From e5768e0fb632b43941250b3a9137484806e8f439 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Nov 29 2011 13:16:11 +0000 Subject: - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it - Allow all postfix domains to use the fifo_file - Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t - Allow apmd_t to read grub.cfg - Let firewallgui read the selinux config - Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp - Fix devicekit_manage_pid_files() interface - Allow squid to check the network state - Dontaudit colord getattr on file systems - Allow ping domains to read zabbix_tmp_t files --- diff --git a/policy-F16.patch b/policy-F16.patch index ca71a31..e9a7f65 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1858,7 +1858,7 @@ index c6ca761..46e0767 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index e0791b9..373882d 100644 +index e0791b9..9f49d01 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) @@ -1933,7 +1933,18 @@ index e0791b9..373882d 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -194,6 +213,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -157,6 +176,10 @@ optional_policy(` + hotplug_use_fds(ping_t) + ') + ++optional_policy(` ++ zabbix_read_tmp(ping_t) ++') ++ + ######################################## + # + # Traceroute local policy +@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -1941,7 +1952,7 @@ index e0791b9..373882d 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -204,9 +224,16 @@ logging_send_syslog_msg(traceroute_t) +@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) @@ -5134,10 +5145,10 @@ index 0000000..2bd5790 +') diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te new file mode 100644 -index 0000000..86b640d +index 0000000..175de9d --- /dev/null +++ b/policy/modules/apps/firewallgui.te -@@ -0,0 +1,72 @@ +@@ -0,0 +1,74 @@ +policy_module(firewallgui,1.0.0) + +######################################## @@ -5187,6 +5198,8 @@ index 0000000..86b640d + +miscfiles_read_localization(firewallgui_t) + ++seutil_read_config(firewallgui_t) ++ +userdom_dontaudit_search_user_home_dirs(firewallgui_t) + +optional_policy(` @@ -14134,7 +14147,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..9c48de6 100644 +index 99b71cb..630e5e2 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14337,7 +14350,7 @@ index 99b71cb..9c48de6 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,30 +238,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,34 +238,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) @@ -14377,7 +14390,13 @@ index 99b71cb..9c48de6 100644 network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -215,9 +279,11 @@ network_port(uucpd, tcp,540,s0) +-network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) ++network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0) ++network_port(tor_socks, tcp,9050,s0) + network_port(traceroute, udp,64000-64010,s0) + network_port(transproxy, tcp,8081,s0) + network_port(ups, tcp,3493,s0) +@@ -215,9 +280,11 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14390,7 +14409,7 @@ index 99b71cb..9c48de6 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +295,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +296,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -14398,7 +14417,7 @@ index 99b71cb..9c48de6 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +305,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +306,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14411,7 +14430,7 @@ index 99b71cb..9c48de6 100644 ######################################## # -@@ -282,9 +355,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +356,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -29922,7 +29941,7 @@ index 1f11572..717fb8d 100644 init_labeled_script_domtrans($1, clamd_initrc_exec_t) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..4c06224 100644 +index f758323..9f2a358 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,16 @@ @@ -30016,7 +30035,7 @@ index f758323..4c06224 100644 + +optional_policy(` + spamd_stream_connect(clamd_t) -+ spamd_read_pid(clamd_t) ++ spamassassin_read_pid_files(clamd_t) +') + tunable_policy(`clamd_use_jit',` @@ -31266,7 +31285,7 @@ index 0000000..ca71d08 +') + diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..246bbf9 100644 +index 74505cc..2f9b1bc 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -5,6 +5,13 @@ policy_module(colord, 1.0.0) @@ -31320,12 +31339,13 @@ index 74505cc..246bbf9 