diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 6e6d758d0..be67f97e9 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -67,6 +67,7 @@ kernel_read_software_raid_state(bootloader_t)
kernel_read_kernel_sysctls(bootloader_t)
kernel_search_debugfs(bootloader_t)
kernel_setsched(bootloader_t)
+kernel_dontaudit_getattr_proc(bootloader_t)
# for grub-probe
kernel_request_load_module(bootloader_t)
@@ -82,6 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
dev_read_sysfs(bootloader_t)
+# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/fs/efi/vars access
+dev_dontaudit_write_sysfs_files(bootloader_t)
# needed on some hardware
dev_rw_nvram(bootloader_t)
@@ -90,6 +93,7 @@ fs_getattr_dos_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for EFI
+fs_getattr_efivarfs(bootloader_t)
fs_manage_dos_files(bootloader_t)
fs_mmap_read_dos_files(bootloader_t)
@@ -153,6 +157,7 @@ miscfiles_read_localization(bootloader_t)
mount_rw_runtime_files(bootloader_t)
selinux_getattr_fs(bootloader_t)
+selinux_use_status_page(bootloader_t)
seutil_read_bin_policy(bootloader_t)
seutil_read_file_contexts(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index f8da0d878..adca75133 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -66,6 +66,7 @@ template(`sudo_role_template',`
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
allow $1_sudo_t self:key manage_key_perms;
+ dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
allow $1_sudo_t $3:key search;
@@ -85,6 +86,7 @@ template(`sudo_role_template',`
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
kernel_link_key($1_sudo_t)
+ kernel_dontaudit_getattr_proc($1_sudo_t)
corecmd_exec_all_executables($1_sudo_t)
@@ -142,6 +144,7 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_setattr_user_ptys($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
+ userdom_dontaudit_rw_user_tmp_pipes($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content($1_sudo_t)
userdom_dontaudit_search_user_home_dirs($1_sudo_t)
diff --git a/policy/modules/admin/usbguard.fc b/policy/modules/admin/usbguard.fc
index 00416afc3..bb03bd269 100644
--- a/policy/modules/admin/usbguard.fc
+++ b/policy/modules/admin/usbguard.fc
@@ -2,6 +2,9 @@
/etc/usbguard/rules\.conf gen_context(system_u:object_r:usbguard_rules_t,s0)
/etc/usbguard/.+ gen_context(system_u:object_r:usbguard_conf_t,s0)
+/run/usbguard(/.*)? gen_context(system_u:object_r:usbguard_runtime_t,s0)
+/run/usbguard\.pid gen_context(system_u:object_r:usbguard_runtime_t,s0)
+
/usr/sbin/usbguard-daemon -- gen_context(system_u:object_r:usbguard_daemon_exec_t,s0)
/var/log/usbguard(/.*)? gen_context(system_u:object_r:usbguard_log_t,s0)
diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index b3816c073..0b3c5ef48 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -27,6 +27,9 @@ logging_log_file(usbguard_log_t)
type usbguard_rules_t;
files_config_file(usbguard_rules_t)
+type usbguard_runtime_t;
+files_runtime_file(usbguard_runtime_t)
+
# /dev/shm
type usbguard_tmpfs_t;
files_tmpfs_file(usbguard_tmpfs_t)
@@ -45,6 +48,10 @@ list_dirs_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
read_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
read_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)
+manage_dirs_pattern(usbguard_t, usbguard_runtime_t, usbguard_runtime_t)
+manage_files_pattern(usbguard_t, usbguard_runtime_t, usbguard_runtime_t)
+files_runtime_filetrans(usbguard_t, usbguard_runtime_t, { dir file })
+
manage_dirs_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
manage_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
mmap_read_files_pattern(usbguard_t, usbguard_tmpfs_t, usbguard_tmpfs_t)
@@ -57,6 +64,14 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
dev_rw_sysfs(usbguard_t)
+kernel_read_kernel_sysctls(usbguard_t)
+kernel_dontaudit_getattr_proc(usbguard_t)
+
+init_search_runtime(usbguard_t)
+
+logging_send_audit_msgs(usbguard_t)
+logging_send_syslog_msg(usbguard_t)
+
tunable_policy(`usbguard_user_modify_rule_files',`
manage_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)
')
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c0578a517..ae20e3365 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3391,6 +3391,25 @@ interface(`dev_setattr_null_dev',`
setattr_chr_files_pattern($1, device_t, null_device_t)
')
+########################################
+##
+## Do not audit attempts to set the attributes of
+## the null device nodes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_setattr_null_dev',`
+ gen_require(`
+ type null_device_t;
+ ')
+
+ dontaudit $1 null_device_t:chr_file setattr;
+')
