diff --git a/policy/modules/admin/dracut.fc b/policy/modules/admin/dracut.fc
new file mode 100644
index 0000000000..3f0a4bf1de
--- /dev/null
+++ b/policy/modules/admin/dracut.fc
@@ -0,0 +1,2 @@
+/usr/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
diff --git a/policy/modules/admin/dracut.if b/policy/modules/admin/dracut.if
new file mode 100644
index 0000000000..e05cd1be3f
--- /dev/null
+++ b/policy/modules/admin/dracut.if
@@ -0,0 +1,66 @@
+## Dracut initramfs creation tool
+
+########################################
+##
+## Execute the dracut program in the dracut domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`dracut_domtrans',`
+ gen_require(`
+ type dracut_t, dracut_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dracut_exec_t, dracut_t)
+')
+
+########################################
+##
+## Execute dracut in the dracut domain, and
+## allow the specified role the dracut domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`dracut_run',`
+ gen_require(`
+ type dracut_t;
+ ')
+
+ dracut_domtrans($1)
+ role $2 types dracut_t;
+')
+
+########################################
+##
+## Read/write dracut temporary files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dracut_rw_tmp_files',`
+ gen_require(`
+ type dracut_tmp_t;
+ ')
+
+ files_search_var($1)
+ files_search_tmp($1)
+
+ rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+')
diff --git a/policy/modules/admin/dracut.te b/policy/modules/admin/dracut.te
new file mode 100644
index 0000000000..e0b0b576d2
--- /dev/null
+++ b/policy/modules/admin/dracut.te
@@ -0,0 +1,207 @@
+policy_module(dracut)
+
+########################################
+#
+# Declarations
+#
+
+type dracut_t;
+type dracut_exec_t;
+application_domain(dracut_t, dracut_exec_t)
+
+type dracut_var_log_t;
+logging_log_file(dracut_var_log_t)
+
+type dracut_runtime_t;
+files_runtime_file(dracut_runtime_t)
+
+type dracut_tmp_t;
+files_tmp_file(dracut_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dracut_t self:process { getsched setfscreate };
+# sys_admin needed for fsfreeze use
+# sys_chroot needed for ldconfig
+allow dracut_t self:capability { dac_override dac_read_search setfcap sys_admin sys_chroot };
+dontaudit dracut_t self:capability sys_resource;
+allow dracut_t self:fifo_file rw_fifo_file_perms;
+allow dracut_t self:unix_stream_socket create_stream_socket_perms;
+allow dracut_t self:alg_socket create_stream_socket_perms;
+
+allow dracut_t dracut_runtime_t:dir manage_dir_perms;
+allow dracut_t dracut_runtime_t:file manage_file_perms;
+files_runtime_filetrans(dracut_t, dracut_runtime_t, { dir file })
+
+allow dracut_t dracut_tmp_t:dir { manage_dir_perms relabelfrom };
+allow dracut_t dracut_tmp_t:file { manage_file_perms relabel_file_perms };
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)
+
+manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
+logging_log_filetrans(dracut_t, dracut_var_log_t, file)
+
+corecmd_exec_bin(dracut_t)
+corecmd_exec_shell(dracut_t)
+corecmd_mmap_all_executables(dracut_t)
+corecmd_delete_all_executables(dracut_t)
+corecmd_setattr_all_executables(dracut_t)
+corecmd_relabelto_all_executables(dracut_t)
+
+dev_read_kmsg(dracut_t)
+dev_read_rand(dracut_t)
+dev_read_sysfs(dracut_t)
+dev_rw_lvm_control(dracut_t)
+# for ssh-keygen
+dev_write_urand(dracut_t)
+# findmnt generates these
+dev_dontaudit_getattr_all_blk_files(dracut_t)
+dev_dontaudit_getattr_all_chr_files(dracut_t)
+
+domain_use_interactive_fds(dracut_t)
+domain_obj_id_change_exemption(dracut_t)
+
+files_create_kernel_img(dracut_t)
+files_search_runtime(dracut_t)
+
+files_rw_etc_files(dracut_t)
+files_create_etc_files(dracut_t)
+files_delete_etc_files(dracut_t)
+files_rename_etc_files(dracut_t)
+files_setattr_etc_files(dracut_t)
+files_relabelto_etc_files(dracut_t)
+files_mmap_read_kernel_modules(dracut_t)
+files_delete_kernel_modules(dracut_t)
+files_setattr_kernel_modules(dracut_t)
+files_relabelto_kernel_modules_files(dracut_t)
