[selinux-policy/f15] - Fixes for zarafa, postfix policy - Backport collect policy
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Aug 5 13:31:09 UTC 2011
commit 01c2b0ca9390276ae21168ac340b08f411f87954
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Aug 5 15:30:43 2011 +0200
- Fixes for zarafa, postfix policy
- Backport collect policy
modules-targeted.conf | 7 +
policy-F15.patch | 892 +++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 6 +-
3 files changed, 694 insertions(+), 211 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 2d12a6b..aceefbb 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2368,3 +2368,10 @@ namespace = module
# policy for l2tpd
#
l2tpd = module
+
+# Layer: services
+# Module: collectd
+#
+# policy for collectd
+#
+collectd = module
diff --git a/policy-F15.patch b/policy-F15.patch
index 651fdc7..a703605 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -5781,7 +5781,7 @@ index 93ac529..aafece7 100644
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..8668188 100644
+index 9a6d67d..45c5566 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -5840,7 +5840,7 @@ index 9a6d67d..8668188 100644
## Execmod mozilla home directory content.
## </summary>
## <param name="domain">
-@@ -168,6 +194,77 @@ interface(`mozilla_domtrans',`
+@@ -168,6 +194,80 @@ interface(`mozilla_domtrans',`
########################################
## <summary>
@@ -5892,6 +5892,9 @@ index 9a6d67d..8668188 100644
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:process { signal sigkill };
+
++ allow mozilla_plugin_t $1:shm rw_shm_perms;
++ allow mozilla_plugin_t $1:sem create_sem_perms;
++
+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+')
+
@@ -5918,7 +5921,7 @@ index 9a6d67d..8668188 100644
## Send and receive messages from
## mozilla over dbus.
## </summary>
-@@ -204,3 +301,57 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -204,3 +304,57 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
@@ -11371,7 +11374,7 @@ index 5a07a43..096bc60 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..c0ccec7 100644
+index 0757523..7652d34 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11521,7 +11524,7 @@ index 0757523..c0ccec7 100644
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
+network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0)
+network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
+network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
+network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
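Review bot: The collapsed declaration `network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0)` labels one port more than the line it replaces, which listed 9443, 9444 and 9445 individually; if bringing 9446 into pki_ca_port_t is intended it should be stated in the commit message, otherwise the range should read `tcp, 9443-9445, s0`. The neighbouring pki_kra, pki_ocsp and pki_tks declarations still enumerate their last three ports one by one, so either they should adopt the same range form or the pki_ca line should stay consistent with them. The range syntax itself is fine; the only question is which ports end up in the type.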
@@ -19102,7 +19105,7 @@ index 9e39aa5..0119d45 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..2d45594 100644
+index 6480167..04f38b8 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -19644,7 +19647,7 @@ index 6480167..2d45594 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1389,43 @@ interface(`apache_admin',`
+@@ -1205,14 +1389,61 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -19692,6 +19695,24 @@ index 6480167..2d45594 100644
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
++######################################
++## <summary>
++## Get the attributes of httpd unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`httpd_getattr_stream_socket',`
++ gen_require(`
++ type httpd_t;
++ ')
++
++ allow $1 httpd_t:unix_stream_socket { getattr ioctl };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 3136c6a..f6d4bab 100644
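Review bot: The new interface `httpd_getattr_stream_socket` in apache.if breaks the module's naming convention — every other apache.if interface visible on this page (`apache_admin`, `apache_domtrans`, `apache_signal`) is prefixed with the module name — and its summary "Get the attributes of httpd unix stream socket" does not mention the `ioctl` permission the rule also grants. Renaming it `apache_getattr_stream_socket` (and updating the call added to dirsrv-admin.te in this same commit) and either dropping `ioctl` or naming it in the summary would make the interface match what it does. The interface is complete within the hunk.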
@@ -23656,6 +23677,252 @@ index 0258b48..3bd47ee 100644
+list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+diff --git a/policy/modules/services/collectd.fc b/policy/modules/services/collectd.fc
+new file mode 100644
+index 0000000..9d06a27
+--- /dev/null
++++ b/policy/modules/services/collectd.fc
+@@ -0,0 +1,11 @@
++
++/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
++
++/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
++
++/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
++
++/var/run/collectd\.pid gen_context(system_u:object_r:collectd_var_run_t,s0)
++
++/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
++
+diff --git a/policy/modules/services/collectd.if b/policy/modules/services/collectd.if
+new file mode 100644
+index 0000000..ed13d1e
+--- /dev/null
++++ b/policy/modules/services/collectd.if
+@@ -0,0 +1,157 @@
++
++## <summary>policy for collectd</summary>
++
++
++########################################
++## <summary>
++## Transition to collectd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`collectd_domtrans',`
++ gen_require(`
++ type collectd_t, collectd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, collectd_exec_t, collectd_t)
++')
++
++
++########################################
++## <summary>
++## Execute collectd server in the collectd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`collectd_initrc_domtrans',`
++ gen_require(`
++ type collectd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++## Search collectd lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`collectd_search_lib',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ allow $1 collectd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read collectd lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`collectd_read_lib_files',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage collectd lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`collectd_manage_lib_files',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage collectd lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`collectd_manage_lib_dirs',`
++ gen_require(`
++ type collectd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an collectd environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`collectd_admin',`
++ gen_require(`
++ type collectd_t;
++ type collectd_initrc_exec_t;
++ type collectd_var_lib_t;
++ ')
++
++ allow $1 collectd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, collectd_t)
++
++ collectd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 collectd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, collectd_var_lib_t)
++
++')
++
+diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
+new file mode 100644
+index 0000000..2dfd363
+--- /dev/null
++++ b/policy/modules/services/collectd.te
+@@ -0,0 +1,60 @@
++policy_module(collectd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type collectd_t;
++type collectd_exec_t;
++init_daemon_domain(collectd_t, collectd_exec_t)
++
++permissive collectd_t;
++
++type collectd_initrc_exec_t;
++init_script_file(collectd_initrc_exec_t)
++
++type collectd_var_lib_t;
++files_type(collectd_var_lib_t)
++
++type collectd_var_run_t;
++files_pid_file(collectd_var_run_t)
++
++########################################
++#
++# collectd local policy
++#
++allow collectd_t self:process { fork };
++
++allow collectd_t self:fifo_file rw_fifo_file_perms;
++allow collectd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
++manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
++files_var_lib_filetrans(collectd_t, collectd_var_lib_t, { dir file })
++
++manage_dirs_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
++manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
++files_pid_filetrans(collectd_t, collectd_var_run_t, { dir file })
++
++domain_use_interactive_fds(collectd_t)
++
++kernel_read_network_state(collectd_t)
++kernel_read_system_state(collectd_t)
++
++files_read_etc_files(collectd_t)
++files_read_usr_files(collectd_t)
++
++miscfiles_read_localization(collectd_t)
++
++logging_send_syslog_msg(collectd_t)
++
++sysnet_dns_name_resolve(collectd_t)
++
++optional_policy(`
++ apache_content_template(collectd)
++ permissive httpd_collectd_script_t;
++
++ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++')
++
diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
new file mode 100644
index 0000000..0a83e88
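Review bot: `collectd_admin` in the new collectd.if leaves the PID file type out of the administrative rules: its gen_require lists `collectd_var_lib_t` but not `collectd_var_run_t`, so an admin role can manage /var/lib/collectd but not /var/run/collectd.pid. The usual shape for this interface (compare `apache_admin`, which covers `httpd_var_run_t` with `files_pid_filetrans`) is to add `type collectd_var_run_t;` to the gen_require block plus `files_search_pids($1)` and `admin_pattern($1, collectd_var_run_t)` before the closing `')`. Note also that collectd.te declares both `collectd_t` and `httpd_collectd_script_t` permissive, so denials for these domains are logged but not enforced; the rule set above should be re-checked when those two lines are removed. Minor doc nits: the `collectd_initrc_domtrans` summary "Execute collectd server in the collectd domain" describes a plain domtrans rather than the init-script transition the body performs, and "an collectd environment" should read "a collectd environment".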
@@ -26432,10 +26699,10 @@ index d4424ad..2e09383 100644
')
diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
new file mode 100644
-index 0000000..2ce40a0
+index 0000000..00a91b0
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,13 @@
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
@@ -26447,12 +26714,14 @@ index 0000000..2ce40a0
+/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
+
++/usr/lib64/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
++/usr/lib64/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if
new file mode 100644
-index 0000000..60c81d6
+index 0000000..a951202
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.if
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,134 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
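Review bot: The two new entries for `ds_create` and `ds_remove` match only the `/usr/lib64/dirsrv/cgi-bin` path, as do the surrounding dirsrv-admin.fc lines, so on a 32-bit library layout these CGIs would not receive `dirsrvadmin_unconfined_script_exec_t`. The mozilla hunk earlier in this patch handles the same situation with the `/usr/lib(64)?/` form; `/usr/lib(64)?/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)` (and likewise for ds_remove) would cover both. Whether a 32-bit install of the admin server matters for this target is for the maintainer to confirm.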
@@ -26530,6 +26799,24 @@ index 0000000..60c81d6
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
++#######################################
++## <summary>
++## Read dirsrv-adminserver tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_read_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
++
++ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++')
++
+########################################
+## <summary>
+## Manage dirsrv-adminserver tmp files.
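Review bot: `dirsrvadmin_read_tmp` grants `read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)` without giving the caller search access to the parent /tmp directory, so a domain that does not already have it cannot reach the files this interface is meant to expose; the sibling read interface added in this commit, `collectd_read_lib_files`, pairs its pattern with `files_search_var_lib($1)` and shows the expected form. Adding `files_search_tmp($1)` before the pattern call would close that gap. The interface is complete within the hunk.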
@@ -26548,12 +26835,33 @@ index 0000000..60c81d6
+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
++
++#######################################
++## <summary>
++## Execute admin cgi programs in caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_domtrans_unconfined_script_t',`
++ gen_require(`
++ type dirsrvadmin_unconfined_script_t;
++ type dirsrvadmin_unconfined_script_exec_t;
++ ')
++
++ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
++ allow httpd_t dirsrvadmin_unconfined_script_t:process signal_perms;
++
++')
diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
new file mode 100644
-index 0000000..5214120
+index 0000000..583bdbe
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,133 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
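Review bot: `dirsrvadmin_domtrans_unconfined_script_t` hard-codes `httpd_t` in `allow httpd_t dirsrvadmin_unconfined_script_t:process signal_perms;` — a type that is neither the `$1` parameter nor listed in the interface's gen_require — so the interface only builds when expanded inside a module that already has httpd_t in scope, and it grants the signal permission to httpd no matter which domain calls it. Either write `allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;` or move the rule into dirsrv-admin.te next to the other apache-related rules. The name also carries a `_t` suffix that no other interface on this page uses (`dirsrvadmin_read_tmp`, `postfix_domtrans_master`), and the summary "Execute admin cgi programs in caller domain" describes an exec-in-caller interface rather than the domain transition the body performs; `dirsrvadmin_domtrans_unconfined_script` with the summary `## Execute the admin CGIs in the dirsrvadmin unconfined script domain.` would match. The interface is complete within the hunk.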
@@ -26572,13 +26880,19 @@ index 0000000..5214120
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
++type dirsrvadmin_unconfined_script_t;
++type dirsrvadmin_unconfined_script_exec_t;
++domain_type(dirsrvadmin_unconfined_script_t)
++domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
++corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
++role system_r types dirsrvadmin_unconfined_script_t;
++
+########################################
+#
+# Local policy for the daemon
+#
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
-+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
-+allow dirsrvadmin_t self:process setrlimit;
++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
@@ -26593,8 +26907,6 @@ index 0000000..5214120
+
+files_exec_etc_files(dirsrvadmin_t)
+
-+libs_exec_ld_so(dirsrvadmin_t)
-+
+logging_search_logs(dirsrvadmin_t)
+
+miscfiles_read_localization(dirsrvadmin_t)
@@ -26602,10 +26914,8 @@ index 0000000..5214120
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
-+optional_policy(`
-+ apache_domtrans(dirsrvadmin_t)
-+ apache_signal(dirsrvadmin_t)
-+')
++apache_domtrans(dirsrvadmin_t)
++apache_signal(dirsrvadmin_t)
+
+########################################
+#
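Review bot: Moving `apache_domtrans(dirsrvadmin_t)` and `apache_signal(dirsrvadmin_t)` out of the `optional_policy` block turns the apache module into a hard build dependency of dirsrv-admin, while further down the same file the new `httpd_getattr_stream_socket` call is still wrapped in its own nested `optional_policy`, so the file is now inconsistent about whether apache may be absent. If the dependency is intended, a one-line comment above the two calls such as `# apache is a hard dependency of this module — <reason to be confirmed>` would record that; otherwise the `optional_policy` wrapper should stay. The surrounding rule run for dirsrvadmin_t continues outside the hunk on both sides.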
@@ -26628,8 +26938,7 @@ index 0000000..5214120
+
+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
-+ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
-+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++ corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
@@ -26654,6 +26963,37 @@ index 0000000..5214120
+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
+ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
+ dirsrv_read_share(httpd_dirsrvadmin_script_t)
++
++ optional_policy(`
++ httpd_getattr_stream_socket(httpd_dirsrvadmin_script_t)
++ ')
++')
++
++######################################
++#
++# Local policy for the admin CGIs
++#
++#
++
++manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
++
++# needed because of filetrans rules
++dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
++dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
++dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
++dirsrv_signal(dirsrvadmin_unconfined_script_t)
++dirsrv_signull(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
++dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
++dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
++dirsrv_read_share(dirsrvadmin_unconfined_script_t)
++
++optional_policy(`
++ unconfined_domain(dirsrvadmin_unconfined_script_t)
+')
diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
new file mode 100644
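Review bot: `unconfined_domain(dirsrvadmin_unconfined_script_t)` makes the `ds_create`/`ds_remove` CGIs — which are entered by domain transition through `dirsrvadmin_domtrans_unconfined_script_t` — fully unconfined, so from SELinux's point of view the only thing between a request that reaches these CGIs through the web server and an unconfined process is the admin server's own access control. That may well be the intended design, but the new block only says "Local policy for the admin CGIs"; it should say so explicitly, e.g. `# ds_create/ds_remove run unconfined (see unconfined_domain below); the transition into this domain is granted to httpd-facing code, so the admin server's own authentication is the effective boundary`, and note that the type-specific rules above the `optional_policy` are presumably kept so the domain still works when the unconfined module is not loaded — worth confirming. The comment header introducing the block also has a duplicated bare `#` line that should be dropped.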
@@ -27182,10 +27522,10 @@ index 9bd812b..c808b31 100644
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..bdbd777 100644
+index fdaeeba..06021d4 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
-@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
@@ -27196,7 +27536,11 @@ index fdaeeba..bdbd777 100644
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
-@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t)
++kernel_request_load_module(dnsmasq_t)
+
+ corenet_all_recvfrom_unlabeled(dnsmasq_t)
+ corenet_all_recvfrom_netlabel(dnsmasq_t)
+@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
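Review bot: `kernel_request_load_module(dnsmasq_t)` lets the daemon trigger kernel module auto-loading, a capability well beyond a DNS/DHCP server's usual footprint, and the hunk adds it with no comment saying which request motivated it. A one-line why-comment above it, such as `# module autoload request observed on <trigger — to be confirmed>`, would let a later reviewer judge whether the grant is still needed. The enclosing rule run for dnsmasq_t continues on both sides of the hunk.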
@@ -27205,7 +27549,7 @@ index fdaeeba..bdbd777 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +99,20 @@ optional_policy(`
+@@ -96,7 +100,20 @@ optional_policy(`
')
optional_policy(`
@@ -27226,7 +27570,7 @@ index fdaeeba..bdbd777 100644
')
optional_policy(`
-@@ -114,4 +130,5 @@ optional_policy(`
+@@ -114,4 +131,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
@@ -28144,6 +28488,21 @@ index 6537214..7d64c0a 100644
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
+diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
+index 3459d93..c39305a 100644
+--- a/policy/modules/services/fetchmail.te
++++ b/policy/modules/services/fetchmail.te
+@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+ userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+
+ optional_policy(`
++ kerberos_use(fetchmail_t)
++')
++
++optional_policy(`
+ procmail_domtrans(fetchmail_t)
+ ')
+
diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
new file mode 100644
index 0000000..ba9a7a9
@@ -31535,7 +31894,7 @@ index 49e04e5..69db026 100644
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..ae8af5b 100644
+index 6a78de1..fc04753 100644
--- a/policy/modules/services/lircd.te
+++ b/policy/modules/services/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -31547,7 +31906,16 @@ index 6a78de1..ae8af5b 100644
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
-@@ -44,13 +44,13 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -24,6 +24,8 @@ files_pid_file(lircd_var_run_t)
+ #
+
+ allow lircd_t self:capability { chown kill sys_admin };
++allow lircd_t self:process signal;
++
+ allow lircd_t self:fifo_file rw_fifo_file_perms;
+ allow lircd_t self:unix_dgram_socket create_socket_perms;
+ allow lircd_t self:tcp_socket create_stream_socket_perms;
+@@ -44,13 +46,14 @@ corenet_tcp_bind_lirc_port(lircd_t)
corenet_tcp_sendrecv_all_ports(lircd_t)
corenet_tcp_connect_lirc_port(lircd_t)
@@ -31557,6 +31925,7 @@ index 6a78de1..ae8af5b 100644
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
dev_rw_input_dev(lircd_t)
++dev_read_sysfs(lircd_t)
-files_read_etc_files(lircd_t)
+files_read_config_files(lircd_t)
@@ -37542,7 +37911,7 @@ index 152af92..1594066 100644
type portreserve_var_run_t;
files_pid_file(portreserve_var_run_t)
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
-index 55e62d2..f2674e8 100644
+index 55e62d2..c0e0959 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -1,5 +1,6 @@
@@ -37553,7 +37922,7 @@ index 55e62d2..f2674e8 100644
ifdef(`distro_redhat', `
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-@@ -29,12 +30,10 @@ ifdef(`distro_redhat', `
+@@ -29,7 +30,6 @@ ifdef(`distro_redhat', `
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
@@ -37561,12 +37930,7 @@ index 55e62d2..f2674e8 100644
')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
- /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
--/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
- /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
- /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
- /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -44,9 +43,10 @@ ifdef(`distro_redhat', `
+@@ -44,9 +44,11 @@ ifdef(`distro_redhat', `
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -37576,11 +37940,12 @@ index 55e62d2..f2674e8 100644
-/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
++/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..fc18bf2 100644
+index 46bee12..c22af86 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -37639,17 +38004,36 @@ index 46bee12..fc18bf2 100644
')
########################################
-@@ -290,7 +295,8 @@ interface(`postfix_read_master_state',`
+@@ -290,7 +295,27 @@ interface(`postfix_read_master_state',`
type postfix_master_t;
')
- read_files_pattern($1, postfix_master_t, postfix_master_t)
+ kernel_search_proc($1)
+ ps_process_pattern($1, postfix_master_t)
++')
++
++########################################
++## <summary>
++## Use postfix master process file
++## file descriptors.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_use_fds_master',`
++ gen_require(`
++ type postfix_master_t;
++ ')
++
++ allow $1 postfix_master_t:fd use;
')
########################################
-@@ -376,6 +382,25 @@ interface(`postfix_domtrans_master',`
+@@ -376,6 +401,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
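Review bot: The summary of the new `postfix_use_fds_master` interface reads "Use postfix master process file file descriptors." with the word "file" doubled; it should be `## Use postfix master process file descriptors.` The body `allow $1 postfix_master_t:fd use;` matches that corrected summary. The interface is complete within the hunk.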
@@ -37675,7 +38059,7 @@ index 46bee12..fc18bf2 100644
########################################
## <summary>
## Execute the master postfix program in the
-@@ -404,7 +429,6 @@ interface(`postfix_exec_master',`
+@@ -404,7 +448,6 @@ interface(`postfix_exec_master',`
## Domain allowed access.
## </summary>
## </param>
@@ -37683,7 +38067,7 @@ index 46bee12..fc18bf2 100644
#
interface(`postfix_stream_connect_master',`
gen_require(`
-@@ -416,6 +440,24 @@ interface(`postfix_stream_connect_master',`
+@@ -416,6 +459,24 @@ interface(`postfix_stream_connect_master',`
########################################
## <summary>
@@ -37708,7 +38092,7 @@ index 46bee12..fc18bf2 100644
## Execute the master postdrop in the
## postfix_postdrop domain.
## </summary>
-@@ -462,7 +504,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -462,7 +523,7 @@ interface(`postfix_domtrans_postqueue',`
## </summary>
## </param>
#
@@ -37717,7 +38101,7 @@ index 46bee12..fc18bf2 100644
gen_require(`
type postfix_postqueue_exec_t;
')
-@@ -529,6 +571,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +590,25 @@ interface(`postfix_domtrans_smtp',`
########################################
## <summary>
@@ -37743,7 +38127,7 @@ index 46bee12..fc18bf2 100644
## Search postfix mail spool directories.
## </summary>
## <param name="domain">
-@@ -539,10 +600,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +619,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -37756,7 +38140,7 @@ index 46bee12..fc18bf2 100644
files_search_spool($1)
')
-@@ -558,10 +619,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +638,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -37769,7 +38153,7 @@ index 46bee12..fc18bf2 100644
files_search_spool($1)
')
-@@ -577,11 +638,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +657,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -37783,7 +38167,7 @@ index 46bee12..fc18bf2 100644
')
########################################
-@@ -596,11 +657,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +676,11 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -37797,7 +38181,7 @@ index 46bee12..fc18bf2 100644
')
########################################
-@@ -621,3 +682,108 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -37900,17 +38284,17 @@ index 46bee12..fc18bf2 100644
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
-+
-+ ifdef(`hide_broken_symptoms', `
-+ dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };
-+ ')
-+
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..b4d7354 100644
+index 06e37d4..c28b1b3 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
-@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
+@@ -1,10 +1,18 @@
+-policy_module(postfix, 1.12.0)
++policy_module(postfix, 1.12.1)
+
+ ########################################
+ #
# Declarations
#
@@ -38018,16 +38402,18 @@ index 06e37d4..b4d7354 100644
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +184,8 @@ corecmd_exec_bin(postfix_master_t)
+@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
+files_search_var_lib(postfix_master_t)
+files_search_tmp(postfix_master_t)
++
++mcs_file_read_all(postfix_master_t)
term_dontaudit_search_ptys(postfix_master_t)
-@@ -220,13 +239,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,7 +241,7 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
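Review bot: `mcs_file_read_all(postfix_master_t)` is added without a comment explaining which files the master process must read across MCS categories, and the later postfix_pickup hunk in this same file goes further with both `mcs_file_read_all(postfix_pickup_t)` and `mcs_file_write_all(postfix_pickup_t)`; these are MCS constraint overrides, so each site deserves a why-comment, e.g. `# MCS override: <which queue files and why — to be confirmed>`. The write-all grant for pickup is the broader of the two and is the one most worth justifying. The enclosing postfix_master_t rule run starts outside the hunk.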
@@ -38036,17 +38422,18 @@ index 06e37d4..b4d7354 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
- manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
- files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+@@ -249,6 +270,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
-+manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-+allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
++allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
++allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
+
- manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
- manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
- manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -264,8 +287,8 @@ optional_policy(`
+ allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
+
+ corecmd_exec_bin(postfix_cleanup_t)
+@@ -264,8 +289,8 @@ optional_policy(`
# Postfix local local policy
#
@@ -38056,7 +38443,7 @@ index 06e37d4..b4d7354 100644
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +296,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +298,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -38065,7 +38452,7 @@ index 06e37d4..b4d7354 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +311,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +313,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -38084,7 +38471,7 @@ index 06e37d4..b4d7354 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -304,9 +334,22 @@ optional_policy(`
+@@ -304,9 +336,22 @@ optional_policy(`
')
optional_policy(`
@@ -38100,14 +38487,14 @@ index 06e37d4..b4d7354 100644
+')
+
+optional_policy(`
-+ zarafa_deliver_domtrans(postfix_local_t)
++ zarafa_domtrans_deliver(postfix_local_t)
+ zarafa_stream_connect_server(postfix_local_t)
+')
+
########################################
#
# Postfix map local policy
-@@ -372,6 +415,7 @@ optional_policy(`
+@@ -372,6 +417,7 @@ optional_policy(`
# Postfix pickup local policy
#
@@ -38115,18 +38502,25 @@ index 06e37d4..b4d7354 100644
allow postfix_pickup_t self:tcp_socket create_socket_perms;
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -381,6 +425,10 @@ rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-
- postfix_list_spool(postfix_pickup_t)
+@@ -379,19 +425,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+ rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+ rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
+
+ postfix_list_spool(postfix_pickup_t)
+
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-@@ -390,8 +438,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+
++mcs_file_read_all(postfix_pickup_t)
++mcs_file_write_all(postfix_pickup_t)
++
+ ########################################
+ #
# Postfix pipe local policy
#
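Review bot: The `mcs_file_read_all(postfix_pickup_t)` / `mcs_file_write_all(postfix_pickup_t)` pair at the end of this hunk exempts the pickup daemon from MCS category checks on every file it can otherwise touch, not only the maildrop queue; that is the usual way to let an s0 daemon consume maildrop files created at a user's own level, but the hunk should say so, e.g. `# maildrop entries carry the submitting user's MCS categories` above the two lines. The new `delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)` is a separate widening: postfix_spool_t covers the whole spool tree, so pickup gains unlink on every generic spool file rather than just maildrop entries; if this only papers over mislabeled maildrop files, fixing the label or filetrans is tighter. The pickup section continues outside the hunk.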
@@ -38136,7 +38530,7 @@ index 06e37d4..b4d7354 100644
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +449,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +454,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -38145,7 +38539,7 @@ index 06e37d4..b4d7354 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +470,7 @@ optional_policy(`
+@@ -420,6 +475,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -38153,7 +38547,7 @@ index 06e37d4..b4d7354 100644
')
optional_policy(`
-@@ -436,6 +487,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +492,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -38163,7 +38557,15 @@ index 06e37d4..b4d7354 100644
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
-@@ -507,6 +561,8 @@ optional_policy(`
+ manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
++mcs_file_read_all(postfix_postdrop_t)
++mcs_file_write_all(postfix_postdrop_t)
++
+ corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+ corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
+
+@@ -507,6 +569,8 @@ optional_policy(`
# Postfix qmgr local policy
#
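Review bot: The `mcs_file_read_all` / `mcs_file_write_all` pair added for postfix_postdrop_t is harder to justify than the same pair on pickup: postdrop is the setgid submission helper entered from user domains and creates its queue file at the caller's own level, so it should not need read or write on files at other categories. Unless a denial on postdrop itself was observed, drop these two lines and keep the override on the pickup daemon only; otherwise record the triggering access in a comment, because as written any user's postdrop instance can operate on every other user's maildrop entry regardless of categories. The postdrop section continues past the hunk.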
@@ -38172,7 +38574,7 @@ index 06e37d4..b4d7354 100644
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +575,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +583,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -38185,16 +38587,18 @@ index 06e37d4..b4d7354 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +599,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +607,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
-allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++
++mcs_file_read_all(postfix_showq_t)
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +648,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +658,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -38211,18 +38615,7 @@ index 06e37d4..b4d7354 100644
')
optional_policy(`
-@@ -599,6 +665,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ mysql_stream_connect(postfix_smtpd_t)
-+')
-+
-+optional_policy(`
- postgrey_stream_connect(postfix_smtpd_t)
- ')
-
-@@ -611,8 +681,8 @@ optional_policy(`
+@@ -611,8 +687,8 @@ optional_policy(`
# Postfix virtual local policy
#
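Review bot: This hunk drops the previously added `mysql_stream_connect(postfix_smtpd_t)` optional_policy block from the backport patch with nothing visible replacing it, so postfix_smtpd_t loses access to the MySQL unix socket and sites using mysql-backed lookup tables in smtpd will start seeing denials. If the rule was removed because it is already merged upstream or moved to another hunk, a changelog line stating that would avoid the question; if not, the `optional_policy(` block for mysql should be restored.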
@@ -38232,7 +38625,7 @@ index 06e37d4..b4d7354 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +700,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +706,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -43235,9 +43628,18 @@ index adea9f9..d5b2d93 100644
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..7cff55a 100644
+index 606a098..13ffcc1 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
+@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
+ # Local policy
+ #
+
+-allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
++allow fsdaemon_t self:capability { kill setpcap setgid sys_rawio sys_admin };
+ dontaudit fsdaemon_t self:capability sys_tty_config;
+ allow fsdaemon_t self:process { getcap setcap signal_perms };
+ allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
@@ -73,19 +73,26 @@ files_read_etc_runtime_files(fsdaemon_t)
files_read_usr_files(fsdaemon_t)
# for config
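Review bot: Adding `kill` to `allow fsdaemon_t self:capability { kill setpcap setgid sys_rawio sys_admin };` comes with no indication of which operation needed it; CAP_KILL only matters when smartd signals a process with a different uid, and the target domains remain bounded by TE rules, so the practical impact is small, but a reader cannot tell whether this is for a helper smartd spawns for notifications or something else. A one-line comment naming the triggering denial above the rule would help.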
@@ -47569,7 +47971,7 @@ index 6f1e3c7..ecfe665 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..33c8170 100644
+index 130ced9..dc521f4 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -47817,7 +48219,7 @@ index 130ced9..33c8170 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +509,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +509,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -47827,6 +48229,7 @@ index 130ced9..33c8170 100644
xserver_read_xdm_tmp_files($2)
+ xserver_read_xdm_pid($2)
++ xserver_xdm_append_log($2)
# X object manager
xserver_object_types_template($1)
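Review bot: `xserver_xdm_append_log($2)` added to xserver_user_x_domain_template gives every user's X client domain append access on the xdm log, which lets any logged-in user write arbitrary lines into a root-owned system log (log forgery or flooding). If this only satisfies a denial from session startup output redirected into that log, consider scoping it to the session-script domain instead, or at least note the reason, e.g. `# session startup output is redirected into the xdm log`. The template body continues outside the hunk.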
@@ -47845,7 +48248,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -517,6 +559,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +560,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -47853,7 +48256,7 @@ index 130ced9..33c8170 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +588,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +589,28 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -47882,7 +48285,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -598,6 +663,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +664,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -47890,7 +48293,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -615,7 +681,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +682,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -47899,7 +48302,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -651,7 +717,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +718,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -47908,7 +48311,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -670,7 +736,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +737,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -47917,7 +48320,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -688,7 +754,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +755,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -47926,7 +48329,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -703,12 +769,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +770,11 @@ interface(`xserver_rw_xdm_pipes',`
## </param>
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -47940,7 +48343,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -724,11 +789,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +790,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -47974,7 +48377,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -765,7 +850,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +851,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -47983,7 +48386,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -805,7 +890,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +891,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -48011,7 +48414,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -897,7 +1001,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1002,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -48020,7 +48423,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -916,7 +1020,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1021,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -48029,7 +48432,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -963,6 +1067,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1068,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -48075,7 +48478,7 @@ index 130ced9..33c8170 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1119,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1120,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -48084,7 +48487,7 @@ index 130ced9..33c8170 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1181,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1182,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@@ -48127,7 +48530,7 @@ index 130ced9..33c8170 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1231,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1232,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -48136,7 +48539,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -1070,8 +1249,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1250,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -48148,7 +48551,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -1185,6 +1366,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1367,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -48175,7 +48578,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -1210,7 +1411,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1412,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -48184,7 +48587,7 @@ index 130ced9..33c8170 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1421,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1422,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -48209,7 +48612,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -1243,10 +1454,392 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1455,392 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -49809,50 +50212,44 @@ index c26ecf5..ad41551 100644
optional_policy(`
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
new file mode 100644
-index 0000000..ac33ce2
+index 0000000..2ad2488
--- /dev/null
+++ b/policy/modules/services/zarafa.fc
-@@ -0,0 +1,33 @@
-+
+@@ -0,0 +1,27 @@
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
-+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
-+
-+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
-+
-+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
-+
-+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
++/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
++/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
++/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
++/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
++/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
++/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
+
-+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
++/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
+
-+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
-+
-+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
-+
-+/var/lib/zarafa.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-+
-+/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
-+/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
+/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
+/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
++/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
++/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+
-+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
++/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
-+/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
-+/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
-+/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
-+/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
-+/var/run/zarafa-indexer.* gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
++/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
++/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
++/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
++/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
++/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
new file mode 100644
-index 0000000..7ee5092
+index 0000000..3e448dd
--- /dev/null
+++ b/policy/modules/services/zarafa.if
-@@ -0,0 +1,141 @@
-+## <summary>policy for zarafa services</summary>
+@@ -0,0 +1,143 @@
++## <summary>Zarafa collaboration platform.</summary>
+
+######################################
+## <summary>
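Review bot: `/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)` replaces the old `/var/run/zarafa-indexer.*` pattern with a regular-file-only match, yet zarafa.te has `stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, ...)`, which implies the indexer exposes a unix socket at that path; a socket there would be skipped by restorecon. If it is a socket, use `-s` as done for `/var/run/zarafa` two lines above (the template's files_pid_filetrans still labels it at creation time, so only relabels are affected). Also note that `/var/lib/zarafa-webaccess(/.*)?` shares zarafa_var_lib_t with the server's data store, so whichever domain is given `zarafa_manage_var_lib` for the web front-end also gets full access to /var/lib/zarafa.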
@@ -49894,26 +50291,30 @@ index 0000000..7ee5092
+ manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
+ files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
+
-+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
-+ logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file })
++ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
++ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
++
++ auth_use_nsswitch(zarafa_$1_t)
+')
+
-+########################################
++######################################
+## <summary>
-+## Execute a domain transition to run zarafa_server.
++## Allow the specified domain to search
++## zarafa configuration dirs.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`zarafa_server_domtrans',`
++interface(`zarafa_search_config',`
+ gen_require(`
-+ type zarafa_server_t, zarafa_server_exec_t;
++ type zarafa_etc_t;
+ ')
+
-+ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
++ files_search_etc($1)
++ allow $1 zarafa_etc_t:dir search_dir_perms;
+')
+
+########################################
@@ -49926,7 +50327,7 @@ index 0000000..7ee5092
+## </summary>
+## </param>
+#
-+interface(`zarafa_deliver_domtrans',`
++interface(`zarafa_domtrans_deliver',`
+ gen_require(`
+ type zarafa_deliver_t, zarafa_deliver_exec_t;
+ ')
@@ -49934,46 +50335,44 @@ index 0000000..7ee5092
+ domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
+')
+
-+#######################################
++########################################
+## <summary>
-+## Connect to zarafa-server unix domain stream socket.
++## Execute a domain transition to run zarafa_server.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access.
++## Domain allowed to transition.
+## </summary>
+## </param>
+#
-+interface(`zarafa_stream_connect_server',`
++interface(`zarafa_domtrans_server',`
+ gen_require(`
-+ type zarafa_server_t, zarafa_server_var_run_t;
++ type zarafa_server_t, zarafa_server_exec_t;
+ ')
+
-+ files_search_var_lib($1)
-+ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
++ domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
+')
+
-+######################################
++#######################################
+## <summary>
-+## Allow the specified domain to search
-+## zarafa configuration dirs.
++## Connect to zarafa-server unix domain stream socket.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`zarafa_search_config',`
-+ gen_require(`
-+ type zarafa_etc_t;
-+ ')
++interface(`zarafa_stream_connect_server',`
++ gen_require(`
++ type zarafa_server_t, zarafa_server_var_run_t;
++ ')
+
-+ files_search_etc($1)
-+ allow $1 zarafa_etc_t:dir search_dir_perms;
++ files_search_var_lib($1)
++ stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
+')
+
-+#####################################
++####################################
+## <summary>
+## Allow the specified domain to manage
+## zarafa /var/lib files.
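Review bot: `zarafa_stream_connect_server` calls `files_search_var_lib($1)`, but the server socket is labeled under /var/run (zarafa.fc: `/var/run/zarafa -s ... zarafa_server_var_run_t`), so the interface grants search on the wrong parent directory and callers such as postfix_local_t only reach the socket if they already have search on var_run_t from elsewhere. Replace that line with `files_search_pids($1)`.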
@@ -49988,17 +50387,17 @@ index 0000000..7ee5092
+ gen_require(`
+ type zarafa_var_lib_t;
+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
-+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
-index 0000000..0b1d997
+index 0000000..a59cfc2
--- /dev/null
+++ b/policy/modules/services/zarafa.te
-@@ -0,0 +1,153 @@
+@@ -0,0 +1,209 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
@@ -50008,39 +50407,69 @@ index 0000000..0b1d997
+
+attribute zarafa_domain;
+
-+zarafa_domain_template(monitor)
-+zarafa_domain_template(indexer)
-+zarafa_domain_template(ical)
-+zarafa_domain_template(server)
-+zarafa_domain_template(spooler)
-+zarafa_domain_template(gateway)
+zarafa_domain_template(deliver)
+
+type zarafa_deliver_tmp_t;
+files_tmp_file(zarafa_deliver_tmp_t)
+
++type zarafa_etc_t;
++files_config_file(zarafa_etc_t)
++
++zarafa_domain_template(gateway)
++zarafa_domain_template(ical)
++zarafa_domain_template(indexer)
++
+type zarafa_indexer_tmp_t;
+files_tmp_file(zarafa_indexer_tmp_t)
+
++zarafa_domain_template(monitor)
++zarafa_domain_template(server)
++
+type zarafa_server_tmp_t;
+files_tmp_file(zarafa_server_tmp_t)
+
++type zarafa_share_t;
++files_type(zarafa_share_t)
++
++zarafa_domain_template(spooler)
++
+type zarafa_var_lib_t;
+files_tmp_file(zarafa_var_lib_t)
+
-+type zarafa_etc_t;
-+files_config_file(zarafa_etc_t)
++permissive zarafa_indexer_t;
+
-+type zarafa_share_t;
-+files_type(zarafa_share_t)
++########################################
++#
++# zarafa-deliver local policy
++#
+
-+permissive zarafa_indexer_t;
++manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
++manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
++files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+
-+#######################################
++########################################
++#
++# zarafa_gateway local policy
++#
++
++allow zarafa_gateway_t self:capability { chown kill };
++allow zarafa_gateway_t self:process setrlimit;
++
++corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
++corenet_all_recvfrom_netlabel(zarafa_gateway_t)
++corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
++corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
++corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
++corenet_tcp_bind_generic_node(zarafa_gateway_t)
++corenet_tcp_bind_pop_port(zarafa_gateway_t)
++
++######################################
+#
+# zarafa-indexer local policy
+#
+
++allow zarafa_indexer_t self:capability chown;
++
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
+files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
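Review bot: `files_tmp_file(zarafa_var_lib_t)`, carried over unchanged into this reorganized declarations block, declares the server's persistent /var/lib data as a temporary-file type, which gives it the tmpfile attribute; any domain allowed the tmp purge interfaces can then remove Zarafa's database and attachment store, and the type picks up every tmp-related interface. Use `files_type(zarafa_var_lib_t)`, as this hunk already does for zarafa_share_t. Separately, `permissive zarafa_indexer_t;` is reasonable for a first cut but should be tracked so it does not ship indefinitely.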
@@ -50048,15 +50477,27 @@ index 0000000..0b1d997
+manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+
-+########################################
++#######################################
+#
-+# zarafa-deliver local policy
++# zarafa-ical local policy
+#
+
-+manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
-+manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
-+files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
++allow zarafa_ical_t self:capability chown;
+
++corenet_all_recvfrom_unlabeled(zarafa_ical_t)
++corenet_all_recvfrom_netlabel(zarafa_ical_t)
++corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
++corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
++corenet_tcp_sendrecv_all_ports(zarafa_ical_t)
++corenet_tcp_bind_generic_node(zarafa_ical_t)
++corenet_tcp_bind_http_cache_port(zarafa_ical_t)
++
++######################################
++#
++# zarafa-monitor local policy
++#
++
++allow zarafa_monitor_t self:capability chown;
+
+########################################
+#
@@ -50072,9 +50513,16 @@ index 0000000..0b1d997
+
+manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
++files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
+
+stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+
++corenet_all_recvfrom_unlabeled(zarafa_server_t)
++corenet_all_recvfrom_netlabel(zarafa_server_t)
++corenet_tcp_sendrecv_generic_if(zarafa_server_t)
++corenet_tcp_sendrecv_generic_node(zarafa_server_t)
++corenet_tcp_sendrecv_all_ports(zarafa_server_t)
++corenet_tcp_bind_generic_node(zarafa_server_t)
+corenet_tcp_bind_zarafa_port(zarafa_server_t)
+
+files_read_usr_files(zarafa_server_t)
@@ -50085,11 +50533,11 @@ index 0000000..0b1d997
+sysnet_dns_name_resolve(zarafa_server_t)
+
+optional_policy(`
-+ mysql_stream_connect(zarafa_server_t)
++ kerberos_use(zarafa_server_t)
+')
+
+optional_policy(`
-+ kerberos_use(zarafa_server_t)
++ mysql_stream_connect(zarafa_server_t)
+')
+
+########################################
@@ -50101,8 +50549,15 @@ index 0000000..0b1d997
+
+can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
++corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
++corenet_all_recvfrom_netlabel(zarafa_spooler_t)
++corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
++corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
++corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
+corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+
++dev_read_rand(zarafa_spooler_t)
++
+########################################
+#
+# zarafa_gateway local policy
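Review bot: `dev_read_rand(zarafa_spooler_t)` grants /dev/random only; if this is for OpenSSL seeding (the spooler talks SMTP and presumably TLS), OpenSSL reads /dev/urandom, which is urandom_device_t and needs `dev_read_urand`, and a read of /dev/random can block the daemon when the entropy pool is low. Unless the observed denial was specifically on random_device_t, use `dev_read_urand(zarafa_spooler_t)`; the same consideration applies to the gateway rule added below.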
@@ -50111,6 +50566,8 @@ index 0000000..0b1d997
+allow zarafa_gateway_t self:capability { chown kill };
+allow zarafa_gateway_t self:process setrlimit;
+
++dev_read_rand(zarafa_gateway_t)
++
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
+#######################################
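Review bot: This hunk keeps a second `# zarafa_gateway local policy` section (`allow zarafa_gateway_t self:capability { chown kill };`, `setrlimit`, `corenet_tcp_bind_pop_port`) while the same commit inserts a fuller gateway section earlier in zarafa.te; duplicate allow rules compile, but two copies of the section will drift. Fold the new `dev_read_rand` line into the earlier section and delete this one.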
@@ -50149,8 +50606,6 @@ index 0000000..0b1d997
+
+files_read_etc_files(zarafa_domain)
+
-+auth_use_nsswitch(zarafa_domain)
-+
+miscfiles_read_localization(zarafa_domain)
diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
index 6b87605..347f754 100644
@@ -56986,7 +57441,7 @@ index ff80d0a..7f1a21c 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index df32316..773c572 100644
+index df32316..0f71f92 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1)
@@ -57155,7 +57610,7 @@ index df32316..773c572 100644
+')
+optional_policy(`
+ systemd_passwd_agent_domtrans(dhcpc_t)
-+ systemd_exec_systemctl(dhcpc_t)
++ systemd_signal_passwd_agent(dhcpc_t)
')
optional_policy(`
@@ -57264,10 +57719,10 @@ index 0000000..c7476cb
+
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..4dfe28c
+index 0000000..de940a5
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,263 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -57483,6 +57938,23 @@ index 0000000..4dfe28c
+ allow $2 systemd_passwd_agent_t:process signal;
+')
+
++########################################
++## <summary>
++## Send generic signals to systemd_passwd_agent processes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_signal_passwd_agent',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ ')
++
++ allow $1 systemd_passwd_agent_t:process signal;
++')
+
+######################################
+## <summary>
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 458b848..df9f83b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 36%{?dist}
+Release: 37%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Fri Aug 5 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-37
+- Fixes for zarafa, postfix policy
+- Backport collect policy
+
* Wed Jul 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-36
- Backport ABRT changes
- Make tmux working with scree policy