diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 42c8124..b1a3db6 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -58218,10 +58218,10 @@ index 66e85ea..d02654d 100644 ## user domains. ##
diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..0f0bb47 100644 +index 4705ab6..cc2b436 100644 --- a/policy/global_tunables +++ b/policy/global_tunables -@@ -6,6 +6,13 @@ +@@ -6,52 +6,59 @@ ##@@ -58235,7 +58235,8 @@ index 4705ab6..0f0bb47 100644 ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##
##@@ -58252,7 +58253,8 @@ index 4705ab6..0f0bb47 100644 +## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t ##
##@@ -58260,7 +58262,35 @@ index 4705ab6..0f0bb47 100644 +## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##
##+ ## Enable polyinstantiated directory support. + ##
+ ##+ ## Allow system to run with NIS + ##
+ ##+ ## Allow logging in and using the system from /dev/console. + ##
+ ##
@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false)
##
@@ -58295,13 +58325,6 @@ index 4705ab6..0f0bb47 100644 ##
-+## Allow direct login to the console device. Required for System 390 -+##
-+##@@ -64161,7 +64460,7 @@ index cf04cb5..927cfba 100644 + sosreport_append_tmp_files(domain) +') + -+tunable_policy(`allow_domain_fd_use',` ++tunable_policy(`domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; +') @@ -64350,7 +64649,7 @@ index 4429d30..cbcd9d0 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 41346fb..7377b05 100644 +index 41346fb..9ec1de8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -64976,7 +65275,15 @@ index 41346fb..7377b05 100644 ## Get the attributes of the tmp directory (/tmp). ##
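Review bot: The boolean rename in `-+tunable_policy(`allow_domain_fd_use',`` / `++tunable_policy(`domain_fd_use',`` in the `@@ -64161` hunk changes a user-visible identifier, and nothing in this commit shows a compatibility mapping from the old name to the new one. A setting persisted under `allow_domain_fd_use` no longer refers to a declared boolean, and a third-party module whose own `tunable_policy` names it would be expected to fail to link, so the patch should ship a booleans.subs_dist entry such as `allow_domain_fd_use domain_fd_use` (or whatever alias mechanism the distribution uses) alongside the rename. The same applies to the other renames in this commit: `allow_ssh_keysign`, `allow_write_xshm`, `allow_xserver_execmem`, `allow_execstack`, `allow_polyinstantiation`, `console_login`, the `allow_httpd_*` booleans, `allow_ypbind` and `allow_nsplugin_execmem`. The `gen_tunable` declarations that must change in step with each rename are outside these hunks, so that consistency cannot be confirmed here.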
+## Allow ssh logins as sysadm_r:sysadm_t +##
+##-## Allow ssh logins as sysadm_r:sysadm_t +## Allow ssh with chroot env to read and write files @@ -72370,13 +72713,8 @@ index b17e27a..f82584d 100644 +userdom_use_inherited_user_terminals(ssh_t) +# needs to read krb/write tgt userdom_read_user_tmp_files(ssh_t) -+userdom_write_user_tmp_files(ssh_t) -+userdom_read_user_home_content_symlinks(ssh_t) -+userdom_rw_inherited_user_home_content_files(ssh_t) -+userdom_read_home_certs(ssh_t) -+userdom_home_manager(ssh_t) - - tunable_policy(`allow_ssh_keysign',` +- +-tunable_policy(`allow_ssh_keysign',` - domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) - allow ssh_keysign_t ssh_t:fd use; - allow ssh_keysign_t ssh_t:process sigchld; @@ -72391,6 +72729,13 @@ index b17e27a..f82584d 100644 -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(ssh_t) - fs_manage_cifs_files(ssh_t) ++userdom_write_user_tmp_files(ssh_t) ++userdom_read_user_home_content_symlinks(ssh_t) ++userdom_rw_inherited_user_home_content_files(ssh_t) ++userdom_read_home_certs(ssh_t) ++userdom_home_manager(ssh_t) ++ ++tunable_policy(`ssh_keysign',` + domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) ') @@ -72406,7 +72751,7 @@ index b17e27a..f82584d 100644 ') optional_policy(` -@@ -195,6 +212,7 @@ optional_policy(` +@@ -195,28 +212,24 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -72414,7 +72759,10 @@ index b17e27a..f82584d 100644 ############################## # # ssh_keysign_t local policy -@@ -204,19 +222,14 @@ tunable_policy(`allow_ssh_keysign',` + # + +-tunable_policy(`allow_ssh_keysign',` ++tunable_policy(`ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -72684,7 +73032,7 @@ index b17e27a..f82584d 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..4eaf2fd 100644 +index fc86b7c..7421ac9 100644 --- a/policy/modules/services/xserver.fc 
+++ b/policy/modules/services/xserver.fc @@ -2,13 +2,34 @@ @@ -72726,11 +73074,11 @@ index fc86b7c..4eaf2fd 100644 /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) -+/etc/gdm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) -+/etc/gdm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/gdm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/gdm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/gdm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) ++/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) ++/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) ++/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) ++/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) ++/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) + /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -72741,7 +73089,7 @@ index fc86b7c..4eaf2fd 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,11 +74,10 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,23 +74,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -72757,7 +73105,14 @@ index fc86b7c..4eaf2fd 100644 # # /usr -@@ -63,6 +90,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + # + ++/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) 
@@ -72765,26 +73120,30 @@ index fc86b7c..4eaf2fd 100644 /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -92,6 +120,9 @@ ifndef(`distro_debian',` +@@ -90,24 +119,43 @@ ifndef(`distro_debian',` + /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) + /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/lib/[mxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + -+/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -@@ -99,15 +130,32 @@ ifndef(`distro_debian',` +-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + -+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) ++/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) -+/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/gdm(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -72810,7 +73169,7 @@ index fc86b7c..4eaf2fd 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..56cb1f8 100644 +index 130ced9..647cc5c 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -72907,7 +73266,8 @@ index 130ced9..56cb1f8 100644 + modutils_run_insmod(xserver_t, $1) # Client write xserver shm - tunable_policy(`allow_write_xshm',` +- tunable_policy(`allow_write_xshm',` ++ tunable_policy(`xserver_clients_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') @@ -72993,6 +73353,15 @@ index 130ced9..56cb1f8 100644 allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; +@@ -316,7 +341,7 @@ interface(`xserver_user_client',` + xserver_read_xdm_tmp_files($1) + + # Client write xserver shm +- tunable_policy(`allow_write_xshm',` ++ tunable_policy(`xserver_clients_write_xshm',` + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; + ') @@ -342,19 +367,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` @@ -73093,7 +73462,8 @@ index 130ced9..56cb1f8 100644 + xserver_common_x_domain_template($1, $2) # Client write xserver shm - tunable_policy(`allow_write_xshm',` +- tunable_policy(`allow_write_xshm',` ++ tunable_policy(`xserver_clients_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') 
@@ -74096,7 +74466,7 @@ index 130ced9..56cb1f8 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index c4f7c35..f072b29 100644 +index c4f7c35..a4b887d 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -74112,16 +74482,17 @@ index c4f7c35..f072b29 100644 +## memory segments. +##
##+## Allows XServer to execute writable memory +##
+##-## Allow xdm logins as sysadm +## Allow the graphical login program to execute bootloader @@ -75219,7 +75590,7 @@ index c4f7c35..f072b29 100644 -allow xserver_unconfined_type xextension_type:x_extension *; -allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; -allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -+tunable_policy(`allow_xserver_execmem',` ++tunable_policy(`xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; +') + @@ -75228,7 +75599,7 @@ index c4f7c35..f072b29 100644 + allow xdm_t self:process execmem; +') + -+tunable_policy(`allow_execstack',` ++tunable_policy(`selinuxuser_execstack',` + allow xdm_t self:process { execstack execmem }; +') + @@ -76138,7 +76509,7 @@ index 6ce867a..283f236 100644 + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index f12b8ff..4847c97 100644 +index f12b8ff..b3e0efd 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1) @@ -76256,14 +76627,14 @@ index f12b8ff..4847c97 100644 + xserver_rw_xdm_pipes(utempter_t) +') + -+tunable_policy(`allow_polyinstantiation',` ++tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(polydomain) ') optional_policy(` - xserver_use_xdm_fds(utempter_t) - xserver_rw_xdm_pipes(utempter_t) -+ tunable_policy(`allow_polyinstantiation',` ++ tunable_policy(`polyinstantiation_enabled',` + namespace_init_domtrans(polydomain) + ') +') @@ -76561,7 +76932,7 @@ index e1a1848..909af45 100644 /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index fd100fc..86e1fd0 100644 +index fd100fc..8409f5c 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te 
@@ -83,8 +83,10 @@ term_use_unallocated_ttys(getty_t) @@ -76575,6 +76946,15 @@ index fd100fc..86e1fd0 100644 init_rw_utmp(getty_t) init_use_script_ptys(getty_t) +@@ -113,7 +115,7 @@ ifdef(`distro_ubuntu',` + ') + ') + +-tunable_policy(`console_login',` ++tunable_policy(`login_console_enabled',` + # Support logging in from /dev/console + term_use_console(getty_t) + ',` @@ -125,10 +127,6 @@ optional_policy(` ') @@ -77839,7 +78219,7 @@ index d26fe81..b0bb610 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 5fb9683..da5e37d 100644 +index 5fb9683..28b9f3b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -77858,21 +78238,21 @@ index 5fb9683..da5e37d 100644 +## Allow all daemons to use tcp wrappers. +##
+##+## Allow all daemons the ability to read/write terminals +##
+##+## Allow all daemons to write corefiles to / +##
+##+## Allow dhcpc client applications to execute iptables commands @@ -83537,20 +84299,25 @@ index 8aed9d0..2d2b6ef 100644 +##
@@ -90080,7 +90890,19 @@ index 47efe9a..6b27e9c 100644 +## Allow users to connect to the local mysql server ##
##+ ## Allow users to connect to PostgreSQL + ##
+ ##
@@ -43,12 +43,27 @@ gen_tunable(user_rw_noexattrfile, false)
##
## Allow Apache to modify public files
-@@ -36,6 +38,27 @@ gen_tunable(allow_httpd_mod_auth_pam, false)
+@@ -25,14 +27,35 @@ policy_module(apache, 2.3.2)
+ ## be labeled public_content_rw_t.
+ ##
+ ## Allow Apache to use mod_auth_pam
+ ##
+## Allow Apache to use mod_auth_ntlm_winbind
+##
@@ -2484,12 +2500,9 @@ index a36a01d..a5457d4 100644
+##
- ## Allow httpd to use built in scripting (usually php)
- ##
@@ -50,6 +73,20 @@ gen_tunable(httpd_can_network_connect, false)
##
@@ -2865,12 +2878,13 @@ index a36a01d..a5457d4 100644
userdom_use_unpriv_users_fds(httpd_t)
+-tunable_policy(`allow_httpd_anon_write',`
+tunable_policy(`httpd_setrlimit',`
+ allow httpd_t self:process setrlimit;
+ allow httpd_t self:capability sys_resource;
+')
+
- tunable_policy(`allow_httpd_anon_write',`
++tunable_policy(`httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
@@ -2878,14 +2892,15 @@ index a36a01d..a5457d4 100644
#
# We need optionals to be able to be within booleans to make this work
#
- tunable_policy(`allow_httpd_mod_auth_pam',`
+-tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`httpd_mod_auth_pam',`
+ auth_domtrans_chkpwd(httpd_t)
+ logging_send_audit_msgs(httpd_t)
')
+
+optional_policy(`
-+ tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',`
++ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
+ samba_domtrans_winbind_helper(httpd_t)
+ ')
')
@@ -2934,7 +2949,7 @@ index a36a01d..a5457d4 100644
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
+
-+tunable_policy(`allow_httpd_sys_script_anon_write',`
++tunable_policy(`httpd_sys_script_anon_write',`
+ miscfiles_manage_public_files(httpd_sys_script_t)
')
@@ -3594,7 +3609,7 @@ index a36a01d..a5457d4 100644
+miscfiles_read_localization(httpd_script_type)
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
+
-+tunable_policy(`httpd_enable_cgi && allow_ypbind',`
++tunable_policy(`httpd_enable_cgi && nis_enabled',`
+ nis_use_ypbind_uncond(httpd_script_type)
+')
+
@@ -9442,10 +9457,10 @@ index 0000000..40415f8
+
diff --git a/collectd.te b/collectd.te
new file mode 100644
-index 0000000..e7ca6fc
+index 0000000..6cefd75
--- /dev/null
+++ b/collectd.te
-@@ -0,0 +1,88 @@
+@@ -0,0 +1,91 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -9482,8 +9497,8 @@ index 0000000..e7ca6fc
+# collectd local policy
+#
+
-+allow collectd_t self:capability ipc_lock;
-+allow collectd_t self:process { signal fork };
++allow collectd_t self:capability { ipc_lock sys_nice };
++allow collectd_t self:process { getsched setsched signal fork };
+
+allow collectd_t self:fifo_file rw_fifo_file_perms;
+allow collectd_t self:packet_socket create_socket_perms;
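Review bot: The widened rules `++allow collectd_t self:capability { ipc_lock sys_nice };` and `++allow collectd_t self:process { getsched setsched signal fork };` carry no comment saying which collectd code path needs to change its own scheduling, so a later reader cannot tell whether `sys_nice`/`setsched` can be dropped again. A one-line comment above the rule, e.g. `# sys_nice/setsched: <plugin or denial that motivated this — confirm>`, would record that. The `virt_read_config(collectd_t)` optional block added in the following hunk would benefit from the same kind of comment.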
@@ -9534,6 +9549,9 @@ index 0000000..e7ca6fc
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
+')
+
++optional_policy(`
++ virt_read_config(collectd_t)
++')
diff --git a/colord.fc b/colord.fc
index 78b2fea..ef975ac 100644
--- a/colord.fc
@@ -11855,7 +11873,7 @@ index 6e12dc7..bd94df7 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/cron.te b/cron.te
-index b357856..4545fb1 100644
+index b357856..de056ab 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -12090,6 +12108,15 @@ index b357856..4545fb1 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
+@@ -241,7 +282,7 @@ ifdef(`distro_redhat', `
+ ')
+ ')
+
+-tunable_policy(`allow_polyinstantiation',`
++tunable_policy(`polyinstantiation_enabled',`
+ files_polyinstantiate_all(crond_t)
+ ')
+
@@ -250,11 +291,27 @@ tunable_policy(`fcron_crond', `
')
@@ -13236,9 +13263,18 @@ index c43ff4c..5da88b5 100644
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/cvs.te b/cvs.te
-index 88e7e97..fdfbb2c 100644
+index 88e7e97..1c723fb 100644
--- a/cvs.te
+++ b/cvs.te
+@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
+ ## Allow cvs daemon to read shadow
+ ##
+@@ -20,7 +20,7 @@ gen_tunable(allow_ftpd_anon_write, false) + ## read/write all files on the system, governed by DAC. + ##
+ ##+@@ -28,7 +28,7 @@ gen_tunable(allow_ftpd_full_access, false) + ## used for public file transfer services. + ##
+ ##+@@ -36,7 +36,28 @@ gen_tunable(allow_ftpd_use_cifs, false) + ## used for public file transfer services. + ##
+ ##+## Allow ftp servers to connect to mysql database ports +##
+##- ## Allow ftp to read and write files in the user home directories - ##
- ##@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false) ##
+## Allow mozilla_plugins to create random content in the users home directory
@@ -29439,11 +29806,26 @@ index 0724816..7bf56bf 100644
+##
@@ -34697,7 +35180,7 @@ index 0000000..eeb5955
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+
-+tunable_policy(`allow_nsplugin_execmem',`
++tunable_policy(`nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
+ allow nsplugin_config_t self:process { execstack execmem };
+')
@@ -38435,11 +38918,73 @@ index 0000000..c08cddc
+')
+
+userdom_home_manager(polipo_session_t)
+diff --git a/portage.if b/portage.if
+index b4bb48a..7098ded 100644
+--- a/portage.if
++++ b/portage.if
+@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
+ #
+ interface(`portage_run',`
+ gen_require(`
+- attribute_role portage_roles;
++ type portage_t, portage_fetch_t, portage_sandbox_t;
++ #attribute_role portage_roles;
+ ')
+
+- portage_domtrans($1)
+- roleattribute $2 portage_roles;
++ #portage_domtrans($1)
++ #roleattribute $2 portage_roles;
++ portage_domtrans($1)
++ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
++
+ ')
+
+ ########################################
diff --git a/portage.te b/portage.te
-index 2af04b9..22bdf7d 100644
+index 2af04b9..f726e1d 100644
--- a/portage.te
+++ b/portage.te
-@@ -56,7 +56,7 @@ type portage_db_t;
+@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
+ ##
+@@ -19,7 +19,7 @@ gen_tunable(allow_gssd_read_tmp, true) + ## labeled public_content_rw_t. + ##
+ ##
@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
##