[selinux-policy/f15] - Make mozilla_plugin_tmpfs_t as userdom_user_tmpfs_content() - Allow init to delete all pid sockets
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jun 30 09:20:44 UTC 2011
commit e700f02abb72d7f7df107928e373fd0b36161778
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Jun 30 11:21:28 2011 +0200
- Make mozilla_plugin_tmpfs_t as userdom_user_tmpfs_content()
- Allow init to delete all pid sockets
- Allow colord to read /proc/stat
- Add label for /var/www/html/wordpress/wp-content/plugins directory
- Allow pppd to search /var/lock dir
- puppetmaster use nsswitch: #711804
- Update abrt to match rawhide policy
- allow privoxy to read network data
- support gecko mozilla browser plugin
- Allow chrome_sandbox to execute content in nfs homedir
- postfix_qmgr needs to read /var/spool/postfix/deferred
- abrt_t needs fsetid
policy-F15.patch | 836 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 16 +-
2 files changed, 637 insertions(+), 215 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 7f7af25..733b71f 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1377,7 +1377,7 @@ index c633aea..c489eec 100644
optional_policy(`
seutil_use_newrole_fds(gcc_config_t)
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..4e0088d 100644
+index af55369..158637d 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -18,6 +18,7 @@ type prelink_cron_system_t;
@@ -1427,16 +1427,18 @@ index af55369..4e0088d 100644
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
-@@ -99,6 +104,8 @@ libs_delete_lib_symlinks(prelink_t)
+@@ -99,6 +104,10 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
+userdom_manage_user_home_content(prelink_t)
+userdom_execmod_user_home_files(prelink_t)
++
++term_use_all_inherited_terms(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -109,6 +116,14 @@ optional_policy(`
+@@ -109,6 +118,14 @@ optional_policy(`
')
optional_policy(`
@@ -1451,7 +1453,7 @@ index af55369..4e0088d 100644
rpm_manage_tmp_files(prelink_t)
')
-@@ -129,6 +144,7 @@ optional_policy(`
+@@ -129,6 +146,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -1459,7 +1461,7 @@ index af55369..4e0088d 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +164,28 @@ optional_policy(`
+@@ -148,17 +166,28 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
@@ -3039,10 +3041,10 @@ index 0000000..e921f24
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..0852151
+index 0000000..ee4cf03
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,111 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -3141,13 +3143,17 @@ index 0000000..0852151
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(chrome_sandbox_t)
-+ fs_read_inherited_nfs_files(chrome_sandbox_t)
++ fs_exec_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_symlinks(chrome_sandbox_t)
++ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(chrome_sandbox_t)
-+ fs_read_inherited_cifs_files(chrome_sandbox_t)
++ fs_exec_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
@@ -5752,7 +5758,7 @@ index 93ac529..aafece7 100644
/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..19de023 100644
+index 9a6d67d..8668188 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -5889,14 +5895,32 @@ index 9a6d67d..19de023 100644
## Send and receive messages from
## mozilla over dbus.
## </summary>
-@@ -204,3 +301,39 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -204,3 +301,57 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
+
++######################################
++## <summary>
++## Read mozilla_plugin tmpfs files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`mozilla_plugin_read_tmpfs_files',`
++ gen_require(`
++ type mozilla_plugin_tmpfs_t;
++ ')
++
++ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
++')
++
+########################################
+## <summary>
-+## Delete mozilla_plugin tmpf files
++## Delete mozilla_plugin tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
@@ -5909,7 +5933,7 @@ index 9a6d67d..19de023 100644
+ type mozilla_plugin_tmpfs_t;
+ ')
+
-+ allow $1 mozilla_plugin_tmpfs_t:file unlink;
++ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+')
+
+########################################
@@ -5930,7 +5954,7 @@ index 9a6d67d..19de023 100644
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..1ddd82a 100644
+index 2a91fa8..f0ccd36 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -5950,7 +5974,7 @@ index 2a91fa8..1ddd82a 100644
userdom_user_home_content(mozilla_home_t)
type mozilla_tmpfs_t;
-@@ -33,6 +34,20 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
+@@ -33,6 +34,21 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_
files_tmpfs_file(mozilla_tmpfs_t)
ubac_constrained(mozilla_tmpfs_t)
@@ -5963,6 +5987,7 @@ index 2a91fa8..1ddd82a 100644
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
+
+type mozilla_plugin_tmpfs_t;
++userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
+files_tmpfs_file(mozilla_plugin_tmpfs_t)
+ubac_constrained(mozilla_plugin_tmpfs_t)
+
@@ -5971,7 +5996,7 @@ index 2a91fa8..1ddd82a 100644
########################################
#
# Local policy
-@@ -89,16 +104,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t)
+@@ -89,16 +105,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t)
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
@@ -5992,7 +6017,7 @@ index 2a91fa8..1ddd82a 100644
corenet_sendrecv_ftp_client_packets(mozilla_t)
corenet_sendrecv_ipp_client_packets(mozilla_t)
corenet_sendrecv_generic_client_packets(mozilla_t)
-@@ -238,6 +257,7 @@ optional_policy(`
+@@ -238,6 +258,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
@@ -6000,7 +6025,7 @@ index 2a91fa8..1ddd82a 100644
')
optional_policy(`
-@@ -258,6 +278,11 @@ optional_policy(`
+@@ -258,6 +279,11 @@ optional_policy(`
')
optional_policy(`
@@ -6012,7 +6037,7 @@ index 2a91fa8..1ddd82a 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,198 @@ optional_policy(`
+@@ -266,3 +292,214 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -6033,6 +6058,7 @@ index 2a91fa8..1ddd82a 100644
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
++allow mozilla_plugin_t self:unix_dgram_socket sendto;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
@@ -6041,8 +6067,9 @@ index 2a91fa8..1ddd82a 100644
