[selinux-policy] - removing unconfined_notrans_t no longer necessary - Clean up handling of secure_mode_insmod and se
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Sep 9 11:28:51 UTC 2011
commit 116a117fbabe9d49a993685fb55b4405fe3369cf
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Sep 9 13:28:28 2011 +0200
- remove unconfined_notrans_t, which is no longer necessary
- Clean up handling of secure_mode_insmod and secure_mode_policyload
- Remove unconfined_mount_t
policy-F16.patch | 830 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 7 +-
2 files changed, 530 insertions(+), 307 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 213601a..7a1c25d 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -101,10 +101,10 @@ index 14a4799..067ecfc 100644
+
# FLASK
diff --git a/policy/global_booleans b/policy/global_booleans
-index 111d004..9df7b5e 100644
+index 111d004..c90e80d 100644
--- a/policy/global_booleans
+++ b/policy/global_booleans
-@@ -6,7 +6,7 @@
+@@ -6,25 +6,10 @@
## <desc>
## <p>
@@ -113,23 +113,24 @@ index 111d004..9df7b5e 100644
## newrole, from transitioning to administrative
## user domains.
## </p>
-@@ -15,14 +15,14 @@ gen_bool(secure_mode,false)
-
- ## <desc>
- ## <p>
--## Disable transitions to insmod.
-+## disallow programs and users from transitioning to insmod domain.
- ## </p>
## </desc>
- gen_bool(secure_mode_insmod,false)
+ gen_bool(secure_mode,false)
- ## <desc>
- ## <p>
+-## <desc>
+-## <p>
+-## Disable transitions to insmod.
+-## </p>
+-## </desc>
+-gen_bool(secure_mode_insmod,false)
+-
+-## <desc>
+-## <p>
-## boolean to determine whether the system permits loading policy, setting
-+## prevent all confined domains from loading policy, setting
- ## enforcing mode, and changing boolean values. Set this to true and you
- ## have to reboot to set it back
- ## </p>
+-## enforcing mode, and changing boolean values. Set this to true and you
+-## have to reboot to set it back
+-## </p>
+-## </desc>
+-gen_bool(secure_mode_policyload,false)
diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..262b5ba 100644
--- a/policy/global_tunables
@@ -3621,10 +3622,10 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..3d2f418 100644
+index 441cf22..d3dd0b9 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
-@@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t)
+@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -3635,9 +3636,10 @@ index 441cf22..3d2f418 100644
fs_getattr_xattr_fs(chfn_t)
fs_search_auto_mountpoints(chfn_t)
-@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
+
# for SSP
dev_read_urand(chfn_t)
++dev_dontaudit_getattr_all(chfn_t)
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
@@ -3646,7 +3648,7 @@ index 441cf22..3d2f418 100644
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
-@@ -118,6 +116,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+@@ -118,6 +117,10 @@ userdom_use_unpriv_users_fds(chfn_t)
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
@@ -3657,7 +3659,7 @@ index 441cf22..3d2f418 100644
########################################
#
# Crack local policy
-@@ -194,8 +196,7 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +197,7 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -3667,7 +3669,7 @@ index 441cf22..3d2f418 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -291,17 +292,18 @@ selinux_compute_create_context(passwd_t)
+@@ -291,17 +293,18 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -3690,7 +3692,7 @@ index 441cf22..3d2f418 100644
domain_use_interactive_fds(passwd_t)
-@@ -323,7 +325,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +326,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@@ -3699,7 +3701,7 @@ index 441cf22..3d2f418 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -332,6 +334,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3707,7 +3709,7 @@ index 441cf22..3d2f418 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -381,8 +384,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +385,7 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3717,7 +3719,7 @@ index 441cf22..3d2f418 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +428,7 @@ optional_policy(`
+@@ -426,7 +429,7 @@ optional_policy(`
# Useradd local policy
#
@@ -3726,7 +3728,7 @@ index 441cf22..3d2f418 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,6 +450,9 @@ corecmd_exec_shell(useradd_t)
+@@ -448,8 +451,12 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3735,8 +3737,11 @@ index 441cf22..3d2f418 100644
+
domain_use_interactive_fds(useradd_t)
domain_read_all_domains_state(useradd_t)
++domain_dontaudit_read_all_domains_state(useradd_t)
-@@ -460,6 +465,7 @@ fs_search_auto_mountpoints(useradd_t)
+ files_manage_etc_files(useradd_t)
+ files_search_var_lib(useradd_t)
+@@ -460,6 +467,7 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
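Review bot: `domain_dontaudit_read_all_domains_state(useradd_t)` is added directly under `domain_read_all_domains_state(useradd_t)`, which already allows that access; a dontaudit only suppresses denials, so as long as the allow stays the new line has no effect unless the dontaudit interface covers permissions the allow does not. Worth confirming which of the two is intended and dropping the other, since keeping both makes the policy read as if the access were both granted and hidden. The useradd local-policy block continues outside the hunk.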
@@ -3744,7 +3749,7 @@ index 441cf22..3d2f418 100644
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
-@@ -469,8 +475,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +477,7 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
@@ -3754,7 +3759,7 @@ index 441cf22..3d2f418 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,21 +503,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +505,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -16755,10 +16760,24 @@ index f125dc2..3c6e827 100644
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 6346378..edbe041 100644
+index 6346378..8c500cd 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
-@@ -2072,7 +2072,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -345,13 +345,8 @@ interface(`kernel_load_module',`
+ attribute can_load_kernmodule;
+ ')
+
+- allow $1 self:capability sys_module;
+ typeattribute $1 can_load_kernmodule;
+
+- # load_module() calls stop_machine() which
+- # calls sched_setscheduler()
+- allow $1 self:capability sys_nice;
+- kernel_setsched($1)
+ ')
+
+ ########################################
+@@ -2072,7 +2067,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
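Review bot: `kernel_load_module` no longer grants anything by itself — after this hunk it only attaches `can_load_kernmodule`, and the `sys_module`/`sys_nice` capabilities plus `kernel_setsched` now come from a block in kernel.te that is conditional on `secure_mode_insmod` (hunk at L349-L372). The interface's `<summary>`/`<desc>` sit above the hunk and are not touched, so a caller reading the .if documentation will still expect an unconditional grant. Suggest extending the description with `## The sys_module and sys_nice capabilities are only granted while the secure_mode_insmod boolean is false.` The interface's gen_require block starts before the hunk.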
@@ -16767,7 +16786,7 @@ index 6346378..edbe041 100644
')
########################################
-@@ -2293,7 +2293,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2293,7 +2288,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@@ -16776,7 +16795,7 @@ index 6346378..edbe041 100644
## </summary>
## </param>
#
-@@ -2475,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2475,6 +2470,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@@ -16801,7 +16820,7 @@ index 6346378..edbe041 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2619,7 +2637,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2619,7 +2632,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -16810,7 +16829,7 @@ index 6346378..edbe041 100644
')
########################################
-@@ -2657,6 +2675,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2657,6 +2670,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -16835,7 +16854,7 @@ index 6346378..edbe041 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2684,6 +2720,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2684,6 +2715,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -16861,7 +16880,7 @@ index 6346378..edbe041 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2793,6 +2848,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2793,6 +2843,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -16895,7 +16914,7 @@ index 6346378..edbe041 100644
########################################
## <summary>
-@@ -2948,6 +3030,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2948,6 +3025,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -16920,9 +16939,11 @@ index 6346378..edbe041 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2963,3 +3063,23 @@ interface(`kernel_unconfined',`
+@@ -2962,4 +3057,25 @@ interface(`kernel_unconfined',`
+ ')
typeattribute $1 kern_unconfined;
++ kernel_load_module($1)
')
+
+########################################
@@ -16945,10 +16966,23 @@ index 6346378..edbe041 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..848f59b 100644
+index d91c62f..e8faa88 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
-@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+@@ -1,5 +1,12 @@
+ policy_module(kernel, 1.13.3)
+
++## <desc>
++## <p>
++## disallow programs and users from transitioning to insmod domain.
++## </p>
++## </desc>
++gen_bool(secure_mode_insmod,false)
++
+ ########################################
+ #
+ # Declarations
+@@ -50,6 +57,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
type debugfs_t;
fs_type(debugfs_t)
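Review bot: The `<p>` text attached to the new `gen_bool(secure_mode_insmod,false)` still says it disallows transitions to the insmod domain, but after this commit the boolean no longer gates any transition: the pppd tunable at L862-L863 drops the `! secure_mode_insmod` condition, and the kernel.te hunk at L349-L372 makes it withdraw the `sys_module` and `sys_nice` capabilities from every `can_load_kernmodule` domain instead. An administrator reading this description through the boolean-listing tools would misjudge what enabling it does. Suggest replacing the paragraph with `## Disable kernel module loading for all domains that carry the can_load_kernmodule attribute by withholding the sys_module capability.`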
@@ -16957,7 +16991,7 @@ index d91c62f..848f59b 100644
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-@@ -157,6 +159,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
+@@ -157,6 +166,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -16965,7 +16999,7 @@ index d91c62f..848f59b 100644
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -242,11 +245,14 @@ dev_search_usbfs(kernel_t)
+@@ -242,11 +252,14 @@ dev_search_usbfs(kernel_t)
# devtmpfs handling:
dev_create_generic_dirs(kernel_t)
dev_delete_generic_dirs(kernel_t)
@@ -16984,7 +17018,7 @@ index d91c62f..848f59b 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
-@@ -255,7 +261,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -255,7 +268,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -16994,7 +17028,7 @@ index d91c62f..848f59b 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -269,25 +276,47 @@ files_list_root(kernel_t)
+@@ -269,25 +283,47 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -17042,7 +17076,7 @@ index d91c62f..848f59b 100644
')
optional_policy(`
-@@ -297,6 +326,19 @@ optional_policy(`
+@@ -297,6 +333,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -17062,7 +17096,7 @@ index d91c62f..848f59b 100644
')
optional_policy(`
-@@ -334,9 +376,7 @@ optional_policy(`
+@@ -334,9 +383,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -17073,7 +17107,7 @@ index d91c62f..848f59b 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -345,7 +385,7 @@ optional_policy(`
+@@ -345,7 +392,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -17082,7 +17116,7 @@ index d91c62f..848f59b 100644
')
')
-@@ -358,6 +398,15 @@ optional_policy(`
+@@ -358,6 +405,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -17098,6 +17132,23 @@ index d91c62f..848f59b 100644
########################################
#
# Unlabeled process local policy
+@@ -387,3 +443,16 @@ allow kern_unconfined unlabeled_t:filesystem *;
+ allow kern_unconfined unlabeled_t:association *;
+ allow kern_unconfined unlabeled_t:packet *;
+ allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
++
++gen_require(`
++ bool secure_mode_insmod;
++')
++
++if( ! secure_mode_insmod ) {
++ allow can_load_kernmodule self:capability sys_module;
++ # load_module() calls stop_machine() which
++ # calls sched_setscheduler()
++ allow can_load_kernmodule self:capability sys_nice;
++ kernel_setsched(can_load_kernmodule)
++'}
++
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..6bb6529 100644
--- a/policy/modules/kernel/mcs.if
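Review bot: The conditional block added to kernel.te closes with `'}` on its last added line, but a block opened with `if( ! secure_mode_insmod ) {` must close with a bare `}`; the leading `'` is an unbalanced m4 close-quote and, as far as I can tell, would reach checkpolicy as a syntax error in the base module. Since this block is now the only place `sys_module` is granted to `can_load_kernmodule` (the grant is removed from `kernel_load_module` at L187), it is worth a policy build before merging. The `gen_require(` for `secure_mode_insmod` also appears unnecessary: the boolean is declared at the top of this same file by the hunk at L266-L290, and `gen_require` is meant for references to declarations from other modules. Suggested change: replace `'}` with `}` and drop the three `gen_require` lines.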
@@ -17170,7 +17221,7 @@ index 7be4ddf..4d4c577 100644
-# This module currently does not have any file contexts.
+/selinux -l gen_context(system_u:object_r:security_t,s0)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index ca7e808..9ca9557 100644
+index ca7e808..f155e92 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -17279,8 +17330,11 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
-@@ -311,6 +345,8 @@ interface(`selinux_set_enforce_mode',`
- bool secure_mode_policyload;
+@@ -308,21 +342,13 @@ interface(`selinux_set_enforce_mode',`
+ gen_require(`
+ type security_t;
+ attribute can_setenforce;
+- bool secure_mode_policyload;
')
+ dev_getattr_sysfs_fs($1)
@@ -17288,8 +17342,23 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
-@@ -342,6 +378,8 @@ interface(`selinux_load_policy',`
- bool secure_mode_policyload;
+-
+- if(!secure_mode_policyload) {
+- allow $1 security_t:security setenforce;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setenforce;
+- ')
+- }
+ ')
+
+ ########################################
+@@ -339,21 +365,13 @@ interface(`selinux_load_policy',`
+ gen_require(`
+ type security_t;
+ attribute can_load_policy;
+- bool secure_mode_policyload;
')
+ dev_getattr_sysfs_fs($1)
@@ -17297,7 +17366,19 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_load_policy;
-@@ -371,6 +409,8 @@ interface(`selinux_read_policy',`
+-
+- if(!secure_mode_policyload) {
+- allow $1 security_t:security load_policy;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security load_policy;
+- ')
+- }
+ ')
+
+ ########################################
+@@ -371,6 +389,8 @@ interface(`selinux_read_policy',`
type security_t;
')
@@ -17306,27 +17387,58 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
allow $1 security_t:security read_policy;
-@@ -436,6 +476,8 @@ interface(`selinux_set_generic_booleans',`
- bool secure_mode_policyload;
+@@ -433,20 +453,14 @@ interface(`selinux_set_boolean',`
+ interface(`selinux_set_generic_booleans',`
+ gen_require(`
+ type security_t;
+- bool secure_mode_policyload;
++ attribute can_setbool;
')
++ typeattribute $1 can_setbool;
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
+-
+- if(!secure_mode_policyload) {
+- allow $1 security_t:security setbool;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setbool;
+- ')
+- }
+ ')
-@@ -478,7 +520,10 @@ interface(`selinux_set_all_booleans',`
- bool secure_mode_policyload;
+ ########################################
+@@ -475,20 +489,15 @@ interface(`selinux_set_all_booleans',`
+ gen_require(`
+ type security_t;
+ attribute boolean_type;
+- bool secure_mode_policyload;
++ attribute can_setbool;
')
++ typeattribute $1 can_setbool;
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
+ allow $1 boolean_type:dir list_dir_perms;
allow $1 boolean_type:file rw_file_perms;
+-
+- if(!secure_mode_policyload) {
+- allow $1 security_t:security setbool;
+-
+- ifdef(`distro_rhel4',`
+- # needed for systems without audit support
+- auditallow $1 security_t:security setbool;
+- ')
+- }
+ ')
- if(!secure_mode_policyload) {
-@@ -519,6 +564,8 @@ interface(`selinux_set_parameters',`
+ ########################################
+@@ -519,6 +528,8 @@ interface(`selinux_set_parameters',`
attribute can_setsecparam;
')
@@ -17335,7 +17447,7 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
-@@ -542,6 +589,8 @@ interface(`selinux_validate_context',`
+@@ -542,6 +553,8 @@ interface(`selinux_validate_context',`
type security_t;
')
@@ -17344,7 +17456,7 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security check_context;
-@@ -584,6 +633,8 @@ interface(`selinux_compute_access_vector',`
+@@ -584,6 +597,8 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
@@ -17353,7 +17465,7 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
-@@ -605,6 +656,8 @@ interface(`selinux_compute_create_context',`
+@@ -605,6 +620,8 @@ interface(`selinux_compute_create_context',`
type security_t;
')
@@ -17362,7 +17474,7 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
-@@ -626,6 +679,8 @@ interface(`selinux_compute_member',`
+@@ -626,6 +643,8 @@ interface(`selinux_compute_member',`
type security_t;
')
@@ -17371,7 +17483,7 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
-@@ -655,6 +710,8 @@ interface(`selinux_compute_relabel_context',`
+@@ -655,6 +674,8 @@ interface(`selinux_compute_relabel_context',`
type security_t;
')
@@ -17380,7 +17492,7 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
-@@ -675,6 +732,8 @@ interface(`selinux_compute_user_contexts',`
+@@ -675,6 +696,8 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
@@ -17389,10 +17501,14 @@ index ca7e808..9ca9557 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
-@@ -697,3 +756,24 @@ interface(`selinux_unconfined',`
+@@ -696,4 +719,28 @@ interface(`selinux_unconfined',`
+ ')
typeattribute $1 selinux_unconfined_type;
- ')
++ selinux_set_all_booleans($1)
++ selinux_load_policy($1)
++ selinux_set_parameters($1)
++')
+
+########################################
+## <summary>
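Review bot: `selinux_unconfined` now pulls in `selinux_set_all_booleans`, `selinux_load_policy` and `selinux_set_parameters`, but not `selinux_set_enforce_mode`. The selinux.te hunk at L604-L649 removes the old blanket `{ load_policy setenforce setbool }` grant to `selinux_unconfined_type` and tightens the assertion to `neverallow ~{ can_setenforce }`, and the context rule at L620 already excludes setenforce, so unless unconfined domains obtain `can_setenforce` somewhere I cannot see they lose the ability to switch enforcing mode with this commit. If that is unintended, add `selinux_set_enforce_mode($1)` next to the other three calls; if it is intended, the commit message should say so, since it is a behaviour change for unconfined_t.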
@@ -17412,13 +17528,36 @@ index ca7e808..9ca9557 100644
+ type $1, boolean_type;
+ fs_type($1)
+ mls_trusted_object($1)
-+')
+ ')
+
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index d70e0b3..e1358fe 100644
+index d70e0b3..97b254e 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
-@@ -18,6 +18,7 @@ attribute selinux_unconfined_type;
+@@ -1,5 +1,14 @@
+ policy_module(selinux, 1.9.1)
+
++## <desc>
++## <p>
++## prevent all confined domains from loading policy, setting
++## enforcing mode, and changing boolean values. Set this to true and you
++## have to reboot to set it back
++## </p>
++## </desc>
++gen_bool(secure_mode_policyload,false)
++
+ ########################################
+ #
+ # Declarations
+@@ -8,6 +17,7 @@ policy_module(selinux, 1.9.1)
+ attribute boolean_type;
+ attribute can_load_policy;
+ attribute can_setenforce;
++attribute can_setbool;
+ attribute can_setsecparam;
+ attribute selinux_unconfined_type;
+
+@@ -18,14 +28,15 @@ attribute selinux_unconfined_type;
#
type security_t, boolean_type;
fs_type(security_t)
@@ -17426,6 +17565,45 @@ index d70e0b3..e1358fe 100644
mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+ genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
+
+-neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+-neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
+-neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
++neverallow ~{ can_load_policy } security_t:security load_policy;
++neverallow ~{ can_setenforce } security_t:security setenforce;
++neverallow ~{ can_setsecparam } security_t:security setsecparam;
+
+ ########################################
+ #
+@@ -41,11 +52,24 @@ allow selinux_unconfined_type boolean_type:file read_file_perms;
+ allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };
+
+ if(!secure_mode_policyload) {
+- allow selinux_unconfined_type boolean_type:file rw_file_perms;
+- allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
++ allow can_setenforce security_t:security setenforce;
++
++ ifdef(`distro_rhel4',`
++ # needed for systems without audit support
++ auditallow can_setenforce security_t:security setenforce;
++ ')
++
++ allow can_load_policy security_t:security load_policy;
++
++ ifdef(`distro_rhel4',`
++ # needed for systems without audit support
++ auditallow can_load_policy security_t:security load_policy;
++ ')
++
++ allow can_setbool boolean_type:security setbool;
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+- auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
++ auditallow can_setbool boolean_type:security setbool;
+ ')
+ }
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 1700ef2..6b7eabb 100644
--- a/policy/modules/kernel/storage.if
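Review bot: The new `can_setbool` attribute gets no `neverallow`, while the three rewritten assertions at L613-L615 now rely solely on their attributes; adding `neverallow ~{ can_setbool } security_t:security setbool;` beside them would let the boolean-setting path be checked at build time the same way as load_policy and setenforce. The new grants are also written against `boolean_type:security setbool` where the removed interface rules used `security_t:security setbool` (L460, L486); as far as I know the kernel checks setbool against the security SID, so the rule only works because `security_t` carries `boolean_type` (L602), and it emits the same permission for every labelled boolean type for no benefit. `allow can_setbool security_t:security setbool;` (and the matching auditallow under `distro_rhel4`) is the tighter form.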
@@ -19979,10 +20157,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..a55926b
+index 0000000..e3db8d4
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,531 @@
+@@ -0,0 +1,507 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -20048,11 +20226,6 @@ index 0000000..a55926b
+role system_r types unconfined_t;
+typealias unconfined_t alias unconfined_crontab_t;
+
-+type unconfined_notrans_t;
-+type unconfined_notrans_exec_t;
-+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t)
-+role unconfined_r types unconfined_notrans_t;
-+
+########################################
+#
+# Local policy
@@ -20102,12 +20275,6 @@ index 0000000..a55926b
+
+systemd_config_all_services(unconfined_t)
+
-+optional_policy(`
-+ mount_run_unconfined(unconfined_t, unconfined_r)
-+ # Unconfined running as system_r
-+ mount_domtrans_unconfined(unconfined_t)
-+')
-+
+seutil_run_loadpolicy(unconfined_t, unconfined_r)
+seutil_run_setsebool(unconfined_t, unconfined_r)
+seutil_run_setfiles(unconfined_t, unconfined_r)
@@ -20496,19 +20663,6 @@ index 0000000..a55926b
+
+########################################
+#
-+# Unconfined notrans Local policy
-+#
-+
-+allow unconfined_notrans_t self:process { execstack execmem };
-+unconfined_domain_noaudit(unconfined_notrans_t)
-+userdom_unpriv_usertype(unconfined, unconfined_notrans_t)
-+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
-+# Allow SELinux aware applications to request rpm_script execution
-+rpm_transition_script(unconfined_notrans_t)
-+domain_ptrace_all_domains(unconfined_notrans_t)
-+
-+########################################
-+#
+# Unconfined mount local policy
+#
+
@@ -21481,7 +21635,7 @@ index c0f858d..d639ae0 100644
accountsd_manage_lib_files($1)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..5bc08d2 100644
+index 1632f10..493bde2 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
@@ -21493,7 +21647,15 @@ index 1632f10..5bc08d2 100644
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
-@@ -32,10 +34,12 @@ files_read_usr_files(accountsd_t)
+@@ -18,6 +20,7 @@ files_type(accountsd_var_lib_t)
+ #
+
+ allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
++allow accountsd_t self:process signal;
+ allow accountsd_t self:fifo_file rw_fifo_file_perms;
+
+ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+@@ -32,10 +35,12 @@ files_read_usr_files(accountsd_t)
files_read_mnt_files(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -21506,7 +21668,7 @@ index 1632f10..5bc08d2 100644
miscfiles_read_localization(accountsd_t)
-@@ -55,3 +59,8 @@ optional_policy(`
+@@ -55,3 +60,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
@@ -25800,10 +25962,10 @@ index fa62787..ffd0da5 100644
admin_pattern($1, certmaster_etc_rw_t)
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
-index 3384132..daef4e1 100644
+index 3384132..97d3269 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
-@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+@@ -43,23 +43,25 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
@@ -25826,6 +25988,8 @@ index 3384132..daef4e1 100644
corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)
++dev_read_urand(certmaster_t)
++
files_search_etc(certmaster_t)
+files_read_usr_files(certmaster_t)
files_list_var(certmaster_t)
@@ -28557,7 +28721,7 @@ index 35241ed..92acfae 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..3c9cf5a 100644
+index f7583ab..ee001c7 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -28691,7 +28855,7 @@ index f7583ab..3c9cf5a 100644
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
-+allow crond_t self:capability { dac_override chown setgid setuid sys_nice dac_read_search };
++allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
-allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
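Review bot: `fowner` is added to crond_t's capability set on the rewritten line without any explanation, and the commit message does not mention it. A capability that lets the daemon bypass owner checks on files should carry a why-comment so the next reviewer can tell whether it is still needed; suggest a line above it such as `# fowner: <operation that triggered the denial — fill in>` with the real reason substituted. The rest of the crond local-policy block continues outside the hunk.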
@@ -30915,7 +31079,7 @@ index f706b99..13d3a35 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..5a06fc7 100644
+index f231f17..544ab05 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -31100,7 +31264,7 @@ index f231f17..5a06fc7 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +325,25 @@ optional_policy(`
+@@ -276,9 +325,30 @@ optional_policy(`
')
optional_policy(`
@@ -31126,6 +31290,11 @@ index f231f17..5a06fc7 100644
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
++
++optional_policy(`
++ corenet_tcp_connect_xserver_port(devicekit_power_t)
++ xserver_stream_connect(devicekit_power_t)
++')
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
index 767e0c7..7956248 100644
--- a/policy/modules/services/dhcp.fc
@@ -35311,10 +35480,10 @@ index 0000000..3b1870a
+
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
new file mode 100644
-index 0000000..030a521
+index 0000000..3d67b98
--- /dev/null
+++ b/policy/modules/services/glance.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,131 @@
+policy_module(glance, 1.0.0)
+
+########################################
@@ -35329,6 +35498,9 @@ index 0000000..030a521
+type glance_registry_initrc_exec_t;
+init_script_file(glance_registry_initrc_exec_t)
+
++type glance_registry_tmp_t;
++files_tmp_file(glance_registry_tmp_t)
++
+type glance_api_t;
+type glance_api_exec_t;
+init_daemon_domain(glance_api_t, glance_api_exec_t)
@@ -35357,6 +35529,10 @@ index 0000000..030a521
+allow glance_registry_t self:unix_stream_socket create_stream_socket_perms;
+allow glance_registry_t self:tcp_socket create_stream_socket_perms;
+
++manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
++manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
++files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
++
+manage_dirs_pattern(glance_registry_t, glance_log_t, glance_log_t)
+manage_files_pattern(glance_registry_t, glance_log_t, glance_log_t)
+logging_log_filetrans(glance_registry_t, glance_log_t, { dir file })
@@ -35423,6 +35599,8 @@ index 0000000..030a521
+
+dev_read_urand(glance_api_t)
+
++fs_getattr_xattr_fs(glance_api_t)
++
+domain_use_interactive_fds(glance_api_t)
+
+files_read_etc_files(glance_api_t)
@@ -45867,7 +46045,7 @@ index b524673..9d90fb3 100644
admin_pattern($1, pptp_var_run_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..53f977a 100644
+index 2af42e7..95a25b6 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -45959,7 +46137,15 @@ index 2af42e7..53f977a 100644
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
-@@ -194,6 +197,8 @@ optional_policy(`
+@@ -187,13 +190,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- tunable_policy(`pppd_can_insmod && ! secure_mode_insmod',`
++ tunable_policy(`pppd_can_insmod',`
+ modutils_domtrans_insmod_uncond(pppd_t)
+ ')
+ ')
optional_policy(`
mta_send_mail(pppd_t)
@@ -50792,7 +50978,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..2977339 100644
+index e30bb63..be3f853 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -50963,7 +51149,13 @@ index e30bb63..2977339 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t)
+@@ -574,11 +575,13 @@ samba_read_winbind_pid(smbcontrol_t)
+
+ domain_use_interactive_fds(smbcontrol_t)
+
++term_use_console(smbcontrol_t)
++
+ files_read_etc_files(smbcontrol_t)
miscfiles_read_localization(smbcontrol_t)
@@ -50972,7 +51164,7 @@ index e30bb63..2977339 100644
########################################
#
-@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +647,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -50997,7 +51189,7 @@ index e30bb63..2977339 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +682,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -51006,7 +51198,7 @@ index e30bb63..2977339 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +697,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -51021,7 +51213,7 @@ index e30bb63..2977339 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +717,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -51029,7 +51221,7 @@ index e30bb63..2977339 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +760,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +762,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -51038,7 +51230,7 @@ index e30bb63..2977339 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +816,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -51060,7 +51252,7 @@ index e30bb63..2977339 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +844,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -51068,7 +51260,7 @@ index e30bb63..2977339 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +916,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -51077,7 +51269,7 @@ index e30bb63..2977339 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +932,18 @@ optional_policy(`
+@@ -922,6 +934,18 @@ optional_policy(`
#
optional_policy(`
@@ -51096,7 +51288,7 @@ index e30bb63..2977339 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +954,12 @@ optional_policy(`
+@@ -932,9 +956,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -51351,7 +51543,7 @@ index f1aea88..a5a75a8 100644
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index cfc60dd..53a9d2d 100644
+index cfc60dd..791c5b3 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
@@ -51364,7 +51556,7 @@ index cfc60dd..53a9d2d 100644
type saslauthd_var_run_t;
files_pid_file(saslauthd_var_run_t)
-@@ -38,17 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;
@@ -51381,14 +51573,14 @@ index cfc60dd..53a9d2d 100644
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
-
++kernel_rw_afs_state(saslauthd_t)
++
+#577519
+corecmd_exec_bin(saslauthd_t)
-+
+
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
- corenet_tcp_sendrecv_generic_if(saslauthd_t)
-@@ -94,6 +93,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
optional_policy(`
kerberos_keytab_template(saslauthd, saslauthd_t)
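Review bot: The new `kernel_rw_afs_state(saslauthd_t)` has no rationale, while the neighbouring `corecmd_exec_bin(saslauthd_t)` is tied to `#577519`; write access to the AFS proc state is unusual for an authentication daemon and should be traceable to the AVC that motivated it. If that denial only showed read, the rw interface is wider than needed — confirm the write bit before keeping it. Proposed comment above the line: `# saslauthd touches /proc/fs/openafs when built with AFS support - bz#<id> (confirm write is required)`.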
@@ -51410,7 +51602,7 @@ index 0000000..d5c3c3f
+/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if
new file mode 100644
-index 0000000..8aef188
+index 0000000..b077a62
--- /dev/null
+++ b/policy/modules/services/sblim.if
@@ -0,0 +1,78 @@
@@ -51453,7 +51645,7 @@ index 0000000..8aef188
+ ')
+
+ files_search_pids($1)
-+ allow $1 gatherd_var_run_t:file read_file_perms;
++ allow $1 sblim_var_run_t:file read_file_perms;
+')
+
+
@@ -53919,7 +54111,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..4ecf377 100644
+index 8ffa257..69e86c3 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -53928,7 +54120,7 @@ index 8ffa257..4ecf377 100644
#
-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
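Review bot: `net_admin` in the new capability set for sssd_t is far broader than the other additions — it covers interface, routing and firewall configuration — and the hunk gives no reason for granting it. A `net_admin` AVC from a daemon is frequently a setsockopt call the program tolerates failing, in which case `dontaudit sssd_t self:capability net_admin;` keeps the domain tight without breaking anything; I cannot tell from the hunk which it is. If sssd genuinely needs it, the justification belongs next to the rule, e.g. `# net_admin: <syscall/option> used by <sssd responder>`.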
@@ -54093,7 +54285,7 @@ index 08d999c..bca4388 100644
/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
/var/log/sa(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
-index 52f0d6c..7ef2b18 100644
+index 52f0d6c..1473d95 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0)
@@ -54114,7 +54306,15 @@ index 52f0d6c..7ef2b18 100644
allow sysstat_t self:fifo_file rw_fifo_file_perms;
can_exec(sysstat_t, sysstat_exec_t)
-@@ -51,12 +49,16 @@ fs_getattr_xattr_fs(sysstat_t)
+@@ -36,6 +34,7 @@ kernel_read_kernel_sysctls(sysstat_t)
+ kernel_read_fs_sysctls(sysstat_t)
+ kernel_read_rpc_sysctls(sysstat_t)
+
++corecmd_exec_shell(sysstat_t)
+ corecmd_exec_bin(sysstat_t)
+
+ dev_read_urand(sysstat_t)
+@@ -51,12 +50,16 @@ fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
term_use_console(sysstat_t)
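Review bot: `corecmd_exec_shell(sysstat_t)` lets a cron-driven collector spawn a shell and is added without a comment; the likely driver is that sa1/sa2 are shell scripts labelled sysstat_exec_t (the hunk's context already shows `can_exec(sysstat_t, sysstat_exec_t)`), so the interpreter is needed to run them. If that is the case, say so at the rule, `# sa1/sa2 are shell scripts, need the interpreter`; if the trigger was something else, the rule deserves a second look, since shell access is a common pivot in a confined domain.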
@@ -54132,7 +54332,7 @@ index 52f0d6c..7ef2b18 100644
miscfiles_read_localization(sysstat_t)
userdom_dontaudit_list_user_home_dirs(sysstat_t)
-@@ -64,7 +66,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
+@@ -64,7 +67,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
@@ -58161,7 +58361,7 @@ index 130ced9..b6fb17a 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..00b270e 100644
+index 143c893..453a478 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -58527,7 +58727,7 @@ index 143c893..00b270e 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +454,63 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -58545,6 +58745,7 @@ index 143c893..00b270e 100644
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++can_exec(xdm_t, xdm_tmp_t)
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
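Review bot: `can_exec(xdm_t, xdm_tmp_t)` makes xdm's tmp type both writable and executable by the same domain — the adjacent `manage_files_pattern` and `files_tmp_filetrans` lines already let xdm_t create xdm_tmp_t content — and this patch elsewhere keeps `manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)`, so anything that can write that type can plant code xdm_t will run. If a specific helper is executed out of /tmp, a dedicated type with a named filetrans and `can_exec` on that type alone is the safer shape; otherwise gate it behind a tunable or at minimum record the triggering program, `# xdm executes <program> it writes to /tmp - confirm`. The hunk carries no such justification.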
@@ -58596,7 +58797,7 @@ index 143c893..00b270e 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -58624,7 +58825,7 @@ index 143c893..00b270e 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +549,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -58678,7 +58879,7 @@ index 143c893..00b270e 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +602,23 @@ files_list_mnt(xdm_t)
+@@ -435,9 +603,23 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -58702,7 +58903,7 @@ index 143c893..00b270e 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +627,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +628,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -58742,7 +58943,7 @@ index 143c893..00b270e 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -58773,7 +58974,7 @@ index 143c893..00b270e 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
@@ -58788,7 +58989,7 @@ index 143c893..00b270e 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -58810,7 +59011,7 @@ index 143c893..00b270e 100644
')
optional_policy(`
-@@ -519,12 +748,62 @@ optional_policy(`
+@@ -519,12 +749,62 @@ optional_policy(`
')
optional_policy(`
@@ -58873,7 +59074,7 @@ index 143c893..00b270e 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +821,69 @@ optional_policy(`
+@@ -542,28 +822,69 @@ optional_policy(`
')
optional_policy(`
@@ -58952,7 +59153,7 @@ index 143c893..00b270e 100644
')
optional_policy(`
-@@ -575,6 +895,14 @@ optional_policy(`
+@@ -575,6 +896,14 @@ optional_policy(`
')
optional_policy(`
@@ -58967,7 +59168,7 @@ index 143c893..00b270e 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +927,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +928,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -58976,7 +59177,7 @@ index 143c893..00b270e 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +941,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -58992,7 +59193,7 @@ index 143c893..00b270e 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +968,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -59014,7 +59215,7 @@ index 143c893..00b270e 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +988,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +989,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -59022,7 +59223,7 @@ index 143c893..00b270e 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,7 +1015,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,7 +1016,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -59030,7 +59231,7 @@ index 143c893..00b270e 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -682,11 +1024,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -682,11 +1025,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -59048,7 +59249,7 @@ index 143c893..00b270e 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1045,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1046,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -59062,7 +59263,7 @@ index 143c893..00b270e 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1064,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1065,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -59071,7 +59272,7 @@ index 143c893..00b270e 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1071,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1072,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -59086,7 +59287,7 @@ index 143c893..00b270e 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1130,40 @@ optional_policy(`
+@@ -778,16 +1131,40 @@ optional_policy(`
')
optional_policy(`
@@ -59128,7 +59329,7 @@ index 143c893..00b270e 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1172,10 @@ optional_policy(`
+@@ -796,6 +1173,10 @@ optional_policy(`
')
optional_policy(`
@@ -59139,7 +59340,7 @@ index 143c893..00b270e 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1191,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1192,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -59153,7 +59354,7 @@ index 143c893..00b270e 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1202,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1203,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -59162,7 +59363,7 @@ index 143c893..00b270e 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,6 +1215,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1216,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -59172,7 +59373,7 @@ index 143c893..00b270e 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1225,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1226,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -59184,7 +59385,7 @@ index 143c893..00b270e 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1238,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1239,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -59201,7 +59402,7 @@ index 143c893..00b270e 100644
')
optional_policy(`
-@@ -862,6 +1253,10 @@ optional_policy(`
+@@ -862,6 +1254,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -59212,7 +59413,7 @@ index 143c893..00b270e 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1300,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1301,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -59221,7 +59422,7 @@ index 143c893..00b270e 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1354,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1355,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -59253,7 +59454,7 @@ index 143c893..00b270e 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1400,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1401,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -59702,10 +59903,18 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..5b765ce 100644
+index 28ad538..59742f4 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
+@@ -5,6 +5,7 @@
+ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
+ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+@@ -30,6 +31,7 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -59713,7 +59922,7 @@ index 28ad538..5b765ce 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +46,4 @@ ifdef(`distro_gentoo', `
+@@ -45,5 +47,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
@@ -64539,7 +64748,7 @@ index 532181a..2410551 100644
/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
-index 9c0faab..dd6530e 100644
+index 9c0faab..5d93844 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -12,7 +12,7 @@
@@ -64578,11 +64787,36 @@ index 9c0faab..dd6530e 100644
## Read the configuration options used when
## loading modules.
## </summary>
+@@ -152,13 +172,7 @@ interface(`modutils_domtrans_insmod_uncond',`
+ ## </param>
+ #
+ interface(`modutils_domtrans_insmod',`
+- gen_require(`
+- bool secure_mode_insmod;
+- ')
+-
+- if (!secure_mode_insmod) {
+- modutils_domtrans_insmod_uncond($1)
+- }
++ modutils_domtrans_insmod_uncond($1)
+ ')
+
+ ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..d5408ff 100644
+index a0eef20..406f160 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
-@@ -18,11 +18,12 @@ type insmod_t;
+@@ -1,9 +1,5 @@
+ policy_module(modutils, 1.10.1)
+
+-gen_require(`
+- bool secure_mode_insmod;
+-')
+-
+ ########################################
+ #
+ # Declarations
+@@ -18,11 +14,12 @@ type insmod_t;
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
mls_file_write_all_levels(insmod_t)
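Review bot: After this hunk `modutils_domtrans_insmod` is a bare alias of `modutils_domtrans_insmod_uncond`, but its `<summary>` block, which starts above the hunk and is not visible here, presumably still describes the `secure_mode_insmod` condition and should be rewritten to match. Two identical public interfaces invite drift; the refpolicy convention is to mark one deprecated and forward, e.g. in `_uncond`: `refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_insmod() instead.')` followed by `modutils_domtrans_insmod($1)`. The interface's opening lines are outside the hunk.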
@@ -64596,7 +64830,7 @@ index a0eef20..d5408ff 100644
# module dependencies
type modules_dep_t;
-@@ -36,6 +37,9 @@ role system_r types update_modules_t;
+@@ -36,6 +33,9 @@ role system_r types update_modules_t;
type update_modules_tmp_t;
files_tmp_file(update_modules_tmp_t)
@@ -64606,7 +64840,7 @@ index a0eef20..d5408ff 100644
########################################
#
# depmod local policy
-@@ -55,12 +59,15 @@ corecmd_search_bin(depmod_t)
+@@ -55,12 +55,15 @@ corecmd_search_bin(depmod_t)
domain_use_interactive_fds(depmod_t)
@@ -64622,7 +64856,7 @@ index a0eef20..d5408ff 100644
fs_getattr_xattr_fs(depmod_t)
-@@ -70,10 +77,11 @@ init_use_fds(depmod_t)
+@@ -70,10 +73,11 @@ init_use_fds(depmod_t)
init_use_script_fds(depmod_t)
init_use_script_ptys(depmod_t)
@@ -64635,7 +64869,7 @@ index a0eef20..d5408ff 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -95,7 +103,6 @@ optional_policy(`
+@@ -95,7 +99,6 @@ optional_policy(`
')
optional_policy(`
@@ -64643,7 +64877,7 @@ index a0eef20..d5408ff 100644
unconfined_domain(depmod_t)
')
-@@ -104,11 +111,12 @@ optional_policy(`
+@@ -104,11 +107,12 @@ optional_policy(`
# insmod local policy
#
@@ -64657,7 +64891,7 @@ index a0eef20..d5408ff 100644
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -118,6 +122,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
can_exec(insmod_t, insmod_exec_t)
@@ -64667,7 +64901,7 @@ index a0eef20..d5408ff 100644
kernel_load_module(insmod_t)
kernel_request_load_module(insmod_t)
kernel_read_system_state(insmod_t)
-@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t)
+@@ -126,6 +133,7 @@ kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
@@ -64675,7 +64909,7 @@ index a0eef20..d5408ff 100644
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t)
+@@ -143,6 +151,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -64683,7 +64917,7 @@ index a0eef20..d5408ff 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +170,18 @@ files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -64702,7 +64936,7 @@ index a0eef20..d5408ff 100644
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t)
+@@ -174,41 +190,38 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
@@ -64711,14 +64945,20 @@ index a0eef20..d5408ff 100644
+term_use_all_inherited_terms(insmod_t)
userdom_dontaudit_search_user_home_dirs(insmod_t)
- if( ! secure_mode_insmod ) {
-@@ -187,28 +206,27 @@ optional_policy(`
+-if( ! secure_mode_insmod ) {
+- kernel_domtrans_to(insmod_t, insmod_exec_t)
+-}
++kernel_domtrans_to(insmod_t, insmod_exec_t)
+
+ optional_policy(`
+ alsa_domtrans(insmod_t)
')
optional_policy(`
- firstboot_dontaudit_rw_pipes(insmod_t)
- firstboot_dontaudit_rw_stream_sockets(insmod_t)
+ devicekit_use_fds_disk(insmod_t)
++ devicekit_dontaudit_read_pid_files(insmod_t)
')
optional_policy(`
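Review bot: `kernel_domtrans_to(insmod_t, insmod_exec_t)` is now unconditional, so there is no runtime switch left that stops the kernel's own module-load requests from entering insmod_t; that is the intent of dropping `secure_mode_insmod`, but a reader of the .te cannot tell whether it was deliberate or an oversight. Add `# unconditional: secure_mode_insmod was removed; kernel-initiated module loads always transition here` above the rule. The added `devicekit_dontaudit_read_pid_files(insmod_t)` is harmless but likewise unexplained.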
@@ -64747,7 +64987,7 @@ index a0eef20..d5408ff 100644
')
optional_policy(`
-@@ -236,6 +254,10 @@ optional_policy(`
+@@ -236,6 +249,10 @@ optional_policy(`
')
optional_policy(`
@@ -64758,7 +64998,7 @@ index a0eef20..d5408ff 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -296,7 +318,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +313,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
@@ -64790,7 +65030,7 @@ index 72c746e..704d2d7 100644
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..1be2768 100644
+index 8b5c196..da41726 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,12 @@ interface(`mount_domtrans',`
@@ -64806,7 +65046,7 @@ index 8b5c196..1be2768 100644
')
########################################
-@@ -45,8 +51,73 @@ interface(`mount_run',`
+@@ -45,12 +51,77 @@ interface(`mount_run',`
role $2 types mount_t;
optional_policy(`
@@ -64829,11 +65069,11 @@ index 8b5c196..1be2768 100644
+
+ optional_policy(`
+ samba_run_smbmount(mount_t, $2)
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Execute fusermount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
@@ -64853,7 +65093,7 @@ index 8b5c196..1be2768 100644
+interface(`mount_run_fusermount',`
+ gen_require(`
+ type mount_t;
- ')
++ ')
+
+ mount_domtrans_fusermount($1)
+ role $2 types mount_t;
@@ -64878,22 +65118,14 @@ index 8b5c196..1be2768 100644
+
+ allow $1 mount_var_run_t:file read_file_perms;
+ files_search_pids($1)
- ')
-
- ########################################
-@@ -84,9 +155,11 @@ interface(`mount_exec',`
- interface(`mount_signal',`
- gen_require(`
- type mount_t;
-+ type unconfined_mount_t;
- ')
-
- allow $1 mount_t:process signal;
-+ allow $1 unconfined_mount_t:process signal;
- ')
-
- ########################################
-@@ -95,7 +168,7 @@ interface(`mount_signal',`
++')
++
++########################################
++## <summary>
+ ## Execute mount in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -95,7 +166,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
## <summary>
@@ -64902,54 +65134,45 @@ index 8b5c196..1be2768 100644
## </summary>
## </param>
#
-@@ -135,6 +208,24 @@ interface(`mount_send_nfs_client_request',`
+@@ -135,45 +206,119 @@ interface(`mount_send_nfs_client_request',`
########################################
## <summary>
+-## Execute mount in the unconfined mount domain.
+## Read the mount tmp directory
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+ #
+-interface(`mount_domtrans_unconfined',`
+interface(`mount_list_tmp',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_mount_t, mount_exec_t;
+ type mount_tmp_t;
-+ ')
-+
+ ')
+
+- domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
+ allow $1 mount_tmp_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ## Execute mount in the unconfined mount domain.
- ## </summary>
- ## <param name="domain">
-@@ -176,4 +267,113 @@ interface(`mount_run_unconfined',`
+ ')
- mount_domtrans_unconfined($1)
- role $2 types unconfined_mount_t;
-+
-+ optional_policy(`
-+ rpc_run_rpcd(unconfined_mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ samba_run_smbmount(unconfined_mount_t, $2)
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-## Execute mount in the unconfined mount domain, and
+-## allow the specified role the unconfined mount domain,
+-## and use the caller's terminal.
+## Execute fusermount in the mount domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+-## <param name="role">
+#
+interface(`mount_domtrans_fusermount',`
+ gen_require(`
@@ -64968,7 +65191,8 @@ index 8b5c196..1be2768 100644
+## Execute fusermount.
+## </summary>
+## <param name="domain">
-+## <summary>
+ ## <summary>
+-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
@@ -64988,14 +65212,19 @@ index 8b5c196..1be2768 100644
+## <param name="domain">
+## <summary>
+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`mount_run_unconfined',`
+interface(`mount_dontaudit_exec_fusermount',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_mount_t;
+ type fusermount_exec_t;
-+ ')
-+
+ ')
+
+- mount_domtrans_unconfined($1)
+- role $2 types unconfined_mount_t;
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
+
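Review bot: `mount_domtrans_unconfined` and `mount_run_unconfined` are deleted outright rather than stubbed, so any module that still calls them — unconfined.te is the usual caller, which I cannot see in this chunk — fails to build, and out-of-tree modules break at load with an undefined-interface error. refpolicy's convention for a removed interface is a forwarding stub that emits `refpolicywarn`, which keeps callers building while steering them to `mount_domtrans`/`mount_run`, both of which remain in this file. The same consideration applies to `mount_signal`, which loses its `unconfined_mount_t` line earlier in this patch. The new `mount_dontaudit_exec_fusermount` body is a single dontaudit and looks right.

```selinux
interface(`mount_domtrans_unconfined',`
	refpolicywarn(`$0($*) has been deprecated, use mount_domtrans() instead.')
	mount_domtrans($1)
')

interface(`mount_run_unconfined',`
	refpolicywarn(`$0($*) has been deprecated, use mount_run() instead.')
	mount_run($1, $2)
')
```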
@@ -65042,10 +65271,10 @@ index 8b5c196..1be2768 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..79bc8f4 100644
+index 15832c7..2e0bdd4 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -17,8 +17,15 @@ type mount_exec_t;
+@@ -17,17 +17,29 @@ type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -65061,12 +65290,12 @@ index 15832c7..79bc8f4 100644
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
-@@ -28,6 +35,18 @@ files_tmp_file(mount_tmp_t)
- # policy--duplicate type declaration
- type unconfined_mount_t;
- application_domain(unconfined_mount_t, mount_exec_t)
-+role system_r types unconfined_mount_t;
-+
+
+-# causes problems with interfaces when
+-# this is optionally declared in monolithic
+-# policy--duplicate type declaration
+-type unconfined_mount_t;
+-application_domain(unconfined_mount_t, mount_exec_t)
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
+dev_associate(mount_var_run_t)
@@ -65080,7 +65309,7 @@ index 15832c7..79bc8f4 100644
########################################
#
-@@ -35,7 +54,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
+@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
#
# setuid/setgid needed to mount cifs
@@ -65093,7 +65322,7 @@ index 15832c7..79bc8f4 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,9 +69,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -65119,7 +65348,7 @@ index 15832c7..79bc8f4 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -57,65 +95,93 @@ kernel_request_load_module(mount_t)
+@@ -57,65 +88,93 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -65222,7 +65451,7 @@ index 15832c7..79bc8f4 100644
logging_send_syslog_msg(mount_t)
-@@ -126,6 +192,12 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +185,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -65235,7 +65464,7 @@ index 15832c7..79bc8f4 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,26 +213,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',`
')
')
@@ -65274,7 +65503,7 @@ index 15832c7..79bc8f4 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +248,8 @@ optional_policy(`
+@@ -174,6 +241,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -65283,7 +65512,7 @@ index 15832c7..79bc8f4 100644
')
optional_policy(`
-@@ -181,6 +257,28 @@ optional_policy(`
+@@ -181,6 +250,28 @@ optional_policy(`
')
optional_policy(`
@@ -65312,7 +65541,7 @@ index 15832c7..79bc8f4 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,13 +286,52 @@ optional_policy(`
+@@ -188,21 +279,83 @@ optional_policy(`
')
')
@@ -65346,15 +65575,21 @@ index 15832c7..79bc8f4 100644
optional_policy(`
samba_domtrans_smbmount(mount_t)
+ samba_read_config(mount_t)
-+')
-+
+ ')
+
+-########################################
+-#
+-# Unconfined mount local policy
+-#
+optional_policy(`
+ ssh_exec(mount_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+- unconfined_domain(unconfined_mount_t)
+ usbmuxd_stream_connect(mount_t)
-+')
+ ')
+
+optional_policy(`
+ virt_read_blk_images(mount_t)
@@ -65362,22 +65597,8 @@ index 15832c7..79bc8f4 100644
+
+optional_policy(`
+ vmware_exec_host(mount_t)
- ')
-
- ########################################
-@@ -203,6 +340,43 @@ optional_policy(`
- #
-
- optional_policy(`
-+ unconfined_domain_noaudit(unconfined_mount_t)
+')
+
-+optional_policy(`
-+ userdom_unpriv_usertype(unconfined, unconfined_mount_t)
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-- unconfined_domain(unconfined_mount_t)
- ')
-+
+######################################
+#
+# showmount local policy
@@ -67119,10 +67340,10 @@ index 0000000..9eaa38e
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..fdb31d8
+index 0000000..42276b7
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,414 @@
+@@ -0,0 +1,416 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -67206,7 +67427,9 @@ index 0000000..fdb31d8
+ ')
+
+ files_search_var_lib($1)
-+ allow $1 systemd_unit_file_type:file read_file_perms;
++ allow $1 systemd_unit_file_type:file read_file_perms;
++ allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
++ allow $1 systemd_unit_file_type:dir list_dir_perms;
+')
+
+#####################################
@@ -68338,10 +68561,10 @@ index ce2fbb9..8b34dbc 100644
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..a56f542 100644
+index 416e668..683497a 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
-@@ -12,27 +12,34 @@
+@@ -12,27 +12,29 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
@@ -68349,7 +68572,6 @@ index 416e668..a56f542 100644
class dbus all_dbus_perms;
class nscd all_nscd_perms;
class passwd all_passwd_perms;
-+ bool secure_mode_insmod;
')
# Use any Linux capability.
@@ -68358,10 +68580,6 @@ index 416e668..a56f542 100644
+ allow $1 self:capability ~sys_module;
+ allow $1 self:capability2 syslog;
+ allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-+
-+ if (!secure_mode_insmod) {
-+ allow $1 self:capability sys_module;
-+ }
# Transition to myself, to make get_ordered_context_list happy.
allow $1 self:process transition;
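Review bot: With the `if (!secure_mode_insmod)` block removed here (and its `bool secure_mode_insmod;` require removed in the hunk just above), `allow $1 self:capability ~sys_module;` now withholds sys_module from every unconfined domain unconditionally, but nothing on that line says so and the boolean that used to document the intent is gone from global_booleans. Suggest a comment directly above it: `# sys_module is deliberately excluded: the secure_mode_insmod gate was removed, so this interface never grants it`. The commit also deletes `secure_mode_policyload` from global_booleans; any remaining `bool secure_mode_policyload;` require or `if (secure_mode_policyload)` block elsewhere in the patch (not visible in this chunk) would fail as an undeclared boolean and should go in the same commit. `unconfined_domain_noaudit` starts and ends outside this hunk.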
@@ -68383,7 +68601,7 @@ index 416e668..a56f542 100644
kernel_unconfined($1)
corenet_unconfined($1)
-@@ -43,6 +50,13 @@ interface(`unconfined_domain_noaudit',`
+@@ -43,6 +45,13 @@ interface(`unconfined_domain_noaudit',`
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
@@ -68397,7 +68615,7 @@ index 416e668..a56f542 100644
tunable_policy(`allow_execheap',`
# Allow making the stack executable via mprotect.
-@@ -69,6 +83,7 @@ interface(`unconfined_domain_noaudit',`
+@@ -69,6 +78,7 @@ interface(`unconfined_domain_noaudit',`
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
@@ -68405,7 +68623,7 @@ index 416e668..a56f542 100644
')
optional_policy(`
-@@ -122,6 +137,10 @@ interface(`unconfined_domain_noaudit',`
+@@ -122,6 +132,10 @@ interface(`unconfined_domain_noaudit',`
## </param>
#
interface(`unconfined_domain',`
@@ -68416,7 +68634,7 @@ index 416e668..a56f542 100644
unconfined_domain_noaudit($1)
tunable_policy(`allow_execheap',`
-@@ -178,412 +197,3 @@ interface(`unconfined_alias_domain',`
+@@ -178,412 +192,3 @@ interface(`unconfined_alias_domain',`
interface(`unconfined_execmem_alias_program',`
refpolicywarn(`$0($1) has been deprecated.')
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fc9b871..ab8325f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 25%{?dist}
+Release: 26%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
++* Fri Sep 9 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-26
+- removing unconfined_notrans_t no longer necessary
+- Clean up handling of secure_mode_insmod and secure_mode_policyload
+- Remove unconfined_mount_t
+
* Tue Sep 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-25
- Add exim_exec_t label for /usr/sbin/exim_tidydb
- Call init_dontaudit_rw_stream_socket() interface in mta policy
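Review bot: The new changelog header line is added as `+* Fri Sep 9 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-26` — it carries two plus signs, one diff marker and one in the content — unless the extra `+` is a rendering artifact of this listing. rpmbuild requires the first line of `%changelog` to begin with `*`, so a leading `+` makes the entry mis-parse or the build fail. The line should read `* Fri Sep 9 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-26`, matching the existing entry below it.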