From 2b7c0552d71bdeab7f282d88f6bb6d6a9efbbe5d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 14 2011 16:49:37 +0000 Subject: - Allow setsched for virsh - Systemd needs to impersonate cups, which means it needs to create tcp_sock - iptables: the various /sbin/ip6?tables.* are now symlinks for /sbin/xtables-mult --- diff --git a/policy-F16.patch b/policy-F16.patch index 3556157..111a915 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -857,10 +857,18 @@ index 4f7bd3c..b5c346f 100644 + #unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..ee8eaf6 100644 +index 7090dae..6eac7b9 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -102,6 +102,7 @@ files_read_var_lib_files(logrotate_t) +@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) + # for /var/lib/logrotate.status and /var/lib/logcheck + create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) + manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) ++read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) + files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) + + kernel_read_system_state(logrotate_t) +@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -868,7 +876,7 @@ index 7090dae..ee8eaf6 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +117,15 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) @@ -891,7 +899,7 @@ index 7090dae..ee8eaf6 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -162,10 +161,20 @@ optional_policy(` +@@ -162,10 +162,20 @@ optional_policy(` ') optional_policy(` 
@@ -912,7 +920,7 @@ index 7090dae..ee8eaf6 100644 cups_domtrans(logrotate_t) ') -@@ -203,7 +212,6 @@ optional_policy(` +@@ -203,7 +213,6 @@ optional_policy(` psad_domtrans(logrotate_t) ') @@ -920,7 +928,7 @@ index 7090dae..ee8eaf6 100644 optional_policy(` samba_exec_log(logrotate_t) ') -@@ -228,3 +236,14 @@ optional_policy(` +@@ -228,3 +237,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -1827,7 +1835,7 @@ index b206bf6..bbd902f 100644 /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if -index d33daa8..c76708e 100644 +index d33daa8..8ba0f86 100644 --- a/policy/modules/admin/rpm.if +++ b/policy/modules/admin/rpm.if @@ -13,10 +13,13 @@ @@ -1898,7 +1906,17 @@ index d33daa8..c76708e 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -335,7 +378,9 @@ interface(`rpm_manage_script_tmp_files',` +@@ -277,8 +320,7 @@ interface(`rpm_append_log',` + type rpm_log_t; + ') + +- logging_search_logs($1) +- append_files_pattern($1, rpm_log_t, rpm_log_t) ++ allow $1 rpm_log_t:file append_inherited_file_perms; + ') + + ######################################## +@@ -335,7 +377,9 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -1908,7 +1926,17 @@ index d33daa8..c76708e 100644 ') ##################################### -@@ -375,7 +420,9 @@ interface(`rpm_manage_tmp_files',` +@@ -354,8 +398,7 @@ interface(`rpm_append_tmp_files',` + type rpm_tmp_t; + ') + +- files_search_tmp($1) +- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t) ++ allow $1 rpm_tmp_t:file append_inherited_file_perms; + ') + + ######################################## +@@ -375,7 +418,9 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) 
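Review bot: The new body of `rpm_append_log` in hunk `@@ -1898,7 +1906,17 @@` replaces `logging_search_logs($1)` and `append_files_pattern($1, rpm_log_t, rpm_log_t)` with `allow $1 rpm_log_t:file append_inherited_file_perms;`, which drops the open and /var/log search access, so any caller that opens the log by path instead of inheriting a descriptor silently loses it while the interface keeps its old name. The interface's summary block (outside the hunk) should state the narrowed contract, e.g. `## Append to the rpm log file through an already-open, inherited descriptor; no open or search access is granted.` The same narrowing is made to `rpm_append_tmp_files` in hunk `@@ -1908,7 +1926,17 @@` and to `sosreport_append_tmp_files` in the sosreport.if section on the next line, and their summaries need the same wording. The definition of `append_inherited_file_perms` is not visible here, so confirm it is declared in the policy's permission-set macros before relying on it.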
@@ -1918,7 +1946,7 @@ index d33daa8..c76708e 100644 ') ######################################## -@@ -459,6 +506,7 @@ interface(`rpm_read_db',` +@@ -459,6 +504,7 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -1926,7 +1954,7 @@ index d33daa8..c76708e 100644 ') ######################################## -@@ -516,7 +564,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -516,7 +562,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -1935,7 +1963,7 @@ index d33daa8..c76708e 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -576,3 +624,66 @@ interface(`rpm_pid_filetrans',` +@@ -576,3 +622,66 @@ interface(`rpm_pid_filetrans',` files_pid_filetrans($1, rpm_var_run_t, file) ') @@ -2489,6 +2517,19 @@ index bc00875..819a10b 100644 dbus_system_bus_client(smoltclient_t) ') +diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if +index 94c01b5..f64bd93 100644 +--- a/policy/modules/admin/sosreport.if ++++ b/policy/modules/admin/sosreport.if +@@ -106,7 +106,7 @@ interface(`sosreport_append_tmp_files',` + type sosreport_tmp_t; + ') + +- append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) ++ allow $1 sosreport_tmp_t:file append_inherited_file_perms; + ') + + ######################################## diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te index fe1c377..7660180 100644 --- a/policy/modules/admin/sosreport.te @@ -3863,10 +3904,10 @@ index 00a19e3..d5acf98 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) 
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..265ff1a 100644 +index f5afe78..718b7ff 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,739 @@ +@@ -1,44 +1,740 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -3976,6 +4017,7 @@ index f5afe78..265ff1a 100644 + + optional_policy(` + telepathy_mission_control_read_state($1_gkeyringd_t) ++ telepathy_dbus_chat($1_gkeyringd_t) + ') + ') +') @@ -4624,7 +4666,7 @@ index f5afe78..265ff1a 100644 ## ## ## -@@ -46,37 +741,36 @@ interface(`gnome_role',` +@@ -46,37 +742,36 @@ interface(`gnome_role',` ## ## # @@ -4673,7 +4715,7 @@ index f5afe78..265ff1a 100644 ## ## ## -@@ -84,37 +778,42 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +779,42 @@ template(`gnome_read_gconf_config',` ## ## # @@ -4727,7 +4769,7 @@ index f5afe78..265ff1a 100644 ## ## ## -@@ -122,17 +821,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +822,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -4749,7 +4791,7 @@ index f5afe78..265ff1a 100644 ## ## ## -@@ -140,51 +839,359 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +840,354 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -4857,11 +4899,6 @@ index f5afe78..265ff1a 100644 +## Send and receive messages from +## gkeyringd over dbus. +## -+## -+## -+## Role prefix. -+## -+## +## +## +## Domain allowed access. @@ -9195,7 +9232,7 @@ index 7590165..9a7ebe5 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if -index 3cfb128..cfeed29 100644 +index 3cfb128..632c30c 100644 --- a/policy/modules/apps/telepathy.if +++ b/policy/modules/apps/telepathy.if @@ -11,7 +11,6 @@ 
@@ -9215,26 +9252,31 @@ index 3cfb128..cfeed29 100644 ## ## ## -@@ -46,6 +45,7 @@ template(`telepathy_domain_template',` +@@ -44,8 +43,13 @@ template(`telepathy_domain_template',` + ## The type of the user domain. + ## ## ++## ++## ++## User domain prefix to be used. ++## ++## # - template(`telepathy_role', ` -+ +-template(`telepathy_role', ` ++template(`telepathy_role',` gen_require(` attribute telepathy_domain; type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; -@@ -78,6 +78,10 @@ template(`telepathy_role', ` +@@ -76,6 +80,8 @@ template(`telepathy_role', ` + dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) + dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) ++ ++ telepathy_dbus_chat($2) ') -+ optional_policy(` -+ telepathy_dbus_chat($2) -+ ') -+ ######################################## - ## - ## Stream connect to Telepathy Gabble -@@ -179,3 +183,75 @@ interface(`telepathy_salut_stream_connect', ` +@@ -179,3 +185,75 @@ interface(`telepathy_salut_stream_connect', ` stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) files_search_tmp($1) ') @@ -9311,7 +9353,7 @@ index 3cfb128..cfeed29 100644 + ') +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..f605e0a 100644 +index 2533ea0..9f6298c 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t) 
@@ -9349,7 +9391,19 @@ index 2533ea0..f605e0a 100644 ####################################### # # Telepathy Idle local policy. -@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',` +@@ -148,9 +162,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` + allow telepathy_logger_t self:unix_stream_socket create_socket_perms; + + manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) ++gnome_cache_filetrans(telepathy_logger_t, telepathy_logger_cache_home_t, file) + + manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) + manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) ++gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir) + + files_read_etc_files(telepathy_logger_t) + files_read_usr_files(telepathy_logger_t) +@@ -168,6 +184,11 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_logger_t) ') @@ -9361,7 +9415,7 @@ index 2533ea0..f605e0a 100644 ####################################### # # Telepathy Mission-Control local policy. -@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -176,6 +197,7 @@ tunable_policy(`use_samba_home_dirs',` manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) 
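Review bot: In hunk `@@ -9349,7 +9391,19 @@` the added `gnome_cache_filetrans(telepathy_logger_t, telepathy_logger_cache_home_t, file)` and `gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)` call into the gnome module at the top level of telepathy.te, whereas the same file wraps `gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)` in `optional_policy(...)` a few hunks later. If gnome is an optional module in this build, the bare calls break the link when it is absent; either wrap both in `optional_policy(...)` like the gkeyringd call, or add a comment stating that gnome is a hard dependency of telepathy here. A one-line comment naming the files these transitions are for, in the style of the existing `# ~/.cache/.mc_connections.` comment for mission-control, would also help the next reader.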
@@ -9369,10 +9423,14 @@ index 2533ea0..f605e0a 100644 dev_read_rand(telepathy_mission_control_t) -@@ -194,6 +214,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -194,6 +216,16 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_mission_control_t) ') ++optional_policy(` ++ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) ++') ++ +# ~/.cache/.mc_connections. +optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) @@ -9382,7 +9440,7 @@ index 2533ea0..f605e0a 100644 ####################################### # # Telepathy Butterfly and Haze local policy. -@@ -205,8 +231,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -9394,7 +9452,7 @@ index 2533ea0..f605e0a 100644 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -246,6 +275,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +281,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` @@ -9405,7 +9463,7 @@ index 2533ea0..f605e0a 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -365,6 +398,7 @@ dev_read_urand(telepathy_domain) +@@ -365,6 +404,7 @@ dev_read_urand(telepathy_domain) kernel_read_system_state(telepathy_domain) @@ -9413,7 +9471,7 @@ index 2533ea0..f605e0a 100644 fs_search_auto_mountpoints(telepathy_domain) auth_use_nsswitch(telepathy_domain) -@@ -376,5 +410,23 @@ optional_policy(` +@@ -376,5 +416,23 @@ optional_policy(` ') optional_policy(` 
@@ -20425,7 +20483,7 @@ index 6480167..b32b10e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..6650c05 100644 +index 3136c6a..a079c51 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -20771,7 +20829,7 @@ index 3136c6a..6650c05 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +453,11 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +453,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -20782,7 +20840,11 @@ index 3136c6a..6650c05 100644 +corenet_tcp_bind_jboss_management_port(httpd_t) corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown - corenet_tcp_connect_http_port(httpd_t) +-corenet_tcp_connect_http_port(httpd_t) ++#corenet_tcp_connect_http_port(httpd_t) + + dev_read_sysfs(httpd_t) + dev_read_rand(httpd_t) @@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) @@ -26350,7 +26412,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 1a1becd..5a0ca9f 100644 +index 1a1becd..7dbd8f6 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` 
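Review bot: In hunk `@@ -20771,7 +20829,7 @@` the rule `corenet_tcp_connect_http_port(httpd_t)` is disabled by commenting it out (`+#corenet_tcp_connect_http_port(httpd_t)`) rather than deleted, and the `# Signal self for shutdown` comment directly above it now describes a dead line. Commented-out policy is easy to re-enable by accident and records no reason for the change; delete the line and replace the orphaned comment with one that says why httpd_t no longer gets an unconditional connect to the http port and, if that access is meant to be governed by a boolean instead, which one. The surrounding httpd_t rules continue outside the hunk.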
@@ -26513,7 +26575,19 @@ index 1a1becd..5a0ca9f 100644 ') ######################################## -@@ -336,13 +377,13 @@ interface(`dbus_connect_session_bus',` +@@ -322,6 +363,11 @@ interface(`dbus_connect_session_bus',` + ## Allow a application domain to be started + ## by the session dbus. + ## ++## ++## ++## User domain prefix to be used. ++## ++## + ## + ## + ## Type to be used as a domain. +@@ -336,13 +382,13 @@ interface(`dbus_connect_session_bus',` # interface(`dbus_session_domain',` gen_require(` @@ -26531,7 +26605,7 @@ index 1a1becd..5a0ca9f 100644 ') ######################################## -@@ -432,14 +473,33 @@ interface(`dbus_system_domain',` +@@ -432,14 +478,33 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -26566,7 +26640,7 @@ index 1a1becd..5a0ca9f 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -464,26 +524,25 @@ interface(`dbus_use_system_bus_fds',` +@@ -464,26 +529,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## @@ -26599,7 +26673,7 @@ index 1a1becd..5a0ca9f 100644 ## ## ## -@@ -491,10 +550,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -491,10 +555,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -28350,7 +28424,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..f4f2402 100644 +index acf6d4f..4bbff24 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
@@ -28451,7 +28525,12 @@ index acf6d4f..f4f2402 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -204,6 +223,7 @@ kernel_read_system_state(dovecot_auth_t) +@@ -201,9 +220,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) + kernel_read_all_sysctls(dovecot_auth_t) + kernel_read_system_state(dovecot_auth_t) + ++corecmd_exec_bin(dovecot_auth_t) ++ logging_send_audit_msgs(dovecot_auth_t) logging_send_syslog_msg(dovecot_auth_t) @@ -28459,7 +28538,7 @@ index acf6d4f..f4f2402 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -218,6 +238,8 @@ files_read_var_lib_files(dovecot_auth_t) +@@ -218,6 +240,8 @@ files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) @@ -28468,7 +28547,7 @@ index acf6d4f..f4f2402 100644 init_rw_utmp(dovecot_auth_t) miscfiles_read_localization(dovecot_auth_t) -@@ -236,6 +258,8 @@ optional_policy(` +@@ -236,6 +260,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -28477,7 +28556,7 @@ index acf6d4f..f4f2402 100644 ') optional_policy(` -@@ -243,6 +267,8 @@ optional_policy(` +@@ -243,6 +269,8 @@ optional_policy(` ') optional_policy(` @@ -28486,7 +28565,7 @@ index acf6d4f..f4f2402 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +276,42 @@ optional_policy(` +@@ -250,23 +278,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -28531,7 +28610,7 @@ index acf6d4f..f4f2402 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -302,5 +347,19 @@ tunable_policy(`use_samba_home_dirs',` +@@ -302,5 +349,19 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` 
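Review bot: In hunk `@@ -28451,7 +28525,12 @@` the added `corecmd_exec_bin(dovecot_auth_t)` lets the dovecot authentication domain execute any general system binary (bin_t), a large widening for the domain that performs password checks (`auth_domtrans_chk_passwd(dovecot_auth_t)` is visible in the same hunk). If one specific helper is what is needed, label it and grant `can_exec` or a domain transition to that type instead; if the broad rule is genuinely required, add a why-comment above it naming the program that triggered it, e.g. `# dovecot-auth executes <helper name> from bin_t -- TODO confirm`. As written the rule is outside any `optional_policy` or tunable, so it cannot be switched off per deployment.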
@@ -49280,10 +49359,10 @@ index 2124b6a..9682c44 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..5c0a7a4 100644 +index 7c5d8d8..411edf3 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if -@@ -13,14 +13,15 @@ +@@ -13,39 +13,42 @@ # template(`virt_domain_template',` gen_require(` @@ -49292,6 +49371,7 @@ index 7c5d8d8..5c0a7a4 100644 - attribute virt_domain; + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; ++ attribute virt_ptynode; ') type $1_t, virt_domain; @@ -49301,8 +49381,10 @@ index 7c5d8d8..5c0a7a4 100644 + mcs_untrusted_proc($1_t) role system_r types $1_t; - type $1_devpts_t; -@@ -29,23 +30,24 @@ template(`virt_domain_template',` +- type $1_devpts_t; ++ type $1_devpts_t, virt_ptynode; + term_pty($1_devpts_t) + type $1_tmp_t; files_tmp_file($1_tmp_t) @@ -49332,7 +49414,7 @@ index 7c5d8d8..5c0a7a4 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +59,6 @@ template(`virt_domain_template',` +@@ -57,18 +60,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -49351,7 +49433,7 @@ index 7c5d8d8..5c0a7a4 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -101,9 +91,9 @@ interface(`virt_image',` +@@ -101,9 +92,9 @@ interface(`virt_image',` ## Execute a domain transition to run virt. ## ## @@ -49363,7 +49445,7 @@ index 7c5d8d8..5c0a7a4 100644 ## # interface(`virt_domtrans',` -@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',` +@@ -164,13 +155,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` 
@@ -49379,7 +49461,7 @@ index 7c5d8d8..5c0a7a4 100644 ') ######################################## -@@ -185,13 +175,13 @@ interface(`virt_read_config',` +@@ -185,13 +176,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -49395,7 +49477,7 @@ index 7c5d8d8..5c0a7a4 100644 ') ######################################## -@@ -231,6 +221,24 @@ interface(`virt_read_content',` +@@ -231,6 +222,24 @@ interface(`virt_read_content',` ######################################## ## @@ -49420,7 +49502,7 @@ index 7c5d8d8..5c0a7a4 100644 ## Read virt PID files. ## ## -@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',` +@@ -269,6 +278,36 @@ interface(`virt_manage_pid_files',` ######################################## ## @@ -49457,7 +49539,7 @@ index 7c5d8d8..5c0a7a4 100644 ## Search virt lib directories. ## ## -@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',` +@@ -308,6 +347,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -49482,7 +49564,7 @@ index 7c5d8d8..5c0a7a4 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -352,9 +408,9 @@ interface(`virt_read_log',` +@@ -352,9 +409,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -49494,7 +49576,7 @@ index 7c5d8d8..5c0a7a4 100644 ## # interface(`virt_append_log',` -@@ -424,6 +480,24 @@ interface(`virt_read_images',` +@@ -424,6 +481,24 @@ interface(`virt_read_images',` ######################################## ## @@ -49519,7 +49601,7 @@ index 7c5d8d8..5c0a7a4 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +507,15 @@ interface(`virt_read_images',` +@@ -433,15 +508,15 @@ interface(`virt_read_images',` ## ## # @@ -49540,7 +49622,7 @@ index 7c5d8d8..5c0a7a4 100644 ') ######################################## -@@ -500,6 +574,7 @@ interface(`virt_manage_images',` +@@ -500,6 +575,7 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; 
@@ -49548,7 +49630,7 @@ index 7c5d8d8..5c0a7a4 100644 ') allow $1 virtd_t:process { ptrace signal_perms }; -@@ -515,4 +590,188 @@ interface(`virt_admin',` +@@ -515,4 +591,188 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) @@ -49738,14 +49820,15 @@ index 7c5d8d8..5c0a7a4 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..4dec4ad 100644 +index 3eca020..441810b 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te -@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0) +@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) # Declarations # +attribute virsh_transition_domain; ++attribute virt_ptynode; + ## -##

@@ -49829,7 +49912,7 @@ index 3eca020..4dec4ad 100644 type virt_etc_t; files_config_file(virt_etc_t) -@@ -62,23 +72,31 @@ files_config_file(virt_etc_t) +@@ -62,23 +73,31 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) @@ -49862,7 +49945,7 @@ index 3eca020..4dec4ad 100644 type virtd_t; type virtd_exec_t; -@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t) +@@ -89,6 +108,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -49874,7 +49957,7 @@ index 3eca020..4dec4ad 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -104,15 +127,12 @@ ifdef(`enable_mls',` +@@ -104,15 +128,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; @@ -49891,7 +49974,7 @@ index 3eca020..4dec4ad 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t) +@@ -133,6 +154,8 @@ dev_list_sysfs(svirt_t) userdom_search_user_home_content(svirt_t) userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) @@ -49900,7 +49983,7 @@ index 3eca020..4dec4ad 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +170,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -49916,7 +49999,7 @@ index 3eca020..4dec4ad 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +187,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) 
@@ -49939,7 +50022,7 @@ index 3eca020..4dec4ad 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +211,34 @@ optional_policy(` +@@ -174,21 +212,34 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -49978,7 +50061,7 @@ index 3eca020..4dec4ad 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +250,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +251,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -49987,6 +50070,7 @@ index 3eca020..4dec4ad 100644 +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; ++allow virtd_t virt_ptynode:chr_file rw_term_perms; + +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) @@ -49995,7 +50079,7 @@ index 3eca020..4dec4ad 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +276,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +@@ -220,6 +278,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -50003,7 +50087,7 @@ index 3eca020..4dec4ad 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +296,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +298,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) 
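Review bot: In hunk `@@ -49987,6 +50070,7 @@` the added `allow virtd_t virt_ptynode:chr_file rw_term_perms;` grants virtd read/write on the pty of every domain created through `virt_domain_template`, since virt.if now declares `type $1_devpts_t, virt_ptynode;`, not on a single guest type. That is presumably the guest console path, but nothing on the line says so; a why-comment such as `# virtd drives guest pty consoles; virt_ptynode covers every $1_devpts_t -- TODO confirm` would save the next reader tracing the attribute. The enclosing virtd_t rule block continues outside the hunk.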
@@ -50036,7 +50120,7 @@ index 3eca020..4dec4ad 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +328,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +330,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -50055,7 +50139,7 @@ index 3eca020..4dec4ad 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +363,29 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +365,29 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -50085,7 +50169,7 @@ index 3eca020..4dec4ad 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +404,10 @@ optional_policy(` +@@ -313,6 +406,10 @@ optional_policy(` ') optional_policy(` @@ -50096,7 +50180,7 @@ index 3eca020..4dec4ad 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,6 +424,10 @@ optional_policy(` +@@ -329,6 +426,10 @@ optional_policy(` ') optional_policy(` @@ -50107,7 +50191,7 @@ index 3eca020..4dec4ad 100644 dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) -@@ -365,6 +464,12 @@ optional_policy(` +@@ -365,6 +466,12 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -50120,7 +50204,7 @@ index 3eca020..4dec4ad 100644 ') optional_policy(` -@@ -385,23 +490,37 @@ optional_policy(` +@@ -385,23 +492,37 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -50163,7 +50247,7 @@ index 3eca020..4dec4ad 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -418,10 +537,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +539,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) 
@@ -50176,7 +50260,7 @@ index 3eca020..4dec4ad 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +549,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +551,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -50189,7 +50273,7 @@ index 3eca020..4dec4ad 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,8 +562,16 @@ files_search_all(virt_domain) +@@ -440,8 +564,16 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -50207,7 +50291,7 @@ index 3eca020..4dec4ad 100644 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -457,8 +587,117 @@ optional_policy(` +@@ -457,8 +589,117 @@ optional_policy(` ') optional_policy(` @@ -50232,7 +50316,7 @@ index 3eca020..4dec4ad 100644 +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config }; -+allow virsh_t self:process { getcap getsched setcap signal }; ++allow virsh_t self:process { getcap getsched setsched setcap signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; @@ -54096,7 +54180,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..2ae760f 100644 +index 94fd8dd..99fe8d1 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` 
@@ -54165,7 +54249,7 @@ index 94fd8dd..2ae760f 100644 ') typeattribute $1 daemon; -@@ -204,7 +245,23 @@ interface(`init_daemon_domain',` +@@ -204,7 +245,24 @@ interface(`init_daemon_domain',` role system_r types $1; @@ -54184,13 +54268,14 @@ index 94fd8dd..2ae760f 100644 + tunable_policy(`init_systemd',` + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow init_t $1:unix_dgram_socket create_socket_perms; ++ allow init_t $1:tcp_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + dontaudit $1 init_t:unix_stream_socket { read ioctl getattr }; + ') # daemons started from init will # inherit fds from init for the console -@@ -231,6 +288,8 @@ interface(`init_daemon_domain',` +@@ -231,6 +289,8 @@ interface(`init_daemon_domain',` ifdef(`distro_rhel4',` kernel_dontaudit_use_fds($1) ') @@ -54199,7 +54284,7 @@ index 94fd8dd..2ae760f 100644 ') optional_policy(` -@@ -283,17 +342,20 @@ interface(`init_daemon_domain',` +@@ -283,17 +343,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; @@ -54221,7 +54306,7 @@ index 94fd8dd..2ae760f 100644 ') ') -@@ -336,15 +398,32 @@ interface(`init_ranged_daemon_domain',` +@@ -336,15 +399,32 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -54255,7 +54340,7 @@ index 94fd8dd..2ae760f 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -353,6 +432,41 @@ interface(`init_system_domain',` +@@ -353,6 +433,41 @@ interface(`init_system_domain',` kernel_dontaudit_use_fds($1) ') ') @@ -54297,7 +54382,7 @@ index 94fd8dd..2ae760f 100644 ') ######################################## -@@ -401,16 +515,19 @@ interface(`init_system_domain',` +@@ -401,16 +516,19 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; 
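Review bot: In hunk `@@ -54184,13 +54268,14 @@` the added `allow init_t $1:tcp_socket create_stream_socket_perms;` inside the `init_systemd` tunable block of `init_daemon_domain` is granted to every domain declared through that interface, while the commit message motivates it only for cups. If the intent is systemd socket activation in general, say so on the line, e.g. `# systemd socket activation: init creates the listening TCP socket in the daemon's label (cups needs this)`; if only cups needs it, a separate interface called from the cups policy would keep the other daemon labels from gaining it. The interface body continues outside the hunk.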
@@ -54317,7 +54402,7 @@ index 94fd8dd..2ae760f 100644 mls_rangetrans_target($1) ') ') -@@ -451,6 +568,10 @@ interface(`init_exec',` +@@ -451,6 +569,10 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -54328,7 +54413,7 @@ index 94fd8dd..2ae760f 100644 ') ######################################## -@@ -509,6 +630,24 @@ interface(`init_sigchld',` +@@ -509,6 +631,24 @@ interface(`init_sigchld',` ######################################## ##

@@ -54353,7 +54438,7 @@ index 94fd8dd..2ae760f 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +658,29 @@ interface(`init_sigchld',` +@@ -519,10 +659,29 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -54385,7 +54470,7 @@ index 94fd8dd..2ae760f 100644 ') ######################################## -@@ -688,19 +846,25 @@ interface(`init_telinit',` +@@ -688,19 +847,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -54412,7 +54497,7 @@ index 94fd8dd..2ae760f 100644 ') ') -@@ -730,7 +894,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +895,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -54421,7 +54506,7 @@ index 94fd8dd..2ae760f 100644 ## ## # -@@ -773,18 +937,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +938,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -54445,7 +54530,7 @@ index 94fd8dd..2ae760f 100644 ') ') -@@ -800,19 +965,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +966,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -54491,7 +54576,7 @@ index 94fd8dd..2ae760f 100644 ') ######################################## -@@ -868,9 +1055,14 @@ interface(`init_script_file_domtrans',` +@@ -868,9 +1056,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -54506,7 +54591,7 @@ index 94fd8dd..2ae760f 100644 files_search_etc($1) ') -@@ -1079,6 +1271,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1272,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -54531,7 +54616,7 @@ index 94fd8dd..2ae760f 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1340,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1341,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) 
@@ -54545,7 +54630,7 @@ index 94fd8dd..2ae760f 100644 ') ######################################## -@@ -1375,6 +1580,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1581,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -54573,7 +54658,7 @@ index 94fd8dd..2ae760f 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1687,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1688,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -54599,7 +54684,7 @@ index 94fd8dd..2ae760f 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1764,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1765,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -54624,7 +54709,7 @@ index 94fd8dd..2ae760f 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1937,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1938,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -54633,7 +54718,7 @@ index 94fd8dd..2ae760f 100644 ') ######################################## -@@ -1715,6 +1978,92 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1979,92 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -54726,7 +54811,7 @@ index 94fd8dd..2ae760f 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2098,156 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2099,156 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -54884,7 +54969,7 @@ index 94fd8dd..2ae760f 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..e30550a 100644 +index 29a9565..3e12154 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -55571,7 +55656,15 @@ index 29a9565..e30550a 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +1014,13 @@ optional_policy(` +@@ -689,6 +997,7 @@ optional_policy(` + lpd_list_spool(initrc_t) + + lpd_read_config(initrc_t) ++ lpd_manage_spool(init_t) + ') + + optional_policy(` +@@ -706,7 +1015,13 @@ optional_policy(` ') optional_policy(` @@ -55585,7 +55678,7 @@ index 29a9565..e30550a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1043,10 @@ optional_policy(` +@@ -729,6 +1044,10 @@ optional_policy(` ') optional_policy(` @@ -55596,7 +55689,7 @@ index 29a9565..e30550a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1056,20 @@ optional_policy(` +@@ -738,10 +1057,20 @@ optional_policy(` ') optional_policy(` @@ -55617,7 +55710,7 @@ index 29a9565..e30550a 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1078,10 @@ optional_policy(` +@@ -750,6 +1079,10 @@ optional_policy(` ') optional_policy(` @@ -55628,7 +55721,7 @@ index 29a9565..e30550a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1103,6 @@ optional_policy(` +@@ -771,8 +1104,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -55637,7 +55730,7 @@ index 29a9565..e30550a 100644 ') optional_policy(` -@@ -790,10 +1120,12 @@ optional_policy(` +@@ -790,10 +1121,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -55650,7 +55743,7 @@ index 29a9565..e30550a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1137,6 @@ optional_policy(` +@@ -805,7 +1138,6 @@ optional_policy(` ') optional_policy(` 
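Review bot: `lpd_manage_spool(init_t)` is added to the lpd `optional_policy` block among the initrc_t rules and, as far as the visible context shows, is not gated by the `init_systemd` tunable the way the companion `tcp_socket` rule in init.if is, so init_t gets manage permissions on the lpd spool regardless of which init system is running. If this is only needed for systemd standing in for cups, wrapping it as `tunable_policy(\`init_systemd',\` lpd_manage_spool(init_t) ')` inside the same block keeps the two changes consistent. The block now mixes init_t and initrc_t rules without comment; a one-line `# systemd manages the cups spool when impersonating cupsd (see 3.10.0-4 changelog)` above the new rule would record the intent. The surrounding init.te section continues outside this hunk.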
@@ -55658,7 +55751,7 @@ index 29a9565..e30550a 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1146,24 @@ optional_policy(` +@@ -815,11 +1147,24 @@ optional_policy(` ') optional_policy(` @@ -55684,7 +55777,7 @@ index 29a9565..e30550a 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1173,25 @@ optional_policy(` +@@ -829,6 +1174,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -55710,7 +55803,7 @@ index 29a9565..e30550a 100644 ') optional_policy(` -@@ -844,6 +1207,10 @@ optional_policy(` +@@ -844,6 +1208,10 @@ optional_policy(` ') optional_policy(` @@ -55721,7 +55814,7 @@ index 29a9565..e30550a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1221,45 @@ optional_policy(` +@@ -854,3 +1222,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -55947,7 +56040,7 @@ index 55a6cd8..bec6385 100644 +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 05fb364..2538de7 100644 +index 05fb364..6b895d1 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc @@ -1,7 +1,5 @@ @@ -55959,7 +56052,7 @@ index 05fb364..2538de7 100644 /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -@@ -12,8 +10,3 @@ +@@ -12,8 +10,4 @@ /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) 
@@ -55968,6 +56061,7 @@ index 05fb364..2538de7 100644 -/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index f3e1b57..a7b2adc 100644 --- a/policy/modules/system/iptables.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 5861f29..c0758c9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -452,6 +452,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jul 14 2011 Miroslav Grepl 3.10.0-4 +- Allow setsched for virsh +- Systemd needs to impersonate cups, which means it needs to create tcp_sockets in cups_t domain, as well as manage spool directories +- iptables: the various /sbin/ip6?tables.* are now symlinks for +/sbin/xtables-multi + * Tue Jul 12 2011 Miroslav Grepl 3.10.0-3 - A lot of users are running yum -y update while in /root which is causing ldconfig to list the contents, adding dontaudit - Allow colord to interact with the users through the tmpfs file system