[selinux-policy] - devicekit leaks file descriptors to setfiles_t - Change all all_nodes to generic_node and all_if t

Miroslav Grepl mgrepl at fedoraproject.org
Thu Mar 17 14:46:24 UTC 2011


commit f5eb99f70b808c2b3830c5d65d9b1df5599c3a0b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Mar 17 15:46:18 2011 +0000

    - devicekit leaks file descriptors to setfiles_t
    - Change all all_nodes to generic_node and all_if to generic_if
    - Should not use deprecated interface
    - Switch from using all_nodes to generic_node and from all_if to generic_if
    - Add support for xfce4-notifyd
    - Fix file context to show several labels as SystemHigh
    - seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
    - Add etc_runtime_t label for /etc/securetty
    - Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
    - login.krb needs to be able to write user_tmp_t
    - dirsrv needs to bind to port 7390 for dogtag
    - Fix a bug in gpg policy
    - gpg sends audit messages
    - Allow qpid to manage matahari files

 policy-F15.patch    |  696 ++++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |   18 ++-
 2 files changed, 505 insertions(+), 209 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 08cb6ad..73343e7 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -3310,7 +3310,7 @@ index 00a19e3..1354800 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..7cbfcb4 100644
+index f5afe78..65118f7 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,43 +1,521 @@
@@ -3555,10 +3555,11 @@ index f5afe78..7cbfcb4 100644
 +##	manage gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Role allowed access
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +#
 +interface(`gnome_manage_config',`
 +	gen_require(`
@@ -3774,28 +3775,21 @@ index f5afe78..7cbfcb4 100644
 +##	Create gconf_home_t objects in the /root directory
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	Role allowed access
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="domain">
++##	</summary>
++## </param>
 +## <param name="object_class">
- ##	<summary>
--##	User domain for the role
++##	<summary>
 +##	The class of the object to be created.
- ##	</summary>
- ## </param>
- #
--interface(`gnome_role',`
++##	</summary>
++## </param>
++#
 +interface(`gnome_admin_home_gconf_filetrans',`
- 	gen_require(`
--		type gconfd_t, gconfd_exec_t;
--		type gconf_tmp_t;
++	gen_require(`
 +		type gconf_home_t;
- 	')
- 
--	role $1 types gconfd_t;
++	')
++
 +	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2)
 +')
 +
@@ -3803,17 +3797,23 @@ index f5afe78..7cbfcb4 100644
 +## <summary>
 +##	read gconf config files
 +## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	User domain for the role
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`gnome_role',`
 +interface(`gnome_read_gconf_config',`
-+	gen_require(`
+ 	gen_require(`
+-		type gconfd_t, gconfd_exec_t;
+-		type gconf_tmp_t;
 +		type gconf_etc_t;
-+	')
+ 	')
  
+-	role $1 types gconfd_t;
+-
 -	domain_auto_trans($2, gconfd_exec_t, gconfd_t)
 -	allow gconfd_t $2:fd use;
 -	allow gconfd_t $2:fifo_file write;
@@ -3959,7 +3959,7 @@ index f5afe78..7cbfcb4 100644
  ')
  
  ########################################
-@@ -151,40 +633,300 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +633,328 @@ interface(`gnome_setattr_config_dirs',`
  
  ########################################
  ## <summary>
@@ -4202,13 +4202,14 @@ index f5afe78..7cbfcb4 100644
 +#
 +interface(`gnome_dbus_chat_gkeyringd',`
 +	gen_require(`
-+		type gkeyringd_t;
++		attribute gkeyringd_domain;
 +		class dbus send_msg;
 +	')
 +
-+	allow $2 gkeyringd_t:dbus send_msg;
-+	allow gkeyringd_t $2:dbus send_msg;
++	allow $1 gkeyringd_domain:dbus send_msg;
++	allow gkeyringd_domain $1:dbus send_msg;
 +')
++
 +########################################
 +## <summary>
 +##	Create directories in user home directories
@@ -4270,6 +4271,33 @@ index f5afe78..7cbfcb4 100644
 +		manage_files_pattern($1, config_usr_t, config_usr_t)
 +		manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
 +')
++
++########################################
++## <summary>
++##	Execute gnome-keyring in the user gkeyring domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the gkeyring domain.
++##	</summary>
++## </param>
++#
++interface(`gnome_transition_gkeyringd',`
++	gen_require(`
++		attribute gkeyringd_domain;
++	')
++
++	allow $1 gkeyringd_domain:process transition;
++	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
++	allow gkeyringd_domain $1:process { sigchld signull };
++	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
++')
++
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
 index 2505654..857e7df 100644
 --- a/policy/modules/apps/gnome.te
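Review bot: The `<param name="role">` block documents a second argument that the body of gnome_transition_gkeyringd never uses — only `$1` appears in its rules — so either drop that block or, if a role really is meant to be bound to the keyring domains, add the missing `role $2 types gkeyringd_domain;` (the role statement accepts an attribute, as far as I know). The summary also promises a transition, but because `gkeyringd_domain` is an attribute no `type_transition` can name it as the default type, so a caller still has to request the context explicitly and still needs execute access on the gnome-keyring executable type, neither of which this interface grants; I would say so in the summary, e.g. `##	Allow an explicitly requested (non-automatic) transition to any gkeyringd domain; execute access on the keyring executable is granted separately.` The interface is complete within the hunk.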
@@ -5471,7 +5499,7 @@ index 9a6d67d..d88c02c 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..6e6b57c 100644
+index 2a91fa8..3188ebc 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -5553,7 +5581,7 @@ index 2a91fa8..6e6b57c 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,191 @@ optional_policy(`
+@@ -266,3 +291,192 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -5648,6 +5676,7 @@ index 2a91fa8..6e6b57c 100644
 +miscfiles_read_fonts(mozilla_plugin_t)
 +miscfiles_read_certs(mozilla_plugin_t)
 +miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
 +
 +sysnet_dns_name_resolve(mozilla_plugin_t)
 +
@@ -7241,7 +7270,7 @@ index c1d5f50..429b9ce 100644
 +
 +
 diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 5ef2f7d..d5ed1df 100644
+index 5ef2f7d..6f02ecd 100644
 --- a/policy/modules/apps/qemu.te
 +++ b/policy/modules/apps/qemu.te
 @@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true)
@@ -7253,7 +7282,7 @@ index 5ef2f7d..d5ed1df 100644
  ## </p>
  ## </desc>
  gen_tunable(qemu_use_comm, false)
-@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t)
+@@ -55,14 +55,15 @@ storage_raw_read_removable_device(qemu_t)
  
  userdom_search_user_home_content(qemu_t)
  userdom_read_user_tmpfs_files(qemu_t)
@@ -7261,6 +7290,17 @@ index 5ef2f7d..d5ed1df 100644
  
  tunable_policy(`qemu_full_network',`
  	allow qemu_t self:udp_socket create_socket_perms;
+ 
+-	corenet_udp_sendrecv_all_if(qemu_t)
+-	corenet_udp_sendrecv_all_nodes(qemu_t)
++	corenet_udp_sendrecv_generic_if(qemu_t)
++	corenet_udp_sendrecv_generic_node(qemu_t)
+ 	corenet_udp_sendrecv_all_ports(qemu_t)
+-	corenet_udp_bind_all_nodes(qemu_t)
++	corenet_udp_bind_generic_node(qemu_t)
+ 	corenet_udp_bind_all_ports(qemu_t)
+ 	corenet_tcp_bind_all_ports(qemu_t)
+ 	corenet_tcp_connect_all_ports(qemu_t)
 @@ -90,7 +91,9 @@ tunable_policy(`qemu_use_usb',`
  ')
  
@@ -7772,7 +7812,7 @@ index 0000000..0fedd57
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..f2201d7
+index 0000000..26d0f56
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
 @@ -0,0 +1,476 @@
@@ -7842,13 +7882,13 @@ index 0000000..f2201d7
 +
 +corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
 +corenet_all_recvfrom_netlabel(sandbox_xserver_t)
-+corenet_tcp_sendrecv_all_if(sandbox_xserver_t)
-+corenet_udp_sendrecv_all_if(sandbox_xserver_t)
-+corenet_tcp_sendrecv_all_nodes(sandbox_xserver_t)
-+corenet_udp_sendrecv_all_nodes(sandbox_xserver_t)
++corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
++corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
++corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
++corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
 +corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
 +corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
-+corenet_tcp_bind_all_nodes(sandbox_xserver_t)
++corenet_tcp_bind_generic_node(sandbox_xserver_t)
 +corenet_tcp_bind_xserver_port(sandbox_xserver_t)
 +corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
 +corenet_sendrecv_all_client_packets(sandbox_xserver_t)
@@ -8141,10 +8181,10 @@ index 0000000..f2201d7
 +
 +corenet_all_recvfrom_unlabeled(sandbox_web_type)
 +corenet_all_recvfrom_netlabel(sandbox_web_type)
-+corenet_tcp_sendrecv_all_if(sandbox_web_type)
-+corenet_raw_sendrecv_all_if(sandbox_web_type)
-+corenet_tcp_sendrecv_all_nodes(sandbox_web_type)
-+corenet_raw_sendrecv_all_nodes(sandbox_web_type)
++corenet_tcp_sendrecv_generic_if(sandbox_web_type)
++corenet_raw_sendrecv_generic_if(sandbox_web_type)
++corenet_tcp_sendrecv_generic_node(sandbox_web_type)
++corenet_raw_sendrecv_generic_node(sandbox_web_type)
 +corenet_tcp_sendrecv_http_port(sandbox_web_type)
 +corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
 +corenet_tcp_sendrecv_squid_port(sandbox_web_type)
@@ -8237,10 +8277,10 @@ index 0000000..f2201d7
 +
 +corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
 +corenet_all_recvfrom_netlabel(sandbox_net_client_t)
-+corenet_tcp_sendrecv_all_if(sandbox_net_client_t)
-+corenet_udp_sendrecv_all_if(sandbox_net_client_t)
-+corenet_tcp_sendrecv_all_nodes(sandbox_net_client_t)
-+corenet_udp_sendrecv_all_nodes(sandbox_net_client_t)
++corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
++corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
++corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
++corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
 +corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
 +corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
 +corenet_tcp_connect_all_ports(sandbox_net_client_t)
@@ -8365,10 +8405,10 @@ index 1dc7a85..787df80 100644
 +	')
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..44aa6d1 100644
+index 7590165..080ea54 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,48 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0)
  # Declarations
  #
  
@@ -8434,6 +8474,17 @@ index 7590165..44aa6d1 100644
  	')
  ')
 +
++tunable_policy(`use_nfs_home_dirs',`
++	fs_mounton_nfs(seunshare_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_mounton_cifs(seunshare_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++	fs_mounton_fusefs(seunshare_domain)
++')
 diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
 index e43c380..410027f 100644
 --- a/policy/modules/apps/slocate.te
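Review bot: `fs_mounton_nfs`, `fs_mounton_cifs` and `fs_mounton_fusefs` grant `mounton` on every directory of type nfs_t, cifs_t and fusefs_t, so under each tunable seunshare_domain may mount over any directory on those filesystems, not only the user home directories the commit message names. That is the granularity these single-type filesystems allow, but it deserves a comment above the three blocks, e.g. `# nfs_t/cifs_t/fusefs_t label whole filesystems, so this is broader than homedirs`. fs_mounton_fusefs is introduced by this same patch in filesystem.if, so that dependency is satisfied; the nfs and cifs variants are presumed to exist already — worth confirming. The seunshare_domain declarations these tunables attach to start outside the hunk.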
@@ -8668,10 +8719,10 @@ index 0000000..6878d68
 +
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..db7941f
+index 0000000..b52b636
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,333 @@
+@@ -0,0 +1,334 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -8881,9 +8932,10 @@ index 0000000..db7941f
 +')
 +
 +optional_policy(`
-+        gnome_read_gconf_home_files(telepathy_mission_control_t)
-+        gnome_setattr_cache_home_dir(telepathy_mission_control_t)
++	gnome_read_gconf_home_files(telepathy_mission_control_t)
++	gnome_setattr_cache_home_dir(telepathy_mission_control_t)
 +	gnome_read_generic_cache_files(telepathy_mission_control_t)
++	gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
 +')
 +
 +#######################################
@@ -9395,7 +9447,7 @@ index 82842a0..4111a1d 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..5574b5c 100644
+index 34c9d01..e65d58a 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -9447,7 +9499,12 @@ index 34c9d01..5574b5c 100644
  /usr/lib(64)?/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -247,6 +252,8 @@ ifdef(`distro_gentoo',`
+@@ -244,9 +249,13 @@ ifdef(`distro_gentoo',`
+ 
+ /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
+ 
++/usr/lib(64)?/xfce4/notifyd/xfce4-notifyd	--	gen_context(system_u:object_r:bin_t,s0)
++
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -9456,7 +9513,7 @@ index 34c9d01..5574b5c 100644
  /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -307,6 +314,7 @@ ifdef(`distro_redhat', `
+@@ -307,6 +316,7 @@ ifdef(`distro_redhat', `
  /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -9464,7 +9521,7 @@ index 34c9d01..5574b5c 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +324,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +326,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -9584,7 +9641,7 @@ index 5a07a43..e97e47f 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..72c9dc8 100644
+index 0757523..5a4a625 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -9657,8 +9714,11 @@ index 0757523..72c9dc8 100644
  network_port(comsat, udp,512,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
-@@ -98,7 +118,9 @@ network_port(dict, tcp,2628,s0)
+@@ -96,9 +116,12 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+ network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
+ network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
++network_port(dogtag, tcp,7390,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
  network_port(epmap, tcp,135,s0, udp,135,s0)
 +network_port(festival, tcp,1314,s0)
@@ -9667,7 +9727,7 @@ index 0757523..72c9dc8 100644
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -112,7 +134,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -112,7 +135,7 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -9676,7 +9736,7 @@ index 0757523..72c9dc8 100644
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -126,43 +148,58 @@ network_port(iscsi, tcp,3260,s0)
+@@ -126,43 +149,58 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -9739,7 +9799,7 @@ index 0757523..72c9dc8 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -177,24 +214,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,24 +215,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -9773,7 +9833,7 @@ index 0757523..72c9dc8 100644
  network_port(syslogd, udp,514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
-@@ -205,16 +247,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,16 +248,17 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -9794,7 +9854,7 @@ index 0757523..72c9dc8 100644
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
-@@ -276,5 +319,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -276,5 +320,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
  allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
  
  # Bind to any network address.
@@ -10448,7 +10508,7 @@ index bc534c1..b70ea07 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 16108f6..2abd3eb 100644
+index 16108f6..33ea07b 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -10459,20 +10519,20 @@ index 16108f6..2abd3eb 100644
  ')
  
  ifdef(`distro_suse',`
-@@ -58,6 +59,13 @@ ifdef(`distro_suse',`
+@@ -57,6 +58,13 @@ ifdef(`distro_suse',`
+ /etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
- 
++/etc/securetty  	--  	gen_context(system_u:object_r:etc_runtime_t,s0)
++
 +/etc/sysctl\.conf(\.old)?               --      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/ebtables.*				--      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/ip6?tables.*             --      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
-+
-+
+ 
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
- /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
 @@ -68,7 +76,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
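Review bot: Labelling `/etc/securetty` as etc_runtime_t moves the root-login tty allowlist into the type that holds runtime-rewritten files (the neighbouring /etc/nologin.* and /etc/mtab.fuselock entries), so every domain with manage rights on etc_runtime_t — e.g. via `files_manage_etc_runtime_files` — can now rewrite it, which the plain etc_t label did not allow. The commit message does not say which domain needs to write the file; a one-line comment naming it, `# rewritten at runtime by <domain> — TODO confirm`, would keep the wider write set reviewable. The new line also aligns its columns with a mix of spaces and tabs unlike its neighbours; harmless to the parser but worth matching the surrounding tab layout. The file-context list continues outside the hunk.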
@@ -11804,7 +11864,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..fbbd1ce 100644
+index dfe361a..40bfd0f 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -12067,7 +12127,32 @@ index dfe361a..fbbd1ce 100644
  ##	Create, read, write, and delete dirs
  ##	on a DOS filesystem.
  ## </summary>
-@@ -1892,6 +2047,26 @@ interface(`fs_manage_fusefs_files',`
+@@ -1774,6 +1929,24 @@ interface(`fs_unmount_fusefs',`
+ 
+ ########################################
+ ## <summary>
++##	Mounton a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_mounton_fusefs',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir mounton;
++')
++
++########################################
++## <summary>
+ ##	Search directories
+ ##	on a FUSEFS filesystem.
+ ## </summary>
+@@ -1892,6 +2065,26 @@ interface(`fs_manage_fusefs_files',`
  
  ########################################
  ## <summary>
@@ -12094,7 +12179,7 @@ index dfe361a..fbbd1ce 100644
  ##	Do not audit attempts to create,
  ##	read, write, and delete files
  ##	on a FUSEFS filesystem.
-@@ -1931,7 +2106,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +2124,26 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -12122,7 +12207,7 @@ index dfe361a..fbbd1ce 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,6 +2140,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2158,41 @@ interface(`fs_rw_hugetlbfs_files',`
  
  	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
  ')
@@ -12164,7 +12249,7 @@ index dfe361a..fbbd1ce 100644
  
  ########################################
  ## <summary>
-@@ -1999,6 +2228,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2246,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -12172,7 +12257,7 @@ index dfe361a..fbbd1ce 100644
  ')
  
  ########################################
-@@ -2331,6 +2561,7 @@ interface(`fs_read_nfs_files',`
+@@ -2331,6 +2579,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -12180,7 +12265,7 @@ index dfe361a..fbbd1ce 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2369,6 +2600,7 @@ interface(`fs_write_nfs_files',`
+@@ -2369,6 +2618,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -12188,7 +12273,7 @@ index dfe361a..fbbd1ce 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2395,6 +2627,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2645,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -12214,7 +12299,7 @@ index dfe361a..fbbd1ce 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2435,6 +2686,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2704,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -12257,7 +12342,7 @@ index dfe361a..fbbd1ce 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2449,7 +2736,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2754,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -12266,7 +12351,7 @@ index dfe361a..fbbd1ce 100644
  ')
  
  ########################################
-@@ -2637,6 +2924,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2942,24 @@ interface(`fs_dontaudit_read_removable_files',`
  
  ########################################
  ## <summary>
@@ -12291,7 +12376,7 @@ index dfe361a..fbbd1ce 100644
  ##	Read removable storage symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2653,6 +2958,25 @@ interface(`fs_read_removable_symlinks',`
+@@ -2653,6 +2976,25 @@ interface(`fs_read_removable_symlinks',`
  	read_lnk_files_pattern($1, removable_t, removable_t)
  ')
  
@@ -12317,7 +12402,7 @@ index dfe361a..fbbd1ce 100644
  ########################################
  ## <summary>
  ##	Read and write block nodes on removable filesystems.
-@@ -2779,6 +3103,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2779,6 +3121,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -12325,7 +12410,7 @@ index dfe361a..fbbd1ce 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -2819,6 +3144,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3162,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -12333,7 +12418,7 @@ index dfe361a..fbbd1ce 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -2845,7 +3171,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3189,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
  #########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links
@@ -12342,7 +12427,7 @@ index dfe361a..fbbd1ce 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,6 +3185,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3203,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -12350,7 +12435,7 @@ index dfe361a..fbbd1ce 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3989,6 +4316,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4334,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -12393,7 +12478,7 @@ index dfe361a..fbbd1ce 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4271,6 +4634,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -12402,7 +12487,7 @@ index dfe361a..fbbd1ce 100644
  ')
  
  ########################################
-@@ -4681,3 +5046,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -16913,7 +16998,7 @@ index 6480167..09c61a0 100644
 +	dontaudit $1 httpd_tmp_t:file { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..b09a425 100644
+index 3136c6a..da3eab1 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -17395,13 +17480,13 @@ index 3136c6a..b09a425 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-+        fs_list_auto_mountpoints(httpd_t)
++	fs_list_auto_mountpoints(httpd_t)
  	fs_read_nfs_files(httpd_t)
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
 +tunable_policy(`httpd_use_nfs',`
-+        fs_list_auto_mountpoints(httpd_t)
++	fs_list_auto_mountpoints(httpd_t)
 +	fs_manage_nfs_dirs(httpd_t)
 +	fs_manage_nfs_files(httpd_t)
 +	fs_manage_nfs_symlinks(httpd_t)
@@ -17703,7 +17788,7 @@ index 3136c6a..b09a425 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +1058,37 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1058,49 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -17741,6 +17826,24 @@ index 3136c6a..b09a425 100644
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
+ 
+-	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
+-	corenet_udp_bind_all_nodes(httpd_sys_script_t)
++	corenet_tcp_bind_generic_node(httpd_sys_script_t)
++	corenet_udp_bind_generic_node(httpd_sys_script_t)
+ 	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ 	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+-	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
+-	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
+-	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
+-	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
++	corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
++	corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
++	corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
++	corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
+ 	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
+ 	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
+ 	corenet_tcp_connect_all_ports(httpd_sys_script_t)
 @@ -822,14 +1108,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
@@ -18928,7 +19031,7 @@ index 0000000..3964548
 +')
 diff --git a/policy/modules/services/bugzilla.te b/policy/modules/services/bugzilla.te
 new file mode 100644
-index 0000000..b73c9f2
+index 0000000..5fa8122
 --- /dev/null
 +++ b/policy/modules/services/bugzilla.te
 @@ -0,0 +1,57 @@
@@ -18955,10 +19058,10 @@ index 0000000..b73c9f2
 +
 +corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
 +corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
-+corenet_tcp_sendrecv_all_if(httpd_bugzilla_script_t)
-+corenet_udp_sendrecv_all_if(httpd_bugzilla_script_t)
-+corenet_tcp_sendrecv_all_nodes(httpd_bugzilla_script_t)
-+corenet_udp_sendrecv_all_nodes(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_generic_if(httpd_bugzilla_script_t)
++corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
++corenet_udp_sendrecv_generic_node(httpd_bugzilla_script_t)
 +corenet_tcp_sendrecv_all_ports(httpd_bugzilla_script_t)
 +corenet_udp_sendrecv_all_ports(httpd_bugzilla_script_t)
 +corenet_tcp_connect_postgresql_port(httpd_bugzilla_script_t)
@@ -21928,7 +22031,7 @@ index f7583ab..9941737 100644
  ')
  
 diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
-index 1b492ed..3d09c0e 100644
+index 1b492ed..76480c2 100644
 --- a/policy/modules/services/cups.fc
 +++ b/policy/modules/services/cups.fc
 @@ -56,6 +56,7 @@
@@ -21939,7 +22042,15 @@ index 1b492ed..3d09c0e 100644
  
  /var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_var_lib_t,s0)
  
-@@ -71,3 +72,9 @@
+@@ -64,10 +65,16 @@
+ 
+ /var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+ /var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+ /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+ /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/udev-configure-printer(/.*)? 	gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
  /var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
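Review bot: The `mls_systemhigh` field on `/var/run/cups(/.*)?` only takes effect in the MLS policy build — if gen_context follows the reference-policy definition, its second argument is emitted only when enable_mls is set, so the targeted/MCS context of this entry is unchanged. Under MLS it means cupsd_t must be allowed to create and relabel objects at SystemHigh (something like the `mls_file_write_all_levels` grant in cups.te, presumably already present — confirm), otherwise cupsd cannot repopulate its run directory after a relabel. A short comment next to the entry, `# SystemHigh on MLS builds: cupsd serves clients at all levels`, would record the intent. The rest of the context list is outside the hunk.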
@@ -23720,10 +23831,10 @@ index 0000000..9d8f5de
 +')
 diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
 new file mode 100644
-index 0000000..2a9e3f9
+index 0000000..24f776b
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,176 @@
+@@ -0,0 +1,178 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -23807,6 +23918,7 @@ index 0000000..2a9e3f9
 +
 +manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
 +manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
 +
 +manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
 +manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
@@ -23821,8 +23933,9 @@ index 0000000..2a9e3f9
 +corenet_tcp_sendrecv_generic_if(dirsrv_t)
 +corenet_tcp_sendrecv_generic_node(dirsrv_t)
 +corenet_tcp_sendrecv_all_ports(dirsrv_t)
-+corenet_tcp_bind_all_nodes(dirsrv_t)
++corenet_tcp_bind_generic_node(dirsrv_t)
 +corenet_tcp_bind_ldap_port(dirsrv_t)
++corenet_tcp_bind_dogtag_port(dirsrv_t)
 +corenet_tcp_bind_all_rpc_ports(dirsrv_t)
 +corenet_udp_bind_all_rpc_ports(dirsrv_t)
 +corenet_tcp_connect_all_ports(dirsrv_t)
@@ -26221,11 +26334,15 @@ index a627b34..4b27e25 100644
  optional_policy(`
  	seutil_sigchld_newrole(gpm_t)
 diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..2a87d1e 100644
+index 03742d8..c65263e 100644
 --- a/policy/modules/services/gpsd.te
 +++ b/policy/modules/services/gpsd.te
-@@ -46,6 +46,8 @@ corenet_tcp_sendrecv_all_ports(gpsd_t)
- corenet_tcp_bind_all_nodes(gpsd_t)
+@@ -43,9 +43,11 @@ corenet_all_recvfrom_netlabel(gpsd_t)
+ corenet_tcp_sendrecv_generic_if(gpsd_t)
+ corenet_tcp_sendrecv_generic_node(gpsd_t)
+ corenet_tcp_sendrecv_all_ports(gpsd_t)
+-corenet_tcp_bind_all_nodes(gpsd_t)
++corenet_tcp_bind_generic_node(gpsd_t)
  corenet_tcp_bind_gpsd_port(gpsd_t)
  
 +dev_read_sysfs(gpsd_t)
@@ -26245,9 +26362,18 @@ index 03742d8..2a87d1e 100644
  ')
  
 diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
-index 2d0b4e1..804d347 100644
+index 2d0b4e1..e268ede 100644
 --- a/policy/modules/services/hadoop.if
 +++ b/policy/modules/services/hadoop.if
+@@ -91,7 +91,7 @@ template(`hadoop_domain_template',`
+ 
+ 	corenet_all_recvfrom_unlabeled(hadoop_$1_t)
+ 	corenet_all_recvfrom_netlabel(hadoop_$1_t)
+-	corenet_tcp_bind_all_nodes(hadoop_$1_t)
++	corenet_tcp_bind_generic_node(hadoop_$1_t)
+ 	corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
+ 	corenet_udp_sendrecv_generic_if(hadoop_$1_t)
+ 	corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
 @@ -175,8 +175,6 @@ template(`hadoop_domain_template',`
  	files_read_etc_files(hadoop_$1_initrc_t)
  	files_read_usr_files(hadoop_$1_initrc_t)
@@ -28322,7 +28448,7 @@ index 0000000..8e22c5e
 +')
 diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
 new file mode 100644
-index 0000000..6800643
+index 0000000..fbad798
 --- /dev/null
 +++ b/policy/modules/services/matahari.te
 @@ -0,0 +1,116 @@
@@ -28375,7 +28501,7 @@ index 0000000..6800643
 +
 +dev_read_sysfs(matahari_hostd_t)
 +dev_read_urand(matahari_hostd_t)
-+dev_write_mtrr(matahari_hostd_t)
++dev_rw_mtrr(matahari_hostd_t)
 +
 +domain_use_interactive_fds(matahari_hostd_t)
 +domain_read_all_domains_state(matahari_hostd_t)
@@ -31580,9 +31706,18 @@ index c61adc8..b5b5992 100644
  term_use_ptmx(ntpd_t)
  
 diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
-index ff962dd..69c07c1 100644
+index ff962dd..3cf3fe3 100644
 --- a/policy/modules/services/nut.te
 +++ b/policy/modules/services/nut.te
+@@ -47,7 +47,7 @@ kernel_read_kernel_sysctls(nut_upsd_t)
+ 
+ corenet_tcp_bind_ups_port(nut_upsd_t)
+ corenet_tcp_bind_generic_port(nut_upsd_t)
+-corenet_tcp_bind_all_nodes(nut_upsd_t)
++corenet_tcp_bind_generic_node(nut_upsd_t)
+ 
+ files_read_usr_files(nut_upsd_t)
+ 
 @@ -133,6 +133,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t)
  # /sbin/upsdrvctl executes other drivers
  corecmd_exec_bin(nut_upsdrvctl_t)
@@ -32289,7 +32424,7 @@ index 1c2a091..ea5ae69 100644
  #
  interface(`pcscd_domtrans',`
 diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
-index ceafba6..eca6852 100644
+index ceafba6..9eb6967 100644
 --- a/policy/modules/services/pcscd.te
 +++ b/policy/modules/services/pcscd.te
 @@ -7,7 +7,6 @@ policy_module(pcscd, 1.7.0)
@@ -32300,6 +32435,22 @@ index ceafba6..eca6852 100644
  init_daemon_domain(pcscd_t, pcscd_exec_t)
  
  # pid files
+@@ -25,6 +24,7 @@ allow pcscd_t self:fifo_file rw_fifo_file_perms;
+ allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
+ allow pcscd_t self:unix_dgram_socket create_socket_perms;
+ allow pcscd_t self:tcp_socket create_stream_socket_perms;
++allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+@@ -77,3 +77,7 @@ optional_policy(`
+ optional_policy(`
+ 	rpm_use_script_fds(pcscd_t)
+ ')
++
++optional_policy(`
++	udev_read_db(pcscd_t)
++')
 diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
 index 3185114..514e127 100644
 --- a/policy/modules/services/pegasus.te
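Review bot: The new `allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;` carries no comment saying why pcscd needs a kernel uevent socket, while the `udev_read_db(pcscd_t)` added in the same hunk suggests it is reacting to device hotplug events; if that is the case, `# receive kernel uevents for reader hotplug (libudev) — confirm against the AVC` above the rule would record the intent. The `udev_read_db` call is wrapped in `optional_policy`, which is right since the udev module may be absent.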
@@ -36417,7 +36568,7 @@ index 852840b..1244ab2 100644
 +	')
  ')
 diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index 0a76027..3c00e89 100644
+index 0a76027..7083808 100644
 --- a/policy/modules/services/remotelogin.te
 +++ b/policy/modules/services/remotelogin.te
 @@ -49,6 +49,8 @@ fs_getattr_xattr_fs(remote_login_t)
@@ -36438,7 +36589,7 @@ index 0a76027..3c00e89 100644
  
  miscfiles_read_localization(remote_login_t)
  
-@@ -87,9 +89,7 @@ userdom_search_user_home_content(remote_login_t)
+@@ -87,9 +89,8 @@ userdom_search_user_home_content(remote_login_t)
  # since very weak authentication is used.
  userdom_signal_unpriv_users(remote_login_t)
  userdom_spec_domtrans_unpriv_users(remote_login_t)
@@ -36446,10 +36597,11 @@ index 0a76027..3c00e89 100644
 -# Search for mail spool file.
 -mta_getattr_spool(remote_login_t)
 +userdom_use_user_ptys(remote_login_t)
++userdom_rw_user_tmp_files(remote_login_t)
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(remote_login_t)
-@@ -106,15 +106,15 @@ optional_policy(`
+@@ -106,15 +107,15 @@ optional_policy(`
  ')
  
  optional_policy(`
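Review bot: `userdom_rw_user_tmp_files(remote_login_t)` on the added line grants read and write on every user's user_tmp_t files to a domain that the existing comment at the top of this hunk describes as running with very weak authentication, and nothing in the hunk records why. The commit message attributes it to login.krb, so at minimum annotate the rule: `# login.krb needs to write user_tmp_t`. If only one file is touched, a dedicated type plus a file transition would keep the grant narrower than all user_tmp_t content.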
@@ -44236,7 +44388,7 @@ index 130ced9..33c8170 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 6c01261..7add988 100644
+index 6c01261..4bd148a 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -44872,17 +45024,23 @@ index 6c01261..7add988 100644
  ')
  
  optional_policy(`
-@@ -517,7 +738,37 @@ optional_policy(`
+@@ -517,7 +738,43 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	cpufreqselector_dbus_chat(xdm_t)
 +	# Use dbus to start other processes as xdm_t
 +	dbus_role_template(xdm, system_r, xdm_t)
++	
++	#fixes for xfce4-notifyd
++	allow xdm_dbusd_t self:unix_stream_socket connectto;
++	allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
 +
 +	dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
 +	xserver_xdm_append_log(xdm_dbusd_t)
 +	xserver_read_xdm_pid(xdm_dbusd_t)
++	
++	miscfiles_read_fonts(xdm_dbusd_t)
 +
 +	corecmd_bin_entry_type(xdm_t)
 +
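Review bot: The two added blank lines inside the block (before `#fixes for xfce4-notifyd` and before `miscfiles_read_fonts(xdm_dbusd_t)`) carry a trailing tab, while the neighbouring blank lines are empty; they should be empty too. The comment `#fixes for xfce4-notifyd` also lacks the space after `#` that the adjacent `# Use dbus to start other processes as xdm_t` uses. `allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;` normally needs write on the X server's socket file as well (the `xserver_stream_connect` interface pairs the two); confirm that is granted elsewhere, otherwise the connect is still denied. The enclosing `optional_policy` block opens at the top of the hunk and continues past its end.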
@@ -44911,7 +45069,7 @@ index 6c01261..7add988 100644
  ')
  
  optional_policy(`
-@@ -527,6 +778,14 @@ optional_policy(`
+@@ -527,6 +784,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44920,13 +45078,14 @@ index 6c01261..7add988 100644
 +	gnome_manage_gconf_home_files(xdm_t)
 +	gnome_read_config(xdm_t)
 +	gnome_read_gconf_config(xdm_t)
++	gnome_transition_gkeyringd(xdm_t)
 +')
 +
 +optional_policy(`
  	hostname_exec(xdm_t)
  ')
  
-@@ -544,28 +803,65 @@ optional_policy(`
+@@ -544,28 +810,65 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45001,7 +45160,7 @@ index 6c01261..7add988 100644
  ')
  
  optional_policy(`
-@@ -577,6 +873,14 @@ optional_policy(`
+@@ -577,6 +880,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45016,7 +45175,7 @@ index 6c01261..7add988 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -601,7 +905,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +912,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -45025,7 +45184,7 @@ index 6c01261..7add988 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -615,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +926,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -45041,7 +45200,7 @@ index 6c01261..7add988 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -635,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +953,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -45063,7 +45222,7 @@ index 6c01261..7add988 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -648,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +973,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -45071,7 +45230,7 @@ index 6c01261..7add988 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -674,7 +993,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +1000,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -45079,7 +45238,7 @@ index 6c01261..7add988 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -684,11 +1002,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1009,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -45097,7 +45256,7 @@ index 6c01261..7add988 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -699,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1030,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -45111,7 +45270,7 @@ index 6c01261..7add988 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -713,8 +1042,6 @@ init_getpgid(xserver_t)
+@@ -713,8 +1049,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -45120,7 +45279,7 @@ index 6c01261..7add988 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -722,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -722,11 +1056,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -45135,7 +45294,7 @@ index 6c01261..7add988 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -780,16 +1108,36 @@ optional_policy(`
+@@ -780,16 +1115,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45173,7 +45332,7 @@ index 6c01261..7add988 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -798,6 +1146,10 @@ optional_policy(`
+@@ -798,6 +1153,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45184,7 +45343,7 @@ index 6c01261..7add988 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -813,10 +1165,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1172,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -45198,7 +45357,7 @@ index 6c01261..7add988 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -824,7 +1176,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1183,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -45207,7 +45366,7 @@ index 6c01261..7add988 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -837,6 +1189,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1196,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -45217,7 +45376,7 @@ index 6c01261..7add988 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -844,6 +1199,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1206,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -45229,7 +45388,7 @@ index 6c01261..7add988 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -852,11 +1212,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1219,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -45246,7 +45405,7 @@ index 6c01261..7add988 100644
  ')
  
  optional_policy(`
-@@ -864,6 +1227,10 @@ optional_policy(`
+@@ -864,6 +1234,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -45257,7 +45416,7 @@ index 6c01261..7add988 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -907,7 +1274,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1281,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -45266,7 +45425,7 @@ index 6c01261..7add988 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -961,11 +1328,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1335,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -45298,7 +45457,7 @@ index 6c01261..7add988 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -987,18 +1374,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1381,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -47376,7 +47535,7 @@ index cc83689..3596325 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..cd82670 100644
+index ea29513..b8a5c6d 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -47523,7 +47682,7 @@ index ea29513..cd82670 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +231,105 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +231,106 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -47555,6 +47714,7 @@ index ea29513..cd82670 100644
 +
 +	dev_write_kmsg(init_t)
 +	dev_write_urand(init_t)
++	dev_rw_lvm_control(init_t)
 +	dev_rw_autofs(init_t)
 +	dev_manage_generic_symlinks(init_t)
 +	dev_manage_generic_dirs(init_t)
@@ -47629,7 +47789,7 @@ index ea29513..cd82670 100644
  ')
  
  optional_policy(`
-@@ -199,10 +337,25 @@ optional_policy(`
+@@ -199,10 +338,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47655,7 +47815,7 @@ index ea29513..cd82670 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +365,7 @@ optional_policy(`
+@@ -212,7 +366,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -47664,7 +47824,7 @@ index ea29513..cd82670 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +394,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +395,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -47679,7 +47839,7 @@ index ea29513..cd82670 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,11 +413,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +414,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -47703,7 +47863,20 @@ index ea29513..cd82670 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -279,6 +446,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+ corenet_all_recvfrom_unlabeled(initrc_t)
+ corenet_all_recvfrom_netlabel(initrc_t)
+-corenet_tcp_sendrecv_all_if(initrc_t)
+-corenet_udp_sendrecv_all_if(initrc_t)
+-corenet_tcp_sendrecv_all_nodes(initrc_t)
+-corenet_udp_sendrecv_all_nodes(initrc_t)
++corenet_tcp_sendrecv_generic_if(initrc_t)
++corenet_udp_sendrecv_generic_if(initrc_t)
++corenet_tcp_sendrecv_generic_node(initrc_t)
++corenet_udp_sendrecv_generic_node(initrc_t)
+ corenet_tcp_sendrecv_all_ports(initrc_t)
+ corenet_udp_sendrecv_all_ports(initrc_t)
+ corenet_tcp_connect_all_ports(initrc_t)
+@@ -279,6 +447,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -47711,7 +47884,7 @@ index ea29513..cd82670 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +459,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +460,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -47719,7 +47892,7 @@ index ea29513..cd82670 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +467,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +468,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -47735,7 +47908,7 @@ index ea29513..cd82670 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +485,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +486,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -47743,7 +47916,7 @@ index ea29513..cd82670 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +493,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +494,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -47755,7 +47928,7 @@ index ea29513..cd82670 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +512,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +513,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -47769,7 +47942,7 @@ index ea29513..cd82670 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +527,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +528,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -47778,7 +47951,7 @@ index ea29513..cd82670 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +541,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +542,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -47786,7 +47959,7 @@ index ea29513..cd82670 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +553,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +554,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -47794,7 +47967,7 @@ index ea29513..cd82670 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +574,12 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +575,12 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -47810,7 +47983,7 @@ index ea29513..cd82670 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -478,7 +657,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +658,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -47819,7 +47992,7 @@ index ea29513..cd82670 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -524,6 +703,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +704,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -47843,7 +48016,7 @@ index ea29513..cd82670 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +727,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +728,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -47861,7 +48034,7 @@ index ea29513..cd82670 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +752,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +753,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -47901,7 +48074,7 @@ index ea29513..cd82670 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +797,8 @@ optional_policy(`
+@@ -561,6 +798,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -47910,7 +48083,7 @@ index ea29513..cd82670 100644
  ')
  
  optional_policy(`
-@@ -577,6 +815,7 @@ optional_policy(`
+@@ -577,6 +816,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -47918,7 +48091,7 @@ index ea29513..cd82670 100644
  ')
  
  optional_policy(`
-@@ -589,6 +828,11 @@ optional_policy(`
+@@ -589,6 +829,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47930,7 +48103,7 @@ index ea29513..cd82670 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +849,13 @@ optional_policy(`
+@@ -605,9 +850,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -47944,7 +48117,7 @@ index ea29513..cd82670 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +897,11 @@ optional_policy(`
+@@ -649,6 +898,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47956,7 +48129,7 @@ index ea29513..cd82670 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +959,13 @@ optional_policy(`
+@@ -706,7 +960,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47970,7 +48143,7 @@ index ea29513..cd82670 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +988,10 @@ optional_policy(`
+@@ -729,6 +989,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47981,7 +48154,7 @@ index ea29513..cd82670 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1001,20 @@ optional_policy(`
+@@ -738,10 +1002,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48002,7 +48175,7 @@ index ea29513..cd82670 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1023,10 @@ optional_policy(`
+@@ -750,6 +1024,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48013,7 +48186,7 @@ index ea29513..cd82670 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1048,6 @@ optional_policy(`
+@@ -771,8 +1049,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -48022,7 +48195,7 @@ index ea29513..cd82670 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1056,21 @@ optional_policy(`
+@@ -781,14 +1057,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48044,7 +48217,7 @@ index ea29513..cd82670 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1092,19 @@ optional_policy(`
+@@ -810,11 +1093,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48065,7 +48238,7 @@ index ea29513..cd82670 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1114,25 @@ optional_policy(`
+@@ -824,6 +1115,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -48091,7 +48264,7 @@ index ea29513..cd82670 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1158,37 @@ optional_policy(`
+@@ -849,3 +1159,37 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -48270,7 +48443,7 @@ index 8232f91..8897e32 100644
 +        allow ipsec_mgmt_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 98d6081..ba4b965 100644
+index 98d6081..c214645 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -73,7 +73,7 @@ role system_r types setkey_t;
@@ -48303,6 +48476,26 @@ index 98d6081..ba4b965 100644
  allow ipsec_mgmt_t ipsec_t:process sigchld;
  
  kernel_read_kernel_sysctls(ipsec_t)
+@@ -127,13 +128,13 @@ corecmd_exec_bin(ipsec_t)
+ 
+ # Pluto needs network access
+ corenet_all_recvfrom_unlabeled(ipsec_t)
+-corenet_tcp_sendrecv_all_if(ipsec_t)
+-corenet_raw_sendrecv_all_if(ipsec_t)
+-corenet_tcp_sendrecv_all_nodes(ipsec_t)
+-corenet_raw_sendrecv_all_nodes(ipsec_t)
++corenet_tcp_sendrecv_generic_if(ipsec_t)
++corenet_raw_sendrecv_generic_if(ipsec_t)
++corenet_tcp_sendrecv_generic_node(ipsec_t)
++corenet_raw_sendrecv_generic_node(ipsec_t)
+ corenet_tcp_sendrecv_all_ports(ipsec_t)
+-corenet_tcp_bind_all_nodes(ipsec_t)
+-corenet_udp_bind_all_nodes(ipsec_t)
++corenet_tcp_bind_generic_node(ipsec_t)
++corenet_udp_bind_generic_node(ipsec_t)
+ corenet_tcp_bind_reserved_port(ipsec_t)
+ corenet_tcp_bind_isakmp_port(ipsec_t)
+ corenet_udp_bind_isakmp_port(ipsec_t)
 @@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t)
  files_list_tmp(ipsec_t)
  files_read_etc_files(ipsec_t)
@@ -48421,6 +48614,25 @@ index 98d6081..ba4b965 100644
  	nscd_socket_use(ipsec_mgmt_t)
  ')
  
+@@ -352,12 +390,12 @@ corecmd_exec_shell(racoon_t)
+ corecmd_exec_bin(racoon_t)
+ 
+ corenet_all_recvfrom_unlabeled(racoon_t)
+-corenet_tcp_sendrecv_all_if(racoon_t)
+-corenet_udp_sendrecv_all_if(racoon_t)
+-corenet_tcp_sendrecv_all_nodes(racoon_t)
+-corenet_udp_sendrecv_all_nodes(racoon_t)
+-corenet_tcp_bind_all_nodes(racoon_t)
+-corenet_udp_bind_all_nodes(racoon_t)
++corenet_tcp_sendrecv_generic_if(racoon_t)
++corenet_udp_sendrecv_generic_if(racoon_t)
++corenet_tcp_sendrecv_generic_node(racoon_t)
++corenet_udp_sendrecv_generic_node(racoon_t)
++corenet_tcp_bind_generic_node(racoon_t)
++corenet_udp_bind_generic_node(racoon_t)
+ corenet_udp_bind_isakmp_port(racoon_t)
+ corenet_udp_bind_ipsecnat_port(racoon_t)
+ 
 @@ -386,6 +424,8 @@ miscfiles_read_localization(racoon_t)
  
  sysnet_exec_ifconfig(racoon_t)
@@ -48486,7 +48698,7 @@ index 5c94dfe..59bfb17 100644
  
  ########################################
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index a3fdcb3..96b3872 100644
+index a3fdcb3..3240adf 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -13,9 +13,6 @@ role system_r types iptables_t;
@@ -48541,7 +48753,8 @@ index a3fdcb3..96b3872 100644
  domain_use_interactive_fds(iptables_t)
  
  files_read_etc_files(iptables_t)
- files_read_etc_runtime_files(iptables_t)
+-files_read_etc_runtime_files(iptables_t)
++files_rw_etc_runtime_files(iptables_t)
 +files_read_usr_files(iptables_t)
  
  auth_use_nsswitch(iptables_t)
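Review bot: Replacing `files_read_etc_runtime_files(iptables_t)` with `files_rw_etc_runtime_files(iptables_t)` widens iptables_t from reading to writing everything labelled etc_runtime_t, and the commit message only says /etc/securetty was added to that type, not which file iptables must write. If a single file is the reason, name it in a comment, `# iptables rewrites <file> (etc_runtime_t)`, and consider whether a dedicated type would keep the write grant scoped to that file. Without a note the next reader cannot tell whether the write permission is still needed.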
@@ -49150,7 +49363,7 @@ index 2b7e5f3..76b4ce1 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..7e33883 100644
+index 571599b..8a12739 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -17,6 +17,11 @@
@@ -49173,7 +49386,23 @@ index 571599b..7e33883 100644
  /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  
  ifdef(`distro_suse', `
-@@ -54,18 +60,24 @@ ifdef(`distro_redhat',`
+@@ -37,13 +43,14 @@ ifdef(`distro_suse', `
+ 
+ /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
++/var/log/boot\.log		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/maillog[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+-/var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+ 
+ ifndef(`distro_gentoo',`
+ /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+@@ -54,18 +61,24 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
  ')
  
@@ -49188,13 +49417,15 @@ index 571599b..7e33883 100644
  /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
  /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
  /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+-/var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 +/var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 +/var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
  
  /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
  /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
- /var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
+-/var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/plymouth/boot\.log	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
  
 +/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
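Review bot: In this hunk `/var/run/syslogd\.pid` is raised to mls_systemhigh, but `/var/run/syslog-ng.ctl` and `/var/run/syslog-ng(/.*)?` keep s0, even though the preceding hunk moves `/var/log/syslog-ng(/.*)?` to mls_systemhigh; if syslog daemon state is meant to sit at SystemHigh on MLS systems the syslog-ng run-time entries should follow, otherwise the difference deserves a comment. Separately, that `/var/log/syslog-ng` line carries syslogd_var_run_t rather than a log type, which predates this commit but looks worth a second look. The `boot\.log` escape on the plymouth line is a correct fix, since the unescaped `.` matched any character.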
@@ -50239,7 +50470,7 @@ index 8b5c196..6dc92dd 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..e7aff81 100644
+index 15832c7..00f5ea9 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -50429,7 +50660,7 @@ index 15832c7..e7aff81 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -141,10 +212,13 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +212,29 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -50443,6 +50674,30 @@ index 15832c7..e7aff81 100644
  ')
  
  optional_policy(`
+ 	# for nfs
+ 	corenet_all_recvfrom_unlabeled(mount_t)
+ 	corenet_all_recvfrom_netlabel(mount_t)
+-	corenet_tcp_sendrecv_all_if(mount_t)
+-	corenet_raw_sendrecv_all_if(mount_t)
+-	corenet_udp_sendrecv_all_if(mount_t)
+-	corenet_tcp_sendrecv_all_nodes(mount_t)
+-	corenet_raw_sendrecv_all_nodes(mount_t)
+-	corenet_udp_sendrecv_all_nodes(mount_t)
++	corenet_tcp_sendrecv_generic_if(mount_t)
++	corenet_raw_sendrecv_generic_if(mount_t)
++	corenet_udp_sendrecv_generic_if(mount_t)
++	corenet_tcp_sendrecv_generic_node(mount_t)
++	corenet_raw_sendrecv_generic_node(mount_t)
++	corenet_udp_sendrecv_generic_node(mount_t)
+ 	corenet_tcp_sendrecv_all_ports(mount_t)
+ 	corenet_udp_sendrecv_all_ports(mount_t)
+-	corenet_tcp_bind_all_nodes(mount_t)
+-	corenet_udp_bind_all_nodes(mount_t)
++	corenet_tcp_bind_generic_node(mount_t)
++	corenet_udp_bind_generic_node(mount_t)
+ 	corenet_tcp_bind_generic_port(mount_t)
+ 	corenet_udp_bind_generic_port(mount_t)
+ 	corenet_tcp_bind_reserved_port(mount_t)
 @@ -174,6 +248,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
@@ -51134,7 +51389,7 @@ index 170e2c7..540a936 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..c3dc5ba 100644
+index 7ed9819..293555e 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -51403,7 +51658,7 @@ index 7ed9819..c3dc5ba 100644
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -487,118 +487,64 @@ ifdef(`distro_debian',`
+@@ -487,118 +487,69 @@ ifdef(`distro_debian',`
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
@@ -51481,44 +51736,49 @@ index 7ed9819..c3dc5ba 100644
 -
 -# this is to satisfy the assertion:
 -auth_relabelto_shadow(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+ 
 -init_use_fds(setfiles_t)
 -init_use_script_fds(setfiles_t)
 -init_use_script_ptys(setfiles_t)
 -init_exec_script_files(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
- 
--logging_send_syslog_msg(setfiles_t)
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
  
--miscfiles_read_localization(setfiles_t)
+-logging_send_syslog_msg(setfiles_t)
 -
--seutil_libselinux_linked(setfiles_t)
+-miscfiles_read_localization(setfiles_t)
 +########################################
 +#
 +# Setfiles local policy
 +#
  
--userdom_use_all_users_fds(setfiles_t)
--# for config files in a home directory
--userdom_read_user_home_content_files(setfiles_t)
+-seutil_libselinux_linked(setfiles_t)
 +seutil_setfiles(setfiles_t)
 +# During boot in Rawhide
 +term_use_generic_ptys(setfiles_t)
  
+-userdom_use_all_users_fds(setfiles_t)
+-# for config files in a home directory
+-userdom_read_user_home_content_files(setfiles_t)
++seutil_setfiles(setfiles_mac_t)
++allow setfiles_mac_t self:capability2 mac_admin;
++kernel_relabelto_unlabeled(setfiles_mac_t)
+ 
 -ifdef(`distro_debian',`
 -	# udev tmpfs is populated with static device nodes
 -	# and then relabeled afterwards; thus
 -	# /dev/console has the tmpfs type
 -	fs_rw_tmpfs_chr_files(setfiles_t)
--')
-+seutil_setfiles(setfiles_mac_t)
-+allow setfiles_mac_t self:capability2 mac_admin;
-+kernel_relabelto_unlabeled(setfiles_mac_t)
++optional_policy(`
++	files_dontaudit_write_isid_chr_files(setfiles_mac_t)
++	livecd_dontaudit_leaks(setfiles_mac_t)
++	livecd_rw_tmp_files(setfiles_mac_t)
++	dev_dontaudit_write_all_chr_files(setfiles_mac_t)
+ ')
  
 -ifdef(`distro_redhat', `
 -	fs_rw_tmpfs_chr_files(setfiles_t)
@@ -51526,10 +51786,8 @@ index 7ed9819..c3dc5ba 100644
 -	fs_relabel_tmpfs_blk_file(setfiles_t)
 -	fs_relabel_tmpfs_chr_file(setfiles_t)
 +optional_policy(`
-+	files_dontaudit_write_isid_chr_files(setfiles_mac_t)
-+	livecd_dontaudit_leaks(setfiles_mac_t)
-+	livecd_rw_tmp_files(setfiles_mac_t)
-+	dev_dontaudit_write_all_chr_files(setfiles_mac_t)
++	devicekit_dontaudit_read_pid_files(setfiles_t)
++	devicekit_dontaudit_rw_log(setfiles_t)
  ')
  
 -ifdef(`distro_ubuntu',`
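Review bot: The new `optional_policy` block at the end of the hunk (`devicekit_dontaudit_read_pid_files(setfiles_t)`, `devicekit_dontaudit_rw_log(setfiles_t)`) only suppresses the audit records for the leaked descriptors; the descriptors are still inherited by setfiles_t, so the leak named in the commit title is hidden rather than closed, and the file loses the signal a defender would use to notice it. The file already annotates workarounds (`# Bug in semanage`), so a matching note above the block would make the intent clear, e.g. `# devicekit leaks open fds into setfiles_t; dontaudit until devicekit closes them (CLOEXEC)`. Both devicekit interfaces are presumably defined in devicekit.if elsewhere in this patch; their definitions are not visible from this hunk. The setfiles local policy section continues past the end of the hunk.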
@@ -51834,7 +52092,7 @@ index ff80d0a..7f1a21c 100644
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index df32316..6de83ef 100644
+index df32316..e8d03fb 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1)
@@ -51891,7 +52149,29 @@ index df32316..6de83ef 100644
  sysnet_manage_config(dhcpc_t)
  files_etc_filetrans(dhcpc_t, net_conf_t, file)
  
-@@ -105,11 +120,14 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -91,25 +106,28 @@ corecmd_exec_shell(dhcpc_t)
+ 
+ corenet_all_recvfrom_unlabeled(dhcpc_t)
+ corenet_all_recvfrom_netlabel(dhcpc_t)
+-corenet_tcp_sendrecv_all_if(dhcpc_t)
+-corenet_raw_sendrecv_all_if(dhcpc_t)
+-corenet_udp_sendrecv_all_if(dhcpc_t)
+-corenet_tcp_sendrecv_all_nodes(dhcpc_t)
+-corenet_raw_sendrecv_all_nodes(dhcpc_t)
+-corenet_udp_sendrecv_all_nodes(dhcpc_t)
++corenet_tcp_sendrecv_generic_if(dhcpc_t)
++corenet_raw_sendrecv_generic_if(dhcpc_t)
++corenet_udp_sendrecv_generic_if(dhcpc_t)
++corenet_tcp_sendrecv_generic_node(dhcpc_t)
++corenet_raw_sendrecv_generic_node(dhcpc_t)
++corenet_udp_sendrecv_generic_node(dhcpc_t)
+ corenet_tcp_sendrecv_all_ports(dhcpc_t)
+ corenet_udp_sendrecv_all_ports(dhcpc_t)
+-corenet_tcp_bind_all_nodes(dhcpc_t)
+-corenet_udp_bind_all_nodes(dhcpc_t)
++corenet_tcp_bind_generic_node(dhcpc_t)
++corenet_udp_bind_generic_node(dhcpc_t)
+ corenet_udp_bind_dhcpc_port(dhcpc_t)
  corenet_tcp_connect_all_ports(dhcpc_t)
  corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
  corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -53407,7 +53687,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..cbc864f 100644
+index 28b88de..3e329c7 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -54466,7 +54746,7 @@ index 28b88de..cbc864f 100644
 +#	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
  	# Need the following rule to allow users to run vpnc
  	corenet_tcp_bind_xserver_port($1_t)
-+	corenet_tcp_bind_all_nodes($1_usertype)
++	corenet_tcp_bind_generic_node($1_usertype)
  
 -	files_exec_usr_files($1_t)
 -	# cjp: why?
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 25ae8fb..7f00daf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,22 @@ exit 0
 %endif
 
 %changelog
+* Thu Mar 17 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-5
+- devicekit leaks file descriptors to setfiles_t
+- Change all all_nodes to generic_node and all_if to generic_if
+- Should not use deprecated interface
+- Switch from using all_nodes to generic_node and from all_if to generic_if
+- Add support for xfce4-notifyd
+- Fix file context to show several labels as SystemHigh
+- seunshare needs to be able to mounton nfs/cifs/fusefs homedirs
+- Add etc_runtime_t label for /etc/securetty
+- Fixes to allow xdm_t to start gkeyringd_USERTYPE_t directly
+- login.krb needs to be able to write user_tmp_t
+- dirsrv needs to bind to port 7390 for dogtag
+- Fix a bug in gpg policy
+- gpg sends audit messages
+- Allow qpid to manage matahari files
+
 * Tue Mar 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-4
 - Initial policy for matahari
 - Add dev_read_watchdog