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -6146,6 +6173,11 @@ index 2a91fa8..1ddd82a 100644
+')
+
+optional_policy(`
++ consolekit_dbus_chat(mozilla_plugin_t)
++')
++
++optional_policy(`
++ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
@@ -6185,6 +6217,7 @@ index 2a91fa8..1ddd82a 100644
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
++ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
@@ -6192,6 +6225,14 @@ index 2a91fa8..1ddd82a 100644
+')
+
+optional_policy(`
++ rtkit_scheduled(mozilla_plugin_t)
++')
++
++optional_policy(`
++ udev_read_db(mozilla_plugin_t)
++')
++
++optional_policy(`
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
@@ -7434,7 +7475,7 @@ index a2f6124..9d62060 100644
optional_policy(`
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index 2ba7787..9f12b51 100644
+index 2ba7787..18adcbd 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -17,7 +17,7 @@
@@ -7473,8 +7514,33 @@ index 2ba7787..9f12b51 100644
userdom_search_user_home_dirs($1)
')
+@@ -256,3 +262,24 @@ interface(`pulseaudio_manage_home_files',`
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ ')
++
++########################################
++## <summary>
++## Create, read, write, and delete pulseaudio
++## home directory symlinks.
++## </summary>
++## <param name="user_domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`pulseaudio_manage_home_symlinks',`
++ gen_require(`
++ type pulseaudio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++')
++
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..df078e0 100644
+index c2d20a2..2971797 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -7508,10 +7574,15 @@ index c2d20a2..df078e0 100644
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
-@@ -131,6 +131,10 @@ optional_policy(`
+@@ -131,6 +131,15 @@ optional_policy(`
')
optional_policy(`
++ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
++ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
++')
++
++optional_policy(`
+ mpd_read_tmpfs_files(pulseaudio_t)
+')
+
@@ -7519,7 +7590,7 @@ index c2d20a2..df078e0 100644
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -148,3 +152,7 @@ optional_policy(`
+@@ -148,3 +157,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -12369,7 +12440,7 @@ index 16108f6..a02d2cc 100644
+
+/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..5631fb1 100644
+index 958ca84..cbbfe21 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -13006,12 +13077,13 @@ index 958ca84..5631fb1 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4127,6 +4603,15 @@ interface(`files_purge_tmp',`
+@@ -4127,6 +4603,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
+ delete_chr_files_pattern($1, tmpfile, tmpfile)
+ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
+ files_delete_isid_type_dirs($1)
+ files_delete_isid_type_files($1)
+ files_delete_isid_type_symlinks($1)
@@ -13022,7 +13094,7 @@ index 958ca84..5631fb1 100644
')
########################################
-@@ -4736,6 +5221,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5222,24 @@ interface(`files_read_var_files',`
########################################
## <summary>
@@ -13047,7 +13119,7 @@ index 958ca84..5631fb1 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
-@@ -5071,6 +5574,25 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5575,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -13073,7 +13145,7 @@ index 958ca84..5631fb1 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5084,6 +5606,8 @@ interface(`files_search_locks',`
+@@ -5084,6 +5607,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -13082,7 +13154,7 @@ index 958ca84..5631fb1 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5103,11 +5627,50 @@ interface(`files_dontaudit_search_locks',`
+@@ -5103,11 +5628,50 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -13133,7 +13205,7 @@ index 958ca84..5631fb1 100644
## Add and remove entries in the /var/lock
## directories.
## </summary>
-@@ -5122,6 +5685,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5122,6 +5686,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -13141,7 +13213,7 @@ index 958ca84..5631fb1 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5140,7 +5704,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5140,7 +5705,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -13150,7 +13222,7 @@ index 958ca84..5631fb1 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5156,12 +5720,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5721,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -13167,7 +13239,7 @@ index 958ca84..5631fb1 100644
')
########################################
-@@ -5180,7 +5744,7 @@ interface(`files_manage_generic_locks',`
+@@ -5180,7 +5745,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -13176,7 +13248,7 @@ index 958ca84..5631fb1 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5207,6 +5771,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5772,27 @@ interface(`files_delete_all_locks',`
########################################
## <summary>
@@ -13204,7 +13276,7 @@ index 958ca84..5631fb1 100644
## Read all lock files.
## </summary>
## <param name="domain">
-@@ -5221,7 +5806,7 @@ interface(`files_read_all_locks',`
+@@ -5221,7 +5807,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -13213,7 +13285,7 @@ index 958ca84..5631fb1 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5243,7 +5828,7 @@ interface(`files_manage_all_locks',`
+@@ -5243,7 +5829,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -13222,7 +13294,7 @@ index 958ca84..5631fb1 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5275,7 +5860,7 @@ interface(`files_lock_filetrans',`
+@@ -5275,7 +5861,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -13231,7 +13303,7 @@ index 958ca84..5631fb1 100644
filetrans_pattern($1, var_lock_t, $2, $3)
')
-@@ -5332,9 +5917,47 @@ interface(`files_search_pids',`
+@@ -5332,9 +5918,47 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -13279,7 +13351,7 @@ index 958ca84..5631fb1 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5410,6 +6033,24 @@ interface(`files_write_generic_pid_pipes',`
+@@ -5410,6 +6034,24 @@ interface(`files_write_generic_pid_pipes',`
allow $1 var_run_t:fifo_file write;
')