+files_read_usr_files(dracut_t)
+files_delete_usr_files(dracut_t)
+files_setattr_usr_files(dracut_t)
+files_relabelto_usr_files(dracut_t)
+files_read_usr_src_files(dracut_t)
+files_read_etc_runtime_files(dracut_t)
+files_delete_etc_runtime_files(dracut_t)
+files_setattr_etc_runtime_files(dracut_t)
+files_relabelto_etc_runtime_files(dracut_t)
+files_relabelfrom_etc_runtime_files(dracut_t)
+
+files_dontaudit_search_mnt(dracut_t)
+
+# cgroup for virt-detect
+fs_getattr_cgroup(dracut_t)
+fs_read_cgroup_files(dracut_t)
+# tmpfs on /run/modprobe.d
+fs_list_tmpfs(dracut_t)
+fs_getattr_nsfs_files(dracut_t)
+fs_getattr_xattr_fs(dracut_t)
+fs_dontaudit_getattr_hugetlbfs_dirs(dracut_t)
+
+kernel_read_messages(dracut_t)
+kernel_read_system_state(dracut_t)
+# for virt-detect
+kernel_read_kernel_sysctls(dracut_t)
+kernel_read_network_state(dracut_t)
+kernel_read_vm_overcommit_sysctl(dracut_t)
+kernel_dontaudit_getattr_proc(dracut_t)
+
+storage_dontaudit_read_fixed_disk(dracut_t)
+
+# create a stripped down shadow file in initrd
+auth_manage_shadow(dracut_t)
+auth_use_nsswitch(dracut_t)
+
+# for virt-detect
+init_read_state(dracut_t)
+
+fstools_domtrans(dracut_t)
+
+libs_exec_ldconfig(dracut_t)
+libs_exec_ld_so(dracut_t)
+libs_exec_lib_files(dracut_t)
+libs_delete_ld_so(dracut_t)
+libs_setattr_ld_so(dracut_t)
+libs_relabel_ld_so(dracut_t)
+libs_delete_lib_files(dracut_t)
+libs_setattr_lib_files(dracut_t)
+libs_relabelto_lib_files(dracut_t)
+
+logging_read_syslog_config(dracut_t)
+logging_delete_syslog_config_files(dracut_t)
+logging_setattr_syslog_config_files(dracut_t)
+logging_relabelto_syslog_config_files(dracut_t)
+logging_dontaudit_search_runtime_dirs(dracut_t)
+
+miscfiles_read_generic_certs(dracut_t)
+miscfiles_read_localization(dracut_t)
+
+modutils_exec(dracut_t)
+modutils_read_module_config(dracut_t)
+modutils_delete_module_config(dracut_t)
+modutils_setattr_module_config(dracut_t)
+modutils_relabel_module_config(dracut_t)
+modutils_read_module_deps(dracut_t)
+
+seutil_domtrans_setfiles(dracut_t)
+
+udev_list_rules(dracut_t)
+udev_rw_rules_files(dracut_t)
+udev_delete_rules_files(dracut_t)
+udev_setattr_rules_files(dracut_t)
+udev_relabelto_rules_files(dracut_t)
+
+userdom_search_user_home_dirs(dracut_t)
+userdom_use_user_terminals(dracut_t)
+
+ifdef(`init_systemd',`
+ sysnet_read_config(dracut_t)
+ sysnet_delete_config(dracut_t)
+ sysnet_setattr_config(dracut_t)
+ sysnet_relabelto_config(dracut_t)
+
+ init_manage_all_unit_files(dracut_t)
+ init_relabel_all_unit_files(dracut_t)
+
+ systemd_exec_sysusers(dracut_t)
+ systemd_read_user_units_files(dracut_t)
+')
+
+optional_policy(`
+ installkernel_list_tmp(dracut_t)
+ installkernel_create_tmp_files(dracut_t)
+ installkernel_rw_tmp_files(dracut_t)
+')
+
+optional_policy(`
+ lvm_exec(dracut_t)
+ lvm_read_config(dracut_t)
+')
+
+optional_policy(`
+ portage_exec_gcc_config(dracut_t)
+ portage_list_config(dracut_t)
+ portage_read_config(dracut_t)
+ portage_list_ebuild(dracut_t)
+ portage_read_ebuild_files(dracut_t)
+')
+
+optional_policy(`
+ ssh_exec_keygen(dracut_t)
+ ssh_read_server_keys(dracut_t)
+ ssh_dontaudit_getattr_home_dirs(dracut_t)
+')
+
+optional_policy(`
+ xdg_dontaudit_search_data_dirs(dracut_t)
+')
+
+optional_policy(`
+ zfs_read_config(dracut_t)
+ zfs_read_zpool_cache(dracut_t)
+ zfs_delete_zpool_cache(dracut_t)
+ zfs_setattr_zpool_cache_files(dracut_t)
+ zfs_relabelto_zpool_cache_files(dracut_t)
+')
diff --git a/policy/modules/admin/installkernel.fc b/policy/modules/admin/installkernel.fc
new file mode 100644
index 0000000000..4a47a5c18f
--- /dev/null
+++ b/policy/modules/admin/installkernel.fc
@@ -0,0 +1,4 @@
+/usr/bin/kernel-install -- gen_context(system_u:object_r:installkernel_exec_t,s0)
+/usr/bin/installkernel -- gen_context(system_u:object_r:installkernel_exec_t,s0)
+/var/lib/misc/installkernel -- gen_context(system_u:object_r:installkernel_var_lib_t,s0)
+/var/log/installkernel\.log -- gen_context(system_u:object_r:installkernel_log_t,s0)
