[selinux-policy/f18] - Allow mount to relabelfrom unlabeled file systems - systemd_logind wants to send and receive messa
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Oct 19 17:55:00 UTC 2012
commit 0187425bd9d92518b6ecbd28d5988c21acacbe4c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Oct 19 19:54:44 2012 +0200
- Allow mount to relabelfrom unlabeled file systems
- systemd_logind wants to send and receive messages from devicekit disk over dbus
- Add label to get bin files under libreoffice labeled correctly
- Fix interface to allow executing of base_ro_file_type
- Add fixes for realmd
- Update pki policy
- Add tftp_homedir boolean
- Allow blueman sched_setscheduler
- openshift user domains wants to r/w ssh tcp sockets
policy-rawhide.patch | 197 +++++++++-----------
policy_contrib-rawhide.patch | 428 +++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 13 ++-
3 files changed, 444 insertions(+), 194 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 524a96f..e5511e4 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -109153,7 +109153,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..94ae2a8 100644
+index db981df..a98772f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -109234,7 +109234,7 @@ index db981df..94ae2a8 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -174,53 +184,78 @@ ifdef(`distro_gentoo',`
+@@ -174,53 +184,79 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -109273,6 +109273,7 @@ index db981df..94ae2a8 100644
+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/libreoffice(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
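Review bot: The generic entry `/usr/lib(.*/)?bin(/.*)? bin_t` on the line above already matches every path the new `/usr/lib/libreoffice(/.*)?/bin(/.*)?` entry matches, so the addition only changes precedence against some more specific libreoffice rule that is not in this hunk (presumably a lib_t pattern in libraries.fc, which the "labeled correctly" wording in the summary hints at). A short comment naming the rule it is meant to beat, e.g. `# longer literal prefix than the libreoffice lib_t entry so bin/ stays executable`, would explain why the line is not redundant. Note that as written it also labels everything under any `bin` component at any depth below /usr/lib/libreoffice as bin_t, i.e. executable by every domain that can exec bin_t.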
@@ -109330,7 +109331,7 @@ index db981df..94ae2a8 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -235,10 +270,15 @@ ifdef(`distro_gentoo',`
+@@ -235,10 +271,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -109346,7 +109347,7 @@ index db981df..94ae2a8 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -251,11 +291,17 @@ ifdef(`distro_gentoo',`
+@@ -251,11 +292,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -109368,7 +109369,7 @@ index db981df..94ae2a8 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -271,6 +317,10 @@ ifdef(`distro_gentoo',`
+@@ -271,6 +318,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -109379,7 +109380,7 @@ index db981df..94ae2a8 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -290,15 +340,19 @@ ifdef(`distro_gentoo',`
+@@ -290,15 +341,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -109400,7 +109401,7 @@ index db981df..94ae2a8 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,8 +368,12 @@ ifdef(`distro_redhat', `
+@@ -314,8 +369,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -109413,7 +109414,7 @@ index db981df..94ae2a8 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -325,9 +383,11 @@ ifdef(`distro_redhat', `
+@@ -325,9 +384,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -109425,7 +109426,7 @@ index db981df..94ae2a8 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -376,11 +436,14 @@ ifdef(`distro_suse', `
+@@ -376,11 +437,14 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -109441,7 +109442,7 @@ index db981df..94ae2a8 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -390,3 +453,12 @@ ifdef(`distro_suse', `
+@@ -390,3 +454,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -114074,7 +114075,7 @@ index 8796ca3..0cabe1f 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..cbcb4aa 100644
+index e1e814d..f10ea0b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -115575,7 +115576,7 @@ index e1e814d..cbcb4aa 100644
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -6467,3 +7403,459 @@ interface(`files_unconfined',`
+@@ -6467,3 +7403,457 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -116011,9 +116012,7 @@ index e1e814d..cbcb4aa 100644
+ attribute base_ro_file_type;
+ ')
+
-+ list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
-+ read_files_pattern($1, base_ro_file_type, base_ro_file_type)
-+ read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
++ can_exec($1, base_ro_file_type)
+')
+
+########################################
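Review bot: Replacing the three read-only patterns with `can_exec($1, base_ro_file_type)` widens what every existing caller of this interface receives, because `can_exec` adds `execute` and `execute_no_trans` on top of read, so any domain that was given this interface to read base_ro_file_type content can now run it in its own domain; the interface's name and summary are outside the hunk. It also silently drops the `list_dirs_pattern` and `read_lnk_files_pattern` grants, so directory search and symlink following on base_ro_file_type are no longer covered here. If executing is the intent, keep the traversal lines next to it, `list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)` and `read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)` before `can_exec(...)`, and consider a separate read-only interface for callers that should not execute.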
@@ -117490,7 +117489,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 4bf45cb..58ee17c 100644
+index 4bf45cb..270fedd 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -117637,7 +117636,32 @@ index 4bf45cb..58ee17c 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2613,7 +2683,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2506,6 +2576,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+
+ ########################################
+ ## <summary>
++## Allow caller to relabel unlabeled filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_relabelfrom_unlabeled_fs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:filesystem relabelfrom;
++')
++
++########################################
++## <summary>
+ ## Allow caller to relabel unlabeled files.
+ ## </summary>
+ ## <param name="domain">
+@@ -2613,7 +2701,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
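Review bot: The summary of the new `kernel_relabelfrom_unlabeled_fs` says "relabel unlabeled filesystems", but the body only grants the `filesystem relabelfrom` side on unlabeled_t; the caller still needs `relabelto` on the destination filesystem type, which this interface neither grants nor mentions. Suggest `## Allow caller to relabel from unlabeled filesystems (filesystem relabelfrom only; relabelto on the target type must be granted separately).` so callers do not assume one interface is sufficient. A short `<desc>` naming the triggering operation (presumably a `context=` mount over a superblock that is still unlabeled_t -- confirm) would also match the style of the neighbouring network interfaces.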
@@ -117646,7 +117670,7 @@ index 4bf45cb..58ee17c 100644
')
########################################
-@@ -2651,6 +2721,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2651,6 +2739,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -117671,7 +117695,7 @@ index 4bf45cb..58ee17c 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2678,6 +2766,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2678,6 +2784,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -117697,7 +117721,7 @@ index 4bf45cb..58ee17c 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2787,6 +2894,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2787,6 +2912,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -117731,7 +117755,7 @@ index 4bf45cb..58ee17c 100644
########################################
## <summary>
-@@ -2942,6 +3076,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2942,6 +3094,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -117756,7 +117780,7 @@ index 4bf45cb..58ee17c 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2956,5 +3108,157 @@ interface(`kernel_unconfined',`
+@@ -2956,5 +3126,157 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -127248,7 +127272,7 @@ index f416ce9..372a87c 100644
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f145ccb..dfba2fd 100644
+index f145ccb..f4db5d7 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.0)
@@ -127481,7 +127505,7 @@ index f145ccb..dfba2fd 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -397,12 +420,81 @@ ifdef(`distro_ubuntu',`
+@@ -397,19 +420,27 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -127500,73 +127524,20 @@ index f145ccb..dfba2fd 100644
+ tunable_policy(`polyinstantiation_enabled',`
+ namespace_init_domtrans(polydomain)
+ ')
-+')
-+
+ ')
+
+-#######################################
+######################################
-+#
-+# nsswitch_domain local policy
-+#
-+
+ #
+ # nsswitch_domain local policy
+ #
+
+auth_read_passwd(nsswitch_domain)
+
-+# read /etc/nsswitch.conf
-+files_read_etc_files(nsswitch_domain)
-+
-+sysnet_dns_name_resolve(nsswitch_domain)
-+
-+tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ files_list_var_lib(nsswitch_domain)
-+
-+ miscfiles_read_generic_certs(nsswitch_domain)
-+ sysnet_use_ldap(nsswitch_domain)
-+')
-+
-+optional_policy(`
-+ tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ dirsrv_stream_connect(nsswitch_domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ tunable_policy(`authlogin_nsswitch_use_ldap',`
-+ ldap_stream_connect(nsswitch_domain)
-+ ')
-+')
-+
-+optional_policy(`
-+ likewise_stream_connect_lsassd(nsswitch_domain)
-+')
-+
-+# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
-+optional_policy(`
-+ kerberos_use(nsswitch_domain)
-+')
-+
-+optional_policy(`
-+ nis_use_ypbind(nsswitch_domain)
-+')
-+
-+optional_policy(`
-+ nscd_use(nsswitch_domain)
-+')
-+
-+optional_policy(`
-+ nslcd_stream_connect(nsswitch_domain)
-+')
-+
-+optional_policy(`
-+ sssd_stream_connect(nsswitch_domain)
-+ sssd_read_public_files(nsswitch_domain)
-+')
-+
-+optional_policy(`
-+ samba_stream_connect_winbind(nsswitch_domain)
-+ samba_read_var_files(nsswitch_domain)
-+ samba_dontaudit_write_var_files(nsswitch_domain)
- ')
+ files_list_var_lib(nsswitch_domain)
- #######################################
-@@ -426,6 +518,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ # read /etc/nsswitch.conf
+@@ -426,6 +457,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
optional_policy(`
tunable_policy(`authlogin_nsswitch_use_ldap',`
@@ -127579,20 +127550,32 @@ index f145ccb..dfba2fd 100644
ldap_stream_connect(nsswitch_domain)
')
')
-@@ -455,7 +553,12 @@ optional_policy(`
+@@ -438,6 +475,7 @@ optional_policy(`
+ likewise_stream_connect_lsassd(nsswitch_domain)
')
++# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
+ optional_policy(`
+ kerberos_use(nsswitch_domain)
+ ')
+@@ -447,7 +485,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(nsswitch_domain)
++ nscd_use(nsswitch_domain)
+ ')
+
+ optional_policy(`
+@@ -456,6 +494,7 @@ optional_policy(`
+
optional_policy(`
-+ realmd_dbus_chat(nsswitch_domain)
-+')
-+
-+optional_policy(`
sssd_stream_connect(nsswitch_domain)
+ sssd_read_public_files(nsswitch_domain)
')
optional_policy(`
-@@ -463,3 +566,127 @@ optional_policy(`
+@@ -463,3 +502,127 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
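Review bot: `realmd_dbus_chat(nsswitch_domain)` is dropped from the overlay in this hunk with no replacement visible, although the commit summary says it adds realmd fixes; if that access moved to another module it is not shown here, so please confirm it was not lost in the rebase onto the upstream nsswitch_domain block. Dropping it is also the least-privilege outcome, since nsswitch_domain is carried by nearly every domain and `dbus_chat` is bidirectional, so if it is gone on purpose a one-line comment at the removal point such as `# realmd dbus access is granted per domain, not to all nsswitch users` would stop it being reinstated later. The nsswitch_domain section continues past the end of this hunk.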
@@ -132431,7 +132414,7 @@ index 321bb13..267fa2a 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..ef34ce4 100644
+index 0034021..f6f1796 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.0)
@@ -132621,7 +132604,7 @@ index 0034021..ef34ce4 100644
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
dontaudit syslogd_t self:capability sys_tty_config;
-+allow syslogd_t self:capability2 syslog;
++allow syslogd_t self:capability2 { syslog block_suspend };
# setpgid for metalog
# setrlimit for syslog-ng
-# getsched for syslog-ng
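Review bot: The new `block_suspend` in `allow syslogd_t self:capability2 { syslog block_suspend };` has no explanation, while the surrounding lines follow a `# <perm> for <consumer>` convention (`# setpgid for metalog`, `# setrlimit for syslog-ng`). Suggest a matching line above it, `# block_suspend for systemd-journald -- confirm consumer`, or whichever daemon raised the denial. The rest of the syslogd_t capability rules are outside this hunk.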
@@ -134126,7 +134109,7 @@ index 4584457..300c3f7 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 63931f6..b23cdc1 100644
+index 63931f6..041c38f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
@@ -134201,7 +134184,7 @@ index 63931f6..b23cdc1 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -49,9 +74,25 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -134220,6 +134203,7 @@ index 63931f6..b23cdc1 100644
+kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
-kernel_dontaudit_getattr_core_if(mount_t)
++kernel_relabelfrom_unlabeled_fs(mount_t)
+kernel_manage_debugfs(mount_t)
+kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
@@ -134227,7 +134211,7 @@ index 63931f6..b23cdc1 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
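Review bot: `kernel_relabelfrom_unlabeled_fs(mount_t)` is added without a why-comment, unlike the `# To load binfmt_misc kernel module` line just below, and relabelfrom is only half of a superblock relabel: mount_t also needs `filesystem relabelto` on the target type, which this hunk does not show and which may already come from an fs_* interface elsewhere in mount.te. Suggest `# relabel a superblock that came up unlabeled_t (e.g. mount -o context=); relabelto is granted via fs_* below -- confirm` above the new line. The mount_t rule block continues outside the hunk.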
-@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +101,46 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -134277,7 +134261,7 @@ index 63931f6..b23cdc1 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
-@@ -92,28 +147,42 @@ files_list_mnt(mount_t)
+@@ -92,28 +148,42 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -134326,7 +134310,7 @@ index 63931f6..b23cdc1 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,16 +190,20 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +191,20 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -134348,7 +134332,7 @@ index 63931f6..b23cdc1 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +219,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +220,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -134388,7 +134372,7 @@ index 63931f6..b23cdc1 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +253,8 @@ optional_policy(`
+@@ -179,6 +254,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -134397,7 +134381,7 @@ index 63931f6..b23cdc1 100644
')
optional_policy(`
-@@ -186,6 +262,28 @@ optional_policy(`
+@@ -186,6 +263,28 @@ optional_policy(`
')
optional_policy(`
@@ -134426,7 +134410,7 @@ index 63931f6..b23cdc1 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +291,121 @@ optional_policy(`
+@@ -193,21 +292,121 @@ optional_policy(`
')
')
@@ -137663,10 +137647,10 @@ index 0000000..f332422
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..8fccccd
+index 0000000..538bb15
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,448 @@
+@@ -0,0 +1,449 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -137846,6 +137830,7 @@ index 0000000..8fccccd
+
+optional_policy(`
+ devicekit_dbus_chat_power(systemd_logind_t)
++ devicekit_dbus_chat_disk(systemd_logind_t)
+')
+
+optional_policy(`
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 367a19d..0eaa777 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -5834,7 +5834,7 @@ index 6355318..98ba16a 100644
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.te b/blueman.te
-index 70969fa..1adc748 100644
+index 70969fa..75237ff 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,6 @@ policy_module(blueman, 1.0.0)
@@ -5845,7 +5845,18 @@ index 70969fa..1adc748 100644
init_daemon_domain(blueman_t, blueman_exec_t)
type blueman_var_lib_t;
-@@ -39,8 +38,18 @@ auth_use_nsswitch(blueman_t)
+@@ -17,6 +16,10 @@ files_type(blueman_var_lib_t)
+ #
+ # blueman local policy
+ #
++
++allow blueman_t self:capability sys_nice;
++allow blueman_t self:process setsched;
++
+ allow blueman_t self:fifo_file rw_fifo_file_perms;
+
+ manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+@@ -39,8 +42,18 @@ auth_use_nsswitch(blueman_t)
logging_send_syslog_msg(blueman_t)
@@ -31194,7 +31205,7 @@ index 67c7fdd..2f226de 100644
## <summary>
## Execute mailman CGI scripts in the
diff --git a/mailman.te b/mailman.te
-index 22265f0..2216569 100644
+index 22265f0..f2f7e05 100644
--- a/mailman.te
+++ b/mailman.te
@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
@@ -31217,7 +31228,16 @@ index 22265f0..2216569 100644
')
########################################
-@@ -69,6 +75,16 @@ manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+@@ -62,13 +68,23 @@ optional_policy(`
+ #
+
+ allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+-allow mailman_mail_t self:process { signal signull };
+-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
++allow mailman_mail_t self:process { setsched signal signull };
++allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config };
+
+ manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
@@ -37565,7 +37585,7 @@ index 632a565..cd0e015 100644
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/nis.if b/nis.if
-index abe3f7f..deeebd1 100644
+index abe3f7f..1112fae 100644
--- a/nis.if
+++ b/nis.if
@@ -27,18 +27,13 @@ interface(`nis_use_ypbind_uncond',`
@@ -37624,7 +37644,32 @@ index abe3f7f..deeebd1 100644
nis_use_ypbind_uncond($1)
corenet_tcp_bind_all_rpc_ports($1)
corenet_udp_bind_all_rpc_ports($1)
-@@ -337,6 +331,55 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -131,6 +125,24 @@ interface(`nis_domtrans_ypbind',`
+ domtrans_pattern($1, ypbind_exec_t, ypbind_t)
+ ')
+
++#######################################
++## <summary>
++## Execute ypbind in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`nis_exec_ypbind',`
++ gen_require(`
++ type ypbind_t, ypbind_exec_t;
++ ')
++
++ can_exec($1, ypbind_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute ypbind in the ypbind domain, and
+@@ -337,6 +349,55 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
## <summary>
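Review bot: The new `nis_exec_ypbind` runs ypbind in the caller's domain, so its parameter doc `Domain allowed to transition.` is copied from `nis_domtrans_ypbind` and is wrong, and `type ypbind_t` in the gen_require is unused since only `ypbind_exec_t` is referenced. Suggest `## Domain allowed access.` and `type ypbind_exec_t;`. It is worth stating in the summary that a caller using this instead of the domtrans interface keeps ypbind under its own privileges rather than ypbind_t's confinement, so that callers choose it deliberately.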
@@ -37680,7 +37725,7 @@ index abe3f7f..deeebd1 100644
## All of the rules required to administrate
## an nis environment
## </summary>
-@@ -354,22 +397,31 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,22 +415,31 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
@@ -37719,7 +37764,7 @@ index abe3f7f..deeebd1 100644
ps_process_pattern($1, ypxfr_t)
nis_initrc_domtrans($1)
-@@ -379,18 +431,22 @@ interface(`nis_admin',`
+@@ -379,18 +449,22 @@ interface(`nis_admin',`
role_transition $2 ypbind_initrc_exec_t system_r;
allow $2 system_r;
@@ -41354,10 +41399,10 @@ index 0000000..681f8a0
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..8f642e4
+index 0000000..2c81ee4
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,351 @@
+@@ -0,0 +1,355 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -41654,6 +41699,10 @@ index 0000000..8f642e4
+
+allow openshift_user_domain openshift_domain:process ptrace;
+
++optional_policy(`
++ ssh_rw_tcp_sockets(openshift_user_domain)
++')
++
+############################################################################
+#
+# Rules specific to openshift and openshift_app_t
@@ -43794,10 +43843,10 @@ index 0000000..9ab2c4d
+logging_send_syslog_msg(pkcsslotd_t)
diff --git a/pki.fc b/pki.fc
new file mode 100644
-index 0000000..20d2c79
+index 0000000..2dc9806
--- /dev/null
+++ b/pki.fc
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,54 @@
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
@@ -43849,6 +43898,9 @@ index 0000000..20d2c79
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+
++/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_var_lock_t,s0)
++
++/usr/lib/systemd/system/pki-tomcatd at .service -- gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
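Review bot: The new lock entry uses `pki_tomcat_var_lock_t`, but pki.te in this same patch declares and uses `pki_tomcat_lock_t` (`type pki_tomcat_lock_t;` / `files_lock_file(pki_tomcat_lock_t)`); unless `tomcat_domain_template` declares a `_var_lock_t`, this file context names an undefined type and the module build or a relabel will reject it. Change it to `/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0)`. The unit-file line also shows `pki-tomcatd at .service`, which looks like the mailing-list archive rewriting `@`; the real entry should read `/usr/lib/systemd/system/pki-tomcatd@\.service` with the dot escaped so the regex does not match an arbitrary character there.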
diff --git a/pki.if b/pki.if
new file mode 100644
index 0000000..2e2927f
@@ -44085,10 +44137,10 @@ index 0000000..2e2927f
+
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..0f407c1
+index 0000000..9e5fd0b
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,271 @@
+@@ -0,0 +1,287 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -44122,6 +44174,9 @@ index 0000000..0f407c1
+
+tomcat_domain_template(pki_tomcat)
+
++type pki_tomcat_unit_file_t;
++systemd_unit_file(pki_tomcat_unit_file_t)
++
+type pki_tomcat_lock_t;
+files_lock_file(pki_tomcat_lock_t)
+
@@ -44146,6 +44201,15 @@ index 0000000..0f407c1
+
+pki_apache_template(pki_ra)
+
++# needed for dogtag 9 style instances
++type pki_tomcat_script_t;
++domain_type(pki_tomcat_script_t)
++role system_r types pki_tomcat_script_t;
++
++optional_policy(`
++ unconfined_domain(pki_tomcat_script_t)
++')
++
+########################################
+#
+# pki-tomcat local policy
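Review bot: `pki_tomcat_script_t` is created as a fully unconfined domain via `unconfined_domain(pki_tomcat_script_t)` with only `# needed for dogtag 9 style instances` as justification, and nothing in this hunk defines an entrypoint type or a transition into it, so it is not clear what reaches this domain or why a confined tomcat domain cannot cover the dogtag 9 layout. An unconfined domain in a contrib module removes every check for whatever lands in it, so at minimum the comment should name the executable and the path that transition here, and the grant should be gated the way other optional behaviour is, for instance behind a tunable rather than an unconditional `optional_policy`. If the transition rules live elsewhere in pki.te they are outside this hunk.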
@@ -44171,6 +44235,10 @@ index 0000000..0f407c1
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
+
++read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
++read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
++allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
++
+# allow java subsystems to talk to the ncipher hsm
+allow pki_tomcat_t pki_common_dev_t:sock_file write;
+allow pki_tomcat_t pki_common_dev_t:dir search;
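Review bot: `allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;` lets the service domain change ownership, mode or timestamps on its own systemd unit file, which is the object systemd trusts at boot; read access is what a daemon normally needs, and nothing here says why setattr is required. If it is just a harmless chmod or touch from the init script, `dontaudit pki_tomcat_t pki_tomcat_unit_file_t:file setattr;` keeps the logs quiet without granting it; if it is genuinely needed, a comment naming the caller should accompany the allow. Also note the missing space in `read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)` for consistency with the line below it.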
@@ -44361,10 +44429,10 @@ index 0000000..0f407c1
+')
+
diff --git a/plymouthd.fc b/plymouthd.fc
-index 5702ca4..332dd84 100644
+index 5702ca4..ef1dd7a 100644
--- a/plymouthd.fc
+++ b/plymouthd.fc
-@@ -2,6 +2,15 @@
+@@ -2,6 +2,14 @@
/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
@@ -44373,12 +44441,11 @@ index 5702ca4..332dd84 100644
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+
/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
-+/var/run/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
++/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
-+/var/spool/plymouth/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
+
diff --git a/plymouthd.if b/plymouthd.if
index 9759ed8..17c097d 100644
@@ -44781,7 +44848,7 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 44db896..ced9fab 100644
+index 44db896..946bfb5 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,51 +1,67 @@
@@ -44932,9 +44999,9 @@ index 44db896..ced9fab 100644
-allow policykit_auth_t self:capability setgid;
-allow policykit_auth_t self:process getattr;
-allow policykit_auth_t self:fifo_file rw_file_perms;
-+allow policykit_auth_t self:capability { ipc_lock setgid setuid };
++allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
+dontaudit policykit_auth_t self:capability sys_tty_config;
-+allow policykit_auth_t self:process { getsched signal };
++allow policykit_auth_t self:process { setsched getsched signal };
+
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -46400,7 +46467,7 @@ index 46bee12..dacb14d 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index a1e0f60..2312d03 100644
+index a1e0f60..000794e 100644
--- a/postfix.te
+++ b/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -46620,12 +46687,14 @@ index a1e0f60..2312d03 100644
allow postfix_local_t self:process { setsched setrlimit };
# connect to master process
-@@ -273,12 +306,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -272,13 +305,15 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
-
-+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
++rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
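Review bot: `rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` gives the local delivery agent direct read/write on every queued submission in the maildrop spool, while the very next line already transitions it to postfix_postdrop_t, the setgid boundary that is meant to be the only writer there; nothing in the hunk says which access pattern triggered this. If it is only a descriptor inherited across a .forward pipe, an inherited-fd grant such as `allow postfix_local_t postfix_spool_maildrop_t:file rw_inherited_file_perms;` (if the policy defines that set) is the tighter form; otherwise a comment with the triggering denial would justify bypassing postdrop. The rest of postfix_local_t's rules are outside the hunk.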
@@ -46635,7 +46704,7 @@ index a1e0f60..2312d03 100644
logging_dontaudit_search_logs(postfix_local_t)
-@@ -286,14 +320,36 @@ mta_read_aliases(postfix_local_t)
+@@ -286,14 +321,36 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -46675,7 +46744,7 @@ index a1e0f60..2312d03 100644
')
optional_policy(`
-@@ -304,9 +360,26 @@ optional_policy(`
+@@ -304,9 +361,26 @@ optional_policy(`
')
optional_policy(`
@@ -46702,7 +46771,7 @@ index a1e0f60..2312d03 100644
########################################
#
# Postfix map local policy
-@@ -329,7 +402,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -329,7 +403,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -46710,7 +46779,7 @@ index a1e0f60..2312d03 100644
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +420,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+@@ -348,7 +421,6 @@ corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
@@ -46718,7 +46787,7 @@ index a1e0f60..2312d03 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -356,8 +427,6 @@ auth_use_nsswitch(postfix_map_t)
+@@ -356,8 +428,6 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -46727,7 +46796,7 @@ index a1e0f60..2312d03 100644
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
-@@ -379,18 +448,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +449,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -46753,7 +46822,7 @@ index a1e0f60..2312d03 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +476,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +477,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -46762,7 +46831,7 @@ index a1e0f60..2312d03 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +497,7 @@ optional_policy(`
+@@ -420,6 +498,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -46770,7 +46839,7 @@ index a1e0f60..2312d03 100644
')
optional_policy(`
-@@ -436,11 +514,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +515,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -46788,7 +46857,7 @@ index a1e0f60..2312d03 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +571,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +572,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -46799,7 +46868,7 @@ index a1e0f60..2312d03 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +603,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +604,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -46812,7 +46881,7 @@ index a1e0f60..2312d03 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +627,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +628,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -46823,7 +46892,7 @@ index a1e0f60..2312d03 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +648,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +649,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -46835,7 +46904,7 @@ index a1e0f60..2312d03 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +660,14 @@ optional_policy(`
+@@ -565,6 +661,14 @@ optional_policy(`
')
optional_policy(`
@@ -46850,7 +46919,7 @@ index a1e0f60..2312d03 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +684,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -46877,7 +46946,7 @@ index a1e0f60..2312d03 100644
')
optional_policy(`
-@@ -599,6 +710,11 @@ optional_policy(`
+@@ -599,6 +711,11 @@ optional_policy(`
')
optional_policy(`
@@ -46889,7 +46958,7 @@ index a1e0f60..2312d03 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +727,6 @@ optional_policy(`
+@@ -611,7 +728,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -46897,7 +46966,7 @@ index a1e0f60..2312d03 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +737,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
@@ -46905,7 +46974,7 @@ index a1e0f60..2312d03 100644
files_read_usr_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +744,76 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -48458,7 +48527,7 @@ index f40c64d..d676e96 100644
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index 901ac9b..639b9e4 100644
+index 901ac9b..53a9509 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -48492,7 +48561,14 @@ index 901ac9b..639b9e4 100644
corenet_all_recvfrom_netlabel(pulseaudio_t)
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
corenet_tcp_bind_soundd_port(pulseaudio_t)
-@@ -76,26 +81,42 @@ dev_write_sound(pulseaudio_t)
+@@ -70,32 +75,49 @@ corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+ corenet_udp_bind_sap_port(pulseaudio_t)
+ corenet_udp_sendrecv_generic_if(pulseaudio_t)
+ corenet_udp_sendrecv_generic_node(pulseaudio_t)
++corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
+
+ dev_read_sound(pulseaudio_t)
+ dev_write_sound(pulseaudio_t)
dev_read_sysfs(pulseaudio_t)
dev_read_urand(pulseaudio_t)
@@ -48543,7 +48619,7 @@ index 901ac9b..639b9e4 100644
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
-@@ -125,16 +146,37 @@ optional_policy(`
+@@ -125,16 +147,37 @@ optional_policy(`
')
optional_policy(`
@@ -48581,7 +48657,7 @@ index 901ac9b..639b9e4 100644
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
-@@ -146,3 +188,7 @@ optional_policy(`
+@@ -146,3 +189,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -52052,10 +52128,10 @@ index 0000000..e38693b
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..8c75780
+index 0000000..2d27770
--- /dev/null
+++ b/realmd.te
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,80 @@
+policy_module(realmd, 1.0.0)
+
+########################################
@@ -52072,7 +52148,14 @@ index 0000000..8c75780
+#
+# realmd local policy
+#
++
++allow realmd_t self:capability sys_nice;
++allow realmd_t self:process setsched;
++
++kernel_read_system_state(realmd_t)
++
+corecmd_exec_bin(realmd_t)
++corecmd_exec_shell(realmd_t)
+
+corenet_tcp_connect_http_port(realmd_t)
+
@@ -52096,7 +52179,17 @@ index 0000000..8c75780
+')
+
+optional_policy(`
++ hostname_exec(realmd_t)
++')
++
++optional_policy(`
+ kerberos_use(realmd_t)
++ kerberos_rw_keytab(realmd_t)
++')
++
++optional_policy(`
++ nis_exec_ypbind(realmd_t)
++ nis_systemctl_ypbind(realmd_t)
+')
+
+optional_policy(`
@@ -52107,12 +52200,17 @@ index 0000000..8c75780
+
+optional_policy(`
+ samba_domtrans_net(realmd_t)
-+ samba_read_config(realmd_t)
++ samba_manage_config(realmd_t)
++ samba_getattr_winbind(realmd_t)
+')
+
+optional_policy(`
-+ sssd_read_config(realmd_t)
++ sssd_getattr_exec(realmd_t)
+ sssd_manage_config(realmd_t)
++ sssd_manage_lib_files(realmd_t)
++ sssd_manage_public_files(realmd_t)
++ sssd_read_pid_files(realmd_t)
++ sssd_systemctl(realmd_t)
+')
diff --git a/remotelogin.te b/remotelogin.te
index 0a76027..18f59a7 100644
@@ -56151,7 +56249,7 @@ index 69a6074..c9dbc93 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
-index 82cb169..9bb5db2 100644
+index 82cb169..a6bab06 100644
--- a/samba.if
+++ b/samba.if
@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',`
@@ -56327,7 +56425,32 @@ index 82cb169..9bb5db2 100644
')
########################################
-@@ -564,6 +691,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -548,6 +675,24 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+ allow $1 smbmount_t:tcp_socket { read write };
+ ')
+
++#######################################
++## <summary>
++## Allow to getattr on winbind binary.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`samba_getattr_winbind',`
++ gen_require(`
++ type winbind_exec_t;
++ ')
++
++ allow $1 winbind_exec_t:file getattr;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute winbind_helper in the winbind_helper domain.
+@@ -564,6 +709,7 @@ interface(`samba_domtrans_winbind_helper',`
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
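Review bot: The `<param name="domain">` summary of the new `samba_getattr_winbind` interface reads `Domain allowed to transition.`, but the body only grants `allow $1 winbind_exec_t:file getattr;` — no domain transition is involved, so the documentation describes a different contract than the code. Suggest `Domain allowed access.`, the wording this commit itself uses for `sssd_manage_public_files`. The same copy-pasted parameter summary appears on the new `sssd_getattr_exec` interface in the sssd.if hunk below and should be corrected there too.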
@@ -56335,7 +56458,7 @@ index 82cb169..9bb5db2 100644
')
########################################
-@@ -607,7 +735,7 @@ interface(`samba_read_winbind_pid',`
+@@ -607,7 +753,7 @@ interface(`samba_read_winbind_pid',`
type winbind_var_run_t;
')
@@ -56344,7 +56467,7 @@ index 82cb169..9bb5db2 100644
allow $1 winbind_var_run_t:file read_file_perms;
')
-@@ -626,9 +754,10 @@ interface(`samba_stream_connect_winbind',`
+@@ -626,9 +772,10 @@ interface(`samba_stream_connect_winbind',`
type samba_var_t, winbind_t, winbind_var_run_t;
')
@@ -56356,7 +56479,7 @@ index 82cb169..9bb5db2 100644
ifndef(`distro_redhat',`
gen_require(`
-@@ -644,6 +773,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +791,37 @@ interface(`samba_stream_connect_winbind',`
########################################
## <summary>
@@ -56394,7 +56517,7 @@ index 82cb169..9bb5db2 100644
## All of the rules required to administrate
## an samba environment
## </summary>
-@@ -661,33 +821,33 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,33 +839,33 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -56449,7 +56572,7 @@ index 82cb169..9bb5db2 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -709,9 +869,6 @@ interface(`samba_admin',`
+@@ -709,9 +887,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -56459,7 +56582,7 @@ index 82cb169..9bb5db2 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +884,9 @@ interface(`samba_admin',`
+@@ -727,4 +902,9 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
@@ -62199,16 +62322,18 @@ index c38de7a..a654467 100644
+ cron_system_entry(squid_cron_t, squid_cron_exec_t)
+')
diff --git a/sssd.fc b/sssd.fc
-index 4271815..fb5520f 100644
+index 4271815..45291bb 100644
--- a/sssd.fc
+++ b/sssd.fc
-@@ -1,9 +1,13 @@
+@@ -1,9 +1,15 @@
/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
+
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
++/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0)
++
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
@@ -62217,10 +62342,32 @@ index 4271815..fb5520f 100644
/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
diff --git a/sssd.if b/sssd.if
-index 941380a..a86bc33 100644
+index 941380a..62e4b12 100644
--- a/sssd.if
+++ b/sssd.if
-@@ -5,9 +5,9 @@
+@@ -1,13 +1,31 @@
+ ## <summary>System Security Services Daemon</summary>
+
++#######################################
++## <summary>
++## Allow a domain to getattr on sssd binary.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sssd_getattr_exec',`
++ gen_require(`
++ type sssd_t, sssd_exec_t;
++ ')
++
++ allow $1 sssd_exec_t:file getattr;
++')
++
+ ########################################
+ ## <summary>
## Execute a domain transition to run sssd.
## </summary>
## <param name="domain">
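Review bot: `sssd_getattr_exec` requires `type sssd_t, sssd_exec_t;` in its gen_require block, but its only rule is `allow $1 sssd_exec_t:file getattr;`, so the `sssd_t` require is unused. Suggest trimming it to `type sssd_exec_t;` so the interface declares only the types it references, which is the convention followed by the other interfaces in this file and avoids a spurious dependency on the process domain.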
@@ -62232,10 +62379,31 @@ index 941380a..a86bc33 100644
## </param>
#
interface(`sssd_domtrans',`
-@@ -36,6 +36,83 @@ interface(`sssd_initrc_domtrans',`
- init_labeled_script_domtrans($1, sssd_initrc_exec_t)
- ')
+@@ -38,6 +56,106 @@ interface(`sssd_initrc_domtrans',`
+ ########################################
+ ## <summary>
++## Execute sssd server in the sssd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sssd_systemctl',`
++ gen_require(`
++ type sssd_t;
++ type sssd_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 sssd_unit_file_t:file read_file_perms;
++ allow $1 sssd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, sssd_t)
++')
++
+#######################################
+## <summary>
+## Read sssd configuration.
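Review bot: The summary of the new `sssd_systemctl` interface says `Execute sssd server in the sssd domain.`, which is domtrans wording, while what the body grants is `systemd_exec_systemctl($1)`, read plus `manage_service_perms` on `sssd_unit_file_t`, and `ps_process_pattern($1, sssd_t)`. Suggest `Execute systemctl to manage the sssd service and its unit file.` as the summary so the interface is not mistaken for a domain transition when the grant is audited. Since this interface is what `realmd_t` and `sssd_admin` now call in this commit, its summary is the first thing a reviewer of those callers will read.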
@@ -62313,10 +62481,38 @@ index 941380a..a86bc33 100644
+ manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
+')
+
++########################################
++## <summary>
+ ## Read sssd public files.
+ ## </summary>
+ ## <param name="domain">
+@@ -55,6 +173,25 @@ interface(`sssd_read_public_files',`
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+ ')
+
++#######################################
++## <summary>
++## Manage sssd public files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sssd_manage_public_files',`
++ gen_require(`
++ type sssd_public_t;
++ ')
++
++ sssd_search_lib($1)
++ manage_files_pattern($1, sssd_public_t, sssd_public_t)
++')
++
########################################
## <summary>
- ## Read sssd public files.
-@@ -89,6 +166,7 @@ interface(`sssd_manage_pids',`
+ ## Read sssd PID files.
+@@ -89,6 +226,7 @@ interface(`sssd_manage_pids',`
type sssd_var_run_t;
')
@@ -62324,7 +62520,7 @@ index 941380a..a86bc33 100644
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
')
-@@ -128,7 +206,6 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -128,7 +266,6 @@ interface(`sssd_dontaudit_search_lib',`
')
dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
@@ -62332,7 +62528,7 @@ index 941380a..a86bc33 100644
')
########################################
-@@ -148,6 +225,7 @@ interface(`sssd_read_lib_files',`
+@@ -148,6 +285,7 @@ interface(`sssd_read_lib_files',`
files_search_var_lib($1)
read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -62340,7 +62536,7 @@ index 941380a..a86bc33 100644
')
########################################
-@@ -168,6 +246,7 @@ interface(`sssd_manage_lib_files',`
+@@ -168,6 +306,7 @@ interface(`sssd_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
@@ -62348,7 +62544,7 @@ index 941380a..a86bc33 100644
')
########################################
-@@ -193,7 +272,7 @@ interface(`sssd_dbus_chat',`
+@@ -193,7 +332,7 @@ interface(`sssd_dbus_chat',`
########################################
## <summary>
@@ -62357,7 +62553,7 @@ index 941380a..a86bc33 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -225,21 +304,18 @@ interface(`sssd_stream_connect',`
+@@ -225,21 +364,19 @@ interface(`sssd_stream_connect',`
## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
@@ -62373,6 +62569,7 @@ index 941380a..a86bc33 100644
- type sssd_t, sssd_public_t;
- type sssd_initrc_exec_t;
+ type sssd_t, sssd_public_t, sssd_initrc_exec_t;
++ type sssd_unit_file_t;
')
- allow $1 sssd_t:process { ptrace signal_perms getattr };
@@ -62385,8 +62582,18 @@ index 941380a..a86bc33 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
+@@ -252,4 +389,9 @@ interface(`sssd_admin',`
+ sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
++
++ sssd_systemctl($1)
++ admin_pattern($1, sssd_unit_file_t)
++ allow $1 sssd_unit_file_t:service all_service_perms;
++
+ ')
diff --git a/sssd.te b/sssd.te
-index a1b61bc..c36be88 100644
+index a1b61bc..3d2a591 100644
--- a/sssd.te
+++ b/sssd.te
@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t)
@@ -62405,7 +62612,14 @@ index a1b61bc..c36be88 100644
type sssd_var_log_t;
logging_log_file(sssd_var_log_t)
-@@ -28,18 +32,24 @@ files_pid_file(sssd_var_run_t)
+@@ -24,22 +28,31 @@ logging_log_file(sssd_var_log_t)
+ type sssd_var_run_t;
+ files_pid_file(sssd_var_run_t)
+
++type sssd_unit_file_t;
++systemd_unit_file(sssd_unit_file_t)
++
+ ########################################
#
# sssd local policy
#
@@ -62434,7 +62648,7 @@ index a1b61bc..c36be88 100644
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,37 +58,56 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,37 +61,56 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -62493,7 +62707,7 @@ index a1b61bc..c36be88 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,8 +116,17 @@ optional_policy(`
+@@ -87,8 +119,17 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -64000,10 +64214,24 @@ index 38bb312..0a40bc5 100644
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
-index d50c10d..44d277d 100644
+index d50c10d..d2778d3 100644
--- a/tftp.te
+++ b/tftp.te
-@@ -26,21 +26,26 @@ files_type(tftpdir_t)
+@@ -13,6 +13,13 @@ policy_module(tftp, 1.12.0)
+ ## </desc>
+ gen_tunable(tftp_anon_write, false)
+
++## <desc>
++## <p>
++## Allow tftp to read and write files in the user home directories
++## </p>
++## </desc>
++gen_tunable(tftp_home_dir, false)
++
+ type tftpd_t;
+ type tftpd_exec_t;
+ init_daemon_domain(tftpd_t, tftpd_exec_t)
+@@ -26,21 +33,26 @@ files_type(tftpdir_t)
type tftpdir_rw_t;
files_type(tftpdir_rw_t)
@@ -64032,7 +64260,7 @@ index d50c10d..44d277d 100644
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
-@@ -52,7 +57,6 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
+@@ -52,7 +64,6 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
kernel_read_system_state(tftpd_t)
kernel_read_kernel_sysctls(tftpd_t)
@@ -64040,7 +64268,7 @@ index d50c10d..44d277d 100644
corenet_all_recvfrom_netlabel(tftpd_t)
corenet_tcp_sendrecv_generic_if(tftpd_t)
corenet_udp_sendrecv_generic_if(tftpd_t)
-@@ -72,7 +76,6 @@ fs_search_auto_mountpoints(tftpd_t)
+@@ -72,7 +83,6 @@ fs_search_auto_mountpoints(tftpd_t)
domain_use_interactive_fds(tftpd_t)
@@ -64048,7 +64276,7 @@ index d50c10d..44d277d 100644
files_read_etc_runtime_files(tftpd_t)
files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
-@@ -82,7 +85,6 @@ auth_use_nsswitch(tftpd_t)
+@@ -82,7 +92,6 @@ auth_use_nsswitch(tftpd_t)
logging_send_syslog_msg(tftpd_t)
@@ -64056,17 +64284,43 @@ index d50c10d..44d277d 100644
miscfiles_read_public_files(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
-@@ -94,6 +96,10 @@ tunable_policy(`tftp_anon_write',`
+@@ -93,6 +102,36 @@ tunable_policy(`tftp_anon_write',`
+ miscfiles_manage_public_files(tftpd_t)
')
- optional_policy(`
-+ cobbler_read_lib_files(tftpd_t)
++tunable_policy(`tftp_home_dir',`
++ allow tftpd_t self:capability { dac_override dac_read_search };
++
++ # allow access to /home
++ files_list_home(tftpd_t)
++ userdom_read_user_home_content_files(tftpd_t)
++ userdom_manage_user_home_content(tftpd_t)
++
++ auth_read_all_dirs_except_shadow(tftpd_t)
++ auth_read_all_files_except_shadow(tftpd_t)
++ auth_read_all_symlinks_except_shadow(tftpd_t)
++',`
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file })
++')
++
++tunable_policy(`tftp_home_dir && use_nfs_home_dirs',`
++ fs_manage_nfs_files(tftpd_t)
++ fs_read_nfs_symlinks(tftpd_t)
++')
++
++tunable_policy(`tftp_home_dir && use_samba_home_dirs',`
++ fs_manage_cifs_files(tftpd_t)
++ fs_read_cifs_symlinks(tftpd_t)
+')
+
+optional_policy(`
++ cobbler_read_lib_files(tftpd_t)
++')
++
+ optional_policy(`
inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
')
-
diff --git a/tgtd.fc b/tgtd.fc
index 8294f6f..4847b43 100644
--- a/tgtd.fc
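Review bot: The `tftp_home_dir` branch grants considerably more than the tunable's `<desc>` states: besides `userdom_manage_user_home_content(tftpd_t)` it adds `allow tftpd_t self:capability { dac_override dac_read_search };` and `auth_read_all_files_except_shadow`/`auth_read_all_dirs_except_shadow`/`auth_read_all_symlinks_except_shadow`, which by their names permit reading all non-shadow files system-wide regardless of DAC permission bits, not only home directories. Because tftpd serves files to unauthenticated clients, the `<desc>` added in the earlier hunk of this file (`Allow tftp to read and write files in the user home directories`) should state that enabling the boolean also grants DAC override and read access to all files except shadow, or the `auth_read_all_*` lines should be dropped in favour of the home-content interfaces if home access is all that is required. Separately, the changelog entry names the boolean `tftp_homedir` while the policy declares `gen_tunable(tftp_home_dir, false)`; one of the two should be corrected so administrators can find the tunable by its documented name.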
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c7cc941..d4547f8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 40%{?dist}
+Release: 41%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Oct 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-41
+- Allow mount to relabelfrom unlabeled file systems
+- systemd_logind wants to send and receive messages from devicekit disk over dbus to make connected mouse working
+- Add label to get bin files under libreoffice labeled correctly
+- Fix interface to allow executing of base_ro_file_type
+- Add fixes for realmd
+- Update pki policy
+- Add tftp_homedir boolean
+- Allow blueman sched_setscheduler
+- openshift user domains wants to r/w ssh tcp sockets
+
* Wed Oct 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-40
- Additional requirements for disable unconfined module when booting
- Fix label of systemd script files