From 61a8737e37620bf7f65d6636fffb0739ee638ed3 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 23 2013 12:32:45 +0000 Subject: - Fix collectd_t can read /etc/passwd file - Fix lsm.if summary - Add policy for lsmd - Cleanup raid.te - Add support for abrt-upload-watch - Dontaudit access check on cert_t for httpd_t - Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory - Allow glusterd to read domains state - Allow swift to crete cache dirs with correct labeling - Add support for pam_mount to mount user's encrypted home When a user logs in and logs o - Add support for .Xauthority-n --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index d5daf33..63fd39f 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -20167,7 +20167,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..dac68b3 100644 +index 5fc0391..2d08ed2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20470,7 +20470,7 @@ index 5fc0391..dac68b3 100644 ') optional_policy(` -@@ -257,11 +307,24 @@ optional_policy(` +@@ -257,11 +307,28 @@ optional_policy(` ') optional_policy(` @@ -20492,11 +20492,15 @@ index 5fc0391..dac68b3 100644 optional_policy(` - kerberos_keytab_template(sshd, sshd_t) ++ lvm_domtrans(sshd_t) ++') ++ ++optional_policy(` + nx_read_home_files(sshd_t) ') optional_policy(` -@@ -269,6 +332,10 @@ optional_policy(` +@@ -269,6 +336,10 @@ optional_policy(` ') optional_policy(` @@ -20507,7 +20511,7 @@ index 5fc0391..dac68b3 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +346,69 @@ optional_policy(` +@@ -279,13 +350,69 @@ optional_policy(` ') optional_policy(` 
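Review bot: `lvm_domtrans(sshd_t)` is added to ssh.te unconditionally, so every sshd_t process may now transition into lvm_t by executing any lvm_exec_t binary (cryptsetup, dmsetup, lvm, mount.crypt), not just along the pam_mount path the changelog describes; lvm_t carries raw block-device and device-mapper control, so this noticeably widens what a compromised sshd can reach. Wrap the call in a boolean so hosts that do not use pam_mount can keep it off, and say why it is there, e.g. `# pam_mount runs mount.crypt/umount.crypt to unlock the user's encrypted home` above the call. If a boolean is not wanted, the comment alone is still needed because the optional_policy block gives no hint of the trigger.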
@@ -20577,7 +20581,7 @@ index 5fc0391..dac68b3 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +417,26 @@ optional_policy(` +@@ -294,19 +421,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20605,7 +20609,7 @@ index 5fc0391..dac68b3 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +453,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20618,7 +20622,7 @@ index 5fc0391..dac68b3 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +467,138 @@ optional_policy(` +@@ -331,3 +471,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -20915,7 +20919,7 @@ index d1f64a0..8f50bb9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..188613e 100644 +index 6bf0ecc..15e1047 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -21869,7 +21873,7 @@ index 6bf0ecc..188613e 100644 ') ######################################## -@@ -1284,10 +1655,622 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1655,623 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
@@ -22369,6 +22373,7 @@ index 6bf0ecc..188613e 100644 + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") @@ -22495,7 +22500,7 @@ index 6bf0ecc..188613e 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..509319f 100644 +index 2696452..df66dcb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -22745,7 +22750,7 @@ index 2696452..509319f 100644 ') ######################################## -@@ -247,48 +321,88 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -22811,6 +22816,7 @@ index 2696452..509319f 100644 +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") @@ -22845,7 +22851,7 @@ index 2696452..509319f 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +413,107 @@ optional_policy(` +@@ -299,64 +414,107 @@ optional_policy(` # XDM Local policy # 
@@ -22963,7 +22969,7 @@ index 2696452..509319f 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +522,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +523,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -22995,7 +23001,7 @@ index 2696452..509319f 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +554,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +555,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23048,7 +23054,7 @@ index 2696452..509319f 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +606,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +607,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23077,7 +23083,7 @@ index 2696452..509319f 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +636,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +637,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -23124,7 +23130,7 @@ index 2696452..509319f 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +681,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +682,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23275,7 +23281,7 @@ index 2696452..509319f 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +832,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +833,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23302,7 +23308,7 @@ index 2696452..509319f 100644 ') optional_policy(` -@@ -514,12 +859,72 @@ optional_policy(` +@@ -514,12 +860,72 @@ optional_policy(` ') optional_policy(` @@ -23375,7 +23381,7 @@ index 2696452..509319f 100644 hostname_exec(xdm_t) ') -@@ -537,28 +942,78 @@ optional_policy(` +@@ -537,28 +943,78 @@ optional_policy(` ') optional_policy(` @@ -23463,7 +23469,7 @@ index 2696452..509319f 100644 ') optional_policy(` -@@ -570,6 +1025,14 @@ optional_policy(` +@@ -570,6 +1026,14 @@ optional_policy(` ') optional_policy(` @@ -23478,7 +23484,7 @@ index 2696452..509319f 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -23491,7 +23497,7 @@ index 2696452..509319f 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23507,7 +23513,7 @@ index 2696452..509319f 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23518,7 +23524,7 @@ index 2696452..509319f 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1106,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23540,7 +23546,7 @@ index 2696452..509319f 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1126,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23554,7 +23560,7 @@ index 2696452..509319f 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1152,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23586,7 +23592,7 @@ index 2696452..509319f 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1184,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23604,7 +23610,7 @@ index 2696452..509319f 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1206,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1207,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23628,7 +23634,7 @@ index 2696452..509319f 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1226,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23637,7 +23643,7 @@ index 2696452..509319f 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1269,44 @@ optional_policy(` +@@ -775,16 +1270,44 @@ optional_policy(` ') optional_policy(` 
@@ -23683,7 +23689,7 @@ index 2696452..509319f 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1315,10 @@ optional_policy(` +@@ -793,6 +1316,10 @@ optional_policy(` ') optional_policy(` @@ -23694,7 +23700,7 @@ index 2696452..509319f 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1335,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23708,7 +23714,7 @@ index 2696452..509319f 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1346,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23717,7 +23723,7 @@ index 2696452..509319f 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1358,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1359,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23752,7 +23758,7 @@ index 2696452..509319f 100644 ') optional_policy(` -@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1424,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23761,7 +23767,7 @@ index 2696452..509319f 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1478,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23793,7 +23799,7 @@ index 2696452..509319f 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1524,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -30638,7 +30644,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..bb695cf 100644 +index 39ea221..aae7b7d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -30954,7 +30960,7 @@ index 39ea221..bb695cf 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +575,36 @@ optional_policy(` +@@ -502,15 +575,40 @@ optional_policy(` ') optional_policy(` @@ -30981,6 +30987,10 @@ index 39ea221..bb695cf 100644 ') optional_policy(` ++ psad_search_lib_files(syslogd_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(syslogd_t) + snmp_read_snmp_var_lib_files(syslogd_t) + snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) @@ -30991,7 +31001,7 @@ index 39ea221..bb695cf 100644 ') optional_policy(` -@@ -521,3 +615,26 @@ optional_policy(` +@@ -521,3 +619,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') 
@@ -31019,10 +31029,10 @@ index 39ea221..bb695cf 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..7daaff3 100644 +index 879bb1e..5aa4eeb 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc -@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',` +@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',` /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) @@ -31039,6 +31049,7 @@ index 879bb1e..7daaff3 100644 # /sbin # +/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -31058,7 +31069,7 @@ index 879bb1e..7daaff3 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',` +@@ -88,8 +95,71 @@ ifdef(`distro_gentoo',` # # /usr # @@ -31132,7 +31143,7 @@ index 879bb1e..7daaff3 100644 # # /var -@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',` +@@ -97,5 +167,8 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 4ddf547..34382d4 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..4e4cbd4 100644 +index e4f84de..2fe1152 100644 --- a/abrt.fc 
+++ b/abrt.fc -@@ -1,30 +1,40 @@ +@@ -1,30 +1,41 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) @@ -22,6 +22,7 @@ index e4f84de..4e4cbd4 100644 +/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) @@ -518,7 +519,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..da5b191 100644 +index cc43d25..d345054 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -527,7 +528,7 @@ index cc43d25..da5b191 100644 ######################################## # -@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4) +@@ -6,105 +6,128 @@ policy_module(abrt, 1.3.4) # ## @@ -549,6 +550,14 @@ index cc43d25..da5b191 100644 -## the abrt_handle_event_t domain to -## handle ABRT event scripts. -##

++##

++## Allow abrt-handle-upload to modify public files ++## used for public file transfer services in /var/spool/abrt-upload/. ++##

++##
++gen_tunable(abrt_upload_watch_anon_write, true) ++ ++## +##

+## Allow ABRT to run in abrt_handle_event_t domain +## to handle ABRT event scripts @@ -627,15 +636,15 @@ index cc43d25..da5b191 100644 +ifdef(`enable_mcs',` + init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) +') -+ -+# -+# Support for ABRT retrace server -type abrt_retrace_worker_t, abrt_domain; -type abrt_retrace_worker_exec_t; -domain_type(abrt_retrace_worker_t) -domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) +# ++# Support for ABRT retrace server ++ ++# +abrt_basic_types_template(abrt_retrace_worker) +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) role system_r types abrt_retrace_worker_t; @@ -660,7 +669,10 @@ index cc43d25..da5b191 100644 -ifdef(`enable_mcs',` - init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) -') -- ++# Support for abrt-upload-watch ++abrt_basic_types_template(abrt_upload_watch) ++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) + ######################################## # -# Local policy @@ -689,7 +701,7 @@ index cc43d25..da5b191 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +135,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -718,7 +730,7 @@ index cc43d25..da5b191 100644 kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +162,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) 
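Review bot: `gen_tunable(abrt_upload_watch_anon_write, true)` ships the boolean switched on, so abrt_upload_watch_t may write public_content_rw_t files out of the box; for a daemon that consumes files dropped into an anonymous upload directory an `*_anon_write` boolean enabled by default is unusual and should be `false` unless the daemon cannot work without it, in which case the description should say so. The description also names abrt-handle-upload, but the only rule the boolean gates (`miscfiles_manage_public_files(abrt_upload_watch_t)`, later in this diff) applies to abrt_upload_watch_t, and the abrt.fc hunk above labels only abrt-upload-watch; unless abrt-handle-upload runs in that domain, reword it to `## Allow abrt-upload-watch to modify public files used for public file transfer services in /var/spool/abrt-upload/.` This hunk is complete, but the optional_policy blocks it reshuffles continue in the following hunks of abrt.te.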
@@ -737,7 +749,7 @@ index cc43d25..da5b191 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +186,37 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -778,7 +790,7 @@ index cc43d25..da5b191 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +224,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -795,7 +807,7 @@ index cc43d25..da5b191 100644 ') optional_policy(` -@@ -209,6 +224,16 @@ optional_policy(` +@@ -209,6 +236,16 @@ optional_policy(` ') optional_policy(` @@ -812,7 +824,7 @@ index cc43d25..da5b191 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +245,7 @@ optional_policy(` +@@ -220,6 +257,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -820,7 +832,7 @@ index cc43d25..da5b191 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +256,7 @@ optional_policy(` +@@ -230,6 +268,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -828,7 +840,7 @@ index cc43d25..da5b191 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +267,17 @@ optional_policy(` +@@ -240,9 +279,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -847,7 +859,7 @@ index cc43d25..da5b191 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +300,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') 
@@ -862,7 +874,7 @@ index cc43d25..da5b191 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +319,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -870,7 +882,7 @@ index cc43d25..da5b191 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +328,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -891,7 +903,7 @@ index cc43d25..da5b191 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +349,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -918,7 +930,7 @@ index cc43d25..da5b191 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +385,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -932,7 +944,7 @@ index cc43d25..da5b191 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +391,11 @@ optional_policy(` +@@ -330,10 +403,11 @@ optional_policy(` ####################################### # 
@@ -946,7 +958,7 @@ index cc43d25..da5b191 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +426,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1008,7 +1020,7 @@ index cc43d25..da5b191 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +484,29 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1021,18 +1033,28 @@ index cc43d25..da5b191 100644 ####################################### # -# Global local policy -+# Local policy for all abrt domain ++# abrt-upload-watch local policy # -kernel_read_system_state(abrt_domain) ++corecmd_exec_bin(abrt_upload_watch_t) + +-files_read_etc_files(abrt_domain) ++tunable_policy(`abrt_upload_watch_anon_write',` ++ miscfiles_manage_public_files(abrt_upload_watch_t) ++') ++ ++####################################### ++# ++# Local policy for all abrt domain ++# + +-logging_send_syslog_msg(abrt_domain) +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; - files_read_etc_files(abrt_domain) -- --logging_send_syslog_msg(abrt_domain) -- -miscfiles_read_localization(abrt_domain) ++files_read_etc_files(abrt_domain) diff --git a/accountsd.fc b/accountsd.fc index f9d8d7a..0682710 100644 --- a/accountsd.fc @@ -4596,7 +4618,7 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..40e2876 100644 +index 1a82e29..12b3640 100644 --- a/apache.te +++ b/apache.te 
@@ -1,297 +1,367 @@ @@ -5284,7 +5306,7 @@ index 1a82e29..40e2876 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5401,9 +5423,10 @@ index 1a82e29..40e2876 100644 miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) miscfiles_read_tetex_data(httpd_t) - --seutil_dontaudit_search_config(httpd_t) - +-seutil_dontaudit_search_config(httpd_t) ++miscfiles_dontaudit_access_check_cert(httpd_t) + userdom_use_unpriv_users_fds(httpd_t) -ifdef(`TODO',` @@ -5514,7 +5537,7 @@ index 1a82e29..40e2876 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5574,7 +5597,7 @@ index 1a82e29..40e2876 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +771,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +772,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5664,7 +5687,7 @@ index 1a82e29..40e2876 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +817,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +818,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5745,7 +5768,7 @@ index 1a82e29..40e2876 100644 ') optional_policy(` -@@ -743,14 +869,6 @@ optional_policy(` +@@ -743,14 +870,6 @@ optional_policy(` ccs_read_config(httpd_t) ') 
@@ -5760,7 +5783,7 @@ index 1a82e29..40e2876 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +883,23 @@ optional_policy(` +@@ -765,6 +884,23 @@ optional_policy(` ') optional_policy(` @@ -5784,7 +5807,7 @@ index 1a82e29..40e2876 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +916,42 @@ optional_policy(` +@@ -781,34 +917,42 @@ optional_policy(` ') optional_policy(` @@ -5838,7 +5861,7 @@ index 1a82e29..40e2876 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +959,18 @@ optional_policy(` +@@ -816,8 +960,18 @@ optional_policy(` ') optional_policy(` @@ -5857,7 +5880,7 @@ index 1a82e29..40e2876 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +979,7 @@ optional_policy(` +@@ -826,6 +980,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5865,7 +5888,7 @@ index 1a82e29..40e2876 100644 ') optional_policy(` -@@ -836,20 +990,39 @@ optional_policy(` +@@ -836,20 +991,39 @@ optional_policy(` ') optional_policy(` @@ -5911,7 +5934,7 @@ index 1a82e29..40e2876 100644 ') optional_policy(` -@@ -857,19 +1030,35 @@ optional_policy(` +@@ -857,19 +1031,35 @@ optional_policy(` ') optional_policy(` @@ -5947,7 +5970,7 @@ index 1a82e29..40e2876 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1066,170 @@ optional_policy(` +@@ -877,65 +1067,170 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6140,7 +6163,7 @@ index 1a82e29..40e2876 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1238,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1239,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) 
@@ -6295,7 +6318,7 @@ index 1a82e29..40e2876 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1322,104 @@ optional_policy(` +@@ -1077,172 +1323,104 @@ optional_policy(` ') ') @@ -6531,7 +6554,7 @@ index 1a82e29..40e2876 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1427,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1428,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6628,7 +6651,7 @@ index 1a82e29..40e2876 100644 ######################################## # -@@ -1315,8 +1502,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1503,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6645,7 +6668,7 @@ index 1a82e29..40e2876 100644 ') ######################################## -@@ -1324,49 +1518,38 @@ optional_policy(` +@@ -1324,49 +1519,38 @@ optional_policy(` # User content local policy # @@ -6710,7 +6733,7 @@ index 1a82e29..40e2876 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1559,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1560,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -12458,7 +12481,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..dbb3f45 100644 +index 6471fa8..dc0423c 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) @@ -12486,7 +12509,7 @@ index 6471fa8..dbb3f45 100644 manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +55,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) +@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) files_pid_filetrans(collectd_t, collectd_var_run_t, file) 
@@ -12494,6 +12517,9 @@ index 6471fa8..dbb3f45 100644 +kernel_read_all_sysctls(collectd_t) +kernel_read_all_proc(collectd_t) +kernel_list_all_proc(collectd_t) ++ ++auth_getattr_passwd(collectd_t) ++auth_read_passwd(collectd_t) -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) @@ -12519,7 +12545,7 @@ index 6471fa8..dbb3f45 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +86,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` @@ -24977,7 +25003,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..79bc951 100644 +index e0a4f46..95cf77c 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -25011,7 +25037,7 @@ index e0a4f46..79bc951 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -25030,6 +25056,7 @@ index e0a4f46..79bc951 100644 corecmd_exec_shell(glance_domain) dev_read_urand(glance_domain) ++dev_read_sysfs(glance_domain) -files_read_etc_files(glance_domain) -files_read_usr_files(glance_domain) 
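Review bot: `auth_getattr_passwd(collectd_t)` is redundant next to `auth_read_passwd(collectd_t)`, since the read interface is built on read_file_perms, which already carries getattr; only the second line is needed. Keeping both is harmless, but it obscures which rule actually lets collectd_t open /etc/passwd when someone audits this module later. These are top-level statements in collectd.te, so no enclosing block is cut by the hunk.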
@@ -25042,7 +25069,7 @@ index e0a4f46..79bc951 100644 sysnet_dns_name_resolve(glance_domain) ######################################## -@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -25057,7 +25084,7 @@ index e0a4f46..79bc951 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -25264,10 +25291,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..7244e2c +index 0000000..06e17e3 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,169 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25396,6 +25423,8 @@ index 0000000..7244e2c +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) + ++domain_read_all_domains_state(glusterd_t) ++ +domain_use_interactive_fds(glusterd_t) + +fs_mount_all_fs(glusterd_t) @@ -35686,6 +35715,163 @@ index b9270f7..15f3748 100644 +optional_policy(` + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) ') +diff --git a/lsm.fc b/lsm.fc +new file mode 100644 +index 0000000..711c04b +--- /dev/null ++++ b/lsm.fc +@@ -0,0 +1,5 @@ ++/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) ++ ++/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) ++ ++/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0) +diff --git a/lsm.if b/lsm.if +new file mode 100644 +index 0000000..aaf4080 +--- /dev/null ++++ b/lsm.if +@@ -0,0 +1,103 @@ ++ ++##
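Review bot: `domain_read_all_domains_state(glusterd_t)` is a broad grant — it lets glusterd_t read the /proc/<pid> files (cmdline, maps, environ and friends, as far as DAC allows) of every confined domain on the host, not just gluster's own processes. The changelog only says "read domains state", so if the denial came from a known process type, a targeted `ps_process_pattern(glusterd_t, <that_t>)` or the matching `<module>_read_state(glusterd_t)` would be tighter. If the wide grant really is needed, a one-line comment above the rule naming what glusterd reads and why would keep it reviewable, e.g. `# glusterd reads /proc/<pid>/ of other domains for <reason>`.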

libStorageMgmt plug-in daemon ++ ++######################################## ++## ++## Execute TEMPLATE in the lsmd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lsmd_domtrans',` ++ gen_require(` ++ type lsmd_t, lsmd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, lsmd_exec_t, lsmd_t) ++') ++######################################## ++## ++## Read lsmd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lsmd_read_pid_files',` ++ gen_require(` ++ type lsmd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t) ++') ++ ++######################################## ++## ++## Execute lsmd server in the lsmd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lsmd_systemctl',` ++ gen_require(` ++ type lsmd_t; ++ type lsmd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 lsmd_unit_file_t:file read_file_perms; ++ allow $1 lsmd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, lsmd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an lsmd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`lsmd_admin',` ++ gen_require(` ++ type lsmd_t; ++ type lsmd_var_run_t; ++ type lsmd_unit_file_t; ++ ') ++ ++ allow $1 lsmd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, lsmd_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, lsmd_var_run_t) ++ ++ lsmd_systemctl($1) ++ admin_pattern($1, lsmd_unit_file_t) ++ allow $1 lsmd_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/lsm.te b/lsm.te +new file mode 100644 +index 0000000..14fe4d7 +--- /dev/null ++++ b/lsm.te +@@ -0,0 +1,31 @@ ++policy_module(lsm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type lsmd_t; ++type lsmd_exec_t; ++init_daemon_domain(lsmd_t, lsmd_exec_t) ++ ++type lsmd_var_run_t; ++files_pid_file(lsmd_var_run_t) ++ ++type lsmd_unit_file_t; ++systemd_unit_file(lsmd_unit_file_t) ++ ++######################################## ++# ++# lsmd local policy ++# ++allow lsmd_t self:capability { setgid }; ++allow lsmd_t self:process { fork }; ++allow lsmd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++ ++logging_send_syslog_msg(lsmd_t) diff --git a/mailman.fc b/mailman.fc index 7fa381b..bbe6b01 100644 --- a/mailman.fc @@ -42859,7 +43045,7 @@ index 97370e4..92138ca 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index c48dc17..f93fa69 100644 +index c48dc17..6355fb4 100644 --- a/mysql.fc +++ b/mysql.fc @@ -1,11 +1,24 @@ 
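Review bot: lsm.te never adds a file transition into lsmd_var_run_t, so if lsmd_t itself creates `/var/run/lsm` or the files and sockets inside it they inherit var_run_t and the four manage_*_pattern rules on lsmd_var_run_t never apply; add `files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }, "lsm")`, using the named-transition form this patch already uses for openvpn-status.log. The lsm.fc entry `/var/run/lsm(/.*)? --` has the same gap on the relabel side: the `--` qualifier matches regular files only, so restorecon leaves the directory and any socket file without the lsmd_var_run_t label — drop the `--`, as `/srv/node(/.*)?` in swift.fc does. Separately, lsmd_systemctl calls `systemd_read_fifo_file_password_run` while lsmd_admin calls `systemd_read_fifo_file_passwd_run`; both names cannot be right, and the one systemd.if does not define will be left unexpanded by m4 wherever the interface is used, so please settle on the one that exists. The lsmd_domtrans summary still reads `Execute TEMPLATE in the lsmd domin.` and should be `Execute lsmd in the lsmd domain.`, and the lsmd_systemctl summary describes a domain transition rather than a systemctl grant.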
@@ -42895,7 +43081,7 @@ index c48dc17..f93fa69 100644 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) -@@ -13,13 +26,15 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) +@@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) @@ -42911,6 +43097,7 @@ index c48dc17..f93fa69 100644 +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) ++/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0) -/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) @@ -43450,7 +43637,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..0f6abcb 100644 +index 9f6179e..94457fe 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -43623,7 +43810,7 @@ index 9f6179e..0f6abcb 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +160,22 @@ optional_policy(` +@@ -153,29 +160,23 @@ optional_policy(` ####################################### # @@ -43649,6 +43836,7 @@ index 9f6179e..0f6abcb 100644 -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) ++list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) 
@@ -43659,7 +43847,7 @@ index 9f6179e..0f6abcb 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +187,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +188,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -43687,7 +43875,7 @@ index 9f6179e..0f6abcb 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +209,7 @@ optional_policy(` +@@ -205,7 +210,7 @@ optional_policy(` ######################################## # @@ -43696,7 +43884,7 @@ index 9f6179e..0f6abcb 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +218,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +219,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -43714,7 +43902,7 @@ index 9f6179e..0f6abcb 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +231,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +232,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -46315,10 +46503,10 @@ index 0000000..02dc6dc +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..cf8f660 +index 0000000..28936b4 --- /dev/null +++ b/nova.if -@@ -0,0 +1,55 @@ +@@ -0,0 +1,57 @@ +## openstack-nova + +###################################### @@ -46373,13 +46561,15 @@ index 0000000..cf8f660 + + kernel_read_system_state(nova_$1_t) + ++ logging_send_syslog_msg(nova_$1_t) ++ +') 
diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..92134cc +index 0000000..36d6129 --- /dev/null +++ b/nova.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,320 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -46393,6 +46583,7 @@ index 0000000..92134cc +# + +attribute nova_domain; ++attribute nova_sudo_domain; + +nova_domain_template(ajax) +nova_domain_template(api) @@ -46406,6 +46597,12 @@ index 0000000..92134cc +nova_domain_template(vncproxy) +nova_domain_template(volume) + ++typeattribute nova_api_t nova_sudo_domain; ++typeattribute nova_cert_t nova_sudo_domain; ++typeattribute nova_console_t nova_sudo_domain; ++typeattribute nova_network_t nova_sudo_domain; ++typeattribute nova_volume_t nova_sudo_domain; ++ +type nova_log_t; +logging_log_file(nova_log_t) + @@ -46437,6 +46634,8 @@ index 0000000..92134cc +corenet_tcp_connect_amqp_port(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) + ++kernel_read_network_state(nova_domain) ++ +corecmd_exec_bin(nova_domain) +corecmd_exec_shell(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) @@ -46489,15 +46688,6 @@ index 0000000..92134cc + +miscfiles_read_certs(nova_api_t) + -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_api_t) -+ allow nova_api_t self:capability { setuid sys_resource setgid }; -+ allow nova_api_t self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_api_t) -+ ') -+') -+ +optional_policy(` + iptables_domtrans(nova_api_t) +') @@ -46609,15 +46799,6 @@ index 0000000..92134cc + +logging_send_syslog_msg(nova_network_t) + -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_network_t) -+ allow nova_network_t self:capability { setuid sys_resource setgid }; -+ allow nova_network_t self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_network_t) -+ ') -+') -+ +optional_policy(` + brctl_domtrans(nova_network_t) +') 
@@ -46691,23 +46872,24 @@ index 0000000..92134cc + lvm_domtrans(nova_volume_t) +') + -+ifdef(`hide_broken_symptoms',` -+ require { -+ type sudo_exec_t; -+ } -+ -+ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans }; -+ -+ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write }; -+ allow nova_volume_t self:process { setsched setrlimit }; ++optional_policy(` ++ unconfined_domain(nova_volume_t) ++') + -+ logging_send_audit_msgs(nova_volume_t) ++####################################### ++# ++# nova sudo domain local policy ++# + ++ifdef(`hide_broken_symptoms',` ++ optional_policy(` ++ sudo_exec(nova_sudo_domain) ++ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write }; ++ allow nova_sudo_domain self:process { setsched setrlimit }; ++ logging_send_audit_msgs(nova_sudo_domain) ++ ') +') + -+optional_policy(` -+ unconfined_domain(nova_volume_t) -+') diff --git a/nscd.fc b/nscd.fc index ba64485..429bd79 100644 --- a/nscd.fc @@ -51622,7 +51804,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..83daba9 100644 +index 3270ff9..60a7af6 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -51639,7 +51821,22 @@ index 3270ff9..83daba9 100644 ##
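Review bot: The new `nova_sudo_domain` attribute is also attached to nova_cert_t and nova_console_t, which in the hunks visible here never had a sudo_exec/setuid block of their own, so the refactor quietly widens two domains instead of only consolidating the three blocks it removes; if that is intended, a comment on those `typeattribute` lines saying why cert and console need sudo would help, otherwise restrict the attribute to api, network and volume. `audit_write` in the capability set is redundant with `logging_send_audit_msgs(nova_sudo_domain)`, which already carries that capability through can_send_audit_msgs. Note also that `unconfined_domain(nova_volume_t)`, kept in the optional_policy just above, makes every one of these rules moot for nova_volume_t, so the hide_broken_symptoms block only matters for the other types.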

## Determine whether openvpn can ## read generic user home content files. -@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t) +@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3) + ## + gen_tunable(openvpn_enable_homedirs, false) + ++## ++##

++## Determine whether openvpn can ++## connect to the TCP network. ++##

++##
++gen_tunable(openvpn_can_network_connect, false) ++ + attribute_role openvpn_roles; + + type openvpn_t; +@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -51658,7 +51855,7 @@ index 3270ff9..83daba9 100644 type openvpn_var_log_t; logging_log_file(openvpn_var_log_t) -@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t) +@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # @@ -51667,7 +51864,7 @@ index 3270ff9..83daba9 100644 allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; -@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") @@ -51680,7 +51877,7 @@ index 3270ff9..83daba9 100644 manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t) +@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -51688,7 +51885,7 @@ index 3270ff9..83daba9 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -103,13 +121,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) +@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) corenet_sendrecv_http_server_packets(openvpn_t) corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) 
@@ -51705,7 +51902,7 @@ index 3270ff9..83daba9 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +141,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t) auth_use_pam(openvpn_t) @@ -51733,7 +51930,18 @@ index 3270ff9..83daba9 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -155,3 +181,27 @@ optional_policy(` +@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(openvpn_t) + ') + ++tunable_policy(`openvpn_can_network_connect',` ++ corenet_tcp_connect_all_ports(openvpn_t) ++') ++ + optional_policy(` + daemontools_service_domain(openvpn_t, openvpn_exec_t) + ') +@@ -155,3 +193,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -53076,7 +53284,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..92780c3 100644 +index 7bcf327..0d93ae2 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -53135,8 +53343,8 @@ index 7bcf327..92780c3 100644 +allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; +allow pegasus_openlmi_domain self:udp_socket create_socket_perms; + -+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) -+rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) + +corecmd_exec_bin(pegasus_openlmi_domain) +corecmd_exec_shell(pegasus_openlmi_domain) @@ -61310,7 +61518,7 @@ index 0000000..4f6badd + +miscfiles_read_localization(prosody_t) diff --git a/psad.if b/psad.if -index d4dcf78..59ab964 100644 +index d4dcf78..3cce82e 100644 --- a/psad.if +++ b/psad.if @@ -93,9 +93,8 @@ interface(`psad_manage_config',` 
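Review bot: `corenet_tcp_connect_all_ports(openvpn_t)` behind `openvpn_can_network_connect` lets a daemon that already binds the http port and can exec a shell (presumably for its up/down scripts) connect to any TCP port, while the boolean's description in the previous hunk only says "connect to the TCP network", and the changelog at the end of this patch does not mention the new boolean at all. If the motivating case is one backend on a known port, a narrower `corenet_tcp_connect_<port>_port(openvpn_t)` under the same tunable is preferable; if any port really is needed, let the description say so: `## Determine whether openvpn can connect to any TCP port.` Either way, add the tunable to the changelog so administrators learn the default-off knob exists.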
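Review bot: Replacing `list_dirs_pattern`/`rw_files_pattern` with `manage_dirs_pattern`/`manage_files_pattern` on pegasus_data_t gives every type carrying the pegasus_openlmi_domain attribute create, unlink and rename rights over the pegasus data tree, not just read/write, and the changelog does not list this widening. If only one provider needs to create files there, grant it to that type rather than the attribute; if all of them do, a short why-comment above the two lines would make the intent clear to the next reader.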
@@ -61380,7 +61588,7 @@ index d4dcf78..59ab964 100644 ## Read and write psad fifo files. ## ## -@@ -198,6 +236,26 @@ interface(`psad_rw_fifo_file',` +@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',` ####################################### ## @@ -61404,10 +61612,29 @@ index d4dcf78..59ab964 100644 + +####################################### +## ++## Allow search to psad lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_search_lib_files',` ++ gen_require(` ++ type psad_t, psad_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## ## Read and write psad temporary files. ## ## -@@ -235,30 +293,34 @@ interface(`psad_rw_tmp_files',` +@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; @@ -66535,7 +66762,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..1e9ad6b 100644 +index 2c1730b..0bf7d02 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -66616,7 +66843,7 @@ index 2c1730b..1e9ad6b 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -66634,10 +66861,11 @@ index 2c1730b..1e9ad6b 100644 -miscfiles_read_localization(mdadm_t) +systemd_exec_systemctl(mdadm_t) ++systemd_start_systemd_services(mdadm_t) userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +122,17 @@ optional_policy(` +@@ -97,9 +123,17 @@ optional_policy(` ') optional_policy(` 
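Review bot: `psad_search_lib_files` requires `type psad_t` but never uses it, so the gen_require should be just `type psad_var_lib_t;` — an unused require still makes every caller depend on psad_t being present. The summary `Allow search to psad lib files.` is also off, since the body grants search on directories; `## Search psad lib directories.` describes it better. The interface is complete within the hunk.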
@@ -83864,10 +84092,10 @@ index c6aaac7..a5600a8 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..e5433ad +index 0000000..744f0ce --- /dev/null +++ b/swift.fc -@@ -0,0 +1,28 @@ +@@ -0,0 +1,29 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -83887,7 +84115,8 @@ index 0000000..e5433ad + +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + -+/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0) ++/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) ++/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) + +# This seems to be a de-facto standard when using swift. +/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) @@ -84027,10 +84256,10 @@ index 0000000..015c2c9 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..39f1ca1 +index 0000000..c7b2bf6 --- /dev/null +++ b/swift.te -@@ -0,0 +1,53 @@ +@@ -0,0 +1,69 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -84042,6 +84271,9 @@ index 0000000..39f1ca1 +type swift_exec_t; +init_daemon_domain(swift_t, swift_exec_t) + ++type swift_var_cache_t; ++files_type(swift_var_cache_t) ++ +type swift_var_run_t; +files_pid_file(swift_var_run_t) + 
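Review bot: The `--` qualifier added to `/var/cache/swift(/.*)?` and `/var/run/swift(/.*)?` restricts both entries to regular files, so restorecon will not label the directories themselves, nor any socket or symlink under them, as swift_var_cache_t / swift_var_run_t; they fall back to the generic /var/cache and /var/run labels, which defeats the "cache dirs with correct labeling" goal in the changelog. Drop the `--` on both lines, as the original `/var/run/swift(/.*)?` entry and `/srv/node(/.*)?` in the same file already do. swift.te's `manage_lnk_files_pattern` on swift_var_cache_t also implies symlinks are expected there, which `--` would never match.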
@@ -84056,10 +84288,18 @@ index 0000000..39f1ca1 +# swift local policy +# + ++allow swift_t self:process signal; ++ +allow swift_t self:fifo_file rw_fifo_file_perms; ++allow swift_t self:tcp_socket create_stream_socket_perms; +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + ++manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++files_var_filetrans(swift_t,swift_var_cache_t, { dir file }) ++ +manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) @@ -84072,6 +84312,7 @@ index 0000000..39f1ca1 + +kernel_dgram_send(swift_t) +kernel_read_system_state(swift_t) ++kernel_read_network_state(swift_t) + +corecmd_exec_shell(swift_t) + @@ -84079,11 +84320,15 @@ index 0000000..39f1ca1 + +domain_use_interactive_fds(swift_t) + ++files_dontaudit_search_home(swift_t) ++ +auth_use_nsswitch(swift_t) + +libs_exec_ldconfig(swift_t) + +logging_send_syslog_msg(swift_t) ++ ++userdom_dontaudit_search_user_home_dirs(swift_t) diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 index 0000000..b7db254 diff --git a/selinux-policy.spec b/selinux-policy.spec index ba44369..c6decf8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 71%{?dist} +Release: 72%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
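Review bot: `files_var_filetrans(swift_t,swift_var_cache_t, { dir file })` has no name argument, so any directory or file swift_t creates directly under /var — not only the cache directory — is labeled swift_var_cache_t; constrain it with a named transition, `files_var_filetrans(swift_t, swift_var_cache_t, dir, "swift")`, the form this patch already uses for openvpn-status.log. The missing space after the first comma is cosmetic but differs from every other rule in the file. A one-line comment naming which swift service needed the new `tcp_socket` and `kernel_read_network_state` grants would keep this module readable.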
@@ -539,6 +539,19 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Aug 23 2013 Miroslav Grepl 3.12.1-72 +- Fix collectd_t can read /etc/passwd file +- Fix lsm.if summary +- Add policy for lsmd +- Cleanup raid.te +- Add support for abrt-upload-watch +- Dontaudit access check on cert_t for httpd_t +- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory +- Allow glusterd to read domains state +- Allow swift to crete cache dirs with correct labeling +- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh +- Add support for .Xauthority-n + * Tue Aug 20 2013 Miroslav Grepl 3.12.1-71 - Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984