diff --git a/policy/modules/admin/installkernel.if b/policy/modules/admin/installkernel.if
new file mode 100644
index 0000000000..4a1ed707ab
--- /dev/null
+++ b/policy/modules/admin/installkernel.if
@@ -0,0 +1,101 @@
+## Install kernels and update the bootloader configuration.
+
+########################################
+##
+## Execute installkernel in the installkernel domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`installkernel_domtrans',`
+ gen_require(`
+ type installkernel_t, installkernel_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, installkernel_exec_t, installkernel_t)
+')
+
+########################################
+##
+## Execute installkernel in the installkernel
+## domain, and allow the specified
+## role the installkernel domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`installkernel_run',`
+ gen_require(`
+ type installkernel_t;
+ ')
+
+ installkernel_domtrans($1)
+ role $2 types installkernel_t;
+')
+
+########################################
+##
+## List the contents of installkernel tmp directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`installkernel_list_tmp',`
+ gen_require(`
+ type installkernel_tmp_t;
+ ')
+
+ allow $1 installkernel_tmp_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Create installkernel tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`installkernel_create_tmp_files',`
+ gen_require(`
+ type installkernel_tmp_t;
+ ')
+
+ create_files_pattern($1, installkernel_tmp_t, installkernel_tmp_t)
+')
+
+########################################
+##
+## Read and write installkernel tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`installkernel_rw_tmp_files',`
+ gen_require(`
+ type installkernel_tmp_t;
+ ')
+
+ rw_files_pattern($1, installkernel_tmp_t, installkernel_tmp_t)
+')
diff --git a/policy/modules/admin/installkernel.te b/policy/modules/admin/installkernel.te
new file mode 100644
index 0000000000..72c80e638c
--- /dev/null
+++ b/policy/modules/admin/installkernel.te
@@ -0,0 +1,102 @@
+policy_module(installkernel)
+
+########################################
+#
+# Declarations
+#
+
+type installkernel_t;
+type installkernel_exec_t;
+application_domain(installkernel_t, installkernel_exec_t)
+
+type installkernel_var_lib_t;
+files_type(installkernel_var_lib_t)
+
+type installkernel_log_t;
+logging_log_file(installkernel_log_t)
+
+type installkernel_tmp_t;
+files_tmp_file(installkernel_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow installkernel_t self:process { getcap getsched };
+allow installkernel_t self:capability sys_resource;
+allow installkernel_t self:fifo_file rw_inherited_fifo_file_perms;
+
+can_exec(installkernel_t, installkernel_exec_t)
+
+corecmd_exec_bin(installkernel_t)
+corecmd_exec_shell(installkernel_t)
+
+# create staging area
+allow installkernel_t installkernel_tmp_t:dir manage_dir_perms;
+allow installkernel_t installkernel_tmp_t:file { mmap_manage_file_perms relabel_file_perms };
+files_tmp_filetrans(installkernel_t, installkernel_tmp_t, { dir file })
+
+# update /var/lib/misc/installkernel
+files_search_var_lib(installkernel_t)
+allow installkernel_t installkernel_var_lib_t:file manage_file_perms;
+
+allow installkernel_t installkernel_log_t:file { create_file_perms append_file_perms };
+logging_log_filetrans(installkernel_t, installkernel_log_t, file)
+
+dev_getattr_sysfs(installkernel_t)
+dev_read_sysfs(installkernel_t)
+
+# boot_t is constrained
+domain_obj_id_change_exemption(installkernel_t)
+
+domain_use_interactive_fds(installkernel_t)
+
+files_list_boot(installkernel_t)
+files_manage_boot_files(installkernel_t)
+files_relabelto_boot_files(installkernel_t)
+files_getattr_boot_fs(installkernel_t)
+# read /etc/kernel
+files_read_etc_files(installkernel_t)
+# read /etc/machine-id
+files_read_etc_runtime_files(installkernel_t)
+files_mmap_read_usr_src_files(installkernel_t)
+# execute depmod
+files_manage_kernel_modules(installkernel_t)
