From 75beb95014d85e499f1bd3d8259d4e85601bb0a7 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 06 2006 16:36:23 +0000 Subject: patch from dan Tue, 05 Sep 2006 17:06:06 -0400 --- diff --git a/Changelog b/Changelog index 89f9ae3..0d17563 100644 --- a/Changelog +++ b/Changelog @@ -67,6 +67,7 @@ Wed, 23 Aug 2006 Thu, 31 Aug 2006 Fri, 01 Sep 2006 + Tue, 05 Sep 2006 - Added modules: afs amavis (Erich Schubert) diff --git a/Makefile b/Makefile index 9397d2b..2e2699e 100644 --- a/Makefile +++ b/Makefile @@ -47,19 +47,21 @@ endif BINDIR ?= /usr/bin SBINDIR ?= /usr/sbin ifdef TEST_TOOLCHAIN -tc_bindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR) -tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR) +tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR) +tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR) +tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin else -tc_bindir := $(BINDIR) -tc_sbindir := $(SBINDIR) +tc_usrbindir := $(BINDIR) +tc_usrsbindir := $(SBINDIR) +tc_sbindir := /sbin endif -CHECKPOLICY ?= $(tc_bindir)/checkpolicy -CHECKMODULE ?= $(tc_bindir)/checkmodule -SEMODULE ?= $(tc_sbindir)/semodule -SEMOD_PKG ?= $(tc_bindir)/semodule_package -SEMOD_LNK ?= $(tc_bindir)/semodule_link -SEMOD_EXP ?= $(tc_bindir)/semodule_expand -LOADPOLICY ?= $(tc_sbindir)/load_policy +CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy +CHECKMODULE ?= $(tc_usrbindir)/checkmodule +SEMODULE ?= $(tc_usrsbindir)/semodule +SEMOD_PKG ?= $(tc_usrbindir)/semodule_package +SEMOD_LNK ?= $(tc_usrbindir)/semodule_link +SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand +LOADPOLICY ?= $(tc_usrsbindir)/load_policy SETFILES ?= $(tc_sbindir)/setfiles XMLLINT ?= $(BINDIR)/xmllint SECHECK ?= $(BINDIR)/sechecker diff --git a/policy/modules/admin/firstboot.if b/policy/modules/admin/firstboot.if index ceb0580..4214456 100644 --- a/policy/modules/admin/firstboot.if +++ b/policy/modules/admin/firstboot.if @@ -111,20 +111,3 @@ interface(`firstboot_write_pipes',` allow $1 firstboot_t:fifo_file write; ') -######################################## -## -## Read firstboot writable config files. -## -## -## -## The type of the process performing this action. -## -## -# -interface(`firstboot_read_rw_files',` - gen_require(` - type firstboot_rw_t; - ') - - allow $1 firstboot_rw_t:file r_file_perms; -') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 9a162b0..b00f0ee 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -125,6 +125,7 @@ ifdef(`distro_gentoo',` /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 13945b9..513514e 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.3.14) +policy_module(corecommands,1.3.15) ######################################## # diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 526a375..169e582 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,5 +1,5 @@ -policy_module(corenetwork,1.1.14) +policy_module(corenetwork,1.1.15) ######################################## # @@ -126,7 +126,6 @@ network_port(rndc, tcp,953,s0) network_port(router, udp,520,s0) network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) -network_port(setroubleshoot, tcp,3267,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 512192a..9f2ed2c 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2045,6 +2045,25 @@ interface(`fs_dontaudit_search_ramfs',` ######################################## ## +## Create, read, write, and delete +## directories on a ramfs. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_ramfs_dirs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:dir manage_dir_perms; +') + +######################################## +## ## Dontaudit read on a ramfs files. ## ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index fab7a62..b9fa21b 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem,1.3.13) +policy_module(filesystem,1.3.14) ######################################## # diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index ddc3042..ce3bc65 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -412,7 +412,7 @@ interface(`term_dontaudit_manage_pty_dirs',` ######################################## ## -## ioctl of generic pty types. +## ioctl of generic pty devices. ## ## ## @@ -433,6 +433,26 @@ interface(`term_ioctl_generic_ptys',` ######################################## ## +## Dontaudit