@@ -13304,7 +13376,7 @@ index 958ca84..5631fb1 100644
########################################
## <summary>
## Create an object in the process ID directory, with a private type.
-@@ -5542,6 +6183,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6184,80 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -13334,7 +13406,7 @@ index 958ca84..5631fb1 100644
+## </summary>
+## </param>
+#
-+interface(`files_unlink_all_pid_sockets',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
@@ -13344,6 +13416,24 @@ index 958ca84..5631fb1 100644
+
+########################################
+## <summary>
++## Delete all pid named pipes
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_delete_all_pid_pipes',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
++')
++
++########################################
++## <summary>
+## manage all pidfile directories
+## in the /var/run directory.
+## </summary>
@@ -13367,7 +13457,7 @@ index 958ca84..5631fb1 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5559,6 +6256,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6275,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -13412,7 +13502,7 @@ index 958ca84..5631fb1 100644
')
########################################
-@@ -5844,3 +6579,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6598,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -15148,10 +15238,38 @@ index 3994e57..a1923fe 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..3440a84 100644
+index f3acfee..c5b2825 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
-@@ -274,7 +274,6 @@ interface(`term_dontaudit_read_console',`
+@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
+
+ ########################################
+ ## <summary>
++## Read and write the inherited console, all inherited
++## ttys and ptys.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`term_use_all_inherited_terms',`
++ gen_require(`
++ attribute ttynode, ptynode;
++ type console_device_t, devpts_t, tty_device_t;
++ ')
++
++ allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
++')
++
++########################################
++## <summary>
+ ## Write to the console.
+ ## </summary>
+ ## <param name="domain">
+@@ -274,7 +295,6 @@ interface(`term_dontaudit_read_console',`
## Domain allowed access.
## </summary>
## </param>
@@ -15159,7 +15277,7 @@ index f3acfee..3440a84 100644
#
interface(`term_use_console',`
gen_require(`
-@@ -299,9 +298,11 @@ interface(`term_use_console',`
+@@ -299,9 +319,11 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@@ -15172,7 +15290,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -341,7 +342,7 @@ interface(`term_relabel_console',`
+@@ -341,7 +363,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
@@ -15181,7 +15299,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -462,6 +463,24 @@ interface(`term_list_ptys',`
+@@ -462,6 +484,24 @@ interface(`term_list_ptys',`
########################################
## <summary>
@@ -15206,7 +15324,7 @@ index f3acfee..3440a84 100644
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
-@@ -658,6 +677,25 @@ interface(`term_use_controlling_term',`
+@@ -658,6 +698,25 @@ interface(`term_use_controlling_term',`
allow $1 devtty_t:chr_file { rw_term_perms lock append };
')
@@ -15232,7 +15350,7 @@ index f3acfee..3440a84 100644
########################################
## <summary>
## Do not audit attempts to get attributes
-@@ -855,7 +893,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -855,7 +914,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -15241,7 +15359,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -1123,7 +1161,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1123,7 +1182,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -15250,7 +15368,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -1222,7 +1260,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1222,7 +1281,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -15259,7 +15377,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -1238,11 +1276,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1238,11 +1297,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -15273,7 +15391,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -1259,10 +1299,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1259,10 +1320,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -15286,7 +15404,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -1301,7 +1343,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1301,7 +1364,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -15295,7 +15413,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -1359,7 +1401,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1359,7 +1422,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -15304,7 +15422,7 @@ index f3acfee..3440a84 100644
')
########################################
-@@ -1475,3 +1517,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1538,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -17558,10 +17676,21 @@ index e88b95f..69ade9e 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..3b3ba64 100644
+index 1bd5812..7112560 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
-@@ -15,6 +15,7 @@
+@@ -3,8 +3,9 @@
+
+ /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ /usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+ /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
+@@ -15,6 +16,21 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -17569,8 +17698,22 @@ index 1bd5812..3b3ba64 100644
/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++
++# ABRT retrace server
++/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
++
++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++
++# cjp: new version
++/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++
++
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..9a82e8d 100644
+index 0b827c5..7382308 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -17664,7 +17807,7 @@ index 0b827c5..9a82e8d 100644
#####################################
## <summary>
## All of the rules required to administrate
-@@ -286,18 +345,18 @@ interface(`abrt_admin',`
+@@ -286,18 +345,98 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
@@ -17688,8 +17831,88 @@ index 0b827c5..9a82e8d 100644
+ files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
')
++