+
+fs_getattr_xattr_fs(installkernel_t)
+fs_getattr_nsfs_files(installkernel_t)
+
+kernel_read_system_state(installkernel_t)
+# read /proc/sys/kernel/osrelease
+kernel_read_kernel_sysctls(installkernel_t)
+kernel_dontaudit_getattr_proc(installkernel_t)
+
+storage_raw_read_fixed_disk(installkernel_t)
+
+auth_use_nsswitch(installkernel_t)
+
+miscfiles_read_generic_certs(installkernel_t)
+miscfiles_read_localization(installkernel_t)
+
+# read /etc/systemd/network
+sysnet_read_config(installkernel_t)
+
+libs_exec_lib_files(installkernel_t)
+
+userdom_use_user_terminals(installkernel_t)
+userdom_dontaudit_search_user_home_dirs(installkernel_t)
+
+xdg_dontaudit_search_data_dirs(installkernel_t)
+
+ifdef(`init_systemd',`
+ # detect if running in a container
+ init_search_runtime(installkernel_t)
+ fs_getattr_cgroup(installkernel_t)
+ fs_search_cgroup_dirs(installkernel_t)
+ init_read_state(installkernel_t)
+')
+
+optional_policy(`
+ dracut_domtrans(installkernel_t)
+')
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 7645cec897..2259cd499f 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -249,6 +249,25 @@ interface(`portage_run_fetch',`
roleattribute $2 portage_fetch_roles;
')
+########################################
+##
+## Execute gcc-config in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_exec_gcc_config',`
+ gen_require(`
+ type gcc_config_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, gcc_config_exec_t)
+')
+
########################################
##
## Execute gcc-config in the gcc config domain.
@@ -353,6 +372,103 @@ interface(`portage_dontaudit_read_config',`
dontaudit $1 portage_conf_t:lnk_file read_lnk_file_perms;
')
+########################################
+##
+## List the contents of portage config directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_list_config',`
+ gen_require(`
+ type portage_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, portage_conf_t, portage_conf_t)
+')
+
+########################################
+##
+## Read portage config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_read_config',`
+ gen_require(`
+ type portage_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, portage_conf_t, portage_conf_t)
+ read_files_pattern($1, portage_conf_t, portage_conf_t)
+ read_lnk_files_pattern($1, portage_conf_t, portage_conf_t)
+')
+
+########################################
+##
+## Memory map and read portage config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_mmap_read_config',`
+ gen_require(`
+ type portage_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, portage_conf_t, portage_conf_t)
+ mmap_read_files_pattern($1, portage_conf_t, portage_conf_t)
+ read_lnk_files_pattern($1, portage_conf_t, portage_conf_t)
+')
+
+########################################
+##
+## List the contents of portage ebuild directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_list_ebuild',`
+ gen_require(`
+ type portage_ebuild_t;
+ ')
+
+ list_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t)
+')
+
+########################################
+##
+## Read portage ebuild files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_read_ebuild_files',`
+ gen_require(`
+ type portage_ebuild_t;
+ ')
+
+ read_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
+')
+
########################################
##
## Do not audit attempts to search the
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 08ed91f19c..bb7792e645 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -700,6 +700,27 @@ interface(`corecmd_getattr_all_executables',`
getattr_files_pattern($1, bin_t, exec_type)
')
+########################################
+##
+## Set the attributes of all executable files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corecmd_setattr_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ type bin_t;
+ ')
+
+ corecmd_list_bin($1)
+ setattr_files_pattern($1, bin_t, exec_type)
+')
