diff --git a/policy-F15.patch b/policy-F15.patch index 87dc4e7..b9debd1 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -633,7 +633,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te -index 75ce30f..f7dcdf8 100644 +index 75ce30f..68cb617 100644 --- a/policy/modules/admin/logwatch.te +++ b/policy/modules/admin/logwatch.te @@ -19,6 +19,9 @@ files_lock_file(logwatch_lock_t) @@ -665,13 +665,14 @@ index 75ce30f..f7dcdf8 100644 term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -92,11 +100,20 @@ sysnet_dns_name_resolve(logwatch_t) +@@ -92,11 +100,21 @@ sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) -+userdom_dontaudit_list_admin_dir(logwatch_t) - +- -mta_send_mail(logwatch_t) ++userdom_dontaudit_list_admin_dir(logwatch_t) ++ +#mta_send_mail(logwatch_t) +mta_base_mail_template(logwatch) +mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) @@ -680,6 +681,7 @@ index 75ce30f..f7dcdf8 100644 +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) +allow logwatch_mail_t self:capability { dac_read_search dac_override }; +mta_read_home(logwatch_mail_t) ++dev_read_rand(logwatch_mail_t) ifdef(`distro_redhat',` files_search_all(logwatch_t) @@ -8296,7 +8298,7 @@ index b06df19..c0763c2 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index edefaf3..14fc728 100644 +index edefaf3..900fc3d 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -15,6 +15,7 @@ attribute rpc_port_type; 
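Review bot: The `allow logwatch_mail_t self:capability { dac_read_search dac_override };` line directly above the new `dev_read_rand(logwatch_mail_t)` grants more than the neighbouring rules appear to need: `mta_read_home` and the `logwatch_tmp_t` rules are read/manage of the helper's own files, and `dac_read_search` already bypasses DAC for read and search, whereas `dac_override` additionally bypasses DAC write checks. Unless a write denial was actually observed, `allow logwatch_mail_t self:capability dac_read_search;` keeps the mail helper at least privilege. In the preceding hunk the `+#mta_send_mail(logwatch_t)` line is a commented-out rule left over from the switch to `mta_base_mail_template(logwatch)`; it should be deleted rather than kept as a comment.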
@@ -8387,7 +8389,7 @@ index edefaf3..14fc728 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -125,30 +147,35 @@ network_port(iscsi, tcp,3260,s0) +@@ -125,43 +147,57 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -8425,9 +8427,10 @@ index edefaf3..14fc728 100644 -network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0) +network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) ++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) -@@ -156,12 +183,20 @@ network_port(pegasus_http, tcp,5988,s0) + network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) @@ -8448,7 +8451,7 @@ index edefaf3..14fc728 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -176,43 +211,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -176,43 +212,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) 
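Review bot: The added `network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)` follows neither convention of the surrounding entries: its separators are inconsistent (`tcp, 1521` and `udp, 1521` carry a space, the other pairs do not) and it is inserted between `ntp` and `ocsp`, whereas the list is alphabetical and `oracle` belongs after `openvpn`. I would write it as `network_port(oracle, tcp,1521,s0, udp,1521,s0, tcp,2483,s0, udp,2483,s0, tcp,2484,s0, udp,2484,s0)` and move it one line down. The `corenet_*_oracle_*` interfaces generated from this entry are called from apache.te later in this patch, so the name must stay exactly `oracle`.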
@@ -8505,7 +8508,7 @@ index edefaf3..14fc728 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -@@ -274,5 +315,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn +@@ -274,5 +316,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. @@ -8550,7 +8553,7 @@ index 3b2da10..7c29e17 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 15a7bef..ee7727f 100644 +index 15a7bef..6d68113 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8757,7 +8760,32 @@ index 15a7bef..ee7727f 100644 ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -3048,24 +3192,6 @@ interface(`dev_rw_printer',` +@@ -1979,6 +2123,24 @@ interface(`dev_read_kmsg',` + + ######################################## + ## ++## Do not audit attempts to read the kernel messages ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_kmsg',` ++ gen_require(` ++ type kmsg_device_t; ++ ') ++ ++ dontaudit $1 kmsg_device_t:chr_file read; ++') ++ ++######################################## ++## + ## Write to the kernel messages device + ## + ## +@@ -3048,24 +3210,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -8782,7 +8810,7 @@ index 15a7bef..ee7727f 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3613,6 +3739,24 @@ interface(`dev_manage_smartcard',` +@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',` ######################################## ## 
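Review bot: The new `dev_dontaudit_read_kmsg` silences only the `read` permission on `kmsg_device_t:chr_file`, so on a policy built with open permissions a read-mode open() of the device will presumably still log the `open` and `getattr` part of the denial; `dontaudit $1 kmsg_device_t:chr_file read_chr_file_perms;` covers the whole read access, which is what a dontaudit of this kind normally intends. Its summary also drops the noun its neighbour uses ("Write to the kernel messages device"); `## Do not audit attempts to read the kernel messages device` keeps the two consistent. The interface is consumed by `dev_dontaudit_read_kmsg(initrc_t)` in the init.te hunk further down this patch.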
@@ -8807,7 +8835,7 @@ index 15a7bef..ee7727f 100644 ## Get the attributes of sysfs directories. ## ## -@@ -3773,6 +3917,42 @@ interface(`dev_rw_sysfs',` +@@ -3773,6 +3935,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -8850,7 +8878,7 @@ index 15a7bef..ee7727f 100644 ## Read from pseudo random number generator devices (e.g., /dev/urandom). ## ## -@@ -3942,6 +4122,24 @@ interface(`dev_read_usbmon_dev',` +@@ -3942,6 +4140,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## @@ -8875,7 +8903,7 @@ index 15a7bef..ee7727f 100644 ## Mount a usbfs filesystem. ## ## -@@ -4252,11 +4450,10 @@ interface(`dev_write_video_dev',` +@@ -4252,11 +4468,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` @@ -9263,7 +9291,7 @@ index 3517db2..ebf38e4 100644 + +/usr/lib/debug <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ed203b2..7825dd2 100644 +index ed203b2..d38c240 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -9489,7 +9517,32 @@ index ed203b2..7825dd2 100644 ') ######################################## -@@ -3365,6 +3517,24 @@ interface(`files_list_mnt',` +@@ -3287,6 +3439,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` + dontaudit $1 lost_found_t:dir getattr; + ') + ++####################################### ++## ++## List the contents of /tmp/lost-found ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_lost_found_dirs',` ++ gen_require(` ++ type lost_found_t; ++ ') ++ ++ allow $1 lost_found_t:dir list_dir_perms; ++') ++ + ######################################## + ## + ## Create, read, write, and delete objects in +@@ -3365,6 +3535,24 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') 
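Review bot: The summary of the new `files_list_lost_found_dirs` interface says `/tmp/lost-found`, but the rule it documents, `allow $1 lost_found_t:dir list_dir_perms;`, applies to every directory labelled `lost_found_t`, and the directory name carries a plus sign, not a hyphen; `## List the contents of lost+found directories.` describes the rule accurately. The `#` separator line added above the interface also appears one character shorter than the `########################################` used for its neighbours, which is worth aligning since these headers are uniform throughout the file.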
@@ -9514,7 +9567,7 @@ index ed203b2..7825dd2 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3438,6 +3608,24 @@ interface(`files_read_mnt_files',` +@@ -3438,6 +3626,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') @@ -9539,7 +9592,7 @@ index ed203b2..7825dd2 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3729,6 +3917,100 @@ interface(`files_read_world_readable_sockets',` +@@ -3729,6 +3935,100 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -9640,7 +9693,7 @@ index ed203b2..7825dd2 100644 ######################################## ## ## Allow the specified type to associate -@@ -3914,6 +4196,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,6 +4214,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -9673,7 +9726,7 @@ index ed203b2..7825dd2 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3968,7 +4276,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3968,7 +4294,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -9682,7 +9735,7 @@ index ed203b2..7825dd2 100644 ## ## ## -@@ -3976,17 +4284,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3976,17 +4302,17 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -9704,7 +9757,7 @@ index ed203b2..7825dd2 100644 ## ## ## -@@ -3994,74 +4302,77 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -3994,74 +4320,77 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # @@ -9800,7 +9853,7 @@ index ed203b2..7825dd2 100644 ## ## ## -@@ -4069,36 +4380,111 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` +@@ -4069,22 +4398,97 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` ## ## # 
@@ -9824,21 +9877,10 @@ index ed203b2..7825dd2 100644 ## ## -## Domain allowed access. --## --## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. +## Domain not to audit. - ## - ## - # --interface(`files_tmp_filetrans',` ++## ++## ++# +interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` + attribute tmpfile; @@ -9911,24 +9953,10 @@ index ed203b2..7825dd2 100644 +## +## +## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+# -+interface(`files_tmp_filetrans',` - gen_require(` - type tmp_t; - ') -@@ -4127,6 +4513,13 @@ interface(`files_purge_tmp',` + ## + ## + ## +@@ -4127,6 +4531,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -9942,7 +9970,7 @@ index ed203b2..7825dd2 100644 ') ######################################## -@@ -4736,6 +5129,24 @@ interface(`files_read_var_files',` +@@ -4736,6 +5147,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -9967,7 +9995,7 @@ index ed203b2..7825dd2 100644 ## Read and write files in the /var directory. ## ## -@@ -5071,6 +5482,24 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5500,24 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -9992,7 +10020,7 @@ index ed203b2..7825dd2 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5156,12 +5585,12 @@ interface(`files_getattr_generic_locks',` +@@ -5156,12 +5603,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -10009,7 +10037,7 @@ index ed203b2..7825dd2 100644 ') ######################################## -@@ -5207,6 +5636,27 @@ interface(`files_delete_all_locks',` +@@ -5207,6 +5654,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -10037,7 +10065,7 @@ index ed203b2..7825dd2 100644 ## Read all lock files. ## ## -@@ -5335,6 +5785,43 @@ interface(`files_search_pids',` +@@ -5335,6 +5803,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -10081,7 +10109,7 @@ index ed203b2..7825dd2 100644 ######################################## ## ## Do not audit attempts to search -@@ -5542,6 +6029,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6047,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -10144,7 +10172,7 @@ index ed203b2..7825dd2 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6102,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6120,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -10189,7 +10217,7 @@ index ed203b2..7825dd2 100644 ') ######################################## -@@ -5844,3 +6425,247 @@ interface(`files_unconfined',` +@@ -5844,3 +6443,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -14023,7 +14051,7 @@ index c0f858d..d639ae0 100644 accountsd_manage_lib_files($1) diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te -index 1632f10..2724c11 100644 +index 1632f10..f6e570c 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0) 
@@ -14035,7 +14063,15 @@ index 1632f10..2724c11 100644 type accountsd_var_lib_t; files_type(accountsd_var_lib_t) -@@ -55,3 +57,8 @@ optional_policy(` +@@ -32,6 +34,7 @@ files_read_usr_files(accountsd_t) + files_read_mnt_files(accountsd_t) + + fs_list_inotifyfs(accountsd_t) ++fs_getattr_xattr_fs(accountsd_t) + fs_read_noxattr_fs_files(accountsd_t) + + auth_use_nsswitch(accountsd_t) +@@ -55,3 +58,8 @@ optional_policy(` optional_policy(` policykit_dbus_chat(accountsd_t) ') @@ -15177,7 +15213,7 @@ index c9e1a44..1a1ba36 100644 + dontaudit $1 httpd_tmp_t:file { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 08dfa0c..b02e348 100644 +index 08dfa0c..9dd70c3 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.0) @@ -15557,7 +15593,7 @@ index 08dfa0c..b02e348 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +509,71 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +509,73 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -15593,6 +15629,8 @@ index 08dfa0c..b02e348 100644 +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_t) + corenet_sendrecv_mssql_client_packets(httpd_t) ++ corenet_tcp_connect_oracle_port(httpd_t) ++ corenet_sendrecv_oracle_client_packets(httpd_t) +') + +tunable_policy(`httpd_can_network_memcache',` @@ -15631,7 +15669,7 @@ index 08dfa0c..b02e348 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +586,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +588,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
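Review bot: `corenet_tcp_connect_oracle_port(httpd_t)` and `corenet_sendrecv_oracle_client_packets(httpd_t)` are added under the existing `httpd_can_network_connect_db` tunable, so any system that already has that boolean enabled for MSSQL silently gains outbound access to the oracle ports (1521, 2483, 2484) with no new opt-in; the same widening is repeated for `httpd_php_t`, `httpd_suexec_t` and `httpd_sys_script_t` in the later apache.te hunks. The boolean's description, presumably in the `<desc>` block at the top of apache.te outside these hunks, should say what the tunable now covers, e.g. `## Allow HTTPD scripts and modules to connect to MSSQL and Oracle database ports.` Both interfaces are generated from the `network_port(oracle, ...)` entry this same patch adds to corenetwork.te.in, so these hunks only build if that one lands too.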
@@ -15642,7 +15680,7 @@ index 08dfa0c..b02e348 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,8 +600,12 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,8 +602,12 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -15657,7 +15695,7 @@ index 08dfa0c..b02e348 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,6 +613,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -475,6 +615,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -15670,7 +15708,7 @@ index 08dfa0c..b02e348 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +628,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +630,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -15687,7 +15725,7 @@ index 08dfa0c..b02e348 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -500,8 +653,10 @@ tunable_policy(`httpd_ssi_exec',` +@@ -500,8 +655,10 @@ tunable_policy(`httpd_ssi_exec',` # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -15698,7 +15736,7 @@ index 08dfa0c..b02e348 100644 ') optional_policy(` -@@ -513,7 +668,13 @@ optional_policy(` +@@ -513,7 +670,13 @@ optional_policy(` ') optional_policy(` @@ -15713,7 +15751,7 @@ index 08dfa0c..b02e348 100644 ') optional_policy(` -@@ -528,7 +689,18 @@ optional_policy(` +@@ -528,7 +691,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -15733,7 +15771,7 @@ index 08dfa0c..b02e348 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +709,13 @@ optional_policy(` +@@ -537,8 +711,13 @@ optional_policy(` ') optional_policy(` 
@@ -15748,7 +15786,7 @@ index 08dfa0c..b02e348 100644 ') ') -@@ -556,7 +733,13 @@ optional_policy(` +@@ -556,7 +735,13 @@ optional_policy(` ') optional_policy(` @@ -15762,7 +15800,7 @@ index 08dfa0c..b02e348 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +750,7 @@ optional_policy(` +@@ -567,6 +752,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -15770,7 +15808,7 @@ index 08dfa0c..b02e348 100644 ') optional_policy(` -@@ -577,6 +761,16 @@ optional_policy(` +@@ -577,6 +763,16 @@ optional_policy(` ') optional_policy(` @@ -15787,7 +15825,7 @@ index 08dfa0c..b02e348 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +785,11 @@ optional_policy(` +@@ -591,6 +787,11 @@ optional_policy(` ') optional_policy(` @@ -15799,7 +15837,7 @@ index 08dfa0c..b02e348 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +802,11 @@ optional_policy(` +@@ -603,6 +804,11 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -15811,7 +15849,7 @@ index 08dfa0c..b02e348 100644 ######################################## # # Apache helper local policy -@@ -618,6 +822,10 @@ logging_send_syslog_msg(httpd_helper_t) +@@ -618,6 +824,10 @@ logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) @@ -15822,7 +15860,7 @@ index 08dfa0c..b02e348 100644 ######################################## # # Apache PHP script local policy -@@ -654,28 +862,27 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +864,29 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
@@ -15841,6 +15879,8 @@ index 08dfa0c..b02e348 100644 - corenet_sendrecv_mssql_client_packets(httpd_suexec_t) + corenet_tcp_connect_mssql_port(httpd_php_t) + corenet_sendrecv_mssql_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_php_t) ++ corenet_sendrecv_oracle_client_packets(httpd_php_t) ') optional_policy(` @@ -15863,7 +15903,7 @@ index 08dfa0c..b02e348 100644 ') ######################################## -@@ -699,17 +906,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +910,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -15889,13 +15929,15 @@ index 08dfa0c..b02e348 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +952,20 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,10 +956,22 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ++ corenet_tcp_connect_oracle_port(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) +') + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) @@ -15911,7 +15953,7 @@ index 08dfa0c..b02e348 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +991,25 @@ optional_policy(` +@@ -769,6 +997,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -15937,7 +15979,7 @@ index 08dfa0c..b02e348 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1030,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1036,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -15955,7 +15997,7 @@ index 08dfa0c..b02e348 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1049,33 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,6 +1055,35 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -15968,6 +16010,8 @@ index 08dfa0c..b02e348 100644 +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_mssql_port(httpd_sys_script_t) + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) ++ corenet_tcp_connect_oracle_port(httpd_sys_script_t) ++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) +') + +fs_cifs_entry_type(httpd_sys_script_t) @@ -15989,7 +16033,7 @@ index 08dfa0c..b02e348 100644 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -822,7 +1095,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,7 +1103,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -15998,7 +16042,7 @@ index 08dfa0c..b02e348 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -830,6 +1103,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -830,6 +1111,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_sys_script_t) ') 
@@ -16019,7 +16063,7 @@ index 08dfa0c..b02e348 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1129,20 @@ optional_policy(` +@@ -842,10 +1137,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -16040,7 +16084,7 @@ index 08dfa0c..b02e348 100644 ') ######################################## -@@ -891,11 +1188,21 @@ optional_policy(` +@@ -891,11 +1196,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -23807,17 +23851,31 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..41dfb2b 100644 +index 4fde46b..078ea24 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -20,6 +20,7 @@ allow gnomeclock_t self:fifo_file rw_fifo_file_perms; +@@ -19,7 +19,10 @@ allow gnomeclock_t self:process { getattr getsched }; + allow gnomeclock_t self:fifo_file rw_fifo_file_perms; allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; ++kernel_read_system_state(gnomeclock_t) ++ corecmd_exec_bin(gnomeclock_t) +corecmd_exec_shell(gnomeclock_t) files_read_etc_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) +@@ -39,6 +42,10 @@ optional_policy(` + ') + + optional_policy(` ++ consoletype_exec(gnomeclock_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(gnomeclock_t) + policykit_domtrans_auth(gnomeclock_t) + policykit_read_lib(gnomeclock_t) diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if index 7d97298..d6b2959 100644 --- a/policy/modules/services/gpm.if @@ -30825,7 +30883,7 @@ index 46bee12..b87375e 100644 + role $2 types postfix_postdrop_t; +') 
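Review bot: `kernel_read_system_state(gnomeclock_t)` and the new `consoletype_exec(gnomeclock_t)` block carry no explanation of which operation of the daemon needs them; reading all of /proc is a broad grant for a clock-setting helper, and a why-comment such as `# consoletype and the scripts run via corecmd_exec_shell read /proc` (adjusted to the denial that was actually observed) would let the next maintainer judge whether it can be narrowed. `consoletype_exec` runs the consoletype binary inside gnomeclock_t rather than transitioning to its own domain; if the exec form was chosen deliberately over `consoletype_domtrans(gnomeclock_t)`, a one-line comment saying so would save the next reader the same question.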
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..e76a63c 100644 +index 06e37d4..5a4973e 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -30991,7 +31049,7 @@ index 06e37d4..e76a63c 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -304,9 +329,17 @@ optional_policy(` +@@ -304,9 +329,18 @@ optional_policy(` ') optional_policy(` @@ -31004,12 +31062,13 @@ index 06e37d4..e76a63c 100644 +optional_policy(` + zarafa_deliver_domtrans(postfix_local_t) ++ zarafa_stream_connect_server(postfix_local_t) +') + ######################################## # # Postfix map local policy -@@ -390,8 +423,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m +@@ -390,8 +424,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m # Postfix pipe local policy # @@ -31019,7 +31078,7 @@ index 06e37d4..e76a63c 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +434,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +435,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -31028,7 +31087,7 @@ index 06e37d4..e76a63c 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +455,7 @@ optional_policy(` +@@ -420,6 +456,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -31036,7 +31095,7 @@ index 06e37d4..e76a63c 100644 ') optional_policy(` -@@ -436,6 +472,9 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,6 +473,9 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -31046,7 +31105,7 @@ index 06e37d4..e76a63c 100644 rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) postfix_list_spool(postfix_postdrop_t) -@@ -519,7 +558,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +559,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -31055,7 +31114,7 @@ index 06e37d4..e76a63c 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +578,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +579,7 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -31064,7 +31123,7 @@ index 06e37d4..e76a63c 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +627,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +628,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -31081,7 +31140,7 @@ index 06e37d4..e76a63c 100644 ') optional_policy(` -@@ -611,8 +656,8 @@ optional_policy(` +@@ -611,8 +657,8 @@ optional_policy(` # Postfix virtual local policy # @@ -31091,7 +31150,7 @@ index 06e37d4..e76a63c 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +675,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +676,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -31972,25 +32031,33 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..76da005 100644 +index 64c5f95..4d48908 100644 --- a/policy/modules/services/puppet.te 
+++ b/policy/modules/services/puppet.te -@@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0) +@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) # ## --##

--## Allow Puppet client to manage all file --## types. --##

+##

+## Allow Puppet client to manage all file +## types. +##

++##
++gen_tunable(puppet_manage_all_files, false) ++ ++## + ##

+-## Allow Puppet client to manage all file +-## types. ++## Alow Pupper master to use connect to mysql and postgresql database + ##

##
- gen_tunable(puppet_manage_all_files, false) +-gen_tunable(puppet_manage_all_files, false) ++gen_tunable(puppetmaster_use_db, false) -@@ -63,7 +63,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) + type puppet_t; + type puppet_exec_t; +@@ -63,7 +70,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) files_search_var_lib(puppet_t) @@ -31999,7 +32066,7 @@ index 64c5f95..76da005 100644 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -176,24 +176,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms; +@@ -176,24 +183,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms; list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) @@ -32031,7 +32098,7 @@ index 64c5f95..76da005 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -214,13 +219,20 @@ domain_read_all_domains_state(puppetmaster_t) +@@ -214,13 +226,32 @@ domain_read_all_domains_state(puppetmaster_t) files_read_etc_files(puppetmaster_t) files_search_var_lib(puppetmaster_t) @@ -32049,10 +32116,22 @@ index 64c5f95..76da005 100644 +mta_send_mail(puppetmaster_t) + ++optional_policy(` ++ tunable_policy(`puppetmaster_use_db',` ++ mysql_stream_connect(puppetmaster_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`puppetmaster_use_db',` ++ postgresql_stream_connect(puppetmaster_t) ++ ') ++') ++ optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +243,8 @@ optional_policy(` +@@ -231,3 +262,8 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -41865,10 +41944,10 @@ index 0000000..8a909f5 +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..3ce4d86 +index 0000000..d7c3f51 --- /dev/null 
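Review bot: The description added for the new `puppetmaster_use_db` tunable has typos and a mangled phrase: `## Alow Pupper master to use connect to mysql and postgresql database` should read `## Allow Puppet master to connect to MySQL and PostgreSQL databases`. Since the tunable gates only `mysql_stream_connect(puppetmaster_t)` and `postgresql_stream_connect(puppetmaster_t)` in the later hunk, which are local stream-socket connections, "connect to" rather than "connect over the network" is the accurate wording. The default `false` is the right choice for a new grant.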
+++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,132 @@ +@@ -0,0 +1,134 @@ +policy_module(zarafa, 1.0.0) + +######################################## @@ -41946,6 +42025,8 @@ index 0000000..3ce4d86 +allow zarafa_spooler_t self:capability { chown kill }; +allow zarafa_spooler_t self:process signal; + ++can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) ++ +corenet_tcp_connect_smtp_port(zarafa_spooler_t) + +######################################## @@ -43523,7 +43604,7 @@ index ed152c4..a398d39 100644 + allow $1 init_t:unix_dgram_socket sendto; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 0580e7c..90ca53f 100644 +index 0580e7c..c45e5d8 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -43856,7 +43937,15 @@ index 0580e7c..90ca53f 100644 corecmd_exec_all_executables(initrc_t) -@@ -291,6 +464,7 @@ dev_read_sound_mixer(initrc_t) +@@ -279,6 +452,7 @@ corenet_sendrecv_all_client_packets(initrc_t) + + dev_read_rand(initrc_t) + dev_read_urand(initrc_t) ++dev_dontaudit_read_kmsg(initrc_t) + dev_write_kmsg(initrc_t) + dev_write_rand(initrc_t) + dev_write_urand(initrc_t) +@@ -291,6 +465,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -43864,7 +43953,7 @@ index 0580e7c..90ca53f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +472,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +473,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
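Review bot: `can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)` lets the spooler domain re-execute its own entrypoint without a domain transition, but nothing in the file says why; presumably the spooler re-execs itself when daemonizing or restarting, and a comment such as `# spooler re-executes its own binary` above the rule would record that for the next maintainer. If the re-exec is of a different helper, the rule should name that helper's type rather than the domain's own entrypoint.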
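Review bot: `dev_dontaudit_read_kmsg(initrc_t)` silences read denials on the kernel messages device for the whole initrc_t domain, the domain init scripts run in, so a script that genuinely needs to read kernel messages will no longer show up in the audit log; a comment naming the source of the noise, e.g. `# <script name>: reads /dev/kmsg, harmless` with the real script filled in, would document that the denial is expected rather than a missing permission. As added to devices.if in this same patch the interface covers only `read`, so if the policy is built with open permissions the `open` part of the denial will presumably still be audited; see the devices.if hunk.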
@@ -43880,7 +43969,7 @@ index 0580e7c..90ca53f 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +497,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +498,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -43892,7 +43981,7 @@ index 0580e7c..90ca53f 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +516,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +517,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -43906,7 +43995,7 @@ index 0580e7c..90ca53f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +531,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +532,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -43915,7 +44004,7 @@ index 0580e7c..90ca53f 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +545,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +546,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -43923,7 +44012,7 @@ index 0580e7c..90ca53f 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +557,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +558,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -43931,7 +44020,7 @@ index 0580e7c..90ca53f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +578,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +579,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -43947,7 +44036,7 @@ index 0580e7c..90ca53f 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -474,7 +659,7 @@ ifdef(`distro_redhat',` +@@ -474,7 +660,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -43956,7 +44045,7 @@ index 0580e7c..90ca53f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +705,23 @@ ifdef(`distro_redhat',` +@@ -520,6 +706,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -43980,7 +44069,7 @@ index 0580e7c..90ca53f 100644 ') optional_policy(` -@@ -527,10 +729,17 @@ ifdef(`distro_redhat',` +@@ -527,10 +730,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -43998,7 +44087,7 @@ index 0580e7c..90ca53f 100644 ') optional_policy(` -@@ -545,6 +754,35 @@ ifdef(`distro_suse',` +@@ -545,6 +755,35 @@ ifdef(`distro_suse',` ') ') @@ -44034,7 +44123,7 @@ index 0580e7c..90ca53f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -557,6 +795,8 @@ optional_policy(` +@@ -557,6 +796,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -44043,7 +44132,7 @@ index 0580e7c..90ca53f 100644 ') optional_policy(` -@@ -573,6 +813,7 @@ optional_policy(` +@@ -573,6 +814,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) 
@@ -44051,7 +44140,7 @@ index 0580e7c..90ca53f 100644 ') optional_policy(` -@@ -585,6 +826,11 @@ optional_policy(` +@@ -585,6 +827,11 @@ optional_policy(` ') optional_policy(` @@ -44063,7 +44152,7 @@ index 0580e7c..90ca53f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -601,9 +847,13 @@ optional_policy(` +@@ -601,9 +848,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -44077,7 +44166,7 @@ index 0580e7c..90ca53f 100644 ') optional_policy(` -@@ -702,7 +952,13 @@ optional_policy(` +@@ -702,7 +953,13 @@ optional_policy(` ') optional_policy(` @@ -44091,7 +44180,7 @@ index 0580e7c..90ca53f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -725,6 +981,10 @@ optional_policy(` +@@ -725,6 +982,10 @@ optional_policy(` ') optional_policy(` @@ -44102,7 +44191,7 @@ index 0580e7c..90ca53f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -734,10 +994,20 @@ optional_policy(` +@@ -734,10 +995,20 @@ optional_policy(` ') optional_policy(` @@ -44123,7 +44212,7 @@ index 0580e7c..90ca53f 100644 quota_manage_flags(initrc_t) ') -@@ -746,6 +1016,10 @@ optional_policy(` +@@ -746,6 +1017,10 @@ optional_policy(` ') optional_policy(` @@ -44134,7 +44223,7 @@ index 0580e7c..90ca53f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -767,8 +1041,6 @@ optional_policy(` +@@ -767,8 +1042,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -44143,7 +44232,7 @@ index 0580e7c..90ca53f 100644 ') optional_policy(` -@@ -777,14 +1049,21 @@ optional_policy(` +@@ -777,14 +1050,21 @@ optional_policy(` ') optional_policy(` @@ -44165,7 +44254,7 @@ index 0580e7c..90ca53f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -806,11 +1085,19 @@ optional_policy(` +@@ -806,11 +1086,19 @@ optional_policy(` ') optional_policy(` 
@@ -44186,7 +44275,7 @@ index 0580e7c..90ca53f 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -820,6 +1107,25 @@ optional_policy(` +@@ -820,6 +1108,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -44212,7 +44301,7 @@ index 0580e7c..90ca53f 100644 ') optional_policy(` -@@ -845,3 +1151,59 @@ optional_policy(` +@@ -845,3 +1152,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48122,10 +48211,10 @@ index 0000000..5f0352b + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..174dd0c +index 0000000..85d3b7a --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,102 @@ +@@ -0,0 +1,103 @@ + +policy_module(systemd, 1.0.0) + @@ -48204,7 +48293,7 @@ index 0000000..174dd0c +files_relabelfrom_tmp_files(systemd_tmpfiles_t) +files_relabel_all_tmp_dirs(systemd_tmpfiles_t) +files_relabel_all_tmp_files(systemd_tmpfiles_t) -+files_getattr_lost_found_dirs(systemd_tmpfiles_t) ++files_list_lost_found_dirs(systemd_tmpfiles_t) + +init_dgram_send(systemd_tmpfiles_t) + @@ -48214,6 +48303,7 @@ index 0000000..174dd0c +auth_relabel_var_auth_dirs(systemd_tmpfiles_t) +auth_relabel_login_records(systemd_tmpfiles_t) +auth_setattr_login_records(systemd_tmpfiles_t) ++auth_use_nsswitch(systemd_tmpfiles_t) + +seutil_read_file_contexts(systemd_tmpfiles_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 570253c..8459e8e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.12 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
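Review bot: `auth_use_nsswitch(systemd_tmpfiles_t)` is a much wider grant than the user/group name lookup systemd-tmpfiles needs for tmpfiles.d entries: in refpolicy that interface is generally the one that also pulls in NIS/LDAP/sssd client access for the domain, which can include network sockets. If the denial being fixed was only a passwd/group read, the narrower `auth_read_passwd(systemd_tmpfiles_t)` would close it without handing a boot-time file-management domain a network path; if name-service backends really are required, say so next to the rule, e.g. `# tmpfiles.d entries name users/groups; lookups may go through sssd/ldap, hence nsswitch`. The systemd_tmpfiles_t rule block continues on both sides of this hunk.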
@@ -471,6 +471,13 @@ exit 0 %endif %changelog +* Mon Jan 17 2011 Miroslav Grepl 3.9.12-8 +- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on +- Add puppetmaster_use_db boolean +- Fixes for zarafa policy +- Fixes for gnomeclock poliy +- Fix systemd-tmpfiles to use auth_use_nsswitch + * Fri Jan 14 2011 Miroslav Grepl 3.9.12-7 - gnomeclock executes a shell - Update for screen policy to handle pipe in homedir