[selinux-policy/f16] - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to i - Allow all postfix do
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Nov 29 12:48:54 UTC 2011
commit 347e5d1c125c1802a731071311b78cbed4f9dea0
Author: Miroslav <mgrepl at redhat.com>
Date: Tue Nov 29 13:48:30 2011 +0100
- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to i
- Allow all postfix domains to use the fifo_file
- Allow sshd_t to getattr on all file systems in order to generate avc on nfs
- Allow apmd_t to read grub.cfg
- Let firewallgui read the selinux config
- Allow systemd-tmpfiles to delete content in /root that has been moved to /t
- Fix devicekit_manage_pid_files() interface
- Allow squid to check the network state
- Dontaudit colord getattr on file systems
- Allow ping domains to read zabbix_tmp_t files
policy-F16.patch | 326 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 14 ++-
2 files changed, 220 insertions(+), 120 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index e147e6f..90d2dcb 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1779,7 +1779,7 @@ index c6ca761..46e0767 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..373882d 100644
+index e0791b9..9f49d01 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
@@ -1854,7 +1854,18 @@ index e0791b9..373882d 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -194,6 +213,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -157,6 +176,10 @@ optional_policy(`
+ hotplug_use_fds(ping_t)
+ ')
+
++optional_policy(`
++ zabbix_read_tmp(ping_t)
++')
++
+ ########################################
+ #
+ # Traceroute local policy
+@@ -194,6 +217,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -1862,7 +1873,7 @@ index e0791b9..373882d 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,9 +224,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +228,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
@@ -5476,10 +5487,10 @@ index 0000000..2bd5790
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
-index 0000000..86b640d
+index 0000000..175de9d
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,72 @@
+@@ -0,0 +1,74 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
@@ -5529,6 +5540,8 @@ index 0000000..86b640d
+
+miscfiles_read_localization(firewallgui_t)
+
++seutil_read_config(firewallgui_t)
++
+userdom_dontaudit_search_user_home_dirs(firewallgui_t)
+
+optional_policy(`
@@ -14259,7 +14272,7 @@ index 4f3b542..f4e36ee 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..9c48de6 100644
+index 99b71cb..630e5e2 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -14462,7 +14475,7 @@ index 99b71cb..9c48de6 100644
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
-@@ -179,30 +238,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +238,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
@@ -14502,7 +14515,13 @@ index 99b71cb..9c48de6 100644
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -215,9 +279,11 @@ network_port(uucpd, tcp,540,s0)
+-network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
++network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0)
++network_port(tor_socks, tcp,9050,s0)
+ network_port(traceroute, udp,64000-64010,s0)
+ network_port(transproxy, tcp,8081,s0)
+ network_port(ups, tcp,3493,s0)
+@@ -215,9 +280,11 @@ network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -14515,7 +14534,7 @@ index 99b71cb..9c48de6 100644
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -229,6 +295,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +296,7 @@ network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14523,7 +14542,7 @@ index 99b71cb..9c48de6 100644
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
-@@ -238,6 +305,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +306,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14536,7 +14555,7 @@ index 99b71cb..9c48de6 100644
########################################
#
-@@ -282,9 +355,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +356,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -26621,7 +26640,7 @@ index 1ea99b2..9427dd5 100644
+ stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
')
diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..3522d00 100644
+index 1c8c27e..7408dd1 100644
--- a/policy/modules/services/apm.te
+++ b/policy/modules/services/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -26658,7 +26677,13 @@ index 1c8c27e..3522d00 100644
dev_read_realtime_clock(apmd_t)
dev_read_urand(apmd_t)
dev_rw_apm_bios(apmd_t)
-@@ -114,6 +118,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+@@ -109,11 +113,14 @@ domain_dontaudit_list_all_domains_state(apmd_t) # Excessive?
+
+ files_exec_etc_files(apmd_t)
+ files_read_etc_runtime_files(apmd_t)
++files_read_boot_files(apmd_t)
+ files_dontaudit_getattr_all_files(apmd_t) # Excessive?
+ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
@@ -26667,7 +26692,7 @@ index 1c8c27e..3522d00 100644
init_domtrans_script(apmd_t)
init_rw_utmp(apmd_t)
init_telinit(apmd_t)
-@@ -127,10 +133,8 @@ logging_send_audit_msgs(apmd_t)
+@@ -127,10 +134,8 @@ logging_send_audit_msgs(apmd_t)
miscfiles_read_localization(apmd_t)
miscfiles_read_hwdata(apmd_t)
@@ -26679,7 +26704,7 @@ index 1c8c27e..3522d00 100644
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
userdom_dontaudit_search_user_home_dirs(apmd_t)
-@@ -142,9 +146,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +147,8 @@ ifdef(`distro_redhat',`
can_exec(apmd_t, apmd_var_run_t)
@@ -26690,7 +26715,7 @@ index 1c8c27e..3522d00 100644
')
optional_policy(`
-@@ -155,6 +158,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +159,15 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
@@ -26706,7 +26731,7 @@ index 1c8c27e..3522d00 100644
',`
# for ifconfig which is run all the time
kernel_dontaudit_search_sysctl(apmd_t)
-@@ -181,6 +193,12 @@ optional_policy(`
+@@ -181,6 +194,12 @@ optional_policy(`
')
optional_policy(`
@@ -26719,7 +26744,7 @@ index 1c8c27e..3522d00 100644
dbus_system_bus_client(apmd_t)
optional_policy(`
-@@ -201,7 +219,8 @@ optional_policy(`
+@@ -201,7 +220,8 @@ optional_policy(`
')
optional_policy(`
@@ -26729,7 +26754,7 @@ index 1c8c27e..3522d00 100644
')
optional_policy(`
-@@ -209,8 +228,9 @@ optional_policy(`
+@@ -209,8 +229,9 @@ optional_policy(`
pcmcia_domtrans_cardctl(apmd_t)
')
@@ -26740,7 +26765,7 @@ index 1c8c27e..3522d00 100644
')
optional_policy(`
-@@ -219,10 +239,6 @@ optional_policy(`
+@@ -219,10 +240,6 @@ optional_policy(`
')
optional_policy(`
@@ -30847,7 +30872,7 @@ index 0000000..ca71d08
+')
+
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..f510183 100644
+index 74505cc..39a0cde 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -5,6 +5,13 @@ policy_module(colord, 1.0.0)
@@ -30901,12 +30926,13 @@ index 74505cc..f510183 100644
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
-@@ -65,19 +82,34 @@ files_list_mnt(colord_t)
+@@ -65,19 +82,35 @@ files_list_mnt(colord_t)
files_read_etc_files(colord_t)
files_read_usr_files(colord_t)
+fs_search_all(colord_t)
+fs_getattr_noxattr_fs(colord_t)
++fs_dontaudit_getattr_all_fs(colord_t)
+fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
@@ -30937,7 +30963,7 @@ index 74505cc..f510183 100644
fs_read_cifs_files(colord_t)
')
-@@ -89,6 +121,10 @@ optional_policy(`
+@@ -89,6 +122,10 @@ optional_policy(`
')
optional_policy(`
@@ -30948,7 +30974,7 @@ index 74505cc..f510183 100644
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -96,5 +132,16 @@ optional_policy(`
+@@ -96,5 +133,16 @@ optional_policy(`
')
optional_policy(`
@@ -34235,7 +34261,7 @@ index 418a5a0..c25fbdc 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..037af58 100644
+index f706b99..7315b40 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -34425,7 +34451,7 @@ index f706b99..037af58 100644
+ ')
+
+ files_search_pids($1)
-+ rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
+')
+
@@ -37782,7 +37808,7 @@ index 0000000..8dcd6e4
+ policykit_dbus_chat(firewalld_t)
+')
diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
-index ebad8c4..c02062c 100644
+index ebad8c4..eeddf7b 100644
--- a/policy/modules/services/fprintd.if
+++ b/policy/modules/services/fprintd.if
@@ -5,9 +5,9 @@
@@ -37797,9 +37823,11 @@ index ebad8c4..c02062c 100644
## </param>
#
interface(`fprintd_domtrans',`
-@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
+@@ -37,5 +37,5 @@ interface(`fprintd_dbus_chat',`
+
allow $1 fprintd_t:dbus send_msg;
allow fprintd_t $1:dbus send_msg;
++ allow fprintd_t $1:file read;
')
-
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
@@ -47786,7 +47814,7 @@ index 7f8fdc2..047d985 100644
optional_policy(`
seutil_sigchld_newrole(openct_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..ed5aae9 100644
+index 8b550f4..6b73075 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -47853,7 +47881,15 @@ index 8b550f4..ed5aae9 100644
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-@@ -102,6 +109,8 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -87,6 +94,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
+ corenet_tcp_bind_http_port(openvpn_t)
+ corenet_tcp_connect_openvpn_port(openvpn_t)
+ corenet_tcp_connect_http_port(openvpn_t)
++corenet_tcp_connect_tor_socks_port(openvpn_t)
+ corenet_tcp_connect_http_cache_port(openvpn_t)
+ corenet_rw_tun_tap_dev(openvpn_t)
+ corenet_sendrecv_openvpn_server_packets(openvpn_t)
+@@ -102,6 +110,8 @@ files_read_etc_runtime_files(openvpn_t)
auth_use_pam(openvpn_t)
@@ -47862,7 +47898,7 @@ index 8b550f4..ed5aae9 100644
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
-@@ -112,21 +121,21 @@ sysnet_exec_ifconfig(openvpn_t)
+@@ -112,21 +122,21 @@ sysnet_exec_ifconfig(openvpn_t)
sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
@@ -47892,7 +47928,7 @@ index 8b550f4..ed5aae9 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +147,7 @@ optional_policy(`
+@@ -138,3 +148,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
@@ -50018,10 +50054,10 @@ index a3e85c9..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..ca32d30 100644
+index 46bee12..76b68b5 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
-@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
+@@ -34,11 +34,13 @@ template(`postfix_domain_template',`
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
@@ -50032,7 +50068,11 @@ index 46bee12..ca32d30 100644
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;
-@@ -50,7 +51,7 @@ template(`postfix_domain_template',`
++ allow postfix_$1_t self:fifo_file rw_fifo_file_perms;
+
+ allow postfix_master_t postfix_$1_t:process signal;
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+@@ -50,7 +52,7 @@ template(`postfix_domain_template',`
can_exec(postfix_$1_t, postfix_$1_exec_t)
@@ -50041,7 +50081,7 @@ index 46bee12..ca32d30 100644
allow postfix_$1_t postfix_master_t:process sigchld;
-@@ -77,6 +78,7 @@ template(`postfix_domain_template',`
+@@ -77,6 +79,7 @@ template(`postfix_domain_template',`
files_read_etc_files(postfix_$1_t)
files_read_etc_runtime_files(postfix_$1_t)
@@ -50049,7 +50089,7 @@ index 46bee12..ca32d30 100644
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
-@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',`
+@@ -115,7 +118,7 @@ template(`postfix_server_domain_template',`
type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
@@ -50058,7 +50098,7 @@ index 46bee12..ca32d30 100644
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
-@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',`
+@@ -165,6 +168,8 @@ template(`postfix_user_domain_template',`
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
@@ -50067,7 +50107,7 @@ index 46bee12..ca32d30 100644
')
########################################
-@@ -215,7 +219,7 @@ interface(`postfix_config_filetrans',`
+@@ -215,7 +220,7 @@ interface(`postfix_config_filetrans',`
')
files_search_etc($1)
@@ -50076,7 +50116,7 @@ index 46bee12..ca32d30 100644
')
########################################
-@@ -272,7 +276,8 @@ interface(`postfix_read_local_state',`
+@@ -272,7 +277,8 @@ interface(`postfix_read_local_state',`
type postfix_local_t;
')
@@ -50086,7 +50126,7 @@ index 46bee12..ca32d30 100644
')
########################################
-@@ -290,7 +295,27 @@ interface(`postfix_read_master_state',`
+@@ -290,7 +296,27 @@ interface(`postfix_read_master_state',`
type postfix_master_t;
')
@@ -50115,7 +50155,7 @@ index 46bee12..ca32d30 100644
')
########################################
-@@ -376,6 +401,25 @@ interface(`postfix_domtrans_master',`
+@@ -376,6 +402,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@@ -50141,7 +50181,7 @@ index 46bee12..ca32d30 100644