+
########################################
##
## Read all executable files.
@@ -780,6 +801,27 @@ interface(`corecmd_dontaudit_exec_all_executables',`
dontaudit $1 exec_type:file { execute execute_no_trans };
')
+########################################
+##
+## Delete all executable files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corecmd_delete_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ type bin_t;
+ ')
+
+ corecmd_list_bin($1)
+ delete_files_pattern($1, bin_t, exec_type)
+')
+
########################################
##
## Create, read, write, and all executable files.
@@ -823,6 +865,25 @@ interface(`corecmd_relabel_all_executables',`
relabel_files_pattern($1, bin_t, exec_type)
')
+########################################
+##
+## Relabelto all executable file types.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corecmd_relabelto_all_executables',`
+ gen_require(`
+ attribute exec_type;
+ ')
+
+ allow $1 exec_type:file relabelto;
+')
+
########################################
##
## Mmap all executables as executable.
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e55bf337e3..f86058de5a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2724,6 +2724,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
+########################################
+##
+## Relabel to files in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ relabelto_files_pattern($1, boot_t, boot_t)
+')
+
######################################
##
## Read symbolic links in the /boot directory.
@@ -3463,6 +3481,24 @@ interface(`files_dontaudit_manage_etc_files',`
dontaudit $1 etc_t:file manage_file_perms;
')
+########################################
+##
+## Create system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_create_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ create_files_pattern($1, etc_t, etc_t)
+')
+
########################################
##
## Delete system configuration files in /etc.
@@ -3480,6 +3516,41 @@ interface(`files_delete_etc_files',`
delete_files_pattern($1, etc_t, etc_t)
')
+########################################
+##
+## Rename system configuration files in /etc.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rename_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ rename_files_pattern($1, etc_t, etc_t)
+')
+
+########################################
+##
+## Set the attributes of etc_t files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_setattr_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:file setattr;
+')
########################################
##
@@ -3519,6 +3590,24 @@ interface(`files_watch_etc_files', `
allow $1 etc_t:file watch;
')
+########################################
+##
+## Relabel files to etc_t.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:file relabelto;
+')
+
########################################
##
## Get etc_t service status.
@@ -3868,8 +3957,8 @@ interface(`files_read_etc_runtime_files',`
')
allow $1 etc_t:dir list_dir_perms;
- read_files_pattern($1, etc_t, etc_runtime_t)
- read_lnk_files_pattern($1, etc_t, etc_runtime_t)
+ read_files_pattern($1, etc_runtime_t, etc_runtime_t)
+ read_lnk_files_pattern($1, etc_runtime_t, etc_runtime_t)
')
########################################
@@ -3988,6 +4077,24 @@ interface(`files_rw_etc_runtime_files',`
rw_files_pattern($1, etc_t, etc_runtime_t)
')
+########################################
+##
+## Delete etc_runtime_t files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_delete_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:file delete_file_perms;
+')
+
########################################
##
## Create, read, write, and delete files in
@@ -4009,6 +4116,24 @@ interface(`files_manage_etc_runtime_files',`
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
')
+########################################
+##
+## Set the attributes on etc_runtime_t files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_setattr_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:file setattr;
+')