+
########################################
##
## Delete the null device (/dev/null).
@@ -4454,6 +4473,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
dontaudit $1 sysfs_t:dir write;
')
+########################################
+##
+## Do not audit attempts to write to a sysfs file.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file write;
+')
+
########################################
##
## Create, read, write, and delete sysfs
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4a752e133..364cda915 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4662,6 +4662,24 @@ interface(`files_manage_generic_tmp_dirs',`
manage_dirs_pattern($1, tmp_t, tmp_t)
')
+########################################
+##
+## Relabel temporary directories in /tmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabel_generic_tmp_dirs',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ relabel_dirs_pattern($1, tmp_t, tmp_t)
+')
+
########################################
##
## Manage temporary files and directories in /tmp.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index e0a7e4bc7..f6b997714 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2155,6 +2155,24 @@ interface(`fs_manage_dos_files',`
manage_files_pattern($1, dosfs_t, dosfs_t)
')
+########################################
+##
+## Get the attributes of efivarfs filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_efivarfs',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+
+ allow $1 efivarfs_t:filesystem getattr;
+')
+
########################################
##
## List dirs in efivarfs filesystem.
@@ -3850,6 +3868,25 @@ interface(`fs_getattr_pstore_dirs',`
dev_search_sysfs($1)
')
+########################################
+##
+## Create pstore directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_create_pstore_dirs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ create_dirs_pattern($1, pstore_t, pstore_t)
+ dev_search_sysfs($1)
+')
+
########################################
##
## Relabel to/from pstore_t directories.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 5aaec991d..a3447e7b0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -81,6 +81,10 @@ ifdef(`init_systemd',`
# Allow sysadm to resolve the username of dynamic users by calling
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)
+
+ # Allow sysadm to get the status of and set properties of other users,
+ # sessions, and seats on the system.
+ systemd_dbus_chat_logind(sysadm_t)
')
tunable_policy(`allow_ptrace',`
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index bb17854bc..a41a75961 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -67,7 +67,7 @@ optional_policy(`
allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
allow devicekit_disk_t self:capability2 wake_alarm;
-allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:process { getsched setsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index d26d52256..e4d699e3b 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
kernel_read_system_state(fail2ban_t)
+kernel_read_vm_overcommit_sysctl(fail2ban_t)
kernel_search_fs_sysctls(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
@@ -125,6 +126,7 @@ optional_policy(`
optional_policy(`
systemd_read_journal_files(fail2ban_t)
+ systemd_watch_journal_dirs(fail2ban_t)
')
########################################
diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te
index b6a68566c..339eb19dd 100644
--- a/policy/modules/services/redis.te
+++ b/policy/modules/services/redis.te
@@ -50,7 +50,9 @@ manage_dirs_pattern(redis_t, redis_runtime_t, redis_runtime_t)
manage_files_pattern(redis_t, redis_runtime_t, redis_runtime_t)
manage_lnk_files_pattern(redis_t, redis_runtime_t, redis_runtime_t)
+kernel_read_net_sysctls(redis_t)
kernel_read_system_state(redis_t)
+kernel_read_vm_overcommit_sysctl(redis_t)
corenet_all_recvfrom_netlabel(redis_t)
corenet_tcp_sendrecv_generic_if(redis_t)
@@ -66,6 +68,7 @@ dev_read_urand(redis_t)
logging_send_syslog_msg(redis_t)
+miscfiles_read_generic_certs(redis_t)
miscfiles_read_localization(redis_t)
sysnet_dns_name_resolve(redis_t)
diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
index 4540e4ec7..5763e988d 100644
--- a/policy/modules/services/rngd.te
+++ b/policy/modules/services/rngd.te
@@ -32,6 +32,7 @@ kernel_rw_kernel_sysctl(rngd_t)
dev_read_rand(rngd_t)
dev_read_urand(rngd_t)
+dev_read_sysfs(rngd_t)
