[selinux-policy] * Wed Oct 29 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-89 - Allow keystone_cgi_script_t to bind

Lukas Vrabec lvrabec at fedoraproject.org
Wed Oct 29 10:24:42 UTC 2014


commit af3cfa7b5c2d707a498f4932020e47c0ce4d92f4
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Wed Oct 29 11:24:42 2014 +0100

    * Wed Oct 29 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-89
    - Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
    - Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
    - Allow rabbitmq to read nfs state data. BZ(1122412)
    - Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
    - Add rolekit policy
    - Allow rolekit domtrans to sssd_t.
    - Add kerberos_tmp_filetrans_kadmin() interface.
    - rolekit should be noaudit.
    - Add rolekit_manage_keys().
    - Need to label rpmnew file correctly
    - Allow modemmanger to connectto itself

 policy-rawhide-base.patch    |  166 ++++++----
 policy-rawhide-contrib.patch |  732 ++++++++++++++++++++++++++++++------------
 selinux-policy.spec          |   15 +-
 3 files changed, 633 insertions(+), 280 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 828da9c..612563b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5481,7 +5481,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..57afd42 100644
+index b191055..2f2f2b9 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5555,11 +5555,13 @@ index b191055..57afd42 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
+ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
- network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
+-network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
 -network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
++network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0)
 +network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) 
 +network_port(apc, tcp,3052,s0, udp,3052,s0)
  network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
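Review bot: The `tcp,15672` appended on the `++network_port(amqp, ...)` line is not mentioned in the changelog, and 15672 is the RabbitMQ management-plugin HTTP port rather than an AMQP broker listener. Labelling it amqp_port_t means every domain already granted connect or bind on the amqp port silently gains the same access to the HTTP management API. If that is intended, a one-line comment above the definition saying so would make it reviewable; otherwise a dedicated port type for the management interface keeps the two exposures separate.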
@@ -8936,7 +8938,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..16c88de 100644
+index cf04cb5..c2776d0 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9085,7 +9087,7 @@ index cf04cb5..16c88de 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9380,6 +9382,10 @@ index cf04cb5..16c88de 100644
 +')
 +
 +optional_policy(`
++    rolekit_dbus_chat(domain)
++')
++
++optional_policy(`
 +	ssh_rw_pipes(domain)
 +')
 +
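Review bot: `rolekit_dbus_chat(domain)` is applied to the `domain` attribute, so every domain in the policy, not only the ones rolekit is expected to manage, may exchange D-Bus messages with rolekit. The changelog records rolekit domtrans and noaudit but not this grant, so a comment naming the denial or bug it resolves would let the breadth be judged; if only a few callers need it, scoping the call to those domains is the tighter fix. The new block is also indented with four spaces while the neighbouring `ssh_rw_pipes(domain)` block uses a tab.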
@@ -15685,7 +15691,7 @@ index 7be4ddf..71e675a 100644
 +/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..227ae89 100644
+index e100d88..85da370 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -15823,10 +15829,29 @@ index e100d88..227ae89 100644
  ')
  
  ########################################
-@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',`
+@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',`
  
  ########################################
  ## <summary>
++##	Do not audit attempts to write the
++##	file in /proc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`kernel_dontaudit_write_proc_files',`
++	gen_require(`
++		type proc_t;
++	')
++
++	dontaudit $1 proc_t:file write;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to check the 
 +##	access on generic proc entries.
 +## </summary>
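Review bot: The summary of the new `kernel_dontaudit_write_proc_files` interface reads `Do not audit attempts to write the file in /proc.`, which is ungrammatical and suggests a single file, whereas the rule below dontaudits `proc_t:file write`, i.e. generic proc files. Suggest `##	Do not audit attempts to write` / `##	generic files in /proc.` to mirror the phrasing of `kernel_write_proc_files` named in the hunk header. The hunk ends inside the summary of the following interface, whose body is outside the hunk.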
@@ -15849,7 +15874,7 @@ index e100d88..227ae89 100644
  ##	Do not audit attempts by caller to
  ##	read system state information in proc.
  ## </summary>
-@@ -1208,6 +1296,24 @@ interface(`kernel_read_messages',`
+@@ -1208,6 +1315,24 @@ interface(`kernel_read_messages',`
  
  ########################################
  ## <summary>
@@ -15874,7 +15899,7 @@ index e100d88..227ae89 100644
  ##	Allow caller to get the attributes of kernel message
  ##	interface (/proc/kmsg).
  ## </summary>
-@@ -1458,6 +1564,25 @@ interface(`kernel_list_all_proc',`
+@@ -1458,6 +1583,25 @@ interface(`kernel_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -15900,7 +15925,7 @@ index e100d88..227ae89 100644
  ##	Do not audit attempts to list all proc directories.
  ## </summary>
  ## <param name="domain">
-@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1621,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -15925,7 +15950,7 @@ index e100d88..227ae89 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1834,7 @@ interface(`kernel_read_net_sysctls',`
  	')
  
  	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -15934,7 +15959,7 @@ index e100d88..227ae89 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1855,7 @@ interface(`kernel_rw_net_sysctls',`
  	')
  
  	rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -15943,7 +15968,7 @@ index e100d88..227ae89 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1877,6 @@ interface(`kernel_read_unix_sysctls',`
  	')
  
  	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -15951,7 +15976,7 @@ index e100d88..227ae89 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1750,16 +1892,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1911,9 @@ interface(`kernel_rw_unix_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15969,7 +15994,7 @@ index e100d88..227ae89 100644
  ')
  
  ########################################
-@@ -1771,16 +1906,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1925,9 @@ interface(`kernel_read_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -15987,7 +16012,7 @@ index e100d88..227ae89 100644
  ')
  
  ########################################
-@@ -1792,16 +1920,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1939,9 @@ interface(`kernel_rw_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -16005,7 +16030,7 @@ index e100d88..227ae89 100644
  ')
  
  ########################################
-@@ -1813,16 +1934,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1953,9 @@ interface(`kernel_read_modprobe_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -16023,7 +16048,7 @@ index e100d88..227ae89 100644
  ')
  
  ########################################
-@@ -2085,9 +2199,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2218,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -16053,7 +16078,7 @@ index e100d88..227ae89 100644
  ########################################
  ## <summary>
  ##	Allow caller to read all sysctls.
-@@ -2282,6 +2415,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2434,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -16079,7 +16104,7 @@ index e100d88..227ae89 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2458,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2477,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -16088,7 +16113,7 @@ index e100d88..227ae89 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2640,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2659,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -16113,7 +16138,7 @@ index e100d88..227ae89 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2695,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2714,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -16138,7 +16163,7 @@ index e100d88..227ae89 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2667,6 +2855,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2874,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -16163,13 +16188,23 @@ index e100d88..227ae89 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2694,6 +2900,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,18 +2919,37 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to receive TCP packets from an unlabeled
 +##	Do not audit attempts to receive DCCP packets from an unlabeled
-+##	connection.
-+## </summary>
+ ##	connection.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Do not audit attempts to receive TCP packets from an unlabeled
+-##	connection.
+-##	</p>
+-##	<p>
+-##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+-##	should be used instead of this one.
+-##	</p>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
@@ -16186,29 +16221,34 @@ index e100d88..227ae89 100644
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to receive TCP packets from an unlabeled
- ##	connection.
- ## </summary>
-@@ -2803,20 +3028,47 @@ interface(`kernel_raw_recvfrom_unlabeled',`
++##	Do not audit attempts to receive TCP packets from an unlabeled
++##	connection.
++## </summary>
++## <desc>
++##	<p>
++##	Do not audit attempts to receive TCP packets from an unlabeled
++##	connection.
++##	</p>
++##	<p>
++##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
++##	should be used instead of this one.
++##	</p>
+ ## </desc>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2803,6 +3047,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
--
- ########################################
- ## <summary>
--##	Do not audit attempts to receive Raw IP packets from an unlabeled
--##	connection.
++########################################
++## <summary>
 +##	Read/Write Raw IP packets from an unlabeled connection.
- ## </summary>
- ## <desc>
- ##	<p>
--##	Do not audit attempts to receive Raw IP packets from an unlabeled
--##	connection.
++## </summary>
++## <desc>
++##	<p>
 +##	Receive Raw IP packets from an unlabeled connection.
- ##	</p>
- ##	<p>
--##	The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
--##	should be used instead of this one.
++##	</p>
++##	<p>
 +##	The corenetwork interface corenet_raw_recv_unlabeled() should
 +##	be used instead of this one.
 +##	</p>
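Review bot: The summary `Read/Write Raw IP packets from an unlabeled connection.` and the `<desc>` paragraphs `Receive Raw IP packets from an unlabeled connection.` and `The corenetwork interface corenet_raw_recv_unlabeled() should be used instead of this one.` that this hunk rearranges describe different things; the desc appears to have been carried over from the recvfrom interface. These lines are context rather than new in this commit, and the interface name and its allow rule lie outside the hunk, so this is a pre-existing inconsistency the reshuffle could fix while it is touching the block, e.g. `##	Read and write Raw IP packets from an unlabeled connection.` in the first `<p>`.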
@@ -16227,24 +16267,10 @@ index e100d88..227ae89 100644
 +	allow $1 unlabeled_t:rawip_socket rw_socket_perms;
 +')
 +
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to receive Raw IP packets from an unlabeled
-+##	connection.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Do not audit attempts to receive Raw IP packets from an unlabeled
-+##	connection.
-+##	</p>
-+##	<p>
-+##	The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
-+##	should be used instead of this one.
- ##	</p>
- ## </desc>
- ## <param name="domain">
-@@ -2958,6 +3210,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+ 
+ ########################################
+ ## <summary>
+@@ -2958,6 +3229,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -16269,7 +16295,7 @@ index e100d88..227ae89 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3242,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3261,565 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -28059,7 +28085,7 @@ index 3efd5b6..12dca57 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..dbf639e 100644
+index 09b791d..03657db 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -28337,12 +28363,12 @@ index 09b791d..dbf639e 100644
 +systemd_hostnamed_read_config(nsswitch_domain)
 +
 +
- tunable_policy(`authlogin_nsswitch_use_ldap',`
--	files_list_var_lib(nsswitch_domain)
++tunable_policy(`authlogin_nsswitch_use_ldap',`
 +    allow nsswitch_domain self:tcp_socket create_socket_perms;
 +')
 +
-+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+-	files_list_var_lib(nsswitch_domain)
 +	corenet_tcp_sendrecv_generic_if(nsswitch_domain)
 +	corenet_tcp_sendrecv_generic_node(nsswitch_domain)
 +	corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
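Review bot: The new side now carries two consecutive `tunable_policy(`authlogin_nsswitch_use_ldap',` blocks, the first holding only `allow nsswitch_domain self:tcp_socket create_socket_perms;` and the second the corenet rules. Both are guarded by the same boolean, so the socket rule can be the first line of the second block; two blocks read as if they were conditioned on different tunables. The second block continues outside the hunk.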
@@ -28383,7 +28409,7 @@ index 09b791d..dbf639e 100644
  optional_policy(`
  	kerberos_use(nsswitch_domain)
  ')
-@@ -456,10 +520,151 @@ optional_policy(`
+@@ -456,10 +520,155 @@ optional_policy(`
  
  optional_policy(`
  	sssd_stream_connect(nsswitch_domain)
@@ -28395,6 +28421,10 @@ index 09b791d..dbf639e 100644
 +userdom_manage_all_users_keys(nsswitch_domain)
 +optional_policy(`
 +    sssd_manage_keys(nsswitch_domain)
++')
++
++optional_policy(`
++    rolekit_manage_keys(nsswitch_domain)
  ')
  
  optional_policy(`
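Review bot: `rolekit_manage_keys(nsswitch_domain)` grants key management on rolekit's keyrings to every domain carrying the nsswitch_domain attribute, a far wider set than the rolekit daemon and its intended clients. The changelog entry `Add rolekit_manage_keys()` says what was added but not why nsswitch callers need it; a comment above the optional_policy block recording the denial or bug, e.g. `# needed for <reason>, BZ <placeholder>`, would let a later reviewer judge whether the attribute is the right scope. The four-space indentation matches the sssd_manage_keys block just above but not the tab-indented blocks elsewhere in the file.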
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 4917f25..9696771 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -9232,7 +9232,7 @@ index 531a8f2..67b6c3d 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 1241123..88edc92 100644
+index 1241123..a3d3001 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9308,15 +9308,17 @@ index 1241123..88edc92 100644
  	dbus_system_domain(named_t, named_exec_t)
  
  	init_dbus_chat_script(named_t)
-@@ -187,6 +198,7 @@ optional_policy(`
+@@ -187,7 +198,9 @@ optional_policy(`
  ')
  
  optional_policy(`
 +    kerberos_filetrans_named_content(named_t)
  	kerberos_read_keytab(named_t)
++    kerberos_read_host_rcache(named_t)
  	kerberos_use(named_t)
  ')
-@@ -215,7 +227,8 @@ optional_policy(`
+ 
+@@ -215,7 +228,8 @@ optional_policy(`
  #
  
  allow ndc_t self:capability { dac_override net_admin };
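Review bot: The added `kerberos_read_host_rcache(named_t)` and the earlier `kerberos_filetrans_named_content(named_t)` in the same optional_policy block are indented with four spaces while `kerberos_read_keytab(named_t)` and `kerberos_use(named_t)` between them use a tab; one tab-indented line keeps the block uniform. The changelog entry names /var/tmp/DNS_25 as the file behind this grant, which is worth carrying into a comment on the line, since rcache read access for named is not obvious from the interface name alone.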
@@ -9326,7 +9328,7 @@ index 1241123..88edc92 100644
  allow ndc_t self:fifo_file rw_fifo_file_perms;
  allow ndc_t self:unix_stream_socket { accept listen };
  
-@@ -229,10 +242,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +243,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
@@ -9338,7 +9340,7 @@ index 1241123..88edc92 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -242,6 +254,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+@@ -242,6 +255,9 @@ corenet_tcp_bind_generic_node(ndc_t)
  corenet_tcp_connect_rndc_port(ndc_t)
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
@@ -9348,7 +9350,7 @@ index 1241123..88edc92 100644
  domain_use_interactive_fds(ndc_t)
  
  files_search_pids(ndc_t)
-@@ -257,7 +272,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +273,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -10803,10 +10805,10 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..1076e6a
+index 0000000..cccf2f7
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,61 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@@ -10842,6 +10844,7 @@ index 0000000..1076e6a
 +
 +kernel_read_system_state(bumblebee_t)
 +kernel_dontaudit_access_check_proc(bumblebee_t)
++kernel_dontaudit_write_proc_files(bumblebee_t)
 +kernel_manage_debugfs(bumblebee_t)
 +
 +corecmd_exec_shell(bumblebee_t)
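Review bot: `kernel_dontaudit_write_proc_files(bumblebee_t)` silences write denials on every generic proc_t file rather than on the specific /proc entry bumblebee touches, and neither the changelog nor a comment records which write is being hidden. A short comment naming the path, e.g. `# bumblebee writes /proc/<placeholder>; denial is harmless`, would let the dontaudit be revisited later; if the write is actually required for the daemon to work, an allow rule on a narrower type is the right fix instead of hiding the denial.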
@@ -12300,10 +12303,12 @@ index 0000000..f50b201
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
 +')
 diff --git a/chronyd.fc b/chronyd.fc
-index 4e4143e..a665b32 100644
+index 4e4143e..d5e0260 100644
 --- a/chronyd.fc
 +++ b/chronyd.fc
-@@ -2,6 +2,8 @@
+@@ -1,7 +1,9 @@
+-/etc/chrony\.keys	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
++/etc/chrony\.keys.*	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
  
  /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
  
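Review bot: The new chronyd.fc pattern `/etc/chrony\.keys.*` is wider than the rpmnew case the changelog describes: file-context regexes are anchored, but `.*` still labels any regular file whose name merely starts with `chrony.keys` as chronyd_keys_t. If the goal is the package-manager copies, `/etc/chrony\.keys(\.rpm(new|save))?` keeps the label limited to those names; otherwise a comment above the line stating the broader intent would avoid a later tightening that breaks it.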
@@ -23050,7 +23055,7 @@ index c697edb..31d45bf 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..5b576ff 100644
+index 98a24b9..401ddbc 100644
 --- a/dhcp.te
 +++ b/dhcp.te
 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -23063,6 +23068,15 @@ index 98a24b9..5b576ff 100644
  type dhcpd_state_t;
  files_type(dhcpd_state_t)
  
+@@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
+ # Local policy
+ #
+ 
+-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
++allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid setpcap sys_resource };
+ dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+ allow dhcpd_t self:process { getcap setcap signal_perms };
+ allow dhcpd_t self:fifo_file rw_fifo_file_perms;
 @@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
  kernel_read_kernel_sysctls(dhcpd_t)
  kernel_read_network_state(dhcpd_t)
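Review bot: The `setpcap` capability added to dhcpd_t's capability set is not mentioned in the changelog, and nothing in the hunk records why dhcpd now needs it. With `allow dhcpd_t self:process { getcap setcap signal_perms };` already present on the line below, the likely reason is the daemon dropping capabilities at start-up, but that is inferred; a comment such as `# setpcap: dhcpd adjusts its capability set after start-up, BZ <placeholder>` above the allow line would make the grant traceable.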
@@ -28460,7 +28474,7 @@ index 0000000..dc94853
 +
 diff --git a/freeipmi.te b/freeipmi.te
 new file mode 100644
-index 0000000..65fb9b8
+index 0000000..0ca4fc3
 --- /dev/null
 +++ b/freeipmi.te
 @@ -0,0 +1,79 @@
@@ -28514,7 +28528,7 @@ index 0000000..65fb9b8
 +# bmc-watchdog local policy
 +#
 +
-+allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem { unix_read unix_write };
++allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
 +
 +files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
 +
@@ -38620,7 +38634,7 @@ index 4fe75fd..b05128a 100644
 +/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..59923df 100644
+index f6c00d8..7b777ab 100644
 --- a/kerberos.if
 +++ b/kerberos.if
 @@ -1,27 +1,29 @@
@@ -38801,119 +38815,62 @@ index f6c00d8..59923df 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
+@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',`
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	kerberos home files.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`kerberos_manage_krb5_home_files',`
--	gen_require(`
--		type krb5_home_t;
--	')
--
--	userdom_search_user_home_dirs($1)
--	allow $1 krb5_home_t:file manage_file_perms;
--')
--
--########################################
--## <summary>
--##	Relabel kerberos home files.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`kerberos_relabel_krb5_home_files',`
--	gen_require(`
--		type krb5_home_t;
--	')
--
--	userdom_search_user_home_dirs($1)
--	allow $1 krb5_home_t:file relabel_file_perms;
--')
--
--########################################
--## <summary>
--##	Create objects in user home
--##	directories with the krb5 home type.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--## <param name="object_class">
--##	<summary>
--##	Class of the object being created.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
--#
--interface(`kerberos_home_filetrans_krb5_home',`
--	gen_require(`
--		type krb5_home_t;
--	')
--
--	userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
--')
--
--########################################
--## <summary>
--##	Read kerberos key table files.
 +##	Read the kerberos key table.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`kerberos_manage_krb5_home_files',`
++interface(`kerberos_read_keytab',`
+ 	gen_require(`
+-		type krb5_home_t;
++		type krb5_keytab_t;
+ 	')
+ 
+-	userdom_search_user_home_dirs($1)
+-	allow $1 krb5_home_t:file manage_file_perms;
++	files_search_etc($1)
++	allow $1 krb5_keytab_t:file read_file_perms;
+ ')
  
  ########################################
  ## <summary>
--##	Read and write kerberos key table files.
+-##	Relabel kerberos home files.
 +##	Read/Write the kerberos key table.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
+@@ -210,47 +206,63 @@ interface(`kerberos_manage_krb5_home_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`kerberos_relabel_krb5_home_files',`
++interface(`kerberos_rw_keytab',`
+ 	gen_require(`
+-		type krb5_home_t;
++		type krb5_keytab_t;
+ 	')
+ 
+-	userdom_search_user_home_dirs($1)
+-	allow $1 krb5_home_t:file relabel_file_perms;
++	files_search_etc($1)
++	allow $1 krb5_keytab_t:file rw_file_perms;
+ ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete
--##	kerberos key table files.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
--interface(`kerberos_manage_keytab_files',`
--	gen_require(`
--		type krb5_keytab_t;
--	')
--
--	files_search_etc($1)
--	allow $1 krb5_keytab_t:file manage_file_perms;
--')
--
--########################################
--## <summary>
--##	Create specified objects in generic
--##	etc directories with the kerberos
--##	keytab file type.
+-##	Create objects in user home
+-##	directories with the krb5 home type.
 +##	Create keytab file in /etc
  ## </summary>
  ## <param name="domain">
@@ -38929,97 +38886,167 @@ index f6c00d8..59923df 100644
  ## <param name="name" optional="true">
  ##	<summary>
  ##	The name of the object being created.
-@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
- 		type krb5_keytab_t;
+ ##	</summary>
+ ## </param>
+ #
+-interface(`kerberos_home_filetrans_krb5_home',`
++interface(`kerberos_etc_filetrans_keytab',`
+ 	gen_require(`
+-		type krb5_home_t;
++		type krb5_keytab_t;
  	')
  
--	files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+-	userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
 +	allow $1 krb5_keytab_t:file manage_file_perms;
 +	files_etc_filetrans($1, krb5_keytab_t, file, $2)
++')
++
++########################################
++## <summary>
++##	Create a derived type for kerberos keytab
++## </summary>
++## <param name="prefix">
++##	<summary>
++##	The prefix to be used for deriving type names.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`kerberos_keytab_template',`
++	refpolicywarn(`$0($*) has been deprecated.')
++	kerberos_read_keytab($2)
++	kerberos_use($2)
  ')
  
  ########################################
  ## <summary>
--##	Create a derived type for kerberos
--##	keytab files.
-+##	Create a derived type for kerberos keytab
+-##	Read kerberos key table files.
++##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
  ## </summary>
- ## <param name="prefix">
+ ## <param name="domain">
  ##	<summary>
-@@ -361,7 +262,7 @@ template(`kerberos_keytab_template',`
+@@ -259,18 +271,18 @@ interface(`kerberos_home_filetrans_krb5_home',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`kerberos_read_keytab',`
++interface(`kerberos_read_kdc_config',`
+ 	gen_require(`
+-		type krb5_keytab_t;
++		type krb5kdc_conf_t;
+ 	')
+ 
+ 	files_search_etc($1)
+-	allow $1 krb5_keytab_t:file read_file_perms;
++	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ ')
  
  ########################################
  ## <summary>
--##	Read kerberos kdc configuration files.
+-##	Read and write kerberos key table files.
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -381,8 +282,7 @@ interface(`kerberos_read_kdc_config',`
+@@ -278,254 +290,255 @@ interface(`kerberos_read_keytab',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`kerberos_rw_keytab',`
++interface(`kerberos_read_host_rcache',`
+ 	gen_require(`
+-		type krb5_keytab_t;
++		type krb5_host_rcache_t;
+ 	')
+-
+-	files_search_etc($1)
+-	allow $1 krb5_keytab_t:file rw_file_perms;
++    read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
--##	kerberos host rcache files.
+-##	kerberos key table files.
 +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -396,34 +296,99 @@ interface(`kerberos_manage_host_rcache',`
- 		type krb5_host_rcache_t;
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`kerberos_manage_keytab_files',`
++interface(`kerberos_manage_host_rcache',`
+ 	gen_require(`
+-		type krb5_keytab_t;
++		type krb5_host_rcache_t;
  	')
  
+-	files_search_etc($1)
+-	allow $1 krb5_keytab_t:file manage_file_perms;
 +	# creates files as system_u no matter what the selinux user
 +	# cjp: should be in the below tunable but typeattribute
 +	# does not work in conditionals
- 	domain_obj_id_change_exemption($1)
- 
--	tunable_policy(`allow_kerberos',`
++	domain_obj_id_change_exemption($1)
++
 +	tunable_policy(`kerberos_enabled',`
- 		allow $1 self:process setfscreate;
- 
- 		selinux_validate_context($1)
- 
- 		seutil_read_file_contexts($1)
- 
++		allow $1 self:process setfscreate;
++
++		selinux_validate_context($1)
++
++		seutil_read_file_contexts($1)
++
 +		files_rw_generic_tmp_dir($1)
 +		manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
- 		files_search_tmp($1)
--		allow $1 krb5_host_rcache_t:file manage_file_perms;
- 	')
++		files_search_tmp($1)
++	')
  ')
  
  ########################################
  ## <summary>
--##	Create objects in generic temporary
--##	directories with the kerberos host
--##	rcache type.
+-##	Create specified objects in generic
+-##	etc directories with the kerberos
+-##	keytab file type.
 +##	All of the rules required to administrate 
 +##	an kerberos environment
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed to transition.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
 -## <param name="object_class">
+-##	<summary>
+-##	Class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
 +## <param name="role">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	The role to be allowed to manage the kerberos domain.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <rolecap/>
-+#
+ #
+-interface(`kerberos_etc_filetrans_keytab',`
 +interface(`kerberos_admin',`
-+	gen_require(`
+ 	gen_require(`
+-		type krb5_keytab_t;
 +		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
 +		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
 +		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
 +		type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
 +		type krb5kdc_var_run_t, krb5_host_rcache_t;
-+	')
-+
+ 	')
+ 
+-	files_etc_filetrans($1, krb5_keytab_t, $2, $3)
 +	allow $1 kadmind_t:process signal_perms;
 +	ps_process_pattern($1, kadmind_t)
 +	tunable_policy(`deny_ptrace',`',`
@@ -39059,37 +39086,156 @@ index f6c00d8..59923df 100644
 +	admin_pattern($1, krb5kdc_tmp_t)
 +
 +	admin_pattern($1, krb5kdc_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create a derived type for kerberos
+-##	keytab files.
 +##	Type transition files created in /tmp
 +##	to the krb5_host_rcache type.
-+## </summary>
+ ## </summary>
+-## <param name="prefix">
 +## <param name="domain">
  ##	<summary>
+-##	The prefix to be used for deriving type names.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="domain">
++## <param name="name" optional="true">
+ ##	<summary>
+-##	Domain allowed access.
++##	The name of the object being created.
+ ##	</summary>
+ ## </param>
+ #
+-template(`kerberos_keytab_template',`
+-	refpolicywarn(`$0($*) has been deprecated.')
+-	kerberos_read_keytab($2)
+-	kerberos_use($2)
++interface(`kerberos_tmp_filetrans_host_rcache',`
++	gen_require(`
++		type krb5_host_rcache_t;
++	')
++
++	manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++	files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read kerberos kdc configuration files.
++##	Type transition files created in /tmp
++##	to the kadmind_tmp type.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`kerberos_read_kdc_config',`
++interface(`kerberos_tmp_filetrans_kadmin',`
+ 	gen_require(`
+-		type krb5kdc_conf_t;
++		type kadmind_tmp_t;
+ 	')
+ 
+-	files_search_etc($1)
+-	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
++	manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
++	files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete
+-##	kerberos host rcache files.
++##	read kerberos homedir content (.k5login)
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`kerberos_manage_host_rcache',`
++interface(`kerberos_read_home_content',`
+ 	gen_require(`
+-		type krb5_host_rcache_t;
++		type krb5_home_t;
+ 	')
+ 
+-	domain_obj_id_change_exemption($1)
+-
+-	tunable_policy(`allow_kerberos',`
+-		allow $1 self:process setfscreate;
+-
+-		selinux_validate_context($1)
+-
+-		seutil_read_file_contexts($1)
+-
+-		files_search_tmp($1)
+-		allow $1 krb5_host_rcache_t:file manage_file_perms;
+-	')
++	userdom_search_user_home_dirs($1)
++	read_files_pattern($1, krb5_home_t, krb5_home_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in generic temporary
+-##	directories with the kerberos host
+-##	rcache type.
++##	create kerberos content in the  in the /root directory
++##	with an correct label.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed to transition.
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
 -##	Class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
- ## <param name="name" optional="true">
-@@ -437,12 +402,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
- 		type krb5_host_rcache_t;
+ #
+-interface(`kerberos_tmp_filetrans_host_rcache',`
++interface(`kerberos_filetrans_admin_home_content',`
+ 	gen_require(`
+-		type krb5_host_rcache_t;
++		type krb5_home_t;
  	')
  
 -	files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
-+	manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+	files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
++	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
  ')
  
  ########################################
  ## <summary>
 -##	Connect to krb524 service.
-+##	read kerberos homedir content (.k5login)
++##	Transition to kerberos named content
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -450,82 +416,87 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+-##	Domain allowed access.
++##      Domain allowed access.
  ##	</summary>
  ## </param>
  #
@@ -39104,44 +39250,28 @@ index f6c00d8..59923df 100644
 -
 -		corenet_sendrecv_kerberos_master_client_packets($1)
 -		corenet_udp_sendrecv_kerberos_master_port($1)
-+interface(`kerberos_read_home_content',`
++interface(`kerberos_filetrans_home_content',`
 +	gen_require(`
 +		type krb5_home_t;
  	')
 +
-+	userdom_search_user_home_dirs($1)
-+	read_files_pattern($1, krb5_home_t, krb5_home_t)
++	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
  ')
  
  ########################################
  ## <summary>
 -##	All of the rules required to
 -##	administrate an kerberos environment.
-+##	create kerberos content in the  in the /root directory
-+##	with an correct label.
++##	Transition to kerberos named content
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
 -## <param name="role">
-+#
-+interface(`kerberos_filetrans_admin_home_content',`
-+	gen_require(`
-+		type krb5_home_t;
-+	')
-+
-+	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
-+')
-+
-+########################################
-+## <summary>
-+##	Transition to kerberos named content
-+## </summary>
-+## <param name="domain">
- ##	<summary>
+-##	<summary>
 -##	Role allowed access.
 +##      Domain allowed access.
  ##	</summary>
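Review bot: The `<summary>` that belongs to the new `kerberos_filetrans_home_content` interface is the `++##	Transition to kerberos named content` line just before this hunk, i.e. the same wording later used for `kerberos_filetrans_named_content`, so nothing tells a caller which files are labeled or how it differs from `kerberos_filetrans_admin_home_content`; suggest `##	Create .k5login and .k5users in user home directories with the krb5_home_t label.` The `##      Domain allowed access.` line added in the following summary block is indented with spaces where the neighbouring doc lines use a tab. The interface body is complete within this hunk; its summary block starts before it.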
@@ -39149,14 +39279,14 @@ index f6c00d8..59923df 100644
 -## <rolecap/>
  #
 -interface(`kerberos_admin',`
-+interface(`kerberos_filetrans_home_content',`
++interface(`kerberos_filetrans_named_content',`
  	gen_require(`
 -		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
 -		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
--		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ 		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
 -		type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
 -		type krb5kdc_var_run_t, krb5_host_rcache_t;
-+		type krb5_home_t;
++		type krb5kdc_principal_t;
  	')
  
 -	allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
@@ -39184,28 +39314,10 @@ index f6c00d8..59923df 100644
 -
 -	files_list_pids($1)
 -	admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
-+	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
-+')
- 
+-
 -	files_list_etc($1)
 -	admin_pattern($1, krb5_conf_t)
-+########################################
-+## <summary>
-+##	Transition to kerberos named content
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kerberos_filetrans_named_content',`
-+	gen_require(`
-+		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-+		type krb5kdc_principal_t;
-+	')
- 
+-
  	files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
 -
 -	admin_pattern($1, { krb5_keytab_t  krb5kdc_principal_t })
@@ -39946,7 +40058,7 @@ index e88fb16..f20248c 100644
 +	')
  ')
 diff --git a/keystone.te b/keystone.te
-index 9929647..4a4ccf1 100644
+index 9929647..3144a89 100644
 --- a/keystone.te
 +++ b/keystone.te
 @@ -18,13 +18,20 @@ logging_log_file(keystone_log_t)
@@ -40034,8 +40146,8 @@ index 9929647..4a4ccf1 100644
 +
 +	read_files_pattern(keystone_cgi_script_t, keystone_log_t, keystone_log_t)
 +
-+    corenet_tcp_bind_commplex_main_port(keystone_t)
-+    corenet_tcp_sendrecv_commplex_main_port(keystone_t)
++    corenet_tcp_bind_commplex_main_port(keystone_cgi_script_t)
++    corenet_tcp_sendrecv_commplex_main_port(keystone_cgi_script_t)
  ')
 diff --git a/kismet.if b/kismet.if
 index aa2a337..7ff229f 100644
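Review bot: `corenet_tcp_bind_commplex_main_port(keystone_cgi_script_t)` by itself does not let the domain bind: a listening socket also needs tcp_socket create/listen permissions on self and `corenet_tcp_bind_generic_node`, none of which appear in this hunk, so if the CGI content template does not already grant them (not visible here) the bind still fails with a different denial. If that is the case, add `corenet_tcp_bind_generic_node(keystone_cgi_script_t)` next to the two new lines. The two added lines are indented with four spaces while the neighbouring `read_files_pattern` line uses a tab. The enclosing `optional_policy` block starts outside the hunk.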
@@ -46092,7 +46204,7 @@ index b1ac8b5..9b22bea 100644
 +	')
 +')
 diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..6af07aa 100644
+index d15eb5b..25f2cfe 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
 @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -46105,7 +46217,13 @@ index d15eb5b..6af07aa 100644
  ########################################
  #
  # Local policy
-@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+ allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
+ allow modemmanager_t self:process { getsched signal };
+ allow modemmanager_t self:fifo_file rw_fifo_file_perms;
+-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
++allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms};
+ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
  
  kernel_read_system_state(modemmanager_t)
  
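Review bot: The rewritten rule `allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms};` drops the spaces inside the braces that the surrounding rules use (`{ net_admin sys_admin sys_tty_config }` two lines above); suggest `allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };` for consistency with refpolicy style. The added permission is scoped to the daemon's own sockets, so the widening itself looks minimal.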
@@ -77132,7 +77250,7 @@ index 2c3d338..7d49554 100644
  	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..42203ed 100644
+index dc3b0ed..0675a9c 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@@ -77166,7 +77284,7 @@ index dc3b0ed..42203ed 100644
  type rabbitmq_var_log_t;
  logging_log_file(rabbitmq_var_log_t)
  
-@@ -27,98 +31,82 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,98 +31,86 @@ files_pid_file(rabbitmq_var_run_t)
  
  ######################################
  #
@@ -77339,6 +77457,10 @@ index dc3b0ed..42203ed 100644
 +optional_policy(`
 +    dbus_system_bus_client(rabbitmq_t)
 +')
++
++optional_policy(`
++    rpc_read_nfs_state_data(rabbitmq_t)
++')
  
 -miscfiles_read_localization(rabbitmq_epmd_t)
 diff --git a/radius.fc b/radius.fc
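Review bot: `rpc_read_nfs_state_data(rabbitmq_t)` is granted unconditionally and nothing in the hunk records why a message broker needs NFS state data, leaving only the BZ number in the changelog to explain it; a one-line comment above the new `optional_policy` block would keep the reason with the rule, e.g. `# BZ 1122412: rabbitmq reads NFS state data (presumably under /var/lib/nfs)`. If the access is only required when rabbitmq's data directory is on NFS, it may belong behind a tunable rather than being always-on — inferred, not verifiable from the hunk.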
@@ -83300,6 +83422,194 @@ index a7b7717..861aa31 100644
  logging_send_syslog_msg(rngd_t)
  
 -miscfiles_read_localization(rngd_t)
+diff --git a/rolekit.fc b/rolekit.fc
+new file mode 100644
+index 0000000..504b6e1
+--- /dev/null
++++ b/rolekit.fc
+@@ -0,0 +1,3 @@
++/usr/lib/systemd/system/rolekit.*		--	gen_context(system_u:object_r:rolekit_unit_file_t,s0)
++
++/usr/sbin/roled		--	gen_context(system_u:object_r:rolekit_exec_t,s0)
+diff --git a/rolekit.if b/rolekit.if
+new file mode 100644
+index 0000000..8d833ed
+--- /dev/null
++++ b/rolekit.if
+@@ -0,0 +1,124 @@
++## <summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
++
++########################################
++## <summary>
++##	Execute rolekit in the rolekit domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rolekit_domtrans',`
++	gen_require(`
++		type rolekit_t, rolekit_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, rolekit_exec_t, rolekit_t)
++')
++
++########################################
++## <summary>
++##	Execute rolekit server in the rolekit domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`rolekit_systemctl',`
++	gen_require(`
++		type rolekit_t;
++		type rolekit_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 rolekit_unit_file_t:file read_file_perms;
++	allow $1 rolekit_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, rolekit_t)
++')
++#######################################
++## <summary>
++##     Manage rolekit kernel keyrings.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`rolekit_manage_keys',`
++    gen_require(`
++        type rolekit_t;
++    ')
++
++    allow $1 rolekit_t:key manage_key_perms;
++    allow rolekit_t $1:key manage_key_perms;
++')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	policykit over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rolekit_dbus_chat',`
++	gen_require(`
++		type rolekit_t;
++		class dbus send_msg;
++	')
++
++	ps_process_pattern(rolekit_t, $1)
++
++	allow $1 rolekit_t:dbus send_msg;
++	allow rolekit_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an rolekit environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rolekit_admin',`
++	gen_require(`
++		type rolekit_t;
++	type rolekit_unit_file_t;
++	')
++
++	allow $1 rolekit_t:process { signal_perms };
++	ps_process_pattern($1, rolekit_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 rolekit_t:process ptrace;
++    ')
++
++	rolekit_systemctl($1)
++	admin_pattern($1, rolekit_unit_file_t)
++	allow $1 rolekit_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/rolekit.te b/rolekit.te
+new file mode 100644
+index 0000000..da7bd10
+--- /dev/null
++++ b/rolekit.te
+@@ -0,0 +1,43 @@
++policy_module(rolekit, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rolekit_t;
++type rolekit_exec_t;
++init_daemon_domain(rolekit_t, rolekit_exec_t)
++
++type rolekit_tmp_t;
++files_tmp_file(rolekit_tmp_t)
++
++type rolekit_unit_file_t;
++systemd_unit_file(rolekit_unit_file_t)
++
++########################################
++#
++# rolekit local policy
++#
++
++allow rolekit_t self:fifo_file rw_fifo_file_perms;
++allow rolekit_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t)
++manage_dirs_pattern(rolekit_t, rolekit_tmp_t, rolekit_tmp_t)
++files_tmp_filetrans(rolekit_t, rolekit_tmp_t, { file dir })
++
++kernel_read_system_state(rolekit_t)
++
++auth_use_nsswitch(rolekit_t)
++
++optional_policy(`
++    sssd_domtrans(rolekit_t)
++')
++
++optional_policy(`
++    unconfined_domain_noaudit(rolekit_t)
++    #should be changed for debugging
++    #unconfined_domain(rolekit_t)
++    domain_named_filetrans(rolekit_t)
++')
 diff --git a/roundup.if b/roundup.if
 index 975bb6a..ce4f5ea 100644
 --- a/roundup.if
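Review bot: `unconfined_domain_noaudit(rolekit_t)` at the end of rolekit.te makes the new domain effectively unconfined and additionally suppresses every denial it would otherwise log, so the rules above it (tmp handling, `auth_use_nsswitch`, `sssd_domtrans`) are redundant whenever the unconfined module is loaded and there is no audit trail from which a tighter policy could later be derived. If shipping an unconfined domain is intended, `unconfined_domain(rolekit_t)` keeps AVC records for what is a root-privileged D-Bus service; if this is only to unblock development, `permissive rolekit_t;` records denials without granting them. Conversely, because the call sits inside `optional_policy`, on a system without the unconfined module rolekit_t appears to have no D-Bus rules at all (no `dbus_system_domain`/`dbus_system_bus_client` in the .te) even though rolekit.if describes a D-Bus service — worth confirming. In rolekit.if, the `rolekit_dbus_chat` summary reads "Send and receive messages from policykit over dbus" (copy-paste; suggest `##	Send and receive messages from rolekit over dbus.`), `rolekit_domtrans` says "rolekit domin", and the `rolekit_manage_keys` summary should state that the grant is bidirectional since `allow rolekit_t $1:key manage_key_perms;` also lets rolekit manage the caller's keyrings; `rolekit_systemctl`, `rolekit_manage_keys` and the `tunable_policy` in `rolekit_admin` also mix space indentation into a tab-indented file.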
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c4549f8..1e58600 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 88%{?dist}
+Release: 89%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Oct 29 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-89
+- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
+- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
+- Allow rabbitmq to read nfs state data. BZ(1122412)
+- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
+- Add rolekit policy
+- ALlow rolekit domtrans to sssd_t.
+- Add kerberos_tmp_filetrans_kadmin() interface.
+- rolekit should be noaudit.
+- Add rolekit_manage_keys().
+- Need to label rpmnew file correctly
+- Allow modemmanger to connectto itself
+
 * Tue Oct 21 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-88
 - Allow couchdb read sysctl_fs_t files. BZ(1154327)
 - Allow osad to connect to jabber client port. BZ (1154242)