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -65,19 +82,36 @@ files_list_mnt(colord_t) +@@ -65,19 +82,37 @@ files_list_mnt(colord_t) files_read_etc_files(colord_t) files_read_usr_files(colord_t) +fs_search_all(colord_t) +fs_getattr_noxattr_fs(colord_t) ++fs_dontaudit_getattr_all_fs(colord_t) +fs_list_noxattr_fs(colord_t) fs_read_noxattr_fs_files(colord_t) @@ -31358,7 +31378,7 @@ index 74505cc..246bbf9 100644 fs_read_cifs_files(colord_t) ') -@@ -89,6 +123,12 @@ optional_policy(` +@@ -89,6 +124,12 @@ optional_policy(` ') optional_policy(` @@ -31371,7 +31391,7 @@ index 74505cc..246bbf9 100644 policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -96,5 +136,16 @@ optional_policy(` +@@ -96,5 +137,16 @@ optional_policy(` ') optional_policy(` @@ -34737,7 +34757,7 @@ index 418a5a0..c25fbdc 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..7cdc0f5 100644 +index f706b99..d41e4fe 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -34927,7 +34947,7 @@ index f706b99..7cdc0f5 100644 + ') + + files_search_pids($1) -+ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) ++ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t) + manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t) +') + @@ -38414,7 +38434,7 @@ index 0000000..8dcd6e4 + policykit_dbus_chat(firewalld_t) +') diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if -index ebad8c4..c02062c 100644 +index ebad8c4..eeddf7b 100644 --- a/policy/modules/services/fprintd.if +++ b/policy/modules/services/fprintd.if @@ -5,9 +5,9 @@ @@ -38429,9 +38449,11 @@ index ebad8c4..c02062c 100644 ## # interface(`fprintd_domtrans',` -@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',` +@@ -37,5 +37,5 @@ interface(`fprintd_dbus_chat',` + allow $1 fprintd_t:dbus send_msg; allow fprintd_t $1:dbus send_msg; ++ allow fprintd_t $1:file read; ') - diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te @@ -48777,7 +48799,7 @@ index d883214..d6afa87 100644 init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index 8b550f4..ed5aae9 100644 +index 8b550f4..6b73075 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0) @@ -48844,7 +48866,15 @@ index 8b550f4..ed5aae9 100644 corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) -@@ -102,6 +109,8 @@ files_read_etc_runtime_files(openvpn_t) +@@ -87,6 +94,7 @@ corenet_udp_bind_openvpn_port(openvpn_t) + corenet_tcp_bind_http_port(openvpn_t) + corenet_tcp_connect_openvpn_port(openvpn_t) + corenet_tcp_connect_http_port(openvpn_t) ++corenet_tcp_connect_tor_socks_port(openvpn_t) + corenet_tcp_connect_http_cache_port(openvpn_t) + corenet_rw_tun_tap_dev(openvpn_t) + corenet_sendrecv_openvpn_server_packets(openvpn_t) +@@ -102,6 +110,8 @@ files_read_etc_runtime_files(openvpn_t) auth_use_pam(openvpn_t) @@ -48853,7 +48883,7 @@ index 8b550f4..ed5aae9 100644 logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -@@ -112,21 +121,21 @@ sysnet_exec_ifconfig(openvpn_t) +@@ -112,21 +122,21 @@ sysnet_exec_ifconfig(openvpn_t) sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) @@ -48883,7 +48913,7 @@ index 8b550f4..ed5aae9 100644 optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) -@@ -138,3 +147,7 @@ optional_policy(` +@@ -138,3 +148,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') @@ -51060,10 +51090,10 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..2216f6a 100644 +index 46bee12..1fbe0fa 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if -@@ -34,8 +34,9 @@ template(`postfix_domain_template',` +@@ -34,11 +34,13 @@ template(`postfix_domain_template',` domain_entry_file(postfix_$1_t, postfix_$1_exec_t) role system_r types postfix_$1_t; @@ -51074,7 +51104,11 @@ index 46bee12..2216f6a 100644 allow postfix_$1_t self:unix_dgram_socket create_socket_perms; allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; allow postfix_$1_t self:unix_stream_socket connectto; -@@ -50,7 +51,7 @@ template(`postfix_domain_template',` ++ allow postfix_$1_t self:fifo_file rw_fifo_file_perms; + + allow postfix_master_t postfix_$1_t:process signal; + #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 +@@ -50,7 +52,7 @@ template(`postfix_domain_template',` can_exec(postfix_$1_t, postfix_$1_exec_t) @@ -51083,7 +51117,7 @@ index 46bee12..2216f6a 100644 allow postfix_$1_t postfix_master_t:process sigchld; -@@ -77,6 +78,7 @@ template(`postfix_domain_template',` +@@ -77,6 +79,7 @@ template(`postfix_domain_template',` files_read_etc_files(postfix_$1_t) files_read_etc_runtime_files(postfix_$1_t) @@ -51091,7 +51125,7 @@ index 46bee12..2216f6a 100644 files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) -@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',` +@@ -115,7 +118,7 @@ template(`postfix_server_domain_template',` type postfix_$1_tmp_t; files_tmp_file(postfix_$1_tmp_t) @@ -51100,7 +51134,7 @@ index 46bee12..2216f6a 100644 allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:tcp_socket create_socket_perms; allow postfix_$1_t self:udp_socket create_socket_perms; -@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',` +@@ -165,6 +168,8 @@ template(`postfix_user_domain_template',` domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) domain_use_interactive_fds(postfix_$1_t) @@ -51109,7 +51143,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -215,7 +219,7 @@ interface(`postfix_config_filetrans',` +@@ -215,7 +220,7 @@ interface(`postfix_config_filetrans',` ') files_search_etc($1) @@ -51118,7 +51152,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -272,7 +276,8 @@ interface(`postfix_read_local_state',` +@@ -272,7 +277,8 @@ interface(`postfix_read_local_state',` type postfix_local_t; ') @@ -51128,7 +51162,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -290,7 +295,27 @@ interface(`postfix_read_master_state',` +@@ -290,7 +296,27 @@ interface(`postfix_read_master_state',` type postfix_master_t; ') @@ -51157,7 +51191,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -376,6 +401,25 @@ interface(`postfix_domtrans_master',` +@@ -376,6 +402,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') @@ -51183,7 +51217,7 @@ index 46bee12..2216f6a 100644 ######################################## ## ## Execute the master postfix program in the -@@ -404,7 +448,6 @@ interface(`postfix_exec_master',` +@@ -404,7 +449,6 @@ interface(`postfix_exec_master',` ## Domain allowed access. ## ## @@ -51191,7 +51225,7 @@ index 46bee12..2216f6a 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -416,6 +459,24 @@ interface(`postfix_stream_connect_master',` +@@ -416,6 +460,24 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -51216,7 +51250,7 @@ index 46bee12..2216f6a 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +523,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -462,7 +524,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # @@ -51225,7 +51259,7 @@ index 46bee12..2216f6a 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +590,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +591,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## @@ -51251,7 +51285,7 @@ index 46bee12..2216f6a 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +619,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +620,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -51264,7 +51298,7 @@ index 46bee12..2216f6a 100644 files_search_spool($1) ') -@@ -558,10 +638,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +639,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -51277,7 +51311,7 @@ index 46bee12..2216f6a 100644 files_search_spool($1) ') -@@ -577,11 +657,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +658,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -51291,7 +51325,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -596,11 +676,11 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +677,11 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -51305,7 +51339,7 @@ index 46bee12..2216f6a 100644 ') ######################################## -@@ -621,3 +701,154 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +702,154 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -51461,7 +51495,7 @@ index 46bee12..2216f6a 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..94e68b2 100644 +index a32c4b3..149da7a 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -51529,12 +51563,12 @@ index a32c4b3..94e68b2 100644 type postfix_public_t; files_type(postfix_public_t) -@@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t) +@@ -94,23 +106,24 @@ mta_mailserver_delivery(postfix_virtual_t) # chown is to set the correct ownership of queue dirs allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +-allow postfix_master_t self:fifo_file rw_fifo_file_perms; +allow postfix_master_t self:process setrlimit; - allow postfix_master_t self:fifo_file rw_fifo_file_perms; allow postfix_master_t self:tcp_socket create_stream_socket_perms; allow postfix_master_t self:udp_socket create_socket_perms; -allow postfix_master_t self:process setrlimit; @@ -51559,7 +51593,7 @@ index a32c4b3..94e68b2 