+
########################################
##
## Relabel to etc_runtime_t files.
@@ -4027,6 +4152,24 @@ interface(`files_relabelto_etc_runtime_files',`
allow $1 etc_runtime_t:file relabelto;
')
+########################################
+##
+## Relabel from etc_runtime_t files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelfrom_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ allow $1 etc_runtime_t:file relabelfrom;
+')
+
########################################
##
## Create, etc runtime objects with an automatic
@@ -4673,6 +4816,24 @@ interface(`files_delete_kernel_modules',`
delete_files_pattern($1, modules_object_t, modules_object_t)
')
+########################################
+##
+## Set the attributes on kernel module files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_setattr_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:file setattr;
+')
+
########################################
##
## Create, read, write, and delete
@@ -4766,6 +4927,24 @@ interface(`files_kernel_modules_filetrans',`
filetrans_pattern($1, modules_object_t, $2, $3, $4)
')
+########################################
+##
+## Relabel files to the kernel module type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabelto_kernel_modules_files',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ allow $1 modules_object_t:file relabelto;
+')
+
########################################
##
## Load kernel module files.
@@ -5583,6 +5762,24 @@ interface(`files_getattr_usr_files',`
getattr_files_pattern($1, usr_t, usr_t)
')
+########################################
+##
+## Set the attributes of files in the /usr directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_setattr_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:file setattr;
+')
+
########################################
##
## Map generic files in /usr.
@@ -5861,6 +6058,27 @@ interface(`files_read_usr_src_files',`
allow $1 src_t:dir list_dir_perms;
')
+########################################
+##
+## Memory map and read files in /usr/src.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mmap_read_usr_src_files',`
+ gen_require(`
+ type usr_t, src_t;
+ ')
+
+ allow $1 usr_t:dir search_dir_perms;
+ mmap_read_files_pattern($1, { usr_t src_t }, src_t)
+ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+ allow $1 src_t:dir list_dir_perms;
+')
+
########################################
##
## Execute programs in /usr/src in the caller domain.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index b380912fb6..0d5431df17 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3641,6 +3641,25 @@ interface(`fs_getattr_hugetlbfs',`
allow $1 hugetlbfs_t:filesystem getattr;
')
+########################################
+##
+## Do not audit attempts to get the
+## attributes of directories on a hugetlbfs.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_getattr_hugetlbfs_dirs',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ dontaudit $1 hugetlbfs_t:dir getattr_dir_perms;
+')
+
########################################
##
## Remount a hugetlbfs filesystem.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 3a82425685..9af741123c 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -422,6 +422,10 @@ optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
')
+optional_policy(`
+ dracut_run(sysadm_t, sysadm_r)
+')
+
optional_policy(`
drbd_admin(sysadm_t, sysadm_r)
')
@@ -555,6 +559,10 @@ optional_policy(`
ipsec_admin(sysadm_t, sysadm_r)
')
+optional_policy(`
+ installkernel_run(sysadm_t, sysadm_r)
+')
+
optional_policy(`
iptables_admin(sysadm_t, sysadm_r)
iptables_run(sysadm_t, sysadm_r)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 39fd112947..fc0bca87cc 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -459,7 +459,7 @@ template(`ssh_role_template',`
cockpit_rw_session_pipes($1_ssh_agent_t)
cockpit_send_signal($1_ssh_agent_t)
')
-
+
optional_policy(`
nis_use_ypbind($1_ssh_agent_t)
')
@@ -758,6 +758,25 @@ interface(`ssh_agent_exec',`
can_exec($1, ssh_agent_exec_t)
')
+########################################
+##
+## Do not audit attempts to get the attributes
+## of ssh home directory (~/.ssh).
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`ssh_dontaudit_getattr_home_dirs',`
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ dontaudit $1 ssh_home_t:dir getattr_dir_perms;
+')
+
########################################
##
## Set the attributes of ssh home directory (~/.ssh)
@@ -816,6 +835,24 @@ interface(`ssh_read_user_home_files',`
userdom_search_user_home_dirs($1)
')
+########################################
+##
+## Execute the ssh key generator in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ssh_exec_keygen',`
+ gen_require(`
+ type ssh_keygen_exec_t;
+ ')
+
+ can_exec($1, ssh_keygen_exec_t)
+')