setting the attributes of +## generic pty devices. +## +## +## +## Domain allowed access. +## +## +# +# dwalsh: added for rhgb +interface(`term_dontaudit_setattr_generic_ptys',` + gen_require(` + type devpts_t; + ') + + dontaudit $1 devpts_t:chr_file setattr; +') + +######################################## +## ## Read and write the generic pty ## type. This is generally only used in ## the targeted policy. diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index 885f01c..fb4e1c2 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,5 +1,5 @@ -policy_module(terminal,1.1.7) +policy_module(terminal,1.1.8) ######################################## # diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 14dc4bd..d2794d4 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.2.6) +policy_module(dovecot,1.2.7) ######################################## # @@ -46,7 +46,6 @@ allow dovecot_t self:fifo_file rw_file_perms; allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow dovecot_t self:netlink_route_socket r_netlink_socket_perms; domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) allow dovecot_t dovecot_auth_t:fd use; diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te index 7170171..958f90c 100644 --- a/policy/modules/services/rhgb.te +++ b/policy/modules/services/rhgb.te @@ -1,5 +1,5 @@ -policy_module(rhgb,1.0.1) +policy_module(rhgb,1.0.2) ######################################## # @@ -10,18 +10,20 @@ type rhgb_t; type rhgb_exec_t; init_daemon_domain(rhgb_t,rhgb_exec_t) -type rhgb_devpts_t; -term_pty(rhgb_devpts_t) - type rhgb_tmpfs_t; files_tmpfs_file(rhgb_tmpfs_t) +ifdef(`strict_policy',` + type rhgb_devpts_t; + term_pty(rhgb_devpts_t) +') + ######################################## # # Local policy # -allow rhgb_t self:capability { sys_admin sys_tty_config }; +allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config }; dontaudit rhgb_t self:capability sys_tty_config; allow rhgb_t self:process signal_perms; allow rhgb_t self:shm create_shm_perms; @@ -29,9 +31,7 @@ allow rhgb_t self:unix_stream_socket create_stream_socket_perms; allow rhgb_t self:fifo_file rw_file_perms; allow rhgb_t self:tcp_socket create_socket_perms; allow rhgb_t self:udp_socket create_socket_perms; - -allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr }; -term_create_pty(rhgb_t,rhgb_devpts_t) +allow rhgb_t self:netlink_route_socket r_netlink_socket_perms; allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms; allow rhgb_t rhgb_tmpfs_t:file manage_file_perms; @@ -45,6 +45,7 @@ kernel_read_system_state(rhgb_t) corecmd_exec_bin(rhgb_t) corecmd_exec_sbin(rhgb_t) +corecmd_exec_shell(rhgb_t) corenet_non_ipsec_sendrecv(rhgb_t) corenet_tcp_sendrecv_generic_if(rhgb_t) @@ -61,6 +62,7 @@ dev_read_sysfs(rhgb_t) domain_use_interactive_fds(rhgb_t) files_read_etc_files(rhgb_t) +files_read_var_files(rhgb_t) files_read_etc_runtime_files(rhgb_t) files_search_tmp(rhgb_t) files_read_usr_files(rhgb_t) @@ -73,13 +75,17 @@ files_dontaudit_search_var(rhgb_t) fs_search_auto_mountpoints(rhgb_t) fs_mount_ramfs(rhgb_t) fs_unmount_ramfs(rhgb_t) +fs_getattr_tmpfs(rhgb_t) # for ramfs file systems +fs_manage_ramfs_dirs(rhgb_t) fs_manage_ramfs_files(rhgb_t) fs_manage_ramfs_pipes(rhgb_t) fs_manage_ramfs_sockets(rhgb_t) term_dontaudit_use_console(rhgb_t) term_use_unallocated_ttys(rhgb_t) +term_use_ptmx(rhgb_t) +term_getattr_pty_fs(rhgb_t) init_use_fds(rhgb_t) init_use_script_ptys(rhgb_t) @@ -96,22 +102,30 @@ miscfiles_read_localization(rhgb_t) miscfiles_read_fonts(rhgb_t) sysnet_read_config(rhgb_t) +sysnet_domtrans_ifconfig(rhgb_t) userdom_dontaudit_use_unpriv_user_fds(rhgb_t) +userdom_dontaudit_search_sysadm_home_dirs(rhgb_t) xserver_read_xdm_xserver_tmp_files(rhgb_t) xserver_kill_xdm_xserver(rhgb_t) # for running setxkbmap xserver_read_xkb_libs(rhgb_t) -ifdef(`targeted_policy',` +ifdef(`strict_policy',` + allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr }; + term_create_pty(rhgb_t,rhgb_devpts_t) +', ` + files_dontaudit_read_root_files(rhgb_t) + + term_dontaudit_use_generic_ptys(rhgb_t) + term_dontaudit_setattr_generic_ptys(rhgb_t) term_dontaudit_use_unallocated_ttys(rhgb_t) term_dontaudit_use_generic_ptys(rhgb_t) - files_dontaudit_read_root_files(rhgb_t) -') -optional_policy(` - firstboot_read_rw_files(rhgb_t) + xserver_domtrans_xdm_xserver(rhgb_t) + xserver_signal_xdm_xserver(rhgb_t) + xserver_read_xdm_tmp_files(rhgb_t) ') optional_policy(` @@ -127,21 +141,7 @@ optional_policy(` ') ifdef(`TODO',` - #TODO - ifdef(`hide_broken_symptoms', ` - # for a bug in the X server - dontaudit mount_t rhgb_gph_t:fd use; - ') - #TODO this seems a bit much + #this seems a bit much allow domain rhgb_devpts_t:chr_file { read write }; - #TODO this (ie files_dontaudit_read_default_files(rhgb_t))doesn't make sense with the following - allow rhgb_t default_t:file { getattr read }; - #TODO - # for gnome-pty-helper - gph_domain(rhgb, system) allow initrc_t rhgb_gph_t:fd use; - ifdef(`hide_broken_symptoms', ` - # it should not do this - dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search; - ') ') diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index 5286e4f..c3ced2a 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -1,5 +1,5 @@ -policy_module(setroubleshoot,1.0.0) +policy_module(setroubleshoot,1.0.1) ######################################## # @@ -64,9 +64,7 @@ corenet_tcp_sendrecv_generic_if(setroubleshootd_t) corenet_tcp_sendrecv_all_nodes(setroubleshootd_t) corenet_tcp_sendrecv_all_ports(setroubleshootd_t) corenet_tcp_bind_all_nodes(setroubleshootd_t) -corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t) corenet_tcp_connect_smtp_port(setroubleshootd_t) -corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t) corenet_sendrecv_smtp_client_packets(setroubleshootd_t) dev_read_urand(setroubleshootd_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 289f530..232c005 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,5 +1,5 @@ -policy_module(ssh,1.3.9) +policy_module(ssh,1.3.10) ######################################## # @@ -12,8 +12,10 @@ attribute ssh_server; type ssh_exec_t; corecmd_executable_file(ssh_exec_t) +type ssh_keygen_t; type ssh_keygen_exec_t; -corecmd_executable_file(ssh_keygen_exec_t) +init_system_domain(ssh_keygen_t,ssh_keygen_exec_t) +role system_r types ssh_keygen_t; type ssh_keysign_exec_t; corecmd_executable_file(ssh_keysign_exec_t) @@ -39,10 +41,6 @@ ifdef(`targeted_policy',` type ssh_agent_exec_t; files_type(ssh_agent_exec_t) - type ssh_keygen_t; - init_system_domain(ssh_keygen_t,ssh_keygen_exec_t) - role system_r types ssh_keygen_t; - ssh_server_template(sshd) ssh_server_template(sshd_extern) @@ -193,62 +191,64 @@ ifdef(`strict_policy',` # ssh_keygen local policy # -ifdef(`targeted_policy',`',` - # ssh_keygen_t is the type of the ssh-keygen program when run at install time - # and by sysadm_t +# ssh_keygen_t is the type of the ssh-keygen program when run at install time +# and by sysadm_t - dontaudit ssh_keygen_t self:capability sys_tty_config; - allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; +dontaudit ssh_keygen_t self:capability sys_tty_config; +allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; - allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; +allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; - allow ssh_keygen_t sshd_key_t:file create_file_perms; - files_etc_filetrans(ssh_keygen_t,sshd_key_t,file) +allow ssh_keygen_t sshd_key_t:file create_file_perms; +files_etc_filetrans(ssh_keygen_t,sshd_key_t,file) - kernel_read_kernel_sysctls(ssh_keygen_t) +kernel_read_kernel_sysctls(ssh_keygen_t) - fs_search_auto_mountpoints(ssh_keygen_t) +fs_search_auto_mountpoints(ssh_keygen_t) - dev_read_sysfs(ssh_keygen_t) - dev_read_urand(ssh_keygen_t) +dev_read_sysfs(ssh_keygen_t) +dev_read_urand(ssh_keygen_t) - term_dontaudit_use_console(ssh_keygen_t) +term_dontaudit_use_console(ssh_keygen_t) - domain_use_interactive_fds(ssh_keygen_t) +domain_use_interactive_fds(ssh_keygen_t) - files_read_etc_files(ssh_keygen_t) +files_read_etc_files(ssh_keygen_t) - init_use_fds(ssh_keygen_t) - init_use_script_ptys(ssh_keygen_t) +init_use_fds(ssh_keygen_t) +init_use_script_ptys(ssh_keygen_t) - libs_use_ld_so(ssh_keygen_t) - libs_use_shared_libs(ssh_keygen_t) +libs_use_ld_so(ssh_keygen_t) +libs_use_shared_libs(ssh_keygen_t) - logging_send_syslog_msg(ssh_keygen_t) +logging_send_syslog_msg(ssh_keygen_t) - allow ssh_keygen_t proc_t:dir r_dir_perms; - allow ssh_keygen_t proc_t:lnk_file read; +allow ssh_keygen_t proc_t:dir r_dir_perms; +allow ssh_keygen_t proc_t:lnk_file