diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 2f29e17..d9a6df5 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -111776,7 +111776,7 @@ index 98b8b2d..41f4994 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 673180c..17d6f72 100644 +index 673180c..82cfc6e 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0) @@ -112054,11 +112054,15 @@ index 673180c..17d6f72 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,9 +385,11 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +385,15 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) ++ ++optional_policy(` ++ gnome_exec_keyringd(passwd_t) ++') optional_policy(` - nscd_run(passwd_t, passwd_roles) @@ -112067,7 +112071,7 @@ index 673180c..17d6f72 100644 ') ######################################## -@@ -398,9 +436,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +440,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -112080,7 +112084,7 @@ index 673180c..17d6f72 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +452,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) 
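Review bot: `gnome_exec_keyringd(passwd_t)` in the new optional block runs gnome-keyring-daemon inside passwd_t itself (an exec, not a domain transition), so the keyring process inherits whatever passwd_t is allowed, which for a password-changing tool presumably includes shadow access granted elsewhere in this file. If passwd only needs to launch the daemon, a transition interface would keep the two privilege sets apart; if the in-domain exec is genuinely required, record why above the block, e.g. `# passwd execs gnome-keyring-daemon in-domain to <reason>; revisit when a domtrans interface exists`. The `userdom_stream_connect(passwd_t)` line added just above it likewise has no comment naming the socket it needs. The enclosing passwd_t section continues outside the hunk.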
@@ -112088,7 +112092,7 @@ index 673180c..17d6f72 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -423,19 +461,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +465,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -112110,7 +112114,7 @@ index 673180c..17d6f72 100644 ') ######################################## -@@ -443,7 +479,8 @@ optional_policy(` +@@ -443,7 +483,8 @@ optional_policy(` # Useradd local policy # @@ -112120,7 +112124,7 @@ index 673180c..17d6f72 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -465,36 +502,35 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +506,35 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -112168,7 +112172,7 @@ index 673180c..17d6f72 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +541,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +545,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) 
@@ -112198,10 +112202,10 @@ index 673180c..17d6f72 100644 userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) +userdom_delete_all_user_home_content(useradd_t) @@ -112219,7 +112223,7 @@ index 673180c..17d6f72 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +581,8 @@ optional_policy(` +@@ -542,7 +585,8 @@ optional_policy(` ') optional_policy(` @@ -112229,7 +112233,7 @@ index 673180c..17d6f72 100644 ') optional_policy(` -@@ -550,6 +590,11 @@ optional_policy(` +@@ -550,6 +594,11 @@ optional_policy(` ') optional_policy(` @@ -112241,7 +112245,7 @@ index 673180c..17d6f72 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +604,7 @@ optional_policy(` +@@ -559,3 +608,7 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -114381,7 +114385,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index fe2ee5e..5a58a39 100644 +index fe2ee5e..72c5a3b 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0) 
@@ -114559,7 +114563,7 @@ index fe2ee5e..5a58a39 100644 +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) -+network_port(keystone, tcp,5000,s0, udp,5000,s0) ++network_port(keystone, tcp,5000,s0, udp,5000,s0, tcp, 35357,s0, udp, 35357,s0) +network_port(rtsclient, tcp,2501,s0) network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) @@ -114744,7 +114748,7 @@ index fe2ee5e..5a58a39 100644 + +allow netlabel_peer_type netlabel_peer_t:peer recv; +allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; -+allow netlabel_peer_t netif_t:netif ingress; ++allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress }; +allow netlabel_peer_t node_t:node recvfrom; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index 3f6e168..51ad69a 100644 @@ -124385,7 +124389,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index e5aee97..2699a70 100644 +index e5aee97..2fdb49f 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,67 @@ policy_module(staff, 2.3.0) @@ -124456,7 +124460,7 @@ index e5aee97..2699a70 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +78,106 @@ optional_policy(` +@@ -23,11 +78,110 @@ optional_policy(` ') optional_policy(` @@ -124493,7 +124497,7 @@ index e5aee97..2699a70 100644 +') + +optional_policy(` -+ gnomeclock_dbus_chat(staff_t) ++ firewalld_dbus_chat(staff_t) +') + +optional_policy(` @@ -124501,6 +124505,10 @@ index e5aee97..2699a70 100644 +') + +optional_policy(` ++ gnomeclock_dbus_chat(staff_t) ++') ++ ++optional_policy(` + gnome_role(staff_r, staff_t) +') + 
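Review bot: Appending 35357 to the single keystone entry (`network_port(keystone, …)`) merges Keystone's admin API port with its public port, so every domain granted `corenet_tcp_connect_keystone_port` now also reaches the admin endpoint — deltacloudd_t gets exactly that in the cloudform.te hunk later in this patch. The kerberos lines two above show the alternative: `kerberos` and `kerberos_admin` are separate types, and a `network_port(keystone_admin, tcp,35357,s0)` would let the admin port be granted deliberately. The new entries also break the line's formatting (`tcp, 35357` versus `tcp,5000`), and since Keystone serves HTTP over TCP the udp entries look unnecessary — worth confirming before they become part of the type.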
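Review bot: The rewritten `allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress };` adds egress and rawip_recv on every network interface, while the netlabel rules directly above it (`recv`, `recvfrom`) are all receive-side. From the hunk alone I cannot tell which traffic prompted the egress grant; a comment naming the scenario would keep a later cleanup from dropping it, e.g. `# labeled peers need egress on the interface for <observed case>`. If no such case exists, keep the line to the receive permissions.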
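Review bot: `firewalld_dbus_chat(staff_t)` is the one genuine addition in the staff.te hunks here, but it is interleaved with the alphabetical move of the gnomeclock block, which makes the new grant easy to miss. It lets the unprivileged staff role talk to firewalld over D-Bus, so the real boundary on firewall changes becomes firewalld's own authorization checks rather than SELinux; that is worth stating above the block, e.g. `# SELinux only permits the bus traffic; firewalld authorizes configuration changes itself`. Keeping reorders and new permissions in separate hunks would make the next review simpler.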
@@ -124509,19 +124517,19 @@ index e5aee97..2699a70 100644 +') + +optional_policy(` -+ lpd_list_spool(staff_t) ++ kerneloops_dbus_chat(staff_t) +') + +optional_policy(` -+ mock_role(staff_r, staff_t) ++ logadm_role_change(staff_r) +') + +optional_policy(` -+ kerneloops_dbus_chat(staff_t) ++ lpd_list_spool(staff_t) +') + +optional_policy(` -+ logadm_role_change(staff_r) ++ mock_role(staff_r, staff_t) +') + +optional_policy(` @@ -124564,7 +124572,7 @@ index e5aee97..2699a70 100644 ') optional_policy(` -@@ -35,15 +185,31 @@ optional_policy(` +@@ -35,15 +189,31 @@ optional_policy(` ') optional_policy(` @@ -124598,7 +124606,7 @@ index e5aee97..2699a70 100644 ') optional_policy(` -@@ -52,10 +218,59 @@ optional_policy(` +@@ -52,10 +222,59 @@ optional_policy(` ') optional_policy(` @@ -124658,7 +124666,7 @@ index e5aee97..2699a70 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +280,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +284,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124669,7 +124677,7 @@ index e5aee97..2699a70 100644 cdrecord_role(staff_r, staff_t) ') -@@ -93,18 +304,10 @@ ifndef(`distro_redhat',` +@@ -93,18 +308,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124688,7 +124696,7 @@ index e5aee97..2699a70 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +328,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +332,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124699,7 +124707,7 @@ index e5aee97..2699a70 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +340,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +344,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -124710,7 +124718,7 @@ index e5aee97..2699a70 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +371,20 @@ ifndef(`distro_redhat',` +@@ -176,3 +375,20 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -129619,7 +129627,7 @@ index 130ced9..a75282a 100644 + files_search_tmp($1) +') 
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..6a1f890 100644 +index d40f750..9f53f97 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -130370,7 +130378,7 @@ index d40f750..6a1f890 100644 hostname_exec(xdm_t) ') -@@ -537,28 +822,74 @@ optional_policy(` +@@ -537,28 +822,78 @@ optional_policy(` ') optional_policy(` @@ -130427,34 +130435,38 @@ index d40f750..6a1f890 100644 optional_policy(` - udev_read_db(xdm_t) + ssh_signull(xdm_t) ++') ++ ++optional_policy(` ++ shutdown_domtrans(xdm_t) ') optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) -+ shutdown_domtrans(xdm_t) ++ telepathy_exec(xdm_t) +') - ifndef(`distro_redhat',` - allow xdm_t self:process { execheap execmem }; - ') +optional_policy(` -+ telepathy_exec(xdm_t) ++ udev_read_db(xdm_t) +') - ifdef(`distro_rhel4',` - allow xdm_t self:process { execheap execmem }; - ') +optional_policy(` -+ udev_read_db(xdm_t) ++ unconfined_signal(xdm_t) +') + +optional_policy(` -+ unconfined_signal(xdm_t) ++ usbmuxd_stream_connect(xdm_t) ') optional_policy(` -@@ -570,6 +901,14 @@ optional_policy(` +@@ -570,6 +905,14 @@ optional_policy(` ') optional_policy(` @@ -130469,7 +130481,7 @@ index d40f750..6a1f890 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
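Review bot: The only net addition in the xdm_t hunk is `usbmuxd_stream_connect(xdm_t)`; the rest re-sorts the shutdown_domtrans, telepathy_exec, udev_read_db and unconfined_signal blocks, which buries the new grant. xdm_t is a long-lived privileged domain, so each new connect target widens what a compromised greeter can reach; a one-line comment on which display-manager component needs the usbmuxd socket would justify it, e.g. `# xdm talks to usbmuxd for <component> — confirm`. Prefer doing the alphabetical reorder as its own change.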
@@ -130482,7 +130494,7 @@ index d40f750..6a1f890 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -130498,7 +130510,7 @@ index d40f750..6a1f890 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -130520,7 +130532,7 @@ index d40f750..6a1f890 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -130534,7 +130546,7 @@ index d40f750..6a1f890 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1023,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1027,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -130566,7 +130578,7 @@ index d40f750..6a1f890 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1055,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1059,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -130580,7 +130592,7 @@ index d40f750..6a1f890 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1074,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1078,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -130604,7 +130616,7 @@ index d40f750..6a1f890 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,16 +1139,40 @@ optional_policy(` +@@ -775,16 +1143,40 @@ optional_policy(` ') optional_policy(` @@ -130646,7 +130658,7 @@ index d40f750..6a1f890 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1181,10 @@ optional_policy(` +@@ -793,6 +1185,10 @@ optional_policy(` ') optional_policy(` @@ -130657,7 +130669,7 @@ index d40f750..6a1f890 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1204,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -130671,7 +130683,7 @@ index d40f750..6a1f890 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1215,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. 
@@ -130680,7 +130692,7 @@ index d40f750..6a1f890 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1224,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1228,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -130715,7 +130727,7 @@ index d40f750..6a1f890 100644 ') optional_policy(` -@@ -859,6 +1246,10 @@ optional_policy(` +@@ -859,6 +1250,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -130726,7 +130738,7 @@ index d40f750..6a1f890 100644 ######################################## # # Rules common to all X window domains -@@ -902,7 +1293,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1297,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -130735,7 +130747,7 @@ index d40f750..6a1f890 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1347,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1351,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -130767,7 +130779,7 @@ index d40f750..6a1f890 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1393,44 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1397,44 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') 
@@ -137825,7 +137837,7 @@ index f8eeecd..0d42470 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index fe3427d..2a501db 100644 +index fe3427d..2410a4e 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,8 +9,9 @@ ifdef(`distro_gentoo',` @@ -137852,14 +137864,17 @@ index fe3427d..2a501db 100644 /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) -@@ -75,7 +71,6 @@ ifdef(`distro_redhat',` +@@ -75,8 +71,9 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) -/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) ++ ++/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0) /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + /var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 926ba65..9cac7b3 100644 --- a/policy/modules/system/miscfiles.if @@ -142312,10 +142327,10 @@ index 0000000..5d53f08 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..9537426 +index 0000000..223e3f0 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,450 @@ +@@ -0,0 +1,451 @@ +policy_module(systemd, 1.0.0) + +####################################### 
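Review bot: `/var/named/chroot/etc/localtime -- gen_context(system_u:object_r:cert_t,s0)` labels a timezone file as a certificate type, presumably so the chrooted named can read it through the same rule that already covers the `/var/named/chroot/etc/pki` line beneath it. That stretches cert_t to a non-certificate object and silently extends every cert_t reader to this path; refpolicy labels the regular /etc/localtime as locale_t, which is the type this entry should probably follow. If cert_t is intentional, add a comment above the line saying why, e.g. `# chroot copy of /etc/localtime; cert_t so named's existing read rules apply`.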
@@ -142478,10 +142493,11 @@ index 0000000..9537426 + +userdom_read_all_users_state(systemd_logind_t) +userdom_use_user_ttys(systemd_logind_t) -+userdom_manage_user_tmp_dirs(systemd_logind_t) -+userdom_manage_user_tmp_files(systemd_logind_t) -+userdom_manage_user_tmp_symlinks(systemd_logind_t) -+userdom_manage_user_tmp_sockets(systemd_logind_t) ++userdom_manage_all_user_tmp_content(systemd_logind_t) ++ ++optional_policy(` ++ apache_read_tmp_files(systemd_logind_t) ++') + +optional_policy(` + cron_dbus_chat_crond(systemd_logind_t) diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index fd42ade..916914e 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -4551,7 +4551,7 @@ index e342775..1fedbe5 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index d052bf0..48f0ce4 100644 +index d052bf0..8f2695f 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -4564,7 +4564,7 @@ index d052bf0..48f0ce4 100644 ######################################## # # apcupsd local policy -@@ -53,7 +56,6 @@ kernel_read_system_state(apcupsd_t) +@@ -53,15 +56,16 @@ kernel_read_system_state(apcupsd_t) corecmd_exec_bin(apcupsd_t) corecmd_exec_shell(apcupsd_t) 
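Review bot: Replacing the four `userdom_manage_user_tmp_*` calls with `userdom_manage_all_user_tmp_content(systemd_logind_t)` widens logind from user_tmp_t to every user tmp type, and the new optional `apache_read_tmp_files(systemd_logind_t)` pulls in a further service's temp files; neither line says why. logind's interest here is presumably removing per-session files when a session ends, so a comment above the first line would record that intent, e.g. `# logind cleans up per-user tmp content at session end — needs all user tmp types`. If the apache read only satisfies a denial seen during that cleanup, a narrower interface scoped to that operation would be the better fit. The systemd_logind_t section continues outside the hunk.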
@@ -4572,7 +4572,17 @@ index d052bf0..48f0ce4 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -76,24 +78,29 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file) + corenet_tcp_sendrecv_all_ports(apcupsd_t) + corenet_tcp_bind_generic_node(apcupsd_t) + corenet_tcp_bind_apcupsd_port(apcupsd_t) ++corenet_udp_bind_generic_node(apcupsd_t) + corenet_sendrecv_apcupsd_server_packets(apcupsd_t) + corenet_tcp_connect_apcupsd_port(apcupsd_t) ++corenet_udp_bind_snmp_port(apcupsd_t) + + dev_rw_generic_usb_dev(apcupsd_t) + +@@ -76,24 +80,29 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file) # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805 term_use_unallocated_ttys(apcupsd_t) @@ -4605,7 +4615,7 @@ index d052bf0..48f0ce4 100644 mta_send_mail(apcupsd_t) mta_system_content(apcupsd_tmp_t) ') -@@ -113,7 +120,6 @@ optional_policy(` +@@ -113,7 +122,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -8862,10 +8872,10 @@ index 0000000..efebae7 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..6298388 +index 0000000..32ff486 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,193 @@ +@@ -0,0 +1,195 @@ +policy_module(chrome,1.0.0) + +######################################## 
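Review bot: `corenet_udp_bind_snmp_port(apcupsd_t)` lets the daemon bind the SNMP port type, which is the server side; apcupsd polling a network UPS is an SNMP client and would need send/receive rather than bind. If the bind exists to receive SNMP traps from the UPS, say so next to the line (`# apcupsd listens for SNMP traps from network UPS models`), because a bind on a well-known port is the kind of grant later reviewers will question first. The adjacent `corenet_udp_bind_generic_node(apcupsd_t)` should stay tied to the same justification.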
@@ -8899,10 +8909,12 @@ index 0000000..6298388 +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:process setsched; -+allow chrome_sandbox_t self:fifo_file manage_file_perms; ++allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms; +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; +allow chrome_sandbox_t self:shm create_shm_perms; ++allow chrome_sandbox_t self:sem create_sem_perms; ++allow chrome_sandbox_t self:msgq create_msgq_perms; +allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms; +dontaudit chrome_sandbox_t self:memprotect mmap_zero; + @@ -9942,10 +9954,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..1e73280 +index 0000000..b73fed6 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,199 @@ +@@ -0,0 +1,201 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -10048,6 +10060,8 @@ index 0000000..1e73280 + +corenet_tcp_bind_generic_node(deltacloudd_t) +corenet_tcp_bind_generic_port(deltacloudd_t) ++corenet_tcp_connect_http_port(deltacloudd_t) ++corenet_tcp_connect_keystone_port(deltacloudd_t) + +auth_use_nsswitch(deltacloudd_t) + @@ -12138,13 +12152,29 @@ index 3a6d7eb..1bb208a 100644 /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/corosync.if b/corosync.if -index 5220c9d..885b25d 100644 +index 5220c9d..33df583 100644 --- a/corosync.if 
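Review bot: `corenet_tcp_connect_keystone_port(deltacloudd_t)` now reaches Keystone's admin API as well as its public one, because the corenetwork.te.in hunk earlier in this patch adds port 35357 to the same keystone port type. If deltacloud only authenticates against the public endpoint, splitting the admin port into its own type in corenetwork would keep this line scoped; if it does need the admin API, note that above the line, e.g. `# deltacloud uses the Keystone admin API (35357) — confirm`. `corenet_tcp_connect_http_port` beside it is broad but expected for a cloud API broker.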
+++ b/corosync.if -@@ -18,6 +18,25 @@ interface(`corosync_domtrans',` - domtrans_pattern($1, corosync_exec_t, corosync_t) - ') +@@ -20,6 +20,43 @@ interface(`corosync_domtrans',` + ####################################### + ## ++## Execute a domain transition to run corosync. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`corosync_initrc_domtrans',` ++ gen_require(` ++ type corosync_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, corosync_initrc_exec_t) ++') ++ +###################################### +## +## Execute corosync in the caller domain. @@ -12164,10 +12194,12 @@ index 5220c9d..885b25d 100644 + can_exec($1, corosync_exec_t) +') + - ####################################### - ## ++####################################### ++## ## Allow the specified domain to read corosync's log files. -@@ -52,14 +71,58 @@ interface(`corosync_read_log',` + ## + ## +@@ -52,14 +89,58 @@ interface(`corosync_read_log',` interface(`corosync_stream_connect',` gen_require(` type corosync_t, corosync_var_run_t; @@ -12226,7 +12258,7 @@ index 5220c9d..885b25d 100644 ## All of the rules required to administrate ## an corosync environment ## -@@ -80,11 +143,16 @@ interface(`corosyncd_admin',` +@@ -80,11 +161,16 @@ interface(`corosyncd_admin',` type corosync_t, corosync_var_lib_t, corosync_var_log_t; type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; type corosync_initrc_exec_t; @@ -12244,7 +12276,7 @@ index 5220c9d..885b25d 100644 init_labeled_script_domtrans($1, corosync_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; -@@ -103,4 +171,8 @@ interface(`corosyncd_admin',` +@@ -103,4 +189,8 @@ interface(`corosyncd_admin',` files_list_pids($1) admin_pattern($1, corosync_var_run_t) @@ -12254,7 +12286,7 @@ index 5220c9d..885b25d 100644 + allow $1 corosync_unit_file_t:service all_service_perms; ') diff --git a/corosync.te b/corosync.te -index 04969e5..65c8353 100644 +index 04969e5..1d60d9f 100644 
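Review bot: The summary of the new `corosync_initrc_domtrans` interface says "Execute a domain transition to run corosync." — copied from corosync_domtrans — but its body calls `init_labeled_script_domtrans($1, corosync_initrc_exec_t)`, which transitions through the corosync init script into the initrc domain, not into corosync_t. Change the summary line to `## Execute corosync init scripts in the initrc domain.` so callers do not pick it expecting a direct transition. The parameter description can stay as written.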
--- a/corosync.te +++ b/corosync.te @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) @@ -12311,7 +12343,7 @@ index 04969e5..65c8353 100644 manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -@@ -60,44 +71,93 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) +@@ -60,44 +71,96 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) @@ -12370,17 +12402,17 @@ index 04969e5..65c8353 100644 +optional_policy(` + consoletype_exec(corosync_t) +') ++ ++optional_policy(` ++ dbus_system_bus_client(corosync_t) ++') - rhcs_rw_gfs_controld_semaphores(corosync_t) +optional_policy(` -+ dbus_system_bus_client(corosync_t) ++ drbd_domtrans(corosync_t) ') optional_policy(` -+ drbd_domtrans(corosync_t) -+') -+ -+optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) + lvm_delete_clvmd_tmpfs_files(corosync_t) +') @@ -12412,6 +12444,9 @@ index 04969e5..65c8353 100644 + rpc_search_nfs_state_data(corosync_t) +') + ++optional_policy(` ++ wdmd_rw_tmpfs(corosync_t) ++') diff --git a/couchdb.fc b/couchdb.fc new file mode 100644 index 0000000..196461b @@ -13589,7 +13624,7 @@ index 6e12dc7..b006818 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/cron.te b/cron.te -index b357856..2a711bd 100644 +index b357856..28ae123 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ 
@@ -14015,16 +14050,20 @@ index b357856..2a711bd 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -439,6 +522,8 @@ optional_policy(` +@@ -439,6 +522,12 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) + apache_delete_cache_dirs(system_cronjob_t) + apache_delete_cache_files(system_cronjob_t) ++') ++ ++optional_policy(` ++ bind_read_config(system_cronjob_t) ') optional_policy(` -@@ -446,6 +531,14 @@ optional_policy(` +@@ -446,6 +535,14 @@ optional_policy(` ') optional_policy(` @@ -14039,7 +14078,7 @@ index b357856..2a711bd 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,6 +549,10 @@ optional_policy(` +@@ -456,6 +553,10 @@ optional_policy(` ') optional_policy(` @@ -14050,7 +14089,7 @@ index b357856..2a711bd 100644 lpd_list_spool(system_cronjob_t) ') -@@ -464,7 +561,9 @@ optional_policy(` +@@ -464,7 +565,9 @@ optional_policy(` ') optional_policy(` @@ -14060,7 +14099,7 @@ index b357856..2a711bd 100644 ') optional_policy(` -@@ -472,6 +571,10 @@ optional_policy(` +@@ -472,6 +575,10 @@ optional_policy(` ') optional_policy(` @@ -14071,7 +14110,7 @@ index b357856..2a711bd 100644 postfix_read_config(system_cronjob_t) ') -@@ -480,7 +583,7 @@ optional_policy(` +@@ -480,7 +587,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -14080,7 +14119,7 @@ index b357856..2a711bd 100644 ') optional_policy(` -@@ -495,6 +598,7 @@ optional_policy(` +@@ -495,6 +602,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -14088,7 +14127,7 @@ index b357856..2a711bd 100644 ') optional_policy(` -@@ -502,7 +606,18 @@ optional_policy(` +@@ -502,7 +610,18 @@ optional_policy(` ') optional_policy(` 
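Review bot: `bind_read_config(system_cronjob_t)` gives every system cron job read access to BIND's configuration, and named.conf commonly embeds rndc or TSIG key statements, so this is effectively read access to key material for any job in the domain. If one particular job needs it, name it above the optional_policy block so the grant can be removed when that job moves, e.g. `# <cron job> reads named.conf — confirm it cannot run in a narrower domain`. Consider whether that job could run under a dedicated domain instead of the shared system_cronjob_t.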
@@ -14107,7 +14146,7 @@ index b357856..2a711bd 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -542,7 +657,6 @@ kernel_read_kernel_sysctls(cronjob_t) +@@ -542,7 +661,6 @@ kernel_read_kernel_sysctls(cronjob_t) # ps does not need to access /boot when run from cron files_dontaudit_search_boot(cronjob_t) @@ -14115,7 +14154,7 @@ index b357856..2a711bd 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -579,7 +693,6 @@ logging_search_logs(cronjob_t) +@@ -579,7 +697,6 @@ logging_search_logs(cronjob_t) seutil_read_config(cronjob_t) @@ -14123,7 +14162,7 @@ index b357856..2a711bd 100644 userdom_manage_user_tmp_files(cronjob_t) userdom_manage_user_tmp_symlinks(cronjob_t) -@@ -595,9 +708,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +712,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -14137,7 +14176,7 @@ index b357856..2a711bd 100644 allow crond_t user_cron_spool_t:file manage_file_perms; ') -@@ -626,3 +742,74 @@ optional_policy(` +@@ -626,3 +746,74 @@ optional_policy(` unconfined_domain(unconfined_cronjob_t) ') @@ -19778,10 +19817,10 @@ index 0000000..2f3efe7 +sysnet_dns_name_resolve(drbd_t) diff --git a/dspam.fc b/dspam.fc new file mode 100644 -index 0000000..cc0815b +index 0000000..4dc92b3 --- /dev/null +++ b/dspam.fc -@@ -0,0 +1,16 @@ +@@ -0,0 +1,18 @@ + +/etc/rc\.d/init\.d/dspam -- gen_context(system_u:object_r:dspam_initrc_exec_t,s0) + 
@@ -19795,6 +19834,8 @@ index 0000000..cc0815b + +# web + ++/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) ++/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0) +/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0) + +/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_content_rw_t,s0) @@ -20073,10 +20114,10 @@ index 0000000..a446210 +') diff --git a/dspam.te b/dspam.te new file mode 100644 -index 0000000..2b91a78 +index 0000000..e6f0960 --- /dev/null +++ b/dspam.te -@@ -0,0 +1,92 @@ +@@ -0,0 +1,113 @@ + +policy_module(dspam, 1.0.0) + @@ -20121,15 +20162,17 @@ index 0000000..2b91a78 +manage_dirs_pattern(dspam_t, dspam_log_t, dspam_log_t) +manage_files_pattern(dspam_t, dspam_log_t, dspam_log_t) + ++files_search_var_lib(dspam_t) +manage_dirs_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t) +manage_files_pattern(dspam_t, dspam_var_lib_t, dspam_var_lib_t) + +manage_dirs_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) +manage_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) +manage_sock_files_pattern(dspam_t, dspam_var_run_t, dspam_var_run_t) ++files_pid_filetrans(dspam_t, dspam_var_run_t, dir, "dspam") + +manage_sock_files_pattern(dspam_t, dspam_tmp_t, dspam_tmp_t) -+files_tmp_filetrans(dspam_t, dspam_tmp_t, { sock_file }) ++files_tmp_filetrans(dspam_t, dspam_tmp_t, sock_file) + +corenet_tcp_connect_spamd_port(dspam_t) +corenet_tcp_bind_spamd_port(dspam_t) 
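Review bot: `/var/www/dspam(/.*?)` in the new content line looks like a typo for `(/.*)?`, the form used on every other directory entry in this file, e.g. `/var/lib/dspam/data(/.*)?`. As written the group is mandatory, so `/var/www/dspam` itself is not matched and keeps whatever label its parent path gives it, while everything beneath it becomes httpd_dspam_content_t — a mislabeled directory that a relabel will not fix. Change it to `/var/www/dspam(/.*)? gen_context(system_u:object_r:httpd_dspam_content_t,s0)`.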
@@ -20164,11 +20207,30 @@ index 0000000..2b91a78 +optional_policy(` + apache_content_template(dspam) + ++ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) ++ ++ files_search_var_lib(httpd_dspam_script_t) + list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t) + manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) + manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) -+') + ++ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t) ++ ++ term_dontaudit_search_ptys(httpd_dspam_script_t) ++ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t) ++ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t) ++ ++ init_read_utmp(httpd_dspam_script_t) ++ ++ logging_send_syslog_msg(httpd_dspam_script_t) ++ ++ mta_send_mail(httpd_dspam_script_t) ++ ++ optional_policy(` ++ mysql_tcp_connect(httpd_dspam_script_t) ++ mysql_stream_connect(httpd_dspam_script_t) ++ ') ++') diff --git a/entropyd.te b/entropyd.te index b6ac808..6235eb0 100644 --- a/entropyd.te @@ -23420,7 +23482,7 @@ index 0000000..d35f2b0 + +userdom_manage_user_home_dirs(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index 00a19e3..5a2dbfd 100644 +index 00a19e3..52e5a3a 100644 --- a/gnome.fc +++ b/gnome.fc @@ -1,9 +1,57 @@ @@ -23438,7 +23500,7 @@ index 00a19e3..5a2dbfd 100644 +HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) -+HOME_DIR/cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) ++HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) 
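Review bot: `mta_send_mail(httpd_dspam_script_t)` and the nested mysql connect rules extend the web-facing CGI domain rather than the daemon; a CGI that can send mail and reach the database is a much larger target than one that only renders quarantine pages, so each grant should carry the feature that needs it. If only dspam_t delivers mail, keep mta_send_mail on the daemon; if dspam.cgi genuinely sends notifications, add `# dspam.cgi mails users on quarantine actions — confirm` above the line. The read-only `read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)` is the right direction for the daemon's var/lib data and needs no change.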
@@ -23460,7 +23522,7 @@ index 00a19e3..5a2dbfd 100644 +/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) +/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) -+/root/cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) ++/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) +/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) @@ -23484,7 +23546,7 @@ index 00a19e3..5a2dbfd 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index f5afe78..2a96043 100644 +index f5afe78..69577c7 100644 --- a/gnome.if +++ b/gnome.if @@ -1,44 +1,1048 @@ 
@@ -24737,18 +24799,18 @@ index f5afe78..2a96043 100644 + userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0") -+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0") ++ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12") + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") + userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10") -+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12") +') + +####################################### @@ -28686,10 +28748,37 @@ index c66934f..1906ffe 100644 +/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + diff --git a/kdump.if b/kdump.if -index 4198ff5..d1ab262 100644 +index 4198ff5..15d521b 100644 
--- a/kdump.if +++ b/kdump.if -@@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',` +@@ -19,6 +19,26 @@ interface(`kdump_domtrans',` + domtrans_pattern($1, kdump_exec_t, kdump_t) + ') + ++###################################### ++## ++## Execute kdumpctl in the kdumpctl domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`kdumpctl_domtrans',` ++ gen_require(` ++ type kdumpctl_t, kdumpctl_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t) ++') ++ ++ + ####################################### + ## + ## Execute kdump in the kdump domain. +@@ -37,6 +57,30 @@ interface(`kdump_initrc_domtrans',` init_labeled_script_domtrans($1, kdump_initrc_exec_t) ') @@ -28720,7 +28809,7 @@ index 4198ff5..d1ab262 100644 ##################################### ## ## Read kdump configuration file. -@@ -56,6 +80,24 @@ interface(`kdump_read_config',` +@@ -56,6 +100,24 @@ interface(`kdump_read_config',` allow $1 kdump_etc_t:file read_file_perms; ') @@ -28745,7 +28834,7 @@ index 4198ff5..d1ab262 100644 #################################### ## ## Manage kdump configuration file. -@@ -75,6 +117,27 @@ interface(`kdump_manage_config',` +@@ -75,6 +137,27 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') @@ -28773,7 +28862,7 @@ index 4198ff5..d1ab262 100644 ###################################### ## ## All of the rules required to administrate -@@ -96,10 +159,14 @@ interface(`kdump_admin',` +@@ -96,10 +179,14 @@ interface(`kdump_admin',` gen_require(` type kdump_t, kdump_etc_t; type kdump_initrc_exec_t; @@ -28789,7 +28878,7 @@ index 4198ff5..d1ab262 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -108,4 +175,8 @@ interface(`kdump_admin',` +@@ -108,4 +195,8 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) 
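Review bot: The new `kdumpctl_domtrans` interface is followed by two added blank lines before the `#######` banner of the next interface; the rest of kdump.if separates interfaces with a single blank line, so drop one of them. The body itself follows the usual `corecmd_search_bin($1)` / `domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)` shape and its `gen_require` names exactly the types it uses, so nothing else to raise here.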
@@ -28799,7 +28888,7 @@ index 4198ff5..d1ab262 100644 + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index b29d8e2..f177074 100644 +index b29d8e2..6b6a6c4 100644 --- a/kdump.te +++ b/kdump.te @@ -15,15 +15,28 @@ files_config_file(kdump_etc_t) @@ -28831,7 +28920,7 @@ index b29d8e2..f177074 100644 files_read_etc_runtime_files(kdump_t) files_read_kernel_img(kdump_t) -@@ -36,3 +49,88 @@ dev_read_framebuffer(kdump_t) +@@ -36,3 +49,89 @@ dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) term_use_console(kdump_t) @@ -28877,6 +28966,7 @@ index b29d8e2..f177074 100644 +files_read_usr_files(kdumpctl_t) +files_read_kernel_modules(kdumpctl_t) +files_getattr_all_dirs(kdumpctl_t) ++files_delete_kernel(kdumpctl_t) + +fs_getattr_all_fs(kdumpctl_t) +fs_search_all(kdumpctl_t) @@ -28949,7 +29039,7 @@ index d6af9b0..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index 0c52f60..96f687c 100644 +index 0c52f60..acb89ac 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0) @@ -28991,7 +29081,7 @@ index 0c52f60..96f687c 100644 files_manage_boot_files(kdumpgui_t) files_manage_boot_symlinks(kdumpgui_t) -@@ -36,28 +47,52 @@ files_manage_etc_runtime_files(kdumpgui_t) +@@ -36,28 +47,53 @@ files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) files_read_usr_files(kdumpgui_t) @@ -29042,6 +29132,7 @@ index 0c52f60..96f687c 100644 kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) + kdump_systemctl(kdumpgui_t) ++ kdumpctl_domtrans(kdumpgui_t) ') optional_policy(` @@ -31426,10 +31517,10 @@ index 572b5db..1e55f43 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.te b/logrotate.te -index 7090dae..9f51d10 100644 +index 7090dae..4aaa8fb 100644 --- a/logrotate.te +++ b/logrotate.te -@@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t) +@@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t) # # Change ownership on log files. 
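Review bot: `files_delete_kernel(kdumpctl_t)` is added without a comment, and it stands out among neighbours that are all read/getattr grants (`files_read_kernel_modules`, `files_getattr_all_dirs`); presumably it lets kdumpctl remove kernel-labelled files under /boot, which is a destructive permission worth recording inline, e.g. `# kdumpctl removes the kdump initrd it regenerates under /boot` — adjust to the real reason. If the tool only ever deletes its own generated image, a narrower rule on a dedicated type would be preferable to deleting anything of the kernel type. The kdumpctl_t policy continues outside this hunk.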
@@ -31437,10 +31528,11 @@ index 7090dae..9f51d10 100644 -# for mailx -dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; +allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; ++dontaudit logrotate_t self:capability sys_resource; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -@@ -39,6 +37,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi +@@ -39,6 +38,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi allow logrotate_t self:process setfscreate; allow logrotate_t self:fd use; @@ -31448,7 +31540,7 @@ index 7090dae..9f51d10 100644 allow logrotate_t self:fifo_file rw_fifo_file_perms; allow logrotate_t self:unix_dgram_socket create_socket_perms; allow logrotate_t self:unix_stream_socket create_stream_socket_perms; -@@ -61,6 +60,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) +@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) # for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) @@ -31456,7 +31548,7 @@ index 7090dae..9f51d10 100644 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) kernel_read_system_state(logrotate_t) -@@ -75,6 +75,7 @@ fs_list_inotifyfs(logrotate_t) +@@ -75,6 +76,7 @@ fs_list_inotifyfs(logrotate_t) mls_file_read_all_levels(logrotate_t) mls_file_write_all_levels(logrotate_t) mls_file_upgrade(logrotate_t) @@ -31464,7 +31556,7 @@ index 7090dae..9f51d10 100644 selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) -@@ -85,6 +86,7 @@ auth_use_nsswitch(logrotate_t) +@@ -85,6 +87,7 @@ auth_use_nsswitch(logrotate_t) # Run helper programs. corecmd_exec_bin(logrotate_t) corecmd_exec_shell(logrotate_t) 
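Review bot: The added `dontaudit logrotate_t self:capability sys_resource;` is redundant with the line directly above it, whose allow set now contains `sys_resource`: a dontaudit only hides denials, and there is no denial once the capability is allowed. Decide which was intended — if logrotate merely probes the capability and should not actually hold it, remove `sys_resource` from the `allow logrotate_t self:capability { ... }` set and keep the dontaudit; otherwise drop the dontaudit line so the policy says one thing.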
@@ -31472,7 +31564,7 @@ index 7090dae..9f51d10 100644 domain_signal_all_domains(logrotate_t) domain_use_interactive_fds(logrotate_t) -@@ -93,7 +95,6 @@ domain_getattr_all_entry_files(logrotate_t) +@@ -93,7 +96,6 @@ domain_getattr_all_entry_files(logrotate_t) domain_read_all_domains_state(logrotate_t) files_read_usr_files(logrotate_t) @@ -31480,7 +31572,7 @@ index 7090dae..9f51d10 100644 files_read_etc_runtime_files(logrotate_t) files_read_all_pids(logrotate_t) files_search_all(logrotate_t) -@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t) +@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -31488,7 +31580,7 @@ index 7090dae..9f51d10 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -112,21 +114,20 @@ logging_send_audit_msgs(logrotate_t) +@@ -112,21 +115,20 @@ logging_send_audit_msgs(logrotate_t) # cjp: why is this needed? logging_exec_all_logs(logrotate_t) @@ -31519,7 +31611,7 @@ index 7090dae..9f51d10 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -138,7 +139,7 @@ ifdef(`distro_debian', ` +@@ -138,7 +140,7 @@ ifdef(`distro_debian', ` ') optional_policy(` @@ -31528,7 +31620,7 @@ index 7090dae..9f51d10 100644 ') optional_policy(` -@@ -154,6 +155,10 @@ optional_policy(` +@@ -154,6 +156,10 @@ optional_policy(` ') optional_policy(` @@ -31539,7 +31631,7 @@ index 7090dae..9f51d10 100644 asterisk_domtrans(logrotate_t) ') -@@ -162,10 +167,20 @@ optional_policy(` +@@ -162,10 +168,20 @@ optional_policy(` ') optional_policy(` @@ -31560,7 +31652,7 @@ index 7090dae..9f51d10 100644 cups_domtrans(logrotate_t) ') -@@ -178,6 +193,10 @@ optional_policy(` +@@ -178,6 +194,10 @@ optional_policy(` ') optional_policy(` @@ -31571,7 +31663,7 @@ index 7090dae..9f51d10 100644 icecast_signal(logrotate_t) ') -@@ -194,15 +213,19 @@ optional_policy(` +@@ -194,15 +214,19 @@ optional_policy(` ') optional_policy(` 
@@ -31592,7 +31684,7 @@ index 7090dae..9f51d10 100644 optional_policy(` samba_exec_log(logrotate_t) -@@ -217,6 +240,11 @@ optional_policy(` +@@ -217,6 +241,11 @@ optional_policy(` ') optional_policy(` @@ -31604,7 +31696,7 @@ index 7090dae..9f51d10 100644 squid_domtrans(logrotate_t) ') -@@ -228,3 +256,14 @@ optional_policy(` +@@ -228,3 +257,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -34277,7 +34369,7 @@ index 3a73e74..60e7237 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index b397fde..c7c031d 100644 +index b397fde..17b14ad 100644 --- a/mozilla.if +++ b/mozilla.if @@ -18,10 +18,11 @@ @@ -34328,7 +34420,7 @@ index b397fde..c7c031d 100644 ') ######################################## -@@ -193,11 +211,34 @@ interface(`mozilla_domtrans',` +@@ -193,11 +211,38 @@ interface(`mozilla_domtrans',` # interface(`mozilla_domtrans_plugin',` gen_require(` @@ -34345,6 +34437,10 @@ index b397fde..c7c031d 100644 + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:fd use; + ++ #tunable_policy(`deny_ptrace',`',` ++ # allow $1 mozilla_plugin_t:process ptrace; ++ #') ++ + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; + allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms }; + allow mozilla_plugin_t $1:shm { rw_shm_perms destroy }; @@ -34364,7 +34460,7 @@ index b397fde..c7c031d 100644 allow mozilla_plugin_t $1:process signull; ') -@@ -224,6 +265,32 @@ interface(`mozilla_run_plugin',` +@@ -224,6 +269,32 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; @@ -34397,7 +34493,7 @@ index b397fde..c7c031d 100644 ') ######################################## -@@ -265,9 +332,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -265,9 +336,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') 
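Review bot: The commented-out deny_ptrace tunable block (`#tunable_policy(...)` through `#')`) added inside `mozilla_domtrans_plugin` is parked code; either remove it or replace it with a one-line comment stating why the ptrace grant from the caller to mozilla_plugin_t is withheld, e.g. `# $1 is deliberately not allowed to ptrace mozilla_plugin_t`. Commented-out policy lines tend to be re-enabled later without review, and a ptrace permission is exactly the kind of change that deserves a fresh look at that time. The interface continues outside this hunk.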
@@ -34426,7 +34522,7 @@ index b397fde..c7c031d 100644 ## ## ## -@@ -275,28 +360,118 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -275,28 +364,118 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -34457,9 +34553,8 @@ index b397fde..c7c031d 100644 gen_require(` - type mozilla_plugin_tmpfs_t; + type mozilla_plugin_t; - ') - -- allow $1 mozilla_plugin_tmpfs_t:file unlink; ++ ') ++ + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') + @@ -34479,7 +34574,7 @@ index b397fde..c7c031d 100644 + ') + + dontaudit $1 mozilla_plugin_tmp_t:file { read write }; - ') ++') + +######################################## +## @@ -34514,10 +34609,11 @@ index b397fde..c7c031d 100644 +interface(`mozilla_plugin_read_rw_files',` + gen_require(` + type mozilla_plugin_rw_t; -+ ') -+ + ') + +- allow $1 mozilla_plugin_tmpfs_t:file unlink; + read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) -+') + ') + +######################################## +## @@ -34553,7 +34649,7 @@ index b397fde..c7c031d 100644 +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..72efe21 100644 +index d4fcb75..907ff48 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) @@ -34716,7 +34812,7 @@ index d4fcb75..72efe21 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,65 +317,100 @@ optional_policy(` +@@ -297,65 +317,101 @@ optional_policy(` # mozilla_plugin local policy # @@ -34735,6 +34831,7 @@ index d4fcb75..72efe21 100644 + allow mozilla_plugin_t self:sem create_sem_perms; allow mozilla_plugin_t self:shm create_shm_perms; ++allow mozilla_plugin_t self:msgq create_msgq_perms; +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; +allow mozilla_plugin_t self:unix_dgram_socket sendto; +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; 
@@ -34832,7 +34929,7 @@ index d4fcb75..72efe21 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,55 +418,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,55 +419,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -34914,7 +35011,7 @@ index d4fcb75..72efe21 100644 ') optional_policy(` -@@ -422,24 +481,39 @@ optional_policy(` +@@ -422,24 +482,39 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -34958,7 +35055,7 @@ index d4fcb75..72efe21 100644 ') optional_policy(` -@@ -447,10 +521,115 @@ optional_policy(` +@@ -447,10 +522,115 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -36291,7 +36388,7 @@ index 4e2a5ba..0005ac0 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index 84a7d66..c58f1e7 100644 +index 84a7d66..61f95e2 100644 --- a/mta.te +++ b/mta.te @@ -20,14 +20,19 @@ files_type(etc_aliases_t) @@ -36369,12 +36466,14 @@ index 84a7d66..c58f1e7 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,25 +99,38 @@ optional_policy(` +@@ -92,25 +99,40 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) + apache_dontaudit_rw_tmp_files(system_mail_t) + ++ apache_dontaudit_rw_fifo_file(user_mail_domain) ++ apache_dontaudit_rw_fifo_file(mta_user_agent) + # apache should set close-on-exec + apache_dontaudit_rw_stream_sockets(mta_user_agent) + apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent) 
@@ -36413,7 +36512,7 @@ index 84a7d66..c58f1e7 100644 ') optional_policy(` -@@ -124,12 +144,9 @@ optional_policy(` +@@ -124,12 +146,9 @@ optional_policy(` ') optional_policy(` @@ -36428,7 +36527,7 @@ index 84a7d66..c58f1e7 100644 ') optional_policy(` -@@ -146,6 +163,10 @@ optional_policy(` +@@ -146,6 +165,10 @@ optional_policy(` ') optional_policy(` @@ -36439,7 +36538,7 @@ index 84a7d66..c58f1e7 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,22 +179,13 @@ optional_policy(` +@@ -158,22 +181,13 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -36465,7 +36564,7 @@ index 84a7d66..c58f1e7 100644 ') optional_policy(` -@@ -189,6 +201,10 @@ optional_policy(` +@@ -189,6 +203,10 @@ optional_policy(` ') optional_policy(` @@ -36476,7 +36575,7 @@ index 84a7d66..c58f1e7 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,20 +215,23 @@ optional_policy(` +@@ -199,20 +217,23 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -36504,7 +36603,7 @@ index 84a7d66..c58f1e7 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -220,21 +239,14 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,21 +241,14 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -36532,7 +36631,7 @@ index 84a7d66..c58f1e7 100644 optional_policy(` dovecot_manage_spool(mailserver_delivery) -@@ -242,6 +254,10 @@ optional_policy(` +@@ -242,6 +256,10 @@ optional_policy(` ') optional_policy(` 
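Review bot: The two new `apache_dontaudit_rw_fifo_file(...)` lines are placed above the `# apache should set close-on-exec` comment that explains the sibling stream-socket dontaudits, yet they silence the same leaked-descriptor case; move them beneath that comment so the group reads as one cause. Also note that the first of them targets `user_mail_domain`, presumably an attribute, which is broader than the neighbouring rules on `system_mail_t`; since a dontaudit grants nothing this is harmless, but if the breadth is deliberate a short remark saying so would help.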
@@ -36543,7 +36642,7 @@ index 84a7d66..c58f1e7 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,6 +265,14 @@ optional_policy(` +@@ -249,6 +267,14 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -36558,7 +36657,7 @@ index 84a7d66..c58f1e7 100644 ######################################## # # User send mail local policy -@@ -256,9 +280,9 @@ optional_policy(` +@@ -256,9 +282,9 @@ optional_policy(` domain_use_interactive_fds(user_mail_t) @@ -36570,7 +36669,7 @@ index 84a7d66..c58f1e7 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -270,6 +294,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery) +@@ -270,6 +296,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery) userdom_manage_user_home_content_pipes(mailserver_delivery) userdom_manage_user_home_content_sockets(mailserver_delivery) userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file }) @@ -36579,7 +36678,7 @@ index 84a7d66..c58f1e7 100644 # Read user temporary files. userdom_read_user_tmp_files(user_mail_t) userdom_dontaudit_append_user_tmp_files(user_mail_t) -@@ -277,6 +303,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) +@@ -277,6 +305,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t) # files in an appropriate place for mta_user_agent userdom_read_user_tmp_files(mta_user_agent) @@ -36588,7 +36687,7 @@ index 84a7d66..c58f1e7 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(user_mail_t) fs_manage_cifs_symlinks(user_mail_t) -@@ -292,3 +320,123 @@ optional_policy(` +@@ -292,3 +322,123 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -36713,7 +36812,7 @@ index 84a7d66..c58f1e7 100644 + clamav_stream_connect(mta_user_agent) +') 
diff --git a/munin.fc b/munin.fc -index fd71d69..5b771ef 100644 +index fd71d69..123ee4c 100644 --- a/munin.fc +++ b/munin.fc @@ -4,7 +4,9 @@ @@ -36745,7 +36844,7 @@ index fd71d69..5b771ef 100644 /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -@@ -58,11 +64,13 @@ +@@ -58,12 +64,15 @@ /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -36759,6 +36858,8 @@ index fd71d69..5b771ef 100644 /var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0) /var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0) /var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0) + /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) ++/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0) diff --git a/munin.if b/munin.if index c358d8f..1cc176c 100644 --- a/munin.if @@ -36878,7 +36979,7 @@ index c358d8f..1cc176c 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..de08ab6 100644 +index f17583b..3a691c7 100644 --- a/munin.te +++ b/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) 
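Review bot: The new `/var/www/html/cgi/munin.*` entry has no `--` file-type qualifier, and its unanchored `.*` matches any path that merely begins with `munin`, so directories and unrelated content under a name like `/var/www/html/cgi/munin-other/` (constructed example) would also be labelled httpd_munin_script_exec_t; the other executable entries in this file qualify with `--`. Suggest `/var/www/html/cgi/munin.* -- gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)`, and if only specific scripts are meant, a pattern that names them rather than a bare prefix.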
@@ -36961,7 +37062,19 @@ index f17583b..de08ab6 100644 sysnet_exec_ifconfig(munin_t) -@@ -145,6 +155,7 @@ optional_policy(` +@@ -128,6 +138,11 @@ optional_policy(` + manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + apache_search_sys_content(munin_t) ++ ++ read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t) ++ read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t) ++ ++ files_search_var_lib(httpd_munin_script_t) + ') + + optional_policy(` +@@ -145,6 +160,7 @@ optional_policy(` optional_policy(` mta_read_config(munin_t) mta_send_mail(munin_t) @@ -36969,7 +37082,7 @@ index f17583b..de08ab6 100644 mta_read_queue(munin_t) ') -@@ -155,10 +166,13 @@ optional_policy(` +@@ -155,10 +171,13 @@ optional_policy(` optional_policy(` netutils_domtrans_ping(munin_t) @@ -36983,7 +37096,7 @@ index f17583b..de08ab6 100644 ') optional_policy(` -@@ -182,6 +196,7 @@ optional_policy(` +@@ -182,6 +201,7 @@ optional_policy(` # local policy for disk plugins # @@ -36991,7 +37104,7 @@ index f17583b..de08ab6 100644 allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -190,15 +205,18 @@ corecmd_exec_shell(disk_munin_plugin_t) +@@ -190,15 +210,18 @@ corecmd_exec_shell(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) @@ -37014,7 +37127,7 @@ index f17583b..de08ab6 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -221,30 +239,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,30 +244,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) 
@@ -37068,7 +37181,7 @@ index f17583b..de08ab6 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +290,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +295,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -37083,7 +37196,7 @@ index f17583b..de08ab6 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +311,10 @@ optional_policy(` +@@ -279,6 +316,10 @@ optional_policy(` ') optional_policy(` @@ -37094,7 +37207,7 @@ index f17583b..de08ab6 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +322,18 @@ optional_policy(` +@@ -286,6 +327,18 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -37113,7 +37226,7 @@ index f17583b..de08ab6 100644 ################################## # # local policy for system plugins -@@ -295,12 +343,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,12 +348,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -37129,7 +37242,7 @@ index f17583b..de08ab6 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +359,47 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +364,47 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -38624,7 +38737,7 @@ index 2324d9e..96dbf6f 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') diff --git a/networkmanager.te b/networkmanager.te -index 0619395..3a77265 100644 +index 0619395..a953cf1 100644 --- a/networkmanager.te +++ b/networkmanager.te 
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -38878,10 +38991,11 @@ index 0619395..3a77265 100644 ') optional_policy(` -@@ -254,6 +337,11 @@ optional_policy(` +@@ -254,6 +337,12 @@ optional_policy(` ') optional_policy(` ++ systemd_write_inhibit_pipes(NetworkManager_t) + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) +') @@ -38890,7 +39004,7 @@ index 0619395..3a77265 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +351,7 @@ optional_policy(` +@@ -263,6 +352,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -38898,7 +39012,7 @@ index 0619395..3a77265 100644 ') ######################################## -@@ -284,6 +373,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -284,6 +374,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -44237,10 +44351,10 @@ index b246bdd..3cbcc49 100644 sysnet_dns_name_resolve(pads_t) diff --git a/passenger.fc b/passenger.fc -index 545518d..677ac68 100644 +index 545518d..9155bd0 100644 --- a/passenger.fc +++ b/passenger.fc -@@ -1,11 +1,10 @@ +@@ -1,11 +1,12 @@ -/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0) -/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0) 
@@ -44249,6 +44363,8 @@ index 545518d..677ac68 100644 +/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) +/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0) +/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0) ++ ++/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0) /var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0) @@ -44390,7 +44506,7 @@ index f68b573..c050b37 100644 + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) +') diff --git a/passenger.te b/passenger.te -index 3470036..7811795 100644 +index 3470036..ca09bc0 100644 --- a/passenger.te +++ b/passenger.te @@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t) @@ -44402,6 +44518,15 @@ index 3470036..7811795 100644 allow passenger_t self:process { setpgid setsched sigkill signal }; allow passenger_t self:fifo_file rw_fifo_file_perms; allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; +@@ -37,7 +37,7 @@ can_exec(passenger_t, passenger_exec_t) + + manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t) + manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t) +-logging_log_filetrans(passenger_t, passenger_log_t, file) ++logging_log_filetrans(passenger_t, passenger_log_t, { dir file }) + + manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) + manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) @@ -49,11 +49,16 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) @@ -50461,24 +50586,25 @@ index d90245a..546474f 100644 -miscfiles_read_localization(ptchown_t) +auth_read_passwd(ptchown_t) 
diff --git a/pulseaudio.fc b/pulseaudio.fc -index 84f23dc..5be2738 100644 +index 84f23dc..0e7d875 100644 --- a/pulseaudio.fc +++ b/pulseaudio.fc -@@ -1,6 +1,11 @@ +@@ -1,5 +1,12 @@ -HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) - ++HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) ++ +/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) -+ ++/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) - /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) diff --git a/pulseaudio.if b/pulseaudio.if -index f40c64d..d676e96 100644 +index f40c64d..7015dce 100644 --- a/pulseaudio.if +++ b/pulseaudio.if @@ -35,6 +35,9 @@ interface(`pulseaudio_role',` @@ -50506,7 +50632,7 @@ index f40c64d..d676e96 100644 ') ######################################## -@@ -257,4 +262,87 @@ interface(`pulseaudio_manage_home_files',` +@@ -257,4 +262,88 @@ interface(`pulseaudio_manage_home_files',` userdom_search_user_home_dirs($1) manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) 
@@ -50553,6 +50679,7 @@ index f40c64d..d676e96 100644 + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse") + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") + userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth") ++ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse") +') + +######################################## @@ -61210,7 +61337,7 @@ index c8254dd..b73334e 100644 /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/screen.if b/screen.if -index c50a444..caef1cd 100644 +index c50a444..ee00be2 100644 --- a/screen.if +++ b/screen.if @@ -25,6 +25,7 @@ template(`screen_role_template',` @@ -61221,7 +61348,7 @@ index c50a444..caef1cd 100644 ') ######################################## -@@ -32,50 +33,20 @@ template(`screen_role_template',` +@@ -32,50 +33,24 @@ template(`screen_role_template',` # Declarations # @@ -61265,7 +61392,10 @@ index c50a444..caef1cd 100644 - userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) - read_files_pattern($1_screen_t, screen_home_t, screen_home_t) - read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) -- ++ tunable_policy(`deny_ptrace',`',` ++ allow $3 $1_screen_t:process ptrace; ++ ') + - allow $1_screen_t $3:process signal; + userdom_home_reader($1_screen_t) @@ -61278,7 +61408,7 @@ index c50a444..caef1cd 100644 manage_fifo_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_home_t, screen_home_t) -@@ -86,77 +57,46 @@ template(`screen_role_template',` +@@ -86,77 +61,46 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) @@ -65320,7 +65450,7 @@ index 941380a..54c45f6 100644 + ') diff --git a/sssd.te b/sssd.te -index a1b61bc..3d2a591 100644 +index a1b61bc..4253541 100644 --- a/sssd.te +++ b/sssd.te 
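Review bot: `gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")` calls a gnome-module interface from a pulseaudio interface with no optional_policy wrapper, unlike the surrounding `userdom_*` calls which belong to a base module; if the gnome module is absent in some build, every caller of this interface then fails to link. Wrap that single line in an optional_policy block so the filetrans is added only when gnome is present. The enclosing interface starts outside this hunk.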
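Review bot: The new `allow $3 $1_screen_t:process ptrace;` inside the deny_ptrace tunable grants the user domain ptrace over its own screen session whenever the tunable is off, and nothing says why screen needs to be traceable by `$3`; a comment such as `# let the user debug their own screen session (disabled by deny_ptrace)` — or the real reason — would make the grant reviewable. The empty first branch is the tunable-enabled branch, so the rule applies only when deny_ptrace is false; that is the intended sense but easy to misread, so stating it in the comment helps. The template continues outside this hunk.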
@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t) @@ -65375,7 +65505,7 @@ index a1b61bc..3d2a591 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,37 +61,56 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,37 +61,57 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -65384,6 +65514,7 @@ index a1b61bc..3d2a591 100644 +corenet_udp_bind_generic_port(sssd_t) +corenet_dontaudit_udp_bind_all_ports(sssd_t) ++corenet_tcp_connect_kerberos_password_port(sssd_t) + corecmd_exec_bin(sssd_t) @@ -65434,7 +65565,7 @@ index a1b61bc..3d2a591 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,8 +119,17 @@ optional_policy(` +@@ -87,8 +120,17 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -70041,7 +70172,7 @@ index 2124b6a..e55e393 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..d91242a 100644 +index 6f0736b..408a20a 100644 --- a/virt.if +++ b/virt.if @@ -13,67 +13,30 @@ @@ -70559,7 +70690,7 @@ index 6f0736b..d91242a 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -517,4 +729,306 @@ interface(`virt_admin',` +@@ -517,4 +729,305 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) 
@@ -70603,13 +70734,12 @@ index 6f0736b..d91242a 100644 + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; + ++ allow $1 virt_domain:process { sigkill sigstop signull signal }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + -+ virt_signal_svirt($1) -+ + optional_policy(` + ptchown_run(virt_domain, $2) + ') @@ -70867,7 +70997,7 @@ index 6f0736b..d91242a 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..0b607f1 100644 +index 947bbc6..d17661a 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) @@ -70953,15 +71083,15 @@ index 947bbc6..0b607f1 100644 +gen_tunable(virt_use_rawip, false) + +## - ##

--## Allow virt to use usb devices ++##

+## Allow confined virtual guests to interact with the xserver +##

+##
+gen_tunable(virt_use_xserver, false) + +## -+##

+ ##

+-## Allow virt to use usb devices +## Allow confined virtual guests to use usb devices ##

##
@@ -71345,7 +71475,7 @@ index 947bbc6..0b607f1 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +424,33 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +424,36 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -71363,6 +71493,9 @@ index 947bbc6..0b607f1 100644 sysnet_domtrans_ifconfig(virtd_t) sysnet_read_config(virtd_t) ++systemd_dbus_chat_logind(virtd_t) ++systemd_write_inhibit_pipes(virtd_t) ++ +userdom_list_admin_dir(virtd_t) userdom_getattr_all_users(virtd_t) userdom_list_user_home_content(virtd_t) @@ -71379,7 +71512,7 @@ index 947bbc6..0b607f1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +469,10 @@ optional_policy(` +@@ -322,6 +472,10 @@ optional_policy(` ') optional_policy(` @@ -71390,7 +71523,7 @@ index 947bbc6..0b607f1 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +486,34 @@ optional_policy(` +@@ -335,19 +489,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -71426,7 +71559,7 @@ index 947bbc6..0b607f1 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +528,12 @@ optional_policy(` +@@ -362,6 +531,12 @@ optional_policy(` ') optional_policy(` @@ -71439,7 +71572,7 @@ index 947bbc6..0b607f1 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +541,11 @@ optional_policy(` +@@ -369,11 +544,11 @@ optional_policy(` ') optional_policy(` @@ -71456,7 +71589,7 @@ index 947bbc6..0b607f1 100644 ') optional_policy(` -@@ -384,6 +556,7 @@ optional_policy(` +@@ -384,6 +559,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) 
@@ -71464,7 +71597,7 @@ index 947bbc6..0b607f1 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,35 +575,85 @@ optional_policy(` +@@ -402,35 +578,85 @@ optional_policy(` # # virtual domains common policy # @@ -71559,7 +71692,7 @@ index 947bbc6..0b607f1 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +661,601 @@ dev_write_sound(virt_domain) +@@ -438,34 +664,627 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -71581,14 +71714,14 @@ index 947bbc6..0b607f1 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +-term_use_all_terms(virt_domain) +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) - --term_use_all_terms(virt_domain) ++ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -71772,7 +71905,7 @@ index 947bbc6..0b607f1 100644 + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) + fs_read_nfs_symlinks(virsh_t) -+') + ') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(virsh_t) @@ -71866,6 +71999,7 @@ index 947bbc6..0b607f1 100644 +files_associate_rootfs(svirt_lxc_file_t) + +storage_manage_fixed_disk(virtd_lxc_t) ++storage_rw_fuse(virtd_lxc_t) + +kernel_read_all_sysctls(virtd_lxc_t) +kernel_read_network_state(virtd_lxc_t) @@ -71928,12 +72062,9 @@ index 947bbc6..0b607f1 100644 +selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_default_contexts(virtd_lxc_t) + -+sysnet_domtrans_ifconfig(virtd_lxc_t) -+ -+#optional_policy(` -+# unconfined_shell_domtrans(virtd_lxc_t) -+# unconfined_signal(virtd_t) -+#') ++optional_policy(` ++ unconfined_domain(virtd_lxc_t) ++') + +######################################## +# 
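Review bot: `optional_policy(\` unconfined_domain(virtd_lxc_t) \`)` in the `@@ -71928` hunk makes every other rule this section grants virtd_lxc_t (storage_manage_fixed_disk, kernel_read_all_sysctls, selinux_compute_user_contexts and the rest above it) redundant whenever the unconfined module is loaded, and the hunk does not record why the narrower, previously commented-out `unconfined_shell_domtrans(virtd_lxc_t)` was not enough. In the same hunk the unconditional `sysnet_domtrans_ifconfig(virtd_lxc_t)` line is dropped while its only replacement sits inside the optional block, so on a build without the unconfined module virtd_lxc_t loses the ifconfig transition instead of gaining anything; unless that call was moved elsewhere in the patch, it should stay outside `optional_policy`. A comment above the block, e.g. `# virtd_lxc_t is unconfined when the unconfined module is present; the rules above are the fallback when it is absent`, would make the intent reviewable later. The enclosing virtd_lxc local policy section continues outside the hunk.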
@@ -72025,7 +72156,7 @@ index 947bbc6..0b607f1 100644 +optional_policy(` + apache_exec_modules(svirt_lxc_domain) + apache_read_sys_content(svirt_lxc_domain) - ') ++') + +virt_lxc_domain_template(svirt_lxc_net) + @@ -72135,6 +72266,8 @@ index 947bbc6..0b607f1 100644 +# virt_qemu_ga local policy +# + ++allow virt_qemu_ga_t self:capability sys_tty_config; ++ +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; + @@ -72150,16 +72283,42 @@ index 947bbc6..0b607f1 100644 + +files_read_etc_files(virt_qemu_ga_t) + ++dev_rw_sysfs(virt_qemu_ga_t) ++ +term_use_virtio_console(virt_qemu_ga_t) ++term_use_all_ttys(virt_qemu_ga_t) + +logging_send_syslog_msg(virt_qemu_ga_t) + +sysnet_dns_name_resolve(virt_qemu_ga_t) + ++userdom_use_user_ptys(virt_qemu_ga_t) ++ ++optional_policy(` ++ bootloader_domtrans(virt_qemu_ga_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(virt_qemu_ga_t) ++') ++ ++optional_policy(` ++ cron_initrc_domtrans(virt_qemu_ga_t) ++ cron_domtrans(virt_qemu_ga_t) ++') ++ +optional_policy(` + devicekit_manage_pid_files(virt_qemu_ga_t) +') + ++optional_policy(` ++ fstools_domtrans(virt_qemu_ga_t) ++') ++ ++optional_policy(` ++ shutdown_domtrans(virt_qemu_ga_t) ++') ++ +type svirt_socket_t; +role system_r types svirt_socket_t; +allow svirt_t svirt_socket_t:unix_stream_socket connectto; @@ -72520,22 +72679,24 @@ index b10bb05..f0d56b5 100644 userdom_dontaudit_use_unpriv_user_fds(watchdog_t) diff --git a/wdmd.fc b/wdmd.fc new file mode 100644 -index 0000000..ad47e05 +index 0000000..0d6257d --- /dev/null 
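Review bot: The new transitions for virt_qemu_ga_t in the `@@ -72150` hunk (`bootloader_domtrans`, `cron_initrc_domtrans`, `cron_domtrans`, `fstools_domtrans`, `shutdown_domtrans`) plus `dev_rw_sysfs` and `term_use_all_ttys` give a domain that is driven over the virtio console (see `term_use_virtio_console` above) reach into several privileged domains, and nothing in the hunk says which agent operation each grant serves. A one-line comment per `optional_policy` block, e.g. `# needed for the guest-shutdown command` above `shutdown_domtrans` (to be confirmed against the agent), would let a later reviewer separate a required transition from an accumulated one. `dev_rw_sysfs` is a write grant over all of sysfs; if the agent only reads it, `dev_read_sysfs(virt_qemu_ga_t)` is the narrower call. The virt_qemu_ga local policy section begins in the previous hunk.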
+++ b/wdmd.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0) + ++/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) ++ +/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0) ++/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0) + -+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) diff --git a/wdmd.if b/wdmd.if new file mode 100644 -index 0000000..8e3570d +index 0000000..d17ff39 --- /dev/null +++ b/wdmd.if -@@ -0,0 +1,113 @@ +@@ -0,0 +1,133 @@ + +## watchdog multiplexing daemon + @@ -72649,12 +72810,32 @@ index 0000000..8e3570d + files_search_pids($1) + stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t) +') ++ ++ ++#################################### ++## ++## Allow the specified domain to read/write wdmd's tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`wdmd_rw_tmpfs',` ++ gen_require(` ++ type wdmd_tmpfs_t; ++ ') ++ ++ rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t) ++ ++') diff --git a/wdmd.te b/wdmd.te new file mode 100644 -index 0000000..f2b3f6c +index 0000000..09b45bb --- /dev/null +++ b/wdmd.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,61 @@ +policy_module(wdmd,1.0.0) + +######################################## @@ -72694,6 +72875,11 @@ index 0000000..f2b3f6c +manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t) +fs_tmpfs_filetrans(wdmd_t, wdmd_tmpfs_t, { dir file }) + ++kernel_read_system_state(wdmd_t) ++ ++corecmd_exec_bin(wdmd_t) ++corecmd_exec_shell(wdmd_t) ++ +dev_read_watchdog(wdmd_t) +dev_write_watchdog(wdmd_t) + @@ -72705,6 +72891,12 @@ index 0000000..f2b3f6c +auth_use_nsswitch(wdmd_t) + +logging_send_syslog_msg(wdmd_t) ++ ++optional_policy(` ++ corosync_initrc_domtrans(wdmd_t) ++ corosync_stream_connect(wdmd_t) ++ corosync_rw_tmpfs(wdmd_t) ++') diff --git a/webadm.te b/webadm.te index 0ecc786..79a664a 100644 --- a/webadm.te 
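Review bot: `wdmd_rw_tmpfs` grants `rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)` but nothing on the tmpfs mount itself, so a caller that does not already have `fs_search_tmpfs($1)` can still be denied on the path lookup before it reaches a wdmd_tmpfs_t directory; the preceding interface in the file pairs its pattern with `files_search_pids($1)`, and the same pairing is expected here. The blank line before the closing `')` is also out of step with the other interfaces in the file. The interface description could name the intended caller, e.g. `## Used by corosync to exchange state with wdmd through tmpfs.` — hedged, since the caller is not in this hunk.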
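Review bot: `corecmd_exec_bin(wdmd_t)` and `corecmd_exec_shell(wdmd_t)` in the `@@ -72694` hunk let the watchdog multiplexer execute any shell or bin_t binary inside its own domain, and neither the hunk nor the changelog entry for this release says what wdmd runs. If this is for a quorum helper script (the `/var/run/checkquorum-timer` label added to wdmd.fc above points that way, but that is inference), a comment such as `# wdmd runs the cluster quorum check script` above the two calls would let the grant be re-evaluated when the helper changes. The wdmd local policy section continues into the next hunk.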
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bcfcfed..cf75bdd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 66%{?dist}
+Release: 67%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,45 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Dec 21 2012 Miroslav Grepl 3.11.1-67 +- systemd_logind_t is looking at all files under /run/user/apache +- Allow systemd to manage all user tmp files +- Add labeling for /var/named/chroot/etc/localtime +- Allow netlabel_peer_t type to flow over netif_t and node_t, and only be hindered by MLS, need back port to RHEL6 +- Keystone is now using a differnt port +- Allow xdm_t to use usbmuxd daemon to control sound +- Allow passwd daemon to execute gnome_exec_keyringd +- Fix chrome_sandbox policy +- Add labeling for /var/run/checkquorum-timer +- More fixes for the dspam domain, needs back port to RHEL6 +- More fixes for the dspam domain, needs back port to RHEL6 +- sssd needs to connect to kerberos password port if a user changes his password +- Lots of fixes from RHEL testing of dspam web +- Allow chrome and mozilla_plugin to create msgq and semaphores +- Fixes for dspam cgi scripts +- Fixes for dspam cgi scripts +- Allow confine users to ptrace screen +- Backport virt_qemu_ga_t changes from RHEL +- Fix labeling for dspam.cgi needed for RHEL6 +- We need to back port this policy to RHEL6, for lxc domains +- Dontaudit attempts to set sys_resource of logrotate +- Allow corosync to read/write wdmd's tmpfs files +- I see a ptrace of mozilla_plugin_t by staff_t, will allow without deny_ptrace being set +- Allow cron jobs to read bind config for unbound +- libvirt needs to inhibit systemd +- kdumpctl needs to delete boot_t files +- Fix duplicate gnome_config_filetrans +- virtd_lxc_t is using /dev/fuse +- Passenger needs to create a directory in /var/log, needs a backport to RHEL6 for openshift +- apcupsd can be setup to listen to snmp trafic +- Allow transition from kdumpgui to kdumpctl +- Add fixes for munin CGI scripts +- Allow deltacloud to connect to openstack at the keystone port +- Allow domains that transition to svirt domains to be able to signal them +- Fix file context of 
gstreamer in .cache directory +- libvirt is communicating with logind +- NetworkManager writes to the systemd inhibit pipe + * Mon Dec 17 2012 Miroslav Grepl 3.11.1-66 - Allow munin disk plugins to get attributes of all directories - Allow munin disk plugins to get attributes of all directorie @@ -737,7 +776,7 @@ SELinux Reference policy mls base module. - gnomessytemmm_t needs to read /etc/passwd - Allow cgred to read all sysctls -* Tue Nov 5 2012 Miroslav Grepl 3.11.1-50 +* Tue Nov 6 2012 Miroslav Grepl 3.11.1-50 - Allow all domains to read /proc/sys/vm/overcommit_memory - Make proc_numa_t an MLS Trusted Object - Add /proc/numactl support for confined users @@ -1516,7 +1555,7 @@ SELinux Reference policy mls base module. * Wed May 9 2012 Miroslav Grepl 3.10.0-124 - Make systemd unit files less specific -* Tue May 7 2012 Miroslav Grepl 3.10.0-123 +* Tue May 8 2012 Miroslav Grepl 3.10.0-123 - Fix zarafa labeling - Allow guest_t to fix labeling - corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean @@ -1573,7 +1612,7 @@ SELinux Reference policy mls base module. - firewalld needs to execute restorecon - Allow restorecon and other login domains to execute restorecon -* Tue Apr 26 2012 Miroslav Grepl 3.10.0-119 +* Tue Apr 24 2012 Miroslav Grepl 3.10.0-119 - Allow logrotate to getattr on systemd unit files - Add support for tor systemd unit file - Allow apmd to create /var/run/pm-utils with the correct label 
@@ -1611,13 +1650,13 @@ SELinux Reference policy mls base module. - Add labeling for /etc/zipl.conf and zipl binary - Turn on allow_execstack and turn off telepathy transition for final release -* Mon Apr 15 2012 Miroslav Grepl 3.10.0-116 +* Mon Apr 16 2012 Miroslav Grepl 3.10.0-116 - More access required for virt_qmf_t - Additional assess required for systemd-logind to support multi-seat - Allow mozilla_plugin to setrlimit - Revert changes to fuse file system to stop deadlock -* Mon Apr 15 2012 Miroslav Grepl 3.10.0-115 +* Mon Apr 16 2012 Miroslav Grepl 3.10.0-115 - Allow condor domains to connect to ephemeral ports - More fixes for condor policy - Allow keystone to stream connect to mysqld @@ -2166,15 +2205,15 @@ SELinux Reference policy mls base module. - Allow virtd to relabel generic usb which is need if USB device - Fixes for virt.if interfaces to consider chr_file as image file type -* Fri Nov 5 2011 Dan Walsh 3.10.0-54.1 +* Fri Nov 4 2011 Dan Walsh 3.10.0-54.1 - Remove Open Office policy - Remove execmem policy -* Fri Nov 5 2011 Miroslav Grepl 3.10.0-54 +* Fri Nov 4 2011 Miroslav Grepl 3.10.0-54 - MCS fixes - quota fixes -* Thu Nov 4 2011 Dan Walsh 3.10.0-53.1 +* Thu Nov 3 2011 Dan Walsh 3.10.0-53.1 - Remove transitions to consoletype * Tue Nov 1 2011 Miroslav Grepl 3.10.0-53 @@ -2225,7 +2264,7 @@ SELinux Reference policy mls base module. - Add port 8953 as a dns port used by unbound - Fix file name transition for alsa and confined users -* Thu Oct 21 2011 Dan Walsh 3.10.0-46.1 +* Fri Oct 21 2011 Dan Walsh 3.10.0-46.1 - Turn on mock_t and thumb_t for unconfined domains * Fri Oct 21 2011 Miroslav Grepl 3.10.0-46 
@@ -2243,10 +2282,10 @@ SELinux Reference policy mls base module. * Wed Oct 19 2011 Miroslav Grepl 3.10.0-43 - Add policies for nova openstack -* Mon Oct 18 2011 Miroslav Grepl 3.10.0-42 +* Tue Oct 18 2011 Miroslav Grepl 3.10.0-42 - Add fixes for nova-stack policy -* Mon Oct 18 2011 Miroslav Grepl 3.10.0-41 +* Tue Oct 18 2011 Miroslav Grepl 3.10.0-41 - Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain - Allow init process to setrlimit on itself - Take away transition rules for users executing ssh-keygen @@ -2318,7 +2357,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user -* Tue Oct 3 2011 Dan Walsh 3.10.0-36.1 +* Tue Oct 4 2011 Dan Walsh 3.10.0-36.1 - Fix missing patch from F16 * Mon Oct 3 2011 Miroslav Grepl 3.10.0-36 @@ -2336,13 +2375,13 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; * Mon Oct 3 2011 Dan Walsh 3.10.0-35 - Stop complaining about leaked file descriptors during install -* Fri Sep 29 2011 Dan Walsh 3.10.0-34.7 +* Fri Sep 30 2011 Dan Walsh 3.10.0-34.7 - Remove java and mono module and merge into execmem -* Fri Sep 29 2011 Dan Walsh 3.10.0-34.6 +* Fri Sep 30 2011 Dan Walsh 3.10.0-34.6 - Fixes for thumb policy and passwd_file_t -* Fri Sep 29 2011 Dan Walsh 3.10.0-34.4 +* Fri Sep 30 2011 Dan Walsh 3.10.0-34.4 - Fixes caused by the labeling of /etc/passwd - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide @@ -2380,7 +2419,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; - Add SELinux support for ssh pre-auth net process in F17 - Add logging_syslogd_can_sendmail boolean -* Wed Sep 20 2011 Dan Walsh 3.10.0-31.1 +* Wed Sep 21 2011 Dan Walsh 3.10.0-31.1 - Add definition for ephemeral ports - Define user_tty_device_t as a customizable_type 
@@ -2649,7 +2688,7 @@ dontaudit domain domain:process { noatsecure siginh rlimitinh } ; - Lot of fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log -* Thu May 17 2011 Miroslav Grepl 3.9.16-22 +* Thu May 19 2011 Miroslav Grepl 3.9.16-22 - Allow logrotate to execute systemctl - Allow nsplugin_t to getattr on gpmctl - Fix dev_getattr_all_chr_files() interface @@ -2924,7 +2963,7 @@ assembled or disassembled. - Allow readahead to read all mcs levels - Allow mozilla_plugin_t to use nfs or samba homedirs -* Wed Jan 25 2011 Miroslav Grepl 3.9.13-5 +* Tue Jan 25 2011 Miroslav Grepl 3.9.13-5 - Allow nagios plugin to read /proc/meminfo - Fix for mozilla_plugin - Allow samba_net_t to create /etc/keytab @@ -3096,7 +3135,7 @@ assembled or disassembled. - Dontaudit sys_ptrace capability for iscsid - Fixes for nagios plugin policy -* Thu Dec 1 2010 Miroslav Grepl 3.9.10-5 +* Thu Dec 2 2010 Miroslav Grepl 3.9.10-5 - Fix cron to run ranged when started by init - Fix devicekit to use log files - Dontaudit use of devicekit_var_run_t for fstools @@ -3354,7 +3393,7 @@ Bz #637339 - Allow dovecot_deliver to append to inherited log files - Lots of fixes for consolehelper -* Wed Sep 21 2010 Dan Walsh 3.9.5-3 +* Wed Sep 22 2010 Dan Walsh 3.9.5-3 - Fix up Xguest policy * Thu Sep 16 2010 Dan Walsh 3.9.5-2 @@ -3375,13 +3414,13 @@ Bz #637339 - Allow all domains that can use cgroups to search tmpfs_t directory - Allow init to send audit messages -* Thu Sep 8 2010 Dan Walsh 3.9.4-1 +* Thu Sep 9 2010 Dan Walsh 3.9.4-1 - Update to upstream -* Thu Sep 8 2010 Dan Walsh 3.9.3-4 +* Thu Sep 9 2010 Dan Walsh 3.9.3-4 - Allow mdadm_t to create files and sock files in /dev/md/ -* Thu Sep 8 2010 Dan Walsh 3.9.3-3 +* Thu Sep 9 2010 Dan Walsh 3.9.3-3 - Add policy for ajaxterm * Wed Sep 8 2010 Dan Walsh 3.9.3-2 
@@ -3403,7 +3442,7 @@ Allow freshclam to execute shell and bin_t Allow devicekit_power to transition to dhcpc Add boolean to allow icecast to connect to any port -* Thu Aug 31 2010 Dan Walsh 3.9.2-1 +* Tue Aug 31 2010 Dan Walsh 3.9.2-1 - Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to communicate with clvmd via tmpfs @@ -3411,11 +3450,10 @@ Add boolean to allow icecast to connect to any port - Allow dbus system services to search cgroup_t - Define rlogind_t as a login pgm - -* Wed Aug 31 2010 Dan Walsh 3.9.1-3 +* Tue Aug 31 2010 Dan Walsh 3.9.1-3 - Allow mdadm_t to read/write hugetlbfs -* Tue Aug 30 2010 Dan Walsh 3.9.1-2 +* Tue Aug 31 2010 Dan Walsh 3.9.1-2 - Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and prelink @@ -3447,11 +3485,11 @@ Add boolean to allow icecast to connect to any port - Allow mount_t to write to debufs_t dir - Dontaudit mount_t trying to write to security_t dir -* Thu Aug 18 2010 Dan Walsh 3.8.8-17 +* Thu Aug 19 2010 Dan Walsh 3.8.8-17 - Allow clamscan_t execmem if clamd_use_jit set - Add policy for firefox plugin-container -* Wed Aug 17 2010 Dan Walsh 3.8.8-16 +* Wed Aug 18 2010 Dan Walsh 3.8.8-16 - Fix /root/.forward definition * Tue Aug 17 2010 Dan Walsh 3.8.8-15 @@ -3507,13 +3545,13 @@ Add boolean to allow icecast to connect to any port * Tue Jul 20 2010 Dan Walsh 3.8.8-1 - Update to latest policy -* Mon Jul 14 2010 Dan Walsh 3.8.7-3 +* Wed Jul 14 2010 Dan Walsh 3.8.7-3 - Fix eclipse labeling from IBMSupportAssasstant packageing -* Mon Jul 14 2010 Dan Walsh 3.8.7-2 +* Wed Jul 14 2010 Dan Walsh 3.8.7-2 - Make boot with systemd in enforcing mode -* Mon Jul 14 2010 Dan Walsh 3.8.7-1 +* Wed Jul 14 2010 Dan Walsh 3.8.7-1 - Update to upstream * Mon Jul 12 2010 Dan Walsh 3.8.6-3 
@@ -3620,7 +3658,7 @@ Partially resolves 590224 - Allow aiccu to use tun tap devices - Dontaudit shutdown using xserver.log -* Fri May 6 2010 Dan Walsh 3.7.19-14 +* Fri May 7 2010 Dan Walsh 3.7.19-14 - Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ - Add xdm_etc_t for /etc/gdm directory, allow accountsd to manage this directory - Add dontaudit interface for bluetooth dbus @@ -3841,7 +3879,7 @@ Resolves: #582145 - Add cachefilesfd policy - Dontaudit leaks when transitioning -* Wed Feb 23 2010 Dan Walsh 3.7.10-4 +* Wed Feb 24 2010 Dan Walsh 3.7.10-4 - Change allow_execstack and allow_execmem booleans to on - dontaudit acct using console - Add label for fping @@ -3849,7 +3887,7 @@ Resolves: #582145 - Fix wine dontaudit mmap_zero - Allow abrt to read var_t symlinks -* Tue Feb 22 2010 Dan Walsh 3.7.10-3 +* Tue Feb 23 2010 Dan Walsh 3.7.10-3 - Additional policy for rgmanager * Mon Feb 22 2010 Dan Walsh 3.7.10-2 @@ -3886,7 +3924,7 @@ Resolves: #582145 * Mon Feb 1 2010 Dan Walsh 3.7.8-6 - Lots of fixes found in F12 -* Thu Jan 27 2010 Dan Walsh 3.7.8-5 +* Thu Jan 28 2010 Dan Walsh 3.7.8-5 - Fix rpm_dontaudit_leaks * Wed Jan 27 2010 Dan Walsh 3.7.8-4 @@ -3910,7 +3948,7 @@ Resolves: #582145 - Turn on puppet policy - Update to dgrift git policy -* Mon Jan 7 2010 Dan Walsh 3.7.7-1 +* Thu Jan 7 2010 Dan Walsh 3.7.7-1 - Move users file to selection by spec file. - Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t @@ -3989,7 +4027,7 @@ Resolves: #582145 * Thu Sep 24 2009 Dan Walsh 3.6.32-11 - Allow users to exec restorecond -* Tue Sep 21 2009 Dan Walsh 3.6.32-10 +* Tue Sep 22 2009 Dan Walsh 3.6.32-10 - Allow sendmail to request kernel modules load * Mon Sep 21 2009 Dan Walsh 3.6.32-9 
@@ -4017,12 +4055,12 @@ Resolves: #582145 * Thu Sep 17 2009 Dan Walsh 3.6.32-2 - Fixes for sandbox -* Wed Sep 17 2009 Dan Walsh 3.6.32-1 +* Wed Sep 16 2009 Dan Walsh 3.6.32-1 - Update to upstream - Dontaudit nsplugin search /root - Dontaudit nsplugin sys_nice -* Mon Sep 15 2009 Dan Walsh 3.6.31-5 +* Tue Sep 15 2009 Dan Walsh 3.6.31-5 - Fix label on /usr/bin/notepad, /usr/sbin/vboxadd-service - Remove policycoreutils-python requirement except for minimum @@ -4145,10 +4183,10 @@ Resolves: #582145 * Mon Jul 27 2009 Dan Walsh 3.6.23-2 - Allow certmaster to override dac permissions -* Thu Jul 22 2009 Dan Walsh 3.6.23-1 +* Thu Jul 23 2009 Dan Walsh 3.6.23-1 - Update to upstream -* Tue Jul 20 2009 Dan Walsh 3.6.22-3 +* Tue Jul 21 2009 Dan Walsh 3.6.22-3 - Fix context for VirtualBox * Tue Jul 14 2009 Dan Walsh 3.6.22-1 @@ -4250,7 +4288,7 @@ Resolves: #582145 * Mon May 11 2009 Dan Walsh 3.6.12-34 - Allow rpcd_t to send signals to kernel threads -* Fri May 7 2009 Dan Walsh 3.6.12-33 +* Fri May 8 2009 Dan Walsh 3.6.12-33 - Fix upgrade for F10 to F11 * Thu May 7 2009 Dan Walsh 3.6.12-31 @@ -4351,7 +4389,7 @@ Resolves: #582145 * Thu Apr 9 2009 Dan Walsh 3.6.12-3 - Separate out the ucnonfined user from the unconfined.pp package -* Wed Apr 7 2009 Dan Walsh 3.6.12-2 +* Wed Apr 8 2009 Dan Walsh 3.6.12-2 - Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t. * Tue Apr 7 2009 Dan Walsh 3.6.12-1 @@ -4413,7 +4451,7 @@ Resolves: #582145 * Sat Mar 7 2009 Dan Walsh 3.6.8-2 - Add pulseaudio context -* Thu Mar 4 2009 Dan Walsh 3.6.8-1 +* Thu Mar 5 2009 Dan Walsh 3.6.8-1 - Upgrade to latest patches * Wed Mar 4 2009 Dan Walsh 3.6.7-2 
@@ -4560,10 +4598,10 @@ Resolves: #582145 * Mon Dec 01 2008 Ignacio Vazquez-Abrams - 3.6.1-2 - Rebuild for Python 2.6 -* Fri Nov 5 2008 Dan Walsh 3.5.13-19 +* Fri Nov 7 2008 Dan Walsh 3.5.13-19 - Fix labeling on /var/spool/rsyslog -* Thu Nov 5 2008 Dan Walsh 3.5.13-18 +* Thu Nov 6 2008 Dan Walsh 3.5.13-18 - Allow postgresl to bind to udp nodes * Wed Nov 5 2008 Dan Walsh 3.5.13-17 @@ -4573,11 +4611,11 @@ Resolves: #582145 * Wed Nov 5 2008 Dan Walsh 3.5.13-16 - Fix cyphesis file context -* Tue Nov 3 2008 Dan Walsh 3.5.13-15 +* Tue Nov 4 2008 Dan Walsh 3.5.13-15 - Allow hal/pm-utils to look at /var/run/video.rom - Add ulogd policy -* Tue Nov 3 2008 Dan Walsh 3.5.13-14 +* Tue Nov 4 2008 Dan Walsh 3.5.13-14 - Additional fixes for cyphesis - Fix certmaster file context - Add policy for system-config-samba @@ -4712,7 +4750,7 @@ Resolves: #582145 * Thu Aug 7 2008 Dan Walsh 3.5.3-1 - Update to upstream -* Wed Aug 2 2008 Dan Walsh 3.5.2-2 +* Sat Aug 2 2008 Dan Walsh 3.5.2-2 - Allow system-config-selinux to work with policykit * Fri Jul 25 2008 Dan Walsh 3.5.1-5 @@ -4725,7 +4763,7 @@ Resolves: #582145 * Fri Jul 25 2008 Dan Walsh 3.5.1-3 - Fixes for logrotate, alsa -* Thu Jul 25 2008 Dan Walsh 3.5.1-2 +* Thu Jul 24 2008 Dan Walsh 3.5.1-2 - Eliminate vbetool duplicate entry * Wed Jul 16 2008 Dan Walsh 3.5.1-1 @@ -4771,7 +4809,7 @@ Resolves: #582145 * Sun Jun 22 2008 Dan Walsh 3.4.2-5 - Fix prelude file context -* Fri Jun 12 2008 Dan Walsh 3.4.2-4 +* Fri Jun 13 2008 Dan Walsh 3.4.2-4 - allow hplip to talk dbus - Fix context on ~/.local dir @@ -4830,7 +4868,7 @@ Resolves: #582145 * Wed Apr 23 2008 Dan Walsh 3.3.1-39 - Change etc files to config files to allow users to read them -* Fri Apr 14 2008 Dan Walsh 3.3.1-37 +* Fri Apr 18 2008 Dan Walsh 3.3.1-37 - Lots of fixes for confined domains on NFS_t homedir * Mon Apr 14 2008 Dan Walsh 3.3.1-36 
@@ -4862,13 +4900,12 @@ Resolves: #582145 - Allow privhome apps including dovecot read on nfs and cifs home dirs if the boolean is set - * Tue Apr 1 2008 Dan Walsh 3.3.1-27 - Allow nsplugin to read /etc/mozpluggerrc, user_fonts - Allow syslog to manage innd logs. - Allow procmail to ioctl spamd_exec_t -* Sat Mar 28 2008 Dan Walsh 3.3.1-26 +* Sat Mar 29 2008 Dan Walsh 3.3.1-26 - Allow initrc_t to dbus chat with consolekit. * Thu Mar 27 2008 Dan Walsh 3.3.1-25 @@ -4879,7 +4916,7 @@ dirs if the boolean is set - Allow mount to mkdir on tmpfs - Allow ifconfig to search debugfs -* Fri Mar 18 2008 Dan Walsh 3.3.1-23 +* Fri Mar 21 2008 Dan Walsh 3.3.1-23 - Fix file context for MATLAB - Fixes for xace @@ -4984,17 +5021,17 @@ directory) * Fri Feb 15 2008 Dan Walsh 3.2.8-1 - Merge with upstream -* Thu Feb 5 2008 Dan Walsh 3.2.7-6 +* Thu Feb 7 2008 Dan Walsh 3.2.7-6 - Allow udev to send audit messages -* Thu Feb 5 2008 Dan Walsh 3.2.7-5 +* Thu Feb 7 2008 Dan Walsh 3.2.7-5 - Add additional login users interfaces - userdom_admin_login_user_template(staff) -* Thu Feb 5 2008 Dan Walsh 3.2.7-3 +* Thu Feb 7 2008 Dan Walsh 3.2.7-3 - More fixes for polkit -* Thu Feb 5 2008 Dan Walsh 3.2.7-2 +* Thu Feb 7 2008 Dan Walsh 3.2.7-2 - Eliminate transition from unconfined_t to qemu by default - Fixes for gpg @@ -5088,7 +5125,7 @@ directory) - Fix role transition from unconfined_r to system_r when running rpm - Allow unconfined_domains to communicate with user dbus instances -* Sat Dec 21 2007 Dan Walsh 3.2.5-5 +* Sat Dec 22 2007 Dan Walsh 3.2.5-5 - Fixes for xguest * Thu Dec 20 2007 Dan Walsh 3.2.5-4 
@@ -5161,19 +5198,19 @@ directory) - Allow udef to read alsa config - Fix xguest to be able to connect to sound port -* Fri Oct 17 2007 Dan Walsh 3.0.8-28 +* Fri Oct 19 2007 Dan Walsh 3.0.8-28 - Fixes for hald_mac - Treat unconfined_home_dir_t as a home dir - dontaudit rhgb writes to fonts and root -* Fri Oct 17 2007 Dan Walsh 3.0.8-27 +* Fri Oct 19 2007 Dan Walsh 3.0.8-27 - Fix dnsmasq - Allow rshd full login privs -* Thu Oct 16 2007 Dan Walsh 3.0.8-26 +* Thu Oct 18 2007 Dan Walsh 3.0.8-26 - Allow rshd to connect to ports > 1023 -* Thu Oct 16 2007 Dan Walsh 3.0.8-25 +* Thu Oct 18 2007 Dan Walsh 3.0.8-25 - Fix vpn to bind to port 4500 - Allow ssh to create shm - Add Kismet policy @@ -5207,16 +5244,16 @@ directory) * Mon Oct 1 2007 Dan Walsh 3.0.8-16 - Fix exim policy -* Thu Sep 24 2007 Dan Walsh 3.0.8-15 +* Thu Sep 27 2007 Dan Walsh 3.0.8-15 - Allow tmpreadper to read man_t - Allow racoon to bind to all nodes - Fixes for finger print reader -* Tue Sep 24 2007 Dan Walsh 3.0.8-14 +* Tue Sep 25 2007 Dan Walsh 3.0.8-14 - Allow xdm to talk to input device (fingerprint reader) - Allow octave to run as java -* Tue Sep 24 2007 Dan Walsh 3.0.8-13 +* Tue Sep 25 2007 Dan Walsh 3.0.8-13 - Allow login programs to set ioctl on /proc * Mon Sep 24 2007 Dan Walsh 3.0.8-12 @@ -5346,13 +5383,13 @@ directory) * Mon Jul 30 2007 Dan Walsh 3.0.4-3 - Allow xserver to write to ramfs mounted by rhgb -* Tue Jul 23 2007 Dan Walsh 3.0.4-2 +* Tue Jul 24 2007 Dan Walsh 3.0.4-2 - Add context for dbus machine id -* Tue Jul 23 2007 Dan Walsh 3.0.4-1 +* Tue Jul 24 2007 Dan Walsh 3.0.4-1 - Update with latest changes from upstream -* Tue Jul 23 2007 Dan Walsh 3.0.3-6 +* Tue Jul 24 2007 Dan Walsh 3.0.3-6 - Fix prelink to handle execmod * Mon Jul 23 2007 Dan Walsh 3.0.3-5 
@@ -5402,10 +5439,10 @@ directory) - fix squid - Fix rpm running as uid -* Wed Jun 26 2007 Dan Walsh 3.0.1-3 +* Tue Jun 26 2007 Dan Walsh 3.0.1-3 - Fix syslog declaration -* Wed Jun 26 2007 Dan Walsh 3.0.1-2 +* Tue Jun 26 2007 Dan Walsh 3.0.1-2 - Allow avahi to access inotify - Remove a lot of bogus security_t:filesystem avcs @@ -5449,9 +5486,6 @@ directory) * Fri Apr 27 2007 Dan Walsh 2.6.1-4 - Allow pcscd_t to send itself signals -* Fri Apr 27 2007 Dan Walsh 2.6.1-3 -- - * Wed Apr 25 2007 Dan Walsh 2.6.1-2 - Fixes for unix_update - Fix logwatch to be able to search all dirs @@ -5481,7 +5515,7 @@ directory) - Rwho policy - Fixes for consolekit -* Fri Apr 12 2007 Dan Walsh 2.5.12-3 +* Fri Apr 13 2007 Dan Walsh 2.5.12-3 - fixes for fusefs * Thu Apr 12 2007 Dan Walsh 2.5.12-2 @@ -5615,7 +5649,7 @@ Resolves: #227237 - Fixes to allow kpasswd to work - Fixes for bluetooth -* Fri Jan 25 2007 Dan Walsh 2.5.2-3 +* Fri Jan 26 2007 Dan Walsh 2.5.2-3 - Remove some targeted diffs in file context file * Thu Jan 25 2007 Dan Walsh 2.5.2-2 @@ -5724,7 +5758,7 @@ Resolves: #212957 Resolves: #217640 Resolves: #218014 -* Thu Nov 28 2006 Dan Walsh 2.4.6-3 +* Thu Nov 30 2006 Dan Walsh 2.4.6-3 - Allow login programs to polyinstatiate homedirs Resolves: #216184 - Allow quotacheck to create database files @@ -5738,7 +5772,7 @@ Resolves: #217611 Resolves: #217640 Resolves: #217725 -* Mon Nov 21 2006 Dan Walsh 2.4.5-4 +* Tue Nov 21 2006 Dan Walsh 2.4.5-4 - Fix context for helix players file_context #216942 * Mon Nov 20 2006 Dan Walsh 2.4.5-3 
@@ -5901,21 +5935,21 @@ Resolves: #217725 * Mon Oct 2 2006 Dan Walsh 2.3.17-2 - Fix crond handling for mls -* Fri Sep 28 2006 Dan Walsh 2.3.17-1 +* Fri Sep 29 2006 Dan Walsh 2.3.17-1 - Update to upstream -* Fri Sep 28 2006 Dan Walsh 2.3.16-9 +* Fri Sep 29 2006 Dan Walsh 2.3.16-9 - Remove bluetooth-helper transition - Add selinux_validate for semanage - Require new version of libsemanage -* Fri Sep 28 2006 Dan Walsh 2.3.16-8 +* Fri Sep 29 2006 Dan Walsh 2.3.16-8 - Fix prelink -* Fri Sep 28 2006 Dan Walsh 2.3.16-7 +* Fri Sep 29 2006 Dan Walsh 2.3.16-7 - Fix rhgb -* Thu Sep 27 2006 Dan Walsh 2.3.16-6 +* Thu Sep 28 2006 Dan Walsh 2.3.16-6 - Fix setrans handling on MLS and useradd * Wed Sep 27 2006 Dan Walsh 2.3.16-5 @@ -6022,15 +6056,15 @@ Resolves: #217725 * Wed Aug 23 2006 Dan Walsh 2.3.9-1 - Update to upstream -* Sun Aug 20 2006 Dan Walsh 2.3.8-2 +* Tue Aug 22 2006 Dan Walsh 2.3.8-2 - Fixes for stunnel and postgresql - Update from upstream -* Sat Aug 10 2006 Dan Walsh 2.3.7-1 +* Sat Aug 12 2006 Dan Walsh 2.3.7-1 - Update from upstream - More java fixes -* Fri Aug 10 2006 Dan Walsh 2.3.6-4 +* Fri Aug 11 2006 Dan Walsh 2.3.6-4 - Change allow_execstack to default to on, for RHEL5 Beta. This is required because of a Java compiler problem. Hope to turn off for next beta @@ -6320,7 +6354,7 @@ Resolves: #217725 - Lots of file_context fixes for textrel_shlib_t in FC5 - Turn off execmem auditallow since they are filling log files -* Fri Mar 30 2006 Dan Walsh 2.2.29-1 +* Fri Mar 31 2006 Dan Walsh 2.2.29-1 - Update to upstream * Thu Mar 30 2006 Dan Walsh 2.2.28-3 
@@ -6438,16 +6472,16 @@ Resolves: #217725 * Fri Feb 24 2006 Dan Walsh 2.2.21-5 - Fix problem with privoxy talking to Tor -* Thu Feb 22 2006 Dan Walsh 2.2.21-4 +* Thu Feb 23 2006 Dan Walsh 2.2.21-4 - Turn on polyinstatiation -* Thu Feb 22 2006 Dan Walsh 2.2.21-3 +* Thu Feb 23 2006 Dan Walsh 2.2.21-3 - Don't transition from unconfined_t to fsadm_t -* Thu Feb 22 2006 Dan Walsh 2.2.21-2 +* Thu Feb 23 2006 Dan Walsh 2.2.21-2 - Fix policy update model. -* Thu Feb 22 2006 Dan Walsh 2.2.21-1 +* Thu Feb 23 2006 Dan Walsh 2.2.21-1 - Update to upstream * Wed Feb 22 2006 Dan Walsh 2.2.20-1 @@ -6588,10 +6622,10 @@ Resolves: #217725 * Mon Jan 9 2006 Dan Walsh 2.1.8-1 - Update to upstream - Apply -* Fri Jan 7 2006 Dan Walsh 2.1.7-4 +* Fri Jan 6 2006 Dan Walsh 2.1.7-4 - Add wine and fix hal problems -* Thu Jan 6 2006 Dan Walsh 2.1.7-3 +* Thu Jan 5 2006 Dan Walsh 2.1.7-3 - Handle new location of hal scripts * Thu Jan 5 2006 Dan Walsh 2.1.7-2 @@ -6683,20 +6717,20 @@ Resolves: #217725 - fix requirements to be on the actual packages so that policy can get created properly at install time -* Sun Dec 10 2005 Dan Walsh 2.1.2-2 +* Sun Dec 11 2005 Dan Walsh 2.1.2-2 - Allow unconfined_t to execmod texrel_shlib_t -* Sat Dec 9 2005 Dan Walsh 2.1.2-1 +* Sat Dec 10 2005 Dan Walsh 2.1.2-1 - Update to upstream - Turn off allow_execmem and allow_execmod booleans - Add tcpd and automount policies -* Fri Dec 8 2005 Dan Walsh 2.1.1-3 +* Fri Dec 9 2005 Dan Walsh 2.1.1-3 - Add two new httpd booleans, turned off by default * httpd_can_network_relay * httpd_can_network_connect_db -* Fri Dec 8 2005 Dan Walsh 2.1.1-2 +* Fri Dec 9 2005 Dan Walsh 2.1.1-2 - Add ghost for policy.20 * Thu Dec 8 2005 Dan Walsh 2.1.1-1 
@@ -6739,10 +6773,10 @@ Update from upstream - Fix spec file - Fix up passwd changing applications -* Tue Nov 21 2005 Dan Walsh 2.0.5-1 +* Tue Nov 22 2005 Dan Walsh 2.0.5-1 -Update to latest from upstream -* Tue Nov 21 2005 Dan Walsh 2.0.4-1 +* Tue Nov 22 2005 Dan Walsh 2.0.4-1 - Add rules for pegasus and avahi * Mon Nov 21 2005 Dan Walsh 2.0.2-2