dev_rw_tpm(rngd_t)
dev_write_rand(rngd_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 229d1f5d1..cb95a77a2 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -417,6 +417,8 @@ tunable_policy(`rspamd_spamd',`
corenet_tcp_connect_http_port(spamd_t)
corenet_tcp_connect_redis_port(spamd_t)
+
+ kernel_read_network_state(spamd_t)
')
tunable_policy(`use_nfs_home_dirs',`
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 238c45ed8..d4ef9c3cc 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -334,6 +334,7 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
kernel_read_kernel_sysctls(ssh_keygen_t)
+kernel_dontaudit_getattr_proc(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
@@ -354,6 +355,8 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
+miscfiles_read_localization(ssh_keygen_t)
+
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
diff --git a/policy/modules/services/wireguard.te b/policy/modules/services/wireguard.te
index 5eb991051..c25d3c681 100644
--- a/policy/modules/services/wireguard.te
+++ b/policy/modules/services/wireguard.te
@@ -61,8 +61,13 @@ corecmd_exec_shell(wireguard_t)
domain_use_interactive_fds(wireguard_t)
+# wg-quick can be configured to run iptables and other networking
+# config tools when bringing up/down the wg interfaces
+iptables_domtrans(wireguard_t)
+
# wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands
kernel_dontaudit_read_system_state(wireguard_t)
+kernel_dontaudit_search_kernel_sysctl(wireguard_t)
miscfiles_read_localization(wireguard_t)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 7fd315706..95482bfcf 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,7 +1,7 @@
-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/group\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 973195bd3..ce3ffc44a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -679,6 +679,7 @@ interface(`auth_rw_shadow',`
')
files_list_etc($1)
+ auth_rw_shadow_lock($1)
allow $1 shadow_t:file rw_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
')
@@ -700,6 +701,7 @@ interface(`auth_manage_shadow',`
type shadow_t;
')
+ auth_rw_shadow_lock($1)
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
')
@@ -771,6 +773,24 @@ interface(`auth_relabel_shadow',`
typeattribute $1 can_relabelto_shadow_passwords;
')
+########################################
+##
+## Read/Write shadow lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_rw_shadow_lock',`
+ gen_require(`
+ type shadow_lock_t;
+ ')
+
+ rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+')
+
#######################################
##
## Append to the login failure log.
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 31f5503ec..2a3a29401 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -65,6 +65,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+type shadow_lock_t;
+files_lock_file(shadow_lock_t)
+
type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 95b1ec632..599a8e9d5 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -55,6 +55,7 @@ allow getty_t getty_tmp_t:file manage_file_perms;
allow getty_t getty_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(getty_t, getty_tmp_t, { file dir })
+kernel_read_kernel_sysctls(getty_t)
kernel_read_system_state(getty_t)
# these two needed for receiving faxes
@@ -66,6 +67,7 @@ dev_read_sysfs(getty_t)
files_read_etc_runtime_files(getty_t)
files_read_etc_files(getty_t)
files_search_spool(getty_t)
+files_dontaudit_search_var_lib(getty_t)
fs_search_auto_mountpoints(getty_t)
# for error condition handling
@@ -84,6 +86,7 @@ term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
auth_rw_login_records(getty_t)
+auth_use_nsswitch(getty_t)
init_rw_utmp(getty_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fecbb2f52..56b9e744a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2544,7 +2544,7 @@ interface(`init_rw_script_pipes',`
type initrc_t;
')
- allow $1 initrc_t:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 initrc_t:fifo_file rw_fifo_file_perms;
')
########################################
@@ -3009,6 +3009,24 @@ interface(`init_manage_utmp',`
allow $1 initrc_runtime_t:file manage_file_perms;
')
+########################################
+##
+## Add a watch on utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_watch_utmp',`
+ gen_require(`
+ type initrc_runtime_t;
+ ')
+
+ allow $1 initrc_runtime_t:file watch;
+')
+
