diff --git a/container-selinux.tgz b/container-selinux.tgz index 34e3204..4168c82 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f25-base.patch b/policy-f25-base.patch index cb9387c..adc7a97 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -877,7 +877,7 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..7c036a8 100644 +index a94b169..7c61322 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -121,6 +121,60 @@ common x_device @@ -941,10 +941,19 @@ index a94b169..7c036a8 100644 # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } -@@ -393,62 +447,31 @@ class system +@@ -379,6 +433,7 @@ class security + setsecparam + setcheckreqprot + read_policy ++ validate_trans + } + + +@@ -393,62 +448,32 @@ class system syslog_mod syslog_console module_request ++ module_load + # these are overloaded userspace + # permissions from systemd + halt @@ -1020,7 +1029,7 @@ index a94b169..7c036a8 100644 # # Define the access vector interpretation for controlling # changes to passwd information. -@@ -690,6 +713,8 @@ class nscd +@@ -690,6 +715,8 @@ class nscd shmemhost getserv shmemserv @@ -1029,7 +1038,7 @@ index a94b169..7c036a8 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +856,38 @@ inherits socket +@@ -831,6 +858,38 @@ inherits socket attach_queue } @@ -1068,7 +1077,7 @@ index a94b169..7c036a8 100644 class x_pointer inherits x_device -@@ -865,3 +922,28 @@ inherits database +@@ -865,3 +924,28 @@ inherits database implement execute } @@ -2089,7 +2098,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..ae484a0 100644 +index c44c359..a3d4e61 100644 --- a/policy/modules/admin/netutils.te 
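Review bot: The two permissions added in policy/flask/access_vectors, `validate_trans` in `class security` and `module_load` in `class system`, arrive without a comment saying which kernel check each one backs. `module_load` is easy to confuse with the neighbouring `module_request`: the former is checked when a module is actually loaded, the latter only when an autoload is requested. I would add a comment above the new line, for example `# module_load: checked by the kernel on init_module/finit_module; module_request only covers autoload requests`. Since `module_load` sits directly above the "overloaded userspace permissions from systemd" comment, stating that kernel-defined permissions stay above that marker would also help the next editor.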
+++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2187,11 +2196,12 @@ index c44c359..ae484a0 100644 domain_use_interactive_fds(ping_t) -@@ -131,14 +139,13 @@ files_read_etc_files(ping_t) +@@ -131,14 +139,14 @@ files_read_etc_files(ping_t) files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) +kernel_read_network_state(ping_t) ++kernel_request_load_module(ping_t) auth_use_nsswitch(ping_t) @@ -2205,7 +2215,7 @@ index c44c359..ae484a0 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',` +@@ -146,14 +154,29 @@ ifdef(`hide_broken_symptoms',` optional_policy(` nagios_dontaudit_rw_log(ping_t) nagios_dontaudit_rw_pipes(ping_t) @@ -2235,7 +2245,7 @@ index c44c359..ae484a0 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +183,15 @@ optional_policy(` +@@ -161,6 +184,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -2251,7 +2261,7 @@ index c44c359..ae484a0 100644 ######################################## # # Traceroute local policy -@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +206,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -2259,7 +2269,7 @@ index c44c359..ae484a0 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +229,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -2267,7 +2277,7 @@ index c44c359..ae484a0 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +238,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) 
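Review bot: `kernel_request_load_module(ping_t)` is added to the ping local policy with no comment naming the module or the denial that motivated it. Letting a network utility domain trigger kernel module autoloading widens what a compromised or misused `ping_t` process can reach, so the justification should be recorded beside the rule. If ping works without the module and the request is only a side effect, `kernel_dontaudit_request_load_module(ping_t)` would silence the AVC without granting the permission. Otherwise add a comment such as `# ping triggers autoload of <module name>; see <bug reference>` (placeholders to fill in). The ping policy block starts and ends outside this hunk.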
@@ -2299,10 +2309,18 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..48ab7f8 100644 +index 03ec5ca..1ed2cd4 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if -@@ -58,6 +58,7 @@ template(`su_restricted_domain_template', ` +@@ -48,6 +48,7 @@ template(`su_restricted_domain_template', ` + allow $1_su_t self:fifo_file rw_fifo_file_perms; + allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + allow $1_su_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_su_t self:netlink_selinux_socket create_socket_perms; + + # Transition from the user domain to this domain. + domtrans_pattern($2, su_exec_t, $1_su_t) +@@ -58,6 +59,7 @@ template(`su_restricted_domain_template', ` allow $2 $1_su_t:fifo_file rw_file_perms; allow $2 $1_su_t:process sigchld; @@ -2310,7 +2328,7 @@ index 03ec5ca..48ab7f8 100644 kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) kernel_search_key($1_su_t) -@@ -86,10 +87,10 @@ template(`su_restricted_domain_template', ` +@@ -86,10 +88,10 @@ template(`su_restricted_domain_template', ` # Write to utmp. init_rw_utmp($1_su_t) init_search_script_keys($1_su_t) @@ -2322,7 +2340,7 @@ index 03ec5ca..48ab7f8 100644 ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora -@@ -119,11 +120,6 @@ template(`su_restricted_domain_template', ` +@@ -119,11 +121,6 @@ template(`su_restricted_domain_template', ` userdom_spec_domtrans_unpriv_users($1_su_t) ') @@ -2334,7 +2352,7 @@ index 03ec5ca..48ab7f8 100644 optional_policy(` cron_read_pipes($1_su_t) ') -@@ -172,14 +168,6 @@ template(`su_role_template',` +@@ -172,14 +169,6 @@ template(`su_role_template',` role $2 types $1_su_t; allow $3 $1_su_t:process signal; 
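Review bot: The new `allow $1_su_t self:netlink_selinux_socket create_socket_perms;` in `su_restricted_domain_template` carries no explanation of why su needs a SELinux netlink socket. Presumably it is for the libselinux notifications of policy reload and enforcing-mode changes, which su may need when it computes contexts. If so, say it in a comment, for example `# libselinux netlink notifications (policy reload / setenforce)`. It is also worth confirming that the full `create_socket_perms` set is needed rather than a narrower explicit permission list, since this template is instantiated for every su domain. The template body continues outside the hunk.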
@@ -2349,7 +2367,7 @@ index 03ec5ca..48ab7f8 100644 allow $1_su_t $3:key search; # Transition from the user domain to this domain. -@@ -194,125 +182,16 @@ template(`su_role_template',` +@@ -194,125 +183,16 @@ template(`su_role_template',` allow $3 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) @@ -11209,7 +11227,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..e06a46c 100644 +index f962f76..fa12587 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13173,7 +13191,33 @@ index f962f76..e06a46c 100644 ') ######################################## -@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4126,6 +5028,25 @@ interface(`files_kernel_modules_filetrans',` + + ######################################## + ## ++## Load kernel module files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_load_kernel_modules',` ++ gen_require(` ++ type modules_object_t; ++ ') ++ ++ files_read_kernel_modules($1) ++ allow $1 modules_object_t:system module_load; ++') ++ ++######################################## ++## + ## List world-readable directories. + ## + ## +@@ -4217,174 +5138,275 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
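Review bot: The summary of the new `files_load_kernel_modules` interface, "Load kernel module files.", understates what `allow $1 modules_object_t:system module_load;` grants. Any domain given this interface may have files labelled `modules_object_t` loaded into the kernel, which amounts to kernel code execution for that domain. I would make the description say so and note that the interface does not grant the `sys_module` capability, which callers still need separately, for example `## Allow the domain to load kernel modules from files labelled modules_object_t (callers also need the sys_module capability).` A remark that the interface should only be given to domains already trusted to manage the kernel would keep it from being copied as a routine fix for AVC denials.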
@@ -13320,91 +13364,61 @@ index f962f76..e06a46c 100644 ## -## Do not audit attempts to search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') - -- dontaudit $1 tmp_t:dir search_dir_perms; ++ + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +################################### - ## --## Read the tmp directory (/tmp). ++## +## Create files in /etc with the type used for +## the manageable system config files. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## The type of the process performing this action. +## - ## - # --interface(`files_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir list_dir_perms; ++ + filetrans_pattern($1, etc_t, system_conf_t, file) - ') - --######################################## ++') ++ +###################################### - ## --## Do not audit listing of the tmp directory (/tmp). ++## +## Manage manageable system db files in /var/lib. - ## - ## --## --## Domain not to audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') - -- dontaudit $1 tmp_t:dir list_dir_perms; ++ + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) - ') - --######################################## ++') ++ +##################################### - ## --## Remove entries from the tmp directory. 
++## +## File name transition for system db files in /var/lib. ## ## @@ -13430,24 +13444,24 @@ index f962f76..e06a46c 100644 +## +## ## --## Domain allowed access. +-## Domain to not audit. +## Type of the file to associate. ## ## # --interface(`files_delete_tmp_dir_entry',` +-interface(`files_dontaudit_search_tmp',` +interface(`files_associate_tmp',` gen_require(` type tmp_t; ') -- allow $1 tmp_t:dir del_entry_dir_perms; +- dontaudit $1 tmp_t:dir search_dir_perms; + allow $1 tmp_t:filesystem associate; ') ######################################## ## --## Read files in the tmp directory (/tmp). +-## Read the tmp directory (/tmp). +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system @@ -13460,42 +13474,43 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_read_generic_tmp_files',` +-interface(`files_list_tmp',` +interface(`files_associate_rootfs',` gen_require(` - type tmp_t; + type root_t; ') -- read_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmp_t:dir list_dir_perms; + allow $1 root_t:filesystem associate; ') ######################################## ## --## Manage temporary directories in /tmp. +-## Do not audit listing of the tmp directory (/tmp). +## Get the attributes of the tmp directory (/tmp). ## ## ## -@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',` +-## Domain not to audit. ++## Domain allowed access. ## ## # --interface(`files_manage_generic_tmp_dirs',` +-interface(`files_dontaudit_list_tmp',` +interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- manage_dirs_pattern($1, tmp_t, tmp_t) +- dontaudit $1 tmp_t:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') ######################################## ## --## Manage temporary files and directories in /tmp. +-## Remove entries from the tmp directory. +## Do not audit attempts to check the +## access on tmp files ## 
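Review bot: `files_relabelfrom_system_conf_files` declares `type usr_t;` in its `gen_require` block, but its only rule is `relabelfrom_files_pattern($1, system_conf_t, system_conf_t)`, so the type it actually uses is never required; the require line should be `type system_conf_t;`. The same mismatch appears in `files_dontaudit_access_check_tmp` in the `@@ -13506,20 +13521,20 @@` hunk, which requires `type etc_t;` while its rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;` and should require `type tmp_t;`. A wrong require can go unnoticed while the type happens to be in scope, then surface as an unresolved type in whichever module calls the interface. Both lines are carried through this commit unchanged rather than introduced by it, but they sit in the regenerated patch and are cheap to fix here.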
@@ -13506,20 +13521,20 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_manage_generic_tmp_files',` +-interface(`files_delete_tmp_dir_entry',` +interface(`files_dontaudit_access_check_tmp',` gen_require(` - type tmp_t; + type etc_t; ') -- manage_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmp_t:dir del_entry_dir_perms; + dontaudit $1 tmp_t:dir_file_class_set audit_access; ') ######################################## ## --## Read symbolic links in the tmp directory (/tmp). +-## Read files in the tmp directory (/tmp). +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). ## @@ -13530,34 +13545,34 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_read_generic_tmp_symlinks',` +-interface(`files_read_generic_tmp_files',` +interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- read_lnk_files_pattern($1, tmp_t, tmp_t) +- read_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir getattr; ') ######################################## ## --## Read and write generic named sockets in the tmp directory (/tmp). +-## Manage temporary directories in /tmp. +## Search the tmp directory (/tmp). ## ## ## -@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',` +@@ -4392,35 +5414,37 @@ interface(`files_read_generic_tmp_files',` ## ## # --interface(`files_rw_generic_tmp_sockets',` +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_search_tmp',` gen_require(` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) +- manage_dirs_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; @@ -13565,7 +13580,7 @@ index f962f76..e06a46c 100644 ######################################## ## --## Set the attributes of all tmp directories. +-## Manage temporary files and directories in /tmp. +## Do not audit attempts to search the tmp directory (/tmp). ## ## 
@@ -13575,44 +13590,40 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_setattr_all_tmp_dirs',` +-interface(`files_manage_generic_tmp_files',` +interface(`files_dontaudit_search_tmp',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + type tmp_t; ') -- allow $1 tmpfile:dir { search_dir_perms setattr }; +- manage_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir search_dir_perms; ') ######################################## ## --## List all tmp directories. +-## Read symbolic links in the tmp directory (/tmp). +## Read the tmp directory (/tmp). ## ## ## -@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4428,53 +5452,55 @@ interface(`files_manage_generic_tmp_files',` ## ## # --interface(`files_list_all_tmp',` +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_list_tmp',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; -+ read_lnk_files_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; ') ######################################## ## --## Relabel to and from all temporary --## directory types. +-## Read and write generic named sockets in the tmp directory (/tmp). +## Do not audit listing of the tmp directory (/tmp). ## ## 
@@ -13621,38 +13632,33 @@ index f962f76..e06a46c 100644 +## Domain to not audit. ## ## --## # --interface(`files_relabel_all_tmp_dirs',` +-interface(`files_rw_generic_tmp_sockets',` +interface(`files_dontaudit_list_tmp',` gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; + type tmp_t; ') -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) +- rw_sock_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir list_dir_perms; ') -######################################## +####################################### ## --## Do not audit attempts to get the attributes --## of all tmp files. +-## Set the attributes of all tmp directories. +## Allow read and write to the tmp directory (/tmp). ## ## -## --## Domain not to audit. +-## Domain allowed access. -## +## +## Domain not to audit. +## ## # --interface(`files_dontaudit_getattr_all_tmp_files',` +-interface(`files_setattr_all_tmp_dirs',` - gen_require(` - attribute tmpfile; - ') @@ -13661,31 +13667,30 @@ index f962f76..e06a46c 100644 + type tmp_t; + ') -- dontaudit $1 tmpfile:file getattr; +- allow $1 tmpfile:dir { search_dir_perms setattr }; + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; ') ######################################## ## --## Allow attempts to get the attributes --## of all tmp files. +-## List all tmp directories. +## Remove entries from the tmp directory. ## ## ## -@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4482,118 +5508,116 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # --interface(`files_getattr_all_tmp_files',` +-interface(`files_list_all_tmp',` +interface(`files_delete_tmp_dir_entry',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- allow $1 tmpfile:file getattr; +- allow $1 tmpfile:dir list_dir_perms; + files_search_tmp($1) + allow $1 tmp_t:dir del_entry_dir_perms; ') 
@@ -13693,7 +13698,7 @@ index f962f76..e06a46c 100644 ######################################## ## -## Relabel to and from all temporary --## file types. +-## directory types. +## Read files in the tmp directory (/tmp). ## ## @@ -13703,7 +13708,7 @@ index f962f76..e06a46c 100644 ## -## # --interface(`files_relabel_all_tmp_files',` +-interface(`files_relabel_all_tmp_dirs',` +interface(`files_read_generic_tmp_files',` gen_require(` - attribute tmpfile; @@ -13712,14 +13717,14 @@ index f962f76..e06a46c 100644 ') - allow $1 var_t:dir search_dir_perms; -- relabel_files_pattern($1, tmpfile, tmpfile) +- relabel_dirs_pattern($1, tmpfile, tmpfile) + read_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Do not audit attempts to get the attributes --## of all tmp sock_file. +-## of all tmp files. +## Manage temporary directories in /tmp. ## ## @@ -13729,20 +13734,21 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_dontaudit_getattr_all_tmp_sockets',` +-interface(`files_dontaudit_getattr_all_tmp_files',` +interface(`files_manage_generic_tmp_dirs',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- dontaudit $1 tmpfile:sock_file getattr; +- dontaudit $1 tmpfile:file getattr; + manage_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Read all tmp files. +-## Allow attempts to get the attributes +-## of all tmp files. +## Allow shared library text relocations in tmp files. ## +## 
@@ -13759,21 +13765,93 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_read_all_tmp_files',` +-interface(`files_getattr_all_tmp_files',` +interface(`files_execmod_tmp',` gen_require(` attribute tmpfile; ') -- read_files_pattern($1, tmpfile, tmpfile) +- allow $1 tmpfile:file getattr; + allow $1 tmpfile:file execmod; ') ######################################## ## +-## Relabel to and from all temporary +-## file types. ++## Manage temporary files and directories in /tmp. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_manage_generic_tmp_files',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ manage_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Read symbolic links in the tmp directory (/tmp). + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Read all tmp files. ++## Read and write generic named sockets in the tmp directory (/tmp). 
+ ## + ## + ## +@@ -4601,51 +5625,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` + ## + ## + # +-interface(`files_read_all_tmp_files',` ++interface(`files_rw_generic_tmp_sockets',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- read_files_pattern($1, tmpfile, tmpfile) ++ rw_sock_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## -## Create an object in the tmp directories, with a private -## type using a type transition. -+## Manage temporary files and directories in /tmp. ++## Relabel a dir from the type used in /tmp. ## ## ## @@ -13797,28 +13875,28 @@ index f962f76..e06a46c 100644 -## # -interface(`files_tmp_filetrans',` -+interface(`files_manage_generic_tmp_files',` ++interface(`files_relabelfrom_tmp_dirs',` gen_require(` type tmp_t; ') - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ manage_files_pattern($1, tmp_t, tmp_t) ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Delete the contents of /tmp. -+## Read symbolic links in the tmp directory (/tmp). ++## Relabel a file from the type used in /tmp. ## ## ## -@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',` +@@ -4653,22 +5661,17 @@ interface(`files_tmp_filetrans',` ## ## # -interface(`files_purge_tmp',` -+interface(`files_read_generic_tmp_symlinks',` ++interface(`files_relabelfrom_tmp_files',` gen_require(` - attribute tmpfile; + type tmp_t; 
@@ -13830,80 +13908,80 @@ index f962f76..e06a46c 100644 - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Set the attributes of the /usr directory. -+## Read and write generic named sockets in the tmp directory (/tmp). ++## Set the attributes of all tmp directories. ## ## ## -@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',` +@@ -4676,17 +5679,17 @@ interface(`files_purge_tmp',` ## ## # -interface(`files_setattr_usr_dirs',` -+interface(`files_rw_generic_tmp_sockets',` ++interface(`files_setattr_all_tmp_dirs',` gen_require(` - type usr_t; -+ type tmp_t; ++ attribute tmpfile; ') - allow $1 usr_t:dir setattr; -+ rw_sock_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## ## -## Search the content of /usr. -+## Relabel a dir from the type used in /tmp. ++## Allow caller to read inherited tmp files. ## ## ## -@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4694,18 +5697,17 @@ interface(`files_setattr_usr_dirs',` ## ## # -interface(`files_search_usr',` -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_read_inherited_tmp_files',` gen_require(` - type usr_t; -+ type tmp_t; ++ attribute tmpfile; ') - allow $1 usr_t:dir search_dir_perms; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ') ######################################## ## -## List the contents of generic -## directories in /usr. -+## Relabel a file from the type used in /tmp. ++## Allow caller to append inherited tmp files. 
## ## ## -@@ -4713,35 +5642,35 @@ interface(`files_search_usr',` +@@ -4713,35 +5715,35 @@ interface(`files_search_usr',` ## ## # -interface(`files_list_usr',` -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_append_inherited_tmp_files',` gen_require(` - type usr_t; -+ type tmp_t; ++ attribute tmpfile; ') - allow $1 usr_t:dir list_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file append_inherited_file_perms; ') ######################################## ## -## Do not audit write of /usr dirs -+## Set the attributes of all tmp directories. ++## Allow caller to read and write inherited tmp files. ## ## ## @@ -13913,43 +13991,44 @@ index f962f76..e06a46c 100644 ## # -interface(`files_dontaudit_write_usr_dirs',` -+interface(`files_setattr_all_tmp_dirs',` ++interface(`files_rw_inherited_tmp_file',` gen_require(` - type usr_t; + attribute tmpfile; ') - dontaudit $1 usr_t:dir write; -+ allow $1 tmpfile:dir { search_dir_perms setattr }; ++ allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Add and remove entries from /usr directories. -+## Allow caller to read inherited tmp files. ++## List all tmp directories. ## ## ## -@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4749,54 +5751,59 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # -interface(`files_rw_usr_dirs',` -+interface(`files_read_inherited_tmp_files',` ++interface(`files_list_all_tmp',` gen_require(` - type usr_t; + attribute tmpfile; ') - allow $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 tmpfile:dir list_dir_perms; ') ######################################## ## -## Do not audit attempts to add and remove -## entries from /usr directories. -+## Allow caller to append inherited tmp files. ++## Relabel to and from all temporary ++## directory types. ## ## ## 
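Review bot: `files_read_inherited_tmp_files` is described as "Allow caller to read inherited tmp files", but its rule is `allow $1 tmpfile:file { append read_inherited_file_perms };`, so every caller also gets append on all `tmpfile` types. The interface directly after it, `files_append_inherited_tmp_files`, exists for that purpose, so a read-named interface should be `allow $1 tmpfile:file read_inherited_file_perms;`. If the append is deliberate, the summary should say "read and append" so reviewers granting it know what they are handing out. This commit only moves the interface within the patch; the rule itself is unchanged.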
@@ -13957,67 +14036,73 @@ index f962f76..e06a46c 100644 +## Domain allowed access. ## ## ++## # -interface(`files_dontaudit_rw_usr_dirs',` -+interface(`files_append_inherited_tmp_files',` ++interface(`files_relabel_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; ++ type var_t; ') - dontaudit $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file append_inherited_file_perms; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Delete generic directories in /usr in the caller domain. -+## Allow caller to read and write inherited tmp files. ++## Do not audit attempts to get the attributes ++## of all tmp files. ## ## ## -@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_delete_usr_dirs',` -+interface(`files_rw_inherited_tmp_file',` ++interface(`files_dontaudit_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - delete_dirs_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ dontaudit $1 tmpfile:file getattr; ') ######################################## ## -## Delete generic files in /usr in the caller domain. -+## List all tmp directories. ++## Allow attempts to get the attributes ++## of all tmp files. ## ## ## -@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',` +@@ -4804,73 +5811,58 @@ interface(`files_delete_usr_dirs',` ## ## # -interface(`files_delete_usr_files',` -+interface(`files_list_all_tmp',` ++interface(`files_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - delete_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:dir list_dir_perms; ++ allow $1 tmpfile:file getattr; ') ######################################## ## -## Get the attributes of files in /usr. +## Relabel to and from all temporary -+## directory types. ++## file types. ## ## ## 
@@ -14027,7 +14112,7 @@ index f962f76..e06a46c 100644 +## # -interface(`files_getattr_usr_files',` -+interface(`files_relabel_all_tmp_dirs',` ++interface(`files_relabel_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; @@ -14036,14 +14121,14 @@ index f962f76..e06a46c 100644 - getattr_files_pattern($1, usr_t, usr_t) + allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) ++ relabel_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Read generic files in /usr. +## Do not audit attempts to get the attributes -+## of all tmp files. ++## of all tmp sock_file. ## -## -##

@@ -14071,7 +14156,7 @@ index f962f76..e06a46c 100644 -## # -interface(`files_read_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` - type usr_t; + attribute tmpfile; @@ -14080,23 +14165,22 @@ index f962f76..e06a46c 100644 - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file getattr; ++ dontaudit $1 tmpfile:sock_file getattr; ') ######################################## ##

-## Execute generic programs in /usr in the caller domain. -+## Allow attempts to get the attributes -+## of all tmp files. ++## Read all tmp files. ## ## ## -@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',` +@@ -4878,19 +5870,18 @@ interface(`files_read_usr_files',` ## ## # -interface(`files_exec_usr_files',` -+interface(`files_getattr_all_tmp_files',` ++interface(`files_read_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; 
@@ -14105,109 +14189,35 @@ index f962f76..e06a46c 100644 - allow $1 usr_t:dir list_dir_perms; - exec_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file getattr; - ') - - ######################################## - ## --## dontaudit write of /usr files -+## Relabel to and from all temporary -+## file types. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_write_usr_files',` -+interface(`files_relabel_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; - ') - -- dontaudit $1 usr_t:file write; -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /usr directory. -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_sockets',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- manage_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:sock_file getattr; - ') - - ######################################## - ## --## Relabel a file to the type used in /usr. -+## Read all tmp files. - ## - ## - ## -@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',` - ## - ## - # --interface(`files_relabelto_usr_files',` -+interface(`files_read_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') - -- relabelto_files_pattern($1, usr_t, usr_t) + read_files_pattern($1, tmpfile, tmpfile) ') ######################################## ## --## Relabel a file from the type used in /usr. +-## dontaudit write of /usr files +## Do not audit attempts to read or write +## all leaked tmpfiles files. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+@@ -4898,71 +5889,70 @@ interface(`files_exec_usr_files',` ## ## # --interface(`files_relabelfrom_usr_files',` +-interface(`files_dontaudit_write_usr_files',` +interface(`files_dontaudit_tmp_file_leaks',` gen_require(` - type usr_t; + attribute tmpfile; ') -- relabelfrom_files_pattern($1, usr_t, usr_t) +- dontaudit $1 usr_t:file write; + dontaudit $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## --## Read symbolic links in /usr. +-## Create, read, write, and delete files in the /usr directory. +## Do allow attempts to read or write +## all leaked tmpfiles files. ## @@ -14218,20 +14228,20 @@ index f962f76..e06a46c 100644 ##
## # --interface(`files_read_usr_symlinks',` +-interface(`files_manage_usr_files',` +interface(`files_rw_tmp_file_leaks',` gen_require(` - type usr_t; + attribute tmpfile; ') -- read_lnk_files_pattern($1, usr_t, usr_t) +- manage_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## --## Create objects in the /usr directory +-## Relabel a file to the type used in /usr. +## Create an object in the tmp directories, with a private +## type using a type transition. ## @@ -14240,56 +14250,67 @@ index f962f76..e06a46c 100644 ## Domain allowed access. ##
## --## +-# +-interface(`files_relabelto_usr_files',` +- gen_require(` +- type usr_t; +- ') +- +- relabelto_files_pattern($1, usr_t, usr_t) +-') +- +-######################################## +-## +-## Relabel a file from the type used in /usr. +-## +-## +## ## --## The type of the object to be created +-## Domain allowed access. +## The type of the object to be created. - ## - ## --## ++##
++## +## - ## --## The object class. ++## +## The object class of the object being created. - ## - ## - ## -@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',` ++## ++## ++## ++## ++## The name of the object being created. ## ## # --interface(`files_usr_filetrans',` +-interface(`files_relabelfrom_usr_files',` +interface(`files_tmp_filetrans',` gen_require(` - type usr_t; + type tmp_t; ') -- filetrans_pattern($1, usr_t, $2, $3, $4) +- relabelfrom_files_pattern($1, usr_t, usr_t) + filetrans_pattern($1, tmp_t, $2, $3, $4) ') ######################################## ## --## Do not audit attempts to search /usr/src. +-## Read symbolic links in /usr. +## Delete the contents of /tmp. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -4970,68 +5960,69 @@ interface(`files_relabelfrom_usr_files',` ## ## # --interface(`files_dontaudit_search_src',` +-interface(`files_read_usr_symlinks',` +interface(`files_purge_tmp',` gen_require(` -- type src_t; +- type usr_t; + attribute tmpfile; ') -- dontaudit $1 src_t:dir search_dir_perms; +- read_lnk_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:dir list_dir_perms; + delete_dirs_pattern($1, tmpfile, tmpfile) + delete_files_pattern($1, tmpfile, tmpfile) 
@@ -14310,81 +14331,92 @@ index f962f76..e06a46c 100644 ######################################## ## --## Get the attributes of files in /usr/src. +-## Create objects in the /usr directory +## Set the attributes of the /usr directory. ## ## ## -@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',` + ## Domain allowed access. ## ## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +-## The object class. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## # --interface(`files_getattr_usr_src_files',` +-interface(`files_usr_filetrans',` +interface(`files_setattr_usr_dirs',` gen_require(` -- type usr_t, src_t; -+ type usr_t; + type usr_t; ') -- getattr_files_pattern($1, src_t, src_t) -- -- # /usr/src/linux symlink: -- read_lnk_files_pattern($1, usr_t, src_t) +- filetrans_pattern($1, usr_t, $2, $3, $4) + allow $1 usr_t:dir setattr; ') ######################################## ## --## Read files in /usr/src. +-## Do not audit attempts to search /usr/src. +## Search the content of /usr. ## ## ## -@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_read_usr_src_files',` +-interface(`files_dontaudit_search_src',` +interface(`files_search_usr',` gen_require(` -- type usr_t, src_t; +- type src_t; + type usr_t; ') - allow $1 usr_t:dir search_dir_perms; -- read_files_pattern($1, { usr_t src_t }, src_t) -- read_lnk_files_pattern($1, { usr_t src_t }, src_t) -- allow $1 src_t:dir list_dir_perms; +- dontaudit $1 src_t:dir search_dir_perms; ++ allow $1 usr_t:dir search_dir_perms; ') ######################################## ## --## Execute programs in /usr/src in the caller domain. +-## Get the attributes of files in /usr/src. +## List the contents of generic +## directories in /usr. 
## ## ## -@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',` +@@ -5039,41 +6030,35 @@ interface(`files_dontaudit_search_src',` ## ## # --interface(`files_exec_usr_src_files',` +-interface(`files_getattr_usr_src_files',` +interface(`files_list_usr',` gen_require(` - type usr_t, src_t; + type usr_t; ') -- list_dirs_pattern($1, usr_t, src_t) -- exec_files_pattern($1, src_t, src_t) -- read_lnk_files_pattern($1, src_t, src_t) +- getattr_files_pattern($1, src_t, src_t) +- +- # /usr/src/linux symlink: +- read_lnk_files_pattern($1, usr_t, src_t) + allow $1 usr_t:dir list_dir_perms; ') ######################################## ## --## Install a system.map into the /boot directory. +-## Read files in /usr/src. +## Do not audit write of /usr dirs ## ## 
@@ -14394,44 +14426,47 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_create_kernel_symbol_table',` +-interface(`files_read_usr_src_files',` +interface(`files_dontaudit_write_usr_dirs',` gen_require(` -- type boot_t, system_map_t; +- type usr_t, src_t; + type usr_t; ') -- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -- allow $1 system_map_t:file { create_file_perms rw_file_perms }; +- allow $1 usr_t:dir search_dir_perms; +- read_files_pattern($1, { usr_t src_t }, src_t) +- read_lnk_files_pattern($1, { usr_t src_t }, src_t) +- allow $1 src_t:dir list_dir_perms; + dontaudit $1 usr_t:dir write; ') ######################################## ## --## Read system.map in the /boot directory. +-## Execute programs in /usr/src in the caller domain. +## Add and remove entries from /usr directories. ## ## ## -@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5081,38 +6066,36 @@ interface(`files_read_usr_src_files',` ## ## # --interface(`files_read_kernel_symbol_table',` +-interface(`files_exec_usr_src_files',` +interface(`files_rw_usr_dirs',` gen_require(` -- type boot_t, system_map_t; +- type usr_t, src_t; + type usr_t; ') -- allow $1 boot_t:dir list_dir_perms; -- read_files_pattern($1, boot_t, system_map_t) +- list_dirs_pattern($1, usr_t, src_t) +- exec_files_pattern($1, src_t, src_t) +- read_lnk_files_pattern($1, src_t, src_t) + allow $1 usr_t:dir rw_dir_perms; ') ######################################## ## --## Delete a system.map in the /boot directory. +-## Install a system.map into the /boot directory. +## Do not audit attempts to add and remove +## entries from /usr directories. ## 
@@ -14442,89 +14477,89 @@ index f962f76..e06a46c 100644 ## ## # --interface(`files_delete_kernel_symbol_table',` +-interface(`files_create_kernel_symbol_table',` +interface(`files_dontaudit_rw_usr_dirs',` gen_require(` - type boot_t, system_map_t; + type usr_t; ') -- allow $1 boot_t:dir list_dir_perms; -- delete_files_pattern($1, boot_t, system_map_t) +- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; +- allow $1 system_map_t:file { create_file_perms rw_file_perms }; + dontaudit $1 usr_t:dir rw_dir_perms; ') ######################################## ## --## Search the contents of /var. +-## Read system.map in the /boot directory. +## Delete generic directories in /usr in the caller domain. ## ## ## -@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5120,18 +6103,17 @@ interface(`files_create_kernel_symbol_table',` ## ## # --interface(`files_search_var',` +-interface(`files_read_kernel_symbol_table',` +interface(`files_delete_usr_dirs',` gen_require(` -- type var_t; +- type boot_t, system_map_t; + type usr_t; ') -- allow $1 var_t:dir search_dir_perms; +- allow $1 boot_t:dir list_dir_perms; +- read_files_pattern($1, boot_t, system_map_t) + delete_dirs_pattern($1, usr_t, usr_t) ') ######################################## ## --## Do not audit attempts to write to /var. +-## Delete a system.map in the /boot directory. +## Delete generic files in /usr in the caller domain. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -5139,18 +6121,17 @@ interface(`files_read_kernel_symbol_table',` ## ## # --interface(`files_dontaudit_write_var_dirs',` +-interface(`files_delete_kernel_symbol_table',` +interface(`files_delete_usr_files',` gen_require(` -- type var_t; +- type boot_t, system_map_t; + type usr_t; ') -- dontaudit $1 var_t:dir write; +- allow $1 boot_t:dir list_dir_perms; +- delete_files_pattern($1, boot_t, system_map_t) + delete_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Allow attempts to write to /var.dirs +-## Search the contents of /var. +## Get the attributes of files in /usr. ## ## ## -@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5158,35 +6139,55 @@ interface(`files_delete_kernel_symbol_table',` ## ## # --interface(`files_write_var_dirs',` +-interface(`files_search_var',` +interface(`files_getattr_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir write; +- allow $1 var_t:dir search_dir_perms; + getattr_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Do not audit attempts to search --## the contents of /var. +-## Do not audit attempts to write to /var. +## Read generic files in /usr. ## +## @@ -14552,14 +14587,14 @@ index f962f76..e06a46c 100644 ## +## # --interface(`files_dontaudit_search_var',` +-interface(`files_dontaudit_write_var_dirs',` +interface(`files_read_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- dontaudit $1 var_t:dir search_dir_perms; +- dontaudit $1 var_t:dir write; + allow $1 usr_t:dir list_dir_perms; + read_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) 
@@ -14567,23 +14602,23 @@ index f962f76..e06a46c 100644 ######################################## ## --## List the contents of /var. +-## Allow attempts to write to /var.dirs +## Execute generic programs in /usr in the caller domain. ## ## ## -@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',` +@@ -5194,18 +6195,19 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # --interface(`files_list_var',` +-interface(`files_write_var_dirs',` +interface(`files_exec_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir list_dir_perms; +- allow $1 var_t:dir write; + allow $1 usr_t:dir list_dir_perms; + exec_files_pattern($1, usr_t, usr_t) + read_lnk_files_pattern($1, usr_t, usr_t) 
@@ -14591,121 +14626,119 @@ index f962f76..e06a46c 100644 ######################################## ## --## Create, read, write, and delete directories --## in the /var directory. +-## Do not audit attempts to search +-## the contents of /var. +## dontaudit write of /usr files ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5213,17 +6215,17 @@ interface(`files_write_var_dirs',` ## ## # --interface(`files_manage_var_dirs',` +-interface(`files_dontaudit_search_var',` +interface(`files_dontaudit_write_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- allow $1 var_t:dir manage_dir_perms; +- dontaudit $1 var_t:dir search_dir_perms; + dontaudit $1 usr_t:file write; ') ######################################## ## --## Read files in the /var directory. +-## List the contents of /var. +## Create, read, write, and delete files in the /usr directory. ## ## ## -@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',` +@@ -5231,18 +6233,17 @@ interface(`files_dontaudit_search_var',` ## ## # --interface(`files_read_var_files',` +-interface(`files_list_var',` +interface(`files_manage_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- read_files_pattern($1, var_t, var_t) +- allow $1 var_t:dir list_dir_perms; + manage_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Append files in the /var directory. +-## Create, read, write, and delete directories +-## in the /var directory. +## Relabel a file to the type used in /usr. 
## ## ## -@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',` +@@ -5250,17 +6251,17 @@ interface(`files_list_var',` ## ## # --interface(`files_append_var_files',` +-interface(`files_manage_var_dirs',` +interface(`files_relabelto_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- append_files_pattern($1, var_t, var_t) +- allow $1 var_t:dir manage_dir_perms; + relabelto_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Read and write files in the /var directory. +-## Read files in the /var directory. +## Relabel a file from the type used in /usr. ## ## ## -@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',` +@@ -5268,17 +6269,17 @@ interface(`files_manage_var_dirs',` ## ## # --interface(`files_rw_var_files',` +-interface(`files_read_var_files',` +interface(`files_relabelfrom_usr_files',` gen_require(` - type var_t; + type usr_t; ') -- rw_files_pattern($1, var_t, var_t) +- read_files_pattern($1, var_t, var_t) + relabelfrom_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Do not audit attempts to read and write --## files in the /var directory. +-## Append files in the /var directory. +## Read symbolic links in /usr. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -5286,36 +6287,50 @@ interface(`files_read_var_files',` ## ## # --interface(`files_dontaudit_rw_var_files',` +-interface(`files_append_var_files',` +interface(`files_read_usr_symlinks',` gen_require(` - type var_t; + type usr_t; ') -- dontaudit $1 var_t:file rw_file_perms; +- append_files_pattern($1, var_t, var_t) + read_lnk_files_pattern($1, usr_t, usr_t) ') ######################################## ## --## Create, read, write, and delete files in the /var directory. +-## Read and write files in the /var directory. +## Create objects in the /usr directory ## ## 
@@ -14729,60 +14762,59 @@ index f962f76..e06a46c 100644 +## +## # --interface(`files_manage_var_files',` +-interface(`files_rw_var_files',` +interface(`files_usr_filetrans',` gen_require(` - type var_t; + type usr_t; ') -- manage_files_pattern($1, var_t, var_t) +- rw_files_pattern($1, var_t, var_t) + filetrans_pattern($1, usr_t, $2, $3, $4) ') ######################################## ## --## Read symbolic links in the /var directory. +-## Do not audit attempts to read and write +-## files in the /var directory. +## Do not audit attempts to search /usr/src. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5323,17 +6338,17 @@ interface(`files_rw_var_files',` ## ## # --interface(`files_read_var_symlinks',` +-interface(`files_dontaudit_rw_var_files',` +interface(`files_dontaudit_search_src',` gen_require(` - type var_t; + type src_t; ') -- read_lnk_files_pattern($1, var_t, var_t) +- dontaudit $1 var_t:file rw_file_perms; + dontaudit $1 src_t:dir search_dir_perms; ') ######################################## ## --## Create, read, write, and delete symbolic --## links in the /var directory. +-## Create, read, write, and delete files in the /var directory. +## Get the attributes of files in /usr/src. ## ## ## -@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',` +@@ -5341,17 +6356,20 @@ interface(`files_dontaudit_rw_var_files',` ## ## # --interface(`files_manage_var_symlinks',` +-interface(`files_manage_var_files',` +interface(`files_getattr_usr_src_files',` gen_require(` - type var_t; + type usr_t, src_t; ') -- manage_lnk_files_pattern($1, var_t, var_t) +- manage_files_pattern($1, var_t, var_t) + getattr_files_pattern($1, src_t, src_t) + + # /usr/src/linux symlink: 
@@ -14791,11 +14823,61 @@ index f962f76..e06a46c 100644 ######################################## ## --## Create objects in the /var directory +-## Read symbolic links in the /var directory. +## Read files in /usr/src. ## ## ## +@@ -5359,18 +6377,20 @@ interface(`files_manage_var_files',` + ## + ## + # +-interface(`files_read_var_symlinks',` ++interface(`files_read_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- read_lnk_files_pattern($1, var_t, var_t) ++ allow $1 usr_t:dir search_dir_perms; ++ read_files_pattern($1, { usr_t src_t }, src_t) ++ read_lnk_files_pattern($1, { usr_t src_t }, src_t) ++ allow $1 src_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete symbolic +-## links in the /var directory. ++## Execute programs in /usr/src in the caller domain. + ## + ## + ## +@@ -5378,120 +6398,94 @@ interface(`files_read_var_symlinks',` + ## + ## + # +-interface(`files_manage_var_symlinks',` ++interface(`files_exec_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- manage_lnk_files_pattern($1, var_t, var_t) ++ list_dirs_pattern($1, usr_t, src_t) ++ exec_files_pattern($1, src_t, src_t) ++ read_lnk_files_pattern($1, src_t, src_t) + ') + + ######################################## + ## +-## Create objects in the /var directory ++## Install a system.map into the /boot directory. + ## + ## + ## ## Domain allowed access. ## ## 
@@ -14816,47 +14898,44 @@ index f962f76..e06a46c 100644 -## # -interface(`files_var_filetrans',` -+interface(`files_read_usr_src_files',` ++interface(`files_create_kernel_symbol_table',` gen_require(` - type var_t; -+ type usr_t, src_t; ++ type boot_t, system_map_t; ') - filetrans_pattern($1, var_t, $2, $3, $4) -+ allow $1 usr_t:dir search_dir_perms; -+ read_files_pattern($1, { usr_t src_t }, src_t) -+ read_lnk_files_pattern($1, { usr_t src_t }, src_t) -+ allow $1 src_t:dir list_dir_perms; ++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; ++ allow $1 system_map_t:file { create_file_perms rw_file_perms }; ') ######################################## ## -## Get the attributes of the /var/lib directory. -+## Execute programs in /usr/src in the caller domain. ++## Dontaudit getattr attempts on the system.map file ## ## ## -@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_getattr_var_lib_dirs',` -+interface(`files_exec_usr_src_files',` ++interface(`files_dontaduit_getattr_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; -+ type usr_t, src_t; ++ type system_map_t; ') - getattr_dirs_pattern($1, var_t, var_lib_t) -+ list_dirs_pattern($1, usr_t, src_t) -+ exec_files_pattern($1, src_t, src_t) -+ read_lnk_files_pattern($1, src_t, src_t) ++ dontaudit $1 system_map_t:file getattr; ') ######################################## ## -## Search the /var/lib directory. -+## Install a system.map into the /boot directory. ++## Read system.map in the /boot directory. ## -## -##
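Review bot: The interface name `files_dontaduit_getattr_kernel_symbol_table` placed in this hunk is misspelled (`dontaduit`). A policy audit that enumerates audit suppressions by the `files_dontaudit_` prefix will therefore miss the `dontaudit $1 system_map_t:file getattr;` rule behind it. This revision only repositions the block (the same lines are removed again in a later hunk), but it is a convenient point to add a correctly spelled `files_dontaudit_getattr_kernel_symbol_table` with the same body. The misspelled name can then become a thin wrapper that calls the new one, so existing callers keep building.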

@@ -14879,92 +14958,93 @@ index f962f76..e06a46c 100644 -## # -interface(`files_search_var_lib',` -+interface(`files_create_kernel_symbol_table',` ++interface(`files_read_kernel_symbol_table',` gen_require(` - type var_t, var_lib_t; + type boot_t, system_map_t; ') - search_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -+ allow $1 system_map_t:file { create_file_perms rw_file_perms }; ++ allow $1 boot_t:dir list_dir_perms; ++ read_files_pattern($1, boot_t, system_map_t) ') ######################################## ##

-## Do not audit attempts to search the -## contents of /var/lib. -+## Dontaudit getattr attempts on the system.map file ++## Delete a system.map in the /boot directory. ## ## ## - ## Domain to not audit. +-## Domain to not audit. ++## Domain allowed access. ## ## -## # -interface(`files_dontaudit_search_var_lib',` -+interface(`files_dontaduit_getattr_kernel_symbol_table',` ++interface(`files_delete_kernel_symbol_table',` gen_require(` - type var_lib_t; -+ type system_map_t; ++ type boot_t, system_map_t; ') - dontaudit $1 var_lib_t:dir search_dir_perms; -+ dontaudit $1 system_map_t:file getattr; ++ allow $1 boot_t:dir list_dir_perms; ++ delete_files_pattern($1, boot_t, system_map_t) ') ######################################## ## -## List the contents of the /var/lib directory. -+## Read system.map in the /boot directory. ++## Search the contents of /var. ## ## ## -@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,88 +6493,72 @@ interface(`files_dontaudit_search_var_lib',` ## ## # -interface(`files_list_var_lib',` -+interface(`files_read_kernel_symbol_table',` ++interface(`files_search_var',` gen_require(` - type var_t, var_lib_t; -+ type boot_t, system_map_t; ++ type var_t; ') - list_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ read_files_pattern($1, boot_t, system_map_t) ++ allow $1 var_t:dir search_dir_perms; ') -########################################### +######################################## ## -## Read-write /var/lib directories -+## Delete a system.map in the /boot directory. ++## Do not audit attempts to write to /var. ## ## ## -@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',` +-## Domain allowed access. ++## Domain to not audit. 
## ## # -interface(`files_rw_var_lib_dirs',` -+interface(`files_delete_kernel_symbol_table',` ++interface(`files_dontaudit_write_var_dirs',` gen_require(` - type var_lib_t; -+ type boot_t, system_map_t; ++ type var_t; ') - rw_dirs_pattern($1, var_lib_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ delete_files_pattern($1, boot_t, system_map_t) ++ dontaudit $1 var_t:dir write; ') ######################################## ## -## Create objects in the /var/lib directory -+## Search the contents of /var. ++## Allow attempts to write to /var.dirs ## ## ## @@ -14988,20 +15068,22 @@ index f962f76..e06a46c 100644 -## # -interface(`files_var_lib_filetrans',` -+interface(`files_search_var',` ++interface(`files_write_var_dirs',` gen_require(` - type var_t, var_lib_t; + type var_t; ') - allow $1 var_t:dir search_dir_perms; +- allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_lib_t, $2, $3, $4) ++ allow $1 var_t:dir write; ') ######################################## ## -## Read generic files in /var/lib. -+## Do not audit attempts to write to /var. ++## Do not audit attempts to search ++## the contents of /var. ## ## ## @@ -15011,7 +15093,7 @@ index f962f76..e06a46c 100644 ## # -interface(`files_read_var_lib_files',` -+interface(`files_dontaudit_write_var_dirs',` ++interface(`files_dontaudit_search_var',` gen_require(` - type var_t, var_lib_t; + type var_t; 
@@ -15019,29 +15101,29 @@ index f962f76..e06a46c 100644 - allow $1 var_lib_t:dir list_dir_perms; - read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ dontaudit $1 var_t:dir write; ++ dontaudit $1 var_t:dir search_dir_perms; ') ######################################## ## -## Read generic symbolic links in /var/lib -+## Allow attempts to write to /var.dirs ++## List the contents of /var. ## ## ## -@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6566,36 @@ interface(`files_read_var_lib_files',` ## ## # -interface(`files_read_var_lib_symlinks',` -+interface(`files_write_var_dirs',` ++interface(`files_list_var',` gen_require(` - type var_t, var_lib_t; + type var_t; ') - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ allow $1 var_t:dir write; ++ allow $1 var_t:dir list_dir_perms; ') -# cjp: the next two interfaces really need to be fixed @@ -15051,8 +15133,7 @@ index f962f76..e06a46c 100644 ## -## Create, read, write, and delete the -## pseudorandom number generator seed. -+## Do not audit attempts to search -+## the contents of /var. ++## Do not audit listing of the var directory (/var). ## ## ## @@ -15062,7 +15143,7 @@ index f962f76..e06a46c 100644 ## # -interface(`files_manage_urandom_seed',` -+interface(`files_dontaudit_search_var',` ++interface(`files_dontaudit_list_var',` gen_require(` - type var_t, var_lib_t; + type var_t; 
@@ -15070,23 +15151,24 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) -+ dontaudit $1 var_t:dir search_dir_perms; ++ dontaudit $1 var_t:dir list_dir_perms; ') ######################################## ## -## Allow domain to manage mount tables -## necessary for rpcd, nfsd, etc. -+## List the contents of /var. ++## Create, read, write, and delete directories ++## in the /var directory. ## ## ## -@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',` +@@ -5630,18 +6603,17 @@ interface(`files_manage_urandom_seed',` ## ## # -interface(`files_manage_mounttab',` -+interface(`files_list_var',` ++interface(`files_manage_var_dirs',` gen_require(` - type var_t, var_lib_t; + type var_t; 
@@ -15094,46 +15176,44 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - manage_files_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir list_dir_perms; ++ allow $1 var_t:dir manage_dir_perms; ') ######################################## ## -## Set the attributes of the generic lock directories. -+## Do not audit listing of the var directory (/var). ++## Read files in the /var directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -5649,17 +6621,17 @@ interface(`files_manage_mounttab',` ## ## # -interface(`files_setattr_lock_dirs',` -+interface(`files_dontaudit_list_var',` ++interface(`files_read_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; ') - setattr_dirs_pattern($1, var_t, var_lock_t) -+ dontaudit $1 var_t:dir list_dir_perms; ++ read_files_pattern($1, var_t, var_t) ') ######################################## ## -## Search the locks directory (/var/lock). -+## Create, read, write, and delete directories -+## in the /var directory. ++## Append files in the /var directory. ## ## ## -@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,58 +6639,54 @@ interface(`files_setattr_lock_dirs',` ## ## # -interface(`files_search_locks',` -+interface(`files_manage_var_dirs',` ++interface(`files_append_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15141,14 +15221,14 @@ index f962f76..e06a46c 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_t:dir manage_dir_perms; ++ append_files_pattern($1, var_t, var_t) ') ######################################## ## -## Do not audit attempts to search the -## locks directory (/var/lock). -+## Read files in the /var directory. ++## Read and write files in the /var directory. ## ## ## 
@@ -15158,7 +15238,7 @@ index f962f76..e06a46c 100644 ## # -interface(`files_dontaudit_search_locks',` -+interface(`files_read_var_files',` ++interface(`files_rw_var_files',` gen_require(` - type var_lock_t; + type var_t; @@ -15166,22 +15246,24 @@ index f962f76..e06a46c 100644 - dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; - dontaudit $1 var_lock_t:dir search_dir_perms; -+ read_files_pattern($1, var_t, var_t) ++ rw_files_pattern($1, var_t, var_t) ') ######################################## ## -## List generic lock directories. -+## Append files in the /var directory. ++## Do not audit attempts to read and write ++## files in the /var directory. ## ## ## -@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_list_locks',` -+interface(`files_append_var_files',` ++interface(`files_dontaudit_rw_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15189,23 +15271,23 @@ index f962f76..e06a46c 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_lock_t) -+ append_files_pattern($1, var_t, var_t) ++ dontaudit $1 var_t:file rw_inherited_file_perms; ') ######################################## ## -## Add and remove entries in the /var/lock -## directories. -+## Read and write files in the /var directory. ++## Create, read, write, and delete files in the /var directory. ## ## ## -@@ -5726,60 +6638,54 @@ interface(`files_list_locks',` +@@ -5726,81 +6694,88 @@ interface(`files_list_locks',` ## ## # -interface(`files_rw_lock_dirs',` -+interface(`files_rw_var_files',` ++interface(`files_manage_var_files',` gen_require(` - type var_t, var_lock_t; + type var_t; 
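Review bot: The summary for `files_dontaudit_rw_var_files` still reads "Do not audit attempts to read and write files in the /var directory", but the rule placed in the third hunk on this line is `dontaudit $1 var_t:file rw_inherited_file_perms;`, where the base version shown earlier on the page used `rw_file_perms`. If `rw_inherited_file_perms` leaves out `open`, as its name suggests, only access through already-open descriptors is silenced and a denied `open` on a `var_t` file is still logged. That is the better outcome for detection, but the comment should say so, for example `## Do not audit attempts to read and write inherited files in the /var directory.` The interface header and its gen_require sit in the preceding hunk, so only the rule line and the closing quote are visible here.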
@@ -15213,25 +15295,24 @@ index f962f76..e06a46c 100644 - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - rw_dirs_pattern($1, var_t, var_lock_t) -+ rw_files_pattern($1, var_t, var_t) ++ manage_files_pattern($1, var_t, var_t) ') ######################################## ## -## Create lock directories -+## Do not audit attempts to read and write -+## files in the /var directory. ++## Read symbolic links in the /var directory. ## ## -## -## Domain allowed access +## -+## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`files_create_lock_dirs',` -+interface(`files_dontaudit_rw_var_files',` ++interface(`files_read_var_symlinks',` gen_require(` - type var_t, var_lock_t; + type var_t; @@ -15240,13 +15321,14 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_lock_t, var_lock_t) -+ dontaudit $1 var_t:file rw_inherited_file_perms; ++ read_lnk_files_pattern($1, var_t, var_t) ') ######################################## ## -## Relabel to and from all lock directory types. -+## Create, read, write, and delete files in the /var directory. ++## Create, read, write, and delete symbolic ++## links in the /var directory. ## ## ## @@ -15256,7 +15338,7 @@ index f962f76..e06a46c 100644 -## # -interface(`files_relabel_all_lock_dirs',` -+interface(`files_manage_var_files',` ++interface(`files_manage_var_symlinks',` gen_require(` - attribute lockfile; - type var_t, var_lock_t; 
@@ -15266,63 +15348,12 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - relabel_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Get the attributes of generic lock files. -+## Read symbolic links in the /var directory. - ## - ## - ## -@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',` - ## - ## - # --interface(`files_getattr_generic_locks',` -+interface(`files_read_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 var_lock_t:dir list_dir_perms; -- getattr_files_pattern($1, var_lock_t, var_lock_t) -+ read_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Delete generic lock files. -+## Create, read, write, and delete symbolic -+## links in the /var directory. - ## - ## - ## -@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',` - ## - ## - # --interface(`files_delete_generic_locks',` -+interface(`files_manage_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) + manage_lnk_files_pattern($1, var_t, var_t) ') ######################################## ## --## Create, read, write, and delete generic --## lock files. +-## Get the attributes of generic lock files. +## Create objects in the /var directory ## ## @@ -15346,7 +15377,7 @@ index f962f76..e06a46c 100644 +## +## # --interface(`files_manage_generic_locks',` +-interface(`files_getattr_generic_locks',` +interface(`files_var_filetrans',` gen_require(` - type var_t, var_lock_t; 
@@ -15355,68 +15386,65 @@ index f962f76..e06a46c 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -- manage_files_pattern($1, var_lock_t, var_lock_t) +- allow $1 var_lock_t:dir list_dir_perms; +- getattr_files_pattern($1, var_lock_t, var_lock_t) + filetrans_pattern($1, var_t, $2, $3, $4) ') + ######################################## ## --## Delete all lock files. +-## Delete generic lock files. +## Relabel dirs in the /var directory. ## ## ## - ## Domain allowed access. +@@ -5808,20 +6783,16 @@ interface(`files_getattr_generic_locks',` ## ## --## # --interface(`files_delete_all_locks',` +-interface(`files_delete_generic_locks',` +interface(`files_relabel_var_dirs',` gen_require(` -- attribute lockfile; - type var_t, var_lock_t; + type var_t; ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, lockfile, lockfile) +- delete_files_pattern($1, var_lock_t, var_lock_t) + allow $1 var_t:dir relabel_dir_perms; ') ######################################## ## --## Read all lock files. +-## Create, read, write, and delete generic +-## lock files. +## Get the attributes of the /var/lib directory. 
## ## ## -@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',` +@@ -5829,65 +6800,69 @@ interface(`files_delete_generic_locks',` ## ## # --interface(`files_read_all_locks',` +-interface(`files_manage_generic_locks',` +interface(`files_getattr_var_lib_dirs',` gen_require(` -- attribute lockfile; - type var_t, var_lock_t; + type var_t, var_lib_t; ') +- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) +- manage_dirs_pattern($1, var_lock_t, var_lock_t) +- manage_files_pattern($1, var_lock_t, var_lock_t) + getattr_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## --## manage all lock files. +-## Delete all lock files. +## Search the /var/lib directory. ## +## @@ -15437,9 +15465,10 @@ index f962f76..e06a46c 100644 ## Domain allowed access. ## ## +-## +## # --interface(`files_manage_all_locks',` +-interface(`files_delete_all_locks',` +interface(`files_search_var_lib',` gen_require(` - attribute lockfile; 
@@ -15447,140 +15476,143 @@ index f962f76..e06a46c 100644 + type var_t, var_lib_t; ') +- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -- manage_lnk_files_pattern($1, lockfile, lockfile) +- delete_files_pattern($1, lockfile, lockfile) + search_dirs_pattern($1, var_t, var_lib_t) ') ######################################## ## --## Create an object in the locks directory, with a private --## type using a type transition. +-## Read all lock files. +## Do not audit attempts to search the +## contents of /var/lib. ## ## ## -## Domain allowed access. --## --## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. +## Domain to not audit. ## ## +## # --interface(`files_lock_filetrans',` +-interface(`files_read_all_locks',` +interface(`files_dontaudit_search_var_lib',` gen_require(` +- attribute lockfile; - type var_t, var_lock_t; + type var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_lock_t, $2, $3, $4) +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- allow $1 lockfile:dir list_dir_perms; +- read_files_pattern($1, lockfile, lockfile) +- read_lnk_files_pattern($1, lockfile, lockfile) + dontaudit $1 var_lib_t:dir search_dir_perms; ') ######################################## ## --## Do not audit attempts to get the attributes --## of the /var/run directory. +-## manage all lock files. +## List the contents of the /var/lib directory. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -5895,78 +6870,1372 @@ interface(`files_read_all_locks',` ## ## # --interface(`files_dontaudit_getattr_pid_dirs',` +-interface(`files_manage_all_locks',` +interface(`files_list_var_lib',` gen_require(` -- type var_run_t; +- attribute lockfile; +- type var_t, var_lock_t; + type var_t, var_lib_t; ') -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir getattr; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- manage_dirs_pattern($1, lockfile, lockfile) +- manage_files_pattern($1, lockfile, lockfile) +- manage_lnk_files_pattern($1, lockfile, lockfile) + list_dirs_pattern($1, var_t, var_lib_t) ') -######################################## +########################################### ## --## Set the attributes of the /var/run directory. +-## Create an object in the locks directory, with a private +-## type using a type transition. +## Read-write /var/lib directories ## ## ## -@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` + ## Domain allowed access. ## ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## # --interface(`files_setattr_pid_dirs',` +-interface(`files_lock_filetrans',` +interface(`files_rw_var_lib_dirs',` gen_require(` -- type var_run_t; +- type var_t, var_lock_t; + type var_lib_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir setattr; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_lock_t, $2, $3, $4) + rw_dirs_pattern($1, var_lib_t, var_lib_t) ') ######################################## ## --## Search the contents of runtime process --## ID directories (/var/run). +-## Do not audit attempts to get the attributes +-## of the /var/run directory. 
+## Create directories in /var/lib ## ## ## -@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_search_pids',` +-interface(`files_dontaudit_getattr_pid_dirs',` +interface(`files_create_var_lib_dirs',` gen_require(` -- type var_t, var_run_t; +- type var_run_t; + type var_lib_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir getattr; + allow $1 var_lib_t:dir { create rw_dir_perms }; ') + ######################################## ## --## Do not audit attempts to search --## the /var/run directory. +-## Set the attributes of the /var/run directory. +## Create objects in the /var/lib directory - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. +## +## @@ -15597,37 +15629,30 @@ index f962f76..e06a46c 100644 +## +## +## The name of the object being created. - ## - ## - # --interface(`files_dontaudit_search_pids',` ++## ++## ++# +interface(`files_var_lib_filetrans',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). ++') ++ ++######################################## ++## +## Read generic files in /var/lib. - ## - ## - ## -@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_read_var_lib_files',` - gen_require(` ++ gen_require(` + type var_t, var_lib_t; + ') + 
@@ -16748,11 +16773,9 @@ index f962f76..e06a46c 100644 +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) @@ -16905,34 +16928,39 @@ index f962f76..e06a46c 100644 +## +## List the contents of generic spool +## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -5974,19 +8243,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` + ## + ## + # +-interface(`files_setattr_pid_dirs',` +interface(`files_list_spool',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir setattr; + list_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## --## Read generic process ID files. +-## Search the contents of runtime process +-## ID directories (/var/run). +## Create, read, write, and delete generic +## spool directories (/var/spool). ## ## ## -@@ -6053,19 +8243,18 @@ interface(`files_list_pids',` +@@ -5994,39 +8262,38 @@ interface(`files_setattr_pid_dirs',` ## ## # --interface(`files_read_generic_pids',` +-interface(`files_search_pids',` +interface(`files_manage_generic_spool_dirs',` gen_require(` - type var_t, var_run_t; 
@@ -16940,67 +16968,74 @@ index f962f76..e06a46c 100644 ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) +- search_dirs_pattern($1, var_t, var_run_t) + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## --## Write named generic process ID pipes +-## Do not audit attempts to search +-## the /var/run directory. +## Read generic spool files. ## ## ## -@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`files_write_generic_pid_pipes',` +-interface(`files_dontaudit_search_pids',` +interface(`files_read_generic_spool',` gen_require(` - type var_run_t; + type var_t, var_spool_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; + list_dirs_pattern($1, var_t, var_spool_t) + read_files_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## --## Create an object in the process ID directory, with a private type. +-## List the contents of the runtime process +-## ID directories (/var/run). +## Create, read, write, and delete generic +## spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6034,38 +8301,55 @@ interface(`files_dontaudit_search_pids',` + ## + ## + # +-interface(`files_list_pids',` +interface(`files_manage_generic_spool',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic process ID files. +## Create objects in the spool directory +## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## Type to which the created node will be transitioned. 
@@ -17017,33 +17052,43 @@ index f962f76..e06a46c 100644 +## The name of the object being created. +## +## -+# + # +-interface(`files_read_generic_pids',` +interface(`files_spool_filetrans',` -+ gen_require(` + gen_require(` +- type var_t, var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write named generic process ID pipes +## Allow access to manage all polyinstantiated +## directories on the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6073,43 +8357,75 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` +interface(`files_polyinstantiate_all',` -+ gen_require(` + gen_require(` +- type var_run_t; + attribute polydir, polymember, polyparent; + type poly_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + # Need to give access to /selinux/member + selinux_compute_member($1) + @@ -17080,10 +17125,11 @@ index f962f76..e06a46c 100644 + corecmd_exec_bin($1) + seutil_domtrans_setfiles($1) + ') -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Unconfined access to files. +## +## @@ -17132,7 +17178,7 @@ index f962f76..e06a46c 100644 ##

## ## -@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8433,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -17319,7 +17365,7 @@ index f962f76..e06a46c 100644 ##
## ## -@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8591,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17343,7 +17389,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8609,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17366,7 +17412,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8627,119 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17536,7 +17582,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8747,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17561,7 +17607,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6386,132 +8748,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8767,227 @@ interface(`files_search_spool',` ## ## # @@ -17835,7 +17881,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8995,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17893,7 +17939,7 @@ index f962f76..e06a46c 100644 ## ## ## -@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +9013,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -18154,7 +18200,7 @@ index d7c11a0..f521a50 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..b38387e 100644 +index 8416beb..f1ebb1b 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18653,7 +18699,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2122,835 @@ interface(`fs_search_fusefs',` ## ## # 
@@ -18759,7 +18805,6 @@ index 8416beb..b38387e 100644 -# -interface(`fs_exec_fusefs_files',` - gen_require(` -- type fusefs_t; +## +##

+## Execute a file on a FUSE filesystem @@ -18793,110 +18838,88 @@ index 8416beb..b38387e 100644 +interface(`fs_ecryptfs_domtrans',` + gen_require(` + type ecryptfs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $1 ecryptfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, ecryptfs_t, $2) - ') - - ######################################## - ##

--## Create, read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Mount a FUSE filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_manage_fusefs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mount_fusefs',` - gen_require(` - type fusefs_t; - ') - -- manage_files_pattern($1, fusefs_t, fusefs_t) ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:filesystem mount; - ') - - ######################################## - ## --## Do not audit attempts to create, --## read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Unmount a FUSE filesystem. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_manage_fusefs_files',` ++## ++## ++# +interface(`fs_unmount_fusefs',` - gen_require(` - type fusefs_t; - ') - -- dontaudit $1 fusefs_t:file manage_file_perms; ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:filesystem unmount; - ') - - ######################################## - ## --## Read symbolic links on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Mounton a FUSEFS filesystem. - ## - ## - ## -@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` - ## - ## - # --interface(`fs_read_fusefs_symlinks',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mounton_fusefs',` - gen_require(` - type fusefs_t; - ') - -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:dir mounton; - ') - - ######################################## - ## --## Get the attributes of an hugetlbfs --## filesystem. ++') ++ ++######################################## ++## +## Search directories +## on a FUSEFS filesystem. 
- ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_getattr_hugetlbfs',` ++# +interface(`fs_search_fusefs',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 hugetlbfs_t:filesystem getattr; ++ ') ++ + allow $1 fusefs_t:dir search_dir_perms; - ') - - ######################################## - ## --## List hugetlbfs. ++') ++ ++######################################## ++## +## Do not audit attempts to list the contents +## of directories on a FUSEFS filesystem. +## @@ -18918,28 +18941,24 @@ index 8416beb..b38387e 100644 +## +## Create, read, write, and delete directories +## on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_list_hugetlbfs',` ++# +interface(`fs_manage_fusefs_dirs',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 hugetlbfs_t:dir list_dir_perms; ++ ') ++ + allow $1 fusefs_t:dir manage_dir_perms; - ') - - ######################################## - ## --## Manage hugetlbfs dirs. ++') ++ ++######################################## ++## +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. 
@@ -18961,157 +18980,129 @@ index 8416beb..b38387e 100644 +######################################## +## +## Read, a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_manage_hugetlbfs_dirs',` ++# +interface(`fs_read_fusefs_files',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ ') ++ + read_files_pattern($1, fusefs_t, fusefs_t) - ') - - ######################################## - ## --## Read and write hugetlbfs files. ++') ++ ++######################################## ++## +## Execute files on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_rw_hugetlbfs_files',` ++# +interface(`fs_exec_fusefs_files',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ ') ++ + exec_files_pattern($1, fusefs_t, fusefs_t) - ') - - ######################################## - ## --## Allow the type to associate to hugetlbfs filesystems. ++') ++ ++######################################## ++## +## Make general progams in FUSEFS an entrypoint for +## the specified domain. - ## --## ++## +## - ## --## The type of the object to be associated. ++## +## The domain for which fusefs_t is an entrypoint. - ## - ## - # --interface(`fs_associate_hugetlbfs',` ++## ++## ++# +interface(`fs_fusefs_entry_type',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 hugetlbfs_t:filesystem associate; ++ ') ++ + domain_entry_file($1, fusefs_t) - ') - - ######################################## - ## --## Search inotifyfs filesystem. ++') ++ ++######################################## ++## +## Make general progams in FUSEFS an entrypoint for +## the specified domain. - ## - ## - ## --## Domain allowed access. 
++## ++## ++## +## The domain for which fusefs_t is an entrypoint. - ## - ## - # --interface(`fs_search_inotifyfs',` ++## ++## ++# +interface(`fs_fusefs_entrypoint',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 inotifyfs_t:dir search_dir_perms; ++ ') ++ + allow $1 fusefs_t:file entrypoint; - ') - - ######################################## - ## --## List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Create, read, write, and delete files +## on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_list_inotifyfs',` ++# +interface(`fs_manage_fusefs_files',` - gen_require(` -- type inotifyfs_t; -+ type fusefs_t; ++ gen_require(` + type fusefs_t; ') -- allow $1 inotifyfs_t:dir list_dir_perms; +- exec_files_pattern($1, fusefs_t, fusefs_t) + manage_files_pattern($1, fusefs_t, fusefs_t) - ') - - ######################################## - ## --## Dontaudit List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. - ## - ## - ## -@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',` - ## - ## - # --interface(`fs_dontaudit_list_inotifyfs',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`fs_dontaudit_manage_fusefs_files',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type fusefs_t; - ') - -- dontaudit $1 inotifyfs_t:dir list_dir_perms; ++ ') ++ + dontaudit $1 fusefs_t:file manage_file_perms; - ') - - ######################################## - ## --## Create an object in a hugetlbfs filesystem, with a private --## type using a type transition. ++') ++ ++######################################## ++## +## Read symbolic links on a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. 
++## ++## +# +interface(`fs_read_fusefs_symlinks',` + gen_require(` @@ -19127,12 +19118,10 @@ index 8416beb..b38387e 100644 +## Manage symbolic links on a FUSEFS filesystem. +## +## - ## --## The type of the object to be created. ++## +## Domain allowed access. - ## - ## --## ++## ++## +# +interface(`fs_manage_fusefs_symlinks',` + gen_require(` @@ -19167,94 +19156,73 @@ index 8416beb..b38387e 100644 +##
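Review bot: The summary for `fs_read_fusefs_files` reads "Read, a FUSEFS filesystem.", which does not say what is granted; the body is `read_files_pattern($1, fusefs_t, fusefs_t)`, so `## Read files on a FUSEFS filesystem.` would match it. In the same hunk `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` carry an identical summary (including the typo "progams"), although the first calls `domain_entry_file($1, fusefs_t)` and the second adds `allow $1 fusefs_t:file entrypoint;`. Each summary should state which of the two it does. Both let a domain be entered from files labelled `fusefs_t`, so a policy author needs accurate wording to judge whether that grant is acceptable for a given domain.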

+##
+## - ## --## The object class of the object being created. ++## +## Domain allowed to transition. - ## - ## --## ++## ++## +## - ## --## The name of the object being created. ++## +## The type of the new process. - ## - ## - # --interface(`fs_hugetlbfs_filetrans',` ++## ++## ++# +interface(`fs_fusefs_domtrans',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $2 hugetlbfs_t:filesystem associate; -- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++ ') ++ + allow $1 fusefs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, fusefs_t, $2) - ') - - ######################################## - ## --## Mount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## Get the attributes of a FUSEFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_mount_iso9660_fs',` ++# +interface(`fs_getattr_fusefs',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type fusefs_t; - ') - -- allow $1 iso9660_t:filesystem mount; ++ ') ++ + allow $1 fusefs_t:filesystem getattr; - ') - - ######################################## - ## --## Remount an iso9660 filesystem, which --## is usually used on CDs. This allows --## some mount options to be changed. ++') ++ ++######################################## ++## +## Get the attributes of an hugetlbfs +## filesystem. - ## - ## - ## -@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',` - ## - ## - # --interface(`fs_remount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_hugetlbfs',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type hugetlbfs_t; - ') - -- allow $1 iso9660_t:filesystem remount; ++ ') ++ + allow $1 hugetlbfs_t:filesystem getattr; - ') - - ######################################## - ## --## Unmount an iso9660 filesystem, which --## is usually used on CDs. 
++') ++ ++######################################## ++## +## List hugetlbfs. - ## - ## - ## -@@ -2253,38 +2606,725 @@ interface(`fs_remount_iso9660_fs',` - ## - ## - # --interface(`fs_unmount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_list_hugetlbfs',` + gen_require(` + type hugetlbfs_t; @@ -19539,18 +19507,21 @@ index 8416beb..b38387e 100644 + ') + + dontaudit $1 inotifyfs_t:dir list_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete files +-## on a FUSEFS filesystem. +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +## +## +## The type of the object to be created. 
@@ -19566,217 +19537,271 @@ index 8416beb..b38387e 100644 +## The name of the object being created. +## +## -+# + # +-interface(`fs_manage_fusefs_files',` +interface(`fs_hugetlbfs_filetrans',` -+ gen_require(` + gen_require(` +- type fusefs_t; + type hugetlbfs_t; -+ ') -+ + ') + +- manage_files_pattern($1, fusefs_t, fusefs_t) + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to create, +-## read, write, and delete files +-## on a FUSEFS filesystem. +## Mount an iso9660 filesystem, which +## is usually used on CDs. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_files',` +interface(`fs_mount_iso9660_fs',` -+ gen_require(` + gen_require(` +- type fusefs_t; + type iso9660_t; -+ ') -+ + ') + +- dontaudit $1 fusefs_t:file manage_file_perms; + allow $1 iso9660_t:filesystem mount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. +## Remount an iso9660 filesystem, which +## is usually used on CDs. This allows +## some mount options to be changed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2014,19 +2958,18 @@ interface(`fs_dontaudit_manage_fusefs_files',` + ## + ## + # +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_remount_iso9660_fs',` -+ gen_require(` + gen_require(` +- type fusefs_t; + type iso9660_t; -+ ') -+ + ') + +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem remount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of an hugetlbfs +-## filesystem. 
+## Unmount an iso9660 filesystem, which +## is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2034,35 +2977,38 @@ interface(`fs_read_fusefs_symlinks',` + ## + ## + # +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_unmount_iso9660_fs',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type iso9660_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 iso9660_t:filesystem unmount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List hugetlbfs. +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_list_hugetlbfs',` +interface(`fs_getattr_iso9660_fs',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type iso9660_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 iso9660_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Manage hugetlbfs dirs. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2070,17 +3016,19 @@ interface(`fs_list_hugetlbfs',` + ## + ## + # +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_getattr_iso9660_files',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type iso9660_t; -+ ') -+ + ') + +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write hugetlbfs files. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -2088,35 +3036,38 @@ interface(`fs_manage_hugetlbfs_dirs',` + ## + ## + # +-interface(`fs_rw_hugetlbfs_files',` +interface(`fs_read_iso9660_files',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type iso9660_t; -+ ') -+ + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) -+') -+ + ') + + -+######################################## -+## + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. +## Mount kdbus filesystems. -+## + ## +-## +## -+## + ## +-## The type of the object to be associated. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_associate_hugetlbfs',` +interface(`fs_mount_kdbus', ` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type kdbusfs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem associate; + allow $1 kdbusfs_t:filesystem mount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search inotifyfs filesystem. +## Remount kdbus filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2124,17 +3075,17 @@ interface(`fs_associate_hugetlbfs',` + ## + ## + # +-interface(`fs_search_inotifyfs',` +interface(`fs_remount_kdbus', ` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type kdbusfs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 kdbusfs_t:filesystem remount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List inotifyfs filesystem. +## Unmount kdbus filesystems. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -2142,71 +3093,134 @@ interface(`fs_search_inotifyfs',` + ## + ## + # +-interface(`fs_list_inotifyfs',` +interface(`fs_unmount_kdbus', ` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type kdbusfs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; + allow $1 kdbusfs_t:filesystem unmount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. +## Get attributes of kdbus filesystems. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_list_inotifyfs',` +interface(`fs_getattr_kdbus',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type kdbusfs_t; -+ ') -+ + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; + allow $1 kdbusfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. +## Search kdbusfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`fs_search_kdbus_dirs',` + gen_require(` @@ -19794,10 +19819,12 @@ index 8416beb..b38387e 100644 +## Relabel kdbusfs directories. +## +## -+## + ## +-## The type of the object to be created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`fs_relabel_kdbus_dirs',` + gen_require(` @@ -19813,10 +19840,12 @@ index 8416beb..b38387e 100644 +## List kdbusfs directories. +## +## -+## + ## +-## The object class of the object being created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`fs_list_kdbus_dirs',` + gen_require(` 
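Review bot: The summary on `fs_getattr_iso9660_files` is a copy of the one on `fs_read_iso9660_files` ("Read files on an iso9660 filesystem, which is usually used on CDs."), yet its body only grants `iso9660_t:dir list_dir_perms` and `iso9660_t:file getattr`. A policy author who picks interfaces by their summary would expect read access that this interface does not give. I would change the first summary line to `## Get the attributes of files on an iso9660 filesystem, which` and keep the second line as it is. The refresh carries the text over unchanged, so this only needs a comment fix in the patched `filesystem.if`.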
@@ -19852,103 +19881,101 @@ index 8416beb..b38387e 100644 +## Delete kdbusfs directories. +## +## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_hugetlbfs_filetrans',` +interface(`fs_delete_kdbus_dirs', ` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type kdbusfs_t; -+ ') -+ + ') + +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. +## Manage kdbusfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2214,19 +3228,19 @@ interface(`fs_hugetlbfs_filetrans',` + ## + ## + # +-interface(`fs_mount_iso9660_fs',` +interface(`fs_manage_kdbus_dirs',` -+ gen_require(` + gen_require(` +- type iso9660_t; +- ') + type kdbusfs_t; -+ + +- allow $1 iso9660_t:filesystem mount; + ') + manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Remount an iso9660 filesystem, which +-## is usually used on CDs. This allows +-## some mount options to be changed. +## Read kdbusfs files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -2234,18 +3248,21 @@ interface(`fs_mount_iso9660_fs',` + ## + ## + # +-interface(`fs_remount_iso9660_fs',` +interface(`fs_read_kdbus_files',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type cgroup_t; + -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem remount; + read_files_pattern($1, kdbusfs_t, kdbusfs_t) + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unmount an iso9660 filesystem, which +-## is usually used on CDs. +## Write kdbusfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2253,38 +3270,61 @@ interface(`fs_remount_iso9660_fs',` + ## + ## + # +-interface(`fs_unmount_iso9660_fs',` +interface(`fs_write_kdbus_files', ` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+######################################## -+## -+## Read and write kdbusfs files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; -+ ') - allow $1 iso9660_t:filesystem unmount; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') 
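Review bot: `fs_read_kdbus_files` requires `type cgroup_t;` in its `gen_require` block, yet both patterns in its body reference `kdbusfs_t`, which is never required. The line is context in this hunk, so the commit leaves it as it was, but the sibling interfaces here (`fs_write_kdbus_files`, `fs_manage_kdbus_dirs`) all require `type kdbusfs_t;`. Replacing the line with `type kdbusfs_t;` would keep the interface self-contained; as written, a calling module presumably has to bring `kdbusfs_t` into scope some other way.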
@@ -19957,33 +19984,54 @@ index 8416beb..b38387e 100644 ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. ++## Read and write kdbusfs files. ## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_dontaudit_rw_kdbus_files',` ++interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem getattr; -+ dontaudit $1 kdbusfs_t:file rw_file_perms; ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_rw_kdbus_files',` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ++') ++ ++######################################## ++## +## Manage kdbusfs files. ## ## @@ -20326,7 +20374,7 @@ index 8416beb..b38387e 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3255,17 +4470,126 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +4470,182 @@ interface(`fs_list_nfsd_fs',` ## ## # 
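Review bot: The summary carried along with `fs_dontaudit_rw_kdbus_files` still says "cgroup files", while the rule it documents is `dontaudit $1 kdbusfs_t:file rw_file_perms;`. Since the block is re-emitted in this hunk anyway, the last summary line should read `## kdbusfs files.`. A dontaudit interface whose description names the wrong type makes it harder to work out which denials are being suppressed when someone later reads the audit log against the policy.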
@@ -20441,13 +20489,69 @@ index 8416beb..b38387e 100644 +## +# +interface(`fs_rw_nsfs_files',` ++ gen_require(` ++ type nsfs_t; ++ ') ++ ++ rw_files_pattern($1, nsfs_t, nsfs_t) ++') ++ ++ ++######################################## ++## ++## Mount a nsfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mount_nsfs',` ++ gen_require(` ++ type nsfs_t; ++ ') ++ ++ allow $1 nsfs_t:filesystem mount; ++') ++ ++ ++######################################## ++## ++## Remount a tmpfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_remount_nsfs',` ++ gen_require(` ++ type nsfs_t; ++ ') ++ ++ allow $1 nsfs_t:filesystem remount; ++') ++ ++######################################## ++## ++## Unmount a tmpfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_nsfs',` gen_require(` - type nfsd_fs_t; + type nsfs_t; ') - getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) -+ rw_files_pattern($1, nsfs_t, nsfs_t) ++ allow $1 nsfs_t:filesystem unmount; ') ######################################## @@ -20457,7 +20561,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -3273,12 +4597,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4653,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -20472,7 +20576,7 @@ index 8416beb..b38387e 100644 ') ######################################## -@@ -3301,6 +4625,24 @@ interface(`fs_associate_ramfs',` +@@ -3301,6 +4681,24 @@ interface(`fs_associate_ramfs',` ######################################## ## @@ -20497,7 +20601,7 @@ index 8416beb..b38387e 100644 ## Mount a RAM filesystem. ## ## -@@ -3392,7 +4734,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4790,7 @@ interface(`fs_search_ramfs',` ######################################## ## 
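Review bot: The summaries of the two new interfaces `fs_remount_nsfs` and `fs_unmount_nsfs` say "Remount a tmpfs filesystem." and "Unmount a tmpfs filesystem.", but both rules are on `nsfs_t:filesystem`. The text looks copied from the tmpfs interfaces; it should read `## Remount a nsfs filesystem.` and `## Unmount a nsfs filesystem.` so the generated interface documentation matches what a caller is actually granted. `fs_mount_nsfs` in the same hunk already has the right wording.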
@@ -20506,7 +20610,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -3429,7 +4771,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4827,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20515,7 +20619,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -3447,7 +4789,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4845,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20524,7 +20628,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -3779,6 +5121,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5177,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20549,7 +20653,7 @@ index 8416beb..b38387e 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5175,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5231,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20574,7 +20678,7 @@ index 8416beb..b38387e 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5286,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5342,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20583,7 +20687,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -3916,17 +5294,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5350,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20604,7 +20708,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -3934,17 +5312,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5368,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20625,7 +20729,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -3952,17 +5330,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5386,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20665,7 +20769,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -3970,31 +5367,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5423,48 @@ interface(`fs_search_tmpfs',` ## ## # 
@@ -20721,7 +20825,7 @@ index 8416beb..b38387e 100644 ') ######################################## -@@ -4057,23 +5471,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5527,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20898,7 +21002,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -4081,18 +5642,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5698,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20921,7 +21025,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -4100,54 +5661,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5717,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -20988,7 +21092,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -4155,17 +5715,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5771,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -21010,7 +21114,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -4173,17 +5734,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5790,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -21032,7 +21136,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -4191,37 +5753,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5809,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -21078,7 +21182,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -4229,18 +5790,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5846,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -21100,7 +21204,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -4248,18 +5809,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5865,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -21124,7 +21228,7 @@ index 8416beb..b38387e 100644 ## ## ## -@@ -4267,32 +5829,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5885,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # 
@@ -21163,7 +21267,7 @@ index 8416beb..b38387e 100644 ') ######################################## -@@ -4407,6 +5968,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6024,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -21189,7 +21293,7 @@ index 8416beb..b38387e 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6083,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6139,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -21198,7 +21302,7 @@ index 8416beb..b38387e 100644 ') ######################################## -@@ -4549,7 +6131,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6187,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -21207,7 +21311,7 @@ index 8416beb..b38387e 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6178,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6234,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21234,7 +21338,7 @@ index 8416beb..b38387e 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6273,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6329,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21260,7 +21364,7 @@ index 8416beb..b38387e 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6533,175 @@ interface(`fs_unconfined',` +@@ -4912,3 +6589,175 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -22930,7 +23034,7 @@ index e100d88..1428581 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..5deb336 100644 +index 8dbab4c..c4d3183 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -23225,7 +23329,20 @@ index 8dbab4c..5deb336 100644 ######################################## # # Unlabeled process local policy -@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) { +@@ -388,8 +480,12 @@ optional_policy(` + if( ! secure_mode_insmod ) { + allow can_load_kernmodule self:capability sys_module; + ++ files_load_kernel_modules(can_load_kernmodule) ++ + # load_module() calls stop_machine() which + # calls sched_setscheduler() ++ # gt: there seems to be no trace of the above, at ++ # least in kernel versions greater than 2.6.37... + allow can_load_kernmodule self:capability sys_nice; + kernel_setsched(can_load_kernmodule) + } +@@ -399,14 +495,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -32019,7 +32136,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..b4908dd 100644 +index 8b40377..84a88ff 100644 
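Review bot: The added comment starting `# gt: there seems to be no trace of the above` questions whether load_module() still reaches sched_setscheduler(), but `allow can_load_kernmodule self:capability sys_nice;` and `kernel_setsched(can_load_kernmodule)` stay in place right below it in the kernel.te hunk. A doubt recorded only as a comment tends to outlive the rule it is about. Either drop the two rules once they are confirmed unnecessary, or rephrase the comment as a TODO that names what has to be verified, so the extra capability does not stay granted by default.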
--- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32378,7 +32495,7 @@ index 8b40377..b4908dd 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +420,104 @@ optional_policy(` +@@ -300,64 +420,105 @@ optional_policy(` # XDM Local policy # @@ -32387,6 +32504,7 @@ index 8b40377..b4908dd 100644 +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; +allow xdm_t self:capability2 { block_suspend }; +dontaudit xdm_t self:capability sys_admin; ++dontaudit xdm_t self:capability2 wake_alarm; +tunable_policy(`deny_ptrace',`',` + allow xdm_t self:process ptrace; +') @@ -32496,7 +32614,7 @@ index 8b40377..b4908dd 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +527,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -32529,7 +32647,7 @@ index 8b40377..b4908dd 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +559,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +560,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) 
@@ -32584,7 +32702,7 @@ index 8b40377..b4908dd 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +613,30 @@ files_list_mnt(xdm_t) +@@ -431,9 +614,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -32615,7 +32733,7 @@ index 8b40377..b4908dd 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +645,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +646,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -32666,7 +32784,7 @@ index 8b40377..b4908dd 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +693,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +694,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -32836,7 +32954,7 @@ index 8b40377..b4908dd 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +862,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +863,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -32868,7 +32986,7 @@ index 8b40377..b4908dd 100644 ') optional_policy(` -@@ -518,8 +897,36 @@ optional_policy(` +@@ -518,8 +898,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -32906,7 +33024,7 @@ index 8b40377..b4908dd 100644 ') ') -@@ -530,6 +937,20 @@ optional_policy(` +@@ -530,6 +938,20 @@ optional_policy(` ') optional_policy(` 
@@ -32927,7 +33045,7 @@ index 8b40377..b4908dd 100644 hostname_exec(xdm_t) ') -@@ -547,28 +968,78 @@ optional_policy(` +@@ -547,28 +969,78 @@ optional_policy(` ') optional_policy(` @@ -33015,7 +33133,7 @@ index 8b40377..b4908dd 100644 ') optional_policy(` -@@ -580,6 +1051,14 @@ optional_policy(` +@@ -580,6 +1052,14 @@ optional_policy(` ') optional_policy(` @@ -33030,7 +33148,7 @@ index 8b40377..b4908dd 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1073,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1074,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -33039,7 +33157,7 @@ index 8b40377..b4908dd 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1083,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1084,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -33052,7 +33170,7 @@ index 8b40377..b4908dd 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1100,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1101,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -33068,7 +33186,7 @@ index 8b40377..b4908dd 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1116,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1117,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -33079,7 +33197,7 @@ index 8b40377..b4908dd 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1131,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1132,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -33121,7 +33239,7 @@ index 8b40377..b4908dd 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1182,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1183,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -33153,7 +33271,7 @@ index 8b40377..b4908dd 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1215,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1216,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -33168,7 +33286,7 @@ index 8b40377..b4908dd 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1236,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1237,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -33192,7 +33310,7 @@ index 8b40377..b4908dd 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1255,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1256,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -33201,7 +33319,7 @@ index 8b40377..b4908dd 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1299,54 @@ optional_policy(` +@@ -785,17 +1300,54 @@ optional_policy(` ') optional_policy(` @@ -33258,7 +33376,7 @@ index 8b40377..b4908dd 100644 ') optional_policy(` -@@ -803,6 +1354,10 @@ optional_policy(` +@@ -803,6 +1355,10 @@ optional_policy(` ') optional_policy(` @@ -33269,7 +33387,7 @@ index 8b40377..b4908dd 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1373,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1374,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -33294,7 +33412,7 @@ index 8b40377..b4908dd 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1396,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1397,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -33329,7 +33447,7 @@ index 8b40377..b4908dd 100644 ') optional_policy(` -@@ -912,7 +1461,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1462,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -33338,7 +33456,7 @@ index 8b40377..b4908dd 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1515,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1516,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -33370,7 +33488,7 @@ index 8b40377..b4908dd 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1561,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1562,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -40199,7 +40317,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..fffae71 100644 +index 73bb3c0..7b05663 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ 
@@ -40270,7 +40388,7 @@ index 73bb3c0..fffae71 100644 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -@@ -125,10 +135,12 @@ ifdef(`distro_redhat',` +@@ -125,13 +135,16 @@ ifdef(`distro_redhat',` /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40283,7 +40401,11 @@ index 73bb3c0..fffae71 100644 /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -141,19 +153,23 @@ ifdef(`distro_redhat',` ++/usr/lib/libGLdispatch/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -141,19 +154,23 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
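Review bot: The added entry `/usr/lib/libGLdispatch/.*\.so(\.[^/]*)*` only matches shared objects inside a directory named `libGLdispatch`. If the library is installed as a file directly in the lib directory (not visible from this hunk), the pattern never matches and the file keeps its default label; `/usr/lib/libGLdispatch\.so(\.[^/]*)*` would follow the form of the neighbouring single-library entries such as `libatiadlxx`. Since `textrel_shlib_t` is the label used for libraries that need text relocations, the pattern is best kept as narrow as the real install path allows.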
@@ -40312,7 +40434,7 @@ index 73bb3c0..fffae71 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -182,11 +198,13 @@ ifdef(`distro_redhat',` +@@ -182,11 +199,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40326,7 +40448,7 @@ index 73bb3c0..fffae71 100644 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -241,13 +259,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -241,13 +260,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40342,7 +40464,7 @@ index 73bb3c0..fffae71 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +285,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +286,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -40373,7 +40495,7 @@ index 73bb3c0..fffae71 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +314,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +315,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -47137,7 +47259,7 @@ index 2cea692..e3cb4f2 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..b01eb22 100644 +index a392fc4..b7497fc 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -47380,7 +47502,7 @@ index a392fc4..b01eb22 100644 vmware_append_log(dhcpc_t) ') -@@ -264,29 +322,66 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,32 +322,72 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -47447,7 +47569,13 @@ index a392fc4..b01eb22 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +394,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) ++fs_read_nsfs_files(ifconfig_t) ++fs_mount_nsfs(ifconfig_t) ++fs_unmount_nsfs(ifconfig_t) + + selinux_dontaudit_getattr_fs(ifconfig_t) + +@@ -299,33 +397,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -47505,7 +47633,7 @@ index a392fc4..b01eb22 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +449,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +452,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` 
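Review bot: The three calls added to sysnetwork.te give `ifconfig_t` read access plus filesystem `mount` and `unmount` on nsfs, and nothing in the hunk says why a network-configuration domain needs to mount anything. Presumably this is for network-namespace handling by tools running in this domain; a comment such as `# network namespace management mounts and unmounts nsfs` above the calls would record that and let a later reviewer judge whether the grant is still needed. The commit also defines `fs_remount_nsfs` without granting it here, which is worth keeping that way unless a denial shows it is required.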
@@ -47518,7 +47646,7 @@ index a392fc4..b01eb22 100644 ') optional_policy(` -@@ -350,7 +467,16 @@ optional_policy(` +@@ -350,7 +470,16 @@ optional_policy(` ') optional_policy(` @@ -47536,7 +47664,7 @@ index a392fc4..b01eb22 100644 ') optional_policy(` -@@ -371,3 +497,17 @@ optional_policy(` +@@ -371,3 +500,17 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -51843,7 +51971,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..adc5f75 100644 +index 9dc60c6..dfb1d27 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -55439,7 +55567,7 @@ index 9dc60c6..adc5f75 100644 +# +interface(`userdom_execmod_user_home_files',` + gen_require(` -+ type user_home_type; ++ attribute user_home_type; + ') + + allow $1 user_home_type:file execmod; @@ -55835,7 +55963,7 @@ index 9dc60c6..adc5f75 100644 +# +interface(`userdom_dontaudit_read_inherited_admin_home_files',` + gen_require(` -+ attribute admin_home_t; ++ type admin_home_t; + ') + + dontaudit $1 admin_home_t:file read_inherited_file_perms; @@ -55853,7 +55981,7 @@ index 9dc60c6..adc5f75 100644 +# +interface(`userdom_dontaudit_append_inherited_admin_home_file',` + gen_require(` -+ attribute admin_home_t; ++ type admin_home_t; + ') + + dontaudit $1 admin_home_t:file append_inherited_file_perms; diff --git a/policy-f25-contrib.patch b/policy-f25-contrib.patch index 759d08c..e5d2322 100644 --- a/policy-f25-contrib.patch +++ b/policy-f25-contrib.patch @@ -2280,7 +2280,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..69a4c66 100644 +index 519051c..c3a718a 100644 --- a/amanda.te +++ b/amanda.te 
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2301,7 +2301,17 @@ index 519051c..69a4c66 100644 type amanda_log_t; logging_log_file(amanda_log_t) -@@ -60,7 +63,7 @@ optional_policy(` +@@ -33,6 +36,9 @@ files_type(amanda_gnutarlists_t) + type amanda_tmp_t; + files_tmp_file(amanda_tmp_t) + ++type amanda_tmpfs_t; ++files_tmpfs_file(amanda_tmpfs_t) ++ + type amanda_amandates_t; + files_type(amanda_amandates_t) + +@@ -60,7 +66,7 @@ optional_policy(` # allow amanda_t self:capability { chown dac_override setuid kill }; @@ -2310,7 +2320,7 @@ index 519051c..69a4c66 100644 allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen }; -@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms; +@@ -71,6 +77,7 @@ allow amanda_t amanda_config_t:file read_file_perms; manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) @@ -2318,7 +2328,7 @@ index 519051c..69a4c66 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; +@@ -81,6 +88,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) 
@@ -2326,7 +2336,18 @@ index 519051c..69a4c66 100644 manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) -@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -90,6 +98,10 @@ manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) + manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t) + files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir }) + ++manage_files_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t) ++manage_dirs_pattern(amanda_t, amanda_tmpfs_t, amanda_tmpfs_t) ++fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir }) ++ + can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t }) + + kernel_read_kernel_sysctls(amanda_t) +@@ -100,13 +112,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2343,7 +2364,7 @@ index 519051c..69a4c66 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +128,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -2351,7 +2372,7 @@ index 519051c..69a4c66 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -130,6 +138,7 @@ fs_list_all(amanda_t) +@@ -130,6 +145,7 @@ fs_list_all(amanda_t) storage_raw_read_fixed_disk(amanda_t) storage_read_tape(amanda_t) storage_write_tape(amanda_t) @@ -2359,7 +2380,7 @@ index 519051c..69a4c66 100644 auth_use_nsswitch(amanda_t) auth_read_shadow(amanda_t) -@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) 
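Review bot: The added `fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir })` in the amanda.te section transitions only directories, although the two lines above it give amanda_t manage rights on both files and directories of amanda_tmpfs_t. A regular file that amanda_t creates directly in a tmpfs root would not pick up the private type (presumably it keeps the filesystem default), and the resulting denial tends to get fixed later by granting access to the generic tmpfs type. If that case can occur, `fs_tmpfs_filetrans(amanda_t, amanda_tmpfs_t, { dir file })` keeps those objects in amanda_tmpfs_t. If it cannot, a one-line comment saying why only directories transition would save the next reader the question.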
@@ -2367,7 +2388,7 @@ index 519051c..69a4c66 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +210,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -42027,10 +42048,10 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 2990962..c153d15 100644 +index 2990962..abd217f 100644 --- a/kdumpgui.te +++ b/kdumpgui.te -@@ -5,79 +5,88 @@ policy_module(kdumpgui, 1.2.0) +@@ -5,79 +5,89 @@ policy_module(kdumpgui, 1.2.0) # Declarations # @@ -42078,6 +42099,7 @@ index 2990962..c153d15 100644 dev_read_sysfs(kdumpgui_t) +dev_read_urand(kdumpgui_t) +dev_getattr_all_blk_files(kdumpgui_t) ++dev_read_nvme(kdumpgui_t) files_manage_boot_files(kdumpgui_t) files_manage_boot_symlinks(kdumpgui_t) @@ -42138,7 +42160,7 @@ index 2990962..c153d15 100644 ') optional_policy(` -@@ -87,4 +96,10 @@ optional_policy(` +@@ -87,4 +97,10 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -57704,7 +57726,7 @@ index 0000000..79f1250 + +fs_getattr_xattr_fs(naemon_t) diff --git a/nagios.fc b/nagios.fc -index d78dfc3..40e1c77 100644 +index d78dfc3..c781b72 100644 --- a/nagios.fc +++ b/nagios.fc @@ -1,88 +1,113 @@ @@ -57752,13 +57774,13 @@ index d78dfc3..40e1c77 100644 + +/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) +/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) -+ + +ifdef(`distro_debian',` +/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +') +/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:nagios_script_exec_t,s0) +/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0) - ++ +# admin plugins /usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0) 
@@ -57770,106 +57792,132 @@ index d78dfc3..40e1c77 100644 /usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) -+# mail plugins -+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) - -+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) -+ -+# system plugins - /usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +- +-/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_log -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_wave -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) - -+# services plugins - /usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +- +-/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_http -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ping -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - /usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) +-/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - -/usr/lib/nagios/plugins/check_by_ssh -- 
gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) -+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) - +- -/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) +- +-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) +- +-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) +-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) +- +-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++# mail plugins ++/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) ++ ++/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++ ++# system plugins ++/usr/lib(64)?/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nagios -- 
gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0) ++ ++# services plugins ++/usr/lib(64)?/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ldap -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++/usr/lib(64)?/nagios/plugins/check_ups -- 
gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) ++ +# openshift plugins +/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) +/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0) - --/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) --/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++ +# label all nagios plugin as unconfined by default +/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) - --/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) --/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) ++ +# eventhandlers +/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) +/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) - --/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++ diff --git a/nagios.if b/nagios.if index 0641e97..f3b1111 100644 --- a/nagios.if @@ -89247,7 +89295,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..1271bf3 100644 +index d32e1a2..7239c98 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) 
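Review bot: The rewritten per-plugin entries now begin with `/usr/lib(64)?/nagios/plugins/…`, while the catch-all `/usr/lib/nagios/plugins/.*` that assigns nagios_unconfined_plugin_exec_t keeps its long literal prefix. As far as I know the file-context sort ranks a pattern by the length of its literal stem before the first regex metacharacter, so the catch-all may now outrank every `(64)?` entry and leave the check_* plugins labelled unconfined. Please confirm on a built policy with `matchpathcon /usr/lib64/nagios/plugins/check_ping` and the same path under /usr/lib. If the ordering is as I suspect, either keep the literal `/usr/lib/nagios/plugins/check_*` paths or give the catch-all the same prefix, `/usr/lib(64)?/nagios/plugins/.*`. The admin, checkdisk and mail entries still use `/usr/lib/` only and the openshift entries `/usr/lib64/` only, so the file is also inconsistent about which directory it covers.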
@@ -89286,13 +89334,14 @@ index d32e1a2..1271bf3 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,89 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) +kernel_read_net_sysctls(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) +kernel_read_sysctl(rhsmcertd_t) ++kernel_signull(rhsmcertd_t) + +corenet_tcp_connect_http_port(rhsmcertd_t) +corenet_tcp_connect_http_cache_port(rhsmcertd_t) @@ -105162,7 +105211,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..a28dfe7 100644 +index 2d8db1f..1139567 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) @@ -105186,7 +105235,8 @@ index 2d8db1f..a28dfe7 100644 -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; +allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; allow sssd_t self:capability2 block_suspend; - allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; +-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; ++allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid}; allow sssd_t self:fifo_file rw_fifo_file_perms; allow sssd_t self:key manage_key_perms; -allow sssd_t self:unix_stream_socket { accept connectto listen }; @@ -114655,7 +114705,7 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') 
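Review bot: In the sssd.te hunk the rewritten rule ends in `setpgid}` with no space before the closing brace, unlike the neighbouring `allow sssd_t self:capability { … }` line. I would write it as `allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid };` so permission sets stay uniform and a grep for ` setpgid ` finds the rule.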
diff --git a/virt.te b/virt.te -index f03dcf5..8036117 100644 +index f03dcf5..14e8dd9 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,410 @@ @@ -116246,7 +116296,7 @@ index f03dcf5..8036117 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1267,370 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1267,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -116459,10 +116509,7 @@ index f03dcf5..8036117 100644 +files_entrypoint_all_mountpoint(svirt_sandbox_domain) +corecmd_entrypoint_all_executables(svirt_sandbox_domain) + -+files_list_var(svirt_sandbox_domain) -+files_list_var_lib(svirt_sandbox_domain) +files_search_all(svirt_sandbox_domain) -+files_read_config_files(svirt_sandbox_domain) +files_read_usr_symlinks(svirt_sandbox_domain) +files_search_locks(svirt_sandbox_domain) +files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) @@ -116470,10 +116517,9 @@ index f03dcf5..8036117 100644 +fs_getattr_all_fs(svirt_sandbox_domain) +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) -+fs_read_fusefs_files(svirt_sandbox_domain) +fs_read_hugetlbfs_files(svirt_sandbox_domain) +fs_read_tmpfs_symlinks(svirt_sandbox_domain) -+fs_list_tmpfs(svirt_sandbox_domain) ++fs_search_tmpfs(svirt_sandbox_domain) +fs_rw_hugetlbfs_files(svirt_sandbox_domain) + + @@ -116482,9 +116528,7 @@ index f03dcf5..8036117 100644 +auth_dontaudit_write_login_records(svirt_sandbox_domain) +auth_search_pam_console_data(svirt_sandbox_domain) + -+clock_read_adjtime(svirt_sandbox_domain) -+ -+init_read_utmp(svirt_sandbox_domain) ++init_dontaudit_read_utmp(svirt_sandbox_domain) +init_dontaudit_write_utmp(svirt_sandbox_domain) + +libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) 
@@ -116494,8 +116538,6 @@ index f03dcf5..8036117 100644 +miscfiles_read_fonts(svirt_sandbox_domain) +miscfiles_read_hwdata(svirt_sandbox_domain) + -+systemd_read_unit_files(svirt_sandbox_domain) -+ +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) @@ -116572,7 +116614,6 @@ index f03dcf5..8036117 100644 +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; +virt_default_capabilities(container_t) -+typeattribute container_t sandbox_net_domain; +dontaudit container_t self:capability fsetid; +dontaudit container_t self:capability2 block_suspend ; +allow container_t self:process { execstack execmem }; @@ -116660,12 +116701,6 @@ index f03dcf5..8036117 100644 -auth_use_nsswitch(svirt_lxc_net_t) +fs_noxattr_type(container_file_t) -+# Do we actually need these? -+fs_mount_cgroup(container_t) -+fs_manage_cgroup_dirs(container_t) -+fs_manage_cgroup_files(container_t) -+# Needed for docker -+fs_unmount_xattr_fs(container_t) -logging_send_audit_msgs(svirt_lxc_net_t) +term_pty(container_file_t) @@ -116762,7 +116797,7 @@ index f03dcf5..8036117 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1628,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116777,7 +116812,7 @@ index f03dcf5..8036117 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1661,7 @@ optional_policy(` +@@ -1192,7 +1646,7 @@ optional_policy(` ######################################## # 
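Review bot: The changelog calls this "More cleanup of read access for container domains", but two of the virt.te hunks on this line remove more than reads. One drops `typeattribute container_t sandbox_net_domain;`, and another drops `fs_mount_cgroup`, `fs_manage_cgroup_dirs`, `fs_manage_cgroup_files` and `fs_unmount_xattr_fs` for container_t. I would give these their own %changelog entry, for example `- Remove sandbox_net_domain attribute and cgroup mount/manage access from container_t`, so a later regression in container networking or cgroup setup can be traced to this release. Whether another rule outside these hunks still grants the network access cannot be seen from here.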
@@ -116786,7 +116821,7 @@ index f03dcf5..8036117 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1670,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1655,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 3c6c596..7791e64 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 225.7%{?dist} +Release: 225.8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,25 @@ exit 0 %endif %changelog +* Wed Feb 15 2017 Lukas Vrabec - 3.13.1-225.8 +- Allow rhsmcertd domain signull kernel. +- Fix label for nagios plugins in nagios file conxtext file +- Allow kdumpgui domain to read nvme device +- Add amanda_tmpfs_t label. BZ(1243752) +- More cleanup of read access for container domains +- Allow sssd_t domain setpgid BZ(1411437) +- Dontaudit xdm_t wake_alarm capability2 +- Allow ifconfig_t to mount/unmount nsfs_t filesystem +- Add interfaces allowing mount/unmount nsfs_t filesystem +- Label /usr/lib/libGLdispatch.so.0.0.0 as textrel_shlib_t BZ(1419944) +- su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization. Resolves: rhbz#1146987 +- Add module_load permission to can_load_kernmodule +- Add module_load permission to class system +- Add the validate_trans access vector to the security class +- Allow ifconfig_t domain read nsfs_t +- Allow ping_t domain to load kernel modules. +- rawhide-base: Fix wrong type/attribute flavors in require blocks + * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-225.7 - After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017) - Tighten security on containe types