Mega:23.09
selinux-policy
Changes of Revision 3
_service:tar_scm:selinux-policy.spec
Changed
@@ -11,12 +11,12 @@ Summary: SELinux policy configuration Name: selinux-policy -Version: 38.21 +Version: 40.7 Release: 1 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ -Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.21.tar.gz +Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v40.7.tar.gz # Tool helps during policy development, to expand system m4 macros to raw allow rules # Git repo: https://github.com/fedora-selinux/macro-expander.git @@ -742,6 +742,19 @@ %endif %changelog +* Thu Dec 28 2023 jinlun<jinlun@huawei.com> - 40.7-1 +- update version to 40.7 + - Allow chronyd-restricted read chronyd key files + - Allow systemd-sleep set attributes of efivarfs files + - Make name_zone_t and named_var_run_t a part of the mountpoint attribute + - Update cifs interfaces to include fs_search_auto_mountpoints() + - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on + - Add map_read map_write to kernel_prog_run_bpf + - Add policy for nvme-stas + - Make new virt drivers permissive + - Allow named and ndc use the io_uring api + - Allow sssd send SIGKILL to passket_child running in ipa_otpd_t + * Fri Jul 21 2023 jinlun<jinlun@huawei.com> - 38.21-1 - update version to 38.21
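Review bot: the changelog line "Make new virt drivers permissive" should name the domains involved and say whether the permissive state is temporary; permissive domains only log denials, so a downstream that rebuilds from this spec ships them unenforced until someone follows up. Minor: the new entry keeps the `jinlun<jinlun@huawei.com>` form without a space before the address (`jinlun <jinlun@huawei.com>` is the conventional rpm changelog form), and the sub-bullets are indented one space deeper than the `- update version to 40.7` line they belong to.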
_service:tar_scm:Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
Changed
@@ -1,4 +1,4 @@ -From 36a7559c14a33b8ae867acaf3a724529ef2aa7ea Mon Sep 17 00:00:00 2001 +From 2a1802c29f4629f06ebd2c8bf1491f98565bf5b1 Mon Sep 17 00:00:00 2001 From: "GONG, Ruiqi" <gongruiqi1@huawei.com> Date: Mon, 20 Mar 2023 20:42:49 +0800 Subject: PATCH Revert "Don't allow kernel_t to execute bin_t/usr_t binaries @@ -7,14 +7,14 @@ This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688. --- - policy/modules/kernel/kernel.te | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) + policy/modules/kernel/kernel.te | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index fc6f5f8..daf0801 100644 +index 7dce828..0c1d125 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -351,18 +351,10 @@ selinux_compute_create_context(kernel_t) +@@ -356,25 +356,14 @@ selinux_compute_create_context(kernel_t) term_use_all_terms(kernel_t) term_use_ptmx(kernel_t) @@ -34,8 +34,15 @@ +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. +corecmd_exec_bin(kernel_t) + # Enable running `/usr/bin/env umount ...` to support ZFS automounting. + # See the module/os/linux/zfs/zfs_ctldir.c file in + # https://github.com/openzfs/zfs/ for the usermode helper calls. +-optional_policy(` +- mount_domtrans(kernel_generic_helper_t) +-') + domain_use_all_fds(kernel_t) domain_signal_all_domains(kernel_t) -- -2.27.0 +2.33.0
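Review bot: the rebased revert removes more than the original did: the diffstat goes from 11 to 14 deletions because the hunk now also drops the `mount_domtrans(kernel_generic_helper_t)` optional_policy block that supports ZFS automounting, while the three comment lines explaining that block (`# Enable running ... to support ZFS automounting.`) stay behind. Either keep the mount_domtrans rules, which are unrelated to the bin_t/usr_t exec change being reverted, or remove the orphaned comment, and update the patch description, which still only says it reverts 18c5559222ea3ca3588c8d32c06cddc41b66f688. Restoring `corecmd_exec_bin(kernel_t)` also deserves a sentence on why this tree still needs kernel_t to execute arbitrary bin_t binaries, since that is the hardening upstream removed.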
_service:tar_scm:add-qemu_exec_t-for-stratovirt.patch
Changed
@@ -1,25 +1,24 @@ -From 601ffc24a1d00f20833eb104913634dedb51b95d Mon Sep 17 00:00:00 2001 -From: root <root@localhost.localdomain> -Date: Fri, 20 Aug 2021 10:50:31 +0800 +From 3f9a66fb7bb35a101d8be50d8f2fa238af62d11f Mon Sep 17 00:00:00 2001 +From: jinlun <jinlun@huawei.com> +Date: Tue, 26 Dec 2023 17:18:00 +0800 Subject: PATCH add qemu_exec_t for stratovirt -Signed-off-by: root <root@localhost.localdomain> --- - policy/modules/contrib/virt.fc | 1 + + policy/modules/contrib/virt_supplementary.fc | 1 + 1 file changed, 1 insertion(+) -diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc -index d12dac0..c12f009 100644 ---- a/policy/modules/contrib/virt.fc -+++ b/policy/modules/contrib/virt.fc -@@ -100,6 +100,7 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_ - /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/bin/stratovirt -- gen_context(system_u:object_r:qemu_exec_t,s0) +diff --git a/policy/modules/contrib/virt_supplementary.fc b/policy/modules/contrib/virt_supplementary.fc +index d27441f..5563457 100644 +--- a/policy/modules/contrib/virt_supplementary.fc ++++ b/policy/modules/contrib/virt_supplementary.fc +@@ -62,6 +62,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv + /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/stratovirt -- gen_context(system_u:object_r:qemu_exec_t,s0) - /etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) - /usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? 
gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) + # support for QEMU-GA + /etc/qemu-ga/fsfreeze-hook\.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -- -2.30.0 +2.27.0
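Review bot: the dropped `Signed-off-by: root <root@localhost.localdomain>` line should be replaced with a Signed-off-by from the new author rather than removed outright, so the sign-off trail for this downstream patch is not lost. On the content: labeling `/usr/bin/stratovirt` as qemu_exec_t gives it exactly the entry-point treatment of qemu-kvm, so every domain transition and boolean that applies to qemu applies to stratovirt; that is probably intended, but a one-line comment above the entry in virt_supplementary.fc would save the next rebase from having to ask.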
_service:tar_scm:allow-init_t-create-fifo-file-in-net_conf-dir.patch
Changed
@@ -1,6 +1,6 @@ -From b00033d4825cfc3ae9787c94ffa7e5408acf9a4b Mon Sep 17 00:00:00 2001 -From: Huaxin Lu <luhuaxin1@huawei.com> -Date: Sun, 29 Jan 2023 00:36:01 +0800 +From ebfc55113be3be3a298a14e767712cc5e16a50c3 Mon Sep 17 00:00:00 2001 +From: jinlun <jinlun@huawei.com> +Date: Thu, 28 Dec 2023 19:17:52 +0800 Subject: PATCH allow init_t create fifo file in net_conf dir Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> @@ -9,17 +9,17 @@ 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8b84aa1..15b57a7 100644 +index 4f2ce88..5fc8fed 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -872,6 +872,7 @@ optional_policy(` - +@@ -879,6 +879,7 @@ optional_policy(` optional_policy(` sysnet_filetrans_cloud_net_conf(init_t) + sysnet_manage_config_pipes(init_t) + manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t) ') optional_policy(` -- -2.33.0 +2.27.0
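Review bot: the rebased hunk replaces `sysnet_manage_config_pipes(init_t)` with a raw `manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t)` inside init.te. net_conf_t belongs to the sysnetwork module, so referencing it directly from init.te needs a gen_require and bypasses the module's interface; if sysnet_manage_config_pipes no longer exists in 40.7, add an equivalent interface to sysnetwork.if and call it from the optional_policy block instead. Also, the author line now reads jinlun while the only Signed-off-by is still Huaxin Lu's; the person rebasing should add their own.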
_service:tar_scm:fix-selinux-label-for-hostname-digest-list.patch
Changed
@@ -15,9 +15,9 @@ @@ -3,6 +3,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit /root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) - /etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) -+/etc/^/*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) - /etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) + /etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) ++/etc/^/*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) + /etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) /etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) --
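Review bot: the added file context `/etc/^/*hostname.*` looks wrong as a regular expression: after `/etc/`, `^` is a start-of-string anchor and can never match, so the entry would not label anything. If the intent is "hostname files directly in /etc, not in subdirectories", the pattern should be `/etc/[^/]*hostname.*`; verify with `matchpathcon /etc/hostname` after loading the policy. This hunk appears to change only the indentation of those lines, so it is the right place to correct the pattern at the same time.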
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="url">git@gitee.com:src-openeuler/selinux-policy.git</param> <param name="scm">git</param> - <param name="revision">openEuler-23.09</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
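Review bot: changing `<param name="revision">` from `openEuler-23.09` to `master` makes the source fetch unpinned: every rebuild of this package pulls whatever is at the branch head at that moment, so two builds of the same OBS revision can contain different sources and the build is no longer reproducible or auditable. For a release project (Mega:23.09) pin to the release branch, or better to a tag or full commit hash, and bump it deliberately.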
_service:tar_scm:v38.21.tar.gz/.copr/make-srpm.sh
Deleted
@@ -1,56 +0,0 @@ -#!/bin/bash - -set -ex - -outdir="$1"; shift - -dirname="$(dirname "$0")" - -DISTGIT_URL=https://src.fedoraproject.org/rpms/selinux-policy -DISTGIT_REF=rawhide - -CONTAINER_URL=https://github.com/containers/container-selinux -EXPANDER_URL=https://github.com/fedora-selinux/macro-expander - -rpm -q rpm-build git-core || dnf install -y rpm-build git-core - -# Ensure that the git directory is owned by us to appease Git's -# anti-CVE-2022-24765 measures. -chown $(id -u):$(id -g) "$dirname/.." - -base_head_id="$(git -C "$dirname/.." rev-parse HEAD)" -base_short_head_id="${base_head_id:0:7}" -base_date="$(TZ=UTC git show -s --format=%cd --date=format-local:%F_%T HEAD | tr -d :-)" - -tmpdir="$(mktemp -d)" - -trap 'rm -rf "$tmpdir"' EXIT - -container_dir="$tmpdir/container-selinux" -expander_dir="$tmpdir/macro-expander" -rpmbuild_dir="$tmpdir/rpmbuild" -distgit_dir="$tmpdir/rpmbuild/SOURCES" - -mkdir -p "$distgit_dir" - -git clone --single-branch --depth 1 "$CONTAINER_URL" "$container_dir" -git clone --single-branch --depth 1 "$EXPANDER_URL" "$expander_dir" -git clone -b "$DISTGIT_REF" --single-branch --depth 1 "$DISTGIT_URL" "$distgit_dir" - -git -C "$dirname/.." archive --prefix="selinux-policy-$base_head_id/" --format tgz HEAD \ - >"$distgit_dir/selinux-policy-$base_short_head_id.tar.gz" - -tar -C "$container_dir" -czf "$distgit_dir/container-selinux.tgz" \ - container.if container.te container.fc - -cp "$expander_dir/macro-expander.sh" "$distgit_dir/macro-expander" - -( - cd "$distgit_dir" - sed -i "s/%global commit ^ *$/%global commit $base_head_id/" selinux-policy.spec - sed -i "s/%{?dist}/.$base_date.$base_short_head_id%{?dist}/" selinux-policy.spec - rm -f sources - rpmbuild --define "_topdir $rpmbuild_dir" -bs selinux-policy.spec -) - -cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"
_service:tar_scm:v38.21.tar.gz/.copr/Makefile -> _service:tar_scm:v40.7.tar.gz/.copr/Makefile
Changed
@@ -2,7 +2,9 @@ outdir ?= $(PWD) +COPR_DIR := $(dir $(lastword $(MAKEFILE_LIST))) + srpm: - $(dir $(lastword $(MAKEFILE_LIST)))/make-srpm.sh $(outdir) + $(COPR_DIR)/../scripts/make-srpm.sh $(outdir) .PHONY: srpm
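Review bot: the srpm target now calls `$(COPR_DIR)/../scripts/make-srpm.sh` and `.copr/make-srpm.sh` is deleted in this revision, but `scripts/make-srpm.sh` itself does not appear in this part of the file listing; confirm it is present in the v40.7 tarball, otherwise `make -C .copr srpm` fails. Minor: `$(dir ...)` already ends with a slash, so `$(COPR_DIR)/..` produces a doubled `/`; `$(COPR_DIR)../scripts/make-srpm.sh` is cleaner.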
_service:tar_scm:v40.7.tar.gz/.fmf
Added
+(directory)
_service:tar_scm:v40.7.tar.gz/.fmf/version
Added
@@ -0,0 +1,1 @@ +1
_service:tar_scm:v38.21.tar.gz/.github/workflows/build.yml -> _service:tar_scm:v40.7.tar.gz/.github/workflows/build.yml
Changed
@@ -4,40 +4,13 @@ build: runs-on: ubuntu-latest container: - image: fedora:rawhide + image: quay.io/fedora/fedora:rawhide options: --security-opt seccomp=unconfined steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: dnf install --nogpgcheck -y git-core checkpolicy policycoreutils-devel make m4 findutils - run: git clone --depth=1 https://github.com/containers/container-selinux.git /tmp/container-selinux - run: cp /tmp/container-selinux/container.* policy/modules/contrib - run: make -j $(nproc) policy - run: make -j $(nproc) validate - run: make -j $(nproc) container.pp - build-rpm: - runs-on: ubuntu-latest - container: - image: fedora:rawhide - options: --security-opt seccomp=unconfined - steps: - - run: dnf install --nogpgcheck -y make git-core rpm-build 'dnf-command(builddep)' - - uses: actions/checkout@v2 - - run: make -C .copr srpm outdir="$PWD" - - name: Store the SRPM as an artifact - uses: actions/upload-artifact@v2 - with: - name: srpm - path: "*.src.rpm" - - run: | - if grep -q rawhide /etc/os-release; then - tag=rawhide - else - tag='f$releasever-build' - fi - dnf builddep --nogpgcheck --repofrompath "koji,https://kojipkgs.fedoraproject.org/repos/$tag/latest/\$arch/" -y --srpm *.src.rpm - - run: rpmbuild --define "_topdir $PWD/rpmbuild" -rb *.src.rpm - - name: Store binary RPMs as artifacts - uses: actions/upload-artifact@v2 - with: - name: rpms - path: rpmbuild/RPMS
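Review bot: the build-rpm job is removed entirely, so this workflow no longer produces SRPM or binary RPM artifacts; if that moved to packit/copr (packit.yaml is added in the same revision) the commit message should say so. Two supply-chain points on what remains: `dnf install --nogpgcheck` disables signature verification of every package pulled into the build container, and the actions are pinned only by tag (`actions/checkout@v3`); drop `--nogpgcheck` and pin actions to a commit SHA. The move to the fully qualified `quay.io/fedora/fedora:rawhide` image is a good change.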
_service:tar_scm:v40.7.tar.gz/packit.yaml
Added
@@ -0,0 +1,35 @@ +# See https://packit.dev/docs/configuration/ + +specfile_path: tmp/rpm/selinux-policy.spec +upstream_tag_template: "v{version}" + +actions: + post-upstream-clone: + - mkdir -p tmp/rpm + - scripts/make-sources.sh tmp/rpm + create-archive: sh -c 'ls tmp/rpm/selinux-policy*.tar.gz' + +jobs: + - job: copr_build + trigger: pull_request + targets: + - fedora-development + - fedora-latest-stable + + # run tests for packages which test SELinux policy well, see plans/ with `revdeps == yes` + - job: tests + identifier: revdeps + trigger: pull_request + notifications: + failure_comment: + message: "Cockpit tests failed for commit {commit_sha}. @martinpitt, @jelly, @mvollmer please check." + targets: + - fedora-development + tf_extra_params: + environments: + - artifacts: + - type: repository-file + id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo + tmt: + context: + revdeps: "yes"
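Review bot: `create-archive: sh -c 'ls tmp/rpm/selinux-policy*.tar.gz'` returns every matching file, so a stale archive left in tmp/rpm from an earlier run would hand packit two names; have make-sources.sh print the exact archive path, or narrow the glob to the version being built. The revdeps job also injects a third-party copr repository (`@cockpit/main-builds`) into the test environment via `repository-file`; that is acceptable for a throwaway test VM but worth a comment so nobody copies it into a build job.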
_service:tar_scm:v40.7.tar.gz/plans
Added
+(directory)
_service:tar_scm:v40.7.tar.gz/plans/cockpit.fmf
Added
@@ -0,0 +1,30 @@ +# reverse dependency test for https://github.com/cockpit-project/cockpit +# packit should automatically notify the cockpit maintainers on failures. +# For questions, please contact @martinpitt, @jelly, @mvollmer + +enabled: false +adjust+: + when: revdeps == yes + enabled: true + +discover: + how: fmf + url: https://github.com/cockpit-project/cockpit + ref: main +execute: + how: tmt + +/basic: + summary: Run tests for basic packages + discover+: + test: /test/browser/basic + +/network: + summary: Run tests for cockpit-networkmanager + discover+: + test: /test/browser/network + +/optional: + summary: Run tests for optional packages + discover+: + test: /test/browser/optional
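Review bot: `discover: url: https://github.com/cockpit-project/cockpit` with `ref: main` pulls the test suite from a moving branch, so results for a fixed policy commit can change from day to day; pin `ref` to a tag or commit and bump it on purpose. The plan being `enabled: false` by default and switched on only when `revdeps == yes` matches the tmt context set in packit.yaml.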
_service:tar_scm:v38.21.tar.gz/policy/modules.conf -> _service:tar_scm:v40.7.tar.gz/policy/modules.conf
Changed
@@ -2509,6 +2509,13 @@ # virt = module +# Layer: services +# Module: virt_supplementary +# +# non-libvirt virtualization libraries +# +virt_supplementary = module + # Layer: apps # Module: vhostmd # @@ -3127,3 +3134,24 @@ # qatlib - Intel QuickAssist technology library and resources management # qatlib = module + +# Layer: contrib +# Module: afterburn +# +# afterburn +# +afterburn = module + +# Layer: contrib +# Module: nvme_stas +# +# nvme_stas +# +nvme_stas = module + +# Layer: contrib +# Module: coreos_installer +# +# coreos_installer +# +coreos_installer = module
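Review bot: the description lines for the three new contrib modules just repeat the module name (`# afterburn`, `# nvme_stas`, `# coreos_installer`); the surrounding entries such as qatlib give a one-line purpose, so do the same here. Also check the layer of `virt_supplementary`: it is declared `Layer: services` while its file context file lives under policy/modules/contrib elsewhere in this revision.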
_service:tar_scm:v38.21.tar.gz/policy/modules/admin/sudo.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/admin/sudo.if
Changed
@@ -101,6 +101,11 @@ ') optional_policy(` + netutils_domtrans($1_sudo_t) + netutils_run_traceroute($1_sudo_t, $2) + ') + + optional_policy(` systemd_domtrans_systemctl($1_sudo_t, $3) systemd_systemctl_entrypoint($3) ')
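Review bot: adding `netutils_domtrans($1_sudo_t)` and `netutils_run_traceroute($1_sudo_t, $2)` to the template means every sudo role domain, not only sysadm, can transition into the netutils and traceroute domains (raw-socket and packet-capture tools). Since sudo already runs as root this is consistent, but the template's documentation should mention the new transitions, and if only administrative roles need ping and traceroute the calls belong in the role-specific policy rather than the generic template.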
_service:tar_scm:v38.21.tar.gz/policy/modules/admin/sudo.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/admin/sudo.te
Changed
@@ -92,6 +92,7 @@ # sudo stores a token in the pam_pid directory auth_manage_pam_pid(sudodomain) auth_manage_faillog(sudodomain) +auth_read_var_auth(sudodomain) auth_rw_lastlog(sudodomain) application_signal(sudodomain)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/afterburn.fc
Added
@@ -0,0 +1,3 @@ +/usr/bin/afterburn -- gen_context(system_u:object_r:afterburn_exec_t,s0) + +/usr/lib/systemd/system/afterburn.* -- gen_context(system_u:object_r:afterburn_unit_file_t,s0)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/afterburn.if
Added
@@ -0,0 +1,39 @@ +## <summary>policy for afterburn</summary> + +######################################## +## <summary> +## Execute afterburn in the afterburn domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`afterburn_domtrans',` + gen_require(` + type afterburn_t, afterburn_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, afterburn_exec_t, afterburn_t) +') + +###################################### +## <summary> +## Execute afterburn in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`afterburn_exec',` + gen_require(` + type afterburn_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, afterburn_exec_t) +')
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/afterburn.te
Added
@@ -0,0 +1,43 @@ +policy_module(afterburn, 1.0.0) + +######################################## +# +# Declarations +# + +type afterburn_t; +type afterburn_exec_t; +init_daemon_domain(afterburn_t, afterburn_exec_t) + +type afterburn_unit_file_t; +systemd_unit_file(afterburn_unit_file_t) + +permissive afterburn_t; + +######################################## +# +# afterburn local policy +# +allow afterburn_t self:capability { setgid setuid sys_admin }; +allow afterburn_t self:process { fork setpgid }; +allow afterburn_t self:fifo_file rw_fifo_file_perms; + +kernel_read_all_proc(afterburn_t) + +corenet_tcp_connect_http_port(afterburn_t) + +domain_use_interactive_fds(afterburn_t) + +files_read_etc_files(afterburn_t) + +optional_policy(` + auth_use_nsswitch(afterburn_t) +') + +optional_policy(` + miscfiles_read_localization(afterburn_t) +') + +optional_policy(` + sysnet_dns_name_resolve(afterburn_t) +')
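Review bot: `allow afterburn_t self:capability { setgid setuid sys_admin };` needs a comment explaining what afterburn does with CAP_SYS_ADMIN; it is the broadest capability and is easy to grant by transcribing audit denials from permissive mode without checking whether the denied operation actually matters. Likewise `permissive afterburn_t;` should carry a pointer to where the domain is being tracked toward enforcing mode, since a permissive domain in a shipped module logs but never blocks.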
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/apcupsd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/apcupsd.te
Changed
@@ -156,5 +156,7 @@ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t) corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t) + dev_read_sysfs(apcupsd_cgi_script_t) + sysnet_dns_name_resolve(apcupsd_cgi_script_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/bind.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/bind.te
Changed
@@ -58,11 +58,12 @@ type named_var_run_t; files_pid_file(named_var_run_t) +files_mountpoint(named_var_run_t) init_daemon_run_dir(named_var_run_t, "named") # for primary zone files type named_zone_t; -files_type(named_zone_t) +files_mountpoint(named_zone_t) type ndc_t; type ndc_exec_t; @@ -77,6 +78,7 @@ allow named_t self:capability { chown dac_read_search dac_override fowner kill net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; allow named_t self:capability2 block_suspend; +allow named_t self:io_uring sqpoll; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept connectto listen }; @@ -115,6 +117,7 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) allow named_t named_zone_t:file map; +kernel_io_uring_use(named_t) kernel_read_kernel_sysctls(named_t) kernel_read_system_state(named_t) kernel_read_network_state(named_t) @@ -263,6 +266,7 @@ allow ndc_t self:capability { dac_read_search net_admin }; allow ndc_t self:capability2 block_suspend; +allow ndc_t self:io_uring sqpoll; allow ndc_t self:process { fork signal_perms }; dontaudit ndc_t self:process setsched; allow ndc_t self:fifo_file rw_fifo_file_perms; @@ -278,6 +282,7 @@ allow ndc_t named_zone_t:dir search_dir_perms; +kernel_io_uring_use(ndc_t) kernel_read_system_state(ndc_t) kernel_read_kernel_sysctls(ndc_t)
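Review bot: `allow named_t self:io_uring sqpoll;` and `kernel_io_uring_use(named_t)` (and the same pair for ndc_t) open io_uring, including submission-queue polling, to a network-facing daemon. io_uring is a large kernel attack surface that a number of deployments disable outright (the `io_uring_disabled` sysctl exists for this), so consider gating these rules behind a tunable rather than granting them unconditionally, and note in the commit message which BIND version started using io_uring. The `files_mountpoint` changes for named_var_run_t and named_zone_t look fine for bind-mounted zone directories.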
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/bitlbee.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/bitlbee.te
Changed
@@ -19,6 +19,9 @@ type bitlbee_tmp_t; files_tmp_file(bitlbee_tmp_t) +type bitlbee_tmpfs_t; +files_tmpfs_file(bitlbee_tmpfs_t) + type bitlbee_var_t; files_type(bitlbee_var_t) @@ -40,6 +43,7 @@ allow bitlbee_t self:udp_socket create_socket_perms; allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; +allow bitlbee_t self:netlink_kobject_uevent_socket create_socket_perms; allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms; allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; @@ -56,9 +60,15 @@ manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) +manage_files_pattern(bitlbee_t, bitlbee_tmpfs_t, bitlbee_tmpfs_t) +fs_tmpfs_filetrans(bitlbee_t, bitlbee_tmpfs_t, file) +can_exec(bitlbee_t, bitlbee_tmpfs_t) + manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) +manage_lnk_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) -files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file}) +files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, { dir file }) +allow bitlbee_t bitlbee_var_t:file map; manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) @@ -68,6 +78,8 @@ kernel_read_system_state(bitlbee_t) kernel_read_kernel_sysctls(bitlbee_t) +corecmd_exec_shell(bitlbee_t) + corenet_all_recvfrom_unlabeled(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) corenet_tcp_sendrecv_generic_if(bitlbee_t) @@ -114,8 +126,12 @@ corenet_tcp_bind_interwise_port(bitlbee_t) corenet_tcp_sendrecv_interwise_port(bitlbee_t) +dev_getattr_dri_dev(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) +dev_read_sysfs(bitlbee_t) + +fs_getattr_xattr_fs(bitlbee_t) libs_legacy_use_shared_libs(bitlbee_t)
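Review bot: `manage_files_pattern(bitlbee_t, bitlbee_tmpfs_t, bitlbee_tmpfs_t)` together with `can_exec(bitlbee_t, bitlbee_tmpfs_t)` lets the daemon create a file in tmpfs and then execute it, and `manage_files_pattern` plus `allow bitlbee_t bitlbee_var_t:file map;` does the same for mapping under /var/lib; combined with the new `corecmd_exec_shell(bitlbee_t)` this removes most of the benefit of confining what bitlbee may run. If the denials come from a JIT or plugin loader, say which one in a comment; otherwise keep the write access and drop the `can_exec`.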
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/blueman.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/blueman.te
Changed
@@ -54,6 +54,7 @@ corecmd_exec_bin(blueman_t) +dev_read_sysfs(blueman_t) dev_read_rand(blueman_t) dev_read_urand(blueman_t) dev_rw_wireless(blueman_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/chrome.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/chrome.if
Changed
@@ -131,3 +131,31 @@ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write }; ') + + +######################################## +## <summary> +## Create chrome directory in the user home directory +## with an correct label. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chrome_filetrans_home_content',` + gen_require(` + type chrome_sandbox_home_t; + ') + + optional_policy(` + gnome_config_filetrans($1, chrome_sandbox_home_t, dir, "chromium") + gnome_cache_filetrans($1, chrome_sandbox_home_t, dir, "chromium") + gnome_cache_filetrans($1, chrome_sandbox_home_t, dir, "chrome") + gnome_cache_filetrans($1, chrome_sandbox_home_t, dir, "google-chrome") + gnome_cache_filetrans($1, chrome_sandbox_home_t, dir, "google-chrome-unstable") + + ') +') +
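Review bot: documentation typo in the new interface summary: "with an correct label" should read "with a correct label". Also tidy the whitespace: there are two blank lines before the `####` banner, a blank line before the closing `')` of the optional_policy block, and a trailing blank line at end of file. The filetrans calls match those already used in chrome.te, so the behaviour is consistent.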
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/chrome.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/chrome.te
Changed
@@ -138,6 +138,7 @@ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome") gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome") gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable") + gnome_config_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") ') optional_policy(`
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cifsutils.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/cifsutils.te
Changed
@@ -8,7 +8,10 @@ application_domain(cifs_helper_t, cifs_helper_exec_t) role system_r types cifs_helper_t; -allow cifs_helper_t self:capability { setgid setuid sys_chroot }; +# These capabilities are needed to switch into the namespaces & environment +# of the process ID parsed from the key description. It is necessary e.g. to +# work well with processes running in containers. +allow cifs_helper_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace }; allow cifs_helper_t self:key write; allow cifs_helper_t self:netlink_route_socket create_netlink_socket_perms; allow cifs_helper_t self:process setcap; @@ -54,6 +57,7 @@ optional_policy(` sssd_stream_connect(cifs_helper_t) + sssd_run_stream_connect(cifs_helper_t) ') optional_policy(`
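Review bot: the capability set for cifs_helper_t grows from `{ setgid setuid sys_chroot }` to add `dac_read_search`, `sys_admin` and `sys_ptrace`. The comment explains this is for entering the namespaces of the requesting PID (setns needs CAP_SYS_ADMIN, opening /proc/PID/ns/* needs CAP_SYS_PTRACE), which is reasonable, but CAP_SYS_PTRACE also permits reading other processes' memory; since the helper is started from a kernel key upcall, consider a boolean so hosts that do not run containers keep the original, smaller set.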
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cloudform.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/cloudform.te
Changed
@@ -164,6 +164,7 @@ ') optional_policy(` + sysnet_domtrans_dhcpc(cloud_init_t) sysnet_domtrans_ifconfig(cloud_init_t) sysnet_read_dhcpc_state(cloud_init_t) sysnet_dns_name_resolve(cloud_init_t)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/coreos_installer.fc
Added
@@ -0,0 +1,7 @@ +/usr/bin/coreos-installer -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) + +/usr/libexec/coreos-installer-disable-device-auto-activation -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) +/usr/libexec/coreos-installer-service -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) + +/usr/lib/systemd/system-generators/coreos-installer-generator -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) +/usr/lib/systemd/system/coreos-installer.* -- gen_context(system_u:object_r:coreos_installer_unit_file_t,s0)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/coreos_installer.if
Added
@@ -0,0 +1,39 @@ +## <summary>policy for coreos_installer</summary> + +######################################## +## <summary> +## Execute coreos_installer_exec_t in the coreos_installer domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`coreos_installer_domtrans',` + gen_require(` + type coreos_installer_t, coreos_installer_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, coreos_installer_exec_t, coreos_installer_t) +') + +###################################### +## <summary> +## Execute coreos_installer in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`coreos_installer_exec',` + gen_require(` + type coreos_installer_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, coreos_installer_exec_t) +')
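Review bot: the summary of `coreos_installer_domtrans` says "Execute coreos_installer_exec_t in the coreos_installer domain", naming the type rather than the program; the sibling afterburn.if uses "Execute afterburn in the afterburn domain", so use "Execute coreos_installer in the coreos_installer domain" for consistency.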
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/coreos_installer.te
Added
@@ -0,0 +1,47 @@ +policy_module(coreos_installer, 1.0.0) + +######################################## +# +# Declarations +# + +type coreos_installer_t; +type coreos_installer_exec_t; +init_daemon_domain(coreos_installer_t, coreos_installer_exec_t) + +type coreos_installer_unit_file_t; +systemd_unit_file(coreos_installer_unit_file_t) + +permissive coreos_installer_t; + +######################################## +# +# coreos_installer local policy +# +allow coreos_installer_t self:capability { setgid setuid sys_admin }; +allow coreos_installer_t self:process { fork setpgid }; +allow coreos_installer_t self:fifo_file rw_fifo_file_perms; +allow coreos_installer_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_proc_files(coreos_installer_t) + +corecmd_exec_bin(coreos_installer_t) +corecmd_exec_shell(coreos_installer_t) + +dev_write_kmsg(coreos_installer_t) + +domain_use_interactive_fds(coreos_installer_t) + +files_read_etc_files(coreos_installer_t) + +optional_policy(` + auth_read_passwd_file(coreos_installer_t) +') + +optional_policy(` + miscfiles_read_localization(coreos_installer_t) +') + +optional_policy(` + sysnet_dns_name_resolve(coreos_installer_t) +')
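Review bot: the domain is `permissive coreos_installer_t;` and is also given `corecmd_exec_bin`, `corecmd_exec_shell` and `sys_admin`, so right now nothing it does is blocked and the rule set is only a starting point; record the denials gathered while it was permissive and the issue under which `permissive` is to be removed, otherwise an installer that runs early with real privileges stays unconfined in practice. `dev_write_kmsg` is fine for an installer logging to the console.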
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cups.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/cups.te
Changed
@@ -140,7 +140,7 @@ allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search dac_override kill fsetid fowner chown sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:capability2 { block_suspend wake_alarm }; +allow cupsd_t self:capability2 { block_suspend bpf wake_alarm }; allow cupsd_t self:process { getpgid setpgid setsched }; allow cupsd_t self:unix_stream_socket { accept connectto listen }; allow cupsd_t self:netlink_selinux_socket create_socket_perms;
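Review bot: adding `bpf` to `allow cupsd_t self:capability2 { block_suspend bpf wake_alarm };` grants CAP_BPF to the print daemon; a comment should say what triggers it, which is often a sandboxing option in the systemd unit rather than cupsd itself. If the capability is only probed and not needed for printing to work, a `dontaudit` is the safer change than an `allow`.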
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/dbus.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/dbus.if
Changed
@@ -568,6 +568,24 @@ ######################################## ## <summary> +## Allow domain to write the dbus pid sock_file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_write_pid_sock_files',` + gen_require(` + type system_dbusd_var_run_t; + ') + + write_sock_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) +') + +######################################## +## <summary> ## Watch system dbus pid socket files ## </summary> ## <param name="domain">
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/dbus.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/dbus.te
Changed
@@ -197,6 +197,7 @@ optional_policy(` gnome_atspi_domtrans(system_dbusd_t) gnome_exec_gconf(system_dbusd_t) + gnome_initial_setup_read_var_lib_files(system_dbusd_t) gnome_read_inherited_home_icc_data_files(system_dbusd_t) ') @@ -238,6 +239,10 @@ ') optional_policy(` + term_use_generic_ptys(system_dbusd_t) +') + +optional_policy(` udev_read_db(system_dbusd_t) ')
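Review bot: `term_use_generic_ptys(system_dbusd_t)` is unusual for the system bus daemon; if the denial came from a pty file descriptor inherited when the bus is started from a terminal (a debugging or rescue-shell scenario), a `dontaudit` on the inherited descriptor is the usual fix rather than allowing the bus to read and write ptys. The `gnome_initial_setup_read_var_lib_files` addition looks fine.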
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/ddclient.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/ddclient.if
Changed
@@ -118,3 +118,37 @@ getattr_files_pattern($1, ddclient_var_run_t, ddclient_var_run_t) ') + +######################################## +## <summary> +## Create objects in the ddclient home directory +## with an automatic type transition to a specified type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="type"> +## <summary> +## The type of the object being created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The class of the object being created. +## </summary> +## </param> +## <param name="name"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`ddclient_var_filetrans',` + gen_require(` + type ddclient_var_t; + ') + + filetrans_pattern($1, ddclient_var_t, $2, $3, $4) +')
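Review bot: the summary for `ddclient_var_filetrans` says "Create objects in the ddclient home directory" but the interface operates on ddclient_var_t; reword it to describe the ddclient var directory so the interface documentation matches what the `filetrans_pattern` call does.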
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/dovecot.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/dovecot.te
Changed
@@ -324,6 +324,10 @@ postfix_search_spool(dovecot_auth_t) ') +optional_policy(` + systemd_private_tmp(dovecot_auth_tmp_t) +') + ######################################## # # dovecot deliver local policy
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fdo.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/fdo.fc
Changed
@@ -1,3 +1,7 @@ +/boot/device-credentials -- gen_context(system_u:object_r:fdo_device_credentials_t,s0) + +/etc/device-credentials -- gen_context(system_u:object_r:fdo_device_credentials_t,s0) +/etc/device_onboarding_performed -- gen_context(system_u:object_r:fdo_device_credentials_t,s0) /etc/fdo(/.*)? gen_context(system_u:object_r:fdo_conf_t,s0) /etc/fdo/aio/aio_configuration -- gen_context(system_u:object_r:fdo_conf_rw_t,s0) /etc/fdo/aio/configs(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) @@ -5,9 +9,26 @@ /etc/fdo/aio/logs(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) /etc/fdo/aio/stores(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/manufacturing_sessions(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/owner_onboarding_sessions(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/owner_vouchers(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/rendezvous_registered(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/rendezvous_sessions(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) + +/tmp/fdouser -- gen_context(system_u:object_r:fdo_tmp_t,s0) + /usr/bin/fdo-admin-tool -- gen_context(system_u:object_r:fdo_exec_t,s0) /usr/bin/fdo-owner-tool -- gen_context(system_u:object_r:fdo_exec_t,s0) -/usr/libexec/fdo(/.*)? -- gen_context(system_u:object_r:fdo_exec_t,s0) +/usr/libexec/fdo(/.*)? gen_context(system_u:object_r:fdo_exec_t,s0) /usr/lib/systemd/system/fdo.*.service -- gen_context(system_u:object_r:fdo_unit_file_t,s0) + +/var/home/fdouser(/.*)? gen_context(system_u:object_r:fdo_home_t,s0) + +/var/fdo(/.*)? gen_context(system_u:object_r:fdo_var_t,s0) + +/var/lib/fdo(/.*)? gen_context(system_u:object_r:fdo_var_lib_t,s0) + + +
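Review bot: `/usr/libexec/fdo(/.*)?` loses its `--` qualifier, so the directory itself and everything below it are now labeled fdo_exec_t rather than only regular files; that is why fdo.te has to add `allow fdo_t fdo_exec_t:dir search_dir_perms;` and lnk_file reads. Labeling a directory with an exec type is atypical; keep `--` so the directory keeps the default bin_t label from corecommands, and add a separate entry if scripts under it need a different type. Also `/tmp/fdouser -- ... fdo_tmp_t` fixes a predictable name under /tmp, which deserves a comment on why the file is not created in a private tmp, and the three trailing blank lines at the end of the file should go.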
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fdo.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/fdo.te
Changed
@@ -15,22 +15,37 @@ type fdo_conf_rw_t; files_config_file(fdo_conf_rw_t) +type fdo_device_credentials_t; +files_type(fdo_device_credentials_t) + +type fdo_home_t; +userdom_user_home_content(fdo_home_t) + type fdo_tmp_t; files_tmp_file(fdo_tmp_t) type fdo_unit_file_t; systemd_unit_file(fdo_unit_file_t) +type fdo_var_lib_t; +files_type(fdo_var_lib_t) + +type fdo_var_t; +files_type(fdo_var_t) + ######################################## # # fdo local policy # +allow fdo_t self:capability { chown dac_override dac_read_search sys_admin }; allow fdo_t self:fifo_file rw_fifo_file_perms; allow fdo_t self:netlink_route_socket r_netlink_socket_perms; allow fdo_t self:tcp_socket create_stream_socket_perms; allow fdo_t self:udp_socket create_socket_perms; allow fdo_t self:unix_stream_socket create_stream_socket_perms; +allow fdo_t fdo_exec_t:dir search_dir_perms; +allow fdo_t fdo_exec_t:lnk_file read_lnk_file_perms; can_exec(fdo_t, fdo_exec_t) manage_dirs_pattern(fdo_t, fdo_conf_t, fdo_conf_t) 
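Review bot: `allow fdo_t self:capability { chown dac_override dac_read_search sys_admin };` grants two of the broadest capabilities in the set with no comment saying which operation needs them; dac_override is often granted where dac_read_search alone suffices, and sys_admin covers mounts, namespaces and much more. Add a comment naming the syscall or file each capability is for, and drop dac_override if the access that triggered it is read-only.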
@@ -40,8 +55,41 @@ filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "configs" ) filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "keys" ) filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "logs" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "manufacturing_sessions" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "owner_vouchers" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "owner_onboarding_sessions" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "rendezvous_registered" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "rendezvous_sessions" ) filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "stores" ) filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, file, "aio_configuration" ) +#fdouser file is copied by fdo from server to client /etc/sudoers.d/fdouser +files_etc_filetrans(fdo_t, fdo_conf_rw_t, file, "fdouser") + +manage_files_pattern(fdo_t, fdo_device_credentials_t, fdo_device_credentials_t) +files_etc_filetrans(fdo_t, fdo_device_credentials_t, file, "device-credentials") +files_etc_filetrans(fdo_t, fdo_device_credentials_t, file, "device_onboarding_performed") +files_boot_filetrans(fdo_t, fdo_device_credentials_t, file, "device-credentials") + +manage_dirs_pattern(fdo_t, fdo_home_t, fdo_home_t) +manage_files_pattern(fdo_t, fdo_home_t, fdo_home_t) + +manage_dirs_pattern(fdo_t, fdo_tmp_t, fdo_tmp_t) +manage_files_pattern(fdo_t, fdo_tmp_t, fdo_tmp_t) +files_tmp_filetrans(fdo_t, fdo_tmp_t, { file dir }) + +manage_dirs_pattern(fdo_t, fdo_var_t, fdo_var_t) +manage_files_pattern(fdo_t, fdo_var_t, fdo_var_t) +files_var_filetrans(fdo_t, fdo_var_t, { file dir }) + +read_files_pattern(fdo_t, fdo_var_lib_t, fdo_var_lib_t) +files_var_lib_filetrans(fdo_t, fdo_var_lib_t, { file dir }) + +kernel_get_sysvipc_info(fdo_t) +kernel_read_proc_files(fdo_t) +kernel_stream_connect(fdo_t) + +corecmd_exec_bin(fdo_t) +corecmd_exec_shell(fdo_t) corenet_tcp_bind_generic_node(fdo_t) 
corenet_tcp_bind_http_cache_port(fdo_t) @@ -53,17 +101,56 @@ corenet_tcp_bind_us_cli_port(fdo_t) corenet_tcp_connect_us_cli_port(fdo_t) +dev_getattr_fs(fdo_t) +dev_list_sysfs(fdo_t) +dev_read_rand(fdo_t) +dev_rw_lvm_control(fdo_t) +dev_rw_tpm(fdo_t) + domain_use_interactive_fds(fdo_t) files_read_config_files(fdo_t) +fs_getattr_xattr_fs(fdo_t) fs_read_cgroup_files(fdo_t) +storage_raw_rw_fixed_disk(fdo_t) + +optional_policy(` + auth_read_passwd_file(fdo_t) +') + +optional_policy(` + lvm_domtrans(fdo_t) + lvm_manage_var_run(fdo_t) + lvm_var_run_filetrans(fdo_t) +') + optional_policy(` miscfiles_read_generic_certs(fdo_t) miscfiles_read_localization(fdo_t) ') optional_policy(` + ssh_basic_client_template(fdo, fdo_t, system_r) + ssh_create_home_dirs(fdo_t) + ssh_filetrans_home_content(fdo_t) +') + +optional_policy(` sysnet_read_config(fdo_t) ') + +optional_policy(` + systemd_manage_userdbd_runtime_sock_files(fdo_t) +') + +optional_policy(` + userdom_home_filetrans_user_home_dir(fdo_home_t) +') + +optional_policy(` + usermanage_domtrans_passwd(fdo_t) + usermanage_domtrans_useradd(fdo_t) + usermanage_read_crack_db(fdo_t) +')
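Review bot: in the second hunk, `files_var_lib_filetrans(fdo_t, fdo_var_lib_t, { file dir })` sets up a type transition for files and directories, but the only access granted on fdo_var_lib_t is `read_files_pattern(fdo_t, fdo_var_lib_t, fdo_var_lib_t)`, so fdo_t can never create the objects the transition is for; either add `manage_dirs_pattern`/`manage_files_pattern` on fdo_var_lib_t or drop the filetrans. Separately, the comment above `files_etc_filetrans(fdo_t, fdo_conf_rw_t, file, "fdouser")` says the file lands in /etc/sudoers.d/fdouser: spell out that /etc/sudoers.d is labeled etc_t (which is why files_etc_filetrans applies) and confirm that the sudo domains are allowed to read an fdo_conf_rw_t sudoers drop-in, otherwise the copied rule is unreadable by sudo.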
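Review bot: in the third hunk, `userdom_home_filetrans_user_home_dir(fdo_home_t)` appears to pass the file type fdo_home_t where the interface expects the subject domain; a rule with a file type as its source grants nothing to fdo_t, so this probably should be `userdom_home_filetrans_user_home_dir(fdo_t)`. Also, `storage_raw_rw_fixed_disk(fdo_t)` and `dev_rw_tpm(fdo_t)` give raw write access to block devices and the TPM, which bypasses file labeling entirely; a comment naming the onboarding step that needs each (disk setup via the lvm rules, TPM-backed credentials) would make the grant reviewable.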
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fedoratp.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/fedoratp.te
Changed
@@ -13,16 +13,22 @@ allow fedoratp_t self:process setsched; allow fedoratp_t self:unix_dgram_socket create_socket_perms; +kernel_read_proc_files(fedoratp_t) + corecmd_exec_bin(fedoratp_t) corenet_tcp_connect_http_port(fedoratp_t) +dev_read_sysfs(fedoratp_t) + files_manage_system_conf_files(fedoratp_t) files_manage_generic_tmp_dirs(fedoratp_t) files_manage_generic_tmp_files(fedoratp_t) files_manage_var_lib_dirs(fedoratp_t) files_manage_var_lib_files(fedoratp_t) +fs_getattr_xattr_fs(fedoratp_t) + sysnet_dns_name_resolve(fedoratp_t) term_use_unallocated_ttys(fedoratp_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/geoclue.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/geoclue.te
Changed
@@ -82,5 +82,9 @@ ') optional_policy(` + gnome_initial_setup_read_state(geoclue_t) +') + +optional_policy(` pcscd_stream_connect(geoclue_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gnome.fc
Changed
@@ -64,3 +64,5 @@ /usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) /usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + +/var/lib/gnome-initial-setup(/.*)? -- gen_context(system_u:object_r:gnome_initial_setup_var_lib_t,s0)
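Review bot: `/var/lib/gnome-initial-setup(/.*)? -- gen_context(...)` restricts the label to regular files, so the directory itself stays var_lib_t; the matching gnome.te change adds manage_dirs_pattern on gnome_initial_setup_var_lib_t and gnome.if adds create/watch dirs interfaces for it, so drop the `--` (this revision does exactly that for /usr/libexec/fdo in fdo.fc).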
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gnome.if
Changed
@@ -2059,6 +2059,98 @@ ######################################## ## <summary> +## Allow create gnome-initial-setup variable state directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_create_var_lib_dirs',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + create_dirs_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) +') + +######################################## +## <summary> +## Allow watch gnome-initial-setup variable state directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_watch_var_lib_dirs',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + watch_dirs_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) +') + +######################################## +## <summary> +## Allow read gnome-initial-setup variable state files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_read_var_lib_files',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + read_files_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) + allow $1 gnome_initial_setup_var_lib_t:file map; +') + +######################################## +## <summary> +## Allow manage gnome-initial-setup variable state files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_initial_setup_manage_var_lib_files',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + manage_files_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) + allow $1 gnome_initial_setup_var_lib_t:file map; +') + +######################################## +## <summary> +## Allow manage gnome-initial-setup variable state socket files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_manage_var_lib_sock_files',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + manage_sock_files_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) +') + +######################################## +## <summary> ## Allow read gnome-initial-setup runtime files ## </summary> ## <param name="domain">
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gnome.te
Changed
@@ -77,6 +77,9 @@ type gnome_initial_setup_exec_t; init_system_domain(gnome_initial_setup_t, gnome_initial_setup_exec_t); +type gnome_initial_setup_var_lib_t; +files_type(gnome_initial_setup_var_lib_t); + type gnome_initial_setup_var_run_t; files_pid_file(gnome_initial_setup_var_run_t); @@ -352,6 +355,9 @@ allow gnome_initial_setup_t gnome_initial_setup_exec_t:file execute_no_trans; allow gnome_initial_setup_t gkeyringd_exec_t:file exec_file_perms; +manage_dirs_pattern(gnome_initial_setup_t, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) +manage_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) + manage_dirs_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) manage_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) manage_sock_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) @@ -413,6 +419,10 @@ ') optional_policy(` + geoclue_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` networkmanager_dbus_chat(gnome_initial_setup_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gpg.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gpg.te
Changed
@@ -197,6 +197,10 @@ ') optional_policy(` + rpm_read_db(gpg_t) +') + +optional_policy(` spamassassin_read_spamd_tmp_files(gpg_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gpsd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gpsd.te
Changed
@@ -63,6 +63,8 @@ corenet_tcp_bind_gpsd_port(gpsd_t) corenet_tcp_sendrecv_gpsd_port(gpsd_t) +dev_rw_gnss(gpsd_t) +dev_setattr_gnss(gpsd_t) dev_read_sysfs(gpsd_t) dev_rw_realtime_clock(gpsd_t) @@ -98,3 +100,8 @@ optional_policy(` udev_read_db(gpsd_t) ') + +optional_policy(` + userdom_use_user_ptys(gpsd_t) + userdom_use_user_ttys(gpsd_t) +')
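Review bot: style point in the first hunk: `dev_rw_gnss(gpsd_t)` and `dev_setattr_gnss(gpsd_t)` are inserted above `dev_read_sysfs(gpsd_t)`, breaking the alphabetical order the surrounding dev_* calls keep; move them after dev_read_sysfs. The setattr grant also deserves a one-line comment on which attribute gpsd changes on the GNSS device node.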
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/insights_client.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/insights_client.te
Changed
@@ -292,6 +292,7 @@ optional_policy(` logging_domtrans_auditctl(insights_client_t) + logging_manage_generic_logs(insights_client_t) logging_mmap_generic_logs(insights_client_t) logging_mmap_journal(insights_client_t) logging_read_audit_config(insights_client_t) @@ -344,6 +345,10 @@ ') optional_policy(` + rhcs_rw_cluster_tmpfs(insights_client_t) +') + +optional_policy(` rhnsd_read_config(insights_client_t) ') @@ -358,7 +363,7 @@ rpm_domtrans(insights_client_t) rpm_manage_db(insights_client_t) rpm_manage_cache(insights_client_t) - rpm_hawkey_named_filetrans(insights_client_t) + rpm_named_filetrans(insights_client_t) rpm_read_db(insights_client_t) rpm_signull(insights_client_t) ') @@ -401,12 +406,14 @@ ') optional_policy(` + unconfined_domain(insights_client_t) unconfined_server_create_shm(insights_client_t) unconfined_server_read_semaphores(insights_client_t) ') optional_policy(` userdom_manage_admin_files(insights_client_t) + userdom_manage_user_tmp_files(insights_client_t) userdom_user_tmp_filetrans(insights_client_t, insights_client_tmp_t, { dir file }) userdom_view_all_users_keys(insights_client_t) ')
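Review bot: `unconfined_domain(insights_client_t)` in the fourth hunk makes insights_client_t an unconfined domain, which supersedes every other rule in this file: the added `logging_manage_generic_logs`, `userdom_manage_user_tmp_files` and the rpm/audit rules around it all become moot. If one missing permission triggered this, grant that permission instead; if the domain genuinely has to be unconfined, say so in a comment next to the call, because it removes confinement from a root service with rpm, auditctl and log access.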
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/ipa.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/ipa.if
Changed
@@ -42,6 +42,27 @@ ######################################## ## <summary> +## Send sigkill to ipa-otpd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +ifndef(`ipa_sigkill_otpd',` + interface(`ipa_sigkill_otpd',` + gen_require(` + type ipa_otpd_t; + ') + + allow $1 ipa_otpd_t:process sigkill; + ') +') + +######################################## +## <summary> ## Connect to ipa-ods-exporter over a unix stream socket. ## </summary> ## <param name="domain"> @@ -364,6 +385,27 @@ ###################################### ## <summary> +## Execute ipa-pki-retrieve-key in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +ifndef(`ipa_pki_retrieve_key_exec',` + interface(`ipa_pki_retrieve_key_exec',` + gen_require(` + type ipa_pki_retrieve_key_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ipa_pki_retrieve_key_exec_t) + ') +') + +###################################### +## <summary> ## Execute ipa_custodia in the caller domain. ## </summary> ## <param name="domain">
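Review bot: the first new interface has a doubled comment marker (`#` on two consecutive lines before `ifndef(`ipa_sigkill_otpd',`), while `ipa_pki_retrieve_key_exec` has one; make them consistent. The ifndef guards also hide the interface silently when a definition already exists elsewhere, so note in the summary which other module is expected to provide it.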
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/kdump.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/kdump.te
Changed
@@ -31,6 +31,9 @@ type kdump_log_t; logging_log_file(kdump_log_t) +type kdump_tmpfs_t; +files_tmpfs_file(kdump_tmpfs_t) + type kdumpctl_t; type kdumpctl_exec_t; init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) @@ -64,6 +67,9 @@ manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file }) +manage_files_pattern(kdump_t, kdump_tmpfs_t, kdump_tmpfs_t) +fs_tmpfs_filetrans(kdump_t, kdump_tmpfs_t, file) + files_manage_generic_tmp_files(kdump_t) files_read_etc_runtime_files(kdump_t) files_read_kernel_symbol_table(kdump_t) @@ -142,7 +148,7 @@ files_delete_kernel(kdumpctl_t) fs_getattr_all_fs(kdumpctl_t) -fs_search_all(kdumpctl_t) +fs_list_all(kdumpctl_t) application_executable_ioctl(kdumpctl_t) @@ -194,5 +200,9 @@ ') optional_policy(` + systemd_private_tmp(kdumpctl_tmp_t) +') + +optional_policy(` unconfined_domain(kdumpctl_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/keepalived.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/keepalived.te
Changed
@@ -90,6 +90,8 @@ files_dontaudit_mounton_rootfs(keepalived_var_run_t) files_mounton_rootfs(keepalived_t) +files_watch_var_run_dirs(keepalived_t) +fs_getattr_tmpfs(keepalived_t) fs_read_nsfs_files(keepalived_t) fs_unmount_tmpfs(keepalived_t) @@ -145,6 +147,8 @@ allow keepalived_t keepalived_unconfined_script_exec_t:dir search_dir_perms; allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms; allow keepalived_t keepalived_unconfined_script_exec_t:file ioctl; + dontaudit keepalived_t keepalived_unconfined_script_exec_t:file setattr; + init_dbus_chat(keepalived_unconfined_script_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/keyutils.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/keyutils.te
Changed
@@ -33,9 +33,14 @@ allow keyutils_dns_resolver_t self:netlink_route_socket r_netlink_socket_perms; allow keyutils_dns_resolver_t self:udp_socket create_socket_perms; +allow keyutils_dns_resolver_t self:unix_dgram_socket create_socket_perms; kernel_read_key(keyutils_dns_resolver_t) kernel_view_key(keyutils_dns_resolver_t) init_search_pid_dirs(keyutils_dns_resolver_t) sysnet_read_config(keyutils_dns_resolver_t) + +optional_policy(` + avahi_stream_connect(keyutils_dns_resolver_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/logrotate.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/logrotate.te
Changed
@@ -132,6 +132,7 @@ # Read /proc/PID directories for all domains. domain_read_all_domains_state(logrotate_t) +files_map_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) files_search_all(logrotate_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mon_statd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mon_statd.te
Changed
@@ -62,6 +62,7 @@ # mon_procd local policy # allow mon_procd_t self:capability sys_ptrace; +allow mon_procd_t self:cap_userns sys_ptrace; allow mon_procd_t self:unix_dgram_socket { create connect };
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mozilla.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mozilla.if
Changed
@@ -54,10 +54,6 @@ userdom_manage_tmp_role($1, mozilla_t) optional_policy(` - nsplugin_role($1, mozilla_t) - ') - - optional_policy(` pulseaudio_role($1, mozilla_t) pulseaudio_filetrans_admin_home_content(mozilla_t) pulseaudio_filetrans_home_content(mozilla_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mozilla.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mozilla.te
Changed
@@ -758,3 +758,7 @@ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t) corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t) ') + +tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files(mozilla_plugin_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mta.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mta.fc
Changed
@@ -8,6 +8,7 @@ /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +/etc/aliases\.lmdb -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) /etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) @@ -15,6 +16,7 @@ /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') +/var/cache/ddclient/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) /var/lib/arpwatch/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) /root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mta.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mta.te
Changed
@@ -131,6 +131,10 @@ ') optional_policy(` + ddclient_var_filetrans(system_mail_t, mail_home_rw_t, dir, ".esmtp_queue") +') + +optional_policy(` exim_domtrans(user_mail_domain) exim_manage_log(user_mail_domain) exim_manage_spool_files(user_mail_domain) @@ -288,6 +292,11 @@ ') optional_policy(` + exim_manage_spool_dirs(system_mail_t) + exim_manage_spool_files(system_mail_t) +') + +optional_policy(` fail2ban_append_log(user_mail_domain) fail2ban_dontaudit_leaks(user_mail_domain) fail2ban_rw_inherited_tmp_files(mta_user_agent)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/networkmanager.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/networkmanager.if
Changed
@@ -338,6 +338,7 @@ files_search_pids($1) manage_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + allow $1 NetworkManager_var_run_t:file map; ') ########################################
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/networkmanager.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/networkmanager.te
Changed
@@ -276,6 +276,9 @@ userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) +fs_read_tmpfs_files(NetworkManager_t) +fs_delete_tmpfs_files(NetworkManager_t) + tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') @@ -667,6 +670,7 @@ optional_policy(` samba_domtrans_smbcontrol(NetworkManager_dispatcher_winbind_t) samba_read_config(NetworkManager_dispatcher_winbind_t) + samba_rw_var_files(NetworkManager_dispatcher_winbind_t) samba_service_status(NetworkManager_dispatcher_winbind_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nscd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nscd.te
Changed
@@ -113,6 +113,7 @@ files_watch_etc_dirs(nscd_t) files_watch_etc_files(nscd_t) files_map_system_db_files(nscd_t) +files_watch_system_db_dirs(nscd_t) files_watch_system_db_files(nscd_t) logging_send_audit_msgs(nscd_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nsd.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nsd.fc
Changed
@@ -16,5 +16,7 @@ /var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) /var/run/nsd\.ctl -s gen_context(system_u:object_r:nsd_var_run_t,s0) +/var/run/nsd/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) +/var/run/nsd/nsd\.ctl -s gen_context(system_u:object_r:nsd_var_run_t,s0) /var/log/nsd\.log.* -- gen_context(system_u:object_r:nsd_log_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nsd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nsd.te
Changed
@@ -36,7 +36,7 @@ # NSD Local policy # -allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin }; +allow nsd_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid net_admin }; dontaudit nsd_t self:capability sys_tty_config; allow nsd_t self:process signal_perms; allow nsd_t self:tcp_socket create_stream_socket_perms;
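Review bot: `fowner fsetid` are added to nsd_t's capability set without a comment; fsetid in particular lets the daemon keep setuid/setgid bits on files it chowns or chmods, so note which zone or control-socket operation needs each, and check whether fowner alone covers it.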
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/ntp.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/ntp.te
Changed
@@ -99,6 +99,9 @@ corenet_sendrecv_ntp_server_packets(ntpd_t) corenet_sendrecv_ntp_client_packets(ntpd_t) +corenet_tcp_bind_ntske_port(ntpd_t) +corenet_tcp_connect_ntske_port(ntpd_t) + corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nut.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nut.te
Changed
@@ -74,6 +74,8 @@ allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; +can_exec(nut_upsmon_t, nut_upsmon_exec_t) + read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) kernel_read_kernel_sysctls(nut_upsmon_t)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nvme_stas.fc
Added
@@ -0,0 +1,13 @@ +/usr/sbin/stacd -- gen_context(system_u:object_r:nvme_stas_exec_t,s0) +/usr/sbin/stafd -- gen_context(system_u:object_r:nvme_stas_exec_t,s0) + +/usr/lib/systemd/system/stacd\.service -- gen_context(system_u:object_r:nvme_stas_unit_file_t,s0) +/usr/lib/systemd/system/stafd\.service -- gen_context(system_u:object_r:nvme_stas_unit_file_t,s0) +/usr/lib/systemd/system/stas-config\.target -- gen_context(system_u:object_r:nvme_stas_unit_file_t,s0) +/usr/lib/systemd/system/stas-config@\.service -- gen_context(system_u:object_r:nvme_stas_unit_file_t,s0) + +/var/cache/stacd(/.*)? gen_context(system_u:object_r:nvme_stas_cache_t,s0) +/var/cache/stafd(/.*)? gen_context(system_u:object_r:nvme_stas_cache_t,s0) + +/var/run/stacd(/.*)? gen_context(system_u:object_r:nvme_stas_var_run_t,s0) +/var/run/stafd(/.*)? gen_context(system_u:object_r:nvme_stas_var_run_t,s0)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nvme_stas.if
Added
@@ -0,0 +1,60 @@ +## <summary>policy for nvme_stas</summary> + +######################################## +## <summary> +## Execute nvme_stas_exec_t in the nvme_stas domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nvme_stas_domtrans',` + gen_require(` + type nvme_stas_t, nvme_stas_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, nvme_stas_exec_t, nvme_stas_t) +') + +###################################### +## <summary> +## Execute nvme_stas in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nvme_stas_exec',` + gen_require(` + type nvme_stas_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, nvme_stas_exec_t) +') + +###################################### +## <summary> +## Send and receive messages from +## nvme_stas over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nvme_stas_dbus_chat',` + gen_require(` + type nvme_stas_t; + class dbus send_msg; + ') + + allow $1 nvme_stas_t:dbus send_msg; + allow nvme_stas_t $1:dbus send_msg; +')
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nvme_stas.te
Added
@@ -0,0 +1,120 @@ +policy_module(nvme_stas, 1.0.0) + +gen_require(` + class dbus send_msg; +') + +######################################## +# +# Declarations +# + +type nvme_stas_t; +type nvme_stas_exec_t; +init_daemon_domain(nvme_stas_t, nvme_stas_exec_t) + +type nvme_stas_cache_t; +files_type(nvme_stas_cache_t) + +type nvme_stas_tmpfs_t; +files_tmp_file(nvme_stas_tmpfs_t) + +type nvme_stas_unit_file_t; +systemd_unit_file(nvme_stas_unit_file_t) + +type nvme_stas_var_run_t; +files_pid_file(nvme_stas_var_run_t) + +######################################## +# +# stas local policy +# +allow nvme_stas_t self:capability { net_admin sys_admin }; +allow nvme_stas_t self:capability2 bpf; +allow nvme_stas_t self:dbus send_msg; +allow nvme_stas_t self:fifo_file rw_fifo_file_perms; +allow nvme_stas_t self:netlink_kobject_uevent_socket { bind create getattr setopt }; +allow nvme_stas_t self:process setsched; +allow nvme_stas_t self:tcp_socket create_stream_socket_perms; +allow nvme_stas_t self:unix_stream_socket create_stream_socket_perms; +allow nvme_stas_t self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(nvme_stas_t, nvme_stas_tmpfs_t, nvme_stas_tmpfs_t) +fs_tmpfs_filetrans(nvme_stas_t, nvme_stas_tmpfs_t, file) +can_exec(nvme_stas_t, nvme_stas_tmpfs_t) + +manage_dirs_pattern(nvme_stas_t, nvme_stas_var_run_t, nvme_stas_var_run_t) +manage_files_pattern(nvme_stas_t, nvme_stas_var_run_t, nvme_stas_var_run_t) +files_pid_filetrans(nvme_stas_t, nvme_stas_var_run_t, file, "last-known-config.pickle" ) + +kernel_dgram_send(nvme_stas_t) +kernel_request_load_module(nvme_stas_t) + +corecmd_exec_bin(nvme_stas_t) + +dev_read_sysfs(nvme_stas_t) +domain_use_interactive_fds(nvme_stas_t) + +files_getattr_all_files(nvme_stas_t) +files_read_etc_files(nvme_stas_t) + +storage_raw_read_fixed_disk(nvme_stas_t) +storage_rw_inherited_fixed_disk_dev(nvme_stas_t) + +optional_policy(` + auth_read_passwd_file(nvme_stas_t) +') + +optional_policy(` + avahi_dbus_chat(nvme_stas_t) +') + 
+optional_policy(` + dbus_connect_system_bus(nvme_stas_t) + dbus_send_system_bus(nvme_stas_t) + dbus_stream_connect_system_dbusd(nvme_stas_t) + dbus_write_pid_sock_files(nvme_stas_t) +') + +optional_policy(` + gnome_search_gconf(nvme_stas_t) +') + +optional_policy(` + libs_exec_ldconfig(nvme_stas_t) +') + +optional_policy(` + logging_write_syslog_pid_socket(nvme_stas_t) +') + +optional_policy(` + miscfiles_read_localization(nvme_stas_t) + miscfiles_read_generic_certs(nvme_stas_t) +') + +optional_policy(` + sssd_search_lib(nvme_stas_t) +') + +optional_policy(` + sysnet_read_config(nvme_stas_t) +') + +optional_policy(` + systemd_exec_systemctl(nvme_stas_t) +') + +optional_policy(` + udev_manage_pid_dirs(nvme_stas_t) + udev_manage_pid_files(nvme_stas_t) +') + +optional_policy(` + unconfined_dbus_send(nvme_stas_t) +') + +optional_policy(` + userdom_list_user_home_content(nvme_stas_t) +') +
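Review bot: `type nvme_stas_tmpfs_t; files_tmp_file(nvme_stas_tmpfs_t)` declares a tmpfs type with the tmp-file attribute; since the rules use `fs_tmpfs_filetrans(nvme_stas_t, nvme_stas_tmpfs_t, file)`, this should be `files_tmpfs_file(nvme_stas_tmpfs_t)`, as kdump.te does for kdump_tmpfs_t in this same revision. Two more things in this file: `can_exec(nvme_stas_t, nvme_stas_tmpfs_t)` next to `manage_files_pattern` on the same type lets the daemon execute files it has just written to tmpfs, so add a comment on what gets executed there; and nvme_stas_cache_t is declared (and nvme_stas.fc labels /var/cache/stacd and /var/cache/stafd with it) but no rule gives nvme_stas_t any access to it.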
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/oddjob.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/oddjob.te
Changed
@@ -73,6 +73,11 @@ init_dbus_chat(oddjob_t) ') +optional_policy(` + userdom_use_user_ptys(oddjob_t) + userdom_use_user_ttys(oddjob_t) +') + ifdef(`ipa_helper_noatsecure',` optional_policy(` ipa_helper_noatsecure(oddjob_t) @@ -122,3 +127,7 @@ dbus_system_bus_client(oddjob_mkhomedir_t) ') +optional_policy(` + userdom_use_user_ptys(oddjob_mkhomedir_t) + userdom_use_user_ttys(oddjob_mkhomedir_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/opafm.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/opafm.te
Changed
@@ -47,6 +47,8 @@ dev_list_sysfs(opafm_t) dev_read_sysfs(opafm_t) +fs_search_nfs(opafm_t) + libs_exec_lib_files(opafm_t) logging_send_syslog_msg(opafm_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/openshift.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/openshift.te
Changed
@@ -219,7 +219,6 @@ dontaudit openshift_domain openshift_initrc_tmp_t:file append; dontaudit openshift_domain openshift_var_run_t:file append; -dontaudit openshift_domain openshift_file_type:sock_file execute; kernel_dontaudit_search_network_state(openshift_domain) kernel_dontaudit_list_all_proc(openshift_domain)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/pdns.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/pdns.te
Changed
@@ -48,8 +48,9 @@ kernel_read_system_state(pdns_t) corenet_tcp_bind_dns_port(pdns_t) -corenet_udp_bind_dns_port(pdns_t) corenet_tcp_bind_transproxy_port(pdns_t) +corenet_tcp_connect_all_ports(pdns_t) +corenet_udp_bind_all_ports(pdns_t) manage_dirs_pattern(pdns_t, pdns_var_lib_t, pdns_var_lib_t) manage_files_pattern(pdns_t, pdns_var_lib_t, pdns_var_lib_t) @@ -60,12 +61,17 @@ manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) -auth_use_nsswitch(pdns_t) - -corenet_udp_bind_generic_port(pdns_t) +optional_policy(` + auth_use_nsswitch(pdns_t) +') -logging_send_syslog_msg(pdns_t) +optional_policy(` + kerberos_read_keytab(pdns_t) +') +optional_policy(` + logging_send_syslog_msg(pdns_t) +') ######################################## #
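Review bot: replacing `corenet_udp_bind_dns_port(pdns_t)` with `corenet_udp_bind_all_ports(pdns_t)` and adding `corenet_tcp_connect_all_ports(pdns_t)` lets the server bind any UDP port and connect to any TCP port, which is far wider than a DNS server needs. Keep the dns port bind, use `corenet_udp_bind_all_unreserved_ports` if the intent is random source ports for outbound queries (the removed `corenet_udp_bind_generic_port` suggests so), and name the backend database port for the TCP connect instead of all_ports. The second hunk also leaves an empty line before the closing `########################################` banner; drop it to match the rest of the file.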
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/policykit.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/policykit.te
Changed
@@ -60,6 +60,7 @@ allow policykit_t policykit_auth_exec_t:file map; allow policykit_t policykit_auth_t:process signal; +allow policykit_t policykit_auth_t:process2 nnp_transition; can_exec(policykit_t, policykit_exec_t) corecmd_exec_bin(policykit_t) @@ -125,6 +126,10 @@ ') optional_policy(` + rhsmcertd_dbus_chat(policykit_t) + ') + + optional_policy(` rpm_dbus_chat(policykit_t) ') ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/postfix.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/postfix.te
Changed
@@ -62,7 +62,6 @@ postfix_user_domain_template(postdrop) mta_mailserver_user_agent(postfix_postdrop_t) -mta_agent_executable(postfix_postdrop_t) postfix_user_domain_template(postqueue) mta_mailserver_user_agent(postfix_postqueue_t) @@ -125,7 +124,7 @@ can_exec(postfix_master_t, postfix_exec_t) allow postfix_master_t postfix_data_t:dir manage_dir_perms; -allow postfix_master_t postfix_data_t:file manage_file_perms; +allow postfix_master_t postfix_data_t:file { manage_file_perms map }; allow postfix_master_t postfix_keytab_t:file read_file_perms; @@ -214,6 +213,7 @@ ifdef(`distro_redhat',` # for newer main.cf that uses /etc/aliases mta_manage_aliases(postfix_master_t) + mta_map_aliases(postfix_master_t) mta_etc_filetrans_aliases(postfix_master_t) ') @@ -330,10 +330,6 @@ logging_dontaudit_search_logs(postfix_local_t) -mta_delete_spool(postfix_local_t) -# Handle vacation script -mta_send_mail(postfix_local_t) - userdom_read_user_home_content_files(postfix_local_t) userdom_exec_user_bin_files(postfix_local_t) @@ -375,6 +371,13 @@ ') optional_policy(` + mta_delete_spool(postfix_local_t) + mta_map_aliases(postfix_local_t) + # Handle vacation script + mta_send_mail(postfix_local_t) +') + +optional_policy(` munin_search_lib(postfix_local_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/prosody.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/prosody.te
Changed
@@ -62,6 +62,7 @@ can_exec(prosody_t, prosody_exec_t) +kernel_read_net_sysctls(prosody_t) kernel_read_system_state(prosody_t) corecmd_exec_bin(prosody_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/qatlib.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/qatlib.te
Changed
@@ -23,6 +23,7 @@ # qatlib local policy # allow qatlib_t self:fifo_file rw_fifo_file_perms; +allow qatlib_t self:system module_load; allow qatlib_t self:unix_stream_socket create_stream_socket_perms; allow qatlib_t qatlib_unit_file_t:file read_file_perms; @@ -34,13 +35,20 @@ manage_files_pattern(qatlib_t, qatlib_var_run_t, qatlib_var_run_t) files_pid_filetrans(qatlib_t, qatlib_var_run_t, { dir file } ) +kernel_read_proc_files(qatlib_t) +kernel_request_load_module(qatlib_t) + corecmd_exec_shell(qatlib_t) corecmd_exec_bin(qatlib_t) -dev_read_sysfs(qatlib_t) +dev_create_sysfs_files(qatlib_t) +dev_rw_sysfs(qatlib_t) +dev_setattr_generic_dirs(qatlib_t) domain_use_interactive_fds(qatlib_t) +files_read_kernel_modules(qatlib_t) + optional_policy(` auth_read_passwd_file(qatlib_t) ') @@ -50,6 +58,16 @@ ') optional_policy(` + modutils_exec_kmod(qatlib_t) + modutils_read_module_config(qatlib_t) + modutils_read_module_deps_files(qatlib_t) +') + +optional_policy(` + sssd_read_public_files(qatlib_t) +') + +optional_policy(` systemd_search_unit_dirs(qatlib_t) ')
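Review bot: `allow qatlib_t self:system module_load` together with `kernel_request_load_module`, `modutils_exec_kmod` and `files_read_kernel_modules` turns qatlib_t into a module-loading domain, and `dev_create_sysfs_files`/`dev_rw_sysfs` replace the read-only `dev_read_sysfs` with write access to sysfs. Add a comment stating which QAT device setup step needs to load modules and write sysfs so the grant is reviewable, and consider a domain transition to kmod (modutils_domtrans_kmod) rather than modutils_exec_kmod, so the module_load permission stays with kmod's domain instead of qatlib_t.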
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rhcs.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rhcs.fc
Changed
@@ -41,6 +41,7 @@ /var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0) /var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) /var/run/haproxy\.sock.* -s gen_context(system_u:object_r:haproxy_var_run_t,s0) +/var/run/pcsd\.socket -s gen_context(system_u:object_r:cluster_var_run_t,s0) /var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) # cluster administrative domains file spec
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rhsmcertd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rhsmcertd.te
Changed
@@ -93,6 +93,7 @@ corecmd_exec_bin(rhsmcertd_t) corecmd_exec_shell(rhsmcertd_t) +dev_dontaudit_write_raw_memory(rhsmcertd_t) dev_read_sysfs(rhsmcertd_t) dev_read_rand(rhsmcertd_t) dev_read_urand(rhsmcertd_t)
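Review bot: dev_dontaudit_write_raw_memory(rhsmcertd_t) silences a denial that, for raw memory devices, is exactly the kind an operator wants to see. If the trigger is an O_RDWR open or an access(2) probe from a library rather than an actual write, say so in a comment above the line; a bare dontaudit on raw memory writes sitting between dev_read_sysfs and dev_read_rand reads as a mistake otherwise.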
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rpc.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rpc.te
Changed
@@ -257,6 +257,7 @@ kernel_dontaudit_setsched(nfsd_t) kernel_request_load_module(nfsd_t) kernel_mounton_proc(nfsd_t) +kernel_read_net_sysctls(nfsd_t) kernel_rw_rpc_sysctls_dirs(nfsd_t) kernel_create_rpc_sysctls(nfsd_t) kernel_rw_fs_sysctls(nfsd_t)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rpcbind.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rpcbind.te
Changed
@@ -51,6 +51,7 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) +kernel_read_net_sysctls(rpcbind_t) kernel_request_load_module(rpcbind_t) corenet_all_recvfrom_netlabel(rpcbind_t)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rsync.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rsync.te
Changed
@@ -102,6 +102,7 @@ files_pid_filetrans(rsync_t, rsync_var_run_t, file) kernel_read_kernel_sysctls(rsync_t) +kernel_read_net_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/samba.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/samba.te
Changed
@@ -187,6 +187,9 @@ type winbind_rpcd_var_run_t; files_pid_file(winbind_rpcd_var_run_t) +type winbind_rpcd_tmp_t; +files_tmp_file(winbind_rpcd_tmp_t) + type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -601,6 +604,11 @@ files_dontaudit_list_security_dirs(nmbd_t) files_dontaudit_search_security_files(nmbd_t) files_dontaudit_read_security_files(nmbd_t) + fs_read_noxattr_fs_files(winbind_rpcd_t) + files_read_non_security_files(winbind_rpcd_t) + files_dontaudit_list_security_dirs(winbind_rpcd_t) + files_dontaudit_search_security_files(winbind_rpcd_t) + files_dontaudit_read_security_files(winbind_rpcd_t) ') tunable_policy(`samba_export_all_rw',` @@ -617,6 +625,12 @@ files_dontaudit_list_security_dirs(nmbd_t) files_dontaudit_search_security_files(nmbd_t) files_dontaudit_read_security_files(nmbd_t) + fs_manage_noxattr_fs_files(winbind_rpcd_t) + files_manage_non_security_files(winbind_rpcd_t) + files_manage_non_security_dirs(winbind_rpcd_t) + files_dontaudit_list_security_dirs(winbind_rpcd_t) + files_dontaudit_search_security_files(winbind_rpcd_t) + files_dontaudit_read_security_files(winbind_rpcd_t) ') userdom_filetrans_home_content(nmbd_t) @@ -1188,6 +1202,9 @@ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t) files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file }) +manage_files_pattern(winbind_rpcd_t, winbind_rpcd_tmp_t, winbind_rpcd_tmp_t) +files_tmp_filetrans(winbind_rpcd_t, winbind_rpcd_tmp_t, file) + # access to files of other samba domains manage_dirs_pattern(winbind_rpcd_t, samba_share_t, samba_share_t) manage_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t) @@ -1204,6 +1221,8 @@ manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t) allow winbind_rpcd_t samba_var_t:file { map } ; +manage_files_pattern(winbind_rpcd_t, smbd_tmp_t, smbd_tmp_t) + kernel_read_network_state(winbind_rpcd_t) corecmd_exec_bin(winbind_rpcd_t) 
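Review bot: in the last hunk, manage_files_pattern(winbind_rpcd_t, smbd_tmp_t, smbd_tmp_t) gives winbind_rpcd_t full control over smbd's temp files even though this same change introduces winbind_rpcd_tmp_t for its own; if the shared files are a fixed set that smbd creates, a comment naming them is needed, otherwise the new private type should be used. Also, files_tmp_filetrans(winbind_rpcd_t, winbind_rpcd_tmp_t, file) covers plain files only and only manage_files_pattern is granted on the new type, so any directory winbind_rpcd_t creates under /tmp will land in the generic tmp type; add a dir transition and manage_dirs_pattern if it creates directories. The winbind_rpcd_t additions inside the samba_export_all_ro and samba_export_all_rw tunable blocks mirror the nmbd_t rules directly above them and look right.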
@@ -1248,6 +1267,10 @@ ') optional_policy(` + lpd_domtrans_lpr(winbind_rpcd_t) +') + +optional_policy(` miscfiles_read_generic_certs(winbind_rpcd_t) ')
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sandboxX.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sandboxX.te
Changed
@@ -357,7 +357,8 @@ # typeattribute sandbox_web_client_t sandbox_web_type; -allow sandbox_web_client_t sandbox_web_client_t:cap_userns sys_chroot; +allow sandbox_web_client_t self:user_namespace create; +allow sandbox_web_client_t self:cap_userns sys_chroot; allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition; selinux_get_fs_mount(sandbox_web_client_t) @@ -475,6 +476,10 @@ ') optional_policy(` + dbus_watch_config(sandbox_web_type) +') + +optional_policy(` mozilla_plugin_rw_sem(sandbox_web_type) ')
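Review bot: the rewrite of the cap_userns rule into `allow sandbox_web_client_t self:user_namespace create;` plus `allow sandbox_web_client_t self:cap_userns sys_chroot;` only builds if the user_namespace object class is declared in this tree's flask definitions, and only has effect if the Mega:23.09 kernel actually checks that class; please confirm both, because a policy that lacks the class on a kernel that checks it falls back to the handle-unknown setting, and under deny the web client sandbox would fail to create its namespace instead of keeping the old behaviour. Replacing the explicit sandbox_web_client_t target with self is a pure cleanup.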
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sblim.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sblim.te
Changed
@@ -150,7 +150,7 @@ # Sfcbd local policy # -allow sblim_sfcbd_t self:capability { sys_ptrace setgid setuid }; +allow sblim_sfcbd_t self:capability { setgid setuid sys_ptrace sys_rawio}; dontaudit sblim_sfcbd_t self:cap_userns sys_ptrace; allow sblim_sfcbd_t self:process signal; allow sblim_sfcbd_t self:unix_stream_socket connectto; @@ -177,10 +177,15 @@ dev_read_rand(sblim_sfcbd_t) dev_read_urand(sblim_sfcbd_t) +dev_read_raw_memory(sblim_sfcbd_t) domain_read_all_domains_state(sblim_sfcbd_t) domain_use_interactive_fds(sblim_sfcbd_t) +files_getattr_non_auth_dirs(sblim_sfcbd_t) + +init_read_utmp(sblim_sfcbd_t) + logging_send_audit_msgs(sblim_sfcbd_t) optional_policy(` @@ -193,6 +198,10 @@ ') optional_policy(` + ssh_signull(sblim_sfcbd_t) +') + +optional_policy(` virt_manage_config(sblim_sfcbd_t) virt_stream_connect(sblim_sfcbd_t) virt_search_images(sblim_sfcbd_t)
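Review bot: the first hunk adds sys_rawio to the sfcbd capability set and, together with dev_read_raw_memory(sblim_sfcbd_t) in the second hunk, lets the CIM broker read raw memory devices; that is a large grant for a management daemon, so the commit should name the provider that needs it (if it is SMBIOS/DMI data, /sys/firmware/dmi/tables may be enough without sys_rawio) rather than leave it uncommented. Style: `sys_rawio}` is missing the space before the closing brace that the surrounding rules use.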
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sendmail.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sendmail.te
Changed
@@ -45,7 +45,7 @@ dontaudit sendmail_t self:capability2 block_suspend; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; -allow sendmail_t self:unix_stream_socket create_stream_socket_perms; +allow sendmail_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow sendmail_t self:unix_dgram_socket create_socket_perms; allow sendmail_t self:tcp_socket create_stream_socket_perms; allow sendmail_t self:udp_socket create_socket_perms;
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/smartmon.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/smartmon.te
Changed
@@ -30,7 +30,7 @@ files_tmp_file(fsdaemon_tmp_t) ifdef(`enable_mls',` - init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) + init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, s0 - mls_systemhigh) ') ########################################
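Review bot: changing the third argument of init_ranged_daemon_domain from mls_systemhigh to `s0 - mls_systemhigh` is a semantic change, not a typo fix: fsdaemon_t now runs with a range spanning s0 to systemhigh instead of a single level at systemhigh, so under MLS it can write objects at s0 that it could not before. If the goal is letting smartd write its own state at the low level, say so in a comment on the line; if it is matching how other ranged daemons are declared, name one.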
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sosreport.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sosreport.fc
Changed
@@ -1,3 +1,4 @@ +/usr/sbin/sos -- gen_context(system_u:object_r:sosreport_exec_t,s0) /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) /\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/spamassassin.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/spamassassin.te
Changed
@@ -638,6 +638,7 @@ corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) +dev_read_sysfs(spamd_update_t) dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sssd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sssd.te
Changed
@@ -21,6 +21,13 @@ ## </desc> gen_tunable(sssd_connect_all_unreserved_ports, false) +## <desc> +## <p> +## Allow sssd use usb devices +## </p> +## </desc> +gen_tunable(sssd_use_usb, false) + type sssd_t; type sssd_exec_t; init_daemon_domain(sssd_t, sssd_exec_t) @@ -61,6 +68,7 @@ allow sssd_t self:capability { dac_override ipc_lock chown dac_read_search kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid setcap}; allow sssd_t self:fifo_file rw_fifo_file_perms; +allow sssd_t self:io_uring sqpoll; allow sssd_t self:key manage_key_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -68,6 +76,7 @@ allow sssd_t sssd_exec_t:file execute_no_trans; read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) +read_lnk_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t) manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) @@ -181,6 +190,16 @@ corenet_tcp_connect_all_unreserved_ports(sssd_t) ') +tunable_policy(`sssd_use_usb',` + dev_rw_generic_usb_dev(sssd_t) +') + +optional_policy(` + tunable_policy(`sssd_use_usb',` + ipa_domtrans_otpd(sssd_t) + ') +') + optional_policy(` accountsd_read_fifo_file(sssd_t) ') @@ -223,6 +242,10 @@ ') optional_policy(` + ipa_sigkill_otpd(sssd_t) +') + +optional_policy(` ldap_stream_connect(sssd_t) ldap_read_certs(sssd_t) ')
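Review bot: the sssd_use_usb tunable gates two unrelated things: dev_rw_generic_usb_dev(sssd_t) and, in the following optional_policy block, ipa_domtrans_otpd(sssd_t). A transition into ipa_otpd_t is not USB access, so either give the transition its own boolean or extend the <desc> text to say the boolean also enables the IPA OTP daemon transition, and fix its wording to "Allow sssd to use USB devices". Two smaller points: `allow sssd_t self:io_uring sqpoll;` permits the SQPOLL kernel-thread mode, which is a separate privilege from ordinary io_uring use and deserves a comment on why sssd needs it; read_lnk_files_pattern on sssd_conf_t next to the existing read_files_pattern is fine.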
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/svnserve.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/svnserve.te
Changed
@@ -94,6 +94,10 @@ ') optional_policy(` + postfix_domtrans_postdrop(svnserve_t) +') + +optional_policy(` sasl_connect(svnserve_t) ')
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/targetd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/targetd.te
Changed
@@ -111,6 +111,10 @@ ') optional_policy(` + logging_write_syslog_pid_socket(targetd_t) +') + +optional_policy(` lvm_domtrans(targetd_t) ')
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/thumb.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/thumb.te
Changed
@@ -105,6 +105,8 @@ libs_legacy_use_shared_libs(thumb_t) ') +init_append_stream_sockets(thumb_t) + libs_dontaudit_setattr_lib_dirs(thumb_t) logging_send_syslog_msg(thumb_t)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/tuned.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/tuned.te
Changed
@@ -32,7 +32,7 @@ # Local policy # -allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; +allow tuned_t self:capability { net_admin sys_admin sys_nice sys_ptrace sys_rawio }; dontaudit tuned_t self:capability { dac_read_search sys_tty_config }; allow tuned_t self:process { setsched signal }; allow tuned_t self:fifo_file rw_fifo_file_perms; @@ -67,13 +67,11 @@ kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) -kernel_read_kernel_sysctls(tuned_t) kernel_request_load_module(tuned_t) -kernel_rw_kernel_sysctl(tuned_t) +kernel_rw_all_sysctls(tuned_t) +kernel_rw_security_state(tuned_t) kernel_rw_usermodehelper_state(tuned_t) -kernel_rw_vm_sysctls(tuned_t) kernel_setsched(tuned_t) -kernel_rw_all_sysctls(tuned_t) kernel_manage_perf_event(tuned_t) corecmd_exec_bin(tuned_t) @@ -82,10 +80,13 @@ dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) +dev_read_raw_memory(tuned_t) dev_rw_cpu_microcode(tuned_t) dev_rw_sysfs(tuned_t) dev_rw_netcontrol(tuned_t) +domain_read_all_domains_state(tuned_t) + files_dontaudit_all_access_check(tuned_t) files_dontaudit_search_home(tuned_t) files_list_tmp(tuned_t) @@ -94,6 +95,8 @@ fs_search_all(tuned_t) fs_rw_hugetlbfs_files(tuned_t) +mls_file_read_to_clearance(tuned_t) + auth_use_nsswitch(tuned_t) logging_send_syslog_msg(tuned_t) @@ -101,6 +104,8 @@ logging_manage_syslog_config(tuned_t) logging_filetrans_named_conf(tuned_t) +systemd_exec_systemctl(tuned_t) + mount_read_pid_files(tuned_t) modutils_domtrans_kmod(tuned_t)
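Review bot: the first hunk adds sys_ptrace and the later hunks add domain_read_all_domains_state(tuned_t), dev_read_raw_memory(tuned_t), kernel_rw_security_state(tuned_t) and mls_file_read_to_clearance(tuned_t); together these let tuned read every domain's /proc state and raw memory devices, and tuned runs site-supplied plugins, so each of these lines needs a comment naming the plugin or sysctl that triggered it. Collapsing kernel_read_kernel_sysctls, kernel_rw_kernel_sysctl and kernel_rw_vm_sysctls into the kernel_rw_all_sysctls that was already present is a clean deduplication. systemd_exec_systemctl(tuned_t) runs systemctl inside tuned_t; if tuned only needs to manage a known set of units, a narrower interface is preferable to executing the tool in its own domain.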
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/virt.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt.fc
Changed
@@ -1,134 +1,115 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.local/share/libvirt/boot(/.*)? 
gen_context(system_u:object_r:svirt_home_t,s0) - -/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/virtlogd.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) -/etc/libvirt/^/* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/^/* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) -/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/^/* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/^/* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - -/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) -/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) -/usr/libexec/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/qemu-storage-daemon -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) -/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) -/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) -/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) - -/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtnetworkd -- 
gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtnodedevd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtxend -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) - -/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) - -/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) -/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) -/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/common(/.*)? gen_context(system_u:object_r:virt_common_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) -/var/run/libvirt/lxc(/.*)? 
gen_context(system_u:object_r:virt_lxc_var_run_t,s0) -/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) -/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) -/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0) - -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) - -# support for AEOLUS project -/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) -/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) -/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/rkt/cas(/.*)? 
gen_context(system_u:object_r:container_file_t,s0) - -# add support vios-proxy-* -/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0) - -# support for vdsm -/usr/libexec/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/libexec/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/libexec/vdsm/supervdsmd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/libexec/vdsm/vdsmd -- gen_context(system_u:object_r:virtd_exec_t,s0) -# these paths are now obsolete -/usr/share/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/share/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/share/vdsm/supervdsmServer -- gen_context(system_u:object_r:virtd_exec_t,s0) - -# support for nova-stack -/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) - -/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) - -/usr/libexec/qemu-ga(/.*)? 
gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) - -/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) - -/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) -/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) -/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) - -/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) - -/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) -/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) - -/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) -/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/boot(/.*)? 
gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) +/etc/libvirt/^/* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/^/* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) + +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0) +/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0) +/usr/sbin/virtnodedevd -- gen_context(system_u:object_r:virtnodedevd_exec_t,s0) +/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0) +/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0) +/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0) +/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0) +/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0) +/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0) +/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0) +/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) +# Use parentheses so that "interface" is not recognized as a keyword by M4 +/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/nwfilter-binding(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/storage(/.*)? 
gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtnwfilterd-binding\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/common(/.*)? gen_context(system_u:object_r:virt_common_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? 
gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/libvirt-sock -s gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/virtlockd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt/virtlogd-admin-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) 
+/var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) + +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/virt.*\.socket -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
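Review bot: this rewrite drops a long list of file contexts unrelated to the new per-driver daemons: the qemu binaries (/usr/bin/qemu, /usr/bin/qemu-system-.*, /usr/bin/qemu-kvm, /usr/libexec/qemu.*), qemu-ga, its fsfreeze-hook.d directories, pid, state and log files, qemu-bridge-helper, qemu-pr-helper and its socket, virt-who, xl/xm and /etc/xen, the vdsm, imagefactory/oz, rkt, vios-proxy and nova-compute paths, the gnome-boxes and libvirt-sandbox home entries, HOME_DIR/\.virtinst, /usr/lib/virt-sysprep/firstboot.sh and the .*xen.*\.service unit pattern. Nothing in this diff relabels them, so unless another .fc in the same update picks them up they fall back to generic labels and the qemu_exec_t and virt_qemu_ga_exec_t entrypoints stop applying; please point at the file that now carries them or restore the lines. The genuine fixes (escaping virtlogd\.conf, per-daemon exec and var_run types, the socket entries) look right. Two carry-overs worth fixing while here: `/etc/libvirt/^/*` puts a `^` anchor mid-regex and matches nothing useful (probably `[^/]*` was intended), and `/usr/lib/systemd/system/*virtlogd.*` starts with an unanchored `*`. Note that /usr/sbin/virtlockd and virtlockd-sock are still labelled with the virtlogd types, which may be intended but is easy to misread next to the new one-type-per-daemon entries.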
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/virt.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt.if
Changed
@@ -2,7 +2,7 @@ ######################################## ## <summary> -## virtd_lxc_t stub interface. No access allowed. +## virtd_lxc_t stub interface. No access allowed. ## </summary> ## <param name="domain" unused="true"> ## <summary> @@ -18,7 +18,7 @@ ######################################## ## <summary> -## svirt_sandbox_domain attribute stub interface. No access allowed. +## svirt_sandbox_domain attribute stub interface. No access allowed. ## </summary> ## <param name="domain" unused="true"> ## <summary> @@ -34,7 +34,7 @@ ######################################## ## <summary> -## container_file_t stub interface. No access allowed. +## container_file_t stub interface. No access allowed. ## </summary> ## <param name="domain" unused="true"> ## <summary> @@ -48,6 +48,17 @@ ') ') +######################################## +## <summary> +## container_file_t and container_ro_file_t stub interface. +## No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# interface(`virt_stub_svirt_sandbox_file',` gen_require(` type container_file_t; @@ -68,15 +79,13 @@ # template(`virt_domain_template',` gen_require(` - attribute virt_image_type, virt_domain; - attribute virt_tmpfs_type; + attribute virt_domain; attribute virt_ptynode; - type qemu_exec_t; type virtlogd_t; ') type $1_t, virt_domain; - application_domain($1_t, qemu_exec_t) + application_type($1_t) domain_user_exemption_target($1_t) mls_rangetrans_target($1_t) mcs_constrained($1_t) 
@@ -97,6 +106,115 @@ # Allow domain to write to pipes connected to virtlogd allow $1_t virtlogd_t:fd use; allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + + qemu_entry_type($1_t) + +') + +###################################### +## <summary> +## Creates types and rules for a basic +## virt driver domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`virt_driver_template',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_executable; + attribute virt_driver_var_run; + type virtd_t; + type virtqemud_t; + type virt_common_var_run_t; + type virt_etc_t; + type virt_etc_rw_t; + type virtinterfaced_var_run_t; + type virtnodedevd_var_run_t; + type virtnetworkd_var_run_t; + type virtnwfilterd_var_run_t; + type virtsecretd_var_run_t; + type virtstoraged_var_run_t; + type virt_var_run_t; + ') + + mls_rangetrans_source($1) + mls_rangetrans_target($1) + + ################################## + # + # Local policy + # + + allow $1 self:netlink_audit_socket create; + allow $1 self:netlink_kobject_uevent_socket create_socket_perms; + allow $1 self:netlink_route_socket create_netlink_socket_perms; + allow $1 self:rawip_socket create_socket_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + + allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms; + allow virt_driver_domain virtqemud_t:unix_stream_socket connectto; + + allow $1 virt_common_var_run_t:file append_file_perms; + manage_dirs_pattern($1, virt_common_var_run_t, virt_common_var_run_t) + manage_files_pattern($1, virt_common_var_run_t, virt_common_var_run_t) + filetrans_pattern($1, virt_driver_var_run, virt_common_var_run_t, dir, "common") + filetrans_pattern($1, virt_var_run_t, virt_common_var_run_t, dir, "common") + + filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interfac(e)") + filetrans_pattern($1, virt_var_run_t, virtnodedevd_var_run_t, dir, "nodedev") + 
filetrans_pattern($1, virt_var_run_t, virtnwfilterd_var_run_t, dir, "nwfilter") + filetrans_pattern($1, virt_var_run_t, virtsecretd_var_run_t, dir, "secrets") + filetrans_pattern($1, virt_var_run_t, virtstoraged_var_run_t, dir, "storage") + + manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + + read_files_pattern($1, virt_etc_t, virt_etc_t) + manage_dirs_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern($1, virt_etc_t, virt_etc_rw_t, dir) + + read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t) + + kernel_dgram_send($1) + + mls_fd_share_all_levels($1) + mls_file_read_to_clearance($1) + mls_file_write_to_clearance($1) + mls_process_read_to_clearance($1) + mls_process_write_to_clearance($1) + mls_socket_read_to_clearance($1) + mls_socket_write_to_clearance($1) + + auth_read_passwd($1) + + dev_read_sysfs($1) + + files_read_non_security_files($1) + init_read_utmp($1) + + logging_send_syslog_msg($1) + + miscfiles_read_generic_certs($1) + + virt_manage_cache($1) + virt_manage_pid_files($1) + virt_stream_connect($1) + + optional_policy(` + dbus_read_pid_files($1) + dbus_stream_connect_system_dbusd($1) + dbus_system_bus_client($1) + ') + + optional_policy(` + systemd_dbus_chat_logind($1) + systemd_machined_stream_connect($1) + systemd_write_inhibit_pipes($1) + ') ') ######################################## 
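Review bot: in the new virt_driver_template, three rules use the attribute virt_driver_domain as the source instead of the template parameter (`allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms;`, `allow virt_driver_domain virtqemud_t:unix_stream_socket connectto;`, `read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t)`), so every instantiation re-emits an attribute-wide rule and the grant is not tied to the domain being declared; use `$1` as the source, or move these three rules into virt.te next to the attribute declaration. The name-transition literal "interfac(e)" for virtinterfaced_var_run_t also needs a second look: filetrans names must match the created directory name exactly, and the sibling entries use plain names such as "nodedev" and "nwfilter". Finally, mls_rangetrans_source/target and the seven mls_*_to_clearance calls are handed to every split driver; a short comment on why each driver needs MLS override would help the next reviewer.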
@@ -123,20 +241,22 @@ ####################################### ## <summary> -## Getattr on virt executable. +## Getattr on virt executable. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> +## <summary> +## Domain allowed to transition. +## </summary> ## </param> # interface(`virt_getattr_exec',` - gen_require(` - type virtd_exec_t; - ') + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') allow $1 virtd_exec_t:file getattr; + allow $1 virt_driver_executable:file getattr; ') ######################################## 
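Review bot: the parameter description of virt_getattr_exec still says "Domain allowed to transition." although the interface only grants getattr on the executables; since this hunk already rewrites those summary lines, change it to "Domain allowed access." as the other interfaces in the file do.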
@@ -169,51 +289,59 @@ # interface(`virt_exec',` gen_require(` + attribute virt_driver_executable; type virtd_exec_t; ') can_exec($1, virtd_exec_t) + can_exec($1, virt_driver_executable) ') ######################################## ## <summary> -## Transition to virt_bridgehelper. +## Allow caller domain to run bpftool. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> +## <summary> +## Domain allowed access. +## </summary> ## </param> -interface(`virt_domtrans_bridgehelper',` +# +interface(`virt_prog_run_bpf',` gen_require(` - type virt_bridgehelper_t, virt_bridgehelper_exec_t; + type virtd_t; ') - domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) + allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run }; ') -######################################## + +####################################### ## <summary> -## Allow caller domain to run bpftool. +## Connect to virt over a unix domain stream socket. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> +## <summary> +## Domain allowed access. +## </summary> ## </param> # -interface(`virt_prog_run_bpf',` - gen_require(` - type virtd_t; - ') +interface(`virt_stream_connect',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_var_run; + type virtd_t, virt_var_run_t; + ') - allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run }; + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain) ') - -####################################### +######################################## ## <summary> -## Connect to virt over a unix domain stream socket. +## Read and write to virt_domain unix +## stream sockets. ## </summary> ## <param name="domain"> ## <summary> 
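Review bot: this hunk deletes the public interface virt_domtrans_bridgehelper without leaving a deprecated wrapper, so any other module that still calls it fails at policy build time; the later virt_transition_svirt hunk switches to an optional `virt_bridgehelper_role($2)`, which suggests the helper moved to its own module, so either add a shim that forwards to the new module's interface or state that no callers remain. In the rewritten virt_stream_connect, `stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain)` now grants connectto to every split driver socket in one call; that matches the old virtd_t behaviour, but the interface summary should say the caller gets all driver sockets, not just virtd.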
@@ -221,15 +349,15 @@ ## </summary> ## </param> # -interface(`virt_stream_connect',` +interface(`virt_rw_stream_sockets_virt_domain',` gen_require(` - type virtd_t, virt_var_run_t; + attribute virt_domain; ') - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + allow $1 virt_domain:unix_stream_socket { read write }; ') + ####################################### ## <summary> ## Connect to svirt process over a unix domain stream socket. @@ -243,7 +371,7 @@ interface(`virt_stream_connect_svirt',` gen_require(` type svirt_t; - type svirt_image_t; + type svirt_image_t; ') stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t) @@ -265,7 +393,7 @@ type svirt_t; ') - allow $1 svirt_t:unix_stream_socket { setopt getopt read write }; + allow $1 svirt_t:unix_stream_socket { getopt read setopt write }; ') ######################################## @@ -280,10 +408,12 @@ # interface(`virt_attach_tun_iface',` gen_require(` + attribute virt_driver_domain; type virtd_t; ') allow $1 virtd_t:tun_socket relabelfrom; + allow $1 virt_driver_domain:tun_socket relabelfrom; allow $1 self:tun_socket relabelto; ') @@ -363,7 +493,7 @@ type virt_content_t; ') - allow $1 virt_content_t:file getattr_file_perms; + allow $1 virt_content_t:file getattr_file_perms; ') ######################################## @@ -389,7 +519,7 @@ read_files_pattern($1, virt_content_t, virt_content_t) read_lnk_files_pattern($1, virt_content_t, virt_content_t) read_blk_files_pattern($1, virt_content_t, virt_content_t) - read_chr_files_pattern($1, virt_content_t, virt_content_t) + read_chr_files_pattern($1, virt_content_t, virt_content_t) tunable_policy(`virt_use_nfs',` fs_list_nfs($1) 
@@ -434,11 +564,13 @@ # interface(`virt_read_pid_symlinks',` gen_require(` + attribute virt_driver_var_run; type virt_var_run_t; ') files_search_pids($1) read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) ') ######################################## @@ -453,12 +585,15 @@ # interface(`virt_read_pid_files',` gen_require(` + attribute virt_driver_var_run; type virt_var_run_t; ') files_search_pids($1) read_files_pattern($1, virt_var_run_t, virt_var_run_t) - read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) ') ######################################## @@ -473,12 +608,14 @@ # interface(`virt_manage_pid_dirs',` gen_require(` + attribute virt_driver_var_run; type virt_var_run_t; type virt_lxc_var_run_t; ') files_search_pids($1) manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_driver_var_run, virt_driver_var_run) manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) virt_filetrans_named_content($1) ') @@ -495,12 +632,14 @@ # interface(`virt_manage_pid_files',` gen_require(` + attribute virt_driver_var_run; type virt_var_run_t; type virt_lxc_var_run_t; ') files_search_pids($1) manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_driver_var_run, virt_driver_var_run) manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) ') @@ -533,10 +672,12 @@ # interface(`virt_pid_filetrans',` gen_require(` + attribute virt_driver_var_run; type virt_var_run_t; ') filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + filetrans_pattern($1, virt_driver_var_run, $2, $3, $4) ') ######################################## 
@@ -727,7 +868,6 @@ # interface(`virt_read_images',` gen_require(` - type virt_var_lib_t; attribute virt_image_type; ') @@ -822,7 +962,6 @@ # interface(`virt_manage_images',` gen_require(` - type virt_var_lib_t; attribute virt_image_type; ') @@ -837,24 +976,41 @@ ####################################### ## <summary> -## Allow domain to manage virt image files +## Allow domain to manage virt image files ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> +## <summary> +## Domain allowed access. +## </summary> ## </param> # interface(`virt_manage_default_image_type',` - gen_require(` - type virt_var_lib_t; - type virt_image_t; - ') + gen_require(` + type virt_image_t; + ') - virt_search_lib($1) - manage_dirs_pattern($1, virt_image_t, virt_image_t) - manage_files_pattern($1, virt_image_t, virt_image_t) - read_lnk_files_pattern($1, virt_image_t, virt_image_t) + virt_search_lib($1) + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) +') + +####################################### +## <summary> +## Get virtd services status +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virtd_service_status',` + gen_require(` + type virtd_unit_file_t; + ') + + allow $1 virtd_unit_file_t:service status; ') ######################################## 
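Review bot: the new interface virtd_service_status breaks the module's naming convention (every other interface here is prefixed virt_, for example virt_manage_default_image_type in the same hunk), and its parameter description "Domain allowed to transition." is wrong for a service status permission; rename it to virt_service_status (or the status naming used by the other modules) and describe the parameter as "Domain allowed access.".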
@@ -1091,17 +1247,18 @@ interface(`virt_transition_svirt',` gen_require(` attribute virt_domain; - type virt_bridgehelper_t; type svirt_image_t; type svirt_socket_t; ') allow $1 virt_domain:process transition; role $2 types virt_domain; - role $2 types virt_bridgehelper_t; role $2 types svirt_socket_t; + optional_policy(` + virt_bridgehelper_role($2) + ') - allow $1 virt_domain:process { sigkill sigstop signull signal }; + allow $1 virt_domain:process { sigkill signal signull sigstop }; allow $1 svirt_image_t:file { relabelfrom relabelto }; allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; @@ -1161,10 +1318,12 @@ # interface(`virt_kill',` gen_require(` + attribute virt_driver_domain; type virtd_t; ') allow $1 virtd_t:process sigkill; + allow $1 virt_driver_domain:process sigkill; ') ######################################## @@ -1179,10 +1338,12 @@ # interface(`virt_signal',` gen_require(` + attribute virt_driver_domain; type virtd_t; ') allow $1 virtd_t:process signal; + allow $1 virt_driver_domain:process signal; ') ######################################## @@ -1197,10 +1358,12 @@ # interface(`virt_signull',` gen_require(` + attribute virt_driver_domain; type virtd_t; ') allow $1 virtd_t:process signull; + allow $1 virt_driver_domain:process signull; ') ######################################## 
@@ -1347,6 +1510,43 @@ ######################################## ## <summary> +## Make the specified type usable as a virt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt file type +## </summary> +## </param> +# +interface(`virt_file_types',` + gen_require(` + attribute virt_file_type; + ') + + typeattribute $1 virt_file_type; +') + +######################################## +## <summary> +## Make the specified type usable as a svirt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a svirt file type +## </summary> +## </param> +# +interface(`svirt_file_types',` + gen_require(` + attribute svirt_file_type; + ') + + typeattribute $1 svirt_file_type; +') + + +######################################## +## <summary> ## Creates types and rules for a basic ## virt_lxc process domain. ## </summary> @@ -1373,9 +1573,9 @@ kernel_read_system_state($1_t) kernel_read_all_proc($1_t) - # optional_policy(` - # container_runtime_typebounds($1_t) - # ') + # optional_policy(` + # container_runtime_typebounds($1_t) + # ') ') ######################################## @@ -1393,7 +1593,7 @@ attribute svirt_sandbox_domain; ') - typeattribute $1 svirt_sandbox_domain; + typeattribute $1 svirt_sandbox_domain; ') ######################################## 
@@ -1412,25 +1612,25 @@ ') virt_sandbox_domain($1) - typeattribute $1 sandbox_net_domain; + typeattribute $1 sandbox_net_domain; ') ######################################## ## <summary> -## Execute a qemu_exec_t in the callers domain -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. +## Make the specified type usable as a virt system domain ## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt system domain +## </summary> ## </param> # -interface(`virt_exec_qemu',` +interface(`virt_system_domain_type',` gen_require(` - type qemu_exec_t; + attribute virt_system_domain; ') - can_exec($1, qemu_exec_t) + typeattribute $1 virt_system_domain; ') ######################################## @@ -1439,7 +1639,7 @@ ## </summary> ## <param name="domain"> ## <summary> -## Domain allowed access. +## Domain allowed access. ## </summary> ## </param> # @@ -1476,7 +1676,7 @@ attribute svirt_sandbox_domain; ') - allow $1 svirt_sandbox_domain:process { transition signal_perms }; + allow $1 svirt_sandbox_domain:process { signal_perms transition }; role $2 types svirt_sandbox_domain; allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; @@ -1519,7 +1719,7 @@ type svirt_image_t; ') - allow $1 svirt_image_t:chr_file rw_file_perms; + allow $1 svirt_image_t:chr_file rw_chr_file_perms; ') ######################################## @@ -1555,7 +1755,7 @@ type virtd_t; ') - allow $1 virtd_t:process { rlimitinh }; + allow $1 virtd_t:process { rlimitinh }; ') ######################################## @@ -1573,7 +1773,7 @@ type virtd_t; ') - allow $1 virtd_t:process { noatsecure rlimitinh }; + allow $1 virtd_t:process { noatsecure rlimitinh }; ') ######################################## @@ -1600,6 +1800,7 @@ attribute svirt_file_type; attribute virt_file_type; type virtd_initrc_exec_t; + type virtd_unit_file_t; ') allow $1 virt_system_domain:process signal_perms; 
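Review bot: virt_exec_qemu is removed here and replaced in place by virt_system_domain_type, which is a compatibility break for any module outside virt that executed qemu through it; keep a deprecated wrapper that calls the qemu module's exec interface, or confirm there are no remaining callers. In the last hunk, `type virtd_unit_file_t;` is added to the gen_require but no rule using it appears in the hunk; if it is only there so the caller can get service status, call the new status interface instead of requiring the type directly. The change from `rw_file_perms` to `rw_chr_file_perms` on svirt_image_t:chr_file is correct and worth keeping.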
@@ -1628,14 +1829,15 @@ virt_stream_connect_svirt($1) virt_stream_connect($1) ') + ####################################### ## <summary> -## Getattr on virt executable. +## Getattr on virt executable. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> +## <summary> +## Domain allowed to transition. +## </summary> ## </param> # interface(`virt_default_capabilities',` @@ -1646,27 +1848,30 @@ typeattribute $1 sandbox_caps_domain; ') - ######################################## ## <summary> -## Send and receive messages from -## virt over dbus. +## Send and receive messages from +## virt over dbus. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> +## <summary> +## Domain allowed access. +## </summary> ## </param> # interface(`virt_dbus_chat',` - gen_require(` - type virtd_t; - class dbus send_msg; - ') + gen_require(` + attribute virt_driver_domain; + type virtd_t; + class dbus send_msg; + ') - allow $1 virtd_t:dbus send_msg; - allow virtd_t $1:dbus send_msg; - ps_process_pattern(virtd_t, $1) + allow $1 virtd_t:dbus send_msg; + allow virtd_t $1:dbus send_msg; + allow $1 virt_driver_domain:dbus send_msg; + allow virt_driver_domain $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) + ps_process_pattern(virt_driver_domain, $1) ') ######################################## @@ -1677,7 +1882,7 @@ ## <desc> ## <p> ## Execute a file in a sandbox directory -## in the specified domain. This allows +## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. 
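Review bot: the summary of virt_default_capabilities reads "Getattr on virt executable." with a parameter "Domain allowed to transition.", both copy-paste leftovers, while the body only does `typeattribute $1 sandbox_caps_domain;`; since the hunk already reindents those lines, fix the text to describe the capability attribute being assigned. In virt_dbus_chat, `ps_process_pattern(virt_driver_domain, $1)` lets every split driver read the caller's process state; that mirrors the existing virtd_t rule, but a comment saying so would make the parity explicit.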
@@ -1743,6 +1948,26 @@ ######################################## ## <summary> +## Manage svirt home files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_home',` + gen_require(` + type svirt_home_t; + ') + + manage_files_pattern($1, svirt_home_t, svirt_home_t) + manage_dirs_pattern($1, svirt_home_t, svirt_home_t) + manage_sock_files_pattern($1, svirt_home_t, svirt_home_t) +') + +######################################## +## <summary> ## Write svirt tmp files. ## </summary> ## <param name="domain"> @@ -1761,18 +1986,18 @@ ######################################## ## <summary> -## Manage svirt tmp files,dirs and sockfiles. +## Manage svirt tmp files,dirs and sockfiles. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> +## <summary> +## Domain allowed access. +## </summary> ## </param> # interface(`virt_svirt_manage_tmp',` - gen_require(` - type svirt_tmp_t; - ') + gen_require(` + type svirt_tmp_t; + ') manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t) manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t) @@ -1781,22 +2006,22 @@ ######################################## ## <summary> -## Read qemu PID files. +## Read qemu PID files. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> +## <summary> +## Domain allowed access. +## </summary> ## </param> # interface(`virt_read_qemu_pid_files',` - gen_require(` - type qemu_var_run_t; - ') + gen_require(` + type qemu_var_run_t; + ') - files_search_pids($1) - list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) - read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) + files_search_pids($1) + list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) + read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) ') ########################################
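Review bot: the new virt_svirt_manage_home requires `type svirt_home_t;`, and none of the virt.te hunks in this revision declare that type or give it a file context; make sure the declaration lands in the same revision, otherwise the interface fails to expand for any caller.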
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/virt.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt.te
Changed
@@ -5,33 +5,6 @@ # Declarations # -gen_require(` - class passwd rootok; - class passwd passwd; -') - -attribute virsh_transition_domain; -attribute virt_ptynode; -attribute virt_system_domain; -attribute virt_domain; -attribute virt_image_type; -attribute virt_tmpfs_type; -attribute svirt_file_type; -attribute virt_file_type; -attribute sandbox_net_domain; -attribute sandbox_caps_domain; - -type svirt_tmp_t, svirt_file_type; -files_tmp_file(svirt_tmp_t) - -type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; -files_tmpfs_file(svirt_tmpfs_t) - -type svirt_image_t, virt_image_type, svirt_file_type; -files_type(svirt_image_t) -dev_node(svirt_image_t) -dev_associate_sysfs(svirt_image_t) - ## <desc> ## <p> ## Allow confined virtual guests to use serial/parallel communication ports @@ -55,6 +28,13 @@ ## <desc> ## <p> +## Allow virtqemu driver to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virtqemud_use_execmem, true) + +## <desc> +## <p> ## Allow confined virtual guests to read fuse files ## </p> ## </desc> @@ -96,16 +76,16 @@ gen_tunable(virt_use_samba, false) ## <desc> -## <p> -## Allow confined virtual guests to interact with the sanlock -## </p> +## <p> +## Allow confined virtual guests to interact with the sanlock +## </p> ## </desc> gen_tunable(virt_use_sanlock, false) ## <desc> -## <p> -## Allow confined virtual guests to interact with rawip sockets -## </p> +## <p> +## Allow confined virtual guests to interact with rawip sockets +## </p> ## </desc> gen_tunable(virt_use_rawip, false) 
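Review bot: the new boolean virtqemud_use_execmem defaults to true, which grants executable memory and stack to the qemu driver daemon on every installation, while the neighbouring booleans in this hunk (virt_use_samba, virt_use_sanlock, virt_use_rawip) all default to false; either default it to false and let users opt in, or state in the <desc> why the driver itself, rather than the guest domains, needs execmem. No tunable_policy block that uses virtqemud_use_execmem appears in the virt.te hunks of this revision, so please point at where it is consumed. Moving the gen_require and attribute declarations below the tunables is a pure relocation with no policy effect.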
@@ -172,45 +152,40 @@ ## <desc> ## <p> -## Allow qemu-ga to read qemu-ga date. -## </p> -## </desc> -gen_tunable(virt_read_qemu_ga_data, false) - -## <desc> -## <p> -## Allow qemu-ga to manage qemu-ga date. -## </p> -## </desc> -gen_tunable(virt_rw_qemu_ga_data, false) - -## <desc> -## <p> ## Allow virtlockd read and lock block devices. ## </p> ## </desc> gen_tunable(virt_lockd_blk_devs, false) -## <desc> -## <p> -## Allow qemu-ga read all non-security file types. -## </p> -## </desc> -gen_tunable(virt_qemu_ga_read_nonsecurity_files, false) +gen_require(` + class passwd rootok; + class passwd passwd; +') -## <desc> -## <p> -## Allow qemu-ga read ssh home directory content. -## </p> -## </desc> -gen_tunable(virt_qemu_ga_manage_ssh, false) +attribute virsh_transition_domain; +attribute virt_ptynode; +attribute virt_system_domain; +attribute virt_domain; +attribute virt_driver_domain; +attribute virt_driver_executable; +attribute virt_driver_var_run; +attribute virt_image_type; +attribute virt_tmpfs_type; +attribute svirt_file_type; +attribute virt_file_type; +attribute sandbox_net_domain; +attribute sandbox_caps_domain; -## <desc> -## <p> -## Allow qemu-ga to run unconfined scripts -## </p> -## </desc> -gen_tunable(virt_qemu_ga_run_unconfined, false) +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) + +type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; +files_tmpfs_file(svirt_tmpfs_t) + +type svirt_image_t, virt_image_type, svirt_file_type; +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) virt_domain_template(svirt) role system_r types svirt_t; @@ -219,8 +194,6 @@ virt_domain_template(svirt_tcg) role system_r types svirt_tcg_t; -type qemu_exec_t, virt_file_type; - type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) 
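Review bot: this hunk drops five booleans (virt_read_qemu_ga_data, virt_rw_qemu_ga_data, virt_qemu_ga_read_nonsecurity_files, virt_qemu_ga_manage_ssh, virt_qemu_ga_run_unconfined) and the later hunk removes the virt_qemu_ga_* types; that is a compatibility break for any local module that requires virt_qemu_ga_t or any stored boolean setting for these names, and it is not explained anywhere in the diff. If qemu-ga policy moved to a separate module, add typealias or deprecated shims, or at least document the removal in the package changelog so upgrades do not fail silently.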
@@ -299,6 +272,8 @@ type virtlogd_initrc_exec_t, virt_file_type; init_script_file(virtlogd_initrc_exec_t) +type qemu_exec_t, virt_file_type; +application_executable_file(qemu_exec_t) type qemu_var_run_t, virt_file_type; typealias qemu_var_run_t alias svirt_var_run_t; 
@@ -315,34 +290,142 @@ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') -type virt_bridgehelper_t, virt_system_domain; -domain_type(virt_bridgehelper_t) +# virtinterfaced +type virtinterfaced_t, virt_driver_domain; +type virtinterfaced_exec_t, virt_driver_executable; +init_daemon_domain(virtinterfaced_t, virtinterfaced_exec_t) + +virt_driver_template(virtinterfaced_t) +files_type(virtinterfaced_t) + +type virtinterfaced_var_run_t, virt_driver_var_run; +files_pid_file(virtinterfaced_var_run_t) + +# virtnetworkd +type virtnetworkd_t, virt_driver_domain; +type virtnetworkd_exec_t, virt_driver_executable; +init_daemon_domain(virtnetworkd_t, virtnetworkd_exec_t) + +virt_driver_template(virtnetworkd_t) +files_type(virtnetworkd_t) + +type virtnetworkd_var_run_t, virt_driver_var_run; +files_pid_file(virtnetworkd_var_run_t) + +# virtnodedevd +type virtnodedevd_t, virt_driver_domain; +type virtnodedevd_exec_t, virt_driver_executable; +init_daemon_domain(virtnodedevd_t, virtnodedevd_exec_t) + +virt_driver_template(virtnodedevd_t) +files_type(virtnodedevd_t) + +type virtnodedevd_var_run_t, virt_driver_var_run; +files_pid_file(virtnodedevd_var_run_t) + +# virtnwfilterd +type virtnwfilterd_t, virt_driver_domain; +type virtnwfilterd_exec_t, virt_driver_executable; +init_daemon_domain(virtnwfilterd_t, virtnwfilterd_exec_t) + +virt_driver_template(virtnwfilterd_t) +files_type(virtnwfilterd_t) + +type virtnwfilterd_var_run_t, virt_driver_var_run; +files_pid_file(virtnwfilterd_var_run_t) + +# virtproxyd +type virtproxyd_t, virt_driver_domain; +type virtproxyd_exec_t, virt_driver_executable; +init_daemon_domain(virtproxyd_t, virtproxyd_exec_t) + +virt_driver_template(virtproxyd_t) +files_type(virtproxyd_t) + +type virtproxyd_var_run_t, virt_driver_var_run; +files_pid_file(virtproxyd_var_run_t) + +# virtqemud +type virtqemud_t, virt_driver_domain; +type virtqemud_exec_t, virt_driver_executable; +init_daemon_domain(virtqemud_t, virtqemud_exec_t) + 
+virt_driver_template(virtqemud_t) +files_type(virtqemud_t) +domain_obj_id_change_exemption(virtqemud_t) + +type virtqemud_lock_t; +files_lock_file(virtqemud_lock_t) + +type virtqemud_tmp_t; +files_tmp_file(virtqemud_tmp_t) + +type virtqemud_var_run_t, virt_driver_var_run; +files_pid_file(virtqemud_var_run_t) + +permissive virtqemud_t; +# virtsecretd +type virtsecretd_t, virt_driver_domain; +type virtsecretd_exec_t, virt_driver_executable; +init_daemon_domain(virtsecretd_t, virtsecretd_exec_t) + +virt_driver_template(virtsecretd_t) +files_type(virtsecretd_t) + +type virtsecretd_var_run_t, virt_driver_var_run; +files_pid_file(virtsecretd_var_run_t) + +permissive virtsecretd_t; +# virtstoraged +type virtstoraged_t, virt_driver_domain; +type virtstoraged_exec_t, virt_driver_executable; +init_daemon_domain(virtstoraged_t, virtstoraged_exec_t) + +virt_driver_template(virtstoraged_t) +files_type(virtstoraged_t) + +type virtstoraged_tmp_t; +files_tmp_file(virtstoraged_tmp_t) + +type virtstoraged_var_run_t, virt_driver_var_run; +files_pid_file(virtstoraged_var_run_t) + +permissive virtstoraged_t; + +# virtvboxd +type virtvboxd_t, virt_driver_domain; +type virtvboxd_exec_t, virt_driver_executable; +init_daemon_domain(virtvboxd_t, virtvboxd_exec_t) + +virt_driver_template(virtvboxd_t) +files_type(virtvboxd_t) -type virt_bridgehelper_exec_t, virt_file_type; -domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) -role system_r types virt_bridgehelper_t; +type virtvboxd_var_run_t, virt_driver_var_run; +files_pid_file(virtvboxd_var_run_t) -# policy for qemu_ga -type virt_qemu_ga_t, virt_system_domain; -type virt_qemu_ga_exec_t, virt_file_type; -init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) +permissive virtvboxd_t; -type virt_qemu_ga_var_run_t, virt_file_type; -files_pid_file(virt_qemu_ga_var_run_t) +# virtvzd - unconfined +type virtvzd_t, virt_driver_domain; +type virtvzd_exec_t, virt_driver_executable; +init_daemon_domain(virtvzd_t, virtvzd_exec_t) -type 
virt_qemu_ga_log_t, virt_file_type; -logging_log_file(virt_qemu_ga_log_t) +virt_driver_template(virtvzd_t) +files_type(virtvzd_t) -type virt_qemu_ga_tmp_t, virt_file_type; -files_tmp_file(virt_qemu_ga_tmp_t) +type virtvzd_var_run_t, virt_driver_var_run; +files_pid_file(virtvzd_var_run_t) -type virt_qemu_ga_data_t, virt_file_type; -files_type(virt_qemu_ga_data_t) +# virtxend - unconfined +type virtxend_t, virt_driver_domain; +type virtxend_exec_t, virt_driver_executable; +init_daemon_domain(virtxend_t, virtxend_exec_t) -type virt_qemu_ga_unconfined_exec_t, virt_file_type; -application_executable_file(virt_qemu_ga_unconfined_exec_t) +virt_driver_template(virtxend_t) +files_type(virtxend_t) -type virt_qemu_ga_unconfined_t; +type virtxend_var_run_t, virt_driver_var_run; +files_pid_file(virtxend_var_run_t) ######################################## # @@ -377,8 +460,13 @@ # it was a part of auth_use_nsswitch allow svirt_t self:netlink_route_socket r_netlink_socket_perms; +allow svirt_t virtlogd_t:fifo_file write; allow svirt_t virtlogd_t:unix_stream_socket connectto; +allow svirt_t virtqemud_var_run_t:file write; + +read_files_pattern(svirt_t, virtqemud_t, virtqemud_t) + kernel_request_load_module(svirt_t) corenet_udp_sendrecv_generic_if(svirt_t) @@ -389,6 +477,8 @@ corenet_tcp_bind_all_ports(svirt_t) corenet_tcp_connect_all_ports(svirt_t) +dev_rw_dma_dev(svirt_t) + init_dontaudit_read_state(svirt_t) virt_dontaudit_read_state(svirt_t) 
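Review bot: four of the new driver domains ship `permissive` (virtqemud_t, virtsecretd_t, virtstoraged_t, virtvboxd_t), so denials against the daemon that holds guest secrets and the storage pool driver are only logged, not enforced; a permissive domain in a released policy should carry a comment with the tracking issue and the plan to enforce it. The comments on virtvzd and virtxend say "unconfined", yet both only get virt_driver_template and no unconfined rule appears in the hunk, so either the comment is stale or the rule is missing. files_type() is applied to each process domain type (for example `files_type(virtinterfaced_t)`), which marks the domain itself as a file type; if the intent was the _var_run_t types, those already get files_pid_file(), so please confirm this is deliberate. In the svirt hunk, `allow svirt_t virtqemud_var_run_t:file write;` and `read_files_pattern(svirt_t, virtqemud_t, virtqemud_t)` give the confined guest domain write access to the driver's runtime files and read access to the driver's process state; add a comment in the style of the existing virtlogd rules saying which guest feature needs them, and consider a dedicated type for the file the guest must write rather than all of virtqemud_var_run_t.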
@@ -423,9 +513,9 @@ # # fsetid - for chmod'ing its runtime files -allow virtd_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice sys_ptrace }; #allow virtd_t self:capability2 compromise_kernel; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setsched setsockcreate sigkill signal signull }; ifdef(`hide_broken_symptoms',` # caused by some bogus kernel code dontaudit virtd_t self:capability { sys_module }; @@ -451,16 +541,13 @@ allow virtd_t virtd_keytab_t:file read_file_perms; -allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; -allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow virtd_t virt_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched sigkill signal signull transition }; allow virt_domain virtd_t:fd use; -allow virt_domain virtd_t:unix_stream_socket { read write getopt getattr accept }; +allow virt_domain virtd_t:unix_stream_socket { accept getattr getopt read write }; allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; allow virt_domain virtd_t:tun_socket attach_queue; -can_exec(virtd_t, qemu_exec_t) -can_exec(virt_domain, qemu_exec_t) - allow virtd_t qemu_var_run_t:file relabel_file_perms; manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) 
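Review bot: `can_exec(virtd_t, qemu_exec_t)` and `can_exec(virt_domain, qemu_exec_t)` are removed in the last hunk while qemu_exec_t becomes an application_executable_file; the guest side is covered by the `qemu_entry_type($1_t)` added to virt_domain_template, but nothing in this revision visibly lets virtd_t or virtqemud_t execute qemu_exec_t, so guest start would fail with an execute denial unless the qemu module's interfaces are called for both daemons. Please point at the replacing rule. The capability and process permission reorderings in the first hunk are alphabetisation only.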
@@ -483,11 +570,11 @@ manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) -allow virtd_t virt_image_type:dir { setattr rmdir }; +allow virtd_t virt_image_type:dir { rmdir setattr }; allow virtd_t virt_image_type:file relabel_file_perms; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms; +allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto }; allow virtd_t virt_ptynode:chr_file rw_term_perms; manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) @@ -527,6 +614,10 @@ allow virtlogd_t virt_common_var_run_t:file append_file_perms; manage_files_pattern(virtlogd_t, virt_common_var_run_t, virt_common_var_run_t) +manage_dirs_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_sock_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) + manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") @@ -545,6 +636,7 @@ kernel_search_debugfs(virtd_t) kernel_dontaudit_setsched(virtd_t) kernel_write_proc_files(virtd_t) +kernel_io_uring_use(virtd_t) corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) @@ -670,7 +762,7 @@ tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) fs_manage_nfs_files(virtd_t) - fs_mmap_nfs_files(virtd_t) + fs_mmap_nfs_files(virtd_t) fs_read_nfs_symlinks(virtd_t) ') 
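Review bot: `kernel_io_uring_use(virtd_t)` is added without a comment; io_uring is a new and wide access class, so note why libvirtd needs it, in the same way the virt_domain hunk further down documents its userfaultfd grant. The replacement of `relabel_file_perms` with `{ getattr relabelfrom relabelto }` on virt_image_type:unix_stream_socket is the right fix, since the file permission set is not valid for the socket class.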
@@ -714,7 +806,7 @@ dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) - dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t) dnsmasq_manage_pid_files(virtd_t) ') @@ -732,8 +824,18 @@ ') optional_policy(` - kerberos_read_keytab(virtd_t) - kerberos_use(virtd_t) + kerberos_read_keytab(virtd_t) + kerberos_use(virtd_t) +') + +optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + + xen_exec(virtd_t) + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) + xen_read_image_files(virtd_t) ') optional_policy(` @@ -747,8 +849,8 @@ ') optional_policy(` - numad_domtrans(virtd_t) - numad_dbus_chat(virtd_t) + numad_domtrans(virtd_t) + numad_dbus_chat(virtd_t) ') optional_policy(` @@ -779,16 +881,6 @@ ') optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) - - xen_exec(virtd_t) - xen_stream_connect(virtd_t) - xen_stream_connect_xenstore(virtd_t) - xen_read_image_files(virtd_t) -') - -optional_policy(` udev_domtrans(virtd_t) udev_read_db(virtd_t) udev_read_pid_files(virtd_t) @@ -802,17 +894,17 @@ # # virtlogd local policy # +allow virtlogd_t virt_image_t:dir search_dir_perms; # virtlogd is allowed to manage files it creates in /var/run/libvirt manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) dontaudit virtlogd_t self:process execmem; - # virtlogd needs to read /etc/libvirt/virtlogd.conf only allow virtlogd_t virtlogd_etc_t:file read_file_perms; files_search_etc(virtlogd_t) allow virtlogd_t virt_etc_t:file read_file_perms; -allow virtlogd_t virt_etc_t:lnk_file read_file_perms; +allow virtlogd_t virt_etc_t:lnk_file { ioctl lock read_lnk_file_perms }; allow virtlogd_t virt_etc_t:dir search; manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) 
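Review bot: the new set `allow virtlogd_t virt_etc_t:lnk_file { ioctl lock read_lnk_file_perms };` still carries ioctl and lock, which following a symlink never needs; plain read_lnk_file_perms is what the rest of the file uses (the next hunk has `allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;`). The added `allow virtlogd_t virt_image_t:dir search_dir_perms;` at the top of the virtlogd section duplicates the existing `allow virtlogd_t virt_image_type:dir search_dir_perms;` if virt_image_t carries the virt_image_type attribute; drop one of them. Dropping the stray semicolon after dnsmasq_filetrans_named_content_fromdir is correct, and the xen block is a pure move.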
@@ -821,7 +913,6 @@ filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir) allow virtlogd_t virt_image_type:dir search_dir_perms; - # virtlogd creates /var/run/libvirt/virtlogd-sock with isolated # context from other stuff in /var/run/libvirt filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) @@ -844,6 +935,8 @@ kernel_read_network_state(virtlogd_t) +mls_fd_share_all_levels(virtlogd_t) + allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; # Allow virtlogd_t to execute itself. @@ -865,6 +958,8 @@ allow virtlogd_t virtd_t:file read_file_perms; allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; +read_files_pattern(virtlogd_t, virtqemud_t, virtqemud_t) + virt_manage_lib_files(virtlogd_t) tunable_policy(`virt_lockd_blk_devs',` @@ -876,12 +971,12 @@ ') optional_policy(` - dbus_system_bus_client(virtlogd_t) + dbus_system_bus_client(virtlogd_t) ') optional_policy(` - systemd_write_inhibit_pipes(virtlogd_t) - systemd_dbus_chat_logind(virtlogd_t) + systemd_write_inhibit_pipes(virtlogd_t) + systemd_dbus_chat_logind(virtlogd_t) ') optional_policy(` @@ -893,7 +988,7 @@ # virtual domains common policy # #allow virt_domain self:capability2 compromise_kernel; -allow virt_domain self:process { setrlimit signal_perms getsched setsched }; +allow virt_domain self:process { getsched setrlimit setsched signal_perms }; allow virt_domain self:fifo_file rw_fifo_file_perms; allow virt_domain self:shm create_shm_perms; allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms }; @@ -912,6 +1007,10 @@ kernel_read_net_sysctls(virt_domain) kernel_read_network_state(virt_domain) kernel_ib_access_unlabeled_pkeys(virt_domain) +kernel_io_uring_use(virt_domain) +# qemu uses userfaultfd to implement live post-copy migration +# https://wiki.qemu.org/Features/PostCopyLiveMigration +kernel_userfaultfd_use(virt_domain) userdom_search_user_home_content(virt_domain) userdom_read_user_home_content_symlinks(virt_domain) 
@@ -962,7 +1061,7 @@ files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) -dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; +dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh}; dontaudit virt_domain virt_tmpfs_type:file { read write }; 
@@ -1030,20 +1129,87 @@ term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_files(virt_domain) +') + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) +') + tunable_policy(`virt_use_execmem',` allow virt_domain self:process { execmem execstack }; ') +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) + fs_mmap_nfs_files(virt_domain) +') + +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) + fs_manage_cifs_named_sockets(virt_domain) + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) + fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) + udev_read_db(virt_domain) +') + optional_policy(` - alsa_read_rw_config(virt_domain) + tunable_policy(`virt_use_glusterd',` + glusterd_manage_pid(virt_domain) + ') ') optional_policy(` - gnome_dontaudit_manage_cache_home_dir(virt_domain) + tunable_policy(`virt_use_pcscd',` + pcscd_stream_connect(virt_domain) + ') ') optional_policy(` - nscd_dontaudit_write_sock_file(virt_domain) + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + sanlock_read_state(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') +') + +optional_policy(` + alsa_read_rw_config(virt_domain) 
+') + +optional_policy(` + gnome_dontaudit_manage_cache_home_dir(virt_domain) ') optional_policy(` @@ -1051,7 +1217,11 @@ ') optional_policy(` - openvswitch_stream_connect(svirt_t) + nscd_dontaudit_write_sock_file(virt_domain) +') + +optional_policy(` + openvswitch_stream_connect(svirt_t) ') optional_policy(` @@ -1082,6 +1252,10 @@ ') optional_policy(` + qemu_exec(virt_domain) +') + +optional_policy(` sssd_dontaudit_stream_connect(virt_domain) sssd_dontaudit_read_lib(virt_domain) ') @@ -1091,6 +1265,10 @@ ') optional_policy(` + unconfined_dontaudit_read_state(virt_domain) +') + +optional_policy(` virt_read_config(virt_domain) virt_read_lib_files(virt_domain) virt_read_content(virt_domain) 
@@ -1100,84 +1278,9 @@ ') optional_policy(` - unconfined_dontaudit_read_state(virt_domain) -') - -optional_policy(` xserver_rw_shm(virt_domain) ') -tunable_policy(`virt_use_comm',` - term_use_unallocated_ttys(virt_domain) - dev_rw_printer(virt_domain) -') - -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virt_domain) - fs_manage_fusefs_files(virt_domain) - fs_read_fusefs_symlinks(virt_domain) - fs_getattr_fusefs(virt_domain) -') - -tunable_policy(`use_ecryptfs_home_dirs',` - fs_manage_ecryptfs_files(virt_domain) -') - -optional_policy(` - tunable_policy(`virt_use_glusterd',` - glusterd_manage_pid(virt_domain) - ') -') - -tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs(virt_domain) - fs_manage_nfs_files(virt_domain) - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) - fs_getattr_nfs(virt_domain) - fs_mmap_nfs_files(virt_domain) -') - -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(virt_domain) - fs_manage_cifs_files(virt_domain) - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) - fs_getattr_cifs(virt_domain) -') - -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) - dev_read_sysfs(virt_domain) - fs_getattr_dos_fs(virt_domain) - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) - udev_read_db(virt_domain) -') - -optional_policy(` - tunable_policy(`virt_use_pcscd',` - pcscd_stream_connect(virt_domain) - ') -') - -optional_policy(` - tunable_policy(`virt_use_sanlock',` - sanlock_stream_connect(virt_domain) - sanlock_read_state(virt_domain) - ') -') - -tunable_policy(`virt_use_rawip',` - allow virt_domain self:rawip_socket create_socket_perms; -') - -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_stream_connect(virt_domain) - ') -') - ######################################## # # xm local policy 
@@ -1188,10 +1291,10 @@ typealias virsh_t alias xm_t; typealias virsh_exec_t alias xm_exec_t; -allow virsh_t self:capability { setpcap dac_read_search ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; -allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:capability { dac_read_search ipc_lock setpcap sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap setexec setsched signal }; allow virsh_t self:fifo_file rw_fifo_file_perms; -allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow virsh_t self:tcp_socket create_stream_socket_perms; ps_process_pattern(virsh_t, svirt_sandbox_domain) @@ -1295,26 +1398,15 @@ ') optional_policy(` - rhcs_domtrans_fenced(virsh_t) -') - -optional_policy(` - rpm_exec(virsh_t) + dbus_system_bus_client(virsh_t) ') optional_policy(` - xen_manage_image_dirs(virsh_t) - xen_read_image_files(virsh_t) - xen_read_lib_files(virsh_t) - xen_append_log(virsh_t) - xen_domtrans(virsh_t) - xen_read_pid_files_xenstored(virsh_t) - xen_stream_connect(virsh_t) - xen_stream_connect_xenstore(virsh_t) + rhcs_domtrans_fenced(virsh_t) ') optional_policy(` - dbus_system_bus_client(virsh_t) + rpm_exec(virsh_t) ') optional_policy(` 
@@ -1338,16 +1430,27 @@ userdom_search_admin_dir(virsh_ssh_t) ') +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) + xen_read_lib_files(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) + xen_read_pid_files_xenstored(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') + ######################################## # # virt_lxc local policy # -allow virtd_lxc_t self:bpf { map_read map_write prog_load map_create prog_run }; -allow virtd_lxc_t self:capability { dac_read_search net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; -allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms }; +allow virtd_lxc_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow virtd_lxc_t self:capability { chown dac_read_search net_admin net_raw setgid setpcap setuid sys_admin sys_boot sys_nice sys_resource }; +allow virtd_lxc_t self:process { setpgid setsockcreate signal_perms transition }; #allow virtd_lxc_t self:capability2 compromise_kernel; -allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; +allow virtd_lxc_t self:process { getcap setcap setexec setrlimit setsched signal_perms }; allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; 
@@ -1377,8 +1480,8 @@ manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t) manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t) manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t) -allow virtd_lxc_t container_file_t:dir_file_class_set { relabelto relabelfrom }; -allow virtd_lxc_t container_file_t:filesystem { relabelto relabelfrom }; +allow virtd_lxc_t container_file_t:dir_file_class_set { relabelfrom relabelto }; +allow virtd_lxc_t container_file_t:filesystem { relabelfrom relabelto }; files_associate_rootfs(container_file_t) seutil_read_file_contexts(virtd_lxc_t) @@ -1459,7 +1562,7 @@ ') optional_policy(` - container_exec_lib(virtd_lxc_t) + container_exec_lib(virtd_lxc_t) ') optional_policy(` 
@@ -1481,14 +1584,14 @@ allow svirt_sandbox_domain self:key manage_key_perms; dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; -allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; -allow svirt_sandbox_domain self:fifo_file manage_file_perms; +allow svirt_sandbox_domain self:process { getattr getcap getpgid getsched setcap setpgid setrlimit setsched signal_perms }; +allow svirt_sandbox_domain self:fifo_file manage_fifo_file_perms; allow svirt_sandbox_domain self:msg all_msg_perms; allow svirt_sandbox_domain self:sem create_sem_perms; allow svirt_sandbox_domain self:shm create_shm_perms; allow svirt_sandbox_domain self:msgq create_msgq_perms; -allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto }; -allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow svirt_sandbox_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow svirt_sandbox_domain self:unix_dgram_socket { create_socket_perms sendto }; allow svirt_sandbox_domain self:passwd rootok; allow svirt_sandbox_domain self:filesystem associate; allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -1502,9 +1605,9 @@ allow svirt_sandbox_domain self:process ptrace; ') -allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; -allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; -allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; +allow virtd_t svirt_sandbox_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_t svirt_sandbox_domain:process { getattr signal_perms }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setrlimit setsched signal_perms transition }; allow svirt_sandbox_domain virtd_lxc_t:process sigchld; allow svirt_sandbox_domain virtd_lxc_t:fd use; @@ -1571,7 +1674,6 @@ fs_search_tmpfs(svirt_sandbox_domain) fs_rw_hugetlbfs_files(svirt_sandbox_domain) - auth_dontaudit_read_passwd(svirt_sandbox_domain) auth_dontaudit_read_login_records(svirt_sandbox_domain) auth_dontaudit_write_login_records(svirt_sandbox_domain) @@ -1591,29 +1693,6 @@ userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -optional_policy(` -tunable_policy(`virt_sandbox_share_apache_content',` - apache_exec_modules(svirt_sandbox_domain) - apache_read_sys_content(svirt_sandbox_domain) - ') -') - -optional_policy(` - mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) -') - -optional_policy(` - ssh_use_ptys(svirt_sandbox_domain) -') - -optional_policy(` - udev_read_pid_files(svirt_sandbox_domain) -') - -optional_policy(` - userhelper_dontaudit_write_config(svirt_sandbox_domain) -') - tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_sandbox_domain) fs_manage_nfs_files(svirt_sandbox_domain) 
@@ -1634,22 +1713,45 @@ ') tunable_policy(`virt_sandbox_use_fusefs',` - fs_manage_fusefs_dirs(svirt_sandbox_domain) - fs_manage_fusefs_files(svirt_sandbox_domain) - fs_manage_fusefs_symlinks(svirt_sandbox_domain) - fs_mount_fusefs(svirt_sandbox_domain) - fs_unmount_fusefs(svirt_sandbox_domain) - fs_exec_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) +') + +optional_policy(` +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') +') + +optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) + container_use_ptys(svirt_sandbox_domain) + container_spc_stream_connect(svirt_sandbox_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) +') + +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) ') optional_policy(` - container_read_share_files(svirt_sandbox_domain) - container_exec_share_files(svirt_sandbox_domain) - container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) - container_use_ptys(svirt_sandbox_domain) - container_spc_stream_connect(svirt_sandbox_domain) - fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) - dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + udev_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) ') ######################################## 
@@ -1667,9 +1769,9 @@ virt_sandbox_domain_template(svirt_qemu_net) typeattribute svirt_qemu_net_t sandbox_net_domain; -allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +allow svirt_qemu_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; dontaudit svirt_qemu_net_t self:capability2 block_suspend; -allow svirt_qemu_net_t self:process { execstack execmem }; +allow svirt_qemu_net_t self:process { execmem execstack }; tunable_policy(`virt_sandbox_use_netlink',` allow svirt_qemu_net_t self:netlink_socket create_socket_perms; 
@@ -1718,196 +1820,445 @@ logging_send_syslog_msg(svirt_qemu_net_t) +userdom_use_user_ptys(svirt_qemu_net_t) + tunable_policy(`virt_sandbox_use_audit',` logging_send_audit_msgs(svirt_qemu_net_t) ') -userdom_use_user_ptys(svirt_qemu_net_t) - -######################################## +####################################### # -# virt_bridgehelper local policy +# virtinterfaced local policy # +allow virtinterfaced_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtinterfaced_t, virt_var_lib_t, { dir file }) -allow virt_bridgehelper_t self:process { setcap getcap }; -allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; -allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -allow virt_bridgehelper_t self:tun_socket create_socket_perms; -allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(virtinterfaced_t, virtinterfaced_var_run_t, virtinterfaced_var_run_t) +manage_files_pattern(virtinterfaced_t, virtinterfaced_var_run_t, virtinterfaced_var_run_t) +manage_sock_files_pattern(virtinterfaced_t, virt_var_run_t, virtinterfaced_var_run_t) +files_pid_filetrans(virtinterfaced_t, virtinterfaced_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtinterfaced_t, virt_var_run_t, virtinterfaced_var_run_t, { file sock_file } ) -allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write }; +kernel_read_network_state(virtinterfaced_t) -manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t) +corecmd_exec_bin(virtinterfaced_t) -kernel_read_network_state(virt_bridgehelper_t) -kernel_read_system_state(virt_bridgehelper_t) +fs_getattr_all_fs(virtinterfaced_t) -dev_read_urand(virt_bridgehelper_t) -dev_read_rand(virt_bridgehelper_t) 
-dev_read_sysfs(virt_bridgehelper_t) +modutils_read_module_config(virtinterfaced_t) -corenet_rw_tun_tap_dev(virt_bridgehelper_t) +sysnet_manage_config(virtinterfaced_t) -userdom_use_inherited_user_ptys(virt_bridgehelper_t) +userdom_read_all_users_state(virtinterfaced_t) + +optional_policy(` + dnsmasq_filetrans_named_content_fromdir(virtinterfaced_t, virtinterfaced_var_run_t) +') ####################################### # -# virt_qemu_ga local policy +# virtnetworkd local policy # +allow virtnetworkd_t self:capability { kill net_admin sys_ptrace }; +allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnetworkd_t self:process setcap; +allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto }; -allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config }; +manage_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) -allow virt_qemu_ga_t self:passwd passwd; +manage_dirs_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t) -allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; -allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; -allow virt_qemu_ga_t self:vsock_socket create_socket_perms; +manage_dirs_pattern(virtnetworkd_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtnetworkd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) +manage_files_pattern(virtnetworkd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) +manage_sock_files_pattern(virtnetworkd_t, virt_var_run_t, virtnetworkd_var_run_t) +files_pid_filetrans(virtnetworkd_t, virtnetworkd_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtnetworkd_t, virt_var_run_t, virtnetworkd_var_run_t, { file sock_file } ) -allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms; -can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t) +kernel_read_network_state(virtnetworkd_t) +kernel_request_load_module(virtnetworkd_t) 
+kernel_rw_net_sysctls(virtnetworkd_t) -manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) -manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) -files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir }) +corenet_rw_tun_tap_dev(virtnetworkd_t) -manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) -manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) -files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } ) +dev_rw_sysfs(virtnetworkd_t) -manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) -manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) -logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file }) +sysnet_domtrans_ifconfig(virtnetworkd_t) +sysnet_read_config(virtnetworkd_t) -kernel_read_system_state(virt_qemu_ga_t) -kernel_read_network_state(virt_qemu_ga_t) -kernel_rw_kernel_sysctl(virt_qemu_ga_t) +optional_policy(` + dnsmasq_create_pid_dirs(virtnetworkd_t) + dnsmasq_domtrans(virtnetworkd_t) + dnsmasq_filetrans_named_content_fromdir(virtnetworkd_t, virtnetworkd_var_run_t) + dnsmasq_manage_pid_files(virtnetworkd_t) + dnsmasq_read_state(virtnetworkd_t) + dnsmasq_signal(virtnetworkd_t) + dnsmasq_signull(virtnetworkd_t) +') -corecmd_exec_shell(virt_qemu_ga_t) -corecmd_exec_bin(virt_qemu_ga_t) +optional_policy(` + iptables_domtrans(virtnetworkd_t) + iptables_read_var_run(virtnetworkd_t) +') -clock_read_adjtime(virt_qemu_ga_t) +optional_policy(` + firewalld_dbus_chat(virtnetworkd_t) +') -dev_getattr_apm_bios_dev(virt_qemu_ga_t) -dev_rw_sysfs(virt_qemu_ga_t) -dev_rw_realtime_clock(virt_qemu_ga_t) +####################################### +# +# virtnodedevd local policy +# +allow virtnodedevd_t self:capability { net_admin sys_admin }; +allow virtnodedevd_t self:netlink_generic_socket create_socket_perms; +allow virtnodedevd_t self:process { setsched }; 
-files_list_all_mountpoints(virt_qemu_ga_t) -files_write_all_mountpoints(virt_qemu_ga_t) +manage_dirs_pattern(virtnodedevd_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtnodedevd_t, virtnodedevd_var_run_t, virtnodedevd_var_run_t) +manage_files_pattern(virtnodedevd_t, virtnodedevd_var_run_t, virtnodedevd_var_run_t) +manage_sock_files_pattern(virtnodedevd_t, virt_var_run_t, virtnodedevd_var_run_t) +files_pid_filetrans(virtnodedevd_t, virtnodedevd_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtnodedevd_t, virt_var_run_t, virtnodedevd_var_run_t, { file sock_file } ) -fs_list_all(virt_qemu_ga_t) -fs_getattr_all_fs(virt_qemu_ga_t) +kernel_request_load_module(virtnodedevd_t) -term_use_virtio_console(virt_qemu_ga_t) -term_use_all_ttys(virt_qemu_ga_t) -term_use_unallocated_ttys(virt_qemu_ga_t) +corecmd_exec_bin(virtnodedevd_t) +corecmd_exec_shell(virtnodedevd_t) -auth_use_nsswitch(virt_qemu_ga_t) +dev_rw_mtrr(virtnodedevd_t) -logging_send_syslog_msg(virt_qemu_ga_t) -logging_send_audit_msgs(virt_qemu_ga_t) +files_watch_etc_dirs(virtnodedevd_t) -init_read_utmp(virt_qemu_ga_t) +miscfiles_read_hwdata(virtnodedevd_t) -modutils_exec_kmod(virt_qemu_ga_t) +optional_policy(` + dnsmasq_filetrans_named_content_fromdir(virtnodedevd_t, virtnodedevd_var_run_t) +') -sysnet_dns_name_resolve(virt_qemu_ga_t) +optional_policy(` + udev_read_pid_files(virtnodedevd_t) +') -systemd_exec_systemctl(virt_qemu_ga_t) -systemd_start_power_services(virt_qemu_ga_t) -systemd_dbus_chat_logind(virt_qemu_ga_t) +####################################### +# +# virtnwfilterd local policy +# +allow virtnwfilterd_t self:capability net_raw; +allow virtnwfilterd_t self:netlink_generic_socket create_socket_perms; +allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms; +allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt }; +allow virtnwfilterd_t self:rawip_socket 
create_socket_perms; -userdom_use_user_ptys(virt_qemu_ga_t) +manage_dirs_pattern(virtnwfilterd_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtnwfilterd_t, virtnwfilterd_var_run_t, virtnwfilterd_var_run_t) +manage_files_pattern(virtnwfilterd_t, virtnwfilterd_var_run_t, virtnwfilterd_var_run_t) +manage_sock_files_pattern(virtnwfilterd_t, virt_var_run_t, virtnwfilterd_var_run_t) +files_pid_filetrans(virtnwfilterd_t, virtnwfilterd_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtnwfilterd_t, virt_var_run_t, virtnwfilterd_var_run_t, { file sock_file } ) -usermanage_domtrans_passwd(virt_qemu_ga_t) +manage_dirs_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) +manage_files_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) -tunable_policy(`virt_qemu_ga_read_nonsecurity_files',` - files_read_non_security_files(virt_qemu_ga_t) -') +manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t) -tunable_policy(`virt_read_qemu_ga_data',` - read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) - read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) -') +kernel_read_all_proc(virtnwfilterd_t) +kernel_read_net_sysctls(virtnwfilterd_t) +kernel_request_load_module(virtnwfilterd_t) -tunable_policy(`virt_rw_qemu_ga_data',` - manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) - manage_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) - manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) -') +corecmd_exec_bin(virtnwfilterd_t) optional_policy(` - ssh_filetrans_home_content(virt_qemu_ga_t) - tunable_policy(`virt_qemu_ga_manage_ssh',` - allow virt_qemu_ga_t self:capability { chown dac_override dac_read_search fowner fsetid }; - - ssh_manage_home_files(virt_qemu_ga_t) - ') + dnsmasq_domtrans(virtnwfilterd_t) + dnsmasq_filetrans_named_content_fromdir(virtnwfilterd_t, 
virtnwfilterd_var_run_t) + dnsmasq_manage_pid_files(virtnwfilterd_t) ') -tunable_policy(`virt_qemu_ga_run_unconfined',` - domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t) -',` - can_exec(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t) +optional_policy(` + iptables_domtrans(virtnwfilterd_t) + iptables_filetrans_named_content(virtnwfilterd_t) + iptables_read_var_run(virtnwfilterd_t) ') +####################################### +# +# virtproxyd local policy +# +allow virtproxyd_t self:tcp_socket create_stream_socket_perms; +allow virtproxyd_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(virtproxyd_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtproxyd_t, virtproxyd_var_run_t, virtproxyd_var_run_t) +manage_files_pattern(virtproxyd_t, virtproxyd_var_run_t, virtproxyd_var_run_t) +manage_sock_files_pattern(virtproxyd_t, virt_var_run_t, virtproxyd_var_run_t) +files_pid_filetrans(virtproxyd_t, virtproxyd_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtproxyd_t, virt_var_run_t, virtproxyd_var_run_t, { file sock_file } ) + +corenet_tcp_bind_generic_node(virtproxyd_t) +corenet_tcp_bind_virt_port(virtproxyd_t) + +userdom_read_all_users_state(virtproxyd_t) + optional_policy(` - bootloader_domtrans(virt_qemu_ga_t) + dnsmasq_filetrans_named_content_fromdir(virtproxyd_t, virtproxyd_var_run_t) ') -optional_policy(` - clock_domtrans(virt_qemu_ga_t) +####################################### +# +# virtqemud local policy +# +allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio }; +allow virtqemud_t self:capability2 { bpf perfmon }; + +allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write }; +allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate }; +allow virtqemud_t 
self:tcp_socket create_socket_perms; +allow virtqemud_t self:tun_socket create; +allow virtqemud_t self:udp_socket { connect create getattr }; + +allow virtqemud_t svirt_t:process { getattr setsched signal signull transition }; +allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; + +allow virtqemud_t qemu_var_run_t:dir relabelfrom; + +allow virtqemud_t virt_cache_t:file { relabelfrom relabelto }; + +allow virtqemud_t virt_driver_domain:unix_stream_socket connectto; + +allow virtqemud_t virt_var_run_t:file map; + +allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +allow virtqemud_t virtlogd_t:unix_stream_socket connectto; + +manage_files_pattern(virtqemud_t, virtqemud_lock_t, virtqemud_lock_t) +files_lock_filetrans(virtqemud_t, virtqemud_lock_t, file) + +manage_dirs_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtqemud_t, virtqemud_var_run_t, virtqemud_var_run_t) +manage_files_pattern(virtqemud_t, virtqemud_var_run_t, virtqemud_var_run_t) +manage_sock_files_pattern(virtqemud_t, virt_var_run_t, virtqemud_var_run_t) +files_pid_filetrans(virtqemud_t, virtqemud_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtqemud_t, virt_var_run_t, virtqemud_var_run_t, { file sock_file } ) + +manage_dirs_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_sock_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file}) + +manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) + +manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) 
+manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +read_files_pattern(virtqemud_t, svirt_t, svirt_t) +read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t) + +manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t) + +manage_files_pattern(virtqemud_t, virt_image_t, virt_image_t) + +manage_dirs_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) + +manage_sock_files_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t) + +manage_sock_files_pattern(virtqemud_t, virtlogd_var_run_t, virtlogd_var_run_t) + +read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t) + +kernel_io_uring_use(virtqemud_t) +kernel_read_all_proc(virtqemud_t) +kernel_read_network_state_symlinks(virtqemud_t) +kernel_request_load_module(virtqemud_t) + +corecmd_exec_bin(virtqemud_t) +corecmd_exec_shell(virtqemud_t) + +corenet_rw_tun_tap_dev(virtqemud_t) +corenet_tcp_bind_generic_node(virtqemud_t) +corenet_tcp_bind_vnc_port(virtqemud_t) + +dev_delete_urand(virtqemud_t) +dev_read_cpuid(virtqemud_t) +dev_read_sysfs(virtqemud_t) +dev_read_urand(virtqemud_t) +dev_relabel_all_dev_nodes(virtqemud_t) +dev_rw_kvm(virtqemud_t) +dev_rw_lvm_control(virtqemud_t) +dev_rw_vhost(virtqemud_t) + +files_mounton_non_security(virtqemud_t) +files_read_all_symlinks(virtqemud_t) + +fs_getattr_cgroup(virtqemud_t) +fs_getattr_hugetlbfs(virtqemud_t) +fs_delete_tmpfs_files(virtqemud_t) +fs_manage_hugetlbfs_dirs(virtqemud_t) +fs_manage_cgroup_dirs(virtqemud_t) +fs_manage_cgroup_files(virtqemud_t) +fs_manage_tmpfs_chr_files(virtqemud_t) +fs_manage_tmpfs_dirs(virtqemud_t) +fs_manage_tmpfs_symlinks(virtqemud_t) +fs_mount_tmpfs(virtqemud_t) +fs_read_nsfs_files(virtqemud_t) +fs_relabel_tmpfs_chr_file(virtqemud_t) + +seutil_read_default_contexts(virtqemud_t) +seutil_read_file_contexts(virtqemud_t) + +init_stream_connect(virtqemud_t) +init_stream_connect_script(virtqemud_t) 
+ +sysnet_exec_ifconfig(virtqemud_t) +sysnet_manage_config(virtqemud_t) + +userdom_read_all_users_state(virtqemud_t) +userdom_read_user_home_content_files(virtqemud_t) +userdom_relabel_user_home_files(virtqemud_t) + +tunable_policy(`virtqemud_use_execmem',` + allow virtqemud_t self:process { execmem execstack }; ') optional_policy(` - dbus_system_bus_client(virt_qemu_ga_t) + dmidecode_domtrans(virtqemud_t) ') optional_policy(` - cron_initrc_domtrans(virt_qemu_ga_t) - cron_domtrans(virt_qemu_ga_t) + dnsmasq_filetrans_named_content_fromdir(virtqemud_t, virtqemud_var_run_t) ') optional_policy(` - devicekit_manage_pid_files(virt_qemu_ga_t) - devicekit_read_log_files(virt_qemu_ga_t) + qemu_exec(virtqemud_t) ') optional_policy(` - fstools_domtrans(virt_qemu_ga_t) + policykit_dbus_chat(virtqemud_t) ') optional_policy(` - rpm_dbus_chat(virt_qemu_ga_t) + systemd_dbus_chat_machined(virtqemud_t) + systemd_userdbd_stream_connect(virtqemud_t) ') +####################################### +# +# virtsecretd local policy +# +manage_dirs_pattern(virtsecretd_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtsecretd_t, virtsecretd_var_run_t, virtsecretd_var_run_t) +manage_files_pattern(virtsecretd_t, virtsecretd_var_run_t, virtsecretd_var_run_t) +manage_sock_files_pattern(virtsecretd_t, virt_var_run_t, virtsecretd_var_run_t) +files_pid_filetrans(virtsecretd_t, virtsecretd_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtsecretd_t, virt_var_run_t, virtsecretd_var_run_t, { file sock_file } ) + optional_policy(` - shutdown_domtrans(virt_qemu_ga_t) + dnsmasq_filetrans_named_content_fromdir(virtsecretd_t, virtsecretd_var_run_t) ') +####################################### +# +# virtstoraged local policy +# +allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock }; +allow virtstoraged_t self:process { setsched }; + +files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir }) + +manage_dirs_pattern(virtstoraged_t, virt_var_run_t, 
virt_var_run_t) +manage_dirs_pattern(virtstoraged_t, virtstoraged_var_run_t, virtstoraged_var_run_t) +manage_files_pattern(virtstoraged_t, virtstoraged_var_run_t, virtstoraged_var_run_t) +manage_sock_files_pattern(virtstoraged_t, virt_var_run_t, virtstoraged_var_run_t) +files_pid_filetrans(virtstoraged_t, virtstoraged_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtstoraged_t, virt_var_run_t, virtstoraged_var_run_t, { file sock_file } ) + +manage_dirs_pattern(virtstoraged_t, virt_content_t, virt_content_t) + +manage_dirs_pattern(virtstoraged_t, virt_image_t, virt_image_t) +manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t) + +manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t) + +manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) + +manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t) + +corecmd_exec_bin(virtstoraged_t) + +fs_getattr_all_fs(virtstoraged_t) + +userdom_read_user_home_content_files(virtstoraged_t) + optional_policy(` - udev_read_pid_files(virt_qemu_ga_t) + dnsmasq_filetrans_named_content_fromdir(virtstoraged_t, virtstoraged_var_run_t) ') ####################################### # -# qemu-ga unconfined hook script local policy +# virtvboxd local policy # +allow virtvboxd_t self:netlink_audit_socket create; +allow virtvboxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtvboxd_t self:netlink_route_socket create_socket_perms; +allow virtvboxd_t self:unix_dgram_socket create; +allow virtvboxd_t virt_etc_t:dir search; + +manage_dirs_pattern(virtvboxd_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtvboxd_t, virtvboxd_var_run_t, virtvboxd_var_run_t) +manage_files_pattern(virtvboxd_t, virtvboxd_var_run_t, virtvboxd_var_run_t) +manage_sock_files_pattern(virtvboxd_t, virt_var_run_t, virtvboxd_var_run_t) +files_pid_filetrans(virtvboxd_t, virtvboxd_var_run_t, { dir file sock_file } ) 
+filetrans_pattern(virtvboxd_t, virt_var_run_t, virtvboxd_var_run_t, { file sock_file } ) optional_policy(` - domain_type(virt_qemu_ga_unconfined_t) + dnsmasq_filetrans_named_content_fromdir(virtvboxd_t, virtvboxd_var_run_t) +') - domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t) - role system_r types virt_qemu_ga_unconfined_t; +####################################### +# +# virtvzd local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. +# +manage_dirs_pattern(virtvzd_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtvzd_t, virtvzd_var_run_t, virtvzd_var_run_t) +manage_files_pattern(virtvzd_t, virtvzd_var_run_t, virtvzd_var_run_t) +manage_sock_files_pattern(virtvzd_t, virt_var_run_t, virtvzd_var_run_t) +files_pid_filetrans(virtvzd_t, virtvzd_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtvzd_t, virt_var_run_t, virtvzd_var_run_t, { file sock_file } ) - allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms; - allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms; - allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl; +optional_policy(` + unconfined_domain(virtvzd_t) +') - init_domtrans_script(virt_qemu_ga_unconfined_t) +####################################### +# +# virtxend local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. 
+# +manage_dirs_pattern(virtxend_t, virt_var_run_t, virt_var_run_t) +manage_dirs_pattern(virtxend_t, virtxend_var_run_t, virtxend_var_run_t) +manage_files_pattern(virtxend_t, virtxend_var_run_t, virtxend_var_run_t) +manage_sock_files_pattern(virtxend_t, virt_var_run_t, virtxend_var_run_t) +files_pid_filetrans(virtxend_t, virtxend_var_run_t, { dir file sock_file } ) +filetrans_pattern(virtxend_t, virt_var_run_t, virtxend_var_run_t, { file sock_file } ) - optional_policy(` - unconfined_domain(virt_qemu_ga_unconfined_t) - ') +optional_policy(` + unconfined_domain(virtxend_t) ') ####################################### @@ -1933,7 +2284,7 @@ virt_sandbox_domain_template(svirt_kvm_net) typeattribute svirt_kvm_net_t sandbox_net_domain; -allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; dontaudit svirt_kvm_net_t self:capability2 block_suspend; tunable_policy(`virt_sandbox_use_netlink',` @@ -1985,8 +2336,8 @@ kernel_read_network_state(sandbox_net_domain) -allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service }; -allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service }; +allow sandbox_net_domain self:capability { net_admin net_bind_service net_raw }; +allow sandbox_net_domain self:cap_userns { net_admin net_bind_service net_raw }; allow sandbox_net_domain self:udp_socket create_socket_perms; allow sandbox_net_domain self:tcp_socket create_stream_socket_perms; 
@@ -2013,8 +2364,8 @@ systemd_dbus_chat_logind(sandbox_net_domain) ') -allow sandbox_caps_domain self:capability { chown dac_read_search fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; -allow sandbox_caps_domain self:cap_userns { chown dac_read_search fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; +allow sandbox_caps_domain self:capability { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; +allow sandbox_caps_domain self:cap_userns { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
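Review bot: In the virtvzd and virtxend sections, `unconfined_domain(virtvzd_t)` and `unconfined_domain(virtxend_t)` remove all confinement from those two driver daemons, and the only justification is the "until the policy for this driver is made" comment; please add a tracking bug reference to that comment so the placeholder is not forgotten, since an unconfined daemon gets no denials to build the real policy from. In the virtvboxd section, `allow virtvboxd_t self:netlink_audit_socket create;` grants `create` only while the other socket classes on the neighbouring lines get `create_socket_perms`; if the daemon only opens the socket that is fine, otherwise expect follow-up read/write denials. The direct `allow virtvboxd_t virt_etc_t:dir search;` would be cleaner through a virt_ search interface, consistent with the rest of the block.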
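Review bot: The `allow svirt_kvm_net_t self:capability { ... }` rewrite in the @@ -1933 hunk only re-sorts the set alphabetically; comparing the removed and added lines, both contain the same 15 capabilities, so there is no privilege change, and the same holds for the sandbox_net_domain (3) and sandbox_caps_domain (13) lines in the two hunks that follow. Cosmetic re-sorts are easier to audit when kept in a separate commit from the functional driver-policy changes above.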
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt_supplementary.fc
Added
@@ -0,0 +1,75 @@ +HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/xen/^/* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/xen/^/* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) + +/usr/bin/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/qemu-storage-daemon -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0) + +/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0) + +/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) + +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) + +/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0) + +# support for AEOLUS project +/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) +/var/cache/oz(/.*)? 
gen_context(system_u:object_r:virt_cache_t,s0) +/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/rkt/cas(/.*)? gen_context(system_u:object_r:container_file_t,s0) + +# add support vios-proxy-* +/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0) + +#support for vdsm +/usr/libexec/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/libexec/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/libexec/vdsm/supervdsmd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/libexec/vdsm/vdsmd -- gen_context(system_u:object_r:virtd_exec_t,s0) +# these paths are now obsolete +/usr/share/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/share/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/share/vdsm/supervdsmServer -- gen_context(system_u:object_r:virtd_exec_t,s0) +/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + +# support for nova-stack +/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + +# support for QEMU-GA +/etc/qemu-ga/fsfreeze-hook\.d(/.*)? 
gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) +/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) +/usr/libexec/qemu-ga/fsfreeze-hook\.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +/var/run/qemu-ga/fsfreeze-hook\.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
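Review bot: The two `/etc/xen/^/*` patterns near the top of the new file are malformed as displayed: a `^` anchor in the middle of a file-context regex can never match, so neither the `--` nor the `-d` line would label anything. The intended pattern is almost certainly `/etc/xen/[^/]*` (a single path component, matching the `/etc/xen/.*/.*` line that follows); if the square brackets were only lost in this web rendering, confirm in the checked-out tree, otherwise fix the file. Also `/var/log/log(/.*)?` labelled `virt_log_t` looks like a typo for a vdsm log path; a short comment would help if it is intentional.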
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt_supplementary.if
Added
@@ -0,0 +1,53 @@ +## <summary>Policy for virtualization</summary> +##################################### +## <summary> +## Transition to virt_bridgehelper. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +interface(`virt_domtrans_bridgehelper',` + gen_require(` + type virt_bridgehelper_t, virt_bridgehelper_exec_t; + ') + + domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) +') + +######################################## +## <summary> +## Execute a qemu_exec_t in the callers domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_exec_qemu',` + gen_require(` + type qemu_exec_t; + ') + + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Role access for virt_bridgehelper +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +# +interface(`virt_bridgehelper_role',` + gen_require(` + type virt_bridgehelper_t; + ') + + role $1 types virt_bridgehelper_t; +')
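Review bot: The doc comment on `virt_exec_qemu` reads "Execute a qemu_exec_t in the callers domain"; it should be "Execute qemu_exec_t files in the caller's domain", and the file-level summary "Policy for virtualization" duplicates the main virt module's wording, so "Supplementary virtualization policy" would tell readers why this module exists. Style: the first block, `virt_domtrans_bridgehelper`, uses a shorter `#####` separator and lacks the `#` line before `interface(` that the two following blocks have; align them.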
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt_supplementary.te
Added
@@ -0,0 +1,320 @@ +policy_module(virt_supplementary, 1.5.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow qemu-ga to read qemu-ga date. +## </p> +## </desc> +gen_tunable(virt_read_qemu_ga_data, false) + +## <desc> +## <p> +## Allow qemu-ga to manage qemu-ga date. +## </p> +## </desc> +gen_tunable(virt_rw_qemu_ga_data, false) + +## <desc> +## <p> +## Allow qemu-ga read all non-security file types. +## </p> +## </desc> +gen_tunable(virt_qemu_ga_read_nonsecurity_files, false) + +## <desc> +## <p> +## Allow qemu-ga read ssh home directory content. +## </p> +## </desc> +gen_tunable(virt_qemu_ga_manage_ssh, false) + +## <desc> +## <p> +## Allow qemu-ga to run unconfined scripts +## </p> +## </desc> +gen_tunable(virt_qemu_ga_run_unconfined, false) + +gen_require(` + class passwd passwd; +') + +type virt_qmf_t; +type virt_qmf_exec_t; +init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) + +type virt_bridgehelper_t; +domain_type(virt_bridgehelper_t) + +type virt_bridgehelper_exec_t; +domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) +role system_r types virt_bridgehelper_t; + +# policy for qemu_ga +type virt_qemu_ga_t; +type virt_qemu_ga_exec_t; +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) + +type virt_qemu_ga_var_run_t; +files_pid_file(virt_qemu_ga_var_run_t) + +type virt_qemu_ga_log_t; +logging_log_file(virt_qemu_ga_log_t) + +type virt_qemu_ga_tmp_t; +files_tmp_file(virt_qemu_ga_tmp_t) + +type virt_qemu_ga_data_t; +files_type(virt_qemu_ga_data_t) + +type virt_qemu_ga_unconfined_exec_t; +application_executable_file(virt_qemu_ga_unconfined_exec_t) + +type virt_qemu_ga_unconfined_t; + +optional_policy(` + virt_file_types(virt_qemu_ga_exec_t) + virt_file_types(virt_qemu_ga_var_run_t) + virt_file_types(virt_qemu_ga_log_t) + virt_file_types(virt_qemu_ga_tmp_t) + virt_file_types(virt_qemu_ga_data_t) + virt_file_types(virt_qemu_ga_unconfined_exec_t) +') + +######################################## +# +# 
virt_qmf local policy +# +allow virt_qmf_t self:capability { sys_nice sys_tty_config }; +allow virt_qmf_t self:process { setsched signal }; +allow virt_qmf_t self:fifo_file rw_fifo_file_perms; +allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms; +allow virt_qmf_t self:tcp_socket create_stream_socket_perms; +allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; + +kernel_read_system_state(virt_qmf_t) +kernel_read_network_state(virt_qmf_t) + +corenet_tcp_connect_matahari_port(virt_qmf_t) + +dev_read_sysfs(virt_qmf_t) +dev_read_rand(virt_qmf_t) +dev_read_urand(virt_qmf_t) + +domain_use_interactive_fds(virt_qmf_t) + +logging_send_syslog_msg(virt_qmf_t) + +sysnet_read_config(virt_qmf_t) + +optional_policy(` + dbus_read_lib_files(virt_qmf_t) +') + +optional_policy(` + virt_exec(virt_qmf_t) + virt_file_types(virt_qmf_exec_t) + virt_stream_connect(virt_qmf_t) + virt_system_domain_type(virt_qmf_t) +') + +######################################## +# +# virt_bridgehelper local policy +# + +allow virt_bridgehelper_t self:process { getcap setcap }; +allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid }; +allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +allow virt_bridgehelper_t self:tun_socket create_socket_perms; +allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; + +kernel_read_network_state(virt_bridgehelper_t) +kernel_read_system_state(virt_bridgehelper_t) + +corenet_rw_tun_tap_dev(virt_bridgehelper_t) + +dev_read_urand(virt_bridgehelper_t) +dev_read_rand(virt_bridgehelper_t) +dev_read_sysfs(virt_bridgehelper_t) + +userdom_use_inherited_user_ptys(virt_bridgehelper_t) + +optional_policy(` + virt_file_types(virt_bridgehelper_exec_t) + virt_rw_stream_sockets_virt_domain(virt_bridgehelper_t) + virt_svirt_manage_home(virt_bridgehelper_t) + virt_system_domain_type(virt_bridgehelper_t) +') + +####################################### +# +# virt_qemu_ga local policy +# + +allow 
virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config }; + +allow virt_qemu_ga_t self:passwd passwd; + +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; +allow virt_qemu_ga_t self:vsock_socket create_socket_perms; + +allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms; +can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t) + +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) +files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir }) + +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) +files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } ) + +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file }) + +kernel_read_system_state(virt_qemu_ga_t) +kernel_read_network_state(virt_qemu_ga_t) +kernel_rw_kernel_sysctl(virt_qemu_ga_t) + +corecmd_exec_shell(virt_qemu_ga_t) +corecmd_exec_bin(virt_qemu_ga_t) + +dev_getattr_apm_bios_dev(virt_qemu_ga_t) +dev_rw_sysfs(virt_qemu_ga_t) +dev_rw_realtime_clock(virt_qemu_ga_t) + +files_list_all_mountpoints(virt_qemu_ga_t) +files_write_all_mountpoints(virt_qemu_ga_t) + +fs_list_all(virt_qemu_ga_t) +fs_getattr_all_fs(virt_qemu_ga_t) + +term_use_virtio_console(virt_qemu_ga_t) +term_use_all_ttys(virt_qemu_ga_t) +term_use_unallocated_ttys(virt_qemu_ga_t) + +auth_use_nsswitch(virt_qemu_ga_t) + +clock_read_adjtime(virt_qemu_ga_t) + +init_read_utmp(virt_qemu_ga_t) + +logging_send_syslog_msg(virt_qemu_ga_t) +logging_send_audit_msgs(virt_qemu_ga_t) + +modutils_exec_kmod(virt_qemu_ga_t) + +storage_getattr_fixed_disk_dev(virt_qemu_ga_t) 
+ +sysnet_dns_name_resolve(virt_qemu_ga_t) + +systemd_exec_systemctl(virt_qemu_ga_t) +systemd_start_power_services(virt_qemu_ga_t) +systemd_dbus_chat_logind(virt_qemu_ga_t) + +userdom_use_user_ptys(virt_qemu_ga_t) + +usermanage_domtrans_passwd(virt_qemu_ga_t) + +tunable_policy(`virt_read_qemu_ga_data',` + read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) + read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) +') + +tunable_policy(`virt_rw_qemu_ga_data',` + manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) + manage_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) + manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) +') + +tunable_policy(`virt_qemu_ga_read_nonsecurity_files',` + files_read_non_security_files(virt_qemu_ga_t) +') + +tunable_policy(`virt_qemu_ga_run_unconfined',` + domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t) +',` + can_exec(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t) +') + +optional_policy(` + ssh_filetrans_home_content(virt_qemu_ga_t) + tunable_policy(`virt_qemu_ga_manage_ssh',` + allow virt_qemu_ga_t self:capability { chown dac_override dac_read_search fowner fsetid }; + + ssh_create_home_dirs(virt_qemu_ga_t) + ssh_manage_home_files(virt_qemu_ga_t) + ') +') + +optional_policy(` + bootloader_domtrans(virt_qemu_ga_t) +') + +optional_policy(` + clock_domtrans(virt_qemu_ga_t) +') + +optional_policy(` + cron_initrc_domtrans(virt_qemu_ga_t) + cron_domtrans(virt_qemu_ga_t) +') + +optional_policy(` + dbus_system_bus_client(virt_qemu_ga_t) +') + +optional_policy(` + devicekit_manage_pid_files(virt_qemu_ga_t) + devicekit_read_log_files(virt_qemu_ga_t) +') + +optional_policy(` + fstools_domtrans(virt_qemu_ga_t) +') + +optional_policy(` + rpm_dbus_chat(virt_qemu_ga_t) +') + +optional_policy(` + shutdown_domtrans(virt_qemu_ga_t) +') + +optional_policy(` + 
udev_read_pid_files(virt_qemu_ga_t) +') + +optional_policy(` + virt_system_domain_type(virt_qemu_ga_t) +') + +####################################### +# +# qemu-ga unconfined hook script local policy +# + +optional_policy(` + domain_type(virt_qemu_ga_unconfined_t) + + domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t) + role system_r types virt_qemu_ga_unconfined_t; + + allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms; + allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms; + allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl; + + init_domtrans_script(virt_qemu_ga_unconfined_t) + + optional_policy(` + unconfined_domain(virt_qemu_ga_unconfined_t) + ') +')
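Review bot: Two of the tunable descriptions are wrong or misleading. `virt_read_qemu_ga_data` and `virt_rw_qemu_ga_data` say "qemu-ga date"; that should be "data". `virt_qemu_ga_manage_ssh` is described as "Allow qemu-ga read ssh home directory content", but the block it enables grants `chown dac_override dac_read_search fowner fsetid` plus `ssh_create_home_dirs` and `ssh_manage_home_files`, i.e. write access to users' ssh home content with DAC bypass; the description should say "manage" and mention the capabilities so administrators know what they are switching on. Separately, in the qemu-ga unconfined hook script section, `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the `dir` class; `list_dir_perms` is the idiomatic set there, and it already covers the `search_dir_perms` line above it.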
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/vpn.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/vpn.te
Changed
@@ -75,6 +75,7 @@ dev_read_rand(vpnc_t) dev_read_urand(vpnc_t) dev_read_sysfs(vpnc_t) +dev_rw_vhost(vpnc_t) domain_use_interactive_fds(vpnc_t)
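Review bot: `dev_rw_vhost(vpnc_t)` has no comment explaining why a VPN client needs read/write on the vhost device nodes, which is normally a hypervisor-side privilege. Please add a one-line comment with the denial or bug that motivated it, so the next reviewer can tell whether it is still required.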
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/xen.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/xen.te
Changed
@@ -468,6 +468,7 @@ fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) +fs_map_xenfs_files(xenstored_t) term_use_generic_ptys(xenstored_t) term_use_console(xenconsoled_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/devices.fc
Changed
@@ -42,6 +42,7 @@ /dev/full -c gen_context(system_u:object_r:null_device_t,s0) /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/gnss0-9+ -c gen_context(system_u:object_r:gnss_device_t,s0) /dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) @@ -151,6 +152,7 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') +/dev/vas -c gen_context(system_u:object_r:vas_device_t,s0) /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) /dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0) /dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
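Review bot: `/dev/gnss0-9+` in the first hunk is not a usable pattern as displayed: `0-9+` matches a literal "0-" followed by one or more "9", so `/dev/gnss0` never gets `gnss_device_t`. The intent is clearly `/dev/gnss[0-9]+`; if the brackets were only lost in this rendering, confirm in the repository, otherwise fix it.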
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/devices.if
Changed
@@ -2142,6 +2142,24 @@ ######################################## ## <summary> +## Read and write the the dma device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_dma_dev',` + gen_require(` + type device_t, dma_device_t; + ') + + rw_chr_files_pattern($1, device_t, dma_device_t) +') + +######################################## +## <summary> ## getattr the dri devices. ## </summary> ## <param name="domain"> @@ -5373,6 +5391,24 @@ ######################################## ## <summary> +## Delete files in the dev/urandom. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_urand',` + gen_require(` + type urandom_device_t; + ') + + allow $1 urandom_device_t:chr_file unlink; +') + +######################################## +## <summary> ## Getattr generic the USB devices. ## </summary> ## <param name="domain"> @@ -5855,6 +5891,24 @@ ######################################## ## <summary> +## Watch the video4linux devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_watch_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + watch_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## <summary> ## Get the attributes of vfio devices. ## </summary> ## <param name="domain"> 
@@ -6593,6 +6647,42 @@ ') ######################################## +## <summary> +## Allow read/write the gnss device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_gnss',` + gen_require(` + type device_t, gnss_device_t; + ') + + rw_chr_files_pattern($1, device_t, gnss_device_t) +') + +######################################## +## <summary> +## Allow setattr the gnss device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_gnss',` + gen_require(` + type device_t, gnss_device_t; + ') + + setattr_chr_files_pattern($1, device_t, gnss_device_t) +') + +######################################## ## <summary> ## Create all named devices with the correct label ## </summary>
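Review bot: In the @@ -2142 hunk, the summary of `dev_rw_dma_dev` reads "Read and write the the dma device"; drop the doubled "the".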
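Review bot: `dev_delete_urand` in the @@ -5373 hunk is mis-documented and incomplete. Its summary says "Delete files in the dev/urandom", but the rule `allow $1 urandom_device_t:chr_file unlink;` removes the /dev/urandom device node itself; say so explicitly, since deleting the system entropy device is not something a caller should obtain by accident. The rule also grants only the chr_file `unlink`; without `remove_name` on the `device_t` directory the unlink still fails, so either use `delete_chr_files_pattern($1, device_t, urandom_device_t)` like the neighbouring `rw_chr_files_pattern` interfaces, or document that the caller must obtain the directory permission separately.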
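Review bot: In the @@ -6593 hunk, the summaries of `dev_rw_gnss` ("Allow read/write the gnss device") and `dev_setattr_gnss` ("Allow setattr the gnss device") do not follow the phrasing used elsewhere in this file ("Read and write the ... device", "Set the attributes of the ... device") and lack the trailing period; the names are also inconsistent with `dev_rw_dma_dev` added earlier in the same patch (`_dev` suffix versus none).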
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/devices.te
Changed
@@ -141,6 +141,12 @@ dev_node(hypervvssd_device_t) # +# Type for /dev/gnss0 +# +type gnss_device_t; +dev_node(gnss_device_t) + +# # Type for /dev/ss0 # type gpfs_device_t; @@ -396,6 +402,9 @@ type uhid_device_t; dev_node(uhid_device_t) +type vas_device_t; +dev_node(vas_device_t) + type vfio_device_t; dev_node(vfio_device_t)
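Review bot: `vas_device_t` in the second hunk is declared without the "# Type for /dev/..." comment that every neighbouring type has, including the new `gnss_device_t` just above; add `# Type for /dev/vas` and, since "vas" is not self-explanatory, a few words on what the device is.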
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/domain.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/domain.te
Changed
@@ -26,7 +26,7 @@ ## </p> ## </desc> # -gen_tunable(domain_kernel_load_modules, false) +gen_tunable(domain_kernel_load_modules, true) ## <desc> ## <p> @@ -121,7 +121,6 @@ # Rules applied to all domains # -allow domain domain:anon_inode common_anon_inode_perms; # read /proc/(pid|self) entries allow domain self:dir { list_dir_perms watch_dir_perms }; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; @@ -130,6 +129,9 @@ allow domain self:sem create_sem_perms; allow domain self:shm create_shm_perms; +kernel_userfaultfd_domtrans(domain) +kernel_io_uring_domtrans(domain) + kernel_getattr_proc(domain) kernel_read_proc_symlinks(domain) kernel_read_crypto_sysctls(domain) @@ -173,6 +175,9 @@ files_read_all_base_ro_files(domain) files_dontaudit_getattr_kernel_symbol_table(domain) files_dontaudit_map_all_dirs(domain) +# Executing a socket is nonsense, yet such access checks can technically +# happen, so dontaudit them +files_dontaudit_execute_all_sockets(domain) fs_dontaudit_map_all_dirs(domain) @@ -253,7 +258,7 @@ # be used on an attribute. # allow special io_uring features -allow unconfined_domain_type domain:io_uring override_creds; +allow unconfined_domain_type domain:io_uring { cmd override_creds }; allow unconfined_domain_type self:io_uring sqpoll; dev_io_uring_cmd_on_all_dev_nodes(unconfined_domain_type) files_io_uring_cmd_on_all_files(unconfined_domain_type) @@ -298,6 +303,8 @@ allow unconfined_domain_type domain:perf_event rw_inherited_perf_event_perms; kernel_manage_perf_event(unconfined_domain_type) +kernel_userfaultfd_use(unconfined_domain_type) +kernel_io_uring_use(unconfined_domain_type) corenet_filetrans_all_named_dev(named_filetrans_domain)
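Review bot: Flipping the `domain_kernel_load_modules` default from `false` to `true` in the @@ -26 hunk is a security-relevant relaxation: every domain can now cause the kernel to load modules by default instead of an administrator opting in per system. The hunk carries no rationale; the commit message should state what breaks with the old default and why a per-domain `kernel_request_load_module` (as given to `virtqemud_t` elsewhere in this revision) was not sufficient.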
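Review bot: Removing `allow domain domain:anon_inode common_anon_inode_perms;` in the @@ -121 hunk narrows anonymous-inode access from all domains to the `kernel_userfaultfd_domtrans` and `kernel_io_uring_domtrans` transitions added in the next hunk. That is the right direction, but any other anonymous inode user not covered by those two type transitions loses access it previously had; note this in the commit message and check the audit log on a test system before shipping.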
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/files.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/files.fc
Changed
@@ -285,6 +285,8 @@ /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) +/var/lib/authselect/backups(/.*)? <<none>> + /var/lib/nfs/rpc_pipefs(/.*)? <<none>> /var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/files.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/files.if
Changed
@@ -636,6 +636,24 @@ ######################################## ## <summary> +## Get attributes of all non-security directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + allow $1 non_security_file_type:dir getattr_dir_perms; +') + +######################################## +## <summary> ## List all non-security directories. ## </summary> ## <param name="domain"> @@ -1623,6 +1641,25 @@ ######################################## ## <summary> +## Do not audit attempts to execute +## any named socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_execute_all_sockets',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:sock_file execute; +') + +######################################## +## <summary> ## Do not audit attempts to read ## of all security file types. ## </summary> @@ -1728,8 +1765,12 @@ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) # satisfy the assertions: - seutil_relabelto_bin_policy($1) - auth_relabelto_shadow($1) + optional_policy(` + seutil_relabelto_bin_policy($1) + ') + optional_policy(` + auth_relabelto_shadow($1) + ') ') ######################################## 
@@ -1800,6 +1841,44 @@ ######################################## ## <summary> +## Manage all block device files on the filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_all_blk_files',` + gen_require(` + attribute file_type; + ') + + manage_blk_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Manage all character device files on the filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_all_chr_files',` + gen_require(` + attribute file_type; + ') + + manage_chr_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> ## Grant execute access to all files on the filesystem, ## except the listed exceptions. ## </summary> @@ -1903,6 +1982,24 @@ ######################################## ## <summary> +## Read all lnk_files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_all_lnk_files',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> ## Get the attributes of all filesystems ## with the type of a file. ## </summary> @@ -2016,6 +2113,25 @@ ######################################## ## <summary> +## Get attributes of all non-authentication related +## directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_non_auth_dirs',` + gen_require(` + attribute non_auth_file_type; + ') + + allow $1 non_auth_file_type:dir getattr_dir_perms; +') + +######################################## +## <summary> ## Read all non-authentication related ## directories. ## </summary> 
@@ -3967,6 +4083,24 @@ ######################################## ## <summary> +## Map generic files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`files_map_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:file map; +') + +######################################## +## <summary> ## Do not audit attempts to write generic files in /etc. ## </summary> ## <param name="domain"> @@ -6047,6 +6181,24 @@ ###################################### ## <summary> +## Watch manageable system db dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_system_db_dirs',` + gen_require(` + type system_db_t; + ') + + allow $1 system_db_t:dir watch_dir_perms; +') + +###################################### +## <summary> ## Watch manageable system db files in /var/db. ## </summary> ## <param name="domain"> @@ -7437,6 +7589,24 @@ ') ######################################## +## <summary> +## Watch generic lnk_files in /usr. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_usr_lnk_files',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:file watch_lnk_file_perms; +') + +######################################## ## <summary> ## Install a system.map into the /boot directory. ## </summary>
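Review bot: `files_watch_usr_lnk_files` in the @@ -7437 hunk does not do what its summary says: `allow $1 usr_t:file watch_lnk_file_perms;` targets the `file` class, so callers get watch permissions on regular files in /usr and are still denied watching symlinks. It should read `allow $1 usr_t:lnk_file watch_lnk_file_perms;`.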
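Review bot: `files_manage_all_blk_files` and `files_manage_all_chr_files` in the @@ -1800 hunk are tagged `<rolecap/>` and grant create and delete of device nodes under every `file_type`, which is effectively mknod-anywhere and should be reserved for device-management domains. Add a sentence to each summary saying they are not for general service policy, and check that the domain that motivated them cannot use the narrower `dev_` interfaces instead.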
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/filesystem.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/filesystem.if
Changed
@@ -1242,6 +1242,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; ') @@ -1298,6 +1299,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; read_files_pattern($1, cifs_t, cifs_t) ') @@ -1641,6 +1643,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; read_lnk_files_pattern($1, cifs_t, cifs_t) ') @@ -1661,6 +1664,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) read_fifo_files_pattern($1, cifs_t, cifs_t) ') @@ -1680,6 +1684,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) read_sock_files_pattern($1, cifs_t, cifs_t) ') @@ -1743,6 +1748,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) allow $1 cifs_t:dir manage_dir_perms; ') @@ -1783,6 +1789,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) manage_files_pattern($1, cifs_t, cifs_t) ') @@ -1822,6 +1829,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) manage_lnk_files_pattern($1, cifs_t, cifs_t) ') @@ -1841,6 +1849,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) manage_fifo_files_pattern($1, cifs_t, cifs_t) ') @@ -1860,6 +1869,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) manage_sock_files_pattern($1, cifs_t, cifs_t) ') @@ -6231,6 +6241,25 @@ ######################################## ## <summary> +## Write to socket files on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_write_tmpfs_socket_files',` + gen_require(` + type tmpfs_t; + ') + + write_sock_files_pattern($1, tmpfs_t, tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## <summary> ## Read and write, create and delete character ## nodes on tmpfs filesystems. ## </summary> 
@@ -6324,6 +6353,24 @@ ######################################## ## <summary> +## Map files on a XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_map_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:file map; +') + +######################################## +## <summary> ## Create, read, write, and delete directories ## on a XENFS filesystem. ## </summary> @@ -6969,6 +7016,44 @@ ') ####################################### +## <summary> +## Read and write files in efivarfs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_rw_efivarfs_files',` + gen_require(` + type efivarfs_t; + ') + + rw_files_pattern($1, efivarfs_t, efivarfs_t) +') + +####################################### +## <summary> +## Create efivarfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_create_efivarfs_files',` + gen_require(` + type efivarfs_t; + ') + + create_files_pattern($1, efivarfs_t, efivarfs_t) +') + +####################################### ## <summary> ## Manage efivarfs files ## </summary>
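Review bot: `fs_rw_efivarfs_files` and `fs_create_efivarfs_files` are tagged `<rolecap/>` but their summaries ("Read and write files in efivarfs", "Create efivarfs files") say nothing about what a write there means; since efivarfs exposes the firmware's EFI variables, add a `<desc>` stating that the caller can alter boot-time firmware configuration, and end both summaries with a period like the tmpfs and xenfs interfaces above them.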
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/kernel.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/kernel.if
Changed
@@ -4185,8 +4185,14 @@ ######################################## ## <summary> -## Allow caller to read the security state symbolic links. +## Read and write the security state information. ## </summary> +## <desc> +## <p> +## Allow the specified domain to read and write +## the security state information. +## </p> +## </desc> ## <param name="domain"> ## <summary> ## Domain allowed access. 
@@ -4501,5 +4507,115 @@ type init_t; ') - allow $1 kernel_t:bpf prog_run; + allow $1 kernel_t:bpf { map_read map_write prog_run }; +') + +######################################## +## <summary> +## Set up type transition for userfaultfd anon inodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to receive the type transition. +## </summary> +## </param> +# +interface(`kernel_userfaultfd_domtrans',` + gen_require(` + type userfaultfd_t; + ') + type_transition $1 self:anon_inode userfaultfd_t "userfaultfd"; +') + +######################################## +## <summary> +## Allow the domain to use the userfaultfd API via an inherited +## file descriptor. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_userfaultfd_use_inherited',` + gen_require(` + type userfaultfd_t; + ') + allow $1 userfaultfd_t:anon_inode { getattr ioctl read }; + + # Work around a known bug; see: + # https://lore.kernel.org/selinux/20210624152515.1844133-1-omosnace@redhat.com/ + allow $1 userfaultfd_t:anon_inode { write }; +') + +######################################## +## <summary> +## Allow the domain to use the userfaultfd API. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_userfaultfd_use',` + gen_require(` + type userfaultfd_t; + ') + kernel_userfaultfd_use_inherited($1) + allow $1 userfaultfd_t:anon_inode create; +') + +######################################## +## <summary> +## Set up type transition for io_uring anon inodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to receive the type transition. 
+## </summary> +## </param> +# +interface(`kernel_io_uring_domtrans',` + gen_require(` + type io_uring_t; + ') + type_transition $1 self:anon_inode io_uring_t "io_uring"; +') + +######################################## +## <summary> +## Allow the domain to use the io_uring API via an inherited file +## descriptor. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_io_uring_use_inherited',` + gen_require(` + type io_uring_t; + ') + allow $1 io_uring_t:anon_inode { getattr read write map }; +') + +######################################## +## <summary> +## Allow the domain to use the io_uring API. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_io_uring_use',` + gen_require(` + type io_uring_t; + ') + kernel_io_uring_use_inherited($1) + allow $1 io_uring_t:anon_inode create; ')
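Review bot: `kernel_io_uring_use` and `kernel_userfaultfd_use` grant `create` on `io_uring_t` / `userfaultfd_t` anon inodes, but the `type_transition` that actually labels a new anon inode with those types lives in the separate `kernel_io_uring_domtrans` / `kernel_userfaultfd_domtrans` interfaces; a domain that is given only the `_use` interface has its anon inodes labelled with its own domain type, and none of the rules here apply. Either have the `_use` interfaces call the matching `_domtrans` interface, or state in their `<desc>` that both must be called together.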
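Review bot: the change from `allow $1 kernel_t:bpf prog_run;` to `allow $1 kernel_t:bpf { map_read map_write prog_run };` widens an interface whose name describes running a program only; update that interface's `<summary>` (outside this hunk) to say it now also grants read and write access to the kernel's BPF maps, so callers see the wider grant when they audit who may call it.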
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/kernel.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/kernel.te
Changed
@@ -234,6 +234,10 @@ typealias unlabeled_t alias file_t; neverallow * unlabeled_t:file entrypoint; +# anon_inode types +type userfaultfd_t; +type io_uring_t; + # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) @@ -340,6 +344,7 @@ dev_map_dri(kernel_t) dev_map_framebuffer(kernel_t) +fs_getattr_all_fs(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) @@ -364,6 +369,13 @@ allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms; +# Enable running `/usr/bin/env umount ...` to support ZFS automounting. +# See the module/os/linux/zfs/zfs_ctldir.c file in +# https://github.com/openzfs/zfs/ for the usermode helper calls. +optional_policy(` + mount_domtrans(kernel_generic_helper_t) +') + domain_use_all_fds(kernel_t) domain_signal_all_domains(kernel_t) domain_search_all_domains_state(kernel_t) @@ -374,6 +386,9 @@ domain_obj_id_change_exemption(kernel_t) files_manage_all_files(kernel_t) +files_manage_all_blk_files(kernel_t) +files_manage_all_chr_files(kernel_t) +files_relabel_all_files(kernel_t) # The 'execute' permission on lower inodes is checked against the mounter # cred by overlayfs, so we need to grant it to allow overlay mounts created # during early boot to work. @@ -481,8 +496,6 @@ corenet_sendrecv_portmap_client_packets(kernel_t) corenet_sendrecv_generic_server_packets(kernel_t) - fs_getattr_xattr_fs(kernel_t) - auth_dontaudit_getattr_shadow(kernel_t) sysnet_read_config(kernel_t)
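Review bot: `files_manage_all_blk_files(kernel_t)`, `files_manage_all_chr_files(kernel_t)` and `files_relabel_all_files(kernel_t)` add create/delete rights over every device node and relabel rights over every `file_type` object to `kernel_t` with no comment, while the `execute` grant just below them documents its overlayfs rationale. Add a comment naming the kernel code path that needs these (and whether `kernel_generic_helper_t` rather than `kernel_t` should hold them), because relabel-all on the kernel domain is exactly the rule a policy audit will flag.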
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/roles/sysadm.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/roles/sysadm.te
Changed
@@ -45,6 +45,7 @@ domain_read_view_all_domains_keyrings(sysadm_t) files_read_kernel_modules(sysadm_t) +files_map_kernel_modules(sysadm_t) files_filetrans_named_content(sysadm_t) files_status_etc(sysadm_t) files_unconfined(sysadm_t) @@ -365,6 +366,10 @@ ') optional_policy(` + iscsi_stream_connect(sysadm_t) +') + +optional_policy(` kerberos_exec_kadmind(sysadm_t) kerberos_filetrans_named_content(sysadm_t) ')
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/roles/unconfineduser.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/roles/unconfineduser.if
Changed
@@ -277,6 +277,42 @@ ######################################## ## <summary> +## List unconfined domain directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_list_dirs',` + gen_require(` + type unconfined_t; + ') + + list_dirs_pattern($1, unconfined_t, unconfined_t) +') + +######################################## +## <summary> +## Read unconfined domain files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_read_files',` + gen_require(` + type unconfined_t; + ') + + read_files_pattern($1, unconfined_t, unconfined_t) +') + +######################################## +## <summary> ## Read unconfined domain unnamed pipes. ## </summary> ## <param name="domain">
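Review bot: `unconfined_list_dirs` and `unconfined_read_files` use the domain type `unconfined_t` as the directory and file target, so what they grant is access to the `/proc/<pid>` entries of unconfined processes, not to files owned by unconfined users; say so in both summaries (and add the missing period to "List unconfined domain directories").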
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/roles/unconfineduser.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/roles/unconfineduser.te
Changed
@@ -216,6 +216,7 @@ ') optional_policy(` + chrome_filetrans_home_content(unconfined_t) chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',`
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/services/ssh.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/ssh.fc
Changed
@@ -30,6 +30,7 @@ /usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/libexec/openssh/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) +/usr/libexec/openssh/ssh-pkcs11-helper -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/services/ssh.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/ssh.if
Changed
@@ -406,6 +406,7 @@ # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) + can_exec($1_ssh_agent_t, ssh_agent_exec_t) domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) kernel_read_system_state($1_ssh_agent_t) @@ -908,6 +909,25 @@ userdom_search_user_home_dirs($1) ') +######################################## +## <summary> +## Create ssh home directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_create_home_dirs',` + gen_require(` + type ssh_home_t; + ') + + allow $1 ssh_home_t:dir create_dir_perms; + setattr_dirs_pattern($1, ssh_home_t, ssh_home_t) +') + ####################################### ## <summary> ## Delete from the ssh temp files.
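Review bot: the new `can_exec($1_ssh_agent_t, ssh_agent_exec_t)` needs a one-line comment explaining why the agent must execute its own entrypoint type; the ssh.fc change in this revision labels `/usr/libexec/openssh/ssh-pkcs11-helper` as `ssh_agent_exec_t`, and without that context the rule reads as an accidental self-exec.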
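Review bot: `ssh_create_home_dirs` grants `create_dir_perms` and setattr on `ssh_home_t` but, unlike the interface directly above it (which ends in `userdom_search_user_home_dirs($1)`), does not let the caller search the user's home directory to reach the place where `~/.ssh` is created; add `userdom_search_user_home_dirs($1)` or state in a `<desc>` that the caller must already hold it. Also consider whether a file transition to `ssh_home_t` is wanted so the created directory gets the right label.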
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/services/ssh.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/ssh.te
Changed
@@ -91,6 +91,7 @@ typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; userdom_user_tmp_file(ssh_agent_tmp_t) +userdom_user_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, sock_file) type ssh_keysign_t; type ssh_keysign_exec_t; @@ -748,6 +749,10 @@ ') optional_policy(` + gnome_manage_generic_cache_files(ssh_agent_type) +') + +optional_policy(` xserver_use_xdm_fds(ssh_agent_type) xserver_rw_xdm_pipes(ssh_agent_type) ')
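Review bot: `gnome_manage_generic_cache_files(ssh_agent_type)` gives every ssh-agent domain create/delete rights over generic GNOME cache content; add a comment naming the agent feature that needs it and whether read access would suffice, since manage is far wider than the fd and pipe access granted in the neighbouring xserver block.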
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/services/xserver.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/xserver.if
Changed
@@ -255,7 +255,7 @@ # Client write xserver shm tunable_policy(`xserver_clients_write_xshm',` allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; + allow $1 xserver_tmpfs_t:file mmap_rw_file_perms; ') ') @@ -439,7 +439,7 @@ # Client write xserver shm tunable_policy(`xserver_clients_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; + allow $2 xserver_tmpfs_t:file mmap_rw_file_perms; ') tunable_policy(`selinuxuser_direct_dri_enabled',` @@ -963,6 +963,25 @@ ######################################## ## <summary> +## Create xserver configuration dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_create_config_dirs',` + gen_require(` + type xserver_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, xserver_etc_t, xserver_etc_t) +') + +######################################## +## <summary> ## Read xdm-writable configuration files. ## </summary> ## <param name="domain">
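Review bot: `xserver_create_config_dirs` is named and documented as "Create xserver configuration dirs" but its body calls `manage_dirs_pattern($1, xserver_etc_t, xserver_etc_t)`, which also grants delete, rename and write; use `create_dirs_pattern` together with the existing `files_search_etc($1)`, or rename the interface to `xserver_manage_config_dirs`, so callers such as systemd_localed_t get what the name says.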
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/services/xserver.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/xserver.te
Changed
@@ -1056,6 +1056,9 @@ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm") gnome_initial_setup_domtrans(xdm_t) gnome_initial_setup_filetrans_named_content(xdm_t) + gnome_initial_setup_create_var_lib_dirs(xdm_t) + gnome_initial_setup_manage_var_lib_files(xdm_t) + gnome_initial_setup_manage_var_lib_sock_files(xdm_t) gnome_initial_setup_manage_var_run(xdm_t) gnome_initial_setup_noatsecure(xdm_t) gnome_initial_setup_read_state(xdm_t) @@ -1821,7 +1824,7 @@ # Client write xserver shm tunable_policy(`xserver_clients_write_xshm',` allow x_userdomain xserver_t:shm rw_shm_perms; - allow x_userdomain xserver_tmpfs_t:file rw_file_perms; + allow x_userdomain xserver_tmpfs_t:file mmap_rw_file_perms; ') optional_policy(`
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/fstools.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/fstools.te
Changed
@@ -37,6 +37,7 @@ allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap execstack }; allow fsadm_t self:fd use; allow fsadm_t self:fifo_file rw_fifo_file_perms; +allow fsadm_t self:file mounton; allow fsadm_t self:sock_file read_sock_file_perms; allow fsadm_t self:unix_dgram_socket create_socket_perms; allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
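Review bot: `allow fsadm_t self:file mounton;` is the only rule in this block without an obvious reason; add a comment naming the tool that mounts over its own `/proc/self` files. Drive-by: the unchanged `~{ ... execmem execmem ... }` line above it lists `execmem` twice; drop the duplicate while this block is being touched.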
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/init.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/init.te
Changed
@@ -177,6 +177,7 @@ allow init_t self:cap_userns all_cap_userns_perms; allow init_t self:tcp_socket { listen accept }; allow init_t self:packet_socket create_socket_perms; +allow init_t self:vsock_socket create_socket_perms; allow init_t self:key manage_key_perms; allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; @@ -870,6 +871,7 @@ optional_policy(` sysnet_filetrans_cloud_net_conf(init_t) + sysnet_manage_config_pipes(init_t) ') optional_policy(`
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/ipsec.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/ipsec.te
Changed
@@ -192,6 +192,7 @@ files_dontaudit_write_all_files(ipsec_t) fs_getattr_all_fs(ipsec_t) +fs_read_nsfs_files(ipsec_mgmt_t) fs_search_auto_mountpoints(ipsec_t) selinux_compute_access_vector(ipsec_t)
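Review bot: `fs_read_nsfs_files(ipsec_mgmt_t)` is inserted in the middle of a run of `ipsec_t` rules (`fs_getattr_all_fs(ipsec_t)` above, `fs_search_auto_mountpoints(ipsec_t)` below); if `ipsec_mgmt_t` is really the intended subject, move the line to the ipsec_mgmt_t local policy section, otherwise change the subject to `ipsec_t`.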
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/logging.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/logging.fc
Changed
@@ -27,6 +27,8 @@ /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/libexec/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_unconfined_script_exec_t,s0) + /usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) @@ -76,6 +78,7 @@ /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/auditd\.state -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
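Review bot: `/usr/libexec/rsyslog(/.*)?` labels the whole directory tree, including anything dropped there later, as `syslogd_unconfined_script_exec_t`, which in logging.te is an entrypoint into an unconfined domain for `syslogd_t`; list the specific helper scripts with `--` entries instead, or at least document why a directory-wide label is required.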
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/logging.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/logging.te
Changed
@@ -114,6 +114,12 @@ type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) +type syslogd_unconfined_script_t; +type syslogd_unconfined_script_exec_t; +role system_r types syslogd_unconfined_script_t; +application_domain(syslogd_unconfined_script_t, syslogd_unconfined_script_exec_t) +domtrans_pattern(syslogd_t, syslogd_unconfined_script_exec_t, syslogd_unconfined_script_t) + type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) @@ -241,6 +247,7 @@ corecmd_exec_bin(auditd_t) corecmd_exec_shell(auditd_t) +domain_read_all_domains_state(auditd_t) domain_use_interactive_fds(auditd_t) files_read_etc_files(auditd_t) @@ -645,6 +652,7 @@ fs_read_efivarfs_files(syslogd_t) fs_search_auto_mountpoints(syslogd_t) fs_list_cgroup_dirs(syslogd_t) +fs_write_cgroup_files(syslogd_t) miscfiles_manage_generic_cert_files(syslogd_t) @@ -799,3 +807,13 @@ ') logging_stream_connect_syslog(syslog_client_type) + +######################################## +# +# syslogd_unconfined_script_t local policy +# + +optional_policy(` + unconfined_domain(syslogd_unconfined_script_t) + +')
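Review bot: `domtrans_pattern(syslogd_t, syslogd_unconfined_script_exec_t, syslogd_unconfined_script_t)` together with `unconfined_domain(syslogd_unconfined_script_t)` lets rsyslog leave its confinement by executing a helper; add a comment with the rationale and consider gating it behind a boolean so systems that do not use these helpers can keep it off. Also remove the stray blank line before the closing `')` of that `optional_policy` block.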
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/lvm.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/lvm.fc
Changed
@@ -177,6 +177,7 @@ /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) /var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/run/cryptsetup(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/multipathd(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/lvm.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/lvm.if
Changed
@@ -525,3 +525,42 @@ allow $1 lvm_var_run_t:file { rw_file_perms }; ') + +######################################## +## <summary> +## Create, read, write, and delete +## lvm var run files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_manage_var_run',` + gen_require(` + type lvm_var_run_t; + ') + + manage_dirs_pattern($1, lvm_var_run_t, lvm_var_run_t) + manage_files_pattern($1, lvm_var_run_t, lvm_var_run_t) +') + +######################################## +## <summary> +## Create directory cryptsetup in the /var/run +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_var_run_filetrans',` + gen_require(` + type lvm_var_run_t; + ') + + files_search_pids($1) + files_pid_filetrans($1, lvm_var_run_t, dir, "cryptsetup" ) +')
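Review bot: `lvm_var_run_filetrans` hardcodes the `"cryptsetup"` name but carries a generic interface name and a summary with a grammar slip ("Create directory cryptsetup in the /var/run"); rename it (for example `lvm_pid_filetrans_cryptsetup`) or take the name as a parameter, change the summary to "Create the cryptsetup directory in /var/run.", and drop the stray space in `"cryptsetup" )`.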
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/selinuxutil.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/selinuxutil.fc
Changed
@@ -36,6 +36,8 @@ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) +/usr/libexec/selinux/selinux-autorelabel -- gen_context(system_u:object_r:semanage_exec_t,s0) + /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) /usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/selinuxutil.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/selinuxutil.if
Changed
@@ -821,6 +821,25 @@ ######################################## ## <summary> +## Watch the general SELinux configuration files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`selinux_watch_config',` + gen_require(` + type selinux_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:file watch_file_perms; +') + +######################################## +## <summary> ## Read and write the general SELinux configuration files. ## </summary> ## <param name="domain">
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/sysnetwork.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/sysnetwork.fc
Changed
@@ -41,7 +41,7 @@ /var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0) ') /var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -/var/run/NetworkManager/no-stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) +/var/run/NetworkManager/no-stub-resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /var/run/cloud-init(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/sysnetwork.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/sysnetwork.if
Changed
@@ -634,6 +634,25 @@ manage_dirs_pattern($1, net_conf_t, net_conf_t) ') +######################################## +## <summary> +## Create, read, write and delete +## network config pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_manage_config_pipes',` + gen_require(` + type net_conf_t; + ') + + manage_fifo_files_pattern($1, net_conf_t, net_conf_t) +') + ####################################### ## <summary> ## Read the dhcp client pid file. @@ -1140,6 +1159,7 @@ ') optional_policy(` + systemd_resolved_pid_filetrans($1, net_conf_t, file, "no-stub-resolv.conf") systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf") systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/sysnetwork.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/sysnetwork.te
Changed
@@ -64,6 +64,7 @@ dontaudit dhcpc_t self:capability sys_admin; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +allow dhcpc_t self:capability2 bpf; allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate setrlimit signal_perms }; allow dhcpc_t self:cap_userns { net_bind_service }; @@ -309,7 +310,9 @@ # Ifconfig local policy # +allow ifconfig_t self:bpf { prog_load prog_run }; allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config }; +allow ifconfig_t self:capability2 { bpf perfmon }; allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; @@ -385,6 +388,8 @@ files_read_etc_runtime_files(ifconfig_t) files_read_usr_files(ifconfig_t) +fs_manage_cgroup_dirs(ifconfig_t) +fs_rw_cgroup_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_unmount_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -393,6 +398,7 @@ fs_unmount_nsfs(ifconfig_t) selinux_dontaudit_getattr_fs(ifconfig_t) +selinux_compute_create_context(ifconfig_t) term_dontaudit_use_console(ifconfig_t) term_dontaudit_use_all_ttys(ifconfig_t) @@ -430,6 +436,14 @@ ') optional_policy(` + apache_domtrans(ifconfig_t) +') + +optional_policy(` + bind_domtrans(ifconfig_t) +') + +optional_policy(` brctl_domtrans(ifconfig_t) ') @@ -489,6 +503,10 @@ ') optional_policy(` + ssh_domtrans(ifconfig_t) +') + +optional_policy(` unconfined_dontaudit_rw_pipes(ifconfig_t) ')
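Review bot: `allow dhcpc_t self:capability2 bpf;` grants the capability without any `dhcpc_t self:bpf` permissions, whereas the `ifconfig_t` hunk below pairs `capability2 { bpf perfmon }` with `self:bpf { prog_load prog_run }`; confirm whether the client only needs the capability check to pass or whether `prog_load`/`prog_run` denials will follow, and record the use case in a comment.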
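Review bot: `apache_domtrans(ifconfig_t)`, `bind_domtrans(ifconfig_t)` and `ssh_domtrans(ifconfig_t)` turn the network configuration domain into a launcher for httpd, named and ssh with no comment on why; if these exist for `ip netns exec` style invocations, say so next to each block, since otherwise a reviewer cannot tell an intended transition from an over-broad grant.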
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/systemd.fc
Changed
@@ -2,8 +2,8 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) /root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) -/etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) -/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) /etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) /bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) @@ -68,7 +68,10 @@ /usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) /usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_network_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-rc-local-generator -- gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0) /usr/lib/systemd/systemd-resolve(d|-host) gen_context(system_u:object_r:systemd_resolved_exec_t,s0) /usr/lib/systemd/systemd-importd -- gen_context(system_u:object_r:systemd_importd_exec_t,s0) /usr/lib/systemd/systemd-journal-upload -- gen_context(system_u:object_r:systemd_journal_upload_exec_t,s0)
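Review bot: the first hunk only realigns whitespace on the `/etc/.*hostname.*` and `/etc/machine-info` lines; whitespace-only churn makes `git blame` noisier for no functional gain, so drop it or move it to a separate formatting commit.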
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/systemd.if
Changed
@@ -29,6 +29,39 @@ ###################################### ## <summary> +## Creates types and rules for +## systemd generators. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`systemd_generator_template',` + gen_require(` + attribute systemd_generator; + ') + + type $1_t, systemd_generator; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + init_nnp_daemon_domain($1_t) + + kernel_read_system_state($1_t) + + dev_write_kmsg($1_t) + + auth_use_nsswitch($1_t) + selinux_get_enforce_mode($1_t) + + systemd_manage_unit_dirs($1_t) + systemd_create_unit_file_dirs($1_t) + systemd_create_unit_file_lnk($1_t) +') + +###################################### +## <summary> ## Create a domain for processes which are started ## exuting systemctl. ## </summary> @@ -2040,6 +2073,44 @@ allow $1 power_unit_file_t:service status; ') +######################################## +## <summary> +## Start vconsole unit. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_start_vconsole_services',` + gen_require(` + type systemd_vconsole_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 systemd_vconsole_unit_file_t:service start; +') + +######################################## +## <summary> +## Status vconsole unit. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_status_vconsole_services',` + gen_require(` + type systemd_vconsole_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 systemd_vconsole_unit_file_t:service status; +') + ####################################### ## <summary> ## Start power unit files domain.
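Review bot: the summary "Status vconsole unit." in `systemd_status_vconsole_services` is not a sentence; use "Get the status of the vconsole unit." Drive-by: the unchanged context line "exuting systemctl" in the following summary has a typo for "executing".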
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/systemd.te
Changed
@@ -23,6 +23,7 @@ attribute systemd_unit_file_type; attribute systemd_domain; +attribute systemd_generator; attribute systemctl_domain; attribute systemd_mount_directory; attribute systemd_private_tmp_type; @@ -192,6 +193,15 @@ type systemd_gpt_generator_unit_file_t; systemd_unit_file(systemd_gpt_generator_unit_file_t) +#domain for fstab-generator +systemd_generator_template(systemd_fstab_generator) + +#domain for rc-local-generator +systemd_generator_template(systemd_rc_local_generator) + +#domain for sysv-generator +systemd_generator_template(systemd_sysv_generator) + #domain for systemd-machined systemd_domain_template(systemd_machined) @@ -452,7 +462,7 @@ allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill }; allow systemd_machined_t systemd_unit_file_t:service { status start stop }; allow systemd_machined_t self:unix_dgram_socket create_socket_perms; -allow systemd_machined_t self:cap_userns { sys_chroot }; +allow systemd_machined_t self:cap_userns { setgid setuid sys_admin sys_chroot sys_ptrace }; manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) @@ -464,9 +474,6 @@ manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines") -fs_read_nsfs_files(systemd_machined_t) -fs_write_cgroup_files(systemd_machined_t) - kernel_dgram_send(systemd_machined_t) # This is a bug, but need for now. kernel_read_unlabeled_state(systemd_machined_t) 
@@ -474,6 +481,14 @@ domain_signal_all_domains(systemd_machined_t) domain_signull_all_domains(systemd_machined_t) +files_read_var_lib_symlinks(systemd_machined_t) +files_write_root_dirs(systemd_machined_t) + +fs_read_nsfs_files(systemd_machined_t) +fs_read_tmpfs_symlinks(systemd_machined_t) +fs_write_cgroup_files(systemd_machined_t) +fs_write_tmpfs_socket_files(systemd_machined_t) + init_dbus_chat(systemd_machined_t) init_status(systemd_machined_t) init_start(systemd_machined_t) @@ -508,6 +523,15 @@ ') optional_policy(` + term_use_generic_ptys(systemd_machined_t) +') + +optional_policy(` + unconfined_server_read_state(systemd_machined_t) + unconfined_server_stream_connectto(systemd_machined_t) +') + +optional_policy(` virt_dbus_chat(systemd_machined_t) virt_sandbox_read_state(systemd_machined_t) virt_signal_sandbox(systemd_machined_t) @@ -558,6 +582,7 @@ fs_read_xenfs_files(systemd_networkd_t) fs_read_nsfs_files(systemd_networkd_t) +fs_write_cgroup_files(systemd_networkd_t) dev_read_sysfs(systemd_networkd_t) dev_write_kmsg(systemd_networkd_t) @@ -862,6 +887,7 @@ userdom_dbus_send_all_users(systemd_localed_t) +xserver_create_config_dirs(systemd_localed_t) xserver_manage_config(systemd_localed_t) optional_policy(` @@ -1164,12 +1190,27 @@ # # systemd_hwdb domain # +dontaudit systemd_hwdb_t self:capability dac_override; + manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t) allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto}; files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file) systemd_read_efivarfs(systemd_hwdb_t) +######################################## +# +# Common rules for systemd generators +# +allow systemd_generator self:unix_dgram_socket { create_socket_perms sendto }; + +kernel_dgram_send(systemd_generator) + +fs_getattr_all_fs(systemd_generator) +fs_search_all(systemd_generator) + +logging_stream_connect_syslog(systemd_generator) + ####################################### # # systemd_gpt_generator domain 
@@ -1189,6 +1230,8 @@ files_list_usr(systemd_gpt_generator_t) files_list_var(systemd_gpt_generator_t) +fs_mount_tmpfs(systemd_gpt_generator_t) + fstools_exec(systemd_gpt_generator_t) mls_file_read_to_clearance(systemd_gpt_generator_t) @@ -1209,14 +1252,50 @@ ####################################### # +# systemd_fstab_generator_t +# +allow systemd_fstab_generator_t self:capability dac_override; +dev_write_sysfs_dirs(systemd_fstab_generator_t) + +files_read_etc_files(systemd_fstab_generator_t) +files_read_all_lnk_files(systemd_fstab_generator_t) +files_search_all(systemd_fstab_generator_t) + +fstools_exec(systemd_fstab_generator_t) + +systemd_manage_all_unit_files(systemd_fstab_generator_t) + +####################################### +# +# systemd_rc_local_generator_t +# + +init_exec_script_files(systemd_rc_local_generator_t) + +####################################### +# +# systemd_sysv_generator_t +# + +init_read_script_files(systemd_sysv_generator_t) + +systemd_manage_all_unit_files(systemd_sysv_generator_t) + +####################################### +# # systemd_network_generator domain # init_named_pid_filetrans(systemd_network_generator_t, net_conf_t, dir, "network") +init_named_pid_filetrans(systemd_network_generator_t, net_conf_t, file) sysnet_manage_config(systemd_network_generator_t) sysnet_manage_config_dirs(systemd_network_generator_t) +optional_policy(` + logging_send_syslog_msg(systemd_network_generator_t) +') + ####################################### # # systemd_resolved domain @@ -1507,7 +1586,7 @@ # systemd_sleep local policy # -allow systemd_sleep_t self:capability sys_resource; +allow systemd_sleep_t self:capability { linux_immutable sys_resource }; # systemd-sleep needs to set timer for suspend-then-hibernate allow systemd_sleep_t self:capability2 wake_alarm; dontaudit systemd_sleep_t self:capability sys_ptrace; 
@@ -1525,6 +1604,9 @@ dev_rw_sysfs(systemd_sleep_t) dev_write_kmsg(systemd_sleep_t) +fs_create_efivarfs_files(systemd_sleep_t) +fs_rw_efivarfs_files(systemd_sleep_t) + fstools_rw_swap_files(systemd_sleep_t) init_search_var_lib_dirs(systemd_sleep_t)
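Review bot: the cap_userns change for systemd_machined_t in the `@@ -452,7 +462,7 @@` hunk grows the set from `{ sys_chroot }` to `{ setgid setuid sys_admin sys_chroot sys_ptrace }` with no comment on which machinectl or nspawn operation needs each capability; sys_admin and sys_ptrace inside a user namespace are still the capabilities a reviewer will ask about first, so please add a one-line comment naming the operation (shell/login into a container, for instance) that was denied, the way the `# This is a bug, but need for now.` line does for kernel_read_unlabeled_state.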
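Review bot: `files_write_root_dirs(systemd_machined_t)` in the `@@ -474,6 +481,14 @@` hunk grants write on the root directory type itself, which is unusual for a service domain and is not explained; if this is for a mount point created under `/` while starting an image, a comment saying so (and, if one exists, a named filetrans for that directory) would keep the grant reviewable. The fs_read_nsfs_files and fs_write_cgroup_files lines in the same hunk are only moved from the previous hunk into the sorted fs_ block, so no net change there.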
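Review bot: the new optional_policy block in the `@@ -508,6 +523,15 @@` hunk calls `unconfined_server_stream_connectto(systemd_machined_t)`, but this revision's unconfined.if change only adds `unconfined_server_read_state`; please confirm the stream_connectto interface already exists in v40.7, since optional_policy does not hide an undefined interface at build time. Also worth a comment: both calls let machined inspect and connect to unconfined_service_t, which is a wide target type.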
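Review bot: in the `@@ -1209,14 +1252,50 @@` hunk, `allow systemd_fstab_generator_t self:capability dac_override;` is added without a comment, and dac_override is the capability most often granted by mistake when a path simply needs a better label (a dontaudit is the usual first choice); please note which file triggers it. In the same hunk, `systemd_manage_all_unit_files` for the fstab and sysv generators allows managing every unit file type, while generators only ever write under the /run/systemd/generator directories; if a narrower interface for that output directory exists, prefer it. Style: the `# systemd_fstab_generator_t` header is followed directly by rules, whereas the rc_local and sysv headers keep the blank `#` line used elsewhere in the file.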
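Review bot: the `@@ -1507,7 +1586,7 @@` hunk adds linux_immutable to systemd_sleep_t's capability set without a comment, although the neighbouring `# systemd-sleep needs to set timer for suspend-then-hibernate` line shows the convention; the changelog entry "Allow systemd-sleep set attributes of efivarfs files" and the efivarfs create/rw rules in the following hunk suggest it is for toggling the immutable flag on efivarfs variable files, but the capability applies to every file on the system, so please record that reason next to the rule.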
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/udev.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/udev.te
Changed
@@ -43,6 +43,7 @@ dontaudit udev_t self:capability sys_tty_config; allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; +allow udev_t self:system module_load; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; allow udev_t self:sock_file read_sock_file_perms; @@ -141,6 +142,7 @@ files_list_tmp(udev_t) fs_getattr_all_fs(udev_t) +fs_search_all(udev_t) fs_list_auto_mountpoints(udev_t) fs_list_hugetlbfs(udev_t) fs_read_cgroup_files(udev_t) @@ -200,6 +202,10 @@ systemd_login_read_pid_files(udev_t) systemd_getattr_unit_files(udev_t) systemd_domtrans_sysctl(udev_t) +systemd_hwdb_mmap_config(udev_t) +systemd_hwdb_read_config(udev_t) +systemd_start_vconsole_services(udev_t) +systemd_status_vconsole_services(udev_t) userdom_dontaudit_search_user_home_content(udev_t) userdom_rw_inherited_user_tmp_pipes(udev_t)
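Review bot: `allow udev_t self:system module_load;` in the first hunk permits udev to load a module from memory (the init_module path that libkmod uses for modules it has decompressed itself), where no file type check on the module can apply; since udev already drives module loading, this is expected, but a comment distinguishing it from the per-file `module_load` check used for finit_module would help the next reader. `fs_search_all(udev_t)` in the second hunk is broad; if only one or two filesystem types were denied, listing them would be tighter.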
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/unconfined.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/unconfined.if
Changed
@@ -429,3 +429,21 @@ allow $1 unconfined_service_t:sem r_sem_perms; ') + +####################################### +## <summary> +## Allow the specified domain read unconfined service process state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_server_read_state',` + gen_require(` + type unconfined_service_t; + ') + + ps_process_pattern($1, unconfined_service_t) +')
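Review bot: the interface summary reads `Allow the specified domain read unconfined service process state`; it should be "Allow the specified domain to read unconfined service process state" to match the phrasing of the other summaries in this file. The ps_process_pattern body and the `unconfined_server_` prefix are consistent with the existing interfaces here.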
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/userdomain.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/userdomain.fc
Changed
@@ -23,6 +23,7 @@ HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0) HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0) +HOME_DIR/tmp/.* <<none>> /tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0) /tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
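Review bot: `HOME_DIR/tmp/.* <<none>>` stops restorecon and relabels from touching anything below a user's ~/tmp, so files there keep whatever type they were created with; that is the intended effect for a scratch directory, but a short comment would prevent someone later "fixing" it by adding a user_tmp_t context. The `-d` entry above still labels the ~/tmp directory itself, so directory creation is unaffected.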
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/userdomain.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/userdomain.if
Changed
@@ -594,7 +594,6 @@ allow $1 user_tmp_t:file entrypoint; exec_files_pattern($1, user_tmp_t, user_tmp_t) - dontaudit $1 user_tmp_t:sock_file execute; files_search_tmp($1) ') @@ -1189,6 +1188,7 @@ miscfiles_exec_tetex_data($1_usertype) seutil_read_config($1_usertype) + selinux_watch_config($1_usertype) seutil_read_file_contexts($1_usertype) seutil_read_default_contexts($1_usertype) seutil_exec_setfiles($1_usertype) @@ -1524,6 +1524,7 @@ storage_rw_fuse($1_t) + files_getattr_non_security_dirs($1_t) files_exec_usr_files($1_t) # cjp: why? files_read_kernel_symbol_table($1_t) @@ -3068,8 +3069,7 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - dontaudit $1 user_home_type:sock_file execute; - ') +') ######################################## ## <summary>
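Review bot: the two removed `dontaudit $1 user_home_type:sock_file execute;` and `dontaudit $1 user_tmp_t:sock_file execute;` lines mean execute attempts on user sockets will now appear in the audit log for callers of these interfaces; that is fine if the denials no longer occur in practice, but the commit should say so. The re-indented `')` in the `@@ -3068,8 +3069,7 @@` hunk is a welcome cleanup, and `selinux_watch_config` in the `@@ -1189,6 +1188,7 @@` hunk sits between two seutil_ calls rather than with the other selinux_ calls; minor ordering only.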
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/system/userdomain.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/userdomain.te
Changed
@@ -394,6 +394,7 @@ corecmd_watch_bin_dirs(login_userdomain) dev_watch_generic_dirs(login_userdomain) +dev_watch_video_dev(login_userdomain) files_map_var_lib_files(login_userdomain) files_read_var_lib_symlinks(login_userdomain) @@ -403,6 +404,7 @@ files_watch_system_conf_dirs(login_userdomain) files_watch_usr_dirs(login_userdomain) files_watch_usr_files(login_userdomain) +files_watch_usr_lnk_files(login_userdomain) files_watch_var_lib_dirs(login_userdomain) files_watch_var_run_dirs(login_userdomain) files_watch_generic_tmp_dirs(login_userdomain)
View file
_service:tar_scm:v38.21.tar.gz/policy/support/obj_perm_sets.spt -> _service:tar_scm:v40.7.tar.gz/policy/support/obj_perm_sets.spt
Changed
@@ -284,10 +284,14 @@ # define(`userfaultfd_anon_inode_perms',` # deprecated 2022.02.07 - refpolicywarn(`userfaultfd_anon_inode_perms() is deprecated, please use common_inode_perms() instead.') + refpolicywarn(`userfaultfd_anon_inode_perms() is deprecated, enumerate the needed permissions instead.') { create getattr ioctl read write } ') -define(`common_anon_inode_perms',`{ create getattr ioctl map read write }') +define(`common_anon_inode_perms',` + # deprecated 2023.10.04 + refpolicywarn(`common_anon_inode_perms() is deprecated, enumerate the needed permissions instead.') + { create getattr ioctl map read write } +') ######################################## #
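Review bot: deprecating `common_anon_inode_perms` while it still expands to `{ create getattr ioctl map read write }` means every existing caller keeps granting `map` on anon inodes until it is migrated; the refpolicywarn only fires at build time, so a grep for remaining callers in the tree would confirm nothing depends on the set before it is removed. The updated message for userfaultfd_anon_inode_perms, which no longer points at the now-deprecated replacement, is correct.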
View file
_service:tar_scm:v40.7.tar.gz/scripts
Added
+(directory)
View file
_service:tar_scm:v40.7.tar.gz/scripts/make-sources.sh
Added
@@ -0,0 +1,42 @@ +#!/bin/bash + +# Prepare sources for an SRPM build + +set -eux + +outdir="$1"; shift + +rootdir="$(realpath -m "$0/../..")" + +DISTGIT_URL=https://src.fedoraproject.org/rpms/selinux-policy +DISTGIT_REF=rawhide + +CONTAINER_URL=https://github.com/containers/container-selinux +EXPANDER_URL=https://github.com/fedora-selinux/macro-expander + +base_head_id="$(git -C "$rootdir" rev-parse HEAD)" +base_short_head_id="${base_head_id:0:7}" +base_date="$(TZ=UTC git show -s --format=%cd --date=format-local:%F_%T HEAD | tr -d :-)" + +tmpdir="$(mktemp -d)" + +trap 'rm -rf "$tmpdir"' EXIT + +container_dir="$tmpdir/container-selinux" +expander_dir="$tmpdir/macro-expander" + +git clone --single-branch --depth 1 "$CONTAINER_URL" "$container_dir" +git clone --single-branch --depth 1 "$EXPANDER_URL" "$expander_dir" +git clone -b "$DISTGIT_REF" --single-branch --depth 1 "$DISTGIT_URL" "$outdir" + +git -C "$rootdir" archive --prefix="selinux-policy-$base_head_id/" --format tgz HEAD \ + >"$outdir/selinux-policy-$base_short_head_id.tar.gz" + +tar -C "$container_dir" -czf "$outdir/container-selinux.tgz" \ + container.if container.te container.fc + +cp "$expander_dir/macro-expander.sh" "$outdir/macro-expander" + +sed -i "s/%global commit ^ *$/%global commit $base_head_id/; + s/%{?dist}/.$base_date.$base_short_head_id%{?dist}/" "$outdir/selinux-policy.spec" +rm -f "$outdir/sources"
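Review bot: `base_date="$(TZ=UTC git show -s ... HEAD ...)"` runs git in the caller's current directory, unlike the other git calls which pass `-C "$rootdir"`, so the timestamp comes from whatever repository the script is invoked from; add `-C "$rootdir"` there. In the sed expression `s/%global commit ^ *$/%global commit $base_head_id/`, the `^` is not at the start of the pattern and is therefore a literal caret in a basic regex, so the substitution only matches a line containing `%global commit ^`; if the intent is to replace any existing value, `.*` is the pattern wanted. With `set -x` enabled the commit id and URLs are echoed, which is harmless here but worth knowing when the output is logged.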
View file
_service:tar_scm:v40.7.tar.gz/scripts/make-srpm.sh
Added
@@ -0,0 +1,25 @@ +#!/bin/bash + +# Make an SRPM for COPR + +set -eux + +outdir="$1"; shift + +rootdir="$(realpath -m "$0/../..")" + +rpm -q rpm-build git-core || dnf install -y rpm-build git-core + +tmpdir="$(mktemp -d)" + +trap 'rm -rf "$tmpdir"' EXIT + +rpmbuild_dir="$tmpdir" +distgit_dir="$tmpdir/SOURCES" + +mkdir -p "$distgit_dir" + +"$rootdir/scripts/make-sources.sh" "$distgit_dir" + +rpmbuild --define "_topdir $rpmbuild_dir" -bs "$distgit_dir/selinux-policy.spec" +cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"
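Review bot: `rpm -q rpm-build git-core || dnf install -y rpm-build git-core` silently requires root (or a sudo-capable caller) on the fallback path and installs packages as a side effect of building an SRPM; failing with a clear message when the packages are missing would be the safer default for a script run on developer machines. Also, `cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"` assumes `$outdir` exists; a `mkdir -p "$outdir"` next to the existing `mkdir -p "$distgit_dir"` would cover that.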