++####################################
++## <summary>
++## Execute abrt-retrace in the abrt-retrace domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`abrt_domtrans_retrace_worker',`
++ gen_require(`
++ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
++')
++
++######################################
++## <summary>
++## Manage abrt retrace server cache
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_manage_spool_retrace',`
++ gen_require(`
++ type abrt_retrace_spool_t;
++ ')
++
++ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++')
++
++#####################################
++## <summary>
++## Read abrt retrace server cache
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_read_spool_retrace',`
++ gen_require(`
++ type abrt_retrace_spool_t;
++ ')
++
++ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++')
++
++
++#####################################
++## <summary>
++## Read abrt retrace server cache
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_read_cache_retrace',`
++ gen_require(`
++ type abrt_retrace_cache_t;
++ ')
++
++ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
++')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..de61315 100644
+index 30861ec..28604d3 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -17707,19 +17930,47 @@ index 30861ec..de61315 100644
type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -48,9 +56,9 @@ ifdef(`enable_mcs',`
+@@ -43,14 +51,37 @@ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+ ')
+
++#
++# Support for ABRT retrace server
++#
++
++type abrt_retrace_worker_t;
++type abrt_retrace_worker_exec_t;
++application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
++role system_r types abrt_retrace_worker_t;
++
++type abrt_retrace_coredump_t;
++type abrt_retrace_coredump_exec_t;
++application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
++role system_r types abrt_retrace_coredump_t;
++
++permissive abrt_retrace_worker_exec_t;
++permissive abrt_retrace_coredump_t;
++
++type abrt_retrace_cache_t;
++files_type(abrt_retrace_cache_t)
++
++type abrt_retrace_spool_t;
++files_type(abrt_retrace_spool_t)
++
+ ########################################
+ #
# abrt local policy
#
-allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
-+allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override };
++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
dontaudit abrt_t self:capability sys_rawio;
-allow abrt_t self:process { signal signull setsched getsched };
+allow abrt_t self:process { sigkill signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +67,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
@@ -17727,7 +17978,7 @@ index 30861ec..de61315 100644
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -69,6 +78,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -17735,7 +17986,7 @@ index 30861ec..de61315 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +92,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -17744,7 +17995,15 @@ index 30861ec..de61315 100644
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
-@@ -113,7 +123,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+ corenet_sendrecv_http_client_packets(abrt_t)
+
+ dev_getattr_all_chr_files(abrt_t)
++dev_read_rand(abrt_t)
+ dev_read_urand(abrt_t)
+ dev_rw_sysfs(abrt_t)
+ dev_dontaudit_read_raw_memory(abrt_t)
+@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -17754,7 +18013,7 @@ index 30861ec..de61315 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +132,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -17763,7 +18022,7 @@ index 30861ec..de61315 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,7 +144,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -17772,7 +18031,7 @@ index 30861ec..de61315 100644
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-@@ -140,6 +153,15 @@ miscfiles_read_generic_certs(abrt_t)
+@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -17783,12 +18042,13 @@ index 30861ec..de61315 100644
+')
+
+optional_policy(`
++ apache_list_modules(abrt_t)
+ apache_read_modules(abrt_t)
+')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +172,11 @@ optional_policy(`
+@@ -150,6 +197,11 @@ optional_policy(`
')
optional_policy(`
@@ -17800,7 +18060,7 @@ index 30861ec..de61315 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -167,6 +194,7 @@ optional_policy(`
+@@ -167,6 +219,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -17808,7 +18068,7 @@ index 30861ec..de61315 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +206,18 @@ optional_policy(`
+@@ -178,12 +231,18 @@ optional_policy(`
')
optional_policy(`
@@ -17828,7 +18088,7 @@ index 30861ec..de61315 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +237,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -203,6 +262,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
@@ -17836,7 +18096,7 @@ index 30861ec..de61315 100644
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +251,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +276,8 @@ miscfiles_read_localization(abrt_helper_t)
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
@@ -17846,7 +18106,7 @@ index 30861ec..de61315 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +260,18 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +285,100 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -17864,6 +18124,88 @@ index 30861ec..de61315 100644
+ allow abrt_t self:capability sys_resource;
+ allow abrt_t domain:file write;
+ allow abrt_t domain:process setrlimit;
++')
++
++#######################################
++#
++# abrt retrace coredump policy
++#
++
++allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
++
++list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
++read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
++read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
++
++list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++
++kernel_read_system_state(abrt_retrace_coredump_t)
++
++corecmd_exec_bin(abrt_retrace_coredump_t)
++corecmd_exec_shell(abrt_retrace_coredump_t)
++
++dev_read_urand(abrt_retrace_coredump_t)
++
++files_read_etc_files(abrt_retrace_coredump_t)
++files_read_usr_files(abrt_retrace_coredump_t)
++
++logging_send_syslog_msg(abrt_retrace_coredump_t)
++
++miscfiles_read_localization(abrt_retrace_coredump_t)
++
++sysnet_dns_name_resolve(abrt_retrace_coredump_t)
