diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 203e848..b9c1965 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.11.4)
+policy_module(corenetwork, 1.11.5)
########################################
#
@@ -118,6 +118,7 @@ network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
index 36c832e..cd07b96 100644
--- a/policy/modules/services/apcupsd.fc
+++ b/policy/modules/services/apcupsd.fc
@@ -1,8 +1,6 @@
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
-ifdef(`distro_debian',`
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-')
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 3cea8fb..ee8cf51 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
-policy_module(apcupsd, 1.5.2)
+policy_module(apcupsd, 1.5.3)
########################################
#
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 74823c8..a8ecaf3 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -57,6 +57,24 @@ interface(`avahi_kill',`
########################################
##
+## Send avahi a signull
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`avahi_signull',`
+ gen_require(`
+ type avahi_t;
+ ')
+
+ allow $1 avahi_t:process signull;
+')
+
+########################################
+##
## Send and receive messages from
## avahi over dbus.
##
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 12e4a8c..d1c43f9 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi, 1.10.2)
+policy_module(avahi, 1.10.3)
########################################
#
diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
index caa9338..dc687e6 100644
--- a/policy/modules/services/bluetooth.fc
+++ b/policy/modules/services/bluetooth.fc
@@ -15,6 +15,7 @@
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 835c576..f6028fd 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -173,7 +173,7 @@ interface(`bluetooth_dontaudit_read_helper_state',`
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
- type bluetooth_var_lib_t, bluetooth_var_run_t;
+ type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
type bluetooth_initrc_exec_t;
')
@@ -196,6 +196,9 @@ interface(`bluetooth_admin',`
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
+ files_list_spool($1)
+ admin_pattern($1, bluetooth_spool_t)
+
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 227540b..c5d67be 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth, 3.1.2)
+policy_module(bluetooth, 3.1.3)
########################################
#
@@ -93,6 +93,7 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
+kernel_read_network_state(bluetooth_t)
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
@@ -147,10 +148,10 @@ optional_policy(`
optional_policy(`
cups_dbus_chat(bluetooth_t)
')
-')
-optional_policy(`
- nis_use_ypbind(bluetooth_t)
+ optional_policy(`
+ hal_dbus_chat(bluetooth_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
index 718d0aa..c43ff4c 100644
--- a/policy/modules/services/cvs.if
+++ b/policy/modules/services/cvs.if
@@ -15,7 +15,9 @@ interface(`cvs_read_data',`
type cvs_data_t;
')
- allow $1 cvs_data_t:file { getattr read };
+ list_dirs_pattern($1, cvs_data_t, cvs_data_t)
+ read_files_pattern($1, cvs_data_t, cvs_data_t)
+ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
')
########################################
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 09b9969..0918b43 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -1,5 +1,5 @@
-policy_module(cvs, 1.7.2)
+policy_module(cvs, 1.7.3)
########################################
#
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 5b9d6c0..a328cea 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -4,4 +4,6 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index 6c2dd40..016d191 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -41,6 +41,25 @@ interface(`dnsmasq_signal',`
########################################
##
+## Send dnsmasq a signull
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_signull',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process signull;
+')
+
+########################################
+##
## Send dnsmasq a kill signal.
##
##
@@ -60,6 +79,44 @@ interface(`dnsmasq_kill',`
########################################
##
+## Delete dnsmasq pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+##
+## Read dnsmasq pid files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+#
+interface(`dnsmasq_read_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an dnsmasq environment
##
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 26f8ba3..bb77a2f 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
-policy_module(dnsmasq, 1.7.1)
+policy_module(dnsmasq, 1.7.2)
########################################
#
@@ -69,24 +69,21 @@ domain_use_interactive_fds(dnsmasq_t)
# allow access to dnsmasq.conf
files_read_etc_files(dnsmasq_t)
+files_read_etc_runtime_files(dnsmasq_t)
fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)
+auth_use_nsswitch(dnsmasq_t)
+
logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
-sysnet_read_config(dnsmasq_t)
-
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
- nis_use_ypbind(dnsmasq_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(dnsmasq_t)
')
@@ -96,4 +93,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
+ virt_read_pid_files(dnsmasq_t)
')
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
index 4a5974b..8046831 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -19,6 +19,7 @@
/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index f5f46e4..a66fb18 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos, 1.9.2)
+policy_module(kerberos, 1.9.3)
########################################
#
@@ -290,6 +290,7 @@ corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
corenet_tcp_sendrecv_all_ports(kpropd_t)
corenet_tcp_bind_generic_node(kpropd_t)
+corenet_tcp_bind_kprop_port(kpropd_t)
dev_read_urand(kpropd_t)
diff --git a/policy/modules/services/openvpn.fc b/policy/modules/services/openvpn.fc
index 405b5bc..9c186d2 100644
--- a/policy/modules/services/openvpn.fc
+++ b/policy/modules/services/openvpn.fc
@@ -2,6 +2,7 @@
# /etc
#
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
+/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
#
diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
index 18d95e6..aab6297 100644
--- a/policy/modules/services/openvpn.if
+++ b/policy/modules/services/openvpn.if
@@ -46,6 +46,24 @@ interface(`openvpn_run',`
########################################
##
+## Send OPENVPN clients the kill signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_kill',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process sigkill;
+')
