[selinux-policy: 1316/3172] patch from dan Wed, 29 Mar 2006 15:32:51 -0500

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:59:07 UTC 2010


commit 724925579d2933ab642e0104b2fa7aaded9a7ceb
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Mar 30 15:59:39 2006 +0000

    patch from dan Wed, 29 Mar 2006 15:32:51 -0500

 refpolicy/man/man8/samba_selinux.8                |    2 +-
 refpolicy/policy/modules/admin/logwatch.te        |    3 +-
 refpolicy/policy/modules/admin/rpm.fc             |    2 +
 refpolicy/policy/modules/admin/rpm.te             |    2 +-
 refpolicy/policy/modules/admin/usermanage.te      |    4 +-
 refpolicy/policy/modules/kernel/corenetwork.te.in |    6 +-
 refpolicy/policy/modules/kernel/devices.if        |   38 +++++++++++++++
 refpolicy/policy/modules/kernel/devices.te        |    2 +-
 refpolicy/policy/modules/kernel/files.if          |   18 +++++++
 refpolicy/policy/modules/kernel/files.te          |    2 +-
 refpolicy/policy/modules/services/apm.te          |    7 ++-
 refpolicy/policy/modules/services/bluetooth.te    |    4 +-
 refpolicy/policy/modules/services/cups.te         |    5 ++-
 refpolicy/policy/modules/services/dovecot.te      |    4 +-
 refpolicy/policy/modules/services/ftp.te          |   12 +----
 refpolicy/policy/modules/services/hal.te          |    6 ++-
 refpolicy/policy/modules/services/pegasus.te      |    3 +-
 refpolicy/policy/modules/services/privoxy.te      |    7 ++-
 refpolicy/policy/modules/services/xfs.te          |    3 +-
 refpolicy/policy/modules/system/authlogin.te      |    4 +-
 refpolicy/policy/modules/system/fstools.te        |    4 +-
 refpolicy/policy/modules/system/libraries.fc      |    8 ++--
 refpolicy/policy/modules/system/libraries.te      |    2 +-
 refpolicy/policy/modules/system/mount.te          |    4 +-
 refpolicy/policy/modules/system/selinuxutil.fc    |    6 ++
 refpolicy/policy/modules/system/selinuxutil.te    |   52 +++++++++++++++++++-
 26 files changed, 171 insertions(+), 39 deletions(-)
---
diff --git a/refpolicy/man/man8/samba_selinux.8 b/refpolicy/man/man8/samba_selinux.8
index 55e10ac..f0268cc 100644
--- a/refpolicy/man/man8/samba_selinux.8
+++ b/refpolicy/man/man8/samba_selinux.8
@@ -23,7 +23,7 @@ If you want to make this permanant, i.e. survive a relabel, you must add an entr
 .SH SHARING FILES
 If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
 
-setsebool -P allow_smb_anon_write=1
+setsebool -P allow_smbd_anon_write=1
 
 .SH BOOLEANS
 .br 
diff --git a/refpolicy/policy/modules/admin/logwatch.te b/refpolicy/policy/modules/admin/logwatch.te
index 669df86..28ea0a2 100644
--- a/refpolicy/policy/modules/admin/logwatch.te
+++ b/refpolicy/policy/modules/admin/logwatch.te
@@ -1,5 +1,5 @@
 
-policy_module(logwatch,1.1.0)
+policy_module(logwatch,1.1.1)
 
 #################################
 #
@@ -52,6 +52,7 @@ files_read_etc_files(logwatch_t)
 files_read_etc_runtime_files(logwatch_t)
 files_read_usr_files(logwatch_t)
 files_search_spool(logwatch_t)
+files_search_mnt(logwatch_t)
 files_dontaudit_search_home(logwatch_t)
 
 fs_getattr_all_fs(logwatch_t)
diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc
index e7ee7d7..cf6a87f 100644
--- a/refpolicy/policy/modules/admin/rpm.fc
+++ b/refpolicy/policy/modules/admin/rpm.fc
@@ -9,6 +9,8 @@
 /usr/lib(64)?/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 
+/usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+
 ifdef(`distro_redhat', `
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/pirut			--	gen_context(system_u:object_r:rpm_exec_t,s0)
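Review bot: The new yumex entry is placed outside the `ifdef(`distro_redhat'` block even though the other package-manager front-ends labelled rpm_exec_t in this file (fedora-rmdevelrpms, pirut) live inside it and yumex is a Fedora/yum tool; moving `/usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)` under the ifdef keeps the distro-specific entry points together. Because rpm_exec_t is an entry point into rpm_t, any domain with an rpm domtrans reaches that domain through this file, so it is worth confirming that the launcher under /usr/share is really the executable and not a data file before giving it an entry-point label — that is not visible from the diff.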
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 502e1ed..a2bc8ce 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
 
-policy_module(rpm,1.3.2)
+policy_module(rpm,1.3.3)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index c66e420..10941b7 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
 
-policy_module(usermanage,1.3.1)
+policy_module(usermanage,1.3.2)
 
 ########################################
 #
@@ -225,6 +225,7 @@ domain_use_interactive_fds(groupadd_t)
 
 files_manage_etc_files(groupadd_t)
 files_relabel_etc_files(groupadd_t)
+files_read_etc_runtime_files(groupadd_t)
 
 libs_use_ld_so(groupadd_t)
 libs_use_shared_libs(groupadd_t)
@@ -492,6 +493,7 @@ domain_use_interactive_fds(useradd_t)
 files_manage_etc_files(useradd_t)
 files_search_var_lib(useradd_t)
 files_relabel_etc_files(useradd_t)
+files_read_etc_runtime_files(useradd_t)
 
 init_use_fds(useradd_t)
 init_rw_utmp(useradd_t)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 16fa9ac..eca4897 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.3)
+policy_module(corenetwork,1.1.4)
 
 ########################################
 #
@@ -68,7 +68,7 @@ network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
-network_port(hplip, tcp,50000,s0, tcp,50002,s0)
+network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,9100,s0)
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
 network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
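Review bot: Port 9100 is the generic JetDirect/raw-socket printing port rather than an HPLIP-specific one, so labelling it hplip_port_t on the changed line means every other confined domain that talks to raw network printers on 9100 (CUPS's socket backend, if it is confined — not visible here) now needs hplip port access. If sharing is intended, record it inline, e.g. `network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,9100,s0) # 9100 is raw/JetDirect printing, also used by cupsd`; otherwise a dedicated port type would keep the two separate.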
@@ -127,7 +127,7 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined por
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(xen, tcp,8002,s0)
-network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
 network_port(zebra, tcp,2601,s0)
 network_port(zope, tcp,8021,s0)
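Review bot: The new `tcp, 6000, s0` element on the xserver line has spaces after the commas while every other element in the file is written `tcp,6000,s0`; m4 strips leading whitespace from macro arguments so this presumably still builds, but it breaks the file's convention and should be `network_port(xserver, tcp,6000,s0, tcp,6001,s0, …)`.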
 
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 6ad516b..a5cfa0e 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2364,6 +2364,44 @@ interface(`dev_write_urand',`
 
 ########################################
 ## <summary>
+##	Getattr generic the USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 usb_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Setattr generic the USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 usb_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Read and write generic the USB devices.
 ## </summary>
 ## <param name="domain">
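Review bot: Both new interfaces use `device_t` in their body but list only `usb_device_t` in `gen_require`; in a modular build the interface is expanded inside the calling module, so every type it touches must be required — check how the neighbouring dev_getattr_*/dev_setattr_* interfaces declare it and use `type device_t, usb_device_t;` if they do. The summaries are garbled English: `##	Getattr generic the USB devices.` should read `##	Get the attributes of generic USB device nodes.` and the setattr one `##	Set the attributes of generic USB device nodes.`. Separately, `r_dir_perms` on device_t grants read and list of /dev for what is only an attribute operation; `search_dir_perms` is the minimum needed to reach the node, unless the file's existing getattr/setattr interfaces already grant the wider set for consistency.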
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 884eccd..9b119bb 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.1.3)
+policy_module(devices,1.1.4)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index b84c359..050c088 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
@@ -2151,6 +2151,24 @@ interface(`files_search_mnt',`
 ')
 
 ########################################
+## <summary>
+##	Do not audit attempts to search /mnt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_search_mnt',`
+	gen_require(`
+		type mnt_t;
+	')
+
+	dontaudit $1 mnt_t:dir search_dir_perms;
+')
+
+########################################
 #
 # files_list_mnt(domain)
 #
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index e5aabdf..4e47285 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
 
-policy_module(files,1.2.3)
+policy_module(files,1.2.4)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index c01e916..651b74e 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -1,5 +1,5 @@
 
-policy_module(apm,1.2.1)
+policy_module(apm,1.2.2)
 
 ########################################
 #
@@ -234,6 +234,11 @@ optional_policy(`
 	udev_read_state(apmd_t) #necessary?
 ')
 
+# cjp: related to sleep/resume (?)
+optional_policy(`
+	xserver_domtrans_xdm_xserver(apmd_t)
+')
+
 ifdef(`TODO',`
 allow apmd_t proc_t:file write;
 allow apmd_t user_tty_type:chr_file { ioctl read getattr lock write append };
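Review bot: The added `xserver_domtrans_xdm_xserver(apmd_t)` lets apmd launch a process in the XDM X server domain, and the only rationale is the `# cjp: related to sleep/resume (?)` question mark; a transition into the X server domain from a root daemon that runs event scripts is a notable grant and should not land with an open question. Either confirm the concrete need (presumably a resume script restarting X — not visible here) and record it, e.g. `# apmd resume scripts restart the X server`, or hold the rule until an AVC denial demonstrates it. The optional_policy block is complete within the hunk.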
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index daf0c41..074c2f3 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,1.2.2)
+policy_module(bluetooth,1.2.3)
 
 ########################################
 #
@@ -206,6 +206,8 @@ logging_send_syslog_msg(bluetooth_helper_t)
 miscfiles_read_localization(bluetooth_helper_t) 
 miscfiles_read_fonts(bluetooth_helper_t)
 
+sysnet_read_config(bluetooth_helper_t)
+
 ifdef(`targeted_policy',`
 	files_rw_generic_tmp_sockets(bluetooth_helper_t)
 
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 0c5fe40..9a2d72f 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.3.1)
+policy_module(cups,1.3.2)
 
 ########################################
 #
@@ -375,7 +375,9 @@ allow initrc_t cupsd_rw_etc_t:file r_file_perms;
 # HPLIP local policy
 #
 
+allow hplip_t self:capability net_raw;
 dontaudit hplip_t self:capability sys_tty_config;
+allow hplip_t self:fifo_file rw_file_perms;
 allow hplip_t self:process signal_perms;
 allow hplip_t self:unix_dgram_socket create_socket_perms;
 allow hplip_t self:unix_stream_socket create_socket_perms;
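Review bot: `allow hplip_t self:capability net_raw;` is added with no comment; CAP_NET_RAW permits raw and packet sockets (sniffing and crafting arbitrary frames), which is a large grant for a printer daemon, and unlike the neighbouring `sys_tty_config` it is allowed rather than dontaudited. If hplip only needs it for something like an ICMP probe of network printers (not visible here), record that, e.g. `# net_raw: hplip probes network printers with raw ICMP sockets`, and confirm a dontaudit would not be sufficient.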
@@ -418,6 +420,7 @@ corenet_tcp_connect_ipp_port(hplip_t)
 dev_read_sysfs(hplip_t)
 dev_rw_printer(hplip_t)
 dev_read_urand(hplip_t)
+dev_rw_generic_usb_dev(hplip_t)
 
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te
index b84404a..9ef28df 100644
--- a/refpolicy/policy/modules/services/dovecot.te
+++ b/refpolicy/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
 
-policy_module(dovecot,1.2.0)
+policy_module(dovecot,1.2.1)
 
 ########################################
 #
@@ -79,12 +79,14 @@ corenet_non_ipsec_sendrecv(dovecot_t)
 corenet_tcp_bind_all_nodes(dovecot_t)
 corenet_tcp_bind_pop_port(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
+corenet_tcp_connect_postgresql_port(dovecot_t)
 
 dev_read_sysfs(dovecot_t)
 dev_read_urand(dovecot_t)
 
 fs_getattr_all_fs(dovecot_t)
 fs_search_auto_mountpoints(dovecot_t)
+fs_list_inotifyfs(dovecot_t)
 
 term_dontaudit_use_console(dovecot_t)
 
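Review bot: The new `corenet_tcp_connect_postgresql_port(dovecot_t)` is redundant with `corenet_tcp_connect_all_ports(dovecot_t)` two lines above it, which already covers the postgresql port. The least-privilege direction is the reverse: keep the specific port rules and drop `corenet_tcp_connect_all_ports(dovecot_t)` so the IMAP/POP daemon is limited to the services it actually contacts; if all-ports is still required for some deployments, gate it behind a tunable and leave a comment saying why.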
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 169e8da..8ed9e17 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
 
-policy_module(ftp,1.2.0)
+policy_module(ftp,1.2.1)
 
 ########################################
 #
@@ -134,16 +134,6 @@ ifdef(`targeted_policy',`
 
 	term_dontaudit_use_generic_ptys(ftpd_t)
 	term_dontaudit_use_unallocated_ttys(ftpd_t)
-
-	optional_policy(`
-		tunable_policy(`ftpd_is_daemon',`
-			userdom_manage_generic_user_home_content_files(ftpd_t)
-			userdom_manage_generic_user_home_content_symlinks(ftpd_t)
-			userdom_manage_generic_user_home_content_sockets(ftpd_t)
-			userdom_manage_generic_user_home_content_pipes(ftpd_t)
-			userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
-		')
-	')
 ')
 
 tunable_policy(`allow_ftpd_anon_write',`
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 827f414..3ed03c2 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.1)
+policy_module(hal,1.3.2)
 
 ########################################
 #
@@ -215,6 +215,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+        ntp_domtrans(hald_t)
+')
+
+optional_policy(`
 	pcmcia_manage_pid(hald_t)
 	pcmcia_manage_pid_chr_files(hald_t)
 ')
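Review bot: The added `ntp_domtrans(hald_t)` is indented with eight spaces while the rest of the file uses a tab, and the transition has no rationale comment; hald spawning ntpd/ntpdate is presumably for a clock resync after resume or on a network-up event, but that is not visible here and should be confirmed. Fix the indentation and record the reason above the call, e.g. `	# hald runs ntpdate to resync the clock after resume`.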
diff --git a/refpolicy/policy/modules/services/pegasus.te b/refpolicy/policy/modules/services/pegasus.te
index 55a5075..b22f413 100644
--- a/refpolicy/policy/modules/services/pegasus.te
+++ b/refpolicy/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.1.0)
+policy_module(pegasus,1.1.1)
 
 ########################################
 #
@@ -77,6 +77,7 @@ corenet_tcp_bind_pegasus_http_port(pegasus_t)
 corenet_tcp_bind_pegasus_https_port(pegasus_t)
 corenet_tcp_connect_pegasus_http_port(pegasus_t)
 corenet_tcp_connect_pegasus_https_port(pegasus_t)
+corenet_tcp_connect_generic_port(pegasus_t)
 
 dev_read_sysfs(pegasus_t)
 dev_read_urand(pegasus_t)
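Review bot: `corenet_tcp_connect_generic_port(pegasus_t)` lets the CIM server connect to any port carrying the generic port_t label, i.e. everything not given a specific type in corenetwork, and the line carries no comment saying which service it needs to reach. If the target is a known port, give it its own port type in corenetwork.te.in and use a specific connect interface; if it is genuinely arbitrary (for example provider-configured endpoints — not visible here), say so inline: `# CIM providers connect to arbitrary unlabelled ports`.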
diff --git a/refpolicy/policy/modules/services/privoxy.te b/refpolicy/policy/modules/services/privoxy.te
index b4ba164..0be0cd7 100644
--- a/refpolicy/policy/modules/services/privoxy.te
+++ b/refpolicy/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
 
-policy_module(privoxy,1.1.0)
+policy_module(privoxy,1.1.1)
 
 ########################################
 #
@@ -51,6 +51,7 @@ corenet_non_ipsec_sendrecv(privoxy_t)
 corenet_tcp_bind_http_cache_port(privoxy_t)
 corenet_tcp_connect_http_port(privoxy_t)
 corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_connect_tor_port(privoxy_t)
 
 dev_read_sysfs(privoxy_t)
 
@@ -95,6 +96,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nscd_socket_use(privoxy_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(privoxy_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index 9cd8f96..6c5eac8 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
 
-policy_module(xfs,1.0.0)
+policy_module(xfs,1.0.1)
 
 ########################################
 #
@@ -53,6 +53,7 @@ domain_use_interactive_fds(xfs_t)
 
 files_read_etc_files(xfs_t)
 files_read_etc_runtime_files(xfs_t)
+files_read_usr_files(xfs_t)
 
 init_use_fds(xfs_t)
 init_use_script_ptys(xfs_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 11dddec..da36856 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.3.0)
+policy_module(authlogin,1.3.1)
 
 ########################################
 #
@@ -157,6 +157,8 @@ dev_getattr_dri_dev(pam_console_t)
 dev_setattr_dri_dev(pam_console_t)
 dev_getattr_framebuffer_dev(pam_console_t)
 dev_setattr_framebuffer_dev(pam_console_t)
+dev_getattr_generic_usb_dev(pam_console_t)
+dev_setattr_generic_usb_dev(pam_console_t)
 dev_getattr_misc_dev(pam_console_t)
 dev_setattr_misc_dev(pam_console_t)
 dev_getattr_mouse_dev(pam_console_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index ac64ff6..3b479a0 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.3.1)
+policy_module(fstools,1.3.2)
 
 ########################################
 #
@@ -67,6 +67,8 @@ dev_read_rand(fsadm_t)
 dev_read_urand(fsadm_t)
 # Recreate /dev/cdrom.
 dev_manage_generic_symlinks(fsadm_t)
+# fdisk needs this for early boot
+dev_manage_generic_blk_files(fsadm_t)
 # Access to /initrd devices
 dev_search_usbfs(fsadm_t)
 # for swapon
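Review bot: `dev_manage_generic_blk_files(fsadm_t)` grants create, unlink and write on every block device node in /dev labelled device_t, which is broader than the `# fdisk needs this for early boot` comment explains; if fdisk only opens existing nodes, `dev_rw_generic_blk_files(fsadm_t)` would suffice. If node creation really is required (e.g. partition nodes that do not yet exist in the initrd — not visible here), state that explicitly: `# fdisk creates missing partition device nodes during early boot`.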
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index c897505..f4c6b05 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -143,14 +143,14 @@ ifdef(`distro_redhat',`
 /usr/lib(64)?/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/ocaml/stublibs/dllnums\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/php/modules/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/php/modules/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib(64)?/xmms/Input/libmpg123\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?.*/libmpg123\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavformat-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat-.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libavcodec-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libavutil-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
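Review bot: The broadened pattern `/usr/lib(64)?.*/libmpg123\.so` on the changed line is missing a `/` after `(64)?`, so `.*` can match across any prefix beginning with `/usr/lib`, including paths such as `/usr/libexec/…/libmpg123.so`; since textrel_shlib_t is the label that permits execmod, the match should be no wider than intended. `/usr/lib(64)?(/.*)?/libmpg123\.so` keeps it under the library directories while still covering the xmms subdirectory the old entry named.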
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 8ed52a3..f6de196 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.1)
+policy_module(libraries,1.3.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 08a5c9c..9dc0be6 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
 
-policy_module(mount,1.3.1)
+policy_module(mount,1.3.2)
 
 ########################################
 #
@@ -72,6 +72,8 @@ files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
 # cjp: this seems wrong, the type should probably be etc
 files_read_isid_type_files(mount_t)
+# For reading cert files
+files_read_usr_files(mount_t)
 
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
index d66bfe6..34698ad 100644
--- a/refpolicy/policy/modules/system/selinuxutil.fc
+++ b/refpolicy/policy/modules/system/selinuxutil.fc
@@ -33,6 +33,7 @@
 /usr/lib(64)?/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
 
 /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
+/usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
 /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
 /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
 /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
@@ -40,3 +41,8 @@
 ifdef(`distro_debian', `
 /usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
 ')
+
+#
+# /var/run
+#
+/var/run/restorecond.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index f0201fe..7797059 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.2)
+policy_module(selinuxutil,1.2.3)
 
 gen_require(`
 	bool secure_mode;
@@ -83,6 +83,15 @@ domain_obj_id_change_exemption(restorecon_t)
 init_system_domain(restorecon_t,restorecon_exec_t)
 role system_r types restorecon_t;
 
+type restorecond_t;
+type restorecond_exec_t;
+init_daemon_domain(restorecond_t,restorecond_exec_t)
+domain_obj_id_change_exemption(restorecond_t)
+role system_r types restorecond_t;
+
+type restorecond_var_run_t;
+files_pid_file(restorecond_var_run_t)
+
 type run_init_t;
 type run_init_exec_t;
 domain_type(run_init_t)
@@ -415,6 +424,45 @@ domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
 
 allow restorecon_t kernel_t:unix_dgram_socket { read write };
 
+########################################
+#
+# Restorecond local policy
+#
+
+allow restorecond_t self:capability { dac_override dac_read_search fowner };
+allow restorecond_t self:fifo_file rw_file_perms;
+
+allow restorecond_t restorecond_var_run_t:file create_file_perms;
+files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
+
+auth_relabel_all_files_except_shadow(restorecond_t )
+auth_read_all_files_except_shadow(restorecond_t)
+
+kernel_use_fds(restorecond_t)
+kernel_rw_pipes(restorecond_t)
+kernel_read_system_state(restorecond_t)
+
+fs_getattr_xattr_fs(restorecond_t)
+fs_list_inotifyfs(restorecond_t)
+
+selinux_get_fs_mount(restorecond_t)
+selinux_validate_context(restorecond_t)
+selinux_compute_access_vector(restorecond_t)
+selinux_compute_create_context(restorecond_t)
+selinux_compute_relabel_context(restorecond_t)
+selinux_compute_user_contexts(restorecond_t)
+
+term_dontaudit_use_generic_ptys(restorecond_t)
+
+init_use_fds(restorecond_t)
+
+libs_use_ld_so(restorecond_t)
+libs_use_shared_libs(restorecond_t)
+
+logging_send_syslog_msg(restorecond_t)
+
+miscfiles_read_localization(run_init_t)
+
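Review bot: `miscfiles_read_localization(run_init_t)` at the end of the new restorecond local policy section names run_init_t instead of restorecond_t; every other line in the section targets restorecond_t and run_init's own section follows below, so this looks like a copy/paste slip that leaves the daemon without localization access and quietly adds the rule to run_init. It should read `miscfiles_read_localization(restorecond_t)`. Separately, `auth_relabel_all_files_except_shadow(restorecond_t )` has a stray space before the closing paren, and since restorecond presumably reads its watch list from a config file under /etc/selinux it may also need `seutil_read_config(restorecond_t)` — not shown here, so verify with an AVC run.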
 #################################
 #
 # Run_init local policy
@@ -594,8 +642,6 @@ logging_send_syslog_msg(setfiles_t)
 
 miscfiles_read_localization(setfiles_t)
 
-seutil_get_semanage_read_lock(setfiles_t)
-
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
 userdom_read_all_users_home_content_files(setfiles_t)