++
++# to install debuginfo packages
++optional_policy(`
++ rpm_exec(abrt_retrace_coredump_t)
++ rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
++ rpm_manage_cache(abrt_retrace_coredump_t)
++ rpm_manage_log(abrt_retrace_coredump_t)
++ rpm_manage_pid_files(abrt_retrace_coredump_t)
++ rpm_read_db(abrt_retrace_coredump_t)
++ rpm_signull(abrt_retrace_coredump_t)
++')
++
++#######################################
++#
++# abrt retrace worker policy
++#
++
++allow abrt_retrace_worker_t self:capability { setuid };
++
++allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
++
++domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
++allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
++
++manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
++
++allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
++
++can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
++
++kernel_read_system_state(abrt_retrace_worker_t)
++
++corecmd_exec_bin(abrt_retrace_worker_t)
++corecmd_exec_shell(abrt_retrace_worker_t)
++
++dev_read_urand(abrt_retrace_worker_t)
++
++files_read_etc_files(abrt_retrace_worker_t)
++files_read_usr_files(abrt_retrace_worker_t)
++
++logging_send_syslog_msg(abrt_retrace_worker_t)
++
++miscfiles_read_localization(abrt_retrace_worker_t)
++
++sysnet_dns_name_resolve(abrt_retrace_worker_t)
++
++optional_policy(`
++ mock_domtrans(abrt_retrace_worker_t)
')
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
index c0f858d..d639ae0 100644
@@ -18532,7 +18874,7 @@ index c3a1903..19fb14a 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..7ba3b11 100644
+index 9e39aa5..0119d45 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@@ -18564,7 +18906,15 @@ index 9e39aa5..7ba3b11 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,7 +74,8 @@ ifdef(`distro_suse', `
+@@ -57,6 +57,7 @@ ifdef(`distro_suse', `
+ /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+ /usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/wordpress/wp-content/plugins(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+ /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+@@ -74,7 +75,8 @@ ifdef(`distro_suse', `
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -18574,15 +18924,16 @@ index 9e39aa5..7ba3b11 100644
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -86,7 +87,6 @@ ifdef(`distro_suse', `
+@@ -86,7 +88,7 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +109,22 @@ ifdef(`distro_debian', `
+@@ -109,3 +111,22 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -20608,10 +20959,10 @@ index 44a1e3d..7e9d2fb 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..a2bf2dc 100644
+index 4deca04..074b9bb 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
-@@ -6,10 +6,17 @@ policy_module(bind, 1.11.0)
+@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
#
## <desc>
@@ -20633,7 +20984,14 @@ index 4deca04..a2bf2dc 100644
## </desc>
gen_tunable(named_write_master_zones, false)
-@@ -27,7 +34,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
+ # for DNSSEC key files
+ type dnssec_t;
+ files_security_file(dnssec_t)
++files_mountpoint(dnssec_t)
+
+ type named_t;
+ type named_exec_t;
+@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
# A type for configuration files of named.
type named_conf_t;
@@ -20642,7 +21000,7 @@ index 4deca04..a2bf2dc 100644
files_mountpoint(named_conf_t)
# for secondary zone files
-@@ -89,9 +96,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -89,9 +97,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -20654,7 +21012,7 @@ index 4deca04..a2bf2dc 100644
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
-@@ -147,6 +155,10 @@ miscfiles_read_generic_certs(named_t)
+@@ -147,6 +156,10 @@ miscfiles_read_generic_certs(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
@@ -20665,7 +21023,7 @@ index 4deca04..a2bf2dc 100644
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -201,12 +213,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
+@@ -201,12 +214,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file read_file_perms;
@@ -20680,7 +21038,7 @@ index 4deca04..a2bf2dc 100644
allow ndc_t named_zone_t:dir search_dir_perms;
-@@ -244,7 +256,7 @@ term_dontaudit_use_console(ndc_t)
+@@ -244,7 +257,7 @@ term_dontaudit_use_console(ndc_t)
# for /etc/rndc.key
ifdef(`distro_redhat',`
@@ -23216,7 +23574,7 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..67db20a
+index 0000000..22f0ffd
--- /dev/null
+++ b/policy/modules/services/colord.te
@@ -0,0 +1,120 @@
@@ -23266,7 +23624,7 @@ index 0000000..67db20a
+manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
-+kernel_getattr_proc_files(colord_t)
++kernel_read_system_state(colord_t)
+kernel_read_device_sysctls(colord_t)
+kernel_request_load_module(colord_t)
+
@@ -27148,12 +27506,11 @@ index 0000000..63f11d9
+
diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
new file mode 100644
-index 0000000..1453c54
+index 0000000..3bca7b0
--- /dev/null
+++ b/policy/modules/services/drbd.te
-@@ -0,0 +1,55 @@
-+
-+policy_module(drbd,1.0.0)
+@@ -0,0 +1,50 @@
++policy_module(drbd, 1.0.0)
+
+########################################
+#
@@ -27175,11 +27532,8 @@ index 0000000..1453c54
+# drbd local policy
+#
+
-+allow drbd_t self:capability net_admin;
-+
-+allow drbd_t self:capability { kill };
-+allow drbd_t self:process { fork };
-+
++allow drbd_t self:capability { kill net_admin };
++dontaudit drbd_t self:capability sys_tty_config;
+allow drbd_t self:fifo_file rw_fifo_file_perms;
+allow drbd_t self:unix_stream_socket create_stream_socket_perms;
+allow drbd_t self:netlink_socket create_socket_perms;
@@ -27206,7 +27560,6 @@ index 0000000..1453c54
+miscfiles_read_localization(drbd_t)
+
+sysnet_dns_name_resolve(drbd_t)
-+
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
index 298f066..c2570df 100644
--- a/policy/modules/services/exim.fc
@@ -36723,7 +37076,7 @@ index 152af92..1594066 100644
type portreserve_var_run_t;
files_pid_file(portreserve_var_run_t)
diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
-index 55e62d2..6082184 100644
+index 55e62d2..f2674e8 100644
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -1,5 +1,6 @@
@@ -36747,7 +37100,7 @@ index 55e62d2..6082184 100644
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -44,9 +43,9 @@ ifdef(`distro_redhat', `
+@@ -44,9 +43,10 @@ ifdef(`distro_redhat', `