+
+########################################
+##
## Send generic signals to OPENVPN clients.
##
##
@@ -64,6 +82,24 @@ interface(`openvpn_signal',`
########################################
##
+## Send signulls to OPENVPN clients.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openvpn_signull',`
+ gen_require(`
+ type openvpn_t;
+ ')
+
+ allow $1 openvpn_t:process signull;
+')
+
+########################################
+##
## Allow the specified domain to read
## OpenVPN configuration files.
##
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 7ddf99e..fc95508 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn, 1.7.2)
+policy_module(openvpn, 1.7.3)
########################################
#
@@ -22,6 +22,9 @@ init_daemon_domain(openvpn_t, openvpn_exec_t)
type openvpn_etc_t;
files_config_file(openvpn_etc_t)
+type openvpn_etc_rw_t;
+files_config_file(openvpn_etc_rw_t)
+
type openvpn_initrc_exec_t;
init_script_file(openvpn_initrc_exec_t)
@@ -40,6 +43,7 @@ files_pid_file(openvpn_var_run_t)
allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
allow openvpn_t self:process { signal getsched };
+allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -47,11 +51,13 @@ allow openvpn_t self:udp_socket create_socket_perms;
allow openvpn_t self:tcp_socket server_stream_socket_perms;
allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
-allow openvpn_t openvpn_etc_t:dir list_dir_perms;
can_exec(openvpn_t, openvpn_etc_t)
read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
+filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
@@ -99,6 +105,8 @@ miscfiles_read_certs(openvpn_t)
sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
+sysnet_write_config(openvpn_t)
+sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
diff --git a/policy/modules/services/pcscd.fc b/policy/modules/services/pcscd.fc
index f2df0fc..87f17e8 100644
--- a/policy/modules/services/pcscd.fc
+++ b/policy/modules/services/pcscd.fc
@@ -1,5 +1,6 @@
/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pid -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
/var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0)
+/var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0)
/usr/sbin/pcscd -- gen_context(system_u:object_r:pcscd_exec_t,s0)
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index adefaae..ed9e17f 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -1,5 +1,5 @@
-policy_module(pcscd, 1.4.2)
+policy_module(pcscd, 1.4.3)
########################################
#
@@ -27,9 +27,10 @@ allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
allow pcscd_t self:unix_dgram_socket create_socket_perms;
allow pcscd_t self:tcp_socket create_stream_socket_perms;
+manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
-files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file })
+files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
corenet_all_recvfrom_unlabeled(pcscd_t)
corenet_all_recvfrom_netlabel(pcscd_t)
@@ -57,6 +58,14 @@ miscfiles_read_localization(pcscd_t)
sysnet_dns_name_resolve(pcscd_t)
optional_policy(`
+ dbus_system_bus_client(pcscd_t)
+
+ optional_policy(`
+ hal_dbus_chat(pcscd_t)
+ ')
+')
+
+optional_policy(`
openct_stream_connect(pcscd_t)
openct_read_pid_files(pcscd_t)
openct_signull(pcscd_t)
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index b37971c..4f20532 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd, 1.10.2)
+policy_module(radvd, 1.10.3)
########################################
#
@@ -22,7 +22,7 @@ files_config_file(radvd_etc_t)
#
# Local policy
#
-allow radvd_t self:capability { setgid setuid net_raw };
+allow radvd_t self:capability { setgid setuid net_raw net_admin };
dontaudit radvd_t self:capability sys_tty_config;
allow radvd_t self:process signal_perms;
allow radvd_t self:unix_dgram_socket create_socket_perms;
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index b05c1a8..2b87f32 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin, 1.8.2)
+policy_module(rlogin, 1.8.3)
########################################
#
@@ -90,9 +90,21 @@ userdom_read_user_home_content_files(rlogind_t)
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs(rlogind_t)
+ fs_read_nfs_files(rlogind_t)
+ fs_read_nfs_symlinks(rlogind_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs(rlogind_t)