########################################
## <summary>
## Execute the master postfix program in the
-@@ -404,7 +448,6 @@ interface(`postfix_exec_master',`
+@@ -404,7 +449,6 @@ interface(`postfix_exec_master',`
## Domain allowed access.
## </summary>
## </param>
@@ -50149,7 +50189,7 @@ index 46bee12..ca32d30 100644
#
interface(`postfix_stream_connect_master',`
gen_require(`
-@@ -416,6 +459,24 @@ interface(`postfix_stream_connect_master',`
+@@ -416,6 +460,24 @@ interface(`postfix_stream_connect_master',`
########################################
## <summary>
@@ -50174,7 +50214,7 @@ index 46bee12..ca32d30 100644
## Execute the master postdrop in the
## postfix_postdrop domain.
## </summary>
-@@ -462,7 +523,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -462,7 +524,7 @@ interface(`postfix_domtrans_postqueue',`
## </summary>
## </param>
#
@@ -50183,7 +50223,7 @@ index 46bee12..ca32d30 100644
gen_require(`
type postfix_postqueue_exec_t;
')
-@@ -529,6 +590,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +591,25 @@ interface(`postfix_domtrans_smtp',`
########################################
## <summary>
@@ -50209,7 +50249,7 @@ index 46bee12..ca32d30 100644
## Search postfix mail spool directories.
## </summary>
## <param name="domain">
-@@ -539,10 +619,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +620,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -50222,7 +50262,7 @@ index 46bee12..ca32d30 100644
files_search_spool($1)
')
-@@ -558,10 +638,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +639,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -50235,7 +50275,7 @@ index 46bee12..ca32d30 100644
files_search_spool($1)
')
-@@ -577,11 +657,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +658,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -50249,7 +50289,7 @@ index 46bee12..ca32d30 100644
')
########################################
-@@ -596,11 +676,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +677,11 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -50263,7 +50303,7 @@ index 46bee12..ca32d30 100644
')
########################################
-@@ -621,3 +701,125 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +702,125 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -50390,7 +50430,7 @@ index 46bee12..ca32d30 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..94e68b2 100644
+index a32c4b3..149da7a 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -50458,12 +50498,12 @@ index a32c4b3..94e68b2 100644
type postfix_public_t;
files_type(postfix_public_t)
-@@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -94,23 +106,24 @@ mta_mailserver_delivery(postfix_virtual_t)
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+-allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+allow postfix_master_t self:process setrlimit;
- allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
-allow postfix_master_t self:process setrlimit;
@@ -50488,7 +50528,7 @@ index a32c4b3..94e68b2 100644
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+@@ -130,7 +143,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
@@ -50497,7 +50537,7 @@ index a32c4b3..94e68b2 100644
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
+@@ -138,6 +151,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -50505,7 +50545,7 @@ index a32c4b3..94e68b2 100644
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
kernel_read_all_sysctls(postfix_master_t)
-@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -50515,7 +50555,7 @@ index a32c4b3..94e68b2 100644
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t)
+@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -50526,7 +50566,7 @@ index a32c4b3..94e68b2 100644
term_dontaudit_search_ptys(postfix_master_t)
-@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -50545,7 +50585,7 @@ index a32c4b3..94e68b2 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
+@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
@@ -50563,17 +50603,15 @@ index a32c4b3..94e68b2 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,8 +295,8 @@ optional_policy(`
+@@ -264,7 +294,6 @@ optional_policy(`
# Postfix local local policy
#
-allow postfix_local_t self:fifo_file rw_fifo_file_perms;
allow postfix_local_t self:process { setsched setrlimit };
-+allow postfix_local_t self:fifo_file rw_fifo_file_perms;
# connect to master process
- stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -50582,7 +50620,7 @@ index a32c4b3..94e68b2 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -50601,7 +50639,7 @@ index a32c4b3..94e68b2 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +335,10 @@ optional_policy(`
+@@ -297,6 +333,10 @@ optional_policy(`
')
optional_policy(`
@@ -50612,7 +50650,7 @@ index a32c4b3..94e68b2 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +346,22 @@ optional_policy(`
+@@ -304,9 +344,22 @@ optional_policy(`
')
optional_policy(`
@@ -50635,15 +50673,7 @@ index a32c4b3..94e68b2 100644
########################################
#
# Postfix map local policy
-@@ -372,6 +427,7 @@ optional_policy(`
- # Postfix pickup local policy
- #
-