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -36756,11 +37109,12 @@ index 55e62d2..6082184 100644
-/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
++/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..b90c902 100644
+index 46bee12..83cb270 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -36796,7 +37150,7 @@ index 46bee12..b90c902 100644
files_tmp_file(postfix_$1_tmp_t)
- allow postfix_$1_t self:capability { setuid setgid dac_override };
-+ allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override };
++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
@@ -37082,7 +37436,7 @@ index 46bee12..b90c902 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..fedaa96 100644
+index 06e37d4..e160aa1 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -37326,16 +37680,20 @@ index 06e37d4..fedaa96 100644
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +567,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +567,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
++
++allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms;
++allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms;
++allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +587,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +591,7 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -37344,7 +37702,7 @@ index 06e37d4..fedaa96 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +636,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +640,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -37361,7 +37719,7 @@ index 06e37d4..fedaa96 100644
')
optional_policy(`
-@@ -611,8 +665,8 @@ optional_policy(`
+@@ -611,8 +669,8 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -37371,7 +37729,7 @@ index 06e37d4..fedaa96 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +684,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +688,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -37749,7 +38107,7 @@ index b524673..9d90fb3 100644
admin_pattern($1, pptp_var_run_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..802ec48 100644
+index 2af42e7..95f673b 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -37787,7 +38145,7 @@ index 2af42e7..802ec48 100644
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -84,28 +84,28 @@ allow pppd_t self:packet_socket create_socket_perms;
+@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms;
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
@@ -37806,6 +38164,7 @@ index 2af42e7..802ec48 100644
-allow pppd_t pppd_lock_t:file manage_file_perms;
-files_lock_filetrans(pppd_t, pppd_lock_t, file)
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
++files_search_locks(pppd_t)
-allow pppd_t pppd_log_t:file manage_file_perms;
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
@@ -37822,7 +38181,7 @@ index 2af42e7..802ec48 100644
allow pppd_t pptp_t:process signal;
-@@ -166,6 +166,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
@@ -37831,7 +38190,7 @@ index 2af42e7..802ec48 100644
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-@@ -194,6 +196,8 @@ optional_policy(`
+@@ -194,6 +197,8 @@ optional_policy(`
optional_policy(`
mta_send_mail(pppd_t)
@@ -37840,7 +38199,7 @@ index 2af42e7..802ec48 100644
')
optional_policy(`
-@@ -243,9 +247,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -37979,7 +38338,7 @@ index b1bc02c..8f0b07e 100644
dev_read_rand(prelude_lml_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
-index 2dbf4d4..abb4475 100644
+index 2dbf4d4..b46ef7d 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0)
@@ -37997,6 +38356,17 @@ index 2dbf4d4..abb4475 100644
## </desc>
gen_tunable(privoxy_connect_any, false)
+@@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file)
+ manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
+ files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+
+-kernel_read_system_state(privoxy_t)
+ kernel_read_kernel_sysctls(privoxy_t)
++kernel_read_network_state(privoxy_t)
++kernel_read_system_state(privoxy_t)
+
+ corenet_all_recvfrom_unlabeled(privoxy_t)
+ corenet_all_recvfrom_netlabel(privoxy_t)
diff --git a/policy/modules/services/procmail.fc b/policy/modules/services/procmail.fc
index 1343621..4b36a13 100644
--- a/policy/modules/services/procmail.fc
@@ -38306,7 +38676,7 @@ index 2855a44..0456b11 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..eff13cc 100644
+index 64c5f95..3fdd4b4 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -38350,7 +38720,12 @@ index 64c5f95..eff13cc 100644
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -176,24 +183,30 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
+@@ -171,29 +178,34 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+ allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+ allow puppetmaster_t self:socket create;
+ allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
+-allow puppetmaster_t self:udp_socket create_socket_perms;
+
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
@@ -38383,18 +38758,20 @@ index 64c5f95..eff13cc 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -210,17 +223,38 @@ dev_read_rand(puppetmaster_t)
+@@ -210,17 +222,37 @@ dev_read_rand(puppetmaster_t)
dev_read_urand(puppetmaster_t)
domain_read_all_domains_state(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
- files_read_etc_files(puppetmaster_t)
+-files_read_etc_files(puppetmaster_t)
+-files_search_var_lib(puppetmaster_t)
+files_read_usr_files(puppetmaster_t)
- files_search_var_lib(puppetmaster_t)
-
++
+selinux_validate_context(puppetmaster_t)
+
++auth_use_nsswitch(puppetmaster_t)
+
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_localization(puppetmaster_t)
@@ -38402,7 +38779,7 @@ index 64c5f95..eff13cc 100644
+
+seutil_read_file_contexts(puppetmaster_t)
- sysnet_dns_name_resolve(puppetmaster_t)
+-sysnet_dns_name_resolve(puppetmaster_t)
sysnet_run_ifconfig(puppetmaster_t, system_r)
+mta_send_mail(puppetmaster_t)
@@ -38422,7 +38799,7 @@ index 64c5f95..eff13cc 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +265,9 @@ optional_policy(`
+@@ -231,3 +263,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -49496,7 +49873,7 @@ index 2952cef..d845132 100644
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..7910be0 100644
+index 42b4f0f..0e6f84a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -49796,10 +50173,21 @@ index 42b4f0f..7910be0 100644
## Manage var auth files. Used by various other applications
## and pam applets etc.
## </summary>
-@@ -896,6 +1070,26 @@ interface(`auth_manage_var_auth',`
+@@ -889,9 +1063,30 @@ interface(`auth_manage_var_auth',`
+ ')
- ########################################
- ## <summary>
+ files_search_var($1)
+- allow $1 var_auth_t:dir manage_dir_perms;
+- allow $1 var_auth_t:file rw_file_perms;
+- allow $1 var_auth_t:lnk_file rw_lnk_file_perms;
++
++ manage_dirs_pattern($1, var_auth_t, var_auth_t)
++ manage_files_pattern($1, var_auth_t, var_auth_t)
++ manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
++')
++
++########################################
++## <summary>
+## Relabel all var auth files. Used by various other applications
+## and pam applets etc.
+## </summary>
@@ -49816,14 +50204,10 @@ index 42b4f0f..7910be0 100644
+
+ files_search_var($1)
+ relabel_dirs_pattern($1, var_auth_t, var_auth_t)
-+')
-+
-+########################################
-+## <summary>
- ## Read PAM PID files.
- ## </summary>
- ## <param name="domain">
-@@ -1093,6 +1287,24 @@ interface(`auth_delete_pam_console_data',`
+ ')
+
+ ########################################
+@@ -1093,6 +1288,24 @@ interface(`auth_delete_pam_console_data',`
########################################
## <summary>
@@ -49848,7 +50232,7 @@ index 42b4f0f..7910be0 100644
## Read all directories on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
-@@ -1326,6 +1538,25 @@ interface(`auth_setattr_login_records',`
+@@ -1326,6 +1539,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -49874,7 +50258,7 @@ index 42b4f0f..7910be0 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1500,28 +1731,36 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1732,36 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -49918,7 +50302,7 @@ index 42b4f0f..7910be0 100644
optional_policy(`
kerberos_use($1)
')
-@@ -1531,7 +1770,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1771,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
@@ -50424,7 +50808,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..569ce8d 100644
+index cc83689..e33701e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -51042,7 +51426,7 @@ index cc83689..569ce8d 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2095,139 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2095,156 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -51182,8 +51566,25 @@ index cc83689..569ce8d 100644
+
+')
+
++########################################
++## <summary>
++## Read init unnamed pipes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_read_pipes',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
++ read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
++')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..51b8e22 100644
+index ea29513..7cb9e99 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -51393,7 +51794,7 @@ index ea29513..51b8e22 100644
+ files_manage_all_pid_dirs(init_t)
+ files_relabel_all_pid_dirs(init_t)
+ files_relabel_all_pid_files(init_t)
-+ files_unlink_all_pid_sockets(init_t)
++ files_delete_all_pid_sockets(init_t)
+ files_manage_urandom_seed(init_t)
+ files_list_locks(init_t)
+ files_create_lock_dirs(init_t)
@@ -56577,10 +56978,10 @@ index 0000000..4dfe28c
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..bdca6ab
+index 0000000..e7b669f
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,196 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -56649,8 +57050,9 @@ index 0000000..bdca6ab
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
-+init_read_utmp(systemd_passwd_agent_t)
+init_create_pid_dirs(systemd_passwd_agent_t)
++init_read_pipes(systemd_passwd_agent_t)
++init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
@@ -56690,7 +57092,8 @@ index 0000000..bdca6ab
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_manage_all_locks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_unlink_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
+files_delete_boot_flag(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
+files_manage_generic_tmp_files(systemd_tmpfiles_t)
@@ -57916,7 +58319,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..f12b86d 100644
+index 28b88de..6b7f9c7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -59209,7 +59612,7 @@ index 28b88de..f12b86d 100644
optional_policy(`
aide_run($1,$2)
')
-@@ -1279,11 +1562,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1562,60 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -59244,10 +59647,33 @@ index 28b88de..f12b86d 100644
+ typeattribute $1 user_tmp_type;
+
+ files_tmp_file($1)
++ ubac_constrained($1)
++')
++
++#######################################
++## <summary>
++## Make the specified type usable in a
++## generic tmpfs_t directory.
++## </summary>
++## <param name="type">
++## <summary>
++## Type to be used as a file in the
++## generic temporary directory.
++## </summary>
++## </param>
++#
++interface(`userdom_user_tmpfs_content',`
++ gen_require(`
++ attribute user_tmpfs_type;
++ ')
++
++ typeattribute $1 user_tmpfs_type;
++
++ files_tmpfs_file($1)
ubac_constrained($1)
')
-@@ -1395,6 +1704,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1727,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -59255,11 +59681,14 @@ index 28b88de..f12b86d 100644
files_search_home($1)
')
-@@ -1441,6 +1751,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,10 +1774,18 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
-+
+-')
+
+-########################################
+-## <summary>
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_list_nfs($1)
+ ')
@@ -59267,10 +59696,14 @@ index 28b88de..f12b86d 100644
+ tunable_policy(`use_samba_home_dirs',`
+ fs_list_cifs($1)
+ ')
- ')
-
- ########################################
-@@ -1456,9 +1774,11 @@ interface(`userdom_list_user_home_dirs',`
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to list user home subdirectories.