+ fs_read_cifs_files(rlogind_t)
+ fs_read_cifs_symlinks(rlogind_t)
+')
+
optional_policy(`
- kerberos_use(rlogind_t)
- kerberos_read_keytab(rlogind_t)
+ kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_manage_host_rcache(rlogind_t)
')
optional_policy(`
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 9367c21..f9e9396 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync, 1.8.2)
+policy_module(rsync, 1.8.3)
########################################
#
@@ -119,5 +119,9 @@ optional_policy(`
tunable_policy(`rsync_export_all_ro',`
fs_read_noxattr_fs_files(rsync_t)
+ auth_read_all_dirs_except_shadow(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
+ auth_read_all_symlinks_except_shadow(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
')
+auth_can_read_shadow_passwords(rsync_t)
diff --git a/policy/modules/services/stunnel.fc b/policy/modules/services/stunnel.fc
index 2806b91..c3aec89 100644
--- a/policy/modules/services/stunnel.fc
+++ b/policy/modules/services/stunnel.fc
@@ -1,6 +1,7 @@
-
/etc/stunnel(/.*)? gen_context(system_u:object_r:stunnel_etc_t,s0)
+/usr/bin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
+
/usr/sbin/stunnel -- gen_context(system_u:object_r:stunnel_exec_t,s0)
/var/run/stunnel(/.*)? gen_context(system_u:object_r:stunnel_var_run_t,s0)
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 0792988..43523e9 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel, 1.8.2)
+policy_module(stunnel, 1.8.3)
########################################
#
@@ -54,6 +54,8 @@ kernel_read_kernel_sysctls(stunnel_t)
kernel_read_system_state(stunnel_t)
kernel_read_network_state(stunnel_t)
+corecmd_exec_bin(stunnel_t)
+
corenet_all_recvfrom_unlabeled(stunnel_t)
corenet_all_recvfrom_netlabel(stunnel_t)
corenet_tcp_sendrecv_generic_if(stunnel_t)
@@ -105,6 +107,7 @@ ifdef(`distro_gentoo', `
dev_read_urand(stunnel_t)
files_read_etc_files(stunnel_t)
+ files_read_etc_runtime_files(stunnel_t)
files_search_home(stunnel_t)
optional_policy(`
diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc
index b319f6a..08d999c 100644
--- a/policy/modules/services/sysstat.fc
+++ b/policy/modules/services/sysstat.fc
@@ -1,6 +1,6 @@
/usr/lib(64)?/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
-/usr/lib(64)?/sa/sadc -- gen_context(system_u:object_r:sysstat_exec_t,s0)
+/usr/lib(64)?/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
/usr/lib(64)?/sysstat/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
/var/log/atsar(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 2a81c8e..7d769bc 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -1,5 +1,5 @@
-policy_module(sysstat, 1.4.0)
+policy_module(sysstat, 1.4.1)
########################################
#
@@ -19,13 +19,14 @@ logging_log_file(sysstat_log_t)
# Local policy
#
-allow sysstat_t self:capability sys_resource;
+allow sysstat_t self:capability { sys_resource sys_tty_config };
dontaudit sysstat_t self:capability sys_admin;
allow sysstat_t self:fifo_file rw_fifo_file_perms;
can_exec(sysstat_t, sysstat_exec_t)
manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
diff --git a/policy/modules/services/uucp.fc b/policy/modules/services/uucp.fc
index 0ddfd09..e1c0d8d 100644
--- a/policy/modules/services/uucp.fc
+++ b/policy/modules/services/uucp.fc
@@ -6,4 +6,6 @@
/var/spool/uucp(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
+/var/lock/uucp(/.*)? gen_context(system_u:object_r:uucpd_lock_t,s0)
+
/var/log/uucp(/.*)? gen_context(system_u:object_r:uucpd_log_t,s0)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index e5999d6..63c9e59 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -1,5 +1,5 @@
-policy_module(uucp, 1.9.2)
+policy_module(uucp, 1.9.3)
########################################
#
@@ -10,6 +10,9 @@ type uucpd_exec_t;
inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
role system_r types uucpd_t;
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
type uucpd_tmp_t;
files_tmp_file(uucpd_tmp_t)
@@ -58,6 +61,10 @@ manage_lnk_files_pattern(uucpd_t, uucpd_rw_t, uucpd_rw_t)
uucp_manage_spool(uucpd_t)
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+files_search_locks(uucpd_t)
+
manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })