diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 718fb3d..81c1286 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1820,7 +1820,7 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..bfc85a0 100644 +index 03ec5ca..025c177 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -89,7 +89,6 @@ template(`su_restricted_domain_template', ` 
@@ -1843,41 +1843,234 @@ index 03ec5ca..bfc85a0 100644 optional_policy(` cron_read_pipes($1_su_t) ') -@@ -208,7 +202,7 @@ template(`su_role_template',` +@@ -172,14 +166,6 @@ template(`su_role_template',` + role $2 types $1_su_t; - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) + allow $3 $1_su_t:process signal; +- +- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; +- dontaudit $1_su_t self:capability sys_tty_config; +- allow $1_su_t self:process { setexec setsched setrlimit }; +- allow $1_su_t self:fifo_file rw_fifo_file_perms; +- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; +- allow $1_su_t self:key { search write }; +- + allow $1_su_t $3:key search; + + # Transition from the user domain to this domain. +@@ -194,125 +180,12 @@ template(`su_role_template',` + allow $3 $1_su_t:process sigchld; + + kernel_read_system_state($1_su_t) +- kernel_read_kernel_sysctls($1_su_t) +- kernel_search_key($1_su_t) +- kernel_link_key($1_su_t) +- +- # for SSP +- dev_read_urand($1_su_t) +- +- fs_search_auto_mountpoints($1_su_t) + +- # needed for pam_rootok +- selinux_compute_access_vector($1_su_t) +- +- auth_domtrans_chk_passwd($1_su_t) +- auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) +- auth_rw_faillog($1_su_t) +- +- corecmd_search_bin($1_su_t) +- +- domain_use_interactive_fds($1_su_t) +- +- files_read_etc_files($1_su_t) +- files_read_etc_runtime_files($1_su_t) +- files_search_var_lib($1_su_t) +- files_dontaudit_getattr_tmp_dirs($1_su_t) +- +- init_dontaudit_use_fds($1_su_t) +- # Write to utmp. 
+- init_rw_utmp($1_su_t) + auth_use_pam($1_su_t) - auth_rw_faillog($1_su_t) - corecmd_search_bin($1_su_t) -@@ -228,10 +222,10 @@ template(`su_role_template',` + mls_file_write_all_levels($1_su_t) logging_send_syslog_msg($1_su_t) - +- - miscfiles_read_localization($1_su_t) - - userdom_use_user_terminals($1_su_t) - userdom_search_user_home_dirs($1_su_t) -+ userdom_search_admin_dir($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora -@@ -277,12 +271,7 @@ template(`su_role_template',` - ') - ') - +- +- userdom_use_user_terminals($1_su_t) +- userdom_search_user_home_dirs($1_su_t) +- +- ifdef(`distro_redhat',` +- # RHEL5 and possibly newer releases incl. Fedora +- auth_domtrans_upd_passwd($1_su_t) +- +- optional_policy(` +- locallogin_search_keys($1_su_t) +- ') +- ') +- +- ifdef(`distro_rhel4',` +- domain_role_change_exemption($1_su_t) +- domain_subj_id_change_exemption($1_su_t) +- domain_obj_id_change_exemption($1_su_t) +- +- selinux_get_fs_mount($1_su_t) +- selinux_validate_context($1_su_t) +- selinux_compute_create_context($1_su_t) +- selinux_compute_relabel_context($1_su_t) +- selinux_compute_user_contexts($1_su_t) +- +- # Relabel ttys and ptys. +- term_relabel_all_ttys($1_su_t) +- term_relabel_all_ptys($1_su_t) +- # Close and re-open ttys and ptys to get the fd into the correct domain. +- term_use_all_ttys($1_su_t) +- term_use_all_ptys($1_su_t) +- +- seutil_read_config($1_su_t) +- seutil_read_default_contexts($1_su_t) +- +- if(secure_mode) { +- # Only allow transitions to unprivileged user domains. 
+- userdom_spec_domtrans_unpriv_users($1_su_t) +- } else { +- # Allow transitions to all user domains +- userdom_spec_domtrans_all_users($1_su_t) +- } +- +- optional_policy(` +- unconfined_domtrans($1_su_t) +- unconfined_signal($1_su_t) +- ') +- ') +- - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $3:socket_class_set { read write }; - ') - - tunable_policy(`allow_polyinstantiation',` -+ tunable_policy(`polyinstantiation_enabled',` - fs_mount_xattr_fs($1_su_t) - fs_unmount_xattr_fs($1_su_t) - ') +- fs_mount_xattr_fs($1_su_t) +- fs_unmount_xattr_fs($1_su_t) +- ') +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_search_nfs($1_su_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_search_cifs($1_su_t) +- ') +- +- optional_policy(` +- cron_read_pipes($1_su_t) +- ') +- +- optional_policy(` +- kerberos_use($1_su_t) +- ') +- +- optional_policy(` +- # used when the password has expired +- usermanage_read_crack_db($1_su_t) +- ') +- +- # Modify .Xauthority file (via xauth program). 
+- optional_policy(` +- xserver_user_home_dir_filetrans_user_xauth($1_su_t) +- xserver_domtrans_xauth($1_su_t) +- ') + ') + + ####################################### +diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te +index 85bb77e..0df3b43 100644 +--- a/policy/modules/admin/su.te ++++ b/policy/modules/admin/su.te +@@ -9,3 +9,81 @@ attribute su_domain_type; + + type su_exec_t; + corecmd_executable_file(su_exec_t) ++ ++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; ++dontaudit su_domain_type self:capability sys_tty_config; ++allow su_domain_type self:process { setexec setsched setrlimit }; ++allow su_domain_type self:fifo_file rw_fifo_file_perms; ++allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; ++allow su_domain_type self:key { search write }; ++ ++kernel_read_kernel_sysctls(su_domain_type) ++kernel_search_key(su_domain_type) ++kernel_link_key(su_domain_type) ++ ++# for SSP ++dev_read_urand(su_domain_type) ++dev_dontaudit_getattr_all(su_domain_type) ++ ++fs_search_auto_mountpoints(su_domain_type) ++ ++# needed for pam_rootok ++selinux_compute_access_vector(su_domain_type) ++ ++corecmd_search_bin(su_domain_type) ++ ++domain_use_interactive_fds(su_domain_type) ++ ++files_read_etc_files(su_domain_type) ++files_read_etc_runtime_files(su_domain_type) ++files_search_var_lib(su_domain_type) ++files_dontaudit_getattr_tmp_dirs(su_domain_type) ++ ++init_dontaudit_use_fds(su_domain_type) ++# Write to utmp. ++init_rw_utmp(su_domain_type) ++ ++userdom_use_user_terminals(su_domain_type) ++userdom_search_user_home_dirs(su_domain_type) ++userdom_search_admin_dir(su_domain_type) ++ ++ifdef(`distro_redhat',` ++ # RHEL5 and possibly newer releases incl. 
Fedora ++ auth_domtrans_upd_passwd(su_domain_type) ++ ++ optional_policy(` ++ locallogin_search_keys(su_domain_type) ++ ') ++') ++ ++tunable_policy(`polyinstantiation_enabled',` ++ fs_mount_xattr_fs(su_domain_type) ++ fs_unmount_xattr_fs(su_domain_type) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs(su_domain_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(su_domain_type) ++') ++ ++optional_policy(` ++ cron_read_pipes(su_domain_type) ++') ++ ++optional_policy(` ++ kerberos_use(su_domain_type) ++') ++ ++optional_policy(` ++ # used when the password has expired ++ usermanage_read_crack_db(su_domain_type) ++') ++ ++# Modify .Xauthority file (via xauth program). ++optional_policy(` ++ xserver_user_home_dir_filetrans_user_xauth(su_domain_type) ++ xserver_domtrans_xauth(su_domain_type) ++') diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc index 7bddc02..2b59ed0 100644 --- a/policy/modules/admin/sudo.fc @@ -29858,7 +30051,7 @@ index 808ba93..9d8f729 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 23a645e..f0cbd38 100644 +index 23a645e..52a8540 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) 
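Review bot: The capability block `allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };` and the other rules moved into su.te now attach to the `su_domain_type` attribute, so every type carrying that attribute, including any declared outside su.if, receives the whole set; a comment above the block recording that this is the intended common baseline, e.g. `# common rules for every su domain (su_domain_type); caller-specific rules stay in su_role_template`, would document the decision. `dev_dontaudit_getattr_all(su_domain_type)` is new rather than moved and also deserves a one-line reason. On the new side of the rewritten su.if hunk the `ifdef(`hide_broken_symptoms',` dontaudit of leaked `$3` sockets no longer appears; if that is a real removal rather than an artifact of this collapsed rendering, nothing in su.te can stand in for it because it references the caller domain `$3`. The enclosing `su_role_template` starts outside the hunk.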
@@ -29891,21 +30084,23 @@ index 23a645e..f0cbd38 100644 files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t) +@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t) +files_list_var_lib(ldconfig_t) ++files_dontaudit_leaks(ldconfig_t) +files_manage_var_lib_symlinks(ldconfig_t) + corecmd_search_bin(ldconfig_t) domain_use_interactive_fds(ldconfig_t) +-files_search_var_lib(ldconfig_t) +files_search_home(ldconfig_t) - files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) + files_search_tmp(ldconfig_t) @@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t) init_use_script_ptys(ldconfig_t) init_read_script_tmp_files(ldconfig_t) @@ -35040,7 +35235,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..7a9577f 100644 +index b7686d5..087fe08 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -35136,7 +35331,7 @@ index b7686d5..7a9577f 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) +@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) 
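Review bot: `files_dontaudit_leaks(ldconfig_t)` is added without a comment naming the leaked descriptor it silences, and a blanket dontaudit on leaks can hide a genuine denial the next time ldconfig is run from a new caller. Record the trigger above it, e.g. `# dontaudit fds leaked into ldconfig by its caller — TODO record the originating AVC`. The same hunk drops `files_search_var_lib(ldconfig_t)`; that is fine if `files_list_var_lib` implies search, which I believe it does but have not verified here.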
@@ -35159,10 +35354,11 @@ index b7686d5..7a9577f 100644 files_dontaudit_search_locks(dhcpc_t) files_getattr_generic_locks(dhcpc_t) +files_rw_inherited_tmp_file(dhcpc_t) ++files_dontaudit_rw_inherited_locks(dhcpc_t) fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -35179,7 +35375,7 @@ index b7686d5..7a9577f 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',` +@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -35195,7 +35391,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -174,10 +204,6 @@ optional_policy(` +@@ -174,10 +205,6 @@ optional_policy(` ') optional_policy(` @@ -35206,7 +35402,7 @@ index b7686d5..7a9577f 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -190,23 +216,36 @@ optional_policy(` +@@ -190,23 +217,36 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -35243,7 +35439,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -216,7 +255,11 @@ optional_policy(` +@@ -216,7 +256,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -35256,7 +35452,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -228,6 +271,10 @@ optional_policy(` +@@ -228,6 +272,10 @@ optional_policy(` ') optional_policy(` @@ -35267,7 +35463,7 @@ index b7686d5..7a9577f 100644 vmware_append_log(dhcpc_t) ') -@@ -259,12 +306,23 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
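Review bot: `files_dontaudit_rw_inherited_locks(dhcpc_t)` is added with no comment on which inherited lock file is being silenced; the same addition appears for `ifconfig_t` in the `@@ -35312,6 +35508,7 @@` hunk below. A short why-comment on each, e.g. `# lock file inherited from the caller that spawns the client — TODO confirm`, keeps the dontaudit from being mistaken later for a missing permission.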
@@ -35291,7 +35487,7 @@ index b7686d5..7a9577f 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +332,29 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -35312,6 +35508,7 @@ index b7686d5..7a9577f 100644 +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + +files_dontaudit_rw_inherited_pipes(ifconfig_t) ++files_dontaudit_rw_inherited_locks(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) + @@ -35321,7 +35518,7 @@ index b7686d5..7a9577f 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +367,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -35349,7 +35546,7 @@ index b7686d5..7a9577f 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +391,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -35372,7 +35569,7 @@ index b7686d5..7a9577f 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +417,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -35386,7 +35583,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -339,7 +430,15 @@ optional_policy(` +@@ -339,7 +432,15 @@ optional_policy(` ') optional_policy(` @@ -35403,7 +35600,7 @@ index b7686d5..7a9577f 100644 ') optional_policy(` -@@ -360,3 +459,13 @@ optional_policy(` +@@ -360,3 +461,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -38804,7 +39001,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..5dc956a 100644 +index 3c5dba7..fc2fb65 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39366,7 +39563,7 @@ index 3c5dba7..5dc956a 100644 ############################## # -@@ -501,41 +632,52 @@ template(`userdom_common_user_template',` +@@ -501,41 +632,51 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -39389,7 +39586,6 @@ index 3c5dba7..5dc956a 100644 - kernel_read_device_sysctls($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -+ kernel_stream_connect($1_usertype) - corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) @@ -39442,7 +39638,7 @@ index 3c5dba7..5dc956a 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +688,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +687,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -39601,7 +39797,7 @@ index 3c5dba7..5dc956a 100644 ') optional_policy(` -@@ -642,23 +811,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -39630,7 +39826,7 @@ index 3c5dba7..5dc956a 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +838,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -39639,7 +39835,7 @@ index 3c5dba7..5dc956a 100644 ') optional_policy(` -@@ -680,9 +847,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39652,7 +39848,7 @@ index 3c5dba7..5dc956a 100644 ') ') -@@ -693,32 +860,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +859,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39699,7 +39895,7 @@ index 3c5dba7..5dc956a 100644 ') ') -@@ -743,17 +913,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -39737,7 +39933,7 @@ index 3c5dba7..5dc956a 100644 userdom_change_password_template($1) -@@ -761,82 +947,99 @@ template(`userdom_login_user_template', ` +@@ -761,82 +946,99 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -39873,22 +40069,24 @@ index 3c5dba7..5dc956a 100644 ') ') -@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) + allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; + -+ seutil_read_file_contexts($1_t) -+ seutil_read_default_contexts($1_t) ++ seutil_read_file_contexts($1_t) ++ seutil_read_default_contexts($1_t) + ############################## # # Local policy -@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',` + # # Local policy # ++ kernel_stream_connect($1_usertype) - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) 
@@ -40118,20 +40316,20 @@ index 3c5dba7..5dc956a 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) + ') + + optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) + ') + + optional_policy(` ++ wine_role_template($1, $1_r, $1_t) + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') @@ -40831,7 +41029,7 @@ index 3c5dba7..5dc956a 100644 ') ######################################## -@@ -2027,21 +2632,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2632,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -40845,18 +41043,17 @@ index 3c5dba7..5dc956a 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. @@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 6927ccb..aa2e445 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2023,7 +2023,7 @@ index 7f4dfbc..4d750fa 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) 
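Review bot: `kernel_stream_connect($1_usertype)` is moved out of `userdom_common_user_template` (hunk `@@ -39389,7 +39586,6 @@` above) and into `userdom_restricted_xwindows_user_template` here, which narrows the set of user domains allowed to connect to kernel-labelled unix stream sockets; that narrowing is the interesting part and nothing in the hunk explains it. A comment at the new location, e.g. `# graphical users connect to a kernel_t-labelled stream socket — TODO name the service`, would record why X users need it and login-only users do not. The enclosing template starts and ends outside the hunk.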
diff --git a/amanda.te b/amanda.te -index ed45974..95b56a6 100644 +index ed45974..cd5a4fa 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,13 @@ attribute_role amanda_recover_roles; @@ -2033,7 +2033,7 @@ index ed45974..95b56a6 100644 +type amanda_exec_t; type amanda_inetd_exec_t; -inetd_service_domain(amanda_t, amanda_inetd_exec_t) -+init_daemon_domain(amanda_t, amanda_exec_t) ++init_daemon_domain(amanda_t, amanda_inetd_exec_t) +role system_r types amanda_t; -type amanda_exec_t; @@ -24947,7 +24947,7 @@ index 1e29af1..c67e44e 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index 93b0301..eafea5b 100644 +index 93b0301..11a76a5 100644 --- a/git.te +++ b/git.te @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) @@ -24965,13 +24965,7 @@ index 93b0301..eafea5b 100644 ## Determine whether Git system daemon ## can search home directories. ##
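Review bot: With `init_daemon_domain(amanda_t, amanda_inetd_exec_t)` replacing the earlier `amanda_exec_t` variant, the still-declared `type amanda_exec_t;` has no entrypoint or transition visible in this hunk; if nothing else in amanda.te uses it, files labelled `amanda_exec_t` can no longer enter `amanda_t`, so either drop the type or add the intended entry rule for it. I cannot see the rest of amanda.te from here, so this may already be handled elsewhere in the file.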

-@@ -87,15 +79,16 @@ apache_content_template(git) - type git_system_t, git_daemon; - type gitd_exec_t; - inetd_service_domain(git_system_t, gitd_exec_t) -+init_domain(git_system_t, gitd_exec_t) - - type git_session_t, git_daemon; +@@ -92,10 +84,10 @@ type git_session_t, git_daemon; userdom_user_application_domain(git_session_t, gitd_exec_t) role git_session_roles types git_session_t; @@ -24984,7 +24978,7 @@ index 93b0301..eafea5b 100644 userdom_user_home_content(git_user_content_t) ######################################## -@@ -109,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) +@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t) read_files_pattern(git_session_t, git_user_content_t, git_user_content_t) userdom_search_user_home_dirs(git_session_t) @@ -24993,7 +24987,7 @@ index 93b0301..eafea5b 100644 corenet_all_recvfrom_netlabel(git_session_t) corenet_all_recvfrom_unlabeled(git_session_t) corenet_tcp_bind_generic_node(git_session_t) -@@ -129,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` +@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',` corenet_tcp_sendrecv_all_ports(git_session_t) ') @@ -25004,7 +24998,7 @@ index 93b0301..eafea5b 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(git_session_t) -@@ -157,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',` +@@ -157,6 +149,9 @@ tunable_policy(`use_samba_home_dirs',` list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) @@ -25014,7 +25008,7 @@ index 93b0301..eafea5b 100644 files_search_var_lib(git_system_t) auth_use_nsswitch(git_system_t) -@@ -255,12 +251,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -255,12 +250,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; 
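Review bot: Dropping the `init_domain(git_system_t, gitd_exec_t)` addition is only safe because this patch's inetd.if hunk makes `inetd_core_service_domain` call `init_domain($1, $2)` for every inetd service; the same reliance applies to the removed `init_daemon_domain(rlogind_t, rlogind_exec_t)` in rlogin.te and `init_domain(rsync_t, rsync_exec_t)` in rsync.te. For rlogind the replacement is not one-for-one, since `init_daemon_domain` does more than `init_domain` (daemon attribute and system_r role, as far as I recall), so it is worth confirming that `inetd_core_service_domain` already supplies what rlogind needs. The git.te context keeps `inetd_service_domain(git_system_t, gitd_exec_t)`, so git_system_t does receive the interface's new call.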
@@ -29958,14 +29952,16 @@ index 05387d1..08a489c 100644 userdom_dontaudit_search_user_home_dirs(imazesrv_t) diff --git a/inetd.if b/inetd.if -index fbb54e7..b347964 100644 +index fbb54e7..05c3777 100644 --- a/inetd.if +++ b/inetd.if -@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',` +@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',` domtrans_pattern(inetd_t, $2, $1) allow inetd_t $1:process { siginh sigkill }; + ++ init_domain($1, $2) ++ + optional_policy(` + abrt_stream_connect($1) + ') @@ -36154,7 +36150,7 @@ index b9270f7..15f3748 100644 ') diff --git a/lsm.fc b/lsm.fc new file mode 100644 -index 0000000..711c04b +index 0000000..81cd4e0 --- /dev/null +++ b/lsm.fc @@ -0,0 +1,5 @@ @@ -36162,7 +36158,7 @@ index 0000000..711c04b + +/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) + -+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0) ++/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) diff --git a/lsm.if b/lsm.if new file mode 100644 index 0000000..e8d4ce2 @@ -50590,10 +50586,17 @@ index 296a1d3..edc3e32 100644 +userdom_stream_connect(oddjob_mkhomedir_t) + diff --git a/openct.te b/openct.te -index 8467596..66f068f 100644 +index 8467596..428ae48 100644 --- a/openct.te +++ b/openct.te -@@ -28,12 +28,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) +@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t) + + dontaudit openct_t self:capability sys_tty_config; + allow openct_t self:process signal_perms; ++allow openct_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) 
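Review bot: `init_domain($1, $2)` is added unconditionally to `inetd_core_service_domain` without a comment, so every inetd service domain becomes directly enterable from init; a reader of inetd.if alone cannot tell this is deliberate, so record it, e.g. `# services may also be started directly by init (socket activation), not only via inetd_t — TODO confirm`. Because this widens every existing caller of the interface at once, listing the affected services in the commit message would help the next audit. The enclosing interface starts outside the hunk.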
@@ -50608,7 +50611,7 @@ index 8467596..66f068f 100644 dev_read_sysfs(openct_t) dev_rw_usbfs(openct_t) dev_rw_smartcard(openct_t) -@@ -41,15 +41,12 @@ dev_rw_generic_usb_dev(openct_t) +@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) domain_use_interactive_fds(openct_t) @@ -72017,18 +72020,10 @@ index 050479d..0e1b364 100644 type rlogind_home_t; ') diff --git a/rlogin.te b/rlogin.te -index d34cdec..eeeee9b 100644 +index d34cdec..f41c9c5 100644 --- a/rlogin.te +++ b/rlogin.te -@@ -9,6 +9,7 @@ type rlogind_t; - type rlogind_exec_t; - auth_login_pgm_domain(rlogind_t) - inetd_service_domain(rlogind_t, rlogind_exec_t) -+init_daemon_domain(rlogind_t, rlogind_exec_t) - - type rlogind_devpts_t; - term_login_pty(rlogind_devpts_t) -@@ -30,7 +31,9 @@ files_pid_file(rlogind_var_run_t) +@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t) allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; allow rlogind_t self:process signal_perms; allow rlogind_t self:fifo_file rw_fifo_file_perms; @@ -72039,7 +72034,7 @@ index d34cdec..eeeee9b 100644 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(rlogind_t, rlogind_devpts_t) -@@ -39,7 +42,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; +@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms; manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t) @@ -72047,7 +72042,7 @@ index d34cdec..eeeee9b 100644 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -50,7 +52,6 @@ kernel_read_kernel_sysctls(rlogind_t) +@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t) kernel_read_system_state(rlogind_t) kernel_read_network_state(rlogind_t) 
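Review bot: `allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;` is added with no comment on what openct listens to uevents for. Record it above the rule, e.g. `# receive device hotplug uevents for smartcard readers — TODO confirm`, so the rule is not later mistaken for leftover permissiveness.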
@@ -72055,7 +72050,7 @@ index d34cdec..eeeee9b 100644 corenet_all_recvfrom_netlabel(rlogind_t) corenet_tcp_sendrecv_generic_if(rlogind_t) corenet_udp_sendrecv_generic_if(rlogind_t) -@@ -67,6 +68,7 @@ fs_getattr_all_fs(rlogind_t) +@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t) fs_search_auto_mountpoints(rlogind_t) auth_domtrans_chk_passwd(rlogind_t) @@ -72063,7 +72058,7 @@ index d34cdec..eeeee9b 100644 auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) -@@ -77,30 +79,23 @@ init_rw_utmp(rlogind_t) +@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t) logging_send_syslog_msg(rlogind_t) @@ -74938,7 +74933,7 @@ index f1140ef..ebc2190 100644 + files_etc_filetrans($1, rsync_etc_t, $2, $3) ') diff --git a/rsync.te b/rsync.te -index e3e7c96..0820cb2 100644 +index e3e7c96..ec50426 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -74947,7 +74942,7 @@ index e3e7c96..0820cb2 100644 ######################################## # -@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2) +@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2) # ## @@ -75023,7 +75018,6 @@ index e3e7c96..0820cb2 100644 -init_daemon_domain(rsync_t, rsync_exec_t) -application_domain(rsync_t, rsync_exec_t) -role rsync_roles types rsync_t; -+init_domain(rsync_t, rsync_exec_t) +application_executable_file(rsync_exec_t) +role system_r types rsync_t; @@ -75035,7 +75029,7 @@ index e3e7c96..0820cb2 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; 
@@ -75066,7 +75060,7 @@ index e3e7c96..0820cb2 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -82402,10 +82396,25 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..e3580b2 100644 +index 703efa3..f9d6ed6 100644 --- a/sosreport.te +++ b/sosreport.te -@@ -33,6 +33,8 @@ allow sosreport_t self:process { setsched signull }; +@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) + type sosreport_tmpfs_t; + files_tmpfs_file(sosreport_tmpfs_t) + ++type sosreport_var_run_t; ++files_pid_file(sosreport_var_run_t) ++ + optional_policy(` + pulseaudio_tmpfs_content(sosreport_tmpfs_t) + ') +@@ -29,10 +32,13 @@ optional_policy(` + # + + allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; ++dontaudit sosreport_t self:capability { sys_ptrace }; + allow sosreport_t self:process { setsched signull }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket { accept listen }; allow sosreport_t self:unix_stream_socket { accept listen }; 
@@ -82414,16 +82423,37 @@ index 703efa3..e3580b2 100644 manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) -@@ -58,6 +60,8 @@ dev_read_rand(sosreport_t) +@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") + files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) + ++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file }) ++ + manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) + fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) + +@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t) dev_read_urand(sosreport_t) dev_read_raw_memory(sosreport_t) dev_read_sysfs(sosreport_t) ++dev_rw_generic_usb_dev(sosreport_t) +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) domain_getattr_all_domains(sosreport_t) domain_read_all_domains_state(sosreport_t) -@@ -70,7 +74,6 @@ files_list_all(sosreport_t) +@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t) + domain_getattr_all_pipes(sosreport_t) + + files_getattr_all_sockets(sosreport_t) ++files_getattr_all_files(sosreport_t) ++files_getattr_all_pipes(sosreport_t) + files_exec_etc_files(sosreport_t) + files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) 
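Review bot: `dontaudit sosreport_t self:capability { sys_ptrace };` has no comment, and the braces around a single permission are unusual in this file (compare the `allow sosreport_t self:capability { ... }` list style only for multiple permissions). Suggest `dontaudit sosreport_t self:capability sys_ptrace;` preceded by `# reading other domains' /proc state can trigger a sys_ptrace check sosreport does not need — TODO confirm`.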
@@ -82431,7 +82461,7 @@ index 703efa3..e3580b2 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -79,23 +82,31 @@ files_manage_etc_runtime_files(sosreport_t) +@@ -79,27 +95,41 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) fs_getattr_all_fs(sosreport_t) @@ -82443,6 +82473,7 @@ index 703efa3..e3580b2 100644 +term_getattr_pty_fs(sosreport_t) +term_getattr_all_ptys(sosreport_t) ++term_use_generic_ptys(sosreport_t) + +# some config files do not have configfile attribute +# sosreport needs to read various files on system @@ -82465,18 +82496,16 @@ index 703efa3..e3580b2 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -103,6 +114,10 @@ optional_policy(` - ') - - optional_policy(` -+ brctl_domtrans(sosreport_t) + abrt_manage_cache(sosreport_t) ++ abrt_stream_connect(sosreport_t) +') + +optional_policy(` - cups_stream_connect(sosreport_t) ++ brctl_domtrans(sosreport_t) ') -@@ -111,6 +126,11 @@ optional_policy(` + optional_policy(` +@@ -111,6 +141,11 @@ optional_policy(` ') optional_policy(` @@ -87240,7 +87269,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index c93c973..b04d201 100644 +index c93c973..4ec1eb0 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) @@ -87252,7 +87281,7 @@ index c93c973..b04d201 100644 allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t) +@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) 
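Review bot: `dev_rw_generic_usb_dev(sosreport_t)` grants read and write on generic USB device nodes to a diagnostics collector; for gathering device information a read-only or getattr variant is the expected scope, so if write really is required (some USB query ioctls may need it) a comment should say so. The `sosreport_var_run_t` block also grants `manage_*` over dirs, files, sock_files and lnk_files plus `files_pid_filetrans` for `{ file dir sock_file }`; if sosreport only writes a pid or lock file there, `manage_lnk_files_pattern` and the sock_file transition can likely be dropped, which is worth checking against the actual contents of its run directory.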
@@ -87260,7 +87289,11 @@ index c93c973..b04d201 100644 corenet_tcp_sendrecv_generic_if(tgtd_t) corenet_tcp_sendrecv_generic_node(tgtd_t) corenet_tcp_bind_generic_node(tgtd_t) -@@ -69,16 +68,16 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t) + + corenet_sendrecv_iscsi_server_packets(tgtd_t) + corenet_tcp_bind_iscsi_port(tgtd_t) ++corenet_tcp_connect_isns_port(tgtd_t) + corenet_tcp_sendrecv_iscsi_port(tgtd_t) dev_read_sysfs(tgtd_t) @@ -92140,7 +92173,7 @@ index 9dec06c..4e31afe 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..a4ae8e0 100644 +index 1f22fba..d48d354 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -92999,7 +93032,7 @@ index 1f22fba..a4ae8e0 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +592,261 @@ optional_policy(` +@@ -737,44 +592,262 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -93020,6 +93053,7 @@ index 1f22fba..a4ae8e0 100644 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; ++allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; -allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; -allow virsh_t self:process { getcap getsched setsched setcap signal }; @@ -93283,7 +93317,7 @@ index 1f22fba..a4ae8e0 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +857,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -93310,7 +93344,7 @@ index 1f22fba..a4ae8e0 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +877,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
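Review bot: `corenet_tcp_connect_isns_port(tgtd_t)` in the `@@ -87260,7 +87289,11 @@` hunk makes tgtd an unconditional outbound iSNS client with no comment on why, whereas the sibling corenet lines in this hunk are bind/sendrecv rules for the iSCSI server role. I would add `# tgtd registers its targets with an iSNS server -- confirm` above it, or gate it behind a tunable if iSNS registration is optional in tgtd's configuration, so deployments without iSNS do not carry the extra egress. The enclosing tgtd.te hunk was widened (`+@@ -58,27 +58,27 @@` on the previous line) and its remainder is outside this view.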
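Review bot: `allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;` in the `@@ -93020,6 +93053,7 @@` hunk is attached to the `virt_domain` attribute, so every type carrying it (the changelog calls these the svirt domains) can now open a uevent socket and receive host device-event notifications, and the line carries no comment saying which component needs it. I would add `# svirt domains create kobject_uevent sockets (device hot-plug notifications) -- confirm which component needs this` above it, and if only one of the attribute's types actually needs it, grant it to that type rather than the whole attribute. The run of `virt_domain self:*` rules this line joins starts before the hunk.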
@@ -93342,7 +93376,7 @@ index 1f22fba..a4ae8e0 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +910,20 @@ optional_policy(` +@@ -847,14 +911,20 @@ optional_policy(` ') optional_policy(` @@ -93364,7 +93398,7 @@ index 1f22fba..a4ae8e0 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +948,65 @@ optional_policy(` +@@ -879,49 +949,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -93448,7 +93482,7 @@ index 1f22fba..a4ae8e0 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1018,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -93468,7 +93502,7 @@ index 1f22fba..a4ae8e0 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1039,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -93492,7 +93526,7 @@ index 1f22fba..a4ae8e0 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1064,247 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -93870,7 +93904,7 @@ index 1f22fba..a4ae8e0 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1317,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -93885,7 +93919,7 @@ index 1f22fba..a4ae8e0 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1335,8 @@ optional_policy(` +@@ -1183,9 +1336,8 @@ optional_policy(` ######################################## # @@ -93896,7 +93930,7 @@ index 1f22fba..a4ae8e0 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1349,120 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 78f2179..609d27e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 75%{?dist} +Release: 76%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -92,7 +92,7 @@ fi; exit 0 %preun sandbox -semodule -n -r sandbox 2>/dev/null +semodule -n -d sandbox 2>/dev/null if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi;exit 0 
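Review bot: `semodule -n -d sandbox 2>/dev/null` in the `%preun sandbox` hunk changes uninstall of the sandbox subpackage from removing the module to disabling it, so the module stays in the policy store after the package is gone, and the spec gives no reason. I would add `# disable rather than remove: <reason -- TODO>` above the line so the next maintainer does not revert it as a typo, and confirm that the `%post` scriptlet (outside this view) re-enables the module on reinstall, since a store entry left disabled would otherwise keep the sandbox policy silently off. Errors are still discarded by `2>/dev/null` and the scriptlet ends in `exit 0`, which is acceptable for a scriptlet but hides a failing `-d`.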
@@ -569,6 +569,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Sep 4 2013 Miroslav Grepl 3.12.1-76
+- Cleanup related to init_domain()+inetd_domain fixes
+- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain
+- svirt domains neeed to create kobject_uevint_sockets
+- Lots of new access required for sosreport
+- Allow tgtd_t to connect to isns ports
+- Allow init_t to transition to all inetd domains:
+- openct needs to be able to create netlink_object_uevent_sockets
+- Dontaudit leaks into ldconfig_t
+- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls
+- Move kernel_stream_connect into all Xwindow using users
+- Dontaudit inherited lock files in ifconfig o dhcpc_t
+
 * Tue Sep 3 2013 Miroslav Grepl 3.12.1-75
 - Also sock_file trans rule is needed in lsm
 - Fix labeling for fetchmail pid files/dirs