-+allow postfix_pickup_t self:fifo_file rw_fifo_file_perms;
- allow postfix_pickup_t self:tcp_socket create_socket_perms;
-
- stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -379,19 +435,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +432,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -50667,11 +50697,9 @@ index a32c4b3..94e68b2 100644
-allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
allow postfix_pipe_t self:process setrlimit;
-+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-
-@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +460,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -50680,7 +50708,7 @@ index a32c4b3..94e68b2 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +485,7 @@ optional_policy(`
+@@ -420,6 +481,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -50688,7 +50716,7 @@ index a32c4b3..94e68b2 100644
')
optional_policy(`
-@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +498,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -50706,7 +50734,7 @@ index a32c4b3..94e68b2 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +555,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -50717,16 +50745,7 @@ index a32c4b3..94e68b2 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +579,8 @@ optional_policy(`
- # Postfix qmgr local policy
- #
-
-+allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms;
-+
- stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
-
- rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +593,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -50739,7 +50758,7 @@ index a32c4b3..94e68b2 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +617,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -50750,7 +50769,7 @@ index a32c4b3..94e68b2 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +638,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +632,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -50759,7 +50778,7 @@ index a32c4b3..94e68b2 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +647,14 @@ optional_policy(`
+@@ -565,6 +641,14 @@ optional_policy(`
')
optional_policy(`
@@ -50774,7 +50793,7 @@ index a32c4b3..94e68b2 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -588,10 +678,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -50791,7 +50810,7 @@ index a32c4b3..94e68b2 100644
')
optional_policy(`
-@@ -599,6 +695,10 @@ optional_policy(`
+@@ -599,6 +689,10 @@ optional_policy(`
')
optional_policy(`
@@ -50802,17 +50821,15 @@ index a32c4b3..94e68b2 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,8 +711,8 @@ optional_policy(`
+@@ -611,7 +705,6 @@ optional_policy(`
# Postfix virtual local policy
#
-allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t self:process { setsched setrlimit };
-+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-
-@@ -630,3 +730,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +723,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -51565,7 +51582,7 @@ index b1bc02c..e0c0f70 100644
dev_read_rand(prelude_lml_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
-index 2dbf4d4..28d7fe5 100644
+index 2dbf4d4..8323004 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0)
@@ -51594,7 +51611,15 @@ index 2dbf4d4..28d7fe5 100644
corenet_all_recvfrom_unlabeled(privoxy_t)
corenet_all_recvfrom_netlabel(privoxy_t)
-@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t)
+@@ -62,6 +63,7 @@ corenet_tcp_connect_squid_port(privoxy_t)
+ corenet_tcp_connect_ftp_port(privoxy_t)
+ corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+ corenet_tcp_connect_tor_port(privoxy_t)
++corenet_tcp_connect_tor_socks_port(privoxy_t)
+ corenet_sendrecv_http_cache_client_packets(privoxy_t)
+ corenet_sendrecv_squid_client_packets(privoxy_t)
+ corenet_sendrecv_http_cache_server_packets(privoxy_t)
+@@ -87,7 +89,7 @@ miscfiles_read_localization(privoxy_t)
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
# cjp: this should really not be needed
@@ -59066,7 +59091,7 @@ index d2496bd..1d0c078 100644
allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..950e65a 100644
+index 4b2230e..7b3d2db 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -59103,7 +59128,15 @@ index 4b2230e..950e65a 100644
type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)
-@@ -169,7 +169,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file)
+
+ kernel_read_kernel_sysctls(squid_t)
+ kernel_read_system_state(squid_t)
++kernel_read_network_state(squid_t)
+
+ files_dontaudit_getattr_boot_dirs(squid_t)
+
+@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
@@ -59113,7 +59146,7 @@ index 4b2230e..950e65a 100644
')
tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +186,7 @@ optional_policy(`
+@@ -185,6 +187,7 @@ optional_policy(`
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -59121,7 +59154,7 @@ index 4b2230e..950e65a 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +208,7 @@ optional_policy(`
+@@ -206,3 +209,7 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -59154,7 +59187,7 @@ index 078bcd7..84d29ee 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..4b063ff 100644