read; - userdom_use_sysadm_ttys(ssh_keygen_t) - userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) +userdom_use_sysadm_ttys(ssh_keygen_t) +userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) - # cjp: with the old daemon_(base_)domain being broken up into - # a daemon and system interface, this probably is not needed: - ifdef(`direct_sysadm_daemon',` - userdom_dontaudit_use_sysadm_terms(ssh_keygen_t) - ') +# cjp: with the old daemon_(base_)domain being broken up into +# a daemon and system interface, this probably is not needed: +ifdef(`direct_sysadm_daemon',` + userdom_dontaudit_use_sysadm_terms(ssh_keygen_t) +') - ifdef(`targeted_policy', ` - term_dontaudit_use_unallocated_ttys(ssh_keygen_t) - term_dontaudit_use_generic_ptys(ssh_keygen_t) - files_dontaudit_read_root_files(ssh_keygen_t) - ') +ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys(ssh_keygen_t) + term_dontaudit_use_generic_ptys(ssh_keygen_t) + files_dontaudit_read_root_files(ssh_keygen_t) +') - optional_policy(` - seutil_sigchld_newrole(ssh_keygen_t) - ') +optional_policy(` + nscd_socket_use(ssh_keygen_t) +') - optional_policy(` - udev_read_db(ssh_keygen_t) - ') +optional_policy(` + seutil_sigchld_newrole(ssh_keygen_t) +') + +optional_policy(` + udev_read_db(ssh_keygen_t) ') diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 7e33cf8..6c6ccf2 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -1072,11 +1072,30 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') + allow $1 xdm_tmp_t:dir search_dir_perms; allow $1 xdm_tmp_t:file { getattr read }; ') ######################################## ## +## Signal XDM X servers +## +## +## +## Domain to not audit +## +## +# +interface(`xserver_signal_xdm_xserver',` + gen_require(` + type xdm_xserver_t; + ') + + allow $1 xdm_xserver_t:process signal; +') + +######################################## +## ## Kill XDM X servers ## ## diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 6099a00..9e92fc2 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,5 +1,5 @@ -policy_module(xserver,1.1.14) +policy_module(xserver,1.1.15) ######################################## # @@ -99,6 +99,11 @@ dontaudit xdm_t ice_tmp_t:dir { getattr setattr }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +allow xdm_t xdm_tmp_t:dir manage_dir_perms; +allow xdm_t xdm_tmp_t:file manage_file_perms; +allow xdm_t xdm_tmp_t:sock_file manage_file_perms; +files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) + # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) @@ -218,11 +223,6 @@ ifdef(`strict_policy',` allow xdm_t xdm_lock_t:file create_file_perms; files_lock_filetrans(xdm_t,xdm_lock_t,file) - allow xdm_t xdm_tmp_t:dir manage_dir_perms; - allow xdm_t xdm_tmp_t:file manage_file_perms; - allow xdm_t xdm_tmp_t:sock_file manage_file_perms; - files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) - allow xdm_t xdm_tmpfs_t:dir manage_dir_perms; allow xdm_t xdm_tmpfs_t:file manage_file_perms; allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms; diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 769abdc..ca83c75 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.3.13) +policy_module(authlogin,1.3.14) ######################################## # @@ -176,7 +176,7 @@ dev_getattr_xserver_misc_dev(pam_console_t) dev_setattr_xserver_misc_dev(pam_console_t) dev_read_urand(pam_console_t) -fs_search_auto_mountpoints(pam_console_t) +fs_list_auto_mountpoints(pam_console_t) mls_file_read_up(pam_console_t) mls_file_write_down(pam_console_t) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 4382e10..4954537 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -1,5 +1,5 @@ -policy_module(xen,1.0.9) +policy_module(xen,1.0.10) ######################################## # @@ -131,6 +131,7 @@ corenet_tcp_bind_all_nodes(xend_t) corenet_tcp_bind_xen_port(xend_t) corenet_tcp_bind_soundd_port(xend_t) corenet_tcp_bind_generic_port(xend_t) +corenet_tcp_bind_vnc_port(xend_t) corenet_sendrecv_xen_server_packets(xend_t) corenet_sendrecv_soundd_server_packets(xend_t) corenet_rw_tun_tap_dev(xend_t) @@ -175,6 +176,8 @@ sysnet_dns_name_resolve(xend_t) sysnet_delete_dhcpc_pid(xend_t) sysnet_read_dhcpc_pid(xend_t) +userdom_dontaudit_search_sysadm_home_dirs(xend_t) + xen_stream_connect_xenstore(xend_t) netutils_domtrans(xend_t)