openEuler:Mainline
selinux-policy
We truncated the diff of some files because they were too big.
Changes of Revision 8
_service:tar_scm:selinux-policy.spec
Changed
@@ -11,12 +11,12 @@ Summary: SELinux policy configuration Name: selinux-policy -Version: 38.6 -Release: 5 +Version: 38.21 +Release: 1 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ -Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.6.tar.gz +Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.21.tar.gz # Tool helps during policy development, to expand system m4 macros to raw allow rules # Git repo: https://github.com/fedora-selinux/macro-expander.git @@ -63,12 +63,6 @@ Patch8: allow-rpcbind-to-bind-all-port.patch Patch9: add-avc-for-systemd-journald.patch Patch10: add-avc-for-systemd.patch -Patch11: Allow-login_pgm-setcap-permission.patch -Patch12: Additional-support-for-rpmdb_migrate.patch -Patch13: Add-initial-policy-for-the-usr-sbin-request-key-help.patch -Patch14: Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch -Patch15: Add-journalctl-the-sys_resource-capability.patch -Patch16: Allow-certmonger-read-the-contents-of-the-sysfs-file.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -748,6 +742,9 @@ %endif %changelog +* Fri Jul 21 2023 jinlun<jinlun@huawei.com> - 38.21-1 +- update version to 38.21 + * Wed May 31 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-5 - backport some upstream patches
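Review bot: The %changelog entry for 38.21-1 says only "update version to 38.21", but the second hunk also drops Patch11 through Patch16. Add a changelog line saying these six backports are removed because the new tarball carries them, and confirm that for each one: the tarball diffs on this page show dev_read_sysfs(certmonger_t) in certmonger.te and keyutils = module in modules.conf, while the journalctl, rpmdb, login_pgm and nm-dispatcher changes are not in the visible part of the diff.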
_service:tar_scm:Add-initial-policy-for-the-usr-sbin-request-key-help.patch
Deleted
@@ -1,227 +0,0 @@ -From 3a1ae904dba54474a56815ba7fbf3238fcfe5a46 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek <omosnace@redhat.com> -Date: Mon, 30 Jan 2023 14:46:50 +0100 -Subject: PATCH 2/5 Add initial policy for the /usr/sbin/request-key helper - -The kernel is hard-coded to call /sbin/request-key to handle requests -for instantiating keys that are not found in the existing keyrings. - -Thus, we need to add a domain for this helper and set up a transition -into that domain from kernel_t. - -request-key dispatches the key requests to further helper programs based -on the configuration in /etc/request-key.d/*.conf and -/etc/request-key.conf. Currently, the only known used dispatcher is -/usr/sbin/nfsidmap, which is set up by the nfs-utils package to handle -requests for the 'id_resolver' key type. This patch adds the minimal -policy for this helper that is needed for an NFS mount to succeed. - -Policy for other request-key helper programs may need to be added in the -future. An optional mechanism to allow any possible configuration (e.g. -by setting up a transition over any file to unconfined_service_t) may be -also desired. For now let's at least make the one known use case work. 
- -Fixes: 1e8688ea6943 ("Don't make kernel_t an unconfined domain") -Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> ---- - policy/modules.conf | 7 +++++ - policy/modules/contrib/keyutils.fc | 1 + - policy/modules/contrib/keyutils.if | 43 ++++++++++++++++++++++++++++++ - policy/modules/contrib/keyutils.te | 11 ++++++++ - policy/modules/contrib/rpc.fc | 1 + - policy/modules/contrib/rpc.te | 32 ++++++++++++++++++++++ - policy/modules/kernel/kernel.if | 19 +++++++++++++ - policy/modules/kernel/kernel.te | 4 +++ - 8 files changed, 118 insertions(+) - create mode 100644 policy/modules/contrib/keyutils.fc - create mode 100644 policy/modules/contrib/keyutils.if - create mode 100644 policy/modules/contrib/keyutils.te - -diff --git a/policy/modules.conf b/policy/modules.conf -index 5e0678668..6f63c8cb6 100644 ---- a/policy/modules.conf -+++ b/policy/modules.conf -@@ -3078,3 +3078,10 @@ rhcd = module - # wireguard - # - wireguard = module -+ -+# Layer: contrib -+# Module: keyutils -+# -+# keyutils - Linux Key Management Utilities -+# -+keyutils = module -diff --git a/policy/modules/contrib/keyutils.fc b/policy/modules/contrib/keyutils.fc -new file mode 100644 -index 000000000..78c5f159f ---- /dev/null -+++ b/policy/modules/contrib/keyutils.fc -@@ -0,0 +1 @@ -+/usr/sbin/request-key -- gen_context(system_u:object_r:keyutils_request_exec_t,s0) -diff --git a/policy/modules/contrib/keyutils.if b/policy/modules/contrib/keyutils.if -new file mode 100644 -index 000000000..06daab988 ---- /dev/null -+++ b/policy/modules/contrib/keyutils.if -@@ -0,0 +1,43 @@ -+## <summary>Linux Key Management Utilities</summary> -+ -+####################################### -+## <summary> -+## Execute request-key in the keyutils request domain. -+## </summary> -+## <param name="domain"> -+## <summary> -+## Domain allowed access. 
-+## </summary> -+## </param> -+# -+interface(`keyutils_request_domtrans',` -+ gen_require(` -+ type keyutils_request_t, keyutils_request_exec_t; -+ ') -+ -+ domtrans_pattern($1, keyutils_request_exec_t, keyutils_request_t) -+') -+ -+######################################## -+## <summary> -+## Allows to perform key instantiation callout -+## by transitioning to the specified domain. -+## </summary> -+## <param name="domain"> -+## <summary> -+## The process type entered by request-key. -+## </summary> -+## </param> -+## <param name="entrypoint"> -+## <summary> -+## The executable type for the entrypoint. -+## </summary> -+## </param> -+# -+interface(`keyutils_request_domtrans_to',` -+ gen_require(` -+ type keyutils_request_t; -+ ') -+ -+ domtrans_pattern(keyutils_request_t, $2, $1) -+') -diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te -new file mode 100644 -index 000000000..2ea1d5e38 ---- /dev/null -+++ b/policy/modules/contrib/keyutils.te -@@ -0,0 +1,11 @@ -+policy_module(keyutils, 1.0) -+ -+type keyutils_request_exec_t; -+files_type(keyutils_request_exec_t) -+ -+type keyutils_request_t; -+domain_type(keyutils_request_t) -+domain_entry_file(keyutils_request_t, keyutils_request_exec_t) -+ -+kernel_view_key(keyutils_request_t) -+kernel_read_key(keyutils_request_t) -diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc -index 3825ef707..06a6c009c 100644 ---- a/policy/modules/contrib/rpc.fc -+++ b/policy/modules/contrib/rpc.fc -@@ -32,6 +32,7 @@ - /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) - /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) - /usr/sbin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) -+/usr/sbin/nfsidmap -- gen_context(system_u:object_r:nfsidmap_exec_t,s0) - - # - # /var -diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te -index f94cfa5d2..c83492a56 100644 ---- a/policy/modules/contrib/rpc.te -+++ 
b/policy/modules/contrib/rpc.te -@@ -434,3 +434,35 @@ optional_policy(` - optional_policy(` - xserver_rw_xdm_tmp_files(gssd_t) - ') -+ -+######################################## -+# -+# nfsidmap policy -+# -+ -+type nfsidmap_exec_t; -+files_type(nfsidmap_exec_t) -+ -+type nfsidmap_t; -+domain_type(nfsidmap_t) -+domain_entry_file(nfsidmap_t, nfsidmap_exec_t) -+ -+allow nfsidmap_t self:key write; -+allow nfsidmap_t self:netlink_route_socket r_netlink_socket_perms; -+ -+kernel_setattr_key(nfsidmap_t) -+ -+sysnet_read_config(nfsidmap_t) -+ -+optional_policy(` -+ auth_read_passwd_file(nfsidmap_t) -+') -+ -+optional_policy(` -+ logging_send_syslog_msg(nfsidmap_t) -+') -+ -+optional_policy(` -+ # /etc/request-key.d/id_resolver.conf -+ keyutils_request_domtrans_to(nfsidmap_t, nfsidmap_exec_t) -+') -diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 166586f66..adb71ed3a 100644 ---- a/policy/modules/kernel/kernel.if -+++ b/policy/modules/kernel/kernel.if -@@ -579,6 +579,25 @@ interface(`kernel_dontaudit_view_key',` - - dontaudit $1 kernel_t:key view; - ') -+ -+######################################## -+## <summary> -+## Allow to set attributes on the kernel key ring. -+## </summary> -+## <param name="domain"> -+## <summary> -+## Domain allowed access. -+## </summary> -+## </param> -+# -+interface(`kernel_setattr_key',`
_service:tar_scm:Add-journalctl-the-sys_resource-capability.patch
Deleted
@@ -1,35 +0,0 @@ -From 4cb741896c440c80ea18a22ff60d4c36c5b0f95b Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela <zpytela@redhat.com> -Date: Fri, 3 Feb 2023 17:20:51 +0100 -Subject: PATCH 4/5 Add journalctl the sys_resource capability - -The journalctl command runs in the journalctl_t domain when executed by -a confined user (user, staff, sysadm). When is invoked with pager, -prctl() is called to change the process name. - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager) -type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc: denied { sys_resource } for pid=25516 comm=(pager) capability=sys_resource scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1 - -Resolves: rhbz#2136189 ---- - policy/modules/contrib/journalctl.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te -index 5b4329c80..b22b6a713 100644 ---- a/policy/modules/contrib/journalctl.te -+++ b/policy/modules/contrib/journalctl.te -@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t; - # - # journalctl local policy - # -+allow journalctl_t self:capability sys_resource; - allow journalctl_t self:process { fork setrlimit signal_perms }; - - allow journalctl_t self:fifo_file manage_fifo_file_perms; --- -2.33.0 -
_service:tar_scm:Additional-support-for-rpmdb_migrate.patch
Deleted
@@ -1,64 +0,0 @@ -From 47fe7d4c98809fcda9dfc8f1fab24cb6f765332c Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela <zpytela@redhat.com> -Date: Tue, 31 Jan 2023 19:12:39 +0100 -Subject: PATCH 1/5 Additional support for rpmdb_migrate - -Since the 3a99b00da4 ("Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t") -commit, selinux-policy supports the rpmdb-migrate.service which is -executed after the first boot to a newer Fedora release to migrate the -rpm database from /var/lib/rpm to /usr/lib/sysimage/rpm. -Additional permissions started to be required recently. - -Resolves: rhbz#2164752 ---- - policy/modules/contrib/rpm.te | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - -diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te -index 247f1fa7a..cf5539abb 100644 ---- a/policy/modules/contrib/rpm.te -+++ b/policy/modules/contrib/rpm.te -@@ -260,26 +260,33 @@ optional_policy(` - # rpmdb local policy - # - --allow rpmdb_t rpm_var_lib_t:file map; --allow rpmdb_t rpmdb_tmp_t:file map; -+can_exec(rpmdb_t, rpm_exec_t) - - manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) - manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) --files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir) --files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir) -+read_lnk_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) -+allow rpmdb_t rpm_var_lib_t:file map; - - manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t) - manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t) - files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir }) -+allow rpmdb_t rpmdb_tmp_t:file map; - --term_use_all_inherited_terms(rpmdb_t) -- --auth_dontaudit_read_passwd(rpmdb_t) -+corecmd_exec_bin(rpmdb_t) -+corecmd_exec_shell(rpmdb_t) - - files_rw_inherited_non_security_files(rpmdb_t) -+files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir) -+files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir) - - sysnet_dontaudit_read_config(rpmdb_t) - -+term_use_all_inherited_terms(rpmdb_t) 
-+ -+optional_policy(` -+ auth_dontaudit_read_passwd(rpmdb_t) -+') -+ - optional_policy(` - miscfiles_read_generic_certs(rpmdb_t) - ') --- -2.33.0 -
_service:tar_scm:Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
Deleted
@@ -1,31 +0,0 @@ -From 6651eeac26984ceb7416cb4639891bd59e30c4de Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela <zpytela@redhat.com> -Date: Tue, 7 Feb 2023 11:04:09 +0100 -Subject: PATCH 5/5 Allow certmonger read the contents of the sysfs - filesystem - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(02/07/2023 04:22:50.618:3929) : proctitle=/usr/bin/python3 -I /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -type=PATH msg=audit(02/07/2023 04:22:50.618:3929) : item=0 name=/sys/devices/system/cpu/possible inode=42 dev=00:15 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=SYSCALL msg=audit(02/07/2023 04:22:50.618:3929) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f9dcfbc79d8 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=25147 pid=25176 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-ca-r exe=/usr/bin/python3.11 subj=system_u:system_r:certmonger_t:s0 key=(null) -type=AVC msg=audit(02/07/2023 04:22:50.618:3929) : avc: denied { open } for pid=25176 comm=dogtag-ipa-ca-r path=/sys/devices/system/cpu/possible dev="sysfs" ino=42 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 ---- - policy/modules/contrib/certmonger.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te -index e721254ae..c72f05b44 100644 ---- a/policy/modules/contrib/certmonger.te -+++ b/policy/modules/contrib/certmonger.te -@@ -82,6 +82,7 @@ corecmd_exec_shell(certmonger_t) - - dev_read_rand(certmonger_t) - dev_read_urand(certmonger_t) -+dev_read_sysfs(certmonger_t) - - domain_use_interactive_fds(certmonger_t) - --- -2.33.0 -
_service:tar_scm:Allow-login_pgm-setcap-permission.patch
Deleted
@@ -1,42 +0,0 @@ -From 704e79751a2219a7a1e647084be6dbf04e679bf6 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela <zpytela@redhat.com> -Date: Fri, 3 Mar 2023 12:22:12 +0100 -Subject: PATCH Allow login_pgm setcap permission - -There is a pam_cap module as a part of the libcap package. When a -capability is added to the login process using pam_cap, the setcap -permission is required. - -Example setup: - - echo "cap_dac_read_search exampleuser" > /etc/security/capability.conf - echo "auth required pam_cap.so" >> /etc/pam.d/postlogin - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(03/03/2023 06:30:19.302:505) : proctitle=sshd: exampleuser priv -type=SYSCALL msg=audit(03/03/2023 06:30:19.302:505) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x55b8338dc6f4 a1=0x55b8338dc6fc a2=0x55b8338dc6fc a3=0x55b83388d010 items=0 ppid=1350 pid=1357 auid=exampleuser uid=root gid=exampleuser euid=root suid=root fsuid=root egid=exampleuser sgid=exampleuser fsgid=exampleuser tty=(none) ses=7 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(03/03/2023 06:30:19.302:505) : avc: denied { setcap } for pid=1357 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0 - -Resolves: rhbz#2172541 -Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com> ---- - policy/modules/system/authlogin.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index feabf67ab..2c3628a31 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -593,7 +593,7 @@ allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms; - allow login_pgm self:netlink_selinux_socket create_socket_perms; - allow login_pgm self:capability ipc_lock; - dontaudit login_pgm self:capability net_admin; --allow login_pgm self:process 
setkeycreate; -+allow login_pgm self:process { setcap setkeycreate }; - allow login_pgm self:key manage_key_perms; - userdom_manage_all_users_keys(login_pgm) - allow login_pgm nsswitch_domain:key manage_key_perms; --- -2.33.0 -
_service:tar_scm:Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
Deleted
@@ -1,35 +0,0 @@ -From 908adc1066c5df1e7d3b3a08f336a218b57c1dc2 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela <zpytela@redhat.com> -Date: Fri, 3 Feb 2023 18:15:19 +0100 -Subject: PATCH 3/5 Allow nm-dispatcher plugins read generic files in /proc - -It turns out the systemctl command needs to read /proc/cpuinfo at -the aarch64 architecture, so the permission was allowed for the -networkmanager_dispatcher_plugin attribute. - -The commit addresses the following AVC denial: -type=PROCTITLE msg=audit(26.1.2023 15:30:09.970:47) : proctitle=/bin/systemctl --no-block reload iscsi.service -type=SYSCALL msg=audit(26.1.2023 15:30:09.970:47) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xffff9b8f5170 a2=O_RDONLY a3=0x0 items=0 ppid=1186 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 key=(null) -type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc: denied { open } for pid=1188 comm=systemctl path=/proc/cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 -type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc: denied { read } for pid=1188 comm=systemctl name=cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 - -Resolves: rhbz#2164845 ---- - policy/modules/contrib/networkmanager.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te -index 0e3218929..ef77fdb32 100644 ---- a/policy/modules/contrib/networkmanager.te -+++ b/policy/modules/contrib/networkmanager.te -@@ -584,6 +584,7 @@ manage_files_pattern(NetworkManager_dispatcher_console_t, NetworkManager_dispatc - - 
read_files_pattern(NetworkManager_dispatcher_dnssec_t, NetworkManager_etc_t, NetworkManager_etc_rw_t) - -+kernel_read_proc_files(networkmanager_dispatcher_plugin) - kernel_request_load_module(NetworkManager_dispatcher_ddclient_t) - - auth_read_passwd(networkmanager_dispatcher_plugin) --- -2.33.0 -
_service:tar_scm:Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
Changed
@@ -5,15 +5,16 @@ without a transition" This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688. + --- - policy/modules/kernel/kernel.te | 12 +++--------- - 1 file changed, 3 insertions(+), 9 deletions(-) + policy/modules/kernel/kernel.te | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index f7ac8cd1f..2df33b0ac 100644 +index fc6f5f8..daf0801 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -347,16 +347,10 @@ selinux_compute_create_context(kernel_t) +@@ -351,18 +351,10 @@ selinux_compute_create_context(kernel_t) term_use_all_terms(kernel_t) term_use_ptmx(kernel_t) @@ -28,10 +29,13 @@ -role system_r types kernel_generic_helper_t; -corecmd_bin_entry_type(kernel_generic_helper_t) -corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t) +- +-allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms; +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. +corecmd_exec_bin(kernel_t) domain_use_all_fds(kernel_t) domain_signal_all_domains(kernel_t) -- -2.25.1 +2.27.0 +
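Review bot: The refreshed revert still carries no rationale beyond "This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688", while the hunk it rewrites replaces the kernel_generic_helper_t transition with corecmd_exec_bin(kernel_t), so bin_t programs the kernel executes stay in kernel_t. State in the patch header why this revert is needed here, since it now also drops the upstream line allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms; and has to be rebased on every upstream bump. The added blank line before the --- separator looks unintended.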
_service:tar_scm:v38.6.tar.gz/policy/modules.conf -> _service:tar_scm:v38.21.tar.gz/policy/modules.conf
Changed
@@ -3078,3 +3078,52 @@ # wireguard # wireguard = module + +# Layer: contrib +# Module: keyutils +# +# keyutils - Linux Key Management Utilities +# +keyutils = module + +# Layer: contrib +# Module: cifsutils +# +# cifsutils - Utilities for managing CIFS mounts +# +cifsutils = module + +# Layer: contrib +# Module: boothd +# +# boothd - Booth cluster ticket manager +# +boothd = module + +# Layer: contrib +# Module: kafs +# +# kafs - Tools for kAFS +# +kafs = module + +# Layer: contrib +# Module: bootupd +# +# bootupd - bootloader update daemon +# +bootupd = module + +# Layer: contrib +# Module: fdo +# +# fdo - fido device onboard protocol for IoT devices +# +fdo = module + +# Layer: contrib +# Module: qatlib +# +# qatlib - Intel QuickAssist technology library and resources management +# +qatlib = module
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/abrt.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/abrt.te
Changed
@@ -29,7 +29,7 @@ ## handle ABRT event scripts. ## </p> ## </desc> -gen_tunable(abrt_handle_event, false) +gen_tunable(abrt_handle_event, true) attribute abrt_domain; @@ -231,6 +231,7 @@ fs_search_all(abrt_t) fs_getattr_nsfs_files(abrt_t) fs_map_dos_files(abrt_t) +fs_read_pstore_files(abrt_t) storage_dontaudit_read_fixed_disk(abrt_t)
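Review bot: The first hunk flips the shipped default of abrt_handle_event from false to true, which changes behaviour for installations that never set the boolean explicitly. Call this out in the package changelog so administrators who relied on the old default know to turn the boolean off again; the one-line "update version to 38.21" entry does not mention it.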
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/accountsd.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/accountsd.if
Changed
@@ -22,6 +22,24 @@ ######################################## ## <summary> +## Read accountsd fifo files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`accountsd_read_fifo_file',` + gen_require(` + type accountsd_t; + ') + + allow $1 accountsd_t:fifo_file read_fifo_file_perms; +') + +######################################## +## <summary> ## Do not audit attempts to read and ## write Accounts Daemon fifo files. ## </summary>
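Review bot: In the new accountsd_read_fifo_file interface the parameter summary reads "Domain to not audit.", but the body is an allow rule (allow $1 accountsd_t:fifo_file read_fifo_file_perms;). The text looks copied from the dontaudit interface that follows it; it should read "Domain allowed access." so the generated interface documentation matches what the rule grants.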
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/accountsd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/accountsd.te
Changed
@@ -85,6 +85,10 @@ ') optional_policy(` + gnome_initial_setup_read_state(accountsd_t) +') + +optional_policy(` policykit_dbus_chat(accountsd_t) ') @@ -93,6 +97,10 @@ ') optional_policy(` + systemd_read_generic_unit_lnk_files(accountsd_t) +') + +optional_policy(` xserver_read_xdm_tmp_files(accountsd_t) xserver_read_state_xdm(accountsd_t) xserver_dbus_chat_xdm(accountsd_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/aide.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/aide.te
Changed
@@ -27,6 +27,7 @@ allow aide_t self:capability { dac_read_search fowner ipc_lock sys_admin }; allow aide_t self:process signal; +dontaudit aide_t self:process execmem; manage_files_pattern(aide_t, aide_db_t, aide_db_t) files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
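Review bot: The added dontaudit aide_t self:process execmem; has no comment saying what in aide asks for execmem. Because dontaudit removes the denial from the audit log, add a one-line justification above the rule so a later reader can tell this was an expected request and not something that should have been investigated.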
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/antivirus.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/antivirus.fc
Changed
@@ -7,6 +7,7 @@ /usr/lib/systemd/system/amavisd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0) /usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0) +/usr/lib/systemd/system/mimedefang\.service -- gen_context(system_u:object_r:antivirus_unit_file_t,s0) /usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/apache.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/apache.if
Changed
@@ -740,6 +740,25 @@ ######################################## ## <summary> +## Dontaudit the specified domain to search +## apache configuration dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apache_dontaudit_search_config',` + gen_require(` + type httpd_config_t; + ') + + dontaudit $1 httpd_config_t:dir search_dir_perms; +') + +######################################## +## <summary> ## Allow the specified domain to read ## apache configuration files. ## </summary>
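Review bot: In apache_dontaudit_search_config the parameter summary says "Domain allowed access.", but the rule is dontaudit $1 httpd_config_t:dir search_dir_perms;. Change the summary to "Domain to not audit." so the generated interface documentation does not suggest that access is granted.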
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/apache.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/apache.te
Changed
@@ -109,6 +109,13 @@ ## <desc> ## <p> +## Allow httpd to connect to redis +## </p> +## </desc> +gen_tunable(httpd_can_network_redis, false) + +## <desc> +## <p> ## Allow httpd to act as a relay ## </p> ## </desc> @@ -743,6 +750,10 @@ corenet_tcp_connect_memcache_port(httpd_t) ') +tunable_policy(`httpd_can_network_redis',` + corenet_tcp_connect_redis_port(httpd_t) +') + tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) @@ -887,6 +898,10 @@ fs_manage_fusefs_symlinks(httpd_t) ') +tunable_policy(`httpd_use_opencryptoki',` + allow httpd_t self:capability fowner; +') + tunable_policy(`httpd_setrlimit',` allow httpd_t self:process setrlimit; allow httpd_t self:capability sys_resource; @@ -931,6 +946,9 @@ ') optional_policy(` + # type transitions with a filename not allowed inside conditionals + pkcs_tmpfs_named_filetrans(httpd_t) + tunable_policy(`httpd_use_opencryptoki',` pkcs_use_opencryptoki(httpd_t) ')
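Review bot: In the third hunk, allow httpd_t self:capability fowner; under httpd_use_opencryptoki comes with no comment on which operation needs it. fowner lets the process bypass file-ownership permission checks, so note the reason next to the rule, as the fourth hunk does for the unconditional pkcs_tmpfs_named_filetrans(httpd_t).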
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/bind.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/bind.te
Changed
@@ -85,6 +85,7 @@ allow named_t dnssec_t:file read_file_perms; allow named_t named_conf_t:dir list_dir_perms; +allow named_t named_conf_t:file map; read_files_pattern(named_t, named_conf_t, named_conf_t) read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/blueman.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/blueman.te
Changed
@@ -58,6 +58,7 @@ dev_read_urand(blueman_t) dev_rw_wireless(blueman_t) dev_rwx_zero(blueman_t) +dev_watch_generic_dirs(blueman_t) domain_use_interactive_fds(blueman_t) domain_dontaudit_ptrace_all_domains(blueman_t) @@ -101,5 +102,9 @@ ') optional_policy(` + userdom_signal_unpriv_users(blueman_t) +') + +optional_policy(` xserver_read_state_xdm(blueman_t) ')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/boothd.fc
Added
@@ -0,0 +1,11 @@ +/etc/booth(/.*)? gen_context(system_u:object_r:boothd_etc_t,s0) + +/usr/sbin/boothd -- gen_context(system_u:object_r:boothd_exec_t,s0) +/usr/sbin/booth-keygen -- gen_context(system_u:object_r:boothd_exec_t,s0) + +/usr/lib/systemd/system/booth@\.service -- gen_context(system_u:object_r:boothd_unit_file_t,s0) +/usr/lib/systemd/system/booth-arbitrator\.service -- gen_context(system_u:object_r:boothd_unit_file_t,s0) + +/var/run/booth(/.*)? gen_context(system_u:object_r:boothd_var_run_t,s0) + +/var/lib/booth(/.*)? gen_context(system_u:object_r:boothd_var_lib_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/boothd.if
Added
@@ -0,0 +1,39 @@ +## <summary>policy for boothd</summary> + +######################################## +## <summary> +## Execute boothd_exec_t in the boothd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`boothd_domtrans',` + gen_require(` + type boothd_t, boothd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, boothd_exec_t, boothd_t) +') + +###################################### +## <summary> +## Execute boothd in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`boothd_exec',` + gen_require(` + type boothd_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, boothd_exec_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/boothd.te
Added
@@ -0,0 +1,81 @@ +policy_module(boothd, 1.0.0) + +######################################## +# +# Declarations +# + +type boothd_t; +type boothd_exec_t; +init_daemon_domain(boothd_t, boothd_exec_t) + +type boothd_etc_t; +files_config_file(boothd_etc_t) + +type boothd_unit_file_t; +systemd_unit_file(boothd_unit_file_t) + +type boothd_var_run_t; +files_pid_file(boothd_var_run_t) + +type boothd_var_lib_t; +files_type(boothd_var_lib_t) + +######################################## +# +# boothd local policy +# +allow boothd_t self:fifo_file rw_fifo_file_perms; +allow boothd_t self:capability { chown dac_override dac_read_search net_admin setgid setuid sys_nice sys_resource }; +allow boothd_t self:netlink_route_socket create_netlink_socket_perms; +allow boothd_t self:process { setsched setrlimit }; +allow boothd_t self:tcp_socket create_stream_socket_perms; +allow boothd_t self:udp_socket create_socket_perms; +allow boothd_t self:unix_dgram_socket create_socket_perms; +allow boothd_t self:unix_stream_socket create_stream_socket_perms; + +read_files_pattern(boothd_t, boothd_etc_t, boothd_etc_t) + +manage_dirs_pattern(boothd_t, boothd_var_run_t, boothd_var_run_t) +manage_files_pattern(boothd_t, boothd_var_run_t, boothd_var_run_t) +files_pid_filetrans(boothd_t, boothd_var_run_t, { dir file} ) + +manage_dirs_pattern(boothd_t, boothd_var_lib_t, boothd_var_lib_t) + +kernel_dgram_send(boothd_t) + +corecmd_exec_bin(boothd_t) +corecmd_exec_shell(boothd_t) + +corenet_tcp_bind_boothd_port(boothd_t) +corenet_udp_bind_boothd_port(boothd_t) +corenet_tcp_bind_generic_node(boothd_t) +corenet_udp_bind_generic_node(boothd_t) +corenet_tcp_connect_boothd_port(boothd_t) + +domain_use_interactive_fds(boothd_t) + +files_read_etc_files(boothd_t) + +optional_policy(` + auth_read_passwd(boothd_t) +') + +optional_policy(` + logging_create_devlog_dev(boothd_t) + logging_read_syslog_pid(boothd_t) +') + +optional_policy(` + miscfiles_read_localization(boothd_t) +') + +optional_policy(` + 
rhcs_read_log_cluster(boothd_t) + rhcs_rw_cluster_tmpfs(boothd_t) + rhcs_stream_connect_cluster(boothd_t) +') + +optional_policy(` + sysnet_read_config(boothd_t) +')
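Review bot: boothd_var_lib_t is declared, and boothd.fc labels /var/lib/booth(/.*)? with it, but the local policy only has manage_dirs_pattern(boothd_t, boothd_var_lib_t, boothd_var_lib_t); there is no manage_files_pattern and no files_var_lib_filetrans, unlike the boothd_var_run_t block just above it. If boothd writes files under /var/lib/booth, add the missing rules; if it does not, say so in a comment. Minor style point in the same area: { dir file} ) in files_pid_filetrans has uneven spacing.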
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/bootupd.fc
Added
@@ -0,0 +1,7 @@ +/usr/bin/bootupctl -- gen_context(system_u:object_r:bootupd_exec_t,s0) +/usr/libexec/bootupd -- gen_context(system_u:object_r:bootupd_exec_t,s0) + +/usr/lib/systemd/system/bootupd\.service -- gen_context(system_u:object_r:bootupd_unit_file_t,s0) +/usr/lib/systemd/system/bootupd\.socket -- gen_context(system_u:object_r:bootupd_unit_file_t,s0) + +/var/run/bootupd\.sock -s gen_context(system_u:object_r:bootupd_var_run_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/bootupd.if
Added
@@ -0,0 +1,39 @@ +## <summary>policy for bootupd</summary> + +######################################## +## <summary> +## Execute bootupd_exec_t in the bootupd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`bootupd_domtrans',` + gen_require(` + type bootupd_t, bootupd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, bootupd_exec_t, bootupd_t) +') + +###################################### +## <summary> +## Execute bootupd in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bootupd_exec',` + gen_require(` + type bootupd_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, bootupd_exec_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/bootupd.te
Added
@@ -0,0 +1,41 @@ +policy_module(bootupd, 1.0.0) + +######################################## +# +# Declarations +# + +type bootupd_t; +type bootupd_exec_t; +init_daemon_domain(bootupd_t, bootupd_exec_t) + +type bootupd_unit_file_t; +systemd_unit_file(bootupd_unit_file_t) + +type bootupd_var_run_t; +files_pid_file(bootupd_var_run_t) + +permissive bootupd_t; + +######################################## +# +# bootupd local policy +# +allow bootupd_t self:capability { setgid setuid }; +allow bootupd_t self:process { fork setpgid }; +allow bootupd_t self:fifo_file rw_fifo_file_perms; +allow bootupd_t self:unix_dgram_socket create_socket_perms; +allow bootupd_t self:unix_stream_socket create_stream_socket_perms; + +kernel_dgram_send(bootupd_t) + +domain_use_interactive_fds(bootupd_t) + +files_read_etc_files(bootupd_t) + +fs_getattr_all_fs(bootupd_t) +fs_search_dos(bootupd_t) + +optional_policy(` + miscfiles_read_localization(bootupd_t) +')
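Review bot: permissive bootupd_t; in the declarations means the domain ships unenforced: denials for the bootloader update daemon are logged but not blocked. Add a comment stating that this is temporary and what has to happen before the line is removed, so the permissive state does not persist unnoticed across releases.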
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/certmonger.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/certmonger.te
Changed
@@ -82,6 +82,7 @@ dev_read_rand(certmonger_t) dev_read_urand(certmonger_t) +dev_read_sysfs(certmonger_t) domain_use_interactive_fds(certmonger_t) @@ -129,6 +130,10 @@ ') optional_policy(` + cron_dbus_chat_system_job(certmonger_t) +') + +optional_policy(` dbus_connect_system_bus(certmonger_t) dbus_system_bus_client(certmonger_t) ') @@ -177,6 +182,7 @@ ') optional_policy(` + rhcs_manage_cluster_lib_files(certmonger_t) rhcs_start_haproxy_services(certmonger_t) ')
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/chrome.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/chrome.te
Changed
@@ -34,8 +34,7 @@ allow chrome_sandbox_t self:capability2 block_suspend; allow chrome_sandbox_t self:capability { chown dac_read_search fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; dontaudit chrome_sandbox_t self:capability sys_nice; -allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; -allow chrome_sandbox_t self:process setsched; +allow chrome_sandbox_t self:process { execmem execstack setcap setrlimit setsched signal_perms }; allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms; allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
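Review bot: the merged `self:process` line adds `setcap` while also folding in `setsched` and re-sorting the permission set, so the one new permission is easy to miss. Keep the reorder and the new `setcap` grant as separate changes, or at least call out `setcap` for chrome_sandbox_t in the changelog, since the context lines show the domain already holds `sys_admin`, `setuid` and `execstack`.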
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/chronyd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/chronyd.te
Changed
@@ -12,6 +12,10 @@ type chronyd_exec_t; init_daemon_domain(chronyd_t, chronyd_exec_t) +type chronyd_restricted_t; +init_explicit_domain(chronyd_restricted_t, chronyd_exec_t) +init_nnp_daemon_domain(chronyd_restricted_t) + type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) @@ -144,6 +148,10 @@ userdom_dgram_send(chronyd_t) optional_policy(` + cloudform_init_dgram_send(chronyd_t) +') + +optional_policy(` cron_dgram_send(chronyd_t) ') 
@@ -192,6 +200,50 @@ ######################################## # +# Policy for chronyd-restricted +# + +allow chronyd_restricted_t self:capability sys_time; +allow chronyd_restricted_t self:tcp_socket create_stream_socket_perms; +allow chronyd_restricted_t self:udp_socket create_socket_perms; +allow chronyd_restricted_t self:unix_dgram_socket create_socket_perms; + +manage_files_pattern(chronyd_restricted_t, chronyd_var_lib_t, chronyd_var_lib_t) + +allow chronyd_restricted_t chronyd_var_log_t:dir getattr_dir_perms; + +manage_files_pattern(chronyd_restricted_t, chronyd_var_run_t, chronyd_var_run_t) +list_dirs_pattern(chronyd_restricted_t, chronyd_var_run_t, chronyd_var_run_t) +manage_sock_files_pattern(chronyd_restricted_t, chronyd_var_run_t, chronyd_var_run_t) +files_pid_filetrans(chronyd_restricted_t, chronyd_var_run_t, { file sock_file }) + +corenet_tcp_bind_generic_node(chronyd_restricted_t) +corenet_udp_bind_generic_node(chronyd_restricted_t) + +corenet_udp_bind_chronyd_port(chronyd_restricted_t) +corenet_udp_bind_ntp_port(chronyd_restricted_t) +corenet_tcp_bind_ntske_port(chronyd_restricted_t) +corenet_tcp_connect_ntske_port(chronyd_restricted_t) +corenet_udp_bind_ptp_event_port(chronyd_restricted_t) + +optional_policy(` + auth_read_passwd(chronyd_restricted_t) +') + +optional_policy(` + logging_send_syslog_msg(chronyd_restricted_t) +') + +optional_policy(` + miscfiles_read_certs(chronyd_restricted_t) +') + +optional_policy(` + sysnet_dns_name_resolve(chronyd_restricted_t) +') + +######################################## +# # Local policy # @@ -226,6 +278,7 @@ kernel_read_system_state(chronyc_t) kernel_read_network_state(chronyc_t) +kernel_read_net_sysctls(chronyc_t) auth_use_nsswitch(chronyc_t)
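Review bot: chronyd_restricted_t is declared on the same entry point as chronyd_t (chronyd_exec_t), but neither the declaration hunk nor the "Policy for chronyd-restricted" block says which service runs in the new domain or how it is selected over chronyd_t; a one-line comment at the declaration would settle that. A question on the same block: it allows corenet_udp_bind_ntp_port and corenet_udp_bind_ptp_event_port while the only capability granted is `sys_time`. If the restricted service is expected to bind a privileged port itself, `net_bind_service` is missing; if it is not, say so in a comment.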
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cifsutils.fc
Added
@@ -0,0 +1,2 @@ +/usr/sbin/cifs\.upcall -- gen_context(system_u:object_r:cifs_helper_exec_t,s0) +/usr/sbin/cifs\.idmap -- gen_context(system_u:object_r:cifs_helper_exec_t,s0)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cifsutils.if
Added
@@ -0,0 +1,1 @@ +## <summary>Utilities for managing CIFS mounts</summary>
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cifsutils.te
Added
@@ -0,0 +1,61 @@ +policy_module(cifsutils, 1.0) + +type cifs_helper_exec_t; +files_type(cifs_helper_exec_t) + +type cifs_helper_t; +domain_type(cifs_helper_t) +application_domain(cifs_helper_t, cifs_helper_exec_t) +role system_r types cifs_helper_t; + +allow cifs_helper_t self:capability { setgid setuid sys_chroot }; +allow cifs_helper_t self:key write; +allow cifs_helper_t self:netlink_route_socket create_netlink_socket_perms; +allow cifs_helper_t self:process setcap; +allow cifs_helper_t self:tcp_socket create_stream_socket_perms; +allow cifs_helper_t self:udp_socket create_socket_perms; + +kernel_view_key(cifs_helper_t) + +corenet_tcp_connect_kerberos_port(cifs_helper_t) + +fs_read_nsfs_files(cifs_helper_t) + +mount_read_state(cifs_helper_t) + +sysnet_read_config(cifs_helper_t) + +optional_policy(` + auth_read_passwd(cifs_helper_t) +') + +optional_policy(` + init_search_pid_dirs(cifs_helper_t) + logging_send_syslog_msg(cifs_helper_t) +') + +optional_policy(` + kerberos_read_config(cifs_helper_t) + kerberos_read_keytab(cifs_helper_t) + + optional_policy(` + sssd_read_public_files(cifs_helper_t) + ') +') + +optional_policy(` + # /etc/request-key.d/cifs.spnego.conf + keyutils_request_domtrans_to(cifs_helper_t, cifs_helper_exec_t) +') + +optional_policy(` + miscfiles_read_generic_certs(cifs_helper_t) +') + +optional_policy(` + sssd_stream_connect(cifs_helper_t) +') + +optional_policy(` + userdom_read_all_users_state(cifs_helper_t) +')
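Review bot: cifs_helper_t receives `self:capability { setgid setuid sys_chroot }`, `self:process setcap` and `self:key write` with no comment saying which helper needs them, and cifsutils.fc labels both cifs.upcall and cifs.idmap as cifs_helper_exec_t, so both binaries get the union. The `# /etc/request-key.d/cifs.spnego.conf` comment on keyutils_request_domtrans_to is the kind of annotation the capability lines should carry too. The sssd access is also split between a nested optional_policy under the kerberos block (sssd_read_public_files) and a separate top-level block (sssd_stream_connect); one sssd block would be easier to audit.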
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/cloudform.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cloudform.if
Changed
@@ -59,6 +59,43 @@ allow $1 cloud_init_t:fifo_file rw_fifo_file_perms; ') +######################################## +## <summary> +## Send a message to cloud-init over a datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cloudform_init_dgram_send',` + gen_require(` + type cloud_init_t; + ') + + allow $1 cloud_init_t:unix_dgram_socket sendto; +') + +######################################## +## <summary> +## Write to cloud-init temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cloudform_init_write_tmp',` + gen_require(` + type cloud_init_tmp_t; + ') + + files_search_tmp($1) + write_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t) +') + ###################################### ## <summary> ## Execute mongod in the caller domain.
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/cloudform.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cloudform.te
Changed
@@ -121,6 +121,10 @@ ') optional_policy(` + gpg_manage_admin_home_content(cloud_init_t) +') + +optional_policy(` rhsmcertd_dbus_chat(cloud_init_t) ') @@ -141,6 +145,10 @@ ') optional_policy(` + insights_client_domtrans(cloud_init_t) +') + +optional_policy(` mount_domtrans(cloud_init_t) ')
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/collectd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/collectd.te
Changed
@@ -72,6 +72,7 @@ kernel_read_all_sysctls(collectd_t) kernel_read_all_proc(collectd_t) kernel_list_all_proc(collectd_t) +kernel_read_network_state_symlinks(collectd_t) auth_use_nsswitch(collectd_t)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/colord.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/colord.te
Changed
@@ -145,6 +145,7 @@ # Fixes lots of breakage in F16 on upgrade gnome_read_generic_data_home_files(colord_t) gnome_map_generic_data_home_files(colord_t) + gnome_initial_setup_read_var_run_files(colord_t) ') optional_policy(`
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/cron.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cron.te
Changed
@@ -544,8 +544,8 @@ # via redirection of standard out. optional_policy(` - rpm_domtrans_script(system_cronjob_t) rpm_manage_log(system_cronjob_t) + rpm_transition_script(system_cronjob_t, system_r) ') ')
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/cups.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cups.te
Changed
@@ -383,6 +383,7 @@ optional_policy(` samba_read_config(cupsd_t) + samba_create_var_files(cupsd_t) samba_rw_var_files(cupsd_t) samba_stream_connect_nmbd(cupsd_t) ') @@ -407,6 +408,10 @@ vmware_read_system_config(cupsd_t) ') +optional_policy(` + xserver_dbus_chat_xdm(cupsd_t) +') + ######################################## # # Configuration daemon local policy
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/cyrus.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/cyrus.if
Changed
@@ -52,9 +52,12 @@ # interface(`cyrus_stream_connect',` gen_require(` - type cyrus_t, cyrus_var_lib_t; + type cyrus_t, cyrus_var_lib_t, cyrus_var_run_t; ') + files_search_pids($1) + stream_connect_pattern($1, cyrus_var_run_t, cyrus_var_run_t, cyrus_t) + # deprecated, new socket location is in /run files_search_var_lib($1) stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t) ')
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/dmidecode.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/dmidecode.te
Changed
@@ -34,6 +34,10 @@ userdom_use_inherited_user_terminals(dmidecode_t) optional_policy(` + cloudform_init_write_tmp(dmidecode_t) +') + +optional_policy(` rhsmcertd_rw_lock_files(dmidecode_t) rhsmcertd_read_log(dmidecode_t) ')
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/dovecot.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/dovecot.te
Changed
@@ -125,6 +125,7 @@ manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) +allow dovecot_t dovecot_spool_t:file map; manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -338,6 +339,9 @@ allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; +create_dirs_pattern(dovecot_deliver_t, dovecot_spool_t, dovecot_spool_t) +mmap_read_files_pattern(dovecot_deliver_t, dovecot_spool_t, dovecot_spool_t) + manage_dirs_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) manage_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) logging_log_filetrans(dovecot_deliver_t, dovecot_var_log_t, { file dir }) @@ -346,6 +350,7 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) +allow dovecot_deliver_t dovecot_var_run_t:fifo_file write_fifo_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/exim.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/exim.te
Changed
@@ -104,6 +104,7 @@ kernel_read_crypto_sysctls(exim_t) kernel_read_kernel_sysctls(exim_t) +kernel_read_net_sysctls(exim_t) kernel_read_network_state(exim_t) kernel_read_system_state(exim_t)
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fdo.fc
Added
@@ -0,0 +1,13 @@ +/etc/fdo(/.*)? gen_context(system_u:object_r:fdo_conf_t,s0) +/etc/fdo/aio/aio_configuration -- gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/aio/configs(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/aio/keys(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/aio/logs(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) +/etc/fdo/aio/stores(/.*)? gen_context(system_u:object_r:fdo_conf_rw_t,s0) + +/usr/bin/fdo-admin-tool -- gen_context(system_u:object_r:fdo_exec_t,s0) +/usr/bin/fdo-owner-tool -- gen_context(system_u:object_r:fdo_exec_t,s0) + +/usr/libexec/fdo(/.*)? -- gen_context(system_u:object_r:fdo_exec_t,s0) + +/usr/lib/systemd/system/fdo.*.service -- gen_context(system_u:object_r:fdo_unit_file_t,s0)
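Review bot: the last entry, `/usr/lib/systemd/system/fdo.*.service`, leaves the dot before `service` unescaped, so it matches any character in that position; bootupd.fc in this same update writes `bootupd\.service`. Suggest `fdo.*\.service`. Also note that `/usr/libexec/fdo(/.*)? --` is restricted to regular files, so the directory itself is not labelled by this entry; fine if that is intended.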
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fdo.if
Added
@@ -0,0 +1,40 @@ + +## <summary>policy for fdo</summary> + +######################################## +## <summary> +## Execute fdo_exec_t in the fdo domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`fdo_domtrans',` + gen_require(` + type fdo_t, fdo_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fdo_exec_t, fdo_t) +') + +###################################### +## <summary> +## Execute fdo in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fdo_exec',` + gen_require(` + type fdo_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, fdo_exec_t) +')
View file
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fdo.te
Added
@@ -0,0 +1,69 @@ +policy_module(fdo, 1.0.0) + +######################################## +# +# Declarations +# + +type fdo_t; +type fdo_exec_t; +init_daemon_domain(fdo_t, fdo_exec_t) + +type fdo_conf_t; +files_config_file(fdo_conf_t) + +type fdo_conf_rw_t; +files_config_file(fdo_conf_rw_t) + +type fdo_tmp_t; +files_tmp_file(fdo_tmp_t) + +type fdo_unit_file_t; +systemd_unit_file(fdo_unit_file_t) + +######################################## +# +# fdo local policy +# +allow fdo_t self:fifo_file rw_fifo_file_perms; +allow fdo_t self:netlink_route_socket r_netlink_socket_perms; +allow fdo_t self:tcp_socket create_stream_socket_perms; +allow fdo_t self:udp_socket create_socket_perms; +allow fdo_t self:unix_stream_socket create_stream_socket_perms; + +can_exec(fdo_t, fdo_exec_t) + +manage_dirs_pattern(fdo_t, fdo_conf_t, fdo_conf_t) +manage_dirs_pattern(fdo_t, fdo_conf_rw_t, fdo_conf_rw_t) +manage_files_pattern(fdo_t, fdo_conf_rw_t, fdo_conf_rw_t) +manage_lnk_files_pattern(fdo_t, fdo_conf_rw_t, fdo_conf_rw_t) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "configs" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "keys" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "logs" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "stores" ) +filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, file, "aio_configuration" ) + +corenet_tcp_bind_generic_node(fdo_t) +corenet_tcp_bind_http_cache_port(fdo_t) +corenet_tcp_connect_http_cache_port(fdo_t) +corenet_tcp_bind_http_port(fdo_t) +corenet_tcp_connect_http_port(fdo_t) +corenet_tcp_bind_transproxy_port(fdo_t) +corenet_tcp_connect_transproxy_port(fdo_t) +corenet_tcp_bind_us_cli_port(fdo_t) +corenet_tcp_connect_us_cli_port(fdo_t) + +domain_use_interactive_fds(fdo_t) + +files_read_config_files(fdo_t) + +fs_read_cgroup_files(fdo_t) + +optional_policy(` + miscfiles_read_generic_certs(fdo_t) + miscfiles_read_localization(fdo_t) +') + +optional_policy(` + sysnet_read_config(fdo_t) +')
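Review bot: fdo_tmp_t is declared with files_tmp_file() but no rule in the local policy references it (no manage pattern, no tmp file transition), so either the type is dead or the tmp rules were forgotten. Also, `manage_dirs_pattern(fdo_t, fdo_conf_t, fdo_conf_t)` lets the daemon create and remove directories of the plain config type, while the filetrans_pattern lines suggest it only needs to create the named fdo_conf_rw_t entries under it; please check whether a narrower directory permission on fdo_conf_t is enough. Minor: the filetrans_pattern calls have a stray space before the closing parenthesis.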
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/fedoratp.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/fedoratp.te
Changed
@@ -75,4 +75,5 @@ optional_policy(` userdom_manage_admin_dirs(fedoratp_t) userdom_manage_admin_files(fedoratp_t) + userdom_manage_tmp_dirs(fedoratp_t) ')
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/firewalld.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/firewalld.te
Changed
@@ -82,6 +82,7 @@ dev_read_urand(firewalld_t) dev_read_sysfs(firewalld_t) +dev_rw_crypto(firewalld_t) domain_use_interactive_fds(firewalld_t) domain_obj_id_change_exemption(firewalld_t) @@ -131,6 +132,10 @@ ') optional_policy(` + ica_rw_map_tmpfs_files(firewalld_t) +') + +optional_policy(` iptables_domtrans(firewalld_t) iptables_read_var_run(firewalld_t) ')
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/ftp.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/ftp.fc
Changed
@@ -1,7 +1,7 @@ /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) -/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) -/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:ftpd_unit_file_t,s0) +/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:ftpd_unit_file_t,s0) /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/ftp.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/ftp.te
Changed
@@ -177,6 +177,7 @@ kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) kernel_read_network_state(ftpd_t) +kernel_read_net_sysctls(ftpd_t) dev_read_sysfs(ftpd_t) dev_read_urand(ftpd_t)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/geoclue.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/geoclue.te
Changed
@@ -37,6 +37,7 @@ kernel_read_system_state(geoclue_t) kernel_read_network_state(geoclue_t) +kernel_read_net_sysctls(geoclue_t) auth_read_passwd(geoclue_t) @@ -48,6 +49,8 @@ dev_read_urand(geoclue_t) +files_watch_etc_dirs(geoclue_t) + fs_getattr_cgroup(geoclue_t) fs_getattr_xattr_fs(geoclue_t)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/gnome.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.fc
Changed
@@ -25,6 +25,7 @@ /var/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) /var/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) /var/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) +/var/run/gnome-initial-setup(/.*)? gen_context(system_u:object_r:gnome_initial_setup_var_run_t,s0) /root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) /root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) @@ -59,5 +60,7 @@ /usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) +/usr/libexec/gnome-initial-setup.* -- gen_context(system_u:object_r:gnome_initial_setup_exec_t,s0) + /usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) /usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/gnome.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.if
Changed
@@ -2019,3 +2019,116 @@ domtrans_pattern($1, gnome_atspi_exec_t, gnome_atspi_t) ') + +######################################## +## <summary> +## Execute gnome-initial-setup programs in its domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gnome_initial_setup_domtrans',` + gen_require(` + type gnome_initial_setup_t, gnome_initial_setup_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gnome_initial_setup_exec_t, gnome_initial_setup_t) +') + +######################################## +## <summary> +## Allow gnome-initial-setup noatsecure +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_noatsecure',` + gen_require(` + type gnome_initial_setup_t; + ') + + allow $1 gnome_initial_setup_t:process noatsecure; +') + +######################################## +## <summary> +## Allow read gnome-initial-setup runtime files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_read_var_run_files',` + gen_require(` + type gnome_initial_setup_var_run_t; + ') + + read_files_pattern($1, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) + allow $1 gnome_initial_setup_var_run_t:file map; +') + +######################################## +## <summary> +## Allow manage gnome-initial-setup all runtime files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_initial_setup_manage_var_run',` + gen_require(` + type gnome_initial_setup_var_run_t; + ') + + manage_dirs_pattern($1, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) + manage_files_pattern($1, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) + manage_sock_files_pattern($1, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) + allow $1 gnome_initial_setup_var_run_t:file map; +') + +######################################## +## <summary> +## Read the process state of gnome-initial-setup +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_read_state',` + gen_require(` + type gnome_initial_setup_t; + ') + + ps_process_pattern($1, gnome_initial_setup_t) +') + +######################################## +## <summary> +## Transition to gnome-initial-setup named content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_filetrans_named_content',` + gen_require(` + type gnome_initial_setup_var_run_t; + ') + + files_pid_filetrans($1, gnome_initial_setup_var_run_t, dir, "gnome-initial-setup") +')
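Review bot: the summary of gnome_initial_setup_noatsecure, "Allow gnome-initial-setup noatsecure", does not say what the caller gains. The rule is `allow $1 gnome_initial_setup_t:process noatsecure;`, so the calling domain may transition into gnome_initial_setup_t without secure-mode environment cleansing, and the doc comment should state that. The other new summaries ("Allow read ...", "Allow manage ... all runtime files") would read better in the form used by the first interface ("Execute ... in its domain."), and gnome_initial_setup_manage_var_run drops the `_files` suffix used by its read counterpart.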
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/gnome.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gnome.te
Changed
@@ -73,6 +73,13 @@ type gconfdefaultsm_exec_t; init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t) +type gnome_initial_setup_t; +type gnome_initial_setup_exec_t; +init_system_domain(gnome_initial_setup_t, gnome_initial_setup_exec_t); + +type gnome_initial_setup_var_run_t; +files_pid_file(gnome_initial_setup_var_run_t); + type gnomesystemmm_t; type gnomesystemmm_exec_t; init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t) 
@@ -325,3 +332,139 @@ xserver_read_xdm_lib_files(gnome_atspi_t) xserver_stream_connect(gnome_atspi_t) ') + +###################################### +# +# gnome-initial-setup local policy +# + +allow gnome_initial_setup_t self:capability { audit_write dac_read_search setgid setuid }; +allow gnome_initial_setup_t self:cap_userns { dac_override net_admin setpcap sys_admin sys_ptrace }; +allow gnome_initial_setup_t self:netlink_route_socket create_netlink_socket_perms; +allow gnome_initial_setup_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow gnome_initial_setup_t self:process { setcap setrlimit setsched }; +allow gnome_initial_setup_t self:tcp_socket create_stream_socket_perms; +allow gnome_initial_setup_t self:udp_socket create_socket_perms; +allow gnome_initial_setup_t self:unix_dgram_socket create_socket_perms; +allow gnome_initial_setup_t self:unix_stream_socket connectto; +allow gnome_initial_setup_t self:user_namespace create; + +allow gnome_initial_setup_t gnome_initial_setup_exec_t:file execute_no_trans; +allow gnome_initial_setup_t gkeyringd_exec_t:file exec_file_perms; + +manage_dirs_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) +manage_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) +manage_sock_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) +files_pid_filetrans(gnome_initial_setup_t, gnome_initial_setup_var_run_t, dir) +allow gnome_initial_setup_t gnome_initial_setup_var_run_t:file map; + +rw_files_pattern(gnome_initial_setup_t, config_home_t, config_home_t) +allow gnome_initial_setup_t config_home_t:file map; + +kernel_dgram_send(gnome_initial_setup_t) +kernel_mount_proc(gnome_initial_setup_t) +kernel_read_net_sysctls(gnome_initial_setup_t) +kernel_read_network_state_symlinks(gnome_initial_setup_t) +kernel_read_proc_files(gnome_initial_setup_t) 
+kernel_stream_connect(gnome_initial_setup_t) + +auth_read_passwd_file(gnome_initial_setup_t) + +corecmd_exec_bin(gnome_initial_setup_t) + +corenet_tcp_connect_http_port(gnome_initial_setup_t) + +dev_read_sysfs(gnome_initial_setup_t) +dev_remount_sysfs_fs(gnome_initial_setup_t) +dev_rw_dri(gnome_initial_setup_t) + +files_map_read_etc_files(gnome_initial_setup_t) +files_mounton_non_security(gnome_initial_setup_t) +files_watch_etc_dirs(gnome_initial_setup_t) +files_watch_tmpfs_dirs(gnome_initial_setup_t) + +fs_all_mount_fs_perms_tmpfs(gnome_initial_setup_t) +fs_all_mount_fs_perms_xattr_fs(gnome_initial_setup_t) +fs_getattr_nsfs_files(gnome_initial_setup_t) +fs_manage_tmpfs_dirs(gnome_initial_setup_t) +fs_manage_tmpfs_files(gnome_initial_setup_t) +fs_manage_tmpfs_symlinks(gnome_initial_setup_t) +fs_read_cgroup_files(gnome_initial_setup_t) + +# memfd objects created by gnome-shell +fs_map_tmpfs_files(gnome_initial_setup_t) +fs_rw_inherited_tmpfs_files(gnome_initial_setup_t) + +sysnet_read_config(gnome_initial_setup_t) + +term_mount_pty_fs(gnome_initial_setup_t) +term_use_unallocated_ttys(gnome_initial_setup_t) + +tunable_policy(`deny_execmem',`',` + allow gnome_initial_setup_t self:process execmem; +') + +optional_policy(` + dbus_system_bus_client(gnome_initial_setup_t) + dbus_write_session_tmp_sock_files(gnome_initial_setup_t) + + optional_policy(` + accountsd_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` + networkmanager_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` + policykit_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` + realmd_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` + xserver_connect_xdm_bus(gnome_initial_setup_t) + xserver_dbus_chat_xdm(gnome_initial_setup_t) + ') +') + +optional_policy(` + fedoratp_domtrans(gnome_initial_setup_t) +') + +optional_policy(` + logging_create_devlog_dev(gnome_initial_setup_t) + logging_write_syslog_pid_socket(gnome_initial_setup_t) +') + +optional_policy(` + 
miscfiles_map_generic_certs(gnome_initial_setup_t) + miscfiles_read_generic_certs(gnome_initial_setup_t) +') + +optional_policy(` + systemd_dbus_chat_localed(gnome_initial_setup_t) + systemd_dbus_chat_logind(gnome_initial_setup_t) + systemd_dbus_chat_timedated(gnome_initial_setup_t) + systemd_login_read_pid_files(gnome_initial_setup_t) + systemd_read_logind_sessions_files(gnome_initial_setup_t) + systemd_machined_stream_connect(gnome_initial_setup_t) + systemd_userdbd_stream_connect(gnome_initial_setup_t) +') + +optional_policy(` + unconfined_domain(gnome_initial_setup_t) +') + +optional_policy(` + userdom_manage_tmp_dirs(gnome_initial_setup_t) + userdom_manage_tmp_files(gnome_initial_setup_t) + userdom_manage_tmp_sockets(gnome_initial_setup_t) +') + +optional_policy(` + xserver_stream_connect_xdm(gnome_initial_setup_t) + xserver_xdm_signull(gnome_initial_setup_t) +')
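Review bot: the block near the end, `optional_policy(` unconfined_domain(gnome_initial_setup_t) ')`, makes gnome_initial_setup_t unconfined whenever the unconfined module is present, which leaves the long list of explicit rules above it largely redundant on such systems. If this is a temporary measure, mark it with a comment; if it is permanent, say so and consider trimming the explicit rules. Also, in the declaration hunk `init_system_domain(gnome_initial_setup_t, gnome_initial_setup_exec_t);` and `files_pid_file(gnome_initial_setup_var_run_t);` end with a `;`, unlike the neighbouring init_daemon_domain lines.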
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/gssproxy.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/gssproxy.te
Changed
@@ -39,6 +39,7 @@ manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file }) +kernel_read_net_sysctls(gssproxy_t) kernel_rw_rpc_sysctls(gssproxy_t) kernel_read_network_state(gssproxy_t) kernel_read_system_state(gssproxy_t)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/icecast.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/icecast.te
Changed
@@ -49,6 +49,7 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) kernel_read_system_state(icecast_t) +kernel_stream_connect(icecast_t) corenet_all_recvfrom_unlabeled(icecast_t) corenet_all_recvfrom_netlabel(icecast_t)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/insights_client.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/insights_client.te
Changed
@@ -47,7 +47,7 @@ # # insights_client local policy # -allow insights_client_t self:capability { dac_override dac_read_search fowner ipc_owner kill net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource }; +allow insights_client_t self:capability { dac_override dac_read_search fowner ipc_owner kill net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource }; allow insights_client_t self:cap_userns sys_ptrace; allow insights_client_t self:fifo_file rw_fifo_file_perms; allow insights_client_t self:netlink_generic_socket create_socket_perms; @@ -55,8 +55,9 @@ allow insights_client_t self:netlink_route_socket create_netlink_socket_perms; allow insights_client_t self:netlink_selinux_socket create_socket_perms; allow insights_client_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow insights_client_t self:packet_socket create_socket_perms; allow insights_client_t self:passwd rootok; -allow insights_client_t self:process { getattr setfscreate setpgid setrlimit setsched }; +allow insights_client_t self:process { getattr getsession setfscreate setpgid setrlimit setsched }; allow insights_client_t self:tcp_socket create_socket_perms; allow insights_client_t self:udp_socket create_socket_perms; allow insights_client_t self:unix_dgram_socket create_socket_perms; 
@@ -88,7 +89,9 @@ manage_dirs_pattern(insights_client_t, insights_client_tmp_t, insights_client_tmp_t) manage_files_pattern(insights_client_t, insights_client_tmp_t, insights_client_tmp_t) -files_tmp_filetrans(insights_client_t, insights_client_tmp_t, { dir file }) +manage_fifo_files_pattern(insights_client_t, insights_client_tmp_t, insights_client_tmp_t) +manage_sock_files_pattern(insights_client_t, insights_client_tmp_t, insights_client_tmp_t) +files_tmp_filetrans(insights_client_t, insights_client_tmp_t, { dir file fifo_file sock_file }) allow insights_client_t insights_client_tmp_t:dir relabel_dir_perms; allow insights_client_t insights_client_tmp_t:file relabel_dir_perms; @@ -101,21 +104,14 @@ kernel_dgram_send(insights_client_t) kernel_get_sysvipc_info(insights_client_t) +kernel_read_all_sysctls(insights_client_t) kernel_list_all_proc(insights_client_t) -kernel_read_device_sysctls(insights_client_t) -kernel_read_fs_sysctls(insights_client_t) -kernel_read_kernel_ns_lastpid_sysctls(insights_client_t) -kernel_read_net_sysctls(insights_client_t) kernel_read_network_state(insights_client_t) kernel_read_proc_files(insights_client_t) -kernel_read_rpc_sysctls(insights_client_t) kernel_read_ring_buffer(insights_client_t) kernel_read_security_state(insights_client_t) kernel_read_software_raid_state(insights_client_t) kernel_read_system_state(insights_client_t) -kernel_read_unix_sysctls(insights_client_t) -kernel_read_usermodehelper_state(insights_client_t) -kernel_read_vm_sysctls(insights_client_t) kernel_request_load_module(insights_client_t) kernel_view_key(insights_client_t) 
@@ -155,12 +151,14 @@ files_getattr_all_sockets(insights_client_t) files_manage_etc_symlinks(insights_client_t) files_manage_generic_locks(insights_client_t) +files_map_non_security_files(insights_client_t) files_map_read_etc_files(insights_client_t) files_read_non_security_files(insights_client_t) files_read_all_symlinks(insights_client_t) files_status_etc(insights_client_t) files_write_generic_tmp_sock_files(insights_client_t) +fs_get_all_fs_quotas(insights_client_t) fs_getattr_all_fs(insights_client_t) fs_getattr_all_files(insights_client_t) fs_read_configfs_dirs(insights_client_t) @@ -184,6 +182,10 @@ storage_raw_read_fixed_disk(insights_client_t) +tunable_policy(`deny_execmem',`',` + allow insights_client_t self:process execmem; +') + optional_policy(` abrt_dbus_chat(insights_client_t) ') @@ -241,6 +243,7 @@ optional_policy(` fstools_domtrans(insights_client_t) + fsadm_manage_pid(insights_client_t) ') optional_policy(` @@ -289,6 +292,7 @@ optional_policy(` logging_domtrans_auditctl(insights_client_t) + logging_mmap_generic_logs(insights_client_t) logging_mmap_journal(insights_client_t) logging_read_audit_config(insights_client_t) logging_read_audit_log(insights_client_t) @@ -319,6 +323,7 @@ optional_policy(` networkmanager_dbus_chat(insights_client_t) + networkmanager_stream_connect(insights_client_t) ') optional_policy(` @@ -397,6 +402,7 @@ optional_policy(` unconfined_server_create_shm(insights_client_t) + unconfined_server_read_semaphores(insights_client_t) ') optional_policy(`
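Review bot: several changes here widen access without explanation: kernel_read_all_sysctls replaces the specific kernel_read_*_sysctls calls, `net_raw` together with `self:packet_socket create_socket_perms` allows raw packet sockets, and the deny_execmem tunable block grants `execmem`. Each deserves a comment naming the collector that needs it. Not introduced by this update but visible in the context lines: `allow insights_client_t insights_client_tmp_t:file relabel_dir_perms;` applies a directory permission set to the file class; with fifo_file and sock_file now also created as insights_client_tmp_t, this is a good moment to change it to relabel_file_perms.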
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/journalctl.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/journalctl.te
Changed
@@ -18,6 +18,7 @@ # # journalctl local policy # +allow journalctl_t self:capability sys_resource; allow journalctl_t self:process { fork setrlimit signal_perms }; allow journalctl_t self:fifo_file manage_fifo_file_perms; @@ -50,8 +51,8 @@ userdom_list_user_home_dirs(journalctl_t) userdom_read_user_home_content_files(journalctl_t) -userdom_use_inherited_user_ptys(journalctl_t) -userdom_use_inherited_user_ttys(journalctl_t) +userdom_use_user_ptys(journalctl_t) +userdom_use_user_ttys(journalctl_t) userdom_rw_inherited_user_tmp_files(journalctl_t) userdom_rw_inherited_user_home_content_files(journalctl_t)
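Review bot: `allow journalctl_t self:capability sys_resource;` in the first hunk has no comment saying which operation needs it; the next line already allows `setrlimit`, so a one-line reason would tell a later reader whether the capability can be removed again. The second hunk also swaps `userdom_use_inherited_user_ptys` and `userdom_use_inherited_user_ttys` for the non-inherited forms, which by name extends access beyond terminals handed down by the parent process; say why the inherited variants were not enough.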
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/kafs.fc
Added
@@ -0,0 +1,1 @@ +/usr/libexec/kafs-dns -- gen_context(system_u:object_r:kafs_exec_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/kafs.if
Added
@@ -0,0 +1,1 @@ +## <summary>Basic tools for kAFS</summary>
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/kafs.te
Added
@@ -0,0 +1,28 @@ +policy_module(kafs, 1.0) + +type kafs_exec_t; +files_type(kafs_exec_t) + +type kafs_t; +domain_type(kafs_t) +application_domain(kafs_t, kafs_exec_t) +role system_r types kafs_t; + +allow kafs_t self:netlink_route_socket create_netlink_socket_perms; +allow kafs_t self:udp_socket create_socket_perms; +allow kafs_t self:unix_dgram_socket create_socket_perms; + +kernel_read_key(kafs_t) +kernel_view_key(kafs_t) +kernel_setattr_key(kafs_t) + +sysnet_read_config(kafs_t) + +optional_policy(` + logging_send_syslog_msg(kafs_t) +') + +optional_policy(` + # /etc/request-key.d/kafs_dns.conf + keyutils_request_domtrans_to(kafs_t, kafs_exec_t) +')
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/kdump.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/kdump.fc
Changed
@@ -16,3 +16,5 @@ /var/lib/kdump(/.*)? gen_context(system_u:object_r:kdump_var_lib_t,s0) /var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0) + +/var/log/kdump.log -- gen_context(system_u:object_r:kdump_log_t,s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/kdump.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/kdump.te
Changed
@@ -28,6 +28,9 @@ type kdump_lock_t; files_lock_file(kdump_lock_t) +type kdump_log_t; +logging_log_file(kdump_log_t) + type kdumpctl_t; type kdumpctl_exec_t; init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) @@ -100,6 +103,9 @@ manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t) files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump") +manage_files_pattern(kdumpctl_t, kdump_log_t, kdump_log_t) +logging_log_filetrans(kdumpctl_t, kdump_log_t, file) + manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) @@ -157,6 +163,10 @@ storage_raw_read_fixed_disk(kdumpctl_t) storage_getattr_fixed_disk_dev(kdumpctl_t) +tunable_policy(`deny_execmem',`',` + allow kdumpctl_t self:process execmem; +') + optional_policy(` networkmanager_dbus_chat(kdumpctl_t) ')
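Review bot: `logging_log_filetrans(kdumpctl_t, kdump_log_t, file)` in the `@@ -100` hunk passes no file name, so any regular file kdumpctl_t creates in a log directory is typed `kdump_log_t`, while kdump.fc in this revision labels only `/var/log/kdump.log`. The lock transition two lines above passes a name (`"kdump"`); passing `"kdump.log"` here would keep the runtime label and the file context in step. The `deny_execmem` block in the last hunk also needs a comment on why kdumpctl_t requires `execmem`.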
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/keepalived.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/keepalived.te
Changed
@@ -58,6 +58,9 @@ manage_dirs_pattern(keepalived_t, keepalived_tmpfs_t, keepalived_tmpfs_t) fs_tmpfs_filetrans(keepalived_t, keepalived_tmpfs_t, { dir file }) +manage_files_pattern(keepalived_t, keepalived_tmp_t, keepalived_tmp_t) +files_tmp_filetrans(keepalived_t, keepalived_tmp_t, file) + kernel_read_system_state(keepalived_t) kernel_read_network_state(keepalived_t) kernel_request_load_module(keepalived_t) @@ -96,9 +99,6 @@ logging_send_syslog_msg(keepalived_t) -allow keepalived_t keepalived_tmp_t:file { create_file_perms write_file_perms }; -files_tmp_filetrans(keepalived_t, keepalived_tmp_t, file) - optional_policy(` dbus_system_bus_client(keepalived_t) init_dbus_chat(keepalived_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/kerberos.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/kerberos.if
Changed
@@ -199,7 +199,7 @@ ') files_search_etc($1) - allow $1 krb5_keytab_t:dir search_dir_perms; + allow $1 krb5_keytab_t:dir list_dir_perms; allow $1 krb5_keytab_t:file read_file_perms; ')
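Review bot: The change from `search_dir_perms` to `list_dir_perms` on `krb5_keytab_t:dir` sits inside a shared interface (its name is outside the visible context), so every domain that calls the interface gains the ability to enumerate the keytab directory, not only the caller that hit the denial. If a single domain needs listing, a local rule in that domain's own .te file would be narrower.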
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/keyutils.fc
Added
@@ -0,0 +1,2 @@ +/usr/sbin/request-key -- gen_context(system_u:object_r:keyutils_request_exec_t,s0) +/usr/sbin/key\.dns_resolver -- gen_context(system_u:object_r:keyutils_dns_resolver_exec_t,s0)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/keyutils.if
Added
@@ -0,0 +1,43 @@ +## <summary>Linux Key Management Utilities</summary> + +####################################### +## <summary> +## Execute request-key in the keyutils request domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`keyutils_request_domtrans',` + gen_require(` + type keyutils_request_t, keyutils_request_exec_t; + ') + + domtrans_pattern($1, keyutils_request_exec_t, keyutils_request_t) +') + +######################################## +## <summary> +## Allows to perform key instantiation callout +## by transitioning to the specified domain. +## </summary> +## <param name="domain"> +## <summary> +## The process type entered by request-key. +## </summary> +## </param> +## <param name="entrypoint"> +## <summary> +## The executable type for the entrypoint. +## </summary> +## </param> +# +interface(`keyutils_request_domtrans_to',` + gen_require(` + type keyutils_request_t; + ') + + domtrans_pattern(keyutils_request_t, $2, $1) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/keyutils.te
Added
@@ -0,0 +1,41 @@ +policy_module(keyutils, 1.0) + +type keyutils_request_exec_t; +files_type(keyutils_request_exec_t) + +type keyutils_dns_resolver_exec_t; +files_type(keyutils_dns_resolver_exec_t) + +type keyutils_request_t; +domain_type(keyutils_request_t) +domain_entry_file(keyutils_request_t, keyutils_request_exec_t) +role system_r types keyutils_request_t; + +type keyutils_dns_resolver_t; +domain_type(keyutils_dns_resolver_t) +domain_entry_file(keyutils_dns_resolver_t, keyutils_dns_resolver_exec_t) +role system_r types keyutils_dns_resolver_t; + +### policy for the keyutils_request_t domain +allow keyutils_request_t self:unix_dgram_socket create_socket_perms; + +domain_read_view_all_domains_keyrings(keyutils_request_t) + +optional_policy(` + init_search_pid_dirs(keyutils_request_t) + logging_send_syslog_msg(keyutils_request_t) +') + +### policy for the keyutils_dns_resolver_t domain +can_exec(keyutils_dns_resolver_t, keyutils_dns_resolver_exec_t) + +domtrans_pattern(keyutils_request_t, keyutils_dns_resolver_exec_t, keyutils_dns_resolver_t) + +allow keyutils_dns_resolver_t self:netlink_route_socket r_netlink_socket_perms; +allow keyutils_dns_resolver_t self:udp_socket create_socket_perms; + +kernel_read_key(keyutils_dns_resolver_t) +kernel_view_key(keyutils_dns_resolver_t) + +init_search_pid_dirs(keyutils_dns_resolver_t) +sysnet_read_config(keyutils_dns_resolver_t)
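Review bot: `init_search_pid_dirs(keyutils_request_t)` is wrapped in `optional_policy` while `init_search_pid_dirs(keyutils_dns_resolver_t)` further down is called bare, so the same dependency is treated as optional for one domain and mandatory for the other; pick one form. `domain_read_view_all_domains_keyrings(keyutils_request_t)` is also the broadest grant in the module and would benefit from a comment tying it to request-key having to serve key requests from any domain.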
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/lldpad.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/lldpad.te
Changed
@@ -92,6 +92,10 @@ ') optional_policy(` + systemd_userdbd_stream_connect(lldpad_t) +') + +optional_policy(` unconfined_dgram_send(lldpad_t) ')
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/logrotate.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/logrotate.te
Changed
@@ -178,6 +178,7 @@ systemd_status_all_unit_files(logrotate_t) systemd_dbus_chat_logind(logrotate_t) systemd_config_generic_services(logrotate_t) +systemd_dbus_chat_hostnamed(logrotate_t) init_stream_connect(logrotate_t) init_reload_transient_unit(logrotate_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/logwatch.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/logwatch.te
Changed
@@ -198,6 +198,8 @@ manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) +kernel_read_net_sysctls(logwatch_mail_t) + dev_read_rand(logwatch_mail_t) dev_read_urand(logwatch_mail_t) dev_read_sysfs(logwatch_mail_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/milter.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/milter.te
Changed
@@ -92,6 +92,10 @@ mta_sendmail_exec(dkim_milter_t) ') +optional_policy(` + sendmail_domtrans(dkim_milter_t) +') + ######################################## # # milter-greylist local policy
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/mongodb.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mongodb.te
Changed
@@ -71,6 +71,8 @@ kernel_read_system_state(mongod_t) kernel_read_network_state(mongod_t) +kernel_read_fs_sysctls(mongod_t) +kernel_read_net_sysctls(mongod_t) kernel_read_vm_sysctls(mongod_t) corecmd_exec_bin(mongod_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/mptcpd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mptcpd.te
Changed
@@ -13,8 +13,6 @@ type mptcpd_etc_t; files_config_file(mptcpd_etc_t) -permissive mptcpd_t; - ######################################## # # mptcpd local policy
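Review bot: Removing `permissive mptcpd_t;` makes the domain enforcing, and this hunk adds no allow rules alongside it. Before this ships, check that the AVC messages logged while the domain was permissive are all covered by the existing mptcpd rules, because from this version on they become real denials.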
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/mta.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mta.fc
Changed
@@ -28,6 +28,13 @@ /usr/bin/esmtp-wrapper -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +# msmtp +/usr/bin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/bin/msmtpd -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +# opensmtpd +/usr/sbin/smtpd -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/munin.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/munin.te
Changed
@@ -411,6 +411,7 @@ # System local policy # +allow system_munin_plugin_t self:netlink_generic_socket create_socket_perms; allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -443,6 +444,10 @@ ') optional_policy(` + miscfiles_read_generic_certs(services_munin_plugin_t) +') + +optional_policy(` sssd_read_public_files(system_munin_plugin_t) sssd_stream_connect(system_munin_plugin_t) ')
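Review bot: In the `@@ -443` hunk the new `miscfiles_read_generic_certs(services_munin_plugin_t)` names `services_munin_plugin_t`, but it is placed in the section headed "System local policy", where the neighbouring rules all apply to `system_munin_plugin_t`. If the services plugin domain is intended, move the block into that domain's section; if not, the type name needs correcting.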
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/mysql.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/mysql.fc
Changed
@@ -40,6 +40,8 @@ /usr/bin/mariadbd-safe-helper -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/bin/mariadb-upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/sbin/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) + /usr/libexec/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) #
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/nagios.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nagios.te
Changed
@@ -486,6 +486,7 @@ optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) + postfix_exec_master(nagios_mail_plugin_t) postfix_exec_postqueue(nagios_mail_plugin_t) ')
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/networkmanager.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/networkmanager.te
Changed
@@ -584,6 +584,7 @@ read_files_pattern(NetworkManager_dispatcher_dnssec_t, NetworkManager_etc_t, NetworkManager_etc_rw_t) +kernel_read_proc_files(networkmanager_dispatcher_plugin) kernel_request_load_module(NetworkManager_dispatcher_ddclient_t) auth_read_passwd(networkmanager_dispatcher_plugin) @@ -594,6 +595,7 @@ corecmd_exec_shell(NetworkManager_dispatcher_chronyc_t) corecmd_exec_shell(NetworkManager_dispatcher_cloud_t) corecmd_exec_shell(NetworkManager_dispatcher_custom_t) +corecmd_exec_shell(NetworkManager_dispatcher_dhclient_t) corecmd_exec_shell(NetworkManager_dispatcher_iscsid_t) corecmd_exec_shell(NetworkManager_dispatcher_winbind_t) @@ -675,6 +677,7 @@ optional_policy(` sysnet_exec_ifconfig(networkmanager_dispatcher_plugin) sysnet_read_config(networkmanager_dispatcher_plugin) + sysnet_read_dhcp_config(NetworkManager_dispatcher_dhclient_t) ') optional_policy(` @@ -693,6 +696,7 @@ ') optional_policy(` + tlp_create_pid_dirs(NetworkManager_dispatcher_tlp_t) tlp_manage_pid_files(NetworkManager_dispatcher_tlp_t) tlp_filetrans_named_content(NetworkManager_dispatcher_tlp_t) ')
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/nsd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/nsd.te
Changed
@@ -138,6 +138,8 @@ manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) +stream_connect_pattern(nsd_crond_t, nsd_var_run_t, nsd_var_run_t, nsd_t) + can_exec(nsd_crond_t, nsd_exec_t) kernel_read_system_state(nsd_crond_t)
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/passt.if
Added
@@ -0,0 +1,40 @@ +## <summary>passt: usermode networking daemons for vms</summary> + +ifndef(`passt_stub',` + interface(`passt_stub',` + gen_require(` + type passt_t; + ') + ') +') + +ifndef(`passt_domtrans',` + interface(`passt_domtrans',` + gen_require(` + type passt_t, passt_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, passt_exec_t, passt_t) + ') +') + +ifndef(`passt_entrypoint',` + interface(`passt_entrypoint',` + gen_require(` + type passt_exec_t; + ') + + allow $1 passt_exec_t:file entrypoint; + ') +') + +ifndef(`passt_stream_connect',` + interface(`passt_stream_connect',` + gen_require(` + type passt_t; + ') + + allow $1 passt_t:unix_stream_socket connectto; + ') +')
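Review bot: None of the four interfaces (`passt_stub`, `passt_domtrans`, `passt_entrypoint`, `passt_stream_connect`) carries the `## <summary>` and `## <param name="domain">` header that the other .if files in this revision use, and nothing explains why each definition is wrapped in `ifndef`. Add the documentation blocks and a short comment stating what the `ifndef` guards protect against.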
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/pkcs.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/pkcs.fc
Changed
@@ -12,4 +12,5 @@ /var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_lock_t,s0) +/var/run/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0) /var/run/pkcsslotd.* gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/pkcs.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/pkcs.if
Changed
@@ -62,6 +62,24 @@ ######################################## ## <summary> +## Destroy pkcsslotd sysv shared memory segments. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pkcs_destroy_shm',` + gen_require(` + type pkcs_slotd_t; + ') + + allow $1 pkcs_slotd_t:shm destroy; +') + +######################################## +## <summary> ## Connect to pkcs using a unix ## domain stream socket. ## </summary> @@ -151,18 +169,36 @@ type pkcs_slotd_tmpfs_t; ') - allow $1 pkcs_slotd_tmpfs_t:file map; - - manage_files_pattern($1, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.ccatok") fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.ep11tok") fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.lite") + fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki_stats_0") + fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki_stats_48") fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.swtok") fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.tpm.root") ') ######################################## ## <summary> +## Delete pkcs files in the tmpfs directories +## with a private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pkcs_delete_tmpfs_files',` + gen_require(` + type pkcs_slotd_tmpfs_t; + ') + + allow $1 pkcs_slotd_tmpfs_t:file delete_file_perms; +') + +######################################## +## <summary> ## Use opencryptoki services ## </summary> ## <param name="domain"> 
@@ -174,10 +210,12 @@ interface(`pkcs_use_opencryptoki',` gen_require(` type pkcs_slotd_t; + type pkcs_slotd_tmpfs_t; ') - allow $1 self:capability fsetid; + allow $1 self:capability { fsetid ipc_owner }; allow pkcs_slotd_t $1:process signull; + allow $1 pkcs_slotd_tmpfs_t:file { create_file_perms mmap_rw_file_perms }; kernel_search_proc($1) ps_process_pattern(pkcs_slotd_t, $1)
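Review bot: `allow $1 self:capability { fsetid ipc_owner };` in `pkcs_use_opencryptoki` hands `ipc_owner` to every domain that calls the interface, and that capability bypasses the permission checks on System V IPC objects. Combined with the new `create_file_perms mmap_rw_file_perms` on `pkcs_slotd_tmpfs_t`, this is a large grant for a "use" interface; consider moving `ipc_owner` into a separate interface so that only the callers that need it receive it.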
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/pkcs.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/pkcs.te
Changed
@@ -10,6 +10,7 @@ typealias pkcs_slotd_t alias pkcsslotd_t; typealias pkcs_slotd_exec_t alias pkcsslotd_exec_t; init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t) +init_nnp_daemon_domain(pkcs_slotd_t) type pkcs_slotd_initrc_exec_t; init_script_file(pkcs_slotd_initrc_exec_t) @@ -45,11 +46,12 @@ # Local policy # -allow pkcs_slotd_t self:capability { fsetid kill chown }; +allow pkcs_slotd_t self:capability { chown fsetid kill setgid setuid }; dontaudit pkcs_slotd_t self:capability sys_admin; allow pkcs_slotd_t self:capability2 bpf; allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms; allow pkcs_slotd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow pkcs_slotd_t self:process setcap; allow pkcs_slotd_t self:sem create_sem_perms; allow pkcs_slotd_t self:shm create_shm_perms; allow pkcs_slotd_t self:unix_stream_socket { accept listen }; @@ -80,6 +82,8 @@ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, { file dir }) +can_exec(pkcs_slotd_t, pkcs_slotd_exec_t) + auth_use_nsswitch(pkcs_slotd_t) files_search_locks(pkcs_slotd_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/plymouthd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/plymouthd.te
Changed
@@ -32,7 +32,7 @@ # allow plymouthd_t self:capability { sys_admin sys_chroot sys_tty_config }; -allow plymouthd_t self:capability2 block_suspend; +allow plymouthd_t self:capability2 { block_suspend bpf }; dontaudit plymouthd_t self:capability{ dac_read_search }; allow plymouthd_t self:process { signal getsched }; allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -67,6 +67,7 @@ dev_read_framebuffer(plymouthd_t) dev_write_framebuffer(plymouthd_t) dev_map_framebuffer(plymouthd_t) +dev_rw_xserver_misc(plymouthd_t) domain_use_interactive_fds(plymouthd_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/policykit.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/policykit.te
Changed
@@ -10,6 +10,7 @@ type policykit_t, policykit_domain; type policykit_exec_t; init_daemon_domain(policykit_t, policykit_exec_t) +init_nnp_daemon_domain(policykit_t) type policykit_auth_t, policykit_domain; type policykit_auth_exec_t;
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/qatlib.fc
Added
@@ -0,0 +1,9 @@ +/usr/sbin/qat_init\.sh -- gen_context(system_u:object_r:qatlib_exec_t,s0) +/usr/sbin/qatmgr -- gen_context(system_u:object_r:qatlib_exec_t,s0) + +/usr/lib/systemd/system/qat\.service -- gen_context(system_u:object_r:qatlib_unit_file_t,s0) + +/var/run/qat/qatmgr\.pid -- gen_context(system_u:object_r:qatlib_var_run_t,s0) + +/etc/sysconfig/qat -- gen_context(system_u:object_r:qatlib_conf_t,s0) +
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/qatlib.if
Added
@@ -0,0 +1,40 @@ + +## <summary>policy for qatlib</summary> + +######################################## +## <summary> +## Execute qatlib_exec_t in the qatlib domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`qatlib_domtrans',` + gen_require(` + type qatlib_t, qatlib_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, qatlib_exec_t, qatlib_t) +') + +###################################### +## <summary> +## Execute qatlib in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`qatlib_exec',` + gen_require(` + type qatlib_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, qatlib_exec_t) +')
_service:tar_scm:v38.21.tar.gz/policy/modules/contrib/qatlib.te
Added
@@ -0,0 +1,55 @@ +policy_module(qatlib, 1.0.0) + +######################################## +# +# Declarations +# + +type qatlib_t; +type qatlib_exec_t; +init_daemon_domain(qatlib_t, qatlib_exec_t) + +type qatlib_conf_t; +files_config_file(qatlib_conf_t) + +type qatlib_unit_file_t; +systemd_unit_file(qatlib_unit_file_t) + +type qatlib_var_run_t; +files_pid_file(qatlib_var_run_t) + +######################################## +# +# qatlib local policy +# +allow qatlib_t self:fifo_file rw_fifo_file_perms; +allow qatlib_t self:unix_stream_socket create_stream_socket_perms; + +allow qatlib_t qatlib_unit_file_t:file read_file_perms; + +read_files_pattern(qatlib_t, qatlib_conf_t, qatlib_conf_t) +list_dirs_pattern(qatlib_t, qatlib_conf_t, qatlib_conf_t) + +manage_dirs_pattern(qatlib_t, qatlib_var_run_t, qatlib_var_run_t) +manage_files_pattern(qatlib_t, qatlib_var_run_t, qatlib_var_run_t) +files_pid_filetrans(qatlib_t, qatlib_var_run_t, { dir file } ) + +corecmd_exec_shell(qatlib_t) +corecmd_exec_bin(qatlib_t) + +dev_read_sysfs(qatlib_t) + +domain_use_interactive_fds(qatlib_t) + +optional_policy(` + auth_read_passwd_file(qatlib_t) +') + +optional_policy(` + miscfiles_read_localization(qatlib_t) +') + +optional_policy(` + systemd_search_unit_dirs(qatlib_t) +') +
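Review bot: `manage_dirs_pattern` and `files_pid_filetrans(qatlib_t, qatlib_var_run_t, { dir file } )` let the daemon create its runtime directory as `qatlib_var_run_t`, but qatlib.fc in this revision labels only `/var/run/qat/qatmgr\.pid`, so a relabel would reset the directory itself to the default type. Add a `/var/run/qat(/.*)?` entry to qatlib.fc. Separately, `allow qatlib_t qatlib_unit_file_t:file read_file_perms;` lets the service read its own unit file, which is unusual enough to deserve a comment.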
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/rabbitmq.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rabbitmq.te
Changed
@@ -85,6 +85,7 @@ kernel_read_system_state(rabbitmq_t) kernel_read_fs_sysctls(rabbitmq_t) +kernel_read_net_sysctls(rabbitmq_t) corecmd_exec_bin(rabbitmq_t) corecmd_exec_shell(rabbitmq_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/rhcs.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rhcs.te
Changed
@@ -219,8 +219,6 @@ init_manage_script_status_files(cluster_t) init_dbus_chat(cluster_t) -systemd_dbus_chat_logind(cluster_t) - userdom_delete_user_tmp_files(cluster_t) userdom_rw_user_tmp_files(cluster_t) userdom_kill_all_users(cluster_t) @@ -346,6 +344,16 @@ sysnet_domtrans_ifconfig(cluster_t) ') + optional_policy(` + systemd_dbus_chat_hostnamed(cluster_t) + systemd_dbus_chat_logind(cluster_t) + systemd_dbus_chat_timedated(cluster_t) +') + +optional_policy(` + timedatex_dbus_chat(cluster_t) +') + optional_policy(` udev_read_db(cluster_t) ') @@ -665,7 +673,7 @@ corenet_tcp_connect_http_cache_port(haproxy_t) corenet_tcp_connect_rtp_media_port(haproxy_t) -dev_list_sysfs(haproxy_t) +dev_read_sysfs(haproxy_t) dev_read_rand(haproxy_t) dev_read_urand(haproxy_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/rhsmcertd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rhsmcertd.te
Changed
@@ -70,7 +70,7 @@ manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) -files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir sock_file }) manage_dirs_pattern(rhsmcertd_t, cloud_what_var_cache_t, cloud_what_var_cache_t) manage_files_pattern(rhsmcertd_t, cloud_what_var_cache_t, cloud_what_var_cache_t) @@ -80,6 +80,7 @@ kernel_read_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) kernel_read_sysctl(rhsmcertd_t) +kernel_request_load_module(rhsmcertd_t) kernel_signull(rhsmcertd_t) corenet_tcp_bind_generic_node(rhsmcertd_t) @@ -130,6 +131,7 @@ nis_use_ypbind(rhsmcertd_t) sysnet_dns_name_resolve(rhsmcertd_t) +sysnet_exec_ifconfig(rhsmcertd_t) ifdef(`hide_broken_symptoms',` exec_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/rpc.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rpc.fc
Changed
@@ -32,6 +32,7 @@ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) /usr/sbin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) +/usr/sbin/nfsidmap -- gen_context(system_u:object_r:nfsidmap_exec_t,s0) # # /var
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/rpc.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rpc.te
Changed
@@ -241,6 +241,7 @@ allow nfsd_t self:process { setcap }; allow nfsd_t exports_t:file read_file_perms; +allow nfsd_t exports_t:dir list_dir_perms; manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t) @@ -434,3 +435,42 @@ optional_policy(` xserver_rw_xdm_tmp_files(gssd_t) ') + +######################################## +# +# nfsidmap policy +# + +type nfsidmap_exec_t; +files_type(nfsidmap_exec_t) + +type nfsidmap_t; +domain_type(nfsidmap_t) +domain_entry_file(nfsidmap_t, nfsidmap_exec_t) +role system_r types nfsidmap_t; + +allow nfsidmap_t self:key write; +allow nfsidmap_t self:netlink_route_socket r_netlink_socket_perms; +allow nfsidmap_t self:udp_socket create_socket_perms; + +kernel_setattr_key(nfsidmap_t) + +sysnet_read_config(nfsidmap_t) + +optional_policy(` + auth_read_passwd(nfsidmap_t) +') + +optional_policy(` + logging_send_syslog_msg(nfsidmap_t) +') + +optional_policy(` + # /etc/request-key.d/id_resolver.conf + keyutils_request_domtrans_to(nfsidmap_t, nfsidmap_exec_t) +') + +optional_policy(` + systemd_machined_stream_connect(nfsidmap_t) + systemd_userdbd_stream_connect(nfsidmap_t) +')
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/rpm.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rpm.te
Changed
@@ -75,7 +75,7 @@ # allow rpm_t self:capability2 block_suspend; -allow rpm_t self:capability { audit_write chown dac_read_search dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod }; +allow rpm_t self:capability { audit_write chown dac_read_search dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_admin sys_chroot sys_nice sys_tty_config mknod }; allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap }; allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; @@ -260,26 +260,34 @@ # rpmdb local policy # -allow rpmdb_t rpm_var_lib_t:file map; -allow rpmdb_t rpmdb_tmp_t:file map; +can_exec(rpmdb_t, rpm_exec_t) +can_exec(rpmdb_t, rpmdb_exec_t) manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) -files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir) -files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir) +read_lnk_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) +allow rpmdb_t rpm_var_lib_t:file map; manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t) manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t) files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir }) +allow rpmdb_t rpmdb_tmp_t:file map; -term_use_all_inherited_terms(rpmdb_t) - -auth_dontaudit_read_passwd(rpmdb_t) +corecmd_exec_bin(rpmdb_t) +corecmd_exec_shell(rpmdb_t) files_rw_inherited_non_security_files(rpmdb_t) +files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir) +files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir) sysnet_dontaudit_read_config(rpmdb_t) +term_use_all_inherited_terms(rpmdb_t) + +optional_policy(` + auth_dontaudit_read_passwd(rpmdb_t) +') + optional_policy(` miscfiles_read_generic_certs(rpmdb_t) ')
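Review bot: The first hunk adds `sys_admin` to the `rpm_t` capability set with no comment; it is one of the broadest capabilities, so name the operation that needs it. In the rpmdb hunk, `can_exec(rpmdb_t, rpm_exec_t)`, `corecmd_exec_bin(rpmdb_t)` and `corecmd_exec_shell(rpmdb_t)` let rpmdb_t run rpm, generic binaries and shells in its own context, which is a marked change for a domain that previously only managed the database files; a comment naming the script or helper that requires this would make the grant reviewable.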
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/rshim.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/rshim.te
Changed
@@ -12,8 +12,6 @@ type rshim_unit_file_t; systemd_unit_file(rshim_unit_file_t) -permissive rshim_t; - ######################################## # # rshim local policy
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/samba.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/samba.if
Changed
@@ -538,6 +538,25 @@ ######################################## ## <summary> +## Allow the specified domain to +## create samba /var files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_create_var_files',` + gen_require(` + type samba_var_t; + ') + + create_files_pattern($1, samba_var_t, samba_var_t) +') + +######################################## +## <summary> ## Allow the specified domain to ## read and write samba /var files. ## </summary>
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/samba.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/samba.te
Changed
@@ -471,6 +471,9 @@ usermanage_domtrans_useradd(smbd_t) usermanage_domtrans_groupadd(smbd_t) allow smbd_t self:passwd passwd; + + usermanage_domtrans_passwd(winbind_rpcd_t) + allow winbind_rpcd_t self:passwd passwd; ') tunable_policy(`samba_enable_home_dirs',` @@ -1170,6 +1173,7 @@ allow winbind_rpcd_t self:capability { setgid setuid }; allow winbind_rpcd_t self:key { read write }; allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms; +allow winbind_rpcd_t self:process setcap; allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto }; allow winbind_rpcd_t self:unix_stream_socket connectto; allow winbind_rpcd_t self:udp_socket create_socket_perms; @@ -1213,6 +1217,7 @@ term_use_ptmx(winbind_rpcd_t) optional_policy(` + auth_domtrans_chk_passwd(winbind_rpcd_t) auth_read_passwd(winbind_rpcd_t) ') @@ -1260,10 +1265,15 @@ ') optional_policy(` + systemd_machined_stream_connect(winbind_rpcd_t) systemd_userdbd_stream_connect(winbind_rpcd_t) ') optional_policy(` + term_use_generic_ptys(winbind_rpcd_t) +') + +optional_policy(` unconfined_dgram_send(winbind_rpcd_t) ')
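Review bot: Across these hunks `winbind_rpcd_t` picks up `usermanage_domtrans_passwd`, `self:passwd passwd`, `self:process setcap`, `auth_domtrans_chk_passwd` and `term_use_generic_ptys` with no comments. The first two are added in the `@@ -471` hunk inside a block whose opening condition is outside the visible context, next to the `smbd_t` useradd and groupadd transitions; confirm that the same condition is meant to govern password changes by winbind_rpcd_t, and note for the unconditional additions which winbind operation needs each one.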
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/sendmail.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sendmail.fc
Changed
@@ -6,3 +6,4 @@ /var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) /var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0) +/var/run/smtpd\.sock -s gen_context(system_u:object_r:sendmail_var_run_t,s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/sendmail.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sendmail.te
Changed
@@ -40,7 +40,7 @@ # Sendmail local policy # -allow sendmail_t self:capability { dac_read_search dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +allow sendmail_t self:capability { dac_read_search dac_override fowner setuid setgid net_bind_service sys_chroot sys_nice chown sys_tty_config }; dontaudit sendmail_t self:capability net_admin; dontaudit sendmail_t self:capability2 block_suspend; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; @@ -60,8 +60,10 @@ manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir }) -allow sendmail_t sendmail_var_run_t:file manage_file_perms; -files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) +manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t) +manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t) +manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t) +files_pid_filetrans(sendmail_t, sendmail_var_run_t, { dir file sock_file }) kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) @@ -70,6 +72,7 @@ kernel_search_network_sysctl(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) kernel_read_net_sysctls(sendmail_t) +kernel_request_load_module(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_generic_if(sendmail_t)
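Review bot: The capability line in the first hunk now includes `fowner` and `sys_chroot`, and these apply to every program that runs as sendmail_t, not only to the one that needs to chroot. mta.fc in this revision labels `/usr/bin/msmtp`, `/usr/bin/msmtpd` and `/usr/sbin/smtpd` as `sendmail_exec_t`, so add a comment naming the MTA that requires the two capabilities; the same goes for `kernel_request_load_module(sendmail_t)` in the last hunk.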
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/snapper.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/snapper.fc
Changed
@@ -12,4 +12,5 @@ /usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) /var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) /etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +/home/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
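Review bot: the new `/home/\.snapshots(/.*)?` entry looks redundant with the `HOME_ROOT/(.*/)?\.snapshots(/.*)?` line directly below it, because the `(.*/)?` group is optional and HOME_ROOT normally expands to /home. If the entry is meant for systems where the home root is configured elsewhere while /home still exists, say so in a comment; otherwise it can be dropped.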
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/snapper.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/snapper.te
Changed
@@ -44,6 +44,7 @@ snapper_filetrans_named_content(snapperd_t) kernel_setsched(snapperd_t) +kernel_stream_connect(snapperd_t) domain_read_all_domains_state(snapperd_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/snmp.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/snmp.te
Changed
@@ -105,11 +105,9 @@ files_search_all_mountpoints(snmpd_t) fs_search_auto_mountpoints(snmpd_t) -storage_dontaudit_read_fixed_disk(snmpd_t) -storage_dontaudit_read_removable_device(snmpd_t) +storage_raw_read_fixed_disk(snmpd_t) +storage_raw_read_removable_device(snmpd_t) storage_dontaudit_write_removable_device(snmpd_t) -storage_getattr_fixed_disk_dev(snmpd_t) -storage_getattr_removable_dev(snmpd_t) auth_use_nsswitch(snmpd_t)
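Review bot: raw read access to fixed and removable disks for snmpd_t should not be unconditional. The added storage_raw_read_fixed_disk(snmpd_t) and storage_raw_read_removable_device(snmpd_t) replace two dontaudit rules and two getattr-only rules, so a network daemon goes from "may stat the device node" to "may read the block device", which sidesteps the labels on every file stored there. Suggest putting both calls behind a tunable that defaults to false, or keeping the getattr interfaces and documenting which SNMP feature needs more than that.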
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/spamassassin.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/spamassassin.te
Changed
@@ -623,10 +623,9 @@ manage_files_pattern(spamd_update_t, spamd_log_t, spamd_log_t) logging_log_filetrans(spamd_update_t, spamd_log_t, file) -allow spamd_update_t spamc_home_t:dir search_dir_perms; -allow spamd_update_t spamd_tmp_t:file read_file_perms; +manage_files_pattern(spamd_update_t, spamc_home_t, spamc_home_t) -allow spamd_update_t spamc_home_t:dir search_dir_perms; +allow spamd_update_t spamd_tmp_t:file read_file_perms; kernel_read_network_state(spamd_update_t) kernel_read_system_state(spamd_update_t) @@ -671,6 +670,10 @@ ') optional_policy(` + logging_send_syslog_msg(spamd_update_t) +') + +optional_policy(` mta_read_config(spamd_update_t) ')
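Review bot: manage_files_pattern(spamd_update_t, spamc_home_t, spamc_home_t) at @@ -623 is a large step up from the removed `allow spamd_update_t spamc_home_t:dir search_dir_perms;`, going from directory search to full create, write and unlink on files of that type. If the updater only reads or rewrites existing files, a narrower pattern would do; if it really needs manage, a comment should say why. Also, logging_send_syslog_msg(spamd_update_t) at @@ -671 is placed in optional_policy while logging_log_filetrans(spamd_update_t, ...) from the same module is called directly in the first hunk's context; the wrapper is not needed.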
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/squid.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/squid.te
Changed
@@ -21,6 +21,14 @@ ## </desc> gen_tunable(squid_use_tproxy, false) +## <desc> +## <p> +## Determine whether squid should +## have access to snmp port. +## </p> +## </desc> +gen_tunable(squid_bind_snmp_port, false) + type squid_t; type squid_exec_t; init_daemon_domain(squid_t, squid_exec_t) @@ -76,6 +84,7 @@ manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t) files_var_filetrans(squid_t, squid_cache_t, dir, "squid") filetrans_pattern(squid_t, squid_conf_t, squid_cache_t, dir, "ssl_db") +allow squid_t squid_cache_t:file map; allow squid_t squid_conf_t:dir list_dir_perms; allow squid_t squid_conf_t:file read_file_perms; @@ -205,6 +214,10 @@ corenet_tcp_sendrecv_netport_port(squid_t) ') +tunable_policy(`squid_bind_snmp_port',` + corenet_udp_bind_snmp_port(squid_t) +') + optional_policy(` apache_content_template(squid) apache_content_alias_template(squid, squid)
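Review bot: the description of the new tunable at @@ -21 says squid should "have access to snmp port", but the rule it guards at @@ -205 is corenet_udp_bind_snmp_port(squid_t) only. Reword the description to "bind to the snmp UDP port" so an administrator toggling squid_bind_snmp_port knows exactly what is granted. The unconditional `allow squid_t squid_cache_t:file map;` at @@ -76 could also use a one-line comment on what maps the cache files.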
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/sssd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/sssd.te
Changed
@@ -182,6 +182,10 @@ ') optional_policy(` + accountsd_read_fifo_file(sssd_t) +') + +optional_policy(` bind_read_cache(sssd_t) ')
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/targetd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/targetd.te
Changed
@@ -71,6 +71,7 @@ kernel_get_sysvipc_info(targetd_t) kernel_read_system_state(targetd_t) kernel_read_network_state(targetd_t) +kernel_read_net_sysctls(targetd_t) kernel_load_module(targetd_t) kernel_request_load_module(targetd_t) kernel_dgram_send(targetd_t) @@ -102,6 +103,10 @@ sysnet_read_config(targetd_t) optional_policy(` + apache_dontaudit_search_config(targetd_t) +') + +optional_policy(` gnome_read_generic_data_home_dirs(targetd_t) ')
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/telnet.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/telnet.te
Changed
@@ -48,6 +48,7 @@ files_pid_filetrans(telnetd_t, telnetd_var_run_t, file) kernel_read_kernel_sysctls(telnetd_t) +kernel_read_net_sysctls(telnetd_t) kernel_read_system_state(telnetd_t) kernel_read_network_state(telnetd_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/tlp.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/tlp.if
Changed
@@ -141,7 +141,7 @@ ######################################## ## <summary> -## Read all dbus pid files +## Manage tlp pid files ## </summary> ## <param name="domain"> ## <summary> @@ -160,6 +160,25 @@ ######################################## ## <summary> +## Create tlp pid directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tlp_create_pid_dirs',` + gen_require(` + type tlp_var_run_t; + ') + + files_search_pids($1) + create_dirs_pattern($1, tlp_var_run_t, tlp_var_run_t) +') + +######################################## +## <summary> ## All of the rules required to administrate ## an tlp environment ## </summary>
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/virt.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/virt.if
Changed
@@ -1743,6 +1743,24 @@ ######################################## ## <summary> +## Write svirt tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_write_tmp',` + gen_require(` + type svirt_tmp_t; + ') + + write_files_pattern($1, svirt_tmp_t, svirt_tmp_t) +') + +######################################## +## <summary> ## Manage svirt tmp files,dirs and sockfiles. ## </summary> ## <param name="domain"> @@ -1780,3 +1798,60 @@ list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) ') + +######################################## +## <summary> +## Write qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_write_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + write_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') + +######################################## +## <summary> +## Create qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_create_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + create_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') + +######################################## +## <summary> +## Manage qemu PID socket files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_qemu_pid_sock_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + manage_sock_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +')
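Review bot: virt_svirt_write_tmp at @@ -1743 has no directory search call before its pattern, whereas the three qemu PID interfaces added at @@ -1780 each start with files_search_pids($1). write_files_pattern($1, svirt_tmp_t, svirt_tmp_t) only covers the svirt_tmp_t directory itself, so a caller that cannot already search the parent tmp directory will still be denied. Either add files_search_tmp($1) for consistency with the PID interfaces, or note in the summary that the caller must already have it.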
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/virt.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/virt.te
Changed
@@ -203,7 +203,14 @@ ## Allow qemu-ga read ssh home directory content. ## </p> ## </desc> -gen_tunable(virt_qemu_ga_read_ssh, false) +gen_tunable(virt_qemu_ga_manage_ssh, false) + +## <desc> +## <p> +## Allow qemu-ga to run unconfined scripts +## </p> +## </desc> +gen_tunable(virt_qemu_ga_run_unconfined, false) virt_domain_template(svirt) role system_r types svirt_t; @@ -335,6 +342,8 @@ type virt_qemu_ga_unconfined_exec_t, virt_file_type; application_executable_file(virt_qemu_ga_unconfined_exec_t) +type virt_qemu_ga_unconfined_t; + ######################################## # # Declarations @@ -743,6 +752,10 @@ ') optional_policy(` + passt_domtrans(virtd_t) +') + +optional_policy(` policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) @@ -927,6 +940,7 @@ fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) allow svirt_t svirt_image_t:file map; allow svirt_t svirt_image_t:blk_file map; +allow svirt_t svirt_image_t:chr_file map; manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) @@ -1041,6 +1055,25 @@ ') optional_policy(` + passt_domtrans(svirt_t) + passt_entrypoint(svirt_t) + passt_stream_connect(svirt_t) + + optional_policy(` + userdom_write_user_tmp_sockets(svirt_t) + ') + + optional_policy(` + passt_stub(svirt_t) + virt_write_qemu_pid_files(passt_t) + virt_create_qemu_pid_files(passt_t) + virt_manage_qemu_pid_sock_files(passt_t) + virt_read_pid_files(passt_t) + virt_svirt_write_tmp(passt_t) + ') +') + +optional_policy(` ptchown_domtrans(virt_domain) ') @@ -1207,6 +1240,7 @@ corenet_tcp_sendrecv_generic_if(virsh_t) corenet_tcp_sendrecv_generic_node(virsh_t) corenet_tcp_connect_soundd_port(virsh_t) +corenet_tcp_connect_virt_port(virsh_t) dev_read_rand(virsh_t) dev_read_urand(virsh_t) 
@@ -1727,6 +1761,7 @@ allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; +allow virt_qemu_ga_t self:vsock_socket create_socket_perms; allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms; can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t) @@ -1801,11 +1836,20 @@ ') optional_policy(` - tunable_policy(`virt_qemu_ga_read_ssh',` - ssh_read_user_home_files(virt_qemu_ga_t) + ssh_filetrans_home_content(virt_qemu_ga_t) + tunable_policy(`virt_qemu_ga_manage_ssh',` + allow virt_qemu_ga_t self:capability { chown dac_override dac_read_search fowner fsetid }; + + ssh_manage_home_files(virt_qemu_ga_t) ') ') +tunable_policy(`virt_qemu_ga_run_unconfined',` + domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t) +',` + can_exec(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t) +') + optional_policy(` bootloader_domtrans(virt_qemu_ga_t) ') @@ -1850,14 +1894,11 @@ # optional_policy(` - type virt_qemu_ga_unconfined_t; domain_type(virt_qemu_ga_unconfined_t) domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t) role system_r types virt_qemu_ga_unconfined_t; - domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t) - allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms; allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms; allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
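Review bot: the tunable at @@ -203 is renamed to virt_qemu_ga_manage_ssh, but the description above it still reads "Allow qemu-ga read ssh home directory content", while the guarded block at @@ -1801 now grants ssh_manage_home_files together with `self:capability { chown dac_override dac_read_search fowner fsetid }`. Update the description to say manage and mention the capabilities, since turning this boolean on lets the guest agent rewrite SSH home content rather than read it. Note also that ssh_filetrans_home_content(virt_qemu_ga_t) sits outside the tunable_policy and so applies with the boolean off; if that is intended, a comment should say so. Finally, `type virt_qemu_ga_unconfined_t;` moves to the top-level declarations at @@ -335 while domain_type(virt_qemu_ga_unconfined_t) stays inside the optional_policy at @@ -1850, so the new top-level domtrans_pattern can target a type that was never made a domain when that optional block is disabled.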
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/wireguard.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/wireguard.if
Changed
@@ -37,3 +37,21 @@ corecmd_search_bin($1) can_exec($1, wireguard_exec_t) ') + +######################################## +## <summary> +## Read wireguard fifo files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wireguard_read_fifo_files',` + gen_require(` + type wireguard_t; + ') + + allow $1 wireguard_t:fifo_file read_fifo_file_perms; +')
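Review bot: the parameter description in wireguard_read_fifo_files says "Domain to not audit.", but the body is `allow $1 wireguard_t:fifo_file read_fifo_file_perms;`, an allow rule. Change it to "Domain allowed access." as used by the other interfaces, so the generated interface documentation does not describe this as a dontaudit.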
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/wireguard.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/wireguard.te
Changed
@@ -16,7 +16,7 @@ # # wireguard local policy # -allow wireguard_t self:capability { net_admin }; +allow wireguard_t self:capability { net_admin net_bind_service }; allow wireguard_t self:fifo_file rw_fifo_file_perms; allow wireguard_t self:netlink_generic_socket create_socket_perms; allow wireguard_t self:netlink_netfilter_socket create_socket_perms; @@ -26,7 +26,10 @@ allow wireguard_t self:unix_stream_socket create_stream_socket_perms; kernel_dgram_send(wireguard_t) +kernel_load_module(wireguard_t) kernel_request_load_module(wireguard_t) +kernel_rw_net_sysctls(wireguard_t) +kernel_search_debugfs(wireguard_t) corecmd_exec_bin(wireguard_t)
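Review bot: kernel_load_module(wireguard_t) at @@ -26 is added alongside the existing kernel_request_load_module(wireguard_t), and direct module loading is the much stronger of the two grants. Please state in a comment why a request to the kernel is not sufficient here. The same question applies to kernel_rw_net_sysctls(wireguard_t): if the tool only reads these values, kernel_read_net_sysctls would be the narrower choice. net_bind_service at @@ -16 also has no stated reason.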
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/wireshark.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/wireshark.te
Changed
@@ -35,7 +35,8 @@ # allow wireshark_t self:capability { net_admin net_raw }; -allow wireshark_t self:process { setcap signal getsched }; +allow wireshark_t self:process { setcap signal getsched setsched }; +dontaudit wireshark_t self:process execmem; allow wireshark_t self:fifo_file rw_fifo_file_perms; allow wireshark_t self:shm create_shm_perms; allow wireshark_t self:packet_socket { create_socket_perms map };
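Review bot: `dontaudit wireshark_t self:process execmem;` hides the denial without recording where the execmem attempt comes from. Add a comment naming the component that triggers it and confirming the program works with the request denied; otherwise a later regression that depends on executable memory will fail silently with nothing in the audit log.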
_service:tar_scm:v38.6.tar.gz/policy/modules/contrib/zebra.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/contrib/zebra.fc
Changed
@@ -20,7 +20,8 @@ /usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/isisd -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0) -/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0) +/usr/sbin/ripd -- gen_context(system_u:object_r:zebra_exec_t,s0) +/usr/sbin/ripngd -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/nhrpd -- gen_context(system_u:object_r:zebra_exec_t,s0) /usr/sbin/pimd -- gen_context(system_u:object_r:zebra_exec_t,s0) @@ -31,6 +32,7 @@ /var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) /var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0) +/var/run/bgpd(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0) /var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0) /var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0) /var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/corenetwork.te.in -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/corenetwork.te.in
Changed
@@ -126,6 +126,7 @@ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) +network_port(boothd, tcp,9929,s0, udp,9929,s0) network_port(brlp, tcp,4101,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) @@ -220,6 +221,7 @@ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) network_port(kerberos_admin, tcp,749,s0) network_port(kerberos_password, tcp,464,s0, udp,464,s0) +network_port(keylime, tcp,8881,s0, tcp,8892,s0, tcp,9002,s0) network_port(keystone, tcp, 35357,s0, udp, 35357,s0) network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0) network_port(lltng, tcp, 5345, s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/devices.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.fc
Changed
@@ -228,6 +228,7 @@ /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/userfaultfd -c gen_context(system_u:object_r:userfaultfd_device_t,s0) /dev/vmbus/hv_vss -c gen_context(system_u:object_r:hypervvssd_device_t,s0) /dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hypervkvp_device_t,s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/devices.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.if
Changed
@@ -7545,3 +7545,21 @@ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") ') + +######################################## +## <summary> +## Allow to use IORING_OP_URING_CMD on all device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_io_uring_cmd_on_all_dev_nodes',` + gen_require(` + attribute device_node; + ') + + allow $1 device_node:io_uring cmd; +')
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/devices.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/devices.te
Changed
@@ -379,6 +379,12 @@ dev_node(usbmon_device_t) # +# Type for /dev/userfaultfd +# +type userfaultfd_device_t; +dev_node(userfaultfd_device_t) + +# # userio_device_t is the type for /dev/uio0-9+ # type userio_device_t;
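Review bot: userfaultfd_device_t is declared here and /dev/userfaultfd is labelled with it in devices.fc, but the devices.if hunk shown for this revision adds only dev_io_uring_cmd_on_all_dev_nodes, so no accessor interface for the new type is visible. Which domains are expected to open this node, and through which interface? If none yet, say in the comment above the type that access is intentionally left to unconfined domains for now.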
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/domain.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/domain.te
Changed
@@ -255,6 +255,7 @@ # allow special io_uring features allow unconfined_domain_type domain:io_uring override_creds; allow unconfined_domain_type self:io_uring sqpoll; +dev_io_uring_cmd_on_all_dev_nodes(unconfined_domain_type) files_io_uring_cmd_on_all_files(unconfined_domain_type) # allow using the user_namespace class
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/files.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/files.fc
Changed
@@ -220,6 +220,7 @@ /tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /tmp/.* <<none>> +/tmp-inst/.* <<none>> /tmp/\.journal <<none>> /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) @@ -325,6 +326,7 @@ /var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp/.* <<none>> +/var/tmp/tmp-inst/.* <<none>> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <<none>> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/files.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/files.if
Changed
@@ -3767,6 +3767,24 @@ ######################################## ## <summary> +## Mounton directories on the /usr filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mounton_usr',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir mounton; +') + +######################################## +## <summary> ## Search the contents of /etc directories. ## </summary> ## <param name="domain">
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/filesystem.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/filesystem.if
Changed
@@ -3990,7 +3990,7 @@ ######################################## ## <summary> -## Do not audit attempts to list removable storage directories. +## List kernel persistent storage directories. ## </summary> ## <param name="domain"> ## <summary> @@ -4008,6 +4008,44 @@ ######################################## ## <summary> +## Read kernel persistent storage files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_read_pstore_files',` + gen_require(` + type pstore_t; + ') + + read_files_pattern($1, pstore_t, pstore_t) + dev_search_sysfs($1) +') + +######################################## +## <summary> +## Delete kernel persistent storage files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`fs_delete_pstore_files',` + gen_require(` + type pstore_t; + ') + + delete_files_pattern($1, pstore_t, pstore_t) + dev_search_sysfs($1) +') + +######################################## +## <summary> ## Relabel directory on removable storage. ## </summary> ## <param name="domain"> @@ -5853,7 +5891,25 @@ type tmpfs_t; ') - allow $1 tmpfs_t:file { read write }; + allow $1 tmpfs_t:file { rw_inherited_file_perms }; +') + +######################################## +## <summary> +## Map generic tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_map_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:file map; ') ########################################
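Review bot: fs_read_pstore_files and fs_delete_pstore_files at @@ -4008 both document their parameter as "Domain to not audit.", yet their bodies are read_files_pattern and delete_files_pattern, which are allow rules. Change both to "Domain allowed access.", matching fs_map_tmpfs_files added at @@ -5853. The first hunk fixes exactly this kind of copied summary text, so it is worth getting the new interfaces right in the same change.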
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/kernel.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/kernel.if
Changed
@@ -579,6 +579,25 @@ dontaudit $1 kernel_t:key view; ') + +######################################## +## <summary> +## Allow to set attributes on the kernel key ring. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_setattr_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key setattr; +') + ######################################## ## <summary> ## Allows caller to read the ring buffer. @@ -4466,3 +4485,21 @@ allow $1 self:lockdown confidentiality; allow $1 self:perf_event manage_perf_event_perms; ') + +######################################## +## <summary> +## Allow caller domain to run bpf. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_prog_run_bpf',` + gen_require(` + type init_t; + ') + + allow $1 kernel_t:bpf prog_run; +')
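Review bot: kernel_prog_run_bpf at @@ -4466 requires the wrong type. Its gen_require block lists `type init_t;` while the rule is `allow $1 kernel_t:bpf prog_run;`, so kernel_t is used without being required and init_t is required without being used. Change the require to `type kernel_t;`, as kernel_setattr_key at @@ -579 does.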
_service:tar_scm:v38.6.tar.gz/policy/modules/kernel/kernel.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/kernel/kernel.te
Changed
@@ -274,6 +274,7 @@ allow kernel_t self:fifo_file rw_fifo_file_perms; allow kernel_t self:sock_file read_sock_file_perms; allow kernel_t self:fd use; +allow kernel_t self:bpf { map_create map_read map_write prog_load prog_run }; allow kernel_t debugfs_t:dir search_dir_perms; @@ -335,6 +336,9 @@ dev_mounton(kernel_t) dev_filetrans_all_named_dev(kernel_t) term_filetrans_all_named_dev(kernel_t) +# mapping video devices is needed for plymouthd +dev_map_dri(kernel_t) +dev_map_framebuffer(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem @@ -358,11 +362,16 @@ corecmd_bin_entry_type(kernel_generic_helper_t) corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t) +allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms; + domain_use_all_fds(kernel_t) domain_signal_all_domains(kernel_t) domain_search_all_domains_state(kernel_t) domain_connect_all_stream_sockets(kernel_t) domain_rw_all_sockets(kernel_t) +# Needed for overlayfs mounter checks +# (see: https://bugzilla.redhat.com/show_bug.cgi?id=2215454) +domain_obj_id_change_exemption(kernel_t) files_manage_all_files(kernel_t) # The 'execute' permission on lower inodes is checked against the mounter @@ -411,9 +420,15 @@ ') optional_policy(` + keyutils_request_domtrans(kernel_t) +') + +optional_policy(` init_dbus_chat(kernel_t) init_sigchld(kernel_t) init_dyntrans(kernel_t) + # required actually for plymouthd + init_read_state(kernel_t) ') optional_policy(` @@ -507,6 +522,9 @@ # and trigger the respective service unit. systemd_systemctl_domain(kernel) systemd_config_power_services(kernel_systemctl_t) + systemd_dbus_chat_logind(kernel_systemctl_t) + + dbus_system_bus_client(kernel_systemctl_t) init_read_utmp(kernel_systemctl_t) ')
_service:tar_scm:v38.6.tar.gz/policy/modules/roles/staff.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/roles/staff.te
Changed
@@ -70,6 +70,8 @@ init_dbus_chat(staff_t) init_dbus_chat_script(staff_t) +init_getattr_pid_blk_file(staff_t) +init_getattr_pid_chr_file(staff_t) init_status(staff_t) miscfiles_read_hwdata(staff_t) @@ -178,6 +180,10 @@ ') optional_policy(` + kerberos_read_keytab(staff_t) +') + +optional_policy(` kerneloops_dbus_chat(staff_t) ')
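Review bot: kerberos_read_keytab(staff_t) at @@ -178 gives every staff_t session read access to keytab files, which hold long-term Kerberos keys. Nothing in the hunk explains the use case. If this is for one specific tool, that tool's own domain should get the access; if staff_t really needs it, put it behind a tunable that defaults to false and document the reason.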
_service:tar_scm:v38.6.tar.gz/policy/modules/roles/sysadm.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/roles/sysadm.te
Changed
@@ -24,6 +24,7 @@ # Local policy # kernel_manage_perf_event(sysadm_t) +kernel_prog_run_bpf(sysadm_t) kernel_read_fs_sysctls(sysadm_t) kernel_read_all_proc(sysadm_t) kernel_unconfined(sysadm_t) @@ -53,6 +54,7 @@ fs_mount_fusefs(sysadm_t) fs_rw_tracefs_files(sysadm_t) fs_mount_tracefs(sysadm_t) +fs_read_nsfs_files(sysadm_t) storage_filetrans_all_named_dev(sysadm_t) storage_read_scsi_generic(sysadm_t) @@ -90,7 +92,7 @@ init_undefined(sysadm_t) init_ioctl_stream_sockets(sysadm_t) init_prog_run_bpf(sysadm_t) -init_domtrans_script(sysadm_t) +init_run_script(sysadm_t, sysadm_r) logging_filetrans_named_content(sysadm_t) logging_map_audit_config(sysadm_t)
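Review bot: init_run_script(sysadm_t, sysadm_r) at @@ -90 does more than the init_domtrans_script(sysadm_t) it replaces. Per the init.if hunk in this same revision it also emits `role $2 types initrc_t;`, so sysadm_r becomes a valid role for initrc_t. That is a role-level change rather than a rename and deserves a one-line comment here stating that init scripts started by an administrator are now meant to run under sysadm_r.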
_service:tar_scm:v38.6.tar.gz/policy/modules/services/ssh.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/services/ssh.if
Changed
@@ -397,6 +397,9 @@ stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t) + # for ssh-agent user service + allow $3 $1_ssh_agent_t:unix_stream_socket create_stream_socket_perms; + # Allow the user shell to signal the ssh program. allow $3 $1_ssh_agent_t:process signal_perms; @@ -415,6 +418,8 @@ logging_send_syslog_msg($1_ssh_agent_t) + term_use_unallocated_ttys($1_ssh_agent_t) + userdom_user_home_domtrans($1_ssh_agent_t, $3) userdom_home_manager($1_ssh_agent_t)
_service:tar_scm:v38.6.tar.gz/policy/modules/services/ssh.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/services/ssh.te
Changed
@@ -164,6 +164,7 @@ manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) +kernel_read_device_sysctls(ssh_t) kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) @@ -180,6 +181,7 @@ dev_read_rand(ssh_t) dev_read_urand(ssh_t) +dev_read_sysfs(ssh_t) fs_getattr_all_fs(ssh_t) fs_search_auto_mountpoints(ssh_t) @@ -204,6 +206,7 @@ auth_use_nsswitch(ssh_t) miscfiles_read_generic_certs(ssh_t) +miscfiles_read_hwdata(ssh_t) seutil_read_config(ssh_t) @@ -238,6 +241,14 @@ ') optional_policy(` + dbus_write_session_tmp_sock_files(ssh_t) + dbus_stream_connect_session_bus(ssh_t) +') + +optional_policy(` + gnome_read_generic_cache_files(ssh_t) + gnome_map_generic_cache_files(ssh_t) + gnome_read_home_config(ssh_t) gnome_stream_connect_gkeyringd(ssh_t) ') @@ -253,6 +264,7 @@ optional_policy(` xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) xserver_domtrans_xauth(ssh_t) + xserver_map_user_fonts(ssh_t) ')
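Review bot: nothing in these hunks says which ssh client code path needs the new ssh_t access. kernel_read_device_sysctls, dev_read_sysfs and miscfiles_read_hwdata are added unconditionally, and the optional blocks at @@ -238 and @@ -253 add session D-Bus connect, GNOME cache read and map, and xserver_map_user_fonts. Group the desktop-related calls under a comment that names the feature they serve, so they can be revisited together if that feature changes.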
_service:tar_scm:v38.6.tar.gz/policy/modules/services/xserver.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/services/xserver.if
Changed
@@ -904,6 +904,25 @@ ######################################## ## <summary> +## Connect to the xdm dbus for service (acquire_svc). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_connect_xdm_bus',` + gen_require(` + type xdm_t; + class dbus acquire_svc; + ') + + allow $1 xdm_t:dbus acquire_svc; +') + +######################################## +## <summary> ## Read xserver configuration files. ## </summary> ## <param name="domain"> @@ -2196,6 +2215,26 @@ ######################################## ## <summary> +## Map user homedir fonts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`xserver_map_user_fonts',` + gen_require(` + type user_fonts_t, user_fonts_cache_t; + ') + + allow $1 user_fonts_t:file map; + allow $1 user_fonts_cache_t:file map; +') + +######################################## +## <summary> ## Manage user fonts dir. ## </summary> ## <param name="domain">
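Review bot: xserver_connect_xdm_bus at @@ -904 is named as a connect interface, but its only rule is `allow $1 xdm_t:dbus acquire_svc;`, which lets the caller acquire a service name on the bus rather than connect or send messages. Rename it so the word "acquire" appears in the interface name, and make the summary lead with that, because callers choosing an interface by name will otherwise grant more than they expect.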
_service:tar_scm:v38.6.tar.gz/policy/modules/services/xserver.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/services/xserver.te
Changed
@@ -473,8 +473,6 @@ userdom_signull_unpriv_users(xdm_t) userdom_dontaudit_read_admin_home_lnk_files(xdm_t) -kernel_read_vm_sysctls(xdm_t) - # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) can_exec(xdm_t, xsession_exec_t) @@ -496,6 +494,7 @@ manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) +#fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, file) manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) @@ -563,9 +562,11 @@ kernel_read_system_state(xdm_t) kernel_read_device_sysctls(xdm_t) kernel_read_sysctl(xdm_t) +kernel_read_fs_sysctls(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) +kernel_read_vm_sysctls(xdm_t) kernel_request_load_module(xdm_t) kernel_stream_connect(xdm_t) kernel_read_key(xdm_t) @@ -673,6 +674,10 @@ fs_manage_cgroup_files(xdm_t) fs_getattr_nsfs_files(xdm_t) +# memfd objects created by gnome-shell +fs_map_tmpfs_files(xdm_t) +fs_rw_tmpfs_files(xdm_t) + miscfiles_watch_fonts_dirs(xdm_t) mount_read_pid_files(xdm_t) @@ -694,7 +699,8 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) -storage_dontaudit_rw_fuse(xdm_t) +#storage_dontaudit_rw_fuse(xdm_t) +storage_rw_fuse(xdm_t) term_mount_pty_fs(xdm_t) term_setattr_console(xdm_t) @@ -798,6 +804,10 @@ userdom_filetrans_generic_home_content(xdm_t) optional_policy(` + alsa_read_lib(xdm_t) +') + +optional_policy(` dbus_exec_dbusd(xdm_t) dbus_rw_tmp_sock_files(xdm_t) dbus_stream_connect_session_bus(xdm_t) @@ -873,6 +883,10 @@ ') optional_policy(` + rpm_dbus_chat(xdm_t) +') + +optional_policy(` spamassassin_filetrans_home_content(xdm_t) spamassassin_filetrans_admin_home_content(xdm_t) ') 
@@ -1040,6 +1054,11 @@ gnome_read_gconf_config(xdm_t) gnome_transition_gkeyringd(xdm_t) gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm") + gnome_initial_setup_domtrans(xdm_t) + gnome_initial_setup_filetrans_named_content(xdm_t) + gnome_initial_setup_manage_var_run(xdm_t) + gnome_initial_setup_noatsecure(xdm_t) + gnome_initial_setup_read_state(xdm_t) ') optional_policy(`
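Review bot: the hunk at @@ -694 comments out storage_dontaudit_rw_fuse(xdm_t) and adds storage_rw_fuse(xdm_t) beneath it, flipping a silenced denial into a grant while leaving the old line behind as dead code. Delete the commented line and add a comment explaining what xdm_t does with the fuse device. The same goes for `#fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, file)` at @@ -496, which is introduced already commented out: either enable it or leave it out of the policy.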
_service:tar_scm:v38.6.tar.gz/policy/modules/system/authlogin.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/authlogin.te
Changed
@@ -593,7 +593,7 @@ allow login_pgm self:netlink_selinux_socket create_socket_perms; allow login_pgm self:capability ipc_lock; dontaudit login_pgm self:capability net_admin; -allow login_pgm self:process setkeycreate; +allow login_pgm self:process { setcap setkeycreate }; allow login_pgm self:key manage_key_perms; userdom_manage_all_users_keys(login_pgm) allow login_pgm nsswitch_domain:key manage_key_perms;
_service:tar_scm:v38.6.tar.gz/policy/modules/system/fstools.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/fstools.te
Changed
@@ -142,6 +142,7 @@ fs_manage_nfs_files(fsadm_t) fs_manage_cifs_files(fsadm_t) fs_rw_hugetlbfs_files(fsadm_t) +fs_getattr_cgroup(fsadm_t) # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs
_service:tar_scm:v38.6.tar.gz/policy/modules/system/init.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/init.if
Changed
@@ -453,6 +453,35 @@ ') ') +######################################## +## <summary> +## Create a domain which can be started by init +## using an explicit transition. +## </summary> +## <param name="domain"> +## <summary> +## Type to be used as a domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +# +interface(`init_explicit_domain',` + gen_require(` + type init_t; + role system_r; + ') + + role system_r types $1; + + domain_type($1) + domain_entry_file($1, $2) + domain_transition_pattern(init_t, $2, $1) +') + ###################################### ## <summary> ## Allow domain dyntransition to init_t domain. @@ -1187,6 +1216,32 @@ ######################################## ## <summary> +## Execute init scripts with a domain transition +## and allow the specified role the init script type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`init_run_script',` + gen_require(` + type initrc_t; + ') + + init_domtrans_script($1) + role $2 types initrc_t; +') + +######################################## +## <summary> ## Execute a file in a bin directory ## in the initrc_t domain ## </summary> 
@@ -2619,6 +2674,42 @@ allow $1 init_var_run_t:dir watch_dir_perms; ') +######################################## +## <summary> +## Get the attributes of block nodes in the /run/systemd directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_pid_blk_file',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:blk_file getattr; +') + +######################################## +## <summary> +## Get the attributes of character device nodes in the /run/systemd directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_pid_chr_file',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:chr_file getattr; +') + ####################################### ## <summary> ## Create objects in /run/systemd directory
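Review bot: the summary of init_run_script in the @@ -1187 hunk is missing a word and its final period: "allow the specified role the init script type" does not say what the role is allowed to do. Since the body is `role $2 types initrc_t;`, something like "and allow the specified role to use the init script type (initrc_t)." would match the code. In the @@ -2619 hunk, the two getattr summaries describe "the /run/systemd directory" while the rules cover every init_var_run_t block or character node, so the summaries should name the type rather than one path.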
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/init.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/init.te
Changed
@@ -56,7 +56,7 @@ ## Allow init audit_control capability ## </p> ## </desc> -gen_tunable(init_audit_control, false) +gen_tunable(init_audit_control, true) # used for direct running of init scripts # by admin domains @@ -550,6 +550,11 @@ ') optional_policy(` + pkcs_delete_tmpfs_files(init_t) + pkcs_destroy_shm(init_t) +') + +optional_policy(` raid_manage_mdadm_pid(init_t) raid_relabel_mdadm_var_run_content(init_t) raid_stream_connect(init_t) @@ -887,6 +892,7 @@ optional_policy(` domain_named_filetrans(init_t) unconfined_server_domtrans(init_t) + unconfined_server_siginh(init_t) unconfined_server_noatsecure(init_t) unconfined_server_create_tcp_sockets(init_t) unconfined_server_create_udp_sockets(init_t)
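Review bot: the first hunk flips the default of a privilege-granting boolean, `gen_tunable(init_audit_control, true)`, without touching the description or explaining the change. With this default, init gets the audit_control capability on every system that has not set the boolean explicitly. The description block should state why on is now the safe default, and the package changelog should call it out so administrators who depended on the old default can set it back to off.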
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/iptables.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/iptables.te
Changed
@@ -209,3 +209,8 @@ optional_policy(` udev_read_db(iptables_t) ') + +optional_policy(` + wireguard_read_fifo_files(iptables_t) +') +
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/logging.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/logging.fc
Changed
@@ -62,7 +62,7 @@ /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) - +/var/run/systemd/journal\.^/+(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ifndef(`distro_gentoo',` /var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) ') @@ -83,8 +83,9 @@ /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) -/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) - +/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/var/run/systemd/journal\.^/+/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/var/run/systemd/journal\.^/+/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
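Review bot: the three added patterns contain `journal\.^/+`, which as shown puts a `^` anchor in the middle of the path and so cannot match any file. If the intent is to label sibling directories whose names begin with "journal." followed by one or more non-slash characters, the `^/` needs to be a bracketed negated character class; please verify the entries against a real path with matchpathcon or restorecon -n before merging. The second hunk also adds a `dev-log` socket entry for the suffixed directories but none for plain /var/run/systemd/journal, and both hunks drop the blank lines that separated the groups of entries.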
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/modutils.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/modutils.fc
Changed
@@ -35,3 +35,4 @@ /usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) /var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:kmod_var_run_t,s0) +/var/run/tmpfiles.d/static-nodes.conf -- gen_context(system_u:object_r:kmod_var_run_t,s0)
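Review bot: the new entry `/var/run/tmpfiles.d/static-nodes.conf` leaves its dots unescaped, so in this regex-based file each `.` matches any character. The line two above it writes `modprobe\.conf`; follow that form here (`tmpfiles\.d/static-nodes\.conf`), and consider fixing the existing kmod.conf entry in the same change.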
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/mount.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/mount.if
Changed
@@ -104,6 +104,23 @@ ######################################## ## <summary> +## Read mount process state files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mount_read_state',` + gen_require(` + type mount_t; + ') + ps_process_pattern($1, mount_t) +') + +######################################## +## <summary> ## Read/write mount PID files. ## </summary> ## <param name="domain">
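Review bot: in mount_read_state the call `ps_process_pattern($1, mount_t)` follows the closing `')` of gen_require with no blank line, unlike the other interfaces added in this revision. Insert the blank line to keep the interface layout uniform.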
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/systemd.fc -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.fc
Changed
@@ -52,6 +52,7 @@ /usr/lib/systemd/system/systemd-userdbd\.(service|socket) -- gen_context(system_u:object_r:systemd_userdbd_unit_file_t,s0) /usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0) /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) +/usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0) /usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0) /usr/lib/systemd/systemd-socket-proxyd -- gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0) /usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0) @@ -75,6 +76,7 @@ /var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0) /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) +/var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0) /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh) /var/lib/systemd/timesync(/.*)? gen_context(system_u:object_r:systemd_timedated_var_lib_t,s0)
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/systemd.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.if
Changed
@@ -1687,6 +1687,24 @@ ####################################### ## <summary> +## Read generic systemd unit lnk files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_read_generic_unit_lnk_files',` + gen_require(` + type systemd_unit_file_t; + ') + + read_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t) +') + +####################################### +## <summary> ## Create a directory in the /usr/lib/systemd/system directory. ## </summary> ## <param name="domain"> @@ -2728,6 +2746,25 @@ ####################################### ## <summary> +## Read systemd-userdbd data symlinks. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_userdbd_runtime_read_symlinks',` + gen_require(` + type systemd_userdbd_runtime_t; + ') + + list_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) + read_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) +') + +####################################### +## <summary> ## Manage systemd-userdbd data symlinks. ## </summary> ## <param name="domain">
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/systemd.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/systemd.te
Changed
@@ -228,6 +228,10 @@ systemd_domain_template(systemd_sleep) +systemd_domain_template(systemd_pstore) +type systemd_pstore_var_lib_t; +files_type(systemd_pstore_var_lib_t) + ####################################### # # Systemd_logind local policy @@ -461,6 +465,7 @@ init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines") fs_read_nsfs_files(systemd_machined_t) +fs_write_cgroup_files(systemd_machined_t) kernel_dgram_send(systemd_machined_t) # This is a bug, but need for now. @@ -687,6 +692,7 @@ mls_file_read_all_levels(systemd_tmpfiles_t) mls_file_write_all_levels(systemd_tmpfiles_t) mls_file_upgrade(systemd_tmpfiles_t) +mls_file_downgrade(systemd_tmpfiles_t) selinux_get_enforce_mode(systemd_tmpfiles_t) selinux_setcheckreqprot(systemd_tmpfiles_t) @@ -1015,6 +1021,7 @@ files_watch_var_run_path(systemd_timedated_t) fs_getattr_xattr_fs(systemd_timedated_t) +fs_write_cgroup_files(systemd_timedated_t) init_dbus_chat(systemd_timedated_t) init_status(systemd_timedated_t) @@ -1145,6 +1152,7 @@ files_map_non_security_files(systemd_coredump_t) files_mounton_rootfs(systemd_coredump_t) +files_mounton_usr(systemd_coredump_t) fs_getattr_nsfs_files(systemd_coredump_t) @@ -1235,6 +1243,8 @@ auth_read_passwd(systemd_resolved_t) +corenet_tcp_bind_all_nodes(systemd_resolved_t) +corenet_udp_bind_all_nodes(systemd_resolved_t) corenet_tcp_bind_llmnr_port(systemd_resolved_t) corenet_udp_bind_llmnr_port(systemd_resolved_t) corenet_tcp_connect_llmnr_port(systemd_resolved_t) @@ -1249,6 +1259,8 @@ files_watch_tmpfs_dirs(systemd_resolved_t) files_watch_var_run_dirs(systemd_resolved_t) +fs_write_cgroup_files(systemd_resolved_t) + init_watch_pid_dir(systemd_resolved_t) sysnet_manage_config(systemd_resolved_t) 
@@ -1356,6 +1368,7 @@ allow systemd_bootchart_t self:capability sys_admin; allow systemd_bootchart_t self:capability2 wake_alarm; +allow systemd_bootchart_t self:cap_userns sys_ptrace; allow systemd_bootchart_t self:unix_dgram_socket create_socket_perms; kernel_dgram_send(systemd_bootchart_t) @@ -1476,6 +1489,8 @@ kernel_dgram_send(systemd_userdbd_t) +fs_write_cgroup_files(systemd_userdbd_t) + auth_read_shadow(systemd_userdbd_t) auth_use_nsswitch(systemd_userdbd_t) @@ -1499,6 +1514,8 @@ # systemd-sleep needs the permission to change sleep state allow systemd_sleep_t self:lockdown integrity; +allow systemd_sleep_t systemd_unit_file_t:service { start stop }; + kernel_dgram_send(systemd_sleep_t) corecmd_exec_bin(systemd_sleep_t) @@ -1510,6 +1527,8 @@ fstools_rw_swap_files(systemd_sleep_t) +init_search_var_lib_dirs(systemd_sleep_t) + # systemd-sleep needs to getattr swap partitions storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t) @@ -1524,5 +1543,24 @@ ') optional_policy(` + udev_read_pid_files(systemd_sleep_t) +') + +optional_policy(` unconfined_server_domtrans(systemd_sleep_t) ') + +######################################## +# +# systemd_pstore local policy +# + +manage_files_pattern(systemd_pstore_t, systemd_pstore_var_lib_t, systemd_pstore_var_lib_t) + +kernel_dgram_send(systemd_pstore_t) + +fs_delete_pstore_files(systemd_pstore_t) +fs_list_pstore(systemd_pstore_t) +fs_read_pstore_files(systemd_pstore_t) + +init_search_var_lib_dirs(systemd_pstore_t)
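Review bot: in the @@ -1499 hunk, `allow systemd_sleep_t systemd_unit_file_t:service { start stop };` lets systemd-sleep start and stop any unit labelled with the generic systemd_unit_file_t type, and unlike the rule directly above it, it carries no comment saying which unit is involved. Add a comment naming the unit, or restrict the rule to a dedicated unit file type if one exists. The same applies to the `fs_write_cgroup_files` lines added for systemd_machined_t, systemd_timedated_t, systemd_resolved_t and systemd_userdbd_t, and to `mls_file_downgrade(systemd_tmpfiles_t)`: each widens a domain with no stated reason.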
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/unconfined.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/unconfined.if
Changed
@@ -286,6 +286,24 @@ ######################################## ## <summary> +## Allow inherit signal state +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_server_siginh',` + gen_require(` + type unconfined_service_t; + ') + + allow $1 unconfined_service_t:process siginh; +') + +######################################## +## <summary> ## Allow noatsecure. ## </summary> ## <param name="domain"> @@ -393,3 +411,21 @@ allow $1 unconfined_service_t:shm create_shm_perms; ') + +####################################### +## <summary> +## Allow the specified domain read unconfined service semaphores +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`unconfined_server_read_semaphores',` + gen_require(` + type unconfined_service_t; + ') + + allow $1 unconfined_service_t:sem r_sem_perms; +')
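Review bot: both new summaries need rewording. "Allow inherit signal state" does not say who inherits from whom, and "Allow the specified domain read unconfined service semaphores" is missing "to" and a final period. Since the rules are `allow $1 unconfined_service_t:process siginh;` and `allow $1 unconfined_service_t:sem r_sem_perms;`, suggested text is "Allow unconfined_service_t to inherit signal state from the specified domain." and "Allow the specified domain to read unconfined service semaphores."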
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/unconfined.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/unconfined.te
Changed
@@ -45,3 +45,7 @@ optional_policy(` container_runtime_domtrans(unconfined_service_t) ') + +optional_policy(` + gpg_manage_admin_home_content(unconfined_service_t) +')
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/userdomain.if -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/userdomain.if
Changed
@@ -1688,8 +1688,6 @@ allow $1_t self:cap_userns sys_ptrace; - allow $1_t self:user_namespace create; - tunable_policy(`deny_bluetooth',`',` allow $1_t self:bluetooth_socket create_stream_socket_perms; ')
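Review bot: removing `allow $1_t self:user_namespace create;` from this template while the userdomain.te hunk re-adds it only for login_userdomain means any domain built from the template that is not a member of login_userdomain silently loses the permission. The neighbouring `allow $1_t self:cap_userns sys_ptrace;` stays in the template, so those domains keep a user-namespace capability but can no longer create a namespace. Confirm that every template user is covered by login_userdomain, or note the intended narrowing in a comment.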
View file
_service:tar_scm:v38.6.tar.gz/policy/modules/system/userdomain.te -> _service:tar_scm:v38.21.tar.gz/policy/modules/system/userdomain.te
Changed
@@ -373,6 +373,7 @@ # login_userdomain local policy allow login_userdomain self:service status; +allow login_userdomain self:user_namespace create; corenet_tcp_bind_xmsg_port(login_userdomain)
View file
_service:tar_scm:v38.6.tar.gz/policy/support/obj_perm_sets.spt -> _service:tar_scm:v38.21.tar.gz/policy/support/obj_perm_sets.spt
Changed
@@ -206,7 +206,8 @@ # define(`getattr_fifo_file_perms',`{ getattr }') define(`setattr_fifo_file_perms',`{ setattr }') -define(`read_fifo_file_perms',`{ getattr open read lock ioctl }') +define(`read_inherited_fifo_file_perms',`{ getattr read ioctl lock }') +define(`read_fifo_file_perms',`{ open read_inherited_fifo_file_perms }') define(`append_fifo_file_perms',`{ getattr open append lock ioctl }') define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }') define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')