100644 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) +@@ -130,7 +143,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; @@ -51568,7 +51602,7 @@ index a32c4b3..94e68b2 100644 manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ +@@ -138,6 +151,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -51576,7 +51610,7 @@ index a32c4b3..94e68b2 100644 setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) kernel_read_all_sysctls(postfix_master_t) -@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) +@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t) corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -51586,7 +51620,7 @@ index a32c4b3..94e68b2 100644 corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t) +@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t) domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -51597,7 +51631,7 @@ index a32c4b3..94e68b2 100644 term_dontaudit_search_ptys(postfix_master_t) -@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search; +@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search; allow postfix_bounce_t self:tcp_socket create_socket_perms; allow postfix_bounce_t postfix_public_t:sock_file write; @@ -51616,7 +51650,7 @@ index a32c4b3..94e68b2 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) -@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, +@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t) @@ -51634,17 +51668,15 @@ index a32c4b3..94e68b2 100644 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) -@@ -264,8 +295,8 @@ optional_policy(` +@@ -264,7 +294,6 @@ optional_policy(` # Postfix local local policy # -allow postfix_local_t self:fifo_file rw_fifo_file_perms; allow postfix_local_t self:process { setsched setrlimit }; -+allow postfix_local_t self:fifo_file rw_fifo_file_perms; # connect to master process - stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -51653,7 +51685,7 @@ index a32c4b3..94e68b2 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -51672,7 +51704,7 @@ index a32c4b3..94e68b2 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +335,10 @@ optional_policy(` +@@ -297,6 +333,10 @@ optional_policy(` ') optional_policy(` @@ -51683,7 +51715,7 @@ index a32c4b3..94e68b2 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +346,22 @@ optional_policy(` +@@ -304,9 +344,22 @@ optional_policy(` ') optional_policy(` @@ -51706,15 +51738,7 @@ index a32c4b3..94e68b2 100644 ######################################## # # Postfix map local policy -@@ -372,6 +427,7 @@ optional_policy(` - # Postfix pickup local policy - # - -+allow postfix_pickup_t self:fifo_file rw_fifo_file_perms; - allow postfix_pickup_t self:tcp_socket create_socket_perms; - - stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -379,19 +435,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p +@@ -379,18 +432,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) @@ -51738,11 +51762,9 @@ index a32c4b3..94e68b2 100644 -allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; allow postfix_pipe_t self:process setrlimit; -+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) - -@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +460,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -51751,7 +51773,7 @@ index a32c4b3..94e68b2 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +485,7 @@ optional_policy(` +@@ -420,6 +481,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -51759,7 +51781,7 @@ index a32c4b3..94e68b2 100644 ') optional_policy(` -@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +498,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; @@ -51777,7 +51799,7 @@ index a32c4b3..94e68b2 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +555,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -51788,16 +51810,7 @@ index a32c4b3..94e68b2 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +579,8 @@ optional_policy(` - # Postfix qmgr local policy - # - -+allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms; -+ - stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) - - rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +593,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -51810,7 +51823,7 @@ index a32c4b3..94e68b2 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +617,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -51821,7 +51834,7 @@ index a32c4b3..94e68b2 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -558,6 +638,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; +@@ -558,6 +632,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms; allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -51830,7 +51843,7 @@ index a32c4b3..94e68b2 100644 files_search_all_mountpoints(postfix_smtp_t) optional_policy(` -@@ -565,6 +647,14 @@ optional_policy(` +@@ -565,6 +641,14 @@ optional_policy(` ') optional_policy(` @@ -51845,7 +51858,7 @@ index a32c4b3..94e68b2 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +678,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -51862,7 +51875,7 @@ index a32c4b3..94e68b2 100644 ') optional_policy(` -@@ -599,6 +695,10 @@ optional_policy(` +@@ -599,6 +689,10 @@ optional_policy(` ') optional_policy(` @@ -51873,17 +51886,15 @@ index a32c4b3..94e68b2 100644 postgrey_stream_connect(postfix_smtpd_t) ') -@@ -611,8 +711,8 @@ optional_policy(` +@@ -611,7 +705,6 @@ optional_policy(` # Postfix virtual local policy # -allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; allow postfix_virtual_t self:process { setsched setrlimit }; -+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; - -@@ -630,3 +730,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +723,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -52707,7 +52718,7 @@ index afd1751..5aff531 100644 init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te -index 2dbf4d4..28d7fe5 100644 +index 2dbf4d4..8323004 100644 --- a/policy/modules/services/privoxy.te +++ b/policy/modules/services/privoxy.te @@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0) @@ -52736,7 +52747,15 @@ index 2dbf4d4..28d7fe5 100644 corenet_all_recvfrom_unlabeled(privoxy_t) corenet_all_recvfrom_netlabel(privoxy_t) -@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t) +@@ -62,6 +63,7 @@ corenet_tcp_connect_squid_port(privoxy_t) + corenet_tcp_connect_ftp_port(privoxy_t) + corenet_tcp_connect_pgpkeyserver_port(privoxy_t) + corenet_tcp_connect_tor_port(privoxy_t) ++corenet_tcp_connect_tor_socks_port(privoxy_t) + corenet_sendrecv_http_cache_client_packets(privoxy_t) + corenet_sendrecv_squid_client_packets(privoxy_t) + corenet_sendrecv_http_cache_server_packets(privoxy_t) +@@ -87,7 +89,7 @@ miscfiles_read_localization(privoxy_t) userdom_dontaudit_use_unpriv_user_fds(privoxy_t) userdom_dontaudit_search_user_home_dirs(privoxy_t) # cjp: this should really not be needed @@ -59730,7 +59749,7 @@ index 6b3abf9..a785741 100644 +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if -index c954f31..4aac595 100644 +index c954f31..82fc7f6 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -14,6 +14,7 @@ @@ -59857,42 +59876,42 @@ index c954f31..4aac595 100644 + dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; +') + -+####################################### ++######################################## +## -+## Read spamd pid file. ++## Connect to run spamd. +## +## -+## -+## Domain allowed to connect. -+## ++## ++## Domain allowed to connect. ++## +## +# -+interface(`spamd_read_pid',` -+ gen_require(` -+ type spamd_t, spamd_var_run_t; -+ ') ++interface(`spamd_stream_connect',` ++ gen_require(` ++ type spamd_t, spamd_var_run_t; ++ ') + -+ files_search_pids($1) -+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) ++ files_search_pids($1) ++ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) +') + +######################################## +## -+## Connect to run spamd. ++## Read spamd pid files. +## +## +## -+## Domain allowed to connect. ++## Domain allowed access. +## +## +# -+interface(`spamd_stream_connect',` ++interface(`spamassassin_read_pid_files',` + gen_require(` -+ type spamd_t, spamd_var_run_t; ++ type spamd_var_run_t; + ') + + files_search_pids($1) -+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t) ++ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) +') + +######################################## @@ -60478,7 +60497,7 @@ index d2496bd..c7614d7 100644 init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te -index 4b2230e..950e65a 100644 +index 4b2230e..7b3d2db 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) @@ -60515,7 +60534,15 @@ index 4b2230e..950e65a 100644 type squid_initrc_exec_t; init_script_file(squid_initrc_exec_t) -@@ -169,7 +169,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) +@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file) + + kernel_read_kernel_sysctls(squid_t) + kernel_read_system_state(squid_t) ++kernel_read_network_state(squid_t) + + files_dontaudit_getattr_boot_dirs(squid_t) + +@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t) corenet_tcp_bind_all_ports(squid_t) @@ -60525,7 +60552,7 @@ index 4b2230e..950e65a 100644 ') tunable_policy(`squid_use_tproxy',` -@@ -185,6 +186,7 @@ optional_policy(` +@@ -185,6 +187,7 @@ optional_policy(` corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_connect_http_cache_port(httpd_squid_script_t) @@ -60533,7 +60560,7 @@ index 4b2230e..950e65a 100644 sysnet_dns_name_resolve(httpd_squid_script_t) -@@ -206,3 +208,7 @@ optional_policy(` +@@ -206,3 +209,7 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -60566,7 +60593,7 @@ index 078bcd7..84d29ee 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..d6a4b77 100644 +index 22adaca..e494f5c 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -60697,7 +60724,7 @@ index 22adaca..d6a4b77 100644 corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,8 +244,11 @@ template(`ssh_server_template', ` +@@ -220,10 +244,13 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) @@ -60708,8 +60735,11 @@ index 22adaca..d6a4b77 100644 + # tunnel feature and -w (net_admin capability also) + corenet_rw_tun_tap_dev($1_t) - fs_dontaudit_getattr_all_fs($1_t) +- fs_dontaudit_getattr_all_fs($1_t) ++ fs_getattr_all_fs($1_t) + auth_rw_login_records($1_t) + auth_rw_faillog($1_t) @@ -234,6 +261,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) @@ -62280,7 +62310,7 @@ index 904f13e..f9d007b 100644 init_labeled_script_domtrans($1, tor_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te -index c842cad..1136b10 100644 +index c842cad..037dd90 100644 --- a/policy/modules/services/tor.te +++ b/policy/modules/services/tor.te @@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t) @@ -62291,7 +62321,15 @@ index c842cad..1136b10 100644 allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; -@@ -95,9 +96,11 @@ corenet_tcp_connect_all_ports(tor_t) +@@ -87,6 +88,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t) + corenet_tcp_bind_generic_node(tor_t) + corenet_udp_bind_generic_node(tor_t) + corenet_tcp_bind_tor_port(tor_t) ++corenet_tcp_bind_tor_socks_port(tor_t) + corenet_udp_bind_dns_port(tor_t) + corenet_sendrecv_tor_server_packets(tor_t) + corenet_sendrecv_dns_server_packets(tor_t) +@@ -95,9 +97,11 @@ corenet_tcp_connect_all_ports(tor_t) corenet_sendrecv_all_client_packets(tor_t) # ... especially including port 80 and other privileged ports corenet_tcp_connect_all_reserved_ports(tor_t) @@ -67561,7 +67599,7 @@ index 664cd7a..e3eaec5 100644 /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if -index c9981d1..0629472 100644 +index c9981d1..75a7d17 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -5,9 +5,9 @@ @@ -67576,7 +67614,31 @@ index c9981d1..0629472 100644 ## # interface(`zabbix_domtrans',` -@@ -65,9 +65,9 @@ interface(`zabbix_read_log',` +@@ -61,13 +61,33 @@ interface(`zabbix_read_log',` + + ######################################## + ## ++## Allow the specified domain to read zabbix's tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`zabbix_read_tmp',` ++ gen_require(` ++ type zabbix_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t) ++') ++ ++######################################## ++## + ## Allow the specified domain to append ## zabbix log files. ## ## @@ -67588,7 +67650,7 @@ index c9981d1..0629472 100644 ## # interface(`zabbix_append_log',` -@@ -110,7 +110,7 @@ interface(`zabbix_read_pid_files',` +@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',` # interface(`zabbix_agent_tcp_connect',` gen_require(` @@ -67597,7 +67659,7 @@ index c9981d1..0629472 100644 ') corenet_sendrecv_zabbix_agent_client_packets($1) -@@ -142,8 +142,11 @@ interface(`zabbix_admin',` +@@ -142,8 +162,11 @@ interface(`zabbix_admin',` type zabbix_initrc_exec_t; ') @@ -67611,10 +67673,21 @@ index c9981d1..0629472 100644 init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 7f88f5f..bd6493d 100644 +index 7f88f5f..5f1e19c 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te -@@ -36,16 +36,17 @@ files_pid_file(zabbix_var_run_t) +@@ -23,6 +23,10 @@ init_script_file(zabbix_agent_initrc_exec_t) + type zabbix_log_t; + logging_log_file(zabbix_log_t) + ++# tmp files ++type zabbix_tmp_t; ++files_tmp_file(zabbix_tmp_t) ++ + # shared memory + type zabbix_tmpfs_t; + files_tmpfs_file(zabbix_tmpfs_t) +@@ -36,19 +40,25 @@ files_pid_file(zabbix_var_run_t) # zabbix local policy # @@ -67636,22 +67709,64 @@ index 7f88f5f..bd6493d 100644 manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) logging_log_filetrans(zabbix_t, zabbix_log_t, file) -@@ -58,11 +59,15 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) ++# tmp files ++manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) ++manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) ++files_tmp_filetrans(zabbix_t, zabbix_tmp_t, { dir file }) ++ + # shared memory + rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) + fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) +@@ -58,14 +68,25 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) ++kernel_read_system_state(zabbix_t) +kernel_read_kernel_sysctls(zabbix_t) + ++corecmd_exec_bin(zabbix_t) ++corecmd_exec_shell(zabbix_t) ++ corenet_tcp_bind_generic_node(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) ++#needed by zabbix-server-mysql ++corenet_tcp_connect_http_port(zabbix_t) ++ ++dev_read_urand(zabbix_t) files_read_etc_files(zabbix_t) ++files_read_usr_files(zabbix_t) +-miscfiles_read_localization(zabbix_t) +auth_use_nsswitch(zabbix_t) + +-sysnet_dns_name_resolve(zabbix_t) ++miscfiles_read_localization(zabbix_t) + + zabbix_agent_tcp_connect(zabbix_t) + +@@ -74,9 +95,21 @@ optional_policy(` + ') + + optional_policy(` ++ netutils_domtrans_ping(zabbix_t) ++') + - miscfiles_read_localization(zabbix_t) ++optional_policy(` + postgresql_stream_connect(zabbix_t) + ') - sysnet_dns_name_resolve(zabbix_t) ++optional_policy(` ++ snmp_read_snmp_var_lib_dirs(zabbix_t) ++') ++ ++optional_policy(` ++ sysnet_dns_name_resolve(zabbix_t) ++') ++ + ######################################## + # + # zabbix agent local policy diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc index 3defaa1..2ad2488 100644 --- a/policy/modules/services/zarafa.fc @@ -74092,7 +74207,7 @@ index 8b5c196..da41726 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..a50ceba 100644 +index 15832c7..aa18423 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,17 +17,29 @@ type mount_exec_t; @@ -74363,7 +74478,7 @@ index 15832c7..a50ceba 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,21 +280,87 @@ optional_policy(` +@@ -188,21 +280,88 @@ optional_policy(` ') ') @@ -74378,6 +74493,7 @@ index 15832c7..a50ceba 100644 + +optional_policy(` + modutils_domtrans_insmod(mount_t) ++ modutils_read_module_deps(mount_t) +') + +optional_policy(` @@ -76741,10 +76857,10 @@ index 0000000..5571350 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..ff3ce3f +index 0000000..b7da774 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,377 @@ +@@ -0,0 +1,378 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -77010,6 +77126,7 @@ index 0000000..ff3ce3f + userdom_delete_all_user_home_content_files(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t) + userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t) ++ userdom_delete_admin_home_files(systemd_tmpfiles_t) +') + +optional_policy(` @@ -78367,7 +78484,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..290f54e 100644 +index 4b2878a..b7ed01c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -80691,7 +80808,7 @@ index 4b2878a..290f54e 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3912,1186 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3912,1205 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -80955,6 +81072,25 @@ index 4b2878a..290f54e 100644 + +######################################## +## ++## Delete admin home files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_delete_admin_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ allow $1 admin_home_t:file delete_file_perms; ++') ++ ++######################################## ++## +## Execute admin home files. +## +## diff --git a/selinux-policy.spec b/selinux-policy.spec index 308544c..888c519 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 61%{?dist} +Release: 63%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Nov 29 2011 Miroslav Grepl 3.10.0-63 +- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it +- Allow all postfix domains to use the fifo_file +- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t +- Allow apmd_t to read grub.cfg +- Let firewallgui read the selinux config +- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp +- Fix devicekit_manage_pid_files() interface +- Allow squid to check the network state +- Dontaudit colord getattr on file systems +- Allow ping domains to read zabbix_tmp_t files + * Wed Nov 23 2011 Miroslav Grepl 3.10.0-59 - Allow mcelog_t to create dir and file in /var/run and label it correctly - Allow dbus to manage fusefs