diff --git a/policy-F16.patch b/policy-F16.patch
index f9e9883..f4b4dfe 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3875,7 +3875,7 @@ index 00a19e3..55075f9 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..3ca01ec 100644
+index f5afe78..c9f63b0 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,623 @@
@@ -3981,7 +3981,7 @@ index f5afe78..3ca01ec 100644
+ allow $1_gkeyringd_t $3:dbus send_msg;
+ allow $3 $1_gkeyringd_t:dbus send_msg;
+ optional_policy(`
-+ dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t)
++ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_bus_client($1_gkeyringd_t)
+ gnome_home_dir_filetrans($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
@@ -9466,10 +9466,10 @@ index 0000000..8a7ed4f
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
new file mode 100644
-index 0000000..6878d68
+index 0000000..f6acf24
--- /dev/null
+++ b/policy/modules/apps/telepathy.if
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,191 @@
+
+##
-+## Allow exim to connect to databases (postgres, mysql)
++## Allow exim to connect to databases (PostgreSQL, MySQL)
 +##
## gen_tunable(exim_can_connect_db, false) @@ -29196,7 +29210,7 @@ index 0000000..84d1768 +') diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te new file mode 100644 -index 0000000..a63cabe +index 0000000..8dcd6e4 --- /dev/null +++ b/policy/modules/services/firewalld.te @@ -0,0 +1,68 @@ @@ -29225,7 +29239,7 @@ index 0000000..a63cabe +# +# firewalld local policy +# -+ ++dontaudit firewalld_t self:capability sys_tty_config; +allow firewalld_t self:fifo_file rw_fifo_file_perms; +allow firewalld_t self:unix_stream_socket create_stream_socket_perms; + @@ -34861,14 +34875,14 @@ index 64268e4..9ddac52 100644 + exim_manage_log(user_mail_domain) +') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc -index fd71d69..2e9f2a3 100644 +index fd71d69..bf90863 100644 --- a/policy/modules/services/munin.fc +++ b/policy/modules/services/munin.fc @@ -51,6 +51,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -+/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -39522,7 +39536,7 @@ index 09aeffa..dd70b14 100644 postgresql_tcp_connect($1) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 8ed5067..f31634f 100644 +index 8ed5067..a5603cd 100644 --- a/policy/modules/services/postgresql.te 
+++ b/policy/modules/services/postgresql.te @@ -19,16 +19,16 @@ gen_require(` @@ -39533,7 +39547,7 @@ index 8ed5067..f31634f 100644 -## Allow unprived users to execute DDL statement -## +##-+## Allow unprived users to execute DDL statement ++## Allow unprivileged users to execute DDL statement +##
## gen_tunable(sepgsql_enable_users_ddl, true) @@ -40250,7 +40264,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..69fa687 100644 +index 64c5f95..ebb9b4d 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) @@ -40268,7 +40282,7 @@ index 64c5f95..69fa687 100644 ##-## Allow Puppet client to manage all file -## types. -+## Allow Puppet master to use connect to mysql and postgresql database ++## Allow Puppet master to use connect to MySQL and PostgreSQL database ##
## -gen_tunable(puppet_manage_all_files, false) @@ -50995,10 +51009,10 @@ index c26ecf5..b906c48 100644 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 -index 0000000..72059b2 +index 0000000..28cd477 --- /dev/null +++ b/policy/modules/services/zarafa.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,33 @@ + +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + @@ -51012,6 +51026,8 @@ index 0000000..72059b2 + +/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) + ++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) ++ +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) + +/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) @@ -51020,6 +51036,7 @@ index 0000000..72059b2 +/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) +/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) ++/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) +/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) + +/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) @@ -51027,6 +51044,7 @@ index 0000000..72059b2 +/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) +/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) ++/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if new file mode 100644 
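Review bot: The new `/var/run/zarafa-indexer` entry in the last zarafa.fc hunk uses the `--` specifier, which matches regular files only, and the path looks like a Unix socket rather than a pid file. Unlike its neighbours it has no `\.pid` suffix, and the same commit adds a `stream_connect_pattern(...)` on `zarafa_indexer_var_run_t` in zarafa.te. If it is a socket, a relabel would not apply this type to it, and the connection from `zarafa_server_t` could then be denied. In that case the entry should read `/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)`, in line with the existing `/var/run/zarafa -s` entry, plus a separate `zarafa-indexer\.pid --` entry if the daemon writes a pid file. The daemon's behaviour is not visible here, so this needs confirming against the package.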
@@ -51158,10 +51176,10 @@ index 0000000..8a909f5 +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..fec9997 +index 0000000..850b8b5 --- /dev/null +++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,141 @@ +@@ -0,0 +1,146 @@ +policy_module(zarafa, 1.0.0) + +######################################## @@ -51172,6 +51190,7 @@ index 0000000..fec9997 +attribute zarafa_domain; + +zarafa_domain_template(monitor) ++zarafa_domain_template(indexer) +zarafa_domain_template(ical) +zarafa_domain_template(server) +zarafa_domain_template(spooler) @@ -51193,6 +51212,8 @@ index 0000000..fec9997 +type zarafa_share_t; +files_type(zarafa_share_t) + ++permissive zarafa_indexer_t; ++ +######################################## +# +# zarafa-deliver local policy @@ -51221,6 +51242,8 @@ index 0000000..fec9997 +manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) +files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) + ++stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) ++ +corenet_tcp_bind_zarafa_port(zarafa_server_t) + +files_read_usr_files(zarafa_server_t) @@ -52473,10 +52496,10 @@ index 882c6a2..d0ff4ec 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 354ce93..f97fbb7 100644 +index 354ce93..b8b14b9 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', ` +@@ -33,9 +33,24 @@ ifdef(`distro_gentoo', ` # # /sbin # 
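Review bot: `permissive zarafa_indexer_t;` in the second zarafa.te hunk leaves the new indexer domain without enforcement, since denials are logged but not blocked, and nothing in the policy marks this as temporary. The third hunk lets `zarafa_server_t` connect to the indexer's socket, so the indexer is reachable from a confined service while running unenforced itself. I would add a comment directly above the statement, `# TODO: remove permissive once zarafa_indexer_t has been tested in enforcing mode`, and mention it in the spec changelog so that its removal is tracked. The rest of zarafa.te lies outside these hunks.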
@@ -52496,7 +52519,12 @@ index 354ce93..f97fbb7 100644 /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) # because nowadays, /sbin/init is often a symlink to /sbin/upstart /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) -@@ -55,6 +68,9 @@ ifdef(`distro_gentoo', ` ++# for Fedora ++/lib/upstart/init -- gen_context(system_u:object_r:init_exec_t,s0) + + ifdef(`distro_gentoo', ` + /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +@@ -55,6 +70,9 @@ ifdef(`distro_gentoo', ` /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -52506,7 +52534,7 @@ index 354ce93..f97fbb7 100644 # # /var -@@ -76,3 +92,4 @@ ifdef(`distro_suse', ` +@@ -76,3 +94,4 @@ ifdef(`distro_suse', ` /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 436ed55..1921a1e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,14 @@ exit 0 %endif %changelog +* Thu May 5 2011 Miroslav Grepl