########################################
##
## Relabel utmp.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 34d20f2d7..1b1a17d86 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -251,6 +251,7 @@ ifdef(`init_systemd',`
allow init_t self:capability2 audit_read;
allow init_t self:key { search setattr write };
allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+ dontaudit init_t self:process { dyntransition setcurrent };
allow init_t init_mountpoint_type:dir_file_class_set { getattr mounton };
@@ -267,7 +268,7 @@ ifdef(`init_systemd',`
# setexec and setkeycreate for systemd --user
allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
- allow init_t self:capability2 { audit_read block_suspend };
+ allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;
@@ -294,6 +295,11 @@ ifdef(`init_systemd',`
# /memfd:systemd-state
fs_tmpfs_filetrans(init_t, init_runtime_t, file)
+ # mounton is required for systemd-timesyncd
+ allow init_t init_var_lib_t:dir { manage_dir_perms mounton };
+ allow init_t init_var_lib_t:file manage_file_perms;
+ allow init_t init_var_lib_t:lnk_file manage_lnk_file_perms;
+
manage_files_pattern(init_t, systemd_unit_t, systemdunit)
manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
@@ -307,6 +313,8 @@ ifdef(`init_systemd',`
kernel_read_fs_sysctls(init_t)
kernel_list_unlabeled(init_t)
kernel_load_module(init_t)
+ kernel_request_load_module(init_t)
+ kernel_rw_fs_sysctls(init_t)
kernel_rw_kernel_sysctl(init_t)
kernel_rw_net_sysctls(init_t)
kernel_read_all_sysctls(init_t)
@@ -390,6 +398,8 @@ ifdef(`init_systemd',`
files_list_spool(init_t)
files_manage_all_runtime_dirs(init_t)
files_manage_generic_tmp_dirs(init_t)
+ files_relabel_generic_tmp_dirs(init_t)
+ files_mounton_tmp(init_t)
files_manage_urandom_seed(init_t)
files_read_boot_files(initrc_t)
files_relabel_all_lock_dirs(init_t)
@@ -398,6 +408,7 @@ ifdef(`init_systemd',`
# If /etc/localtime is missing, a watch on /etc is added.
files_watch_etc_dirs(init_t)
files_watch_etc_symlinks(init_t)
+ files_dontaudit_write_var_dirs(init_t)
fs_relabel_cgroup_dirs(init_t)
fs_list_auto_mountpoints(init_t)
@@ -421,6 +432,7 @@ ifdef(`init_systemd',`
fs_relabel_tmpfs_blk_files(init_t)
fs_relabel_tmpfs_chr_files(init_t)
fs_relabel_tmpfs_fifo_files(init_t)
+ fs_read_efivarfs_files(init_t)
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
fs_relabel_tmpfs_files(init_t)
@@ -429,6 +441,7 @@ ifdef(`init_systemd',`
# mount-setup
fs_unmount_autofs(init_t)
fs_getattr_pstore_dirs(init_t)
+ fs_create_pstore_dirs(init_t)
# for network namespaces
fs_read_nsfs_files(init_t)
@@ -437,7 +450,11 @@ ifdef(`init_systemd',`
miscfiles_watch_localization(init_t)
+ # systemd watches utab in order to mount the
+ # local filesystem at boot
mount_watch_runtime_dirs(init_t)
+ mount_watch_runtime_files(init_t)
+ mount_watch_reads_runtime_files(init_t)
# systemd_socket_activated policy
mls_socket_write_all_levels(init_t)
@@ -460,6 +477,8 @@ ifdef(`init_systemd',`
auth_relabel_login_records(init_t)
auth_relabel_pam_console_data_dirs(init_t)
auth_domtrans_chk_passwd(init_t)
+ # for systemd dynamic users
+ auth_rw_shadow_lock(init_t)
logging_manage_runtime_sockets(init_t)
logging_relabelto_devlog_sock_files(init_t)
@@ -495,6 +514,9 @@ ifdef(`init_systemd',`
# for systemd to read udev status
udev_read_runtime_files(init_t)
+ udev_relabel_rules_dirs(init_t)
+ udev_relabel_rules_files(init_t)
+
userdom_relabel_user_runtime_root_dirs(init_t)
tunable_policy(`init_mounton_non_security',`
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 255b44df8..84d413c2a 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -86,6 +86,7 @@ auth_use_nsswitch(iptables_t)
init_use_fds(iptables_t)
init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
+init_rw_script_pipes(iptables_t)
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index df474a634..d9063742d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -114,6 +114,7 @@ files_getattr_all_dirs(auditctl_t)
files_getattr_all_files(auditctl_t)
files_read_etc_files(auditctl_t)
+kernel_dontaudit_getattr_proc(auditctl_t)
kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
kernel_setsched(auditctl_t)
@@ -166,6 +167,10 @@ manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
files_runtime_filetrans(auditd_t, auditd_runtime_t, { file sock_file })
+# Needs to be able to getattr on the audisp-remote binary to verify
+# the plugin configuration.
+allow auditd_t audisp_remote_exec_t:file getattr;
+
kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
@@ -196,6 +201,8 @@ domain_use_interactive_fds(auditd_t)
files_read_etc_files(auditd_t)
files_list_usr(auditd_t)
+auth_use_nsswitch(auditd_t)
+
init_telinit(auditd_t)
logging_set_audit_parameters(auditd_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index ef5de835e..59648d3bf 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -88,6 +88,7 @@ files_read_kernel_symbol_table(kmod_t)
files_read_etc_runtime_files(kmod_t)
files_read_etc_files(kmod_t)
files_read_usr_files(kmod_t)
+files_read_usr_src_files(kmod_t)
files_exec_etc_files(kmod_t)
files_search_tmp(kmod_t)
# for nscd:
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 5817e1a92..79591956d 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -103,6 +103,7 @@ fs_getattr_tmpfs(mount_t)
fs_getattr_rpc_pipefs(mount_t)
fs_getattr_cifs(mount_t)
fs_getattr_nfs(mount_t)
+fs_getattr_dos_fs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index c19259f73..34db8c034 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -39,6 +39,7 @@
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
/usr/lib/systemd/systemd-socket-proxyd -- gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0)
+/usr/lib/systemd/systemd-sysctl -- gen_context(system_u:object_r:systemd_sysctl_exec_t,s0)
/usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
/usr/lib/systemd/systemd-user-runtime-dir -- gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
/usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 38a026fd5..8462a1420 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -164,6 +164,8 @@ template(`systemd_role_template',`
systemd_status_user_runtime_units($3)
systemd_stop_user_runtime_units($3)
+ systemd_watch_passwd_runtime_dirs($3)
+
optional_policy(`
xdg_config_filetrans($1_systemd_t, systemd_conf_home_t, dir, "systemd")
xdg_data_filetrans($1_systemd_t, systemd_data_home_t, dir, "systemd")
@@ -1163,6 +1165,24 @@ interface(`systemd_manage_passwd_runtime_symlinks',`
allow $1 systemd_passwd_runtime_t:lnk_file manage_lnk_file_perms;
')
+########################################
+##
+## Allow a domain to watch systemd-passwd runtime dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_watch_passwd_runtime_dirs',`
+ gen_require(`
+ type systemd_passwd_runtime_t;
+ ')
+
+ allow $1 systemd_passwd_runtime_t:dir watch;
+')
+
########################################
##
## manage systemd unit dirs and the files in them (Deprecated)
@@ -1235,6 +1255,24 @@ interface(`systemd_manage_journal_files',`
allow $1 systemd_journal_t:file map;
')
+########################################
+##
+## Allow domain to add a watch on systemd_journal_t directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_watch_journal_dirs',`
+ gen_require(`
+ type systemd_journal_t;
+ ')
+
+ allow $1 systemd_journal_t:dir watch;
+')
+
########################################
##
## Relabel to systemd-journald directory type.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5b5b07a7..7090a9136 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -260,6 +260,10 @@ corenet_port(systemd_socket_proxyd_port_t)
type systemd_socket_proxyd_unit_file_t;
init_unit_file(systemd_socket_proxyd_unit_file_t)
+type systemd_sysctl_t;
+type systemd_sysctl_exec_t;
+init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
+
type systemd_sysusers_t;
type systemd_sysusers_exec_t;
init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
@@ -332,6 +336,8 @@ systemd_log_parse_environment(systemd_backlight_t)
# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
dev_rw_sysfs(systemd_backlight_t)
+kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)
+
# for udev.conf
files_read_etc_files(systemd_backlight_t)
@@ -432,6 +438,7 @@ allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
allow systemd_generator_t self:capability dac_override;
