From 22545a13feb3f51091198cf5563d2cb77a3109fb Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 03 2013 20:42:22 +0000 Subject: - Also sock_file trans rule is needed in lsm - Fix labeling for fetchmail pid files/dirs - Add additional fixes for abrt-upload-watch - Fix polipo.te - Fix transition rules in asterisk policy - Add fowner capability to networkmanager policy - Allow polipo to connect to tor ports - Cleanup lsmd.if - Cleanup openhpid policy - Fix kdump_read_crash() interface - Make more domains as init domain - Fix cupsd.te - Fix requires in rpm_rw_script_inherited_pipes - Fix interfaces in lsm.if - Allow munin service plugins to manage own tmpfs files/dirs - Allow virtd_t also relabel unix stream sockets for virt_image_type - Make ktalk as init domain - Fix to define ktalkd_unit_file_t correctly - Fix ktalk.fc - Add systemd support for talk-server - Allow glusterd to create sock_file in /run - Allow xdm_t to delete gkeyringd_tmp_t files on logout - Add fixes for hypervkvp policy - Add logwatch_can_sendmail boolean - Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb - Allow xdm_t to delete gkeyringd_tmp_t files on logout --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a8e95dd..718fb3d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -22589,7 +22589,7 @@ index 6bf0ecc..9b46e11 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..b67997e 100644 +index 2696452..93b05fa 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -23403,7 +23403,7 @@ index 2696452..b67997e 100644 ') optional_policy(` -@@ -514,12 +865,56 @@ optional_policy(` +@@ -514,12 +865,57 @@ optional_policy(` ') optional_policy(` 
@@ -23446,6 +23446,7 @@ index 2696452..b67997e 100644 + gnome_stream_connect_gkeyringd(xdm_t) + gnome_exec_gstreamer_home_files(xdm_t) + gnome_exec_keyringd(xdm_t) ++ gnome_delete_gkeyringd_tmp_content(xdm_t) + gnome_manage_config(xdm_t) + gnome_manage_gconf_home_files(xdm_t) + #gnome_filetrans_home_content(xdm_t) @@ -23460,7 +23461,7 @@ index 2696452..b67997e 100644 hostname_exec(xdm_t) ') -@@ -537,28 +932,78 @@ optional_policy(` +@@ -537,28 +933,78 @@ optional_policy(` ') optional_policy(` @@ -23548,7 +23549,7 @@ index 2696452..b67997e 100644 ') optional_policy(` -@@ -570,6 +1015,14 @@ optional_policy(` +@@ -570,6 +1016,14 @@ optional_policy(` ') optional_policy(` @@ -23563,7 +23564,7 @@ index 2696452..b67997e 100644 xfs_stream_connect(xdm_t) ') -@@ -584,7 +1037,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -23572,7 +23573,7 @@ index 2696452..b67997e 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -594,8 +1047,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -23585,7 +23586,7 @@ index 2696452..b67997e 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1064,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23601,7 +23602,7 @@ index 2696452..b67997e 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1080,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23612,7 +23613,7 @@ index 2696452..b67997e 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1095,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23634,7 +23635,7 @@ index 2696452..b67997e 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1115,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23648,7 +23649,7 @@ index 2696452..b67997e 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1141,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23680,7 +23681,7 @@ index 2696452..b67997e 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23698,7 +23699,7 @@ index 2696452..b67997e 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1196,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1197,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23722,7 +23723,7 @@ index 2696452..b67997e 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23731,7 +23732,7 @@ index 2696452..b67997e 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1259,44 @@ optional_policy(` +@@ -775,16 +1260,44 @@ optional_policy(` ') optional_policy(` 
@@ -23777,7 +23778,7 @@ index 2696452..b67997e 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1305,10 @@ optional_policy(` +@@ -793,6 +1306,10 @@ optional_policy(` ') optional_policy(` @@ -23788,7 +23789,7 @@ index 2696452..b67997e 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23802,7 +23803,7 @@ index 2696452..b67997e 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23811,7 +23812,7 @@ index 2696452..b67997e 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1348,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1349,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23846,7 +23847,7 @@ index 2696452..b67997e 100644 ') optional_policy(` -@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23855,7 +23856,7 @@ index 2696452..b67997e 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23887,7 +23888,7 @@ index 2696452..b67997e 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1513,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 69b9cf3..6927ccb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -519,7 +519,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..883dd05 100644 +index cc43d25..f71a133 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -528,7 +528,7 @@ index cc43d25..883dd05 100644 ######################################## # -@@ -6,105 +6,128 @@ policy_module(abrt, 1.3.4) +@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4) # ## @@ -636,15 +636,15 @@ index cc43d25..883dd05 100644 +ifdef(`enable_mcs',` + init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) +') ++ ++# ++# Support for ABRT retrace server -type abrt_retrace_worker_t, abrt_domain; -type abrt_retrace_worker_exec_t; -domain_type(abrt_retrace_worker_t) -domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) +# -+# Support for ABRT retrace server -+ -+# +abrt_basic_types_template(abrt_retrace_worker) +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) role system_r types abrt_retrace_worker_t; 
@@ -672,6 +672,9 @@ index cc43d25..883dd05 100644 +# Support for abrt-upload-watch +abrt_basic_types_template(abrt_upload_watch) +init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) ++ ++type abrt_upload_watch_tmp_t; ++files_tmp_file(abrt_upload_watch_tmp_t) ######################################## # @@ -701,7 +704,7 @@ index cc43d25..883dd05 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -112,23 +135,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -730,7 +733,7 @@ index cc43d25..883dd05 100644 kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +162,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -749,7 +752,7 @@ index cc43d25..883dd05 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +186,37 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -790,7 +793,7 @@ index cc43d25..883dd05 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +224,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -807,7 +810,7 @@ index cc43d25..883dd05 100644 ') optional_policy(` -@@ -209,6 +236,16 @@ optional_policy(` +@@ -209,6 +239,16 @@ optional_policy(` ') optional_policy(` 
@@ -824,7 +827,7 @@ index cc43d25..883dd05 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +257,7 @@ optional_policy(` +@@ -220,6 +260,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -832,7 +835,7 @@ index cc43d25..883dd05 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +268,7 @@ optional_policy(` +@@ -230,6 +271,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -840,7 +843,7 @@ index cc43d25..883dd05 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +279,17 @@ optional_policy(` +@@ -240,9 +282,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -859,7 +862,7 @@ index cc43d25..883dd05 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +300,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -874,7 +877,7 @@ index cc43d25..883dd05 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +319,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -882,7 +885,7 @@ index cc43d25..883dd05 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +328,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -903,7 +906,7 @@ index cc43d25..883dd05 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +349,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -930,7 +933,7 @@ index cc43d25..883dd05 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +385,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -944,7 +947,7 @@ index cc43d25..883dd05 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +403,11 @@ optional_policy(` +@@ -330,10 +406,11 @@ optional_policy(` ####################################### # @@ -958,7 +961,7 @@ index cc43d25..883dd05 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +426,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1020,7 +1023,7 @@ index cc43d25..883dd05 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +484,29 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) 
@@ -1037,23 +1040,41 @@ index cc43d25..883dd05 100644 # -kernel_read_system_state(abrt_domain) -+corecmd_exec_bin(abrt_upload_watch_t) ++allow abrt_upload_watch_t self:capability dac_override; -files_read_etc_files(abrt_domain) ++manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) ++ ++read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) + +-logging_send_syslog_msg(abrt_domain) ++manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t) ++ ++corecmd_exec_bin(abrt_upload_watch_t) ++ ++dev_read_urand(abrt_upload_watch_t) ++ ++auth_read_passwd(abrt_upload_watch_t) ++ +tunable_policy(`abrt_upload_watch_anon_write',` + miscfiles_manage_public_files(abrt_upload_watch_t) +') + +-miscfiles_read_localization(abrt_domain) ++optional_policy(` ++ dbus_system_bus_client(abrt_upload_watch_t) ++') + +####################################### +# +# Local policy for all abrt domain +# - --logging_send_syslog_msg(abrt_domain) ++ +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; - --miscfiles_read_localization(abrt_domain) ++ +files_read_etc_files(abrt_domain) diff --git a/accountsd.fc b/accountsd.fc index f9d8d7a..0682710 100644 @@ -7416,7 +7437,7 @@ index 7268a04..6ffd87d 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 5439f1c..74c24a3 100644 +index 5439f1c..4f8a8a5 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; 
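Review bot: `manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)` uses a file type as the subject; a tmp file type is not a process domain, so this rule grants nothing to the daemon and the rule that was presumably intended, `manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)`, is missing. `allow abrt_upload_watch_t self:capability dac_override;` should carry a comment naming the path the daemon cannot otherwise reach; dac_override bypasses every mode bit and is usually a symptom of wrong ownership on the cache or upload directory rather than a real requirement. The `abrt_upload_watch_anon_write` boolean is used in `tunable_policy` here but its `gen_tunable` declaration is not visible in this hunk, so confirm it is declared in the module's tunable section or the build fails. Finally, `allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;` names a file type as the connectto target; connectto is checked against the listening socket's type (normally the server domain), so if this line is new here it should be the `stream_connect_pattern(abrt_domain, abrt_var_run_t, abrt_var_run_t, abrt_t)` form.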
@@ -7428,7 +7449,25 @@ index 5439f1c..74c24a3 100644 type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) -@@ -72,11 +72,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f +@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms; + read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + +-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir}) + + manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) + manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) + manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) ++files_spool_file(asterisk_t, asterisk_spool_t, {dir file}) + + manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) + manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) +@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) @@ -7442,7 +7481,7 @@ index 5439f1c..74c24a3 100644 can_exec(asterisk_t, asterisk_exec_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -87,7 +87,6 @@ kernel_request_load_module(asterisk_t) +@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t) corecmd_exec_bin(asterisk_t) corecmd_exec_shell(asterisk_t) 
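Review bot: `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` calls the one-argument type-declaration interface with a process domain in the type position; given the summary "Fix transition rules in asterisk policy", the line meant here looks like `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })`, and as written the extra arguments are dropped and asterisk_t would be tagged as a spool file type. In the same hunk the log access is widened from `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` to `manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)`, which adds write, unlink and rename on the daemon's own logs; for a SIP-facing service that lets a compromised process truncate or delete its audit trail. If a specific denial drove the change, add only that permission with a comment naming it and keep the log type append-only otherwise.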
@@ -7450,7 +7489,7 @@ index 5439f1c..74c24a3 100644 corenet_all_recvfrom_netlabel(asterisk_t) corenet_tcp_sendrecv_generic_if(asterisk_t) corenet_udp_sendrecv_generic_if(asterisk_t) -@@ -135,7 +134,6 @@ dev_read_urand(asterisk_t) +@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) @@ -7458,7 +7497,7 @@ index 5439f1c..74c24a3 100644 files_search_spool(asterisk_t) files_dontaudit_search_home(asterisk_t) -@@ -148,8 +146,6 @@ auth_use_nsswitch(asterisk_t) +@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t) logging_send_syslog_msg(asterisk_t) @@ -17056,7 +17095,7 @@ index 06da9a0..6d69a2f 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..ab0eee9 100644 +index 9f34c2e..09ef91c 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -17086,7 +17125,7 @@ index 9f34c2e..ab0eee9 100644 files_config_file(cupsd_etc_t) type cupsd_initrc_exec_t; -@@ -33,9 +38,13 @@ type cupsd_lock_t; +@@ -33,13 +38,15 @@ type cupsd_lock_t; files_lock_file(cupsd_lock_t) type cupsd_log_t; @@ -17099,9 +17138,14 @@ index 9f34c2e..ab0eee9 100644 + +type cupsd_lpd_t, cups_domain; type cupsd_lpd_exec_t; - domain_type(cupsd_lpd_t) - domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) -@@ -47,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t) +-domain_type(cupsd_lpd_t) +-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) +-role system_r types cupsd_lpd_t; ++init_domain(cupsd_lpd_t, cupsd_lpd_exec_t) + + type cupsd_lpd_tmp_t; + files_tmp_file(cupsd_lpd_tmp_t) +@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t) type cupsd_lpd_var_run_t; files_pid_file(cupsd_lpd_var_run_t) @@ -17110,7 +17154,7 @@ index 9f34c2e..ab0eee9 100644 type cups_pdf_exec_t; cups_backend(cups_pdf_t, cups_pdf_exec_t) -@@ -55,29 +64,17 @@ type cups_pdf_tmp_t; +@@ -55,29 +62,17 @@ type cups_pdf_tmp_t; files_tmp_file(cups_pdf_tmp_t) type cupsd_tmp_t; 
@@ -17144,7 +17188,7 @@ index 9f34c2e..ab0eee9 100644 type ptal_t; type ptal_exec_t; -@@ -97,21 +94,49 @@ ifdef(`enable_mls',` +@@ -97,21 +92,49 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') @@ -17198,7 +17242,7 @@ index 9f34c2e..ab0eee9 100644 allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) @@ -17212,8 +17256,15 @@ index 9f34c2e..ab0eee9 100644 allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms; + files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + + manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) ++manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) +manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) 
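Review bot: Replacing the four narrow rules (`append_files_pattern`, `create_files_pattern`, `read_files_pattern`, `setattr_files_pattern`) with `manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` gives the network-reachable cupsd write, unlink and rename on its own access and error logs, so a compromised scheduler can rewrite or remove the record of what it did. Unless a concrete denial needs more, keep the existing lines and add only the missing permission, with a comment such as `# cupsd rotates its own logs: needs rename/unlink on cupsd_log_t` if that is the reason. The `init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)` change earlier in this hunk drops the explicit `role system_r types cupsd_lpd_t;`, which is fine only if init_domain supplies the role; worth a one-line comment since cupsd_lpd_t is also an inetd service domain.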
@@ -17240,7 +17291,7 @@ index 9f34c2e..ab0eee9 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -17252,7 +17303,7 @@ index 9f34c2e..ab0eee9 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -17277,7 +17328,7 @@ index 9f34c2e..ab0eee9 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -17285,7 +17336,7 @@ index 9f34c2e..ab0eee9 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -17305,7 +17356,7 @@ index 9f34c2e..ab0eee9 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) 
@@ -17314,7 +17365,7 @@ index 9f34c2e..ab0eee9 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -17340,7 +17391,7 @@ index 9f34c2e..ab0eee9 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +310,8 @@ optional_policy(` +@@ -275,6 +305,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -17349,7 +17400,7 @@ index 9f34c2e..ab0eee9 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +322,10 @@ optional_policy(` +@@ -285,8 +317,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -17360,7 +17411,7 @@ index 9f34c2e..ab0eee9 100644 ') ') -@@ -299,8 +338,8 @@ optional_policy(` +@@ -299,8 +333,8 @@ optional_policy(` ') optional_policy(` @@ -17370,7 +17421,7 @@ index 9f34c2e..ab0eee9 100644 ') optional_policy(` -@@ -309,7 +348,6 @@ optional_policy(` +@@ -309,7 +343,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -17378,7 +17429,7 @@ index 9f34c2e..ab0eee9 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +375,11 @@ optional_policy(` +@@ -337,7 +370,11 @@ optional_policy(` ') optional_policy(` @@ -17391,7 +17442,7 @@ index 9f34c2e..ab0eee9 100644 ') ######################################## -@@ -345,12 +387,11 @@ optional_policy(` +@@ -345,12 +382,11 @@ optional_policy(` # Configuration daemon local policy # 
@@ -17407,7 +17458,7 @@ index 9f34c2e..ab0eee9 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -17428,7 +17479,7 @@ index 9f34c2e..ab0eee9 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -17449,7 +17500,7 @@ index 9f34c2e..ab0eee9 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -17461,7 +17512,7 @@ index 9f34c2e..ab0eee9 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +478,12 @@ optional_policy(` +@@ -452,9 +473,12 @@ optional_policy(` ') optional_policy(` @@ -17475,7 +17526,7 @@ index 9f34c2e..ab0eee9 100644 ') optional_policy(` -@@ -490,10 +519,6 @@ optional_policy(` +@@ -490,10 +514,6 @@ optional_policy(` # Lpd local policy # 
@@ -17486,7 +17537,7 @@ index 9f34c2e..ab0eee9 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +531,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -17519,7 +17570,7 @@ index 9f34c2e..ab0eee9 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +562,6 @@ optional_policy(` +@@ -546,7 +557,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -17527,7 +17578,7 @@ index 9f34c2e..ab0eee9 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +572,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -17679,7 +17730,7 @@ index 9f34c2e..ab0eee9 100644 ######################################## # -@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +616,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -17687,7 +17738,7 @@ index 9f34c2e..ab0eee9 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +625,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) 
@@ -17701,7 +17752,7 @@ index 9f34c2e..ab0eee9 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +637,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -17710,7 +17761,7 @@ index 9f34c2e..ab0eee9 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +654,4 @@ optional_policy(` +@@ -769,3 +649,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -17760,10 +17811,10 @@ index 9fa7ffb..fd3262c 100644 domain_system_change_exemption($1) role_transition $2 cvs_initrc_exec_t system_r; diff --git a/cvs.te b/cvs.te -index 53fc3af..25b3285 100644 +index 53fc3af..989aabf 100644 --- a/cvs.te +++ b/cvs.te -@@ -11,7 +11,7 @@ policy_module(cvs, 1.9.1) +@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1) ## password files. ##

##
@@ -17772,7 +17823,12 @@ index 53fc3af..25b3285 100644 type cvs_t; type cvs_exec_t; -@@ -58,6 +58,14 @@ kernel_read_network_state(cvs_t) + inetd_tcp_service_domain(cvs_t, cvs_exec_t) ++init_domain(cvs_t, cvs_exec_t) + application_executable_file(cvs_exec_t) + + type cvs_data_t; # customizable +@@ -58,6 +59,14 @@ kernel_read_network_state(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) @@ -17787,7 +17843,7 @@ index 53fc3af..25b3285 100644 dev_read_urand(cvs_t) files_read_etc_runtime_files(cvs_t) -@@ -70,18 +78,18 @@ auth_use_nsswitch(cvs_t) +@@ -70,18 +79,18 @@ auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) @@ -17809,7 +17865,7 @@ index 53fc3af..25b3285 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -103,4 +111,5 @@ optional_policy(` +@@ -103,4 +112,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -23596,7 +23652,7 @@ index 79b9273..76b7ed5 100644 logging_send_syslog_msg(fcoemon_t) diff --git a/fetchmail.fc b/fetchmail.fc -index 2486e2a..72143ee 100644 +index 2486e2a..fef9bff 100644 --- a/fetchmail.fc +++ b/fetchmail.fc @@ -1,4 +1,5 @@ @@ -23610,7 +23666,7 @@ index 2486e2a..72143ee 100644 /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) -/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) -+/var/run/fetchmail.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) ++/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0) diff --git a/fetchmail.if b/fetchmail.if index c3f7916..cab3954 100644 --- a/fetchmail.if @@ -24891,7 +24947,7 @@ index 1e29af1..c67e44e 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index 93b0301..11a76a5 100644 +index 93b0301..eafea5b 100644 --- a/git.te +++ b/git.te 
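Review bot: `/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0)` uses an unescaped `.` followed by `.*`, so it labels any path beginning with `/var/run/fetchmail`, including unrelated names such as `/var/run/fetchmail-foo` or `/var/run/fetchmailer`, not just the pid file and the runtime directory the commit message describes. File-context entries are regexes matched against the whole path, so the precise form is two lines: `/var/run/fetchmail\.pid -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)` and `/var/run/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_var_run_t,s0)`. Dropping the `--` class specifier on the directory line is correct since it must match both the dir and its contents.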
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -24909,7 +24965,13 @@ index 93b0301..11a76a5 100644 ## Determine whether Git system daemon ## can search home directories. ##

-@@ -92,10 +84,10 @@ type git_session_t, git_daemon; +@@ -87,15 +79,16 @@ apache_content_template(git) + type git_system_t, git_daemon; + type gitd_exec_t; + inetd_service_domain(git_system_t, gitd_exec_t) ++init_domain(git_system_t, gitd_exec_t) + + type git_session_t, git_daemon; userdom_user_application_domain(git_session_t, gitd_exec_t) role git_session_roles types git_session_t; @@ -24922,7 +24984,7 @@ index 93b0301..11a76a5 100644 userdom_user_home_content(git_user_content_t) ######################################## -@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) +@@ -109,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) @@ -24931,7 +24993,7 @@ index 93b0301..11a76a5 100644 corenet_all_recvfrom_netlabel(git_session_t) corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) -@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` +@@ -129,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` corenet_tcp_sendrecv_all_ports(git_session_t) ') @@ -24942,7 +25004,7 @@ index 93b0301..11a76a5 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(git_session_t) -@@ -157,6 +149,9 @@ tunable_policy(`use_samba_home_dirs',` +@@ -157,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',` list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) @@ -24952,7 +25014,7 @@ index 93b0301..11a76a5 100644 files_search_var_lib(git_system_t) auth_use_nsswitch(git_system_t) -@@ -255,12 +250,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -255,12 +251,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; @@ -25335,10 +25397,10 @@ index 0000000..1ed97fe + 
diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..06e17e3 +index 0000000..a19c35c --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,169 @@ +@@ -0,0 +1,170 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25420,7 +25482,8 @@ index 0000000..06e17e3 + +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file }) ++manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) ++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file }) + +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) @@ -25788,7 +25851,7 @@ index e39de43..5818f74 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..e334392 100644 +index d03fd43..71aa685 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,155 @@ @@ -26870,7 +26933,7 @@ index d03fd43..e334392 100644 ## ## ## -@@ -704,12 +795,830 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +795,851 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # 
@@ -26967,6 +27030,27 @@ index d03fd43..e334392 100644 + +####################################### +## ++## Delete gkeyringd temporary ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_delete_gkeyringd_tmp_content',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++ delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++ delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++') ++ ++####################################### ++## +## Manage gkeyringd temporary directories. +## +## @@ -26981,7 +27065,7 @@ index d03fd43..e334392 100644 + ') + + files_search_tmp($1) -+ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) +') + +######################################## @@ -29564,19 +29648,22 @@ index e207823..4e0f8ba 100644 diff --git a/hypervkvp.fc b/hypervkvp.fc new file mode 100644 -index 0000000..2a69ee4 +index 0000000..3f82945 --- /dev/null +++ b/hypervkvp.fc -@@ -0,0 +1,3 @@ +@@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0) + +/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) ++/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) ++ ++/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) diff --git a/hypervkvp.if b/hypervkvp.if new file mode 100644 -index 0000000..7743be5 +index 0000000..17c3627 --- /dev/null +++ b/hypervkvp.if -@@ -0,0 +1,21 @@ +@@ -0,0 +1,111 @@ + +## policy for hypervkvp + 
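Review bot: The summary of the new `gnome_delete_gkeyringd_tmp_content` interface reads `## Delete gkeyringd temporary` and stops mid-phrase, so the generated interface documentation will carry the fragment. Suggest `## Delete gkeyringd temporary content.`, parallel to the `## Manage gkeyringd temporary directories.` summary of the neighbouring interface. The remaining change in this hunk only reindents `manage_dirs_pattern`, which is whitespace.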
@@ -29598,12 +29685,102 @@ index 0000000..7743be5 + corecmd_search_bin($1) + domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t) +') ++ ++######################################## ++## ++## Search hypervkvp lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_search_lib',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ allow $1 hypervkvp_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read hypervkvp lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_read_lib_files',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 hypervkvp_var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## hypervkvp lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_manage_lib_files',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an hypervkvp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_admin',` ++ gen_require(` ++ type hypervkvp_t; ++ type hypervkvp_unit_file_t; ++ ') ++ ++ allow $1 hypervkvp_t:process signal_perms; ++ ps_process_pattern($1, hypervkvp_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 hypervkvp_t:process ptrace; ++ ') ++ ++ hypervkvp_manage_lib_files($1) ++ ++ hypervkvp_systemctl($1) ++ admin_pattern($1, hypervkvp_unit_file_t) ++ allow $1 hypervkvp_unit_file_t:service all_service_perms; ++') diff --git a/hypervkvp.te b/hypervkvp.te new file mode 100644 -index 0000000..fd3b26b +index 0000000..63591db --- /dev/null 
+++ b/hypervkvp.te -@@ -0,0 +1,28 @@ +@@ -0,0 +1,36 @@ +policy_module(hypervkvp, 1.0.0) + +######################################## @@ -29618,15 +29795,23 @@ index 0000000..fd3b26b +type hypervkvp_initrc_exec_t; +init_script_file(hypervkvp_initrc_exec_t) + ++type hypervkvp_var_lib_t; ++files_type(hypervkvp_var_lib_t) ++ +######################################## +# +# hypervkvp local policy +# +# -+ ++allow hypervkvp_t self:capability net_admin; ++allow hypervkvp_t self:netlink_socket create_socket_perms; +allow hypervkvp_t self:fifo_file rw_fifo_file_perms; +allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms; + ++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) ++ +logging_send_syslog_msg(hypervkvp_t) + +miscfiles_read_localization(hypervkvp_t) @@ -31646,7 +31831,7 @@ index a49ae4e..913a0e3 100644 -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..b835e95 100644 +index 3a00b3a..7cc27b6 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -31717,7 +31902,7 @@ index 3a00b3a..b835e95 100644 ## ## ## -@@ -56,10 +100,66 @@ interface(`kdump_read_config',` +@@ -56,10 +100,67 @@ interface(`kdump_read_config',` allow $1 kdump_etc_t:file read_file_perms; ') @@ -31738,6 +31923,7 @@ index 3a00b3a..b835e95 100644 + + files_search_var($1) + read_files_pattern($1, kdump_crash_t, kdump_crash_t) ++ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) +') + + @@ -31786,7 +31972,7 @@ index 3a00b3a..b835e95 100644 ## ## ## -@@ -76,10 +176,31 @@ interface(`kdump_manage_config',` +@@ -76,10 +177,31 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') 
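Review bot: `hypervkvp_admin` requires `type hypervkvp_unit_file_t;` and calls `hypervkvp_systemctl($1)`, but the visible hypervkvp.te declarations section defines only `hypervkvp_t`, `hypervkvp_exec_t`, `hypervkvp_initrc_exec_t` and `hypervkvp_var_lib_t`, the visible parts of hypervkvp.if define no `hypervkvp_systemctl`, and hypervkvp.fc labels only an initrc script. If those two names are really absent, any module that calls `hypervkvp_admin` fails to link; either add `type hypervkvp_unit_file_t;` with `systemd_unit_file(hypervkvp_unit_file_t)`, a matching `.fc` entry and a `hypervkvp_systemctl` interface, or drop the systemd lines from the admin interface until a unit file exists. The middle of the hypervkvp.te new-file hunk runs past this view, so the declaration could sit there; a grep for `hypervkvp_unit_file_t` settles it.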
@@ -31820,7 +32006,7 @@ index 3a00b3a..b835e95 100644 ## ## ## -@@ -88,19 +209,24 @@ interface(`kdump_manage_config',` +@@ -88,19 +210,24 @@ interface(`kdump_manage_config',` ## ## ## @@ -31850,7 +32036,7 @@ index 3a00b3a..b835e95 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -110,6 +236,10 @@ interface(`kdump_admin',` +@@ -110,6 +237,10 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) 
@@ -33844,11 +34030,124 @@ index c1539b5..fd0a17f 100644 + fs_read_cifs_files(ksmtuned_t) + samba_read_share_files(ksmtuned_t) +') +diff --git a/ktalk.fc b/ktalk.fc +index 38ecb07..451067e 100644 +--- a/ktalk.fc ++++ b/ktalk.fc +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0) ++ + /usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) + + /usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) +diff --git a/ktalk.if b/ktalk.if +index 19777b8..63d46d3 100644 +--- a/ktalk.if ++++ b/ktalk.if +@@ -1 +1,81 @@ +-## KDE Talk daemon. ++ ++## talk-server - daemon programs for the Internet talk ++ ++######################################## ++## ++## Execute TEMPLATE in the ktalkd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ktalk_domtrans',` ++ gen_require(` ++ type ktalkd_t, ktalkd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ktalkd_exec_t, ktalkd_t) ++') ++######################################## ++## ++## Execute ktalkd server in the ktalkd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ktalk_systemctl',` ++ gen_require(` ++ type ktalkd_t; ++ type ktalkd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 ktalkd_unit_file_t:file read_file_perms; ++ allow $1 ktalkd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ktalkd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ktalkd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`ktalk_admin',` ++ gen_require(` ++ type ktalkd_t; ++ type ktalkd_unit_file_t; ++ ') ++ ++ allow $1 ktalkd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ktalkd_t) ++ ++ ktalk_systemctl($1) ++ admin_pattern($1, ktalkd_unit_file_t) ++ allow $1 ktalkd_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') diff --git a/ktalk.te b/ktalk.te -index 2cf3815..2c4c979 100644 +index 2cf3815..cb979b0 100644 --- a/ktalk.te +++ b/ktalk.te -@@ -35,16 +35,23 @@ kernel_read_kernel_sysctls(ktalkd_t) +@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) + + type ktalkd_t; + type ktalkd_exec_t; ++init_domain(ktalkd_t, ktalkd_exec_t) + inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) + + type ktalkd_log_t; + logging_log_file(ktalkd_log_t) + ++type ktalkd_unit_file_t; ++systemd_unit_file(ktalkd_unit_file_t) ++ + type ktalkd_tmp_t; + files_tmp_file(ktalkd_tmp_t) + +@@ -35,16 +39,23 @@ kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) kernel_read_network_state(ktalkd_t) @@ -35413,11 +35712,20 @@ index 7bab8e5..b88bbf3 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..a8dde53 100644 +index 4256a4c..30e3cd2 100644 --- a/logwatch.te +++ b/logwatch.te -@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6) +@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6) + # Declarations + # ++## ++##
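Review bot: `ktalk_admin` grants `allow $1 ktalkd_t:process { ptrace signal_perms };` unconditionally, whereas `hypervkvp_admin` in this same commit puts the ptrace grant inside a `deny_ptrace` tunable_policy block; use the same guard here so the `deny_ptrace` boolean keeps its meaning for ktalkd. The interface also documents a `role` parameter that its body never references (`$2` is unused), so either use it or remove the parameter block. Two summaries are defective as well: `ktalk_domtrans` says `## Execute TEMPLATE in the ktalkd domin.` (placeholder left in, plus a typo; `## Execute ktalkd in the ktalkd domain.`) and `ktalk_systemctl` repeats the domtrans wording instead of describing its systemctl access (`## Manage the ktalkd unit with systemctl.`). The `init_domain(ktalkd_t, ktalkd_exec_t)` addition in ktalk.te matches the cvs and git changes.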

++## Allow epylog to send mail ++##

++##
++gen_tunable(logwatch_can_sendmail, false) ++ type logwatch_t; type logwatch_exec_t; -init_system_domain(logwatch_t, logwatch_exec_t) @@ -35426,7 +35734,7 @@ index 4256a4c..a8dde53 100644 type logwatch_cache_t; files_type(logwatch_cache_t) -@@ -37,7 +38,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; +@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) @@ -35436,7 +35744,7 @@ index 4256a4c..a8dde53 100644 files_lock_filetrans(logwatch_t, logwatch_lock_t, file) manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -@@ -67,10 +69,11 @@ files_list_var(logwatch_t) +@@ -67,10 +76,11 @@ files_list_var(logwatch_t) files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) files_read_etc_runtime_files(logwatch_t) @@ -35449,7 +35757,7 @@ index 4256a4c..a8dde53 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -92,13 +95,12 @@ libs_read_lib_files(logwatch_t) +@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -35464,7 +35772,7 @@ index 4256a4c..a8dde53 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) -@@ -137,6 +139,11 @@ optional_policy(` +@@ -137,6 +146,11 @@ optional_policy(` ') optional_policy(` 
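Review bot: The new `logwatch_can_sendmail` tunable is described as `## Allow epylog to send mail`, naming a different program; the boolean is applied to `logwatch_t`, so the description should read `## Allow logwatch to send mail`. The tunable_policy body added further down (the hunk just before the Mail local policy section) also grants `corenet_tcp_connect_pop_port(logwatch_t)` and `corenet_sendrecv_pop_client_packets(logwatch_t)`, which is mail retrieval rather than sending; either mention that in the description or drop the POP rules if logwatch only needs SMTP.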
@@ -35476,7 +35784,21 @@ index 4256a4c..a8dde53 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -164,6 +171,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -145,6 +159,13 @@ optional_policy(` + samba_read_share_files(logwatch_t) + ') + ++tunable_policy(`logwatch_can_sendmail',` ++ corenet_tcp_connect_smtp_port(logwatch_t) ++ corenet_sendrecv_smtp_client_packets(logwatch_t) ++ corenet_tcp_connect_pop_port(logwatch_t) ++ corenet_sendrecv_pop_client_packets(logwatch_t) ++') ++ + ######################################## + # + # Mail local policy +@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -35843,10 +36165,10 @@ index 0000000..711c04b +/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0) diff --git a/lsm.if b/lsm.if new file mode 100644 -index 0000000..aaf4080 +index 0000000..e8d4ce2 --- /dev/null +++ b/lsm.if -@@ -0,0 +1,103 @@ +@@ -0,0 +1,104 @@ + +## libStorageMgmt plug-in daemon + @@ -35904,7 +36226,7 @@ index 0000000..aaf4080 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 lsmd_unit_file_t:file read_file_perms; + allow $1 lsmd_unit_file_t:service manage_service_perms; + @@ -35945,6 +36267,7 @@ index 0000000..aaf4080 + lsmd_systemctl($1) + admin_pattern($1, lsmd_unit_file_t) + allow $1 lsmd_unit_file_t:service all_service_perms; ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) @@ -35952,10 +36275,10 @@ index 0000000..aaf4080 +') diff --git a/lsm.te b/lsm.te new file mode 100644 -index 0000000..14fe4d7 +index 0000000..fc42149 --- /dev/null +++ b/lsm.te -@@ -0,0 +1,31 @@ +@@ -0,0 +1,32 @@ +policy_module(lsm, 1.0.0) + +######################################## 
@@ -35985,6 +36308,7 @@ index 0000000..14fe4d7 +manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) + +logging_send_syslog_msg(lsmd_t) diff --git a/mailman.fc b/mailman.fc @@ -42917,10 +43241,17 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..92138ca 100644 +index 97370e4..3549b8f 100644 --- a/munin.te +++ b/munin.te -@@ -40,12 +40,15 @@ munin_plugin_template(services) +@@ -37,15 +37,22 @@ munin_plugin_template(disk) + munin_plugin_template(mail) + munin_plugin_template(selinux) + munin_plugin_template(services) ++ ++type services_munin_plugin_tmpfs_t; ++files_tmpfs_file(services_munin_plugin_tmpfs_t) ++ munin_plugin_template(system) munin_plugin_template(unconfined) @@ -42937,7 +43268,7 @@ index 97370e4..92138ca 100644 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; -@@ -58,23 +61,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; +@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) @@ -42962,7 +43293,7 @@ index 97370e4..92138ca 100644 optional_policy(` nscd_use(munin_plugin_domain) -@@ -114,7 +111,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) 
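Review bot: The added `files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })` labels runtime-created directories and sockets as `lsmd_var_run_t`, but the lsm.fc entry visible as context in the earlier lsm.if hunk, `/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)`, carries the `--` regular-file qualifier, so a `restorecon` of /run would leave the `lsm` directory and its sockets with the default `var_run_t` label and the manage_dirs/manage_sock_files rules would stop matching after a relabel. Drop the qualifier so all object classes are covered: `/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)`.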
@@ -42971,7 +43302,7 @@ index 97370e4..92138ca 100644 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -@@ -130,7 +127,6 @@ kernel_read_all_sysctls(munin_t) +@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) @@ -42979,7 +43310,7 @@ index 97370e4..92138ca 100644 corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) -@@ -153,7 +149,6 @@ domain_use_interactive_fds(munin_t) +@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) files_read_etc_runtime_files(munin_t) @@ -42987,7 +43318,7 @@ index 97370e4..92138ca 100644 files_list_spool(munin_t) fs_getattr_all_fs(munin_t) -@@ -165,7 +160,6 @@ logging_send_syslog_msg(munin_t) +@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) @@ -42995,7 +43326,7 @@ index 97370e4..92138ca 100644 miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) -@@ -173,13 +167,6 @@ sysnet_exec_ifconfig(munin_t) +@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) @@ -43009,7 +43340,7 @@ index 97370e4..92138ca 100644 optional_policy(` cron_system_entry(munin_t, munin_exec_t) -@@ -213,7 +200,6 @@ optional_policy(` +@@ -213,7 +204,6 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -43017,7 +43348,7 @@ index 97370e4..92138ca 100644 ') optional_policy(` -@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; +@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) 
@@ -43045,7 +43376,7 @@ index 97370e4..92138ca 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -268,6 +256,10 @@ optional_policy(` +@@ -268,6 +260,10 @@ optional_policy(` fstools_exec(disk_munin_plugin_t) ') @@ -43056,7 +43387,7 @@ index 97370e4..92138ca 100644 #################################### # # Mail local policy -@@ -275,27 +267,36 @@ optional_policy(` +@@ -275,27 +271,36 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -43097,7 +43428,17 @@ index 97370e4..92138ca 100644 ') optional_policy(` -@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t) +@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; + allow services_munin_plugin_t self:udp_socket create_socket_perms; + allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; + ++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) ++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) ++ + corenet_sendrecv_all_client_packets(services_munin_plugin_t) + corenet_tcp_connect_all_ports(services_munin_plugin_t) + corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -43106,7 +43447,7 @@ index 97370e4..92138ca 100644 ') optional_policy(` -@@ -353,7 +354,11 @@ optional_policy(` +@@ -353,7 +361,11 @@ optional_policy(` ') optional_policy(` @@ -43119,7 +43460,7 @@ index 97370e4..92138ca 100644 ') optional_policy(` -@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) 
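Review bot: The new `manage_files_pattern`/`manage_dirs_pattern` rules for `services_munin_plugin_tmpfs_t` come with no type transition: neither this hunk nor the declaration hunk earlier in munin.te (`type services_munin_plugin_tmpfs_t;` / `files_tmpfs_file(...)`) adds `fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { dir file })`. Without it, objects the plugin creates on tmpfs inherit the parent's label rather than the new type, and these manage rules never apply, so the goal stated in the commit message is only met if a transition exists somewhere outside this view. Adding the filetrans line directly under the two manage rules keeps the three together.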
@@ -43127,7 +43468,7 @@ index 97370e4..92138ca 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -413,3 +419,31 @@ optional_policy(` +@@ -413,3 +426,31 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -43752,7 +44093,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..94457fe 100644 +index 9f6179e..3c7bbd8 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -43925,7 +44266,7 @@ index 9f6179e..94457fe 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +160,23 @@ optional_policy(` +@@ -153,29 +160,24 @@ optional_policy(` ####################################### # @@ -43952,6 +44293,7 @@ index 9f6179e..94457fe 100644 -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) +list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) ++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -43962,7 +44304,7 @@ index 9f6179e..94457fe 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +188,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +189,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -43990,7 +44332,7 @@ index 9f6179e..94457fe 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +210,7 @@ optional_policy(` +@@ -205,7 +211,7 @@ optional_policy(` ######################################## # 
@@ -43999,7 +44341,7 @@ index 9f6179e..94457fe 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +219,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +220,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -44017,7 +44359,7 @@ index 9f6179e..94457fe 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +232,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +233,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -45596,7 +45938,7 @@ index 0e8508c..0b68b86 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..2de59df 100644 +index 0b48a30..2b6c69a 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -45636,7 +45978,7 @@ index 0b48a30..2de59df 100644 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +# networkmanager will ptrace itself if gdb is installed +# and it receives a unexpected signal (rh bug #204161) -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; +dontaudit NetworkManager_t self:capability sys_tty_config; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code 
@@ -50475,10 +50817,10 @@ index 0000000..598789a + diff --git a/openhpid.te b/openhpid.te new file mode 100644 -index 0000000..be2a88d +index 0000000..51acfae --- /dev/null +++ b/openhpid.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,47 @@ +policy_module(openhpid, 1.0.0) + +######################################## @@ -50505,7 +50847,7 @@ index 0000000..be2a88d +# + +allow openhpid_t self:capability { kill }; -+allow openhpid_t self:process { fork signal }; ++allow openhpid_t self:process signal_perms; + +allow openhpid_t self:fifo_file rw_fifo_file_perms; +allow openhpid_t self:netlink_route_socket r_netlink_socket_perms; @@ -50523,11 +50865,8 @@ index 0000000..be2a88d +corenet_tcp_bind_generic_node(openhpid_t) +corenet_tcp_bind_openhpid_port(openhpid_t) + -+domain_use_interactive_fds(openhpid_t) -+ +dev_read_urand(openhpid_t) + -+ +logging_send_syslog_msg(openhpid_t) diff --git a/openshift-origin.fc b/openshift-origin.fc new file mode 100644 @@ -52385,7 +52724,7 @@ index 9b15730..eedd136 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..f025b03 100644 +index 508fedf..a499612 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -52408,7 +52747,13 @@ index 508fedf..f025b03 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -24,20 +21,27 @@ logging_log_file(openvswitch_log_t) +@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t) + type openvswitch_log_t; + logging_log_file(openvswitch_log_t) + ++type openvswitch_tmp_t; ++files_tmp_file(openvswitch_tmp_t) ++ type openvswitch_var_run_t; files_pid_file(openvswitch_var_run_t) 
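Review bot: `allow openhpid_t self:capability { kill };` keeps braces around a single permission while the very next line is being tidied to `signal_perms`; refpolicy style for a single permission is `allow openhpid_t self:capability kill;`. The capability line is context here, so this is a follow-up cleanup in the same spirit as the commit rather than a defect in the change itself.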
@@ -52432,19 +52777,19 @@ index 508fedf..f025b03 100644 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow openvswitch_t self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; -+ -+can_exec(openvswitch_t, openvswitch_exec_t) -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) ++can_exec(openvswitch_t, openvswitch_exec_t) ++ +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -45,9 +49,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) 
@@ -52455,7 +52800,14 @@ index 508fedf..f025b03 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -57,33 +59,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ ++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir }) ++ + manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -57060,7 +57412,7 @@ index ae27bb7..d00f6ba 100644 + allow $1 polipo_unit_file_t:service all_service_perms; ') diff --git a/polipo.te b/polipo.te -index 316d53a..79b5c4f 100644 +index 316d53a..388d659 100644 --- a/polipo.te +++ b/polipo.te @@ -1,4 +1,4 @@ @@ -57174,10 +57526,14 @@ index 316d53a..79b5c4f 100644 -userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache") - -auth_use_nsswitch(polipo_session_t) +- +-userdom_use_user_terminals(polipo_session_t) +allow polipo_daemon self:fifo_file rw_fifo_file_perms; +allow polipo_daemon self:tcp_socket { listen accept }; --userdom_use_user_terminals(polipo_session_t) +-tunable_policy(`polipo_session_send_syslog_msg',` +- logging_send_syslog_msg(polipo_session_t) +-') +corenet_tcp_bind_generic_node(polipo_daemon) +corenet_tcp_sendrecv_generic_if(polipo_daemon) +corenet_tcp_sendrecv_generic_node(polipo_daemon) 
@@ -57185,10 +57541,7 @@ index 316d53a..79b5c4f 100644 +corenet_tcp_bind_http_cache_port(polipo_daemon) +corenet_sendrecv_http_cache_server_packets(polipo_daemon) +corenet_tcp_connect_http_port(polipo_daemon) - --tunable_policy(`polipo_session_send_syslog_msg',` -- logging_send_syslog_msg(polipo_session_t) --') ++corenet_tcp_connect_tor_port(polipo_daemon) -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(polipo_session_t) @@ -71664,10 +72017,18 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index d34cdec..f41c9c5 100644 +index d34cdec..eeeee9b 100644 --- a/rlogin.te +++ b/rlogin.te -@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) +@@ -9,6 +9,7 @@ type rlogind_t; + type rlogind_exec_t; + auth_login_pgm_domain(rlogind_t) + inetd_service_domain(rlogind_t, rlogind_exec_t) ++init_daemon_domain(rlogind_t, rlogind_exec_t) + + type rlogind_devpts_t; + term_login_pty(rlogind_devpts_t) +@@ -30,7 +31,9 @@ files_pid_file(rlogind_var_run_t) allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; @@ -71678,7 +72039,7 @@ index d34cdec..f41c9c5 100644 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(rlogind_t, rlogind_devpts_t) -@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; +@@ -39,7 +42,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) 
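Review bot: `corenet_tcp_connect_tor_port(polipo_daemon)` is granted unconditionally on the `polipo_daemon` attribute, so every domain carrying the attribute may reach the Tor port even on hosts that never chain polipo to Tor; the `polipo_session_t` rules being removed in this hunk suggest the attribute spans the user session domain as well as the system daemon. The usual refpolicy shape for optional network reach is a boolean, e.g. a `gen_tunable` (a name such as `polipo_connect_tor`, defaulting to false, is only a suggestion) with the connect rule inside its `tunable_policy` block. If Tor chaining is the deployment default and the unconditional grant is intended, a one-line comment above the rule saying so would help the next reader.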
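Review bot: rlogin.te gains `init_daemon_domain(rlogind_t, rlogind_exec_t)` while cvs.te, git.te and ktalk.te in this same commit use `init_domain(...)` for the equivalent "also started by init" change on inetd service domains; unless rlogind specifically needs the extra daemon semantics, `init_domain(rlogind_t, rlogind_exec_t)` keeps the four modules consistent. If the stronger form is intended, a short comment stating why would stop a later cleanup from "fixing" it to match the others.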
@@ -71686,7 +72047,7 @@ index d34cdec..f41c9c5 100644 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t) +@@ -50,7 +52,6 @@ kernel_read_kernel_sysctls(rlogind_t) kernel_read_system_state(rlogind_t) kernel_read_network_state(rlogind_t) @@ -71694,7 +72055,7 @@ index d34cdec..f41c9c5 100644 corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) corenet_udp_sendrecv_generic_if(rlogind_t) -@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t) +@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) @@ -71702,7 +72063,7 @@ index d34cdec..f41c9c5 100644 auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) -@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t) +@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t) logging_send_syslog_msg(rlogind_t) @@ -73072,7 +73433,7 @@ index ebe91fc..6392cad 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..3031a82 100644 +index 0628d50..39e36fb 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -73221,7 +73582,7 @@ index 0628d50..3031a82 100644 +# +interface(`rpm_rw_script_inherited_pipes',` + gen_require(` -+ type rpm_t; ++ type rpm_script_t; + ') + + allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; @@ -85807,7 +86168,7 @@ index 42946bc..741f2f4 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index e9c0964..91c1898 100644 +index e9c0964..ff77783 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,29 +1,28 @@ @@ -86308,7 +86669,7 @@ index e9c0964..91c1898 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -452,31 +382,40 @@ optional_policy(` +@@ -452,31 +382,43 @@ optional_policy(` ####################################### # 
@@ -86336,10 +86697,12 @@ index e9c0964..91c1898 100644 fs_getattr_all_fs(telepathy_domain) fs_search_auto_mountpoints(telepathy_domain) -- --miscfiles_read_localization(telepathy_domain) +fs_rw_inherited_tmpfs_files(telepathy_domain) +-miscfiles_read_localization(telepathy_domain) ++userdom_search_user_tmp_dirs(telepathy_domain) ++userdom_search_user_home_dirs(telepathy_domain) + optional_policy(` automount_dontaudit_getattr_tmp_dirs(telepathy_domain) ') @@ -86347,7 +86710,7 @@ index e9c0964..91c1898 100644 optional_policy(` + gnome_read_generic_cache_files(telepathy_domain) + gnome_write_generic_cache_files(telepathy_domain) -+ gnome_filetrans_config_home_content(telepathy_domain) ++ gnome_filetrans_config_home_content(telepathy_domain) +') + +optional_policy(` @@ -91777,7 +92140,7 @@ index 9dec06c..4e31afe 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..d200be6 100644 +index 1f22fba..a4ae8e0 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -92360,7 +92723,7 @@ index 1f22fba..d200be6 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +308,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -92384,6 +92747,7 @@ index 1f22fba..d200be6 100644 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; - ++allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) 
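Review bot: `userdom_search_user_tmp_dirs(telepathy_domain)` and `userdom_search_user_home_dirs(telepathy_domain)` are granted on the whole telepathy_domain attribute, so every telepathy connection manager, not only the one that presumably hit the denial, can now traverse user home and tmp directories; if the need is specific to one domain (the hunk does not show which), scoping the rules to that domain keeps the shared attribute minimal. Search is traverse-only, so the exposure is limited, but a short comment naming the trigger, e.g. `# search of user home/tmp dirs: needed for <path> (record the denial that prompted this)`, would let the next reviewer judge whether it is still required. The whitespace-only fix to `gnome_filetrans_config_home_content(telepathy_domain)` is fine.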
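Review bot: `allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;` applies a file permission set to a socket object class; it compiles because getattr/relabelfrom/relabelto also exist on unix_stream_socket, but it reads as if a file were meant, and the adjacent chr_file rule uses the class-matching `relabel_chr_file_perms`. Spelling the permissions out, `allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto };`, with a comment on which libvirt operation relabels a live socket, would make the intent explicit. It is also worth confirming that the denial being fixed was on the socket object itself and not on the on-disk `sock_file` path, which this rule would not cover; I cannot tell from the hunk. The virtd_t rule block continues outside this hunk.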
@@ -92406,7 +92770,7 @@ index 1f22fba..d200be6 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -92427,7 +92791,7 @@ index 1f22fba..d200be6 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -92435,7 +92799,7 @@ index 1f22fba..d200be6 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -92463,7 +92827,7 @@ index 1f22fba..d200be6 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -92492,7 +92856,7 @@ index 1f22fba..d200be6 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) 
@@ -92512,7 +92876,7 @@ index 1f22fba..d200be6 100644 selinux_validate_context(virtd_t) -@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -92549,7 +92913,7 @@ index 1f22fba..d200be6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -92558,7 +92922,7 @@ index 1f22fba..d200be6 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +504,12 @@ optional_policy(` +@@ -658,20 +505,12 @@ optional_policy(` ') optional_policy(` @@ -92579,7 +92943,7 @@ index 1f22fba..d200be6 100644 ') optional_policy(` -@@ -684,14 +522,20 @@ optional_policy(` +@@ -684,14 +523,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -92602,7 +92966,7 @@ index 1f22fba..d200be6 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +548,13 @@ optional_policy(` +@@ -704,11 +549,13 @@ optional_policy(` ') optional_policy(` @@ -92616,7 +92980,7 @@ index 1f22fba..d200be6 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +565,18 @@ optional_policy(` +@@ -719,10 +566,18 @@ optional_policy(` ') optional_policy(` @@ -92635,7 +92999,7 @@ index 1f22fba..d200be6 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +591,261 @@ optional_policy(` +@@ -737,44 +592,261 @@ optional_policy(` udev_read_db(virtd_t) ') 
@@ -92919,7 +93283,7 @@ index 1f22fba..d200be6 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +856,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +857,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -92946,7 +93310,7 @@ index 1f22fba..d200be6 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +876,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +877,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -92978,7 +93342,7 @@ index 1f22fba..d200be6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +909,20 @@ optional_policy(` +@@ -847,14 +910,20 @@ optional_policy(` ') optional_policy(` @@ -93000,7 +93364,7 @@ index 1f22fba..d200be6 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +947,65 @@ optional_policy(` +@@ -879,49 +948,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -93084,7 +93448,7 @@ index 1f22fba..d200be6 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1017,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1018,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -93104,7 +93468,7 @@ index 1f22fba..d200be6 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1038,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1039,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -93128,7 +93492,7 @@ index 1f22fba..d200be6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1063,247 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1064,247 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -93506,7 +93870,7 @@ index 1f22fba..d200be6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1317,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -93521,7 +93885,7 @@ index 1f22fba..d200be6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1334,8 @@ optional_policy(` +@@ -1183,9 +1335,8 @@ optional_policy(` ######################################## # @@ -93532,7 +93896,7 @@ index 1f22fba..d200be6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1348,120 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1349,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index dc8c4d6..ff52e16 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74%{?dist} +Release: 75%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -563,6 +563,34 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Sep 3 2013 Miroslav Grepl 3.12.1-75 +- Also sock_file trans rule is needed in lsm +- Fix labeling for fetchmail pid files/dirs +- Add additional fixes for abrt-upload-watch +- Fix polipo.te +- Fix transition rules in asterisk policy +- Add fowner capability to networkmanager policy +- Allow polipo to connect to tor ports +- Cleanup lsmd.if +- Cleanup openhpid policy +- Fix kdump_read_crash() interface +- Make more domains as init domain +- Fix cupsd.te +- Fix requires in rpm_rw_script_inherited_pipes +- Fix interfaces in lsm.if +- Allow munin service plugins to manage own tmpfs files/dirs +- Allow virtd_t also relabel unix stream sockets for virt_image_type +- Make ktalk as init domain +- Fix to define ktalkd_unit_file_t correctly +- Fix ktalk.fc +- Add systemd support for talk-server +- Allow glusterd to create sock_file in /run +- Allow xdm_t to delete gkeyringd_tmp_t files on logout +- Add fixes for hypervkvp policy +- Add logwatch_can_sendmail boolean +- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb +- Allow xdm_t to delete gkeyringd_tmp_t files on logout + * Thu Aug 29 2013 Miroslav Grepl 3.12.1-74 - Add selinux-policy-sandbox pkg