[selinux-policy/f15] +- Allow sa-update to update rules +- Allow sa-update to read spamd tmp file +- Allow screen to read

Miroslav Grepl mgrepl at fedoraproject.org
Tue Oct 11 15:20:43 UTC 2011


commit 3a4dba88c0609e448b77b3017b4eea838ead6bd7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Oct 11 17:20:32 2011 +0200

    +- Allow sa-update to update rules
    +- Allow sa-update to read spamd tmp file
    +- Allow screen to read all domain state
    +- Allow sa-update to execute shell
    +- More fixes for sa-update running out of cron job
    +- Allow initrc to manage cron system spool
    +- Fixes for collectd policy
    +- Fixes added during clean up bugzillas
    +- Dontaudit fail2ban_client_t sys_tty_config capability
    +- Fix for puppet which does execute check on passwd
    +- ricci_modservice send syslog msgs
    +- Fix dev_dontaudit_write_mtrr() interface

 policy-F15.patch    |  497 ++++++++++++++++++++++++++++++++++++--------------
 selinux-policy.spec |   16 ++-
 2 files changed, 373 insertions(+), 140 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 3bad313..1ccd846 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -480,6 +480,22 @@ index 2c2cdb6..73b3814 100644
 +        brctl_domtrans($1)
 +        role $2 types brctl_t;
 +')
+diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
+index 9a62a1d..eb017ef 100644
+--- a/policy/modules/admin/brctl.te
++++ b/policy/modules/admin/brctl.te
+@@ -20,6 +20,11 @@ allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+ allow brctl_t self:unix_dgram_socket create_socket_perms;
+ allow brctl_t self:tcp_socket create_socket_perms;
+ 
++ifdef(`hide_broken_symptoms',`
++    # caused by some bogus kernel code
++	dontaudit brctl_t self:capability sys_module;
++')
++
+ kernel_request_load_module(brctl_t)
+ kernel_read_network_state(brctl_t)
+ kernel_read_sysctl(brctl_t)
 diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
 index 9de382b..682e78e 100644
 --- a/policy/modules/admin/certwatch.te
@@ -2671,7 +2687,7 @@ index 74354da..0852738 100644
 +	modutils_read_module_deps(usbmodules_t)
 +')
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 81fb26f..fa853d7 100644
+index 81fb26f..a0a1ab6 100644
 --- a/policy/modules/admin/usermanage.if
 +++ b/policy/modules/admin/usermanage.if
 @@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',`
@@ -2718,7 +2734,7 @@ index 81fb26f..fa853d7 100644
 +	')
 +
 +	corecmd_search_bin($1)
-+	allow $1 passwd_exec_t:file { getattr_file_perms audit_access };
++	allow $1 passwd_exec_t:file { getattr_file_perms execute audit_access };
 +')
 +
 +########################################
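Review bot: `execute` on `passwd_exec_t` is the permission access(2) consults for an X_OK probe, so the added grant is what makes puppet's check succeed rather than merely go unaudited — but it is also the permission a real exec consults, so every caller of this interface can now run passwd whenever a domain transition or `execute_no_trans` rule is present. The interface summary, which is outside this hunk, should say so rather than describe only a check, e.g. `##	Check access to, and execute, the passwd binary.`, so that callers understand what they are granting.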
@@ -3076,10 +3092,10 @@ index 0000000..e921f24
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..df2b2a9
+index 0000000..701cd5d
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,126 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -3148,6 +3164,7 @@ index 0000000..df2b2a9
 +
 +files_read_etc_files(chrome_sandbox_t)
 +files_read_usr_files(chrome_sandbox_t)
++files_exec_usr_files(chrome_sandbox_t)
 +
 +fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
 +
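Review bot: `files_exec_usr_files(chrome_sandbox_t)` lets the sandbox domain execute any file labeled `usr_t` — most of /usr that is not already `bin_t` or `lib_t` — and the line carries no comment saying which executable the sandbox actually runs. If it is one specific helper, labeling that path `bin_t` in chrome.fc keeps the grant within the existing `corecmd` rules; otherwise add a why-comment above the line, e.g. `# sandbox runs <helper path placeholder>, which is labeled usr_t`. The chrome_sandbox_t block continues outside the hunk.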
@@ -9020,7 +9037,7 @@ index 1f2cde4..b73334e 100644
  /var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 +/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index 320df26..9889ff2 100644
+index 320df26..90537ed 100644
 --- a/policy/modules/apps/screen.if
 +++ b/policy/modules/apps/screen.if
 @@ -50,7 +50,7 @@ template(`screen_role_template',`
@@ -9070,14 +9087,16 @@ index 320df26..9889ff2 100644
  	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
  
  	kernel_read_system_state($1_screen_t)
-@@ -112,6 +118,7 @@ template(`screen_role_template',`
+@@ -112,7 +118,9 @@ template(`screen_role_template',`
  	# for SSP
  	dev_read_urand($1_screen_t)
  
 +	domain_sigchld_interactive_fds($1_screen_t)
  	domain_use_interactive_fds($1_screen_t)
++	domain_read_all_domains_state($1_screen_t)
  
  	files_search_tmp($1_screen_t)
+ 	files_search_home($1_screen_t)
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
 index 1dc7a85..787df80 100644
 --- a/policy/modules/apps/seunshare.if
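Review bot: `domain_read_all_domains_state($1_screen_t)` lets every user's screen domain read the /proc/<pid> state (cmdline, status, maps and similar, subject to the kernel's own checks) of every domain on the system, and neither the hunk nor the commit message says what screen reads it for. That is a cross-domain information exposure for a terminal multiplexer; if the need is only a stat of other processes or a denial to silence, `domain_getattr_all_domains` or `domain_dontaudit_read_all_domains_state` is the narrower rule. At minimum add a comment naming the screen feature that needs it, e.g. `# screen reads /proc/<pid> for <feature placeholder>`. The `screen_role_template` starts outside the hunk.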
@@ -11748,7 +11767,7 @@ index 6cf8784..e244a9d 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..97fbf5b 100644
+index e9313fb..78ef672 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -11979,6 +11998,17 @@ index e9313fb..97fbf5b 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
+@@ -2913,8 +3023,8 @@ interface(`dev_dontaudit_write_mtrr',`
+ 		type mtrr_device_t;
+ 	')
+ 
+-	dontaudit $1 mtrr_device_t:file write;
+-	dontaudit $1 mtrr_device_t:chr_file write;
++	dontaudit $1 mtrr_device_t:file write_file_perms;
++	dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+ 
+ ########################################
 @@ -3192,24 +3302,6 @@ interface(`dev_rw_printer',`
  
  ########################################
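Review bot: Replacing `write` with `write_file_perms` and `write_chr_file_perms` widens the dontaudit from a single permission to the whole write-side set (in refpolicy's obj_perm_sets that is getattr, open, write, append, lock and ioctl), so open/ioctl/lock denials on `mtrr_device_t` from callers such as vdagent will no longer reach the audit log either. For a dontaudit this is a loss of visibility rather than an access grant and is the right fix if the observed denial was `open`; the interface's summary, which is outside the hunk, should be updated to say it silences all write-side access rather than just `write`.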
@@ -18149,7 +18179,7 @@ index 0b827c5..7382308 100644
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..5d66681 100644
+index 30861ec..a86043f 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -18236,16 +18266,18 @@ index 30861ec..5d66681 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,8 +121,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
 -files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
 +files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
  
++kernel_read_network_state(abrt_t)
  kernel_read_ring_buffer(abrt_t)
  kernel_read_system_state(abrt_t)
-@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+ kernel_rw_kernel_sysctl(abrt_t)
+@@ -104,6 +144,7 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
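Review bot: `kernel_read_network_state(abrt_t)` is added without a comment and is not among the items in the commit message, so a later reader cannot tell which abrt component reads /proc/net. Suggest a why-comment above it, e.g. `# abrt reads /proc/net for <reason placeholder>`, with the real reason filled in.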
@@ -18253,7 +18285,7 @@ index 30861ec..5d66681 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +154,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -18263,7 +18295,7 @@ index 30861ec..5d66681 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +163,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -18272,7 +18304,7 @@ index 30861ec..5d66681 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,7 +175,7 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -18281,7 +18313,7 @@ index 30861ec..5d66681 100644
  
  logging_read_generic_logs(abrt_t)
  logging_send_syslog_msg(abrt_t)
-@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t)
+@@ -140,6 +184,16 @@ miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -18298,7 +18330,7 @@ index 30861ec..5d66681 100644
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +203,11 @@ optional_policy(`
+@@ -150,6 +204,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18310,7 +18342,7 @@ index 30861ec..5d66681 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -167,6 +225,7 @@ optional_policy(`
+@@ -167,6 +226,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -18318,7 +18350,7 @@ index 30861ec..5d66681 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +237,18 @@ optional_policy(`
+@@ -178,12 +238,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18338,7 +18370,7 @@ index 30861ec..5d66681 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,9 +266,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -18351,7 +18383,7 @@ index 30861ec..5d66681 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +285,8 @@ miscfiles_read_localization(abrt_helper_t)
  term_dontaudit_use_all_ttys(abrt_helper_t)
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
@@ -18361,7 +18393,7 @@ index 30861ec..5d66681 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +294,131 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -24006,10 +24038,10 @@ index 0000000..ed13d1e
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..979ed78
+index 0000000..3eb4655
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,80 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -24017,6 +24049,14 @@ index 0000000..979ed78
 +# Declarations
 +#
 +
++## <desc>
++##  <p>
++##  Allow collectd to connect to the
++##  network using TCP.
++##  </p>
++## </desc>
++gen_tunable(collectd_can_network_connect, false)
++
 +type collectd_t;
 +type collectd_exec_t;
 +init_daemon_domain(collectd_t, collectd_exec_t)
@@ -24052,10 +24092,12 @@ index 0000000..979ed78
 +domain_use_interactive_fds(collectd_t)
 +
 +kernel_read_network_state(collectd_t)
++kernel_read_net_sysctls(collectd_t)
 +kernel_read_system_state(collectd_t)
 +
 +dev_read_sysfs(collectd_t)
 +
++files_getattr_all_dirs(collectd_t)
 +files_read_etc_files(collectd_t)
 +files_read_usr_files(collectd_t)
 +
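Review bot: `files_getattr_all_dirs(collectd_t)` grants stat on every directory type in the policy and has no comment saying which plugin needs it; if it is for a filesystem-usage plugin, `files_getattr_all_mountpoints` (used for exim_t later in this same patch) is the narrower rule. Please add a comment such as `# <plugin placeholder> stats directories` or switch to the mountpoint interface if that covers the denial. The same lack of a why-comment applies to `kernel_read_net_sysctls` above it.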
@@ -24067,6 +24109,12 @@ index 0000000..979ed78
 +
 +sysnet_dns_name_resolve(collectd_t)
 +
++tunable_policy(`collectd_can_network_connect',`
++    corenet_tcp_connect_all_ports(collectd_t)
++    corenet_tcp_sendrecv_all_ports(collectd_t)
++    corenet_sendrecv_all_client_packets(collectd_t)
++')
++
 +optional_policy(`
 +	apache_content_template(collectd)
 +	permissive httpd_collectd_script_t;
@@ -24153,7 +24201,7 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..3d9234d
+index 0000000..76bf893
 --- /dev/null
 +++ b/policy/modules/services/colord.te
 @@ -0,0 +1,132 @@
@@ -24210,7 +24258,7 @@ index 0000000..3d9234d
 +kernel_request_load_module(colord_t)
 +
 +# reads *.ini files
-+corecmd_read_bin_files(colord_t)
++corecmd_exec_bin(colord_t)
 +
 +corenet_udp_bind_generic_node(colord_t)
 +corenet_udp_bind_ipp_port(colord_t)
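Review bot: The comment `# reads *.ini files` now sits above `corecmd_exec_bin(colord_t)`, which grants execution of everything labeled `bin_t`, so the comment no longer describes the rule beneath it. Either restore a read-only rule if reading .ini files is all colord needs, or change the comment to name what colord executes, e.g. `# executes helpers under bin_t (also covers the *.ini files read from there)`.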
@@ -24649,10 +24697,10 @@ index 13d2f63..a048c53 100644
  type cpuspeed_t;
  type cpuspeed_exec_t;
 diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..34ab5ce 100644
+index 2eefc08..aa1c934 100644
 --- a/policy/modules/services/cron.fc
 +++ b/policy/modules/services/cron.fc
-@@ -14,9 +14,10 @@
+@@ -14,14 +14,15 @@
  /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/crond?\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -24664,6 +24712,12 @@ index 2eefc08..34ab5ce 100644
  
  /var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/at(/.*)?			gen_context(system_u:object_r:user_cron_spool_t,s0)
+ 
+-/var/spool/cron			-d	gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/cron			-d	gen_context(system_u:object_r:user_cron_spool_t,s0)
+ #/var/spool/cron/root		--	gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+ /var/spool/cron/[^/]*		--	<<none>>
+ 
 @@ -45,3 +46,5 @@ ifdef(`distro_suse', `
  /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/systab		--	gen_context(system_u:object_r:system_cron_spool_t,s0)
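Review bot: Changing the `-d` context of /var/spool/cron from `cron_spool_t` to `user_cron_spool_t` moves the directory that holds every user's crontab (root's included, per the commented entry below it) into the user spool type, so any domain already allowed to create files in `user_cron_spool_t` can now create entries directly in /var/spool/cron. Since a new file in a cron spool is a scheduled job, confirm that every domain with write access to `user_cron_spool_t` should have that, and record the reason for the relabel in a comment; the files themselves stay `<<none>>`, so their type still comes from the creating domain's transitions.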
@@ -24671,7 +24725,7 @@ index 2eefc08..34ab5ce 100644
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..a75e22c 100644
+index 35241ed..372d2c1 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -24958,7 +25012,7 @@ index 35241ed..a75e22c 100644
  ')
  
  ########################################
-@@ -627,7 +678,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +678,66 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -25005,9 +25059,28 @@ index 35241ed..a75e22c 100644
 +
 +	files_search_var_lib($1)
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
++')
++
++#######################################
++## <summary>
++##  Search the directory containing user cron tables.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`cron_manage_system_spool',`
++    gen_require(`
++        type cron_system_spool_t;
++    ')
++
++    files_search_spool($1)
++    manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..20a0261 100644
+index f7583ab..319de67 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
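Review bot: The new `cron_manage_system_spool` interface requires `type cron_system_spool_t;`, but everywhere else in this patch the type is spelled `system_cron_spool_t` (the cron.fc contexts above and `mta_system_content(system_cron_spool_t)` in the cron.te hunk below), so unless `cron_system_spool_t` is declared somewhere not shown, any caller of this interface fails policy compilation on an undeclared type. The summary `##  Search the directory containing user cron tables.` also describes a different interface, and the name promises managing the spool while only files are covered; suggested lines: `##	Create, read, write, and delete system cron spool files.` for the summary, `type system_cron_spool_t;` in the gen_require, and `manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)` as the rule, with a `manage_dirs_pattern` line if directories are meant too. The interface preceding it in this hunk starts outside it.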
@@ -25348,7 +25421,7 @@ index f7583ab..20a0261 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,15 +536,24 @@ optional_policy(`
+@@ -456,15 +536,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25368,12 +25441,13 @@ index f7583ab..20a0261 100644
  ')
  
  optional_policy(`
++	mta_read_config(system_cronjob_t)
  	mta_send_mail(system_cronjob_t)
 +	mta_system_content(system_cron_spool_t)
  ')
  
  optional_policy(`
-@@ -480,7 +569,7 @@ optional_policy(`
+@@ -480,7 +570,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -25382,7 +25456,7 @@ index f7583ab..20a0261 100644
  ')
  
  optional_policy(`
-@@ -495,6 +584,7 @@ optional_policy(`
+@@ -495,6 +585,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -25390,7 +25464,7 @@ index f7583ab..20a0261 100644
  ')
  
  optional_policy(`
-@@ -502,7 +592,13 @@ optional_policy(`
+@@ -502,7 +593,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25404,7 +25478,7 @@ index f7583ab..20a0261 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +691,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +692,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -28436,7 +28510,7 @@ index 6bef7f8..885cd43 100644
 +	admin_pattern($1, exim_var_run_t)
 +')
 diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..4e8fb56 100644
+index f28f64b..0523d8a 100644
 --- a/policy/modules/services/exim.te
 +++ b/policy/modules/services/exim.te
 @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
@@ -28501,7 +28575,18 @@ index f28f64b..4e8fb56 100644
  files_getattr_all_mountpoints(exim_t)
  
  fs_getattr_xattr_fs(exim_t)
-@@ -171,6 +175,10 @@ optional_policy(`
+@@ -162,6 +166,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	dovecot_stream_connect(exim_t)
++')
++
++optional_policy(`
+ 	kerberos_keytab_template(exim, exim_t)
+ ')
+ 
+@@ -171,6 +179,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28512,7 +28597,7 @@ index f28f64b..4e8fb56 100644
  	tunable_policy(`exim_can_connect_db',`
  		mysql_stream_connect(exim_t)
  	')
-@@ -184,6 +192,7 @@ optional_policy(`
+@@ -184,6 +196,7 @@ optional_policy(`
  
  optional_policy(`
  	procmail_domtrans(exim_t)
@@ -28645,7 +28730,7 @@ index f590a1f..26a6299 100644
 +	admin_pattern($1, fail2ban_tmp_t)
  ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..7b33bda 100644
+index 2a69e5e..aae90fa 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t)
@@ -28702,7 +28787,7 @@ index 2a69e5e..7b33bda 100644
  
  files_read_etc_files(fail2ban_t)
  files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +110,34 @@ optional_policy(`
+@@ -94,5 +110,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28722,6 +28807,8 @@ index 2a69e5e..7b33bda 100644
 +# fail2ban client local policy
 +#
 +
++dontaudit fail2ban_client_t self:capability sys_tty_config;
++
 +domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 +
 +stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
@@ -29045,7 +29132,7 @@ index bc27421..a65582e 100644
  ## <summary>
  ##	Allow domain dyntransition to sftpd_anon domain.
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..f947224 100644
+index 8a74a83..9348f18 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
 @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -29129,7 +29216,15 @@ index 8a74a83..f947224 100644
  
  # Create and modify /var/log/xferlog.
  manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -219,6 +238,7 @@ auth_append_login_records(ftpd_t)
+@@ -212,13 +231,11 @@ fs_search_auto_mountpoints(ftpd_t)
+ fs_getattr_all_fs(ftpd_t)
+ fs_search_fusefs(ftpd_t)
+ 
+-auth_use_nsswitch(ftpd_t)
+-auth_domtrans_chk_passwd(ftpd_t)
+-# Append to /var/log/wtmp.
+-auth_append_login_records(ftpd_t)
++auth_use_pam(ftpd_t)
  #kerberized ftp requires the following
  auth_write_login_records(ftpd_t)
  auth_rw_faillog(ftpd_t)
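Review bot: `auth_use_pam(ftpd_t)` replaces three specific calls with the umbrella PAM interface, which in refpolicy is a superset of them (it pulls in, among others, `auth_domtrans_upd_passwd` and the audit/syslog sending rules — verify against the local auth.if), so ftpd_t gains more than the nsswitch, password-check and wtmp-append access it had. If ftpd genuinely links PAM this is the idiomatic rule, but the `# Append to /var/log/wtmp.` comment was dropped with it; please confirm `auth_use_pam` still covers the wtmp append and keep a short comment, e.g. `# PAM; also covers the /var/log/wtmp append`.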
@@ -29137,7 +29232,7 @@ index 8a74a83..f947224 100644
  
  init_rw_utmp(ftpd_t)
  
-@@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +287,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
@@ -29155,7 +29250,7 @@ index 8a74a83..f947224 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -316,6 +339,25 @@ optional_policy(`
+@@ -316,6 +336,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29181,7 +29276,7 @@ index 8a74a83..f947224 100644
  	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
  
  	optional_policy(`
-@@ -347,10 +389,11 @@ optional_policy(`
+@@ -347,10 +386,11 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -29194,7 +29289,7 @@ index 8a74a83..f947224 100644
  files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
  
  # Allow ftpdctl to read config files
-@@ -368,15 +411,30 @@ files_read_etc_files(sftpd_t)
+@@ -368,15 +408,30 @@ files_read_etc_files(sftpd_t)
  # allow read access to /home by default
  userdom_read_user_home_content_files(sftpd_t)
  userdom_read_user_home_content_symlinks(sftpd_t)
@@ -38641,7 +38736,7 @@ index 46bee12..c22af86 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..fb683ea 100644
+index 06e37d4..4781d16 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -1,10 +1,18 @@
@@ -38768,7 +38863,7 @@ index 06e37d4..fb683ea 100644
  
  term_dontaudit_search_ptys(postfix_master_t)
  
-@@ -220,13 +241,15 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
  allow postfix_bounce_t self:tcp_socket create_socket_perms;
  
  allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -38780,12 +38875,14 @@ index 06e37d4..fb683ea 100644
  manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
  
-+allow postfix_bounce_t postfix_spool_maildrop_t:dir search_dir_perms;
++manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 +
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -249,6 +272,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+@@ -249,6 +274,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
  manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
  files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
  
@@ -38796,7 +38893,7 @@ index 06e37d4..fb683ea 100644
  allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
  
  corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,8 +291,8 @@ optional_policy(`
+@@ -264,8 +293,8 @@ optional_policy(`
  # Postfix local local policy
  #
  
@@ -38806,7 +38903,7 @@ index 06e37d4..fb683ea 100644
  
  # connect to master process
  stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +300,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
  # for .forward - maybe we need a new type for it?
  rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
  
@@ -38815,7 +38912,7 @@ index 06e37d4..fb683ea 100644
  allow postfix_local_t postfix_spool_t:file rw_file_perms;
  
  corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +315,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
  mta_read_config(postfix_local_t)
@@ -38834,7 +38931,7 @@ index 06e37d4..fb683ea 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -304,9 +338,22 @@ optional_policy(`
+@@ -304,9 +340,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38857,7 +38954,7 @@ index 06e37d4..fb683ea 100644
  ########################################
  #
  # Postfix map local policy
-@@ -372,6 +419,7 @@ optional_policy(`
+@@ -372,6 +421,7 @@ optional_policy(`
  # Postfix pickup local policy
  #
  
@@ -38865,7 +38962,7 @@ index 06e37d4..fb683ea 100644
  allow postfix_pickup_t self:tcp_socket create_socket_perms;
  
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -379,19 +427,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,19 +429,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -38893,7 +38990,7 @@ index 06e37d4..fb683ea 100644
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -401,6 +456,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +458,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -38902,7 +38999,7 @@ index 06e37d4..fb683ea 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +477,7 @@ optional_policy(`
+@@ -420,6 +479,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -38910,7 +39007,7 @@ index 06e37d4..fb683ea 100644
  ')
  
  optional_policy(`
-@@ -436,11 +494,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +496,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -38928,7 +39025,7 @@ index 06e37d4..fb683ea 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -507,6 +571,8 @@ optional_policy(`
+@@ -507,6 +573,8 @@ optional_policy(`
  # Postfix qmgr local policy
  #
  
@@ -38937,7 +39034,7 @@ index 06e37d4..fb683ea 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +585,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -38950,7 +39047,7 @@ index 06e37d4..fb683ea 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +609,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -38961,7 +39058,7 @@ index 06e37d4..fb683ea 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +637,10 @@ optional_policy(`
+@@ -565,6 +639,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38972,7 +39069,7 @@ index 06e37d4..fb683ea 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -588,10 +664,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +666,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -38989,7 +39086,7 @@ index 06e37d4..fb683ea 100644
  ')
  
  optional_policy(`
-@@ -611,8 +693,8 @@ optional_policy(`
+@@ -611,8 +695,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -38999,7 +39096,7 @@ index 06e37d4..fb683ea 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +712,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +714,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -41651,10 +41748,10 @@ index 00fa514..0f49245 100644
  	mysql_stream_connect(rgmanager_t)
  ')
 diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
-index c2ba53b..853eeb5 100644
+index c2ba53b..1f935bf 100644
 --- a/policy/modules/services/rhcs.fc
 +++ b/policy/modules/services/rhcs.fc
-@@ -1,14 +1,18 @@
+@@ -1,20 +1,25 @@
  /usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
  /usr/sbin/fenced			--	gen_context(system_u:object_r:fenced_exec_t,s0)
  /usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
@@ -41673,6 +41770,13 @@ index c2ba53b..853eeb5 100644
  /var/log/cluster/dlm_controld\.log.*	--	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
  /var/log/cluster/fenced\.log.*		--	gen_context(system_u:object_r:fenced_var_log_t,s0)
  /var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+ /var/log/cluster/qdiskd\.log.*		--	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+ 
+ /var/run/cluster/fenced_override	--	gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/cluster/fence_scsi.*           --       gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/dlm_controld\.pid		--	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+ /var/run/fenced\.pid			--	gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
 diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
 index de37806..229a3c7 100644
 --- a/policy/modules/services/rhcs.if
@@ -42319,7 +42423,7 @@ index f7826f9..3128dd8 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..b71d193 100644
+index 33e72e8..bf98758 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
 @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -42450,7 +42554,7 @@ index 33e72e8..b71d193 100644
  
  corecmd_exec_bin(ricci_modclusterd_t)
  
-@@ -394,8 +415,6 @@ files_search_usr(ricci_modservice_t)
+@@ -394,10 +415,10 @@ files_search_usr(ricci_modservice_t)
  # Needed for running chkconfig
  files_manage_etc_symlinks(ricci_modservice_t)
  
@@ -42458,8 +42562,12 @@ index 33e72e8..b71d193 100644
 -
  init_domtrans_script(ricci_modservice_t)
  
++logging_send_syslog_msg(ricci_modservice_t)
++
  miscfiles_read_localization(ricci_modservice_t)
-@@ -405,6 +424,10 @@ optional_policy(`
+ 
+ optional_policy(`
+@@ -405,6 +426,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42470,7 +42578,7 @@ index 33e72e8..b71d193 100644
  	nscd_dontaudit_search_pid(ricci_modservice_t)
  ')
  
-@@ -444,22 +467,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,22 +469,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -42499,7 +42607,7 @@ index 33e72e8..b71d193 100644
  optional_policy(`
  	aisexec_stream_connect(ricci_modstorage_t)
  	corosync_stream_connect(ricci_modstorage_t)
-@@ -471,11 +492,27 @@ optional_policy(`
+@@ -471,11 +494,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44698,7 +44806,7 @@ index c954f31..7f57f22 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..37677b9 100644
+index ec1eb1e..b4c21bd 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
 @@ -6,54 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -45102,7 +45210,7 @@ index ec1eb1e..37677b9 100644
  ')
  
  optional_policy(`
-@@ -451,3 +559,43 @@ optional_policy(`
+@@ -451,3 +559,51 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -45124,7 +45232,15 @@ index ec1eb1e..37677b9 100644
 +manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +
++allow spamd_update_t spamd_tmp_t:file read_file_perms;
++
++kernel_read_system_state(spamd_update_t)
++
++# for updating rules 
++corenet_tcp_connect_http_port(spamd_update_t)
++
 +corecmd_exec_bin(spamd_update_t)
++corecmd_exec_shell(spamd_update_t)
 +
 +dev_read_urand(spamd_update_t)
 +
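Review bot: The bare `allow spamd_update_t spamd_tmp_t:file read_file_perms;` on L870 grants only file-level permissions, so if the tmp file sits in a directory that is itself labelled spamd_tmp_t the lookup is still denied for lack of `search` on that directory; `read_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)` grants the matching dir permission and is the pattern the lines just above (L867-868) already use. `corecmd_exec_shell(spamd_update_t)` on L878 widens what the update domain may execute beyond the bin_t programs it already had, and the hunk does not say which sa-update step needs a shell; a one-line comment such as `# sa-update needs a shell for <STEP>` above it would record the reason for later review. Only `corenet_tcp_connect_http_port` is granted for fetching rules in this hunk, which is worth stating in the `# for updating rules` comment on L874 (that line also carries trailing whitespace).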
@@ -47014,10 +47130,10 @@ index 0000000..7647279
 +
 diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
 new file mode 100644
-index 0000000..9fb3ea7
+index 0000000..4fd2377
 --- /dev/null
 +++ b/policy/modules/services/vdagent.te
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,54 @@
 +policy_module(vdagent,1.0.0)
 +
 +########################################
@@ -47040,6 +47156,8 @@ index 0000000..9fb3ea7
 +# vdagent local policy
 +#
 +
++dontaudit vdagent_t self:capability sys_admin;
++
 +allow vdagent_t self:fifo_file rw_fifo_file_perms;
 +allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
 +
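Review bot: The `dontaudit vdagent_t self:capability sys_admin;` added on L899 silences a check on a broad capability without saying which operation trips it, so a later reader cannot tell whether the denial is still harmless; a short comment above it, e.g. `# <OPERATION> trips a sys_admin check vdagent does not need`, keeps the dontaudit reviewable. The new vdagent.te continues outside this hunk.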
@@ -47053,6 +47171,10 @@ index 0000000..9fb3ea7
 +logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
 +
 +dev_rw_input_dev(vdagent_t)
++dev_read_sysfs(vdagent_t)
++dev_dontaudit_write_mtrr(vdagent_t)
++
++files_read_etc_files(vdagent_t)
 +
 +term_use_virtio_console(vdagent_t)
 +
@@ -47628,7 +47750,7 @@ index 7c5d8d8..03cc7aee 100644
 +	allow $1 virt_tmpfs_type:file manage_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..931dbce 100644
+index 3eca020..e78e1e4 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -47792,16 +47914,21 @@ index 3eca020..931dbce 100644
  corenet_udp_sendrecv_generic_if(svirt_t)
  corenet_udp_sendrecv_generic_node(svirt_t)
  corenet_udp_sendrecv_all_ports(svirt_t)
-@@ -133,6 +157,8 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +157,13 @@ dev_list_sysfs(svirt_t)
  userdom_search_user_home_content(svirt_t)
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
 +append_files_pattern(svirt_t, virt_home_t, virt_home_t)
 +stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)
++
++#676372
++allow svirt_t virt_home_t:dir { add_name write };
++allow svirt_t virt_home_t:sock_file manage_sock_file_perms;
++allow svirt_t virt_home_t:file rw_inherited_file_perms;
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
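Review bot: The directory rule added on L937, `allow svirt_t virt_home_t:dir { add_name write };`, lacks `remove_name`, while `manage_sock_file_perms` on L938 includes `unlink` and `rename`, so deleting or renaming the socket in that directory will still be denied. Replacing L937-938 with `manage_sock_files_pattern(svirt_t, virt_home_t, virt_home_t)` grants the socket permissions together with the matching directory permissions and matches the `append_files_pattern`/`stream_connect_pattern` style of L933-934. The bare `#676372` on L936 should say what the bug is about, e.g. `# bz676372: <one-line description of the denial>`, and that comment should state plainly that this lets any svirt_t guest process create sockets anywhere under the user's virt_home_t content, since that is a wider grant than the connect-only rule above it.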
-@@ -147,11 +173,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +178,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -47817,7 +47944,7 @@ index 3eca020..931dbce 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +190,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +195,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -47840,7 +47967,7 @@ index 3eca020..931dbce 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +215,33 @@ optional_policy(`
+@@ -174,21 +220,33 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -47878,7 +48005,7 @@ index 3eca020..931dbce 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +253,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +258,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -47896,7 +48023,7 @@ index 3eca020..931dbce 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +280,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +285,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -47904,7 +48031,7 @@ index 3eca020..931dbce 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +300,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +305,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -47937,7 +48064,7 @@ index 3eca020..931dbce 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +332,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +337,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -47956,14 +48083,14 @@ index 3eca020..931dbce 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +367,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +372,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
- 
-+selinux_validate_context(virtd_t)
 +
++selinux_validate_context(virtd_t)
+ 
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -47987,7 +48114,7 @@ index 3eca020..931dbce 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +409,10 @@ optional_policy(`
+@@ -313,6 +414,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47998,7 +48125,7 @@ index 3eca020..931dbce 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,6 +429,10 @@ optional_policy(`
+@@ -329,6 +434,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48009,7 +48136,7 @@ index 3eca020..931dbce 100644
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
-@@ -365,6 +469,8 @@ optional_policy(`
+@@ -365,6 +474,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -48018,7 +48145,7 @@ index 3eca020..931dbce 100644
  ')
  
  optional_policy(`
-@@ -394,14 +500,26 @@ optional_policy(`
+@@ -394,14 +505,26 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -48047,7 +48174,7 @@ index 3eca020..931dbce 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +540,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +545,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -48055,7 +48182,7 @@ index 3eca020..931dbce 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +548,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +553,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -48068,7 +48195,7 @@ index 3eca020..931dbce 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +561,14 @@ files_search_all(virt_domain)
+@@ -440,6 +566,14 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -48083,7 +48210,7 @@ index 3eca020..931dbce 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +586,117 @@ optional_policy(`
+@@ -457,8 +591,118 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48162,6 +48289,7 @@ index 3eca020..931dbce 100644
 +optional_policy(`
 +	xen_manage_image_dirs(virsh_t)
 +	xen_append_log(virsh_t)
++	xen_domtrans(virsh_t)
 +	xen_stream_connect(virsh_t)
 +	xen_stream_connect_xenstore(virsh_t)
 +')
@@ -51537,7 +51665,7 @@ index 2952cef..4892b2a 100644
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..1bc48bc 100644
+index 42b4f0f..7282768 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -51560,7 +51688,20 @@ index 42b4f0f..1bc48bc 100644
  	')
  
  	optional_policy(`
-@@ -91,9 +97,12 @@ interface(`auth_use_pam',`
+@@ -76,6 +82,12 @@ interface(`auth_use_pam',`
+ 	optional_policy(`
+ 		nis_authenticate($1)
+ 	')
++
++	optional_policy(`
++		systemd_dbus_chat_logind($1)
++		systemd_use_fds_logind($1)
++		systemd_write_inherited_logind_sessions_pipes($1)
++	')
+ ')
+ 
+ ########################################
+@@ -91,9 +103,12 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
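Review bot: The three logind grants added to auth_use_pam on L1119-1123 apply to every domain that calls auth_use_pam, and `systemd_dbus_chat_logind` is bidirectional, so this is a broad widening that the hunk leaves undocumented. A one-line comment above L1120, such as `# pam_systemd registers the login session with logind over dbus`, would record which PAM module the grant serves. The enclosing interface auth_use_pam begins outside this hunk.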
@@ -51573,7 +51714,7 @@ index 42b4f0f..1bc48bc 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -101,14 +110,17 @@ interface(`auth_login_pgm_domain',`
+@@ -101,14 +116,17 @@ interface(`auth_login_pgm_domain',`
  
  	# Needed for pam_selinux_permit to cleanup properly
  	domain_read_all_domains_state($1)
@@ -51591,7 +51732,7 @@ index 42b4f0f..1bc48bc 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -119,13 +131,19 @@ interface(`auth_login_pgm_domain',`
+@@ -119,13 +137,19 @@ interface(`auth_login_pgm_domain',`
  	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
  	kernel_rw_afs_state($1)
  
@@ -51612,7 +51753,7 @@ index 42b4f0f..1bc48bc 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -141,6 +159,8 @@ interface(`auth_login_pgm_domain',`
+@@ -141,6 +165,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -51621,7 +51762,7 @@ index 42b4f0f..1bc48bc 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -151,13 +171,68 @@ interface(`auth_login_pgm_domain',`
+@@ -151,9 +177,86 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -51666,12 +51807,14 @@ index 42b4f0f..1bc48bc 100644
 +		ssh_agent_exec($1)
 +		ssh_read_user_home_files($1)
 +		userdom_read_user_home_content_files($1)
- 	')
- ')
- 
- ########################################
- ## <summary>
-+##	Read and write a authlogin unnamed pipe.
++	')
++
++
++')
++
++########################################
++## <summary>
++##	Read authlogin state files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
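Review bot: Two consecutive blank lines precede the closing `')` of auth_login_pgm_domain on L1178-1180; the other interfaces in this file end the body with at most one blank line, so one of them should go. The interface's body begins outside this hunk.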
@@ -51679,20 +51822,36 @@ index 42b4f0f..1bc48bc 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`authlogin_rw_pipes',`
++interface(`authlogin_read_state',`
 +	gen_require(`
 +		attribute polydomain;
 +	')
 +
-+	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
++	kernel_search_proc($1)
++	ps_process_pattern($1, polydomain)
++
 +')
 +
 +########################################
 +## <summary>
- ##	Use the login program as an entry point program.
- ## </summary>
- ## <param name="domain">
-@@ -361,17 +436,18 @@ interface(`auth_domtrans_chk_passwd',`
++##	Read and write a authlogin unnamed pipe.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`authlogin_rw_pipes',`
++	gen_require(`
++		attribute polydomain;
+ 	')
++
++	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
+ ')
+ 
+ ########################################
+@@ -361,17 +464,18 @@ interface(`auth_domtrans_chk_passwd',`
  
  	optional_policy(`
  		kerberos_read_keytab($1)
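Review bot: The new interface on L1193 is named `authlogin_read_state` while every other interface in this file uses the `auth_` prefix (`auth_use_pam`, `auth_login_pgm_domain`, `auth_domtrans_chk_passwd`), and the same applies to `authlogin_rw_pipes` on L1218; `auth_read_state` / `auth_rw_pipes` would follow the module convention, though any callers elsewhere in this patch would have to change with it. The body also has a stray blank line before `')` on L1201-1202. The summary on L1184 says "Read authlogin state files", but the body grants `kernel_search_proc` plus `ps_process_pattern` on the polydomain attribute, i.e. the /proc process state of every polydomain process; `##	Read the process state (/proc/pid) of polydomain processes.` describes the grant more precisely.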
@@ -51713,7 +51872,7 @@ index 42b4f0f..1bc48bc 100644
  ')
  
  ########################################
-@@ -418,6 +494,25 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +522,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -51739,7 +51898,7 @@ index 42b4f0f..1bc48bc 100644
  ')
  
  ########################################
-@@ -694,7 +789,7 @@ interface(`auth_relabel_shadow',`
+@@ -694,7 +817,7 @@ interface(`auth_relabel_shadow',`
  	')
  
  	files_search_etc($1)
@@ -51748,7 +51907,7 @@ index 42b4f0f..1bc48bc 100644
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
  
-@@ -733,7 +828,47 @@ interface(`auth_rw_faillog',`
+@@ -733,7 +856,47 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -51797,7 +51956,7 @@ index 42b4f0f..1bc48bc 100644
  ')
  
  #######################################
-@@ -874,6 +1009,46 @@ interface(`auth_exec_pam',`
+@@ -874,6 +1037,46 @@ interface(`auth_exec_pam',`
  
  ########################################
  ## <summary>
@@ -51844,7 +52003,7 @@ index 42b4f0f..1bc48bc 100644
  ##	Manage var auth files. Used by various other applications
  ##	and pam applets etc.
  ## </summary>
-@@ -889,9 +1064,30 @@ interface(`auth_manage_var_auth',`
+@@ -889,9 +1092,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -51878,7 +52037,7 @@ index 42b4f0f..1bc48bc 100644
  ')
  
  ########################################
-@@ -1093,6 +1289,24 @@ interface(`auth_delete_pam_console_data',`
+@@ -1093,6 +1317,24 @@ interface(`auth_delete_pam_console_data',`
  
  ########################################
  ## <summary>
@@ -51903,7 +52062,7 @@ index 42b4f0f..1bc48bc 100644
  ##	Read all directories on the filesystem, except
  ##	the shadow passwords and listed exceptions.
  ## </summary>
-@@ -1326,6 +1540,25 @@ interface(`auth_setattr_login_records',`
+@@ -1326,6 +1568,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -51929,7 +52088,7 @@ index 42b4f0f..1bc48bc 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1500,28 +1733,36 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1761,36 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -51973,7 +52132,7 @@ index 42b4f0f..1bc48bc 100644
  	optional_policy(`
  		kerberos_use($1)
  	')
-@@ -1531,7 +1772,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1800,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -53286,7 +53445,7 @@ index cc83689..fc87c2c 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..5219266 100644
+index ea29513..a8e892b 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -53894,7 +54053,7 @@ index ea29513..5219266 100644
  ')
  
  optional_policy(`
-@@ -589,6 +856,15 @@ optional_policy(`
+@@ -589,6 +856,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53904,13 +54063,15 @@ index ea29513..5219266 100644
 +
 +optional_policy(`
 +	cron_read_pipes(initrc_t)
++	# managing /etc/cron.d/mailman content
++    cron_manage_system_spool(initrc_t)
 +')
 +
 +optional_policy(`
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +881,13 @@ optional_policy(`
+@@ -605,9 +883,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
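Review bot: `cron_manage_system_spool(initrc_t)` on L1335 is indented with four spaces while the sibling `cron_read_pipes(initrc_t)` on L1333 uses a tab; the file is tab-indented. The grant itself lets every init script running as initrc_t create and modify content labelled as the system cron spool, which is wider than the mailman case named in the comment on L1334; if only mailman's init script needs it, the comment should say the grant was accepted domain-wide, e.g. `# mailman's init script rewrites /etc/cron.d/mailman; granted to all of initrc_t`. The enclosing optional_policy block is visible in full on L1332-1336.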
@@ -53924,7 +54085,7 @@ index ea29513..5219266 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +929,11 @@ optional_policy(`
+@@ -649,6 +931,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53936,7 +54097,7 @@ index ea29513..5219266 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +991,13 @@ optional_policy(`
+@@ -706,7 +993,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53950,7 +54111,7 @@ index ea29513..5219266 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1020,10 @@ optional_policy(`
+@@ -729,6 +1022,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53961,7 +54122,7 @@ index ea29513..5219266 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1033,20 @@ optional_policy(`
+@@ -738,10 +1035,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53982,7 +54143,7 @@ index ea29513..5219266 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1055,10 @@ optional_policy(`
+@@ -750,6 +1057,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53993,7 +54154,7 @@ index ea29513..5219266 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1080,6 @@ optional_policy(`
+@@ -771,8 +1082,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -54002,7 +54163,7 @@ index ea29513..5219266 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1088,21 @@ optional_policy(`
+@@ -781,14 +1090,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54024,7 +54185,7 @@ index ea29513..5219266 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1114,6 @@ optional_policy(`
+@@ -800,7 +1116,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54032,7 +54193,7 @@ index ea29513..5219266 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1123,24 @@ optional_policy(`
+@@ -810,11 +1125,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54058,7 +54219,7 @@ index ea29513..5219266 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1150,25 @@ optional_policy(`
+@@ -824,6 +1152,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -54084,7 +54245,7 @@ index ea29513..5219266 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1194,42 @@ optional_policy(`
+@@ -849,3 +1196,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -58484,10 +58645,10 @@ index 0000000..c7476cb
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..da83870
+index 0000000..fe2a3fd
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,264 @@
+@@ -0,0 +1,322 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -58541,6 +58702,64 @@ index 0000000..da83870
 +        can_exec($1, systemd_systemctl_exec_t)
 +')
 +
++#####################################
++## <summary>
++##  Write inherited logind sessions pipes.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`systemd_write_inherited_logind_sessions_pipes',`
++	gen_require(`
++		type systemd_logind_sessions_t;
++	')
++
++	allow $1 systemd_logind_sessions_t:fifo_file write;
++')
++
++#######################################
++## <summary>
++##  Send and receive messages from
++##  systemd logind over dbus.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`systemd_dbus_chat_logind',`
++	gen_require(`
++		type systemd_logind_t;
++		class dbus send_msg;
++	')
++
++	allow $1 systemd_logind_t:dbus send_msg;
++	allow systemd_logind_t $1:dbus send_msg;
++')
++
++#####################################
++## <summary>
++##  Use and and inherited systemd
++##  logind file descriptors.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`systemd_use_fds_logind',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:fd use;
++')
++
 +#######################################
 +## <summary>
 +##      Create a file type used for systemd unit files.
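Review bot: The summary on L1504 reads "Use and and inherited systemd logind file descriptors" — drop the duplicated `and`. The separator bars above the new interfaces on L1463 and L1502 are two characters shorter than the `#######################################` used on L1481 and L1521, and the summary/param text is indented with two spaces rather than the tab-indented `##	` form used in authlogin.if (L1185-1190). `systemd_write_inherited_logind_sessions_pipes` on L1478 grants bare `write` on the fifo; if the callers only write to an already-open pipe that is the minimal grant, but a comment such as `# write only: the pipe is inherited already open, no open/getattr needed` would stop someone later widening it to `rw_fifo_file_perms`. The new systemd.if continues outside this hunk.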
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bf2e153..41b7857 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 42%{?dist}
+Release: 43%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,20 @@ exit 0
 %endif
 
 %changelog
+* Tue Oct 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-43
+- Allow sa-update to update rules
+- Allow sa-update to read spamd tmp file
+- Allow screen to read all domain state
+- Allow  sa-update to execute shell
+- More fixes for sa-update running out of cron job
+- Allow initrc to manage cron system spool
+- Fixes for collectd policy
+- Fixes added during clean up bugzillas
+- Dontaudit fail2ban_client_t sys_tty_config capability
+- Fix for puppet which does execute check on passwd
+- ricci_modservice send syslog msgs
+- Fix dev_dontaudit_write_mtrr() interface
+
 * Thu Sep 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-42
 - Make mta_role() active
 - Add additional gitweb file context labeling