+ ## </summary>
+ ## <param name="domain">
+@@ -1456,9 +1797,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -59282,37 +59715,14 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -1515,10 +1835,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1858,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
+
- ########################################
- ## <summary>
--## Create directories in the home dir root with
--## the user home directory type.
-+## Relabel to user home files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -1526,14 +1846,50 @@ interface(`userdom_relabelto_user_home_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`userdom_home_filetrans_user_home_dir',`
-+interface(`userdom_relabelto_user_home_files',`
- gen_require(`
-- type user_home_dir_t;
-+ type user_home_t;
- ')
-
-- files_home_filetrans($1, user_home_dir_t, dir)
-+ allow $1 user_home_t:file relabelto;
- ')
--
+########################################
+## <summary>
-+## Relabel user home files.
++## Relabel to user home files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -59320,18 +59730,16 @@ index 28b88de..f12b86d 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_relabel_user_home_files',`
++interface(`userdom_relabelto_user_home_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
-+ allow $1 user_home_t:file relabel_file_perms;
++ allow $1 user_home_t:file relabelto;
+')
-+
+########################################
+## <summary>
-+## Create directories in the home dir root with
-+## the user home directory type.
++## Relabel user home files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -59339,18 +59747,18 @@ index 28b88de..f12b86d 100644
+## </summary>
+## </param>
+#
-+interface(`userdom_home_filetrans_user_home_dir',`
++interface(`userdom_relabel_user_home_files',`
+ gen_require(`
-+ type user_home_dir_t;
++ type user_home_t;
+ ')
+
-+ files_home_filetrans($1, user_home_dir_t, dir)
++ allow $1 user_home_t:file relabel_file_perms;
+')
+
########################################
## <summary>
- ## Do a domain transition to the specified
-@@ -1589,6 +1945,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ## Create directories in the home dir root with
+@@ -1589,6 +1968,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -59359,7 +59767,7 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -1603,10 +1961,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1984,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -59374,7 +59782,7 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -1649,6 +2009,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2032,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -59400,7 +59808,7 @@ index 28b88de..f12b86d 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2079,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2102,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -59433,7 +59841,7 @@ index 28b88de..f12b86d 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2115,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2138,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -59451,7 +59859,7 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -1779,6 +2181,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2204,24 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -59476,7 +59884,7 @@ index 28b88de..f12b86d 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2230,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2253,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -59486,7 +59894,7 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -1827,20 +2246,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2269,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -59511,7 +59919,7 @@ index 28b88de..f12b86d 100644
########################################
## <summary>
-@@ -2008,7 +2421,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2444,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -59520,7 +59928,7 @@ index 28b88de..f12b86d 100644
files_search_home($1)
')
-@@ -2182,7 +2595,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2618,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -59529,7 +59937,7 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -2435,13 +2848,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2871,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -59545,7 +59953,7 @@ index 28b88de..f12b86d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2876,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2899,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -59572,7 +59980,7 @@ index 28b88de..f12b86d 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2570,6 +2964,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2570,6 +2987,24 @@ interface(`userdom_use_user_ttys',`
allow $1 user_tty_device_t:chr_file rw_term_perms;
')
@@ -59597,7 +60005,7 @@ index 28b88de..f12b86d 100644
########################################
## <summary>
## Read and write a user domain pty.
-@@ -2588,6 +3000,24 @@ interface(`userdom_use_user_ptys',`
+@@ -2588,6 +3023,24 @@ interface(`userdom_use_user_ptys',`
allow $1 user_devpts_t:chr_file rw_term_perms;
')
@@ -59622,7 +60030,7 @@ index 28b88de..f12b86d 100644
########################################
## <summary>
## Read and write a user TTYs and PTYs.
-@@ -2646,6 +3076,24 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2646,6 +3099,24 @@ interface(`userdom_dontaudit_use_user_terminals',`
########################################
## <summary>
@@ -59647,7 +60055,7 @@ index 28b88de..f12b86d 100644
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -2815,7 +3263,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3286,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -59656,7 +60064,7 @@ index 28b88de..f12b86d 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3279,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3302,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -59672,7 +60080,7 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -2917,7 +3367,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3390,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -59681,7 +60089,7 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -2972,7 +3422,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3445,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -59728,7 +60136,7 @@ index 28b88de..f12b86d 100644
')
########################################
-@@ -3009,6 +3497,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3520,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -59736,7 +60144,7 @@ index 28b88de..f12b86d 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3576,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3599,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -59761,7 +60169,7 @@ index 28b88de..f12b86d 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3139,3 +3646,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3669,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0eb5397..0bea73d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 30%{?dist}
+Release: 31%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,20 @@ exit 0
%endif
%changelog
+* Thu Jun 30 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-31
+- Make mozilla_plugin_tmpfs_t as userdom_user_tmpfs_content()
+- Allow init to delete all pid sockets
+- Allow colord to read /proc/stat
+- Add label for /var/www/html/wordpress/wp-content/plugins directory
+- Allow pppd to search /var/lock dir
+- puppetmaster use nsswitch: #711804
+- Update abrt to match rawhide policy
+- allow privoxy to read network data
+- support gecko mozilla browser plugin
+- Allow chrome_sandbox to execute content in nfs homedir
+- postfix_qmgr needs to read /var/spool/postfix/deferred
+- abrt_t needs fsetid
+
* Tue Jun 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-30
- Fixes for zarafa policy
- Other fixes for fail2ban
More information about the scm-commits
mailing list