Mega:23.09
selinux-policy
The diff of some files was truncated because they were too big.
Changes of Revision 3
_service:tar_scm:selinux-policy.spec
Changed
@@ -11,12 +11,12 @@ Summary: SELinux policy configuration Name: selinux-policy -Version: 38.21 +Version: 40.7 Release: 1 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ -Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.21.tar.gz +Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v40.7.tar.gz # Tool helps during policy development, to expand system m4 macros to raw allow rules # Git repo: https://github.com/fedora-selinux/macro-expander.git @@ -742,6 +742,19 @@ %endif %changelog +* Thu Dec 28 2023 jinlun<jinlun@huawei.com> - 40.7-1 +- update version to 40.7 + - Allow chronyd-restricted read chronyd key files + - Allow systemd-sleep set attributes of efivarfs files + - Make name_zone_t and named_var_run_t a part of the mountpoint attribute + - Update cifs interfaces to include fs_search_auto_mountpoints() + - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on + - Add map_read map_write to kernel_prog_run_bpf + - Add policy for nvme-stas + - Make new virt drivers permissive + - Allow named and ndc use the io_uring api + - Allow sssd send SIGKILL to passket_child running in ipa_otpd_t + * Fri Jul 21 2023 jinlun<jinlun@huawei.com> - 38.21-1 - update version to 38.21
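Review bot: the 40.7-1 changelog understates how this rebase changes the enforcing posture: modules.conf in the same revision enables four new modules (virt_supplementary, afterburn, nvme_stas, coreos_installer), and afterburn.te and coreos_installer.te both declare their domains `permissive`, so the built policy ships permissive domains beyond the one bullet "Make new virt drivers permissive". Add a bullet listing the new modules and the permissive domains, with the plan for dropping the `permissive` lines. Also, the bump from 38.21 to 40.7 spans two upstream release series, so the ten bullets cannot be the full delta; point at the upstream release notes rather than implying completeness.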
_service:tar_scm:Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
Changed
@@ -1,4 +1,4 @@ -From 36a7559c14a33b8ae867acaf3a724529ef2aa7ea Mon Sep 17 00:00:00 2001 +From 2a1802c29f4629f06ebd2c8bf1491f98565bf5b1 Mon Sep 17 00:00:00 2001 From: "GONG, Ruiqi" <gongruiqi1@huawei.com> Date: Mon, 20 Mar 2023 20:42:49 +0800 Subject: PATCH Revert "Don't allow kernel_t to execute bin_t/usr_t binaries @@ -7,14 +7,14 @@ This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688. --- - policy/modules/kernel/kernel.te | 14 +++----------- - 1 file changed, 3 insertions(+), 11 deletions(-) + policy/modules/kernel/kernel.te | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index fc6f5f8..daf0801 100644 +index 7dce828..0c1d125 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -351,18 +351,10 @@ selinux_compute_create_context(kernel_t) +@@ -356,25 +356,14 @@ selinux_compute_create_context(kernel_t) term_use_all_terms(kernel_t) term_use_ptmx(kernel_t) @@ -34,8 +34,15 @@ +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. +corecmd_exec_bin(kernel_t) + # Enable running `/usr/bin/env umount ...` to support ZFS automounting. + # See the module/os/linux/zfs/zfs_ctldir.c file in + # https://github.com/openzfs/zfs/ for the usermode helper calls. +-optional_policy(` +- mount_domtrans(kernel_generic_helper_t) +-') + domain_use_all_fds(kernel_t) domain_signal_all_domains(kernel_t) -- -2.27.0 +2.33.0
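Review bot: the rebased revert now removes more than the commit it says it reverts. The three new `+-` lines drop the `optional_policy(` / `mount_domtrans(kernel_generic_helper_t)` / `')` block while the body still reads only "This reverts commit 18c5559222ea..."; say in the description why that block goes too (presumably because the revert removes the kernel_generic_helper_t type it references, which would otherwise fail to build). More importantly, the revert re-grants `corecmd_exec_bin(kernel_t)`, so kernel_t may again execute any bin_t binary, which is exactly the surface upstream removed; the only justification in the patch is the `/proc/sys/kernel/modprobe` set to `/bin/true` comment. Record the openEuler-specific reason for needing it, or narrow the rule to the helper the kernel actually invokes.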
_service:tar_scm:add-qemu_exec_t-for-stratovirt.patch
Changed
@@ -1,25 +1,24 @@ -From 601ffc24a1d00f20833eb104913634dedb51b95d Mon Sep 17 00:00:00 2001 -From: root <root@localhost.localdomain> -Date: Fri, 20 Aug 2021 10:50:31 +0800 +From 3f9a66fb7bb35a101d8be50d8f2fa238af62d11f Mon Sep 17 00:00:00 2001 +From: jinlun <jinlun@huawei.com> +Date: Tue, 26 Dec 2023 17:18:00 +0800 Subject: PATCH add qemu_exec_t for stratovirt -Signed-off-by: root <root@localhost.localdomain> --- - policy/modules/contrib/virt.fc | 1 + + policy/modules/contrib/virt_supplementary.fc | 1 + 1 file changed, 1 insertion(+) -diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc -index d12dac0..c12f009 100644 ---- a/policy/modules/contrib/virt.fc -+++ b/policy/modules/contrib/virt.fc -@@ -100,6 +100,7 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_ - /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -+/usr/bin/stratovirt -- gen_context(system_u:object_r:qemu_exec_t,s0) +diff --git a/policy/modules/contrib/virt_supplementary.fc b/policy/modules/contrib/virt_supplementary.fc +index d27441f..5563457 100644 +--- a/policy/modules/contrib/virt_supplementary.fc ++++ b/policy/modules/contrib/virt_supplementary.fc +@@ -62,6 +62,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv + /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/stratovirt -- gen_context(system_u:object_r:qemu_exec_t,s0) - /etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) - /usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? 
gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) + # support for QEMU-GA + /etc/qemu-ga/fsfreeze-hook\.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -- -2.30.0 +2.27.0
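Review bot: the rewritten patch removes the old `Signed-off-by: root <root@localhost.localdomain>` trailer but adds none for the new author in the From: line; add `Signed-off-by: jinlun <jinlun@huawei.com>`. On substance, moving `/usr/bin/stratovirt -- gen_context(system_u:object_r:qemu_exec_t,s0)` from virt.fc to virt_supplementary.fc follows upstream's file split, but labelling stratovirt as qemu_exec_t gives it the entire qemu/svirt policy rather than a domain of its own; that is acceptable while libvirt drives stratovirt the same way it drives qemu, and deserves a sentence in the commit body.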
_service:tar_scm:allow-init_t-create-fifo-file-in-net_conf-dir.patch
Changed
@@ -1,6 +1,6 @@ -From b00033d4825cfc3ae9787c94ffa7e5408acf9a4b Mon Sep 17 00:00:00 2001 -From: Huaxin Lu <luhuaxin1@huawei.com> -Date: Sun, 29 Jan 2023 00:36:01 +0800 +From ebfc55113be3be3a298a14e767712cc5e16a50c3 Mon Sep 17 00:00:00 2001 +From: jinlun <jinlun@huawei.com> +Date: Thu, 28 Dec 2023 19:17:52 +0800 Subject: PATCH allow init_t create fifo file in net_conf dir Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> @@ -9,17 +9,17 @@ 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8b84aa1..15b57a7 100644 +index 4f2ce88..5fc8fed 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -872,6 +872,7 @@ optional_policy(` - +@@ -879,6 +879,7 @@ optional_policy(` optional_policy(` sysnet_filetrans_cloud_net_conf(init_t) + sysnet_manage_config_pipes(init_t) + manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t) ') optional_policy(` -- -2.33.0 +2.27.0
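Review bot: the rebased context now shows upstream's `sysnet_manage_config_pipes(init_t)` directly above the downstream `manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t)`; if that interface already covers fifo_file on net_conf_t (as its name suggests, check sysnetwork.if in v40.7) the downstream rule is redundant and the patch can be dropped. If it is still needed, reach net_conf_t through a sysnet_* interface instead of naming the type directly from init.te. The trailers are also inconsistent: From: is jinlun while Signed-off-by remains Huaxin Lu; add the new author's Signed-off-by.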
_service:tar_scm:fix-selinux-label-for-hostname-digest-list.patch
Changed
@@ -15,9 +15,9 @@ @@ -3,6 +3,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit /root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) - /etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) -+/etc/^/*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) - /etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) + /etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) ++/etc/^/*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) + /etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) /etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) --
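Review bot: the replacement pattern `/etc/^/*hostname.*` as shown cannot match anything, because a `^` anchor after `/etc/` never matches in the regex dialect file_contexts uses and `/*` then only absorbs slashes. If the intent (as the patch name suggests) is to restrict hostname_etc_t to files directly under /etc so that digest-list files deeper in the tree stop matching, the expression should be a bracket class such as `[^/]*`; confirm the brackets exist in the actual patch and were only lost in rendering, and verify after build with `matchpathcon /etc/hostname` and a path under a deeper /etc directory whose name contains "hostname". Note that the outer diff here appears to change only leading whitespace in the context lines, so this is a pure refresh of the patch.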
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="url">git@gitee.com:src-openeuler/selinux-policy.git</param> <param name="scm">git</param> - <param name="revision">openEuler-23.09</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
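Review bot: switching `<param name="revision">` from the `openEuler-23.09` branch to `master` makes the source fetch non-reproducible: every build pulls whatever is at the head of git@gitee.com:src-openeuler/selinux-policy.git at that moment, and any push to master lands directly in the Mega:23.09 project without a review step here. Pin to a release branch or, better, a commit hash, and bump it deliberately with each revision.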
_service:tar_scm:v38.21.tar.gz/.copr/make-srpm.sh
Deleted
@@ -1,56 +0,0 @@ -#!/bin/bash - -set -ex - -outdir="$1"; shift - -dirname="$(dirname "$0")" - -DISTGIT_URL=https://src.fedoraproject.org/rpms/selinux-policy -DISTGIT_REF=rawhide - -CONTAINER_URL=https://github.com/containers/container-selinux -EXPANDER_URL=https://github.com/fedora-selinux/macro-expander - -rpm -q rpm-build git-core || dnf install -y rpm-build git-core - -# Ensure that the git directory is owned by us to appease Git's -# anti-CVE-2022-24765 measures. -chown $(id -u):$(id -g) "$dirname/.." - -base_head_id="$(git -C "$dirname/.." rev-parse HEAD)" -base_short_head_id="${base_head_id:0:7}" -base_date="$(TZ=UTC git show -s --format=%cd --date=format-local:%F_%T HEAD | tr -d :-)" - -tmpdir="$(mktemp -d)" - -trap 'rm -rf "$tmpdir"' EXIT - -container_dir="$tmpdir/container-selinux" -expander_dir="$tmpdir/macro-expander" -rpmbuild_dir="$tmpdir/rpmbuild" -distgit_dir="$tmpdir/rpmbuild/SOURCES" - -mkdir -p "$distgit_dir" - -git clone --single-branch --depth 1 "$CONTAINER_URL" "$container_dir" -git clone --single-branch --depth 1 "$EXPANDER_URL" "$expander_dir" -git clone -b "$DISTGIT_REF" --single-branch --depth 1 "$DISTGIT_URL" "$distgit_dir" - -git -C "$dirname/.." archive --prefix="selinux-policy-$base_head_id/" --format tgz HEAD \ - >"$distgit_dir/selinux-policy-$base_short_head_id.tar.gz" - -tar -C "$container_dir" -czf "$distgit_dir/container-selinux.tgz" \ - container.if container.te container.fc - -cp "$expander_dir/macro-expander.sh" "$distgit_dir/macro-expander" - -( - cd "$distgit_dir" - sed -i "s/%global commit ^ *$/%global commit $base_head_id/" selinux-policy.spec - sed -i "s/%{?dist}/.$base_date.$base_short_head_id%{?dist}/" selinux-policy.spec - rm -f sources - rpmbuild --define "_topdir $rpmbuild_dir" -bs selinux-policy.spec -) - -cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"
_service:tar_scm:v38.21.tar.gz/.copr/Makefile -> _service:tar_scm:v40.7.tar.gz/.copr/Makefile
Changed
@@ -2,7 +2,9 @@ outdir ?= $(PWD) +COPR_DIR := $(dir $(lastword $(MAKEFILE_LIST))) + srpm: - $(dir $(lastword $(MAKEFILE_LIST)))/make-srpm.sh $(outdir) + $(COPR_DIR)/../scripts/make-srpm.sh $(outdir) .PHONY: srpm
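Review bot: the Makefile now calls `$(COPR_DIR)/../scripts/make-srpm.sh`, but this revision deletes `.copr/make-srpm.sh` without any visible addition of `scripts/make-srpm.sh` (the page says some file diffs were truncated, so it may simply be hidden); confirm the script is present in the v40.7 tarball, otherwise `make -C .copr srpm` breaks. When reviewing the moved script, keep the `chown $(id -u):$(id -g)` step and its CVE-2022-24765 comment from the deleted version, since the SRPM build runs git inside a checkout it may not own.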
_service:tar_scm:v40.7.tar.gz/.fmf
Added
+(directory)
_service:tar_scm:v40.7.tar.gz/.fmf/version
Added
@@ -0,0 +1,1 @@ +1
_service:tar_scm:v38.21.tar.gz/.github/workflows/build.yml -> _service:tar_scm:v40.7.tar.gz/.github/workflows/build.yml
Changed
@@ -4,40 +4,13 @@ build: runs-on: ubuntu-latest container: - image: fedora:rawhide + image: quay.io/fedora/fedora:rawhide options: --security-opt seccomp=unconfined steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - run: dnf install --nogpgcheck -y git-core checkpolicy policycoreutils-devel make m4 findutils - run: git clone --depth=1 https://github.com/containers/container-selinux.git /tmp/container-selinux - run: cp /tmp/container-selinux/container.* policy/modules/contrib - run: make -j $(nproc) policy - run: make -j $(nproc) validate - run: make -j $(nproc) container.pp - build-rpm: - runs-on: ubuntu-latest - container: - image: fedora:rawhide - options: --security-opt seccomp=unconfined - steps: - - run: dnf install --nogpgcheck -y make git-core rpm-build 'dnf-command(builddep)' - - uses: actions/checkout@v2 - - run: make -C .copr srpm outdir="$PWD" - - name: Store the SRPM as an artifact - uses: actions/upload-artifact@v2 - with: - name: srpm - path: "*.src.rpm" - - run: | - if grep -q rawhide /etc/os-release; then - tag=rawhide - else - tag='f$releasever-build' - fi - dnf builddep --nogpgcheck --repofrompath "koji,https://kojipkgs.fedoraproject.org/repos/$tag/latest/\$arch/" -y --srpm *.src.rpm - - run: rpmbuild --define "_topdir $PWD/rpmbuild" -rb *.src.rpm - - name: Store binary RPMs as artifacts - uses: actions/upload-artifact@v2 - with: - name: rpms - path: rpmbuild/RPMS
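Review bot: the remaining `dnf install --nogpgcheck -y ...` step disables package signature verification in CI; with the image now pulled from quay.io/fedora/fedora:rawhide there is no reason to skip GPG checks on the Fedora repositories, so drop `--nogpgcheck`. `actions/checkout@v3` is referenced by a mutable tag; pin it to a commit SHA. Removing the build-rpm job also means CI no longer produces an SRPM or RPMs to exercise the spec; if packit.yaml is meant to take that over, say so in the commit message.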
_service:tar_scm:v40.7.tar.gz/packit.yaml
Added
@@ -0,0 +1,35 @@ +# See https://packit.dev/docs/configuration/ + +specfile_path: tmp/rpm/selinux-policy.spec +upstream_tag_template: "v{version}" + +actions: + post-upstream-clone: + - mkdir -p tmp/rpm + - scripts/make-sources.sh tmp/rpm + create-archive: sh -c 'ls tmp/rpm/selinux-policy*.tar.gz' + +jobs: + - job: copr_build + trigger: pull_request + targets: + - fedora-development + - fedora-latest-stable + + # run tests for packages which test SELinux policy well, see plans/ with `revdeps == yes` + - job: tests + identifier: revdeps + trigger: pull_request + notifications: + failure_comment: + message: "Cockpit tests failed for commit {commit_sha}. @martinpitt, @jelly, @mvollmer please check." + targets: + - fedora-development + tf_extra_params: + environments: + - artifacts: + - type: repository-file + id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo + tmt: + context: + revdeps: "yes"
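Review bot: the `create-archive` action is `ls tmp/rpm/selinux-policy*.tar.gz`, which returns more than one name as soon as a stale tarball is left in tmp/rpm; clean the directory in `post-upstream-clone` or select a single file. The revdeps tests job injects a third-party repository (group_cockpit/main-builds for `fedora-$releasever`) into the test environment, so results depend on unpinned external builds; that is tolerable for a notification-only job but should be stated in the comment above it.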
_service:tar_scm:v40.7.tar.gz/plans
Added
+(directory)
_service:tar_scm:v40.7.tar.gz/plans/cockpit.fmf
Added
@@ -0,0 +1,30 @@ +# reverse dependency test for https://github.com/cockpit-project/cockpit +# packit should automatically notify the cockpit maintainers on failures. +# For questions, please contact @martinpitt, @jelly, @mvollmer + +enabled: false +adjust+: + when: revdeps == yes + enabled: true + +discover: + how: fmf + url: https://github.com/cockpit-project/cockpit + ref: main +execute: + how: tmt + +/basic: + summary: Run tests for basic packages + discover+: + test: /test/browser/basic + +/network: + summary: Run tests for cockpit-networkmanager + discover+: + test: /test/browser/network + +/optional: + summary: Run tests for optional packages + discover+: + test: /test/browser/optional
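Review bot: `ref: main` discovers tests from the head of cockpit-project/cockpit, so a change in that repository can break or alter this package's test results without any change here. That is acceptable for an opt-in plan (`enabled: false`, switched on only when `revdeps == yes`), but note it in the header comment or pin a release tag.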
_service:tar_scm:v38.21.tar.gz/policy/modules.conf -> _service:tar_scm:v40.7.tar.gz/policy/modules.conf
Changed
@@ -2509,6 +2509,13 @@ # virt = module +# Layer: services +# Module: virt_supplementary +# +# non-libvirt virtualization libraries +# +virt_supplementary = module + # Layer: apps # Module: vhostmd # @@ -3127,3 +3134,24 @@ # qatlib - Intel QuickAssist technology library and resources management # qatlib = module + +# Layer: contrib +# Module: afterburn +# +# afterburn +# +afterburn = module + +# Layer: contrib +# Module: nvme_stas +# +# nvme_stas +# +nvme_stas = module + +# Layer: contrib +# Module: coreos_installer +# +# coreos_installer +# +coreos_installer = module
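Review bot: the new afterburn, nvme_stas and coreos_installer entries carry placeholder descriptions that merely repeat the module name, unlike the neighbouring `qatlib` entry; give each a one-line description. Enabling afterburn and coreos_installer here ships permissive domains, since both .te files in this revision declare `permissive`; and no nvme_stas policy files appear anywhere in this diff, so confirm they exist in the v40.7 tarball before the module is enabled (a listed module with no source fails the build).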
_service:tar_scm:v38.21.tar.gz/policy/modules/admin/sudo.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/admin/sudo.if
Changed
@@ -101,6 +101,11 @@ ') optional_policy(` + netutils_domtrans($1_sudo_t) + netutils_run_traceroute($1_sudo_t, $2) + ') + + optional_policy(` systemd_domtrans_systemctl($1_sudo_t, $3) systemd_systemctl_entrypoint($3) ')
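Review bot: the new block uses `netutils_domtrans($1_sudo_t)` but `netutils_run_traceroute($1_sudo_t, $2)`; the domtrans form does not add netutils_t to role $2, so for roles that lack it the transition fails with a role violation while traceroute works. Use `netutils_run($1_sudo_t, $2)` for symmetry, or explain why only the traceroute domain should be role-allowed.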
_service:tar_scm:v38.21.tar.gz/policy/modules/admin/sudo.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/admin/sudo.te
Changed
@@ -92,6 +92,7 @@ # sudo stores a token in the pam_pid directory auth_manage_pam_pid(sudodomain) auth_manage_faillog(sudodomain) +auth_read_var_auth(sudodomain) auth_rw_lastlog(sudodomain) application_signal(sudodomain)
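Review bot: `auth_read_var_auth(sudodomain)` lands without the justification comment the surrounding rules carry (`# sudo stores a token in the pam_pid directory`); since it applies to every sudo domain, state which PAM module's state under var_auth_t sudo needs to read.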
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/afterburn.fc
Added
@@ -0,0 +1,3 @@ +/usr/bin/afterburn -- gen_context(system_u:object_r:afterburn_exec_t,s0) + +/usr/lib/systemd/system/afterburn.* -- gen_context(system_u:object_r:afterburn_unit_file_t,s0)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/afterburn.if
Added
@@ -0,0 +1,39 @@ +## <summary>policy for afterburn</summary> + +######################################## +## <summary> +## Execute afterburn in the afterburn domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`afterburn_domtrans',` + gen_require(` + type afterburn_t, afterburn_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, afterburn_exec_t, afterburn_t) +') + +###################################### +## <summary> +## Execute afterburn in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`afterburn_exec',` + gen_require(` + type afterburn_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, afterburn_exec_t) +')
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/afterburn.te
Added
@@ -0,0 +1,43 @@ +policy_module(afterburn, 1.0.0) + +######################################## +# +# Declarations +# + +type afterburn_t; +type afterburn_exec_t; +init_daemon_domain(afterburn_t, afterburn_exec_t) + +type afterburn_unit_file_t; +systemd_unit_file(afterburn_unit_file_t) + +permissive afterburn_t; + +######################################## +# +# afterburn local policy +# +allow afterburn_t self:capability { setgid setuid sys_admin }; +allow afterburn_t self:process { fork setpgid }; +allow afterburn_t self:fifo_file rw_fifo_file_perms; + +kernel_read_all_proc(afterburn_t) + +corenet_tcp_connect_http_port(afterburn_t) + +domain_use_interactive_fds(afterburn_t) + +files_read_etc_files(afterburn_t) + +optional_policy(` + auth_use_nsswitch(afterburn_t) +') + +optional_policy(` + miscfiles_read_localization(afterburn_t) +') + +optional_policy(` + sysnet_dns_name_resolve(afterburn_t) +')
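Review bot: `permissive afterburn_t;` makes every rule below it advisory, and the domain additionally gets `sys_admin` and `kernel_read_all_proc`, which together leave little confinement even once enforcing. Add a tracking note for removing the `permissive` line, and check whether `sys_admin` is actually exercised by afterburn or only probed, in which case it should be a `dontaudit` rather than an allow.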
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/apcupsd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/apcupsd.te
Changed
@@ -156,5 +156,7 @@ corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t) corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t) + dev_read_sysfs(apcupsd_cgi_script_t) + sysnet_dns_name_resolve(apcupsd_cgi_script_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/bind.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/bind.te
Changed
@@ -58,11 +58,12 @@ type named_var_run_t; files_pid_file(named_var_run_t) +files_mountpoint(named_var_run_t) init_daemon_run_dir(named_var_run_t, "named") # for primary zone files type named_zone_t; -files_type(named_zone_t) +files_mountpoint(named_zone_t) type ndc_t; type ndc_exec_t; @@ -77,6 +78,7 @@ allow named_t self:capability { chown dac_read_search dac_override fowner kill net_admin net_raw setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; allow named_t self:capability2 block_suspend; +allow named_t self:io_uring sqpoll; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept connectto listen }; @@ -115,6 +117,7 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) allow named_t named_zone_t:file map; +kernel_io_uring_use(named_t) kernel_read_kernel_sysctls(named_t) kernel_read_system_state(named_t) kernel_read_network_state(named_t) @@ -263,6 +266,7 @@ allow ndc_t self:capability { dac_read_search net_admin }; allow ndc_t self:capability2 block_suspend; +allow ndc_t self:io_uring sqpoll; allow ndc_t self:process { fork signal_perms }; dontaudit ndc_t self:process setsched; allow ndc_t self:fifo_file rw_fifo_file_perms; @@ -278,6 +282,7 @@ allow ndc_t named_zone_t:dir search_dir_perms; +kernel_io_uring_use(ndc_t) kernel_read_system_state(ndc_t) kernel_read_kernel_sysctls(ndc_t)
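Review bot: `allow named_t self:io_uring sqpoll;` plus `kernel_io_uring_use(named_t)` (and the same pair for ndc_t) exposes a network-facing daemon to the io_uring interface, which several distributions now restrict by default because of its kernel CVE record. Consider gating these four lines behind a tunable (a boolean such as `named_use_io_uring`, name is a suggestion) so that sites disabling io_uring at the kernel level are not left with dead rules and sites that want it opt in. Changing named_zone_t and named_var_run_t to files_mountpoint() matches the changelog bullet about the mountpoint attribute; no concern there.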
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/bitlbee.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/bitlbee.te
Changed
@@ -19,6 +19,9 @@ type bitlbee_tmp_t; files_tmp_file(bitlbee_tmp_t) +type bitlbee_tmpfs_t; +files_tmpfs_file(bitlbee_tmpfs_t) + type bitlbee_var_t; files_type(bitlbee_var_t) @@ -40,6 +43,7 @@ allow bitlbee_t self:udp_socket create_socket_perms; allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; +allow bitlbee_t self:netlink_kobject_uevent_socket create_socket_perms; allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms; allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; @@ -56,9 +60,15 @@ manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file }) +manage_files_pattern(bitlbee_t, bitlbee_tmpfs_t, bitlbee_tmpfs_t) +fs_tmpfs_filetrans(bitlbee_t, bitlbee_tmpfs_t, file) +can_exec(bitlbee_t, bitlbee_tmpfs_t) + manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) +manage_lnk_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) -files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file}) +files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, { dir file }) +allow bitlbee_t bitlbee_var_t:file map; manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) @@ -68,6 +78,8 @@ kernel_read_system_state(bitlbee_t) kernel_read_kernel_sysctls(bitlbee_t) +corecmd_exec_shell(bitlbee_t) + corenet_all_recvfrom_unlabeled(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) corenet_tcp_sendrecv_generic_if(bitlbee_t) @@ -114,8 +126,12 @@ corenet_tcp_bind_interwise_port(bitlbee_t) corenet_tcp_sendrecv_interwise_port(bitlbee_t) +dev_getattr_dri_dev(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) +dev_read_sysfs(bitlbee_t) + +fs_getattr_xattr_fs(bitlbee_t) libs_legacy_use_shared_libs(bitlbee_t)
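Review bot: `can_exec(bitlbee_t, bitlbee_tmpfs_t)` together with `manage_files_pattern(bitlbee_t, bitlbee_tmpfs_t, bitlbee_tmpfs_t)` lets bitlbee create a file on tmpfs and then execute it, removing the writable-but-not-executable property that confines a compromised IRC gateway; with the new `corecmd_exec_shell(bitlbee_t)` this is a notable widening. If the driver is a library that needs an executable mapping (a JIT or trampolines), `execmem` on self is the narrower fix; otherwise document which plugin needs exec on tmpfs.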
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/blueman.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/blueman.te
Changed
@@ -54,6 +54,7 @@ corecmd_exec_bin(blueman_t) +dev_read_sysfs(blueman_t) dev_read_rand(blueman_t) dev_read_urand(blueman_t) dev_rw_wireless(blueman_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/chrome.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/chrome.if
Changed
@@ -131,3 +131,31 @@ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write }; ') + + +######################################## +## <summary> +## Create chrome directory in the user home directory +## with an correct label. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chrome_filetrans_home_content',` + gen_require(` + type chrome_sandbox_home_t; + ') + + optional_policy(` + gnome_config_filetrans($1, chrome_sandbox_home_t, dir, "chromium") + gnome_cache_filetrans($1, chrome_sandbox_home_t, dir, "chromium") + gnome_cache_filetrans($1, chrome_sandbox_home_t, dir, "chrome") + gnome_cache_filetrans($1, chrome_sandbox_home_t, dir, "google-chrome") + gnome_cache_filetrans($1, chrome_sandbox_home_t, dir, "google-chrome-unstable") + + ') +') +
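Review bot: style: the summary reads "with an correct label" (should be "a correct label"), there is a stray blank line before the closing `')` of the optional_policy block, and two blank lines precede the interface header and end the file where refpolicy style uses one. Also, the filetrans interfaces cover the parent directory and the transition but do not grant create on chrome_sandbox_home_t objects, so callers of `chrome_filetrans_home_content` still need a matching manage interface; say so in the summary.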
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/chrome.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/chrome.te
Changed
@@ -138,6 +138,7 @@ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome") gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome") gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "google-chrome-unstable") + gnome_config_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") ') optional_policy(`
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cifsutils.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/cifsutils.te
Changed
@@ -8,7 +8,10 @@ application_domain(cifs_helper_t, cifs_helper_exec_t) role system_r types cifs_helper_t; -allow cifs_helper_t self:capability { setgid setuid sys_chroot }; +# These capabilities are needed to switch into the namespaces & environment +# of the process ID parsed from the key description. It is necessary e.g. to +# work well with processes running in containers. +allow cifs_helper_t self:capability { dac_read_search setgid setuid sys_admin sys_chroot sys_ptrace }; allow cifs_helper_t self:key write; allow cifs_helper_t self:netlink_route_socket create_netlink_socket_perms; allow cifs_helper_t self:process setcap; @@ -54,6 +57,7 @@ optional_policy(` sssd_stream_connect(cifs_helper_t) + sssd_run_stream_connect(cifs_helper_t) ') optional_policy(`
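Review bot: the capability set for cifs_helper_t grows from `{ setgid setuid sys_chroot }` to include `dac_read_search sys_admin sys_ptrace`; the new comment explains the namespace switch, but sys_admin plus sys_ptrace plus dac_read_search lets this key-request helper enter any process's namespaces and read any file, so a bug in key-description parsing becomes a container-escape primitive. Confirm each one is exercised (entering another process's namespaces via setns() needs sys_ptrace and sys_admin) and whether sys_chroot is still needed after the switch to namespaces, and name the exact syscalls in the comment.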
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cloudform.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/cloudform.te
Changed
@@ -164,6 +164,7 @@ ') optional_policy(` + sysnet_domtrans_dhcpc(cloud_init_t) sysnet_domtrans_ifconfig(cloud_init_t) sysnet_read_dhcpc_state(cloud_init_t) sysnet_dns_name_resolve(cloud_init_t)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/coreos_installer.fc
Added
@@ -0,0 +1,7 @@ +/usr/bin/coreos-installer -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) + +/usr/libexec/coreos-installer-disable-device-auto-activation -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) +/usr/libexec/coreos-installer-service -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) + +/usr/lib/systemd/system-generators/coreos-installer-generator -- gen_context(system_u:object_r:coreos_installer_exec_t,s0) +/usr/lib/systemd/system/coreos-installer.* -- gen_context(system_u:object_r:coreos_installer_unit_file_t,s0)
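Review bot: `/usr/lib/systemd/system-generators/coreos-installer-generator` gets the same exec type as the daemon, and `init_daemon_domain(coreos_installer_t, coreos_installer_exec_t)` in the .te means systemd will transition the generator into coreos_installer_t when it runs generators at boot; the .te grants that domain nothing on systemd's generator output directories, which only works today because the domain is permissive. Either leave the generator labeled as other generators are, give it its own type, or add the systemd generator interfaces.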
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/coreos_installer.if
Added
@@ -0,0 +1,39 @@ +## <summary>policy for coreos_installer</summary> + +######################################## +## <summary> +## Execute coreos_installer_exec_t in the coreos_installer domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`coreos_installer_domtrans',` + gen_require(` + type coreos_installer_t, coreos_installer_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, coreos_installer_exec_t, coreos_installer_t) +') + +###################################### +## <summary> +## Execute coreos_installer in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`coreos_installer_exec',` + gen_require(` + type coreos_installer_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, coreos_installer_exec_t) +')
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/coreos_installer.te
Added
@@ -0,0 +1,47 @@ +policy_module(coreos_installer, 1.0.0) + +######################################## +# +# Declarations +# + +type coreos_installer_t; +type coreos_installer_exec_t; +init_daemon_domain(coreos_installer_t, coreos_installer_exec_t) + +type coreos_installer_unit_file_t; +systemd_unit_file(coreos_installer_unit_file_t) + +permissive coreos_installer_t; + +######################################## +# +# coreos_installer local policy +# +allow coreos_installer_t self:capability { setgid setuid sys_admin }; +allow coreos_installer_t self:process { fork setpgid }; +allow coreos_installer_t self:fifo_file rw_fifo_file_perms; +allow coreos_installer_t self:unix_stream_socket create_stream_socket_perms; + +kernel_read_proc_files(coreos_installer_t) + +corecmd_exec_bin(coreos_installer_t) +corecmd_exec_shell(coreos_installer_t) + +dev_write_kmsg(coreos_installer_t) + +domain_use_interactive_fds(coreos_installer_t) + +files_read_etc_files(coreos_installer_t) + +optional_policy(` + auth_read_passwd_file(coreos_installer_t) +') + +optional_policy(` + miscfiles_read_localization(coreos_installer_t) +') + +optional_policy(` + sysnet_dns_name_resolve(coreos_installer_t) +')
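Review bot: like afterburn, this domain is `permissive` and combines `sys_admin`, `corecmd_exec_bin`/`corecmd_exec_shell` and `dev_write_kmsg`, so in enforcing terms it is not confined yet. An installer legitimately writes raw disks, yet no rule here grants that (nothing like storage_raw_write_fixed_disk), which indicates the rule set was not collected under enforcing; record the plan for dropping `permissive` and gather the disk and device rules before then.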
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cups.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/cups.te
Changed
@@ -140,7 +140,7 @@ allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search dac_override kill fsetid fowner chown sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; -allow cupsd_t self:capability2 { block_suspend wake_alarm }; +allow cupsd_t self:capability2 { block_suspend bpf wake_alarm }; allow cupsd_t self:process { getpgid setpgid setsched }; allow cupsd_t self:unix_stream_socket { accept connectto listen }; allow cupsd_t self:netlink_selinux_socket create_socket_perms;
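Review bot: adding `bpf` to `cupsd_t self:capability2` grants CAP_BPF to the print spooler, and nothing in the hunk says what cupsd loads BPF programs for. If this came from an AVC raised by a library probing for the capability it should be a `dontaudit`, not an allow; if cupsd genuinely needs it, add a comment naming the feature.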
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/dbus.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/dbus.if
Changed
@@ -568,6 +568,24 @@ ######################################## ## <summary> +## Allow domain to write the dbus pid sock_file. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dbus_write_pid_sock_files',` + gen_require(` + type system_dbusd_var_run_t; + ') + + write_sock_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) +') + +######################################## +## <summary> ## Watch system dbus pid socket files ## </summary> ## <param name="domain">
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/dbus.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/dbus.te
Changed
@@ -197,6 +197,7 @@ optional_policy(` gnome_atspi_domtrans(system_dbusd_t) gnome_exec_gconf(system_dbusd_t) + gnome_initial_setup_read_var_lib_files(system_dbusd_t) gnome_read_inherited_home_icc_data_files(system_dbusd_t) ') @@ -238,6 +239,10 @@ ') optional_policy(` + term_use_generic_ptys(system_dbusd_t) +') + +optional_policy(` udev_read_db(system_dbusd_t) ')
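Review bot: `term_use_generic_ptys(system_dbusd_t)` is wrapped in `optional_policy()` although the terminal module is part of base policy, so the wrapper does nothing. A system bus daemon touching a pty is almost always an inherited descriptor from whoever started it in a terminal, which calls for `term_dontaudit_use_generic_ptys` rather than an allow; if it is genuinely needed, add a comment with the reason.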
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/ddclient.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/ddclient.if
Changed
@@ -118,3 +118,37 @@ getattr_files_pattern($1, ddclient_var_run_t, ddclient_var_run_t) ') + +######################################## +## <summary> +## Create objects in the ddclient home directory +## with an automatic type transition to a specified type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="type"> +## <summary> +## The type of the object being created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The class of the object being created. +## </summary> +## </param> +## <param name="name"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`ddclient_var_filetrans',` + gen_require(` + type ddclient_var_t; + ') + + filetrans_pattern($1, ddclient_var_t, $2, $3, $4) +')
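Review bot: documentation mismatch in `ddclient_var_filetrans`: the summary says "Create objects in the ddclient home directory", but the interface operates on `ddclient_var_t`; fix the summary to name the var directory.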
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/dovecot.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/dovecot.te
Changed
@@ -324,6 +324,10 @@ postfix_search_spool(dovecot_auth_t) ') +optional_policy(` + systemd_private_tmp(dovecot_auth_tmp_t) +') + ######################################## # # dovecot deliver local policy
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fdo.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/fdo.fc
Changed
@@ -1,3 +1,7 @@ +/boot/device-credentials -- gen_context(system_u:object_r:fdo_device_credentials_t,s0) + +/etc/device-credentials -- gen_context(system_u:object_r:fdo_device_credentials_t,s0) +/etc/device_onboarding_performed -- gen_context(system_u:object_r:fdo_device_credentials_t,s0) /etc/fdo(/.*)? gen_context(system_u:object_r:fdo_conf_t,s0) /etc/fdo/aio/aio_configuration -- gen_context(system_u:object_r:fdo_conf_rw_t,s0) /etc/fdo/aio/configs(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) @@ -5,9 +9,26 @@ /etc/fdo/aio/logs(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) /etc/fdo/aio/stores(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/manufacturing_sessions(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/owner_onboarding_sessions(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/owner_vouchers(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/rendezvous_registered(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/stores/rendezvous_sessions(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) + +/tmp/fdouser -- gen_context(system_u:object_r:fdo_tmp_t,s0) + /usr/bin/fdo-admin-tool -- gen_context(system_u:object_r:fdo_exec_t,s0) /usr/bin/fdo-owner-tool -- gen_context(system_u:object_r:fdo_exec_t,s0) -/usr/libexec/fdo(/.*)? -- gen_context(system_u:object_r:fdo_exec_t,s0) +/usr/libexec/fdo(/.*)? gen_context(system_u:object_r:fdo_exec_t,s0) /usr/lib/systemd/system/fdo.*.service -- gen_context(system_u:object_r:fdo_unit_file_t,s0) + +/var/home/fdouser(/.*)? gen_context(system_u:object_r:fdo_home_t,s0) + +/var/fdo(/.*)? gen_context(system_u:object_r:fdo_var_t,s0) + +/var/lib/fdo(/.*)? gen_context(system_u:object_r:fdo_var_lib_t,s0) + + +
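Review bot: dropping `--` from `/usr/libexec/fdo(/.*)?` labels the directory itself and any subdirectories as fdo_exec_t, which is why fdo.te has to add `allow fdo_t fdo_exec_t:dir search_dir_perms`; an exec type on directories is unusual, so keep `--` for the files and let the directory keep its default label, or introduce a separate directory type. `/tmp/fdouser -- fdo_tmp_t` as a fixed path in a shared /tmp invites a race with any other /tmp user; the `files_tmp_filetrans` already in fdo.te is the better mechanism. Also remove the trailing blank lines at end of file.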
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fdo.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/fdo.te
Changed
@@ -15,22 +15,37 @@ type fdo_conf_rw_t; files_config_file(fdo_conf_rw_t) +type fdo_device_credentials_t; +files_type(fdo_device_credentials_t) + +type fdo_home_t; +userdom_user_home_content(fdo_home_t) + type fdo_tmp_t; files_tmp_file(fdo_tmp_t) type fdo_unit_file_t; systemd_unit_file(fdo_unit_file_t) +type fdo_var_lib_t; +files_type(fdo_var_lib_t) + +type fdo_var_t; +files_type(fdo_var_t) + ######################################## # # fdo local policy # +allow fdo_t self:capability { chown dac_override dac_read_search sys_admin }; allow fdo_t self:fifo_file rw_fifo_file_perms; allow fdo_t self:netlink_route_socket r_netlink_socket_perms; allow fdo_t self:tcp_socket create_stream_socket_perms; allow fdo_t self:udp_socket create_socket_perms; allow fdo_t self:unix_stream_socket create_stream_socket_perms; +allow fdo_t fdo_exec_t:dir search_dir_perms; +allow fdo_t fdo_exec_t:lnk_file read_lnk_file_perms; can_exec(fdo_t, fdo_exec_t) manage_dirs_pattern(fdo_t, fdo_conf_t, fdo_conf_t) 
@@ -40,8 +55,41 @@ filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "configs" ) filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "keys" ) filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "logs" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "manufacturing_sessions" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "owner_vouchers" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "owner_onboarding_sessions" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "rendezvous_registered" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "rendezvous_sessions" ) filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "stores" ) filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, file, "aio_configuration" ) +#fdouser file is copied by fdo from server to client /etc/sudoers.d/fdouser +files_etc_filetrans(fdo_t, fdo_conf_rw_t, file, "fdouser") + +manage_files_pattern(fdo_t, fdo_device_credentials_t, fdo_device_credentials_t) +files_etc_filetrans(fdo_t, fdo_device_credentials_t, file, "device-credentials") +files_etc_filetrans(fdo_t, fdo_device_credentials_t, file, "device_onboarding_performed") +files_boot_filetrans(fdo_t, fdo_device_credentials_t, file, "device-credentials") + +manage_dirs_pattern(fdo_t, fdo_home_t, fdo_home_t) +manage_files_pattern(fdo_t, fdo_home_t, fdo_home_t) + +manage_dirs_pattern(fdo_t, fdo_tmp_t, fdo_tmp_t) +manage_files_pattern(fdo_t, fdo_tmp_t, fdo_tmp_t) +files_tmp_filetrans(fdo_t, fdo_tmp_t, { file dir }) + +manage_dirs_pattern(fdo_t, fdo_var_t, fdo_var_t) +manage_files_pattern(fdo_t, fdo_var_t, fdo_var_t) +files_var_filetrans(fdo_t, fdo_var_t, { file dir }) + +read_files_pattern(fdo_t, fdo_var_lib_t, fdo_var_lib_t) +files_var_lib_filetrans(fdo_t, fdo_var_lib_t, { file dir }) + +kernel_get_sysvipc_info(fdo_t) +kernel_read_proc_files(fdo_t) +kernel_stream_connect(fdo_t) + +corecmd_exec_bin(fdo_t) +corecmd_exec_shell(fdo_t) corenet_tcp_bind_generic_node(fdo_t) 
corenet_tcp_bind_http_cache_port(fdo_t) @@ -53,17 +101,56 @@ corenet_tcp_bind_us_cli_port(fdo_t) corenet_tcp_connect_us_cli_port(fdo_t) +dev_getattr_fs(fdo_t) +dev_list_sysfs(fdo_t) +dev_read_rand(fdo_t) +dev_rw_lvm_control(fdo_t) +dev_rw_tpm(fdo_t) + domain_use_interactive_fds(fdo_t) files_read_config_files(fdo_t) +fs_getattr_xattr_fs(fdo_t) fs_read_cgroup_files(fdo_t) +storage_raw_rw_fixed_disk(fdo_t) + +optional_policy(` + auth_read_passwd_file(fdo_t) +') + +optional_policy(` + lvm_domtrans(fdo_t) + lvm_manage_var_run(fdo_t) + lvm_var_run_filetrans(fdo_t) +') + optional_policy(` miscfiles_read_generic_certs(fdo_t) miscfiles_read_localization(fdo_t) ') optional_policy(` + ssh_basic_client_template(fdo, fdo_t, system_r) + ssh_create_home_dirs(fdo_t) + ssh_filetrans_home_content(fdo_t) +') + +optional_policy(` sysnet_read_config(fdo_t) ') + +optional_policy(` + systemd_manage_userdbd_runtime_sock_files(fdo_t) +') + +optional_policy(` + userdom_home_filetrans_user_home_dir(fdo_home_t) +') + +optional_policy(` + usermanage_domtrans_passwd(fdo_t) + usermanage_domtrans_useradd(fdo_t) + usermanage_read_crack_db(fdo_t) +')
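Review bot: `read_files_pattern(fdo_t, fdo_var_lib_t, fdo_var_lib_t)` followed by `files_var_lib_filetrans(fdo_t, fdo_var_lib_t, { file dir })` is inconsistent: the transition fires only when fdo_t creates a file or directory under /var/lib, but read_files_pattern grants no create permission on fdo_var_lib_t, so the create is denied on the new object and the filetrans is dead; either the intent is read-only (drop the filetrans) or a manage pattern is missing. Separately, the cumulative grant in this file is effectively root: `self:capability { chown dac_override dac_read_search sys_admin }`, `storage_raw_rw_fixed_disk`, `dev_rw_tpm`, `dev_rw_lvm_control`, `corecmd_exec_shell`, `usermanage_domtrans_passwd`/`usermanage_domtrans_useradd`, and `files_etc_filetrans(fdo_t, fdo_conf_rw_t, file, "fdouser")` for a sudoers drop-in. Each of dac_override, sys_admin and raw fixed-disk write deserves a one-line justification like the comment above the fdouser rule, and a sudoers file labelled fdo_conf_rw_t is only useful if the sudo domain can read that type, which nothing in this hunk shows.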
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fedoratp.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/fedoratp.te
Changed
@@ -13,16 +13,22 @@ allow fedoratp_t self:process setsched; allow fedoratp_t self:unix_dgram_socket create_socket_perms; +kernel_read_proc_files(fedoratp_t) + corecmd_exec_bin(fedoratp_t) corenet_tcp_connect_http_port(fedoratp_t) +dev_read_sysfs(fedoratp_t) + files_manage_system_conf_files(fedoratp_t) files_manage_generic_tmp_dirs(fedoratp_t) files_manage_generic_tmp_files(fedoratp_t) files_manage_var_lib_dirs(fedoratp_t) files_manage_var_lib_files(fedoratp_t) +fs_getattr_xattr_fs(fedoratp_t) + sysnet_dns_name_resolve(fedoratp_t) term_use_unallocated_ttys(fedoratp_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/geoclue.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/geoclue.te
Changed
@@ -82,5 +82,9 @@ ') optional_policy(` + gnome_initial_setup_read_state(geoclue_t) +') + +optional_policy(` pcscd_stream_connect(geoclue_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gnome.fc
Changed
@@ -64,3 +64,5 @@ /usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) /usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + +/var/lib/gnome-initial-setup(/.*)? -- gen_context(system_u:object_r:gnome_initial_setup_var_lib_t,s0)
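Review bot: the `--` on `/var/lib/gnome-initial-setup(/.*)?` restricts the match to regular files, so the directory itself and any subdirectories stay var_lib_t after restorecon, yet gnome.if adds `gnome_initial_setup_create_var_lib_dirs` and `gnome_initial_setup_watch_var_lib_dirs` and gnome.te adds `manage_dirs_pattern` on this type. Drop the `--` so the whole tree is labelled gnome_initial_setup_var_lib_t, matching how the other directory specs in this file are written.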
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gnome.if
Changed
@@ -2059,6 +2059,98 @@ ######################################## ## <summary> +## Allow create gnome-initial-setup variable state directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_create_var_lib_dirs',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + create_dirs_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) +') + +######################################## +## <summary> +## Allow watch gnome-initial-setup variable state directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_watch_var_lib_dirs',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + watch_dirs_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) +') + +######################################## +## <summary> +## Allow read gnome-initial-setup variable state files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_read_var_lib_files',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + read_files_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) + allow $1 gnome_initial_setup_var_lib_t:file map; +') + +######################################## +## <summary> +## Allow manage gnome-initial-setup variable state files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_initial_setup_manage_var_lib_files',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + manage_files_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) + allow $1 gnome_initial_setup_var_lib_t:file map; +') + +######################################## +## <summary> +## Allow manage gnome-initial-setup variable state socket files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_manage_var_lib_sock_files',` + gen_require(` + type gnome_initial_setup_var_lib_t; + ') + + manage_sock_files_pattern($1, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) +') + +######################################## +## <summary> ## Allow read gnome-initial-setup runtime files ## </summary> ## <param name="domain">
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gnome.te
Changed
@@ -77,6 +77,9 @@ type gnome_initial_setup_exec_t; init_system_domain(gnome_initial_setup_t, gnome_initial_setup_exec_t); +type gnome_initial_setup_var_lib_t; +files_type(gnome_initial_setup_var_lib_t); + type gnome_initial_setup_var_run_t; files_pid_file(gnome_initial_setup_var_run_t); @@ -352,6 +355,9 @@ allow gnome_initial_setup_t gnome_initial_setup_exec_t:file execute_no_trans; allow gnome_initial_setup_t gkeyringd_exec_t:file exec_file_perms; +manage_dirs_pattern(gnome_initial_setup_t, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) +manage_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_lib_t, gnome_initial_setup_var_lib_t) + manage_dirs_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) manage_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) manage_sock_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) @@ -413,6 +419,10 @@ ') optional_policy(` + geoclue_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` networkmanager_dbus_chat(gnome_initial_setup_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gpg.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gpg.te
Changed
@@ -197,6 +197,10 @@ ') optional_policy(` + rpm_read_db(gpg_t) +') + +optional_policy(` spamassassin_read_spamd_tmp_files(gpg_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gpsd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/gpsd.te
Changed
@@ -63,6 +63,8 @@ corenet_tcp_bind_gpsd_port(gpsd_t) corenet_tcp_sendrecv_gpsd_port(gpsd_t) +dev_rw_gnss(gpsd_t) +dev_setattr_gnss(gpsd_t) dev_read_sysfs(gpsd_t) dev_rw_realtime_clock(gpsd_t) @@ -98,3 +100,8 @@ optional_policy(` udev_read_db(gpsd_t) ') + +optional_policy(` + userdom_use_user_ptys(gpsd_t) + userdom_use_user_ttys(gpsd_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/insights_client.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/insights_client.te
Changed
@@ -292,6 +292,7 @@ optional_policy(` logging_domtrans_auditctl(insights_client_t) + logging_manage_generic_logs(insights_client_t) logging_mmap_generic_logs(insights_client_t) logging_mmap_journal(insights_client_t) logging_read_audit_config(insights_client_t) @@ -344,6 +345,10 @@ ') optional_policy(` + rhcs_rw_cluster_tmpfs(insights_client_t) +') + +optional_policy(` rhnsd_read_config(insights_client_t) ') @@ -358,7 +363,7 @@ rpm_domtrans(insights_client_t) rpm_manage_db(insights_client_t) rpm_manage_cache(insights_client_t) - rpm_hawkey_named_filetrans(insights_client_t) + rpm_named_filetrans(insights_client_t) rpm_read_db(insights_client_t) rpm_signull(insights_client_t) ') @@ -401,12 +406,14 @@ ') optional_policy(` + unconfined_domain(insights_client_t) unconfined_server_create_shm(insights_client_t) unconfined_server_read_semaphores(insights_client_t) ') optional_policy(` userdom_manage_admin_files(insights_client_t) + userdom_manage_user_tmp_files(insights_client_t) userdom_user_tmp_filetrans(insights_client_t, insights_client_tmp_t, { dir file }) userdom_view_all_users_keys(insights_client_t) ')
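Review bot: `unconfined_domain(insights_client_t)` in the second-to-last hunk makes the domain unconfined, which renders every targeted grant in this file redundant, including the `logging_manage_generic_logs`, `rhcs_rw_cluster_tmpfs` and `userdom_manage_user_tmp_files` additions made in the same change, and leaves the type name as the only remaining boundary. If this is a stop-gap, say so in a comment and put it behind a boolean; otherwise drop the unconfined_domain call and keep the fine-grained rules. Also confirm that `rpm_named_filetrans` is the current interface name in rpm.if for what `rpm_hawkey_named_filetrans` provided, since the rename is not otherwise visible in this diff.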
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/ipa.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/ipa.if
Changed
@@ -42,6 +42,27 @@ ######################################## ## <summary> +## Send sigkill to ipa-otpd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +# +ifndef(`ipa_sigkill_otpd',` + interface(`ipa_sigkill_otpd',` + gen_require(` + type ipa_otpd_t; + ') + + allow $1 ipa_otpd_t:process sigkill; + ') +') + +######################################## +## <summary> ## Connect to ipa-ods-exporter over a unix stream socket. ## </summary> ## <param name="domain"> @@ -364,6 +385,27 @@ ###################################### ## <summary> +## Execute ipa-pki-retrieve-key in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +ifndef(`ipa_pki_retrieve_key_exec',` + interface(`ipa_pki_retrieve_key_exec',` + gen_require(` + type ipa_pki_retrieve_key_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, ipa_pki_retrieve_key_exec_t) + ') +') + +###################################### +## <summary> ## Execute ipa_custodia in the caller domain. ## </summary> ## <param name="domain">
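Review bot: the `ipa_sigkill_otpd` block has a doubled `#` line between the closing `</param>` and the `ifndef`, unlike the single `#` used elsewhere in this file; remove one. Both new interfaces are wrapped in `ifndef(`name', ...)` guards, which silently skip the definition if the name already exists; if the guard is there for compatibility with another policy version (as the `ifdef(`ipa_helper_noatsecure'...)` usage in oddjob.te suggests), a short comment saying so would help. Finally, `ipa_pki_retrieve_key_exec` requires `ipa_pki_retrieve_key_exec_t`, which is not declared anywhere in this diff; make sure ipa.te defines it or the interface fails at link time for any caller.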
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/kdump.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/kdump.te
Changed
@@ -31,6 +31,9 @@ type kdump_log_t; logging_log_file(kdump_log_t) +type kdump_tmpfs_t; +files_tmpfs_file(kdump_tmpfs_t) + type kdumpctl_t; type kdumpctl_exec_t; init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) @@ -64,6 +67,9 @@ manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file }) +manage_files_pattern(kdump_t, kdump_tmpfs_t, kdump_tmpfs_t) +fs_tmpfs_filetrans(kdump_t, kdump_tmpfs_t, file) + files_manage_generic_tmp_files(kdump_t) files_read_etc_runtime_files(kdump_t) files_read_kernel_symbol_table(kdump_t) @@ -142,7 +148,7 @@ files_delete_kernel(kdumpctl_t) fs_getattr_all_fs(kdumpctl_t) -fs_search_all(kdumpctl_t) +fs_list_all(kdumpctl_t) application_executable_ioctl(kdumpctl_t) @@ -194,5 +200,9 @@ ') optional_policy(` + systemd_private_tmp(kdumpctl_tmp_t) +') + +optional_policy(` unconfined_domain(kdumpctl_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/keepalived.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/keepalived.te
Changed
@@ -90,6 +90,8 @@ files_dontaudit_mounton_rootfs(keepalived_var_run_t) files_mounton_rootfs(keepalived_t) +files_watch_var_run_dirs(keepalived_t) +fs_getattr_tmpfs(keepalived_t) fs_read_nsfs_files(keepalived_t) fs_unmount_tmpfs(keepalived_t) @@ -145,6 +147,8 @@ allow keepalived_t keepalived_unconfined_script_exec_t:dir search_dir_perms; allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms; allow keepalived_t keepalived_unconfined_script_exec_t:file ioctl; + dontaudit keepalived_t keepalived_unconfined_script_exec_t:file setattr; + init_dbus_chat(keepalived_unconfined_script_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/keyutils.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/keyutils.te
Changed
@@ -33,9 +33,14 @@ allow keyutils_dns_resolver_t self:netlink_route_socket r_netlink_socket_perms; allow keyutils_dns_resolver_t self:udp_socket create_socket_perms; +allow keyutils_dns_resolver_t self:unix_dgram_socket create_socket_perms; kernel_read_key(keyutils_dns_resolver_t) kernel_view_key(keyutils_dns_resolver_t) init_search_pid_dirs(keyutils_dns_resolver_t) sysnet_read_config(keyutils_dns_resolver_t) + +optional_policy(` + avahi_stream_connect(keyutils_dns_resolver_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/logrotate.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/logrotate.te
Changed
@@ -132,6 +132,7 @@ # Read /proc/PID directories for all domains. domain_read_all_domains_state(logrotate_t) +files_map_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) files_search_all(logrotate_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mon_statd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mon_statd.te
Changed
@@ -62,6 +62,7 @@ # mon_procd local policy # allow mon_procd_t self:capability sys_ptrace; +allow mon_procd_t self:cap_userns sys_ptrace; allow mon_procd_t self:unix_dgram_socket { create connect };
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mozilla.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mozilla.if
Changed
@@ -54,10 +54,6 @@ userdom_manage_tmp_role($1, mozilla_t) optional_policy(` - nsplugin_role($1, mozilla_t) - ') - - optional_policy(` pulseaudio_role($1, mozilla_t) pulseaudio_filetrans_admin_home_content(mozilla_t) pulseaudio_filetrans_home_content(mozilla_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mozilla.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mozilla.te
Changed
@@ -758,3 +758,7 @@ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t) corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t) ') + +tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files(mozilla_plugin_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mta.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mta.fc
Changed
@@ -8,6 +8,7 @@ /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +/etc/aliases\.lmdb -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) /etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) @@ -15,6 +16,7 @@ /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) ') +/var/cache/ddclient/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) /var/lib/arpwatch/\.esmtp_queue(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0) /root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mta.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/mta.te
Changed
@@ -131,6 +131,10 @@ ') optional_policy(` + ddclient_var_filetrans(system_mail_t, mail_home_rw_t, dir, ".esmtp_queue") +') + +optional_policy(` exim_domtrans(user_mail_domain) exim_manage_log(user_mail_domain) exim_manage_spool_files(user_mail_domain) @@ -288,6 +292,11 @@ ') optional_policy(` + exim_manage_spool_dirs(system_mail_t) + exim_manage_spool_files(system_mail_t) +') + +optional_policy(` fail2ban_append_log(user_mail_domain) fail2ban_dontaudit_leaks(user_mail_domain) fail2ban_rw_inherited_tmp_files(mta_user_agent)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/networkmanager.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/networkmanager.if
Changed
@@ -338,6 +338,7 @@ files_search_pids($1) manage_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + allow $1 NetworkManager_var_run_t:file map; ') ########################################
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/networkmanager.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/networkmanager.te
Changed
@@ -276,6 +276,9 @@ userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) +fs_read_tmpfs_files(NetworkManager_t) +fs_delete_tmpfs_files(NetworkManager_t) + tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') @@ -667,6 +670,7 @@ optional_policy(` samba_domtrans_smbcontrol(NetworkManager_dispatcher_winbind_t) samba_read_config(NetworkManager_dispatcher_winbind_t) + samba_rw_var_files(NetworkManager_dispatcher_winbind_t) samba_service_status(NetworkManager_dispatcher_winbind_t) ')
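Review bot: `fs_read_tmpfs_files(NetworkManager_t)` and `fs_delete_tmpfs_files(NetworkManager_t)` in the first hunk target the generic tmpfs_t type, so NetworkManager may read and unlink any file that carries the default tmpfs label on any tmpfs mount, /dev/shm included. If the target is a file NetworkManager itself creates, give it a private type with `fs_tmpfs_filetrans` (the pattern kdump.te and nvme_stas.te use in this same change) instead of opening generic tmpfs content to the daemon.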
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nscd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nscd.te
Changed
@@ -113,6 +113,7 @@ files_watch_etc_dirs(nscd_t) files_watch_etc_files(nscd_t) files_map_system_db_files(nscd_t) +files_watch_system_db_dirs(nscd_t) files_watch_system_db_files(nscd_t) logging_send_audit_msgs(nscd_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nsd.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nsd.fc
Changed
@@ -16,5 +16,7 @@ /var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) /var/run/nsd\.ctl -s gen_context(system_u:object_r:nsd_var_run_t,s0) +/var/run/nsd/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) +/var/run/nsd/nsd\.ctl -s gen_context(system_u:object_r:nsd_var_run_t,s0) /var/log/nsd\.log.* -- gen_context(system_u:object_r:nsd_log_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nsd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nsd.te
Changed
@@ -36,7 +36,7 @@ # NSD Local policy # -allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin }; +allow nsd_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid net_admin }; dontaudit nsd_t self:capability sys_tty_config; allow nsd_t self:process signal_perms; allow nsd_t self:tcp_socket create_stream_socket_perms;
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/ntp.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/ntp.te
Changed
@@ -99,6 +99,9 @@ corenet_sendrecv_ntp_server_packets(ntpd_t) corenet_sendrecv_ntp_client_packets(ntpd_t) +corenet_tcp_bind_ntske_port(ntpd_t) +corenet_tcp_connect_ntske_port(ntpd_t) + corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nut.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nut.te
Changed
@@ -74,6 +74,8 @@ allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; +can_exec(nut_upsmon_t, nut_upsmon_exec_t) + read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) kernel_read_kernel_sysctls(nut_upsmon_t)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nvme_stas.fc
Added
@@ -0,0 +1,13 @@ +/usr/sbin/stacd -- gen_context(system_u:object_r:nvme_stas_exec_t,s0) +/usr/sbin/stafd -- gen_context(system_u:object_r:nvme_stas_exec_t,s0) + +/usr/lib/systemd/system/stacd\.service -- gen_context(system_u:object_r:nvme_stas_unit_file_t,s0) +/usr/lib/systemd/system/stafd\.service -- gen_context(system_u:object_r:nvme_stas_unit_file_t,s0) +/usr/lib/systemd/system/stas-config\.target -- gen_context(system_u:object_r:nvme_stas_unit_file_t,s0) +/usr/lib/systemd/system/stas-config@\.service -- gen_context(system_u:object_r:nvme_stas_unit_file_t,s0) + +/var/cache/stacd(/.*)? gen_context(system_u:object_r:nvme_stas_cache_t,s0) +/var/cache/stafd(/.*)? gen_context(system_u:object_r:nvme_stas_cache_t,s0) + +/var/run/stacd(/.*)? gen_context(system_u:object_r:nvme_stas_var_run_t,s0) +/var/run/stafd(/.*)? gen_context(system_u:object_r:nvme_stas_var_run_t,s0)
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nvme_stas.if
Added
@@ -0,0 +1,60 @@ +## <summary>policy for nvme_stas</summary> + +######################################## +## <summary> +## Execute nvme_stas_exec_t in the nvme_stas domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`nvme_stas_domtrans',` + gen_require(` + type nvme_stas_t, nvme_stas_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, nvme_stas_exec_t, nvme_stas_t) +') + +###################################### +## <summary> +## Execute nvme_stas in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nvme_stas_exec',` + gen_require(` + type nvme_stas_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, nvme_stas_exec_t) +') + +###################################### +## <summary> +## Send and receive messages from +## nvme_stas over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`nvme_stas_dbus_chat',` + gen_require(` + type nvme_stas_t; + class dbus send_msg; + ') + + allow $1 nvme_stas_t:dbus send_msg; + allow nvme_stas_t $1:dbus send_msg; +')
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/nvme_stas.te
Added
@@ -0,0 +1,120 @@ +policy_module(nvme_stas, 1.0.0) + +gen_require(` + class dbus send_msg; +') + +######################################## +# +# Declarations +# + +type nvme_stas_t; +type nvme_stas_exec_t; +init_daemon_domain(nvme_stas_t, nvme_stas_exec_t) + +type nvme_stas_cache_t; +files_type(nvme_stas_cache_t) + +type nvme_stas_tmpfs_t; +files_tmp_file(nvme_stas_tmpfs_t) + +type nvme_stas_unit_file_t; +systemd_unit_file(nvme_stas_unit_file_t) + +type nvme_stas_var_run_t; +files_pid_file(nvme_stas_var_run_t) + +######################################## +# +# stas local policy +# +allow nvme_stas_t self:capability { net_admin sys_admin }; +allow nvme_stas_t self:capability2 bpf; +allow nvme_stas_t self:dbus send_msg; +allow nvme_stas_t self:fifo_file rw_fifo_file_perms; +allow nvme_stas_t self:netlink_kobject_uevent_socket { bind create getattr setopt }; +allow nvme_stas_t self:process setsched; +allow nvme_stas_t self:tcp_socket create_stream_socket_perms; +allow nvme_stas_t self:unix_stream_socket create_stream_socket_perms; +allow nvme_stas_t self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(nvme_stas_t, nvme_stas_tmpfs_t, nvme_stas_tmpfs_t) +fs_tmpfs_filetrans(nvme_stas_t, nvme_stas_tmpfs_t, file) +can_exec(nvme_stas_t, nvme_stas_tmpfs_t) + +manage_dirs_pattern(nvme_stas_t, nvme_stas_var_run_t, nvme_stas_var_run_t) +manage_files_pattern(nvme_stas_t, nvme_stas_var_run_t, nvme_stas_var_run_t) +files_pid_filetrans(nvme_stas_t, nvme_stas_var_run_t, file, "last-known-config.pickle" ) + +kernel_dgram_send(nvme_stas_t) +kernel_request_load_module(nvme_stas_t) + +corecmd_exec_bin(nvme_stas_t) + +dev_read_sysfs(nvme_stas_t) +domain_use_interactive_fds(nvme_stas_t) + +files_getattr_all_files(nvme_stas_t) +files_read_etc_files(nvme_stas_t) + +storage_raw_read_fixed_disk(nvme_stas_t) +storage_rw_inherited_fixed_disk_dev(nvme_stas_t) + +optional_policy(` + auth_read_passwd_file(nvme_stas_t) +') + +optional_policy(` + avahi_dbus_chat(nvme_stas_t) +') + 
+optional_policy(` + dbus_connect_system_bus(nvme_stas_t) + dbus_send_system_bus(nvme_stas_t) + dbus_stream_connect_system_dbusd(nvme_stas_t) + dbus_write_pid_sock_files(nvme_stas_t) +') + +optional_policy(` + gnome_search_gconf(nvme_stas_t) +') + +optional_policy(` + libs_exec_ldconfig(nvme_stas_t) +') + +optional_policy(` + logging_write_syslog_pid_socket(nvme_stas_t) +') + +optional_policy(` + miscfiles_read_localization(nvme_stas_t) + miscfiles_read_generic_certs(nvme_stas_t) +') + +optional_policy(` + sssd_search_lib(nvme_stas_t) +') + +optional_policy(` + sysnet_read_config(nvme_stas_t) +') + +optional_policy(` + systemd_exec_systemctl(nvme_stas_t) +') + +optional_policy(` + udev_manage_pid_dirs(nvme_stas_t) + udev_manage_pid_files(nvme_stas_t) +') + +optional_policy(` + unconfined_dbus_send(nvme_stas_t) +') + +optional_policy(` + userdom_list_user_home_content(nvme_stas_t) +') +
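Review bot: `type nvme_stas_tmpfs_t;` is declared with `files_tmp_file()` but then used with `fs_tmpfs_filetrans(nvme_stas_t, nvme_stas_tmpfs_t, file)`; a tmpfs-backed type belongs to `files_tmpfs_file()`, which also grants it the filesystem associate permission on tmpfs_t, and kdump.te in this same change declares kdump_tmpfs_t exactly that way. Unless tmp file types are separately allowed to associate with tmpfs, creating the file will be denied. Next, `can_exec(nvme_stas_t, nvme_stas_tmpfs_t)` lets the daemon write a file into tmpfs and execute it, a write-then-execute primitive; if this exists for a ctypes/libffi-style trampoline, document the trigger in a comment and check whether `allow nvme_stas_t self:process execmem` is the narrower grant. nvme_stas.fc also labels /var/cache/stacd and /var/cache/stafd as nvme_stas_cache_t, but no rule here gives nvme_stas_t any access to nvme_stas_cache_t, so either the cache rules are missing or the type is dead. Finally, `self:capability { net_admin sys_admin }`, `capability2 bpf`, `kernel_request_load_module`, `files_getattr_all_files` and `storage_raw_read_fixed_disk` are each wide for a discovery/connection daemon; a one-line justification per grant would let a later reviewer narrow them.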
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/oddjob.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/oddjob.te
Changed
@@ -73,6 +73,11 @@ init_dbus_chat(oddjob_t) ') +optional_policy(` + userdom_use_user_ptys(oddjob_t) + userdom_use_user_ttys(oddjob_t) +') + ifdef(`ipa_helper_noatsecure',` optional_policy(` ipa_helper_noatsecure(oddjob_t) @@ -122,3 +127,7 @@ dbus_system_bus_client(oddjob_mkhomedir_t) ') +optional_policy(` + userdom_use_user_ptys(oddjob_mkhomedir_t) + userdom_use_user_ttys(oddjob_mkhomedir_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/opafm.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/opafm.te
Changed
@@ -47,6 +47,8 @@ dev_list_sysfs(opafm_t) dev_read_sysfs(opafm_t) +fs_search_nfs(opafm_t) + libs_exec_lib_files(opafm_t) logging_send_syslog_msg(opafm_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/openshift.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/openshift.te
Changed
@@ -219,7 +219,6 @@ dontaudit openshift_domain openshift_initrc_tmp_t:file append; dontaudit openshift_domain openshift_var_run_t:file append; -dontaudit openshift_domain openshift_file_type:sock_file execute; kernel_dontaudit_search_network_state(openshift_domain) kernel_dontaudit_list_all_proc(openshift_domain)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/pdns.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/pdns.te
Changed
@@ -48,8 +48,9 @@ kernel_read_system_state(pdns_t) corenet_tcp_bind_dns_port(pdns_t) -corenet_udp_bind_dns_port(pdns_t) corenet_tcp_bind_transproxy_port(pdns_t) +corenet_tcp_connect_all_ports(pdns_t) +corenet_udp_bind_all_ports(pdns_t) manage_dirs_pattern(pdns_t, pdns_var_lib_t, pdns_var_lib_t) manage_files_pattern(pdns_t, pdns_var_lib_t, pdns_var_lib_t) @@ -60,12 +61,17 @@ manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) -auth_use_nsswitch(pdns_t) - -corenet_udp_bind_generic_port(pdns_t) +optional_policy(` + auth_use_nsswitch(pdns_t) +') -logging_send_syslog_msg(pdns_t) +optional_policy(` + kerberos_read_keytab(pdns_t) +') +optional_policy(` + logging_send_syslog_msg(pdns_t) +') ######################################## #
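Review bot: replacing `corenet_udp_bind_dns_port(pdns_t)` and `corenet_udp_bind_generic_port(pdns_t)` with `corenet_udp_bind_all_ports(pdns_t)` and adding `corenet_tcp_connect_all_ports(pdns_t)` removes the network confinement this module provided: pdns may now bind any UDP port, reserved ones included, and connect out to any TCP port. A DNS server needs dns_port to bind and, for outbound lookups, the unreserved range; keep `corenet_udp_bind_dns_port`, add `corenet_tcp_connect_dns_port` and use `corenet_udp_bind_all_unreserved_ports` (the form mozilla.te uses for mozilla_plugin_t in this change). If arbitrary ports are a deliberate operator option, gate the all_ports grants behind a boolean with a comment stating why.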
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/policykit.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/policykit.te
Changed
@@ -60,6 +60,7 @@ allow policykit_t policykit_auth_exec_t:file map; allow policykit_t policykit_auth_t:process signal; +allow policykit_t policykit_auth_t:process2 nnp_transition; can_exec(policykit_t, policykit_exec_t) corecmd_exec_bin(policykit_t) @@ -125,6 +126,10 @@ ') optional_policy(` + rhsmcertd_dbus_chat(policykit_t) + ') + + optional_policy(` rpm_dbus_chat(policykit_t) ') ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/postfix.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/postfix.te
Changed
@@ -62,7 +62,6 @@ postfix_user_domain_template(postdrop) mta_mailserver_user_agent(postfix_postdrop_t) -mta_agent_executable(postfix_postdrop_t) postfix_user_domain_template(postqueue) mta_mailserver_user_agent(postfix_postqueue_t) @@ -125,7 +124,7 @@ can_exec(postfix_master_t, postfix_exec_t) allow postfix_master_t postfix_data_t:dir manage_dir_perms; -allow postfix_master_t postfix_data_t:file manage_file_perms; +allow postfix_master_t postfix_data_t:file { manage_file_perms map }; allow postfix_master_t postfix_keytab_t:file read_file_perms; @@ -214,6 +213,7 @@ ifdef(`distro_redhat',` # for newer main.cf that uses /etc/aliases mta_manage_aliases(postfix_master_t) + mta_map_aliases(postfix_master_t) mta_etc_filetrans_aliases(postfix_master_t) ') @@ -330,10 +330,6 @@ logging_dontaudit_search_logs(postfix_local_t) -mta_delete_spool(postfix_local_t) -# Handle vacation script -mta_send_mail(postfix_local_t) - userdom_read_user_home_content_files(postfix_local_t) userdom_exec_user_bin_files(postfix_local_t) @@ -375,6 +371,13 @@ ') optional_policy(` + mta_delete_spool(postfix_local_t) + mta_map_aliases(postfix_local_t) + # Handle vacation script + mta_send_mail(postfix_local_t) +') + +optional_policy(` munin_search_lib(postfix_local_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/prosody.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/prosody.te
Changed
@@ -62,6 +62,7 @@ can_exec(prosody_t, prosody_exec_t) +kernel_read_net_sysctls(prosody_t) kernel_read_system_state(prosody_t) corecmd_exec_bin(prosody_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/qatlib.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/qatlib.te
Changed
@@ -23,6 +23,7 @@ # qatlib local policy # allow qatlib_t self:fifo_file rw_fifo_file_perms; +allow qatlib_t self:system module_load; allow qatlib_t self:unix_stream_socket create_stream_socket_perms; allow qatlib_t qatlib_unit_file_t:file read_file_perms; @@ -34,13 +35,20 @@ manage_files_pattern(qatlib_t, qatlib_var_run_t, qatlib_var_run_t) files_pid_filetrans(qatlib_t, qatlib_var_run_t, { dir file } ) +kernel_read_proc_files(qatlib_t) +kernel_request_load_module(qatlib_t) + corecmd_exec_shell(qatlib_t) corecmd_exec_bin(qatlib_t) -dev_read_sysfs(qatlib_t) +dev_create_sysfs_files(qatlib_t) +dev_rw_sysfs(qatlib_t) +dev_setattr_generic_dirs(qatlib_t) domain_use_interactive_fds(qatlib_t) +files_read_kernel_modules(qatlib_t) + optional_policy(` auth_read_passwd_file(qatlib_t) ') @@ -50,6 +58,16 @@ ') optional_policy(` + modutils_exec_kmod(qatlib_t) + modutils_read_module_config(qatlib_t) + modutils_read_module_deps_files(qatlib_t) +') + +optional_policy(` + sssd_read_public_files(qatlib_t) +') + +optional_policy(` systemd_search_unit_dirs(qatlib_t) ')
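Review bot: `allow qatlib_t self:system module_load;` authorizes init_module() from an in-memory image, i.e. loading a module that never existed as a file, so `files_read_kernel_modules` and `modutils_read_module_deps_files` do not constrain what gets loaded. If the intent is for qatlib to run kmod itself (`modutils_exec_kmod`), the file-based path is finit_module(), which is checked against the module file's type and is what `files_load_kernel_modules(qatlib_t)` in files.if covers; prefer that and drop the self:system grant unless the loader genuinely assembles the image in memory, in which case say so in a comment. `dev_rw_sysfs` together with `dev_create_sysfs_files` and `dev_setattr_generic_dirs` is also broad; noting which QAT sysfs attributes are written would let the grant be narrowed to a dedicated type later.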
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rhcs.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rhcs.fc
Changed
@@ -41,6 +41,7 @@ /var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0) /var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) /var/run/haproxy\.sock.* -s gen_context(system_u:object_r:haproxy_var_run_t,s0) +/var/run/pcsd\.socket -s gen_context(system_u:object_r:cluster_var_run_t,s0) /var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) # cluster administrative domains file spec
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rhsmcertd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rhsmcertd.te
Changed
@@ -93,6 +93,7 @@ corecmd_exec_bin(rhsmcertd_t) corecmd_exec_shell(rhsmcertd_t) +dev_dontaudit_write_raw_memory(rhsmcertd_t) dev_read_sysfs(rhsmcertd_t) dev_read_rand(rhsmcertd_t) dev_read_urand(rhsmcertd_t)
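Review bot: `+dev_dontaudit_write_raw_memory(rhsmcertd_t)` silences denials for write access to the raw memory devices rather than granting it, which is the right call if the daemon only opens them read-write out of habit, but a dontaudit on raw memory also hides exactly the audit trail you would want if this process were ever compromised; add a comment recording which library or subcommand triggers the open so the dontaudit can be revisited, and confirm that the access is genuinely not required (otherwise the daemon now fails silently instead of logging a denial).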
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rpc.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rpc.te
Changed
@@ -257,6 +257,7 @@ kernel_dontaudit_setsched(nfsd_t) kernel_request_load_module(nfsd_t) kernel_mounton_proc(nfsd_t) +kernel_read_net_sysctls(nfsd_t) kernel_rw_rpc_sysctls_dirs(nfsd_t) kernel_create_rpc_sysctls(nfsd_t) kernel_rw_fs_sysctls(nfsd_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rpcbind.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rpcbind.te
Changed
@@ -51,6 +51,7 @@ kernel_read_system_state(rpcbind_t) kernel_read_network_state(rpcbind_t) +kernel_read_net_sysctls(rpcbind_t) kernel_request_load_module(rpcbind_t) corenet_all_recvfrom_netlabel(rpcbind_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rsync.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/rsync.te
Changed
@@ -102,6 +102,7 @@ files_pid_filetrans(rsync_t, rsync_var_run_t, file) kernel_read_kernel_sysctls(rsync_t) +kernel_read_net_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/samba.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/samba.te
Changed
@@ -187,6 +187,9 @@ type winbind_rpcd_var_run_t; files_pid_file(winbind_rpcd_var_run_t) +type winbind_rpcd_tmp_t; +files_tmp_file(winbind_rpcd_tmp_t) + type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -601,6 +604,11 @@ files_dontaudit_list_security_dirs(nmbd_t) files_dontaudit_search_security_files(nmbd_t) files_dontaudit_read_security_files(nmbd_t) + fs_read_noxattr_fs_files(winbind_rpcd_t) + files_read_non_security_files(winbind_rpcd_t) + files_dontaudit_list_security_dirs(winbind_rpcd_t) + files_dontaudit_search_security_files(winbind_rpcd_t) + files_dontaudit_read_security_files(winbind_rpcd_t) ') tunable_policy(`samba_export_all_rw',` @@ -617,6 +625,12 @@ files_dontaudit_list_security_dirs(nmbd_t) files_dontaudit_search_security_files(nmbd_t) files_dontaudit_read_security_files(nmbd_t) + fs_manage_noxattr_fs_files(winbind_rpcd_t) + files_manage_non_security_files(winbind_rpcd_t) + files_manage_non_security_dirs(winbind_rpcd_t) + files_dontaudit_list_security_dirs(winbind_rpcd_t) + files_dontaudit_search_security_files(winbind_rpcd_t) + files_dontaudit_read_security_files(winbind_rpcd_t) ') userdom_filetrans_home_content(nmbd_t) @@ -1188,6 +1202,9 @@ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t) files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file }) +manage_files_pattern(winbind_rpcd_t, winbind_rpcd_tmp_t, winbind_rpcd_tmp_t) +files_tmp_filetrans(winbind_rpcd_t, winbind_rpcd_tmp_t, file) + # access to files of other samba domains manage_dirs_pattern(winbind_rpcd_t, samba_share_t, samba_share_t) manage_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t) @@ -1204,6 +1221,8 @@ manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t) allow winbind_rpcd_t samba_var_t:file { map } ; +manage_files_pattern(winbind_rpcd_t, smbd_tmp_t, smbd_tmp_t) + kernel_read_network_state(winbind_rpcd_t) corecmd_exec_bin(winbind_rpcd_t) 
@@ -1248,6 +1267,10 @@ ') optional_policy(` + lpd_domtrans_lpr(winbind_rpcd_t) +') + +optional_policy(` miscfiles_read_generic_certs(winbind_rpcd_t) ')
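Review bot: `+manage_files_pattern(winbind_rpcd_t, smbd_tmp_t, smbd_tmp_t)` hands winbind_rpcd_t create/delete rights over smbd's temporary files with no explanation; the file already uses `# access to files of other samba domains` for the samba_share_t rules, so extend that comment and check whether `rw_files_pattern` would be enough. Two smaller points: `+files_tmp_filetrans(winbind_rpcd_t, winbind_rpcd_tmp_t, file)` transitions only the `file` class, unlike the `{ dir file }` used for `winbind_rpcd_var_run_t` just above it, so any temporary directory the daemon creates still lands in the generic tmp type; and extending the `samba_export_all_ro`/`samba_export_all_rw` tunable blocks to winbind_rpcd_t changes what those booleans grant, so their `<desc>` text should mention the RPC daemon too. The separate `lpd_domtrans_lpr(winbind_rpcd_t)` hunk adds a transition into the print client and should name the RPC service that invokes lpr.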
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sandboxX.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sandboxX.te
Changed
@@ -357,7 +357,8 @@ # typeattribute sandbox_web_client_t sandbox_web_type; -allow sandbox_web_client_t sandbox_web_client_t:cap_userns sys_chroot; +allow sandbox_web_client_t self:user_namespace create; +allow sandbox_web_client_t self:cap_userns sys_chroot; allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition; selinux_get_fs_mount(sandbox_web_client_t) @@ -475,6 +476,10 @@ ') optional_policy(` + dbus_watch_config(sandbox_web_type) +') + +optional_policy(` mozilla_plugin_rw_sem(sandbox_web_type) ')
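Review bot: the substantive change in the first hunk is `+allow sandbox_web_client_t self:user_namespace create;`, since `sandbox_web_client_t sandbox_web_client_t:cap_userns` and `self:cap_userns` are the same rule spelled two ways; the commit message should state that the web sandbox client may now create user namespaces (presumably for the browser's own namespace-based sandboxing) and the author should confirm that the `user_namespace` object class is declared in this tree's flask definitions, otherwise the module fails to build against an older base policy.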
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sblim.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sblim.te
Changed
@@ -150,7 +150,7 @@ # Sfcbd local policy # -allow sblim_sfcbd_t self:capability { sys_ptrace setgid setuid }; +allow sblim_sfcbd_t self:capability { setgid setuid sys_ptrace sys_rawio}; dontaudit sblim_sfcbd_t self:cap_userns sys_ptrace; allow sblim_sfcbd_t self:process signal; allow sblim_sfcbd_t self:unix_stream_socket connectto; @@ -177,10 +177,15 @@ dev_read_rand(sblim_sfcbd_t) dev_read_urand(sblim_sfcbd_t) +dev_read_raw_memory(sblim_sfcbd_t) domain_read_all_domains_state(sblim_sfcbd_t) domain_use_interactive_fds(sblim_sfcbd_t) +files_getattr_non_auth_dirs(sblim_sfcbd_t) + +init_read_utmp(sblim_sfcbd_t) + logging_send_audit_msgs(sblim_sfcbd_t) optional_policy(` @@ -193,6 +198,10 @@ ') optional_policy(` + ssh_signull(sblim_sfcbd_t) +') + +optional_policy(` virt_manage_config(sblim_sfcbd_t) virt_stream_connect(sblim_sfcbd_t) virt_search_images(sblim_sfcbd_t)
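Review bot: `+allow sblim_sfcbd_t self:capability { setgid setuid sys_ptrace sys_rawio};` and `+dev_read_raw_memory(sblim_sfcbd_t)` give the CIM broker CAP_SYS_RAWIO and read access to the raw memory devices, which is far broader than anything else in this domain; if the purpose is reading SMBIOS/DMI data, the firmware tables exported through sysfs normally cover that without raw memory access, so either narrow the rule or add a comment recording exactly which provider needs it. Style nit on the same line: missing space before the closing brace (`sys_rawio};`).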
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sendmail.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sendmail.te
Changed
@@ -45,7 +45,7 @@ dontaudit sendmail_t self:capability2 block_suspend; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; -allow sendmail_t self:unix_stream_socket create_stream_socket_perms; +allow sendmail_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow sendmail_t self:unix_dgram_socket create_socket_perms; allow sendmail_t self:tcp_socket create_stream_socket_perms; allow sendmail_t self:udp_socket create_socket_perms;
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/smartmon.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/smartmon.te
Changed
@@ -30,7 +30,7 @@ files_tmp_file(fsdaemon_tmp_t) ifdef(`enable_mls',` - init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) + init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, s0 - mls_systemhigh) ') ########################################
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sosreport.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sosreport.fc
Changed
@@ -1,3 +1,4 @@ +/usr/sbin/sos -- gen_context(system_u:object_r:sosreport_exec_t,s0) /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) /\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/spamassassin.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/spamassassin.te
Changed
@@ -638,6 +638,7 @@ corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) +dev_read_sysfs(spamd_update_t) dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sssd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/sssd.te
Changed
@@ -21,6 +21,13 @@ ## </desc> gen_tunable(sssd_connect_all_unreserved_ports, false) +## <desc> +## <p> +## Allow sssd use usb devices +## </p> +## </desc> +gen_tunable(sssd_use_usb, false) + type sssd_t; type sssd_exec_t; init_daemon_domain(sssd_t, sssd_exec_t) @@ -61,6 +68,7 @@ allow sssd_t self:capability { dac_override ipc_lock chown dac_read_search kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid setcap}; allow sssd_t self:fifo_file rw_fifo_file_perms; +allow sssd_t self:io_uring sqpoll; allow sssd_t self:key manage_key_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -68,6 +76,7 @@ allow sssd_t sssd_exec_t:file execute_no_trans; read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) +read_lnk_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t) manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) @@ -181,6 +190,16 @@ corenet_tcp_connect_all_unreserved_ports(sssd_t) ') +tunable_policy(`sssd_use_usb',` + dev_rw_generic_usb_dev(sssd_t) +') + +optional_policy(` + tunable_policy(`sssd_use_usb',` + ipa_domtrans_otpd(sssd_t) + ') +') + optional_policy(` accountsd_read_fifo_file(sssd_t) ') @@ -223,6 +242,10 @@ ') optional_policy(` + ipa_sigkill_otpd(sssd_t) +') + +optional_policy(` ldap_stream_connect(sssd_t) ldap_read_certs(sssd_t) ')
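Review bot: `ipa_domtrans_otpd(sssd_t)` is gated on the new `sssd_use_usb` boolean, yet nothing in the tunable's `<desc>` (`Allow sssd use usb devices`) says that switching it on also lets sssd transition into ipa_otpd_t; either put the domtrans under its own tunable or reword the description to cover both effects, and fix the grammar while at it (`Allow sssd to use USB devices`). The unconditional `+allow sssd_t self:io_uring sqpoll;` and the new `ipa_sigkill_otpd(sssd_t)` block look fine, but a short comment on why sssd needs the SQPOLL mode of io_uring would help the next reader.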
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/svnserve.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/svnserve.te
Changed
@@ -94,6 +94,10 @@ ') optional_policy(` + postfix_domtrans_postdrop(svnserve_t) +') + +optional_policy(` sasl_connect(svnserve_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/targetd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/targetd.te
Changed
@@ -111,6 +111,10 @@ ') optional_policy(` + logging_write_syslog_pid_socket(targetd_t) +') + +optional_policy(` lvm_domtrans(targetd_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/thumb.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/thumb.te
Changed
@@ -105,6 +105,8 @@ libs_legacy_use_shared_libs(thumb_t) ') +init_append_stream_sockets(thumb_t) + libs_dontaudit_setattr_lib_dirs(thumb_t) logging_send_syslog_msg(thumb_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/tuned.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/tuned.te
Changed
@@ -32,7 +32,7 @@ # Local policy # -allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; +allow tuned_t self:capability { net_admin sys_admin sys_nice sys_ptrace sys_rawio }; dontaudit tuned_t self:capability { dac_read_search sys_tty_config }; allow tuned_t self:process { setsched signal }; allow tuned_t self:fifo_file rw_fifo_file_perms; @@ -67,13 +67,11 @@ kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) -kernel_read_kernel_sysctls(tuned_t) kernel_request_load_module(tuned_t) -kernel_rw_kernel_sysctl(tuned_t) +kernel_rw_all_sysctls(tuned_t) +kernel_rw_security_state(tuned_t) kernel_rw_usermodehelper_state(tuned_t) -kernel_rw_vm_sysctls(tuned_t) kernel_setsched(tuned_t) -kernel_rw_all_sysctls(tuned_t) kernel_manage_perf_event(tuned_t) corecmd_exec_bin(tuned_t) @@ -82,10 +80,13 @@ dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) +dev_read_raw_memory(tuned_t) dev_rw_cpu_microcode(tuned_t) dev_rw_sysfs(tuned_t) dev_rw_netcontrol(tuned_t) +domain_read_all_domains_state(tuned_t) + files_dontaudit_all_access_check(tuned_t) files_dontaudit_search_home(tuned_t) files_list_tmp(tuned_t) @@ -94,6 +95,8 @@ fs_search_all(tuned_t) fs_rw_hugetlbfs_files(tuned_t) +mls_file_read_to_clearance(tuned_t) + auth_use_nsswitch(tuned_t) logging_send_syslog_msg(tuned_t) @@ -101,6 +104,8 @@ logging_manage_syslog_config(tuned_t) logging_filetrans_named_conf(tuned_t) +systemd_exec_systemctl(tuned_t) + mount_read_pid_files(tuned_t) modutils_domtrans_kmod(tuned_t)
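Review bot: this patch turns tuned_t into a near system-wide reader: `sys_ptrace` is added to its capabilities, `+domain_read_all_domains_state(tuned_t)` lets it read every domain's /proc entries, `+dev_read_raw_memory(tuned_t)` opens the raw memory devices, `+kernel_rw_security_state(tuned_t)` allows writing the kernel security-subsystem state files, and `+systemd_exec_systemctl(tuned_t)` lets it drive systemctl; each of these should carry a comment naming the tuned plugin or profile that requires it, and `kernel_rw_security_state` in particular deserves a second look. The sysctl consolidation (dropping `kernel_read_kernel_sysctls`, `kernel_rw_kernel_sysctl` and `kernel_rw_vm_sysctls` in favour of the already-present `kernel_rw_all_sysctls`) is a pure clean-up and fine.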
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/virt.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt.fc
Changed
@@ -1,134 +1,115 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.local/share/libvirt/boot(/.*)? 
gen_context(system_u:object_r:svirt_home_t,s0) - -/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/virtlogd.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) -/etc/libvirt/^/* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/libvirt/^/* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) -/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) -/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/^/* -- gen_context(system_u:object_r:virt_etc_t,s0) -/etc/xen/^/* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) -/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) - -/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) -/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) -/usr/libexec/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/qemu-storage-daemon -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) -/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) -/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) -/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) - -/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtnetworkd -- 
gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtnodedevd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/sbin/virtxend -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) - -/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) - -/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) -/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) -/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/common(/.*)? gen_context(system_u:object_r:virt_common_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) -/var/run/libvirt/lxc(/.*)? 
gen_context(system_u:object_r:virt_lxc_var_run_t,s0) -/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) -/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) -/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0) - -/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) - -# support for AEOLUS project -/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) -/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) -/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) -/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) -/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/rkt/cas(/.*)? 
gen_context(system_u:object_r:container_file_t,s0) - -# add support vios-proxy-* -/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0) - -# support for vdsm -/usr/libexec/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/libexec/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/libexec/vdsm/supervdsmd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/libexec/vdsm/vdsmd -- gen_context(system_u:object_r:virtd_exec_t,s0) -# these paths are now obsolete -/usr/share/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/share/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/share/vdsm/supervdsmServer -- gen_context(system_u:object_r:virtd_exec_t,s0) - -# support for nova-stack -/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) - -/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) -/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) - -/usr/libexec/qemu-ga(/.*)? 
gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) - -/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0) - -/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) - -/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) -/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) -/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) - -/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) - -/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) -/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) - -/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) -/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/boot(/.*)? 
gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) +/etc/libvirt/^/* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/^/* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) + +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0) +/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0) +/usr/sbin/virtnodedevd -- gen_context(system_u:object_r:virtnodedevd_exec_t,s0) +/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0) +/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0) +/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0) +/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0) +/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0) +/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0) +/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0) +/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) +# Use parentheses so that "interface" is not recognized as a keyword by M4 +/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/nwfilter-binding(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/storage(/.*)? gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
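Review bot: the visible part of this rewrite removes the file contexts for `/usr/bin/qemu-system-.*`, `/usr/bin/qemu-kvm` and `/usr/libexec/qemu.*` (qemu_exec_t), for qemu-ga and its fsfreeze hooks, for `/usr/libexec/qemu-bridge-helper`, for xen (`/etc/xen`, `xl`, `xm`), for vdsm and imagefactory, and for the systemd unit files; the diff is cut off here so some of these may have moved to other modules, but anything not re-added elsewhere reverts to the generic bin_t/etc_t labels and silently loses its domain transition, so the commit message should say where each group went. Two labelling inconsistencies in the added lines: `+/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)` and `+/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0)` reuse the libvirt_lxc helper types while every other split daemon gets its own `virt*d_exec_t`/`virt*d_var_run_t`. The `interfac(e)` regex with its M4 comment is a sound workaround for the .fc file.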
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/virt.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt.if
Changed
@@ -2,7 +2,7 @@ ######################################## ## <summary> -## virtd_lxc_t stub interface. No access allowed. +## virtd_lxc_t stub interface. No access allowed. ## </summary> ## <param name="domain" unused="true"> ## <summary> @@ -18,7 +18,7 @@ ######################################## ## <summary> -## svirt_sandbox_domain attribute stub interface. No access allowed. +## svirt_sandbox_domain attribute stub interface. No access allowed. ## </summary> ## <param name="domain" unused="true"> ## <summary> @@ -34,7 +34,7 @@ ######################################## ## <summary> -## container_file_t stub interface. No access allowed. +## container_file_t stub interface. No access allowed. ## </summary> ## <param name="domain" unused="true"> ## <summary> @@ -48,6 +48,17 @@ ') ') +######################################## +## <summary> +## container_file_t and container_ro_file_t stub interface. +## No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# interface(`virt_stub_svirt_sandbox_file',` gen_require(` type container_file_t; @@ -68,15 +79,13 @@ # template(`virt_domain_template',` gen_require(` - attribute virt_image_type, virt_domain; - attribute virt_tmpfs_type; + attribute virt_domain; attribute virt_ptynode; - type qemu_exec_t; type virtlogd_t; ') type $1_t, virt_domain; - application_domain($1_t, qemu_exec_t) + application_type($1_t) domain_user_exemption_target($1_t) mls_rangetrans_target($1_t) mcs_constrained($1_t) 
@@ -97,6 +106,115 @@ # Allow domain to write to pipes connected to virtlogd allow $1_t virtlogd_t:fd use; allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + + qemu_entry_type($1_t) + +') + +###################################### +## <summary> +## Creates types and rules for a basic +## virt driver domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`virt_driver_template',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_executable; + attribute virt_driver_var_run; + type virtd_t; + type virtqemud_t; + type virt_common_var_run_t; + type virt_etc_t; + type virt_etc_rw_t; + type virtinterfaced_var_run_t; + type virtnodedevd_var_run_t; + type virtnetworkd_var_run_t; + type virtnwfilterd_var_run_t; + type virtsecretd_var_run_t; + type virtstoraged_var_run_t; + type virt_var_run_t; + ') + + mls_rangetrans_source($1) + mls_rangetrans_target($1) + + ################################## + # + # Local policy + # + + allow $1 self:netlink_audit_socket create; + allow $1 self:netlink_kobject_uevent_socket create_socket_perms; + allow $1 self:netlink_route_socket create_netlink_socket_perms; + allow $1 self:rawip_socket create_socket_perms; + allow $1 self:unix_dgram_socket create_socket_perms; + + allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms; + allow virt_driver_domain virtqemud_t:unix_stream_socket connectto; + + allow $1 virt_common_var_run_t:file append_file_perms; + manage_dirs_pattern($1, virt_common_var_run_t, virt_common_var_run_t) + manage_files_pattern($1, virt_common_var_run_t, virt_common_var_run_t) + filetrans_pattern($1, virt_driver_var_run, virt_common_var_run_t, dir, "common") + filetrans_pattern($1, virt_var_run_t, virt_common_var_run_t, dir, "common") + + filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interfac(e)") + filetrans_pattern($1, virt_var_run_t, virtnodedevd_var_run_t, dir, "nodedev") + 
filetrans_pattern($1, virt_var_run_t, virtnwfilterd_var_run_t, dir, "nwfilter") + filetrans_pattern($1, virt_var_run_t, virtsecretd_var_run_t, dir, "secrets") + filetrans_pattern($1, virt_var_run_t, virtstoraged_var_run_t, dir, "storage") + + manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + + read_files_pattern($1, virt_etc_t, virt_etc_t) + manage_dirs_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern($1, virt_etc_t, virt_etc_rw_t, dir) + + read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t) + + kernel_dgram_send($1) + + mls_fd_share_all_levels($1) + mls_file_read_to_clearance($1) + mls_file_write_to_clearance($1) + mls_process_read_to_clearance($1) + mls_process_write_to_clearance($1) + mls_socket_read_to_clearance($1) + mls_socket_write_to_clearance($1) + + auth_read_passwd($1) + + dev_read_sysfs($1) + + files_read_non_security_files($1) + init_read_utmp($1) + + logging_send_syslog_msg($1) + + miscfiles_read_generic_certs($1) + + virt_manage_cache($1) + virt_manage_pid_files($1) + virt_stream_connect($1) + + optional_policy(` + dbus_read_pid_files($1) + dbus_stream_connect_system_dbusd($1) + dbus_system_bus_client($1) + ') + + optional_policy(` + systemd_dbus_chat_logind($1) + systemd_machined_stream_connect($1) + systemd_write_inhibit_pipes($1) + ') ') ######################################## @@ -123,20 +241,22 @@ ####################################### ## <summary> -## Getattr on virt executable. +## Getattr on virt executable. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> +## <summary> +## Domain allowed to transition. +## </summary> ## </param> # interface(`virt_getattr_exec',` - gen_require(` - type virtd_exec_t; - ') + gen_require(`
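Review bot: in `virt_driver_template`, `filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interfac(e)")` will never fire: a `type_transition` filename is matched literally, not as a regular expression, so the parenthesised spelling that works around the M4 `interface` keyword in the .fc file produces a transition for a directory literally named `interfac(e)`; protect the word with M4 quoting instead, or drop the line and rely on the file context (with a comment saying so). Separately, the rules written against the attribute rather than `$1` (`allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms;`, `allow virt_driver_domain virtqemud_t:unix_stream_socket connectto;`, `read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t)`) are re-emitted identically every time the template is instantiated and belong once in virt.te.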
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/virt.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt.te
Changed
@@ -5,33 +5,6 @@ # Declarations # -gen_require(` - class passwd rootok; - class passwd passwd; -') - -attribute virsh_transition_domain; -attribute virt_ptynode; -attribute virt_system_domain; -attribute virt_domain; -attribute virt_image_type; -attribute virt_tmpfs_type; -attribute svirt_file_type; -attribute virt_file_type; -attribute sandbox_net_domain; -attribute sandbox_caps_domain; - -type svirt_tmp_t, svirt_file_type; -files_tmp_file(svirt_tmp_t) - -type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; -files_tmpfs_file(svirt_tmpfs_t) - -type svirt_image_t, virt_image_type, svirt_file_type; -files_type(svirt_image_t) -dev_node(svirt_image_t) -dev_associate_sysfs(svirt_image_t) - ## <desc> ## <p> ## Allow confined virtual guests to use serial/parallel communication ports @@ -55,6 +28,13 @@ ## <desc> ## <p> +## Allow virtqemu driver to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virtqemud_use_execmem, true) + +## <desc> +## <p> ## Allow confined virtual guests to read fuse files ## </p> ## </desc> @@ -96,16 +76,16 @@ gen_tunable(virt_use_samba, false) ## <desc> -## <p> -## Allow confined virtual guests to interact with the sanlock -## </p> +## <p> +## Allow confined virtual guests to interact with the sanlock +## </p> ## </desc> gen_tunable(virt_use_sanlock, false) ## <desc> -## <p> -## Allow confined virtual guests to interact with rawip sockets -## </p> +## <p> +## Allow confined virtual guests to interact with rawip sockets +## </p> ## </desc> gen_tunable(virt_use_rawip, false) 
@@ -172,45 +152,40 @@ ## <desc> ## <p> -## Allow qemu-ga to read qemu-ga date. -## </p> -## </desc> -gen_tunable(virt_read_qemu_ga_data, false) - -## <desc> -## <p> -## Allow qemu-ga to manage qemu-ga date. -## </p> -## </desc> -gen_tunable(virt_rw_qemu_ga_data, false) - -## <desc> -## <p> ## Allow virtlockd read and lock block devices. ## </p> ## </desc> gen_tunable(virt_lockd_blk_devs, false) -## <desc> -## <p> -## Allow qemu-ga read all non-security file types. -## </p> -## </desc> -gen_tunable(virt_qemu_ga_read_nonsecurity_files, false) +gen_require(` + class passwd rootok; + class passwd passwd; +') -## <desc> -## <p> -## Allow qemu-ga read ssh home directory content. -## </p> -## </desc> -gen_tunable(virt_qemu_ga_manage_ssh, false) +attribute virsh_transition_domain; +attribute virt_ptynode; +attribute virt_system_domain; +attribute virt_domain; +attribute virt_driver_domain; +attribute virt_driver_executable; +attribute virt_driver_var_run; +attribute virt_image_type; +attribute virt_tmpfs_type; +attribute svirt_file_type; +attribute virt_file_type; +attribute sandbox_net_domain; +attribute sandbox_caps_domain; -## <desc> -## <p> -## Allow qemu-ga to run unconfined scripts -## </p> -## </desc> -gen_tunable(virt_qemu_ga_run_unconfined, false) +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) + +type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; +files_tmpfs_file(svirt_tmpfs_t) + +type svirt_image_t, virt_image_type, svirt_file_type; +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) virt_domain_template(svirt) role system_r types svirt_t; @@ -219,8 +194,6 @@ virt_domain_template(svirt_tcg) role system_r types svirt_tcg_t; -type qemu_exec_t, virt_file_type; - type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) 
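Review bot: the five `virt_*qemu_ga*` tunables and `type qemu_exec_t, virt_file_type;` are deleted from this module here; any `tunable_policy()` block or rule further down virt.te that still names them has to move with them, otherwise the build fails on an undeclared boolean or type, so please confirm the rest of the file was grepped. The relocated declaration block also introduces three new attributes (`virt_driver_domain`, `virt_driver_executable`, `virt_driver_var_run`) with no comment on what they group; a one-line comment on each would help readers of the driver sections that follow.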
@@ -299,6 +272,8 @@ type virtlogd_initrc_exec_t, virt_file_type; init_script_file(virtlogd_initrc_exec_t) +type qemu_exec_t, virt_file_type; +application_executable_file(qemu_exec_t) type qemu_var_run_t, virt_file_type; typealias qemu_var_run_t alias svirt_var_run_t; @@ -315,34 +290,142 @@ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') -type virt_bridgehelper_t, virt_system_domain; -domain_type(virt_bridgehelper_t) +# virtinterfaced +type virtinterfaced_t, virt_driver_domain; +type virtinterfaced_exec_t, virt_driver_executable; +init_daemon_domain(virtinterfaced_t, virtinterfaced_exec_t) + +virt_driver_template(virtinterfaced_t) +files_type(virtinterfaced_t) + +type virtinterfaced_var_run_t, virt_driver_var_run; +files_pid_file(virtinterfaced_var_run_t) + +# virtnetworkd +type virtnetworkd_t, virt_driver_domain; +type virtnetworkd_exec_t, virt_driver_executable; +init_daemon_domain(virtnetworkd_t, virtnetworkd_exec_t) + +virt_driver_template(virtnetworkd_t) +files_type(virtnetworkd_t) + +type virtnetworkd_var_run_t, virt_driver_var_run; +files_pid_file(virtnetworkd_var_run_t) + +# virtnodedevd +type virtnodedevd_t, virt_driver_domain; +type virtnodedevd_exec_t, virt_driver_executable; +init_daemon_domain(virtnodedevd_t, virtnodedevd_exec_t) + +virt_driver_template(virtnodedevd_t) +files_type(virtnodedevd_t) + +type virtnodedevd_var_run_t, virt_driver_var_run; +files_pid_file(virtnodedevd_var_run_t)
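Review bot: `files_type(virtinterfaced_t)`, `files_type(virtnetworkd_t)` and `files_type(virtnodedevd_t)` are applied to process domain types, which puts those domains into the `file_type`/`non_security_file_type` attributes and makes them targets of every `files_*_all_files` and `files_read_non_security_files` rule in the policy. That is unusual for a domain; if the goal is only to let the other driver domains read these domains' /proc entries, a targeted `read_files_pattern` (as is done for `virtqemud_t` in the template) is narrower. Minor: `qemu_exec_t` is re-declared with `application_executable_file()` after `virtlogd_initrc_exec_t` instead of alongside the other `virt_file_type` declarations.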
View file
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt_supplementary.fc
Added
@@ -0,0 +1,75 @@ +HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/xen/^/* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/xen/^/* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) + +/usr/bin/qemu-pr-helper -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/qemu-storage-daemon -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0) + +/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/virt-sysprep/firstboot.sh -- gen_context(system_u:object_r:virtd_exec_t,s0) + +/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0) + +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) + +/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0) + +# support for AEOLUS project +/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) +/var/cache/oz(/.*)? 
gen_context(system_u:object_r:virt_cache_t,s0) +/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/rkt/cas(/.*)? gen_context(system_u:object_r:container_file_t,s0) + +# add support vios-proxy-* +/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0) + +#support for vdsm +/usr/libexec/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/libexec/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/libexec/vdsm/supervdsmd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/libexec/vdsm/vdsmd -- gen_context(system_u:object_r:virtd_exec_t,s0) +# these paths are now obsolete +/usr/share/vdsm/respawn -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/share/vdsm/daemonAdapter -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/share/vdsm/supervdsmServer -- gen_context(system_u:object_r:virtd_exec_t,s0) +/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + +# support for nova-stack +/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + +# support for QEMU-GA +/etc/qemu-ga/fsfreeze-hook\.d(/.*)? 
gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) +/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) +/usr/libexec/qemu-ga/fsfreeze-hook\.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +/var/run/qemu-ga/fsfreeze-hook\.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
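Review bot: as rendered, the two `/etc/xen/^/*` entries are not valid file-context regexes (a bare `^` followed by `/*`); the usual spelling is `/etc/xen/[^/]*`, so check that the square brackets exist in the source and were only lost in this view. Security-wise, `virt-who`, `nova-compute`, `imagefactory`, `imgfac.py`, the vdsm daemons, `condor_vm-gahp` and the `vios-proxy-*` helpers are all labelled `virtd_exec_t`, so each of them runs with the full privilege of `virtd_t`; that is inherited from upstream, but a comment noting that these tools are deliberately sharing the libvirt daemon domain would stop the next reader from assuming it is an oversight. `/var/log/log(/.*)?` as `virt_log_t` also looks like a truncated path and should be confirmed.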
View file
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt_supplementary.if
Added
@@ -0,0 +1,53 @@ +## <summary>Policy for virtualization</summary> +##################################### +## <summary> +## Transition to virt_bridgehelper. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +interface(`virt_domtrans_bridgehelper',` + gen_require(` + type virt_bridgehelper_t, virt_bridgehelper_exec_t; + ') + + domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) +') + +######################################## +## <summary> +## Execute a qemu_exec_t in the callers domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_exec_qemu',` + gen_require(` + type qemu_exec_t; + ') + + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Role access for virt_bridgehelper +## </summary> +## <param name="role"> +## <summary> +## Role allowed access +## </summary> +## </param> +# +interface(`virt_bridgehelper_role',` + gen_require(` + type virt_bridgehelper_t; + ') + + role $1 types virt_bridgehelper_t; +')
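Review bot: the module summary `Policy for virtualization` duplicates the one in virt.if; give this file its own summary (for example naming qemu-ga, qemu-bridge-helper and libvirt-qmf) so generated documentation can tell the two apart. Nits: `virt_domtrans_bridgehelper` lacks the `#` separator line before `interface(` that the other two interfaces have, and `in the callers domain` should read `in the caller's domain`.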
View file
_service:tar_scm:v40.7.tar.gz/policy/modules/contrib/virt_supplementary.te
Added
@@ -0,0 +1,320 @@ +policy_module(virt_supplementary, 1.5.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow qemu-ga to read qemu-ga date. +## </p> +## </desc> +gen_tunable(virt_read_qemu_ga_data, false) + +## <desc> +## <p> +## Allow qemu-ga to manage qemu-ga date. +## </p> +## </desc> +gen_tunable(virt_rw_qemu_ga_data, false) + +## <desc> +## <p> +## Allow qemu-ga read all non-security file types. +## </p> +## </desc> +gen_tunable(virt_qemu_ga_read_nonsecurity_files, false) + +## <desc> +## <p> +## Allow qemu-ga read ssh home directory content. +## </p> +## </desc> +gen_tunable(virt_qemu_ga_manage_ssh, false) + +## <desc> +## <p> +## Allow qemu-ga to run unconfined scripts +## </p> +## </desc> +gen_tunable(virt_qemu_ga_run_unconfined, false) + +gen_require(` + class passwd passwd; +') + +type virt_qmf_t; +type virt_qmf_exec_t; +init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) + +type virt_bridgehelper_t; +domain_type(virt_bridgehelper_t) + +type virt_bridgehelper_exec_t; +domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) +role system_r types virt_bridgehelper_t; + +# policy for qemu_ga +type virt_qemu_ga_t; +type virt_qemu_ga_exec_t; +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) + +type virt_qemu_ga_var_run_t; +files_pid_file(virt_qemu_ga_var_run_t) + +type virt_qemu_ga_log_t; +logging_log_file(virt_qemu_ga_log_t) + +type virt_qemu_ga_tmp_t; +files_tmp_file(virt_qemu_ga_tmp_t) + +type virt_qemu_ga_data_t; +files_type(virt_qemu_ga_data_t) + +type virt_qemu_ga_unconfined_exec_t; +application_executable_file(virt_qemu_ga_unconfined_exec_t) + +type virt_qemu_ga_unconfined_t; + +optional_policy(` + virt_file_types(virt_qemu_ga_exec_t) + virt_file_types(virt_qemu_ga_var_run_t) + virt_file_types(virt_qemu_ga_log_t) + virt_file_types(virt_qemu_ga_tmp_t) + virt_file_types(virt_qemu_ga_data_t) + virt_file_types(virt_qemu_ga_unconfined_exec_t) +') + +######################################## +# +# 
virt_qmf local policy +# +allow virt_qmf_t self:capability { sys_nice sys_tty_config }; +allow virt_qmf_t self:process { setsched signal }; +allow virt_qmf_t self:fifo_file rw_fifo_file_perms; +allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms; +allow virt_qmf_t self:tcp_socket create_stream_socket_perms; +allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; + +kernel_read_system_state(virt_qmf_t) +kernel_read_network_state(virt_qmf_t) + +corenet_tcp_connect_matahari_port(virt_qmf_t) + +dev_read_sysfs(virt_qmf_t) +dev_read_rand(virt_qmf_t) +dev_read_urand(virt_qmf_t) + +domain_use_interactive_fds(virt_qmf_t) + +logging_send_syslog_msg(virt_qmf_t) + +sysnet_read_config(virt_qmf_t) + +optional_policy(` + dbus_read_lib_files(virt_qmf_t) +') + +optional_policy(` + virt_exec(virt_qmf_t) + virt_file_types(virt_qmf_exec_t) + virt_stream_connect(virt_qmf_t) + virt_system_domain_type(virt_qmf_t) +') + +######################################## +# +# virt_bridgehelper local policy +# + +allow virt_bridgehelper_t self:process { getcap setcap }; +allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid }; +allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +allow virt_bridgehelper_t self:tun_socket create_socket_perms; +allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; + +kernel_read_network_state(virt_bridgehelper_t) +kernel_read_system_state(virt_bridgehelper_t) + +corenet_rw_tun_tap_dev(virt_bridgehelper_t) + +dev_read_urand(virt_bridgehelper_t) +dev_read_rand(virt_bridgehelper_t) +dev_read_sysfs(virt_bridgehelper_t) + +userdom_use_inherited_user_ptys(virt_bridgehelper_t) + +optional_policy(` + virt_file_types(virt_bridgehelper_exec_t) + virt_rw_stream_sockets_virt_domain(virt_bridgehelper_t) + virt_svirt_manage_home(virt_bridgehelper_t) + virt_system_domain_type(virt_bridgehelper_t) +') + +####################################### +# +# virt_qemu_ga local policy +# + +allow 
virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config }; + +allow virt_qemu_ga_t self:passwd passwd; + +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; +allow virt_qemu_ga_t self:vsock_socket create_socket_perms; + +allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms; +can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t) + +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) +files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir }) + +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) +files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } ) + +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file }) + +kernel_read_system_state(virt_qemu_ga_t) +kernel_read_network_state(virt_qemu_ga_t) +kernel_rw_kernel_sysctl(virt_qemu_ga_t) + +corecmd_exec_shell(virt_qemu_ga_t) +corecmd_exec_bin(virt_qemu_ga_t) + +dev_getattr_apm_bios_dev(virt_qemu_ga_t) +dev_rw_sysfs(virt_qemu_ga_t) +dev_rw_realtime_clock(virt_qemu_ga_t) + +files_list_all_mountpoints(virt_qemu_ga_t) +files_write_all_mountpoints(virt_qemu_ga_t) + +fs_list_all(virt_qemu_ga_t) +fs_getattr_all_fs(virt_qemu_ga_t) +
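Review bot: `virt_qemu_ga_t` receives `sys_admin`, `kernel_rw_kernel_sysctl`, `files_write_all_mountpoints`, `dev_rw_sysfs`, `corecmd_exec_shell` and `corecmd_exec_bin` unconditionally, while the tunables declared at the top of the file (`virt_qemu_ga_run_unconfined`, `virt_qemu_ga_read_nonsecurity_files`, `virt_qemu_ga_manage_ssh`, ...) only gate additional access. Since the guest agent executes commands sent by the hypervisor, these rules amount to host-controlled, root-level execution inside the guest; that is the agent's purpose, but a comment should say so, and the unconditional sysctl and mountpoint writes should be tied to the denials they fix (or moved behind a tunable) rather than granted to every guest. Nits: the tunable descriptions say `qemu-ga date` where `data` is meant, and `type virt_qemu_ga_unconfined_t;` is declared without `domain_type()` or any rule in the visible part of the hunk, so confirm it is defined further down.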
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/vpn.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/vpn.te
Changed
@@ -75,6 +75,7 @@ dev_read_rand(vpnc_t) dev_read_urand(vpnc_t) dev_read_sysfs(vpnc_t) +dev_rw_vhost(vpnc_t) domain_use_interactive_fds(vpnc_t)
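Review bot: `dev_rw_vhost(vpnc_t)` gives the VPN client read/write on every `vhost_device_t` node, which in this same change's devices.fc includes `/dev/vhci` next to the vhost backend devices; please cite the AVC that motivates it. If one device is all vpnc touches, a narrower interface or a `dontaudit` is preferable to opening host-side virtio backends to a network-facing client.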
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/xen.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/contrib/xen.te
Changed
@@ -468,6 +468,7 @@ fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) +fs_map_xenfs_files(xenstored_t) term_use_generic_ptys(xenstored_t) term_use_console(xenconsoled_t)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/devices.fc
Changed
@@ -42,6 +42,7 @@ /dev/full -c gen_context(system_u:object_r:null_device_t,s0) /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/gnss0-9+ -c gen_context(system_u:object_r:gnss_device_t,s0) /dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) @@ -151,6 +152,7 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') +/dev/vas -c gen_context(system_u:object_r:vas_device_t,s0) /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) /dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0) /dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
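Review bot: `/dev/gnss0-9+` as shown would only match the literal names `gnss0-9`, `gnss0-99`, and so on; the intended pattern is `/dev/gnss[0-9]+`, so verify the brackets are present in the source and were only dropped in rendering. The `/dev/vas` entry is placed correctly (after the `distro_suse` block, in order before `/dev/vmci`).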
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/devices.if
Changed
@@ -2142,6 +2142,24 @@ ######################################## ## <summary> +## Read and write the the dma device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_dma_dev',` + gen_require(` + type device_t, dma_device_t; + ') + + rw_chr_files_pattern($1, device_t, dma_device_t) +') + +######################################## +## <summary> ## getattr the dri devices. ## </summary> ## <param name="domain"> @@ -5373,6 +5391,24 @@ ######################################## ## <summary> +## Delete files in the dev/urandom. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_urand',` + gen_require(` + type urandom_device_t; + ') + + allow $1 urandom_device_t:chr_file unlink; +') + +######################################## +## <summary> ## Getattr generic the USB devices. ## </summary> ## <param name="domain"> @@ -5855,6 +5891,24 @@ ######################################## ## <summary> +## Watch the video4linux devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_watch_video_dev',` + gen_require(` + type device_t, v4l_device_t; + ') + + watch_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## <summary> ## Get the attributes of vfio devices. ## </summary> ## <param name="domain"> 
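Review bot: `dev_delete_urand` grants `unlink` on `urandom_device_t`, i.e. the ability to remove `/dev/urandom`; a caller that can also create nodes under `device_t` could then replace it with a node of its choosing, which is a classic way to hand a predictable entropy source to every process on the system. The summary `Delete files in the dev/urandom` also misdescribes the permission (it is the device node itself). Restrict callers to the device manager and state in the <desc> why unlink is needed. Typo in `dev_rw_dma_dev`: `the the dma device`. `dev_watch_video_dev` looks fine.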
@@ -6593,6 +6647,42 @@ ') ######################################## +## <summary> +## Allow read/write the gnss device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_rw_gnss',` + gen_require(` + type device_t, gnss_device_t; + ') + + rw_chr_files_pattern($1, device_t, gnss_device_t) +') + +######################################## +## <summary> +## Allow setattr the gnss device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_gnss',` + gen_require(` + type device_t, gnss_device_t; + ') + + setattr_chr_files_pattern($1, device_t, gnss_device_t) +') + +######################################## ## <summary> ## Create all named devices with the correct label ## </summary>
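Review bot: style only: the summaries `Allow read/write the gnss device` and `Allow setattr the gnss device` do not follow the imperative form used throughout this file (`Read and write the GNSS device.`, `Set the attributes of the GNSS device.`) and both lack the trailing period.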
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/devices.te
Changed
@@ -141,6 +141,12 @@ dev_node(hypervvssd_device_t) # +# Type for /dev/gnss0 +# +type gnss_device_t; +dev_node(gnss_device_t) + +# # Type for /dev/ss0 # type gpfs_device_t; @@ -396,6 +402,9 @@ type uhid_device_t; dev_node(uhid_device_t) +type vas_device_t; +dev_node(vas_device_t) + type vfio_device_t; dev_node(vfio_device_t)
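Review bot: `vas_device_t` is declared without the `# Type for /dev/...` comment that `gnss_device_t` and its neighbours carry; add one saying which device `/dev/vas` is, so the type is not mistaken for a typo of `vfio_device_t` below it.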
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/domain.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/domain.te
Changed
@@ -26,7 +26,7 @@ ## </p> ## </desc> # -gen_tunable(domain_kernel_load_modules, false) +gen_tunable(domain_kernel_load_modules, true) ## <desc> ## <p> @@ -121,7 +121,6 @@ # Rules applied to all domains # -allow domain domain:anon_inode common_anon_inode_perms; # read /proc/(pid|self) entries allow domain self:dir { list_dir_perms watch_dir_perms }; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; @@ -130,6 +129,9 @@ allow domain self:sem create_sem_perms; allow domain self:shm create_shm_perms; +kernel_userfaultfd_domtrans(domain) +kernel_io_uring_domtrans(domain) + kernel_getattr_proc(domain) kernel_read_proc_symlinks(domain) kernel_read_crypto_sysctls(domain) @@ -173,6 +175,9 @@ files_read_all_base_ro_files(domain) files_dontaudit_getattr_kernel_symbol_table(domain) files_dontaudit_map_all_dirs(domain) +# Executing a socket is nonsense, yet such access checks can technically +# happen, so dontaudit them +files_dontaudit_execute_all_sockets(domain) fs_dontaudit_map_all_dirs(domain) @@ -253,7 +258,7 @@ # be used on an attribute. # allow special io_uring features -allow unconfined_domain_type domain:io_uring override_creds; +allow unconfined_domain_type domain:io_uring { cmd override_creds }; allow unconfined_domain_type self:io_uring sqpoll; dev_io_uring_cmd_on_all_dev_nodes(unconfined_domain_type) files_io_uring_cmd_on_all_files(unconfined_domain_type) @@ -298,6 +303,8 @@ allow unconfined_domain_type domain:perf_event rw_inherited_perf_event_perms; kernel_manage_perf_event(unconfined_domain_type) +kernel_userfaultfd_use(unconfined_domain_type) +kernel_io_uring_use(unconfined_domain_type) corenet_filetrans_all_named_dev(named_filetrans_domain)
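Review bot: flipping `domain_kernel_load_modules` from `false` to `true` changes a default that, by the tunable's name and upstream description, lets every domain ask the kernel to autoload modules; that widens the reachable kernel attack surface from any confined service to whatever module a request name resolves to. The previous (and upstream) default is `false` with administrators opting in; if a distribution-wide `true` is really needed, record the reason in the changelog and consider per-domain `kernel_request_load_module()` calls for the services that actually need it.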
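Review bot: dropping `allow domain domain:anon_inode common_anon_inode_perms;` in favour of `kernel_userfaultfd_domtrans(domain)`/`kernel_io_uring_domtrans(domain)` plus `kernel_userfaultfd_use`/`kernel_io_uring_use` for `unconfined_domain_type` is a genuine tightening: confined domains that used io_uring or userfaultfd under the blanket rule will now be denied `create` on `io_uring_t`/`userfaultfd_t:anon_inode` and need an explicit `kernel_io_uring_use()` or `kernel_userfaultfd_use()` call. Please list which domains were audited for this. Separately, `allow unconfined_domain_type domain:io_uring { cmd override_creds };` extends the io_uring `cmd` permission (driver `uring_cmd` handlers) to unconfined domains; mention it alongside the `dev_io_uring_cmd_on_all_dev_nodes`/`files_io_uring_cmd_on_all_files` lines below it so the three are read together.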
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/files.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/files.fc
Changed
@@ -285,6 +285,8 @@ /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) +/var/lib/authselect/backups(/.*)? <<none>> + /var/lib/nfs/rpc_pipefs(/.*)? <<none>> /var/lib/stickshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0)
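Review bot: `<<none>>` for `/var/lib/authselect/backups(/.*)?` only stops `restorecon`/`fixfiles` from relabelling; it does not affect the label a file gets when authselect creates it there. If the purpose is to keep backup copies of `/etc/nsswitch.conf` and the PAM configuration from being forced to `var_lib_t` because authselect preserves their original contexts, say so in a comment above the entry, as the `rpc_pipefs` entry below does by its name alone.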
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/files.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/files.if
Changed
@@ -636,6 +636,24 @@ ######################################## ## <summary> +## Get attributes of all non-security directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + allow $1 non_security_file_type:dir getattr_dir_perms; +') + +######################################## +## <summary> ## List all non-security directories. ## </summary> ## <param name="domain"> @@ -1623,6 +1641,25 @@ ######################################## ## <summary> +## Do not audit attempts to execute +## any named socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`files_dontaudit_execute_all_sockets',` + gen_require(` + attribute file_type; + ') + + dontaudit $1 file_type:sock_file execute; +') + +######################################## +## <summary> ## Do not audit attempts to read ## of all security file types. ## </summary> @@ -1728,8 +1765,12 @@ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) # satisfy the assertions: - seutil_relabelto_bin_policy($1) - auth_relabelto_shadow($1) + optional_policy(` + seutil_relabelto_bin_policy($1) + ') + optional_policy(` + auth_relabelto_shadow($1) + ') ') ######################################## 
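Review bot: wrapping `seutil_relabelto_bin_policy($1)` and `auth_relabelto_shadow($1)` in `optional_policy()` is safe (when the selinuxutil or authlogin module is absent, so are the neverallow assertions those calls satisfy), but the `# satisfy the assertions:` comment should now also say why the calls became optional, presumably because `files_relabel_all_files()` is being called from kernel.te in this same change. `files_dontaudit_execute_all_sockets` and `files_getattr_non_security_dirs` look fine.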
@@ -1800,6 +1841,44 @@ ######################################## ## <summary> +## Manage all block device files on the filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_all_blk_files',` + gen_require(` + attribute file_type; + ') + + manage_blk_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> +## Manage all character device files on the filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`files_manage_all_chr_files',` + gen_require(` + attribute file_type; + ') + + manage_chr_files_pattern($1, file_type, file_type) +') + +######################################## +## <summary> ## Grant execute access to all files on the filesystem, ## except the listed exceptions. ## </summary> @@ -1903,6 +1982,24 @@ ######################################## ## <summary> +## Read all lnk_files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_read_all_lnk_files',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> ## Get the attributes of all filesystems ## with the type of a file. ## </summary> @@ -2016,6 +2113,25 @@ ######################################## ## <summary> +## Get attributes of all non-authentication related +## directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_getattr_non_auth_dirs',` + gen_require(` + attribute non_auth_file_type; + ') + + allow $1 non_auth_file_type:dir getattr_dir_perms; +') + +######################################## +## <summary> ## Read all non-authentication related ## directories. ## </summary> 
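Review bot: `files_manage_all_blk_files` and `files_manage_all_chr_files` allow create/delete/read/write of block and character nodes of every `file_type`, anywhere on the filesystem, not only under `device_t`; a caller with either can create a raw-disk or `/dev/mem`-equivalent node in any directory. Both are tagged `<rolecap/>`, which advertises them for inclusion in user roles; given that the only caller in this change is `kernel_t`, drop `<rolecap/>` or add a <desc> warning. `files_read_all_lnk_files`, `files_getattr_non_auth_dirs` and `files_map_etc_files` look fine.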
@@ -3967,6 +4083,24 @@ ######################################## ## <summary> +## Map generic files in /etc. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`files_map_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:file map; +') + +######################################## +## <summary> ## Do not audit attempts to write generic files in /etc. ## </summary> ## <param name="domain"> @@ -6047,6 +6181,24 @@ ###################################### ## <summary> +## Watch manageable system db dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_system_db_dirs',`
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/filesystem.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/filesystem.if
Changed
@@ -1242,6 +1242,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; ') @@ -1298,6 +1299,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; read_files_pattern($1, cifs_t, cifs_t) ') @@ -1641,6 +1643,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; read_lnk_files_pattern($1, cifs_t, cifs_t) ') @@ -1661,6 +1664,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) read_fifo_files_pattern($1, cifs_t, cifs_t) ') @@ -1680,6 +1684,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) read_sock_files_pattern($1, cifs_t, cifs_t) ') @@ -1743,6 +1748,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) allow $1 cifs_t:dir manage_dir_perms; ') @@ -1783,6 +1789,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) manage_files_pattern($1, cifs_t, cifs_t) ') @@ -1822,6 +1829,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) manage_lnk_files_pattern($1, cifs_t, cifs_t) ') @@ -1841,6 +1849,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) manage_fifo_files_pattern($1, cifs_t, cifs_t) ') @@ -1860,6 +1869,7 @@ type cifs_t; ') + fs_search_auto_mountpoints($1) manage_sock_files_pattern($1, cifs_t, cifs_t) ') @@ -6231,6 +6241,25 @@ ######################################## ## <summary> +## Write to socket files on tmpfs filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_write_tmpfs_socket_files',` + gen_require(` + type tmpfs_t; + ') + + write_sock_files_pattern($1, tmpfs_t, tmpfs_t) + fs_search_tmpfs($1) +') + +######################################## +## <summary> ## Read and write, create and delete character ## nodes on tmpfs filesystems. ## </summary> 
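Review bot: inserting `fs_search_auto_mountpoints($1)` into nine cifs interfaces silently widens each of them, including the read-only ones such as `fs_read_cifs_files`, to grant search on autofs mount points outside `cifs_t`. That is reasonable for automounted shares, but the affected interfaces' <summary>/<desc> should mention it, and the duplication could be reduced by putting the call in one shared cifs search interface that the others invoke. `fs_write_tmpfs_socket_files` correctly pairs `write_sock_files_pattern` with `fs_search_tmpfs`.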
@@ -6324,6 +6353,24 @@ ######################################## ## <summary> +## Map files on a XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_map_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:file map; +') + +######################################## +## <summary> ## Create, read, write, and delete directories ## on a XENFS filesystem. ## </summary> @@ -6969,6 +7016,44 @@ ') ####################################### +## <summary> +## Read and write files in efivarfs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_rw_efivarfs_files',` + gen_require(` + type efivarfs_t; + ') + + rw_files_pattern($1, efivarfs_t, efivarfs_t) +') + +####################################### +## <summary> +## Create efivarfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`fs_create_efivarfs_files',` + gen_require(` + type efivarfs_t; + ') + + create_files_pattern($1, efivarfs_t, efivarfs_t) +') + +####################################### ## <summary> ## Manage efivarfs files ## </summary>
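Review bot: `fs_rw_efivarfs_files` and `fs_create_efivarfs_files` are both tagged `<rolecap/>`; writing EFI variables changes boot order and Secure Boot state and on some firmware can leave the machine unbootable, so callers should stay limited to well-defined system domains and the <desc> should warn about it. Also note that `rw_files_pattern` does not include `setattr`, and clearing the immutable flag that efivarfs sets on variables (`FS_IOC_SETFLAGS`, as done by `chattr -i`) is checked as a `setattr` on the file, so a caller that needs to overwrite a variable will still need a separate setattr interface. `fs_map_xenfs_files` is fine and matches its use in xen.te.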
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/kernel.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/kernel.if
Changed
@@ -4185,8 +4185,14 @@ ######################################## ## <summary> -## Allow caller to read the security state symbolic links. +## Read and write the security state information. ## </summary> +## <desc> +## <p> +## Allow the specified domain to read and write +## the security state information. +## </p> +## </desc> ## <param name="domain"> ## <summary> ## Domain allowed access. 
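Review bot: only the <summary>/<desc> of this interface changes here, from reading the security-state symbolic links to `Read and write the security state information`; the rule body is not in the hunk. Either the body already granted read/write and the doc was wrong, or the doc now overstates it; please confirm which, and if the interface really grants write, note that writes to the security state (selinuxfs) are security-critical and the interface should not gain callers casually.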
@@ -4501,5 +4507,115 @@ type init_t; ') - allow $1 kernel_t:bpf prog_run; + allow $1 kernel_t:bpf { map_read map_write prog_run }; +') + +######################################## +## <summary> +## Set up type transition for userfaultfd anon inodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to receive the type transition. +## </summary> +## </param> +# +interface(`kernel_userfaultfd_domtrans',` + gen_require(` + type userfaultfd_t; + ') + type_transition $1 self:anon_inode userfaultfd_t "userfaultfd"; +') + +######################################## +## <summary> +## Allow the domain to use the userfaultfd API via an inherited +## file descriptor. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_userfaultfd_use_inherited',` + gen_require(` + type userfaultfd_t; + ') + allow $1 userfaultfd_t:anon_inode { getattr ioctl read }; + + # Work around a known bug; see: + # https://lore.kernel.org/selinux/20210624152515.1844133-1-omosnace@redhat.com/ + allow $1 userfaultfd_t:anon_inode { write }; +') + +######################################## +## <summary> +## Allow the domain to use the userfaultfd API. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_userfaultfd_use',` + gen_require(` + type userfaultfd_t; + ') + kernel_userfaultfd_use_inherited($1) + allow $1 userfaultfd_t:anon_inode create; +') + +######################################## +## <summary> +## Set up type transition for io_uring anon inodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to receive the type transition. 
+## </summary> +## </param> +# +interface(`kernel_io_uring_domtrans',` + gen_require(` + type io_uring_t; + ') + type_transition $1 self:anon_inode io_uring_t "io_uring"; +') + +######################################## +## <summary> +## Allow the domain to use the io_uring API via an inherited file +## descriptor. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_io_uring_use_inherited',` + gen_require(` + type io_uring_t; + ') + allow $1 io_uring_t:anon_inode { getattr read write map }; +') + +######################################## +## <summary> +## Allow the domain to use the io_uring API. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_io_uring_use',` + gen_require(` + type io_uring_t; + ') + kernel_io_uring_use_inherited($1) + allow $1 io_uring_t:anon_inode create; ')
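Review bot: widening the bpf rule from `prog_run` to `{ map_read map_write prog_run }` lets callers modify maps belonging to `kernel_t`-owned BPF programs, which can change what those programs enforce (filters, LSM hooks); the interface's <summary> should say so and the caller list be kept short. On the new anon_inode interfaces: `kernel_io_uring_use_inherited` grants `{ getattr read write map }` while `kernel_userfaultfd_use_inherited` grants `{ getattr ioctl read }` plus a commented workaround `write`; a sentence on why io_uring needs `map` but not `ioctl` would help. Also document that none of the `kernel_io_uring_*` interfaces cover the `io_uring` class itself (`sqpoll`, `override_creds`, `cmd`), so a domain using SQPOLL still needs `allow $1 self:io_uring sqpoll;`, as domain.te does for unconfined domains.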
_service:tar_scm:v38.21.tar.gz/policy/modules/kernel/kernel.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/kernel/kernel.te
Changed
@@ -234,6 +234,10 @@ typealias unlabeled_t alias file_t; neverallow * unlabeled_t:file entrypoint; +# anon_inode types +type userfaultfd_t; +type io_uring_t; + # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) sid file_labels gen_context(system_u:object_r:unlabeled_t,s0) @@ -340,6 +344,7 @@ dev_map_dri(kernel_t) dev_map_framebuffer(kernel_t) +fs_getattr_all_fs(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) @@ -364,6 +369,13 @@ allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms; +# Enable running `/usr/bin/env umount ...` to support ZFS automounting. +# See the module/os/linux/zfs/zfs_ctldir.c file in +# https://github.com/openzfs/zfs/ for the usermode helper calls. +optional_policy(` + mount_domtrans(kernel_generic_helper_t) +') + domain_use_all_fds(kernel_t) domain_signal_all_domains(kernel_t) domain_search_all_domains_state(kernel_t) @@ -374,6 +386,9 @@ domain_obj_id_change_exemption(kernel_t) files_manage_all_files(kernel_t) +files_manage_all_blk_files(kernel_t) +files_manage_all_chr_files(kernel_t) +files_relabel_all_files(kernel_t) # The 'execute' permission on lower inodes is checked against the mounter # cred by overlayfs, so we need to grant it to allow overlay mounts created # during early boot to work. @@ -481,8 +496,6 @@ corenet_sendrecv_portmap_client_packets(kernel_t) corenet_sendrecv_generic_server_packets(kernel_t) - fs_getattr_xattr_fs(kernel_t) - auth_dontaudit_getattr_shadow(kernel_t) sysnet_read_config(kernel_t)
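Review bot: in the hunk at @@ -374,6 +386,9 @@, `files_manage_all_blk_files`, `files_manage_all_chr_files` and especially `files_relabel_all_files(kernel_t)` are added with no comment saying which early-boot operation needs them, while the ZFS `mount_domtrans` block a few lines above carries a rationale and a source reference; relabel over all files from kernel_t is a broad grant, so please add the same kind of justification or scope it to the file types actually relabelled.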
_service:tar_scm:v38.21.tar.gz/policy/modules/roles/sysadm.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/roles/sysadm.te
Changed
@@ -45,6 +45,7 @@ domain_read_view_all_domains_keyrings(sysadm_t) files_read_kernel_modules(sysadm_t) +files_map_kernel_modules(sysadm_t) files_filetrans_named_content(sysadm_t) files_status_etc(sysadm_t) files_unconfined(sysadm_t) @@ -365,6 +366,10 @@ ') optional_policy(` + iscsi_stream_connect(sysadm_t) +') + +optional_policy(` kerberos_exec_kadmind(sysadm_t) kerberos_filetrans_named_content(sysadm_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/roles/unconfineduser.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/roles/unconfineduser.if
Changed
@@ -277,6 +277,42 @@ ######################################## ## <summary> +## List unconfined domain directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_list_dirs',` + gen_require(` + type unconfined_t; + ') + + list_dirs_pattern($1, unconfined_t, unconfined_t) +') + +######################################## +## <summary> +## Read unconfined domain files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_read_files',` + gen_require(` + type unconfined_t; + ') + + read_files_pattern($1, unconfined_t, unconfined_t) +') + +######################################## +## <summary> ## Read unconfined domain unnamed pipes. ## </summary> ## <param name="domain">
_service:tar_scm:v38.21.tar.gz/policy/modules/roles/unconfineduser.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/roles/unconfineduser.te
Changed
@@ -216,6 +216,7 @@ ') optional_policy(` + chrome_filetrans_home_content(unconfined_t) chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',`
_service:tar_scm:v38.21.tar.gz/policy/modules/services/ssh.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/ssh.fc
Changed
@@ -30,6 +30,7 @@ /usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/libexec/openssh/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) +/usr/libexec/openssh/ssh-pkcs11-helper -- gen_context(system_u:object_r:ssh_agent_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/services/ssh.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/ssh.if
Changed
@@ -406,6 +406,7 @@ # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) + can_exec($1_ssh_agent_t, ssh_agent_exec_t) domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t) kernel_read_system_state($1_ssh_agent_t) @@ -908,6 +909,25 @@ userdom_search_user_home_dirs($1) ') +######################################## +## <summary> +## Create ssh home directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ssh_create_home_dirs',` + gen_require(` + type ssh_home_t; + ') + + allow $1 ssh_home_t:dir create_dir_perms; + setattr_dirs_pattern($1, ssh_home_t, ssh_home_t) +') + ####################################### ## <summary> ## Delete from the ssh temp files.
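Review bot: `ssh_create_home_dirs` grants `create_dir_perms` and setattr on `ssh_home_t` but, unlike the interface just above it (which ends with `userdom_search_user_home_dirs($1)`), gives the caller no search permission on the user home directory, so a domain that uses only this interface may still be denied on the path to the ssh home directory; consider adding `userdom_search_user_home_dirs($1)`. For the `can_exec($1_ssh_agent_t, ssh_agent_exec_t)` line in the first hunk, a comment tying it to the newly labelled `ssh-pkcs11-helper` in ssh.fc would explain why the agent now executes its own entrypoint type without a transition.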
_service:tar_scm:v38.21.tar.gz/policy/modules/services/ssh.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/ssh.te
Changed
@@ -91,6 +91,7 @@ typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; userdom_user_tmp_file(ssh_agent_tmp_t) +userdom_user_tmp_filetrans(ssh_agent_type, ssh_agent_tmp_t, sock_file) type ssh_keysign_t; type ssh_keysign_exec_t; @@ -748,6 +749,10 @@ ') optional_policy(` + gnome_manage_generic_cache_files(ssh_agent_type) +') + +optional_policy(` xserver_use_xdm_fds(ssh_agent_type) xserver_rw_xdm_pipes(ssh_agent_type) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/services/xserver.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/xserver.if
Changed
@@ -255,7 +255,7 @@ # Client write xserver shm tunable_policy(`xserver_clients_write_xshm',` allow $1 xserver_t:shm rw_shm_perms; - allow $1 xserver_tmpfs_t:file rw_file_perms; + allow $1 xserver_tmpfs_t:file mmap_rw_file_perms; ') ') @@ -439,7 +439,7 @@ # Client write xserver shm tunable_policy(`xserver_clients_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; + allow $2 xserver_tmpfs_t:file mmap_rw_file_perms; ') tunable_policy(`selinuxuser_direct_dri_enabled',` @@ -963,6 +963,25 @@ ######################################## ## <summary> +## Create xserver configuration dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_create_config_dirs',` + gen_require(` + type xserver_etc_t; + ') + + files_search_etc($1) + manage_dirs_pattern($1, xserver_etc_t, xserver_etc_t) +') + +######################################## +## <summary> ## Read xdm-writable configuration files. ## </summary> ## <param name="domain">
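Review bot: `xserver_create_config_dirs` is summarised as "Create xserver configuration dirs" but uses `manage_dirs_pattern`, which also grants delete, rename and reparent on `xserver_etc_t`; either use `create_dirs_pattern` to match the name, or rename the interface to `xserver_manage_config_dirs` and fix the summary. The `mmap_rw_file_perms` change on `xserver_tmpfs_t` stays inside the `xserver_clients_write_xshm` tunable in both hunks, which is the right place for it.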
_service:tar_scm:v38.21.tar.gz/policy/modules/services/xserver.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/services/xserver.te
Changed
@@ -1056,6 +1056,9 @@ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm") gnome_initial_setup_domtrans(xdm_t) gnome_initial_setup_filetrans_named_content(xdm_t) + gnome_initial_setup_create_var_lib_dirs(xdm_t) + gnome_initial_setup_manage_var_lib_files(xdm_t) + gnome_initial_setup_manage_var_lib_sock_files(xdm_t) gnome_initial_setup_manage_var_run(xdm_t) gnome_initial_setup_noatsecure(xdm_t) gnome_initial_setup_read_state(xdm_t) @@ -1821,7 +1824,7 @@ # Client write xserver shm tunable_policy(`xserver_clients_write_xshm',` allow x_userdomain xserver_t:shm rw_shm_perms; - allow x_userdomain xserver_tmpfs_t:file rw_file_perms; + allow x_userdomain xserver_tmpfs_t:file mmap_rw_file_perms; ') optional_policy(`
_service:tar_scm:v38.21.tar.gz/policy/modules/system/fstools.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/fstools.te
Changed
@@ -37,6 +37,7 @@ allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap execstack }; allow fsadm_t self:fd use; allow fsadm_t self:fifo_file rw_fifo_file_perms; +allow fsadm_t self:file mounton; allow fsadm_t self:sock_file read_sock_file_perms; allow fsadm_t self:unix_dgram_socket create_socket_perms; allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
_service:tar_scm:v38.21.tar.gz/policy/modules/system/init.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/init.te
Changed
@@ -177,6 +177,7 @@ allow init_t self:cap_userns all_cap_userns_perms; allow init_t self:tcp_socket { listen accept }; allow init_t self:packet_socket create_socket_perms; +allow init_t self:vsock_socket create_socket_perms; allow init_t self:key manage_key_perms; allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; @@ -870,6 +871,7 @@ optional_policy(` sysnet_filetrans_cloud_net_conf(init_t) + sysnet_manage_config_pipes(init_t) ') optional_policy(`
_service:tar_scm:v38.21.tar.gz/policy/modules/system/ipsec.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/ipsec.te
Changed
@@ -192,6 +192,7 @@ files_dontaudit_write_all_files(ipsec_t) fs_getattr_all_fs(ipsec_t) +fs_read_nsfs_files(ipsec_mgmt_t) fs_search_auto_mountpoints(ipsec_t) selinux_compute_access_vector(ipsec_t)
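Review bot: the added `fs_read_nsfs_files(ipsec_mgmt_t)` sits between `fs_getattr_all_fs(ipsec_t)` and `fs_search_auto_mountpoints(ipsec_t)`, inside the ipsec_t block, yet targets ipsec_mgmt_t; confirm the intended domain and, if ipsec_mgmt_t is correct, move the line to the ipsec_mgmt_t local policy section so the grant is not overlooked in a later review of that domain.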
_service:tar_scm:v38.21.tar.gz/policy/modules/system/logging.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/logging.fc
Changed
@@ -27,6 +27,8 @@ /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/usr/libexec/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_unconfined_script_exec_t,s0) + /usr/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) @@ -76,6 +78,7 @@ /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh) /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) +/var/run/auditd\.state -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
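Review bot: the new `/usr/libexec/rsyslog(/.*)?` entry labels the whole directory tree `syslogd_unconfined_script_exec_t` with no `--` file-type restriction, so any file placed there later, including non-script files, becomes an unconfined entrypoint; consider labelling the specific helper binaries with `--` instead of the directory regex.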
_service:tar_scm:v38.21.tar.gz/policy/modules/system/logging.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/logging.te
Changed
@@ -114,6 +114,12 @@ type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) +type syslogd_unconfined_script_t; +type syslogd_unconfined_script_exec_t; +role system_r types syslogd_unconfined_script_t; +application_domain(syslogd_unconfined_script_t, syslogd_unconfined_script_exec_t) +domtrans_pattern(syslogd_t, syslogd_unconfined_script_exec_t, syslogd_unconfined_script_t) + type syslogd_tmp_t; files_tmp_file(syslogd_tmp_t) @@ -241,6 +247,7 @@ corecmd_exec_bin(auditd_t) corecmd_exec_shell(auditd_t) +domain_read_all_domains_state(auditd_t) domain_use_interactive_fds(auditd_t) files_read_etc_files(auditd_t) @@ -645,6 +652,7 @@ fs_read_efivarfs_files(syslogd_t) fs_search_auto_mountpoints(syslogd_t) fs_list_cgroup_dirs(syslogd_t) +fs_write_cgroup_files(syslogd_t) miscfiles_manage_generic_cert_files(syslogd_t) @@ -799,3 +807,13 @@ ') logging_stream_connect_syslog(syslog_client_type) + +######################################## +# +# syslogd_unconfined_script_t local policy +# + +optional_policy(` + unconfined_domain(syslogd_unconfined_script_t) + +')
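Review bot: the last hunk makes `syslogd_unconfined_script_t` an `unconfined_domain` reachable by automatic transition from syslogd_t (`domtrans_pattern(syslogd_t, syslogd_unconfined_script_exec_t, syslogd_unconfined_script_t)`), which gives a network-facing log daemon a path to unconfined execution; a comment naming which rsyslog helpers require this, and a tunable so administrators can disable the transition, would make the trade-off explicit. Also drop the stray blank line before `')` in that `optional_policy` block, and `domain_read_all_domains_state(auditd_t)` deserves a one-line rationale.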
_service:tar_scm:v38.21.tar.gz/policy/modules/system/lvm.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/lvm.fc
Changed
@@ -177,6 +177,7 @@ /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) /var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/run/cryptsetup(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/multipathd(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/system/lvm.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/lvm.if
Changed
@@ -525,3 +525,42 @@ allow $1 lvm_var_run_t:file { rw_file_perms }; ') + +######################################## +## <summary> +## Create, read, write, and delete +## lvm var run files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_manage_var_run',` + gen_require(` + type lvm_var_run_t; + ') + + manage_dirs_pattern($1, lvm_var_run_t, lvm_var_run_t) + manage_files_pattern($1, lvm_var_run_t, lvm_var_run_t) +') + +######################################## +## <summary> +## Create directory cryptsetup in the /var/run +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_var_run_filetrans',` + gen_require(` + type lvm_var_run_t; + ') + + files_search_pids($1) + files_pid_filetrans($1, lvm_var_run_t, dir, "cryptsetup" ) +')
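Review bot: `lvm_manage_var_run` manages dirs and files under `lvm_var_run_t` but does not call `files_search_pids($1)`, while the sibling `lvm_var_run_filetrans` does; without search on /var/run the manage permissions are unreachable for a domain that gets nothing else. Also remove the stray space in `"cryptsetup" )`.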
_service:tar_scm:v38.21.tar.gz/policy/modules/system/selinuxutil.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/selinuxutil.fc
Changed
@@ -36,6 +36,8 @@ /usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) +/usr/libexec/selinux/selinux-autorelabel -- gen_context(system_u:object_r:semanage_exec_t,s0) + /usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) /usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/system/selinuxutil.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/selinuxutil.if
Changed
@@ -821,6 +821,25 @@ ######################################## ## <summary> +## Watch the general SELinux configuration files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`selinux_watch_config',` + gen_require(` + type selinux_config_t; + ') + + files_search_etc($1) + allow $1 selinux_config_t:file watch_file_perms; +') + +######################################## +## <summary> ## Read and write the general SELinux configuration files. ## </summary> ## <param name="domain">
_service:tar_scm:v38.21.tar.gz/policy/modules/system/sysnetwork.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/sysnetwork.fc
Changed
@@ -41,7 +41,7 @@ /var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0) ') /var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) -/var/run/NetworkManager/no-stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) +/var/run/NetworkManager/no-stub-resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /var/run/cloud-init(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/system/sysnetwork.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/sysnetwork.if
Changed
@@ -634,6 +634,25 @@ manage_dirs_pattern($1, net_conf_t, net_conf_t) ') +######################################## +## <summary> +## Create, read, write and delete +## network config pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_manage_config_pipes',` + gen_require(` + type net_conf_t; + ') + + manage_fifo_files_pattern($1, net_conf_t, net_conf_t) +') + ####################################### ## <summary> ## Read the dhcp client pid file. @@ -1140,6 +1159,7 @@ ') optional_policy(` + systemd_resolved_pid_filetrans($1, net_conf_t, file, "no-stub-resolv.conf") systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf") systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
_service:tar_scm:v38.21.tar.gz/policy/modules/system/sysnetwork.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/sysnetwork.te
Changed
@@ -64,6 +64,7 @@ dontaudit dhcpc_t self:capability sys_admin; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; +allow dhcpc_t self:capability2 bpf; allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate setrlimit signal_perms }; allow dhcpc_t self:cap_userns { net_bind_service }; @@ -309,7 +310,9 @@ # Ifconfig local policy # +allow ifconfig_t self:bpf { prog_load prog_run }; allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config }; +allow ifconfig_t self:capability2 { bpf perfmon }; allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; @@ -385,6 +388,8 @@ files_read_etc_runtime_files(ifconfig_t) files_read_usr_files(ifconfig_t) +fs_manage_cgroup_dirs(ifconfig_t) +fs_rw_cgroup_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_unmount_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -393,6 +398,7 @@ fs_unmount_nsfs(ifconfig_t) selinux_dontaudit_getattr_fs(ifconfig_t) +selinux_compute_create_context(ifconfig_t) term_dontaudit_use_console(ifconfig_t) term_dontaudit_use_all_ttys(ifconfig_t) @@ -430,6 +436,14 @@ ') optional_policy(` + apache_domtrans(ifconfig_t) +') + +optional_policy(` + bind_domtrans(ifconfig_t) +') + +optional_policy(` brctl_domtrans(ifconfig_t) ') @@ -489,6 +503,10 @@ ') optional_policy(` + ssh_domtrans(ifconfig_t) +') + +optional_policy(` unconfined_dontaudit_rw_pipes(ifconfig_t) ')
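Review bot: `apache_domtrans(ifconfig_t)`, `bind_domtrans(ifconfig_t)` and `ssh_domtrans(ifconfig_t)` are added without any comment, and an interface-configuration domain transitioning into the httpd, named and ssh domains is surprising; please record which utility triggers these transitions so a reviewer can judge whether a narrower rule would do. The same file also gives ifconfig_t `bpf { prog_load prog_run }` plus `capability2 { bpf perfmon }` and `fs_manage_cgroup_dirs`; a rationale line for each would help.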
_service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/systemd.fc
Changed
@@ -2,8 +2,8 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) /root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) -/etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) -/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) /etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) /bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) @@ -68,7 +68,10 @@ /usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) /usr/lib/systemd/systemd-network-generator -- gen_context(system_u:object_r:systemd_network_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-fstab-generator -- gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0) /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-rc-local-generator -- gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0) /usr/lib/systemd/systemd-resolve(d|-host) gen_context(system_u:object_r:systemd_resolved_exec_t,s0) /usr/lib/systemd/systemd-importd -- gen_context(system_u:object_r:systemd_importd_exec_t,s0) /usr/lib/systemd/systemd-journal-upload -- gen_context(system_u:object_r:systemd_journal_upload_exec_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/systemd.if
Changed
@@ -29,6 +29,39 @@ ###################################### ## <summary> +## Creates types and rules for +## systemd generators. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`systemd_generator_template',` + gen_require(` + attribute systemd_generator; + ') + + type $1_t, systemd_generator; + type $1_exec_t; + init_daemon_domain($1_t, $1_exec_t) + init_nnp_daemon_domain($1_t) + + kernel_read_system_state($1_t) + + dev_write_kmsg($1_t) + + auth_use_nsswitch($1_t) + selinux_get_enforce_mode($1_t) + + systemd_manage_unit_dirs($1_t) + systemd_create_unit_file_dirs($1_t) + systemd_create_unit_file_lnk($1_t) +') + +###################################### +## <summary> ## Create a domain for processes which are started ## exuting systemctl. ## </summary> @@ -2040,6 +2073,44 @@ allow $1 power_unit_file_t:service status; ') +######################################## +## <summary> +## Start vconsole unit. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_start_vconsole_services',` + gen_require(` + type systemd_vconsole_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 systemd_vconsole_unit_file_t:service start; +') + +######################################## +## <summary> +## Status vconsole unit. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_status_vconsole_services',` + gen_require(` + type systemd_vconsole_unit_file_t; + ') + + systemd_exec_systemctl($1) + allow $1 systemd_vconsole_unit_file_t:service status; +') + ####################################### ## <summary> ## Start power unit files domain.
_service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/systemd.te
Changed
@@ -23,6 +23,7 @@ attribute systemd_unit_file_type; attribute systemd_domain; +attribute systemd_generator; attribute systemctl_domain; attribute systemd_mount_directory; attribute systemd_private_tmp_type; @@ -192,6 +193,15 @@ type systemd_gpt_generator_unit_file_t; systemd_unit_file(systemd_gpt_generator_unit_file_t) +#domain for fstab-generator +systemd_generator_template(systemd_fstab_generator) + +#domain for rc-local-generator +systemd_generator_template(systemd_rc_local_generator) + +#domain for sysv-generator +systemd_generator_template(systemd_sysv_generator) + #domain for systemd-machined systemd_domain_template(systemd_machined) @@ -452,7 +462,7 @@ allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill }; allow systemd_machined_t systemd_unit_file_t:service { status start stop }; allow systemd_machined_t self:unix_dgram_socket create_socket_perms; -allow systemd_machined_t self:cap_userns { sys_chroot }; +allow systemd_machined_t self:cap_userns { setgid setuid sys_admin sys_chroot sys_ptrace }; manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t) @@ -464,9 +474,6 @@ manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t) init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines") -fs_read_nsfs_files(systemd_machined_t) -fs_write_cgroup_files(systemd_machined_t) - kernel_dgram_send(systemd_machined_t) # This is a bug, but need for now. kernel_read_unlabeled_state(systemd_machined_t) 
@@ -474,6 +481,14 @@ domain_signal_all_domains(systemd_machined_t) domain_signull_all_domains(systemd_machined_t) +files_read_var_lib_symlinks(systemd_machined_t) +files_write_root_dirs(systemd_machined_t) + +fs_read_nsfs_files(systemd_machined_t) +fs_read_tmpfs_symlinks(systemd_machined_t) +fs_write_cgroup_files(systemd_machined_t) +fs_write_tmpfs_socket_files(systemd_machined_t) + init_dbus_chat(systemd_machined_t) init_status(systemd_machined_t) init_start(systemd_machined_t) @@ -508,6 +523,15 @@ ') optional_policy(` + term_use_generic_ptys(systemd_machined_t) +') + +optional_policy(` + unconfined_server_read_state(systemd_machined_t) + unconfined_server_stream_connectto(systemd_machined_t) +') + +optional_policy(` virt_dbus_chat(systemd_machined_t) virt_sandbox_read_state(systemd_machined_t) virt_signal_sandbox(systemd_machined_t) @@ -558,6 +582,7 @@ fs_read_xenfs_files(systemd_networkd_t) fs_read_nsfs_files(systemd_networkd_t) +fs_write_cgroup_files(systemd_networkd_t) dev_read_sysfs(systemd_networkd_t) dev_write_kmsg(systemd_networkd_t) @@ -862,6 +887,7 @@ userdom_dbus_send_all_users(systemd_localed_t) +xserver_create_config_dirs(systemd_localed_t) xserver_manage_config(systemd_localed_t) optional_policy(` @@ -1164,12 +1190,27 @@ # # systemd_hwdb domain # +dontaudit systemd_hwdb_t self:capability dac_override; + manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t) allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto}; files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file) systemd_read_efivarfs(systemd_hwdb_t) +######################################## +# +# Common rules for systemd generators +# +allow systemd_generator self:unix_dgram_socket { create_socket_perms sendto }; + +kernel_dgram_send(systemd_generator) + +fs_getattr_all_fs(systemd_generator) +fs_search_all(systemd_generator) + +logging_stream_connect_syslog(systemd_generator) + ####################################### # # systemd_gpt_generator domain 
@@ -1189,6 +1230,8 @@ files_list_usr(systemd_gpt_generator_t) files_list_var(systemd_gpt_generator_t) +fs_mount_tmpfs(systemd_gpt_generator_t) + fstools_exec(systemd_gpt_generator_t) mls_file_read_to_clearance(systemd_gpt_generator_t) @@ -1209,14 +1252,50 @@ ####################################### # +# systemd_fstab_generator_t +# +allow systemd_fstab_generator_t self:capability dac_override; +dev_write_sysfs_dirs(systemd_fstab_generator_t) + +files_read_etc_files(systemd_fstab_generator_t) +files_read_all_lnk_files(systemd_fstab_generator_t) +files_search_all(systemd_fstab_generator_t) + +fstools_exec(systemd_fstab_generator_t) + +systemd_manage_all_unit_files(systemd_fstab_generator_t) + +####################################### +# +# systemd_rc_local_generator_t +# + +init_exec_script_files(systemd_rc_local_generator_t) + +####################################### +# +# systemd_sysv_generator_t +# + +init_read_script_files(systemd_sysv_generator_t) + +systemd_manage_all_unit_files(systemd_sysv_generator_t) + +####################################### +# # systemd_network_generator domain # init_named_pid_filetrans(systemd_network_generator_t, net_conf_t, dir, "network") +init_named_pid_filetrans(systemd_network_generator_t, net_conf_t, file) sysnet_manage_config(systemd_network_generator_t) sysnet_manage_config_dirs(systemd_network_generator_t) +optional_policy(` + logging_send_syslog_msg(systemd_network_generator_t) +') + ####################################### # # systemd_resolved domain @@ -1507,7 +1586,7 @@ # systemd_sleep local policy # -allow systemd_sleep_t self:capability sys_resource; +allow systemd_sleep_t self:capability { linux_immutable sys_resource }; # systemd-sleep needs to set timer for suspend-then-hibernate allow systemd_sleep_t self:capability2 wake_alarm; dontaudit systemd_sleep_t self:capability sys_ptrace; 
@@ -1525,6 +1604,9 @@ dev_rw_sysfs(systemd_sleep_t) dev_write_kmsg(systemd_sleep_t) +fs_create_efivarfs_files(systemd_sleep_t) +fs_rw_efivarfs_files(systemd_sleep_t) + fstools_rw_swap_files(systemd_sleep_t) init_search_var_lib_dirs(systemd_sleep_t)
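Review bot: in the hunk at @@ -452,7 +462,7 @@, `systemd_machined_t self:cap_userns` grows from `{ sys_chroot }` to `{ setgid setuid sys_admin sys_chroot sys_ptrace }` with no comment; sys_admin and sys_ptrace inside a user namespace are the two that merit a justification. In the generator hunks, the `systemd_fstab_generator_t` section lacks the blank line after `allow systemd_fstab_generator_t self:capability dac_override;` that the neighbouring sections use, and that `dac_override` should say what the generator needs to read.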
_service:tar_scm:v38.21.tar.gz/policy/modules/system/udev.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/udev.te
Changed
@@ -43,6 +43,7 @@ dontaudit udev_t self:capability sys_tty_config; allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; +allow udev_t self:system module_load; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; allow udev_t self:sock_file read_sock_file_perms; @@ -141,6 +142,7 @@ files_list_tmp(udev_t) fs_getattr_all_fs(udev_t) +fs_search_all(udev_t) fs_list_auto_mountpoints(udev_t) fs_list_hugetlbfs(udev_t) fs_read_cgroup_files(udev_t) @@ -200,6 +202,10 @@ systemd_login_read_pid_files(udev_t) systemd_getattr_unit_files(udev_t) systemd_domtrans_sysctl(udev_t) +systemd_hwdb_mmap_config(udev_t) +systemd_hwdb_read_config(udev_t) +systemd_start_vconsole_services(udev_t) +systemd_status_vconsole_services(udev_t) userdom_dontaudit_search_user_home_content(udev_t) userdom_rw_inherited_user_tmp_pipes(udev_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/system/unconfined.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/unconfined.if
Changed
@@ -429,3 +429,21 @@ allow $1 unconfined_service_t:sem r_sem_perms; ') + +####################################### +## <summary> +## Allow the specified domain read unconfined service process state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_server_read_state',` + gen_require(` + type unconfined_service_t; + ') + + ps_process_pattern($1, unconfined_service_t) +')
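Review bot: the summary of `unconfined_server_read_state` reads "Allow the specified domain read unconfined service process state"; it should be "Allow the specified domain to read unconfined service process state." with the trailing period the other summaries use.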
_service:tar_scm:v38.21.tar.gz/policy/modules/system/userdomain.fc -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/userdomain.fc
Changed
@@ -23,6 +23,7 @@ HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0) HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0) +HOME_DIR/tmp/.* <<none>> /tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0) /tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/system/userdomain.if -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/userdomain.if
Changed
@@ -594,7 +594,6 @@ allow $1 user_tmp_t:file entrypoint; exec_files_pattern($1, user_tmp_t, user_tmp_t) - dontaudit $1 user_tmp_t:sock_file execute; files_search_tmp($1) ') @@ -1189,6 +1188,7 @@ miscfiles_exec_tetex_data($1_usertype) seutil_read_config($1_usertype) + selinux_watch_config($1_usertype) seutil_read_file_contexts($1_usertype) seutil_read_default_contexts($1_usertype) seutil_exec_setfiles($1_usertype) @@ -1524,6 +1524,7 @@ storage_rw_fuse($1_t) + files_getattr_non_security_dirs($1_t) files_exec_usr_files($1_t) # cjp: why? files_read_kernel_symbol_table($1_t) @@ -3068,8 +3069,7 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) - dontaudit $1 user_home_type:sock_file execute; - ') +') ######################################## ## <summary>
_service:tar_scm:v38.21.tar.gz/policy/modules/system/userdomain.te -> _service:tar_scm:v40.7.tar.gz/policy/modules/system/userdomain.te
Changed
@@ -394,6 +394,7 @@ corecmd_watch_bin_dirs(login_userdomain) dev_watch_generic_dirs(login_userdomain) +dev_watch_video_dev(login_userdomain) files_map_var_lib_files(login_userdomain) files_read_var_lib_symlinks(login_userdomain) @@ -403,6 +404,7 @@ files_watch_system_conf_dirs(login_userdomain) files_watch_usr_dirs(login_userdomain) files_watch_usr_files(login_userdomain) +files_watch_usr_lnk_files(login_userdomain) files_watch_var_lib_dirs(login_userdomain) files_watch_var_run_dirs(login_userdomain) files_watch_generic_tmp_dirs(login_userdomain)
_service:tar_scm:v38.21.tar.gz/policy/support/obj_perm_sets.spt -> _service:tar_scm:v40.7.tar.gz/policy/support/obj_perm_sets.spt
Changed
@@ -284,10 +284,14 @@ # define(`userfaultfd_anon_inode_perms',` # deprecated 2022.02.07 - refpolicywarn(`userfaultfd_anon_inode_perms() is deprecated, please use common_inode_perms() instead.') + refpolicywarn(`userfaultfd_anon_inode_perms() is deprecated, enumerate the needed permissions instead.') { create getattr ioctl read write } ') -define(`common_anon_inode_perms',`{ create getattr ioctl map read write }') +define(`common_anon_inode_perms',` + # deprecated 2023.10.04 + refpolicywarn(`common_anon_inode_perms() is deprecated, enumerate the needed permissions instead.') + { create getattr ioctl map read write } +') ######################################## #
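Review bot: both `userfaultfd_anon_inode_perms()` and `common_anon_inode_perms()` now emit `refpolicywarn` on every expansion while still returning the permission set, so any caller left behind produces a build warning rather than a failure. Make sure the in-tree callers of `common_anon_inode_perms()` are converted to explicit `{ create getattr ioctl map read write }` sets in the same change, otherwise the deprecation warning will sit in every policy build log until someone cleans it up. The reworded message, "enumerate the needed permissions instead", is consistent with deprecating the catch-all macro in the same hunk rather than pointing callers at another macro.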
_service:tar_scm:v40.7.tar.gz/scripts
Added
+(directory)
_service:tar_scm:v40.7.tar.gz/scripts/make-sources.sh
Added
@@ -0,0 +1,42 @@ +#!/bin/bash + +# Prepare sources for an SRPM build + +set -eux + +outdir="$1"; shift + +rootdir="$(realpath -m "$0/../..")" + +DISTGIT_URL=https://src.fedoraproject.org/rpms/selinux-policy +DISTGIT_REF=rawhide + +CONTAINER_URL=https://github.com/containers/container-selinux +EXPANDER_URL=https://github.com/fedora-selinux/macro-expander + +base_head_id="$(git -C "$rootdir" rev-parse HEAD)" +base_short_head_id="${base_head_id:0:7}" +base_date="$(TZ=UTC git show -s --format=%cd --date=format-local:%F_%T HEAD | tr -d :-)" + +tmpdir="$(mktemp -d)" + +trap 'rm -rf "$tmpdir"' EXIT + +container_dir="$tmpdir/container-selinux" +expander_dir="$tmpdir/macro-expander" + +git clone --single-branch --depth 1 "$CONTAINER_URL" "$container_dir" +git clone --single-branch --depth 1 "$EXPANDER_URL" "$expander_dir" +git clone -b "$DISTGIT_REF" --single-branch --depth 1 "$DISTGIT_URL" "$outdir" + +git -C "$rootdir" archive --prefix="selinux-policy-$base_head_id/" --format tgz HEAD \ + >"$outdir/selinux-policy-$base_short_head_id.tar.gz" + +tar -C "$container_dir" -czf "$outdir/container-selinux.tgz" \ + container.if container.te container.fc + +cp "$expander_dir/macro-expander.sh" "$outdir/macro-expander" + +sed -i "s/%global commit ^ *$/%global commit $base_head_id/; + s/%{?dist}/.$base_date.$base_short_head_id%{?dist}/" "$outdir/selinux-policy.spec" +rm -f "$outdir/sources"
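Review bot: `base_date` is computed with a plain `git show -s --format=%cd --date=format-local:%F_%T HEAD` while the line just above uses `git -C "$rootdir" rev-parse HEAD`, so the date comes from whatever repository the caller's current directory happens to be in, and under `set -e` the script aborts when run from outside any repository; it should be `git -C "$rootdir" show -s --format=%cd --date=format-local:%F_%T HEAD` to match. Separately, in the `sed -i` call the pattern `%global commit ^ *$` places `^` in the middle of the expression, where sed's basic regular expressions treat it as a literal character, so the substitution only fires if the dist-git spec literally contains `%global commit ^`; if the intent is to overwrite any existing commit value, `s/^%global commit .*$/%global commit $base_head_id/` is the pattern needed. The `trap 'rm -rf "$tmpdir"' EXIT` cleanup and the shallow `--single-branch --depth 1` clones look right.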
_service:tar_scm:v40.7.tar.gz/scripts/make-srpm.sh
Added
@@ -0,0 +1,25 @@ +#!/bin/bash + +# Make an SRPM for COPR + +set -eux + +outdir="$1"; shift + +rootdir="$(realpath -m "$0/../..")" + +rpm -q rpm-build git-core || dnf install -y rpm-build git-core + +tmpdir="$(mktemp -d)" + +trap 'rm -rf "$tmpdir"' EXIT + +rpmbuild_dir="$tmpdir" +distgit_dir="$tmpdir/SOURCES" + +mkdir -p "$distgit_dir" + +"$rootdir/scripts/make-sources.sh" "$distgit_dir" + +rpmbuild --define "_topdir $rpmbuild_dir" -bs "$distgit_dir/selinux-policy.spec" +cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"
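Review bot: the final `cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"` assumes `$outdir` already exists, but nothing in the script creates it, so a fresh output directory makes the run fail only after the clone and `rpmbuild -bs` have completed; add `mkdir -p "$outdir"` next to the existing `mkdir -p "$distgit_dir"`. Also, `rpm -q rpm-build git-core || dnf install -y rpm-build git-core` quietly requires root when the packages are missing, which is fine for a COPR builder image but deserves a comment for anyone running the script locally.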