++##
+## Allow ZoneMinder to modify public files
+## used for public file transfer services.
+##
+##
+gen_tunable(zoneminder_anon_write, false)
+
++gen_require(`
++ class passwd rootok;
++ ')
++
+type zoneminder_t;
+type zoneminder_exec_t;
+init_daemon_domain(zoneminder_t, zoneminder_exec_t)
+
++type zoneminder_unit_file_t;
++systemd_unit_file(zoneminder_unit_file_t)
++
+type zoneminder_initrc_exec_t;
+init_script_file(zoneminder_initrc_exec_t)
+
@@ -94709,7 +95301,8 @@ index 0000000..67b461b
+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
-+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file sock_file })
++manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file })
+
+manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
+manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
@@ -94722,6 +95315,8 @@ index 0000000..67b461b
+
+kernel_read_system_state(zoneminder_t)
+
++domain_read_all_domains_state(zoneminder_t)
++
+corecmd_exec_bin(zoneminder_t)
+corecmd_exec_shell(zoneminder_t)
+
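Review bot: `domain_read_all_domains_state(zoneminder_t)` is added unconditionally and without a comment, and it lets the daemon read the /proc state of every domain on the system. If the rule was added only to quiet AVC denials from a process listing (an inference, the reason is not visible here), `domain_dontaudit_read_all_domains_state(zoneminder_t)` would silence them without granting the access. If the read is really needed, a one-line comment above it saying which ZoneMinder component inspects other processes would let a later audit judge whether it can be narrowed. The rule list continues outside this hunk.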
@@ -94735,15 +95330,45 @@ index 0000000..67b461b
+dev_read_video_dev(zoneminder_t)
+dev_write_video_dev(zoneminder_t)
+
-+
+auth_use_nsswitch(zoneminder_t)
+
+logging_send_syslog_msg(zoneminder_t)
++logging_send_audit_msgs(zoneminder_t)
++
++mta_send_mail(zoneminder_t)
+
+tunable_policy(`zoneminder_anon_write',`
+ miscfiles_manage_public_files(zoneminder_t)
+')
+
++tunable_policy(`zoneminder_run_sudo',`
++ allow zoneminder_t self:capability { setuid setgid sys_resource };
++ allow zoneminder_t self:process { setrlimit setsched };
++ allow zoneminder_t self:key write;
++ allow zoneminder_t self:passwd rootok;
++
++ auth_rw_lastlog(zoneminder_t)
++
++ selinux_compute_access_vector(zoneminder_t)
++
++ systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
++ systemd_dbus_chat_logind(zoneminder_t)
++
++ xserver_exec_xauth(zoneminder_t)
++')
++
++optional_policy(`
++ tunable_policy(`zoneminder_run_sudo',`
++ dbus_system_bus_client(zoneminder_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`zoneminder_run_sudo',`
++ sudo_exec(zoneminder_t)
++ su_exec(zoneminder_t)
++ ')
++')
+optional_policy(`
+ mysql_stream_connect(zoneminder_t)
+')
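Review bot: `logging_send_audit_msgs(zoneminder_t)` is placed outside the zoneminder_run_sudo tunable, so the daemon may write audit records even when the boolean is off. Audit-message access looks like it is needed only by the su/sudo path that the rest of this hunk enables (inferred from context), so the call would fit better inside the `tunable_policy` block next to `auth_rw_lastlog(zoneminder_t)`. That block also grants `self:capability { setuid setgid sys_resource }` and `self:passwd rootok` to the daemon domain; a short comment above it naming the ZoneMinder feature that needs su/sudo would help administrators decide whether to enable the boolean. As a style point, the last sudo `optional_policy` block runs straight into the mysql one with no blank line between them.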
@@ -94760,7 +95385,12 @@ index 0000000..67b461b
+ #allow httpd_zoneminder_script_t self:shm create_shm_perms;
+
+ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
++
++ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++
+ zoneminder_stream_connect(httpd_zoneminder_script_t)
++
++ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
+
+ files_search_var_lib(httpd_zoneminder_script_t)
+
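Review bot: `can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)` lets the daemon run the web scripts without a domain transition, so they execute with everything zoneminder_t is allowed, including the zoneminder_run_sudo permissions when that boolean is on. The rule has zoneminder_t as its source but sits among the httpd_zoneminder_script_t rules, in a block that starts outside this hunk, so it is easy to miss when auditing the daemon domain. A comment directly above it, for example `# zoneminder_t executes the web scripts in its own domain (no transition)`, would make the intent explicit. The added `rw_files_pattern` on zoneminder_tmpfs_t likewise deserves a one-line note that the web scripts share the daemon's tmpfs files read-write.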
diff --git a/selinux-policy.spec b/selinux-policy.spec
index eddfbfc..2fcda05 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 58%{?dist}
+Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,47 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jul 3 2013 Miroslav Grepl