allow systemd_generator_t self:process setfscreate;
+corecmd_exec_shell(systemd_generator_t)
corecmd_getattr_bin_files(systemd_generator_t)
dev_read_sysfs(systemd_generator_t)
@@ -446,6 +453,7 @@ files_search_all_mountpoints(systemd_generator_t)
files_list_usr(systemd_generator_t)
fs_list_efivars(systemd_generator_t)
+fs_getattr_cgroup(systemd_generator_t)
fs_getattr_xattr_fs(systemd_generator_t)
init_create_runtime_files(systemd_generator_t)
@@ -464,6 +472,7 @@ init_read_script_files(systemd_generator_t)
kernel_use_fds(systemd_generator_t)
kernel_read_system_state(systemd_generator_t)
kernel_read_kernel_sysctls(systemd_generator_t)
+kernel_dontaudit_getattr_proc(systemd_generator_t)
storage_raw_read_fixed_disk(systemd_generator_t)
@@ -494,6 +503,7 @@ optional_policy(`
allow systemd_hostnamed_t self:capability sys_admin;
kernel_read_kernel_sysctls(systemd_hostnamed_t)
+kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
dev_read_sysfs(systemd_hostnamed_t)
@@ -592,6 +602,7 @@ allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_logind_var_lib_t:file manage_file_perms;
init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
@@ -610,6 +621,7 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
+kernel_dontaudit_getattr_proc(systemd_logind_t)
kernel_read_kernel_sysctls(systemd_logind_t)
dev_getattr_dri_dev(systemd_logind_t)
@@ -660,6 +672,7 @@ init_dbus_send_script(systemd_logind_t)
init_get_all_units_status(systemd_logind_t)
init_get_system_status(systemd_logind_t)
init_read_utmp(systemd_logind_t)
+init_watch_utmp(systemd_logind_t)
init_service_start(systemd_logind_t)
init_service_status(systemd_logind_t)
init_start_all_units(systemd_logind_t)
@@ -713,8 +726,11 @@ ifdef(`distro_redhat',`
tunable_policy(`systemd_logind_get_bootloader',`
fs_getattr_dos_fs(systemd_logind_t)
+ fs_getattr_xattr_fs(systemd_logind_t)
fs_list_dos(systemd_logind_t)
fs_read_dos_files(systemd_logind_t)
+
+ files_search_boot(systemd_logind_t)
')
# systemd-logind uses util-linux's blkid in order to find the ESP (EFI System Partition).
# This reads the first sectors of fixed disk devices.
@@ -814,6 +830,7 @@ optional_policy(`
kernel_load_module(systemd_modules_load_t)
kernel_read_kernel_sysctls(systemd_modules_load_t)
kernel_request_load_module(systemd_modules_load_t)
+kernel_dontaudit_getattr_proc(systemd_modules_load_t)
dev_read_sysfs(systemd_modules_load_t)
@@ -850,6 +867,7 @@ kernel_read_kernel_sysctls(systemd_networkd_t)
kernel_read_network_state(systemd_networkd_t)
kernel_request_load_module(systemd_networkd_t)
kernel_rw_net_sysctls(systemd_networkd_t)
+kernel_dontaudit_getattr_proc(systemd_networkd_t)
corecmd_bin_entry_type(systemd_networkd_t)
corecmd_exec_bin(systemd_networkd_t)
@@ -1180,6 +1198,7 @@ allow systemd_resolved_t systemd_networkd_runtime_t:dir watch;
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
manage_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
init_runtime_filetrans(systemd_resolved_t, systemd_resolved_runtime_t, dir)
dev_read_sysfs(systemd_resolved_t)
@@ -1187,6 +1206,7 @@ dev_read_sysfs(systemd_resolved_t)
kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
kernel_read_net_sysctls(systemd_resolved_t)
+kernel_dontaudit_getattr_proc(systemd_resolved_t)
corenet_tcp_bind_generic_node(systemd_resolved_t)
corenet_tcp_bind_dns_port(systemd_resolved_t)
@@ -1254,6 +1274,7 @@ allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
kernel_read_kernel_sysctls(systemd_sessions_t)
+kernel_dontaudit_getattr_proc(systemd_sessions_t)
selinux_get_fs_mount(systemd_sessions_t)
selinux_use_status_page(systemd_sessions_t)
@@ -1264,6 +1285,21 @@ seutil_read_file_contexts(systemd_sessions_t)
systemd_log_parse_environment(systemd_sessions_t)
+########################################
+#
+# sysctl local policy
+#
+
+dontaudit systemd_sysctl_t self:capability sys_ptrace;
+
+kernel_read_kernel_sysctls(systemd_sysctl_t)
+kernel_request_load_module(systemd_sysctl_t)
+kernel_rw_all_sysctls(systemd_sysctl_t)
+kernel_dontaudit_getattr_proc(systemd_sysctl_t)
+
+files_read_etc_files(systemd_sysctl_t)
+
+systemd_log_parse_environment(systemd_sysctl_t)
#########################################
#
@@ -1557,6 +1593,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
+kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
selinux_use_status_page(systemd_user_runtime_dir_t)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 538f28514..f02b73edd 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -202,6 +202,46 @@ interface(`udev_manage_rules_files',`
udev_search_runtime($1)
')
+########################################
+##
+## Relabel udev rules directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_relabel_rules_dirs',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ relabel_dirs_pattern($1, udev_rules_t, udev_rules_t)
+
+ files_search_etc($1)
+')
+
+########################################
+##
+## Relabel udev rules files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_relabel_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ relabel_files_pattern($1, udev_rules_t, udev_rules_t)
+
+ files_search_etc($1)
+')
+
########################################
##
## Do not audit search of udev database directories. (Deprecated)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 4a2283b6c..d22524c81 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -41,7 +41,6 @@ ifdef(`enable_mcs',`
#
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
-dontaudit udev_t self:capability sys_tty_config;
allow udev_t self:capability2 { wake_alarm block_suspend };
allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
allow udev_t self:fd use;
@@ -58,6 +57,13 @@ allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:netlink_generic_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
+ifdef(`init_systemd',`
+ # systemd-vconsole-setup will be called by udev during virtual terminal initialization
+ allow udev_t self:capability sys_tty_config;
+',`
+ dontaudit udev_t self:capability sys_tty_config;
+')
+
# for systemd-udevd to rename interfaces
allow udev_t self:netlink_route_socket nlmsg_write;
@@ -124,6 +130,10 @@ files_mmap_read_kernel_modules(udev_t)
files_exec_etc_files(udev_t)
files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)
+files_dontaudit_getattr_default_files(udev_t)
+files_dontaudit_getattr_home_dir(udev_t)
+files_dontaudit_getattr_lost_found_dirs(udev_t)
+files_dontaudit_getattr_tmp_dirs(udev_t)
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
@@ -145,6 +155,7 @@ selinux_compute_access_vector(udev_t)
selinux_compute_create_context(udev_t)
selinux_compute_relabel_context(udev_t)
selinux_compute_user_contexts(udev_t)
+selinux_use_status_page(udev_t)
storage_watch_fixed_disk(udev_t)
@@ -189,6 +200,7 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
+userdom_dontaudit_getattr_user_home_dirs(udev_t)
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_debian',`
@@ -329,6 +341,7 @@ optional_policy(`
optional_policy(`
raid_domtrans_mdadm(udev_t)
+ raid_read_mdadm_runtime_files(udev_t)
')
optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 958ccd521..978c1b875 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -78,6 +78,7 @@ template(`userdom_base_user_template',`
dev_dontaudit_getattr_all_blk_files($1_t)
dev_dontaudit_getattr_all_chr_files($1_t)
+ dev_dontaudit_setattr_null_dev($1_t)
# for X session unlock
allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@@ -3104,6 +3105,25 @@ interface(`userdom_manage_user_tmp_pipes',`
userdom_search_user_runtime($1)
')
+########################################
+##
+## Do not audit attempts to read and write
+## temporary pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ dontaudit $1 user_tmp_t:fifo_file rw_fifo_file_perms;
+')
+
########################################
##
## Create, read, write, and delete user