+
########################################
##
## Execute the ssh key generator in the ssh keygen domain.
diff --git a/policy/modules/services/zfs.if b/policy/modules/services/zfs.if
index 1b2841be95..7b0d358537 100644
--- a/policy/modules/services/zfs.if
+++ b/policy/modules/services/zfs.if
@@ -104,6 +104,80 @@ interface(`zfs_read_config',`
read_lnk_files_pattern($1, zfs_config_t, zfs_config_t)
')
+########################################
+##
+## Read the zpool cache.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zfs_read_zpool_cache',`
+ gen_require(`
+ type zfs_zpool_cache_t;
+ ')
+
+ files_search_etc($1)
+ zfs_search_config($1)
+ read_files_pattern($1, zfs_zpool_cache_t, zfs_zpool_cache_t)
+')
+
+########################################
+##
+## Delete the zpool cache file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zfs_delete_zpool_cache',`
+ gen_require(`
+ type zfs_zpool_cache_t;
+ ')
+
+ delete_files_pattern($1, zfs_zpool_cache_t, zfs_zpool_cache_t)
+')
+
+########################################
+##
+## Set the attributes on the zpool cache file.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zfs_setattr_zpool_cache_files',`
+ gen_require(`
+ type zfs_zpool_cache_t;
+ ')
+
+ allow $1 zfs_zpool_cache_t:file setattr;
+')
+
+########################################
+##
+## Relabel files to the zpool cache type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`zfs_relabelto_zpool_cache_files',`
+ gen_require(`
+ type zfs_zpool_cache_t;
+ ')
+
+ allow $1 zfs_zpool_cache_t:file relabelto;
+')
+
########################################
##
## Create the zpool cache with an
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 105ad32f7e..9a8a9b8d5d 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -149,6 +149,42 @@ interface(`libs_exec_ld_so',`
exec_files_pattern($1, lib_t, ld_so_t)
')
+########################################
+##
+## Delete the dynamic link/loader.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`libs_delete_ld_so',`
+ gen_require(`
+ type ld_so_t;
+ ')
+
+ delete_files_pattern($1, ld_so_t, ld_so_t)
+')
+
+########################################
+##
+## Set the attributes on the dynamic link/loader.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`libs_setattr_ld_so',`
+ gen_require(`
+ type ld_so_t;
+ ')
+
+ allow $1 ld_so_t:file setattr;
+')
+
########################################
##
## Create, read, write, and delete the
@@ -313,6 +349,42 @@ interface(`libs_watch_lib_dirs',`
allow $1 lib_t:dir watch;
')
+########################################
+##
+## Delete library files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`libs_delete_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:file delete_file_perms;
+')
+
+########################################
+##
+## Set the attributes on library files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`libs_setattr_lib_files',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:file setattr;
+')
+
########################################
##
## dontaudit attempts to setattr on library files
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 499da83ba8..04110c0dbb 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -827,6 +827,82 @@ interface(`logging_read_syslog_config',`
allow $1 syslog_conf_t:file read_file_perms;
')
+########################################
+##
+## Delete syslog configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`logging_delete_syslog_config_files',`
+ gen_require(`
+ type syslog_conf_t;
+ ')
+
+ delete_files_pattern($1, syslog_conf_t, syslog_conf_t)
+')
+
+########################################
+##
+## Set the attributes on syslog configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`logging_setattr_syslog_config_files',`
+ gen_require(`
+ type syslog_conf_t;
+ ')
+
+ allow $1 syslog_conf_t:file setattr;
+')
+
+########################################
+##
+## Relabelto syslog configuration files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`logging_relabelto_syslog_config_files',`
+ gen_require(`
+ type syslog_conf_t;
+ ')
+
+ allow $1 syslog_conf_t:file relabelto;
+')
+
+########################################
+##
+## Do not audit attempts to search syslog
+## runtime directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`logging_dontaudit_search_runtime_dirs',`
+ gen_require(`
+ type syslogd_runtime_t;
+ ')
+
+ dontaudit $1 syslogd_runtime_t:dir search_dir_perms;
+')
