Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2022-06-25 10:23:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Sat Jun 25 10:23:52 2022 rev:26 rq:984856 version:20220624 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2022-06-20 15:36:45.814814640 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1548/selinux-policy.changes 2022-06-25 10:23:58.382648982 +0200 @@ -1,0 +2,13 @@ +Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz <[email protected]> + +- Update to version 20220624. Refreshed: + * fix_init.patch + * fix_kernel_sysctl.patch + * fix_logging.patch + * fix_networkmanager.patch + * fix_unprivuser.patch + Dropped fix_hadoop.patch, not necessary anymore +* Updated fix_locallogin.patch to allow accesses for nss-systemd + (bsc#1199630) + +------------------------------------------------------------------- Old: ---- fedora-policy-20220520.tar.bz2 fix_hadoop.patch New: ---- fedora-policy-20220624.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.vXEFYH/_old 2022-06-25 10:23:59.398650433 +0200 +++ /var/tmp/diff_new_pack.vXEFYH/_new 2022-06-25 10:23:59.402650438 +0200 @@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20220520 +Version: 20220624 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc 
@@ -88,7 +88,6 @@ Patch001: fix_djbdns.patch Patch002: fix_dbus.patch Patch004: fix_java.patch -Patch005: fix_hadoop.patch Patch006: fix_thunderbird.patch Patch007: fix_postfix.patch Patch008: fix_nscd.patch ++++++ fedora-policy-20220520.tar.bz2 -> fedora-policy-20220624.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/anaconda.fc new/fedora-policy-20220624/policy/modules/contrib/anaconda.fc --- old/fedora-policy-20220520/policy/modules/contrib/anaconda.fc 2022-05-20 12:50:59.555640209 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/anaconda.fc 2022-06-24 08:28:15.514217177 +0200 @@ -11,3 +11,5 @@ /usr/bin/preupg.* -- gen_context(system_u:object_r:preupgrade_exec_t,s0) /var/lib/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0) /var/log/preupgrade(/.*)? gen_context(system_u:object_r:preupgrade_data_t,s0) + +/var/run/ostree-booted -s gen_context(system_u:object_r:install_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/anaconda.if new/fedora-policy-20220624/policy/modules/contrib/anaconda.if --- old/fedora-policy-20220520/policy/modules/contrib/anaconda.if 2022-05-20 12:50:59.555640209 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/anaconda.if 2022-06-24 08:28:15.514217177 +0200 
@@ -130,3 +130,40 @@ manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t) files_search_var_lib($1) ') + +######################################## +## <summary> +## Connect over a unix stream socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`anaconda_stream_connect',` + gen_require(` + type install_t, install_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, install_var_run_t, install_var_run_t, install_t) +') + +######################################## +## <summary> +## Create and use a unix stream socket +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`anaconda_create_unix_stream_sockets',` + gen_require(` + type install_t; + ') + + allow $1 install_t:unix_stream_socket create_stream_socket_perms; +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/anaconda.te new/fedora-policy-20220624/policy/modules/contrib/anaconda.te --- old/fedora-policy-20220520/policy/modules/contrib/anaconda.te 2022-05-20 12:50:59.555640209 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/anaconda.te 2022-06-24 08:28:15.514217177 +0200 @@ -28,6 +28,9 @@ application_domain(install_t, install_exec_t) role install_roles types install_t; +type install_var_run_t; +files_pid_file(install_var_run_t) + type preupgrade_t; type preupgrade_exec_t; application_domain(preupgrade_t, preupgrade_exec_t) 
@@ -87,6 +90,9 @@ init_dbus_chat(install_t) init_nnp_daemon_domain(install_t) +manage_sock_files_pattern(install_t, install_var_run_t, install_var_run_t) +files_pid_filetrans(install_t, install_var_run_t, sock_file) + tunable_policy(`deny_ptrace',`',` domain_ptrace_all_domains(install_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/chronyd.if new/fedora-policy-20220624/policy/modules/contrib/chronyd.if --- old/fedora-policy-20220520/policy/modules/contrib/chronyd.if 2022-05-20 12:50:59.559640269 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/chronyd.if 2022-06-24 08:28:15.518217234 +0200 @@ -236,6 +236,25 @@ manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t) ') +######################################## +## <summary> +## Manage pid files used by chronyd +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_manage_pid_files',` + gen_require(` + type chronyd_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t) +') + ###################################### ## <summary> ## Create objects in /var/run diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/ctdb.te new/fedora-policy-20220624/policy/modules/contrib/ctdb.te --- old/fedora-policy-20220520/policy/modules/contrib/ctdb.te 2022-05-20 12:50:59.563640328 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/ctdb.te 2022-06-24 08:28:15.522217291 +0200 
@@ -45,7 +45,7 @@
 allow ctdbd_t self:tcp_socket create_stream_socket_perms;
 allow ctdbd_t self:udp_socket create_socket_perms;
 allow ctdbd_t self:rawip_socket create_socket_perms;
-allow ctdbd_t self:netlink_tcpdiag_socket create_socket_perms;
+allow ctdbd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 
 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
 create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/insights_client.fc new/fedora-policy-20220624/policy/modules/contrib/insights_client.fc
--- old/fedora-policy-20220520/policy/modules/contrib/insights_client.fc 2022-05-20 12:50:59.571640448 +0200
+++ new/fedora-policy-20220624/policy/modules/contrib/insights_client.fc 2022-06-24 08:28:15.530217406 +0200
@@ -5,14 +5,19 @@ /etc/insights-client/\.cache\.json -- gen_context(system_u:object_r:insights_client_etc_rw_t,s0) /etc/insights-client/\.insights-core\.etag -- gen_context(system_u:object_r:insights_client_etc_rw_t,s0) /etc/insights-client/\.insights-core-gpg-sig\.etag -- gen_context(system_u:object_r:insights_client_etc_rw_t,s0) +/etc/insights-client/\.lastupload -- gen_context(system_u:object_r:insights_client_etc_rw_t,s0) +/etc/insights-client/\.last-upload\.results -- gen_context(system_u:object_r:insights_client_etc_rw_t,s0) /usr/bin/insights-client -- gen_context(system_u:object_r:insights_client_exec_t,s0) /usr/bin/redhat-access-insights -- gen_context(system_u:object_r:insights_client_exec_t,s0) -/var/cache/insights(/.*)? gen_context(system_u:object_r:insights_client_cache_t,s0) +/var/cache/insights(/.*)? gen_context(system_u:object_r:insights_client_cache_t,s0) -/var/lib/insights(/.*)? gen_context(system_u:object_r:insights_client_var_lib_t,s0) +/var/lib/insights(/.*)? gen_context(system_u:object_r:insights_client_var_lib_t,s0) /var/log/insights-client(/.*)? gen_context(system_u:object_r:insights_client_var_log_t,s0) /var/run/insights-client\.pid -- gen_context(system_u:object_r:insights_client_var_run_t,s0) + +/var/tmp/insights-client(/.*)? gen_context(system_u:object_r:insights_client_tmp_t,s0) + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/insights_client.if new/fedora-policy-20220624/policy/modules/contrib/insights_client.if --- old/fedora-policy-20220520/policy/modules/contrib/insights_client.if 2022-05-20 12:50:59.571640448 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/insights_client.if 2022-06-24 08:28:15.530217406 +0200 
@@ -2,11 +2,11 @@ ######################################## ## <summary> -## Execute insights_client_exec_t in the insights_client domain. +## Execute insights_client_exec_t in the insights_client domain. ## </summary> ## <param name="domain"> ## <summary> -## Domain allowed to transition. +## Domain allowed to transition. ## </summary> ## </param> # @@ -21,12 +21,12 @@ ###################################### ## <summary> -## Execute insights_client in the caller domain. +## Execute insights_client in the caller domain. ## </summary> ## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> +## <summary> +## Domain allowed access. +## </summary> ## </param> # interface(`insights_client_exec',` 
@@ -37,3 +37,46 @@ corecmd_search_bin($1) can_exec($1, insights_client_exec_t) ') + +######################################## +## <summary> +## Read and write a insights_client unnamed pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`insights_client_rw_pipes',` + gen_require(` + type insights_client_t; + ') + + allow $1 insights_client_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> +## Transition to insights_client named content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`insights_client_filetrans_named_content',` + gen_require(` + type insights_client_t; + type insights_client_etc_t, insights_client_etc_rw_t; + type insights_client_tmp_t; + ') + + filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".cache.json.asc") + filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".insights-core.etag") + filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".lastupload") + filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".last-upload.results") + + files_tmp_filetrans($1, insights_client_tmp_t, dir, "insights-client") +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/insights_client.te new/fedora-policy-20220624/policy/modules/contrib/insights_client.te --- old/fedora-policy-20220520/policy/modules/contrib/insights_client.te 2022-05-20 12:50:59.571640448 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/insights_client.te 2022-06-24 08:28:15.530217406 +0200 
@@ -18,9 +18,6 @@ type insights_client_etc_rw_t; files_config_file(insights_client_etc_rw_t) -type insights_client_tmp_t; -files_tmp_file(insights_client_tmp_t) - type insights_client_cache_t; files_type(insights_client_cache_t) @@ -30,12 +27,24 @@ type insights_client_var_run_t; files_pid_file(insights_client_var_run_t) +type insights_client_tmp_t; +files_tmp_file(insights_client_tmp_t) + +type insights_client_tmpfs_t; +files_tmpfs_file(insights_client_tmpfs_t) + ######################################## # # insights_client local policy # -allow insights_client_t self:capability dac_override; +allow insights_client_t self:capability { audit_control dac_override dac_read_search sys_ptrace sys_resource sys_admin }; allow insights_client_t self:fifo_file rw_fifo_file_perms; +allow insights_client_t self:netlink_audit_socket r_netlink_socket_perms; +allow insights_client_t self:netlink_generic_socket create_socket_perms; +allow insights_client_t self:netlink_netfilter_socket create_socket_perms; +allow insights_client_t self:netlink_route_socket create_netlink_socket_perms; +allow insights_client_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow insights_client_t self:process { getattr setfscreate setpgid }; allow insights_client_t self:tcp_socket create_socket_perms; allow insights_client_t self:udp_socket create_socket_perms; allow insights_client_t self:unix_dgram_socket create_socket_perms; 
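Review bot: The rewritten capability rule gives insights_client_t sys_admin and sys_ptrace (plus audit_control, dac_read_search and sys_resource) without a comment recording which collector needs each one, and sys_ptrace together with the new netlink_audit_socket access and the domain-wide read rules added later in this file moves a reporting agent close to an unconfined domain. A per-capability note above the rule, e.g. `# sys_ptrace: <collector that reads other processes> ; sys_admin: <operation> (fill in from the denial that motivated it)`, would let the next reviewer re-check them, and the rarely needed ones could sit behind a tunable. The process `setfscreate` permission is also new and worth a line explaining which files the client creates with an explicit label.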
@@ -44,12 +53,22 @@ manage_dirs_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_t) read_files_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_t) manage_files_pattern(insights_client_t, insights_client_etc_rw_t, insights_client_etc_rw_t) -filetrans_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_rw_t, file) +filetrans_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_rw_t, file, ".cache.json") +filetrans_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_rw_t, file, ".cache.json.asc") +filetrans_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_rw_t, file, ".insights-core.etag") +filetrans_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_rw_t, file, ".lastupload") +filetrans_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_rw_t, file, ".last-upload.results") +filetrans_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_rw_t, file, ".registered") +filetrans_pattern(insights_client_t, insights_client_etc_t, insights_client_etc_rw_t, file, "machine-id") manage_dirs_pattern(insights_client_t, insights_client_tmp_t, insights_client_tmp_t) manage_files_pattern(insights_client_t, insights_client_tmp_t, insights_client_tmp_t) files_tmp_filetrans(insights_client_t, insights_client_tmp_t, { dir file }) +manage_files_pattern(insights_client_t, insights_client_tmpfs_t, insights_client_tmpfs_t) +fs_tmpfs_filetrans(insights_client_t, insights_client_tmpfs_t, file) +can_exec(insights_client_t, insights_client_tmpfs_t) + manage_files_pattern(insights_client_t, insights_client_cache_t, insights_client_cache_t) manage_dirs_pattern(insights_client_t, insights_client_var_log_t, insights_client_var_log_t) 
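Review bot: `can_exec(insights_client_t, insights_client_tmpfs_t)` next to `manage_files_pattern` on the same type gives the domain files it can both write and execute, dropping the W^X separation the policy otherwise keeps for it; the identical pattern is added for pcp_domain in the pcp.te hunk and for rabbitmq_t in the rabbitmq.te hunk. A comment naming the runtime that unpacks executable helpers into tmpfs (`# <runtime> extracts executable helpers into tmpfs`) would keep the allowance reviewable, and a tunable would let hardened installs refuse it. Separately, this hunk adds seven named filetrans entries while the `insights_client_filetrans_named_content` interface added in insights_client.if lists only four of them (.cache.json, .registered and machine-id are absent), which may be deliberate but reads as an inconsistency.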
@@ -64,26 +83,90 @@ manage_files_pattern(insights_client_t, insights_client_var_run_t, insights_client_var_run_t) files_pid_filetrans(insights_client_t, insights_client_var_run_t, { dir file }) +kernel_dgram_send(insights_client_t) +kernel_read_device_sysctls(insights_client_t) +kernel_read_kernel_ns_lastpid_sysctls(insights_client_t) +kernel_read_net_sysctls(insights_client_t) +kernel_read_network_state(insights_client_t) +kernel_read_ring_buffer(insights_client_t) +kernel_read_security_state(insights_client_t) +kernel_read_software_raid_state(insights_client_t) kernel_read_system_state(insights_client_t) +kernel_read_unix_sysctls(insights_client_t) +kernel_read_usermodehelper_state(insights_client_t) +kernel_read_vm_sysctls(insights_client_t) +kernel_request_load_module(insights_client_t) +kernel_view_key(insights_client_t) auth_read_passwd(insights_client_t) -corecmd_exec_bin(insights_client_t) +corecmd_exec_all_executables(insights_client_t) corenet_tcp_bind_generic_node(insights_client_t) corenet_tcp_connect_http_port(insights_client_t) +dev_getattr_all(insights_client_t) +dev_read_kmsg(insights_client_t) +dev_read_netcontrol(insights_client_t) + +domain_getattr_all_domains(insights_client_t) +domain_getattr_all_sockets(insights_client_t) +domain_manage_all_domains_keyrings(insights_client_t) +domain_read_all_domains_state(insights_client_t) domain_use_interactive_fds(insights_client_t) +files_getattr_all_blk_files(insights_client_t) +files_getattr_all_chr_files(insights_client_t) +files_getattr_all_file_type_fs(insights_client_t) +files_getattr_all_pipes(insights_client_t) +files_getattr_all_sockets(insights_client_t) files_manage_etc_symlinks(insights_client_t) +files_read_non_security_files(insights_client_t) +files_read_all_symlinks(insights_client_t) +files_status_etc(insights_client_t) + +fs_getattr_all_fs(insights_client_t) +fs_read_configfs_dirs(insights_client_t) init_dontaudit_read_state(insights_client_t) +init_status(insights_client_t) 
libs_exec_ldconfig(insights_client_t) miscfiles_read_generic_certs(insights_client_t) miscfiles_read_localization(insights_client_t) -sysnet_read_config(insights_client_t) +storage_raw_read_fixed_disk(insights_client_t) + +optional_policy(` + auth_getattr_shadow(insights_client_t) +') + +optional_policy(` + bootloader_exec(insights_client_t) +') + +optional_policy(` + chronyd_dgram_send(insights_client_t) + chronyd_domtrans_chronyc(insights_client_t) + chronyd_manage_pid(insights_client_t) + chronyd_stream_connect(insights_client_t) +') + +optional_policy(` + dbus_system_bus_client(insights_client_t) +') + +optional_policy(` + dmesg_exec(insights_client_t) +') + +optional_policy(` + dmidecode_exec(insights_client_t) +') + +optional_policy(` + fstools_domtrans(insights_client_t) +') optional_policy(` gnome_search_gconf(insights_client_t) 
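Review bot: `chronyd_manage_pid(insights_client_t)` in the chronyd optional_policy block does not match the interface this same update adds to chronyd.if, which is `chronyd_manage_pid_files`; unless `chronyd_manage_pid` already exists outside the shown hunk the block will not expand at build time, and the call should read `chronyd_manage_pid_files(insights_client_t)`. Separately, `storage_raw_read_fixed_disk`, `domain_manage_all_domains_keyrings`, `files_read_non_security_files` and `corecmd_exec_all_executables` each grant access that sidesteps per-file labelling (raw block reads in particular expose any file's content regardless of its type), so recording next to each which collector needs it, or gating the disk and keyring ones behind a tunable, would make the expansion auditable. This hunk begins on the previous line with the var_run rules.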
@@ -96,9 +179,73 @@ ') optional_policy(` + hostname_exec(insights_client_t) +') + +optional_policy(` + init_stream_connect(insights_client_t) +') + +optional_policy(` + iptables_domtrans(insights_client_t) +') + +optional_policy(` + logging_domtrans_auditctl(insights_client_t) + logging_read_audit_config(insights_client_t) + logging_read_audit_log(insights_client_t) +') + +optional_policy(` + lvm_domtrans(insights_client_t) +') + +optional_policy(` + mount_domtrans(insights_client_t) +') + +optional_policy(` + modutils_domtrans_kmod(insights_client_t) + modutils_read_module_deps_files(insights_client_t) +') + +optional_policy(` + networkmanager_dbus_chat(insights_client_t) +') + +optional_policy(` rhnsd_read_config(insights_client_t) ') optional_policy(` + rhsmcertd_manage_pid_files(insights_client_t) + rhsmcertd_manage_lib_files(insights_client_t) + rhsmcertd_manage_log(insights_client_t) rhsmcertd_read_config_files(insights_client_t) ') + +optional_policy(` + rpm_domtrans(insights_client_t) + rpm_manage_cache(insights_client_t) + rpm_read_db(insights_client_t) + rpm_setattr_db_files(insights_client_t) +') + +optional_policy(` + samba_manage_var_files(insights_client_t) +') + +optional_policy(` + sysnet_exec_ifconfig(insights_client_t) + sysnet_read_config(insights_client_t) +') + +optional_policy(` + systemd_start_all_unit_files(insights_client_t) + systemd_status_all_unit_files(insights_client_t) + systemd_userdbd_stream_connect(insights_client_t) +') + +optional_policy(` + tuned_dbus_chat(insights_client_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/iscsi.te new/fedora-policy-20220624/policy/modules/contrib/iscsi.te --- old/fedora-policy-20220520/policy/modules/contrib/iscsi.te 2022-05-20 12:50:59.571640448 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/iscsi.te 2022-06-24 08:28:15.530217406 +0200 
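Review bot: `systemd_start_all_unit_files(insights_client_t)` together with the rpm, iptables, mount, lvm, fstools, kmod and auditctl transitions lets a data-collection client start services and reconfigure the system, which is a much larger blast radius than inventory gathering needs; `systemd_status_all_unit_files` and `rpm_read_db`, both already in the hunk, cover the read-only case. The start and domtrans rules should either be justified per collector in a comment above the block or be placed under a boolean so sites that only want reporting can keep them off.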
@@ -36,6 +36,7 @@
 #
 
 allow iscsid_t self:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
+allow iscsid_t self:cap_userns sys_ptrace;
 allow iscsid_t self:process { setrlimit setsched signal };
 allow iscsid_t self:fifo_file rw_fifo_file_perms;
 allow iscsid_t self:unix_stream_socket { accept connectto listen };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/ksmtuned.te new/fedora-policy-20220624/policy/modules/contrib/ksmtuned.te
--- old/fedora-policy-20220520/policy/modules/contrib/ksmtuned.te 2022-05-20 12:50:59.575640508 +0200
+++ new/fedora-policy-20220624/policy/modules/contrib/ksmtuned.te 2022-06-24 08:28:15.534217463 +0200
@@ -91,5 +91,6 @@
 #
 # Local policy for ksm
 #
 
+dev_create_sysfs_files(ksm_t)
 dev_rw_sysfs(ksm_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/networkmanager.fc new/fedora-policy-20220624/policy/modules/contrib/networkmanager.fc
--- old/fedora-policy-20220520/policy/modules/contrib/networkmanager.fc 2022-05-20 12:50:59.583640628 +0200
+++ new/fedora-policy-20220624/policy/modules/contrib/networkmanager.fc 2022-06-24 08:28:15.538217520 +0200
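Review bot: `allow iscsid_t self:cap_userns sys_ptrace;` grants a capability check that only arises when the daemon exercises sys_ptrace inside a user namespace, and nothing in the hunk says which iscsid operation does that; a comment such as `# cap_userns sys_ptrace: <operation that triggers it> — confirm against the denial` would stop a later cleanup from either dropping it or widening it to the plain capability class.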
@@ -22,6 +22,7 @@ /usr/lib/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_dispatcher_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/01-dnssec-trigger -- gen_context(system_u:object_r:NetworkManager_dispatcher_dnssec_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) +/usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/networkmanager.te new/fedora-policy-20220624/policy/modules/contrib/networkmanager.te --- old/fedora-policy-20220520/policy/modules/contrib/networkmanager.te 2022-05-20 12:50:59.583640628 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/networkmanager.te 2022-06-24 08:28:15.538217520 +0200 @@ -58,6 +58,7 @@ networkmanager_dispatcher_plugin_template(dhclient) networkmanager_dispatcher_plugin_template(dnssec) networkmanager_dispatcher_plugin_template(iscsid) +networkmanager_dispatcher_plugin_template(sendmail) networkmanager_dispatcher_plugin_template(tlp) networkmanager_dispatcher_plugin_template(winbind) 
@@ -553,9 +554,11 @@ allow NetworkManager_dispatcher_tlp_t self:capability sys_nice; allow NetworkManager_dispatcher_t self:process setsched; allow NetworkManager_dispatcher_tlp_t self:process setsched; -allow NetworkManager_dispatcher_t self:netlink_route_socket { create_socket_perms nlmsg_read }; -allow NetworkManager_dispatcher_ddclient_t self:netlink_route_socket { create_socket_perms nlmsg_read }; +allow NetworkManager_dispatcher_t self:netlink_route_socket create_netlink_socket_perms; +allow NetworkManager_dispatcher_ddclient_t self:netlink_route_socket create_netlink_socket_perms; +allow NetworkManager_dispatcher_custom_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_dispatcher_t self:udp_socket create_socket_perms; +allow NetworkManager_dispatcher_custom_t self:udp_socket create_socket_perms; allow NetworkManager_dispatcher_ddclient_t self:udp_socket create_socket_perms; allow NetworkManager_dispatcher_t self:unix_dgram_socket { create_socket_perms sendto }; allow NetworkManager_dispatcher_ddclient_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -619,6 +622,7 @@ networkmanager_dbus_chat(NetworkManager_dispatcher_t) dbus_system_bus_client(NetworkManager_dispatcher_tlp_t) networkmanager_dbus_chat(NetworkManager_dispatcher_tlp_t) + dbus_system_bus_client(NetworkManager_dispatcher_custom_t) ') optional_policy(` 
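Review bot: Replacing `{ create_socket_perms nlmsg_read }` with `create_netlink_socket_perms` on the netlink_route_socket of NetworkManager_dispatcher_t and NetworkManager_dispatcher_ddclient_t widens them to nlmsg_write, that is route and link modification rather than reading, if the set has its usual refpolicy definition; the same widening appears for ctdbd_t's netlink_tcpdiag_socket in the ctdb.te hunk and for insights_client_t's netlink_route_socket in insights_client.te. If the dispatcher scripts only query routes, keeping the explicit `{ create_socket_perms nlmsg_read }` form is the narrower choice; otherwise a comment naming the script that writes routes would document the need.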
@@ -655,8 +659,11 @@ systemd_exec_systemctl(NetworkManager_dispatcher_cloud_t) systemd_exec_systemctl(NetworkManager_dispatcher_ddclient_t) systemd_exec_systemctl(NetworkManager_dispatcher_iscsid_t) + systemd_exec_systemctl(NetworkManager_dispatcher_sendmail_t) systemd_exec_systemctl(NetworkManager_dispatcher_winbind_t) + systemd_exec_systemctl(NetworkManager_dispatcher_custom_t) systemd_getattr_unit_files(NetworkManager_dispatcher_ddclient_t) + systemd_start_systemd_services(NetworkManager_dispatcher_sendmail_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/pcp.te new/fedora-policy-20220624/policy/modules/contrib/pcp.te --- old/fedora-policy-20220520/policy/modules/contrib/pcp.te 2022-05-20 12:50:59.587640687 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/pcp.te 2022-06-24 08:28:15.542217577 +0200 @@ -82,6 +82,7 @@ manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t) fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file }) +can_exec(pcp_domain, pcp_tmpfs_t) dev_read_urand(pcp_domain) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/rabbitmq.te new/fedora-policy-20220624/policy/modules/contrib/rabbitmq.te --- old/fedora-policy-20220520/policy/modules/contrib/rabbitmq.te 2022-05-20 12:50:59.591640748 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/rabbitmq.te 2022-06-24 08:28:15.550217692 +0200 @@ -35,6 +35,9 @@ type rabbitmq_conf_t; files_config_file(rabbitmq_conf_t) +type rabbitmq_tmpfs_t; +files_tmpfs_file(rabbitmq_tmpfs_t) + ###################################### # # Rabbitmq local policy 
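Review bot: `systemd_start_systemd_services(NetworkManager_dispatcher_sendmail_t)` lets the 10-sendmail dispatcher script start every service that interface covers rather than only the MTA it presumably restarts on connectivity changes; if an interface scoped to the mail service's unit type exists it would be the narrower grant, and otherwise a comment like `# 10-sendmail restarts the MTA when connectivity changes` should record why the broad one is used. The enclosing optional_policy block starts before the hunk.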
@@ -74,6 +77,10 @@ manage_files_pattern(rabbitmq_t, rabbitmq_conf_t, rabbitmq_conf_t) files_etc_filetrans(rabbitmq_t, rabbitmq_conf_t, dir) +manage_files_pattern(rabbitmq_t, rabbitmq_tmpfs_t, rabbitmq_tmpfs_t) +fs_tmpfs_filetrans(rabbitmq_t, rabbitmq_tmpfs_t, file) +can_exec(rabbitmq_t, rabbitmq_tmpfs_t) + kernel_dgram_send(rabbitmq_t) kernel_read_system_state(rabbitmq_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/rhcs.te new/fedora-policy-20220624/policy/modules/contrib/rhcs.te --- old/fedora-policy-20220520/policy/modules/contrib/rhcs.te 2022-05-20 12:50:59.591640748 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/rhcs.te 2022-06-24 08:28:15.550217692 +0200 @@ -374,6 +374,8 @@ allow dlm_controld_t self:capability { dac_read_search net_admin sys_admin setgid sys_resource }; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; +allow dlm_controld_t cluster_t:process signull; + files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir) stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/rpm.if new/fedora-policy-20220624/policy/modules/contrib/rpm.if --- old/fedora-policy-20220520/policy/modules/contrib/rpm.if 2022-05-20 12:50:59.595640807 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/rpm.if 2022-06-24 08:28:15.550217692 +0200 
@@ -694,6 +694,25 @@ ######################################## ## <summary> +## Set the attributes of RPM package database. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`rpm_setattr_db_files',` + gen_require(` + type rpm_var_lib_t; + ') + + files_search_var_lib($1) + setattr_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) +') + +######################################## +## <summary> ## Delete the RPM package database. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/samba.fc new/fedora-policy-20220624/policy/modules/contrib/samba.fc --- old/fedora-policy-20220520/policy/modules/contrib/samba.fc 2022-05-20 12:50:59.595640807 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/samba.fc 2022-06-24 08:28:15.554217749 +0200 @@ -18,6 +18,9 @@ /usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) /usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) +/usr/libexec/samba/rpcd_lsad -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0) +/usr/libexec/samba/samba-dcerpcd -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0) + /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/samba.if new/fedora-policy-20220624/policy/modules/contrib/samba.if --- old/fedora-policy-20220520/policy/modules/contrib/samba.if 2022-05-20 12:50:59.595640807 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/samba.if 2022-06-24 08:28:15.554217749 +0200 
@@ -1080,3 +1080,22 @@ admin_pattern($1, samba_unit_file_t) allow $1 samba_unit_file_t:service all_service_perms; ') + +######################################## +## <summary> +## Execute winbind rpcd in the winbind_rpcd_t domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`samba_domtrans_winbind_rpcd',` + gen_require(` + type winbind_rpcd_t, winbind_rpcd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, winbind_rpcd_exec_t, winbind_rpcd_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/samba.te new/fedora-policy-20220624/policy/modules/contrib/samba.te --- old/fedora-policy-20220520/policy/modules/contrib/samba.te 2022-05-20 12:50:59.595640807 +0200 +++ new/fedora-policy-20220624/policy/modules/contrib/samba.te 2022-06-24 08:28:15.554217749 +0200 @@ -176,9 +176,17 @@ type winbind_helper_exec_t; domain_entry_file(winbind_helper_t, winbind_helper_exec_t) +type winbind_rpcd_t; +type winbind_rpcd_exec_t; +application_domain(winbind_rpcd_t, winbind_rpcd_exec_t) +role system_r types winbind_rpcd_t; + type winbind_log_t; logging_log_file(winbind_log_t) +type winbind_rpcd_var_run_t; +files_pid_file(winbind_rpcd_var_run_t) + type winbind_var_run_t; files_pid_file(winbind_var_run_t) @@ -1011,6 +1019,7 @@ manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) +files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid") filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) # /run/samba/krb5cc_samba manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) 
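Review bot: `files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")` installs the label transition, but the hunk adds no rule letting winbind_t create or write files of type winbind_rpcd_var_run_t, and filetrans_pattern itself only grants directory permissions; unless that access is granted outside the shown hunks, creating the pid file will be denied after the transition. Adding `manage_files_pattern(winbind_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)` beside it, or documenting where the permission comes from, would close the gap. The winbind_t rule block starts before the hunk.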
@@ -1153,6 +1162,77 @@
########################################
#
+# Winbind-rpcd local policy
+#
+
+allow winbind_rpcd_t self:capability { setgid setuid };
+allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
+allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow winbind_rpcd_t self:unix_stream_socket connectto;
+allow winbind_rpcd_t self:udp_socket create_socket_perms;
+
+allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
+
+read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+
+manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
+files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+
+# access to files of other samba domains
+manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+
+manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+
+manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+allow winbind_rpcd_t samba_var_t:file { map } ;
+
+kernel_read_network_state(winbind_rpcd_t)
+
+corecmd_exec_bin(winbind_rpcd_t)
+
+optional_policy(`
+ auth_read_passwd(winbind_rpcd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(winbind_rpcd_t)
+')
+
+optional_policy(`
+ dirsrv_stream_connect(winbind_rpcd_t)
+')
+
+optional_policy(`
+ kerberos_use(winbind_rpcd_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(winbind_rpcd_t)
+')
+
+optional_policy(`
+ sssd_read_public_files(winbind_rpcd_t)
+ sssd_stream_connect(winbind_rpcd_t)
+')
+
+optional_policy(`
+ sysnet_read_config(winbind_rpcd_t)
+')
+
+# interactions with smbd_t/winbind_t
+allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
+allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
+
+samba_domtrans_winbind_rpcd(smbd_t)
+samba_domtrans_winbind_rpcd(winbind_t)
+
+########################################
+#
+# samba_unconfined_script_t local policy
+#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/sslh.te new/fedora-policy-20220624/policy/modules/contrib/sslh.te
--- old/fedora-policy-20220520/policy/modules/contrib/sslh.te 2022-05-20 12:50:59.599640867 +0200
+++ new/fedora-policy-20220624/policy/modules/contrib/sslh.te 2022-06-24 08:28:15.558217806 +0200
@@ -55,7 +55,7 @@
logging_send_syslog_msg(sslh_t);
-allow sslh_t self:capability { setuid setgid };
+allow sslh_t self:capability { net_admin setuid setgid };
allow sslh_t self:process { setcap getcap signal };
allow sslh_t self:tcp_socket create_stream_socket_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/stalld.te new/fedora-policy-20220624/policy/modules/contrib/stalld.te
--- old/fedora-policy-20220520/policy/modules/contrib/stalld.te 2022-05-20 12:50:59.599640867 +0200
+++ new/fedora-policy-20220624/policy/modules/contrib/stalld.te 2022-06-24 08:28:15.558217806 +0200
@@ -19,7 +19,8 @@
#
# stalld local policy
#
-allow stalld_t self:process { fork };
+allow stalld_t self:capability sys_nice;
+allow stalld_t self:process { fork setsched };
allow stalld_t self:fifo_file rw_fifo_file_perms;
allow stalld_t self:unix_stream_socket create_stream_socket_perms;
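Review bot: `allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;` has no comment saying why the domain must re-execute its own entrypoint type without a transition; since both `samba-dcerpcd` and `rpcd_lsad` are labelled winbind_rpcd_exec_t in this diff, presumably the former spawns the latter, and `# samba-dcerpcd execs rpcd_lsad (same exec type) inside its own domain` would record that. The `{ setgid setuid }` capabilities likewise deserve a why-comment, since they let the helper change identity. Style: `allow winbind_rpcd_t samba_var_t:file { map } ;` has a stray space before the semicolon and single-element braces that the surrounding rules do not use; `allow winbind_rpcd_t samba_var_t:file map;` matches the rest of the file.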
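Review bot: The sslh hunk widens `self:capability` with net_admin and gives no reason; net_admin is one of the broadest capabilities, and a reader cannot tell from the rule whether it serves transparent proxying or something else. Presumably this is sslh's transparent mode, which needs CAP_NET_ADMIN for IP_TRANSPARENT sockets; a comment such as `# net_admin: IP_TRANSPARENT sockets for --transparent mode` above the rule would make the grant reviewable. The rest of the sslh policy lies outside the hunk.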
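Review bot: `allow stalld_t self:capability sys_nice;` and the new `setsched` in `self:process` carry no comment, and setsched on self only covers stalld's own threads, whereas boosting starved tasks needs setsched on the domains of those tasks; if that is granted elsewhere it is worth naming here, otherwise the rule is incomplete. The `kernel_getsched(stalld_t)` added in the following stalld hunk belongs to the same change. A comment like `# sys_nice/setsched: temporarily boost starved tasks` would tie the three rules together.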
@@ -28,6 +29,7 @@
manage_lnk_files_pattern(stalld_t, stalld_var_run_t, stalld_var_run_t)
files_pid_filetrans(stalld_t, stalld_var_run_t, { dir file lnk_file })
+kernel_getsched(stalld_t)
kernel_manage_debugfs(stalld_t)
kernel_read_all_proc(stalld_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/targetd.fc new/fedora-policy-20220624/policy/modules/contrib/targetd.fc
--- old/fedora-policy-20220520/policy/modules/contrib/targetd.fc 2022-05-20 12:50:59.599640867 +0200
+++ new/fedora-policy-20220624/policy/modules/contrib/targetd.fc 2022-06-24 08:28:15.558217806 +0200
@@ -1,5 +1,12 @@
-/etc/target(/.*)? gen_context(system_u:object_r:targetd_etc_rw_t,s0)
+/etc/target(/.*)? gen_context(system_u:object_r:targetd_etc_rw_t,s0)
+
+/root/\.targetcli(/.*)? gen_context(system_u:object_r:targetclid_home_t,s0)
/usr/bin/targetd -- gen_context(system_u:object_r:targetd_exec_t,s0)
+/usr/bin/targetclid -- gen_context(system_u:object_r:targetclid_exec_t,s0)
+
+/usr/lib/systemd/system/targetd.* -- gen_context(system_u:object_r:targetd_unit_file_t,s0)
+/usr/lib/systemd/system/targetclid.* -- gen_context(system_u:object_r:targetclid_unit_file_t,s0)
-/usr/lib/systemd/system/targetd.* -- gen_context(system_u:object_r:targetd_unit_file_t,s0)
+/var/run/targetclid\.pid -- gen_context(system_u:object_r:targetclid_var_run_t,s0)
+/var/run/targetclid\.sock -s gen_context(system_u:object_r:targetclid_var_run_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/targetd.te new/fedora-policy-20220624/policy/modules/contrib/targetd.te
--- old/fedora-policy-20220520/policy/modules/contrib/targetd.te 2022-05-20 12:50:59.599640867 +0200
+++ new/fedora-policy-20220624/policy/modules/contrib/targetd.te 2022-06-24 08:28:15.558217806 +0200
@@ -9,15 +9,28 @@
type targetd_exec_t;
init_daemon_domain(targetd_t, targetd_exec_t)
+type targetclid_t;
+type targetclid_exec_t;
+init_daemon_domain(targetclid_t, targetclid_exec_t)
+
type targetd_etc_rw_t;
files_type(targetd_etc_rw_t)
type targetd_unit_file_t;
systemd_unit_file(targetd_unit_file_t)
+type targetclid_unit_file_t;
+systemd_unit_file(targetclid_unit_file_t)
+
type targetd_tmp_t;
files_tmp_file(targetd_tmp_t)
+type targetclid_home_t;
+userdom_user_home_content(targetclid_home_t)
+
+type targetclid_var_run_t;
+files_pid_file(targetclid_var_run_t)
+
########################################
#
# targetd local policy
@@ -83,27 +96,82 @@
sysnet_read_config(targetd_t)
optional_policy(`
- gnome_read_generic_data_home_dirs(targetd_t)
+ gnome_read_generic_data_home_dirs(targetd_t)
')
optional_policy(`
- lvm_domtrans(targetd_t)
+ lvm_domtrans(targetd_t)
')
optional_policy(`
- modutils_read_module_config(targetd_t)
+ modutils_read_module_config(targetd_t)
')
optional_policy(`
- rpc_manage_nfs_state_data(targetd_t)
+ rpc_manage_nfs_state_data(targetd_t)
')
optional_policy(`
- rpm_dontaudit_read_db(targetd_t)
- rpm_dontaudit_exec(targetd_t)
+ rpm_dontaudit_read_db(targetd_t)
+ rpm_dontaudit_exec(targetd_t)
')
optional_policy(`
- udev_read_pid_files(targetd_t)
+ udev_read_pid_files(targetd_t)
')
+########################################
+#
+# targetclid local policy
+#
+allow targetclid_t self:capability dac_override;
+allow targetclid_t self:fifo_file rw_fifo_file_perms;
+allow targetclid_t self:system module_load;
+allow targetclid_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(targetclid_t, targetclid_home_t, targetclid_home_t)
+manage_files_pattern(targetclid_t, targetclid_home_t, targetclid_home_t)
+userdom_admin_home_dir_filetrans(targetclid_t, targetclid_home_t, dir, ".targetcli")
+
+manage_files_pattern(targetclid_t, targetclid_var_run_t, targetclid_var_run_t)
+manage_sock_files_pattern(targetclid_t, targetclid_var_run_t, targetclid_var_run_t)
+files_pid_filetrans(targetclid_t, targetclid_var_run_t, { file sock_file })
+
+manage_dirs_pattern(targetclid_t, targetd_etc_rw_t, targetd_etc_rw_t)
+
+kernel_load_module(targetclid_t)
+kernel_read_all_proc(targetclid_t)
+
+corecmd_exec_bin(targetclid_t)
+
+dev_read_sysfs(targetclid_t)
+
+domain_use_interactive_fds(targetclid_t)
+
+files_getattr_all_dirs(targetclid_t)
+files_read_etc_files(targetclid_t)
+
+fs_manage_configfs_dirs(targetclid_t)
+fs_manage_configfs_files(targetclid_t)
+
+optional_policy(`
+ auth_read_passwd(targetclid_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(targetclid_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(targetclid_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(targetclid_t)
+')
+
+optional_policy(`
+ modutils_exec_kmod(targetclid_t)
+ modutils_read_module_config(targetclid_t)
+ modutils_read_module_deps(targetclid_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/wireguard.fc new/fedora-policy-20220624/policy/modules/contrib/wireguard.fc
--- old/fedora-policy-20220520/policy/modules/contrib/wireguard.fc 1970-01-01 01:00:00.000000000 +0100
+++ new/fedora-policy-20220624/policy/modules/contrib/wireguard.fc 2022-06-24 08:28:15.562217863 +0200
@@ -0,0 +1,3 @@
+/usr/bin/wg-quick -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+
+/usr/lib/systemd/system/wg-quick@\.service -- gen_context(system_u:object_r:wireguard_unit_file_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/wireguard.if new/fedora-policy-20220624/policy/modules/contrib/wireguard.if
--- old/fedora-policy-20220520/policy/modules/contrib/wireguard.if 1970-01-01 01:00:00.000000000 +0100
+++ new/fedora-policy-20220624/policy/modules/contrib/wireguard.if 2022-06-24 08:28:15.562217863 +0200
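Review bot: In the targetclid local policy, `allow targetclid_t self:capability dac_override;` and the module-loading trio (`allow targetclid_t self:system module_load;`, `kernel_load_module(targetclid_t)`, `modutils_exec_kmod(targetclid_t)`) are strong grants with no comment on why a configuration daemon needs them; presumably the LIO kernel modules are loaded on demand, and a `# loads the target kernel modules on first use` comment plus a note on which DAC check dac_override is there to bypass would make them reviewable. The hunk also re-indents the six existing `optional_policy` bodies for targetd_t, whitespace-only churn that buries the functional change; that is better split into its own commit. The hunk begins on the previous line and the enclosing file continues past it.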
@@ -0,0 +1,39 @@
+## <summary>policy for wireguard</summary>
+
+########################################
+## <summary>
+## Execute wireguard_exec_t in the wireguard domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`wireguard_domtrans',`
+ gen_require(`
+ type wireguard_t, wireguard_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, wireguard_exec_t, wireguard_t)
+')
+
+######################################
+## <summary>
+## Execute wireguard in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wireguard_exec',`
+ gen_require(`
+ type wireguard_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, wireguard_exec_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/contrib/wireguard.te new/fedora-policy-20220624/policy/modules/contrib/wireguard.te
--- old/fedora-policy-20220520/policy/modules/contrib/wireguard.te 1970-01-01 01:00:00.000000000 +0100
+++ new/fedora-policy-20220624/policy/modules/contrib/wireguard.te 2022-06-24 08:28:15.562217863 +0200
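Review bot: The new interface file exposes only domtrans and exec for wireguard_exec_t, while `wireguard_unit_file_t` (declared in wireguard.te and labelled in wireguard.fc in this same diff) has no interface at all, so no confined domain can be granted start/stop of the wg-quick@ units except through unconfined policy. A `wireguard_systemctl`-style interface (constructed name) following the systemctl pattern of sibling modules, or at least a comment stating that unit management is intentionally unconfined-only, would complete the module. Minor: the separator above `wireguard_exec` is shorter than the one above `wireguard_domtrans`.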
@@ -0,0 +1,49 @@
+policy_module(wireguard, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wireguard_t;
+type wireguard_exec_t;
+init_daemon_domain(wireguard_t, wireguard_exec_t)
+
+type wireguard_unit_file_t;
+systemd_unit_file(wireguard_unit_file_t)
+
+########################################
+#
+# wireguard local policy
+#
+allow wireguard_t self:capability { net_admin };
+allow wireguard_t self:fifo_file rw_fifo_file_perms;
+allow wireguard_t self:netlink_generic_socket create_socket_perms;
+allow wireguard_t self:netlink_netfilter_socket create_socket_perms;
+allow wireguard_t self:netlink_route_socket create_netlink_socket_perms;
+allow wireguard_t self:unix_dgram_socket create_socket_perms;
+allow wireguard_t self:unix_stream_socket create_stream_socket_perms;
+
+kernel_request_load_module(wireguard_t)
+
+corecmd_exec_bin(wireguard_t)
+
+domain_use_interactive_fds(wireguard_t)
+
+files_read_etc_files(wireguard_t)
+
+optional_policy(`
+ auth_read_passwd(wireguard_t)
+')
+
+optional_policy(`
+ iptables_domtrans(wireguard_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(wireguard_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(wireguard_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/kernel/kernel.if new/fedora-policy-20220624/policy/modules/kernel/kernel.if
--- old/fedora-policy-20220520/policy/modules/kernel/kernel.if 2022-05-20 12:50:59.611641047 +0200
+++ new/fedora-policy-20220624/policy/modules/kernel/kernel.if 2022-06-24 08:28:15.566217921 +0200
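Review bot: `/usr/bin/wg-quick` is a shell script, and the domain gets `corecmd_exec_bin(wireguard_t)` but not `corecmd_exec_shell(wireguard_t)`; unless shell execution reaches wireguard_t through a rule outside this module, the interpreter exec at the domain entry would be denied, so please confirm and add the line if needed. Separately, wg-quick reads its tunnel configs, which embed private keys, from under /etc, and the only config access here is `files_read_etc_files(wireguard_t)`, so those keys stay generic etc_t and are readable by every domain that reads etc files; a module-private type for that directory (say `wireguard_etc_t`, constructed) with an fc entry and a read rule here would confine them. Minor: `allow wireguard_t self:capability { net_admin };` brace-wraps a single permission.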
@@ -144,6 +144,24 @@
########################################
## <summary>
+## Get scheduling policy and attributes of kernel threads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getsched',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:process getsched;
+')
+
+########################################
+## <summary>
## Send a SIGCHLD signal to kernel threads.
## </summary>
## <param name="domain">
@@ -2011,7 +2029,7 @@
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
- list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
+ list_dirs_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
')
########################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/roles/sysadm.te new/fedora-policy-20220624/policy/modules/roles/sysadm.te
--- old/fedora-policy-20220520/policy/modules/roles/sysadm.te 2022-05-20 12:50:59.611641047 +0200
+++ new/fedora-policy-20220624/policy/modules/roles/sysadm.te 2022-06-24 08:28:15.570217978 +0200
@@ -320,6 +320,10 @@
')
optional_policy(`
+ insights_client_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
iotop_run(sysadm_t, sysadm_r)
')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/roles/unconfineduser.te new/fedora-policy-20220624/policy/modules/roles/unconfineduser.te
--- old/fedora-policy-20220520/policy/modules/roles/unconfineduser.te 2022-05-20 12:50:59.611641047 +0200
+++ new/fedora-policy-20220624/policy/modules/roles/unconfineduser.te 2022-06-24 08:28:15.570217978 +0200
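Review bot: The `@@ -2011,7 +2029,7 @@` hunk changes more than its one-line shape suggests: the old `list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)` granted list (read) on the sysctl_net_t directory, while the new form keeps only search on it and adds list on sysctl_net_unix_t. That is a tightening for any caller that listed the net sysctl directory through this interface; if intended, the commit message or a comment on the line should say so, otherwise keep both rules. The enclosing interface begins outside the hunk, so its name and summary are not visible here.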
@@ -344,6 +344,10 @@
')
optional_policy(`
+ insights_client_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
ipa_run_helper(unconfined_t, unconfined_r)
')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/services/container.te new/fedora-policy-20220624/policy/modules/services/container.te
--- old/fedora-policy-20220520/policy/modules/services/container.te 2022-05-20 12:51:00.159649245 +0200
+++ new/fedora-policy-20220624/policy/modules/services/container.te 2022-06-24 08:28:16.106225645 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.185.0)
+policy_module(container, 2.188.0)
gen_require(`
class passwd rootok;
@@ -837,6 +837,7 @@
dev_getattr_mtrr_dev(container_domain)
dev_list_sysfs(container_domain)
dev_rw_kvm(container_domain)
+dev_rwx_zero(container_domain)
allow container_domain self:key manage_key_perms;
dontaudit container_domain container_domain:key search;
@@ -1005,6 +1006,7 @@
fs_manage_fusefs_named_sockets(container_domain)
fs_manage_fusefs_named_pipes(container_domain)
fs_exec_fusefs_files(container_domain)
+fs_mount_xattr_fs(container_domain)
fs_unmount_xattr_fs(container_domain)
fs_remount_xattr_fs(container_domain)
fs_mount_fusefs(container_domain)
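Review bot: `dev_rwx_zero(container_domain)` and `fs_mount_xattr_fs(container_domain)` each extend the attribute that every container domain carries, and neither has a comment naming the runtime behaviour that needs it; rwx on /dev/zero is an executable-anonymous-memory path (an execmem equivalent), and mount on xattr filesystems is a host-side privilege a confined container does not normally hold. A why-comment on each line, and for the mount rule a note on whether a boolean or a narrower domain was considered, would make these reviewable. The `policy_module(container, 2.188.0)` bump in the same file records the version but not the reason for either grant.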
@@ -1168,7 +1170,7 @@
allow staff_t container_runtime_t:process signal_perms;
allow staff_t container_domain:process signal_perms;
- allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt };
+ allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
')
gen_require(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/services/xserver.te new/fedora-policy-20220624/policy/modules/services/xserver.te
--- old/fedora-policy-20220520/policy/modules/services/xserver.te 2022-05-20 12:50:59.615641107 +0200
+++ new/fedora-policy-20220624/policy/modules/services/xserver.te 2022-06-24 08:28:15.570217978 +0200
@@ -891,6 +891,10 @@
')
optional_policy(`
+ unconfined_server_stream_connectto(xdm_t)
+')
+
+optional_policy(`
virt_filetrans_home_content(xdm_t)
')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/system/init.te new/fedora-policy-20220624/policy/modules/system/init.te
--- old/fedora-policy-20220520/policy/modules/system/init.te 2022-05-20 12:50:59.615641107 +0200
+++ new/fedora-policy-20220624/policy/modules/system/init.te 2022-06-24 08:28:15.570217978 +0200
@@ -452,6 +452,11 @@
sysnet_read_dhcpc_state(init_t)
optional_policy(`
+ anaconda_stream_connect(init_t)
+ anaconda_create_unix_stream_sockets(init_t)
+')
+
+optional_policy(`
bootloader_domtrans(init_t)
')
@@ -813,6 +818,10 @@
')
optional_policy(`
+ insights_client_rw_pipes(init_t)
+')
+
+optional_policy(`
mount_manage_pid_files(init_t)
mount_watch_reads_pid_dirs(init_t)
mount_watch_reads_pid_files(init_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/system/logging.te new/fedora-policy-20220624/policy/modules/system/logging.te
--- old/fedora-policy-20220520/policy/modules/system/logging.te 2022-05-20 12:50:59.615641107 +0200
+++ new/fedora-policy-20220624/policy/modules/system/logging.te 2022-06-24 08:28:15.570217978 +0200
@@ -194,7 +194,7 @@
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file { read_file_perms map };
-allow auditd_t audisp_remote_t:process signal;
+allow auditd_t audisp_remote_t:process { noatsecure signal };
manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/system/sysnetwork.te new/fedora-policy-20220624/policy/modules/system/sysnetwork.te
--- old/fedora-policy-20220520/policy/modules/system/sysnetwork.te 2022-05-20 12:50:59.615641107 +0200
+++ new/fedora-policy-20220624/policy/modules/system/sysnetwork.te 2022-06-24 08:28:15.574218035 +0200
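Review bot: Adding `noatsecure` in `allow auditd_t audisp_remote_t:process { noatsecure signal };` means the kernel no longer sets AT_SECURE when auditd transitions into audisp_remote_t, so the dynamic loader keeps honouring LD_* and similar variables inherited from auditd's environment; that is acceptable only because auditd fully controls that environment, and the rule should say so. A comment such as `# noatsecure: audisp-remote must inherit auditd's environment across the transition` above the line would record the reasoning for the next reader.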
@@ -201,6 +201,7 @@
chronyd_systemctl(dhcpc_t)
chronyd_domtrans(dhcpc_t)
chronyd_domtrans_chronyc(dhcpc_t)
+ chronyd_manage_pid_files(dhcpc_t)
chronyd_pid_filetrans(dhcpc_t)
chronyd_read_keys(dhcpc_t)
')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules/system/unconfined.if new/fedora-policy-20220624/policy/modules/system/unconfined.if
--- old/fedora-policy-20220520/policy/modules/system/unconfined.if 2022-05-20 12:50:59.619641166 +0200
+++ new/fedora-policy-20220624/policy/modules/system/unconfined.if 2022-06-24 08:28:15.574218035 +0200
@@ -212,6 +212,24 @@
########################################
## <summary>
+## Connect to unconfined_service_t with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_server_stream_connectto',`
+ gen_require(`
+ type unconfined_service_t;
+ ')
+
+ allow $1 unconfined_service_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
## Connect to unconfined_server with a unix socket.
## </summary>
## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220520/policy/modules.conf new/fedora-policy-20220624/policy/modules.conf
--- old/fedora-policy-20220520/policy/modules.conf 2022-05-20 12:50:59.547640089 +0200
+++ new/fedora-policy-20220624/policy/modules.conf 2022-06-24 08:28:15.510217119 +0200
@@ -3085,3 +3085,10 @@
# rhcd
#
rhcd = module
+
+# Layer: contrib
+# Module: wireguard
+#
+# wireguard
+#
+wireguard = module
++++++ fix_init.patch ++++++
--- /var/tmp/diff_new_pack.vXEFYH/_old 2022-06-25 10:24:00.322651752 +0200
+++ /var/tmp/diff_new_pack.vXEFYH/_new 2022-06-25 10:24:00.326651757 +0200
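Review bot: `unconfined_server_stream_connectto` grants connectto on `unconfined_service_t`, yet its name says "server" and it sits directly above an existing interface whose summary reads "Connect to unconfined_server with a unix socket", so the two read as targeting the same type when they do not. Naming it after the type it touches (for example `unconfined_service_stream_connectto`) and updating the single caller added in xserver.te in this diff would remove the ambiguity; if the name must stay, the summary should at least state that "server" here means unconfined_service_t.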
@@ -1,7 +1,7 @@ -Index: fedora-policy-20220428/policy/modules/system/init.te +Index: fedora-policy-20220624/policy/modules/system/init.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/init.te -+++ fedora-policy-20220428/policy/modules/system/init.te +--- fedora-policy-20220624.orig/policy/modules/system/init.te ++++ fedora-policy-20220624/policy/modules/system/init.te @@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() @@ -28,7 +28,7 @@ seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -446,9 +451,19 @@ ifdef(`distro_redhat',` +@@ -448,9 +453,19 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) @@ -46,9 +46,9 @@ +') + optional_policy(` - bootloader_domtrans(init_t) - ') -@@ -573,10 +588,10 @@ tunable_policy(`init_audit_control',` + anaconda_stream_connect(init_t) + anaconda_create_unix_stream_sockets(init_t) +@@ -580,10 +595,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -61,7 +61,7 @@ allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -635,6 +650,7 @@ files_delete_all_spool_sockets(init_t) +@@ -642,6 +657,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -69,7 +69,7 @@ files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -672,7 +688,7 @@ fs_list_all(init_t) +@@ -679,7 +695,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) 
@@ -78,7 +78,7 @@ fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -728,6 +744,7 @@ systemd_write_inherited_logind_sessions_ +@@ -735,6 +751,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -86,7 +86,7 @@ auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1578,6 +1595,8 @@ optional_policy(` +@@ -1589,6 +1606,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) ++++++ fix_kernel_sysctl.patch ++++++ --- /var/tmp/diff_new_pack.vXEFYH/_old 2022-06-25 10:24:00.342651780 +0200 +++ /var/tmp/diff_new_pack.vXEFYH/_new 2022-06-25 10:24:00.346651786 +0200 @@ -1,8 +1,8 @@ -Index: fedora-policy-20220428/policy/modules/kernel/files.fc +Index: fedora-policy-20220624/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20220428.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20220428/policy/modules/kernel/files.fc -@@ -236,6 +236,8 @@ ifdef(`distro_redhat',` +--- fedora-policy-20220624.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20220624/policy/modules/kernel/files.fc +@@ -242,6 +242,8 @@ ifdef(`distro_redhat',` /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/initramfs.img -- gen_context(system_u:object_r:usr_t,s0) 
@@ -11,10 +11,10 @@ /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -Index: fedora-policy-20220428/policy/modules/system/systemd.te +Index: fedora-policy-20220624/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/systemd.te -+++ fedora-policy-20220428/policy/modules/system/systemd.te +--- fedora-policy-20220624.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220624/policy/modules/system/systemd.te @@ -1052,6 +1052,8 @@ init_stream_connect(systemd_sysctl_t) logging_send_syslog_msg(systemd_sysctl_t) ++++++ fix_locallogin.patch ++++++ --- /var/tmp/diff_new_pack.vXEFYH/_old 2022-06-25 10:24:00.358651803 +0200 +++ /var/tmp/diff_new_pack.vXEFYH/_new 2022-06-25 10:24:00.362651809 +0200 @@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/system/locallogin.te +Index: fedora-policy-20220624/policy/modules/system/locallogin.te =================================================================== ---- fedora-policy.orig/policy/modules/system/locallogin.te 2020-02-19 09:36:25.440182406 +0000 -+++ fedora-policy/policy/modules/system/locallogin.te 2020-02-21 08:52:35.961803038 +0000 +--- fedora-policy-20220624.orig/policy/modules/system/locallogin.te ++++ fedora-policy-20220624/policy/modules/system/locallogin.te @@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) kernel_search_key(local_login_t) 
@@ -10,4 +10,12 @@ corecmd_list_bin(local_login_t) corecmd_read_bin_symlinks(local_login_t) +@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t) + auth_manage_pam_console_data(local_login_t) + auth_domtrans_pam_console(local_login_t) + auth_use_nsswitch(local_login_t) ++auth_read_shadow(local_login_t) + + init_dontaudit_use_fds(local_login_t) + init_stream_connect(local_login_t) ++++++ fix_logging.patch ++++++ --- /var/tmp/diff_new_pack.vXEFYH/_old 2022-06-25 10:24:00.374651826 +0200 +++ /var/tmp/diff_new_pack.vXEFYH/_new 2022-06-25 10:24:00.378651832 +0200 @@ -1,7 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/system/logging.fc +Index: fedora-policy-20220624/policy/modules/system/logging.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/logging.fc -+++ fedora-policy-20211111/policy/modules/system/logging.fc +--- fedora-policy-20220624.orig/policy/modules/system/logging.fc ++++ fedora-policy-20220624/policy/modules/system/logging.fc @@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) 
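Review bot: The refreshed patch now also adds `+auth_read_shadow(local_login_t)` without any comment, letting the login domain read the shadow database directly rather than only through the password-checking helper that the surrounding `auth_*` calls set up. The added line in the nested hunk should carry its reason, for example `# direct shadow read needed for <reason> (<bug-ref>)`, so the widened access can be revisited once the underlying cause is fixed; the rest of the nested hunk is unchanged context.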
@@ -19,11 +19,11 @@ /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) -Index: fedora-policy-20211111/policy/modules/system/logging.if +Index: fedora-policy-20220624/policy/modules/system/logging.if =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/logging.if -+++ fedora-policy-20211111/policy/modules/system/logging.if -@@ -1787,3 +1787,22 @@ interface(`logging_dgram_send',` +--- fedora-policy-20220624.orig/policy/modules/system/logging.if ++++ fedora-policy-20220624/policy/modules/system/logging.if +@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',` allow $1 syslogd_t:unix_dgram_socket sendto; ') ++++++ fix_networkmanager.patch ++++++ --- /var/tmp/diff_new_pack.vXEFYH/_old 2022-06-25 10:24:00.398651860 +0200 +++ /var/tmp/diff_new_pack.vXEFYH/_new 2022-06-25 10:24:00.402651866 +0200 @@ -1,8 +1,8 @@ -Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20220624/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20220428/policy/modules/contrib/networkmanager.te -@@ -271,6 +271,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy-20220624.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20220624/policy/modules/contrib/networkmanager.te +@@ -276,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -12,7 +12,7 @@ tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -288,6 +291,14 @@ optional_policy(` +@@ -293,6 +296,14 @@ optional_policy(` ') optional_policy(` 
@@ -27,10 +27,10 @@ bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20220624/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20220428.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20220428/policy/modules/contrib/networkmanager.if +--- fedora-policy-20220624.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20220624/policy/modules/contrib/networkmanager.if @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') ++++++ fix_unprivuser.patch ++++++ --- /var/tmp/diff_new_pack.vXEFYH/_old 2022-06-25 10:24:00.446651929 +0200 +++ /var/tmp/diff_new_pack.vXEFYH/_new 2022-06-25 10:24:00.450651935 +0200 @@ -1,8 +1,8 @@ -Index: fedora-policy-20220428/policy/modules/roles/unprivuser.te +Index: fedora-policy-20220624/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20220428/policy/modules/roles/unprivuser.te -@@ -292,6 +292,13 @@ ifndef(`distro_redhat',` +--- fedora-policy-20220624.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20220624/policy/modules/roles/unprivuser.te +@@ -296,6 +296,13 @@ ifndef(`distro_redhat',` ') optional_policy(`
