_t) ') - + 
@@ -166,13 +175,13 @@ interface(`courier_read_spool',` - type courier_spool_t; - ') - + type courier_spool_t; + ') + - files_search_var($1) + files_search_spool($1) - read_files_pattern($1, courier_spool_t, courier_spool_t) + read_files_pattern($1, courier_spool_t, courier_spool_t) ') - + ######################################## ## -## Read and write courier spool pipes. @@ -19300,11 +19300,11 @@ index 10f820fc7..acdb179e8 100644 ## ## @@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',` - type courier_spool_t; - ') - + type courier_spool_t; + ') + - files_search_var($1) - allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; + allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; ') diff --git a/courier.te b/courier.te index ae3bc70e9..d64452f77 100644 @@ -19312,17 +19312,17 @@ index ae3bc70e9..d64452f77 100644 +++ b/courier.te @@ -18,7 +18,7 @@ type courier_etc_t; files_config_file(courier_etc_t) - + type courier_spool_t; -files_type(courier_spool_t) +files_spool_file(courier_spool_t) - + type courier_var_lib_t; files_type(courier_var_lib_t) @@ -34,7 +34,7 @@ mta_agent_executable(courier_exec_t) # Common local policy # - + -allow courier_domain self:capability dac_override; +allow courier_domain self:capability { dac_read_search dac_override }; dontaudit courier_domain self:capability sys_tty_config; @@ -19330,70 +19330,70 @@ index ae3bc70e9..d64452f77 100644 allow courier_domain self:fifo_file rw_fifo_file_perms; @@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t) files_pid_filetrans(courier_domain, courier_var_run_t, dir) - + kernel_read_kernel_sysctls(courier_domain) -kernel_read_system_state(courier_domain) - + corecmd_exec_bin(courier_domain) - + 
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain) - + domain_use_interactive_fds(courier_domain) - + -files_read_etc_files(courier_domain) files_read_etc_runtime_files(courier_domain) -files_read_usr_files(courier_domain) - + fs_getattr_xattr_fs(courier_domain) fs_search_auto_mountpoints(courier_domain) - + -logging_send_syslog_msg(courier_domain) - sysnet_read_config(courier_domain) - + userdom_dontaudit_use_unpriv_user_fds(courier_domain) @@ -76,6 +71,10 @@ optional_policy(` - seutil_sigchld_newrole(courier_domain) + seutil_sigchld_newrole(courier_domain) ') - + +optional_policy(` + mysql_stream_connect(courier_domain) +') + optional_policy(` - udev_read_db(courier_domain) + udev_read_db(courier_domain) ') @@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) - + +manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) - + allow courier_authdaemon_t courier_tcpd_t:process sigchld; @@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) - + libs_read_lib_files(courier_authdaemon_t) - + -miscfiles_read_localization(courier_authdaemon_t) - + userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) - + @@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; - + allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; - + -allow courier_pop_t courier_var_lib_t:file { read write }; +allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; - + domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) - + 
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t) dev_read_rand(courier_tcpd_t) dev_read_urand(courier_tcpd_t) - + -miscfiles_read_localization(courier_tcpd_t) - + ######################################## # diff --git a/cpucontrol.te b/cpucontrol.te @@ -19403,34 +19403,34 @@ index af72c4e55..afab0367f 100644 @@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain) init_use_fds(cpucontrol_domain) init_use_script_ptys(cpucontrol_domain) - + -logging_send_syslog_msg(cpucontrol_domain) - userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain) - + optional_policy(` @@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms; read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t) - + -kernel_list_proc(cpucontrol_t) kernel_read_proc_symlinks(cpucontrol_t) - + dev_read_sysfs(cpucontrol_t) dev_rw_cpu_microcode(cpucontrol_t) - + +logging_send_syslog_msg(cpucontrol_t) + optional_policy(` - rhgb_use_ptys(cpucontrol_t) + rhgb_use_ptys(cpucontrol_t) ') @@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t) - + domain_read_all_domains_state(cpuspeed_t) - + -files_read_etc_files(cpuspeed_t) files_read_etc_runtime_files(cpuspeed_t) - + -miscfiles_read_localization(cpuspeed_t) +logging_send_syslog_msg(cpuspeed_t) diff --git a/cpufreqselector.te b/cpufreqselector.te @@ -19440,31 +19440,31 @@ index 6cedb8724..530e250e5 100644 
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t) # Local policy # - + -allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; +allow cpufreqselector_t self:capability sys_nice; allow cpufreqselector_t self:process getsched; allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; +allow cpufreqselector_t self:process getsched; - + kernel_read_system_state(cpufreqselector_t) - + -files_read_etc_files(cpufreqselector_t) -files_read_usr_files(cpufreqselector_t) - dev_rw_sysfs(cpufreqselector_t) - + -miscfiles_read_localization(cpufreqselector_t) - userdom_read_all_users_state(cpufreqselector_t) -userdom_dontaudit_search_user_home_dirs(cpufreqselector_t) +userdom_dontaudit_search_admin_dir(cpufreqselector_t) - + optional_policy(` - dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) + dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) @@ -51,3 +47,7 @@ optional_policy(` - policykit_read_lib(cpufreqselector_t) - policykit_read_reload(cpufreqselector_t) + policykit_read_lib(cpufreqselector_t) + policykit_read_reload(cpufreqselector_t) ') + +optional_policy(` @@ -19558,22 +19558,22 @@ index ad0bae948..615a947aa 100644 
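Review bot: The new side of cpufreqselector.te ends up with `allow cpufreqselector_t self:process getsched;` twice — once as the unchanged context line after the capability rule and once as the inner-diff addition after the fifo_file rule. checkpolicy merges duplicate rules, so this is harmless, but the repeated line reads like a merge leftover and the added copy should be dropped. The enclosing local-policy section continues outside the hunk.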
@@ -1,66 +1,77 @@ -/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) +/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0) - + -/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) +/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) +/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0) - + -/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) -/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) +/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) +/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0) - + -/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) -/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) +/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) +/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) - + -/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) -/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) -/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) 
@@ -19581,19 +19581,19 @@ index ad0bae948..615a947aa 100644 -/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) +/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) +/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) - + -/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) +/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0) +/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0) +/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) +/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) +/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) - + -/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) -/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) +/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) - + -/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -19608,25 +19608,25 @@ index ad0bae948..615a947aa 100644 +/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) +/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0) - + -/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) -/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) -/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0) +/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) +/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) - + -/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) -#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -/var/spool/cron/[^/]* -- <> +/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) +#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +/var/spool/cron/[^/]* -- <> - + -/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron/crontabs/.* -- <> #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) - + -/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) -/var/spool/fcron/.* <> +/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0) @@ -19648,7 +19648,7 @@ index ad0bae948..615a947aa 100644 +/var/spool/cron/lastrun/[^/]* -- <> +/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) +') - + ifdef(`distro_debian',` -/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0) 
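Review bot: The `/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)` entry uses `.*`, which in file_contexts regexes also matches `/`, so any regular file anywhere below /var/run whose path contains `cron` matches this entry, including files in other services' runtime directories. If only the top-level pid files of the cron daemons are meant, `/var/run/[^/]*cron[^/]* -- gen_context(system_u:object_r:crond_var_run_t,s0)` expresses that without reaching into subdirectories. I cannot tell from the collapsed lines whether this entry is new in this commit or pre-existing content of the embedded patch.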
@@ -19658,13 +19658,13 @@ index ad0bae948..615a947aa 100644 -/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0) ') - + ifdef(`distro_gentoo',` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> ') - + -ifdef(`distro_suse',` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) +ifdef(`distro_suse', ` @@ -19678,7 +19678,7 @@ index 1303b3036..f5bd4aee8 100644 --- a/cron.if +++ b/cron.if @@ -2,11 +2,12 @@ - + ####################################### ## -## The template to define a crontab domain. @@ -19694,20 +19694,20 @@ index 1303b3036..f5bd4aee8 100644 ## # @@ -36,22 +37,29 @@ template(`cron_common_crontab_template',` - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) - + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { dir file }) + + kernel_read_system_state($1_t) + - auth_domtrans_chk_passwd($1_t) - auth_use_nsswitch($1_t) + auth_domtrans_chk_passwd($1_t) + auth_use_nsswitch($1_t) + + logging_send_syslog_msg($1_t) + + userdom_home_reader($1_t) + ') - + ######################################## ## -## Role access for cron. @@ -19727,13 +19727,13 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -60,56 +68,66 @@ interface(`cron_role',` - gen_require(` - type cronjob_t, crontab_t, crontab_exec_t; - type user_cron_spool_t, crond_t; + gen_require(` + type cronjob_t, crontab_t, crontab_exec_t; + type user_cron_spool_t, crond_t; - bool cron_userdomain_transition; + bool cron_userdomain_transition; - ') - + ') + - ############################## - # - # Declarations 
@@ -19742,9 +19742,9 @@ index 1303b3036..f5bd4aee8 100644 + # + # Declarations + # - - role $1 types { cronjob_t crontab_t }; - + + role $1 types { cronjob_t crontab_t }; + - ############################## - # - # Local policy @@ -19753,21 +19753,21 @@ index 1303b3036..f5bd4aee8 100644 + # + # Local policy + # - + + # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - + domtrans_pattern($2, crontab_exec_t, crontab_t) + + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + allow $2 crond_t:process sigchld; + - allow $2 user_cron_spool_t:file { getattr read write ioctl }; + allow $2 user_cron_spool_t:file { getattr read write ioctl }; - + - allow $2 crontab_t:process { ptrace signal_perms }; + # crontab shows up in user ps + allow $2 crontab_t:process signal_perms; - ps_process_pattern($2, crontab_t) - + ps_process_pattern($2, crontab_t) + + tunable_policy(`deny_ptrace',`',` + allow $2 crontab_t:process ptrace; + ') @@ -19775,9 +19775,9 @@ index 1303b3036..f5bd4aee8 100644 + # Run helper programs as the user domain + #corecmd_bin_domtrans(crontab_t, $2) + #corecmd_shell_domtrans(crontab_t, $2) - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) - + corecmd_exec_bin(crontab_t) + corecmd_exec_shell(crontab_t) + - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; 
@@ -19786,15 +19786,15 @@ index 1303b3036..f5bd4aee8 100644 + allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; - + - allow $2 user_cron_spool_t:file entrypoint; + # needs to be authorized SELinux context for cron + allow $2 user_cron_spool_t:file entrypoint; + allow $2 crond_t:fifo_file rw_fifo_file_perms; - + - allow $2 crond_t:fifo_file rw_fifo_file_perms; + allow $2 cronjob_t:process { signal_perms }; - + - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) - ',` @@ -19806,28 +19806,28 @@ index 1303b3036..f5bd4aee8 100644 + dontaudit crond_t $2:process transition; + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; - + - dontaudit $2 user_cron_spool_t:file entrypoint; + dontaudit $2 user_cron_spool_t:file entrypoint; - + - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; + dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - + - dontaudit $2 cronjob_t:process { ptrace signal_perms }; - ') + dontaudit $2 cronjob_t:process { signal_perms }; + ') - - optional_policy(` - gen_require(` + + optional_policy(` + gen_require(` @@ -119,78 +137,75 @@ interface(`cron_role',` - dbus_stub(cronjob_t) - - allow cronjob_t $2:dbus send_msg; + dbus_stub(cronjob_t) + + allow cronjob_t $2:dbus send_msg; - ') -+ ') ++ ') ') - + ######################################## ## -## Role access for unconfined cron. @@ -19848,14 +19848,14 @@ index 1303b3036..f5bd4aee8 100644 +## # interface(`cron_unconfined_role',` - gen_require(` - type unconfined_cronjob_t, crontab_t, crontab_exec_t; + gen_require(` + type unconfined_cronjob_t, crontab_t, crontab_exec_t; - type crond_t, user_cron_spool_t; - bool cron_userdomain_transition; + type crond_t, user_cron_spool_t; + bool cron_userdomain_transition; - ') - + ') + - ############################## - # - # Declarations 
@@ -19873,27 +19873,27 @@ index 1303b3036..f5bd4aee8 100644 + # + # Declarations + # -+ ++ + role $1 types unconfined_cronjob_t; - + - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; + ############################## + # + # Local policy + # - + - allow $2 user_cron_spool_t:file { getattr read write ioctl }; + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - + - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) + allow $2 crond_t:process sigchld; - + - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) + allow $2 user_cron_spool_t:file { getattr read write ioctl }; - + - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; @@ -19901,18 +19901,18 @@ index 1303b3036..f5bd4aee8 100644 + # cronjob shows up in user ps + ps_process_pattern($2, unconfined_cronjob_t) + allow $2 unconfined_cronjob_t:process signal_perms; - + - allow $2 user_cron_spool_t:file entrypoint; + tunable_policy(`deny_ptrace',`',` + allow $2 unconfined_cronjob_t:process ptrace; + ') - + - allow $2 crond_t:fifo_file rw_fifo_file_perms; + tunable_policy(`cron_userdomain_transition',` + allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; - + - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, unconfined_cronjob_t) - ',` 
@@ -19920,33 +19920,33 @@ index 1303b3036..f5bd4aee8 100644 - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; + allow $2 user_cron_spool_t:file entrypoint; - + - dontaudit $2 user_cron_spool_t:file entrypoint; + allow $2 crond_t:fifo_file rw_fifo_file_perms; + ',` + dontaudit crond_t $2:process transition; + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; - + - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; + dontaudit $2 user_cron_spool_t:file entrypoint; - + - dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms }; -') + dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; + ') - - optional_policy(` - gen_require(` + + optional_policy(` + gen_require(` @@ -198,55 +213,60 @@ interface(`cron_unconfined_role',` - ') - - dbus_stub(unconfined_cronjob_t) + ') + + dbus_stub(unconfined_cronjob_t) - - allow unconfined_cronjob_t $2:dbus send_msg; - ') + allow unconfined_cronjob_t $2:dbus send_msg; + ') ') - + ######################################## ## -## Role access for admin cron. @@ -19967,16 +19967,16 @@ index 1303b3036..f5bd4aee8 100644 +## # interface(`cron_admin_role',` - gen_require(` + gen_require(` - type cronjob_t, crontab_exec_t, admin_crontab_t; + type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t; + type user_cron_spool_t, crond_t; - class passwd crontab; + class passwd crontab; - type crond_t, user_cron_spool_t; - bool cron_userdomain_transition; + bool cron_userdomain_transition; - ') - + ') + - ############################## - # - # Declarations @@ -19985,10 +19985,10 @@ index 1303b3036..f5bd4aee8 100644 + # + # Declarations + # - + - role $1 types { cronjob_t admin_crontab_t }; + role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t }; - + - ############################## - # - # Local policy 
@@ -19997,31 +19997,31 @@ index 1303b3036..f5bd4aee8 100644 + # + # Local policy + # - + + # Transition from the user domain to the derived domain. - domtrans_pattern($2, crontab_exec_t, admin_crontab_t) - - dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crond_t:process sigchld; - + - allow $2 user_cron_spool_t:file { getattr read write ioctl }; + allow $2 crond_t:process sigchld; - + - allow $2 admin_crontab_t:process { ptrace signal_perms }; + # crontab shows up in user ps - ps_process_pattern($2, admin_crontab_t) + ps_process_pattern($2, admin_crontab_t) + allow $2 admin_crontab_t:process signal_perms; + + tunable_policy(`deny_ptrace',`',` + allow $2 admin_crontab_t:process ptrace; + ') - - # Manipulate other users crontab. - allow $2 self:passwd crontab; + + # Manipulate other users crontab. + allow $2 self:passwd crontab; @@ -254,28 +274,26 @@ interface(`cron_admin_role',` - corecmd_exec_bin(admin_crontab_t) - corecmd_exec_shell(admin_crontab_t) - + corecmd_exec_bin(admin_crontab_t) + corecmd_exec_shell(admin_crontab_t) + - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; @@ -20030,13 +20030,13 @@ index 1303b3036..f5bd4aee8 100644 + allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; - + - allow $2 user_cron_spool_t:file entrypoint; + allow $2 user_cron_spool_t:file entrypoint; - + - allow $2 crond_t:fifo_file rw_fifo_file_perms; + allow $2 crond_t:fifo_file rw_fifo_file_perms; - + - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) - ',` 
@@ -20049,7 +20049,7 @@ index 1303b3036..f5bd4aee8 100644 + dontaudit crond_t $2:process transition; + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; - + - dontaudit $2 user_cron_spool_t:file entrypoint; - - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; @@ -20060,17 +20060,17 @@ index 1303b3036..f5bd4aee8 100644 + dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; + dontaudit $2 cronjob_t:process { signal_perms }; + ') - - optional_policy(` - gen_require(` + + optional_policy(` + gen_require(` @@ -285,13 +303,13 @@ interface(`cron_admin_role',` - dbus_stub(admin_cronjob_t) - - allow cronjob_t $2:dbus send_msg; + dbus_stub(admin_cronjob_t) + + allow cronjob_t $2:dbus send_msg; - ') -+ ') ++ ') ') - + ######################################## ## -## Make the specified program domain @@ -20082,48 +20082,48 @@ index 1303b3036..f5bd4aee8 100644 ## @@ -307,15 +325,15 @@ interface(`cron_admin_role',` interface(`cron_system_entry',` - gen_require(` - type crond_t, system_cronjob_t; + gen_require(` + type crond_t, system_cronjob_t; - type user_cron_spool_log_t; - ') - + ') + - rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t) - - domtrans_pattern(system_cronjob_t, $2, $1) - domtrans_pattern(crond_t, $2, $1) - - role system_r types $1; + domtrans_pattern(system_cronjob_t, $2, $1) + domtrans_pattern(crond_t, $2, $1) + + role system_r types $1; + + allow $1 crond_t:fifo_file rw_fifo_file_perms; + allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; ') - + ######################################## 
@@ -333,13 +351,12 @@ interface(`cron_domtrans',` - type system_cronjob_t, crond_exec_t; - ') - + type system_cronjob_t, crond_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, crond_exec_t, system_cronjob_t) + domtrans_pattern($1, crond_exec_t, system_cronjob_t) ') - + ######################################## ## --## Execute crond in the caller domain. -+## Execute crond_exec_t +-## Execute crond in the caller domain. ++## Execute crond_exec_t ## ## ## @@ -352,7 +369,6 @@ interface(`cron_exec',` - type crond_exec_t; - ') - + type crond_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, crond_exec_t) + can_exec($1, crond_exec_t) ') - + @@ -376,7 +392,32 @@ interface(`cron_initrc_domtrans',` - + ######################################## ## -## Use crond file descriptors. @@ -20157,7 +20157,7 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -394,7 +435,7 @@ interface(`cron_use_fds',` - + ######################################## ## -## Send child terminated signals to crond. @@ -20166,7 +20166,7 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -412,7 +453,7 @@ interface(`cron_sigchld',` - + ######################################## ## -## Set the attributes of cron log files. @@ -20180,15 +20180,15 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_setattr_log_files',` +interface(`cron_signal',` - gen_require(` + gen_require(` - type cron_log_t; + type crond_t; - ') - + ') + - allow $1 cron_log_t:file setattr_file_perms; + allow $1 crond_t:process signal; ') - + ######################################## ## -## Create cron log files. @@ -20202,15 +20202,15 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_create_log_files',` +interface(`cron_read_pipes',` - gen_require(` + gen_require(` - type cron_log_t; + type crond_t; - ') - + ') + - create_files_pattern($1, cron_log_t, cron_log_t) + allow $1 crond_t:fifo_file read_fifo_file_perms; ') - + ######################################## ## -## Write to cron log files. 
@@ -20224,16 +20224,16 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_write_log_files',` +interface(`cron_read_state_crond',` - gen_require(` + gen_require(` - type cron_log_t; + type crond_t; - ') - + ') + - allow $1 cron_log_t:file write_file_perms; + kernel_search_proc($1) + ps_process_pattern($1, crond_t) ') - + + ######################################## ## @@ -20250,19 +20250,19 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_manage_log_files',` +interface(`cron_dbus_chat_crond',` - gen_require(` + gen_require(` - type cron_log_t; + type crond_t; + class dbus send_msg; - ') - + ') + - manage_files_pattern($1, cron_log_t, cron_log_t) - - logging_search_logs($1) + allow $1 crond_t:dbus send_msg; + allow crond_t $1:dbus send_msg; ') - + ######################################## ## -## Create specified objects in generic @@ -20288,15 +20288,15 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_generic_log_filetrans_log',` +interface(`cron_dontaudit_write_pipes',` - gen_require(` + gen_require(` - type cron_log_t; + type crond_t; - ') - + ') + - logging_log_filetrans($1, cron_log_t, $2, $3) + dontaudit $1 crond_t:fifo_file write; ') - + ######################################## ## -## Read cron daemon unnamed pipes. @@ -20310,14 +20310,14 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_read_pipes',` +interface(`cron_rw_pipes',` - gen_require(` - type crond_t; - ') - + gen_require(` + type crond_t; + ') + - allow $1 crond_t:fifo_file read_fifo_file_perms; + allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## ## -## Do not audit attempts to write 
@@ -20332,14 +20332,14 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_dontaudit_write_pipes',` +interface(`cron_dontaudit_setattr_pipes',` - gen_require(` - type crond_t; - ') - + gen_require(` + type crond_t; + ') + - dontaudit $1 crond_t:fifo_file write; + dontaudit $1 crond_t:fifo_file setattr; ') - + ######################################## ## -## Read and write crond unnamed pipes. @@ -20353,15 +20353,15 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_rw_pipes',` +interface(`cron_rw_inherited_user_spool_files',` - gen_require(` + gen_require(` - type crond_t; + type user_cron_spool_t; - ') - + ') + - allow $1 crond_t:fifo_file rw_fifo_file_perms; + allow $1 user_cron_spool_t:file rw_inherited_file_perms; ') - + ######################################## ## -## Read and write crond TCP sockets. @@ -20388,7 +20388,7 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -589,8 +638,7 @@ interface(`cron_rw_tcp_sockets',` - + ######################################## ## -## Do not audit attempts to read and @@ -20398,7 +20398,7 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -608,7 +656,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',` - + ######################################## ## -## Search cron spool directories. @@ -20407,7 +20407,7 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -627,8 +675,7 @@ interface(`cron_search_spool',` - + ######################################## ## -## Create, read, write, and delete @@ -20422,16 +20422,16 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_manage_pid_files',` +interface(`cron_manage_system_spool',` - gen_require(` + gen_require(` - type crond_var_run_t; + type cron_system_spool_t; - ') - + ') + - manage_files_pattern($1, crond_var_run_t, crond_var_run_t) + files_search_spool($1) + manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) ') - + ######################################## ## -## Execute anacron in the cron 
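Review bot: The new-side `cron_manage_system_spool` interface requires `type cron_system_spool_t;` and passes that name to `manage_files_pattern`, but the only system spool type declared in the cron.te hunks later in this diff is `system_cron_spool_t` (`type system_cron_spool_t, cron_spool_type;`). Unless `cron_system_spool_t` is declared somewhere not shown here, every module that calls this interface will fail to build on an undeclared type, so the interface is effectively unusable as written. If the declared type is the intended one, the two lines become `type system_cron_spool_t;` and `manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)`. The rows around this interface look like the whitespace-only regeneration seen elsewhere in the diff, so this most likely predates the commit rather than being introduced by it.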
@@ -20447,17 +20447,17 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_anacron_domtrans_system_job',` +interface(`cron_manage_pid_files',` - gen_require(` + gen_require(` - type system_cronjob_t, anacron_exec_t; + type crond_var_run_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, anacron_exec_t, system_cronjob_t) + files_search_pids($1) + manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') - + ######################################## ## -## Use system cron job file descriptors. @@ -20471,16 +20471,16 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_use_system_job_fds',` +interface(`cron_read_pid_files',` - gen_require(` + gen_require(` - type system_cronjob_t; + type crond_var_run_t; - ') - + ') + - allow $1 system_cronjob_t:fd use; + files_search_pids($1) + read_files_pattern($1, crond_var_run_t, crond_var_run_t) ') - + ######################################## ## -## Read system cron job lib files. @@ -20495,16 +20495,16 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_read_system_job_lib_files',` +interface(`cron_anacron_domtrans_system_job',` - gen_require(` + gen_require(` - type system_cronjob_var_lib_t; + type system_cronjob_t, anacron_exec_t; - ') - + ') + - files_search_var_lib($1) - read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) + domtrans_pattern($1, anacron_exec_t, system_cronjob_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -20520,16 +20520,16 @@ index 1303b3036..f5bd4aee8 100644 # -interface(`cron_manage_system_job_lib_files',` +interface(`cron_use_system_job_fds',` - gen_require(` + gen_require(` - type system_cronjob_var_lib_t; + type system_cronjob_t; - ') - + ') + - files_search_var_lib($1) - manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) + allow $1 system_cronjob_t:fd use; ') - + ######################################## ## -## Write system cron job unnamed pipes. 
@@ -20538,13 +20538,13 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -736,13 +782,12 @@ interface(`cron_write_system_job_pipes',` - type system_cronjob_t; - ') - + type system_cronjob_t; + ') + - allow $1 system_cronjob_t:file write; + allow $1 system_cronjob_t:fifo_file write; ') - + ######################################## ## -## Read and write system cron job @@ -20554,13 +20554,13 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -755,13 +800,12 @@ interface(`cron_rw_system_job_pipes',` - type system_cronjob_t; - ') - + type system_cronjob_t; + ') + - allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms; + allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## ## -## Read and write inherited system cron @@ -20570,7 +20570,7 @@ index 1303b3036..f5bd4aee8 100644 ## ## @@ -779,7 +823,7 @@ interface(`cron_rw_system_job_stream_sockets',` - + ######################################## ## -## Read system cron job temporary files. @@ -20581,18 +20581,18 @@ index 1303b3036..f5bd4aee8 100644 @@ -789,17 +833,20 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` - gen_require(` + gen_require(` - type system_cronjob_tmp_t; + type system_cronjob_tmp_t, cron_var_run_t; - ') - - files_search_tmp($1) - allow $1 system_cronjob_tmp_t:file read_file_perms; + ') + + files_search_tmp($1) + allow $1 system_cronjob_tmp_t:file read_file_perms; + + files_search_pids($1) + allow $1 cron_var_run_t:file read_file_perms; ') - + ######################################## ## ## Do not audit attempts to append temporary @@ -20612,12 +20612,12 @@ index 1303b3036..f5bd4aee8 100644 ## 
@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` - gen_require(` - type system_cronjob_tmp_t; + gen_require(` + type system_cronjob_tmp_t; + type cron_var_run_t; - ') - - dontaudit $1 system_cronjob_tmp_t:file write_file_perms; + ') + + dontaudit $1 system_cronjob_tmp_t:file write_file_perms; + dontaudit $1 cron_var_run_t:file write_file_perms; +') + @@ -20742,7 +20742,7 @@ index 7de385956..b9b2c8f7f 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` - + ## ##

      -## Determine whether system cron jobs @@ -20753,7 +20753,7 @@ index 7de385956..b9b2c8f7f 100644 ##

      ##
      gen_tunable(cron_can_relabel, false) - + ## -##

      -## Determine whether crond can execute jobs @@ -20776,7 +20776,7 @@ index 7de385956..b9b2c8f7f 100644 ## -gen_tunable(cron_userdomain_transition, false) +gen_tunable(cron_system_cronjob_use_shares, false) - + ## ##

      -## Determine whether extra rules @@ -20786,34 +20786,34 @@ index 7de385956..b9b2c8f7f 100644 ##

      ##
      gen_tunable(fcron_crond, false) - + -attribute cron_spool_type; attribute crontab_domain; +attribute cron_spool_type; - + type anacron_exec_t; application_executable_file(anacron_exec_t) - + type cron_spool_t; -files_type(cron_spool_t) -mta_system_content(cron_spool_t) +files_spool_file(cron_spool_t) - + +# var/lib files type cron_var_lib_t; files_type(cron_var_lib_t) - + type cron_var_run_t; files_pid_file(cron_var_run_t) - + +# var/log files type cron_log_t; logging_log_file(cron_log_t) - + @@ -71,6 +79,9 @@ domain_cron_exemption_source(crond_t) type crond_initrc_exec_t; init_script_file(crond_initrc_exec_t) - + +type crond_unit_file_t; +systemd_unit_file(crond_unit_file_t) + @@ -20825,12 +20825,12 @@ index 7de385956..b9b2c8f7f 100644 typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; +allow admin_crontab_t crond_t:process signal; - + type system_cron_spool_t, cron_spool_type; -files_type(system_cron_spool_t) -mta_system_content(system_cron_spool_t) +files_spool_file(system_cron_spool_t) - + type system_cronjob_t alias system_crond_t; init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) @@ -20838,13 +20838,13 @@ index 7de385956..b9b2c8f7f 100644 +corecmd_bin_entry_type(system_cronjob_t) +role system_r types system_cronjob_t; +domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) - + type system_cronjob_lock_t alias system_crond_lock_t; files_lock_file(system_cronjob_lock_t) @@ -108,94 +121,34 @@ files_lock_file(system_cronjob_lock_t) type system_cronjob_tmp_t alias system_crond_tmp_t; files_tmp_file(system_cronjob_tmp_t) - + -type system_cronjob_var_lib_t; -files_type(system_cronjob_var_lib_t) - 
@@ -20859,7 +20859,7 @@ index 7de385956..b9b2c8f7f 100644 +files_spool_file(user_cron_spool_t) ubac_constrained(user_cron_spool_t) mta_system_content(user_cron_spool_t) - + -type user_cron_spool_log_t; -logging_log_file(user_cron_spool_log_t) -ubac_constrained(user_cron_spool_log_t) @@ -20870,11 +20870,11 @@ index 7de385956..b9b2c8f7f 100644 + +type system_cronjob_var_run_t; +files_pid_file(system_cronjob_var_run_t) - + ifdef(`enable_mcs',` - init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh) ') - + -############################## -# -# Common crontab local policy @@ -20938,31 +20938,31 @@ index 7de385956..b9b2c8f7f 100644 -# Admin local policy +# Admin crontab local policy # - + -allow admin_crontab_t self:capability fsetid; -allow admin_crontab_t crond_t:process signal; +# Allow our crontab domain to unlink a user cron spool file. +allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms }; - + +# Manipulate other users crontab. selinux_get_fs_mount(admin_crontab_t) selinux_validate_context(admin_crontab_t) selinux_compute_access_vector(admin_crontab_t) @@ -204,22 +157,26 @@ selinux_compute_relabel_context(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t) - + tunable_policy(`fcron_crond',` + # fcron wants an instant update of a crontab change for the administrator + # also crontab does a security check for crontab -u - allow admin_crontab_t self:process setfscreate; + allow admin_crontab_t self:process setfscreate; ') - + ######################################## # -# Daemon local policy +# Cron daemon local policy # - + allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; -dontaudit crond_t self:capability { sys_resource sys_tty_config }; +dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config }; @@ -20981,22 +20981,22 @@ index 7de385956..b9b2c8f7f 100644 
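Review bot: `dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };` adds `net_admin` to the silenced set without a comment saying which operation in crond trips it. A dontaudit on a capability suppresses every future denial of that capability for the domain, so the trigger should be recorded next to the rule, e.g. `# net_admin: <triggering call — TODO confirm it is benign before silencing>`, and if the trigger is not known the safer default is to leave it auditable until it is. The inner cron.te hunk that contains this rule starts in this row but its surrounding section continues on the next line.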
@@ -227,7 +184,7 @@ allow crond_t self:msg { send receive }; allow crond_t self:key { search write link }; dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit; - + -allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(crond_t, cron_log_t, cron_log_t) logging_log_filetrans(crond_t, cron_log_t, file) - + manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) @@ -237,73 +194,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) - + manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) -files_tmp_filetrans(crond_t, crond_tmp_t, { dir file }) +files_tmp_filetrans(crond_t, crond_tmp_t, { file dir }) - + list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t) - + -rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -21005,7 +21005,7 @@ index 7de385956..b9b2c8f7f 100644 +kernel_read_kernel_sysctls(crond_t) +kernel_read_fs_sysctls(crond_t) +kernel_search_key(crond_t) - + -allow crond_t system_cronjob_t:process transition; -allow crond_t system_cronjob_t:fd use; -allow crond_t system_cronjob_t:key manage_key_perms; 
@@ -21016,22 +21016,22 @@ index 7de385956..b9b2c8f7f 100644 +selinux_compute_create_context(crond_t) +selinux_compute_relabel_context(crond_t) +selinux_compute_user_contexts(crond_t) - + -dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh }; +dev_read_urand(crond_t) - + -domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t) +fs_getattr_all_fs(crond_t) +fs_search_auto_mountpoints(crond_t) +fs_list_inotifyfs(crond_t) - + -kernel_read_kernel_sysctls(crond_t) -kernel_read_fs_sysctls(crond_t) -kernel_search_key(crond_t) +# need auth_chkpwd to check for locked accounts. +auth_domtrans_chk_passwd(crond_t) +auth_manage_var_auth(crond_t) - + corecmd_exec_shell(crond_t) -corecmd_exec_bin(crond_t) corecmd_list_bin(crond_t) @@ -21040,11 +21040,11 @@ index 7de385956..b9b2c8f7f 100644 -dev_read_urand(crond_t) +corecmd_exec_bin(crond_t) +corecmd_read_bin_symlinks(crond_t) - + domain_use_interactive_fds(crond_t) domain_subj_id_change_exemption(crond_t) domain_role_change_exemption(crond_t) - + -fs_getattr_all_fs(crond_t) -fs_list_inotifyfs(crond_t) -fs_manage_cgroup_dirs(crond_t) @@ -21059,7 +21059,7 @@ index 7de385956..b9b2c8f7f 100644 files_search_var_lib(crond_t) files_search_default(crond_t) files_read_all_locks(crond_t) - + -mls_fd_share_all_levels(crond_t) +fs_manage_cgroup_dirs(crond_t) +fs_manage_cgroup_files(crond_t) @@ -21071,7 +21071,7 @@ index 7de385956..b9b2c8f7f 100644 +# needed because of kernel check of transition mls_process_set_level(crond_t) -mls_trusted_object(crond_t) - + -selinux_get_fs_mount(crond_t) -selinux_validate_context(crond_t) -selinux_compute_access_vector(crond_t) 
@@ -21081,30 +21081,30 @@ index 7de385956..b9b2c8f7f 100644 +# to make cronjob working +mls_fd_share_all_levels(crond_t) +mls_trusted_object(crond_t) - + init_read_state(crond_t) init_rw_utmp(crond_t) init_spec_domtrans_script(crond_t) - + -auth_domtrans_chk_passwd(crond_t) -auth_manage_var_auth(crond_t) auth_use_nsswitch(crond_t) - + logging_send_audit_msgs(crond_t) @@ -312,41 +264,46 @@ logging_set_loginuid(crond_t) - + seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) +seutil_sigchld_newrole(crond_t) - + -miscfiles_read_localization(crond_t) - + +userdom_use_unpriv_users_fds(crond_t) +# Not sure why this is needed userdom_list_user_home_dirs(crond_t) +userdom_list_admin_dir(crond_t) +userdom_manage_all_users_keys(crond_t) - + -tunable_policy(`cron_userdomain_transition',` - dontaudit crond_t cronjob_t:process transition; - dontaudit crond_t cronjob_t:fd use; @@ -21116,11 +21116,11 @@ index 7de385956..b9b2c8f7f 100644 -') +mta_send_mail(crond_t) +mta_system_content(cron_spool_t) - + ifdef(`distro_debian',` + # pam_limits is used - allow crond_t self:process setrlimit; - + allow crond_t self:process setrlimit; + - optional_policy(` - logwatch_search_cache_dir(crond_t) - ') @@ -21133,30 +21133,30 @@ index 7de385956..b9b2c8f7f 100644 +optional_policy(` + bind_read_config(crond_t) ') - + ifdef(`distro_redhat',` + # Run the rpm program in the rpm_t domain. Allow creation of RPM log files + # via redirection of standard out. - optional_policy(` - rpm_manage_log(crond_t) - ') + optional_policy(` + rpm_manage_log(crond_t) + ') ') - + -tunable_policy(`allow_polyinstantiation',` +tunable_policy(`polyinstantiation_enabled',` - files_polyinstantiate_all(crond_t) + files_polyinstantiate_all(crond_t) ') - + -tunable_policy(`fcron_crond',` - allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms; +tunable_policy(`fcron_crond', ` + allow crond_t system_cron_spool_t:file manage_file_perms; ') - + optional_policy(` 
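Review bot: `# Not sure why this is needed` above `userdom_list_user_home_dirs(crond_t)` is a placeholder rather than a rationale, and the adjacent `userdom_manage_all_users_keys(crond_t)` — by its name, manage rights over every user's keys — carries no comment at all. Broad grants on the daemon domain are exactly the rules a later auditor needs a reason for, so each should name the operation it serves or a tracker reference, e.g. `# crond lists home dirs for <reason — TODO confirm>` and `# per-user keyrings are set up for jobs (see manage_key_perms in cron_role) — TODO confirm`. The `cron_role` interface hunk earlier in this diff (`allow crond_t $2:key manage_key_perms;`) is the visible consumer that would justify the keys rule, if that is indeed the reason.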
@@ -354,103 +311,141 @@ optional_policy(` ') - + optional_policy(` - dbus_system_bus_client(crond_t) - @@ -21170,13 +21170,13 @@ index 7de385956..b9b2c8f7f 100644 + djbdns_search_tinydns_keys(crond_t) + djbdns_link_tinydns_keys(crond_t) ') - + optional_policy(` - amanda_search_var_lib(crond_t) + locallogin_search_keys(crond_t) + locallogin_link_keys(crond_t) ') - + optional_policy(` - amavis_search_lib(crond_t) + # these should probably be unconfined_crond_t @@ -21184,18 +21184,18 @@ index 7de385956..b9b2c8f7f 100644 + init_dbus_send_script(crond_t) + init_dbus_chat(crond_t) ') - + optional_policy(` - djbdns_search_tinydns_keys(crond_t) - djbdns_link_tinydns_keys(crond_t) + amanda_search_var_lib(crond_t) ') - + optional_policy(` - hal_write_log(crond_t) + antivirus_search_db(crond_t) ') - + optional_policy(` - locallogin_search_keys(crond_t) - locallogin_link_keys(crond_t) 
@@ -21203,78 +21203,78 @@ index 7de385956..b9b2c8f7f 100644 + hal_write_log(crond_t) + hal_dbus_chat(system_cronjob_t) ') - + optional_policy(` - mta_send_mail(crond_t) + # cjp: why? + munin_search_lib(crond_t) ') - + optional_policy(` - munin_search_lib(crond_t) + rpc_search_nfs_state_data(crond_t) ') - + optional_policy(` - postgresql_search_db(crond_t) + # Commonly used from postinst scripts + rpm_read_pipes(crond_t) ') - + optional_policy(` - rpc_search_nfs_state_data(crond_t) + # allow crond to find /usr/lib/postgresql/bin/do.maintenance + postgresql_search_db(crond_t) ') - + optional_policy(` - rpm_read_pipes(crond_t) + systemd_use_fds_logind(crond_t) + systemd_write_inherited_logind_sessions_pipes(crond_t) ') - + optional_policy(` - seutil_sigchld_newrole(crond_t) + udev_read_db(crond_t) ') - + optional_policy(` - udev_read_db(crond_t) + vnstatd_search_lib(crond_t) ') - + ######################################## # -# System local policy +# System cron process domain # - + allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; + allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; - + -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +# This is to handle creation of files in /var/log directory. +# Used currently by rpm script log files +allow system_cronjob_t cron_log_t:file manage_file_perms; logging_log_filetrans(system_cronjob_t, cron_log_t, file) - + +# This is to handle /var/lib/misc directory. 
Used currently -+# by prelink var/lib files for cron ++# by prelink var/lib files for cron allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms }; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) - + allow system_cronjob_t cron_var_run_t:file manage_file_perms; files_pid_filetrans(system_cronjob_t, cron_var_run_t, file) - + +allow system_cronjob_t system_cron_spool_t:file read_file_perms; + +# anacron forces the following manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t) - + +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that @@ -21291,7 +21291,7 @@ index 7de385956..b9b2c8f7f 100644 +') + +# Permit a transition from the crond_t domain to this domain. -+# The transition is requested explicitly by the modified crond ++# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +allow crond_t system_cronjob_t:process transition; @@ -21305,7 +21305,7 @@ index 7de385956..b9b2c8f7f 100644 +# Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file) - + +# write temporary files +manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) 
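Review bot: `hal_dbus_chat(system_cronjob_t)` is placed inside a crond_t optional block on the previous line (`hal_write_log(crond_t)` followed by `hal_dbus_chat(system_cronjob_t)`), i.e. a system_cronjob_t rule living under the section headed `# Cron daemon local policy` rather than under `# System cron process domain` a few rows later. That makes the system cron job's D-Bus access easy to overlook when reviewing that domain's grants; moving the single line into its own `optional_policy` block in the system_cronjob_t section keeps each domain's rules together. The enclosing hunk begins on the previous line, so its opening rows are not visible here.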
@@ -21314,11 +21314,11 @@ index 7de385956..b9b2c8f7f 100644 -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) +filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file }) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file }) - + +# var/lib files for system_crond +files_search_var_lib(system_cronjob_t) manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) - + -allow system_cronjob_t crond_t:fd use; -allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms; -allow system_cronjob_t crond_t:process sigchld; @@ -21326,16 +21326,16 @@ index 7de385956..b9b2c8f7f 100644 +# Read from /var/spool/cron. allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; - + @@ -461,11 +456,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) - + +# ps does not need to access /boot when run from cron files_dontaudit_search_boot(system_cronjob_t) - + corecmd_exec_all_executables(system_cronjob_t) - + -corenet_all_recvfrom_unlabeled(system_cronjob_t) corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) @@ -21343,10 +21343,10 @@ index 7de385956..b9b2c8f7f 100644 @@ -485,6 +480,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) - + +# quiet other ps operations domain_dontaudit_read_all_domains_state(system_cronjob_t) - + files_exec_etc_files(system_cronjob_t) @@ -495,17 +491,22 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) 
@@ -21360,9 +21360,9 @@ index 7de385956..b9b2c8f7f 100644 +# /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) files_create_boot_flag(system_cronjob_t) - + mls_file_read_to_clearance(system_cronjob_t) - + init_domtrans_script(system_cronjob_t) -init_read_utmp(system_cronjob_t) init_use_script_fds(system_cronjob_t) @@ -21370,18 +21370,18 @@ index 7de385956..b9b2c8f7f 100644 +init_dontaudit_rw_utmp(system_cronjob_t) +# prelink tells init to restart it self, we either need to allow or dontaudit +init_telinit(system_cronjob_t) - + auth_use_nsswitch(system_cronjob_t) - + @@ -516,20 +517,28 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) - + -miscfiles_read_localization(system_cronjob_t) +miscfiles_filetrans_named_content_letsencrypt(system_cronjob_t) - + seutil_read_config(system_cronjob_t) - + +userdom_manage_tmpfs_files(system_cronjob_t, file) +userdom_tmpfs_filetrans(system_cronjob_t, file) + @@ -21390,29 +21390,29 @@ index 7de385956..b9b2c8f7f 100644 + allow crond_t system_cron_spool_t:file manage_file_perms; + + # via redirection of standard out. - optional_policy(` - rpm_manage_log(system_cronjob_t) - ') + optional_policy(` + rpm_manage_log(system_cronjob_t) + ') ') - + +selinux_get_fs_mount(system_cronjob_t) + tunable_policy(`cron_can_relabel',` - seutil_domtrans_setfiles(system_cronjob_t) + seutil_domtrans_setfiles(system_cronjob_t) ',` - selinux_get_fs_mount(system_cronjob_t) - selinux_validate_context(system_cronjob_t) - selinux_compute_access_vector(system_cronjob_t) - selinux_compute_create_context(system_cronjob_t) + selinux_validate_context(system_cronjob_t) + selinux_compute_access_vector(system_cronjob_t) + selinux_compute_create_context(system_cronjob_t) 
@@ -539,10 +548,26 @@ tunable_policy(`cron_can_relabel',` ') - + optional_policy(` + # Needed for certwatch - apache_exec_modules(system_cronjob_t) - apache_read_config(system_cronjob_t) - apache_read_log(system_cronjob_t) - apache_read_sys_content(system_cronjob_t) + apache_exec_modules(system_cronjob_t) + apache_read_config(system_cronjob_t) + apache_read_log(system_cronjob_t) + apache_read_sys_content(system_cronjob_t) + apache_manage_lib(system_cronjob_t) + apache_delete_cache_dirs(system_cronjob_t) + apache_delete_cache_files(system_cronjob_t) @@ -21429,41 +21429,41 @@ index 7de385956..b9b2c8f7f 100644 +optional_policy(` + chronyd_run_chronyc(system_cronjob_t,system_r) ') - + optional_policy(` @@ -551,10 +576,6 @@ optional_policy(` - + optional_policy(` - dbus_system_bus_client(system_cronjob_t) + dbus_system_bus_client(system_cronjob_t) - - optional_policy(` - networkmanager_dbus_chat(system_cronjob_t) - ') ') - + optional_policy(` @@ -566,6 +587,10 @@ optional_policy(` - exim_read_spool_files(system_cronjob_t) + exim_read_spool_files(system_cronjob_t) ') - + +optional_policy(` + firewalld_dbus_chat(system_cronjob_t) +') + optional_policy(` - ftp_read_log(system_cronjob_t) + ftp_read_log(system_cronjob_t) ') @@ -591,14 +616,39 @@ optional_policy(` optional_policy(` - mta_read_config(system_cronjob_t) - mta_send_mail(system_cronjob_t) + mta_read_config(system_cronjob_t) + mta_send_mail(system_cronjob_t) + mta_system_content(system_cron_spool_t) ') - + optional_policy(` - mysql_read_config(system_cronjob_t) + mysql_read_config(system_cronjob_t) ') - + +optional_policy(` + networkmanager_dbus_chat(system_cronjob_t) +') @@ -21473,8 +21473,8 @@ index 7de385956..b9b2c8f7f 100644 +') + optional_policy(` - postfix_read_config(system_cronjob_t) -+') + postfix_read_config(system_cronjob_t) ++') + +optional_policy(` + prelink_delete_cache(system_cronjob_t) 
@@ -21491,25 +21491,25 @@ index 7de385956..b9b2c8f7f 100644 +optional_policy(` + rhsmcertd_dbus_chat(system_cronjob_t) ') - + optional_policy(` @@ -606,8 +656,13 @@ optional_policy(` - samba_read_log(system_cronjob_t) + samba_read_log(system_cronjob_t) ') - + +optional_policy(` + snapper_dbus_chat(system_cronjob_t) +') + optional_policy(` - spamassassin_manage_lib_files(system_cronjob_t) + spamassassin_manage_lib_files(system_cronjob_t) + spamassassin_manage_home_client(system_cronjob_t) ') - + optional_policy(` @@ -615,12 +670,27 @@ optional_policy(` ') - + optional_policy(` - userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) + systemd_dbus_chat_logind(system_cronjob_t) @@ -21529,18 +21529,18 @@ index 7de385956..b9b2c8f7f 100644 + unconfined_dbus_send(crond_t) + userdom_filetrans_home_content(crond_t) ') - + ######################################## # -# Cronjob local policy +# User cronjobs local policy # - + allow cronjob_t self:process { signal_perms setsched }; @@ -628,12 +698,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; - + +# The entrypoint interface is not used as this is not +# a regular entrypoint. Since crontab files are +# not directly executed, crond must ensure that @@ -21551,7 +21551,7 @@ index 7de385956..b9b2c8f7f 100644 +allow cronjob_t user_cron_spool_t:file entrypoint; + +# Permit a transition from the crond_t domain to this domain. -+# The transition is requested explicitly by the modified crond ++# The transition is requested explicitly by the modified crond +# via setexeccon. There is no way to set up an automatic +# transition, since crontabs are configuration files, not executables. +allow crond_t cronjob_t:process transition; 
@@ -21563,10 +21563,10 @@ index 7de385956..b9b2c8f7f 100644 + kernel_read_system_state(cronjob_t) kernel_read_kernel_sysctls(cronjob_t) - + +# ps does not need to access /boot when run from cron files_dontaudit_search_boot(cronjob_t) - + -corenet_all_recvfrom_unlabeled(cronjob_t) corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) @@ -21581,17 +21581,17 @@ index 7de385956..b9b2c8f7f 100644 - -corecmd_exec_all_executables(cronjob_t) +corenet_sendrecv_all_client_packets(cronjob_t) - + dev_read_urand(cronjob_t) - + fs_getattr_all_fs(cronjob_t) - + +corecmd_exec_all_executables(cronjob_t) + +# quiet other ps operations domain_dontaudit_read_all_domains_state(cronjob_t) domain_dontaudit_getattr_all_domains(cronjob_t) - + files_exec_etc_files(cronjob_t) -files_read_etc_runtime_files(cronjob_t) -files_read_var_files(cronjob_t) @@ -21599,20 +21599,20 @@ index 7de385956..b9b2c8f7f 100644 -files_search_spool(cronjob_t) +# for nscd: files_dontaudit_search_pids(cronjob_t) - + libs_exec_lib_files(cronjob_t) libs_exec_ld_so(cronjob_t) - + +files_read_etc_runtime_files(cronjob_t) +files_read_var_files(cronjob_t) +files_search_spool(cronjob_t) + logging_search_logs(cronjob_t) - + seutil_read_config(cronjob_t) - + -miscfiles_read_localization(cronjob_t) - + userdom_manage_user_tmp_files(cronjob_t) userdom_manage_user_tmp_symlinks(cronjob_t) userdom_manage_user_tmp_pipes(cronjob_t) @@ -21624,7 +21624,7 @@ index 7de385956..b9b2c8f7f 100644 userdom_manage_user_home_content_symlinks(cronjob_t) userdom_manage_user_home_content_pipes(cronjob_t) userdom_manage_user_home_content_sockets(cronjob_t) - + -tunable_policy(`cron_userdomain_transition',` - dontaudit cronjob_t crond_t:fd use; - dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms; 
@@ -21640,21 +21640,21 @@ index 7de385956..b9b2c8f7f 100644 +read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +allow crond_t user_cron_spool_t:file manage_lnk_file_perms; - + - allow cronjob_t user_cron_spool_t:file entrypoint; +tunable_policy(`fcron_crond',` + allow crond_t user_cron_spool_t:file manage_file_perms; ') - + +# need a per-role version of this: +#optional_policy(` +# mono_domtrans(cronjob_t) +#') + optional_policy(` - nis_use_ypbind(cronjob_t) + nis_use_ypbind(cronjob_t) ') - + +############################## +# +# crontab common policy @@ -21732,7 +21732,7 @@ index 7de385956..b9b2c8f7f 100644 -# Unconfined local policy +# Unconfined cronjobs local policy # - + type unconfined_cronjob_t; diff --git a/ctdb.fc b/ctdb.fc index 8401fe6f3..84ece3e4a 100644 @@ -21740,24 +21740,24 @@ index 8401fe6f3..84ece3e4a 100644 +++ b/ctdb.fc @@ -1,12 +1,20 @@ /etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) - + +/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:ctdbd_exec_t,s0) + /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) +/usr/sbin/ctdbd_wrapper -- gen_context(system_u:object_r:ctdbd_exec_t,s0) + +/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) - + +/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) - + /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) /var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) - + + +/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) /var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) - + /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/ctdb.if b/ctdb.if index b25b01d12..06895f39a 100644 
@@ -21936,7 +21936,7 @@ index b25b01d12..06895f39a 100644 + files_search_var_lib($1) + read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) +') - + ######################################## ## -## Create, read, write, and delete @@ -21946,13 +21946,13 @@ index b25b01d12..06895f39a 100644 ## ## @@ -17,13 +186,12 @@ interface(`ctdbd_manage_lib_files',` - ') - - files_search_var_lib($1) + ') + + files_search_var_lib($1) - manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) + manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) ') - + -####################################### +######################################## ## @@ -21987,12 +21987,12 @@ index b25b01d12..06895f39a 100644 +## +# +interface(`ctdbd_read_pid_files',` - gen_require(` + gen_require(` - type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; + type ctdbd_var_run_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) - stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t) + allow $1 ctdbd_var_run_t:file read_file_perms; +') @@ -22016,7 +22016,7 @@ index b25b01d12..06895f39a 100644 + stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t) + stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t) ') - + ######################################## ## -## All of the rules required to 
@@ -22032,36 +22032,36 @@ index b25b01d12..06895f39a 100644 # -interface(`ctdb_admin',` +interface(`ctdbd_admin',` - gen_require(` + gen_require(` - type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t; + type ctdbd_t, ctdbd_initrc_exec_t; - type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; - ') - + type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; + ') + - allow $1 ctdbd_t:process { ptrace signal_perms }; + allow $1 ctdbd_t:process signal_perms; - ps_process_pattern($1, ctdbd_t) + ps_process_pattern($1, ctdbd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 ctdbd_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, ctdbd_initrc_exec_t) + ctdbd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ctdbd_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 ctdbd_initrc_exec_t system_r; + allow $2 system_r; @@ -74,12 +284,10 @@ interface(`ctdb_admin',` - logging_search_logs($1) - admin_pattern($1, ctdbd_log_t) - + logging_search_logs($1) + admin_pattern($1, ctdbd_log_t) + - files_search_tmp($1) - admin_pattern($1, ctdbd_tmp_t) - - files_search_var_lib($1) - admin_pattern($1, ctdbd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, ctdbd_var_run_t) + files_search_var_lib($1) + admin_pattern($1, ctdbd_var_lib_t) + + files_search_pids($1) + admin_pattern($1, ctdbd_var_run_t) ') + diff --git a/ctdb.te b/ctdb.te @@ -22071,17 +22071,17 @@ index 001b502e6..9ace4fe93 100644 @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) type ctdbd_var_lib_t; files_type(ctdbd_var_lib_t) - + +type ctdbd_var_t; +files_type(ctdbd_var_t) + type ctdbd_var_run_t; files_pid_file(ctdbd_var_run_t) - + 
@@ -32,13 +35,17 @@ files_pid_file(ctdbd_var_run_t) # Local policy # - + -allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; -allow ctdbd_t self:process { setpgid signal_perms setsched }; +allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource }; @@ -22095,7 +22095,7 @@ index 001b502e6..9ace4fe93 100644 +allow ctdbd_t self:udp_socket create_socket_perms; +allow ctdbd_t self:rawip_socket create_socket_perms; +allow ctdbd_t self:netlink_tcpdiag_socket create_socket_perms; - + append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) @@ -57,12 +64,24 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) @@ -22110,12 +22110,12 @@ index 001b502e6..9ace4fe93 100644 +manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) +files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd") +files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb") - + manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) +manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) - + +setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t) +write_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t) + @@ -22129,7 +22129,7 @@ index 001b502e6..9ace4fe93 100644 corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) +corenet_udp_bind_generic_node(ctdbd_t) - + corenet_sendrecv_ctdb_server_packets(ctdbd_t) corenet_tcp_bind_ctdb_port(ctdbd_t) +corenet_udp_bind_ctdb_port(ctdbd_t) 
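Review bot: `+setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)` and `+write_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)` in the ctdb.te hunk let the daemon modify files of its own entrypoint type, and per the ctdb.fc hunk earlier in this diff that type now also labels `/etc/ctdb/events\.d/.*` and `/usr/sbin/ctdbd_wrapper` besides `/usr/sbin/ctdbd`. A domain that can write what it executes loses the integrity separation the exec type exists to provide; if the write access is only needed for the event scripts, a dedicated type for that directory (executed via can_exec) would keep the daemon binary read-only to ctdbd_t. At minimum the two rules need a why-comment so the exposure is explicit, e.g. `# NOTE(review): ctdbd_t may write/setattr its own exec type (incl. /usr/sbin/ctdbd) — confirm which files need this`. The enclosing ctdbd local-policy section starts and ends outside this hunk.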
@@ -22141,36 +22141,36 @@ index 001b502e6..9ace4fe93 100644 +corenet_tcp_connect_gluster_port(ctdbd_t) +corenet_tcp_connect_nfs_port(ctdbd_t) +corenet_tcp_connect_portmap_port(ctdbd_t) - + corecmd_exec_bin(ctdbd_t) corecmd_exec_shell(ctdbd_t) +corecmd_getattr_all_executables(ctdbd_t) - + dev_read_sysfs(ctdbd_t) dev_read_urand(ctdbd_t) - + domain_dontaudit_read_all_domains_state(ctdbd_t) - + -files_read_etc_files(ctdbd_t) files_search_all_mountpoints(ctdbd_t) - + +fs_getattr_all_fs(ctdbd_t) + +auth_use_nsswitch(ctdbd_t) + logging_send_syslog_msg(ctdbd_t) - + -miscfiles_read_localization(ctdbd_t) miscfiles_read_public_files(ctdbd_t) - + +userdom_home_manager(ctdbd_t) + optional_policy(` - consoletype_exec(ctdbd_t) + consoletype_exec(ctdbd_t) ') @@ -106,9 +139,22 @@ optional_policy(` ') - + optional_policy(` + rpc_domtrans_rpcd(ctdbd_t) + rpc_manage_nfs_state_data_dir(ctdbd_t) @@ -22179,9 +22179,9 @@ index 001b502e6..9ace4fe93 100644 + +optional_policy(` + samba_signull_smbd(ctdbd_t) - samba_initrc_domtrans(ctdbd_t) - samba_domtrans_net(ctdbd_t) - samba_rw_var_files(ctdbd_t) + samba_initrc_domtrans(ctdbd_t) + samba_domtrans_net(ctdbd_t) + samba_rw_var_files(ctdbd_t) + samba_systemctl(ctdbd_t) +') + @@ -22189,7 +22189,7 @@ index 001b502e6..9ace4fe93 100644 + samba_signull_winbind(ctdbd_t) + samba_signull_unconfined_net(ctdbd_t) ') - + optional_policy(` diff --git a/cups.fc b/cups.fc index 949011ec8..9437dbe01 100644 @@ -22197,7 +22197,7 @@ index 949011ec8..9437dbe01 100644 +++ b/cups.fc @@ -1,77 +1,91 @@ -/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - + -/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -22219,30 +22219,30 @@ index 949011ec8..9437dbe01 100644 +/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) - + /etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0) - + -/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) - -/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) - + -/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - + -/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0) - + -/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - + -/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0) -/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - + -/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) 
@@ -22250,17 +22250,17 @@ index 949011ec8..9437dbe01 100644 -/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0) - + -/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) -/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) +/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0) +/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) - + -/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) - + -/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) -/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) 
@@ -22275,34 +22275,34 @@ index 949011ec8..9437dbe01 100644 /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) /usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0) - + -/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) -/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) +/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) +/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0) - + -/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) +/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) - + /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) - + -/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0) +/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0) +/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) - + -/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) +/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) +/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) - + -/var/ccpd(/.*)? 
gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) -/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) @@ -22342,23 +22342,23 @@ index 3023be7f6..27938e4b4 100644 +++ b/cups.if @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` interface(`cups_read_config',` - gen_require(` - type cupsd_etc_t, cupsd_rw_etc_t; + gen_require(` + type cupsd_etc_t, cupsd_rw_etc_t; + type hplip_etc_t; - ') - - files_search_etc($1) + ') + + files_search_etc($1) - read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t }) + read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) + read_files_pattern($1, hplip_etc_t, hplip_etc_t) + read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) ') - + ######################################## @@ -304,6 +307,30 @@ interface(`cups_stream_connect_ptal',` - stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) + stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t) ') - + +######################################## +## +## Execute cupsd server in the cupsd domain. @@ -22388,46 +22388,46 @@ index 3023be7f6..27938e4b4 100644 ## Read the process state (/proc/pid) of cupsd. 
@@ -344,18 +371,23 @@ interface(`cups_read_state',` interface(`cups_admin',` - gen_require(` - type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; + gen_require(` + type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; - type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; + type cupsd_etc_t, cupsd_log_t; - type cupsd_config_var_run_t, cupsd_lpd_var_run_t; - type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; - type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; - type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t; + type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; + type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; + type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; - type hplip_t, ptal_t; + type ptal_t; + type cupsd_unit_file_t; - ') - + ') + - allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms }; - allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms }; + allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms }; + allow $1 { cups_pdf_t ptal_t }:process { signal_perms }; - ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) + ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t }) - ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t }) + ps_process_pattern($1, { cups_pdf_t ptal_t }) + + tunable_policy(`deny_ptrace',`',` + allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace; + ') - - init_labeled_script_domtrans($1, cupsd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) + domain_system_change_exemption($1) 
@@ -368,13 +400,48 @@ interface(`cups_admin',` - logging_list_logs($1) - admin_pattern($1, cupsd_log_t) - + logging_list_logs($1) + admin_pattern($1, cupsd_log_t) + - files_list_spool($1) - admin_pattern($1, cupsd_spool_t) - - files_list_tmp($1) - admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) + files_list_tmp($1) + admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) - - files_list_pids($1) - admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t }) - admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t }) + admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t }) + admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t }) + + cupsd_systemctl($1) + admin_pattern($1, cupsd_unit_file_t) @@ -22476,7 +22476,7 @@ index c91813ccb..80859f130 100644 @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) # Declarations # - + -type cupsd_config_t; +## +##
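Review bot: In cups_admin the `tunable_policy(`deny_ptrace',`',` block restores ptrace only for `{ cupsd_t cupsd_config_t cupsd_lpd_t }`, while the second allow becomes `{ cups_pdf_t ptal_t }:process { signal_perms }` with no tunable, so administrators lose ptrace on those two domains unconditionally. ctdbd_admin in this same diff gates ptrace for its domain under the same tunable, so either the omission is intentional and deserves a comment, or the block should also contain `allow $1 { cups_pdf_t ptal_t }:process ptrace;`. The braces in `{ signal_perms }` around a single macro are redundant; `:process signal_perms;` is the form ctdbd_admin uses. cups_admin continues past the end of this hunk.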

      @@ -22490,10 +22490,10 @@ index c91813ccb..80859f130 100644 +type cupsd_config_t, cups_domain; type cupsd_config_exec_t; init_daemon_domain(cupsd_config_t, cupsd_config_exec_t) - + type cupsd_config_var_run_t; files_pid_file(cupsd_config_var_run_t) - + -type cupsd_t; +type cupsd_t, cups_domain; type cupsd_exec_t; @@ -22501,19 +22501,19 @@ index c91813ccb..80859f130 100644 +typealias cupsd_exec_t alias hplip_exec_t; init_daemon_domain(cupsd_t, cupsd_exec_t) mls_trusted_object(cupsd_t) - + type cupsd_etc_t; +typealias cupsd_etc_t alias hplip_etc_t; files_config_file(cupsd_etc_t) - + type cupsd_initrc_exec_t; @@ -33,13 +45,15 @@ type cupsd_lock_t; files_lock_file(cupsd_lock_t) - + type cupsd_log_t; +typealias cupsd_log_t alias hplip_var_log_t; logging_log_file(cupsd_log_t) - + -type cupsd_lpd_t; +type cupsd_var_lib_t alias hplip_var_lib_t; +files_type(cupsd_var_lib_t) @@ -22524,31 +22524,31 @@ index c91813ccb..80859f130 100644 -domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) -role system_r types cupsd_lpd_t; +init_domain(cupsd_lpd_t, cupsd_lpd_exec_t) - + type cupsd_lpd_tmp_t; files_tmp_file(cupsd_lpd_tmp_t) @@ -47,7 +61,7 @@ files_tmp_file(cupsd_lpd_tmp_t) type cupsd_lpd_var_run_t; files_pid_file(cupsd_lpd_var_run_t) - + -type cups_pdf_t; +type cups_pdf_t, cups_domain; type cups_pdf_exec_t; cups_backend(cups_pdf_t, cups_pdf_exec_t) - + @@ -55,29 +69,17 @@ type cups_pdf_tmp_t; files_tmp_file(cups_pdf_tmp_t) - + type cupsd_tmp_t; +typealias cupsd_tmp_t alias hplip_tmp_t; files_tmp_file(cupsd_tmp_t) - + type cupsd_var_run_t; +typealias cupsd_var_run_t alias hplip_var_run_t; files_pid_file(cupsd_var_run_t) init_daemon_run_dir(cupsd_var_run_t, "cups") mls_trusted_object(cupsd_var_run_t) - + -type hplip_t; -type hplip_exec_t; -init_daemon_domain(hplip_t, hplip_exec_t) @@ -22567,13 +22567,13 @@ index c91813ccb..80859f130 100644 -files_pid_file(hplip_var_run_t) +type cupsd_unit_file_t; +systemd_unit_file(cupsd_unit_file_t) - + type ptal_t; type ptal_exec_t; 
@@ -97,34 +99,65 @@ ifdef(`enable_mls',` - init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) + init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') - + +####################################### +# +# Cups general local policy @@ -22608,7 +22608,7 @@ index c91813ccb..80859f130 100644 # # Cups local policy # - + -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; +allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; @@ -22622,30 +22622,30 @@ index c91813ccb..80859f130 100644 allow cupsd_t self:sem create_sem_perms; -allow cupsd_t self:tcp_socket { accept listen }; allow cupsd_t self:appletalk_socket create_socket_perms; - + -allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -allow cupsd_t cupsd_etc_t:file setattr_file_perms; +allow cupsd_t cupsd_etc_t:dir manage_dir_perms; +allow cupsd_t cupsd_etc_t:file { map setattr_file_perms }; read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) - + manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) +can_exec(cupsd_t, cupsd_interface_t) - + manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) +cups_filetrans_named_content(cupsd_t) +can_exec(cupsd_t, cupsd_rw_etc_t) - + allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; 
@@ -136,22 +169,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) - + +manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) +manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) + @@ -22653,31 +22653,31 @@ index c91813ccb..80859f130 100644 manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file }) - + +allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms; manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t) files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file }) - + -allow cupsd_t hplip_t:process { signal sigkill }; +allow cupsd_t cupsd_unit_file_t:file read_file_perms; - + -read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) - -allow cupsd_t hplip_var_run_t:file read_file_perms; - + stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; @@ -159,11 +193,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) - + kernel_read_system_state(cupsd_t) -kernel_read_network_state(cupsd_t) kernel_read_all_sysctls(cupsd_t) kernel_request_load_module(cupsd_t) - + -corenet_all_recvfrom_unlabeled(cupsd_t) corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) @@ -22685,7 +22685,7 @@ index c91813ccb..80859f130 100644 
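Review bot: `+can_exec(cupsd_t, cupsd_rw_etc_t)` is added next to the existing `manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)` and `files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })`, so cupsd_t can now create, write and execute files of one type; per the cups.fc hunks in this diff that type also labels `/var/cache/cups(/.*)?`, `/var/cache/foomatic(/.*)?` and `/etc/printcap.*`. The same hunk widens `cupsd_etc_t:dir` from setattr to `manage_dir_perms` and adds `+can_exec(cupsd_t, cupsd_interface_t)` on another type cupsd_t already manages. Write-plus-execute on a single type is exactly what an audit will question, so each can_exec needs a why-comment naming the files that must be executed, e.g. `# NOTE(review): cupsd_t writes and executes cupsd_rw_etc_t (cache, printcap) — confirm which files need exec`, or those files should get a separate read-only exec type. The cupsd local-policy section continues outside this hunk.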
@@ -186,12 +218,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) - + -corecmd_exec_bin(cupsd_t) -corecmd_exec_shell(cupsd_t) +corenet_sendrecv_hplip_client_packets(cupsd_t) @@ -22700,7 +22700,7 @@ index c91813ccb..80859f130 100644 + +corenet_sendrecv_howl_server_packets(cupsd_t) +corenet_udp_bind_howl_port(cupsd_t) - + dev_rw_printer(cupsd_t) -dev_read_urand(cupsd_t) -dev_read_sysfs(cupsd_t) @@ -22725,47 +22725,47 @@ index c91813ccb..80859f130 100644 # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) +files_dontaudit_write_usr_dirs(cupsd_t) - + -fs_getattr_all_fs(cupsd_t) fs_search_auto_mountpoints(cupsd_t) fs_search_fusefs(cupsd_t) fs_read_anon_inodefs_files(cupsd_t) +fs_rw_anon_inodefs_files(cupsd_t) +fs_rw_inherited_tmpfs_files(cupsd_t) - + +mls_dbus_send_all_levels(cupsd_t) mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_all_levels(cupsd_t) @@ -232,6 +273,8 @@ mls_socket_write_all_levels(cupsd_t) - + term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) +term_use_ptmx(cupsd_t) +term_use_usb_ttys(cupsd_t) - + selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) @@ -244,22 +287,27 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) - + -libs_read_lib_files(cupsd_t) libs_exec_lib_files(cupsd_t) +libs_exec_ldconfig(cupsd_t) - + logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) - + -miscfiles_read_localization(cupsd_t) -miscfiles_read_fonts(cupsd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_t) - seutil_read_config(cupsd_t) - + sysnet_exec_ifconfig(cupsd_t) +sysnet_dns_name_resolve(cupsd_t) - + userdom_dontaudit_use_unpriv_user_fds(cupsd_t) +userdom_dontaudit_search_user_home_dirs(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) 
@@ -22776,68 +22776,68 @@ index c91813ccb..80859f130 100644 + allow cupsd_t self:process { execmem execstack }; +') + - + optional_policy(` - apm_domtrans_client(cupsd_t) + apm_domtrans_client(cupsd_t) @@ -272,18 +320,26 @@ optional_policy(` optional_policy(` - dbus_system_bus_client(cupsd_t) - + dbus_system_bus_client(cupsd_t) + + init_dbus_chat(cupsd_t) + - userdom_dbus_send_all_users(cupsd_t) - - optional_policy(` - avahi_dbus_chat(cupsd_t) - ') - + userdom_dbus_send_all_users(cupsd_t) + + optional_policy(` + avahi_dbus_chat(cupsd_t) + ') + + optional_policy(` + colord_read_lib_files(cupsd_t) + ') + - optional_policy(` - hal_dbus_chat(cupsd_t) - ') - + optional_policy(` + hal_dbus_chat(cupsd_t) + ') + + # talk to processes that do not have policy - optional_policy(` - unconfined_dbus_chat(cupsd_t) + optional_policy(` + unconfined_dbus_chat(cupsd_t) + files_write_generic_pid_pipes(cupsd_t) - ') + ') ') - + @@ -296,8 +352,8 @@ optional_policy(` ') - + optional_policy(` + kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0") - kerberos_manage_host_rcache(cupsd_t) + kerberos_manage_host_rcache(cupsd_t) - kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0") ') - + optional_policy(` @@ -306,7 +362,6 @@ optional_policy(` - + optional_policy(` - lpd_exec_lpr(cupsd_t) + lpd_exec_lpr(cupsd_t) - lpd_manage_spool(cupsd_t) - lpd_read_config(cupsd_t) - lpd_relabel_spool(cupsd_t) + lpd_read_config(cupsd_t) + lpd_relabel_spool(cupsd_t) ') @@ -315,6 +370,10 @@ optional_policy(` - mta_send_mail(cupsd_t) + mta_send_mail(cupsd_t) ') - + +optional_policy(` + networkmanager_dbus_chat(cupsd_t) +') + optional_policy(` - samba_read_config(cupsd_t) - samba_rw_var_files(cupsd_t) + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) @@ -334,7 +393,11 @@ optional_policy(` ') - + optional_policy(` - virt_rw_all_image_chr_files(cupsd_t) + virt_rw_chr_files(cupsd_t) 
@@ -22846,12 +22846,12 @@ index c91813ccb..80859f130 100644 +optional_policy(` + vmware_read_system_config(cupsd_t) ') - + ######################################## @@ -342,12 +405,11 @@ optional_policy(` # Configuration daemon local policy # - + -allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid }; +allow cupsd_config_t self:capability { chown dac_read_search dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; @@ -22859,28 +22859,28 @@ index c91813ccb..80859f130 100644 -allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -allow cupsd_config_t self:tcp_socket { accept listen }; +allow cupsd_config_t self:process { getsched }; - + +domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t) allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) - + @@ -372,18 +434,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) - + -read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) +read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t) - + stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) - + can_exec(cupsd_config_t, cupsd_config_exec_t) - -domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) +can_exec(cupsd_config_t, cupsd_exec_t) - + kernel_read_system_state(cupsd_config_t) kernel_read_all_sysctls(cupsd_config_t) - + -corenet_all_recvfrom_unlabeled(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) @@ -22888,7 +22888,7 @@ index c91813ccb..80859f130 100644 
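Review bot: `+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)` and `+can_exec(cupsd_config_t, cupsd_exec_t)` in the same hunk define two outcomes for executing one type: the domtrans installs the automatic transition to cupsd_t, while can_exec also grants execute_no_trans, so cupsd_config_t may keep running cupsd_exec_t content in its own domain whenever the caller asks for no transition. Since hplip_exec_t is now an alias of cupsd_exec_t (cups.te declarations hunk earlier in this diff), the hplip helpers that previously transitioned to hplip_t now fall under this pair, and nothing states which of them are meant to stay in cupsd_config_t. A comment on the can_exec line would settle it, e.g. `# NOTE(review): can_exec plus domtrans on cupsd_exec_t — confirm which callers must stay in cupsd_config_t`. The cupsd_config_t section starts and ends outside this hunk.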
@@ -392,20 +452,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) - + -corecmd_exec_bin(cupsd_config_t) -corecmd_exec_shell(cupsd_config_t) - @@ -22896,20 +22896,20 @@ index c91813ccb..80859f130 100644 -dev_read_urand(cupsd_config_t) -dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) - + files_read_etc_runtime_files(cupsd_config_t) -files_read_usr_files(cupsd_config_t) files_read_var_symlinks(cupsd_config_t) files_search_all_mountpoints(cupsd_config_t) - + -fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) - + domain_use_interactive_fds(cupsd_config_t) @@ -417,11 +469,6 @@ auth_use_nsswitch(cupsd_config_t) - + logging_send_syslog_msg(cupsd_config_t) - + -miscfiles_read_localization(cupsd_config_t) -miscfiles_read_hwdata(cupsd_config_t) - @@ -22919,91 +22919,91 @@ index c91813ccb..80859f130 100644 userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) @@ -448,10 +495,13 @@ optional_policy(` - ') + ') ') - + +optional_policy(` + gnome_dontaudit_read_config(cupsd_config_t) +') + optional_policy(` - hal_domtrans(cupsd_config_t) - hal_read_tmp_files(cupsd_config_t) + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) - hal_dontaudit_use_fds(hplip_t) ') - + optional_policy(` @@ -466,6 +516,10 @@ optional_policy(` - lpd_read_config(cupsd_config_t) + lpd_read_config(cupsd_config_t) ') - + +optional_policy(` + libs_exec_ldconfig(cupsd_config_t) +') + optional_policy(` - rpm_read_db(cupsd_config_t) + rpm_read_db(cupsd_config_t) ') 
@@ -487,10 +541,6 @@ optional_policy(` # Lpd local policy # - + -allow cupsd_lpd_t self:capability { setuid setgid }; -allow cupsd_lpd_t self:process signal_perms; -allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms; -allow cupsd_lpd_t self:tcp_socket { accept listen }; allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - + allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; @@ -508,15 +558,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) - + kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) -kernel_read_network_state(cupsd_lpd_t) - + -corenet_all_recvfrom_unlabeled(cupsd_lpd_t) corenet_all_recvfrom_netlabel(cupsd_lpd_t) corenet_tcp_sendrecv_generic_if(cupsd_lpd_t) corenet_tcp_sendrecv_generic_node(cupsd_lpd_t) - + corenet_sendrecv_ipp_client_packets(cupsd_lpd_t) corenet_tcp_connect_ipp_port(cupsd_lpd_t) +corenet_tcp_bind_printer_port(cupsd_lpd_t) +corenet_tcp_connect_printer_port(cupsd_lpd_t) corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) - + corenet_sendrecv_printer_server_packets(cupsd_lpd_t) @@ -537,9 +587,6 @@ auth_use_nsswitch(cupsd_lpd_t) - + logging_send_syslog_msg(cupsd_lpd_t) - + -miscfiles_read_localization(cupsd_lpd_t) -miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) - optional_policy(` - inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) + inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') @@ -549,8 +596,7 @@ optional_policy(` # Pdf local policy # - + -allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; -allow cups_pdf_t self:fifo_file rw_fifo_file_perms; +allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search dac_override }; allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; - + append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) 
@@ -566,148 +612,23 @@ fs_search_auto_mountpoints(cups_pdf_t) - + kernel_read_system_state(cups_pdf_t) - + -files_read_usr_files(cups_pdf_t) - -corecmd_exec_bin(cups_pdf_t) -corecmd_exec_shell(cups_pdf_t) - auth_use_nsswitch(cups_pdf_t) - + -miscfiles_read_localization(cups_pdf_t) -miscfiles_read_fonts(cups_pdf_t) -miscfiles_setattr_fonts_cache_dirs(cups_pdf_t) @@ -23012,23 +23012,23 @@ index c91813ccb..80859f130 100644 userdom_manage_user_home_content_files(cups_pdf_t) -userdom_home_filetrans_user_home_dir(cups_pdf_t) +userdom_filetrans_home_content(cups_pdf_t) - + tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(cups_pdf_t) - fs_manage_nfs_files(cups_pdf_t) + fs_manage_nfs_dirs(cups_pdf_t) + fs_manage_nfs_files(cups_pdf_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(cups_pdf_t) - fs_manage_cifs_files(cups_pdf_t) -') +userdom_home_manager(cups_pdf_t) - + optional_policy(` - lpd_manage_spool(cups_pdf_t) + gnome_read_config(cups_pdf_t) ') - + -######################################## -# -# HPLIP local policy @@ -23142,13 +23142,13 @@ index c91813ccb..80859f130 100644 -optional_policy(` - udev_read_db(hplip_t) -') - + ######################################## # @@ -735,7 +656,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) - + -corenet_all_recvfrom_unlabeled(ptal_t) corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) @@ -23156,29 +23156,29 @@ index c91813ccb..80859f130 100644 @@ -745,13 +665,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) - + -dev_read_sysfs(ptal_t) dev_read_usbfs(ptal_t) dev_rw_printer(ptal_t) - + domain_use_interactive_fds(ptal_t) - + -files_read_etc_files(ptal_t) files_read_etc_runtime_files(ptal_t) - + fs_getattr_all_fs(ptal_t) 
@@ -759,8 +677,6 @@ fs_search_auto_mountpoints(ptal_t) - + logging_send_syslog_msg(ptal_t) - + -miscfiles_read_localization(ptal_t) - sysnet_read_config(ptal_t) - + userdom_dontaudit_use_unpriv_user_fds(ptal_t) @@ -773,3 +689,4 @@ optional_policy(` optional_policy(` - udev_read_db(ptal_t) + udev_read_db(ptal_t) ') + diff --git a/cvs.fc b/cvs.fc @@ -23190,18 +23190,18 @@ index 75c8be90c..4c1a965c0 100644 +/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0) + /etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0) - + /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - + /usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0) - + -/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) +/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0) - + /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) - + /var/run/cvs\.pid -- gen_context(system_u:object_r:cvs_var_run_t,s0) - + -/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) +/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:cvs_script_exec_t,s0) diff --git a/cvs.if b/cvs.if @@ -23210,7 +23210,7 @@ index 64775fd37..91a60569c 100644 +++ b/cvs.if @@ -1,5 +1,23 @@ ##

      Concurrent versions system. - + +###################################### +## +## Dontaudit Attempts to list the CVS data and metadata. @@ -23233,9 +23233,9 @@ index 64775fd37..91a60569c 100644 ## ## Read CVS data and metadata content. @@ -39,6 +57,24 @@ interface(`cvs_exec',` - can_exec($1, cvs_exec_t) + can_exec($1, cvs_exec_t) ') - + +######################################## +## +## Transition to cvs named content @@ -23258,28 +23258,28 @@ index 64775fd37..91a60569c 100644 ## ## All of the rules required to @@ -60,11 +96,17 @@ interface(`cvs_admin',` - gen_require(` - type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; - type cvs_data_t, cvs_var_run_t, cvs_keytab_t; + gen_require(` + type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; + type cvs_data_t, cvs_var_run_t, cvs_keytab_t; + type cvs_home_t; - ') - + ') + - allow $1 cvs_t:process { ptrace signal_perms }; + allow $1 cvs_t:process signal_perms; - ps_process_pattern($1, cvs_t) - + ps_process_pattern($1, cvs_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 cvs_t:process ptrace; + ') + + # Allow cvs_t to restart the apache service - init_labeled_script_domtrans($1, cvs_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cvs_initrc_exec_t system_r; + init_labeled_script_domtrans($1, cvs_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cvs_initrc_exec_t system_r; @@ -81,4 +123,7 @@ interface(`cvs_admin',` - - files_list_pids($1) - admin_pattern($1, cvs_var_run_t) + + files_list_pids($1) + admin_pattern($1, cvs_var_run_t) + + userdom_search_user_home_dirs($1) + admin_pattern($1, cvs_home_t) @@ -23294,13 +23294,13 @@ index 0f7755005..36e4a38cf 100644 ## -gen_tunable(allow_cvs_read_shadow, false) +gen_tunable(cvs_read_shadow, false) - + type cvs_t; type cvs_exec_t; @@ -34,17 +34,23 @@ files_tmp_file(cvs_tmp_t) type cvs_var_run_t; files_pid_file(cvs_var_run_t) - + +type cvs_home_t; +userdom_user_home_content(cvs_home_t) + 
@@ -23308,14 +23308,14 @@ index 0f7755005..36e4a38cf 100644 # # Local policy # - + -allow cvs_t self:capability { setuid setgid }; +allow cvs_t self:capability { dac_override dac_read_search setuid setgid }; allow cvs_t self:process signal_perms; allow cvs_t self:fifo_file rw_fifo_file_perms; allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cvs_t self:tcp_socket { accept listen }; - + +userdom_search_user_home_dirs(cvs_t) +allow cvs_t cvs_home_t:file read_file_perms; + @@ -23325,7 +23325,7 @@ index 0f7755005..36e4a38cf 100644 @@ -74,6 +80,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) - + +corenet_all_recvfrom_netlabel(cvs_t) +corenet_tcp_sendrecv_generic_if(cvs_t) +corenet_udp_sendrecv_generic_if(cvs_t) @@ -23336,21 +23336,21 @@ index 0f7755005..36e4a38cf 100644 +corenet_tcp_bind_cvs_port(cvs_t) + dev_read_urand(cvs_t) - + files_read_etc_runtime_files(cvs_t) @@ -86,19 +101,17 @@ auth_use_nsswitch(cvs_t) - + init_read_utmp(cvs_t) - + +init_dontaudit_read_utmp(cvs_t) + logging_send_syslog_msg(cvs_t) logging_send_audit_msgs(cvs_t) - + -miscfiles_read_localization(cvs_t) - mta_send_mail(cvs_t) - + -userdom_dontaudit_search_user_home_dirs(cvs_t) - # cjp: typeattribute doesnt work in conditionals yet @@ -23359,15 +23359,15 @@ index 0f7755005..36e4a38cf 100644 - allow cvs_t self:capability dac_override; +tunable_policy(`cvs_read_shadow',` + allow cvs_t self:capability { dac_read_search dac_override }; - auth_tunable_read_shadow(cvs_t) + auth_tunable_read_shadow(cvs_t) ') - + @@ -116,8 +129,10 @@ optional_policy(` - + optional_policy(` - apache_content_template(cvs) + apache_content_template(cvs) + apache_content_alias_template(cvs, cvs) - + - read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) - manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) - manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -23383,33 +23383,33 @@ index 77ffc7355..86e11f5e3 100644 
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t) corecmd_search_bin(cyphesis_t) corecmd_getattr_bin_files(cyphesis_t) - + -corenet_all_recvfrom_unlabeled(cyphesis_t) corenet_tcp_sendrecv_generic_if(cyphesis_t) corenet_tcp_sendrecv_generic_node(cyphesis_t) corenet_tcp_bind_generic_node(cyphesis_t) @@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t) - + domain_use_interactive_fds(cyphesis_t) - + -files_read_etc_files(cyphesis_t) -files_read_usr_files(cyphesis_t) - + logging_send_syslog_msg(cyphesis_t) - + -miscfiles_read_localization(cyphesis_t) - sysnet_dns_name_resolve(cyphesis_t) - + optional_policy(` diff --git a/cyrus.if b/cyrus.if index 83bfda6ed..92d9fb2e7 100644 --- a/cyrus.if +++ b/cyrus.if @@ -20,6 +20,25 @@ interface(`cyrus_manage_data',` - manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) + manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t) ') - + +####################################### +## +## Allow write cyrus data files. @@ -23433,20 +23433,20 @@ index 83bfda6ed..92d9fb2e7 100644 ## ## Connect to Cyrus using a unix @@ -64,9 +83,13 @@ interface(`cyrus_admin',` - type cyrus_keytab_t; - ') - + type cyrus_keytab_t; + ') + - allow $1 cyrus_t:process { ptrace signal_perms }; + allow $1 cyrus_t:process signal_perms; - ps_process_pattern($1, cyrus_t) - + ps_process_pattern($1, cyrus_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 cyrus_t:process ptrace; + ') + - init_labeled_script_domtrans($1, cyrus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyrus_initrc_exec_t system_r; + init_labeled_script_domtrans($1, cyrus_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te index 4283f2de2..21d93a737 100644 --- a/cyrus.te @@ -23454,7 +23454,7 @@ index 4283f2de2..21d93a737 100644 
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t) # Local policy # - + -allow cyrus_t self:capability { dac_override setgid setuid sys_resource }; +allow cyrus_t self:capability { fsetid dac_read_search dac_override net_bind_service setgid setuid sys_resource }; dontaudit cyrus_t self:capability sys_tty_config; @@ -23465,17 +23465,17 @@ index 4283f2de2..21d93a737 100644 manage_lnk_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) manage_sock_files_pattern(cyrus_t, cyrus_var_lib_t, cyrus_var_lib_t) +allow cyrus_t cyrus_var_lib_t:file map; - + manage_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) manage_sock_files_pattern(cyrus_t, cyrus_var_run_t, cyrus_var_run_t) files_pid_filetrans(cyrus_t, cyrus_var_run_t, { file sock_file }) +allow cyrus_t cyrus_var_run_t:file map; - + kernel_read_kernel_sysctls(cyrus_t) kernel_read_system_state(cyrus_t) kernel_read_all_sysctls(cyrus_t) +kernel_read_network_state(cyrus_t) - + -corenet_all_recvfrom_unlabeled(cyrus_t) corenet_all_recvfrom_netlabel(cyrus_t) corenet_tcp_sendrecv_generic_if(cyrus_t) @@ -23483,40 +23483,40 @@ index 4283f2de2..21d93a737 100644 corenet_tcp_sendrecv_all_ports(cyrus_t) corenet_tcp_bind_generic_node(cyrus_t) +corenet_tcp_bind_cyrus_imapd_port(cyrus_t) - + corenet_sendrecv_mail_server_packets(cyrus_t) corenet_tcp_bind_mail_port(cyrus_t) @@ -76,6 +79,9 @@ corenet_tcp_bind_mail_port(cyrus_t) corenet_sendrecv_lmtp_server_packets(cyrus_t) corenet_tcp_bind_lmtp_port(cyrus_t) - + +corenet_sendrecv_innd_server_packets(cyrus_t) +corenet_tcp_bind_innd_port(cyrus_t) + corenet_sendrecv_pop_server_packets(cyrus_t) corenet_tcp_bind_pop_port(cyrus_t) - + @@ -95,8 +101,6 @@ domain_use_interactive_fds(cyrus_t) - + files_list_var_lib(cyrus_t) files_read_etc_runtime_files(cyrus_t) -files_read_usr_files(cyrus_t) -files_dontaudit_write_usr_dirs(cyrus_t) - + fs_getattr_all_fs(cyrus_t) fs_search_auto_mountpoints(cyrus_t) 
@@ -107,7 +111,6 @@ libs_exec_lib_files(cyrus_t) - + logging_send_syslog_msg(cyrus_t) - + -miscfiles_read_localization(cyrus_t) miscfiles_read_generic_certs(cyrus_t) - + userdom_use_unpriv_users_fds(cyrus_t) @@ -120,6 +123,14 @@ optional_policy(` - cron_system_entry(cyrus_t, cyrus_exec_t) + cron_system_entry(cyrus_t, cyrus_exec_t) ') - + +optional_policy(` + dirsrv_stream_connect(cyrus_t) +') @@ -23526,26 +23526,26 @@ index 4283f2de2..21d93a737 100644 +') + optional_policy(` - kerberos_read_keytab(cyrus_t) - kerberos_use(cyrus_t) + kerberos_read_keytab(cyrus_t) + kerberos_use(cyrus_t) @@ -134,8 +145,8 @@ optional_policy(` ') - + optional_policy(` - snmp_read_snmp_var_lib_files(cyrus_t) - snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) + files_dontaudit_write_usr_dirs(cyrus_t) + snmp_manage_var_lib_files(cyrus_t) - snmp_stream_connect(cyrus_t) + snmp_stream_connect(cyrus_t) ') - + diff --git a/daemontools.if b/daemontools.if index 3b3d9a0b7..6c8106a87 100644 --- a/daemontools.if +++ b/daemontools.if @@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',` - allow $1 svc_svc_t:file manage_file_perms; - allow $1 svc_svc_t:lnk_file manage_lnk_file_perms; + allow $1 svc_svc_t:file manage_file_perms; + allow $1 svc_svc_t:lnk_file manage_lnk_file_perms; ') + diff --git a/daemontools.te b/daemontools.te @@ -23555,18 +23555,18 @@ index ee1b4aa8e..2fd746e05 100644 @@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld; allow svc_multilog_t svc_start_t:fd use; allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms; - + +term_write_console(svc_multilog_t) + init_use_fds(svc_multilog_t) +init_dontaudit_use_script_fds(svc_multilog_t) - + logging_manage_generic_logs(svc_multilog_t) - + @@ -77,7 +80,8 @@ dev_read_urand(svc_run_t) corecmd_exec_bin(svc_run_t) corecmd_exec_shell(svc_run_t) - + -files_read_etc_files(svc_run_t) +term_write_console(svc_run_t) + 
@@ -23574,17 +23574,17 @@ index ee1b4aa8e..2fd746e05 100644 files_search_pids(svc_run_t) files_search_var_lib(svc_run_t) @@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit }; - + can_exec(svc_start_t, svc_start_exec_t) - + +mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t) domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t) - + kernel_read_kernel_sysctls(svc_start_t) @@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t) corecmd_exec_bin(svc_start_t) corecmd_exec_shell(svc_start_t) - + -files_read_etc_files(svc_start_t) +corenet_tcp_bind_generic_node(svc_start_t) +corenet_tcp_bind_generic_port(svc_start_t) @@ -23594,7 +23594,7 @@ index ee1b4aa8e..2fd746e05 100644 files_read_etc_runtime_files(svc_start_t) files_search_var(svc_start_t) files_search_pids(svc_start_t) - + logging_send_syslog_msg(svc_start_t) - -miscfiles_read_localization(svc_start_t) @@ -23603,45 +23603,45 @@ index 5a5e2902a..6321a1d0a 100644 --- a/dante.te +++ b/dante.te @@ -53,7 +53,6 @@ dev_read_sysfs(dante_t) - + domain_use_interactive_fds(dante_t) - + -files_read_etc_files(dante_t) files_read_etc_runtime_files(dante_t) - + fs_getattr_all_fs(dante_t) diff --git a/dbadm.te b/dbadm.te index b60c464f1..3a5246a9b 100644 --- a/dbadm.te +++ b/dbadm.te @@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false) - + role dbadm_r; - + -userdom_base_user_template(dbadm) +userdom_confined_admin_template(dbadm) - + ######################################## # # Local policy # - + -allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; +allow dbadm_t self:capability { dac_override dac_read_search }; - + files_dontaudit_search_all_dirs(dbadm_t) files_delete_generic_locks(dbadm_t) @@ -39,6 +39,7 @@ files_list_var(dbadm_t) selinux_get_enforce_mode(dbadm_t) - + logging_send_syslog_msg(dbadm_t) +logging_send_audit_msgs(dbadm_t) - + userdom_dontaudit_search_user_home_dirs(dbadm_t) - + 
@@ -60,3 +61,7 @@ optional_policy(` optional_policy(` - postgresql_admin(dbadm_t, dbadm_r) + postgresql_admin(dbadm_t, dbadm_r) ') + +optional_policy(` @@ -23654,19 +23654,19 @@ index f55c42082..e9d64ab5f 100644 @@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t) kernel_read_system_state(dbskkd_t) kernel_read_network_state(dbskkd_t) - + -corenet_all_recvfrom_unlabeled(dbskkd_t) corenet_all_recvfrom_netlabel(dbskkd_t) corenet_tcp_sendrecv_generic_if(dbskkd_t) corenet_udp_sendrecv_generic_if(dbskkd_t) @@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t) - + fs_getattr_xattr_fs(dbskkd_t) - + -files_read_etc_files(dbskkd_t) - + auth_use_nsswitch(dbskkd_t) - + logging_send_syslog_msg(dbskkd_t) - -miscfiles_read_localization(dbskkd_t) @@ -23677,40 +23677,40 @@ index dda905b9c..558729530 100644 
@@ -1,20 +1,29 @@ -HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) +/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) - + -/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) +/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) - + -/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) +ifdef(`distro_redhat',` +/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/libexec/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +') - + -/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) - + -/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) - + -/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +ifdef(`distro_debian',` +/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +') - + -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +ifdef(`distro_gentoo',` +/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +') - + -/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) +/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) +/var/cache/ibus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - + -/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) -/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) - + +ifdef(`distro_redhat',` /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') 
@@ -23721,11 +23721,11 @@ index 62d22cb46..3b6a2c833 100644 @@ -1,4 +1,4 @@ -## Desktop messaging bus. +## Desktop messaging bus - + ######################################## ## @@ -19,7 +19,24 @@ interface(`dbus_stub',` - + ######################################## ## -## Role access for dbus. @@ -23752,67 +23752,67 @@ index 62d22cb46..3b6a2c833 100644 ## 
@@ -41,59 +58,68 @@ interface(`dbus_stub',` template(`dbus_role_template',` - gen_require(` - class dbus { send_msg acquire_svc }; + gen_require(` + class dbus { send_msg acquire_svc }; - attribute session_bus_type; - type system_dbusd_t, dbusd_exec_t; - type session_dbusd_tmp_t, session_dbusd_home_t; + attribute dbusd_unconfined, session_bus_type; + type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; + type $1_t; - ') - - ############################## - # + ') + + ############################## + # - # Declarations + # Delcarations - # - - type $1_dbusd_t, session_bus_type; + # + + type $1_dbusd_t, session_bus_type; - domain_type($1_dbusd_t) - domain_entry_file($1_dbusd_t, dbusd_exec_t) + application_domain($1_dbusd_t, dbusd_exec_t) - ubac_constrained($1_dbusd_t) + ubac_constrained($1_dbusd_t) - - role $2 types $1_dbusd_t; - + role $2 types $1_dbusd_t; + + kernel_read_system_state($1_dbusd_t) + + selinux_get_fs_mount($1_dbusd_t) + + userdom_home_manager($1_dbusd_t) + - ############################## - # - # Local policy - # - + ############################## + # + # Local policy + # + - allow $3 $1_dbusd_t:unix_stream_socket connectto; - allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 $1_dbusd_t:fd use; -- +- - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; + # For connecting to the bus + allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms }; - + - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus") + # SE-DBus specific permissions + allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc }; + allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; - - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - - ps_process_pattern($3, $1_dbusd_t) + + domtrans_pattern($3, dbusd_exec_t, 
$1_dbusd_t) + + ps_process_pattern($3, $1_dbusd_t) - allow $3 $1_dbusd_t:process { ptrace signal_perms }; + allow $3 $1_dbusd_t:process signal_perms; - + - allow $1_dbusd_t $3:process sigkill; + tunable_policy(`deny_ptrace',`',` + allow $3 $1_dbusd_t:process ptrace; + ') - + - corecmd_bin_domtrans($1_dbusd_t, $3) - corecmd_shell_domtrans($1_dbusd_t, $3) + # cjp: this seems very broken @@ -23821,18 +23821,18 @@ index 62d22cb46..3b6a2c833 100644 + allow $1_dbusd_t $3:process sigkill; + allow $3 $1_dbusd_t:fd use; + allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; - - auth_use_nsswitch($1_dbusd_t) - + + auth_use_nsswitch($1_dbusd_t) + - ifdef(`hide_broken_symptoms',` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; + logging_send_syslog_msg($1_dbusd_t) + + optional_policy(` + mozilla_domtrans_spec($1_dbusd_t, $1_t) - ') + ') ') - + ####################################### ## ## Template for creating connections to @@ -23844,39 +23844,39 @@ index 62d22cb46..3b6a2c833 100644 
@@ -103,91 +129,88 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` - gen_require(` + gen_require(` - attribute dbusd_system_bus_client; - type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t; + type system_dbusd_t, system_dbusd_t; + type system_dbusd_var_run_t, system_dbusd_var_lib_t; - class dbus send_msg; + class dbus send_msg; + attribute dbusd_unconfined; - ') - + ') + - typeattribute $1 dbusd_system_bus_client; - + # SE-DBus specific permissions - allow $1 { system_dbusd_t self }:dbus send_msg; + allow $1 { system_dbusd_t self }:dbus send_msg; - allow system_dbusd_t $1:dbus send_msg; + allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; - + - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + files_search_var_lib($1) - + + dev_read_urand($1) + + # For connecting to the bus - files_search_pids($1) - stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) - - dbus_read_config($1) + dbus_read_config($1) + + optional_policy(` + unconfined_server_dbus_chat($1) + ') ') - + ####################################### ## -## Acquire service on DBUS @@ -23911,19 +23911,19 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_connect_all_session_bus',` +interface(`dbus_session_client',` - gen_require(` + gen_require(` - attribute session_bus_type; - class dbus acquire_svc; + class dbus send_msg; + type $1_dbusd_t; - ') - + ') + - allow $1 session_bus_type:dbus acquire_svc; + allow $2 $1_dbusd_t:fd use; + allow $2 { $1_dbusd_t self }:dbus send_msg; + allow $2 $1_dbusd_t:unix_stream_socket connectto; ') - + ####################################### ## -## Acquire service on specified 
@@ -23945,13 +23945,13 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_connect_spec_session_bus',` +interface(`dbus_session_bus_client',` - gen_require(` + gen_require(` - type $1_dbusd_t; - class dbus acquire_svc; + attribute session_bus_type; + class dbus send_msg; - ') - + ') + - allow $2 $1_dbusd_t:dbus acquire_svc; + # SE-DBus specific permissions + allow $1 { session_bus_type self }:dbus send_msg; @@ -23961,7 +23961,7 @@ index 62d22cb46..3b6a2c833 100644 + + allow session_bus_type $1:process sigkill; ') - + -####################################### +######################################## ## @@ -23986,7 +23986,7 @@ index 62d22cb46..3b6a2c833 100644 + + allow $1 session_bus_type:dbus send_msg; ') - + -####################################### +######################################## ## @@ -24002,23 +24002,23 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_all_session_bus_client',` +interface(`dbus_read_config',` - gen_require(` + gen_require(` - attribute session_bus_type, dbusd_session_bus_client; - class dbus send_msg; + type dbusd_etc_t; - ') - + ') + - typeattribute $1 dbusd_session_bus_client; - - allow $1 { session_bus_type self }:dbus send_msg; - allow session_bus_type $1:dbus send_msg; -- +- - allow $1 session_bus_type:unix_stream_socket connectto; - allow $1 session_bus_type:fd use; + allow $1 dbusd_etc_t:dir list_dir_perms; + allow $1 dbusd_etc_t:file read_file_perms; ') - + -####################################### +######################################## ## @@ -24040,13 +24040,13 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_spec_session_bus_client',` +interface(`dbus_read_lib_files',` - gen_require(` + gen_require(` - attribute dbusd_session_bus_client; - type $1_dbusd_t; - class dbus send_msg; + type system_dbusd_var_lib_t; - ') - + ') + - typeattribute $2 dbusd_session_bus_client; - - allow $2 { $1_dbusd_t self }:dbus send_msg; 
@@ -24058,7 +24058,7 @@ index 62d22cb46..3b6a2c833 100644 + read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ') - + -####################################### +######################################## ## @@ -24083,7 +24083,7 @@ index 62d22cb46..3b6a2c833 100644 + files_search_var_lib($1) + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ') - + -####################################### +######################################## ## @@ -24100,16 +24100,16 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_send_all_session_bus',` +interface(`dbus_connect_session_bus',` - gen_require(` - attribute session_bus_type; + gen_require(` + attribute session_bus_type; - class dbus send_msg; + class dbus acquire_svc; - ') - + ') + - allow $1 dbus_session_bus_type:dbus send_msg; + allow $1 session_bus_type:dbus acquire_svc; ') - + -####################################### +######################################## ## @@ -24141,18 +24141,18 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_send_spec_session_bus',` +interface(`dbus_session_domain',` - gen_require(` - type $1_dbusd_t; + gen_require(` + type $1_dbusd_t; - class dbus send_msg; - ') - + ') + - allow $2 $1_dbusd_t:dbus send_msg; + domtrans_pattern($1_dbusd_t, $2, $3) + + dbus_session_bus_client($3) + dbus_connect_session_bus($3) ') - + ######################################## ## -## Read dbus configuration content. @@ -24167,17 +24167,17 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_read_config',` +interface(`dbus_connect_system_bus',` - gen_require(` + gen_require(` - type dbusd_etc_t; + type system_dbusd_t; + class dbus acquire_svc; - ') - + ') + - allow $1 dbusd_etc_t:dir list_dir_perms; - allow $1 dbusd_etc_t:file read_file_perms; + allow $1 system_dbusd_t:dbus acquire_svc; ') - + ######################################## ## -## Read system dbus lib files. 
@@ -24191,18 +24191,18 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_read_lib_files',` +interface(`dbus_send_system_bus',` - gen_require(` + gen_require(` - type system_dbusd_var_lib_t; + type system_dbusd_t; + class dbus send_msg; - ') - + ') + - files_search_var_lib($1) - read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + allow $1 system_dbusd_t:dbus send_msg; ') - + ######################################## ## -## Create, read, write, and delete @@ -24217,17 +24217,17 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_manage_lib_files',` +interface(`dbus_system_bus_unconfined',` - gen_require(` + gen_require(` - type system_dbusd_var_lib_t; + type system_dbusd_t; + class dbus all_dbus_perms; - ') - + ') + - files_search_var_lib($1) - manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + allow $1 system_dbusd_t:dbus *; ') - + ######################################## ## -## Allow a application domain to be @@ -24275,7 +24275,7 @@ index 62d22cb46..3b6a2c833 100644 + ps_process_pattern($1, system_dbusd_t) + ') - + ######################################## ## -## Allow a application domain to be @@ -24312,18 +24312,18 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_all_session_domain',` +interface(`dbus_unconfined',` - gen_require(` + gen_require(` - type session_bus_type; + attribute dbusd_unconfined; - ') - + ') + - domtrans_pattern(session_bus_type, $2, $1) - - dbus_all_session_bus_client($1) - dbus_connect_all_session_bus($1) + typeattribute $1 dbusd_unconfined; ') - + ######################################## ## -## Allow a application domain to be 
@@ -24385,18 +24385,18 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_spec_session_domain',` +interface(`dbus_dontaudit_stream_connect_session_bus',` - gen_require(` + gen_require(` - type $1_dbusd_t; + attribute session_bus_type; - ') - + ') + - domtrans_pattern($1_dbusd_t, $2, $3) - - dbus_spec_session_bus_client($1, $2) - dbus_connect_spec_session_bus($1, $2) + dontaudit $1 session_bus_type:unix_stream_socket connectto; ') - + ######################################## ## -## Acquire service on the DBUS system bus. @@ -24413,16 +24413,16 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_connect_system_bus',` +interface(`dbus_stream_connect_session_bus',` - gen_require(` + gen_require(` - type system_dbusd_t; - class dbus acquire_svc; + attribute session_bus_type; - ') - + ') + - allow $1 system_dbusd_t:dbus acquire_svc; + allow $1 session_bus_type:unix_stream_socket connectto; ') - + ######################################## ## -## Send messages to the DBUS system bus. @@ -24438,17 +24438,17 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_send_system_bus',` +interface(`dbus_chat_session_bus',` - gen_require(` + gen_require(` - type system_dbusd_t; + attribute session_bus_type; - class dbus send_msg; - ') - + class dbus send_msg; + ') + - allow $1 system_dbusd_t:dbus send_msg; + allow $1 session_bus_type:dbus send_msg; + allow session_bus_type $1:dbus send_msg; ') - + ######################################## ## -## Unconfined access to DBUS system bus. @@ -24464,17 +24464,17 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_system_bus_unconfined',` +interface(`dbus_dontaudit_chat_session_bus',` - gen_require(` + gen_require(` - type system_dbusd_t; - class dbus all_dbus_perms; + attribute session_bus_type; + class dbus send_msg; - ') - + ') + - allow $1 system_dbusd_t:dbus *; + dontaudit $1 session_bus_type:dbus send_msg; ') - + ######################################## ## -## Create a domain for processes which 
@@ -24516,11 +24516,11 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_system_domain',` +interface(`dbus_stream_connect_system_dbusd',` - gen_require(` - type system_dbusd_t; + gen_require(` + type system_dbusd_t; - role system_r; - ') - + ') + - domain_type($1) - domain_entry_file($1, $2) - @@ -24540,7 +24540,7 @@ index 62d22cb46..3b6a2c833 100644 - ') + allow $1 system_dbusd_t:unix_stream_socket connectto; ') - + + ######################################## ## @@ -24559,15 +24559,15 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_use_system_bus_fds',` +interface(`dbus_dontaudit_stream_connect_system_dbusd',` - gen_require(` + gen_require(` - type system_dbusd_t; + attribute system_dbusd_t; - ') - + ') + - allow $1 system_dbusd_t:fd use; + dontaudit $1 system_dbusd_t:unix_stream_socket connectto; ') - + ######################################## ## -## Do not audit attempts to read and @@ -24583,12 +24583,12 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +interface(`dbus_chat_system_bus',` - gen_require(` + gen_require(` - type system_dbusd_t; + attribute system_bus_type; + class dbus send_msg; - ') - + ') + - dontaudit $1 system_dbusd_t:tcp_socket { read write }; + allow $1 system_bus_type:dbus send_msg; + allow system_bus_type $1:dbus send_msg; @@ -24610,7 +24610,7 @@ index 62d22cb46..3b6a2c833 100644 + ') + files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') - + ######################################## ## -## Unconfined access to DBUS. @@ -24626,12 +24626,12 @@ index 62d22cb46..3b6a2c833 100644 # -interface(`dbus_unconfined',` +interface(`dbus_acquire_svc_system_dbusd',` - gen_require(` + gen_require(` - attribute dbusd_unconfined; + type system_dbusd_t; + class dbus acquire_svc; - ') - + ') + - typeattribute $1 dbusd_unconfined; + allow $1 system_dbusd_t:dbus acquire_svc; + @@ -24641,30 +24641,30 @@ index c9998c80d..5b5df4c14 100644 --- a/dbus.te +++ b/dbus.te 
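Review bot: In the `dbus_dontaudit_stream_connect_system_dbusd` interface (hunk `@@ -24559`) the gen_require block declares `attribute system_dbusd_t;`, while the same file requires the same name as `type system_dbusd_t;` in `dbus_stream_connect_system_dbusd` in the preceding hunk and dbus.te passes it to `init_ranged_system_domain(system_dbusd_t, …)`, i.e. it is a type. The mismatch is carried from the inner patch rather than introduced by this re-indentation, but it is what lands in the shipped dbus.if; a caller of this interface may be rejected at module link time if the linker checks the required symbol's kind, so the dontaudit would never take effect. Change the line to `type system_dbusd_t;`.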
@@ -4,17 +4,15 @@ gen_require(` - class dbus all_dbus_perms; + class dbus all_dbus_perms; ') - + -######################################## +############################## # -# Declarations +# Delcarations # - + attribute dbusd_unconfined; +attribute system_bus_type; attribute session_bus_type; - + -attribute dbusd_system_bus_client; -attribute dbusd_session_bus_client; - type dbusd_etc_t; files_config_file(dbusd_etc_t) - + @@ -22,9 +20,6 @@ type dbusd_exec_t; corecmd_executable_file(dbusd_exec_t) typealias dbusd_exec_t alias system_dbusd_exec_t; - + -type session_dbusd_home_t; -userdom_user_home_content(session_dbusd_home_t) - @@ -24672,26 +24672,26 @@ index c9998c80d..5b5df4c14 100644 typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; @@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t) - + type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) -init_daemon_run_dir(system_dbusd_var_run_t, "dbus") +init_sock_file(system_dbusd_var_run_t) +mls_trusted_object(system_dbusd_var_run_t) - + ifdef(`enable_mcs',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) @@ -51,59 +47,64 @@ ifdef(`enable_mls',` - init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) + init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') - + -######################################## +############################## # -# Local policy +# System bus local policy # - + -allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; +# dac_override: /var/run/dbus is owned by messagebus on Debian +# cjp: dac_override should probably go in a distro_debian 
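Review bot: The section header comment introduced in dbus.te (hunk `@@ -24641`) reads `+# Delcarations`, replacing a line that spelled it `Declarations`. This is inner-patch text the outer change only re-indents, but it is the version that ends up in the policy source. Change it to `# Declarations`.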
@@ -24706,20 +24706,20 @@ index c9998c80d..5b5df4c14 100644 +allow system_dbusd_t self:unix_dgram_socket create_socket_perms; +# Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; - + +can_exec(system_dbusd_t, dbusd_exec_t) + allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t) - + manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file }) +files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) - + read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) - + manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) @@ -24727,7 +24727,7 @@ index c9998c80d..5b5df4c14 100644 - -can_exec(system_dbusd_t, dbusd_exec_t) +files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) - + kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) - 
@@ -24736,27 +24736,27 @@ index c9998c80d..5b5df4c14 100644 -corecmd_read_bin_sockets(system_dbusd_t) -corecmd_exec_shell(system_dbusd_t) +kernel_stream_connect(system_dbusd_t) - + dev_read_urand(system_dbusd_t) dev_read_sysfs(system_dbusd_t) - + -domain_use_interactive_fds(system_dbusd_t) -domain_read_all_domains_state(system_dbusd_t) +dev_rw_inherited_input_dev(system_dbusd_t) +dev_rw_inherited_dri(system_dbusd_t) - + -files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) +dev_rw_nvme(system_dbusd_t) + +files_rw_inherited_non_security_files(system_dbusd_t) - + fs_getattr_all_fs(system_dbusd_t) fs_list_inotifyfs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) -fs_search_cgroup_dirs(system_dbusd_t) fs_dontaudit_list_nfs(system_dbusd_t) - + +storage_rw_inherited_fixed_disk_dev(system_dbusd_t) +storage_rw_inherited_removable_device(system_dbusd_t) + @@ -24767,7 +24767,7 @@ index c9998c80d..5b5df4c14 100644 @@ -123,66 +124,170 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) - + +corecmd_list_bin(system_dbusd_t) +corecmd_read_bin_pipes(system_dbusd_t) +corecmd_read_bin_sockets(system_dbusd_t) @@ -24786,20 +24786,20 @@ index c9998c80d..5b5df4c14 100644 +init_domtrans_script(system_dbusd_t) +init_rw_stream_sockets(system_dbusd_t) +init_status(system_dbusd_t) - + logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) - + -miscfiles_read_localization(system_dbusd_t) miscfiles_read_generic_certs(system_dbusd_t) - + seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) +seutil_sigchld_newrole(system_dbusd_t) - + userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) - + +userdom_home_reader(system_dbusd_t) + +optional_policy(` 
@@ -24807,9 +24807,9 @@ index c9998c80d..5b5df4c14 100644 +') + optional_policy(` - bluetooth_stream_connect(system_dbusd_t) + bluetooth_stream_connect(system_dbusd_t) ') - + optional_policy(` - policykit_read_lib(system_dbusd_t) + cpufreqselector_dbus_chat(system_dbusd_t) @@ -24838,7 +24838,7 @@ index c9998c80d..5b5df4c14 100644 + policykit_domtrans_auth(system_dbusd_t) + policykit_search_lib(system_dbusd_t) ') - + optional_policy(` - seutil_sigchld_newrole(system_dbusd_t) + snapper_read_inherited_pipe(system_dbusd_t) @@ -24857,11 +24857,11 @@ index c9998c80d..5b5df4c14 100644 + systemd_config_all_services(system_dbusd_t) + files_config_all_files(system_dbusd_t) ') - + optional_policy(` - udev_read_db(system_dbusd_t) + udev_read_db(system_dbusd_t) ') - + +optional_policy(` + # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc + xserver_read_inherited_xdm_lib_files(system_dbusd_t) @@ -24912,7 +24912,7 @@ index c9998c80d..5b5df4c14 100644 +ifdef(`hide_broken_symptoms',` + dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write }; +') - + +######################################## +# +# session_bus_type rules @@ -24931,11 +24931,11 @@ index c9998c80d..5b5df4c14 100644 +allow session_bus_type self:unix_dgram_socket create_socket_perms; +allow session_bus_type self:tcp_socket create_stream_socket_perms; allow session_bus_type self:netlink_selinux_socket create_socket_perms; - + allow session_bus_type dbusd_etc_t:dir list_dir_perms; read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t) - + -manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t) -manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t) -userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus") 
@@ -24944,15 +24944,15 @@ index c9998c80d..5b5df4c14 100644 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t) -files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file }) +files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir }) - + -kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) - + corecmd_list_bin(session_bus_type) @@ -191,23 +296,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) - + -corenet_all_recvfrom_unlabeled(session_bus_type) -corenet_all_recvfrom_netlabel(session_bus_type) corenet_tcp_sendrecv_generic_if(session_bus_type) @@ -24962,37 +24962,37 @@ index c9998c80d..5b5df4c14 100644 - -corenet_sendrecv_all_server_packets(session_bus_type) corenet_tcp_bind_reserved_port(session_bus_type) - + dev_read_urand(session_bus_type) - + -domain_read_all_domains_state(session_bus_type) domain_use_interactive_fds(session_bus_type) +domain_read_all_domains_state(session_bus_type) - + files_list_home(session_bus_type) -files_read_usr_files(session_bus_type) files_dontaudit_search_var(session_bus_type) - + fs_getattr_romfs(session_bus_type) @@ -215,7 +315,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) - + -selinux_get_fs_mount(session_bus_type) selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) @@ -225,18 +324,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) - + logging_send_audit_msgs(session_bus_type) -logging_send_syslog_msg(session_bus_type) - -miscfiles_read_localization(session_bus_type) - + seutil_read_config(session_bus_type) seutil_read_default_contexts(session_bus_type) - + -term_use_all_terms(session_bus_type) +term_use_all_inherited_terms(session_bus_type) + 
@@ -25001,7 +25001,7 @@ index c9998c80d..5b5df4c14 100644 +userdom_manage_user_home_content_files(session_bus_type) +userdom_manage_tmpfs_files(session_bus_type, file) +userdom_tmpfs_filetrans(session_bus_type, file) - + optional_policy(` - xserver_use_xdm_fds(session_bus_type) + gnome_read_config(session_bus_type) @@ -25018,16 +25018,16 @@ index c9998c80d..5b5df4c14 100644 + +optional_policy(` + xserver_search_xdm_lib(session_bus_type) - xserver_rw_xdm_pipes(session_bus_type) + xserver_rw_xdm_pipes(session_bus_type) + xserver_use_xdm_fds(session_bus_type) + xserver_append_xdm_home_files(session_bus_type) ') - + ######################################## @@ -244,5 +361,9 @@ optional_policy(` # Unconfined access to this module # - + -allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms; -allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg; +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; @@ -25043,7 +25043,7 @@ index 62d3c4e66..cef59a752 100644 @@ -10,6 +10,8 @@ /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) - + +/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) + /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) @@ -25054,12 +25054,12 @@ index a5c21e0e8..46394219a 100644 --- a/dcc.if +++ b/dcc.if @@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',` - type dcc_var_t, dccifd_var_run_t, dccifd_t; - ') - + type dcc_var_t, dccifd_var_run_t, dccifd_t; + ') + - files_search_var($1) + files_search_pids($1) - stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) + stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te index 353fa4a09..a5e912fca 100644 @@ -25067,48 +25067,48 @@ index 353fa4a09..a5e912fca 100644 +++ b/dcc.te 
@@ -45,7 +45,7 @@ type dcc_var_t; files_type(dcc_var_t) - + type dcc_var_run_t; -files_type(dcc_var_run_t) +files_pid_file(dcc_var_run_t) - + type dccd_t; type dccd_exec_t; @@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms; read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t) - + +corenet_all_recvfrom_netlabel(cdcc_t) +corenet_udp_sendrecv_generic_if(cdcc_t) +corenet_udp_sendrecv_generic_node(cdcc_t) +corenet_udp_sendrecv_all_ports(cdcc_t) + files_read_etc_runtime_files(cdcc_t) - + auth_use_nsswitch(cdcc_t) - + logging_send_syslog_msg(cdcc_t) - + -miscfiles_read_localization(cdcc_t) - -userdom_use_user_terminals(cdcc_t) +userdom_use_inherited_user_terminals(cdcc_t) - + ######################################## # @@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid }; - + allow dcc_client_t dcc_client_map_t:file rw_file_perms; - + +domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t) + manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) @@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) - + kernel_read_system_state(dcc_client_t) - + +corenet_all_recvfrom_netlabel(dcc_client_t) +corenet_udp_sendrecv_generic_if(dcc_client_t) +corenet_udp_sendrecv_generic_node(dcc_client_t) @@ -25116,123 +25116,123 @@ index 353fa4a09..a5e912fca 100644 +corenet_udp_bind_generic_node(dcc_client_t) + files_read_etc_runtime_files(dcc_client_t) - + fs_getattr_all_fs(dcc_client_t) 
@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t) - + logging_send_syslog_msg(dcc_client_t) - + -miscfiles_read_localization(dcc_client_t) - -userdom_use_user_terminals(dcc_client_t) +userdom_use_inherited_user_terminals(dcc_client_t) - + optional_policy(` - amavis_read_spool_files(dcc_client_t) + antivirus_read_db(dcc_client_t) ') - + optional_policy(` @@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) - + kernel_read_system_state(dcc_dbclean_t) - + +corenet_all_recvfrom_netlabel(dcc_dbclean_t) +corenet_udp_sendrecv_generic_if(dcc_dbclean_t) +corenet_udp_sendrecv_generic_node(dcc_dbclean_t) +corenet_udp_sendrecv_all_ports(dcc_dbclean_t) + files_read_etc_runtime_files(dcc_dbclean_t) - + auth_use_nsswitch(dcc_dbclean_t) - + logging_send_syslog_msg(dcc_dbclean_t) - + -miscfiles_read_localization(dcc_dbclean_t) - -userdom_use_user_terminals(dcc_dbclean_t) +userdom_use_inherited_user_terminals(dcc_dbclean_t) - + ######################################## # @@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) kernel_read_system_state(dccd_t) kernel_read_kernel_sysctls(dccd_t) - + -corenet_all_recvfrom_unlabeled(dccd_t) corenet_all_recvfrom_netlabel(dccd_t) corenet_udp_sendrecv_generic_if(dccd_t) corenet_udp_sendrecv_generic_node(dccd_t) @@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t) - + logging_send_syslog_msg(dccd_t) - + -miscfiles_read_localization(dccd_t) - userdom_dontaudit_use_unpriv_user_fds(dccd_t) userdom_dontaudit_search_user_home_dirs(dccd_t) - + @@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) kernel_read_system_state(dccifd_t) kernel_read_kernel_sysctls(dccifd_t) - + +corenet_all_recvfrom_netlabel(dccifd_t) +corenet_udp_sendrecv_generic_if(dccifd_t) +corenet_udp_sendrecv_generic_node(dccifd_t) +corenet_udp_sendrecv_all_ports(dccifd_t) + dev_read_sysfs(dccifd_t) - + domain_use_interactive_fds(dccifd_t) 
@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t) - + logging_send_syslog_msg(dccifd_t) - + -miscfiles_read_localization(dccifd_t) - userdom_dontaudit_use_unpriv_user_fds(dccifd_t) userdom_dontaudit_search_user_home_dirs(dccifd_t) - + @@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) kernel_read_system_state(dccm_t) kernel_read_kernel_sysctls(dccm_t) - + +corenet_all_recvfrom_netlabel(dccm_t) +corenet_udp_sendrecv_generic_if(dccm_t) +corenet_udp_sendrecv_generic_node(dccm_t) +corenet_udp_sendrecv_all_ports(dccm_t) + dev_read_sysfs(dccm_t) - + domain_use_interactive_fds(dccm_t) @@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t) - + logging_send_syslog_msg(dccm_t) - + -miscfiles_read_localization(dccm_t) - userdom_dontaudit_use_unpriv_user_fds(dccm_t) userdom_dontaudit_search_user_home_dirs(dccm_t) - + diff --git a/ddclient.if b/ddclient.if index 5606b4069..cd18cf2a7 100644 --- a/ddclient.if +++ b/ddclient.if @@ -70,9 +70,13 @@ interface(`ddclient_admin',` - type ddclient_var_run_t, ddclient_initrc_exec_t; - ') - + type ddclient_var_run_t, ddclient_initrc_exec_t; + ') + - allow $1 ddclient_t:process { ptrace signal_perms }; + allow $1 ddclient_t:process signal_perms; - ps_process_pattern($1, ddclient_t) - + ps_process_pattern($1, ddclient_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 ddclient_t:process ptrace; + ') + - init_labeled_script_domtrans($1, ddclient_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ddclient_initrc_exec_t system_r; + init_labeled_script_domtrans($1, ddclient_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te index a4caa1b5b..42f30662d 100644 --- a/ddclient.te @@ -25240,7 +25240,7 @@ index a4caa1b5b..42f30662d 100644 @@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t) # Declarations # - + + dontaudit ddclient_t self:capability sys_tty_config; allow ddclient_t self:process signal_perms; 
@@ -25248,13 +25248,13 @@ index a4caa1b5b..42f30662d 100644 +allow ddclient_t self:tcp_socket create_socket_perms; +allow ddclient_t self:udp_socket create_socket_perms; +allow ddclient_t self:netlink_route_socket r_netlink_socket_perms; - + read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) @@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t) corecmd_exec_shell(ddclient_t) corecmd_exec_bin(ddclient_t) - + -corenet_all_recvfrom_unlabeled(ddclient_t) corenet_all_recvfrom_netlabel(ddclient_t) corenet_tcp_sendrecv_generic_if(ddclient_t) @@ -25265,27 +25265,27 @@ index a4caa1b5b..42f30662d 100644 corenet_udp_sendrecv_all_ports(ddclient_t) +corenet_tcp_bind_generic_node(ddclient_t) +corenet_udp_bind_generic_node(ddclient_t) - + corenet_sendrecv_all_client_packets(ddclient_t) corenet_tcp_connect_all_ports(ddclient_t) @@ -92,16 +97,16 @@ dev_read_urand(ddclient_t) - + domain_use_interactive_fds(ddclient_t) - + -files_read_etc_files(ddclient_t) files_read_etc_runtime_files(ddclient_t) -files_read_usr_files(ddclient_t) - + fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) - + +auth_read_passwd(ddclient_t) + logging_send_syslog_msg(ddclient_t) - + -miscfiles_read_localization(ddclient_t) +mta_send_mail(ddclient_t) - + sysnet_exec_ifconfig(ddclient_t) sysnet_dns_name_resolve(ddclient_t) diff --git a/ddcprobe.te b/ddcprobe.te @@ -25295,11 +25295,11 @@ index 8fa4bb994..8f5ffb00a 100644 @@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t) dev_read_raw_memory(ddcprobe_t) dev_wx_raw_memory(ddcprobe_t) - + -files_read_etc_files(ddcprobe_t) files_read_etc_runtime_files(ddcprobe_t) -files_read_usr_files(ddcprobe_t) - + term_use_all_ttys(ddcprobe_t) term_use_all_ptys(ddcprobe_t) diff --git a/denyhosts.if b/denyhosts.if @@ -25313,35 +25313,35 @@ index a7326da62..c87b5b7c6 100644 +## # interface(`denyhosts_admin',` - gen_require(` + gen_require(` 
@@ -60,20 +61,24 @@ interface(`denyhosts_admin',` - type denyhosts_var_log_t, denyhosts_initrc_exec_t; - ') - + type denyhosts_var_log_t, denyhosts_initrc_exec_t; + ') + - allow $1 denyhosts_t:process { ptrace signal_perms }; + allow $1 denyhosts_t:process signal_perms; - ps_process_pattern($1, denyhosts_t) - + ps_process_pattern($1, denyhosts_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 denyhosts_t:process ptrace; + ') + - denyhosts_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 denyhosts_initrc_exec_t system_r; - allow $2 system_r; - + denyhosts_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 denyhosts_initrc_exec_t system_r; + allow $2 system_r; + - files_search_var_lib($1) + files_list_var_lib($1) - admin_pattern($1, denyhosts_var_lib_t) - + admin_pattern($1, denyhosts_var_lib_t) + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, denyhosts_var_log_t) - + admin_pattern($1, denyhosts_var_log_t) + - files_search_locks($1) + files_list_locks($1) - admin_pattern($1, denyhosts_var_lock_t) + admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/denyhosts.te b/denyhosts.te index 583a52726..91c4104c7 100644 @@ -25354,13 +25354,13 @@ index 583a52726..91c4104c7 100644 +# Bug #588563 +allow denyhosts_t self:capability sys_tty_config; +allow denyhosts_t self:fifo_file rw_fifo_file_perms; - + allow denyhosts_t self:capability sys_tty_config; allow denyhosts_t self:fifo_file rw_fifo_file_perms; @@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t) corecmd_exec_bin(denyhosts_t) corecmd_exec_shell(denyhosts_t) - + -corenet_all_recvfrom_unlabeled(denyhosts_t) corenet_all_recvfrom_netlabel(denyhosts_t) corenet_tcp_sendrecv_generic_if(denyhosts_t) @@ -25368,20 +25368,20 @@ index 583a52726..91c4104c7 100644 
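Review bot: In denyhosts.te (hunk `@@ -25354`) the inner patch adds `allow denyhosts_t self:capability sys_tty_config;` and `allow denyhosts_t self:fifo_file rw_fifo_file_perms;` under `# Bug #588563`, while the identical two rules survive as context immediately below, so the resulting file carries each rule twice. Duplicate allow rules are merged by the policy compiler and do not widen access, but the second copy is dead text that obscures what the bug reference actually needed. Drop the duplicated pair and move the `# Bug #588563` comment onto the surviving rules.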
@@ -57,13 +59,19 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) corenet_tcp_sendrecv_smtp_port(denyhosts_t) - + +corenet_sendrecv_sype_transport_client_packets(denyhosts_t) +corenet_tcp_connect_sype_transport_port(denyhosts_t) +corenet_tcp_sendrecv_sype_transport_port(denyhosts_t) + dev_read_urand(denyhosts_t) - + +auth_use_nsswitch(denyhosts_t) + +iptables_domtrans(denyhosts_t) + logging_read_generic_logs(denyhosts_t) logging_send_syslog_msg(denyhosts_t) - + -miscfiles_read_localization(denyhosts_t) - sysnet_dns_name_resolve(denyhosts_t) @@ -25389,7 +25389,7 @@ index 583a52726..91c4104c7 100644 sysnet_etc_filetrans_config(denyhosts_t) @@ -71,3 +79,7 @@ sysnet_etc_filetrans_config(denyhosts_t) optional_policy(` - cron_system_entry(denyhosts_t, denyhosts_exec_t) + cron_system_entry(denyhosts_t, denyhosts_exec_t) ') + +optional_policy(` @@ -25404,7 +25404,7 @@ index ae49c9d99..b8479873e 100644 /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) - + /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) diff --git a/devicekit.if b/devicekit.if @@ -25414,17 +25414,17 @@ index 8ce99ff48..1bc5d3aea 100644 @@ -1,4 +1,4 @@ -## Devicekit modular hardware abstraction layer. +## Devicekit modular hardware abstraction layer - + ######################################## ## 
@@ -15,10 +15,27 @@ interface(`devicekit_domtrans',` - type devicekit_t, devicekit_exec_t; - ') - + type devicekit_t, devicekit_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, devicekit_exec_t, devicekit_t) + domtrans_pattern($1, devicekit_exec_t, devicekit_t) ') - + +######################################## +## +## Execute a domain transition to run devicekit_disk. @@ -25449,19 +25449,19 @@ index 8ce99ff48..1bc5d3aea 100644 @@ -32,11 +49,10 @@ interface(`devicekit_domtrans',` # interface(`devicekit_dgram_send',` - gen_require(` + gen_require(` - type devicekit_t, devicekit_var_run_t; + type devicekit_t; - ') - + ') + - files_search_pids($1) - dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t) + allow $1 devicekit_t:unix_dgram_socket sendto; ') - + ######################################## @@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',` - + ######################################## ## -## Send generic signals to devicekit power. @@ -25475,15 +25475,15 @@ index 8ce99ff48..1bc5d3aea 100644 # -interface(`devicekit_signal_power',` +interface(`devicekit_use_fds_disk',` - gen_require(` + gen_require(` - type devicekit_power_t; + type devicekit_disk_t; - ') - + ') + - allow $1 devicekit_power_t:process signal; -+ allow $1 devicekit_disk_t:fd use; ++ allow $1 devicekit_disk_t:fd use; ') - + ######################################## ## -## Send and receive messages from @@ -25500,18 +25500,18 @@ index 8ce99ff48..1bc5d3aea 100644 # -interface(`devicekit_dbus_chat_power',` +interface(`devicekit_dontaudit_dbus_chat_disk',` - gen_require(` + gen_require(` - type devicekit_power_t; + type devicekit_disk_t; - class dbus send_msg; - ') - + class dbus send_msg; + ') + - allow $1 devicekit_power_t:dbus send_msg; - allow devicekit_power_t $1:dbus send_msg; + dontaudit $1 devicekit_disk_t:dbus send_msg; + dontaudit devicekit_disk_t $1:dbus send_msg; ') - + ######################################## ## -## Use and inherit devicekit power 
@@ -25526,14 +25526,14 @@ index 8ce99ff48..1bc5d3aea 100644 # -interface(`devicekit_use_fds_power',` +interface(`devicekit_signal_power',` - gen_require(` - type devicekit_power_t; - ') - + gen_require(` + type devicekit_power_t; + ') + - allow $1 devicekit_power_t:fd use; + allow $1 devicekit_power_t:process signal; ') - + ######################################## ## -## Append inherited devicekit log files. @@ -25586,17 +25586,17 @@ index 8ce99ff48..1bc5d3aea 100644 +## +# interface(`devicekit_append_inherited_log_files',` - gen_require(` - type devicekit_var_log_t; - ') - - logging_search_logs($1) + gen_require(` + type devicekit_var_log_t; + ') + + logging_search_logs($1) - allow $1 devicekit_var_log_t:file { getattr_file_perms append }; + allow $1 devicekit_var_log_t:file append_inherited_file_perms; - - devicekit_use_fds_power($1) + + devicekit_use_fds_power($1) ') - + -######################################## +####################################### ## @@ -25615,11 +25615,11 @@ index 8ce99ff48..1bc5d3aea 100644 # -interface(`devicekit_manage_log_files',` +interface(`devicekit_read_log_files',` - gen_require(` - type devicekit_var_log_t; - ') - - logging_search_logs($1) + gen_require(` + type devicekit_var_log_t; + ') + + logging_search_logs($1) - manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) + allow $1 devicekit_var_log_t:file read_file_perms; +') @@ -25642,7 +25642,7 @@ index 8ce99ff48..1bc5d3aea 100644 + + dontaudit $1 devicekit_var_log_t:file rw_file_perms; ') - + ######################################## ## -## Relabel devicekit log files. 
@@ -25656,20 +25656,20 @@ index 8ce99ff48..1bc5d3aea 100644 # -interface(`devicekit_relabel_log_files',` +interface(`devicekit_read_state_power',` - gen_require(` + gen_require(` - type devicekit_var_log_t; + type devicekit_power_t; - ') - + ') + - logging_search_logs($1) - relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) + kernel_search_proc($1) + ps_process_pattern($1, devicekit_power_t) ') - + ######################################## @@ -220,11 +293,30 @@ interface(`devicekit_read_pid_files',` - + ######################################## ## -## Create, read, write, and delete @@ -25683,7 +25683,7 @@ index 8ce99ff48..1bc5d3aea 100644 +## +# +interface(`devicekit_dontaudit_read_pid_files',` -+ gen_require(` ++ gen_require(` + type devicekit_var_run_t; + ') + @@ -25701,11 +25701,11 @@ index 8ce99ff48..1bc5d3aea 100644 ## ## @@ -235,22 +327,59 @@ interface(`devicekit_manage_pid_files',` - ') - - files_search_pids($1) + ') + + files_search_pids($1) + manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) - manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) + manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) + files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") +') + @@ -25727,7 +25727,7 @@ index 8ce99ff48..1bc5d3aea 100644 + logging_search_logs($1) + relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t) ') - + ######################################## ## -## All of the rules required to @@ -25765,12 +25765,12 @@ index 8ce99ff48..1bc5d3aea 100644 ## ## 
@@ -259,21 +388,48 @@ interface(`devicekit_admin',` - gen_require(` - type devicekit_t, devicekit_disk_t, devicekit_power_t; - type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; + gen_require(` + type devicekit_t, devicekit_disk_t, devicekit_power_t; + type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; - type devicekit_var_log_t; - ') - + ') + - allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t }) + allow $1 devicekit_t:process signal_perms; @@ -25786,20 +25786,20 @@ index 8ce99ff48..1bc5d3aea 100644 + + allow $1 devicekit_power_t:process signal_perms; + ps_process_pattern($1, devicekit_power_t) - + - files_search_tmp($1) - admin_pattern($1, devicekit_tmp_t) + admin_pattern($1, devicekit_tmp_t) + files_list_tmp($1) - + - files_search_var_lib($1) - admin_pattern($1, devicekit_var_lib_t) + admin_pattern($1, devicekit_var_lib_t) + files_list_var_lib($1) - + - logging_search_logs($1) - admin_pattern($1, devicekit_var_log_t) - - files_search_pids($1) - admin_pattern($1, devicekit_var_run_t) + admin_pattern($1, devicekit_var_run_t) + files_list_pids($1) +') + @@ -25827,41 +25827,41 @@ index 77a5003c0..8d3dc77cb 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) - + type devicekit_t; type devicekit_exec_t; -dbus_system_domain(devicekit_t, devicekit_exec_t) +init_daemon_domain(devicekit_t, devicekit_exec_t) - + type devicekit_power_t; type devicekit_power_exec_t; -dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) +init_daemon_domain(devicekit_power_t, devicekit_power_exec_t) - + type devicekit_disk_t; type devicekit_disk_exec_t; -dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) +init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t) - + type devicekit_tmp_t; files_tmp_file(devicekit_tmp_t) 
@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t) dev_read_sysfs(devicekit_t) dev_read_urand(devicekit_t) - + -files_read_etc_files(devicekit_t) - -miscfiles_read_localization(devicekit_t) - optional_policy(` + dbus_system_domain(devicekit_t, devicekit_exec_t) - dbus_system_bus_client(devicekit_t) - - allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; + dbus_system_bus_client(devicekit_t) + + allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg; @@ -64,7 +61,8 @@ optional_policy(` # Disk local policy # - + -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio }; + @@ -25873,7 +25873,7 @@ index 77a5003c0..8d3dc77cb 100644 manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file }) +files_filetrans_named_content(devicekit_disk_t) - + +kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t) kernel_getattr_message_if(devicekit_disk_t) kernel_list_unlabeled(devicekit_disk_t) @@ -25886,11 +25886,11 @@ index 77a5003c0..8d3dc77cb 100644 kernel_request_load_module(devicekit_disk_t) -kernel_setsched(devicekit_disk_t) +kernel_dontaudit_setsched(devicekit_disk_t) - + corecmd_exec_bin(devicekit_disk_t) corecmd_exec_shell(devicekit_disk_t) @@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t) - + dev_getattr_all_chr_files(devicekit_disk_t) dev_getattr_mtrr_dev(devicekit_disk_t) +dev_rw_generic_blk_files(devicekit_disk_t) 
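Review bot: The new capability set for devicekit_disk_t in hunk `@@ -25827` lists `dac_read_search` twice: `{ chown setuid setgid dac_read_search dac_read_search dac_override … }`. The duplicate is harmless to the compiler but reads like a merge slip, and a capability line for a daemon with `sys_admin` and `sys_rawio` deserves to be easy to audit. Remove the second `dac_read_search`.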
@@ -25905,55 +25905,55 @@ index 77a5003c0..8d3dc77cb 100644 +files_manage_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) -files_read_usr_files(devicekit_disk_t) - + fs_getattr_all_fs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t) @@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) - + -term_use_all_terms(devicekit_disk_t) +term_use_all_inherited_terms(devicekit_disk_t) - + auth_use_nsswitch(devicekit_disk_t) - + logging_send_syslog_msg(devicekit_disk_t) - + -miscfiles_read_localization(devicekit_disk_t) - userdom_read_all_users_state(devicekit_disk_t) userdom_search_user_home_dirs(devicekit_disk_t) +userdom_manage_user_tmp_dirs(devicekit_disk_t) - + optional_policy(` + dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) - dbus_system_bus_client(devicekit_disk_t) - - allow devicekit_disk_t devicekit_t:dbus send_msg; + dbus_system_bus_client(devicekit_disk_t) + + allow devicekit_disk_t devicekit_t:dbus send_msg; @@ -170,6 +171,7 @@ optional_policy(` - + optional_policy(` - mount_domtrans(devicekit_disk_t) + mount_domtrans(devicekit_disk_t) + mount_read_pid_files(devicekit_disk_t) ') - + optional_policy(` @@ -182,6 +184,11 @@ optional_policy(` - raid_domtrans_mdadm(devicekit_disk_t) + raid_domtrans_mdadm(devicekit_disk_t) ') - + +optional_policy(` + systemd_read_logind_sessions_files(devicekit_disk_t) + systemd_write_inhibit_pipes(devicekit_disk_t) +') + optional_policy(` - udev_domtrans(devicekit_disk_t) - udev_read_db(devicekit_disk_t) + udev_domtrans(devicekit_disk_t) + udev_read_db(devicekit_disk_t) @@ -192,12 +199,19 @@ optional_policy(` - virt_manage_images(devicekit_disk_t) + virt_manage_images(devicekit_disk_t) ') - + +optional_policy(` + unconfined_domain(devicekit_t) + unconfined_domain(devicekit_power_t) 
@@ -25964,7 +25964,7 @@ index 77a5003c0..8d3dc77cb 100644 # # Power local policy # - + -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:capability { dac_read_search dac_override net_admin sys_admin sys_tty_config sys_nice }; +allow devicekit_power_t self:capability2 compromise_kernel; @@ -25974,13 +25974,13 @@ index 77a5003c0..8d3dc77cb 100644 @@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) - + -allow devicekit_power_t devicekit_var_log_t:file append_file_perms; -allow devicekit_power_t devicekit_var_log_t:file create_file_perms; -allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms; +manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t) logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) - + manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) @@ -224,12 +236,12 @@ files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, { dir file }) kernel_read_fs_sysctls(devicekit_power_t) @@ -25994,35 +25994,35 @@ index 77a5003c0..8d3dc77cb 100644 kernel_write_proc_files(devicekit_power_t) -kernel_setsched(devicekit_power_t) +kernel_dontaudit_setsched(devicekit_power_t) - + corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) 
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t) - + files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) -files_read_usr_files(devicekit_power_t) files_dontaudit_list_mnt(devicekit_power_t) - + fs_getattr_all_fs(devicekit_power_t) fs_list_inotifyfs(devicekit_power_t) - + -term_use_all_terms(devicekit_power_t) +term_use_all_inherited_terms(devicekit_power_t) - + auth_use_nsswitch(devicekit_power_t) - + init_all_labeled_script_domtrans(devicekit_power_t) init_read_utmp(devicekit_power_t) - + -miscfiles_read_localization(devicekit_power_t) - sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) - + @@ -277,6 +286,12 @@ optional_policy(` ') - + optional_policy(` + cron_initrc_domtrans(devicekit_power_t) + cron_systemctl(devicekit_power_t) @@ -26030,26 +26030,26 @@ index 77a5003c0..8d3dc77cb 100644 + +optional_policy(` + dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) - dbus_system_bus_client(devicekit_power_t) - - allow devicekit_power_t devicekit_t:dbus send_msg; + dbus_system_bus_client(devicekit_power_t) + + allow devicekit_power_t devicekit_t:dbus send_msg; @@ -306,9 +321,12 @@ optional_policy(` - fstools_domtrans(devicekit_power_t) + fstools_domtrans(devicekit_power_t) ') - + +optional_policy(` + gnome_manage_home_config(devicekit_power_t) +') + optional_policy(` - hal_domtrans_mac(devicekit_power_t) + hal_domtrans_mac(devicekit_power_t) - hal_manage_log(devicekit_power_t) - hal_manage_pid_dirs(devicekit_power_t) - hal_manage_pid_files(devicekit_power_t) + hal_manage_pid_dirs(devicekit_power_t) + hal_manage_pid_files(devicekit_power_t) ') @@ -347,3 +365,9 @@ optional_policy(` optional_policy(` - vbetool_domtrans(devicekit_power_t) + vbetool_domtrans(devicekit_power_t) ') + +optional_policy(` @@ -26064,7 +26064,7 @@ index 8182c4806..0b9bb9710 100644 
@@ -1,6 +1,13 @@ /etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/dhcrelay(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) - + -/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) +/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) +/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) @@ -26073,7 +26073,7 @@ index 8182c4806..0b9bb9710 100644 + +/usr/sbin/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_exec_t,s0) +/usr/sbin/dhcrelay(6)? -- gen_context(system_u:object_r:dhcpd_exec_t,s0) - + /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) diff --git a/dhcp.if b/dhcp.if @@ -26081,18 +26081,18 @@ index c697edbcd..954c090bd 100644 --- a/dhcp.if +++ b/dhcp.if @@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',` - ') - - sysnet_search_dhcp_state($1) + ') + + sysnet_search_dhcp_state($1) - allow $1 dhcpd_state_t:file setattr; + allow $1 dhcpd_state_t:file setattr_file_perms; ') - + ######################################## @@ -58,6 +58,31 @@ interface(`dhcpd_initrc_domtrans',` - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) + init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) ') - + +######################################## +## +## Execute dhcpd server in the dhcpd domain. @@ -26122,27 +26122,27 @@ index c697edbcd..954c090bd 100644 ## ## All of the rules required to 
@@ -79,11 +104,16 @@ interface(`dhcpd_admin',` - gen_require(` - type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; - type dhcpd_var_run_t, dhcpd_initrc_exec_t; + gen_require(` + type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; + type dhcpd_var_run_t, dhcpd_initrc_exec_t; + type dhcpd_unit_file_t; - ') - + ') + - allow $1 dhcpd_t:process { ptrace signal_perms }; + allow $1 dhcpd_t:process signal_perms; - ps_process_pattern($1, dhcpd_t) - + ps_process_pattern($1, dhcpd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 dhcpd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dhcpd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dhcpd_initrc_exec_t system_r; @@ -97,4 +127,8 @@ interface(`dhcpd_admin',` - - files_list_pids($1) - admin_pattern($1, dhcpd_var_run_t) + + files_list_pids($1) + admin_pattern($1, dhcpd_var_run_t) + + dhcpd_systemctl($1) + admin_pattern($1, dhcpd_unit_file_t) @@ -26155,17 +26155,17 @@ index 98a24b989..3ca9fe61a 100644 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) type dhcpd_initrc_exec_t; init_script_file(dhcpd_initrc_exec_t) - + +type dhcpd_unit_file_t; +systemd_unit_file(dhcpd_unit_file_t) + type dhcpd_state_t; files_type(dhcpd_state_t) - + @@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t) # Local policy # - + -allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; +allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; @@ -26174,31 +26174,31 @@ index 98a24b989..3ca9fe61a 100644 
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t) kernel_read_kernel_sysctls(dhcpd_t) kernel_read_network_state(dhcpd_t) - + -corenet_all_recvfrom_unlabeled(dhcpd_t) corenet_all_recvfrom_netlabel(dhcpd_t) corenet_tcp_sendrecv_generic_if(dhcpd_t) corenet_udp_sendrecv_generic_if(dhcpd_t) @@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t) - + domain_use_interactive_fds(dhcpd_t) - + -files_read_usr_files(dhcpd_t) files_read_etc_runtime_files(dhcpd_t) files_search_var_lib(dhcpd_t) - + @@ -102,21 +103,41 @@ auth_use_nsswitch(dhcpd_t) - + logging_send_syslog_msg(dhcpd_t) - + -miscfiles_read_localization(dhcpd_t) - +sysnet_read_config(dhcpd_t) sysnet_read_dhcp_config(dhcpd_t) - + userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) userdom_dontaudit_search_user_home_dirs(dhcpd_t) - + tunable_policy(`dhcpd_use_ldap',` - sysnet_use_ldap(dhcpd_t) + allow dhcpd_t self:tcp_socket create_socket_perms; @@ -26219,36 +26219,36 @@ index 98a24b989..3ca9fe61a 100644 +ifdef(`distro_gentoo',` + allow dhcpd_t self:capability { chown dac_read_search dac_override setgid setuid sys_chroot }; ') - + optional_policy(` + # used for dynamic DNS - bind_read_dnssec_keys(dhcpd_t) + bind_read_dnssec_keys(dhcpd_t) ') - + +optional_policy(` + cobbler_dontaudit_rw_log(dhcpd_t) +') + optional_policy(` - dbus_system_bus_client(dhcpd_t) - dbus_connect_system_bus(dhcpd_t) + dbus_system_bus_client(dhcpd_t) + dbus_connect_system_bus(dhcpd_t) diff --git a/dictd.if b/dictd.if index 3cc3494bd..cb0a1f4bf 100644 --- a/dictd.if +++ b/dictd.if 
@@ -38,8 +38,11 @@ interface(`dictd_admin',` - type dictd_var_run_t, dictd_initrc_exec_t; - ') - + type dictd_var_run_t, dictd_initrc_exec_t; + ') + - allow $1 dictd_t:process { ptrace signal_perms }; + allow $1 dictd_t:process signal_perms; - ps_process_pattern($1, dictd_t) + ps_process_pattern($1, dictd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 dictd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, dictd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, dictd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/dictd.te b/dictd.te index 433d3c5a0..0dccebfd9 100644 --- a/dictd.te @@ -26256,38 +26256,38 @@ index 433d3c5a0..0dccebfd9 100644 @@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file) kernel_read_system_state(dictd_t) kernel_read_kernel_sysctls(dictd_t) - + -corenet_all_recvfrom_unlabeled(dictd_t) corenet_all_recvfrom_netlabel(dictd_t) corenet_tcp_sendrecv_generic_if(dictd_t) corenet_tcp_sendrecv_generic_node(dictd_t) @@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t) domain_use_interactive_fds(dictd_t) - + files_read_etc_runtime_files(dictd_t) -files_read_usr_files(dictd_t) files_search_var_lib(dictd_t) - + fs_getattr_xattr_fs(dictd_t) @@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t) - + logging_send_syslog_msg(dictd_t) - + -miscfiles_read_localization(dictd_t) - userdom_dontaudit_use_unpriv_user_fds(dictd_t) - + optional_policy(` diff --git a/dirmngr.te b/dirmngr.te index b3b218815..5f917054c 100644 --- a/dirmngr.te +++ b/dirmngr.te @@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) - + kernel_read_crypto_sysctls(dirmngr_t) - + -files_read_etc_files(dirmngr_t) - + miscfiles_read_localization(dirmngr_t) diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc new file mode 100644 @@ -26481,7 +26481,7 @@ index 000000000..51fb95d13 --- /dev/null +++ b/dirsrv-admin.te 
@@ -0,0 +1,173 @@ -+policy_module(dirsrv-admin,1.0.0) ++policy_module(dirsrv-admin,1.0.0) + +######################################## +# @@ -26591,7 +26591,7 @@ index 000000000..51fb95d13 + manage_lnk_files_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) + manage_dirs_pattern(dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) + files_tmp_filetrans(dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir }) -+ ++ + miscfiles_read_certs(dirsrvadmin_script_t) + + optional_policy(` @@ -27147,12 +27147,12 @@ index 24d8c740c..1790ec5dc 100644 @@ -19,7 +19,7 @@ # interface(`distcc_admin',` - gen_require(` + gen_require(` - type distccd_t, distccd_t, distccd_log_t; + type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t; - type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t; - ') - + type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t; + ') + diff --git a/distcc.te b/distcc.te index 898b2f433..8a1725b62 100644 --- a/distcc.te @@ -27160,28 +27160,28 @@ index 898b2f433..8a1725b62 100644 @@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file) kernel_read_system_state(distccd_t) kernel_read_kernel_sysctls(distccd_t) - + -corenet_all_recvfrom_unlabeled(distccd_t) corenet_all_recvfrom_netlabel(distccd_t) corenet_tcp_sendrecv_generic_if(distccd_t) corenet_tcp_sendrecv_generic_node(distccd_t) @@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t) - + logging_send_syslog_msg(distccd_t) - + -miscfiles_read_localization(distccd_t) - userdom_dontaudit_use_unpriv_user_fds(distccd_t) userdom_dontaudit_search_user_home_dirs(distccd_t) - + diff --git a/djbdns.if b/djbdns.if index 671d3c0a1..6d36c951a 100644 --- a/djbdns.if +++ b/djbdns.if 
@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',` - - allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; - allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; + + allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms; + allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms; + + corenet_all_recvfrom_netlabel(djbdns_$1_t) + corenet_tcp_sendrecv_generic_if(djbdns_$1_t) @@ -27200,16 +27200,16 @@ index 671d3c0a1..6d36c951a 100644 + + files_search_var(djbdns_$1_t) ') - + ##################################### diff --git a/djbdns.te b/djbdns.te index 87ca536ae..ebd327ad1 100644 --- a/djbdns.te +++ b/djbdns.te @@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain) - + files_search_var(djbdns_domain) - + +daemontools_ipc_domain(djbdns_axfrdns_t) +daemontools_read_svc(djbdns_axfrdns_t) + @@ -27222,21 +27222,21 @@ index 5818418af..674367b3a 100644 --- a/dkim.fc +++ b/dkim.fc @@ -9,7 +9,6 @@ - + /var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - + -/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) /var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0) - + diff --git a/dmidecode.if b/dmidecode.if index 41c3f6770..653a1ecbb 100644 --- a/dmidecode.if +++ b/dmidecode.if @@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',` - domtrans_pattern($1, dmidecode_exec_t, dmidecode_t) + domtrans_pattern($1, dmidecode_exec_t, dmidecode_t) ') - + +###################################### +## +## Execute dmidecode in the caller domain. @@ -27264,9 +27264,9 @@ index aa0ef6e94..d55bbd34c 100644 --- a/dmidecode.te +++ b/dmidecode.te @@ -31,4 +31,9 @@ mls_file_read_all_levels(dmidecode_t) - + locallogin_use_fds(dmidecode_t) - + -userdom_use_user_terminals(dmidecode_t) +userdom_use_inherited_user_terminals(dmidecode_t) + @@ -27281,19 +27281,19 @@ index 23ab808d8..84735a8cb 100644 
@@ -1,13 +1,16 @@ /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0) +/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0) - + /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) - + +/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0) + /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) - + /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) - + -/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0) +/var/log/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_log_t,s0) - + -/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) @@ -27307,12 +27307,12 @@ index 19aa0b80b..a79982cd6 100644 # -# interface(`dnsmasq_domtrans',` - gen_require(` - type dnsmasq_exec_t, dnsmasq_t; + gen_require(` + type dnsmasq_exec_t, dnsmasq_t; @@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',` - domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) + domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) ') - + +####################################### +## +## Execute dnsmasq server in the caller domain. @@ -27353,9 +27353,9 @@ index 19aa0b80b..a79982cd6 100644 ## ## Execute the dnsmasq init script in @@ -40,6 +75,49 @@ interface(`dnsmasq_initrc_domtrans',` - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) + init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) ') - + +######################################## +## +## Execute dnsmasq server in the dnsmasq domain. 
@@ -27408,20 +27408,20 @@ index 19aa0b80b..a79982cd6 100644 # -# interface(`dnsmasq_delete_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - + gen_require(` + type dnsmasq_var_run_t; + ') + + files_search_pids($1) - delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') - + + ######################################## ## ## Create, read, write, and delete @@ -176,7 +255,7 @@ interface(`dnsmasq_manage_pid_files',` - + ######################################## ## -## Read dnsmasq pid files. @@ -27435,16 +27435,16 @@ index 19aa0b80b..a79982cd6 100644 # -# interface(`dnsmasq_read_pid_files',` - gen_require(` - type dnsmasq_var_run_t; - ') - + gen_require(` + type dnsmasq_var_run_t; + ') + + files_search_pids($1) - read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) + read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') - + @@ -214,37 +293,66 @@ interface(`dnsmasq_create_pid_dirs',` - + ######################################## ## -## Create specified objects in specified @@ -27491,10 +27491,10 @@ index 19aa0b80b..a79982cd6 100644 # -interface(`dnsmasq_spec_filetrans_pid',` +interface(`dnsmasq_filetrans_named_content_fromdir',` - gen_require(` - type dnsmasq_var_run_t; - ') - + gen_require(` + type dnsmasq_var_run_t; + ') + - filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4) + filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network") + filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid") @@ -27522,39 +27522,39 @@ index 19aa0b80b..a79982cd6 100644 + files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf") + files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d") ') - + ######################################## 
@@ -267,12 +375,18 @@ interface(`dnsmasq_spec_filetrans_pid',` interface(`dnsmasq_admin',` - gen_require(` - type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; + gen_require(` + type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; + type dnsmasq_var_log_t; + type dnsmasq_initrc_exec_t; + type dnsmasq_unit_file_t; - ') - + ') + - allow $1 dnsmasq_t:process { ptrace signal_perms }; + allow $1 dnsmasq_t:process signal_perms; - ps_process_pattern($1, dnsmasq_t) - + ps_process_pattern($1, dnsmasq_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 dnsmasq_t:process ptrace; + ') + - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dnsmasq_initrc_exec_t system_r; + init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dnsmasq_initrc_exec_t system_r; @@ -281,9 +395,36 @@ interface(`dnsmasq_admin',` - files_list_var_lib($1) - admin_pattern($1, dnsmasq_lease_t) - + files_list_var_lib($1) + admin_pattern($1, dnsmasq_lease_t) + - logging_seearch_logs($1) + logging_search_logs($1) - admin_pattern($1, dnsmasq_var_log_t) - - files_list_pids($1) - admin_pattern($1, dnsmasq_var_run_t) + admin_pattern($1, dnsmasq_var_log_t) + + files_list_pids($1) + admin_pattern($1, dnsmasq_var_run_t) + + dnsmasq_systemctl($1) + admin_pattern($1, dnsmasq_unit_file_t) @@ -27590,7 +27590,7 @@ index 37a3b7b30..67fa8a1a3 100644 @@ -24,12 +24,18 @@ logging_log_file(dnsmasq_var_log_t) type dnsmasq_var_run_t; files_pid_file(dnsmasq_var_run_t) - + +type dnsmasq_unit_file_t; +systemd_unit_file(dnsmasq_unit_file_t) + @@ -27601,7 +27601,7 @@ index 37a3b7b30..67fa8a1a3 100644 # # Local policy # - + -allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw }; +allow dnsmasq_t self:capability { chown dac_read_search dac_override net_admin setgid setuid net_raw }; dontaudit dnsmasq_t self:capability sys_tty_config; 
@@ -27609,16 +27609,16 @@ index 37a3b7b30..67fa8a1a3 100644 allow dnsmasq_t self:fifo_file rw_fifo_file_perms; @@ -38,6 +44,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms; - + read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) +list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) - + manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) @@ -51,12 +58,19 @@ manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) - + +manage_dirs_pattern(dnsmasq_t, dnsmasq_tmp_t, dnsmasq_tmp_t) +manage_files_pattern(dnsmasq_t, dnsmasq_tmp_t, dnsmasq_tmp_t) +files_tmp_filetrans(dnsmasq_t, dnsmasq_tmp_t, { file dir }) @@ -27628,7 +27628,7 @@ index 37a3b7b30..67fa8a1a3 100644 kernel_read_network_state(dnsmasq_t) kernel_read_system_state(dnsmasq_t) kernel_request_load_module(dnsmasq_t) - + -corenet_all_recvfrom_unlabeled(dnsmasq_t) +corecmd_exec_bin(dnsmasq_t) +corecmd_exec_shell(dnsmasq_t) @@ -27638,40 +27638,40 @@ index 37a3b7b30..67fa8a1a3 100644 corenet_udp_sendrecv_generic_if(dnsmasq_t) @@ -80,15 +94,16 @@ dev_read_urand(dnsmasq_t) domain_use_interactive_fds(dnsmasq_t) - + files_read_etc_runtime_files(dnsmasq_t) +files_manage_mnt_files(dnsmasq_t) - + fs_getattr_all_fs(dnsmasq_t) fs_search_auto_mountpoints(dnsmasq_t) - + auth_use_nsswitch(dnsmasq_t) - + -logging_send_syslog_msg(dnsmasq_t) +libs_exec_ldconfig(dnsmasq_t) - + -miscfiles_read_localization(dnsmasq_t) +logging_send_syslog_msg(dnsmasq_t) - + userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) 
@@ -97,13 +112,26 @@ optional_policy(` - cobbler_read_lib_files(dnsmasq_t) + cobbler_read_lib_files(dnsmasq_t) ') - + +optional_policy(` + cron_manage_pid_files(dnsmasq_t) +') + optional_policy(` - dbus_connect_system_bus(dnsmasq_t) - dbus_system_bus_client(dnsmasq_t) + dbus_connect_system_bus(dnsmasq_t) + dbus_system_bus_client(dnsmasq_t) + + optional_policy(` + networkmanager_dbus_chat(dnsmasq_t) + ') ') - + optional_policy(` - networkmanager_read_pid_files(dnsmasq_t) + dnsmasq_domtrans(dnsmasq_t) @@ -27681,15 +27681,15 @@ index 37a3b7b30..67fa8a1a3 100644 + networkmanager_read_conf(dnsmasq_t) + networkmanager_manage_pid_files(dnsmasq_t) ') - + optional_policy(` @@ -124,6 +152,18 @@ optional_policy(` - + optional_policy(` - virt_manage_lib_files(dnsmasq_t) + virt_manage_lib_files(dnsmasq_t) + virt_read_lib_files(dnsmasq_t) - virt_read_pid_files(dnsmasq_t) - virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) + virt_read_pid_files(dnsmasq_t) + virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) ') + +optional_policy(` @@ -27916,9 +27916,9 @@ index c7bb4e782..e6fe2f402 100644 --- a/dnssectrigger.te +++ b/dnssectrigger.te @@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t) - + logging_send_syslog_msg(dnssec_triggerd_t) - + -miscfiles_read_localization(dnssec_triggerd_t) - sysnet_dns_name_resolve(dnssec_triggerd_t) @@ -27931,7 +27931,7 @@ index c88007004..444805588 100644 @@ -1,36 +1,48 @@ -/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - + -/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) -/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - 
@@ -27942,27 +27942,27 @@ index c88007004..444805588 100644 +/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0) +/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0) +/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) - + +/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) /etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0) - + -/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) +# Debian uses /etc/dovecot/ +ifdef(`distro_debian',` +/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0) +') - + -/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) -/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) +# +# /usr +# +/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0) - + -/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0) +/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) +/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0) - + -/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +ifdef(`distro_debian', ` @@ -27970,7 +27970,7 @@ index c88007004..444805588 100644 -/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +') - + -/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +ifdef(`distro_redhat', ` +/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) 
@@ -27980,7 +27980,7 @@ index c88007004..444805588 100644 +/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) +') - + -/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) -/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) +# @@ -27988,15 +27988,15 @@ index c88007004..444805588 100644 +# +/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) +/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) - + -/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) +/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) - + -/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) -/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) +/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0) +/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) - + -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/dovecot.if b/dovecot.if @@ -28028,7 +28028,7 @@ index d5badb755..c2431fc73 100644 + + kernel_read_system_state($1_t) +') - + ####################################### ## -## Connect to dovecot using a unix @@ -28051,13 +28051,13 @@ index d5badb755..c2431fc73 100644 + gen_require(` + type dovecot_t, dovecot_var_run_t; + ') - + - files_search_pids($1) - stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) + files_search_pids($1) + stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t) ') - + ######################################## ## -## Connect to dovecot using a unix @@ -28067,7 +28067,7 @@ index d5badb755..c2431fc73 100644 ## ## 
@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',` - + ######################################## ## -## Execute dovecot_deliver in the @@ -28077,13 +28077,13 @@ index d5badb755..c2431fc73 100644 ## ## @@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',` - type dovecot_deliver_t, dovecot_deliver_exec_t; - ') - + type dovecot_deliver_t, dovecot_deliver_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) + domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -28093,16 +28093,16 @@ index d5badb755..c2431fc73 100644 ## ## @@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',` - ') - - files_search_spool($1) + ') + + files_search_spool($1) - allow $1 dovecot_spool_t:dir manage_dir_perms; - allow $1 dovecot_spool_t:file manage_file_perms; - allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms; + manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t) + manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t) ') - + ######################################## ## -## Do not audit attempts to delete @@ -28112,13 +28112,13 @@ index d5badb755..c2431fc73 100644 ## ## @@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',` - type dovecot_var_lib_t; - ') - + type dovecot_var_lib_t; + ') + - dontaudit $1 dovecot_var_lib_t:file delete_file_perms; + dontaudit $1 dovecot_var_lib_t:file unlink; ') - + ###################################### ## -## Write inherited dovecot tmp files. @@ -28128,9 +28128,9 @@ index d5badb755..c2431fc73 100644 ## ## @@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',` - allow $1 dovecot_tmp_t:file write; + allow $1 dovecot_tmp_t:file write; ') - + +#################################### +## +## Read dovecot configuration file. @@ -28170,24 +28170,24 @@ index d5badb755..c2431fc73 100644 ## ## 
@@ -146,9 +182,13 @@ interface(`dovecot_admin',` - type dovecot_keytab_t; - ') - + type dovecot_keytab_t; + ') + - allow $1 dovecot_t:process { ptrace signal_perms }; + allow $1 dovecot_t:process signal_perms; - ps_process_pattern($1, dovecot_t) - + ps_process_pattern($1, dovecot_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 dovecot_t:process ptrace; + ') + - init_labeled_script_domtrans($1, dovecot_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 dovecot_initrc_exec_t system_r; + init_labeled_script_domtrans($1, dovecot_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 dovecot_initrc_exec_t system_r; @@ -157,20 +197,25 @@ interface(`dovecot_admin',` - files_list_etc($1) - admin_pattern($1, { dovecot_keytab_t dovecot_etc_t }) - + files_list_etc($1) + admin_pattern($1, { dovecot_keytab_t dovecot_etc_t }) + - logging_list_logs($1) - admin_pattern($1, dovecot_var_log_t) + files_list_tmp($1) @@ -28195,22 +28195,22 @@ index d5badb755..c2431fc73 100644 + admin_pattern($1, dovecot_tmp_t) + + admin_pattern($1, dovecot_keytab_t) - - files_list_spool($1) - admin_pattern($1, dovecot_spool_t) - + + files_list_spool($1) + admin_pattern($1, dovecot_spool_t) + - files_search_tmp($1) - admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t }) - - files_list_var_lib($1) - admin_pattern($1, dovecot_var_lib_t) - + files_list_var_lib($1) + admin_pattern($1, dovecot_var_lib_t) + + logging_search_logs($1) + admin_pattern($1, dovecot_var_log_t) + - files_list_pids($1) - admin_pattern($1, dovecot_var_run_t) - + files_list_pids($1) + admin_pattern($1, dovecot_var_run_t) + - admin_pattern($1, { dovecot_cert_t dovecot_passwd_t }) + admin_pattern($1, dovecot_cert_t) + @@ -28221,14 +28221,14 @@ index 0aabc7e66..641a03465 100644 --- a/dovecot.te +++ b/dovecot.te 
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) - + attribute dovecot_domain; - + -type dovecot_t, dovecot_domain; -type dovecot_exec_t; +dovecot_basic_types_template(dovecot) init_daemon_domain(dovecot_t, dovecot_exec_t) - + -type dovecot_auth_t, dovecot_domain; -type dovecot_auth_exec_t; +dovecot_basic_types_template(dovecot_auth) @@ -28238,7 +28238,7 @@ index 0aabc7e66..641a03465 100644 @@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t) type dovecot_cert_t; miscfiles_cert_type(dovecot_cert_t) - + -type dovecot_deliver_t, dovecot_domain; -type dovecot_deliver_exec_t; +dovecot_basic_types_template(dovecot_deliver) @@ -28247,54 +28247,54 @@ index 0aabc7e66..641a03465 100644 role system_r types dovecot_deliver_t; @@ -45,11 +42,12 @@ type dovecot_passwd_t; files_type(dovecot_passwd_t) - + type dovecot_spool_t; -files_type(dovecot_spool_t) +files_spool_file(dovecot_spool_t) - + type dovecot_tmp_t; files_tmp_file(dovecot_tmp_t) - + +# /var/lib/dovecot holds SSL parameters file type dovecot_var_lib_t; files_type(dovecot_var_lib_t) - + 
@@ -59,20 +57,20 @@ logging_log_file(dovecot_var_log_t) type dovecot_var_run_t; files_pid_file(dovecot_var_run_t) - + -######################################## +####################################### # -# Common local policy +# dovecot domain local policy # - + -allow dovecot_domain self:capability2 block_suspend; -allow dovecot_domain self:fifo_file rw_fifo_file_perms; +allow dovecot_domain self:capability sys_resource; +dontaudit dovecot_domain self:capability2 block_suspend; +allow dovecot_domain self:process signal_perms; - + -allow dovecot_domain dovecot_etc_t:dir list_dir_perms; -allow dovecot_domain dovecot_etc_t:file read_file_perms; -allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms; +allow dovecot_domain self:unix_dgram_socket create_socket_perms; +allow dovecot_domain self:fifo_file rw_fifo_file_perms; - + kernel_read_all_sysctls(dovecot_domain) -kernel_read_system_state(dovecot_domain) +kernel_read_network_state(dovecot_domain) - + corecmd_exec_bin(dovecot_domain) corecmd_exec_shell(dovecot_domain) @@ -81,26 +79,34 @@ dev_read_sysfs(dovecot_domain) dev_read_rand(dovecot_domain) dev_read_urand(dovecot_domain) - + +# Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_domain) - + -logging_send_syslog_msg(dovecot_domain) - -miscfiles_read_localization(dovecot_domain) @@ -28304,7 +28304,7 @@ index 0aabc7e66..641a03465 100644 -# Local policy +# dovecot local policy # - + -allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot }; +allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot sys_resource }; dontaudit dovecot_t self:capability sys_tty_config; 
@@ -28317,7 +28317,7 @@ index 0aabc7e66..641a03465 100644 +domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) + +allow dovecot_t dovecot_auth_t:process signal; - + allow dovecot_t dovecot_cert_t:dir list_dir_perms; -allow dovecot_t dovecot_cert_t:file read_file_perms; -allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms; @@ -28330,25 +28330,25 @@ index 0aabc7e66..641a03465 100644 +files_search_etc(dovecot_t) + +can_exec(dovecot_t, dovecot_exec_t) - + allow dovecot_t dovecot_keytab_t:file read_file_perms; - + @@ -108,12 +114,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t) files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir }) - + +# Allow dovecot to create and read SSL parameters file manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) +files_search_var_lib(dovecot_t) +files_read_var_symlinks(dovecot_t) - + manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) -setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) +manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) - + manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -125,45 +132,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) @@ -28362,7 +28362,7 @@ index 0aabc7e66..641a03465 100644 - -domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) +files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file }) - + -corenet_all_recvfrom_unlabeled(dovecot_t) corenet_all_recvfrom_netlabel(dovecot_t) corenet_tcp_sendrecv_generic_if(dovecot_t) 
@@ -28388,9 +28388,9 @@ index 0aabc7e66..641a03465 100644 +fs_getattr_all_dirs(dovecot_t) +fs_search_auto_mountpoints(dovecot_t) +fs_list_inotifyfs(dovecot_t) - + domain_use_interactive_fds(dovecot_t) - + -files_read_var_lib_files(dovecot_t) -files_read_var_symlinks(dovecot_t) files_search_spool(dovecot_t) @@ -28404,17 +28404,17 @@ index 0aabc7e66..641a03465 100644 -fs_search_auto_mountpoints(dovecot_t) -fs_list_inotifyfs(dovecot_t) +files_read_var_lib_files(dovecot_t) - + init_getattr_utmp(dovecot_t) - + @@ -171,45 +168,45 @@ auth_use_nsswitch(dovecot_t) - + miscfiles_read_generic_certs(dovecot_t) - + -userdom_dontaudit_use_unpriv_user_fds(dovecot_t) -userdom_use_user_terminals(dovecot_t) +logging_send_syslog_msg(dovecot_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_t) - fs_manage_nfs_files(dovecot_t) @@ -28428,7 +28428,7 @@ index 0aabc7e66..641a03465 100644 +userdom_manage_user_home_content_pipes(dovecot_t) +userdom_manage_user_home_content_sockets(dovecot_t) +userdom_filetrans_home_content(dovecot_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_t) - fs_manage_cifs_files(dovecot_t) @@ -28438,15 +28438,15 @@ index 0aabc7e66..641a03465 100644 + mta_mmap_home_rw(dovecot_t) + mta_manage_spool(dovecot_t) ') - + optional_policy(` - kerberos_manage_host_rcache(dovecot_t) - kerberos_read_keytab(dovecot_t) + kerberos_manage_host_rcache(dovecot_t) + kerberos_read_keytab(dovecot_t) - kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0") + kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0") - kerberos_use(dovecot_t) + kerberos_use(dovecot_t) ') - + optional_policy(` - mta_manage_spool(dovecot_t) - mta_manage_mail_home_rw_content(dovecot_t) 
@@ -28454,32 +28454,32 @@ index 0aabc7e66..641a03465 100644 - mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") + gnome_manage_data(dovecot_t) ') - + optional_policy(` - postgresql_stream_connect(dovecot_t) + postfix_manage_private_sockets(dovecot_t) + postfix_search_spool(dovecot_t) ') - + optional_policy(` - postfix_manage_private_sockets(dovecot_t) - postfix_search_spool(dovecot_t) + postgresql_stream_connect(dovecot_t) ') - + optional_policy(` + # Handle sieve scripts - sendmail_domtrans(dovecot_t) + sendmail_domtrans(dovecot_t) ') - + @@ -227,103 +224,155 @@ optional_policy(` - + ######################################## # -# Auth local policy +# dovecot auth local policy # - + -allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; +allow dovecot_auth_t self:capability { chown dac_read_search dac_override ipc_lock setgid setuid sys_nice }; allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; @@ -28487,9 +28487,9 @@ index 0aabc7e66..641a03465 100644 +allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; + +allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - + read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) - + +read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) +read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) + 
@@ -28498,41 +28498,41 @@ index 0aabc7e66..641a03465 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) - + allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) +manage_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) - + -allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; +dovecot_stream_connect_auth(dovecot_auth_t) - + -files_search_pids(dovecot_auth_t) -files_read_usr_files(dovecot_auth_t) -files_read_var_lib_files(dovecot_auth_t) +corecmd_exec_bin(dovecot_auth_t) + +logging_send_audit_msgs(dovecot_auth_t) - + auth_domtrans_chk_passwd(dovecot_auth_t) auth_use_nsswitch(dovecot_auth_t) - + -init_rw_utmp(dovecot_auth_t) +logging_send_syslog_msg(dovecot_auth_t) - + -logging_send_audit_msgs(dovecot_auth_t) +files_search_pids(dovecot_auth_t) +files_read_usr_symlinks(dovecot_auth_t) +files_read_var_lib_files(dovecot_auth_t) +files_search_tmp(dovecot_auth_t) - + -seutil_dontaudit_search_config(dovecot_auth_t) +fs_getattr_xattr_fs(dovecot_auth_t) + +init_rw_utmp(dovecot_auth_t) +init_stream_connect(dovecot_auth_t) - + sysnet_use_ldap(dovecot_auth_t) - + +systemd_login_read_pid_files(dovecot_auth_t) +systemd_dbus_chat_logind(dovecot_auth_t) +systemd_write_inherited_logind_sessions_pipes(dovecot_auth_t) 
@@ -28543,23 +28543,23 @@ index 0aabc7e66..641a03465 100644 + kerberos_use(dovecot_auth_t) + + # for gssapi (kerberos) - userdom_list_user_tmp(dovecot_auth_t) - userdom_read_user_tmp_files(dovecot_auth_t) - userdom_read_user_tmp_symlinks(dovecot_auth_t) + userdom_list_user_tmp(dovecot_auth_t) + userdom_read_user_tmp_files(dovecot_auth_t) + userdom_read_user_tmp_symlinks(dovecot_auth_t) ') - + optional_policy(` + mysql_search_db(dovecot_auth_t) - mysql_stream_connect(dovecot_auth_t) - mysql_read_config(dovecot_auth_t) - mysql_tcp_connect(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) + mysql_read_config(dovecot_auth_t) + mysql_tcp_connect(dovecot_auth_t) + mysql_rw_db_sockets(dovecot_auth_t) ') - + optional_policy(` - nis_authenticate(dovecot_auth_t) + nis_authenticate(dovecot_auth_t) ') - + +optional_policy(` + dbus_system_bus_client(dovecot_auth_t) + optional_policy(` @@ -28569,17 +28569,17 @@ index 0aabc7e66..641a03465 100644 +') + optional_policy(` - postfix_manage_private_sockets(dovecot_auth_t) + postfix_manage_private_sockets(dovecot_auth_t) + postfix_rw_inherited_master_pipes(dovecot_deliver_t) - postfix_search_spool(dovecot_auth_t) + postfix_search_spool(dovecot_auth_t) ') - + ######################################## # -# Deliver local policy +# dovecot deliver local policy # - + +allow dovecot_deliver_t dovecot_t:process signull; + +allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; 
@@ -28587,16 +28587,16 @@ index 0aabc7e66..641a03465 100644 +read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) + allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; - + -append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) +manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) +manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) +logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir }) - + manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) - + allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; -allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms; -allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms; @@ -28605,24 +28605,24 @@ index 0aabc7e66..641a03465 100644 +read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) +read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) +dovecot_stream_connect(dovecot_deliver_t) - + can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) - + -allow dovecot_deliver_t dovecot_t:process signull; +auth_use_nsswitch(dovecot_deliver_t) - + -fs_getattr_all_fs(dovecot_deliver_t) +logging_append_all_logs(dovecot_deliver_t) +logging_send_syslog_msg(dovecot_deliver_t) - + -auth_use_nsswitch(dovecot_deliver_t) +dovecot_stream_connect_auth(dovecot_deliver_t) - + -logging_search_logs(dovecot_deliver_t) +files_search_tmp(dovecot_deliver_t) +files_dontaudit_getattr_all_dirs(dovecot_deliver_t) +files_search_all_mountpoints(dovecot_deliver_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_deliver_t) - fs_manage_nfs_files(dovecot_deliver_t) 
@@ -28639,7 +28639,7 @@ index 0aabc7e66..641a03465 100644 +userdom_manage_user_home_content_pipes(dovecot_deliver_t) +userdom_manage_user_home_content_sockets(dovecot_deliver_t) +userdom_filetrans_home_content(dovecot_deliver_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_deliver_t) - fs_manage_cifs_files(dovecot_deliver_t) @@ -28649,20 +28649,20 @@ index 0aabc7e66..641a03465 100644 +optional_policy(` + gnome_manage_data(dovecot_deliver_t) ') - + optional_policy(` - mta_mailserver_delivery(dovecot_deliver_t) + mta_mailserver_delivery(dovecot_deliver_t) + mta_mmap_home_rw(dovecot_deliver_t) + mta_manage_spool(dovecot_deliver_t) - mta_read_queue(dovecot_deliver_t) + mta_read_queue(dovecot_deliver_t) ') - + @@ -332,5 +381,6 @@ optional_policy(` ') - + optional_policy(` + # Handle sieve scripts - sendmail_domtrans(dovecot_deliver_t) + sendmail_domtrans(dovecot_deliver_t) ') diff --git a/dpkg.te b/dpkg.te index 50af48c89..5ab49010f 100644 @@ -28671,7 +28671,7 @@ index 50af48c89..5ab49010f 100644 @@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) # Local policy # - + -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; +allow dpkg_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; allow dpkg_t self:process { setpgid fork getsched setfscreate }; @@ -28684,15 +28684,15 @@ index 671a3fb6f..47b4958d0 100644 
@@ -3,7 +3,7 @@ /sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) /sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) - + -/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) +/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) - + /usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) /usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) @@ -11,3 +11,5 @@ /var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0) - + /var/lock/subsys/drbd -- gen_context(system_u:object_r:drbd_lock_t,s0) + +/var/run/drbd(/.*)? gen_context(system_u:object_r:drbd_var_run_t,s0) @@ -28701,7 +28701,7 @@ index 9a2163936..26c59868b 100644 --- a/drbd.if +++ b/drbd.if @@ -2,12 +2,11 @@ - + ######################################## ## -## Execute a domain transition to @@ -28716,13 +28716,13 @@ index 9a2163936..26c59868b 100644 ## # @@ -16,14 +15,91 @@ interface(`drbd_domtrans',` - type drbd_t, drbd_exec_t; - ') - + type drbd_t, drbd_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, drbd_exec_t, drbd_t) + domtrans_pattern($1, drbd_exec_t, drbd_t) ') - + ######################################## ## -## All of the rules required to @@ -28817,25 +28817,25 @@ index 9a2163936..26c59868b 100644 -## # interface(`drbd_admin',` - gen_require(` + gen_require(` 
@@ -43,9 +118,13 @@ interface(`drbd_admin',` - type drbd_var_lib_t; - ') - + type drbd_var_lib_t; + ') + - allow $1 drbd_t:process { ptrace signal_perms }; + allow $1 drbd_t:process signal_perms; - ps_process_pattern($1, drbd_t) - + ps_process_pattern($1, drbd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 drbd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, drbd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 drbd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, drbd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 drbd_initrc_exec_t system_r; @@ -57,3 +136,4 @@ interface(`drbd_admin',` - files_search_var_lib($1) - admin_pattern($1, drbd_var_lib_t) + files_search_var_lib($1) + admin_pattern($1, drbd_var_lib_t) ') + diff --git a/drbd.te b/drbd.te @@ -28845,7 +28845,7 @@ index f2516cc07..af2c2ad81 100644 @@ -18,38 +18,72 @@ files_type(drbd_var_lib_t) type drbd_lock_t; files_lock_file(drbd_lock_t) - + +type drbd_var_run_t; +files_pid_file(drbd_var_run_t) + @@ -28856,7 +28856,7 @@ index f2516cc07..af2c2ad81 100644 # # Local policy # - + -allow drbd_t self:capability { kill net_admin }; +allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin }; dontaudit drbd_t self:capability sys_tty_config; @@ -28865,12 +28865,12 @@ index f2516cc07..af2c2ad81 100644 allow drbd_t self:netlink_socket create_socket_perms; -allow drbd_t self:netlink_route_socket nlmsg_write; +allow drbd_t self:netlink_route_socket rw_netlink_socket_perms; - + manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) - + +manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t) +manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t) +manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t) 
@@ -28878,12 +28878,12 @@ index f2516cc07..af2c2ad81 100644 + manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t) files_lock_filetrans(drbd_t, drbd_lock_t, file) - + -can_exec(drbd_t, drbd_exec_t) +manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t) +manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t) +files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir}) - + kernel_read_system_state(drbd_t) +kernel_load_module(drbd_t) + @@ -28894,26 +28894,26 @@ index f2516cc07..af2c2ad81 100644 +corecmd_exec_bin(drbd_t) + +corenet_tcp_connect_http_port(drbd_t) - + dev_read_rand(drbd_t) dev_read_sysfs(drbd_t) dev_read_urand(drbd_t) - + -files_read_etc_files(drbd_t) +files_read_kernel_modules(drbd_t) - + -storage_raw_read_fixed_disk(drbd_t) +logging_send_syslog_msg(drbd_t) + +fs_getattr_xattr_fs(drbd_t) - + -miscfiles_read_localization(drbd_t) +modutils_read_module_config(drbd_t) +modutils_exec_insmod(drbd_t) + +storage_raw_read_fixed_disk(drbd_t) +storage_raw_write_fixed_disk(drbd_t) - + sysnet_dns_name_resolve(drbd_t) + +optional_policy(` @@ -28926,17 +28926,17 @@ index 5eddac51c..b5fcb7760 100644 --- a/dspam.fc +++ b/dspam.fc @@ -2,11 +2,16 @@ - + /usr/bin/dspam -- gen_context(system_u:object_r:dspam_exec_t,s0) - + -/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) +/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:dspam_script_exec_t,s0) - + /var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0) -/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0) - + /var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0) - + /var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0) + +# web @@ -28953,7 +28953,7 @@ index 18f245250..a446210f0 100644 + +## policy for dspam + - + ######################################## ## ## Execute a domain transition to run dspam. @@ -28968,13 +28968,13 @@ index 18f245250..a446210f0 100644 # interface(`dspam_domtrans',` 
@@ -15,35 +17,211 @@ interface(`dspam_domtrans',` - type dspam_t, dspam_exec_t; - ') - + type dspam_t, dspam_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, dspam_exec_t, dspam_t) + domtrans_pattern($1, dspam_exec_t, dspam_t) ') - + -####################################### + +######################################## @@ -29128,7 +29128,7 @@ index 18f245250..a446210f0 100644 +## +# +interface(`dspam_manage_lib_dirs',` - gen_require(` + gen_require(` - type dspam_t, dspam_var_run_t, dspam_tmp_t; + type dspam_var_lib_t; + ') @@ -29151,9 +29151,9 @@ index 18f245250..a446210f0 100644 +interface(`dspam_read_pid_files',` + gen_require(` + type dspam_var_run_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) + allow $1 dspam_var_run_t:file read_file_perms; +') + @@ -29173,12 +29173,12 @@ index 18f245250..a446210f0 100644 + ') + + files_search_pids($1) - files_search_tmp($1) + files_search_tmp($1) - stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t) + stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t) + stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t) ') - + ######################################## ## -## All of the rules required to @@ -29191,7 +29191,7 @@ index 18f245250..a446210f0 100644 @@ -59,14 +237,20 @@ interface(`dspam_stream_connect',` # interface(`dspam_admin',` - gen_require(` + gen_require(` - type dspam_t, dspam_initrc_exec_t, dspam_log_t; - type dspam_var_lib_t, dspam_var_run_t; + type dspam_t; 
@@ -29199,24 +29199,24 @@ index 18f245250..a446210f0 100644 + type dspam_log_t; + type dspam_var_lib_t; + type dspam_var_run_t; - ') - + ') + - allow $1 dspam_t:process { ptrace signal_perms }; + allow $1 dspam_t:process signal_perms; - ps_process_pattern($1, dspam_t) + ps_process_pattern($1, dspam_t) + tunable_policy(`deny_ptrace',`',` + allow $1 dspam_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, dspam_initrc_exec_t) + dspam_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 dspam_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 dspam_initrc_exec_t system_r; + allow $2 system_r; @@ -79,4 +263,5 @@ interface(`dspam_admin',` - - files_search_pids($1) - admin_pattern($1, dspam_var_run_t) + + files_search_pids($1) + admin_pattern($1, dspam_var_run_t) + ') diff --git a/dspam.te b/dspam.te @@ -29224,7 +29224,7 @@ index ef6236335..6b0dc19d1 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) - + allow dspam_t self:capability net_admin; allow dspam_t self:process signal; + @@ -29232,7 +29232,7 @@ index ef6236335..6b0dc19d1 100644 + allow dspam_t self:fifo_file rw_fifo_file_perms; allow dspam_t self:unix_stream_socket { accept listen }; - + @@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t) corenet_tcp_bind_spamd_port(dspam_t) corenet_tcp_connect_spamd_port(dspam_t) @@ -29243,17 +29243,17 @@ index ef6236335..6b0dc19d1 100644 +kernel_read_system_state(dspam_t) + +corecmd_exec_shell(dspam_t) - + files_search_spool(dspam_t) - + @@ -64,14 +73,33 @@ auth_use_nsswitch(dspam_t) - + logging_send_syslog_msg(dspam_t) - + -miscfiles_read_localization(dspam_t) - optional_policy(` - apache_content_template(dspam) + apache_content_template(dspam) + apache_content_alias_template(dspam, dspam) + + allow dspam_t dspam_rw_content_t:file map; 
@@ -29268,7 +29268,7 @@ index ef6236335..6b0dc19d1 100644 + term_dontaudit_search_ptys(dspam_script_t) + term_dontaudit_getattr_all_ttys(dspam_script_t) + term_dontaudit_getattr_all_ptys(dspam_script_t) - + - list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) - manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) - manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t) @@ -29283,11 +29283,11 @@ index ef6236335..6b0dc19d1 100644 + mysql_stream_connect(dspam_script_t) + ') ') - + optional_policy(` @@ -87,3 +115,12 @@ optional_policy(` - - postgresql_tcp_connect(dspam_t) + + postgresql_tcp_connect(dspam_t) ') + +optional_policy(` @@ -29308,35 +29308,35 @@ index b8b8328c0..e3dc7c72c 100644 ## -gen_tunable(entropyd_use_audio, false) +gen_tunable(entropyd_use_audio, true) - + type entropyd_t; type entropyd_exec_t; @@ -29,7 +29,7 @@ files_pid_file(entropyd_var_run_t) # Local policy # - + -allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; +allow entropyd_t self:capability { dac_read_search dac_override ipc_lock sys_admin }; dontaudit entropyd_t self:capability sys_tty_config; allow entropyd_t self:process signal_perms; - + @@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) - + -files_read_etc_files(entropyd_t) -files_read_usr_files(entropyd_t) - fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) - + @@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t) - + logging_send_syslog_msg(entropyd_t) - + -miscfiles_read_localization(entropyd_t) +auth_use_nsswitch(entropyd_t) - + userdom_dontaudit_use_unpriv_user_fds(entropyd_t) userdom_dontaudit_search_user_home_dirs(entropyd_t) diff --git a/etcd.fc b/etcd.fc 
@@ -29573,60 +29573,60 @@ index 597f305da..85206539c 100644 HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) +HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) - + /tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) - + diff --git a/evolution.te b/evolution.te index c99e07c48..ab9dd9f90 100644 --- a/evolution.te +++ b/evolution.te @@ -168,7 +168,6 @@ dev_read_urand(evolution_t) - + domain_dontaudit_read_all_domains_state(evolution_t) - + -files_read_usr_files(evolution_t) - + fs_search_auto_mountpoints(evolution_t) - + @@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t) - + userdom_manage_user_home_content_dirs(evolution_t) userdom_manage_user_home_content_files(evolution_t) -userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file }) +userdom_filetrans_home_content(evolution_t) - + userdom_write_user_tmp_sockets(evolution_t) - + @@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio - + dev_read_urand(evolution_alarm_t) - + -files_read_usr_files(evolution_alarm_t) - + fs_search_auto_mountpoints(evolution_alarm_t) - + @@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t) - + dev_read_urand(evolution_exchange_t) - + -files_read_usr_files(evolution_exchange_t) - + fs_search_auto_mountpoints(evolution_exchange_t) - + @@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t) - + dev_read_urand(evolution_server_t) - + -files_read_usr_files(evolution_server_t) - + fs_search_auto_mountpoints(evolution_server_t) - + diff --git a/exim.if b/exim.if index 9bbc6907a..4a8d0536b 100644 --- a/exim.if +++ b/exim.if @@ -21,35 +21,51 @@ interface(`exim_domtrans',` - + ######################################## ## -## Execute exim in the exim domain, 
@@ -29672,27 +29672,27 @@ index 9bbc6907a..4a8d0536b 100644 +## +# +interface(`exim_initrc_domtrans',` - gen_require(` + gen_require(` - attribute_role exim_roles; + type exim_initrc_exec_t; - ') - + ') + - exim_domtrans($1) - roleattribute $2 exim_roles; + init_labeled_script_domtrans($1, exim_initrc_exec_t) ') - + ######################################## ## -## Do not audit attempts to read exim -## temporary tmp files. -+## Do not audit attempts to read, ++## Do not audit attempts to read, +## exim tmp files ## ## ## @@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',` - + ######################################## ## -## Read exim temporary files. @@ -29701,7 +29701,7 @@ index 9bbc6907a..4a8d0536b 100644 ## ## @@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',` - + ######################################## ## -## Read exim pid files. @@ -29710,7 +29710,7 @@ index 9bbc6907a..4a8d0536b 100644 ## ## @@ -105,7 +121,7 @@ interface(`exim_read_pid_files',` - + ######################################## ## -## Read exim log files. @@ -29719,7 +29719,7 @@ index 9bbc6907a..4a8d0536b 100644 ## ## @@ -125,7 +141,8 @@ interface(`exim_read_log',` - + ######################################## ## -## Append exim log files. @@ -29729,7 +29729,7 @@ index 9bbc6907a..4a8d0536b 100644 ## ## @@ -144,8 +161,7 @@ interface(`exim_append_log',` - + ######################################## ## -## Create, read, write, and delete @@ -29754,35 +29754,35 @@ index 9bbc6907a..4a8d0536b 100644 -## # interface(`exim_admin',` - gen_require(` + gen_require(` 
@@ -285,10 +300,14 @@ interface(`exim_admin',` - type exim_keytab_t; - ') - + type exim_keytab_t; + ') + - allow $1 exim_t:process { ptrace signal_perms }; + allow $1 exim_t:process signal_perms; - ps_process_pattern($1, exim_t) - + ps_process_pattern($1, exim_t) + - init_labeled_script_domtrans($1, exim_initrc_exec_t) + tunable_policy(`deny_ptrace',`',` + allow $1 exim_t:process ptrace; + ') + + exim_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 exim_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 exim_initrc_exec_t system_r; + allow $2 system_r; diff --git a/exim.te b/exim.te index 4086c51b9..3e7a99099 100644 --- a/exim.te +++ b/exim.te @@ -55,7 +55,7 @@ type exim_log_t; logging_log_file(exim_log_t) - + type exim_spool_t; -files_type(exim_spool_t) +files_spool_file(exim_spool_t) - + type exim_tmp_t; files_tmp_file(exim_tmp_t) @@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t) @@ -29791,29 +29791,29 @@ index 4086c51b9..3e7a99099 100644 kernel_read_network_state(exim_t) -kernel_dontaudit_read_system_state(exim_t) +kernel_read_system_state(exim_t) - + corecmd_search_bin(exim_t) - + -corenet_all_recvfrom_unlabeled(exim_t) corenet_all_recvfrom_netlabel(exim_t) corenet_tcp_sendrecv_generic_if(exim_t) corenet_udp_sendrecv_generic_if(exim_t) @@ -151,10 +150,10 @@ fs_getattr_xattr_fs(exim_t) fs_list_inotifyfs(exim_t) - + auth_use_nsswitch(exim_t) +auth_domtrans_chk_passwd(exim_t) - + logging_send_syslog_msg(exim_t) - + -miscfiles_read_localization(exim_t) miscfiles_read_generic_certs(exim_t) - + userdom_dontaudit_search_user_home_dirs(exim_t) 
@@ -170,9 +169,9 @@ tunable_policy(`exim_can_connect_db',` - corenet_sendrecv_mssql_client_packets(exim_t) - corenet_tcp_connect_mssql_port(exim_t) - corenet_tcp_sendrecv_mssql_port(exim_t) + corenet_sendrecv_mssql_client_packets(exim_t) + corenet_tcp_connect_mssql_port(exim_t) + corenet_tcp_sendrecv_mssql_port(exim_t) - corenet_sendrecv_oracledb_client_packets(exim_t) - corenet_tcp_connect_oracledb_port(exim_t) - corenet_tcp_sendrecv_oracledb_port(exim_t) @@ -29821,47 +29821,47 @@ index 4086c51b9..3e7a99099 100644 + corenet_tcp_connect_oracle_port(exim_t) + corenet_tcp_sendrecv_oracle_port(exim_t) ') - + tunable_policy(`exim_read_user_files',` @@ -186,8 +185,8 @@ tunable_policy(`exim_manage_user_files',` ') - + optional_policy(` - clamav_domtrans_clamscan(exim_t) - clamav_stream_connect(exim_t) + antivirus_domtrans(exim_t) + antivirus_stream_connect(exim_t) ') - + optional_policy(` @@ -209,11 +208,6 @@ optional_policy(` - kerberos_use(exim_t) + kerberos_use(exim_t) ') - + -optional_policy(` - mailman_read_data_files(exim_t) - mailman_domtrans(exim_t) -') - optional_policy(` - nagios_search_spool(exim_t) + nagios_search_spool(exim_t) ') @@ -236,6 +230,7 @@ optional_policy(` - + optional_policy(` - procmail_domtrans(exim_t) + procmail_domtrans(exim_t) + procmail_read_home_files(exim_t) ') - + optional_policy(` diff --git a/fail2ban.if b/fail2ban.if index 50d0084d4..94e193606 100644 --- a/fail2ban.if +++ b/fail2ban.if @@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',` - domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) + domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) ') - + -######################################## +####################################### ## 
@@ -29886,13 +29886,13 @@ index 50d0084d4..94e193606 100644 + gen_require(` + type fail2ban_client_t, fail2ban_client_exec_t; + ') - + - corecmd_search_bin($1) - domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) + corecmd_search_bin($1) + domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) ') - + -######################################## +####################################### ## @@ -29929,13 +29929,13 @@ index 50d0084d4..94e193606 100644 + gen_require(` + attribute_role fail2ban_client_roles; + ') - + - fail2ban_domtrans_client($1) - roleattribute $2 fail2ban_client_roles; + fail2ban_domtrans_client($1) + roleattribute $2 fail2ban_client_roles; ') - + ##################################### ## -## Connect to fail2ban over a @@ -29946,13 +29946,13 @@ index 50d0084d4..94e193606 100644 ## ## @@ -102,64 +102,63 @@ interface(`fail2ban_rw_inherited_tmp_files',` - ') - - files_search_tmp($1) + ') + + files_search_tmp($1) - allow $1 fail2ban_tmp_t:file { read write }; + allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; ') - + ######################################## ## -## Do not audit attempts to use @@ -29968,14 +29968,14 @@ index 50d0084d4..94e193606 100644 # -interface(`fail2ban_dontaudit_use_fds',` +interface(`fail2ban_rw_stream_sockets',` - gen_require(` - type fail2ban_t; - ') - + gen_require(` + type fail2ban_t; + ') + - dontaudit $1 fail2ban_t:fd use; + allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; ') - + -######################################## +####################################### ## @@ -30001,11 +30001,11 @@ index 50d0084d4..94e193606 100644 + gen_require(` + type fail2ban_t; + ') - + - dontaudit $1 fail2ban_t:unix_stream_socket { read write }; + dontaudit $1 fail2ban_t:fd use; ') - + -######################################## +####################################### ## 
@@ -30031,20 +30031,20 @@ index 50d0084d4..94e193606 100644 + gen_require(` + type fail2ban_t; + ') - + - allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; ') - + ######################################## @@ -178,12 +177,12 @@ interface(`fail2ban_read_lib_files',` - ') - - files_search_var_lib($1) + ') + + files_search_var_lib($1) - allow $1 fail2ban_var_lib_t:file read_file_perms; + read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t) ') - + ######################################## ## -## Read fail2ban log files. @@ -30053,13 +30053,13 @@ index 50d0084d4..94e193606 100644 ## ## @@ -198,12 +197,14 @@ interface(`fail2ban_read_log',` - ') - - logging_search_logs($1) + ') + + logging_search_logs($1) + allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file read_file_perms; + allow $1 fail2ban_log_t:file read_file_perms; ') - + ######################################## ## -## Append fail2ban log files. @@ -30069,13 +30069,13 @@ index 50d0084d4..94e193606 100644 ## ## @@ -217,12 +218,13 @@ interface(`fail2ban_append_log',` - ') - - logging_search_logs($1) + ') + + logging_search_logs($1) + allow $1 fail2ban_log_t:dir list_dir_perms; - allow $1 fail2ban_log_t:file append_file_perms; + allow $1 fail2ban_log_t:file append_file_perms; ') - + ######################################## ## -## Read fail2ban pid files. @@ -30084,7 +30084,7 @@ index 50d0084d4..94e193606 100644 ## ## @@ -241,8 +243,28 @@ interface(`fail2ban_read_pid_files',` - + ######################################## ## -## All of the rules required to @@ -30109,7 +30109,7 @@ index 50d0084d4..94e193606 100644 + +######################################## +## -+## All of the rules required to administrate ++## All of the rules required to administrate +## an fail2ban environment ## ## 
@@ -30125,46 +30125,46 @@ index 50d0084d4..94e193606 100644 ## # interface(`fail2ban_admin',` - gen_require(` + gen_require(` - type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t; - type fail2ban_var_run_t, fail2ban_initrc_exec_t; - type fail2ban_var_lib_t, fail2ban_client_t; + type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; + type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t; + type fail2ban_client_t; - ') - + ') + - allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; + allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; - ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) - + ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) + + tunable_policy(`deny_ptrace',`',` + allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; + ') + - init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fail2ban_initrc_exec_t system_r; + init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fail2ban_initrc_exec_t system_r; @@ -277,10 +303,10 @@ interface(`fail2ban_admin',` - files_list_pids($1) - admin_pattern($1, fail2ban_var_run_t) - + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) + - files_search_var_lib($1) + files_list_var_lib($1) - admin_pattern($1, fail2ban_var_lib_t) - + admin_pattern($1, fail2ban_var_lib_t) + - files_search_tmp($1) + files_list_tmp($1) - admin_pattern($1, fail2ban_tmp_t) - - fail2ban_run_client($1, $2) + admin_pattern($1, fail2ban_tmp_t) + + fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te index cf0e56772..62fb6587a 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; # - + allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config }; -allow fail2ban_t self:process signal; +allow fail2ban_t self:process { setsched signal }; 
@@ -30174,41 +30174,41 @@ index cf0e56772..62fb6587a 100644 @@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) corecmd_exec_shell(fail2ban_t) - + -corenet_all_recvfrom_unlabeled(fail2ban_t) corenet_all_recvfrom_netlabel(fail2ban_t) corenet_tcp_sendrecv_generic_if(fail2ban_t) corenet_tcp_sendrecv_generic_node(fail2ban_t) @@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t) domain_dontaudit_read_all_domains_state(fail2ban_t) - + files_read_etc_runtime_files(fail2ban_t) -files_read_usr_files(fail2ban_t) files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) - + @@ -92,23 +90,37 @@ fs_getattr_all_fs(fail2ban_t) auth_use_nsswitch(fail2ban_t) - + logging_read_all_logs(fail2ban_t) +logging_read_audit_log(fail2ban_t) logging_send_syslog_msg(fail2ban_t) +logging_read_syslog_pid(fail2ban_t) +logging_dontaudit_search_audit_logs(fail2ban_t) +logging_mmap_generic_logs(fail2ban_t) - + -miscfiles_read_localization(fail2ban_t) +mta_send_mail(fail2ban_t) - + sysnet_manage_config(fail2ban_t) -sysnet_etc_filetrans_config(fail2ban_t) - -mta_send_mail(fail2ban_t) - + optional_policy(` - apache_read_log(fail2ban_t) + apache_read_log(fail2ban_t) ') - + +optional_policy(` + dbus_system_bus_client(fail2ban_t) + dbus_connect_system_bus(fail2ban_t) @@ -30219,56 +30219,56 @@ index cf0e56772..62fb6587a 100644 +') + optional_policy(` - ftp_read_log(fail2ban_t) + ftp_read_log(fail2ban_t) ') - + +optional_policy(` + gnome_dontaudit_search_config(fail2ban_t) +') + optional_policy(` - iptables_domtrans(fail2ban_t) + iptables_domtrans(fail2ban_t) ') @@ -117,6 +129,10 @@ optional_policy(` - libs_exec_ldconfig(fail2ban_t) + libs_exec_ldconfig(fail2ban_t) ') - + +optional_policy(` + rpm_exec(fail2ban_t) +') + optional_policy(` - shorewall_domtrans(fail2ban_t) + shorewall_domtrans(fail2ban_t) ') 
@@ -126,27 +142,37 @@ optional_policy(` # Client Local policy # - + -allow fail2ban_client_t self:capability dac_read_search; +allow fail2ban_client_t self:capability { dac_read_search dac_override }; allow fail2ban_client_t self:unix_stream_socket { create connect write read }; - + domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) - + +allow fail2ban_client_t fail2ban_t:process { rlimitinh }; + +dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access; +allow fail2ban_client_t fail2ban_var_run_t:dir write; stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) - + kernel_read_system_state(fail2ban_client_t) - + corecmd_exec_bin(fail2ban_client_t) - + +dev_read_urand(fail2ban_client_t) +dev_read_rand(fail2ban_client_t) + domain_use_interactive_fds(fail2ban_client_t) - + -files_read_etc_files(fail2ban_client_t) -files_read_usr_files(fail2ban_client_t) files_search_pids(fail2ban_client_t) - + +auth_use_nsswitch(fail2ban_client_t) + logging_getattr_all_logs(fail2ban_client_t) @@ -30276,7 +30276,7 @@ index cf0e56772..62fb6587a 100644 - -miscfiles_read_localization(fail2ban_client_t) +logging_read_audit_log(fail2ban_client_t) - + userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) + @@ -30290,7 +30290,7 @@ index ce358fb3f..cdc11a7f9 100644 @@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t) # Local policy # - + -allow fcoemon_t self:capability { dac_override kill net_admin }; +allow fcoemon_t self:capability { net_admin net_raw dac_read_search dac_override }; allow fcoemon_t self:fifo_file rw_fifo_file_perms; 
@@ -30300,25 +30300,25 @@ index ce358fb3f..cdc11a7f9 100644 +allow fcoemon_t self:netlink_scsitransport_socket create_socket_perms; +allow fcoemon_t self:packet_socket create_socket_perms; +allow fcoemon_t self:udp_socket create_socket_perms; - + manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) - + -files_read_etc_files(fcoemon_t) - -dev_read_sysfs(fcoemon_t) +dev_rw_sysfs(fcoemon_t) - + logging_send_syslog_msg(fcoemon_t) - + miscfiles_read_localization(fcoemon_t) - + +userdom_dgram_send(fcoemon_t) + optional_policy(` - lldpad_dgram_send(fcoemon_t) + lldpad_dgram_send(fcoemon_t) ') + +optional_policy(` @@ -30331,33 +30331,33 @@ index 133b8ee67..a47a12fe7 100644 @@ -1,4 +1,5 @@ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0) +/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0) - + /etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) - + diff --git a/fetchmail.if b/fetchmail.if index c3f791660..cab3954f3 100644 --- a/fetchmail.if +++ b/fetchmail.if 
@@ -23,14 +23,16 @@ interface(`fetchmail_admin',` - type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t; - ') - + type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t; + ') + + ps_process_pattern($1, fetchmail_t) + tunable_policy(`deny_ptrace',`',` + allow $1 fetchmail_t:process ptrace; + ') + - init_labeled_script_domtrans($1, fetchmail_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fetchmail_initrc_exec_t system_r; - allow $2 system_r; - + init_labeled_script_domtrans($1, fetchmail_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fetchmail_initrc_exec_t system_r; + allow $2 system_r; + - allow $1 fetchmail_t:process { ptrace signal_perms }; - ps_process_pattern($1, fetchmail_t) - - files_list_etc($1) - admin_pattern($1, fetchmail_etc_t) - + files_list_etc($1) + admin_pattern($1, fetchmail_etc_t) + diff --git a/fetchmail.te b/fetchmail.te index 742559a54..fa51d09dd 100644 --- a/fetchmail.te @@ -30372,36 +30372,36 @@ index 742559a54..fa51d09dd 100644 allow fetchmail_t self:process { signal_perms setrlimit }; allow fetchmail_t self:unix_stream_socket { accept listen }; +allow fetchmail_t self:key manage_key_perms; - + allow fetchmail_t fetchmail_etc_t:file read_file_perms; - + +list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) +userdom_search_user_home_dirs(fetchmail_t) +userdom_search_admin_dir(fetchmail_t) - + manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) @@ -63,7 +67,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) corecmd_exec_bin(fetchmail_t) corecmd_exec_shell(fetchmail_t) - + -corenet_all_recvfrom_unlabeled(fetchmail_t) corenet_all_recvfrom_netlabel(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) corenet_tcp_sendrecv_generic_node(fetchmail_t) 
@@ -84,15 +87,24 @@ fs_search_auto_mountpoints(fetchmail_t) - + domain_use_interactive_fds(fetchmail_t) - + -auth_use_nsswitch(fetchmail_t) +auth_read_passwd(fetchmail_t) - + logging_send_syslog_msg(fetchmail_t) - + -miscfiles_read_localization(fetchmail_t) miscfiles_read_generic_certs(fetchmail_t) - + +sysnet_dns_name_resolve(fetchmail_t) + userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) @@ -30415,9 +30415,9 @@ index 742559a54..fa51d09dd 100644 +optional_policy(` + kerberos_use(fetchmail_t) +') - + optional_policy(` - procmail_domtrans(fetchmail_t) + procmail_domtrans(fetchmail_t) diff --git a/finger.te b/finger.te index 35da09d97..85f1e03d4 100644 --- a/finger.te @@ -30425,36 +30425,36 @@ index 35da09d97..85f1e03d4 100644 @@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file) kernel_read_kernel_sysctls(fingerd_t) kernel_read_system_state(fingerd_t) - + -corenet_all_recvfrom_unlabeled(fingerd_t) corenet_all_recvfrom_netlabel(fingerd_t) corenet_tcp_sendrecv_generic_if(fingerd_t) corenet_tcp_sendrecv_generic_node(fingerd_t) @@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t) domain_use_interactive_fds(fingerd_t) - + files_read_etc_runtime_files(fingerd_t) +files_search_home(fingerd_t) - + fs_getattr_all_fs(fingerd_t) fs_search_auto_mountpoints(fingerd_t) @@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t) term_getattr_all_ptys(fingerd_t) - + auth_read_lastlog(fingerd_t) +auth_use_nsswitch(fingerd_t) - + init_read_utmp(fingerd_t) init_dontaudit_write_utmp(fingerd_t) @@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t) - + mta_getattr_spool(fingerd_t) - + -miscfiles_read_localization(fingerd_t) +sysnet_read_config(fingerd_t) - + userdom_dontaudit_use_unpriv_user_fds(fingerd_t) - + diff --git a/firewalld.fc b/firewalld.fc index 21d7b8442..0e272bd0e 100644 --- a/firewalld.fc 
@@ -30463,14 +30463,14 @@ index 21d7b8442..0e272bd0e 100644 +/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0) + /etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0) - + /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if index c62c5670a..2d9e254b4 100644 --- a/firewalld.if +++ b/firewalld.if @@ -2,7 +2,7 @@ - + ######################################## ## -## Read firewalld configuration files. @@ -30484,13 +30484,13 @@ index c62c5670a..2d9e254b4 100644 # -interface(`firewalld_read_config_files',` +interface(`firewalld_read_config',` - gen_require(` - type firewalld_etc_rw_t; - ') + gen_require(` + type firewalld_etc_rw_t; + ') @@ -19,6 +19,48 @@ interface(`firewalld_read_config_files',` - read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t) + read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t) ') - + +######################################## +## +## Execute firewalld server in the firewalld domain. @@ -30537,7 +30537,7 @@ index c62c5670a..2d9e254b4 100644 ## ## Send and receive messages from @@ -42,8 +84,8 @@ interface(`firewalld_dbus_chat',` - + ######################################## ## -## Do not audit attempts to read, snd @@ -30553,14 +30553,14 @@ index c62c5670a..2d9e254b4 100644 # -interface(`firewalld_dontaudit_rw_tmp_files',` +interface(`firewalld_dontaudit_write_tmp_files',` - gen_require(` - type firewalld_tmp_t; - ') - + gen_require(` + type firewalld_tmp_t; + ') + - dontaudit $1 firewalld_tmp_t:file { read write }; + dontaudit $1 firewalld_tmp_t:file write; ') - + ######################################## ## -## All of the rules required to @@ -30591,30 +30591,30 @@ index c62c5670a..2d9e254b4 100644 ## 
@@ -79,14 +140,18 @@ interface(`firewalld_dontaudit_rw_tmp_files',` interface(`firewalld_admin',` - gen_require(` - type firewalld_t, firewalld_initrc_exec_t; + gen_require(` + type firewalld_t, firewalld_initrc_exec_t; - type firewall_etc_rw_t, firewalld_var_run_t; + type firewalld_etc_rw_t, firewalld_var_run_t; - type firewalld_var_log_t; - ') - + type firewalld_var_log_t; + ') + - allow $1 firewalld_t:process { ptrace signal_perms }; + allow $1 firewalld_t:process signal_perms; - ps_process_pattern($1, firewalld_t) - + ps_process_pattern($1, firewalld_t) + - init_labeled_script_domtrans($1, firewalld_initrc_exec_t) + tunable_policy(`deny_ptrace',`',` + allow $1 firewalld_t:process ptrace; + ') + + firewalld_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 firewalld_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 firewalld_initrc_exec_t system_r; + allow $2 system_r; @@ -97,6 +162,9 @@ interface(`firewalld_admin',` - logging_search_logs($1) - admin_pattern($1, firewalld_var_log_t) - + logging_search_logs($1) + admin_pattern($1, firewalld_var_log_t) + - files_search_etc($1) - admin_pattern($1, firewall_etc_rw_t) + admin_pattern($1, firewalld_etc_rw_t) @@ -30630,13 +30630,13 @@ index 98072a3a1..5fd0906be 100644 @@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t) type firewalld_tmp_t; files_tmp_file(firewalld_tmp_t) - + +type firewalld_tmpfs_t; +files_tmpfs_file(firewalld_tmpfs_t) + type firewalld_var_run_t; files_pid_file(firewalld_var_run_t) - + +type firewalld_unit_file_t; +systemd_unit_file(firewalld_unit_file_t) + 
@@ -30644,25 +30644,25 @@ index 98072a3a1..5fd0906be 100644 # # Local policy # - + -allow firewalld_t self:capability { dac_override net_admin }; +allow firewalld_t self:capability { dac_read_search dac_override net_admin }; dontaudit firewalld_t self:capability sys_tty_config; allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:unix_stream_socket { accept listen }; @@ -37,6 +43,8 @@ allow firewalld_t self:udp_socket create_socket_perms; - + manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) +relabel_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) +manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) - + allow firewalld_t firewalld_var_log_t:file append_file_perms; allow firewalld_t firewalld_var_log_t:file create_file_perms; @@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t) files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file) allow firewalld_t firewalld_tmp_t:file mmap_file_perms; - + +manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t) +fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file) +allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms; @@ -30672,34 +30672,34 @@ index 98072a3a1..5fd0906be 100644 +manage_dirs_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t) +files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file dir }) +can_exec(firewalld_t, firewalld_var_run_t) - + kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) kernel_rw_net_sysctls(firewalld_t) - + +files_list_kernel_modules(firewalld_t) + corecmd_exec_bin(firewalld_t) corecmd_exec_shell(firewalld_t) - + 
@@ -63,20 +79,24 @@ dev_search_sysfs(firewalld_t) - + domain_use_interactive_fds(firewalld_t) - + -files_read_etc_files(firewalld_t) -files_read_usr_files(firewalld_t) +files_dontaudit_access_check_tmp(firewalld_t) files_dontaudit_list_tmp(firewalld_t) - + fs_getattr_xattr_fs(firewalld_t) +fs_dontaudit_all_access_check(firewalld_t) - + -logging_send_syslog_msg(firewalld_t) +auth_use_nsswitch(firewalld_t) - + -miscfiles_read_localization(firewalld_t) +libs_exec_ldconfig(firewalld_t) - + -seutil_exec_setfiles(firewalld_t) -seutil_read_file_contexts(firewalld_t) +logging_send_syslog_msg(firewalld_t) @@ -30707,32 +30707,32 @@ index 98072a3a1..5fd0906be 100644 +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) +sysnet_manage_config(firewalld_t) - + -sysnet_read_config(firewalld_t) +userdom_dontaudit_create_admin_dir(firewalld_t) +userdom_dontaudit_manage_admin_dir(firewalld_t) - + optional_policy(` - dbus_system_domain(firewalld_t, firewalld_exec_t) + dbus_system_domain(firewalld_t, firewalld_exec_t) @@ -94,6 +114,10 @@ optional_policy(` - ') + ') ') - + +optional_policy(` + gnome_read_generic_data_home_dirs(firewalld_t) +') + optional_policy(` - iptables_domtrans(firewalld_t) + iptables_domtrans(firewalld_t) ') diff --git a/firewallgui.if b/firewallgui.if index e6866d1fd..941f4ef73 100644 --- a/firewallgui.if +++ b/firewallgui.if @@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',` - type firewallgui_t; - ') - + type firewallgui_t; + ') + - dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms; + dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms; ') @@ -30743,29 +30743,29 @@ index 209454664..2481a9704 100644 
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t) dev_read_sysfs(firewallgui_t) dev_read_urand(firewallgui_t) - + +files_manage_system_conf_files(firewallgui_t) +files_etc_filetrans_system_conf(firewallgui_t) +files_search_kernel_modules(firewallgui_t) files_list_kernel_modules(firewallgui_t) -files_read_usr_files(firewallgui_t) - + auth_use_nsswitch(firewallgui_t) - + @@ -60,12 +62,13 @@ optional_policy(` ') - + optional_policy(` - gnome_read_generic_gconf_home_content(firewallgui_t) + gnome_read_gconf_home_files(firewallgui_t) ') - + optional_policy(` - iptables_domtrans(firewallgui_t) - iptables_initrc_domtrans(firewallgui_t) + iptables_domtrans(firewallgui_t) + iptables_initrc_domtrans(firewallgui_t) + iptables_systemctl(firewallgui_t) ') - + optional_policy(` diff --git a/firstboot.fc b/firstboot.fc index 12c782c89..ba614e457 100644 @@ -30774,7 +30774,7 @@ index 12c782c89..ba614e457 100644 @@ -1,5 +1,3 @@ -/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0) +/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) - + -/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) - -/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) @@ -30789,17 +30789,17 @@ index 280f875f0..f3a67c911 100644 +## Final system configuration run during the first boot +## after installation of Red Hat/Fedora systems. +## - + ######################################## ## @@ -15,15 +18,13 @@ interface(`firstboot_domtrans',` - type firstboot_t, firstboot_exec_t; - ') - + type firstboot_t, firstboot_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, firstboot_exec_t, firstboot_t) + domtrans_pattern($1, firstboot_exec_t, firstboot_t) ') - + ######################################## ## -## Execute firstboot in the firstboot @@ -30813,16 +30813,16 @@ index 280f875f0..f3a67c911 100644 
@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',` # interface(`firstboot_run',` - gen_require(` + gen_require(` - attribute_role firstboot_roles; + type firstboot_t; - ') - - firstboot_domtrans($1) + ') + + firstboot_domtrans($1) - roleattribute $2 firstboot_roles; + role $2 types firstboot_t; ') - + ######################################## ## -## Inherit and use firstboot file descriptors. @@ -30831,7 +30831,7 @@ index 280f875f0..f3a67c911 100644 ## ## @@ -65,8 +66,8 @@ interface(`firstboot_use_fds',` - + ######################################## ## -## Do not audit attempts to inherit @@ -30842,7 +30842,7 @@ index 280f875f0..f3a67c911 100644 ## ## @@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',` - + ######################################## ## -## Write firstboot unnamed pipes. @@ -30870,13 +30870,13 @@ index 280f875f0..f3a67c911 100644 ## ## @@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',` - type firstboot_t; - ') - + type firstboot_t; + ') + + allow $1 firstboot_t:fd use; - allow $1 firstboot_t:fifo_file write; + allow $1 firstboot_t:fifo_file write; ') - + ######################################## ## -## Read and Write firstboot unnamed pipes. @@ -30885,7 +30885,7 @@ index 280f875f0..f3a67c911 100644 ## ## @@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',` - + ######################################## ## -## Do not audit attemps to read and @@ -30895,7 +30895,7 @@ index 280f875f0..f3a67c911 100644 ## ## @@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',` - + ######################################## ## -## Do not audit attemps to read and @@ -30912,17 +30912,17 @@ index 5010f04e1..0341ae121 100644 +++ b/firstboot.te @@ -1,7 +1,7 @@ policy_module(firstboot, 1.13.0) - + gen_require(` - class passwd { passwd chfn chsh rootok }; + class passwd { passwd chfn chsh rootok crontab }; ') - + ######################################## @@ -9,17 +9,12 @@ gen_require(` # Declarations # - + -attribute_role firstboot_roles; - type firstboot_t; 
@@ -30935,13 +30935,13 @@ index 5010f04e1..0341ae121 100644 -type firstboot_initrc_exec_t; -init_script_file(firstboot_initrc_exec_t) +role system_r types firstboot_t; - + type firstboot_etc_t; files_config_file(firstboot_etc_t) @@ -29,31 +24,28 @@ files_config_file(firstboot_etc_t) # Local policy # - + -allow firstboot_t self:capability { dac_override setgid }; +allow firstboot_t self:capability { dac_read_search dac_override setgid }; allow firstboot_t self:process setfscreate; @@ -30950,23 +30950,23 @@ index 5010f04e1..0341ae121 100644 +allow firstboot_t self:tcp_socket create_stream_socket_perms; +allow firstboot_t self:unix_stream_socket { connect create }; allow firstboot_t self:passwd { rootok passwd chfn chsh }; - + allow firstboot_t firstboot_etc_t:file read_file_perms; - + +files_manage_generic_tmp_dirs(firstboot_t) +files_manage_generic_tmp_files(firstboot_t) + kernel_read_system_state(firstboot_t) kernel_read_kernel_sysctls(firstboot_t) - + -corecmd_exec_all_executables(firstboot_t) +corenet_all_recvfrom_netlabel(firstboot_t) +corenet_tcp_sendrecv_generic_if(firstboot_t) +corenet_tcp_sendrecv_generic_node(firstboot_t) +corenet_tcp_sendrecv_all_ports(firstboot_t) - + dev_read_urand(firstboot_t) - + -files_exec_etc_files(firstboot_t) -files_manage_etc_files(firstboot_t) -files_manage_etc_runtime_files(firstboot_t) @@ -30981,9 +30981,9 @@ index 5010f04e1..0341ae121 100644 selinux_validate_context(firstboot_t) selinux_compute_access_vector(firstboot_t) @@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t) - + auth_dontaudit_getattr_shadow(firstboot_t) - + +corecmd_exec_all_executables(firstboot_t) + +files_exec_etc_files(firstboot_t) @@ -30997,15 +30997,15 @@ index 5010f04e1..0341ae121 100644 + init_domtrans_script(firstboot_t) init_rw_utmp(firstboot_t) - + 
@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t) - + logging_send_syslog_msg(firstboot_t) - + -miscfiles_read_localization(firstboot_t) - sysnet_dns_name_resolve(firstboot_t) - + -userdom_use_user_terminals(firstboot_t) +userdom_use_inherited_user_terminals(firstboot_t) + @@ -31018,34 +31018,34 @@ index 5010f04e1..0341ae121 100644 userdom_home_filetrans_user_home_dir(firstboot_t) -userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) +userdom_filetrans_home_content(firstboot_t) - + optional_policy(` - dbus_system_bus_client(firstboot_t) + dbus_system_bus_client(firstboot_t) @@ -101,21 +104,18 @@ optional_policy(` - modutils_read_module_deps(firstboot_t) + modutils_read_module_deps(firstboot_t) ') - + -optional_policy(` - nis_use_ypbind(firstboot_t) -') - optional_policy(` - samba_rw_config(firstboot_t) + samba_rw_config(firstboot_t) ') - + optional_policy(` - unconfined_domtrans(firstboot_t) - unconfined_domain(firstboot_t) + # The big hammer + unconfined_domain_noaudit(firstboot_t) ') - + optional_policy(` - gnome_manage_generic_home_content(firstboot_t) + gnome_admin_home_gconf_filetrans(firstboot_t, dir) + gnome_manage_config(firstboot_t) ') - + optional_policy(` diff --git a/fprintd.te b/fprintd.te index 92a6479a2..66f574fc9 100644 @@ -31056,51 +31056,51 @@ index 92a6479a2..66f574fc9 100644 type fprintd_exec_t; init_daemon_domain(fprintd_t, fprintd_exec_t) +init_nnp_daemon_domain(fprintd_t) - + type fprintd_var_lib_t; files_type(fprintd_var_lib_t) 
@@ -18,25 +19,29 @@ files_type(fprintd_var_lib_t) # - + allow fprintd_t self:capability sys_nice; +allow fprintd_t self:capability2 wake_alarm; allow fprintd_t self:process { getsched setsched signal sigkill }; allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto }; - + manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) - + kernel_read_system_state(fprintd_t) - + +corecmd_exec_bin(fprintd_t) + dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) +dev_read_urand(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) - + -files_read_usr_files(fprintd_t) - fs_getattr_all_fs(fprintd_t) - + auth_use_nsswitch(fprintd_t) - + -miscfiles_read_localization(fprintd_t) +logging_send_syslog_msg(fprintd_t) - + userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) @@ -54,8 +59,17 @@ optional_policy(` - ') + ') ') - + + optional_policy(` - policykit_domtrans_auth(fprintd_t) - policykit_read_reload(fprintd_t) - policykit_read_lib(fprintd_t) + policykit_read_reload(fprintd_t) + policykit_read_lib(fprintd_t) + policykit_domtrans_auth(fprintd_t) +') + @@ -31433,12 +31433,12 @@ index ddb75c12c..44f74e62f 100644 +++ b/ftp.fc @@ -1,5 +1,8 @@ /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) - + +/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) - + /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0) diff --git a/ftp.if b/ftp.if index 44981434b..84a4858b6 100644 @@ -31446,7 +31446,7 @@ index 44981434b..84a4858b6 100644 +++ b/ftp.if 
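Review bot: The ftp.fc entries carried in this hunk label `/usr/lib/systemd/system/vsftpd.*` and `/usr/lib/systemd/system/proftpd.*` as `iptables_unit_file_t`, while the ftp.te hunk further down declares `type ftpd_unit_file_t; systemd_unit_file(ftpd_unit_file_t)` and the ftp_admin hunk grants `admin_pattern($1, ftpd_unit_file_t)` plus `allow $1 ftpd_unit_file_t:service all_service_perms;`. With the fc entries as written, no file ever receives `ftpd_unit_file_t`, so ftp_admin callers get no rights over the FTP unit files and any domain that is allowed to manage iptables unit files covers them instead. Both entries should read `gen_context(system_u:object_r:ftpd_unit_file_t,s0)`. The outer change in this hunk appears to be whitespace only, so the mismatch seems inherited from the existing patch rather than introduced here.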
@@ -1,5 +1,67 @@ ## File transfer protocol service. - + +###################################### +## +## Execute a domain transition to run ftpd. @@ -31513,27 +31513,27 @@ index 44981434b..84a4858b6 100644 ## ## Execute a dyntransition to run anon sftpd. @@ -179,8 +241,11 @@ interface(`ftp_admin',` - type ftpd_keytab_t; - ') - + type ftpd_keytab_t; + ') + - allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms }; + allow $1 ftpd_t:process signal_perms; - ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) + ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }) + tunable_policy(`deny_ptrace',`',` + allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace; + ') - - init_labeled_script_domtrans($1, ftpd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, ftpd_initrc_exec_t) + domain_system_change_exemption($1) @@ -204,5 +269,9 @@ interface(`ftp_admin',` - logging_list_logs($1) - admin_pattern($1, xferlog_t) - + logging_list_logs($1) + admin_pattern($1, xferlog_t) + + ftp_systemctl($1) + admin_pattern($1, ftpd_unit_file_t) + allow $1 ftpd_unit_file_t:service all_service_perms; + - ftp_run_ftpdctl($1, $2) + ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te index 36838c202..d8066fbd4 100644 @@ -31545,7 +31545,7 @@ index 36838c202..d8066fbd4 100644 ## -gen_tunable(allow_ftpd_anon_write, false) +gen_tunable(ftpd_anon_write, false) - + ## ##

      @@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false) @@ -31554,7 +31554,7 @@ index 36838c202..d8066fbd4 100644 ## -gen_tunable(allow_ftpd_full_access, false) +gen_tunable(ftpd_full_access, false) - + ## ##

      @@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false) @@ -31570,7 +31570,7 @@ index 36838c202..d8066fbd4 100644 +##

      +##
      +gen_tunable(ftpd_use_fusefs, false) - + ## ##

      @@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false) @@ -31579,12 +31579,12 @@ index 36838c202..d8066fbd4 100644 ## -gen_tunable(allow_ftpd_use_nfs, false) +gen_tunable(ftpd_use_nfs, false) - + ## ##

      @@ -49,11 +56,11 @@ gen_tunable(allow_ftpd_use_nfs, false) gen_tunable(ftpd_connect_db, false) - + ## -##

      -## Determine whether ftpd can bind to all @@ -31597,12 +31597,12 @@ index 36838c202..d8066fbd4 100644 +##

      +##
      gen_tunable(ftpd_use_passive_mode, false) - + ## @@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false) ## gen_tunable(ftpd_connect_all_unreserved, false) - + -## -##

      -## Determine whether ftpd can read and write @@ -31647,22 +31647,22 @@ index 36838c202..d8066fbd4 100644 -gen_tunable(sftpd_write_ssh_home, false) - attribute_role ftpdctl_roles; - + type anon_sftpd_t; @@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) - + +type ftpd_unit_file_t; +systemd_unit_file(ftpd_unit_file_t) + type ftpd_keytab_t; files_type(ftpd_keytab_t) - + @@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) - + +manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) +manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t) + @@ -31670,9 +31670,9 @@ index 36838c202..d8066fbd4 100644 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) @@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) - + allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; - + -allow ftpd_t xferlog_t:dir setattr_dir_perms; -append_files_pattern(ftpd_t, xferlog_t, xferlog_t) -create_files_pattern(ftpd_t, xferlog_t, xferlog_t) @@ -31681,17 +31681,17 @@ index 36838c202..d8066fbd4 100644 +manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t) +manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) +logging_log_filetrans(ftpd_t, xferlog_t, { dir file }) - + kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) -kernel_search_network_state(ftpd_t) +kernel_read_network_state(ftpd_t) - + dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t) - + corecmd_exec_bin(ftpd_t) - + -corenet_all_recvfrom_unlabeled(ftpd_t) corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) @@ -31699,27 +31699,27 @@ index 36838c202..d8066fbd4 100644 
@@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) - + +corenet_tcp_bind_generic_port(ftpd_t) +corenet_tcp_bind_all_ephemeral_ports(ftpd_t) +corenet_tcp_connect_all_ephemeral_ports(ftpd_t) + domain_use_interactive_fds(ftpd_t) - + -files_read_etc_files(ftpd_t) files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) - + @@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) - + -miscfiles_read_localization(ftpd_t) miscfiles_read_public_files(ftpd_t) - + seutil_dontaudit_search_config(ftpd_t) @@ -259,37 +228,60 @@ sysnet_use_ldap(ftpd_t) - + userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) +userdom_filetrans_home_content(ftpd_t) @@ -31728,23 +31728,23 @@ index 36838c202..d8066fbd4 100644 +userdom_manage_user_tmp_dirs(ftpd_t) +userdom_manage_user_tmp_files(ftpd_t) + - + -tunable_policy(`allow_ftpd_anon_write',` +tunable_policy(`ftpd_anon_write',` - miscfiles_manage_public_files(ftpd_t) + miscfiles_manage_public_files(ftpd_t) ') - + -tunable_policy(`allow_ftpd_use_cifs',` +tunable_policy(`ftpd_use_cifs',` - fs_read_cifs_files(ftpd_t) - fs_read_cifs_symlinks(ftpd_t) + fs_read_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) ') - + -tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` +tunable_policy(`ftpd_use_cifs && ftpd_anon_write',` - fs_manage_cifs_files(ftpd_t) + fs_manage_cifs_files(ftpd_t) ') - + -tunable_policy(`allow_ftpd_use_nfs',` +tunable_policy(`ftpd_use_fusefs',` + fs_manage_fusefs_dirs(ftpd_t) 
@@ -31755,23 +31755,23 @@ index 36838c202..d8066fbd4 100644 +') + +tunable_policy(`ftpd_use_nfs',` - fs_read_nfs_files(ftpd_t) - fs_read_nfs_symlinks(ftpd_t) + fs_read_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) ') - + -tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` +tunable_policy(`ftpd_use_nfs && ftpd_anon_write',` - fs_manage_nfs_files(ftpd_t) + fs_manage_nfs_files(ftpd_t) ') - + -tunable_policy(`allow_ftpd_full_access',` +tunable_policy(`ftpd_full_access',` - allow ftpd_t self:capability { dac_override dac_read_search }; + allow ftpd_t self:capability { dac_override dac_read_search }; - files_manage_non_auth_files(ftpd_t) + files_manage_non_security_dirs(ftpd_t) + files_manage_non_security_files(ftpd_t) ') - + tunable_policy(`ftpd_use_passive_mode',` - corenet_sendrecv_all_server_packets(ftpd_t) - corenet_tcp_bind_all_unreserved_ports(ftpd_t) @@ -31786,12 +31786,12 @@ index 36838c202..d8066fbd4 100644 + corenet_sendrecv_all_server_packets(ftpd_t) + corenet_tcp_bind_all_unreserved_ports(ftpd_t) ') - + tunable_policy(`ftpd_connect_all_unreserved',` @@ -304,43 +296,23 @@ tunable_policy(`ftpd_connect_db',` - corenet_sendrecv_mssql_client_packets(ftpd_t) - corenet_tcp_connect_mssql_port(ftpd_t) - corenet_tcp_sendrecv_mssql_port(ftpd_t) + corenet_sendrecv_mssql_client_packets(ftpd_t) + corenet_tcp_connect_mssql_port(ftpd_t) + corenet_tcp_sendrecv_mssql_port(ftpd_t) - corenet_sendrecv_oracledb_client_packets(ftpd_t) - corenet_tcp_connect_oracledb_port(ftpd_t) - corenet_tcp_sendrecv_oracledb_port(ftpd_t) @@ -31799,7 +31799,7 @@ index 36838c202..d8066fbd4 100644 + corenet_tcp_connect_oracle_port(ftpd_t) + corenet_tcp_sendrecv_oracle_port(ftpd_t) ') - + -tunable_policy(`ftp_home_dir',` - allow ftpd_t self:capability { dac_override dac_read_search }; - 
@@ -31816,18 +31816,18 @@ index 36838c202..d8066fbd4 100644 - -tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` +tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(ftpd_t) - fs_manage_nfs_files(ftpd_t) - fs_manage_nfs_symlinks(ftpd_t) + fs_manage_nfs_dirs(ftpd_t) + fs_manage_nfs_files(ftpd_t) + fs_manage_nfs_symlinks(ftpd_t) ') - + -tunable_policy(`ftp_home_dir && use_samba_home_dirs',` +tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(ftpd_t) - fs_manage_cifs_files(ftpd_t) - fs_manage_cifs_symlinks(ftpd_t) + fs_manage_cifs_dirs(ftpd_t) + fs_manage_cifs_files(ftpd_t) + fs_manage_cifs_symlinks(ftpd_t) ') - + -optional_policy(` - tunable_policy(`ftp_home_dir',` - apache_search_sys_content(ftpd_t) @@ -31835,23 +31835,23 @@ index 36838c202..d8066fbd4 100644 -') - optional_policy(` - corecmd_exec_shell(ftpd_t) - + corecmd_exec_shell(ftpd_t) + @@ -363,9 +335,8 @@ optional_policy(` - + optional_policy(` - selinux_validate_context(ftpd_t) + selinux_validate_context(ftpd_t) - - kerberos_read_keytab(ftpd_t) + kerberos_read_keytab(ftpd_t) - kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0") - kerberos_use(ftpd_t) + kerberos_use(ftpd_t) ') - + @@ -410,92 +381,49 @@ optional_policy(` - udev_read_db(ftpd_t) + udev_read_db(ftpd_t) ') - + +optional_policy(` + apache_manage_user_content(ftpd_t) +') 
@@ -31860,28 +31860,28 @@ index 36838c202..d8066fbd4 100644 # # Ctl local policy # - + stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) +files_search_pids(ftpdctl_t) - + allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms; files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file) - + -files_read_etc_files(ftpdctl_t) files_search_pids(ftpdctl_t) - + -userdom_use_user_terminals(ftpdctl_t) +userdom_use_inherited_user_terminals(ftpdctl_t) - + ######################################## # # Anon sftpd local policy # - + -files_read_etc_files(anon_sftpd_t) - miscfiles_read_public_files(anon_sftpd_t) - + -tunable_policy(`sftpd_anon_write',` - miscfiles_manage_public_files(anon_sftpd_t) -') @@ -31890,23 +31890,23 @@ index 36838c202..d8066fbd4 100644 # # Sftpd local policy # - + -files_read_etc_files(sftpd_t) - + userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) - + -tunable_policy(`sftpd_enable_homedirs',` - allow sftpd_t self:capability { dac_override dac_read_search }; +userdom_filetrans_home_content(sftpd_t) +userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) - - userdom_manage_user_home_content_dirs(sftpd_t) - userdom_manage_user_home_content_files(sftpd_t) + + userdom_manage_user_home_content_dirs(sftpd_t) + userdom_manage_user_home_content_files(sftpd_t) - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) - userdom_manage_user_tmp_dirs(sftpd_t) - userdom_manage_user_tmp_files(sftpd_t) + userdom_manage_user_tmp_dirs(sftpd_t) + userdom_manage_user_tmp_files(sftpd_t) - userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) -',` - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) 
@@ -31938,14 +31938,14 @@ index 36838c202..d8066fbd4 100644 -tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) -') - + -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(sftpd_t) - fs_read_cifs_files(sftpd_t) - fs_read_cifs_symlinks(sftpd_t) -') +userdom_home_reader(sftpd_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(sftpd_t) - fs_read_nfs_files(sftpd_t) @@ -31956,8 +31956,8 @@ index e2a3e0dba..50ebd4080 100644 --- a/games.if +++ b/games.if @@ -58,3 +58,23 @@ interface(`games_rw_data',` - files_search_var_lib($1) - rw_files_pattern($1, games_data_t, games_data_t) + files_search_var_lib($1) + rw_files_pattern($1, games_data_t, games_data_t) ') + +######################################## @@ -31984,18 +31984,18 @@ index e5b15fb7e..220622e84 100644 --- a/games.te +++ b/games.te @@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t) - + logging_send_syslog_msg(games_srv_t) - + -miscfiles_read_localization(games_srv_t) - userdom_dontaudit_use_unpriv_user_fds(games_srv_t) - + userdom_dontaudit_search_user_home_dirs(games_srv_t) @@ -120,7 +118,6 @@ kernel_read_system_state(games_t) - + corecmd_exec_bin(games_t) - + -corenet_all_recvfrom_unlabeled(games_t) corenet_all_recvfrom_netlabel(games_t) corenet_tcp_sendrecv_generic_if(games_t) @@ -32007,52 +32007,52 @@ index e5b15fb7e..220622e84 100644 -files_read_etc_files(games_t) -files_read_usr_files(games_t) files_read_var_files(games_t) - + init_dontaudit_rw_utmp(games_t) @@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t) logging_dontaudit_search_logs(games_t) - + miscfiles_read_man_pages(games_t) -miscfiles_read_localization(games_t) - + sysnet_dns_name_resolve(games_t) - + @@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t) userdom_manage_user_tmp_sockets(games_t) userdom_dontaudit_read_user_home_content_files(games_t) - + -tunable_policy(`allow_execmem',` +tunable_policy(`deny_execmem',`', ` - allow games_t self:process execmem; + allow games_t self:process execmem; ') - + 
diff --git a/gatekeeper.te b/gatekeeper.te index 28203689c..88c98f481 100644 --- a/gatekeeper.te +++ b/gatekeeper.te @@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t) - + corecmd_list_bin(gatekeeper_t) - + -corenet_all_recvfrom_unlabeled(gatekeeper_t) corenet_all_recvfrom_netlabel(gatekeeper_t) corenet_tcp_sendrecv_generic_if(gatekeeper_t) corenet_udp_sendrecv_generic_if(gatekeeper_t) @@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t) - + domain_use_interactive_fds(gatekeeper_t) - + -files_read_etc_files(gatekeeper_t) - fs_getattr_all_fs(gatekeeper_t) fs_search_auto_mountpoints(gatekeeper_t) - + logging_send_syslog_msg(gatekeeper_t) - + -miscfiles_read_localization(gatekeeper_t) - sysnet_read_config(gatekeeper_t) - + userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) diff --git a/gdomap.te b/gdomap.te index db7b56c2d..3c2357965 100644 @@ -32765,9 +32765,9 @@ index 8a820face..996b30c16 100644 --- a/gift.te +++ b/gift.te @@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t) - + userdom_dontaudit_read_user_home_content_files(gift_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gift_t) - fs_manage_nfs_files(gift_t) @@ -32780,19 +32780,19 @@ index 8a820face..996b30c16 100644 - fs_manage_cifs_symlinks(gift_t) -') +userdom_home_manager(gift_t) - + optional_policy(` - xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) + xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t) @@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t) corenet_tcp_connect_all_ports(giftd_t) - + files_read_etc_runtime_files(giftd_t) -files_read_usr_files(giftd_t) - -miscfiles_read_localization(giftd_t) - + sysnet_dns_name_resolve(giftd_t) - + -userdom_use_user_terminals(giftd_t) - -tunable_policy(`use_nfs_home_dirs',` @@ -32813,16 +32813,16 @@ index 24700f84b..6561d568e 100644 --- a/git.fc +++ b/git.fc 
@@ -2,12 +2,12 @@ HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_user_content_t,s0) - + /usr/libexec/git-core/git-daemon -- gen_context(system_u:object_r:gitd_exec_t,s0) - + -/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) +/var/cache/cgit(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0) +/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:git_rw_content_t,s0) - + /var/lib/git(/.*)? gen_context(system_u:object_r:git_sys_content_t,s0) - + -/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) -/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) @@ -32836,28 +32836,28 @@ index 1e29af196..6c64f55c3 100644 --- a/git.if +++ b/git.if @@ -37,7 +37,10 @@ template(`git_role',` - allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git") - + allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms }; + userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git") + - allow $2 git_session_t:process { ptrace signal_perms }; + allow $2 git_session_t:process signal_perms; + tunable_policy(`deny_ptrace',`',` + allow $2 git_session_t:process ptrace; + ') - ps_process_pattern($2, git_session_t) - - tunable_policy(`git_session_users',` + ps_process_pattern($2, git_session_t) + + tunable_policy(`git_session_users',` 
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',` - - list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) - read_files_pattern($1, git_sys_content_t, git_sys_content_t) + + list_dirs_pattern($1, git_sys_content_t, git_sys_content_t) + read_files_pattern($1, git_sys_content_t, git_sys_content_t) + read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t) - - files_search_var_lib($1) - + + files_search_var_lib($1) + @@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',` - fs_read_nfs_files($1) - ') + fs_read_nfs_files($1) + ') ') + +####################################### @@ -32884,7 +32884,7 @@ index dc49c715e..43f79d6de 100644 @@ -47,14 +47,6 @@ gen_tunable(git_session_bind_all_unreserved_ports, false) ## gen_tunable(git_session_users, false) - + -## -##

      -## Determine whether Git session daemons @@ -32898,24 +32898,24 @@ index dc49c715e..43f79d6de 100644 ## Determine whether Git system daemon @@ -83,6 +75,7 @@ attribute git_daemon; attribute_role git_session_roles; - + apache_content_template(git) +apache_content_alias_template(git, git) - + type git_system_t, git_daemon; type gitd_exec_t; @@ -93,12 +86,15 @@ type git_session_t, git_daemon; userdom_user_application_domain(git_session_t, gitd_exec_t) role git_session_roles types git_session_t; - + -type git_sys_content_t; +type git_sys_content_t alias git_system_content_t; files_type(git_sys_content_t) - + -type git_user_content_t; +type git_user_content_t alias git_session_content_t; userdom_user_home_content(git_user_content_t) - + +type git_script_tmp_t; +files_tmp_file(git_script_tmp_t) + @@ -32925,27 +32925,27 @@ index dc49c715e..43f79d6de 100644 @@ -110,6 +106,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) - + +kernel_read_system_state(git_session_t) + corenet_all_recvfrom_netlabel(git_session_t) corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) @@ -130,9 +128,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` - corenet_tcp_sendrecv_all_ports(git_session_t) + corenet_tcp_sendrecv_all_ports(git_session_t) ') - + -tunable_policy(`git_session_send_syslog_msg',` - logging_send_syslog_msg(git_session_t) -') +logging_send_syslog_msg(git_session_t) - + tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(git_session_t) + fs_getattr_nfs(git_session_t) @@ -158,6 +154,9 @@ tunable_policy(`use_samba_home_dirs',` list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) - + +kernel_read_network_state(git_system_t) +kernel_read_system_state(git_system_t) + 
@@ -32953,20 +32953,20 @@ index dc49c715e..43f79d6de 100644 corenet_all_recvfrom_netlabel(git_system_t) corenet_tcp_sendrecv_generic_if(git_system_t) @@ -176,6 +175,10 @@ logging_send_syslog_msg(git_system_t) - + tunable_policy(`git_system_enable_homedirs',` - userdom_search_user_home_dirs(git_system_t) + userdom_search_user_home_dirs(git_system_t) + list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t) + list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t) + read_files_pattern(git_system_t, git_user_content_t, git_user_content_t) + ') - + tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` @@ -215,48 +218,54 @@ tunable_policy(`git_system_use_nfs',` # CGI policy # - + -list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) -files_search_var_lib(httpd_git_script_t) 
@@ -32974,22 +32974,22 @@ index dc49c715e..43f79d6de 100644 +manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t) +manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t) +files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir }) - + -files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t }) +files_search_var_lib(git_script_t) +allow git_script_t git_sys_content_t:file map; +allow git_script_t git_user_content_t:file map; - + -auth_use_nsswitch(httpd_git_script_t) +auth_use_nsswitch(git_script_t) - + tunable_policy(`git_cgi_enable_homedirs',` - userdom_search_user_home_dirs(httpd_git_script_t) + userdom_search_user_home_dirs(git_script_t) ') - + +fs_getattr_tmpfs(git_script_t) tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',` - fs_getattr_nfs(httpd_git_script_t) @@ -33002,7 +33002,7 @@ index dc49c715e..43f79d6de 100644 - fs_dontaudit_read_nfs_files(httpd_git_script_t) + fs_dontaudit_read_nfs_files(git_script_t) ') - + tunable_policy(`git_cgi_enable_homedirs && use_samba_home_dirs',` - fs_getattr_cifs(httpd_git_script_t) - fs_list_cifs(httpd_git_script_t) @@ -33014,7 +33014,7 @@ index dc49c715e..43f79d6de 100644 - fs_dontaudit_read_cifs_files(httpd_git_script_t) + fs_dontaudit_read_cifs_files(git_script_t) ') - + tunable_policy(`git_cgi_use_cifs',` - fs_getattr_cifs(httpd_git_script_t) - fs_list_cifs(httpd_git_script_t) @@ -33026,7 +33026,7 @@ index dc49c715e..43f79d6de 100644 - fs_dontaudit_read_cifs_files(httpd_git_script_t) + fs_dontaudit_read_cifs_files(git_script_t) ') - + tunable_policy(`git_cgi_use_nfs',` - fs_getattr_nfs(httpd_git_script_t) - fs_list_nfs(httpd_git_script_t) 
@@ -33038,38 +33038,38 @@ index dc49c715e..43f79d6de 100644 - fs_dontaudit_read_nfs_files(httpd_git_script_t) + fs_dontaudit_read_nfs_files(git_script_t) ') - + ######################################## @@ -266,12 +275,9 @@ tunable_policy(`git_cgi_use_nfs',` - + allow git_daemon self:fifo_file rw_fifo_file_perms; - + -kernel_read_system_state(git_daemon) +#kernel_read_system_state(git_daemon) - + corecmd_exec_bin(git_daemon) - + -files_read_usr_files(git_daemon) - fs_search_auto_mountpoints(git_daemon) - + -miscfiles_read_localization(git_daemon) diff --git a/gitosis.te b/gitosis.te index 582db0a2e..d77a1a549 100644 --- a/gitosis.te +++ b/gitosis.te @@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t) - + dev_read_urand(gitosis_t) - + -files_read_etc_files(gitosis_t) -files_read_usr_files(gitosis_t) files_search_var_lib(gitosis_t) - + -miscfiles_read_localization(gitosis_t) - sysnet_read_config(gitosis_t) - + tunable_policy(`gitosis_can_sendmail',` diff --git a/glance.fc b/glance.fc index c21a528b5..a746a2b16 100644 @@ -33079,7 +33079,7 @@ index c21a528b5..a746a2b16 100644 /etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0) /etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) +/etc/rc\.d/init\.d/openstack-glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0) - + -/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) +/usr/lib/systemd/system/openstack-glance-api.* -- gen_context(system_u:object_r:glance_api_unit_file_t,s0) +/usr/lib/systemd/system/openstack-glance-registry.* -- gen_context(system_u:object_r:glance_registry_unit_file_t,s0) 
@@ -33088,16 +33088,16 @@ index c21a528b5..a746a2b16 100644 +/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) /usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0) +/usr/bin/glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_exec_t,s0) - + /var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) - + diff --git a/glance.if b/glance.if index 9eacb2c9c..7b19ad2db 100644 --- a/glance.if +++ b/glance.if @@ -1,5 +1,38 @@ ##

      OpenStack image registry and delivery service. - + +####################################### +## +## Creates types and rules for a basic @@ -33147,9 +33147,9 @@ index 9eacb2c9c..7b19ad2db 100644 # interface(`glance_domtrans_api',` @@ -242,8 +275,13 @@ interface(`glance_admin',` - type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; - ') - + type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; + ') + - allow $1 { glance_api_t glance_registry_t }:process signal_perms; - ps_process_pattern($1, { glance_api_t glance_registry_t }) + allow $1 glance_registry_t:process signal_perms; @@ -33159,9 +33159,9 @@ index 9eacb2c9c..7b19ad2db 100644 + allow $1 glance_registry_t:process ptrace; + allow $1 glance_api_t:process ptrace; + ') - - init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) + domain_system_change_exemption($1) diff --git a/glance.te b/glance.te index 5cd09096a..bd3c3d21b 100644 --- a/glance.te @@ -33169,7 +33169,7 @@ index 5cd09096a..bd3c3d21b 100644 @@ -5,10 +5,31 @@ policy_module(glance, 1.1.0) # Declarations # - + +## +##

      +## Determine whether glance-api can @@ -33193,17 +33193,17 @@ index 5cd09096a..bd3c3d21b 100644 +gen_tunable(glance_use_execmem, false) + attribute glance_domain; - + -type glance_registry_t, glance_domain; -type glance_registry_exec_t; +glance_basic_types_template(glance_registry) init_daemon_domain(glance_registry_t, glance_registry_exec_t) - + type glance_registry_initrc_exec_t; @@ -17,13 +38,21 @@ init_script_file(glance_registry_initrc_exec_t) type glance_registry_tmp_t; files_tmp_file(glance_registry_tmp_t) - + -type glance_api_t, glance_domain; -type glance_api_exec_t; +type glance_registry_tmpfs_t; @@ -33211,10 +33211,10 @@ index 5cd09096a..bd3c3d21b 100644 + +glance_basic_types_template(glance_api) init_daemon_domain(glance_api_t, glance_api_exec_t) - + type glance_api_initrc_exec_t; init_script_file(glance_api_initrc_exec_t) - + +glance_basic_types_template(glance_scrubber) +init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t) + @@ -33223,11 +33223,11 @@ index 5cd09096a..bd3c3d21b 100644 + type glance_log_t; logging_log_file(glance_log_t) - + @@ -41,6 +70,7 @@ files_pid_file(glance_var_run_t) # Common local policy # - + +allow glance_domain self:process signal_perms; allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; @@ -33235,7 +33235,7 @@ index 5cd09096a..bd3c3d21b 100644 @@ -56,29 +86,40 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) - + -kernel_read_system_state(glance_domain) - -corenet_all_recvfrom_unlabeled(glance_domain) 
@@ -33246,23 +33246,23 @@ index 5cd09096a..bd3c3d21b 100644 corenet_tcp_bind_generic_node(glance_domain) +corenet_tcp_connect_mysqld_port(glance_domain) +corenet_tcp_connect_http_port(glance_domain) - + corecmd_exec_bin(glance_domain) corecmd_exec_shell(glance_domain) - + dev_read_urand(glance_domain) +dev_read_sysfs(glance_domain) - + -files_read_etc_files(glance_domain) -files_read_usr_files(glance_domain) +auth_read_passwd(glance_domain) - + libs_exec_ldconfig(glance_domain) - + -miscfiles_read_localization(glance_domain) - sysnet_dns_name_resolve(glance_domain) - + +tunable_policy(`glance_use_fusefs',` + fs_manage_fusefs_dirs(glance_domain) + fs_manage_fusefs_files(glance_domain) @@ -33284,7 +33284,7 @@ index 5cd09096a..bd3c3d21b 100644 @@ -88,8 +129,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) - + +manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) +manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t) +fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file }) @@ -33295,20 +33295,20 @@ index 5cd09096a..bd3c3d21b 100644 +corenet_tcp_connect_all_ephemeral_ports(glance_registry_t) + +corenet_tcp_connect_keystone_port(glance_registry_t) - + logging_send_syslog_msg(glance_registry_t) - + 
@@ -108,13 +157,38 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) - + -corenet_sendrecv_armtechdaemon_server_packets(glance_api_t) -corenet_tcp_bind_armtechdaemon_port(glance_api_t) - -corenet_sendrecv_hplip_server_packets(glance_api_t) -corenet_tcp_bind_hplip_port(glance_api_t) +corenet_tcp_bind_generic_node(glance_api_t) - + +corenet_tcp_bind_glance_port(glance_api_t) corenet_sendrecv_glance_registry_client_packets(glance_api_t) +corenet_tcp_connect_amqp_port(glance_api_t) @@ -33322,7 +33322,7 @@ index 5cd09096a..bd3c3d21b 100644 + +corenet_sendrecv_hplip_server_packets(glance_api_t) +corenet_tcp_bind_hplip_port(glance_api_t) - + fs_getattr_xattr_fs(glance_api_t) + +tunable_policy(`glance_api_can_network',` @@ -33663,7 +33663,7 @@ index 000000000..a62e355ac + type glusterd_initrc_exec_t; + type glusterd_log_t; + type glusterd_tmp_t; -+ type glusterd_conf_t; ++ type glusterd_conf_t; + ') + + allow $1 glusterd_t:process { signal_perms }; @@ -33719,7 +33719,7 @@ index 000000000..7804cbaf4 + +## +##

      -+## Allow glusterd_t domain to use executable memory ++## Allow glusterd_t domain to use executable memory +##

      +##
      +gen_tunable(gluster_use_execmem, false) @@ -33926,17 +33926,17 @@ index 000000000..7804cbaf4 + +tunable_policy(`gluster_anon_write',` + miscfiles_manage_public_files(glusterd_t) -+') ++') + +tunable_policy(`gluster_export_all_ro',` -+ fs_read_noxattr_fs_files(glusterd_t) -+ files_read_non_security_files(glusterd_t) ++ fs_read_noxattr_fs_files(glusterd_t) ++ files_read_non_security_files(glusterd_t) + files_getattr_all_pipes(glusterd_t) + files_getattr_all_sockets(glusterd_t) +') + +tunable_policy(`gluster_export_all_rw',` -+ fs_manage_noxattr_fs_files(glusterd_t) ++ fs_manage_noxattr_fs_files(glusterd_t) + files_manage_non_security_dirs(glusterd_t) + files_manage_non_security_files(glusterd_t) + files_relabel_base_file_types(glusterd_t) @@ -34266,7 +34266,7 @@ index e39de436a..5edcb8330 100644 +HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) - + -/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) +/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) @@ -34289,9 +34289,9 @@ index e39de436a..5edcb8330 100644 +/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0) + +/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) - + /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) - + +/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0) + /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) 
@@ -34301,7 +34301,7 @@ index e39de436a..5edcb8330 100644 +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) - + -/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) @@ -34313,7 +34313,7 @@ index ab09d6195..2e8661416 100644 @@ -1,52 +1,76 @@ -## GNU network object model environment. +## GNU network object model environment (GNOME) - + -######################################## +####################################### ## @@ -34365,7 +34365,7 @@ index ab09d6195..2e8661416 100644 +interface(`gnome_role_gkeyringd',` + refpolicywarn(`$0($*) has been deprecated') ') - + -####################################### +###################################### ## @@ -34404,19 +34404,19 @@ index ab09d6195..2e8661416 100644 - attribute gnomedomain, gkeyringd_domain; + gen_require(` + attribute gnomedomain, gkeyringd_domain, gnome_home_type; - attribute_role gconfd_roles; + attribute_role gconfd_roles; - type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; + type gkeyringd_exec_t, gkeyringd_tmp_t; - type gconfd_t, gconfd_exec_t, gconf_tmp_t; + type gconfd_t, gconfd_exec_t, gconf_tmp_t; - type gconf_home_t; + class dbus send_msg; - ') - - ######################################## + ') + + ######################################## @@ -74,14 +98,11 @@ template(`gnome_role_template',` - - domtrans_pattern($3, gconfd_exec_t, gconfd_t) - + + domtrans_pattern($3, gconfd_exec_t, gconfd_t) + - allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; - userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") 
@@ -34425,32 +34425,32 @@ index ab09d6195..2e8661416 100644 - allow $3 gconfd_t:process { ptrace signal_perms }; + allow $3 gconfd_t:process { signal_perms }; + allow $3 gconfd_t:unix_stream_socket connectto; - ps_process_pattern($3, gconfd_t) - + ps_process_pattern($3, gconfd_t) + + - ######################################## - # - # Gkeyringd policy + ######################################## + # + # Gkeyringd policy @@ -89,37 +110,86 @@ template(`gnome_role_template',` - - domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - + + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) + - allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; - allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms }; + allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms }; + allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms }; - + - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2") - userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private") -- +- - gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings") + userdom_home_manager($1_gkeyringd_t) - + - allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; + allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms }; - - ps_process_pattern($3, $1_gkeyringd_t) + + ps_process_pattern($3, $1_gkeyringd_t) - allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; + allow $3 $1_gkeyringd_t:process signal_perms; + dontaudit $3 gkeyringd_exec_t:file entrypoint; 
@@ -34463,10 +34463,10 @@ index ab09d6195..2e8661416 100644 + stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) + + kernel_read_system_state($1_gkeyringd_t) - - corecmd_bin_domtrans($1_gkeyringd_t, $3) - corecmd_shell_domtrans($1_gkeyringd_t, $3) - + + corecmd_bin_domtrans($1_gkeyringd_t, $3) + corecmd_shell_domtrans($1_gkeyringd_t, $3) + - gnome_stream_connect_gkeyringd($1, $3) + gnome_stream_connect_gkeyringd($3) + @@ -34478,23 +34478,23 @@ index ab09d6195..2e8661416 100644 + + allow $1_gkeyringd_t $3:dbus send_msg; + allow $3 $1_gkeyringd_t:dbus send_msg; - - optional_policy(` + + optional_policy(` - dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_dontaudit_stream_connect_system_dbusd($1_gkeyringd_t) + gnome_manage_generic_home_dirs($1_gkeyringd_t) + gnome_read_generic_data_home_files($1_gkeyringd_t) + gnome_read_generic_data_home_dirs($1_gkeyringd_t) - - optional_policy(` + + optional_policy(` - gnome_dbus_chat_gkeyringd($1, $3) + telepathy_mission_control_read_state($1_gkeyringd_t) + telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) - ') - ') + ') + ') ') - + +####################################### +## +## Allow domain to run gkeyring in the $1_gkeyringd_t domain. @@ -34537,21 +34537,21 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_exec_gconf',` +interface(`gnome_stream_connect_gconf',` - gen_require(` + gen_require(` - type gconfd_exec_t; + type gconfd_t, gconf_tmp_t; - ') - + ') + - corecmd_search_bin($1) - can_exec($1, gconfd_exec_t) + read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) + allow $1 gconfd_t:unix_stream_socket connectto; ') - + ######################################## ## -## Read gconf configuration content. -+## Connect to gkeyringd with a unix stream socket. ++## Connect to gkeyringd with a unix stream socket. ## ## ## 
@@ -34561,14 +34561,14 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_read_gconf_config',` +interface(`gnome_stream_connect_gkeyringd',` - gen_require(` + gen_require(` - type gconf_etc_t; + attribute gkeyringd_domain; + type gkeyringd_tmp_t; + type gconf_tmp_t; + type cache_home_t; - ') - + ') + - files_search_etc($1) - allow $1 gconf_etc_t:dir list_dir_perms; - allow $1 gconf_etc_t:file read_file_perms; @@ -34578,7 +34578,7 @@ index ab09d6195..2e8661416 100644 + stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) + stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain) ') - + ######################################## ## -## Do not audit attempts to read @@ -34594,15 +34594,15 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_dontaudit_read_inherited_gconf_config_files',` +interface(`gnome_domtrans_gconfd',` - gen_require(` + gen_require(` - type gconf_etc_t; + type gconfd_t, gconfd_exec_t; - ') - + ') + - dontaudit $1 gconf_etc_t:file read; + domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') - + -####################################### +######################################## ## @@ -34619,18 +34619,18 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_manage_gconf_config',` +interface(`gnome_dontaudit_read_config',` - gen_require(` + gen_require(` - type gconf_etc_t; + attribute gnome_home_type; - ') - + ') + - files_search_etc($1) - allow $1 gconf_etc_t:dir manage_dir_perms; - allow $1 gconf_etc_t:file manage_file_perms; - allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms; + dontaudit $1 gnome_home_type:dir read_inherited_file_perms; ') - + ######################################## ## -## Connect to gconf using a unix 
@@ -34646,16 +34646,16 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_stream_connect_gconf',` +interface(`gnome_dontaudit_search_config',` - gen_require(` + gen_require(` - type gconfd_t, gconf_tmp_t; + attribute gnome_home_type; - ') - + ') + - files_search_tmp($1) - stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t) + dontaudit $1 gnome_home_type:dir search_dir_perms; ') - + ######################################## ## -## Run gconfd in gconfd domain. @@ -34670,16 +34670,16 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_domtrans_gconfd',` +interface(`gnome_dontaudit_append_config_files',` - gen_require(` + gen_require(` - type gconfd_t, gconfd_exec_t; + attribute gnome_home_type; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, gconfd_exec_t, gconfd_t) + dontaudit $1 gnome_home_type:file append; ') - + + ######################################## ## @@ -34695,15 +34695,15 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_create_generic_home_dirs',` +interface(`gnome_dontaudit_write_config_files',` - gen_require(` + gen_require(` - type gnome_home_t; + attribute gnome_home_type; - ') - + ') + - allow $1 gnome_home_t:dir create_dir_perms; + dontaudit $1 gnome_home_type:file write; ') - + ######################################## ## -## Set attributes of generic gnome @@ -34730,7 +34730,7 @@ index ab09d6195..2e8661416 100644 + allow $1 gnome_home_type:sock_file manage_sock_file_perms; + userdom_search_user_home_dirs($1) ') - + ######################################## ## -## Set attributes of generic gnome 
@@ -34745,16 +34745,16 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_setattr_generic_home_dirs',` +interface(`gnome_signal_all',` - gen_require(` + gen_require(` - type gnome_home_t; + attribute gnomedomain; - ') - + ') + - userdom_search_user_home_dirs($1) - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) + allow $1 gnomedomain:process signal; ') - + ######################################## ## -## Read generic gnome user home content. (Deprecated) @@ -34794,7 +34794,7 @@ index ab09d6195..2e8661416 100644 + filetrans_pattern($1, cache_home_t, $2, $3, $4) + userdom_search_user_home_dirs($1) ') - + ######################################## ## -## Read generic gnome home content. @@ -34825,20 +34825,20 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_read_generic_home_content',` +interface(`gnome_config_filetrans',` - gen_require(` + gen_require(` - type gnome_home_t; + type config_home_t; - ') - + ') + + filetrans_pattern($1, config_home_t, $2, $3, $4) - userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir list_dir_perms; - allow $1 gnome_home_t:file read_file_perms; - allow $1 gnome_home_t:fifo_file read_fifo_file_perms; - allow $1 gnome_home_t:lnk_file read_lnk_file_perms; - allow $1 gnome_home_t:sock_file read_sock_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -34862,7 +34862,7 @@ index ab09d6195..2e8661416 100644 + read_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) ') - + ######################################## ## -## Create, read, write, and delete 
@@ -34877,11 +34877,11 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_manage_generic_home_content',` +interface(`gnome_create_generic_cache_dir',` - gen_require(` + gen_require(` - type gnome_home_t; + type cache_home_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir manage_dir_perms; - allow $1 gnome_home_t:file manage_file_perms; @@ -34891,7 +34891,7 @@ index ab09d6195..2e8661416 100644 + allow $1 cache_home_t:dir create_dir_perms; + userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache") ') - + ######################################## ## -## Search generic gnome home directories. @@ -34905,16 +34905,16 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_search_generic_home',` +interface(`gnome_setattr_cache_home_dir',` - gen_require(` + gen_require(` - type gnome_home_t; + type cache_home_t; - ') - + ') + + setattr_dirs_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) - allow $1 gnome_home_t:dir search_dir_perms; ') - + ######################################## ## -## Create objects in gnome user home @@ -34944,16 +34944,16 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_home_filetrans',` +interface(`gnome_manage_cache_home_dir',` - gen_require(` + gen_require(` - type gnome_home_t; + type cache_home_t; - ') - + ') + + manage_dirs_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) - filetrans_pattern($1, gnome_home_t, $2, $3, $4) ') - + ######################################## ## -## Create generic gconf home directories. 
@@ -34967,16 +34967,16 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_create_generic_gconf_home_dirs',` +interface(`gnome_append_generic_cache_files',` - gen_require(` + gen_require(` - type gconf_home_t; + type cache_home_t; - ') - + ') + - allow $1 gconf_home_t:dir create_dir_perms; + append_files_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) ') - + ######################################## ## -## Read generic gconf home content. @@ -34990,20 +34990,20 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_read_generic_gconf_home_content',` +interface(`gnome_write_generic_cache_files',` - gen_require(` + gen_require(` - type gconf_home_t; + type cache_home_t; - ') - + ') + + write_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir list_dir_perms; - allow $1 gconf_home_t:file read_file_perms; - allow $1 gconf_home_t:fifo_file read_fifo_file_perms; - allow $1 gconf_home_t:lnk_file read_lnk_file_perms; - allow $1 gconf_home_t:sock_file read_sock_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -35018,20 +35018,20 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_manage_generic_gconf_home_content',` +interface(`gnome_manage_generic_cache_files',` - gen_require(` + gen_require(` - type gconf_home_t; + type cache_home_t; - ') - + ') + + manage_files_pattern($1, cache_home_t, cache_home_t) - userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir manage_dir_perms; - allow $1 gconf_home_t:file manage_file_perms; - allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; - allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; - allow $1 gconf_home_t:sock_file manage_sock_file_perms; ') - + ######################################## ## -## Search generic gconf home directories. 
@@ -35045,16 +35045,16 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_search_generic_gconf_home',` +interface(`gnome_manage_generic_cache_sockets',` - gen_require(` + gen_require(` - type gconf_home_t; + type cache_home_t; - ') - - userdom_search_user_home_dirs($1) + ') + + userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir search_dir_perms; + manage_sock_files_pattern($1, cache_home_t, cache_home_t) ') - + ######################################## ## -## Create objects in user home @@ -35081,15 +35081,15 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_home_filetrans_gconf_home',` +interface(`gnome_dontaudit_rw_generic_cache_files',` - gen_require(` + gen_require(` - type gconf_home_t; + type cache_home_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) + dontaudit $1 cache_home_t:file rw_inherited_file_perms; ') - + ######################################## ## -## Create objects in user home @@ -35115,18 +35115,18 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_home_filetrans_gnome_home',` +interface(`gnome_read_config',` - gen_require(` + gen_require(` - type gnome_home_t; + attribute gnome_home_type; - ') - + ') + - userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) + gnome_read_usr_config($1) ') - + ######################################## ## -## Create objects in gnome gconf home 
@@ -35158,17 +35158,17 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_gconf_home_filetrans',` +interface(`gnome_data_filetrans',` - gen_require(` + gen_require(` - type gconf_home_t; + type data_home_t; - ') - + ') + - userdom_search_user_home_dirs($1) - filetrans_pattern($1, gconf_home_t, $2, $3, $4) + filetrans_pattern($1, data_home_t, $2, $3, $4) + gnome_search_gconf($1) ') - + -######################################## +####################################### ## @@ -35183,17 +35183,17 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_read_keyring_home_files',` +interface(`gnome_read_generic_data_home_files',` - gen_require(` + gen_require(` - type gnome_home_t, gnome_keyring_home_t; + type data_home_t, gconf_home_t; - ') - + ') + - userdom_search_user_home_dirs($1) - read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) + read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) + read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) ') - + -######################################## +###################################### ## @@ -35252,12 +35252,12 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_dbus_chat_gkeyringd',` +interface(`gnome_read_home_icc_data_content',` - gen_require(` + gen_require(` - type $1_gkeyringd_t; - class dbus send_msg; + type icc_data_home_t, gconf_home_t, data_home_t; - ') - + ') + - allow $2 $1_gkeyringd_t:dbus send_msg; - allow $1_gkeyringd_t $2:dbus send_msg; + userdom_search_user_home_dirs($1) @@ -35267,7 +35267,7 @@ index ab09d6195..2e8661416 100644 + read_files_pattern($1, icc_data_home_t, icc_data_home_t) + read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) ') - + ######################################## ## -## Send and receive messages from all 
@@ -35282,17 +35282,17 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_dbus_chat_all_gkeyringd',` +interface(`gnome_read_inherited_home_icc_data_files',` - gen_require(` + gen_require(` - attribute gkeyringd_domain; - class dbus send_msg; + type icc_data_home_t; - ') - + ') + - allow $1 gkeyringd_domain:dbus send_msg; - allow gkeyringd_domain $1:dbus send_msg; + allow $1 icc_data_home_t:file read_inherited_file_perms; ') - + ######################################## ## -## Connect to gnome keyring daemon @@ -35340,16 +35340,16 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_stream_connect_gkeyringd',` +interface(`gnome_dontaudit_read_inherited_gconf_config_files',` - gen_require(` + gen_require(` - type $1_gkeyringd_t, gnome_keyring_tmp_t; + type gconf_etc_t; - ') - + ') + - files_search_tmp($2) - stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) + dontaudit $1 gconf_etc_t:file read_inherited_file_perms; ') - + ######################################## ## -## Connect to all gnome keyring daemon @@ -35364,7 +35364,7 @@ index ab09d6195..2e8661416 100644 # -interface(`gnome_stream_connect_all_gkeyringd',` +interface(`gnome_read_gconf_config',` - gen_require(` + gen_require(` - attribute gkeyringd_domain; - type gnome_keyring_tmp_t; + type gconf_etc_t; @@ -35396,7 +35396,7 @@ index ab09d6195..2e8661416 100644 + +######################################## +## -+## Execute gconf programs in ++## Execute gconf programs in +## in the caller domain. +## +## @@ -35510,9 +35510,9 @@ index ab09d6195..2e8661416 100644 +interface(`gnome_list_gkeyringd_tmp_dirs',` + gen_require(` + type gkeyringd_tmp_t; - ') - - files_search_tmp($1) + ') + + files_search_tmp($1) - stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) + allow $1 gkeyringd_tmp_t:dir list_dir_perms; +') 
@@ -35987,7 +35987,7 @@ index ab09d6195..2e8661416 100644 + +######################################## +## -+## Read/Write all inherited gnome home config ++## Read/Write all inherited gnome home config +## +## +## @@ -36005,7 +36005,7 @@ index ab09d6195..2e8661416 100644 + +######################################## +## -+## Dontaudit Read/Write all inherited gnome home config ++## Dontaudit Read/Write all inherited gnome home config +## +## +## @@ -36156,7 +36156,7 @@ index ab09d6195..2e8661416 100644 + files_search_usr($1) + list_dirs_pattern($1, config_usr_t, config_usr_t) + read_files_pattern($1, config_usr_t, config_usr_t) -+ read_lnk_files_pattern($1, config_usr_t, config_usr_t) ++ read_lnk_files_pattern($1, config_usr_t, config_usr_t) +') + +####################################### @@ -36316,7 +36316,7 @@ index ab09d6195..2e8661416 100644 +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified -+## domain. ++## domain. +##

      +##

      +## No interprocess communication (signals, pipes, @@ -36355,16 +36355,16 @@ index 63893eb2d..61dd9e336 100644 @@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0) # Declarations # - + -attribute gkeyringd_domain; attribute gnomedomain; +attribute gnome_home_type; +attribute gkeyringd_domain; attribute_role gconfd_roles; - + type gconf_etc_t; files_config_file(gconf_etc_t) - + -type gconf_home_t; +type data_home_t, gnome_home_type; +userdom_user_home_content(data_home_t) @@ -36391,14 +36391,14 @@ index 63893eb2d..61dd9e336 100644 @@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) role gconfd_roles types gconfd_t; - + -type gnome_home_t; +type gnome_home_t, gnome_home_type; typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t }; typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t }; typealias gnome_home_t alias unconfined_gnome_home_t; userdom_user_home_content(gnome_home_t) - + +# type KDE /usr/share/config files +type config_usr_t; +files_type(config_usr_t) @@ -36406,12 +36406,12 @@ index 63893eb2d..61dd9e336 100644 type gkeyringd_exec_t; -application_executable_file(gkeyringd_exec_t) +corecmd_executable_file(gkeyringd_exec_t) - + -type gnome_keyring_home_t; -userdom_user_home_content(gnome_keyring_home_t) +type gkeyringd_gnome_home_t, gnome_home_type; +userdom_user_home_content(gkeyringd_gnome_home_t) - + -type gnome_keyring_tmp_t; -userdom_user_tmp_file(gnome_keyring_tmp_t) +type gkeyringd_tmp_t; 
@@ -36424,51 +36424,51 @@ index 63893eb2d..61dd9e336 100644 +type gnomesystemmm_t; +type gnomesystemmm_exec_t; +init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t) - + ############################## # -# Common local Policy +# Local Policy # - + -allow gnomedomain self:process { getsched signal }; -allow gnomedomain self:fifo_file rw_fifo_file_perms; +allow gconfd_t self:process getsched; +allow gconfd_t self:fifo_file rw_fifo_file_perms; - + -dev_read_urand(gnomedomain) +manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) +manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) +userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) - + -domain_use_interactive_fds(gnomedomain) +manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) +userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) - + -files_read_etc_files(gnomedomain) +allow gconfd_t gconf_etc_t:dir list_dir_perms; +read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) + +dev_read_urand(gconfd_t) - + -miscfiles_read_localization(gnomedomain) - + -logging_send_syslog_msg(gnomedomain) - + -userdom_use_user_terminals(gnomedomain) +logging_send_syslog_msg(gconfd_t) + +userdom_manage_user_tmp_sockets(gconfd_t) +userdom_manage_user_tmp_dirs(gconfd_t) +userdom_tmp_filetrans_user_tmp(gconfd_t, dir) - + optional_policy(` - xserver_rw_xdm_pipes(gnomedomain) - xserver_use_xdm_fds(gnomedomain) + nscd_dontaudit_search_pid(gconfd_t) ') - + -############################## +optional_policy(` + xserver_use_xdm_fds(gconfd_t) 
@@ -36480,23 +36480,23 @@ index 63893eb2d..61dd9e336 100644 -# Conf daemon local Policy +# gconf-defaults-mechanisms local policy # - + -allow gconfd_t gconf_etc_t:dir list_dir_perms; -read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t) +allow gconfdefaultsm_t self:capability { dac_read_search dac_override sys_nice }; +allow gconfdefaultsm_t self:process getsched; +allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; - + -manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t) -manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t) -userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir) +corecmd_search_bin(gconfdefaultsm_t) - + -manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) -userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) +auth_read_passwd(gconfdefaultsm_t) - + -userdom_manage_user_tmp_dirs(gconfd_t) -userdom_tmp_filetrans_user_tmp(gconfd_t, dir) +gnome_manage_gconf_home_files(gconfdefaultsm_t) @@ -36506,12 +36506,12 @@ index 63893eb2d..61dd9e336 100644 +userdom_search_user_home_dirs(gconfdefaultsm_t) + +userdom_dontaudit_search_admin_dir(gconfdefaultsm_t) - + optional_policy(` - nscd_dontaudit_search_pid(gconfd_t) + consolekit_dbus_chat(gconfdefaultsm_t) ') - + -############################## +optional_policy(` + dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) 
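Review bot: The gconf-defaults-mechanism rule `allow gconfdefaultsm_t self:capability { dac_read_search dac_override sys_nice };` grants both `dac_override` and `dac_read_search`, and the gnomeclock.te hunk `@@ -36754,13 +36754,13 @@` does the same with `allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search dac_override };`; `dac_override` already bypasses every discretionary check including write, so `dac_read_search` is redundant beside it, and if these helpers only need to read or search root-owned paths the narrower capability alone would suffice. Both lines appear here as context of the embedded patch, so the capability set most likely predates this commit, but neither rule carries a comment saying which access needs the broader capability. A one-line comment above each rule such as `# dac_override: needed for <write access — TODO confirm from the denial that motivated it>`, or dropping `dac_override` if the motivating denials only involve read/search, would make the grant auditable. The enclosing gconfdefaultsm_t and gnomeclock_t local-policy sections both continue outside these hunks.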
@@ -36587,17 +36587,17 @@ index 63893eb2d..61dd9e336 100644 -# Keyring-daemon local policy +# gnome-keyring-daemon local policy # - + allow gkeyringd_domain self:capability ipc_lock; -allow gkeyringd_domain self:process { getcap setcap }; +allow gkeyringd_domain self:process { getcap getsched setcap signal }; +allow gkeyringd_domain self:fifo_file rw_fifo_file_perms; allow gkeyringd_domain self:unix_stream_socket { connectto accept listen }; - + -allow gkeyringd_domain gnome_home_t:dir create_dir_perms; -gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2") +manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t) - + -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) -manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t) -gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings") @@ -36608,7 +36608,7 @@ index 63893eb2d..61dd9e336 100644 +filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share") +filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings") +filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings") - + -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) -manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t) -files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir) 
@@ -36617,34 +36617,34 @@ index 63893eb2d..61dd9e336 100644 +files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) +fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) +userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir }) - + -kernel_read_system_state(gkeyringd_domain) kernel_read_crypto_sysctls(gkeyringd_domain) - + +corecmd_search_bin(gkeyringd_domain) + dev_read_rand(gkeyringd_domain) +dev_read_urand(gkeyringd_domain) dev_read_sysfs(gkeyringd_domain) - + -files_read_usr_files(gkeyringd_domain) +# for nscd? +files_search_pids(gkeyringd_domain) - + -fs_getattr_all_fs(gkeyringd_domain) +fs_getattr_xattr_fs(gkeyringd_domain) +fs_getattr_tmpfs(gkeyringd_domain) - + -selinux_getattr_fs(gkeyringd_domain) +userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local") - + optional_policy(` - ssh_read_user_home_files(gkeyringd_domain) + xserver_append_xdm_home_files(gkeyringd_domain) + xserver_read_xdm_home_files(gkeyringd_domain) + xserver_use_xdm_fds(gkeyringd_domain) ') - + optional_policy(` - telepathy_mission_control_read_state(gkeyringd_domain) + gnome_create_home_config_dirs(gkeyringd_domain) 
@@ -36669,21 +36669,21 @@ index f9ba8cd99..690630113 100644 +/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) + /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - + -/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - + -/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) - + /usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) diff --git a/gnomeclock.if b/gnomeclock.if index 3f55702fb..25c7ab82c 100644 --- a/gnomeclock.if +++ b/gnomeclock.if @@ -2,8 +2,7 @@ - + ######################################## ##

      -## Execute a domain transition to @@ -36693,13 +36693,13 @@ index 3f55702fb..25c7ab82c 100644 ## ## @@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',` - type gnomeclock_t, gnomeclock_exec_t; - ') - + type gnomeclock_t, gnomeclock_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) + domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) ') - + ######################################## ## -## Execute gnomeclock in the gnomeclock @@ -36713,19 +36713,19 @@ index 3f55702fb..25c7ab82c 100644 @@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',` # interface(`gnomeclock_run',` - gen_require(` + gen_require(` - attribute_role gnomeclock_roles; + type gnomeclock_t; - ') - - gnomeclock_domtrans($1) + ') + + gnomeclock_domtrans($1) - roleattribute $2 gnomeclock_roles; + role $2 types gnomeclock_t; ') - + ######################################## @@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',` - + ######################################## ## -## Do not audit attempts to send and @@ -36743,7 +36743,7 @@ index 7cd7435e6..8f26e9862 100644 @@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0) # Declarations # - + -attribute_role gnomeclock_roles; - type gnomeclock_t; @@ -36754,13 +36754,13 @@ index 7cd7435e6..8f26e9862 100644 + +type gnomeclock_tmp_t; +files_tmp_file(gnomeclock_tmp_t) - + ######################################## # -# Local policy +# gnomeclock local policy # - + -allow gnomeclock_t self:capability { sys_nice sys_time }; +allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search dac_override }; allow gnomeclock_t self:process { getattr getsched signal }; 
@@ -36773,19 +36773,19 @@ index 7cd7435e6..8f26e9862 100644 +manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) +manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t) +files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir }) - + kernel_read_system_state(gnomeclock_t) - + corecmd_exec_bin(gnomeclock_t) corecmd_exec_shell(gnomeclock_t) +corecmd_dontaudit_access_check_bin(gnomeclock_t) - + -corenet_all_recvfrom_unlabeled(gnomeclock_t) -corenet_all_recvfrom_netlabel(gnomeclock_t) -corenet_tcp_sendrecv_generic_if(gnomeclock_t) -corenet_tcp_sendrecv_generic_node(gnomeclock_t) +corenet_tcp_connect_time_port(gnomeclock_t) - + -# tcp:37 (time) -corenet_sendrecv_inetd_child_client_packets(gnomeclock_t) -corenet_tcp_connect_inetd_child_port(gnomeclock_t) @@ -36797,48 +36797,48 @@ index 7cd7435e6..8f26e9862 100644 +dev_read_urand(gnomeclock_t) +dev_write_kmsg(gnomeclock_t) +dev_read_sysfs(gnomeclock_t) - + -files_read_usr_files(gnomeclock_t) +files_read_etc_runtime_files(gnomeclock_t) - + fs_getattr_xattr_fs(gnomeclock_t) - + auth_use_nsswitch(gnomeclock_t) - + +init_dbus_chat(gnomeclock_t) + +logging_stream_connect_syslog(gnomeclock_t) logging_send_syslog_msg(gnomeclock_t) - + -miscfiles_etc_filetrans_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -miscfiles_read_localization(gnomeclock_t) +miscfiles_etc_filetrans_localization(gnomeclock_t) - + userdom_read_all_users_state(gnomeclock_t) - + optional_policy(` - chronyd_initrc_domtrans(gnomeclock_t) + chronyd_systemctl(gnomeclock_t) ') - + optional_policy(` + clock_read_adjtime(gnomeclock_t) - clock_domtrans(gnomeclock_t) + clock_domtrans(gnomeclock_t) ') - + optional_policy(` - dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) + consolekit_dbus_chat(gnomeclock_t) +') - + - optional_policy(` - consolekit_dbus_chat(gnomeclock_t) - ') +optional_policy(` + consoletype_exec(gnomeclock_t) +') - + - optional_policy(` - policykit_dbus_chat(gnomeclock_t) - ') 
@@ -36851,20 +36851,20 @@ index 7cd7435e6..8f26e9862 100644 + gnome_manage_home_config(gnomeclock_t) + gnome_filetrans_admin_home_content(gnomeclock_t) ') - + optional_policy(` - ntp_domtrans_ntpdate(gnomeclock_t) - ntp_initrc_domtrans(gnomeclock_t) + ntp_domtrans_ntpdate(gnomeclock_t) + ntp_initrc_domtrans(gnomeclock_t) + init_dontaudit_getattr_all_script_files(gnomeclock_t) + init_dontaudit_getattr_exec(gnomeclock_t) + ntp_systemctl(gnomeclock_t) ') - + optional_policy(` + policykit_dbus_chat(gnomeclock_t) - policykit_domtrans_auth(gnomeclock_t) - policykit_read_lib(gnomeclock_t) - policykit_read_reload(gnomeclock_t) + policykit_domtrans_auth(gnomeclock_t) + policykit_read_lib(gnomeclock_t) + policykit_read_reload(gnomeclock_t) diff --git a/gpg.fc b/gpg.fc index 888cd2c68..c02fa5694 100644 --- a/gpg.fc @@ -36878,13 +36878,13 @@ index 888cd2c68..c02fa5694 100644 +/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0) + +/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0) - + /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) +/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) - + /usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0) -/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) +/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) @@ -36893,7 +36893,7 @@ index 180f1b7cc..350cb4f87 100644 --- a/gpg.if +++ b/gpg.if @@ -2,57 +2,79 @@ - + ############################################################ ## -## Role access for gpg. 
@@ -36913,7 +36913,7 @@ index 180f1b7cc..350cb4f87 100644 ## # interface(`gpg_role',` - gen_require(` + gen_require(` - attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles; - type gpg_t, gpg_exec_t, gpg_agent_t; - type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t; @@ -36924,8 +36924,8 @@ index 180f1b7cc..350cb4f87 100644 + type gpg_agent_tmp_t; + type gpg_helper_t, gpg_pinentry_t; + type gpg_pinentry_tmp_t; - ') - + ') + - roleattribute $1 gpg_roles; - roleattribute $1 gpg_agent_roles; - roleattribute $1 gpg_helper_roles; @@ -36934,20 +36934,20 @@ index 180f1b7cc..350cb4f87 100644 + roleattribute $1 gpg_agent_roles; + roleattribute $1 gpg_helper_roles; + roleattribute $1 gpg_pinentry_roles; - + + # transition from the userdomain to the derived domain - domtrans_pattern($2, gpg_exec_t, gpg_t) + domtrans_pattern($2, gpg_exec_t, gpg_t) - domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) - + - allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }) + # allow ps to show gpg + ps_process_pattern($2, gpg_t) + allow $2 gpg_t:process { signull sigstop signal sigkill }; - + - allow gpg_pinentry_t $2:process signull; + # communicate with the user - allow gpg_helper_t $2:fd use; + allow gpg_helper_t $2:fd use; - allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write }; + allow gpg_helper_t $2:fifo_file write; + 
@@ -36961,7 +36961,7 @@ index 180f1b7cc..350cb4f87 100644 + manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - + - allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms }; - allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; @@ -36975,10 +36975,10 @@ index 180f1b7cc..350cb4f87 100644 + relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + + allow gpg_pinentry_t $2:fifo_file { read write }; - - optional_policy(` - gpg_pinentry_dbus_chat($2) - ') + + optional_policy(` + gpg_pinentry_dbus_chat($2) + ') + + allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto }; + ifdef(`hide_broken_symptoms',` @@ -36987,7 +36987,7 @@ index 180f1b7cc..350cb4f87 100644 + dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms; + ') ') - + ######################################## ## -## Execute the gpg in the gpg domain. @@ -36996,13 +36996,13 @@ index 180f1b7cc..350cb4f87 100644 ## ## @@ -65,13 +87,12 @@ interface(`gpg_domtrans',` - type gpg_t, gpg_exec_t; - ') - + type gpg_t, gpg_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, gpg_exec_t, gpg_t) + domtrans_pattern($1, gpg_exec_t, gpg_t) ') - + -######################################## +###################################### ## @@ -37012,9 +37012,9 @@ index 180f1b7cc..350cb4f87 100644 ## ## @@ -88,76 +109,46 @@ interface(`gpg_exec',` - can_exec($1, gpg_exec_t) + can_exec($1, gpg_exec_t) ') - + -######################################## -## -## Execute gpg in a specified domain. @@ -37071,7 +37071,7 @@ index 180f1b7cc..350cb4f87 100644 + + domtrans_pattern($1, gpg_exec_t, gpg_web_t) ') - + ###################################### ## -## Make gpg executable files an 
@@ -37095,11 +37095,11 @@ index 180f1b7cc..350cb4f87 100644 + gen_require(` + type gpg_exec_t; + ') - + - domain_entry_file($1, gpg_exec_t) + domain_entry_file($1, gpg_exec_t) ') - + ######################################## ## -## Send generic signals to gpg. @@ -37108,7 +37108,7 @@ index 180f1b7cc..350cb4f87 100644 ## ## @@ -175,7 +166,7 @@ interface(`gpg_signal',` - + ######################################## ## -## Read and write gpg agent pipes. @@ -37121,11 +37121,11 @@ index 180f1b7cc..350cb4f87 100644 # interface(`gpg_rw_agent_pipes',` + # Just wants read/write could this be a leak? - gen_require(` - type gpg_agent_t; - ') + gen_require(` + type gpg_agent_t; + ') @@ -193,8 +185,8 @@ interface(`gpg_rw_agent_pipes',` - + ######################################## ## -## Send messages to and from gpg @@ -37136,7 +37136,7 @@ index 180f1b7cc..350cb4f87 100644 ## ## @@ -214,7 +206,7 @@ interface(`gpg_pinentry_dbus_chat',` - + ######################################## ## -## List gpg user secrets. @@ -37145,8 +37145,8 @@ index 180f1b7cc..350cb4f87 100644 ## ## @@ -230,3 +222,57 @@ interface(`gpg_list_user_secrets',` - list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) - userdom_search_user_home_dirs($1) + list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) + userdom_search_user_home_dirs($1) ') +########################### +## @@ -37220,13 +37220,13 @@ index 0e97e82f1..78a2afc95 100644 -## -gen_tunable(gpg_agent_env_file, false) +attribute gpgdomain; - + attribute_role gpg_roles; roleattribute system_r gpg_roles; @@ -24,7 +16,15 @@ roleattribute system_r gpg_helper_roles; - + attribute_role gpg_pinentry_roles; - + -type gpg_t; +## +##

      @@ -37242,12 +37242,12 @@ index 0e97e82f1..78a2afc95 100644 typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; @@ -69,95 +69,103 @@ type gpg_pinentry_tmpfs_t; userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t) - + optional_policy(` - pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) + pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) ') - + +type gpg_web_t; +domain_type(gpg_web_t) +gpg_entry_type(gpg_web_t) @@ -37258,7 +37258,7 @@ index 0e97e82f1..78a2afc95 100644 -# Local policy +# GPG local policy # - + -allow gpg_t self:capability { ipc_lock setuid }; -allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid }; -dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms; @@ -37273,11 +37273,11 @@ index 0e97e82f1..78a2afc95 100644 + +allow gpgdomain self:fifo_file rw_fifo_file_perms; +allow gpgdomain self:tcp_socket create_stream_socket_perms; - + manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) - + -manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) +allow gpg_t gpg_secret_t:dir create_dir_perms; manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) @@ -37290,14 +37290,14 @@ index 0e97e82f1..78a2afc95 100644 -domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) -domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg") - + kernel_read_sysctl(gpg_t) +kernel_read_system_state(gpg_t) +kernel_getattr_core_if(gpg_t) - + corecmd_exec_shell(gpg_t) corecmd_exec_bin(gpg_t) - + -corenet_all_recvfrom_unlabeled(gpg_t) corenet_all_recvfrom_netlabel(gpg_t) corenet_tcp_sendrecv_generic_if(gpg_t) 
@@ -37311,7 +37311,7 @@ index 0e97e82f1..78a2afc95 100644 +corenet_udp_sendrecv_all_ports(gpg_t) +corenet_tcp_connect_all_ports(gpg_t) +corenet_sendrecv_all_client_packets(gpg_t) - + -dev_read_generic_usb_dev(gpg_t) dev_read_rand(gpg_t) dev_read_urand(gpg_t) @@ -37323,24 +37323,24 @@ index 0e97e82f1..78a2afc95 100644 +dev_list_sysfs(gpg_t) +dev_read_sysfs(gpg_t) +dev_rw_generic_usb_dev(gpg_t) - + fs_getattr_xattr_fs(gpg_t) fs_list_inotifyfs(gpg_t) - + domain_use_interactive_fds(gpg_t) - + -auth_use_nsswitch(gpg_t) +files_dontaudit_search_var(gpg_t) - + -logging_send_syslog_msg(gpg_t) +auth_use_nsswitch(gpg_t) - + -miscfiles_read_localization(gpg_t) +init_dontaudit_getattr_initctl(gpg_t) - + -userdom_use_user_terminals(gpg_t) +logging_send_syslog_msg(gpg_t) - + -userdom_manage_user_tmp_files(gpg_t) +userdom_use_inherited_user_terminals(gpg_t) +# sign/encrypt user files @@ -37351,56 +37351,56 @@ index 0e97e82f1..78a2afc95 100644 +userdom_manage_user_home_content_dirs(gpg_t) +userdom_filetrans_home_content(gpg_t) +userdom_stream_connect(gpg_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_t) - fs_manage_nfs_files(gpg_t) -') +mta_manage_config(gpg_t) +mta_read_spool(gpg_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_t) - fs_manage_cifs_files(gpg_t) -') +userdom_home_manager(gpg_t) - + optional_policy(` - gnome_read_generic_home_content(gpg_t) - gnome_stream_connect_all_gkeyringd(gpg_t) + gpm_dontaudit_getattr_gpmctl(gpg_t) ') - + optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_t) + gnome_manage_config(gpg_t) + gnome_stream_connect_gkeyringd(gpg_t) ') - + optional_policy(` - mta_read_spool_files(gpg_t) - mta_write_config(gpg_t) + mozilla_read_user_home_files(gpg_t) + mozilla_write_user_home_files(gpg_t) ') - + optional_policy(` 
@@ -165,37 +173,55 @@ optional_policy(` ') - + optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) + xserver_use_xdm_fds(gpg_t) + xserver_rw_xdm_pipes(gpg_t) ') - + optional_policy(` - xserver_use_xdm_fds(gpg_t) - xserver_rw_xdm_pipes(gpg_t) + udev_read_db(gpg_t) ') - + +#optional_policy(` +# cron_system_entry(gpg_t, gpg_exec_t) +# cron_read_system_job_tmp_files(gpg_t) @@ -37411,7 +37411,7 @@ index 0e97e82f1..78a2afc95 100644 -# Helper local policy +# GPG helper local policy # - + +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + allow gpg_helper_t self:process { getsched setsched }; @@ -37423,10 +37423,10 @@ index 0e97e82f1..78a2afc95 100644 allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms; +allow gpg_helper_t self:tcp_socket { connect connected_socket_perms }; +allow gpg_helper_t self:udp_socket { connect connected_socket_perms }; - + -dontaudit gpg_helper_t gpg_secret_t:file read_file_perms; +dontaudit gpg_helper_t gpg_secret_t:file read; - + -corenet_all_recvfrom_unlabeled(gpg_helper_t) corenet_all_recvfrom_netlabel(gpg_helper_t) corenet_tcp_sendrecv_generic_if(gpg_helper_t) @@ -37442,17 +37442,17 @@ index 0e97e82f1..78a2afc95 100644 +corenet_tcp_bind_generic_node(gpg_helper_t) +corenet_udp_bind_generic_node(gpg_helper_t) corenet_tcp_connect_all_ports(gpg_helper_t) - + + auth_use_nsswitch(gpg_helper_t) - + -userdom_use_user_terminals(gpg_helper_t) +userdom_use_inherited_user_terminals(gpg_helper_t) - + tunable_policy(`use_nfs_home_dirs',` - fs_dontaudit_rw_nfs_files(gpg_helper_t) + fs_dontaudit_rw_nfs_files(gpg_helper_t) @@ -207,67 +233,84 @@ tunable_policy(`use_samba_home_dirs',` - + ######################################## # -# Agent local policy 
@@ -37462,39 +37462,39 @@ index 0e97e82f1..78a2afc95 100644 + +# rlimit: gpg-agent wants to prevent coredumps +allow gpg_agent_t self:process { setrlimit signal_perms }; - + -allow gpg_agent_t self:process setrlimit; -allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ; allow gpg_agent_t self:fifo_file rw_fifo_file_perms; +allow gpg_agent_t self:netlink_kobject_uevent_socket create_socket_perms; - + +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) - + +# Allow the gpg-agent to manage its tmp files (socket) manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) - + -filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket") - -domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) +# allow gpg to connect to the gpg agent +stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) - + -kernel_dontaudit_search_sysctl(gpg_agent_t) +kernel_read_system_state(gpg_agent_t) +kernel_read_core_if(gpg_agent_t) - + +corecmd_read_bin_symlinks(gpg_agent_t) +corecmd_exec_bin(gpg_agent_t) corecmd_exec_shell(gpg_agent_t) - + dev_read_rand(gpg_agent_t) dev_read_urand(gpg_agent_t) +dev_rw_generic_usb_dev(gpg_agent_t) 
@@ -37502,14 +37502,14 @@ index 0e97e82f1..78a2afc95 100644 +dev_read_sysfs(gpg_agent_t) +dev_dontaudit_getattr_all_chr_files(gpg_agent_t) +dev_dontaudit_getattr_all_blk_files(gpg_agent_t) - + domain_use_interactive_fds(gpg_agent_t) - + fs_dontaudit_list_inotifyfs(gpg_agent_t) - + -miscfiles_read_localization(gpg_agent_t) +miscfiles_read_certs(gpg_agent_t) - + -userdom_use_user_terminals(gpg_agent_t) +# Write to the user domain tty. +userdom_use_inherited_user_terminals(gpg_agent_t) @@ -37520,12 +37520,12 @@ index 0e97e82f1..78a2afc95 100644 +userdom_manage_user_home_content_dirs(gpg_agent_t) +userdom_manage_user_home_content_files(gpg_agent_t) +userdom_manage_all_user_tmp_content(gpg_agent_t) - + ifdef(`hide_broken_symptoms',` - userdom_dontaudit_read_user_tmp_files(gpg_agent_t) + userdom_dontaudit_read_user_tmp_files(gpg_agent_t) + userdom_dontaudit_write_user_tmp_files(gpg_agent_t) ') - + -tunable_policy(`gpg_agent_env_file',` - userdom_manage_user_home_content_dirs(gpg_agent_t) - userdom_manage_user_home_content_files(gpg_agent_t) @@ -37535,7 +37535,7 @@ index 0e97e82f1..78a2afc95 100644 +optional_policy(` + gnome_manage_config(gpg_agent_t) ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(gpg_agent_t) - fs_manage_nfs_files(gpg_agent_t) @@ -37543,7 +37543,7 @@ index 0e97e82f1..78a2afc95 100644 +optional_policy(` + mozilla_dontaudit_rw_user_home_files(gpg_agent_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(gpg_agent_t) - fs_manage_cifs_files(gpg_agent_t) @@ -37551,15 +37551,15 @@ index 0e97e82f1..78a2afc95 100644 +optional_policy(` + pcscd_stream_connect(gpg_agent_t) ') - + optional_policy(` - mozilla_dontaudit_rw_user_home_files(gpg_agent_t) + udev_read_db(gpg_agent_t) ') - + ############################## 
@@ -277,63 +320,118 @@ optional_policy(` - + allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; +allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; @@ -37574,10 +37574,10 @@ index 0e97e82f1..78a2afc95 100644 +# we need to allow gpg-agent to call pinentry so it can get the passphrase +# from the user. +domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) - + manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) - + +manage_dirs_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_files_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t) +manage_sock_files_pattern(gpg_pinentry_t, gpg_agent_tmp_t, gpg_agent_tmp_t) @@ -37586,20 +37586,20 @@ index 0e97e82f1..78a2afc95 100644 manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) - + -can_exec(gpg_pinentry_t, pinentry_exec_t) +# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) +manage_dirs_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t) +manage_sock_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t) +manage_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t) +manage_lnk_files_pattern(gpg_pinentry_t, gpg_secret_t, gpg_secret_t) - + +# read /proc/meminfo kernel_read_system_state(gpg_pinentry_t) - + corecmd_exec_shell(gpg_pinentry_t) corecmd_exec_bin(gpg_pinentry_t) - + corenet_all_recvfrom_netlabel(gpg_pinentry_t) -corenet_all_recvfrom_unlabeled(gpg_pinentry_t) +corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) 
@@ -37608,25 +37608,25 @@ index 0e97e82f1..78a2afc95 100644 corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) +corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) - + dev_read_urand(gpg_pinentry_t) dev_read_rand(gpg_pinentry_t) - + -domain_use_interactive_fds(gpg_pinentry_t) - -files_read_usr_files(gpg_pinentry_t) +# read /etc/X11/qtrc - + fs_dontaudit_list_inotifyfs(gpg_pinentry_t) +fs_getattr_all_fs(gpg_pinentry_t) - + auth_use_nsswitch(gpg_pinentry_t) - + logging_send_syslog_msg(gpg_pinentry_t) - + miscfiles_read_fonts(gpg_pinentry_t) -miscfiles_read_localization(gpg_pinentry_t) - + +# for .Xauthority +userdom_read_user_home_content_files(gpg_pinentry_t) +userdom_read_user_tmp_files(gpg_pinentry_t) @@ -37634,26 +37634,26 @@ index 0e97e82f1..78a2afc95 100644 +allow gpg_pinentry_t user_tmp_t:file unlink; +userdom_signull_unpriv_users(gpg_pinentry_t) userdom_use_user_terminals(gpg_pinentry_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(gpg_pinentry_t) -') +userdom_home_reader(gpg_pinentry_t) +userdom_stream_connect(gpg_pinentry_t) +userdom_map_tmp_files(gpg_pinentry_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(gpg_pinentry_t) +optional_policy(` + gnome_manage_home_config(gpg_pinentry_t) ') - + optional_policy(` - dbus_all_session_bus_client(gpg_pinentry_t) + dbus_session_bus_client(gpg_pinentry_t) - dbus_system_bus_client(gpg_pinentry_t) + dbus_system_bus_client(gpg_pinentry_t) ') - + optional_policy(` - pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) + gnome_write_generic_cache_files(gpg_pinentry_t) @@ -37665,9 +37665,9 @@ index 0e97e82f1..78a2afc95 100644 + pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) + pulseaudio_stream_connect(gpg_pinentry_t) ') - + optional_policy(` - xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) + xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) + +') + 
@@ -37697,62 +37697,62 @@ index 69734fd15..a659808d0 100644 +++ b/gpm.te @@ -13,7 +13,7 @@ type gpm_initrc_exec_t; init_script_file(gpm_initrc_exec_t) - + type gpm_conf_t; -files_type(gpm_conf_t) +files_config_file(gpm_conf_t) - + type gpm_tmp_t; files_tmp_file(gpm_tmp_t) @@ -29,7 +29,7 @@ files_type(gpmctl_t) # Local policy # - + -allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config }; +allow gpm_t self:capability { setpcap setuid dac_read_search dac_override sys_admin sys_tty_config }; allow gpm_t self:process { signal signull getcap setcap }; allow gpm_t self:unix_stream_socket { accept listen }; - + @@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t) dev_rw_input_dev(gpm_t) dev_rw_mouse(gpm_t) - + -files_read_etc_files(gpm_t) - + fs_getattr_all_fs(gpm_t) fs_search_auto_mountpoints(gpm_t) @@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t) - + logging_send_syslog_msg(gpm_t) - + -miscfiles_read_localization(gpm_t) - -userdom_use_user_terminals(gpm_t) userdom_dontaudit_use_unpriv_user_fds(gpm_t) userdom_dontaudit_search_user_home_dirs(gpm_t) +userdom_use_inherited_user_terminals(gpm_t) - + optional_policy(` - seutil_sigchld_newrole(gpm_t) + seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.if b/gpsd.if index 92eb56418..8aa8f6698 100644 --- a/gpsd.if +++ b/gpsd.if @@ -63,6 +63,7 @@ interface(`gpsd_rw_shm',` - allow $1 gpsd_tmpfs_t:dir list_dir_perms; - rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) - read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + allow $1 gpsd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + allow $1 gpsd_tmpfs_t:file map; - fs_search_tmpfs($1) + fs_search_tmpfs($1) ') - + diff --git a/gpsd.te b/gpsd.te index fe3895ece..ce48f6c49 100644 --- a/gpsd.te +++ b/gpsd.te 
@@ -28,15 +28,17 @@ files_pid_file(gpsd_var_run_t) # - + allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; -dontaudit gpsd_t self:capability { dac_read_search dac_override }; -allow gpsd_t self:process { setsched signal_perms }; @@ -37762,30 +37762,30 @@ index fe3895ece..ce48f6c49 100644 allow gpsd_t self:unix_dgram_socket sendto; allow gpsd_t self:tcp_socket { accept listen }; +allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms; - + manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) fs_tmpfs_filetrans(gpsd_t, gpsd_tmpfs_t, { dir file }) +allow gpsd_t gpsd_tmpfs_t:file map; - + manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) @@ -62,13 +64,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t) - + term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) +term_use_usb_ttys(gpsd_t) +term_setattr_usb_ttys(gpsd_t) - + auth_use_nsswitch(gpsd_t) - + logging_send_syslog_msg(gpsd_t) - + -miscfiles_read_localization(gpsd_t) - optional_policy(` - chronyd_rw_shm(gpsd_t) - chronyd_stream_connect(gpsd_t) + chronyd_rw_shm(gpsd_t) + chronyd_stream_connect(gpsd_t) diff --git a/gssproxy.fc b/gssproxy.fc new file mode 100644 index 000000000..f4659d125 @@ -38110,7 +38110,7 @@ index ad1653f9a..ff424b8e7 100644 @@ -1,4 +1,4 @@ -##

      Least privledge terminal user role. +## Least privileged terminal user role. - + ######################################## ## diff --git a/guest.te b/guest.te @@ -38118,9 +38118,9 @@ index 19cdbe1d7..060577633 100644 --- a/guest.te +++ b/guest.te @@ -20,4 +20,4 @@ optional_policy(` - apache_role(guest_r, guest_t) + apache_role(guest_r, guest_t) ') - + -#gen_user(guest_u, user, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/hadoop.te b/hadoop.te @@ -38129,37 +38129,37 @@ index e15137840..04d173d1d 100644 +++ b/hadoop.te @@ -155,7 +155,6 @@ dev_read_urand(hadoop_t) domain_use_interactive_fds(hadoop_t) - + files_dontaudit_search_spool(hadoop_t) -files_read_usr_files(hadoop_t) - + fs_getattr_xattr_fs(hadoop_t) - + @@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain) corecmd_exec_bin(hadoop_initrc_domain) corecmd_exec_shell(hadoop_initrc_domain) - + -files_read_etc_files(hadoop_initrc_domain) -files_read_usr_files(hadoop_initrc_domain) files_search_locks(hadoop_initrc_domain) files_search_pids(hadoop_initrc_domain) - + @@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t) - + domain_use_interactive_fds(zookeeper_t) - + -files_read_usr_files(zookeeper_t) - + auth_use_nsswitch(zookeeper_t) - + @@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t) dev_read_sysfs(zookeeper_server_t) dev_read_urand(zookeeper_server_t) - + -files_read_usr_files(zookeeper_server_t) - + fs_getattr_xattr_fs(zookeeper_server_t) - + diff --git a/hal.te b/hal.te index bbccc79f1..b02720214 100644 --- a/hal.te @@ -38167,11 +38167,11 @@ index bbccc79f1..b02720214 100644 @@ -61,7 +61,6 @@ files_type(hald_var_lib_t) # Common local policy # - + -files_read_usr_files(hald_domain) - + miscfiles_read_localization(hald_domain) - + @@ -116,7 +115,7 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) 
@@ -38179,33 +38179,33 @@ index bbccc79f1..b02720214 100644 -kernel_setsched(hald_t) +kernel_dontaudit_setsched(hald_t) kernel_request_load_module(hald_t) - + corecmd_exec_all_executables(hald_t) @@ -339,7 +338,7 @@ optional_policy(` # ACL local policy # - + -allow hald_acl_t self:capability { dac_override fowner sys_resource }; +allow hald_acl_t self:capability { dac_read_search dac_override fowner sys_resource }; allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; - + @@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) - + dev_rw_input_dev(hald_keymap_t) - + -files_read_etc_files(hald_keymap_t) - + logging_search_logs(hald_keymap_t) - + diff --git a/hddtemp.if b/hddtemp.if index 1728071d0..6e2d333d9 100644 --- a/hddtemp.if +++ b/hddtemp.if @@ -19,6 +19,32 @@ interface(`hddtemp_domtrans',` - domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) + domtrans_pattern($1, hddtemp_exec_t, hddtemp_t) ') - + +######################################## +## +## Execute hddtemp in the hddtemp domain, and @@ -38236,20 +38236,20 @@ index 1728071d0..6e2d333d9 100644 ## ## Execute hddtemp in the caller domain. @@ -60,9 +86,13 @@ interface(`hddtemp_admin',` - type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; - ') - + type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; + ') + - allow $1 hddtemp_t:process { ptrace signal_perms }; + allow $1 hddtemp_t:process signal_perms; - ps_process_pattern($1, hddtemp_t) - + ps_process_pattern($1, hddtemp_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 hddtemp_t:process ptrace; + ') + - init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hddtemp_initrc_exec_t system_r; + init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 hddtemp_initrc_exec_t system_r; diff --git a/hddtemp.te b/hddtemp.te index 9e11b9822..6338ea761 100644 --- a/hddtemp.te 
@@ -38259,18 +38259,18 @@ index 9e11b9822..6338ea761 100644 # Declarations # +attribute_role hddtemp_roles; - + type hddtemp_t; type hddtemp_exec_t; init_daemon_domain(hddtemp_t, hddtemp_exec_t) +role hddtemp_roles types hddtemp_t; - + type hddtemp_initrc_exec_t; init_script_file(hddtemp_initrc_exec_t) @@ -26,7 +28,6 @@ allow hddtemp_t self:tcp_socket { accept listen }; - + allow hddtemp_t hddtemp_etc_t:file read_file_perms; - + -corenet_all_recvfrom_unlabeled(hddtemp_t) corenet_all_recvfrom_netlabel(hddtemp_t) corenet_tcp_sendrecv_generic_if(hddtemp_t) @@ -38278,17 +38278,17 @@ index 9e11b9822..6338ea761 100644 @@ -36,9 +37,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) corenet_sendrecv_hddtemp_server_packets(hddtemp_t) corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) - + -files_search_etc(hddtemp_t) -files_read_usr_files(hddtemp_t) - storage_raw_read_fixed_disk(hddtemp_t) storage_raw_read_removable_device(hddtemp_t) - + @@ -46,4 +44,3 @@ auth_use_nsswitch(hddtemp_t) - + logging_send_syslog_msg(hddtemp_t) - + -miscfiles_read_localization(hddtemp_t) diff --git a/hostapd.fc b/hostapd.fc new file mode 100644 @@ -38473,20 +38473,20 @@ index b9e60ecfb..0477728a0 100644 @@ -36,7 +36,6 @@ kernel_request_load_module(howl_t) kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) - + -corenet_all_recvfrom_unlabeled(howl_t) corenet_all_recvfrom_netlabel(howl_t) corenet_tcp_sendrecv_generic_if(howl_t) corenet_udp_sendrecv_generic_if(howl_t) @@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t) - + logging_send_syslog_msg(howl_t) - + -miscfiles_read_localization(howl_t) - userdom_dontaudit_use_unpriv_user_fds(howl_t) userdom_dontaudit_search_user_home_dirs(howl_t) - + diff --git a/hsqldb.fc b/hsqldb.fc new file mode 100644 index 000000000..aa92d7118 @@ -38775,8 +38775,8 @@ index 000000000..8035eaf53 + +######################################## +# -+# hsqldb local policy -+# ++# hsqldb local policy ++# + +allow hsqldb_t self:process execmem; + 
@@ -38985,7 +38985,7 @@ index b46130ef5..e2ae3b22b 100644 @@ -1,3 +1,10 @@ -/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0) - + -/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0) +/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0) + @@ -39061,7 +39061,7 @@ index 6517fadbb..f1837481b 100644 + allow $1 hypervkvp_var_lib_t:dir list_dir_perms; + read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +') - + ######################################## ## -## All of the rules required to @@ -39123,7 +39123,7 @@ index 6517fadbb..f1837481b 100644 -## # interface(`hypervkvp_admin',` - gen_require(` + gen_require(` - type hypervkvpd_t, hypervkvpd_initrc_exec_t; + type hypervkvp_t; + type hypervkvp_unit_file_t; @@ -39134,12 +39134,12 @@ index 6517fadbb..f1837481b 100644 + + tunable_policy(`deny_ptrace',`',` + allow $1 hypervkvp_t:process ptrace; - ') - + ') + - allow $1 hypervkvpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, hypervkvpd_t) + hypervkvp_manage_lib_files($1) - + - init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 hypervkvpd_initrc_exec_t system_r; @@ -39155,12 +39155,12 @@ index 4eb7041ef..bce3f60a9 100644 @@ -5,24 +5,161 @@ policy_module(hypervkvp, 1.0.0) # Declarations # - + -type hypervkvpd_t; -type hypervkvpd_exec_t; -init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t) +attribute hyperv_domain; - + -type hypervkvpd_initrc_exec_t; -init_script_file(hypervkvpd_initrc_exec_t) +type hypervkvp_t, hyperv_domain; @@ -39185,7 +39185,7 @@ index 4eb7041ef..bce3f60a9 100644 + +type hypervvssd_unit_file_t; +systemd_unit_file(hypervvssd_unit_file_t) - + ######################################## # -# Local policy 
@@ -39207,7 +39207,7 @@ index 4eb7041ef..bce3f60a9 100644 # +# hypervkvp local policy # - + -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +allow hypervkvp_t self:capability sys_ptrace; @@ -39314,15 +39314,15 @@ index 4eb7041ef..bce3f60a9 100644 +allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin }; + +dev_rw_hypervvssd(hypervvssd_t) - + -logging_send_syslog_msg(hypervkvpd_t) +files_list_all_mountpoints(hypervvssd_t) +files_list_boot(hypervvssd_t) +files_list_non_auth_dirs(hypervvssd_t) - + -miscfiles_read_localization(hypervkvpd_t) +logging_send_syslog_msg(hypervvssd_t) - + -sysnet_dns_name_resolve(hypervkvpd_t) +storage_raw_read_fixed_disk(hypervvssd_t) diff --git a/i18n_input.te b/i18n_input.te @@ -39332,23 +39332,23 @@ index 369a0566b..65fde93d9 100644 @@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t) kernel_read_kernel_sysctls(i18n_input_t) kernel_read_system_state(i18n_input_t) - + -corenet_all_recvfrom_unlabeled(i18n_input_t) corenet_all_recvfrom_netlabel(i18n_input_t) corenet_tcp_sendrecv_generic_if(i18n_input_t) corenet_tcp_sendrecv_generic_node(i18n_input_t) @@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t) fs_search_auto_mountpoints(i18n_input_t) - + files_read_etc_runtime_files(i18n_input_t) -files_read_usr_files(i18n_input_t) - + auth_use_nsswitch(i18n_input_t) - + @@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t) - + logging_send_syslog_msg(i18n_input_t) - + -miscfiles_read_localization(i18n_input_t) - userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) @@ -39364,17 +39364,17 @@ index 369a0566b..65fde93d9 100644 - fs_read_cifs_symlinks(i18n_input_t) -') +userdom_home_reader(i18n_input_t) - + optional_policy(` - canna_stream_connect(i18n_input_t) + canna_stream_connect(i18n_input_t) diff --git a/icecast.if b/icecast.if index 580b533ce..c267cea58 100644 --- a/icecast.if +++ b/icecast.if 
@@ -176,6 +176,14 @@ interface(`icecast_admin',` - type icecast_var_run_t; - ') - + type icecast_var_run_t; + ') + + allow $1 icecast_t:process signal_perms; + ps_process_pattern($1, icecast_t) + @@ -39383,9 +39383,9 @@ index 580b533ce..c267cea58 100644 + ') + + # Allow icecast_t to restart the apache service - icecast_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 icecast_initrc_exec_t system_r; + icecast_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 icecast_initrc_exec_t system_r; diff --git a/icecast.te b/icecast.te index a9e573a50..9a9245f49 100644 --- a/icecast.te @@ -39393,7 +39393,7 @@ index a9e573a50..9a9245f49 100644 @@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t) # Local policy # - + -allow icecast_t self:capability { dac_override setgid setuid sys_nice }; +allow icecast_t self:capability { dac_read_search dac_override setgid setuid sys_nice }; allow icecast_t self:process { getsched setsched signal }; @@ -39402,56 +39402,56 @@ index a9e573a50..9a9245f49 100644 @@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t) dev_read_urand(icecast_t) dev_read_rand(icecast_t) - + -domain_use_interactive_fds(icecast_t) - auth_use_nsswitch(icecast_t) - + -miscfiles_read_localization(icecast_t) +files_dontaudit_list_tmp(icecast_t) - + tunable_policy(`icecast_use_any_tcp_ports',` - corenet_tcp_connect_all_ports(icecast_t) + corenet_tcp_connect_all_ports(icecast_t) diff --git a/ifplugd.if b/ifplugd.if index 899989996..96909ae6a 100644 --- a/ifplugd.if +++ b/ifplugd.if @@ -119,7 +119,7 @@ interface(`ifplugd_admin',` - type ifplugd_initrc_exec_t; - ') - + type ifplugd_initrc_exec_t; + ') + - allow $1 ifplugd_t:process { ptrace signal_perms }; + allow $1 ifplugd_t:process signal_perms; - ps_process_pattern($1, ifplugd_t) - - init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) + ps_process_pattern($1, ifplugd_t) + + init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) 
diff --git a/ifplugd.te b/ifplugd.te index b0546b43b..98d7326a8 100644 --- a/ifplugd.te +++ b/ifplugd.te @@ -10,7 +10,7 @@ type ifplugd_exec_t; init_daemon_domain(ifplugd_t, ifplugd_exec_t) - + type ifplugd_etc_t; -files_type(ifplugd_etc_t) +files_config_file(ifplugd_etc_t) - + type ifplugd_initrc_exec_t; init_script_file(ifplugd_initrc_exec_t) @@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t) dev_read_sysfs(ifplugd_t) - + domain_read_confined_domains_state(ifplugd_t) -domain_dontaudit_read_all_domains_state(ifplugd_t) - + auth_use_nsswitch(ifplugd_t) - + logging_send_syslog_msg(ifplugd_t) - + -miscfiles_read_localization(ifplugd_t) - netutils_domtrans(ifplugd_t) - + sysnet_domtrans_ifconfig(ifplugd_t) diff --git a/imaze.te b/imaze.te index 1eb24d8c8..b320d51ae 100644 @@ -39460,28 +39460,28 @@ index 1eb24d8c8..b320d51ae 100644 @@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t) kernel_read_kernel_sysctls(imazesrv_t) kernel_read_proc_symlinks(imazesrv_t) - + -corenet_all_recvfrom_unlabeled(imazesrv_t) corenet_all_recvfrom_netlabel(imazesrv_t) corenet_tcp_sendrecv_generic_if(imazesrv_t) corenet_udp_sendrecv_generic_if(imazesrv_t) @@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t) - + logging_send_syslog_msg(imazesrv_t) - + -miscfiles_read_localization(imazesrv_t) - userdom_use_unpriv_users_fds(imazesrv_t) userdom_dontaudit_search_user_home_dirs(imazesrv_t) - + diff --git a/inetd.if b/inetd.if index fbb54e7d8..05c377768 100644 --- a/inetd.if +++ b/inetd.if @@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',` - - domtrans_pattern(inetd_t, $2, $1) - allow inetd_t $1:process { siginh sigkill }; + + domtrans_pattern(inetd_t, $2, $1) + allow inetd_t $1:process { siginh sigkill }; + + init_domain($1, $2) + @@ -39489,7 +39489,7 @@ index fbb54e7d8..05c377768 100644 + abrt_stream_connect($1) + ') ') - + ######################################## diff --git a/inetd.te b/inetd.te index c6450df8a..0c88e1cf7 100644 @@ -39498,7 +39498,7 @@ index c6450df8a..0c88e1cf7 100644 
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',` # Local policy # - + -allow inetd_t self:capability { setuid setgid sys_resource }; +allow inetd_t self:capability { setuid setgid }; dontaudit inetd_t self:capability sys_tty_config; @@ -39509,16 +39509,16 @@ index c6450df8a..0c88e1cf7 100644 allow inetd_t self:fd use; @@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) kernel_tcp_recvfrom_unlabeled(inetd_t) - + corecmd_bin_domtrans(inetd_t, inetd_child_t) +corecmd_exec_shell(inetd_t) - + corenet_all_recvfrom_unlabeled(inetd_t) corenet_all_recvfrom_netlabel(inetd_t) @@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) - + +corenet_tcp_bind_echo_port(inetd_t) +corenet_udp_bind_echo_port(inetd_t) +corenet_tcp_bind_time_port(inetd_t) @@ -39526,21 +39526,21 @@ index c6450df8a..0c88e1cf7 100644 + corenet_sendrecv_ircd_server_packets(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) - + @@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t) corenet_tcp_bind_git_port(inetd_t) corenet_udp_bind_git_port(inetd_t) - + +dev_read_urand(inetd_t) +dev_read_rand(inetd_t) + dev_read_sysfs(inetd_t) - + domain_use_interactive_fds(inetd_t) @@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t) - + logging_send_syslog_msg(inetd_t) - + -miscfiles_read_localization(inetd_t) - mls_fd_share_all_levels(inetd_t) @@ -39548,16 +39548,16 @@ index c6450df8a..0c88e1cf7 100644 mls_socket_write_to_clearance(inetd_t) @@ -188,17 +195,13 @@ optional_policy(` ') - + optional_policy(` - tftp_read_config_files(inetd_t) + tftp_read_config(inetd_t) ') - + optional_policy(` - udev_read_db(inetd_t) + udev_read_db(inetd_t) ') - + -optional_policy(` - unconfined_domtrans(inetd_t) -') @@ -39568,7 +39568,7 @@ index c6450df8a..0c88e1cf7 100644 
@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) - + +corenet_all_recvfrom_netlabel(inetd_child_t) +corenet_tcp_sendrecv_generic_if(inetd_child_t) +corenet_udp_sendrecv_generic_if(inetd_child_t) @@ -39580,12 +39580,12 @@ index c6450df8a..0c88e1cf7 100644 +corecmd_bin_entry_type(inetd_child_t) + dev_read_urand(inetd_child_t) - + fs_getattr_xattr_fs(inetd_child_t) @@ -230,7 +243,23 @@ auth_use_nsswitch(inetd_child_t) - + logging_send_syslog_msg(inetd_child_t) - + -miscfiles_read_localization(inetd_child_t) +sysnet_read_config(inetd_child_t) + @@ -39604,26 +39604,26 @@ index c6450df8a..0c88e1cf7 100644 +optional_policy(` + systemd_dbus_chat_logind(inetd_child_t) +') - + optional_policy(` - unconfined_domain(inetd_child_t) + unconfined_domain(inetd_child_t) diff --git a/inn.fc b/inn.fc index 8c0a48b1d..b9eabf145 100644 --- a/inn.fc +++ b/inn.fc @@ -3,6 +3,8 @@ - + /etc/rc\.d/init\.d/innd -- gen_context(system_u:object_r:innd_initrc_exec_t,s0) - + +/usr/lib/systemd/system/innd.* -- gen_context(system_u:object_r:innd_unit_file_t,s0) + /usr/bin/inews -- gen_context(system_u:object_r:innd_exec_t,s0) /usr/bin/rnews -- gen_context(system_u:object_r:innd_exec_t,s0) /usr/bin/rpost -- gen_context(system_u:object_r:innd_exec_t,s0) @@ -13,42 +15,43 @@ - + /var/lib/news(/.*)? gen_context(system_u:object_r:innd_var_lib_t,s0) - + -/usr/lib/news/bin/actsync -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/archive -- gen_context(system_u:object_r:innd_exec_t,s0) -/usr/lib/news/bin/batcher -- gen_context(system_u:object_r:innd_exec_t,s0) 
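Review bot: The granular additions for inetd_child_t in this hunk and the two before it (`corecmd_bin_entry_type`, `sysnet_read_config`, `systemd_dbus_chat_logind`, the corenet sendrecv rules) only take effect when the unconfined module is absent, because the retained `optional_policy(` unconfined_domain(inetd_child_t) `)` at the end of this hunk makes the child domain unconfined whenever that module is loaded. A comment on the retained block, e.g. `# inetd_child_t is unconfined when the unconfined module is present; the rules above are the confined fallback`, would make that intent explicit, or the unconfined_domain call could be reconsidered now that the specific rules exist. The inetd_child_t policy block starts before this hunk.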
@@ -39697,7 +39697,7 @@ index 8c0a48b1d..b9eabf145 100644 +/usr/libexec/news/rc.news -- gen_context(system_u:object_r:innd_exec_t,s0) + +/var/log/news(/.*)? gen_context(system_u:object_r:innd_log_t,s0) - + /var/run/innd(/.*)? gen_context(system_u:object_r:innd_var_run_t,s0) /var/run/innd\.pid -- gen_context(system_u:object_r:innd_var_run_t,s0) diff --git a/inn.if b/inn.if @@ -39705,22 +39705,22 @@ index eb87f2341..d3d32c3ad 100644 --- a/inn.if +++ b/inn.if @@ -124,6 +124,7 @@ interface(`inn_read_config',` - type innd_etc_t; - ') - + type innd_etc_t; + ') + + files_search_etc($1) - allow $1 innd_etc_t:dir list_dir_perms; - allow $1 innd_etc_t:file read_file_perms; - allow $1 innd_etc_t:lnk_file read_lnk_file_perms; + allow $1 innd_etc_t:dir list_dir_perms; + allow $1 innd_etc_t:file read_file_perms; + allow $1 innd_etc_t:lnk_file read_lnk_file_perms; @@ -144,10 +145,29 @@ interface(`inn_read_news_lib',` - type innd_var_lib_t; - ') - + type innd_var_lib_t; + ') + + files_search_var_lib($1) - allow $1 innd_var_lib_t:dir list_dir_perms; - allow $1 innd_var_lib_t:file read_file_perms; + allow $1 innd_var_lib_t:dir list_dir_perms; + allow $1 innd_var_lib_t:file read_file_perms; ') - + +######################################## +## +## Write innd inherited news library content. @@ -39743,17 +39743,17 @@ index eb87f2341..d3d32c3ad 100644 ## ## Read innd news spool content. @@ -163,6 +183,7 @@ interface(`inn_read_news_spool',` - type news_spool_t; - ') - + type news_spool_t; + ') + + files_search_spool($1) - allow $1 news_spool_t:dir list_dir_perms; - allow $1 news_spool_t:file read_file_perms; - allow $1 news_spool_t:lnk_file read_lnk_file_perms; + allow $1 news_spool_t:dir list_dir_perms; + allow $1 news_spool_t:file read_file_perms; + allow $1 news_spool_t:lnk_file read_lnk_file_perms; 
@@ -226,8 +247,15 @@ interface(`inn_domtrans',` interface(`inn_admin',` - gen_require(` - type innd_t, innd_etc_t, innd_log_t; + gen_require(` + type innd_t, innd_etc_t, innd_log_t; - type news_spool_t, innd_var_lib_t; - type innd_var_run_t, innd_initrc_exec_t; + type news_spool_t, innd_var_lib_t, innd_var_run_t; @@ -39765,9 +39765,9 @@ index eb87f2341..d3d32c3ad 100644 + + tunable_policy(`deny_ptrace',`',` + allow $1 innd_t:process ptrace; - ') - - init_labeled_script_domtrans($1, innd_initrc_exec_t) + ') + + init_labeled_script_domtrans($1, innd_initrc_exec_t) diff --git a/inn.te b/inn.te index d39f0cc51..fc0bd082b 100644 --- a/inn.te @@ -39775,24 +39775,24 @@ index d39f0cc51..fc0bd082b 100644 @@ -15,6 +15,9 @@ files_config_file(innd_etc_t) type innd_initrc_exec_t; init_script_file(innd_initrc_exec_t) - + +type innd_unit_file_t; +systemd_unit_file(innd_unit_file_t) + type innd_log_t; logging_log_file(innd_log_t) - + @@ -26,13 +29,14 @@ files_pid_file(innd_var_run_t) - + type news_spool_t; files_mountpoint(news_spool_t) +files_spool_file(news_spool_t) - + ######################################## # # Local policy # - + -allow innd_t self:capability { dac_override kill setgid setuid }; +allow innd_t self:capability { dac_read_search dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; @@ -39801,7 +39801,7 @@ index d39f0cc51..fc0bd082b 100644 @@ -43,29 +47,29 @@ allow innd_t self:tcp_socket { accept listen }; read_files_pattern(innd_t, innd_etc_t, innd_etc_t) read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) - + -allow innd_t innd_log_t:dir setattr_dir_perms; -append_files_pattern(innd_t, innd_log_t, innd_log_t) -create_files_pattern(innd_t, innd_log_t, innd_log_t) 
@@ -39809,60 +39809,60 @@ index d39f0cc51..fc0bd082b 100644 +manage_files_pattern(innd_t, innd_log_t, innd_log_t) +manage_dirs_pattern(innd_t, innd_log_t, innd_log_t) +logging_log_filetrans(innd_t, innd_log_t, { dir file }) - + manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) +allow innd_t innd_var_lib_t:file map; - + manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) -files_pid_filetrans(innd_t, innd_var_run_t, file) +files_pid_filetrans(innd_t, innd_var_run_t, { dir file }) - + manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) manage_lnk_files_pattern(innd_t, news_spool_t, news_spool_t) +allow innd_t news_spool_t:file map; - + can_exec(innd_t, innd_exec_t) - + kernel_read_kernel_sysctls(innd_t) kernel_read_system_state(innd_t) - + -corenet_all_recvfrom_unlabeled(innd_t) corenet_all_recvfrom_netlabel(innd_t) corenet_tcp_sendrecv_generic_if(innd_t) corenet_tcp_sendrecv_generic_node(innd_t) @@ -91,18 +95,18 @@ fs_search_auto_mountpoints(innd_t) - + files_list_spool(innd_t) files_read_etc_runtime_files(innd_t) -files_read_usr_files(innd_t) + +inn_exec_config(innd_t) - + auth_use_nsswitch(innd_t) - + logging_send_syslog_msg(innd_t) - + -miscfiles_read_localization(innd_t) - seutil_dontaudit_search_config(innd_t) - + userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) +userdom_dgram_send(innd_t) - + mta_send_mail(innd_t) - + diff --git a/iodine.fc b/iodine.fc index ca07a8744..6ea129cf6 100644 --- a/iodine.fc +++ b/iodine.fc 
@@ -1,3 +1,5 @@ /etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0) - + +/usr/lib/systemd/system/iodine-server.* -- gen_context(system_u:object_r:iodined_unit_file_t,s0) + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) @@ -39872,7 +39872,7 @@ index a0bfbd04f..8dc7c3e31 100644 +++ b/iodine.if @@ -1,5 +1,49 @@ ## IP over DNS tunneling daemon. - + +######################################## +## +## Execute NetworkManager with a domain transition. @@ -39927,7 +39927,7 @@ index d443feee4..6cbbf7d84 100644 @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) type iodined_initrc_exec_t; init_script_file(iodined_initrc_exec_t) - + +type iodined_unit_file_t; +systemd_unit_file(iodined_unit_file_t) + @@ -39935,14 +39935,14 @@ index d443feee4..6cbbf7d84 100644 # # Local policy @@ -43,7 +46,7 @@ corenet_udp_sendrecv_dns_port(iodined_t) - + corecmd_exec_shell(iodined_t) - + -files_read_etc_files(iodined_t) +auth_use_nsswitch(iodined_t) - + logging_send_syslog_msg(iodined_t) - + diff --git a/iotop.fc b/iotop.fc new file mode 100644 index 000000000..c8d2deac2 @@ -40335,7 +40335,7 @@ index 000000000..c54d3d492 + gen_require(` + type ipa_tmp_t; + ') -+ ++ + files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12") +') + @@ -40815,25 +40815,25 @@ index 48e7739f9..1bf0326cd 100644 HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) -HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) +HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0) - + /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) - + diff --git a/irc.if b/irc.if index ac00fb0fb..36ef2e59c 100644 --- a/irc.if +++ b/irc.if 
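Review bot: `manage_files_pattern(innd_t, innd_log_t, innd_log_t)` together with `manage_dirs_pattern` grants innd_t write, unlink and rename on its own log files, where the rules they replace at the end of the previous hunk allowed only append, create and setattr; a compromised innd can now truncate or delete its own audit trail. If innd genuinely rotates or rewrites its logs itself, a comment stating that need would justify the widening; otherwise `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` on innd_log_t, kept alongside the `logging_log_filetrans` line, preserve log integrity. The innd_t local policy continues outside this hunk.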
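Review bot: The new interface summary `## Execute NetworkManager with a domain transition.` in iodine.if describes NetworkManager, which looks like text copied from another module's interface file. The interface it documents begins after this hunk, so its actual behaviour is not visible here, but in iodine.if it presumably transitions to iodined_t and the summary should name that, e.g. `## Execute iodined with a domain transition.`, or whatever the interface really does.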
@@ -20,6 +20,7 @@ interface(`irc_role',` - attribute_role irc_roles; - type irc_t, irc_exec_t, irc_home_t; - type irc_tmp_t, irc_log_home_t; + attribute_role irc_roles; + type irc_t, irc_exec_t, irc_home_t; + type irc_tmp_t, irc_log_home_t; + type irssi_t, irssi_exec_t, irssi_home_t; - ') - - ######################################## + ') + + ######################################## @@ -37,12 +38,42 @@ interface(`irc_role',` - domtrans_pattern($2, irc_exec_t, irc_t) - - ps_process_pattern($2, irc_t) + domtrans_pattern($2, irc_exec_t, irc_t) + + ps_process_pattern($2, irc_t) - allow $2 irc_t:process { ptrace signal_perms }; - - allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; @@ -40888,7 +40888,7 @@ index 263650367..5910c5931 100644 @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; userdom_user_home_content(irc_home_t) - + -type irc_log_home_t; -userdom_user_home_content(irc_log_home_t) - @@ -40922,7 +40922,7 @@ index 263650367..5910c5931 100644 + +type irssi_home_t alias irc_log_home_t; +userdom_user_home_content(irssi_home_t) - + ######################################## # @@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms; @@ -40937,13 +40937,13 @@ index 263650367..5910c5931 100644 -append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t) -userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs") +irc_filetrans_home_content(irc_t) - + manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) @@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) - + kernel_read_system_state(irc_t) - + -corenet_all_recvfrom_unlabeled(irc_t) +corecmd_exec_shell(irc_t) +corecmd_exec_bin(irc_t) 
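Review bot: `corecmd_exec_shell(irc_t)` and `corecmd_exec_bin(irc_t)` allow the IRC client domain to run any shell or bin_t program without a domain transition, a considerable widening for a network-facing client; a comment naming the feature that needs it (the client's external-command or script support — TODO confirm) would let later reviewers judge whether it belongs behind a tunable. The irc_t policy block continues outside this hunk.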
@@ -40952,24 +40952,24 @@ index 263650367..5910c5931 100644 corenet_tcp_sendrecv_generic_if(irc_t) corenet_tcp_sendrecv_generic_node(irc_t) @@ -93,8 +111,6 @@ dev_read_rand(irc_t) - + domain_use_interactive_fds(irc_t) - + -files_read_usr_files(irc_t) - fs_getattr_all_fs(irc_t) fs_search_auto_mountpoints(irc_t) - + @@ -106,14 +122,16 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) - + -miscfiles_read_generic_certs(irc_t) -miscfiles_read_localization(irc_t) - -userdom_use_user_terminals(irc_t) +userdom_use_inherited_user_terminals(irc_t) - + userdom_manage_user_home_content_dirs(irc_t) userdom_manage_user_home_content_files(irc_t) -userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) @@ -40979,13 +40979,13 @@ index 263650367..5910c5931 100644 +userdom_use_inherited_user_terminals(irc_t) + +userdom_home_manager(irc_t) - + tunable_policy(`irc_use_any_tcp_ports',` - allow irc_t self:tcp_socket { accept listen }; + allow irc_t self:tcp_socket { accept listen }; @@ -124,18 +142,69 @@ tunable_policy(`irc_use_any_tcp_ports',` - corenet_tcp_sendrecv_all_ports(irc_t) + corenet_tcp_sendrecv_all_ports(irc_t) ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(irc_t) - fs_manage_nfs_files(irc_t) @@ -40993,7 +40993,7 @@ index 263650367..5910c5931 100644 +optional_policy(` + nis_use_ypbind(irc_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(irc_t) - fs_manage_cifs_files(irc_t) @@ -41054,69 +41054,69 @@ index 263650367..5910c5931 100644 + corenet_sendrecv_generic_server_packets(irssi_t) + corenet_sendrecv_all_client_packets(irssi_t) ') - + +userdom_home_manager(irssi_t) + optional_policy(` - seutil_use_newrole_fds(irc_t) + seutil_use_newrole_fds(irc_t) ') diff --git a/ircd.if b/ircd.if index ade980323..3620c9a67 100644 --- a/ircd.if +++ b/ircd.if 
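Review bot: `userdom_use_inherited_user_terminals(irc_t)` appears twice in this hunk, once in place of the removed `userdom_use_user_terminals(irc_t)` and again just before `userdom_home_manager(irc_t)`; one of the two should be dropped. The duplicate is harmless to the compiled policy but obscures which placement was intended and will confuse the next edit of this block.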
@@ -33,8 +33,8 @@ interface(`ircd_admin',` - - files_search_etc($1) - admin_pattern($1, ircd_etc_t) + + files_search_etc($1) + admin_pattern($1, ircd_etc_t) - - logging_search_log($1) -+ ++ + logging_search_logs($1) - admin_pattern($1, ircd_log_t) - - files_search_var_lib($1) + admin_pattern($1, ircd_log_t) + + files_search_var_lib($1) diff --git a/ircd.te b/ircd.te index efaf4b10a..bd1a132ac 100644 --- a/ircd.te +++ b/ircd.te @@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t) - + corecmd_exec_bin(ircd_t) - + -corenet_all_recvfrom_unlabeled(ircd_t) corenet_all_recvfrom_netlabel(ircd_t) corenet_tcp_sendrecv_generic_if(ircd_t) corenet_tcp_sendrecv_generic_node(ircd_t) @@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t) - + logging_send_syslog_msg(ircd_t) - + -miscfiles_read_localization(ircd_t) - userdom_dontaudit_use_unpriv_user_fds(ircd_t) userdom_dontaudit_search_user_home_dirs(ircd_t) - + diff --git a/irqbalance.te b/irqbalance.te index e1f302ddb..1e5418a2e 100644 --- a/irqbalance.te +++ b/irqbalance.te @@ -35,7 +35,6 @@ kernel_rw_irq_sysctls(irqbalance_t) - + dev_read_sysfs(irqbalance_t) - + -files_read_etc_files(irqbalance_t) files_read_etc_runtime_files(irqbalance_t) - + fs_getattr_all_fs(irqbalance_t) @@ -45,8 +44,6 @@ domain_use_interactive_fds(irqbalance_t) - + logging_send_syslog_msg(irqbalance_t) - + -miscfiles_read_localization(irqbalance_t) - userdom_dontaudit_use_unpriv_user_fds(irqbalance_t) userdom_dontaudit_search_user_home_dirs(irqbalance_t) - + diff --git a/iscsi.fc b/iscsi.fc index 08b756047..417e63004 100644 --- a/iscsi.fc 
@@ -41127,19 +41127,19 @@ index 08b756047..417e63004 100644 /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) - + /usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) +/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0) - + /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) - + /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) - + -/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) /var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0) - + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) /var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) + @@ -41150,9 +41150,9 @@ index 1a354203e..77004ecad 100644 --- a/iscsi.if +++ b/iscsi.if @@ -17,6 +17,53 @@ interface(`iscsid_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, iscsid_exec_t, iscsid_t) + + corecmd_search_bin($1) + domtrans_pattern($1, iscsid_exec_t, iscsid_t) + allow $1 iscsid_exec_t:file map; +') + @@ -41201,10 +41201,10 @@ index 1a354203e..77004ecad 100644 + manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t) + manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t) ') - + ######################################## @@ -80,17 +127,54 @@ interface(`iscsi_read_lib_files',` - + ######################################## ## -## All of the rules required to @@ -41264,16 +41264,16 @@ index 1a354203e..77004ecad 100644 ## ## 
@@ -99,16 +183,16 @@ interface(`iscsi_admin',` - gen_require(` - type iscsid_t, iscsi_lock_t, iscsi_log_t; - type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; + gen_require(` + type iscsid_t, iscsi_lock_t, iscsi_log_t; + type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; - type iscsi_initrc_exec_t; + type iscsi_unit_file_t; - ') - - allow $1 iscsid_t:process { ptrace signal_perms }; - ps_process_pattern($1, iscsid_t) - + ') + + allow $1 iscsid_t:process { ptrace signal_perms }; + ps_process_pattern($1, iscsid_t) + - init_labeled_script_domtrans($1, iscsi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 iscsi_initrc_exec_t system_r; @@ -41282,9 +41282,9 @@ index 1a354203e..77004ecad 100644 + init_reload_services($1) + allow $1 iscsi_unit_file_t:file manage_file_perms; + allow $1 iscsi_unit_file_t:service manage_service_perms; - - logging_search_logs($1) - admin_pattern($1, iscsi_log_t) + + logging_search_logs($1) + admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te index ca020faa9..5b3ff1668 100644 --- a/iscsi.te @@ -41292,25 +41292,25 @@ index ca020faa9..5b3ff1668 100644 @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) # Declarations # - + +attribute_role iscsid_roles; + type iscsid_t; type iscsid_exec_t; init_daemon_domain(iscsid_t, iscsid_exec_t) +role iscsid_roles types iscsid_t; - + -type iscsi_initrc_exec_t; -init_script_file(iscsi_initrc_exec_t) +type iscsi_unit_file_t; +systemd_unit_file(iscsi_unit_file_t) - + type iscsi_lock_t; files_lock_file(iscsi_lock_t) @@ -32,17 +35,18 @@ files_pid_file(iscsi_var_run_t) # Local policy # - + -allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -dontaudit iscsid_t self:capability sys_ptrace; +allow iscsid_t self:capability { dac_read_search dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource }; 
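Review bot: `allow $1 iscsid_t:process { ptrace signal_perms };` in iscsi_admin remains unconditional, whereas inn_admin earlier in this patch gates the same permission behind `tunable_policy(`deny_ptrace',`',` ... `)`. For consistency the ptrace part should be split out the same way: `allow $1 iscsid_t:process signal_perms;` followed by the deny_ptrace-guarded `allow $1 iscsid_t:process ptrace;`. The remainder of iscsi_admin lies outside this hunk.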
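Review bot: The capability line now includes `sys_module`, and the following hunks add `allow iscsid_t self:system module_load;`, `kernel_load_module(iscsid_t)`, `files_read_kernel_modules(iscsid_t)` and `files_map_kernel_modules(iscsid_t)`, which together let iscsid insert kernel modules directly; `kernel_request_load_module(iscsid_t)`, also added there, is the narrower path that has the kernel invoke modprobe instead. If iscsid or iscsiuio really calls init_module itself, a comment at the capability line such as `# iscsid loads transport modules directly — TODO confirm which component` documents why the direct-load rules are required; otherwise the request path alone would suffice and the direct-load rules could be dropped. The iscsid_t local policy continues outside this hunk.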
@@ -41325,7 +41325,7 @@ index ca020faa9..5b3ff1668 100644 allow iscsid_t self:netlink_route_socket nlmsg_write; allow iscsid_t self:tcp_socket { listen accept }; +allow iscsid_t self:system module_load; - + manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) @@ -54,21 +58,24 @@ logging_log_filetrans(iscsid_t, iscsi_log_t, file) @@ -41333,7 +41333,7 @@ index ca020faa9..5b3ff1668 100644 manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file }) +allow iscsid_t iscsi_tmp_t:file map; - + -allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; -read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) -read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) @@ -41341,19 +41341,19 @@ index ca020faa9..5b3ff1668 100644 +manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) +manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) +files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir) - + manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) - + can_exec(iscsid_t, iscsid_exec_t) - + +kernel_load_module(iscsid_t) kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) -kernel_setsched(iscsid_t) +kernel_dontaudit_setsched(iscsid_t) +kernel_request_load_module(iscsid_t) - + -corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) @@ -41361,7 +41361,7 @@ index ca020faa9..5b3ff1668 100644 @@ -85,22 +92,43 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) - + -dev_read_raw_memory(iscsid_t) +corenet_sendrecv_winshadow_client_packets(iscsid_t) +corenet_tcp_connect_winshadow_port(iscsid_t) 
@@ -41376,19 +41376,19 @@ index ca020faa9..5b3ff1668 100644 dev_rw_userio_dev(iscsid_t) -dev_write_raw_memory(iscsid_t) +dev_map_userio_dev(iscsid_t) - + domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) - + +files_read_kernel_modules(iscsid_t) +files_map_kernel_modules(iscsid_t) + auth_use_nsswitch(iscsid_t) - + init_stream_connect_script(iscsid_t) - + logging_send_syslog_msg(iscsid_t) - + -miscfiles_read_localization(iscsid_t) +modutils_read_module_config(iscsid_t) + @@ -41397,9 +41397,9 @@ index ca020faa9..5b3ff1668 100644 +optional_policy(` + iscsi_systemctl(iscsid_t) +') - + optional_policy(` - tgtd_manage_semaphores(iscsid_t) + tgtd_manage_semaphores(iscsid_t) ') + +optional_policy(` @@ -41416,11 +41416,11 @@ index bc1103493..5a8ae798f 100644 +allow isnsd_t self:tcp_socket { listen accept }; allow isnsd_t self:udp_socket { accept listen }; allow isnsd_t self:unix_stream_socket { accept listen }; - + @@ -37,6 +38,9 @@ manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file }) - + +kernel_read_system_state(isnsd_t) +kernel_read_network_state(isnsd_t) + @@ -41430,10 +41430,10 @@ index bc1103493..5a8ae798f 100644 @@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) - + -files_read_etc_files(isnsd_t) +auth_use_nsswitch(isnsd_t) - + logging_send_syslog_msg(isnsd_t) - -miscfiles_read_localization(isnsd_t) @@ -41446,7 +41446,7 @@ index 59ad3b3c4..bd02cc87d 100644 
@@ -1,25 +1,18 @@ -/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0) - + -/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) @@ -41455,19 +41455,19 @@ index 59ad3b3c4..bd02cc87d 100644 +/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) - + -/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) -/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0) -/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) +/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) - + -/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0) +# pyicq-t - + -/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) -/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0) - + -/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) -/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0) -/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) 
@@ -41475,7 +41475,7 @@ index 59ad3b3c4..bd02cc87d 100644 -/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) -/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0) +/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0) - + -/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) -/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0) +/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0) @@ -41506,9 +41506,9 @@ index 7eb381121..8075ba5f0 100644 + ') + + ############################## -+ # ++ # + # $1_t declarations -+ # ++ # + + type $1_t, jabberd_domain; + type $1_exec_t; @@ -41520,7 +41520,7 @@ index 7eb381121..8075ba5f0 100644 + + logging_send_syslog_msg($1_t) +') - + ####################################### ## -## The template to define a jabber domain. @@ -41536,17 +41536,17 @@ index 7eb381121..8075ba5f0 100644 # -template(`jabber_domain_template',` +interface(`jabber_domtrans_jabberd',` - gen_require(` + gen_require(` - attribute jabberd_domain; + type jabberd_t, jabberd_exec_t; - ') - + ') + - type $1_t, jabberd_domain; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) + domtrans_pattern($1, jabberd_exec_t, jabberd_t) ') - + -######################################## +###################################### ## @@ -41580,15 +41580,15 @@ index 7eb381121..8075ba5f0 100644 # -interface(`jabber_manage_lib_files',` +interface(`jabberd_read_lib_files',` - gen_require(` - type jabberd_var_lib_t; - ') - - files_search_var_lib($1) + gen_require(` + type jabberd_var_lib_t; + ') + + files_search_var_lib($1) - manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) + read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) ') - + -######################################## +####################################### +## 
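Review bot: The new interface names mix prefixes — `jabber_domtrans_jabberd` in this hunk but `jabberd_read_lib_files` in the next one, while the file otherwise uses `jabber_admin` and `jabber_domain_template`; callers in other modules have to guess which prefix a given interface carries. Refpolicy convention is the module name as the prefix, so `jabber_read_lib_files` (and the matching manage interface in the following hunk, whose name is outside this view) would be consistent. The summary in that following hunk also reads `## All of the rules required to administrate an jabber environment` and should say `a jabber environment`.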
@@ -41630,12 +41630,12 @@ index 7eb381121..8075ba5f0 100644 + files_search_var_lib($1) + manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) ') - + ######################################## ## -## All of the rules required to -## administrate an jabber environment. -+## All of the rules required to administrate ++## All of the rules required to administrate +## an jabber environment ## ## @@ -41651,7 +41651,7 @@ index 7eb381121..8075ba5f0 100644 ## # interface(`jabber_admin',` - gen_require(` + gen_require(` - attribute jabberd_domain; - type jabberd_lock_t, jabberd_log_t, jabberd_spool_t; - type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t; @@ -41659,8 +41659,8 @@ index 7eb381121..8075ba5f0 100644 + type jabberd_initrc_exec_t, jabberd_router_t; + type jabberd_lock_t; + type jabberd_var_spool_t; - ') - + ') + - allow $1 jabberd_domain:process { ptrace signal_perms }; - ps_process_pattern($1, jabberd_domain) + allow $1 jabberd_t:process signal_perms; @@ -41672,22 +41672,22 @@ index 7eb381121..8075ba5f0 100644 + + allow $1 jabberd_router_t:process signal_perms; + ps_process_pattern($1, jabberd_router_t) - - init_labeled_script_domtrans($1, jabberd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, jabberd_initrc_exec_t) + domain_system_change_exemption($1) @@ -89,15 +168,9 @@ interface(`jabber_admin',` - files_search_locks($1) - admin_pattern($1, jabberd_lock_t) - + files_search_locks($1) + admin_pattern($1, jabberd_lock_t) + - logging_search_logs($1) - admin_pattern($1, jabberd_log_t) - - files_search_spool($1) + files_search_spool($1) - admin_pattern($1, jabberd_spool_t) + admin_pattern($1, jabberd_var_spool_t) - - files_search_var_lib($1) - admin_pattern($1, jabberd_var_lib_t) + + files_search_var_lib($1) + admin_pattern($1, jabberd_var_lib_t) - - files_search_pids($1) - admin_pattern($1, jabberd_var_run_t) @@ -41697,14 +41697,14 @@ index af67c36ee..4755e0af8 100644 --- a/jabber.te +++ b/jabber.te 
@@ -9,129 +9,137 @@ attribute jabberd_domain; - + jabber_domain_template(jabberd) jabber_domain_template(jabberd_router) +jabber_domain_template(pyicqt) - + type jabberd_initrc_exec_t; init_script_file(jabberd_initrc_exec_t) - + -type jabberd_lock_t; -files_lock_file(jabberd_lock_t) - @@ -41717,35 +41717,35 @@ index af67c36ee..4755e0af8 100644 +# type which includes log/pid files pro jabberd components type jabberd_var_lib_t; files_type(jabberd_var_lib_t) - + -type jabberd_var_run_t; -files_pid_file(jabberd_var_run_t) +# pyicq-t types +type pyicqt_log_t; +logging_log_file(pyicqt_log_t); - + -######################################## -# -# Common local policy -# +type pyicqt_var_spool_t; +files_spool_file(pyicqt_var_spool_t) - + -allow jabberd_domain self:process signal_perms; -allow jabberd_domain self:fifo_file rw_fifo_file_perms; -allow jabberd_domain self:tcp_socket { accept listen }; +type pyicqt_var_run_t; +files_pid_file(pyicqt_var_run_t) - + -manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) +###################################### +# +# Local policy for jabberd-router and c2s components +# - + -kernel_read_system_state(jabberd_domain) +allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; - + -corenet_all_recvfrom_unlabeled(jabberd_domain) -corenet_all_recvfrom_netlabel(jabberd_domain) -corenet_tcp_sendrecv_generic_if(jabberd_domain) @@ -41753,11 +41753,11 @@ index af67c36ee..4755e0af8 100644 -corenet_tcp_bind_generic_node(jabberd_domain) +manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) - + -dev_read_urand(jabberd_domain) -dev_read_sysfs(jabberd_domain) +kernel_read_network_state(jabberd_router_t) - + -fs_getattr_all_fs(jabberd_domain) +corenet_tcp_bind_jabber_client_port(jabberd_router_t) +corenet_tcp_bind_jabber_router_port(jabberd_router_t) 
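Review bot: `logging_log_file(pyicqt_log_t);` carries a trailing `;` after an interface call, as do `manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);` and `manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);` in the later pyicq-t hunk; the rest of the file writes interface calls without one. m4 passes the stray semicolon through into the generated policy, so at best it is noise and at worst a parse error in checkpolicy — dropping the three semicolons matches the file's style. The jabberd declarations block begins before this hunk.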
@@ -41765,30 +41765,30 @@ index af67c36ee..4755e0af8 100644 +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) +corenet_tcp_connect_postgresql_port(jabberd_router_t) - + -logging_send_syslog_msg(jabberd_domain) +fs_getattr_all_fs(jabberd_router_t) - + -miscfiles_read_localization(jabberd_domain) +miscfiles_read_generic_certs(jabberd_router_t) - + optional_policy(` - nis_use_ypbind(jabberd_domain) + kerberos_use(jabberd_router_t) ') - + optional_policy(` - seutil_sigchld_newrole(jabberd_domain) + nis_use_ypbind(jabberd_router_t) ') - + -######################################## +##################################### # -# Local policy +# Local policy for other jabberd components # - + -allow jabberd_t self:capability dac_override; -dontaudit jabberd_t self:capability sys_tty_config; -allow jabberd_t self:tcp_socket create_socket_perms; 
@@ -41802,90 +41802,90 @@ index af67c36ee..4755e0af8 100644 +corenet_tcp_connect_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) +corenet_tcp_connect_postgresql_port(jabberd_t) - + -manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t) +userdom_dontaudit_use_unpriv_user_fds(jabberd_t) +userdom_dontaudit_search_user_home_dirs(jabberd_t) - + -allow jabberd_t jabberd_log_t:dir setattr_dir_perms; -append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) -logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) +miscfiles_read_certs(jabberd_t) - + -manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) +optional_policy(` + seutil_sigchld_newrole(jabberd_t) +') - + -manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) -files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +optional_policy(` + udev_read_db(jabberd_t) +') - + -kernel_read_kernel_sysctls(jabberd_t) +###################################### +# +# Local policy for pyicq-t +# - + -corenet_sendrecv_jabber_client_server_packets(jabberd_t) -corenet_tcp_bind_jabber_client_port(jabberd_t) -corenet_tcp_sendrecv_jabber_client_port(jabberd_t) +# need for /var/log/pyicq-t.log +manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t) +logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) - + -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) -corenet_tcp_bind_jabber_interserver_port(jabberd_t) -corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) +manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t); - + -dev_read_rand(jabberd_t) +files_search_spool(pyicqt_t) +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t); - + -domain_use_interactive_fds(jabberd_t) +corenet_tcp_bind_jabber_router_port(pyicqt_t) +corenet_tcp_connect_jabber_router_port(pyicqt_t) - + 
-files_read_etc_files(jabberd_t) -files_read_etc_runtime_files(jabberd_t) +corecmd_exec_bin(pyicqt_t) - + -fs_search_auto_mountpoints(jabberd_t) +dev_read_urand(pyicqt_t) - + -sysnet_read_config(jabberd_t) +auth_use_nsswitch(pyicqt_t) - + -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) +# needed for pyicq-t-mysql +optional_policy(` + corenet_tcp_connect_mysqld_port(pyicqt_t) +') - + optional_policy(` - udev_read_db(jabberd_t) + sysnet_use_ldap(pyicqt_t) ') - + -######################################## +####################################### # -# Router local policy +# Local policy for jabberd domains # - + -manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) +allow jabberd_domain self:process signal_perms; +allow jabberd_domain self:fifo_file rw_fifo_file_perms; +allow jabberd_domain self:tcp_socket create_stream_socket_perms; +allow jabberd_domain self:udp_socket create_socket_perms; - + -kernel_read_network_state(jabberd_router_t) +corenet_tcp_sendrecv_generic_if(jabberd_domain) +corenet_udp_sendrecv_generic_if(jabberd_domain) 
@@ -41894,20 +41894,20 @@ index af67c36ee..4755e0af8 100644 +corenet_tcp_sendrecv_all_ports(jabberd_domain) +corenet_udp_sendrecv_all_ports(jabberd_domain) +corenet_tcp_bind_generic_node(jabberd_domain) - + -corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) -corenet_tcp_bind_jabber_client_port(jabberd_router_t) -corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t) +dev_read_sysfs(jabberd_domain) +dev_read_urand(jabberd_domain) - + -# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) -# corenet_tcp_bind_jabber_router_port(jabberd_router_t) -# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t) -# corenet_tcp_connect_jabber_router_port(jabberd_router_t) -# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t) +files_read_etc_runtime_files(jabberd_domain) - + -auth_use_nsswitch(jabberd_router_t) +sysnet_read_config(jabberd_domain) diff --git a/java.te b/java.te @@ -41920,16 +41920,16 @@ index a7ae1531b..6341e3119 100644 ## -gen_tunable(allow_java_execstack, false) +gen_tunable(java_execstack, false) - + attribute java_domain; - + @@ -90,7 +90,6 @@ dev_read_urand(java_domain) dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) - + -files_read_usr_files(java_domain) files_read_etc_runtime_files(java_domain) - + fs_getattr_all_fs(java_domain) @@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain) userdom_manage_user_home_content_symlinks(java_domain) 
@@ -41937,14 +41937,14 @@ index a7ae1531b..6341e3119 100644 userdom_manage_user_home_content_sockets(java_domain) -userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +userdom_filetrans_home_content(java_domain_t) - + userdom_write_user_tmp_sockets(java_domain) - + -tunable_policy(`allow_java_execstack',` +tunable_policy(`java_execstack',` - allow java_domain self:process { execmem execstack }; - - libs_legacy_use_shared_libs(java_domain) + allow java_domain self:process { execmem execstack }; + + libs_legacy_use_shared_libs(java_domain) diff --git a/jetty.fc b/jetty.fc new file mode 100644 index 000000000..1725b7e69 @@ -42409,7 +42409,7 @@ index d59ec10a2..a46018d04 100644 @@ -15,6 +15,9 @@ files_type(jockey_cache_t) type jockey_var_log_t; logging_log_file(jockey_var_log_t) - + +type jockey_tmpfs_t; +files_tmpfs_file(jockey_tmpfs_t) + @@ -42419,35 +42419,35 @@ index d59ec10a2..a46018d04 100644 @@ -33,6 +36,10 @@ create_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) setattr_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t) logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir }) - + +manage_dirs_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t) +manage_files_pattern(jockey_t, jockey_tmpfs_t, jockey_tmpfs_t) +fs_tmpfs_filetrans(jockey_t, jockey_tmpfs_t, { dir file }) + kernel_read_system_state(jockey_t) - + corecmd_exec_bin(jockey_t) 
@@ -44,16 +51,19 @@ dev_read_urand(jockey_t) - + domain_use_interactive_fds(jockey_t) - + -files_read_etc_files(jockey_t) -files_read_usr_files(jockey_t) - + -miscfiles_read_localization(jockey_t) +auth_read_passwd(jockey_t) - + optional_policy(` - dbus_system_domain(jockey_t, jockey_exec_t) + dbus_system_domain(jockey_t, jockey_exec_t) ') - + +optional_policy(` + gnome_dontaudit_search_config(jockey_t) +') + optional_policy(` - modutils_domtrans_insmod(jockey_t) - modutils_read_module_config(jockey_t) + modutils_domtrans_insmod(jockey_t) + modutils_read_module_config(jockey_t) + modutils_list_module_config(jockey_t) ') diff --git a/journalctl.fc b/journalctl.fc @@ -42700,22 +42700,22 @@ index a49ae4e91..0c0e987a8 100644 @@ -1,13 +1,16 @@ /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) +/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) - + -/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) +/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) - + -/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) - + -/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) +/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0) - + -/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) +/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) - + -/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) @@ -42728,13 +42728,13 @@ index 3a00b3a13..04dd6e97a 100644 
@@ -1,4 +1,4 @@ -## Kernel crash dumping mechanism. +## Kernel crash dumping mechanism - + ###################################### ## @@ -19,6 +19,26 @@ interface(`kdump_domtrans',` - domtrans_pattern($1, kdump_exec_t, kdump_t) + domtrans_pattern($1, kdump_exec_t, kdump_t) ') - + +###################################### +## +## Execute kdumpctl in the kdumpctl domain. @@ -42759,9 +42759,9 @@ index 3a00b3a13..04dd6e97a 100644 ## ## Execute kdump in the kdump domain. @@ -37,9 +57,34 @@ interface(`kdump_initrc_domtrans',` - init_labeled_script_domtrans($1, kdump_initrc_exec_t) + init_labeled_script_domtrans($1, kdump_initrc_exec_t) ') - + +######################################## +## +## Execute kdump server in the kdump domain. @@ -42795,9 +42795,9 @@ index 3a00b3a13..04dd6e97a 100644 ## ## @@ -56,10 +101,67 @@ interface(`kdump_read_config',` - allow $1 kdump_etc_t:file read_file_perms; + allow $1 kdump_etc_t:file read_file_perms; ') - + +##################################### +## +## Read kdump crash files. @@ -42865,9 +42865,9 @@ index 3a00b3a13..04dd6e97a 100644 ## ## @@ -76,10 +178,89 @@ interface(`kdump_manage_config',` - allow $1 kdump_etc_t:file manage_file_perms; + allow $1 kdump_etc_t:file manage_file_perms; ') - + +##################################### +## +## Read and write kdump lock files. @@ -42951,7 +42951,7 @@ index 3a00b3a13..04dd6e97a 100644 ## -## All of the rules required to -## administrate an kdump environment. -+## All of the rules required to administrate ++## All of the rules required to administrate +## an kdump environment ## ## 
@@ -42967,15 +42967,15 @@ index 3a00b3a13..04dd6e97a 100644 ## # interface(`kdump_admin',` - gen_require(` + gen_require(` - type kdump_t, kdump_etc_t, kdumpctl_tmp_t; - type kdump_initrc_exec_t, kdumpctl_t; + type kdump_t, kdump_etc_t; + type kdump_initrc_exec_t; + type kdump_unit_file_t; + type kdump_crash_t; - ') - + ') + - allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { kdump_t kdumpctl_t }) + allow $1 kdump_t:process signal_perms; @@ -42983,13 +42983,13 @@ index 3a00b3a13..04dd6e97a 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 kdump_t:process ptrace; + ') - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, kdump_initrc_exec_t) + domain_system_change_exemption($1) @@ -110,6 +296,29 @@ interface(`kdump_admin',` - files_search_etc($1) - admin_pattern($1, kdump_etc_t) - + files_search_etc($1) + admin_pattern($1, kdump_etc_t) + - files_search_tmp($1) - admin_pattern($1, kdumpctl_tmp_t) + files_search_var($1) @@ -43025,13 +43025,13 @@ index 715fc211c..41e1154ae 100644 @@ -12,34 +12,59 @@ init_system_domain(kdump_t, kdump_exec_t) type kdump_etc_t; files_config_file(kdump_etc_t) - + +type kdump_crash_t; +files_type(kdump_crash_t) + type kdump_initrc_exec_t; init_script_file(kdump_initrc_exec_t) - + +type kdump_unit_file_t alias kdumpctl_unit_file_t; +systemd_unit_file(kdump_unit_file_t) + 
@@ -43043,20 +43043,20 @@ index 715fc211c..41e1154ae 100644 init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) -application_executable_file(kdumpctl_exec_t) +init_initrc_domain(kdumpctl_t) - + type kdumpctl_tmp_t; files_tmp_file(kdumpctl_tmp_t) - + ##################################### # -# Local policy +# kdump local policy # - + -allow kdump_t self:capability { sys_boot dac_override }; +allow kdump_t self:capability { sys_admin sys_boot dac_read_search dac_override }; +allow kdump_t self:capability2 compromise_kernel; - + -allow kdump_t kdump_etc_t:file read_file_perms; +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) @@ -43069,14 +43069,14 @@ index 715fc211c..41e1154ae 100644 +manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) +manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) +files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file }) - + -files_read_etc_files(kdump_t) files_read_etc_runtime_files(kdump_t) +files_read_kernel_symbol_table(kdump_t) +files_read_kernel_modules(kdump_t) files_read_kernel_img(kdump_t) +files_map_boot_files(kdump_t) - + +kernel_read_system_state(kdump_t) kernel_read_core_if(kdump_t) kernel_read_debugfs(kdump_t) @@ -43085,17 +43085,17 @@ index 715fc211c..41e1154ae 100644 +kernel_read_ring_buffer(kdump_t) + +mls_file_read_all_levels(kdump_t) - + dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) @@ -48,69 +73,105 @@ term_use_console(kdump_t) - + ####################################### # -# Ctl local policy +# kdumpctl local policy # - + -allow kdumpctl_t self:capability { dac_override sys_chroot }; +#cjp:almost all rules are needed by dracut + 
@@ -43107,11 +43107,11 @@ index 715fc211c..41e1154ae 100644 allow kdumpctl_t self:fifo_file rw_fifo_file_perms; -allow kdumpctl_t self:unix_stream_socket { accept listen }; +allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; - + -allow kdumpctl_t kdump_etc_t:file read_file_perms; +manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t) +files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump") - + manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) +manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) @@ -43119,7 +43119,7 @@ index 715fc211c..41e1154ae 100644 +manage_fifo_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) +can_exec(kdumpctl_t, kdumpctl_tmp_t) - + -domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t) +manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) +manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) @@ -43127,21 +43127,21 @@ index 715fc211c..41e1154ae 100644 +files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash") + +read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) - + kernel_read_system_state(kdumpctl_t) +kernel_stream_connect(kdumpctl_t) + +mls_file_read_all_levels(kdumpctl_t) - + corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) - + dev_read_sysfs(kdumpctl_t) +# dracut dev_manage_all_dev_nodes(kdumpctl_t) - + domain_use_interactive_fds(kdumpctl_t) - + files_create_kernel_img(kdumpctl_t) -files_read_etc_files(kdumpctl_t) files_read_etc_runtime_files(kdumpctl_t) @@ -43149,10 +43149,10 @@ index 715fc211c..41e1154ae 100644 files_read_kernel_modules(kdumpctl_t) files_getattr_all_dirs(kdumpctl_t) +files_delete_kernel(kdumpctl_t) - + fs_getattr_all_fs(kdumpctl_t) fs_search_all(kdumpctl_t) - + -init_domtrans_script(kdumpctl_t) +application_executable_ioctl(kdumpctl_t) + 
@@ -43161,9 +43161,9 @@ index 715fc211c..41e1154ae 100644 init_exec(kdumpctl_t) +systemd_exec_systemctl(kdumpctl_t) +systemd_read_unit_files(kdumpctl_t) - + libs_exec_ld_so(kdumpctl_t) - + logging_send_syslog_msg(kdumpctl_t) +# Need log file from /var/log/dracut.log +logging_write_generic_logs(kdumpctl_t) @@ -43172,7 +43172,7 @@ index 715fc211c..41e1154ae 100644 + +storage_raw_read_fixed_disk(kdumpctl_t) +storage_getattr_fixed_disk_dev(kdumpctl_t) - + -miscfiles_read_localization(kdumpctl_t) +optional_policy(` + networkmanager_dbus_chat(kdumpctl_t) @@ -43181,30 +43181,30 @@ index 715fc211c..41e1154ae 100644 +optional_policy(` + gpg_exec(kdumpctl_t) +') - + optional_policy(` - gpg_exec(kdumpctl_t) + lvm_read_config(kdumpctl_t) ') - + optional_policy(` - lvm_read_config(kdumpctl_t) + modutils_domtrans_insmod(kdumpctl_t) + modutils_list_module_config(kdumpctl_t) + modutils_read_module_config(kdumpctl_t) ') - + optional_policy(` - modutils_domtrans_insmod(kdumpctl_t) - modutils_read_module_config(kdumpctl_t) + plymouthd_domtrans_plymouth(kdumpctl_t) ') - + optional_policy(` - plymouthd_domtrans_plymouth(kdumpctl_t) + ssh_exec(kdumpctl_t) ') - + optional_policy(` - ssh_exec(kdumpctl_t) + unconfined_domain(kdumpctl_t) @@ -43245,7 +43245,7 @@ index 2990962b6..abd217f1d 100644 @@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0) # Declarations # - + +## +##

      +## Allow s-c-kdump to run bootloader in bootloader_t. @@ -43257,41 +43257,41 @@ index 2990962b6..abd217f1d 100644 type kdumpgui_exec_t; -init_system_domain(kdumpgui_t, kdumpgui_exec_t) +init_daemon_domain(kdumpgui_t, kdumpgui_exec_t) - + type kdumpgui_tmp_t; files_tmp_file(kdumpgui_tmp_t) - + ###################################### # -# Local policy +# system-config-kdump local policy # - + allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio }; -allow kdumpgui_t self:process { setsched sigkill }; allow kdumpgui_t self:fifo_file rw_fifo_file_perms; allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; +allow kdumpgui_t self:process { setsched sigkill }; - + manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) - + -kernel_getattr_core_if(kdumpgui_t) kernel_read_system_state(kdumpgui_t) kernel_read_network_state(kdumpgui_t) +kernel_getattr_core_if(kdumpgui_t) - + corecmd_exec_bin(kdumpgui_t) corecmd_exec_shell(kdumpgui_t) - + -dev_getattr_all_blk_files(kdumpgui_t) dev_dontaudit_getattr_all_chr_files(kdumpgui_t) dev_read_sysfs(kdumpgui_t) +dev_read_urand(kdumpgui_t) +dev_getattr_all_blk_files(kdumpgui_t) +dev_read_nvme(kdumpgui_t) - + files_manage_boot_files(kdumpgui_t) files_manage_boot_symlinks(kdumpgui_t) +# Needed for running chkconfig 
@@ -43300,36 +43300,36 @@ index 2990962b6..abd217f1d 100644 files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) -files_read_usr_files(kdumpgui_t) - + +fs_manage_dos_files(kdumpgui_t) fs_getattr_all_fs(kdumpgui_t) fs_list_hugetlbfs(kdumpgui_t) -fs_read_dos_files(kdumpgui_t) - + storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) +storage_getattr_removable_dev(kdumpgui_t) - + auth_use_nsswitch(kdumpgui_t) - + +logging_send_syslog_msg(kdumpgui_t) logging_list_logs(kdumpgui_t) logging_read_generic_logs(kdumpgui_t) -logging_send_syslog_msg(kdumpgui_t) - -miscfiles_read_localization(kdumpgui_t) - + mount_exec(kdumpgui_t) - + init_dontaudit_read_all_script_files(kdumpgui_t) +init_access_check(kdumpgui_t) - + -optional_policy(` - bootloader_exec(kdumpgui_t) - bootloader_rw_config(kdumpgui_t) -') +userdom_dontaudit_search_admin_dir(kdumpgui_t) - + optional_policy(` - consoletype_exec(kdumpgui_t) + tunable_policy(`kdumpgui_run_bootloader',` @@ -43341,20 +43341,20 @@ index 2990962b6..abd217f1d 100644 + bootloader_manage_config(kdumpgui_t) + ') ') - + optional_policy(` - dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) + dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) - - optional_policy(` - policykit_dbus_chat(kdumpgui_t) - ') ') - + optional_policy(` @@ -87,4 +97,10 @@ optional_policy(` optional_policy(` - kdump_manage_config(kdumpgui_t) - kdump_initrc_domtrans(kdumpgui_t) + kdump_manage_config(kdumpgui_t) + kdump_initrc_domtrans(kdumpgui_t) + kdump_systemctl(kdumpgui_t) + kdumpctl_domtrans(kdumpgui_t) +') 
@@ -43597,24 +43597,24 @@ index 4fe75fd63..3504a9bf7 100644 +HOME_DIR/\.k5users -- gen_context(system_u:object_r:krb5_home_t,s0) +/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +/root/\.k5users -- gen_context(system_u:object_r:krb5_home_t,s0) - + -/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) -/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0) +/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0) - + -/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - + /etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) - + -/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) 
@@ -43625,12 +43625,12 @@ index 4fe75fd63..3504a9bf7 100644 /usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) +/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) +/usr/sbin/\_kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) - + -/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) +/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - + -/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) +/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) 
@@ -43638,19 +43638,19 @@ index 4fe75fd63..3504a9bf7 100644 +/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) - + -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/var/lib/kdcproxy(/.*)? gen_context(system_u:object_r:krb5kdc_var_lib_t,s0) - + -/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) +/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) - + -/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) - + -/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) @@ -43710,7 +43710,7 @@ index f6c00d8e6..79ea4d8d2 100644 +##

    +##

    +##
    - + ######################################## ## -## Role access for kerberos. @@ -43738,21 +43738,21 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## @@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',` - type kadmind_exec_t; - ') - + type kadmind_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, kadmind_exec_t) + can_exec($1, kadmind_exec_t) ') - + @@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',` - type kpropd_t, kpropd_exec_t; - ') - + type kpropd_t, kpropd_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, kpropd_exec_t, kpropd_t) + domtrans_pattern($1, kpropd_exec_t, kpropd_t) ') - + ######################################## ## -## Support kerberos services. @@ -43763,12 +43763,12 @@ index f6c00d8e6..79ea4d8d2 100644 @@ -69,45 +69,45 @@ interface(`kerberos_domtrans_kpropd',` # interface(`kerberos_use',` - gen_require(` + gen_require(` - type krb5kdc_conf_t, krb5_host_rcache_t; + type krb5_conf_t, krb5kdc_conf_t; + type krb5_host_rcache_t; - ') - + ') + - kerberos_read_config($1) - - dontaudit $1 krb5_conf_t:file write_file_perms; 
@@ -43776,54 +43776,54 @@ index f6c00d8e6..79ea4d8d2 100644 + read_files_pattern($1, krb5_conf_t, krb5_conf_t) + list_dirs_pattern($1, krb5_conf_t, krb5_conf_t) + dontaudit $1 krb5_conf_t:file write; - dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; - dontaudit $1 krb5kdc_conf_t:file rw_file_perms; - + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + + #kerberos libraries are attempting to set the correct file context - dontaudit $1 self:process setfscreate; + dontaudit $1 self:process setfscreate; - - selinux_dontaudit_validate_context($1) + selinux_dontaudit_validate_context($1) - seutil_dontaudit_read_file_contexts($1) + seutil_read_file_contexts($1) - + - tunable_policy(`allow_kerberos',` + tunable_policy(`kerberos_enabled',` - allow $1 self:tcp_socket create_socket_perms; - allow $1 self:udp_socket create_socket_perms; - + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) - corenet_udp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) + corenet_udp_sendrecv_generic_node($1) - - corenet_sendrecv_kerberos_client_packets($1) - corenet_tcp_connect_kerberos_port($1) - corenet_tcp_sendrecv_kerberos_port($1) - corenet_udp_sendrecv_kerberos_port($1) + corenet_tcp_sendrecv_kerberos_port($1) + corenet_udp_sendrecv_kerberos_port($1) - - corenet_sendrecv_ocsp_client_packets($1) + corenet_tcp_bind_generic_node($1) + corenet_udp_bind_generic_node($1) + corenet_tcp_connect_kerberos_port($1) - corenet_tcp_connect_ocsp_port($1) + corenet_tcp_connect_ocsp_port($1) - corenet_tcp_sendrecv_ocsp_port($1) + corenet_sendrecv_kerberos_client_packets($1) + corenet_sendrecv_ocsp_client_packets($1) - + + allow $1 
krb5_host_rcache_t:dir search_dir_perms; - allow $1 krb5_host_rcache_t:file getattr_file_perms; - ') - - optional_policy(` + allow $1 krb5_host_rcache_t:file getattr_file_perms; + ') + + optional_policy(` - tunable_policy(`allow_kerberos',` + tunable_policy(`kerberos_enabled',` - pcscd_stream_connect($1) - ') - ') + pcscd_stream_connect($1) + ') + ') @@ -119,7 +119,7 @@ interface(`kerberos_use',` - + ######################################## ## -## Read kerberos configuration files. @@ -43832,14 +43832,14 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## @@ -135,15 +135,13 @@ interface(`kerberos_read_config',` - - files_search_etc($1) - allow $1 krb5_conf_t:file read_file_perms; + + files_search_etc($1) + allow $1 krb5_conf_t:file read_file_perms; - - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file read_file_perms; + allow $1 krb5_home_t:file read_file_perms; ') - + ######################################## ## -## Do not audit attempts to write @@ -43850,13 +43850,13 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## @@ -156,13 +154,12 @@ interface(`kerberos_dontaudit_write_config',` - type krb5_conf_t; - ') - + type krb5_conf_t; + ') + - dontaudit $1 krb5_conf_t:file write_file_perms; + dontaudit $1 krb5_conf_t:file write; ') - + ######################################## ## -## Read and write kerberos @@ -43866,7 +43866,7 @@ index f6c00d8e6..79ea4d8d2 100644 ## ## @@ -182,27 +179,27 @@ interface(`kerberos_rw_config',` - + ######################################## ## -## Create, read, write, and delete @@ -43882,17 +43882,17 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_manage_krb5_home_files',` +interface(`kerberos_read_keytab',` - gen_require(` + gen_require(` - type krb5_home_t; + type krb5_keytab_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file manage_file_perms; + files_search_etc($1) + allow $1 krb5_keytab_t:file read_file_perms; ') - + ######################################## ## -## Relabel kerberos home files. 
@@ -43906,17 +43906,17 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_relabel_krb5_home_files',` +interface(`kerberos_rw_keytab',` - gen_require(` + gen_require(` - type krb5_home_t; + type krb5_keytab_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 krb5_home_t:file relabel_file_perms; + files_search_etc($1) + allow $1 krb5_keytab_t:file rw_file_perms; ') - + ######################################## ## -## Create objects in user home @@ -43941,16 +43941,16 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_home_filetrans_krb5_home',` +interface(`kerberos_etc_filetrans_keytab',` - gen_require(` + gen_require(` - type krb5_home_t; + type krb5_keytab_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3) + allow $1 krb5_keytab_t:file manage_file_perms; + files_etc_filetrans($1, krb5_keytab_t, file, $2) ') - + ######################################## ## -## Read kerberos key table files. @@ -43980,7 +43980,7 @@ index f6c00d8e6..79ea4d8d2 100644 + kerberos_read_keytab($2) + kerberos_use($2) ') - + ######################################## ## -## Read and write kerberos key table files. @@ -43995,16 +43995,16 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_rw_keytab',` +interface(`kerberos_read_kdc_config',` - gen_require(` + gen_require(` - type krb5_keytab_t; + type krb5kdc_conf_t; - ') - - files_search_etc($1) + ') + + files_search_etc($1) - allow $1 krb5_keytab_t:file rw_file_perms; + read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ') - + ######################################## ## -## Create, read, write, and delete 
@@ -44020,17 +44020,17 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_manage_keytab_files',` +interface(`kerberos_manage_kdc_config',` - gen_require(` + gen_require(` - type krb5_keytab_t; + type krb5kdc_conf_t; - ') - - files_search_etc($1) + ') + + files_search_etc($1) - allow $1 krb5_keytab_t:file manage_file_perms; + manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) + manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) ') - + ######################################## ## -## Create specified objects in generic @@ -44056,15 +44056,15 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_etc_filetrans_keytab',` +interface(`kerberos_read_host_rcache',` - gen_require(` + gen_require(` - type krb5_keytab_t; + type krb5_host_rcache_t; - ') + ') - - files_etc_filetrans($1, krb5_keytab_t, $2, $3) + read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) ') - + ######################################## ## -## Create a derived type for kerberos @@ -44109,11 +44109,11 @@ index f6c00d8e6..79ea4d8d2 100644 + files_search_tmp($1) + ') ') - + ######################################## ## -## Read kerberos kdc configuration files. -+## All of the rules required to administrate ++## All of the rules required to administrate +## an kerberos environment ## ## @@ -44130,15 +44130,15 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_read_kdc_config',` +interface(`kerberos_admin',` - gen_require(` + gen_require(` - type krb5kdc_conf_t; + type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; + type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; + type krb5kdc_var_run_t, krb5_host_rcache_t; - ') - + ') + - files_search_etc($1) - read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t) + allow $1 kadmind_t:process signal_perms; 
@@ -44181,7 +44181,7 @@ index f6c00d8e6..79ea4d8d2 100644 + + admin_pattern($1, krb5kdc_var_run_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -44203,10 +44203,10 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_manage_host_rcache',` +interface(`kerberos_tmp_filetrans_host_rcache',` - gen_require(` - type krb5_host_rcache_t; - ') - + gen_require(` + type krb5_host_rcache_t; + ') + - domain_obj_id_change_exemption($1) - - tunable_policy(`allow_kerberos',` @@ -44222,7 +44222,7 @@ index f6c00d8e6..79ea4d8d2 100644 + manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) + files_tmp_filetrans($1, krb5_host_rcache_t, file, $2) ') - + ######################################## ## -## Create objects in generic temporary @@ -44249,16 +44249,16 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_tmp_filetrans_host_rcache',` +interface(`kerberos_tmp_filetrans_kadmin',` - gen_require(` + gen_require(` - type krb5_host_rcache_t; + type kadmind_tmp_t; - ') - + ') + - files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3) + manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t) + files_tmp_filetrans($1, kadmind_tmp_t, file, $2) ') - + ######################################## ## -## Connect to krb524 service. @@ -44284,12 +44284,12 @@ index f6c00d8e6..79ea4d8d2 100644 +interface(`kerberos_read_home_content',` + gen_require(` + type krb5_home_t; - ') + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, krb5_home_t, krb5_home_t) ') - + ######################################## ## -## All of the rules required to 
@@ -44311,15 +44311,15 @@ index f6c00d8e6..79ea4d8d2 100644 # -interface(`kerberos_admin',` +interface(`kerberos_manage_kdc_var_lib',` - gen_require(` + gen_require(` - type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; - type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; - type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; - type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t; - type krb5kdc_var_run_t, krb5_host_rcache_t; + type krb5kdc_var_lib_t; - ') - + ') + - allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms }; - ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd }) - @@ -44331,7 +44331,7 @@ index f6c00d8e6..79ea4d8d2 100644 + manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t) + manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t) +') - + - logging_list_logs($1) - admin_pattern($1, kadmind_log_t) +######################################## @@ -44349,13 +44349,13 @@ index f6c00d8e6..79ea4d8d2 100644 + gen_require(` + type krb5_home_t; + ') - + - files_list_tmp($1) - admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t }) + userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login") + userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users") +') - + - kerberos_tmp_filetrans_host_rcache($1, file, "host_0") - kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") - kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") @@ -44378,13 +44378,13 @@ index f6c00d8e6..79ea4d8d2 100644 + gen_require(` + type krb5_home_t; + ') - + - files_list_pids($1) - admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t }) + userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login") + userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users") +') - + - files_list_etc($1) - admin_pattern($1, krb5_conf_t) +######################################## 
@@ -44402,15 +44402,15 @@ index f6c00d8e6..79ea4d8d2 100644 + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') - - files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") - - admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t }) - + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") - filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") - - kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") @@ -44434,7 +44434,7 @@ index 8833d596d..3519d8b7b 100644 +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) # - + ## -##
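Review bot: A commented-out rule `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")` sits directly under the live line with identical content in the kerberos.if hunk at @@ -44402, so it is dead text rather than documentation. Either drop it or turn it into a real comment that says why the "principal1" transition is kept alongside "principal" and "principal0". If I read the collapsed layout correctly this line is carried on the new side of the outer patch; the enclosing interface starts outside the hunk.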

    -## Determine whether kerberos is supported. @@ -44445,47 +44445,47 @@ index 8833d596d..3519d8b7b 100644 ## -gen_tunable(allow_kerberos, false) +gen_tunable(kerberos_enabled, false) - + type kadmind_t; type kadmind_exec_t; @@ -35,23 +35,29 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) domain_obj_id_change_exemption(kpropd_t) - + type krb5_conf_t; -files_type(krb5_conf_t) +files_config_file(krb5_conf_t) - + type krb5_home_t; userdom_user_home_content(krb5_home_t) - + -type krb5_host_rcache_t; +type krb5_host_rcache_t alias saslauthd_tmp_t; files_tmp_file(krb5_host_rcache_t) - + +# types for general configuration files in /etc type krb5_keytab_t; files_security_file(krb5_keytab_t) - + +# types for KDC configs and principal file(s) type krb5kdc_conf_t; -files_type(krb5kdc_conf_t) +files_config_file(krb5kdc_conf_t) - + type krb5kdc_lock_t; -files_type(krb5kdc_lock_t) +files_lock_file(krb5kdc_lock_t) - + +type krb5kdc_var_lib_t; +files_type(krb5kdc_var_lib_t) + +# types for KDC principal file(s) type krb5kdc_principal_t; files_type(krb5kdc_principal_t) - + @@ -74,28 +80,33 @@ files_pid_file(krb5kdc_var_run_t) # kadmind local policy # - + -allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice }; -dontaudit kadmind_t self:capability sys_tty_config; +# Use capabilities. Surplus capabilities may be allowed. 
@@ -44498,25 +44498,25 @@ index 8833d596d..3519d8b7b 100644 +allow kadmind_t self:unix_dgram_socket { connect create write }; +allow kadmind_t self:tcp_socket connected_stream_socket_perms; allow kadmind_t self:udp_socket create_socket_perms; - + -allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow kadmind_t kadmind_log_t:file manage_file_perms; logging_log_filetrans(kadmind_t, kadmind_log_t, file) - + allow kadmind_t krb5_conf_t:file read_file_perms; -dontaudit kadmind_t krb5_conf_t:file write_file_perms; +dontaudit kadmind_t krb5_conf_t:file write; - + -read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms }; +manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t) - + allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - + -allow kadmind_t krb5kdc_principal_t:file manage_file_perms; +allow kadmind_t krb5kdc_principal_t:file { manage_file_perms map }; filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) - + +allow kadmind_t krb5_keytab_t:file read_file_perms; + +can_exec(kadmind_t, kadmind_exec_t) @@ -44527,7 +44527,7 @@ index 8833d596d..3519d8b7b 100644 @@ -103,13 +114,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) - + -can_exec(kadmind_t, kadmind_exec_t) - kernel_read_kernel_sysctls(kadmind_t) @@ -44535,7 +44535,7 @@ index 8833d596d..3519d8b7b 100644 kernel_read_network_state(kadmind_t) +kernel_read_proc_symlinks(kadmind_t) kernel_read_system_state(kadmind_t) - + -corenet_all_recvfrom_unlabeled(kadmind_t) +corecmd_exec_bin(kadmind_t) +corecmd_exec_shell(kadmind_t) 
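Review bot: The kadmind rules in the kerberos.te hunk at @@ -44498 replace `read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)` and its write dontaudit with `manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)`, and `allow kadmind_t krb5kdc_principal_t:file { manage_file_perms map };` adds map, but neither line carries a comment saying what kadmind must create or delete in the KDC configuration directory. A one-line why-comment above the manage rule, e.g. `# kadmind needs write access to krb5kdc_conf_t because <reason>`, would stop the next reviewer from narrowing it back to read; I cannot verify the need from this page, so fill in the actual justification. These inner lines appear to be carried unchanged as context on the new side of the outer patch.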
@@ -44559,60 +44559,60 @@ index 8833d596d..3519d8b7b 100644 +corenet_sendrecv_kerberos_password_server_packets(kadmind_t) +corenet_tcp_bind_kprop_port(kadmind_t) +corenet_tcp_connect_kprop_port(kadmind_t) - + dev_read_sysfs(kadmind_t) +dev_read_rand(kadmind_t) +dev_read_urand(kadmind_t) - + fs_getattr_all_fs(kadmind_t) fs_search_auto_mountpoints(kadmind_t) +fs_rw_anon_inodefs_files(kadmind_t) - + domain_use_interactive_fds(kadmind_t) - + files_read_etc_files(kadmind_t) -files_read_usr_files(kadmind_t) +files_read_usr_symlinks(kadmind_t) files_read_var_files(kadmind_t) - + selinux_validate_context(kadmind_t) - + +auth_read_passwd(kadmind_t) + logging_send_syslog_msg(kadmind_t) - + +miscfiles_read_generic_certs(kadmind_t) miscfiles_read_localization(kadmind_t) - + +seutil_read_config(kadmind_t) seutil_read_file_contexts(kadmind_t) - + +sysnet_read_config(kadmind_t) sysnet_use_ldap(kadmind_t) - + userdom_dontaudit_use_unpriv_user_fds(kadmind_t) @@ -153,12 +179,17 @@ optional_policy(` - ldap_stream_connect(kadmind_t) + ldap_stream_connect(kadmind_t) ') - + +optional_policy(` + dirsrv_stream_connect(kadmind_t) +') + optional_policy(` - nis_use_ypbind(kadmind_t) + nis_use_ypbind(kadmind_t) ') - + optional_policy(` - sssd_read_public_files(kadmind_t) + sssd_read_public_files(kadmind_t) + sssd_stream_connect(kadmind_t) ') - + optional_policy(` @@ -174,24 +205,28 @@ optional_policy(` # Krb5kdc local policy # - + -allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; -dontaudit krb5kdc_t self:capability sys_tty_config; +# Use capabilities. Surplus capabilities may be allowed. 
@@ -44625,46 +44625,46 @@ index 8833d596d..3519d8b7b 100644 +allow krb5kdc_t self:tcp_socket create_stream_socket_perms; allow krb5kdc_t self:udp_socket create_socket_perms; allow krb5kdc_t self:fifo_file rw_fifo_file_perms; - + allow krb5kdc_t krb5_conf_t:file read_file_perms; dontaudit krb5kdc_t krb5_conf_t:file write; - + +can_exec(krb5kdc_t, krb5kdc_exec_t) + +list_dirs_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t) -dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms; +dontaudit krb5kdc_t krb5kdc_conf_t:file write; - + allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; - + -allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) - + allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; 
@@ -201,77 +236,93 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) - + manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) -files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) +manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) +manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) +files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file }) - + -can_exec(krb5kdc_t, krb5kdc_exec_t) +manage_files_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t) +manage_dirs_pattern(krb5kdc_t, krb5kdc_var_lib_t, krb5kdc_var_lib_t) - + kernel_read_system_state(krb5kdc_t) kernel_read_kernel_sysctls(krb5kdc_t) +kernel_list_proc(krb5kdc_t) +kernel_read_proc_symlinks(krb5kdc_t) kernel_read_network_state(krb5kdc_t) kernel_search_network_sysctl(krb5kdc_t) - + corecmd_exec_bin(krb5kdc_t) - + -corenet_all_recvfrom_unlabeled(krb5kdc_t) corenet_all_recvfrom_netlabel(krb5kdc_t) corenet_tcp_sendrecv_generic_if(krb5kdc_t) 
@@ -44687,73 +44687,73 @@ index 8833d596d..3519d8b7b 100644 -corenet_tcp_sendrecv_ocsp_port(krb5kdc_t) +corenet_sendrecv_kerberos_server_packets(krb5kdc_t) +corenet_sendrecv_ocsp_client_packets(krb5kdc_t) - + dev_read_sysfs(krb5kdc_t) +dev_read_urand(krb5kdc_t) - + fs_getattr_all_fs(krb5kdc_t) fs_search_auto_mountpoints(krb5kdc_t) +fs_rw_anon_inodefs_files(krb5kdc_t) - + domain_use_interactive_fds(krb5kdc_t) - + -files_read_etc_files(krb5kdc_t) files_read_usr_symlinks(krb5kdc_t) files_read_var_files(krb5kdc_t) - + selinux_validate_context(krb5kdc_t) - + +auth_use_nsswitch(krb5kdc_t) + logging_send_syslog_msg(krb5kdc_t) - + miscfiles_read_generic_certs(krb5kdc_t) -miscfiles_read_localization(krb5kdc_t) - + seutil_read_file_contexts(krb5kdc_t) - + +sysnet_read_config(krb5kdc_t) sysnet_use_ldap(krb5kdc_t) - + userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_user_home_dirs(krb5kdc_t) - + +optional_policy(` + ipa_stream_connect_otpd(krb5kdc_t) +') + optional_policy(` - ldap_stream_connect(krb5kdc_t) + ldap_stream_connect(krb5kdc_t) ') - + +optional_policy(` + dirsrv_stream_connect(krb5kdc_t) +') + optional_policy(` - nis_use_ypbind(krb5kdc_t) + nis_use_ypbind(krb5kdc_t) ') - + optional_policy(` - sssd_read_public_files(krb5kdc_t) + realmd_read_var_lib(krb5kdc_t) ') - + optional_policy(` - seutil_sigchld_newrole(krb5kdc_t) + seutil_sigchld_newrole(krb5kdc_t) ') - + +optional_policy(` + sssd_read_public_files(krb5kdc_t) +') + optional_policy(` - udev_read_db(krb5kdc_t) + udev_read_db(krb5kdc_t) ') @@ -281,10 +332,12 @@ optional_policy(` # kpropd local policy # - + +allow kpropd_t self:capability net_bind_service; allow kpropd_t self:process setfscreate; -allow kpropd_t self:fifo_file rw_fifo_file_perms; 
@@ -44763,26 +44763,26 @@ index 8833d596d..3519d8b7b 100644 +allow kpropd_t self:fifo_file rw_file_perms; +allow kpropd_t self:unix_stream_socket create_stream_socket_perms; +allow kpropd_t self:tcp_socket create_stream_socket_perms; - + allow kpropd_t krb5_host_rcache_t:file manage_file_perms; - + @@ -296,32 +349,35 @@ manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) - + manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) +allow kpropd_t krb5kdc_principal_t:file map; - + manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) - + +kernel_read_system_state(kpropd_t) +kernel_read_network_state(kpropd_t) + +can_exec(kpropd_t,kpropd_exec_t) + corecmd_exec_bin(kpropd_t) - + -corenet_all_recvfrom_unlabeled(kpropd_t) corenet_tcp_sendrecv_generic_if(kpropd_t) corenet_tcp_sendrecv_generic_node(kpropd_t) @@ -44793,22 +44793,22 @@ index 8833d596d..3519d8b7b 100644 corenet_tcp_bind_kprop_port(kpropd_t) -corenet_tcp_sendrecv_kprop_port(kpropd_t) +corenet_tcp_connect_kprop_port(kpropd_t) - + dev_read_urand(kpropd_t) - + -files_read_etc_files(kpropd_t) files_search_tmp(kpropd_t) - + selinux_validate_context(kpropd_t) - + -logging_send_syslog_msg(kpropd_t) +auth_use_nsswitch(kpropd_t) - + -miscfiles_read_localization(kpropd_t) +logging_send_syslog_msg(kpropd_t) - + seutil_read_file_contexts(kpropd_t) - + diff --git a/kerneloops.if b/kerneloops.if index 714448f8d..fa0c994e5 100644 --- a/kerneloops.if @@ -44816,31 +44816,31 @@ index 714448f8d..fa0c994e5 100644 
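Review bot: `can_exec(kpropd_t,kpropd_exec_t)` in the kpropd hunk at @@ -44763 is missing the space after the comma that every other `can_exec` call in this patch uses (`can_exec(kadmind_t, kadmind_exec_t)`, `can_exec(krb5kdc_t, krb5kdc_exec_t)`); write it as `can_exec(kpropd_t, kpropd_exec_t)` for consistency. It appears to be an added inner line carried on the new side of the outer patch.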
@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',` # interface(`kerneloops_admin',` - gen_require(` + gen_require(` - type kerneloops_t, kerneloops_initrc_exec_t; - type kerneloops_tmp_t; + type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; - ') - + ') + - allow $1 kerneloops_t:process { ptrace signal_perms }; + allow $1 kerneloops_t:process signal_perms; - ps_process_pattern($1, kerneloops_t) - + ps_process_pattern($1, kerneloops_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 kerneloops_t:process ptrace; + ') + - init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kerneloops_initrc_exec_t system_r; + init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kerneloops_initrc_exec_t system_r; diff --git a/kerneloops.te b/kerneloops.te index bcdb29599..f6e3736dd 100644 --- a/kerneloops.te +++ b/kerneloops.te @@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t) - + domain_use_interactive_fds(kerneloops_t) - + -corenet_all_recvfrom_unlabeled(kerneloops_t) corenet_all_recvfrom_netlabel(kerneloops_t) corenet_tcp_sendrecv_generic_if(kerneloops_t) @@ -44848,11 +44848,11 @@ index bcdb29599..f6e3736dd 100644 @@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t) logging_send_syslog_msg(kerneloops_t) logging_read_generic_logs(kerneloops_t) - + -miscfiles_read_localization(kerneloops_t) - optional_policy(` - dbus_system_domain(kerneloops_t, kerneloops_exec_t) + dbus_system_domain(kerneloops_t, kerneloops_exec_t) ') diff --git a/keyboardd.if b/keyboardd.if index 8982b9106..6134ef258 100644 @@ -44860,7 +44860,7 @@ index 8982b9106..6134ef258 100644 +++ b/keyboardd.if @@ -1,19 +1,39 @@ -##

    Xorg.conf keyboard layout callout. - + -###################################### +## policy for system-setup-keyboard daemon + @@ -44879,7 +44879,7 @@ index 8982b9106..6134ef258 100644 # -interface(`keyboardd_read_pipes',` +interface(`keyboardd_domtrans',` - gen_require(` + gen_require(` - type keyboardd_t; + type keyboardd_t, keyboardd_exec_t; + ') @@ -44901,8 +44901,8 @@ index 8982b9106..6134ef258 100644 +interface(`keyboardd_read_pipes',` + gen_require(` + type keyboardd_t; - ') - + ') + - allow $1 keyboardd_t:fifo_file read_fifo_file_perms; + allow $1 keyboardd_t:fifo_file read_fifo_file_perms; ') @@ -44911,7 +44911,7 @@ index 628b78b4b..fe656175e 100644 --- a/keyboardd.te +++ b/keyboardd.te @@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms; - + files_manage_etc_runtime_files(keyboardd_t) files_etc_filetrans_etc_runtime(keyboardd_t, file) -files_read_etc_files(keyboardd_t) @@ -44925,13 +44925,13 @@ index b273d803c..6b2b50d69 100644 +/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0) + /etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0) - + /usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) - + +/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0) + /var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0) - + /var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0) + +/var/run/keystone(/.*)? gen_context(system_u:object_r:keystone_var_run_t,s0) @@ -44943,7 +44943,7 @@ index e88fb16e0..ec6121a5c 100644 -## Python implementation of the OpenStack identity service API. + +## policy for keystone - + ######################################## ## -## All of the rules required to 
@@ -45141,29 +45141,29 @@ index e88fb16e0..ec6121a5c 100644 -## # interface(`keystone_admin',` - gen_require(` + gen_require(` - type keystone_t, keystone_initrc_exec_t, keystone_log_t; - type keystone_var_lib_t, keystone_tmp_t; + type keystone_t; + type keystone_log_t; + type keystone_var_lib_t; + type keystone_unit_file_t; - ') - - allow $1 keystone_t:process { ptrace signal_perms }; - ps_process_pattern($1, keystone_t) - + ') + + allow $1 keystone_t:process { ptrace signal_perms }; + ps_process_pattern($1, keystone_t) + - init_labeled_script_domtrans($1, keystone_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 keystone_initrc_exec_t system_r; - allow $2 system_r; - - logging_search_logs($1) - admin_pattern($1, keystone_log_t) - - files_search_var_lib($1) - admin_pattern($1, keystone_var_lib_t) - + logging_search_logs($1) + admin_pattern($1, keystone_log_t) + + files_search_var_lib($1) + admin_pattern($1, keystone_var_lib_t) + - files_search_tmp($1) - admin_pattern($1, keystone_tmp_t) + keystone_systemctl($1) @@ -45181,13 +45181,13 @@ index 992964774..c573d0ed5 100644 @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t) type keystone_var_lib_t; files_type(keystone_var_lib_t) - + +type keystone_var_run_t; +files_pid_file(keystone_var_run_t) + type keystone_tmp_t; files_tmp_file(keystone_tmp_t) - + +type keystone_unit_file_t; +systemd_unit_file(keystone_unit_file_t) + @@ -45196,19 +45196,19 @@ index 992964774..c573d0ed5 100644 # Local policy # +allow keystone_t self:process { getsched setsched signal }; - + allow keystone_t self:fifo_file rw_fifo_file_perms; allow keystone_t self:unix_stream_socket { accept listen }; 
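Review bot: `keystone_admin` in the keystone.if hunk at @@ -45141 keeps an unconditional `allow $1 keystone_t:process { ptrace signal_perms };`, while every other admin interface touched in this patch (kerneloops_admin, kismet_admin, ksmtuned_admin, kudzu_admin, l2tpd_admin, ldap_admin) now grants only `signal_perms` and gates ptrace behind the `deny_ptrace` boolean. Unless keystone is meant to be the exception, change the line to `allow $1 keystone_t:process signal_perms;` and add the same `tunable_policy(`deny_ptrace',`',` allow $1 keystone_t:process ptrace; ')` block after `ps_process_pattern($1, keystone_t)`. The line is reindented on the new side of the outer patch, so this is the place to align it; the interface body continues beyond the hunk.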
@@ -45,6 +52,10 @@ manage_dirs_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t) manage_files_pattern(keystone_t, keystone_var_lib_t, keystone_var_lib_t) files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir) - + +manage_dirs_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t) +manage_files_pattern(keystone_t, keystone_var_run_t, keystone_var_run_t) +files_pid_filetrans(keystone_t, keystone_var_run_t, { dir }) + can_exec(keystone_t, keystone_tmp_t) - + kernel_read_system_state(keystone_t) @@ -57,20 +68,53 @@ corenet_all_recvfrom_netlabel(keystone_t) corenet_tcp_sendrecv_generic_if(keystone_t) @@ -45219,26 +45219,26 @@ index 992964774..c573d0ed5 100644 +corenet_tcp_connect_keystone_port(keystone_t) +corenet_tcp_connect_amqp_port(keystone_t) +corenet_tcp_connect_osapi_compute_port(keystone_t) - + corenet_sendrecv_commplex_main_server_packets(keystone_t) corenet_tcp_bind_commplex_main_port(keystone_t) corenet_tcp_sendrecv_commplex_main_port(keystone_t) - + -files_read_usr_files(keystone_t) +corenet_tcp_bind_keystone_port(keystone_t) - + auth_use_pam(keystone_t) - + libs_exec_ldconfig(keystone_t) - + -miscfiles_read_localization(keystone_t) +optional_policy(` + ldap_stream_connect(keystone_t) +') - + optional_policy(` - mysql_stream_connect(keystone_t) - mysql_tcp_connect(keystone_t) + mysql_stream_connect(keystone_t) + mysql_tcp_connect(keystone_t) + mysql_read_db_lnk_files(keystone_t) +') + @@ -45272,26 +45272,26 @@ index aa2a3379b..7ff229f32 100644 +++ b/kismet.if @@ -283,7 +283,7 @@ interface(`kismet_manage_log',` interface(`kismet_admin',` - gen_require(` - type kismet_t, kismet_var_lib_t, kismet_var_run_t; + gen_require(` + type kismet_t, kismet_var_lib_t, kismet_var_run_t; - type kismet_log_t, kismet_tmp_t; + type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, kismet_initrc_exec_t) + ') + + init_labeled_script_domtrans($1, kismet_initrc_exec_t) 
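Review bot: `files_pid_filetrans(keystone_t, keystone_var_run_t, { dir })` in the keystone.te hunk at @@ -45196 wraps a single object class in braces, unlike `files_var_lib_filetrans(keystone_t, keystone_var_lib_t, dir)` a few lines above. Write `dir` bare, or, if keystone also creates files directly under the pid directory (the hunk grants `manage_files_pattern` on keystone_var_run_t), list `{ dir file }` and say so in a comment. This outer hunk begins on the previous line.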
@@ -292,7 +292,11 @@ interface(`kismet_admin',` - allow $2 system_r; - - ps_process_pattern($1, kismet_t) + allow $2 system_r; + + ps_process_pattern($1, kismet_t) - allow $1 kismet_t:process { ptrace signal_perms }; + allow $1 kismet_t:process signal_perms; + + tunable_policy(`deny_ptrace',`',` + allow $1 kismet_t:process ptrace; + ') - - files_search_var_lib($1) - admin_pattern($1, kismet_var_lib_t) + + files_search_var_lib($1) + admin_pattern($1, kismet_var_lib_t) diff --git a/kismet.te b/kismet.te index 8ad0d4d50..01e503790 100644 --- a/kismet.te @@ -45299,29 +45299,29 @@ index 8ad0d4d50..01e503790 100644 @@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t) # Local policy # - + -allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid }; +allow kismet_t self:capability { dac_read_search dac_override kill net_admin net_raw setuid setgid }; allow kismet_t self:process signal_perms; allow kismet_t self:fifo_file rw_fifo_file_perms; allow kismet_t self:packet_socket create_socket_perms; @@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t) - + corecmd_exec_bin(kismet_t) - + -corenet_all_recvfrom_unlabeled(kismet_t) corenet_all_recvfrom_netlabel(kismet_t) corenet_tcp_sendrecv_generic_if(kismet_t) corenet_tcp_sendrecv_generic_node(kismet_t) corenet_tcp_bind_generic_node(kismet_t) - + -corenet_sendrecv_kismet_server_packets(kismet_t) -corenet_tcp_bind_kismet_port(kismet_t) -corenet_sendrecv_kismet_client_packets(kismet_t) -corenet_tcp_connect_kismet_port(kismet_t) -corenet_tcp_sendrecv_kismet_port(kismet_t) +corenet_tcp_connect_pulseaudio_port(kismet_t) - + -auth_use_nsswitch(kismet_t) - -files_read_usr_files(kismet_t) 
@@ -45329,16 +45329,16 @@ index 8ad0d4d50..01e503790 100644 +corenet_tcp_bind_rtsclient_port(kismet_t) +corenet_sendrecv_rtsclient_client_packets(kismet_t) +corenet_tcp_connect_rtsclient_port(kismet_t) - + -miscfiles_read_localization(kismet_t) +auth_use_nsswitch(kismet_t) - + -userdom_use_user_terminals(kismet_t) +userdom_use_inherited_user_terminals(kismet_t) +userdom_read_user_tmp_files(kismet_t) - + optional_policy(` - dbus_system_bus_client(kismet_t) + dbus_system_bus_client(kismet_t) diff --git a/kmscon.fc b/kmscon.fc new file mode 100644 index 000000000..ccd29c079 @@ -45479,20 +45479,20 @@ index e736c450c..4b1e1e453 100644 +++ b/ksmtuned.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0) - + +/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0) + /usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0) - + /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if index 93a64bc50..af6d741d6 100644 --- a/ksmtuned.if +++ b/ksmtuned.if @@ -38,6 +38,30 @@ interface(`ksmtuned_initrc_domtrans',` - init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) + init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t) ') - + +####################################### +## +## Execute ksmtuned server in the ksmtunedd domain. @@ -45532,13 +45532,13 @@ index 93a64bc50..af6d741d6 100644 ## # interface(`ksmtuned_admin',` - gen_require(` + gen_require(` - type ksmtuned_t, ksmtuned_var_run_t; - type ksmtuned_initrc_exec_t, ksmtuned_log_t; + type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t; + type ksmtuned_log_t; - ') - + ') + - ksmtuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ksmtuned_initrc_exec_t system_r; 
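Review bot: The kismet.te hunk at @@ -45299 drops all `corenet_*_kismet_port` rules and adds rtsclient and pulseaudio port rules in their place without a comment recording why, so a reader will assume kismet lost its listening port. Add a line above `corenet_tcp_bind_rtsclient_port(kismet_t)` such as `# kismet's listener is labelled rtsclient_port_t in this policy (<why kismet_port_t is not used>)`, confirming the port label before committing to the wording. The hunk starts on the previous line; the surrounding rules appear to be carried as context on the new side of the outer patch.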
@@ -45546,17 +45546,17 @@ index 93a64bc50..af6d741d6 100644 - - allow $1 ksmtuned_t:process { ptrace signal_perms }; + allow $1 ksmtuned_t:process signal_perms; - ps_process_pattern($1, ksmtuned_t) - + ps_process_pattern($1, ksmtuned_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 ksmtuned_t:process ptrace; + ') + - files_list_pids($1) - admin_pattern($1, ksmtuned_var_run_t) - - logging_search_logs($1) - admin_pattern($1, ksmtuned_log_t) + files_list_pids($1) + admin_pattern($1, ksmtuned_var_run_t) + + logging_search_logs($1) + admin_pattern($1, ksmtuned_log_t) + + ksmtuned_systemctl($1) + admin_pattern($1, ksmtuned_unit_file_t) @@ -45569,7 +45569,7 @@ index 8eef134ac..9636a5343 100644 @@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1) # Declarations # - + +## +##

    +## Allow ksmtuned to use nfs file systems @@ -45587,29 +45587,29 @@ index 8eef134ac..9636a5343 100644 type ksmtuned_t; type ksmtuned_exec_t; init_daemon_domain(ksmtuned_t, ksmtuned_exec_t) - + +type ksmtuned_unit_file_t; +systemd_unit_file(ksmtuned_unit_file_t) + type ksmtuned_initrc_exec_t; init_script_file(ksmtuned_initrc_exec_t) - + @@ -40,9 +57,10 @@ kernel_read_system_state(ksmtuned_t) corecmd_exec_bin(ksmtuned_t) corecmd_exec_shell(ksmtuned_t) - + -dev_rw_sysfs(ksmtuned_t) +dev_manage_sysfs(ksmtuned_t) - + domain_read_all_domains_state(ksmtuned_t) +domain_dontaudit_read_all_domains_state(ksmtuned_t) - + mls_file_read_to_clearance(ksmtuned_t) - + @@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t) - + logging_send_syslog_msg(ksmtuned_t) - + -miscfiles_read_localization(ksmtuned_t) +tunable_policy(`ksmtuned_use_nfs',` + fs_read_nfs_files(ksmtuned_t) @@ -45627,7 +45627,7 @@ index 38ecb07d1..451067ebd 100644 +/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0) + /usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) - + /usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) diff --git a/ktalk.if b/ktalk.if index 19777b806..cd721fd6b 100644 @@ -45719,27 +45719,27 @@ index c5548c5ed..1356fcbd2 100644 @@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) type ktalkd_log_t; logging_log_file(ktalkd_log_t) - + +type ktalkd_unit_file_t; +systemd_unit_file(ktalkd_unit_file_t) + type ktalkd_tmp_t; files_tmp_file(ktalkd_tmp_t) - + @@ -50,7 +53,8 @@ dev_read_urand(ktalkd_t) - + fs_getattr_xattr_fs(ktalkd_t) - + -term_use_all_terms(ktalkd_t) +term_search_ptys(ktalkd_t) +term_use_all_inherited_terms(ktalkd_t) - + auth_use_nsswitch(ktalkd_t) - + @@ -58,4 +62,5 @@ init_read_utmp(ktalkd_t) - + logging_send_syslog_msg(ktalkd_t) - + -miscfiles_read_localization(ktalkd_t) +userdom_use_user_ptys(ktalkd_t) +userdom_use_user_ttys(ktalkd_t) @@ -45942,20 +45942,20 @@ index 52970645f..6ba810834 100644 
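Review bot: In the ksmtuned.te hunk at @@ -45587, `domain_dontaudit_read_all_domains_state(ksmtuned_t)` is added directly under `domain_read_all_domains_state(ksmtuned_t)`, and `dev_rw_sysfs(ksmtuned_t)` becomes `dev_manage_sysfs(ksmtuned_t)`, with no comment for either. If the dontaudit only covers permissions the allow already grants it is a no-op, and if it covers something the allow withholds (presumably the ptrace case under deny_ptrace) that deserves one line, e.g. `# dontaudit the state reads withheld when deny_ptrace is on — confirm`; likewise note what ksmtuned creates or removes under sysfs that `dev_rw_sysfs` did not permit. These appear to be inner additions carried on the new side of the outer patch.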
--- a/kudzu.if +++ b/kudzu.if @@ -86,9 +86,13 @@ interface(`kudzu_admin',` - type kudzu_tmp_t; - ') - + type kudzu_tmp_t; + ') + - allow $1 kudzu_t:process { ptrace signal_perms }; + allow $1 kudzu_t:process { signal_perms }; - ps_process_pattern($1, kudzu_t) - + ps_process_pattern($1, kudzu_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 kudzu_t:process ptrace; + ') + - init_labeled_script_domtrans($1, kudzu_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 kudzu_initrc_exec_t system_r; + init_labeled_script_domtrans($1, kudzu_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 kudzu_initrc_exec_t system_r; diff --git a/kudzu.te b/kudzu.te index 16640364b..ee7a9a1d5 100644 --- a/kudzu.te @@ -45963,7 +45963,7 @@ index 16640364b..ee7a9a1d5 100644 @@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t) # Local policy # - + -allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; +allow kudzu_t self:capability { dac_read_search dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; dontaudit kudzu_t self:capability sys_tty_config; @@ -45976,11 +45976,11 @@ index 16640364b..ee7a9a1d5 100644 -kernel_rw_hotplug_sysctls(kudzu_t) +kernel_rw_usermodehelper_state(kudzu_t) kernel_rw_kernel_sysctl(kudzu_t) - + corecmd_exec_all_executables(kudzu_t) @@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t) domain_use_interactive_fds(kudzu_t) - + files_read_kernel_modules(kudzu_t) -files_read_usr_files(kudzu_t) files_search_locks(kudzu_t) @@ -45988,31 +45988,31 @@ index 16640364b..ee7a9a1d5 100644 files_manage_etc_runtime_files(kudzu_t) @@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t) logging_send_syslog_msg(kudzu_t) - + miscfiles_read_hwdata(kudzu_t) -miscfiles_read_localization(kudzu_t) - + sysnet_read_config(kudzu_t) - + -userdom_use_user_terminals(kudzu_t) +userdom_use_inherited_user_terminals(kudzu_t) userdom_dontaudit_use_unpriv_user_fds(kudzu_t) userdom_search_user_home_dirs(kudzu_t) - + 
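Review bot: `allow $1 kudzu_t:process { signal_perms };` in the kudzu.if hunk at @@ -45942 puts braces around a single permission macro, while the parallel edits in this patch write `allow $1 kerneloops_t:process signal_perms;`; write it as `allow $1 kudzu_t:process signal_perms;`. The hunk begins on the previous line and the interface body continues beyond it.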
@@ -121,10 +119,6 @@ optional_policy(` - modutils_domtrans_insmod(kudzu_t) + modutils_domtrans_insmod(kudzu_t) ') - + -optional_policy(` - nscd_use(kudzu_t) -') - optional_policy(` - seutil_sigchld_newrole(kudzu_t) + seutil_sigchld_newrole(kudzu_t) ') @@ -132,7 +126,3 @@ optional_policy(` optional_policy(` - udev_read_db(kudzu_t) + udev_read_db(kudzu_t) ') - -optional_policy(` @@ -46024,10 +46024,10 @@ index d5d1572b1..ddc6ef210 100644 +++ b/l2tp.fc @@ -5,7 +5,9 @@ /etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0) - + /usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0) +/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0) - + /var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) /var/run/.*l2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0) @@ -46039,7 +46039,7 @@ index 73e2803ee..34ca3aa22 100644 @@ -1,9 +1,45 @@ -##

    Layer 2 Tunneling Protocol. +## Layer 2 Tunneling Protocol daemons. - + ######################################## ## -## Send to l2tpd with a unix @@ -46086,17 +46086,17 @@ index 73e2803ee..34ca3aa22 100644 ## ## @@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',` - type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; - ') - + type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t; + ') + - files_search_pids($1) - files_search_tmp($1) - dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) + files_search_tmp($1) + dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) ') @@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',` - allow $1 l2tpd_t:socket rw_socket_perms; + allow $1 l2tpd_t:socket rw_socket_perms; ') - + +######################################## +## +## Read l2tpd PID files. @@ -46126,15 +46126,15 @@ index 73e2803ee..34ca3aa22 100644 ## ## @@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',` - ') - - files_search_pids($1) + ') + + files_search_pids($1) - files_search_tmp($1) - stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t) + stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t) + stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t) ') - + ######################################## ## -## All of the rules required to 
@@ -46243,31 +46243,31 @@ index 73e2803ee..34ca3aa22 100644 # -interface(`l2tp_admin',` +interface(`l2tpd_admin',` - gen_require(` - type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; - type l2tp_conf_t, l2tpd_tmp_t; - ') - + gen_require(` + type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; + type l2tp_conf_t, l2tpd_tmp_t; + ') + - allow $1 l2tpd_t:process { ptrace signal_perms }; + allow $1 l2tpd_t:process signal_perms; - ps_process_pattern($1, l2tpd_t) - + ps_process_pattern($1, l2tpd_t) + - init_labeled_script_domtrans($1, l2tpd_initrc_exec_t) + tunable_policy(`deny_ptrace',`',` + allow $1 l2tpd_t:process ptrace; + ') + + l2tpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 l2tpd_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 l2tpd_initrc_exec_t system_r; + allow $2 system_r; diff --git a/l2tp.te b/l2tp.te index bb06a7fee..01e784bf5 100644 --- a/l2tp.te +++ b/l2tp.te @@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) # - + allow l2tpd_t self:capability net_admin; -allow l2tpd_t self:process signal; +allow l2tpd_t self:process signal_perms; @@ -46280,37 +46280,37 @@ index bb06a7fee..01e784bf5 100644 manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t) -files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file }) +files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file }) - + manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) - + +can_exec(l2tpd_t, l2tpd_exec_t) + corenet_all_recvfrom_unlabeled(l2tpd_t) corenet_all_recvfrom_netlabel(l2tpd_t) corenet_raw_sendrecv_generic_if(l2tpd_t) 
@@ -75,18 +77,36 @@ corecmd_exec_bin(l2tpd_t) - + dev_read_urand(l2tpd_t) - + -files_read_etc_files(l2tpd_t) - term_setattr_generic_ptys(l2tpd_t) term_use_generic_ptys(l2tpd_t) term_use_ptmx(l2tpd_t) - + -logging_send_syslog_msg(l2tpd_t) +auth_read_passwd(l2tpd_t) - + -miscfiles_read_localization(l2tpd_t) +logging_send_syslog_msg(l2tpd_t) - + sysnet_dns_name_resolve(l2tpd_t) - + +optional_policy(` + dbus_system_bus_client(l2tpd_t) + dbus_connect_system_bus(l2tpd_t) -+ ++ + optional_policy(` + networkmanager_dbus_chat(l2tpd_t) + ') @@ -46328,8 +46328,8 @@ index bb06a7fee..01e784bf5 100644 +') + optional_policy(` - ppp_domtrans(l2tpd_t) - ppp_signal(l2tpd_t) + ppp_domtrans(l2tpd_t) + ppp_signal(l2tpd_t) diff --git a/ldap.fc b/ldap.fc index b7e567916..c93db3316 100644 --- a/ldap.fc @@ -46340,18 +46340,18 @@ index b7e567916..c93db3316 100644 + +/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0) /etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0) - + -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + +/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0) - + /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) - + @@ -22,8 +25,7 @@ /var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0) /var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0) - + -/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0) -/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) @@ -46428,7 +46428,7 @@ index 3602712d0..af83a5b6b 100644 + + ps_process_pattern($1, slapd_t) +') - + ######################################## ## -## List ldap database directories. @@ -46438,13 +46438,13 @@ index 3602712d0..af83a5b6b 100644 ## ## 
@@ -15,13 +76,31 @@ interface(`ldap_list_db',` - type slapd_db_t; - ') - + type slapd_db_t; + ') + - files_search_etc($1) - allow $1 slapd_db_t:dir list_dir_perms; + allow $1 slapd_db_t:dir list_dir_perms; ') - + ######################################## ## -## Read ldap configuration files. @@ -46472,7 +46472,7 @@ index 3602712d0..af83a5b6b 100644 ## ## @@ -41,22 +120,29 @@ interface(`ldap_read_config',` - + ######################################## ## -## Use LDAP over TCP connection. (Deprecated) @@ -46497,7 +46497,7 @@ index 3602712d0..af83a5b6b 100644 + read_files_pattern($1, slapd_cert_t, slapd_cert_t) + read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t) ') - + ######################################## ## -## Connect to slapd over an unix @@ -46520,7 +46520,7 @@ index 3602712d0..af83a5b6b 100644 +interface(`ldap_use',` + refpolicywarn(`$0($*) has been deprecated.') ') - + ######################################## ## -## Connect to ldap over the network. @@ -46534,11 +46534,11 @@ index 3602712d0..af83a5b6b 100644 # -interface(`ldap_tcp_connect',` +interface(`ldap_stream_connect',` - gen_require(` + gen_require(` - type slapd_t; + type slapd_t, slapd_var_run_t; - ') - + ') + - corenet_sendrecv_ldap_client_packets($1) - corenet_tcp_connect_ldap_port($1) - corenet_tcp_recvfrom_labeled($1, slapd_t) @@ -46546,7 +46546,7 @@ index 3602712d0..af83a5b6b 100644 + files_search_pids($1) + stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) ') - + ######################################## ## -## All of the rules required to @@ -46566,42 +46566,42 @@ index 3602712d0..af83a5b6b 100644 ## ## 
@@ -117,11 +196,16 @@ interface(`ldap_admin',` - type slapd_lock_t, slapd_etc_t, slapd_var_run_t; - type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; - type slapd_db_t, slapd_keytab_t; + type slapd_lock_t, slapd_etc_t, slapd_var_run_t; + type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; + type slapd_db_t, slapd_keytab_t; + type slapd_unit_file_t; - ') - + ') + - allow $1 slapd_t:process { ptrace signal_perms }; + allow $1 slapd_t:process signal_perms; - ps_process_pattern($1, slapd_t) - + ps_process_pattern($1, slapd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 slapd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, slapd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 slapd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, slapd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 slapd_initrc_exec_t system_r; @@ -130,13 +214,9 @@ interface(`ldap_admin',` - files_list_etc($1) - admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t }) - + files_list_etc($1) + admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t }) + - files_list_locks($1) - admin_pattern($1, slapd_lock_t) - + admin_pattern($1, slapd_lock_t) + - logging_list_logs($1) - admin_pattern($1, slapd_log_t) - - files_search_var_lib($1) + files_list_var_lib($1) - admin_pattern($1, slapd_replog_t) - - files_list_tmp($1) + admin_pattern($1, slapd_replog_t) + + files_list_tmp($1) @@ -144,4 +224,8 @@ interface(`ldap_admin',` - - files_list_pids($1) - admin_pattern($1, slapd_var_run_t) + + files_list_pids($1) + admin_pattern($1, slapd_var_run_t) + + ldap_systemctl($1) + admin_pattern($1, slapd_unit_file_t) @@ -46614,15 +46614,15 @@ index 4c2b1110e..1c922b340 100644 @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) type slapd_initrc_exec_t; init_script_file(slapd_initrc_exec_t) - + +type slapd_unit_file_t; +systemd_unit_file(slapd_unit_file_t) + type slapd_keytab_t; files_type(slapd_keytab_t) - + 
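Review bot: slapd_log_t is still listed in ldap_admin's `gen_require` (`type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;`) but no rule in the new body uses it, because `logging_list_logs($1)` and `admin_pattern($1, slapd_log_t)` are gone from the second inner hunk; the require is dead and an ldap admin role can no longer manage slapd's logs. If dropping log management is intended, remove slapd_log_t from the require block; otherwise put the two lines back next to `admin_pattern($1, slapd_lock_t)`. The end of ldap_admin lies outside this hunk, so only the visible part of the body was checked.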
@@ -49,7 +52,8 @@ files_pid_file(slapd_var_run_t) - + allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; dontaudit slapd_t self:capability sys_tty_config; -allow slapd_t self:process setsched; @@ -46630,34 +46630,34 @@ index 4c2b1110e..1c922b340 100644 +allow slapd_t self:process { setsched signal } ; allow slapd_t self:fifo_file rw_fifo_file_perms; allow slapd_t self:tcp_socket { accept listen }; - + @@ -60,6 +64,7 @@ read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t) manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t) manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t) manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t) +allow slapd_t slapd_db_t:file map; - + allow slapd_t slapd_etc_t:file read_file_perms; - + @@ -69,9 +74,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms; files_lock_filetrans(slapd_t, slapd_lock_t, file) - + manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) -append_files_pattern(slapd_t, slapd_log_t, slapd_log_t) -create_files_pattern(slapd_t, slapd_log_t, slapd_log_t) -setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) - + manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) @@ -80,7 +83,8 @@ manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t) - + manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) -files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) +manage_lnk_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t) +files_tmp_filetrans(slapd_t, slapd_tmp_t, { file lnk_file dir }) - + manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t) fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t, file) @@ -89,11 +93,11 @@ manage_dirs_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) 
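Review bot: `manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)` in the ldap.te hunk grants write, unlink and rename on existing log files, whereas the `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` trio it replaces let slapd only add to its logs; a compromised slapd could now truncate or remove its own log trail. If slapd does not rotate or rewrite its logs itself, keep the three narrower rules, or add a comment above the manage rule naming the operation that needed full access. Separately, `allow slapd_t self:process { setsched signal } ;` has a stray space before the semicolon; write it `allow slapd_t self:process { setsched signal };` like the surrounding rules.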
@@ -46665,64 +46665,64 @@ index 4c2b1110e..1c922b340 100644 manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t) files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) +allow slapd_t slapd_var_run_t:file map; - + kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) - + -corenet_all_recvfrom_unlabeled(slapd_t) corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) corenet_tcp_sendrecv_generic_node(slapd_t) @@ -115,25 +119,27 @@ fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) - + files_read_etc_runtime_files(slapd_t) -files_read_usr_files(slapd_t) files_list_var_lib(slapd_t) - + auth_use_nsswitch(slapd_t) +auth_rw_cache(slapd_t) - + logging_send_syslog_msg(slapd_t) - + miscfiles_read_generic_certs(slapd_t) -miscfiles_read_localization(slapd_t) +miscfiles_map_generic_certs(slapd_t) - + userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_user_home_dirs(slapd_t) - + +usermanage_read_crack_db(slapd_t) + optional_policy(` - kerberos_manage_host_rcache(slapd_t) - kerberos_read_keytab(slapd_t) + kerberos_manage_host_rcache(slapd_t) + kerberos_read_keytab(slapd_t) - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0") - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487") - kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55") + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487") + kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55") - kerberos_use(slapd_t) + kerberos_use(slapd_t) ') - + diff --git a/lightsquid.fc b/lightsquid.fc index 044390c6e..63e205863 100644 --- a/lightsquid.fc +++ b/lightsquid.fc 
@@ -1,11 +1,11 @@ /etc/cron\.daily/lightsquid -- gen_context(system_u:object_r:lightsquid_exec_t,s0) - + -/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:httpd_lightsquid_content_t,s0) -/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0) +/usr/lib/cgi-bin/lightsquid/.*\.cfg -- gen_context(system_u:object_r:lightsquid_content_t,s0) +/usr/lib/cgi-bin/lightsquid/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0) - + -/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:httpd_lightsquid_script_exec_t,s0) +/usr/share/lightsquid/cgi/.*\.cgi -- gen_context(system_u:object_r:lightsquid_script_exec_t,s0) - + /var/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0) - + -/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:httpd_lightsquid_content_t,s0) -/var/www/html/lightsquid/report(/.*)? gen_context(system_u:object_r:lightsquid_rw_content_t,s0) +/var/www/html/lightsquid(/.*)? gen_context(system_u:object_r:lightsquid_content_t,s0) @@ -46732,9 +46732,9 @@ index 33a28b9ad..33ffe2484 100644 --- a/lightsquid.if +++ b/lightsquid.if @@ -76,5 +76,7 @@ interface(`lightsquid_admin',` - files_search_var_lib($1) - admin_pattern($1, lightsquid_rw_content_t) - + files_search_var_lib($1) + admin_pattern($1, lightsquid_rw_content_t) + - apache_list_sys_content($1) + optional_policy(` + apache_list_sys_content($1) @@ -46747,17 +46747,17 @@ index 09c4f27ba..6c7855e4e 100644 
@@ -13,38 +13,34 @@ type lightsquid_exec_t; application_domain(lightsquid_t, lightsquid_exec_t) role lightsquid_roles types lightsquid_t; - + -type lightsquid_rw_content_t; -files_type(lightsquid_rw_content_t) +type lightsquid_report_content_t; +files_type(lightsquid_report_content_t) - + ######################################## # # Local policy # - + -manage_dirs_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -manage_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) -manage_lnk_files_pattern(lightsquid_t, lightsquid_rw_content_t, lightsquid_rw_content_t) @@ -46766,12 +46766,12 @@ index 09c4f27ba..6c7855e4e 100644 +manage_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t) +manage_lnk_files_pattern(lightsquid_t, lightsquid_report_content_t, lightsquid_report_content_t) +files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir) - + corecmd_exec_bin(lightsquid_t) corecmd_exec_shell(lightsquid_t) - + dev_read_urand(lightsquid_t) - + -files_read_etc_files(lightsquid_t) -files_read_usr_files(lightsquid_t) - @@ -46779,11 +46779,11 @@ index 09c4f27ba..6c7855e4e 100644 - squid_read_config(lightsquid_t) squid_read_log(lightsquid_t) - + optional_policy(` - apache_content_template(lightsquid) + apache_content_template(lightsquid) + apache_content_alias_template(lightsquid, lightsquid) - + - list_dirs_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) - read_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) - read_lnk_files_pattern(httpd_lightsquid_script_t, lightsquid_rw_content_t, lightsquid_rw_content_t) @@ -46791,7 +46791,7 @@ index 09c4f27ba..6c7855e4e 100644 + read_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t) + read_lnk_files_pattern(lightsquid_script_t, lightsquid_report_content_t, lightsquid_report_content_t) ') - + optional_policy(` 
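Review bot: `files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir)` carries no filename, so every directory lightsquid_t creates directly under /var gets lightsquid_report_content_t, while the lightsquid.fc hunk above still labels `/var/lightsquid(/.*)?` as lightsquid_rw_content_t and lightsquid_admin still runs `admin_pattern($1, lightsquid_rw_content_t)`. Unless an fc entry hidden by the outer hunk boundary relabels that tree, a directory the daemon creates and one restored by restorecon end up with different types, and the daemon's manage rules, which now name only lightsquid_report_content_t, will not cover the fc-labelled one. Either make the transition specific, `files_var_filetrans(lightsquid_t, lightsquid_report_content_t, dir, "lightsquid")`, with a matching fc line, or keep the .fc, .if and .te on the same type.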
diff --git a/likewise.if b/likewise.if index bd20e8cc9..3393a01e6 100644 @@ -46806,7 +46806,7 @@ index bd20e8cc9..3393a01e6 100644 +## users with their domain credentials. +##

    +## - + ####################################### ## ## The template to define a likewise domain. @@ -46825,48 +46825,48 @@ index bd20e8cc9..3393a01e6 100644 # template(`likewise_domain_template',` + - gen_require(` - attribute likewise_domains; - type likewise_var_lib_t; + gen_require(` + attribute likewise_domains; + type likewise_var_lib_t; @@ -24,6 +38,7 @@ template(`likewise_domain_template',` - type $1_t; - type $1_exec_t; - init_daemon_domain($1_t, $1_exec_t) + type $1_t; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + domain_use_interactive_fds($1_t) - - typeattribute $1_t likewise_domains; - + + typeattribute $1_t likewise_domains; + @@ -38,15 +53,18 @@ template(`likewise_domain_template',` - - #################################### - # + + #################################### + # - # Policy + # Local Policy - # - - allow $1_t self:process { signal_perms getsched setsched }; - allow $1_t self:fifo_file rw_fifo_file_perms; + # + + allow $1_t self:process { signal_perms getsched setsched }; + allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_stream_socket { accept listen }; + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; - + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:udp_socket create_socket_perms; + + allow $1_t likewise_var_lib_t:dir setattr_dir_perms; + - manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, file) - + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, file) + 
@@ -55,12 +73,15 @@ template(`likewise_domain_template',` - - manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) - filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) + + manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t) + filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file) + + kernel_read_system_state($1_t) + + logging_send_syslog_msg($1_t) ') - + ######################################## ## -## Connect to lsassd with a unix domain @@ -46876,8 +46876,8 @@ index bd20e8cc9..3393a01e6 100644 ## ## @@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',` - files_search_pids($1) - stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) + files_search_pids($1) + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t) ') - -######################################## @@ -46941,27 +46941,27 @@ index d8c2442a8..f5dff3173 100644 +++ b/likewise.te @@ -26,7 +26,7 @@ type likewise_var_lib_t; files_type(likewise_var_lib_t) - + type likewise_pstore_lock_t; -files_type(likewise_pstore_lock_t) +files_lock_file(likewise_pstore_lock_t) - + type likewise_krb5_ad_t; files_type(likewise_krb5_ad_t) @@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t) - + allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms; - + -kernel_read_system_state(likewise_domains) - dev_read_rand(likewise_domains) dev_read_urand(likewise_domains) - + domain_use_interactive_fds(likewise_domains) - + -files_read_etc_files(likewise_domains) files_search_var_lib(likewise_domains) - + -logging_send_syslog_msg(likewise_domains) - -miscfiles_read_localization(likewise_domains) @@ -46972,41 +46972,41 @@ index d8c2442a8..f5dff3173 100644 
@@ -102,7 +95,7 @@ corenet_tcp_sendrecv_epmap_port(eventlogd_t) # lsassd local policy # - + -allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time }; +allow lsassd_t self:capability { fowner chown fsetid dac_read_search dac_override sys_time }; allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; - + @@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t) corecmd_exec_shell(lsassd_t) - + corenet_all_recvfrom_netlabel(lsassd_t) -corenet_all_recvfrom_unlabeled(lsassd_t) corenet_tcp_sendrecv_generic_if(lsassd_t) corenet_tcp_sendrecv_generic_node(lsassd_t) - + @@ -165,7 +157,7 @@ optional_policy(` # lwiod local policy # - + -allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource }; +allow lwiod_t self:capability { fowner chown fsetid dac_read_search dac_override sys_resource }; allow lwiod_t self:process setrlimit; allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; - + @@ -221,7 +213,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_ # netlogond local policy # - + -allow netlogond_t self:capability dac_override; +allow netlogond_t self:capability { dac_read_search dac_override }; - + manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) - + @@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) - + corenet_all_recvfrom_netlabel(srvsvcd_t) -corenet_all_recvfrom_unlabeled(srvsvcd_t) corenet_sendrecv_generic_server_packets(srvsvcd_t) @@ -47376,47 +47376,47 @@ index dff21a7c4..b6981c846 100644 --- a/lircd.if +++ b/lircd.if 
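Review bot: The capability sets for lsassd_t, lwiod_t and netlogond_t in the likewise.te hunk now list dac_read_search alongside dac_override, and the second subsumes the first: dac_override already bypasses read and search checks as well as write checks, so the pair grants nothing beyond dac_override alone. If these daemons only need to read or traverse files owned by other users, dac_read_search on its own is the least-privilege choice and dac_override should be dropped; if they also write such files, a comment such as `# dac_override: also needs write access to files it does not own` beside each rule would record why. The lircd.te hunk further down adds the same pair to lircd_t.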
@@ -81,8 +81,11 @@ interface(`lircd_admin',` - type lircd_initrc_exec_t, lircd_etc_t; - ') - + type lircd_initrc_exec_t, lircd_etc_t; + ') + - allow $1 lircd_t:process { ptrace signal_perms }; + allow $1 lircd_t:process signal_perms; - ps_process_pattern($1, lircd_t) + ps_process_pattern($1, lircd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 lircd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, lircd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, lircd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te index 483c87bb6..f9d2e10b1 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; init_script_file(lircd_initrc_exec_t) - + type lircd_etc_t; -files_type(lircd_etc_t) +files_config_file(lircd_etc_t) - + type lircd_var_run_t alias lircd_sock_t; files_pid_file(lircd_var_run_t) @@ -23,10 +23,11 @@ files_pid_file(lircd_var_run_t) # Local policy # - + -allow lircd_t self:capability { chown kill sys_admin }; +allow lircd_t self:capability { chown kill setgid setuid sys_admin dac_read_search dac_override }; allow lircd_t self:process signal; allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:tcp_socket { accept listen }; +allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms; - + read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) - + @@ -38,6 +39,12 @@ files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) dev_filetrans(lircd_t, lircd_var_run_t, sock_file) - + kernel_request_load_module(lircd_t) +kernel_read_system_state(lircd_t) + @@ -47424,19 +47424,19 @@ index 483c87bb6..f9d2e10b1 100644 + +corecmd_exec_shell(lircd_t) +corecmd_exec_bin(lircd_t) - + corenet_all_recvfrom_unlabeled(lircd_t) corenet_all_recvfrom_netlabel(lircd_t) 
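Review bot: `allow lircd_t self:capability { chown kill setgid setuid sys_admin dac_read_search dac_override };` in the lircd.te hunk gives the daemon setuid and setgid on top of its previous chown/kill/sys_admin, and the next hunk adds `corecmd_exec_shell(lircd_t)` and `corecmd_exec_bin(lircd_t)`; together these let lircd change identity and run arbitrary system binaries, with no comment on which lircd feature requires them. A why-comment above the capability rule, e.g. `# setuid/setgid: lircd drops to its service user after start` if that is the reason, and one above the corecmd lines naming the helper it executes, would let a later reviewer confirm the grants are still needed. The lircd_t local-policy block continues past the end of this hunk.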
@@ -64,9 +71,14 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) - + term_use_ptmx(lircd_t) +term_use_usb_ttys(lircd_t) +term_use_unallocated_ttys(lircd_t) - + +auth_use_nsswitch(lircd_t) logging_send_syslog_msg(lircd_t) - + -miscfiles_read_localization(lircd_t) - sysnet_dns_name_resolve(lircd_t) @@ -47451,14 +47451,14 @@ index e3541811a..fc614bac2 100644 @@ -38,11 +38,36 @@ interface(`livecd_domtrans',` # interface(`livecd_run',` - gen_require(` + gen_require(` + type livecd_t; + type livecd_exec_t; - attribute_role livecd_roles; - ') - - livecd_domtrans($1) - roleattribute $2 livecd_roles; + attribute_role livecd_roles; + ') + + livecd_domtrans($1) + roleattribute $2 livecd_roles; + role_transition $2 livecd_exec_t system_r; + + optional_policy(` @@ -47483,7 +47483,7 @@ index e3541811a..fc614bac2 100644 + + dontaudit $1 livecd_t:unix_dgram_socket { read write }; ') - + ######################################## diff --git a/livecd.te b/livecd.te index 2f974bf83..f6e97faaf 100644 @@ -47492,32 +47492,32 @@ index 2f974bf83..f6e97faaf 100644 @@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t) # Local policy # - + -dontaudit livecd_t self:capability2 mac_admin; +allow livecd_t self:capability2 mac_admin; - + -domain_ptrace_all_domains(livecd_t) +tunable_policy(`deny_ptrace',`',` + domain_ptrace_all_domains(livecd_t) +') - + manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) @@ -35,12 +37,13 @@ sysnet_etc_filetrans_config(livecd_t) optional_policy(` - hal_dbus_chat(livecd_t) + hal_dbus_chat(livecd_t) ') + optional_policy(` - mount_run(livecd_t, livecd_roles) + mount_run(livecd_t, livecd_roles) ') - + optional_policy(` - rpm_domtrans(livecd_t) + seutil_run_setfiles_mac(livecd_t, livecd_roles) ') - + optional_policy(` diff --git a/lldpad.fc b/lldpad.fc index 8031a78eb..72e56acc3 100644 @@ -47525,7 +47525,7 @@ index 8031a78eb..72e56acc3 100644 +++ b/lldpad.fc 
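Review bot: `allow livecd_t self:capability2 mac_admin;` in the livecd.te hunk turns a dontaudit into an unconditional grant, and mac_admin lets the domain write security contexts that the running policy does not define — presumably so the image tree can be labelled for a different policy, which is also what `seutil_run_setfiles_mac(livecd_t, livecd_roles)` in the same hunk points to, but the hunk does not say so. A comment such as `# mac_admin: label the image with contexts unknown to the host policy` above the rule would document the intent, and it is worth confirming setfiles is the only consumer of the capability.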
@@ -5,3 +5,5 @@ /var/lib/lldpad(/.*)? gen_context(system_u:object_r:lldpad_var_lib_t,s0) - + /var/run/lldpad.* gen_context(system_u:object_r:lldpad_var_run_t,s0) + +/dev/shm/lldpad.* -- gen_context(system_u:object_r:lldpad_tmpfs_t,s0) @@ -47535,7 +47535,7 @@ index d18c96023..fb5b67416 100644 +++ b/lldpad.if @@ -1,5 +1,24 @@ ## Intel LLDP Agent. - + +####################################### +## +## Transition to lldpad. @@ -47559,20 +47559,20 @@ index d18c96023..fb5b67416 100644 ## ## Send to lldpad with a unix dgram socket. @@ -42,9 +61,13 @@ interface(`lldpad_admin',` - type lldpad_var_run_t; - ') - + type lldpad_var_run_t; + ') + - allow $1 lldpad_t:process { ptrace signal_perms }; + allow $1 lldpad_t:process { signal_perms }; - ps_process_pattern($1, lldpad_t) - + ps_process_pattern($1, lldpad_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 lldpad_t:process ptrace; + ') + - init_labeled_script_domtrans($1, lldpad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 lldpad_initrc_exec_t system_r; + init_labeled_script_domtrans($1, lldpad_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 lldpad_initrc_exec_t system_r; diff --git a/lldpad.te b/lldpad.te index 2a491d96c..d909b408c 100644 --- a/lldpad.te @@ -47580,34 +47580,34 @@ index 2a491d96c..d909b408c 100644 @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) # Local policy # - + -allow lldpad_t self:capability { net_admin net_raw }; +allow lldpad_t self:capability { net_admin net_raw sys_resource }; allow lldpad_t self:shm create_shm_perms; allow lldpad_t self:fifo_file rw_fifo_file_perms; allow lldpad_t self:unix_stream_socket { accept listen }; 
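Review bot: `allow $1 lldpad_t:process { signal_perms };` in the lldpad_admin hunk wraps a single permission set in braces, while the parallel l2tpd_admin, ldap_admin and lircd_admin rewrites in this patch write the bare form `allow $1 lircd_t:process signal_perms;`; the braces are harmless but make the admin interfaces inconsistent. Writing `allow $1 lldpad_t:process signal_perms;` keeps the deny_ptrace pattern identical across them.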
@@ -36,6 +36,7 @@ allow lldpad_t self:udp_socket create_socket_perms; - + manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t) fs_tmpfs_filetrans(lldpad_t, lldpad_tmpfs_t, file) +allow lldpad_t lldpad_tmpfs_t:file map; - + manage_dirs_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t) manage_files_pattern(lldpad_t, lldpad_var_lib_t, lldpad_var_lib_t) @@ -51,12 +52,20 @@ kernel_request_load_module(lldpad_t) - + dev_read_sysfs(lldpad_t) - + -files_read_etc_files(lldpad_t) +fs_getattr_tmpfs(lldpad_t) - + logging_send_syslog_msg(lldpad_t) - + -miscfiles_read_localization(lldpad_t) +userdom_dgram_send(lldpad_t) - + optional_policy(` - fcoe_dgram_send_fcoemon(lldpad_t) + fcoe_dgram_send_fcoemon(lldpad_t) ') + +optional_policy(` @@ -47624,30 +47624,30 @@ index d2f464375..ecbfa88ff 100644 @@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t) corecmd_exec_bin(loadkeys_t) corecmd_exec_shell(loadkeys_t) - + -files_read_etc_files(loadkeys_t) files_read_etc_runtime_files(loadkeys_t) - + term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t) - + +auth_read_passwd(loadkeys_t) + init_dontaudit_use_fds(loadkeys_t) init_dontaudit_use_script_ptys(loadkeys_t) - + locallogin_use_fds(loadkeys_t) - + -miscfiles_read_localization(loadkeys_t) - -userdom_use_user_ttys(loadkeys_t) +userdom_use_inherited_user_ttys(loadkeys_t) userdom_list_user_home_content(loadkeys_t) - + ifdef(`hide_broken_symptoms',` @@ -52,3 +51,8 @@ optional_policy(` optional_policy(` - nscd_dontaudit_search_pid(loadkeys_t) + nscd_dontaudit_search_pid(loadkeys_t) ') + +optional_policy(` @@ -47660,7 +47660,7 @@ index 4313b8bc0..cd1435cdf 100644 +++ b/lockdev.if @@ -1,5 +1,25 @@ ## Library for locking devices. - + +####################################### +## +## Create, read, write, and delete @@ -47689,9 +47689,9 @@ index 61db5a0a7..9d5d25524 100644 --- a/lockdev.te +++ b/lockdev.te 
@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t) - + logging_send_syslog_msg(lockdev_t) - + -userdom_use_user_terminals(lockdev_t) +userdom_use_inherited_user_terminals(lockdev_t) + @@ -47702,9 +47702,9 @@ index a11d5be99..dc14626a9 100644 @@ -1,6 +1,7 @@ -/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) +/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) - + /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) - + /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) -/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +/var/lib/logrotate\.status.* -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) @@ -47716,11 +47716,11 @@ index dd8e01af3..9cd6b0b8e 100644 @@ -1,4 +1,4 @@ -## Rotates, compresses, removes and mails system log files. +## Rotate and archive system logs - + ######################################## ## @@ -21,9 +21,8 @@ interface(`logrotate_domtrans',` - + ######################################## ## -## Execute logrotate in the logrotate @@ -47734,19 +47734,19 @@ index dd8e01af3..9cd6b0b8e 100644 @@ -39,11 +38,11 @@ interface(`logrotate_domtrans',` # interface(`logrotate_run',` - gen_require(` + gen_require(` - attribute_role logrotate_roles; + type logrotate_t; - ') - - logrotate_domtrans($1) + ') + + logrotate_domtrans($1) - roleattribute $2 logrotate_roles; + role $2 types logrotate_t; ') - + ######################################## @@ -85,8 +84,7 @@ interface(`logrotate_use_fds',` - + ######################################## ## -## Do not audit attempts to inherit @@ -47756,7 +47756,7 @@ index dd8e01af3..9cd6b0b8e 100644 ## ## @@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',` - + ######################################## ## -## Read logrotate temporary files. @@ -47771,7 +47771,7 @@ index be0ab84b3..91cf286d5 100644 
@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0) # Declarations # - + -attribute_role logrotate_roles; -roleattribute system_r logrotate_roles; +gen_require(` @@ -47787,12 +47787,12 @@ index be0ab84b3..91cf286d5 100644 + +## +##

    -+## Allow logrotate to read logs inside ++## Allow logrotate to read logs inside +##

    +##
    +gen_tunable(logrotate_read_inside_containers, false) + - + type logrotate_t; -type logrotate_exec_t; domain_type(logrotate_t) @@ -47803,13 +47803,13 @@ index be0ab84b3..91cf286d5 100644 +type logrotate_exec_t; domain_entry_file(logrotate_t, logrotate_exec_t) -role logrotate_roles types logrotate_t; - + type logrotate_lock_t; files_lock_file(logrotate_lock_t) @@ -25,21 +42,30 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) - + -mta_base_mail_template(logrotate) -role system_r types logrotate_mail_t; - @@ -47817,7 +47817,7 @@ index be0ab84b3..91cf286d5 100644 # # Local policy # - + -allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; -allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; +# Change ownership on log files. @@ -47846,24 +47846,24 @@ index be0ab84b3..91cf286d5 100644 @@ -48,36 +74,53 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) - + +can_exec(logrotate_t, logrotate_tmp_t) + manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t) files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) - + +# for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) - + -can_exec(logrotate_t, logrotate_tmp_t) - kernel_read_system_state(logrotate_t) kernel_read_kernel_sysctls(logrotate_t) - + +dev_read_urand(logrotate_t) +dev_read_sysfs(logrotate_t) +dev_write_kmsg(logrotate_t) 
@@ -47884,7 +47884,7 @@ index be0ab84b3..91cf286d5 100644 corecmd_exec_bin(logrotate_t) corecmd_exec_shell(logrotate_t) corecmd_getattr_all_executables(logrotate_t) - + -dev_read_urand(logrotate_t) - domain_signal_all_domains(logrotate_t) @@ -47892,7 +47892,7 @@ index be0ab84b3..91cf286d5 100644 domain_getattr_all_entry_files(logrotate_t) +# Read /proc/PID directories for all domains. domain_read_all_domains_state(logrotate_t) - + -files_read_usr_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) @@ -47905,23 +47905,23 @@ index be0ab84b3..91cf286d5 100644 @@ -95,32 +138,58 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) - + +application_exec_all(logrotate_t) + +auth_domtrans_chk_passwd(logrotate_t) auth_manage_login_records(logrotate_t) auth_use_nsswitch(logrotate_t) - + init_all_labeled_script_domtrans(logrotate_t) +init_reload_services(logrotate_t) +init_reload_transient_unit(logrotate_t) - + logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) logging_send_audit_msgs(logrotate_t) +# cjp: why is this needed? logging_exec_all_logs(logrotate_t) - + -miscfiles_read_localization(logrotate_t) +systemd_exec_systemctl(logrotate_t) +systemd_getattr_unit_files(logrotate_t) 
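Review bot: `auth_domtrans_chk_passwd(logrotate_t)` and `application_exec_all(logrotate_t)` in the logrotate.te hunk are broad grants — the first lets logrotate transition into the password-checking helper domain, the second lets it execute every application entry point — and neither carries the kind of why-comment the hunk gives its other new rules (`# Read /proc/PID directories for all domains.`). If they exist for a particular postrotate script, a comment naming it above each rule, e.g. `# postrotate scripts invoke arbitrary system binaries`, would keep the grant reviewable; otherwise `application_exec_all` in particular should be narrowed to the per-service `*_domtrans` rules the file's optional_policy blocks already use.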
@@ -47934,106 +47934,106 @@ index be0ab84b3..91cf286d5 100644 +init_reload_transient_unit(logrotate_t) + +miscfiles_read_hwdata(logrotate_t) - + -seutil_dontaudit_read_config(logrotate_t) +term_dontaudit_use_unallocated_ttys(logrotate_t) - + -userdom_use_user_terminals(logrotate_t) +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) +userdom_list_admin_dir(logrotate_t) +userdom_dontaudit_getattr_user_home_content(logrotate_t) - + -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) +tunable_policy(`logrotate_use_nfs',` + fs_manage_nfs_files(logrotate_t) + fs_manage_nfs_dirs(logrotate_t) + fs_manage_nfs_symlinks(logrotate_t) +') - + -ifdef(`distro_debian',` +ifdef(`distro_debian', ` - allow logrotate_t logrotate_tmp_t:file relabel_file_perms; + allow logrotate_t logrotate_tmp_t:file relabel_file_perms; + # for savelog - can_exec(logrotate_t, logrotate_exec_t) - + can_exec(logrotate_t, logrotate_exec_t) + - logging_check_exec_syslog(logrotate_t) + # for syslogd-listfiles - logging_read_syslog_config(logrotate_t) + logging_read_syslog_config(logrotate_t) + + # for "test -x /sbin/syslogd" + logging_check_exec_syslog(logrotate_t) ') - + optional_policy(` @@ -135,16 +204,17 @@ optional_policy(` - + optional_policy(` - apache_read_config(logrotate_t) + apache_read_config(logrotate_t) + apache_read_sys_content_rw_dirs(logrotate_t) - apache_domtrans(logrotate_t) - apache_signull(logrotate_t) + apache_domtrans(logrotate_t) + apache_signull(logrotate_t) ') - + optional_policy(` - asterisk_domtrans(logrotate_t) + awstats_domtrans(logrotate_t) ') - + optional_policy(` - awstats_domtrans(logrotate_t) + asterisk_domtrans(logrotate_t) ') - + optional_policy(` 
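Review bot: `init_reload_transient_unit(logrotate_t)` at the top of this hunk repeats the rule added in the previous hunk right after `init_reload_services(logrotate_t)`, so the new logrotate.te states it twice; drop one of them. Keeping the single copy next to `init_reload_services` also keeps the init_* calls grouped as elsewhere in the file.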
@@ -170,6 +240,11 @@ optional_policy(` ') - + optional_policy(` + dbus_system_bus_client(logrotate_t) +') + +optional_policy(` + fail2ban_domtrans_client(logrotate_t) - fail2ban_stream_connect(logrotate_t) + fail2ban_stream_connect(logrotate_t) ') - + @@ -178,7 +253,8 @@ optional_policy(` ') - + optional_policy(` - chronyd_read_key_files(logrotate_t) + chronyd_domtrans_chronyc(logrotate_t) + chronyd_read_keys(logrotate_t) ') - + optional_policy(` @@ -198,23 +274,32 @@ optional_policy(` ') - + optional_policy(` + mysql_read_home_content(logrotate_t) - mysql_read_config(logrotate_t) + mysql_read_config(logrotate_t) + mysql_search_db(logrotate_t) - mysql_stream_connect(logrotate_t) + mysql_stream_connect(logrotate_t) ') - + optional_policy(` - openvswitch_read_pid_files(logrotate_t) - openvswitch_domtrans(logrotate_t) + polipo_named_filetrans_log_files(logrotate_t) ') - + optional_policy(` - polipo_log_filetrans_log(logrotate_t, file, "polipo") + prosody_stream_connect(logrotate_t) ') - + optional_policy(` - psad_domtrans(logrotate_t) + psad_domtrans(logrotate_t) ') - + +optional_policy(` + rabbitmq_domtrans(logrotate_t) +') @@ -48043,12 +48043,12 @@ index be0ab84b3..91cf286d5 100644 +') + optional_policy(` - samba_exec_log(logrotate_t) + samba_exec_log(logrotate_t) ') @@ -227,27 +312,51 @@ optional_policy(` - slrnpull_manage_spool(logrotate_t) + slrnpull_manage_spool(logrotate_t) ') - + +optional_policy(` + openshift_manage_lib_files(logrotate_t) +') @@ -48059,23 +48059,23 @@ index be0ab84b3..91cf286d5 100644 +') + optional_policy(` - squid_domtrans(logrotate_t) + squid_domtrans(logrotate_t) + squid_read_config(logrotate_t) ') - + optional_policy(` + #Red Hat bug 564565 - su_exec(logrotate_t) + su_exec(logrotate_t) ') - + +optional_policy(` + rpm_read_cache(logrotate_t) +') + optional_policy(` - varnishd_manage_log(logrotate_t) + varnishd_manage_log(logrotate_t) ') - + +optional_policy(` + virt_manage_cache(logrotate_t) +') 
@@ -48092,7 +48092,7 @@ index be0ab84b3..91cf286d5 100644 -# Mail local policy +# logrotate_mail local policy # - + -allow logrotate_mail_t logrotate_t:fd use; -allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms; -allow logrotate_mail_t logrotate_t:process sigchld; @@ -48109,8 +48109,8 @@ index 06c3d36ca..37e71b3d7 100644 --- a/logwatch.if +++ b/logwatch.if @@ -37,3 +37,42 @@ interface(`logwatch_search_cache_dir',` - files_search_var($1) - allow $1 logwatch_cache_t:dir search_dir_perms; + files_search_var($1) + allow $1 logwatch_cache_t:dir search_dir_perms; ') + +####################################### @@ -48156,29 +48156,29 @@ index ab650340c..6d6816bb6 100644 --- a/logwatch.te +++ b/logwatch.te @@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false) - + type logwatch_t; type logwatch_exec_t; -init_system_domain(logwatch_t, logwatch_exec_t) +init_daemon_domain(logwatch_t, logwatch_exec_t) +application_domain(logwatch_t, logwatch_exec_t) - + type logwatch_cache_t; files_type(logwatch_cache_t) @@ -45,7 +46,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) - + -allow logwatch_t logwatch_lock_t:file manage_file_perms; +manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) +manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t) files_lock_filetrans(logwatch_t, logwatch_lock_t, file) - + manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) @@ -61,6 +63,11 @@ kernel_read_system_state(logwatch_t) kernel_read_net_sysctls(logwatch_t) kernel_read_network_state(logwatch_t) - + +corenet_all_recvfrom_unlabeled(logwatch_t) +corenet_all_recvfrom_netlabel(logwatch_t) +corenet_tcp_sendrecv_generic_if(logwatch_t) @@ -48186,49 +48186,49 @@ index ab650340c..6d6816bb6 100644 + corecmd_exec_bin(logwatch_t) corecmd_exec_shell(logwatch_t) - + 
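Review bot: `corenet_all_recvfrom_unlabeled(logwatch_t)`, `corenet_all_recvfrom_netlabel(logwatch_t)` and `corenet_tcp_sendrecv_generic_if(logwatch_t)` are now granted unconditionally in logwatch.te, while the previous policy only granted them inside `tunable_policy(\`logwatch_can_network_connect_mail', ...)`, from which the next hunk (`@@ -48186`) removes them. The SMTP port rules still stay behind the boolean, so the added exposure is limited to generic interface/node traffic, but the default-off boolean no longer fully describes logwatch's network permissions. A short comment above the moved calls, e.g. `# generic if/node rules apply regardless of logwatch_can_network_connect_mail`, would record that this widening is intended. The enclosing logwatch.te section continues past this hunk, so I cannot see whether the generic_node rule was moved as well.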
@@ -75,10 +82,11 @@ files_list_var(logwatch_t) files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) files_read_etc_runtime_files(logwatch_t) -files_read_usr_files(logwatch_t) +files_read_system_conf_files(logwatch_t) - + fs_getattr_all_dirs(logwatch_t) fs_getattr_all_fs(logwatch_t) +fs_getattr_all_dirs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) - + @@ -100,23 +108,16 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) - logging_send_syslog_msg(logwatch_t) - + logging_send_syslog_msg(logwatch_t) + -miscfiles_read_localization(logwatch_t) +miscfiles_read_hwdata(logwatch_t) - + selinux_dontaudit_getattr_dir(logwatch_t) - + sysnet_exec_ifconfig(logwatch_t) - + -userdom_dontaudit_search_user_home_dirs(logwatch_t) - mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) - + tunable_policy(`logwatch_can_network_connect_mail',` - corenet_all_recvfrom_unlabeled(logwatch_t) - corenet_all_recvfrom_netlabel(logwatch_t) - corenet_tcp_sendrecv_generic_if(logwatch_t) - corenet_tcp_sendrecv_generic_node(logwatch_t) - - corenet_sendrecv_smtp_client_packets(logwatch_t) - corenet_tcp_connect_smtp_port(logwatch_t) - corenet_tcp_sendrecv_smtp_port(logwatch_t) + corenet_sendrecv_smtp_client_packets(logwatch_t) + corenet_tcp_connect_smtp_port(logwatch_t) + corenet_tcp_sendrecv_smtp_port(logwatch_t) @@ -159,6 +160,16 @@ optional_policy(` - ntp_domtrans(logwatch_t) + ntp_domtrans(logwatch_t) ') - + +optional_policy(` + postfix_domtrans_postqueue(logwatch_t) +') @@ -48240,18 +48240,18 @@ index ab650340c..6d6816bb6 100644 +') + optional_policy(` - rpc_search_nfs_state_data(logwatch_t) + rpc_search_nfs_state_data(logwatch_t) ') 
@@ -187,6 +198,19 @@ dev_read_sysfs(logwatch_mail_t) - + logging_read_all_logs(logwatch_mail_t) - + +mta_read_home(logwatch_mail_t) +mta_filetrans_home_content(logwatch_mail_t) +mta_filetrans_admin_home_content(logwatch_mail_t) + optional_policy(` - cron_use_system_job_fds(logwatch_mail_t) + cron_use_system_job_fds(logwatch_mail_t) ') + +optional_policy(` @@ -48269,10 +48269,10 @@ index 2fb9b2ec2..08974e376 100644 @@ -19,6 +19,7 @@ /usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0) - + +/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) /usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0) - + /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) diff --git a/lpd.if b/lpd.if index 62563717b..ce2acb881 100644 @@ -48281,7 +48281,7 @@ index 62563717b..ce2acb881 100644 @@ -1,44 +1,49 @@ -## Line printer daemon. +## Line printer daemon - + ######################################## ## -## Role access for lpd. @@ -48302,23 +48302,23 @@ index 62563717b..ce2acb881 100644 +## # interface(`lpd_role',` - gen_require(` - attribute_role lpr_roles; + gen_require(` + attribute_role lpr_roles; - type lpr_t, lpr_exec_t; + type lpr_t, lpr_exec_t, print_spool_t; - ') - + ') + - ######################################## - # - # Declarations - # + ######################################## -+ # ++ # + # Declarations -+ # - - roleattribute $1 lpr_roles; - ++ # + + roleattribute $1 lpr_roles; + - ######################################## - # - # Policy 
@@ -48326,31 +48326,31 @@ index 62563717b..ce2acb881 100644 + ######################################## + # + # Policy -+ # - ++ # + + # Transition from the user domain to the derived domain. - domtrans_pattern($2, lpr_exec_t, lpr_t) + domtrans_pattern($2, lpr_exec_t, lpr_t) + dontaudit lpr_t $2:unix_stream_socket { read write }; - + - allow $2 lpr_t:process { ptrace signal_perms }; - ps_process_pattern($2, lpr_t) + ps_process_pattern($2, lpr_t) + allow $2 lpr_t:process signal_perms; - + - dontaudit lpr_t $2:unix_stream_socket { read write }; + tunable_policy(`deny_ptrace',`',` + allow $2 lpr_t:process ptrace; + ') - - optional_policy(` - cups_read_config($2) + + optional_policy(` + cups_read_config($2) @@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',` - type checkpc_t, checkpc_exec_t; - ') - + type checkpc_t, checkpc_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, checkpc_exec_t, checkpc_t) + domtrans_pattern($1, checkpc_exec_t, checkpc_t) ') - + ######################################## ## -## Execute amrecover in the lpd @@ -48364,16 +48364,16 @@ index 62563717b..ce2acb881 100644 @@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',` # interface(`lpd_run_checkpc',` - gen_require(` + gen_require(` - attribute_role checkpc_roles; + type checkpc_t; - ') - - lpd_domtrans_checkpc($1) + ') + + lpd_domtrans_checkpc($1) - roleattribute $2 checkpc_roles; + role $2 types checkpc_t; ') - + ######################################## ## -## List printer spool directories. @@ -48382,7 +48382,7 @@ index 62563717b..ce2acb881 100644 ## ## @@ -112,7 +115,7 @@ interface(`lpd_list_spool',` - + ######################################## ## -## Read printer spool files. @@ -48391,7 +48391,7 @@ index 62563717b..ce2acb881 100644 ## ## @@ -131,8 +134,7 @@ interface(`lpd_read_spool',` - + ######################################## ## -## Create, read, write, and delete @@ -48401,12 +48401,12 @@ index 62563717b..ce2acb881 100644 ## ## 
@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',` - manage_dirs_pattern($1, print_spool_t, print_spool_t) - manage_files_pattern($1, print_spool_t, print_spool_t) - manage_lnk_files_pattern($1, print_spool_t, print_spool_t) + manage_dirs_pattern($1, print_spool_t, print_spool_t) + manage_files_pattern($1, print_spool_t, print_spool_t) + manage_lnk_files_pattern($1, print_spool_t, print_spool_t) + manage_fifo_files_pattern($1, print_spool_t, print_spool_t) ') - + ######################################## ## -## Relabel spool files. @@ -48415,7 +48415,7 @@ index 62563717b..ce2acb881 100644 ## ## @@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',` - + ######################################## ## -## Read printer configuration files. @@ -48429,16 +48429,16 @@ index 62563717b..ce2acb881 100644 # -template(`lpd_domtrans_lpr',` +interface(`lpd_domtrans_lpr',` - gen_require(` - type lpr_t, lpr_exec_t; - ') - + gen_require(` + type lpr_t, lpr_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, lpr_exec_t, lpr_t) + domtrans_pattern($1, lpr_exec_t, lpr_t) ') - + @@ -237,7 +239,8 @@ interface(`lpd_run_lpr',` - + ######################################## ## -## Execute lpr in the caller domain. @@ -48448,11 +48448,11 @@ index 62563717b..ce2acb881 100644 ## ## @@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',` - type lpr_exec_t; - ') - + type lpr_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, lpr_exec_t) + can_exec($1, lpr_exec_t) ') diff --git a/lpd.te b/lpd.te index 39d31640e..1ec2cd26e 100644 @@ -48465,53 +48465,53 @@ index 39d31640e..1ec2cd26e 100644 -files_type(print_spool_t) +files_spool_file(print_spool_t) ubac_constrained(print_spool_t) - + type printer_t; 
@@ -62,7 +62,7 @@ files_config_file(printconf_t) # Checkpc local policy # - + -allow checkpc_t self:capability { setgid setuid dac_override }; +allow checkpc_t self:capability { setgid setuid dac_read_search dac_override }; allow checkpc_t self:process signal_perms; allow checkpc_t self:unix_stream_socket create_socket_perms; allow checkpc_t self:tcp_socket create_socket_perms; @@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms; - + kernel_read_system_state(checkpc_t) - + -corenet_all_recvfrom_unlabeled(checkpc_t) corenet_all_recvfrom_netlabel(checkpc_t) corenet_tcp_sendrecv_generic_if(checkpc_t) corenet_tcp_sendrecv_generic_node(checkpc_t) @@ -97,7 +96,6 @@ dev_append_printer(checkpc_t) - + domain_use_interactive_fds(checkpc_t) - + -files_read_etc_files(checkpc_t) files_read_etc_runtime_files(checkpc_t) files_search_pids(checkpc_t) files_search_spool(checkpc_t) @@ -107,7 +105,7 @@ init_use_fds(checkpc_t) - + sysnet_read_config(checkpc_t) - + -userdom_use_user_terminals(checkpc_t) +userdom_use_inherited_user_terminals(checkpc_t) - + optional_policy(` - cron_system_entry(checkpc_t, checkpc_exec_t) + cron_system_entry(checkpc_t, checkpc_exec_t) @@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t) kernel_read_kernel_sysctls(lpd_t) kernel_read_system_state(lpd_t) - + -corenet_all_recvfrom_unlabeled(lpd_t) corenet_all_recvfrom_netlabel(lpd_t) corenet_tcp_sendrecv_generic_if(lpd_t) corenet_tcp_sendrecv_generic_node(lpd_t) @@ -174,14 +171,12 @@ dev_rw_printer(lpd_t) domain_use_interactive_fds(lpd_t) - + files_read_etc_runtime_files(lpd_t) -files_read_usr_files(lpd_t) files_list_world_readable(lpd_t) @@ -48522,50 +48522,50 @@ index 39d31640e..1ec2cd26e 100644 files_read_var_lib_symlinks(lpd_t) -files_read_etc_files(lpd_t) files_search_spool(lpd_t) - + fs_getattr_all_fs(lpd_t) @@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t) logging_send_syslog_msg(lpd_t) - + miscfiles_read_fonts(lpd_t) -miscfiles_read_localization(lpd_t) - + sysnet_read_config(lpd_t) - + 
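Review bot: `allow checkpc_t self:capability { setgid setuid dac_read_search dac_override };` keeps dac_override next to the newly added dac_read_search, so the addition narrows nothing: on recent kernels a read or search access is tried against CAP_DAC_READ_SEARCH first and then falls back to CAP_DAC_OVERRIDE, which also bypasses write checks. If checkpc only needs to read and traverse files it does not own, the tighter line is `allow checkpc_t self:capability { setgid setuid dac_read_search };`; otherwise a one-line comment stating why dac_override is still required would help the next reviewer. The same pattern appears for lpr_t in the next hunk (`@@ -48522`), for mailman_mail_t (`@@ -49441`) and for mscan_t (`@@ -49593`), so one decision should cover all four. These lines are carried as inner-patch content and the enclosing policy blocks start and end outside this hunk.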
@@ -214,7 +208,7 @@ optional_policy(` # Lpr local policy # - + -allow lpr_t self:capability { setuid dac_override net_bind_service chown }; +allow lpr_t self:capability { setuid dac_read_search dac_override net_bind_service chown }; allow lpr_t self:unix_stream_socket { accept listen }; - + allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; @@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t) kernel_read_crypto_sysctls(lpr_t) kernel_read_kernel_sysctls(lpr_t) - + -corenet_all_recvfrom_unlabeled(lpr_t) corenet_all_recvfrom_netlabel(lpr_t) corenet_tcp_sendrecv_generic_if(lpr_t) corenet_tcp_sendrecv_generic_node(lpr_t) @@ -239,7 +232,6 @@ dev_read_urand(lpr_t) domain_use_interactive_fds(lpr_t) - + files_search_spool(lpr_t) -files_read_usr_files(lpr_t) files_list_home(lpr_t) - + fs_getattr_all_fs(lpr_t) @@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t) - + auth_use_nsswitch(lpr_t) - + -logging_send_syslog_msg(lpr_t) - miscfiles_read_fonts(lpr_t) -miscfiles_read_localization(lpr_t) - + userdom_read_user_tmp_symlinks(lpr_t) -userdom_use_user_terminals(lpr_t) +# Write to the user domain tty. @@ -48574,7 +48574,7 @@ index 39d31640e..1ec2cd26e 100644 userdom_read_user_tmp_files(lpr_t) +userdom_write_user_tmp_sockets(lpr_t) +userdom_stream_connect(lpr_t) - + tunable_policy(`use_lpd_server',` - allow lpr_t lpd_t:process signal; - 
@@ -48582,20 +48582,20 @@ index 39d31640e..1ec2cd26e 100644 + # lpr can run in lightweight mode, without a local print spooler. + allow lpr_t lpd_var_run_t:dir search_dir_perms; + allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms; - files_read_var_files(lpr_t) - + files_read_var_files(lpr_t) + + # Connect to lpd via a Unix domain socket. + allow lpr_t printer_t:sock_file read_sock_file_perms; - stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) + stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t) + # Send SIGHUP to lpd. + allow lpr_t lpd_t:process signal; - - manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) - manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + + manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) + manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t) @@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',` - allow lpr_t printconf_t:lnk_file read_lnk_file_perms; + allow lpr_t printconf_t:lnk_file read_lnk_file_perms; ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_list_auto_mountpoints(lpr_t) - fs_read_nfs_files(lpr_t) @@ -48608,12 +48608,12 @@ index 39d31640e..1ec2cd26e 100644 - fs_read_cifs_symlinks(lpr_t) -') +userdom_home_reader(lpr_t) - + optional_policy(` - cups_read_config(lpr_t) + cups_read_config(lpr_t) @@ -298,5 +284,13 @@ optional_policy(` ') - + optional_policy(` - gnome_stream_connect_all_gkeyringd(lpr_t) + gnome_stream_connect_gkeyringd(lpr_t) @@ -48632,7 +48632,7 @@ index c45573053..6e1466794 100644 +++ b/lsm.fc @@ -1,3 +1,7 @@ /usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) - + +/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0) + +/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) @@ -48646,7 +48646,7 @@ index d3143334d..27ede090c 100644 -## Storage array management library. + +## libStorageMgmt plug-in daemon - + ######################################## ## -## All of the rules required to administrate 
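Review bot: `userdom_home_reader(lpr_t)` (hunk `@@ -48608`) replaces the `tunable_policy(\`use_nfs_home_dirs', ...)` and `use_samba_home_dirs` blocks removed in the hunk before it, so lpr_t's access to NFS/CIFS home content is no longer visibly gated by those booleans in lpd.te. If the interface re-applies the booleans through its attribute in userdomain.te the change is equivalent, which I cannot confirm from this file; if it does not, lpr would read remote home files regardless of the booleans. A comment on the new line such as `# NFS/CIFS home access is still gated by use_nfs_home_dirs / use_samba_home_dirs via the home-reader attribute` would record which of the two is the case. The `tunable_policy(\`use_lpd_server', ...)` block in the first hunk starts outside it.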
@@ -48727,18 +48727,18 @@ index d3143334d..27ede090c 100644 ## # interface(`lsmd_admin',` - gen_require(` + gen_require(` - type lsmd_t, type lsmd_var_run_t; + type lsmd_t; + type lsmd_var_run_t; + type lsmd_unit_file_t; - ') - - allow $1 lsmd_t:process { ptrace signal_perms }; + ') + + allow $1 lsmd_t:process { ptrace signal_perms }; @@ -27,4 +88,13 @@ interface(`lsmd_admin',` - - files_search_pids($1) - admin_pattern($1, lsmd_var_run_t) + + files_search_pids($1) + admin_pattern($1, lsmd_var_run_t) + + lsmd_systemctl($1) + admin_pattern($1, lsmd_unit_file_t) @@ -48764,13 +48764,13 @@ index 4ec0eea30..32d0ded84 100644 +##
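Review bot: `allow $1 lsmd_t:process { ptrace signal_perms };` in lsmd_admin grants ptrace to the admin role unconditionally, whereas mailscanner_admin later in the same patch (`@@ -49553`) is rewritten to `allow $1 mscan_t:process signal_perms;` plus a separate `allow $1 mscan_t:process ptrace;` that appears to sit inside a `deny_ptrace` tunable whose opening line falls between the hunks. The lsmd line is carried as context rather than changed here, so the difference may be deliberate, but the two admin interfaces now express different ptrace policies for the same kind of role, and mandb_admin (`@@ -50073`) keeps the unconditional form too. Moving the lsmd ptrace grant under the same `deny_ptrace` gate would keep the admin interfaces consistent. The lsmd_admin body continues outside this hunk.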

    +## +gen_tunable(lsmd_plugin_connect_any, false) - + type lsmd_t; type lsmd_exec_t; @@ -12,12 +19,23 @@ init_daemon_domain(lsmd_t, lsmd_exec_t) type lsmd_var_run_t; files_pid_file(lsmd_var_run_t) - + +type lsmd_unit_file_t; +systemd_unit_file(lsmd_unit_file_t) + @@ -48786,16 +48786,16 @@ index 4ec0eea30..32d0ded84 100644 # # Local policy # - + -allow lsmd_t self:capability setgid; +allow lsmd_t self:capability { setuid setgid }; allow lsmd_t self:unix_stream_socket create_stream_socket_perms; - + manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) @@ -26,4 +44,72 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) - + +auth_use_nsswitch(lsmd_t) + +corecmd_exec_bin(lsmd_t) @@ -49070,9 +49070,9 @@ index 995d0a5d3..3d40d59d2 100644 --- a/mailman.fc +++ b/mailman.fc @@ -2,10 +2,12 @@ - + /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) - + +/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) +/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) @@ -49081,7 +49081,7 @@ index 995d0a5d3..3d40d59d2 100644 -/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) +/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) /var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) - + /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) diff --git a/mailman.if b/mailman.if index 108c0f1f5..a2485018e 100644 @@ -49090,7 +49090,7 @@ index 108c0f1f5..a2485018e 100644 
@@ -1,44 +1,70 @@ -## Manage electronic mail discussion and e-newsletter lists. +## Mailman is for managing electronic mail discussion and e-newsletter lists - + ####################################### ## -## The template to define a mailman domain. @@ -49115,16 +49115,16 @@ index 108c0f1f5..a2485018e 100644 - attribute mailman_domain; - ') +template(`mailman_domain_template', ` - + - ######################################## - # - # Declarations - # + ######################################## -+ # ++ # + # Declarations -+ # - ++ # + - type mailman_$1_t; - type mailman_$1_exec_t; + gen_require(` @@ -49132,27 +49132,27 @@ index 108c0f1f5..a2485018e 100644 + ') + + type mailman_$1_t, mailman_domain; - domain_type(mailman_$1_t) + domain_type(mailman_$1_t) + type mailman_$1_exec_t; - domain_entry_file(mailman_$1_t, mailman_$1_exec_t) - role system_r types mailman_$1_t; - - type mailman_$1_tmp_t; - files_tmp_file(mailman_$1_tmp_t) - + domain_entry_file(mailman_$1_t, mailman_$1_exec_t) + role system_r types mailman_$1_t; + + type mailman_$1_tmp_t; + files_tmp_file(mailman_$1_tmp_t) + - #################################### - # - # Policy - # + #################################### -+ # ++ # + # Policy -+ # - - manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) - files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) - ++ # + + manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) + manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t) + files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir }) + + kernel_read_system_state(mailman_$1_t) + + corenet_all_recvfrom_unlabeled(mailman_$1_t) 
@@ -49170,20 +49170,20 @@ index 108c0f1f5..a2485018e 100644 + corenet_tcp_connect_smtp_port(mailman_$1_t) + corenet_sendrecv_smtp_client_packets(mailman_$1_t) + - auth_use_nsswitch(mailman_$1_t) + auth_use_nsswitch(mailman_$1_t) + + logging_send_syslog_msg(mailman_$1_t) ') - + ####################################### @@ -56,15 +82,12 @@ interface(`mailman_domtrans',` - type mailman_mail_exec_t, mailman_mail_t; - ') - + type mailman_mail_exec_t, mailman_mail_t; + ') + - libs_search_lib($1) - domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) + domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) ') - + ######################################## ## -## Execute the mailman program in the @@ -49204,33 +49204,33 @@ index 108c0f1f5..a2485018e 100644 ## # interface(`mailman_run',` - gen_require(` + gen_require(` - attribute_role mailman_roles; + type mailman_mail_t; - ') - - mailman_domtrans($1) + ') + + mailman_domtrans($1) - roleattribute $2 mailman_roles; + role $2 types mailman_mail_t; ') - + ####################################### @@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',` - type mailman_cgi_exec_t, mailman_cgi_t; - ') - + type mailman_cgi_exec_t, mailman_cgi_t; + ') + - libs_search_lib($1) - domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) + domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t) ') - + @@ -122,13 +144,12 @@ interface(`mailman_exec',` - type mailman_mail_exec_t; - ') - + type mailman_mail_exec_t; + ') + - libs_search_lib($1) - can_exec($1, mailman_mail_exec_t) + can_exec($1, mailman_mail_exec_t) ') - + ####################################### ## -## Send generic signals to mailman cgi. @@ -49239,7 +49239,7 @@ index 108c0f1f5..a2485018e 100644 ## ## @@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',` - + ####################################### ## -## Search mailman data directories. @@ -49248,13 +49248,13 @@ index 108c0f1f5..a2485018e 100644 ## ## 
@@ -159,13 +180,12 @@ interface(`mailman_search_data',` - type mailman_data_t; - ') - + type mailman_data_t; + ') + - files_search_spool($1) - allow $1 mailman_data_t:dir search_dir_perms; + allow $1 mailman_data_t:dir search_dir_perms; ') - + ####################################### ## -## Read mailman data content. @@ -49263,15 +49263,15 @@ index 108c0f1f5..a2485018e 100644 ## ## @@ -178,7 +198,6 @@ interface(`mailman_read_data_files',` - type mailman_data_t; - ') - + type mailman_data_t; + ') + - files_search_spool($1) - list_dirs_pattern($1, mailman_data_t, mailman_data_t) - read_files_pattern($1, mailman_data_t, mailman_data_t) - read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) + list_dirs_pattern($1, mailman_data_t, mailman_data_t) + read_files_pattern($1, mailman_data_t, mailman_data_t) + read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) @@ -186,8 +205,8 @@ interface(`mailman_read_data_files',` - + ####################################### ## -## Create, read, write, and delete @@ -49282,14 +49282,14 @@ index 108c0f1f5..a2485018e 100644 ## ## @@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',` - type mailman_data_t; - ') - + type mailman_data_t; + ') + - files_search_spool($1) - manage_dirs_pattern($1, mailman_data_t, mailman_data_t) - manage_files_pattern($1, mailman_data_t, mailman_data_t) + manage_dirs_pattern($1, mailman_data_t, mailman_data_t) + manage_files_pattern($1, mailman_data_t, mailman_data_t) ') - + ####################################### ## -## List mailman data directories. @@ -49298,13 +49298,13 @@ index 108c0f1f5..a2485018e 100644 ## ## @@ -220,13 +238,12 @@ interface(`mailman_list_data',` - type mailman_data_t; - ') - + type mailman_data_t; + ') + - files_search_spool($1) - allow $1 mailman_data_t:dir list_dir_perms; + allow $1 mailman_data_t:dir list_dir_perms; ') - + ####################################### ## -## Read mailman data symbolic links. @@ -49313,7 +49313,7 @@ index 108c0f1f5..a2485018e 100644 ## ## 
@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',` - + ####################################### ## -## Read mailman log files. @@ -49322,13 +49322,13 @@ index 108c0f1f5..a2485018e 100644 ## ## @@ -257,13 +274,12 @@ interface(`mailman_read_log',` - type mailman_log_t; - ') - + type mailman_log_t; + ') + - logging_search_logs($1) - read_files_pattern($1, mailman_log_t, mailman_log_t) + read_files_pattern($1, mailman_log_t, mailman_log_t) ') - + ####################################### ## -## Append mailman log files. @@ -49337,13 +49337,13 @@ index 108c0f1f5..a2485018e 100644 ## ## @@ -276,14 +292,13 @@ interface(`mailman_append_log',` - type mailman_log_t; - ') - + type mailman_log_t; + ') + - logging_search_logs($1) - append_files_pattern($1, mailman_log_t, mailman_log_t) + append_files_pattern($1, mailman_log_t, mailman_log_t) ') - + ####################################### ## ## Create, read, write, and delete @@ -49353,14 +49353,14 @@ index 108c0f1f5..a2485018e 100644 ## ## @@ -296,14 +311,13 @@ interface(`mailman_manage_log',` - type mailman_log_t; - ') - + type mailman_log_t; + ') + - logging_search_logs($1) - manage_files_pattern($1, mailman_log_t, mailman_log_t) - manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) + manage_files_pattern($1, mailman_log_t, mailman_log_t) + manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t) ') - + ####################################### ## -## Read mailman archive content. @@ -49369,15 +49369,15 @@ index 108c0f1f5..a2485018e 100644 ## ## 
@@ -316,7 +330,6 @@ interface(`mailman_read_archive',` - type mailman_archive_t; - ') - + type mailman_archive_t; + ') + - files_search_var_lib($1) - allow $1 mailman_archive_t:dir list_dir_perms; - read_files_pattern($1, mailman_archive_t, mailman_archive_t) - read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) + allow $1 mailman_archive_t:dir list_dir_perms; + read_files_pattern($1, mailman_archive_t, mailman_archive_t) + read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t) @@ -324,8 +337,7 @@ interface(`mailman_read_archive',` - + ####################################### ## -## Execute mailman_queue in the @@ -49387,11 +49387,11 @@ index 108c0f1f5..a2485018e 100644 ## ## @@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',` - type mailman_queue_exec_t, mailman_queue_t; - ') - + type mailman_queue_exec_t, mailman_queue_t; + ') + - libs_search_lib($1) - domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) + domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te index ac81c7fa9..2bbde0b7c 100644 @@ -49407,32 +49407,32 @@ index ac81c7fa9..2bbde0b7c 100644 +##

    +## +gen_tunable(mailman_use_fusefs, false) - + attribute mailman_domain; - + @@ -50,16 +56,12 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t) manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t) files_lock_filetrans(mailman_domain, mailman_lock_t, file) - + -append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) -create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) -setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) +manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t) logging_log_filetrans(mailman_domain, mailman_log_t, file) - + kernel_read_kernel_sysctls(mailman_domain) -kernel_read_system_state(mailman_domain) +kernel_read_network_state(mailman_domain) - + -corenet_all_recvfrom_unlabeled(mailman_domain) -corenet_all_recvfrom_netlabel(mailman_domain) corenet_tcp_sendrecv_generic_if(mailman_domain) corenet_tcp_sendrecv_generic_node(mailman_domain) - + @@ -82,10 +84,6 @@ fs_getattr_all_fs(mailman_domain) libs_exec_ld_so(mailman_domain) libs_exec_lib_files(mailman_domain) - + -logging_send_syslog_msg(mailman_domain) - -miscfiles_read_localization(mailman_domain) @@ -49441,63 +49441,63 @@ index ac81c7fa9..2bbde0b7c 100644 # # CGI local policy @@ -103,7 +101,7 @@ optional_policy(` - apache_dontaudit_append_log(mailman_cgi_t) - apache_search_sys_script_state(mailman_cgi_t) - apache_read_config(mailman_cgi_t) + apache_dontaudit_append_log(mailman_cgi_t) + apache_search_sys_script_state(mailman_cgi_t) + apache_read_config(mailman_cgi_t) - apache_dontaudit_rw_stream_sockets(mailman_cgi_t) + apache_rw_stream_sockets(mailman_cgi_t) ') - + optional_policy(` 
@@ -115,20 +113,23 @@ optional_policy(` # Mail local policy # - + -allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config }; -allow mailman_mail_t self:process { signal signull }; +allow mailman_mail_t self:capability { kill dac_read_search dac_override setuid setgid sys_nice sys_tty_config }; +allow mailman_mail_t self:process { setsched signal signull }; +allow mailman_mail_t self:unix_dgram_socket create_socket_perms; - + manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) - + +can_exec(mailman_mail_t, mailman_mail_exec_t) + corenet_sendrecv_innd_client_packets(mailman_mail_t) corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_sendrecv_innd_port(mailman_mail_t) - + corenet_sendrecv_spamd_client_packets(mailman_mail_t) -corenet_tcp_connect_spamd_port(mailman_mail_t) corenet_tcp_sendrecv_spamd_port(mailman_mail_t) +corenet_tcp_connect_spamd_port(mailman_mail_t) - + dev_read_urand(mailman_mail_t) - + @@ -137,10 +138,18 @@ fs_rw_anon_inodefs_files(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) mta_dontaudit_rw_queue(mailman_mail_t) - + +optional_policy(` + apache_search_config(mailman_mail_t) +') + optional_policy(` - courier_read_spool(mailman_mail_t) + courier_read_spool(mailman_mail_t) ') - + +optional_policy(` + gnome_dontaudit_search_config(mailman_mail_t) +') + optional_policy(` - cron_read_pipes(mailman_mail_t) + cron_read_pipes(mailman_mail_t) ') @@ -182,3 +191,9 @@ optional_policy(` optional_policy(` - su_exec(mailman_queue_t) + su_exec(mailman_queue_t) ') + +tunable_policy(`mailman_use_fusefs',` @@ -49510,7 +49510,7 @@ index 214cb4498..bd1d48e4f 100644 --- a/mailscanner.if +++ b/mailscanner.if @@ -2,29 +2,27 @@ - + ######################################## ## -## Create, read, write, and delete 
@@ -49527,17 +49527,17 @@ index 214cb4498..bd1d48e4f 100644 # -interface(`mscan_manage_spool_content',` +interface(`mailscanner_initrc_domtrans',` - gen_require(` + gen_require(` - type mscan_spool_t; + type mscan_initrc_exec_t; - ') - + ') + - files_search_spool($1) - manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t) - manage_files_pattern($1, mscan_spool_t, mscan_spool_t) + init_labeled_script_domtrans($1, mscan_initrc_exec_t) ') - + ######################################## ## -## All of the rules required to @@ -49553,22 +49553,22 @@ index 214cb4498..bd1d48e4f 100644 # -interface(`mscan_admin',` +interface(`mailscanner_admin',` - gen_require(` + gen_require(` - type mscan_t, mscan_etc_t, mscan_initrc_exec_t; - type mscan_var_run_t, mscan_spool_t; + type mscan_t, mscan_var_run_t, mscan_etc_t; + type mscan_initrc_exec_t; - ') - + ') + - allow $1 mscan_t:process { ptrace signal_perms }; - ps_process_pattern($1, mscan_t) - - init_labeled_script_domtrans($1, mscan_initrc_exec_t) + mailscanner_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mscan_initrc_exec_t system_r; - allow $2 system_r; - + domain_system_change_exemption($1) + role_transition $2 mscan_initrc_exec_t system_r; + allow $2 system_r; + - files_search_etc($1) + allow $1 mscan_t:process signal_perms; + ps_process_pattern($1, mscan_t) @@ -49576,11 +49576,11 @@ index 214cb4498..bd1d48e4f 100644 + allow $1 mscan_t:process ptrace; + ') + - admin_pattern($1, mscan_etc_t) + admin_pattern($1, mscan_etc_t) + files_list_etc($1) - + - files_search_pids($1) - admin_pattern($1, mscan_var_run_t) + admin_pattern($1, mscan_var_run_t) - - files_search_spool($1) - admin_pattern($1, mscan_spool_t) @@ -49593,29 +49593,29 @@ index 6b6e2e130..3fb3393ba 100644 
@@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t) # Local policy # - + -allow mscan_t self:capability { setuid chown setgid dac_override }; +allow mscan_t self:capability { setuid chown setgid dac_read_search dac_override }; allow mscan_t self:process signal; allow mscan_t self:fifo_file rw_fifo_file_perms; - + read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t) +list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t) - + manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t) files_pid_filetrans(mscan_t, mscan_var_run_t, file) @@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t) - + dev_read_urand(mscan_t) - + -files_read_usr_files(mscan_t) - + fs_getattr_xattr_fs(mscan_t) - + @@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t) - + logging_send_syslog_msg(mscan_t) - + -miscfiles_read_localization(mscan_t) - optional_policy(` @@ -49623,14 +49623,14 @@ index 6b6e2e130..3fb3393ba 100644 + antivirus_domtrans(mscan_t) + antivirus_manage_pid(mscan_t) ') - + optional_policy(` @@ -97,5 +96,6 @@ optional_policy(` ') - + optional_policy(` + spamassassin_read_home_client(mscan_t) - spamassassin_read_lib_files(mscan_t) + spamassassin_read_lib_files(mscan_t) ') diff --git a/man2html.fc b/man2html.fc index 82f625551..368673237 100644 @@ -49643,7 +49643,7 @@ index 82f625551..368673237 100644 +/usr/lib/man2html/cgi-bin/man/man2html -- gen_context(system_u:object_r:man2html_script_exec_t,s0) +/usr/lib/man2html/cgi-bin/man/mansec -- gen_context(system_u:object_r:man2html_script_exec_t,s0) +/usr/lib/man2html/cgi-bin/man/manwhatis -- gen_context(system_u:object_r:man2html_script_exec_t,s0) - + -/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0) +/var/cache/man2html(/.*)? gen_context(system_u:object_r:man2html_rw_content_t,s0) diff --git a/man2html.if b/man2html.if @@ -49795,18 +49795,18 @@ index e08c55d43..24b56e9ee 100644 
@@ -5,22 +5,18 @@ policy_module(man2html, 1.0.0) # Declarations # - + -apache_content_template(man2html) - -type httpd_man2html_script_cache_t; -files_type(httpd_man2html_script_cache_t) - + ######################################## # -# Local policy +# man2html_script local policy # - + -manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) -manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t) @@ -49814,10 +49814,10 @@ index e08c55d43..24b56e9ee 100644 +optional_policy(` + apache_content_template(man2html) + apache_content_alias_template(man2html, man2html) - + -files_read_etc_files(httpd_man2html_script_t) + allow man2html_script_t self:process fork; - + -miscfiles_read_localization(httpd_man2html_script_t) -miscfiles_read_man_pages(httpd_man2html_script_t) + typealias man2html_rw_content_t alias man2html_script_cache_t; @@ -49848,7 +49848,7 @@ index 327f3f726..d6ae4eab6 100644 -## On-line manual database. + +## policy for mandb - + ######################################## ## -## Execute the mandb program in @@ -49865,7 +49865,7 @@ index 327f3f726..d6ae4eab6 100644 # interface(`mandb_domtrans',` @@ -22,33 +22,45 @@ interface(`mandb_domtrans',` - + ######################################## ## -## Execute mandb in the mandb @@ -49903,17 +49903,17 @@ index 327f3f726..d6ae4eab6 100644 # -interface(`mandb_run',` +interface(`mandb_read_cache_files',` - gen_require(` + gen_require(` - attribute_role mandb_roles; + type mandb_cache_t; - ') - + ') + - lightsquid_domtrans($1) - roleattribute $2 mandb_roles; + files_search_var($1) + read_files_pattern($1, mandb_cache_t, mandb_cache_t) ') - + ######################################## ## -## Search mandb cache directories. 
@@ -49934,7 +49934,7 @@ index 327f3f726..d6ae4eab6 100644 + + allow $1 mandb_cache_t:file map; ') - + ######################################## ## -## Delete mandb cache content. @@ -49956,7 +49956,7 @@ index 327f3f726..d6ae4eab6 100644 + allow $1 mandb_cache_t:dir relabel_dir_perms; + allow $1 mandb_cache_t:file relabel_file_perms; ') - + ######################################## ## -## Read mandb cache content. @@ -50000,7 +50000,7 @@ index 327f3f726..d6ae4eab6 100644 + delete_files_pattern($1, mandb_cache_t, mandb_cache_t) + delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t) ') - + ######################################## @@ -99,37 +147,82 @@ interface(`mandb_read_cache_content',` ## @@ -50016,7 +50016,7 @@ index 327f3f726..d6ae4eab6 100644 + files_search_var($1) + manage_files_pattern($1, mandb_cache_t, mandb_cache_t) ') - + ######################################## ## -## All of the rules required to @@ -50073,19 +50073,19 @@ index 327f3f726..d6ae4eab6 100644 -## # interface(`mandb_admin',` - gen_require(` + gen_require(` - type mandb_t, mandb_cache_t; + type mandb_t; + type mandb_cache_t, mandb_lock_t; - ') - - allow $1 mandb_t:process { ptrace signal_perms }; - ps_process_pattern($1, mandb_t) - + ') + + allow $1 mandb_t:process { ptrace signal_perms }; + ps_process_pattern($1, mandb_t) + - mandb_run($1, $2) + files_search_var($1) + admin_pattern($1, mandb_cache_t) - + - # pending - # miscfiles_manage_man_cache_content(mandb_t) + files_search_locks($1) @@ -50101,13 +50101,13 @@ index e6136fd37..2edabefc3 100644 --- a/mandb.te +++ b/mandb.te @@ -10,19 +10,41 @@ roleattribute system_r mandb_roles; - + type mandb_t; type mandb_exec_t; -application_domain(mandb_t, mandb_exec_t) +init_daemon_domain(mandb_t, mandb_exec_t) role mandb_roles types mandb_t; - + +type mandb_cache_t; +files_type(mandb_cache_t) + 
@@ -50121,13 +50121,13 @@ index e6136fd37..2edabefc3 100644 # # Local policy # - + -allow mandb_t self:capability { setuid setgid }; +allow mandb_t self:capability { dac_read_search dac_override setuid setgid fsetid }; allow mandb_t self:process { setsched signal }; allow mandb_t self:fifo_file rw_fifo_file_perms; allow mandb_t self:unix_stream_socket create_stream_socket_perms; - + +manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) @@ -50143,32 +50143,32 @@ index e6136fd37..2edabefc3 100644 + kernel_read_kernel_sysctls(mandb_t) kernel_read_system_state(mandb_t) - + @@ -33,11 +55,14 @@ dev_search_sysfs(mandb_t) - + domain_use_interactive_fds(mandb_t) - + -files_read_etc_files(mandb_t) +files_search_locks(mandb_t) +files_dontaudit_search_all_mountpoints(mandb_t) + +fs_getattr_all_fs(mandb_t) - + miscfiles_manage_man_cache(mandb_t) +miscfiles_setattr_man_pages(mandb_t) miscfiles_read_man_pages(mandb_t) -miscfiles_read_localization(mandb_t) - + ifdef(`distro_debian',` - optional_policy(` + optional_policy(` diff --git a/mcelog.if b/mcelog.if index f89651e75..c73214d81 100644 --- a/mcelog.if +++ b/mcelog.if @@ -19,6 +19,25 @@ interface(`mcelog_domtrans',` - domtrans_pattern($1, mcelog_exec_t, mcelog_t) + domtrans_pattern($1, mcelog_exec_t, mcelog_t) ') - + +###################################### +## +## Read mcelog logs. @@ -50198,7 +50198,7 @@ index 59b3b3dd6..494c4f3a4 100644 @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) ## gen_tunable(mcelog_server, false) - + -## -##

    -## Determine whether mcelog can use syslog. @@ -50210,9 +50210,9 @@ index 59b3b3dd6..494c4f3a4 100644 type mcelog_exec_t; init_daemon_domain(mcelog_t, mcelog_exec_t) @@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) - + kernel_read_system_state(mcelog_t) - + +corecmd_exec_shell(mcelog_t) +corecmd_exec_bin(mcelog_t) + @@ -50222,28 +50222,28 @@ index 59b3b3dd6..494c4f3a4 100644 - -files_read_etc_files(mcelog_t) +dev_rw_cpu_microcode(mcelog_t) - + mls_file_read_all_levels(mcelog_t) - + +auth_use_nsswitch(mcelog_t) + locallogin_use_fds(mcelog_t) - + -miscfiles_read_localization(mcelog_t) +logging_send_syslog_msg(mcelog_t) - + tunable_policy(`mcelog_client',` - allow mcelog_t self:unix_stream_socket connectto; + allow mcelog_t self:unix_stream_socket connectto; @@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',` - allow mcelog_t self:unix_stream_socket { listen accept }; + allow mcelog_t self:unix_stream_socket { listen accept }; ') - + -tunable_policy(`mcelog_syslog',` - logging_send_syslog_msg(mcelog_t) -') - + optional_policy(` - cron_system_entry(mcelog_t, mcelog_exec_t) + cron_system_entry(mcelog_t, mcelog_exec_t) diff --git a/mcollective.fc b/mcollective.fc new file mode 100644 index 000000000..821bf8822 
@@ -50412,10 +50412,10 @@ index 99f7c4187..174560318 100644 +/usr/lib/mediawiki/math/texvc -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) +/usr/lib/mediawiki/math/texvc_tex -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) +/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) - + -/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) +/usr/share/mediawiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0) - + -/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) -/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) +/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0) @@ -50473,19 +50473,19 @@ index c528b9fa7..f577a7fa6 100644 @@ -5,13 +5,29 @@ policy_module(mediawiki, 1.0.0) # Declarations # - + -apache_content_template(mediawiki) +type mediawiki_tmp_t; +files_tmp_file(mediawiki_tmp_t) - + ######################################## # # Local policy # - + -files_search_var_lib(httpd_mediawiki_script_t) +optional_policy(` - + -miscfiles_read_tetex_data(httpd_mediawiki_script_t) + apache_content_template(mediawiki) + apache_content_alias_template(mediawiki, mediawiki) @@ -50510,22 +50510,22 @@ index 1d4eb19b8..650014e0f 100644 @@ -1,4 +1,4 @@ -##

    High-performance memory object caching system. +## high-performance memory object caching system - + ######################################## ## @@ -12,17 +12,16 @@ # interface(`memcached_domtrans',` - gen_require(` + gen_require(` - type memcached_t,memcached_exec_t; + type memcached_t; + type memcached_exec_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, memcached_exec_t, memcached_t) + domtrans_pattern($1, memcached_exec_t, memcached_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -50540,15 +50540,15 @@ index 1d4eb19b8..650014e0f 100644 # -interface(`memcached_manage_pid_files',` +interface(`memcached_read_pid_files',` - gen_require(` - type memcached_var_run_t; - ') - - files_search_pids($1) + gen_require(` + type memcached_var_run_t; + ') + + files_search_pids($1) - manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) + allow $1 memcached_var_run_t:file read_file_perms; ') - + ######################################## ## -## Read memcached pid files. @@ -50562,15 +50562,15 @@ index 1d4eb19b8..650014e0f 100644 # -interface(`memcached_read_pid_files',` +interface(`memcached_manage_pid_files',` - gen_require(` - type memcached_var_run_t; - ') - - files_search_pids($1) + gen_require(` + type memcached_var_run_t; + ') + + files_search_pids($1) - allow $1 memcached_var_run_t:file read_file_perms; + manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t) ') - + ######################################## ## -## Connect to memcached using a unix @@ -50580,7 +50580,7 @@ index 1d4eb19b8..650014e0f 100644 ## ## @@ -80,29 +78,8 @@ interface(`memcached_stream_connect',` - + ######################################## ## -## Connect to memcache over the network. 
@@ -50606,7 +50606,7 @@ index 1d4eb19b8..650014e0f 100644 -## -## All of the rules required to -## administrate an memcached environment. -+## All of the rules required to administrate ++## All of the rules required to administrate +## an memcached environment ## ## @@ -50621,24 +50621,24 @@ index 1d4eb19b8..650014e0f 100644 ## ## @@ -121,14 +98,17 @@ interface(`memcached_admin',` - type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; - ') - + type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; + ') + - allow $1 memcached_t:process { ptrace signal_perms }; + allow $1 memcached_t:process signal_perms; - ps_process_pattern($1, memcached_t) + ps_process_pattern($1, memcached_t) + tunable_policy(`deny_ptrace',`',` + allow $1 memcached_t:process ptrace; + ') - - init_labeled_script_domtrans($1, memcached_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 memcached_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, memcached_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 memcached_initrc_exec_t system_r; + allow $2 system_r; + - files_search_pids($1) + files_list_pids($1) - admin_pattern($1, memcached_var_run_t) + admin_pattern($1, memcached_var_run_t) ') diff --git a/memcached.te b/memcached.te index 29b752160..5000dd91c 100644 @@ -50649,13 +50649,13 @@ index 29b752160..5000dd91c 100644 type memcached_exec_t; init_daemon_domain(memcached_t, memcached_exec_t) +init_nnp_daemon_domain(memcached_t) - + type memcached_initrc_exec_t; init_script_file(memcached_initrc_exec_t) @@ -20,7 +21,7 @@ files_pid_file(memcached_var_run_t) # Local policy # - + -allow memcached_t self:capability { setuid setgid }; +allow memcached_t self:capability { setuid setgid sys_resource }; dontaudit memcached_t self:capability sys_tty_config; @@ -50664,16 +50664,16 @@ index 29b752160..5000dd91c 100644 
@@ -28,6 +29,8 @@ allow memcached_t self:udp_socket { accept listen }; allow memcached_t self:fifo_file rw_fifo_file_perms; allow memcached_t self:unix_stream_socket create_stream_socket_perms; - + +allow memcached_t memcached_exec_t:file map; + manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) @@ -59,4 +62,3 @@ term_dontaudit_use_console(memcached_t) - + auth_use_nsswitch(memcached_t) - + -miscfiles_read_localization(memcached_t) diff --git a/milter.fc b/milter.fc index 89409ebbc..67e42f6a9 100644 @@ -50691,7 +50691,7 @@ index 89409ebbc..67e42f6a9 100644 +/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) +/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) - + -/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) -/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) @@ -50699,7 +50699,7 @@ index 89409ebbc..67e42f6a9 100644 +/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) - + -/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) +/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) +/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) 
@@ -50713,7 +50713,7 @@ index 89409ebbc..67e42f6a9 100644 +/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) +/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) - + -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) /var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) @@ -50726,7 +50726,7 @@ index cba62db12..562833a81 100644 @@ -1,47 +1,43 @@ -## Milter mail filters. +## Milter mail filters - + -####################################### +######################################## ## 
@@ -50744,39 +50744,39 @@ index cba62db12..562833a81 100644 # template(`milter_template',` + # attributes common to all milters - gen_require(` - attribute milter_data_type, milter_domains; - ') - + gen_require(` + attribute milter_data_type, milter_domains; + ') + - ######################################## - # - # Declarations - # - - type $1_milter_t, milter_domains; - type $1_milter_exec_t; - init_daemon_domain($1_milter_t, $1_milter_exec_t) + type $1_milter_t, milter_domains; + type $1_milter_exec_t; + init_daemon_domain($1_milter_t, $1_milter_exec_t) + role system_r types $1_milter_t; - + + # Type for the milter data (e.g. the socket used to communicate with the MTA) - type $1_milter_data_t, milter_data_type; - files_pid_file($1_milter_data_t) - + type $1_milter_data_t, milter_data_type; + files_pid_file($1_milter_data_t) + - ######################################## - # - # Policy - # + # Allow communication with MTA over a unix-domain socket + manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - + + # Create other data files and directories in the data directory - manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) + manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t) - + - auth_use_nsswitch($1_milter_t) + logging_send_syslog_msg($1_milter_t) ') - + ######################################## ## -## connect to all milter domains using @@ -50786,13 +50786,13 @@ index cba62db12..562833a81 100644 ## ## 
@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',` - ') - - files_search_pids($1) + ') + + files_search_pids($1) + getattr_dirs_pattern($1, milter_data_type, milter_data_type) - stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) + stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains) ') - + ######################################## ## -## Get attributes of all milter sock files. @@ -50801,13 +50801,13 @@ index cba62db12..562833a81 100644 ## ## @@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',` - attribute milter_data_type; - ') - + attribute milter_data_type; + ') + + getattr_dirs_pattern($1, milter_data_type, milter_data_type) - getattr_sock_files_pattern($1, milter_data_type, milter_data_type) + getattr_sock_files_pattern($1, milter_data_type, milter_data_type) ') - + ######################################## ## -## Create, read, write, and delete @@ -50835,8 +50835,8 @@ index cba62db12..562833a81 100644 ## ## @@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',` - manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) - manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) ') + +####################################### @@ -50864,11 +50864,11 @@ index 4dc99f464..48e3f3813 100644 @@ -5,73 +5,117 @@ policy_module(milter, 1.5.0) # Declarations # - + +# attributes common to all milters attribute milter_domains; attribute milter_data_type; - + +# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter +milter_template(dkim) + 
@@ -50883,20 +50883,20 @@ index 4dc99f464..48e3f3813 100644 milter_template(greylist) milter_template(regex) milter_template(spamass) - + +# Type for the spamass-milter home directory, under which spamassassin will +# store system-wide preferences, bayes databases etc. if not configured to +# use per-user configuration type spamass_milter_state_t; files_type(spamass_milter_state_t) - + + ####################################### # -# Common local policy +# milter domains local policy # - + +# Allow communication with MTA over a unix-domain socket +# Note: usage with TCP sockets requires additional policy + @@ -50907,9 +50907,9 @@ index 4dc99f464..48e3f3813 100644 + +# Allow communication with MTA over a TCP socket +allow milter_domains self:tcp_socket create_stream_socket_perms; - + kernel_dontaudit_read_system_state(milter_domains) - + -corenet_all_recvfrom_unlabeled(milter_domains) -corenet_all_recvfrom_netlabel(milter_domains) -corenet_tcp_sendrecv_generic_if(milter_domains) @@ -50918,7 +50918,7 @@ index 4dc99f464..48e3f3813 100644 - corenet_tcp_bind_milter_port(milter_domains) -corenet_tcp_sendrecv_all_ports(milter_domains) - + -miscfiles_read_localization(milter_domains) +dev_read_rand(milter_domains) +dev_read_urand(milter_domains) @@ -50936,7 +50936,7 @@ index 4dc99f464..48e3f3813 100644 +allow dkim_milter_t self:process signal; +allow dkim_milter_t self:tcp_socket create_stream_socket_perms; +allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; - + -logging_send_syslog_msg(milter_domains) +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + @@ -50951,7 +50951,7 @@ index 4dc99f464..48e3f3813 100644 +auth_use_nsswitch(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) - + ######################################## # -# greylist local policy 
@@ -50959,21 +50959,21 @@ index 4dc99f464..48e3f3813 100644 +# ensure smtp clients retry mail like real MTAs and not spamware +# http://hcpnet.free.fr/milter-greylist/ # - + -allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; +# It removes any existing socket (not owned by root) whilst running as root, +# fixes permissions, renices itself and then calls setgid() and setuid() to +# drop privileges +allow greylist_milter_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice }; allow greylist_milter_t self:process { setsched getsched }; - + +allow greylist_milter_t self:tcp_socket create_stream_socket_perms; + +# It creates a pid file /var/run/milter-greylist.pid files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) - + kernel_read_kernel_sysctls(greylist_milter_t) - + -corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t) -corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) -corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t) @@ -50986,29 +50986,29 @@ index 4dc99f464..48e3f3813 100644 - corecmd_exec_bin(greylist_milter_t) corecmd_exec_shell(greylist_milter_t) - + -dev_read_rand(greylist_milter_t) -dev_read_urand(greylist_milter_t) +corenet_tcp_bind_movaz_ssc_port(greylist_milter_t) +corenet_tcp_connect_movaz_ssc_port(greylist_milter_t) +corenet_tcp_bind_rtsclient_port(greylist_milter_t) - + -files_read_usr_files(greylist_milter_t) +# perl getgroups() reads a bunch of files in /etc +# Allow the milter to read a GeoIP database in /usr/share +# The milter runs from /var/lib/milter-greylist and maintains files there files_search_var_lib(greylist_milter_t) - + -mta_read_config(greylist_milter_t) - -miscfiles_read_localization(greylist_milter_t) +# Look up username for dropping privs +auth_use_nsswitch(greylist_milter_t) - + optional_policy(` - mysql_stream_connect(greylist_milter_t) + mysql_stream_connect(greylist_milter_t) 
@@ -79,30 +123,45 @@ optional_policy(` - + ######################################## # -# regex local policy @@ -51016,19 +51016,19 @@ index 4dc99f464..48e3f3813 100644 +# filter emails using regular expressions +# http://www.benzedrine.cx/milter-regex.html # - + -allow regex_milter_t self:capability { setuid setgid dac_override }; +# It removes any existing socket (not owned by root) whilst running as root +# and then calls setgid() and setuid() to drop privileges +allow regex_milter_t self:capability { setuid setgid dac_read_search dac_override }; - + +# The milter's socket directory lives under /var/spool files_search_spool(regex_milter_t) - + -mta_read_config(regex_milter_t) +# Look up username for dropping privs +auth_use_nsswitch(regex_milter_t) - + ######################################## # -# spamass local policy @@ -51036,27 +51036,27 @@ index 4dc99f464..48e3f3813 100644 +# pipe emails through SpamAssassin +# http://savannah.nongnu.org/projects/spamass-milt/ # - + +# The milter runs from /var/lib/spamass-milter allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; +files_search_var_lib(spamass_milter_t) - + kernel_read_system_state(spamass_milter_t) - + +# When used with -b or -B options, the milter invokes sendmail to send mail +# to a spamtrap address, using popen() corecmd_exec_shell(spamass_milter_t) +corecmd_read_bin_symlinks(spamass_milter_t) +corecmd_search_bin(spamass_milter_t) - + -files_search_var_lib(spamass_milter_t) +auth_use_nsswitch(spamass_milter_t) - + mta_send_mail(spamass_milter_t) - + +# The main job of the milter is to pipe spam through spamc and act on the result optional_policy(` - spamassassin_domtrans_client(spamass_milter_t) + spamassassin_domtrans_client(spamass_milter_t) ') diff --git a/minissdpd.if b/minissdpd.if index b3301610f..54509375e 100644 @@ -51064,17 +51064,17 @@ index b3301610f..54509375e 100644 +++ b/minissdpd.if 
@@ -39,10 +39,10 @@ interface(`minissdpd_read_config',` interface(`minissdpd_admin',` - gen_require(` - type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t; + gen_require(` + type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t; - type minissdpd_var_run_t + type minissdpd_var_run_t; - ') - + ') + - allow $1 minissdpd_t:process { ptrace signal_perms }; + allow $1 minissdpd_t:process { signal_perms }; - ps_process_pattern($1, minissdpd_t) - - init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) + ps_process_pattern($1, minissdpd_t) + + init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) diff --git a/mip6d.fc b/mip6d.fc new file mode 100644 index 000000000..767bbad7b @@ -51832,7 +51832,7 @@ index 000000000..f5b98e6de + +######################################## +## -+## All of the rules required to administrate ++## All of the rules required to administrate +## an mock environment +## +## @@ -52000,7 +52000,7 @@ index 000000000..f647022cb +fs_manage_cgroup_dirs(mock_t) +fs_search_all(mock_t) +fs_setattr_tmpfs_dirs(mock_t) -+ ++ +selinux_get_enforce_mode(mock_t) + +term_search_ptys(mock_t) @@ -52088,7 +52088,7 @@ index 000000000..f647022cb +allow mock_build_t self:unix_dgram_socket create_socket_perms; +allow mock_build_t self:dir list_dir_perms; +allow mock_build_t self:dir read_file_perms; -+ ++ +ps_process_pattern(mock_t, mock_build_t) +allow mock_t mock_build_t:process signal_perms; +domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t) @@ -52174,9 +52174,9 @@ index b1ac8b5d8..24782b35f 100644 --- a/modemmanager.if +++ b/modemmanager.if @@ -19,6 +19,31 @@ interface(`modemmanager_domtrans',` - domtrans_pattern($1, modemmanager_exec_t, modemmanager_t) + domtrans_pattern($1, modemmanager_exec_t, modemmanager_t) ') - + +######################################## +## +## Execute modemmanager server in the modemmanager domain. @@ -52206,8 +52206,8 @@ index b1ac8b5d8..24782b35f 100644 ## ## Send and receive messages from 
@@ -39,3 +64,33 @@ interface(`modemmanager_dbus_chat',` - allow $1 modemmanager_t:dbus send_msg; - allow modemmanager_t $1:dbus send_msg; + allow $1 modemmanager_t:dbus send_msg; + allow modemmanager_t $1:dbus send_msg; ') + +######################################## @@ -52246,7 +52246,7 @@ index d15eb5b64..5a177cd5a 100644 @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) typealias modemmanager_t alias ModemManager_t; typealias modemmanager_exec_t alias ModemManager_exec_t; - + +type modemmanager_unit_file_t; +systemd_unit_file(modemmanager_unit_file_t) + @@ -52260,37 +52260,37 @@ index d15eb5b64..5a177cd5a 100644 -allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; +allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms}; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; - + kernel_read_system_state(modemmanager_t) - + +corecmd_exec_bin(modemmanager_t) + dev_read_sysfs(modemmanager_t) +dev_read_urand(modemmanager_t) dev_rw_modem(modemmanager_t) - + -files_read_etc_files(modemmanager_t) - term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) +term_use_usb_ttys(modemmanager_t) - + -miscfiles_read_localization(modemmanager_t) +xserver_read_state_xdm(modemmanager_t) - + logging_send_syslog_msg(modemmanager_t) - + @@ -50,6 +55,11 @@ optional_policy(` - optional_policy(` - policykit_dbus_chat(modemmanager_t) - ') + optional_policy(` + policykit_dbus_chat(modemmanager_t) + ') + + optional_policy(` + systemd_dbus_chat_logind(modemmanager_t) + systemd_write_inhibit_pipes(modemmanager_t) + ') ') - + optional_policy(` diff --git a/mojomojo.fc b/mojomojo.fc index 7b827ca7f..5ee8a0f2b 100644 @@ -52299,10 +52299,10 @@ index 7b827ca7f..5ee8a0f2b 100644 
@@ -1,5 +1,5 @@ -/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:httpd_mojomojo_script_exec_t,s0) +/usr/bin/mojomojo_fastcgi\.pl -- gen_context(system_u:object_r:mojomojo_script_exec_t,s0) - + -/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:httpd_mojomojo_content_t,s0) +/usr/share/mojomojo/root(/.*)? gen_context(system_u:object_r:mojomojo_content_t,s0) - + -/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:httpd_mojomojo_rw_content_t,s0) +/var/lib/mojomojo(/.*)? gen_context(system_u:object_r:mojomojo_rw_content_t,s0) diff --git a/mojomojo.if b/mojomojo.if @@ -52316,7 +52316,7 @@ index 73952f4c9..b19a6ee2d 100644 -## # interface(`mojomojo_admin',` - refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') + refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.') diff --git a/mojomojo.te b/mojomojo.te index b94102efd..25d1d33a1 100644 --- a/mojomojo.te @@ -52324,28 +52324,28 @@ index b94102efd..25d1d33a1 100644 @@ -5,21 +5,40 @@ policy_module(mojomojo, 1.1.0) # Declarations # - + -apache_content_template(mojomojo) +type mojomojo_tmp_t alias httpd_mojomojo_tmp_t; +files_tmp_file(mojomojo_tmp_t) - + ######################################## # # Local policy # - + -allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms; +optional_policy(` + apache_content_template(mojomojo) + apache_content_alias_template(mojomojo, mojomojo) - + -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) -corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t) -corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t) + manage_dirs_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t) + manage_files_pattern(mojomojo_script_t, mojomojo_tmp_t, mojomojo_tmp_t) + files_tmp_filetrans(mojomojo_script_t, mojomojo_tmp_t, { file dir }) - + -files_search_var_lib(httpd_mojomojo_script_t) + corenet_tcp_connect_postgresql_port(mojomojo_script_t) + corenet_tcp_connect_mysqld_port(mojomojo_script_t) 
@@ -52353,10 +52353,10 @@ index b94102efd..25d1d33a1 100644 + corenet_sendrecv_postgresql_client_packets(mojomojo_script_t) + corenet_sendrecv_mysqld_client_packets(mojomojo_script_t) + corenet_sendrecv_smtp_client_packets(mojomojo_script_t) - + -sysnet_dns_name_resolve(httpd_mojomojo_script_t) + files_search_var_lib(mojomojo_script_t) - + -mta_send_mail(httpd_mojomojo_script_t) + sysnet_dns_name_resolve(mojomojo_script_t) + @@ -52517,7 +52517,7 @@ index 6fcfc31b4..e9e6bc51c 100644 @@ -1,9 +1,19 @@ /etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) - + -/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0) +/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0) @@ -52527,13 +52527,13 @@ index 6fcfc31b4..e9e6bc51c 100644 +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) + +/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0) - + /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) - + -/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0) +/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0) +/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0) - + -/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) @@ -52544,17 +52544,17 @@ index 169f236e8..bc47602c8 100644 
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t) type mongod_initrc_exec_t; init_script_file(mongod_initrc_exec_t) - + +type mongod_unit_file_t; +systemd_unit_file(mongod_unit_file_t) + type mongod_log_t; logging_log_file(mongod_log_t) - + @@ -21,41 +24,73 @@ files_type(mongod_var_lib_t) type mongod_var_run_t; files_pid_file(mongod_var_run_t) - + +type mongod_tmp_t; +files_tmp_file(mongod_tmp_t) + @@ -52562,12 +52562,12 @@ index 169f236e8..bc47602c8 100644 # # Local policy # - + -allow mongod_t self:process signal; + +allow mongod_t self:process { setsched signal execmem }; allow mongod_t self:fifo_file rw_fifo_file_perms; - + -manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) -append_files_pattern(mongod_t, mongod_log_t, mongod_log_t) -create_files_pattern(mongod_t, mongod_log_t, mongod_log_t) @@ -52580,12 +52580,12 @@ index 169f236e8..bc47602c8 100644 + +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) +logging_log_filetrans(mongod_t, mongod_log_t, { dir file }) - + manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) +allow mongod_t mongod_var_lib_t:file map; - + manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -files_pid_filetrans(mongod_t, mongod_var_run_t, dir) @@ -52596,13 +52596,13 @@ index 169f236e8..bc47602c8 100644 +manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) +manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) +files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) - + kernel_read_system_state(mongod_t) +kernel_read_vm_sysctls(mongod_t) + +corecmd_exec_bin(mongod_t) +corecmd_exec_shell(mongod_t) - + corenet_all_recvfrom_unlabeled(mongod_t) corenet_all_recvfrom_netlabel(mongod_t) corenet_tcp_sendrecv_generic_if(mongod_t) 
@@ -52610,14 +52610,14 @@ index 169f236e8..bc47602c8 100644 +corenet_tcp_connect_mongod_port(mongod_t) +corenet_tcp_bind_mongod_port(mongod_t) corenet_tcp_bind_generic_node(mongod_t) - + dev_read_sysfs(mongod_t) dev_read_urand(mongod_t) - + -files_read_etc_files(mongod_t) - fs_getattr_all_fs(mongod_t) - + -miscfiles_read_localization(mongod_t) +auth_use_nsswitch(mongod_t) + @@ -52642,25 +52642,25 @@ index a6a86439f..c0f6cf503 100644 @@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack }; # local policy # - + -userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file }) +userdom_filetrans_home_content(mono_t) - + init_dbus_chat_script(mono_t) - + diff --git a/monop.if b/monop.if index 8fdaecea2..544075765 100644 --- a/monop.if +++ b/monop.if @@ -31,7 +31,7 @@ interface(`monop_admin',` - role_transition $2 monopd_initrc_exec_t system_r; - allow $2 system_r; - + role_transition $2 monopd_initrc_exec_t system_r; + allow $2 system_r; + - logging_search_etc($1) + logging_search_logs($1) - admin_pattern($1, monopd_etc_t) - - files_search_pids($1) + admin_pattern($1, monopd_etc_t) + + files_search_pids($1) diff --git a/monop.te b/monop.te index 5f9376384..8596763e7 100644 --- a/monop.te @@ -52668,26 +52668,26 @@ index 5f9376384..8596763e7 100644 @@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t) kernel_list_proc(monopd_t) kernel_read_proc_symlinks(monopd_t) - + -corenet_all_recvfrom_unlabeled(monopd_t) corenet_all_recvfrom_netlabel(monopd_t) corenet_tcp_sendrecv_generic_if(monopd_t) corenet_tcp_sendrecv_generic_node(monopd_t) @@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t) - + domain_use_interactive_fds(monopd_t) - + -files_read_etc_files(monopd_t) - fs_getattr_all_fs(monopd_t) fs_search_auto_mountpoints(monopd_t) - + logging_send_syslog_msg(monopd_t) - + -miscfiles_read_localization(monopd_t) - sysnet_dns_name_resolve(monopd_t) - + userdom_dontaudit_use_unpriv_user_fds(monopd_t) 
diff --git a/motion.fc b/motion.fc new file mode 100644 @@ -53098,7 +53098,7 @@ index 6194b806b..ded39ae5c 100644 @@ -1,146 +1,75 @@ -## Policy for Mozilla and related web browsers. +## Policy for Mozilla and related web browsers - + ######################################## ## -## Role access for mozilla. @@ -53118,20 +53118,20 @@ index 6194b806b..ded39ae5c 100644 ## # interface(`mozilla_role',` - gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; + gen_require(` + type mozilla_t, mozilla_exec_t, mozilla_home_t; - type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t; - type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t; - attribute_role mozilla_roles; - ') - + attribute_role mozilla_roles; + ') + - ######################################## - # - # Declarations - # - - roleattribute $1 mozilla_roles; - + roleattribute $1 mozilla_roles; + - ######################################## - # - # Policy @@ -53144,16 +53144,16 @@ index 6194b806b..ded39ae5c 100644 + allow mozilla_t $2:fd use; + allow mozilla_t $2:process { sigchld signull }; + allow mozilla_t $2:unix_stream_socket connectto; - + - allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms }; + # Allow the user domain to signal/ps. - ps_process_pattern($2, mozilla_t) + ps_process_pattern($2, mozilla_t) - - allow mozilla_t $2:process signull; - allow mozilla_t $2:unix_stream_socket connectto; + allow $2 mozilla_t:process signal_perms; - - allow $2 mozilla_t:fd use; + + allow $2 mozilla_t:fd use; - allow $2 mozilla_t:shm rw_shm_perms; - - stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t) @@ -53168,7 +53168,7 @@ index 6194b806b..ded39ae5c 100644 + allow $2 mozilla_t:shm { associate getattr }; + allow $2 mozilla_t:shm { unix_read unix_write }; + allow $2 mozilla_t:unix_stream_socket connectto; - + - filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") + # X access, Home files + manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t) 
@@ -53177,26 +53177,26 @@ index 6194b806b..ded39ae5c 100644 + relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) + relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - + - allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + #should be remove then with adding of roleattribute + mozilla_run_plugin(mozilla_t, $1) + mozilla_dbus_chat($2) - + - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + userdom_manage_tmp_role($1, mozilla_t) - - optional_policy(` + + optional_policy(` - mozilla_dbus_chat($2) + nsplugin_role($1, mozilla_t) - ') + ') -') - + -######################################## -## -## Role access for mozilla plugin. @@ -53220,15 +53220,15 @@ index 6194b806b..ded39ae5c 100644 + pulseaudio_role($1, mozilla_t) + pulseaudio_filetrans_admin_home_content(mozilla_t) + pulseaudio_filetrans_home_content(mozilla_t) - ') - + ') + - mozilla_run_plugin($2, $1) - mozilla_run_plugin_config($2, $1) - - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) + mozilla_filetrans_home_content($2) - + - allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms; - allow $2 mozilla_plugin_t:fd use; - 
@@ -53267,7 +53267,7 @@ index 6194b806b..ded39ae5c 100644 - mozilla_dbus_chat_plugin($2) - ') ') - + ######################################## ## -## Read mozilla home directory content. @@ -53276,16 +53276,16 @@ index 6194b806b..ded39ae5c 100644 ## ## @@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',` - type mozilla_home_t; - ') - + type mozilla_home_t; + ') + - userdom_search_user_home_dirs($1) - allow $1 mozilla_home_t:dir list_dir_perms; - allow $1 mozilla_home_t:file read_file_perms; - allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; + allow $1 mozilla_home_t:dir list_dir_perms; + allow $1 mozilla_home_t:file read_file_perms; + allow $1 mozilla_home_t:lnk_file read_lnk_file_perms; + userdom_search_user_home_dirs($1) ') - + ######################################## ## -## Write mozilla home directory files. @@ -53294,14 +53294,14 @@ index 6194b806b..ded39ae5c 100644 ## ## @@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',` - type mozilla_home_t; - ') - + type mozilla_home_t; + ') + - userdom_search_user_home_dirs($1) - write_files_pattern($1, mozilla_home_t, mozilla_home_t) + write_files_pattern($1, mozilla_home_t, mozilla_home_t) + userdom_search_user_home_dirs($1) ') - + ######################################## ## -## Do not audit attempts to read and @@ -53311,13 +53311,13 @@ index 6194b806b..ded39ae5c 100644 ## ## @@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',` - type mozilla_home_t; - ') - + type mozilla_home_t; + ') + - dontaudit $1 mozilla_home_t:file rw_file_perms; + dontaudit $1 mozilla_home_t:file rw_inherited_file_perms; ') - + ######################################## ## -## Do not audit attempt to Create, @@ -53328,12 +53328,12 @@ index 6194b806b..ded39ae5c 100644 ## ## 
@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',` - - dontaudit $1 mozilla_home_t:dir manage_dir_perms; - dontaudit $1 mozilla_home_t:file manage_file_perms; + + dontaudit $1 mozilla_home_t:dir manage_dir_perms; + dontaudit $1 mozilla_home_t:file manage_file_perms; - dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms; ') - + ######################################## ## -## Execute mozilla home directory files. (Deprecated) @@ -53360,16 +53360,16 @@ index 6194b806b..ded39ae5c 100644 -## -# -interface(`mozilla_exec_user_plugin_home_files',` - gen_require(` + gen_require(` - type mozilla_home_t, mozilla_plugin_home_t; + type mozilla_home_t; - ') - + ') + - userdom_search_user_home_dirs($1) - exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) + can_exec($1, mozilla_home_t) ') - + ######################################## ## -## Mozilla home directory file @@ -53390,7 +53390,7 @@ index 6194b806b..ded39ae5c 100644 + + allow $1 mozilla_home_t:file execmod; ') - + ######################################## ## -## Mozilla plugin home directory file @@ -53406,15 +53406,15 @@ index 6194b806b..ded39ae5c 100644 # -interface(`mozilla_execmod_user_plugin_home_files',` +interface(`mozilla_domtrans',` - gen_require(` + gen_require(` - type mozilla_plugin_home_t; + type mozilla_t, mozilla_exec_t; - ') - + ') + - allow $1 mozilla_plugin_home_t:file execmod; + domtrans_pattern($1, mozilla_exec_t, mozilla_t) ') - + ######################################## ## -## Run mozilla in the mozilla domain. 
@@ -53433,17 +53433,17 @@ index 6194b806b..ded39ae5c 100644 # -interface(`mozilla_domtrans',` +interface(`mozilla_domtrans_spec',` - gen_require(` + gen_require(` - type mozilla_t, mozilla_exec_t; + type mozilla_exec_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_exec_t, mozilla_t) + domain_entry_file($2, mozilla_exec_t) + domtrans_pattern($1, mozilla_exec_t, $2) ') - + ######################################## ## -## Execute a domain transition to @@ -53458,15 +53458,15 @@ index 6194b806b..ded39ae5c 100644 ## # interface(`mozilla_domtrans_plugin',` - gen_require(` - type mozilla_plugin_t, mozilla_plugin_exec_t; + gen_require(` + type mozilla_plugin_t, mozilla_plugin_exec_t; + type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; + type mozilla_plugin_rw_t; + class dbus send_msg; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) + domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) + allow mozilla_plugin_t $1:process signull; + dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms; @@ -53496,7 +53496,7 @@ index 6194b806b..ded39ae5c 100644 + + allow mozilla_plugin_t $1:process signull; ') - + ######################################## ## -## Execute mozilla plugin in the @@ -53520,17 +53520,17 @@ index 6194b806b..ded39ae5c 100644 ## # interface(`mozilla_run_plugin',` - gen_require(` + gen_require(` - attribute_role mozilla_plugin_roles; + type mozilla_plugin_t; + attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles; - ') - - mozilla_domtrans_plugin($1) - roleattribute $2 mozilla_plugin_roles; + ') + + mozilla_domtrans_plugin($1) + roleattribute $2 mozilla_plugin_roles; -') + roleattribute $2 mozilla_plugin_config_roles; - + -######################################## -## -## Execute a domain transition to 
@@ -53547,15 +53547,15 @@ index 6194b806b..ded39ae5c 100644 - type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; + tunable_policy(`deny_ptrace',`',` + allow $1 mozilla_plugin_t:process ptrace; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) + optional_policy(` + lpd_run_lpr(mozilla_plugin_t, $2) + ') ') - + -######################################## +####################################### ## @@ -53588,16 +53588,16 @@ index 6194b806b..ded39ae5c 100644 + gen_require(` + attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles; + ') - + - mozilla_domtrans_plugin_config($1) - roleattribute $2 mozilla_plugin_config_roles; + roleattribute $1 mozilla_plugin_roles; + roleattribute $1 mozilla_plugin_config_roles; ') - + ######################################## @@ -424,8 +349,7 @@ interface(`mozilla_dbus_chat',` - + ######################################## ## -## Send and receive messages from @@ -53612,12 +53612,12 @@ index 6194b806b..ded39ae5c 100644 # -interface(`mozilla_dbus_chat_plugin',` +interface(`mozilla_rw_tcp_sockets',` - gen_require(` + gen_require(` - type mozilla_plugin_t; - class dbus send_msg; + type mozilla_t; - ') - + ') + - allow $1 mozilla_plugin_t:dbus send_msg; - allow mozilla_plugin_t $1:dbus send_msg; + allow $1 mozilla_t:tcp_socket rw_socket_perms; @@ -53658,7 +53658,7 @@ index 6194b806b..ded39ae5c 100644 + + rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) ') - + ######################################## ## -## Read and write mozilla TCP sockets. @@ -53673,11 +53673,11 @@ index 6194b806b..ded39ae5c 100644 # -interface(`mozilla_rw_tcp_sockets',` +interface(`mozilla_plugin_delete_tmpfs_files',` - gen_require(` + gen_require(` - type mozilla_t; + type mozilla_plugin_tmpfs_t; - ') - + ') + - allow $1 mozilla_t:tcp_socket rw_socket_perms; + allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; +') 
@@ -53717,7 +53717,7 @@ index 6194b806b..ded39ae5c 100644 + + allow $1 mozilla_plugin_t:sem { associate unix_read unix_write }; ') - + ######################################## ## -## Create, read, write, and delete @@ -53733,11 +53733,11 @@ index 6194b806b..ded39ae5c 100644 # -interface(`mozilla_manage_plugin_rw_files',` +interface(`mozilla_plugin_dontaudit_leaks',` - gen_require(` + gen_require(` - type mozilla_plugin_rw_t; + type mozilla_plugin_t; - ') - + ') + - libs_search_lib($1) - manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; @@ -53778,7 +53778,7 @@ index 6194b806b..ded39ae5c 100644 + + dontaudit $1 mozilla_plugin_tmp_t:file { read write }; ') - + ######################################## ## -## Read mozilla_plugin tmpfs files. @@ -53793,17 +53793,17 @@ index 6194b806b..ded39ae5c 100644 # -interface(`mozilla_plugin_read_tmpfs_files',` +interface(`mozilla_plugin_manage_rw_files',` - gen_require(` + gen_require(` - type mozilla_plugin_tmpfs_t; + type mozilla_plugin_rw_t; - ') - + ') + - fs_search_tmpfs($1) - allow $1 mozilla_plugin_tmpfs_t:file read_file_perms; + allow $1 mozilla_plugin_rw_t:file manage_file_perms; + allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; ') - + ######################################## ## -## Delete mozilla_plugin tmpfs files. @@ -53817,16 +53817,16 @@ index 6194b806b..ded39ae5c 100644 # -interface(`mozilla_plugin_delete_tmpfs_files',` +interface(`mozilla_plugin_read_rw_files',` - gen_require(` + gen_require(` - type mozilla_plugin_tmpfs_t; + type mozilla_plugin_rw_t; - ') - + ') + - fs_search_tmpfs($1) - allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; + read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ') - + ######################################## ## -## Create, read, write, and delete 
@@ -53843,11 +53843,11 @@ index 6194b806b..ded39ae5c 100644 -interface(`mozilla_manage_generic_plugin_home_content',` +interface(`mozilla_filetrans_home_content',` + - gen_require(` + gen_require(` - type mozilla_plugin_home_t; + type mozilla_home_t, mozilla_plugin_rw_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 mozilla_plugin_home_t:dir manage_dir_perms; - allow $1 mozilla_plugin_home_t:file manage_file_perms; @@ -53884,7 +53884,7 @@ index 6194b806b..ded39ae5c 100644 + gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web") + ') ') - + ######################################## ## -## Create objects in user home @@ -53910,11 +53910,11 @@ index 6194b806b..ded39ae5c 100644 # -interface(`mozilla_home_filetrans_plugin_home',` +interface(`mozilla_plugin_read_state',` - gen_require(` + gen_require(` - type mozilla_plugin_home_t; + type mozilla_plugin_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3) + kernel_search_proc($1) + ps_process_pattern($1, mozilla_plugin_t) @@ -53926,7 +53926,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) # - + ## -##

    -## Determine whether mozilla can @@ -53974,11 +53974,11 @@ index 11ac8e4fc..e2a8b27f6 100644 +##

    +##
    +gen_tunable(mozilla_read_content, false) - + attribute_role mozilla_roles; attribute_role mozilla_plugin_roles; attribute_role mozilla_plugin_config_roles; - + +roleattribute system_r mozilla_roles; +roleattribute system_r mozilla_plugin_roles; +roleattribute system_r mozilla_plugin_config_roles; @@ -53989,7 +53989,7 @@ index 11ac8e4fc..e2a8b27f6 100644 @@ -24,6 +63,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) role mozilla_roles types mozilla_t; - + +type mozilla_conf_t; +files_config_file(mozilla_conf_t) + @@ -53997,43 +53997,43 @@ index 11ac8e4fc..e2a8b27f6 100644 typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; @@ -31,28 +73,24 @@ userdom_user_home_content(mozilla_home_t) - + type mozilla_plugin_t; type mozilla_plugin_exec_t; -userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) role mozilla_plugin_roles types mozilla_plugin_t; - + -type mozilla_plugin_home_t; -userdom_user_home_content(mozilla_plugin_home_t) - type mozilla_plugin_tmp_t; +userdom_user_tmp_content(mozilla_plugin_tmp_t) userdom_user_tmp_file(mozilla_plugin_tmp_t) - + type mozilla_plugin_tmpfs_t; +userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t) userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t) - + -optional_policy(` - pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) -') - type mozilla_plugin_rw_t; files_type(mozilla_plugin_rw_t) - + type mozilla_plugin_config_t; type mozilla_plugin_config_exec_t; -userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) +application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) +role mozilla_roles types mozilla_plugin_config_t; role mozilla_plugin_config_roles types mozilla_plugin_config_t; - + type mozilla_tmp_t; 
@@ -63,10 +101,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) - + -optional_policy(` - pulseaudio_tmpfs_content(mozilla_tmpfs_t) -') @@ -54054,12 +54054,12 @@ index 11ac8e4fc..e2a8b27f6 100644 +# Browse the web, connect to printer +allow mozilla_t self:tcp_socket create_socket_perms; +allow mozilla_t self:netlink_route_socket r_netlink_socket_perms; - + -allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms; -allow mozilla_t mozilla_plugin_t:fd use; +# for bash - old mozilla binary +can_exec(mozilla_t, mozilla_exec_t) - + -allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms; -allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms; -allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms; @@ -54072,17 +54072,17 @@ index 11ac8e4fc..e2a8b27f6 100644 +manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t) +userdom_search_user_home_dirs(mozilla_t) - + -filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +# Mozpluggerrc +allow mozilla_t mozilla_conf_t:file read_file_perms; - + manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t) -files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) +# mozilla will manage user_tmp_t, so it will transition to it. +#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir }) - + manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) 
@@ -54097,19 +54097,19 @@ index 11ac8e4fc..e2a8b27f6 100644 - -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t }) +allow mozilla_plugin_t mozilla_tmpfs_t:file map; - + kernel_read_kernel_sysctls(mozilla_t) kernel_read_network_state(mozilla_t) +# Access /proc, sysctl kernel_read_system_state(mozilla_t) kernel_read_net_sysctls(mozilla_t) - + +# Look for plugins corecmd_list_bin(mozilla_t) +# for bash - old mozilla binary corecmd_exec_shell(mozilla_t) corecmd_exec_bin(mozilla_t) - + -corenet_all_recvfrom_unlabeled(mozilla_t) +# Browse the web, connect to printer corenet_all_recvfrom_netlabel(mozilla_t) @@ -54161,7 +54161,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +corenet_dontaudit_tcp_bind_generic_port(mozilla_t) corenet_tcp_connect_speech_port(mozilla_t) -corenet_tcp_sendrecv_speech_port(mozilla_t) - + -dev_getattr_sysfs_dirs(mozilla_t) -dev_read_sound(mozilla_t) -dev_read_rand(mozilla_t) @@ -54172,9 +54172,9 @@ index 11ac8e4fc..e2a8b27f6 100644 +dev_read_sound(mozilla_t) +dev_dontaudit_rw_dri(mozilla_t) +dev_getattr_sysfs_dirs(mozilla_t) - + domain_dontaudit_read_all_domains_state(mozilla_t) - + files_read_etc_runtime_files(mozilla_t) -files_read_usr_files(mozilla_t) -files_read_var_files(mozilla_t) @@ -54184,29 +54184,29 @@ index 11ac8e4fc..e2a8b27f6 100644 +files_read_var_files(mozilla_t) files_read_var_symlinks(mozilla_t) files_dontaudit_getattr_boot_dirs(mozilla_t) - + -fs_getattr_all_fs(mozilla_t) +fs_dontaudit_getattr_all_fs(mozilla_t) fs_search_auto_mountpoints(mozilla_t) fs_list_inotifyfs(mozilla_t) -fs_rw_tmpfs_files(mozilla_t) +fs_rw_inherited_tmpfs_files(mozilla_t) - + term_dontaudit_getattr_pty_dirs(mozilla_t) - + 
@@ -181,56 +212,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) - + miscfiles_read_fonts(mozilla_t) -miscfiles_read_localization(mozilla_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) - + -userdom_use_user_ptys(mozilla_t) - -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) +userdom_use_inherited_user_ptys(mozilla_t) - + -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) @@ -54216,11 +54216,11 @@ index 11ac8e4fc..e2a8b27f6 100644 -mozilla_run_plugin(mozilla_t, mozilla_roles) -mozilla_run_plugin_config(mozilla_t, mozilla_roles) +#mozilla_run_plugin(mozilla_t, mozilla_roles) - + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) - + -ifndef(`enable_mls',` - fs_list_dos(mozilla_t) - fs_read_dos_files(mozilla_t) @@ -54233,12 +54233,12 @@ index 11ac8e4fc..e2a8b27f6 100644 +tunable_policy(`selinuxuser_execstack',` + allow mozilla_t self:process execstack; ') - + -tunable_policy(`allow_execmem',` +tunable_policy(`deny_execmem',`',` - allow mozilla_t self:process execmem; + allow mozilla_t self:process execmem; ') - + -tunable_policy(`mozilla_execstack',` - allow mozilla_t self:process { execmem execstack }; -') @@ -54303,18 +54303,18 @@ index 11ac8e4fc..e2a8b27f6 100644 + userdom_dontaudit_list_user_home_dirs(mozilla_t) + userdom_dontaudit_read_user_home_content_files(mozilla_t) ') - + optional_policy(` @@ -244,19 +292,12 @@ optional_policy(` - + optional_policy(` - cups_read_rw_config(mozilla_t) + cups_read_rw_config(mozilla_t) + cups_dbus_chat(mozilla_t) ') - + optional_policy(` - dbus_all_session_bus_client(mozilla_t) - dbus_system_bus_client(mozilla_t) + dbus_system_bus_client(mozilla_t) - - optional_policy(` - cups_dbus_chat(mozilla_t) 
@@ -54324,13 +54324,13 @@ index 11ac8e4fc..e2a8b27f6 100644 - mozilla_dbus_chat_plugin(mozilla_t) - ') + dbus_session_bus_client(mozilla_t) - - optional_policy(` - networkmanager_dbus_chat(mozilla_t) + + optional_policy(` + networkmanager_dbus_chat(mozilla_t) @@ -265,33 +306,32 @@ optional_policy(` - + optional_policy(` - gnome_stream_connect_gconf(mozilla_t) + gnome_stream_connect_gconf(mozilla_t) - gnome_manage_generic_gconf_home_content(mozilla_t) - gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf") - gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd") @@ -54345,27 +54345,27 @@ index 11ac8e4fc..e2a8b27f6 100644 +optional_policy(` + java_domtrans(mozilla_t) ') - + optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") + lpd_domtrans_lpr(mozilla_t) ') - + optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) + mplayer_domtrans(mozilla_t) + mplayer_read_user_home_files(mozilla_t) ') - + optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") + nscd_socket_use(mozilla_t) ') - + optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) + #pulseaudio_role(mozilla_roles, mozilla_t) @@ -54373,16 +54373,16 @@ index 11ac8e4fc..e2a8b27f6 100644 + pulseaudio_stream_connect(mozilla_t) + pulseaudio_manage_home_files(mozilla_t) ') - + optional_policy(` @@ -300,259 +340,261 @@ optional_policy(` - + ######################################## # -# Plugin local policy +# mozilla_plugin local policy # - + -dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config }; -allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit }; -allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; 
@@ -54435,7 +54435,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) - + manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -54446,7 +54446,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) +userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) - + manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) 
@@ -54454,20 +54454,20 @@ index 11ac8e4fc..e2a8b27f6 100644 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +userdom_manage_home_texlive(mozilla_plugin_t) +allow mozilla_plugin_t mozilla_plugin_tmpfs_t:file map; - + -allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - + -dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) - + -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) - + kernel_read_all_sysctls(mozilla_plugin_t) kernel_read_system_state(mozilla_plugin_t) kernel_read_network_state(mozilla_plugin_t) @@ -54476,12 +54476,12 @@ index 11ac8e4fc..e2a8b27f6 100644 +files_dontaudit_read_root_files(mozilla_plugin_t) +kernel_dontaudit_list_all_proc(mozilla_plugin_t) +kernel_dontaudit_list_all_sysctls(mozilla_plugin_t) - + corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) +corecmd_dontaudit_access_all_executables(mozilla_plugin_t) +corecmd_getattr_all_executables(mozilla_plugin_t) - + -corenet_all_recvfrom_netlabel(mozilla_plugin_t) -corenet_all_recvfrom_unlabeled(mozilla_plugin_t) -corenet_tcp_sendrecv_generic_if(mozilla_plugin_t) 
@@ -54563,7 +54563,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +corenet_udp_bind_generic_node(mozilla_plugin_t) +corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t) +corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t) - + -dev_read_generic_usb_dev(mozilla_plugin_t) +dev_dontaudit_append_rand(mozilla_plugin_t) dev_read_rand(mozilla_plugin_t) @@ -54586,17 +54586,17 @@ index 11ac8e4fc..e2a8b27f6 100644 +dev_dontaudit_read_mtrr(mozilla_plugin_t) +dev_map_video_dev(mozilla_plugin_t) +xserver_dri_domain(mozilla_plugin_t) - + -dev_dontaudit_getattr_generic_files(mozilla_plugin_t) -dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t) -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) +dev_dontaudit_leaked_xserver_misc(mozilla_plugin_t) - + domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) - + -files_exec_usr_files(mozilla_plugin_t) -files_list_mnt(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) @@ -54605,7 +54605,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +files_exec_usr_files(mozilla_plugin_t) +fs_rw_inherited_tmpfs_files(mozilla_plugin_t) +files_dontaudit_all_access_check(mozilla_plugin_t) - + fs_getattr_all_fs(mozilla_plugin_t) -# fs_read_hugetlbfs_files(mozilla_plugin_t) -fs_search_auto_mountpoints(mozilla_plugin_t) 
@@ -54613,38 +54613,38 @@ index 11ac8e4fc..e2a8b27f6 100644 +fs_read_noxattr_fs_files(mozilla_plugin_t) +fs_read_hugetlbfs_files(mozilla_plugin_t) +fs_exec_hugetlbfs_files(mozilla_plugin_t) - + -term_getattr_all_ttys(mozilla_plugin_t) -term_getattr_all_ptys(mozilla_plugin_t) +storage_raw_read_removable_device(mozilla_plugin_t) +fs_read_removable_files(mozilla_plugin_t) +fs_read_removable_symlinks(mozilla_plugin_t) - + application_exec(mozilla_plugin_t) +application_dontaudit_signull(mozilla_plugin_t) - + auth_use_nsswitch(mozilla_plugin_t) - + +init_dontaudit_getattr_initctl(mozilla_plugin_t) +init_read_all_script_files(mozilla_plugin_t) + libs_exec_ld_so(mozilla_plugin_t) libs_exec_lib_files(mozilla_plugin_t) +libs_legacy_use_shared_libs(mozilla_plugin_t) - + logging_send_syslog_msg(mozilla_plugin_t) - + -miscfiles_read_localization(mozilla_plugin_t) miscfiles_read_fonts(mozilla_plugin_t) miscfiles_read_generic_certs(mozilla_plugin_t) +miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) - + -userdom_manage_user_tmp_dirs(mozilla_plugin_t) -userdom_manage_user_tmp_files(mozilla_plugin_t) +systemd_read_logind_sessions_files(mozilla_plugin_t) - + -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) @@ -54654,7 +54654,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +term_getattr_all_ptys(mozilla_plugin_t) +term_getattr_ptmx(mozilla_plugin_t) +term_dontaudit_use_ptmx(mozilla_plugin_t) - + +userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) userdom_dontaudit_use_user_terminals(mozilla_plugin_t) +userdom_manage_user_tmp_sockets(mozilla_plugin_t) 
@@ -54667,7 +54667,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +userdom_stream_connect(mozilla_plugin_t) +userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t) +userdom_map_user_home_files(mozilla_plugin_t) - + -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) - fs_read_dos_files(mozilla_plugin_t) @@ -54676,23 +54676,23 @@ index 11ac8e4fc..e2a8b27f6 100644 +userdom_read_home_certs(mozilla_plugin_t) +userdom_read_home_audio_files(mozilla_plugin_t) +userdom_exec_user_tmp_files(mozilla_plugin_t) - + - fs_search_removable(mozilla_plugin_t) - fs_read_removable_files(mozilla_plugin_t) - fs_read_removable_symlinks(mozilla_plugin_t) +userdom_home_manager(mozilla_plugin_t) - + - fs_read_iso9660_files(mozilla_plugin_t) +tunable_policy(`mozilla_plugin_can_network_connect',` + corenet_tcp_connect_all_ports(mozilla_plugin_t) ') - + -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process execmem; +optional_policy(` + abrt_stream_connect(mozilla_plugin_t) ') - + -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; +optional_policy(` @@ -54700,7 +54700,7 @@ index 11ac8e4fc..e2a8b27f6 100644 + alsa_read_rw_config(mozilla_plugin_config_t) + alsa_read_home_files(mozilla_plugin_t) ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) @@ -54708,7 +54708,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +optional_policy(` + apache_list_modules(mozilla_plugin_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_plugin_t) - fs_manage_cifs_files(mozilla_plugin_t) 
@@ -54716,22 +54716,22 @@ index 11ac8e4fc..e2a8b27f6 100644 +optional_policy(` + bluetooth_stream_connect(mozilla_plugin_t) ') - + optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) - alsa_read_home_files(mozilla_plugin_t) + bumblebee_stream_connect(mozilla_plugin_t) ') - + optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) + cups_stream_connect(mozilla_plugin_t) ') - + optional_policy(` - dbus_all_session_bus_client(mozilla_plugin_t) - dbus_connect_all_session_bus(mozilla_plugin_t) - dbus_system_bus_client(mozilla_plugin_t) + dbus_system_bus_client(mozilla_plugin_t) + dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) @@ -54747,7 +54747,7 @@ index 11ac8e4fc..e2a8b27f6 100644 + gnome_filetrans_home_content(mozilla_plugin_t) + gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') - + optional_policy(` - gnome_manage_generic_home_content(mozilla_plugin_t) - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") @@ -54755,20 +54755,20 @@ index 11ac8e4fc..e2a8b27f6 100644 - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') - + optional_policy(` - java_exec(mozilla_plugin_t) + java_exec(mozilla_plugin_t) - java_manage_generic_home_content(mozilla_plugin_t) - java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java") ') - + optional_policy(` - lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles) + mplayer_exec(mozilla_plugin_t) + mplayer_manage_generic_home_content(mozilla_plugin_t) + mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer") ') - + optional_policy(` - mplayer_exec(mozilla_plugin_t) - mplayer_manage_generic_home_content(mozilla_plugin_t) @@ -54780,11 +54780,11 @@ index 11ac8e4fc..e2a8b27f6 100644 + pulseaudio_manage_home_files(mozilla_plugin_t) + pulseaudio_manage_home_symlinks(mozilla_plugin_t) ') - + optional_policy(` 
@@ -560,7 +602,11 @@ optional_policy(` ') - + optional_policy(` - pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) + policykit_dbus_chat(mozilla_plugin_t) @@ -54793,18 +54793,18 @@ index 11ac8e4fc..e2a8b27f6 100644 +optional_policy(` + rtkit_scheduled(mozilla_plugin_t) ') - + optional_policy(` @@ -568,108 +614,144 @@ optional_policy(` ') - + optional_policy(` - xserver_read_user_xauth(mozilla_plugin_t) + xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) + xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) - xserver_read_xdm_pid(mozilla_plugin_t) - xserver_stream_connect(mozilla_plugin_t) - xserver_use_user_fonts(mozilla_plugin_t) + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) + xserver_use_user_fonts(mozilla_plugin_t) - xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) + xserver_read_user_iceauth(mozilla_plugin_t) + xserver_read_user_xauth(mozilla_plugin_t) @@ -54813,13 +54813,13 @@ index 11ac8e4fc..e2a8b27f6 100644 + xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t) + xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t) ') - + ######################################## # -# Plugin config local policy +# mozilla_plugin_config local policy # - + allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; 
@@ -54833,7 +54833,7 @@ index 11ac8e4fc..e2a8b27f6 100644 -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) +allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - + -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla") -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape") @@ -54849,20 +54849,20 @@ index 11ac8e4fc..e2a8b27f6 100644 -userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata") +allow mozilla_plugin_config_t self:fifo_file rw_file_perms; +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; - + -filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins") +ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) - + -can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t }) +dev_read_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) +dev_dontaudit_read_rand(mozilla_plugin_config_t) +dev_dontaudit_rw_dri(mozilla_plugin_config_t) - + -ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t) +fs_search_auto_mountpoints(mozilla_plugin_config_t) +fs_list_inotifyfs(mozilla_plugin_config_t) - + -kernel_read_system_state(mozilla_plugin_config_t) -kernel_request_load_module(mozilla_plugin_config_t) +can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) 
@@ -54883,35 +54883,35 @@ index 11ac8e4fc..e2a8b27f6 100644 +userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file }) +mozilla_filetrans_home_content(mozilla_plugin_config_t) +dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom; - + corecmd_exec_bin(mozilla_plugin_config_t) corecmd_exec_shell(mozilla_plugin_config_t) - + -dev_read_urand(mozilla_plugin_config_t) -dev_rw_dri(mozilla_plugin_config_t) -dev_search_sysfs(mozilla_plugin_config_t) -dev_dontaudit_read_rand(mozilla_plugin_config_t) +kernel_read_system_state(mozilla_plugin_config_t) +kernel_request_load_module(mozilla_plugin_config_t) - + domain_use_interactive_fds(mozilla_plugin_config_t) - + -files_list_tmp(mozilla_plugin_config_t) -files_read_usr_files(mozilla_plugin_config_t) files_dontaudit_search_home(mozilla_plugin_config_t) +files_list_tmp(mozilla_plugin_config_t) - + fs_getattr_all_fs(mozilla_plugin_config_t) -fs_search_auto_mountpoints(mozilla_plugin_config_t) -fs_list_inotifyfs(mozilla_plugin_config_t) + +term_dontaudit_use_ptmx(mozilla_plugin_config_t) - + auth_use_nsswitch(mozilla_plugin_config_t) - + -miscfiles_read_localization(mozilla_plugin_config_t) miscfiles_read_fonts(mozilla_plugin_config_t) - + +userdom_search_user_home_content(mozilla_plugin_config_t) userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) userdom_read_user_home_content_files(mozilla_plugin_config_t) @@ -54927,17 +54927,17 @@ index 11ac8e4fc..e2a8b27f6 100644 +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(mozilla_plugin_config_t) +') - + -userdom_use_user_ptys(mozilla_plugin_config_t) +optional_policy(` + gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) +') - + -mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) +optional_policy(` + xserver_use_user_fonts(mozilla_plugin_config_t) +') - + -tunable_policy(`allow_execmem',` - allow mozilla_plugin_config_t self:process execmem; +ifdef(`distro_redhat',` 
@@ -54949,7 +54949,7 @@ index 11ac8e4fc..e2a8b27f6 100644 + typealias mozilla_plugin_config_t alias nsplugin_config_t; + typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; ') - + -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_config_t self:process { execmem execstack }; +#tunable_policy(`mozilla_plugin_enable_homedirs',` @@ -54963,7 +54963,7 @@ index 11ac8e4fc..e2a8b27f6 100644 +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(mozilla_plugin_t) ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_config_t) - fs_manage_nfs_files(mozilla_plugin_config_t) @@ -54973,7 +54973,7 @@ index 11ac8e4fc..e2a8b27f6 100644 + dev_setattr_generic_usb_dev(mozilla_plugin_t) + corenet_tcp_bind_vnc_port(mozilla_plugin_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_plugin_config_t) - fs_manage_cifs_files(mozilla_plugin_config_t) @@ -54982,7 +54982,7 @@ index 11ac8e4fc..e2a8b27f6 100644 + fs_manage_dos_dirs(mozilla_plugin_t) + fs_manage_dos_files(mozilla_plugin_t) ') - + -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_bluejeans',` @@ -54992,7 +54992,7 @@ index 11ac8e4fc..e2a8b27f6 100644 + corenet_dontaudit_udp_bind_all_ports(mozilla_plugin_t) + corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t) ') - + -optional_policy(` - xserver_use_user_fonts(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_bind_unreserved_ports',` @@ -55007,11 +55007,11 @@ index 313ce521c..ae93e07eb 100644 +HOME_DIR/\.mpd(/.*)? gen_context(system_u:object_r:mpd_home_t,s0) + /etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0) - + /etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0) 
@@ -9,3 +11,5 @@ /var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0) - + /var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0) + +/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0) @@ -55020,9 +55020,9 @@ index 5fa77c7e6..2e01c7d0a 100644 --- a/mpd.if +++ b/mpd.if @@ -320,6 +320,25 @@ interface(`mpd_manage_lib_dirs',` - manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) + manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) ') - + +######################################## +## +## Connect to mpd over a unix stream socket. @@ -55046,20 +55046,20 @@ index 5fa77c7e6..2e01c7d0a 100644 ## ## All of the rules required to @@ -344,9 +363,13 @@ interface(`mpd_admin',` - type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; - ') - + type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; + ') + - allow $1 mpd_t:process { ptrace signal_perms }; + allow $1 mpd_t:process signal_perms; - ps_process_pattern($1, mpd_t) - + ps_process_pattern($1, mpd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 mpd_t:process ptrace; + ') + - mpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 mpd_initrc_exec_t system_r; + mpd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te index fe7252355..062ad640a 100644 --- a/mpd.te @@ -55067,7 +55067,7 @@ index fe7252355..062ad640a 100644 @@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) type mpd_user_data_t; userdom_user_home_content(mpd_user_data_t) # customizable - + +type mpd_home_t; +userdom_user_home_content(mpd_home_t) + @@ -55078,7 +55078,7 @@ index fe7252355..062ad640a 100644 # # Local policy # - + -allow mpd_t self:capability { dac_override kill setgid setuid }; +allow mpd_t self:capability { dac_read_search dac_override kill setgid setuid }; allow mpd_t self:process { getsched setsched setrlimit signal signull setcap }; 
@@ -55088,13 +55088,13 @@ index fe7252355..062ad640a 100644 allow mpd_t self:tcp_socket { accept listen }; allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow mpd_t self:unix_dgram_socket { create_socket_perms sendto }; - + allow mpd_t mpd_data_t:dir manage_dir_perms; allow mpd_t mpd_data_t:file manage_file_perms; @@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir) - + +manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) +manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) +manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t) @@ -55108,9 +55108,9 @@ index fe7252355..062ad640a 100644 kernel_getattr_proc(mpd_t) kernel_read_system_state(mpd_t) kernel_read_kernel_sysctls(mpd_t) - + corecmd_exec_bin(mpd_t) - + -corenet_all_recvfrom_unlabeled(mpd_t) corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) @@ -55118,21 +55118,21 @@ index fe7252355..062ad640a 100644 @@ -139,9 +155,9 @@ dev_read_sound(mpd_t) dev_write_sound(mpd_t) dev_read_sysfs(mpd_t) - + -files_read_usr_files(mpd_t) - + fs_getattr_all_fs(mpd_t) +fs_getattr_all_dirs(mpd_t) fs_list_inotifyfs(mpd_t) fs_rw_anon_inodefs_files(mpd_t) fs_search_auto_mountpoints(mpd_t) @@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t) - + logging_send_syslog_msg(mpd_t) - + -miscfiles_read_localization(mpd_t) +userdom_home_reader(mpd_t) - + tunable_policy(`mpd_enable_homedirs',` - userdom_search_user_home_dirs(mpd_t) + userdom_stream_connect(mpd_t) @@ -55147,26 +55147,26 @@ index fe7252355..062ad640a 100644 + pulseaudio_read_home_files(mpd_t) + ') ') - + tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(mpd_t) - fs_read_nfs_symlinks(mpd_t) + fs_read_nfs_files(mpd_t) + fs_read_nfs_symlinks(mpd_t) + ') - + tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',` 
@@ -191,13 +218,23 @@ optional_policy(` ') - + optional_policy(` - pulseaudio_domtrans(mpd_t) + pulseaudio_exec(mpd_t) ') - + optional_policy(` - rpc_search_nfs_state_data(mpd_t) + rpc_search_nfs_state_data(mpd_t) ') - + +optional_policy(` + #needed by pulseaudio + systemd_read_logind_sessions_files(mpd_t) @@ -55178,15 +55178,15 @@ index fe7252355..062ad640a 100644 +') + optional_policy(` - udev_read_db(mpd_t) + udev_read_db(mpd_t) ') diff --git a/mplayer.if b/mplayer.if index 861d5e974..1c3d5a538 100644 --- a/mplayer.if +++ b/mplayer.if @@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',` - - userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) + + userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) ') + +######################################## @@ -55218,99 +55218,99 @@ index 0f03cd937..e3ed3933d 100644 ## -gen_tunable(allow_mplayer_execstack, false) +gen_tunable(mplayer_execstack, false) - + attribute_role mencoder_roles; attribute_role mplayer_roles; @@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t) dev_rwx_zero(mencoder_t) dev_read_video_dev(mencoder_t) - + -files_read_usr_files(mencoder_t) - + fs_search_auto_mountpoints(mencoder_t) - + @@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t) - + userdom_manage_user_home_content_dirs(mencoder_t) userdom_manage_user_home_content_files(mencoder_t) -userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file }) +userdom_filetrans_home_content(mencoder_t) - + ifndef(`enable_mls',` - fs_list_dos(mencoder_t) + fs_list_dos(mencoder_t) 
@@ -95,15 +94,15 @@ ifndef(`enable_mls',` - fs_read_iso9660_files(mencoder_t) + fs_read_iso9660_files(mencoder_t) ') - + -tunable_policy(`allow_execmem',` - allow mencoder_t self:process execmem; +tunable_policy(`deny_execmem',`',` + allow mencoder_t self:process execmem; ') - + -tunable_policy(`allow_execmod',` +tunable_policy(`selinuxuser_execmod',` - dev_execmod_zero(mencoder_t) + dev_execmod_zero(mencoder_t) ') - + -tunable_policy(`allow_mplayer_execstack',` +tunable_policy(`mplayer_execstack',` - allow mencoder_t self:process { execmem execstack }; + allow mencoder_t self:process { execmem execstack }; ') - + @@ -183,7 +182,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t) files_read_non_security_files(mplayer_t) files_list_home(mplayer_t) files_read_etc_runtime_files(mplayer_t) -files_read_usr_files(mplayer_t) - + fs_getattr_all_fs(mplayer_t) fs_search_auto_mountpoints(mplayer_t) @@ -204,7 +202,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file }) - + userdom_manage_user_home_content_dirs(mplayer_t) userdom_manage_user_home_content_files(mplayer_t) -userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file }) +userdom_filetrans_home_content(mplayer_t) - + userdom_write_user_tmp_sockets(mplayer_t) - + @@ -221,15 +219,15 @@ ifndef(`enable_mls',` - fs_read_iso9660_files(mplayer_t) + fs_read_iso9660_files(mplayer_t) ') - + -tunable_policy(`allow_execmem',` - allow mplayer_t self:process execmem; +tunable_policy(`deny_execmem',`',` + allow mplayer_t self:process execmem; ') - + -tunable_policy(`allow_execmod',` +tunable_policy(`selinuxuser_execmod',` - dev_execmod_zero(mplayer_t) + dev_execmod_zero(mplayer_t) ') - + -tunable_policy(`allow_mplayer_execstack',` +tunable_policy(`mplayer_execstack',` - allow mplayer_t self:process { execmem execstack }; + allow mplayer_t self:process { execmem execstack }; ') - + 
@@ -245,7 +243,7 @@ tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_symlinks(mplayer_t) + fs_manage_cifs_symlinks(mplayer_t) ') - + -tunable_policy(`allow_mplayer_execstack',` +tunable_policy(`mplayer_execstack',` - allow mplayer_t mplayer_tmpfs_t:file execute; + allow mplayer_t mplayer_tmpfs_t:file execute; ') - + diff --git a/mrtg.if b/mrtg.if index c595094a6..23464583b 100644 --- a/mrtg.if +++ b/mrtg.if @@ -1,5 +1,24 @@ ## Network traffic graphing. - + +######################################## +## +## Read mrtg lib files. @@ -55340,13 +55340,13 @@ index 65a246a52..fa8632064 100644 @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t) corecmd_exec_bin(mrtg_t) corecmd_exec_shell(mrtg_t) - + -corenet_all_recvfrom_unlabeled(mrtg_t) corenet_all_recvfrom_netlabel(mrtg_t) corenet_tcp_sendrecv_generic_if(mrtg_t) corenet_tcp_sendrecv_generic_node(mrtg_t) @@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t) - + files_getattr_tmp_dirs(mrtg_t) files_read_etc_runtime_files(mrtg_t) -files_read_usr_files(mrtg_t) @@ -55354,21 +55354,21 @@ index 65a246a52..fa8632064 100644 files_search_locks(mrtg_t) files_search_var_lib(mrtg_t) @@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t) - + logging_send_syslog_msg(mrtg_t) - + -miscfiles_read_localization(mrtg_t) - selinux_dontaudit_getattr_dir(mrtg_t) - + -userdom_use_user_terminals(mrtg_t) +userdom_use_inherited_user_terminals(mrtg_t) userdom_dontaudit_read_user_home_content_files(mrtg_t) userdom_dontaudit_use_unpriv_user_fds(mrtg_t) +userdom_dontaudit_list_admin_dir(mrtg_t) - + netutils_domtrans_ping(mrtg_t) - + diff --git a/mta.fc b/mta.fc index f42896cbf..fce39c1ce 100644 --- a/mta.fc 
@@ -55383,7 +55383,7 @@ index f42896cbf..fce39c1ce 100644 +HOME_DIR/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) +HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) - + -/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) - -/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) @@ -55411,19 +55411,19 @@ index f42896cbf..fce39c1ce 100644 +/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - + -/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) - + -/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - + /var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) - + -/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) @@ -55438,11 +55438,11 @@ index ed81cac5a..806055cba 100644 @@ -1,4 +1,4 @@ -## Common e-mail transfer agent policy. +## Policy common to all email tranfer agents. - + ######################################## ## @@ -18,23 +18,37 @@ interface(`mta_stub',` - + ####################################### ## -## The template to define a mail domain. 
@@ -55470,45 +55470,45 @@ index ed81cac5a..806055cba 100644 # template(`mta_base_mail_template',` + - gen_require(` - attribute user_mail_domain; - type sendmail_exec_t; - ') - + gen_require(` + attribute user_mail_domain; + type sendmail_exec_t; + ') + - ######################################## + ############################## - # + # - # Declarations + # $1_mail_t declarations - # - - type $1_mail_t, user_mail_domain; + # + + type $1_mail_t, user_mail_domain; @@ -43,17 +57,18 @@ template(`mta_base_mail_template',` - type $1_mail_tmp_t; - files_tmp_file($1_mail_tmp_t) - + type $1_mail_tmp_t; + files_tmp_file($1_mail_tmp_t) + - ######################################## - # - # Declarations - # - - manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) - files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) - + manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) + manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t) + files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir }) + + kernel_read_system_state($1_mail_t) + + corenet_all_recvfrom_netlabel($1_mail_t) + - auth_use_nsswitch($1_mail_t) - + auth_use_nsswitch($1_mail_t) + + logging_send_syslog_msg($1_mail_t) + - optional_policy(` - postfix_domtrans_user_mail_handler($1_mail_t) - ') + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) + ') @@ -61,61 +76,41 @@ template(`mta_base_mail_template',` - + ######################################## ## -## Role access for mta. @@ -55528,14 +55528,14 @@ index ed81cac5a..806055cba 100644 ## # interface(`mta_role',` - gen_require(` - attribute mta_user_agent; + gen_require(` + attribute mta_user_agent; - attribute_role user_mail_roles; - type user_mail_t, sendmail_exec_t, mail_home_t; - type user_mail_tmp_t, mail_home_rw_t; + type user_mail_t, sendmail_exec_t; - ') - + ') + - roleattribute $1 user_mail_roles; - - # this is something i need to fix 
@@ -55543,11 +55543,11 @@ index ed81cac5a..806055cba 100644 - # will role attribute work? - role $1 types mta_user_agent; + role $1 types { user_mail_t mta_user_agent }; - + + # Transition from the user domain to the derived domain. - domtrans_pattern($2, sendmail_exec_t, user_mail_t) - allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; - + domtrans_pattern($2, sendmail_exec_t, user_mail_t) + allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms; + - allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms }; - ps_process_pattern($2, { user_mail_t mta_user_agent }) - @@ -55568,21 +55568,21 @@ index ed81cac5a..806055cba 100644 + allow mta_user_agent $2:fd use; + allow mta_user_agent $2:process sigchld; + allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms; - - optional_policy(` - exim_run($2, $1) - ') - - optional_policy(` + + optional_policy(` + exim_run($2, $1) + ') + + optional_policy(` - mailman_run($2, $1) + mailman_run(mta_user_agent, $1) - ') + ') ') - + @@ -163,125 +158,23 @@ interface(`mta_agent_executable',` - application_executable_file($1) + application_executable_file($1) ') - + -####################################### -## -## Read mta mail home files. @@ -55701,29 +55701,29 @@ index ed81cac5a..806055cba 100644 # -interface(`mta_home_filetrans_mail_home_rw',` +interface(`mta_dontaudit_leaks_system_mail',` - gen_require(` + gen_require(` - type mail_home_rw_t; + type system_mail_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3) + dontaudit $1 system_mail_t:fifo_file write; + dontaudit $1 system_mail_t:tcp_socket { read write }; ') - + ######################################## @@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',` - ') - - init_system_domain($1, sendmail_exec_t) + ') + + init_system_domain($1, sendmail_exec_t) - - typeattribute $1 mailserver_domain; + typeattribute $1 mailserver_domain; ') - + 
@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',` - ') - - typeattribute $1 mailserver_delivery; + ') + + typeattribute $1 mailserver_delivery; + + userdom_home_manager($1) + @@ -55734,12 +55734,12 @@ index ed81cac5a..806055cba 100644 + userdom_filetrans_home_content($1) + ') - + ####################################### @@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',` - ') - - typeattribute $1 mta_user_agent; + ') + + typeattribute $1 mta_user_agent; + + optional_policy(` + # apache should set close-on-exec @@ -55747,45 +55747,45 @@ index ed81cac5a..806055cba 100644 + apache_dontaudit_rw_sys_script_stream_sockets($1) + ') ') - + ######################################## @@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` - gen_require(` + gen_require(` + attribute mta_user_agent; - type system_mail_t; - attribute mta_exec_type; - ') - + type system_mail_t; + attribute mta_exec_type; + ') + - corecmd_search_bin($1) + allow $1 mta_exec_type:lnk_file read_lnk_file_perms; + corecmd_read_bin_symlinks($1) - domtrans_pattern($1, mta_exec_type, system_mail_t) - + domtrans_pattern($1, mta_exec_type, system_mail_t) + - allow $1 mta_exec_type:lnk_file read_lnk_file_perms; + allow mta_user_agent $1:fd use; + allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; + dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms; ') - + ######################################## 
@@ -445,18 +357,24 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` - gen_require(` + gen_require(` - type sendmail_exec_t; + attribute mta_exec_type; + attribute mta_user_agent; - ') - + ') + - corecmd_search_bin($1) - domain_auto_trans($1, sendmail_exec_t, $2) + files_search_usr($1) + allow $1 mta_exec_type:lnk_file read_lnk_file_perms; + corecmd_read_bin_symlinks($1) - + - allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms; + allow $2 mta_exec_type:file entrypoint; + domtrans_pattern($1, mta_exec_type, $2) @@ -55793,7 +55793,7 @@ index ed81cac5a..806055cba 100644 + allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## ## -## Send signals to system mail. @@ -55807,10 +55807,10 @@ index ed81cac5a..806055cba 100644 # -# interface(`mta_signal_system_mail',` - gen_require(` - type system_mail_t; + gen_require(` + type system_mail_t; @@ -475,7 +392,61 @@ interface(`mta_signal_system_mail',` - + ######################################## ## -## Send kill signals to system mail. @@ -55873,13 +55873,13 @@ index ed81cac5a..806055cba 100644 ## ## @@ -506,13 +477,32 @@ interface(`mta_sendmail_exec',` - type sendmail_exec_t; - ') - + type sendmail_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, sendmail_exec_t) + can_exec($1, sendmail_exec_t) ') - + ######################################## ## -## Read mail server configuration content. @@ -55908,15 +55908,15 @@ index ed81cac5a..806055cba 100644 ## ## 
@@ -528,13 +518,13 @@ interface(`mta_read_config',` - - files_search_etc($1) - allow $1 etc_mail_t:dir list_dir_perms; + + files_search_etc($1) + allow $1 etc_mail_t:dir list_dir_perms; - allow $1 etc_mail_t:file read_file_perms; - allow $1 etc_mail_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, etc_mail_t, etc_mail_t) + read_lnk_files_pattern($1, etc_mail_t, etc_mail_t) ') - + ######################################## ## -## Write mail server configuration files. @@ -55925,13 +55925,13 @@ index ed81cac5a..806055cba 100644 ## ## @@ -548,33 +538,31 @@ interface(`mta_write_config',` - type etc_mail_t; - ') - + type etc_mail_t; + ') + - files_search_etc($1) - write_files_pattern($1, etc_mail_t, etc_mail_t) + write_files_pattern($1, etc_mail_t, etc_mail_t) ') - + ######################################## ## -## Read mail address alias files. @@ -55946,16 +55946,16 @@ index ed81cac5a..806055cba 100644 # -interface(`mta_read_aliases',` +interface(`mta_manage_config',` - gen_require(` + gen_require(` - type etc_aliases_t; + type etc_mail_t; - ') - + ') + - files_search_etc($1) - allow $1 etc_aliases_t:file read_file_perms; + manage_files_pattern($1, etc_mail_t, etc_mail_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -55970,17 +55970,17 @@ index ed81cac5a..806055cba 100644 # -interface(`mta_manage_aliases',` +interface(`mta_read_aliases',` - gen_require(` - type etc_aliases_t; - ') - - files_search_etc($1) + gen_require(` + type etc_aliases_t; + ') + + files_search_etc($1) - manage_files_pattern($1, etc_aliases_t, etc_aliases_t) - manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) + allow $1 etc_aliases_t:file read_file_perms; + allow $1 etc_aliases_t:lnk_file read_lnk_file_perms; ') - + ######################################## ## -## Create specified object in generic 
@@ -56006,17 +56006,17 @@ index ed81cac5a..806055cba 100644 # -interface(`mta_etc_filetrans_aliases',` +interface(`mta_manage_aliases',` - gen_require(` - type etc_aliases_t; - ') - + gen_require(` + type etc_aliases_t; + ') + - files_etc_filetrans($1, etc_aliases_t, $2, $3) + files_search_etc($1) + manage_files_pattern($1, etc_aliases_t, etc_aliases_t) + manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t) + mta_filetrans_named_content($1) ') - + ######################################## ## -## Create specified objects in specified @@ -56048,14 +56048,14 @@ index ed81cac5a..806055cba 100644 # -interface(`mta_spec_filetrans_aliases',` +interface(`mta_etc_filetrans_aliases',` - gen_require(` - type etc_aliases_t; - ') - + gen_require(` + type etc_aliases_t; + ') + - filetrans_pattern($1, $2, etc_aliases_t, $3, $4) + files_etc_filetrans($1, etc_aliases_t, file, $2) ') - + ######################################## ## -## Read and write mail alias files. @@ -56064,13 +56064,13 @@ index ed81cac5a..806055cba 100644 ## ## @@ -674,14 +642,13 @@ interface(`mta_rw_aliases',` - ') - - files_search_etc($1) + ') + + files_search_etc($1) - allow $1 etc_aliases_t:file rw_file_perms; + allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms }; ') - + ####################################### ## -## Do not audit attempts to read @@ -56082,9 +56082,9 @@ index ed81cac5a..806055cba 100644 ## ## @@ -697,6 +664,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` - dontaudit $1 mailserver_delivery:tcp_socket { read write }; + dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') - + +###################################### +## +## Allow attempts to read and write TCP @@ -56108,7 +56108,7 @@ index ed81cac5a..806055cba 100644 ## ## Connect to all mail servers over TCP. (Deprecated) @@ -713,8 +699,8 @@ interface(`mta_tcp_connect_all_mailservers',` - + ####################################### ## -## Do not audit attempts to read 
@@ -56119,7 +56119,7 @@ index ed81cac5a..806055cba 100644 ## ## @@ -732,7 +718,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` - + ######################################## ## -## Get attributes of mail spool content. @@ -56128,7 +56128,7 @@ index ed81cac5a..806055cba 100644 ## ## @@ -753,8 +739,8 @@ interface(`mta_getattr_spool',` - + ######################################## ## -## Do not audit attempts to get @@ -56139,7 +56139,7 @@ index ed81cac5a..806055cba 100644 ## ## @@ -775,9 +761,8 @@ interface(`mta_dontaudit_getattr_spool_files',` - + ####################################### ## -## Create specified objects in the @@ -56151,7 +56151,7 @@ index ed81cac5a..806055cba 100644 ## ## @@ -811,7 +796,7 @@ interface(`mta_spool_filetrans',` - + ####################################### ## -## Read mail spool files. @@ -56171,11 +56171,11 @@ index ed81cac5a..806055cba 100644 + gen_require(` + type mail_spool_t; + ') - - files_search_spool($1) - read_files_pattern($1, mail_spool_t, mail_spool_t) + + files_search_spool($1) + read_files_pattern($1, mail_spool_t, mail_spool_t) @@ -830,7 +815,7 @@ interface(`mta_read_spool_files',` - + ######################################## ## -## Read and write mail spool files. @@ -56184,16 +56184,16 @@ index ed81cac5a..806055cba 100644 ## ## @@ -845,13 +830,14 @@ interface(`mta_rw_spool',` - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; - allow $1 mail_spool_t:file rw_file_perms; - allow $1 mail_spool_t:lnk_file read_lnk_file_perms; + allow $1 mail_spool_t:file setattr_file_perms; + manage_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') - + ####################################### ## -## Create, read, and write mail spool files. @@ -56202,16 +56202,16 @@ index ed81cac5a..806055cba 100644 ## ## 
@@ -866,13 +852,14 @@ interface(`mta_append_spool',` - - files_search_spool($1) - allow $1 mail_spool_t:dir list_dir_perms; + + files_search_spool($1) + allow $1 mail_spool_t:dir list_dir_perms; - manage_files_pattern($1, mail_spool_t, mail_spool_t) - allow $1 mail_spool_t:lnk_file read_lnk_file_perms; + create_files_pattern($1, mail_spool_t, mail_spool_t) + write_files_pattern($1, mail_spool_t, mail_spool_t) + read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') - + ####################################### ## -## Delete mail spool files. @@ -56220,7 +56220,7 @@ index ed81cac5a..806055cba 100644 ## ## @@ -891,8 +878,7 @@ interface(`mta_delete_spool',` - + ######################################## ## -## Create, read, write, and delete @@ -56230,9 +56230,9 @@ index ed81cac5a..806055cba 100644 ## ## @@ -909,47 +895,12 @@ interface(`mta_manage_spool',` - manage_dirs_pattern($1, mail_spool_t, mail_spool_t) - manage_files_pattern($1, mail_spool_t, mail_spool_t) - manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) + manage_dirs_pattern($1, mail_spool_t, mail_spool_t) + manage_files_pattern($1, mail_spool_t, mail_spool_t) + manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) -') - -####################################### @@ -56271,7 +56271,7 @@ index ed81cac5a..806055cba 100644 - filetrans_pattern($1, mqueue_spool_t, $2, $3, $4) + allow $1 mail_spool_t:file map; ') - + ######################################## ## -## Search mail queue directories. @@ -56280,7 +56280,7 @@ index ed81cac5a..806055cba 100644 ## ## @@ -968,7 +919,7 @@ interface(`mta_search_queue',` - + ####################################### ## -## List mail queue directories. @@ -56289,14 +56289,14 @@ index ed81cac5a..806055cba 100644 ## ## 
@@ -981,13 +932,13 @@ interface(`mta_list_queue',` - type mqueue_spool_t; - ') - + type mqueue_spool_t; + ') + - files_search_spool($1) - allow $1 mqueue_spool_t:dir list_dir_perms; + allow $1 mqueue_spool_t:dir list_dir_perms; + files_search_spool($1) ') - + ####################################### ## -## Read mail queue files. @@ -56305,14 +56305,14 @@ index ed81cac5a..806055cba 100644 ## ## @@ -1000,14 +951,14 @@ interface(`mta_read_queue',` - type mqueue_spool_t; - ') - + type mqueue_spool_t; + ') + - files_search_spool($1) - read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) + read_files_pattern($1, mqueue_spool_t, mqueue_spool_t) + files_search_spool($1) ') - + ####################################### ## ## Do not audit attempts to read and @@ -56331,9 +56331,9 @@ index ed81cac5a..806055cba 100644 ## ## @@ -1045,6 +996,41 @@ interface(`mta_manage_queue',` - manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) + manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t) ') - + +####################################### +## +## Create private objects in the @@ -56378,10 +56378,10 @@ index ed81cac5a..806055cba 100644 # +# cjp: added for postfix interface(`mta_read_sendmail_bin',` - gen_require(` - type sendmail_exec_t; + gen_require(` + type sendmail_exec_t; @@ -1065,8 +1052,8 @@ interface(`mta_read_sendmail_bin',` - + ####################################### ## -## Read and write unix domain stream @@ -56392,13 +56392,13 @@ index ed81cac5a..806055cba 100644 ## ## @@ -1081,3 +1068,227 @@ interface(`mta_rw_user_mail_stream_sockets',` - - allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; + + allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') + +######################################## +## -+## Type transition files created in calling dir ++## Type transition files created in calling dir +## to the mail address aliases type. +## +## @@ -56624,24 +56624,24 @@ index ff1d68c6a..630956deb 100644 --- a/mta.te +++ b/mta.te 
@@ -14,8 +14,6 @@ attribute mailserver_sender; - + attribute user_mail_domain; - + -attribute_role user_mail_roles; - type etc_aliases_t; files_type(etc_aliases_t) - + @@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t) - + type mqueue_spool_t; files_mountpoint(mqueue_spool_t) +files_spool_file(mqueue_spool_t) - + type mail_spool_t; files_mountpoint(mail_spool_t) +files_spool_file(mail_spool_t) - + type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) @@ -43,11 +43,9 @@ role system_r types system_mail_t; @@ -56655,75 +56655,75 @@ index ff1d68c6a..630956deb 100644 typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t }; +userdom_user_application_type(user_mail_t) userdom_user_tmp_file(user_mail_tmp_t) - + ######################################## @@ -61,13 +59,11 @@ allow user_mail_domain self:fifo_file rw_fifo_file_perms; - + allow user_mail_domain mta_exec_type:file entrypoint; - + -allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms }; +manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t) - + manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t) -userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir") -userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir") - + read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t }) - + 
@@ -79,12 +75,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms; can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t }) - + kernel_read_crypto_sysctls(user_mail_domain) -kernel_read_system_state(user_mail_domain) kernel_read_kernel_sysctls(user_mail_domain) kernel_read_network_state(user_mail_domain) kernel_request_load_module(user_mail_domain) - + -corenet_all_recvfrom_netlabel(user_mail_domain) corenet_tcp_sendrecv_generic_if(user_mail_domain) corenet_tcp_sendrecv_generic_node(user_mail_domain) - + @@ -107,10 +101,6 @@ fs_getattr_all_fs(user_mail_domain) - + init_dontaudit_rw_utmp(user_mail_domain) - + -logging_send_syslog_msg(user_mail_domain) - -miscfiles_read_localization(user_mail_domain) - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(user_mail_domain) - fs_manage_cifs_files(user_mail_domain) + fs_manage_cifs_dirs(user_mail_domain) + fs_manage_cifs_files(user_mail_domain) @@ -123,6 +113,11 @@ tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_symlinks(user_mail_domain) + fs_read_nfs_symlinks(user_mail_domain) ') - + +optional_policy(` + antivirus_stream_connect(user_mail_domain) + antivirus_stream_connect(mta_user_agent) +') + optional_policy(` - courier_manage_spool_dirs(user_mail_domain) - courier_manage_spool_files(user_mail_domain) + courier_manage_spool_dirs(user_mail_domain) + courier_manage_spool_files(user_mail_domain) @@ -149,6 +144,11 @@ optional_policy(` - ') + ') ') - + +optional_policy(` + openshift_rw_inherited_content(mta_user_agent) + openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent) +') + optional_policy(` - procmail_exec(user_mail_domain) + procmail_exec(user_mail_domain) ') @@ -166,57 +166,79 @@ optional_policy(` - uucp_manage_spool(user_mail_domain) + uucp_manage_spool(user_mail_domain) ') - + +mta_filetrans_admin_home_content(user_mail_domain) +mta_filetrans_home_content(user_mail_domain) + 
@@ -56731,17 +56731,17 @@ index ff1d68c6a..630956deb 100644 # # System local policy # - + -allow system_mail_t self:capability { dac_override fowner }; +# newalias required this, not sure if it is needed in 'if' file +allow system_mail_t self:capability { dac_read_search dac_override fowner }; +dontaudit system_mail_t self:capability net_admin; - + -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) +allow system_mail_t mail_home_t:file manage_file_perms; - + read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) - + -allow system_mail_t mail_home_t:file manage_file_perms; -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue") -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward") @@ -56752,20 +56752,20 @@ index ff1d68c6a..630956deb 100644 -allow system_mail_t user_mail_domain:file read_file_perms; -allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms; +kernel_search_network_sysctl(system_mail_t) - + corecmd_exec_shell(system_mail_t) - + -dev_read_rand(system_mail_t) dev_read_sysfs(system_mail_t) +dev_read_rand(system_mail_t) +dev_read_urand(system_mail_t) - + fs_rw_anon_inodefs_files(system_mail_t) - + -selinux_getattr_fs(system_mail_t) - term_dontaudit_use_unallocated_ttys(system_mail_t) - + init_use_script_ptys(system_mail_t) +init_dontaudit_rw_stream_socket(system_mail_t) + @@ -56774,7 +56774,7 @@ index ff1d68c6a..630956deb 100644 +userdom_dontaudit_list_admin_dir(system_mail_t) +userdom_dontaudit_list_user_tmp(system_mail_t) +userdom_dontaudit_read_inherited_admin_home_files(system_mail_t) - + -userdom_use_user_terminals(system_mail_t) +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) 
@@ -56785,16 +56785,16 @@ index ff1d68c6a..630956deb 100644 +logging_append_all_logs(system_mail_t) + +logging_send_syslog_msg(system_mail_t) - + optional_policy(` - apache_read_squirrelmail_data(system_mail_t) - apache_append_squirrelmail_data(system_mail_t) + apache_read_squirrelmail_data(system_mail_t) + apache_append_squirrelmail_data(system_mail_t) + + # apache should set close-on-exec - apache_dontaudit_append_log(system_mail_t) - apache_dontaudit_rw_stream_sockets(system_mail_t) - apache_dontaudit_rw_tcp_sockets(system_mail_t) - apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_append_log(system_mail_t) + apache_dontaudit_rw_stream_sockets(system_mail_t) + apache_dontaudit_rw_tcp_sockets(system_mail_t) + apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_rw_tmp_files(system_mail_t) + + apache_dontaudit_rw_fifo_file(user_mail_domain) @@ -56804,10 +56804,10 @@ index ff1d68c6a..630956deb 100644 + apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent) + apache_append_log(mta_user_agent) ') - + optional_policy(` - arpwatch_manage_tmp_files(system_mail_t) - + arpwatch_manage_tmp_files(system_mail_t) + - ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(system_mail_t) - ') @@ -56816,35 +56816,35 @@ index ff1d68c6a..630956deb 100644 + ') + ') - + optional_policy(` 
@@ -225,17 +247,21 @@ optional_policy(` ') - + optional_policy(` - clamav_stream_connect(system_mail_t) - clamav_append_log(system_mail_t) + courier_stream_connect_authdaemon(system_mail_t) ') - + optional_policy(` - cron_read_system_job_tmp_files(system_mail_t) - cron_dontaudit_write_pipes(system_mail_t) - cron_rw_system_job_stream_sockets(system_mail_t) + cron_read_system_job_tmp_files(system_mail_t) + cron_dontaudit_write_pipes(system_mail_t) + cron_rw_system_job_stream_sockets(system_mail_t) + cron_rw_inherited_spool_files(system_mail_t) + cron_rw_inherited_user_spool_files(system_mail_t) ') - + optional_policy(` + courier_manage_spool_dirs(system_mail_t) + courier_manage_spool_files(system_mail_t) + courier_rw_spool_pipes(system_mail_t) - courier_stream_connect_authdaemon(system_mail_t) + courier_stream_connect_authdaemon(system_mail_t) ') - + @@ -244,9 +270,10 @@ optional_policy(` ') - + optional_policy(` - fail2ban_dontaudit_rw_stream_sockets(system_mail_t) - fail2ban_append_log(system_mail_t) @@ -56854,16 +56854,16 @@ index ff1d68c6a..630956deb 100644 + fail2ban_rw_inherited_tmp_files(mta_user_agent) + fail2ban_rw_inherited_tmp_files(user_mail_domain) ') - + optional_policy(` @@ -258,10 +285,17 @@ optional_policy(` ') - + optional_policy(` + # newaliases runs as system_mail_t when the sendmail initscript does a restart - milter_getattr_all_sockets(system_mail_t) + milter_getattr_all_sockets(system_mail_t) ') - + optional_policy(` + munin_dontaudit_leaks(system_mail_t) + munin_manage_var_lib_files(system_mail_t) @@ -56871,13 +56871,13 @@ index ff1d68c6a..630956deb 100644 + +optional_policy(` + nagios_append_spool(system_mail_t) - nagios_read_tmp_files(system_mail_t) + nagios_read_tmp_files(system_mail_t) ') - + 
@@ -272,12 +306,29 @@ optional_policy(` - manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) - files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) + manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) + files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) + + domain_use_interactive_fds(system_mail_t) +') @@ -56892,30 +56892,30 @@ index ff1d68c6a..630956deb 100644 + qmail_manage_spool_files(system_mail_t) + qmail_rw_spool_pipes(system_mail_t) ') - + optional_policy(` - sxid_read_log(system_mail_t) + sxid_read_log(system_mail_t) ') - + +optional_policy(` + systemd_write_inhibit_pipes(system_mail_t) +') + optional_policy(` - userdom_dontaudit_use_user_ptys(system_mail_t) - + userdom_dontaudit_use_user_ptys(system_mail_t) + @@ -287,42 +338,36 @@ optional_policy(` ') - + optional_policy(` - spamassassin_stream_connect_spamd(system_mail_t) + spamd_stream_connect(system_mail_t) ') - + optional_policy(` - smartmon_read_tmp_files(system_mail_t) + smartmon_read_tmp_files(system_mail_t) ') - + -######################################## -# -# MTA user agent local policy 
@@ -56927,21 +56927,21 @@ index ff1d68c6a..630956deb 100644 - apache_append_log(mta_user_agent) -') +# should break this up among sections: - + optional_policy(` + # why is mail delivered to a directory of type arpwatch_data_t? + arpwatch_search_data(mailserver_delivery) - arpwatch_manage_tmp_files(mta_user_agent) - + arpwatch_manage_tmp_files(mta_user_agent) + - ifdef(`hide_broken_symptoms',` - arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) - ') - - optional_policy(` - cron_read_system_job_tmp_files(mta_user_agent) - ') + optional_policy(` + cron_read_system_job_tmp_files(mta_user_agent) + ') ') - + +ifdef(`hide_broken_symptoms',` + domain_dontaudit_leaks(user_mail_domain) + domain_dontaudit_leaks(mta_user_agent) @@ -56951,16 +56951,16 @@ index ff1d68c6a..630956deb 100644 # # Mailserver delivery local policy # - + -allow mailserver_delivery self:fifo_file rw_fifo_file_perms; +allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms; - + allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -331,44 +376,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) - + +userdom_search_admin_dir(mailserver_delivery) +read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) + @@ -56974,9 +56974,9 @@ index ff1d68c6a..630956deb 100644 -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter") -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir") -userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir") - + read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mailserver_delivery) - fs_manage_cifs_files(mailserver_delivery) 
@@ -56985,7 +56985,7 @@ index ff1d68c6a..630956deb 100644 + dovecot_manage_spool(mailserver_delivery) + dovecot_domtrans_deliver(mailserver_delivery) ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mailserver_delivery) - fs_manage_nfs_files(mailserver_delivery) @@ -56993,7 +56993,7 @@ index ff1d68c6a..630956deb 100644 +optional_policy(` + logwatch_search_cache_dir(mailserver_delivery) ') - + optional_policy(` - arpwatch_search_data(mailserver_delivery) + # so MTA can access /var/lib/mailman/mail/wrapper @@ -57002,7 +57002,7 @@ index ff1d68c6a..630956deb 100644 + mailman_domtrans(mailserver_delivery) + mailman_read_data_symlinks(mailserver_delivery) ') - + optional_policy(` - dovecot_manage_spool(mailserver_delivery) - dovecot_domtrans_deliver(mailserver_delivery) @@ -57011,7 +57011,7 @@ index ff1d68c6a..630956deb 100644 + mailman_append_log(mailserver_domain) + mailman_read_log(mailserver_domain) ') - + optional_policy(` - files_search_var_lib(mailserver_delivery) + mta_filetrans_home_content(mailserver_domain) @@ -57019,22 +57019,22 @@ index ff1d68c6a..630956deb 100644 + mta_read_home(mailserver_domain) + mta_append_home(mailserver_domain) +') - + - mailman_domtrans(mailserver_delivery) - mailman_read_data_symlinks(mailserver_delivery) +optional_policy(` + pcp_read_lib_files(mailserver_delivery) ') - + optional_policy(` @@ -381,24 +430,49 @@ optional_policy(` - + ######################################## # -# User local policy +# User send mail local policy # - + -manage_files_pattern(user_mail_t, mail_home_t, mail_home_t) -userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue") -userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward") 
@@ -57063,25 +57063,25 @@ index ff1d68c6a..630956deb 100644 +# cjp: this should probably be read all user tmp +# files in an appropriate place for mta_user_agent +userdom_read_user_tmp_files(mta_user_agent) - + dev_read_sysfs(user_mail_t) - + -userdom_use_user_terminals(user_mail_t) +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_files(user_mail_t) + fs_manage_cifs_symlinks(user_mail_t) +') - + optional_policy(` - allow user_mail_t self:capability dac_override; + allow user_mail_t self:capability {dac_read_search dac_override }; - + + # Read user temporary files. + # postfix seems to need write access if the file handle is opened read/write - userdom_rw_user_tmp_files(user_mail_t) - - postfix_read_config(user_mail_t) - postfix_list_spool(user_mail_t) + userdom_rw_user_tmp_files(user_mail_t) + + postfix_read_config(user_mail_t) + postfix_list_spool(user_mail_t) ') + + @@ -57094,7 +57094,7 @@ index eb4b72a92..4ea6ce7e2 100644 - +/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0) /etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0) - + -/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - -/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) @@ -57102,10 +57102,10 @@ index eb4b72a92..4ea6ce7e2 100644 +/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) +/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) /usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0) - + +# label all plugins as unconfined_munin_plugin_exec_t /usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0) - + -/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +# disk plugins +/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) 
@@ -57114,7 +57114,7 @@ index eb4b72a92..4ea6ce7e2 100644 -/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0) - + -/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) @@ -57130,7 +57130,7 @@ index eb4b72a92..4ea6ce7e2 100644 +/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0) - + -/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) 
@@ -57163,10 +57163,10 @@ index eb4b72a92..4ea6ce7e2 100644 +/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) +/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0) - + +# selinux plugins /usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0) - + +# system plugins /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -57197,7 +57197,7 @@ index eb4b72a92..4ea6ce7e2 100644 /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) - + -/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) +/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0) @@ -57221,7 +57221,7 @@ index b744fe35e..cb0e2af61 100644 @@ -1,12 +1,13 @@ -## Munin network-wide load graphing. +## Munin network-wide load graphing (formerly LRRD) - + -####################################### +######################################## ## @@ -57238,47 +57238,47 @@ index b744fe35e..cb0e2af61 100644 ## # 
@@ -14,12 +15,8 @@ template(`munin_plugin_template',` - gen_require(` - attribute munin_plugin_domain, munin_plugin_tmp_content; - type munin_t; + gen_require(` + attribute munin_plugin_domain, munin_plugin_tmp_content; + type munin_t; - ') - + - ######################################## - # - # Declarations - # + ') - - type $1_munin_plugin_t, munin_plugin_domain; - type $1_munin_plugin_exec_t; + + type $1_munin_plugin_t, munin_plugin_domain; + type $1_munin_plugin_exec_t; @@ -33,15 +30,22 @@ template(`munin_plugin_template',` - files_tmp_file($1_munin_plugin_tmp_t) - - ######################################## + files_tmp_file($1_munin_plugin_tmp_t) + + ######################################## - # - # Policy - # -+ # ++ # + # Policy -+ # - ++ # + + # automatic transition rules from munin domain + # to specific munin plugin domain - domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) - - manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) - files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) + domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t) + + manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) + manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t) + files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file }) + + kernel_read_system_state($1_munin_plugin_t) + + corenet_all_recvfrom_unlabeled($1_munin_plugin_t) + corenet_all_recvfrom_netlabel($1_munin_plugin_t) ') - + ######################################## @@ -66,7 +70,7 @@ interface(`munin_stream_connect',` - + ####################################### ## -## Read munin configuration content. @@ -57287,13 +57287,13 @@ index b744fe35e..cb0e2af61 100644 ## ## 
@@ -80,15 +84,92 @@ interface(`munin_read_config',` - type munin_etc_t; - ') - + type munin_etc_t; + ') + - files_search_etc($1) - allow $1 munin_etc_t:dir list_dir_perms; - allow $1 munin_etc_t:file read_file_perms; - allow $1 munin_etc_t:lnk_file read_lnk_file_perms; + allow $1 munin_etc_t:dir list_dir_perms; + allow $1 munin_etc_t:file read_file_perms; + allow $1 munin_etc_t:lnk_file read_lnk_file_perms; + files_search_etc($1) +') + @@ -57312,7 +57312,7 @@ index b744fe35e..cb0e2af61 100644 + type munin_var_lib_t; + ') + -+ files_search_var_lib($1) ++ files_search_var_lib($1) + read_files_pattern($1, munin_var_lib_t, munin_var_lib_t) + +') @@ -57332,7 +57332,7 @@ index b744fe35e..cb0e2af61 100644 + type munin_var_lib_t; + ') + -+ files_search_var_lib($1) ++ files_search_var_lib($1) + manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t) +') + @@ -57351,7 +57351,7 @@ index b744fe35e..cb0e2af61 100644 + type munin_var_lib_t; + ') + -+ files_search_var_lib($1) ++ files_search_var_lib($1) + append_files_pattern($1, munin_var_lib_t, munin_var_lib_t) + +') @@ -57373,7 +57373,7 @@ index b744fe35e..cb0e2af61 100644 + + dontaudit $1 munin_t:tcp_socket { read write }; ') - + ####################################### ## -## Append munin log files. @@ -57382,7 +57382,7 @@ index b744fe35e..cb0e2af61 100644 ## ## @@ -147,8 +228,8 @@ interface(`munin_dontaudit_search_lib',` - + ######################################## ## -## All of the rules required to @@ -57402,13 +57402,13 @@ index b744fe35e..cb0e2af61 100644 ## ## 
@@ -167,11 +248,15 @@ interface(`munin_admin',` - attribute munin_plugin_domain, munin_plugin_tmp_content; - type munin_t, munin_etc_t, munin_tmp_t; - type munin_log_t, munin_var_lib_t, munin_var_run_t; + attribute munin_plugin_domain, munin_plugin_tmp_content; + type munin_t, munin_etc_t, munin_tmp_t; + type munin_log_t, munin_var_lib_t, munin_var_run_t; - type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; + type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t; - ') - + ') + - allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { munin_plugin_domain munin_t }) + allow $1 munin_t:process signal_perms; @@ -57417,13 +57417,13 @@ index b744fe35e..cb0e2af61 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 munin_t:process ptrace; + ') - - init_labeled_script_domtrans($1, munin_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, munin_initrc_exec_t) + domain_system_change_exemption($1) @@ -193,5 +278,5 @@ interface(`munin_admin',` - files_list_pids($1) - admin_pattern($1, munin_var_run_t) - + files_list_pids($1) + admin_pattern($1, munin_var_run_t) + - admin_pattern($1, httpd_munin_content_t) + admin_pattern($1, munin_content_t) ') @@ -57434,7 +57434,7 @@ index b70870816..7d87f0a80 100644 @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) munin_plugin_template(system) munin_plugin_template(unconfined) - + +type munin_script_tmp_t alias httpd_munin_script_tmp_t; +files_tmp_file(munin_script_tmp_t) + 
@@ -57442,48 +57442,48 @@ index b70870816..7d87f0a80 100644 # # Common munin plugin local policy # - + -allow munin_plugin_domain self:process signal; +allow munin_plugin_domain self:process signal_perms; allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; - + allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; - + read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) - + +allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms; + allow munin_plugin_domain munin_exec_t:file read_file_perms; - + allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; - + manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) - + -kernel_read_system_state(munin_plugin_domain) - -corenet_all_recvfrom_unlabeled(munin_plugin_domain) -corenet_all_recvfrom_netlabel(munin_plugin_domain) corenet_tcp_sendrecv_generic_if(munin_plugin_domain) corenet_tcp_sendrecv_generic_node(munin_plugin_domain) - + corecmd_exec_bin(munin_plugin_domain) corecmd_exec_shell(munin_plugin_domain) - + -files_read_etc_files(munin_plugin_domain) -files_read_usr_files(munin_plugin_domain) files_search_var_lib(munin_plugin_domain) - + fs_getattr_all_fs(munin_plugin_domain) - + -miscfiles_read_localization(munin_plugin_domain) +auth_read_passwd(munin_plugin_domain) - + optional_policy(` - nscd_use(munin_plugin_domain) + nscd_use(munin_plugin_domain) @@ -89,7 +88,7 @@ optional_policy(` # Local policy # - + -allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio }; +allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio }; dontaudit munin_t self:capability sys_tty_config; @@ -57492,40 +57492,40 @@ index b70870816..7d87f0a80 100644 
@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) - + -read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) +rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t) - + manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) @@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) - + -corenet_all_recvfrom_unlabeled(munin_t) corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) @@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) - + files_read_etc_runtime_files(munin_t) -files_read_usr_files(munin_t) files_list_spool(munin_t) - + fs_getattr_all_fs(munin_t) @@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) - + miscfiles_read_fonts(munin_t) -miscfiles_read_localization(munin_t) miscfiles_setattr_fonts_cache_dirs(munin_t) - + sysnet_exec_ifconfig(munin_t) @@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) - + -optional_policy(` - apache_content_template(munin) - @@ -57533,27 +57533,27 @@ index b70870816..7d87f0a80 100644 - manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) - apache_search_sys_content(munin_t) -') - + optional_policy(` - cron_system_entry(munin_t, munin_exec_t) + cron_system_entry(munin_t, munin_exec_t) @@ -217,7 +206,6 @@ optional_policy(` - + optional_policy(` - postfix_list_spool(munin_t) + postfix_list_spool(munin_t) - postfix_getattr_all_spool_files(munin_t) ') - + optional_policy(` 
@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; - + rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - + +kernel_read_fs_sysctls(disk_munin_plugin_t) + corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t) - + -dev_getattr_all_blk_files(disk_munin_plugin_t) +files_read_etc_runtime_files(disk_munin_plugin_t) + @@ -57563,19 +57563,19 @@ index b70870816..7d87f0a80 100644 - -files_read_etc_runtime_files(disk_munin_plugin_t) +dev_read_all_blk_files(disk_munin_plugin_t) - + fs_getattr_all_fs(disk_munin_plugin_t) fs_getattr_all_dirs(disk_munin_plugin_t) - + -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) +storage_raw_read_fixed_disk(disk_munin_plugin_t) - + sysnet_read_config(disk_munin_plugin_t) - + @@ -272,34 +262,50 @@ optional_policy(` - fstools_exec(disk_munin_plugin_t) + fstools_exec(disk_munin_plugin_t) ') - + +optional_policy(` + rpc_search_nfs_state_data(disk_munin_plugin_t) +') @@ -57584,22 +57584,22 @@ index b70870816..7d87f0a80 100644 # # Mail local policy # - + -allow mail_munin_plugin_t self:capability dac_override; +allow mail_munin_plugin_t self:capability { dac_read_search dac_override }; + +allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms; +allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mail_munin_plugin_t self:udp_socket create_socket_perms; - + rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) - + +kernel_read_net_sysctls(mail_munin_plugin_t) + dev_read_urand(mail_munin_plugin_t) - + logging_read_generic_logs(mail_munin_plugin_t) - + +sysnet_read_config(mail_munin_plugin_t) + +optional_policy(` 
@@ -57608,49 +57608,49 @@ index b70870816..7d87f0a80 100644 + optional_policy(` - mta_list_queue(mail_munin_plugin_t) - mta_read_config(mail_munin_plugin_t) + mta_read_config(mail_munin_plugin_t) - mta_read_queue(mail_munin_plugin_t) - mta_send_mail(mail_munin_plugin_t) + mta_send_mail(mail_munin_plugin_t) + mta_list_queue(mail_munin_plugin_t) + mta_read_queue(mail_munin_plugin_t) ') - + optional_policy(` - nscd_use(mail_munin_plugin_t) + nscd_socket_use(mail_munin_plugin_t) ') - + optional_policy(` - postfix_getattr_all_spool_files(mail_munin_plugin_t) - postfix_read_config(mail_munin_plugin_t) - postfix_list_spool(mail_munin_plugin_t) + postfix_read_config(mail_munin_plugin_t) + postfix_list_spool(mail_munin_plugin_t) + postfix_getattr_spool_files(mail_munin_plugin_t) ') - + optional_policy(` @@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) - + optional_policy(` - bind_read_config(munin_services_plugin_t) + bind_read_config(services_munin_plugin_t) ') - + optional_policy(` @@ -347,6 +353,10 @@ optional_policy(` - cups_stream_connect(services_munin_plugin_t) + cups_stream_connect(services_munin_plugin_t) ') - + +optional_policy(` + fail2ban_domtrans_client(services_munin_plugin_t) +') + optional_policy(` - lpd_exec_lpr(services_munin_plugin_t) + lpd_exec_lpr(services_munin_plugin_t) ') @@ -361,7 +371,11 @@ optional_policy(` ') - + optional_policy(` - nscd_use(services_munin_plugin_t) + nscd_socket_use(services_munin_plugin_t) @@ -57659,19 +57659,19 @@ index b70870816..7d87f0a80 100644 +optional_policy(` + ntp_exec(services_munin_plugin_t) ') - + optional_policy(` @@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) - + kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) +kernel_read_fs_sysctls(system_munin_plugin_t) - + dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) 
@@ -421,3 +436,33 @@ optional_policy(` optional_policy(` - unconfined_domain(unconfined_munin_plugin_t) + unconfined_domain(unconfined_munin_plugin_t) ') + + @@ -57742,16 +57742,16 @@ index 06f8666df..3932ae105 100644 +# /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) - + /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) + - + /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) -/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) - + -/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) -/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0) +# @@ -57759,10 +57759,10 @@ index 06f8666df..3932ae105 100644 +# +/var/lib/mysql(-files|-keyring)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) - + /var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) - + -/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) -/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0) @@ -57795,17 +57795,17 @@ index 687af38bb..5381f1b39 100644 - refpolicywarn(`$0($*) has been deprecated') -') +## Policy for MySQL - + ###################################### ## 
@@ -34,38 +15,30 @@ interface(`mysql_domtrans',` - type mysqld_t, mysqld_exec_t; - ') - + type mysqld_t, mysqld_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, mysqld_exec_t, mysqld_t) + domtrans_pattern($1, mysqld_exec_t, mysqld_t) ') - + -######################################## +###################################### ## @@ -57827,16 +57827,16 @@ index 687af38bb..5381f1b39 100644 # -interface(`mysql_run_mysqld',` +interface(`mysql_exec',` - gen_require(` + gen_require(` - attribute_role mysqld_roles; + type mysqld_exec_t; - ') - + ') + - mysql_domtrans($1) - roleattribute $2 mysqld_roles; + can_exec($1, mysqld_exec_t) ') - + ######################################## ## -## Send generic signals to mysqld. @@ -57845,9 +57845,9 @@ index 687af38bb..5381f1b39 100644 ## ## @@ -81,9 +54,27 @@ interface(`mysql_signal',` - allow $1 mysqld_t:process signal; + allow $1 mysqld_t:process signal; ') - + +####################################### +## +## Send a null signal to mysql. @@ -57874,7 +57874,7 @@ index 687af38bb..5381f1b39 100644 ## ## @@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',` - + ######################################## ## -## Connect to mysqld with a unix @@ -57884,14 +57884,14 @@ index 687af38bb..5381f1b39 100644 ## ## @@ -120,12 +110,13 @@ interface(`mysql_stream_connect',` - ') - - files_search_pids($1) + ') + + files_search_pids($1) - stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) + stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t) + stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t) ') - + ######################################## ## -## Read mysqld configuration content. @@ -57900,15 +57900,15 @@ index 687af38bb..5381f1b39 100644 ## ## 
@@ -139,7 +130,6 @@ interface(`mysql_read_config',` - type mysqld_etc_t; - ') - + type mysqld_etc_t; + ') + - files_search_etc($1) - allow $1 mysqld_etc_t:dir list_dir_perms; - allow $1 mysqld_etc_t:file read_file_perms; - allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; + allow $1 mysqld_etc_t:dir list_dir_perms; + allow $1 mysqld_etc_t:file read_file_perms; + allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms; @@ -147,7 +137,8 @@ interface(`mysql_read_config',` - + ######################################## ## -## Search mysqld db directories. @@ -57924,10 +57924,10 @@ index 687af38bb..5381f1b39 100644 +# cjp: "_dir" in the name is added to clarify that this +# is not searching the database itself. interface(`mysql_search_db',` - gen_require(` - type mysqld_db_t; + gen_require(` + type mysqld_db_t; @@ -166,7 +159,27 @@ interface(`mysql_search_db',` - + ######################################## ## -## Read and write mysqld database directories. @@ -57956,7 +57956,7 @@ index 687af38bb..5381f1b39 100644 ## ## @@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',` - + ######################################## ## -## Create, read, write, and delete @@ -57966,7 +57966,7 @@ index 687af38bb..5381f1b39 100644 ## ## @@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',` - + ####################################### ## -## Append mysqld database files. @@ -57975,8 +57975,8 @@ index 687af38bb..5381f1b39 100644 ## ## @@ -221,10 +233,28 @@ interface(`mysql_append_db_files',` - files_search_var_lib($1) - append_files_pattern($1, mysqld_db_t, mysqld_db_t) + files_search_var_lib($1) + append_files_pattern($1, mysqld_db_t, mysqld_db_t) ') +####################################### +## @@ -57996,7 +57996,7 @@ index 687af38bb..5381f1b39 100644 + files_search_var_lib($1) + read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t) +') - + ####################################### ## -## Read and write mysqld database files. @@ -58005,7 +58005,7 @@ index 687af38bb..5381f1b39 100644 ## ## 
@@ -243,8 +273,7 @@ interface(`mysql_rw_db_files',` - + ####################################### ## -## Create, read, write, and delete @@ -58015,7 +58015,7 @@ index 687af38bb..5381f1b39 100644 ## ## @@ -263,7 +292,7 @@ interface(`mysql_manage_db_files',` - + ######################################## ## -## Read and write mysqld database sockets. @@ -58036,7 +58036,7 @@ index 687af38bb..5381f1b39 100644 + allow $1 mysqld_db_t:dir search_dir_perms; + allow $1 mysqld_db_t:sock_file rw_sock_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -58051,17 +58051,17 @@ index 687af38bb..5381f1b39 100644 # -interface(`mysql_manage_mysqld_home_files',` +interface(`mysql_write_log',` - gen_require(` + gen_require(` - type mysqld_home_t; + type mysqld_log_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 mysqld_home_t:file manage_file_perms; + logging_search_logs($1) + allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms }; ') - + -######################################## +###################################### ## @@ -58077,16 +58077,16 @@ index 687af38bb..5381f1b39 100644 # -interface(`mysql_relabel_mysqld_home_files',` +interface(`mysql_domtrans_mysql_safe',` - gen_require(` + gen_require(` - type mysqld_home_t; + type mysqld_safe_t, mysqld_safe_exec_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 mysqld_home_t:file relabel_file_perms; + domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) ') - + -######################################## +###################################### ## 
@@ -58127,16 +58127,16 @@ index 687af38bb..5381f1b39 100644 # -interface(`mysql_home_filetrans_mysqld_home',` +interface(`mysql_read_pid_files',` - gen_require(` + gen_require(` - type mysqld_home_t; + type mysqld_var_run_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3) + mysql_search_pid_files($1) + read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ') - + -######################################## +##################################### ## @@ -58152,16 +58152,16 @@ index 687af38bb..5381f1b39 100644 # -interface(`mysql_write_log',` +interface(`mysql_search_pid_files',` - gen_require(` + gen_require(` - type mysqld_log_t; + type mysqld_var_run_t; - ') - + ') + - logging_search_logs($1) - allow $1 mysqld_log_t:file write_file_perms; + search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) ') - + -###################################### +######################################## ## @@ -58177,12 +58177,12 @@ index 687af38bb..5381f1b39 100644 # -interface(`mysql_domtrans_mysql_safe',` +interface(`mysql_systemctl',` - gen_require(` + gen_require(` - type mysqld_safe_t, mysqld_safe_exec_t; + type mysqld_unit_file_t; + type mysqld_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t) + systemd_exec_systemctl($1) @@ -58192,7 +58192,7 @@ index 687af38bb..5381f1b39 100644 + + ps_process_pattern($1, mysqld_t) ') - + -##################################### +######################################## ## @@ -58207,17 +58207,17 @@ index 687af38bb..5381f1b39 100644 # -interface(`mysql_read_pid_files',` +interface(`mysql_read_home_content',` - gen_require(` + gen_require(` - type mysqld_var_run_t; + type mysqld_home_t; - ') - + ') + - files_search_pids($1) - read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + userdom_search_user_home_dirs($1) + read_files_pattern($1, mysqld_home_t, mysqld_home_t) ') - + -##################################### +######################################## ## 
@@ -58234,17 +58234,17 @@ index 687af38bb..5381f1b39 100644 # -interface(`mysql_search_pid_files',` +interface(`mysql_filetrans_named_content',` - gen_require(` + gen_require(` - type mysqld_var_run_t; + type mysqld_home_t; - ') - + ') + - files_search_pids($1) - search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t) + userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") + userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") ') - + ######################################## ## -## All of the rules required to @@ -58264,17 +58264,17 @@ index 687af38bb..5381f1b39 100644 ## # interface(`mysql_admin',` - gen_require(` + gen_require(` - type mysqld_t, mysqld_var_run_t, mysqld_etc_t; + type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t; - type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; + type mysqld_tmp_t, mysqld_db_t, mysqld_log_t; - type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t; - type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t; + type mysqld_etc_t; + type mysqld_home_t; + type mysqld_unit_file_t; - ') - + ') + - allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t }) + allow $1 mysqld_t:process signal_perms; 
@@ -58282,35 +58282,35 @@ index 687af38bb..5381f1b39 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 mysqld_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t }) + init_labeled_script_domtrans($1, mysqld_initrc_exec_t) - domain_system_change_exemption($1) + domain_system_change_exemption($1) - role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r; + role_transition $2 mysqld_initrc_exec_t system_r; - allow $2 system_r; - + allow $2 system_r; + - files_search_pids($1) - admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t }) + files_list_pids($1) + admin_pattern($1, mysqld_var_run_t) - + - files_search_var_lib($1) - admin_pattern($1, mysqld_db_t) - + admin_pattern($1, mysqld_db_t) + - files_search_etc($1) - admin_pattern($1, { mysqld_etc_t mysqld_home_t }) + files_list_etc($1) + admin_pattern($1, mysqld_etc_t) - + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, mysqld_log_t) - + admin_pattern($1, mysqld_log_t) + - files_search_tmp($1) + files_list_tmp($1) - admin_pattern($1, mysqld_tmp_t) - + admin_pattern($1, mysqld_tmp_t) + - mysql_run_mysqld($1, $2) + userdom_search_user_home_dirs($1) + files_list_root($1) @@ -58328,7 +58328,7 @@ index 7584bbe7c..b02e50d45 100644 +++ b/mysql.te @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) # - + ## -##

    -## Determine whether mysqld can @@ -58339,7 +58339,7 @@ index 7584bbe7c..b02e50d45 100644 +##

    ##
    gen_tunable(mysql_connect_any, false) - + -attribute_role mysqld_roles; - type mysqld_t; @@ -58347,31 +58347,31 @@ index 7584bbe7c..b02e50d45 100644 init_daemon_domain(mysqld_t, mysqld_exec_t) -application_domain(mysqld_t, mysqld_exec_t) -role mysqld_roles types mysqld_t; - + type mysqld_safe_t; type mysqld_safe_exec_t; @@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t) - + type mysqld_var_run_t; files_pid_file(mysqld_var_run_t) -init_daemon_run_dir(mysqld_var_run_t, "mysqld") - + type mysqld_db_t; files_type(mysqld_db_t) @@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t) type mysqld_home_t; userdom_user_home_content(mysqld_home_t) - + +type mysqld_unit_file_t; +systemd_unit_file(mysqld_unit_file_t) + type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) - + @@ -62,89 +59,108 @@ files_pid_file(mysqlmanagerd_var_run_t) # Local policy # - + -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; +allow mysqld_t self:capability { dac_read_search dac_override ipc_lock setgid setuid sys_nice sys_resource net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; @@ -58383,14 +58383,14 @@ index 7584bbe7c..b02e50d45 100644 +allow mysqld_t self:unix_stream_socket create_stream_socket_perms; +allow mysqld_t self:tcp_socket create_stream_socket_perms; +allow mysqld_t self:udp_socket create_socket_perms; - + manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) +manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) +allow mysqld_t mysqld_db_t:file map; - + -filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) - -allow mysqld_t mysqld_etc_t:dir list_dir_perms; 
@@ -58398,23 +58398,23 @@ index 7584bbe7c..b02e50d45 100644 +allow mysqld_t mysqld_etc_t:file read_file_perms; allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms; +allow mysqld_t mysqld_etc_t:dir list_dir_perms; - + manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) +manage_fifo_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) - + manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) +allow mysqld_t mysqld_tmp_t:file map; - + manage_dirs_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) - + -kernel_read_kernel_sysctls(mysqld_t) +userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + @@ -58424,7 +58424,7 @@ index 7584bbe7c..b02e50d45 100644 + +corecmd_exec_bin(mysqld_t) +corecmd_exec_shell(mysqld_t) - + -corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) corenet_tcp_sendrecv_generic_if(mysqld_t) @@ -58444,20 +58444,20 @@ index 7584bbe7c..b02e50d45 100644 +corenet_tcp_connect_tram_port(mysqld_t) +corenet_sendrecv_mysqld_client_packets(mysqld_t) +corenet_sendrecv_mysqld_server_packets(mysqld_t) - + -corecmd_exec_bin(mysqld_t) -corecmd_exec_shell(mysqld_t) +can_exec(mysqld_t, mysqld_exec_t) - + dev_read_sysfs(mysqld_t) dev_read_urand(mysqld_t) - + -domain_use_interactive_fds(mysqld_t) - fs_getattr_all_fs(mysqld_t) fs_search_auto_mountpoints(mysqld_t) fs_rw_hugetlbfs_files(mysqld_t) - + +domain_use_interactive_fds(mysqld_t) +domain_read_all_domains_state(mysqld_t) + 
@@ -58467,90 +58467,90 @@ index 7584bbe7c..b02e50d45 100644 +files_search_var_lib(mysqld_t) +files_search_pids(mysqld_t) +files_getattr_all_sockets(mysqld_t) - + -auth_use_nsswitch(mysqld_t) +auth_use_pam(mysqld_t) - + logging_send_syslog_msg(mysqld_t) - + -miscfiles_read_localization(mysqld_t) +sysnet_read_config(mysqld_t) +sysnet_exec_ifconfig(mysqld_t) - + -userdom_search_user_home_dirs(mysqld_t) -userdom_dontaudit_use_unpriv_user_fds(mysqld_t) +ifdef(`distro_redhat',` + filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) +') - + tunable_policy(`mysql_connect_any',` - corenet_sendrecv_all_client_packets(mysqld_t) - corenet_tcp_connect_all_ports(mysqld_t) + corenet_tcp_connect_all_ports(mysqld_t) - corenet_tcp_sendrecv_all_ports(mysqld_t) + corenet_sendrecv_all_client_packets(mysqld_t) ') - + optional_policy(` - daemontools_service_domain(mysqld_t, mysqld_exec_t) + daemontools_service_domain(mysqld_t, mysqld_exec_t) ') - + +optional_policy(` + openshift_search_lib(mysqld_t) +') + optional_policy(` - seutil_sigchld_newrole(mysqld_t) + seutil_sigchld_newrole(mysqld_t) ') 
@@ -155,21 +171,20 @@ optional_policy(` - + ####################################### # -# Safe local policy +# Local mysqld_safe policy # - + -allow mysqld_safe_t self:capability { chown dac_override fowner kill }; +allow mysqld_safe_t self:capability { chown dac_read_search dac_override setgid setuid fowner kill sys_nice sys_resource }; +dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; - + -allow mysqld_safe_t mysqld_t:process signull; +allow mysqld_safe_t mysqld_t:process { rlimitinh noatsecure }; - + read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) +delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) - + -allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms; -allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms; -allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms; +domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) - + list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) 
@@ -177,31 +192,39 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) - + manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) -delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t) - -domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) +delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) - + kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) - + +can_exec(mysqld_safe_t, mysqld_safe_exec_t) + corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) - + +dev_read_urand(mysqld_safe_t) dev_list_sysfs(mysqld_safe_t) - + domain_read_all_domains_state(mysqld_safe_t) - + -files_read_etc_files(mysqld_safe_t) -files_read_usr_files(mysqld_safe_t) -files_search_pids(mysqld_safe_t) @@ -58558,41 +58558,41 @@ index 7584bbe7c..b02e50d45 100644 +files_dontaudit_access_check_root(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) - + +files_write_root_dirs(mysqld_safe_t) + +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) - + -miscfiles_read_localization(mysqld_safe_t) +auth_use_nsswitch(mysqld_safe_t) + +domain_dontaudit_signull_all_domains(mysqld_safe_t) - + -userdom_search_user_home_dirs(mysqld_safe_t) +mysql_manage_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_signull(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) - + optional_policy(` - hostname_exec(mysqld_safe_t) + hostname_exec(mysqld_safe_t) 
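Review bot: In the @@ -58467 hunk, `-auth_use_nsswitch(mysqld_t)` / `+auth_use_pam(mysqld_t)` widens mysqld from name-service lookups to the full PAM client interface, which in refpolicy, as far as I recall, also pulls in the password-helper domain transitions; that is appropriate only if the PAM authentication plugin is in scope for this domain, and the commit does not say so. If the intent is only name resolution, `auth_use_nsswitch(mysqld_t)` remains the narrower choice; if PAM is intended, a comment above the line such as `# auth_use_pam: required by the mysql PAM authentication plugin — TODO confirm` records the reason. The hunk also adds `+sysnet_exec_ifconfig(mysqld_t)`, which has no obvious caller in a database server and would benefit from the same justification. The mysqld local-policy block starts outside the hunk.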
@@ -209,20 +232,21 @@ optional_policy(` - + ######################################## # -# Manager local policy +# MySQL Manager Policy # - + -allow mysqlmanagerd_t self:capability { dac_override kill }; +allow mysqlmanagerd_t self:capability { dac_read_search dac_override kill }; allow mysqlmanagerd_t self:process signal; allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; - + -allow mysqlmanagerd_t mysqld_t:process signal; - -allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms; @@ -58604,19 +58604,19 @@ index 7584bbe7c..b02e50d45 100644 +mysql_search_db(mysqlmanagerd_t) +mysql_signal(mysqlmanagerd_t) +mysql_stream_connect(mysqlmanagerd_t) - + domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) - + @@ -230,31 +254,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) - + -stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t) - kernel_read_system_state(mysqlmanagerd_t) - + corecmd_exec_shell(mysqlmanagerd_t) - + -corenet_all_recvfrom_unlabeled(mysqlmanagerd_t) corenet_all_recvfrom_netlabel(mysqlmanagerd_t) corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t) @@ -58631,9 +58631,9 @@ index 7584bbe7c..b02e50d45 100644 -corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t) +corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t) +corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t) - + dev_read_urand(mysqlmanagerd_t) - + -files_read_etc_files(mysqlmanagerd_t) -files_read_usr_files(mysqlmanagerd_t) -files_search_pids(mysqlmanagerd_t) 
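Review bot: `+files_write_root_dirs(mysqld_safe_t)` in the @@ -58558 hunk lets the wrapper create entries directly in the root directory, and nothing in the hunk says which file that is, so anything created there gets the root directory's type by default instead of a mysql-specific one. If a particular file is being written (the commit does not name it), a named file transition to a dedicated type is the narrower fix, and either way a comment above the line such as `# mysqld_safe creates <file name> in / — TODO confirm and add a filetrans` should record the reason. The adjacent `+files_dontaudit_access_check_root(mysqld_safe_t)` only silences access(2) probes on /, so it is worth confirming that both rules are still needed together. The mysqld_safe block starts outside the hunk.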
@@ -59275,35 +59275,35 @@ index d78dfc38d..c781b72bb 100644 +/etc/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - + -/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - + -/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) +/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +/usr/bin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0) +/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - + -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) +/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +/usr/sbin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0) +/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) - + -/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) +/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) +/usr/lib/icinga/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) - + -/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +/var/log/netsaint(/.*)? 
gen_context(system_u:object_r:nagios_log_t,s0) +/var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) - + -/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) +/var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) + @@ -59311,7 +59311,7 @@ index d78dfc38d..c781b72bb 100644 + +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) +/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) - + +ifdef(`distro_debian',` +/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +') @@ -59320,14 +59320,14 @@ index d78dfc38d..c781b72bb 100644 + +# admin plugins /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) - + -/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) +# check disk plugins +/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) /usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) - + -/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) @@ -59462,7 +59462,7 @@ index 0641e970f..d012e9b04 100644 @@ -1,12 +1,13 @@ -## Network monitoring server. +## Net Saint / NAGIOS - network monitoring server - + -####################################### +######################################## ## @@ -59479,29 +59479,29 @@ index 0641e970f..d012e9b04 100644 ## # 
@@ -16,38 +17,51 @@ template(`nagios_plugin_template',` - type nagios_t, nrpe_t; - ') - + type nagios_t, nrpe_t; + ') + - ######################################## - # - # Declarations - # - - type nagios_$1_plugin_t, nagios_plugin_domain; - type nagios_$1_plugin_exec_t; - application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) - role system_r types nagios_$1_plugin_t; - + type nagios_$1_plugin_t, nagios_plugin_domain; + type nagios_$1_plugin_exec_t; + application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) + role system_r types nagios_$1_plugin_t; + - ######################################## - # - # Policy - # - - domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) - allow nagios_t nagios_$1_plugin_exec_t:file ioctl; - + domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + allow nagios_t nagios_$1_plugin_exec_t:file ioctl; + + # needed by command.cfg - domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) + + kernel_read_system_state(nagios_$1_plugin_t) + @@ -59526,7 +59526,7 @@ index 0641e970f..d012e9b04 100644 + + domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) ') - + ######################################## ## -## Do not audit attempts to read or @@ -59542,9 +59542,9 @@ index 0641e970f..d012e9b04 100644 -## # interface(`nagios_dontaudit_rw_pipes',` - gen_require(` + gen_require(` @@ -59,7 +73,8 @@ interface(`nagios_dontaudit_rw_pipes',` - + ######################################## ## -## Read nagios configuration content. @@ -59554,12 +59554,12 @@ index 0641e970f..d012e9b04 100644 ## ## 
@@ -73,15 +88,33 @@ interface(`nagios_read_config',` - type nagios_etc_t; - ') - + type nagios_etc_t; + ') + - files_search_etc($1) - allow $1 nagios_etc_t:dir list_dir_perms; - allow $1 nagios_etc_t:file read_file_perms; + allow $1 nagios_etc_t:dir list_dir_perms; + allow $1 nagios_etc_t:file read_file_perms; - allow $1 nagios_etc_t:lnk_file read_lnk_file_perms; + files_search_etc($1) +') @@ -59582,7 +59582,7 @@ index 0641e970f..d012e9b04 100644 + list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t) + read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t) ') - + ###################################### ## -## Read nagios log files. @@ -59591,7 +59591,7 @@ index 0641e970f..d012e9b04 100644 ## ## @@ -100,8 +133,7 @@ interface(`nagios_read_log',` - + ######################################## ## -## Do not audit attempts to read or @@ -59601,11 +59601,11 @@ index 0641e970f..d012e9b04 100644 ## ## @@ -132,13 +164,33 @@ interface(`nagios_search_spool',` - type nagios_spool_t; - ') - + type nagios_spool_t; + ') + - files_search_spool($1) - allow $1 nagios_spool_t:dir search_dir_perms; + allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) +') + @@ -59627,7 +59627,7 @@ index 0641e970f..d012e9b04 100644 + allow $1 nagios_spool_t:file append_file_perms; + files_search_spool($1) ') - + ######################################## ## -## Read nagios temporary files. @@ -59637,11 +59637,11 @@ index 0641e970f..d012e9b04 100644 ## ## @@ -151,13 +203,34 @@ interface(`nagios_read_tmp_files',` - type nagios_tmp_t; - ') - + type nagios_tmp_t; + ') + - files_search_tmp($1) - allow $1 nagios_tmp_t:file read_file_perms; + allow $1 nagios_tmp_t:file read_file_perms; + files_search_tmp($1) +') + @@ -59664,7 +59664,7 @@ index 0641e970f..d012e9b04 100644 + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) ') - + ######################################## ## -## Execute nrpe with a domain transition. 
@@ -59674,13 +59674,13 @@ index 0641e970f..d012e9b04 100644 ## ## @@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',` - type nrpe_t, nrpe_exec_t; - ') - + type nrpe_t, nrpe_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, nrpe_exec_t, nrpe_t) + domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') - + +###################################### +## +## Do not audit attempts to write nrpe daemon unnamed pipes. @@ -59719,17 +59719,17 @@ index 0641e970f..d012e9b04 100644 ## # interface(`nagios_admin',` - gen_require(` + gen_require(` - attribute nagios_plugin_domain; - type nagios_t, nrpe_t, nagios_initrc_exec_t; + type nagios_t, nrpe_t, nagios_initrc_exec_t; - type nagios_tmp_t, nagios_log_t, nagios_var_lib_t; - type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t; - type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t; - type nagios_eventhandler_plugin_tmp_t; + type nagios_tmp_t, nagios_log_t, nagios_var_run_t; + type nagios_etc_t, nrpe_etc_t, nagios_spool_t; - ') - + ') + - allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms }; - ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain }) + allow $1 nagios_t:process signal_perms; 
@@ -59737,30 +59737,30 @@ index 0641e970f..d012e9b04 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 nagios_t:process ptrace; + ') - - init_labeled_script_domtrans($1, nagios_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nagios_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, nagios_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 nagios_initrc_exec_t system_r; + allow $2 system_r; + - files_search_tmp($1) - admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t }) + files_list_tmp($1) + admin_pattern($1, nagios_tmp_t) - + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, nagios_log_t) - + admin_pattern($1, nagios_log_t) + - files_search_etc($1) - admin_pattern($1, { nrpe_etc_t nagios_etc_t }) + files_list_etc($1) + admin_pattern($1, nagios_etc_t) - + - files_search_spool($1) + files_list_spool($1) - admin_pattern($1, nagios_spool_t) - + admin_pattern($1, nagios_spool_t) + - files_search_pids($1) - admin_pattern($1, { nrpe_var_run_t nagios_var_run_t }) + files_list_pids($1) @@ -59783,7 +59783,7 @@ index 0641e970f..d012e9b04 100644 + gen_require(` + type nagios_unconfined_plugin_t; + ') - + - files_search_var_lib($1) - admin_pattern($1, nagios_var_lib_t) + allow $1 nagios_unconfined_plugin_t:process signull; @@ -59795,7 +59795,7 @@ index 7b3e682e6..a5e1cfda8 100644 @@ -5,6 +5,33 @@ policy_module(nagios, 1.13.0) # Declarations # - + +## +##

    +## Allow nagios/nrpe to call sudo from NRPE utils scripts. @@ -59824,15 +59824,15 @@ index 7b3e682e6..a5e1cfda8 100644 +') + attribute nagios_plugin_domain; - + type nagios_t; @@ -27,7 +54,7 @@ type nagios_var_run_t; files_pid_file(nagios_var_run_t) - + type nagios_spool_t; -files_type(nagios_spool_t) +files_spool_file(nagios_spool_t) - + type nagios_var_lib_t; files_type(nagios_var_lib_t) @@ -39,6 +66,7 @@ nagios_plugin_template(services) @@ -59840,13 +59840,13 @@ index 7b3e682e6..a5e1cfda8 100644 nagios_plugin_template(unconfined) nagios_plugin_template(eventhandler) +nagios_plugin_template(openshift) - + type nagios_eventhandler_plugin_tmp_t; files_tmp_file(nagios_eventhandler_plugin_tmp_t) @@ -46,6 +74,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t) type nagios_system_plugin_tmp_t; files_tmp_file(nagios_system_plugin_tmp_t) - + +type nagios_openshift_plugin_tmp_t; +files_tmp_file(nagios_openshift_plugin_tmp_t) + @@ -59854,24 +59854,24 @@ index 7b3e682e6..a5e1cfda8 100644 type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) @@ -63,44 +94,50 @@ files_pid_file(nrpe_var_run_t) - + allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms; - + +allow nrpe_t nagios_plugin_domain:process { signal sigkill }; -+ ++ +allow nagios_t nagios_plugin_domain:process signal_perms; +allow nagios_plugin_domain nagios_t:process signal_perms; + +# cjp: leaked file descriptor dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write }; dontaudit nagios_plugin_domain nagios_log_t:file { read write }; - + -kernel_read_system_state(nagios_plugin_domain) - dev_read_urand(nagios_plugin_domain) dev_read_rand(nagios_plugin_domain) +dev_read_sysfs(nagios_plugin_domain) - + -files_read_usr_files(nagios_plugin_domain) - -miscfiles_read_localization(nagios_plugin_domain) 
@@ -59879,12 +59879,12 @@ index 7b3e682e6..a5e1cfda8 100644 -userdom_use_user_terminals(nagios_plugin_domain) +userdom_use_inherited_user_ptys(nagios_plugin_domain) +userdom_use_inherited_user_ttys(nagios_plugin_domain) - + ######################################## # # Nagios local policy # - + -allow nagios_t self:capability { dac_override setgid setuid }; +allow nagios_t self:capability { dac_read_search dac_override setgid setuid }; dontaudit nagios_t self:capability sys_tty_config; @@ -59892,16 +59892,16 @@ index 7b3e682e6..a5e1cfda8 100644 allow nagios_t self:fifo_file rw_fifo_file_perms; allow nagios_t self:tcp_socket { accept listen }; +allow nagios_t self:unix_stream_socket { connectto }; - + allow nagios_t nagios_plugin_domain:process signal_perms; - + allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms; - + allow nagios_t nagios_etc_t:dir list_dir_perms; -allow nagios_t nagios_etc_t:file read_file_perms; +allow nagios_t nagios_etc_t:file { read_file_perms map }; allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms; - + -allow nagios_t nagios_log_t:dir setattr_dir_perms; -append_files_pattern(nagios_t, nagios_log_t, nagios_log_t) -create_files_pattern(nagios_t, nagios_log_t, nagios_log_t) @@ -59915,59 +59915,59 @@ index 7b3e682e6..a5e1cfda8 100644 +manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t) +logging_log_filetrans(nagios_t, nagios_log_t, { dir file }) +allow nagios_t nagios_log_t:file map; - + manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t) 
@@ -110,11 +147,15 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) - + manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) -files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) +manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +manage_sock_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t) +files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file }) +allow nagios_t nagios_spool_t:file map; - + manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) -files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { file fifo_file }) +manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) +files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file }) - + kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) @@ -123,7 +164,6 @@ kernel_read_software_raid_state(nagios_t) corecmd_exec_bin(nagios_t) corecmd_exec_shell(nagios_t) - + -corenet_all_recvfrom_unlabeled(nagios_t) corenet_all_recvfrom_netlabel(nagios_t) corenet_tcp_sendrecv_generic_if(nagios_t) corenet_tcp_sendrecv_generic_node(nagios_t) @@ -143,18 +183,16 @@ domain_read_all_domains_state(nagios_t) - + files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) -files_read_usr_files(nagios_t) files_search_spool(nagios_t) - + fs_getattr_all_fs(nagios_t) fs_search_auto_mountpoints(nagios_t) +fs_search_cgroup_dirs(nagios_t) - + auth_use_nsswitch(nagios_t) - + logging_send_syslog_msg(nagios_t) - + -miscfiles_read_localization(nagios_t) - userdom_dontaudit_use_unpriv_user_fds(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t) - + @@ -162,6 +200,47 @@ mta_send_mail(nagios_t) mta_signal_system_mail(nagios_t) mta_kill_system_mail(nagios_t) - + +systemd_exec_systemctl(nagios_t) + +tunable_policy(`nagios_run_sudo',` 
@@ -60010,7 +60010,7 @@ index 7b3e682e6..a5e1cfda8 100644 +') + optional_policy(` - netutils_kill_ping(nagios_t) + netutils_kill_ping(nagios_t) ') @@ -178,35 +257,40 @@ optional_policy(` # @@ -60018,35 +60018,35 @@ index 7b3e682e6..a5e1cfda8 100644 # + optional_policy(` - apache_content_template(nagios) + apache_content_template(nagios) - typealias httpd_nagios_script_t alias nagios_cgi_t; - typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t; + apache_content_alias_template(nagios, nagios) + typealias nagios_script_t alias nagios_cgi_t; + typealias nagios_script_exec_t alias nagios_cgi_exec_t; - + - allow httpd_nagios_script_t self:process signal_perms; + allow nagios_script_t self:process signal_perms; - + - read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) + read_files_pattern(nagios_script_t, nagios_t, nagios_t) + read_lnk_files_pattern(nagios_script_t, nagios_t, nagios_t) - + - allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; - allow httpd_nagios_script_t nagios_etc_t:file read_file_perms; - allow httpd_nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms; + allow nagios_script_t nagios_etc_t:dir list_dir_perms; + allow nagios_script_t nagios_etc_t:file { map read_file_perms }; + allow nagios_script_t nagios_etc_t:lnk_file read_lnk_file_perms; - + - files_search_spool(httpd_nagios_script_t) - rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + files_search_spool(nagios_script_t) + rw_fifo_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t) + read_files_pattern(nagios_script_t, nagios_spool_t, nagios_spool_t) + allow nagios_script_t nagios_spool_t:file map; - + - allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; - read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) - read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) 
@@ -60054,63 +60054,63 @@ index 7b3e682e6..a5e1cfda8 100644 + read_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t) + read_lnk_files_pattern(nagios_script_t, nagios_etc_t, nagios_log_t) + allow nagios_script_t nagios_log_t:file map; - + - kernel_read_system_state(httpd_nagios_script_t) + kernel_read_system_state(nagios_script_t) - + - domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + domain_dontaudit_read_all_domains_state(nagios_script_t) - + - files_read_etc_runtime_files(httpd_nagios_script_t) - files_read_kernel_symbol_table(httpd_nagios_script_t) + files_read_etc_runtime_files(nagios_script_t) + files_read_kernel_symbol_table(nagios_script_t) - + - logging_send_syslog_msg(httpd_nagios_script_t) + logging_send_syslog_msg(nagios_script_t) ') - + ######################################## @@ -214,7 +298,7 @@ optional_policy(` # Nrpe local policy # - + -allow nrpe_t self:capability { setuid setgid }; +allow nrpe_t self:capability { setuid setgid kill }; dontaudit nrpe_t self:capability { sys_tty_config sys_resource }; allow nrpe_t self:process { setpgid signal_perms setsched setrlimit }; allow nrpe_t self:fifo_file rw_fifo_file_perms; @@ -229,9 +313,11 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file) - + domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) - + +kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) kernel_read_software_raid_state(nrpe_t) -kernel_read_system_state(nrpe_t) + +can_exec(nagios_t, nagios_exec_t) - + corecmd_exec_bin(nrpe_t) corecmd_exec_shell(nrpe_t) @@ -252,8 +338,8 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) domain_read_all_domains_state(nrpe_t) - + +files_list_var(nrpe_t) files_read_etc_runtime_files(nrpe_t) -files_read_usr_files(nrpe_t) - + fs_getattr_all_fs(nrpe_t) fs_search_auto_mountpoints(nrpe_t) 
@@ -262,10 +348,40 @@ auth_use_nsswitch(nrpe_t) - + logging_send_syslog_msg(nrpe_t) - + -miscfiles_read_localization(nrpe_t) - userdom_dontaudit_use_unpriv_user_fds(nrpe_t) - + +tunable_policy(`nagios_run_sudo',` + allow nrpe_t self:capability { setuid setgid sys_resource sys_ptrace }; + allow nrpe_t self:process { setrlimit setsched }; @@ -60144,48 +60144,48 @@ index 7b3e682e6..a5e1cfda8 100644 +') + optional_policy(` - inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) + inetd_tcp_service_domain(nrpe_t, nrpe_exec_t) ') @@ -309,16 +425,16 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # Mail local policy # - + -allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; -allow nagios_mail_plugin_t self:tcp_socket { accept listen }; +allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search dac_override }; +allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_mail_plugin_t self:udp_socket create_socket_perms; - + kernel_read_kernel_sysctls(nagios_mail_plugin_t) - + corecmd_read_bin_files(nagios_mail_plugin_t) corecmd_read_bin_symlinks(nagios_mail_plugin_t) - + -files_read_etc_files(nagios_mail_plugin_t) - logging_send_syslog_msg(nagios_mail_plugin_t) - + sysnet_dns_name_resolve(nagios_mail_plugin_t) @@ -345,9 +461,14 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; - + kernel_read_software_raid_state(nagios_checkdisk_plugin_t) - + +corecmd_exec_bin(nagios_checkdisk_plugin_t) + +files_getattr_all_dirs(nagios_checkdisk_plugin_t) files_getattr_all_mountpoints(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t) - + +fs_read_configfs_files(nagios_checkdisk_plugin_t) +fs_read_configfs_dirs(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) - + storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) 
@@ -357,9 +478,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) # Services local policy # - + -allow nagios_services_plugin_t self:capability net_raw; +allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; @@ -60193,58 +60193,58 @@ index 7b3e682e6..a5e1cfda8 100644 +allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; +allow nagios_services_plugin_t self:udp_socket create_socket_perms; +allow nagios_services_plugin_t self:rawip_socket create_socket_perms; - + corecmd_exec_bin(nagios_services_plugin_t) - + @@ -391,6 +514,11 @@ optional_policy(` - + optional_policy(` - mysql_stream_connect(nagios_services_plugin_t) + mysql_stream_connect(nagios_services_plugin_t) + mysql_read_config(nagios_services_plugin_t) +') + +optional_policy(` + postgresql_stream_connect(nagios_services_plugin_t) ') - + optional_policy(` 
@@ -402,32 +530,40 @@ optional_policy(` # System local policy # - + -allow nagios_system_plugin_t self:capability dac_override; +allow nagios_system_plugin_t self:capability { dac_read_search dac_override }; dontaudit nagios_system_plugin_t self:capability { setuid setgid }; - + read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) +allow nagios_system_plugin_t nrpe_exec_t:file read_file_perms; +allow nagios_system_plugin_t nagios_exec_t:file read_file_perms; - + manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) - + +kernel_read_system_state(nagios_system_plugin_t) kernel_read_kernel_sysctls(nagios_system_plugin_t) - + corecmd_exec_bin(nagios_system_plugin_t) corecmd_exec_shell(nagios_system_plugin_t) +corecmd_getattr_all_executables(nagios_system_plugin_t) - + dev_read_sysfs(nagios_system_plugin_t) - + domain_read_all_domains_state(nagios_system_plugin_t) - + -files_read_etc_files(nagios_system_plugin_t) - fs_getattr_all_fs(nagios_system_plugin_t) - + +auth_read_passwd(nagios_system_plugin_t) + optional_policy(` - init_read_utmp(nagios_system_plugin_t) + init_read_utmp(nagios_system_plugin_t) ') - + +optional_policy(` + mrtg_read_lib_files(nagios_system_plugin_t) +') @@ -60253,9 +60253,9 @@ index 7b3e682e6..a5e1cfda8 100644 # # Event local policy @@ -442,9 +578,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) - + init_domtrans_script(nagios_eventhandler_plugin_t) - + +systemd_exec_systemctl(nagios_eventhandler_plugin_t) + +allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms; @@ -60291,7 +60291,7 @@ index 7b3e682e6..a5e1cfda8 100644 +# +# nagios plugin domain policy # - + optional_policy(` diff --git a/namespace.fc b/namespace.fc new file mode 100644 
@@ -60410,13 +60410,13 @@ index db9578f4e..4309e3da5 100644 @@ -38,9 +38,11 @@ interface(`ncftool_domtrans',` # interface(`ncftool_run',` - gen_require(` + gen_require(` + type ncftool_t; - attribute_role ncftool_roles; - ') - - ncftool_domtrans($1) - roleattribute $2 ncftool_roles; + attribute_role ncftool_roles; + ') + + ncftool_domtrans($1) + roleattribute $2 ncftool_roles; ') + diff --git a/ncftool.te b/ncftool.te @@ -60424,7 +60424,7 @@ index 71f30ba60..d61686078 100644 --- a/ncftool.te +++ b/ncftool.te @@ -22,13 +22,14 @@ role ncftool_roles types ncftool_t; - + allow ncftool_t self:capability net_admin; allow ncftool_t self:process signal; + @@ -60432,7 +60432,7 @@ index 71f30ba60..d61686078 100644 allow ncftool_t self:unix_stream_socket create_stream_socket_perms; allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; allow ncftool_t self:tcp_socket create_stream_socket_perms; - + kernel_read_kernel_sysctls(ncftool_t) -kernel_read_modprobe_sysctls(ncftool_t) +kernel_read_usermodehelper_state(ncftool_t) @@ -60440,18 +60440,18 @@ index 71f30ba60..d61686078 100644 kernel_read_system_state(ncftool_t) kernel_request_load_module(ncftool_t) @@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t) - + dev_read_sysfs(ncftool_t) - + -files_read_etc_files(ncftool_t) +files_manage_system_conf_files(ncftool_t) +files_relabelto_system_conf_files(ncftool_t) files_read_etc_runtime_files(ncftool_t) -files_read_usr_files(ncftool_t) - + -miscfiles_read_localization(ncftool_t) +term_use_all_inherited_terms(ncftool_t) - + sysnet_delete_dhcpc_pid(ncftool_t) sysnet_run_dhcpc(ncftool_t, ncftool_roles) @@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles) @@ -60462,50 +60462,50 @@ index 71f30ba60..d61686078 100644 +sysnet_relabelto_net_conf(ncftool_t) sysnet_read_dhcpc_pid(ncftool_t) sysnet_signal_dhcpc(ncftool_t) - + 
@@ -73,11 +76,14 @@ optional_policy(` - + optional_policy(` - iptables_initrc_domtrans(ncftool_t) + iptables_initrc_domtrans(ncftool_t) + iptables_systemctl(ncftool_t) ') - + optional_policy(` + modutils_list_module_config(ncftool_t) - modutils_read_module_config(ncftool_t) - modutils_run_insmod(ncftool_t, ncftool_roles) + modutils_read_module_config(ncftool_t) + modutils_run_insmod(ncftool_t, ncftool_roles) + ') - + optional_policy(` diff --git a/nessus.te b/nessus.te index fe1068ba5..98166ee0b 100644 --- a/nessus.te +++ b/nessus.te @@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t) - + corecmd_exec_bin(nessusd_t) - + -corenet_all_recvfrom_unlabeled(nessusd_t) corenet_all_recvfrom_netlabel(nessusd_t) corenet_tcp_sendrecv_generic_if(nessusd_t) corenet_udp_sendrecv_generic_if(nessusd_t) @@ -82,7 +81,6 @@ dev_read_urand(nessusd_t) domain_use_interactive_fds(nessusd_t) - + files_list_var_lib(nessusd_t) -files_read_etc_files(nessusd_t) files_read_etc_runtime_files(nessusd_t) - + fs_getattr_all_fs(nessusd_t) @@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t) - + logging_send_syslog_msg(nessusd_t) - + -miscfiles_read_localization(nessusd_t) - sysnet_read_config(nessusd_t) - + userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc index 94b973407..448a7e836 100644 @@ -60514,38 +60514,38 @@ index 94b973407..448a7e836 100644 
@@ -1,44 +1,46 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - + /etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0) /etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) /etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0) /etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) - + -/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) -/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) -/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) - + -/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) -/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) -/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0) +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0) - + -/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) -/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) 
+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0) - + -/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/libexec/nm-dispatcher.* -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - + /usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) /usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) - + /usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -60559,14 +60559,14 @@ index 94b973407..448a7e836 100644 + +/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) +/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) - + -/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) -/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) +/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) - + -/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) - + /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) @@ -60584,7 +60584,7 @@ index 86dc29dfa..690cb88a8 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ - + ######################################## ##

    -## Read and write networkmanager udp sockets. @@ -60598,10 +60598,10 @@ index 86dc29dfa..690cb88a8 100644 # +# cjp: added for named. interface(`networkmanager_rw_udp_sockets',` - gen_require(` - type NetworkManager_t; + gen_require(` + type NetworkManager_t; @@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',` - + ######################################## ## -## Read and write networkmanager packet sockets. @@ -60615,10 +60615,10 @@ index 86dc29dfa..690cb88a8 100644 # +# cjp: added for named. interface(`networkmanager_rw_packet_sockets',` - gen_require(` - type NetworkManager_t; + gen_require(` + type NetworkManager_t; @@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',` - + ####################################### ## -## Relabel networkmanager tun socket. @@ -60635,7 +60635,7 @@ index 86dc29dfa..690cb88a8 100644 # interface(`networkmanager_attach_tun_iface',` @@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',` - + ######################################## ## -## Read and write networkmanager netlink @@ -60649,10 +60649,10 @@ index 86dc29dfa..690cb88a8 100644 # +# cjp: added for named. interface(`networkmanager_rw_routing_sockets',` - gen_require(` - type NetworkManager_t; + gen_require(` + type NetworkManager_t; @@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',` - + ######################################## ## -## Execute networkmanager with a domain transition. @@ -60661,9 +60661,9 @@ index 86dc29dfa..690cb88a8 100644 ## ## @@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',` - domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) + domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) ') - + +####################################### +## +## Execute NetworkManager scripts with an automatic domain transition to initrc. 
@@ -60696,12 +60696,12 @@ index 86dc29dfa..690cb88a8 100644 # -interface(`networkmanager_initrc_domtrans',` +interface(`networkmanager_systemctl',` - gen_require(` + gen_require(` - type NetworkManager_initrc_exec_t; + type NetworkManager_unit_file_t; + type NetworkManager_t; - ') - + ') + - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) + systemd_exec_systemctl($1) + init_reload_services($1) @@ -60710,7 +60710,7 @@ index 86dc29dfa..690cb88a8 100644 + + ps_process_pattern($1, NetworkManager_t) ') - + ######################################## ## ## Send and receive messages from @@ -60720,7 +60720,7 @@ index 86dc29dfa..690cb88a8 100644 ## ## @@ -155,7 +181,29 @@ interface(`networkmanager_read_state',` - + ######################################## ## -## Send generic signals to networkmanager. @@ -60751,17 +60751,17 @@ index 86dc29dfa..690cb88a8 100644 ## ## @@ -189,6 +237,7 @@ interface(`networkmanager_manage_lib_files',` - - files_search_var_lib($1) - manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + + files_search_var_lib($1) + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + allow $1 NetworkManager_var_lib_t:file map; ') - + ######################################## @@ -209,11 +258,31 @@ interface(`networkmanager_read_lib_files',` - files_search_var_lib($1) - list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) - read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + files_search_var_lib($1) + list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) + allow $1 NetworkManager_var_lib_t:file map; +') + 
@@ -60783,7 +60783,7 @@ index 86dc29dfa..690cb88a8 100644 + allow $1 NetworkManager_etc_t:dir list_dir_perms; + read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) ') - + ######################################## ## -## Append networkmanager log files. @@ -60797,18 +60797,18 @@ index 86dc29dfa..690cb88a8 100644 # -interface(`networkmanager_append_log_files',` +interface(`networkmanager_read_pid_files',` - gen_require(` + gen_require(` - type NetworkManager_log_t; + type NetworkManager_var_run_t; - ') - + ') + - logging_search_logs($1) - allow $1 NetworkManager_log_t:dir list_dir_perms; - append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) + files_search_pids($1) + read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') - + ######################################## ## -## Read networkmanager pid files. @@ -60841,11 +60841,11 @@ index 86dc29dfa..690cb88a8 100644 +## +# +interface(`networkmanager_manage_pid_sock_files',` - gen_require(` - type NetworkManager_var_run_t; - ') - - files_search_pids($1) + gen_require(` + type NetworkManager_var_run_t; + ') + + files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; + manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) +') @@ -60883,10 +60883,10 @@ index 86dc29dfa..690cb88a8 100644 + + filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4) ') - + #################################### @@ -272,14 +393,33 @@ interface(`networkmanager_stream_connect',` - + ######################################## ## -## All of the rules required to 
@@ -60927,13 +60927,13 @@ index 86dc29dfa..690cb88a8 100644 # -interface(`networkmanager_admin',` +interface(`networkmanager_run',` - gen_require(` + gen_require(` - type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t; - type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t; - type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t; + type NetworkManager_t, NetworkManager_exec_t; - ') - + ') + - allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { wpa_cli_t NetworkManager_t }) - @@ -60944,7 +60944,7 @@ index 86dc29dfa..690cb88a8 100644 + networkmanager_domtrans($1) + role $2 types NetworkManager_t; +') - + - logging_search_etc($1) - admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t }) +######################################## @@ -60962,13 +60962,13 @@ index 86dc29dfa..690cb88a8 100644 + gen_require(` + type NetworkManager_log_t; + ') - - logging_search_logs($1) + + logging_search_logs($1) - admin_pattern($1, NetworkManager_log_t) + allow $1 NetworkManager_log_t:dir list_dir_perms; + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) + allow $1 NetworkManager_var_lib_t:file map; - + - files_search_var_lib($1) - admin_pattern($1, NetworkManager_var_lib_t) +') @@ -61028,8 +61028,8 @@ index 86dc29dfa..690cb88a8 100644 + gen_require(` + type NetworkManager_t, NetworkManager_var_run_t; + ') - - files_search_pids($1) + + files_search_pids($1) - admin_pattern($1, NetworkManager_var_run_t) + dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) +') @@ -61106,7 +61106,7 @@ index 86dc29dfa..690cb88a8 100644 + type NetworkManager_var_run_t; + type NetworkManager_var_lib_t; + ') - + - files_search_tmp($1) - admin_pattern($1, NetworkManager_tmp_t) + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth0.conf") @@ -61142,7 +61142,7 @@ index 55f20095e..b717dd886 100644 
@@ -9,15 +9,18 @@ type NetworkManager_t; type NetworkManager_exec_t; init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) - + +type NetworkManager_initrc_exec_t; +init_script_file(NetworkManager_initrc_exec_t) + @@ -61151,20 +61151,20 @@ index 55f20095e..b717dd886 100644 + type NetworkManager_etc_t; files_config_file(NetworkManager_etc_t) - + type NetworkManager_etc_rw_t; files_config_file(NetworkManager_etc_rw_t) - + -type NetworkManager_initrc_exec_t; -init_script_file(NetworkManager_initrc_exec_t) - type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) - + @@ -39,25 +42,56 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # - + -allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; -dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace }; -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; @@ -61205,9 +61205,9 @@ index 55f20095e..b717dd886 100644 allow NetworkManager_t self:packet_socket create_socket_perms; +allow NetworkManager_t self:rawip_socket create_socket_perms; +allow NetworkManager_t self:socket create_socket_perms; - + allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; - + -allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms; -allow NetworkManager_t NetworkManager_etc_t:file read_file_perms; -allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms; 
@@ -61218,7 +61218,7 @@ index 55f20095e..b717dd886 100644 +list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) +read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) - + +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) @@ -61230,7 +61230,7 @@ index 55f20095e..b717dd886 100644 @@ -68,6 +102,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) - + +can_exec(NetworkManager_t, NetworkManager_tmp_t) manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) @@ -61238,7 +61238,7 @@ index 55f20095e..b717dd886 100644 @@ -81,17 +116,17 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) - + -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t }) - -kernel_read_crypto_sysctls(NetworkManager_t) @@ -61250,7 +61250,7 @@ index 55f20095e..b717dd886 100644 kernel_rw_net_sysctls(NetworkManager_t) +kernel_dontaudit_setsched(NetworkManager_t) +kernel_signull(NetworkManager_t) - + -corenet_all_recvfrom_unlabeled(NetworkManager_t) +corenet_ib_manage_subnet_unlabeled_endports(NetworkManager_t) +corenet_ib_access_unlabeled_pkeys(NetworkManager_t) 
@@ -61276,7 +61276,7 @@ index 55f20095e..b717dd886 100644 +corenet_sendrecv_all_client_packets(NetworkManager_t) corenet_rw_tun_tap_dev(NetworkManager_t) corenet_getattr_ppp_dev(NetworkManager_t) - + -corecmd_exec_shell(NetworkManager_t) -corecmd_exec_bin(NetworkManager_t) - @@ -61288,7 +61288,7 @@ index 55f20095e..b717dd886 100644 dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) - + -domain_use_interactive_fds(NetworkManager_t) -domain_read_all_domains_state(NetworkManager_t) - @@ -61300,9 +61300,9 @@ index 55f20095e..b717dd886 100644 fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) @@ -140,18 +163,35 @@ mls_file_read_all_levels(NetworkManager_t) - + selinux_dontaudit_search_fs(NetworkManager_t) - + +corecmd_exec_shell(NetworkManager_t) +corecmd_exec_bin(NetworkManager_t) + @@ -61315,7 +61315,7 @@ index 55f20095e..b717dd886 100644 +files_read_isid_type_files(NetworkManager_t) + storage_getattr_fixed_disk_dev(NetworkManager_t) - + +term_open_unallocated_ttys(NetworkManager_t) + init_read_utmp(NetworkManager_t) @@ -61324,18 +61324,18 @@ index 55f20095e..b717dd886 100644 +init_signull_script(NetworkManager_t) +init_signal_script(NetworkManager_t) +init_sigkill_script(NetworkManager_t) - + auth_use_nsswitch(NetworkManager_t) - + +libs_exec_ldconfig(NetworkManager_t) + logging_send_syslog_msg(NetworkManager_t) - + miscfiles_read_generic_certs(NetworkManager_t) -miscfiles_read_localization(NetworkManager_t) - + seutil_read_config(NetworkManager_t) - + @@ -166,21 +206,37 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) 
@@ -61345,13 +61345,13 @@ index 55f20095e..b717dd886 100644 -sysnet_etc_filetrans_config(NetworkManager_t) +sysnet_filetrans_named_content(NetworkManager_t) +sysnet_filetrans_net_conf(NetworkManager_t) - + -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) +systemd_machined_read_pid_files(NetworkManager_t) + +term_use_unallocated_ttys(NetworkManager_t) - + -userdom_write_user_tmp_sockets(NetworkManager_t) +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) @@ -61368,61 +61368,61 @@ index 55f20095e..b717dd886 100644 +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(NetworkManager_t) +') - + optional_policy(` - avahi_domtrans(NetworkManager_t) - avahi_kill(NetworkManager_t) - avahi_signal(NetworkManager_t) - avahi_signull(NetworkManager_t) + avahi_domtrans(NetworkManager_t) + avahi_kill(NetworkManager_t) + avahi_signal(NetworkManager_t) + avahi_signull(NetworkManager_t) + avahi_dbus_chat(NetworkManager_t) ') - + optional_policy(` @@ -195,10 +251,6 @@ optional_policy(` - bluetooth_dontaudit_read_helper_state(NetworkManager_t) + bluetooth_dontaudit_read_helper_state(NetworkManager_t) ') - + -optional_policy(` - consolekit_read_pid_files(NetworkManager_t) -') - optional_policy(` - consoletype_exec(NetworkManager_t) + consoletype_exec(NetworkManager_t) ') 
@@ -210,31 +262,36 @@ optional_policy(` optional_policy(` - dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) - + dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + - optional_policy(` - avahi_dbus_chat(NetworkManager_t) - ') + init_dbus_chat(NetworkManager_t) - - optional_policy(` - consolekit_dbus_chat(NetworkManager_t) + + optional_policy(` + consolekit_dbus_chat(NetworkManager_t) + consolekit_read_pid_files(NetworkManager_t) - ') + ') +') - + - optional_policy(` - policykit_dbus_chat(NetworkManager_t) - ') +optional_policy(` + dnssec_trigger_domtrans(NetworkManager_t) ') - + optional_policy(` - dnsmasq_read_pid_files(NetworkManager_t) + dnsmasq_read_pid_files(NetworkManager_t) + dnsmasq_dbus_chat(NetworkManager_t) - dnsmasq_delete_pid_files(NetworkManager_t) - dnsmasq_domtrans(NetworkManager_t) - dnsmasq_initrc_domtrans(NetworkManager_t) - dnsmasq_kill(NetworkManager_t) - dnsmasq_signal(NetworkManager_t) - dnsmasq_signull(NetworkManager_t) + dnsmasq_delete_pid_files(NetworkManager_t) + dnsmasq_domtrans(NetworkManager_t) + dnsmasq_initrc_domtrans(NetworkManager_t) + dnsmasq_kill(NetworkManager_t) + dnsmasq_signal(NetworkManager_t) + dnsmasq_signull(NetworkManager_t) + dnsmasq_systemctl(NetworkManager_t) ') - + optional_policy(` - gnome_stream_connect_all_gkeyringd(NetworkManager_t) + dnssec_trigger_signull(NetworkManager_t) @@ -61431,12 +61431,12 @@ index 55f20095e..b717dd886 100644 +optional_policy(` + fcoe_dgram_send_fcoemon(NetworkManager_t) ') - + optional_policy(` @@ -245,11 +302,27 @@ optional_policy(` - howl_signal(NetworkManager_t) + howl_signal(NetworkManager_t) ') - + +optional_policy(` + gnome_dontaudit_search_config(NetworkManager_t) +') 
@@ -61450,20 +61450,20 @@ index 55f20095e..b717dd886 100644 +') + optional_policy(` - ipsec_domtrans_mgmt(NetworkManager_t) - ipsec_kill_mgmt(NetworkManager_t) - ipsec_signal_mgmt(NetworkManager_t) - ipsec_signull_mgmt(NetworkManager_t) + ipsec_domtrans_mgmt(NetworkManager_t) + ipsec_kill_mgmt(NetworkManager_t) + ipsec_signal_mgmt(NetworkManager_t) + ipsec_signull_mgmt(NetworkManager_t) + ipsec_domtrans(NetworkManager_t) + ipsec_kill(NetworkManager_t) + ipsec_signal(NetworkManager_t) + ipsec_signull(NetworkManager_t) ') - + optional_policy(` @@ -257,15 +330,19 @@ optional_policy(` ') - + optional_policy(` - libs_exec_ldconfig(NetworkManager_t) + l2tpd_domtrans(NetworkManager_t) @@ -61471,69 +61471,69 @@ index 55f20095e..b717dd886 100644 + l2tpd_signal(NetworkManager_t) + l2tpd_signull(NetworkManager_t) ') - + optional_policy(` - modutils_domtrans_insmod(NetworkManager_t) + lldpad_dgram_send(NetworkManager_t) ') - + optional_policy(` - netutils_exec_ping(NetworkManager_t) + netutils_exec_ping(NetworkManager_t) + netutils_exec(NetworkManager_t) ') - + optional_policy(` @@ -274,10 +351,17 @@ optional_policy(` - nscd_signull(NetworkManager_t) - nscd_kill(NetworkManager_t) - nscd_initrc_domtrans(NetworkManager_t) + nscd_signull(NetworkManager_t) + nscd_kill(NetworkManager_t) + nscd_initrc_domtrans(NetworkManager_t) + nscd_systemctl(NetworkManager_t) ') - + optional_policy(` + # Dispatcher starting and stoping ntp - ntp_initrc_domtrans(NetworkManager_t) + ntp_initrc_domtrans(NetworkManager_t) + ntp_systemctl(NetworkManager_t) +') + +optional_policy(` + modutils_domtrans_insmod(NetworkManager_t) ') - + optional_policy(` 
@@ -286,9 +370,12 @@ optional_policy(` - openvpn_kill(NetworkManager_t) - openvpn_signal(NetworkManager_t) - openvpn_signull(NetworkManager_t) + openvpn_kill(NetworkManager_t) + openvpn_signal(NetworkManager_t) + openvpn_signull(NetworkManager_t) + openvpn_stream_connect(NetworkManager_t) + openvpn_noatsecure(NetworkManager_t) ') - + optional_policy(` + policykit_dbus_chat(NetworkManager_t) - policykit_domtrans_auth(NetworkManager_t) - policykit_read_lib(NetworkManager_t) - policykit_read_reload(NetworkManager_t) + policykit_domtrans_auth(NetworkManager_t) + policykit_read_lib(NetworkManager_t) + policykit_read_reload(NetworkManager_t) @@ -296,7 +383,7 @@ optional_policy(` ') - + optional_policy(` - polipo_initrc_domtrans(NetworkManager_t) + polipo_systemctl(NetworkManager_t) ') - + optional_policy(` @@ -307,6 +394,7 @@ optional_policy(` - ppp_signal(NetworkManager_t) - ppp_signull(NetworkManager_t) - ppp_read_config(NetworkManager_t) + ppp_signal(NetworkManager_t) + ppp_signull(NetworkManager_t) + ppp_read_config(NetworkManager_t) + ppp_systemctl(NetworkManager_t) ') - + optional_policy(` @@ -320,14 +408,21 @@ optional_policy(` ') - + optional_policy(` - udev_exec(NetworkManager_t) - udev_read_db(NetworkManager_t) @@ -61544,7 +61544,7 @@ index 55f20095e..b717dd886 100644 + systemd_dbus_chat_hostnamed(NetworkManager_t) + systemd_hostnamed_manage_config(NetworkManager_t) ') - + optional_policy(` - # unconfined_dgram_send(NetworkManager_t) - unconfined_stream_connect(NetworkManager_t) @@ -61556,12 +61556,12 @@ index 55f20095e..b717dd886 100644 + udev_read_db(NetworkManager_t) + udev_read_pid_files(NetworkManager_t) ') - + optional_policy(` @@ -338,12 +433,16 @@ optional_policy(` - vpn_relabelfrom_tun_socket(NetworkManager_t) + vpn_relabelfrom_tun_socket(NetworkManager_t) ') - + +optional_policy(` + openvswitch_stream_connect(NetworkManager_t) +') 
@@ -61570,16 +61570,16 @@ index 55f20095e..b717dd886 100644 # # wpa_cli local policy # - + -allow wpa_cli_t self:capability dac_override; +allow wpa_cli_t self:capability { dac_read_search dac_override }; allow wpa_cli_t self:unix_dgram_socket create_socket_perms; - + allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; @@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) - + -miscfiles_read_localization(wpa_cli_t) - term_dontaudit_use_console(wpa_cli_t) @@ -61733,22 +61733,22 @@ index 8aa1bfa28..cd0e015f8 100644 /etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0) - /etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0) - + -/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) +/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) - + /usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0) - + -/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) +/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) +/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) /usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) - + -/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) +/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) - + /var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0) /var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0) /var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0) @@ -61765,56 +61765,56 @@ index 46e55c3ff..afe399a0e 100644 
@@ -1,4 +1,4 @@ -## Policy for NIS (YP) servers and clients. +## Policy for NIS (YP) servers and clients - + ######################################## ## @@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',` - gen_require(` - type var_yp_t; - ') + gen_require(` + type var_yp_t; + ') - - allow $1 self:capability net_bind_service; + dontaudit $1 self:capability net_bind_service; - - allow $1 self:tcp_socket create_stream_socket_perms; - allow $1 self:udp_socket create_socket_perms; - - allow $1 var_yp_t:dir list_dir_perms; + + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; + + allow $1 var_yp_t:dir list_dir_perms; - allow $1 var_yp_t:file read_file_perms; - allow $1 var_yp_t:lnk_file read_lnk_file_perms; + allow $1 var_yp_t:lnk_file read_lnk_file_perms; + allow $1 var_yp_t:file read_file_perms; - + - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_generic_node($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_generic_node($1) 
@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',` - corenet_udp_bind_generic_node($1) - corenet_tcp_bind_generic_port($1) - corenet_udp_bind_generic_port($1) + corenet_udp_bind_generic_node($1) + corenet_tcp_bind_generic_port($1) + corenet_udp_bind_generic_port($1) - corenet_dontaudit_tcp_bind_all_reserved_ports($1) - corenet_dontaudit_udp_bind_all_reserved_ports($1) - corenet_dontaudit_tcp_bind_all_ports($1) - corenet_dontaudit_udp_bind_all_ports($1) - corenet_tcp_connect_portmap_port($1) + corenet_dontaudit_tcp_bind_all_ports($1) + corenet_dontaudit_udp_bind_all_ports($1) + corenet_tcp_connect_portmap_port($1) - corenet_tcp_connect_reserved_port($1) + corenet_tcp_connect_all_reserved_ports($1) - corenet_tcp_connect_generic_port($1) + corenet_tcp_connect_generic_port($1) - corenet_dontaudit_tcp_connect_all_ports($1) - corenet_sendrecv_portmap_client_packets($1) - corenet_sendrecv_generic_client_packets($1) - corenet_sendrecv_generic_server_packets($1) + corenet_sendrecv_portmap_client_packets($1) + corenet_sendrecv_generic_client_packets($1) + corenet_sendrecv_generic_server_packets($1) @@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',` ## # interface(`nis_use_ypbind',` - tunable_policy(`allow_ypbind',` + tunable_policy(`nis_enabled',` - nis_use_ypbind_uncond($1) - ') + nis_use_ypbind_uncond($1) + ') ') - + ######################################## ## -## Use nis to authenticate passwords. @@ -61828,11 +61828,11 @@ index 46e55c3ff..afe399a0e 100644 interface(`nis_authenticate',` - tunable_policy(`allow_ypbind',` + tunable_policy(`nis_enabled',` - nis_use_ypbind_uncond($1) - corenet_tcp_bind_all_rpc_ports($1) - corenet_udp_bind_all_rpc_ports($1) + nis_use_ypbind_uncond($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) @@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',` - + ####################################### ## -## Execute ypbind in the caller domain. 
@@ -61854,27 +61854,27 @@ index 46e55c3ff..afe399a0e 100644 + gen_require(` + type ypbind_t, ypbind_exec_t; + ') - + - corecmd_search_bin($1) - can_exec($1, ypbind_exec_t) + can_exec($1, ypbind_exec_t) ') - + @@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',` # interface(`nis_run_ypbind',` - gen_require(` + gen_require(` - attribute_role ypbind_roles; + type ypbind_t; - ') - - nis_domtrans_ypbind($1) + ') + + nis_domtrans_ypbind($1) - roleattribute $2 ypbind_roles; + role $2 types ypbind_t; ') - + ######################################## @@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',` - + ######################################## ## -## List nis data directories. @@ -61885,19 +61885,19 @@ index 46e55c3ff..afe399a0e 100644 @@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',` # interface(`nis_delete_ypbind_pid',` - gen_require(` + gen_require(` - type ypbind_var_run_t; + type ypbind_t; - ') - + ') + - allow $1 ypbind_var_run_t:file delete_file_perms; + # TODO: add delete pid from dir call to files + allow $1 ypbind_t:file unlink; ') - + ######################################## @@ -355,8 +349,59 @@ interface(`nis_initrc_domtrans_ypbind',` - + ######################################## ## -## All of the rules required to @@ -61961,12 +61961,12 @@ index 46e55c3ff..afe399a0e 100644 @@ -372,32 +417,56 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` - gen_require(` + gen_require(` - type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; - type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; + type ypbind_t, yppasswdd_t, ypserv_t; + type ypserv_conf_t; - type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; + type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; - type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t; + type ypserv_tmp_t; + type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; 
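Review bot: In the nis_delete_ypbind_pid hunk (inner `@@ -272,10 +265,11 @@`), the interface ends up with `allow $1 ypbind_t:file unlink;` while requiring only `type ypbind_t;`, so a caller is granted unlink on files labelled with the daemon's process domain (in practice only its /proc entries, which cannot be unlinked) and gets nothing at all on the real pid file, whose type is `ypbind_var_run_t`; the adjacent `# TODO: add delete pid from dir call to files` comment suggests this was never finished. The markers of this nested diff are collapsed, so I read this as existing content of the contrib patch that the commit re-emits rather than something it introduces, but it is still what the patched file will contain. A body that matches the interface name would require `type ypbind_var_run_t;` and use `files_search_pids($1)` followed by `allow $1 ypbind_var_run_t:file delete_file_perms;`, keeping the grant on the pid-file type instead of the domain type.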
@@ -61981,8 +61981,8 @@ index 46e55c3ff..afe399a0e 100644 + allow $1 yppasswdd_t:process ptrace; + allow $1 ypserv_t:process ptrace; + allow $1 ypxfr_t:process ptrace; - ') - + ') + - allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t }) + allow $1 yppasswdd_t:process signal_perms; @@ -61993,19 +61993,19 @@ index 46e55c3ff..afe399a0e 100644 + + allow $1 ypxfr_t:process signal_perms; + ps_process_pattern($1, ypxfr_t) - - nis_initrc_domtrans($1) - nis_initrc_domtrans_ypbind($1) - domain_system_change_exemption($1) + + nis_initrc_domtrans($1) + nis_initrc_domtrans_ypbind($1) + domain_system_change_exemption($1) - role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r; + role_transition $2 nis_initrc_exec_t system_r; + role_transition $2 ypbind_initrc_exec_t system_r; - allow $2 system_r; - + allow $2 system_r; + - files_list_tmp($1) - admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t }) - - files_list_pids($1) + files_list_pids($1) - admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t }) + admin_pattern($1, ypbind_var_run_t) + nis_systemctl_ypbind($1) @@ -62013,16 +62013,16 @@ index 46e55c3ff..afe399a0e 100644 + allow $1 ypbind_unit_file_t:service all_service_perms; + + admin_pattern($1, yppasswdd_var_run_t) - - files_list_etc($1) - admin_pattern($1, ypserv_conf_t) - + + files_list_etc($1) + admin_pattern($1, ypserv_conf_t) + - files_search_var($1) - admin_pattern($1, var_yp_t) + admin_pattern($1, ypserv_var_run_t) + + admin_pattern($1, ypserv_tmp_t) - + - nis_run_ypbind($1, $2) + nis_systemctl($1) + admin_pattern($1, nis_unit_file_t) @@ -62035,47 +62035,47 @@ index 3a6b0352e..31577d567 100644 @@ -5,8 +5,6 @@ policy_module(nis, 1.12.0) # Declarations # - + -attribute_role ypbind_roles; - type nis_initrc_exec_t; init_script_file(nis_initrc_exec_t) - + 
@@ -16,16 +14,18 @@ files_type(var_yp_t) type ypbind_t; type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) -role ypbind_roles types ypbind_t; - + type ypbind_initrc_exec_t; init_script_file(ypbind_initrc_exec_t) - + +type ypbind_var_run_t; +files_pid_file(ypbind_var_run_t) + type ypbind_tmp_t; files_tmp_file(ypbind_tmp_t) - + -type ypbind_var_run_t; -files_pid_file(ypbind_var_run_t) +type ypbind_unit_file_t; +systemd_unit_file(ypbind_unit_file_t) - + type yppasswdd_t; type yppasswdd_exec_t; @@ -40,7 +40,7 @@ type ypserv_exec_t; init_daemon_domain(ypserv_t, ypserv_exec_t) - + type ypserv_conf_t; -files_type(ypserv_conf_t) +files_config_file(ypserv_conf_t) - + type ypserv_tmp_t; files_tmp_file(ypserv_tmp_t) @@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) type ypxfr_var_run_t; files_pid_file(ypxfr_var_run_t) - + +type nis_unit_file_t; +systemd_unit_file(nis_unit_file_t) + @@ -62093,7 +62093,7 @@ index 3a6b0352e..31577d567 100644 @@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) kernel_read_system_state(ypbind_t) kernel_read_kernel_sysctls(ypbind_t) - + -corenet_all_recvfrom_unlabeled(ypbind_t) corenet_all_recvfrom_netlabel(ypbind_t) corenet_tcp_sendrecv_generic_if(ypbind_t) @@ -62117,36 +62117,36 @@ index 3a6b0352e..31577d567 100644 corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) +corenet_sendrecv_all_client_packets(ypbind_t) +corenet_sendrecv_generic_server_packets(ypbind_t) - + dev_read_sysfs(ypbind_t) - + @@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t) - + domain_use_interactive_fds(ypbind_t) - + -files_read_etc_files(ypbind_t) files_list_var(ypbind_t) - + -logging_send_syslog_msg(ypbind_t) +init_search_pid_dirs(ypbind_t) - + -miscfiles_read_localization(ypbind_t) +logging_send_syslog_msg(ypbind_t) - + sysnet_read_config(ypbind_t) - + 
@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t) optional_policy(` - dbus_system_bus_client(ypbind_t) - dbus_connect_system_bus(ypbind_t) + dbus_system_bus_client(ypbind_t) + dbus_connect_system_bus(ypbind_t) - - init_dbus_chat_script(ypbind_t) - - optional_policy(` + init_dbus_chat_script(ypbind_t) + + optional_policy(` @@ -145,11 +144,12 @@ optional_policy(` # yppasswdd local policy # - + -allow yppasswdd_t self:capability dac_override; +allow yppasswdd_t self:capability { dac_read_search dac_override }; dontaudit yppasswdd_t self:capability sys_tty_config; @@ -62161,15 +62161,15 @@ index 3a6b0352e..31577d567 100644 @@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file) manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t) - + -can_exec(yppasswdd_t, yppasswdd_exec_t) +can_exec(yppasswdd_t,yppasswdd_exec_t) - + kernel_list_proc(yppasswdd_t) kernel_read_proc_symlinks(yppasswdd_t) kernel_getattr_proc_files(yppasswdd_t) kernel_read_kernel_sysctls(yppasswdd_t) - + -corenet_all_recvfrom_unlabeled(yppasswdd_t) corenet_all_recvfrom_netlabel(yppasswdd_t) corenet_tcp_sendrecv_generic_if(yppasswdd_t) @@ -62186,7 +62186,7 @@ index 3a6b0352e..31577d567 100644 corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) +corenet_sendrecv_generic_server_packets(yppasswdd_t) - + -corecmd_exec_bin(yppasswdd_t) -corecmd_exec_shell(yppasswdd_t) - @@ -62198,16 +62198,16 @@ index 3a6b0352e..31577d567 100644 - +dev_read_urand(yppasswdd_t) dev_read_sysfs(yppasswdd_t) - + fs_getattr_all_fs(yppasswdd_t) @@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t) selinux_get_fs_mount(yppasswdd_t) - + auth_manage_shadow(yppasswdd_t) +auth_manage_passwd(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) auth_etc_filetrans_shadow(yppasswdd_t) - + +corecmd_exec_bin(yppasswdd_t) +corecmd_exec_shell(yppasswdd_t) + 
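Review bot: In the `@@ -62161,15 +62161,15 @@` hunk the line that survives on the new side reads `can_exec(yppasswdd_t,yppasswdd_exec_t)`, dropping the space after the comma that every other macro call on this page uses, while the old side had `can_exec(yppasswdd_t, yppasswdd_exec_t)`. It is behaviourally identical, but it is the only call written this way here and will keep showing up as noise each time the patch is regenerated. Restoring `can_exec(yppasswdd_t, yppasswdd_exec_t)` keeps the file consistent; with the nested markers collapsed I cannot tell whether the commit itself or the earlier contrib patch introduced the variant.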
@@ -62217,15 +62217,15 @@ index 3a6b0352e..31577d567 100644 +files_relabel_etc_files(yppasswdd_t) + logging_send_syslog_msg(yppasswdd_t) - + -miscfiles_read_localization(yppasswdd_t) - + sysnet_read_config(yppasswdd_t) - + @@ -218,6 +215,14 @@ optional_policy(` - hostname_exec(yppasswdd_t) + hostname_exec(yppasswdd_t) ') - + +optional_policy(` + mta_send_mail(yppasswdd_t) +') @@ -62235,7 +62235,7 @@ index 3a6b0352e..31577d567 100644 +') + optional_policy(` - seutil_sigchld_newrole(yppasswdd_t) + seutil_sigchld_newrole(yppasswdd_t) ') @@ -234,12 +239,14 @@ optional_policy(` dontaudit ypserv_t self:capability sys_tty_config; @@ -62247,16 +62247,16 @@ index 3a6b0352e..31577d567 100644 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; allow ypserv_t self:tcp_socket connected_stream_socket_perms; allow ypserv_t self:udp_socket create_socket_perms; - + manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) +allow ypserv_t var_yp_t:file map; - + allow ypserv_t ypserv_conf_t:file read_file_perms; - + @@ -254,7 +261,6 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) - + -corenet_all_recvfrom_unlabeled(ypserv_t) corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) @@ -62276,34 +62276,34 @@ index 3a6b0352e..31577d567 100644 corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) +corenet_sendrecv_generic_server_packets(ypserv_t) +corenet_tcp_connect_portmap_port(ypserv_t) - + -corecmd_exec_bin(ypserv_t) +dev_read_sysfs(ypserv_t) - + -files_read_etc_files(ypserv_t) -files_read_var_files(ypserv_t) +fs_getattr_all_fs(ypserv_t) +fs_search_auto_mountpoints(ypserv_t) - + -dev_read_sysfs(ypserv_t) +corecmd_exec_bin(ypserv_t) - + domain_use_interactive_fds(ypserv_t) - + -fs_getattr_all_fs(ypserv_t) -fs_search_auto_mountpoints(ypserv_t) +files_read_var_files(ypserv_t) - + logging_send_syslog_msg(ypserv_t) - + -miscfiles_read_localization(ypserv_t) - + nis_domtrans_ypxfr(ypserv_t) - + 
@@ -305,13 +308,17 @@ optional_policy(` - udev_read_db(ypserv_t) + udev_read_db(ypserv_t) ') - + +optional_policy(` + rpcbind_stream_connect(ypserv_t) +') @@ -62312,7 +62312,7 @@ index 3a6b0352e..31577d567 100644 # # ypxfr local policy # - + -allow ypxfr_t self:unix_stream_socket { accept listen }; -allow ypxfr_t self:unix_dgram_socket { accept listen }; +allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; @@ -62323,7 +62323,7 @@ index 3a6b0352e..31577d567 100644 @@ -326,7 +333,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) - + -corenet_all_recvfrom_unlabeled(ypxfr_t) corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) @@ -62342,17 +62342,17 @@ index 3a6b0352e..31577d567 100644 corenet_tcp_connect_all_ports(ypxfr_t) corenet_sendrecv_generic_server_packets(ypxfr_t) corenet_sendrecv_all_client_packets(ypxfr_t) - + -corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) -corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) - -files_read_etc_files(ypxfr_t) files_search_usr(ypxfr_t) - + logging_send_syslog_msg(ypxfr_t) - + -miscfiles_read_localization(ypxfr_t) - + sysnet_read_config(ypxfr_t) diff --git a/nova.fc b/nova.fc new file mode 100644 @@ -62653,18 +62653,18 @@ index ba6448507..429bd799c 100644 +++ b/nscd.fc 
@@ -1,13 +1,15 @@ /etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0) - + -/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) +/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0) - + -/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - -/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) +/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) +/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) - + /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) - + -/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0) /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) @@ -62679,7 +62679,7 @@ index 8f2ab09f5..e05a0c73e 100644 @@ -1,8 +1,8 @@ -## Name service cache daemon. +## Name service cache daemon - + ######################################## ## -## Send generic signals to nscd. @@ -62688,7 +62688,7 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -20,7 +20,7 @@ interface(`nscd_signal',` - + ######################################## ## -## Send kill signals to nscd. @@ -62697,7 +62697,7 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -38,7 +38,7 @@ interface(`nscd_kill',` - + ######################################## ## -## Send null signals to nscd. @@ -62706,7 +62706,7 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -56,7 +56,7 @@ interface(`nscd_signull',` - + ######################################## ## -## Execute nscd in the nscd domain. @@ -62715,12 +62715,12 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -71,11 +71,13 @@ interface(`nscd_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, nscd_exec_t, nscd_t) + + corecmd_search_bin($1) + domtrans_pattern($1, nscd_exec_t, nscd_t) + allow $1 nscd_exec_t:file map; ') - + ######################################## ## -## Execute nscd in the caller domain. 
@@ -62730,14 +62730,14 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -88,14 +90,14 @@ interface(`nscd_exec',` - type nscd_exec_t; - ') - + type nscd_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, nscd_exec_t) + can_exec($1, nscd_exec_t) + allow $1 nscd_exec_t:file map; ') - + ######################################## ## -## Use nscd services by connecting using @@ -62748,22 +62748,22 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -112,22 +114,19 @@ interface(`nscd_socket_use',` - allow $1 self:unix_stream_socket create_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost }; + allow $1 self:unix_stream_socket create_socket_perms; + + allow $1 nscd_t:nscd { getpwd getgrp gethost }; - - dontaudit $1 nscd_t:fd use; - dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; + dontaudit $1 nscd_t:fd use; + dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; - - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + files_search_pids($1) + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + allow $1 nscd_t:unix_stream_socket { connectto create_socket_perms }; - dontaudit $1 nscd_var_run_t:file read_file_perms; + dontaudit $1 nscd_var_run_t:file read_file_perms; - + allow $1 nscd_var_run_t:file map; - ps_process_pattern(nscd_t, $1) + ps_process_pattern(nscd_t, $1) ') - + ######################################## ## -## Use nscd services by mapping the @@ -62797,11 +62797,11 @@ index 8f2ab09f5..e05a0c73e 100644 +## +# +interface(`nscd_dontaudit_write_sock_file',` - gen_require(` - type nscd_t, nscd_var_run_t; + gen_require(` + type nscd_t, nscd_var_run_t; - class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - ') - + ') + - allow $1 self:unix_stream_socket create_stream_socket_perms; - - allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; 
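Review bot: In the nscd_socket_use hunk (inner `@@ -112,22 +114,19 @@`), the body grants `allow $1 nscd_var_run_t:file map;` while the preceding rule is still `dontaudit $1 nscd_var_run_t:file read_file_perms;`, so the caller may mmap the cache file but is only silenced, not allowed, when it opens it for reading; mapping a file needs read as well as map, so the map rule is either inert or depends on read being granted by some other rule the caller happens to have. If this interface is meant to be socket-only (the separate shared-memory interface in the following hunk carries the shm permissions), the map line should be dropped; if mapping is intended here, the dontaudit should become `read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)`. The interface header and its gen_require block lie outside this hunk. Because the nested markers are collapsed I cannot tell whether the map line is new in this commit or carried over from the earlier contrib patch.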
@@ -62813,11 +62813,11 @@ index 8f2ab09f5..e05a0c73e 100644 + dontaudit $1 nscd_t:sock_file write; + dontaudit $1 nscd_var_run_t:sock_file write; + dontaudit $1 nscd_t:unix_stream_socket connectto; - + - allow $1 nscd_var_run_t:dir list_dir_perms; - allow $1 nscd_var_run_t:sock_file read_sock_file_perms; ') - + ######################################## ## -## Use nscd services. @@ -62839,7 +62839,7 @@ index 8f2ab09f5..e05a0c73e 100644 + gen_require(` + type nscd_t, nscd_var_run_t; + class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv shmemnetgrp getnetgrp }; - ') + ') + + allow $1 nscd_var_run_t:dir list_dir_perms; + allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv shmemnetgrp}; @@ -62859,7 +62859,7 @@ index 8f2ab09f5..e05a0c73e 100644 + allow $1 nscd_t:nscd { getpwd getgrp gethost getserv getnetgrp }; + dontaudit $1 nscd_var_run_t:file read_file_perms; ') - + ######################################## ## -## Do not audit attempts to search @@ -62869,7 +62869,7 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -193,7 +219,25 @@ interface(`nscd_dontaudit_search_pid',` - + ######################################## ## -## Read nscd pid files. @@ -62896,7 +62896,7 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -212,7 +256,7 @@ interface(`nscd_read_pid',` - + ######################################## ## -## Unconfined access to nscd services. @@ -62911,16 +62911,16 @@ index 8f2ab09f5..e05a0c73e 100644 +## # interface(`nscd_run',` - gen_require(` + gen_require(` - attribute_role nscd_roles; + type nscd_t; - ') - - nscd_domtrans($1) + ') + + nscd_domtrans($1) - roleattribute $2 nscd_roles; + role $2 types nscd_t; ') - + ######################################## ## -## Execute the nscd server init @@ -62930,7 +62930,7 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -275,8 +319,32 @@ interface(`nscd_initrc_domtrans',` - + ######################################## ## -## All of the rules required to 
@@ -62959,7 +62959,7 @@ index 8f2ab09f5..e05a0c73e 100644 + +######################################## +## -+## All of the rules required to administrate ++## All of the rules required to administrate +## an nscd environment ## ## @@ -62974,25 +62974,25 @@ index 8f2ab09f5..e05a0c73e 100644 ## ## @@ -294,10 +362,14 @@ interface(`nscd_admin',` - gen_require(` - type nscd_t, nscd_log_t, nscd_var_run_t; - type nscd_initrc_exec_t; + gen_require(` + type nscd_t, nscd_log_t, nscd_var_run_t; + type nscd_initrc_exec_t; + type nscd_unit_file_t; - ') - + ') + - allow $1 nscd_t:process { ptrace signal_perms }; + allow $1 nscd_t:process signal_perms; - ps_process_pattern($1, nscd_t) + ps_process_pattern($1, nscd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 nscd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, nscd_initrc_exec_t) + domain_system_change_exemption($1) @@ -310,5 +382,7 @@ interface(`nscd_admin',` - files_list_pids($1) - admin_pattern($1, nscd_var_run_t) - + files_list_pids($1) + admin_pattern($1, nscd_var_run_t) + - nscd_run($1, $2) + nscd_systemctl($1) + admin_pattern($1, nscd_unit_file_t) @@ -63003,9 +63003,9 @@ index bcd7d0a7d..1cd3a8b62 100644 --- a/nscd.te +++ b/nscd.te @@ -4,33 +4,34 @@ gen_require(` - class nscd all_nscd_perms; + class nscd all_nscd_perms; ') - + -######################################## -# -# Declarations @@ -63019,37 +63019,37 @@ index bcd7d0a7d..1cd3a8b62 100644 ##

    ## gen_tunable(nscd_use_shm, false) - + -attribute_role nscd_roles; +######################################## +# +# Declarations +# - + +# cjp: this is out of order because of an +# ordering problem with loadable modules type nscd_var_run_t; files_pid_file(nscd_var_run_t) -init_daemon_run_dir(nscd_var_run_t, "nscd") - + +# nscd is both the client program and the daemon. type nscd_t; type nscd_exec_t; init_daemon_domain(nscd_t, nscd_exec_t) -role nscd_roles types nscd_t; - + type nscd_initrc_exec_t; init_script_file(nscd_initrc_exec_t) - + +type nscd_unit_file_t; +systemd_unit_file(nscd_unit_file_t) + type nscd_log_t; logging_log_file(nscd_log_t) - + @@ -40,56 +41,61 @@ logging_log_file(nscd_log_t) # - + allow nscd_t self:capability { kill setgid setuid }; +allow nscd_t self:capability2 block_suspend; dontaudit nscd_t self:capability sys_tty_config; @@ -63061,25 +63061,25 @@ index bcd7d0a7d..1cd3a8b62 100644 allow nscd_t self:netlink_selinux_socket create_socket_perms; +allow nscd_t self:tcp_socket create_socket_perms; +allow nscd_t self:udp_socket create_socket_perms; - + +# For client program operation, invoked from sysadm_t. +# Transition occurs to nscd_t due to direct_sysadm_daemon. allow nscd_t self:nscd { admin getstat }; - + -allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow nscd_t nscd_log_t:file manage_file_perms; logging_log_filetrans(nscd_t, nscd_log_t, file) - + +manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t) -files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file }) +allow nscd_t nscd_var_run_t:file map; +files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir }) - + +corecmd_search_bin(nscd_t) can_exec(nscd_t, nscd_exec_t) - + -kernel_list_proc(nscd_t) -kernel_read_kernel_sysctls(nscd_t) kernel_read_network_state(nscd_t) 
@@ -63090,11 +63090,11 @@ index bcd7d0a7d..1cd3a8b62 100644 - -corecmd_search_bin(nscd_t) +kernel_read_net_sysctls(nscd_t) - + dev_read_sysfs(nscd_t) dev_read_rand(nscd_t) dev_read_urand(nscd_t) - + -domain_search_all_domains_state(nscd_t) -domain_use_interactive_fds(nscd_t) - @@ -63104,11 +63104,11 @@ index bcd7d0a7d..1cd3a8b62 100644 fs_getattr_all_fs(nscd_t) fs_search_auto_mountpoints(nscd_t) fs_list_inotifyfs(nscd_t) - + +# for when /etc/passwd has just been updated and has the wrong type auth_getattr_shadow(nscd_t) auth_use_nsswitch(nscd_t) - + -corenet_all_recvfrom_unlabeled(nscd_t) corenet_all_recvfrom_netlabel(nscd_t) corenet_tcp_sendrecv_generic_if(nscd_t) @@ -63125,7 +63125,7 @@ index bcd7d0a7d..1cd3a8b62 100644 +corenet_tcp_connect_all_ports(nscd_t) +corenet_sendrecv_all_client_packets(nscd_t) corenet_rw_tun_tap_dev(nscd_t) - + selinux_get_fs_mount(nscd_t) @@ -98,16 +104,24 @@ selinux_compute_access_vector(nscd_t) selinux_compute_create_context(nscd_t) @@ -63139,16 +63139,16 @@ index bcd7d0a7d..1cd3a8b62 100644 +files_read_etc_runtime_files(nscd_t) + +files_map_system_db_files(nscd_t) - + logging_send_audit_msgs(nscd_t) logging_send_syslog_msg(nscd_t) - + -miscfiles_read_localization(nscd_t) - seutil_read_config(nscd_t) seutil_read_default_contexts(nscd_t) seutil_sigchld_newrole(nscd_t) - + +sysnet_read_config(nscd_t) + userdom_dontaudit_use_user_terminals(nscd_t) @@ -63156,7 +63156,7 @@ index bcd7d0a7d..1cd3a8b62 100644 userdom_dontaudit_search_user_home_dirs(nscd_t) @@ -121,13 +135,11 @@ optional_policy(` ') - + optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(nscd_t) @@ -63164,17 +63164,17 @@ index bcd7d0a7d..1cd3a8b62 100644 - ') + kerberos_use(nscd_t) +') - + - samba_read_config(nscd_t) - samba_read_var_files(nscd_t) +optional_policy(` + nis_authenticate(nscd_t) ') - + optional_policy(` 
@@ -138,3 +150,20 @@ optional_policy(` - xen_dontaudit_rw_unix_stream_sockets(nscd_t) - xen_append_log(nscd_t) + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) ') + +optional_policy(` @@ -63199,7 +63199,7 @@ index 4f2b1b663..0e24b49a9 100644 +++ b/nsd.fc @@ -1,16 +1,19 @@ -/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0) - + -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) -/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0) -/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) @@ -63207,7 +63207,7 @@ index 4f2b1b663..0e24b49a9 100644 +/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0) +/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) - + -/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) -/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0) +/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0) @@ -63222,7 +63222,7 @@ index 4f2b1b663..0e24b49a9 100644 +/usr/sbin/nsd-checkzone -- gen_context(system_u:object_r:nsd_exec_t,s0) +/usr/sbin/nsd-control -- gen_context(system_u:object_r:nsd_exec_t,s0) +/usr/sbin/nsd-control-setup -- gen_context(system_u:object_r:nsd_exec_t,s0) - + +/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) + @@ -63234,7 +63234,7 @@ index a9c60ff87..ad4f14ad6 100644 @@ -1,8 +1,8 @@ -## Authoritative only name server. +## Authoritative only name server - + ######################################## ## -## Send and receive datagrams from NSD. (Deprecated) @@ -63256,7 +63256,7 @@ index a9c60ff87..ad4f14ad6 100644 + files_search_pids($1) + read_files_pattern($1, nsd_var_run_t, nsd_var_run_t) ') - + ######################################## ## -## Connect to NSD over a TCP socket (Deprecated) 
@@ -63270,9 +63270,9 @@ index a9c60ff87..ad4f14ad6 100644 # -interface(`nsd_tcp_connect',` +interface(`nsd_udp_chat',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicywarn(`$0($*) has been deprecated.') ') - + ######################################## ## -## All of the rules required to @@ -63323,31 +63323,31 @@ index 47bb1d204..94070d223 100644 @@ -9,9 +9,7 @@ type nsd_t; type nsd_exec_t; init_daemon_domain(nsd_t, nsd_exec_t) - + -type nsd_initrc_exec_t; -init_script_file(nsd_initrc_exec_t) - +# A type for configuration files of nsd type nsd_conf_t; files_type(nsd_conf_t) - + @@ -20,40 +18,51 @@ domain_type(nsd_crond_t) domain_entry_file(nsd_crond_t, nsd_exec_t) role system_r types nsd_crond_t; - + -type nsd_db_t; -files_type(nsd_db_t) +type nsd_log_t; +logging_log_file(nsd_log_t) - + type nsd_var_run_t; files_pid_file(nsd_var_run_t) - + -type nsd_zone_t; +# A type for zone files +type nsd_zone_t alias nsd_db_t; files_type(nsd_zone_t) - + +type nsd_tmp_t; +files_tmp_file(nsd_tmp_t) + @@ -63356,7 +63356,7 @@ index 47bb1d204..94070d223 100644 -# Local policy +# NSD Local policy # - + -allow nsd_t self:capability { chown dac_override kill setgid setuid }; +allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin }; dontaudit nsd_t self:capability sys_tty_config; @@ -63365,7 +63365,7 @@ index 47bb1d204..94070d223 100644 +allow nsd_t self:udp_socket create_socket_perms; allow nsd_t self:fifo_file rw_fifo_file_perms; -allow nsd_t self:tcp_socket { accept listen }; - + -allow nsd_t nsd_conf_t:dir list_dir_perms; -allow nsd_t nsd_conf_t:file read_file_perms; -allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms; 
@@ -63375,10 +63375,10 @@ index 47bb1d204..94070d223 100644 +manage_dirs_pattern(nsd_t, nsd_conf_t, nsd_conf_t) +manage_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) +read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t) - + manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) files_pid_filetrans(nsd_t, nsd_var_run_t, file) - + +manage_files_pattern(nsd_t, nsd_log_t, nsd_log_t) +logging_log_filetrans(nsd_t, nsd_log_t, file) + @@ -63392,13 +63392,13 @@ index 47bb1d204..94070d223 100644 +manage_files_pattern(nsd_t, nsd_tmp_t, nsd_tmp_t) +files_tmp_filetrans(nsd_t, nsd_tmp_t, { file dir }) +allow nsd_t nsd_tmp_t:file { map } ; - + can_exec(nsd_t, nsd_exec_t) - + @@ -62,7 +71,6 @@ kernel_read_kernel_sysctls(nsd_t) - + corecmd_exec_bin(nsd_t) - + -corenet_all_recvfrom_unlabeled(nsd_t) corenet_all_recvfrom_netlabel(nsd_t) corenet_tcp_sendrecv_generic_if(nsd_t) @@ -63415,34 +63415,34 @@ index 47bb1d204..94070d223 100644 +corenet_tcp_bind_nsd_control_port(nsd_t) +corenet_sendrecv_nsd_control_server_packets(nsd_t) +corenet_tcp_connect_nsd_control_port(nsd_t) - + dev_read_sysfs(nsd_t) +dev_read_urand(nsd_t) - + domain_use_interactive_fds(nsd_t) - + files_read_etc_runtime_files(nsd_t) +files_search_var_lib(nsd_t) - + fs_getattr_all_fs(nsd_t) fs_search_auto_mountpoints(nsd_t) @@ -90,8 +102,6 @@ auth_use_nsswitch(nsd_t) - + logging_send_syslog_msg(nsd_t) - + -miscfiles_read_localization(nsd_t) - userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) - + @@ -105,23 +115,24 @@ optional_policy(` - + ######################################## # -# Cron local policy +# Zone update cron job local policy # - + -allow nsd_crond_t self:capability { dac_override kill }; +# kill capability for root cron job and non-root daemon +allow nsd_crond_t self:capability { dac_read_search dac_override kill }; 
@@ -63451,14 +63451,14 @@ index 47bb1d204..94070d223 100644 allow nsd_crond_t self:fifo_file rw_fifo_file_perms; +allow nsd_crond_t self:tcp_socket create_socket_perms; +allow nsd_crond_t self:udp_socket create_socket_perms; - + -allow nsd_crond_t nsd_t:process signal; -ps_process_pattern(nsd_crond_t, nsd_t) - -allow nsd_crond_t nsd_conf_t:dir list_dir_perms; allow nsd_crond_t nsd_conf_t:file read_file_perms; -allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms; - + -allow nsd_crond_t nsd_db_t:file manage_file_perms; -filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file) +files_search_var_lib(nsd_crond_t) @@ -63466,13 +63466,13 @@ index 47bb1d204..94070d223 100644 +allow nsd_crond_t nsd_t:process signal; + +ps_process_pattern(nsd_crond_t, nsd_t) - + manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) @@ -133,29 +144,33 @@ kernel_read_system_state(nsd_crond_t) corecmd_exec_bin(nsd_crond_t) corecmd_exec_shell(nsd_crond_t) - + -corenet_all_recvfrom_unlabeled(nsd_crond_t) corenet_all_recvfrom_netlabel(nsd_crond_t) corenet_tcp_sendrecv_generic_if(nsd_crond_t) @@ -63486,28 +63486,28 @@ index 47bb1d204..94070d223 100644 +corenet_udp_sendrecv_all_ports(nsd_crond_t) +corenet_tcp_connect_all_ports(nsd_crond_t) +corenet_sendrecv_all_client_packets(nsd_crond_t) - + dev_read_urand(nsd_crond_t) - + domain_dontaudit_read_all_domains_state(nsd_crond_t) - + files_read_etc_runtime_files(nsd_crond_t) +files_search_var_lib(nsd_t) - + auth_use_nsswitch(nsd_crond_t) - + logging_send_syslog_msg(nsd_crond_t) - + -miscfiles_read_localization(nsd_crond_t) - userdom_dontaudit_search_user_home_dirs(nsd_crond_t) - + +optional_policy(` + nsd_read_pid(nsd_crond_t) +') + optional_policy(` - cron_system_entry(nsd_crond_t, nsd_exec_t) + cron_system_entry(nsd_crond_t, nsd_exec_t) ') diff --git a/nslcd.fc b/nslcd.fc index 402100e40..ce913b244 100644 @@ -63532,19 +63532,19 @@ index 97df768d9..852d1c6c7 100644 
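Review bot: `files_search_var_lib(nsd_t)` sits inside the nsd_crond_t local-policy section of nsd.te (between `files_read_etc_runtime_files(nsd_crond_t)` and `auth_use_nsswitch(nsd_crond_t)`) but names nsd_t, which already receives the identical rule in its own section earlier in the file. The cron domain's own `files_search_var_lib(nsd_crond_t)` is added in the preceding hunk, so this line looks like a stray duplicate rather than a missing grant and can be dropped; if it was meant for the cron domain it should read `files_search_var_lib(nsd_crond_t)`. A rule whose subject does not match the surrounding section is easy to misread when auditing what each domain is allowed.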
@@ -1,4 +1,4 @@ -## Local LDAP name service daemon. +## nslcd - local LDAP name service daemon. - + ######################################## ## @@ -15,7 +15,6 @@ interface(`nslcd_domtrans',` - type nslcd_t, nslcd_exec_t; - ') - + type nslcd_t, nslcd_exec_t; + ') + - corecmd_searh_bin($1) - domtrans_pattern($1, nslcd_exec_t, nslcd_t) + domtrans_pattern($1, nslcd_exec_t, nslcd_t) ') - + @@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',` - + ######################################## ## -## Read nslcd pid files. @@ -63553,7 +63553,7 @@ index 97df768d9..852d1c6c7 100644 ## ## @@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',` - + ######################################## ## -## Connect to nslcd over an unix @@ -63581,11 +63581,11 @@ index 97df768d9..852d1c6c7 100644 ## ## @@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',` - type nslcd_t, nslcd_var_run_t; - ') - + type nslcd_t, nslcd_var_run_t; + ') + - files_search_pids($1) - stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) + stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t) + files_search_pids($1) +') + @@ -63607,7 +63607,7 @@ index 97df768d9..852d1c6c7 100644 + dontaudit $1 nslcd_t:sock_file write; + dontaudit $1 nslcd_var_run_t:sock_file write; ') - + ######################################## ## -## All of the rules required to @@ -63618,26 +63618,26 @@ index 97df768d9..852d1c6c7 100644 ## ## 
@@ -99,17 +134,21 @@ interface(`nslcd_admin',` - type nslcd_conf_t; - ') - + type nslcd_conf_t; + ') + - allow $1 nslcd_t:process { ptrace signal_perms }; - ps_process_pattern($1, nslcd_t) + ps_process_pattern($1, nslcd_t) + allow $1 nslcd_t:process signal_perms; + tunable_policy(`deny_ptrace',`',` + allow $1 nslcd_t:process ptrace; + ') - + + # Allow nslcd_t to restart the apache service - nslcd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 nslcd_initrc_exec_t system_r; - allow $2 system_r; - + nslcd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 nslcd_initrc_exec_t system_r; + allow $2 system_r; + - files_search_etc($1) + files_list_etc($1) - admin_pattern($1, nslcd_conf_t) - + admin_pattern($1, nslcd_conf_t) + - files_search_pids($1) - admin_pattern($1, nslcd_var_run_t) + files_list_pids($1) @@ -63648,26 +63648,26 @@ index 421bf1a56..1be3b6b30 100644 --- a/nslcd.te +++ b/nslcd.te @@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t) - + ######################################## # -# Local policy +# nslcd local policy # - + -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket { accept listen }; +allow nslcd_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice }; +allow nslcd_t self:process { setsched signal signull }; +allow nslcd_t self:unix_stream_socket create_stream_socket_perms; - + allow nslcd_t nslcd_conf_t:file read_file_perms; - + @@ -36,16 +36,17 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) - + kernel_read_system_state(nslcd_t) - + +dev_read_sysfs(nslcd_t) + corenet_all_recvfrom_unlabeled(nslcd_t) 
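Review bot: The comment `# Allow nslcd_t to restart the apache service` in nslcd_admin does not describe the rules beneath it: `nslcd_initrc_domtrans($1)`, `domain_system_change_exemption($1)` and the `role_transition $2 nslcd_initrc_exec_t system_r` let the caller's domain `$1` and role `$2` run the nslcd init script as system_r, and nothing in this interface touches apache. Suggest `# Allow the admin domain to run the nslcd init script (role transition to system_r)` so a reader auditing the interface is not misled about what is granted and to whom. nslcd_admin's body continues past the end of the hunk.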
@@ -63679,28 +63679,28 @@ index 421bf1a56..1be3b6b30 100644 corenet_tcp_connect_ldap_port(nslcd_t) -corenet_tcp_sendrecv_ldap_port(nslcd_t) +corenet_sendrecv_ldap_client_packets(nslcd_t) - + dev_read_sysfs(nslcd_t) +dev_read_urand(nslcd_t) + +corecmd_exec_bin(nslcd_t) - + files_read_usr_symlinks(nslcd_t) files_list_tmp(nslcd_t) @@ -54,10 +55,13 @@ auth_use_nsswitch(nslcd_t) - + logging_send_syslog_msg(nslcd_t) - + -miscfiles_read_localization(nslcd_t) - userdom_read_user_tmp_files(nslcd_t) - + +optional_policy(` + dirsrv_stream_connect(nslcd_t) +') + optional_policy(` - ldap_stream_connect(nslcd_t) + ldap_stream_connect(nslcd_t) ') + diff --git a/nsplugin.fc b/nsplugin.fc @@ -64039,7 +64039,7 @@ index 000000000..bceb5271e + type nsplugin_home_t; + ') + -+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; ++ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; +') + +######################################## @@ -64080,13 +64080,13 @@ index 000000000..bceb5271e + +######################################## +## -+## Execute nsplugin_exec_t ++## Execute nsplugin_exec_t +## in the specified domain. +## +## +##

    +## Execute a nsplugin_exec_t -+## in the specified domain. ++## in the specified domain. +##

    +##

    +## No interprocess communication (signals, pipes, @@ -64275,7 +64275,7 @@ index 000000000..7d839fe6e + allow nsplugin_t self:process { execstack execmem }; + allow nsplugin_config_t self:process { execstack execmem }; +') -+ ++ +tunable_policy(`nsplugin_can_network',` + corenet_tcp_connect_all_unreserved_ports(nsplugin_t) + corenet_tcp_connect_all_ephemeral_ports(nsplugin_t) @@ -64531,7 +64531,7 @@ index 8ec78595b..c696f6765 100644 @@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t) # Local Policy # - + -allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin }; +allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search dac_override }; dontaudit ntop_t self:capability sys_tty_config; @@ -64544,52 +64544,52 @@ index 8ec78595b..c696f6765 100644 @@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t) kernel_read_network_state(ntop_t) kernel_read_kernel_sysctls(ntop_t) - + -corenet_all_recvfrom_unlabeled(ntop_t) corenet_all_recvfrom_netlabel(ntop_t) corenet_tcp_sendrecv_generic_if(ntop_t) corenet_raw_sendrecv_generic_if(ntop_t) @@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t) - + dev_read_sysfs(ntop_t) dev_rw_generic_usb_dev(ntop_t) +dev_read_usbmon_dev(ntop_t) +dev_write_usbmon_dev(ntop_t) - + domain_use_interactive_fds(ntop_t) - + -files_read_usr_files(ntop_t) - + fs_getattr_all_fs(ntop_t) fs_search_auto_mountpoints(ntop_t) @@ -100,6 +101,10 @@ optional_policy(` - apache_read_sys_content(ntop_t) + apache_read_sys_content(ntop_t) ') - + +optional_policy(` + snmp_read_snmp_var_lib_files(ntop_t) +') + optional_policy(` - seutil_sigchld_newrole(ntop_t) + seutil_sigchld_newrole(ntop_t) ') diff --git a/ntp.fc b/ntp.fc index af3c91e70..3e5f9cfa6 100644 --- a/ntp.fc +++ b/ntp.fc 
@@ -11,9 +11,13 @@ - + /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) +/usr/libexec/ntpdate-wrapper -- gen_context(system_u:object_r:ntpdate_exec_t,s0) /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - + +/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) + /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - + /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/ntp.if b/ntp.if index e96a309a5..42453089c 100644 @@ -64598,13 +64598,13 @@ index e96a309a5..42453089c 100644 @@ -1,4 +1,4 @@ -##

    Network time protocol daemon. +## Network time protocol daemon - + ######################################## ## @@ -35,6 +35,25 @@ interface(`ntp_domtrans',` - domtrans_pattern($1, ntpd_exec_t, ntpd_t) + domtrans_pattern($1, ntpd_exec_t, ntpd_t) ') - + +######################################## +## +## Execute ntp server in the caller domain. @@ -64630,21 +64630,21 @@ index e96a309a5..42453089c 100644 @@ -54,11 +73,11 @@ interface(`ntp_domtrans',` # interface(`ntp_run',` - gen_require(` + gen_require(` - attribute_role ntpd_roles; + type ntpd_t; - ') - - ntp_domtrans($1) + ') + + ntp_domtrans($1) - roleattribute $2 ntpd_roles; + role $2 types ntpd_t; ') - + ######################################## @@ -98,6 +117,67 @@ interface(`ntp_initrc_domtrans',` - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) ') - + +##################################### +## +## Allow domain to read ntpd systemd unit files. @@ -64710,7 +64710,7 @@ index e96a309a5..42453089c 100644 ## ## Read ntp drift files. @@ -141,8 +221,27 @@ interface(`ntp_rw_shm',` - + ######################################## ## -## All of the rules required to 
@@ -64750,38 +64750,38 @@ index e96a309a5..42453089c 100644 ## # interface(`ntp_admin',` - gen_require(` + gen_require(` - type ntpd_t, ntpd_tmp_t, ntpd_log_t; - type ntpd_key_t, ntpd_var_run_t, ntp_conf_t; - type ntpd_initrc_exec_t, ntp_drift_t; + type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t; + type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; + type ntpd_unit_file_t; - ') - + ') + - allow $1 ntpd_t:process { ptrace signal_perms }; + allow $1 ntpd_t:process signal_perms; - ps_process_pattern($1, ntpd_t) - + ps_process_pattern($1, ntpd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 ntpd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ntpd_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) + init_labeled_script_domtrans($1, ntpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 ntpd_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) - admin_pattern($1, { ntpd_key_t ntp_conf_t }) + admin_pattern($1, ntpd_key_t) - - logging_list_logs($1) - admin_pattern($1, ntpd_log_t) + + logging_list_logs($1) + admin_pattern($1, ntpd_log_t) @@ -186,5 +289,53 @@ interface(`ntp_admin',` - files_list_pids($1) - admin_pattern($1, ntpd_var_run_t) - + files_list_pids($1) + admin_pattern($1, ntpd_var_run_t) + - ntp_run($1, $2) + ntp_systemctl($1) + admin_pattern($1, ntpd_unit_file_t) @@ -64826,7 +64826,7 @@ index e96a309a5..42453089c 100644 + gen_require(` + type ntpd_log_t; + ') -+ ++ + logging_search_logs($1) + manage_dirs_pattern($1, ntpd_log_t, ntpd_log_t) + manage_files_pattern($1, ntpd_log_t, ntpd_log_t) @@ -64840,53 +64840,53 @@ index f81b113c7..bc1e8ce99 100644 @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; type ntpd_initrc_exec_t; init_script_file(ntpd_initrc_exec_t) - + +type ntpd_unit_file_t; +systemd_unit_file(ntpd_unit_file_t) + type ntp_conf_t; files_config_file(ntp_conf_t) - + 
@@ -44,7 +47,7 @@ init_system_domain(ntpd_t, ntpdate_exec_t) # Local policy # - + -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; +allow ntpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; allow ntpd_t self:fifo_file rw_fifo_file_perms; @@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen }; - + manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) +files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp") +files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod") - + allow ntpd_t ntp_conf_t:file read_file_perms; - + @@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) - + allow ntpd_t ntpd_log_t:dir setattr_dir_perms; -append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) -create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) -setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) +manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) - + manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) @@ -77,27 +80,23 @@ manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) - + can_exec(ntpd_t, ntpd_exec_t) +can_exec(ntpd_t, ntpdate_exec_t) - + kernel_read_kernel_sysctls(ntpd_t) kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) - + -corenet_all_recvfrom_unlabeled(ntpd_t) corenet_all_recvfrom_netlabel(ntpd_t) corenet_tcp_sendrecv_generic_if(ntpd_t) 
@@ -64904,61 +64904,61 @@ index f81b113c7..bc1e8ce99 100644 -corenet_tcp_sendrecv_ntp_port(ntpd_t) +corenet_sendrecv_ntp_server_packets(ntpd_t) +corenet_sendrecv_ntp_client_packets(ntpd_t) - + corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) @@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) - + files_read_etc_runtime_files(ntpd_t) -files_read_usr_files(ntpd_t) files_list_var_lib(ntpd_t) - + fs_getattr_all_fs(ntpd_t) fs_search_auto_mountpoints(ntpd_t) +# Necessary to communicate with gpsd devices +fs_rw_tmpfs_files(ntpd_t) - + term_use_ptmx(ntpd_t) +term_use_unallocated_ttys(ntpd_t) - + auth_use_nsswitch(ntpd_t) - + @@ -124,11 +125,13 @@ init_exec_script_files(ntpd_t) - + logging_send_syslog_msg(ntpd_t) - + -miscfiles_read_localization(ntpd_t) - userdom_dontaudit_use_unpriv_user_fds(ntpd_t) userdom_list_user_home_dirs(ntpd_t) - + +optional_policy(` + clock_domtrans(ntpd_t) +') + optional_policy(` - cron_system_entry(ntpd_t, ntpdate_exec_t) + cron_system_entry(ntpd_t, ntpdate_exec_t) ') @@ -151,10 +154,19 @@ optional_policy(` - logrotate_exec(ntpd_t) + logrotate_exec(ntpd_t) ') - + +optional_policy(` + ptp4l_rw_shm(ntpd_t) +') + optional_policy(` - seutil_sigchld_newrole(ntpd_t) + seutil_sigchld_newrole(ntpd_t) ') - + +optional_policy(` + timemaster_read_pid_files(ntpd_t) + timemaster_rw_shm(ntpd_t) +') + optional_policy(` - udev_read_db(ntpd_t) + udev_read_db(ntpd_t) ') diff --git a/numad.fc b/numad.fc index 3488bb0d3..1f9762420 100644 @@ -64967,13 +64967,13 @@ index 3488bb0d3..1f9762420 100644 
@@ -1,7 +1,7 @@ -/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0) +/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) - + -/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0) +/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0) - + -/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0) +/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0) - + -/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) +/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0) diff --git a/numad.if b/numad.if @@ -65027,7 +65027,7 @@ index 0d3c270b9..f307835ce 100644 + + ps_process_pattern($1, numad_t) +') - + ######################################## ## -## All of the rules required to @@ -65066,16 +65066,16 @@ index 0d3c270b9..f307835ce 100644 -## # interface(`numad_admin',` - gen_require(` + gen_require(` - type numad_t, numad_initrc_exec_t, numad_log_t; - type numad_var_run_t; + type numad_t; + type numad_unit_file_t; - ') - - allow $1 numad_t:process { ptrace signal_perms }; - ps_process_pattern($1, numad_t) - + ') + + allow $1 numad_t:process { ptrace signal_perms }; + ps_process_pattern($1, numad_t) + - init_labeled_script_domtrans($1, numad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 numad_initrc_exec_t system_r; 
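Review bot: numad_admin still grants `allow $1 numad_t:process { ptrace signal_perms };` unconditionally, whereas nscd_admin, nslcd_admin and ntp_admin in this same patch split signal_perms from ptrace and gate ptrace behind the `deny_ptrace` tunable. Leaving numad as the exception means setting deny_ptrace still lets an admin domain ptrace numad_t, which defeats the boolean for this one service; the change has the same shape as the other admin interfaces. The interface continues past the end of the hunk.
```m4
	allow $1 numad_t:process signal_perms;
	ps_process_pattern($1, numad_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 numad_t:process ptrace;
	')
	# ... unchanged: remainder of numad_admin ...
```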
@@ -65101,54 +65101,54 @@ index b0a1be482..303a9279f 100644 type numad_exec_t; init_daemon_domain(numad_t, numad_exec_t) -application_executable_file(numad_exec_t) - + -type numad_initrc_exec_t; -init_script_file(numad_initrc_exec_t) +type numad_unit_file_t; +systemd_unit_file(numad_unit_file_t) - + -type numad_log_t; -logging_log_file(numad_log_t) +type numad_var_log_t; +logging_log_file(numad_var_log_t) - + type numad_var_run_t; files_pid_file(numad_var_run_t) - + ######################################## # -# Local policy +# numad local policy # - + +allow numad_t self:capability sys_ptrace; allow numad_t self:fifo_file rw_fifo_file_perms; -allow numad_t self:msg { send receive }; allow numad_t self:msgq create_msgq_perms; +allow numad_t self:msg { send receive }; allow numad_t self:unix_stream_socket create_stream_socket_perms; - + -allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(numad_t, numad_log_t, file) +manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t) +logging_log_filetrans(numad_t, numad_var_log_t, file) - + manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) files_pid_filetrans(numad_t, numad_var_run_t, file) - + kernel_read_system_state(numad_t) - + -dev_read_sysfs(numad_t) +dev_rw_sysfs(numad_t) + +domain_use_interactive_fds(numad_t) +domain_read_all_domains_state(numad_t) +domain_setpriority_all_domains(numad_t) - + -files_read_etc_files(numad_t) +fs_manage_cgroup_dirs(numad_t) +fs_rw_cgroup_files(numad_t) - + -miscfiles_read_localization(numad_t) +tunable_policy(`deny_ptrace',`',` + virt_ptrace(numad_t) 
@@ -65161,27 +65161,27 @@ index 379af962c..fac7d7bc9 100644 -/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) -/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) +/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) - + -/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0) - -/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) -/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) - + -/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0) - + /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) /usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) -/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) +/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) +/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) - + /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) - + -/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) @@ -65195,7 +65195,7 @@ index 57c0161ed..c554eb6e1 100644 
@@ -1,39 +1,60 @@ -## Network UPS Tools +## nut - Network UPS Tools - + -######################################## +####################################### ## @@ -65222,11 +65222,11 @@ index 57c0161ed..c554eb6e1 100644 # -interface(`nut_admin',` +template(`nut_domain_template',` - gen_require(` - attribute nut_domain; + gen_require(` + attribute nut_domain; - type nut_initrc_exec_t, nut_var_run_t, nut_conf_t; - ') - + ') + - allow $1 nut_domain:process { ptrace signal_perms }; - ps_process_pattern($1, nut_domain_t) + type nut_$1_t, nut_domain; @@ -65241,7 +65241,7 @@ index 57c0161ed..c554eb6e1 100644 + manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t) + files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir }) + fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir }) - + - init_labeled_script_domtrans($1, nut_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 nut_initrc_exec_t system_r; @@ -65267,14 +65267,14 @@ index 57c0161ed..c554eb6e1 100644 + type nut_t; + type nut_unit_file_t; + ') - + - files_search_etc($1) - admin_pattern($1, nut_conf_t) + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 nut_unit_file_t:file read_file_perms; + allow $1 nut_unit_file_t:service manage_service_perms; - + - files_search_pids($1) - admin_pattern($1, nut_var_run_t) + ps_process_pattern($1, nut_t) @@ -65284,16 +65284,16 @@ index 5b2cb0d59..35b45d22e 100644 --- a/nut.te +++ b/nut.te @@ -7,154 +7,143 @@ policy_module(nut, 1.3.0) - + attribute nut_domain; - + +nut_domain_template(upsd) +nut_domain_template(upsmon) +nut_domain_template(upsdrvctl) + type nut_conf_t; files_config_file(nut_conf_t) - + -type nut_upsd_t, nut_domain; -type nut_upsd_exec_t; -init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) 
@@ -65312,7 +65312,7 @@ index 5b2cb0d59..35b45d22e 100644 type nut_var_run_t; files_pid_file(nut_var_run_t) -init_daemon_run_dir(nut_var_run_t, "nut") - + -######################################## +type nut_unit_file_t; +systemd_unit_file(nut_unit_file_t) @@ -65322,20 +65322,20 @@ index 5b2cb0d59..35b45d22e 100644 -# Common nut domain local policy +# Local policy for upsd # - + -allow nut_domain self:capability { setgid setuid dac_override kill }; +allow nut_domain self:capability { setgid setuid dac_read_search dac_override }; + allow nut_domain self:process signal_perms; -allow nut_domain self:fifo_file rw_fifo_file_perms; -allow nut_domain self:unix_dgram_socket sendto; - + -allow nut_domain nut_conf_t:dir list_dir_perms; -allow nut_domain nut_conf_t:file read_file_perms; -allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; +allow nut_domain self:fifo_file rw_fifo_file_perms; +allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms; - + +# pid file manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) 
@@ -65348,24 +65348,24 @@ index 5b2cb0d59..35b45d22e 100644 -miscfiles_read_localization(nut_domain) +manage_sock_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_domain, nut_var_run_t, dir) - + ######################################## # -# Upsd local policy +# Local policy for upsd # - + -allow nut_upsd_t self:tcp_socket { accept listen }; +allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; - + -manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) +allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; - + -stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) +read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) - + -corenet_all_recvfrom_unlabeled(nut_upsd_t) -corenet_all_recvfrom_netlabel(nut_upsd_t) -corenet_tcp_sendrecv_generic_if(nut_upsd_t) @@ -65373,7 +65373,7 @@ index 5b2cb0d59..35b45d22e 100644 -corenet_tcp_sendrecv_all_ports(nut_upsd_t) -corenet_tcp_bind_generic_node(nut_upsd_t) +kernel_read_kernel_sysctls(nut_upsd_t) - + -corenet_sendrecv_ups_server_packets(nut_upsd_t) corenet_tcp_bind_ups_port(nut_upsd_t) - 
@@ -65384,27 +65384,27 @@ index 5b2cb0d59..35b45d22e 100644 - -auth_use_nsswitch(nut_upsd_t) +corenet_tcp_bind_all_nodes(nut_upsd_t) - + ######################################## # -# Upsmon local policy +# Local policy for upsmon # - + -allow nut_upsmon_t self:capability dac_read_search; -allow nut_upsmon_t self:unix_stream_socket connectto; +allow nut_upsmon_t self:tcp_socket create_socket_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; - + +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) - + corecmd_exec_bin(nut_upsmon_t) corecmd_exec_shell(nut_upsmon_t) - + -corenet_all_recvfrom_unlabeled(nut_upsmon_t) -corenet_all_recvfrom_netlabel(nut_upsmon_t) -corenet_tcp_sendrecv_generic_if(nut_upsmon_t) 
@@ -65417,75 +65417,75 @@ index 5b2cb0d59..35b45d22e 100644 - -corenet_sendrecv_generic_client_packets(nut_upsmon_t) corenet_tcp_connect_generic_port(nut_upsmon_t) - + +# Creates /etc/killpower files_manage_etc_runtime_files(nut_upsmon_t) files_etc_filetrans_etc_runtime(nut_upsmon_t, file) files_search_usr(nut_upsmon_t) - + +# /usr/bin/wall term_write_all_terms(nut_upsmon_t) - + -auth_use_nsswitch(nut_upsmon_t) +# upsmon runs shutdown, probably need a shutdown domain +init_rw_utmp(nut_upsmon_t) +init_telinit(nut_upsmon_t) + - + mta_send_mail(nut_upsmon_t) - + +systemd_start_power_services(nut_upsmon_t) + optional_policy(` - shutdown_domtrans(nut_upsmon_t) + shutdown_domtrans(nut_upsmon_t) ') - + ######################################## # -# Upsdrvctl local policy +# Local policy for upsdrvctl # - + +allow nut_upsdrvctl_t self:capability { kill }; allow nut_upsdrvctl_t self:fd use; +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; + +can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) - + -manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file) +read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) - + +kernel_read_kernel_sysctls(nut_upsdrvctl_t) + +# /sbin/upsdrvctl executes other drivers corecmd_exec_bin(nut_upsdrvctl_t) - + dev_read_sysfs(nut_upsdrvctl_t) -dev_read_urand(nut_upsdrvctl_t) dev_rw_generic_usb_dev(nut_upsdrvctl_t) - + term_use_unallocated_ttys(nut_upsdrvctl_t) - -auth_use_nsswitch(nut_upsdrvctl_t) +term_use_usb_ttys(nut_upsdrvctl_t) - + init_sigchld(nut_upsdrvctl_t) - + ####################################### # -# Cgi local policy +# Local policy for upscgi scripts +# requires httpd_enable_cgi and httpd_can_network_connect # - + optional_policy(` - apache_content_template(nutups_cgi) + apache_content_template(nutups_cgi) + apache_content_alias_template(nutups_cgi,nutups_cgi) + + 
read_files_pattern(nutups_cgi_script_t, nut_conf_t, nut_conf_t) - + - allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms; - allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms; - allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms; @@ -65497,7 +65497,7 @@ index 5b2cb0d59..35b45d22e 100644 + corenet_udp_sendrecv_generic_if(nutups_cgi_script_t) + corenet_udp_sendrecv_generic_node(nutups_cgi_script_t) + corenet_udp_sendrecv_all_ports(nutups_cgi_script_t) - + - sysnet_dns_name_resolve(httpd_nutups_cgi_script_t) + sysnet_dns_name_resolve(nutups_cgi_script_t) ') @@ -65506,19 +65506,19 @@ index 251d6816a..50ae2a94b 100644 --- a/nx.if +++ b/nx.if @@ -35,7 +35,9 @@ interface(`nx_read_home_files',` - ') - - files_search_var_lib($1) + ') + + files_search_var_lib($1) - read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t) + allow $1 nx_server_var_lib_t:dir search_dir_perms; + read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) + read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t) ') - + ######################################## @@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',` - - filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4) + + filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4) ') + +######################################## @@ -65545,7 +65545,7 @@ index 091f87272..62a0b1229 100644 @@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t) type nx_server_var_run_t; files_pid_file(nx_server_var_run_t) - + +type nx_server_home_ssh_t; +files_type(nx_server_home_ssh_t) + @@ -65555,24 +65555,24 @@ index 091f87272..62a0b1229 100644 
@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir }) manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t) files_pid_filetrans(nx_server_t, nx_server_var_run_t, file) - + +manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) +manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t) + kernel_read_system_state(nx_server_t) kernel_read_kernel_sysctls(nx_server_t) - + corecmd_exec_shell(nx_server_t) corecmd_exec_bin(nx_server_t) - + -corenet_all_recvfrom_unlabeled(nx_server_t) corenet_all_recvfrom_netlabel(nx_server_t) corenet_tcp_sendrecv_generic_if(nx_server_t) corenet_tcp_sendrecv_generic_node(nx_server_t) @@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t) - + dev_read_urand(nx_server_t) - + -files_read_etc_files(nx_server_t) files_read_etc_runtime_files(nx_server_t) -files_read_usr_files(nx_server_t) @@ -65580,21 +65580,21 @@ index 091f87272..62a0b1229 100644 -miscfiles_read_localization(nx_server_t) - -seutil_dontaudit_search_config(nx_server_t) - + sysnet_read_config(nx_server_t) - + diff --git a/oav.te b/oav.te index b09c4c412..995c3f6a6 100644 --- a/oav.te +++ b/oav.te @@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t) domain_use_interactive_fds(scannerdaemon_t) - + files_exec_etc_files(scannerdaemon_t) -files_read_etc_files(scannerdaemon_t) files_read_etc_runtime_files(scannerdaemon_t) files_search_var_lib(scannerdaemon_t) - + diff --git a/obex.fc b/obex.fc index 03fa56040..b254dd104 100644 --- a/obex.fc @@ -65609,7 +65609,7 @@ index 8635ea205..eec20b413 100644 +++ b/obex.if @@ -1,15 +1,50 @@ ## D-Bus service providing high-level OBEX client and server side functionality. - + -####################################### +######################################## ## 
@@ -65677,38 +65677,38 @@ index 8635ea205..eec20b413 100644 # -template(`obex_role_template',` +template(`obex_role',` - gen_require(` - attribute_role obex_roles; + gen_require(` + attribute_role obex_roles; - type obex_t, obex_exec_exec_t; + type obex_t, obex_exec_t; - ') - - ######################################## + ') + + ######################################## - # -+ # - # Declarations - # - ++ # + # Declarations + # + - roleattribute $2 obex_roles; + roleattribute $1 obex_roles; - - ######################################## + + ######################################## - # -+ # - # Policy ++ # + # Policy - # - - allow $3 obex_t:process { ptrace signal_perms }; - ps_process_pattern($3, obex_t) -+ # - ++ # + - dbus_spec_session_domain($1, obex_exec_t, obex_t) - - obex_dbus_chat($3) -') + allow $2 obex_t:process signal_perms; + ps_process_pattern($2, obex_t) - + -######################################## -## -## Execute obex in the obex domain. @@ -65745,7 +65745,7 @@ index 8635ea205..eec20b413 100644 - class dbus send_msg; - ') + dbus_session_domain($3, obex_exec_t, obex_t) - + - allow $1 obex_t:dbus send_msg; - allow obex_t $1:dbus send_msg; + obex_dbus_chat($2) @@ -65756,45 +65756,45 @@ index cd29ea899..d01d2c8e6 100644 +++ b/obex.te @@ -1,4 +1,4 @@ -policy_module(obex, 1.0.0) -+policy_module(obex,1.0.0) - ++policy_module(obex,1.0.0) + ######################################## # 
@@ -14,30 +14,26 @@ role obex_roles types obex_t; - + ######################################## # -# Local policy +# obex local policy # - + allow obex_t self:fifo_file rw_fifo_file_perms; allow obex_t self:socket create_stream_socket_perms; +allow obex_t self:netlink_kobject_uevent_socket create_socket_perms; - + -dev_read_urand(obex_t) +kernel_request_load_module(obex_t) - + -files_read_etc_files(obex_t) +dev_read_urand(obex_t) - + logging_send_syslog_msg(obex_t) - + -miscfiles_read_localization(obex_t) - userdom_search_user_home_content(obex_t) - + -optional_policy(` - bluetooth_stream_connect(obex_t) -') - optional_policy(` - dbus_system_bus_client(obex_t) - - optional_policy(` + dbus_system_bus_client(obex_t) + + optional_policy(` + bluetooth_stream_connect(obex_t) - bluetooth_dbus_chat(obex_t) - ') + bluetooth_dbus_chat(obex_t) + ') ') diff --git a/oddjob.fc b/oddjob.fc index dd1d9ef5a..c48733aa4 100644 @@ -65802,20 +65802,20 @@ index dd1d9ef5a..c48733aa4 100644 +++ b/oddjob.fc 
@@ -1,10 +1,12 @@ -/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - + -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0) - + +/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) - + -/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/bin/oddjob_request -- gen_context(system_u:object_r:oddjob_exec_t,s0) + +/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) - + -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/oddjob.if b/oddjob.if @@ -65829,20 +65829,20 @@ index c87bd2a30..c7bfd1fde 100644 +## request that specified privileged operations be performed on their +## behalf. +## - + ######################################## ## @@ -15,14 +19,32 @@ interface(`oddjob_domtrans',` - type oddjob_t, oddjob_exec_t; - ') - + type oddjob_t, oddjob_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, oddjob_exec_t, oddjob_t) + domtrans_pattern($1, oddjob_exec_t, oddjob_t) ') - + +##################################### +## -+## Do not audit attempts to read and write ++## Do not audit attempts to read and write +## oddjob fifo file. +## +## @@ -65869,17 +65869,17 @@ index c87bd2a30..c7bfd1fde 100644 ## ## @@ -41,6 +63,7 @@ interface(`oddjob_system_entry',` - ') - - domtrans_pattern(oddjob_t, $2, $1) + ') + + domtrans_pattern(oddjob_t, $2, $1) + domain_user_exemption_target($1) ') - + ######################################## 
@@ -64,32 +87,46 @@ interface(`oddjob_dbus_chat',` - allow oddjob_t $1:dbus send_msg; + allow oddjob_t $1:dbus send_msg; ') - + -######################################## +###################################### ## @@ -65913,15 +65913,15 @@ index c87bd2a30..c7bfd1fde 100644 +## +# interface(`oddjob_domtrans_mkhomedir',` - gen_require(` - type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; - ') - + gen_require(` + type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) + domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) + allow $1 oddjob_mkhomedir_exec_t:file map; ') - + ######################################## ## -## Execute oddjob mkhomedir in the @@ -65935,20 +65935,20 @@ index c87bd2a30..c7bfd1fde 100644 @@ -105,46 +142,114 @@ interface(`oddjob_domtrans_mkhomedir',` # interface(`oddjob_run_mkhomedir',` - gen_require(` + gen_require(` - attribute_role oddjob_mkhomedir_roles; + type oddjob_mkhomedir_t; - ') - - oddjob_domtrans_mkhomedir($1) + ') + + oddjob_domtrans_mkhomedir($1) - roleattribute $2 oddjob_mkhomedir_roles; + role $2 types oddjob_mkhomedir_t; ') - + -##################################### +######################################## ## --## Do not audit attempts to read and write +-## Do not audit attempts to read and write -## oddjob fifo files. +## Execute the oddjob program in the oddjob domain. ## @@ -65967,15 +65967,15 @@ index c87bd2a30..c7bfd1fde 100644 # -interface(`oddjob_dontaudit_rw_fifo_files',` +interface(`oddjob_run',` - gen_require(` - type oddjob_t; - ') - + gen_require(` + type oddjob_t; + ') + - dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; + oddjob_domtrans($1) + role $2 types oddjob_t; ') - + -###################################### +####################################### +## 
@@ -66026,10 +66026,10 @@ index c87bd2a30..c7bfd1fde 100644 # -interface(`oddjob_sigchld',` +interface(`oddjob_ranged_domain',` - gen_require(` - type oddjob_t; - ') - + gen_require(` + type oddjob_t; + ') + - allow $1 oddjob_t:process sigchld; + oddjob_system_entry($1, $2) + @@ -66067,7 +66067,7 @@ index e403097c6..4737529c6 100644 @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0) # Declarations # - + -attribute_role oddjob_mkhomedir_roles; - type oddjob_t; @@ -66079,59 +66079,59 @@ index e403097c6..4737529c6 100644 init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) -role oddjob_mkhomedir_roles types oddjob_mkhomedir_t; +oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) - + +# pid files type oddjob_var_run_t; files_pid_file(oddjob_var_run_t) - + +type oddjob_unit_file_t; +systemd_unit_file(oddjob_unit_file_t) + ifdef(`enable_mcs',` - init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) ') - + ######################################## # -# Local policy +# oddjob local policy # - + allow oddjob_t self:capability setgid; @@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) - + -domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t) - kernel_read_system_state(oddjob_t) - + corecmd_exec_bin(oddjob_t) @@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t) - + selinux_compute_create_context(oddjob_t) - + + auth_use_nsswitch(oddjob_t) - + -miscfiles_read_localization(oddjob_t) - + locallogin_dontaudit_use_fds(oddjob_t) - + 
@@ -66,27 +66,31 @@ optional_policy(` ') - + optional_policy(` - unconfined_domtrans(oddjob_t) + apache_dbus_chat(oddjob_t) ') - + ######################################## # -# Mkhomedir local policy +# oddjob_mkhomedir local policy # - + -allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override }; +allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search dac_override }; allow oddjob_mkhomedir_t self:process setfscreate; @@ -66140,17 +66140,17 @@ index e403097c6..4737529c6 100644 +allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms; + +allow oddjob_t oddjob_mkhomedir_exec_t:file map; - + kernel_read_system_state(oddjob_mkhomedir_t) - + +fs_manage_auto_mountpoints(oddjob_mkhomedir_t) + +mls_file_upgrade(oddjob_mkhomedir_t) + auth_use_nsswitch(oddjob_mkhomedir_t) - + logging_send_syslog_msg(oddjob_mkhomedir_t) - + -miscfiles_read_localization(oddjob_mkhomedir_t) - selinux_get_fs_mount(oddjob_mkhomedir_t) @@ -66159,7 +66159,7 @@ index e403097c6..4737529c6 100644 @@ -98,8 +102,11 @@ seutil_read_config(oddjob_mkhomedir_t) seutil_read_file_contexts(oddjob_mkhomedir_t) seutil_read_default_contexts(oddjob_mkhomedir_t) - + +# Add/remove user home directories userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t) -userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) @@ -66178,34 +66178,34 @@ index 3b6920e31..3e9b17fde 100644 @@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) - + -can_exec(openct_t, openct_exec_t) - kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) kernel_read_proc_symlinks(openct_t) - + +can_exec(openct_t, openct_exec_t) + dev_read_sysfs(openct_t) dev_rw_usbfs(openct_t) dev_rw_smartcard(openct_t) 
@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) - + domain_use_interactive_fds(openct_t) - + -files_read_etc_files(openct_t) - + fs_getattr_all_fs(openct_t) fs_search_auto_mountpoints(openct_t) - + logging_send_syslog_msg(openct_t) - + -miscfiles_read_localization(openct_t) - userdom_dontaudit_use_unpriv_user_fds(openct_t) userdom_dontaudit_search_user_home_dirs(openct_t) - + diff --git a/opendnssec.fc b/opendnssec.fc new file mode 100644 index 000000000..08d0e793d @@ -66520,20 +66520,20 @@ index 8de619112..1a01e99f2 100644 @@ -38,6 +38,8 @@ files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir) manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t) files_pid_filetrans(openhpid_t, openhpid_var_run_t, file) - + +kernel_read_system_state(openhpid_t) + corenet_all_recvfrom_unlabeled(openhpid_t) corenet_all_recvfrom_netlabel(openhpid_t) corenet_tcp_sendrecv_generic_if(openhpid_t) @@ -50,8 +52,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t) - + dev_read_urand(openhpid_t) - + -files_read_etc_files(openhpid_t) - logging_send_syslog_msg(openhpid_t) - + miscfiles_read_localization(openhpid_t) + +optional_policy(` @@ -67214,7 +67214,7 @@ index 000000000..c20cac397 + +######################################## +## -+## Relabel openshift library files ++## Relabel openshift library files +## +## +## @@ -67576,7 +67576,7 @@ index 000000000..a98990f3a +gen_require(` + role system_r; +') -+ ++ +## +##

    +## Allow openshift to access nfs file systems without labels @@ -67758,7 +67758,7 @@ index 000000000..a98990f3a +# Allow users to execute files in their home dir +allow openshift_domain openshift_file_type:file { execute execute_no_trans }; + -+# Dontaudit openshift domains trying to search other openshift domains directories, ++# Dontaudit openshift domains trying to search other openshift domains directories, +# this happens just when users are probing the system +dontaudit openshift_domain openshift_file_type:dir search_dir_perms +; @@ -67881,7 +67881,7 @@ index 000000000..a98990f3a + +optional_policy(` + ############################################# -+ # ++ # + # openshift cgi script policy + # + apache_content_template(openshift) @@ -68511,24 +68511,24 @@ index 300213f83..4cdfe097c 100644 /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) +/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0) /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) - + /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) - + /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) - + +/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0) + /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) - + diff --git a/openvpn.if b/openvpn.if index 6837e9a2b..8d6e33b00 100644 --- a/openvpn.if +++ b/openvpn.if @@ -20,6 +20,25 @@ interface(`openvpn_domtrans',` - domtrans_pattern($1, openvpn_exec_t, openvpn_t) + domtrans_pattern($1, openvpn_exec_t, openvpn_t) ') - + +######################################## +##

    +## Execute openvpn clients in the @@ -68552,9 +68552,9 @@ index 6837e9a2b..8d6e33b00 100644 ## ## Execute openvpn clients in the @@ -123,6 +142,44 @@ interface(`openvpn_read_config',` - allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms; + allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms; ') - + +#################################### +## +## Connect to openvpn over @@ -68597,20 +68597,20 @@ index 6837e9a2b..8d6e33b00 100644 ## ## All of the rules required to @@ -147,9 +204,13 @@ interface(`openvpn_admin',` - type openvpn_status_t; - ') - + type openvpn_status_t; + ') + - allow $1 openvpn_t:process { ptrace signal_perms }; + allow $1 openvpn_t:process signal_perms; - ps_process_pattern($1, openvpn_t) - + ps_process_pattern($1, openvpn_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 openvpn_t:process ptrace; + ') + - init_labeled_script_domtrans($1, openvpn_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 openvpn_initrc_exec_t system_r; + init_labeled_script_domtrans($1, openvpn_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te index 63957a362..91dead6e7 100644 --- a/openvpn.te @@ -68618,7 +68618,7 @@ index 63957a362..91dead6e7 100644 @@ -5,6 +5,13 @@ policy_module(openvpn, 1.12.2) # Declarations # - + +## +##

    +## Allow openvpn to run unconfined scripts @@ -68635,23 +68635,23 @@ index 63957a362..91dead6e7 100644 ## -gen_tunable(openvpn_can_network_connect, false) +gen_tunable(openvpn_can_network_connect, true) - + attribute_role openvpn_roles; - + @@ -40,6 +47,9 @@ init_script_file(openvpn_initrc_exec_t) type openvpn_status_t; logging_log_file(openvpn_status_t) - + +type openvpn_var_lib_t; +files_type(openvpn_var_lib_t) + type openvpn_tmp_t; files_tmp_file(openvpn_tmp_t) - + @@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # - + -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; +allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; allow openvpn_t self:process { signal getsched setsched }; @@ -68660,7 +68660,7 @@ index 63957a362..91dead6e7 100644 @@ -63,6 +73,8 @@ allow openvpn_t self:tcp_socket server_stream_socket_perms; allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow openvpn_t self:netlink_route_socket nlmsg_write; - + +dontaudit openvpn_t self:capability2 block_suspend ; + allow openvpn_t openvpn_etc_t:dir list_dir_perms; @@ -68669,7 +68669,7 @@ index 63957a362..91dead6e7 100644 @@ -73,18 +85,23 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") - + +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) + 
@@ -68678,26 +68678,26 @@ index 63957a362..91dead6e7 100644 + allow openvpn_t openvpn_tmp_t:file manage_file_perms; files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) - + manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) +manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) - + manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) -files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) +manage_sock_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) +files_pid_filetrans(openvpn_t, openvpn_var_run_t, { sock_file file dir }) - + can_exec(openvpn_t, openvpn_etc_t) - + @@ -97,7 +114,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) - + -corenet_all_recvfrom_unlabeled(openvpn_t) corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) @@ -68713,31 +68713,31 @@ index 63957a362..91dead6e7 100644 corenet_sendrecv_http_cache_client_packets(openvpn_t) corenet_tcp_connect_http_cache_port(openvpn_t) corenet_tcp_sendrecv_http_cache_port(openvpn_t) - + +corenet_tcp_connect_tor_port(openvpn_t) + corenet_rw_tun_tap_dev(openvpn_t) - + dev_read_rand(openvpn_t) 
@@ -132,21 +150,31 @@ files_read_etc_runtime_files(openvpn_t) - + fs_getattr_all_fs(openvpn_t) fs_search_auto_mountpoints(openvpn_t) +fs_list_cgroup_dirs(openvpn_t) - + auth_use_pam(openvpn_t) - + -miscfiles_read_localization(openvpn_t) +logging_send_syslog_msg(openvpn_t) + miscfiles_read_all_certs(openvpn_t) - + +sysnet_dns_name_resolve(openvpn_t) sysnet_exec_ifconfig(openvpn_t) sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) sysnet_use_ldap(openvpn_t) - + -userdom_use_user_terminals(openvpn_t) +systemd_passwd_agent_domtrans(openvpn_t) +systemd_manage_passwd_run(openvpn_t) @@ -68747,25 +68747,25 @@ index 63957a362..91dead6e7 100644 +userdom_attach_admin_tun_iface(openvpn_t) +userdom_read_inherited_user_tmp_files(openvpn_t) +userdom_read_inherited_user_home_content_files(openvpn_t) - + tunable_policy(`openvpn_enable_homedirs',` - userdom_read_user_home_content_files(openvpn_t) + userdom_search_user_home_dirs(openvpn_t) ') - + tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` @@ -163,10 +191,20 @@ tunable_policy(`openvpn_can_network_connect',` - corenet_tcp_sendrecv_all_ports(openvpn_t) + corenet_tcp_sendrecv_all_ports(openvpn_t) ') - + +optional_policy(` + brctl_domtrans(openvpn_t) +') + optional_policy(` - daemontools_service_domain(openvpn_t, openvpn_exec_t) + daemontools_service_domain(openvpn_t, openvpn_exec_t) ') - + +optional_policy(` + networkmanager_stream_connect(openvpn_t) + networkmanager_manage_pid_files(openvpn_t) @@ -68773,11 +68773,11 @@ index 63957a362..91dead6e7 100644 +') + optional_policy(` - dbus_system_bus_client(openvpn_t) - dbus_connect_system_bus(openvpn_t) + dbus_system_bus_client(openvpn_t) + dbus_connect_system_bus(openvpn_t) @@ -175,3 +213,27 @@ optional_policy(` - networkmanager_dbus_chat(openvpn_t) - ') + networkmanager_dbus_chat(openvpn_t) + ') ') + +optional_policy(` @@ -68810,7 +68810,7 @@ index 45d7cc508..c5b9607c1 100644 
@@ -1,12 +1,16 @@ -/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0) +/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0) - + -/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0) +/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) @@ -68818,17 +68818,17 @@ index 45d7cc508..c5b9607c1 100644 +/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) - + -/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0) -/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0) +/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0) - + -/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0) +/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0) - + -/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0) +/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) - + -/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0) +/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0) diff --git a/openvswitch.if b/openvswitch.if @@ -68839,7 +68839,7 @@ index 9b157305b..cb00f200a 100644 -##

    Multilayer virtual switch. + +## policy for openvswitch - + ######################################## ## -## Execute openvswitch in the openvswitch domain. @@ -68855,8 +68855,8 @@ index 9b157305b..cb00f200a 100644 # interface(`openvswitch_domtrans',` @@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',` - corecmd_search_bin($1) - domtrans_pattern($1, openvswitch_exec_t, openvswitch_t) + corecmd_search_bin($1) + domtrans_pattern($1, openvswitch_exec_t, openvswitch_t) ') +######################################## +## @@ -68896,7 +68896,7 @@ index 9b157305b..cb00f200a 100644 + logging_search_logs($1) + append_files_pattern($1, openvswitch_log_t, openvswitch_log_t) +') - + ######################################## ## -## Read openvswitch pid files. @@ -69002,7 +69002,7 @@ index 9b157305b..cb00f200a 100644 ## ## @@ -40,44 +176,87 @@ interface(`openvswitch_read_pid_files',` - + ######################################## ## -## All of the rules required to 
@@ -69065,36 +69065,36 @@ index 9b157305b..cb00f200a 100644 ## # interface(`openvswitch_admin',` - gen_require(` + gen_require(` - type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t; - type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t; + type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t; + type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t; - ') - - allow $1 openvswitch_t:process { ptrace signal_perms }; - ps_process_pattern($1, openvswitch_t) - + ') + + allow $1 openvswitch_t:process { ptrace signal_perms }; + ps_process_pattern($1, openvswitch_t) + - init_labeled_script_domtrans($1, openvswitch_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 openvswitch_initrc_exec_t system_r; - allow $2 system_r; + logging_search_logs($1) + admin_pattern($1, openvswitch_rw_t) - + - files_search_etc($1) - admin_pattern($1, openvswitch_conf_t) + logging_search_logs($1) + admin_pattern($1, openvswitch_log_t) - - files_search_var_lib($1) - admin_pattern($1, openvswitch_var_lib_t) - + + files_search_var_lib($1) + admin_pattern($1, openvswitch_var_lib_t) + - logging_search_logs($1) - admin_pattern($1, openvswitch_log_t) - - files_search_pids($1) - admin_pattern($1, openvswitch_var_run_t) + files_search_pids($1) + admin_pattern($1, openvswitch_var_run_t) + + openvswitch_systemctl($1) + admin_pattern($1, openvswitch_unit_file_t) @@ -69111,7 +69111,7 @@ index 44dbc99ab..f2c237099 100644 @@ -9,11 +9,8 @@ type openvswitch_t; type openvswitch_exec_t; init_daemon_domain(openvswitch_t, openvswitch_exec_t) - + -type openvswitch_initrc_exec_t; -init_script_file(openvswitch_initrc_exec_t) - @@ -69119,13 +69119,13 @@ index 44dbc99ab..f2c237099 100644 -files_config_file(openvswitch_conf_t) +type openvswitch_rw_t; +files_config_file(openvswitch_rw_t) - + type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) 
@@ -27,20 +24,31 @@ files_tmp_file(openvswitch_tmp_t) type openvswitch_var_run_t; files_pid_file(openvswitch_var_run_t) - + +type openvswitch_unit_file_t; +systemd_unit_file(openvswitch_unit_file_t) + @@ -69134,7 +69134,7 @@ index 44dbc99ab..f2c237099 100644 -# Local policy +# openvswitch local policy # - + -allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock }; -allow openvswitch_t self:process { setrlimit setsched signal }; +allow openvswitch_t self:capability { dac_override dac_read_search net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill }; @@ -69152,19 +69152,19 @@ index 44dbc99ab..f2c237099 100644 +allow openvswitch_t self:system { module_load }; + +can_exec(openvswitch_t, openvswitch_exec_t) - + -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) - + manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) @@ -48,50 +56,103 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) - + manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) -create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) 
@@ -69172,14 +69172,14 @@ index 44dbc99ab..f2c237099 100644 +manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) - + manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) -files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir }) +manage_sock_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) +files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir sock_file }) - + manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) @@ -69188,14 +69188,14 @@ index 44dbc99ab..f2c237099 100644 - -can_exec(openvswitch_t, openvswitch_exec_t) +files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file sock_file }) - + +kernel_load_module(openvswitch_t) kernel_read_network_state(openvswitch_t) kernel_read_system_state(openvswitch_t) +kernel_request_load_module(openvswitch_t) +files_map_kernel_modules(openvswitch_t) +kernel_read_net_sysctls(openvswitch_t) - + -corenet_all_recvfrom_unlabeled(openvswitch_t) -corenet_all_recvfrom_netlabel(openvswitch_t) -corenet_raw_sendrecv_generic_if(openvswitch_t) @@ -69206,10 +69206,10 @@ index 44dbc99ab..f2c237099 100644 +corenet_tcp_connect_openvswitch_port(openvswitch_t) +corenet_tcp_bind_generic_node(openvswitch_t) +corenet_tcp_bind_openvswitch_port(openvswitch_t) - + corecmd_exec_bin(openvswitch_t) +corecmd_exec_shell(openvswitch_t) - + +dev_read_rand(openvswitch_t) dev_read_urand(openvswitch_t) +dev_rw_sysfs(openvswitch_t) 
@@ -69217,22 +69217,22 @@ index 44dbc99ab..f2c237099 100644 +corenet_rw_tun_tap_dev(openvswitch_t) +dev_rw_infiniband_dev(openvswitch_t) +dev_read_cpuid(openvswitch_t) - + domain_use_interactive_fds(openvswitch_t) - + -files_read_etc_files(openvswitch_t) +files_read_kernel_modules(openvswitch_t) +files_load_kernel_modules(openvswitch_t) - + fs_getattr_all_fs(openvswitch_t) fs_search_cgroup_dirs(openvswitch_t) +fs_manage_hugetlbfs_files(openvswitch_t) +fs_manage_hugetlbfs_dirs(openvswitch_t) + +auth_use_nsswitch(openvswitch_t) - + logging_send_syslog_msg(openvswitch_t) - + -miscfiles_read_localization(openvswitch_t) +init_read_script_state(openvswitch_t) + @@ -69240,9 +69240,9 @@ index 44dbc99ab..f2c237099 100644 +modutils_list_module_config(openvswitch_t) +modutils_read_module_config(openvswitch_t) +modutils_read_module_deps(openvswitch_t) - + sysnet_dns_name_resolve(openvswitch_t) - + +logging_send_audit_msgs(openvswitch_t) + +write_sock_files_pattern(init_t, openvswitch_var_run_t, openvswitch_var_run_t) @@ -69254,7 +69254,7 @@ index 44dbc99ab..f2c237099 100644 +') + optional_policy(` - iptables_domtrans(openvswitch_t) + iptables_domtrans(openvswitch_t) ') + +optional_policy(` @@ -69877,11 +69877,11 @@ index 2f0ad56d6..d4da0b8d0 100644 +++ b/pacemaker.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0) - + +/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0) + /usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0) - + /var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0) diff --git a/pacemaker.if b/pacemaker.if index 9682d9af8..f1f421f9e 100644 @@ -69890,7 +69890,7 @@ index 9682d9af8..f1f421f9e 100644 @@ -1,9 +1,167 @@ -## A scalable high-availability cluster resource manager. +## >A scalable high-availability cluster resource manager. - + ######################################## ## -## All of the rules required to 
@@ -70061,27 +70061,27 @@ index 9682d9af8..f1f421f9e 100644 @@ -19,14 +177,17 @@ # interface(`pacemaker_admin',` - gen_require(` + gen_require(` - type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t; + type pacemaker_t; + type pacemaker_initrc_exec_t; + type pacemaker_var_lib_t; - type pacemaker_var_run_t; + type pacemaker_var_run_t; + type pacemaker_unit_file_t; - ') - - allow $1 pacemaker_t:process { ptrace signal_perms }; - ps_process_pattern($1, pacemaker_t) - + ') + + allow $1 pacemaker_t:process { ptrace signal_perms }; + ps_process_pattern($1, pacemaker_t) + - init_labeled_script_domtrans($1, pacemaker_initrc_exec_t) + pacemaker_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pacemaker_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 pacemaker_initrc_exec_t system_r; + allow $2 system_r; @@ -36,4 +197,13 @@ interface(`pacemaker_admin',` - - files_search_pids($1) - admin_pattern($1, pacemaker_var_run_t) + + files_search_pids($1) + admin_pattern($1, pacemaker_var_run_t) + + pacemaker_systemctl($1) + admin_pattern($1, pacemaker_unit_file_t) @@ -70099,7 +70099,7 @@ index 6e6efb642..d56c04963 100644 @@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0) # Declarations # - + +## +##

    +## Allow pacemaker memcheck-amd64- to use executable memory @@ -70113,7 +70113,7 @@ index 6e6efb642..d56c04963 100644 @@ -12,31 +19,36 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t) type pacemaker_initrc_exec_t; init_script_file(pacemaker_initrc_exec_t) - + +type pacemaker_var_lib_t; +files_type(pacemaker_var_lib_t) + @@ -70122,10 +70122,10 @@ index 6e6efb642..d56c04963 100644 + type pacemaker_tmp_t; files_tmp_file(pacemaker_tmp_t) - + type pacemaker_tmpfs_t; files_tmpfs_file(pacemaker_tmpfs_t) - + -type pacemaker_var_lib_t; -files_type(pacemaker_var_lib_t) - @@ -70133,59 +70133,59 @@ index 6e6efb642..d56c04963 100644 -files_pid_file(pacemaker_var_run_t) +type pacemaker_unit_file_t; +systemd_unit_file(pacemaker_unit_file_t) - + ######################################## # # Local policy # - + -allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid }; +allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search dac_override setuid }; +allow pacemaker_t self:capability2 block_suspend; allow pacemaker_t self:process { setrlimit signal setpgid }; allow pacemaker_t self:fifo_file rw_fifo_file_perms; allow pacemaker_t self:unix_stream_socket { connectto accept listen }; - + manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) -files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir }) +manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t) +files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir }) - + manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t) 
@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t) corecmd_exec_bin(pacemaker_t) corecmd_exec_shell(pacemaker_t) - + +domain_use_interactive_fds(pacemaker_t) +domain_read_all_domains_state(pacemaker_t) + dev_getattr_mtrr_dev(pacemaker_t) dev_read_rand(pacemaker_t) dev_read_urand(pacemaker_t) - + -domain_read_all_domains_state(pacemaker_t) -domain_use_interactive_fds(pacemaker_t) - files_read_kernel_symbol_table(pacemaker_t) - + fs_getattr_all_fs(pacemaker_t) @@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t) - + logging_send_syslog_msg(pacemaker_t) - + -miscfiles_read_localization(pacemaker_t) +sysnet_domtrans_ifconfig(pacemaker_t) + +tunable_policy(`pacemaker_use_execmem',` + allow pacemaker_t self:process { execmem }; +') - + optional_policy(` - corosync_read_log(pacemaker_t) + corosync_read_log(pacemaker_t) + corosync_setattr_log(pacemaker_t) - corosync_stream_connect(pacemaker_t) + corosync_stream_connect(pacemaker_t) + corosync_rw_tmpfs(pacemaker_t) +') + @@ -70203,22 +70203,22 @@ index 6e097c919..503c97a2d 100644 # -interface(`pads_admin', ` +interface(`pads_admin',` - gen_require(` - type pads_t, pads_config_t, pads_var_run_t; - type pads_initrc_exec_t; - ') - + gen_require(` + type pads_t, pads_config_t, pads_var_run_t; + type pads_initrc_exec_t; + ') + - allow $1 pads_t:process { ptrace signal_perms }; + allow $1 pads_t:process signal_perms; - ps_process_pattern($1, pads_t) - + ps_process_pattern($1, pads_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 pads_t:process ptrace; + ') + - init_labeled_script_domtrans($1, pads_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pads_initrc_exec_t system_r; + init_labeled_script_domtrans($1, pads_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pads_initrc_exec_t system_r; diff --git a/pads.te b/pads.te index 078adc478..f0c65e5de 100644 --- a/pads.te @@ -70226,7 +70226,7 @@ index 078adc478..f0c65e5de 100644 
@@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t) # Declarations # - + -allow pads_t self:capability { dac_override net_raw }; +allow pads_t self:capability { dac_read_search dac_override net_raw }; +allow pads_t self:netlink_route_socket create_netlink_socket_perms; @@ -70234,13 +70234,13 @@ index 078adc478..f0c65e5de 100644 allow pads_t self:socket create_socket_perms; +allow pads_t self:udp_socket create_socket_perms; +allow pads_t self:unix_dgram_socket create_socket_perms; - + allow pads_t pads_config_t:file manage_file_perms; files_etc_filetrans(pads_t, pads_config_t, file) @@ -39,7 +42,6 @@ kernel_read_network_state(pads_t) - + corecmd_search_bin(pads_t) - + -corenet_all_recvfrom_unlabeled(pads_t) corenet_all_recvfrom_netlabel(pads_t) corenet_tcp_sendrecv_generic_if(pads_t) @@ -70248,14 +70248,14 @@ index 078adc478..f0c65e5de 100644 @@ -52,11 +54,8 @@ dev_read_rand(pads_t) dev_read_urand(pads_t) dev_read_sysfs(pads_t) - + -files_read_etc_files(pads_t) files_search_spool(pads_t) - + -miscfiles_read_localization(pads_t) - logging_send_syslog_msg(pads_t) - + sysnet_dns_name_resolve(pads_t) diff --git a/passenger.fc b/passenger.fc index 2c389ea7c..9155bd0dd 100644 
@@ -70269,14 +70269,14 @@ index 2c389ea7c..9155bd0dd 100644 +/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) +/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) +/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) -+/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) - ++/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) + -/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) +/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0) - + -/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) +/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) - + -/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) +/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0) + @@ -70286,14 +70286,14 @@ index bf59ef731..0e333279c 100644 --- a/passenger.if +++ b/passenger.if @@ -15,17 +15,17 @@ interface(`passenger_domtrans',` - type passenger_t, passenger_exec_t; - ') - + type passenger_t, passenger_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, passenger_exec_t, passenger_t) + domtrans_pattern($1, passenger_exec_t, passenger_t) + allow passenger_t $1:unix_stream_socket { accept getattr read write }; ') - + ###################################### ##

    -## Execute passenger in the caller domain. @@ -70307,13 +70307,13 @@ index bf59ef731..0e333279c 100644 ## # @@ -34,13 +34,30 @@ interface(`passenger_exec',` - type passenger_exec_t; - ') - + type passenger_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, passenger_exec_t) + can_exec($1, passenger_exec_t) ') - + +####################################### +## +## Getattr passenger log files @@ -70340,11 +70340,11 @@ index bf59ef731..0e333279c 100644 ## ## @@ -53,6 +70,112 @@ interface(`passenger_read_lib_files',` - type passenger_var_lib_t; - ') - + type passenger_var_lib_t; + ') + - files_search_var_lib($1) - read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) + files_search_var_lib($1) +') @@ -70460,27 +70460,27 @@ index 08ec33bf2..175a4ed46 100644 @@ -1,4 +1,4 @@ -policy_module(passanger, 1.1.1) +policy_module(passenger, 1.1.1) - + ######################################## # @@ -14,6 +14,9 @@ role system_r types passenger_t; type passenger_log_t; logging_log_file(passenger_log_t) - + +type passenger_tmp_t; +files_tmp_file(passenger_tmp_t) + type passenger_var_lib_t; files_type(passenger_var_lib_t) - + @@ -22,22 +25,25 @@ files_pid_file(passenger_var_run_t) - + ######################################## # -# Local policy +# passanger local policy # - + -allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; -allow passenger_t self:process { setpgid setsched sigkill signal }; +allow passenger_t self:capability { chown dac_read_search dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; 
@@ -70492,7 +70492,7 @@ index 08ec33bf2..175a4ed46 100644 +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +can_exec(passenger_t, passenger_exec_t) - + manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) -append_files_pattern(passenger_t, passenger_log_t, passenger_log_t) -create_files_pattern(passenger_t, passenger_log_t, passenger_log_t) @@ -70500,29 +70500,29 @@ index 08ec33bf2..175a4ed46 100644 -logging_log_filetrans(passenger_t, passenger_log_t, file) +manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +logging_log_filetrans(passenger_t, passenger_log_t, { dir file }) - + manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) +files_search_var_lib(passenger_t) - + manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) @@ -45,7 +51,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) - + -can_exec(passenger_t, passenger_exec_t) +#needed by puppet +manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) +manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) +manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t) +files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file }) - + kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) @@ -53,13 +63,11 @@ kernel_read_network_state(passenger_t) kernel_read_net_sysctls(passenger_t) - + corenet_all_recvfrom_netlabel(passenger_t) -corenet_all_recvfrom_unlabeled(passenger_t) corenet_tcp_sendrecv_generic_if(passenger_t) 
@@ -70533,33 +70533,33 @@ index 08ec33bf2..175a4ed46 100644 -corenet_tcp_sendrecv_http_port(passenger_t) +corenet_tcp_connect_postgresql_port(passenger_t) +corenet_tcp_connect_mysqld_port(passenger_t) - + corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) @@ -68,10 +76,10 @@ dev_read_urand(passenger_t) - + domain_read_all_domains_state(passenger_t) - + -files_read_etc_files(passenger_t) - auth_use_nsswitch(passenger_t) - + +fs_getattr_xattr_fs(passenger_t) + logging_send_syslog_msg(passenger_t) - + miscfiles_read_localization(passenger_t) @@ -83,6 +91,7 @@ userdom_dontaudit_use_user_terminals(passenger_t) optional_policy(` - apache_append_log(passenger_t) - apache_read_sys_content(passenger_t) + apache_append_log(passenger_t) + apache_read_sys_content(passenger_t) + apache_rw_stream_sockets(passenger_t) ') - + optional_policy(` @@ -94,14 +103,21 @@ optional_policy(` ') - + optional_policy(` - puppet_manage_lib_files(passenger_t) + mysql_stream_connect(passenger_t) @@ -70569,7 +70569,7 @@ index 08ec33bf2..175a4ed46 100644 +optional_policy(` + puppet_domtrans_master(passenger_t) + puppet_manage_lib(passenger_t) - puppet_read_config(passenger_t) + puppet_read_config(passenger_t) - puppet_append_log_files(passenger_t) - puppet_create_log_files(passenger_t) - puppet_read_log_files(passenger_t) @@ -70578,7 +70578,7 @@ index 08ec33bf2..175a4ed46 100644 + puppet_read_log(passenger_t) + puppet_search_pid(passenger_t) ') - + optional_policy(` - rpm_exec(passenger_t) - rpm_read_db(passenger_t) @@ -70590,27 +70590,27 @@ index 8176e4aa4..2df178919 100644 --- a/pcmcia.te +++ b/pcmcia.te 
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t) - + logging_send_syslog_msg(cardmgr_t) - + -miscfiles_read_localization(cardmgr_t) - modutils_domtrans_insmod(cardmgr_t) - + sysnet_domtrans_ifconfig(cardmgr_t) sysnet_etc_filetrans_config(cardmgr_t) sysnet_manage_config(cardmgr_t) - + -userdom_use_user_terminals(cardmgr_t) +userdom_use_inherited_user_terminals(cardmgr_t) userdom_dontaudit_use_unpriv_user_fds(cardmgr_t) userdom_dontaudit_search_user_home_dirs(cardmgr_t) - + optional_policy(` - seutil_dontaudit_read_config(cardmgr_t) - seutil_sigchld_newrole(cardmgr_t) + seutil_sigchld_newrole(cardmgr_t) ') - + diff --git a/pcp.fc b/pcp.fc new file mode 100644 index 000000000..de7c78ca0 @@ -70677,7 +70677,7 @@ index 000000000..abb250dba + type pcp_$1_t, pcp_domain; + type pcp_$1_exec_t; + init_daemon_domain(pcp_$1_t, pcp_$1_exec_t) -+ ++ + type pcp_$1_initrc_exec_t; + init_script_file(pcp_$1_initrc_exec_t) + @@ -70927,7 +70927,7 @@ index 000000000..89c3f11d8 + corenet_sendrecv_all_server_packets(pcp_pmlogger_t) + corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t) + corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t) -+ ++ +') + + @@ -71147,22 +71147,22 @@ index 43d50f95b..6b1544f62 100644 --- a/pcscd.if +++ b/pcscd.if @@ -17,6 +17,8 @@ interface(`pcscd_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, pcscd_exec_t, pcscd_t) + + corecmd_search_bin($1) + domtrans_pattern($1, pcscd_exec_t, pcscd_t) + + ps_process_pattern(pcscd_t, $1) ') - + ######################################## @@ -50,7 +52,7 @@ interface(`pcscd_read_pid_files',` - ') - - files_search_pids($1) + ') + + files_search_pids($1) - allow $1 pcscd_var_run_t:file read_file_perms; + read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t) ') - + ######################################## diff --git a/pcscd.te b/pcscd.te index 1fb196410..5212cd203 100644 @@ -71170,7 +71170,7 @@ index 1fb196410..5212cd203 100644 +++ b/pcscd.te 
@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") # - + allow pcscd_t self:capability { dac_override dac_read_search fsetid }; -allow pcscd_t self:process signal; +allow pcscd_t self:process { signal signull }; @@ -71181,12 +71181,12 @@ index 1fb196410..5212cd203 100644 +allow pcscd_t self:unix_dgram_socket create_socket_perms; +allow pcscd_t self:tcp_socket create_stream_socket_perms; allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms; - + manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t) @@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir }) - + kernel_read_system_state(pcscd_t) - + -corenet_all_recvfrom_unlabeled(pcscd_t) corenet_all_recvfrom_netlabel(pcscd_t) corenet_tcp_sendrecv_generic_if(pcscd_t) @@ -71194,34 +71194,34 @@ index 1fb196410..5212cd203 100644 @@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) corenet_tcp_connect_http_port(pcscd_t) corenet_tcp_sendrecv_http_port(pcscd_t) - + +domain_read_all_domains_state(pcscd_t) + dev_rw_generic_usb_dev(pcscd_t) dev_rw_smartcard(pcscd_t) dev_rw_usbfs(pcscd_t) dev_read_sysfs(pcscd_t) - + -files_read_etc_files(pcscd_t) files_read_etc_runtime_files(pcscd_t) - + term_use_unallocated_ttys(pcscd_t) @@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t) - + logging_send_syslog_msg(pcscd_t) - + -miscfiles_read_localization(pcscd_t) - sysnet_dns_name_resolve(pcscd_t) - + +userdom_read_all_users_state(pcscd_t) + optional_policy(` - dbus_system_bus_client(pcscd_t) - - optional_policy(` - hal_dbus_chat(pcscd_t) - ') + dbus_system_bus_client(pcscd_t) + + optional_policy(` + hal_dbus_chat(pcscd_t) + ') + + optional_policy(` + policykit_dbus_chat(pcscd_t) @@ -71233,11 +71233,11 @@ index 1fb196410..5212cd203 100644 +optional_policy(` + policykit_dbus_chat(pcscd_t) ') - + optional_policy(` @@ -85,3 +96,8 @@ optional_policy(` optional_policy(` - udev_read_db(pcscd_t) + udev_read_db(pcscd_t) ') + +optional_policy(` 
@@ -71254,24 +71254,24 @@ index dfd46e412..feaa8e174 100644 +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) +/etc/Pegasus/cimserver_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) - + -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) - + -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) - + -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) +/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) - + -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) +/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) - + -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) +/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) - + -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) +/var/run/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0) + @@ -71296,7 +71296,7 @@ index d2fc677c1..86dce34a2 100644 +++ b/pegasus.if @@ -1,52 +1,60 @@ ## The Open Group Pegasus CIM/WBEM Server. - + +###################################### +## +## Creates types and rules for a basic @@ -71327,7 +71327,7 @@ index d2fc677c1..86dce34a2 100644 + # + # Local policy + # -+ ++ + domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t) + allow pegasus_t pegasus_openlmi_$1_exec_t:file ioctl; + 
@@ -71355,13 +71355,13 @@ index d2fc677c1..86dce34a2 100644 # -interface(`pegasus_admin',` +interface(`pegasus_stream_connect',` - gen_require(` + gen_require(` - type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t; - type pegasus_cache_t, pegasus_data_t, pegasus_conf_t; - type pegasus_mof_t, pegasus_var_run_t; + type pegasus_t, pegasus_var_run_t, pegasus_tmp_t; - ') - + ') + - allow $1 pegasus_t:process { ptrace signal_perms }; - ps_process_pattern($1, pegasus_t) - @@ -71385,7 +71385,7 @@ index d2fc677c1..86dce34a2 100644 - files_search_var_lib($1) - admin_pattern($1, pegasus_data_t) - - files_search_pids($1) + files_search_pids($1) - admin_pattern($1, pegasus_var_run_t) + stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t) + stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t) @@ -71398,23 +71398,23 @@ index 608f454d8..a78b356aa 100644 @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) # Declarations # - + +attribute pegasus_openlmi_domain; + type pegasus_t; type pegasus_exec_t; init_daemon_domain(pegasus_t, pegasus_exec_t) - + -type pegasus_initrc_exec_t; -init_script_file(pegasus_initrc_exec_t) - type pegasus_cache_t; files_type(pegasus_cache_t) - + @@ -30,20 +29,337 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) - + +# pegasus openlmi providers +pegasus_openlmi_domain_template(admin) +typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t; @@ -71617,7 +71617,7 @@ index 608f454d8..a78b356aa 100644 + +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_admin_t) -+ ++ + optional_policy(` + init_dbus_chat(pegasus_openlmi_admin_t) + ') @@ -71686,7 +71686,7 @@ index 608f454d8..a78b356aa 100644 +miscfiles_read_hwdata(pegasus_openlmi_storage_t) + +optional_policy(` -+ dmidecode_domtrans(pegasus_openlmi_storage_t) ++ dmidecode_domtrans(pegasus_openlmi_storage_t) +') + +optional_policy(` 
@@ -71717,7 +71717,7 @@ index 608f454d8..a78b356aa 100644 +') + +optional_policy(` -+ raid_domtrans_mdadm(pegasus_openlmi_storage_t) ++ raid_domtrans_mdadm(pegasus_openlmi_storage_t) + raid_filetrans_named_content(pegasus_openlmi_storage_t) + raid_manage_conf_files(pegasus_openlmi_storage_t) +') @@ -71736,7 +71736,7 @@ index 608f454d8..a78b356aa 100644 -# Local policy +# pegasus local policy # - + -allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service }; -dontaudit pegasus_t self:capability sys_tty_config; -allow pegasus_t self:process signal; @@ -71749,12 +71749,12 @@ index 608f454d8..a78b356aa 100644 +allow pegasus_t self:unix_dgram_socket create_socket_perms; +allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow pegasus_t self:tcp_socket create_stream_socket_perms; - + allow pegasus_t pegasus_conf_t:dir rw_dir_perms; -allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms }; +allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; - + manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) @@ -54,25 +370,26 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) 
@@ -71764,18 +71764,18 @@ index 608f454d8..a78b356aa 100644 +filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir }) + +can_exec(pegasus_t, pegasus_exec_t) - + allow pegasus_t pegasus_mof_t:dir list_dir_perms; -allow pegasus_t pegasus_mof_t:file read_file_perms; -allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms; +read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) +read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t) - + manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) -files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file }) +files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) - + +manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t) @@ -71784,7 +71784,7 @@ index 608f454d8..a78b356aa 100644 - -can_exec(pegasus_t, pegasus_exec_t) +files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir }) - + kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) +kernel_read_sysctl(pegasus_t) @@ -71794,7 +71794,7 @@ index 608f454d8..a78b356aa 100644 @@ -80,43 +397,42 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) - + -corenet_all_recvfrom_unlabeled(pegasus_t) corenet_all_recvfrom_netlabel(pegasus_t) corenet_tcp_sendrecv_generic_if(pegasus_t) 
@@ -71821,43 +71821,43 @@ index 608f454d8..a78b356aa 100644 +corenet_sendrecv_pegasus_http_server_packets(pegasus_t) +corenet_sendrecv_pegasus_https_client_packets(pegasus_t) +corenet_sendrecv_pegasus_https_server_packets(pegasus_t) - + corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) - + dev_rw_sysfs(pegasus_t) dev_read_urand(pegasus_t) +dev_rw_lvm_control(pegasus_t) - + fs_getattr_all_fs(pegasus_t) fs_search_auto_mountpoints(pegasus_t) +fs_mount_tracefs(pegasus_t) +fs_unmount_tracefs(pegasus_t) files_getattr_all_dirs(pegasus_t) - + auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) +auth_read_shadow(pegasus_t) - + domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) +domain_named_filetrans(pegasus_t) - + files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) @@ -128,18 +444,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) - + -miscfiles_read_localization(pegasus_t) +mount_domtrans(pegasus_t) + +sysnet_read_config(pegasus_t) +sysnet_domtrans_ifconfig(pegasus_t) - + userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_user_home_dirs(pegasus_t) - + optional_policy(` - dbus_system_bus_client(pegasus_t) - dbus_connect_system_bus(pegasus_t) @@ -71872,28 +71872,28 @@ index 608f454d8..a78b356aa 100644 + networkmanager_dbus_chat(pegasus_t) + ') +') - + - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') +optional_policy(` + rhcs_stream_connect_cluster(pegasus_t) ') - + optional_policy(` @@ -151,16 +478,28 @@ optional_policy(` ') - + optional_policy(` - rpm_exec(pegasus_t) + lvm_exec(pegasus_t) ') - + optional_policy(` - samba_manage_config(pegasus_t) + ricci_stream_connect_modclusterd(pegasus_t) ') - + optional_policy(` - seutil_sigchld_newrole(pegasus_t) - seutil_dontaudit_read_config(pegasus_t) 
@@ -71912,34 +71912,34 @@ index 608f454d8..a78b356aa 100644 +optional_policy(` + samba_manage_config(pegasus_t) ') - + optional_policy(` @@ -168,7 +507,7 @@ optional_policy(` ') - + optional_policy(` - sysnet_domtrans_ifconfig(pegasus_t) + seutil_sigchld_newrole(pegasus_t) ') - + optional_policy(` @@ -180,11 +519,16 @@ optional_policy(` ') - + optional_policy(` + virt_getattr_images(pegasus_t) - virt_domtrans(pegasus_t) - virt_stream_connect(pegasus_t) - virt_manage_config(pegasus_t) + virt_domtrans(pegasus_t) + virt_stream_connect(pegasus_t) + virt_manage_config(pegasus_t) ') - + +optional_policy(` + qemu_getattr_exec(pegasus_t) +') + optional_policy(` - xen_stream_connect(pegasus_t) - xen_stream_connect_xenstore(pegasus_t) + xen_stream_connect(pegasus_t) + xen_stream_connect_xenstore(pegasus_t) diff --git a/pesign.fc b/pesign.fc new file mode 100644 index 000000000..7b54c3926 @@ -72122,53 +72122,53 @@ index 21a6ecbe7..b99e4cb0b 100644 --- a/pingd.if +++ b/pingd.if @@ -55,7 +55,8 @@ interface(`pingd_manage_config',` - ') - - files_search_etc($1) + ') + + files_search_etc($1) - allow $1 pingd_etc_t:file manage_file_perms; + manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t) + manage_files_pattern($1, pingd_etc_t, pingd_etc_t) ') - + ####################################### @@ -81,9 +82,13 @@ interface(`pingd_admin',` - type pingd_initrc_exec_t; - ') - + type pingd_initrc_exec_t; + ') + - allow $1 pingd_t:process { ptrace signal_perms }; + allow $1 pingd_t:process signal_perms; - ps_process_pattern($1, pingd_t) - + ps_process_pattern($1, pingd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 pingd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, pingd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pingd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, pingd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pingd_initrc_exec_t system_r; 
diff --git a/pingd.te b/pingd.te index ab0106027..778c8eb12 100644 --- a/pingd.te +++ b/pingd.te @@ -10,7 +10,7 @@ type pingd_exec_t; init_daemon_domain(pingd_t, pingd_exec_t) - + type pingd_etc_t; -files_type(pingd_etc_t) +files_config_file(pingd_etc_t) - + type pingd_initrc_exec_t; init_script_file(pingd_initrc_exec_t) @@ -45,10 +45,10 @@ corenet_tcp_bind_generic_node(pingd_t) corenet_sendrecv_pingd_server_packets(pingd_t) corenet_tcp_bind_pingd_port(pingd_t) - + +dev_read_urand(pingd_t) + auth_use_nsswitch(pingd_t) - + files_search_usr(pingd_t) - + logging_send_syslog_msg(pingd_t) - -miscfiles_read_localization(pingd_t) @@ -72698,9 +72698,9 @@ index 9a72226e3..b2968942f 100644 --- a/pkcs.fc +++ b/pkcs.fc @@ -4,4 +4,8 @@ - + /var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0) - + +/var/log/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_log_t,s0) + +/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_lock_t,s0) @@ -72713,41 +72713,41 @@ index 69be2aaf2..2d7b3f656 100644 @@ -19,7 +19,7 @@ # interface(`pkcs_admin_slotd',` - gen_require(` + gen_require(` - type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t; + type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t, pkcs_slotd_lock_t; - type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t; - ') - + type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t; + ') + @@ -34,6 +34,9 @@ interface(`pkcs_admin_slotd',` - files_search_var_lib($1) - admin_pattern($1, pkcs_slotd_var_lib_t) - + files_search_var_lib($1) + admin_pattern($1, pkcs_slotd_var_lib_t) + + files_search_locks($1) + admin_pattern($1, pkcs_slotd_lock_t) + - files_search_pids($1) - admin_pattern($1, pkcs_slotd_var_run_t) - + files_search_pids($1) + admin_pattern($1, pkcs_slotd_var_run_t) + diff --git a/pkcs.te b/pkcs.te index 8eb3f7bc1..1b79ed454 100644 --- a/pkcs.te +++ b/pkcs.te 
@@ -7,21 +7,34 @@ policy_module(pkcs, 1.0.1) - + type pkcs_slotd_t; type pkcs_slotd_exec_t; +typealias pkcs_slotd_t alias pkcsslotd_t; +typealias pkcs_slotd_exec_t alias pkcsslotd_exec_t; init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t) - + type pkcs_slotd_initrc_exec_t; init_script_file(pkcs_slotd_initrc_exec_t) - + type pkcs_slotd_var_lib_t; +typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t; files_type(pkcs_slotd_var_lib_t) - + +type pkcs_slotd_lock_t; +typealias pkcs_slotd_lock_t alias pkcsslotd_lock_t; +files_lock_file(pkcs_slotd_lock_t) @@ -72758,20 +72758,20 @@ index 8eb3f7bc1..1b79ed454 100644 type pkcs_slotd_var_run_t; +typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t; files_pid_file(pkcs_slotd_var_run_t) - + type pkcs_slotd_tmp_t; +typealias pkcs_slotd_tmp_t alias pkcsslotd_tmp_t; files_tmp_file(pkcs_slotd_tmp_t) - + type pkcs_slotd_tmpfs_t; +typealias pkcs_slotd_tmpfs_t alias pkcsslotd_tmpfs_t; files_tmpfs_file(pkcs_slotd_tmpfs_t) - + ######################################## @@ -40,6 +53,14 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t) files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir) - + +manage_files_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t) +manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_lock_t, pkcs_slotd_lock_t) +files_lock_filetrans(pkcs_slotd_t, pkcs_slotd_lock_t, dir) @@ -72784,7 +72784,7 @@ index 8eb3f7bc1..1b79ed454 100644 manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) manage_sock_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t) @@ -51,10 +72,13 @@ files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir) - + manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) -fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir) 
@@ -72792,12 +72792,12 @@ index 8eb3f7bc1..1b79ed454 100644 +allow pkcs_slotd_t pkcs_slotd_tmpfs_t:file map; + +auth_use_nsswitch(pkcs_slotd_t) - + -files_read_etc_files(pkcs_slotd_t) +files_search_locks(pkcs_slotd_t) - + logging_send_syslog_msg(pkcs_slotd_t) - + -miscfiles_read_localization(pkcs_slotd_t) +userdom_read_all_users_state(pkcs_slotd_t) diff --git a/pki.fc b/pki.fc @@ -73690,23 +73690,23 @@ index 735500fd1..7f694728c 100644 @@ -1,15 +1,14 @@ -/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) - + -/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) +/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) - + -/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) +/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) - + -/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) +/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) - + -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) +/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) - + -/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) - + -/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) - -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) @@ -73718,7 +73718,7 @@ index 30e751f18..61feb3a81 100644 @@ -1,4 +1,4 @@ -## Plymouth graphical boot. +## Plymouth graphical boot - + ######################################## ## @@ -10,18 +10,17 @@ 
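Review bot: `userdom_read_all_users_state(pkcs_slotd_t)` gives the PKCS#11 slot daemon read access to the /proc state of every user domain, which is considerably broader than identifying the processes that connect to its socket; if that is the only need, a `ps_process_pattern` scoped to the client domains (or a dedicated `pkcs_*` interface in pkcs.if) would be the tighter form, or a comment should explain why the all-users form is required. The `allow pkcs_slotd_t pkcs_slotd_tmpfs_t:file map;` addition is the expected companion of the tmpfs manage rules already present. The `pkcs_slotd_t` policy block continues outside this hunk.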
@@ -73727,14 +73727,14 @@ index 30e751f18..61feb3a81 100644 # -interface(`plymouthd_domtrans',` +interface(`plymouthd_domtrans', ` - gen_require(` - type plymouthd_t, plymouthd_exec_t; - ') - + gen_require(` + type plymouthd_t, plymouthd_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) + domtrans_pattern($1, plymouthd_exec_t, plymouthd_t) ') - + ######################################## ## -## Execute plymouthd in the caller domain. @@ -73748,14 +73748,14 @@ index 30e751f18..61feb3a81 100644 # -interface(`plymouthd_exec',` +interface(`plymouthd_exec', ` - gen_require(` - type plymouthd_exec_t; - ') - + gen_require(` + type plymouthd_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, plymouthd_exec_t) + can_exec($1, plymouthd_exec_t) ') - + ######################################## ## -## Connect to plymouthd using a unix @@ -73771,16 +73771,16 @@ index 30e751f18..61feb3a81 100644 # -interface(`plymouthd_stream_connect',` +interface(`plymouthd_stream_connect', ` - gen_require(` + gen_require(` - type plymouthd_t, plymouthd_spool_t; + type plymouthd_t; - ') - + ') + - files_search_spool($1) - stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) + allow $1 plymouthd_t:unix_stream_socket connectto; ') - + ######################################## ## -## Execute plymouth in the caller domain. @@ -73794,14 +73794,14 @@ index 30e751f18..61feb3a81 100644 # -interface(`plymouthd_exec_plymouth',` +interface(`plymouthd_exec_plymouth', ` - gen_require(` - type plymouth_exec_t; - ') - + gen_require(` + type plymouth_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, plymouth_exec_t) + can_exec($1, plymouth_exec_t) ') - + ######################################## ## -## Execute a domain transition to run plymouth. 
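Review bot: The rewritten `plymouthd_stream_connect` grants only `allow $1 plymouthd_t:unix_stream_socket connectto;` and drops the `stream_connect_pattern` over `plymouthd_spool_t`, which is correct only when plymouthd listens on an abstract-namespace socket; a filesystem socket would additionally need `write` on its sock_file type, so a comment in the interface such as `# plymouthd uses an abstract unix socket, no sock_file access needed` would record the assumption for the next person who notices the spool pattern is gone. The domtrans/exec interfaces in the neighbouring hunks (@@ -73727, @@ -73748, @@ -73794, @@ -73815) also lose `corecmd_search_bin($1)`, which presumably relies on bin_t search being granted to all domains elsewhere in this policy.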
@@ -73815,29 +73815,29 @@ index 30e751f18..61feb3a81 100644 # -interface(`plymouthd_domtrans_plymouth',` +interface(`plymouthd_domtrans_plymouth', ` - gen_require(` - type plymouth_t, plymouth_exec_t; - ') - + gen_require(` + type plymouth_t, plymouth_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, plymouth_exec_t, plymouth_t) + domtrans_pattern($1, plymouth_exec_t, plymouth_t) ') - + @@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',` ## ## # -interface(`plymouthd_search_spool',` +interface(`plymouthd_search_spool', ` - gen_require(` - type plymouthd_spool_t; - ') - + gen_require(` + type plymouthd_spool_t; + ') + - files_search_spool($1) - allow $1 plymouthd_spool_t:dir search_dir_perms; + allow $1 plymouthd_spool_t:dir search_dir_perms; + files_search_spool($1) ') - + ######################################## @@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',` ## @@ -73845,24 +73845,24 @@ index 30e751f18..61feb3a81 100644 # -interface(`plymouthd_manage_spool_files',` +interface(`plymouthd_manage_spool_files', ` - gen_require(` - type plymouthd_spool_t; - ') + gen_require(` + type plymouthd_spool_t; + ') @@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',` ## ## # -interface(`plymouthd_search_lib',` +interface(`plymouthd_search_lib', ` - gen_require(` - type plymouthd_var_lib_t; - ') - + gen_require(` + type plymouthd_var_lib_t; + ') + - files_search_var_lib($1) - allow $1 plymouthd_var_lib_t:dir search_dir_perms; + allow $1 plymouthd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) ') - + ######################################## @@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',` ## @@ -73870,20 +73870,20 @@ index 30e751f18..61feb3a81 100644 # -interface(`plymouthd_read_lib_files',` +interface(`plymouthd_read_lib_files', ` - gen_require(` - type plymouthd_var_lib_t; - ') + gen_require(` + type plymouthd_var_lib_t; + ') 
@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',` ## ## # -interface(`plymouthd_manage_lib_files',` +interface(`plymouthd_manage_lib_files', ` - gen_require(` - type plymouthd_var_lib_t; - ') + gen_require(` + type plymouthd_var_lib_t; + ') @@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',` - + ######################################## ## -## Read plymouthd pid files. @@ -73897,11 +73897,11 @@ index 30e751f18..61feb3a81 100644 # -interface(`plymouthd_read_pid_files',` +interface(`plymouthd_read_pid_files', ` - gen_require(` - type plymouthd_var_run_t; - ') + gen_require(` + type plymouthd_var_run_t; + ') @@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',` - + ######################################## ## -## All of the rules required to @@ -73984,7 +73984,7 @@ index 30e751f18..61feb3a81 100644 + gen_require(` + type plymouthd_var_log_t; + ') -+ ++ + logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log") +') + @@ -74000,11 +74000,11 @@ index 30e751f18..61feb3a81 100644 +## +# +interface(`plymouthd_admin', ` - gen_require(` - type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; - type plymouthd_var_run_t; - ') - + gen_require(` + type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; + type plymouthd_var_run_t; + ') + - allow $1 plymouthd_t:process { ptrace signal_perms }; - read_files_pattern($1, plymouthd_t, plymouthd_t) + allow $1 plymouthd_t:process signal_perms; @@ -74012,17 +74012,17 @@ index 30e751f18..61feb3a81 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 plymouthd_t:process ptrace; + ') - + - files_search_spool($1) + files_list_var_lib($1) - admin_pattern($1, plymouthd_spool_t) - + admin_pattern($1, plymouthd_spool_t) + - files_search_var_lib($1) - admin_pattern($1, plymouthd_var_lib_t) - + admin_pattern($1, plymouthd_var_lib_t) + - files_search_pids($1) + files_list_pids($1) - admin_pattern($1, plymouthd_var_run_t) + admin_pattern($1, plymouthd_var_run_t) ') 
diff --git a/plymouthd.te b/plymouthd.te index 3078ce905..39e5a88ee 100644 @@ -74030,21 +74030,21 @@ index 3078ce905..39e5a88ee 100644 +++ b/plymouthd.te @@ -15,7 +15,7 @@ type plymouthd_exec_t; init_daemon_domain(plymouthd_t, plymouthd_exec_t) - + type plymouthd_spool_t; -files_type(plymouthd_spool_t) +files_spool_file(plymouthd_spool_t) - + type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) @@ -28,13 +28,14 @@ files_pid_file(plymouthd_var_run_t) - + ######################################## # -# Daemon local policy +# Plymouthd private policy # - + allow plymouthd_t self:capability { sys_admin sys_tty_config }; -dontaudit plymouthd_t self:capability dac_override; allow plymouthd_t self:capability2 block_suspend; @@ -74053,28 +74053,28 @@ index 3078ce905..39e5a88ee 100644 +allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms; allow plymouthd_t self:fifo_file rw_fifo_file_perms; allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; - + @@ -48,9 +49,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) - + manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) -append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) -create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) -setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) +manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) - + manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) 
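Review bot: In `plymouthd_admin`, `files_list_var_lib($1)` now precedes `admin_pattern($1, plymouthd_spool_t)` while the `files_search_spool($1)` that used to precede it is removed, so the interface no longer grants search on /var/spool and an admin role reaches `plymouthd_spool_t` objects only if `var_spool_t` search comes from somewhere else; presumably the intended layout is `files_list_spool($1)` before the spool pattern and `files_list_var_lib($1)` moved down before `admin_pattern($1, plymouthd_var_lib_t)`. Gating `ptrace` behind the `deny_ptrace` tunable in the same hunk is the right direction. `plymouthd_admin` begins in the preceding @@ -74000 hunk.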
@@ -65,24 +64,33 @@ dev_rw_dri(plymouthd_t) dev_read_sysfs(plymouthd_t) dev_read_framebuffer(plymouthd_t) dev_write_framebuffer(plymouthd_t) +dev_map_framebuffer(plymouthd_t) - + domain_use_interactive_fds(plymouthd_t) - + fs_getattr_all_fs(plymouthd_t) - + -files_read_etc_files(plymouthd_t) -files_read_usr_files(plymouthd_t) - @@ -74089,11 +74089,11 @@ index 3078ce905..39e5a88ee 100644 +logging_delete_generic_logs(plymouthd_t) + +auth_use_nsswitch(plymouthd_t) - + -miscfiles_read_localization(plymouthd_t) miscfiles_read_fonts(plymouthd_t) miscfiles_manage_fonts_cache(plymouthd_t) - + +userdom_read_admin_home_files(plymouthd_t) + +term_use_unallocated_ttys(plymouthd_t) @@ -74102,11 +74102,11 @@ index 3078ce905..39e5a88ee 100644 - gnome_read_generic_home_content(plymouthd_t) + gnome_read_config(plymouthd_t) ') - + optional_policy(` @@ -90,35 +98,37 @@ optional_policy(` ') - + optional_policy(` - xserver_manage_xdm_spool_files(plymouthd_t) - xserver_read_xdm_state(plymouthd_t) 
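Review bot: `logging_delete_generic_logs(plymouthd_t)` lets the boot-splash daemon unlink any `var_log_t` file, not just the `plymouthd_var_log_t` boot.log it already fully manages via the `manage_files_pattern` in the preceding hunk; if the purpose is clearing a stale or mislabeled boot.log, a rule scoped to `plymouthd_var_log_t` (together with the `logging_log_named_filetrans` for "boot.log" added in plymouthd.if) would be narrower. `userdom_read_admin_home_files(plymouthd_t)` is similarly broad for a domain that holds `sys_admin`; a one-line comment naming what under /root it needs would let a later reviewer judge whether a narrower interface fits. The `plymouthd_t` policy block continues outside this hunk.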
@@ -74117,40 +74117,40 @@ index 3078ce905..39e5a88ee 100644 + xserver_xdm_manage_spool(plymouthd_t) + xserver_read_state_xdm(plymouthd_t) ') - + ######################################## # -# Client local policy +# Plymouth private policy # - + allow plymouth_t self:process signal; -allow plymouth_t self:fifo_file rw_fifo_file_perms; +allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; - + -stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t) - kernel_read_system_state(plymouth_t) kernel_stream_connect(plymouth_t) - + domain_use_interactive_fds(plymouth_t) - + -files_read_etc_files(plymouth_t) - + term_use_ptmx(plymouth_t) - + -miscfiles_read_localization(plymouth_t) - + sysnet_read_config(plymouth_t) - + -ifdef(`hide_broken_symptoms',` +plymouthd_stream_connect(plymouth_t) + +ifdef(`hide_broken_symptoms', ` - optional_policy(` - hal_dontaudit_write_log(plymouth_t) - hal_dontaudit_rw_pipes(plymouth_t) + optional_policy(` + hal_dontaudit_write_log(plymouth_t) + hal_dontaudit_rw_pipes(plymouth_t) diff --git a/podsleuth.te b/podsleuth.te index 9123f7152..232e28a75 100644 --- a/podsleuth.te @@ -74158,7 +74158,7 @@ index 9123f7152..232e28a75 100644 @@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t) # Local policy # - + -allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; +allow podsleuth_t self:capability { kill dac_read_search dac_override sys_admin sys_rawio }; @@ -74168,28 +74168,28 @@ index 9123f7152..232e28a75 100644 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:sem create_sem_perms; @@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t) - + dev_read_urand(podsleuth_t) - + -files_read_etc_files(podsleuth_t) - + fs_mount_dos_fs(podsleuth_t) fs_unmount_dos_fs(podsleuth_t) 
@@ -76,13 +76,11 @@ fs_getattr_tmpfs(podsleuth_t) fs_list_tmpfs(podsleuth_t) fs_rw_removable_blk_files(podsleuth_t) - + -miscfiles_read_localization(podsleuth_t) - sysnet_dns_name_resolve(podsleuth_t) - + userdom_signal_unpriv_users(podsleuth_t) userdom_signull_unpriv_users(podsleuth_t) -userdom_read_user_tmpfs_files(podsleuth_t) +userdom_read_user_tmp_files(podsleuth_t) - + optional_policy(` - dbus_system_bus_client(podsleuth_t) + dbus_system_bus_client(podsleuth_t) diff --git a/policykit.fc b/policykit.fc index 1d76c7288..93d09d92f 100644 --- a/policykit.fc @@ -74210,7 +74210,7 @@ index 1d76c7288..93d09d92f 100644 +/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) +/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) +/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0) - + /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0) -/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0) @@ -74223,7 +74223,7 @@ index 1d76c7288..93d09d92f 100644 +/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/kde4/polkit-kde-authentication-agent-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0) +/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0) - + -/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0) -/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) -/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) 
@@ -74233,20 +74233,20 @@ index 1d76c7288..93d09d92f 100644 +/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0) +/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) - + -/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0) diff --git a/policykit.if b/policykit.if index 032a84d1c..be00a65f1 100644 --- a/policykit.if +++ b/policykit.if @@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',` - class dbus send_msg; - ') - + class dbus send_msg; + ') + + ps_process_pattern(policykit_t, $1) + - allow $1 policykit_t:dbus send_msg; - allow policykit_t $1:dbus send_msg; + allow $1 policykit_t:dbus send_msg; + allow policykit_t $1:dbus send_msg; ') @@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',` ######################################## @@ -74258,13 +74258,13 @@ index 032a84d1c..be00a65f1 100644 ## ## @@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',` - class dbus send_msg; - ') - + class dbus send_msg; + ') + + ps_process_pattern(policykit_auth_t, $1) + - allow $1 policykit_auth_t:dbus send_msg; - allow policykit_auth_t $1:dbus send_msg; + allow $1 policykit_auth_t:dbus send_msg; + allow policykit_auth_t $1:dbus send_msg; ') @@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',` ## Execute a domain transition to run polkit_auth. @@ -74279,13 +74279,13 @@ index 032a84d1c..be00a65f1 100644 # interface(`policykit_domtrans_auth',` @@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',` - type policykit_auth_t, policykit_auth_exec_t; - ') - + type policykit_auth_t, policykit_auth_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) + domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t) ') - + ######################################## ## -## Execute a policy_auth in the policy 
@@ -74303,19 +74303,19 @@ index 032a84d1c..be00a65f1 100644 +## # interface(`policykit_run_auth',` - gen_require(` + gen_require(` - attribute_role policykit_auth_roles; + type policykit_auth_t; - ') - - policykit_domtrans_auth($1) + ') + + policykit_domtrans_auth($1) - roleattribute $2 policykit_auth_roles; + role $2 types policykit_auth_t; + + allow $1 policykit_auth_t:process signal; + ps_process_pattern(policykit_auth_t, $1) ') - + ######################################## ## -## Execute a domain transition to run polkit grant. @@ -74331,13 +74331,13 @@ index 032a84d1c..be00a65f1 100644 # interface(`policykit_domtrans_grant',` @@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',` - type policykit_grant_t, policykit_grant_exec_t; - ') - + type policykit_grant_t, policykit_grant_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) + domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t) ') - + ######################################## ## -## Execute a policy_grant in the policy @@ -74351,12 +74351,12 @@ index 032a84d1c..be00a65f1 100644 @@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',` # interface(`policykit_run_grant',` - gen_require(` + gen_require(` - attribute_role policykit_grant_roles; + type policykit_grant_t; - ') - - policykit_domtrans_grant($1) + ') + + policykit_domtrans_grant($1) - roleattribute $2 policykit_grant_roles; + role $2 types policykit_grant_t; + @@ -74364,7 +74364,7 @@ index 032a84d1c..be00a65f1 100644 + + ps_process_pattern(policykit_grant_t, $1) ') - + ######################################## ## -## Read policykit reload files. @@ -74373,7 +74373,7 @@ index 032a84d1c..be00a65f1 100644 ## ## @@ -154,7 +162,7 @@ interface(`policykit_read_reload',` - + ######################################## ## -## Read and write policykit reload files. @@ -74382,7 +74382,7 @@ index 032a84d1c..be00a65f1 100644 ## ## 
@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',` - + ######################################## ## -## Execute a domain transition to run polkit resolve. @@ -74398,25 +74398,25 @@ index 032a84d1c..be00a65f1 100644 # interface(`policykit_domtrans_resolve',` @@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',` - type policykit_resolve_t, policykit_resolve_exec_t; - ') - + type policykit_resolve_t, policykit_resolve_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) + domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t) + + ps_process_pattern(policykit_resolve_t, $1) ') - + ######################################## @@ -205,13 +214,13 @@ interface(`policykit_search_lib',` - type policykit_var_lib_t; - ') - + type policykit_var_lib_t; + ') + - files_search_var_lib($1) - allow $1 policykit_var_lib_t:dir search_dir_perms; + allow $1 policykit_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) ') - + ######################################## ## -## Read policykit lib files. @@ -74425,9 +74425,9 @@ index 032a84d1c..be00a65f1 100644 ## ## @@ -226,4 +235,50 @@ interface(`policykit_read_lib',` - - files_search_var_lib($1) - read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) + + files_search_var_lib($1) + read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t) + + optional_policy(` + # Broken placement @@ -74480,9 +74480,9 @@ index ee91778f7..5e92592f0 100644 --- a/policykit.te +++ b/policykit.te @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) - + attribute policykit_domain; - + -attribute_role policykit_auth_roles; -attribute_role policykit_grant_roles; - 
@@ -74494,31 +74494,31 @@ index ee91778f7..5e92592f0 100644 type policykit_auth_exec_t; init_daemon_domain(policykit_auth_t, policykit_auth_exec_t) -role policykit_auth_roles types policykit_auth_t; - + type policykit_grant_t, policykit_domain; type policykit_grant_exec_t; init_system_domain(policykit_grant_t, policykit_grant_exec_t) -role policykit_grant_roles types policykit_grant_t; - + type policykit_resolve_t, policykit_domain; type policykit_resolve_exec_t; @@ -42,63 +37,74 @@ files_pid_file(policykit_var_run_t) - + ####################################### # -# Common policykit domain local policy +# policykit_domain local policy # - + allow policykit_domain self:process { execmem getattr }; allow policykit_domain self:fifo_file rw_fifo_file_perms; - + -kernel_search_proc(policykit_domain) - -corecmd_exec_bin(policykit_domain) - dev_read_sysfs(policykit_domain) - + -files_read_usr_files(policykit_domain) - -logging_send_syslog_msg(policykit_domain) @@ -74530,7 +74530,7 @@ index ee91778f7..5e92592f0 100644 -# Local policy +# policykit local policy # - + allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; allow policykit_t self:process { getsched setsched signal }; -allow policykit_t self:unix_stream_socket { accept connectto listen }; @@ -74546,17 +74546,17 @@ index ee91778f7..5e92592f0 100644 +corecmd_exec_bin(policykit_t) + +dev_read_sysfs(policykit_t) - + rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) - + +policykit_domtrans_resolve(policykit_t) + manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t) - + manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) - + -can_exec(policykit_t, policykit_exec_t) - -domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t) 
@@ -74565,17 +74565,17 @@ index ee91778f7..5e92592f0 100644 -kernel_read_kernel_sysctls(policykit_t) kernel_read_system_state(policykit_t) +kernel_read_kernel_sysctls(policykit_t) - + domain_read_all_domains_state(policykit_t) - + files_dontaudit_search_all_mountpoints(policykit_t) - + +fs_getattr_all_fs(policykit_t) fs_list_inotifyfs(policykit_t) +fs_list_cgroup_dirs(policykit_t) - + auth_use_nsswitch(policykit_t) - + +init_list_pid_dirs(policykit_t) + +logging_send_syslog_msg(policykit_t) @@ -74585,31 +74585,31 @@ index ee91778f7..5e92592f0 100644 userdom_getattr_all_users(policykit_t) userdom_read_all_users_state(policykit_t) +userdom_dontaudit_search_admin_dir(policykit_t) - + optional_policy(` - dbus_system_domain(policykit_t, policykit_exec_t) - + dbus_system_domain(policykit_t, policykit_exec_t) + + init_dbus_chat(policykit_t) + + sysnet_dbus_chat_dhcpc(policykit_t) + - optional_policy(` - consolekit_dbus_chat(policykit_t) - ') + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') @@ -109,29 +115,43 @@ optional_policy(` ') - + optional_policy(` + consolekit_list_pid_files(policykit_t) - consolekit_read_pid_files(policykit_t) + consolekit_read_pid_files(policykit_t) ') - + optional_policy(` - gnome_read_generic_home_content(policykit_t) + kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0") + kerberos_manage_host_rcache(policykit_t) ') - + optional_policy(` - kerberos_manage_host_rcache(policykit_t) - kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0") 
@@ -74621,20 +74621,20 @@ index ee91778f7..5e92592f0 100644 + systemd_login_list_pid_dirs(policykit_t) + systemd_login_read_pid_files(policykit_t) ') - + ######################################## # -# Auth local policy +# polkit_auth local policy # - + -allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice }; +allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid }; dontaudit policykit_auth_t self:capability sys_tty_config; -allow policykit_auth_t self:process { getsched setsched signal }; -allow policykit_auth_t self:unix_stream_socket { accept listen }; +allow policykit_auth_t self:process { setsched getsched signal }; - + -ps_process_pattern(policykit_auth_t, policykit_domain) +allow policykit_auth_t self:unix_dgram_socket create_socket_perms; +allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms; @@ -74645,53 +74645,53 @@ index ee91778f7..5e92592f0 100644 + +can_exec(policykit_auth_t, policykit_auth_exec_t) +corecmd_exec_bin(policykit_auth_t) - + rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) - + 
@@ -145,65 +165,80 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) - + -can_exec(policykit_auth_t, policykit_auth_exec_t) - -kernel_read_system_state(policykit_auth_t) kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) - + dev_read_video_dev(policykit_auth_t) - + files_read_etc_runtime_files(policykit_auth_t) files_search_home(policykit_auth_t) +files_dontaudit_access_check_home_dir(policykit_auth_t) - + fs_getattr_all_fs(policykit_auth_t) fs_search_tmpfs(policykit_auth_t) +fs_dontaudit_append_ecryptfs_files(policykit_auth_t) - + auth_rw_var_auth(policykit_auth_t) auth_use_nsswitch(policykit_auth_t) auth_domtrans_chk_passwd(policykit_auth_t) - + +logging_send_syslog_msg(policykit_auth_t) + miscfiles_read_fonts(policykit_auth_t) miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) - + userdom_dontaudit_read_user_home_content_files(policykit_auth_t) +userdom_dontaudit_write_user_tmp_files(policykit_auth_t) +userdom_dontaudit_access_check_user_content(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) - + optional_policy(` - dbus_system_domain(policykit_auth_t, policykit_auth_exec_t) - dbus_all_session_bus_client(policykit_auth_t) + dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) + dbus_session_bus_client(policykit_auth_t) - - optional_policy(` - consolekit_dbus_chat(policykit_auth_t) - ') + + optional_policy(` + consolekit_dbus_chat(policykit_auth_t) + ') +') - + - optional_policy(` - policykit_dbus_chat(policykit_auth_t) - ') 
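Review bot: `dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)` has a stray space after the opening parenthesis; m4 discards leading whitespace in an unquoted argument so the macro still expands, but no other call in the patch is written this way and it reads as a typo — `dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)`. `userdom_read_admin_home_files(policykit_auth_t)` gives the authentication agent read access to root's home content on top of the `setuid`/`setgid` capabilities granted in the preceding hunk; a comment naming the file it needs would justify it or point to a narrower interface. Replacing `dbus_all_session_bus_client` with `dbus_session_bus_client` presumably narrows session-bus reach, which is the right direction.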
@@ -74699,38 +74699,38 @@ index ee91778f7..5e92592f0 100644 + gnome_read_config(policykit_auth_t) + gnome_access_check_usr_config(policykit_auth_t) ') - + optional_policy(` + kernel_search_proc(policykit_auth_t) - hal_read_state(policykit_auth_t) + hal_read_state(policykit_auth_t) ') - + optional_policy(` - kerberos_manage_host_rcache(policykit_auth_t) - kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0") + kerberos_manage_host_rcache(policykit_auth_t) ') - + optional_policy(` - xserver_stream_connect(policykit_auth_t) + xserver_stream_connect(policykit_auth_t) + xserver_xdm_append_log(policykit_auth_t) - xserver_read_xdm_pid(policykit_auth_t) + xserver_read_xdm_pid(policykit_auth_t) + xserver_search_xdm_lib(policykit_auth_t) + xserver_create_xdm_tmp_sockets(policykit_auth_t) ') - + ######################################## # -# Grant local policy +# polkit_grant local policy # - + allow policykit_grant_t self:capability setuid; + allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; - + -ps_process_pattern(policykit_grant_t, policykit_domain) +policykit_domtrans_auth(policykit_grant_t) + @@ -74738,77 +74738,77 @@ index ee91778f7..5e92592f0 100644 + +can_exec(policykit_grant_t, policykit_grant_exec_t) +corecmd_search_bin(policykit_grant_t) - + rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) - + 
@@ -211,23 +246,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t - + manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) - + -can_exec(policykit_grant_t, policykit_grant_exec_t) - -domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t) -domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t) - + auth_domtrans_chk_passwd(policykit_grant_t) auth_use_nsswitch(policykit_grant_t) - + +logging_send_syslog_msg(policykit_grant_t) + userdom_read_all_users_state(policykit_grant_t) - + optional_policy(` - cron_manage_system_job_lib_files(policykit_grant_t) + cron_manage_system_job_lib_files(policykit_grant_t) ') - + -optional_policy(` + optional_policy(` - dbus_system_bus_client(policykit_grant_t) + dbus_system_bus_client(policykit_grant_t) - - optional_policy(` - consolekit_dbus_chat(policykit_grant_t) - ') + optional_policy(` + consolekit_dbus_chat(policykit_grant_t) + ') 
@@ -235,26 +267,28 @@ optional_policy(` - + ######################################## # -# Resolve local policy +# polkit_resolve local policy # - + allow policykit_resolve_t self:capability { setuid sys_nice }; -allow policykit_resolve_t self:unix_stream_socket { accept listen }; - + -ps_process_pattern(policykit_resolve_t, policykit_domain) +allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; +allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; + +policykit_domtrans_auth(policykit_resolve_t) - + read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t) - + read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t) - + can_exec(policykit_resolve_t, policykit_resolve_exec_t) +corecmd_search_bin(policykit_resolve_t) - + -domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) - -mcs_ptrace_all(policykit_resolve_t) - + auth_use_nsswitch(policykit_resolve_t) - + +logging_send_syslog_msg(policykit_resolve_t) + userdom_read_all_users_state(policykit_resolve_t) - + optional_policy(` @@ -266,6 +300,6 @@ optional_policy(` ') - + optional_policy(` + kernel_search_proc(policykit_resolve_t) - hal_read_state(policykit_resolve_t) + hal_read_state(policykit_resolve_t) ') - diff --git a/polipo.fc b/polipo.fc 
@@ -74819,20 +74819,20 @@ index d35614b78..11f77ee32 100644 -HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0) HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0) HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0) - + -/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0) +/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0) - + /etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0) - + +/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0) + /usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0) - + /var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0) - + /var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0) - + -/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0) +/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0) diff --git a/polipo.if b/polipo.if @@ -74842,7 +74842,7 @@ index ae27bb7fe..10a778780 100644 @@ -1,8 +1,8 @@ -## Lightweight forwarding and caching proxy server. +## Caching web proxy. - + ######################################## ## -## Role access for Polipo session. @@ -74860,17 +74860,17 @@ index ae27bb7fe..10a778780 100644 ## # template(`polipo_role',` - gen_require(` + gen_require(` - type polipo_session_t, polipo_exec_t, polipo_config_home_t; - type polipo_cache_home_t; + type polipo_session_t, polipo_exec_t; - ') - - ######################################## + ') + + ######################################## @@ -33,15 +32,11 @@ template(`polipo_role',` - # Policy - # - + # Policy + # + - allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms }; - 
@@ -74880,15 +74880,15 @@ index ae27bb7fe..10a778780 100644 - - allow $2 polipo_session_t:process { ptrace signal_perms }; + allow $2 polipo_session_t:process signal_perms; - ps_process_pattern($2, polipo_session_t) + ps_process_pattern($2, polipo_session_t) + tunable_policy(`deny_ptrace',`',` + allow $2 polipo_session_t:process ptrace; + ') - - tunable_policy(`polipo_session_users',` - domtrans_pattern($2, polipo_exec_t, polipo_session_t) + + tunable_policy(`polipo_session_users',` + domtrans_pattern($2, polipo_exec_t, polipo_session_t) @@ -52,57 +47,130 @@ template(`polipo_role',` - + ######################################## ## -## Execute Polipo in the Polipo @@ -74906,11 +74906,11 @@ index ae27bb7fe..10a778780 100644 # -interface(`polipo_initrc_domtrans',` +interface(`polipo_named_filetrans_config_home_files',` - gen_require(` + gen_require(` - type polipo_initrc_exec_t; + type polipo_config_home_t; - ') - + ') + - init_labeled_script_domtrans($1, polipo_initrc_exec_t) + userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo") +') @@ -74934,7 +74934,7 @@ index ae27bb7fe..10a778780 100644 + + userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache") ') - + ######################################## ## -## Create specified objects in generic @@ -74995,10 +74995,10 @@ index ae27bb7fe..10a778780 100644 # -interface(`polipo_log_filetrans_log',` +interface(`polipo_named_filetrans_log_files',` - gen_require(` - type polipo_log_t; - ') - + gen_require(` + type polipo_log_t; + ') + - logging_log_filetrans($1, polipo_log_t, $2, $3) + logging_log_named_filetrans($1, polipo_log_t, file, "polipo") +') @@ -75026,7 +75026,7 @@ index ae27bb7fe..10a778780 100644 + + ps_process_pattern($1, polipo_t) ') - + ######################################## ## -## All of the rules required to @@ -75038,14 +75038,14 @@ index ae27bb7fe..10a778780 100644 
@@ -118,27 +186,35 @@ interface(`polipo_log_filetrans_log',` # interface(`polipo_admin',` - gen_require(` + gen_require(` - type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t; - type polipo_conf_t, polipo_log_t, polipo_var_run_t; + type polipo_t, polipo_pid_t, polipo_cache_t; + type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t; + type polipo_unit_file_t; - ') - + ') + - allow $1 polipo_system_t:process { ptrace signal_perms }; - ps_process_pattern($1, polipo_system_t) + allow $1 polipo_t:process signal_perms; @@ -75053,13 +75053,13 @@ index ae27bb7fe..10a778780 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 polipo_t:process ptrace; + ') - + - polipo_initrc_domtrans($1) + init_labeled_script_domtrans($1, polipo_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 polipo_initrc_exec_t system_r; - allow $2 system_r; - + domain_system_change_exemption($1) + role_transition $2 polipo_initrc_exec_t system_r; + allow $2 system_r; + - files_search_var($1) - admin_pattern($1, polipo_cache_t) - @@ -75067,11 +75067,11 @@ index ae27bb7fe..10a778780 100644 - admin_pattern($1, polipo_conf_t) + files_list_etc($1) + admin_pattern($1, polipo_etc_t) - + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, polipo_log_t) - + admin_pattern($1, polipo_log_t) + - files_search_pids($1) - admin_pattern($1, polipo_var_run_t) + files_list_var($1) @@ -75089,7 +75089,7 @@ index 9764bfef8..8870de713 100644 --- a/polipo.te +++ b/polipo.te @@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1) - + ## ##

    -## Determine whether Polipo system @@ -75100,7 +75100,7 @@ index 9764bfef8..8870de713 100644 ## -gen_tunable(polipo_system_use_cifs, false) +gen_tunable(polipo_use_cifs, false) - + ## ##

    -## Determine whether Polipo system @@ -75119,12 +75119,12 @@ index 9764bfef8..8870de713 100644 +##

    +##
    +gen_tunable(polipo_session_bind_all_unreserved_ports, false) - + ## ##

    @@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false) gen_tunable(polipo_session_users, false) - + ## -##

    -## Determine whether Polipo session daemon @@ -75136,34 +75136,34 @@ index 9764bfef8..8870de713 100644 ## -gen_tunable(polipo_session_send_syslog_msg, false) +gen_tunable(polipo_connect_all_unreserved, false) - + attribute polipo_daemon; - + -type polipo_system_t, polipo_daemon; +type polipo_t, polipo_daemon; type polipo_exec_t; -init_daemon_domain(polipo_system_t, polipo_exec_t) +init_daemon_domain(polipo_t, polipo_exec_t) - + type polipo_initrc_exec_t; init_script_file(polipo_initrc_exec_t) - + -type polipo_conf_t; -files_config_file(polipo_conf_t) +type polipo_etc_t; +files_config_file(polipo_etc_t) - + type polipo_cache_t; files_type(polipo_cache_t) @@ -56,116 +63,104 @@ files_type(polipo_cache_t) type polipo_log_t; logging_log_file(polipo_log_t) - + -type polipo_var_run_t; -files_pid_file(polipo_var_run_t) +type polipo_pid_t; +files_pid_file(polipo_pid_t) - + type polipo_session_t, polipo_daemon; -userdom_user_application_domain(polipo_session_t, polipo_exec_t) +application_domain(polipo_session_t, polipo_exec_t) @@ -75171,21 +75171,21 @@ index 9764bfef8..8870de713 100644 + +type polipo_config_home_t; +userdom_user_home_content(polipo_config_home_t) - + type polipo_cache_home_t; userdom_user_home_content(polipo_cache_home_t) - + -type polipo_config_home_t; -userdom_user_home_content(polipo_config_home_t) +type polipo_unit_file_t; +systemd_unit_file(polipo_unit_file_t) - + ######################################## # -# Session local policy +# Global local policy # - + -allow polipo_session_t polipo_config_home_t:file read_file_perms; - -manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) @@ -75197,7 +75197,7 @@ index 9764bfef8..8870de713 100644 -userdom_use_user_terminals(polipo_session_t) +allow polipo_daemon self:fifo_file rw_fifo_file_perms; +allow polipo_daemon self:tcp_socket { listen accept }; - + -tunable_policy(`polipo_session_send_syslog_msg',` - logging_send_syslog_msg(polipo_session_t) -') 
@@ -75211,54 +75211,54 @@ index 9764bfef8..8870de713 100644 +corenet_tcp_connect_http_cache_port(polipo_daemon) +corenet_tcp_connect_tor_port(polipo_daemon) +corenet_tcp_connect_flash_port(polipo_daemon) - + -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(polipo_session_t) -',` - fs_dontaudit_read_nfs_files(polipo_session_t) -') +fs_search_auto_mountpoints(polipo_daemon) - + -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(polipo_session_t) -',` - fs_dontaudit_read_cifs_files(polipo_session_t) -') - + ######################################## # -# System local policy +# Polipo local policy # - + -read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t) +read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t) - + -manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) -manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t) -files_var_filetrans(polipo_system_t, polipo_cache_t, dir) +manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t) +manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t) +files_var_filetrans(polipo_t, polipo_cache_t, dir) - + -append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) -create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) -setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t) -logging_log_filetrans(polipo_system_t, polipo_log_t, file) +manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t) +logging_log_filetrans(polipo_t, polipo_log_t, file) - + -manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t) -files_pid_filetrans(polipo_system_t, polipo_var_run_t, file) +manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t) +files_pid_filetrans(polipo_t, polipo_pid_t, file) - + -auth_use_nsswitch(polipo_system_t) +auth_use_nsswitch(polipo_t) - + -logging_send_syslog_msg(polipo_system_t) +logging_send_syslog_msg(polipo_t) - + optional_policy(` - cron_system_entry(polipo_system_t, polipo_exec_t) + 
cron_system_entry(polipo_t, polipo_exec_t) @@ -75267,7 +75267,7 @@ index 9764bfef8..8870de713 100644 +tunable_policy(`polipo_connect_all_unreserved',` + corenet_tcp_connect_all_unreserved_ports(polipo_t) ') - + -tunable_policy(`polipo_system_use_cifs',` - fs_manage_cifs_files(polipo_system_t) -',` @@ -75275,7 +75275,7 @@ index 9764bfef8..8870de713 100644 +tunable_policy(`polipo_use_cifs',` + fs_manage_cifs_files(polipo_t) ') - + -tunable_policy(`polipo_system_use_nfs',` - fs_manage_nfs_files(polipo_system_t) -',` @@ -75283,13 +75283,13 @@ index 9764bfef8..8870de713 100644 +tunable_policy(`polipo_use_nfs',` + fs_manage_nfs_files(polipo_t) ') - + ######################################## # -# Polipo global local policy +# Polipo session local policy # - + -allow polipo_daemon self:fifo_file rw_fifo_file_perms; -allow polipo_daemon self:tcp_socket { listen accept }; - @@ -75300,25 +75300,25 @@ index 9764bfef8..8870de713 100644 -corenet_tcp_bind_generic_node(polipo_daemon) +read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t) +manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t) - + -corenet_sendrecv_http_client_packets(polipo_daemon) -corenet_tcp_sendrecv_http_port(polipo_daemon) -corenet_tcp_connect_http_port(polipo_daemon) +auth_use_nsswitch(polipo_session_t) - + -corenet_sendrecv_http_cache_server_packets(polipo_daemon) -corenet_tcp_sendrecv_http_cache_port(polipo_daemon) -corenet_tcp_bind_http_cache_port(polipo_daemon) +userdom_use_user_terminals(polipo_session_t) - + corenet_sendrecv_tor_client_packets(polipo_daemon) corenet_tcp_sendrecv_tor_port(polipo_daemon) corenet_tcp_connect_tor_port(polipo_daemon) +corenet_tcp_connect_all_ephemeral_ports(polipo_daemon) - + -files_read_usr_files(polipo_daemon) +logging_send_syslog_msg(polipo_session_t) - + -fs_search_auto_mountpoints(polipo_daemon) +userdom_home_manager(polipo_session_t) + 
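Review bot: `corenet_tcp_connect_all_ephemeral_ports(polipo_daemon)` is added unconditionally in the section now headed "Polipo session local policy", but the attribute covers polipo_t as well as polipo_session_t, so the system daemon also gets outbound TCP to the whole ephemeral range regardless of the new `polipo_connect_all_unreserved` boolean (default false) that gates `corenet_tcp_connect_all_unreserved_ports(polipo_t)` in the hunk just above. If the grant is meant only for the session domain, the line should read `corenet_tcp_connect_all_ephemeral_ports(polipo_session_t)` like the surrounding session rules; otherwise the boolean's description comment should state that the ephemeral range stays reachable when it is off. The enclosing policy file continues past this hunk.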
@@ -75326,30 +75326,30 @@ index 9764bfef8..8870de713 100644 + corenet_tcp_sendrecv_all_ports(polipo_session_t) + corenet_tcp_bind_all_unreserved_ports(polipo_session_t) +') - + -miscfiles_read_localization(polipo_daemon) diff --git a/portage.if b/portage.if index 67e8c12c4..058c99481 100644 --- a/portage.if +++ b/portage.if @@ -67,9 +67,10 @@ interface(`portage_compile_domain',` - class dbus send_msg; - type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; - type portage_tmpfs_t; + class dbus send_msg; + type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; + type portage_tmpfs_t; + type portage_sandbox_t; - ') - + ') + - allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search dac_override net_raw }; - dontaudit $1 self:capability sys_chroot; - allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; - allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; + dontaudit $1 self:capability sys_chroot; + allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate }; + allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/portage.te b/portage.te index b410c67c1..f1ec41d39 100644 --- a/portage.te +++ b/portage.te @@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t) - + files_manage_etc_files(gcc_config_t) files_rw_etc_runtime_files(gcc_config_t) -files_read_usr_files(gcc_config_t) @@ -75358,7 +75358,7 @@ index b410c67c1..f1ec41d39 100644 # complains loudly about not being able to list 
@@ -239,7 +238,7 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms; # - + allow portage_fetch_t self:process signal; -allow portage_fetch_t self:capability { dac_override fowner fsetid chown }; +allow portage_fetch_t self:capability { dac_read_search dac_override fowner fsetid chown }; @@ -75367,11 +75367,11 @@ index b410c67c1..f1ec41d39 100644 allow portage_fetch_t self:unix_stream_socket create_socket_perms; @@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t) domain_use_interactive_fds(portage_fetch_t) - + files_read_etc_runtime_files(portage_fetch_t) -files_read_usr_files(portage_fetch_t) files_dontaudit_search_pids(portage_fetch_t) - + fs_search_auto_mountpoints(portage_fetch_t) diff --git a/portmap.fc b/portmap.fc index cd45831ca..69406ee17 100644 @@ -75380,7 +75380,7 @@ index cd45831ca..69406ee17 100644 @@ -4,9 +4,14 @@ /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) - + +ifdef(`distro_debian',` +/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) +/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) @@ -75389,7 +75389,7 @@ index cd45831ca..69406ee17 100644 /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0) /usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0) +') - + /var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0) /var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0) diff --git a/portmap.te b/portmap.te @@ -75399,36 +75399,36 @@ index 18b255e7a..e75c4ec24 100644 @@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file) kernel_read_system_state(portmap_t) kernel_read_kernel_sysctls(portmap_t) - + -corenet_all_recvfrom_unlabeled(portmap_t) corenet_all_recvfrom_netlabel(portmap_t) corenet_tcp_sendrecv_generic_if(portmap_t) corenet_udp_sendrecv_generic_if(portmap_t) 
@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t) - + domain_use_interactive_fds(portmap_t) - + +auth_use_nsswitch(portmap_t) + logging_send_syslog_msg(portmap_t) - + -miscfiles_read_localization(portmap_t) +sysnet_read_config(portmap_t) - + userdom_dontaudit_use_unpriv_user_fds(portmap_t) userdom_dontaudit_search_user_home_dirs(portmap_t) @@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen }; allow portmap_helper_t portmap_var_run_t:file manage_file_perms; files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file) - + -corenet_all_recvfrom_unlabeled(portmap_helper_t) corenet_all_recvfrom_netlabel(portmap_helper_t) corenet_tcp_sendrecv_generic_if(portmap_helper_t) corenet_udp_sendrecv_generic_if(portmap_helper_t) @@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t) - + logging_send_syslog_msg(portmap_helper_t) - + -userdom_use_user_terminals(portmap_helper_t) +sysnet_read_config(portmap_helper_t) + @@ -75440,37 +75440,37 @@ index 1b2b4f908..575b7d69b 100644 +++ b/portreserve.fc @@ -1,6 +1,6 @@ /etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0) - + -/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) +/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0) - + /sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) - + diff --git a/portreserve.if b/portreserve.if index 5ad529154..7f1ae2a78 100644 --- a/portreserve.if +++ b/portreserve.if 
@@ -105,8 +105,11 @@ interface(`portreserve_admin',` - type portreserve_initrc_exec_t; - ') - + type portreserve_initrc_exec_t; + ') + - allow $1 portreserve_t:process { ptrace signal_perms }; + allow $1 portreserve_t:process signal_perms; - ps_process_pattern($1, portreserve_t) + ps_process_pattern($1, portreserve_t) + tunable_policy(`deny_ptrace',`',` + allow $1 portreserve_t:process ptrace; + ') - - portreserve_initrc_domtrans($1) - domain_system_change_exemption($1) + + portreserve_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/portreserve.te b/portreserve.te index 00b01e2ea..10b45127a 100644 --- a/portreserve.te +++ b/portreserve.te @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } - + corecmd_getattr_bin_files(portreserve_t) - + -corenet_all_recvfrom_unlabeled(portreserve_t) corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_sendrecv_generic_if(portreserve_t) @@ -75478,7 +75478,7 @@ index 00b01e2ea..10b45127a 100644 @@ -56,6 +55,7 @@ corenet_sendrecv_all_server_packets(portreserve_t) corenet_tcp_bind_all_ports(portreserve_t) corenet_udp_bind_all_ports(portreserve_t) - + -files_read_etc_files(portreserve_t) - userdom_dontaudit_search_user_home_content(portreserve_t) @@ -75492,19 +75492,19 @@ index cbe36c1d0..8ebeb87d2 100644 @@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t) corecmd_exec_bin(portslave_t) corecmd_exec_shell(portslave_t) - + -corenet_all_recvfrom_unlabeled(portslave_t) corenet_all_recvfrom_netlabel(portslave_t) corenet_tcp_sendrecv_generic_if(portslave_t) corenet_udp_sendrecv_generic_if(portslave_t) @@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t) - + term_use_unallocated_ttys(portslave_t) term_setattr_unallocated_ttys(portslave_t) -term_use_all_ttys(portslave_t) +term_use_all_inherited_ttys(portslave_t) term_search_ptys(portslave_t) - + auth_domtrans_chk_passwd(portslave_t) diff --git a/postfix.fc b/postfix.fc index c0e878537..3070aa066 100644 
@@ -75577,10 +75577,10 @@ index c0e878537..3070aa066 100644 @@ -44,14 +44,14 @@ /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - + -/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) +/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) - + -/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) -/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) -/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0) @@ -75606,13 +75606,13 @@ index ded95ec3a..137ae2d3d 100644 @@ -1,4 +1,4 @@ -##

    Postfix email server. +## Postfix email server - + ######################################## ## @@ -16,13 +16,14 @@ interface(`postfix_stub',` - ') + ') ') - + -####################################### +######################################## ## @@ -75629,20 +75629,20 @@ index ded95ec3a..137ae2d3d 100644 ## # @@ -31,73 +32,69 @@ template(`postfix_domain_template',` - attribute postfix_domain; - ') - + attribute postfix_domain; + ') + - ######################################## - # - # Declarations - # - - type postfix_$1_t, postfix_domain; - type postfix_$1_exec_t; - domain_type(postfix_$1_t) - domain_entry_file(postfix_$1_t, postfix_$1_exec_t) - role system_r types postfix_$1_t; - + type postfix_$1_t, postfix_domain; + type postfix_$1_exec_t; + domain_type(postfix_$1_t) + domain_entry_file(postfix_$1_t, postfix_$1_exec_t) + role system_r types postfix_$1_t; + - ######################################## - # - # Policy @@ -75650,14 +75650,14 @@ index ded95ec3a..137ae2d3d 100644 - - can_exec(postfix_$1_t, postfix_$1_exec_t) + kernel_read_system_state(postfix_$1_t) - - auth_use_nsswitch(postfix_$1_t) + + auth_use_nsswitch(postfix_$1_t) + + logging_send_syslog_msg(postfix_$1_t) + + can_exec(postfix_$1_t, postfix_$1_exec_t) ') - + -####################################### +######################################## ## @@ -75682,14 +75682,14 @@ index ded95ec3a..137ae2d3d 100644 - # Declarations - # - - postfix_domain_template($1) - + postfix_domain_template($1) + - typeattribute postfix_$1_t postfix_server_domain; - - type postfix_$1_tmp_t, postfix_server_tmp_content; + type postfix_$1_tmp_t; - files_tmp_file(postfix_$1_tmp_t) - + files_tmp_file(postfix_$1_tmp_t) + - ######################################## - # - # Declarations 
@@ -75698,12 +75698,12 @@ index ded95ec3a..137ae2d3d 100644 + allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; + allow postfix_$1_t self:tcp_socket create_socket_perms; + allow postfix_$1_t self:udp_socket create_socket_perms; - - manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) - files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) - - domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + + manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) + manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t) + files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir }) + + domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + + corenet_all_recvfrom_netlabel(postfix_$1_t) + corenet_tcp_sendrecv_generic_if(postfix_$1_t) @@ -75717,7 +75717,7 @@ index ded95ec3a..137ae2d3d 100644 + corenet_tcp_connect_all_ports(postfix_$1_t) + corenet_sendrecv_all_client_packets(postfix_$1_t) ') - + -####################################### +######################################## ## @@ -75734,18 +75734,18 @@ index ded95ec3a..137ae2d3d 100644 ## # @@ -106,30 +103,22 @@ template(`postfix_user_domain_template',` - attribute postfix_user_domains, postfix_user_domtrans; - ') - + attribute postfix_user_domains, postfix_user_domtrans; + ') + - ######################################## - # - # Declarations - # - - postfix_domain_template($1) - - typeattribute postfix_$1_t postfix_user_domains; - + postfix_domain_template($1) + + typeattribute postfix_$1_t postfix_user_domains; + - ######################################## - # - # Policy 
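Review bot: `corenet_tcp_connect_all_ports(postfix_$1_t)` and `corenet_sendrecv_all_client_packets(postfix_$1_t)` are added to the shared template (presumably postfix_server_domain_template, whose opening lines are outside this hunk), so every server domain instantiated from it gets unrestricted outbound TCP to any port, not only the domains that actually relay mail. That gives up the per-domain network confinement the template previously left to each domain's own rules in postfix.te. If only some domains need it, the grant belongs next to those domains in postfix.te; if it is intentional, the template's interface documentation should say that instantiated domains may connect to all TCP ports so policy authors reusing it know what they inherit.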
@@ -75753,14 +75753,14 @@ index ded95ec3a..137ae2d3d 100644 - - allow postfix_$1_t self:capability dac_override; + allow postfix_$1_t self:capability { dac_read_search dac_override }; - - domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) - - domain_use_interactive_fds(postfix_$1_t) + + domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) + + domain_use_interactive_fds(postfix_$1_t) + + application_domain(postfix_$1_t, postfix_$1_exec_t) ') - + ######################################## ## -## Read postfix configuration content. @@ -75769,17 +75769,17 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -143,16 +132,15 @@ interface(`postfix_read_config',` - type postfix_etc_t; - ') - + type postfix_etc_t; + ') + + read_files_pattern($1, postfix_etc_t, postfix_etc_t) + read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t) - files_search_etc($1) + files_search_etc($1) - allow $1 postfix_etc_t:dir list_dir_perms; - allow $1 postfix_etc_t:file read_file_perms; - allow $1 postfix_etc_t:lnk_file read_lnk_file_perms; ') - + ######################################## ## -## Create specified object in postfix @@ -75790,15 +75790,15 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',` - type postfix_etc_t; - ') - + type postfix_etc_t; + ') + + files_search_etc($1) - filetrans_pattern($1, postfix_etc_t, $2, $3, $4) + filetrans_pattern($1, postfix_etc_t, $2, $3, $4) ') - + @@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',` - + ######################################## ## -## Read and write postfix local pipes. @@ -75808,9 +75808,9 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',` - allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; + allow $1 postfix_local_t:fifo_file rw_fifo_file_perms; ') - + -######################################## +####################################### ## 
@@ -75835,14 +75835,14 @@ index ded95ec3a..137ae2d3d 100644 + gen_require(` + type postfix_public_t; + ') - + - kernel_search_proc($1) - allow $1 postfix_local_t:dir list_dir_perms; - allow $1 postfix_local_t:file read_file_perms; - allow $1 postfix_local_t:lnk_file read_lnk_file_perms; + allow $1 postfix_public_t:fifo_file rw_fifo_file_perms; ') - + ######################################## ## -## Read and write inherited postfix master pipes. @@ -75856,17 +75856,17 @@ index ded95ec3a..137ae2d3d 100644 # -interface(`postfix_rw_inherited_master_pipes',` +interface(`postfix_read_local_state',` - gen_require(` + gen_require(` - type postfix_master_t; + type postfix_local_t; - ') - + ') + - allow $1 postfix_master_t:fd use; - allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read }; + kernel_search_proc($1) + ps_process_pattern($1, postfix_local_t) ') - + ######################################## ## -## Read postfix master process state files. @@ -75875,15 +75875,15 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -277,14 +265,13 @@ interface(`postfix_read_master_state',` - ') - - kernel_search_proc($1) + ') + + kernel_search_proc($1) - allow $1 postfix_master_t:dir list_dir_perms; - allow $1 postfix_master_t:file read_file_perms; - allow $1 postfix_master_t:lnk_file read_lnk_file_perms; + ps_process_pattern($1, postfix_master_t) ') - + ######################################## ## -## Use postfix master file descriptors. @@ -75893,13 +75893,13 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',` - type postfix_map_t, postfix_map_exec_t; - ') - + type postfix_map_t, postfix_map_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) + domtrans_pattern($1, postfix_map_exec_t, postfix_map_t) ') - + ######################################## ## -## Execute postfix map in the postfix @@ -75913,16 +75913,16 @@ index ded95ec3a..137ae2d3d 100644 
@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',` # interface(`postfix_run_map',` - gen_require(` + gen_require(` - attribute_role postfix_map_roles; + type postfix_map_t; - ') - - postfix_domtrans_map($1) + ') + + postfix_domtrans_map($1) - roleattribute $2 postfix_map_roles; + role $2 types postfix_map_t; ') - + ######################################## ## -## Execute the master postfix program @@ -75934,16 +75934,16 @@ index ded95ec3a..137ae2d3d 100644 ## @@ -380,16 +365,36 @@ interface(`postfix_run_map',` interface(`postfix_domtrans_master',` - gen_require(` - type postfix_master_t, postfix_master_exec_t; + gen_require(` + type postfix_master_t, postfix_master_exec_t; + attribute postfix_domain; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) + domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) + allow $1 postfix_master_exec_t:file map; ') - + + ######################################## ## @@ -75973,13 +75973,13 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -402,21 +407,18 @@ interface(`postfix_exec_master',` - type postfix_master_exec_t; - ') - + type postfix_master_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, postfix_master_exec_t) + can_exec($1, postfix_master_exec_t) ') - + ####################################### ## -## Connect to postfix master process @@ -75994,9 +75994,9 @@ index ded95ec3a..137ae2d3d 100644 -## # interface(`postfix_stream_connect_master',` - gen_require(` + gen_require(` @@ -428,8 +430,7 @@ interface(`postfix_stream_connect_master',` - + ######################################## ## -## Read and write postfix master @@ -76019,7 +76019,7 @@ index ded95ec3a..137ae2d3d 100644 + + allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## ## ## Execute the master postdrop in the @@ -76029,14 +76029,14 @@ index ded95ec3a..137ae2d3d 100644 ## ## 
@@ -458,14 +462,14 @@ interface(`postfix_domtrans_postdrop',` - type postfix_postdrop_t, postfix_postdrop_exec_t; - ') - + type postfix_postdrop_t, postfix_postdrop_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) + domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t) + allow $1 postfix_postdrop_exec_t:file map; ') - + ######################################## ## ## Execute the master postqueue in the @@ -76046,13 +76046,13 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -478,30 +482,85 @@ interface(`postfix_domtrans_postqueue',` - type postfix_postqueue_t, postfix_postqueue_exec_t; - ') - + type postfix_postqueue_t, postfix_postqueue_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) + domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t) ') - + -####################################### +######################################## ## @@ -76131,7 +76131,7 @@ index ded95ec3a..137ae2d3d 100644 + postfix_domtrans_postgqueue($1) + role $2 types postfix_postgqueue_t; ') - + + ####################################### ## @@ -76142,13 +76142,13 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -514,13 +573,12 @@ interface(`postfix_exec_postqueue',` - type postfix_postqueue_exec_t; - ') - + type postfix_postqueue_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, postfix_postqueue_exec_t) + can_exec($1, postfix_postqueue_exec_t) ') - + ######################################## ## -## Create postfix private sock files. @@ -76157,13 +76157,13 @@ index ded95ec3a..137ae2d3d 100644 ## ## 
@@ -533,13 +591,13 @@ interface(`postfix_create_private_sockets',` - type postfix_private_t; - ') - + type postfix_private_t; + ') + + allow $1 postfix_private_t:dir list_dir_perms; - create_sock_files_pattern($1, postfix_private_t, postfix_private_t) + create_sock_files_pattern($1, postfix_private_t, postfix_private_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -76173,13 +76173,13 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -552,13 +610,14 @@ interface(`postfix_manage_private_sockets',` - type postfix_private_t; - ') - + type postfix_private_t; + ') + + allow $1 postfix_private_t:dir list_dir_perms; - manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) + manage_sock_files_pattern($1, postfix_private_t, postfix_private_t) ') - + ######################################## ## -## Execute the smtp postfix program @@ -76190,13 +76190,13 @@ index ded95ec3a..137ae2d3d 100644 ## ## @@ -571,14 +630,12 @@ interface(`postfix_domtrans_smtp',` - type postfix_smtp_t, postfix_smtp_exec_t; - ') - + type postfix_smtp_t, postfix_smtp_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) + domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t) ') - + ######################################## ## -## Get attributes of all postfix mail @@ -76211,50 +76211,50 @@ index ded95ec3a..137ae2d3d 100644 # -interface(`postfix_getattr_all_spool_files',` +interface(`postfix_getattr_spool_files',` - gen_require(` - attribute postfix_spool_type; - ') + gen_require(` + attribute postfix_spool_type; + ') 
@@ -607,11 +664,11 @@ interface(`postfix_getattr_all_spool_files',` # interface(`postfix_search_spool',` - gen_require(` + gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; - ') - + ') + + allow $1 postfix_spool_type:dir search_dir_perms; - files_search_spool($1) + files_search_spool($1) - allow $1 postfix_spool_t:dir search_dir_perms; ') - + ######################################## @@ -626,11 +683,11 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` - gen_require(` + gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; - ') - + ') + + allow $1 postfix_spool_type:dir list_dir_perms; - files_search_spool($1) + files_search_spool($1) - allow $1 postfix_spool_t:dir list_dir_perms; ') - + ######################################## @@ -645,17 +702,16 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` - gen_require(` + gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; - ') - - files_search_spool($1) + ') + + files_search_spool($1) - read_files_pattern($1, postfix_spool_t, postfix_spool_t) + read_files_pattern($1, postfix_spool_type, postfix_spool_type) ') - + ######################################## ## -## Create, read, write, and delete @@ -76266,12 +76266,12 @@ index ded95ec3a..137ae2d3d 100644 @@ -665,11 +721,50 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` - gen_require(` + gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; - ') - - files_search_spool($1) + ') + + files_search_spool($1) - manage_files_pattern($1, postfix_spool_t, postfix_spool_t) + manage_files_pattern($1, postfix_spool_type, postfix_spool_type) +') @@ -76314,10 +76314,10 @@ index ded95ec3a..137ae2d3d 100644 + manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t) ') - + ######################################## 
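Review bot: `postfix_manage_spool_files` now grants `manage_files_pattern($1, postfix_spool_type, postfix_spool_type)` on the attribute instead of `postfix_spool_t`, so a caller that could previously only manage the generic spool type can now create, write and delete files of every type carrying `postfix_spool_type` (for example `postfix_spool_bounce_t`, declared with that attribute later in this patch). `postfix_search_spool`, `postfix_list_spool` and `postfix_read_spool_files` in the preceding hunk are widened the same way. The interfaces' summary text is left unchanged here; it should state that all postfix spool types are covered, so callers can choose between these and the maildrop-specific interface added in the following hunk deliberately.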
@@ -693,8 +788,8 @@ interface(`postfix_domtrans_user_mail_handler',` - + ######################################## ## -## All of the rules required to @@ -76330,7 +76330,7 @@ index ded95ec3a..137ae2d3d 100644 @@ -710,38 +805,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` - gen_require(` + gen_require(` - attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content; - type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; - type postfix_data_t, postfix_var_run_t, postfix_public_t; @@ -76348,8 +76348,8 @@ index ded95ec3a..137ae2d3d 100644 + ps_process_pattern($1, postfix_bounce_t) + tunable_policy(`deny_ptrace',`',` + allow $1 postfix_bounce_t:process ptrace; - ') - + ') + - allow $1 postfix_domain:process { ptrace signal_perms }; - ps_process_pattern($1, postfix_domain) + allow $1 postfix_cleanup_t:process signal_perms; @@ -76362,7 +76362,7 @@ index ded95ec3a..137ae2d3d 100644 + allow $1 postfix_qmgr_t:process ptrace; + allow $1 postfix_smtpd_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, postfix_initrc_exec_t) + allow $1 postfix_local_t:process signal_perms; + ps_process_pattern($1, postfix_local_t) 
@@ -76384,34 +76384,34 @@ index ded95ec3a..137ae2d3d 100644 + postfix_run_postqueue($1, $2) + + postfix_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 postfix_initrc_exec_t system_r; - allow $2 system_r; - + domain_system_change_exemption($1) + role_transition $2 postfix_initrc_exec_t system_r; + allow $2 system_r; + - files_search_etc($1) - admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t }) -+ admin_pattern($1, postfix_data_t) - ++ admin_pattern($1, postfix_data_t) + - files_search_spool($1) - admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type }) + files_list_etc($1) + admin_pattern($1, postfix_etc_t) - + - files_search_var_lib($1) - admin_pattern($1, postfix_data_t) + files_list_spool($1) + admin_pattern($1, postfix_spool_type) - + - files_search_pids($1) - admin_pattern($1, postfix_var_run_t) - + admin_pattern($1, postfix_var_run_t) + - files_search_tmp($1) - admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t }) + files_list_tmp($1) + admin_pattern($1, postfix_map_tmp_t) -+ ++ + admin_pattern($1, postfix_prng_t) - + - postfix_exec_master($1) - postfix_exec_postqueue($1) - postfix_stream_connect_master($1) @@ -76492,7 +76492,7 @@ index 5cfb83eca..921fcfe70 100644 +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) # - + ## -##

    -## Determine whether postfix local @@ -76503,7 +76503,7 @@ index 5cfb83eca..921fcfe70 100644 +##

    ##
    gen_tunable(postfix_local_write_mail_spool, true) - + attribute postfix_domain; -attribute postfix_server_domain; -attribute postfix_server_tmp_content; @@ -76512,76 +76512,76 @@ index 5cfb83eca..921fcfe70 100644 +# domains that transition to the +# postfix user domains attribute postfix_user_domtrans; - + -attribute_role postfix_map_roles; -roleattribute system_r postfix_map_roles; - postfix_server_domain_template(bounce) - + type postfix_spool_bounce_t, postfix_spool_type; -files_type(postfix_spool_bounce_t) +files_spool_file(postfix_spool_bounce_t) - + postfix_server_domain_template(cleanup) - + @@ -42,16 +38,19 @@ files_type(postfix_keytab_t) postfix_server_domain_template(local) mta_mailserver_delivery(postfix_local_t) - + +# Program for creating database files type postfix_map_t; type postfix_map_exec_t; application_domain(postfix_map_t, postfix_map_exec_t) -role postfix_map_roles types postfix_map_t; +role system_r types postfix_map_t; - + type postfix_map_tmp_t; files_tmp_file(postfix_map_tmp_t) - + postfix_domain_template(master) typealias postfix_master_t alias postfix_t; +# alias is a hack to make the disable trans bool +# generation macro work mta_mailserver(postfix_t, postfix_master_exec_t) - + type postfix_initrc_exec_t; @@ -63,6 +62,7 @@ postfix_server_domain_template(pipe) - + postfix_user_domain_template(postdrop) mta_mailserver_user_agent(postfix_postdrop_t) +mta_agent_executable(postfix_postdrop_t) - + postfix_user_domain_template(postqueue) mta_mailserver_user_agent(postfix_postqueue_t) 
@@ -83,13 +83,13 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) - + type postfix_spool_t, postfix_spool_type; -files_type(postfix_spool_t) +files_spool_file(postfix_spool_t) - + -type postfix_spool_maildrop_t, postfix_spool_type; -files_type(postfix_spool_maildrop_t) +typealias postfix_spool_t alias postfix_spool_maildrop_t; +files_spool_file(postfix_spool_maildrop_t) - + -type postfix_spool_flush_t, postfix_spool_type; -files_type(postfix_spool_flush_t) +typealias postfix_spool_t alias postfix_spool_flush_t; +files_spool_file(postfix_spool_flush_t) - + type postfix_public_t; files_type(postfix_public_t) @@ -97,6 +97,7 @@ files_type(postfix_public_t) type postfix_var_run_t; files_pid_file(postfix_var_run_t) - + +# the data_directory config parameter type postfix_data_t; files_type(postfix_data_t) - + @@ -105,109 +106,23 @@ mta_mailserver_delivery(postfix_virtual_t) - + ######################################## # -# Common postfix domain local policy @@ -76649,7 +76649,7 @@ index 5cfb83eca..921fcfe70 100644 -# Common postfix server domain local policy +# Postfix master process local policy # - + -allow postfix_server_domain self:capability { setuid setgid dac_override }; - -allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; @@ -76686,7 +76686,7 @@ index 5cfb83eca..921fcfe70 100644 allow postfix_master_t self:process setrlimit; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; - + -allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms; -allow postfix_master_t postfix_domain:process signal; - @@ -76695,13 +76695,13 @@ index 5cfb83eca..921fcfe70 100644 +mta_filetrans_aliases(postfix_master_t, postfix_etc_t) + +can_exec(postfix_master_t, postfix_exec_t) - + allow postfix_master_t postfix_data_t:dir manage_dir_perms; allow postfix_master_t postfix_data_t:file manage_file_perms; 
@@ -216,34 +131,36 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms; - + allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; - + -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; + @@ -76710,9 +76710,9 @@ index 5cfb83eca..921fcfe70 100644 +manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) + +domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) - + allow postfix_master_t postfix_prng_t:file rw_file_perms; - + +manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) +manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) + @@ -76726,11 +76726,11 @@ index 5cfb83eca..921fcfe70 100644 manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) - + allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms; -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce") - + manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) 
@@ -76747,13 +76747,13 @@ index 5cfb83eca..921fcfe70 100644 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") - + create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -253,16 +170,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred") filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") - + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") @@ -76763,7 +76763,7 @@ index 5cfb83eca..921fcfe70 100644 -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) +kernel_read_all_sysctls(postfix_master_t) - + -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) @@ -76793,7 +76793,7 @@ index 5cfb83eca..921fcfe70 100644 +corenet_sendrecv_all_client_packets(postfix_master_t) +# for spampd +corenet_tcp_bind_spamd_port(postfix_master_t) - + -# Can this be conditional? -corenet_sendrecv_all_server_packets(postfix_master_t) -corenet_udp_bind_all_unreserved_ports(postfix_master_t) 
@@ -76801,26 +76801,26 @@ index 5cfb83eca..921fcfe70 100644 - +# for a find command selinux_dontaudit_search_fs(postfix_master_t) - + +corecmd_exec_shell(postfix_master_t) corecmd_exec_bin(postfix_master_t) - + domain_use_interactive_fds(postfix_master_t) - + +files_search_var_lib(postfix_master_t) files_search_tmp(postfix_master_t) - + -mcs_file_read_all(postfix_master_t) - + -term_dontaudit_search_ptys(postfix_master_t) +init_stream_connect(postfix_master_t) - + -miscfiles_read_man_pages(postfix_master_t) +term_dontaudit_search_ptys(postfix_master_t) - + seutil_sigchld_newrole(postfix_master_t) -seutil_dontaudit_search_config(postfix_master_t) - + -mta_manage_aliases(postfix_master_t) -mta_etc_filetrans_aliases(postfix_master_t, file, "aliases") -mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db") @@ -76829,7 +76829,7 @@ index 5cfb83eca..921fcfe70 100644 +mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) mta_getattr_spool(postfix_master_t) - + +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + mta_manage_aliases(postfix_master_t) @@ -76837,12 +76837,12 @@ index 5cfb83eca..921fcfe70 100644 +') + optional_policy(` - cyrus_stream_connect(postfix_master_t) + cyrus_stream_connect(postfix_master_t) ') @@ -323,14 +229,6 @@ optional_policy(` - kerberos_use(postfix_master_t) + kerberos_use(postfix_master_t) ') - + -optional_policy(` - mailman_manage_data_files(postfix_master_t) -') @@ -76852,33 +76852,33 @@ index 5cfb83eca..921fcfe70 100644 -') - optional_policy(` - postgrey_search_spool(postfix_master_t) + postgrey_search_spool(postfix_master_t) ') 
@@ -341,12 +239,14 @@ optional_policy(` - + ######################################## # -# Bounce local policy +# Postfix bounce local policy # - + allow postfix_bounce_t self:capability dac_read_search; +allow postfix_bounce_t self:tcp_socket create_socket_perms; - + -write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t) +allow postfix_bounce_t postfix_public_t:sock_file write; +allow postfix_bounce_t postfix_public_t:dir search_dir_perms; - + manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) @@ -363,74 +263,89 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool - + ######################################## # -# Cleanup local policy +# Postfix cleanup local policy # - + allow postfix_cleanup_t self:process setrlimit; - allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms; 
@@ -76887,27 +76887,27 @@ index 5cfb83eca..921fcfe70 100644 -allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; -allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; -allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - + +# connect to master process stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t) - + rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) +allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms; - + manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) - + +allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; +allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; +allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; - + corecmd_exec_bin(postfix_cleanup_t) - + -corenet_sendrecv_kismet_client_packets(postfix_cleanup_t) -corenet_tcp_connect_kismet_port(postfix_cleanup_t) -corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t) @@ -76915,11 +76915,11 @@ index 5cfb83eca..921fcfe70 100644 -mta_read_aliases(postfix_cleanup_t) +# allow postfix to connect to sqlgrey +corenet_tcp_connect_rtsclient_port(postfix_cleanup_t) - + optional_policy(` - mailman_read_data_files(postfix_cleanup_t) + mailman_read_data_files(postfix_cleanup_t) ') - + +optional_policy(` + milter_stream_connect_all(postfix_cleanup_t) +') 
@@ -76929,35 +76929,35 @@ index 5cfb83eca..921fcfe70 100644 -# Local local policy +# Postfix local local policy # - + -allow postfix_local_t self:capability chown; -allow postfix_local_t self:process setrlimit; +allow postfix_local_t self:process { setsched setrlimit }; - + +# connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) - + +# for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) - -allow postfix_local_t postfix_spool_t:file rw_file_perms; +rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - + domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) - + +allow postfix_local_t postfix_spool_t:file rw_file_perms; + +corecmd_exec_shell(postfix_local_t) corecmd_exec_bin(postfix_local_t) - + logging_dontaudit_search_logs(postfix_local_t) - + mta_delete_spool(postfix_local_t) -mta_read_aliases(postfix_local_t) -mta_read_config(postfix_local_t) +# Handle vacation script mta_send_mail(postfix_local_t) - + +userdom_read_user_home_content_files(postfix_local_t) +userdom_exec_user_bin_files(postfix_local_t) + @@ -76970,9 +76970,9 @@ index 5cfb83eca..921fcfe70 100644 +') + tunable_policy(`postfix_local_write_mail_spool',` - mta_manage_spool(postfix_local_t) + mta_manage_spool(postfix_local_t) ') - + optional_policy(` - clamav_search_lib(postfix_local_t) - clamav_exec_clamscan(postfix_local_t) @@ -76980,35 +76980,35 @@ index 5cfb83eca..921fcfe70 100644 + antivirus_exec(postfix_local_t) + antivirus_stream_connect(postfix_domain) ') - + optional_policy(` 
@@ -442,15 +357,24 @@ optional_policy(` ') - + optional_policy(` +# for postalias - mailman_manage_data_files(postfix_local_t) - mailman_append_log(postfix_local_t) - mailman_read_log(postfix_local_t) + mailman_manage_data_files(postfix_local_t) + mailman_append_log(postfix_local_t) + mailman_read_log(postfix_local_t) ') - + +optional_policy(` + munin_search_lib(postfix_local_t) +') + optional_policy(` - nagios_search_spool(postfix_local_t) + nagios_search_spool(postfix_local_t) ') - + +optional_policy(` + openshift_search_lib(postfix_local_t) +') + optional_policy(` - procmail_domtrans(postfix_local_t) + procmail_domtrans(postfix_local_t) ') @@ -466,15 +390,17 @@ optional_policy(` - + ######################################## # -# Map local policy @@ -77019,7 +77019,7 @@ index 5cfb83eca..921fcfe70 100644 +allow postfix_map_t self:unix_dgram_socket create_socket_perms; +allow postfix_map_t self:tcp_socket create_stream_socket_perms; +allow postfix_map_t self:udp_socket create_socket_perms; - + -allow postfix_map_t self:capability { dac_override setgid setuid }; -allow postfix_map_t self:tcp_socket { accept listen }; - @@ -77029,13 +77029,13 @@ index 5cfb83eca..921fcfe70 100644 +manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) +manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) +manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t) - + manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) @@ -484,14 +410,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) - + -corenet_all_recvfrom_unlabeled(postfix_map_t) corenet_all_recvfrom_netlabel(postfix_map_t) corenet_tcp_sendrecv_generic_if(postfix_map_t) 
@@ -77049,55 +77049,55 @@ index 5cfb83eca..921fcfe70 100644 +corenet_udp_sendrecv_all_ports(postfix_map_t) +corenet_tcp_connect_all_ports(postfix_map_t) +corenet_sendrecv_all_client_packets(postfix_map_t) - + corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) @@ -500,7 +427,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) - + files_list_home(postfix_map_t) -files_read_usr_files(postfix_map_t) files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) - + @@ -508,21 +434,24 @@ auth_use_nsswitch(postfix_map_t) - + logging_send_syslog_msg(postfix_map_t) - + -miscfiles_read_localization(postfix_map_t) - optional_policy(` - locallogin_dontaudit_use_fds(postfix_map_t) + locallogin_dontaudit_use_fds(postfix_map_t) ') - + optional_policy(` +# for postalias - mailman_manage_data_files(postfix_map_t) + mailman_manage_data_files(postfix_map_t) ') - + ######################################## # -# Pickup local policy +# Postfix pickup local policy # - + +dontaudit postfix_pickup_t self:capability net_admin; + +allow postfix_pickup_t self:tcp_socket create_socket_perms; + stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) - + rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -532,21 +461,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) - + +postfix_list_spool(postfix_pickup_t) + allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - + -mcs_file_read_all(postfix_pickup_t) -mcs_file_write_all(postfix_pickup_t) - 
@@ -77106,33 +77106,33 @@ index 5cfb83eca..921fcfe70 100644 -# Pipe local policy +# Postfix pipe local policy # - + allow postfix_pipe_t self:process setrlimit; - + write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) +write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) - + write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) - + @@ -556,6 +485,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) - + corecmd_exec_bin(postfix_pipe_t) - + +optional_policy(` + cyrus_stream_connect(postfix_pipe_t) +') + optional_policy(` - dovecot_domtrans_deliver(postfix_pipe_t) + dovecot_domtrans_deliver(postfix_pipe_t) ') @@ -584,19 +517,28 @@ optional_policy(` - + ######################################## # -# Postdrop local policy +# Postfix postdrop local policy # - + +# usually it does not need a UDP socket allow postfix_postdrop_t self:capability sys_resource; +allow postfix_postdrop_t self:tcp_socket create; 
@@ -77141,81 +77141,81 @@ index 5cfb83eca..921fcfe70 100644 +# Might be a leak, but I need a postfix expert to explain +allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; +allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto; - + rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) +rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) - + -manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +rw_fifo_files_pattern(postfix_postdrop_t, postfix_master_t, postfix_master_t) - + -allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; +postfix_list_spool(postfix_postdrop_t) +manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - + -mcs_file_read_all(postfix_postdrop_t) -mcs_file_write_all(postfix_postdrop_t) +corenet_udp_sendrecv_generic_if(postfix_postdrop_t) +corenet_udp_sendrecv_generic_node(postfix_postdrop_t) - + term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) @@ -611,10 +553,7 @@ optional_policy(` - cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) + cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') - + -optional_policy(` - fail2ban_dontaudit_use_fds(postfix_postdrop_t) -') - +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951 optional_policy(` - fstools_read_pipes(postfix_postdrop_t) + fstools_read_pipes(postfix_postdrop_t) ') 
@@ -629,17 +568,24 @@ optional_policy(` - + ####################################### # -# Postqueue local policy +# Postfix postqueue local policy # - + +allow postfix_postqueue_t self:capability2 block_suspend; +allow postfix_postqueue_t self:tcp_socket create; +allow postfix_postqueue_t self:udp_socket { create ioctl }; + +# wants to write to /var/spool/postfix/public/showq stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t) - + +# write to /var/spool/postfix/public/qmgr write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t) - + domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) - + -term_use_all_ptys(postfix_postqueue_t) -term_use_all_ttys(postfix_postqueue_t) +# to write the mailq output, it really should not need read access! +term_use_all_inherited_ptys(postfix_postqueue_t) +term_use_all_inherited_ttys(postfix_postqueue_t) - + init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -655,69 +601,84 @@ optional_policy(` - + ######################################## # -# Qmgr local policy +# Postfix qmgr local policy # - + -allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; +dontaudit postfix_qmgr_t self:capability { net_admin }; - + stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - + rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) - + -manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; 
@@ -77225,7 +77225,7 @@ index 5cfb83eca..921fcfe70 100644 manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) - + +allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; +allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; @@ -77235,18 +77235,18 @@ index 5cfb83eca..921fcfe70 100644 +allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + corecmd_exec_bin(postfix_qmgr_t) - + ######################################## # -# Showq local policy +# Postfix showq local policy # - + allow postfix_showq_t self:capability { setuid setgid }; +allow postfix_showq_t self:tcp_socket create_socket_perms; - + allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; - + +allow postfix_showq_t postfix_spool_t:file read_file_perms; + +postfix_list_spool(postfix_showq_t) @@ -77254,7 +77254,7 @@ index 5cfb83eca..921fcfe70 100644 allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; - + -allow postfix_showq_t postfix_spool_t:file read_file_perms; - -mcs_file_read_all(postfix_showq_t) @@ -77262,7 +77262,7 @@ index 5cfb83eca..921fcfe70 100644 +# to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) term_use_all_ttys(postfix_showq_t) - + +optional_policy(` + logwatch_dontaudit_leaks(postfix_showq_t) +') 
@@ -77272,37 +77272,37 @@ index 5cfb83eca..921fcfe70 100644 -# Smtp delivery local policy +# Postfix smtp delivery local policy # - + +# connect to master process allow postfix_smtp_t self:capability sys_chroot; - stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - + -allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms; +allow postfix_smtp_t postfix_prng_t:file rw_file_perms; + +allow postfix_smtp_t postfix_spool_t:file rw_file_perms; - + rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - + corenet_tcp_bind_generic_node(postfix_smtp_t) +# for spampd +corenet_tcp_connect_spamd_port(postfix_master_t) + +files_search_all_mountpoints(postfix_smtp_t) - + optional_policy(` - cyrus_stream_connect(postfix_smtp_t) + cyrus_stream_connect(postfix_smtp_t) ') - + optional_policy(` - dovecot_stream_connect(postfix_smtp_t) + dovecot_stream_connect(postfix_smtp_t) ') - + optional_policy(` @@ -730,28 +691,32 @@ optional_policy(` - + ######################################## # -# Smtpd local policy @@ -77310,10 +77310,10 @@ index 5cfb83eca..921fcfe70 100644 # - allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms; - + +# connect to master process stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - + +# Connect to policy server +corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) + 
@@ -77322,38 +77322,38 @@ index 5cfb83eca..921fcfe70 100644 manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t) allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; - + -corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t) -corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t) -corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t) - corecmd_exec_bin(postfix_smtpd_t) - + +# for OpenSSL certificates + +# postfix checks the size of all mounted file systems fs_getattr_all_dirs(postfix_smtpd_t) -fs_getattr_all_fs(postfix_smtpd_t) - + -mta_read_aliases(postfix_smtpd_t) +optional_policy(` + antivirus_stream_connect(postfix_smtpd_t) +') - + optional_policy(` - dovecot_stream_connect_auth(postfix_smtpd_t) + dovecot_stream_connect_auth(postfix_smtpd_t) @@ -764,6 +729,7 @@ optional_policy(` - + optional_policy(` - milter_stream_connect_all(postfix_smtpd_t) + milter_stream_connect_all(postfix_smtpd_t) + spamassassin_read_pid_files(postfix_smtpd_t) ') - + optional_policy(` @@ -774,31 +740,105 @@ optional_policy(` - sasl_connect(postfix_smtpd_t) + sasl_connect(postfix_smtpd_t) ') - + -optional_policy(` - spamassassin_read_spamd_pid_files(postfix_smtpd_t) - spamassassin_stream_connect_spamd(postfix_smtpd_t) 
@@ -77364,24 +77364,24 @@ index 5cfb83eca..921fcfe70 100644 -# Virtual local policy +# Postfix virtual local policy # - + -allow postfix_virtual_t self:process setrlimit; +allow postfix_virtual_t self:process { setsched setrlimit }; - + -allow postfix_virtual_t postfix_spool_t:file rw_file_perms; +manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t) - + +# connect to master process stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - + +corecmd_exec_shell(postfix_virtual_t) corecmd_exec_bin(postfix_virtual_t) - + -mta_read_aliases(postfix_virtual_t) mta_delete_spool(postfix_virtual_t) -mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) - + userdom_manage_user_home_dirs(postfix_virtual_t) -userdom_manage_user_home_content_dirs(postfix_virtual_t) -userdom_manage_user_home_content_files(postfix_virtual_t) @@ -77475,18 +77475,18 @@ index 5de817368..985b877ab 100644 --- a/postfixpolicyd.if +++ b/postfixpolicyd.if @@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',` - type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; - ') - + type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; + ') + - allow $1 postfix_policyd_t:process { ptrace signal_perms }; + allow $1 postfix_policyd_t:process signal_perms; - ps_process_pattern($1, postfix_policyd_t) + ps_process_pattern($1, postfix_policyd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 postfix_policyd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/postfixpolicyd.te b/postfixpolicyd.te index ea1582a3a..0c1a05983 100644 --- a/postfixpolicyd.te @@ -77494,7 +77494,7 @@ index ea1582a3a..0c1a05983 100644 
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms; manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t) files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file) - + -corenet_all_recvfrom_unlabeled(postfix_policyd_t) corenet_tcp_sendrecv_generic_if(postfix_policyd_t) corenet_tcp_sendrecv_generic_node(postfix_policyd_t) @@ -77502,12 +77502,12 @@ index ea1582a3a..0c1a05983 100644 @@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t) corenet_tcp_bind_mysqld_port(postfix_policyd_t) corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t) - + -files_read_etc_files(postfix_policyd_t) -files_read_usr_files(postfix_policyd_t) - + logging_send_syslog_msg(postfix_policyd_t) - + -miscfiles_read_localization(postfix_policyd_t) - sysnet_dns_name_resolve(postfix_policyd_t) @@ -77516,55 +77516,55 @@ index b9e71b537..a7502cd0e 100644 --- a/postgrey.if +++ b/postgrey.if @@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',` - type postgrey_var_run_t, postgrey_t, postgrey_spool_t; - ') - + type postgrey_var_run_t, postgrey_t, postgrey_spool_t; + ') + + stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) - files_search_pids($1) - files_search_spool($1) + files_search_pids($1) + files_search_spool($1) - stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t) ') - + ######################################## 
@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',` # interface(`postgrey_admin',` - gen_require(` + gen_require(` - type postgrey_t, postgrey_etc_t, postgrey_spool_t; - type postgrey_var_lib_t, postgrey_var_run_t; - type postgrey_initrc_exec_t; + type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t; + type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t; - ') - + ') + - allow $1 postgrey_t:process { ptrace signal_perms }; + allow $1 postgrey_t:process signal_perms; - ps_process_pattern($1, postgrey_t) - + ps_process_pattern($1, postgrey_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 postgrey_t:process ptrace; + ') + - init_labeled_script_domtrans($1, postgrey_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 postgrey_initrc_exec_t system_r; + init_labeled_script_domtrans($1, postgrey_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te index fd58805e5..fbb01fc23 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; init_script_file(postgrey_initrc_exec_t) - + type postgrey_spool_t; -files_type(postgrey_spool_t) +files_spool_file(postgrey_spool_t) - + type postgrey_var_lib_t; files_type(postgrey_var_lib_t) @@ -29,7 +29,7 @@ files_pid_file(postgrey_var_run_t) # Local policy # - + -allow postgrey_t self:capability { chown dac_override setgid setuid }; +allow postgrey_t self:capability { chown dac_read_search dac_override setgid setuid }; dontaudit postgrey_t self:capability sys_tty_config; @@ -77575,42 +77575,42 @@ index fd58805e5..fbb01fc23 100644 manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) +allow postgrey_t postgrey_spool_t:file map; - + manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) 
@@ -55,9 +56,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) kernel_read_system_state(postgrey_t) kernel_read_kernel_sysctls(postgrey_t) - + -corecmd_search_bin(postgrey_t) +auth_use_nsswitch(postgrey_t) + +corecmd_exec_bin(postgrey_t) - + -corenet_all_recvfrom_unlabeled(postgrey_t) corenet_all_recvfrom_netlabel(postgrey_t) corenet_tcp_sendrecv_generic_if(postgrey_t) corenet_tcp_sendrecv_generic_node(postgrey_t) @@ -72,17 +74,15 @@ dev_read_sysfs(postgrey_t) - + domain_use_interactive_fds(postgrey_t) - + -files_read_etc_files(postgrey_t) files_read_etc_runtime_files(postgrey_t) -files_read_usr_files(postgrey_t) files_getattr_tmp_dirs(postgrey_t) - + fs_getattr_all_fs(postgrey_t) fs_search_auto_mountpoints(postgrey_t) - + -logging_send_syslog_msg(postgrey_t) +auth_read_passwd(postgrey_t) - + -miscfiles_read_localization(postgrey_t) +logging_send_syslog_msg(postgrey_t) - + sysnet_read_config(postgrey_t) - + diff --git a/ppp.fc b/ppp.fc index efcb6532d..ff2c96adb 100644 --- a/ppp.fc @@ -77621,7 +77621,7 @@ index efcb6532d..ff2c96adb 100644 +# /etc +# +/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - + -/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) +/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) +/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) @@ -77630,7 +77630,7 @@ index efcb6532d..ff2c96adb 100644 +/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) +# Fix /etc/ppp {up,down} family scripts (see man pppd) +/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) - + -/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) -/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) 
@@ -77638,11 +77638,11 @@ index efcb6532d..ff2c96adb 100644 -/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) -/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0) +/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) - + -/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) -/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) +/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0) - + -/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0) -/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) -/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) @@ -77653,7 +77653,7 @@ index efcb6532d..ff2c96adb 100644 +# +/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) +/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0) - + -/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) - -/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) @@ -77667,7 +77667,7 @@ index efcb6532d..ff2c96adb 100644 +/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0) +/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0) +/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0) - + +# +# /var +# @@ -77690,7 +77690,7 @@ index cd8b8b9cb..ad8424ba3 100644 @@ -1,110 +1,91 @@ -## Point to Point Protocol daemon creates links in ppp networks. +## Point to Point Protocol daemon creates links in ppp networks - + -######################################## -## -## Role access for ppp. @@ -77734,13 +77734,13 @@ index cd8b8b9cb..ad8424ba3 100644 + gen_require(` + type ppp_home_t; + ') - + - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file manage_file_perms; + userdom_search_user_home_dirs($1) + allow $1 ppp_home_t:file manage_file_perms; ') - + -######################################## +####################################### ## 
@@ -77761,16 +77761,16 @@ index cd8b8b9cb..ad8424ba3 100644 - type ppp_home_t; + gen_require(` + type ppp_home_t; - + - ') + ') - + - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file read_file_perms; + userdom_search_user_home_dirs($1) + allow $1 ppp_home_t:file read_file_perms; ') - + -######################################## +####################################### ## @@ -77793,13 +77793,13 @@ index cd8b8b9cb..ad8424ba3 100644 + gen_require(` + type ppp_home_t; + ') - + - userdom_search_user_home_dirs($1) - allow $1 ppp_home_t:file relabel_file_perms; + userdom_search_user_home_dirs($1) + allow $1 ppp_home_t:file relabel_file_perms; ') - + -######################################## +####################################### ## @@ -77840,11 +77840,11 @@ index cd8b8b9cb..ad8424ba3 100644 + gen_require(` + type ppp_home_t; + ') - + - userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) + userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3) ') - + ######################################## @@ -128,7 +109,7 @@ interface(`ppp_use_fds',` ######################################## @@ -77856,7 +77856,7 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',` - + ######################################## ## -## Send child terminated signals to ppp. @@ -77865,7 +77865,7 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -165,7 +146,7 @@ interface(`ppp_sigchld',` - + ######################################## ## -## Send kill signals to ppp. @@ -77879,10 +77879,10 @@ index cd8b8b9cb..ad8424ba3 100644 # -# interface(`ppp_kill',` - gen_require(` - type pppd_t; + gen_require(` + type pppd_t; @@ -184,7 +164,7 @@ interface(`ppp_kill',` - + ######################################## ## -## Send generic signals to ppp. @@ -77891,7 +77891,7 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -202,7 +182,7 @@ interface(`ppp_signal',` - + ######################################## ## -## Send null signals to ppp. 
@@ -77900,7 +77900,7 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -220,7 +200,7 @@ interface(`ppp_signull',` - + ######################################## ## -## Execute pppd in the pppd domain. @@ -77909,7 +77909,7 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -239,8 +219,7 @@ interface(`ppp_domtrans',` - + ######################################## ## -## Conditionally execute pppd on @@ -77928,7 +77928,7 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -268,8 +247,7 @@ interface(`ppp_run_cond',` - + ######################################## ## -## Unconditionally execute ppp daemon @@ -77947,7 +77947,7 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -294,7 +272,7 @@ interface(`ppp_run',` - + ######################################## ## -## Execute domain in the caller domain. @@ -77956,14 +77956,14 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -326,13 +304,13 @@ interface(`ppp_read_config',` - type pppd_etc_t; - ') - + type pppd_etc_t; + ') + - files_search_etc($1) - read_files_pattern($1, pppd_etc_t, pppd_etc_t) + read_files_pattern($1, pppd_etc_t, pppd_etc_t) + files_search_etc($1) ') - + ######################################## ## -## Read ppp writable configuration content. @@ -77972,17 +77972,17 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',` - type pppd_etc_t, pppd_etc_rw_t; - ') - + type pppd_etc_t, pppd_etc_rw_t; + ') + - files_search_etc($1) - allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms; + allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_etc_rw_t:file read_file_perms; + allow $1 pppd_etc_rw_t:file read_file_perms; - allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms; + files_search_etc($1) ') - + ######################################## ## -## Read ppp secret files. @@ -77991,16 +77991,16 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## 
@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',` - type pppd_etc_t, pppd_secret_t; - ') - + type pppd_etc_t, pppd_secret_t; + ') + - files_search_etc($1) - allow $1 pppd_etc_t:dir list_dir_perms; - allow $1 pppd_secret_t:file read_file_perms; + allow $1 pppd_etc_t:dir list_dir_perms; + allow $1 pppd_secret_t:file read_file_perms; - allow $1 pppd_etc_t:lnk_file read_lnk_file_perms; + files_search_etc($1) ') - + ######################################## ## -## Read ppp pid files. @@ -78009,13 +78009,13 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',` - ') - - files_search_pids($1) + ') + + files_search_pids($1) - allow $1 pppd_var_run_t:file read_file_perms; + read_files_pattern($1, pppd_var_run_t, pppd_var_run_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -78025,13 +78025,13 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',` - ') - - files_search_pids($1) + ') + + files_search_pids($1) - allow $1 pppd_var_run_t:file manage_file_perms; + manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t) ') - + ######################################## ## -## Create specified pppd pid objects @@ -78055,14 +78055,14 @@ index cd8b8b9cb..ad8424ba3 100644 -## # interface(`ppp_pid_filetrans',` - gen_require(` - type pppd_var_run_t; - ') - + gen_require(` + type pppd_var_run_t; + ') + - files_pid_filetrans($1, pppd_var_run_t, $2, $3) + files_pid_filetrans($1, pppd_var_run_t, file) ') - + ######################################## ## -## Execute pppd init script in @@ -78072,7 +78072,7 @@ index cd8b8b9cb..ad8424ba3 100644 ## ## @@ -461,31 +424,82 @@ interface(`ppp_initrc_domtrans',` - + ######################################## ## -## All of the rules required to 
@@ -78139,12 +78139,12 @@ index cd8b8b9cb..ad8424ba3 100644 ## # interface(`ppp_admin',` - gen_require(` - type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; + gen_require(` + type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; - type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t; - type pppd_var_run_t, pppd_initrc_exec_t; + type pppd_etc_t, pppd_secret_t, pppd_var_run_t; - type pptp_t, pptp_log_t, pptp_var_run_t; + type pptp_t, pptp_log_t, pptp_var_run_t; + type pppd_initrc_exec_t, pppd_etc_rw_t; + type pppd_unit_file_t; + ') @@ -78154,34 +78154,34 @@ index cd8b8b9cb..ad8424ba3 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 pppd_t:process ptrace; + allow $1 pptp_t:process ptrace; - ') - + ') + - allow $1 { pptp_t pppd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { pptp_t pppd_t }) + allow $1 pptp_t:process signal_perms; + ps_process_pattern($1, pptp_t) - - ppp_initrc_domtrans($1) - domain_system_change_exemption($1) + + ppp_initrc_domtrans($1) + domain_system_change_exemption($1) @@ -496,14 +510,26 @@ interface(`ppp_admin',` - admin_pattern($1, pppd_tmp_t) - - logging_list_logs($1) + admin_pattern($1, pppd_tmp_t) + + logging_list_logs($1) - admin_pattern($1, { pptp_log_t pppd_log_t }) + admin_pattern($1, pppd_log_t) - - files_list_locks($1) - admin_pattern($1, pppd_lock_t) - - files_list_etc($1) + + files_list_locks($1) + admin_pattern($1, pppd_lock_t) + + files_list_etc($1) - admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t }) + admin_pattern($1, pppd_etc_t) + + admin_pattern($1, pppd_etc_rw_t) + + admin_pattern($1, pppd_secret_t) - - files_list_pids($1) + + files_list_pids($1) - admin_pattern($1, { pptp_var_run_t pppd_var_run_t }) + admin_pattern($1, pppd_var_run_t) + @@ -78199,7 +78199,7 @@ index d616ca3e3..7910fb889 100644 +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) # - + ## -##

    -## Determine whether pppd can @@ -78210,7 +78210,7 @@ index d616ca3e3..7910fb889 100644 +##

    ##
    gen_tunable(pppd_can_insmod, false) - + ## -##

    -## Determine whether common users can @@ -78221,10 +78221,10 @@ index d616ca3e3..7910fb889 100644 +##

    ##
    gen_tunable(pppd_for_user, false) - + attribute_role pppd_roles; -attribute_role pptp_roles; - + +# pppd_t is the domain for the pppd program. +# pppd_exec_t is the type of the pppd executable. type pppd_t; @@ -78232,28 +78232,28 @@ index d616ca3e3..7910fb889 100644 init_daemon_domain(pppd_t, pppd_exec_t) role pppd_roles types pppd_t; +role system_r types pppd_t; - + type pppd_devpts_t; term_pty(pppd_devpts_t) - + +# Define a separate type for /etc/ppp type pppd_etc_t; files_config_file(pppd_etc_t) - + +# Define a separate type for writable files under /etc/ppp type pppd_etc_rw_t; files_type(pppd_etc_rw_t) - + type pppd_initrc_exec_t alias pppd_script_exec_t; init_script_file(pppd_initrc_exec_t) - + +type pppd_unit_file_t; +systemd_unit_file(pppd_unit_file_t) + +# pppd_secret_t is the type of the pap and chap password files type pppd_secret_t; files_type(pppd_secret_t) - + @@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t) type pptp_t; type pptp_exec_t; @@ -78261,13 +78261,13 @@ index d616ca3e3..7910fb889 100644 -role pptp_roles types pptp_t; +#role pppd_roles types pptp_t; +role system_r types pptp_t; - + type pptp_log_t; logging_log_file(pptp_log_t) @@ -67,54 +74,61 @@ logging_log_file(pptp_log_t) type pptp_var_run_t; files_pid_file(pptp_var_run_t) - + -type ppp_home_t; -userdom_user_home_content(ppp_home_t) - @@ -78276,7 +78276,7 @@ index d616ca3e3..7910fb889 100644 -# PPPD local policy +# PPPD Local policy # - + -allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice }; +allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search dac_override sys_nice sys_chroot }; dontaudit pppd_t self:capability sys_tty_config; 
@@ -78293,35 +78293,35 @@ index d616ca3e3..7910fb889 100644 +allow pppd_t self:tcp_socket create_stream_socket_perms; +allow pppd_t self:udp_socket { connect connected_socket_perms }; allow pppd_t self:packet_socket create_socket_perms; - + +domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) + allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - + allow pppd_t pppd_etc_t:dir rw_dir_perms; -allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms; +allow pppd_t pppd_etc_t:file read_file_perms; allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms; - + manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t) +# Automatically label newly created files under /etc/ppp with this type filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file) - + -allow pppd_t pppd_lock_t:file manage_file_perms; -files_lock_filetrans(pppd_t, pppd_lock_t, file) +manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t) +files_lock_filetrans(pppd_t, pppd_lock_t, dir) +files_search_locks(pppd_t) - + -allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t) logging_log_filetrans(pppd_t, pppd_log_t, file) - + manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t) -files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file}) +files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir }) - + manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) +manage_sock_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t) @@ -78331,13 +78331,13 @@ index d616ca3e3..7910fb889 100644 - -domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) +allow pppd_t pppd_var_run_t:file map; - + allow pppd_t pptp_t:process signal; - + +# for SSP +# Access secret files allow pppd_t pppd_secret_t:file read_file_perms; - + +ppp_initrc_domtrans(pppd_t) + kernel_read_kernel_sysctls(pppd_t) 
@@ -78345,12 +78345,12 @@ index d616ca3e3..7910fb889 100644 kernel_rw_net_sysctls(pppd_t) @@ -122,10 +136,10 @@ kernel_read_network_state(pppd_t) kernel_request_load_module(pppd_t) - + dev_read_urand(pppd_t) +dev_search_sysfs(pppd_t) dev_read_sysfs(pppd_t) dev_rw_modem(pppd_t) - + -corenet_all_recvfrom_unlabeled(pppd_t) corenet_all_recvfrom_netlabel(pppd_t) corenet_tcp_sendrecv_generic_if(pppd_t) @@ -78363,7 +78363,7 @@ index d616ca3e3..7910fb889 100644 +corenet_tcp_connect_http_port(pppd_t) +# Access /dev/ppp. corenet_rw_ppp_dev(pppd_t) - + +fs_getattr_all_fs(pppd_t) +fs_search_auto_mountpoints(pppd_t) + @@ -78378,15 +78378,15 @@ index d616ca3e3..7910fb889 100644 +# allow running ip-up and ip-down scripts and running chat. corecmd_exec_bin(pppd_t) corecmd_exec_shell(pppd_t) - + @@ -147,36 +174,31 @@ files_exec_etc_files(pppd_t) files_manage_etc_runtime_files(pppd_t) files_dontaudit_write_etc_files(pppd_t) - + -fs_getattr_all_fs(pppd_t) -fs_search_auto_mountpoints(pppd_t) +# for scripts - + -term_use_unallocated_ttys(pppd_t) -term_setattr_unallocated_ttys(pppd_t) -term_ioctl_generic_ptys(pppd_t) @@ -78398,23 +78398,23 @@ index d616ca3e3..7910fb889 100644 -init_signal_script(pppd_t) init_dontaudit_write_utmp(pppd_t) +init_signal_script(pppd_t) - + -auth_run_chk_passwd(pppd_t, pppd_roles) auth_use_nsswitch(pppd_t) +auth_domtrans_chk_passwd(pppd_t) +#auth_run_chk_passwd(pppd_t,pppd_roles) auth_write_login_records(pppd_t) - + logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) - + -miscfiles_read_localization(pppd_t) - sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) +sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf") - + -userdom_use_user_terminals(pppd_t) +userdom_use_inherited_user_terminals(pppd_t) userdom_dontaudit_use_unpriv_user_fds(pppd_t) 
@@ -78422,32 +78422,32 @@ index d616ca3e3..7910fb889 100644 +userdom_search_admin_dir(pppd_t) + +ppp_exec(pppd_t) - + optional_policy(` - ddclient_run(pppd_t, pppd_roles) + ddclient_run(pppd_t, pppd_roles) @@ -186,11 +208,13 @@ optional_policy(` - l2tpd_dgram_send(pppd_t) - l2tpd_rw_socket(pppd_t) - l2tpd_stream_connect(pppd_t) + l2tpd_dgram_send(pppd_t) + l2tpd_rw_socket(pppd_t) + l2tpd_stream_connect(pppd_t) + l2tpd_read_pid_files(pppd_t) + l2tpd_dbus_chat(pppd_t) ') - + optional_policy(` - tunable_policy(`pppd_can_insmod',` + tunable_policy(`pppd_can_insmod',` - modutils_domtrans_insmod(pppd_t) + modutils_domtrans_insmod_uncond(pppd_t) - ') + ') ') - + @@ -218,16 +242,19 @@ optional_policy(` - + ######################################## # -# PPTP local policy +# PPTP Local policy # - + allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin }; dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:process signal; @@ -78460,7 +78460,7 @@ index d616ca3e3..7910fb889 100644 +allow pptp_t self:tcp_socket create_socket_perms; +allow pptp_t self:udp_socket create_socket_perms; +allow pptp_t self:netlink_route_socket rw_netlink_socket_perms; - + allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; @@ -236,45 +263,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; 
@@ -78468,14 +78468,14 @@ index d616ca3e3..7910fb889 100644 allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; +can_exec(pptp_t, pppd_etc_rw_t) - + +# Allow pptp to append to pppd log files allow pptp_t pppd_log_t:file append_file_perms; - + -allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) - + +manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t) @@ -78483,19 +78483,19 @@ index d616ca3e3..7910fb889 100644 - -can_exec(pptp_t, pppd_etc_rw_t) +files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir }) - + +kernel_list_proc(pptp_t) kernel_read_kernel_sysctls(pptp_t) kernel_read_network_state(pptp_t) +kernel_read_proc_symlinks(pptp_t) kernel_read_system_state(pptp_t) kernel_signal(pptp_t) - + +dev_read_sysfs(pptp_t) + corecmd_exec_shell(pptp_t) corecmd_read_bin_symlinks(pptp_t) - + -corenet_all_recvfrom_unlabeled(pptp_t) corenet_all_recvfrom_netlabel(pptp_t) corenet_tcp_sendrecv_generic_if(pptp_t) @@ -78512,57 +78512,57 @@ index d616ca3e3..7910fb889 100644 - -corenet_sendrecv_pptp_client_packets(pptp_t) corenet_tcp_connect_pptp_port(pptp_t) - + -dev_read_sysfs(pptp_t) - -domain_use_interactive_fds(pptp_t) - fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) - + @@ -282,12 +307,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) - + +domain_use_interactive_fds(pptp_t) + auth_use_nsswitch(pptp_t) - + logging_send_syslog_msg(pptp_t) - + -miscfiles_read_localization(pptp_t) - sysnet_exec_ifconfig(pptp_t) - + userdom_dontaudit_use_unpriv_user_fds(pptp_t) 
@@ -298,6 +323,10 @@ optional_policy(` - consoletype_exec(pppd_t) + consoletype_exec(pppd_t) ') - + +optional_policy(` + gnome_dontaudit_search_config(pppd_t) +') + optional_policy(` - dbus_system_domain(pppd_t, pppd_exec_t) - + dbus_system_domain(pppd_t, pppd_exec_t) + diff --git a/prelink.fc b/prelink.fc index a90d6231f..62af9a4a0 100644 --- a/prelink.fc +++ b/prelink.fc @@ -1,11 +1,11 @@ /etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0) - + -/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) +/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0) - + /usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0) - + -/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) -/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) +/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0) +/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0) - + -/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) -/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0) +/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0) @@ -78572,7 +78572,7 @@ index 20d469793..e6605c100 100644 --- a/prelink.if +++ b/prelink.if @@ -2,7 +2,7 @@ - + ######################################## ## -## Execute prelink in the prelink domain. @@ -78581,17 +78581,17 @@ index 20d469793..e6605c100 100644 ## ## 
@@ -18,15 +18,15 @@ interface(`prelink_domtrans',` - corecmd_search_bin($1) - domtrans_pattern($1, prelink_exec_t, prelink_t) - + corecmd_search_bin($1) + domtrans_pattern($1, prelink_exec_t, prelink_t) + - ifdef(`hide_broken_symptoms',` + ifdef(`hide_broken_symptoms', ` - dontaudit prelink_t $1:socket_class_set { read write }; + dontaudit prelink_t $1:socket_class_set { read write }; - dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms; + dontaudit prelink_t $1:fifo_file setattr; - ') + ') ') - + ######################################## ## -## Execute prelink in the caller domain. @@ -78600,7 +78600,7 @@ index 20d469793..e6605c100 100644 ## ## @@ -45,9 +45,7 @@ interface(`prelink_exec',` - + ######################################## ## -## Execute prelink in the prelink @@ -78621,16 +78621,16 @@ index 20d469793..e6605c100 100644 ## # interface(`prelink_run',` - gen_require(` + gen_require(` - attribute_role prelink_roles; + type prelink_t; - ') - - prelink_domtrans($1) + ') + + prelink_domtrans($1) - roleattribute $2 prelink_roles; + role $2 types prelink_t; ') - + ######################################## @@ -80,6 +78,7 @@ interface(`prelink_run',` ## @@ -78638,10 +78638,10 @@ index 20d469793..e6605c100 100644 # +# cjp: added for misc non-entrypoint objects interface(`prelink_object_file',` - gen_require(` - attribute prelink_object; + gen_require(` + attribute prelink_object; @@ -90,7 +89,7 @@ interface(`prelink_object_file',` - + ######################################## ## -## Read prelink cache files. @@ -78650,7 +78650,7 @@ index 20d469793..e6605c100 100644 ## ## @@ -109,7 +108,7 @@ interface(`prelink_read_cache',` - + ######################################## ## -## Delete prelink cache files. @@ -78659,17 +78659,17 @@ index 20d469793..e6605c100 100644 ## ## 
@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',` - type prelink_cache_t; - ') - + type prelink_cache_t; + ') + + allow $1 prelink_cache_t:file unlink; - files_rw_etc_dirs($1) + files_rw_etc_dirs($1) - allow $1 prelink_cache_t:file delete_file_perms; ') - + ######################################## @@ -168,7 +167,7 @@ interface(`prelink_manage_lib',` - + ######################################## ## -## Relabel from prelink lib files. @@ -78678,7 +78678,7 @@ index 20d469793..e6605c100 100644 ## ## @@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',` - + ######################################## ## -## Relabel prelink lib files. @@ -78687,8 +78687,8 @@ index 20d469793..e6605c100 100644 ## ## @@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',` - files_search_var_lib($1) - relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) + files_search_var_lib($1) + relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t) ') + +######################################## @@ -78713,9 +78713,9 @@ index 8e262163b..6facb3465 100644 --- a/prelink.te +++ b/prelink.te @@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0) - + attribute prelink_object; - + -attribute_role prelink_roles; - type prelink_t; @@ -78723,55 +78723,55 @@ index 8e262163b..6facb3465 100644 init_system_domain(prelink_t, prelink_exec_t) domain_obj_id_change_exemption(prelink_t) -role prelink_roles types prelink_t; - + type prelink_cache_t; files_type(prelink_cache_t) 
@@ -40,31 +37,34 @@ files_type(prelink_var_lib_t) # Local policy # - + -allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource }; +allow prelink_t self:capability { chown dac_read_search dac_override fowner fsetid setfcap sys_resource }; allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; - + allow prelink_t prelink_cache_t:file manage_file_perms; files_etc_filetrans(prelink_t, prelink_cache_t, file) - + -allow prelink_t prelink_log_t:dir setattr_dir_perms; +allow prelink_t prelink_log_t:dir setattr; create_files_pattern(prelink_t, prelink_log_t, prelink_log_t) append_files_pattern(prelink_t, prelink_log_t, prelink_log_t) read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t) logging_log_filetrans(prelink_t, prelink_log_t, file) - + -allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; +allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; files_tmp_filetrans(prelink_t, prelink_tmp_t, file) - + -allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod }; +allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod }; fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file) - + manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t) files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file }) +files_search_var_lib(prelink_t) - + -allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms }; +# prelink misc objects that are not system +# libraries or entrypoints +allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms }; - + kernel_read_system_state(prelink_t) kernel_read_kernel_sysctls(prelink_t) 
@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_bin_symlinks(prelink_t) - + dev_read_urand(prelink_t) +dev_getattr_all_chr_files(prelink_t) - + -files_getattr_all_files(prelink_t) files_list_all(prelink_t) +files_getattr_all_files(prelink_t) @@ -78786,15 +78786,15 @@ index 8e262163b..6facb3465 100644 -files_search_var_lib(prelink_t) -files_write_non_security_dirs(prelink_t) -files_dontaudit_read_all_symlinks(prelink_t) - + -fs_getattr_all_fs(prelink_t) -fs_search_auto_mountpoints(prelink_t) - -selinux_get_enforce_mode(prelink_t) +fs_getattr_xattr_fs(prelink_t) - + storage_getattr_fixed_disk_dev(prelink_t) - + +selinux_get_enforce_mode(prelink_t) + libs_exec_ld_so(prelink_t) @@ -78803,9 +78803,9 @@ index 8e262163b..6facb3465 100644 @@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t) libs_relabel_shared_libs(prelink_t) libs_delete_lib_symlinks(prelink_t) - + -miscfiles_read_localization(prelink_t) - + -userdom_use_user_terminals(prelink_t) -userdom_manage_user_home_content_files(prelink_t) -# pending @@ -78816,11 +78816,11 @@ index 8e262163b..6facb3465 100644 +userdom_relabel_user_home_files(prelink_t) +userdom_execmod_user_home_files(prelink_t) userdom_exec_user_home_content_files(prelink_t) - + -ifdef(`hide_broken_symptoms',` - miscfiles_read_man_pages(prelink_t) +systemd_read_unit_files(prelink_t) - + - optional_policy(` - dbus_read_config(prelink_t) - ') @@ -78836,86 +78836,86 @@ index 8e262163b..6facb3465 100644 - fs_manage_cifs_files(prelink_t) -') +term_use_all_inherited_terms(prelink_t) - + optional_policy(` - amanda_manage_lib(prelink_t) + amanda_manage_lib(prelink_t) 
@@ -138,11 +120,12 @@ optional_policy(` ') - + optional_policy(` + gnome_dontaudit_read_config(prelink_t) - gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) + gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) ') - + optional_policy(` - mozilla_manage_plugin_rw_files(prelink_t) + mozilla_plugin_manage_rw_files(prelink_t) ') - + optional_policy(` @@ -155,17 +138,18 @@ optional_policy(` - + ######################################## # -# Cron system local policy +# Prelink Cron system Policy # - + optional_policy(` - allow prelink_cron_system_t self:capability setuid; - allow prelink_cron_system_t self:process { setsched setfscreate signal }; - allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; + allow prelink_cron_system_t self:capability setuid; + allow prelink_cron_system_t self:process { setsched setfscreate signal }; + allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms; - allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms; + allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; - - read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) + + read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) - allow prelink_cron_system_t prelink_cache_t:file delete_file_perms; + allow prelink_cron_system_t prelink_cache_t:file unlink; + files_delete_etc_dir_entry(prelink_cron_system_t) - - domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) - allow prelink_cron_system_t prelink_t:process noatsecure; + + domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) + allow prelink_cron_system_t prelink_t:process noatsecure; 
@@ -174,7 +158,7 @@ optional_policy(` - - manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) - files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) + + manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t) + files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file) - allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms; + allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto }; - - kernel_read_system_state(prelink_cron_system_t) - + + kernel_read_system_state(prelink_cron_system_t) + 
@@ -184,23 +168,36 @@ optional_policy(` - dev_list_sysfs(prelink_cron_system_t) - dev_read_sysfs(prelink_cron_system_t) - + dev_list_sysfs(prelink_cron_system_t) + dev_read_sysfs(prelink_cron_system_t) + - files_rw_etc_dirs(prelink_cron_system_t) - files_dontaudit_search_all_mountpoints(prelink_cron_system_t) + files_dontaudit_search_all_mountpoints(prelink_cron_system_t) + files_search_var_lib(prelink_cron_system_t) + files_dontaudit_list_non_security(prelink_cron_system_t) + + fs_search_cgroup_dirs(prelink_cron_system_t) - - auth_use_nsswitch(prelink_cron_system_t) - - init_telinit(prelink_cron_system_t) - init_exec(prelink_cron_system_t) + + auth_use_nsswitch(prelink_cron_system_t) + + init_telinit(prelink_cron_system_t) + init_exec(prelink_cron_system_t) + init_reload_services(prelink_cron_system_t) - - libs_exec_ld_so(prelink_cron_system_t) - - logging_search_logs(prelink_cron_system_t) - + + libs_exec_ld_so(prelink_cron_system_t) + + logging_search_logs(prelink_cron_system_t) + - miscfiles_read_localization(prelink_cron_system_t) + init_stream_connect(prelink_cron_system_t) + - - cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) - + + cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) + + userdom_dontaudit_list_admin_dir(prelink_cron_system_t) + - optional_policy(` - rpm_read_db(prelink_cron_system_t) - ') + optional_policy(` + rpm_read_db(prelink_cron_system_t) + ') ') + +ifdef(`hide_broken_symptoms', ` @@ -78928,14 +78928,14 @@ index 8dbc76372..b580f852b 100644 --- a/prelude.fc +++ b/prelude.fc @@ -12,7 +12,7 @@ - + /usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) - + -/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) +/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:prewikka_script_exec_t,s0) - + /var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) - + 
diff --git a/prelude.if b/prelude.if index c83a838d7..f41a4f7dd 100644 --- a/prelude.if @@ -78943,7 +78943,7 @@ index c83a838d7..f41a4f7dd 100644 @@ -1,13 +1,13 @@ -## Prelude hybrid intrusion detection system. +## Prelude hybrid intrusion detection system - + ######################################## ## ## Execute a domain transition to run prelude. @@ -78958,13 +78958,13 @@ index c83a838d7..f41a4f7dd 100644 # interface(`prelude_domtrans',` @@ -15,19 +15,17 @@ interface(`prelude_domtrans',` - type prelude_t, prelude_exec_t; - ') - + type prelude_t, prelude_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, prelude_exec_t, prelude_t) + domtrans_pattern($1, prelude_exec_t, prelude_t) ') - + ######################################## ## -## Execute a domain transition to @@ -78981,13 +78981,13 @@ index c83a838d7..f41a4f7dd 100644 # interface(`prelude_domtrans_audisp',` @@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',` - type prelude_audisp_t, prelude_audisp_exec_t; - ') - + type prelude_audisp_t, prelude_audisp_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) + domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) ') - + ######################################## ## -## Send generic signals to prelude audisp. @@ -79004,7 +79004,7 @@ index c83a838d7..f41a4f7dd 100644 # interface(`prelude_signal_audisp',` @@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',` - + ######################################## ## -## Read prelude spool files. @@ -79013,7 +79013,7 @@ index c83a838d7..f41a4f7dd 100644 ## ## @@ -78,13 +75,12 @@ interface(`prelude_read_spool',` - + ######################################## ## -## Create, read, write, and delete @@ -79030,12 +79030,12 @@ index c83a838d7..f41a4f7dd 100644 # interface(`prelude_manage_spool',` 
@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',` - + ######################################## ## -## All of the rules required to -## administrate an prelude environment. -+## All of the rules required to administrate ++## All of the rules required to administrate +## an prelude environment ## ## @@ -79043,7 +79043,7 @@ index c83a838d7..f41a4f7dd 100644 @@ -116,32 +112,42 @@ interface(`prelude_manage_spool',` # interface(`prelude_admin',` - gen_require(` + gen_require(` - type prelude_t, prelude_spool_t, prelude_lml_var_run_t; - type prelude_var_run_t, prelude_var_lib_t, prelude_log_t; - type prelude_audisp_t, prelude_audisp_var_run_t; @@ -79052,8 +79052,8 @@ index c83a838d7..f41a4f7dd 100644 + type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t; + type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t; + type prelude_lml_t; - ') - + ') + - allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }) + allow $1 prelude_t:process signal_perms; 
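Review bot: In the `prelude_admin` rewrite the combined `allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms }` line becomes a per-domain `allow $1 prelude_t:process signal_perms;`, and no replacement for `ptrace` is visible in this hunk. The `privoxy_admin` and `psad_admin` hunks later in this patch gate the same permission with `tunable_policy(`deny_ptrace`,`',` allow $1 privoxy_t:process ptrace; ')`; unless the lines omitted between this hunk and the next add an equivalent block for the prelude domains, `prelude_admin` silently loses the ability to ptrace them. If the drop is intentional, a one-line comment next to the `signal_perms` rules saying so would stop the next reader from "fixing" it back. The interface body continues past the end of this hunk.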
@@ -79069,33 +79069,33 @@ index c83a838d7..f41a4f7dd 100644 + + allow $1 prelude_lml_t:process signal_perms; + ps_process_pattern($1, prelude_lml_t) - - init_labeled_script_domtrans($1, prelude_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 prelude_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, prelude_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 prelude_initrc_exec_t system_r; + allow $2 system_r; + - files_search_spool($1) + files_list_spool($1) - admin_pattern($1, prelude_spool_t) - + admin_pattern($1, prelude_spool_t) + - logging_search_logs($1) - admin_pattern($1, prelude_log_t) - - files_search_var_lib($1) + files_list_var_lib($1) - admin_pattern($1, prelude_var_lib_t) - + admin_pattern($1, prelude_var_lib_t) + - files_search_pids($1) - admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t }) + files_list_pids($1) + admin_pattern($1, prelude_var_run_t) + admin_pattern($1, prelude_audisp_var_run_t) + admin_pattern($1, prelude_lml_var_run_t) - + - files_search_tmp($1) + files_list_tmp($1) - admin_pattern($1, prelude_lml_tmp_t) + admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/prelude.te b/prelude.te index 8f4460928..dd7065356 100644 @@ -79103,93 +79103,93 @@ index 8f4460928..dd7065356 100644 +++ b/prelude.te @@ -13,7 +13,7 @@ type prelude_initrc_exec_t; init_script_file(prelude_initrc_exec_t) - + type prelude_spool_t; -files_type(prelude_spool_t) +files_spool_file(prelude_spool_t) - + type prelude_log_t; logging_log_file(prelude_log_t) @@ -54,7 +54,7 @@ files_pid_file(prelude_lml_var_run_t) # Prelude local policy # - + -allow prelude_t self:capability { dac_override sys_tty_config }; +allow prelude_t self:capability { dac_read_search dac_override sys_tty_config }; allow prelude_t self:fifo_file rw_fifo_file_perms; allow prelude_t self:unix_stream_socket { accept listen }; allow prelude_t self:tcp_socket { accept listen }; 
@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t) - + corecmd_search_bin(prelude_t) - + -corenet_all_recvfrom_unlabeled(prelude_t) corenet_all_recvfrom_netlabel(prelude_t) corenet_tcp_sendrecv_generic_if(prelude_t) corenet_tcp_sendrecv_generic_node(prelude_t) @@ -97,7 +96,6 @@ dev_read_rand(prelude_t) dev_read_urand(prelude_t) - + files_read_etc_runtime_files(prelude_t) -files_read_usr_files(prelude_t) files_search_spool(prelude_t) files_search_tmp(prelude_t) - + @@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t) logging_send_audit_msgs(prelude_t) logging_send_syslog_msg(prelude_t) - + -miscfiles_read_localization(prelude_t) - optional_policy(` - mysql_stream_connect(prelude_t) - mysql_tcp_connect(prelude_t) + mysql_stream_connect(prelude_t) + mysql_tcp_connect(prelude_t) @@ -125,7 +121,7 @@ optional_policy(` # Audisp local policy # - + -allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap }; +allow prelude_audisp_t self:capability { dac_read_search dac_override ipc_lock setpcap }; allow prelude_audisp_t self:process { getcap setcap }; allow prelude_audisp_t self:fifo_file rw_fifo_file_perms; allow prelude_audisp_t self:unix_stream_socket { accept listen }; @@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t) - + corecmd_search_bin(prelude_audisp_t) - + -corenet_all_recvfrom_unlabeled(prelude_audisp_t) corenet_all_recvfrom_netlabel(prelude_audisp_t) corenet_tcp_sendrecv_generic_if(prelude_audisp_t) corenet_tcp_sendrecv_generic_node(prelude_audisp_t) @@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t) - + domain_use_interactive_fds(prelude_audisp_t) - + -files_read_etc_files(prelude_audisp_t) files_read_etc_runtime_files(prelude_audisp_t) files_search_spool(prelude_audisp_t) files_search_tmp(prelude_audisp_t) - + logging_send_syslog_msg(prelude_audisp_t) - + -miscfiles_read_localization(prelude_audisp_t) - sysnet_dns_name_resolve(prelude_audisp_t) - + ######################################## 
@@ -171,7 +163,7 @@ sysnet_dns_name_resolve(prelude_audisp_t) # Correlator local policy # - + -allow prelude_correlator_t self:capability dac_override; +allow prelude_correlator_t self:capability { dac_read_search dac_override }; allow prelude_correlator_t self:tcp_socket { accept listen }; - + manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t) @@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t) - + corecmd_search_bin(prelude_correlator_t) - + -corenet_all_recvfrom_unlabeled(prelude_correlator_t) corenet_all_recvfrom_netlabel(prelude_correlator_t) corenet_tcp_sendrecv_generic_if(prelude_correlator_t) @@ -79197,95 +79197,95 @@ index 8f4460928..dd7065356 100644 @@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t) dev_read_rand(prelude_correlator_t) dev_read_urand(prelude_correlator_t) - + -files_read_etc_files(prelude_correlator_t) -files_read_usr_files(prelude_correlator_t) files_search_spool(prelude_correlator_t) - + logging_send_syslog_msg(prelude_correlator_t) - + -miscfiles_read_localization(prelude_correlator_t) - sysnet_dns_name_resolve(prelude_correlator_t) - + ######################################## @@ -211,7 +198,9 @@ sysnet_dns_name_resolve(prelude_correlator_t) # Lml local declarations # - + -allow prelude_lml_t self:capability dac_override; +allow prelude_lml_t self:capability { dac_read_search dac_override }; +allow prelude_lml_t self:tcp_socket { setopt create_socket_perms }; +allow prelude_lml_t self:unix_dgram_socket create_socket_perms; allow prelude_lml_t self:fifo_file rw_fifo_file_perms; allow prelude_lml_t self:unix_stream_socket connectto; - + @@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t) logging_send_syslog_msg(prelude_lml_t) logging_read_generic_logs(prelude_lml_t) - + -miscfiles_read_localization(prelude_lml_t) - userdom_read_all_users_state(prelude_lml_t) - + optional_policy(` 
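Review bot: Every `self:capability` line in this hunk (`prelude_t`, `prelude_audisp_t`, `prelude_correlator_t`, `prelude_lml_t`) gains `dac_read_search` next to the existing `dac_override`, but nothing in the patch records why. As I understand it, newer kernels consult `dac_read_search` before falling back to `dac_override` on read/search checks, so the addition is not a widening of what these domains can already do; a comment at the first occurrence such as `# dac_read_search is checked before dac_override on read/search; keep the pair together` would make that explicit and discourage splitting the pair later. The same pairing recurs in the procmail, psad and publicfile hunks further down, so one note at this first site is enough.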
@@ -278,27 +265,28 @@ optional_policy(` - + optional_policy(` - apache_content_template(prewikka) + apache_content_template(prewikka) + apache_content_alias_template(prewikka, prewikka) - + - can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) + can_exec(prewikka_script_t, prewikka_script_exec_t) - + - files_search_tmp(httpd_prewikka_script_t) + files_search_tmp(prewikka_script_t) - + - kernel_read_sysctl(httpd_prewikka_script_t) - kernel_search_network_sysctl(httpd_prewikka_script_t) + kernel_read_sysctl(prewikka_script_t) + kernel_search_network_sysctl(prewikka_script_t) - + - auth_use_nsswitch(httpd_prewikka_script_t) + auth_use_nsswitch(prewikka_script_t) - + - logging_send_syslog_msg(httpd_prewikka_script_t) + logging_send_syslog_msg(prewikka_script_t) - + - apache_search_sys_content(httpd_prewikka_script_t) + apache_search_sys_content(prewikka_script_t) - - optional_policy(` + + optional_policy(` - mysql_stream_connect(httpd_prewikka_script_t) - mysql_tcp_connect(httpd_prewikka_script_t) + mysql_stream_connect(prewikka_script_t) + mysql_tcp_connect(prewikka_script_t) - ') - - optional_policy(` + ') + + optional_policy(` - postgresql_stream_connect(httpd_prewikka_script_t) - postgresql_tcp_connect(httpd_prewikka_script_t) + postgresql_stream_connect(prewikka_script_t) + postgresql_tcp_connect(prewikka_script_t) - ') + ') ') diff --git a/privoxy.if b/privoxy.if index bdcee30f5..34f314344 100644 --- a/privoxy.if +++ b/privoxy.if 
@@ -23,8 +23,11 @@ interface(`privoxy_admin',` - type privoxy_etc_rw_t, privoxy_var_run_t; - ') - + type privoxy_etc_rw_t, privoxy_var_run_t; + ') + - allow $1 privoxy_t:process { ptrace signal_perms }; + allow $1 privoxy_t:process signal_perms; - ps_process_pattern($1, privoxy_t) + ps_process_pattern($1, privoxy_t) + tunable_policy(`deny_ptrace',`',` + allow $1 privoxy_t:process ptrace; + ') - - init_labeled_script_domtrans($1, privoxy_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, privoxy_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/privoxy.te b/privoxy.te index ec21f80d7..a9f650a1f 100644 --- a/privoxy.te @@ -79293,20 +79293,20 @@ index ec21f80d7..a9f650a1f 100644 @@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t) corenet_tcp_connect_tor_port(privoxy_t) corenet_tcp_sendrecv_tor_port(privoxy_t) - + + dev_read_sysfs(privoxy_t) - + domain_use_interactive_fds(privoxy_t) @@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t) - + logging_send_syslog_msg(privoxy_t) - + -miscfiles_read_localization(privoxy_t) - userdom_dontaudit_use_unpriv_user_fds(privoxy_t) userdom_dontaudit_search_user_home_dirs(privoxy_t) - + diff --git a/procmail.fc b/procmail.fc index bdff6c931..4b36a13de 100644 --- a/procmail.fc 
@@ -79315,13 +79315,13 @@ index bdff6c931..4b36a13de 100644 -HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0) +HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) +/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0) - + /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) - + -/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) -/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) +/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0) -+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) ++/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0) diff --git a/procmail.if b/procmail.if index 00edeab17..cb6c0edbf 100644 --- a/procmail.if @@ -79329,30 +79329,30 @@ index 00edeab17..cb6c0edbf 100644 @@ -1,4 +1,4 @@ -## Procmail mail delivery agent. +## Procmail mail delivery agent - + ######################################## ## @@ -15,8 +15,11 @@ interface(`procmail_domtrans',` - type procmail_exec_t, procmail_t; - ') - + type procmail_exec_t, procmail_t; + ') + + files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, procmail_exec_t, procmail_t) + corecmd_search_bin($1) + domtrans_pattern($1, procmail_exec_t, procmail_t) + + allow $1 procmail_exec_t:file map; ') - + ######################################## @@ -34,101 +37,33 @@ interface(`procmail_exec',` - type procmail_exec_t; - ') - + type procmail_exec_t; + ') + + files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, procmail_exec_t) + corecmd_search_bin($1) + can_exec($1, procmail_exec_t) ') - + ######################################## ## -## Create, read, write, and delete 
@@ -79436,16 +79436,16 @@ index 00edeab17..cb6c0edbf 100644 # -interface(`procmail_home_filetrans_procmail_home',` +interface(`procmail_read_tmp_files',` - gen_require(` + gen_require(` - type procmail_home_t; + type procmail_tmp_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3) + files_search_tmp($1) + allow $1 procmail_tmp_t:file read_file_perms; ') - + ######################################## ## -## Read procmail tmp files. @@ -79459,15 +79459,15 @@ index 00edeab17..cb6c0edbf 100644 # -interface(`procmail_read_tmp_files',` +interface(`procmail_rw_tmp_files',` - gen_require(` - type procmail_tmp_t; - ') - - files_search_tmp($1) + gen_require(` + type procmail_tmp_t; + ') + + files_search_tmp($1) - allow $1 procmail_tmp_t:file read_file_perms; + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) ') - + ######################################## ## -## Read and write procmail tmp files. @@ -79481,11 +79481,11 @@ index 00edeab17..cb6c0edbf 100644 # -interface(`procmail_rw_tmp_files',` +interface(`procmail_read_home_files',` - gen_require(` + gen_require(` - type procmail_tmp_t; + type procmail_home_t; - ') - + ') + - files_search_tmp($1) - rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) + userdom_search_user_home_dirs($1) @@ -79497,17 +79497,17 @@ index cc426e62a..91a1f537e 100644 +++ b/procmail.te @@ -14,7 +14,7 @@ type procmail_home_t; userdom_user_home_content(procmail_home_t) - + type procmail_log_t; -logging_log_file(procmail_log_t) -+logging_log_file(procmail_log_t) - ++logging_log_file(procmail_log_t) + type procmail_tmp_t; files_tmp_file(procmail_tmp_t) @@ -24,13 +24,17 @@ files_tmp_file(procmail_tmp_t) # Local policy # - + -allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override }; +allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search dac_override }; allow procmail_t self:process { setsched signal signull }; 
@@ -79517,10 +79517,10 @@ index cc426e62a..91a1f537e 100644 +allow procmail_t self:unix_dgram_socket create_socket_perms; +allow procmail_t self:tcp_socket create_stream_socket_perms; +allow procmail_t self:udp_socket create_socket_perms; - + -allow procmail_t procmail_home_t:file read_file_perms; +can_exec(procmail_t, procmail_exec_t) - + +# Write log to /var/log/procmail.log or /var/log/procmail/.* allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) @@ -79528,13 +79528,13 @@ index cc426e62a..91a1f537e 100644 @@ -40,83 +44,98 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) - + -can_exec(procmail_t, procmail_exec_t) - +kernel_read_network_state(procmail_t) kernel_read_system_state(procmail_t) kernel_read_kernel_sysctls(procmail_t) - + -corenet_all_recvfrom_unlabeled(procmail_t) corenet_all_recvfrom_netlabel(procmail_t) corenet_tcp_sendrecv_generic_if(procmail_t) @@ -79556,17 +79556,17 @@ index cc426e62a..91a1f537e 100644 - -corecmd_exec_bin(procmail_t) -corecmd_exec_shell(procmail_t) - + +dev_read_rand(procmail_t) dev_read_urand(procmail_t) - + -fs_getattr_all_fs(procmail_t) +fs_getattr_xattr_fs(procmail_t) fs_search_auto_mountpoints(procmail_t) fs_rw_anon_inodefs_files(procmail_t) - + auth_use_nsswitch(procmail_t) - + +corecmd_exec_bin(procmail_t) +corecmd_exec_shell(procmail_t) + @@ -79574,13 +79574,13 @@ index cc426e62a..91a1f537e 100644 -files_read_usr_files(procmail_t) +files_search_pids(procmail_t) +# for spamassasin - + -logging_send_syslog_msg(procmail_t) +application_exec_all(procmail_t) - + -miscfiles_read_localization(procmail_t) +init_read_utmp(procmail_t) - + +logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) + 
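Review bot: `application_exec_all(procmail_t)` lets the procmail domain execute every `application_exec_type` binary in its own domain, and the only explanation is the misspelled `# for spamassasin` comment, which sits above `files_search_pids(procmail_t)` rather than above the rule it presumably explains. Since procmail runs whatever a user's `.procmailrc` recipe pipes to, and this patch also gives `procmail_t` `chown fsetid setuid setgid dac_read_search dac_override`, the grant amounts to "run arbitrary helpers with procmail's capabilities"; if the narrower `spamassassin_domtrans_client(procmail_t)` visible in the later spamassassin optional block does not cover the case, the comment should say what still fails without the broad rule. Suggested replacement: `# procmail recipes exec arbitrary helpers (spamassassin and others) in procmail_t; narrow this if the helper set is known`. `logging_append_all_logs(procmail_t)` a few lines below deserves a similar why-comment.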
@@ -79588,7 +79588,7 @@ index cc426e62a..91a1f537e 100644 +read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) userdom_search_user_home_dirs(procmail_t) +userdom_search_admin_dir(procmail_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(procmail_t) - fs_manage_nfs_files(procmail_t) @@ -79605,7 +79605,7 @@ index cc426e62a..91a1f537e 100644 +userdom_manage_user_tmp_dirs(procmail_t) +userdom_manage_user_tmp_files(procmail_t) +userdom_manage_user_tmp_symlinks(procmail_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(procmail_t) - fs_manage_cifs_files(procmail_t) @@ -79619,7 +79619,7 @@ index cc426e62a..91a1f537e 100644 +ifdef(`hide_broken_symptoms',` + mta_dontaudit_rw_queue(procmail_t) ') - + +userdom_home_manager(procmail_t) + optional_policy(` @@ -79628,13 +79628,13 @@ index cc426e62a..91a1f537e 100644 + antivirus_domtrans(procmail_t) + antivirus_search_db(procmail_t) ') - + optional_policy(` - cyrus_stream_connect(procmail_t) + dovecot_stream_connect(procmail_t) + dovecot_read_config(procmail_t) ') - + optional_policy(` - mta_manage_spool(procmail_t) - mta_read_config(procmail_t) @@ -79644,45 +79644,45 @@ index cc426e62a..91a1f537e 100644 - mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir") + cyrus_stream_connect(procmail_t) ') - + optional_policy(` - munin_dontaudit_search_lib(procmail_t) + gnome_manage_data(procmail_t) ') - + optional_policy(` - nagios_search_spool(procmail_t) + munin_dontaudit_search_lib(procmail_t) ') - + optional_policy(` + # for a bug in the postfix local program - postfix_dontaudit_rw_local_tcp_sockets(procmail_t) - postfix_dontaudit_use_fds(procmail_t) - postfix_read_spool_files(procmail_t) + postfix_dontaudit_rw_local_tcp_sockets(procmail_t) + postfix_dontaudit_use_fds(procmail_t) + postfix_read_spool_files(procmail_t) 
@@ -125,12 +144,19 @@ optional_policy(` - postfix_rw_inherited_master_pipes(procmail_t) + postfix_rw_inherited_master_pipes(procmail_t) ') - + +optional_policy(` + nagios_search_spool(procmail_t) +') + optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) + pyzor_domtrans(procmail_t) + pyzor_signal(procmail_t) ') - + optional_policy(` + mta_read_config(procmail_t) + mta_mailserver_delivery(procmail_t) + mta_manage_home_rw(procmail_t) - sendmail_domtrans(procmail_t) - sendmail_signal(procmail_t) - sendmail_dontaudit_rw_tcp_sockets(procmail_t) + sendmail_domtrans(procmail_t) + sendmail_signal(procmail_t) + sendmail_dontaudit_rw_tcp_sockets(procmail_t) @@ -145,3 +171,8 @@ optional_policy(` - spamassassin_domtrans_client(procmail_t) - spamassassin_read_lib_files(procmail_t) + spamassassin_domtrans_client(procmail_t) + spamassassin_read_lib_files(procmail_t) ') + +optional_policy(` @@ -80076,19 +80076,19 @@ index d4dcf782c..3cce82e50 100644 --- a/psad.if +++ b/psad.if @@ -93,9 +93,8 @@ interface(`psad_manage_config',` - ') - - files_search_etc($1) + ') + + files_search_etc($1) - allow $1 psad_etc_t:dir manage_dir_perms; - allow $1 psad_etc_t:file manage_file_perms; - allow $1 psad_etc_t:lnk_file manage_lnk_file_perms; + manage_dirs_pattern($1, psad_etc_t, psad_etc_t) + manage_files_pattern($1, psad_etc_t, psad_etc_t) ') - + ######################################## @@ -119,7 +118,7 @@ interface(`psad_read_pid_files',` - + ######################################## ## -## Read and write psad pid files. @@ -80097,9 +80097,9 @@ index d4dcf782c..3cce82e50 100644 ## ## @@ -177,6 +176,45 @@ interface(`psad_append_log',` - append_files_pattern($1, psad_var_log_t, psad_var_log_t) + append_files_pattern($1, psad_var_log_t, psad_var_log_t) ') - + +######################################## +## +## Allow the specified domain to write to psad's log files. @@ -80143,9 +80143,9 @@ index d4dcf782c..3cce82e50 100644 ## ## Read and write psad fifo files. 
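Review bot: `mta_read_config`, `mta_mailserver_delivery` and `mta_manage_home_rw` are now the first three lines of the `optional_policy` block whose other members are `sendmail_domtrans`, `sendmail_signal` and `sendmail_dontaudit_rw_tcp_sockets`, whereas the removed code kept the `mta_*` calls in a block of their own. An `optional_policy` block is disabled as a whole when any type it requires is absent, so on a build or system without the sendmail module procmail would also lose its generic MTA delivery rules, which it presumably still needs when the MDA is postfix (handled by the separate postfix block visible above). Keeping the `mta_*` calls in their own block preserves the previous behaviour. The `optional_policy` block is cut at the start of this hunk.

```m4
optional_policy(`
	mta_read_config(procmail_t)
	mta_mailserver_delivery(procmail_t)
	mta_manage_home_rw(procmail_t)
')

optional_policy(`
	sendmail_domtrans(procmail_t)
	# … unchanged: sendmail_signal, sendmail_dontaudit_rw_tcp_sockets …
```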
@@ -196,6 +234,45 @@ interface(`psad_rw_fifo_file',` - rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) + rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t) ') - + +####################################### +## +## Allow setattr to psad fifo files. @@ -80190,45 +80190,45 @@ index d4dcf782c..3cce82e50 100644 ## Read and write psad temporary files. @@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` - gen_require(` - type psad_t, psad_var_run_t, psad_var_log_t; + gen_require(` + type psad_t, psad_var_run_t, psad_var_log_t; - type psad_initrc_exec_t, psad_var_lib_t; + type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t; - type psad_tmp_t; - ') - + type psad_tmp_t; + ') + - allow $1 psad_t:process { ptrace signal_perms }; + allow $1 psad_t:process signal_perms; - ps_process_pattern($1, psad_t) - + ps_process_pattern($1, psad_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 psad_t:process ptrace; + ') + - init_labeled_script_domtrans($1, psad_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 psad_initrc_exec_t system_r; - allow $2 system_r; - + init_labeled_script_domtrans($1, psad_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 psad_initrc_exec_t system_r; + allow $2 system_r; + - files_search_etc($1) + files_list_etc($1) - admin_pattern($1, psad_etc_t) - + admin_pattern($1, psad_etc_t) + - files_search_pids($1) + files_list_pids($1) - admin_pattern($1, psad_var_run_t) - + admin_pattern($1, psad_var_run_t) + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, psad_var_log_t) - + admin_pattern($1, psad_var_log_t) + - files_search_var_lib($1) + files_list_var_lib($1) - admin_pattern($1, psad_var_lib_t) - + admin_pattern($1, psad_var_lib_t) + - files_search_tmp($1) + files_list_tmp($1) - admin_pattern($1, psad_tmp_t) + admin_pattern($1, psad_tmp_t) ') diff --git a/psad.te b/psad.te index b5d717b09..e716d9d2c 100644 
@@ -80237,7 +80237,7 @@ index b5d717b09..e716d9d2c 100644 @@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t) # Local policy # - + -allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; +allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search dac_override }; dontaudit psad_t self:capability sys_tty_config; @@ -80246,30 +80246,30 @@ index b5d717b09..e716d9d2c 100644 @@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t) corecmd_exec_bin(psad_t) corecmd_exec_shell(psad_t) - + -corenet_all_recvfrom_unlabeled(psad_t) corenet_all_recvfrom_netlabel(psad_t) corenet_tcp_sendrecv_generic_if(psad_t) corenet_tcp_sendrecv_generic_node(psad_t) @@ -77,8 +76,9 @@ corenet_tcp_sendrecv_whois_port(psad_t) - + dev_read_urand(psad_t) - + +domain_read_all_domains_state(psad_t) + files_read_etc_runtime_files(psad_t) -files_read_usr_files(psad_t) - + fs_getattr_all_fs(psad_t) - + @@ -88,8 +88,6 @@ logging_read_generic_logs(psad_t) logging_read_syslog_config(psad_t) logging_send_syslog_msg(psad_t) - + -miscfiles_read_localization(psad_t) - sysnet_exec_ifconfig(psad_t) - + optional_policy(` diff --git a/ptchown.te b/ptchown.te index 28d2abc03..c2cfb5eaa 100644 @@ -80278,15 +80278,15 @@ index 28d2abc03..c2cfb5eaa 100644 @@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t; allow ptchown_t self:capability { chown fowner fsetid setuid }; allow ptchown_t self:process { getcap setcap }; - + -files_read_etc_files(ptchown_t) - + fs_rw_anon_inodefs_files(ptchown_t) - + @@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t) term_use_generic_ptys(ptchown_t) term_use_ptmx(ptchown_t) - + -miscfiles_read_localization(ptchown_t) +auth_read_passwd(ptchown_t) diff --git a/publicfile.te b/publicfile.te @@ -80296,10 +80296,10 @@ index 3246befff..dd66a21cb 100644 
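Review bot: `domain_read_all_domains_state(psad_t)` is added without a comment, and it is a broad grant: it lets the psad domain read the `/proc/<pid>` state of every domain on the system, not just its own children. Nothing in the hunk shows which psad helper needs this (presumably a `ps`-style process listing from its scripts), so a line such as `# psad enumerates running processes via /proc; needs read on all domain state — TODO confirm which helper` would record the justification and let a later reviewer try to narrow it.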
@@ -17,7 +17,7 @@ files_type(publicfile_content_t) # Local policy # - + -allow publicfile_t self:capability { dac_override setgid setuid sys_chroot }; +allow publicfile_t self:capability { dac_read_search dac_override setgid setuid sys_chroot }; - + allow publicfile_t publicfile_content_t:dir list_dir_perms; allow publicfile_t publicfile_content_t:file read_file_perms; diff --git a/pulseaudio.fc b/pulseaudio.fc @@ -80312,16 +80312,16 @@ index 6864479a7..0e7d87513 100644 HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) - + -/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) +/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) +/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) - + -/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) - + -/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) @@ -80330,7 +80330,7 @@ index 45843b55c..4d1adace5 100644 --- a/pulseaudio.if +++ b/pulseaudio.if @@ -2,43 +2,47 @@ - + ######################################## ## -## Role access for pulseaudio. 
@@ -80350,24 +80350,24 @@ index 45843b55c..4d1adace5 100644 ## # interface(`pulseaudio_role',` - gen_require(` + gen_require(` - attribute pulseaudio_tmpfsfile; - type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; - type pulseaudio_tmp_t; + attribute pulseaudio_tmpfsfile; + type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t; + class dbus { acquire_svc send_msg }; - ') - + ') + - pulseaudio_run($2, $1) + role $1 types pulseaudio_t; + + # Transition from the user domain to the derived domain. + domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t) - + - allow $2 pulseaudio_t:process { ptrace signal_perms }; - ps_process_pattern($2, pulseaudio_t) - + ps_process_pattern($2, pulseaudio_t) + - allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; 
@@ -80377,23 +80377,23 @@ index 45843b55c..4d1adace5 100644 + + allow pulseaudio_t $2:unix_stream_socket connectto; + allow $2 pulseaudio_t:unix_stream_socket connectto; - - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms }; - + + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms }; + - allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + userdom_manage_tmp_role($1, pulseaudio_t) - + - allow pulseaudio_t $2:unix_stream_socket connectto; + allow $2 pulseaudio_t:dbus send_msg; + allow pulseaudio_t $2:dbus { acquire_svc send_msg }; ') - + ######################################## @@ -65,9 +69,8 @@ interface(`pulseaudio_domtrans',` - + ######################################## ## -## Execute pulseaudio in the pulseaudio @@ -80407,16 +80407,16 @@ index 45843b55c..4d1adace5 100644 @@ -82,16 +85,16 @@ interface(`pulseaudio_domtrans',` # interface(`pulseaudio_run',` - gen_require(` + gen_require(` - attribute_role pulseaudio_roles; + type pulseaudio_t; - ') - - pulseaudio_domtrans($1) + ') + + pulseaudio_domtrans($1) - roleattribute $2 pulseaudio_roles; + role $2 types pulseaudio_t; ') - + ######################################## ## -## Execute pulseaudio in the caller domain. @@ -80425,13 +80425,13 @@ index 45843b55c..4d1adace5 100644 ## ## 
@@ -104,13 +107,12 @@ interface(`pulseaudio_exec',` - type pulseaudio_exec_t; - ') - + type pulseaudio_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, pulseaudio_exec_t) + can_exec($1, pulseaudio_exec_t) ') - + ######################################## ## -## Do not audit attempts to execute pulseaudio. @@ -80440,7 +80440,7 @@ index 45843b55c..4d1adace5 100644 ## ## @@ -128,7 +130,7 @@ interface(`pulseaudio_dontaudit_exec',` - + ######################################## ## -## Send null signals to pulseaudio. @@ -80449,7 +80449,7 @@ index 45843b55c..4d1adace5 100644 ## ## @@ -147,8 +149,8 @@ interface(`pulseaudio_signull',` - + ##################################### ## -## Connect to pulseaudio with a unix @@ -80462,23 +80462,23 @@ index 45843b55c..4d1adace5 100644 @@ -158,11 +160,15 @@ interface(`pulseaudio_signull',` # interface(`pulseaudio_stream_connect',` - gen_require(` + gen_require(` - type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t; + type pulseaudio_t, pulseaudio_var_run_t; + type pulseaudio_home_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) - stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t) + allow $1 pulseaudio_t:process signull; + allow pulseaudio_t $1:process signull; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) + stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t) ') - + ######################################## @@ -188,9 +194,9 @@ interface(`pulseaudio_dbus_chat',` - + ######################################## ## -## Set attributes of pulseaudio home directories. @@ -80490,13 +80490,13 @@ index 45843b55c..4d1adace5 100644 ## Domain allowed access. ## 
@@ -201,148 +207,190 @@ interface(`pulseaudio_setattr_home_dir',` - type pulseaudio_home_t; - ') - + type pulseaudio_home_t; + ') + - allow $1 pulseaudio_home_t:dir setattr_dir_perms; + allow $1 pulseaudio_home_t:dir setattr; ') - + ######################################## ## -## Read pulseaudio home content. @@ -80520,7 +80520,7 @@ index 45843b55c..4d1adace5 100644 + read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ') - + ######################################## ## -## Read pulseaudio home content. @@ -80535,18 +80535,18 @@ index 45843b55c..4d1adace5 100644 # -interface(`pulseaudio_read_home',` +interface(`pulseaudio_rw_home_files',` - gen_require(` - type pulseaudio_home_t; - ') - + gen_require(` + type pulseaudio_home_t; + ') + + rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - userdom_search_user_home_dirs($1) + userdom_search_user_home_dirs($1) - allow $1 pulseaudio_home_t:dir list_dir_perms; - allow $1 pulseaudio_home_t:file read_file_perms; - allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms; ') - + ######################################## ## -## Read and write Pulse Audio files. @@ -80562,16 +80562,16 @@ index 45843b55c..4d1adace5 100644 # -interface(`pulseaudio_rw_home_files',` +interface(`pulseaudio_manage_home_dirs',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) - rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) - read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ') - + ######################################## ## -## Create, read, write, and delete 
@@ -80598,7 +80598,7 @@ index 45843b55c..4d1adace5 100644 + read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) + pulseaudio_filetrans_home_content($1) ') - + ######################################## ## -## Create, read, write, and delete @@ -80615,17 +80615,17 @@ index 45843b55c..4d1adace5 100644 # -interface(`pulseaudio_manage_home',` +interface(`pulseaudio_manage_home_symlinks',` - gen_require(` - type pulseaudio_home_t; - ') - - userdom_search_user_home_dirs($1) + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) - allow $1 pulseaudio_home_t:dir manage_dir_perms; - allow $1 pulseaudio_home_t:file manage_file_perms; - allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; + manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ') - + ######################################## ## -## Create objects in user home @@ -80673,16 +80673,16 @@ index 45843b55c..4d1adace5 100644 # -interface(`pulseaudio_home_filetrans_pulseaudio_home',` +interface(`pulseaudio_filetrans_admin_home_content',` - gen_require(` - type pulseaudio_home_t; - ') - + gen_require(` + type pulseaudio_home_t; + ') + - userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3) + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") ') - + -######################################## +####################################### ## @@ -80718,11 +80718,11 @@ index 45843b55c..4d1adace5 100644 # -interface(`pulseaudio_tmpfs_content',` +interface(`pulseaudio_read_state',` - gen_require(` + gen_require(` - attribute pulseaudio_tmpfsfile; + type pulseaudio_t; - ') - + ') + - typeattribute $1 pulseaudio_tmpfsfile; + kernel_search_proc($1) + ps_process_pattern($1, pulseaudio_t) @@ -80734,7 +80734,7 @@ index 6643b49c2..6c374240b 100644 
@@ -8,61 +8,51 @@ policy_module(pulseaudio, 1.6.0) attribute pulseaudio_client; attribute pulseaudio_tmpfsfile; - + -attribute_role pulseaudio_roles; - type pulseaudio_t; @@ -80743,30 +80743,30 @@ index 6643b49c2..6c374240b 100644 userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t) -role pulseaudio_roles types pulseaudio_t; +role system_r types pulseaudio_t; - + type pulseaudio_home_t; userdom_user_home_content(pulseaudio_home_t) - + -type pulseaudio_tmp_t; -userdom_user_tmp_file(pulseaudio_tmp_t) - type pulseaudio_tmpfs_t; userdom_user_tmpfs_file(pulseaudio_tmpfs_t) - + type pulseaudio_var_lib_t; files_type(pulseaudio_var_lib_t) +ubac_constrained(pulseaudio_var_lib_t) - + type pulseaudio_var_run_t; files_pid_file(pulseaudio_var_run_t) +ubac_constrained(pulseaudio_var_run_t) - + ######################################## # -# Local policy +# pulseaudio local policy # - + allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; -allow pulseaudio_t self:fifo_file rw_fifo_file_perms; @@ -80779,7 +80779,7 @@ index 6643b49c2..6c374240b 100644 +allow pulseaudio_t self:tcp_socket create_stream_socket_perms; +allow pulseaudio_t self:udp_socket create_socket_perms; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; - + -allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms; -allow pulseaudio_t pulseaudio_home_t:file manage_file_perms; -allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms; 
@@ -80801,7 +80801,7 @@ index 6643b49c2..6c374240b 100644 +userdom_search_user_home_dirs(pulseaudio_t) +pulseaudio_filetrans_home_content(pulseaudio_t) +allow pulseaudio_t pulseaudio_home_t:file map; - + -manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) -manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) -fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file }) @@ -80809,7 +80809,7 @@ index 6643b49c2..6c374240b 100644 +userdom_read_user_home_content_files(pulseaudio_t) +userdom_search_admin_dir(pulseaudio_t) +userdom_map_tmp_files(pulseaudio_t) - + manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) @@ -72,10 +62,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) @@ -80821,13 +80821,13 @@ index 6643b49c2..6c374240b 100644 -allow pulseaudio_t pulseaudio_client:process signull; -ps_process_pattern(pulseaudio_t, pulseaudio_client) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir }) - + can_exec(pulseaudio_t, pulseaudio_exec_t) - + @@ -85,62 +72,58 @@ kernel_read_kernel_sysctls(pulseaudio_t) - + corecmd_exec_bin(pulseaudio_t) - + -corenet_all_recvfrom_unlabeled(pulseaudio_t) corenet_all_recvfrom_netlabel(pulseaudio_t) -corenet_tcp_sendrecv_generic_if(pulseaudio_t) 
@@ -80851,77 +80851,77 @@ index 6643b49c2..6c374240b 100644 +corenet_udp_sendrecv_generic_if(pulseaudio_t) +corenet_udp_sendrecv_generic_node(pulseaudio_t) +corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t) - + dev_read_sound(pulseaudio_t) dev_write_sound(pulseaudio_t) dev_read_sysfs(pulseaudio_t) dev_read_urand(pulseaudio_t) - + -files_read_usr_files(pulseaudio_t) - + +fs_rw_anon_inodefs_files(pulseaudio_t) fs_getattr_tmpfs(pulseaudio_t) -fs_getattr_all_fs(pulseaudio_t) fs_list_inotifyfs(pulseaudio_t) -fs_rw_anon_inodefs_files(pulseaudio_t) -fs_search_auto_mountpoints(pulseaudio_t) - + -term_use_all_ttys(pulseaudio_t) -term_use_all_ptys(pulseaudio_t) +term_use_all_inherited_ttys(pulseaudio_t) +term_use_all_inherited_ptys(pulseaudio_t) - + auth_use_nsswitch(pulseaudio_t) - + logging_send_syslog_msg(pulseaudio_t) - + -miscfiles_read_localization(pulseaudio_t) - -userdom_read_user_tmpfs_files(pulseaudio_t) +userdom_read_user_tmp_files(pulseaudio_t) - + userdom_search_user_home_dirs(pulseaudio_t) userdom_write_user_tmp_sockets(pulseaudio_t) +userdom_manage_user_tmp_files(pulseaudio_t) +userdom_execute_user_tmp_files(pulseaudio_t) - + tunable_policy(`use_nfs_home_dirs',` + fs_mount_nfs(pulseaudio_t) + fs_mounton_nfs(pulseaudio_t) - fs_manage_nfs_dirs(pulseaudio_t) - fs_manage_nfs_files(pulseaudio_t) - fs_manage_nfs_symlinks(pulseaudio_t) + fs_manage_nfs_dirs(pulseaudio_t) + fs_manage_nfs_files(pulseaudio_t) + fs_manage_nfs_symlinks(pulseaudio_t) + fs_manage_nfs_named_sockets(pulseaudio_t) + fs_manage_nfs_named_pipes(pulseaudio_t) ') - + tunable_policy(`use_samba_home_dirs',` + fs_mount_cifs(pulseaudio_t) + fs_mounton_cifs(pulseaudio_t) - fs_manage_cifs_dirs(pulseaudio_t) - fs_manage_cifs_files(pulseaudio_t) - fs_manage_cifs_symlinks(pulseaudio_t) + fs_manage_cifs_dirs(pulseaudio_t) + fs_manage_cifs_files(pulseaudio_t) + fs_manage_cifs_symlinks(pulseaudio_t) + fs_manage_cifs_named_sockets(pulseaudio_t) + fs_manage_cifs_named_pipes(pulseaudio_t) ') - + 
optional_policy(` @@ -153,8 +136,9 @@ optional_policy(` - + optional_policy(` - dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) - dbus_all_session_bus_client(pulseaudio_t) - dbus_connect_all_session_bus(pulseaudio_t) + dbus_system_bus_client(pulseaudio_t) + dbus_session_bus_client(pulseaudio_t) + dbus_connect_session_bus(pulseaudio_t) - - optional_policy(` - consolekit_dbus_chat(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) @@ -173,16 +157,33 @@ optional_policy(` - ') + ') ') - + +optional_policy(` + gnome_read_gkeyringd_state(pulseaudio_t) + gnome_signull_gkeyringd(pulseaudio_t) @@ -80930,38 +80930,38 @@ index 6643b49c2..6c374240b 100644 +') + optional_policy(` - rtkit_scheduled(pulseaudio_t) + rtkit_scheduled(pulseaudio_t) ') - + +optional_policy(` + mozilla_plugin_delete_tmpfs_files(pulseaudio_t) + mozilla_plugin_read_tmpfs_files(pulseaudio_t) +') + optional_policy(` - policykit_domtrans_auth(pulseaudio_t) - policykit_read_lib(pulseaudio_t) - policykit_read_reload(pulseaudio_t) + policykit_domtrans_auth(pulseaudio_t) + policykit_read_lib(pulseaudio_t) + policykit_read_reload(pulseaudio_t) ') - + +optional_policy(` + systemd_read_logind_sessions_files(pulseaudio_t) + systemd_login_read_pid_files(pulseaudio_t) +') + optional_policy(` - udev_read_state(pulseaudio_t) - udev_read_db(pulseaudio_t) + udev_read_state(pulseaudio_t) + udev_read_db(pulseaudio_t) 
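Review bot: `userdom_execute_user_tmp_files(pulseaudio_t)`, added right after `userdom_manage_user_tmp_files(pulseaudio_t)`, lets the sound daemon execute whatever a user drops into user_tmp_t, and nothing in the hunk says why. If the need is mapping shared-memory segments, the `userdom_map_tmp_files(pulseaudio_t)` added earlier in this patch presumably covers it and the execute grant can go; if PulseAudio really loads code from tmp, record that with a comment such as `# pulseaudio needs execute on user tmp files for <module/plugin reason>`. The `use_nfs_home_dirs` and `use_samba_home_dirs` branches likewise gain `fs_mount_nfs`/`fs_mounton_nfs` and the CIFS equivalents, which is an unusual capability for an audio daemon and deserves either a justification comment or removal. The pulseaudio_t local policy continues outside this hunk.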
@@ -190,13 +191,16 @@ optional_policy(` - + optional_policy(` - xserver_stream_connect(pulseaudio_t) + xserver_stream_connect(pulseaudio_t) - xserver_manage_xdm_tmp_files(pulseaudio_t) - xserver_read_xdm_lib_files(pulseaudio_t) - xserver_read_xdm_pid(pulseaudio_t) - xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) + xserver_read_xdm_lib_files(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') - + -######################################## +optional_policy(` + virt_manage_tmpfs_files(pulseaudio_t) @@ -80972,17 +80972,17 @@ index 6643b49c2..6c374240b 100644 # Client local policy # @@ -210,8 +214,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi - + fs_getattr_tmpfs(pulseaudio_client) - + -corenet_all_recvfrom_unlabeled(pulseaudio_client) -corenet_all_recvfrom_netlabel(pulseaudio_client) corenet_tcp_sendrecv_generic_if(pulseaudio_client) corenet_tcp_sendrecv_generic_node(pulseaudio_client) - + @@ -220,38 +222,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) - + pulseaudio_stream_connect(pulseaudio_client) -pulseaudio_manage_home(pulseaudio_client) -pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse") @@ -80990,14 +80990,14 @@ index 6643b49c2..6c374240b 100644 -pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") +pulseaudio_manage_home_files(pulseaudio_client) pulseaudio_signull(pulseaudio_client) - + -# TODO: ~/.cache userdom_manage_user_home_content_files(pulseaudio_client) - + -userdom_read_user_tmpfs_files(pulseaudio_client) -# userdom_delete_user_tmpfs_files(pulseaudio_client) +userdom_read_user_tmp_files(pulseaudio_client) - + tunable_policy(`use_nfs_home_dirs',` - fs_getattr_nfs(pulseaudio_client) - fs_manage_nfs_dirs(pulseaudio_client) 
@@ -81008,7 +81008,7 @@ index 6643b49c2..6c374240b 100644 + fs_manage_nfs_files(pulseaudio_client) + fs_read_nfs_symlinks(pulseaudio_client) ') - + tunable_policy(`use_samba_home_dirs',` - fs_getattr_cifs(pulseaudio_client) - fs_manage_cifs_dirs(pulseaudio_client) @@ -81019,17 +81019,17 @@ index 6643b49c2..6c374240b 100644 + fs_manage_cifs_files(pulseaudio_client) + fs_read_cifs_symlinks(pulseaudio_client) ') - + optional_policy(` - pulseaudio_dbus_chat(pulseaudio_client) + pulseaudio_dbus_chat(pulseaudio_client) ') - + optional_policy(` - rtkit_scheduled(pulseaudio_client) + rtkit_scheduled(pulseaudio_client) ') - + optional_policy(` diff --git a/puppet.fc b/puppet.fc index d68e26d1f..3b08cfd9d 100644 @@ -81039,12 +81039,12 @@ index d68e26d1f..3b08cfd9d 100644 -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) - + -/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0) -/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) +/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0) +/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0) - + -/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) 
@@ -81052,7 +81052,7 @@ index d68e26d1f..3b08cfd9d 100644 +/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/usr/bin/start-puppet-ca -- gen_context(system_u:object_r:puppetca_exec_t,s0) - + -/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) @@ -81060,12 +81060,12 @@ index d68e26d1f..3b08cfd9d 100644 +/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) - + -/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) +/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) +/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) - + -/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) - -/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) @@ -81127,11 +81127,11 @@ index 7cb8b1f9c..173bc5b0e 100644 + corecmd_search_bin($1) + domtrans_pattern($1, puppet_exec_t, puppet_t) +') - + ######################################## ## @@ -22,7 +70,7 @@ interface(`puppet_domtrans_puppetca',` - + ##################################### ## -## Execute puppetca in the puppetca 
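Review bot: `/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0)` labels the single `puppet` binary as the agent entry point; if this is the usual multiplexed Puppet CLI that also serves `puppet master`, `puppet cert` and `puppet apply`, then every subcommand started through it transitions into puppetagent_t rather than puppetmaster_t or puppetca_t, and the separate `start-puppet-master`/`start-puppet-ca` labels only take effect when those wrappers are used. Since puppetagent_t receives `unconfined_domain_noaudit` (under optional_policy) elsewhere in this patch, the practical effect is that a master or CA launched directly via `/usr/bin/puppet` runs unconfined. Add a comment to the .fc, e.g. `# /usr/bin/puppet is a multiplexer; master and ca only run confined via the start-puppet-* wrappers`, so administrators know which entry point gives confinement.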
@@ -81145,17 +81145,17 @@ index 7cb8b1f9c..173bc5b0e 100644 # -interface(`puppet_run_puppetca',` +interface(`puppet_run',` - gen_require(` + gen_require(` - attribute_role puppetca_roles; + type puppet_t, puppet_exec_t; - ') - + ') + - puppet_domtrans_puppetca($1) - roleattribute $2 puppetca_roles; + puppet_domtrans($1) + role $2 types puppet_t; ') - + -#################################### +##################################### ## @@ -81179,11 +81179,11 @@ index 7cb8b1f9c..173bc5b0e 100644 # -interface(`puppet_read_config',` +interface(`puppet_run_puppetca',` - gen_require(` + gen_require(` - type puppet_etc_t; + type puppetca_t, puppetca_exec_t; - ') - + ') + - files_search_etc($1) - allow $1 puppet_etc_t:dir list_dir_perms; - allow $1 puppet_etc_t:file read_file_perms; @@ -81191,7 +81191,7 @@ index 7cb8b1f9c..173bc5b0e 100644 + puppet_domtrans_puppetca($1) + role $2 types puppetca_t; ') - + + ################################################ ## @@ -81209,17 +81209,17 @@ index 7cb8b1f9c..173bc5b0e 100644 # -interface(`puppet_read_lib_files',` +interface(`puppet_rw_tmp', ` - gen_require(` + gen_require(` - type puppet_var_lib_t; + type puppet_tmp_t; - ') - + ') + - files_search_var_lib($1) - read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) + allow $1 puppet_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) ') - + -############################################### +################################################ ## @@ -81235,15 +81235,15 @@ index 7cb8b1f9c..173bc5b0e 100644 # -interface(`puppet_manage_lib_files',` +interface(`puppet_read_lib',` - gen_require(` - type puppet_var_lib_t; - ') - + gen_require(` + type puppet_var_lib_t; + ') + + read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) - files_search_var_lib($1) + files_search_var_lib($1) - manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) ') - + -##################################### +############################################### ## 
@@ -81267,13 +81267,13 @@ index 7cb8b1f9c..173bc5b0e 100644 + gen_require(` + type puppet_var_lib_t; + ') - + - logging_search_logs($1) - append_files_pattern($1, puppet_log_t, puppet_log_t) + manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t) + files_search_var_lib($1) ') - + -##################################### +###################################### ## @@ -81297,13 +81297,13 @@ index 7cb8b1f9c..173bc5b0e 100644 + gen_require(` + type puppet_log_t; + ') - + - logging_search_logs($1) - create_files_pattern($1, puppet_log_t, puppet_log_t) + logging_search_logs($1) + allow $1 puppet_log_t:dir search_dir_perms; ') - + ##################################### ## -## Read puppet log files. @@ -81326,12 +81326,12 @@ index 7cb8b1f9c..173bc5b0e 100644 + gen_require(` + type puppet_log_t; + ') - + - logging_search_logs($1) + logging_search_logs($1) - read_files_pattern($1, puppet_log_t, puppet_log_t) + read_files_pattern($1, puppet_log_t, puppet_log_t) ') - + -################################################ +##################################### ## @@ -81355,13 +81355,13 @@ index 7cb8b1f9c..173bc5b0e 100644 + gen_require(` + type puppet_log_t; + ') - + - files_search_tmp($1) - allow $1 puppet_tmp_t:file rw_file_perms; + logging_search_logs($1) + create_files_pattern($1, puppet_log_t, puppet_log_t) ') - + -######################################## +#################################### ## @@ -81395,13 +81395,13 @@ index 7cb8b1f9c..173bc5b0e 100644 + gen_require(` + type puppet_log_t; + ') - + - allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t }) + logging_search_logs($1) + append_files_pattern($1, puppet_log_t, puppet_log_t) +') - + - init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r; 
@@ -81420,13 +81420,13 @@ index 7cb8b1f9c..173bc5b0e 100644 + gen_require(` + type puppet_log_t; + ') - + - files_search_etc($1) - admin_pattern($1, puppet_etc_t) + logging_search_logs($1) + manage_files_pattern($1, puppet_log_t, puppet_log_t) +') - + - logging_search_logs($1) - admin_pattern($1, puppet_log_t) +#################################### @@ -81443,14 +81443,14 @@ index 7cb8b1f9c..173bc5b0e 100644 + gen_require(` + type puppet_etc_t; + ') - + - files_search_var_lib($1) - admin_pattern($1, puppet_var_lib_t) + files_search_etc($1) + list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) + read_files_pattern($1, puppet_etc_t, puppet_etc_t) +') - + +##################################### +## +## Allow the specified domain to search puppet's pid files. @@ -81465,8 +81465,8 @@ index 7cb8b1f9c..173bc5b0e 100644 + gen_require(` + type puppet_var_run_t; + ') -+ - files_search_pids($1) ++ + files_search_pids($1) - admin_pattern($1, puppet_var_run_t) - - files_search_tmp($1) @@ -81481,7 +81481,7 @@ index 618dcfeed..6bd7543ae 100644 +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) # - + ## -##

    -## Determine whether puppet can @@ -81494,7 +81494,7 @@ index 618dcfeed..6bd7543ae 100644 ## -gen_tunable(puppet_manage_all_files, false) +gen_tunable(puppetagent_manage_all_files, false) - + -attribute_role puppetca_roles; -roleattribute system_r puppetca_roles; +## @@ -81503,7 +81503,7 @@ index 618dcfeed..6bd7543ae 100644 +##

    +##
    +gen_tunable(puppetmaster_use_db, false) - + -type puppet_t; -type puppet_exec_t; -init_daemon_domain(puppet_t, puppet_exec_t) @@ -81512,40 +81512,40 @@ index 618dcfeed..6bd7543ae 100644 +typealias puppetagent_exec_t alias puppet_exec_t; +typealias puppetagent_t alias puppet_t; +init_daemon_domain(puppetagent_t, puppetagent_exec_t) - + type puppet_etc_t; files_config_file(puppet_etc_t) - + -type puppet_initrc_exec_t; -init_script_file(puppet_initrc_exec_t) +type puppetagent_initrc_exec_t; +typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t; +init_script_file(puppetagent_initrc_exec_t) - + type puppet_log_t; logging_log_file(puppet_log_t) @@ -37,12 +44,11 @@ files_type(puppet_var_lib_t) - + type puppet_var_run_t; files_pid_file(puppet_var_run_t) -init_daemon_run_dir(puppet_var_run_t, "puppet") - + type puppetca_t; type puppetca_exec_t; application_domain(puppetca_t, puppetca_exec_t) -role puppetca_roles types puppetca_t; +role system_r types puppetca_t; - + type puppetmaster_t; type puppetmaster_exec_t; @@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t) - + ######################################## # -# Local policy +# Puppet personal policy # - + -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; -allow puppet_t self:process { signal signull getsched setsched }; -allow puppet_t self:fifo_file rw_fifo_file_perms; 
@@ -81750,32 +81750,32 @@ index 618dcfeed..6bd7543ae 100644 +optional_policy(` + consoletype_exec(puppetagent_t) ') - + optional_policy(` - cfengine_read_lib_files(puppet_t) + hostname_exec(puppetagent_t) ') - + optional_policy(` - consoletype_exec(puppet_t) + mount_domtrans(puppetagent_t) ') - + optional_policy(` - hostname_exec(puppet_t) + mta_send_mail(puppetagent_t) ') - + optional_policy(` - mount_domtrans(puppet_t) + networkmanager_dbus_chat(puppetagent_t) ') - + optional_policy(` - mta_send_mail(puppet_t) + firewalld_dbus_chat(puppetagent_t) ') - + optional_policy(` - portage_domtrans(puppet_t) - portage_domtrans_fetch(puppet_t) @@ -81784,11 +81784,11 @@ index 618dcfeed..6bd7543ae 100644 + portage_domtrans_fetch(puppetagent_t) + portage_domtrans_gcc_config(puppetagent_t) ') - + optional_policy(` - files_rw_var_files(puppet_t) + files_rw_var_files(puppetagent_t) - + - rpm_domtrans(puppet_t) - rpm_manage_db(puppet_t) - rpm_manage_log(puppet_t) 
@@ -81796,64 +81796,64 @@ index 618dcfeed..6bd7543ae 100644 + rpm_manage_db(puppetagent_t) + rpm_manage_log(puppetagent_t) ') - + optional_policy(` - unconfined_domain(puppet_t) + unconfined_domain_noaudit(puppetagent_t) ') - + optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) + rhsmcertd_dbus_chat(puppetagent_t) ') - + ######################################## # -# Ca local policy +# PuppetCA personal policy # - + -allow puppetca_t self:capability { dac_override setgid setuid }; +allow puppetca_t self:capability { dac_read_search dac_override setgid setuid }; allow puppetca_t self:fifo_file rw_fifo_file_perms; - + -allow puppetca_t puppet_etc_t:dir list_dir_perms; -allow puppetca_t puppet_etc_t:file read_file_perms; -allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms; +read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t) +read_lnk_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t) - + allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) @@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; - + kernel_read_system_state(puppetca_t) +# Maybe dontaudit this like we did with other puppet domains? kernel_read_kernel_sysctls(puppetca_t) - + corecmd_exec_bin(puppetca_t) @@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) - + -files_read_etc_files(puppetca_t) -files_search_pids(puppetca_t) files_search_var_lib(puppetca_t) - + selinux_validate_context(puppetca_t) - + logging_search_logs(puppetca_t) - + -miscfiles_read_localization(puppetca_t) miscfiles_read_generic_certs(puppetca_t) - + seutil_read_file_contexts(puppetca_t) @@ -246,38 +259,50 @@ optional_policy(` - hostname_exec(puppetca_t) + hostname_exec(puppetca_t) ') - + +optional_policy(` + mta_sendmail_access_check(puppetca_t) +') 
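Review bot: `unconfined_domain_noaudit(puppetagent_t)` replaces `unconfined_domain(puppet_t)` with no comment on why the agent must stay unconfined or what the `_noaudit` variant omits; a one-liner such as `# puppet agent applies arbitrary catalogs; kept unconfined (see unconfined_domain_noaudit for what is left out)` would stop the next maintainer from trying to confine it blindly. Because the domain is unconfined whenever the unconfined module is loaded, the `puppetagent_manage_all_files` tunable declared earlier in this patch presumably has no effect on a stock targeted system, and its description should say it only matters when unconfined is not loaded. The removed `usermanage_domtrans_groupadd(puppet_t)`/`usermanage_domtrans_useradd(puppet_t)` are replaced in the same slot by `rhsmcertd_dbus_chat(puppetagent_t)`; if the useradd/groupadd transitions are now considered covered by the unconfined grant, state that, otherwise it reads like an accidental drop. The agent local policy begins outside this hunk.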
@@ -81864,7 +81864,7 @@ index 618dcfeed..6bd7543ae 100644 -# Master local policy +# Pupper master personal policy # - + allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; allow puppetmaster_t self:process { signal_perms getsched setsched }; allow puppetmaster_t self:fifo_file rw_fifo_file_perms; @@ -81874,12 +81874,12 @@ index 618dcfeed..6bd7543ae 100644 -allow puppetmaster_t self:tcp_socket { accept listen }; +allow puppetmaster_t self:tcp_socket create_stream_socket_perms; +allow puppetmaster_t self:udp_socket create_socket_perms; - + -allow puppetmaster_t puppet_etc_t:dir list_dir_perms; -allow puppetmaster_t puppet_etc_t:file read_file_perms; -allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms; +domtrans_pattern(puppetmaster_t, puppetagent_exec_t, puppetagent_t) - + -allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; -append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) -create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) 
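Review bot: `domtrans_pattern(puppetmaster_t, puppetagent_exec_t, puppetagent_t)` gives the network-facing master an unconditional transition into puppetagent_t, and elsewhere in this patch puppetagent_t receives `unconfined_domain_noaudit` (under optional_policy), so a compromise of puppetmaster_t reaches an unconfined domain through this single line and confining the master buys little. If the master must run the agent for a specific reason, document it (`# puppetmaster execs the agent for <reason>`) and consider gating the transition behind a tunable the way `puppetmaster_use_db` gates database access later in this patch. Note also that this line replaces, rather than supplements, the removed `allow puppetmaster_t puppet_etc_t:dir list_dir_perms;` / `:file read_file_perms;` / `:lnk_file read_lnk_file_perms;` rules; unless an equivalent `puppet_read_config`-style grant exists outside the hunk, the master has lost read access to its own configuration.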
@@ -81892,14 +81892,14 @@ index 618dcfeed..6bd7543ae 100644 +allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir }) +allow puppetmaster_t puppet_log_t:file relabel_file_perms; - + -allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms }; +manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; +allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms; - + -allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppet_var_run_t:file manage_file_perms; +setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) @@ -81907,19 +81907,19 @@ index 618dcfeed..6bd7543ae 100644 +manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) +allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; - + -allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms }; -allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms; +manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) +manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) +allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; - + kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) 
@@ -289,23 +314,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) - + corenet_all_recvfrom_netlabel(puppetmaster_t) -corenet_all_recvfrom_unlabeled(puppetmaster_t) corenet_tcp_sendrecv_generic_if(puppetmaster_t) @@ -81935,29 +81935,29 @@ index 618dcfeed..6bd7543ae 100644 +# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports. +corenet_udp_bind_generic_node(puppetmaster_t) +corenet_udp_bind_generic_port(puppetmaster_t) - + dev_read_rand(puppetmaster_t) dev_read_urand(puppetmaster_t) dev_search_sysfs(puppetmaster_t) - + -domain_obj_id_change_exemption(puppetmaster_t) domain_read_all_domains_state(puppetmaster_t) +domain_obj_id_change_exemption(puppetmaster_t) - + -files_read_usr_files(puppetmaster_t) - + selinux_validate_context(puppetmaster_t) - + @@ -314,26 +340,32 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) - + miscfiles_read_generic_certs(puppetmaster_t) -miscfiles_read_localization(puppetmaster_t) - + seutil_read_file_contexts(puppetmaster_t) - + sysnet_run_ifconfig(puppetmaster_t, system_r) - + +mta_send_mail(puppetmaster_t) + optional_policy(` @@ -81966,29 +81966,29 @@ index 618dcfeed..6bd7543ae 100644 + mysql_stream_connect(puppetmaster_t) + ') ') - + optional_policy(` - mta_send_mail(puppetmaster_t) + tunable_policy(`puppetmaster_use_db',` + postgresql_stream_connect(puppetmaster_t) + ') ') - + optional_policy(` - mysql_stream_connect(puppetmaster_t) + systemd_dbus_chat_timedated(puppetagent_t) + systemd_dbus_chat_timedated(puppetmaster_t) ') - + optional_policy(` - postgresql_stream_connect(puppetmaster_t) + hostname_exec(puppetmaster_t) ') - + optional_policy(` @@ -342,3 +374,9 @@ optional_policy(` - rpm_exec(puppetmaster_t) - rpm_read_db(puppetmaster_t) + rpm_exec(puppetmaster_t) + rpm_read_db(puppetmaster_t) ') + +optional_policy(` @@ -82003,7 +82003,7 @@ index 7e7b44434..e2f8687db 100644 
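Review bot: `corenet_udp_bind_generic_port(puppetmaster_t)` together with `corenet_udp_bind_generic_node(puppetmaster_t)` lets the master bind any unlabeled UDP port, and the accompanying comment (`This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.`) admits the grant is a placeholder. Random high ports are normally labeled as unreserved or ephemeral ports, so `corenet_udp_bind_all_unreserved_ports(puppetmaster_t)` (or the ephemeral variant, whichever the AVC denial names) is the narrower match; fix the `Puppermasterd` typo while there. Moving `mta_send_mail(puppetmaster_t)` out of its `optional_policy` block turns it into a hard dependency on the mta module, which is fine only if mta is unconditional in this build; otherwise keep the wrapper. The `puppetmaster_use_db` tunable nested inside `optional_policy` for mysql and postgresql is the right pattern and could be reused for the master-to-agent transition added earlier in this patch.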
@@ -1,3 +1,3 @@ -/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) +/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0) - + -/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) +/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0) diff --git a/pwauth.if b/pwauth.if @@ -82014,7 +82014,7 @@ index 1148dce1a..86d25ea26 100644 -## External plugin for mod_authnz_external authenticator. + +## policy for pwauth - + ######################################## ## -## Role access for pwauth. @@ -82036,11 +82036,11 @@ index 1148dce1a..86d25ea26 100644 # -interface(`pwauth_role',` +interface(`pwauth_domtrans',` - gen_require(` + gen_require(` - type pwauth_t; + type pwauth_t, pwauth_exec_t; - ') - + ') + - pwauth_run($2, $1) - - ps_process_pattern($2, pwauth_t) @@ -82048,7 +82048,7 @@ index 1148dce1a..86d25ea26 100644 + corecmd_search_bin($1) + domtrans_pattern($1, pwauth_exec_t, pwauth_t) ') - + ######################################## ## -## Execute pwauth in the pwauth domain. @@ -82069,17 +82069,17 @@ index 1148dce1a..86d25ea26 100644 # -interface(`pwauth_domtrans',` +interface(`pwauth_run',` - gen_require(` + gen_require(` - type pwauth_t, pwauth_exec_t; + type pwauth_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, pwauth_exec_t, pwauth_t) + pwauth_domtrans($1) + role $2 types pwauth_t; ') - + ######################################## ## -## Execute pwauth in the pwauth @@ -82104,11 +82104,11 @@ index 1148dce1a..86d25ea26 100644 # -interface(`pwauth_run',` +interface(`pwauth_role',` - gen_require(` + gen_require(` - attribute_role pwauth_roles; + type pwauth_t; - ') - + ') + - pwauth_domtrans($1) - roleattribute $2 pwauth_roles; + role $1 types pwauth_t; @@ -82125,7 +82125,7 @@ index 3078e349e..215df880c 100644 @@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0) # Declarations # - + -attribute_role pwauth_roles; -roleattribute system_r pwauth_roles; - 
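Review bot: `/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)` drops the backslash the old line had; file_contexts entries are regular expressions, so the unescaped `.` now matches any character and the pattern also covers names like `/var/run/pwauthXlock`. The previous escaping was correct and should be restored: `/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)`. The remaining changes in this file section are whitespace re-alignment only.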
@@ -82134,10 +82134,10 @@ index 3078e349e..215df880c 100644 application_domain(pwauth_t, pwauth_exec_t) -role pwauth_roles types pwauth_t; +role system_r types pwauth_t; - + type pwauth_var_run_t; files_pid_file(pwauth_var_run_t) - + ######################################## # -# Local policy @@ -82150,18 +82150,18 @@ index 3078e349e..215df880c 100644 allow pwauth_t self:fifo_file manage_fifo_file_perms; -allow pwauth_t self:unix_stream_socket { accept listen }; +allow pwauth_t self:unix_stream_socket create_stream_socket_perms; - + manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) @@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t) - + auth_domtrans_chkpwd(pwauth_t) auth_use_nsswitch(pwauth_t) +auth_read_shadow(pwauth_t) +auth_rw_lastlog(pwauth_t) - + init_read_utmp(pwauth_t) - + logging_send_syslog_msg(pwauth_t) logging_send_audit_msgs(pwauth_t) - @@ -82171,21 +82171,21 @@ index 06bec9ba9..1b32632dc 100644 --- a/pxe.te +++ b/pxe.te @@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t) - + domain_use_interactive_fds(pxe_t) - + -files_read_etc_files(pxe_t) - + fs_getattr_all_fs(pxe_t) fs_search_auto_mountpoints(pxe_t) - + logging_send_syslog_msg(pxe_t) - + -miscfiles_read_localization(pxe_t) - userdom_dontaudit_use_unpriv_user_fds(pxe_t) userdom_dontaudit_search_user_home_dirs(pxe_t) - + diff --git a/pyicqt.fc b/pyicqt.fc deleted file mode 100644 index 0c143e3e8..000000000 
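Review bot: `auth_read_shadow(pwauth_t)` is added while the domain keeps `auth_domtrans_chkpwd(pwauth_t)` two lines above; the chkpwd helper transition exists precisely so that a password-checking program does not read shadow_t itself, and granting both means any domain that transitions into pwauth_t (the removed .if header described it as an external authenticator plugin for mod_authnz_external, i.e. presumably reachable from the web server) can now read password hashes directly. If pwauth genuinely verifies hashes in-process when run as root, say so with a comment such as `# pwauth reads /etc/shadow directly when it does not use the chkpwd helper` and consider whether `auth_dontaudit_read_shadow(pwauth_t)` alongside the existing transition is sufficient; otherwise drop the read grant. `auth_rw_lastlog(pwauth_t)` is less concerning but deserves the same one-line justification.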
@@ -82363,18 +82363,18 @@ index af13139a1..a927c5a15 100644 - +/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0) /etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0) - + -/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) -/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) +/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0) - + -/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) +/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0) +/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0) - + +/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) /var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0) diff --git a/pyzor.if b/pyzor.if @@ -82382,7 +82382,7 @@ index 593c03d09..2c411af3e 100644 --- a/pyzor.if +++ b/pyzor.if @@ -2,7 +2,7 @@ - + ######################################## ## -## Role access for pyzor. 
@@ -82397,23 +82397,23 @@ index 593c03d09..2c411af3e 100644 +## # interface(`pyzor_role',` - gen_require(` + gen_require(` - attribute_role pyzor_roles; - type pyzor_t, pyzor_exec_t, pyzor_home_t; - type pyzor_tmp_t; + type pyzor_t, pyzor_exec_t; + type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t; - ') - + ') + - roleattribute $1 pyzor_roles; + role $1 types pyzor_t; - + + # Transition from the user domain to the derived domain. - domtrans_pattern($2, pyzor_exec_t, pyzor_t) - + domtrans_pattern($2, pyzor_exec_t, pyzor_t) + - allow $2 pyzor_t:process { ptrace signal_perms }; -+ # allow ps to show pyzor and allow the user to kill it - ps_process_pattern($2, pyzor_t) ++ # allow ps to show pyzor and allow the user to kill it + ps_process_pattern($2, pyzor_t) - - allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms }; @@ -82425,7 +82425,7 @@ index 593c03d09..2c411af3e 100644 + allow $2 pyzor_t:process ptrace; + ') ') - + ######################################## ## -## Send generic signals to pyzor. @@ -82434,22 +82434,22 @@ index 593c03d09..2c411af3e 100644 ## ## @@ -69,6 +68,7 @@ interface(`pyzor_domtrans',` - type pyzor_exec_t, pyzor_t; - ') - + type pyzor_exec_t, pyzor_t; + ') + + files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, pyzor_exec_t, pyzor_t) + corecmd_search_bin($1) + domtrans_pattern($1, pyzor_exec_t, pyzor_t) ') @@ -88,14 +88,15 @@ interface(`pyzor_exec',` - type pyzor_exec_t; - ') - + type pyzor_exec_t; + ') + + files_search_usr($1) - corecmd_search_bin($1) - can_exec($1, pyzor_exec_t) + corecmd_search_bin($1) + can_exec($1, pyzor_exec_t) ') - + ######################################## ## -## All of the rules required to 
@@ -82470,39 +82470,39 @@ index 593c03d09..2c411af3e 100644 ## # interface(`pyzor_admin',` - gen_require(` + gen_require(` - type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t; - type pyzor_var_lib_t, pyzor_etc_t; + type pyzord_t, pyzor_tmp_t, pyzord_log_t; + type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; - ') - + ') + - allow $1 pyzord_t:process { ptrace signal_perms }; + allow $1 pyzord_t:process signal_perms; - ps_process_pattern($1, pyzord_t) + ps_process_pattern($1, pyzord_t) + tunable_policy(`deny_ptrace',`',` + allow $1 pyzord_t:process ptrace; + ') - - init_labeled_script_domtrans($1, pyzord_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 pyzord_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, pyzord_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 pyzord_initrc_exec_t system_r; + allow $2 system_r; + - files_search_etc($1) - admin_pattern($1, pyzor_etc_t) + files_list_tmp($1) + admin_pattern($1, pyzor_tmp_t) - + - logging_search_logs($1) + logging_list_logs($1) - admin_pattern($1, pyzord_log_t) - + admin_pattern($1, pyzord_log_t) + - files_search_var_lib($1) - admin_pattern($1, pyzor_var_lib_t) + files_list_etc($1) + admin_pattern($1, pyzor_etc_t) - + - pyzor_role($2, $1) + files_list_var_lib($1) + admin_pattern($1, pyzor_var_lib_t) @@ -82514,7 +82514,7 @@ index 2439d1304..d7bd6e9a1 100644 @@ -5,57 +5,78 @@ policy_module(pyzor, 2.3.0) # Declarations # - + -attribute_role pyzor_roles; -roleattribute system_r pyzor_roles; - @@ -82609,13 +82609,13 @@ index 2439d1304..d7bd6e9a1 100644 + type pyzord_log_t; + logging_log_file(pyzord_log_t) +') - + ######################################## # -# Local policy +# Pyzor client local policy # - + +allow pyzor_t self:udp_socket create_socket_perms; + manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) 
@@ -82623,17 +82623,17 @@ index 2439d1304..d7bd6e9a1 100644 manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t) -userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor") +userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file }) - + allow pyzor_t pyzor_var_lib_t:dir list_dir_perms; read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t) +files_search_var_lib(pyzor_t) - + manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t) @@ -67,41 +88,28 @@ kernel_read_system_state(pyzor_t) corecmd_list_bin(pyzor_t) corecmd_getattr_bin_files(pyzor_t) - + -corenet_all_recvfrom_unlabeled(pyzor_t) -corenet_all_recvfrom_netlabel(pyzor_t) corenet_tcp_sendrecv_generic_if(pyzor_t) @@ -82646,20 +82646,20 @@ index 2439d1304..d7bd6e9a1 100644 +corenet_udp_sendrecv_all_ports(pyzor_t) corenet_tcp_connect_http_port(pyzor_t) -corenet_tcp_sendrecv_http_port(pyzor_t) - + dev_read_urand(pyzor_t) - + -fs_getattr_all_fs(pyzor_t) -fs_search_auto_mountpoints(pyzor_t) +fs_getattr_xattr_fs(pyzor_t) + - + auth_use_nsswitch(pyzor_t) - + -miscfiles_read_localization(pyzor_t) - + mta_read_queue(pyzor_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(pyzor_t) - fs_manage_nfs_files(pyzor_t) @@ -82672,34 +82672,34 @@ index 2439d1304..d7bd6e9a1 100644 - fs_manage_cifs_symlinks(pyzor_t) -') +userdom_dontaudit_search_user_home_dirs(pyzor_t) - + optional_policy(` - amavis_manage_lib_files(pyzor_t) - amavis_manage_spool_files(pyzor_t) + antivirus_manage_db(pyzor_t) ') - + optional_policy(` 
@@ -111,25 +119,24 @@ optional_policy(` - + ######################################## # -# Daemon local policy +# Pyzor server local policy # - + -allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms; +allow pyzord_t self:udp_socket create_socket_perms; + manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t) +allow pyzord_t pyzor_var_lib_t:dir setattr; files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir }) - + +read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t) allow pyzord_t pyzor_etc_t:dir list_dir_perms; -allow pyzord_t pyzor_etc_t:file read_file_perms; -allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms; - + +can_exec(pyzord_t, pyzor_exec_t) + +manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) @@ -82708,16 +82708,16 @@ index 2439d1304..d7bd6e9a1 100644 -create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) -setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t) logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir }) - + -can_exec(pyzord_t, pyzor_exec_t) - kernel_read_kernel_sysctls(pyzord_t) kernel_read_system_state(pyzord_t) - + @@ -137,24 +144,25 @@ dev_read_urand(pyzord_t) - + corecmd_exec_bin(pyzord_t) - + -corenet_all_recvfrom_unlabeled(pyzord_t) corenet_all_recvfrom_netlabel(pyzord_t) corenet_udp_sendrecv_generic_if(pyzord_t) @@ -82729,19 +82729,19 @@ index 2439d1304..d7bd6e9a1 100644 corenet_udp_bind_pyzor_port(pyzord_t) -corenet_udp_sendrecv_pyzor_port(pyzord_t) +corenet_sendrecv_pyzor_server_packets(pyzord_t) - + -auth_use_nsswitch(pyzord_t) - + -logging_send_syslog_msg(pyzord_t) +auth_use_nsswitch(pyzord_t) - + locallogin_dontaudit_use_fds(pyzord_t) - + -miscfiles_read_localization(pyzord_t) - + +# Do not audit attempts to access /root. userdom_dontaudit_search_user_home_dirs(pyzord_t) - + mta_manage_spool(pyzord_t) + +optional_policy(` @@ -82764,7 +82764,7 @@ index eaf56b8b0..889472688 100644 
@@ -1,19 +1,21 @@ -## QEMU machine emulator and virtualizer. +## QEMU machine emulator and virtualizer - + -####################################### +######################################## ## @@ -82782,66 +82782,66 @@ index eaf56b8b0..889472688 100644 # template(`qemu_domain_template',` + - ############################## - # + ############################## + # - # Declarations + # Local Policy - # - - type $1_t; + # + + type $1_t; @@ -22,9 +24,12 @@ template(`qemu_domain_template',` - type $1_tmp_t; - files_tmp_file($1_tmp_t) - + type $1_tmp_t; + files_tmp_file($1_tmp_t) + + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) + - ############################## - # + ############################## + # - # Policy + # Local Policy - # - - allow $1_t self:capability { dac_read_search dac_override }; + # + + allow $1_t self:capability { dac_read_search dac_override }; @@ -39,9 +44,12 @@ template(`qemu_domain_template',` - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir }) + - kernel_read_system_state($1_t) - + kernel_read_system_state($1_t) + - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_generic_node($1_t) + corenet_all_recvfrom_netlabel($1_t) + corenet_tcp_sendrecv_generic_if($1_t) + corenet_tcp_sendrecv_generic_node($1_t) 
@@ -61,7 +69,6 @@ template(`qemu_domain_template',` - - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) + + fs_list_inotifyfs($1_t) + fs_rw_anon_inodefs_files($1_t) - fs_rw_tmpfs_files($1_t) - - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) + + storage_raw_write_removable_device($1_t) + storage_raw_read_removable_device($1_t) @@ -70,11 +77,10 @@ template(`qemu_domain_template',` - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) - + term_getattr_pty_fs($1_t) + term_use_generic_ptys($1_t) + - miscfiles_read_localization($1_t) - - sysnet_read_config($1_t) - + + sysnet_read_config($1_t) + - userdom_use_user_terminals($1_t) + userdom_use_inherited_user_terminals($1_t) - userdom_attach_admin_tun_iface($1_t) - - optional_policy(` + userdom_attach_admin_tun_iface($1_t) + + optional_policy(` @@ -96,40 +102,14 @@ template(`qemu_domain_template',` - ') + ') ') - + -######################################## -## -## Role access for qemu. @@ -82882,13 +82882,13 @@ index eaf56b8b0..889472688 100644 # interface(`qemu_domtrans',` @@ -137,18 +117,17 @@ interface(`qemu_domtrans',` - type qemu_t, qemu_exec_t; - ') - + type qemu_t, qemu_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, qemu_exec_t, qemu_t) + domtrans_pattern($1, qemu_exec_t, qemu_t) ') - + ######################################## ## -## Execute a qemu in the caller domain. @@ -82904,13 +82904,13 @@ index eaf56b8b0..889472688 100644 # interface(`qemu_exec',` @@ -156,15 +135,12 @@ interface(`qemu_exec',` - type qemu_exec_t; - ') - + type qemu_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, qemu_exec_t) + can_exec($1, qemu_exec_t) ') - + ######################################## ## -## Execute qemu in the qemu domain, 
@@ -82931,18 +82931,18 @@ index eaf56b8b0..889472688 100644 ## # interface(`qemu_run',` - gen_require(` + gen_require(` - attribute_role qemu_roles; + type qemu_t; - ') - - qemu_domtrans($1) + ') + + qemu_domtrans($1) - roleattribute $2 qemu_roles; + role $2 types qemu_t; + allow qemu_t $1:process signull; + allow $1 qemu_t:process signull; ') - + ######################################## ## -## Read qemu process state files. @@ -82951,16 +82951,16 @@ index eaf56b8b0..889472688 100644 ## ## @@ -202,15 +180,12 @@ interface(`qemu_read_state',` - type qemu_t; - ') - + type qemu_t; + ') + - kernel_search_proc($1) - allow $1 qemu_t:dir list_dir_perms; - allow $1 qemu_t:file read_file_perms; - allow $1 qemu_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, qemu_t, qemu_t) ') - + ######################################## ## -## Set qemu scheduler. @@ -82969,7 +82969,7 @@ index eaf56b8b0..889472688 100644 ## ## @@ -228,7 +203,7 @@ interface(`qemu_setsched',` - + ######################################## ## -## Send generic signals to qemu. @@ -82978,7 +82978,7 @@ index eaf56b8b0..889472688 100644 ## ## @@ -246,7 +221,7 @@ interface(`qemu_signal',` - + ######################################## ## -## Send kill signals to qemu. @@ -82987,19 +82987,19 @@ index eaf56b8b0..889472688 100644 ## ## @@ -264,28 +239,68 @@ interface(`qemu_kill',` - + ######################################## ## -## Execute a domain transition to -## run qemu unconfined. -+## Execute qemu_exec_t ++## Execute qemu_exec_t +## in the specified domain but do not +## do it automatically. This is an explicit +## transition, requiring the caller to use setexeccon(). ## +## +##

    -+## Execute qemu_exec_t ++## Execute qemu_exec_t +## in the specified domain. This allows +## the specified domain to qemu programs +## on these filesystems in the specified @@ -83020,11 +83020,11 @@ index eaf56b8b0..889472688 100644 # -interface(`qemu_domtrans_unconfined',` +interface(`qemu_spec_domtrans',` - gen_require(` + gen_require(` - type unconfined_qemu_t, qemu_exec_t; + type qemu_exec_t; - ') -+ + ') ++ + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) + domain_transition_pattern($1, qemu_exec_t, $2) + domain_entry_file($2,qemu_exec_t) @@ -83034,7 +83034,7 @@ index eaf56b8b0..889472688 100644 + allow $2 $1:fifo_file rw_fifo_file_perms; + allow $2 $1:process sigchld; +') - + - corecmd_search_bin($1) - domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t) +######################################## @@ -83055,7 +83055,7 @@ index eaf56b8b0..889472688 100644 + role $1 types unconfined_qemu_t; + role $1 types qemu_t; ') - + ######################################## ##

    -## Create, read, write, and delete @@ -83065,13 +83065,13 @@ index eaf56b8b0..889472688 100644 ## ## @@ -298,14 +313,12 @@ interface(`qemu_manage_tmp_dirs',` - type qemu_tmp_t; - ') - + type qemu_tmp_t; + ') + - files_search_tmp($1) - manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) + manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -83081,13 +83081,13 @@ index eaf56b8b0..889472688 100644 ## ## @@ -318,59 +331,42 @@ interface(`qemu_manage_tmp_files',` - type qemu_tmp_t; - ') - + type qemu_tmp_t; + ') + - files_search_tmp($1) - manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') - + ######################################## ## -## Execute qemu in a specified domain. @@ -83121,15 +83121,15 @@ index eaf56b8b0..889472688 100644 # -interface(`qemu_spec_domtrans',` +interface(`qemu_entry_type',` - gen_require(` - type qemu_exec_t; - ') - + gen_require(` + type qemu_exec_t; + ') + - corecmd_search_bin($1) - domain_auto_trans($1, qemu_exec_t, $2) + domain_entry_file($1, qemu_exec_t) ') - + -###################################### +####################################### ## @@ -83154,7 +83154,7 @@ index eaf56b8b0..889472688 100644 + gen_require(` + type qemu_exec_t; + ') - + - domain_entry_file($1, qemu_exec_t) + allow $1 qemu_exec_t:file getattr; ') @@ -83164,7 +83164,7 @@ index 4f9074343..958c0ef1e 100644 +++ b/qemu.te @@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0) # - + ## -##

    -## Determine whether qemu has full @@ -83175,7 +83175,7 @@ index 4f9074343..958c0ef1e 100644 +##

    ##
    gen_tunable(qemu_full_network, false) - + -attribute_role qemu_roles; -roleattribute system_r qemu_roles; +## @@ -83191,7 +83191,7 @@ index 4f9074343..958c0ef1e 100644 +##

    +##
    +gen_tunable(qemu_use_comm, false) - + -type qemu_exec_t; -application_executable_file(qemu_exec_t) +## @@ -83207,17 +83207,17 @@ index 4f9074343..958c0ef1e 100644 +##

    +##
    +gen_tunable(qemu_use_usb, true) - + virt_domain_template(qemu) -role qemu_roles types qemu_t; +role system_r types qemu_t; - + ######################################## # -# Local policy +# qemu local policy # - + +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t) + @@ -83228,13 +83228,13 @@ index 4f9074343..958c0ef1e 100644 tunable_policy(`qemu_full_network',` + allow qemu_t self:udp_socket create_socket_perms; + - corenet_udp_sendrecv_generic_if(qemu_t) - corenet_udp_sendrecv_generic_node(qemu_t) - corenet_udp_sendrecv_all_ports(qemu_t) + corenet_udp_sendrecv_generic_if(qemu_t) + corenet_udp_sendrecv_generic_node(qemu_t) + corenet_udp_sendrecv_all_ports(qemu_t) @@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',` - corenet_tcp_connect_all_ports(qemu_t) + corenet_tcp_connect_all_ports(qemu_t) ') - + +tunable_policy(`qemu_use_cifs',` + fs_manage_cifs_dirs(qemu_t) + fs_manage_cifs_files(qemu_t) @@ -83260,7 +83260,7 @@ index 4f9074343..958c0ef1e 100644 - xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) + dbus_read_lib_files(qemu_t) ') - + -######################################## -# -# Unconfined local policy @@ -83275,7 +83275,7 @@ index 4f9074343..958c0ef1e 100644 + samba_domtrans_smbd(qemu_t) + ') +') - + optional_policy(` - type unconfined_qemu_t; - typealias unconfined_qemu_t alias qemu_unconfined_t; @@ -83289,7 +83289,7 @@ index 4f9074343..958c0ef1e 100644 + virt_manage_images(qemu_t) + virt_append_log(qemu_t) +') - + - allow unconfined_qemu_t self:process { execstack execmem }; - allow unconfined_qemu_t qemu_exec_t:file execmod; +optional_policy(` 
@@ -83327,7 +83327,7 @@ index e53fe5a97..edee505d7 100644 + +/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0) +/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0) - + /var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) /var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) @@ -29,9 +13,36 @@ @@ -83365,11 +83365,11 @@ index e53fe5a97..edee505d7 100644 +/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) + +/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) - + -/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) +/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) +') - + -/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) diff --git a/qmail.if b/qmail.if index e4f0000e5..05e219e13 100644 @@ -83378,7 +83378,7 @@ index e4f0000e5..05e219e13 100644 @@ -1,12 +1,12 @@ -## Qmail Mail Server. +## Qmail Mail Server - + ######################################## ## -## Template for qmail parent/sub-domain pairs. @@ -83407,13 +83407,13 @@ index e4f0000e5..05e219e13 100644 - type $1_t, qmail_child_domain; - type $1_exec_t; + type $1_t; - domain_type($1_t) + domain_type($1_t) + type $1_exec_t; - domain_entry_file($1_t, $1_exec_t) + domain_entry_file($1_t, $1_exec_t) - + domain_auto_trans($2, $1_exec_t, $1_t) - role system_r types $1_t; - + role system_r types $1_t; + - ######################################## - # - # Policy @@ -83432,17 +83432,17 @@ index e4f0000e5..05e219e13 100644 + + kernel_list_proc($2) + kernel_read_proc_symlinks($2) - + - domtrans_pattern($2, $1_exec_t, $1_t) + corecmd_search_bin($1_t) + + files_search_var($1_t) + + fs_getattr_xattr_fs($1_t) - + - kernel_read_system_state($2) ') - + ######################################## ## -## Transition to qmail_inject_t. @@ -83451,20 +83451,20 @@ index e4f0000e5..05e219e13 100644 ## ## 
@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',` - type qmail_inject_t, qmail_inject_exec_t; - ') - + type qmail_inject_t, qmail_inject_exec_t; + ') + + corecmd_search_bin($1) - domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) - - ifdef(`distro_debian',` - files_search_usr($1) + domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t) + + ifdef(`distro_debian',` + files_search_usr($1) - corecmd_search_bin($1) - ',` - files_search_var($1) - ') + ',` + files_search_var($1) + ') @@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',` - + ######################################## ## -## Transition to qmail_queue_t. @@ -83473,46 +83473,46 @@ index e4f0000e5..05e219e13 100644 ## ## @@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',` - type qmail_queue_t, qmail_queue_exec_t; - ') - + type qmail_queue_t, qmail_queue_exec_t; + ') + + corecmd_search_bin($1) - domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) - - ifdef(`distro_debian',` - files_search_usr($1) + domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t) + + ifdef(`distro_debian',` + files_search_usr($1) - corecmd_search_bin($1) - ',` - files_search_var($1) - ') + ',` + files_search_var($1) + ') 
@@ -108,20 +112,21 @@ interface(`qmail_read_config',` - type qmail_etc_t; - ') - + type qmail_etc_t; + ') + - files_search_var($1) - allow $1 qmail_etc_t:dir list_dir_perms; - allow $1 qmail_etc_t:file read_file_perms; - allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; + allow $1 qmail_etc_t:dir list_dir_perms; + allow $1 qmail_etc_t:file read_file_perms; + allow $1 qmail_etc_t:lnk_file read_lnk_file_perms; + files_search_var($1) - - ifdef(`distro_debian',` + + ifdef(`distro_debian',` + # handle /etc/qmail - files_search_etc($1) - ') + files_search_etc($1) + ') ') - + ######################################## ## -## Define the specified domain as a -## qmail-smtp service. -+## Define the specified domain as a qmail-smtp service. ++## Define the specified domain as a qmail-smtp service. +## Needed by antivirus/antispam filters. ## ## ## @@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',` - - domtrans_pattern(qmail_smtpd_t, $2, $1) + + domtrans_pattern(qmail_smtpd_t, $2, $1) ') + +######################################## @@ -83577,16 +83577,16 @@ index 87429441c..53a2fe597 100644 @@ -5,7 +5,7 @@ policy_module(qmail, 1.6.1) # Declarations # - + -attribute qmail_child_domain; +attribute qmail_user_domains; - + type qmail_alias_home_t; files_type(qmail_alias_home_t) @@ -18,7 +18,7 @@ files_config_file(qmail_etc_t) type qmail_exec_t; files_type(qmail_exec_t) - + -type qmail_inject_t; +type qmail_inject_t, qmail_user_domains; type qmail_inject_exec_t; @@ -83594,14 +83594,14 @@ index 87429441c..53a2fe597 100644 domain_entry_file(qmail_inject_t, qmail_inject_exec_t) 
@@ -32,21 +32,25 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t) mta_mailserver_delivery(qmail_lspawn_t) - + qmail_child_domain_template(qmail_queue, qmail_inject_t) +typeattribute qmail_queue_t qmail_user_domains; mta_mailserver_user_agent(qmail_queue_t) - + qmail_child_domain_template(qmail_remote, qmail_rspawn_t) mta_mailserver_sender(qmail_remote_t) - + qmail_child_domain_template(qmail_rspawn, qmail_start_t) + qmail_child_domain_template(qmail_send, qmail_start_t) @@ -83609,18 +83609,18 @@ index 87429441c..53a2fe597 100644 qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) + qmail_child_domain_template(qmail_splogger, qmail_start_t) - + type qmail_keytab_t; files_type(qmail_keytab_t) - + type qmail_spool_t; -files_type(qmail_spool_t) +files_spool_file(qmail_spool_t) - + type qmail_start_t; type qmail_start_exec_t; @@ -58,28 +62,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) - + ######################################## # -# Common qmail child domain local policy @@ -83648,107 +83648,107 @@ index 87429441c..53a2fe597 100644 +# qmail-clean local policy +# this component cleans up the queue directory # - + read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) @@ -87,11 +71,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t) - + ######################################## # -# Inject local policy +# qmail-inject local policy +# this component preprocesses mail from stdin and invokes qmail-queue # - + -allow qmail_inject_t self:fifo_file write_fifo_file_perms; allow qmail_inject_t self:process signal_perms; +allow qmail_inject_t self:fifo_file write_fifo_file_perms; - + allow qmail_inject_t qmail_queue_exec_t:file read_file_perms; - + 
@@ -99,18 +84,18 @@ corecmd_search_bin(qmail_inject_t) - + files_search_var(qmail_inject_t) - + -miscfiles_read_localization(qmail_inject_t) - + qmail_read_config(qmail_inject_t) - + ######################################## # -# Local local policy +# qmail-local local policy +# this component delivers a mail message # - + -allow qmail_local_t self:fifo_file write_fifo_file_perms; allow qmail_local_t self:process signal_perms; -allow qmail_local_t self:unix_stream_socket { accept listen }; +allow qmail_local_t self:fifo_file write_file_perms; +allow qmail_local_t self:unix_stream_socket create_stream_socket_perms; - + manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t) @@ -136,13 +121,18 @@ mta_append_spool(qmail_local_t) - + qmail_domtrans_queue(qmail_local_t) - + +optional_policy(` + uucp_domtrans(qmail_local_t) +') + optional_policy(` - spamassassin_domtrans_client(qmail_local_t) + spamassassin_domtrans_client(qmail_local_t) ') - + ######################################## # -# Lspawn local policy +# qmail-lspawn local policy +# this component schedules local deliveries # - + allow qmail_lspawn_t self:capability { setuid setgid }; 
@@ -156,21 +146,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms; - + read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t) - + -files_read_etc_files(qmail_lspawn_t) +corecmd_search_bin(qmail_lspawn_t) + files_search_pids(qmail_lspawn_t) files_search_tmp(qmail_lspawn_t) - + ######################################## # -# Queue local policy +# qmail-queue local policy +# this component places a mail in a delivery queue, later to be processed by qmail-send # - + allow qmail_queue_t qmail_lspawn_t:fd use; allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms; - + +allow qmail_queue_t qmail_smtpd_t:process sigchld; allow qmail_queue_t qmail_smtpd_t:fd use; allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms; -allow qmail_queue_t qmail_smtpd_t:process sigchld; - + manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t) @@ -186,28 +178,34 @@ optional_policy(` - + ######################################## # -# Remote local policy +# qmail-remote local policy +# this component sends mail via SMTP # - + +allow qmail_remote_t self:tcp_socket create_socket_perms; +allow qmail_remote_t self:udp_socket create_socket_perms; + rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t) - + -corenet_all_recvfrom_unlabeled(qmail_remote_t) corenet_all_recvfrom_netlabel(qmail_remote_t) corenet_tcp_sendrecv_generic_if(qmail_remote_t) 
@@ -83762,25 +83762,25 @@ index 87429441c..53a2fe597 100644 +corenet_udp_sendrecv_dns_port(qmail_remote_t) +corenet_tcp_connect_smtp_port(qmail_remote_t) +corenet_sendrecv_smtp_client_packets(qmail_remote_t) - + dev_read_rand(qmail_remote_t) dev_read_urand(qmail_remote_t) - + -sysnet_dns_name_resolve(qmail_remote_t) +sysnet_read_config(qmail_remote_t) - + ######################################## # -# Rspawn local policy +# qmail-rspawn local policy +# this component scedules remote deliveries # - + allow qmail_rspawn_t self:process signal_perms; @@ -217,9 +215,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms; - + rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t) - + +corecmd_search_bin(qmail_rspawn_t) + ######################################## @@ -83789,59 +83789,59 @@ index 87429441c..53a2fe597 100644 +# qmail-send local policy +# this component delivers mail messages from the queue # - + allow qmail_send_t self:process signal_perms; @@ -237,7 +238,8 @@ optional_policy(` - + ######################################## # -# Smtpd local policy +# qmail-smtpd local policy +# this component receives mails via SMTP # - + allow qmail_smtpd_t self:process signal_perms; 
@@ -268,26 +270,26 @@ optional_policy(` - + ######################################## # -# Splogger local policy +# splogger local policy +# this component creates entries in syslog # - + allow qmail_splogger_t self:unix_dgram_socket create_socket_perms; - + -files_read_etc_files(qmail_splogger_t) - + init_dontaudit_use_script_fds(qmail_splogger_t) - + -miscfiles_read_localization(qmail_splogger_t) - + ######################################## # -# Start local policy +# qmail-start local policy +# this component starts up the mail delivery component # - + allow qmail_start_t self:capability { setgid setuid }; dontaudit qmail_start_t self:capability sys_tty_config; -allow qmail_start_t self:fifo_file rw_fifo_file_perms; allow qmail_start_t self:process signal_perms; +allow qmail_start_t self:fifo_file rw_fifo_file_perms; - + can_exec(qmail_start_t, qmail_start_exec_t) - + @@ -304,7 +306,8 @@ optional_policy(` - + ######################################## # -# Tcp-env local policy +# tcp-env local policy +# this component sets up TCP-related environment variables # - + allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms; diff --git a/qpid.if b/qpid.if index fe2adf8ae..f7e9c70b0 100644 @@ -83850,17 +83850,17 @@ index fe2adf8ae..f7e9c70b0 100644 @@ -1,4 +1,4 @@ -## Apache QPID AMQP messaging server. +## policy for qpidd - + ######################################## ## @@ -15,13 +15,12 @@ interface(`qpidd_domtrans',` - type qpidd_t, qpidd_exec_t; - ') - + type qpidd_t, qpidd_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, qpidd_exec_t, qpidd_t) + domtrans_pattern($1, qpidd_exec_t, qpidd_t) ') - + -##################################### +######################################## ## 
@@ -83875,15 +83875,15 @@ index fe2adf8ae..f7e9c70b0 100644 # -interface(`qpidd_rw_semaphores',` +interface(`qpidd_initrc_domtrans',` - gen_require(` + gen_require(` - type qpidd_t; + type qpidd_initrc_exec_t; - ') - + ') + - allow $1 qpidd_t:sem rw_sem_perms; + init_labeled_script_domtrans($1, qpidd_initrc_exec_t) ') - + ######################################## ## -## Read and write qpidd shared memory. @@ -83897,16 +83897,16 @@ index fe2adf8ae..f7e9c70b0 100644 # -interface(`qpidd_rw_shm',` +interface(`qpidd_read_pid_files',` - gen_require(` + gen_require(` - type qpidd_t; + type qpidd_var_run_t; - ') - + ') + - allow $1 qpidd_t:shm rw_shm_perms; + files_search_pids($1) + allow $1 qpidd_var_run_t:file read_file_perms; ') - + ######################################## ## -## Execute qpidd init script in @@ -83922,18 +83922,18 @@ index fe2adf8ae..f7e9c70b0 100644 # -interface(`qpidd_initrc_domtrans',` +interface(`qpidd_manage_var_run',` - gen_require(` + gen_require(` - type qpidd_initrc_exec_t; + type qpidd_var_run_t; - ') - + ') + - init_labeled_script_domtrans($1, qpidd_initrc_exec_t) + files_search_pids($1) + manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) + manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t) ') - + ######################################## ## -## Read qpidd pid files. @@ -83947,17 +83947,17 @@ index fe2adf8ae..f7e9c70b0 100644 # -interface(`qpidd_read_pid_files',` +interface(`qpidd_search_lib',` - gen_require(` + gen_require(` - type qpidd_var_run_t; + type qpidd_var_lib_t; - ') - + ') + - files_search_pids($1) - allow $1 qpidd_var_run_t:file read_file_perms; + allow $1 qpidd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) ') - + ######################################## ## -## Search qpidd lib directories. 
@@ -83971,15 +83971,15 @@ index fe2adf8ae..f7e9c70b0 100644 # -interface(`qpidd_search_lib',` +interface(`qpidd_read_lib_files',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) - allow $1 qpidd_var_lib_t:dir search_dir_perms; + read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') - + ######################################## ## -## Read qpidd lib files. @@ -83994,15 +83994,15 @@ index fe2adf8ae..f7e9c70b0 100644 # -interface(`qpidd_read_lib_files',` +interface(`qpidd_manage_lib_files',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) - read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -84017,16 +84017,16 @@ index fe2adf8ae..f7e9c70b0 100644 # -interface(`qpidd_manage_lib_files',` +interface(`qpidd_manage_var_lib',` - gen_require(` - type qpidd_var_lib_t; - ') - - files_search_var_lib($1) + gen_require(` + type qpidd_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) - manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) + manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t) ') - + -######################################## +##################################### ## 
@@ -84098,12 +84098,12 @@ index fe2adf8ae..f7e9c70b0 100644 + type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t; + type qpidd_var_run_t; + ') - + - allow $1 qpidd_t:process { ptrace signal_perms }; - ps_process_pattern($1, qpidd_t) + allow $1 qpidd_t:process { signal_perms }; + ps_process_pattern($1, qpidd_t) - + - qpidd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 qpidd_initrc_exec_t system_r; @@ -84111,14 +84111,14 @@ index fe2adf8ae..f7e9c70b0 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 qpidd_t:process ptrace; + ') - + - files_search_var_lib($1) - admin_pattern($1, qpidd_var_lib_t) + qpidd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 qpidd_initrc_exec_t system_r; + allow $2 system_r; - + - files_search_pids($1) - admin_pattern($1, qpidd_var_run_t) + files_search_var_lib($1) @@ -84134,17 +84134,17 @@ index 83eb09ef6..a5e7068f6 100644 @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) type qpidd_initrc_exec_t; init_script_file(qpidd_initrc_exec_t) - + +type qpidd_tmp_t; +files_tmp_file(qpidd_tmp_t) + type qpidd_tmpfs_t; files_tmpfs_file(qpidd_tmpfs_t) - + @@ -33,41 +36,58 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket { accept listen }; allow qpidd_t self:unix_stream_socket { accept listen }; - + +manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t) +manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t) +files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file }) @@ -84152,7 +84152,7 @@ index 83eb09ef6..a5e7068f6 100644 manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t) fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file }) - + -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) 
@@ -84161,25 +84161,25 @@ index 83eb09ef6..a5e7068f6 100644 +manage_lnk_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir lnk_file }) +allow qpidd_t qpidd_var_lib_t:file map; - + -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) +manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) - + kernel_read_system_state(qpidd_t) +kernel_read_network_state(qpidd_t) + +auth_read_passwd(qpidd_t) - + -corenet_all_recvfrom_unlabeled(qpidd_t) corenet_all_recvfrom_netlabel(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t) corenet_tcp_sendrecv_generic_node(qpidd_t) -corenet_tcp_bind_generic_node(qpidd_t) - + corenet_sendrecv_amqp_server_packets(qpidd_t) corenet_tcp_bind_amqp_port(qpidd_t) corenet_tcp_sendrecv_amqp_port(qpidd_t) @@ -84187,21 +84187,21 @@ index 83eb09ef6..a5e7068f6 100644 + +corenet_tcp_bind_matahari_port(qpidd_t) +corenet_tcp_connect_matahari_port(qpidd_t) - + dev_read_sysfs(qpidd_t) dev_read_urand(qpidd_t) +dev_read_rand(qpidd_t) - + -files_read_etc_files(qpidd_t) +# needed by ssl +files_list_tmp(qpidd_t) - + logging_send_syslog_msg(qpidd_t) - + -miscfiles_read_localization(qpidd_t) - sysnet_dns_name_resolve(qpidd_t) - + optional_policy(` - corosync_stream_connect(qpidd_t) + kerberos_use(qpidd_t) 
@@ -84219,7 +84219,7 @@ index 70ab68b02..b985b6570 100644 -/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0) +/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0) +/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0) - + -/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0) -/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) -/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0) @@ -84243,11 +84243,11 @@ index 70ab68b02..b985b6570 100644 +/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0) +/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) +/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0) - + -/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) +/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0) +/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0) - + -/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0) +/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0) +/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0) @@ -84262,7 +84262,7 @@ index afc00688d..e974fad4b 100644 --- a/quantum.if +++ b/quantum.if @@ -2,41 +2,314 @@ - + ######################################## ## -## All of the rules required to @@ -84414,12 +84414,12 @@ index afc00688d..e974fad4b 100644 +## +# +interface(`neutron_read_lib_files',` - gen_require(` + gen_require(` - type quantum_t, quantum_initrc_exec_t, quantum_log_t; - type quantum_var_lib_t, quantum_tmp_t; + type neutron_var_lib_t; - ') - + ') + - allow $1 quantum_t:process { ptrace signal_perms }; - ps_process_pattern($1, quantum_t) + files_search_var_lib($1) 
@@ -84460,7 +84460,7 @@ index afc00688d..e974fad4b 100644 + gen_require(` + type neutron_var_lib_t; + ') - + - init_labeled_script_domtrans($1, quantum_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 quantum_initrc_exec_t system_r; @@ -84574,15 +84574,15 @@ index afc00688d..e974fad4b 100644 + + allow $1 neutron_t:process { ptrace signal_perms }; + ps_process_pattern($1, neutron_t) - - logging_search_logs($1) + + logging_search_logs($1) - admin_pattern($1, quantum_log_t) + admin_pattern($1, neutron_log_t) - - files_search_var_lib($1) + + files_search_var_lib($1) - admin_pattern($1, quantum_var_lib_t) + admin_pattern($1, neutron_var_lib_t) - + - files_search_tmp($1) - admin_pattern($1, quantum_tmp_t) + neutron_systemctl($1) @@ -84600,7 +84600,7 @@ index 8644d8b3f..6c415e8b9 100644 @@ -5,92 +5,185 @@ policy_module(quantum, 1.1.0) # Declarations # - + -type quantum_t; -type quantum_exec_t; -init_daemon_domain(quantum_t, quantum_exec_t) @@ -84611,23 +84611,23 @@ index 8644d8b3f..6c415e8b9 100644 +##

    +## +gen_tunable(neutron_can_network, false) - + -type quantum_initrc_exec_t; -init_script_file(quantum_initrc_exec_t) +type neutron_t alias quantum_t; +type neutron_exec_t alias quantum_exec_t; +init_daemon_domain(neutron_t, neutron_exec_t) - + -type quantum_log_t; -logging_log_file(quantum_log_t) +type neutron_initrc_exec_t alias quantum_initrc_exec_t; +init_script_file(neutron_initrc_exec_t) - + -type quantum_tmp_t; -files_tmp_file(quantum_tmp_t) +type neutron_log_t alias quantum_log_t; +logging_log_file(neutron_log_t) - + -type quantum_var_lib_t; -files_type(quantum_var_lib_t) +type neutron_tmp_t alias quantum_tmp_t; @@ -84641,12 +84641,12 @@ index 8644d8b3f..6c415e8b9 100644 + +type neutron_unit_file_t alias quantum_unit_file_t; +systemd_unit_file(neutron_unit_file_t) - + ######################################## # # Local policy # - + -allow quantum_t self:capability { setgid setuid sys_resource }; -allow quantum_t self:process { setsched setrlimit }; -allow quantum_t self:fifo_file rw_fifo_file_perms; @@ -84772,17 +84772,17 @@ index 8644d8b3f..6c415e8b9 100644 + corenet_tcp_connect_all_ports(neutron_t) + corenet_tcp_sendrecv_all_ports(neutron_t) +') - + -files_read_usr_files(quantum_t) +optional_policy(` + dbus_system_bus_client(neutron_t) +') - + -auth_use_nsswitch(quantum_t) +optional_policy(` + brctl_domtrans(neutron_t) +') - + -libs_exec_ldconfig(quantum_t) +optional_policy(` + dnsmasq_domtrans(neutron_t) 
@@ -84790,24 +84790,24 @@ index 8644d8b3f..6c415e8b9 100644 + dnsmasq_kill(neutron_t) + dnsmasq_read_state(neutron_t) +') - + -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) +optional_policy(` + rhcs_domtrans_haproxy(neutron_t) + rhcs_stream_connect_haproxy(neutron_t) +') - + -miscfiles_read_localization(quantum_t) +optional_policy(` + iptables_domtrans(neutron_t) +') - + -sysnet_domtrans_ifconfig(quantum_t) +optional_policy(` + modutils_domtrans_insmod(neutron_t) +') - + optional_policy(` - brctl_domtrans(quantum_t) + mysql_stream_connect(neutron_t) @@ -84815,7 +84815,7 @@ index 8644d8b3f..6c415e8b9 100644 + mysql_read_config(neutron_t) + mysql_tcp_connect(neutron_t) ') - + optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) @@ -84823,20 +84823,20 @@ index 8644d8b3f..6c415e8b9 100644 + postgresql_unpriv_client(neutron_t) + postgresql_tcp_connect(neutron_t) +') - + - mysql_tcp_connect(quantum_t) +optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) ') - + optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) + rpm_exec(neutron_t) + rpm_read_db(neutron_t) +') - + - postgresql_tcp_connect(quantum_t) +optional_policy(` + sudo_exec(neutron_t) @@ -84844,7 +84844,7 @@ index 8644d8b3f..6c415e8b9 100644 + +optional_policy(` + udev_domtrans(neutron_t) -+') ++') diff --git a/quota.fc b/quota.fc index cadabe360..54ba01d0d 100644 --- a/quota.fc @@ -84854,42 +84854,42 @@ index cadabe360..54ba01d0d 100644 - -HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - + /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - + 
@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - + /etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - + -/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0) - -/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) -/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) +/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) - + -/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) /usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0) -/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0) - + /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) +/var/spool/cron/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - + -/var/lib/quota(/.*)? 
gen_context(system_u:object_r:quota_flag_t,s0) +ifdef(`distro_redhat',` +/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) +',` +/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0) +') - + -/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0) +/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0) - + -/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) - + -/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) @@ -84902,11 +84902,11 @@ index da6421861..3fb8575ca 100644 @@ -1,4 +1,4 @@ -## File system quota management. +## File system quota management - + ######################################## ## @@ -21,9 +21,8 @@ interface(`quota_domtrans',` - + ######################################## ## -## Execute quota management tools in @@ -84920,16 +84920,16 @@ index da6421861..3fb8575ca 100644 @@ -39,90 +38,54 @@ interface(`quota_domtrans',` # interface(`quota_run',` - gen_require(` + gen_require(` - attribute_role quota_roles; + type quota_t; - ') - - quota_domtrans($1) + ') + + quota_domtrans($1) - roleattribute $2 quota_roles; + role $2 types quota_t; ') - + ####################################### ## -## Execute quota nld in the quota nld domain. @@ -84952,12 +84952,12 @@ index da6421861..3fb8575ca 100644 + gen_require(` + type quota_db_t; + ') - + - corecmd_search_bin($1) - domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) + allow $1 quota_db_t:file read_file_perms; ') - + ######################################## ## -## Create, read, write, and delete 
@@ -85009,14 +85009,14 @@ index da6421861..3fb8575ca 100644 # -interface(`quota_spec_filetrans_db',` +interface(`quota_dontaudit_getattr_db',` - gen_require(` - type quota_db_t; - ') - + gen_require(` + type quota_db_t; + ') + - filetrans_pattern($1, $2, quota_db_t, $3, $4) + dontaudit $1 quota_db_t:file getattr_file_perms; ') - + ######################################## ## -## Do not audit attempts to get attributes @@ -85032,14 +85032,14 @@ index da6421861..3fb8575ca 100644 # -interface(`quota_dontaudit_getattr_db',` +interface(`quota_manage_db',` - gen_require(` - type quota_db_t; - ') - + gen_require(` + type quota_db_t; + ') + - dontaudit $1 quota_db_t:file getattr_file_perms; + allow $1 quota_db_t:file manage_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -85050,7 +85050,7 @@ index da6421861..3fb8575ca 100644 ## ## @@ -160,37 +123,56 @@ interface(`quota_manage_flags',` - + ######################################## ## -## All of the rules required to @@ -85072,12 +85072,12 @@ index da6421861..3fb8575ca 100644 # -interface(`quota_admin',` +interface(`quota_filetrans_named_content',` - gen_require(` + gen_require(` - type quota_nld_t, quota_t, quota_db_t; - type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t; + type quota_db_t; - ') - + ') + - allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { quota_nld_t quota_t }) - @@ -85106,7 +85106,7 @@ index da6421861..3fb8575ca 100644 + mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user") + mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group") +') - + - files_list_all($1) - admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t }) +####################################### @@ -85123,7 +85123,7 @@ index da6421861..3fb8575ca 100644 + gen_require(` + type quota_nld_t, quota_nld_exec_t; + ') - + - quota_run($1, $2) + corecmd_search_bin($1) + domtrans_pattern($1, quota_nld_exec_t, quota_nld_t) 
@@ -85135,7 +85135,7 @@ index f47c8e81f..0f0b0b43f 100644 @@ -5,12 +5,10 @@ policy_module(quota, 1.6.0) # Declarations # - + -attribute_role quota_roles; - type quota_t; @@ -85144,28 +85144,28 @@ index f47c8e81f..0f0b0b43f 100644 -role quota_roles types quota_t; +application_domain(quota_t, quota_exec_t) +#init_system_domain(quota_t, quota_exec_t) - + type quota_db_t; files_type(quota_db_t) @@ -22,9 +20,6 @@ type quota_nld_t; type quota_nld_exec_t; init_daemon_domain(quota_nld_t, quota_nld_exec_t) - + -type quota_nld_initrc_exec_t; -init_script_file(quota_nld_initrc_exec_t) - type quota_nld_var_run_t; files_pid_file(quota_nld_var_run_t) - + @@ -33,10 +28,11 @@ files_pid_file(quota_nld_var_run_t) # Local policy # - + -allow quota_t self:capability { sys_admin dac_override }; +allow quota_t self:capability { sys_admin dac_read_search dac_override }; dontaudit quota_t self:capability sys_tty_config; allow quota_t self:process signal_perms; - + +# for /quota.* allow quota_t quota_db_t:file { manage_file_perms quotaon }; files_root_filetrans(quota_t, quota_db_t, file) @@ -85173,18 +85173,18 @@ index f47c8e81f..0f0b0b43f 100644 @@ -48,24 +44,15 @@ files_var_filetrans(quota_t, quota_db_t, file) files_spool_filetrans(quota_t, quota_db_t, file) userdom_user_home_dir_filetrans(quota_t, quota_db_t, file) - + -kernel_request_load_module(quota_t) kernel_list_proc(quota_t) kernel_read_proc_symlinks(quota_t) kernel_read_kernel_sysctls(quota_t) -kernel_setsched(quota_t) +kernel_dontaudit_setsched(quota_t) - + dev_read_sysfs(quota_t) dev_getattr_all_blk_files(quota_t) dev_getattr_all_chr_files(quota_t) - + -files_list_all(quota_t) -files_read_all_files(quota_t) -files_read_all_symlinks(quota_t) @@ -85197,9 +85197,9 @@ index f47c8e81f..0f0b0b43f 100644 fs_set_xattr_fs_quotas(quota_t) fs_getattr_xattr_fs(quota_t) 
@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t) - + domain_use_interactive_fds(quota_t) - + +files_list_all(quota_t) +files_read_all_files(quota_t) +files_read_all_symlinks(quota_t) @@ -85211,47 +85211,47 @@ index f47c8e81f..0f0b0b43f 100644 + init_use_fds(quota_t) init_use_script_ptys(quota_t) - + logging_send_syslog_msg(quota_t) - + -userdom_use_user_terminals(quota_t) +mta_spool_filetrans(quota_t, quota_db_t, file) +mta_spool_filetrans_queue(quota_t, quota_db_t, file) + +userdom_use_inherited_user_terminals(quota_t) userdom_dontaudit_use_unpriv_user_fds(quota_t) - + optional_policy(` - mta_queue_filetrans(quota_t, quota_db_t, file) - mta_spool_filetrans(quota_t, quota_db_t, file) + openshift_lib_filetrans(quota_t, quota_db_t, file) ') - + optional_policy(` @@ -103,12 +101,13 @@ optional_policy(` - + ####################################### # -# Nld local policy +# Local policy # - + allow quota_nld_t self:fifo_file rw_fifo_file_perms; allow quota_nld_t self:netlink_socket create_socket_perms; -allow quota_nld_t self:unix_stream_socket { accept listen }; +allow quota_nld_t self:netlink_generic_socket create_socket_perms; +allow quota_nld_t self:unix_stream_socket create_stream_socket_perms; - + manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t) files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file }) @@ -121,11 +120,9 @@ init_read_utmp(quota_nld_t) - + logging_send_syslog_msg(quota_nld_t) - + -miscfiles_read_localization(quota_nld_t) - userdom_use_user_terminals(quota_nld_t) - + optional_policy(` - dbus_system_bus_client(quota_nld_t) - dbus_connect_system_bus(quota_nld_t) @@ -85264,7 +85264,7 @@ index c5ad6de76..af2d46f13 100644 +++ b/rabbitmq.fc 
@@ -1,10 +1,18 @@ /etc/rc\.d/init\.d/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_initrc_exec_t,s0) - + -/usr/lib/erlang/erts.*/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0) -/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) +/usr/lib/systemd/system/rabbitmq-server.* -- gen_context(system_u:object_r:rabbitmq_unit_file_t,s0) @@ -85273,15 +85273,15 @@ index c5ad6de76..af2d46f13 100644 +/usr/lib/rabbitmq/lib/rabbitmq_server-.*/sbin/rabbitmq-server -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) + +/usr/bin/ejabberdctl -- gen_context(system_u:object_r:rabbitmq_exec_t,s0) - + /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) +/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) + +/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0) - + /var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) +/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) - + /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/rabbitmq.if b/rabbitmq.if index 2c3d33896..7d49554eb 100644 @@ -85290,19 +85290,19 @@ index 2c3d33896..7d49554eb 100644 
@@ -38,12 +38,12 @@ interface(`rabbitmq_domtrans',` # interface(`rabbitmq_admin',` - gen_require(` + gen_require(` - type rabbitmq_epmd_t, rabbitmq_beam_t, rabbitmq_initrc_exec_t; + type rabbitmq_t, rabbitmq_initrc_exec_t; - type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t; - ') - + type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t; + ') + - allow $1 { rabbitmq_epmd_t rabbitmq_beam_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rabbitmq_epmd_t rabbitmq_beam_t }) + allow $1 { rabbitmq_t }:process { ptrace signal_perms }; + ps_process_pattern($1, rabbitmq_t) - - init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te index dc3b0ed87..f14522964 100644 --- a/rabbitmq.te @@ -85310,14 +85310,14 @@ index dc3b0ed87..f14522964 100644 @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2) # Declarations # - + -type rabbitmq_epmd_t; -type rabbitmq_epmd_exec_t; -init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t) +type rabbitmq_t; +type rabbitmq_exec_t; +init_daemon_domain(rabbitmq_t, rabbitmq_exec_t) - + -type rabbitmq_beam_t; -type rabbitmq_beam_exec_t; -init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t) @@ -85325,22 +85325,22 @@ index dc3b0ed87..f14522964 100644 + +type rabbitmq_unit_file_t; +systemd_unit_file(rabbitmq_unit_file_t) - + type rabbitmq_initrc_exec_t; init_script_file(rabbitmq_initrc_exec_t) @@ -19,106 +20,111 @@ init_script_file(rabbitmq_initrc_exec_t) type rabbitmq_var_lib_t; files_type(rabbitmq_var_lib_t) - + +type rabbitmq_var_lock_t; +files_lock_file(rabbitmq_var_lock_t) + type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) - + type rabbitmq_var_run_t; files_pid_file(rabbitmq_var_run_t) - + -###################################### -# -# Beam local policy 
@@ -85386,7 +85386,7 @@ index dc3b0ed87..f14522964 100644 -corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) +type rabbitmq_tmp_t; +files_tmp_file(rabbitmq_tmp_t) - + -corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t) -corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) -corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t) @@ -85418,7 +85418,7 @@ index dc3b0ed87..f14522964 100644 -# Epmd local policy +# Rabbitmq local policy # - + +allow rabbitmq_t self:capability setuid; + +allow rabbitmq_t self:process { setsched signal signull }; @@ -85509,7 +85509,7 @@ index dc3b0ed87..f14522964 100644 +optional_policy(` + rpc_read_nfs_state_data(rabbitmq_t) +') - + -allow rabbitmq_epmd_t self:process signal; -allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; -allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; @@ -85539,12 +85539,12 @@ index d447e8548..76ed794ce 100644 @@ -9,7 +9,9 @@ /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) - + -/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) +/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0) + +/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) - + /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) /var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) diff --git a/radius.if b/radius.if @@ -85552,9 +85552,9 @@ index 44605825c..4c66c2502 100644 --- a/radius.if +++ b/radius.if @@ -14,6 +14,30 @@ interface(`radius_use',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicywarn(`$0($*) has been deprecated.') ') - + +####################################### +## +## Execute radiusd server in the radiusd domain. @@ -85583,26 +85583,26 @@ index 44605825c..4c66c2502 100644 ## ## All of the rules required to 
@@ -35,11 +59,14 @@ interface(`radius_admin',` - gen_require(` - type radiusd_t, radiusd_etc_t, radiusd_log_t; - type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; + gen_require(` + type radiusd_t, radiusd_etc_t, radiusd_log_t; + type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t; - type radiusd_initrc_exec_t; + type radiusd_initrc_exec_t, radiusd_unit_file_t; - ') - + ') + - allow $1 radiusd_t:process { ptrace signal_perms }; + allow $1 radiusd_t:process signal_perms; - ps_process_pattern($1, radiusd_t) + ps_process_pattern($1, radiusd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 radiusd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, radiusd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, radiusd_initrc_exec_t) + domain_system_change_exemption($1) @@ -57,4 +84,9 @@ interface(`radius_admin',` - - files_list_pids($1) - admin_pattern($1, radiusd_var_run_t) + + files_list_pids($1) + admin_pattern($1, radiusd_var_run_t) + + admin_pattern($1, radiusd_unit_file_t) + bind_systemctl($1) @@ -85616,7 +85616,7 @@ index 403a4fed1..9de0a3d77 100644 @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) # Declarations # - + +## +##

    +## Determine whether radius can use JIT compiler. @@ -85630,7 +85630,7 @@ index 403a4fed1..9de0a3d77 100644 @@ -27,14 +34,17 @@ files_type(radiusd_var_lib_t) type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) - + +type radiusd_unit_file_t; +systemd_unit_file(radiusd_unit_file_t) + @@ -85638,7 +85638,7 @@ index 403a4fed1..9de0a3d77 100644 # # Local policy # - + -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; +allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace }; dontaudit radiusd_t self:capability sys_tty_config; @@ -85650,7 +85650,7 @@ index 403a4fed1..9de0a3d77 100644 @@ -43,15 +53,18 @@ allow radiusd_t radiusd_etc_t:dir list_dir_perms; allow radiusd_t radiusd_etc_t:file read_file_perms; allow radiusd_t radiusd_etc_t:lnk_file read_lnk_file_perms; - + +tunable_policy(`deny_ptrace',`',` + allow radiusd_t self:process ptrace; +') @@ -85660,26 +85660,26 @@ index 403a4fed1..9de0a3d77 100644 manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) +allow radiusd_t radiusd_etc_rw_t:file map; - + manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -append_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -create_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) -setattr_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) +manage_files_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir }) - + manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) 
@@ -60,11 +73,13 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) +files_dontaudit_list_tmp(radiusd_t) - + kernel_read_kernel_sysctls(radiusd_t) kernel_read_system_state(radiusd_t) +kernel_read_net_sysctls(radiusd_t) +kernel_search_network_sysctl(radiusd_t) - + -corenet_all_recvfrom_unlabeled(radiusd_t) corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) @@ -85687,18 +85687,18 @@ index 403a4fed1..9de0a3d77 100644 @@ -74,12 +89,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) - + +corenet_tcp_connect_postgresql_port(radiusd_t) +corenet_tcp_connect_http_port(radiusd_t) + corenet_sendrecv_radacct_server_packets(radiusd_t) +corenet_tcp_bind_radacct_port(radiusd_t) corenet_udp_bind_radacct_port(radiusd_t) - + corenet_sendrecv_radius_server_packets(radiusd_t) +corenet_tcp_bind_radius_port(radiusd_t) corenet_udp_bind_radius_port(radiusd_t) - + +corenet_sendrecv_radsec_server_packets(radiusd_t) +corenet_tcp_bind_radsec_port(radiusd_t) +corenet_udp_bind_radsec_port(radiusd_t) @@ -85706,27 +85706,27 @@ index 403a4fed1..9de0a3d77 100644 + corenet_sendrecv_snmp_client_packets(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) - + @@ -97,7 +122,6 @@ domain_use_interactive_fds(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) - + -files_read_usr_files(radiusd_t) files_read_etc_runtime_files(radiusd_t) files_dontaudit_list_tmp(radiusd_t) - + @@ -109,7 +133,6 @@ libs_exec_lib_files(radiusd_t) - + logging_send_syslog_msg(radiusd_t) - + -miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) - + sysnet_use_ldap(radiusd_t) 
@@ -117,10 +140,21 @@ sysnet_use_ldap(radiusd_t) userdom_dontaudit_use_unpriv_user_fds(radiusd_t) userdom_dontaudit_search_user_home_dirs(radiusd_t) - + +tunable_policy(`radius_use_jit',` + allow radiusd_t self:process execmem; +',` @@ -85734,40 +85734,40 @@ index 403a4fed1..9de0a3d77 100644 +') + optional_policy(` - cron_system_entry(radiusd_t, radiusd_exec_t) + cron_system_entry(radiusd_t, radiusd_exec_t) ') - + +optional_policy(` + kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0") + kerberos_manage_host_rcache(radiusd_t) +') + optional_policy(` - logrotate_exec(radiusd_t) + logrotate_exec(radiusd_t) ') @@ -131,6 +165,11 @@ optional_policy(` - mysql_tcp_connect(radiusd_t) + mysql_tcp_connect(radiusd_t) ') - + +optional_policy(` + postgresql_stream_connect(radiusd_t) + postgresql_tcp_connect(radiusd_t) +') + optional_policy(` - samba_domtrans_winbind_helper(radiusd_t) + samba_domtrans_winbind_helper(radiusd_t) ') @@ -139,6 +178,11 @@ optional_policy(` - seutil_sigchld_newrole(radiusd_t) + seutil_sigchld_newrole(radiusd_t) ') - + +optional_policy(` + snmp_read_snmp_var_lib_files(radiusd_t) + snmp_read_snmp_var_lib_files(radiusd_t) +') + optional_policy(` - udev_read_db(radiusd_t) + udev_read_db(radiusd_t) ') diff --git a/radvd.if b/radvd.if index ac7058d1e..48739ac1b 100644 @@ -85775,7 +85775,7 @@ index ac7058d1e..48739ac1b 100644 +++ b/radvd.if @@ -1,5 +1,24 @@ ##

    IPv6 router advertisement daemon. - + +###################################### +## +## Read radvd PID files. @@ -85799,39 +85799,39 @@ index ac7058d1e..48739ac1b 100644 ## ## All of the rules required to @@ -23,8 +42,11 @@ interface(`radvd_admin',` - type radvd_var_run_t; - ') - + type radvd_var_run_t; + ') + - allow $1 radvd_t:process { ptrace signal_perms }; + allow $1 radvd_t:process signal_perms; - ps_process_pattern($1, radvd_t) + ps_process_pattern($1, radvd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 radvd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, radvd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, radvd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/radvd.te b/radvd.te index 6d162e4e6..889c0ed5f 100644 --- a/radvd.te +++ b/radvd.te @@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t) - + logging_send_syslog_msg(radvd_t) - + -miscfiles_read_localization(radvd_t) - userdom_dontaudit_use_unpriv_user_fds(radvd_t) userdom_dontaudit_search_user_home_dirs(radvd_t) - + diff --git a/raid.fc b/raid.fc index 5806046b1..2a4769ff4 100644 --- a/raid.fc +++ b/raid.fc @@ -3,6 +3,12 @@ - + /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0) - + +/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0) +/etc/mdadm\.conf\.anacbak -- gen_context(system_u:object_r:mdadm_conf_t,s0) + @@ -85847,7 +85847,7 @@ index 5806046b1..2a4769ff4 100644 /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) +/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) - + +/var/log/iprdbg -- gen_context(system_u:object_r:mdadm_log_t,s0) +/var/log/iprdump.* -- gen_context(system_u:object_r:mdadm_log_t,s0) + @@ -85859,7 +85859,7 @@ index 951db7f1b..00e699da4 100644 
@@ -1,9 +1,8 @@ -## RAID array management tools. +## RAID array management tools - + ######################################## ## -## Execute software raid tools in @@ -85869,7 +85869,7 @@ index 951db7f1b..00e699da4 100644 ## ## @@ -22,34 +21,57 @@ interface(`raid_domtrans_mdadm',` - + ###################################### ## -## Execute mdadm in the mdadm @@ -85893,13 +85893,13 @@ index 951db7f1b..00e699da4 100644 ## # interface(`raid_run_mdadm',` - gen_require(` + gen_require(` - attribute_role mdadm_roles; + type mdadm_t; - ') - + ') + + role $1 types mdadm_t; - raid_domtrans_mdadm($2) + raid_domtrans_mdadm($2) - roleattribute $1 mdadm_roles; +') + @@ -85926,7 +85926,7 @@ index 951db7f1b..00e699da4 100644 + + ps_process_pattern($1, mdadm_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -85941,15 +85941,15 @@ index 951db7f1b..00e699da4 100644 # -interface(`raid_manage_mdadm_pid',` +interface(`raid_read_mdadm_pid',` - gen_require(` - type mdadm_var_run_t; - ') - + gen_require(` + type mdadm_var_run_t; + ') + - files_search_pids($1) - allow $1 mdadm_var_run_t:file manage_file_perms; + read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) ') - + ######################################## ## -## All of the rules required to @@ -86015,11 +86015,11 @@ index 951db7f1b..00e699da4 100644 # -interface(`raid_admin_mdadm',` +interface(`raid_read_conf_files',` - gen_require(` + gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; + type mdadm_conf_t; - ') - + ') + - allow $1 mdadm_t:process { ptrace signal_perms }; - ps_process_pattern($1, mdadm_t) + read_files_pattern($1, mdadm_conf_t, mdadm_conf_t) 
@@ -86039,14 +86039,14 @@ index 951db7f1b..00e699da4 100644 + gen_require(` + type mdadm_conf_t; + ') - + - init_labeled_script_domtrans($1, mdadm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; - allow $2 system_r; + manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t) +') - + - files_search_pids($1) - admin_pattern($1, mdadm_var_run_t) +######################################## @@ -86063,7 +86063,7 @@ index 951db7f1b..00e699da4 100644 + gen_require(` + type mdadm_conf_t; + ') - + - raid_run_mdadm($2, $1) + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") @@ -86075,7 +86075,7 @@ index c99753f2c..55294acec 100644 @@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) - + +type mdadm_conf_t; +files_config_file(mdadm_conf_t) + @@ -86091,7 +86091,7 @@ index c99753f2c..55294acec 100644 type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) - + +type mdadm_log_t; +logging_log_file(mdadm_log_t) + @@ -86099,7 +86099,7 @@ index c99753f2c..55294acec 100644 # # Local policy # - + -allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; -dontaudit mdadm_t self:capability sys_tty_config; -allow mdadm_t self:process { getsched setsched signal_perms }; @@ -86121,7 +86121,7 @@ index c99753f2c..55294acec 100644 +manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t) +manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t) +fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, { dir file }) - + manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) 
@@ -86135,7 +86135,7 @@ index c99753f2c..55294acec 100644 +logging_log_filetrans(mdadm_t, mdadm_log_t, file) + +can_exec(mdadm_t, mdadm_exec_t) - + kernel_getattr_core_if(mdadm_t) kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) @@ -86145,10 +86145,10 @@ index c99753f2c..55294acec 100644 +kernel_signal(mdadm_t) +kernel_signull(mdadm_t) +kernel_stream_connect(mdadm_t) - + corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) - + dev_rw_sysfs(mdadm_t) -dev_dontaudit_getattr_all_blk_files(mdadm_t) -dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -86171,12 +86171,12 @@ index c99753f2c..55294acec 100644 + +domain_read_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) - + -files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) -files_dontaudit_getattr_all_files(mdadm_t) +files_dontaudit_getattr_tmpfs_files(mdadm_t) - + fs_getattr_all_fs(mdadm_t) fs_list_auto_mountpoints(mdadm_t) fs_list_hugetlbfs(mdadm_t) @@ -86184,7 +86184,7 @@ index c99753f2c..55294acec 100644 fs_dontaudit_list_tmpfs(mdadm_t) +fs_manage_cgroup_files(mdadm_t) +fs_read_efivarfs_files(mdadm_t) - + mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) @@ -71,15 +121,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) 
@@ -86193,58 +86193,58 @@ index c99753f2c..55294acec 100644 storage_write_scsi_generic(mdadm_t) +storage_raw_read_removable_device(mdadm_t) +storage_tmp_filetrans_fixed_disk(mdadm_t) - + term_dontaudit_list_ptys(mdadm_t) term_dontaudit_use_unallocated_ttys(mdadm_t) - + +auth_use_nsswitch(mdadm_t) + init_dontaudit_getattr_initctl(mdadm_t) +init_getattr_script_status_files(mdadm_t) - + +logging_dontaudit_getattr_all_logs(mdadm_t) logging_send_syslog_msg(mdadm_t) - + -miscfiles_read_localization(mdadm_t) +systemd_exec_systemctl(mdadm_t) +systemd_start_systemd_services(mdadm_t) + +term_use_generic_ptys(mdadm_t) +term_use_unallocated_ttys(mdadm_t) - + userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) @@ -89,14 +149,27 @@ optional_policy(` - cron_system_entry(mdadm_t, mdadm_exec_t) + cron_system_entry(mdadm_t, mdadm_exec_t) ') - + +optional_policy(` + dbus_system_bus_client(mdadm_t) +') + optional_policy(` - gpm_dontaudit_getattr_gpmctl(mdadm_t) + gpm_dontaudit_getattr_gpmctl(mdadm_t) ') - + +optional_policy(` + kdump_manage_kdumpctl_tmp_files(mdadm_t) + kdump_rw_lock(mdadm_t) +') + optional_policy(` - mta_send_mail(mdadm_t) + mta_send_mail(mdadm_t) ') - + +optional_policy(` + mdadm_systemctl(mdadm_t) +') + optional_policy(` - seutil_sigchld_newrole(mdadm_t) + seutil_sigchld_newrole(mdadm_t) ') @@ -104,3 +177,11 @@ optional_policy(` optional_policy(` - udev_read_db(mdadm_t) + udev_read_db(mdadm_t) ') + +optional_policy(` 
@@ -86497,13 +86497,13 @@ index 6723f4d3b..6e2667392 100644 -HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) +#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) +#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0) - + -/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) +#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0) - + -/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) +#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0) - + -/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0) - -/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0) @@ -86525,7 +86525,7 @@ index 1e4b523bf..fee3b7cd1 100644 +## $HOME/.razor. +##

    +## - + ####################################### ## -## The template to define a razor domain. @@ -86542,12 +86542,12 @@ index 1e4b523bf..fee3b7cd1 100644 ## # template(`razor_common_domain_template',` - gen_require(` + gen_require(` - attribute razor_domain; - type razor_exec_t; + type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t; - ') - + ') + - ######################################## - # - # Declarations @@ -86555,9 +86555,9 @@ index 1e4b523bf..fee3b7cd1 100644 - - type $1_t, razor_domain; + type $1_t; - domain_type($1_t) - domain_entry_file($1_t, razor_exec_t) - + domain_type($1_t) + domain_entry_file($1_t, razor_exec_t) + - ######################################## - # - # Declarations @@ -86635,7 +86635,7 @@ index 1e4b523bf..fee3b7cd1 100644 + nis_use_ypbind($1_t) + ') ') - + ######################################## ## -## Role access for razor. @@ -86656,20 +86656,20 @@ index 1e4b523bf..fee3b7cd1 100644 +## # interface(`razor_role',` - gen_require(` + gen_require(` - attribute_role razor_roles; - type razor_t, razor_exec_t, razor_home_t; + type razor_t, razor_exec_t, razor_home_t; - type razor_tmp_t; - ') - + ') + - roleattribute $1 razor_roles; + role $1 types razor_t; - + + # Transition from the user domain to the derived domain. - domtrans_pattern($2, razor_exec_t, razor_t) - -+ # allow ps to show razor and allow the user to kill it - ps_process_pattern($2, razor_t) + domtrans_pattern($2, razor_exec_t, razor_t) + ++ # allow ps to show razor and allow the user to kill it + ps_process_pattern($2, razor_t) - allow $2 razor_t:process signal; - - allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; @@ -86679,7 +86679,7 @@ index 1e4b523bf..fee3b7cd1 100644 + tunable_policy(`deny_ptrace',`',` + allow $2 razor_t:process ptrace; + ') - + - userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor") + manage_dirs_pattern($2, razor_home_t, razor_home_t) + manage_files_pattern($2, razor_home_t, razor_home_t) 
@@ -86688,21 +86688,21 @@ index 1e4b523bf..fee3b7cd1 100644 + relabel_files_pattern($2, razor_home_t, razor_home_t) + relabel_lnk_files_pattern($2, razor_home_t, razor_home_t) ') - + ######################################## @@ -81,17 +156,16 @@ interface(`razor_role',` # interface(`razor_domtrans',` - gen_require(` + gen_require(` - type system_razor_t, razor_exec_t; + type razor_t, razor_exec_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, razor_exec_t, system_razor_t) + domtrans_pattern($1, razor_exec_t, razor_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -86718,18 +86718,18 @@ index 1e4b523bf..fee3b7cd1 100644 # -interface(`razor_manage_home_content',` +interface(`razor_manage_user_home_files',` - gen_require(` - type razor_home_t; - ') - - userdom_search_user_home_dirs($1) + gen_require(` + type razor_home_t; + ') + + userdom_search_user_home_dirs($1) - allow $1 razor_home_t:dir manage_dir_perms; - allow $1 razor_home_t:file manage_file_perms; - allow $1 razor_home_t:lnk_file manage_lnk_file_perms; + manage_files_pattern($1, razor_home_t, razor_home_t) + read_lnk_files_pattern($1, razor_home_t, razor_home_t) ') - + ######################################## ## -## Read razor lib files. @@ -86744,7 +86744,7 @@ index 68455f909..38f69685c 100644 @@ -5,135 +5,124 @@ policy_module(razor, 2.4.0) # Declarations # - + -attribute razor_domain; +ifdef(`distro_redhat',` + gen_require(` 
@@ -86855,19 +86855,19 @@ index 68455f909..38f69685c 100644 + files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) + + auth_use_nsswitch(razor_t) - + -attribute_role razor_roles; + logging_send_syslog_msg(razor_t) - + -type razor_exec_t; -corecmd_executable_file(razor_exec_t) + userdom_search_user_home_dirs(razor_t) + userdom_use_inherited_user_terminals(razor_t) - + -type razor_etc_t; -files_config_file(razor_etc_t) + userdom_home_manager(razor_t) - + -type razor_home_t; -typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; -typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; @@ -87000,15 +87000,15 @@ index e9765c0f2..ea21331d8 100644 @@ -1,3 +1,3 @@ -/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) +/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0) - + /usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) diff --git a/rdisc.if b/rdisc.if index 170ef52fb..28ccc4a75 100644 --- a/rdisc.if +++ b/rdisc.if @@ -18,3 +18,58 @@ interface(`rdisc_exec',` - corecmd_search_bin($1) - can_exec($1, rdisc_exec_t) + corecmd_search_bin($1) + can_exec($1, rdisc_exec_t) ') + +######################################## @@ -87072,7 +87072,7 @@ index 9196c1dbb..b7759316f 100644 @@ -9,6 +9,9 @@ type rdisc_t; type rdisc_exec_t; init_daemon_domain(rdisc_t, rdisc_exec_t) - + +type rdisc_unit_file_t; +systemd_unit_file(rdisc_unit_file_t) + @@ -87082,23 +87082,23 @@ index 9196c1dbb..b7759316f 100644 @@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t) kernel_read_proc_symlinks(rdisc_t) kernel_read_kernel_sysctls(rdisc_t) - + -corenet_all_recvfrom_unlabeled(rdisc_t) corenet_all_recvfrom_netlabel(rdisc_t) corenet_udp_sendrecv_generic_if(rdisc_t) corenet_raw_sendrecv_generic_if(rdisc_t) 
@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t) - + domain_use_interactive_fds(rdisc_t) - + -files_read_etc_files(rdisc_t) - + logging_send_syslog_msg(rdisc_t) - + -miscfiles_read_localization(rdisc_t) - sysnet_read_config(rdisc_t) - + userdom_dontaudit_use_unpriv_user_fds(rdisc_t) diff --git a/readahead.fc b/readahead.fc index f01b32fe2..46279e853 100644 @@ -87107,14 +87107,14 @@ index f01b32fe2..46279e853 100644 @@ -1,7 +1,11 @@ -/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) +/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) - + +/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) - + +/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) - + +/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) /var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0) diff --git a/readahead.if b/readahead.if @@ -87122,8 +87122,8 @@ index 661bb88fd..06f69c4ad 100644 --- a/readahead.if +++ b/readahead.if @@ -19,3 +19,27 @@ interface(`readahead_domtrans',` - corecmd_search_bin($1) - domtrans_pattern($1, readahead_exec_t, readahead_t) + corecmd_search_bin($1) + domtrans_pattern($1, readahead_exec_t, readahead_t) ') + +######################################## @@ -87145,7 +87145,7 @@ index 661bb88fd..06f69c4ad 100644 + manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t) + dev_filetrans($1, readahead_var_run_t, { dir file }) + init_pid_filetrans($1, readahead_var_run_t, { dir file }) -+ files_search_pids($1) ++ files_search_pids($1) + init_search_pid_dirs($1) +') + @@ -87154,26 +87154,26 @@ index c0b02c91c..f4705559c 100644 --- a/readahead.te +++ b/readahead.te 
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; - + type readahead_var_run_t; files_pid_file(readahead_var_run_t) +dev_associate(readahead_var_run_t) init_daemon_run_dir(readahead_var_run_t, "readahead") - + ######################################## @@ -31,13 +32,19 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) - + manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) +dev_filetrans(readahead_t, readahead_var_run_t, { dir file }) files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file }) +allow readahead_t readahead_var_run_t:file map; - + kernel_read_all_sysctls(readahead_t) kernel_read_system_state(readahead_t) kernel_dontaudit_getattr_core_if(readahead_t) +kernel_list_all_proc(readahead_t) - + -dev_read_sysfs(readahead_t) +dev_rw_sysfs(readahead_t) +dev_read_kmsg(readahead_t) @@ -87184,7 +87184,7 @@ index c0b02c91c..f4705559c 100644 dev_getattr_all_chr_files(readahead_t) @@ -51,12 +58,22 @@ domain_use_interactive_fds(readahead_t) domain_read_all_domains_state(readahead_t) - + files_create_boot_flag(readahead_t) +files_delete_root_files(readahead_t) files_getattr_all_pipes(readahead_t) @@ -87202,7 +87202,7 @@ index c0b02c91c..f4705559c 100644 + dev_dontaudit_write_all_chr_files(readahead_t) + dev_dontaudit_write_all_blk_files(readahead_t) +') - + fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) @@ -66,13 +83,12 @@ fs_read_cgroup_files(readahead_t) @@ -87214,11 +87214,11 @@ index c0b02c91c..f4705559c 100644 fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) fs_dontaudit_use_tmpfs_chr_dev(readahead_t) - + -mcs_file_read_all(readahead_t) - mls_file_read_all_levels(readahead_t) - + storage_raw_read_fixed_disk(readahead_t) @@ -84,13 +100,15 @@ auth_dontaudit_read_shadow(readahead_t) init_use_fds(readahead_t) 
@@ -87228,16 +87228,16 @@ index c0b02c91c..f4705559c 100644 +init_write_pid_socket(readahead_t) +init_create_pid_dirs(readahead_t) +init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead") - + logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) logging_dontaudit_search_audit_config(readahead_t) - + -miscfiles_read_localization(readahead_t) - userdom_dontaudit_use_unpriv_user_fds(readahead_t) userdom_dontaudit_search_user_home_dirs(readahead_t) - + diff --git a/realmd.fc b/realmd.fc index 04babe3d5..3b92679bb 100644 --- a/realmd.fc @@ -87257,7 +87257,7 @@ index bff31dfd2..1663054d9 100644 -## Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA. + +## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA - + ######################################## ## -## Execute realmd in the realmd domain. @@ -87266,8 +87266,8 @@ index bff31dfd2..1663054d9 100644 ## ## @@ -39,3 +40,120 @@ interface(`realmd_dbus_chat',` - allow $1 realmd_t:dbus send_msg; - allow realmd_t $1:dbus send_msg; + allow $1 realmd_t:dbus send_msg; + allow realmd_t $1:dbus send_msg; ') + +######################################## @@ -87391,7 +87391,7 @@ index 5bc878b29..573620309 100644 --- a/realmd.te +++ b/realmd.te @@ -7,46 +7,88 @@ policy_module(realmd, 1.1.0) - + type realmd_t; type realmd_exec_t; -init_system_domain(realmd_t, realmd_exec_t) @@ -87407,13 +87407,13 @@ index 5bc878b29..573620309 100644 + +type realmd_var_lib_t; +files_type(realmd_var_lib_t) - + ######################################## # -# Local policy +# realmd local policy # - + -allow realmd_t self:capability sys_nice; +allow realmd_t self:capability { sys_nice }; +allow realmd_t self:capability2 block_suspend; 
@@ -87430,13 +87430,13 @@ index 5bc878b29..573620309 100644 +manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t) +manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t) +files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir) - + kernel_read_system_state(realmd_t) +kernel_read_network_state(realmd_t) - + corecmd_exec_bin(realmd_t) corecmd_exec_shell(realmd_t) - + -corenet_all_recvfrom_unlabeled(realmd_t) -corenet_all_recvfrom_netlabel(realmd_t) -corenet_tcp_sendrecv_generic_if(realmd_t) @@ -87447,25 +87447,25 @@ index 5bc878b29..573620309 100644 -corenet_tcp_sendrecv_http_port(realmd_t) +corenet_tcp_connect_ldap_port(realmd_t) +corenet_tcp_connect_smbd_port(realmd_t) - + domain_use_interactive_fds(realmd_t) - + dev_read_rand(realmd_t) dev_read_urand(realmd_t) - + -fs_getattr_all_fs(realmd_t) +files_manage_etc_files(realmd_t) - + -files_read_usr_files(realmd_t) +fs_getattr_all_fs(realmd_t) - + auth_use_nsswitch(realmd_t) - + +init_filetrans_named_content(realmd_t) + +logging_manage_generic_logs(realmd_t) logging_send_syslog_msg(realmd_t) - + +miscfiles_manage_generic_cert_files(realmd_t) + +seutil_domtrans_setfiles(realmd_t) @@ -87482,19 +87482,19 @@ index 5bc878b29..573620309 100644 +') + optional_policy(` - dbus_system_domain(realmd_t, realmd_exec_t) - + dbus_system_domain(realmd_t, realmd_exec_t) + + optional_policy(` + certmonger_dbus_chat(realmd_t) + ') + - optional_policy(` - networkmanager_dbus_chat(realmd_t) - ') + optional_policy(` + networkmanager_dbus_chat(realmd_t) + ') @@ -63,21 +105,40 @@ optional_policy(` optional_policy(` - kerberos_use(realmd_t) - kerberos_rw_keytab(realmd_t) + kerberos_use(realmd_t) + kerberos_rw_keytab(realmd_t) + kerberos_rw_config(realmd_t) + kerberos_filetrans_named_content(realmd_t) +') 
@@ -87507,13 +87507,13 @@ index 5bc878b29..573620309 100644 + ssh_domtrans(realmd_t) + ssh_systemctl(realmd_t) ') - + optional_policy(` - nis_exec_ypbind(realmd_t) + nis_exec_ypbind(realmd_t) - nis_initrc_domtrans(realmd_t) + nis_systemctl_ypbind(realmd_t) ') - + optional_policy(` - gnome_read_generic_home_content(realmd_t) + gnome_read_config(realmd_t) @@ -87522,10 +87522,10 @@ index 5bc878b29..573620309 100644 + gnome_manage_cache_home_dir(realmd_t) + ') - + optional_policy(` - samba_domtrans_net(realmd_t) - samba_manage_config(realmd_t) + samba_domtrans_net(realmd_t) + samba_manage_config(realmd_t) - samba_getattr_winbind_exec(realmd_t) + samba_getattr_winbind(realmd_t) +') @@ -87533,12 +87533,12 @@ index 5bc878b29..573620309 100644 +optional_policy(` + rpm_dbus_chat(realmd_t) ') - + optional_policy(` @@ -86,5 +147,27 @@ optional_policy(` - sssd_manage_lib_files(realmd_t) - sssd_manage_public_files(realmd_t) - sssd_read_pid_files(realmd_t) + sssd_manage_lib_files(realmd_t) + sssd_manage_public_files(realmd_t) + sssd_read_pid_files(realmd_t) - sssd_initrc_domtrans(realmd_t) + sssd_systemctl(realmd_t) +') @@ -87560,7 +87560,7 @@ index 5bc878b29..573620309 100644 + userhelper_console_role_template(realmd, system_r, realmd_t) + authconfig_manage_lib_files(realmd_consolehelper_t) + -+ oddjob_systemctl(realmd_consolehelper_t) ++ oddjob_systemctl(realmd_consolehelper_t) + + unconfined_domain_noaudit(realmd_consolehelper_t) ') @@ -87570,16 +87570,16 @@ index e240ac99c..83edd1be2 100644 +++ b/redis.fc 
@@ -1,9 +1,16 @@ /etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) - + -/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) +/etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0) - + -/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) +/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) - + -/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) +/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) - + -/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) +/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) + @@ -87596,7 +87596,7 @@ index 16c8ecbe3..4e021eca7 100644 @@ -1,9 +1,225 @@ -## Advanced key-value store. +## Advanced key-value store - + ######################################## ## -## All of the rules required to @@ -87824,25 +87824,25 @@ index 16c8ecbe3..4e021eca7 100644 ## @@ -20,7 +236,7 @@ interface(`redis_admin',` - gen_require(` - type redis_t, redis_initrc_exec_t, redis_var_lib_t; + gen_require(` + type redis_t, redis_initrc_exec_t, redis_var_lib_t; - type redis_log_t, redis_var_run_t; + type redis_log_t, redis_var_run_t, redis_unit_file_t; - ') - - allow $1 redis_t:process { ptrace signal_perms }; + ') + + allow $1 redis_t:process { ptrace signal_perms }; @@ -32,11 +248,20 @@ interface(`redis_admin',` - allow $2 system_r; - - logging_search_logs($1) + allow $2 system_r; + + logging_search_logs($1) - admin_pattern($!, redis_log_t) + admin_pattern($1, redis_log_t) - - files_search_var_lib($1) - admin_pattern($1, redis_var_lib_t) - - files_search_pids($1) - admin_pattern($1, redis_var_run_t) + + files_search_var_lib($1) + admin_pattern($1, redis_var_lib_t) + + files_search_pids($1) + admin_pattern($1, redis_var_run_t) + + redis_systemctl($1) + admin_pattern($1, redis_unit_file_t) @@ -87860,7 +87860,7 @@ index 25cd4175f..82c34b2e9 100644 
@@ -5,6 +5,13 @@ policy_module(redis, 1.0.1) # Declarations # - + +## +##

    +## Allow Redis to run redis-sentinal notification scripts. @@ -87874,17 +87874,17 @@ index 25cd4175f..82c34b2e9 100644 @@ -12,6 +19,9 @@ init_daemon_domain(redis_t, redis_exec_t) type redis_initrc_exec_t; init_script_file(redis_initrc_exec_t) - + +type redis_conf_t; +files_config_file(redis_conf_t) + type redis_log_t; logging_log_file(redis_log_t) - + @@ -21,6 +31,9 @@ files_type(redis_var_lib_t) type redis_var_run_t; files_pid_file(redis_var_run_t) - + +type redis_unit_file_t; +systemd_unit_file(redis_unit_file_t) + @@ -87894,7 +87894,7 @@ index 25cd4175f..82c34b2e9 100644 @@ -31,6 +44,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms; allow redis_t self:unix_stream_socket create_stream_socket_perms; allow redis_t self:tcp_socket create_stream_socket_perms; - + +manage_files_pattern(redis_t, redis_conf_t, redis_conf_t) + manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) @@ -87905,23 +87905,23 @@ index 25cd4175f..82c34b2e9 100644 manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) +manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) - + kernel_read_system_state(redis_t) +kernel_read_net_sysctls(redis_t) - + corenet_all_recvfrom_unlabeled(redis_t) corenet_all_recvfrom_netlabel(redis_t) corenet_tcp_sendrecv_generic_if(redis_t) corenet_tcp_sendrecv_generic_node(redis_t) corenet_tcp_bind_generic_node(redis_t) +corenet_tcp_connect_redis_port(redis_t) - + corenet_sendrecv_redis_server_packets(redis_t) corenet_tcp_bind_redis_port(redis_t) @@ -60,6 +78,10 @@ dev_read_urand(redis_t) - + logging_send_syslog_msg(redis_t) - + -miscfiles_read_localization(redis_t) - sysnet_dns_name_resolve(redis_t) @@ -87945,17 +87945,17 @@ index a9ce68e33..92520aa92 100644 @@ -1,4 +1,4 @@ -##

    Rshd, rlogind, and telnetd. +## Policy for rshd, rlogind, and telnetd. - + ######################################## ## @@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',` - type remote_login_t; - ') - + type remote_login_t; + ') + - corecmd_search_bin($1) - auth_domtrans_login_program($1, remote_login_t) + auth_domtrans_login_program($1, remote_login_t) ') - + ######################################## ## -## Send generic signals to remote login. @@ -87964,7 +87964,7 @@ index a9ce68e33..92520aa92 100644 ## ## @@ -39,8 +38,7 @@ interface(`remotelogin_signal',` - + ######################################## ## -## Create, read, write, and delete @@ -87979,7 +87979,7 @@ index a9ce68e33..92520aa92 100644 # -interface(`remotelogin_manage_tmp_content',` +interface(`remotelogin_signull',` - gen_require(` + gen_require(` - type remote_login_tmp_t; - ') - @@ -88002,8 +88002,8 @@ index a9ce68e33..92520aa92 100644 - gen_require(` - type remote_login_tmp_t; + type remote_login_t; - ') - + ') + - files_search_tmp($1) - allow $1 remote_login_tmp_t:dir relabel_dir_perms; - allow $1 remote_login_tmp_t:file relabel_file_perms; @@ -88016,7 +88016,7 @@ index ae308717f..15a669cd4 100644 @@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t) auth_login_pgm_domain(remote_login_t) auth_login_entry_type(remote_login_t) - + -type remote_login_tmp_t; -files_tmp_file(remote_login_tmp_t) - @@ -88025,7 +88025,7 @@ index ae308717f..15a669cd4 100644 -# Local policy +# Remote login remote policy # - + -allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; +allow remote_login_t self:capability { dac_read_search dac_read_search dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config }; allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; 
@@ -88047,37 +88047,37 @@ index ae308717f..15a669cd4 100644 +allow remote_login_t self:msgq create_msgq_perms; +allow remote_login_t self:msg { send receive }; +allow remote_login_t self:key write; - + kernel_read_system_state(remote_login_t) kernel_read_kernel_sysctls(remote_login_t) - + dev_getattr_mouse_dev(remote_login_t) dev_setattr_mouse_dev(remote_login_t) +dev_dontaudit_search_sysfs(remote_login_t) - + fs_getattr_xattr_fs(remote_login_t) +fs_search_auto_mountpoints(remote_login_t) - + term_relabel_all_ptys(remote_login_t) term_use_all_ptys(remote_login_t) term_setattr_all_ptys(remote_login_t) - + -auth_manage_pam_console_data(remote_login_t) -auth_domtrans_pam_console(remote_login_t) auth_rw_login_records(remote_login_t) auth_rw_faillog(remote_login_t) +auth_manage_pam_console_data(remote_login_t) +auth_domtrans_pam_console(remote_login_t) - + corecmd_list_bin(remote_login_t) corecmd_read_bin_symlinks(remote_login_t) +# cjp: these are probably not needed: +corecmd_read_bin_files(remote_login_t) +corecmd_read_bin_pipes(remote_login_t) +corecmd_read_bin_sockets(remote_login_t) - + domain_read_all_entry_files(remote_login_t) - + files_read_etc_runtime_files(remote_login_t) files_list_home(remote_login_t) -files_read_usr_files(remote_login_t) @@ -88089,11 +88089,11 @@ index ae308717f..15a669cd4 100644 files_list_mnt(remote_login_t) +# for when /var/mail is a sym-link files_read_var_symlinks(remote_login_t) - + -miscfiles_read_localization(remote_login_t) +auth_use_nsswitch(remote_login_t) + - + userdom_use_unpriv_users_fds(remote_login_t) userdom_search_user_home_content(remote_login_t) +# Only permit unprivileged user domains to be entered via rlogin, @@ -88101,7 +88101,7 @@ index ae308717f..15a669cd4 100644 userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) +userdom_use_user_ptys(remote_login_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(remote_login_t) - fs_read_nfs_symlinks(remote_login_t) 
@@ -88109,22 +88109,22 @@ index ae308717f..15a669cd4 100644 +userdom_manage_user_tmp_dirs(remote_login_t) +userdom_manage_user_tmp_files(remote_login_t) +userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir }) - + -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(remote_login_t) - fs_read_cifs_symlinks(remote_login_t) -') +userdom_home_reader(remote_login_t) - + optional_policy(` - alsa_domtrans(remote_login_t) + alsa_domtrans(remote_login_t) ') - + optional_policy(` + # Search for mail spool file. - mta_getattr_spool(remote_login_t) + mta_getattr_spool(remote_login_t) ') - + diff --git a/resmgr.te b/resmgr.te index f6eb358ad..b6319191c 100644 --- a/resmgr.te @@ -88132,28 +88132,28 @@ index f6eb358ad..b6319191c 100644 @@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t) # Local policy # - + -allow resmgrd_t self:capability { dac_override sys_admin sys_rawio }; +allow resmgrd_t self:capability { dac_read_search dac_override sys_admin sys_rawio }; dontaudit resmgrd_t self:capability sys_tty_config; allow resmgrd_t self:process signal_perms; - + @@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t) - + domain_use_interactive_fds(resmgrd_t) - + -files_read_etc_files(resmgrd_t) - + fs_search_auto_mountpoints(resmgrd_t) - + @@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t) - + logging_send_syslog_msg(resmgrd_t) - + -miscfiles_read_localization(resmgrd_t) - userdom_dontaudit_use_unpriv_user_fds(resmgrd_t) - + optional_policy(` diff --git a/rgmanager.fc b/rgmanager.fc index 5421af0b6..91e69b869 100644 
@@ -88164,25 +88164,25 @@ index 5421af0b6..91e69b869 100644 +/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) - + -/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - + -/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0) - + -/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) +/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0) +/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0) +/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0) - + -/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) - + -/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) + @@ -88196,7 +88196,7 @@ index 1c2f9aa12..a4133dc92 100644 @@ -1,13 +1,13 @@ -## Resource Group Manager. +## rgmanager - Resource Group Manager - + ####################################### ## ## Execute a domain transition to run rgmanager. @@ -88211,7 +88211,7 @@ index 1c2f9aa12..a4133dc92 100644 # interface(`rgmanager_domtrans',` 
@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',` - + ######################################## ## -## Connect to rgmanager with a unix @@ -88221,9 +88221,9 @@ index 1c2f9aa12..a4133dc92 100644 ## ## @@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',` - stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) + stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t) ') - + +######################################## +## +## Manage rgmanager pid files @@ -88252,7 +88252,7 @@ index 1c2f9aa12..a4133dc92 100644 ## ## @@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',` - + ###################################### ## -## Create, read, write, and delete @@ -88262,9 +88262,9 @@ index 1c2f9aa12..a4133dc92 100644 ## ## @@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',` - manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) + manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) ') - + +####################################### +## +## Allow read and write access to rgmanager semaphores. @@ -88302,21 +88302,21 @@ index 1c2f9aa12..a4133dc92 100644 ## ## @@ -102,8 +136,11 @@ interface(`rgmanager_admin',` - type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; - ') - + type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; + ') + - allow $1 rgmanager_t:process { ptrace signal_perms }; + allow $1 rgmanager_t:process signal_perms; - ps_process_pattern($1, rgmanager_t) + ps_process_pattern($1, rgmanager_t) + tunable_policy(`deny_ptrace',`',` + allow $1 rgmanager_t:process ptrace; + ') - - init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) + domain_system_change_exemption($1) @@ -121,3 +158,66 @@ interface(`rgmanager_admin',` - files_list_pids($1) - admin_pattern($1, rgmanager_var_run_t) + files_list_pids($1) + admin_pattern($1, rgmanager_var_run_t) ') + + 
@@ -88387,7 +88387,7 @@ index c8a1e16e4..f9d6fb341 100644 +++ b/rgmanager.te @@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0) # - + ## -##

    -## Determine whether rgmanager can @@ -88398,25 +88398,25 @@ index c8a1e16e4..f9d6fb341 100644 +##

    ##
    gen_tunable(rgmanager_can_network_connect, false) - + @@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t) type rgmanager_tmpfs_t; files_tmpfs_file(rgmanager_tmpfs_t) - + +type rgmanager_var_lib_t; +files_type(rgmanager_var_lib_t) + type rgmanager_var_log_t; logging_log_file(rgmanager_var_log_t) - + @@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t) - + ######################################## # -# Local policy +# rgmanager local policy # - + -allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; +allow rgmanager_t self:capability { dac_read_search dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; allow rgmanager_t self:process { setsched signal }; @@ -88427,13 +88427,13 @@ index c8a1e16e4..f9d6fb341 100644 +allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; +allow rgmanager_t self:unix_dgram_socket create_socket_perms; +allow rgmanager_t self:tcp_socket create_stream_socket_perms; - + manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) @@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) - + -allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file) +# var/lib files 
@@ -88448,13 +88448,13 @@ index c8a1e16e4..f9d6fb341 100644 + +manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) +logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) - + +manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) -files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) +files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir }) - + +kernel_kill(rgmanager_t) kernel_read_kernel_sysctls(rgmanager_t) +kernel_read_rpc_sysctls(rgmanager_t) @@ -88462,7 +88462,7 @@ index c8a1e16e4..f9d6fb341 100644 kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) kernel_search_network_state(rgmanager_t) - + -corenet_all_recvfrom_unlabeled(rgmanager_t) -corenet_all_recvfrom_netlabel(rgmanager_t) -corenet_tcp_sendrecv_generic_if(rgmanager_t) @@ -88470,16 +88470,16 @@ index c8a1e16e4..f9d6fb341 100644 - corecmd_exec_bin(rgmanager_t) corecmd_exec_shell(rgmanager_t) - + +# need to write to /dev/misc/dlm-control dev_rw_dlm_control(rgmanager_t) dev_setattr_dlm_control(rgmanager_t) dev_search_sysfs(rgmanager_t) - + domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) -domain_dontaudit_ptrace_all_domains(rgmanager_t) - + -files_list_all(rgmanager_t) +files_create_var_run_dirs(rgmanager_t) files_getattr_all_symlinks(rgmanager_t) 
@@ -88490,77 +88490,77 @@ index c8a1e16e4..f9d6fb341 100644 +files_manage_isid_type_files(rgmanager_t) files_manage_isid_type_dirs(rgmanager_t) -files_read_non_security_files(rgmanager_t) - + +fs_getattr_xattr_fs(rgmanager_t) fs_getattr_all_fs(rgmanager_t) - + storage_raw_read_fixed_disk(rgmanager_t) +storage_getattr_fixed_disk_dev(rgmanager_t) - + term_getattr_pty_fs(rgmanager_t) - + +# needed by resources scripts +files_read_non_security_files(rgmanager_t) auth_dontaudit_getattr_shadow(rgmanager_t) auth_use_nsswitch(rgmanager_t) - + init_domtrans_script(rgmanager_t) +init_initrc_domain(rgmanager_t) - + logging_send_syslog_msg(rgmanager_t) - + -miscfiles_read_localization(rgmanager_t) +userdom_kill_all_users(rgmanager_t) - + tunable_policy(`rgmanager_can_network_connect',` - corenet_sendrecv_all_client_packets(rgmanager_t) - corenet_tcp_connect_all_ports(rgmanager_t) + corenet_tcp_connect_all_ports(rgmanager_t) - corenet_tcp_sendrecv_all_ports(rgmanager_t) ') - + +# rgmanager can run resource scripts optional_policy(` - aisexec_stream_connect(rgmanager_t) + aisexec_stream_connect(rgmanager_t) + corosync_stream_connect(rgmanager_t) ') - + optional_policy(` - consoletype_exec(rgmanager_t) + apache_domtrans(rgmanager_t) + apache_signal(rgmanager_t) ') - + optional_policy(` - corosync_stream_connect(rgmanager_t) + consoletype_exec(rgmanager_t) ') - + optional_policy(` - apache_domtrans(rgmanager_t) - apache_signal(rgmanager_t) + dbus_system_bus_client(rgmanager_t) ') - + optional_policy(` @@ -130,7 +150,6 @@ optional_policy(` - + optional_policy(` - rhcs_stream_connect_groupd(rgmanager_t) + rhcs_stream_connect_groupd(rgmanager_t) - rhcs_stream_connect_gfs_controld(rgmanager_t) ') - + optional_policy(` 
@@ -140,12 +159,19 @@ optional_policy(` optional_policy(` - ccs_manage_config(rgmanager_t) - ccs_stream_connect(rgmanager_t) + ccs_manage_config(rgmanager_t) + ccs_stream_connect(rgmanager_t) + rhcs_stream_connect_gfs_controld(rgmanager_t) ') - + optional_policy(` - lvm_domtrans(rgmanager_t) + lvm_domtrans(rgmanager_t) ') - + +optional_policy(` + ldap_initrc_domtrans(rgmanager_t) + ldap_systemctl(rgmanager_t) @@ -88568,37 +88568,37 @@ index c8a1e16e4..f9d6fb341 100644 +') + optional_policy(` - mount_domtrans(rgmanager_t) + mount_domtrans(rgmanager_t) ') @@ -174,12 +200,18 @@ optional_policy(` ') - + optional_policy(` + rpc_initrc_domtrans_nfsd(rgmanager_t) + rpc_initrc_domtrans_rpcd(rgmanager_t) + rpc_systemctl_nfsd(rgmanager_t) + rpc_systemctl_rpcd(rgmanager_t) + - rpc_domtrans_nfsd(rgmanager_t) - rpc_domtrans_rpcd(rgmanager_t) - rpc_manage_nfs_state_data(rgmanager_t) + rpc_domtrans_nfsd(rgmanager_t) + rpc_domtrans_rpcd(rgmanager_t) + rpc_manage_nfs_state_data(rgmanager_t) ') - + optional_policy(` + samba_initrc_domtrans(rgmanager_t) - samba_domtrans_smbd(rgmanager_t) - samba_domtrans_nmbd(rgmanager_t) - samba_manage_var_files(rgmanager_t) + samba_domtrans_smbd(rgmanager_t) + samba_domtrans_nmbd(rgmanager_t) + samba_manage_var_files(rgmanager_t) @@ -200,6 +232,10 @@ optional_policy(` - virt_stream_connect(rgmanager_t) + virt_stream_connect(rgmanager_t) ') - + +optional_policy(` + unconfined_domain(rgmanager_t) +') + optional_policy(` - xen_domtrans_xm(rgmanager_t) + xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc index 47de2d681..c06395f39 100644 
@@ -88611,15 +88611,15 @@ index 47de2d681..c06395f39 100644 +/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) -+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) +/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0) +/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) +/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0) +/usr/sbin/haproxy-systemd-wrapper -- gen_context(system_u:object_r:haproxy_exec_t,s0) +/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) - + -/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) -/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) -/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) 
@@ -88629,15 +88629,15 @@ index 47de2d681..c06395f39 100644 -/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0) -/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0) +/usr/lib/systemd/system/haproxy.* -- gen_context(system_u:object_r:haproxy_unit_file_t,s0) - + -/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) +/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0) - + -/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) +/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0) +/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0) - + -/var/log/cluster/.*\.*log <> +/var/log/cluster/.*\.*log <> /var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0) @@ -88648,7 +88648,7 @@ index 47de2d681..c06395f39 100644 -/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0) +/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0) +/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0) - + /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0) -/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0) 
@@ -88733,7 +88733,7 @@ index 47de2d681..c06395f39 100644 +/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) -+/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) ++/var/log/pacemaker\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if index c8bdea28d..0f8b732c4 100644 @@ -88742,7 +88742,7 @@ index c8bdea28d..0f8b732c4 100644 @@ -1,19 +1,19 @@ -## Red Hat Cluster Suite. +## RHCS - Red Hat Cluster Suite - + ####################################### ## -## The template to define a rhcs domain. @@ -88758,29 +88758,29 @@ index c8bdea28d..0f8b732c4 100644 ## # template(`rhcs_domain_template',` - gen_require(` + gen_require(` - attribute cluster_domain, cluster_pid, cluster_tmpfs; - attribute cluster_log; + attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log; - ') - - ############################## + ') + + ############################## 
@@ -43,11 +43,6 @@ template(`rhcs_domain_template',` - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) - + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) + - manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t) - append_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - create_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t) - logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) - - manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) + + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) @@ -56,20 +51,21 @@ template(`rhcs_domain_template',` - manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) - + manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) + - optional_policy(` - dbus_system_bus_client($1_t) - ') @@ -88790,7 +88790,7 @@ index c8bdea28d..0f8b732c4 100644 + + logging_send_syslog_msg($1_t) ') - + ###################################### ## -## Execute a domain transition to @@ -88807,7 +88807,7 @@ index c8bdea28d..0f8b732c4 100644 # interface(`rhcs_domtrans_dlm_controld',` @@ -83,8 +79,8 @@ interface(`rhcs_domtrans_dlm_controld',` - + ##################################### ## -## Get attributes of fenced 
@@ -88823,16 +88823,16 @@ index c8bdea28d..0f8b732c4 100644 # -interface(`rhcs_getattr_fenced_exec_files',` +interface(`rhcs_stream_connect_dlm_controld',` - gen_require(` + gen_require(` - type fenced_exec_t; + type dlm_controld_t, dlm_controld_var_run_t; - ') - + ') + - allow $1 fenced_exec_t:file getattr_file_perms; + files_search_pids($1) + stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) ') - + ##################################### ## -## Connect to dlm_controld with a @@ -88848,12 +88848,12 @@ index c8bdea28d..0f8b732c4 100644 # -interface(`rhcs_stream_connect_dlm_controld',` +interface(`rhcs_stream_connect_haproxy',` - gen_require(` + gen_require(` - type dlm_controld_t, dlm_controld_var_run_t; + type haproxy_t, haproxy_var_run_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) - stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) + stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t) +') @@ -88875,7 +88875,7 @@ index c8bdea28d..0f8b732c4 100644 + + allow $1 haproxy_t:process signull; ') - + ##################################### ## -## Read and write dlm_controld semaphores. @@ -88884,9 +88884,9 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -160,9 +175,27 @@ interface(`rhcs_domtrans_fenced',` - domtrans_pattern($1, fenced_exec_t, fenced_t) + domtrans_pattern($1, fenced_exec_t, fenced_t) ') - + +##################################### +## +## Allow a domain to getattr on fenced executable. @@ -88913,9 +88913,9 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -181,10 +214,9 @@ interface(`rhcs_rw_fenced_semaphores',` - manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) + manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) ') - + -#################################### +###################################### ## 
@@ -88931,16 +88931,16 @@ index c8bdea28d..0f8b732c4 100644 # -interface(`rhcs_stream_connect_cluster',` +interface(`rhcs_read_fenced_pid_files',` - gen_require(` + gen_require(` - attribute cluster_domain, cluster_pid; + type fenced_var_run_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) - stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) + read_files_pattern($1, fenced_var_run_t, fenced_var_run_t) ') - + ###################################### ## -## Connect to fenced with an unix @@ -88950,9 +88950,9 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -221,10 +252,28 @@ interface(`rhcs_stream_connect_fenced',` - stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) + stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) ') - + +###################################### +## +## Execute a domain transition to run fenced. @@ -88981,7 +88981,7 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -243,7 +292,7 @@ interface(`rhcs_domtrans_gfs_controld',` - + #################################### ## -## Read and write gfs_controld semaphores. @@ -88990,7 +88990,7 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -264,7 +313,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` - + ######################################## ## -## Read and write gfs_controld_t shared memory. @@ -88999,7 +88999,7 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -285,8 +334,7 @@ interface(`rhcs_rw_gfs_controld_shm',` - + ##################################### ## -## Connect to gfs_controld_t with @@ -89009,7 +89009,7 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -324,8 +372,8 @@ interface(`rhcs_domtrans_groupd',` - + ##################################### ## -## Connect to groupd with a unix @@ -89020,9 +89020,9 @@ index c8bdea28d..0f8b732c4 100644 ## ## 
@@ -342,10 +390,51 @@ interface(`rhcs_stream_connect_groupd',` - stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) + stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) ') - + +##################################### +## +## Allow read and write access to groupd semaphores. @@ -89074,12 +89074,12 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -362,12 +451,12 @@ interface(`rhcs_rw_cluster_shm',` - - fs_search_tmpfs($1) - manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) + + fs_search_tmpfs($1) + manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) + allow $1 cluster_tmpfs_t:file map; ') - + #################################### ## -## Read and write all cluster @@ -89089,9 +89089,9 @@ index c8bdea28d..0f8b732c4 100644 ## ## @@ -383,9 +472,10 @@ interface(`rhcs_rw_cluster_semaphores',` - allow $1 cluster_domain:sem { rw_sem_perms destroy }; + allow $1 cluster_domain:sem { rw_sem_perms destroy }; ') - + -##################################### +#################################### ## @@ -89107,16 +89107,16 @@ index c8bdea28d..0f8b732c4 100644 # -interface(`rhcs_rw_groupd_semaphores',` +interface(`rhcs_stream_connect_cluster',` - gen_require(` + gen_require(` - type groupd_t, groupd_tmpfs_t; + attribute cluster_domain, cluster_pid; - ') - + ') + - allow $1 groupd_t:sem { rw_sem_perms destroy }; + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) +') - + - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +##################################### @@ -89144,7 +89144,7 @@ index c8bdea28d..0f8b732c4 100644 + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, $2) ') - + ######################################## ## -## Read and write groupd shared memory. 
@@ -89158,21 +89158,21 @@ index c8bdea28d..0f8b732c4 100644 # -interface(`rhcs_rw_groupd_shm',` +interface(`rhcs_signull_cluster',` - gen_require(` + gen_require(` - type groupd_t, groupd_tmpfs_t; + type cluster_t; - ') - + ') + - allow $1 groupd_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) + allow $1 cluster_t:process signull; ') - + ###################################### @@ -446,52 +557,424 @@ interface(`rhcs_domtrans_qdiskd',` - + ######################################## ## -## All of the rules required to @@ -89209,20 +89209,20 @@ index c8bdea28d..0f8b732c4 100644 # -interface(`rhcs_admin',` +interface(`rhcs_read_cluster_lib_files',` - gen_require(` + gen_require(` - attribute cluster_domain, cluster_pid, cluster_tmpfs; - attribute cluster_log; - type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t; - type fenced_tmp_t, qdiskd_var_lib_t; + type cluster_var_lib_t; - ') - + ') + - allow $1 cluster_domain:process { ptrace signal_perms }; - ps_process_pattern($1, cluster_domain) + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - + - init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) - domain_system_change_exemption($1) - role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; @@ -89241,13 +89241,13 @@ index c8bdea28d..0f8b732c4 100644 + gen_require(` + type cluster_var_lib_t; + ') - + - files_search_pids($1) - admin_pattern($1, cluster_pid) + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - + - files_search_locks($1) - admin_pattern($1, fenced_lock_t) +#################################### 
@@ -89269,7 +89269,7 @@ index c8bdea28d..0f8b732c4 100644 + relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') - + - files_search_tmp($1) - admin_pattern($1, fenced_tmp_t) +###################################### @@ -89286,13 +89286,13 @@ index c8bdea28d..0f8b732c4 100644 + gen_require(` + type cluster_t, cluster_exec_t; + ') - + - files_search_var_lib($1) - admin_pattern($1, qdiskd_var_lib_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') - + - fs_search_tmpfs($1) - admin_pattern($1, cluster_tmpfs) +####################################### @@ -89619,7 +89619,7 @@ index c8bdea28d..0f8b732c4 100644 + gen_require(` + type var_log_t; + ') - + - logging_search_logs($1) - admin_pattern($1, cluster_log) + logging_log_named_filetrans($1, var_log_t, dir, "bundles") @@ -89631,7 +89631,7 @@ index 6cf79c449..0e8b031bb 100644 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) ## gen_tunable(fenced_can_ssh, false) - + +## +##

    +## Allow cluster administrative domains to connect to the network using TCP. @@ -89666,7 +89666,7 @@ index 6cf79c449..0e8b031bb 100644 attribute cluster_pid; @@ -44,34 +73,295 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) - + rhcs_domain_template(gfs_controld) +rhcs_domain_template(haproxy) + @@ -89678,11 +89678,11 @@ index 6cf79c449..0e8b031bb 100644 + rhcs_domain_template(groupd) rhcs_domain_template(qdiskd) - + type qdiskd_var_lib_t; files_type(qdiskd_var_lib_t) - -+# cluster_t is a new domain for administrative generic cluster services + ++# cluster_t is a new domain for administrative generic cluster services +# (rgmanager, corosync, hearbeat, cman, pacemaker) +rhcs_domain_template(cluster) + @@ -89712,7 +89712,7 @@ index 6cf79c449..0e8b031bb 100644 # # Common cluster domains local policy # - + allow cluster_domain self:capability sys_nice; -allow cluster_domain self:process setsched; +allow cluster_domain self:process { signal setsched }; @@ -89720,21 +89720,21 @@ index 6cf79c449..0e8b031bb 100644 allow cluster_domain self:fifo_file rw_fifo_file_perms; allow cluster_domain self:unix_stream_socket create_stream_socket_perms; allow cluster_domain self:unix_dgram_socket create_socket_perms; - + -logging_send_syslog_msg(cluster_domain) +manage_dirs_pattern(cluster_domain, cluster_log, cluster_log) +manage_files_pattern(cluster_domain, cluster_log, cluster_log) +manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log) - + -miscfiles_read_localization(cluster_domain) +tunable_policy(`cluster_use_execmem',` + allow cluster_domain self:process execmem; +') - + optional_policy(` - ccs_stream_connect(cluster_domain) + ccs_stream_connect(cluster_domain) ') - + optional_policy(` - corosync_stream_connect(cluster_domain) + dbus_system_bus_client(cluster_domain) @@ -89962,31 +89962,31 @@ index 6cf79c449..0e8b031bb 100644 +optional_policy(` + xen_domtrans_xm(cluster_t) ') - + ##################################### 
@@ -79,13 +369,16 @@ optional_policy(` # dlm_controld local policy # - + -allow dlm_controld_t self:capability { net_admin sys_admin sys_resource }; +allow dlm_controld_t self:capability { dac_read_search dac_override net_admin sys_admin sys_resource }; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; - + +allow dlm_controld_t cluster_t:process { signull }; + +files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir) + stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - + -kernel_read_system_state(dlm_controld_t) kernel_rw_net_sysctls(dlm_controld_t) - + corecmd_exec_bin(dlm_controld_t) @@ -98,16 +391,30 @@ fs_manage_configfs_dirs(dlm_controld_t) - + init_rw_script_tmp_files(dlm_controld_t) - + +logging_send_syslog_msg(dlm_controld_t) + +optional_policy(` @@ -90001,7 +90001,7 @@ index 6cf79c449..0e8b031bb 100644 # # fenced local policy # - + -allow fenced_t self:capability { sys_rawio sys_resource }; -allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; @@ -90011,35 +90011,35 @@ index 6cf79c449..0e8b031bb 100644 +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; allow fenced_t self:unix_stream_socket connectto; - + +can_exec(fenced_t, fenced_exec_t) + manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) - + @@ -118,9 +425,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) - + stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - + -can_exec(fenced_t, fenced_exec_t) - -kernel_read_system_state(fenced_t) +kernel_read_network_state(fenced_t) +kernel_read_fs_sysctls(fenced_t) - + corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) 
@@ -140,6 +446,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) - + corenet_sendrecv_zented_server_packets(fenced_t) corenet_tcp_bind_zented_port(fenced_t) +corenet_udp_bind_zented_port(fenced_t) +corenet_tcp_connect_zented_port(fenced_t) corenet_tcp_sendrecv_zented_port(fenced_t) - + corenet_sendrecv_http_client_packets(fenced_t) @@ -148,9 +456,8 @@ corenet_tcp_sendrecv_http_port(fenced_t) - + dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) - @@ -90047,51 +90047,51 @@ index 6cf79c449..0e8b031bb 100644 -files_read_usr_symlinks(fenced_t) +dev_read_rand(fenced_t) +dev_rw_lvm_control(fenced_t) - + storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) @@ -160,7 +467,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) - + -auth_use_nsswitch(fenced_t) +logging_send_syslog_msg(fenced_t) - + tunable_policy(`fenced_can_network_connect',` - corenet_sendrecv_all_client_packets(fenced_t) + corenet_sendrecv_all_client_packets(fenced_t) @@ -182,7 +489,8 @@ optional_policy(` ') - + optional_policy(` - corosync_exec(fenced_t) + rhcs_exec_cluster(fenced_t) + rhcs_rw_cluster_tmpfs(fenced_t) ') - + optional_policy(` @@ -190,12 +498,17 @@ optional_policy(` ') - + optional_policy(` - gnome_read_generic_home_content(fenced_t) + libs_exec_ldconfig(fenced_t) ') - + optional_policy(` - lvm_domtrans(fenced_t) - lvm_read_config(fenced_t) + lvm_domtrans(fenced_t) + lvm_read_config(fenced_t) + lvm_stream_connect(fenced_t) +') + +optional_policy(` + sanlock_domtrans(fenced_t) ') - + optional_policy(` @@ -203,6 +516,21 @@ optional_policy(` - snmp_manage_var_lib_dirs(fenced_t) + snmp_manage_var_lib_dirs(fenced_t) ') - + +optional_policy(` + virt_domtrans(fenced_t) + virt_read_config(fenced_t) @@ -90113,54 +90113,54 @@ index 6cf79c449..0e8b031bb 100644 
@@ -221,16 +549,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) - + +corenet_tcp_connect_snmp_port(foghorn_t) + dev_read_urand(foghorn_t) - + -files_read_usr_files(foghorn_t) +logging_send_syslog_msg(foghorn_t) - + optional_policy(` - dbus_connect_system_bus(foghorn_t) + dbus_connect_system_bus(foghorn_t) ') - + optional_policy(` - snmp_read_snmp_var_lib_files(foghorn_t) + snmp_manage_var_lib_files(foghorn_t) - snmp_stream_connect(foghorn_t) + snmp_stream_connect(foghorn_t) ') - + @@ -247,16 +577,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) - + -kernel_read_system_state(gfs_controld_t) - + dev_rw_dlm_control(gfs_controld_t) dev_setattr_dlm_control(gfs_controld_t) dev_rw_sysfs(gfs_controld_t) +storage_getattr_fixed_disk_dev(gfs_controld_t) + +fs_getattr_all_fs(gfs_controld_t) - + storage_getattr_removable_dev(gfs_controld_t) - + init_rw_script_tmp_files(gfs_controld_t) - + +logging_send_syslog_msg(gfs_controld_t) + optional_policy(` - lvm_exec(gfs_controld_t) - dev_rw_lvm_control(gfs_controld_t) + lvm_exec(gfs_controld_t) + dev_rw_lvm_control(gfs_controld_t) @@ -275,10 +609,59 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) - + dev_list_sysfs(groupd_t) - + -files_read_etc_files(groupd_t) - init_rw_script_tmp_files(groupd_t) - + +logging_send_syslog_msg(groupd_t) + +######################################## @@ -90218,19 +90218,19 @@ index 6cf79c449..0e8b031bb 100644 
@@ -292,7 +675,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) - + -kernel_read_system_state(qdiskd_t) kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) - + @@ -321,6 +703,8 @@ storage_raw_write_fixed_disk(qdiskd_t) - + auth_use_nsswitch(qdiskd_t) - + +logging_send_syslog_msg(qdiskd_t) + optional_policy(` - netutils_domtrans_ping(qdiskd_t) + netutils_domtrans_ping(qdiskd_t) ') diff --git a/rhev.fc b/rhev.fc new file mode 100644 @@ -90474,11 +90474,11 @@ index 1a134a72e..793a29f88 100644 @@ -1,4 +1,4 @@ -##

    Red Hat Graphical Boot. +## Red Hat Graphical Boot - + ######################################## ## @@ -18,7 +18,7 @@ interface(`rhgb_stub',` - + ######################################## ## -## Inherit and use rhgb file descriptors. @@ -90487,7 +90487,7 @@ index 1a134a72e..793a29f88 100644 ## ## @@ -54,7 +54,7 @@ interface(`rhgb_getpgid',` - + ######################################## ## -## Send generic signals to rhgb. @@ -90496,7 +90496,7 @@ index 1a134a72e..793a29f88 100644 ## ## @@ -72,8 +72,7 @@ interface(`rhgb_signal',` - + ######################################## ## -## Read and write inherited rhgb unix @@ -90506,7 +90506,7 @@ index 1a134a72e..793a29f88 100644 ## ## @@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',` - + ######################################## ## -## Connected to rhgb with a unix @@ -90518,19 +90518,19 @@ index 1a134a72e..793a29f88 100644 @@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',` # interface(`rhgb_stream_connect',` - gen_require(` + gen_require(` - type rhgb_t, rhgb_tmpfs_t; + type rhgb_t; - ') - + ') + - fs_search_tmpfs($1) - stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t) + allow $1 rhgb_t:unix_stream_socket connectto; ') - + ######################################## @@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',` - + ######################################## ## -## Read and write rhgb pty devices. @@ -90539,13 +90539,13 @@ index 1a134a72e..793a29f88 100644 ## ## @@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',` - type rhgb_devpts_t; - ') - + type rhgb_devpts_t; + ') + - dev_list_all_dev_nodes($1) - allow $1 rhgb_devpts_t:chr_file rw_term_perms; + allow $1 rhgb_devpts_t:chr_file rw_term_perms; ') - + ######################################## ## -## Do not audit attempts to read and @@ -90555,7 +90555,7 @@ index 1a134a72e..793a29f88 100644 ## ## 
@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',` - + ######################################## ## -## Read and write to rhgb tmpfs files. @@ -90564,12 +90564,12 @@ index 1a134a72e..793a29f88 100644 ## ## @@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',` - type rhgb_tmpfs_t; - ') - + type rhgb_tmpfs_t; + ') + - - fs_search_tmpfs($1) - allow $1 rhgb_tmpfs_t:file rw_file_perms; + fs_search_tmpfs($1) + allow $1 rhgb_tmpfs_t:file rw_file_perms; ') diff --git a/rhgb.te b/rhgb.te index 3f32e4bb3..f97ea42f8 100644 @@ -90578,15 +90578,15 @@ index 3f32e4bb3..f97ea42f8 100644 @@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t) corecmd_exec_bin(rhgb_t) corecmd_exec_shell(rhgb_t) - + -corenet_all_recvfrom_unlabeled(rhgb_t) corenet_all_recvfrom_netlabel(rhgb_t) corenet_tcp_sendrecv_generic_if(rhgb_t) corenet_tcp_sendrecv_generic_node(rhgb_t) @@ -57,11 +56,9 @@ dev_read_urand(rhgb_t) - + domain_use_interactive_fds(rhgb_t) - + -files_read_etc_files(rhgb_t) files_read_var_files(rhgb_t) files_read_etc_runtime_files(rhgb_t) @@ -90596,13 +90596,13 @@ index 3f32e4bb3..f97ea42f8 100644 files_dontaudit_rw_root_dir(rhgb_t) files_dontaudit_read_default_files(rhgb_t) @@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t) - + logging_send_syslog_msg(rhgb_t) - + -miscfiles_read_localization(rhgb_t) miscfiles_read_fonts(rhgb_t) miscfiles_dontaudit_write_fonts(rhgb_t) - + diff --git a/rhnsd.fc b/rhnsd.fc new file mode 100644 index 000000000..860a91df8 @@ -90803,13 +90803,13 @@ index 8c0280418..896c8c67f 100644 --- a/rhsmcertd.fc +++ b/rhsmcertd.fc @@ -2,6 +2,8 @@ - + /usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) - + +/usr/libexec/rhsmd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) + /var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) - + /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) diff --git a/rhsmcertd.if b/rhsmcertd.if index 6dbc905b3..42e4306c8 100644 
@@ -90818,7 +90818,7 @@ index 6dbc905b3..42e4306c8 100644 @@ -1,8 +1,8 @@ -## Subscription Management Certificate Daemon. +## Subscription Management Certificate Daemon policy - + ######################################## ## -## Execute rhsmcertd in the rhsmcertd domain. @@ -90827,7 +90827,7 @@ index 6dbc905b3..42e4306c8 100644 ## ## @@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',` - + ######################################## ## -## Execute rhsmcertd init scripts @@ -90842,7 +90842,7 @@ index 6dbc905b3..42e4306c8 100644 ## # @@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',` - + ######################################## ## -## Read rhsmcertd log files. @@ -90851,7 +90851,7 @@ index 6dbc905b3..42e4306c8 100644 ## ## @@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',` - + ######################################## ## -## Append rhsmcertd log files. @@ -90860,7 +90860,7 @@ index 6dbc905b3..42e4306c8 100644 ## ## @@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',` - + ######################################## ## -## Create, read, write, and delete @@ -90870,17 +90870,17 @@ index 6dbc905b3..42e4306c8 100644 ## ## @@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',` - type rhsmcertd_var_lib_t; - ') - + type rhsmcertd_var_lib_t; + ') + - files_search_var_lib($1) - allow $1 rhsmcertd_var_lib_t:dir search_dir_perms; + allow $1 rhsmcertd_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) ') - + ######################################## @@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',` - + ######################################## ## -## Create, read, write, and delete @@ -90890,7 +90890,7 @@ index 6dbc905b3..42e4306c8 100644 ## ## @@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',` - + ######################################## ## -## Create, read, write, and delete @@ -90900,7 +90900,7 @@ index 6dbc905b3..42e4306c8 100644 ## ## 
@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',` - + ######################################## ## -## Read rhsmcertd pid files. @@ -90909,9 +90909,9 @@ index 6dbc905b3..42e4306c8 100644 ## ## @@ -196,10 +192,47 @@ interface(`rhsmcertd_read_pid_files',` - allow $1 rhsmcertd_var_run_t:file read_file_perms; + allow $1 rhsmcertd_var_run_t:file read_file_perms; ') - + -#################################### +######################################## +## @@ -90984,10 +90984,10 @@ index 6dbc905b3..42e4306c8 100644 +## +# interface(`rhsmcertd_stream_connect',` - gen_require(` - type rhsmcertd_t, rhsmcertd_var_run_t; + gen_require(` + type rhsmcertd_t, rhsmcertd_var_run_t; @@ -239,30 +292,29 @@ interface(`rhsmcertd_dbus_chat',` - + ###################################### ## -## Do not audit attempts to send @@ -91014,13 +91014,13 @@ index 6dbc905b3..42e4306c8 100644 + type rhsmcertd_t; + class dbus send_msg; + ') - + - dontaudit $1 rhsmcertd_t:dbus send_msg; - dontaudit rhsmcertd_t $1:dbus send_msg; + dontaudit $1 rhsmcertd_t:dbus send_msg; + dontaudit rhsmcertd_t $1:dbus send_msg; ') - + ######################################## ## -## All of the rules required to @@ -91045,16 +91045,16 @@ index 6dbc905b3..42e4306c8 100644 # + interface(`rhsmcertd_admin',` - gen_require(` - type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; + gen_require(` + type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t; - type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t; + type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t; - ') - + ') + - allow $1 rhsmcertd_t:process { ptrace signal_perms }; + allow $1 rhsmcertd_t:process signal_perms; - ps_process_pattern($1, rhsmcertd_t) - + ps_process_pattern($1, rhsmcertd_t) + - rhsmcertd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 rhsmcertd_initrc_exec_t system_r; 
@@ -91062,19 +91062,19 @@ index 6dbc905b3..42e4306c8 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') - + - logging_search_logs($1) - admin_pattern($1, rhsmcertd_log_t) + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rhsmcertd_initrc_exec_t system_r; + allow $2 system_r; - + - files_search_var_lib($1) - admin_pattern($1, rhsmcertd_var_lib_t) + logging_search_logs($1) + admin_pattern($1, rhsmcertd_log_t) - + - files_search_pids($1) - admin_pattern($1, rhsmcertd_var_run_t) + files_search_var_lib($1) @@ -91085,7 +91085,7 @@ index 6dbc905b3..42e4306c8 100644 + + files_search_locks($1) + admin_pattern($1, rhsmcertd_lock_t) - + - files_search_locks($1) - admin_pattern($1, rhsmcertd_lock_t) ') @@ -91096,17 +91096,17 @@ index d32e1a279..a61e352c6 100644 @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) type rhsmcertd_lock_t; files_lock_file(rhsmcertd_lock_t) - + +type rhsmcertd_tmp_t; +files_tmp_file(rhsmcertd_tmp_t) + type rhsmcertd_var_lib_t; files_type(rhsmcertd_var_lib_t) - + @@ -29,19 +32,22 @@ files_pid_file(rhsmcertd_var_run_t) # Local policy # - + -allow rhsmcertd_t self:capability sys_nice; -allow rhsmcertd_t self:process { signal setsched }; +allow rhsmcertd_t self:capability { kill sys_nice }; 
@@ -91114,26 +91114,26 @@ index d32e1a279..a61e352c6 100644 + allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; - + manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) -append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) -create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) -setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) +manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t) - + manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) - + +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t) +manage_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t) +files_tmp_filetrans(rhsmcertd_t, rhsmcertd_tmp_t, { dir file }) + manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) - + @@ -50,25 +56,111 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) - + kernel_read_network_state(rhsmcertd_t) +kernel_read_net_sysctls(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) @@ -91145,15 +91145,15 @@ index d32e1a279..a61e352c6 100644 +corenet_tcp_connect_squid_port(rhsmcertd_t) +corenet_tcp_connect_netport_port(rhsmcertd_t) +corenet_tcp_connect_websm_port(rhsmcertd_t) - + corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) - + dev_read_sysfs(rhsmcertd_t) dev_read_rand(rhsmcertd_t) dev_read_urand(rhsmcertd_t) +dev_read_raw_memory(rhsmcertd_t) - + files_list_tmp(rhsmcertd_t) -files_read_etc_files(rhsmcertd_t) -files_read_usr_files(rhsmcertd_t) 
@@ -91168,9 +91168,9 @@ index d32e1a279..a61e352c6 100644 +auth_read_passwd(rhsmcertd_t) + +libs_exec_ldconfig(rhsmcertd_t) - + init_read_state(rhsmcertd_t) - + -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) +logging_send_syslog_msg(rhsmcertd_t) @@ -91179,9 +91179,9 @@ index d32e1a279..a61e352c6 100644 +miscfiles_manage_generic_cert_dirs(rhsmcertd_t) + +nis_use_ypbind(rhsmcertd_t) - + sysnet_dns_name_resolve(rhsmcertd_t) - + +ifdef(`hide_broken_symptoms',` + exec_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t) + exec_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) @@ -91255,7 +91255,7 @@ index 2ab3ed1d4..23d579cde 100644 @@ -1,13 +1,13 @@ -## Ricci cluster management agent. +## Ricci cluster management agent - + ######################################## ## ## Execute a domain transition to run ricci. @@ -91270,13 +91270,13 @@ index 2ab3ed1d4..23d579cde 100644 # interface(`ricci_domtrans',` @@ -15,19 +15,35 @@ interface(`ricci_domtrans',` - type ricci_t, ricci_exec_t; - ') - + type ricci_t, ricci_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, ricci_exec_t, ricci_t) + domtrans_pattern($1, ricci_exec_t, ricci_t) ') - + -######################################## +####################################### ## @@ -91311,13 +91311,13 @@ index 2ab3ed1d4..23d579cde 100644 # interface(`ricci_domtrans_modcluster',` @@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',` - type ricci_modcluster_t, ricci_modcluster_exec_t; - ') - + type ricci_modcluster_t, ricci_modcluster_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) + domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t) ') - + ######################################## ## ## Do not audit attempts to use @@ -91336,13 +91336,13 @@ index 2ab3ed1d4..23d579cde 100644 ## ## 
@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` - type ricci_modcluster_t; - ') - + type ricci_modcluster_t; + ') + - dontaudit $1 ricci_modcluster_t:fifo_file { read write }; + dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## ## -## Connect to ricci_modclusterd with @@ -91352,7 +91352,7 @@ index 2ab3ed1d4..23d579cde 100644 ## ## @@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',` - + ######################################## ## -## Execute a domain transition to @@ -91381,13 +91381,13 @@ index 2ab3ed1d4..23d579cde 100644 ## ## @@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',` - type ricci_modlog_t, ricci_modlog_exec_t; - ') - + type ricci_modlog_t, ricci_modlog_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) + domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t) ') - + ######################################## ## -## Execute a domain transition to @@ -91397,13 +91397,13 @@ index 2ab3ed1d4..23d579cde 100644 ## ## @@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',` - type ricci_modrpm_t, ricci_modrpm_exec_t; - ') - + type ricci_modrpm_t, ricci_modrpm_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) + domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t) ') - + ######################################## ## -## Execute a domain transition to @@ -91413,13 +91413,13 @@ index 2ab3ed1d4..23d579cde 100644 ## ## @@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',` - type ricci_modservice_t, ricci_modservice_exec_t; - ') - + type ricci_modservice_t, ricci_modservice_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) + domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t) ') - + ######################################## ## -## Execute a domain transition to 
@@ -91429,13 +91429,13 @@ index 2ab3ed1d4..23d579cde 100644 ## ## @@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',` - type ricci_modstorage_t, ricci_modstorage_exec_t; - ') - + type ricci_modstorage_t, ricci_modstorage_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) + domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') - + +#################################### +## +## Allow the specified domain to manage ricci's lib files. @@ -91466,54 +91466,54 @@ index 2ab3ed1d4..23d579cde 100644 ## ## @@ -200,10 +245,13 @@ interface(`ricci_admin',` - type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; - ') - + type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; + ') + - allow $1 ricci_t:process { ptrace signal_perms }; + allow $1 ricci_t:process signal_perms; - ps_process_pattern($1, ricci_t) + ps_process_pattern($1, ricci_t) + tunable_policy(`deny_ptrace',`',` + allow $1 ricci_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, ricci_initrc_exec_t) + ricci_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ricci_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 ricci_initrc_exec_t system_r; + allow $2 system_r; diff --git a/ricci.te b/ricci.te index 0ba2569a5..161850d41 100644 --- a/ricci.te +++ b/ricci.te @@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t) - + corecmd_exec_bin(ricci_t) - + -corenet_all_recvfrom_unlabeled(ricci_t) corenet_all_recvfrom_netlabel(ricci_t) corenet_tcp_sendrecv_generic_if(ricci_t) corenet_tcp_sendrecv_generic_node(ricci_t) @@ -136,7 +135,6 @@ dev_read_urand(ricci_t) - + domain_read_all_domains_state(ricci_t) - + -files_read_etc_files(ricci_t) files_read_etc_runtime_files(ricci_t) files_create_boot_flag(ricci_t) - + 
@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t) - + logging_send_syslog_msg(ricci_t) - + -miscfiles_read_localization(ricci_t) +systemd_start_power_services(ricci_t) - + sysnet_dns_name_resolve(ricci_t) - + @@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t) - + logging_send_syslog_msg(ricci_modcluster_t) - + -miscfiles_read_localization(ricci_modcluster_t) - -ricci_stream_connect_modclusterd(ricci_modcluster_t) @@ -91523,106 +91523,106 @@ index 0ba2569a5..161850d41 100644 - corosync_stream_connect(ricci_modcluster_t) + ricci_stream_connect_modclusterd(ricci_modcluster_t) ') - + optional_policy(` @@ -271,7 +264,7 @@ optional_policy(` ') - + optional_policy(` - rgmanager_stream_connect(ricci_modcluster_t) + rhcs_stream_connect_cluster(ricci_modcluster_t) ') - + ######################################## @@ -336,15 +329,8 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t) - + logging_send_syslog_msg(ricci_modclusterd_t) - + -miscfiles_read_localization(ricci_modclusterd_t) - sysnet_domtrans_ifconfig(ricci_modclusterd_t) - + -optional_policy(` - aisexec_stream_connect(ricci_modclusterd_t) - corosync_stream_connect(ricci_modclusterd_t) -') - optional_policy(` - ccs_domtrans(ricci_modclusterd_t) - ccs_stream_connect(ricci_modclusterd_t) + ccs_domtrans(ricci_modclusterd_t) + ccs_stream_connect(ricci_modclusterd_t) @@ -352,7 +338,7 @@ optional_policy(` ') - + optional_policy(` - rgmanager_stream_connect(ricci_modclusterd_t) + rhcs_stream_connect_cluster(ricci_modclusterd_t) ') - + optional_policy(` @@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t) - + domain_read_all_domains_state(ricci_modlog_t) - + -files_read_etc_files(ricci_modlog_t) files_search_usr(ricci_modlog_t) - + logging_read_generic_logs(ricci_modlog_t) - + -miscfiles_read_localization(ricci_modlog_t) - + optional_policy(` - nscd_dontaudit_search_pid(ricci_modlog_t) + nscd_dontaudit_search_pid(ricci_modlog_t) 
@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t) corecmd_exec_bin(ricci_modrpm_t) - + files_search_usr(ricci_modrpm_t) -files_read_etc_files(ricci_modrpm_t) - + -miscfiles_read_localization(ricci_modrpm_t) +logging_send_syslog_msg(ricci_modrpm_t) - + optional_policy(` - oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) + oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t) @@ -418,7 +401,7 @@ optional_policy(` # Modservice local policy # - + -allow ricci_modservice_t self:capability { dac_override sys_nice }; +allow ricci_modservice_t self:capability {dac_read_search dac_override sys_nice }; allow ricci_modservice_t self:process setsched; allow ricci_modservice_t self:fifo_file rw_fifo_file_perms; - + @@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t) corecmd_exec_bin(ricci_modservice_t) corecmd_exec_shell(ricci_modservice_t) - + -files_read_etc_files(ricci_modservice_t) files_read_etc_runtime_files(ricci_modservice_t) files_search_usr(ricci_modservice_t) files_manage_etc_symlinks(ricci_modservice_t) - + init_domtrans_script(ricci_modservice_t) - + -miscfiles_read_localization(ricci_modservice_t) +logging_send_syslog_msg(ricci_modservice_t) - + optional_policy(` - ccs_read_config(ricci_modservice_t) + ccs_read_config(ricci_modservice_t) @@ -460,7 +442,6 @@ optional_policy(` - + allow ricci_modstorage_t self:capability { mknod sys_nice }; allow ricci_modstorage_t self:process { setsched signal }; -dontaudit ricci_modstorage_t self:process ptrace; allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; - + kernel_read_kernel_sysctls(ricci_modstorage_t) 
@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t) - + files_manage_etc_files(ricci_modstorage_t) files_read_etc_runtime_files(ricci_modstorage_t) -files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) - + +files_create_default_dir(ricci_modstorage_t) +files_root_filetrans_default(ricci_modstorage_t, dir) +files_mounton_default(ricci_modstorage_t) @@ -91630,22 +91630,22 @@ index 0ba2569a5..161850d41 100644 +files_manage_default_files(ricci_modstorage_t) + storage_raw_read_fixed_disk(ricci_modstorage_t) - + term_dontaudit_use_console(ricci_modstorage_t) - + -logging_send_syslog_msg(ricci_modstorage_t) - -miscfiles_read_localization(ricci_modstorage_t) +auth_use_nsswitch(ricci_modstorage_t) - + -optional_policy(` - aisexec_stream_connect(ricci_modstorage_t) - corosync_stream_connect(ricci_modstorage_t) -') +logging_send_syslog_msg(ricci_modstorage_t) - + optional_policy(` - ccs_stream_connect(ricci_modstorage_t) + ccs_stream_connect(ricci_modstorage_t) diff --git a/rkhunter.fc b/rkhunter.fc new file mode 100644 index 000000000..645a9cc1a @@ -91719,9 +91719,9 @@ index f11187720..e361ee9e2 100644 +HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0) +/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0) - + /usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0) - + diff --git a/rlogin.if b/rlogin.if index 050479dea..0e1b364fb 100644 --- a/rlogin.if @@ -91732,9 +91732,9 @@ index 050479dea..0e1b364fb 100644 # -template(`rlogin_read_home_content',` +interface(`rlogin_read_home_content',` - gen_require(` - type rlogind_home_t; - ') + gen_require(` + type rlogind_home_t; + ') diff --git a/rlogin.te b/rlogin.te index ee2794858..34d2ee96f 100644 --- a/rlogin.te @@ -91742,7 +91742,7 @@ index ee2794858..34d2ee96f 100644 
@@ -31,10 +31,12 @@ files_pid_file(rlogind_var_run_t) # Local policy # - + -allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override }; allow rlogind_t self:process signal_perms; @@ -91751,21 +91751,21 @@ index ee2794858..34d2ee96f 100644 +allow rlogind_t self:tcp_socket connected_stream_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - + allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(rlogind_t, rlogind_devpts_t) @@ -45,7 +47,6 @@ allow rlogind_t rlogind_keytab_t:file read_file_perms; - + manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) -files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file }) - + manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) @@ -56,7 +57,6 @@ kernel_read_kernel_sysctls(rlogind_t) kernel_read_system_state(rlogind_t) kernel_read_network_state(rlogind_t) - + -corenet_all_recvfrom_unlabeled(rlogind_t) corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) @@ -91773,30 +91773,30 @@ index ee2794858..34d2ee96f 100644 @@ -65,6 +65,10 @@ corenet_sendrecv_rlogind_server_packets(rlogind_t) corenet_tcp_bind_rlogind_port(rlogind_t) corenet_tcp_sendrecv_rlogind_port(rlogind_t) - + +corenet_sendrecv_rlogin_server_packets(rlogind_t) +corenet_tcp_bind_rlogin_port(rlogind_t) +corenet_tcp_sendrecv_rlogin_port(rlogind_t) + dev_read_urand(rlogind_t) - + domain_interactive_fd(rlogind_t) 
@@ -73,6 +77,7 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) - + auth_domtrans_chk_passwd(rlogind_t) +auth_signal_chk_passwd(rlogind_t) auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) - + @@ -83,29 +88,23 @@ init_rw_utmp(rlogind_t) - + logging_send_syslog_msg(rlogind_t) - + -miscfiles_read_localization(rlogind_t) - seutil_read_config(rlogind_t) - + userdom_search_user_home_dirs(rlogind_t) userdom_setattr_user_ptys(rlogind_t) +# cjp: this is egregious @@ -91806,7 +91806,7 @@ index ee2794858..34d2ee96f 100644 +userdom_tmp_filetrans_user_tmp(rlogind_t, file) userdom_use_user_terminals(rlogind_t) +userdom_home_reader(rlogind_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_list_nfs(rlogind_t) - fs_read_nfs_files(rlogind_t) @@ -91819,13 +91819,13 @@ index ee2794858..34d2ee96f 100644 - fs_read_cifs_symlinks(rlogind_t) -') +rlogin_read_home_content(rlogind_t) - + optional_policy(` - kerberos_read_keytab(rlogind_t) + kerberos_read_keytab(rlogind_t) - kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0") - kerberos_manage_host_rcache(rlogind_t) - kerberos_use(rlogind_t) + kerberos_manage_host_rcache(rlogind_t) + kerberos_use(rlogind_t) ') diff --git a/rngd.fc b/rngd.fc index fa19aa8de..90eb481c1 100644 @@ -91833,11 +91833,11 @@ index fa19aa8de..90eb481c1 100644 +++ b/rngd.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0) - + +/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0) + /usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) - + /var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0) diff --git a/rngd.if b/rngd.if index 13f788fd5..10e203301 100644 @@ -91845,7 +91845,7 @@ index 13f788fd5..10e203301 100644 +++ b/rngd.if 
@@ -1,5 +1,28 @@ ## Check and feed random data from hardware device to kernel random device. - + +######################################## +## +## Execute rngd in the rngd domain. @@ -91878,26 +91878,26 @@ index 13f788fd5..10e203301 100644 # -interface(`rngd_admin',` +interface(`rng_admin',` - gen_require(` + gen_require(` - type rngd_t, rngd_initrc_exec_t, rngd_var_run_t; + type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t; - ') - + ') + - allow $1 rngd_t:process { ptrace signal_perms }; + allow $1 rngd_t:process signal_perms; - ps_process_pattern($1, rngd_t) - + ps_process_pattern($1, rngd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 rngd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, rngd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rngd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, rngd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 rngd_initrc_exec_t system_r; @@ -32,4 +59,8 @@ interface(`rngd_admin',` - - files_search_pids($1) - admin_pattern($1, rngd_var_run_t) + + files_search_pids($1) + admin_pattern($1, rngd_var_run_t) + + rng_systemctl_rngd($1) + admin_pattern($1, rngd_unit_file_t) @@ -91910,13 +91910,13 @@ index a7b7717b7..6023a77e9 100644 @@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t) type rngd_initrc_exec_t; init_script_file(rngd_initrc_exec_t) - + +type rngd_unit_file_t; +systemd_unit_file(rngd_unit_file_t) + type rngd_var_run_t; files_pid_file(rngd_var_run_t) - + @@ -34,9 +37,10 @@ dev_read_rand(rngd_t) dev_read_urand(rngd_t) dev_rw_tpm(rngd_t) @@ -91924,9 +91924,9 @@ index a7b7717b7..6023a77e9 100644 - -files_read_etc_files(rngd_t) +dev_read_sysfs(rngd_t) - + logging_send_syslog_msg(rngd_t) - + -miscfiles_read_localization(rngd_t) +miscfiles_read_certs(rngd_t) + @@ -92124,46 +92124,46 @@ index 975bb6a45..ce4f5ead8 100644 --- a/roundup.if +++ b/roundup.if 
@@ -23,8 +23,11 @@ interface(`roundup_admin',` - type roundup_initrc_exec_t; - ') - + type roundup_initrc_exec_t; + ') + - allow $1 roundup_t:process { ptrace signal_perms }; + allow $1 roundup_t:process signal_perms; - ps_process_pattern($1, roundup_t) + ps_process_pattern($1, roundup_t) + tunable_policy(`deny_ptrace',`',` + allow $1 roundup_t:process ptrace; + ') - - init_labeled_script_domtrans($1, roundup_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, roundup_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/roundup.te b/roundup.te index ccb5991ed..189ac011c 100644 --- a/roundup.te +++ b/roundup.te @@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t) - + corecmd_exec_bin(roundup_t) - + -corenet_all_recvfrom_unlabeled(roundup_t) corenet_all_recvfrom_netlabel(roundup_t) corenet_tcp_sendrecv_generic_if(roundup_t) corenet_tcp_sendrecv_generic_node(roundup_t) @@ -60,16 +59,11 @@ dev_read_urand(roundup_t) - + domain_use_interactive_fds(roundup_t) - + -files_read_etc_files(roundup_t) -files_read_usr_files(roundup_t) - fs_getattr_all_fs(roundup_t) fs_search_auto_mountpoints(roundup_t) - + logging_send_syslog_msg(roundup_t) - + -miscfiles_read_localization(roundup_t) - sysnet_dns_name_resolve(roundup_t) - + userdom_dontaudit_use_unpriv_user_fds(roundup_t) diff --git a/rpc.fc b/rpc.fc index a6fb30cb3..b08ec8d2d 100644 @@ -92171,11 +92171,11 @@ index a6fb30cb3..b08ec8d2d 100644 +++ b/rpc.fc @@ -1,12 +1,29 @@ -/etc/exports -- gen_context(system_u:object_r:exports_t,s0) - + -/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - + -/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0) -/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) +# 
@@ -92185,7 +92185,7 @@ index a6fb30cb3..b08ec8d2d 100644 +/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - + +/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) + @@ -92208,10 +92208,10 @@ index a6fb30cb3..b08ec8d2d 100644 @@ -16,7 +33,15 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - + -/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) +/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) - + +# +# /var +# @@ -92230,7 +92230,7 @@ index 0bf13c220..2ee527f2a 100644 @@ -1,4 +1,4 @@ -## Remote Procedure Call Daemon. +## Remote Procedure Call Daemon for managment of network based process communication - + ######################################## ## @@ -20,15 +20,21 @@ interface(`rpc_stub',` @@ -92252,36 +92252,36 @@ index 0bf13c220..2ee527f2a 100644 ## # template(`rpc_domain_template',` - gen_require(` + gen_require(` - attribute rpc_domain; + attribute rpc_domain; - ') - - ######################################## + ') + + ######################################## @@ -42,12 +48,19 @@ template(`rpc_domain_template',` - - domain_use_interactive_fds($1_t) - + + domain_use_interactive_fds($1_t) + - ######################################## + #################################### - # + # - # Policy + # Local Policy - # - + # + + kernel_read_system_state($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) + - auth_use_nsswitch($1_t) + auth_use_nsswitch($1_t) + + logging_send_syslog_msg($1_t) ') - + ######################################## 
@@ -66,8 +79,8 @@ interface(`rpc_udp_send',` - + ######################################## ## -## Do not audit attempts to get @@ -92292,13 +92292,13 @@ index 0bf13c220..2ee527f2a 100644 ## ## @@ -80,12 +93,12 @@ interface(`rpc_dontaudit_getattr_exports',` - type exports_t; - ') - + type exports_t; + ') + - dontaudit $1 exports_t:file getattr; + dontaudit $1 exports_t:file getattr_file_perms; ') - + ######################################## ## -## Read export files. @@ -92307,7 +92307,7 @@ index 0bf13c220..2ee527f2a 100644 ## ## @@ -103,7 +116,7 @@ interface(`rpc_read_exports',` - + ######################################## ## -## Write export files. @@ -92316,13 +92316,13 @@ index 0bf13c220..2ee527f2a 100644 ## ## @@ -116,12 +129,12 @@ interface(`rpc_write_exports',` - type exports_t; - ') - + type exports_t; + ') + - allow $1 exports_t:file write; + allow $1 exports_t:file write_file_perms; ') - + ######################################## ## -## Execute nfsd in the nfsd domain. @@ -92331,13 +92331,13 @@ index 0bf13c220..2ee527f2a 100644 ## ## @@ -134,14 +147,12 @@ interface(`rpc_domtrans_nfsd',` - type nfsd_t, nfsd_exec_t; - ') - + type nfsd_t, nfsd_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, nfsd_exec_t, nfsd_t) + domtrans_pattern($1, nfsd_exec_t, nfsd_t) ') - + ####################################### ## -## Execute nfsd init scripts in @@ -92347,7 +92347,7 @@ index 0bf13c220..2ee527f2a 100644 ## ## @@ -159,7 +170,7 @@ interface(`rpc_initrc_domtrans_nfsd',` - + ######################################## ## -## Execute rpcd in the rpcd domain. @@ -92361,12 +92361,12 @@ index 0bf13c220..2ee527f2a 100644 # -interface(`rpc_domtrans_rpcd',` +interface(`rpc_systemctl_nfsd',` - gen_require(` + gen_require(` - type rpcd_t, rpcd_exec_t; + type nfsd_unit_file_t; + type nfsd_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, rpcd_exec_t, rpcd_t) + systemd_exec_systemctl($1) 
@@ -92376,7 +92376,7 @@ index 0bf13c220..2ee527f2a 100644 + + ps_process_pattern($1, nfsd_t) ') - + -####################################### +######################################## ## @@ -92393,15 +92393,15 @@ index 0bf13c220..2ee527f2a 100644 # -interface(`rpc_initrc_domtrans_rpcd',` +interface(`rpc_kill_rpcd',` - gen_require(` + gen_require(` - type rpcd_initrc_exec_t; + type rpcd_t; - ') - + ') + - init_labeled_script_domtrans($1, rpcd_initrc_exec_t) + allow $1 rpcd_t:process sigkill; ') - + ######################################## ## -## Read nfs exported content. @@ -92417,18 +92417,18 @@ index 0bf13c220..2ee527f2a 100644 # -interface(`rpc_read_nfs_content',` +interface(`rpc_domtrans_rpcd',` - gen_require(` + gen_require(` - type nfsd_ro_t, nfsd_rw_t; + type rpcd_t, rpcd_exec_t; - ') - + ') + - allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; - allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms; + domtrans_pattern($1, rpcd_exec_t, rpcd_t) + allow rpcd_t $1:process signal; ') - + ######################################## ## -## Create, read, write, and delete @@ -92451,18 +92451,18 @@ index 0bf13c220..2ee527f2a 100644 # -interface(`rpc_manage_nfs_rw_content',` +interface(`rpc_run_rpcd',` - gen_require(` + gen_require(` - type nfsd_rw_t; + type rpcd_t; - ') - + ') + - manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t) - manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t) + rpc_domtrans_rpcd($1) + role $2 types rpcd_t; ') - + -######################################## +####################################### ## 
@@ -92480,17 +92480,17 @@ index 0bf13c220..2ee527f2a 100644 # -interface(`rpc_manage_nfs_ro_content',` +interface(`rpc_initrc_domtrans_rpcd',` - gen_require(` + gen_require(` - type nfsd_ro_t; + type rpcd_initrc_exec_t; - ') - + ') + - manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t) - manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t) + init_labeled_script_domtrans($1, rpcd_initrc_exec_t) ') - + ######################################## ## -## Read and write to nfsd tcp sockets. @@ -92505,12 +92505,12 @@ index 0bf13c220..2ee527f2a 100644 # -interface(`rpc_tcp_rw_nfs_sockets',` +interface(`rpc_systemctl_rpcd',` - gen_require(` + gen_require(` - type nfsd_t; + type rpcd_unit_file_t; + type rpcd_t; - ') - + ') + - allow $1 nfsd_t:tcp_socket rw_socket_perms; + systemd_exec_systemctl($1) + init_reload_services($1) @@ -92519,7 +92519,7 @@ index 0bf13c220..2ee527f2a 100644 + + ps_process_pattern($1, rpcd_t) ') - + ######################################## ## -## Read and write to nfsd udp sockets. @@ -92528,7 +92528,7 @@ index 0bf13c220..2ee527f2a 100644 ## ## @@ -312,7 +331,7 @@ interface(`rpc_udp_send_nfs',` - + ######################################## ## -## Search nfs lib directories. @@ -92537,9 +92537,9 @@ index 0bf13c220..2ee527f2a 100644 ## ## @@ -326,12 +345,50 @@ interface(`rpc_search_nfs_state_data',` - ') - - files_search_var_lib($1) + ') + + files_search_var_lib($1) - allow $1 var_lib_nfs_t:dir search; + allow $1 var_lib_nfs_t:dir search_dir_perms; +') @@ -92581,7 +92581,7 @@ index 0bf13c220..2ee527f2a 100644 + files_search_var_lib($1) + allow $1 var_lib_nfs_t:dir manage_dir_perms; ') - + ######################################## ## -## Read nfs lib files. @@ -92590,12 +92590,12 @@ index 0bf13c220..2ee527f2a 100644 ## ## 
@@ -346,12 +403,12 @@ interface(`rpc_read_nfs_state_data',` - - files_search_var_lib($1) - read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + + files_search_var_lib($1) + read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -92605,12 +92605,12 @@ index 0bf13c220..2ee527f2a 100644 ## ## @@ -366,31 +423,68 @@ interface(`rpc_manage_nfs_state_data',` - - files_search_var_lib($1) - manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + + files_search_var_lib($1) + manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) + allow $1 var_lib_nfs_t:file relabel_file_perms; ') - + ######################################## ## -## All of the rules required to @@ -92671,25 +92671,25 @@ index 0bf13c220..2ee527f2a 100644 interface(`rpc_admin',` - gen_require(` + gen_require(` - attribute rpc_domain; - type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; - type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; + attribute rpc_domain; + type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; + type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; - type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t; + type nfsd_rw_t, gssd_keytab_t; - ') - - allow $1 rpc_domain:process { ptrace signal_perms }; + ') + + allow $1 rpc_domain:process { ptrace signal_perms }; @@ -411,10 +505,49 @@ interface(`rpc_admin',` - admin_pattern($1, rpcd_var_run_t) - - files_list_all($1) + admin_pattern($1, rpcd_var_run_t) + + files_list_all($1) - admin_pattern($1, { nfsd_ro_t nfsd_rw_t }) + admin_pattern($1, nfsd_rw_t ) - - files_list_tmp($1) - admin_pattern($1, gssd_tmp_t) - - fs_search_nfsd_fs($1) + + files_list_tmp($1) + admin_pattern($1, gssd_tmp_t) + + fs_search_nfsd_fs($1) ') + +######################################## @@ -92736,7 +92736,7 @@ index 2da9fca2f..f4df4fda2 100644 +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) # - + ## -##

    -## Determine whether gssd can read @@ -92748,7 +92748,7 @@ index 2da9fca2f..f4df4fda2 100644 ## -gen_tunable(allow_gssd_read_tmp, false) +gen_tunable(gssd_read_tmp, true) - + ## -##

    -## Determine whether nfs can modify @@ -92771,28 +92771,28 @@ index 2da9fca2f..f4df4fda2 100644 +##

    +##
    +gen_tunable(rpcd_use_fusefs, false) - + attribute rpc_domain; - + @@ -39,25 +44,34 @@ files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) - + +# rpcd_t is the domain of rpc daemons. +# rpc_exec_t is the type of rpc daemon programs. rpc_domain_template(rpcd) - + type rpcd_initrc_exec_t; init_script_file(rpcd_initrc_exec_t) - + +type rpcd_unit_file_t; +systemd_unit_file(rpcd_unit_file_t) + rpc_domain_template(nfsd) - + type nfsd_initrc_exec_t; init_script_file(nfsd_initrc_exec_t) - + -type nfsd_rw_t; -files_type(nfsd_rw_t) - @@ -92800,10 +92800,10 @@ index 2da9fca2f..f4df4fda2 100644 -files_type(nfsd_ro_t) +type nfsd_unit_file_t; +systemd_unit_file(nfsd_unit_file_t) - + type var_lib_nfs_t; files_mountpoint(var_lib_nfs_t) - + +type nfsd_tmp_t; +files_tmp_file(nfsd_tmp_t) + @@ -92817,15 +92817,15 @@ index 2da9fca2f..f4df4fda2 100644 @@ -71,7 +85,6 @@ allow rpc_domain self:tcp_socket { accept listen }; manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t) - + -kernel_read_system_state(rpc_domain) kernel_read_kernel_sysctls(rpc_domain) kernel_rw_rpc_sysctls(rpc_domain) - + @@ -79,8 +92,6 @@ dev_read_sysfs(rpc_domain) dev_read_urand(rpc_domain) dev_read_rand(rpc_domain) - + -corenet_all_recvfrom_unlabeled(rpc_domain) -corenet_all_recvfrom_netlabel(rpc_domain) corenet_tcp_sendrecv_generic_if(rpc_domain) @@ -92834,51 +92834,51 @@ index 2da9fca2f..f4df4fda2 100644 
@@ -108,41 +119,45 @@ files_read_etc_runtime_files(rpc_domain) files_read_usr_files(rpc_domain) files_list_home(rpc_domain) - + -logging_send_syslog_msg(rpc_domain) - -miscfiles_read_localization(rpc_domain) - userdom_dontaudit_use_unpriv_user_fds(rpc_domain) - + optional_policy(` - rpcbind_stream_connect(rpc_domain) + rpcbind_stream_connect(rpc_domain) ') - + optional_policy(` - seutil_sigchld_newrole(rpc_domain) + seutil_sigchld_newrole(rpc_domain) ') - + optional_policy(` - udev_read_db(rpc_domain) + udev_read_db(rpc_domain) ') - + ######################################## # -# Local policy +# RPC local policy # - + -allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid }; +allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search dac_override setgid setuid }; allow rpcd_t self:capability2 block_suspend; + allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; - + +allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms; manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) - + +read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t) + +# rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) - + +kernel_read_system_state(rpcd_t) +kernel_write_proc_files(rpcd_t) kernel_read_network_state(rpcd_t) @@ -92887,19 +92887,19 @@ index 2da9fca2f..f4df4fda2 100644 kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) @@ -163,13 +178,21 @@ fs_getattr_all_fs(rpcd_t) - + storage_getattr_fixed_disk_dev(rpcd_t) - + +init_read_utmp(rpcd_t) + selinux_dontaudit_read_fs(rpcd_t) - + miscfiles_read_generic_certs(rpcd_t) - + -seutil_dontaudit_search_config(rpcd_t) +userdom_signal_unpriv_users(rpcd_t) +userdom_read_user_home_content_files(rpcd_t) - + -userdom_signal_all_users(rpcd_t) +tunable_policy(`rpcd_use_fusefs',` + fs_manage_fusefs_dirs(rpcd_t) 
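Review bot: The new-side rules `kernel_write_proc_files(rpcd_t)` and `userdom_read_user_home_content_files(rpcd_t)` carry no comment saying which rpc daemon needs them, unlike the neighbouring `# rpc.statd executes sm-notify`; this hunk's own edit looks whitespace-only, but these lines are what the patch now ships. Reading every user's home content from the shared rpcd_t domain is a broad grant and writing proc files is unusual for a daemon in this domain, so each deserves a one-line why-comment naming the daemon and operation, e.g. `# TODO(review): document which rpc daemon needs to write proc files`. If the home-content read is only required in some deployments, the `rpcd_use_fusefs` tunable_policy block at the end of this hunk shows the pattern for gating it behind a boolean.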
@@ -92907,13 +92907,13 @@ index 2da9fca2f..f4df4fda2 100644 + fs_read_fusefs_symlinks(rpcd_t) + fs_getattr_fusefs(rpcd_t) +') - + ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(rpcd_t) + term_dontaudit_use_unallocated_ttys(rpcd_t) @@ -180,20 +203,28 @@ optional_policy(` - automount_dontaudit_write_pipes(rpcd_t) + automount_dontaudit_write_pipes(rpcd_t) ') - + +optional_policy(` + domain_unconfined_signal(rpcd_t) +') @@ -92923,37 +92923,37 @@ index 2da9fca2f..f4df4fda2 100644 +') + optional_policy(` - nis_read_ypserv_config(rpcd_t) + nis_read_ypserv_config(rpcd_t) ') - + optional_policy(` - quota_manage_db_files(rpcd_t) + quota_read_db(rpcd_t) ') - + optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) + rhcs_manage_cluster_tmp_files(rpcd_t) ') - + optional_policy(` - unconfined_signal(rpcd_t) + samba_stream_connect_nmbd(rpcd_t) ') - + ######################################## @@ -201,42 +232,70 @@ optional_policy(` # NFSD local policy # - + -allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; +allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource }; + +allow nfsd_t self:process { setcap }; - + allow nfsd_t exports_t:file read_file_perms; -allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; - + +manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) +manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) +files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir }) @@ -92975,7 +92975,7 @@ index 2da9fca2f..f4df4fda2 100644 +kernel_rw_fs_sysctls(nfsd_t) + +corecmd_exec_shell(nfsd_t) - + -corenet_sendrecv_nfs_server_packets(nfsd_t) +corenet_tcp_bind_all_rpc_ports(nfsd_t) +corenet_udp_bind_all_rpc_ports(nfsd_t) 
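Review bot: The nfsd_t capability set on the new side now includes `sys_rawio`, and the following hunk `@@ -93007,35 +93007,35 @@` replaces `storage_dontaudit_read_fixed_disk(nfsd_t)` with `storage_raw_read_fixed_disk(nfsd_t)`; together these let the NFS server domain read whole fixed disks below the filesystem, where per-file labels no longer constrain access. Neither line says which nfsd component needs raw disk access, and the hunk's own edit appears to be whitespace-only. Add a why-comment on the capability line and on the storage rule naming the consumer, e.g. `# TODO(review): which nfsd helper needs raw fixed-disk reads (sys_rawio)?`, or gate the raw access behind a tunable as `rpcd_use_fusefs` does for rpcd_t.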
@@ -92985,11 +92985,11 @@ index 2da9fca2f..f4df4fda2 100644 -corecmd_exec_shell(nfsd_t) +corenet_udp_bind_mountd_port(nfsd_t) +corenet_tcp_bind_mountd_port(nfsd_t) - + dev_dontaudit_getattr_all_blk_files(nfsd_t) dev_dontaudit_getattr_all_chr_files(nfsd_t) dev_rw_lvm_control(nfsd_t) - + +# does not really need this, but it is easier to just allow it +files_search_pids(nfsd_t) +# for exportfs and rpc.mountd @@ -92997,7 +92997,7 @@ index 2da9fca2f..f4df4fda2 100644 +# cjp: this should really have its own type files_manage_mounttab(nfsd_t) +files_read_etc_runtime_files(nfsd_t) - + +fs_read_configfs_files(nfsd_t) +fs_read_configfs_dirs(nfsd_t) +fs_mounton_nfsd_fs(nfsd_t) @@ -93007,35 +93007,35 @@ index 2da9fca2f..f4df4fda2 100644 -fs_rw_nfsd_fs(nfsd_t) -# fs_manage_nfsd_fs(nfsd_t) +fs_manage_nfsd_fs(nfsd_t) - + -storage_dontaudit_read_fixed_disk(nfsd_t) +storage_raw_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) - + +# Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) - + -tunable_policy(`allow_nfsd_anon_write',` +userdom_filetrans_home_content(nfsd_t) +userdom_list_user_tmp(nfsd_t) + +# Write access to public_content_t and public_content_rw_t +tunable_policy(`nfsd_anon_write',` - miscfiles_manage_public_files(nfsd_t) + miscfiles_manage_public_files(nfsd_t) ') - + @@ -245,7 +304,6 @@ tunable_policy(`nfs_export_all_rw',` - dev_getattr_all_chr_files(nfsd_t) - - fs_read_noxattr_fs_files(nfsd_t) + dev_getattr_all_chr_files(nfsd_t) + + fs_read_noxattr_fs_files(nfsd_t) - files_manage_non_auth_files(nfsd_t) ') - + tunable_policy(`nfs_export_all_ro',` @@ -257,12 +315,22 @@ tunable_policy(`nfs_export_all_ro',` - - fs_read_noxattr_fs_files(nfsd_t) - + + fs_read_noxattr_fs_files(nfsd_t) + - files_list_non_auth_dirs(nfsd_t) - files_read_non_auth_files(nfsd_t) + files_read_non_security_files(nfsd_t) 
@@ -93050,79 +93050,79 @@ index 2da9fca2f..f4df4fda2 100644 + dbus_system_bus_client(nfsd_t) + dbus_acquire_svc_system_dbusd(nfsd_t) ') - + optional_policy(` - mount_exec(nfsd_t) + mount_exec(nfsd_t) + mount_manage_pid_files(nfsd_t) ') - + ######################################## @@ -270,7 +338,7 @@ optional_policy(` # GSSD local policy # - + -allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; +allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice }; allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; - + @@ -280,6 +348,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) - + +kernel_read_system_state(gssd_t) kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) 
@@ -288,35 +357,44 @@ kernel_signal(gssd_t) - + corecmd_exec_bin(gssd_t) - + -fs_list_inotifyfs(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -fs_read_nfs_files(gssd_t) +fs_read_nfsd_files(gssd_t) - + +fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) +files_read_usr_symlinks(gssd_t) files_dontaudit_write_var_dirs(gssd_t) - + +auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) +auth_login_manage_key(gssd_t) - + miscfiles_read_generic_certs(gssd_t) - + userdom_signal_all_users(gssd_t) +userdom_manage_all_users_keys(gssd_t) - + -tunable_policy(`allow_gssd_read_tmp',` +tunable_policy(`gssd_read_tmp',` - userdom_list_user_tmp(gssd_t) - userdom_read_user_tmp_files(gssd_t) - userdom_read_user_tmp_symlinks(gssd_t) + userdom_list_user_tmp(gssd_t) + userdom_read_user_tmp_files(gssd_t) + userdom_read_user_tmp_symlinks(gssd_t) + userdom_manage_user_tmp_files(gssd_t) + files_read_generic_tmp_files(gssd_t) ') - + optional_policy(` - automount_signal(gssd_t) + automount_signal(gssd_t) ') - + +optional_policy(` + gssproxy_stream_connect(gssd_t) +') optional_policy(` - kerberos_manage_host_rcache(gssd_t) - kerberos_read_keytab(gssd_t) + kerberos_manage_host_rcache(gssd_t) + kerberos_read_keytab(gssd_t) - kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") - kerberos_use(gssd_t) + kerberos_use(gssd_t) ') - + diff --git a/rpcbind.if b/rpcbind.if index 3b5e9eed6..ff1163ff6 100644 --- a/rpcbind.if @@ -93130,17 +93130,17 @@ index 3b5e9eed6..ff1163ff6 100644 @@ -1,4 +1,4 @@ -## Universal Addresses to RPC Program Number Mapper. +## Universal Addresses to RPC Program Number Mapper - + ######################################## ## 
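Review bot: The `gssd_read_tmp` tunable block on the new side now also grants `userdom_manage_user_tmp_files(gssd_t)` and `files_read_generic_tmp_files(gssd_t)`, so a boolean whose name and description (hunk `@@ -92736,7 +92736,7 @@`, of which only the fragment `Determine whether gssd can read` is visible here) promise read access actually lets gssd create, write and delete user tmp files, and that same hunk flips its default to `true`. The description should say so, e.g. `Determine whether gssd can read, write and delete temporary files of users.`, so the widened write access is visible to anyone auditing the boolean with `getsebool`. The unconditional `userdom_manage_all_users_keys(gssd_t)` above it likewise has no comment explaining the need.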
@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',` - type rpcbind_t, rpcbind_exec_t; - ') - + type rpcbind_t, rpcbind_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) + domtrans_pattern($1, rpcbind_exec_t, rpcbind_t) ') - + ######################################## ## -## Connect to rpcbindd with a @@ -93150,7 +93150,7 @@ index 3b5e9eed6..ff1163ff6 100644 ## ## @@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',` - + ######################################## ## -## Read rpcbind pid files. @@ -93159,34 +93159,34 @@ index 3b5e9eed6..ff1163ff6 100644 ## ## @@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',` - type rpcbind_var_lib_t; - ') - + type rpcbind_var_lib_t; + ') + - files_search_var_lib($1) - allow $1 rpcbind_var_lib_t:dir search_dir_perms; + allow $1 rpcbind_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) ') - + ######################################## @@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',` - type rpcbind_var_lib_t; - ') - + type rpcbind_var_lib_t; + ') + - files_search_var_lib($1) - read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) + read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) + files_search_var_lib($1) ') - + ######################################## @@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',` - type rpcbind_var_lib_t; - ') - + type rpcbind_var_lib_t; + ') + - files_search_var_lib($1) - manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) + manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t) + files_search_var_lib($1) ') - + ######################################## ## -## Send null signals to rpcbind. @@ -93195,7 +93195,7 @@ index 3b5e9eed6..ff1163ff6 100644 ## ## @@ -136,8 +134,44 @@ interface(`rpcbind_signull',` - + ######################################## ## -## All of the rules required to @@ -93251,28 +93251,28 @@ index 3b5e9eed6..ff1163ff6 100644 ## ## 
@@ -157,17 +191,20 @@ interface(`rpcbind_admin',` - type rpcbind_initrc_exec_t; - ') - + type rpcbind_initrc_exec_t; + ') + - allow $1 rpcbind_t:process { ptrace signal_perms }; + allow $1 rpcbind_t:process signal_perms; - ps_process_pattern($1, rpcbind_t) + ps_process_pattern($1, rpcbind_t) + tunable_policy(`deny_ptrace',`',` + allow $1 rpcbind_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, rbcbind_initrc_exec_t) + init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpcbind_initrc_exec_t system_r; - allow $2 system_r; - + domain_system_change_exemption($1) + role_transition $2 rpcbind_initrc_exec_t system_r; + allow $2 system_r; + - files_search_pids($1) - admin_pattern($1, rpcbind_var_run_t) - - files_search_var_lib($1) + files_list_var_lib($1) - admin_pattern($1, rpcbind_var_lib_t) + admin_pattern($1, rpcbind_var_lib_t) + + files_list_pids($1) + admin_pattern($1, rpcbind_var_run_t) @@ -93284,7 +93284,7 @@ index 54de77ccd..a17c004c3 100644 @@ -12,6 +12,9 @@ init_daemon_domain(rpcbind_t, rpcbind_exec_t) type rpcbind_initrc_exec_t; init_script_file(rpcbind_initrc_exec_t) - + +type rpcbind_tmp_t; +files_tmp_file(rpcbind_tmp_t) + @@ -93294,13 +93294,13 @@ index 54de77ccd..a17c004c3 100644 @@ -24,11 +27,15 @@ files_type(rpcbind_var_lib_t) # Local policy # - + -allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; +allow rpcbind_t self:capability { chown dac_read_search dac_override setgid setuid sys_tty_config }; allow rpcbind_t self:fifo_file rw_fifo_file_perms; allow rpcbind_t self:unix_stream_socket { accept listen }; allow rpcbind_t self:tcp_socket { accept listen }; - + +manage_files_pattern(rpcbind_t, rpcbind_tmp_t, rpcbind_tmp_t) +manage_dirs_pattern(rpcbind_t, rpcbind_tmp_t, rpcbind_tmp_t) +files_tmp_filetrans(rpcbind_t, rpcbind_tmp_t, { file dir }) @@ -93311,36 +93311,36 @@ index 54de77ccd..a17c004c3 100644 
@@ -42,7 +49,6 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) kernel_request_load_module(rpcbind_t) - + -corenet_all_recvfrom_unlabeled(rpcbind_t) corenet_all_recvfrom_netlabel(rpcbind_t) corenet_tcp_sendrecv_generic_if(rpcbind_t) corenet_udp_sendrecv_generic_if(rpcbind_t) @@ -68,7 +74,11 @@ auth_use_nsswitch(rpcbind_t) - + logging_send_syslog_msg(rpcbind_t) - + -miscfiles_read_localization(rpcbind_t) +sysnet_dns_name_resolve(rpcbind_t) + +optional_policy(` + nis_use_ypbind(rpcbind_t) +') - + ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(rpcbind_t) + term_dontaudit_use_unallocated_ttys(rpcbind_t) diff --git a/rpm.fc b/rpm.fc index ebe91fc70..27beed27d 100644 --- a/rpm.fc +++ b/rpm.fc @@ -1,61 +1,81 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) - + -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) - -/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) - + +/usr/bin/anaconda-yum -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) -/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -93360,9 +93360,9 @@ index ebe91fc70..27beed27d 100644 +/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/yum-deprecated -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) - + /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -93373,7 +93373,7 @@ index ebe91fc70..27beed27d 100644 +/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - + -/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -93411,13 +93411,13 @@ index ebe91fc70..27beed27d 100644 +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) ') - + -/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - + -/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) 
@@ -93426,24 +93426,24 @@ index ebe91fc70..27beed27d 100644 +/var/lib/rpmrebuilddb.*(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - + -/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/log/up2date.* -- gen_context(system_u:object_r:rpm_log_t,s0) - + -/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) - + -/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) -/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - + -/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) +/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) - + -/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) +# SuSE @@ -93453,7 +93453,7 @@ index ebe91fc70..27beed27d 100644 +/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) +') - + ifdef(`enable_mls',` -/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -93465,7 +93465,7 @@ index ef3b22507..c3788ab75 100644 @@ -1,8 +1,8 @@ -## Redhat package manager. +## Policy for the RPM package manager. - + ######################################## ## -## Execute rpm in the rpm domain. @@ -93475,17 +93475,17 @@ index ef3b22507..c3788ab75 100644 ## 
@@ -13,16 +13,18 @@ interface(`rpm_domtrans',` - gen_require(` - type rpm_t, rpm_exec_t; + gen_require(` + type rpm_t, rpm_exec_t; + attribute rpm_transition_domain; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rpm_exec_t, rpm_t) + ') + + corecmd_search_bin($1) + domtrans_pattern($1, rpm_exec_t, rpm_t) + typeattribute $1 rpm_transition_domain; + rpm_debuginfo_domtrans($1) ') - + ######################################## ## -## Execute debuginfo install @@ -93495,7 +93495,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -41,7 +43,7 @@ interface(`rpm_debuginfo_domtrans',` - + ######################################## ## -## Execute rpm scripts in the rpm script domain. @@ -93504,18 +93504,18 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -54,18 +56,16 @@ interface(`rpm_domtrans_script',` - type rpm_script_t; - ') - + type rpm_script_t; + ') + + # transition to rpm script: - corecmd_shell_domtrans($1, rpm_script_t) + corecmd_shell_domtrans($1, rpm_script_t) - - allow rpm_script_t $1:fd use; + allow rpm_script_t $1:fd use; - allow rpm_script_t $1:fifo_file rw_fifo_file_perms; + allow rpm_script_t $1:fifo_file rw_file_perms; - allow rpm_script_t $1:process sigchld; + allow rpm_script_t $1:process sigchld; ') - + ######################################## ## -## Execute rpm in the rpm domain, @@ -93536,13 +93536,13 @@ index ef3b22507..c3788ab75 100644 ## # interface(`rpm_run',` - gen_require(` + gen_require(` - attribute_role rpm_roles; + type rpm_t, rpm_script_t; + attribute_role rpm_script_roles; - ') - - rpm_domtrans($1) + ') + + rpm_domtrans($1) - roleattribute $2 rpm_roles; + roleattribute $2 rpm_script_roles; + @@ -93550,7 +93550,7 @@ index ef3b22507..c3788ab75 100644 + role_transition $2 rpm_exec_t system_r; + allow $2 system_r; ') - + ######################################## ## -## Execute the rpm in the caller domain. @@ -93559,7 +93559,7 @@ index ef3b22507..c3788ab75 100644 ## ## 
@@ -109,7 +114,25 @@ interface(`rpm_exec',` - + ######################################## ## -## Send null signals to rpm. @@ -93586,7 +93586,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -127,7 +150,7 @@ interface(`rpm_signull',` - + ######################################## ## -## Inherit and use file descriptors from rpm. @@ -93595,7 +93595,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -145,7 +168,7 @@ interface(`rpm_use_fds',` - + ######################################## ## -## Read rpm unnamed pipes. @@ -93604,7 +93604,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -163,7 +186,7 @@ interface(`rpm_read_pipes',` - + ######################################## ## -## Read and write rpm unnamed pipes. @@ -93613,9 +93613,9 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -179,6 +202,60 @@ interface(`rpm_rw_pipes',` - allow $1 rpm_t:fifo_file rw_fifo_file_perms; + allow $1 rpm_t:fifo_file rw_fifo_file_perms; ') - + +######################################## +## +## Read and write an unnamed RPM script pipe. @@ -93683,7 +93683,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -244,7 +321,7 @@ interface(`rpm_script_dbus_chat',` - + ######################################## ## -## Search rpm log directories. @@ -93692,7 +93692,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -263,7 +340,8 @@ interface(`rpm_search_log',` - + ##################################### ## -## Append rpm log files. @@ -93702,9 +93702,9 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -276,14 +354,30 @@ interface(`rpm_append_log',` - type rpm_log_t; - ') - + type rpm_log_t; + ') + - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; @@ -93727,7 +93727,7 @@ index ef3b22507..c3788ab75 100644 + + read_files_pattern($1, rpm_log_t, rpm_log_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -93737,7 +93737,7 @@ index ef3b22507..c3788ab75 100644 ## ## 
@@ -302,7 +396,32 @@ interface(`rpm_manage_log',` - + ######################################## ## -## Inherit and use rpm script file descriptors. @@ -93771,7 +93771,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -320,8 +439,8 @@ interface(`rpm_use_script_fds',` - + ######################################## ## -## Create, read, write, and delete @@ -93782,14 +93782,14 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -335,12 +454,15 @@ interface(`rpm_manage_script_tmp_files',` - ') - - files_search_tmp($1) + ') + + files_search_tmp($1) + manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) - manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) + manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t) ') - + ##################################### ## -## Append rpm temporary files. @@ -93799,14 +93799,14 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -353,14 +475,13 @@ interface(`rpm_append_tmp_files',` - type rpm_tmp_t; - ') - + type rpm_tmp_t; + ') + - files_search_tmp($1) - append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) + allow $1 rpm_tmp_t:file append_inherited_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -93817,14 +93817,14 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -374,12 +495,14 @@ interface(`rpm_manage_tmp_files',` - ') - - files_search_tmp($1) + ') + + files_search_tmp($1) + manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t) - manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) + manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t) + manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ') - + ######################################## ## -## Read rpm script temporary files. @@ -93833,7 +93833,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -399,7 +522,7 @@ interface(`rpm_read_script_tmp_files',` - + ######################################## ## -## Read rpm cache content. @@ -93842,7 +93842,7 @@ index ef3b22507..c3788ab75 100644 ## ## 
@@ -420,8 +543,7 @@ interface(`rpm_read_cache',` - + ######################################## ## -## Create, read, write, and delete @@ -93852,7 +93852,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -442,7 +564,7 @@ interface(`rpm_manage_cache',` - + ######################################## ## -## Read rpm lib content. @@ -93861,13 +93861,13 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -459,11 +581,13 @@ interface(`rpm_read_db',` - allow $1 rpm_var_lib_t:dir list_dir_perms; - read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + allow $1 rpm_var_lib_t:dir list_dir_perms; + read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + allow $1 rpm_var_lib_t:file map; + rpm_read_cache($1) ') - + ######################################## ## -## Delete rpm lib files. @@ -93876,7 +93876,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -482,8 +606,7 @@ interface(`rpm_delete_db',` - + ######################################## ## -## Create, read, write, and delete @@ -93886,9 +93886,9 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -499,12 +622,33 @@ interface(`rpm_manage_db',` - files_search_var_lib($1) - manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) - manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + files_search_var_lib($1) + manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) + allow $1 rpm_var_lib_t:file map; +') + @@ -93911,7 +93911,7 @@ index ef3b22507..c3788ab75 100644 + dontaudit $1 rpm_var_lib_t:file read_file_perms; + dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms; ') - + ######################################## ## ## Do not audit attempts to create, read, @@ -93921,19 +93921,19 @@ index ef3b22507..c3788ab75 100644 ## ## 
@@ -517,9 +661,10 @@ interface(`rpm_dontaudit_manage_db',` - type rpm_var_lib_t; - ') - + type rpm_var_lib_t; + ') + - dontaudit $1 rpm_var_lib_t:dir rw_dir_perms; + dontaudit $1 rpm_var_lib_t:dir manage_dir_perms; - dontaudit $1 rpm_var_lib_t:file manage_file_perms; - dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; + dontaudit $1 rpm_var_lib_t:file manage_file_perms; + dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; + dontaudit $1 rpm_var_lib_t:file map; ') - + ##################################### @@ -543,8 +688,7 @@ interface(`rpm_read_pid_files',` - + ##################################### ## -## Create, read, write, and delete @@ -93943,7 +93943,7 @@ index ef3b22507..c3788ab75 100644 ## ## @@ -563,8 +707,7 @@ interface(`rpm_manage_pid_files',` - + ###################################### ## -## Create files in pid directories @@ -93964,7 +93964,7 @@ index ef3b22507..c3788ab75 100644 + + files_pid_filetrans($1, rpm_var_run_t, file) ') - + ######################################## ## -## Create specified objects in pid directories @@ -94005,17 +94005,17 @@ index ef3b22507..c3788ab75 100644 ## -# -interface(`rpm_pid_filetrans_rpm_pid',` -+# ++# +interface(`rpm_entry_type',` - gen_require(` + gen_require(` - type rpm_var_run_t; + type rpm_exec_t; - ') - + ') + - files_pid_filetrans($1, rpm_var_run_t, $3, $4) + domain_entry_file($1, rpm_exec_t) ') - + ######################################## ## -## All of the rules required to @@ -94039,7 +94039,7 @@ index ef3b22507..c3788ab75 100644 # -interface(`rpm_admin',` +interface(`rpm_transition_script',` - gen_require(` + gen_require(` - type rpm_t, rpm_script_t, rpm_initrc_exec_t; - type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t; - type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t; 
@@ -94047,8 +94047,8 @@ index ef3b22507..c3788ab75 100644 + type rpm_script_t; + attribute rpm_transition_domain; + attribute_role rpm_script_roles; - ') - + ') + - allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rpm_t rpm_script_t }) + typeattribute $1 rpm_transition_domain; @@ -94090,26 +94090,26 @@ index ef3b22507..c3788ab75 100644 + + allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; + ps_process_pattern($1, { rpm_t rpm_script_t }) - - init_labeled_script_domtrans($1, rpm_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, rpm_initrc_exec_t) + domain_system_change_exemption($1) @@ -641,9 +830,6 @@ interface(`rpm_admin',` - - admin_pattern($1, rpm_file_t) - + + admin_pattern($1, rpm_file_t) + - files_list_var($1) - admin_pattern($1, rpm_cache_t) - - files_list_tmp($1) - admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) - + files_list_tmp($1) + admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t }) + diff --git a/rpm.te b/rpm.te index 6fc360e60..7394a0dfc 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ policy_module(rpm, 1.16.0) - + +attribute rpm_transition_domain; +attribute_role rpm_script_roles; +roleattribute system_r rpm_script_roles; @@ -94133,24 +94133,24 @@ index 6fc360e60..7394a0dfc 100644 domain_interactive_fd(rpm_t) -role rpm_roles types rpm_t; +role rpm_script_roles types rpm_t; - + -type rpm_initrc_exec_t; -init_script_file(rpm_initrc_exec_t) +type debuginfo_exec_t; +domain_entry_file(rpm_t, debuginfo_exec_t) - + type rpm_file_t; files_type(rpm_file_t) @@ -31,9 +29,6 @@ files_tmp_file(rpm_tmp_t) type rpm_tmpfs_t; files_tmpfs_file(rpm_tmpfs_t) - + -type rpm_lock_t; -files_lock_file(rpm_lock_t) - type rpm_log_t; logging_log_file(rpm_log_t) - + @@ -56,8 +51,7 @@ corecmd_bin_entry_type(rpm_script_t) domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) 
@@ -94158,13 +94158,13 @@ index 6fc360e60..7394a0dfc 100644 -role rpm_roles types rpm_script_t; -role system_r types rpm_script_t; +role rpm_script_roles types rpm_script_t; - + type rpm_script_tmp_t; files_tmp_file(rpm_script_tmp_t) @@ -70,28 +64,35 @@ files_tmpfs_file(rpm_script_tmpfs_t) # rpm Local policy # - + -allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; +allow rpm_t self:capability2 block_suspend; +allow rpm_t self:capability { audit_write chown dac_read_search dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; @@ -94191,16 +94191,16 @@ index 6fc360e60..7394a0dfc 100644 +allow rpm_t self:file rw_file_perms;; allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; +allow rpm_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; - + -allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) - + manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t) files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir }) +can_exec(rpm_t, rpm_tmp_t) - + manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) @@ -99,23 +100,20 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) @@ -94208,11 +94208,11 @@ index 6fc360e60..7394a0dfc 100644 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +can_exec(rpm_t, rpm_tmpfs_t) - + manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) files_var_filetrans(rpm_t, rpm_var_cache_t, dir) - + -manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t) -files_lock_filetrans(rpm_t, rpm_lock_t, file) - 
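Review bot: The added rule `allow rpm_t self:file rw_file_perms;;` in rpm.te carries a doubled semicolon, unlike the netlink socket rules on either side of it, which each end with a single terminator. I cannot confirm from here whether checkmodule tolerates an empty statement after m4 expansion, but the stray `;` is at best noise and at worst a build break on a stricter toolchain; write it as `allow rpm_t self:file rw_file_perms;`. This is a style point only; the permission itself is in line with the surrounding self rules.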
@@ -94222,20 +94222,20 @@ index 6fc360e60..7394a0dfc 100644 -files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file }) +files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) +allow rpm_t rpm_var_lib_t:file map; - + manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t) -files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file }) - -can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t }) +files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir }) - + kernel_read_crypto_sysctls(rpm_t) kernel_read_network_state(rpm_t) @@ -126,41 +124,34 @@ kernel_rw_irq_sysctls(rpm_t) - + corecmd_exec_all_executables(rpm_t) - + -corenet_all_recvfrom_unlabeled(rpm_t) corenet_all_recvfrom_netlabel(rpm_t) corenet_tcp_sendrecv_generic_if(rpm_t) @@ -94250,7 +94250,7 @@ index 6fc360e60..7394a0dfc 100644 +corenet_udp_sendrecv_all_ports(rpm_t) corenet_tcp_connect_all_ports(rpm_t) +corenet_sendrecv_all_client_packets(rpm_t) - + dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -94258,7 +94258,7 @@ index 6fc360e60..7394a0dfc 100644 - dev_manage_all_dev_nodes(rpm_t) -dev_relabel_all_dev_nodes(rpm_t) - + +#devices_manage_all_device_types(rpm_t) dev_create_generic_blk_files(rpm_t) dev_create_generic_chr_files(rpm_t) @@ -94285,26 +94285,26 @@ index 6fc360e60..7394a0dfc 100644 +dev_rename_generic_chr_files(rpm_t) +dev_setattr_all_blk_files(rpm_t) +dev_setattr_all_chr_files(rpm_t) - + fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) 
@@ -183,29 +174,49 @@ selinux_compute_relabel_context(rpm_t) selinux_compute_user_contexts(rpm_t) - + storage_raw_write_fixed_disk(rpm_t) +# for installing kernel packages storage_raw_read_fixed_disk(rpm_t) - + term_list_ptys(rpm_t) - + +files_relabel_all_files(rpm_t) +files_manage_all_files(rpm_t) auth_dontaudit_read_shadow(rpm_t) auth_use_nsswitch(rpm_t) - + +# transition to rpm script: rpm_domtrans_script(rpm_t) - + +domain_read_all_domains_state(rpm_t) +domain_getattr_all_domains(rpm_t) +domain_use_interactive_fds(rpm_t) @@ -94322,33 +94322,33 @@ index 6fc360e60..7394a0dfc 100644 init_domtrans_script(rpm_t) init_use_script_ptys(rpm_t) init_signull_script(rpm_t) - + libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -libs_run_ldconfig(rpm_t, rpm_roles) - + logging_send_syslog_msg(rpm_t) - + +miscfiles_filetrans_named_content(rpm_t) + +# allow compiling and loading new policy seutil_manage_src_policy(rpm_t) seutil_manage_bin_policy(rpm_t) - + -userdom_use_user_terminals(rpm_t) +userdom_use_inherited_user_terminals(rpm_t) userdom_use_unpriv_users_fds(rpm_t) - + optional_policy(` @@ -224,13 +235,17 @@ optional_policy(` - networkmanager_dbus_chat(rpm_t) - ') - + networkmanager_dbus_chat(rpm_t) + ') + - optional_policy(` - unconfined_dbus_chat(rpm_t) - ') ') - + optional_policy(` - prelink_run(rpm_t, rpm_roles) + prelink_domtrans(rpm_t) @@ -94360,11 +94360,11 @@ index 6fc360e60..7394a0dfc 100644 + unconfined_dbus_chat(rpm_t) + unconfined_dbus_chat(rpm_script_t) ') - + ######################################## @@ -239,18 +254,20 @@ optional_policy(` # - + allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; + allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; 
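Review bot: `files_manage_all_files(rpm_t)` and `files_relabel_all_files(rpm_t)` are added without a comment directly above `auth_dontaudit_read_shadow(rpm_t)`; if the all-files interface covers shadow_t, as it does in reference policy where shadow_t is a file_type, that dontaudit becomes moot because the read is already granted. These two lines let rpm_t rewrite and relabel every labeled file on the system, a much larger grant than the per-type rules elsewhere in the domain, so the reason belongs in the file, e.g. `# rpm unpacks payloads and restores contexts for any package-owned path: manage+relabel on all file types, effectively unconfined write access`. If shadow_t is meant to stay out of reach, `files_manage_non_auth_files(rpm_t)` (the form this same patch uses for rsync_t) would keep the dontaudit meaningful.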
@@ -94383,24 +94383,24 @@ index 6fc360e60..7394a0dfc 100644 - -allow rpm_script_t rpm_t:netlink_route_socket { read write }; +allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; - + allow rpm_script_t rpm_tmp_t:file read_file_perms; - + @@ -267,8 +284,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +can_exec(rpm_script_t, rpm_script_tmpfs_t) - + -can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t }) +allow rpm_script_t rpm_t:netlink_route_socket { read write }; - + kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) @@ -277,45 +295,29 @@ kernel_read_network_state(rpm_script_t) kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) - + -corenet_all_recvfrom_unlabeled(rpm_script_t) -corenet_all_recvfrom_netlabel(rpm_script_t) -corenet_tcp_sendrecv_generic_if(rpm_script_t) @@ -94414,7 +94414,7 @@ index 6fc360e60..7394a0dfc 100644 -corecmd_exec_all_executables(rpm_script_t) +# needed by unbound-anchor +corenet_udp_bind_all_unreserved_ports(rpm_script_t) - + dev_list_sysfs(rpm_script_t) + +# ideally we would not need this @@ -94422,7 +94422,7 @@ index 6fc360e60..7394a0dfc 100644 dev_manage_generic_chr_files(rpm_script_t) dev_manage_all_blk_files(rpm_script_t) dev_manage_all_chr_files(rpm_script_t) - + -domain_read_all_domains_state(rpm_script_t) -domain_getattr_all_domains(rpm_script_t) -domain_use_interactive_fds(rpm_script_t) 
@@ -94443,22 +94443,22 @@ index 6fc360e60..7394a0dfc 100644 fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) - + -mcs_killall(rpm_script_t) - mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) - + @@ -331,73 +333,129 @@ storage_raw_write_fixed_disk(rpm_script_t) - + term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) -term_use_all_terms(rpm_script_t) +term_use_all_inherited_terms(rpm_script_t) - + auth_dontaudit_getattr_shadow(rpm_script_t) auth_use_nsswitch(rpm_script_t) - + +corecmd_exec_all_executables(rpm_script_t) +can_exec(rpm_script_t, rpm_script_tmp_t) +can_exec(rpm_script_t, rpm_script_tmpfs_t) @@ -94482,23 +94482,23 @@ index 6fc360e60..7394a0dfc 100644 +init_manage_transient_unit(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) - + +systemd_config_all_services(rpm_script_t) + libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -libs_run_ldconfig(rpm_script_t, rpm_roles) +libs_ldconfig_exec_entry_type(rpm_script_t) - + logging_send_syslog_msg(rpm_script_t) +logging_send_audit_msgs(rpm_script_t) - + -miscfiles_read_localization(rpm_script_t) - -modutils_run_depmod(rpm_script_t, rpm_roles) -modutils_run_insmod(rpm_script_t, rpm_roles) +miscfiles_filetrans_named_content(rpm_script_t) - + -seutil_run_loadpolicy(rpm_script_t, rpm_roles) -seutil_run_setfiles(rpm_script_t, rpm_roles) -seutil_run_semanage(rpm_script_t, rpm_roles) 
@@ -94506,23 +94506,23 @@ index 6fc360e60..7394a0dfc 100644 +seutil_run_setfiles(rpm_script_t, rpm_script_roles) +seutil_run_semanage(rpm_script_t, rpm_script_roles) +seutil_run_setsebool(rpm_script_t, rpm_script_roles) - + userdom_use_all_users_fds(rpm_script_t) +userdom_exec_admin_home_files(rpm_script_t) - + ifdef(`distro_redhat',` - optional_policy(` - mta_send_mail(rpm_script_t) + optional_policy(` + mta_send_mail(rpm_script_t) + mta_role_access_system_mail(rpm_script_roles) - mta_system_content(rpm_var_run_t) - ') + mta_system_content(rpm_var_run_t) + ') ') - + -tunable_policy(`allow_execmem',` +tunable_policy(`deny_execmem',`',` - allow rpm_script_t self:process execmem; + allow rpm_script_t self:process execmem; ') - + optional_policy(` - bootloader_run(rpm_script_t, rpm_roles) + bootloader_run(rpm_script_t, rpm_script_roles) @@ -94542,15 +94542,15 @@ index 6fc360e60..7394a0dfc 100644 + +optional_policy(` + glusterd_filetrans_named_pid(rpm_script_t) -+') ++') + +optional_policy(` + sblim_filetrans_named_content(rpm_script_t) ') - + optional_policy(` - dbus_system_bus_client(rpm_script_t) - + dbus_system_bus_client(rpm_script_t) + - optional_policy(` - unconfined_dbus_chat(rpm_script_t) - ') 
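Review bot: The rewritten block `tunable_policy(\`deny_execmem\`,\`\`, allow rpm_script_t self:process execmem;)` cannot deny anything, because the rule `allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };` earlier in rpm.te grants every process permission not in that set, and execmem (and execstack) is not in it. Either add execmem to the excluded set of the `~{ … }` rule so the boolean takes effect, or drop this tunable block and state in a comment that scriptlets always get execmem. A one-line comment over the negated-set rule naming what it deliberately allows would also help, since `~{ … }` is easy to misread as a restriction.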
@@ -94568,40 +94568,40 @@ index 6fc360e60..7394a0dfc 100644 +optional_policy(` + ntp_run(rpm_script_t, rpm_script_roles) ') - + optional_policy(` - lvm_run(rpm_script_t, rpm_roles) + modutils_run_depmod(rpm_script_t, rpm_script_roles) + modutils_run_insmod(rpm_script_t, rpm_script_roles) ') - + optional_policy(` - ntp_domtrans(rpm_script_t) + openshift_initrc_run(rpm_script_t, rpm_script_roles) ') - + optional_policy(` - tzdata_run(rpm_t, rpm_roles) - tzdata_run(rpm_script_t, rpm_roles) + tzdata_domtrans(rpm_t) + tzdata_run(rpm_script_t, rpm_script_roles) ') - + optional_policy(` - udev_domtrans(rpm_script_t) + udev_run(rpm_script_t, rpm_script_roles) ') - + optional_policy(` - unconfined_domtrans(rpm_script_t) + unconfined_domain_noaudit(rpm_script_t) + domain_named_filetrans(rpm_script_t) - - optional_policy(` - java_domtrans_unconfined(rpm_script_t) + + optional_policy(` + java_domtrans_unconfined(rpm_script_t) @@ -409,6 +467,6 @@ optional_policy(` ') - + optional_policy(` - usermanage_run_groupadd(rpm_script_t, rpm_roles) - usermanage_run_useradd(rpm_script_t, rpm_roles) @@ -94615,14 +94615,14 @@ index 9ad0d58dc..6a4db031f 100644 @@ -1,3 +1,4 @@ + /usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) - + /usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) diff --git a/rshd.if b/rshd.if index 7ad29c046..2e87d76b4 100644 --- a/rshd.if +++ b/rshd.if @@ -2,7 +2,7 @@ - + ######################################## ## -## Execute rshd in the rshd domain. @@ -94631,12 +94631,12 @@ index 7ad29c046..2e87d76b4 100644 ## ## @@ -15,6 +15,7 @@ interface(`rshd_domtrans',` - type rshd_exec_t, rshd_t; - ') - + type rshd_exec_t, rshd_t; + ') + + files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, rshd_exec_t, rshd_t) + corecmd_search_bin($1) + domtrans_pattern($1, rshd_exec_t, rshd_t) ') diff --git a/rshd.te b/rshd.te index 864e089a0..f919bc537 100644 
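Review bot: `unconfined_domain_noaudit(rpm_script_t)` inside an optional_policy block makes rpm scriptlets fully unconfined whenever the unconfined module is loaded, yet nothing nearby says so, and a reader of the many fine-grained `*_run(rpm_script_t, rpm_script_roles)` grants above it would reasonably take those as the whole story. Add a comment at that optional_policy: `# with the unconfined module present rpm_script_t is unconfined (no-audit variant); the explicit grants in this file only bound scriptlets on builds without it`. The adjacent `domain_named_filetrans(rpm_script_t)` also deserves a line saying it exists so scriptlet-created files get their named-transition labels, if that is the intent — I am inferring that from the interface name.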
@@ -94654,7 +94654,7 @@ index 864e089a0..f919bc537 100644 +domain_subj_id_change_exemption(rshd_t) +domain_role_change_exemption(rshd_t) +role system_r types rshd_t; - + type rshd_keytab_t; files_type(rshd_keytab_t) @@ -17,51 +18,66 @@ files_type(rshd_keytab_t) @@ -94668,12 +94668,12 @@ index 864e089a0..f919bc537 100644 +allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; - + allow rshd_t rshd_keytab_t:file read_file_perms; - + kernel_read_kernel_sysctls(rshd_t) +kernel_read_net_sysctls(rshd_t) - + -corenet_all_recvfrom_unlabeled(rshd_t) corenet_all_recvfrom_netlabel(rshd_t) corenet_tcp_sendrecv_generic_if(rshd_t) @@ -94701,45 +94701,45 @@ index 864e089a0..f919bc537 100644 +selinux_compute_create_context(rshd_t) +selinux_compute_relabel_context(rshd_t) +selinux_compute_user_contexts(rshd_t) - + corecmd_read_bin_symlinks(rshd_t) - + files_list_home(rshd_t) +files_search_tmp(rshd_t) + +auth_login_pgm_domain(rshd_t) +auth_write_login_records(rshd_t) - + +init_rw_utmp(rshd_t) + +logging_send_syslog_msg(rshd_t) logging_search_logs(rshd_t) - + -miscfiles_read_localization(rshd_t) +seutil_read_config(rshd_t) +seutil_read_default_contexts(rshd_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(rshd_t) - fs_read_nfs_symlinks(rshd_t) -') +userdom_search_user_home_content(rshd_t) +userdom_manage_tmp_role(system_r, rshd_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(rshd_t) - fs_read_cifs_symlinks(rshd_t) -') +userdom_home_reader(rshd_t) - + optional_policy(` - kerberos_manage_host_rcache(rshd_t) - kerberos_read_keytab(rshd_t) + kerberos_manage_host_rcache(rshd_t) + kerberos_read_keytab(rshd_t) - kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(rshd_t, "host_0") - kerberos_use(rshd_t) + kerberos_use(rshd_t) ') - + 
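Review bot: rshd_t gains `domain_subj_id_change_exemption(rshd_t)`, `domain_role_change_exemption(rshd_t)` and `role system_r types rshd_t`, and in the next hunk `setexec` on self:process, with no comment on why a cleartext r-service needs the constraint exemptions that normally only login programs get (the later `auth_login_pgm_domain(rshd_t)` confirms that is the direction). These exemptions lift the checks that stop a daemon from switching SELinux user and role, so they warrant a why-comment such as `# rshd execs the user's command in the user's own context (setexec), hence login-program exemptions`. If the intent were only to run under system_r, the two `*_change_exemption` calls would be unnecessary — I cannot tell which is meant from the hunk.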
diff --git a/rssh.te b/rssh.te index 5c5465feb..60059323f 100644 --- a/rssh.te @@ -94747,25 +94747,25 @@ index 5c5465feb..60059323f 100644 @@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) kernel_read_system_state(rssh_t) kernel_read_kernel_sysctls(rssh_t) - + -files_read_etc_files(rssh_t) files_read_etc_runtime_files(rssh_t) files_list_home(rssh_t) -files_read_usr_files(rssh_t) files_list_var(rssh_t) - + fs_search_auto_mountpoints(rssh_t) - + logging_send_syslog_msg(rssh_t) - + -miscfiles_read_localization(rssh_t) - rssh_domtrans_chroot_helper(rssh_t) - + ssh_rw_tcp_sockets(rssh_t) @@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t) auth_use_nsswitch(rssh_chroot_helper_t) - + logging_send_syslog_msg(rssh_chroot_helper_t) - -miscfiles_read_localization(rssh_chroot_helper_t) @@ -94775,13 +94775,13 @@ index d25301b85..f3eeec7b6 100644 +++ b/rsync.fc @@ -1,7 +1,8 @@ /etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) - + -/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) +/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) - + -/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0) +/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0) - + /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) +/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/rsync.if b/rsync.if @@ -94807,7 +94807,7 @@ index f1140efe4..642e062f4 100644 + type rsync_t; + ') +') - + ######################################## ## -## Make rsync executable file an @@ -94824,8 +94824,8 @@ index f1140efe4..642e062f4 100644 -# +# cjp: added for portage interface(`rsync_entry_type',` - gen_require(` - type rsync_exec_t; + gen_require(` + type rsync_exec_t; @@ -43,14 +59,13 @@ interface(`rsync_entry_type',` ## Domain to transition to. ## 
@@ -94833,15 +94833,15 @@ index f1140efe4..642e062f4 100644 -# +# cjp: added for portage interface(`rsync_entry_spec_domtrans',` - gen_require(` - type rsync_exec_t; - ') - + gen_require(` + type rsync_exec_t; + ') + - corecmd_search_bin($1) - auto_trans($1, rsync_exec_t, $2) + domain_trans($1, rsync_exec_t, $2) ') - + ######################################## @@ -77,82 +92,56 @@ interface(`rsync_entry_spec_domtrans',` ## Domain to transition to. @@ -94850,14 +94850,14 @@ index f1140efe4..642e062f4 100644 -# +# cjp: added for portage interface(`rsync_entry_domtrans',` - gen_require(` - type rsync_exec_t; - ') - + gen_require(` + type rsync_exec_t; + ') + - corecmd_search_bin($1) - domain_auto_trans($1, rsync_exec_t, $2) + domain_auto_trans($1, rsync_exec_t, $2) ') - + ######################################## ## -## Execute the rsync program in the rsync domain. @@ -94873,16 +94873,16 @@ index f1140efe4..642e062f4 100644 # -interface(`rsync_domtrans',` +interface(`rsync_exec',` - gen_require(` + gen_require(` - type rsync_t, rsync_exec_t; + type rsync_exec_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, rsync_exec_t, rsync_t) + can_exec($1, rsync_exec_t) ') - + ######################################## ## -## Execute rsync in the rsync domain, and @@ -94922,17 +94922,17 @@ index f1140efe4..642e062f4 100644 # -interface(`rsync_exec',` +interface(`rsync_read_config',` - gen_require(` + gen_require(` - type rsync_exec_t; + type rsync_etc_t; - ') - + ') + - corecmd_search_bin($1) - can_exec($1, rsync_exec_t) + read_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) ') - + ######################################## ## -## Read rsync config files. 
@@ -94946,16 +94946,16 @@ index f1140efe4..642e062f4 100644 # -interface(`rsync_read_config',` +interface(`rsync_read_data',` - gen_require(` + gen_require(` - type rsync_etc_t; + type rsync_data_t; - ') - + ') + - files_search_etc($1) - allow $1 rsync_etc_t:file read_file_perms; + read_files_pattern($1, rsync_data_t, rsync_data_t) ') - + + ######################################## ## @@ -94972,14 +94972,14 @@ index f1140efe4..642e062f4 100644 # interface(`rsync_write_config',` @@ -184,14 +173,13 @@ interface(`rsync_write_config',` - type rsync_etc_t; - ') - + type rsync_etc_t; + ') + + write_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) + files_search_etc($1) - allow $1 rsync_etc_t:file write_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -94994,15 +94994,15 @@ index f1140efe4..642e062f4 100644 # -interface(`rsync_manage_config_files',` +interface(`rsync_manage_config',` - gen_require(` - type rsync_etc_t; - ') - + gen_require(` + type rsync_etc_t; + ') + - files_search_etc($1) - manage_files_pattern($1, rsync_etc_t, rsync_etc_t) + manage_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) ') - + ######################################## ## -## Create specified objects in etc directories @@ -95011,7 +95011,7 @@ index f1140efe4..642e062f4 100644 ## ## @@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',` - + ######################################## ## -## All of the rules required to @@ -95033,13 +95033,13 @@ index f1140efe4..642e062f4 100644 # -interface(`rsync_admin',` +interface(`rsync_filetrans_named_content',` - gen_require(` + gen_require(` - type rsync_t, rsync_etc_t, rsync_data_t; - type rsync_log_t, rsync_tmp_t. rsync_var_run_t; + type rsync_etc_t; + type rsync_var_run_t; - ') - + ') + - allow $1 rsync_t:process { ptrace signal_perms }; - ps_process_pattern($1, rsync_t) - @@ -95068,7 +95068,7 @@ index abeb302a7..6836678c8 100644 +++ b/rsync.te 
@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) # - + ## -##

    -## Determine whether rsync can use @@ -95080,7 +95080,7 @@ index abeb302a7..6836678c8 100644 ## -gen_tunable(rsync_use_cifs, false) +gen_tunable(rsync_client, false) - + ## -##

    -## Determine whether rsync can @@ -95092,7 +95092,7 @@ index abeb302a7..6836678c8 100644 ## -gen_tunable(rsync_use_fusefs, false) +gen_tunable(rsync_export_all_ro, false) - + ## -##

    -## Determine whether rsync can use @@ -95106,7 +95106,7 @@ index abeb302a7..6836678c8 100644 ## -gen_tunable(rsync_use_nfs, false) +gen_tunable(rsync_anon_write, false) - + ## ##

    -## Determine whether rsync can @@ -95116,7 +95116,7 @@ index abeb302a7..6836678c8 100644 ## -gen_tunable(rsync_client, false) +gen_tunable(rsync_full_access, false) - + -## -##

    -## Determine whether rsync can @@ -95136,7 +95136,7 @@ index abeb302a7..6836678c8 100644 -gen_tunable(allow_rsync_anon_write, false) - -attribute_role rsync_roles; - + type rsync_t; type rsync_exec_t; -init_daemon_domain(rsync_t, rsync_exec_t) @@ -95144,14 +95144,14 @@ index abeb302a7..6836678c8 100644 -role rsync_roles types rsync_t; +application_executable_file(rsync_exec_t) +role system_r types rsync_t; - + type rsync_etc_t; files_config_file(rsync_etc_t) - + -type rsync_data_t; # customizable +type rsync_data_t; files_type(rsync_data_t) - + type rsync_log_t; @@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; @@ -95166,10 +95166,10 @@ index abeb302a7..6836678c8 100644 +# search home and kerberos also. +allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +#end for identd - + -allow rsync_t rsync_etc_t:file read_file_perms; +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) - + allow rsync_t rsync_data_t:dir list_dir_perms; -allow rsync_t rsync_data_t:file read_file_perms; -allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms; @@ -95178,16 +95178,16 @@ index abeb302a7..6836678c8 100644 +allow rsync_t rsync_data_t:dir_file_class_set getattr; +allow rsync_t rsync_data_t:socket_class_set getattr; +allow rsync_t rsync_data_t:sock_file setattr; - + -allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) logging_log_filetrans(rsync_t, rsync_log_t, file) - + manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) @@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) - + -corenet_all_recvfrom_unlabeled(rsync_t) corenet_all_recvfrom_netlabel(rsync_t) corenet_tcp_sendrecv_generic_if(rsync_t) 
@@ -95202,23 +95202,23 @@ index abeb302a7..6836678c8 100644 corenet_tcp_bind_rsync_port(rsync_t) -corenet_tcp_sendrecv_rsync_port(rsync_t) +corenet_sendrecv_rsync_server_packets(rsync_t) - + dev_read_urand(rsync_t) - + -fs_getattr_all_fs(rsync_t) +fs_getattr_xattr_fs(rsync_t) fs_search_auto_mountpoints(rsync_t) - + files_search_home(rsync_t) - + -auth_can_read_shadow_passwords(rsync_t) auth_use_nsswitch(rsync_t) - + logging_send_syslog_msg(rsync_t) - + -miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) - + -tunable_policy(`allow_rsync_anon_write',` - miscfiles_manage_public_files(rsync_t) +userdom_home_manager(rsync_t) @@ -95226,21 +95226,21 @@ index abeb302a7..6836678c8 100644 +optional_policy(` + daemontools_service_domain(rsync_t, rsync_exec_t) ') - + -tunable_policy(`rsync_client',` - corenet_sendrecv_rsync_client_packets(rsync_t) - corenet_tcp_connect_rsync_port(rsync_t) +optional_policy(` + kerberos_use(rsync_t) +') - + - corenet_sendrecv_ssh_client_packets(rsync_t) - corenet_tcp_connect_ssh_port(rsync_t) - corenet_tcp_sendrecv_ssh_port(rsync_t) +optional_policy(` + inetd_service_domain(rsync_t, rsync_exec_t) +') - + - manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) - manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) @@ -95256,12 +95256,12 @@ index abeb302a7..6836678c8 100644 + allow rsync_t self:capability { dac_override dac_read_search }; + files_manage_non_auth_files(rsync_t) ') - + tunable_policy(`rsync_export_all_ro',` @@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',` - auth_tunable_read_shadow(rsync_t) + auth_tunable_read_shadow(rsync_t) ') - + -tunable_policy(`rsync_use_cifs',` - fs_list_cifs(rsync_t) - fs_read_cifs_files(rsync_t) 
@@ -95285,14 +95285,14 @@ index abeb302a7..6836678c8 100644 + manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ') - + optional_policy(` - tunable_policy(`rsync_client',` + tunable_policy(`rsync_client',` - ssh_exec(rsync_t) -+ ssh_exec(rsync_t) - ') ++ ssh_exec(rsync_t) + ') ') - + -optional_policy(` - daemontools_service_domain(rsync_t, rsync_exec_t) -') @@ -95301,7 +95301,7 @@ index abeb302a7..6836678c8 100644 - kerberos_use(rsync_t) -') +auth_can_read_shadow_passwords(rsync_t) - + optional_policy(` - inetd_service_domain(rsync_t, rsync_exec_t) + swift_manage_data_files(rsync_t) @@ -95603,15 +95603,15 @@ index e904ec472..e0dd20eeb 100644 --- a/rtkit.if +++ b/rtkit.if @@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',` - type rtkit_daemon_t, rtkit_daemon_exec_t; - ') - + type rtkit_daemon_t, rtkit_daemon_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) + domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t) ') - + @@ -42,56 +41,47 @@ interface(`rtkit_daemon_dbus_chat',` - + ######################################## ##
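Review bot: `auth_can_read_shadow_passwords(rsync_t)` is relocated to an unconditional statement at the bottom of rsync.te, after the tunable blocks, while the actual read grant `auth_tunable_read_shadow(rsync_t)` stays inside `tunable_policy(\`rsync_export_all_ro\`)` above. If, as in reference policy, the unconditional interface only adds the domain to the attribute consulted by the shadow constraint, the placement is harmless, but it reads like a blanket grant; a comment prevents the wrong "fix" later: `# attribute only; the shadow read itself is gated by rsync_export_all_ro above`. The new `swift_manage_data_files(rsync_t)` in the last optional_policy likewise has no note on which deployment requires it.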

    -## Allow rtkit to control scheduling for your process. @@ -95627,11 +95627,11 @@ index e904ec472..e0dd20eeb 100644 # -interface(`rtkit_scheduled',` +interface(`rtkit_daemon_dontaudit_dbus_chat',` - gen_require(` - type rtkit_daemon_t; + gen_require(` + type rtkit_daemon_t; + class dbus send_msg; - ') - + ') + - allow rtkit_daemon_t $1:process { getsched setsched }; - - kernel_search_proc($1) @@ -95644,7 +95644,7 @@ index e904ec472..e0dd20eeb 100644 + dontaudit rtkit_daemon_t $1:dbus send_msg; + dontaudit rtkit_daemon_t $1:process { getsched setsched }; ') - + ######################################## ## -## All of the rules required to @@ -95665,18 +95665,18 @@ index e904ec472..e0dd20eeb 100644 # -interface(`rtkit_admin',` +interface(`rtkit_scheduled',` - gen_require(` + gen_require(` - type rtkit_daemon_t, rtkit_daemon_initrc_exec_t; + type rtkit_daemon_t; - ') - + ') + - allow $1 rtkit_daemon_t:process { ptrace signal_perms }; - ps_process_pattern($1, rtkit_daemon_t) + allow rtkit_daemon_t $1:process { getsched setsched }; + + kernel_search_proc($1) + ps_process_pattern(rtkit_daemon_t, $1) - + - init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rtkit_daemon_initrc_exec_t system_r; @@ -95690,69 +95690,69 @@ index 7eea21f3f..714064633 100644 --- a/rtkit.te +++ b/rtkit.te @@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t) - + logging_send_syslog_msg(rtkit_daemon_t) - + -miscfiles_read_localization(rtkit_daemon_t) - optional_policy(` - dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) - + dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) + diff --git a/rwho.if b/rwho.if index 0360ff013..e6cb34f71 100644 --- a/rwho.if +++ b/rwho.if 
@@ -139,8 +139,11 @@ interface(`rwho_admin',` - type rwho_initrc_exec_t; - ') - + type rwho_initrc_exec_t; + ') + - allow $1 rwho_t:process { ptrace signal_perms }; + allow $1 rwho_t:process signal_perms; - ps_process_pattern($1, rwho_t) + ps_process_pattern($1, rwho_t) + tunable_policy(`deny_ptrace',`',` + allow $1 rwho_t:process ptrace; + ') - - init_labeled_script_domtrans($1, rwho_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, rwho_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/rwho.te b/rwho.te index 7fb75f457..eafd70620 100644 --- a/rwho.te +++ b/rwho.te @@ -16,7 +16,7 @@ type rwho_log_t; files_type(rwho_log_t) - + type rwho_spool_t; -files_type(rwho_spool_t) +files_spool_file(rwho_spool_t) - + ######################################## # @@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir }) - + kernel_read_system_state(rwho_t) - + -corenet_all_recvfrom_unlabeled(rwho_t) corenet_all_recvfrom_netlabel(rwho_t) corenet_udp_sendrecv_generic_if(rwho_t) corenet_udp_sendrecv_generic_node(rwho_t) @@ -50,15 +49,15 @@ corenet_udp_sendrecv_rwho_port(rwho_t) - + domain_use_interactive_fds(rwho_t) - + -files_read_etc_files(rwho_t) - + init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) - + -logging_send_syslog_msg(rwho_t) +auth_use_nsswitch(rwho_t) - + -miscfiles_read_localization(rwho_t) +logging_send_syslog_msg(rwho_t) - + sysnet_dns_name_resolve(rwho_t) - + -# userdom_getattr_user_terminals(rwho_t) +userdom_getattr_user_terminals(rwho_t) + 
@@ -95775,7 +95775,7 @@ index b8b66ff4d..a93346efe 100644 +/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) +/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0) +/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0) - + -/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) -/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0) @@ -95787,7 +95787,7 @@ index b8b66ff4d..a93346efe 100644 +/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) +/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) +/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) - + -/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) -/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) -/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) @@ -95798,7 +95798,7 @@ index b8b66ff4d..a93346efe 100644 +/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) +/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0) +/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0) - + -/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0) -/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) -/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) @@ -95807,7 +95807,7 @@ index b8b66ff4d..a93346efe 100644 +/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0) +/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0) +/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0) - + -/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +# 
@@ -95815,23 +95815,23 @@ index b8b66ff4d..a93346efe 100644 +# +/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - + -/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) -/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) - + -/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) +/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) - + -/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) - + -/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) -/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) +/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) +/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) - + -/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) @@ -95845,14 +95845,14 @@ index b8b66ff4d..a93346efe 100644 
@@ -45,7 +58,11 @@ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) - + -/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) -/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) +/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) + +/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_spool_t,s0) - + -/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) +ifndef(`enable_mls',` +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) @@ -95868,7 +95868,7 @@ index 50d07fb2e..a15cd5b6b 100644 +## name Service Switch daemon for resolving names +## from Windows NT servers. +## - + ######################################## ## -## Execute nmbd in the nmbd domain. @@ -95877,7 +95877,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',` - + ####################################### ## -## Send generic signals to nmbd. @@ -95886,7 +95886,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',` - + ######################################## ## -## Connect to nmbd with a unix domain @@ -95917,17 +95917,17 @@ index 50d07fb2e..a15cd5b6b 100644 @@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',` # interface(`samba_stream_connect_nmbd',` - gen_require(` + gen_require(` - type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t; + type nmbd_t, nmbd_var_run_t; - ') - + ') + - files_search_pids($1) - stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t) + samba_search_pid($1) + stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ') - + ######################################## ## -## Execute samba init scripts in 
@@ -95937,7 +95937,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -77,7 +98,31 @@ interface(`samba_initrc_domtrans',` - + ######################################## ## -## Execute samba net in the samba net domain. @@ -95970,7 +95970,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -96,9 +141,27 @@ interface(`samba_domtrans_net',` - + ######################################## ## -## Execute samba net in the samba net @@ -96003,12 +96003,12 @@ index 50d07fb2e..a15cd5b6b 100644 @@ -114,11 +177,56 @@ interface(`samba_domtrans_net',` # interface(`samba_run_net',` - gen_require(` + gen_require(` - attribute_role samba_net_roles; + type samba_net_t; - ') - - samba_domtrans_net($1) + ') + + samba_domtrans_net($1) - roleattribute $2 samba_net_roles; + role $2 types samba_net_t; +') @@ -96057,10 +96057,10 @@ index 50d07fb2e..a15cd5b6b 100644 + samba_domtrans_unconfined_net($1) + role $2 types samba_unconfined_net_t; ') - + ######################################## @@ -142,9 +250,8 @@ interface(`samba_domtrans_smbmount',` - + ######################################## ## -## Execute smbmount in the smbmount @@ -96074,16 +96074,16 @@ index 50d07fb2e..a15cd5b6b 100644 @@ -160,16 +267,17 @@ interface(`samba_domtrans_smbmount',` # interface(`samba_run_smbmount',` - gen_require(` + gen_require(` - attribute_role smbmount_roles; + type smbmount_t; - ') - - samba_domtrans_smbmount($1) + ') + + samba_domtrans_smbmount($1) - roleattribute $2 smbmount_roles; + role $2 types smbmount_t; ') - + ######################################## ## -## Read samba configuration files. @@ -96093,13 +96093,13 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## 
@@ -184,12 +292,14 @@ interface(`samba_read_config',` - ') - - files_search_etc($1) + ') + + files_search_etc($1) + list_dirs_pattern($1, samba_etc_t, samba_etc_t) - read_files_pattern($1, samba_etc_t, samba_etc_t) + read_files_pattern($1, samba_etc_t, samba_etc_t) ') - + ######################################## ## -## Read and write samba configuration files. @@ -96109,7 +96109,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -209,8 +319,8 @@ interface(`samba_rw_config',` - + ######################################## ## -## Create, read, write, and delete @@ -96120,7 +96120,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -231,7 +341,7 @@ interface(`samba_manage_config',` - + ######################################## ## -## Read samba log files. @@ -96129,7 +96129,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -252,7 +362,7 @@ interface(`samba_read_log',` - + ######################################## ## -## Append to samba log files. @@ -96138,7 +96138,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -273,7 +383,7 @@ interface(`samba_append_log',` - + ######################################## ## -## Execute samba log files in the caller domain. @@ -96147,7 +96147,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -292,7 +402,7 @@ interface(`samba_exec_log',` - + ######################################## ## -## Read samba secret files. @@ -96156,7 +96156,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -311,7 +421,7 @@ interface(`samba_read_secrets',` - + ######################################## ## -## Read samba share files. @@ -96165,7 +96165,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -330,7 +440,8 @@ interface(`samba_read_share_files',` - + ######################################## ## -## Search samba var directories. @@ -96175,14 +96175,14 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## 
@@ -343,13 +454,15 @@ interface(`samba_search_var',` - type samba_var_t; - ') - + type samba_var_t; + ') + + files_search_var($1) - files_search_var_lib($1) - allow $1 samba_var_t:dir search_dir_perms; + files_search_var_lib($1) + allow $1 samba_var_t:dir search_dir_perms; ') - + ######################################## ## -## Read samba var files. @@ -96192,14 +96192,14 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -362,14 +475,15 @@ interface(`samba_read_var_files',` - type samba_var_t; - ') - + type samba_var_t; + ') + + files_search_var($1) - files_search_var_lib($1) - read_files_pattern($1, samba_var_t, samba_var_t) + files_search_var_lib($1) + read_files_pattern($1, samba_var_t, samba_var_t) ') - + ######################################## ## -## Do not audit attempts to write @@ -96210,7 +96210,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -387,7 +501,8 @@ interface(`samba_dontaudit_write_var_files',` - + ######################################## ## -## Read and write samba var files. @@ -96220,15 +96220,15 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -400,14 +515,16 @@ interface(`samba_rw_var_files',` - type samba_var_t; - ') - + type samba_var_t; + ') + + files_search_var($1) - files_search_var_lib($1) - rw_files_pattern($1, samba_var_t, samba_var_t) + files_search_var_lib($1) + rw_files_pattern($1, samba_var_t, samba_var_t) + allow $1 samba_var_t:file { map}; ') - + ######################################## ## -## Create, read, write, and delete @@ -96239,16 +96239,16 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## 
@@ -420,34 +537,57 @@ interface(`samba_manage_var_files',` - type samba_var_t; - ') - + type samba_var_t; + ') + + files_search_var_lib($1) - files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) + files_search_var_lib($1) + manage_files_pattern($1, samba_var_t, samba_var_t) + manage_lnk_files_pattern($1, samba_var_t, samba_var_t) + allow $1 samba_var_t:file { map}; ') - + ######################################## ## -## Execute smbcontrol in the smbcontrol domain. @@ -96283,16 +96283,16 @@ index 50d07fb2e..a15cd5b6b 100644 +## +# interface(`samba_domtrans_smbcontrol',` - gen_require(` + gen_require(` - type smbcontrol_t, smbcontrol_exec_t; + type smbcontrol_t; + type smbcontrol_exec_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) + domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) ') - + ######################################## ## -## Execute smbcontrol in the smbcontrol @@ -96306,16 +96306,16 @@ index 50d07fb2e..a15cd5b6b 100644 @@ -462,16 +602,16 @@ interface(`samba_domtrans_smbcontrol',` # interface(`samba_run_smbcontrol',` - gen_require(` + gen_require(` - attribute_role smbcontrol_roles; + type smbcontrol_t; - ') - - samba_domtrans_smbcontrol($1) + ') + + samba_domtrans_smbcontrol($1) - roleattribute $2 smbcontrol_roles; + role $2 types smbcontrol_t; ') - + ######################################## ## -## Execute smbd in the smbd domain. @@ -96324,9 +96324,9 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -488,9 +628,27 @@ interface(`samba_domtrans_smbd',` - domtrans_pattern($1, smbd_exec_t, smbd_t) + domtrans_pattern($1, smbd_exec_t, smbd_t) ') - + +######################################## +## +## Set attributes of samba_share directories. @@ -96353,9 +96353,9 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## 
@@ -505,10 +663,26 @@ interface(`samba_signal_smbd',` - allow $1 smbd_t:process signal; + allow $1 smbd_t:process signal; ') - + +###################################### +## +## Allow domain to signull samba @@ -96382,7 +96382,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -526,7 +700,7 @@ interface(`samba_dontaudit_use_fds',` - + ######################################## ## -## Write smbmount tcp sockets. @@ -96391,7 +96391,7 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -544,7 +718,7 @@ interface(`samba_write_smbmount_tcp_sockets',` - + ######################################## ## -## Read and write smbmount tcp sockets. @@ -96400,9 +96400,9 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -560,49 +734,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` - allow $1 smbmount_t:tcp_socket { read write }; + allow $1 smbmount_t:tcp_socket { read write }; ') - + -######################################## +####################################### ## @@ -96427,12 +96427,12 @@ index 50d07fb2e..a15cd5b6b 100644 + gen_require(` + type winbind_exec_t; + ') - + - corecmd_search_bin($1) - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_exec_t:file getattr; ') - + -####################################### +######################################## ## @@ -96448,16 +96448,16 @@ index 50d07fb2e..a15cd5b6b 100644 # -interface(`samba_getattr_winbind_exec',` +interface(`samba_domtrans_winbind_helper',` - gen_require(` + gen_require(` - type winbind_exec_t; + type winbind_helper_t, winbind_helper_exec_t; - ') - + ') + - allow $1 winbind_exec_t:file getattr_file_perms; + domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_helper_t:process signal; ') - + ######################################## ## -## Execute winbind helper in the winbind @@ -96471,16 +96471,16 @@ index 50d07fb2e..a15cd5b6b 100644 
@@ -618,16 +790,16 @@ interface(`samba_getattr_winbind_exec',` # interface(`samba_run_winbind_helper',` - gen_require(` + gen_require(` - attribute_role winbind_helper_roles; + type winbind_helper_t; - ') - - samba_domtrans_winbind_helper($1) + ') + + samba_domtrans_winbind_helper($1) - roleattribute $2 winbind_helper_roles; + role $2 types winbind_helper_t; ') - + ######################################## ## -## Read winbind pid files. @@ -96491,7 +96491,7 @@ index 50d07fb2e..a15cd5b6b 100644 @@ -637,17 +809,71 @@ interface(`samba_run_winbind_helper',` # interface(`samba_read_winbind_pid',` - gen_require(` + gen_require(` - type winbind_var_run_t, smbd_var_run_t; + type winbind_var_run_t; + ') @@ -96513,9 +96513,9 @@ index 50d07fb2e..a15cd5b6b 100644 +interface(`samba_manage_winbind_pid',` + gen_require(` + type winbind_var_run_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) - read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) + manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t) + manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t) @@ -96555,7 +96555,7 @@ index 50d07fb2e..a15cd5b6b 100644 + ') + allow $1 samba_unconfined_net_t:process signull; ') - + ######################################## ## -## Connect to winbind with a unix @@ -96567,11 +96567,11 @@ index 50d07fb2e..a15cd5b6b 100644 @@ -657,17 +883,61 @@ interface(`samba_read_winbind_pid',` # interface(`samba_stream_connect_winbind',` - gen_require(` + gen_require(` - type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t; + type samba_var_t, winbind_t, winbind_var_run_t; - ') - + ') + - files_search_pids($1) - stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t) + samba_search_pid($1) 
@@ -96621,12 +96621,12 @@ index 50d07fb2e..a15cd5b6b 100644 + domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t) + allow smbd_t samba_$1_script_exec_t:file ioctl; ') - + ######################################## ## -## All of the rules required to -## administrate an samba environment. -+## All of the rules required to administrate ++## All of the rules required to administrate +## an samba environment ## ## @@ -96641,15 +96641,15 @@ index 50d07fb2e..a15cd5b6b 100644 ## ## @@ -689,11 +959,30 @@ interface(`samba_admin',` - type samba_etc_t, samba_share_t, samba_initrc_exec_t; - type swat_var_run_t, swat_tmp_t, winbind_log_t; - type winbind_var_run_t, winbind_tmp_t; + type samba_etc_t, samba_share_t, samba_initrc_exec_t; + type swat_var_run_t, swat_tmp_t, winbind_log_t; + type winbind_var_run_t, winbind_tmp_t; - type smbd_keytab_t; + type smbd_keytab_t, samba_unit_file_t; + type samba_unconfined_script_t; + type samba_unconfined_script_exec_t; - ') - + ') + - allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { nmbd_t smbd_t }) + allow $1 smbd_t:process signal_perms; @@ -96671,36 +96671,36 @@ index 50d07fb2e..a15cd5b6b 100644 + samba_run_winbind_helper($1, $2) + samba_run_smbmount($1, $2) + samba_run_net($1, $2) - - init_labeled_script_domtrans($1, samba_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, samba_initrc_exec_t) + domain_system_change_exemption($1) 
@@ -703,23 +992,34 @@ interface(`samba_admin',` - files_list_etc($1) - admin_pattern($1, { samba_etc_t smbd_keytab_t }) - + files_list_etc($1) + admin_pattern($1, { samba_etc_t smbd_keytab_t }) + + admin_pattern($1, samba_log_t) - logging_list_logs($1) + logging_list_logs($1) - admin_pattern($1, { samba_log_t winbind_log_t }) - + - files_list_var($1) - admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) + admin_pattern($1, samba_secrets_t) - + - files_list_spool($1) - admin_pattern($1, smbd_spool_t) + admin_pattern($1, samba_share_t) - + + admin_pattern($1, samba_var_t) + files_list_var($1) + + admin_pattern($1, smbd_var_run_t) - files_list_pids($1) + files_list_pids($1) - admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t }) - + + admin_pattern($1, smbd_tmp_t) - files_list_tmp($1) + files_list_tmp($1) - admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) - + - samba_run_smbcontrol($1, $2) - samba_run_winbind_helper($1, $2) - samba_run_smbmount($1, $2) @@ -96726,7 +96726,7 @@ index 2b7c441e7..3bc2124af 100644 +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) # - + ## -##

    -## Determine whether samba can modify @@ -96742,7 +96742,7 @@ index 2b7c441e7..3bc2124af 100644 ## -gen_tunable(allow_smbd_anon_write, false) +gen_tunable(smbd_anon_write, false) - + ## -##

    -## Determine whether samba can @@ -96753,7 +96753,7 @@ index 2b7c441e7..3bc2124af 100644 +##

    ##
    gen_tunable(samba_create_home_dirs, false) - + ## -##

    -## Determine whether samba can act as the @@ -96767,7 +96767,7 @@ index 2b7c441e7..3bc2124af 100644 +##

    ##
    gen_tunable(samba_domain_controller, false) - + ## -##

    -## Determine whether samba can @@ -96775,11 +96775,11 @@ index 2b7c441e7..3bc2124af 100644 -##

    +##

    +## Allow samba to act as a portmapper -+## ++## +##

    ##
    gen_tunable(samba_portmapper, false) - + ## -##

    -## Determine whether samba can share @@ -96790,7 +96790,7 @@ index 2b7c441e7..3bc2124af 100644 +##

    ##
    gen_tunable(samba_enable_home_dirs, false) - + ## -##

    -## Determine whether samba can share @@ -96801,7 +96801,7 @@ index 2b7c441e7..3bc2124af 100644 +##

    ##
    gen_tunable(samba_export_all_ro, false) - + ## -##

    -## Determine whether samba can share any @@ -96812,7 +96812,7 @@ index 2b7c441e7..3bc2124af 100644 +##

    ##
    gen_tunable(samba_export_all_rw, false) - + ## -##

    -## Determine whether samba can @@ -96823,7 +96823,7 @@ index 2b7c441e7..3bc2124af 100644 +##

    ##
    gen_tunable(samba_run_unconfined, false) - + ## -##

    -## Determine whether samba can @@ -96834,7 +96834,7 @@ index 2b7c441e7..3bc2124af 100644 +##

    ##
    gen_tunable(samba_share_nfs, false) - + ## -##

    -## Determine whether samba can @@ -96845,7 +96845,7 @@ index 2b7c441e7..3bc2124af 100644 +##

    ##
    gen_tunable(samba_share_fusefs, false) - + -attribute_role samba_net_roles; -roleattribute system_r samba_net_roles; - @@ -96863,55 +96863,55 @@ index 2b7c441e7..3bc2124af 100644 +##

    +## +gen_tunable(samba_load_libgfapi, false) - + type nmbd_t; type nmbd_exec_t; @@ -113,13 +100,16 @@ files_config_file(samba_etc_t) type samba_initrc_exec_t; init_script_file(samba_initrc_exec_t) - + +type samba_unit_file_t; +systemd_unit_file(samba_unit_file_t) + type samba_log_t; logging_log_file(samba_log_t) - + type samba_net_t; type samba_net_exec_t; application_domain(samba_net_t, samba_net_exec_t) -role samba_net_roles types samba_net_t; +role system_r types samba_net_t; - + type samba_net_tmp_t; files_tmp_file(samba_net_tmp_t) @@ -130,13 +120,16 @@ files_type(samba_secrets_t) type samba_share_t; # customizable files_type(samba_share_t) - + +type samba_spool_t; +files_type(samba_spool_t) + type samba_var_t; files_type(samba_var_t) - + type smbcontrol_t; type smbcontrol_exec_t; application_domain(smbcontrol_t, smbcontrol_exec_t) -role smbcontrol_roles types smbcontrol_t; +role system_r types smbcontrol_t; - + type smbd_t; type smbd_exec_t; @@ -148,13 +141,17 @@ files_type(smbd_keytab_t) type smbd_tmp_t; files_tmp_file(smbd_tmp_t) - + +type smbd_tmpfs_t; +files_tmpfs_file(smbd_tmpfs_t) + type smbd_var_run_t; files_pid_file(smbd_var_run_t) - + type smbmount_t; +domain_type(smbmount_t) + @@ -96919,12 +96919,12 @@ index 2b7c441e7..3bc2124af 100644 -application_domain(smbmount_t, smbmount_exec_t) -role smbmount_roles types smbmount_t; +domain_entry_file(smbmount_t, smbmount_exec_t) - + type swat_t; type swat_exec_t; @@ -173,28 +170,29 @@ type winbind_exec_t; init_daemon_domain(winbind_t, winbind_exec_t) - + type winbind_helper_t; +domain_type(winbind_helper_t) +role system_r types winbind_helper_t; 
@@ -96933,16 +96933,16 @@ index 2b7c441e7..3bc2124af 100644 -application_domain(winbind_helper_t, winbind_helper_exec_t) -role winbind_helper_roles types winbind_helper_t; +domain_entry_file(winbind_helper_t, winbind_helper_exec_t) - + type winbind_log_t; logging_log_file(winbind_log_t) - + -type winbind_tmp_t; -files_tmp_file(winbind_tmp_t) - type winbind_var_run_t; files_pid_file(winbind_var_run_t) - + ######################################## # -# Net local policy @@ -96957,9 +96957,9 @@ index 2b7c441e7..3bc2124af 100644 +allow samba_net_t self:unix_stream_socket create_stream_socket_perms; +allow samba_net_t self:udp_socket create_socket_perms; +allow samba_net_t self:tcp_socket create_socket_perms; - + allow samba_net_t samba_etc_t:file read_file_perms; - + @@ -208,19 +206,26 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir }) manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) @@ -96967,11 +96967,11 @@ index 2b7c441e7..3bc2124af 100644 +manage_sock_files_pattern(samba_net_t, samba_var_t, samba_var_t) files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") +allow samba_net_t samba_var_t:file { map } ; - + +kernel_read_proc_symlinks(samba_net_t) kernel_read_system_state(samba_net_t) kernel_read_network_state(samba_net_t) - + -corenet_all_recvfrom_unlabeled(samba_net_t) corenet_all_recvfrom_netlabel(samba_net_t) +corenet_tcp_sendrecv_generic_if(samba_net_t) @@ -96988,23 +96988,23 @@ index 2b7c441e7..3bc2124af 100644 +corenet_udp_bind_generic_node(samba_net_t) corenet_tcp_connect_smbd_port(samba_net_t) -corenet_tcp_sendrecv_smbd_port(samba_net_t) - + dev_read_urand(samba_net_t) - + 
@@ -233,63 +238,86 @@ auth_manage_cache(samba_net_t) - + logging_send_syslog_msg(samba_net_t) - + -miscfiles_read_localization(samba_net_t) - samba_read_var_files(samba_net_t) - + -userdom_use_user_terminals(samba_net_t) +sysnet_use_ldap(samba_net_t) + +userdom_use_inherited_user_terminals(samba_net_t) userdom_list_user_home_dirs(samba_net_t) - + optional_policy(` - ldap_stream_connect(samba_net_t) + ctdbd_stream_connect(samba_net_t) @@ -97016,28 +97016,28 @@ index 2b7c441e7..3bc2124af 100644 + ldap_stream_connect(samba_net_t) + dirsrv_stream_connect(samba_net_t) ') - + optional_policy(` - pcscd_read_pid_files(samba_net_t) + pcscd_read_pid_files(samba_net_t) ') - + +optional_policy(` + realmd_manage_cache_files(samba_net_t) + realmd_read_tmp_files(samba_net_t) +') + optional_policy(` - kerberos_use(samba_net_t) + kerberos_use(samba_net_t) - kerberos_etc_filetrans_keytab(samba_net_t, file) + kerberos_etc_filetrans_keytab(samba_net_t) ') - + ######################################## # -# Smbd Local policy +# smbd Local policy # - + -allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search }; +allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search net_admin }; dontaudit smbd_t self:capability sys_tty_config; @@ -97060,10 +97060,10 @@ index 2b7c441e7..3bc2124af 100644 +allow smbd_t self:udp_socket create_socket_perms; +allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - + -allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }; +allow smbd_t nmbd_t:process { signal signull }; - + -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms }; +allow smbd_t nmbd_t:unix_dgram_socket sendto; + 
@@ -97071,21 +97071,21 @@ index 2b7c441e7..3bc2124af 100644 +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) + +allow smbd_t samba_etc_t:file { rw_file_perms setattr }; - + allow smbd_t smbd_keytab_t:file read_file_perms; - + manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) -append_files_pattern(smbd_t, samba_log_t, samba_log_t) -create_files_pattern(smbd_t, samba_log_t, samba_log_t) -setattr_files_pattern(smbd_t, samba_log_t, samba_log_t) +manage_files_pattern(smbd_t, samba_log_t, samba_log_t) - + -allow smbd_t samba_net_tmp_t:file getattr_file_perms; +allow smbd_t samba_net_tmp_t:file getattr; - + manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) - + manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) +manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t) @@ -97093,7 +97093,7 @@ index 2b7c441e7..3bc2124af 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) +allow smbd_t samba_share_t:file { map }; allow smbd_t samba_share_t:filesystem { getattr quotaget }; - + manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) @@ -297,66 +325,76 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) @@ -97111,11 +97111,11 @@ index 2b7c441e7..3bc2124af 100644 +allow smbd_t smbcontrol_t:unix_dgram_socket sendto; + +allow smbd_t winbind_t:unix_dgram_socket sendto; - + manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) - + +manage_dirs_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t) +manage_files_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t) +fs_tmpfs_filetrans(smbd_t, smbd_tmpfs_t, { file dir }) 
@@ -97124,17 +97124,17 @@ index 2b7c441e7..3bc2124af 100644 manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) - + -allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms; -stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t) +allow smbd_t swat_t:process signal; - + -allow smbd_t nmbd_var_run_t:file read_file_perms; -stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) +allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms; + +allow smbd_t winbind_t:process { signal signull }; - + kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) @@ -97144,11 +97144,11 @@ index 2b7c441e7..3bc2124af 100644 +kernel_read_usermodehelper_state(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) - + -corecmd_exec_bin(smbd_t) corecmd_exec_shell(smbd_t) +corecmd_exec_bin(smbd_t) - + -corenet_all_recvfrom_unlabeled(smbd_t) corenet_all_recvfrom_netlabel(smbd_t) corenet_tcp_sendrecv_generic_if(smbd_t) @@ -97172,7 +97172,7 @@ index 2b7c441e7..3bc2124af 100644 corenet_tcp_connect_ipp_port(smbd_t) -corenet_tcp_sendrecv_ipp_port(smbd_t) +corenet_tcp_connect_smbd_port(smbd_t) - + dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) +dev_dontaudit_write_urand(smbd_t) @@ -97181,7 +97181,7 @@ index 2b7c441e7..3bc2124af 100644 +# For redhat bug 566984 dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) - + -domain_use_interactive_fds(smbd_t) -domain_dontaudit_list_all_domains_state(smbd_t) - @@ -97193,13 +97193,13 @@ index 2b7c441e7..3bc2124af 100644 -files_dontaudit_list_all_mountpoints(smbd_t) -files_list_mnt(smbd_t) +domain_dontaudit_signull_all_domains(smbd_t) - + fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) 
@@ -366,44 +404,53 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) - + -term_use_ptmx(smbd_t) - auth_use_nsswitch(smbd_t) @@ -97207,7 +97207,7 @@ index 2b7c441e7..3bc2124af 100644 auth_domtrans_upd_passwd(smbd_t) auth_manage_cache(smbd_t) auth_write_login_records(smbd_t) - + +domain_use_interactive_fds(smbd_t) +domain_dontaudit_list_all_domains_state(smbd_t) + @@ -97221,38 +97221,38 @@ index 2b7c441e7..3bc2124af 100644 +files_list_mnt(smbd_t) + init_rw_utmp(smbd_t) - + logging_search_logs(smbd_t) logging_send_syslog_msg(smbd_t) - + -miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) - + sysnet_use_ldap(smbd_t) - + userdom_use_unpriv_users_fds(smbd_t) +userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) -userdom_home_filetrans_user_home_dir(smbd_t) -userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) - + usermanage_read_crack_db(smbd_t) - + -ifdef(`hide_broken_symptoms',` +term_use_ptmx(smbd_t) + +ifdef(`hide_broken_symptoms', ` - files_dontaudit_getattr_default_dirs(smbd_t) - files_dontaudit_getattr_boot_dirs(smbd_t) + files_dontaudit_getattr_default_dirs(smbd_t) + files_dontaudit_getattr_boot_dirs(smbd_t) - fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ') - + -tunable_policy(`allow_smbd_anon_write',` +tunable_policy(`smbd_anon_write',` - miscfiles_manage_public_files(smbd_t) + miscfiles_manage_public_files(smbd_t) -') -+') - ++') + -tunable_policy(`samba_create_home_dirs',` - allow smbd_t self:capability chown; - userdom_create_user_home_dirs(smbd_t) @@ -97260,11 +97260,11 @@ index 2b7c441e7..3bc2124af 100644 + corenet_tcp_bind_epmap_port(smbd_t) + corenet_tcp_bind_all_unreserved_ports(smbd_t) ') - + tunable_policy(`samba_domain_controller',` 
@@ -419,20 +466,16 @@ tunable_policy(`samba_domain_controller',` ') - + tunable_policy(`samba_enable_home_dirs',` - userdom_manage_user_home_content_dirs(smbd_t) - userdom_manage_user_home_content_files(smbd_t) @@ -97273,7 +97273,7 @@ index 2b7c441e7..3bc2124af 100644 - userdom_manage_user_home_content_pipes(smbd_t) + userdom_manage_user_home_content(smbd_t) ') - + -tunable_policy(`samba_portmapper',` - corenet_sendrecv_all_server_packets(smbd_t) - corenet_tcp_bind_epmap_port(smbd_t) @@ -97284,23 +97284,23 @@ index 2b7c441e7..3bc2124af 100644 + apache_manage_user_content(smbd_t) + ') ') - + +# Support Samba sharing of NFS mount points tunable_policy(`samba_share_nfs',` - fs_manage_nfs_dirs(smbd_t) - fs_manage_nfs_files(smbd_t) + fs_manage_nfs_dirs(smbd_t) + fs_manage_nfs_files(smbd_t) @@ -441,6 +484,7 @@ tunable_policy(`samba_share_nfs',` - fs_manage_nfs_named_sockets(smbd_t) + fs_manage_nfs_named_sockets(smbd_t) ') - + +# Support Samba sharing of ntfs/fusefs mount points tunable_policy(`samba_share_fusefs',` - fs_manage_fusefs_dirs(smbd_t) - fs_manage_fusefs_files(smbd_t) + fs_manage_fusefs_dirs(smbd_t) + fs_manage_fusefs_files(smbd_t) @@ -448,15 +492,14 @@ tunable_policy(`samba_share_fusefs',` - fs_search_fusefs(smbd_t) + fs_search_fusefs(smbd_t) ') - + -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(smbd_t) - files_list_non_auth_dirs(smbd_t) @@ -97310,27 +97310,27 @@ index 2b7c441e7..3bc2124af 100644 + corenet_tcp_bind_all_ports(smbd_t) + corenet_sendrecv_all_packets(smbd_t) ') - + -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(smbd_t) - files_manage_non_auth_files(smbd_t) +optional_policy(` + avahi_dbus_chat(smbd_t) ') - + optional_policy(` @@ -466,6 +509,7 @@ optional_policy(` optional_policy(` - ctdbd_stream_connect(smbd_t) - ctdbd_manage_lib_files(smbd_t) + ctdbd_stream_connect(smbd_t) + ctdbd_manage_lib_files(smbd_t) + ctdbd_manage_lib_dirs(smbd_t) ') - + optional_policy(` 
@@ -473,9 +517,31 @@ optional_policy(` - cups_stream_connect(smbd_t) + cups_stream_connect(smbd_t) ') - + +optional_policy(` + dbus_system_bus_client(smbd_t) + @@ -97347,8 +97347,8 @@ index 2b7c441e7..3bc2124af 100644 +') + optional_policy(` - kerberos_read_keytab(smbd_t) - kerberos_use(smbd_t) + kerberos_read_keytab(smbd_t) + kerberos_use(smbd_t) + kerberos_tmp_filetrans_host_rcache(smbd_t, "host_0") + kerberos_manage_host_rcache(smbd_t) +') @@ -97357,23 +97357,23 @@ index 2b7c441e7..3bc2124af 100644 + ldap_stream_connect(smbd_t) + dirsrv_stream_connect(smbd_t) ') - + optional_policy(` @@ -487,6 +553,10 @@ optional_policy(` - qemu_manage_tmp_files(smbd_t) + qemu_manage_tmp_files(smbd_t) ') - + +optional_policy(` + rhcs_signull_cluster(smbd_t) +') + optional_policy(` - rpc_search_nfs_state_data(smbd_t) + rpc_search_nfs_state_data(smbd_t) ') @@ -499,12 +569,53 @@ optional_policy(` - udev_read_db(smbd_t) + udev_read_db(smbd_t) ') - + +tunable_policy(`samba_create_home_dirs',` + allow smbd_t self:capability chown; + userdom_create_user_home_dirs(smbd_t) @@ -97383,13 +97383,13 @@ index 2b7c441e7..3bc2124af 100644 + +tunable_policy(`samba_export_all_ro',` + allow nmbd_t self:capability { dac_read_search dac_override }; -+ fs_read_noxattr_fs_files(smbd_t) ++ fs_read_noxattr_fs_files(smbd_t) + files_read_non_security_files(smbd_t) + files_dontaudit_list_security_dirs(smbd_t) + files_dontaudit_search_security_files(smbd_t) + files_dontaudit_read_security_files(smbd_t) -+ fs_read_noxattr_fs_files(nmbd_t) -+ files_read_non_security_files(nmbd_t) ++ fs_read_noxattr_fs_files(nmbd_t) ++ files_read_non_security_files(nmbd_t) + files_dontaudit_list_security_dirs(nmbd_t) + files_dontaudit_search_security_files(nmbd_t) + files_dontaudit_read_security_files(nmbd_t) 
@@ -97397,13 +97397,13 @@ index 2b7c441e7..3bc2124af 100644 + +tunable_policy(`samba_export_all_rw',` + allow nmbd_t self:capability { dac_read_search dac_override }; -+ fs_manage_noxattr_fs_files(smbd_t) ++ fs_manage_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) + files_manage_non_security_dirs(smbd_t) + files_dontaudit_list_security_dirs(smbd_t) + files_dontaudit_search_security_files(smbd_t) + files_dontaudit_read_security_files(smbd_t) -+ fs_manage_noxattr_fs_files(nmbd_t) ++ fs_manage_noxattr_fs_files(nmbd_t) + files_manage_non_security_files(nmbd_t) + files_manage_non_security_dirs(nmbd_t) + files_dontaudit_list_security_dirs(nmbd_t) @@ -97418,7 +97418,7 @@ index 2b7c441e7..3bc2124af 100644 -# Nmbd Local policy +# nmbd Local policy # - + dontaudit nmbd_t self:capability sys_tty_config; +allow nmbd_t self:capability {net_admin}; +allow nmbd_t self:capability2 block_suspend; @@ -97437,18 +97437,18 @@ index 2b7c441e7..3bc2124af 100644 +allow nmbd_t self:udp_socket create_socket_perms; +allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - + manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) @@ -526,20 +639,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) - + manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) -append_files_pattern(nmbd_t, samba_log_t, samba_log_t) -create_files_pattern(nmbd_t, samba_log_t, samba_log_t) -setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t) +manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) - + -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) +manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t) manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) 
@@ -97457,13 +97457,13 @@ index 2b7c441e7..3bc2124af 100644 -files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd") files_var_filetrans(nmbd_t, samba_var_t, dir, "samba") +allow nmbd_t samba_var_t:file map; - + -allow nmbd_t { swat_t smbcontrol_t }:process signal; - -allow nmbd_t smbd_var_run_t:dir rw_dir_perms; +allow nmbd_t smbcontrol_t:process signal; +allow nmbd_t smbcontrol_t:unix_dgram_socket sendto; - + kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) @@ -547,53 +657,44 @@ kernel_read_kernel_sysctls(nmbd_t) @@ -97471,7 +97471,7 @@ index 2b7c441e7..3bc2124af 100644 kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) +kernel_read_usermodehelper_state(nmbd_t) - + -corenet_all_recvfrom_unlabeled(nmbd_t) corenet_all_recvfrom_netlabel(nmbd_t) corenet_tcp_sendrecv_generic_if(nmbd_t) @@ -97491,7 +97491,7 @@ index 2b7c441e7..3bc2124af 100644 +corenet_sendrecv_nmbd_client_packets(nmbd_t) corenet_tcp_connect_smbd_port(nmbd_t) -corenet_tcp_sendrecv_smbd_port(nmbd_t) - + -dev_read_sysfs(nmbd_t) dev_getattr_mtrr_dev(nmbd_t) +dev_read_sysfs(nmbd_t) @@ -97499,20 +97499,20 @@ index 2b7c441e7..3bc2124af 100644 + +fs_getattr_all_fs(nmbd_t) +fs_search_auto_mountpoints(nmbd_t) - + domain_use_interactive_fds(nmbd_t) - + -files_read_usr_files(nmbd_t) files_list_var_lib(nmbd_t) - + -fs_getattr_all_fs(nmbd_t) -fs_search_auto_mountpoints(nmbd_t) - auth_use_nsswitch(nmbd_t) - + logging_search_logs(nmbd_t) logging_send_syslog_msg(nmbd_t) - + -miscfiles_read_localization(nmbd_t) - userdom_use_unpriv_users_fds(nmbd_t) @@ -97524,7 +97524,7 @@ index 2b7c441e7..3bc2124af 100644 - files_read_non_auth_files(nmbd_t) -') +userdom_dontaudit_search_user_home_dirs(nmbd_t) - + -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -97533,16 +97533,16 @@ index 2b7c441e7..3bc2124af 100644 + ctdbd_manage_lib_dirs(nmbd_t) + ctdbd_manage_lib_files(nmbd_t) ') - + optional_policy(` 
@@ -606,18 +707,31 @@ optional_policy(` - + ######################################## # -# Smbcontrol local policy +# smbcontrol local policy # - + -allow smbcontrol_t self:process signal; -allow smbcontrol_t self:fifo_file rw_fifo_file_perms; -allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; @@ -97555,13 +97555,13 @@ index 2b7c441e7..3bc2124af 100644 + +allow smbcontrol_t nmbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) - + -allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t }) +allow smbcontrol_t smbd_t:process { signal signull }; +read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) +allow smbcontrol_t winbind_t:process { signal signull }; - + manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) +manage_dirs_pattern(smbcontrol_t, samba_var_t, samba_var_t) +manage_sock_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) @@ -97570,37 +97570,37 @@ index 2b7c441e7..3bc2124af 100644 +allow smbcontrol_t nmbd_t:unix_dgram_socket sendto; +allow smbcontrol_t smbd_t:unix_dgram_socket sendto; +allow smbcontrol_t winbind_t:unix_dgram_socket sendto; - + samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) 
@@ -627,39 +741,38 @@ domain_use_interactive_fds(smbcontrol_t) - + dev_read_urand(smbcontrol_t) - + -files_read_etc_files(smbcontrol_t) -files_search_var_lib(smbcontrol_t) - term_use_console(smbcontrol_t) - + -miscfiles_read_localization(smbcontrol_t) +auth_read_passwd(smbcontrol_t) - + sysnet_use_ldap(smbcontrol_t) - + -userdom_use_user_terminals(smbcontrol_t) +userdom_use_inherited_user_terminals(smbcontrol_t) - + optional_policy(` - ctdbd_stream_connect(smbcontrol_t) + ctdbd_stream_connect(smbcontrol_t) + ctdbd_sigchld(smbcontrol_t) ') - + ######################################## # -# Smbmount Local policy +# smbmount Local policy # - + -allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; -allow smbmount_t self:process signal_perms; -allow smbmount_t self:tcp_socket { accept listen }; @@ -97610,30 +97610,30 @@ index 2b7c441e7..3bc2124af 100644 +allow smbmount_t self:udp_socket connect; allow smbmount_t self:unix_dgram_socket create_socket_perms; allow smbmount_t self:unix_stream_socket create_socket_perms; - + allow smbmount_t samba_etc_t:dir list_dir_perms; allow smbmount_t samba_etc_t:file read_file_perms; - + -allow smbmount_t samba_log_t:dir list_dir_perms; -append_files_pattern(smbmount_t, samba_log_t, samba_log_t) -create_files_pattern(smbmount_t, samba_log_t, samba_log_t) -setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t) +can_exec(smbmount_t, smbmount_exec_t) + -+allow smbmount_t samba_log_t:dir list_dir_perms; ++allow smbmount_t samba_log_t:dir list_dir_perms; +allow smbmount_t samba_log_t:file manage_file_perms; - + allow smbmount_t samba_secrets_t:file manage_file_perms; - + 
@@ -668,26 +781,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") - + -can_exec(smbmount_t, smbmount_exec_t) +files_list_var_lib(smbmount_t) - + kernel_read_system_state(smbmount_t) - + -corenet_all_recvfrom_unlabeled(smbmount_t) corenet_all_recvfrom_netlabel(smbmount_t) corenet_tcp_sendrecv_generic_if(smbmount_t) @@ -97658,13 +97658,13 @@ index 2b7c441e7..3bc2124af 100644 +corenet_tcp_bind_generic_node(smbmount_t) +corenet_udp_bind_generic_node(smbmount_t) +corenet_tcp_connect_all_ports(smbmount_t) - + fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) @@ -699,58 +808,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) - + -auth_use_nsswitch(smbmount_t) +corecmd_list_bin(smbmount_t) + @@ -97672,24 +97672,24 @@ index 2b7c441e7..3bc2124af 100644 +files_mounton_mnt(smbmount_t) +files_manage_etc_runtime_files(smbmount_t) +files_etc_filetrans_etc_runtime(smbmount_t, file) - + -miscfiles_read_localization(smbmount_t) +auth_use_nsswitch(smbmount_t) - + -mount_use_fds(smbmount_t) - + locallogin_use_fds(smbmount_t) - + logging_search_logs(smbmount_t) - + -userdom_use_user_terminals(smbmount_t) +userdom_use_inherited_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) - + optional_policy(` - cups_read_rw_config(smbmount_t) + cups_read_rw_config(smbmount_t) ') - + +optional_policy(` + mount_use_fds(smbmount_t) +') @@ -97699,7 +97699,7 @@ index 2b7c441e7..3bc2124af 100644 -# Swat Local policy +# SWAT Local policy # - + -allow swat_t self:capability { dac_override setuid setgid sys_resource }; +allow swat_t self:capability { dac_read_search dac_override setuid setgid sys_resource }; +allow swat_t self:capability2 block_suspend; 
@@ -97710,11 +97710,11 @@ index 2b7c441e7..3bc2124af 100644 +allow swat_t self:tcp_socket create_stream_socket_perms; +allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; - + -allow swat_t { nmbd_t smbd_t }:process { signal signull }; +samba_domtrans_smbd(swat_t) +allow swat_t smbd_t:process { signal signull }; - + -allow swat_t smbd_var_run_t:file read_file_perms; -allow swat_t smbd_var_run_t:file { lock delete_file_perms }; +samba_domtrans_nmbd(swat_t) @@ -97727,37 +97727,37 @@ index 2b7c441e7..3bc2124af 100644 +allow swat_t smbd_port_t:tcp_socket name_bind; + +allow swat_t nmbd_port_t:udp_socket name_bind; - + rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t) - + manage_dirs_pattern(swat_t, samba_log_t, samba_log_t) -append_files_pattern(swat_t, samba_log_t, samba_log_t) -create_files_pattern(swat_t, samba_log_t, samba_log_t) -setattr_files_pattern(swat_t, samba_log_t, samba_log_t) +manage_files_pattern(swat_t, samba_log_t, samba_log_t) - + manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) - + manage_dirs_pattern(swat_t, samba_var_t, samba_var_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) -manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t) files_var_filetrans(swat_t, samba_var_t, dir, "samba") - + allow swat_t smbd_exec_t:file mmap_file_perms ; - + -allow swat_t { winbind_t smbd_t }:process { signal signull }; +allow swat_t smbd_t:process signull; + +allow swat_t smbd_var_run_t:file read_file_perms; +allow swat_t smbd_var_run_t:file { lock unlink }; - + manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) 
@@ -759,17 +887,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) - + -read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) -allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms }; -allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms }; @@ -97775,13 +97775,13 @@ index 2b7c441e7..3bc2124af 100644 +read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t) +allow swat_t winbind_var_run_t:dir { write add_name remove_name }; +allow swat_t winbind_var_run_t:sock_file { create unlink }; - + kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) @@ -777,36 +901,25 @@ kernel_read_network_state(swat_t) - + corecmd_search_bin(swat_t) - + -corenet_all_recvfrom_unlabeled(swat_t) corenet_all_recvfrom_netlabel(swat_t) corenet_tcp_sendrecv_generic_if(swat_t) @@ -97810,35 +97810,35 @@ index 2b7c441e7..3bc2124af 100644 -corenet_tcp_sendrecv_ipp_port(swat_t) +corenet_sendrecv_smbd_client_packets(swat_t) +corenet_sendrecv_ipp_client_packets(swat_t) - + dev_read_urand(swat_t) - + files_list_var_lib(swat_t) files_search_home(swat_t) -files_read_usr_files(swat_t) fs_getattr_xattr_fs(swat_t) -files_list_var_lib(swat_t) - + auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) @@ -818,10 +931,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) - + -miscfiles_read_localization(swat_t) - sysnet_use_ldap(swat_t) - + + +userdom_dontaudit_search_admin_dir(swat_t) + optional_policy(` - cups_read_rw_config(swat_t) - cups_stream_connect(swat_t) + cups_read_rw_config(swat_t) + cups_stream_connect(swat_t) 
@@ -840,17 +954,21 @@ optional_policy(` # Winbind local policy # - + -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +allow winbind_t self:capability { kill dac_read_search dac_override ipc_lock setuid sys_nice }; +allow winbind_t self:capability2 block_suspend; @@ -97852,41 +97852,41 @@ index 2b7c441e7..3bc2124af 100644 +allow winbind_t self:tcp_socket create_stream_socket_perms; +allow winbind_t self:udp_socket create_socket_perms; +allow winbind_t self:socket create_socket_perms; - + allow winbind_t nmbd_t:process { signal signull }; - + -allow winbind_t nmbd_var_run_t:file read_file_perms; -stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) +read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) +samba_stream_connect_nmbd(winbind_t) - + allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) @@ -860,9 +978,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) - + manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) -append_files_pattern(winbind_t, samba_log_t, samba_log_t) -create_files_pattern(winbind_t, samba_log_t, samba_log_t) -setattr_files_pattern(winbind_t, samba_log_t, samba_log_t) +manage_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) - + manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) 
@@ -870,41 +986,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t) manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t) files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +allow winbind_t samba_var_t:file { map } ; - + -rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +manage_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) - + -# This needs a file context specification -allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) - + -manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) -manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) @@ -97894,7 +97894,7 @@ index 2b7c441e7..3bc2124af 100644 +userdom_manage_user_tmp_dirs(winbind_t) +userdom_manage_user_tmp_files(winbind_t) +userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) - + manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) @@ -97906,15 +97906,15 @@ index 2b7c441e7..3bc2124af 100644 manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) +manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) - + kernel_read_network_state(winbind_t) kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) +kernel_read_usermodehelper_state(winbind_t) +kernel_request_load_module(winbind_t) - + corecmd_exec_bin(winbind_t) - + -corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) corenet_tcp_sendrecv_generic_if(winbind_t) @@ -97935,30 +97935,30 @@ index 2b7c441e7..3bc2124af 100644 
@@ -912,38 +1033,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) - + -domain_use_interactive_fds(winbind_t) - -files_read_usr_symlinks(winbind_t) -files_list_var_lib(winbind_t) - + fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) +fs_read_anon_inodefs_files(winbind_t) - + auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) - + +domain_use_interactive_fds(winbind_t) + +files_read_usr_symlinks(winbind_t) +files_list_var_lib(winbind_t) + logging_send_syslog_msg(winbind_t) - + -miscfiles_read_localization(winbind_t) miscfiles_read_generic_certs(winbind_t) - + +sysnet_use_ldap(winbind_t) + userdom_dontaudit_use_unpriv_user_fds(winbind_t) @@ -97969,10 +97969,10 @@ index 2b7c441e7..3bc2124af 100644 userdom_manage_user_home_content_sockets(winbind_t) -userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) +userdom_filetrans_home_content(winbind_t) - + optional_policy(` - ctdbd_stream_connect(winbind_t) - ctdbd_manage_lib_files(winbind_t) + ctdbd_stream_connect(winbind_t) + ctdbd_manage_lib_files(winbind_t) + ctdbd_manage_lib_dirs(winbind_t) +') + @@ -97980,44 +97980,44 @@ index 2b7c441e7..3bc2124af 100644 +optional_policy(` + dirsrv_stream_connect(winbind_t) ') - + optional_policy(` - kerberos_use(winbind_t) + kerberos_use(winbind_t) + kerberos_filetrans_named_content(winbind_t) +') + +optional_policy(` + nis_authenticate(winbind_t) ') - + optional_policy(` 
@@ -959,31 +1094,36 @@ optional_policy(` # Winbind helper local policy # - + -allow winbind_helper_t self:unix_stream_socket { accept listen }; +allow winbind_helper_t self:unix_dgram_socket create_socket_perms; +allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms; - + allow winbind_helper_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t) - + allow winbind_helper_t samba_var_t:dir search_dir_perms; +files_list_var_lib(winbind_helper_t) - + allow winbind_t smbcontrol_t:process signal; +allow winbind_t smbcontrol_t:unix_dgram_socket sendto; - + stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t) - + -domain_use_interactive_fds(winbind_helper_t) - -files_list_var_lib(winbind_helper_t) +dev_read_urand(winbind_helper_t) - + term_list_ptys(winbind_helper_t) - + +corecmd_exec_bin(winbind_helper_t) + +domain_use_interactive_fds(winbind_helper_t) @@ -98025,24 +98025,24 @@ index 2b7c441e7..3bc2124af 100644 +files_list_tmp(winbind_helper_t) + auth_use_nsswitch(winbind_helper_t) - + logging_send_syslog_msg(winbind_helper_t) - + -miscfiles_read_localization(winbind_helper_t) - -userdom_use_user_terminals(winbind_helper_t) +userdom_use_inherited_user_terminals(winbind_helper_t) - + optional_policy(` - apache_append_log(winbind_helper_t) + apache_append_log(winbind_helper_t) @@ -997,25 +1137,38 @@ optional_policy(` - + ######################################## # -# Unconfined script local policy +# samba_unconfined_script_t local policy # - + optional_policy(` - type samba_unconfined_script_t; - type samba_unconfined_script_exec_t; 
@@ -98056,14 +98056,14 @@ index 2b7c441e7..3bc2124af 100644 + role system_r types samba_unconfined_net_t; + + unconfined_domain(samba_unconfined_net_t) - + - allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; - allow smbd_t samba_unconfined_script_exec_t:file ioctl; + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_inherited_user_terminals(samba_unconfined_net_t) +') - + +type samba_unconfined_script_t; +type samba_unconfined_script_exec_t; +domain_type(samba_unconfined_script_t) @@ -98075,12 +98075,12 @@ index 2b7c441e7..3bc2124af 100644 +allow smbd_t samba_unconfined_script_exec_t:file ioctl; + +optional_policy(` - unconfined_domain(samba_unconfined_script_t) + unconfined_domain(samba_unconfined_script_t) +') - + - tunable_policy(`samba_run_unconfined',` +tunable_policy(`samba_run_unconfined',` - domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) + domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) - ',` - can_exec(smbd_t, samba_unconfined_script_exec_t) - ') @@ -98094,71 +98094,71 @@ index e18b0a284..f497f5eb5 100644 @@ -18,7 +18,7 @@ role sambagui_roles types sambagui_t; # Local policy # - + -allow sambagui_t self:capability dac_override; +allow sambagui_t self:capability { dac_read_search dac_override }; allow sambagui_t self:fifo_file rw_fifo_file_perms; - + kernel_read_system_state(sambagui_t) @@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t) - + dev_dontaudit_read_urand(sambagui_t) - + -files_read_usr_files(sambagui_t) +files_search_var_lib(sambagui_t) - + auth_use_nsswitch(sambagui_t) auth_dontaudit_read_shadow(sambagui_t) - + -logging_send_syslog_msg(sambagui_t) +init_access_check(sambagui_t) - + -miscfiles_read_localization(sambagui_t) +logging_send_syslog_msg(sambagui_t) - + sysnet_use_ldap(sambagui_t) - + 
@@ -61,6 +61,7 @@ optional_policy(` - samba_manage_var_files(sambagui_t) - samba_read_secrets(sambagui_t) - samba_initrc_domtrans(sambagui_t) + samba_manage_var_files(sambagui_t) + samba_read_secrets(sambagui_t) + samba_initrc_domtrans(sambagui_t) + samba_systemctl(sambagui_t) - samba_domtrans_smbd(sambagui_t) - samba_domtrans_nmbd(sambagui_t) + samba_domtrans_smbd(sambagui_t) + samba_domtrans_nmbd(sambagui_t) ') diff --git a/samhain.if b/samhain.if index f0236d67d..37665a1b6 100644 --- a/samhain.if +++ b/samhain.if @@ -23,6 +23,8 @@ template(`samhain_service_template',` - files_read_all_files($1_t) - - mls_file_write_all_levels($1_t) + files_read_all_files($1_t) + + mls_file_write_all_levels($1_t) + + logging_send_syslog_msg($1_t) ') - + ######################################## diff --git a/samhain.te b/samhain.te index c41ce4bff..8837e4c41 100644 --- a/samhain.te +++ b/samhain.te @@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain) - + init_read_utmp(samhain_domain) - + -logging_send_syslog_msg(samhain_domain) - ######################################## # # Client local policy @@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t) - + seutil_sigchld_newrole(samhain_t) - + -userdom_use_user_terminals(samhain_t) +userdom_use_inherited_user_terminals(samhain_t) - + ######################################## # diff --git a/sandbox.fc b/sandbox.fc @@ -98386,7 +98386,7 @@ index 000000000..885d79974 + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:process { signal sigkill }; -+ ++ + allow $1 sandbox_tmpfs_type:file manage_file_perms; + dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; + @@ -98477,7 +98477,7 @@ index 000000000..885d79974 + +######################################## +## -+## allow domain to read, ++## allow domain to read, +## write sandbox_xserver tmp files +## +## @@ -99277,12 +99277,12 @@ index 3df2a0f14..7264d8ae1 100644 
@@ -1,7 +1,18 @@ + /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) - + -/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) +/etc/sanlock(/.*)? gen_context(system_u:object_r:sanlock_conf_t,s0) + +/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) -+ ++ +/var/run/sanlk-resetd(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) + +/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0) @@ -99290,10 +99290,10 @@ index 3df2a0f14..7264d8ae1 100644 +/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) + +/usr/sbin/sanlk-resetd -- gen_context(system_u:object_r:sanlk_resetd_exec_t,s0) - + -/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) +/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0) - + -/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0) +/usr/lib/systemd/system/sanlk-resetd\.service -- gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0) diff --git a/sanlock.if b/sanlock.if @@ -99305,17 +99305,17 @@ index cd6c213d2..9becdddcc 100644 + +## Sanlock - lock manager built on shared storage. + - + ######################################## ## @@ -15,18 +17,17 @@ interface(`sanlock_domtrans',` - type sanlock_t, sanlock_exec_t; - ') - + type sanlock_t, sanlock_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, sanlock_exec_t, sanlock_t) + domtrans_pattern($1, sanlock_exec_t, sanlock_t) ') - + + ######################################## ## @@ -99331,7 +99331,7 @@ index cd6c213d2..9becdddcc 100644 ## # @@ -40,8 +41,7 @@ interface(`sanlock_initrc_domtrans',` - + ###################################### ## -## Create, read, write, and delete @@ -99341,7 +99341,7 @@ index cd6c213d2..9becdddcc 100644 ## ## @@ -60,28 +60,51 @@ interface(`sanlock_manage_pid_files',` - + ######################################## ## -## Connect to sanlock with a unix 
@@ -99376,12 +99376,12 @@ index cd6c213d2..9becdddcc 100644 # -interface(`sanlock_stream_connect',` +interface(`sanlock_systemctl',` - gen_require(` + gen_require(` - type sanlock_t, sanlock_var_run_t; + type sanlock_unit_file_t; + type sanlock_t; - ') - + ') + - files_search_pids($1) - stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t) + systemd_exec_systemctl($1) @@ -99391,7 +99391,7 @@ index cd6c213d2..9becdddcc 100644 + + ps_process_pattern($1, sanlock_t) ') - + ######################################## ## -## All of the rules required to @@ -99404,26 +99404,26 @@ index cd6c213d2..9becdddcc 100644 @@ -97,21 +120,139 @@ interface(`sanlock_stream_connect',` # interface(`sanlock_admin',` - gen_require(` + gen_require(` - type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t; - type sanlock_log_t; + type sanlock_t; + type sanlock_initrc_exec_t; + type sanlock_unit_file_t; - ') - + ') + - allow $1 sanlock_t:process { ptrace signal_perms }; + allow $1 sanlock_t:process signal_perms; - ps_process_pattern($1, sanlock_t) + ps_process_pattern($1, sanlock_t) + tunable_policy(`deny_ptrace',`',` + allow $1 sanlock_t:process ptrace; + ') - - sanlock_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sanlock_initrc_exec_t system_r; - allow $2 system_r; - + + sanlock_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sanlock_initrc_exec_t system_r; + allow $2 system_r; + + virt_systemctl($1) + admin_pattern($1, sanlock_unit_file_t) + allow $1 sanlock_unit_file_t:service all_service_perms; @@ -99516,9 +99516,9 @@ index cd6c213d2..9becdddcc 100644 + allow $1 sanlk_resetd_t:process ptrace; + ') + - files_search_pids($1) + files_search_pids($1) - admin_pattern($1, sanlock_var_run_t) - + - logging_search_logs($1) - admin_pattern($1, sanlock_log_t) + sanlock_systemctl_sanlk_resetd($1) @@ -99553,7 +99553,7 @@ index 0045465a0..f5f692136 100644 +++ b/sanlock.te 
@@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0) # - + ## -##

    -## Determine whether sanlock can use @@ -99564,7 +99564,7 @@ index 0045465a0..f5f692136 100644 +##

    ##
    gen_tunable(sanlock_use_nfs, false) - + +## +##

    +## Allow sanlock to manage cifs files @@ -99588,11 +99588,11 @@ index 0045465a0..f5f692136 100644 ## -gen_tunable(sanlock_use_samba, false) +gen_tunable(sanlock_enable_home_dirs, false) - + type sanlock_t; type sanlock_exec_t; init_daemon_domain(sanlock_t, sanlock_exec_t) - + +type sanlk_resetd_t; +type sanlk_resetd_exec_t; +init_daemon_domain(sanlk_resetd_t, sanlk_resetd_exec_t) @@ -99602,11 +99602,11 @@ index 0045465a0..f5f692136 100644 + type sanlock_var_run_t; files_pid_file(sanlock_var_run_t) - + @@ -34,6 +53,12 @@ logging_log_file(sanlock_log_t) type sanlock_initrc_exec_t; init_script_file(sanlock_initrc_exec_t) - + +type sanlock_unit_file_t; +systemd_unit_file(sanlock_unit_file_t) + @@ -99614,10 +99614,10 @@ index 0045465a0..f5f692136 100644 +systemd_unit_file(sanlk_resetd_unit_file_t) + ifdef(`enable_mcs',` - init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh) ') @@ -44,17 +69,18 @@ ifdef(`enable_mls',` - + ######################################## # -# Local policy @@ -99634,40 +99634,40 @@ index 0045465a0..f5f692136 100644 + +manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) +manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) - + -append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) +manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) logging_log_filetrans(sanlock_t, sanlock_log_t, file) - + manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) 
@@ -65,13 +91,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) kernel_read_kernel_sysctls(sanlock_t) - + -dev_read_rand(sanlock_t) -dev_read_urand(sanlock_t) - domain_use_interactive_fds(sanlock_t) - + +files_read_mnt_symlinks(sanlock_t) + +fs_rw_cephfs_files(sanlock_t) + storage_raw_rw_fixed_disk(sanlock_t) - + +dev_read_rand(sanlock_t) +dev_read_urand(sanlock_t) +dev_read_sysfs(sanlock_t) + auth_use_nsswitch(sanlock_t) - + init_read_utmp(sanlock_t) @@ -79,20 +110,35 @@ init_dontaudit_write_utmp(sanlock_t) - + logging_send_syslog_msg(sanlock_t) - + -miscfiles_read_localization(sanlock_t) +tunable_policy(`sanlock_use_fusefs',` + fs_manage_fusefs_dirs(sanlock_t) @@ -99675,7 +99675,7 @@ index 0045465a0..f5f692136 100644 + fs_read_fusefs_symlinks(sanlock_t) + fs_getattr_fusefs(sanlock_t) +') - + tunable_policy(`sanlock_use_nfs',` - fs_manage_nfs_dirs(sanlock_t) - fs_manage_nfs_files(sanlock_t) @@ -99686,7 +99686,7 @@ index 0045465a0..f5f692136 100644 + fs_manage_nfs_named_sockets(sanlock_t) + fs_read_nfs_symlinks(sanlock_t) ') - + tunable_policy(`sanlock_use_samba',` - fs_manage_cifs_dirs(sanlock_t) - fs_manage_cifs_files(sanlock_t) @@ -99707,17 +99707,17 @@ index 0045465a0..f5f692136 100644 +optional_policy(` + rhcs_domtrans_fenced(sanlock_t) ') - + optional_policy(` @@ -100,7 +146,34 @@ optional_policy(` ') - + optional_policy(` - virt_kill_all_virt_domains(sanlock_t) + virt_kill_svirt(sanlock_t) + virt_kill(sanlock_t) + virt_signal(sanlock_t) - virt_manage_lib_files(sanlock_t) + virt_manage_lib_files(sanlock_t) - virt_signal_all_virt_domains(sanlock_t) + virt_signal_svirt(sanlock_t) + virt_read_pid_files(sanlock_t) @@ -99752,12 +99752,12 @@ index 54f41c2b7..7e5867968 100644 +++ b/sasl.fc 
@@ -1,7 +1,12 @@ /etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0) - + +# +# /usr +# /usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0) - + -/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0) - +# @@ -99772,42 +99772,42 @@ index 8c3c151cb..93b722789 100644 @@ -1,4 +1,4 @@ -##

    SASL authentication server. +## SASL authentication server - + ######################################## ## @@ -21,8 +21,8 @@ interface(`sasl_connect',` - + ######################################## ## -## All of the rules required to -## administrate an sasl environment. -+## All of the rules required to administrate ++## All of the rules required to administrate +## an sasl environment ## ## ## @@ -42,9 +42,13 @@ interface(`sasl_admin',` - type saslauthd_keytab_t; - ') - + type saslauthd_keytab_t; + ') + - allow $1 saslauthd_t:process { ptrace signal_perms }; + allow $1 saslauthd_t:process signal_perms; - ps_process_pattern($1, saslauthd_t) - + ps_process_pattern($1, saslauthd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 saslauthd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 saslauthd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 saslauthd_initrc_exec_t system_r; diff --git a/sasl.te b/sasl.te index 6c3bc2059..eb05a4920 100644 --- a/sasl.te +++ b/sasl.te @@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1) # - + ## -##

    -## Determine whether sasl can @@ -99819,7 +99819,7 @@ index 6c3bc2059..eb05a4920 100644 ## -gen_tunable(allow_saslauthd_read_shadow, false) +gen_tunable(saslauthd_read_shadow, false) - + type saslauthd_t; type saslauthd_exec_t; @@ -35,7 +34,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice }; @@ -99830,13 +99830,13 @@ index 6c3bc2059..eb05a4920 100644 +allow saslauthd_t self:unix_dgram_socket create_socket_perms; +allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; +allow saslauthd_t self:tcp_socket create_socket_perms; - + allow saslauthd_t saslauthd_keytab_t:file read_file_perms; - + @@ -48,29 +49,20 @@ kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) kernel_rw_afs_state(saslauthd_t) - + -corenet_all_recvfrom_unlabeled(saslauthd_t) +#577519 +corecmd_exec_bin(saslauthd_t) @@ -99857,9 +99857,9 @@ index 6c3bc2059..eb05a4920 100644 - -corecmd_exec_bin(saslauthd_t) +corenet_sendrecv_pop_client_packets(saslauthd_t) - + dev_read_urand(saslauthd_t) - + -domain_use_interactive_fds(saslauthd_t) - -files_dontaudit_read_etc_runtime_files(saslauthd_t) @@ -99868,11 +99868,11 @@ index 6c3bc2059..eb05a4920 100644 - fs_getattr_all_fs(saslauthd_t) fs_search_auto_mountpoints(saslauthd_t) - + @@ -78,34 +70,39 @@ selinux_compute_access_vector(saslauthd_t) - + auth_use_pam(saslauthd_t) - + +domain_use_interactive_fds(saslauthd_t) + +files_dontaudit_read_etc_runtime_files(saslauthd_t) 
@@ -99881,40 +99881,40 @@ index 6c3bc2059..eb05a4920 100644 +files_dontaudit_getattr_tmp_dirs(saslauthd_t) + init_dontaudit_stream_connect_script(saslauthd_t) - + logging_send_syslog_msg(saslauthd_t) - + -miscfiles_read_localization(saslauthd_t) miscfiles_read_generic_certs(saslauthd_t) - + -seutil_dontaudit_read_config(saslauthd_t) - userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) userdom_dontaudit_search_user_home_dirs(saslauthd_t) - + +# cjp: typeattribute doesnt work in conditionals auth_can_read_shadow_passwords(saslauthd_t) -tunable_policy(`allow_saslauthd_read_shadow',` - allow saslauthd_t self:capability dac_override; +tunable_policy(`saslauthd_read_shadow',` + allow saslauthd_t self:capability { dac_read_search dac_override }; - auth_tunable_read_shadow(saslauthd_t) + auth_tunable_read_shadow(saslauthd_t) ') - + optional_policy(` - kerberos_read_keytab(saslauthd_t) - kerberos_manage_host_rcache(saslauthd_t) + kerberos_read_keytab(saslauthd_t) + kerberos_manage_host_rcache(saslauthd_t) - kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0") - kerberos_use(saslauthd_t) + kerberos_use(saslauthd_t) ') - + optional_policy(` + mysql_search_db(saslauthd_t) - mysql_stream_connect(saslauthd_t) + mysql_stream_connect(saslauthd_t) - mysql_tcp_connect(saslauthd_t) ') - + optional_policy(` diff --git a/sbd.fc b/sbd.fc new file mode 100644 @@ -100138,13 +100138,13 @@ index 68a550d54..e976fc62e 100644 
@@ -1,6 +1,10 @@ /etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) +/etc/rc\.d/init\.d/sblim-sfcbd -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0) - + /usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) /usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) +/usr/sbin/sfcbd -- gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0) + +/var/lib/sfcb(/.*)? gen_context(system_u:object_r:sblim_var_lib_t,s0) - + /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if index 98c9e0a88..562666e06 100644 @@ -100181,7 +100181,7 @@ index 98c9e0a88..562666e06 100644 + + logging_send_syslog_msg(sblim_$1_t) +') - + ######################################## ##

    -## Execute gatherd in the gatherd domain. @@ -100190,7 +100190,7 @@ index 98c9e0a88..562666e06 100644 ## ## @@ -21,7 +49,7 @@ interface(`sblim_domtrans_gatherd',` - + ######################################## ## -## Read gatherd pid files. @@ -100199,7 +100199,7 @@ index 98c9e0a88..562666e06 100644 ## ## @@ -40,34 +68,129 @@ interface(`sblim_read_pid_files',` - + ######################################## ## -## All of the rules required to @@ -100313,14 +100313,14 @@ index 98c9e0a88..562666e06 100644 ## # interface(`sblim_admin',` - gen_require(` + gen_require(` - attribute sblim_domain; - type sblim_initrc_exec_t, sblim_var_run_t; + type sblim_gatherd_t; + type sblim_reposd_t; + type sblim_var_run_t; - ') - + ') + - allow $1 sblim_domain:process { ptrace signal_perms }; - ps_process_pattern($1, sblim_domain) + allow $1 sblim_gatherd_t:process signal_perms; @@ -100330,42 +100330,42 @@ index 98c9e0a88..562666e06 100644 + allow $1 sblim_gatherd_t:process ptrace; + allow $1 sblim_reposd_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, sblim_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sblim_initrc_exec_t system_r; - allow $2 system_r; + allow $1 sblim_reposd_t:process signal_perms; + ps_process_pattern($1, sblim_reposd_t) - - files_search_pids($1) - admin_pattern($1, sblim_var_run_t) + + files_search_pids($1) + admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te index 299756bc8..6a6dc53c7 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) - + attribute sblim_domain; - + -type sblim_gatherd_t, sblim_domain; -type sblim_gatherd_exec_t; -init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t) +sblim_domain_template(gatherd) - + -type sblim_reposd_t, sblim_domain; -type sblim_reposd_exec_t; -init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) +sblim_domain_template(reposd) + +sblim_domain_template(sfcbd) - + type sblim_initrc_exec_t; init_script_file(sblim_initrc_exec_t) 
@@ -21,6 +19,15 @@ init_script_file(sblim_initrc_exec_t) type sblim_var_run_t; files_pid_file(sblim_var_run_t) - + +type sblim_var_lib_t; +files_type(sblim_var_lib_t) + @@ -100393,69 +100393,69 @@ index 299756bc8..6a6dc53c7 100644 +manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) +manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) +files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file}) - + kernel_read_network_state(sblim_domain) -kernel_read_system_state(sblim_domain) +kernel_read_sysctl(sblim_domain) - + -corenet_all_recvfrom_unlabeled(sblim_domain) -corenet_all_recvfrom_netlabel(sblim_domain) corenet_tcp_sendrecv_generic_if(sblim_domain) corenet_tcp_sendrecv_generic_node(sblim_domain) - + corenet_tcp_sendrecv_repository_port(sblim_domain) - + dev_read_sysfs(sblim_domain) +dev_read_rand(sblim_domain) +dev_read_urand(sblim_domain) - + -logging_send_syslog_msg(sblim_domain) - -files_read_etc_files(sblim_domain) - -miscfiles_read_localization(sblim_domain) +auth_read_passwd(sblim_domain) - + ######################################## # # Gatherd local policy # - + -allow sblim_gatherd_t self:capability dac_override; -allow sblim_gatherd_t self:process signal; +allow sblim_gatherd_t self:capability { dac_read_search dac_override sys_nice sys_ptrace }; +allow sblim_gatherd_t self:process { setsched signal }; allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; - + @@ -82,8 +96,12 @@ fs_search_cgroup_dirs(sblim_gatherd_t) storage_raw_read_fixed_disk(sblim_gatherd_t) storage_raw_read_removable_device(sblim_gatherd_t) - + +auth_use_nsswitch(sblim_gatherd_t) + init_read_utmp(sblim_gatherd_t) - + +logging_send_syslog_msg(sblim_gatherd_t) + sysnet_dns_name_resolve(sblim_gatherd_t) - + term_getattr_pty_fs(sblim_gatherd_t) 
@@ -103,8 +121,9 @@ optional_policy(` ') - + optional_policy(` - virt_getattr_virtd_exec_files(sblim_gatherd_t) + virt_read_config(sblim_gatherd_t) - virt_stream_connect(sblim_gatherd_t) + virt_stream_connect(sblim_gatherd_t) + virt_getattr_exec(sblim_gatherd_t) ') - + optional_policy(` @@ -117,6 +136,64 @@ optional_policy(` # Reposd local policy # - + +corenet_tcp_bind_generic_node(sblim_reposd_t) + corenet_sendrecv_repository_server_packets(sblim_reposd_t) @@ -100525,11 +100525,11 @@ index e7c2cf74f..435aaa61c 100644 @@ -2,8 +2,10 @@ HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0) - + -/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) -/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) +/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0) - + -/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) -/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) @@ -100544,55 +100544,55 @@ index be5cce2d3..7b4d6294c 100644 @@ -1,4 +1,4 @@ -## GNU terminal multiplexer. +## GNU terminal multiplexer - + ####################################### ## @@ -23,10 +23,9 @@ # template(`screen_role_template',` - gen_require(` + gen_require(` - attribute screen_domain; - attribute_role screen_roles; - type screen_exec_t, screen_tmp_t; - type screen_home_t, screen_var_run_t; + type screen_exec_t, screen_tmp_t; + type screen_home_t, screen_var_run_t; + attribute screen_domain; - ') - - ######################################## + ') + + ######################################## 
@@ -35,50 +34,54 @@ template(`screen_role_template',` - # - - type $1_screen_t, screen_domain; + # + + type $1_screen_t, screen_domain; - userdom_user_application_domain($1_screen_t, screen_exec_t) + application_domain($1_screen_t, screen_exec_t) - domain_interactive_fd($1_screen_t) + domain_interactive_fd($1_screen_t) - role screen_roles types $1_screen_t; + ubac_constrained($1_screen_t) + role $2 types $1_screen_t; - + - roleattribute $2 screen_roles; + tunable_policy(`deny_ptrace',`',` + allow $3 $1_screen_t:process ptrace; + ') - + - ######################################## - # - # Local policy - # + userdom_home_reader($1_screen_t) - - domtrans_pattern($3, screen_exec_t, $1_screen_t) + + domtrans_pattern($3, screen_exec_t, $1_screen_t) - - ps_process_pattern($3, $1_screen_t) - allow $3 $1_screen_t:process { ptrace signal_perms }; - + allow $3 $1_screen_t:process { signal sigchld }; - dontaudit $3 $1_screen_t:unix_stream_socket { read write }; + dontaudit $3 $1_screen_t:unix_stream_socket { read write }; + allow $1_screen_t $3:unix_stream_socket { connectto }; - allow $1_screen_t $3:process signal; + allow $1_screen_t $3:process signal; + allow $3 screen_exec_t:file entrypoint; + ps_process_pattern($1_screen_t, $3) - + - allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; 
@@ -100608,37 +100608,37 @@ index be5cce2d3..7b4d6294c 100644 + relabel_dirs_pattern($3, screen_home_t, screen_home_t) + relabel_files_pattern($3, screen_home_t, screen_home_t) + relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) - - userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen") - userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") - userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf") - - manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) + + userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen") + userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc") + userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf") + + manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) - manage_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) - manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) + manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) + manage_sock_files_pattern($3, screen_var_run_t, screen_var_run_t) - + - corecmd_bin_domtrans($1_screen_t, $3) + kernel_read_system_state($1_screen_t) + + # Revert to the user domain when a shell is executed. - corecmd_shell_domtrans($1_screen_t, $3) + corecmd_shell_domtrans($1_screen_t, $3) + corecmd_bin_domtrans($1_screen_t, $3) - - auth_domtrans_chk_passwd($1_screen_t) - auth_use_nsswitch($1_screen_t) - + + auth_domtrans_chk_passwd($1_screen_t) + auth_use_nsswitch($1_screen_t) + + logging_send_syslog_msg($1_screen_t) + - userdom_user_home_domtrans($1_screen_t, $3) + userdom_user_home_domtrans($1_screen_t, $3) + userdom_manage_tmp_role($2, $1_screen_t) - - tunable_policy(`use_samba_home_dirs',` - fs_cifs_domtrans($1_screen_t, $3) + + tunable_policy(`use_samba_home_dirs',` + fs_cifs_domtrans($1_screen_t, $3) 
@@ -88,3 +91,41 @@ template(`screen_role_template',` - fs_nfs_domtrans($1_screen_t, $3) - ') + fs_nfs_domtrans($1_screen_t, $3) + ') ') + +####################################### @@ -100685,18 +100685,18 @@ index 5466a7327..33598f3b3 100644 @@ -5,9 +5,7 @@ policy_module(screen, 2.6.0) # Declarations # - + -attribute screen_domain; - -attribute_role screen_roles; +attribute screen_domain; - + type screen_exec_t; application_executable_file(screen_exec_t) @@ -17,11 +15,6 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t }; userdom_user_home_content(screen_home_t) - + -type screen_tmp_t; -typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t }; -typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t }; @@ -100706,13 +100706,13 @@ index 5466a7327..33598f3b3 100644 typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; @@ -30,34 +23,35 @@ ubac_constrained(screen_var_run_t) - + ######################################## # -# Common screen domain local policy +# Local policy # - + -allow screen_domain self:capability { setuid setgid fsetid }; +allow screen_domain self:capability { fsetid setgid setuid sys_tty_config }; +dontaudit screen_domain self:capability { dac_read_search dac_override }; 
@@ -100733,13 +100733,13 @@ index 5466a7327..33598f3b3 100644 +allow screen_domain self:fd use; +allow screen_domain self:unix_stream_socket { create_socket_perms connectto }; +allow screen_domain self:unix_dgram_socket create_socket_perms; - + +# Create fifo manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) files_pid_filetrans(screen_domain, screen_var_run_t, dir) - + +allow screen_domain screen_home_t:dir list_dir_perms; manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) -read_files_pattern(screen_domain, screen_home_t, screen_home_t) @@ -100750,15 +100750,15 @@ index 5466a7327..33598f3b3 100644 +read_files_pattern(screen_domain, screen_home_t, screen_home_t) read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t) -userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen") - + -kernel_read_system_state(screen_domain) kernel_read_kernel_sysctls(screen_domain) - + corecmd_list_bin(screen_domain) @@ -66,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain) corecmd_read_bin_pipes(screen_domain) corecmd_read_bin_sockets(screen_domain) - + -corenet_all_recvfrom_unlabeled(screen_domain) -corenet_all_recvfrom_netlabel(screen_domain) corenet_tcp_sendrecv_generic_if(screen_domain) 
@@ -100770,38 +100770,38 @@ index 5466a7327..33598f3b3 100644 -corenet_sendrecv_all_client_packets(screen_domain) +corenet_udp_sendrecv_all_ports(screen_domain) corenet_tcp_connect_all_ports(screen_domain) - + dev_dontaudit_getattr_all_chr_files(screen_domain) dev_dontaudit_getattr_all_blk_files(screen_domain) +# for SSP dev_read_urand(screen_domain) - + -domain_use_interactive_fds(screen_domain) domain_sigchld_interactive_fds(screen_domain) +domain_use_interactive_fds(screen_domain) domain_read_all_domains_state(screen_domain) - + +files_search_tmp(screen_domain) +files_search_home(screen_domain) files_list_home(screen_domain) -files_read_usr_files(screen_domain) - + fs_search_auto_mountpoints(screen_domain) -fs_getattr_all_fs(screen_domain) +fs_getattr_xattr_fs(screen_domain) - + auth_dontaudit_read_shadow(screen_domain) auth_dontaudit_exec_utempter(screen_domain) - + +# Write to utmp. init_rw_utmp(screen_domain) - + -logging_send_syslog_msg(screen_domain) - -miscfiles_read_localization(screen_domain) - seutil_read_config(screen_domain) - + userdom_use_user_terminals(screen_domain) userdom_create_user_pty(screen_domain) userdom_setattr_user_ptys(screen_domain) @@ -100826,7 +100826,7 @@ index 64a239453..3f1dac59a 100644 +++ b/sectoolm.fc @@ -1,5 +1,4 @@ /usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0) - + -/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0) - -/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0) @@ -100839,7 +100839,7 @@ index c78a569c3..900745118 100644 @@ -1,24 +1,2 @@ -## Sectool security audit tool. +## Sectool security audit tool - + -######################################## -## -## Role access for sectoolm. @@ -100867,22 +100867,22 @@ index 4bc8c13ea..e05d74d48 100644 --- a/sectoolm.te +++ b/sectoolm.te 
@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0) - + type sectoolm_t; type sectoolm_exec_t; -init_system_domain(sectoolm_t, sectoolm_exec_t) +init_daemon_domain(sectoolm_t, sectoolm_exec_t) - + type sectool_var_lib_t; files_type(sectool_var_lib_t) @@ -20,14 +20,14 @@ files_tmp_file(sectool_tmp_t) - + ######################################## # -# Local policy +# sectool local policy # - + -allow sectoolm_t self:capability { dac_override net_admin sys_nice }; +allow sectoolm_t self:capability { dac_read_search dac_override net_admin sys_nice sys_ptrace }; allow sectoolm_t self:process { getcap getsched signull setsched }; @@ -100890,48 +100890,48 @@ index 4bc8c13ea..e05d74d48 100644 allow sectoolm_t self:fifo_file rw_fifo_file_perms; -allow sectoolm_t self:unix_dgram_socket sendto; +allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto }; - + manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t) @@ -37,7 +37,7 @@ manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t) files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir }) - + -allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t) logging_log_filetrans(sectoolm_t, sectool_var_log_t, file) - + kernel_read_net_sysctls(sectoolm_t) @@ -65,6 +65,7 @@ fs_list_noxattr_fs(sectoolm_t) - + selinux_validate_context(sectoolm_t) - + +# tcp_wrappers test application_exec_all(sectoolm_t) - + auth_use_nsswitch(sectoolm_t) 
@@ -73,30 +74,36 @@ libs_exec_ld_so(sectoolm_t) - + logging_send_syslog_msg(sectoolm_t) - + +# tests related to network sysnet_domtrans_ifconfig(sectoolm_t) - + -userdom_write_user_tmp_sockets(sectoolm_t) +userdom_manage_user_tmp_sockets(sectoolm_t) +userdom_dgram_send(sectoolm_t) - + optional_policy(` - mount_exec(sectoolm_t) + dbus_system_domain(sectoolm_t, sectoolm_exec_t) ') - + optional_policy(` - dbus_system_domain(sectoolm_t, sectoolm_exec_t) + # tests related to network + hostname_exec(sectoolm_t) +') - + - optional_policy(` - policykit_dbus_chat(sectoolm_t) - ') @@ -100939,21 +100939,21 @@ index 4bc8c13ea..e05d74d48 100644 + # tests related to network + iptables_domtrans(sectoolm_t) ') - + optional_policy(` - hostname_exec(sectoolm_t) + mount_exec(sectoolm_t) ') - + optional_policy(` - iptables_domtrans(sectoolm_t) + policykit_dbus_chat(sectoolm_t) ') - + +# suid test using +# rpm -Vf option optional_policy(` - prelink_domtrans(sectoolm_t) + prelink_domtrans(sectoolm_t) ') diff --git a/sendmail.fc b/sendmail.fc index d14b6bfc7..da5d41d5c 100644 @@ -100961,11 +100961,11 @@ index d14b6bfc7..da5d41d5c 100644 +++ b/sendmail.fc @@ -1,7 +1,8 @@ -/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) - + -/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) -/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0) +/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0) - + -/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) -/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0) @@ -100980,11 +100980,11 @@ index 35ad2a733..afdc7da29 100644 @@ -1,4 +1,4 @@ -## Internetwork email routing facility. +## Policy for sendmail. - + ######################################## ## 
@@ -18,7 +18,8 @@ interface(`sendmail_stub',` - + ######################################## ## -## Read and write sendmail unnamed pipes. @@ -100994,7 +100994,7 @@ index 35ad2a733..afdc7da29 100644 ## ## @@ -36,7 +37,7 @@ interface(`sendmail_rw_pipes',` - + ######################################## ## -## Execute a domain transition to run sendmail. @@ -101003,13 +101003,13 @@ index 35ad2a733..afdc7da29 100644 ## ## @@ -49,19 +50,30 @@ interface(`sendmail_domtrans',` - type sendmail_t; - ') - + type sendmail_t; + ') + - corecmd_search_bin($1) - mta_sendmail_domtrans($1, sendmail_t) + mta_sendmail_domtrans($1, sendmail_t) +') - + - allow sendmail_t $1:fd use; - allow sendmail_t $1:fifo_file rw_fifo_file_perms; - allow sendmail_t $1:process sigchld; @@ -101030,7 +101030,7 @@ index 35ad2a733..afdc7da29 100644 + + init_labeled_script_domtrans($1, sendmail_initrc_exec_t) ') - + ######################################## ## -## Execute the sendmail program in the @@ -101050,18 +101050,18 @@ index 35ad2a733..afdc7da29 100644 ## ## @@ -81,7 +93,7 @@ interface(`sendmail_run',` - ') - - sendmail_domtrans($1) + ') + + sendmail_domtrans($1) - roleattribute $2 sendmail_roles; + roleattribute $2 sendmail_roles; ') - + ######################################## @@ -102,6 +114,53 @@ interface(`sendmail_signal',` - allow $1 sendmail_t:process signal; + allow $1 sendmail_t:process signal; ') - + +######################################## +## +## Execute sendmail in the sendmail_unconfined domain. @@ -101113,7 +101113,7 @@ index 35ad2a733..afdc7da29 100644 ## ## Read and write sendmail TCP sockets. @@ -141,8 +200,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',` - + ######################################## ## -## Read and write sendmail unix @@ -101123,7 +101123,7 @@ index 35ad2a733..afdc7da29 100644 ## ## @@ -179,7 +237,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',` - + ######################################## ## -## Read sendmail log files. 
@@ -101132,7 +101132,7 @@ index 35ad2a733..afdc7da29 100644 ## ## @@ -199,8 +257,7 @@ interface(`sendmail_read_log',` - + ######################################## ## -## Create, read, write, and delete @@ -101142,7 +101142,7 @@ index 35ad2a733..afdc7da29 100644 ## ## @@ -220,8 +277,7 @@ interface(`sendmail_manage_log',` - + ######################################## ## -## Create specified objects in generic @@ -101154,13 +101154,13 @@ index 35ad2a733..afdc7da29 100644 @@ -231,7 +287,6 @@ interface(`sendmail_manage_log',` # interface(`sendmail_create_log',` - refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.') + refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.') - sendmail_log_filetrans_sendmail_log($1, $2, $3) ') - + ######################################## @@ -265,8 +320,7 @@ interface(`sendmail_log_filetrans_sendmail_log',` - + ######################################## ## -## Create, read, write, and delete @@ -101170,7 +101170,7 @@ index 35ad2a733..afdc7da29 100644 ## ## @@ -285,58 +339,27 @@ interface(`sendmail_manage_tmp_files',` - + ######################################## ## -## Execute sendmail in the unconfined sendmail domain. @@ -101216,17 +101216,17 @@ index 35ad2a733..afdc7da29 100644 # -interface(`sendmail_run_unconfined',` +interface(`sendmail_setattr_pid_files',` - gen_require(` + gen_require(` - attribute_role sendmail_unconfined_roles; + type sendmail_var_run_t; - ') - + ') + - sendmail_domtrans_unconfined($1) - roleattribute $2 sendmail_unconfined_roles; + allow $1 sendmail_var_run_t:file setattr_file_perms; + files_search_pids($1) ') - + ######################################## ## -## All of the rules required to @@ -101237,30 +101237,30 @@ index 35ad2a733..afdc7da29 100644 ## ## 
@@ -355,12 +378,17 @@ interface(`sendmail_admin',` - type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; - type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; - type sendmail_keytab_t; + type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; + type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t; + type sendmail_keytab_t; + type mail_spool_t; - ') - + ') + - allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { unconfined_sendmail_t sendmail_t }) + allow $1 sendmail_t:process signal_perms; + ps_process_pattern($1, sendmail_t) - + - init_labeled_script_domtrans($1, sendmail_initrc_exec_t) + tunable_policy(`deny_ptrace',`',` + allow $1 sendmail_t:process ptrace; + ') + + sendmail_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sendmail_initrc_exec_t system_r; - + domain_system_change_exemption($1) + role_transition $2 sendmail_initrc_exec_t system_r; + @@ -376,6 +404,6 @@ interface(`sendmail_admin',` - files_list_pids($1) - admin_pattern($1, sendmail_var_run_t) - + files_list_pids($1) + admin_pattern($1, sendmail_var_run_t) + - sendmail_run($1, $2) - sendmail_run_unconfined($1, $2) + files_list_spool($1) @@ -101271,13 +101271,13 @@ index 12700b413..8ba299515 100644 --- a/sendmail.te +++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; - + ######################################## # -# Local policy +# Sendmail local policy # - + -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; +allow sendmail_t self:capability { dac_read_search dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +dontaudit sendmail_t self:capability net_admin; 
@@ -101290,20 +101290,20 @@ index 12700b413..8ba299515 100644 +allow sendmail_t self:unix_dgram_socket create_socket_perms; +allow sendmail_t self:tcp_socket create_stream_socket_perms; +allow sendmail_t self:udp_socket create_socket_perms; - + +allow sendmail_t sendmail_log_t:dir setattr_dir_perms; +manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) allow sendmail_t sendmail_keytab_t:file read_file_perms; - + -allow sendmail_t sendmail_log_t:dir setattr_dir_perms; -append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) -create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) -setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t) logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) - + manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) @@ -63,33 +65,24 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) - + kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) +# for piping mail to a command @@ -101311,7 +101311,7 @@ index 12700b413..8ba299515 100644 +kernel_search_network_sysctl(sendmail_t) +kernel_read_kernel_sysctls(sendmail_t) +kernel_read_net_sysctls(sendmail_t) - + -corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_generic_if(sendmail_t) @@ -101326,7 +101326,7 @@ index 12700b413..8ba299515 100644 corenet_tcp_connect_all_ports(sendmail_t) +corenet_sendrecv_smtp_server_packets(sendmail_t) +corenet_sendrecv_smtp_client_packets(sendmail_t) - + -corecmd_exec_bin(sendmail_t) -corecmd_exec_shell(sendmail_t) - @@ -101340,13 +101340,13 @@ index 12700b413..8ba299515 100644 -files_read_usr_files(sendmail_t) -files_search_spool(sendmail_t) +dev_read_sysfs(sendmail_t) - + fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) 
@@ -98,35 +91,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) - + +# for piping mail to a command +corecmd_exec_shell(sendmail_t) +corecmd_exec_bin(sendmail_t) @@ -101364,22 +101364,22 @@ index 12700b413..8ba299515 100644 init_read_utmp(sendmail_t) init_dontaudit_write_utmp(sendmail_t) init_rw_script_tmp_files(sendmail_t) - + auth_use_nsswitch(sendmail_t) - + +# Read /usr/lib/sasl2/.* libs_read_lib_files(sendmail_t) - + logging_send_syslog_msg(sendmail_t) logging_dontaudit_write_generic_logs(sendmail_t) - + miscfiles_read_generic_certs(sendmail_t) -miscfiles_read_localization(sendmail_t) - + userdom_dontaudit_use_unpriv_user_fds(sendmail_t) +userdom_read_user_home_content_files(sendmail_t) +userdom_dontaudit_list_user_home_dirs(sendmail_t) - + -mta_etc_filetrans_aliases(sendmail_t, file, "aliases") -mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db") -mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp") @@ -101392,67 +101392,67 @@ index 12700b413..8ba299515 100644 mta_manage_spool(sendmail_t) -mta_read_config(sendmail_t) mta_sendmail_exec(sendmail_t) - + optional_policy(` - cfengine_dontaudit_write_log_files(sendmail_t) + cfengine_dontaudit_write_log(sendmail_t) ') - + optional_policy(` @@ -134,8 +141,8 @@ optional_policy(` ') - + optional_policy(` - clamav_search_lib(sendmail_t) - clamav_stream_connect(sendmail_t) + antivirus_search_db(sendmail_t) + antivirus_stream_connect(sendmail_t) ') - + optional_policy(` @@ -163,6 +170,10 @@ optional_policy(` - kerberos_use(sendmail_t) + kerberos_use(sendmail_t) ') - + +optional_policy(` + inn_write_inherited_news_lib(sendmail_t) +') + optional_policy(` - milter_stream_connect_all(sendmail_t) + milter_stream_connect_all(sendmail_t) ') 
@@ -171,6 +182,11 @@ optional_policy(` - munin_dontaudit_search_lib(sendmail_t) + munin_dontaudit_search_lib(sendmail_t) ') - + +optional_policy(` + openshift_dontaudit_rw_inherited_fifo_files(sendmail_t) + openshift_rw_inherited_content(sendmail_t) +') + optional_policy(` - postfix_domtrans_postdrop(sendmail_t) - postfix_domtrans_master(sendmail_t) + postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_master(sendmail_t) @@ -192,6 +208,10 @@ optional_policy(` - sasl_connect(sendmail_t) + sasl_connect(sendmail_t) ') - + +optional_policy(` + spamd_stream_connect(sendmail_t) +') + optional_policy(` - udev_read_db(sendmail_t) + udev_read_db(sendmail_t) ') @@ -206,8 +226,6 @@ optional_policy(` # - + optional_policy(` - mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases") - mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db") - mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp") + mta_filetrans_named_content(unconfined_sendmail_t) - unconfined_domain(unconfined_sendmail_t) + unconfined_domain(unconfined_sendmail_t) ') diff --git a/sensord.fc b/sensord.fc index 8185d5a6b..9be989a08 100644 @@ -101462,9 +101462,9 @@ index 8185d5a6b..9be989a08 100644 +/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0) + /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) - + /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) - + +/var/log/sensor.* gen_context(system_u:object_r:sensord_log_t,s0) + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) @@ -101476,7 +101476,7 @@ index d204752b3..85631b346 100644 -## Sensor information logging daemon. + +## Sensor information logging daemon - + ######################################## ## -## All of the rules required to 
@@ -101538,17 +101538,17 @@ index d204752b3..85631b346 100644 ## # interface(`sensord_admin',` - gen_require(` + gen_require(` - type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; + type sensord_t; + type sensord_unit_file_t; + type sensord_log_t; + type sensord_var_run_t; - ') - - allow $1 sensord_t:process { ptrace signal_perms }; - ps_process_pattern($1, sensord_t) - + ') + + allow $1 sensord_t:process { ptrace signal_perms }; + ps_process_pattern($1, sensord_t) + - init_labeled_script_domtrans($1, sensord_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 sensord_initrc_exec_t system_r; @@ -101556,10 +101556,10 @@ index d204752b3..85631b346 100644 + sensord_systemctl($1) + admin_pattern($1, sensord_unit_file_t) + allow $1 sensord_unit_file_t:service all_service_perms; - + - files_search_pids($1) + admin_pattern($1, sensord_log_t) - admin_pattern($1, sensord_var_run_t) + admin_pattern($1, sensord_var_run_t) + + optional_policy(` + systemd_passwd_agent_exec($1) @@ -101573,16 +101573,16 @@ index 5e82fd616..ddb249dfb 100644 @@ -9,27 +9,38 @@ type sensord_t; type sensord_exec_t; init_daemon_domain(sensord_t, sensord_exec_t) - + +type sensord_unit_file_t; +systemd_unit_file(sensord_unit_file_t) + type sensord_initrc_exec_t; init_script_file(sensord_initrc_exec_t) - + type sensord_var_run_t; files_pid_file(sensord_var_run_t) - + +type sensord_log_t; +logging_log_file(sensord_log_t) + 
@@ -101590,27 +101590,27 @@ index 5e82fd616..ddb249dfb 100644 # # Local policy # - + +allow sensord_t self:process { signal execmem }; + allow sensord_t self:fifo_file rw_fifo_file_perms; allow sensord_t self:unix_stream_socket create_stream_socket_perms; - + +manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t) +logging_log_filetrans(sensord_t, sensord_log_t, file) + manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t) files_pid_filetrans(sensord_t, sensord_var_run_t, file) - + -dev_read_sysfs(sensord_t) +kernel_read_system_state(sensord_t) - + -files_read_etc_files(sensord_t) +dev_read_sysfs(sensord_t) +dev_getattr_sysfs_fs(sensord_t) - + logging_send_syslog_msg(sensord_t) - + -miscfiles_read_localization(sensord_t) diff --git a/setroubleshoot.fc b/setroubleshoot.fc index 0b3a971f4..397a5225b 100644 @@ -101618,16 +101618,16 @@ index 0b3a971f4..397a5225b 100644 +++ b/setroubleshoot.fc @@ -1,9 +1,9 @@ /usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0) - + -/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) - + -/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) +/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0) - + -/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) +/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0) - + -/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) +/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/setroubleshoot.if b/setroubleshoot.if @@ -101637,7 +101637,7 @@ index 3a9a70bef..903109c98 100644 
@@ -1,9 +1,8 @@ -## SELinux troubleshooting service. +## SELinux troubleshooting service - + ######################################## ## -## Connect to setroubleshootd with a @@ -101647,7 +101647,7 @@ index 3a9a70bef..903109c98 100644 ## ## @@ -23,9 +22,8 @@ interface(`setroubleshoot_stream_connect',` - + ######################################## ## -## Do not audit attempts to connect to @@ -101659,9 +101659,9 @@ index 3a9a70bef..903109c98 100644 ## ## @@ -42,6 +40,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',` - dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; + dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; ') - + +####################################### +## +## Send null signals to setroubleshoot. @@ -101684,7 +101684,7 @@ index 3a9a70bef..903109c98 100644 ## ## Send and receive messages from @@ -107,8 +123,27 @@ interface(`setroubleshoot_dbus_chat_fixit',` - + ######################################## ## -## All of the rules required to @@ -101716,13 +101716,13 @@ index 3a9a70bef..903109c98 100644 @@ -119,12 +154,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` # interface(`setroubleshoot_admin',` - gen_require(` + gen_require(` - type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t; - type setroubleshoot_var_lib_t, setroubleshoot_var_run_t; + type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t; + type setroubleshoot_var_lib_t; - ') - + ') + - allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t }) + allow $1 setroubleshootd_t:process signal_perms; @@ -101730,43 +101730,43 @@ index 3a9a70bef..903109c98 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 setroubleshootd_t:process ptrace; + ') - - logging_list_logs($1) - admin_pattern($1, setroubleshoot_var_log_t) + + logging_list_logs($1) + admin_pattern($1, setroubleshoot_var_log_t) 
diff --git a/setroubleshoot.te b/setroubleshoot.te index ce6793506..130eca9f1 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1) - + type setroubleshootd_t alias setroubleshoot_t; type setroubleshootd_exec_t; -init_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +domain_type(setroubleshootd_t) +init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) - + type setroubleshoot_fixit_t; type setroubleshoot_fixit_exec_t; -init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) +init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) - + type setroubleshoot_var_lib_t; files_type(setroubleshoot_var_lib_t) - + +# log files type setroubleshoot_var_log_t; logging_log_file(setroubleshoot_var_log_t) - + +# pid files type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) - + ######################################## # -# Local policy +# setroubleshootd local policy # - + -allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; +allow setroubleshootd_t self:capability { sys_nice sys_ptrace sys_tty_config }; 
@@ -101781,13 +101781,13 @@ index ce6793506..130eca9f1 100644 +allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; +allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; - + -allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms; +# database files +allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir }) - + -allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms; -append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) -create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) @@ -101797,7 +101797,7 @@ index ce6793506..130eca9f1 100644 +manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t) logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) - + +# pid file manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) @@ -101808,11 +101808,11 @@ index ce6793506..130eca9f1 100644 kernel_read_irq_sysctls(setroubleshootd_t) +kernel_read_rpc_sysctls(setroubleshootd_t) kernel_read_unlabeled_state(setroubleshootd_t) - + corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) corecmd_read_all_executables(setroubleshootd_t) - + -corenet_all_recvfrom_unlabeled(setroubleshootd_t) corenet_all_recvfrom_netlabel(setroubleshootd_t) corenet_tcp_sendrecv_generic_if(setroubleshootd_t) 
@@ -101824,34 +101824,34 @@ index ce6793506..130eca9f1 100644 corenet_tcp_connect_smtp_port(setroubleshootd_t) -corenet_tcp_sendrecv_smtp_port(setroubleshootd_t) +corenet_sendrecv_smtp_client_packets(setroubleshootd_t) - + dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t) - + -domain_dontaudit_search_all_domains_state(setroubleshootd_t) +domain_read_all_domains_state(setroubleshootd_t) domain_signull_all_domains(setroubleshootd_t) - + -files_read_usr_files(setroubleshootd_t) files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) @@ -109,37 +117,42 @@ init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) - + libs_exec_ld_so(setroubleshootd_t) +libs_exec_ldconfig(setroubleshootd_t) - + locallogin_dontaudit_use_fds(setroubleshootd_t) - + logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) +logging_stream_connect_syslog(setroubleshootd_t) - + -miscfiles_read_localization(setroubleshootd_t) - +seutil_read_bin_policy(setroubleshootd_t) @@ -101859,9 +101859,9 @@ index ce6793506..130eca9f1 100644 +seutil_read_default_contexts(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) -seutil_read_bin_policy(setroubleshootd_t) - + userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) - + optional_policy(` - dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) - 
@@ -101870,52 +101870,52 @@ index ce6793506..130eca9f1 100644 - ') + abrt_dbus_chat(setroubleshootd_t) ') - + optional_policy(` - locate_read_lib_files(setroubleshootd_t) + locate_read_lib_files(setroubleshootd_t) ') - + +optional_policy(` + mock_getattr_lib(setroubleshootd_t) +') + optional_policy(` - modutils_read_module_config(setroubleshootd_t) + modutils_read_module_config(setroubleshootd_t) ') - + +optional_policy(` + dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) +') + optional_policy(` - rpm_exec(setroubleshootd_t) - rpm_signull(setroubleshootd_t) + rpm_exec(setroubleshootd_t) + rpm_signull(setroubleshootd_t) @@ -150,26 +163,36 @@ optional_policy(` - + ######################################## # -# Fixit local policy +# setroubleshoot_fixit local policy # - + allow setroubleshoot_fixit_t self:capability sys_nice; allow setroubleshoot_fixit_t self:process { setsched getsched }; +dontaudit setroubleshoot_fixit_t self:process execmem; allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; +allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; - + allow setroubleshoot_fixit_t setroubleshootd_t:process signull; - + +setroubleshoot_dbus_chat(setroubleshoot_fixit_t) setroubleshoot_stream_connect(setroubleshoot_fixit_t) - + kernel_read_system_state(setroubleshoot_fixit_t) +kernel_read_network_state(setroubleshoot_fixit_t) - + corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t) - + +dev_read_sysfs(setroubleshoot_fixit_t) +dev_read_urand(setroubleshoot_fixit_t) + @@ -101924,39 +101924,39 @@ index ce6793506..130eca9f1 100644 seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) +seutil_read_module_store(setroubleshoot_fixit_t) - + -files_read_usr_files(setroubleshoot_fixit_t) files_list_tmp(setroubleshoot_fixit_t) - + auth_use_nsswitch(setroubleshoot_fixit_t) 
@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) - + -miscfiles_read_localization(setroubleshoot_fixit_t) - -userdom_read_all_users_state(setroubleshoot_fixit_t) +userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) userdom_signull_unpriv_users(setroubleshoot_fixit_t) - + optional_policy(` - dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) + dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) - setroubleshoot_dbus_chat(setroubleshoot_fixit_t) +') - + - optional_policy(` - policykit_dbus_chat(setroubleshoot_fixit_t) - ') +optional_policy(` + gnome_dontaudit_search_config(setroubleshoot_fixit_t) ') - + optional_policy(` + rpm_exec(setroubleshoot_fixit_t) - rpm_signull(setroubleshoot_fixit_t) - rpm_read_db(setroubleshoot_fixit_t) - rpm_dontaudit_manage_db(setroubleshoot_fixit_t) - rpm_use_script_fds(setroubleshoot_fixit_t) + rpm_signull(setroubleshoot_fixit_t) + rpm_read_db(setroubleshoot_fixit_t) + rpm_dontaudit_manage_db(setroubleshoot_fixit_t) + rpm_use_script_fds(setroubleshoot_fixit_t) ') + +optional_policy(` @@ -102240,25 +102240,25 @@ index 1aeef8ac3..d5ce40a96 100644 @@ -1,4 +1,4 @@ -## Shoreline Firewall high-level tool for configuring netfilter. +## Shoreline Firewall high-level tool for configuring netfilter - + ######################################## ## @@ -15,7 +15,6 @@ interface(`shorewall_domtrans',` - type shorewall_t, shorewall_exec_t; - ') - + type shorewall_t, shorewall_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, shorewall_exec_t, shorewall_t) + domtrans_pattern($1, shorewall_exec_t, shorewall_t) ') - + 
@@ -34,13 +33,12 @@ interface(`shorewall_lib_domtrans',` - type shorewall_t, shorewall_var_lib_t; - ') - + type shorewall_t, shorewall_var_lib_t; + ') + - files_search_var_lib($1) - domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) + domtrans_pattern($1, shorewall_var_lib_t, shorewall_t) ') - + ####################################### ## -## Read shorewall configuration files. @@ -102267,9 +102267,9 @@ index 1aeef8ac3..d5ce40a96 100644 ## ## @@ -57,47 +55,9 @@ interface(`shorewall_read_config',` - read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) + read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) ') - + -####################################### -## -## Read shorewall pid files. @@ -102321,17 +102321,17 @@ index 1aeef8ac3..d5ce40a96 100644 interface(`shorewall_read_lib_files',` - gen_require(` + gen_require(` - type shorewall_var_lib_t; + type shorewall_var_lib_t; - ') + ') - + - files_search_var_lib($1) - read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + files_search_var_lib($1) + search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ') - + ####################################### ## -## Read and write shorewall lib files. @@ -102353,14 +102353,14 @@ index 1aeef8ac3..d5ce40a96 100644 + gen_require(` + type shorewall_var_lib_t; + ') - + - files_search_var_lib($1) - rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + files_search_var_lib($1) + search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) + rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ') - + ####################################### ## -## Read shorewall temporary files. @@ -102369,7 +102369,7 @@ index 1aeef8ac3..d5ce40a96 100644 ## ## @@ -154,8 +116,8 @@ interface(`shorewall_read_tmp_files',` - + ####################################### ## -## All of the rules required to 
@@ -102390,32 +102390,32 @@ index 1aeef8ac3..d5ce40a96 100644 ## # interface(`shorewall_admin',` - gen_require(` + gen_require(` - type shorewall_t, shorewall_lock_t, shorewall_log_t; - type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t; + type shorewall_t, shorewall_lock_t; + type shorewall_log_t; + type shorewall_initrc_exec_t, shorewall_var_lib_t; - type shorewall_tmp_t, shorewall_etc_t; - ') - + type shorewall_tmp_t, shorewall_etc_t; + ') + - allow $1 shorewall_t:process { ptrace signal_perms }; + allow $1 shorewall_t:process signal_perms; - ps_process_pattern($1, shorewall_t) + ps_process_pattern($1, shorewall_t) + tunable_policy(`deny_ptrace',`',` + allow $1 shorewall_t:process ptrace; + ') - - init_labeled_script_domtrans($1, shorewall_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 shorewall_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, shorewall_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 shorewall_initrc_exec_t system_r; + allow $2 system_r; + - can_exec($1, shorewall_exec_t) - - files_list_etc($1) - admin_pattern($1, shorewall_etc_t) - + files_list_etc($1) + admin_pattern($1, shorewall_etc_t) + diff --git a/shorewall.te b/shorewall.te index 7710b9f76..04af4ec4d 100644 --- a/shorewall.te @@ -102423,24 +102423,24 @@ index 7710b9f76..04af4ec4d 100644 @@ -32,8 +32,9 @@ logging_log_file(shorewall_log_t) # Local policy # - + -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; +allow shorewall_t self:capability { dac_read_search dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; dontaudit shorewall_t self:capability sys_tty_config; +allow shorewall_t self:process signal_perms; allow shorewall_t self:fifo_file rw_fifo_file_perms; allow shorewall_t self:netlink_socket create_socket_perms; - + 
@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) files_lock_filetrans(shorewall_t, shorewall_lock_t, file) - + manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) -setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) +manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) - + manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) @@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) @@ -102449,52 +102449,52 @@ index 7710b9f76..04af4ec4d 100644 +allow shorewall_t shorewall_var_lib_t:file entrypoint; + +allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; - + allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; - + @@ -74,7 +76,6 @@ dev_read_urand(shorewall_t) domain_read_all_domains_state(shorewall_t) - + files_getattr_kernel_modules(shorewall_t) -files_read_usr_files(shorewall_t) files_search_kernel_modules(shorewall_t) - + fs_getattr_all_fs(shorewall_t) @@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t) logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) - + -miscfiles_read_localization(shorewall_t) - sysnet_domtrans_ifconfig(shorewall_t) - + -userdom_dontaudit_list_user_home_dirs(shorewall_t) -userdom_use_user_terminals(shorewall_t) +userdom_dontaudit_list_admin_dir(shorewall_t) +userdom_use_inherited_user_ttys(shorewall_t) +userdom_use_inherited_user_ptys(shorewall_t) - + optional_policy(` - brctl_domtrans(shorewall_t) + brctl_domtrans(shorewall_t) 
@@ -109,6 +109,10 @@ optional_policy(` - modutils_domtrans_insmod(shorewall_t) + modutils_domtrans_insmod(shorewall_t) ') - + +optional_policy(` + netutils_domtrans(shorewall_t) +') + optional_policy(` - ulogd_search_log(shorewall_t) + ulogd_search_log(shorewall_t) ') diff --git a/shutdown.fc b/shutdown.fc index a91f33b0f..631dbc1dc 100644 --- a/shutdown.fc +++ b/shutdown.fc @@ -8,4 +8,4 @@ - + /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) - + -/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) diff --git a/shutdown.if b/shutdown.if @@ -102530,13 +102530,13 @@ index d1706bf87..3aa7c9fd1 100644 - ps_process_pattern($2, shutdown_t) -') +## System shutdown command - + ######################################## ## @@ -43,13 +17,27 @@ interface(`shutdown_domtrans',` - - corecmd_search_bin($1) - domtrans_pattern($1, shutdown_exec_t, shutdown_t) + + corecmd_search_bin($1) + domtrans_pattern($1, shutdown_exec_t, shutdown_t) + + init_reboot($1) + init_halt($1) @@ -102553,7 +102553,7 @@ index d1706bf87..3aa7c9fd1 100644 + dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms; + ') ') - + ######################################## ## -## Execute shutdown in the shutdown @@ -102567,17 +102567,17 @@ index d1706bf87..3aa7c9fd1 100644 @@ -64,16 +52,62 @@ interface(`shutdown_domtrans',` # interface(`shutdown_run',` - gen_require(` + gen_require(` + type shutdown_t; - attribute_role shutdown_roles; - ') - + attribute_role shutdown_roles; + ') + - shutdown_domtrans($1) - roleattribute $2 shutdown_roles; + shutdown_domtrans($1) + roleattribute $2 shutdown_roles; ') - + ######################################## ## -## Send generic signals to shutdown. 
@@ -102636,16 +102636,16 @@ index d1706bf87..3aa7c9fd1 100644 # -interface(`shutdown_signal',` +interface(`shutdown_dbus_chat',` - gen_require(` - type shutdown_t; + gen_require(` + type shutdown_t; + class dbus send_msg; - ') - + ') + - allow shutdown_t $1:process signal; + allow $1 shutdown_t:dbus send_msg; + allow shutdown_t $1:dbus send_msg; ') - + ######################################## ## -## Get attributes of shutdown executable files. @@ -102660,33 +102660,33 @@ index e2544e147..2196974f5 100644 @@ -24,7 +24,7 @@ files_pid_file(shutdown_var_run_t) # Local policy # - + -allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config }; +allow shutdown_t self:capability { dac_read_search dac_override kill setuid sys_nice sys_tty_config }; allow shutdown_t self:process { setsched signal signull }; allow shutdown_t self:fifo_file manage_fifo_file_perms; allow shutdown_t self:unix_stream_socket create_stream_socket_perms; @@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t) - + mls_file_write_to_clearance(shutdown_t) - + -term_use_all_terms(shutdown_t) +term_use_all_inherited_terms(shutdown_t) - + auth_use_nsswitch(shutdown_t) auth_write_login_records(shutdown_t) @@ -56,8 +56,6 @@ init_telinit(shutdown_t) logging_search_logs(shutdown_t) logging_send_audit_msgs(shutdown_t) - + -miscfiles_read_localization(shutdown_t) - optional_policy(` - cron_system_entry(shutdown_t, shutdown_exec_t) + cron_system_entry(shutdown_t, shutdown_exec_t) ') @@ -68,10 +66,15 @@ optional_policy(` ') - + optional_policy(` - oddjob_dontaudit_rw_fifo_files(shutdown_t) - oddjob_sigchld(shutdown_t) @@ -102697,9 +102697,9 @@ index e2544e147..2196974f5 100644 +optional_policy(` + rhev_sigchld_agentd(shutdown_t) ') - + optional_policy(` - xserver_dontaudit_write_log(shutdown_t) + xserver_dontaudit_write_log(shutdown_t) + xserver_xdm_append_log(shutdown_t) ') diff --git a/slocate.te b/slocate.te @@ -102708,7 +102708,7 @@ index 7292dc064..26fc8f4bc 100644 +++ b/slocate.te 
@@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t) dev_getattr_all_chr_files(locate_t) - + files_list_all(locate_t) +files_list_isid_type_dirs(locate_t) +files_getattr_isid_type(locate_t) @@ -102720,16 +102720,16 @@ index 7292dc064..26fc8f4bc 100644 files_getattr_all_sockets(locate_t) files_read_etc_runtime_files(locate_t) @@ -62,7 +66,6 @@ fs_read_noxattr_fs_symlinks(locate_t) - + auth_use_nsswitch(locate_t) - + -miscfiles_read_localization(locate_t) - + ifdef(`enable_mls',` - files_dontaudit_getattr_all_dirs(locate_t) + files_dontaudit_getattr_all_dirs(locate_t) @@ -71,3 +74,8 @@ ifdef(`enable_mls',` optional_policy(` - cron_system_entry(locate_t, locate_exec_t) + cron_system_entry(locate_t, locate_exec_t) ') + +optional_policy(` @@ -102742,7 +102742,7 @@ index ca32e8946..98278dd2c 100644 +++ b/slpd.if @@ -1,5 +1,42 @@ ## OpenSLP server daemon to dynamically register services. - + +######################################## +## +## Transition to slpd. @@ -102784,18 +102784,18 @@ index ca32e8946..98278dd2c 100644 ## ## All of the rules required to @@ -26,7 +63,7 @@ interface(`slpd_admin',` - allow $1 slpd_t:process { ptrace signal_perms }; - ps_process_pattern($1, slpd_t) - + allow $1 slpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, slpd_t) + - init_labeled_script_domtrans($1, slpd_initrc_exec_t) + slpd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 slpd_initrc_exec_t system_r; - allow $2 system_r; + domain_system_change_exemption($1) + role_transition $2 slpd_initrc_exec_t system_r; + allow $2 system_r; @@ -36,4 +73,10 @@ interface(`slpd_admin',` - - files_search_pids($1) - admin_pattern($1, slpd_var_run_t) + + files_search_pids($1) + admin_pattern($1, slpd_var_run_t) + + optional_policy(` + systemd_passwd_agent_exec($1) @@ -102810,7 +102810,7 @@ index 731512a66..4ce76cd9c 100644 
@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t) # Local policy # - + -allow slpd_t self:capability { kill setgid setuid }; +allow slpd_t self:capability { kill net_admin setgid setuid }; allow slpd_t self:process signal; @@ -102819,7 +102819,7 @@ index 731512a66..4ce76cd9c 100644 @@ -35,6 +35,9 @@ logging_log_filetrans(slpd_t, slpd_log_t, file) manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t) files_pid_filetrans(slpd_t, slpd_var_run_t, file) - + +kernel_read_system_state(slpd_t) +kernel_read_network_state(slpd_t) + @@ -102829,13 +102829,13 @@ index 731512a66..4ce76cd9c 100644 @@ -50,6 +53,12 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) corenet_tcp_bind_svrloc_port(slpd_t) corenet_udp_bind_svrloc_port(slpd_t) - + +corenet_udp_bind_dhcpc_port(slpd_t) + +dev_read_urand(slpd_t) + auth_use_nsswitch(slpd_t) - + -miscfiles_read_localization(slpd_t) +logging_send_syslog_msg(slpd_t) + @@ -102846,49 +102846,49 @@ index 59eb07fa9..4626942ae 100644 +++ b/slrnpull.te @@ -13,7 +13,7 @@ type slrnpull_var_run_t; files_pid_file(slrnpull_var_run_t) - + type slrnpull_spool_t; -files_type(slrnpull_spool_t) +files_spool_file(slrnpull_spool_t) - + type slrnpull_log_t; logging_log_file(slrnpull_log_t) @@ -44,7 +44,6 @@ dev_read_sysfs(slrnpull_t) - + domain_use_interactive_fds(slrnpull_t) - + -files_read_etc_files(slrnpull_t) files_search_spool(slrnpull_t) - + fs_getattr_all_fs(slrnpull_t) @@ -52,8 +51,6 @@ fs_search_auto_mountpoints(slrnpull_t) - + logging_send_syslog_msg(slrnpull_t) - + -miscfiles_read_localization(slrnpull_t) - userdom_dontaudit_use_unpriv_user_fds(slrnpull_t) userdom_dontaudit_search_user_home_dirs(slrnpull_t) - + diff --git a/smartmon.if b/smartmon.if index e0644b5cf..ea347ccd5 100644 --- a/smartmon.if +++ b/smartmon.if 
@@ -42,9 +42,13 @@ interface(`smartmon_admin',` - type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; - ') - + type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; + ') + - allow $1 fsdaemon_t:process { ptrace signal_perms }; + allow $1 fsdaemon_t:process signal_perms; - ps_process_pattern($1, fsdaemon_t) - + ps_process_pattern($1, fsdaemon_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 fsdaemon_t:process ptrace; + ') + - init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 fsdaemon_initrc_exec_t system_r; + init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fsdaemon_initrc_exec_t system_r; diff --git a/smartmon.te b/smartmon.te index 9cf6582d2..052179c3f 100644 --- a/smartmon.te @@ -102896,16 +102896,16 @@ index 9cf6582d2..052179c3f 100644 @@ -38,7 +38,7 @@ ifdef(`enable_mls',` # Local policy # - + -allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; +allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin }; dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t) - + corecmd_exec_all_executables(fsdaemon_t) - + +corenet_all_recvfrom_netlabel(fsdaemon_t) +corenet_udp_sendrecv_generic_if(fsdaemon_t) +corenet_udp_sendrecv_generic_node(fsdaemon_t) 
@@ -102913,59 +102913,59 @@ index 9cf6582d2..052179c3f 100644 + dev_read_sysfs(fsdaemon_t) dev_read_urand(fsdaemon_t) - + domain_use_interactive_fds(fsdaemon_t) - + files_exec_etc_files(fsdaemon_t) -files_read_etc_files(fsdaemon_t) files_read_etc_runtime_files(fsdaemon_t) -files_read_usr_files(fsdaemon_t) - + fs_getattr_all_fs(fsdaemon_t) fs_search_auto_mountpoints(fsdaemon_t) +fs_read_removable_files(fsdaemon_t) - + mls_file_read_all_levels(fsdaemon_t) - + +storage_create_fixed_disk_dev(fsdaemon_t) +storage_dev_filetrans_named_fixed_disk(fsdaemon_t) storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) storage_raw_read_removable_device(fsdaemon_t) @@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t) - + term_dontaudit_search_ptys(fsdaemon_t) - + -application_signull(fsdaemon_t) +domain_signull_all_domains(fsdaemon_t) + +auth_read_passwd(fsdaemon_t) - + init_read_utmp(fsdaemon_t) - + @@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t) - + logging_send_syslog_msg(fsdaemon_t) - + -miscfiles_read_localization(fsdaemon_t) +seutil_sigchld_newrole(fsdaemon_t) - + sysnet_dns_name_resolve(fsdaemon_t) - + userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) userdom_dontaudit_search_user_home_dirs(fsdaemon_t) +userdom_use_user_terminals(fsdaemon_t) - + tunable_policy(`smartmon_3ware',` - allow fsdaemon_t self:process setfscreate; + allow fsdaemon_t self:process setfscreate; @@ -116,9 +125,9 @@ optional_policy(` ') - + optional_policy(` - seutil_sigchld_newrole(fsdaemon_t) + udev_read_db(fsdaemon_t) ') - + optional_policy(` - udev_read_db(fsdaemon_t) + virt_read_images(fsdaemon_t) @@ -102975,88 +102975,88 @@ index 335981945..a231ecb56 100644 --- a/smokeping.fc +++ b/smokeping.fc 
@@ -2,7 +2,7 @@ - + /usr/sbin/smokeping -- gen_context(system_u:object_r:smokeping_exec_t,s0) - + -/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0) +/usr/share/smokeping/cgi(/.*)? gen_context(system_u:object_r:smokeping_cgi_script_exec_t,s0) - + /var/lib/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_lib_t,s0) - + diff --git a/smokeping.if b/smokeping.if index 1fa51c11f..82e111c80 100644 --- a/smokeping.if +++ b/smokeping.if @@ -158,8 +158,11 @@ interface(`smokeping_admin',` - type smokeping_var_run_t; - ') - + type smokeping_var_run_t; + ') + - allow $1 smokeping_t:process { ptrace signal_perms }; + allow $1 smokeping_t:process signal_perms; - ps_process_pattern($1, smokeping_t) + ps_process_pattern($1, smokeping_t) + tunable_policy(`deny_ptrace',`',` + allow $1 smokeping_t:process ptrace; + ') - - smokeping_initrc_domtrans($1) - domain_system_change_exemption($1) + + smokeping_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/smokeping.te b/smokeping.te index ec031a031..61a9f8c08 100644 --- a/smokeping.te +++ b/smokeping.te @@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t) # - + dontaudit smokeping_t self:capability { dac_read_search dac_override }; +allow smokeping_t self:process signal_perms; allow smokeping_t self:fifo_file rw_fifo_file_perms; allow smokeping_t self:unix_stream_socket { accept listen }; - + @@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t) - + dev_read_urand(smokeping_t) - + -files_read_usr_files(smokeping_t) files_search_tmp(smokeping_t) - + auth_use_nsswitch(smokeping_t) @@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t) - + logging_send_syslog_msg(smokeping_t) - + -miscfiles_read_localization(smokeping_t) - mta_send_mail(smokeping_t) - + netutils_domtrans_ping(smokeping_t) 
@@ -60,17 +58,22 @@ netutils_domtrans_ping(smokeping_t) - + optional_policy(` - apache_content_template(smokeping_cgi) + apache_content_template(smokeping_cgi) + apache_content_alias_template(smokeping_cgi, smokeping_cgi) + + manage_dirs_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) + manage_files_pattern(smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) + + getattr_files_pattern(smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) - + - manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) - manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t) + files_read_etc_files(smokeping_cgi_script_t) + files_search_tmp(smokeping_cgi_script_t) + files_search_var_lib(smokeping_cgi_script_t) - + - getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) + auth_read_passwd(smokeping_cgi_script_t) - + - files_read_etc_files(httpd_smokeping_cgi_script_t) - files_search_tmp(httpd_smokeping_cgi_script_t) - files_search_var_lib(httpd_smokeping_cgi_script_t) + logging_send_syslog_msg(smokeping_cgi_script_t) - + - sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t) + sysnet_dns_name_resolve(smokeping_cgi_script_t) - + - netutils_domtrans_ping(httpd_smokeping_cgi_script_t) + netutils_domtrans_ping(smokeping_cgi_script_t) ') @@ -103065,39 +103065,39 @@ index b3f2c6f26..4e629a10b 100644 --- a/smoltclient.te +++ b/smoltclient.te @@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t) - + corenet_sendrecv_http_client_packets(smoltclient_t) corenet_tcp_connect_http_port(smoltclient_t) +corenet_tcp_connect_http_cache_port(smoltclient_t) corenet_tcp_sendrecv_http_port(smoltclient_t) - + dev_read_sysfs(smoltclient_t) 
@@ -51,14 +52,12 @@ fs_list_auto_mountpoints(smoltclient_t) - + files_getattr_generic_locks(smoltclient_t) files_read_etc_runtime_files(smoltclient_t) -files_read_usr_files(smoltclient_t) - + auth_use_nsswitch(smoltclient_t) - + logging_send_syslog_msg(smoltclient_t) - + miscfiles_read_hwdata(smoltclient_t) -miscfiles_read_localization(smoltclient_t) - + optional_policy(` - abrt_stream_connect(smoltclient_t) + abrt_stream_connect(smoltclient_t) @@ -76,6 +75,10 @@ optional_policy(` - ') + ') ') - + +optional_policy(` + libs_exec_ldconfig(smoltclient_t) +') + optional_policy(` - rpm_exec(smoltclient_t) - rpm_read_db(smoltclient_t) + rpm_exec(smoltclient_t) + rpm_read_db(smoltclient_t) diff --git a/smsd.fc b/smsd.fc new file mode 100644 index 000000000..4c3fcec7d @@ -103446,7 +103446,7 @@ index cbfe369a6..6594af373 100644 +++ b/smstools.if @@ -1,5 +1,81 @@ ## Tools to send and receive short messages through GSM modems or mobile phones. - + +####################################### +## +## Search smsd lib directories. @@ -103527,14 +103527,14 @@ index cbfe369a6..6594af373 100644 ## ## All of the rules required to @@ -32,7 +108,7 @@ interface(`smstools_admin',` - role_transition $2 smsd_initrc_exec_t system_r; - allow $2 system_r; - + role_transition $2 smsd_initrc_exec_t system_r; + allow $2 system_r; + - files_search_config($1) + files_search_etc($1) - admin_pattern($1, smsd_conf_t) - - files_search_var_lib($1) + admin_pattern($1, smsd_conf_t) + + files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 index 000000000..4f4bdb397 @@ -103638,7 +103638,7 @@ index 000000000..6e3a54de7 + gen_require(` + type snapperd_data_t; + ') -+ ++ + files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots") +') + @@ -103740,20 +103740,20 @@ index 2f0a2f205..1569e3369 100644 +++ b/snmp.fc 
@@ -1,6 +1,6 @@ /etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) - + -/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0) +/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0) /usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0) - + /usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0) @@ -10,9 +10,12 @@ - + /var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) /var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) +/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) - + /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) - + -/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) -/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) @@ -103767,7 +103767,7 @@ index 7a9cc9df7..6085a4160 100644 +++ b/snmp.if @@ -1,5 +1,23 @@ ## Simple network management protocol services. - + +######################################## +## +## Send null signals to snmp. @@ -103790,7 +103790,7 @@ index 7a9cc9df7..6085a4160 100644 ## ## Connect to snmpd with a unix @@ -57,8 +75,7 @@ interface(`snmp_udp_chat',` - + ######################################## ## -## Create, read, write, and delete @@ -103805,11 +103805,11 @@ index 7a9cc9df7..6085a4160 100644 # -interface(`snmp_manage_var_lib_dirs',` +interface(`snmp_read_snmp_var_lib_files',` - gen_require(` - type snmpd_var_lib_t; - ') - - files_search_var_lib($1) + gen_require(` + type snmpd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; + read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) 
@@ -103849,9 +103849,9 @@ index 7a9cc9df7..6085a4160 100644 + type snmpd_var_lib_t; + ') + - allow $1 snmpd_var_lib_t:dir manage_dir_perms; + allow $1 snmpd_var_lib_t:dir manage_dir_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -103861,7 +103861,7 @@ index 7a9cc9df7..6085a4160 100644 ## ## @@ -98,7 +153,7 @@ interface(`snmp_manage_var_lib_files',` - + ######################################## ## -## Read snmpd lib content. @@ -103875,12 +103875,12 @@ index 7a9cc9df7..6085a4160 100644 # -interface(`snmp_read_snmp_var_lib_files',` +interface(`snmp_manage_var_lib_sock_files',` - gen_require(` - type snmpd_var_lib_t; - ') - + gen_require(` + type snmpd_var_lib_t; + ') + + files_search_var_lib($1) - allow $1 snmpd_var_lib_t:dir list_dir_perms; + allow $1 snmpd_var_lib_t:dir list_dir_perms; - read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) - read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) + manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) @@ -103906,22 +103906,22 @@ index 7a9cc9df7..6085a4160 100644 + dontaudit $1 snmpd_var_lib_t:file manage_file_perms; + dontaudit $1 snmpd_var_lib_t:lnk_file manage_lnk_file_perms; ') - + ######################################## @@ -179,8 +255,12 @@ interface(`snmp_admin',` - type snmpd_var_lib_t, snmpd_var_run_t; - ') - + type snmpd_var_lib_t, snmpd_var_run_t; + ') + - allow $1 snmpd_t:process { ptrace signal_perms }; + allow $1 snmpd_t:process signal_perms; + - ps_process_pattern($1, snmpd_t) + ps_process_pattern($1, snmpd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 snmpd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, snmpd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, snmpd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te index 9dcaeb875..e8446db05 100644 --- a/snmp.te @@ -103929,7 +103929,7 @@ index 9dcaeb875..e8446db05 100644 
@@ -26,15 +26,17 @@ files_type(snmpd_var_lib_t) # Local policy # - + -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; +allow snmpd_t self:capability { chown dac_read_search dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; + @@ -103942,11 +103942,11 @@ index 9dcaeb875..e8446db05 100644 +allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; - + -allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t) logging_log_filetrans(snmpd_t, snmpd_log_t, file) - + manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) @@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t) kernel_read_fs_sysctls(snmpd_t) @@ -103955,10 +103955,10 @@ index 9dcaeb875..e8446db05 100644 +kernel_read_proc_symlinks(snmpd_t) +kernel_read_all_proc(snmpd_t) kernel_read_system_state(snmpd_t) - + corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) - + -corenet_all_recvfrom_unlabeled(snmpd_t) corenet_all_recvfrom_netlabel(snmpd_t) corenet_tcp_sendrecv_generic_if(snmpd_t) @@ -103966,7 +103966,7 @@ index 9dcaeb875..e8446db05 100644 @@ -75,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t) corenet_tcp_sendrecv_snmp_port(snmpd_t) corenet_udp_sendrecv_snmp_port(snmpd_t) - + -corenet_sendrecv_snmp_client_packets(snmpd_t) corenet_tcp_connect_agentx_port(snmpd_t) -corenet_sendrecv_snmp_server_packets(snmpd_t) @@ -103976,35 +103976,35 @@ index 9dcaeb875..e8446db05 100644 @@ -94,7 +95,6 @@ domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) domain_exec_all_entry_files(snmpd_t) - + -files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) - + 
@@ -107,15 +107,19 @@ fs_search_auto_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) storage_dontaudit_write_removable_device(snmpd_t) +storage_getattr_fixed_disk_dev(snmpd_t) +storage_getattr_removable_dev(snmpd_t) - + auth_use_nsswitch(snmpd_t) - + init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) +# need write to /var/run/systemd/notify +init_write_pid_socket(snmpd_t) - + logging_send_syslog_msg(snmpd_t) - + -miscfiles_read_localization(snmpd_t) +sysnet_read_config(snmpd_t) - + seutil_dontaudit_search_config(snmpd_t) - + @@ -131,7 +135,11 @@ optional_policy(` ') - + optional_policy(` - corosync_stream_connect(snmpd_t) + fstools_domtrans(snmpd_t) @@ -104013,45 +104013,45 @@ index 9dcaeb875..e8446db05 100644 +optional_policy(` + rhcs_stream_connect_cluster(snmpd_t) ') - + optional_policy(` @@ -140,6 +148,7 @@ optional_policy(` - + optional_policy(` - mta_read_config(snmpd_t) + mta_read_config(snmpd_t) + mta_read_aliases(snmpd_t) - mta_search_queue(snmpd_t) + mta_search_queue(snmpd_t) ') - + diff --git a/snort.if b/snort.if index 7d86b3485..5f581804e 100644 --- a/snort.if +++ b/snort.if @@ -42,8 +42,11 @@ interface(`snort_admin',` - type snort_etc_t, snort_initrc_exec_t; - ') - + type snort_etc_t, snort_initrc_exec_t; + ') + - allow $1 snort_t:process { ptrace signal_perms }; + allow $1 snort_t:process signal_perms; - ps_process_pattern($1, snort_t) + ps_process_pattern($1, snort_t) + tunable_policy(`deny_ptrace',`',` + allow $1 snort_t:process ptrace; + ') - - init_labeled_script_domtrans($1, snort_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, snort_initrc_exec_t) + domain_system_change_exemption($1) 
@@ -51,11 +54,11 @@ interface(`snort_admin',` - allow $2 system_r; - - admin_pattern($1, snort_etc_t) + allow $2 system_r; + + admin_pattern($1, snort_etc_t) - files_search_etc($1) + files_list_etc($1) - - admin_pattern($1, snort_log_t) + + admin_pattern($1, snort_log_t) - logging_search_logs($1) + logging_list_logs($1) - - admin_pattern($1, snort_var_run_t) + + admin_pattern($1, snort_var_run_t) - files_search_pids($1) + files_list_pids($1) ') @@ -104062,7 +104062,7 @@ index 1af72df55..d545f2aea 100644 @@ -29,13 +29,16 @@ files_pid_file(snort_var_run_t) # Local policy # - + -allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; +allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search dac_override }; dontaudit snort_t self:capability sys_tty_config; @@ -104076,66 +104076,66 @@ index 1af72df55..d545f2aea 100644 allow snort_t self:socket create_socket_perms; +# Snort IPS node. unverified. allow snort_t self:netlink_firewall_socket create_socket_perms; - + allow snort_t snort_etc_t:dir list_dir_perms; @@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms; allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; - + manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) -append_files_pattern(snort_t, snort_log_t, snort_log_t) -create_files_pattern(snort_t, snort_log_t, snort_log_t) -setattr_files_pattern(snort_t, snort_log_t, snort_log_t) +manage_files_pattern(snort_t, snort_log_t, snort_log_t) logging_log_filetrans(snort_t, snort_log_t, { file dir }) - + manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) @@ -63,7 +64,6 @@ kernel_request_load_module(snort_t) kernel_dontaudit_read_system_state(snort_t) kernel_read_network_state(snort_t) - + -corenet_all_recvfrom_unlabeled(snort_t) corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) 
@@ -86,18 +86,19 @@ dev_rw_generic_usb_dev(snort_t) - + domain_use_interactive_fds(snort_t) - + -files_read_etc_files(snort_t) files_dontaudit_read_etc_runtime_files(snort_t) - + fs_getattr_all_fs(snort_t) fs_search_auto_mountpoints(snort_t) - + +auth_read_passwd(snort_t) + +auth_use_nsswitch(snort_t) + init_read_utmp(snort_t) - + logging_send_syslog_msg(snort_t) - + -miscfiles_read_localization(snort_t) - sysnet_dns_name_resolve(snort_t) - + userdom_dontaudit_use_unpriv_user_fds(snort_t) diff --git a/sosreport.if b/sosreport.if index 634c6b4fa..f6db7a796 100644 --- a/sosreport.if +++ b/sosreport.if @@ -42,7 +42,7 @@ interface(`sosreport_run',` - ') - - sosreport_domtrans($1) + ') + + sosreport_domtrans($1) - roleattribute $2 sospreport_roles; + roleattribute $2 sosreport_roles; ') - + ######################################## @@ -127,3 +127,22 @@ interface(`sosreport_delete_tmp_files',` - files_delete_tmp_dir_entry($1) - delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) + files_delete_tmp_dir_entry($1) + delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) ') + +######################################## @@ -104163,26 +104163,26 @@ index f2f507dae..0ac6752b4 100644 @@ -13,15 +13,15 @@ type sosreport_exec_t; application_domain(sosreport_t, sosreport_exec_t) role sosreport_roles types sosreport_t; - + -type sosreport_var_run_t; -files_pid_file(sosreport_var_run_t) - type sosreport_tmp_t; files_tmp_file(sosreport_tmp_t) - + type sosreport_tmpfs_t; files_tmpfs_file(sosreport_tmpfs_t) - + +type sosreport_var_run_t; +files_pid_file(sosreport_var_run_t) + optional_policy(` - pulseaudio_tmpfs_content(sosreport_tmpfs_t) + pulseaudio_tmpfs_content(sosreport_tmpfs_t) ') 
@@ -31,12 +31,14 @@ optional_policy(` # Local policy # - + -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search dac_override }; dontaudit sosreport_t self:capability sys_ptrace; @@ -104193,13 +104193,13 @@ index f2f507dae..0ac6752b4 100644 allow sosreport_t self:unix_stream_socket { accept listen }; +allow sosreport_t self:rawip_socket create_socket_perms; +allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms; - + manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) @@ -44,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) - + +manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) +manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) +manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) @@ -104208,7 +104208,7 @@ index f2f507dae..0ac6752b4 100644 + manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) - + @@ -58,6 +66,18 @@ kernel_read_all_sysctls(sosreport_t) kernel_read_software_raid_state(sosreport_t) kernel_search_debugfs(sosreport_t) @@ -104225,9 +104225,9 @@ index f2f507dae..0ac6752b4 100644 +corenet_tcp_connect_http_port(sosreport_t) +corenet_tcp_connect_all_ports(sosreport_t) +corenet_sendrecv_http_client_packets(sosreport_t) - + corecmd_exec_all_executables(sosreport_t) - + @@ -69,6 +89,9 @@ dev_read_urand(sosreport_t) dev_read_raw_memory(sosreport_t) dev_read_sysfs(sosreport_t) 
@@ -104235,7 +104235,7 @@ index f2f507dae..0ac6752b4 100644 +dev_rw_lvm_control(sosreport_t) +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) - + domain_getattr_all_domains(sosreport_t) domain_read_all_domains_state(sosreport_t) @@ -83,7 +106,6 @@ files_list_all(sosreport_t) @@ -104248,47 +104248,47 @@ index f2f507dae..0ac6752b4 100644 files_read_kernel_modules(sosreport_t) @@ -92,25 +114,35 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) - + fs_getattr_all_fs(sosreport_t) +fs_getattr_all_dirs(sosreport_t) fs_list_inotifyfs(sosreport_t) - + storage_dontaudit_read_fixed_disk(sosreport_t) storage_dontaudit_read_removable_device(sosreport_t) - + +term_getattr_pty_fs(sosreport_t) +term_getattr_all_ptys(sosreport_t) term_use_generic_ptys(sosreport_t) - + +# some config files do not have configfile attribute +# sosreport needs to read various files on system +files_read_non_security_files(sosreport_t) + auth_use_nsswitch(sosreport_t) +auth_dontaudit_read_shadow(sosreport_t) - + init_domtrans_script(sosreport_t) +init_getattr_initctl(sosreport_t) +init_status(sosreport_t) +init_stream_connect(sosreport_t) - + libs_domtrans_ldconfig(sosreport_t) +libs_use_ld_so(sosreport_t) - + logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) - + -miscfiles_read_localization(sosreport_t) - -modutils_read_module_deps(sosreport_t) +sysnet_read_config(sosreport_t) - + optional_policy(` - abrt_manage_pid_files(sosreport_t) + abrt_manage_pid_files(sosreport_t) @@ -118,6 +150,14 @@ optional_policy(` - abrt_stream_connect(sosreport_t) + abrt_stream_connect(sosreport_t) ') - + +optional_policy(` + bootloader_exec(sosreport_t) +') @@ -104298,12 +104298,12 @@ index f2f507dae..0ac6752b4 100644 +') + optional_policy(` - cups_stream_connect(sosreport_t) + cups_stream_connect(sosreport_t) ') 
@@ -126,6 +166,20 @@ optional_policy(` - dmesg_domtrans(sosreport_t) + dmesg_domtrans(sosreport_t) ') - + +optional_policy(` + iptables_domtrans(sosreport_t) +') @@ -104319,12 +104319,12 @@ index f2f507dae..0ac6752b4 100644 +') + optional_policy(` - fstools_domtrans(sosreport_t) + fstools_domtrans(sosreport_t) ') @@ -136,6 +190,14 @@ optional_policy(` - optional_policy(` - hal_dbus_chat(sosreport_t) - ') + optional_policy(` + hal_dbus_chat(sosreport_t) + ') + + optional_policy(` + rpm_dbus_chat(sosreport_t) @@ -104334,20 +104334,20 @@ index f2f507dae..0ac6752b4 100644 + networkmanager_dbus_chat(sosreport_t) + ') ') - + optional_policy(` @@ -146,14 +208,36 @@ optional_policy(` - mount_domtrans(sosreport_t) + mount_domtrans(sosreport_t) ') - + +optional_policy(` + prelink_domtrans(sosreport_t) +') + optional_policy(` - pulseaudio_run(sosreport_t, sosreport_roles) + pulseaudio_run(sosreport_t, sosreport_roles) ') - + optional_policy(` - rpm_exec(sosreport_t) - rpm_dontaudit_manage_db(sosreport_t) @@ -104374,27 +104374,27 @@ index f2f507dae..0ac6752b4 100644 + unconfined_signull(sosreport_t) + unconfined_domain(sosreport_t) ') - + optional_policy(` diff --git a/soundserver.if b/soundserver.if index a5abc5a8d..b9eff74cb 100644 --- a/soundserver.if +++ b/soundserver.if @@ -38,9 +38,13 @@ interface(`soundserver_admin',` - type soundd_state_t; - ') - + type soundd_state_t; + ') + - allow $1 soundd_t:process { ptrace signal_perms }; + allow $1 soundd_t:process signal_perms; - ps_process_pattern($1, soundd_t) - + ps_process_pattern($1, soundd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 soundd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, soundd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 soundd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, soundd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 soundd_initrc_exec_t system_r; 
diff --git a/soundserver.te b/soundserver.te index 0919e0c86..df28aadba 100644 --- a/soundserver.te @@ -104402,7 +104402,7 @@ index 0919e0c86..df28aadba 100644 @@ -32,7 +32,7 @@ files_pid_file(soundd_var_run_t) # Declarations # - + -allow soundd_t self:capability dac_override; +allow soundd_t self:capability { dac_read_search dac_override }; dontaudit soundd_t self:capability sys_tty_config; @@ -104411,27 +104411,27 @@ index 0919e0c86..df28aadba 100644 @@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) kernel_read_proc_symlinks(soundd_t) - + -corenet_all_recvfrom_unlabeled(soundd_t) corenet_all_recvfrom_netlabel(soundd_t) corenet_tcp_sendrecv_generic_if(soundd_t) corenet_tcp_sendrecv_generic_node(soundd_t) @@ -81,7 +80,6 @@ dev_write_sound(soundd_t) - + domain_use_interactive_fds(soundd_t) - + -files_read_etc_files(soundd_t) files_read_etc_runtime_files(soundd_t) - + fs_getattr_all_fs(soundd_t) @@ -89,8 +87,6 @@ fs_search_auto_mountpoints(soundd_t) - + logging_send_syslog_msg(soundd_t) - + -miscfiles_read_localization(soundd_t) - sysnet_read_config(soundd_t) - + userdom_dontaudit_use_unpriv_user_fds(soundd_t) diff --git a/spamassassin.fc b/spamassassin.fc index e9bd097b7..5724bcf0f 100644 
@@ -104448,12 +104448,12 @@ index e9bd097b7..5724bcf0f 100644 +/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) - + /etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) /etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) - + /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0) -/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) @@ -104461,7 +104461,7 @@ index e9bd097b7..5724bcf0f 100644 +/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) /usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0) - + -/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) @@ -104470,12 +104470,12 @@ index e9bd097b7..5724bcf0f 100644 -/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/libexec/mimedefang-wrapper -- gen_context(system_u:object_r:spamd_exec_t,s0) - + /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) /var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0) 
@@ -25,7 +32,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0) /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) - + /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) -/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) @@ -104503,7 +104503,7 @@ index 1499b0bbf..e695a62f3 100644 --- a/spamassassin.if +++ b/spamassassin.if @@ -2,39 +2,45 @@ - + ######################################## ## -## Role access for spamassassin. 
@@ -104524,27 +104524,27 @@ index 1499b0bbf..e695a62f3 100644 +## # interface(`spamassassin_role',` - gen_require(` - type spamc_t, spamc_exec_t, spamc_tmp_t; + gen_require(` + type spamc_t, spamc_exec_t, spamc_tmp_t; - type spamassassin_t, spamassassin_exec_t, spamd_home_t; + type spamassassin_t, spamassassin_exec_t; - type spamassassin_home_t, spamassassin_tmp_t; - ') - - role $1 types { spamc_t spamassassin_t }; - - domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + type spamassassin_home_t, spamassassin_tmp_t; + ') + + role $1 types { spamc_t spamassassin_t }; + + domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) + + allow $2 spamassassin_t:process signal_perms; + ps_process_pattern($2, spamassassin_t) + - domtrans_pattern($2, spamc_exec_t, spamc_t) - + domtrans_pattern($2, spamc_exec_t, spamc_t) + - allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms }; - ps_process_pattern($2, { spamc_t spamassassin_t }) + allow $2 spamc_t:process signal_perms; + ps_process_pattern($2, spamc_t) - + - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms }; - allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; @@ -104557,16 +104557,16 @@ index 1499b0bbf..e695a62f3 100644 + relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t) + relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t) ') - + ######################################## @@ -53,13 +59,12 @@ interface(`spamassassin_exec',` - type spamassassin_exec_t; - ') - + type spamassassin_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, spamassassin_exec_t) + can_exec($1, spamassassin_exec_t) ') - + ######################################## ## -## Send generic signals to spamd. 
@@ -104575,7 +104575,7 @@ index 1499b0bbf..e695a62f3 100644 ## ## @@ -77,7 +82,8 @@ interface(`spamassassin_signal_spamd',` - + ######################################## ## -## Execute spamd in the caller domain. @@ -104585,13 +104585,13 @@ index 1499b0bbf..e695a62f3 100644 ## ## @@ -90,13 +96,12 @@ interface(`spamassassin_exec_spamd',` - type spamd_exec_t; - ') - + type spamd_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, spamd_exec_t) + can_exec($1, spamd_exec_t) ') - + ######################################## ## -## Execute spamc in the spamc domain. @@ -104600,14 +104600,14 @@ index 1499b0bbf..e695a62f3 100644 ## ## @@ -109,32 +114,13 @@ interface(`spamassassin_domtrans_client',` - type spamc_t, spamc_exec_t; - ') - + type spamc_t, spamc_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, spamc_exec_t, spamc_t) + domtrans_pattern($1, spamc_exec_t, spamc_t) + allow $1 spamc_exec_t:file ioctl; ') - + ######################################## ## -## Execute spamc in the caller domain. @@ -104635,7 +104635,7 @@ index 1499b0bbf..e695a62f3 100644 ## ## @@ -152,28 +138,28 @@ interface(`spamassassin_kill_client',` - + ######################################## ## -## Execute spamassassin standalone client @@ -104651,11 +104651,11 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_domtrans_local_client',` +interface(`spamassassin_manage_home_client',` - gen_require(` + gen_require(` - type spamassassin_t, spamassassin_exec_t; + type spamc_home_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) + userdom_search_user_home_dirs($1) @@ -104663,7 +104663,7 @@ index 1499b0bbf..e695a62f3 100644 + manage_files_pattern($1, spamc_home_t, spamc_home_t) + manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t) ') - + ######################################## ## -## Create, read, write, and delete 
@@ -104678,12 +104678,12 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_manage_spamd_home_content',` +interface(`spamassassin_read_home_client',` - gen_require(` + gen_require(` - type spamd_home_t; + type spamc_home_t; - ') - - userdom_search_user_home_dirs($1) + ') + + userdom_search_user_home_dirs($1) - allow $1 spamd_home_t:dir manage_dir_perms; - allow $1 spamd_home_t:file manage_file_perms; - allow $1 spamd_home_t:lnk_file manage_lnk_file_perms; @@ -104691,7 +104691,7 @@ index 1499b0bbf..e695a62f3 100644 + read_files_pattern($1, spamc_home_t, spamc_home_t) + read_lnk_files_pattern($1, spamc_home_t, spamc_home_t) ') - + ######################################## ## -## Relabel spamd home content. @@ -104706,18 +104706,18 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_relabel_spamd_home_content',` +interface(`spamassassin_exec_client',` - gen_require(` + gen_require(` - type spamd_home_t; + type spamc_exec_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 spamd_home_t:dir relabel_dir_perms; - allow $1 spamd_home_t:file relabel_file_perms; - allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms; + can_exec($1, spamc_exec_t) ') - + ######################################## ## -## Create objects in user home @@ -104743,15 +104743,15 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_home_filetrans_spamd_home',` +interface(`spamassassin_domtrans_local_client',` - gen_require(` + gen_require(` - type spamd_home_t; + type spamassassin_t, spamassassin_exec_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3) + domtrans_pattern($1, spamassassin_exec_t, spamassassin_t) ') - + ######################################## ## -## Read spamd lib files. @@ -104760,17 +104760,17 @@ index 1499b0bbf..e695a62f3 100644 ## ## 
@@ -258,7 +231,9 @@ interface(`spamassassin_read_lib_files',` - ') - - files_search_var_lib($1) + ') + + files_search_var_lib($1) + list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t) - read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) + read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) + read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t) ') - + ######################################## @@ -283,7 +258,7 @@ interface(`spamassassin_manage_lib_files',` - + ######################################## ## -## Read spamd pid files. @@ -104784,17 +104784,17 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_read_spamd_pid_files',` +interface(`spamassassin_read_spamd_tmp_files',` - gen_require(` + gen_require(` - type spamd_var_run_t; + type spamd_tmp_t; - ') - + ') + - files_search_pids($1) - read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) + files_search_tmp($1) + allow $1 spamd_tmp_t:file read_file_perms; ') - + ######################################## ## -## Read temporary spamd files. @@ -104810,14 +104810,14 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_read_spamd_tmp_files',` +interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` - gen_require(` - type spamd_tmp_t; - ') - + gen_require(` + type spamd_tmp_t; + ') + - allow $1 spamd_tmp_t:file read_file_perms; + dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; ') - + ######################################## ## -## Do not audit attempts to get @@ -104833,16 +104833,16 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` +interface(`spamd_stream_connect',` - gen_require(` + gen_require(` - type spamd_tmp_t; + type spamd_t, spamd_var_run_t; - ') - + ') + - dontaudit $1 spamd_tmp_t:sock_file getattr; + files_search_pids($1) + stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ') - + ######################################## ## -## Connect to spamd with a unix 
@@ -104857,16 +104857,16 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_stream_connect_spamd',` +interface(`spamassassin_read_pid_files',` - gen_require(` + gen_require(` - type spamd_t, spamd_var_run_t; + type spamd_var_run_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) - stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) + read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) ') - + +###################################### +## +## Transition to spamassassin named content @@ -104931,25 +104931,25 @@ index 1499b0bbf..e695a62f3 100644 # -interface(`spamassassin_admin',` +interface(`spamassassin_spamd_admin',` - gen_require(` - type spamd_t, spamd_tmp_t, spamd_log_t; - type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; - type spamd_initrc_exec_t; - ') - + gen_require(` + type spamd_t, spamd_tmp_t, spamd_log_t; + type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t; + type spamd_initrc_exec_t; + ') + - allow $1 spamd_t:process { ptrace signal_perms }; + allow $1 spamd_t:process signal_perms; - ps_process_pattern($1, spamd_t) + ps_process_pattern($1, spamd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 spamd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, spamd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, spamd_initrc_exec_t) + domain_system_change_exemption($1) @@ -403,6 +423,4 @@ interface(`spamassassin_admin',` - - files_list_pids($1) - admin_pattern($1, spamd_var_run_t) + + files_list_pids($1) + admin_pattern($1, spamd_var_run_t) - - spamassassin_role($2, $1) ') @@ -104958,7 +104958,7 @@ index cc58e3578..c7a301d4f 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) - + ## ##

    -## Determine whether spamassassin @@ -104967,7 +104967,7 @@ index cc58e3578..c7a301d4f 100644 ##

    ##
    gen_tunable(spamassassin_can_network, false) - + ## ##

    -## Determine whether spamd can manage @@ -104985,7 +104985,7 @@ index cc58e3578..c7a301d4f 100644 +## +gen_tunable(spamd_update_can_network, false) + - + type spamd_update_t; type spamd_update_exec_t; -init_system_domain(spamd_update_t, spamd_update_exec_t) @@ -105018,13 +105018,13 @@ index cc58e3578..c7a301d4f 100644 -userdom_user_tmp_file(spamc_tmp_t) +application_domain(spamd_update_t, spamd_update_exec_t) +role system_r types spamd_update_t; - + type spamd_t; type spamd_exec_t; @@ -59,12 +39,6 @@ init_daemon_domain(spamd_t, spamd_exec_t) type spamd_compiled_t; files_type(spamd_compiled_t) - + -type spamd_etc_t; -files_config_file(spamd_etc_t) - @@ -105033,24 +105033,24 @@ index cc58e3578..c7a301d4f 100644 - type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) - + @@ -72,87 +46,197 @@ type spamd_log_t; logging_log_file(spamd_log_t) - + type spamd_spool_t; -files_type(spamd_spool_t) +files_spool_file(spamd_spool_t) - + type spamd_tmp_t; files_tmp_file(spamd_tmp_t) - + +# var/lib files type spamd_var_lib_t; files_type(spamd_var_lib_t) - + type spamd_var_run_t; files_pid_file(spamd_var_run_t) - + -######################################## +ifdef(`distro_redhat',` + # spamassassin client executable @@ -105140,7 +105140,7 @@ index cc58e3578..c7a301d4f 100644 -# Standalone local policy +# Standalone program local policy # - + allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamassassin_t self:fd use; allow spamassassin_t self:fifo_file rw_fifo_file_perms; 
@@ -105154,18 +105154,18 @@ index cc58e3578..c7a301d4f 100644 +allow spamassassin_t self:sem create_sem_perms; +allow spamassassin_t self:msgq create_msgq_perms; +allow spamassassin_t self:msg { send receive }; - + manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t) -userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin") - + manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t) files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir }) - + +manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) @@ -105174,9 +105174,9 @@ index cc58e3578..c7a301d4f 100644 +userdom_home_manager(spamassassin_t) + kernel_read_kernel_sysctls(spamassassin_t) - + dev_read_urand(spamassassin_t) - + -fs_getattr_all_fs(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) +fs_getattr_all_fs(spamassassin_t) 
@@ -105187,47 +105187,47 @@ index cc58e3578..c7a301d4f 100644 +corecmd_read_bin_files(spamassassin_t) +corecmd_read_bin_pipes(spamassassin_t) +corecmd_read_bin_sockets(spamassassin_t) - + domain_use_interactive_fds(spamassassin_t) - + -files_read_etc_files(spamassassin_t) files_read_etc_runtime_files(spamassassin_t) files_list_home(spamassassin_t) -files_read_usr_files(spamassassin_t) files_dontaudit_search_var(spamassassin_t) - + logging_send_syslog_msg(spamassassin_t) - + -miscfiles_read_localization(spamassassin_t) +# cjp: this could probably be removed +seutil_read_config(spamassassin_t) - + sysnet_dns_name_resolve(spamassassin_t) - + +# set tunable if you have spamassassin do DNS lookups tunable_policy(`spamassassin_can_network',` - allow spamassassin_t self:tcp_socket { accept listen }; + allow spamassassin_t self:tcp_socket create_stream_socket_perms; + allow spamassassin_t self:udp_socket create_socket_perms; - + - corenet_all_recvfrom_unlabeled(spamassassin_t) - corenet_all_recvfrom_netlabel(spamassassin_t) - corenet_tcp_sendrecv_generic_if(spamassassin_t) + corenet_tcp_sendrecv_generic_if(spamassassin_t) + corenet_udp_sendrecv_generic_if(spamassassin_t) - corenet_tcp_sendrecv_generic_node(spamassassin_t) + corenet_tcp_sendrecv_generic_node(spamassassin_t) + corenet_udp_sendrecv_generic_node(spamassassin_t) - corenet_tcp_sendrecv_all_ports(spamassassin_t) + corenet_tcp_sendrecv_all_ports(spamassassin_t) - + corenet_udp_sendrecv_all_ports(spamassassin_t) - corenet_tcp_connect_all_ports(spamassassin_t) - corenet_sendrecv_all_client_packets(spamassassin_t) + corenet_tcp_connect_all_ports(spamassassin_t) + corenet_sendrecv_all_client_packets(spamassassin_t) + corenet_udp_bind_generic_node(spamassassin_t) + corenet_udp_bind_generic_port(spamassassin_t) + corenet_dontaudit_udp_bind_all_ports(spamassassin_t) + + sysnet_read_config(spamassassin_t) ') - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamassassin_t) - 
fs_manage_nfs_files(spamassassin_t) @@ -105238,7 +105238,7 @@ index cc58e3578..c7a301d4f 100644 + userdom_manage_user_home_content_symlinks(spamd_t) + userdom_exec_user_bin_files(spamd_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamassassin_t) - fs_manage_cifs_files(spamassassin_t) @@ -105247,26 +105247,26 @@ index cc58e3578..c7a301d4f 100644 + # Write pid file and socket in ~/.evolution/cache/tmp + evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) ') - + optional_policy(` - tunable_policy(`spamassassin_can_network && allow_ypbind',` + tunable_policy(`spamassassin_can_network && nis_enabled',` - nis_use_ypbind_uncond(spamassassin_t) - ') + nis_use_ypbind_uncond(spamassassin_t) + ') ') @@ -160,6 +244,8 @@ optional_policy(` optional_policy(` - mta_read_config(spamassassin_t) - sendmail_stub(spamassassin_t) + mta_read_config(spamassassin_t) + sendmail_stub(spamassassin_t) + sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t) + sendmail_dontaudit_rw_tcp_sockets(spamassassin_t) ') - + ######################################## @@ -167,72 +253,95 @@ optional_policy(` # Client local policy # - + -allow spamc_t self:capability dac_override; allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamc_t self:fd use; @@ -105286,11 +105286,11 @@ index cc58e3578..c7a301d4f 100644 +allow spamc_t self:udp_socket create_socket_perms; + +can_exec(spamc_t, spamc_exec_t) - + manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t) files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir }) - + -manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t) 
@@ -105307,10 +105307,10 @@ index cc58e3578..c7a301d4f 100644 +spamassassin_filetrans_admin_home_content(spamc_t) +# for /root/.pyzor +allow spamc_t self:capability { dac_read_search dac_override }; - + list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) - + -stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t) +read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t) +list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t) @@ -105323,10 +105323,10 @@ index cc58e3578..c7a301d4f 100644 +allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; +spamd_stream_connect(spamc_t) +allow spamc_t spamd_tmp_t:file read_inherited_file_perms; - + kernel_read_kernel_sysctls(spamc_t) kernel_read_system_state(spamc_t) - + -corenet_all_recvfrom_unlabeled(spamc_t) +corecmd_exec_bin(spamc_t) + @@ -105342,10 +105342,10 @@ index cc58e3578..c7a301d4f 100644 corenet_tcp_connect_all_ports(spamc_t) +corenet_sendrecv_all_client_packets(spamc_t) +corenet_tcp_connect_spamd_port(spamc_t) - + -corecmd_exec_bin(spamc_t) +fs_search_auto_mountpoints(spamc_t) - + -domain_use_interactive_fds(spamc_t) +# cjp: these should probably be removed: +corecmd_list_bin(spamc_t) 
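Review bot: `allow spamc_t self:capability { dac_read_search dac_override };` on the new side of this hunk grants more than the adjacent `# for /root/.pyzor` comment justifies: reading and searching a root-owned directory needs only dac_read_search, while dac_override also lifts DAC checks for writes and ownership changes. The spamd_update_t rules later in this file use the narrower shape, `allow spamd_update_t self:capability dac_read_search;` with `dontaudit spamd_update_t self:capability dac_override;`, and the same shape would fit here unless spamc is known to write under that directory: `allow spamc_t self:capability dac_read_search;` plus `dontaudit spamc_t self:capability dac_override;`. The collapsed nested markers make it unclear whether this commit adds the line or only carries it, so if it is inherited this is a follow-up rather than a blocker.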
@@ -105353,59 +105353,59 @@ index cc58e3578..c7a301d4f 100644 +corecmd_read_bin_files(spamc_t) +corecmd_read_bin_pipes(spamc_t) +corecmd_read_bin_sockets(spamc_t) - + -fs_getattr_all_fs(spamc_t) -fs_search_auto_mountpoints(spamc_t) +domain_use_interactive_fds(spamc_t) - + files_read_etc_runtime_files(spamc_t) -files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) +# cjp: this may be removable: files_list_home(spamc_t) files_list_var_lib(spamc_t) - + -auth_use_nsswitch(spamc_t) +fs_search_auto_mountpoints(spamc_t) - + -logging_send_syslog_msg(spamc_t) +libs_exec_ldconfig(spamc_t) - + -miscfiles_read_localization(spamc_t) +logging_send_syslog_msg(spamc_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(spamc_t) - fs_manage_nfs_files(spamc_t) - fs_manage_nfs_symlinks(spamc_t) -') +auth_use_nsswitch(spamc_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(spamc_t) - fs_manage_cifs_files(spamc_t) - fs_manage_cifs_symlinks(spamc_t) -') +userdom_home_manager(spamc_t) - + optional_policy(` - abrt_stream_connect(spamc_t) + abrt_stream_connect(spamc_t) @@ -243,19 +352,31 @@ optional_policy(` ') - + optional_policy(` + # Allow connection to spamd socket above - evolution_stream_connect(spamc_t) + evolution_stream_connect(spamc_t) ') - + +optional_policy(` + cyrus_stream_connect(spamc_t) +') + optional_policy(` - milter_manage_spamass_state(spamc_t) + milter_manage_spamass_state(spamc_t) ') - + +optional_policy(` + postfix_domtrans_postdrop(spamc_t) + postfix_search_spool(spamc_t) @@ -105414,23 +105414,23 @@ index cc58e3578..c7a301d4f 100644 +') + optional_policy(` - mta_send_mail(spamc_t) - mta_read_config(spamc_t) - mta_read_queue(spamc_t) + mta_send_mail(spamc_t) + mta_read_config(spamc_t) + mta_read_queue(spamc_t) - sendmail_rw_pipes(spamc_t) - sendmail_stub(spamc_t) + sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) ') - + optional_policy(` 
@@ -267,36 +388,40 @@ optional_policy(` - + ######################################## # -# Daemon local policy +# Server local policy # - + -allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config }; +# Spamassassin, when run as root and using per-user config files, +# setuids to the user running spamc. Comment this if you are not @@ -105454,7 +105454,7 @@ index cc58e3578..c7a301d4f 100644 +allow spamd_t self:unix_stream_socket connectto; +allow spamd_t self:tcp_socket create_stream_socket_perms; +allow spamd_t self:udp_socket create_socket_perms; - + -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) @@ -105472,38 +105472,38 @@ index cc58e3578..c7a301d4f 100644 +list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t) +read_lnk_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t) +rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t) - + +can_exec(spamd_t, spamd_compiled_t) manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t) - + -allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) logging_log_filetrans(spamd_t, spamd_log_t, file) - + manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) @@ -308,7 +433,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) - + -allow spamd_t spamd_var_lib_t:dir list_dir_perms; +# var/lib files for spamd +manage_dirs_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) - + 
@@ -317,12 +443,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) - + -can_exec(spamd_t, { spamd_exec_t spamd_compiled_t }) +read_files_pattern(spamd_t, spamc_home_t, spamc_home_t) + +can_exec(spamd_t, spamd_exec_t) - + kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) - + -corenet_all_recvfrom_unlabeled(spamd_t) corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) @@ -105541,10 +105541,10 @@ index cc58e3578..c7a301d4f 100644 -corecmd_exec_bin(spamd_t) +corenet_sendrecv_imaze_server_packets(spamd_t) +corenet_sendrecv_generic_server_packets(spamd_t) - + dev_read_sysfs(spamd_t) dev_read_urand(spamd_t) - + -domain_use_interactive_fds(spamd_t) - -files_read_usr_files(spamd_t) @@ -105552,10 +105552,10 @@ index cc58e3578..c7a301d4f 100644 - fs_getattr_all_fs(spamd_t) fs_search_auto_mountpoints(spamd_t) - + -auth_use_nsswitch(spamd_t) auth_dontaudit_read_shadow(spamd_t) - + +corecmd_exec_bin(spamd_t) + +domain_use_interactive_fds(spamd_t) @@ -105565,14 +105565,14 @@ index cc58e3578..c7a301d4f 100644 +files_read_var_lib_files(spamd_t) + init_dontaudit_rw_utmp(spamd_t) - + +auth_use_nsswitch(spamd_t) + libs_use_ld_so(spamd_t) libs_use_shared_libs(spamd_t) - + logging_send_syslog_msg(spamd_t) - + -miscfiles_read_localization(spamd_t) - -sysnet_use_ldap(spamd_t) @@ -105598,23 +105598,23 @@ index cc58e3578..c7a301d4f 100644 -') +userdom_search_user_home_dirs(spamd_t) +userdom_home_manager(spamd_t) - + optional_policy(` - amavis_manage_lib_files(spamd_t) + antivirus_stream_connect(spamd_t) + antivirus_manage_db(spamd_t) ') - + optional_policy(` - clamav_stream_connect(spamd_t) + exim_manage_spool_dirs(spamd_t) + exim_manage_spool_files(spamd_t) ') - + optional_policy(` 
@@ -421,21 +529,17 @@ optional_policy(` ') - + optional_policy(` - evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) -') @@ -105624,35 +105624,35 @@ index cc58e3578..c7a301d4f 100644 - exim_manage_spool_files(spamd_t) + milter_manage_spamass_state(spamd_t) ') - + optional_policy(` - milter_manage_spamass_state(spamd_t) + mysql_tcp_connect(spamd_t) + mysql_search_db(spamd_t) + mysql_stream_connect(spamd_t) ') - + optional_policy(` - mysql_stream_connect(spamd_t) - mysql_tcp_connect(spamd_t) + logwatch_manage_cache(spamd_t) ') - + optional_policy(` @@ -443,8 +547,8 @@ optional_policy(` ') - + optional_policy(` - postgresql_stream_connect(spamd_t) - postgresql_tcp_connect(spamd_t) + postgresql_tcp_connect(spamd_t) + postgresql_stream_connect(spamd_t) ') - + optional_policy(` @@ -455,7 +559,17 @@ optional_policy(` optional_policy(` - razor_domtrans(spamd_t) - razor_read_lib_files(spamd_t) + razor_domtrans(spamd_t) + razor_read_lib_files(spamd_t) - razor_manage_home_content(spamd_t) +') + @@ -105666,82 +105666,82 @@ index cc58e3578..c7a301d4f 100644 + spamassassin_filetrans_home_content(spamd_t) + spamassassin_filetrans_admin_home_content(spamd_t) ') - + optional_policy(` @@ -463,9 +577,9 @@ optional_policy(` ') - + optional_policy(` + mta_send_mail(spamd_t) - sendmail_stub(spamd_t) - mta_read_config(spamd_t) + sendmail_stub(spamd_t) + mta_read_config(spamd_t) - mta_send_mail(spamd_t) ') - + optional_policy(` 
@@ -474,32 +588,32 @@ optional_policy(` - + ######################################## # -# Update local policy +# spamd_update local policy # - + -allow spamd_update_t self:capability dac_override; allow spamd_update_t self:fifo_file manage_fifo_file_perms; allow spamd_update_t self:unix_stream_socket create_stream_socket_perms; +allow spamd_update_t self:capability dac_read_search; +dontaudit spamd_update_t self:capability dac_override; - + manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir }) - + +allow spamd_update_t spamd_var_lib_t:dir list_dir_perms; manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) - + -kernel_read_system_state(spamd_update_t) +allow spamd_update_t spamc_home_t:dir search_dir_perms; +allow spamd_update_t spamd_tmp_t:file read_file_perms; + +allow spamd_update_t spamc_home_t:dir search_dir_perms; - + -corenet_all_recvfrom_unlabeled(spamd_update_t) -corenet_all_recvfrom_netlabel(spamd_update_t) -corenet_tcp_sendrecv_generic_if(spamd_update_t) -corenet_tcp_sendrecv_generic_node(spamd_update_t) -corenet_tcp_sendrecv_all_ports(spamd_update_t) +kernel_read_system_state(spamd_update_t) - + -corenet_sendrecv_http_client_packets(spamd_update_t) -+# for updating rules ++# for updating rules corenet_tcp_connect_http_port(spamd_update_t) -corenet_tcp_sendrecv_http_port(spamd_update_t) - + corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) 
@@ -508,25 +622,26 @@ dev_read_urand(spamd_update_t) - + domain_use_interactive_fds(spamd_update_t) - + -files_read_usr_files(spamd_update_t) - + auth_use_nsswitch(spamd_update_t) auth_dontaudit_read_shadow(spamd_update_t) - + -miscfiles_read_localization(spamd_update_t) +mta_read_config(spamd_update_t) - + -userdom_use_user_terminals(spamd_update_t) +userdom_search_admin_dir(spamd_update_t) +userdom_use_inherited_user_ptys(spamd_update_t) - + optional_policy(` - cron_system_entry(spamd_update_t, spamd_update_exec_t) + cron_system_entry(spamd_update_t, spamd_update_exec_t) ') - + -# probably want a solution same as httpd_use_gpg since this will -# give spamd_update a path to users gpg keys -# optional_policy(` @@ -105991,22 +105991,22 @@ index b38b8b180..eb36653b8 100644 --- a/speedtouch.te +++ b/speedtouch.te @@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t) - + domain_use_interactive_fds(speedmgmt_t) - + -files_read_etc_files(speedmgmt_t) -files_read_usr_files(speedmgmt_t) - + fs_getattr_all_fs(speedmgmt_t) fs_search_auto_mountpoints(speedmgmt_t) - + logging_send_syslog_msg(speedmgmt_t) - + -miscfiles_read_localization(speedmgmt_t) - userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t) userdom_dontaudit_search_user_home_dirs(speedmgmt_t) - + diff --git a/squid.fc b/squid.fc index 0a8b0f7c0..2a569691f 100644 --- a/squid.fc 
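Review bot: `allow spamd_update_t spamc_home_t:dir search_dir_perms;` appears twice on the new side of the spamd_update hunk (`@@ -474,32 +588,32 @@`), once before `allow spamd_update_t spamd_tmp_t:file read_file_perms;` and again after the blank line that follows it. checkpolicy merges duplicate allow rules, so this does not break the build, but the second copy should be dropped so the rule set reads as intended. The nested markers are collapsed here, so whether this commit introduces the duplicate or only carries it cannot be told from the hunk.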
@@ -106017,34 +106017,34 @@ index 0a8b0f7c0..2a569691f 100644 +/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/etc/squid/ssl_db(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) - + -/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0) +/usr/libexec/squid/cache_swap\.sh -- gen_context(system_u:object_r:squid_exec_t,s0) - + -/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0) +/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:squid_script_exec_t,s0) + +/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0) - + /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0) - + /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0) +/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:squid_script_exec_t,s0) - + /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - + /var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0) /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0) - + -/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0) +/var/run/squid.* gen_context(system_u:object_r:squid_var_run_t,s0) + +/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - + -/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/lib/ssl_db(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) - + -/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) +/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0) diff --git a/squid.if b/squid.if @@ -106052,13 +106052,13 @@ index 5e1f0534c..e7820bce3 100644 --- a/squid.if +++ b/squid.if 
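Review bot: `/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)` leaves the dot in `lightparser.pl` unescaped, so the file-context regex matches any character in that position rather than a literal period, while the neighbouring entries in this hunk (`cache_swap\.sh`, `cachemgr\.cgi`) escape it. The same slip is on the new side of the sssd.fc hunk (`@@ -106274,30 +106274,30 @@`), where `/var/run/sssd\.pid` becomes `/var/run/sssd.pid`, undoing an escape the old line had. Suggested lines: `/usr/sbin/lightparser\.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)` and `/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)`. The `/var/run/squid.*` and `sssd.*` entries look like intentional wildcards and are not affected.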
@@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',` - type squid_t; - ') - + type squid_t; + ') + - allow $1 squid_t:unix_stream_socket { getattr read write }; + allow $1 squid_t:unix_stream_socket rw_socket_perms; ') - + ######################################## @@ -85,7 +85,6 @@ interface(`squid_rw_stream_sockets',` ## Domain to not audit. @@ -106067,51 +106067,51 @@ index 5e1f0534c..e7820bce3 100644 -## # interface(`squid_dontaudit_search_cache',` - gen_require(` + gen_require(` @@ -213,9 +212,13 @@ interface(`squid_admin',` - type squid_initrc_exec_t, squid_tmp_t; - ') - + type squid_initrc_exec_t, squid_tmp_t; + ') + - allow $1 squid_t:process { ptrace signal_perms }; + allow $1 squid_t:process signal_perms; - ps_process_pattern($1, squid_t) - + ps_process_pattern($1, squid_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 squid_t:process ptrace; + ') + - init_labeled_script_domtrans($1, squid_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 squid_initrc_exec_t system_r; + init_labeled_script_domtrans($1, squid_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te index 03472ed9b..4b272687e 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; files_type(squid_cache_t) - + type squid_conf_t; -files_type(squid_conf_t) +files_config_file(squid_conf_t) - + type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) @@ -37,21 +37,28 @@ init_script_file(squid_initrc_exec_t) type squid_log_t; logging_log_file(squid_log_t) - + +type squid_tmpfs_t; +files_tmpfs_file(squid_tmpfs_t) + type squid_tmp_t; files_tmp_file(squid_tmp_t) - + -type squid_tmpfs_t; -files_tmpfs_file(squid_tmpfs_t) - + type squid_var_run_t; files_pid_file(squid_var_run_t) - + +type squid_cron_t; +type squid_cron_exec_t; +init_daemon_domain(squid_cron_t, squid_cron_exec_t) 
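Review bot: `allow $1 squid_t:unix_stream_socket rw_socket_perms;` on the new side of `squid_rw_stream_sockets` widens the interface beyond what its name promises: in the reference policy permission sets rw_socket_perms also covers bind, connect, setopt, getopt, shutdown, ioctl and setattr, whereas the old line granted only `{ getattr read write }`. If callers only need to exchange data on a socket they already hold, keep the explicit set, `allow $1 squid_t:unix_stream_socket { getattr read write };`, or rename the interface so its scope is visible to callers. The interface's opening line lies outside this hunk, and the collapsed nested markers leave open whether this commit makes the change or only carries it.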
@@ -106122,7 +106122,7 @@ index 03472ed9b..4b272687e 100644 # # Local policy # - + -allow squid_t self:capability { setgid kill setuid dac_override sys_resource }; +allow squid_t self:capability { setgid kill setuid dac_read_search dac_override sys_resource }; dontaudit squid_t self:capability sys_tty_config; @@ -106133,13 +106133,13 @@ index 03472ed9b..4b272687e 100644 manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) files_var_filetrans(squid_t, squid_cache_t, dir, "squid") +filetrans_pattern(squid_t, squid_conf_t, squid_cache_t, dir, "ssl_db") - + allow squid_t squid_conf_t:dir list_dir_perms; allow squid_t squid_conf_t:file read_file_perms; @@ -78,15 +86,19 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t) manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t) logging_log_filetrans(squid_t, squid_log_t, { file dir }) - + +manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) +manage_dirs_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) +fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, { dir file }) @@ -106148,7 +106148,7 @@ index 03472ed9b..4b272687e 100644 manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t) manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t) files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) - + -manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) -fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) - @@ -106157,20 +106157,20 @@ index 03472ed9b..4b272687e 100644 -files_pid_filetrans(squid_t, squid_var_run_t, file) +manage_sock_files_pattern(squid_t, squid_var_run_t, squid_var_run_t) +files_pid_filetrans(squid_t, squid_var_run_t, { dir file sock_file }) - + can_exec(squid_t, squid_exec_t) - + @@ -94,7 +106,6 @@ kernel_read_kernel_sysctls(squid_t) kernel_read_system_state(squid_t) kernel_read_network_state(squid_t) - + -corenet_all_recvfrom_unlabeled(squid_t) corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) 
@@ -132,6 +143,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) corenet_udp_sendrecv_gopher_port(squid_t) - + corenet_sendrecv_squid_server_packets(squid_t) +corenet_sendrecv_squid_client_packets(squid_t) corenet_tcp_bind_squid_port(squid_t) @@ -106178,7 +106178,7 @@ index 03472ed9b..4b272687e 100644 corenet_tcp_sendrecv_squid_port(squid_t) @@ -154,7 +166,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) - + files_read_etc_runtime_files(squid_t) -files_read_usr_files(squid_t) files_search_spool(squid_t) @@ -106186,29 +106186,29 @@ index 03472ed9b..4b272687e 100644 files_getattr_home_dir(squid_t) @@ -172,11 +183,11 @@ auth_use_nsswitch(squid_t) auth_domtrans_chk_passwd(squid_t) - + libs_exec_lib_files(squid_t) +libs_exec_ldconfig(squid_t) - + logging_send_syslog_msg(squid_t) - + miscfiles_read_generic_certs(squid_t) -miscfiles_read_localization(squid_t) - + userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) @@ -197,28 +208,31 @@ tunable_policy(`squid_use_tproxy',` - + optional_policy(` - apache_content_template(squid) + apache_content_template(squid) + apache_content_alias_template(squid, squid) - + - corenet_all_recvfrom_unlabeled(httpd_squid_script_t) - corenet_all_recvfrom_netlabel(httpd_squid_script_t) - corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) - corenet_tcp_sendrecv_generic_node(httpd_squid_script_t) + allow squid_script_t self:tcp_socket create_socket_perms; - + - corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t) - corenet_tcp_connect_http_cache_port(httpd_squid_script_t) - corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) 
@@ -106216,16 +106216,16 @@ index 03472ed9b..4b272687e 100644 + corenet_all_recvfrom_netlabel(squid_script_t) + corenet_tcp_sendrecv_generic_if(squid_script_t) + corenet_tcp_sendrecv_generic_node(squid_script_t) - + - sysnet_dns_name_resolve(httpd_squid_script_t) + corenet_sendrecv_http_cache_client_packets(squid_script_t) + corenet_tcp_connect_http_cache_port(squid_script_t) + corenet_tcp_sendrecv_http_cache_port(squid_script_t) - + - squid_read_config(httpd_squid_script_t) -') + corenet_tcp_connect_squid_port(squid_script_t) - + -optional_policy(` - cron_system_entry(squid_t, squid_exec_t) + sysnet_dns_name_resolve(squid_script_t) @@ -106234,18 +106234,18 @@ index 03472ed9b..4b272687e 100644 + squid_read_config(squid_script_t) + ') ') - + optional_policy(` - kerberos_manage_host_rcache(squid_t) - kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(squid_t, "host_0") + kerberos_manage_host_rcache(squid_t) ') - + optional_policy(` @@ -236,3 +250,24 @@ optional_policy(` optional_policy(` - udev_read_db(squid_t) + udev_read_db(squid_t) ') + +######################################## @@ -106274,30 +106274,30 @@ index dbb005aca..da2394c68 100644 +++ b/sssd.fc 
@@ -1,15 +1,23 @@ /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) - + -/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) +/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) - + -/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_kcm -- gen_context(system_u:object_r:sssd_exec_t,s0) +/usr/libexec/sssd/sssd_secrets -- gen_context(system_u:object_r:sssd_exec_t,s0) - + -/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0) - + -/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) +/usr/libexec/sssd/selinux_child -- gen_context(system_u:object_r:sssd_selinux_manager_exec_t,s0) + +/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) + +/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - + /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0) - + -/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) +/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) - + -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0) @@ -106309,7 +106309,7 @@ index a24045518..47530e258 100644 @@ -1,21 +1,21 @@ -##

    System Security Services Daemon. +## System Security Services Daemon - + ####################################### ## -## Get attributes of sssd executable files. @@ -106331,20 +106331,20 @@ index a24045518..47530e258 100644 + gen_require(` + type sssd_t, sssd_exec_t; + ') - + - allow $1 sssd_exec_t:file getattr_file_perms; + allow $1 sssd_exec_t:file getattr; ') - + ######################################## @@ -33,14 +33,12 @@ interface(`sssd_domtrans',` - type sssd_t, sssd_exec_t; - ') - + type sssd_t, sssd_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, sssd_exec_t, sssd_t) + domtrans_pattern($1, sssd_exec_t, sssd_t) ') - + ######################################## ## -## Execute sssd init scripts in @@ -106354,9 +106354,9 @@ index a24045518..47530e258 100644 ## ## @@ -56,49 +54,91 @@ interface(`sssd_initrc_domtrans',` - init_labeled_script_domtrans($1, sssd_initrc_exec_t) + init_labeled_script_domtrans($1, sssd_initrc_exec_t) ') - + +######################################## +## +## Execute sssd server in the sssd domain. @@ -106402,7 +106402,7 @@ index a24045518..47530e258 100644 + gen_require(` + type sssd_conf_t; + ') - + - files_search_etc($1) - list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) - read_files_pattern($1, sssd_conf_t, sssd_conf_t) @@ -106410,7 +106410,7 @@ index a24045518..47530e258 100644 + list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) + read_files_pattern($1, sssd_conf_t, sssd_conf_t) ') - + ###################################### ## -## Write sssd configuration files. @@ -106436,7 +106436,7 @@ index a24045518..47530e258 100644 + files_search_etc($1) + write_files_pattern($1, sssd_conf_t, sssd_conf_t) +') - + - files_search_etc($1) - write_files_pattern($1, sssd_conf_t, sssd_conf_t) +##################################### 
@@ -106457,7 +106457,7 @@ index a24045518..47530e258 100644 + files_search_etc($1) + create_files_pattern($1, sssd_conf_t, sssd_conf_t) ') - + #################################### ## -## Create, read, write, and delete @@ -106476,24 +106476,24 @@ index a24045518..47530e258 100644 + gen_require(` + type sssd_conf_t; + ') - + - files_search_etc($1) - manage_files_pattern($1, sssd_conf_t, sssd_conf_t) + files_search_etc($1) + manage_files_pattern($1, sssd_conf_t, sssd_conf_t) ') - + ######################################## @@ -131,14 +171,14 @@ interface(`sssd_read_public_files',` - ') - - sssd_search_lib($1) + ') + + sssd_search_lib($1) - allow $1 sssd_public_t:dir list_dir_perms; + list_dirs_pattern($1, sssd_public_t, sssd_public_t) - read_files_pattern($1, sssd_public_t, sssd_public_t) + read_files_pattern($1, sssd_public_t, sssd_public_t) + allow $1 sssd_public_t:file map; ') - + -####################################### +######################################## ## @@ -106509,15 +106509,15 @@ index a24045518..47530e258 100644 # -interface(`sssd_manage_public_files',` +interface(`sssd_delete_public_files',` - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) + gen_require(` + type sssd_public_t; + ') + + sssd_search_lib($1) - manage_files_pattern($1, sssd_public_t, sssd_public_t) + allow $1 sssd_public_t:file unlink; ') - + ######################################## ## -## Read sssd pid files. @@ -106563,7 +106563,7 @@ index a24045518..47530e258 100644 ## ## @@ -176,8 +253,7 @@ interface(`sssd_read_pid_files',` - + ######################################## ## -## Create, read, write, and delete @@ -106573,7 +106573,7 @@ index a24045518..47530e258 100644 ## ## @@ -216,8 +292,7 @@ interface(`sssd_search_lib',` - + ######################################## ## -## Do not audit attempts to search @@ -106583,9 +106583,9 @@ index a24045518..47530e258 100644 ## ## 
@@ -233,6 +308,24 @@ interface(`sssd_dontaudit_search_lib',` - dontaudit $1 sssd_var_lib_t:dir search_dir_perms; + dontaudit $1 sssd_var_lib_t:dir search_dir_perms; ') - + +######################################## +## +## Do not audit attempts to read sssd lib files. @@ -106608,7 +106608,7 @@ index a24045518..47530e258 100644 ## ## Read sssd lib files. @@ -297,8 +390,7 @@ interface(`sssd_dbus_chat',` - + ######################################## ## -## Connect to sssd with a unix @@ -106618,7 +106618,7 @@ index a24045518..47530e258 100644 ## ## @@ -317,8 +409,130 @@ interface(`sssd_stream_connect',` - + ######################################## ## -## All of the rules required to @@ -106761,34 +106761,34 @@ index a24045518..47530e258 100644 ## @@ -335,27 +549,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` - gen_require(` - type sssd_t, sssd_public_t, sssd_initrc_exec_t; + gen_require(` + type sssd_t, sssd_public_t, sssd_initrc_exec_t; - type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t; - type sssd_log_t; + type sssd_unit_file_t; - ') - + ') + - allow $1 sssd_t:process { ptrace signal_perms }; + allow $1 sssd_t:process signal_perms; - ps_process_pattern($1, sssd_t) + ps_process_pattern($1, sssd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 sssd_t:process ptrace; + ') - + + # Allow sssd_t to restart the apache service - sssd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sssd_initrc_exec_t system_r; - allow $2 system_r; - + sssd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 sssd_initrc_exec_t system_r; + allow $2 system_r; + - files_search_etc($1) - admin_pattern($1, sssd_conf_t) + sssd_manage_pids($1) - + - files_search_var_lib($1) - admin_pattern($1, { sssd_var_lib_t sssd_public_t }) + sssd_manage_lib_files($1) - + - files_search_pids($1) - admin_pattern($1, sssd_var_run_t) + admin_pattern($1, sssd_public_t) 
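Review bot: The comment `# Allow sssd_t to restart the apache service` placed above `sssd_initrc_domtrans($1)` in `sssd_admin` names neither the right subject nor the right object: the domain gaining access is the admin domain passed as `$1`, and the script it is allowed to run is sssd's init script, not apache's. Replace it with `# Allow the admin domain ($1) to run the sssd init script`. The interface's closing `')` is in the following hunk.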
@@ -106796,7 +106796,7 @@ index a24045518..47530e258 100644 + sssd_systemctl($1) + admin_pattern($1, sssd_unit_file_t) + allow $1 sssd_unit_file_t:service all_service_perms; - + - logging_search_logs($1) - admin_pattern($1, sssd_log_t) ') @@ -106807,7 +106807,7 @@ index 2d8db1fa3..07cf9c8ac 100644 @@ -28,51 +28,58 @@ logging_log_file(sssd_var_log_t) type sssd_var_run_t; files_pid_file(sssd_var_run_t) - + +type sssd_unit_file_t; +systemd_unit_file(sssd_unit_file_t) + @@ -106821,7 +106821,7 @@ index 2d8db1fa3..07cf9c8ac 100644 -# Local policy +# sssd local policy # - + -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; +allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; allow sssd_t self:capability2 block_suspend; 
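Review bot: The new capability set `allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };` (hunk -106821) adds ipc_lock and fowner to a list that already holds sys_admin and net_admin, with no comment on what each is for. A short comment per non-obvious capability, e.g. `# ipc_lock: <TODO cite the denial or feature that needs it>`, lets a later reviewer shrink the set instead of carrying it forward. The -106796 hunk above also leaves sssd_admin without the `logging_search_logs($1)`/`admin_pattern($1, sssd_log_t)` pair upstream had; if that is intentional, say so in a comment.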
@@ -106831,37 +106831,37 @@ index 2d8db1fa3..07cf9c8ac 100644 allow sssd_t self:key manage_key_perms; -allow sssd_t self:unix_stream_socket { accept connectto listen }; +allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - + read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) +list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t) - + manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) +allow sssd_t sssd_public_t:file map; - + manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +allow sssd_t sssd_var_lib_t:file map; files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) - + -append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) -setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) +manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) - + manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file }) - + kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) +kernel_request_load_module(sssd_t) - + -corenet_all_recvfrom_unlabeled(sssd_t) -corenet_all_recvfrom_netlabel(sssd_t) -corenet_udp_sendrecv_generic_if(sssd_t) @@ -106876,24 +106876,24 @@ index 2d8db1fa3..07cf9c8ac 100644 +corenet_tcp_connect_smbd_port(sssd_t) +corenet_tcp_connect_http_port(sssd_t) +corenet_tcp_connect_http_cache_port(sssd_t) - + corecmd_exec_bin(sssd_t) - + 
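Review bot: `+kernel_request_load_module(sssd_t)` (hunk -106831) lets the daemon trigger kernel module autoloading and is added without a comment, unlike the `# sssd wants to write ...` style used further down in this file. Suggest `# module autoload: <TODO name the subsystem or AVC that needs it>` so the grant can be re-checked rather than inherited. The `file map` allows on sssd_public_t and sssd_var_lib_t in the same hunk presumably cover mmap of the cache databases and are clear enough on their own.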
@@ -83,28 +90,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) - + files_list_tmp(sssd_t) -files_read_etc_files(sssd_t) files_read_etc_runtime_files(sssd_t) -files_read_usr_files(sssd_t) files_list_var_lib(sssd_t) - + fs_list_inotifyfs(sssd_t) +fs_getattr_xattr_fs(sssd_t) - + selinux_validate_context(sssd_t) +seutil_read_config(sssd_t) - + seutil_read_file_contexts(sssd_t) # sssd wants to write /etc/selinux//logins/ for SELinux PAM module -# seutil_rw_login_config_dirs(sssd_t) @@ -106905,45 +106905,45 @@ index 2d8db1fa3..07cf9c8ac 100644 +seutil_dontaudit_access_check_setfiles(sssd_t) +seutil_dontaudit_access_check_semanage_read_lock(sssd_t) +seutil_dontaudit_access_check_semanage_module_store(sssd_t) - + mls_file_read_to_clearance(sssd_t) mls_socket_read_to_clearance(sssd_t) mls_socket_write_to_clearance(sssd_t) mls_trusted_object(sssd_t) - + +# auth_use_nsswitch(sssd_t) auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) +# Bogus allow because we don't handle keyring properly in code. +auth_login_manage_key(sssd_t) - + init_read_utmp(sssd_t) - + 
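Review bot: The three new outbound port rules `corenet_tcp_connect_smbd_port(sssd_t)`, `corenet_tcp_connect_http_port(sssd_t)` and `corenet_tcp_connect_http_cache_port(sssd_t)` (hunk -106876) widen the daemon's network egress without saying which provider needs each. A one-liner such as `# outbound SMB/HTTP for <TODO name the sssd provider or feature>` above the group keeps the rules reviewable. The comment `# sssd wants to write /etc/selinux//logins/` in the same hunk has a doubled slash where a path component is missing, presumably a policy-store name; worth repairing in the patch source.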
@@ -112,18 +127,74 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) - + miscfiles_read_generic_certs(sssd_t) -miscfiles_read_localization(sssd_t) +miscfiles_dontaudit_access_check_cert(sssd_t) +miscfiles_map_generic_certs(sssd_t) - + sysnet_dns_name_resolve(sssd_t) sysnet_use_ldap(sssd_t) - + +userdom_manage_tmp_role(system_r, sssd_t) +userdom_manage_all_users_keys(sssd_t) +userdom_dbus_send_all_users(sssd_t) +userdom_home_reader(sssd_t) + optional_policy(` - dbus_system_bus_client(sssd_t) - dbus_connect_system_bus(sssd_t) + dbus_system_bus_client(sssd_t) + dbus_connect_system_bus(sssd_t) ') - + optional_policy(` - kerberos_read_config(sssd_t) - kerberos_manage_host_rcache(sssd_t) + kerberos_manage_host_rcache(sssd_t) - kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0") + kerberos_read_home_content(sssd_t) @@ -107178,13 +107178,13 @@ index ffde36864..fbfffa42a 100644 @@ -1,4 +1,4 @@ -policy_module(systemtap, 1.1.0) +policy_module(stapserver, 1.1.0) - + ######################################## # @@ -9,12 +9,6 @@ type stapserver_t; type stapserver_exec_t; init_daemon_domain(stapserver_t, stapserver_exec_t) - + -type stapserver_initrc_exec_t; -init_script_file(stapserver_initrc_exec_t) - @@ -107193,11 +107193,11 @@ index ffde36864..fbfffa42a 100644 - type stapserver_var_lib_t; files_type(stapserver_var_lib_t) - + @@ -24,50 +18,64 @@ logging_log_file(stapserver_log_t) type stapserver_var_run_t; files_pid_file(stapserver_var_run_t) - + +type stapserver_tmp_t; +files_tmp_file(stapserver_tmp_t) + @@ -107206,7 +107206,7 @@ index ffde36864..fbfffa42a 100644 -# Local policy +# stapserver local policy # - + -allow stapserver_t self:capability { dac_override kill setuid setgid }; -allow stapserver_t self:process { setrlimit setsched signal }; +#runuser 
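Review bot: `+# Bogus allow because we don't handle keyring properly in code.` above `auth_login_manage_key(sssd_t)` (hunk -106905) admits a workaround without saying what would let it be removed. Suggest `# Workaround: sssd does not yet manage the session keyring correctly; drop auth_login_manage_key once fixed (tracking: <TODO bug id>)`. The same hunk adds `+# auth_use_nsswitch(sssd_t)` as a commented-out rule; either delete it or state why it is disabled, since dead rules tend to be re-enabled blindly. `userdom_manage_all_users_keys(sssd_t)` and `userdom_home_reader(sssd_t)` are also broad grants that would benefit from the same one-line justification.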
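Review bot: `+#runuser` (hunk -107206) is a one-word comment that names a program but not what the rules it introduces are for; the same pattern appears as `+#lspci` above `miscfiles_read_hwdata(stapserver_t)` in the -107245 hunk. Writing them as `# runuser: <TODO what stap-server uses it for>` and `# lspci reads hwdata` would make the following rules self-explanatory. The block headed by `#runuser` continues outside the hunk, so the rules it covers are not visible here.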
@@ -107224,18 +107224,18 @@ index ffde36864..fbfffa42a 100644 -allow stapserver_t stapserver_conf_t:file read_file_perms; +allow stapserver_t self:unix_stream_socket create_stream_socket_perms; +allow stapserver_t self:tcp_socket { accept listen }; - + manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) - + manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) -setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) +manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) - + +manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) +manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t) 
@@ -107245,55 +107245,55 @@ index ffde36864..fbfffa42a 100644 manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) - + -kernel_read_kernel_sysctls(stapserver_t) kernel_read_system_state(stapserver_t) +kernel_read_kernel_sysctls(stapserver_t) +files_list_kernel_modules(stapserver_t) - + corecmd_exec_bin(stapserver_t) corecmd_exec_shell(stapserver_t) - + domain_read_all_domains_state(stapserver_t) +domain_use_interactive_fds(stapserver_t) - + -dev_read_rand(stapserver_t) dev_read_sysfs(stapserver_t) +dev_read_rand(stapserver_t) dev_read_urand(stapserver_t) - + files_list_tmp(stapserver_t) -files_read_usr_files(stapserver_t) files_search_kernel_modules(stapserver_t) - + +fs_search_cgroup_dirs(stapserver_t) +fs_getattr_all_fs(stapserver_t) + auth_use_nsswitch(stapserver_t) - + init_read_utmp(stapserver_t) @@ -75,11 +83,17 @@ init_read_utmp(stapserver_t) logging_send_audit_msgs(stapserver_t) logging_send_syslog_msg(stapserver_t) - + -miscfiles_read_localization(stapserver_t) +#lspci miscfiles_read_hwdata(stapserver_t) - + +systemd_dbus_chat_logind(stapserver_t) + userdom_use_user_terminals(stapserver_t) - + +optional_policy(` + avahi_dbus_chat(stapserver_t) +') + optional_policy(` - consoletype_exec(stapserver_t) + consoletype_exec(stapserver_t) ') @@ -99,3 +113,4 @@ optional_policy(` optional_policy(` - rpm_exec(stapserver_t) + rpm_exec(stapserver_t) ') + diff --git a/stunnel.fc b/stunnel.fc @@ -107302,7 +107302,7 @@ index 49dd63ca1..ae2e798f5 100644 +++ b/stunnel.fc @@ -5,3 +5,5 @@ /usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0) - + /var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0) + +/var/log/stunnel.* -- gen_context(system_u:object_r:stunnel_log_t,s0) @@ -107313,17 +107313,17 @@ index 27a8480bc..89b475bcb 100644 
@@ -12,6 +12,9 @@ init_daemon_domain(stunnel_t, stunnel_exec_t) type stunnel_etc_t; files_config_file(stunnel_etc_t) - + +type stunnel_log_t; +logging_log_file(stunnel_log_t) + type stunnel_tmp_t; files_tmp_file(stunnel_tmp_t) - + @@ -23,9 +26,9 @@ files_pid_file(stunnel_var_run_t) # Local policy # - + -allow stunnel_t self:capability { setgid setuid sys_chroot }; +allow stunnel_t self:capability { setgid setuid sys_nice sys_chroot }; dontaudit stunnel_t self:capability sys_tty_config; @@ -107335,7 +107335,7 @@ index 27a8480bc..89b475bcb 100644 @@ -34,6 +37,9 @@ allow stunnel_t stunnel_etc_t:dir list_dir_perms; allow stunnel_t stunnel_etc_t:file read_file_perms; allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; - + +allow stunnel_t stunnel_log_t:file manage_file_perms; +logging_log_filetrans(stunnel_t, stunnel_log_t, file) + @@ -107343,24 +107343,24 @@ index 27a8480bc..89b475bcb 100644 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) files_tmp_filetrans(stunnel_t, stunnel_tmp_t, { file dir }) @@ -48,7 +54,6 @@ kernel_read_network_state(stunnel_t) - + corecmd_exec_bin(stunnel_t) - + -corenet_all_recvfrom_unlabeled(stunnel_t) corenet_all_recvfrom_netlabel(stunnel_t) corenet_tcp_sendrecv_generic_if(stunnel_t) corenet_tcp_sendrecv_generic_node(stunnel_t) @@ -75,7 +80,6 @@ auth_use_nsswitch(stunnel_t) logging_send_syslog_msg(stunnel_t) - + miscfiles_read_generic_certs(stunnel_t) -miscfiles_read_localization(stunnel_t) - + userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_user_home_dirs(stunnel_t) @@ -105,4 +109,5 @@ optional_policy(` gen_require(` - type stunnel_port_t; + type stunnel_port_t; ') + allow stunnel_t stunnel_port_t:tcp_socket name_bind; @@ -107371,22 +107371,22 @@ index effffd028..0d5c275de 100644 
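Review bot: The stunnel log rules in hunk -107335, `allow stunnel_t stunnel_log_t:file manage_file_perms;` plus `logging_log_filetrans(stunnel_t, stunnel_log_t, file)`, use a raw allow where every other module touched by this patch (sssd, stapserver, sysstat, svnserve) writes `manage_files_pattern(domain, *_log_t, *_log_t)`. Using `manage_files_pattern(stunnel_t, stunnel_log_t, stunnel_log_t)` keeps the style consistent and also carries the directory permissions the pattern macro adds. The `sys_nice` capability added in the preceding hunk (-107313) has no comment; a short why would help.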
@@ -1,8 +1,15 @@ -/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) +/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) - + -/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0) +/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0) - + -/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0) +/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0) - + -/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0) -/var/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) +/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0) +/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) + +/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) -+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) -+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) ++/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) ++/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) + +/var/log/svnserve(/.*)? gen_context(system_u:object_r:svnserve_log_t,s0) diff --git a/svnserve.if b/svnserve.if @@ -107460,7 +107460,7 @@ index 2ac91b6e0..a97033d2b 100644 + + ps_process_pattern($1, svnserve_t) +') - + ######################################## ## -## All of the rules required to 
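Review bot: Two file-context lines in the svnserve.fc hunk (-107371) lose the regex escaping the removed lines had: `/etc/rc\.d/init\.d/svnserve` becomes `/etc/rc.d/init.d/svnserve` and `/var/run/svnserve\.pid` becomes `/var/run/svnserve.pid`. Because fc paths are regular expressions, the unescaped `.` matches any character, so these entries now label more than the intended paths; keep the `\.` form used by the removed lines and by the neighbouring `svnserve\.service` entries. The new `/var/svn`, `/var/subversion/repo` and `/var/lib/subversion/repo` entries are fine as written.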
@@ -107498,22 +107498,22 @@ index 2ac91b6e0..a97033d2b 100644 -## # interface(`svnserve_admin',` - gen_require(` + gen_require(` - type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t; + type svnserve_t; + type svnserve_var_run_t; + type svnserve_unit_file_t; - ') - - allow $1 svnserve_t:process { ptrace signal_perms }; - ps_process_pattern($1, svnserve_t) - + ') + + allow $1 svnserve_t:process { ptrace signal_perms }; + ps_process_pattern($1, svnserve_t) + - init_labeled_script_domtrans($1, svnserve_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 svnserve_initrc_exec_t system_r; - allow $2 system_r; - - files_search_pids($1) + files_search_pids($1) - admin_pattern($1, httpd_var_run_t) + admin_pattern($1, svnserve_var_run_t) + @@ -107533,16 +107533,16 @@ index 49d688d66..07990d975 100644 @@ -12,12 +12,21 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) type svnserve_initrc_exec_t; init_script_file(svnserve_initrc_exec_t) - + +type svnserve_unit_file_t; +systemd_unit_file(svnserve_unit_file_t) + type svnserve_content_t; files_type(svnserve_content_t) - + type svnserve_var_run_t; files_pid_file(svnserve_var_run_t) - + +type svnserve_tmp_t; +files_tmp_file(svnserve_tmp_t) + @@ -107555,7 +107555,7 @@ index 49d688d66..07990d975 100644 @@ -27,6 +36,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms; allow svnserve_t self:tcp_socket create_stream_socket_perms; allow svnserve_t self:unix_stream_socket { listen accept }; - + +manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) +manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) +manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) @@ -107563,29 +107563,29 @@ index 49d688d66..07990d975 100644 + manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) - + 
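Review bot: `svnserve_admin` in hunk -107498 keeps `allow $1 svnserve_t:process { ptrace signal_perms };` unconditionally, while the same patch converts `sssd_admin` (-106761) and `tcsd_admin` (-108565) to `signal_perms` with ptrace gated on the `deny_ptrace` tunable. For consistency change it to `allow $1 svnserve_t:process signal_perms;` and add the same `deny_ptrace` tunable_policy block those two interfaces use. The interface body continues past the hunk, so the remaining admin grants are not visible.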
@@ -34,8 +48,9 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) - + -files_read_etc_files(svnserve_t) -files_read_usr_files(svnserve_t) +manage_files_pattern(svnserve_t, svnserve_log_t, svnserve_log_t) +manage_dirs_pattern(svnserve_t, svnserve_log_t, svnserve_log_t) +logging_log_filetrans(svnserve_t, svnserve_log_t, { dir file }) - + corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t) @@ -52,8 +67,18 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) corenet_udp_bind_svn_port(svnserve_t) corenet_udp_sendrecv_svn_port(svnserve_t) - + -logging_send_syslog_msg(svnserve_t) +dev_read_urand(svnserve_t) - + -miscfiles_read_localization(svnserve_t) +logging_send_syslog_msg(svnserve_t) - + sysnet_dns_name_resolve(svnserve_t) + +optional_policy(` @@ -107990,28 +107990,28 @@ index 01a9d0acd..154872e4b 100644 @@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t) corecmd_exec_bin(sxid_t) corecmd_exec_shell(sxid_t) - + -corenet_all_recvfrom_unlabeled(sxid_t) corenet_all_recvfrom_netlabel(sxid_t) corenet_tcp_sendrecv_generic_if(sxid_t) corenet_udp_sendrecv_generic_if(sxid_t) @@ -66,7 +65,7 @@ fs_list_all(sxid_t) - + term_dontaudit_use_console(sxid_t) - + -files_read_non_auth_files(sxid_t) +files_read_non_security_files(sxid_t) auth_dontaudit_getattr_shadow(sxid_t) - + init_use_fds(sxid_t) @@ -74,8 +73,6 @@ init_use_script_ptys(sxid_t) - + logging_send_syslog_msg(sxid_t) - + -miscfiles_read_localization(sxid_t) - sysnet_read_config(sxid_t) - + userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te index b92f6775a..a2690e315 100644 @@ -108020,11 +108020,11 @@ index b92f6775a..a2690e315 100644 
@@ -20,13 +20,11 @@ logging_log_file(sysstat_log_t) # Local policy # - + -allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config }; +allow sysstat_t self:capability { dac_read_search dac_override sys_admin sys_resource sys_tty_config }; allow sysstat_t self:fifo_file rw_fifo_file_perms; - + manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) -append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) -create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) @@ -108032,41 +108032,41 @@ index b92f6775a..a2690e315 100644 +manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t) manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t) logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir }) - + @@ -38,6 +36,7 @@ kernel_read_kernel_sysctls(sysstat_t) kernel_read_fs_sysctls(sysstat_t) kernel_read_rpc_sysctls(sysstat_t) - + +corecmd_exec_shell(sysstat_t) corecmd_exec_bin(sysstat_t) - + dev_read_sysfs(sysstat_t) @@ -46,11 +45,13 @@ dev_read_urand(sysstat_t) files_search_var(sysstat_t) files_read_etc_runtime_files(sysstat_t) - + -fs_getattr_xattr_fs(sysstat_t) +fs_getattr_all_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) - + +storage_getattr_fixed_disk_dev(sysstat_t) + term_use_console(sysstat_t) -term_use_all_terms(sysstat_t) +term_use_all_inherited_terms(sysstat_t) - + auth_use_nsswitch(sysstat_t) - + @@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t) - + logging_send_syslog_msg(sysstat_t) - + -miscfiles_read_localization(sysstat_t) - userdom_dontaudit_list_user_home_dirs(sysstat_t) - + optional_policy(` - cron_system_entry(sysstat_t, sysstat_exec_t) + cron_system_entry(sysstat_t, sysstat_exec_t) ') + diff --git a/systemtap.fc b/systemtap.fc @@ -108565,45 +108565,45 @@ index 2d6d2c23d..db18a804b 100644 
@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir }) - + -corenet_all_recvfrom_unlabeled(tcpd_t) corenet_all_recvfrom_netlabel(tcpd_t) corenet_tcp_sendrecv_generic_if(tcpd_t) corenet_tcp_sendrecv_generic_node(tcpd_t) @@ -31,15 +30,12 @@ corenet_tcp_sendrecv_all_ports(tcpd_t) - + fs_getattr_xattr_fs(tcpd_t) - + -corecmd_search_bin(tcpd_t) +corecmd_exec_bin(tcpd_t) - + -files_read_etc_files(tcpd_t) files_dontaudit_search_var(tcpd_t) - + logging_send_syslog_msg(tcpd_t) - + -miscfiles_read_localization(tcpd_t) - sysnet_read_config(tcpd_t) - + inetd_domtrans_child(tcpd_t) diff --git a/tcsd.if b/tcsd.if index b42ec1d83..91b8f71dc 100644 --- a/tcsd.if +++ b/tcsd.if @@ -138,8 +138,11 @@ interface(`tcsd_admin',` - type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t; - ') - + type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t; + ') + - allow $1 tcsd_t:process { ptrace signal_perms }; + allow $1 tcsd_t:process signal_perms; - ps_process_pattern($1, tcsd_t) + ps_process_pattern($1, tcsd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 tcsd_t:process ptrace; + ') - - tcsd_initrc_domtrans($1) - domain_system_change_exemption($1) + + tcsd_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/tcsd.te b/tcsd.te index b26d44a8c..5a79afdb5 100644 --- a/tcsd.te @@ -108611,22 +108611,22 @@ index b26d44a8c..5a79afdb5 100644 @@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t) # Local policy # - + -allow tcsd_t self:capability { dac_override setuid }; +allow tcsd_t self:capability { dac_read_search dac_override setuid }; allow tcsd_t self:process { signal sigkill }; allow tcsd_t self:tcp_socket { accept listen }; - + 
@@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t) dev_read_urand(tcsd_t) dev_rw_tpm(tcsd_t) - + -files_read_usr_files(tcsd_t) - auth_use_nsswitch(tcsd_t) - + init_read_utmp(tcsd_t) - + logging_send_syslog_msg(tcsd_t) - -miscfiles_read_localization(tcsd_t) @@ -108654,7 +108654,7 @@ index 6c7f8f8a3..03fc88079 100644 +HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0) +HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) +HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) - + -/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0) -/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0) -/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0) @@ -108694,7 +108694,7 @@ index 42946bc10..9f70e4cf1 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ - + ####################################### ## -## The template to define a telepathy domain. 
@@ -108710,27 +108710,27 @@ index 42946bc10..9f70e4cf1 100644 ## # template(`telepathy_domain_template',` - gen_require(` + gen_require(` - attribute telepathy_domain, telepathy_executable, telepathy_tmp_content; + attribute telepathy_domain; + attribute telepathy_executable; - ') - - type telepathy_$1_t, telepathy_domain; - type telepathy_$1_exec_t, telepathy_executable; + ') + + type telepathy_$1_t, telepathy_domain; + type telepathy_$1_exec_t, telepathy_executable; - userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t) + application_domain(telepathy_$1_t, telepathy_$1_exec_t) + ubac_constrained(telepathy_$1_t) - + - type telepathy_$1_tmp_t, telepathy_tmp_content; + type telepathy_$1_tmp_t; - userdom_user_tmp_file(telepathy_$1_tmp_t) - + userdom_user_tmp_file(telepathy_$1_tmp_t) + + kernel_read_system_state(telepathy_$1_t) + - auth_use_nsswitch(telepathy_$1_t) + auth_use_nsswitch(telepathy_$1_t) ') - + ####################################### ## -## The role template for the telepathy module. @@ -108764,34 +108764,34 @@ index 42946bc10..9f70e4cf1 100644 # -template(`telepathy_role_template',` +template(`telepathy_role',` - gen_require(` + gen_require(` - attribute telepathy_domain, telepathy_tmp_content; + attribute telepathy_domain; - type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; - type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; - type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; + type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; + type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; + type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; 
@@ -63,91 +62,84 @@ template(`telepathy_role_template',` - type telepathy_mission_control_exec_t, telepathy_salut_exec_t; - type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; - type telepathy_msn_exec_t; + type telepathy_mission_control_exec_t, telepathy_salut_exec_t; + type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; + type telepathy_msn_exec_t; - - type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t; - type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t; - type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t; - ') - + ') + - role $2 types telepathy_domain; - - allow $3 telepathy_domain:process { ptrace signal_perms }; - ps_process_pattern($3, telepathy_domain) + role $1 types telepathy_domain; - + - telepathy_gabble_stream_connect($3) - telepathy_msn_stream_connect($3) - telepathy_salut_stream_connect($3) + allow $2 telepathy_domain:process signal_perms; + ps_process_pattern($2, telepathy_domain) - + - dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t) - dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) - dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t) @@ -108804,7 +108804,7 @@ index 42946bc10..9f70e4cf1 100644 + telepathy_gabble_stream_connect($2) + telepathy_msn_stream_connect($2) + telepathy_salut_stream_connect($2) - + - allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms }; 
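Review bot: The renamed template `telepathy_role` (hunk -108764, continuing from the previous line) changes what each positional argument means: the role is now `$1` (`role $1 types telepathy_domain;`), `$2` is the domain that receives `signal_perms` and the stream_connect grants, and `$3` is what `dbus_session_domain($3, ...)` receives, whereas the removed `telepathy_role_template` used `$2` for the role and `$3` for the domain. The parameter documentation block was removed in the same hunk, so add a short param entry for each of the three arguments, or at least a comment stating the new order; callers are not visible here to confirm they were updated. The template body continues outside the hunk.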
@@ -108817,7 +108817,7 @@ index 42946bc10..9f70e4cf1 100644 + dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) + dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) + dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) - + - allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms }; - allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms }; @@ -108842,7 +108842,7 @@ index 42946bc10..9f70e4cf1 100644 - allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + telepathy_dbus_chat($2) ') - + ######################################## ## -## Connect to gabble with a unix @@ -108858,15 +108858,15 @@ index 42946bc10..9f70e4cf1 100644 # -interface(`telepathy_gabble_stream_connect',` +interface(`telepathy_gabble_stream_connect', ` - gen_require(` - type telepathy_gabble_t, telepathy_gabble_tmp_t; - ') - + gen_require(` + type telepathy_gabble_t, telepathy_gabble_tmp_t; + ') + - files_search_tmp($1) - stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) + stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t) + files_search_tmp($1) ') - + ######################################## ## -## Send dbus messages to and from @@ -108906,11 +108906,11 @@ index 42946bc10..9f70e4cf1 100644 # -interface(`telepathy_gabble_dbus_chat',` +interface(`telepathy_gabble_dbus_chat', ` - gen_require(` - type telepathy_gabble_t; - class dbus send_msg; + gen_require(` + type telepathy_gabble_t; + class dbus send_msg; 
@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',` - + ######################################## ## -## Read mission control process state files. @@ -108923,15 +108923,15 @@ index 42946bc10..9f70e4cf1 100644 ## ## @@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',` - ') - - kernel_search_proc($1) + ') + + kernel_search_proc($1) - allow $1 telepathy_mission_control_t:dir list_dir_perms; - allow $1 telepathy_mission_control_t:file read_file_perms; - allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms; + ps_process_pattern($1, telepathy_mission_control_t) ') - + ####################################### ## -## Connect to msn with a unix @@ -108946,15 +108946,15 @@ index 42946bc10..9f70e4cf1 100644 # -interface(`telepathy_msn_stream_connect',` +interface(`telepathy_msn_stream_connect', ` - gen_require(` - type telepathy_msn_t, telepathy_msn_tmp_t; - ') - + gen_require(` + type telepathy_msn_t, telepathy_msn_tmp_t; + ') + - files_search_tmp($1) - stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) + stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t) + files_search_tmp($1) ') - + ######################################## ## -## Connect to salut with a unix @@ -108969,12 +108969,12 @@ index 42946bc10..9f70e4cf1 100644 # -interface(`telepathy_salut_stream_connect',` +interface(`telepathy_salut_stream_connect', ` - gen_require(` - type telepathy_salut_t, telepathy_salut_tmp_t; - ') - + gen_require(` + type telepathy_salut_t, telepathy_salut_tmp_t; + ') + - files_search_tmp($1) - stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) + stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) + files_search_tmp($1) +') + 
@@ -109010,7 +109010,7 @@ index 42946bc10..9f70e4cf1 100644 +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified -+## domain. ++## domain. +##

    +##

    +## No interprocess communication (signals, pipes, @@ -109079,7 +109079,7 @@ index 42946bc10..9f70e4cf1 100644 + + optional_policy(` + gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections") -+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble") ++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble") + gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky") + gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy") + @@ -109111,13 +109111,13 @@ index 9afcbc95c..b19622dc6 100644 --- a/telepathy.te +++ b/telepathy.te @@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2) - + ######################################## # -# Declarations +# Declarations. # - + ## -##

    -## Determine whether telepathy connection @@ -109129,7 +109129,7 @@ index 9afcbc95c..b19622dc6 100644 +##

    ## gen_tunable(telepathy_tcp_connect_generic_network_ports, false) - + ## -##

    -## Determine whether telepathy connection @@ -109141,25 +109141,25 @@ index 9afcbc95c..b19622dc6 100644 +##

    ##
    gen_tunable(telepathy_connect_all_ports, false) - + attribute telepathy_domain; attribute telepathy_executable; -attribute telepathy_tmp_content; - + telepathy_domain_template(gabble) - + @@ -67,179 +66,157 @@ userdom_user_home_content(telepathy_sunshine_home_t) - + ####################################### # -# Gabble local policy +# Telepathy Gabble local policy. # - + -allow telepathy_gabble_t self:tcp_socket { accept listen }; +allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms; allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto }; - + -# ~/.cache/telepathy/gabble/caps-cache.db-journal -manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) @@ -109169,7 +109169,7 @@ index 9afcbc95c..b19622dc6 100644 manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) - + -corenet_all_recvfrom_unlabeled(telepathy_gabble_t) +# ~/.cache/telepathy/gabble/caps-cache.db-journal +optional_policy(` 
@@ -109198,26 +109198,26 @@ index 9afcbc95c..b19622dc6 100644 +corenet_sendrecv_http_client_packets(telepathy_gabble_t) +corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t) +corenet_sendrecv_vnc_client_packets(telepathy_gabble_t) - + dev_read_rand(telepathy_gabble_t) - + files_read_config_files(telepathy_gabble_t) -files_read_usr_files(telepathy_gabble_t) + +fs_getattr_all_fs(telepathy_gabble_t) - + miscfiles_read_all_certs(telepathy_gabble_t) - + tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_gabble_t) - corenet_tcp_connect_all_ports(telepathy_gabble_t) - corenet_tcp_sendrecv_all_ports(telepathy_gabble_t) + corenet_tcp_connect_all_ports(telepathy_gabble_t) + corenet_tcp_sendrecv_all_ports(telepathy_gabble_t) + corenet_udp_sendrecv_all_ports(telepathy_gabble_t) ') - + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) - corenet_tcp_connect_generic_port(telepathy_gabble_t) + corenet_tcp_connect_generic_port(telepathy_gabble_t) - corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) -') - @@ -109226,17 +109226,17 @@ index 9afcbc95c..b19622dc6 100644 - fs_manage_nfs_files(telepathy_gabble_t) + corenet_sendrecv_generic_client_packets(telepathy_gabble_t) ') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) -') +userdom_home_manager(telepathy_gabble_t) - + optional_policy(` - dbus_system_bus_client(telepathy_gabble_t) + dbus_system_bus_client(telepathy_gabble_t) ') - + -# optional_policy(` - # ~/.config/dconf/user - # gnome_manage_generic_home_content(telepathy_gabble_t) 
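Review bot: `+userdom_home_manager(telepathy_gabble_t)` (hunk -109226) replaces home-directory management that was gated on the `use_nfs_home_dirs` and `use_samba_home_dirs` tunables with a single call whose scope is not visible here, and the same hunk adds `gnome_manage_home_config(telepathy_gabble_t)`. For a connection manager that talks to remote servers this deserves a recorded justification, e.g. `# home-dir management: <TODO which files gabble needs beyond its cache and tmp types>`, so that the grant can be narrowed later. The same `userdom_home_manager` call appears for telepathy_logger_t in the -109264 hunk.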
@@ -109244,13 +109244,13 @@ index 9afcbc95c..b19622dc6 100644 +optional_policy(` + gnome_manage_home_config(telepathy_gabble_t) +') - + ####################################### # -# Idle local policy +# Telepathy Idle local policy. # - + corenet_all_recvfrom_netlabel(telepathy_idle_t) -corenet_all_recvfrom_unlabeled(telepathy_idle_t) corenet_tcp_sendrecv_generic_if(telepathy_idle_t) 
@@ -109264,69 +109264,69 @@ index 9afcbc95c..b19622dc6 100644 corenet_tcp_connect_ircd_port(telepathy_idle_t) -corenet_tcp_sendrecv_ircd_port(telepathy_idle_t) +corenet_sendrecv_ircd_client_packets(telepathy_idle_t) - + dev_read_rand(telepathy_idle_t) - + -files_read_usr_files(telepathy_idle_t) - tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_idle_t) - corenet_tcp_connect_all_ports(telepathy_idle_t) - corenet_tcp_sendrecv_all_ports(telepathy_idle_t) + corenet_tcp_connect_all_ports(telepathy_idle_t) + corenet_tcp_sendrecv_all_ports(telepathy_idle_t) + corenet_udp_sendrecv_all_ports(telepathy_idle_t) ') - + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_idle_t) - corenet_tcp_connect_generic_port(telepathy_idle_t) + corenet_tcp_connect_generic_port(telepathy_idle_t) - corenet_tcp_sendrecv_generic_port(telepathy_idle_t) + corenet_sendrecv_generic_client_packets(telepathy_idle_t) ') - + ####################################### # -# Logger local policy +# Telepathy Logger local policy. 
# - + allow telepathy_logger_t self:unix_stream_socket create_socket_perms; - + manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) -filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") +filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir) - + manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) -# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger") - + -files_read_usr_files(telepathy_logger_t) +optional_policy(` + gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir) +') + files_search_pids(telepathy_logger_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_logger_t) - fs_manage_nfs_files(telepathy_logger_t) -') +fs_getattr_all_fs(telepathy_logger_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_logger_t) - fs_manage_cifs_files(telepathy_logger_t) -') +userdom_home_manager(telepathy_logger_t) - + -# optional_policy(` +optional_policy(` - # ~/.config/dconf/user + # ~/.config/dconf/user - # gnome_manage_generic_home_content(telepathy_logger_t) -# ') + gnome_manage_home_config(telepathy_logger_t) +') - + ####################################### # -# Mission-Control local policy 
@@ -109334,7 +109334,7 @@ index 9afcbc95c..b19622dc6 100644 # - allow telepathy_mission_control_t self:process setsched; - + manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") @@ -109342,13 +109342,13 @@ index 9afcbc95c..b19622dc6 100644 + +manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) - + -manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") +filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file }) - + -manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) -# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections") +manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_tmp_t, telepathy_mission_control_tmp_t) 
@@ -109362,42 +109362,42 @@ index 9afcbc95c..b19622dc6 100644 + gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir) + gnome_manage_home_config(telepathy_mission_control_t) +') - + manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) - + dev_read_rand(telepathy_mission_control_t) - + -files_list_tmp(telepathy_mission_control_t) -files_read_usr_files(telepathy_mission_control_t) +fs_getattr_all_fs(telepathy_mission_control_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_mission_control_t) - fs_manage_nfs_files(telepathy_mission_control_t) -') +files_list_tmp(telepathy_mission_control_t) - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_mission_control_t) - fs_manage_cifs_files(telepathy_mission_control_t) -') +userdom_home_manager(telepathy_mission_control_t) - + optional_policy(` - dbus_system_bus_client(telepathy_mission_control_t) + dbus_system_bus_client(telepathy_mission_control_t) @@ -248,59 +225,47 @@ optional_policy(` - devicekit_dbus_chat_power(telepathy_mission_control_t) - ') - optional_policy(` + devicekit_dbus_chat_power(telepathy_mission_control_t) + ') + optional_policy(` - gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t) + gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) - ') - optional_policy(` - networkmanager_dbus_chat(telepathy_mission_control_t) - ') + ') + optional_policy(` + networkmanager_dbus_chat(telepathy_mission_control_t) + ') ') - + -# optional_policy(` - # ~/.config/dconf/user - # gnome_manage_generic_home_content(telepathy_mission_control_t) 
@@ -109407,16 +109407,16 @@ index 9afcbc95c..b19622dc6 100644 + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) + gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) +') - + ####################################### # -# Butterfly and Haze local policy +# Telepathy Butterfly and Haze local policy. # - + allow telepathy_msn_t self:process setsched; +allow telepathy_msn_t self:unix_dgram_socket { write create connect }; - + manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -109427,7 +109427,7 @@ index 9afcbc95c..b19622dc6 100644 - +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) can_exec(telepathy_msn_t, telepathy_msn_tmp_t) - + corenet_all_recvfrom_netlabel(telepathy_msn_t) -corenet_all_recvfrom_unlabeled(telepathy_msn_t) corenet_tcp_sendrecv_generic_if(telepathy_msn_t) @@ -109457,25 +109457,25 @@ index 9afcbc95c..b19622dc6 100644 +corenet_sendrecv_http_client_packets(telepathy_msn_t) +corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) +corenet_sendrecv_msnp_client_packets(telepathy_msn_t) - + init_read_state(telepathy_msn_t) - + 
@@ -310,18 +275,19 @@ logging_send_syslog_msg(telepathy_msn_t) - + miscfiles_read_all_certs(telepathy_msn_t) - + -# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) - tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_msn_t) - corenet_tcp_connect_all_ports(telepathy_msn_t) - corenet_tcp_sendrecv_all_ports(telepathy_msn_t) + corenet_tcp_connect_all_ports(telepathy_msn_t) + corenet_tcp_sendrecv_all_ports(telepathy_msn_t) + corenet_udp_sendrecv_all_ports(telepathy_msn_t) ') - + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_msn_t) - corenet_tcp_connect_generic_port(telepathy_msn_t) + corenet_tcp_connect_generic_port(telepathy_msn_t) - corenet_tcp_sendrecv_generic_port(telepathy_msn_t) + corenet_sendrecv_generic_client_packets(telepathy_msn_t) +') @@ -109483,12 +109483,12 @@ index 9afcbc95c..b19622dc6 100644 +optional_policy(` + gnome_read_gconf_home_files(telepathy_msn_t) ') - + optional_policy(` @@ -332,43 +298,33 @@ optional_policy(` - ') + ') ') - + -# optional_policy(` - # ~/.config/dconf/user - # gnome_manage_generic_home_content(telepathy_msn_t) @@ -109499,13 +109499,13 @@ index 9afcbc95c..b19622dc6 100644 -# Salut local policy +# Telepathy Salut local policy. # - + -allow telepathy_salut_t self:tcp_socket { accept listen }; +allow telepathy_salut_t self:tcp_socket create_stream_socket_perms; - + manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) - + corenet_all_recvfrom_netlabel(telepathy_salut_t) -corenet_all_recvfrom_unlabeled(telepathy_salut_t) corenet_tcp_sendrecv_generic_if(telepathy_salut_t) 
@@ -109518,35 +109518,35 @@ index 9afcbc95c..b19622dc6 100644 corenet_tcp_connect_presence_port(telepathy_salut_t) -corenet_tcp_sendrecv_presence_port(telepathy_salut_t) +corenet_sendrecv_presence_server_packets(telepathy_salut_t) - + tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_salut_t) - corenet_tcp_connect_all_ports(telepathy_salut_t) - corenet_tcp_sendrecv_all_ports(telepathy_salut_t) + corenet_tcp_connect_all_ports(telepathy_salut_t) + corenet_tcp_sendrecv_all_ports(telepathy_salut_t) + corenet_udp_sendrecv_all_ports(telepathy_salut_t) ') - + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_salut_t) - corenet_tcp_connect_generic_port(telepathy_salut_t) + corenet_tcp_connect_generic_port(telepathy_salut_t) - corenet_tcp_sendrecv_generic_port(telepathy_salut_t) + corenet_sendrecv_generic_client_packets(telepathy_salut_t) ') - + optional_policy(` @@ -381,73 +337,51 @@ optional_policy(` - + ####################################### # -# Sofiasip local policy +# Telepathy Sofiasip local policy. # - + -allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms; -allow telepathy_sofiasip_t self:tcp_socket { accept listen }; +allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; +allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms; - + corenet_all_recvfrom_netlabel(telepathy_sofiasip_t) -corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t) corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t) 
@@ -109566,39 +109566,39 @@ index 9afcbc95c..b19622dc6 100644 corenet_tcp_connect_sip_port(telepathy_sofiasip_t) -corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t) +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) - + kernel_request_load_module(telepathy_sofiasip_t) - + tunable_policy(`telepathy_connect_all_ports',` - corenet_sendrecv_all_client_packets(telepathy_sofiasip_t) - corenet_tcp_connect_all_ports(telepathy_sofiasip_t) - corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) + corenet_tcp_connect_all_ports(telepathy_sofiasip_t) + corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t) + corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t) ') - + tunable_policy(`telepathy_tcp_connect_generic_network_ports',` - corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) - corenet_tcp_connect_generic_port(telepathy_sofiasip_t) + corenet_tcp_connect_generic_port(telepathy_sofiasip_t) - corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t) + corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t) ') - + ####################################### # -# Sunshine local policy +# Telepathy Sunshine local policy. # - + manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t) -userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") +userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file }) +userdom_search_user_home_dirs(telepathy_sunshine_t) - + manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) +exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t) files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file) - + -can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t) - -corecmd_exec_bin(telepathy_sunshine_t) 
@@ -109616,48 +109616,48 @@ index 9afcbc95c..b19622dc6 100644 -') - optional_policy(` - xserver_read_xdm_pid(telepathy_sunshine_t) - xserver_stream_connect(telepathy_sunshine_t) + xserver_read_xdm_pid(telepathy_sunshine_t) + xserver_stream_connect(telepathy_sunshine_t) @@ -455,31 +389,51 @@ optional_policy(` - + ####################################### # -# Common telepathy domain local policy +# telepathy domains common policy # - + allow telepathy_domain self:process { getsched signal sigkill }; allow telepathy_domain self:fifo_file rw_fifo_file_perms; +allow telepathy_domain self:tcp_socket create_socket_perms; +allow telepathy_domain self:udp_socket create_socket_perms; - + manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) -# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") +optional_policy(` + gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") +') - + -manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t) -# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy") +corecmd_exec_bin(telepathy_domain) +corecmd_exec_shell(telepathy_domain) - + dev_read_urand(telepathy_domain) - + -kernel_read_system_state(telepathy_domain) - fs_getattr_all_fs(telepathy_domain) fs_search_auto_mountpoints(telepathy_domain) +fs_rw_inherited_tmpfs_files(telepathy_domain) - + -miscfiles_read_localization(telepathy_domain) +userdom_search_user_tmp_dirs(telepathy_domain) +userdom_search_user_home_dirs(telepathy_domain) - + optional_policy(` - automount_dontaudit_getattr_tmp_dirs(telepathy_domain) + automount_dontaudit_getattr_tmp_dirs(telepathy_domain) ') - + +optional_policy(` + gnome_read_generic_cache_files(telepathy_domain) + gnome_write_generic_cache_files(telepathy_domain) 
@@ -109674,7 +109674,7 @@ index 9afcbc95c..b19622dc6 100644 +') + optional_policy(` - xserver_rw_xdm_pipes(telepathy_domain) + xserver_rw_xdm_pipes(telepathy_domain) ') + diff --git a/telnet.te b/telnet.te @@ -109684,7 +109684,7 @@ index d7c863369..0d3d4392a 100644 @@ -27,19 +27,22 @@ files_pid_file(telnetd_var_run_t) # Local policy # - + -allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; +allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override }; allow telnetd_t self:process signal_perms; @@ -109694,58 +109694,58 @@ index d7c863369..0d3d4392a 100644 +allow telnetd_t self:udp_socket create_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; - + allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty(telnetd_t, telnetd_devpts_t) - + allow telnetd_t telnetd_keytab_t:file read_file_perms; - + manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) -files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir }) - + manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t) files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) @@ -48,7 +51,6 @@ kernel_read_kernel_sysctls(telnetd_t) kernel_read_system_state(telnetd_t) kernel_read_network_state(telnetd_t) - + -corenet_all_recvfrom_unlabeled(telnetd_t) corenet_all_recvfrom_netlabel(telnetd_t) corenet_tcp_sendrecv_generic_if(telnetd_t) corenet_tcp_sendrecv_generic_node(telnetd_t) @@ -63,7 +65,6 @@ dev_read_urand(telnetd_t) - + domain_interactive_fd(telnetd_t) - + -files_read_usr_files(telnetd_t) files_read_etc_runtime_files(telnetd_t) files_search_home(telnetd_t) - + 
@@ -76,12 +77,12 @@ init_rw_utmp(telnetd_t) - + logging_send_syslog_msg(telnetd_t) - + -miscfiles_read_localization(telnetd_t) - seutil_read_config(telnetd_t) - + userdom_search_user_home_dirs(telnetd_t) userdom_setattr_user_ptys(telnetd_t) +userdom_manage_user_tmp_files(telnetd_t) +userdom_tmp_filetrans_user_tmp(telnetd_t, file) - + tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs(telnetd_t) + fs_search_nfs(telnetd_t) @@ -93,7 +94,7 @@ tunable_policy(`use_samba_home_dirs',` - + optional_policy(` - kerberos_read_keytab(telnetd_t) + kerberos_read_keytab(telnetd_t) - kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0") + kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0") - kerberos_manage_host_rcache(telnetd_t) - kerberos_use(telnetd_t) + kerberos_manage_host_rcache(telnetd_t) + kerberos_use(telnetd_t) ') diff --git a/tftp.fc b/tftp.fc index 3dd87daf5..0d13384b0 100644 @@ -109754,15 +109754,15 @@ index 3dd87daf5..0d13384b0 100644 @@ -1,9 +1,9 @@ -/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0) +/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0) - + /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0) - + -/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) -/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) +/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) +/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) - + -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) diff --git a/tftp.if b/tftp.if @@ -109772,7 +109772,7 @@ index 9957e300d..cd2132109 100644 @@ -1,8 +1,8 @@ -## Trivial file transfer protocol daemon. +## Trivial file transfer protocol daemon - + ######################################## ## -## Read tftp content files. @@ -109782,11 +109782,11 @@ index 9957e300d..cd2132109 100644 ## 
@@ -13,18 +13,21 @@ interface(`tftp_read_content',` - gen_require(` - type tftpdir_t; + gen_require(` + type tftpdir_t; + type tftpdir_rw_t; - ') - + ') + - files_search_var_lib($1) - allow $1 tftpdir_t:dir list_dir_perms; - allow $1 tftpdir_t:file read_file_perms; @@ -109799,7 +109799,7 @@ index 9957e300d..cd2132109 100644 + read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) + read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -109814,17 +109814,17 @@ index 9957e300d..cd2132109 100644 # -interface(`tftp_manage_rw_content',` +interface(`tftp_search_rw_content',` - gen_require(` - type tftpdir_rw_t; - ') - + gen_require(` + type tftpdir_rw_t; + ') + + search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) - files_search_var_lib($1) + files_search_var_lib($1) - allow $1 tftpdir_rw_t:dir manage_dir_perms; - allow $1 tftpdir_rw_t:file manage_file_perms; - allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms; ') - + ######################################## ## -## Read tftpd configuration files. @@ -109838,17 +109838,17 @@ index 9957e300d..cd2132109 100644 # -interface(`tftp_read_config_files',` +interface(`tftp_read_rw_content',` - gen_require(` + gen_require(` - type tftpd_conf_t; + type tftpdir_rw_t; - ') - + ') + - files_search_etc($1) - allow $1 tftpd_conf_t:file read_file_perms; + files_search_var_lib($1) + read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') - + ######################################## ## -## Create, read, write, and delete 
@@ -109863,17 +109863,17 @@ index 9957e300d..cd2132109 100644 # -interface(`tftp_manage_config_files',` +interface(`tftp_write_rw_content',` - gen_require(` + gen_require(` - type tftpd_conf_t; + type tftpdir_rw_t; - ') - + ') + - files_search_etc($1) - allow $1 tftpd_conf_t:file manage_file_perms; + files_search_var_lib($1) + write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ') - + ######################################## ## -## Create objects in etc directories @@ -109931,16 +109931,16 @@ index 9957e300d..cd2132109 100644 # -interface(`tftp_etc_filetrans_config',` +interface(`tftp_manage_config',` - gen_require(` + gen_require(` - type tftp_conf_t; + type tftpd_etc_t; - ') - + ') + - files_etc_filetrans($1, tftp_conf_t, $2, $3) + manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t) + files_etc_filetrans($1, tftpd_etc_t, file, "tftp") ') - + ######################################## ## ## Create objects in tftpdir directories @@ -109968,15 +109968,15 @@ index 9957e300d..cd2132109 100644 -## # interface(`tftp_filetrans_tftpdir',` - gen_require(` - type tftpdir_rw_t; - ') - + gen_require(` + type tftpdir_rw_t; + ') + + filetrans_pattern($1, tftpdir_rw_t, $2, $3) - files_search_var_lib($1) + files_search_var_lib($1) - filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4) ') - + ######################################## ## -## All of the rules required to @@ -110006,30 +110006,30 @@ index 9957e300d..cd2132109 100644 ## 
@@ -161,18 +202,22 @@ interface(`tftp_filetrans_tftpdir',` interface(`tftp_admin',` - gen_require(` - type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; + gen_require(` + type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; - type tftpd_conf_t; - ') - + ') + - allow $1 tftpd_t:process { ptrace signal_perms }; + allow $1 tftpd_t:process signal_perms; - ps_process_pattern($1, tftpd_t) + ps_process_pattern($1, tftpd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 tftpd_t:process ptrace; + ') - + - files_search_etc($1) - admin_pattern($1, tftpd_conf_t) + files_list_var_lib($1) - + - files_search_var_lib($1) - admin_pattern($1, { tftpdir_t tftpdir_rw_t }) + admin_pattern($1, tftpdir_rw_t) + + admin_pattern($1, tftpdir_t) - - files_list_pids($1) - admin_pattern($1, tftpd_var_run_t) + + files_list_pids($1) + admin_pattern($1, tftpd_var_run_t) + + tftp_manage_config($1) ') @@ -110039,7 +110039,7 @@ index cfaa2a19c..a9bc6f1ff 100644 +++ b/tftp.te @@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0) # - + ## -##

    -## Determine whether tftp can modify @@ -110053,7 +110053,7 @@ index cfaa2a19c..a9bc6f1ff 100644 +##

    ##
    gen_tunable(tftp_anon_write, false) - + ## -##

    -## Determine whether tftp can manage @@ -110065,21 +110065,21 @@ index cfaa2a19c..a9bc6f1ff 100644 ## -gen_tunable(tftp_enable_homedir, false) +gen_tunable(tftp_home_dir, false) - + type tftpd_t; type tftpd_exec_t; init_daemon_domain(tftpd_t, tftpd_exec_t) - + -type tftpd_conf_t; -files_config_file(tftpd_conf_t) - type tftpd_var_run_t; files_pid_file(tftpd_var_run_t) - + @@ -39,6 +33,9 @@ files_type(tftpdir_t) type tftpdir_rw_t; files_type(tftpdir_rw_t) - + +type tftpd_etc_t; +files_config_file(tftpd_etc_t) + @@ -110087,7 +110087,7 @@ index cfaa2a19c..a9bc6f1ff 100644 # # Local policy @@ -46,15 +43,17 @@ files_type(tftpdir_rw_t) - + allow tftpd_t self:capability { setgid setuid sys_chroot }; dontaudit tftpd_t self:capability sys_tty_config; -allow tftpd_t self:tcp_socket { accept listen }; @@ -110098,11 +110098,11 @@ index cfaa2a19c..a9bc6f1ff 100644 +allow tftpd_t self:udp_socket create_socket_perms; +allow tftpd_t self:unix_dgram_socket create_socket_perms; +allow tftpd_t self:unix_stream_socket create_stream_socket_perms; - + allow tftpd_t tftpdir_t:dir list_dir_perms; allow tftpd_t tftpdir_t:file read_file_perms; allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; - + +read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t) + manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) @@ -110111,7 +110111,7 @@ index cfaa2a19c..a9bc6f1ff 100644 @@ -65,18 +64,23 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) kernel_read_system_state(tftpd_t) kernel_read_kernel_sysctls(tftpd_t) - + -corenet_all_recvfrom_unlabeled(tftpd_t) corenet_all_recvfrom_netlabel(tftpd_t) +corenet_tcp_sendrecv_generic_if(tftpd_t) 
@@ -110127,47 +110127,47 @@ index cfaa2a19c..a9bc6f1ff 100644 corenet_udp_bind_tftp_port(tftpd_t) -corenet_udp_sendrecv_tftp_port(tftpd_t) +corenet_sendrecv_tftp_server_packets(tftpd_t) - + dev_read_sysfs(tftpd_t) - + +fs_getattr_all_fs(tftpd_t) +fs_search_auto_mountpoints(tftpd_t) + domain_use_interactive_fds(tftpd_t) - + files_read_etc_runtime_files(tftpd_t) @@ -84,43 +88,46 @@ files_read_var_files(tftpd_t) files_read_var_symlinks(tftpd_t) files_search_var(tftpd_t) - + -fs_getattr_all_fs(tftpd_t) -fs_search_auto_mountpoints(tftpd_t) - auth_use_nsswitch(tftpd_t) - + logging_send_syslog_msg(tftpd_t) - + -miscfiles_read_localization(tftpd_t) miscfiles_read_public_files(tftpd_t) - + userdom_dontaudit_use_unpriv_user_fds(tftpd_t) userdom_dontaudit_use_user_terminals(tftpd_t) -userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file }) +userdom_dontaudit_search_user_home_dirs(tftpd_t) + +userdom_home_manager(tftpd_t) - + tunable_policy(`tftp_anon_write',` - miscfiles_manage_public_files(tftpd_t) + miscfiles_manage_public_files(tftpd_t) ') - + -tunable_policy(`tftp_enable_homedir',` - allow tftpd_t self:capability { dac_override dac_read_search }; +tunable_policy(`tftp_home_dir',` + allow tftpd_t self:capability { dac_override dac_read_search }; - + + # allow access to /home - files_list_home(tftpd_t) + files_list_home(tftpd_t) - userdom_manage_user_home_content_dirs(tftpd_t) - userdom_manage_user_home_content_files(tftpd_t) - userdom_manage_user_home_content_symlinks(tftpd_t) @@ -110181,7 +110181,7 @@ index cfaa2a19c..a9bc6f1ff 100644 + # Needed for permissive mode, to make sure everything gets labeled correctly + userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file }) ') - + -tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',` - fs_manage_nfs_dirs(tftpd_t) - fs_manage_nfs_files(tftpd_t) 
@@ -110190,7 +110190,7 @@ index cfaa2a19c..a9bc6f1ff 100644 + fs_manage_nfs_files(tftpd_t) + fs_read_nfs_symlinks(tftpd_t) ') - + -tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',` - fs_manage_cifs_dirs(tftpd_t) - fs_manage_cifs_files(tftpd_t) @@ -110199,7 +110199,7 @@ index cfaa2a19c..a9bc6f1ff 100644 + fs_manage_cifs_files(tftpd_t) + fs_read_cifs_symlinks(tftpd_t) ') - + optional_policy(` diff --git a/tgtd.fc b/tgtd.fc index 38389e675..ae0f9ab51 100644 @@ -110222,12 +110222,12 @@ index 5406b6ee8..dc5b46e28 100644 --- a/tgtd.if +++ b/tgtd.if @@ -97,6 +97,6 @@ interface(`tgtd_admin',` - files_search_tmp($1) - admin_pattern($1, tgtd_tmp_t) - + files_search_tmp($1) + admin_pattern($1, tgtd_tmp_t) + - files_search_tmpfs($1) + fs_search_tmpfs($1) - admin_pattern($1, tgtd_tmpfs_t) + admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te index d01096386..65498f7a4 100644 @@ -110236,7 +110236,7 @@ index d01096386..65498f7a4 100644 @@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t) # Local policy # - + -allow tgtd_t self:capability sys_resource; -allow tgtd_t self:capability2 block_suspend; +allow tgtd_t self:capability { dac_read_search dac_override ipc_lock sys_resource sys_rawio sys_admin }; @@ -110245,44 +110245,44 @@ index d01096386..65498f7a4 100644 allow tgtd_t self:fifo_file rw_fifo_file_perms; allow tgtd_t self:netlink_route_socket r_netlink_socket_perms; 
@@ -56,15 +56,16 @@ files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) - + kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) +kernel_read_network_state(tgtd_t) - + corenet_all_recvfrom_netlabel(tgtd_t) -corenet_all_recvfrom_unlabeled(tgtd_t) corenet_tcp_sendrecv_generic_if(tgtd_t) corenet_tcp_sendrecv_generic_node(tgtd_t) corenet_tcp_bind_generic_node(tgtd_t) - + corenet_sendrecv_iscsi_server_packets(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) +corenet_tcp_connect_isns_port(tgtd_t) corenet_tcp_sendrecv_iscsi_port(tgtd_t) - + corenet_sendrecv_iscsi_client_packets(tgtd_t) @@ -72,16 +73,18 @@ corenet_tcp_connect_isns_port(tgtd_t) - + dev_read_sysfs(tgtd_t) - + -files_read_etc_files(tgtd_t) +files_list_mnt(tgtd_t) - + fs_read_anon_inodefs_files(tgtd_t) - + +miscfiles_read_generic_certs(tgtd_t) + storage_manage_fixed_disk(tgtd_t) +storage_read_scsi_generic(tgtd_t) +storage_write_scsi_generic(tgtd_t) - + logging_send_syslog_msg(tgtd_t) - + -miscfiles_read_localization(tgtd_t) - optional_policy(` - iscsi_manage_semaphores(tgtd_t) + iscsi_manage_semaphores(tgtd_t) ') diff --git a/thin.fc b/thin.fc new file mode 100644 @@ -110575,7 +110575,7 @@ index 000000000..9524b50aa + dontaudit thumb_t $1:dir list_dir_perms; + dontaudit thumb_t $1:file read_file_perms; + dontaudit thumb_t $1:unix_stream_socket rw_socket_perms; -+ ++ + allow thumb_t $1:shm create_shm_perms; + allow thumb_t $1:sem create_sem_perms; +') @@ -110831,16 +110831,16 @@ index 5e867da56..b25ea6e08 100644 --- a/thunderbird.te +++ b/thunderbird.te @@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t) - + corecmd_exec_shell(thunderbird_t) - + -corenet_all_recvfrom_unlabeled(thunderbird_t) corenet_all_recvfrom_netlabel(thunderbird_t) corenet_tcp_sendrecv_generic_if(thunderbird_t) corenet_tcp_sendrecv_generic_node(thunderbird_t) 
@@ -82,7 +81,6 @@ dev_read_urand(thunderbird_t) dev_dontaudit_search_sysfs(thunderbird_t) - + files_list_tmp(thunderbird_t) -files_read_usr_files(thunderbird_t) files_read_etc_runtime_files(thunderbird_t) @@ -110848,23 +110848,23 @@ index 5e867da56..b25ea6e08 100644 files_read_var_symlinks(thunderbird_t) @@ -98,7 +96,6 @@ fs_search_auto_mountpoints(thunderbird_t) auth_use_nsswitch(thunderbird_t) - + miscfiles_read_fonts(thunderbird_t) -miscfiles_read_localization(thunderbird_t) - + userdom_write_user_tmp_sockets(thunderbird_t) - + @@ -107,23 +104,14 @@ userdom_manage_user_tmp_files(thunderbird_t) - + userdom_manage_user_home_content_dirs(thunderbird_t) userdom_manage_user_home_content_files(thunderbird_t) -userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file }) +userdom_filetrans_home_content(thunderbird_t) - + xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t) xserver_read_xdm_tmp_files(thunderbird_t) xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(thunderbird_t) - fs_manage_nfs_files(thunderbird_t) @@ -110878,9 +110878,9 @@ index 5e867da56..b25ea6e08 100644 -') +# Access ~/.thunderbird +userdom_home_manager(thunderbird_t) - + ifndef(`enable_mls',` - fs_search_removable(thunderbird_t) + fs_search_removable(thunderbird_t) diff --git a/timidity.te b/timidity.te index 97cd15589..49321a5bf 100644 --- a/timidity.te @@ -110888,19 +110888,19 @@ index 97cd15589..49321a5bf 100644 @@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f kernel_read_kernel_sysctls(timidity_t) kernel_read_system_state(timidity_t) - + -corenet_all_recvfrom_unlabeled(timidity_t) corenet_all_recvfrom_netlabel(timidity_t) corenet_tcp_sendrecv_generic_if(timidity_t) corenet_udp_sendrecv_generic_if(timidity_t) 
@@ -51,8 +50,6 @@ dev_write_sound(timidity_t) - + domain_use_interactive_fds(timidity_t) - + -files_read_etc_files(timidity_t) -files_read_usr_files(timidity_t) files_search_tmp(timidity_t) - + fs_search_auto_mountpoints(timidity_t) diff --git a/tlp.fc b/tlp.fc new file mode 100644 @@ -111213,7 +111213,7 @@ index 585a77f95..a00757adc 100644 @@ -5,9 +5,35 @@ policy_module(tmpreaper, 1.7.1) # Declarations # - + +## +##

    +## Determine whether tmpreaper can use @@ -111243,24 +111243,24 @@ index 585a77f95..a00757adc 100644 init_system_domain(tmpreaper_t, tmpreaper_exec_t) +application_domain(tmpreaper_t, tmpreaper_exec_t) +init_nnp_daemon_domain(tmpreaper_t) - + ######################################## # @@ -19,6 +45,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; - + kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) +kernel_delete_unlabeled(tmpreaper_t) - + dev_read_urand(tmpreaper_t) - + @@ -27,15 +54,16 @@ corecmd_exec_shell(tmpreaper_t) - + fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) +fs_setattr_tmpfs_dirs(tmpreaper_t) +fs_delete_tmpfs_files(tmpreaper_t) - + -files_getattr_all_dirs(tmpreaper_t) -files_getattr_all_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) @@ -111270,31 +111270,31 @@ index 585a77f95..a00757adc 100644 +files_setattr_non_security_dirs(tmpreaper_t) +files_getattr_all_dirs(tmpreaper_t) +files_getattr_all_files(tmpreaper_t) - + -mcs_file_read_all(tmpreaper_t) -mcs_file_write_all(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) - + @@ -45,7 +73,6 @@ init_use_inherited_script_ptys(tmpreaper_t) - + logging_send_syslog_msg(tmpreaper_t) - + -miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) - + ifdef(`distro_debian',` 
@@ -53,10 +80,33 @@ ifdef(`distro_debian',` ') - + ifdef(`distro_redhat',` - userdom_list_all_user_home_content(tmpreaper_t) + userdom_list_user_home_content(tmpreaper_t) + userdom_list_admin_dir(tmpreaper_t) - userdom_delete_all_user_home_content_dirs(tmpreaper_t) - userdom_delete_all_user_home_content_files(tmpreaper_t) + userdom_delete_all_user_home_content_dirs(tmpreaper_t) + userdom_delete_all_user_home_content_files(tmpreaper_t) + userdom_delete_all_user_home_content_sock_files(tmpreaper_t) - userdom_delete_all_user_home_content_symlinks(tmpreaper_t) + userdom_delete_all_user_home_content_symlinks(tmpreaper_t) + userdom_setattr_all_user_home_content_dirs(tmpreaper_t) +') + @@ -111317,19 +111317,19 @@ index 585a77f95..a00757adc 100644 + samba_setattr_samba_share_dirs(tmpreaper_t) + ') ') - + optional_policy(` @@ -64,6 +114,7 @@ optional_policy(` ') - + optional_policy(` + apache_delete_sys_content_rw(tmpreaper_t) - apache_list_cache(tmpreaper_t) - apache_delete_cache_dirs(tmpreaper_t) - apache_delete_cache_files(tmpreaper_t) + apache_list_cache(tmpreaper_t) + apache_delete_cache_dirs(tmpreaper_t) + apache_delete_cache_files(tmpreaper_t) @@ -79,7 +130,19 @@ optional_policy(` ') - + optional_policy(` - lpd_manage_spool(tmpreaper_t) + lpd_manage_spool(tmpreaper_t) @@ -111346,11 +111346,11 @@ index 585a77f95..a00757adc 100644 + sandbox_delete_sock_files(tmpreaper_t) + sandbox_setattr_dirs(tmpreaper_t) ') - + optional_policy(` @@ -89,3 +152,8 @@ optional_policy(` optional_policy(` - rpm_manage_cache(tmpreaper_t) + rpm_manage_cache(tmpreaper_t) ') + +optional_policy(` @@ -111961,20 +111961,20 @@ index dce42ecc5..b6b67bffe 100644 
@@ -5,6 +5,8 @@ /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) - + +/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0) + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) /var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) - + diff --git a/tor.if b/tor.if index 61c2e07d6..3b860953c 100644 --- a/tor.if +++ b/tor.if @@ -19,6 +19,30 @@ interface(`tor_domtrans',` - domtrans_pattern($1, tor_exec_t, tor_t) + domtrans_pattern($1, tor_exec_t, tor_t) ') - + +####################################### +##

    +## Execute tor server in the tor domain. @@ -112004,29 +112004,29 @@ index 61c2e07d6..3b860953c 100644 ## All of the rules required to @@ -39,12 +63,18 @@ interface(`tor_domtrans',` interface(`tor_admin',` - gen_require(` - type tor_t, tor_var_log_t, tor_etc_t; + gen_require(` + type tor_t, tor_var_log_t, tor_etc_t; - type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t; + type tor_var_lib_t, tor_var_run_t; + type tor_initrc_exec_t; + type tor_unit_file_t; - ') - + ') + - allow $1 tor_t:process { ptrace signal_perms }; + allow $1 tor_t:process signal_perms; - ps_process_pattern($1, tor_t) - + ps_process_pattern($1, tor_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 tor_t:process ptrace; + ') + - init_labeled_script_domtrans($1, tor_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 tor_initrc_exec_t system_r; + init_labeled_script_domtrans($1, tor_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 tor_initrc_exec_t system_r; @@ -61,4 +91,13 @@ interface(`tor_admin',` - - files_list_pids($1) - admin_pattern($1, tor_var_run_t) + + files_list_pids($1) + admin_pattern($1, tor_var_run_t) + + tor_systemctl($1) + admin_pattern($1, tor_unit_file_t) @@ -112044,7 +112044,7 @@ index 5ceacde8c..9c178da36 100644 @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) ## gen_tunable(tor_bind_all_unreserved_ports, false) - + +## +##

    +## Allow tor to act as a relay @@ -112058,7 +112058,7 @@ index 5ceacde8c..9c178da36 100644 @@ -33,12 +40,15 @@ type tor_var_run_t; files_pid_file(tor_var_run_t) init_daemon_run_dir(tor_var_run_t, "tor") - + +type tor_unit_file_t; +systemd_unit_file(tor_unit_file_t) + @@ -112066,7 +112066,7 @@ index 5ceacde8c..9c178da36 100644 # # Local policy # - + -allow tor_t self:capability { setgid setuid sys_tty_config }; +allow tor_t self:capability { dac_read_search dac_override setgid setuid sys_tty_config }; allow tor_t self:process signal; @@ -112077,7 +112077,7 @@ index 5ceacde8c..9c178da36 100644 manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) files_var_lib_filetrans(tor_t, tor_var_lib_t, dir) +allow tor_t tor_var_lib_t:file map; - + allow tor_t tor_var_log_t:dir setattr_dir_perms; append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) @@ -77,7 +88,6 @@ corenet_tcp_sendrecv_generic_node(tor_t) @@ -112093,26 +112093,26 @@ index 5ceacde8c..9c178da36 100644 corenet_tcp_bind_tor_port(tor_t) corenet_tcp_sendrecv_tor_port(tor_t) +corenet_tcp_bind_hplip_port(tor_t) - + corenet_sendrecv_all_client_packets(tor_t) corenet_tcp_connect_all_ports(tor_t) @@ -98,19 +109,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) - + files_read_etc_runtime_files(tor_t) -files_read_usr_files(tor_t) - + auth_use_nsswitch(tor_t) - + logging_send_syslog_msg(tor_t) - + -miscfiles_read_localization(tor_t) - tunable_policy(`tor_bind_all_unreserved_ports',` - corenet_sendrecv_all_server_packets(tor_t) - corenet_tcp_bind_all_unreserved_ports(tor_t) + corenet_sendrecv_all_server_packets(tor_t) + corenet_tcp_bind_all_unreserved_ports(tor_t) ') - + +tunable_policy(`tor_can_network_relay',` + # allow httpd to work as a relay + corenet_tcp_connect_all_ephemeral_ports(tor_t) @@ -112120,7 +112120,7 @@ index 5ceacde8c..9c178da36 100644 +') + optional_policy(` - seutil_sigchld_newrole(tor_t) + seutil_sigchld_newrole(tor_t) ') 
diff --git a/transproxy.te b/transproxy.te index 34973ee4c..1c9a4c613 100644 @@ -112129,26 +112129,26 @@ index 34973ee4c..1c9a4c613 100644 @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t) kernel_list_proc(transproxy_t) kernel_read_proc_symlinks(transproxy_t) - + -corenet_all_recvfrom_unlabeled(transproxy_t) corenet_all_recvfrom_netlabel(transproxy_t) corenet_tcp_sendrecv_generic_if(transproxy_t) corenet_tcp_sendrecv_generic_node(transproxy_t) @@ -46,15 +45,12 @@ dev_read_sysfs(transproxy_t) - + domain_use_interactive_fds(transproxy_t) - + -files_read_etc_files(transproxy_t) - + fs_getattr_all_fs(transproxy_t) fs_search_auto_mountpoints(transproxy_t) - + logging_send_syslog_msg(transproxy_t) - + -miscfiles_read_localization(transproxy_t) - sysnet_read_config(transproxy_t) - + userdom_dontaudit_use_unpriv_user_fds(transproxy_t) diff --git a/tripwire.te b/tripwire.te index 03aa6b7f0..53c0c7366 100644 @@ -112157,47 +112157,47 @@ index 03aa6b7f0..53c0c7366 100644 @@ -47,7 +47,7 @@ role twprint_roles types twprint_t; # Local policy # - + -allow tripwire_t self:capability { setgid setuid dac_override }; +allow tripwire_t self:capability { setgid setuid dac_read_search dac_override }; - + allow tripwire_t tripwire_etc_t:dir list_dir_perms; allow tripwire_t tripwire_etc_t:file read_file_perms; @@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t) - + logging_send_syslog_msg(tripwire_t) - + -userdom_use_user_terminals(tripwire_t) +userdom_use_inherited_user_terminals(tripwire_t) - + optional_policy(` - cron_system_entry(tripwire_t, tripwire_exec_t) + cron_system_entry(tripwire_t, tripwire_exec_t) @@ -107,9 +107,7 @@ files_search_etc(twadmin_t) - + logging_send_syslog_msg(twadmin_t) - + -miscfiles_read_localization(twadmin_t) - -userdom_use_user_terminals(twadmin_t) +userdom_use_inherited_user_terminals(twadmin_t) - + ######################################## # 
@@ -135,9 +133,7 @@ files_search_var_lib(twprint_t) - + logging_send_syslog_msg(twprint_t) - + -miscfiles_read_localization(twprint_t) - -userdom_use_user_terminals(twprint_t) +userdom_use_inherited_user_terminals(twprint_t) - + ######################################## # @@ -150,6 +146,4 @@ files_read_all_files(siggen_t) - + logging_send_syslog_msg(siggen_t) - + -miscfiles_read_localization(siggen_t) - -userdom_use_user_terminals(siggen_t) @@ -112207,20 +112207,20 @@ index e29db63a2..061fb983c 100644 --- a/tuned.if +++ b/tuned.if @@ -119,9 +119,13 @@ interface(`tuned_admin',` - type tuned_etc_t, tuned_rw_etc_t, tuned_log_t; - ') - + type tuned_etc_t, tuned_rw_etc_t, tuned_log_t; + ') + - allow $1 tuned_t:process { ptrace signal_perms }; + allow $1 tuned_t:process signal_perms; - ps_process_pattern($1, tuned_t) - + ps_process_pattern($1, tuned_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 tuned_t:process ptrace; + ') + - tuned_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 tuned_initrc_exec_t system_r; + tuned_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te index 393a33073..76390e2f6 100644 --- a/tuned.te @@ -112228,17 +112228,17 @@ index 393a33073..76390e2f6 100644 @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) type tuned_log_t; logging_log_file(tuned_log_t) - + +type tuned_tmp_t; +files_tmp_file(tuned_tmp_t) + type tuned_var_run_t; files_pid_file(tuned_var_run_t) - + @@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t) # Local policy # - + -allow tuned_t self:capability { sys_admin sys_nice }; -dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process { setsched signal }; 
@@ -112250,12 +112250,12 @@ index 393a33073..76390e2f6 100644 +allow tuned_t self:netlink_socket create_socket_perms; +allow tuned_t self:udp_socket create_socket_perms; +allow tuned_t self:socket create_socket_perms; - + read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) @@ -41,22 +48,29 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") - + manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) -append_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -create_files_pattern(tuned_t, tuned_log_t, tuned_log_t) @@ -112268,13 +112268,13 @@ index 393a33073..76390e2f6 100644 +manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t) +files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir }) +can_exec(tuned_t, tuned_tmp_t) - + manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) +allow tuned_t tuned_var_run_t:file relabel_file_perms; +can_exec(tuned_t, tuned_var_run_t) - + kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) kernel_read_kernel_sysctls(tuned_t) @@ -112285,7 +112285,7 @@ index 393a33073..76390e2f6 100644 kernel_rw_vm_sysctls(tuned_t) +kernel_setsched(tuned_t) +kernel_rw_all_sysctls(tuned_t) - + corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) @@ -64,31 +78,64 @@ corecmd_exec_shell(tuned_t) @@ -112295,7 +112295,7 @@ index 393a33073..76390e2f6 100644 +dev_rw_cpu_microcode(tuned_t) dev_rw_sysfs(tuned_t) dev_rw_netcontrol(tuned_t) - + -files_read_usr_files(tuned_t) +files_dontaudit_all_access_check(tuned_t) files_dontaudit_search_home(tuned_t) 
@@ -112305,24 +112305,24 @@ index 393a33073..76390e2f6 100644 +fs_getattr_all_fs(tuned_t) +fs_search_all(tuned_t) +fs_rw_hugetlbfs_files(tuned_t) - + -fs_getattr_xattr_fs(tuned_t) +auth_use_nsswitch(tuned_t) - + logging_send_syslog_msg(tuned_t) +#bug in tuned +logging_manage_syslog_config(tuned_t) +logging_filetrans_named_conf(tuned_t) - + -miscfiles_read_localization(tuned_t) +mount_read_pid_files(tuned_t) + +modutils_domtrans_insmod(tuned_t) - + udev_read_pid_files(tuned_t) - + userdom_dontaudit_search_user_home_dirs(tuned_t) - + +optional_policy(` + dbus_system_bus_client(tuned_t) + dbus_connect_system_bus(tuned_t) @@ -112334,9 +112334,9 @@ index 393a33073..76390e2f6 100644 + +# to allow disk tuning optional_policy(` - fstools_domtrans(tuned_t) + fstools_domtrans(tuned_t) ') - + +optional_policy(` + gnome_dontaudit_search_config(tuned_t) +') @@ -112346,20 +112346,20 @@ index 393a33073..76390e2f6 100644 +') + optional_policy(` - mount_domtrans(tuned_t) + mount_domtrans(tuned_t) ') - + +optional_policy(` + policykit_dbus_chat(tuned_t) +') + +# to allow network interface tuning optional_policy(` - sysnet_domtrans_ifconfig(tuned_t) + sysnet_domtrans_ifconfig(tuned_t) ') @@ -96,3 +143,7 @@ optional_policy(` optional_policy(` - unconfined_dbus_send(tuned_t) + unconfined_dbus_send(tuned_t) ') + +optional_policy(` @@ -112371,7 +112371,7 @@ index 1bb0f7c78..372be2f21 100644 +++ b/tvtime.if @@ -1,5 +1,23 @@ ##

    High quality television application. - + +####################################### +## +## Transition to alsa named content @@ -112402,27 +112402,27 @@ index afd2d6c3f..3ce900e99 100644 manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t) -userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir) - + manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t) @@ -61,7 +60,6 @@ dev_read_realtime_clock(tvtime_t) dev_read_sound(tvtime_t) dev_read_urand(tvtime_t) - + -files_read_usr_files(tvtime_t) - + fs_getattr_all_fs(tvtime_t) fs_search_auto_mountpoints(tvtime_t) @@ -69,21 +67,12 @@ fs_search_auto_mountpoints(tvtime_t) auth_use_nsswitch(tvtime_t) - + miscfiles_read_fonts(tvtime_t) -miscfiles_read_localization(tvtime_t) - + -userdom_use_user_terminals(tvtime_t) +userdom_use_inherited_user_terminals(tvtime_t) +userdom_read_user_home_content_files(tvtime_t) - + -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(tvtime_t) - fs_manage_nfs_files(tvtime_t) @@ -112436,26 +112436,26 @@ index afd2d6c3f..3ce900e99 100644 -') +# X access, Home files +userdom_home_manager(tvtime_t) - + optional_policy(` - xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) + xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t) diff --git a/tzdata.te b/tzdata.te index 221c43b84..2b9c49ac1 100644 --- a/tzdata.te +++ b/tzdata.te @@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t) - + locallogin_dontaudit_use_fds(tzdata_t) - + -miscfiles_read_localization(tzdata_t) miscfiles_manage_localization(tzdata_t) miscfiles_etc_filetrans_localization(tzdata_t) - + -userdom_use_user_terminals(tzdata_t) +userdom_use_inherited_user_terminals(tzdata_t) - + optional_policy(` - postfix_search_spool(tzdata_t) + postfix_search_spool(tzdata_t) diff --git a/ucspitcp.te b/ucspitcp.te index 7745b72e6..329c3d899 100644 --- a/ucspitcp.te 
@@ -112463,36 +112463,36 @@ index 7745b72e6..329c3d899 100644 @@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t) corenet_tcp_bind_generic_node(rblsmtpd_t) corenet_udp_bind_generic_port(rblsmtpd_t) - + -files_read_etc_files(rblsmtpd_t) files_search_var(rblsmtpd_t) - + optional_policy(` @@ -82,7 +81,6 @@ corenet_udp_bind_dns_port(ucspitcp_t) corenet_sendrecv_generic_server_packets(ucspitcp_t) corenet_udp_bind_generic_port(ucspitcp_t) - + -files_read_etc_files(ucspitcp_t) files_search_var(ucspitcp_t) - + sysnet_read_config(ucspitcp_t) diff --git a/ulogd.if b/ulogd.if index 9b95c3ef7..a892845bb 100644 --- a/ulogd.if +++ b/ulogd.if @@ -123,8 +123,11 @@ interface(`ulogd_admin',` - type ulogd_var_log_t, ulogd_initrc_exec_t; - ') - + type ulogd_var_log_t, ulogd_initrc_exec_t; + ') + - allow $1 ulogd_t:process { ptrace signal_perms }; + allow $1 ulogd_t:process signal_perms; - ps_process_pattern($1, ulogd_t) + ps_process_pattern($1, ulogd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 ulogd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, ulogd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, ulogd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/ulogd.te b/ulogd.te index de35e5f4c..e710f37a7 100644 --- a/ulogd.te @@ -112508,52 +112508,52 @@ index de35e5f4c..e710f37a7 100644 +allow ulogd_t self:tcp_socket { create_stream_socket_perms connect }; +allow ulogd_t self:udp_socket create_socket_perms; +allow ulogd_t self:unix_dgram_socket create_socket_perms; - + read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) - + 
@@ -42,10 +46,10 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) logging_log_filetrans(ulogd_t, ulogd_var_log_t, file) - + -files_read_etc_files(ulogd_t) -files_read_usr_files(ulogd_t) +kernel_request_load_module(ulogd_t) +kernel_dgram_send(ulogd_t) - + -miscfiles_read_localization(ulogd_t) +logging_send_syslog_msg(ulogd_t) - + sysnet_dns_name_resolve(ulogd_t) - + diff --git a/uml.if b/uml.if index ab5c1d0da..d13105ea7 100644 --- a/uml.if +++ b/uml.if @@ -32,7 +32,7 @@ interface(`uml_role',` - allow uml_t $2:unix_dgram_socket sendto; - - ps_process_pattern($2, uml_t) + allow uml_t $2:unix_dgram_socket sendto; + + ps_process_pattern($2, uml_t) - allow $2 uml_t:process { ptrace signal_perms }; + allow $2 uml_t:process signal_perms; - - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; + + allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; diff --git a/uml.te b/uml.te index b68bd49ff..da0c6912f 100644 --- a/uml.te +++ b/uml.te @@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t) - + corecmd_exec_bin(uml_t) - + -corenet_all_recvfrom_unlabeled(uml_t) corenet_all_recvfrom_netlabel(uml_t) corenet_tcp_sendrecv_generic_if(uml_t) corenet_tcp_sendrecv_generic_node(uml_t) @@ -115,7 +114,13 @@ init_dontaudit_write_utmp(uml_t) - + libs_exec_lib_files(uml_t) - + -userdom_use_user_terminals(uml_t) +# Inherit and use descriptors from newrole. +seutil_use_newrole_fds(uml_t) @@ -112563,28 +112563,28 @@ index b68bd49ff..da0c6912f 100644 + +userdom_use_inherited_user_terminals(uml_t) userdom_attach_admin_tun_iface(uml_t) - + tunable_policy(`use_nfs_home_dirs',` 
@@ -132,10 +137,6 @@ tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_symlinks(uml_t) + fs_manage_cifs_symlinks(uml_t) ') - + -optional_policy(` - seutil_use_newrole_fds(uml_t) -') - optional_policy(` - virt_attach_tun_iface(uml_t) + virt_attach_tun_iface(uml_t) ') @@ -171,8 +172,6 @@ init_use_script_ptys(uml_switch_t) - + logging_send_syslog_msg(uml_switch_t) - + -miscfiles_read_localization(uml_switch_t) - userdom_dontaudit_use_unpriv_user_fds(uml_switch_t) userdom_dontaudit_search_user_home_dirs(uml_switch_t) - + diff --git a/updfstab.te b/updfstab.te index 5ceb91249..232e9ac93 100644 --- a/updfstab.te @@ -112592,7 +112592,7 @@ index 5ceb91249..232e9ac93 100644 @@ -14,7 +14,7 @@ init_system_domain(updfstab_t, updfstab_exec_t) # Local policy # - + -allow updfstab_t self:capability dac_override; +allow updfstab_t self:capability { dac_read_search dac_override }; dontaudit updfstab_t self:capability { sys_admin sys_tty_config }; @@ -112601,7 +112601,7 @@ index 5ceb91249..232e9ac93 100644 @@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t) logging_search_logs(updfstab_t) logging_send_syslog_msg(updfstab_t) - + -miscfiles_read_localization(updfstab_t) - seutil_read_config(updfstab_t) @@ -112610,15 +112610,15 @@ index 5ceb91249..232e9ac93 100644 @@ -75,9 +73,8 @@ seutil_read_file_contexts(updfstab_t) userdom_dontaudit_search_user_home_content(updfstab_t) userdom_dontaudit_use_unpriv_user_fds(updfstab_t) - + -optional_policy(` - auth_domtrans_pam_console(updfstab_t) -') +auth_use_nsswitch(updfstab_t) +auth_domtrans_pam_console(updfstab_t) - + optional_policy(` - dbus_system_bus_client(updfstab_t) + dbus_system_bus_client(updfstab_t) diff --git a/uptime.if b/uptime.if index 01a3234b6..19f472475 100644 --- a/uptime.if @@ -112626,34 +112626,34 @@ index 01a3234b6..19f472475 100644 
@@ -19,7 +19,7 @@ # interface(`uptime_admin',` - gen_require(` + gen_require(` - type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t; + type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t; - type uptimed_spool_t, uptimed_var_run_t; - ') - + type uptimed_spool_t, uptimed_var_run_t; + ') + diff --git a/uptime.te b/uptime.te index 58397dc31..e6b6a3472 100644 --- a/uptime.te +++ b/uptime.te @@ -16,7 +16,7 @@ type uptimed_initrc_exec_t; init_script_file(uptimed_initrc_exec_t) - + type uptimed_spool_t; -files_type(uptimed_spool_t) +files_spool_file(uptimed_spool_t) - + type uptimed_var_run_t; files_pid_file(uptimed_var_run_t) @@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t) - + logging_send_syslog_msg(uptimed_t) - + -miscfiles_read_localization(uptimed_t) - userdom_dontaudit_use_unpriv_user_fds(uptimed_t) userdom_dontaudit_search_user_home_dirs(uptimed_t) - + diff --git a/usbmodules.te b/usbmodules.te index 279e511df..4f79ad697 100644 --- a/usbmodules.te @@ -112661,23 +112661,23 @@ index 279e511df..4f79ad697 100644 @@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t) dev_list_usbfs(usbmodules_t) dev_rw_usbfs(usbmodules_t) - + -files_list_etc(usbmodules_t) - term_read_console(usbmodules_t) term_write_console(usbmodules_t) - + @@ -35,10 +33,12 @@ logging_send_syslog_msg(usbmodules_t) - + miscfiles_read_hwdata(usbmodules_t) - + -modutils_read_module_deps(usbmodules_t) - -userdom_use_user_terminals(usbmodules_t) +userdom_use_inherited_user_terminals(usbmodules_t) - + optional_policy(` - hotplug_read_config(usbmodules_t) + hotplug_read_config(usbmodules_t) ') + +optional_policy(` @@ -112689,7 +112689,7 @@ index 220f6add1..ccbb5dabc 100644 +++ b/usbmuxd.fc 
@@ -1,3 +1,6 @@ /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) - + -/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0) @@ -112700,8 +112700,8 @@ index 1ec5e996b..5b6c80bba 100644 --- a/usbmuxd.if +++ b/usbmuxd.if @@ -38,3 +38,67 @@ interface(`usbmuxd_stream_connect',` - files_search_pids($1) - stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) + files_search_pids($1) + stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t) ') + +######################################## @@ -112772,16 +112772,16 @@ index 34a891755..933baa42d 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,34 +10,58 @@ roleattribute system_r usbmuxd_roles; - + type usbmuxd_t; type usbmuxd_exec_t; +init_system_domain(usbmuxd_t, usbmuxd_exec_t) application_domain(usbmuxd_t, usbmuxd_exec_t) role usbmuxd_roles types usbmuxd_t; - + type usbmuxd_var_run_t; files_pid_file(usbmuxd_var_run_t) - + +type usbmuxd_var_lib_t; +files_type(usbmuxd_var_lib_t) + @@ -112792,7 +112792,7 @@ index 34a891755..933baa42d 100644 # # Local policy # - + -allow usbmuxd_t self:capability { kill setgid setuid }; -allow usbmuxd_t self:process { signal signull }; +allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid }; 
@@ -112801,12 +112801,12 @@ index 34a891755..933baa42d 100644 allow usbmuxd_t self:fifo_file rw_fifo_file_perms; +allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow usbmuxd_t self:unix_stream_socket connectto; - + manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file }) - + +manage_dirs_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) +manage_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) +manage_lnk_files_pattern(usbmuxd_t, usbmuxd_var_lib_t, usbmuxd_var_lib_t) @@ -112814,13 +112814,13 @@ index 34a891755..933baa42d 100644 + kernel_read_kernel_sysctls(usbmuxd_t) kernel_read_system_state(usbmuxd_t) - + dev_read_sysfs(usbmuxd_t) +dev_read_urand(usbmuxd_t) dev_rw_generic_usb_dev(usbmuxd_t) - + auth_use_nsswitch(usbmuxd_t) - + -miscfiles_read_localization(usbmuxd_t) - logging_send_syslog_msg(usbmuxd_t) @@ -112844,7 +112844,7 @@ index c416a833e..cd83b89ee 100644 +# /etc +# +/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0) - + -/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0) - -/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0) @@ -112861,49 +112861,49 @@ index 98b51fd0b..c7e44cada 100644 @@ -1,4 +1,4 @@ -## A wrapper that helps users run system programs. +## SELinux utility to run a shell with a new role - + ####################################### ## 
@@ -23,9 +23,9 @@ # template(`userhelper_role_template',` - gen_require(` + gen_require(` - attribute userhelper_type, consolehelper_type; - attribute_role userhelper_roles, consolehelper_roles; - type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t; + attribute userhelper_type; + type userhelper_exec_t, userhelper_conf_t; + class dbus send_msg; - ') - - ######################################## + ') + + ######################################## @@ -33,64 +33,123 @@ template(`userhelper_role_template',` - # Declarations - # - + # Declarations + # + - type $1_consolehelper_t, consolehelper_type; - userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t) -- +- - role consolehelper_roles types $1_consolehelper_t; - roleattribute $2 consolehelper_roles; - - type $1_userhelper_t, userhelper_type; - userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) -- - domain_role_change_exemption($1_userhelper_t) - domain_obj_id_change_exemption($1_userhelper_t) - domain_interactive_fd($1_userhelper_t) - domain_subj_id_change_exemption($1_userhelper_t) + type $1_userhelper_t, userhelper_type; + userdom_user_application_domain($1_userhelper_t, userhelper_exec_t) - + domain_role_change_exemption($1_userhelper_t) + domain_obj_id_change_exemption($1_userhelper_t) + domain_interactive_fd($1_userhelper_t) + domain_subj_id_change_exemption($1_userhelper_t) +- - role userhelper_roles types $1_userhelper_t; - roleattribute $2 userhelper_roles; + role $2 types $1_userhelper_t; - - ######################################## - # + + ######################################## + # - # Consolehelper local policy + # Local policy - # + # + allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search dac_override chown sys_tty_config }; + allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_userhelper_t self:process setexec; 
@@ -112921,30 +112921,30 @@ index 98b51fd0b..c7e44cada 100644 + + #Transition to the derived domain. + domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) - + - allow $1_consolehelper_t $3:unix_stream_socket connectto; + allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms; + rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t) - + - domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t) + can_exec($1_userhelper_t, userhelper_exec_t) - + - allow $3 $1_consolehelper_t:process { ptrace signal_perms }; - ps_process_pattern($3, $1_consolehelper_t) + dontaudit $3 $1_userhelper_t:process signal; - + - auth_use_pam($1_consolehelper_t) + kernel_read_all_sysctls($1_userhelper_t) + kernel_getattr_debugfs($1_userhelper_t) + kernel_read_system_state($1_userhelper_t) - + - optional_policy(` - dbus_connect_all_session_bus($1_consolehelper_t) + # Execute shells + corecmd_exec_shell($1_userhelper_t) + # By default, revert to the calling domain when a program is executed + corecmd_bin_domtrans($1_userhelper_t, $3) - + - optional_policy(` - userhelper_dbus_chat_all_consolehelper($3) - ') @@ -112987,7 +112987,7 @@ index 98b51fd0b..c7e44cada 100644 + # Access terminals. + term_use_all_ttys($1_userhelper_t) + term_use_all_ptys($1_userhelper_t) - + - ######################################## - # - # Userhelper local policy 
@@ -112997,28 +112997,28 @@ index 98b51fd0b..c7e44cada 100644 + auth_manage_var_auth($1_userhelper_t) + auth_search_pam_console_data($1_userhelper_t) + auth_use_nsswitch($1_userhelper_t) - + - domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t) + logging_send_syslog_msg($1_userhelper_t) - + - dontaudit $3 $1_userhelper_t:process signal; + # Inherit descriptors from the current session. + init_use_fds($1_userhelper_t) + # Write to utmp. + init_manage_utmp($1_userhelper_t) + init_pid_filetrans_utmp($1_userhelper_t) - + - corecmd_bin_domtrans($1_userhelper_t, $3) - + - auth_domtrans_chk_passwd($1_userhelper_t) - auth_use_nsswitch($1_userhelper_t) + seutil_read_config($1_userhelper_t) + seutil_read_default_contexts($1_userhelper_t) - + + # Allow $1_userhelper_t to transition to user domains. - userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) - userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) - + userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t) + userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t) + + ifdef(`distro_redhat',` + optional_policy(` + # Allow transitioning to rpm_t, for up2date @@ -113026,14 +113026,14 @@ index 98b51fd0b..c7e44cada 100644 + ') + ') + - optional_policy(` - tunable_policy(`! secure_mode',` + optional_policy(` + tunable_policy(`! secure_mode',` + #if we are not in secure mode then we can transition to sysadm_t - sysadm_bin_spec_domtrans($1_userhelper_t) - sysadm_entry_spec_domtrans($1_userhelper_t) - ') + sysadm_bin_spec_domtrans($1_userhelper_t) + sysadm_entry_spec_domtrans($1_userhelper_t) + ') @@ -99,7 +158,7 @@ template(`userhelper_role_template',` - + ######################################## ## -## Search userhelper configuration directories. @@ -113051,7 +113051,7 @@ index 98b51fd0b..c7e44cada 100644 ## ## @@ -136,28 +195,26 @@ interface(`userhelper_dontaudit_search_config',` - + ######################################## ## -## Send and receive messages from 
@@ -113068,17 +113068,17 @@ index 98b51fd0b..c7e44cada 100644 # -interface(`userhelper_dbus_chat_all_consolehelper',` +interface(`userhelper_dontaudit_write_config',` - gen_require(` + gen_require(` - attribute consolehelper_type; - class dbus send_msg; + type userhelper_conf_t; - ') - + ') + - allow $1 consolehelper_type:dbus send_msg; - allow consolehelper_type $1:dbus send_msg; + dontaudit $1 userhelper_conf_t:file write; ') - + ######################################## ## -## Use userhelper all userhelper file descriptors. @@ -113087,7 +113087,7 @@ index 98b51fd0b..c7e44cada 100644 ## ## @@ -175,7 +232,7 @@ interface(`userhelper_use_fd',` - + ######################################## ## -## Send child terminated signals to all userhelper. @@ -113096,13 +113096,13 @@ index 98b51fd0b..c7e44cada 100644 ## ## @@ -206,10 +263,83 @@ interface(`userhelper_exec',` - type userhelper_exec_t; - ') - + type userhelper_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, userhelper_exec_t) + can_exec($1, userhelper_exec_t) ') - + +####################################### +## +## The role template for the consolehelper module. @@ -113187,24 +113187,24 @@ index 42cfce06e..b7e3e2532 100644 @@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1) # Declarations # - + -attribute consolehelper_type; attribute userhelper_type; - -attribute_role consolehelper_roles; -attribute_role userhelper_roles; +attribute consolehelper_domain; - + type userhelper_conf_t; files_config_file(userhelper_conf_t) @@ -22,141 +19,77 @@ application_executable_file(consolehelper_exec_t) - + ######################################## # -# Common consolehelper domain local policy +# consolehelper local policy # - + -allow consolehelper_type self:capability { setgid setuid dac_override }; -allow consolehelper_type self:process signal; -allow consolehelper_type self:fifo_file rw_fifo_file_perms; 
@@ -113214,32 +113214,32 @@ index 42cfce06e..b7e3e2532 100644 -dontaudit consolehelper_type userhelper_conf_t:file audit_access; -read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t) +allow consolehelper_domain self:shm create_shm_perms; -+allow consolehelper_domain self:capability { setgid setuid dac_read_search dac_override sys_nice }; ++allow consolehelper_domain self:capability { setgid setuid dac_read_search dac_override sys_nice }; +allow consolehelper_domain self:process { signal_perms getsched setsched }; - + -domain_use_interactive_fds(consolehelper_type) +allow consolehelper_domain userhelper_conf_t:file audit_access; +dontaudit consolehelper_domain userhelper_conf_t:file write; +read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t) - + -kernel_read_system_state(consolehelper_type) -kernel_read_kernel_sysctls(consolehelper_type) +# Init script handling +domain_use_interactive_fds(consolehelper_domain) - + -corecmd_exec_bin(consolehelper_type) +# internal communication is often done using fifo and unix sockets. +allow consolehelper_domain self:fifo_file rw_fifo_file_perms; +allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms; - + -dev_getattr_all_chr_files(consolehelper_type) -dev_dontaudit_list_all_dev_nodes(consolehelper_type) +kernel_read_kernel_sysctls(consolehelper_domain) - + -files_read_config_files(consolehelper_type) -files_read_usr_files(consolehelper_type) +corecmd_exec_bin(consolehelper_domain) - + -fs_getattr_all_dirs(consolehelper_type) -fs_getattr_all_fs(consolehelper_type) -fs_search_auto_mountpoints(consolehelper_type) 
@@ -113249,32 +113249,32 @@ index 42cfce06e..b7e3e2532 100644 +dev_dontaudit_getattr_all(consolehelper_domain) +fs_getattr_all_fs(consolehelper_domain) +fs_getattr_all_dirs(consolehelper_domain) - + -term_list_ptys(consolehelper_type) +files_read_config_files(consolehelper_domain) - + -auth_search_pam_console_data(consolehelper_type) -auth_read_pam_pid(consolehelper_type) +term_list_ptys(consolehelper_domain) - + -miscfiles_read_localization(consolehelper_type) -miscfiles_read_fonts(consolehelper_type) +auth_search_pam_console_data(consolehelper_domain) +auth_read_pam_pid(consolehelper_domain) - + -userhelper_exec(consolehelper_type) +init_read_utmp(consolehelper_domain) +init_telinit(consolehelper_domain) - + -userdom_use_user_terminals(consolehelper_type) +miscfiles_read_fonts(consolehelper_domain) - + -# might want to make this consolehelper_tmp_t -userdom_manage_user_tmp_dirs(consolehelper_type) -userdom_manage_user_tmp_files(consolehelper_type) -userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file }) +userhelper_exec(consolehelper_domain) - + -tunable_policy(`use_nfs_home_dirs',` - fs_search_nfs(consolehelper_type) -') @@ -113282,7 +113282,7 @@ index 42cfce06e..b7e3e2532 100644 +userdom_use_user_ttys(consolehelper_domain) +userdom_read_user_home_content_files(consolehelper_domain) +userdom_search_admin_dir(consolehelper_domain) - + -tunable_policy(`use_samba_home_dirs',` - fs_search_cifs(consolehelper_type) +optional_policy(` @@ -113291,13 +113291,13 @@ index 42cfce06e..b7e3e2532 100644 + devicekit_dbus_chat_disk(consolehelper_domain) + ') ') - + optional_policy(` - shutdown_run(consolehelper_type, consolehelper_roles) - shutdown_signal(consolehelper_type) + gnome_read_gconf_home_files(consolehelper_domain) ') - + optional_policy(` - xserver_domtrans_xauth(consolehelper_type) - xserver_read_xdm_pid(consolehelper_type) 
@@ -113307,7 +113307,7 @@ index 42cfce06e..b7e3e2532 100644 + xserver_admin_home_dir_filetrans_xauth(consolehelper_domain) + xserver_manage_user_xauth(consolehelper_domain) ') - + -######################################## -# -# Common userhelper domain local policy @@ -113380,7 +113380,7 @@ index 42cfce06e..b7e3e2532 100644 + files_search_mnt(consolehelper_domain) + fs_search_nfs(consolehelper_domain) +') - + -optional_policy(` - rpm_domtrans(userhelper_type) +tunable_policy(`use_samba_home_dirs',` @@ -113394,32 +113394,32 @@ index 7deec55cf..c542887da 100644 @@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',` # interface(`usernetctl_run',` - gen_require(` + gen_require(` + type usernetctl_t; - attribute_role usernetctl_roles; - ') - + attribute_role usernetctl_roles; + ') + diff --git a/usernetctl.te b/usernetctl.te index f973af82b..860643991 100644 --- a/usernetctl.te +++ b/usernetctl.te @@ -6,19 +6,19 @@ policy_module(usernetctl, 1.7.0) # - + attribute_role usernetctl_roles; +roleattribute system_r usernetctl_roles; - + type usernetctl_t; type usernetctl_exec_t; application_domain(usernetctl_t, usernetctl_exec_t) domain_interactive_fd(usernetctl_t) -role usernetctl_roles types usernetctl_t; - + ######################################## # # Local policy # - + -allow usernetctl_t self:capability { setuid setgid dac_override }; +allow usernetctl_t self:capability { setuid setgid dac_read_search dac_override }; allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -113430,41 +113430,41 @@ index f973af82b..860643991 100644 files_list_pids(usernetctl_t) files_list_home(usernetctl_t) -files_read_usr_files(usernetctl_t) - + fs_search_auto_mountpoints(usernetctl_t) - + 
@@ -48,18 +47,14 @@ auth_use_nsswitch(usernetctl_t) - + logging_send_syslog_msg(usernetctl_t) - + -miscfiles_read_localization(usernetctl_t) - seutil_read_config(usernetctl_t) - + +sysnet_read_config(usernetctl_t) + sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) - + -userdom_use_user_terminals(usernetctl_t) - -optional_policy(` - consoletype_run(usernetctl_t, usernetctl_roles) -') +userdom_use_inherited_user_terminals(usernetctl_t) - + optional_policy(` - hostname_exec(usernetctl_t) + hostname_exec(usernetctl_t) @@ -73,6 +68,10 @@ optional_policy(` - modutils_run_insmod(usernetctl_t, usernetctl_roles) + modutils_run_insmod(usernetctl_t, usernetctl_roles) ') - + +optional_policy(` + nis_use_ypbind(usernetctl_t) +') + optional_policy(` - ppp_run(usernetctl_t, usernetctl_roles) + ppp_run(usernetctl_t, usernetctl_roles) ') diff --git a/uucp.if b/uucp.if index af9acc0d3..cdaf82e21 100644 @@ -113483,9 +113483,9 @@ index af9acc0d3..cdaf82e21 100644 # interface(`uucp_admin',` @@ -104,14 +99,13 @@ interface(`uucp_admin',` - type uucpd_var_run_t, uucpd_initrc_exec_t; - ') - + type uucpd_var_run_t, uucpd_initrc_exec_t; + ') + - init_labeled_script_domtrans($1, uucpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 uucpd_initrc_exec_t system_r; @@ -113493,32 +113493,32 @@ index af9acc0d3..cdaf82e21 100644 - - allow $1 uucpd_t:process { ptrace signal_perms }; + allow $1 uucpd_t:process signal_perms; - ps_process_pattern($1, uucpd_t) - + ps_process_pattern($1, uucpd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 uucpd_t:process ptrace; + ') + - logging_list_logs($1) - admin_pattern($1, uucpd_log_t) - + logging_list_logs($1) + admin_pattern($1, uucpd_log_t) + diff --git a/uucp.te b/uucp.te index 849f607b1..e01ec6d2e 100644 --- a/uucp.te +++ b/uucp.te 
@@ -31,7 +31,7 @@ type uucpd_ro_t; files_type(uucpd_ro_t) - + type uucpd_spool_t; -files_type(uucpd_spool_t) +files_spool_file(uucpd_spool_t) - + type uucpd_log_t; logging_log_file(uucpd_log_t) @@ -84,15 +84,20 @@ kernel_read_kernel_sysctls(uucpd_t) kernel_read_system_state(uucpd_t) kernel_read_network_state(uucpd_t) - + -corenet_all_recvfrom_unlabeled(uucpd_t) corenet_all_recvfrom_netlabel(uucpd_t) corenet_tcp_sendrecv_generic_if(uucpd_t) @@ -113526,50 +113526,50 @@ index 849f607b1..e01ec6d2e 100644 +corenet_udp_sendrecv_generic_node(uucpd_t) +corenet_tcp_sendrecv_all_ports(uucpd_t) +corenet_udp_sendrecv_all_ports(uucpd_t) - + corenet_sendrecv_ssh_client_packets(uucpd_t) corenet_tcp_connect_ssh_port(uucpd_t) corenet_tcp_sendrecv_ssh_port(uucpd_t) - + +corenet_tcp_bind_uucpd_port(uucpd_t) +corenet_tcp_connect_uucpd_port(uucpd_t) + corecmd_exec_bin(uucpd_t) corecmd_exec_shell(uucpd_t) - + @@ -110,7 +115,7 @@ auth_use_nsswitch(uucpd_t) - + logging_send_syslog_msg(uucpd_t) - + -miscfiles_read_localization(uucpd_t) +mta_send_mail(uucpd_t) - + optional_policy(` - cron_system_entry(uucpd_t, uucpd_exec_t) + cron_system_entry(uucpd_t, uucpd_exec_t) @@ -124,10 +129,6 @@ optional_policy(` - kerberos_use(uucpd_t) + kerberos_use(uucpd_t) ') - + -optional_policy(` - mta_send_mail(uucpd_t) -') - optional_policy(` - ssh_exec(uucpd_t) + ssh_exec(uucpd_t) ') @@ -160,10 +161,15 @@ auth_use_nsswitch(uux_t) logging_search_logs(uux_t) logging_send_syslog_msg(uux_t) - + -miscfiles_read_localization(uux_t) - optional_policy(` - mta_send_mail(uux_t) - mta_read_queue(uux_t) + mta_send_mail(uux_t) + mta_read_queue(uux_t) +') + +optional_policy(` - sendmail_dontaudit_rw_unix_stream_sockets(uux_t) + sendmail_dontaudit_rw_unix_stream_sockets(uux_t) ') + +optional_policy(` @@ -113582,37 +113582,37 @@ index 6e4865333..6abf74a90 100644 
@@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',` # interface(`uuidd_stream_connect_manager',` - gen_require(` + gen_require(` - type uuidd_t, uuidd_var_run_t; + type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t) + ') + + files_search_pids($1) + stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t) + stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t) ') - + ######################################## @@ -180,6 +181,9 @@ interface(`uuidd_admin',` - - allow $1 uuidd_t:process signal_perms; - ps_process_pattern($1, uuidd_t) + + allow $1 uuidd_t:process signal_perms; + ps_process_pattern($1, uuidd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 uuidd_t:process ptrace; + ') - - uuidd_initrc_domtrans($1) - domain_system_change_exemption($1) + + uuidd_initrc_domtrans($1) + domain_system_change_exemption($1) diff --git a/uuidd.te b/uuidd.te index f8e52fc97..b283c25f7 100644 --- a/uuidd.te +++ b/uuidd.te @@ -42,6 +42,4 @@ dev_read_urand(uuidd_t) - + domain_use_interactive_fds(uuidd_t) - + -files_read_etc_files(uuidd_t) - + -miscfiles_read_localization(uuidd_t) diff --git a/uwimap.te b/uwimap.te index acdc78ae7..9e5ee472d 100644 @@ -113621,7 +113621,7 @@ index acdc78ae7..9e5ee472d 100644 @@ -20,7 +20,7 @@ files_pid_file(imapd_var_run_t) # Local policy # - + -allow imapd_t self:capability { dac_override setgid setuid sys_resource }; +allow imapd_t self:capability { dac_read_search dac_override setgid setuid sys_resource }; dontaudit imapd_t self:capability sys_tty_config; @@ -113630,28 +113630,28 @@ index acdc78ae7..9e5ee472d 100644 @@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t) kernel_list_proc(imapd_t) kernel_read_proc_symlinks(imapd_t) - + -corenet_all_recvfrom_unlabeled(imapd_t) corenet_all_recvfrom_netlabel(imapd_t) corenet_tcp_sendrecv_generic_if(imapd_t) corenet_tcp_sendrecv_generic_node(imapd_t) 
@@ -56,8 +55,6 @@ dev_read_urand(imapd_t) - + domain_use_interactive_fds(imapd_t) - + -files_read_etc_files(imapd_t) - fs_getattr_all_fs(imapd_t) fs_search_auto_mountpoints(imapd_t) - + @@ -65,8 +62,6 @@ auth_domtrans_chk_passwd(imapd_t) - + logging_send_syslog_msg(imapd_t) - + -miscfiles_read_localization(imapd_t) - sysnet_dns_name_resolve(imapd_t) - + userdom_dontaudit_use_unpriv_user_fds(imapd_t) diff --git a/varnishd.if b/varnishd.if index 1c35171d8..2cba4dfea 100644 @@ -113660,61 +113660,61 @@ index 1c35171d8..2cba4dfea 100644 @@ -153,12 +153,16 @@ interface(`varnishd_manage_log',` # interface(`varnishd_admin_varnishlog',` - gen_require(` + gen_require(` + type varnishd_t; - type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; - type varnishlog_var_run_t; - ') - + type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t; + type varnishlog_var_run_t; + ') + - allow $1 varnishlog_t:process { ptrace signal_perms }; + allow $1 varnishlog_t:process signal_perms; - ps_process_pattern($1, varnishlog_t) + ps_process_pattern($1, varnishlog_t) + tunable_policy(`deny_ptrace',`',` + allow $1 varnishd_t:process ptrace; + ') - - init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) + domain_system_change_exemption($1) 
@@ -196,9 +200,13 @@ interface(`varnishd_admin',` - type varnishd_initrc_exec_t; - ') - + type varnishd_initrc_exec_t; + ') + - allow $1 varnishd_t:process { ptrace signal_perms }; + allow $1 varnishd_t:process signal_perms; - ps_process_pattern($1, varnishd_t) - + ps_process_pattern($1, varnishd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 varnishd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, varnishd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 varnishd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, varnishd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te index 9d4d8cbb0..3b30d5ac5 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; init_script_file(varnishd_initrc_exec_t) - + type varnishd_etc_t; -files_type(varnishd_etc_t) +files_config_file(varnishd_etc_t) - + type varnishd_tmp_t; files_tmp_file(varnishd_tmp_t) @@ -43,16 +43,16 @@ type varnishlog_var_run_t; files_pid_file(varnishlog_var_run_t) - + type varnishlog_log_t; -files_type(varnishlog_log_t) +logging_log_file(varnishlog_log_t) - + ######################################## # # Local policy # - + -allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +allow varnishd_t self:capability { kill dac_read_search dac_override ipc_lock setuid setgid chown fowner fsetid }; dontaudit varnishd_t self:capability sys_tty_config; @@ -113722,30 +113722,30 @@ index 9d4d8cbb0..3b30d5ac5 100644 +allow varnishd_t self:process { execmem signal }; allow varnishd_t self:fifo_file rw_fifo_file_perms; allow varnishd_t self:tcp_socket { accept listen }; - + 
@@ -103,15 +103,13 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t) - + dev_read_urand(varnishd_t) - + -files_read_usr_files(varnishd_t) - fs_getattr_all_fs(varnishd_t) - + auth_use_nsswitch(varnishd_t) - + logging_send_syslog_msg(varnishd_t) - + -miscfiles_read_localization(varnishd_t) +sysnet_read_config(varnishd_t) - + tunable_policy(`varnishd_connect_any',` - corenet_sendrecv_all_client_packets(varnishd_t) + corenet_sendrecv_all_client_packets(varnishd_t) @@ -136,5 +134,6 @@ setattr_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir }) - + read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t) +allow varnishlog_t varnishd_var_lib_t:file map; - + files_search_var_lib(varnishlog_t) diff --git a/vbetool.te b/vbetool.te index 2a61f7526..cea4ee220 100644 @@ -113754,21 +113754,21 @@ index 2a61f7526..cea4ee220 100644 @@ -26,7 +26,8 @@ role vbetool_roles types vbetool_t; # Local policy # - + -allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; +allow vbetool_t self:capability { dac_read_search dac_override sys_tty_config sys_admin }; +allow vbetool_t self:capability2 compromise_kernel; allow vbetool_t self:process execmem; - + dev_wx_raw_memory(vbetool_t) @@ -43,7 +44,6 @@ mls_file_write_all_levels(vbetool_t) - + term_use_unallocated_ttys(vbetool_t) - + -miscfiles_read_localization(vbetool_t) - + tunable_policy(`vbetool_mmap_zero_ignore',` - dontaudit vbetool_t self:memprotect mmap_zero; + dontaudit vbetool_t self:memprotect mmap_zero; diff --git a/vdagent.if b/vdagent.if index 31c752ea6..ef522355b 100644 --- a/vdagent.if @@ -113791,8 +113791,8 @@ index 31c752ea6..ef522355b 100644 + gen_require(` + type vdagent_exec_t; + ') - - allow $1 vdagent_exec_t:file getattr_file_perms; + + allow $1 vdagent_exec_t:file getattr_file_perms; ') @@ -42,18 +42,18 @@ interface(`vdagent_getattr_exec_files',` ## Get attributes of vdagent log files. 
@@ -113813,13 +113813,13 @@ index 31c752ea6..ef522355b 100644 + gen_require(` + type vdagent_log_t; + ') - + - logging_search_logs($1) - allow $1 vdagent_log_t:file getattr_file_perms; + logging_search_logs($1) + allow $1 vdagent_log_t:file getattr_file_perms; ') - + ######################################## @@ -81,18 +81,18 @@ interface(`vdagent_read_pid_files',` ## domain stream socket. @@ -113840,13 +113840,13 @@ index 31c752ea6..ef522355b 100644 + gen_require(` + type vdagent_var_run_t, vdagent_t; + ') - + - files_search_pids($1) - stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) + files_search_pids($1) + stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) ') - + ######################################## @@ -110,7 +110,6 @@ interface(`vdagent_stream_connect',` ## Role allowed access. @@ -113855,80 +113855,80 @@ index 31c752ea6..ef522355b 100644 -## # interface(`vdagent_admin',` - gen_require(` + gen_require(` @@ -120,6 +119,9 @@ interface(`vdagent_admin',` - - allow $1 vdagent_t:process signal_perms; - ps_process_pattern($1, vdagent_t) + + allow $1 vdagent_t:process signal_perms; + ps_process_pattern($1, vdagent_t) + tunable_policy(`deny_ptrace',`',` + allow $1 vdagent_t:process ptrace; + ') - - init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) - domain_system_change_exemption($1) + + init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) + domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te index 87da8a24d..70531c93e 100644 --- a/vdagent.te +++ b/vdagent.te @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) - + dontaudit vdagent_t self:capability sys_admin; allow vdagent_t self:process signal; + allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket { accept listen }; - + 
@@ -39,23 +40,27 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) logging_log_filetrans(vdagent_t, vdagent_log_t, file) - + +kernel_request_load_module(vdagent_t) + dev_rw_input_dev(vdagent_t) dev_rw_mtrr(vdagent_t) dev_read_sysfs(vdagent_t) dev_dontaudit_write_mtrr(vdagent_t) - + -files_read_etc_files(vdagent_t) - term_use_virtio_console(vdagent_t) - + init_read_state(vdagent_t) - + -logging_send_syslog_msg(vdagent_t) +systemd_read_logind_sessions_files(vdagent_t) +systemd_login_read_pid_files(vdagent_t) +systemd_dbus_chat_logind(vdagent_t) - + -miscfiles_read_localization(vdagent_t) +logging_send_syslog_msg(vdagent_t) - + userdom_read_all_users_state(vdagent_t) - + +xserver_read_xdm_state(vdagent_t) + optional_policy(` - dbus_system_bus_client(vdagent_t) - + dbus_system_bus_client(vdagent_t) + diff --git a/vhostmd.if b/vhostmd.if index 22edd58f8..c3a536427 100644 --- a/vhostmd.if +++ b/vhostmd.if @@ -216,9 +216,13 @@ interface(`vhostmd_admin',` - type vhostmd_tmpfs_t; - ') - + type vhostmd_tmpfs_t; + ') + - allow $1 vhostmd_t:process { ptrace signal_perms }; + allow $1 vhostmd_t:process signal_perms; - ps_process_pattern($1, vhostmd_t) - + ps_process_pattern($1, vhostmd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 vhostmd_t:process ptrace; + ') + - vhostmd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 vhostmd_initrc_exec_t system_r; + vhostmd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 vhostmd_initrc_exec_t system_r; diff --git a/vhostmd.te b/vhostmd.te index 3d11c6a3d..2eb57ded1 100644 --- a/vhostmd.te @@ -113936,35 +113936,35 @@ index 3d11c6a3d..2eb57ded1 100644 
@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t) # Local policy # - + -allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid }; +allow vhostmd_t self:capability { dac_read_search dac_override ipc_lock setuid setgid }; allow vhostmd_t self:process { setsched getsched signal }; allow vhostmd_t self:fifo_file rw_fifo_file_perms; - + @@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t) dev_read_sysfs(vhostmd_t) - + files_list_tmp(vhostmd_t) -files_read_usr_files(vhostmd_t) - + auth_use_nsswitch(vhostmd_t) - + logging_send_syslog_msg(vhostmd_t) - + -miscfiles_read_localization(vhostmd_t) - optional_policy(` - hostname_exec(vhostmd_t) + hostname_exec(vhostmd_t) ') @@ -77,6 +74,8 @@ optional_policy(` - + optional_policy(` - virt_stream_connect(vhostmd_t) + virt_stream_connect(vhostmd_t) + virt_write_content(vhostmd_t) + virt_rw_svirt_image(vhostmd_t) ') - + optional_policy(` diff --git a/virt.fc b/virt.fc index a4f20bcfc..66ac61408 100644 @@ -113990,7 +113990,7 @@ index a4f20bcfc..66ac61408 100644 +HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) - + -/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/virtlogd.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) 
@@ -114004,11 +114004,11 @@ index a4f20bcfc..66ac61408 100644 +/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - + -/etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) - + -/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -114032,9 +114032,9 @@ index a4f20bcfc..66ac61408 100644 +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) - + /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) - + -/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) @@ -114045,7 +114045,7 @@ index a4f20bcfc..66ac61408 100644 +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) - + -/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) 
@@ -114062,10 +114062,10 @@ index a4f20bcfc..66ac61408 100644 +/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0) - + -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) - + -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) @@ -114129,7 +114129,7 @@ index facdee8b3..b149565d0 100644 @@ -1,120 +1,104 @@ -## Libvirt virtualization API. +## Libvirt virtualization API - + -####################################### +######################################## ## @@ -114146,7 +114146,7 @@ index facdee8b3..b149565d0 100644 # -template(`virt_domain_template',` +interface(`virt_stub_lxc',` - gen_require(` + gen_require(` - attribute_role virt_domain_roles; - attribute virt_image_type, virt_domain, virt_tmpfs_type; - attribute virt_ptynode, virt_tmp_type; @@ -114177,9 +114177,9 @@ index facdee8b3..b149565d0 100644 - optional_policy(` - pulseaudio_tmpfs_content($1_tmpfs_t) + type virtd_lxc_t; - ') + ') +') - + - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) @@ -114227,9 +114227,9 @@ index facdee8b3..b149565d0 100644 +interface(`virt_stub_svirt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; - ') + ') +') - + - optional_policy(` - xserver_rw_shm($1_t) +######################################## @@ -114245,9 +114245,9 @@ index facdee8b3..b149565d0 100644 +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` + type container_file_t; - ') + ') ') - + -####################################### +######################################## ## 
@@ -114265,7 +114265,7 @@ index facdee8b3..b149565d0 100644 # -template(`virt_lxc_domain_template',` +template(`virt_domain_template',` - gen_require(` + gen_require(` - attribute_role svirt_lxc_domain_roles; - attribute svirt_lxc_domain; + attribute virt_image_type, virt_domain; @@ -114273,15 +114273,15 @@ index facdee8b3..b149565d0 100644 + attribute virt_ptynode; + type qemu_exec_t; + type virtlogd_t; - ') - + ') + - type $1_t, svirt_lxc_domain; - domain_type($1_t) + type $1_t, virt_domain; + application_domain($1_t, qemu_exec_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_constrained($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) - role svirt_lxc_domain_roles types $1_t; + role system_r types $1_t; + @@ -114301,7 +114301,7 @@ index facdee8b3..b149565d0 100644 + allow $1_t virtlogd_t:fd use; + allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; ') - + ######################################## ## -## Make the specified type virt image type. @@ -114315,14 +114315,14 @@ index facdee8b3..b149565d0 100644 ## # @@ -125,31 +109,32 @@ interface(`virt_image',` - - typeattribute $1 virt_image_type; - files_type($1) + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices - dev_node($1) + dev_node($1) ') - + -######################################## +####################################### ## @@ -114346,12 +114346,12 @@ index facdee8b3..b149565d0 100644 + gen_require(` + type virtd_exec_t; + ') - + - corecmd_search_bin($1) - domtrans_pattern($1, virtd_exec_t, virtd_t) + allow $1 virtd_exec_t:file getattr; ') - + ######################################## ## -## Execute a domain transition to run virt qmf. 
@@ -114365,16 +114365,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_domtrans_qmf',` +interface(`virt_domtrans',` - gen_require(` + gen_require(` - type virt_qmf_t, virt_qmf_exec_t; + type virtd_t, virtd_exec_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) + domtrans_pattern($1, virtd_exec_t, virtd_t) ') - + ######################################## ## -## Execute a domain transition to @@ -114390,16 +114390,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_domtrans_bridgehelper',` +interface(`virt_exec',` - gen_require(` + gen_require(` - type virt_bridgehelper_t, virt_bridgehelper_exec_t; + type virtd_exec_t; - ') - + ') + - corecmd_search_bin($1) - domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) + can_exec($1, virtd_exec_t) ') - + ######################################## ## -## Execute bridgehelper in the bridgehelper @@ -114422,17 +114422,17 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_run_bridgehelper',` +interface(`virt_domtrans_qmf',` - gen_require(` + gen_require(` - attribute_role virt_bridgehelper_roles; + type virt_qmf_t, virt_qmf_exec_t; - ') - + ') + - virt_domtrans_bridgehelper($1) - roleattribute $2 virt_bridgehelper_roles; + corecmd_search_bin($1) + domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) ') - + ######################################## ## -## Execute virt domain in the their @@ -114456,12 +114456,12 @@ index facdee8b3..b149565d0 100644 -# -interface(`virt_run_virt_domain',` +interface(`virt_domtrans_bridgehelper',` - gen_require(` + gen_require(` - attribute virt_domain; - attribute_role virt_domain_roles; + type virt_bridgehelper_t, virt_bridgehelper_exec_t; - ') - + ') + - allow $1 virt_domain:process { signal transition }; - roleattribute $2 virt_domain_roles; - 
@@ -114470,7 +114470,7 @@ index facdee8b3..b149565d0 100644 - allow virt_domain $1:process sigchld; + domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) ') - + -######################################## +####################################### ## @@ -114485,16 +114485,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_signal_all_virt_domains',` +interface(`virt_stream_connect',` - gen_require(` + gen_require(` - attribute virt_domain; + type virtd_t, virt_var_run_t; - ') - + ') + - allow $1 virt_domain:process signal; + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') - + -######################################## +####################################### ## @@ -114509,15 +114509,15 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_kill_all_virt_domains',` +interface(`virt_stream_connect_svirt',` - gen_require(` + gen_require(` - attribute virt_domain; + type svirt_t; - ') - + ') + - allow $1 virt_domain:process sigkill; + allow $1 svirt_t:unix_stream_socket connectto; ') - + ######################################## ## -## Execute svirt lxc domains in their @@ -114540,12 +114540,12 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_run_svirt_lxc_domain',` +interface(`virt_rw_stream_sockets_svirt',` - gen_require(` + gen_require(` - attribute svirt_lxc_domain; - attribute_role svirt_lxc_domain_roles; + type svirt_t; - ') - + ') + - allow $1 svirt_lxc_domain:process { signal transition }; - roleattribute $2 svirt_lxc_domain_roles; - @@ -114554,7 +114554,7 @@ index facdee8b3..b149565d0 100644 - allow svirt_lxc_domain $1:process sigchld; + allow $1 svirt_t:unix_stream_socket { setopt getopt read write }; ') - + -####################################### +######################################## ## 
@@ -114569,16 +114569,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_getattr_virtd_exec_files',` +interface(`virt_attach_tun_iface',` - gen_require(` + gen_require(` - type virtd_exec_t; + type virtd_t; - ') - + ') + - allow $1 virtd_exec_t:file getattr_file_perms; + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; ') - + -####################################### +######################################## ## @@ -114594,17 +114594,17 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_stream_connect',` +interface(`virt_attach_sandbox_tun_iface',` - gen_require(` + gen_require(` - type virtd_t, virt_var_run_t; + attribute svirt_sandbox_domain; - ') - + ') + - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; ') - + ######################################## ## -## Attach to virt tun devices. @@ -114618,11 +114618,11 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_attach_tun_iface',` +interface(`virt_read_config',` - gen_require(` + gen_require(` - type virtd_t; + type virt_etc_t, virt_etc_rw_t; - ') - + ') + - allow $1 virtd_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; + files_search_etc($1) @@ -114630,7 +114630,7 @@ index facdee8b3..b149565d0 100644 + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ') - + ######################################## ## -## Read virt configuration content. 
@@ -114644,11 +114644,11 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_read_config',` +interface(`virt_manage_config',` - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -114657,7 +114657,7 @@ index facdee8b3..b149565d0 100644 + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -114672,11 +114672,11 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_config',` +interface(`virt_getattr_content',` - gen_require(` + gen_require(` - type virt_etc_t, virt_etc_rw_t; + type virt_content_t; - ') - + ') + - files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; - manage_files_pattern($1, virt_etc_t, virt_etc_t) @@ -114684,7 +114684,7 @@ index facdee8b3..b149565d0 100644 - manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + allow $1 virt_content_t:file getattr_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -114694,15 +114694,15 @@ index facdee8b3..b149565d0 100644 ## ## @@ -434,6 +379,7 @@ interface(`virt_read_content',` - read_files_pattern($1, virt_content_t, virt_content_t) - read_lnk_files_pattern($1, virt_content_t, virt_content_t) - read_blk_files_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) + read_chr_files_pattern($1, virt_content_t, virt_content_t) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) 
@@ -450,8 +396,7 @@ interface(`virt_read_content',` - + ######################################## ## -## Create, read, write, and delete @@ -114717,10 +114717,10 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_virt_content',` +interface(`virt_write_content',` - gen_require(` - type virt_content_t; - ') - + gen_require(` + type virt_content_t; + ') + - userdom_search_user_home_dirs($1) - allow $1 virt_content_t:dir manage_dir_perms; - allow $1 virt_content_t:file manage_file_perms; @@ -114742,7 +114742,7 @@ index facdee8b3..b149565d0 100644 - ') + allow $1 virt_content_t:file write_file_perms; ') - + ######################################## ## -## Relabel virt content. @@ -114756,11 +114756,11 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_relabel_virt_content',` +interface(`virt_read_pid_symlinks',` - gen_require(` + gen_require(` - type virt_content_t; + type virt_var_run_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 virt_content_t:dir relabel_dir_perms; - allow $1 virt_content_t:file relabel_file_perms; @@ -114771,7 +114771,7 @@ index facdee8b3..b149565d0 100644 + files_search_pids($1) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) ') - + ######################################## ## -## Create specified objects in user home @@ -114796,17 +114796,17 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_home_filetrans_virt_content',` +interface(`virt_read_pid_files',` - gen_require(` + gen_require(` - type virt_content_t; + type virt_var_run_t; - ') - + ') + - virt_home_filetrans($1, virt_content_t, $2, $3) + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) ') - + ######################################## ## -## Create, read, write, and delete 
@@ -114821,7 +114821,7 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_svirt_home_content',` +interface(`virt_manage_pid_dirs',` - gen_require(` + gen_require(` - type svirt_home_t; - ') - @@ -114838,8 +114838,8 @@ index facdee8b3..b149565d0 100644 - fs_manage_nfs_symlinks($1) + type virt_var_run_t; + type virt_lxc_var_run_t; - ') - + ') + - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) @@ -114850,7 +114850,7 @@ index facdee8b3..b149565d0 100644 + manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + virt_filetrans_named_content($1) ') - + ######################################## ## -## Relabel svirt home content. @@ -114864,12 +114864,12 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_relabel_svirt_home_content',` +interface(`virt_manage_pid_files',` - gen_require(` + gen_require(` - type svirt_home_t; + type virt_var_run_t; + type virt_lxc_var_run_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 svirt_home_t:dir relabel_dir_perms; - allow $1 svirt_home_t:file relabel_file_perms; @@ -114880,7 +114880,7 @@ index facdee8b3..b149565d0 100644 + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) ') - + ######################################## ## -## Create specified objects in user home @@ -114913,15 +114913,15 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_home_filetrans_svirt_home',` +interface(`virt_pid_filetrans',` - gen_require(` + gen_require(` - type svirt_home_t; + type virt_var_run_t; - ') - + ') + - virt_home_filetrans($1, svirt_home_t, $2, $3) + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) ') - + ######################################## ## -## Create specified objects in generic 
@@ -114952,17 +114952,17 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_home_filetrans',` +interface(`virt_search_lib',` - gen_require(` + gen_require(` - type virt_home_t; + type virt_var_lib_t; - ') - + ') + - userdom_search_user_home_dirs($1) - filetrans_pattern($1, virt_home_t, $2, $3, $4) + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) ') - + ######################################## ## -## Create, read, write, and delete @@ -114977,11 +114977,11 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_home_files',` +interface(`virt_read_lib_files',` - gen_require(` + gen_require(` - type virt_home_t; + type virt_var_lib_t; - ') - + ') + - userdom_search_user_home_dirs($1) - manage_files_pattern($1, virt_home_t, virt_home_t) + files_search_var_lib($1) @@ -114989,7 +114989,7 @@ index facdee8b3..b149565d0 100644 + list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t) + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -115005,11 +115005,11 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_generic_virt_home_content',` +interface(`virt_dontaudit_read_lib_files',` - gen_require(` + gen_require(` - type virt_home_t; + type virt_var_lib_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 virt_home_t:dir manage_dir_perms; - allow $1 virt_home_t:file manage_file_perms; @@ -115160,8 +115160,8 @@ index facdee8b3..b149565d0 100644 + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` + + tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) 
@@ -115551,8 +115551,8 @@ index facdee8b3..b149565d0 100644 +interface(`virt_kill_svirt',` + gen_require(` + attribute virt_domain; - ') - + ') + - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) @@ -115560,7 +115560,7 @@ index facdee8b3..b149565d0 100644 - ') + allow $1 virt_domain:process sigkill; ') - + ######################################## ## -## Relabel virt home content. @@ -115574,11 +115574,11 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_relabel_generic_virt_home_content',` +interface(`virt_kill',` - gen_require(` + gen_require(` - type virt_home_t; + type virtd_t; - ') - + ') + - userdom_search_user_home_dirs($1) - allow $1 virt_home_t:dir relabel_dir_perms; - allow $1 virt_home_t:file relabel_file_perms; @@ -115587,7 +115587,7 @@ index facdee8b3..b149565d0 100644 - allow $1 virt_home_t:sock_file relabel_sock_file_perms; + allow $1 virtd_t:process sigkill; ') - + ######################################## ## -## Create specified objects in user home @@ -115613,15 +115613,15 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_home_filetrans_virt_home',` +interface(`virt_signal',` - gen_require(` + gen_require(` - type virt_home_t; + type virtd_t; - ') - + ') + - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) + allow $1 virtd_t:process signal; ') - + ######################################## ## -## Read virt pid files. @@ -115635,16 +115635,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_read_pid_files',` +interface(`virt_signull',` - gen_require(` + gen_require(` - type virt_var_run_t; + type virtd_t; - ') - + ') + - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) + allow $1 virtd_t:process signull; ') - + ######################################## ## -## Create, read, write, and delete 
@@ -115659,16 +115659,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_pid_files',` +interface(`virt_signal_svirt',` - gen_require(` + gen_require(` - type virt_var_run_t; + attribute virt_domain; - ') - + ') + - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + allow $1 virt_domain:process signal; ') - + ######################################## ## -## Search virt lib directories. @@ -115682,16 +115682,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_search_lib',` +interface(`virt_signal_sandbox',` - gen_require(` + gen_require(` - type virt_var_lib_t; + attribute svirt_sandbox_domain; - ') - + ') + - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; + allow $1 svirt_sandbox_domain:process signal; ') - + ######################################## ## -## Read virt lib files. @@ -115705,18 +115705,18 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_read_lib_files',` +interface(`virt_manage_home_files',` - gen_require(` + gen_require(` - type virt_var_lib_t; + type virt_home_t; - ') - + ') + - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + userdom_search_user_home_dirs($1) + manage_files_pattern($1, virt_home_t, virt_home_t) ') - + ######################################## ## -## Create, read, write, and delete @@ -115733,16 +115733,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_lib_files',` +interface(`virt_read_tmpfs_files',` - gen_require(` + gen_require(` - type virt_var_lib_t; + attribute virt_tmpfs_type; - ') - + ') + - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + allow $1 virt_tmpfs_type:file read_file_perms; ') - + ######################################## ## -## Create objects in virt pid 
@@ -115818,16 +115818,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_pid_filetrans',` +interface(`virt_dontaudit_read_chr_dev',` - gen_require(` + gen_require(` - type virt_var_run_t; + attribute virt_image_type; - ') - + ') + - files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') - + ######################################## ## -## Read virt log files. @@ -115845,11 +115845,11 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_read_log',` +template(`virt_sandbox_domain_template',` - gen_require(` + gen_require(` - type virt_log_t; + attribute svirt_sandbox_domain; - ') - + ') + - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) + type $1_t, svirt_sandbox_domain; @@ -115863,7 +115863,7 @@ index facdee8b3..b149565d0 100644 + + kernel_read_system_state($1_t) ') - + ######################################## ## -## Append virt log files. @@ -115879,16 +115879,16 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_append_log',` +template(`virt_sandbox_domain',` - gen_require(` + gen_require(` - type virt_log_t; + attribute svirt_sandbox_domain; - ') - + ') + - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) + typeattribute $1 svirt_sandbox_domain; ') - + ######################################## ## -## Create, read, write, and delete @@ -115905,18 +115905,18 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_log',` +interface(`virt_exec_qemu',` - gen_require(` + gen_require(` - type virt_log_t; + type qemu_exec_t; - ') - + ') + - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) + can_exec($1, qemu_exec_t) ') - + ######################################## ## -## Search virt image directories. 
@@ -115931,19 +115931,19 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_search_images',` +interface(`virt_filetrans_named_content',` - gen_require(` + gen_require(` - attribute virt_image_type; + type virt_lxc_var_run_t; + type virt_var_run_t; - ') - + ') + - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ') - + ######################################## ## -## Read virt image files. @@ -115965,12 +115965,12 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_read_images',` +interface(`virt_transition_svirt_sandbox',` - gen_require(` + gen_require(` - type virt_var_lib_t; - attribute virt_image_type; + attribute svirt_sandbox_domain; - ') - + ') + - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - list_dirs_pattern($1, virt_image_type, virt_image_type) @@ -115980,14 +115980,14 @@ index facdee8b3..b149565d0 100644 + allow $1 svirt_sandbox_domain:process { transition signal_perms }; + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; - + - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') + allow svirt_sandbox_domain $1:fd use; - + - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) @@ -115997,7 +115997,7 @@ index facdee8b3..b149565d0 100644 + allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) ') - + ######################################## ## -## Read and write all virt image 
@@ -116012,17 +116012,17 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_rw_all_image_chr_files',` +interface(`virt_sandbox_read_state',` - gen_require(` + gen_require(` - attribute virt_image_type; + attribute svirt_sandbox_domain; - ') - + ') + - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) + ps_process_pattern($1, svirt_sandbox_domain) ') - + ######################################## ## -## Create, read, write, and delete @@ -116045,7 +116045,7 @@ index facdee8b3..b149565d0 100644 + + allow $1 svirt_image_t:chr_file rw_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -116060,18 +116060,18 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_virt_cache',` +interface(`virt_rw_svirt_image',` - gen_require(` + gen_require(` - type virt_cache_t; + type svirt_image_t; - ') - + ') + - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) + allow $1 svirt_image_t:file rw_file_perms; ') - + ######################################## ## -## Create, read, write, and delete @@ -116086,12 +116086,12 @@ index facdee8b3..b149565d0 100644 # -interface(`virt_manage_images',` +interface(`virt_rlimitinh',` - gen_require(` + gen_require(` - type virt_var_lib_t; - attribute virt_image_type; + type virtd_t; - ') - + ') + - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) @@ -116100,7 +116100,7 @@ index facdee8b3..b149565d0 100644 - rw_blk_files_pattern($1, virt_image_type, virt_image_type) + allow $1 virtd_t:process { rlimitinh }; +') - + - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) 
@@ -116118,8 +116118,8 @@ index facdee8b3..b149565d0 100644 +interface(`virt_noatsecure',` + gen_require(` + type virtd_t; - ') - + ') + - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) @@ -116127,7 +116127,7 @@ index facdee8b3..b149565d0 100644 - ') + allow $1 virtd_t:process { noatsecure rlimitinh }; ') - + ######################################## ## -## All of the rules required to @@ -116140,7 +116140,7 @@ index facdee8b3..b149565d0 100644 @@ -1136,50 +1544,137 @@ interface(`virt_manage_images',` # interface(`virt_admin',` - gen_require(` + gen_require(` - attribute virt_domain, virt_image_type, virt_tmpfs_type; - attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; - type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; @@ -116154,8 +116154,8 @@ index facdee8b3..b149565d0 100644 + attribute svirt_file_type; + attribute virt_file_type; + type virtd_initrc_exec_t; - ') - + ') + - allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; - allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) 
@@ -116168,26 +116168,26 @@ index facdee8b3..b149565d0 100644 + allow $1 virt_system_domain:process ptrace; + allow $1 virt_domain:process ptrace; + ') - - init_labeled_script_domtrans($1, virtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 virtd_initrc_exec_t system_r; - allow $2 system_r; - + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) + allow $1 virt_domain:process signal_perms; - + - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) - + - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t }) + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; - + - logging_search_logs($1) - admin_pattern($1, virt_log_t) + virt_stream_connect_sandbox($1) @@ -116208,15 +116208,15 @@ index facdee8b3..b149565d0 100644 + gen_require(` + attribute sandbox_caps_domain; + ') - + - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) + typeattribute $1 sandbox_caps_domain; +') - + - files_search_var($1) - admin_pattern($1, svirt_cache_t) - + - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) +######################################## @@ -116276,13 +116276,13 @@ index facdee8b3..b149565d0 100644 + gen_require(` + type virtd_t, virt_var_run_t; + ') - + - files_search_locks($1) - admin_pattern($1, virt_lock_t) + files_search_pids($1) + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') - + - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; +######################################## @@ -116312,12 +116312,12 @@ index f03dcf567..a030fcba1 100644 
@@ -1,451 +1,399 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) - + ######################################## # # Declarations # - + +gen_require(` + class passwd rootok; + class passwd passwd; @@ -116355,7 +116355,7 @@ index f03dcf567..a030fcba1 100644 +##

    ## gen_tunable(virt_use_comm, false) - + ## -##

    -## Determine whether confined virtual guests @@ -116374,7 +116374,7 @@ index f03dcf567..a030fcba1 100644 +##

    ##
    gen_tunable(virt_use_execmem, false) - + ## -##

    -## Determine whether confined virtual guests @@ -116385,7 +116385,7 @@ index f03dcf567..a030fcba1 100644 +##

    ##
    gen_tunable(virt_use_fusefs, false) - + ## -##

    -## Determine whether confined virtual guests @@ -116403,7 +116403,7 @@ index f03dcf567..a030fcba1 100644 +##

    ##
    gen_tunable(virt_use_nfs, false) - + ## -##

    -## Determine whether confined virtual guests @@ -116414,7 +116414,7 @@ index f03dcf567..a030fcba1 100644 +##

    ##
    gen_tunable(virt_use_samba, false) - + ## -##

    -## Determine whether confined virtual guests @@ -116426,7 +116426,7 @@ index f03dcf567..a030fcba1 100644 ## -gen_tunable(virt_use_sysfs, false) +gen_tunable(virt_use_sanlock, false) - + ## -##

    -## Determine whether confined virtual guests @@ -116438,7 +116438,7 @@ index f03dcf567..a030fcba1 100644 ## -gen_tunable(virt_use_usb, false) +gen_tunable(virt_use_rawip, false) - + ## -##

    -## Determine whether confined virtual guests @@ -116449,7 +116449,7 @@ index f03dcf567..a030fcba1 100644 +##

    ##
    gen_tunable(virt_use_xserver, false) - + -attribute virt_ptynode; -attribute virt_domain; -attribute virt_image_type; @@ -116483,7 +116483,7 @@ index f03dcf567..a030fcba1 100644 +##

    +## +gen_tunable(virt_sandbox_use_sys_admin, false) - + -attribute svirt_lxc_domain; +## +##

    @@ -116498,7 +116498,7 @@ index f03dcf567..a030fcba1 100644 +##

    +##
    +gen_tunable(virt_sandbox_use_all_caps, true) - + -attribute_role virt_domain_roles; -roleattribute system_r virt_domain_roles; +## @@ -116507,7 +116507,7 @@ index f03dcf567..a030fcba1 100644 +##

    +##
    +gen_tunable(virt_read_qemu_ga_data, false) - + -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; +## @@ -116516,7 +116516,7 @@ index f03dcf567..a030fcba1 100644 +##

    +##
    +gen_tunable(virt_rw_qemu_ga_data, false) - + -attribute_role svirt_lxc_domain_roles; -roleattribute system_r svirt_lxc_domain_roles; +## @@ -116525,7 +116525,7 @@ index f03dcf567..a030fcba1 100644 +##

    +##
    +gen_tunable(virt_sandbox_use_fusefs, false) - + virt_domain_template(svirt) -virt_domain_template(svirt_prot_exec) +role system_r types svirt_t; @@ -116533,29 +116533,29 @@ index f03dcf567..a030fcba1 100644 + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; - + -type virt_cache_t alias svirt_cache_t; +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) - + -type virt_etc_t; +type virt_etc_t, virt_file_type; files_config_file(virt_etc_t) - + -type virt_etc_rw_t; +type virt_etc_rw_t, virt_file_type; files_type(virt_etc_rw_t) - + -type virt_home_t; +type virt_home_t, virt_file_type; userdom_user_home_content(virt_home_t) - + -type svirt_home_t; +type svirt_home_t, svirt_file_type; userdom_user_home_content(svirt_home_t) - + -type svirt_var_run_t; -files_pid_file(svirt_var_run_t) -mls_trusted_object(svirt_var_run_t) @@ -116565,36 +116565,36 @@ index f03dcf567..a030fcba1 100644 +type virt_image_t, virt_file_type; # customizable virt_image(virt_image_t) files_mountpoint(virt_image_t) - + -type virt_content_t; # customizable +# virt Image files +type virt_content_t, virt_file_type; # customizable virt_image(virt_content_t) userdom_user_home_content(virt_content_t) - + -type virt_lock_t; -files_lock_file(virt_lock_t) +type virt_tmp_t, virt_file_type; +files_tmp_file(virt_tmp_t) - + -type virt_log_t; +type virt_log_t, virt_file_type; logging_log_file(virt_log_t) mls_trusted_object(virt_log_t) - + -type virt_tmp_t; -files_tmp_file(virt_tmp_t) +type virt_lock_t, virt_file_type; +files_lock_file(virt_lock_t) - + -type virt_var_run_t; +type virt_var_run_t, virt_file_type; files_pid_file(virt_var_run_t) - + -type virt_var_lib_t; +type virt_var_lib_t, virt_file_type; files_mountpoint(virt_var_lib_t) - + -type virtd_t; -type virtd_exec_t; +type virtd_t, virt_system_domain; 
@@ -116602,17 +116602,17 @@ index f03dcf567..a030fcba1 100644 init_daemon_domain(virtd_t, virtd_exec_t) domain_obj_id_change_exemption(virtd_t) domain_subj_id_change_exemption(virtd_t) - + -type virtd_initrc_exec_t; +type virtd_unit_file_t, virt_file_type; +systemd_unit_file(virtd_unit_file_t) + +type virtd_initrc_exec_t, virt_file_type; init_script_file(virtd_initrc_exec_t) - + type virtd_keytab_t; files_type(virtd_keytab_t) - + +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) @@ -116632,21 +116632,21 @@ index f03dcf567..a030fcba1 100644 +mls_trusted_object(qemu_var_run_t) + ifdef(`enable_mcs',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') - + ifdef(`enable_mls',` - init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') - + -type virt_qmf_t; -type virt_qmf_exec_t; +type virt_qmf_t, virt_system_domain; +type virt_qmf_exec_t, virt_file_type; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) - + -type virt_bridgehelper_t; -type virt_bridgehelper_exec_t; +type virt_bridgehelper_t, virt_system_domain; @@ -116656,7 +116656,7 @@ index f03dcf567..a030fcba1 100644 domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) -role virt_bridgehelper_roles types virt_bridgehelper_t; +role system_r types virt_bridgehelper_t; - + -type virtd_lxc_t; -type virtd_lxc_exec_t; -init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) 
@@ -116664,23 +116664,23 @@ index f03dcf567..a030fcba1 100644 +type virt_qemu_ga_t, virt_system_domain; +type virt_qemu_ga_exec_t, virt_file_type; +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) - + -type virtd_lxc_var_run_t; -files_pid_file(virtd_lxc_var_run_t) +type virt_qemu_ga_var_run_t, virt_file_type; +files_pid_file(virt_qemu_ga_var_run_t) - + -type svirt_lxc_file_t; -files_mountpoint(svirt_lxc_file_t) -fs_noxattr_type(svirt_lxc_file_t) -term_pty(svirt_lxc_file_t) +type virt_qemu_ga_log_t, virt_file_type; +logging_log_file(virt_qemu_ga_log_t) - + -virt_lxc_domain_template(svirt_lxc_net) +type virt_qemu_ga_tmp_t, virt_file_type; +files_tmp_file(virt_qemu_ga_tmp_t) - + -type virsh_t; -type virsh_exec_t; -init_system_domain(virsh_t, virsh_exec_t) @@ -116689,14 +116689,14 @@ index f03dcf567..a030fcba1 100644 + +type virt_qemu_ga_unconfined_exec_t, virt_file_type; +application_executable_file(virt_qemu_ga_unconfined_exec_t) - + ######################################## # -# Common virt domain local policy +# Declarations # +attribute svirt_sandbox_domain; - + -allow virt_domain self:process { signal getsched signull }; -allow virt_domain self:fifo_file rw_fifo_file_perms; -allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; @@ -116868,14 +116868,14 @@ index f03dcf567..a030fcba1 100644 +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - + -optional_policy(` - samba_domtrans_smbd(virt_domain) -') +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - + -optional_policy(` - xen_rw_image_files(virt_domain) -') 
@@ -116883,12 +116883,12 @@ index f03dcf567..a030fcba1 100644 +type container_file_t, svirt_file_type; +typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; +files_mountpoint(container_file_t) - + ######################################## # # svirt local policy # - + -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -read_files_pattern(svirt_t, virt_content_t, virt_content_t) - @@ -116903,7 +116903,7 @@ index f03dcf567..a030fcba1 100644 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - + -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) @@ -116928,7 +116928,7 @@ index f03dcf567..a030fcba1 100644 - -corenet_sendrecv_all_client_packets(svirt_t) corenet_tcp_connect_all_ports(svirt_t) - + +init_dontaudit_read_state(svirt_t) + +virt_dontaudit_read_state(svirt_t) @@ -116955,7 +116955,7 @@ index f03dcf567..a030fcba1 100644 # # virtd local policy # - + -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; +allow virtd_t self:capability { chown dac_read_search dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:capability2 compromise_kernel; 
@@ -116987,16 +116987,16 @@ index f03dcf567..a030fcba1 100644 -domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t self:netlink_route_socket create_netlink_socket_perms; +allow virtd_t self:netlink_socket create_socket_perms; - + manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) - + manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) manage_files_pattern(virtd_t, virt_content_t, virt_content_t) -filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") - + allow virtd_t virtd_keytab_t:file read_file_perms; - + -allow virtd_t svirt_var_run_t:file relabel_file_perms; -manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) @@ -117018,13 +117018,13 @@ index f03dcf567..a030fcba1 100644 +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) +filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") - + read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) @@ -455,71 +403,60 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) - + -manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) -manage_files_pattern(virtd_t, virt_home_t, virt_home_t) -manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) 
@@ -117047,18 +117047,18 @@ index f03dcf567..a030fcba1 100644 - +allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; - + manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) - + -# This needs a file context specification manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) - + manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) -append_files_pattern(virtd_t, virt_log_t, virt_log_t) -create_files_pattern(virtd_t, virt_log_t, virt_log_t) @@ -117066,19 +117066,19 @@ index f03dcf567..a030fcba1 100644 -setattr_files_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) logging_log_filetrans(virtd_t, virt_log_t, { file dir }) - + manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) +allow virtd_t virt_var_lib_t:file { relabelfrom relabelto }; - + manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +files_pid_filetrans(virtd_t, virt_var_run_t, { file dir sock_file }) - + -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") 
@@ -117087,14 +117087,14 @@ index f03dcf567..a030fcba1 100644 +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) - + -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) - + -can_exec(virtd_t, virt_tmp_t) - + -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -117105,7 +117105,7 @@ index f03dcf567..a030fcba1 100644 -kernel_setsched(virtd_t) +kernel_dontaudit_setsched(virtd_t) +kernel_write_proc_files(virtd_t) - + corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) @@ -527,24 +464,16 @@ corecmd_exec_shell(virtd_t) @@ -117131,7 +117131,7 @@ index f03dcf567..a030fcba1 100644 - corenet_rw_tun_tap_dev(virtd_t) +corenet_relabel_tun_tap_dev(virtd_t) - + +dev_rw_vfio_dev(virtd_t) dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) @@ -117139,12 +117139,12 @@ index f03dcf567..a030fcba1 100644 @@ -555,20 +484,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) - + +# Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) +domain_signull_all_domains(virtd_t) - + -files_read_usr_files(virtd_t) +files_list_all_mountpoints(virtd_t) files_read_etc_runtime_files(virtd_t) 
@@ -117156,43 +117156,43 @@ index f03dcf567..a030fcba1 100644 +files_relabelfrom_boot_files(virtd_t) +files_relabelto_boot_files(virtd_t) +files_manage_boot_files(virtd_t) - + # Manages /etc/sysconfig/system-config-firewall -# files_relabelto_system_conf_files(virtd_t) -# files_relabelfrom_system_conf_files(virtd_t) -# files_manage_system_conf_files(virtd_t) +files_manage_system_conf_files(virtd_t) - + +fs_read_tmpfs_symlinks(virtd_t) fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) @@ -601,15 +536,18 @@ term_use_ptmx(virtd_t) - + auth_use_nsswitch(virtd_t) - + -miscfiles_read_localization(virtd_t) +init_dbus_chat(virtd_t) + miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) - + modutils_read_module_deps(virtd_t) +modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) - + logging_send_syslog_msg(virtd_t) logging_send_audit_msgs(virtd_t) +logging_stream_connect_syslog(virtd_t) - + selinux_validate_context(virtd_t) - + @@ -620,18 +558,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) - + -userdom_read_all_users_state(virtd_t) - -ifdef(`hide_broken_symptoms',` @@ -117200,7 +117200,7 @@ index f03dcf567..a030fcba1 100644 -') +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) - + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -117221,82 +117221,82 @@ index f03dcf567..a030fcba1 100644 +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) +virt_filetrans_home_content(virtd_t) - + tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virtd_t) + fs_manage_nfs_dirs(virtd_t) 
@@ -640,7 +586,7 @@ tunable_policy(`virt_use_nfs',` ') - + tunable_policy(`virt_use_samba',` - fs_manage_cifs_files(virtd_t) + fs_manage_cifs_dirs(virtd_t) - fs_manage_cifs_files(virtd_t) - fs_read_cifs_symlinks(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) ') @@ -664,10 +610,6 @@ optional_policy(` - consolekit_dbus_chat(virtd_t) - ') - + consolekit_dbus_chat(virtd_t) + ') + - optional_policy(` - firewalld_dbus_chat(virtd_t) - ') - - optional_policy(` - hal_dbus_chat(virtd_t) - ') + optional_policy(` + hal_dbus_chat(virtd_t) + ') @@ -675,11 +617,7 @@ optional_policy(` - optional_policy(` - networkmanager_dbus_chat(virtd_t) - ') + optional_policy(` + networkmanager_dbus_chat(virtd_t) + ') - - optional_policy(` - policykit_dbus_chat(virtd_t) - ') -') +') - + optional_policy(` - dmidecode_domtrans(virtd_t) + dmidecode_domtrans(virtd_t) @@ -691,20 +629,26 @@ optional_policy(` - dnsmasq_kill(virtd_t) - dnsmasq_signull(virtd_t) - dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_kill(virtd_t) + dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) - dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network") - dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid") + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); - dnsmasq_manage_pid_files(virtd_t) + dnsmasq_manage_pid_files(virtd_t) ') - + +optional_policy(` + firewalld_dbus_chat(virtd_t) +') + optional_policy(` - iptables_domtrans(virtd_t) - iptables_initrc_domtrans(virtd_t) + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall - iptables_manage_config(virtd_t) + iptables_manage_config(virtd_t) ') - + optional_policy(` - kerberos_read_keytab(virtd_t) - kerberos_use(virtd_t) + kerberos_read_keytab(virtd_t) + kerberos_use(virtd_t) ') - + optional_policy(` 
@@ -712,11 +656,18 @@ optional_policy(` ') - + optional_policy(` + # Run mount in the mount_t domain. - mount_domtrans(virtd_t) - mount_signal(virtd_t) + mount_domtrans(virtd_t) + mount_signal(virtd_t) ') - + optional_policy(` + numad_domtrans(virtd_t) + numad_dbus_chat(virtd_t) @@ -117304,32 +117304,32 @@ index f03dcf567..a030fcba1 100644 + +optional_policy(` + policykit_dbus_chat(virtd_t) - policykit_domtrans_auth(virtd_t) - policykit_domtrans_resolve(virtd_t) - policykit_read_lib(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) @@ -726,10 +677,18 @@ optional_policy(` - qemu_exec(virtd_t) + qemu_exec(virtd_t) ') - + +optional_policy(` + sanlock_stream_connect(virtd_t) +') + optional_policy(` - sasl_connect(virtd_t) + sasl_connect(virtd_t) ') - + +optional_policy(` + setrans_manage_pid_files(virtd_t) +') + optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) @@ -746,44 +705,368 @@ optional_policy(` - udev_read_pid_files(virtd_t) + udev_read_pid_files(virtd_t) ') - + +optional_policy(` + unconfined_domain(virtd_t) +') @@ -117339,7 +117339,7 @@ index f03dcf567..a030fcba1 100644 -# Virsh local policy +# virtlogd local policy # - + -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; -allow virsh_t self:process { getcap getsched setsched setcap signal }; -allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -117347,7 +117347,7 @@ index f03dcf567..a030fcba1 100644 -allow virsh_t self:tcp_socket { accept listen }; +# virtlogd is allowed to manage files it creates in /var/run/libvirt +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) - + -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) 
@@ -117357,7 +117357,7 @@ index f03dcf567..a030fcba1 100644 +files_search_etc(virtlogd_t) +allow virtlogd_t virt_etc_t:lnk_file read_file_perms; +allow virtlogd_t virt_etc_t:dir search; - + -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -117369,7 +117369,7 @@ index f03dcf567..a030fcba1 100644 +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) +# This lets systemd create the socket itself too +files_pid_file(virtlogd_var_run_t) - + -manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") @@ -117377,17 +117377,17 @@ index f03dcf567..a030fcba1 100644 +allow virtlogd_t virtlogd_var_run_t:file manage_file_perms; +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) +files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) - + -dontaudit virsh_t virt_var_lib_t:file read_file_perms; +manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) - + -allow virsh_t svirt_lxc_domain:process transition; +manage_dirs_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) - + -can_exec(virsh_t, virsh_exec_t) +can_exec(virtlogd_t, virtlogd_exec_t) + @@ -117550,7 +117550,7 @@ index f03dcf567..a030fcba1 100644 +miscfiles_read_generic_certs(virt_domain) + +storage_raw_read_removable_device(virt_domain) - + +sysnet_read_config(virt_domain) + +term_use_all_inherited_terms(virt_domain) 
@@ -117687,7 +117687,7 @@ index f03dcf567..a030fcba1 100644 virt_manage_images(virsh_t) virt_manage_config(virsh_t) virt_stream_connect(virsh_t) - + -kernel_read_crypto_sysctls(virsh_t) +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) @@ -117720,7 +117720,7 @@ index f03dcf567..a030fcba1 100644 @@ -794,25 +1077,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) - + -corenet_all_recvfrom_unlabeled(virsh_t) -corenet_all_recvfrom_netlabel(virsh_t) corenet_tcp_sendrecv_generic_if(virsh_t) @@ -117730,90 +117730,90 @@ index f03dcf567..a030fcba1 100644 -corenet_sendrecv_soundd_client_packets(virsh_t) corenet_tcp_connect_soundd_port(virsh_t) -corenet_tcp_sendrecv_soundd_port(virsh_t) - + dev_read_rand(virsh_t) dev_read_urand(virsh_t) dev_read_sysfs(virsh_t) - + files_read_etc_runtime_files(virsh_t) -files_read_etc_files(virsh_t) -files_read_usr_files(virsh_t) files_list_mnt(virsh_t) files_list_tmp(virsh_t) +# Some common macros (you might be able to remove some) - + fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) 
@@ -821,23 +1097,25 @@ fs_search_auto_mountpoints(virsh_t) - + storage_raw_read_fixed_disk(virsh_t) - + -term_use_all_terms(virsh_t) +term_use_all_inherited_terms(virsh_t) +term_dontaudit_use_generic_ptys(virsh_t) + +userdom_search_admin_dir(virsh_t) +userdom_read_home_certs(virsh_t) - + init_stream_connect_script(virsh_t) init_rw_script_stream_sockets(virsh_t) init_use_fds(virsh_t) - + -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) - + -miscfiles_read_localization(virsh_t) +auth_read_passwd(virsh_t) + +logging_send_syslog_msg(virsh_t) - + sysnet_dns_name_resolve(virsh_t) - + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virsh_t) - fs_manage_fusefs_files(virsh_t) - fs_read_fusefs_symlinks(virsh_t) -') +userdom_stream_connect(virsh_t) - + tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_dirs(virsh_t) @@ -855,15 +1133,21 @@ optional_policy(` - cron_system_entry(virsh_t, virsh_exec_t) + cron_system_entry(virsh_t, virsh_exec_t) ') - + +optional_policy(` + rhcs_domtrans_fenced(virsh_t) +') + optional_policy(` - rpm_exec(virsh_t) + rpm_exec(virsh_t) ') - + optional_policy(` - xen_manage_image_dirs(virsh_t) + xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) + xen_read_lib_files(virsh_t) - xen_append_log(virsh_t) - xen_domtrans(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) - xen_read_xenstored_pid_files(virsh_t) + xen_read_pid_files_xenstored(virsh_t) - xen_stream_connect(virsh_t) - xen_stream_connect_xenstore(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) ') 
@@ -888,49 +1172,65 @@ optional_policy(` - kernel_read_xen_state(virsh_ssh_t) - kernel_write_xen_state(virsh_ssh_t) - + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; - files_search_tmp(virsh_ssh_t) - - fs_manage_xenfs_dirs(virsh_ssh_t) - fs_manage_xenfs_files(virsh_ssh_t) + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) ') - + ######################################## # -# Lxc local policy @@ -117822,7 +117822,7 @@ index f03dcf567..a030fcba1 100644 +allow virtd_lxc_t self:capability { dac_read_search dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; +allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms }; +allow virtd_lxc_t self:capability2 compromise_kernel; - + -allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; @@ -117833,13 +117833,13 @@ index f03dcf567..a030fcba1 100644 allow virtd_lxc_t self:packet_socket create_socket_perms; +ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; - + -allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; +files_entrypoint_all_files(virtd_lxc_t) - + allow virtd_lxc_t virt_image_type:dir mounton; manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) - + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + 
@@ -117874,21 +117874,21 @@ index f03dcf567..a030fcba1 100644 +files_associate_rootfs(container_file_t) + +seutil_read_file_contexts(virtd_lxc_t) - + storage_manage_fixed_disk(virtd_lxc_t) +storage_rw_fuse(virtd_lxc_t) - + kernel_read_all_sysctls(virtd_lxc_t) kernel_read_network_state(virtd_lxc_t) kernel_read_system_state(virtd_lxc_t) +kernel_request_load_module(virtd_lxc_t) - + corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) @@ -942,17 +1242,16 @@ dev_read_urand(virtd_lxc_t) - + domain_use_interactive_fds(virtd_lxc_t) - + -files_associate_rootfs(svirt_lxc_file_t) files_search_all(virtd_lxc_t) files_getattr_all_files(virtd_lxc_t) @@ -117900,7 +117900,7 @@ index f03dcf567..a030fcba1 100644 files_list_isid_type_dirs(virtd_lxc_t) -files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) +files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set) - + +fs_read_fusefs_files(virtd_lxc_t) fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) @@ -117908,7 +117908,7 @@ index f03dcf567..a030fcba1 100644 @@ -964,15 +1263,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) - + +logging_send_audit_msgs(virtd_lxc_t) + selinux_mount_fs(virtd_lxc_t) @@ -117921,19 +117921,19 @@ index f03dcf567..a030fcba1 100644 -selinux_compute_relabel_context(virtd_lxc_t) -selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) - + term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) @@ -982,186 +1277,296 @@ auth_use_nsswitch(virtd_lxc_t) - + logging_send_syslog_msg(virtd_lxc_t) - + -miscfiles_read_localization(virtd_lxc_t) - seutil_domtrans_setfiles(virtd_lxc_t) -seutil_read_config(virtd_lxc_t) seutil_read_default_contexts(virtd_lxc_t) - + -sysnet_domtrans_ifconfig(virtd_lxc_t) +selinux_get_enforce_mode(virtd_lxc_t) +selinux_get_fs_mount(virtd_lxc_t) 
@@ -117942,13 +117942,13 @@ index f03dcf567..a030fcba1 100644 +selinux_compute_create_context(virtd_lxc_t) +selinux_compute_relabel_context(virtd_lxc_t) +selinux_compute_user_contexts(virtd_lxc_t) - + -######################################## -# -# Common virt lxc domain local policy -# +sysnet_exec_ifconfig(virtd_lxc_t) - + -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -allow svirt_lxc_domain self:fifo_file manage_file_perms; @@ -117958,31 +117958,31 @@ index f03dcf567..a030fcba1 100644 -allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; -allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +systemd_dbus_chat_machined(virtd_lxc_t) - + -allow svirt_lxc_domain virtd_lxc_t:fd use; -allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; -allow svirt_lxc_domain virtd_lxc_t:process sigchld; +userdom_read_admin_home_files(virtd_lxc_t) - + -allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +optional_policy(` + container_exec_lib(virtd_lxc_t) +') - + -allow svirt_lxc_domain virsh_t:fd use; -allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; -allow svirt_lxc_domain virsh_t:process sigchld; +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) - + -allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; -allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') - + -manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) 
@@ -117993,18 +117993,18 @@ index f03dcf567..a030fcba1 100644 +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') - + -allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; -allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') - + -can_exec(svirt_lxc_domain, svirt_lxc_file_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') - + -kernel_getattr_proc(svirt_lxc_domain) -kernel_list_all_proc(svirt_lxc_domain) -kernel_read_kernel_sysctls(svirt_lxc_domain) @@ -118033,7 +118033,7 @@ index f03dcf567..a030fcba1 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') - + -corecmd_exec_all_executables(svirt_lxc_domain) +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; @@ -118122,7 +118122,7 @@ index f03dcf567..a030fcba1 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - + -files_dontaudit_getattr_all_dirs(svirt_lxc_domain) -files_dontaudit_getattr_all_files(svirt_lxc_domain) -files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) 
@@ -118141,38 +118141,38 @@ index f03dcf567..a030fcba1 100644 + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') - + -fs_getattr_all_fs(svirt_lxc_domain) -fs_list_inotifyfs(svirt_lxc_domain) +optional_policy(` + gear_read_pid_files(svirt_sandbox_domain) +') - + -# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) -# fs_rw_inherited_cifs_files(svirt_lxc_domain) -# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') - + -auth_dontaudit_read_login_records(svirt_lxc_domain) -auth_dontaudit_write_login_records(svirt_lxc_domain) -auth_search_pam_console_data(svirt_lxc_domain) +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') - + -clock_read_adjtime(svirt_lxc_domain) +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') - + -init_read_utmp(svirt_lxc_domain) -init_dontaudit_write_utmp(svirt_lxc_domain) +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') - + -libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) @@ -118180,7 +118180,7 @@ index f03dcf567..a030fcba1 100644 + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) +') - + -miscfiles_read_localization(svirt_lxc_domain) -miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) -miscfiles_read_fonts(svirt_lxc_domain) 
@@ -118190,20 +118190,20 @@ index f03dcf567..a030fcba1 100644 + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) +') - + -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) +') - + optional_policy(` - udev_read_pid_files(svirt_lxc_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) ') - + optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) @@ -118212,7 +118212,7 @@ index f03dcf567..a030fcba1 100644 + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) + container_use_ptys(svirt_sandbox_domain) ') - + ######################################## # -# Lxc net local policy @@ -118221,7 +118221,7 @@ index f03dcf567..a030fcba1 100644 +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; +# Policy moved to container-selinux policy package - + -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; 
@@ -118239,13 +118239,13 @@ index f03dcf567..a030fcba1 100644 +# +virt_sandbox_domain_template(svirt_qemu_net) +typeattribute svirt_qemu_net_t sandbox_net_domain; - + -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execstack execmem }; - + -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) -corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t) @@ -118261,7 +118261,7 @@ index f03dcf567..a030fcba1 100644 + allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') - + -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) -corenet_udp_bind_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_all_ports(svirt_lxc_net_t) 
@@ -118271,44 +118271,44 @@ index f03dcf567..a030fcba1 100644 +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) - + -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) - + -dev_getattr_mtrr_dev(svirt_lxc_net_t) -dev_read_rand(svirt_lxc_net_t) -dev_read_sysfs(svirt_lxc_net_t) -dev_read_urand(svirt_lxc_net_t) +dev_rw_kvm(svirt_qemu_net_t) - + -files_read_kernel_modules(svirt_lxc_net_t) +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) - + -fs_mount_cgroup(svirt_lxc_net_t) -fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) - + -auth_use_nsswitch(svirt_lxc_net_t) +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) - + -logging_send_audit_msgs(svirt_lxc_net_t) +kernel_read_irq_sysctls(svirt_qemu_net_t) - + -userdom_use_user_ptys(svirt_lxc_net_t) +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) - + -optional_policy(` - rpm_read_db(svirt_lxc_net_t) -') +files_read_kernel_modules(svirt_qemu_net_t) - + -####################################### -# -# Prot exec local policy @@ -118319,7 +118319,7 @@ index f03dcf567..a030fcba1 100644 +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(container_file_t) - + -allow svirt_prot_exec_t self:process { execmem execstack }; +auth_use_nsswitch(svirt_qemu_net_t) + @@ -118332,7 +118332,7 @@ index f03dcf567..a030fcba1 100644 +') + +userdom_use_user_ptys(svirt_qemu_net_t) - + ######################################## # -# Qmf local policy 
@@ -118346,24 +118346,24 @@ index f03dcf567..a030fcba1 100644 +allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms; allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; - + @@ -1174,12 +1579,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) - + +corenet_tcp_connect_matahari_port(virt_qmf_t) + domain_use_interactive_fds(virt_qmf_t) - + logging_send_syslog_msg(virt_qmf_t) - + -miscfiles_read_localization(virt_qmf_t) - sysnet_read_config(virt_qmf_t) - + optional_policy(` @@ -1192,9 +1597,8 @@ optional_policy(` - + ######################################## # -# Bridgehelper local policy @@ -118374,9 +118374,9 @@ index f03dcf567..a030fcba1 100644 allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; @@ -1207,5 +1611,244 @@ kernel_read_network_state(virt_bridgehelper_t) - + corenet_rw_tun_tap_dev(virt_bridgehelper_t) - + -userdom_search_user_home_dirs(virt_bridgehelper_t) -userdom_use_user_ptys(virt_bridgehelper_t) +userdom_use_inherited_user_ptys(virt_bridgehelper_t) @@ -118625,12 +118625,12 @@ index 6b72968ea..de409cc61 100644 --- a/vlock.te +++ b/vlock.te @@ -38,7 +38,7 @@ auth_use_pam(vlock_t) - + init_dontaudit_rw_utmp(vlock_t) - + -miscfiles_read_localization(vlock_t) +logging_send_syslog_msg(vlock_t) - + userdom_dontaudit_search_user_home_dirs(vlock_t) -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) @@ -118922,21 +118922,21 @@ index 20a1fb296..39d21a304 100644 --- a/vmware.if +++ b/vmware.if 
@@ -26,7 +26,11 @@ interface(`vmware_role',` - domtrans_pattern($2, vmware_exec_t, vmware_t) - - ps_process_pattern($2, vmware_t) + domtrans_pattern($2, vmware_exec_t, vmware_t) + + ps_process_pattern($2, vmware_t) - allow $2 vmware_t:process { ptrace signal_perms }; + allow $2 vmware_t:process signal_perms; + + tunable_policy(`deny_ptrace',`',` + allow $2 vmware_t:process ptrace; + ') - - allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; + + allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; @@ -112,3 +116,39 @@ interface(`vmware_append_log',` - logging_search_logs($1) - append_files_pattern($1, vmware_log_t, vmware_log_t) + logging_search_logs($1) + append_files_pattern($1, vmware_log_t, vmware_log_t) ') + +######################################## @@ -118981,7 +118981,7 @@ index 4ad18944a..dfe8d1f1a 100644 @@ -65,7 +65,8 @@ ifdef(`enable_mcs',` # Host local policy # - + -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; +allow vmware_host_t self:capability { net_admin sys_module }; +allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search dac_override }; @@ -118993,7 +118993,7 @@ index 4ad18944a..dfe8d1f1a 100644 kernel_read_system_state(vmware_host_t) kernel_read_network_state(vmware_host_t) +kernel_request_load_module(vmware_host_t) - + -corenet_all_recvfrom_unlabeled(vmware_host_t) corenet_all_recvfrom_netlabel(vmware_host_t) corenet_tcp_sendrecv_generic_if(vmware_host_t) 
@@ -119003,78 +119003,78 @@ index 4ad18944a..dfe8d1f1a 100644 dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) +dev_rw_generic_chr_files(vmware_host_t) - + domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) - + files_list_tmp(vmware_host_t) -files_read_etc_files(vmware_host_t) files_read_etc_runtime_files(vmware_host_t) -files_read_usr_files(vmware_host_t) - + fs_getattr_all_fs(vmware_host_t) fs_search_auto_mountpoints(vmware_host_t) @@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t) - + logging_send_syslog_msg(vmware_host_t) - + -miscfiles_read_localization(vmware_host_t) - sysnet_dns_name_resolve(vmware_host_t) sysnet_domtrans_ifconfig(vmware_host_t) - + +systemd_start_power_services(vmware_host_t) + userdom_dontaudit_use_unpriv_user_fds(vmware_host_t) userdom_dontaudit_search_user_home_dirs(vmware_host_t) - + netutils_domtrans_ping(vmware_host_t) - + optional_policy(` - hostname_exec(vmware_host_t) + unconfined_domain(vmware_host_t) ') - + +optional_policy(` + hostname_exec(vmware_host_t) -+') ++') + optional_policy(` - modutils_domtrans_insmod(vmware_host_t) + modutils_domtrans_insmod(vmware_host_t) -') -+') - ++') + optional_policy(` - samba_read_config(vmware_host_t) + samba_read_config(vmware_host_t) @@ -182,7 +186,7 @@ optional_policy(` # Guest local policy # - + -allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; +allow vmware_t self:capability { dac_read_search dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown }; dontaudit vmware_t self:capability sys_tty_config; allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow vmware_t self:process { execmem execstack }; 
@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t) - + domain_use_interactive_fds(vmware_t) - + -files_read_etc_files(vmware_t) files_read_etc_runtime_files(vmware_t) -files_read_usr_files(vmware_t) files_list_home(vmware_t) - + fs_getattr_all_fs(vmware_t) @@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t) libs_exec_ld_so(vmware_t) libs_read_lib_files(vmware_t) - + -miscfiles_read_localization(vmware_t) - + -userdom_use_user_terminals(vmware_t) +userdom_use_inherited_user_terminals(vmware_t) userdom_list_user_home_dirs(vmware_t) - + sysnet_dns_name_resolve(vmware_t) diff --git a/vnstatd.if b/vnstatd.if index 137ac4458..b644854c9 100644 @@ -119087,49 +119087,49 @@ index 137ac4458..b644854c9 100644 -## # interface(`vnstatd_admin',` - gen_require(` + gen_require(` @@ -165,9 +164,13 @@ interface(`vnstatd_admin',` - type vnstatd_var_run_t; - ') - + type vnstatd_var_run_t; + ') + - allow $1 vnstatd_t:process { ptrace signal_perms }; + allow $1 vnstatd_t:process signal_perms; - ps_process_pattern($1, vnstatd_t) - + ps_process_pattern($1, vnstatd_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 vnstatd_t:process ptrace; + ') + - init_labeled_script_domtrans($1, vnstatd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 vnstatd_initrc_exec_t system_r; + init_labeled_script_domtrans($1, vnstatd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 vnstatd_initrc_exec_t system_r; diff --git a/vnstatd.te b/vnstatd.te index e2220ae7f..85f393b41 100644 --- a/vnstatd.te +++ b/vnstatd.te 
@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen }; - + manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir) - + manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) @@ -45,16 +45,14 @@ files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) kernel_read_network_state(vnstatd_t) kernel_read_system_state(vnstatd_t) - + -domain_use_interactive_fds(vnstatd_t) +dev_read_sysfs(vnstatd_t) - + -files_read_etc_files(vnstatd_t) +domain_use_interactive_fds(vnstatd_t) - + fs_getattr_xattr_fs(vnstatd_t) - + logging_send_syslog_msg(vnstatd_t) - + -miscfiles_read_localization(vnstatd_t) - ######################################## @@ -119138,27 +119138,27 @@ index e2220ae7f..85f393b41 100644 @@ -64,23 +62,19 @@ allow vnstat_t self:process signal; allow vnstat_t self:fifo_file rw_fifo_file_perms; allow vnstat_t self:unix_stream_socket { accept listen }; - + +files_search_var_lib(vnstat_t) manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) - + kernel_read_network_state(vnstat_t) kernel_read_system_state(vnstat_t) - + domain_use_interactive_fds(vnstat_t) - + -files_read_etc_files(vnstat_t) - fs_getattr_xattr_fs(vnstat_t) - + logging_send_syslog_msg(vnstat_t) - + -miscfiles_read_localization(vnstat_t) - optional_policy(` - cron_system_entry(vnstat_t, vnstat_exec_t) + cron_system_entry(vnstat_t, vnstat_exec_t) ') diff --git a/vpn.fc b/vpn.fc index 524ac2f76..076dcc3e6 100644 
@@ -119170,15 +119170,15 @@ index 524ac2f76..076dcc3e6 100644 +# sbin +# +/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - + +# +# /usr +# /usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) - + -/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) +/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) - + -/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) +/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0) diff --git a/vpn.if b/vpn.if @@ -119188,7 +119188,7 @@ index 7a7f34297..afedcba80 100644 @@ -1,8 +1,8 @@ -## Virtual Private Networking client. +## Virtual Private Networking client - + ######################################## ## -## Execute vpn clients in the vpnc domain. @@ -119197,13 +119197,13 @@ index 7a7f34297..afedcba80 100644 ## ## @@ -15,15 +15,13 @@ interface(`vpn_domtrans',` - type vpnc_t, vpnc_exec_t; - ') - + type vpnc_t, vpnc_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, vpnc_exec_t, vpnc_t) + domtrans_pattern($1, vpnc_exec_t, vpnc_t) ') - + ######################################## ## -## Execute vpn clients in the vpnc @@ -119216,14 +119216,14 @@ index 7a7f34297..afedcba80 100644 ## @@ -40,6 +38,7 @@ interface(`vpn_domtrans',` interface(`vpn_run',` - gen_require(` - attribute_role vpnc_roles; + gen_require(` + attribute_role vpnc_roles; + type vpnc_t; - ') - - vpn_domtrans($1) + ') + + vpn_domtrans($1) @@ -48,7 +47,7 @@ interface(`vpn_run',` - + ######################################## ## -## Send kill signals to vpnc. @@ -119232,7 +119232,7 @@ index 7a7f34297..afedcba80 100644 ## ## @@ -66,7 +65,7 @@ interface(`vpn_kill',` - + ######################################## ## -## Send generic signals to vpnc. @@ -119241,7 +119241,7 @@ index 7a7f34297..afedcba80 100644 ## ## @@ -84,7 +83,7 @@ interface(`vpn_signal',` - + ######################################## ## -## Send null signals to vpnc. 
@@ -119264,10 +119264,10 @@ index 95b26d126..3d74e70cc 100644 +++ b/vpn.te @@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0) # - + attribute_role vpnc_roles; +roleattribute system_r vpnc_roles; - + type vpnc_t; type vpnc_exec_t; @@ -28,9 +29,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n @@ -119283,12 +119283,12 @@ index 95b26d126..3d74e70cc 100644 allow vpnc_t self:tun_socket { create_socket_perms relabelfrom }; +# cjp: this needs to be fixed allow vpnc_t self:socket create_socket_perms; - + manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) @@ -47,7 +52,6 @@ kernel_read_all_sysctls(vpnc_t) kernel_request_load_module(vpnc_t) kernel_rw_net_sysctls(vpnc_t) - + -corenet_all_recvfrom_unlabeled(vpnc_t) corenet_all_recvfrom_netlabel(vpnc_t) corenet_tcp_sendrecv_generic_if(vpnc_t) @@ -119314,22 +119314,22 @@ index 95b26d126..3d74e70cc 100644 +corenet_sendrecv_isakmp_server_packets(vpnc_t) +corenet_sendrecv_generic_server_packets(vpnc_t) corenet_rw_tun_tap_dev(vpnc_t) - + -corecmd_exec_all_executables(vpnc_t) - dev_read_rand(vpnc_t) dev_read_urand(vpnc_t) dev_read_sysfs(vpnc_t) - + domain_use_interactive_fds(vpnc_t) - + -files_exec_etc_files(vpnc_t) -files_read_etc_runtime_files(vpnc_t) -files_dontaudit_search_home(vpnc_t) - fs_getattr_xattr_fs(vpnc_t) fs_getattr_tmpfs(vpnc_t) - + -term_use_all_ptys(vpnc_t) -term_use_all_ttys(vpnc_t) +term_use_all_inherited_ptys(vpnc_t) @@ -119340,33 +119340,33 @@ index 95b26d126..3d74e70cc 100644 +files_exec_etc_files(vpnc_t) +files_read_etc_runtime_files(vpnc_t) +files_dontaudit_search_home(vpnc_t) - + auth_use_nsswitch(vpnc_t) - + 
@@ -103,16 +101,15 @@ locallogin_use_fds(vpnc_t) logging_send_syslog_msg(vpnc_t) logging_dontaudit_search_logs(vpnc_t) - + -miscfiles_read_localization(vpnc_t) - -seutil_dontaudit_search_config(vpnc_t) +seutil_use_newrole_fds(vpnc_t) - + sysnet_run_ifconfig(vpnc_t, vpnc_roles) sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) - + userdom_use_all_users_fds(vpnc_t) -userdom_dontaudit_search_user_home_content(vpnc_t) +userdom_read_home_certs(vpnc_t) +userdom_search_admin_dir(vpnc_t) - + optional_policy(` - dbus_system_bus_client(vpnc_t) + dbus_system_bus_client(vpnc_t) @@ -124,8 +121,5 @@ optional_policy(` - + optional_policy(` - networkmanager_attach_tun_iface(vpnc_t) + networkmanager_attach_tun_iface(vpnc_t) -') - -optional_policy(` @@ -119380,7 +119380,7 @@ index 463c799f4..227feaf34 100644 @@ -1,4 +1,4 @@ -/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) +/usr/lib/cgi-bin/check -- gen_context(system_u:object_r:w3c_validator_script_exec_t,s0) - + -/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0) -/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0) +/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0) @@ -119391,13 +119391,13 @@ index b14d6a948..d7c79382d 100644 +++ b/w3c.te @@ -6,29 +6,37 @@ policy_module(w3c, 1.1.0) # - + apache_content_template(w3c_validator) +apache_content_alias_template(w3c_validator, w3c_validator) + +type w3c_validator_tmp_t; +files_tmp_file(w3c_validator_tmp_t) - + ######################################## # # Local policy 
@@ -119406,7 +119406,7 @@ index b14d6a948..d7c79382d 100644 +manage_files_pattern(w3c_validator_script_t, w3c_validator_tmp_t, w3c_validator_tmp_t) +files_tmp_filetrans(w3c_validator_script_t, w3c_validator_tmp_t, { file dir }) + - + -corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t) -corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_generic_if(httpd_w3c_validator_script_t) 
@@ -119415,31 +119415,31 @@ index b14d6a948..d7c79382d 100644 +corenet_all_recvfrom_netlabel(w3c_validator_script_t) +corenet_tcp_sendrecv_generic_if(w3c_validator_script_t) +corenet_tcp_sendrecv_generic_node(w3c_validator_script_t) - + -corenet_sendrecv_ftp_client_packets(httpd_w3c_validator_script_t) -corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) +corenet_sendrecv_ftp_client_packets(w3c_validator_script_t) +corenet_tcp_connect_ftp_port(w3c_validator_script_t) +corenet_tcp_sendrecv_ftp_port(w3c_validator_script_t) - + -corenet_sendrecv_http_client_packets(httpd_w3c_validator_script_t) -corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) +corenet_sendrecv_http_client_packets(w3c_validator_script_t) +corenet_tcp_connect_http_port(w3c_validator_script_t) +corenet_tcp_sendrecv_http_port(w3c_validator_script_t) - + -corenet_sendrecv_http_cache_client_packets(httpd_w3c_validator_script_t) -corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) -corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) +corenet_sendrecv_http_cache_client_packets(w3c_validator_script_t) +corenet_tcp_connect_http_cache_port(w3c_validator_script_t) +corenet_tcp_sendrecv_http_cache_port(w3c_validator_script_t) - + -miscfiles_read_generic_certs(httpd_w3c_validator_script_t) +miscfiles_read_generic_certs(w3c_validator_script_t) - + -sysnet_dns_name_resolve(httpd_w3c_validator_script_t) +sysnet_dns_name_resolve(w3c_validator_script_t) diff --git a/watchdog.fc b/watchdog.fc @@ -119449,23 +119449,23 @@ index eecd0e03b..8df2e8ce7 100644 
@@ -1,7 +1,12 @@ /etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0) +/etc/watchdog\.d(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0) - + /usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0) - + +/usr/libexec/watchdog/scripts(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0) + +/var/cache/watchdog(/.*)? gen_context(system_u:object_r:watchdog_cache_t,s0) + /var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0) - + /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/watchdog.if b/watchdog.if index 6461a7746..8fda2dd71 100644 --- a/watchdog.if +++ b/watchdog.if @@ -37,3 +37,21 @@ interface(`watchdog_admin',` - files_search_pids($1) - admin_pattern($1, watchdog_var_run_t) + files_search_pids($1) + admin_pattern($1, watchdog_var_run_t) ') + +####################################### @@ -119492,16 +119492,16 @@ index 3548317cf..fc3da17d6 100644 @@ -12,34 +12,47 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) type watchdog_initrc_exec_t; init_script_file(watchdog_initrc_exec_t) - + +type watchdog_cache_t; +files_type(watchdog_cache_t) + type watchdog_log_t; logging_log_file(watchdog_log_t) - + type watchdog_var_run_t; files_pid_file(watchdog_var_run_t) - + +type watchdog_unconfined_exec_t; +application_executable_file(watchdog_unconfined_exec_t) + @@ -119509,7 +119509,7 @@ index 3548317cf..fc3da17d6 100644 # # Local policy # - + -allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource }; +allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw }; dontaudit watchdog_t self:capability sys_tty_config; 
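Review bot: The new file contexts label everything under `/etc/watchdog\.d(/.*)?` and `/usr/libexec/watchdog/scripts(/.*)?` as `watchdog_unconfined_exec_t`, a type the watchdog.te hunk at `@@ -119492` declares with `application_executable_file` while also adding the `net_raw` capability to watchdog_t, but the interface that consumes the type is cut off at the end of the watchdog.if hunk, so the domain those scripts end up in is not visible here. Giving a configuration directory under /etc an exec label whose name suggests an unconfined transition deserves a comment in the .te next to the type declaration, for example `# scripts under /etc/watchdog.d and /usr/libexec/watchdog/scripts run via watchdog_unconfined_exec_t as <target domain — TODO confirm>`, so the next reader can tell what trust the label implies. It is also worth confirming that both regexes only match root-owned paths, since any file dropped there inherits the label.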
@@ -119517,7 +119517,7 @@ index 3548317cf..fc3da17d6 100644 allow watchdog_t self:fifo_file rw_fifo_file_perms; allow watchdog_t self:tcp_socket { accept listen }; +allow watchdog_t self:rawip_socket create_socket_perms; - + -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) +manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) @@ -119526,64 +119526,64 @@ index 3548317cf..fc3da17d6 100644 +manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) +manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) +logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file}) - + manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) - + +kernel_read_network_state(watchdog_t) kernel_read_system_state(watchdog_t) kernel_read_kernel_sysctls(watchdog_t) kernel_unmount_proc(watchdog_t) - + corecmd_exec_shell(watchdog_t) +corecmd_exec_bin(watchdog_t) - + corenet_all_recvfrom_unlabeled(watchdog_t) corenet_all_recvfrom_netlabel(watchdog_t) @@ -63,7 +76,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) - + -files_read_etc_files(watchdog_t) files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) - + @@ -72,16 +84,19 @@ fs_getattr_all_fs(watchdog_t) fs_search_auto_mountpoints(watchdog_t) - + auth_append_login_records(watchdog_t) +auth_read_passwd(watchdog_t) - + logging_send_syslog_msg(watchdog_t) - + -miscfiles_read_localization(watchdog_t) - sysnet_dns_name_resolve(watchdog_t) - + userdom_dontaudit_use_unpriv_user_fds(watchdog_t) userdom_dontaudit_search_user_home_dirs(watchdog_t) - + +optional_policy(` + cron_system_entry(watchdog_t, watchdog_exec_t) +') + optional_policy(` - mta_send_mail(watchdog_t) + mta_send_mail(watchdog_t) ') 
@@ -90,6 +105,10 @@ optional_policy(` - nis_use_ypbind(watchdog_t) + nis_use_ypbind(watchdog_t) ') - + +optional_policy(` + rhcs_domtrans_fenced(watchdog_t) +') + optional_policy(` - seutil_sigchld_newrole(watchdog_t) + seutil_sigchld_newrole(watchdog_t) ') @@ -97,3 +116,32 @@ optional_policy(` optional_policy(` - udev_read_db(watchdog_t) + udev_read_db(watchdog_t) ') + +optional_policy(` @@ -119620,13 +119620,13 @@ index 66f11f724..e051997a6 100644 +++ b/wdmd.fc @@ -1,5 +1,7 @@ /etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) - + -/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) +/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) + +/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) +/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0) - + -/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) diff --git a/wdmd.if b/wdmd.if index 1e3aec07f..d17ff392f 100644 @@ -119636,7 +119636,7 @@ index 1e3aec07f..d17ff392f 100644 -## Watchdog multiplexing daemon. + +## watchdog multiplexing daemon - + ######################################## ## -## Connect to wdmd with a unix @@ -119671,16 +119671,16 @@ index 1e3aec07f..d17ff392f 100644 # -interface(`wdmd_stream_connect',` +interface(`wdmd_initrc_domtrans',` - gen_require(` + gen_require(` - type wdmd_t, wdmd_var_run_t; + type wdmd_initrc_exec_t; - ') - + ') + - files_search_pids($1) - stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t) + init_labeled_script_domtrans($1, wdmd_initrc_exec_t) ') - + ######################################## ## -## All of the rules required to @@ -119693,25 +119693,25 @@ index 1e3aec07f..d17ff392f 100644 
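Review bot: The log rule in the watchdog.te hunk at `@@ -119526` goes from `append_file_perms create_file_perms setattr_file_perms` on watchdog_log_t to `manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)` plus `manage_dirs_pattern`, which additionally grants write, unlink and rename, so the daemon can now truncate or remove its own log files rather than only append to them. If the wider permission is needed, presumably for the daemon to rotate or recreate logs itself, a one-line comment above the rule stating that would justify the loss of the append-only property, e.g. `# watchdog rotates its own logs; needs full manage on watchdog_log_t`. The same two lines and `logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})` also drop the spacing used elsewhere in the file (`{ dir file }`, a space after each comma), which makes them stand out as pasted. The enclosing optional_policy blocks of the inner hunk continue past the end of this hunk.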
@@ -39,17 +57,77 @@ interface(`wdmd_stream_connect',` # interface(`wdmd_admin',` - gen_require(` + gen_require(` - type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t; + type wdmd_t; + type wdmd_initrc_exec_t; - ') - + ') + - allow $1 wdmd_t:process { ptrace signal_perms }; + allow $1 wdmd_t:process signal_perms; - ps_process_pattern($1, wdmd_t) + ps_process_pattern($1, wdmd_t) + tunable_policy(`deny_ptrace',`',` + allow $1 wdmd_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, wdmd_initrc_exec_t) + wdmd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 wdmd_initrc_exec_t system_r; - allow $2 system_r; - + domain_system_change_exemption($1) + role_transition $2 wdmd_initrc_exec_t system_r; + allow $2 system_r; + +') + +###################################### @@ -119729,7 +119729,7 @@ index 1e3aec07f..d17ff392f 100644 + type wdmd_var_run_t; + ') + - files_search_pids($1) + files_search_pids($1) - admin_pattern($1, wdmd_var_run_t) + manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t) +') @@ -119779,14 +119779,14 @@ index 4815a93f4..24dcf5174 100644 @@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t) dev_read_watchdog(wdmd_t) dev_write_watchdog(wdmd_t) - + +fs_getattr_all_fs(wdmd_t) fs_read_anon_inodefs_files(wdmd_t) - + auth_use_nsswitch(wdmd_t) - + logging_send_syslog_msg(wdmd_t) - + -miscfiles_read_localization(wdmd_t) - optional_policy(` @@ -119802,9 +119802,9 @@ index 2a6cae773..d2752d9bb 100644 --- a/webadm.te +++ b/webadm.te @@ -25,12 +25,21 @@ role webadm_r; - + userdom_base_user_template(webadm) - + +type webadm_tmp_t; +files_tmp_file(webadm_tmp_t) + @@ -119812,7 +119812,7 @@ index 2a6cae773..d2752d9bb 100644 # # Local policy # - + -allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; +allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource }; + 
@@ -119821,19 +119821,19 @@ index 2a6cae773..d2752d9bb 100644 +manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir }) +can_exec(webadm_t, webadm_tmp_t) - + files_dontaudit_search_all_dirs(webadm_t) files_list_var(webadm_t) @@ -38,12 +47,26 @@ files_list_var(webadm_t) selinux_get_enforce_mode(webadm_t) seutil_domtrans_setfiles(webadm_t) - + +init_rw_pipes(webadm_t) +init_status(webadm_t) + logging_send_audit_msgs(webadm_t) logging_send_syslog_msg(webadm_t) - + userdom_dontaudit_search_user_home_dirs(webadm_t) +userdom_dontaudit_manage_admin_files(webadm_t) + @@ -119844,22 +119844,22 @@ index 2a6cae773..d2752d9bb 100644 +optional_policy(` + dbus_system_bus_client(webadm_t) +') - + -apache_admin(webadm_t, webadm_r) +optional_policy(` + policykit_dbus_chat(webadm_t) +') - + tunable_policy(`webadm_manage_user_files',` - userdom_manage_user_home_content_files(webadm_t) + userdom_manage_user_home_content_files(webadm_t) diff --git a/webalizer.fc b/webalizer.fc index 64baf679e..76c753b1a 100644 --- a/webalizer.fc +++ b/webalizer.fc @@ -6,4 +6,4 @@ - + /var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0) - + -/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0) +/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0) diff --git a/webalizer.te b/webalizer.te @@ -119869,7 +119869,7 @@ index ae919b9a5..cdd9359d1 100644 @@ -33,7 +33,7 @@ files_type(webalizer_write_t) # Local policy # - + -allow webalizer_t self:capability dac_override; +allow webalizer_t self:capability { dac_read_search dac_override }; allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -119878,28 +119878,28 @@ index ae919b9a5..cdd9359d1 100644 
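Review bot: `can_exec(webadm_t, webadm_tmp_t)` in the webadm.te hunk lets the web-administration role execute files it created in its own tmp type, which it can also write via the `manage_*_pattern` rules and `files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })` added just above, so this combination lets arbitrary content the role writes to /tmp be run in webadm_t; the `sys_resource` capability added in the neighbouring hunk at `@@ -119812` widens the same domain further. Since neither hunk says what needs this, a comment on the rule naming the tool or workflow it supports would help a later reviewer decide whether the exec permission is still needed, e.g. `# <tool — TODO name it> writes helper scripts to /tmp and executes them`. If the exec permission is only required for one program, a dedicated type and a domain transition would keep the write and execute permissions on separate types.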
@@ -55,29 +55,36 @@ can_exec(webalizer_t, webalizer_exec_t) kernel_read_kernel_sysctls(webalizer_t) kernel_read_system_state(webalizer_t) - + -files_read_etc_runtime_files(webalizer_t) +corenet_all_recvfrom_netlabel(webalizer_t) +corenet_tcp_sendrecv_generic_if(webalizer_t) +corenet_tcp_sendrecv_generic_node(webalizer_t) +corenet_tcp_sendrecv_all_ports(webalizer_t) - + fs_search_auto_mountpoints(webalizer_t) fs_getattr_xattr_fs(webalizer_t) fs_rw_anon_inodefs_files(webalizer_t) - + -auth_use_nsswitch(webalizer_t) +files_read_etc_runtime_files(webalizer_t) - + logging_list_logs(webalizer_t) logging_send_syslog_msg(webalizer_t) - + -miscfiles_read_localization(webalizer_t) +auth_use_nsswitch(webalizer_t) + miscfiles_read_public_files(webalizer_t) - + -userdom_use_user_terminals(webalizer_t) +sysnet_dns_name_resolve(webalizer_t) +sysnet_read_config(webalizer_t) @@ -119907,16 +119907,16 @@ index ae919b9a5..cdd9359d1 100644 +userdom_use_inherited_user_terminals(webalizer_t) userdom_use_unpriv_users_fds(webalizer_t) userdom_dontaudit_search_user_home_content(webalizer_t) - + optional_policy(` - apache_read_log(webalizer_t) - apache_content_template(webalizer) + apache_read_log(webalizer_t) + apache_content_template(webalizer) - manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) - manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) + apache_content_alias_template(webalizer, webalizer) + apache_manage_sys_content(webalizer_t) ') - + optional_policy(` diff --git a/wine.if b/wine.if index fd2b6cc1e..9c4f14b88 100644 @@ -119925,7 +119925,7 @@ index fd2b6cc1e..9c4f14b88 100644 @@ -1,46 +1,58 @@ -## Run Windows programs in Linux. +## Wine Is Not an Emulator. Run Windows programs in Linux. - + -######################################## +####################################### ## 
@@ -119955,38 +119955,38 @@ index fd2b6cc1e..9c4f14b88 100644 # -interface(`wine_role',` +template(`wine_role',` - gen_require(` + gen_require(` - attribute_role wine_roles; - type wine_exec_t, wine_t, wine_tmp_t; + type wine_t; - type wine_home_t; + type wine_home_t; + type wine_exec_t; - ') - + ') + - roleattribute $1 wine_roles; - - domtrans_pattern($2, wine_exec_t, wine_t) + role $1 types wine_t; - + + domain_auto_trans($2, wine_exec_t, wine_t) + # Unrestricted inheritance from the caller. + allow $2 wine_t:process { noatsecure siginh rlimitinh }; + allow wine_t $2:fd use; + allow wine_t $2:process { sigchld signull }; - allow wine_t $2:unix_stream_socket connectto; + allow wine_t $2:unix_stream_socket connectto; - allow wine_t $2:process signull; - + + # Allow the user domain to signal/ps. - ps_process_pattern($2, wine_t) + ps_process_pattern($2, wine_t) - allow $2 wine_t:process { ptrace signal_perms }; + allow $2 wine_t:process signal_perms; - - allow $2 wine_t:fd use; + + allow $2 wine_t:fd use; - allow $2 wine_t:shm { associate getattr }; - allow $2 wine_t:shm rw_shm_perms; + allow $2 wine_t:shm { associate getattr unix_read unix_write }; - allow $2 wine_t:unix_stream_socket connectto; - + allow $2 wine_t:unix_stream_socket connectto; + - allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms }; - allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; @@ -120000,24 +120000,24 @@ index fd2b6cc1e..9c4f14b88 100644 + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) + ') - + ####################################### 
@@ -72,31 +84,26 @@ interface(`wine_role',` # template(`wine_role_template',` - gen_require(` + gen_require(` + type wine_t; + attribute wine_domain; - type wine_exec_t; - ') - + type wine_exec_t; + ') + - type $1_wine_t; - userdom_user_application_domain($1_wine_t, wine_exec_t) + type $1_wine_t, wine_domain; + domain_type($1_wine_t) + domain_entry_file($1_wine_t, wine_exec_t) + ubac_constrained($1_wine_t) - role $2 types $1_wine_t; + role $2 types $1_wine_t; - - allow $1_wine_t self:process { execmem execstack }; - @@ -120025,27 +120025,27 @@ index fd2b6cc1e..9c4f14b88 100644 - ps_process_pattern($3, $1_wine_t) - + allow $3 $1_wine_t:process { getattr noatsecure signal_perms }; - domtrans_pattern($3, wine_exec_t, $1_wine_t) + domtrans_pattern($3, wine_exec_t, $1_wine_t) - - corecmd_bin_domtrans($1_wine_t, $3) + corecmd_bin_domtrans($1_wine_t, $1_t) - - userdom_unpriv_usertype($1, $1_wine_t) + + userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) + userdom_manage_tmp_role($2, $1_wine_t) + userdom_manage_home_role($2 ,$1_wine_t) - - domain_mmap_low($1_wine_t) - + + domain_mmap_low($1_wine_t) + - tunable_policy(`wine_mmap_zero_ignore',` - dontaudit $1_wine_t self:memprotect mmap_zero; - ') - - optional_policy(` - xserver_role($1_r, $1_wine_t) - ') + optional_policy(` + xserver_role($1_r, $1_wine_t) + ') @@ -123,9 +130,8 @@ interface(`wine_domtrans',` - + ######################################## ## -## Execute wine in the wine domain, @@ -120059,20 +120059,20 @@ index fd2b6cc1e..9c4f14b88 100644 @@ -140,11 +146,11 @@ interface(`wine_domtrans',` # interface(`wine_run',` - gen_require(` + gen_require(` - attribute_role wine_roles; + type wine_t; - ') - - wine_domtrans($1) + ') + + wine_domtrans($1) - roleattribute $2 wine_roles; + role $2 types wine_t; ') - + ######################################## 
@@ -165,3 +171,22 @@ interface(`wine_rw_shm',` - - allow $1 wine_t:shm rw_shm_perms; + + allow $1 wine_t:shm rw_shm_perms; ') + +######################################## @@ -120100,11 +120100,11 @@ index 491b87b44..2a79df407 100644 @@ -14,10 +14,11 @@ policy_module(wine, 1.11.0) ## gen_tunable(wine_mmap_zero_ignore, false) - + +attribute wine_domain; attribute_role wine_roles; roleattribute system_r wine_roles; - + -type wine_t; +type wine_t, wine_domain; type wine_exec_t; @@ -120113,7 +120113,7 @@ index 491b87b44..2a79df407 100644 @@ -25,56 +26,63 @@ role wine_roles types wine_t; type wine_home_t; userdom_user_home_content(wine_home_t) - + -type wine_tmp_t; -userdom_user_tmp_file(wine_tmp_t) - 
@@ -120126,68 +120126,68 @@ index 491b87b44..2a79df407 100644 +optional_policy(` + unconfined_domain(wine_t) +') - + -allow wine_t self:process { execstack execmem execheap }; -allow wine_t self:fifo_file manage_fifo_file_perms; - + -can_exec(wine_t, wine_exec_t) +######################################## +# +# Common wine domain policy +# - + -userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") +allow wine_domain self:process { execstack execmem execheap }; +allow wine_domain self:fifo_file manage_fifo_file_perms; - + -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) +can_exec(wine_domain, wine_exec_t) - + -domain_mmap_low(wine_t) +manage_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_lnk_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) +userdom_tmpfs_filetrans(wine_domain, file) +wine_filetrans_named_content(wine_domain) - + -files_execmod_all_files(wine_t) +files_execmod_all_files(wine_domain) - + -userdom_use_user_terminals(wine_t) +userdom_use_inherited_user_terminals(wine_domain) - + tunable_policy(`wine_mmap_zero_ignore',` - dontaudit wine_t self:memprotect mmap_zero; + dontaudit wine_domain self:memprotect mmap_zero; ') - + optional_policy(` - dbus_system_bus_client(wine_t) + dbus_system_bus_client(wine_domain) - - optional_policy(` + + optional_policy(` - hal_dbus_chat(wine_t) + hal_dbus_chat(wine_domain) - ') - - optional_policy(` + ') + + optional_policy(` - policykit_dbus_chat(wine_t) + policykit_dbus_chat(wine_domain) - ') + ') ') - + optional_policy(` - rtkit_scheduled(wine_t) + gnome_create_generic_cache_dir(wine_domain) ') - + optional_policy(` - unconfined_domain(wine_t) + rtkit_scheduled(wine_domain) ') - + optional_policy(` - xserver_read_xdm_pid(wine_t) - xserver_rw_shm(wine_t) @@ -120202,7 +120202,7 @@ index ff6ef3859..436d3bf5a 100644 
@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t) # Local Policy # - + -allow wireshark_t self:capability { net_admin net_raw setgid }; +allow wireshark_t self:capability { net_admin net_raw }; allow wireshark_t self:process { signal getsched }; @@ -120211,22 +120211,22 @@ index ff6ef3859..436d3bf5a 100644 @@ -82,7 +82,6 @@ dev_read_rand(wireshark_t) dev_read_sysfs(wireshark_t) dev_read_urand(wireshark_t) - + -files_read_usr_files(wireshark_t) - + fs_getattr_all_fs(wireshark_t) fs_list_inotifyfs(wireshark_t) @@ -90,31 +89,15 @@ fs_search_auto_mountpoints(wireshark_t) - + auth_use_nsswitch(wireshark_t) - + -libs_read_lib_files(wireshark_t) - miscfiles_read_fonts(wireshark_t) -miscfiles_read_localization(wireshark_t) - + userdom_use_user_terminals(wireshark_t) - + userdom_manage_user_home_content_files(wireshark_t) -userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) - @@ -120235,21 +120235,21 @@ index ff6ef3859..436d3bf5a 100644 - fs_manage_nfs_files(wireshark_t) - fs_manage_nfs_symlinks(wireshark_t) -') - + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(wireshark_t) - fs_manage_cifs_files(wireshark_t) - fs_manage_cifs_symlinks(wireshark_t) -') +userdom_filetrans_home_content(wireshark_t) - + -optional_policy(` - seutil_use_newrole_fds(wireshark_t) -') +userdom_home_manager(wireshark_t) - + optional_policy(` - userhelper_use_fd(wireshark_t) + userhelper_use_fd(wireshark_t) diff --git a/wm.fc b/wm.fc index 304ae09d3..c1d10a11b 100644 --- a/wm.fc @@ -120267,67 +120267,67 @@ index 95f888d16..48fe249e1 100644 @@ -1,4 +1,4 @@ -## X Window Managers. +## X Window Managers - + ####################################### ## 
@@ -29,69 +29,58 @@ # template(`wm_role_template',` - gen_require(` + gen_require(` - attribute wm_domain; - type wm_exec_t; + type wm_exec_t; + class dbus send_msg; + attribute wm_domain; - ') - + ') + - ######################################## - # - # Declarations - # - - type $1_wm_t, wm_domain; + type $1_wm_t, wm_domain; - userdom_user_application_domain($1_wm_t, wm_exec_t) + domain_type($1_wm_t) + domain_entry_file($1_wm_t, wm_exec_t) - role $2 types $1_wm_t; - + role $2 types $1_wm_t; + - ######################################## - # - # Policy - # - - allow $1_wm_t $3:unix_stream_socket connectto; - allow $3 $1_wm_t:unix_stream_socket connectto; + allow $1_wm_t $3:unix_stream_socket connectto; + allow $3 $1_wm_t:unix_stream_socket connectto; + allow $3 $1_wm_t:process { signal sigchld signull }; + allow $1_wm_t $3:process { signull sigkill }; - + - allow $3 $1_wm_t:process { ptrace signal_perms }; - ps_process_pattern($3, $1_wm_t) + allow $1_wm_t $3:dbus send_msg; + allow $3 $1_wm_t:dbus send_msg; - + - allow $1_wm_t $3:process { signull sigkill }; + userdom_manage_home_role($2, $1_wm_t) + userdom_manage_tmp_role($2, $1_wm_t) + userdom_exec_user_tmp_files($1_wm_t) - - domtrans_pattern($3, wm_exec_t, $1_wm_t) - - corecmd_bin_domtrans($1_wm_t, $3) - corecmd_shell_domtrans($1_wm_t, $3) - + + domtrans_pattern($3, wm_exec_t, $1_wm_t) + + corecmd_bin_domtrans($1_wm_t, $3) + corecmd_shell_domtrans($1_wm_t, $3) + + auth_use_nsswitch($1_wm_t) + + kernel_read_system_state($1_wm_t) + + auth_use_nsswitch($1_wm_t) + - mls_file_read_all_levels($1_wm_t) - mls_file_write_all_levels($1_wm_t) - mls_xwin_read_all_levels($1_wm_t) - mls_xwin_write_all_levels($1_wm_t) - mls_fd_use_all_levels($1_wm_t) - + mls_file_read_all_levels($1_wm_t) + mls_file_write_all_levels($1_wm_t) + mls_xwin_read_all_levels($1_wm_t) + mls_xwin_write_all_levels($1_wm_t) + mls_fd_use_all_levels($1_wm_t) + - auth_use_nsswitch($1_wm_t) - - xserver_role($2, $1_wm_t) 
@@ -120342,18 +120342,18 @@ index 95f888d16..48fe249e1 100644 - ') - ') - - optional_policy(` + optional_policy(` - gnome_stream_connect_gkeyringd($1, $1_wm_t) + pulseaudio_run($1_wm_t, $2) - ') - - optional_policy(` + ') + + optional_policy(` - pulseaudio_run($1_wm_t, $2) + xserver_role($2, $1_wm_t) + xserver_manage_core_devices($1_wm_t) - ') + ') ') - + ######################################## ## -## Execute wm in the caller domain. @@ -120362,11 +120362,11 @@ index 95f888d16..48fe249e1 100644 ## ## @@ -104,33 +93,5 @@ interface(`wm_exec',` - type wm_exec_t; - ') - + type wm_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, wm_exec_t) + can_exec($1, wm_exec_t) ') - -######################################## @@ -120401,19 +120401,19 @@ index 638d10fc6..5fb996008 100644 +++ b/wm.te @@ -1,12 +1,12 @@ policy_module(wm, 1.3.3) - + +attribute wm_domain; + ######################################## # # Declarations # - + -attribute wm_domain; - type wm_exec_t; corecmd_executable_file(wm_exec_t) - + @@ -18,11 +18,11 @@ corecmd_executable_file(wm_exec_t) allow wm_domain self:fifo_file rw_fifo_file_perms; allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; @@ -120421,21 +120421,21 @@ index 638d10fc6..5fb996008 100644 + allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; - + -kernel_read_system_state(wm_domain) - +corecmd_dontaudit_access_all_executables(wm_domain) corecmd_getattr_all_executables(wm_domain) - + dev_read_sound(wm_domain) @@ -31,12 +31,18 @@ dev_read_urand(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) - + -files_read_usr_files(wm_domain) - fs_getattr_all_fs(wm_domain) - + +application_signull(wm_domain) + +init_read_state(wm_domain) 
@@ -120447,27 +120447,27 @@ index 638d10fc6..5fb996008 100644 +systemd_read_logind_sessions_files(wm_domain) +systemd_write_inhibit_pipes(wm_domain) +systemd_login_read_pid_files(wm_domain) - + userdom_manage_user_tmp_sockets(wm_domain) userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) @@ -45,24 +51,38 @@ userdom_manage_user_home_content_dirs(wm_domain) userdom_manage_user_home_content_files(wm_domain) userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) - + -optional_policy(` - accountsd_dbus_chat(wm_domain) -') -- +- -optional_policy(` - bluetooth_dbus_chat(wm_domain) --') +-') +udev_read_pid_files(wm_domain) - + optional_policy(` - devicekit_dbus_chat_power(wm_domain) + gnome_stream_connect_gkeyringd(wm_domain) ') - + optional_policy(` - networkmanager_dbus_chat(wm_domain) -') @@ -120476,11 +120476,11 @@ index 638d10fc6..5fb996008 100644 + optional_policy(` + accountsd_dbus_chat(wm_domain) + ') -+ ++ + optional_policy(` + bluetooth_dbus_chat(wm_domain) -+ ') - ++ ') + -optional_policy(` - policykit_dbus_chat(wm_domain) + optional_policy(` @@ -120499,11 +120499,11 @@ index 638d10fc6..5fb996008 100644 + systemd_dbus_chat_logind(wm_domain) + ') ') - + optional_policy(` @@ -72,3 +92,7 @@ optional_policy(` optional_policy(` - userhelper_exec_consolehelper(wm_domain) + userhelper_exec_consolehelper(wm_domain) ') + +optional_policy(` @@ -120515,7 +120515,7 @@ index 42d83b02f..651d1cb61 100644 +++ b/xen.fc @@ -1,38 +1,42 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) - + -/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) -/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) 
@@ -120542,14 +120542,14 @@ index 42d83b02f..651d1cb61 100644 -/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) +/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) +') - + -/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) +/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) -/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) +/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) - + /var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) -/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) +/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) @@ -120557,7 +120557,7 @@ index 42d83b02f..651d1cb61 100644 /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) +/var/log/xenstored.* gen_context(system_u:object_r:xenstored_var_log_t,s0) - + /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) -/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) @@ -120569,7 +120569,7 @@ index 42d83b02f..651d1cb61 100644 +/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) - + -/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) +/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/xen.if b/xen.if @@ -120579,7 +120579,7 @@ index f93558c5a..16e29c141 100644 
@@ -1,13 +1,13 @@ -## Xen hypervisor. +## Xen hypervisor - + ######################################## ## ## Execute a domain transition to run xend. @@ -120594,13 +120594,13 @@ index f93558c5a..16e29c141 100644 # interface(`xen_domtrans',` @@ -15,18 +15,18 @@ interface(`xen_domtrans',` - type xend_t, xend_exec_t; - ') - + type xend_t, xend_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, xend_exec_t, xend_t) + domtrans_pattern($1, xend_exec_t, xend_t) ') - + ######################################## ## -## Execute xend in the caller domain. @@ -120617,17 +120617,17 @@ index f93558c5a..16e29c141 100644 # interface(`xen_exec',` @@ -34,7 +34,6 @@ interface(`xen_exec',` - type xend_exec_t; - ') - + type xend_exec_t; + ') + - corecmd_search_bin($1) - can_exec($1, xend_exec_t) + can_exec($1, xend_exec_t) ') - + @@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',` - dontaudit $1 xend_t:fd use; + dontaudit $1 xend_t:fd use; ') - + +####################################### +## +## Read xend pid files. @@ -120664,16 +120664,16 @@ index f93558c5a..16e29c141 100644 # -interface(`xen_manage_image_dirs',` +interface(`xen_read_lib_files',` - gen_require(` - type xend_var_lib_t; - ') - + gen_require(` + type xend_var_lib_t; + ') + - files_search_var_lib($1) - manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) + files_list_var_lib($1) + read_files_pattern($1, xend_var_lib_t, xend_var_lib_t) ') - + ######################################## @@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',` ## Read xend image files. @@ -120688,14 +120688,14 @@ index f93558c5a..16e29c141 100644 # interface(`xen_read_image_files',` 
@@ -111,18 +129,40 @@ interface(`xen_read_image_files',` - ') - - files_list_var_lib($1) + ') + + files_list_var_lib($1) + - list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) - read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) + list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) + read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) ') - + ######################################## ## -## Read and write xend image files. @@ -120732,7 +120732,7 @@ index f93558c5a..16e29c141 100644 # interface(`xen_rw_image_files',` @@ -137,7 +177,8 @@ interface(`xen_rw_image_files',` - + ######################################## ## -## Append xend log files. @@ -120742,7 +120742,7 @@ index f93558c5a..16e29c141 100644 ## ## @@ -157,13 +198,13 @@ interface(`xen_append_log',` - + ######################################## ## -## Create, read, write, and delete @@ -120759,9 +120759,9 @@ index f93558c5a..16e29c141 100644 # interface(`xen_manage_log',` @@ -176,29 +217,11 @@ interface(`xen_manage_log',` - manage_files_pattern($1, xend_var_log_t, xend_var_log_t) + manage_files_pattern($1, xend_var_log_t, xend_var_log_t) ') - + -####################################### -## -## Read xenstored pid files. @@ -120791,7 +120791,7 @@ index f93558c5a..16e29c141 100644 ## ## @@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` - + ######################################## ## -## Connect to xenstored with a unix @@ -120801,7 +120801,7 @@ index f93558c5a..16e29c141 100644 ## ## @@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',` - + ######################################## ## -## Connect to xend with a unix @@ -120812,16 +120812,16 @@ index f93558c5a..16e29c141 100644 ## 
@@ -270,16 +291,15 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` - gen_require(` - type xm_t, xm_exec_t; + gen_require(` + type xm_t, xm_exec_t; + attribute virsh_transition_domain; - ') + ') - - corecmd_search_bin($1) + typeattribute $1 virsh_transition_domain; - domtrans_pattern($1, xm_exec_t, xm_t) + domtrans_pattern($1, xm_exec_t, xm_t) ') - + ######################################## ## -## Connect to xm with a unix @@ -120833,12 +120833,12 @@ index f93558c5a..16e29c141 100644 @@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` - gen_require(` + gen_require(` - type xm_t; + type xm_t, xenstored_var_run_t; - ') - - files_search_pids($1) + ') + + files_search_pids($1) diff --git a/xen.te b/xen.te index 6f736a993..c1ba3ba4b 100644 --- a/xen.te @@ -120848,7 +120848,7 @@ index 6f736a993..c1ba3ba4b 100644 # Declarations # +attribute xm_transition_domain; - + ## -##

    -## Determine whether xend can @@ -120860,7 +120860,7 @@ index 6f736a993..c1ba3ba4b 100644 ## -gen_tunable(xend_run_blktap, false) +gen_tunable(xend_run_blktap, true) - + ## -##

    -## Determine whether xen can @@ -120873,7 +120873,7 @@ index 6f736a993..c1ba3ba4b 100644 ## -gen_tunable(xen_use_fusefs, false) +gen_tunable(xend_run_qemu, true) - + ## -##

    -## Determine whether xen can @@ -120884,7 +120884,7 @@ index 6f736a993..c1ba3ba4b 100644 +##

    ##
    gen_tunable(xen_use_nfs, false) - + -## -##

    -## Determine whether xen can @@ -120899,15 +120899,15 @@ index 6f736a993..c1ba3ba4b 100644 @@ -50,41 +42,55 @@ type evtchnd_t; type evtchnd_exec_t; init_daemon_domain(evtchnd_t, evtchnd_exec_t) - + +# log files type evtchnd_var_log_t; logging_log_file(evtchnd_var_log_t) - + +# pid files type evtchnd_var_run_t; files_pid_file(evtchnd_var_run_t) - + +type qemu_dm_t; +type qemu_dm_exec_t; +domain_type(qemu_dm_t) @@ -120918,7 +120918,7 @@ index 6f736a993..c1ba3ba4b 100644 type xen_devpts_t; term_pty(xen_devpts_t) files_type(xen_devpts_t) - + +# Xen Image files type xen_image_t; # customizable files_type(xen_image_t) @@ -120929,29 +120929,29 @@ index 6f736a993..c1ba3ba4b 100644 - virt_image(xen_image_t) -') +virt_image(xen_image_t) - + type xenctl_t; files_type(xenctl_t) - + type xend_t; type xend_exec_t; +domain_type(xend_t) init_daemon_domain(xend_t, xend_exec_t) - + +# tmp files type xend_tmp_t; files_tmp_file(xend_tmp_t) - + +# var/lib files type xend_var_lib_t; files_type(xend_var_lib_t) +# for mounting an NFS store files_mountpoint(xend_var_lib_t) - + +# log files type xend_var_log_t; logging_log_file(xend_var_log_t) - + +# pid files type xend_var_run_t; files_pid_file(xend_var_run_t) @@ -120959,29 +120959,29 @@ index 6f736a993..c1ba3ba4b 100644 @@ -96,51 +102,50 @@ init_daemon_domain(xenstored_t, xenstored_exec_t) type xenstored_tmp_t; files_tmp_file(xenstored_tmp_t) - + +# var/lib files type xenstored_var_lib_t; files_type(xenstored_var_lib_t) files_mountpoint(xenstored_var_lib_t) - + +# log files type xenstored_var_log_t; logging_log_file(xenstored_var_log_t) - + +# pid files type xenstored_var_run_t; files_pid_file(xenstored_var_run_t) -init_daemon_run_dir(xenstored_var_run_t, "xenstored") - + type xenconsoled_t; type xenconsoled_exec_t; init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) - + +# pid files type xenconsoled_var_run_t; files_pid_file(xenconsoled_var_run_t) - + -type xm_t; -type xm_exec_t; -init_system_domain(xm_t, xm_exec_t) 
@@ -120994,50 +120994,50 @@ index 6f736a993..c1ba3ba4b 100644 +# Do we need to allow execution of blktap? tunable_policy(`xend_run_blktap',` + # If yes, transition to its own domain. - domtrans_pattern(xend_t, blktap_exec_t, blktap_t) - + domtrans_pattern(xend_t, blktap_exec_t, blktap_t) + - allow blktap_t self:fifo_file { read write }; +',` + # If no, then silently refuse to run it. + dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; +') - + - dev_read_sysfs(blktap_t) - dev_rw_xen(blktap_t) +allow blktap_t self:fifo_file { read write }; - + - files_read_etc_files(blktap_t) +dev_read_sysfs(blktap_t) +dev_rw_xen(blktap_t) - + - logging_send_syslog_msg(blktap_t) - + - miscfiles_read_localization(blktap_t) +logging_send_syslog_msg(blktap_t) - + - xen_stream_connect_xenstore(blktap_t) -',` - dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; -') +xen_stream_connect_xenstore(blktap_t) - + ####################################### # @@ -148,9 +153,7 @@ tunable_policy(`xend_run_blktap',` # - + manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) -setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) +manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) - + manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) @@ -158,30 +161,70 @@ manage_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) manage_sock_files_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) - + +######################################## +# +# qemu-dm local policy 
@@ -121080,7 +121080,7 @@ index 6f736a993..c1ba3ba4b 100644 # # xend local policy # - + -allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio }; -dontaudit xend_t self:capability { sys_ptrace }; -allow xend_t self:process { setrlimit signal sigkill }; @@ -121102,7 +121102,7 @@ index 6f736a993..c1ba3ba4b 100644 +allow xend_t self:tcp_socket create_stream_socket_perms; allow xend_t self:packet_socket create_socket_perms; allow xend_t self:tun_socket create_socket_perms; - + allow xend_t xen_image_t:dir list_dir_perms; manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) -manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t) @@ -121112,20 +121112,20 @@ index 6f736a993..c1ba3ba4b 100644 -rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t) rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t) -fs_hugetlbfs_filetrans(xend_t, xen_image_t, file) - + allow xend_t xenctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(xend_t, xenctl_t, fifo_file) @@ -190,33 +233,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) - + +# pid file manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) - + +# log files manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) -append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) 
@@ -121134,30 +121134,30 @@ index 6f736a993..c1ba3ba4b 100644 +manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) - + +# var/lib files for xend manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) - + +# transition to store +domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) + +# manage xenstored pid file manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t) - + -allow xend_t xenstored_var_lib_t:dir list_dir_perms; +# mount tmpfs on /var/lib/xenstored +allow xend_t xenstored_var_lib_t:dir read; - + +# transition to console domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) -domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) - -xen_stream_connect_xenstore(xend_t) - + kernel_read_kernel_sysctls(xend_t) kernel_read_system_state(xend_t) @@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t) @@ -121165,10 +121165,10 @@ index 6f736a993..c1ba3ba4b 100644 kernel_rw_net_sysctls(xend_t) kernel_read_network_state(xend_t) +kernel_request_load_module(xend_t) - + corecmd_exec_bin(xend_t) corecmd_exec_shell(xend_t) - + -corenet_all_recvfrom_unlabeled(xend_t) corenet_all_recvfrom_netlabel(xend_t) corenet_tcp_sendrecv_generic_if(xend_t) @@ -121199,7 +121199,7 @@ index 6f736a993..c1ba3ba4b 100644 +corenet_sendrecv_xen_client_packets(xend_t) +corenet_sendrecv_soundd_server_packets(xend_t) corenet_rw_tun_tap_dev(xend_t) - + -dev_getattr_all_chr_files(xend_t) dev_read_urand(xend_t) +# run lsscsi 
@@ -121207,10 +121207,10 @@ index 6f736a993..c1ba3ba4b 100644 dev_filetrans_xen(xend_t) dev_rw_sysfs(xend_t) dev_rw_xen(xend_t) - + domain_dontaudit_read_all_domains_state(xend_t) -domain_dontaudit_ptrace_all_domains(xend_t) - + -files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) files_read_kernel_img(xend_t) @@ -121219,30 +121219,30 @@ index 6f736a993..c1ba3ba4b 100644 -files_read_usr_files(xend_t) files_read_default_symlinks(xend_t) -files_search_mnt(xend_t) - + -fs_getattr_all_fs(xend_t) -fs_list_auto_mountpoints(xend_t) -fs_read_dos_files(xend_t) fs_read_removable_blk_files(xend_t) -fs_manage_xenfs_dirs(xend_t) -fs_manage_xenfs_files(xend_t) - + storage_read_scsi_generic(xend_t) - + @@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t) - + logging_send_syslog_msg(xend_t) - + -miscfiles_read_localization(xend_t) +auth_read_passwd(xend_t) + miscfiles_read_hwdata(xend_t) - + sysnet_domtrans_dhcpc(xend_t) @@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t) - + userdom_dontaudit_search_user_home_dirs(xend_t) - + -tunable_policy(`xen_use_fusefs',` - fs_manage_fusefs_dirs(xend_t) - fs_manage_fusefs_files(xend_t) @@ -121261,36 +121261,36 @@ index 6f736a993..c1ba3ba4b 100644 - fs_read_cifs_symlinks(xend_t) -') +xen_stream_connect_xenstore(xend_t) - + optional_policy(` - brctl_domtrans(xend_t) + brctl_domtrans(xend_t) @@ -342,7 +357,7 @@ optional_policy(` - mount_domtrans(xend_t) + mount_domtrans(xend_t) ') - + -optional_policy(` -+optional_policy(` - netutils_domtrans(xend_t) ++optional_policy(` + netutils_domtrans(xend_t) ') - + @@ -351,6 +366,7 @@ optional_policy(` ') - + optional_policy(` + virt_manage_default_image_type(xend_t) - virt_search_images(xend_t) - virt_read_config(xend_t) + virt_search_images(xend_t) + virt_read_config(xend_t) ') 
@@ -360,18 +376,14 @@ optional_policy(` # Xen console local policy # - + -allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; +allow xenconsoled_t self:capability { dac_read_search dac_override fsetid ipc_lock }; allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; - + -allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; - -manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) @@ -121298,7 +121298,7 @@ index 6f736a993..c1ba3ba4b 100644 -create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) -setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) +allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr }; - + +# pid file manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) @@ -121306,52 +121306,52 @@ index 6f736a993..c1ba3ba4b 100644 @@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) - + -domain_dontaudit_ptrace_all_domains(xenconsoled_t) - -files_read_etc_files(xenconsoled_t) -files_read_usr_files(xenconsoled_t) - + fs_list_tmpfs(xenconsoled_t) fs_manage_xenfs_dirs(xenconsoled_t) @@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t) - + term_create_pty(xenconsoled_t, xen_devpts_t) term_use_generic_ptys(xenconsoled_t) -term_use_console(xenconsoled_t) - + init_use_fds(xenconsoled_t) init_use_script_ptys(xenconsoled_t) - + -logging_search_logs(xenconsoled_t) - -miscfiles_read_localization(xenconsoled_t) +auth_read_passwd(xenconsoled_t) - + +xen_manage_log(xenconsoled_t) xen_stream_connect_xenstore(xenconsoled_t) - + optional_policy(` 
@@ -415,25 +421,27 @@ optional_policy(` # Xen store local policy # - + -allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; -allow xenstored_t self:unix_stream_socket { accept listen }; +allow xenstored_t self:capability { dac_read_search dac_override ipc_lock sys_resource }; +allow xenstored_t self:unix_stream_socket create_stream_socket_perms; +allow xenstored_t self:unix_dgram_socket create_socket_perms; - + manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) - + +# pid file manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) - + +# log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) @@ -121360,7 +121360,7 @@ index 6f736a993..c1ba3ba4b 100644 +manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) - + +# var/lib files for xenstored manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) @@ -121368,26 +121368,26 @@ index 6f736a993..c1ba3ba4b 100644 
@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t) dev_rw_xen(xenstored_t) dev_read_sysfs(xenstored_t) - + -files_read_etc_files(xenstored_t) -files_read_usr_files(xenstored_t) + - + fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) - + term_use_generic_ptys(xenstored_t) +term_use_console(xenconsoled_t) - + init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) - + logging_send_syslog_msg(xenstored_t) - + -miscfiles_read_localization(xenstored_t) - xen_append_log(xenstored_t) - + -######################################## -# -# xm local policy @@ -121489,7 +121489,7 @@ index 6f736a993..c1ba3ba4b 100644 - cron_system_entry(xm_t, xm_exec_t) + virt_read_config(xenstored_t) ') - + +######################################## +# +# SSH component local policy @@ -121510,7 +121510,7 @@ index 6f736a993..c1ba3ba4b 100644 + tunable_policy(`xen_use_nfs',` + fs_manage_nfs_files(xend_t) + fs_read_nfs_symlinks(xend_t) - ') + ') ') - -optional_policy(` @@ -121548,7 +121548,7 @@ index 0928c5d6a..b9bcf8824 100644 @@ -23,7 +23,7 @@ files_pid_file(xfs_var_run_t) # Local policy # - + -allow xfs_t self:capability { dac_override setgid setuid }; +allow xfs_t self:capability { dac_read_search dac_override setgid setuid }; dontaudit xfs_t self:capability sys_tty_config; @@ -121557,26 +121557,26 @@ index 0928c5d6a..b9bcf8824 100644 @@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t) kernel_read_kernel_sysctls(xfs_t) kernel_read_system_state(xfs_t) - + -corenet_all_recvfrom_unlabeled(xfs_t) corenet_all_recvfrom_netlabel(xfs_t) corenet_tcp_sendrecv_generic_if(xfs_t) corenet_tcp_sendrecv_generic_node(xfs_t) @@ -63,7 +62,6 @@ fs_search_auto_mountpoints(xfs_t) domain_use_interactive_fds(xfs_t) - + files_read_etc_runtime_files(xfs_t) -files_read_usr_files(xfs_t) - + auth_use_nsswitch(xfs_t) - + 
@@ -71,7 +69,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100") - + logging_send_syslog_msg(xfs_t) - + -miscfiles_read_localization(xfs_t) miscfiles_read_fonts(xfs_t) - + userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.if b/xguest.if index 4f1d07d71..5c819abe8 100644 @@ -121585,7 +121585,7 @@ index 4f1d07d71..5c819abe8 100644 @@ -1,4 +1,4 @@ -##

    Least privledge xwindows user role. +## Least privileged xwindows user role. - + ######################################## ## diff --git a/xguest.te b/xguest.te @@ -121594,7 +121594,7 @@ index a64aad347..4ddc93c38 100644 +++ b/xguest.te @@ -6,46 +6,49 @@ policy_module(xguest, 1.2.0) # - + ## -##

    -## Determine whether xguest can @@ -121606,7 +121606,7 @@ index a64aad347..4ddc93c38 100644 ## -gen_tunable(xguest_mount_media, false) +gen_tunable(xguest_mount_media, true) - + ## -##

    -## Determine whether xguest can @@ -121618,7 +121618,7 @@ index a64aad347..4ddc93c38 100644 ## -gen_tunable(xguest_connect_network, false) +gen_tunable(xguest_connect_network, true) - + ## -##

    -## Determine whether xguest can @@ -121630,39 +121630,39 @@ index a64aad347..4ddc93c38 100644 ## -gen_tunable(xguest_use_bluetooth, false) +gen_tunable(xguest_use_bluetooth, true) - + role xguest_r; - + userdom_restricted_xwindows_user_template(xguest) +sysnet_dns_name_resolve(xguest_t) + +init_dbus_chat(xguest_t) +init_status(xguest_t) +systemd_dontaudit_dbus_chat(xguest_t) - + ######################################## # # Local policy # - + -kernel_dontaudit_request_load_module(xguest_t) +dontaudit xguest_t xguest_t : tcp_socket { listen }; - + ifndef(`enable_mls',` - fs_exec_noxattr(xguest_t) - + fs_exec_noxattr(xguest_t) + - tunable_policy(`user_rw_noexattrfile',` + tunable_policy(`selinuxuser_rw_noexattrfile',` - fs_manage_noxattr_fs_files(xguest_t) - fs_manage_noxattr_fs_dirs(xguest_t) -+ # Write floppies - storage_raw_read_removable_device(xguest_t) - storage_raw_write_removable_device(xguest_t) - ',` + fs_manage_noxattr_fs_files(xguest_t) + fs_manage_noxattr_fs_dirs(xguest_t) ++ # Write floppies + storage_raw_read_removable_device(xguest_t) + storage_raw_write_removable_device(xguest_t) + ',` @@ -53,10 +56,23 @@ ifndef(`enable_mls',` - ') + ') ') - + +optional_policy(` + # Dontaudit fusermount + mount_dontaudit_exec_fusermount(xguest_t) @@ -121677,29 +121677,29 @@ index a64aad347..4ddc93c38 100644 + +# Allow mounting of file systems optional_policy(` - tunable_policy(`xguest_mount_media',` - kernel_read_fs_sysctls(xguest_t) + tunable_policy(`xguest_mount_media',` + kernel_read_fs_sysctls(xguest_t) - + kernel_request_load_module(xguest_t) - files_dontaudit_getattr_boot_dirs(xguest_t) - files_search_mnt(xguest_t) - + files_dontaudit_getattr_boot_dirs(xguest_t) + files_search_mnt(xguest_t) + 
@@ -65,10 +81,9 @@ optional_policy(` - fs_manage_noxattr_fs_dirs(xguest_t) - fs_getattr_noxattr_fs(xguest_t) - fs_read_noxattr_fs_symlinks(xguest_t) + fs_manage_noxattr_fs_dirs(xguest_t) + fs_getattr_noxattr_fs(xguest_t) + fs_read_noxattr_fs_symlinks(xguest_t) + fs_mount_fusefs(xguest_t) - - auth_list_pam_console_data(xguest_t) + + auth_list_pam_console_data(xguest_t) - - init_read_utmp(xguest_t) - ') + ') ') - + @@ -84,12 +99,25 @@ optional_policy(` - ') + ') ') - + + optional_policy(` - apache_role(xguest_r, xguest_t) @@ -121717,26 +121717,26 @@ index a64aad347..4ddc93c38 100644 +optional_policy(` + thumb_role(xguest_r, xguest_t) ') - + optional_policy(` - gnomeclock_dontaudit_dbus_chat(xguest_t) + dbus_dontaudit_chat_system_bus(xguest_t) ') - + optional_policy(` @@ -97,75 +125,78 @@ optional_policy(` ') - + optional_policy(` - java_role(xguest_r, xguest_t) + apache_role(xguest_r, xguest_t) ') - + optional_policy(` - mozilla_role(xguest_r, xguest_t) + mozilla_run_plugin(xguest_t, xguest_r) ') - + optional_policy(` - tunable_policy(`xguest_connect_network',` - kernel_read_network_state(xguest_t) @@ -121751,14 +121751,14 @@ index a64aad347..4ddc93c38 100644 +optional_policy(` + rhsmcertd_dontaudit_dbus_chat(xguest_t) +') - + +optional_policy(` + tunable_policy(`xguest_connect_network',` - networkmanager_dbus_chat(xguest_t) - networkmanager_read_lib_files(xguest_t) + networkmanager_dbus_chat(xguest_t) + networkmanager_read_lib_files(xguest_t) + ') +') - + - corenet_all_recvfrom_unlabeled(xguest_t) - corenet_all_recvfrom_netlabel(xguest_t) +optional_policy(` 
@@ -121766,10 +121766,10 @@ index a64aad347..4ddc93c38 100644 + kernel_read_network_state(xguest_t) + + corenet_tcp_connect_pulseaudio_port(xguest_t) - corenet_tcp_sendrecv_generic_if(xguest_t) - corenet_raw_sendrecv_generic_if(xguest_t) - corenet_tcp_sendrecv_generic_node(xguest_t) - corenet_raw_sendrecv_generic_node(xguest_t) + corenet_tcp_sendrecv_generic_if(xguest_t) + corenet_raw_sendrecv_generic_if(xguest_t) + corenet_tcp_sendrecv_generic_node(xguest_t) + corenet_raw_sendrecv_generic_node(xguest_t) - - corenet_sendrecv_pulseaudio_client_packets(xguest_t) - corenet_tcp_connect_pulseaudio_port(xguest_t) @@ -121778,23 +121778,23 @@ index a64aad347..4ddc93c38 100644 - corenet_sendrecv_http_client_packets(xguest_t) - corenet_tcp_connect_http_port(xguest_t) + corenet_tcp_connect_commplex_link_port(xguest_t) - corenet_tcp_sendrecv_http_port(xguest_t) + corenet_tcp_sendrecv_http_port(xguest_t) - - corenet_sendrecv_http_cache_client_packets(xguest_t) - corenet_tcp_connect_http_cache_port(xguest_t) - corenet_tcp_sendrecv_http_cache_port(xguest_t) + corenet_tcp_sendrecv_http_cache_port(xguest_t) - - corenet_sendrecv_squid_client_packets(xguest_t) - corenet_tcp_connect_squid_port(xguest_t) - corenet_tcp_sendrecv_squid_port(xguest_t) + corenet_tcp_sendrecv_squid_port(xguest_t) - - corenet_sendrecv_ftp_client_packets(xguest_t) - corenet_tcp_connect_ftp_port(xguest_t) - corenet_tcp_sendrecv_ftp_port(xguest_t) + corenet_tcp_sendrecv_ftp_port(xguest_t) - - corenet_sendrecv_ipp_client_packets(xguest_t) - corenet_tcp_connect_ipp_port(xguest_t) - corenet_tcp_sendrecv_ipp_port(xguest_t) + corenet_tcp_sendrecv_ipp_port(xguest_t) - - corenet_sendrecv_generic_client_packets(xguest_t) + corenet_tcp_connect_http_port(xguest_t) 
@@ -121803,11 +121803,11 @@ index a64aad347..4ddc93c38 100644 + corenet_tcp_connect_flash_port(xguest_t) + corenet_tcp_connect_ftp_port(xguest_t) + corenet_tcp_connect_ipp_port(xguest_t) - corenet_tcp_connect_generic_port(xguest_t) + corenet_tcp_connect_generic_port(xguest_t) - corenet_tcp_sendrecv_generic_port(xguest_t) - - corenet_sendrecv_soundd_client_packets(xguest_t) - corenet_tcp_connect_soundd_port(xguest_t) + corenet_tcp_connect_soundd_port(xguest_t) - corenet_tcp_sendrecv_soundd_port(xguest_t) - - corenet_sendrecv_speech_client_packets(xguest_t) @@ -121825,14 +121825,14 @@ index a64aad347..4ddc93c38 100644 + corenet_sendrecv_ipp_client_packets(xguest_t) + corenet_sendrecv_generic_client_packets(xguest_t) + # Should not need other ports - corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t) - corenet_dontaudit_tcp_bind_generic_port(xguest_t) + corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t) + corenet_dontaudit_tcp_bind_generic_port(xguest_t) + corenet_tcp_connect_speech_port(xguest_t) + corenet_tcp_sendrecv_transproxy_port(xguest_t) + corenet_tcp_connect_transproxy_port(xguest_t) - ') + ') ') - + optional_policy(` - pcscd_read_pid_files(xguest_t) - pcscd_stream_connect(xguest_t) @@ -121843,7 +121843,7 @@ index a64aad347..4ddc93c38 100644 + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; ') - + -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/xprint.te b/xprint.te @@ -121853,52 +121853,52 @@ index 3c44d8493..ce5e69d69 100644 @@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t) corecmd_exec_bin(xprint_t) corecmd_exec_shell(xprint_t) - + -corenet_all_recvfrom_unlabeled(xprint_t) corenet_all_recvfrom_netlabel(xprint_t) corenet_tcp_sendrecv_generic_if(xprint_t) corenet_udp_sendrecv_generic_if(xprint_t) 
@@ -46,9 +45,7 @@ dev_read_urand(xprint_t) - + domain_use_interactive_fds(xprint_t) - + -files_read_etc_files(xprint_t) files_read_etc_runtime_files(xprint_t) -files_read_usr_files(xprint_t) files_search_var_lib(xprint_t) files_search_tmp(xprint_t) - + @@ -58,7 +55,6 @@ fs_search_auto_mountpoints(xprint_t) logging_send_syslog_msg(xprint_t) - + miscfiles_read_fonts(xprint_t) -miscfiles_read_localization(xprint_t) - + sysnet_read_config(xprint_t) - + diff --git a/xscreensaver.te b/xscreensaver.te index 04096a050..98a8205a7 100644 --- a/xscreensaver.te +++ b/xscreensaver.te @@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms; - + kernel_read_system_state(xscreensaver_t) - + -files_read_usr_files(xscreensaver_t) - + auth_use_nsswitch(xscreensaver_t) auth_domtrans_chk_passwd(xscreensaver_t) @@ -35,9 +34,8 @@ init_read_utmp(xscreensaver_t) logging_send_audit_msgs(xscreensaver_t) logging_send_syslog_msg(xscreensaver_t) - + -miscfiles_read_localization(xscreensaver_t) - -userdom_use_user_terminals(xscreensaver_t) +userdom_use_inherited_user_ptys(xscreensaver_t) +#access to .icons and ~/.xscreensaver userdom_read_user_home_content_files(xscreensaver_t) - + xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) diff --git a/yam.te b/yam.te index 2695db25c..c1ec89384 100644 @@ -121907,27 +121907,27 @@ index 2695db25c..c1ec89384 100644 @@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t) # Local policy # - + -allow yam_t self:capability { chown fowner fsetid dac_override }; +allow yam_t self:capability { chown fowner fsetid dac_read_search dac_override }; allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow yam_t self:fd use; allow yam_t self:fifo_file rw_fifo_file_perms; 
@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t) - + logging_send_syslog_msg(yam_t) - + -miscfiles_read_localization(yam_t) - seutil_read_config(yam_t) - + -userdom_use_user_terminals(yam_t) +sysnet_read_config(yam_t) + +userdom_use_inherited_user_terminals(yam_t) userdom_use_unpriv_users_fds(yam_t) userdom_search_user_home_dirs(yam_t) - + diff --git a/zabbix.fc b/zabbix.fc index c3b5a819e..c384947f3 100644 --- a/zabbix.fc @@ -121935,7 +121935,7 @@ index c3b5a819e..c384947f3 100644 @@ -4,12 +4,22 @@ /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) - + -/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) +/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) @@ -121952,10 +121952,10 @@ index c3b5a819e..c384947f3 100644 +/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) +/var/lib/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) +/var/lib/zabbix/externalscripts(/.*)? gen_context(system_u:object_r:zabbix_script_exec_t,s0) - + -/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) +/var/log/zabbix.* gen_context(system_u:object_r:zabbix_log_t,s0) - + /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/zabbix.if b/zabbix.if index dd63de028..7cf8202ab 100644 @@ -121964,17 +121964,17 @@ index dd63de028..7cf8202ab 100644 @@ -1,4 +1,4 @@ -##

    Distributed infrastructure monitoring. +## Distributed infrastructure monitoring - + ######################################## ## @@ -15,13 +15,30 @@ interface(`zabbix_domtrans',` - type zabbix_t, zabbix_exec_t; - ') - + type zabbix_t, zabbix_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, zabbix_exec_t, zabbix_t) + domtrans_pattern($1, zabbix_exec_t, zabbix_t) ') - + ######################################## ## -## Connect to zabbit on the TCP network. @@ -122001,16 +122001,16 @@ index dd63de028..7cf8202ab 100644 ## ## @@ -34,7 +51,7 @@ interface(`zabbix_tcp_connect',` - type zabbix_t; - ') - + type zabbix_t; + ') + - corenet_sendrecv_zabbix_client_packets($1) + corenet_sendrecv_zabbix_agent_client_packets($1) - corenet_tcp_connect_zabbix_port($1) - corenet_tcp_recvfrom_labeled($1, zabbix_t) - corenet_tcp_sendrecv_zabbix_port($1) + corenet_tcp_connect_zabbix_port($1) + corenet_tcp_recvfrom_labeled($1, zabbix_t) + corenet_tcp_sendrecv_zabbix_port($1) @@ -42,7 +59,7 @@ interface(`zabbix_tcp_connect',` - + ######################################## ## -## Read zabbix log files. @@ -122019,7 +122019,7 @@ index dd63de028..7cf8202ab 100644 ## ## @@ -62,13 +79,34 @@ interface(`zabbix_read_log',` - + ######################################## ## -## Append zabbix log files. @@ -122053,9 +122053,9 @@ index dd63de028..7cf8202ab 100644 +## # interface(`zabbix_append_log',` - gen_require(` + gen_require(` @@ -81,7 +119,7 @@ interface(`zabbix_append_log',` - + ######################################## ## -## Read zabbix pid files. @@ -122064,7 +122064,7 @@ index dd63de028..7cf8202ab 100644 ## ## @@ -100,7 +138,7 @@ interface(`zabbix_read_pid_files',` - + ######################################## ## -## Connect to zabbix agent on the TCP network. @@ -122075,14 +122075,14 @@ index dd63de028..7cf8202ab 100644 
@@ -110,7 +148,7 @@ interface(`zabbix_read_pid_files',` # interface(`zabbix_agent_tcp_connect',` - gen_require(` + gen_require(` - type zabbix_agent_t; + type zabbix_t, zabbix_agent_t; - ') - - corenet_sendrecv_zabbix_agent_client_packets($1) + ') + + corenet_sendrecv_zabbix_agent_client_packets($1) @@ -121,8 +159,8 @@ interface(`zabbix_agent_tcp_connect',` - + ######################################## ## -## All of the rules required to @@ -122103,13 +122103,13 @@ index dd63de028..7cf8202ab 100644 ## @@ -139,16 +177,18 @@ interface(`zabbix_agent_tcp_connect',` interface(`zabbix_admin',` - gen_require(` - type zabbix_t, zabbix_log_t, zabbix_var_run_t; + gen_require(` + type zabbix_t, zabbix_log_t, zabbix_var_run_t; - type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t; - type zabbit_tmpfs_t; + type zabbix_initrc_exec_t; - ') - + ') + - allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { zabbix_t zabbix_agent_t }) + allow $1 zabbix_t:process signal_perms; @@ -122117,19 +122117,19 @@ index dd63de028..7cf8202ab 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 zabbix_t:process ptrace; + ') - + - init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t }) + init_labeled_script_domtrans($1, zabbix_initrc_exec_t) - domain_system_change_exemption($1) + domain_system_change_exemption($1) - role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r; + role_transition $2 zabbix_initrc_exec_t system_r; - allow $2 system_r; - - logging_list_logs($1) + allow $2 system_r; + + logging_list_logs($1) @@ -156,10 +196,4 @@ interface(`zabbix_admin',` - - files_list_pids($1) - admin_pattern($1, zabbix_var_run_t) + + files_list_pids($1) + admin_pattern($1, zabbix_var_run_t) - - files_list_tmp($1) - admin_pattern($1, zabbix_tmp_t) @@ -122143,7 +122143,7 @@ index 7f496c617..569f9209f 100644 +++ b/zabbix.te @@ -6,27 +6,45 @@ policy_module(zabbix, 1.6.0) # - + ## -##

    +##

    @@ -122152,7 +122152,7 @@ index 7f496c617..569f9209f 100644 ##

    ##
    gen_tunable(zabbix_can_network, false) - + -type zabbix_t; + +## @@ -122172,34 +122172,34 @@ index 7f496c617..569f9209f 100644 +type zabbix_t, zabbix_domain; type zabbix_exec_t; init_daemon_domain(zabbix_t, zabbix_exec_t) - + type zabbix_initrc_exec_t; init_script_file(zabbix_initrc_exec_t) - + -type zabbix_agent_t; +type zabbix_agent_t, zabbix_domain; type zabbix_agent_exec_t; init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) - + type zabbix_agent_initrc_exec_t; init_script_file(zabbix_agent_initrc_exec_t) - + +type zabbixd_var_lib_t; +files_type(zabbixd_var_lib_t) + type zabbix_log_t; logging_log_file(zabbix_log_t) - + @@ -36,27 +54,62 @@ files_tmp_file(zabbix_tmp_t) type zabbix_tmpfs_t; files_tmpfs_file(zabbix_tmpfs_t) - + +type zabbix_var_lib_t; +files_type(zabbix_var_lib_t) + type zabbix_var_run_t; files_pid_file(zabbix_var_run_t) - + +type zabbix_script_t; +type zabbix_script_exec_t; +domain_type(zabbix_script_t) @@ -122237,7 +122237,7 @@ index 7f496c617..569f9209f 100644 # # Local policy # - + -allow zabbix_t self:capability { dac_read_search dac_override setuid setgid }; -allow zabbix_t self:process { setsched signal_perms }; -allow zabbix_t self:fifo_file rw_fifo_file_perms; @@ -122252,7 +122252,7 @@ index 7f496c617..569f9209f 100644 +manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) +manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) +files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv") - + -allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) 
@@ -122262,21 +122262,21 @@ index 7f496c617..569f9209f 100644 +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file }) - + manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) @@ -70,13 +123,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) - + kernel_read_system_state(zabbix_t) -kernel_read_kernel_sysctls(zabbix_t) - + corenet_all_recvfrom_unlabeled(zabbix_t) corenet_all_recvfrom_netlabel(zabbix_t) -corenet_tcp_sendrecv_generic_if(zabbix_t) -corenet_tcp_sendrecv_generic_node(zabbix_t) -corenet_tcp_bind_generic_node(zabbix_t) - + corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t) @@ -85,37 +134,55 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) @@ -122284,11 +122284,11 @@ index 7f496c617..569f9209f 100644 corenet_tcp_connect_http_port(zabbix_t) corenet_tcp_sendrecv_http_port(zabbix_t) +corenet_tcp_connect_smtp_port(zabbix_t) - + corenet_sendrecv_zabbix_server_packets(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) corenet_tcp_sendrecv_zabbix_port(zabbix_t) - + -corecmd_exec_bin(zabbix_t) -corecmd_exec_shell(zabbix_t) - 
@@ -122297,19 +122297,19 @@ index 7f496c617..569f9209f 100644 -files_read_usr_files(zabbix_t) - auth_use_nsswitch(zabbix_t) - + -miscfiles_read_localization(zabbix_t) - zabbix_agent_tcp_connect(zabbix_t) - + +logging_send_syslog_msg(zabbix_t) + tunable_policy(`zabbix_can_network',` - corenet_sendrecv_all_client_packets(zabbix_t) - corenet_tcp_connect_all_ports(zabbix_t) - corenet_tcp_sendrecv_all_ports(zabbix_t) + corenet_sendrecv_all_client_packets(zabbix_t) + corenet_tcp_connect_all_ports(zabbix_t) + corenet_tcp_sendrecv_all_ports(zabbix_t) ') - + +tunable_policy(`zabbix_run_sudo',` + allow zabbix_t self:capability { setuid setgid sys_resource }; + allow zabbix_t self:process { setrlimit setsched }; @@ -122335,29 +122335,29 @@ index 7f496c617..569f9209f 100644 + su_exec(zabbix_t) + ') ') - + optional_policy(` - mysql_stream_connect(zabbix_t) + mysql_stream_connect(zabbix_t) - mysql_tcp_connect(zabbix_t) +') + +optional_policy(` + netutils_domtrans_ping(zabbix_t) ') - + optional_policy(` @@ -125,6 +192,7 @@ optional_policy(` - + optional_policy(` - snmp_read_snmp_var_lib_files(zabbix_t) + snmp_read_snmp_var_lib_files(zabbix_t) + snmp_read_snmp_var_lib_dirs(zabbix_t) ') - + ######################################## @@ -132,18 +200,9 @@ optional_policy(` # Agent local policy # - + -allow zabbix_agent_t self:capability { setuid setgid }; -allow zabbix_agent_t self:process { setsched getsched signal }; -allow zabbix_agent_t self:fifo_file rw_fifo_file_perms; 
@@ -122366,25 +122366,25 @@ index 7f496c617..569f9209f 100644 -allow zabbix_agent_t self:tcp_socket { accept listen }; -allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms; +allow zabbix_agent_t self:process { setrlimit }; - + -append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) -filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file) +manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t) - + rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) @@ -151,16 +210,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) - + -kernel_read_all_sysctls(zabbix_agent_t) kernel_read_system_state(zabbix_agent_t) - -corecmd_read_all_executables(zabbix_agent_t) +kernel_read_network_state(zabbix_agent_t) - + corenet_all_recvfrom_unlabeled(zabbix_agent_t) corenet_all_recvfrom_netlabel(zabbix_agent_t) -corenet_tcp_sendrecv_generic_if(zabbix_agent_t) @@ -122392,13 +122392,13 @@ index 7f496c617..569f9209f 100644 -corenet_tcp_bind_generic_node(zabbix_agent_t) + +corecmd_read_all_executables(zabbix_agent_t) - + corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) @@ -170,28 +226,108 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) corenet_tcp_connect_ssh_port(zabbix_agent_t) corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) - + +corenet_sendrecv_ftp_client_packets(zabbix_agent_t) +corenet_tcp_connect_ftp_port(zabbix_agent_t) +corenet_tcp_sendrecv_ftp_port(zabbix_agent_t) 
@@ -122424,33 +122424,33 @@ index 7f496c617..569f9209f 100644 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t) corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) - + +corenet_tcp_connect_redis_port(zabbix_agent_t) +corenet_tcp_sendrecv_redis_port(zabbix_agent_t) + dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) - + -domain_search_all_domains_state(zabbix_agent_t) +domain_read_all_domains_state(zabbix_agent_t) - + files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) files_read_all_symlinks(zabbix_agent_t) -files_read_etc_files(zabbix_agent_t) - + fs_getattr_all_fs(zabbix_agent_t) - + +auth_use_nsswitch(zabbix_agent_t) + init_read_utmp(zabbix_agent_t) - + logging_search_logs(zabbix_agent_t) - + -miscfiles_read_localization(zabbix_agent_t) - sysnet_dns_name_resolve(zabbix_agent_t) - + zabbix_tcp_connect(zabbix_agent_t) + +zabbix_script_domtrans(zabbix_agent_t) @@ -122515,7 +122515,7 @@ index faf99ed51..44e94fad9 100644 @@ -1,33 +1,34 @@ -/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) - + -/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0) +/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) +/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) 
@@ -122525,7 +122525,7 @@ index faf99ed51..44e94fad9 100644 +/usr/bin/zarafa-search -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) +/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) +/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) - + -/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) -/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) -/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) @@ -122539,7 +122539,7 @@ index faf99ed51..44e94fad9 100644 /var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) +/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) - + -/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) +/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) /var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) @@ -122547,9 +122547,9 @@ index faf99ed51..44e94fad9 100644 /var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) /var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) /var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0) -+/var/log/zarafa/search\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) ++/var/log/zarafa/search\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) /var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) - + -/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) -/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) +/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) 
@@ -122569,7 +122569,7 @@ index 36e32df6d..3d089626e 100644 +++ b/zarafa.if @@ -1,55 +1,59 @@ ## Zarafa collaboration platform. - + -####################################### +###################################### ## @@ -122586,41 +122586,41 @@ index 36e32df6d..3d089626e 100644 ## # template(`zarafa_domain_template',` - gen_require(` + gen_require(` - attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; + attribute zarafa_domain; - ') - + ') + - ######################################## + ############################## - # + # - # Declarations + # $1_t declarations - # - - type zarafa_$1_t, zarafa_domain; - type zarafa_$1_exec_t; - init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) - + # + + type zarafa_$1_t, zarafa_domain; + type zarafa_$1_exec_t; + init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) + - type zarafa_$1_log_t, zarafa_logfile; + type zarafa_$1_log_t; - logging_log_file(zarafa_$1_log_t) - + logging_log_file(zarafa_$1_log_t) + - type zarafa_$1_var_run_t, zarafa_pidfile; + type zarafa_$1_var_run_t; - files_pid_file(zarafa_$1_var_run_t) - + files_pid_file(zarafa_$1_var_run_t) + - ######################################## + ############################## - # + # - # Policy + # $1_t local policy - # - - manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) - files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) - + # + + manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) + files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) + - append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) 
@@ -122629,12 +122629,12 @@ index 36e32df6d..3d089626e 100644 + logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) + + kernel_read_system_state(zarafa_$1_t) - - auth_use_nsswitch(zarafa_$1_t) + + auth_use_nsswitch(zarafa_$1_t) + + logging_send_syslog_msg(zarafa_$1_t) ') - + ###################################### ## -## search zarafa configuration directories. @@ -122644,7 +122644,7 @@ index 36e32df6d..3d089626e 100644 ## ## @@ -68,7 +72,7 @@ interface(`zarafa_search_config',` - + ######################################## ## -## Execute a domain transition to run zarafa deliver. @@ -122653,13 +122653,13 @@ index 36e32df6d..3d089626e 100644 ## ## @@ -81,13 +85,12 @@ interface(`zarafa_domtrans_deliver',` - type zarafa_deliver_t, zarafa_deliver_exec_t; - ') - + type zarafa_deliver_t, zarafa_deliver_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) + domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) ') - + ######################################## ## -## Execute a domain transition to run zarafa server. @@ -122668,13 +122668,13 @@ index 36e32df6d..3d089626e 100644 ## ## @@ -100,14 +103,12 @@ interface(`zarafa_domtrans_server',` - type zarafa_server_t, zarafa_server_exec_t; - ') - + type zarafa_server_t, zarafa_server_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) + domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) ') - + ####################################### ## -## Connect to zarafa server with a unix @@ -122684,9 +122684,9 @@ index 36e32df6d..3d089626e 100644 ## ## @@ -124,51 +125,24 @@ interface(`zarafa_stream_connect_server',` - stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) + stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) ') - + -######################################## +#################################### ## 
@@ -122757,7 +122757,7 @@ index 3fded1c4d..8bea5e820 100644 @@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0) # Declarations # - + +## +##

    +## Allow zarafa domains to setrlimit/sys_resource. @@ -122768,13 +122768,13 @@ index 3fded1c4d..8bea5e820 100644 attribute zarafa_domain; -attribute zarafa_logfile; -attribute zarafa_pidfile; - + zarafa_domain_template(deliver) - + @@ -17,9 +22,6 @@ files_tmp_file(zarafa_deliver_tmp_t) type zarafa_etc_t; files_config_file(zarafa_etc_t) - + -type zarafa_initrc_exec_t; -init_script_file(zarafa_initrc_exec_t) - @@ -122782,17 +122782,17 @@ index 3fded1c4d..8bea5e820 100644 zarafa_domain_template(ical) zarafa_domain_template(indexer) @@ -43,61 +45,74 @@ files_tmp_file(zarafa_var_lib_t) - + ######################################## # -# Deliver local policy +# zarafa-deliver local policy # - + manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) - + +auth_use_nsswitch(zarafa_deliver_t) + +corenet_tcp_bind_lmtp_port(zarafa_deliver_t) @@ -122829,13 +122829,13 @@ index 3fded1c4d..8bea5e820 100644 +manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) + +auth_use_nsswitch(zarafa_indexer_t) - + ####################################### # -# Ical local policy +# zarafa-ical local policy # - + -corenet_all_recvfrom_unlabeled(zarafa_ical_t) + corenet_all_recvfrom_netlabel(zarafa_ical_t) 
@@ -122849,37 +122849,37 @@ index 3fded1c4d..8bea5e820 100644 -corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t) + +auth_use_nsswitch(zarafa_ical_t) - + ###################################### # -# Indexer local policy +# zarafa-monitor local policy # - + -manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) -manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) -files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) - + -manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) -manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) -manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +auth_use_nsswitch(zarafa_monitor_t) - + ######################################## # -# Server local policy +# zarafa_server local policy # - + +allow zarafa_server_t self:capability net_bind_service; + manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) @@ -109,70 +124,85 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file } - + stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) - + -corenet_all_recvfrom_unlabeled(zarafa_server_t) corenet_all_recvfrom_netlabel(zarafa_server_t) corenet_tcp_sendrecv_generic_if(zarafa_server_t) 
@@ -122890,22 +122890,22 @@ index 3fded1c4d..8bea5e820 100644 -corenet_sendrecv_zarafa_server_packets(zarafa_server_t) corenet_tcp_bind_zarafa_port(zarafa_server_t) -corenet_tcp_sendrecv_zarafa_port(zarafa_server_t) - + -files_read_usr_files(zarafa_server_t) - + +auth_use_nsswitch(zarafa_server_t) + +logging_send_syslog_msg(zarafa_server_t) logging_send_audit_msgs(zarafa_server_t) - + +sysnet_dns_name_resolve(zarafa_server_t) + optional_policy(` - kerberos_use(zarafa_server_t) + kerberos_use(zarafa_server_t) ') - + optional_policy(` - mysql_stream_connect(zarafa_server_t) + mysql_stream_connect(zarafa_server_t) - mysql_tcp_connect(zarafa_server_t) -') - @@ -122913,15 +122913,15 @@ index 3fded1c4d..8bea5e820 100644 - postgresql_stream_connect(zarafa_server_t) - postgresql_tcp_connect(zarafa_server_t) ') - + ######################################## # -# Spooler local policy +# zarafa_spooler local policy # - + can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) - + -corenet_all_recvfrom_unlabeled(zarafa_spooler_t) corenet_all_recvfrom_netlabel(zarafa_spooler_t) corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) @@ -122933,14 +122933,14 @@ index 3fded1c4d..8bea5e820 100644 -corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) + +auth_use_nsswitch(zarafa_spooler_t) - + ######################################## # -# Zarafa domain local policy +# zarafa_gateway local policy # +corenet_tcp_bind_pop_port(zarafa_gateway_t) - + -allow zarafa_domain self:capability { kill dac_override chown setgid setuid }; -allow zarafa_domain self:process { setrlimit signal }; +####################################### 
@@ -122974,16 +122974,16 @@ index 3fded1c4d..8bea5e820 100644 + allow zarafa_domain self:capability sys_resource; + allow zarafa_domain self:process setrlimit; +') - + stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) - + read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) - + -kernel_read_system_state(zarafa_domain) - dev_read_rand(zarafa_domain) dev_read_urand(zarafa_domain) - + -logging_send_syslog_msg(zarafa_domain) - -miscfiles_read_localization(zarafa_domain) @@ -123017,7 +123017,7 @@ index 28ee4cac9..bc37f7691 100644 +/usr/lib/systemd/system/ripd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) +/usr/lib/systemd/system/ripngd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) +/usr/lib/systemd/system/zebra.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0) - + -/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) +/usr/sbin/babeld -- gen_context(system_u:object_r:zebra_exec_t,s0) +/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) @@ -123030,12 +123030,12 @@ index 28ee4cac9..bc37f7691 100644 + +/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) +/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0) - + -/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) -/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) +/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) +/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) - + /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) -/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) @@ -123047,7 +123047,7 @@ index 34164017b..e364caf4b 100644 @@ -1,8 +1,8 @@ -##

    Zebra border gateway protocol network routing service. +## Zebra border gateway protocol network routing service - + ######################################## ## -## Read zebra configuration content. @@ -123056,15 +123056,15 @@ index 34164017b..e364caf4b 100644 ## ## @@ -18,14 +18,13 @@ interface(`zebra_read_config',` - - files_search_etc($1) - allow $1 zebra_conf_t:dir list_dir_perms; + + files_search_etc($1) + allow $1 zebra_conf_t:dir list_dir_perms; - allow $1 zebra_conf_t:file read_file_perms; - allow $1 zebra_conf_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, zebra_conf_t, zebra_conf_t) + read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t) ') - + ######################################## ## -## Connect to zebra with a unix @@ -123074,9 +123074,9 @@ index 34164017b..e364caf4b 100644 ## ## @@ -42,10 +41,34 @@ interface(`zebra_stream_connect',` - stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) + stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t) ') - + +####################################### +## +## Execute zebra services in the zebra domain. @@ -123121,28 +123121,28 @@ index 34164017b..e364caf4b 100644 ## 
@@ -62,13 +85,16 @@ interface(`zebra_stream_connect',` interface(`zebra_admin',` - gen_require(` - type zebra_t, zebra_tmp_t, zebra_log_t; + gen_require(` + type zebra_t, zebra_tmp_t, zebra_log_t; - type zebra_conf_t, zebra_var_run_t; - type zebra_initrc_exec_t; + type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; - ') - + ') + - allow $1 zebra_t:process { ptrace signal_perms }; + allow $1 zebra_t:process signal_perms; - ps_process_pattern($1, zebra_t) - + ps_process_pattern($1, zebra_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 zebra_t:process ptrace; + ') + - init_labeled_script_domtrans($1, zebra_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 zebra_initrc_exec_t system_r; + init_labeled_script_domtrans($1, zebra_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 zebra_initrc_exec_t system_r; @@ -85,4 +111,8 @@ interface(`zebra_admin',` - - files_list_pids($1) - admin_pattern($1, zebra_var_run_t) + + files_list_pids($1) + admin_pattern($1, zebra_var_run_t) + + zebra_systemctl($1) + admin_pattern($1, zebra_unit_file_t) @@ -123154,7 +123154,7 @@ index 2e80d04fc..5bf04b2d0 100644 +++ b/zebra.te @@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0) # - + ## -##

    -## Determine whether zebra daemon can @@ -123167,24 +123167,24 @@ index 2e80d04fc..5bf04b2d0 100644 -gen_tunable(allow_zebra_write_config, false) +# +gen_tunable(zebra_write_config, false) - + type zebra_t; type zebra_exec_t; init_daemon_domain(zebra_t, zebra_exec_t) - + type zebra_conf_t; -files_type(zebra_conf_t) +files_config_file(zebra_conf_t) - + type zebra_initrc_exec_t; init_script_file(zebra_initrc_exec_t) - + +type zebra_unit_file_t; +systemd_unit_file(zebra_unit_file_t) + type zebra_log_t; logging_log_file(zebra_log_t) - + @@ -40,26 +43,27 @@ files_pid_file(zebra_var_run_t) allow zebra_t self:capability { setgid setuid net_admin net_raw }; dontaudit zebra_t self:capability sys_tty_config; @@ -123198,13 +123198,13 @@ index 2e80d04fc..5bf04b2d0 100644 allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; allow zebra_t self:udp_socket create_socket_perms; allow zebra_t self:rawip_socket create_socket_perms; - + allow zebra_t zebra_conf_t:dir list_dir_perms; -allow zebra_t zebra_conf_t:file read_file_perms; -allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms; +read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) +read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) - + allow zebra_t zebra_log_t:dir setattr_dir_perms; -append_files_pattern(zebra_t, zebra_log_t, zebra_log_t) -create_files_pattern(zebra_t, zebra_log_t, zebra_log_t) 
@@ -123212,20 +123212,20 @@ index 2e80d04fc..5bf04b2d0 100644 +manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) - + -allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; -files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file) +# /tmp/.bgpd is such a bad idea! +manage_sock_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t) +manage_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t) +files_tmp_filetrans(zebra_t, zebra_tmp_t, { file sock_file }) - + manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) @@ -71,7 +75,6 @@ kernel_read_network_state(zebra_t) kernel_read_kernel_sysctls(zebra_t) kernel_rw_net_sysctls(zebra_t) - + -corenet_all_recvfrom_unlabeled(zebra_t) corenet_all_recvfrom_netlabel(zebra_t) corenet_tcp_sendrecv_generic_if(zebra_t) @@ -123254,14 +123254,14 @@ index 2e80d04fc..5bf04b2d0 100644 corenet_sendrecv_router_server_packets(zebra_t) -corenet_udp_bind_router_port(zebra_t) -corenet_udp_sendrecv_router_port(zebra_t) - + dev_associate_usbfs(zebra_var_run_t) dev_list_all_dev_nodes(zebra_t) +dev_read_rand(zebra_t) +dev_read_urand(zebra_t) dev_read_sysfs(zebra_t) dev_rw_zero(zebra_t) - + -domain_use_interactive_fds(zebra_t) - -files_read_etc_files(zebra_t) 
@@ -123269,33 +123269,33 @@ index 2e80d04fc..5bf04b2d0 100644 - fs_getattr_all_fs(zebra_t) fs_search_auto_mountpoints(zebra_t) - + term_list_ptys(zebra_t) - + -logging_send_syslog_msg(zebra_t) +domain_use_interactive_fds(zebra_t) + +files_search_etc(zebra_t) +files_read_etc_runtime_files(zebra_t) - + -miscfiles_read_localization(zebra_t) +auth_use_nsswitch(zebra_t) + +logging_send_syslog_msg(zebra_t) - + sysnet_read_config(zebra_t) - + userdom_dontaudit_use_unpriv_user_fds(zebra_t) userdom_dontaudit_search_user_home_dirs(zebra_t) - + -tunable_policy(`allow_zebra_write_config',` +tunable_policy(`zebra_write_config',` - manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) + manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) ') - + @@ -139,3 +138,7 @@ optional_policy(` optional_policy(` - udev_read_db(zebra_t) + udev_read_db(zebra_t) ') + +optional_policy(` @@ -123886,7 +123886,7 @@ index 000000000..ba1d14974 + zoneminder_stream_connect(zoneminder_script_t) + + can_exec(zoneminder_t, zoneminder_script_exec_t) -+ ++ + files_search_var_lib(zoneminder_script_t) + + logging_send_syslog_msg(zoneminder_script_t) @@ -123906,15 +123906,15 @@ index b14698c4f..16e1581a0 100644 +## # interface(`zosremote_run',` - gen_require(` + gen_require(` diff --git a/zosremote.te b/zosremote.te index bc6a5db70..0abdcebcb 100644 --- a/zosremote.te +++ b/zosremote.te @@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen }; - + auth_use_nsswitch(zos_remote_t) - + -miscfiles_read_localization(zos_remote_t) - logging_send_syslog_msg(zos_remote_t) diff --git a/SOURCES/policy-rhel-7.6.z-base.patch b/SOURCES/policy-rhel-7.6.z-base.patch new file mode 100644 index 00000000..f63d0a46 --- /dev/null +++ b/SOURCES/policy-rhel-7.6.z-base.patch 
@@ -0,0 +1,36 @@
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index b6debf340..329eb3922 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -55,6 +55,7 @@ template(`sudo_role_template',`
+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
+ 
+ allow $1_sudo_t $3:dir search_dir_perms;;
++ allow $1_sudo_t $3:file read_file_perms;;
+ allow $1_sudo_t $3:key search;
+ 
+ # Enter this derived domain from the user domain
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index c03a52c04..8569b19db 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -55,6 +55,7 @@ storage_read_scsi_generic(staff_t)
+ storage_write_scsi_generic(staff_t)
+ 
+ term_use_unallocated_ttys(staff_t)
++term_use_generic_ptys(staff_t)
+ 
+ auth_domtrans_pam_console(staff_t)
+ 
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index cceb511fc..f5139efd2 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -381,6 +381,7 @@ dontaudit confined_admindomain self:socket create;
+ 
+ allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
+ term_create_pty(confined_admindomain, user_devpts_t)
++term_use_generic_ptys(confined_admindomain)
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
+ 
diff --git a/SOURCES/policy-rhel-7.6.z-contrib.patch b/SOURCES/policy-rhel-7.6.z-contrib.patch
new file mode 100644
index 00000000..4f47591c
--- /dev/null
+++ b/SOURCES/policy-rhel-7.6.z-contrib.patch
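Review bot: The added `allow $1_sudo_t $3:file read_file_perms;;` in the sudo.if hunk carries a double semicolon copied from the context line above it; whether or not the policy compiler tolerates an empty statement, the new line should read `allow $1_sudo_t $3:file read_file_perms;`. Since `$3` appears to be the template's user-domain argument (the neighbouring `:key search` rule only makes sense for a process domain), a `file` class rule on it covers files labelled with that domain, typically the user's /proc/<pid> entries, which is a broader grant than the `dir search` it extends, so a comment such as `# sudo reads /proc/<pid> state of the invoking user domain` would record the intent. The staff.te and userdomain.te hunks in the same file widen staff_t and confined_admindomain to `term_use_generic_ptys`; the motivation is not visible in this chunk, so the commit message or spec changelog should state the bug it addresses.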
@@ -0,0 +1,525 @@ +diff --git a/cinder.te b/cinder.te +index 488a7a659..a05691d8f 100644 +--- a/cinder.te ++++ b/cinder.te +@@ -159,6 +159,8 @@ kernel_read_kernel_sysctls(cinder_volume_t) + + logging_send_syslog_msg(cinder_volume_t) + ++systemd_dbus_chat_logind(cinder_volume_t) ++ + optional_policy(` + lvm_domtrans(cinder_volume_t) + ') +diff --git a/ganesha.fc b/ganesha.fc +new file mode 100644 +index 000000000..c723bfb97 +--- /dev/null ++++ b/ganesha.fc +@@ -0,0 +1,12 @@ ++/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0) ++ ++/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) ++ ++/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) ++ ++/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0) ++ ++/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) ++/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0) ++ ++/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0) +diff --git a/ganesha.if b/ganesha.if +new file mode 100644 +index 000000000..4c347e5cc +--- /dev/null ++++ b/ganesha.if +@@ -0,0 +1,146 @@ ++##

    policy for ganesha ++ ++######################################## ++## ++## Execute ganesha_exec_t in the ganesha domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ganesha_domtrans',` ++ gen_require(` ++ type ganesha_t, ganesha_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ganesha_exec_t, ganesha_t) ++') ++ ++###################################### ++## ++## Execute ganesha in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ganesha_exec',` ++ gen_require(` ++ type ganesha_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, ganesha_exec_t) ++') ++######################################## ++## ++## Read ganesha PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ganesha_read_pid_files',` ++ gen_require(` ++ type ganesha_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t) ++') ++ ++######################################## ++## ++## Execute ganesha server in the ganesha domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ganesha_systemctl',` ++ gen_require(` ++ type ganesha_t; ++ type ganesha_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 ganesha_unit_file_t:file read_file_perms; ++ allow $1 ganesha_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ganesha_t) ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## ganesha over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`ganesha_dbus_chat',` ++ gen_require(` ++ type ganesha_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 ganesha_t:dbus send_msg; ++ allow ganesha_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ganesha environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`ganesha_admin',` ++ gen_require(` ++ type ganesha_t; ++ type ganesha_var_run_t; ++ type ganesha_unit_file_t; ++ ') ++ ++ allow $1 ganesha_t:process { signal_perms }; ++ ps_process_pattern($1, ganesha_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ganesha_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, ganesha_var_run_t) ++ ++ ganesha_systemctl($1) ++ admin_pattern($1, ganesha_unit_file_t) ++ allow $1 ganesha_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/ganesha.te b/ganesha.te +new file mode 100644 +index 000000000..f25a3f34d +--- /dev/null ++++ b/ganesha.te +@@ -0,0 +1,111 @@ ++policy_module(ganesha, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

    ++## Allow ganesha to read/write fuse files ++##

    ++##
    ++gen_tunable(ganesha_use_fusefs, false) ++ ++type ganesha_t; ++type ganesha_exec_t; ++init_daemon_domain(ganesha_t, ganesha_exec_t) ++ ++type ganesha_var_log_t; ++logging_log_file(ganesha_var_log_t) ++ ++type ganesha_var_run_t; ++files_pid_file(ganesha_var_run_t) ++ ++type ganesha_tmp_t; ++files_tmp_file(ganesha_tmp_t) ++ ++type ganesha_unit_file_t; ++systemd_unit_file(ganesha_unit_file_t) ++ ++######################################## ++# ++# ganesha local policy ++# ++dontaudit ganesha_t self:capability net_admin; ++ ++allow ganesha_t self:capability { dac_read_search dac_override }; ++allow ganesha_t self:capability2 block_suspend; ++allow ganesha_t self:process { setcap setrlimit }; ++allow ganesha_t self:fifo_file rw_fifo_file_perms; ++allow ganesha_t self:unix_stream_socket create_stream_socket_perms; ++allow ganesha_t self:tcp_socket { accept listen }; ++ ++manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) ++manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) ++manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t) ++files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) ++manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t) ++logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir }) ++ ++manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t) ++manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t) ++files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir }) ++ ++kernel_read_system_state(ganesha_t) ++kernel_search_network_sysctl(ganesha_t) ++kernel_read_net_sysctls(ganesha_t) ++ ++auth_use_nsswitch(ganesha_t) ++ ++corenet_tcp_bind_nfs_port(ganesha_t) ++corenet_tcp_connect_generic_port(ganesha_t) ++corenet_tcp_connect_gluster_port(ganesha_t) ++corenet_udp_bind_dey_keyneg_port(ganesha_t) ++corenet_tcp_bind_dey_keyneg_port(ganesha_t) ++corenet_udp_bind_nfs_port(ganesha_t) 
++corenet_udp_bind_all_rpc_ports(ganesha_t) ++corenet_tcp_bind_all_rpc_ports(ganesha_t) ++corenet_tcp_bind_mountd_port(ganesha_t) ++corenet_udp_bind_mountd_port(ganesha_t) ++corenet_tcp_connect_virt_migration_port(ganesha_t) ++corenet_tcp_connect_all_rpc_ports(ganesha_t) ++ ++dev_rw_infiniband_dev(ganesha_t) ++dev_read_gpfs(ganesha_t) ++dev_read_rand(ganesha_t) ++ ++logging_send_syslog_msg(ganesha_t) ++ ++sysnet_dns_name_resolve(ganesha_t) ++ ++optional_policy(` ++ dbus_system_bus_client(ganesha_t) ++ dbus_connect_system_bus(ganesha_t) ++ unconfined_dbus_chat(ganesha_t) ++') ++ ++optional_policy(` ++ glusterd_read_conf(ganesha_t) ++ glusterd_read_lib_files(ganesha_t) ++ glusterd_manage_pid(ganesha_t) ++') ++ ++optional_policy(` ++ kerberos_read_keytab(ganesha_t) ++') ++ ++optional_policy(` ++ rpc_manage_nfs_state_data_dir(ganesha_t) ++ rpc_read_nfs_state_data(ganesha_t) ++ rpcbind_stream_connect(ganesha_t) ++') ++ ++tunable_policy(`ganesha_use_fusefs',` ++ fs_manage_fusefs_dirs(ganesha_t) ++ fs_manage_fusefs_files(ganesha_t) ++ fs_read_fusefs_symlinks(ganesha_t) ++ fs_getattr_fusefs(ganesha_t) ++') +diff --git a/glusterd.fc b/glusterd.fc +index e42e81f5f..9806f50ae 100644 +--- a/glusterd.fc ++++ b/glusterd.fc +@@ -23,8 +23,3 @@ + /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) + /var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) + /var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) +- +-/var/log/ganesha(/.*)? 
gen_context(system_u:object_r:glusterd_log_t,s0) +-/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) +-/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0) +- +diff --git a/glusterd.if b/glusterd.if +index a62e355ac..291191f17 100644 +--- a/glusterd.if ++++ b/glusterd.if +@@ -135,7 +135,6 @@ interface(`glusterd_manage_log',` + manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t) + manage_files_pattern($1, glusterd_log_t, glusterd_log_t) + manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t) +- logging_log_named_filetrans($1, glusterd_log_t, file, "ganesha.log") + ') + + ###################################### +diff --git a/glusterd.te b/glusterd.te +index 7804cbaf4..2bcedd014 100644 +--- a/glusterd.te ++++ b/glusterd.te +@@ -64,8 +64,6 @@ files_type(glusterd_var_lib_t) + type glusterd_brick_t; + files_type(glusterd_brick_t) + +-typealias glusterd_log_t alias ganesha_var_log_t; +- + ######################################## + # + # Local policy +@@ -270,6 +268,11 @@ optional_policy(` + ') + ') + ++optional_policy(` ++ ganesha_systemctl(glusterd_t) ++ ganesha_dbus_chat(glusterd_t) ++') ++ + optional_policy(` + hostname_exec(glusterd_t) + ') +@@ -310,8 +313,8 @@ optional_policy(` + optional_policy(` + rpc_systemctl_nfsd(glusterd_t) + rpc_systemctl_rpcd(glusterd_t) ++ + rpc_domtrans_nfsd(glusterd_t) +- rpc_dbus_chat_nfsd(glusterd_t) + rpc_domtrans_rpcd(glusterd_t) + rpc_manage_nfs_state_data(glusterd_t) + rpc_manage_nfs_state_data_dir(glusterd_t) +diff --git a/nova.te b/nova.te +index 2259a5192..af8dd5527 100644 +--- a/nova.te ++++ b/nova.te +@@ -124,6 +124,7 @@ corenet_sendrecv_dns_server_packets(nova_domain) + corenet_sendrecv_dhcpd_server_packets(nova_domain) + + auth_use_nsswitch(nova_t) ++auth_use_pam(nova_t) + auth_read_passwd(nova_domain) + + dev_read_sysfs(nova_domain) +@@ -132,7 +133,7 @@ dev_read_rand(nova_domain) + + fs_getattr_all_fs(nova_domain) + +-init_read_utmp(nova_domain) 
++init_rw_utmp(nova_domain) + + libs_exec_ldconfig(nova_domain) + +diff --git a/rhcs.te b/rhcs.te +index 0e8b031bb..c029ccd71 100644 +--- a/rhcs.te ++++ b/rhcs.te +@@ -265,7 +265,7 @@ optional_policy(` + ') + + optional_policy(` +- rpc_dbus_chat_nfsd(cluster_t) ++ ganesha_dbus_chat(cluster_t) + ') + + optional_policy(` +diff --git a/rpc.fc b/rpc.fc +index b08ec8d2d..38a2f0911 100644 +--- a/rpc.fc ++++ b/rpc.fc +@@ -1,5 +1,3 @@ +- +- + # + # /etc + # +@@ -11,10 +9,6 @@ + /usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) + /usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0) + +-/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +-/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +-/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0) +- + # + # /sbin + # +@@ -33,15 +27,12 @@ + /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) + /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) + +-/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) +- + # + # /var + # + /var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0) + + /var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0) +-/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0) + /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) + /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + +diff --git a/rpc.if b/rpc.if +index 2ee527f2a..79a2a9c48 100644 +--- a/rpc.if ++++ b/rpc.if +@@ -530,24 +530,3 @@ interface(`rpc_gssd_noatsecure',` + + allow $1 gssd_t:process { noatsecure rlimitinh }; + ') +- +-######################################## +-## +-## Send and receive messages from +-## ganesha over dbus. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`rpc_dbus_chat_nfsd',` +- gen_require(` +- type nfsd_t; +- class dbus send_msg; +- ') +- +- allow $1 nfsd_t:dbus send_msg; +- allow nfsd_t $1:dbus send_msg; +-') +diff --git a/rpc.te b/rpc.te +index f4df4fda2..f585a7fb5 100644 +--- a/rpc.te ++++ b/rpc.te +@@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t) + type var_lib_nfs_t; + files_mountpoint(var_lib_nfs_t) + +-type nfsd_tmp_t; +-files_tmp_file(nfsd_tmp_t) +- +-typealias nfsd_t alias ganesha_t; +-typealias nfsd_exec_t alias ganesha_exec_t; +-typealias nfsd_unit_file_t alias ganesha_unit_file_t; +- + ######################################## + # + # Common rpc domain local policy +@@ -234,17 +227,8 @@ optional_policy(` + + allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource }; + +-allow nfsd_t self:process { setcap }; +- + allow nfsd_t exports_t:file read_file_perms; + +-manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) +-manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) +-files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir }) +- +-manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t) +-files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file }) +- + # for /proc/fs/nfs/exports - should we have a new type? 
+ kernel_read_system_state(nfsd_t) + kernel_read_network_state(nfsd_t) +@@ -318,16 +302,6 @@ tunable_policy(`nfs_export_all_ro',` + files_read_non_security_files(nfsd_t) + ') + +-optional_policy(` +- glusterd_manage_log(nfsd_t) +- glusterd_manage_pid(nfsd_t) +-') +- +-optional_policy(` +- dbus_system_bus_client(nfsd_t) +- dbus_acquire_svc_system_dbusd(nfsd_t) +-') +- + optional_policy(` + mount_exec(nfsd_t) + mount_manage_pid_files(nfsd_t) +diff --git a/sysstat.te b/sysstat.te +index a2690e315..efb2f855c 100644 +--- a/sysstat.te ++++ b/sysstat.te +@@ -44,6 +44,7 @@ dev_read_urand(sysstat_t) + + files_search_var(sysstat_t) + files_read_etc_runtime_files(sysstat_t) ++files_search_all_mountpoints(sysstat_t) + + fs_getattr_all_fs(sysstat_t) + fs_list_inotifyfs(sysstat_t) diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index 11e9c778..40d31408 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec @@ -20,12 +20,14 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 229%{?dist} +Release: 229%{?dist}.6 License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz patch0: policy-rhel-7.6-base.patch +patch3: policy-rhel-7.6.z-base.patch patch1: policy-rhel-7.6-contrib.patch +patch2: policy-rhel-7.6.z-contrib.patch Source1: modules-targeted-base.conf Source31: modules-targeted-contrib.conf Source2: booleans-targeted.conf @@ -274,9 +276,6 @@ fi; \ %define preInstall() \ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \ - if [ -d %{_sysconfdir}/selinux/%1/active/modules/100/ganesha ]; then \ - %{_sbindir}/semodule -n -d ganesha; \ - fi; \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ 
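Review bot: The new ganesha.fc drops the regex escaping that the removed rpc.fc entry had: `/usr/bin/ganesha.nfsd`, `/var/log/ganesha.log.*` and `/var/log/ganesha-gfapi.log.*` use an unescaped `.`, which matches any character in a file_contexts pattern, whereas the rpc.fc line being deleted spelled it `/usr/bin/ganesha\.nfsd` and the new entries should do the same. The `/var/run/ganesha(/.*)?` entry is also narrower than the removed `/var/run/ganesha.*`, so a pid file such as `/var/run/ganesha.pid`, if the daemon creates one, would get ganesha_var_run_t only through the files_pid_filetrans() rule in ganesha.te and would likely be relabeled back to var_run_t by restorecon. In ganesha.te, `allow ganesha_t self:capability { dac_read_search dac_override }` grants both capabilities; if the daemon only needs to read files it does not own, dac_read_search alone suffices and the broader dac_override should be justified by a comment or dropped. The `unconfined_dbus_chat(ganesha_t)` call in the same optional_policy block likewise deserves a comment naming which unconfined peer it needs to talk to. Minor: the ganesha_admin summary reads 'an ganesha environment', and ganesha_exec is missing the blank line before the next `####` separator.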
@@ -343,9 +342,11 @@ Based off of reference policy: Checked out revision 2.20091117 %prep %setup -n serefpolicy-contrib-%{version} -q -b 29 %patch1 -p1 +%patch2 -p1 contrib_path=`pwd` %setup -n serefpolicy-%{version} -q %patch0 -p1 +%patch3 -p1 refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.* @@ -656,6 +657,32 @@ fi %endif %changelog +* Fri Nov 02 2018 Lukas Vrabec - 3.13.1-229.6 +- Allow nova_t domain to use pam +Resolves: rhbz:#1645270 +- sysstat: grant sysstat_t the search_dir_perms set +Resolves: rhbz#1645271 + +* Fri Oct 12 2018 Lukas Vrabec - 3.13.1-229.5 +- Remove disabling ganesha module in pre install phase of installation new selinux-policy package where ganesha is again standalone module +Resolves: rhbz#1638257 + +* Thu Oct 11 2018 Lukas Vrabec - 3.13.1-229.4 +- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature 'io logging' +Resolves: rhbz#1638427 + +* Thu Oct 11 2018 Lukas Vrabec - 3.13.1-229.3 +- Run ganesha as ganesha_t domain again, revert changes where ganesha is running as nfsd_t +Resolves: rhbz#1638257 + +* Wed Oct 10 2018 Lukas Vrabec - 3.13.1-229.2 +- Fix missing patch in spec file +Resolves: rhbz#1635704 + +* Fri Oct 05 2018 Lukas Vrabec - 3.13.1-229.1 +- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domain +Resolves: rhbz#1635704 + * Wed Sep 26 2018 Lukas Vrabec - 3.13.1-229 - Allow neutron domain to read/write /var/run/utmp Resolves: rhbz#1630318 @@ -1008,7 +1035,7 @@ Resolves: rhbz#1452444 Resolves: rhbz#1595667 * Tue Jun 26 2018 Lukas Vrabec - 3.13.1-205 -- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t +- Allow abrt_watch_log_t domain to mmap binaries with label abrt_dump_oops_exec_t Resolves: rhbz#1591191 - Update cups_filetrans_named_content() to allow caller domain create ppd directory with cupsd_etc_rw_t label Resolves: rhbz#1452595 
@@ -1211,7 +1238,7 @@ Resolves: rhbz#1588884 Resolves: rhbz#1548350 * Wed Jun 06 2018 Lukas Vrabec - 3.13.1-202 -- Update ctdb domain to support gNFS setup +- Update ctdb domain to support gNFS setup Resolves: rhbz#1576818 - Allow authconfig_t dbus chat with policykit Resolves: rhbz#1551241 @@ -1334,7 +1361,7 @@ Resolves:rhbz#1510412 * Wed Apr 25 2018 Lukas Vrabec - 3.13.1-195 - Rename tang policy to tangd -- Allow virtd_t domain to relabel virt_var_lib_t files +- Allow virtd_t domain to relabel virt_var_lib_t files Resolves: rhbz#1558121 - Allow logrotate_t domain to stop services via systemd Resolves: rhbz#1527522 @@ -1362,7 +1389,7 @@ Resolves: rhbz#1377915 Resolves: rhbz#1550700 - Allow usbmuxd to access /run/udev/data/+usb:*. Resolves: rhbz#1521054 -- Allow abrt_t domain to manage kdump crash files +- Allow abrt_t domain to manage kdump crash files Resolves: rhbz#1491585 - Allow systemd to use virtio console Resolves: rhbz#1558121