+
########################################
##
## Watch syslog runtime dirs.
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 09e782c6f3..ae9dc6cd4c 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -103,6 +103,25 @@ interface(`modutils_delete_module_config',`
delete_files_pattern($1, modules_conf_t, modules_conf_t)
')
+########################################
+##
+## Set the attributes on a file with the configuration
+## options used when loading modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modutils_setattr_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ allow $1 modules_conf_t:file setattr;
+')
+
########################################
##
## Manage files with the configuration options used when
@@ -122,6 +141,25 @@ interface(`modutils_manage_module_config',`
manage_files_pattern($1, modules_conf_t, modules_conf_t)
')
+########################################
+##
+## Relabel to and from a file with the configuration
+## options used when loading modules.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`modutils_relabel_module_config',`
+ gen_require(`
+ type modules_conf_t;
+ ')
+
+ relabel_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
########################################
##
## Execute any modutil,
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 271cdb1d4b..fb3bcbf9b0 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -146,6 +146,10 @@ optional_policy(`
apt_use_ptys(kmod_t)
')
+optional_policy(`
+ dracut_rw_tmp_files(kmod_t)
+')
+
optional_policy(`
firstboot_dontaudit_rw_pipes(kmod_t)
firstboot_dontaudit_rw_stream_sockets(kmod_t)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 906b08a462..9d4586b210 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -493,6 +493,25 @@ interface(`sysnet_create_config',`
allow $1 net_conf_t:file create_file_perms;
')
+#######################################
+##
+## Delete network config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sysnet_delete_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ delete_files_pattern($1, net_conf_t, net_conf_t)
+')
+
#######################################
##
## Relabel network config files.
@@ -512,6 +531,25 @@ interface(`sysnet_relabel_config',`
allow $1 net_conf_t:file relabel_file_perms;
')
+#######################################
+##
+## Relabelto network config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sysnet_relabelto_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file relabelto;
+')
+
#######################################
##
## Create files in /etc with the type used for
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 809fde402d..42d0b111c3 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -3077,6 +3077,26 @@ interface(`systemd_status_all_user_sessions',`
allow $1 systemd_user_session_type:system status;
')
+########################################
+##
+## Execute systemd-sysusers in the
+## caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_exec_sysusers', `
+ gen_require(`
+ type systemd_sysusers_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, systemd_sysusers_exec_t)
+')
+
########################################
##
## Execute systemd-sysusers in the
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index e83e0cb95d..2245961510 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -180,6 +180,134 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
dontaudit $1 udev_t:unix_dgram_socket { read write };
')
+########################################
+##
+## List the contents of udev rules directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_list_rules',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ allow $1 udev_rules_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Read udev rules files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_read_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ files_search_etc($1) # /etc/udev/rules.d
+ udev_search_runtime($1) # /run/udev/rules.d
+ read_files_pattern($1, udev_rules_t, udev_rules_t)
+')
+
+########################################
+##
+## Read and write udev rules files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_rw_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ rw_files_pattern($1, udev_rules_t, udev_rules_t)
+')
+
+########################################
+##
+## Create udev rules files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_create_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ create_files_pattern($1, udev_rules_t, udev_rules_t)
+')
+
+########################################
+##
+## Delete udev rules files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_delete_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ allow $1 udev_rules_t:file delete_file_perms;
+')
+
+########################################
+##
+## Rename udev rules files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_rename_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ allow $1 udev_rules_t:file rename_file_perms;
+')
+
+########################################
+##
+## Set the attributes on udev rules files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_setattr_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ allow $1 udev_rules_t:file setattr;
+')
+
########################################
##
## Manage udev rules files
@@ -242,6 +370,24 @@ interface(`udev_relabel_rules_files',`
files_search_etc($1)
')
+########################################
+##
+## Relabelto udev rules files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_relabelto_rules_files',`
+ gen_require(`
+ type udev_rules_t;
+ ')
+
+ allow $1 udev_rules_t:file relabelto;
+')
+
########################################
##
## Search through udev runtime dirs.
diff --git a/testing/sechecker.ini b/testing/sechecker.ini
index 01a8854502..3ab00fb6ae 100644
--- a/testing/sechecker.ini
+++ b/testing/sechecker.ini
@@ -103,6 +103,7 @@ exempt_source = acpi_t
dockerd_t # Container engine (namespacing)
dockerd_user_t # Container engine (namespacing)
dphysswapfile_t # Configure swap files
+ dracut_t # Needed to use fsfreeze when building an initrd
entropyd_t # Add entropy to the system
fapolicyd_t
fsadm_t