+index 22adaca..9001bca 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -59285,7 +59318,7 @@ index 22adaca..4b063ff 100644
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
-@@ -220,8 +244,11 @@ template(`ssh_server_template', `
+@@ -220,10 +244,13 @@ template(`ssh_server_template', `
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
@@ -59296,8 +59329,11 @@ index 22adaca..4b063ff 100644
+ # tunnel feature and -w (net_admin capability also)
+ corenet_rw_tun_tap_dev($1_t)
- fs_dontaudit_getattr_all_fs($1_t)
+- fs_dontaudit_getattr_all_fs($1_t)
++ fs_getattr_all_fs($1_t)
+ auth_rw_login_records($1_t)
+ auth_rw_faillog($1_t)
@@ -234,6 +261,7 @@ template(`ssh_server_template', `
corecmd_getattr_bin_files($1_t)
@@ -60836,7 +60872,7 @@ index 904f13e..464347f 100644
init_labeled_script_domtrans($1, tor_initrc_exec_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index c842cad..1136b10 100644
+index c842cad..037dd90 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -42,6 +42,7 @@ files_pid_file(tor_var_run_t)
@@ -60847,7 +60883,15 @@ index c842cad..1136b10 100644
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -95,9 +96,11 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -87,6 +88,7 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+ corenet_tcp_bind_generic_node(tor_t)
+ corenet_udp_bind_generic_node(tor_t)
+ corenet_tcp_bind_tor_port(tor_t)
++corenet_tcp_bind_tor_socks_port(tor_t)
+ corenet_udp_bind_dns_port(tor_t)
+ corenet_sendrecv_tor_server_packets(tor_t)
+ corenet_sendrecv_dns_server_packets(tor_t)
+@@ -95,9 +97,11 @@ corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -65998,7 +66042,7 @@ index 664cd7a..e3eaec5 100644
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if
-index c9981d1..11013a6 100644
+index c9981d1..d0931f9 100644
--- a/policy/modules/services/zabbix.if
+++ b/policy/modules/services/zabbix.if
@@ -5,9 +5,9 @@
@@ -66013,7 +66057,31 @@ index c9981d1..11013a6 100644
## </param>
#
interface(`zabbix_domtrans',`
-@@ -65,9 +65,9 @@ interface(`zabbix_read_log',`
+@@ -61,13 +61,33 @@ interface(`zabbix_read_log',`
+
+ ########################################
+ ## <summary>
++## Allow the specified domain to read zabbix's tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`zabbix_read_tmp',`
++ gen_require(`
++ type zabbix_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t)
++')
++
++########################################
++## <summary>
+ ## Allow the specified domain to append
## zabbix log files.
## </summary>
## <param name="domain">
@@ -66025,7 +66093,7 @@ index c9981d1..11013a6 100644
## </param>
#
interface(`zabbix_append_log',`
-@@ -110,7 +110,7 @@ interface(`zabbix_read_pid_files',`
+@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',`
#
interface(`zabbix_agent_tcp_connect',`
gen_require(`
@@ -74836,10 +74904,10 @@ index 0000000..5571350
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..ff3ce3f
+index 0000000..b7da774
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,377 @@
+@@ -0,0 +1,378 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -75105,6 +75173,7 @@ index 0000000..ff3ce3f
+ userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
+ userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
+ userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
++ userdom_delete_admin_home_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
@@ -76431,7 +76500,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..86b81c0 100644
+index 4b2878a..c6d53ea 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -78821,7 +78890,7 @@ index 4b2878a..86b81c0 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3925,1146 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3925,1165 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -79083,6 +79152,25 @@ index 4b2878a..86b81c0 100644
+
+########################################
+## <summary>
++## Delete admin home files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_delete_admin_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:file delete_file_perms;
++')
++
++########################################
++## <summary>
+## Execute admin home files.
+## </summary>
+## <param name="domain">
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dc18443..0fee544 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 62%{?dist}
+Release: 63%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Nov 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-63
+- Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
+- Allow all postfix domains to use the fifo_file
+- Allow sshd_t to getattr on all file systems in order to generate avc on nfs_t
+- Allow apmd_t to read grub.cfg
+- Let firewallgui read the selinux config
+- Allow systemd-tmpfiles to delete content in /root that has been moved to /tmp
+- Fix devicekit_manage_pid_files() interface
+- Allow squid to check the network state
+- Dontaudit colord getattr on file systems
+- Allow ping domains to read zabbix_tmp_t files
+
* Mon Nov 28 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-62
- Add fs_read_fusefs_dirs interface
- Allow mailman to read /dev/urandom
More information about the scm-commits
mailing list